{
	"id": "2975e944-d75c-4346-a914-7696d1504bfd",
	"created_at": "2026-04-06T00:06:13.929832Z",
	"updated_at": "2026-04-10T03:33:23.803076Z",
	"deleted_at": null,
	"sha1_hash": "a8b13c87fa6f0a68a889d664d0febecbf52fb173",
	"title": "Popping Blisters for research: An overview of past payloads and exploring recent developments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 201303,
	"plain_text": "Popping Blisters for research: An overview of past payloads and\r\nexploring recent developments\r\nBy Fox-SRT\r\nPublished: 2023-11-01 · Archived: 2026-04-05 19:52:59 UTC\r\nAuthored by Mick Koomen\r\nSummary\r\nBlister is a piece of malware that loads a payload embedded inside it. We provide an overview of payloads dropped by the\r\nBlister loader based on 137 unpacked samples from the past one and a half years and take a look at recent activity of Blister.\r\nThe overview shows that since its support for environmental keying, most samples have this feature enabled, indicating that\r\nattackers mostly use Blister in a targeted manner. Furthermore, there has been a shift in payload type from Cobalt Strike to\r\nMythic agents, matching with previous reporting. Blister drops the same type of Mythic agent which we thus far cannot link\r\nto any public Mythic agents. Another development is that its developers started obfuscating the first stage of Blister, making\r\nit more evasive. We provide YARA rules and scripts1 to help analyze the Mythic agent and the packer we observed with it.\r\nRecap of Blister\r\nBlister is a loader that loads a payload embedded inside it and in the past was observed with activity linked to Evil Corp2,3.\r\nMatching with public reporting, we have also seen it as a follow-up in SocGholish infections. In the past, we observed\r\nBlister mostly dropping Cobalt Strike beacons, yet current developments show a shift to Mythic agents, another red teaming\r\nframework.\r\nElastic Security first documented Blister in December 2021 in a campaign that used malicious installers4. It used valid code\r\nsignatures referencing the company Blist LLC to pose as a legitimate executable, likely leading to the name Blister. That\r\ncampaign reportedly dropped Cobalt Strike and BitRat.\r\nIn 2022, Blister started solely using the x86-64 instruction set, versus including 32-bit as well. 
Furthermore, RedCanary reported observing SocGholish dropping Blister [5], which was later confirmed by other vendors as well [6].\r\nIn August of the same year, we observed a new version of Blister. This update included more configuration options, along with an optional domain hash for environmental keying, allowing attackers to deploy Blister in a targeted manner. Elastic Security recently wrote about this version [7].\r\n2023 initially did not bring new developments for Blister. However, similar to its previous update, we observed development activity in August. Notably, we saw samples with added obfuscation in the first stage of Blister, i.e. the loader component that is injected into a legitimate executable. Additionally, in July, Unit 42 [8] observed SocGholish dropping Blister with a Mythic agent.\r\nIn summary, 2023 brought new developments for Blister, with added obfuscation of the first stage and a new type of payload. The remainder of this blog is divided into two parts: first, we look back at previous Blister payloads and configurations, and in the second part, we discuss the recent developments.\r\nLooking back at Blister\r\nIn early 2023, we observed a SocGholish infection at our security operations center (SOC). We notified the customer and were given a binary that was related to the infection. This turned out to be a Blister sample, with Cobalt Strike as its payload.\r\nWe wrote an extractor that worked on the sample encountered at the SOC, but for certain other Blister samples it did not. It turned out that the sample from the SOC investigation belonged to a version of Blister that was introduced in August 2022, while older samples had a different configuration. After writing an extractor for these older versions, we made an overview of what Blister had been dropping in roughly the past two years.\r\nThe samples we analyzed are all available on VirusTotal, the platform we used to find samples. 
We focus on 64-bit Blister samples; as far as we know, newer samples no longer use 32-bit. In total, we found 137 samples we could unpack: 33 samples of the older version and 104 samples of the newer version from 2022.\r\nIn the Appendix, we list these samples, where version 1 and 2 refer to the old and new version respectively. The table is sorted on the first seen date of a sample in VirusTotal, where you can clearly see the introduction of the update.\r\nBecause we want to keep the tables comprehensible, we have split up the data into four tables. For now, it is important to note that Table 2 provides information per Blister sample we unpacked, including the date it was first uploaded to VirusTotal, the version, the label of the payload it drops, the type of payload, and two configuration flags. Furthermore, to have a list of Blister and payload hashes in clear text in the blog, we included these in Table 6. We also included a more complete data set at https://github.com/fox-it/blister-research.\r\nhttps://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/\r\nPage 1 of 20\r\nDiscussing payloads\r\nLooking at the dropped payloads, we see that they mostly conform with what has already been reported. In Figure 1, we provide a timeline based on the first seen date of a sample in VirusTotal and the family of the payload. The observed payloads consist of Cobalt Strike, Mythic, Putty, and a test application. Initially, Blister dropped various flavors of Cobalt Strike and later dropped a Mythic agent, which we refer to as BlisterMythic. Recently, we also observed a packer that unpacks BlisterMythic, which we refer to as MythicPacker. 
Interestingly, we did not observe any samples drop BitRat.\r\nFigure 1, Overview of Blister samples we were able to unpack, based on the first seen date reported in VirusTotal.\r\nFrom the 137 samples, we were able to retrieve 74 unique payloads. This discrepancy between the number of unique Blister samples and the number of unique payloads is mainly caused by various Blister samples dropping the same Putty or test application, namely 18 and 22 samples, respectively. This summer has shown a particular increase in test payloads.\r\nCobalt Strike\r\nCobalt Strike was dropped through three different types of payloads: generic shellcode, DLL stagers, or obfuscated shellcode. In total, we retrieved 61 beacons; in Table 1 we list the Cobalt Strike watermarks we observed. A watermark is a unique value linked to a license key. It should be noted that Cobalt Strike watermarks can be changed and hence are not a sound way to identify clusters of activity.\r\nWatermark (decimal) | Watermark (hexadecimal) | Nr. of beacons\r\n206546002 | 0xc4fa452 | 2\r\n1580103824 | 0x5e2e7890 | 21\r\n1101991775 | 0x41af0f5f | 38\r\nTable 1, Counted Cobalt Strike watermarks observed in beacons dropped by Blister.\r\nThe watermark 206546002, though only used twice, shows up in other reports as well, e.g. a report on an Emotet intrusion [9] and a report linking it to Royal, Quantum, and Play ransomware activity [10, 11]. The watermark 1580103824 is mentioned in reports on Gootloader [12] but also Cl0p [13], and is also the 9th most common beacon watermark, based on our dataset of Cobalt Strike beacons [14]. Interestingly, 1101991775, the most common watermark, is not mentioned in public reporting as far as we can tell.\r\nCobalt Strike profile generators\r\nIn Table 3, we list information on the extracted beacons. In there, we also list the submission path. 
Most of the submission paths contain /safebrowsing/ and /rest/2/meetings, matching paths found in SourcePoint [15], a Cobalt Strike command-and-control (C2) profile generator. This only holds, however, for the regular shellcode beacons; when we look at the obfuscated shellcode and the DLL stager beacons, they seem to use a different C2 profile. The C2 profiles for these payloads match another public C2 profile generator [16].\r\nDomain fronting\r\nSome of the beacons are configured to use “domain fronting”, a technique that allows malicious actors to hide the true destination of their network traffic and evade detection by security systems. It involves routing malicious traffic through a content delivery network (CDN) or other intermediary server, making it appear as if the traffic is going to a legitimate or benign domain, while in reality it is communicating with a malicious C2 server.\r\nCertain beacons have subdomains of fastly[.]net as their C2 server, e.g. backend.int.global.prod.fastly[.]net or python.docs.global.prod.fastly[.]net. However, the domains they connect to are admin.reddit[.]com or admin.wikihow[.]com, which are legitimate domains hosted on a CDN.\r\nObfuscated shellcode\r\nIn five cases, we observed Blister drop Cobalt Strike by first loading obfuscated shellcode. We included a YARA rule for this particular shellcode in the Appendix.\r\nPerforming a retrohunt on VirusTotal yielded only 12 samples, with names indicating potential test files and at least one sample dropping Cobalt Strike. We are unsure whether this is an obfuscator solely used by Evil Corp or whether it is used by other threat actors as well.\r\nFigure 2, Layout of particular shellcode, with denoted steps.\r\nThe shellcode is fairly simple; we provide an overview of it in Figure 2. 
