{
	"id": "6de23da7-a9ea-4be5-9ec8-e1838a8145b2",
	"created_at": "2026-04-06T00:18:48.261546Z",
	"updated_at": "2026-04-10T03:38:20.746796Z",
	"deleted_at": null,
	"sha1_hash": "b61e4c6ba0bf6f9658599075cdee2c82a340f909",
	"title": "Cross-Chain TxDataHiding Crypto Heist: A Very Chainful Process (Part 3)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2334333,
	"plain_text": "Cross-Chain TxDataHiding Crypto Heist: A Very Chainful Process (Part\r\n3)\r\nBy Ransom-ISAC\r\nPublished: 2025-11-13 · Archived: 2026-04-05 17:33:44 UTC\r\nExecutive Summary\r\nIn September 2025, Ransom-ISAC was brought in by Crystal Intelligence to investigate a cryptocurrency and data theft\r\nattempt via a private weaponised GitHub repository. What initially appeared to be a standard phishing campaign, quickly\r\nevolved into something far more sophisticated—a multi-layered attack leveraging novel blockchain-based command-and-control infrastructure and cross-platform malware designed to compromise development environments at scale.\r\nPart 1 of this series delves into the sophisticated nature of a potentially attributed DPRK campaign where novel tradecraft\r\nsuch as Cross-Chain TxDataHiding techniques combined with the subsequent creation of a takedown-proof Command and\r\ncontrol (C2) infrastructure. Part2 continues with a holistic analysis of the core malicious payloads with a complete view into\r\nthe entire kill chain.\r\nPart 3 aims to expand on the findings from parts 1 and 2 with a focus on the infrastructure leveraged by the threat actor\r\nduring the campaign which can support attribution during the later stages. Through the understanding of the operational\r\ninfrastructure, we aim to uncover other related clusters through our analysis, using infrastructure fingerprinting and wider\r\nopen-source intelligence in order to explore potentially related campaigns.\r\nFor Part 3 of this investigation, Ransom-ISAC collaborated with Bridewell to conduct the comprehensive infrastructure\r\nanalysis and attribution assessment detailed in this report. Bridewell's expertise in threat infrastructure tracking and OPSEC\r\nanalysis was instrumental in developing the infrastructure fingerprints and cluster analysis presented here. 
We extend our\r\nsincere thanks to the Bridewell team for their invaluable contributions to this research effort and their commitment to\r\nadvancing the cybersecurity community's understanding of sophisticated threat actor infrastructure.\r\nIt is worth noting that, as efforts are made to reduce bias while correlating our infrastructure findings with what is known\r\nfrom parts 1 and 2, any attribution made during this part is kept independent of the previous parts. Only where correlation is\r\nrequired are the relevant connections retrieved and built upon. With all infrastructure tracking engagements, no prior\r\nattribution assessments influence our analysis, in order to deliver an unbiased, independent evaluation.\r\nShould you have any information that can potentially support or refute our analysis, please feel free to reach out to us at\r\nRansom-ISAC. As and where assumptions or estimates are made to fill the gaps in our analysis, they have been stated\r\nclearly so that the reader is aware.\r\nInfrastructure Analysis\r\nThis section will explore the adversary infrastructure in detail to provide insights into some of the Operational Security\r\n(OPSEC) measures taken by the adversary during the intrusion to impair attribution. We shall start with a recap of the main\r\ntypes of infrastructure found in the previous part and the known IP addresses.\r\nIntrusion C2 Channels\r\nTwo types of C2 channel were previously identified, based on the C2 mechanism and the different payloads distributed: the\r\nPython dropper communicates on an HTTP API C2 channel over port 27017, and the Loader/RAT communicates over both\r\nHTTP API and socket.io channels on C2 ports 27017 and 443 respectively. 
The two types of C2\r\nchannel are as follows:\r\nHTTP API: http://[server]:27017\r\nCommand Socket: http://[server]:443 (WebSocket via socket.io)\r\nThese C2 channels are also responsible for hosting payloads found during the various stages of the infection chain, in\r\naddition to the conventional C2 capabilities such as remote command execution and data exfiltration.\r\nNote: For the purpose of our analysis, it is not required to treat the infrastructure differently based on the payloads, since the\r\ntwo types of channels are sufficient for building infrastructure fingerprints. For more information on the implementation of\r\nthe C2 channels by the malware, please check out part 2.\r\nAnalysis from parts 1 and 2 identified 4 unique C2 IP addresses, discovered either directly through tracing the complex\r\ninfection chain or configured as alternate/fallback hard-coded values in the malicious payloads, acting as a fail-safe\r\nmechanism in the event the primary channel is not able to establish a connection with patient zero.\r\nhttps://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist-part-3/\r\nPage 1 of 27\n\nC2 IP Addresses | C2 Port | C2 Channel Type | Malware\r\n23.27.20[.]143 | 27017 | HTTP API | Python Dropper\r\n136.0.9[.]8 | 27017, 443 | HTTP API, socket.io | Loader/RAT\r\n166.88.4[.]2 | 27017, 443 | HTTP API, socket.io | Loader/RAT\r\n23.27.202[.]27 | 27017, 443 | HTTP API, socket.io | Loader/RAT\r\nC2 Components\r\nNote: There is a discrepancy between the first seen dates for the listed C2s and those identified later as an outcome of the\r\ninfrastructure fingerprinting efforts. This is due to the interval at which the internet scanners crawl the C2 services and ports,\r\nwhich has inadvertently created blind spots. 
The earliest date from the selection of internet scanners was considered; these\r\nshould be treated as estimates only.\r\nThe section is divided into two sub-sections based on the type of leveraged C2 channel.\r\nDropper C2: HTTP API\r\nLet's begin our analysis with the IP address 23.27.20[.]143, identified during the intrusion. This IP address was selected\r\nbecause of its prevalence in the previously conducted intrusion analysis and the standalone focus on HTTP API as a C2\r\nchannel. We will explore socket.io as a C2 at a later point.\r\nSource IP address: 23.27.20[.]143\r\nSource Location: United Kingdom\r\nPrimary C2 Port: 27017\r\nAlternate C2 Port: 5432\r\nStatus: ACTIVE\r\nFirst C2 Configuration Seen: 6th August 2025\r\nThrough the use of internet scanners, the following HTTP header configuration was identified and associated with the\r\nsource IP address.\r\nHTTP/1.1 404 Not Found\r\nAccess-Control-Allow-Origin: *\r\nCache-Control: no-store, no-cache, must-revalidate\r\nConnection: keep-alive\r\nContent-Type: text/html; charset=utf-8\r\nDate: Fri, 31 Oct 2025 00:23:35 GMT\r\nExpires: Sat, 26 Jul 1997 05:00:00 GMT\r\nKeep-Alive: timeout=15,max=100\r\nLast-Modified: Fri, 31 Oct 2025 00:23:35 GMT\r\nPragma: no-cache\r\nServer: EmbedIO/3.5.2\r\nContent-Length: 0\r\nNote: The above header configuration was obtained using an internet scanner and is different from the HTTP response\r\ncaptured during the original intrusion analysis. 
