{
	"id": "2974b124-feb5-440f-b027-bbe7f9f8e0ad",
	"created_at": "2026-04-17T02:20:25.281815Z",
	"updated_at": "2026-04-18T02:21:47.730323Z",
	"deleted_at": null,
	"sha1_hash": "b40d974e023a0b6e51845fe1585ec7172de04d96",
	"title": "28th November – Threat Intelligence Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63219,
	"plain_text": "28th November – Threat Intelligence Report\r\nBy lorenf\r\nPublished: 2022-11-28 · Archived: 2026-04-17 02:00:51 UTC\r\nFor the latest discoveries in cyber research for the week of 28th November, please download our Threat Intelligence Bulletin.\r\nTop Attacks and Breaches\r\nThe European Parliament website was hit by a DDoS (Distributed Denial of Service) attack following a vote declaring Russia a state sponsor of terrorism. The pro-Russian hacktivist groups Anonymous Russia and Killnet claimed responsibility for the attack, which was still ongoing at the time of writing.\r\nUkrainian organizations have fallen victim to ransomware attacks linked to the Russian military cyber-espionage group Sandworm (tracked by Microsoft as IRIDIUM). The group used a new malware strain dubbed ‘RansomBoggs’, distributed via a PowerShell script run from the domain controller. ‘RansomBoggs’ encrypts files with AES-256 in CBC mode under a randomly generated key and appends a ‘.chsch’ extension to the encrypted files.\r\nThe Ragnar Locker ransomware gang has published stolen data belonging to the Zwijndrecht police, a local police unit in Antwerp, Belgium. The data, initially attributed to the municipality of Zwijndrecht, contains a large amount of personal information, including thousands of car plate numbers, fines, crime report files, investigation reports, and more.\r\nThe sports betting company DraftKings has been breached, with approximately $300K drained from active user accounts. After taking over accounts, the threat actors changed the users’ passwords, enabled two-factor authentication on phone numbers they controlled, and were then able to view the victims’ linked bank account information.\r\nSeveral American colleges, including Cincinnati State College, were hit by ransomware attacks over the Thanksgiving holiday. The attacks took down the colleges’ financial aid services, network printing, VPN tools, admission application platforms, transcript exchanges, grading tools and more. Ransomware attacks targeting educational institutions are part of a recently observed, ongoing trend.\r\nCheck Point Threat Emulation provides protection against this threat (Trojan.Win.ViceSociety.*)\r\nThe Black Basta ransomware group is running a campaign targeting organizations in the United States, Canada, the United Kingdom, Australia, and New Zealand. The group uses the QakBot (AKA QBot, Pinkslipbot) banking Trojan to infect an environment and install a backdoor through which it drops the ransomware. Successful infection also allows the group to steal victims’ financial data, including browser information, keystrokes, and credentials.\r\nCheck Point Threat Emulation provides protection against this threat (Trojan.Wins.Qbot; Banker.Wins.Qbot)\r\nVulnerabilities and Patches\r\nGoogle has released an update for the Chrome web browser to patch a new, actively exploited zero-day vulnerability. Tracked as CVE-2022-4135, the flaw is a heap-based buffer overflow in the GPU component that could be used to crash the browser or execute arbitrary code.\r\nResearchers have analyzed a recently patched SQL injection vulnerability in Zoho ManageEngine products. Tracked as CVE-2022-40300, the flaw lets a threat actor send a crafted request to the target server that results in arbitrary SQL execution in the security context of the database service, which runs with SYSTEM privileges.\r\nMicrosoft has tied an attack on seven facilities managing the electricity grid in Northern India to a vulnerable component, the Boa web server, which vendors use across a variety of IoT devices and popular software development kits (SDKs). Successful exploitation could allow attackers to silently gain access to networks by collecting information from files. The Boa project has been discontinued since 2005, so affected devices depend on their vendors for fixes rather than on an upstream patch.\r\nThreat Intelligence Reports\r\nResearchers have investigated the Luna Moth ransomware campaign, which has extorted hundreds of thousands of dollars from several victims in the legal and retail sectors using callback phishing and telephone-oriented attack delivery (TOAD).\r\nA technical analysis of a new Go-based information stealer named ‘Aurora’ has been published. The malware steals sensitive information from browsers and cryptocurrency apps, exfiltrates data directly from disk, and loads additional payloads.\r\nResearchers have examined a new ransomware tool called ‘AXLocker’, which encrypts several file types, rendering them unusable, steals Discord tokens from the victim’s machine, and demands a ransom payment to recover the encrypted files.\r\nCheck Point Threat Emulation provides protection against this threat (Ransomware.Win.TouchTrapFiles.A)\r\nResearchers have discovered a new variant of the ‘RansomExx’ ransomware, primarily designed to run on Linux. The ransomware, operated by the DefrayX threat actor group, encrypts files with AES-256 and protects the AES keys with RSA.\r\nCheck Point Threat Emulation provides protection against this threat (Ransomware.Wins.Ransomexx)\r\nAn information-stealing Google Chrome browser extension named ‘VenomSoftX’ is being deployed by Windows malware to steal cryptocurrency and clipboard contents as users browse the web. The extension is installed by the ViperSoftX Windows malware, which acts as a JavaScript-based RAT and cryptocurrency hijacker.\r\nSource: https://research.checkpoint.com/2022/28th-november-threat-intelligence-report/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2022/28th-november-threat-intelligence-report/"
	],
	"report_names": [
		"28th-november-threat-intelligence-report"
	],
	"threat_actors": [
		{
			"id": "d87fb380-03db-447c-a560-33e1b6e70e87",
			"created_at": "2025-05-29T02:00:03.231385Z",
			"updated_at": "2026-04-18T02:00:04.145412Z",
			"deleted_at": null,
			"main_name": "Luna Moth",
			"aliases": [
				"Silent Ransom",
				"TG2729"
			],
			"source_name": "MISPGALAXY:Luna Moth",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-18T02:00:03.443104Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc333b03-6842-4964-a37d-99f10143bf33",
			"created_at": "2023-11-21T02:00:07.367885Z",
			"updated_at": "2026-04-18T02:00:03.794554Z",
			"deleted_at": null,
			"main_name": "DefrayX",
			"aliases": [
				"Hive0091"
			],
			"source_name": "MISPGALAXY:DefrayX",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-18T02:00:05.246254Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-18T02:00:03.229751Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"G0034",
				"TeleBots",
				"Blue Echidna",
				"FROZENBARENTS",
				"Seashell Blizzard",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"ELECTRUM",
				"IRIDIUM",
				"UAC-0113",
				"UAC-0082",
				"VOODOO BEAR"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-18T02:00:05.092881Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-18T02:00:03.591147Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-18T02:00:04.58124Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-18T02:00:04.681628Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1776392425,
	"ts_updated_at": 1776478907,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b40d974e023a0b6e51845fe1585ec7172de04d96.pdf",
		"text": "https://archive.orkl.eu/b40d974e023a0b6e51845fe1585ec7172de04d96.txt",
		"img": "https://archive.orkl.eu/b40d974e023a0b6e51845fe1585ec7172de04d96.jpg"
	}
}
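The RansomBoggs item in the report text above gives defenders one host-level artifact to hunt for: files renamed to a '.chsch' extension, typically many of them in a short burst once encryption starts. The following is an added example, not part of the Check Point report and not Check Point's or ESET's code, that runs a sliding-window burst detector over a constructed file-rename log. The log format, field names, threshold and window length are assumptions; the only indicator taken from the report is the extension.

```python
"""Hunt for RansomBoggs-style rename bursts (added example, not from the report).

Input is a constructed, simplified file-rename log with one event per line:
    <ISO-8601 timestamp> <host> <process image> <new path>
The log format, the threshold and the time window are assumptions; the only
indicator taken from the bulletin is the '.chsch' extension.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

RANSOM_EXT = ".chsch"     # extension RansomBoggs appends to encrypted files
BURST_THRESHOLD = 5       # renames per host inside one window (assumed tuning)
WINDOW_SECONDS = 60       # sliding window length (assumed tuning)

# Constructed sample log: FS01 shows a mass-rename burst, WS07 shows two
# isolated matches 18 minutes apart plus an unrelated .bak rename.
SAMPLE_EVENTS = r"""
2022-11-24T03:14:01 FS01 powershell.exe D:\Share\Finance\Q3.xlsx.chsch
2022-11-24T03:14:02 FS01 powershell.exe D:\Share\Finance\Q4.xlsx.chsch
2022-11-24T03:14:02 FS01 powershell.exe D:\Share\HR\payroll.docx.chsch
2022-11-24T03:14:05 FS01 powershell.exe D:\Share\HR\contracts.pdf.chsch
2022-11-24T03:14:09 FS01 powershell.exe D:\Share\Legal\nda.docx.chsch
2022-11-24T03:14:11 FS01 powershell.exe D:\Share\Legal\terms.docx.chsch
2022-11-24T03:14:15 FS01 powershell.exe D:\Share\README.txt
2022-11-24T08:02:10 WS07 explorer.exe C:\Users\ana\Documents\notes.txt.chsch
2022-11-24T08:20:44 WS07 explorer.exe C:\Users\ana\Documents\draft.docx.chsch
2022-11-24T08:21:00 WS07 backup.exe C:\Users\ana\Documents\draft.docx.bak
"""


@dataclass(frozen=True)
class RenameEvent:
    ts: datetime
    host: str
    image: str
    path: str

    @property
    def is_ransom_rename(self) -> bool:
        # Case-insensitive suffix match so 'X.CHSCH' is not missed.
        return self.path.lower().endswith(RANSOM_EXT)


def parse_events(text: str) -> list[RenameEvent]:
    """Parse the four-column log; blank lines and '#' comments are skipped."""
    events: list[RenameEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, image, path = line.split(maxsplit=3)
        events.append(RenameEvent(datetime.fromisoformat(ts), host, image, path))
    return events


def find_bursts(events: list[RenameEvent],
                threshold: int = BURST_THRESHOLD,
                window_seconds: int = WINDOW_SECONDS) -> dict[str, dict]:
    """Return, per host, the densest run of RANSOM_EXT renames that reaches
    `threshold` events within `window_seconds` (sliding window per host)."""
    by_host: dict[str, list[RenameEvent]] = defaultdict(list)
    for ev in events:
        if ev.is_ransom_rename:
            by_host[ev.host].append(ev)

    hits: dict[str, dict] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        left, best = 0, None
        for right, ev in enumerate(evs):
            # Advance the left edge until the window fits.
            while (ev.ts - evs[left].ts).total_seconds() > window_seconds:
                left += 1
            count = right - left + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "count": count,
                    "start": evs[left].ts.isoformat(),
                    "end": ev.ts.isoformat(),
                    "images": sorted({e.image for e in evs[left:right + 1]}),
                }
        if best is not None:
            hits[host] = best
    return hits


if __name__ == "__main__":
    for host, hit in find_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {hit['count']} '{RANSOM_EXT}' renames between "
              f"{hit['start']} and {hit['end']} by {', '.join(hit['images'])}")
```

The per-host sliding window is what separates an encryption run from a stray file that happens to carry the extension: FS01 trips the detector, WS07's two isolated matches do not unless the window is widened. The process image is reported rather than matched on, because the report only says the payload was distributed by a PowerShell script, not which image performed the renames.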
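The Boa item in the report text above concerns a web server embedded in IoT firmware and SDKs, where the first practical step is finding it on your own network. As an added example, not from the report, Microsoft or the Boa project, the code below parses raw HTTP responses and flags hosts whose Server banner identifies Boa, recording the version so unmaintained builds can be inventoried. The IP addresses and response bytes are constructed sample data; the only facts relied on are the 'Boa/<version>' banner format and Boa's last release, 0.94.14rc21 in 2005.

```python
"""Inventory hosts whose HTTP banner identifies the Boa web server.

Added example, not Microsoft's or Check Point's code. The responses below
are constructed; the only facts relied on are Boa's 'Boa/<version>' Server
banner and its last release (0.94.14rc21, 2005), after which it was no
longer maintained.
"""
from __future__ import annotations

import re

# Matches 'Boa' or 'Boa/<version>' as the whole Server value (case-insensitive),
# so a product merely containing the letters 'boa' is not flagged.
BOA_BANNER = re.compile(r"^Boa(?:/(?P<ver>\S+))?$", re.IGNORECASE)
LAST_BOA_RELEASE = "0.94.14rc21"   # final upstream release (2005)

# Constructed sample responses keyed by scanned host.
SAMPLE_RESPONSES: dict[str, bytes] = {
    "10.0.0.5": b"HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n<html>",
    "10.0.0.6": b"HTTP/1.0 401 Unauthorized\r\nserver: Boa/0.93.15\r\nWWW-Authenticate: Basic realm=\"cam\"\r\n\r\n",
    "10.0.0.7": b"HTTP/1.1 200 OK\r\nServer: Boa\r\n\r\n",
    "10.0.0.8": b"HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\n",
    "10.0.0.9": b"HTTP/1.1 200 OK\r\nServer: Boardroom/2.0\r\n\r\n",
    "10.0.0.10": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    "10.0.0.11": b"SSH-2.0-dropbear_2019.78\r\n",
}


def parse_headers(raw: bytes) -> dict[str, str]:
    """Return response headers (names lower-cased) or {} if `raw` is not HTTP."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    # latin-1 never fails to decode, which matters on garbage from non-HTTP ports.
    lines = head.decode("latin-1").split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return {}
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def boa_version(raw: bytes) -> str | None:
    """'<version>' or 'unknown' when the Server banner is Boa; None otherwise."""
    server = parse_headers(raw).get("server", "")
    m = BOA_BANNER.match(server)
    if m is None:
        return None
    return m.group("ver") or "unknown"


def find_boa_hosts(responses: dict[str, bytes]) -> dict[str, str]:
    """Map host -> Boa version for every response that carries a Boa banner."""
    found: dict[str, str] = {}
    for host, raw in responses.items():
        ver = boa_version(raw)
        if ver is not None:
            found[host] = ver
    return found


if __name__ == "__main__":
    for host, ver in find_boa_hosts(SAMPLE_RESPONSES).items():
        print(f"{host}: Boa {ver} (upstream unmaintained since {LAST_BOA_RELEASE})")
```

Any match is worth a ticket: there is no newer upstream Boa to upgrade to, so remediation means a vendor firmware update, network segmentation, or removing the device from exposed networks. Banner matching is an inventory heuristic, not a vulnerability check; a vendor can rename or suppress the Server header, so a clean scan does not prove Boa is absent.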