The entrypoint is at the start of the buffer, which calls into the decoding stub. This call instruction automatically pushes the next instruction’s address on the stack, which the decoding stub uses as the starting point for mutating memory. Figure 3 shows some of these instructions, which are quite distinctive.\r\nFigure 3, Decoding instructions observed in particular shellcode.\r\nAt the end of the decoding stub, it either jumps or calls back and then invokes the decryption function. This decryption function uses RC4, but the S-Box is already initialized, so no key-scheduling algorithm is implemented. Lastly, it jumps to the final payload.\r\nBlisterMythic\r\nMatching what was already reported by Unit 42 [8], Blister recently started using Mythic agents as its payload. Mythic is one of the many red teaming frameworks on GitHub [18]. You can use various agents, which are listed on GitHub as well [19] and can roughly be compared to a Cobalt Strike beacon. It is possible to write your own Mythic agent, as long as you comply with a set of constraints. Thus far, we keep seeing the same Mythic agent, which we discuss in more detail later on.\r\nThe first sample dropping Mythic agents was uploaded to VirusTotal on July 24th 2023, just days before initial reports of SocGholish infections leading to Mythic. In Table 4, we provide the C2 information from the observed Mythic agents.\r\nWe observed Mythic either as a Portable Executable (PE) or as shellcode. The shellcode seems to be rare and unpacks a PE file, which thus far has always resulted in a Mythic agent in our experience. We discuss this packer later on as well and provide scripts that help with retrieving the PE file it packs. We refer to this specific Mythic agent as BlisterMythic and to the packer as MythicPacker.\r\nIn Table 5, we list the BlisterMythic C2 servers we were able to find. Interestingly, the domains were all registered at DNSPod. 
We also observed this in the past with Cobalt Strike domains we linked to Evil Corp. Apart from this, we also see similarities in the domain names used, e.g. domains consisting of two or three words concatenated together and using com as the top-level domain (TLD).\r\nTest payloads\r\nBesides red team tooling like Mythic and Cobalt Strike, we also observed Putty and a test application as payloads. Running Putty through Blister does not seem logical and is likely linked to testing. It would only result in Putty running in memory without touching the disk, which in itself is not useful. Additionally, when we look at the domain hashes in the Blister samples, only the Putty and test application samples in some cases share their domain hash.\r\nBlister configurations\r\nWe also looked at the configurations of Blister; from these we can to some extent derive how it is used by attackers. Note that the collection also contains “test samples” from the attacker. Apart from the more obvious Putty and test application, some samples that dropped Mythic, for instance, could also be linked to testing. We chose to leave out samples that drop Putty or the test application, leaving 97 samples in total. This means that the samples paint a partly biased picture, though we think it is still valuable and provides a view into how Blister is used.\r\nEnvironmental keying\r\nSince its update in 2022, Blister includes an optional domain hash, which it computes over the DNS search domain of the machine (ComputerNameDnsDomain). It only continues executing if the hash matches its configuration, enabling environmental keying.\r\nBy looking at the number of samples that have domain hash verification enabled, we can say something about how Blister is deployed. 
Of the 66 Blister samples, only 6 samples did not have domain hash verification enabled. This indicates it is mostly used in a targeted manner, corresponding, for example, with using SocGholish for initial access and reconnaissance and then deploying Blister.\r\nPersistence\r\nOf the 97 samples, 70 have persistence enabled. For persistence, Blister still uses the same method as described by Elastic Security [20]. It mostly uses the IFileOperation COM interface to copy rundll32.exe and itself to the Startup folder. This is significant for detection, as it means that these file operations are performed by the DllHost.exe process, not by the rundll32.exe process that hosts Blister.\r\nBlister trying new things\r\nBlister’s previous update altered the core payload; however, the loader that is injected into the legitimate executable remained unchanged. In August this year, we observed experimental samples on VirusTotal with an obfuscated loader component, hinting at developer activity. Interestingly, we could link these samples to another sample on VirusTotal which solely contained the function body of the loader, and to another sample that contained a loader with a large set of INT 3 instructions added to it. Perhaps the developer was experimenting with different mutations to see how they influence the detection rate.\r\nObfuscating the first stage\r\nRecent samples from September 2023 have the loader obfuscated in the same manner, with bogus instructions and excessive jump instructions. 
These changes make it harder to detect Blister using YARA, as the loader instructions are now intertwined with junk instructions and sometimes followed by junk data due to the added jump instructions.\r\nFigure 4, Comparison of two loader components from recent Blister samples; left is without obfuscation and right is with obfuscation.\r\nIn Figure 4, we compare the two function bodies of the loader: one body which is normally seen in Blister samples and one obfuscated function body, observed in the recent samples. The comparison shows that naive YARA rules are less likely to trigger on the obfuscated function body. In the Appendix, we provide a Blister rule that tries to detect these obfuscated samples. The added bogus instructions include instructions such as btc, bts, lahf and cqo, bogus instructions we also observed in the Blister core before; see the core component of SHA256 4faf362b3fe403975938e27195959871523689d0bf7fba757ddfa7d00d437fd4, for example.\r\nDropping Mythic agents\r\nApart from an obfuscated loader, Mythic agents currently are the payload of choice. In September and October, we found obfuscated Blister samples only dropping Mythic. Certain samples have low or zero detections on VirusTotal [21] at the time of writing, showing that obfuscation does pay off.\r\nWe now discuss one sample [22] that drops shellcode eventually executing a Mythic agent. The shellcode unpacks a PE file and executes it. We provide a YARA rule for this packer in the Appendix, which we refer to as MythicPacker. Based on this rule, we did not find other samples, suggesting it is a custom packer. Until now, we have only seen this packer unpacking Mythic agents.\r\nThe dropped Mythic agents are all similar and we cannot link them to any public agents thus far. 
This could mean that Blister developers created their own Mythic agent, though this is uncertain. We provide a YARA rule that matches all agents we encountered; a VirusTotal retrohunt over the past year resulted in only four samples, all linked to Blister. We think this Mythic agent is likely custom-made.\r\nFigure 5, BlisterMythic configuration decryption.\r\nThe agents all share a similar structure, namely an encrypted configuration in the .bss section of the executable. The agent has an encrypted configuration which is decrypted by XORing the size of the configuration with a constant that, it seems, differs per sample. For PE files, we have a Python script that can decrypt a configuration. Figure 5 denotes this decryption loop, where the XOR constant is 0x48E12000.\r\nFigure 6, Decrypted BlisterMythic configuration.\r\nDumping the configuration results in a binary blob that contains various information, including the C2 server. Figure 6 shows a hexdump of a snippet from the decrypted configuration. We created a script to dump the decrypted configuration of the BlisterMythic agent in PE format and also a script that unpacks MythicPacker shellcode and outputs a reconstructed PE file; see https://github.com/fox-it/blister-research.\r\nConclusion\r\nIn this post, we provided an overview of observed Blister payloads from the past one and a half years on VirusTotal and also gave insight into recent developments. Furthermore, we provided scripts and YARA rules to help analyze Blister and the Mythic agent it drops.\r\nFrom the analyzed payloads, we see that Cobalt Strike was the favored choice, but that lately this has been replaced by Mythic. Cobalt Strike was mostly dropped as shellcode and briefly run through obfuscated shellcode or a DLL stager. 
Apart from Cobalt Strike and Mythic, we saw that Blister test samples are uploaded to VirusTotal as well.\r\nThe custom Mythic agent, together with the obfuscated loader, are new Blister developments that happened in the past months. It is likely that its developers were aware that the loader component was still a weak spot in terms of static detection. Additionally, throughout the years, Cobalt Strike has received a lot of attention from the security community, with dumpers and C2 feeds readily available. Mythic is not as popular and allows you to write your own agent, making it an appropriate replacement for now.\r\nReferences\r\n1. https://github.com/fox-it/blister-research\r\n2. https://www.mandiant.com/resources/blog/unc2165-shifts-to-evade-sanctions\r\n3. https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/\r\n4. https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\r\n5. https://redcanary.com/blog/intelligence-insights-january-2022/\r\n6. https://www.trendmicro.com/en_ie/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html\r\n7. https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader\r\n8. https://twitter.com/Unit42_Intel/status/1684583246032506880\r\n9. https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/\r\n10. https://www.group-ib.com/blog/shadowsyndicate-raas/\r\n11. https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html\r\n12. https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/\r\n13. https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf\r\n14. https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/\r\n15. 