The fundamental difference resides in the HTTP status code, content length\r\nand encoding, which would have influenced the fingerprint creation.\r\nOne of the possible reasons behind this mismatch could be how the operator set up the infrastructure to improve their\r\nOPSEC and prevent crawling by the various internet scanners that rely on default options, modules and/or user\r\nagents to probe the IP addresses.\r\nCommon HTTP API C2 Characteristics\r\nWith respect to IP addresses leveraging the HTTP API C2 channel, all four C2 IP addresses have the following characteristics\r\nin common:\r\n1. HTTP Header Configuration\r\nServer and version: EmbedIO/3.5.2\r\nEmbedIO is a lightweight open-source web server by Unosquare which is available for users to download from GitHub.\r\nThe server is built for .NET Framework and .NET Core, with the latest version, 3.5.2, released in November 2022. Some\r\nof the key features include:\r\nCross-platform: tested on multiple OS and runtimes\r\nExtensible: Write your own modules\r\nCreate REST APIs quickly with the out-of-the-box Web API module\r\nWebSockets support\r\nCreate GUIs for Windows services or Linux daemons\r\nThe cross-platform capability of the server is on par with the payloads designed for the intrusion. The modular and\r\nlightweight nature, along with the convenience of creating GUIs, makes it an attractive choice for an adversary. From an\r\ninfrastructure tracking standpoint, at the time of writing there are only 300 servers deployed in the wild with\r\nthis specific version of EmbedIO, which can be considered rare.\r\n2. HTTP Header Setting - Expires Field\r\nThe value Expires: Sat, 26 Jul 1997 05:00:00 GMT in the HTTP header appears to stand out. The value is clearly older\r\nthan today's date. 
Setting an Expires header to a past value is an older (HTTP/1.0) method of\r\ncontrolling the cache. This is contradictory, since the response above is HTTP/1.1. HTTP/1.1 has a\r\nmore effective way to prevent caching by using the Cache-Control header, which is already being used in the above HTTP\r\nheader with the correct parameters Cache-Control: no-store, no-cache, must-revalidate. If a modern browser sees both, it\r\nwill obey Cache-Control and ignore Expires.\r\nAdditionally, the use of this exact date value is probably inspired by older PHP documentation that referenced\r\nit as an example. Also, the day and date combination does not logically add up: the correct day is Monday for that date, not\r\nSaturday. There are roughly 20,000 servers with this date value, which is low, and a vast majority of them use HTTP/1.1.\r\nThis past date setting (even on HTTP/1.1) is likely set deliberately by the operator for backward\r\ncompatibility, to ensure that even very old clients or proxies that don't understand Cache-Control will still see the past\r\nExpires date and know not to cache the content.\r\n3. HTTP Header Setting - Keep Alive\r\nThe Keep-Alive: timeout=15,max=100 value in the HTTP header is set to ensure that victims always make a new request to the\r\nserver when interacting with it. From an operator's perspective, it defines the limits for the C2 beaconing time intervals\r\nwhen opting for a persistent connection with the C2. The specific parameters tell the server to only keep a\r\nconnection open for a window of 15 seconds after the last response is sent.\r\nIf the client does not send a new request within that defined time frame, the server will close the connection to free up\r\nresources. Also, the server will allow a maximum of 100 total requests to be sent over a single connection, after which the\r\nexisting connection is closed and a new one is required. 
At the time of writing this, 50,000 servers globally are configured\r\nwith this setting.\r\n4. Hosted Infrastructure\r\nAutonomous System Number (ASN): AS149440\r\nOrganisation Name: Evoxt Enterprise\r\nThe organisation has a 3-year-old autonomous system (AS) for its network infrastructure, which allows it to provision its\r\nown network routing. It also provides virtual machines, or Virtual Private Servers (VPS), with a focus on low-cost and high-performance options. The ASN primarily hosts servers located in the US, with a global presence extending to Malaysia,\r\nJapan, the UK, Hong Kong and Germany, to name a few.\r\nThreat actors often use such dedicated VPS to host their C2s, giving them more granular control over the infrastructure. It\r\nis also common for threat actors to spin up their infrastructure in the same region as the victims to avoid network traffic\r\nbeing dropped due to geo-blocking. In the later section, ASN Overview, we will sift through wider open-source\r\nintelligence to share sightings of known malware and threat groups that have used this ASN in the past.\r\nThe operator's choice of this ASN could also be based on its overall good reputation. While there is evidence of\r\nhistoric malicious activity associated with this ASN, in general this ASN is not widely flagged as a malicious network, due\r\nto the overall low spam activity (less than 1%) in addition to not being listed on major, widespread blacklists. Abuse\r\ndatabases also show very few reports, with most being several years old and having a low confidence of abuse.\r\n5. Network Ports Used\r\nThe primary port used for C2 is TCP port 27017, which is the default port used by MongoDB databases to establish\r\nconnections with clients. 
The same HTTP header configuration was also found on a different TCP port, 5432, which can\r\nbe treated as an alternate port for C2 and is typically used for PostgreSQL databases.\r\nAt this point, despite observing only two ports under the same IP address, the threat actor's apparent preference for\r\ndatabase-designated ports is noteworthy, especially considering the targets are developers.\r\n6. Common Services, Ports and Configs\r\nBy considering the services, their ports and broader configuration, we can determine consistency between the already\r\nidentified C2 servers by logging the volatility of the services. Furthermore, these can be combined with other metadata such as\r\nFirst Seen and Last Seen dates (active status) for the servers to provide better clustering criteria based on such\r\nservice statistics.\r\nConcept of Service Hibernation Score (SHS)\r\nOver the period from the date the C2 configuration was first seen up until the last seen date, dividing the number of unique\r\nservices observed by the number of times they have been changed/updated gives what is informally known as the service\r\nhibernation score. The primary significance of the score is to broadly\r\nunderstand the consistency of services configured on the infrastructure, which can help assess if the same operators are still\r\nusing the infrastructure or not.\r\nFor instance, if a server during its active period (the time interval between first and last seen dates) had 5 unique services which\r\nwere altered a total of 15 times, the calculated score would be 5 divided by 15, i.e. 0.33. The higher the SHS, the more consistent\r\nthe services are. 