https://github.com/Tylous/SourcePoint\r\n16. https://github.com/threatexpress/random_c2_profile\r\n17. https://twitter.com/Unit42_Intel/status/1684583246032506880\r\n18. https://github.com/its-a-feature/Mythic\r\n19. https://mythicmeta.github.io/overview/\r\n20. https://www.elastic.co/security-labs/blister-loader\r\n21. https://www.virustotal.com/gui/file/a5fc8d9f9f4098e2cecb3afc66d8158b032ce81e0be614d216c9deaf20e888ac\r\n22. https://www.virustotal.com/gui/file/f58de1733e819ea38bce21b60bb7c867e06edb8d4fd987ab09ecdbf7f6a319b9\r\nAppendix\r\nYARA rules\r\nrule shellcode_obfuscator\r\n{\r\n    meta:\r\n        os = \"Windows\"\r\n        arch = \"x86-64\"\r\n        description = \"Detects shellcode packed with unknown obfuscator observed in Blister samples.\"\r\n        reference_sample = \"178ffbdd0876b99ad1c2d2097d9cf776eca56b540a36c8826b400cd9d5514566\"\r\n    strings:\r\n        $rol_ror = { 48 C1 ?? ?? ?? 48 C1 ?? ?? ?? 48 C1 ?? ?? ?? }\r\n        $mov_rol_mov = { 4d ?? ?? ?? 49 c1 ?? ?? ?? 4d ?? ?? ?? }\r\n        $jmp = { 49 81 ?? ?? ?? ?? ?? 41 ?? }\r\n    condition:\r\n        #rol_ror \u003e 60 and $jmp and filesize \u003c 2MB and #mov_rol_mov \u003e 60\r\n}\r\nimport \"pe\"\r\nimport \"math\"\r\nrule blister_x64_windows_loader {\r\n    meta:\r\n        os = \"Windows\"\r\n        arch = \"x86-64\"\r\n        family = \"Blister\"\r\n        description = \"Detects Blister loader component injected into legitimate executables.\"\r\n        reference_sample = \"343728792ed1e40173f1e9c5f3af894feacd470a9cdc72e4f62c0dc9cbf63fc1, 8d53dc0857fa634414f84ad06d18\"\r\n    strings:\r\n        // 65 48 8B 04 25 60 00 00 00 mov rax, gs:60h\r\n        $inst_1 = {65 48 8B 04 25 60 00 00 00}\r\n        // 48 8D 87 44 6D 00 00 lea rax, [rdi+6D44h]\r\n        $inst_2 = {48 8D 87 44 6D 00 00}\r\n        // 44 69 C8 95 E9 D1 5B imul r9d, eax, 5BD1E995h\r\n        $inst_3 = {44 ?? ?? 
95 E9 D1 5B}\r\n        // 41 81 F9 94 85 09 64 cmp r9d, 64098594h\r\n        $inst_4 = {41 ?? ?? 94 85 09 64}\r\n        // B8 FF FF FF 7F mov eax, 7FFFFFFFh\r\n        $inst_5 = {B8 FF FF FF 7F}\r\n        // 48 8D 4D 48 lea rcx, [rbp+48h]\r\n        $inst_6 = {48 8D 4D 48}\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        all of ($inst_*) and\r\n        pe.number_of_resources \u003e 0 and\r\n        for any i in (0..pe.number_of_resources - 1):\r\n            ( (math.entropy(pe.resources[i].offset, pe.resources[i].length) \u003e 6) and\r\n              pe.resources[i].length \u003e 200000\r\n            )\r\n}\r\nrule blister_mythic_payload {\r\n    meta:\r\n        os = \"Windows\"\r\n        arch = \"x86-64\"\r\n        family = \"BlisterMythic\"\r\n        description = \"Detects specific Mythic agent dropped by Blister.\"\r\n        reference_samples = \"2fd38f6329b9b2c5e0379a445e81ece43fe0372dec260c1a17eefba6df9ffd55, 3d2499e5c9b46f1f144cfbbd4a2\"\r\n    strings:\r\n        $start_inst = { 48 83 EC 28 B? [4-8] E8 ?? ?? 00 00 }\r\n        $for_inst = { 48 2B C8 0F 1F 00 C6 04 01 00 48 2D 00 10 00 00 }\r\n    condition:\r\n        all of them\r\n}\r\nrule mythic_packer\r\n{\r\n    meta:\r\n        os = \"Windows\"\r\n        arch = \"x86-64\"\r\n        family = \"MythicPacker\"\r\n        description = \"Detects specific PE packer dropped by Blister.\"\r\n        reference_samples = \"9a08d2db7d0bd7d4251533551d4def0f5ee52e67dff13a2924191c8258573024, 759ac6e54801e7171de39e637b9\"\r\n    strings:\r\n        // 41 81 38 72 47 65 74 cmp dword ptr [r8], 74654772h\r\n        $a = { 41 ?? ?? 72 47 65 74 }\r\n        // 41 81 38 72 4C 6F 61 cmp dword ptr [r8], 616F4C72h\r\n        $b = { 41 ?? ?? 
72 4C 6F 61 }\r\n        // B8 01 00 00 00 mov eax, 1\r\n        // C3 retn\r\n        $c = { B8 01 00 00 00 C3 }\r\n    condition:\r\n        all of them and uint8(0) == 0x48\r\n}\r\nBlister payloads listing\r\nFirst seen | Version | Payload family | Payload type | Environmental keying | Persistence\r\n2021-12-03 | 1 | Cobalt Strike | shellcode | N/a | 0\r\n2021-12-05 | 1 | Cobalt Strike | shellcode | N/a | 0\r\n2021-12-14 | 1 | Cobalt Strike | shellcode | N/a | 0\r\n2022-01-10 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-01-11 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-01-19 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-01-19 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-01-31 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-02-14 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-02-17 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-02-22 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-02-26 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-03-10 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-03-14 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-03-15 | 1 | Cobalt Strike | shellcode | N/a | 0\r\n2022-03-15 | 1 | Cobalt Strike | shellcode | N/a | 0\r\n2022-03-18 | 1 | Cobalt Strike | shellcode | N/a | 0\r\n2022-03-18 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-03-24 | 1 | Putty | exe | N/a | 0\r\n2022-03-24 | 1 | Putty | exe | N/a | 0\r\n2022-03-30 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-04-01 | 1 | Cobalt Strike | shellcode | N/a | 0\r\n2022-04-11 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-04-22 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-04-25 | 1 | Cobalt Strike | shellcode | N/a | 0\r\n2022-06-01 | 1 | Cobalt Strike | shellcode | N/a | 0\r\n2022-06-02 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-06-14 | 1 | Cobalt Strike | shellcode | N/a | 
1\r\n2022-07-04 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-07-19 | 1 | Cobalt Strike | shellcode | N/a | 0\r\n2022-07-21 | 1 | Cobalt Strike | shellcode | N/a | 0\r\n2022-08-05 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2022-08-29 | 2 | Cobalt Strike | shellcode | 0 | 1\r\n2022-09-02 | 2 | Cobalt Strike | shellcode | 0 | 0\r\n2022-09-29 | 2 | Cobalt Strike | shellcode | 1 | 0\r\n2022-10-18 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-10-18 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-10-18 | 2 | Cobalt Strike | shellcode | 1 | 0\r\n2022-10-18 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-10-21 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-10-21 | 2 | Cobalt Strike | shellcode | 1 | 0\r\n2022-10-24 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-10-26 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-10-26 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-10-28 | 2 | Cobalt Strike | shellcode | 1 | 0\r\n2022-10-31 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-11-02 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-11-03 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-11-07 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-11-08 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-11-17 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-11-22 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-11-30 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-12-01 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-12-01 | 2 | Cobalt Strike | shellcode | 1 | 0\r\n2022-12-01 | 2 | Cobalt Strike | shellcode | 1 | 0\r\n2022-12-02 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-12-05 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-12-12 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2022-12-13 | 2 | Cobalt Strike | shellcode | 1 | 
1\r\n2022-12-23 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2023-01-06 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2023-01-16 | 2 | Cobalt Strike obfuscated shellcode | shellcode | 1 | 1\r\n2023-01-16 | 2 | Cobalt Strike obfuscated shellcode | shellcode | 1 | 1\r\n2023-01-16 | 2 | Cobalt Strike obfuscated shellcode | shellcode | 1 | 1\r\n2023-01-17 | 2 | Cobalt Strike | shellcode | 0 | 1\r\n2023-01-17 | 2 | Cobalt Strike obfuscated shellcode | shellcode | 1 | 1\r\n2023-01-20 | 2 | Cobalt Strike obfuscated shellcode | shellcode | 1 | 1\r\n2023-01-20 | 2 | Cobalt Strike obfuscated shellcode | shellcode | 1 | 1\r\n2023-01-24 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2023-01-26 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2023-01-26 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2023-02-02 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2023-02-02 | 2 | Test application | shellcode | 1 | 0\r\n2023-02-02 | 2 | Test application | shellcode | 1 | 0\r\n2023-02-02 | 2 | Putty | exe | 1 | 0\r\n2023-02-02 | 2 | Test application | shellcode | 1 | 0\r\n2023-02-15 | 2 | Putty | exe | 1 | 0\r\n2023-02-15 | 2 | Test application | shellcode | 1 | 0\r\n2023-02-15 | 2 | Putty | exe | 1 | 0\r\n2023-02-15 | 2 | Test application | shellcode | 1 | 0\r\n2023-02-17 | 2 | Cobalt Strike stager | exe | 1 | 1\r\n2023-02-27 | 2 | Cobalt Strike stager | exe | 1 | 1\r\n2023-02-28 | 2 | Cobalt Strike stager | exe | 1 | 1\r\n2023-03-06 | 2 | Cobalt Strike stager | exe | 1 | 1\r\n2023-03-06 | 2 | Cobalt Strike stager | exe | 1 | 
1\r\n2023-03-06 | 2 | Cobalt Strike stager | exe | 1 | 1\r\n2023-03-15 | 2 | Cobalt Strike stager | exe | 1 | 0\r\n2023-03-19 | 2 | Cobalt Strike stager | exe | 1 | 1\r\n2023-03-23 | 1 | Cobalt Strike | shellcode | N/a | 1\r\n2023-03-28 | 2 | Cobalt Strike stager | exe | 1 | 1\r\n2023-03-28 | 2 | Cobalt Strike stager | exe | 1 | 0\r\n2023-04-03 | 2 | Cobalt Strike stager | exe | 1 | 1\r\n2023-05-25 | 2 | Cobalt Strike stager | exe | 0 | 1\r\n2023-05-26 | 2 | Cobalt Strike | shellcode | 1 | 1\r\n2023-06-11 | 2 | Test application | shellcode | 1 | 0\r\n2023-06-11 | 2 | Putty | exe | 1 | 0\r\n2023-06-11 | 2 | Putty | exe | 1 | 0\r\n2023-07-24 | 2 | BlisterMythic | exe | 1 | 1\r\n2023-07-27 | 2 | BlisterMythic | exe | 1 | 1\r\n2023-08-09 | 2 | Test application | shellcode | 1 | 0\r\n2023-08-09 | 2 | Test application | shellcode | 1 | 0\r\n2023-08-09 | 2 | Test application | shellcode | 1 | 0\r\n2023-08-09 | 2 | Test application | shellcode | 1 | 0\r\n2023-08-09 | 2 | Test application | shellcode | 1 | 0\r\n2023-08-09 | 2 | Test application | shellcode | 1 | 0\r\n2023-08-09 | 2 | Test application | shellcode | 1 | 0\r\n2023-08-09 | 2 | Test application | shellcode | 1 | 0\r\n2023-08-09 | 2 | Test application | shellcode | 1 | 0\r\n2023-08-09 | 2 | Test application | shellcode | 1 | 0\r\n2023-08-09 | 2 | Test application | shellcode | 1 | 0\r\n2023-08-10 | 2 | Putty | shellcode | 1 | 0\r\n2023-08-10 | 2 | Putty | shellcode | 1 | 0\r\n2023-08-10 | 2 | Putty | shellcode | 1 | 0\r\n2023-08-10 | 2 | Putty | shellcode | 1 | 0\r\n2023-08-10 | 2 | Putty | shellcode | 1 | 0\r\n2023-08-10 | 2 | Putty | shellcode | 1 | 0\r\n2023-08-10 | 2 | Putty | shellcode | 1 | 0\r\n2023-08-10 | 2 | Putty | shellcode | 1 | 0\r\n2023-08-10 | 2 | Putty | shellcode | 1 | 0\r\n2023-08-11 | 2 | BlisterMythic | exe | 1 | 0\r\n2023-08-15 | 2 | Test 
application shellcode 1 0\r\n2023-08-\r\n17\r\n2 BlisterMythic exe 1 1\r\n2023-08-\r\n18\r\n2 MythicPacker shellcode 1 0\r\n2023-09-\r\n05\r\n2 MythicPacker shellcode 0 0\r\n2023-09-\r\n05\r\n2 MythicPacker shellcode 0 1\r\n2023-09-\r\n08\r\n2 Test application shellcode 1 0\r\n2023-09-\r\n08\r\n2 Test application shellcode 1 0\r\n2023-09-\r\n08\r\n2 Test application shellcode 1 0\r\nhttps://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/\r\nPage 12 of 20\n\nFirst\r\nseen\r\nVersion Payload family\r\nPayload\r\ntype\r\nEnvironmental\r\nkeying\r\nPersistence\r\n2023-09-\r\n08\r\n2 Putty shellcode 1 0\r\n2023-09-\r\n08\r\n2 Putty shellcode 1 0\r\n2023-09-\r\n08\r\n2 Test application shellcode 1 0\r\n2023-09-\r\n19\r\n2 BlisterMythic exe 1 1\r\n2023-09-\r\n21\r\n2 MythicPacker shellcode 1 0\r\n2023-09-\r\n21\r\n2 MythicPacker shellcode 1 0\r\n2023-10-\r\n03\r\n2 MythicPacker shellcode 1 0\r\n2023-10-\r\n10\r\n2 MythicPacker shellcode 1 0\r\nTable 2, Information on unpacked Blister samples.\r\nCobalt Strike beacons\r\nWatermark Domain URI\r\n1101991775 albertonne[.]com /safebrowsing/d4alBmGBO/HafYg4QZaRhMBwuLAjVmSPc\r\n1101991775 astradamus[.]com /Collect/union/QXMY8BHNIPH7\r\n1101991775 backend.int.global.prod.fastly[.]net /Detect/devs/NJYO2MUY4V\r\n1101991775 cclastnews[.]com /safebrowsing/d4alBmGBO/UaIzXMVGvV3tS2OJiKxSzyzbh4u1\r\n1101991775\r\ncdp-chebe6efcxhvd0an.z01.azurefd[.]net\r\n/Detect/devs/NJYO2MUY4V\r\n1101991775 deep-linking[.]com /safebrowsing/fDeBjO/2hmXORzLK7PkevU1TehrmzD5z9\r\n1101991775 deep-linking[.]com /safebrowsing/fDeBjO/dMfdNUdgjjii3Ccalh10Mh4qyAFw5mS\r\n1101991775 deep-linking[.]com /safebrowsing/fDeBjO/vnZNyQrwUjndCPsCUXSaI\r\n1101991775\r\ndiggin-fzbvcfcyagemchbq.z01.azurefd[.]net\r\n/restore/how/3RG4G5T87\r\n1101991775 edubosi[.]com /safebrowsing/bsaGbO6l/ybGoI3wmK2uF9w9aL5qKmnS8IZIWsJqhp\r\n1101991775 e-sistem[.]com /Detect/devs/NJYO2MUY4V\r\n1101991775 ewebsofts[.]com 