It is also important to understand that the accuracy of the score itself is highly influenced by the scanning\r\ninterval of those services, since it relies on the observed frequency of service changes/updates.\r\nC2 IP Addresses | C2 Port | Other Active Services | Other Ports | SHS\r\n23.27.20[.]143 | 27017, 5432 | RDP, WINRM | 3389, 5985 | 0.034\r\n136.0.9[.]8 | 27017, 443 | RDP, WINRM, DCERPC, NETBIOS, SMB, Unknown | 3389, 5985 | 0.050\r\n166.88.4[.]2 | 27017, 443 | RDP, WINRM, DCERPC, NETBIOS, SMB, Unknown | 3389, 5985, 135, 139, 445, 17500 | 0.049\r\n23.27.202[.]27 | 27017, 443 | RDP, WINRM, DCERPC, NETBIOS, SMB | 3389, 5985, 135, 139, 445 | 0.041\r\nNote: Please note that the above C2 port still refers to the HTTP based API channel and not socket.io. We will cover\r\nsocket.io separately to avoid any confusion, and hence port 443 is ignored.\r\nWhile it is not specifically known, it can also be assessed with low confidence that the operators are using RDP to remotely\r\naccess their C2 server, with the assumption that the victim C2 connection (HTTP based API channel) terminates at the C2 server\r\nand is thereby not used by operator workstations.\r\n7. RDP TLS Certificate Common Name (CN)\r\nAll IP addresses mentioned above have the issuer/subject CN of EV-4A6OE6M0E2D on their RDP TLS certificate. Currently,\r\nthere are 300 servers with the same CN.\r\nClustering Assessment Criteria\r\nTo recap, the following common factors were considered to split the resultant IP addresses obtained from the infrastructure\r\nfingerprint. 
The criteria are based on the following factors and further divided into low, medium and high confidence ratings.\r\nThe factors are also listed in increasing order of their significance:\r\nHTTP method and status code\r\nHTTP headers configuration\r\nServer and version used\r\nHosted ASN\r\nHosted C2 port\r\nService hibernation score (SHS)\r\nRDP TLS certificate CN\r\nNote: The confidence level is subject to change as we explore other relevant attributes in the subsequent sections, such as C2\r\nURL paths, communicating payloads and hard-coded values seen in the payloads.\r\nInfrastructure Fingerprints\r\nUpon consideration of the above attributes, an initial infrastructure fingerprint was constructed.\r\nFINGERPRINT 1: server=\"EmbedIO\" \u0026\u0026 header=\"Expires: Sat, 26 Jul 1997 05:00:00 GMT\" \u0026\u0026 header=\"HTTP/1.1 404 Not Found\" \u0026\u0026 header=\"Content-Length: 0\"\r\nFingerprint 1 results in 11 unique IP addresses (inclusive of the 4 identified previously). These IP addresses are divided\r\nbased on the clustering assessment criteria. For the purpose of attribution, all IP addresses were considered irrespective of\r\ntheir active status. 
The results are also classified as clusters based on common ASNs and similar C2 ports (those seen\r\nassociated with databases).\r\nResults of Fingerprint 1:\r\nClusters | Confidence | IP Addresses | ASN | ASN Name | First Seen | Last Seen | C2 Ports\r\nCluster-1 | HIGH | 23.27.20[.]143 | 149440 | Evoxt Enterprise | Sep 2025 | ACTIVE | 27017, 5432\r\nCluster-1 | HIGH | 136.0.9[.]8 | 149440 | Evoxt Enterprise | Sep 2025 | ACTIVE | 27017\r\nCluster-1 | HIGH | 166.88.4[.]2 | 149440 | Evoxt Enterprise | Sep 2025 | ACTIVE | 27017\r\nCluster-1 | HIGH | 23.27.202[.]27 | 149440 | Evoxt Enterprise | Sep 2025 | ACTIVE | 27017\r\nCluster-1 | HIGH | 23.27.120[.]142 | 149440 | Evoxt Enterprise | Oct 2025 | ACTIVE | 27017\r\nCluster-1 | HIGH | 154.91.0[.]103 | 149440 | Evoxt Enterprise | Feb 2025 | Mar 2025 | 27017, 5432, 1433\r\nCluster-2 | MEDIUM | 85.239.62[.]36 | 62240 | Clouvider Limited | May 2025 | June 2025 | 27017\r\nCluster-2 | MEDIUM | 85.239.60[.]213 | 62240 | Clouvider Limited | Feb 2025 | Feb 2025 | 27017, 80\r\nCluster-3 | LOW | 91.99.83[.]196 | 24940 | Hetzner Online GmbH | June 2025 | June 2025 | 8080\r\nCluster-3 | LOW | 37.27.108[.]244 | 24940 | Hetzner Online GmbH | June 2025 | June 2025 | 8080\r\nCluster-3 | LOW | 57.128.212[.]19 | 16276 | OVH SAS | May 2025 | May 2025 | 8080\r\nNotable Observations\r\nNew C2 Ports\r\nIn addition to the discovered primary C2 ports, the list now includes 27017, 5432, 1433, 8080 and 80. It is evident that the\r\nlast two, 8080 and 80, are deviations from the initial assessment that the selected C2 ports were based on databases (it could\r\nalso be possible that these ports were only used for testing, after which they were migrated to the other ports). 
However, the\r\ninclusion of TCP port 1433 supports the assessment made, since it is the default port for Microsoft SQL\r\nservers.\r\nASN Groupings\r\nCluster-1 follows the common pattern of hosted ASN linked to the original 4 C2 IP addresses, which instills confidence\r\nin this cluster.\r\nCluster-2 is associated with a completely different ASN, Clouvider Limited.\r\nCluster-3 is a grouping of two different ASNs (Hetzner and OVH) which were not seen in other clusters. Both ASNs\r\nare known for having a bad reputation for hosting malicious infrastructure.\r\nRDP TLS Certificate CN\r\nWhile it is not mentioned in the table above, all IP addresses linked to Cluster-1 (not just the 4 original ones) have the same\r\nRDP TLS Certificate CN EV-4A6OE6M0E2D. Currently, there are over 1500 servers with this RDP TLS certificate, with the vast\r\nmajority belonging to Evoxt.\r\nHowever, Cluster-2 has a common RDP TLS certificate CN pattern of PACKERP-XXXXXXX. Historically, there are only 17 IP\r\naddresses that have this CN pattern on RDP port 3389, each ending with a unique fixed-length alphanumeric suffix.\r\nOn the other hand, Cluster-3 has no RDP service linked to it.\r\nBased on the recent last seen dates of these IP addresses, it might be worth tracking them under a separate cluster, which may\r\nprovide insights in the near future as to who is setting up such remote access. Of the 17 IP addresses, 9 were hosted in\r\nRussia on ASN-62005 BlueVPS OU. 
A vast majority of these are still active at the time of writing this.\r\nBased on the common ASN (BlueVPS OU) and the RDP TLS certificate CN PACKERP-XXXXXXX, another cluster under the\r\nname Cluster-X-RDP was created to track operators setting up such remote access to the C2 servers in the near future.\r\nFingerprint 2: (asn=\"62005\" || asn=\"49392\") \u0026\u0026 cert=\"PACKERP-\" \u0026\u0026 port=\"3389\"\r\nCluster-X-RDP\r\nIP Addresses | First Seen | Last Seen\r\n91.242.241[.]31 | Nov 2024 | ACTIVE\r\n91.242.241[.]170 | Apr 2025 | ACTIVE\r\n91.242.241[.]117 | Apr 2025 | ACTIVE\r\n91.242.241[.]122 | May 2025 | ACTIVE\r\n91.242.241[.]15 | Dec 2024 | ACTIVE\r\n91.242.241[.]174 | Nov 2024 | ACTIVE\r\n91.242.241[.]55 | Nov 2024 | Jun 2025\r\n91.242.241[.]183 | Dec 2024 | ACTIVE\r\n62.106.66[.]151 | Dec 2024 | Sep 2025\r\n45.129.199[.]127 | Apr 2025 | ACTIVE\r\n45.86.231[.]67 | Jan 2025 | ACTIVE\r\nAnother pattern we observed is that many active IP addresses were hosted on a different ASN, ASN-49392 LLC Baxet, prior to\r\nbeing hosted on BlueVPS. Based on that observed infrastructure pattern, it can be forecast that IP address\r\n91.242.241[.]55, with a last seen date of June 2025, will be hosted on BlueVPS in the near future.\r\nHosting Timeline Analysis\r\nClusters 1, 2 and 3 have a notable pattern pertaining to the choice of ASN selected for their operations. The selection of\r\nEvoxt Enterprise for Cluster 1 as the preferred ASN, combined with other infrastructure attributes, is unique enough to track\r\nthe cluster.\r\nPrior to using that ASN, the set of IP addresses from cluster 1 were observed on a different ASN, EDINHOSTING. To\r\ndetermine when the shift in ASNs occurred, we leveraged the routing history for IP addresses in clusters 1, 2 and 3.\r\nThe diagram below may assist with better visualisation of the hosted infrastructure changes. The green lines and circles\r\nindicate the actual time frame when the infrastructure was observed exhibiting C2 properties. 
Green-filled circles were used\r\nto showcase a shorter time span in comparison to the green lines.\r\nThe left side of the diagram maps open-source reporting to the C2 indicators. We shall build upon those references in the\r\nlater sections. From the diagram, it can be deduced that some cluster IP addresses have a longer active C2 behaviour, while\r\nothers such as 85.239.62[.]36 and 57.128.212[.]19 were short lived (green-filled circles). Also, IP addresses in cluster\r\n1 have a consistent pattern of previously being hosted on a different ASN compared to the one observed during the intrusion.\r\nAlternate HTTP Status Code: OPSEC 302 Redirection\r\nNote: It is worth reiterating that we mainly considered the HTTP status 404 Not Found because this is what was observed on\r\nmultiple internet scanners during the active timeline of the intrusion we were investigating.\r\nHowever, during part 2 of the series (as mentioned under the 302 Response (Easter Egg) section), while tracing the infection\r\nchain through different stages, an alternate HTTP 302 Found response was discovered, where the perceived objective was to\r\nredirect unintended victims to a different location (in our scenario, to a specific GitHub link).\r\nThreat actors implement such redirections to ensure network traffic is directed to those it is intended for, in order to\r\nbypass potential analysis through automated bots, sandbox environments and other means where default parameters are used\r\nto contact adversary infrastructure.\r\nThis is yet another method to improve the adversary's OPSEC, but it also provides an opportunity to fingerprint this\r\nunique redirection. 
The ports 8080 and 8094 leveraged for redirection could also be indicative of potential logging activity,\r\nwhich can generally be assessed as the adversary conducting counter-intelligence on those analysts attempting to track their\r\nkill chain.\r\nThe primary infrastructure fingerprint (clusters 1, 2 and 3) can be modified slightly to accommodate this redirection\r\nmechanism used by the threat actors by simply changing the HTTP status code, which gives rise to a new Cluster-X-302 of 11 unique IP addresses, all based in Russia and under the same ASN, PJSC Megafon.\r\nAlthough all 11 IP addresses originating from Cluster-X-302 are historic (not actively seen in 2025), these IP addresses\r\ncould have been part of previously set up infrastructure that was probably used during the early stages and then disposed of.\r\nWe are unlikely to see this cluster in the future. It is still worth recording this cluster for when we look into wider OSINT\r\nto check for any potential indicator overlap, despite the cluster likely being burnt and never to be used again.\r\nFingerprint 3: server=\"EmbedIO/3.5.2\" \u0026\u0026 banner=\"HTTP/1.1 302 Found Expires: Sat, 26 Jul 1997 05:00:00 GMT\"\r\nKey Characteristics\r\nOPSEC: HTTP 302 Redirect\r\nHosted ports: 8080, 8094\r\nLocation: Russia, hosted on ASN 31213, PJSC Megafon\r\nAttributes: server, keep-alive setting, content length and expiry date are the same as clusters 1, 2 and 3\r\nOther Metadata\r\nFirst Seen X-302 IP address: 6th Nov 2024\r\nLast Seen X-302 IP address: 31st Dec 2024\r\nEagle Portal\r\nCluster-X-302\r\nIP Addresses | First Seen | Last Seen\r\n78.25.123[.]242 | Dec 2024 | Mar 2025\r\n78.25.123[.]66 | Nov 2024 | Sep 2025\r\n78.25.122[.]218 | Nov 2024 | Sep 2025\r\n78.25.109[.]155 | Nov 2024 | Mar 2025\r\n78.25.108[.]249 | Nov 2024 | Oct 2025\r\n78.25.111[.]63 | Dec 2024 | Mar 2025\r\n78.25.121[.]187 | Nov 2024 | Mar 2025\r\n78.25.123[.]153 | Nov 2024 | Mar 2025\r\n78.25.123[.]240 | Nov 2024 | Dec 2024\r\n78.25.123[.]249 | Nov 2024 | ACTIVE\r\n85.26.218[.]114 | Nov 2024 | ACTIVE\r\nCurrently, only 85.239.60[.]213 from Cluster-2 overlaps with the activity timeline for this cluster. Also, for all IP addresses\r\nlisted above, specifically on ports 8080 and 8094 (where the redirects were found), we also identified a web page that\r\nappears to be a login page with the Russian title \"Орлан 2.0 (веб-интерфейс)\", which translates to Orlan 2.0 (web\r\ninterface). All login pages have the same JavaScript, likely used to track web cookies for the login page. Currently, the exact\r\nsignificance of Orlan 2.0 is not known.\r\nNOTE: The js_md5 value is 736dd2e77c190d2eb418338f49dda10e\r\nBelow is the view of the HTML content, without rendering images or other CSS elements:\r\nNote: It can be assessed that the naming convention for the login page could possibly have been inspired by an upgraded\r\nstrike version of the Orlan-10, able to carry four high-explosive fragmentation projectiles, which was reportedly used in the 2022\r\nRussian invasion of Ukraine and could potentially hint towards a pro-Russian stance.\r\nAccording to the Oryx website, at least 208 Orlan-10, 19 Orlan-20, and 16 Orlan-30 have been shot down as of February 12\r\n2025, including by a UK-supplied Martlet missile. A version called Moskit is used for EW. 