/safebrowsing/3Tqo/UMskN3Lh0LyLy8BfpG1Bsvp\r\n1101991775 expreshon[.]com /safebrowsing/fDeBjO/2hmXORzLK7PkevU1TehrmzD5z9\r\n1101991775 eymenelektronik[.]com /safebrowsing/dfKa/B58qAhJ0AEF7aNwauoqpAL8\r\n1101991775 gotoknysna.com.global.prod.fastly[.]net /safebrowsing/fDeBjO/2hmXORzLK7PkevU1TehrmzD5z9\r\n1101991775\r\nhenzy-h6hxfpfhcaguhyf5.z01.azurefd[.]net\r\n/Detect/devs/NJYO2MUY4V\r\n1101991775 lepont-edu[.]com /safebrowsing/dfKa/9T1BuXpqEDg9tx53mQRU6\r\n1101991775 lindecolas[.]com /safebrowsing/d4alBmGBO/UaIzXMVGvV3tS2OJiKxSzyzbh4u1\r\n1101991775 lodhaamarathane[.]com /safebrowsing/dfKa/9T1BuXpqEDg9tx53mQRU6\r\n1101991775 mail-adv[.]com /safebrowsing/bsaGbO6l/dl1sskHxt1uGDGUnLDB5gxn4vYZQK1kaG6\r\nhttps://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/\r\nPage 13 of 20\n\nWatermark Domain URI\r\n1101991775 mainecottagebythesea[.]com /functionalStatus/cjdl-CLe4j-XHyiEaDqQx\r\n1101991775 onscenephotos[.]com /restore/how/3RG4G5T87\r\n1101991775 promedia-usa[.]com /safebrowsing/d4alBmGBO/HafYg4QZaRhMBwuLAjVmSPc\r\n1101991775 python.docs.global.prod.fastly[.]net /Collect/union/QXMY8BHNIPH7\r\n1101991775 realitygangnetwork[.]com /functionalStatus/qPprp9dtVhrGV3R3re5Xy4M2cfQo4wB\r\n1101991775 realitygangnetwork[.]com /functionalStatus/vFi8EPnc9zJTD0GgRPxggCQAaNb\r\n1101991775 sanfranciscowoodshop[.]com /safebrowsing/dfKa/GgVYon5zhYu5L7inFbl1MZEv7RGOnsS00b\r\n1101991775 sohopf[.]com /apply/admin_/99ZSSAHDH\r\n1101991775 spanish-home-sales[.]com /safebrowsing/d4alBmGBO/EB-9sfMPmsHmH-A7pmll9HbV0g\r\n1101991775 steveandzina[.]com /safebrowsing/d4alBmGBO/mr3lHbohEvZa0mKDWWdwTV5Flsxh\r\n1101991775 steveandzina[.]com /safebrowsing/d4alBmGBO/YwTM1CK0mBV1Y7UDagpjP\r\n1101991775 websterbarn[.]com /safebrowsing/fDeBjO/CGZcHKnX3arVCfFp98k8\r\n1580103824 10.158.128[.]50\r\n1580103824 bimelectrical[.]com /safebrowsing/7IAMO/hxNTeZ8lBNYqjAsQ2tBRS\r\n1580103824 bimelectrical[.]com 
/safebrowsing/7IAMO/Jwee0NMJNKn9sDD8sUEem4g8jcB2v44UINpCIj\r\n1580103824 bookmark-tag[.]com /safebrowsing/eMUgI4Z/3RzgDBAvgg3DQUn8XtN8l\r\n1580103824 braprest[.]com\r\n/safebrowsing/d5pERENa/3tPCoNwoGwXAvV1w1JAS-OOPyVYxL1K2styHFtbXar7ME\r\n1580103824 change-land[.]com /safebrowsing/TKc3hA/DzwHHcc8y8O9kAS7cl4SDK0e6z0KHKIX9w7\r\n1580103824 change-land[.]com /safebrowsing/TKc3hA/nLTHCIhzOKpdFp0GFHYBK-0bRwdNDlZz6Qc\r\n1580103824 clippershipintl[.]com /safebrowsing/sj0IWAb/YhcZADXFB3NHbxFtKgpqBtK9BllJiGEL\r\n1580103824 couponbrothers[.]com /safebrowsing/Jwjy4/mzAoZyZk7qHIyw3QrEpXij5WFhIo1z8JDUVA0N0\r\n1580103824 electronic-infinity[.]com /safebrowsing/TKc3hA/t-nAkENGu9rpZ9ebRRXr79b\r\n1580103824 final-work[.]com /safebrowsing/AvuvAkxsR/8I6ikMUvdNd8HOgMeD0sPfGpwSZEMr\r\n1580103824 geotypico[.]com /safebrowsing/d5pERENa/f5oBhEk7xS3cXxstp6Kx1G7u3N546UStcg9nEnzJn2k\r\n1580103824 imsensors[.]com /safebrowsing/eMUgI4Z/BOhKRIMsJsuPnn3IQvgrEc3XLQUB3W\r\n1580103824 intradayinvestment[.]com /safebrowsing/dpNqi/nXeFgGufr9VqHjDdsIZbw-ZH0\r\n1580103824 medicare-cost[.]com /safebrowsing/dpNqi/F3QExtY65SvTVK1ewA26\r\n1580103824 optiontradingsignal[.]com /safebrowsing/dpNqi/7CtHhF-isMMQ6m7NmHYNb0N7E7Fe\r\n1580103824 setechnowork[.]com /safebrowsing/fBm1b/JbcKDYjMWcQNjn69LnGggFe6mpjn5xOQ\r\n1580103824 sikescomposites[.]com /safebrowsing/Jwjy4/cmr4tZ7IyFGbgCiof2tHMO\r\n1580103824 technicollit[.]com /safebrowsing/b0kKKIjr/AzX9ZHB37oJfPsUBUaxBJjzzi132cYRZhUZc81g\r\n1580103824 wasfatsahla[.]com /safebrowsing/IsXNCJJfH/5x0rUIrn–r85sLJIuEY7C9q\r\n206546002 smutlr[.]com /functionalStatus/qPprp9dtVhrGV3R3re5Xy4M2cfQo4wB\r\n206546002 spanish-home-sales[.]com /functionalStatus/fb8ClEdmm-WwYudk-zODoQYB7DX3wQYR\r\nTable 3, Information on observed Cobalt Strike beacons dropped by Blister.\r\nBlisterMythic payloads\r\nhttps://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/\r\nPage 14 of 20\n\nDomain 
URI\r\n139-177-202-\r\n78.ip.linodeusercontent[.]com\r\n/etc.clientlibs/sapdx/front-layer/dist/resources/sapcom/919.9853a7ee629d48b1ddbe.js\r\n23-92-30-\r\n58.ip.linodeusercontent[.]com\r\n/etc.clientlibs/sapdx/front-layer/dist/resources/sapcom/919.9853a7ee629d48b1ddbe.js\r\naviditycellars[.]com\r\n/etc.clientlibs/sapdx/front-layer/dist/resources/sapcom/919.9853a7ee629d48b1ddbe.js\r\nboxofficeseer[.]com /s/0.7.8/clarity.js\r\nd1hp6ufzqrj3xv.cloudfront[.]net /organizations/oauth2/v2.0/authorize\r\nmakethumbmoney[.]com /s/0.7.8/clarity.js\r\nrosevalleylimousine[.]com /login.sophos.com/B2C_1A_signup_signin/api/SelfAsserted/confirmed\r\nTable 4, Information on observed Mythic agents dropped by Blister.\r\nBlisterMythic C2 servers\r\nIP Domain\r\n37.1.215[.]57 angelbusinessteam[.]com\r\n92.118.112[.]100 danagroupegypt[.]com\r\n104.238.60[.]11 shchiswear[.]com\r\n172.233.238[.]215 N/a\r\n96.126.111[.]127 N/a\r\n23.239.11[.]145 N/a\r\n45.33.98[.]254 N/a\r\n45.79.199[.]4 N/a\r\n45.56.105[.]98 N/a\r\n149.154.158[.]243 futuretechfarm[.]com\r\n104.243.33[.]161 sms-atc[.]com\r\n104.243.33[.]129 makethumbmoney[.]com\r\n138.124.180[.]241 vectorsandarrows[.]com\r\n94.131.101[.]58 pacatman[.]com\r\n198.58.119[.]214 N/a\r\n185.174.101[.]53 personmetal[.]com\r\n185.45.195[.]30 aviditycellars[.]com\r\n185.250.151[.]145 bureaudecreationalienor[.]com\r\n23.227.194[.]115 bitscoinc[.]com\r\n88.119.175[.]140 boxofficeseer[.]com\r\n88.119.175[.]137 thesheenterprise[.]com\r\n37.1.214[.]162 remontisto[.]com\r\n45.66.248[.]99 N/a\r\n88.119.175[.]104 visioquote[.]com\r\n45.66.248[.]13 cannabishang[.]com\r\n92.118.112[.]8 turanmetal[.]com\r\n37.1.211[.]150 lucasdoors[.]com\r\nhttps://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/\r\nPage 15 of 20\n\nIP Domain\r\n185.72.8[.]219 displaymercials[.]com\r\n172.232.172[.]128 N/a\r\n82.117.253[.]168 digtupu[.]com\r\n104.238.60[.]112 avblokhutten[.]com\r\n173.44.141[.]34 