However, this assessment should\r\nbe considered low confidence at best due to lack of direct evidence supporting it.\r\nNote: Орлан (or Orlan) directly translates to 'eagle' in English.\r\nA plausible hypothesis with moderate-to-high confidence is that the \"Орлан 2.0 (веб-интерфейс)\" login pages observed\r\nacross Cluster-X-302 infrastructure represent legitimate licensed deployments of Orlan Security's DCAP system\r\n(https://orlan-security.ru) being operationally employed by DPRK threat actors to systematically prioritise and optimise\r\nlarge-scale data exfiltration operations.\r\nGiven the DPRK attribution and the actor's established modus operandi focussed on data collection, DPRK operators may\r\nbe deploying legitimate Orlan:DCAP licences on compromised victim networks to automate the identification of high-value\r\ndata targets. Rather than manually searching through terabytes of victim data, the DCAP system would automatically scan\r\nand classify all unstructured data across compromised file servers, identify files containing intellectual property, financial\r\nrecords, trade secrets, and source code, and generate prioritised target lists showing which files are most sensitive based on\r\ncontent analysis using Orlan's built-in neural networks and pattern matching technologies. 
This would enable DPRK actors\r\nto maximise intelligence and financial value whilst minimising bandwidth consumption and detection risk—directly\r\nsupporting known operational priorities including cryptocurrency exchange data theft, intellectual property exfiltration for\r\nstate economic advancement, and financial fraud operations.\r\nSource: https://orlan-security.ru/\r\nDCAP stands for Data-Centric Audit and Protection - a security system that automatically discovers, classifies, and\r\nmonitors unstructured data (files, emails, documents) across an organisation to identify where sensitive information is\r\nstored, who can access it, and what they're doing with it. DCAPs appear to be a hybrid of Data Loss Prevention (DLP) and\r\nAsset Inventory, popular within Russia.\r\nThe architecture diagram of Orlan:DCAP shows (in Russian):\r\nSource: https://www.anti-malware.ru/analytics/Market_Analysis/DCAP-DAG-2025#part67\r\nComponents:\r\nВеб-интерфейс оператора/администратора системы = Web interface for operator/administrator of the system\r\n(top left - the login page from above)\r\nЦентральный сервер приложения = Central application server (top center)\r\nБаза данных = Database (top right)\r\nПул коллекторов = Pool of collectors (the agents - shown in boxes labeled \"Коллектор 1\" and \"Коллектор N\")\r\nКонтролируемый сервер = Controlled/monitored server (bottom - showing multiple servers being monitored)\r\nAD/LDAP 
= Active Directory/LDAP (center bottom)\r\nThe operational workflow would involve: initial compromise of target organisations, deployment of legitimate Orlan:DCAP\r\nagents (which appear as authorised security software and evade detection), automated scanning and classification of the\r\nvictim's entire data repository, DPRK operators accessing the centralised web interfaces (observed on ports 8080/8094) to\r\nreview classification results, and executing targeted exfiltration focussing on pre-identified sensitive data.\r\nASN Analysis and Wider OSINT\r\nThe ASN of choice for primary infrastructure (clusters 1,2 and 3) observed during the intrusion is Evoxt Enterprise (ASN:\r\nAS149440). This section aims to correlate any available open-source intelligence surrounding the usage of this ASN with\r\nany known malware or threat actors in addition to sharing external references where such documented intrusions/campaigns\r\nhave been observed.\r\nThe IP address ranges were enumerated via the ASNs and then used to extract sightings into known reporting. 
Where\r\npossible, validation checks were conducted to ensure that the IP addresses actually belonged to the ASN at the time they were\r\nreferenced in public reports.\r\nKey Observations:\r\nA total of 84 unique sightings of malware and known threat groups were identified using this ASN over the last three years.\r\nThe distribution is split between Offensive Security Tools (OST), commodity malware, custom malware used by nation\r\nstates, CVE exploitation and other reported campaigns.\r\nThe majority of the sightings were for the Cobalt Strike C2 framework, spanning several different Cobalt Strike watermarks:\r\n0 - The most common watermark, widely associated with cracked versions of Cobalt Strike\r\n100000 - No attribution to known groups or operators\r\n666666666 - A fixed value often associated with pirated copies\r\n987654321 - A fixed value often associated with pirated copies\r\n391144938 - Observed in reporting related to various Chinese nation state groups, such as Viper's Nest\r\nKnown Threat Groups\r\nGroup Name Country Origin Description\r\nDark Peony China\r\nAlso known as RedDelta, the group has been active since at least 2012 and has focused\r\non Southeast Asia and Mongolia. The group has routinely adapted its targeting in\r\nresponse to global geopolitical events. It has evolved its infection chain multiple times\r\nsince mid-2023.\r\nFIN7 Russia\r\nFIN7 is a financially-motivated threat group that has been active since 2013. 
FIN7 has\r\ntargeted the retail, restaurant, hospitality, software, consulting, financial services,\r\nmedical equipment, cloud services, media, food and beverage, transportation,\r\npharmaceutical, and utilities industries in the United States.\r\nLazarus DPRK\r\nLazarus Group is a North Korean state-sponsored cyber threat group attributed to the\r\nReconnaissance General Bureau (RGB). Lazarus Group has been active since at least\r\n2009. North Korea's cyber operations have shown a consistent pattern of adaptation,\r\nforming and reorganising units as national priorities shift.\r\nMoonstone Sleet DPRK\r\nMoonstone Sleet is a North Korean-linked threat actor executing both financially\r\nmotivated attacks and espionage operations. The group previously overlapped\r\nsignificantly with another North Korean-linked entity, Lazarus Group, but has\r\ndifferentiated its tradecraft since 2023.\r\nAPT29 Russia\r\nAPT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service\r\n(SVR). They have operated since at least 2008, often targeting government networks in\r\nEurope and NATO member countries, research institutes, and think tanks.\r\nEarth Kurma Unknown\r\nEarth Kurma is an APT group targeting government and telecommunications sectors in\r\nSoutheast Asia, with a primary focus on data exfiltration. They employ advanced custom\r\nmalware, including rootkits like KRNRAT and MORIYA, and utilise cloud storage\r\nservices for exfiltration.\r\n_V-Selected C2: SocketIO\r\nSo far we have discussed the HTTP API C2 channel (also known as the Dropper C2 from part 2 of the series). In this section\r\nwe explore and build upon the secondary C2 infrastructure leveraging WebSocket via socket.io (also known as the _V-selected C2 from part 2).\r\nIt is also worth mentioning that there are some overlapping properties between the two C2 mechanisms. 
Hence, only those aspects of the\r\nsocket.io C2 that were not previously mentioned are covered here, in order to develop some unique\r\ninsights into the utilised infrastructure.\r\nOut of the 4 original IP addresses found during the intrusion analysis, 3 qualify as socket.io C2 on TCP port 443:\r\n23.27.202[.]27\r\n136.0.9[.]8\r\n166.88.4[.]2\r\nHTTP Headers\r\nRevisiting the internet scanners and probing the HTTP response headers related to port 443, the following HTTP\r\nheaders were identified during the C2 activity timeline:\r\nHTTP/1.1 404 Not Found\r\nContent-Security-Policy: default-src 'none'\r\nX-Content-Type-Options: nosniff\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 139\r\nDate: REDACTED\r\nConnection: keep-alive\r\nKeep-Alive: timeout=5\r\nThe above headers on their own are not enough to create an infrastructure fingerprint. However, a couple of anomalies were\r\nrecognised that help to refine the fingerprint.\r\nInfrastructure Fingerprint\r\nWhile TCP port 443 is conventionally used for HTTPS, the C2 uses plain HTTP, as indicated by the absence of an SSL\r\ncertificate. 
By combining conventional HTTPS ports (such as port 443) with the specific headers listed above, in addition to\r\nchecking for the absence of an SSL certificate, the following fingerprint was developed:\r\nFingerprint 4: \"HTTP/1.1 404 Not Found Content-Security-Policy: default-src 'none' X-Content-Type-Options: nosniff Content-Type: text/html; charset=utf-8 Content-Length: 139 Date: \" \"Connection: keep-alive Keep-Alive: timeout=5\" has_ssl:false port:443 !tag:cloud\r\nThe newly formed Cluster-4 provides a total of 18 IP addresses, which were reduced to 8 unique IP addresses by\r\nexcluding those IP addresses that were hosted on cloud providers.\r\nAdditionally, half of the resultant IP addresses had Error as their HTML title while the other half did not. It was decided to\r\navoid using a filter based on HTML title in order to capture a broader set of results that can be used to check for indicator\r\noverlap with external reporting.\r\nAlternatively, the above fingerprint can be made broader to capture more IP addresses, at the cost of an increased risk of false\r\npositives. This can be done by including other ports that could implement HTTPS but typically don't. For example, adding\r\nthe alternate HTTPS port, 8443, would have significantly increased the number of results.\r\nCluster-4\r\nIP Addresses ASN Cluster Inclusion\r\n136.0.9[.]8 Evoxt Enterprise Part of Cluster 1\r\n23.27.202[.]27 Evoxt Enterprise Part of Cluster 1\r\n166.88.4[.]2 Evoxt Enterprise Part of Cluster 1\r\n23.27.120[.]142 Evoxt Enterprise Part of Cluster 1\r\n181.117.128[.]64 AMX Argentina NEW\r\n183.101.157[.]30 Korea Telecom NEW\r\n195.122.31[.]246 VAKS, KOOPERATIVA SABIEDRIBA NEW\r\n202.155.8[.]173 CV. 
Rumahweb Indonesia NEW\r\nC2 URL paths\r\nBoth the dropper and _V-Selected C2s have the following URL paths:\r\nHTTP API: http://[server]:27017\r\n/verify-human/[version] - Logging/telemetry\r\n/u/f - File upload endpoint\r\n/snv - endpoint name snv\r\n/$/boot - Python dropper\r\n/$/z1 - Python Stealer\r\nCommand Socket: http://[server]:443 (WebSocket via socket.io)\r\n/socket.io/\r\nSocket.io URLs\r\nFull socket.io URL Structure: http://[server_ip]:TCP_port/socket.io/?EIO=4\u0026transport=polling\u0026t=[0-9a-z]{8}\r\nTCP_Port - port number; in our case it is set to 443 for the _V-Selected C2s (port 3306 was also seen on a different IP address)\r\nEIO - Engine.IO protocol version, which is 4, the latest version of the protocol\r\ntransport - the transport mechanism, set to polling; the alternative is websocket\r\nt - Socket.io implements cache busting with a timestamp parameter in the query string. If\r\ntimestampParam is assigned the value ts then the key for the timestamp is ts; it defaults to t if no value is\r\nassigned.\r\nThere is also a sid (Session ID) parameter that is mandatory for socket.io connections only after the session is established.\r\nHence, if and only if the server accepts the connection, it responds with an open packet that contains this sid\r\nparameter embedded inside the JSON-encoded payload. The sid is required on every polling request except the very first\r\none.\r\nHere is a breakdown of the steps taken to establish a socket.io connection:\r\n1. Initial Handshake: Client sends a request to server with defined EIO and transport parameters\n2. Server Response: After receiving the handshake, server responds and creates a new session including the population\nof the sid.\n3. 
All subsequent polling: Must now include the sid received from the server after the initial handshake. Failure to\nappend the sid results in an HTTP 400 error.\nThe common characteristics from the URL structure were leveraged (with inclusion of port 3306) to enumerate URL paths\nmatching the criteria.\nSearch query (In-scope Ports): (page.url:\":443\" OR page.url:\":3306\") AND page.url:\"/socket.io/?EIO=4\u0026transport=polling\"\nBased on the results, only 136.0.9[.]8 (Cluster-1) was identified on port 443 and 85.239.62[.]36 (Cluster-2) on port\n3306.\nOther experimental ports such as 8000, 8080, 8094, 1433, 5432 and 27017 were also attempted, which provided no significant\nresults with the exception of the new IP addresses 45.138.16[.]208 on port 8080 and 154.216.19[.]19 on port 8000.\nWhile investigating these two newly identified IP addresses, they appear to be outliers, although both are flagged as\nmalicious on VirusTotal. Nevertheless, they will be useful to check for indicator overlap at a later point.\nAs seen in the above snippet, there are primarily two HTTP responses from the C2 servers.\nHTTP Status 200:\nhxxp://136.0.9[.]8[:]443/socket.io/?EIO=4\u0026transport=polling\u0026t=\n\n0{\"sid\":\"MGy81qf5krq0sJA0AAI5\",\"upgrades\":[\"websocket\"],\"pingInterval\":25000,\"pingTimeout\":60000,\"maxPayload\":10000000}\n\nhxxp://85.239.62[.]36[:]3306/socket.io/?EIO=4\u0026transport=polling\u0026t=\n\n0{\"sid\":\"qUGGniX8EH05h-GZAGBQ\",\"upgrades\":[\"websocket\"],\"pingInterval\":25000,\"pingTimeout\":60000,\"maxPayload\":10000000}\n\nBreakdown of the parameters:\n\"sid\": \"xxxxxxxxxxxxxxxxxxxx\"\nThis is the Session ID we discussed. The server has just generated this unique ID for the client. 