hom4u[.]com\r\n170.130.165[.]140 rosevalleylimousine[.]com\r\n172.232.172[.]110 N/a\r\n5.8.63[.]79 boezgrt[.]com\r\n172.232.172[.]125 N/a\r\n162.248.224[.]56 hatchdesignsnh[.]com\r\n185.174.101[.]13 formulaautoparts[.]com\r\n23.152.0[.]193 ivermectinorder[.]com\r\n192.169.6[.]200 szdeas[.]com\r\n194.87.32[.]85 licencesolutions[.]com\r\n185.45.195[.]205 motorrungoli[.]com\r\nTable 5, Detected BlisterMythic C2 servers\r\nBlister samples\r\nSHA256\r\nPayload\r\nfamily\r\nPayload SHA256\r\n0a73a9ee3650821352d9c4b46814de8f73fde659cae6b82a11168468becb68d1 Cobalt Strike 397c08f5cdc59085a48541c89d23a8880d415\r\n0bbf1a3a8dd436fda213bc126b1ad0b8704d47fd8f14c75754694fd47a99526c BlisterMythic ab7cab5192f0bef148670338136b0d3affe8ae\r\n0e8458223b28f24655caf37e5c9a1c01150ac7929e6cb1b11d078670da892a5b Cobalt Strike 4420bd041ae77fce2116e6bd98f4ed6945514\r\n0f07c23f7fe5ff918ee596a7f1df320ed6e7783ff91b68c636531aba949a6f33\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\na3cb53ddd4a5316cb02b7dc4ccd1f615755b46e86a88152a1f8fc59efe170497 Cobalt Strike e85a2e8995ef37acf15ea79038fae70d4566bd\r\na403b82a14b392f8485a22f105c00455b82e7b8a3e7f90f460157811445a8776 Cobalt Strike e0c0491e45dda838f4ac01b731dd39cc70646\r\na5fc8d9f9f4098e2cecb3afc66d8158b032ce81e0be614d216c9deaf20e888ac\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\na9ea85481e178cd35ae323410d619e97f49139dcdb2e7da72126775a89a8464f Cobalt Strike c7accad7d8da9797788562a3de228186290b0\r\nac232e7594ce8fbbe19fc74e34898c562fe9e8f46d4bfddc37aefeb26b85c02b\r\nCobalt Strike\r\nobfuscated\r\nshellcode\r\ncef1a88dfc436dab9ae104f0770a434891bbd6\r\nacdaac680e2194dd8fd06f937847440e7ab83ce1760eab028507ee8eba557291 Cobalt Strike b96d4400e9335d80dedee6f74ffaa4eca9ffce2\r\nae148315cec7140be397658210173da372790aa38e67e7aa51597e3e746f2cb2 Cobalt Strike f245b2bc118c3c20ed96c8a9fd0a7b659364f9\r\naeecc65ac8f0f6e10e95a898b60b43bf6ba9e2c0f92161956b1725d68482721d Cobalt Strike 
797abd3de3cb4c7a1ceb5de5a95717d84333b\r\nb062dd516cfa972993b6109e68a4a023ccc501c9613634468b2a5a508760873e Cobalt Strike 122b77fd4d020f99de66bba8346961b565e80\r\nb10db109b64b798f36c717b7a050c017cf4380c3cb9cfeb9acd3822a68201b5b Cobalt Strike 902d29871d3716113ca2af5caa6745cb4ab9d\r\nb1d1a972078d40777d88fb4cd6aef1a04f29c5dd916f30a6949b29f53a2d121c Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\nb1f3f1c06b1cc9a249403c2863afc132b2d6a07f137166bdd1e4863a0cece5b1 Cobalt Strike e63807daa9be0228d90135ee707ddf03b0035\r\nb4c746e9a49c058ae3843799cdd6a3bb5fe14b413b9769e2b5a1f0f846cb9d37\r\nCobalt Strike\r\nstager\r\n063191c49d49e6a8bdcd9d0ee2371fb1b90f1\r\nhttps://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/\r\nPage 16 of 20\n\nSHA256\r\nPayload\r\nfamily\r\nPayload SHA256\r\nb4f37f13a7e9c56ea95fa3792e11404eb3bdb878734f1ca394ceed344d22858f\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\nb956c5e8ec6798582a68f24894c1e78b9b767aae4d5fb76b2cc71fc9c8befed8 Cobalt Strike 6fc283acfb7dda7bab02f5d23dc90b318f4c73\r\nb99ba2449a93ab298d2ec5cacd5099871bacf6a8376e0b080c7240c8055b1395 Cobalt Strike 96fab57ef06b433f14743da96a5b874e96d8c9\r\nb9e313e08b49d8d2ffe44cb6ec2192ee3a1c97b57c56f024c17d44db042fb9eb\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\nbc238b3b798552958009f3a4ce08e5ce96edff06795281f8b8de6f5df9e4f0fe\r\nCobalt Strike\r\nstager\r\n191566d8cc119cd6631d353eab0b8c1b8ba26\r\nbcd64a8468762067d8a890b0aa7916289e68c9d8d8f419b94b78a19f5a74f378 Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\nc113e8a1c433b4c67ce9bce5dea4b470da95e914de4dc3c3d5a4f98bce2b7d6c Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\nc1261f57a0481eb5d37176702903025c5b01a166ea6a6d42e1c1bdc0e5a0b04b\r\nCobalt Strike\r\nobfuscated\r\nshellcode\r\n189b7afdd280d75130e633ebe2fcf8f54f2811\r\nc149792a5e5ce4c15f8506041e2f234a9a9254dbda214ec79ceef7d0911a3095 Putty 
0581160998be30f79bd9a0925a01b0ebc4cb9\r\nc2046d64bcfbab5afcb87a75bf3110e0fa89b3e0f7029ff81a335911cf52f00a Cobalt Strike d048001f09ad9eedde44f471702a2a0f453c57\r\nc3509ba690a1fcb549b95ad4625f094963effc037df37bd96f9d8ed5c7136d94 Cobalt Strike e0c0491e45dda838f4ac01b731dd39cc70646\r\nc3cfbede0b561155062c2f44a9d44c79cdb78c05461ca50948892ff9a0678f3f Cobalt Strike bcb32a0f782442467ea8c0bf919a28b58690c\r\nc79ab271d2abd3ee8c21a8f6ad90226e398df1108b4d42dc551af435a124043c Cobalt Strike 749d061acb0e584df337aaef26f3b555d5596a\r\ncab95dc6d08089dcd24c259f35b52bca682635713c058a74533501afb94ab91f Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\ncea5c060dd8abd109b478e0de481f0df5ba3f09840746a6a505374d526bd28dc MythicPacker 759ac6e54801e7171de39e637b9bb52519805\r\ncfa604765b9d7a93765d46af78383978251486d9399e21b8e3da4590649c53e4\r\nCobalt Strike\r\nstager\r\n57acdb7a22f5f0c6d374be2341dbef97efbcc6\r\nd1afca36f67b24eae7f2884c27c812cddc7e02f00f64bb2f62b40b21ef431084 Cobalt Strike f570bd331a3d75e065d1825d97b922503c83a\r\nd1b6671fc0875678ecf39d737866d24aca03747a48f0c7e8855a5b09fc08712d\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\nd3d48aa32b062b6e767966a8bab354eded60e0a11be5bc5b7ad8329aa5718c76 Cobalt Strike 60905c92501ec55883afc3f6402a05bddfd335\r\nd3eab2a134e7bd3f2e8767a6285b38d19cd3df421e8af336a7852b74f194802c BlisterMythic 2fd38f6329b9b2c5e0379a445e81ece43fe037\r\nd439f941b293e3ded35bf52fac7f20f6a2b7f2e4b189ad2ac7f50b8358110491 Cobalt Strike 18a9eafb936bf1d527bd4f0bfae623400d6367\r\ndac00ec780aabaffed1e89b3988905a7f6c5c330218b878679546a67d7e0eef2 Cobalt Strike adc73af758c136e5799e25b4d3d69e462e090\r\ndb62152fe9185cbd095508a15d9008b349634901d37258bc3939fe3a563b4b3c MythicPacker 7f71d316c197e4e0aa1fce9d40c6068ada4249\r\ndb81e91fc05991f71bfd5654cd60b9093c81d247ccd8b3478ab0ebef61efd2ad Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\ndd42c1521dbee54173be66a5f98a811e5b6ee54ad1878183c915b03b68b7c9bb Cobalt Strike 
d988a867a53c327099a4c9732a1e4ced6fe6ec\r\ne0888b80220f200e522e42ec2f15629caa5a11111b8d1babff509d0da2b948f4 Cobalt Strike 915503b4e985ab31bc1d284f60003240430b3\r\ne30503082d3257737bba788396d7798e27977edf68b9dba7712a605577649ffb Cobalt Strike df01b0a8112ca80daf6922405c3f4d1ff7a8ff0\r\ne521cad48d47d4c67705841b9c8fa265b3b0dba7de1ba674db3a63708ab63201\r\nCobalt Strike\r\nstager\r\n40cac28490cddfa613fd58d1ecc8e676d9263a\r\ne62f5fc4528e323cb17de1fa161ad55eb451996dec3b31914b00e102a9761a52 Cobalt Strike 19e7bb5fa5262987d9903f388c4875ff2a3765\r\nebafb35fd9c7720718446a61a0a1a10d09bf148d26cdcd229c1d3d672835335c Cobalt Strike 5cb2683953b20f34ff26ddc0d3442d07b4cd8\r\nebf40e12590fcc955b4df4ec3129cd379a6834013dae9bb18e0ec6f23f935bba Cobalt Strike d99bac48e6e347fcfd56bbf723a73b0b6fb527\r\nef7ff2d2decd8e16977d819f122635fcd8066fc8f49b27a809b58039583768d2 Cobalt Strike adc73af758c136e5799e25b4d3d69e462e090\r\nefbffc6d81425ffb0d81e6771215c0a0e77d55d7f271ec685b38a1de7cc606a8 Cobalt Strike 47bd5fd96c350f5e48f5074ebee98e8b0f4efb\r\nhttps://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/\r\nPage 17 of 20\n\nSHA256\r\nPayload\r\nfamily\r\nPayload SHA256\r\nf08fdb0633d018c0245d071fa79cdc3915da75d3c6fc887a5ca6635c425f163a\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\nf3bfd8ab9e79645babf0cb0138d51368fd452db584989c4709f613c93caf2bdc Cobalt Strike cd7135c94929f55e19e5d66359eab46422c3c\r\nf58de1733e819ea38bce21b60bb7c867e06edb8d4fd987ab09ecdbf7f6a319b9 MythicPacker 19eae7c0b7a1096a71b595befa655803c7350\r\nf7fa532ad074db4a39fd0a545278ea85319d08d8a69c820b081457c317c0459e Cobalt Strike 902d29871d3716113ca2af5caa6745cb4ab9d\r\nfce9de0a0acf2ba65e9e252a383d37b2984488b6a97d889ec43ab742160acce1\r\nCobalt Strike\r\nstager\r\n40cac28490cddfa613fd58d1ecc8e676d9263a\r\nffb255e7a2aa48b96dd3430a5177d6f7f24121cc0097301f2e91f7e02c37e6bf Cobalt Strike 
5af6626a6bc7265c21adaffb23cc58bc52c4eb\r\n1a50c358fa4b725c6e0e26eee3646de26ba38e951f3fe414f4bf73532af62455 Cobalt Strike 8f1cc6ab8e95b9bfdf22a2bde77392e706b6fb\r\n1be3397c2a85b4b9a5a111b9a4e53d382df47a0a09065639d9e66e0b55fe36fc\r\nCobalt Strike\r\nstager\r\n3f28a055d56f46559a21a2b0db918194324a1\r\n1d058302d1e747714cac899d0150dcc35bea54cc6e995915284c3a64a76aacb1 Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\n02b1bd89e9190ff5edfa998944fd6048d32a3bde3a72d413e8af538d9ad770b4\r\nCobalt Strike\r\nobfuscated\r\nshellcode\r\n3760db55a6943f4216f14310ab10d404e5c0a\r\n2cf125d6f21c657f8c3732be435af56ccbe24d3f6a773b15eccd3632ea509b1a Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\n2f2e62c9481ba738a5da7baadfc6d029ef57bf7a627c2ac0b3e615cab5b0cfa2 Cobalt Strike 39ed516d8f9d9253e590bad7c5daecce9df21f\r\n3bc8ce92409876526ad6f48df44de3bd1e24a756177a07d72368e2d8b223bb39 Cobalt Strike 20e43f60a29bab142f050fab8c5671a0709ee4\r\n3dffb7f05788d981efb12013d7fadf74fdf8f39fa74f04f72be482847c470a53 Cobalt Strike 8e78ad0ef549f38147c6444910395b053c533\r\n3f6e3e7747e0b1815eb2a46d79ebd8e3cb9ccdc7032d52274bc0e60642e9b31e Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\n3fff407bc45b879a1770643e09bb99f67cdcfe0e4f7f158a4e6df02299bac27e\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n4b3cd3aa5b961791a443b89e281de1b05bc3a9346036ec0da99b856ae7dc53a8 Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\n4faf362b3fe403975938e27195959871523689d0bf7fba757ddfa7d00d437fd4 Cobalt Strike 60905c92501ec55883afc3f6402a05bddfd335\r\n5d72cc2e47d3fd781b3fc4e817b2d28911cd6f399d4780a5ff9c06c23069eae1 MythicPacker 9a08d2db7d0bd7d4251533551d4def0f5ee52\r\n5ea74bca527f7f6ea8394d9d78e085bed065516eca0151a54474fffe91664198 Cobalt Strike be314279f817f9f000a191efb8bcc2962fcc61\r\n5fc79a4499bafa3a881778ef51ce29ef015ee58a587e3614702e69da304395db BlisterMythic 
3d2499e5c9b46f1f144cfbbd4a2c8ca50a3c10\r\n06cd6391b5fcf529168dc851f27bf3626f20e038a9c0193a60b406ad1ece6958\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n6a7ae217394047c17d56ec77b2243d9b55617a1ff591d2c2dfc01f2da335cbbf MythicPacker 1e3b373f2438f1cc37e15fdede581bdf2f7fc22\r\n6e75a9266e6bbfd194693daf468dd86d106817706c57b1aad95d7720ac1e19e3 Cobalt Strike 4adf3875a3d8dd3ac4f8be9c83aaa7e3e35a8d\r\n7e61498ec5f0780e0e37289c628001e76be88f647cad7a399759b6135be8210a\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n7f7b9f40eea29cfefc7f02aa825a93c3c6f973442da68caf21a3caae92464127 Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\n8b6eb2853ae9e5faff4afb08377525c9348571e01a0e50261c7557d662b158e1\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n8d53dc0857fa634414f84ad06d18092dedeb110689a08426f08cb1894c2212d4 Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\n8e6c0d338f201630b5c5ba4f1757e931bc065c49559c514658b4c2090a23e57b Cobalt Strike f2329ae2eb28bba301f132e5923282b74aa7a9\r\n8f9289915b3c6f8bf9a71d0a2d5aeb79ff024c108c2a8152e3e375076f3599d5 BlisterMythic f89cfbc1d984d01c57dd1c3e8c92c7debc2beb\r\n9c5c9d35b7c2c448a610a739ff7b85139ea1ef39ecd9f51412892cd06fde4b1b\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n13c7f28044fdb1db2289036129b58326f294e76e011607ca8d4c5adc2ddddb16 Cobalt Strike 19e7bb5fa5262987d9903f388c4875ff2a3765\r\nhttps://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/\r\nPage 18 of 20\n\nSHA256\r\nPayload\r\nfamily\r\nPayload SHA256\r\n19b0db9a9a08ee113d667d924992a29cd31c05f89582953eff5a52ad8f533f4b\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n19d4a7d08176119721b9a302c6942718118acb38dc1b52a132d9cead63b11210\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n22e65a613e4520a6f824a69b795c9f36af02247f644e50014320857e32383209 Cobalt Strike 
18a9eafb936bf1d527bd4f0bfae623400d6367\r\n028da30664cb9f1baba47fdaf2d12d991dcf80514f5549fa51c38e62016c1710 Cobalt Strike 8e78ad0ef549f38147c6444910395b053c533\r\n37b6fce45f6bb52041832eaf9c6d02cbc33a3ef2ca504adb88e19107d2a7aeaa Cobalt Strike 902d29871d3716113ca2af5caa6745cb4ab9d\r\n42beac1265e0efc220ed63526f5b475c70621573920968a457e87625d66973af\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n43c1ee0925ecd533e0b108c82b08a3819b371182e93910a0322617a8acf26646 Cobalt Strike 5cb2683953b20f34ff26ddc0d3442d07b4cd8\r\n44ce7403ca0c1299d67258161b1b700d3fa13dd68fbb6db7565104bba21e97ae MythicPacker f3b0357562e51311648684d381a23fa2c1d09\r\n49ba10b4264a68605d0b9ea7891b7078aeef4fa0a7b7831f2df6b600aae77776 Cobalt Strike 0603cf8f5343723892f08e990ae2de8649fcb4\r\n54c7c153423250c8650efc0d610a12df683b2504e1a7a339dfd189eda25c98d4\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n58fdee05cb962a13c5105476e8000c873061874aadbc5998887f0633c880296a\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n73baa040cd6879d1d83c5afab29f61c3734136bffe03c72f520e025385f4e9a2 Cobalt Strike 17392d830935cfad96009107e8b034f952fb5\r\n78d93b13efd0caa66f5d91455028928c3b1f44d0f2222d9701685080e30e317d Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\n83c121db96d99f0d99b9e7a2384386f3f6debcb01d977c4ddca5bcdf2c6a2daa\r\nCobalt Strike\r\nstager\r\n39323f9c0031250414cb4683662e1c533960d\r\n84b245fce9e936f1d0e15d9fca8a1e4df47c983111de66fcc0ad012a63478c8d\r\nCobalt Strike\r\nstager\r\nd961e9db4a96c87226dbc973658a14082324e\r\n84b2d16124b690d77c5c43c3a0d4ad78aaf10d38f88d9851de45d6073d8fcb65 Cobalt Strike 0091186459998ad5b699fdd54d57b1741af73\r\n85d3f81a362a3df9ba2f0a00dd12cd654e55692feffc58782be44f4c531d9bb9 Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\n96e8b44ec061c49661bd192f279f7b7ba394d03495a2b46d3b37dcae0f4892f1\r\nCobalt Strike\r\nstager\r\n6f7d7da247cac20d5978f1257fdd420679d0ce\r\n96ebacf48656b804aed9979c2c4b651bbb1bc19878b56bdf76954d6eff8ad7ca Cobalt Strike 