The client\nmust now include this sid in all future requests for this session.\n\"upgrades\": [\"websocket\"]\nThis is the server telling the client that it is currently using HTTP polling but can support upgrading the\nconnection to websocket.\nA Socket.IO client will see this and immediately try to establish a new, faster, more efficient WebSocket\nconnection.\n\"pingInterval\": 25000\nThis is the heartbeat interval in milliseconds. The server will send a \"ping\" packet to the client every 25\nseconds to make sure it's still alive.\n\"pingTimeout\": 60000\nThis is the timeout in milliseconds. If the client doesn't respond to a \"ping\" with a \"pong\" packet within 60\nseconds, the server will assume the client has disconnected and will close the session.\n\"maxPayload\": 10000000\nThis is the maximum size of a data packet (in bytes) that the server will accept (10,000,000 bytes, or ~10\nMB).\nHTTP Status 400:\n\n{\"code\":1,\"message\":\"Session ID unknown\"}\n\nAn alternative hunting opportunity is to check the DOM for the specific values of pingInterval,\r\npingTimeout and maxPayload; this was tested and yields the same results. 
The Document Object Model (DOM) is\r\nessentially an API for HTML and XML documents that represents the elements of a document as objects, organised as a tree\r\nthat is built when a page loads.\r\nSearch query (DOM Content): text.content:\"pingInterval\\\":25000\" AND text.content:\"pingTimeout\\\":60000\" AND text.content:\"maxPayload\\\":10000000\"\r\nSearch query (JSON Response): content:{3a 32 35 30 30 30 2c 22 70 69 6e 67 54 69 6d 65 6f 75 74 22 3a 36 30 30 30 30 2c 22 6d 61 78 50 61 79 6c 6f 61 64 22 3a 31 30 30 30 30 30 30 30}\r\nBelow are the SHA256 hashes of the JSON responses extracted from the successful HTTP responses from the servers:\r\n56ee3dc60471063c5ac82a617ed807afbfcf5437fb226d0432b3b6fcc4e8bac4\r\n9f2ee094aae06afdf4461b94ddbfb7b3bde8f5bb3e13f9f60519d5f00dd43066\r\n77a2e59d991aad2db848827968d9faa96fb4dec3f5511cedcd682fda50ed102f\r\n37df04dbd54b51273251708f1d014a66387222f7599357e11d10fbbec0e5ba2d\r\nA new IP address, 23.131.92[.]195, was identified that was observed interacting with the bottom two SHA256 hashes\r\nlisted above. It does not match the URL structure and uses HTTPS instead of the HTTP observed earlier, and hence\r\nis another outlier. 
There are other broader hunting opportunities where we can simply check for the wider URL patterns and\r\nthen filter on those IP addresses with HTTP status codes 200 and 400.\r\nSearch query (Extended Ports): (page.url:\":8000\" OR page.url:\":8080\") AND page.url:\"/socket.io/?EIO=4\u0026transport=polling\"\r\nThe three newly discovered IP addresses returning HTTP status 200 are all low confidence, as they lack a clear relevance to\r\nthe socket.io C2s:\r\n45.138.16[.]208\r\n154.216.19[.]19\r\n23.131.92[.]195\r\nNote: 45.138.16[.]208 and 23.131.92[.]195 were identified on VirusTotal since they were not scanned through\r\nurlscan.io.\r\nThere were also URLs with a failed scan status; these are low-confidence and are listed below:\r\n5.252.178[.]86 HTTP socket on port 8000\r\n34.231.213[.]130 HTTP socket on port 8000\r\nFor the 400 status code, the following were identified (only the newly discovered ones are mentioned):\r\n191.96.53[.]163 HTTP based socket.io on port 5000\r\n34.250.221[.]219 HTTPS based socket.io\r\nOther urlscan.io queries:\r\nSearch query (HTTP Status 200): page.url:\"/socket.io/?EIO=4\u0026transport=polling\" AND page.status:200\r\nSearch query (HTTP Status 400): page.url:\"/socket.io/?EIO=4\u0026transport=polling\" AND page.status:400\r\nNote: Both search queries require filtering on the IP addresses used in the URLs to narrow down the raw results.\r\nHTTP API URLs\r\n/verify-human/[version] - Logging/telemetry\r\n/u/f - File upload endpoint\r\n/snv - endpoint name snv\r\n/$/boot - Python dropper\r\n/$/z1 - Python Stealer\r\nSearch Query: entity:url url:\"27017\" (url:\"/verify-human/\" or url:\"/u/f\" or url:\"/snv\" or url:\"/$/boot\" or url:\"/$/z1\")\r\nUnique IP addresses 136.0.9.8, 23.27.20.143 and 85.239.62.36 were identified, which belong to clusters 1 and 2. 
A\r\nvariation of the search query was tested to accommodate the alternate C2 ports 5432, 1433 and 8080; no results\r\nwere found.\r\nCommunicating Payloads with Infrastructure\r\nDuring part 2 of the series, we developed five YARA rules to track the core payloads observed during the intrusion. These\r\nrules are listed below for reference and are available on our GitHub.\r\nActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25\r\nActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25\r\nActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25\r\nActor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25\r\nActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25\r\nTo better illustrate the relationships between the infrastructure clusters, the payloads matching YARA and the rules themselves,\r\nplease see the graph below.\r\nAttribution\r\nThis section summarises and concludes our assessment on attribution of the intrusion\r\nactivity with respect to the infrastructure leveraged. 
Our findings from the intrusion and the wider pivoting while building the\r\nclusters are complemented by open-source reporting associated with our observed activity.\r\nClusters Overview\r\nCluster Name Cluster Size Confidence Description\r\nCluster 1 6 HIGH HTTP API C2 channel hosted on ASN Evoxt Enterprise\r\nCluster 2 2 MEDIUM HTTP API C2 channel hosted on ASN Clouvider Limited\r\nCluster 3 3 LOW HTTP API C2 channel hosted on other ASNs and port numbers\r\nCluster 4 9 HIGH Socket.io C2 Channel over port 443 and 3306\r\nCluster-X-RDP 9 MEDIUM Remote Access Infrastructure used to set up C2s for the intrusion\r\nCluster-X-302 11 MEDIUM OPSEC redirection method used with HTTP 302\r\nKey Indicators Overlap\r\nAll IP addresses from the defined clusters were used to search for any references in past open-source reporting:\r\n136.0.9[.]8, 166.88.4[.]2 and 85.239.62[.]36 were all mentioned in two separate blogs by Aikido, who initially\r\nidentified a campaign in May 2025 where threat actors compromised popular NPM packages. The observed initial access\r\nvector for the campaign was an NPM developer's token being compromised and then used to make malicious changes to\r\nNPM package GitHub repositories.\r\nIt is worth mentioning that between the two blogs shared by Aikido, they referenced three IP addresses and there is a\r\npositive match on all three with what was seen during cluster development, which suggests that the intrusion we\r\nobserved is likely related to the campaign covered by Aikido. They also commented on 85.239.62[.]36 around when it\r\nwas potentially activated in Feb 2025, which is insightful since it belongs to Cluster 2.\r\nAikido did not make an attribution to known threat groups. However, they suspect on the basis of the sophistication of the infection\r\nchain that it is likely a state-sponsored operation. 