d988a867a53c327099a4c9732a1e4ced6fe6ec\r\n113c9e7760da82261d77426d9c41bc108866c45947111dbae5cd3093d69e0f1d Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\n149c3d044abc3c3a15ba1bb55db7e05cbf87008bd3d23d7dd4a3e31fcfd7af10 Cobalt Strike e63807daa9be0228d90135ee707ddf03b0035\r\n307fc7ebde82f660950101ea7b57782209545af593d2c1115c89f328de917dbb\r\nCobalt Strike\r\nstager\r\n40cac28490cddfa613fd58d1ecc8e676d9263a\r\n356efe6b10911d7daaffed64278ba713ab51f7130d1c15f3ca86d17d65849fa5\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n394ce0385276acc6f6c173a3dde6694881130278bfb646be94234cc7798fd9a9 Cobalt Strike 60e2fe4eb433d3f6d590e75b2a767755146ac\r\n396dce335b16111089a07ecb2d69827f258420685c2d9f3ea9e1deee4bff9561\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n541eab9e348c40d510db914387068c6bfdf46a6ff84364fe63f6e114af8d79cf\r\nCobalt Strike\r\nstager\r\n4e2a011922e0060f995bfde375d75060bed00\r\n745a3dcdda16b93fedac8d7eefd1df32a7255665b8e3ee71e1869dd5cd14d61c\r\nCobalt Strike\r\nobfuscated\r\nshellcode\r\ncef1a88dfc436dab9ae104f0770a434891bbd6\r\n753f77134578d4b941b8d832e93314a71594551931270570140805675c6e9ad3 Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\n863de84a39c9f741d8103db83b076695d0d10a7384e4e3ba319c05a6018d9737 Cobalt Strike 3a1e65d7e9c3c23c41cb1b7d1117be4355beb\r\n902fa7049e255d5c40081f2aa168ac7b36b56041612150c3a5d2b6df707a3cff Cobalt Strike 397c08f5cdc59085a48541c89d23a8880d415\r\nhttps://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/\r\nPage 19 of 20\n\nSHA256\r\nPayload\r\nfamily\r\nPayload SHA256\r\n927e04371fa8b8d8a1de58533053c305bb73a8df8765132a932efd579011c375 Cobalt Strike 2e0767958435dd4d218ba0bc99041cc9f12c9\r\n2043d7f2e000502f69977b334e81f307e2fda742bbc5b38745f6c1841757fddc\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n02239cac2ff37e7f822fd4ee57ac909c9f541a93c27709e9728fef2000453afe Cobalt Strike 
18a9eafb936bf1d527bd4f0bfae623400d6367\r\n4257bf17d15358c2f22e664b6112437b0c2304332ff0808095f1f47cf29fc1a2 Cobalt Strike 3a1e65d7e9c3c23c41cb1b7d1117be4355beb\r\n6558ac814046ecf3da8c69affea28ce93524f93488518d847e4f03b9327acb44\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n8450ed10b4bef6f906ff45c66d1a4a74358d3ae857d3647e139fdaf0e3648c10 BlisterMythic ab7cab5192f0bef148670338136b0d3affe8ae\r\n9120f929938cd629471c7714c75d75d30daae1f2e9135239ea5619d77574c1fe Cobalt Strike 647e992e24e18c14099b68083e9b04575164e\r\n28561f309d208e885a325c974a90b86741484ba5e466d59f01f660bed1693689 Cobalt Strike 397c08f5cdc59085a48541c89d23a8880d415\r\n30628bcb1db7252bf710c1d37f9718ac37a8e2081a2980bead4f21336d2444bc\r\nCobalt Strike\r\nobfuscated\r\nshellcode\r\n13f23b5db4a3d0331c438ca7d516d565a08ca\r\n53121c9c5164d8680ae1b88d95018a553dff871d7b4d6e06bd69cbac047fe00f Cobalt Strike 902d29871d3716113ca2af5caa6745cb4ab9d\r\n67136ab70c5e604c6817105b62b2ee8f8c5199a647242c0ddbf261064bb3ced3\r\nCobalt Strike\r\nobfuscated\r\nshellcode\r\n0aecd621b386126459b39518f157ee240866c\r\n79982f39ea0c13eeb93734b12f395090db2b65851968652cab5f6b0827b49005 MythicPacker 152455f9d970f900eb237e1fc2c29ac4c72616\r\n87269a95b1c0e724a1bfe87ddcb181eac402591581ee2d9b0f56dedbaac04ff8 Cobalt Strike f3d42e4c1a47f0e1d3812d5f912487d046621\r\n89196b39a0edebdf2026053cb4e87d703b9942487196ff9054ef775fdcad1899\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n91446c6d3c11074e6ff0ff42df825f9ffd5f852c2e6532d4b9d8de340fa32fb8\r\nTest\r\napplication\r\n43308bde79e71b2ed14f318374a80fadf201cc\r\n96823bb6befe5899739bd69ab00a6b4ae1256fd586159968301a4a69d675a5ec Cobalt Strike 3b3bdd819f4ee8daa61f07fc9197b2b39d0434\r\n315217b860ab46c6205b36e49dfaa927545b90037373279723c3dec165dfaf11 Cobalt Strike 96fab57ef06b433f14743da96a5b874e96d8c9\r\n427481ab85a0c4e03d1431a417ceab66919c3e704d7e017b355d8d64be2ccf41 Putty 
0581160998be30f79bd9a0925a01b0ebc4cb9\r\n595153eb56030c0e466cda0becb1dc9560e38601c1e0803c46e7dfc53d1d2892 Cobalt Strike f245b2bc118c3c20ed96c8a9fd0a7b659364f9\r\n812263ea9c6c44ef6b4d3950c5a316f765b62404391ddb6482bdc9a23d6cc4a6 Cobalt Strike 18a9eafb936bf1d527bd4f0bfae623400d6367\r\n1358156c01b035f474ed12408a9e6a77fe01af8df70c08995393cbb7d1e1f8a6 Cobalt Strike b916749963bb08b15de7c302521fd0ffec1c66\r\n73162738fb3b9cdd3414609d3fe930184cdd3223d9c0d7cb56e4635eb4b2ab67 Cobalt Strike 19e7bb5fa5262987d9903f388c4875ff2a3765\r\n343728792ed1e40173f1e9c5f3af894feacd470a9cdc72e4f62c0dc9cbf63fc1 Putty 0581160998be30f79bd9a0925a01b0ebc4cb9\r\n384408659efa1f87801aa494d912047c26259cd29b08de990058e6b45619d91a\r\nCobalt Strike\r\nstager\r\n824914bb34ca55a10f902d4ad2ec931980f56\r\n49925637250438b05d3aebaac70bb180a0825ec4272fbe74c6fecb5e085bcf10 Cobalt Strike e0c0491e45dda838f4ac01b731dd39cc70646\r\nTable 6, Hashes of Blister samples and of the payload it drops, including the payload label.\r\nSource: https://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/\r\nhttps://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/"
	],
	"report_names": [
		"popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eae4b6c4-8a61-4303-becc-b11f00b5bfda",
			"created_at": "2024-02-22T02:00:03.772831Z",
			"updated_at": "2026-04-10T02:00:03.592334Z",
			"deleted_at": null,
			"main_name": "ShadowSyndicate",
			"aliases": [],
			"source_name": "MISPGALAXY:ShadowSyndicate",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433973,
	"ts_updated_at": 1775792003,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8b13c87fa6f0a68a889d664d0febecbf52fb173.pdf",
		"text": "https://archive.orkl.eu/a8b13c87fa6f0a68a889d664d0febecbf52fb173.txt",
		"img": "https://archive.orkl.eu/a8b13c87fa6f0a68a889d664d0febecbf52fb173.jpg"
	}
}