Interestingly, based on the Russian hosting ASN observed on\r\n85.239.62[.]36, they are leaning towards a Russian APT being behind the operations, which is also one of our stronger\r\nhypotheses.\r\nClose Proximity Reporting\r\nThe following reports were selected because their reporting interval is close to the intrusion timeline we observed,\r\nand because the tradecraft they describe is similar to the\r\nintrusion under consideration.\r\nThere are no obvious indicator overlaps with the reports discussed below. Hence, we have attempted to broaden our\r\napproach to look for other attributes that may support or refute our clusters.\r\nReiterating what has been discussed in the initial sections, the factors that support the criteria for our\r\nassessment are listed below:\r\nHTTP headers related to clusters 1, 2 and 3\r\nResemblance with known infrastructure fingerprints\r\nPorts: Any preferred ports favouring databases\r\nsocket.io HTTP 200 response parameters (maxPayload, pingInterval and pingTimeout)\r\nASNs: Consistent selection of ASNs, seen primarily for cluster 1, which is inclusive of the historic networks hosting the\r\nIP addresses for cluster 1 - Evoxt Enterprise, LLC and EGINHOSTING\r\nDomain Density: Domains hosted per single IP address; this value should be low since we did not see a lot of\r\ndomains (except for the dropper C2, which had 22 domains) being hosted on the same IP address\r\nURL paths: any IP addresses containing the list of URL paths for the HTTP API and socket.io C2s\r\nRussian Remote Access: Evidence of RDP activity originating from Russian servers\r\nNote: In part 3, we are mainly focusing on the infrastructure discussed in the reports and are not going to comment on the\r\npayloads found in the infection chain. 
Limited views on the payloads found during the intrusion and the additional samples\r\nthat were found using our YARA rules have been shared in the Communicating Payloads section.\r\nThere is considerable overlap between sources 1, 2 and 3 based on the TTPs, targeting and payloads used.\r\nNote: Graph produced by OpenCTI STIX\r\nSource1: Cisco Talos - Beavertail and Ottercookie\r\nIP Address ASN Notes\r\n23.227.202[.]244 HVC-AS Similar HTTP headers to socket.io C2\r\n172.86.88[.]188 ROUTERHOSTING Nothing of significance to mention\r\n138.201.50[.]5 Hetzner Online GmbH Same ASN as Cluster-3\r\n135.181.123[.]177 Hetzner Online GmbH Same ASN as Cluster-3\r\n144.172.96[.]35 ROUTERHOSTING Historically hosted on PONYNET\r\n144.172.112[.]50 ROUTERHOSTING socket.io URL with mismatched pingTimeout parameter\r\n172.86.73[.]46 ROUTERHOSTING Nothing of significance to mention\r\n172.86.113[.]12 ROUTERHOSTING Nothing of significance to mention\r\nObservations\r\nNone of the ports from the C2 URLs mentioned in the source correspond to databases. The URL paths also largely remain\r\ndifferent. While there is no overlap with the ASNs, we can still see one ASN, ROUTERHOSTING, used more frequently\r\nthan others. Domain density is also high compared to what was observed with our clusters. 
Only one IP address,\r\n144.172.96[.]35, was seen to have a shift in its hosting ASN from PONYNET to ROUTERHOSTING.\r\nThere is a near-perfect overlap between the socket.io HTTP headers from the source and Cluster 4 for IP address\r\n23.227.202[.]244 on port 1224 (which is the documented C2 port), with only the X-Powered-By: Express header not matching.\r\nIt is worth mentioning that there is a difference in the C2 port as well (port 443 instead of 1224).\r\nHTTP/1.1 404 Not Found\r\nContent-Length: 139\r\nAccess-Control-Allow-Origin: *\r\nContent-Security-Policy: default-src 'none'\r\nContent-Type: text/html; charset=utf-8\r\nDate: Fri, 17 Oct 2025 08:57:59 GMT\r\nX-Content-Type-Options: nosniff\r\nX-Powered-By: Express\r\nMore specifically, one socket.io URL on 144.172.112[.]50 was spotted with the following value:\r\nhxxp://144.172.112[.]50[:]6411/socket.io/?EIO=4\u0026transport=polling\u0026t=hbvxfknl. The paired port is a non-standard\r\none that is not assigned to a known service. Upon inspecting the successful raw response, there was a discrepancy in the\r\npingTimeout value, equal to 20000 instead of 60000; the other parameters, maxPayload and pingInterval, were the same.\r\nHence, it was determined that the IP address concerned would not be considered as part of cluster 4.\r\nAlso, two IP addresses, 138.201.50[.]5 and 135.181.123[.]177, are hosted on Hetzner Online GmbH, which is the same\r\nASN as our cluster 3. However, upon further investigation, no conclusive evidence was found to establish a positive link.\r\nSource2: Google (GTIG) - UNC5142 Leverages Etherhiding\r\nIP address Domains ASN Notes\r\n83.217.208[.]130 dns-verify-me[.]pro Partner Hosting LTD Previously hosted on OOO Trivon Networks (Russia)\r\n80.64.30[.]238 pushistike[.]icu, lapkimeow[.]icu, skotobazamiau[.]icu, kiteketiki[.]icu, kotobazamiau[.]icu Chang Way Technologies Co. Limited Previously hosted on LLC Baxet (Russia)\r\n185.121.235[.]167 saaadnesss[.]shop, uuukaraokeboss[.]shop, ddeapeaceofmind[.]shop, minimeh[.]shop, polovoiinspektor[.]shop Servers Tech Fzco Nothing of significance to mention\r\n138.201.207[.]116 browser-storage[.]com Hetzner Online GmbH Same ASN as Cluster-3\r\nObservations\r\nThe domain density demonstrated in this source is the highest out of all sources. Due to the domains leveraged as C2s, ports\r\n80 and 443 were the primary C2 ports (which is a disconnect from ports used for databases). During examination of the\r\nrelevant HTTP headers and banners for the IP addresses in the above table, there are no infrastructure attributes that are\r\nsimilar to any of the clusters we have created.\r\nThere is not a lot of similarity in the hosting infrastructure, except for 138.201.207[.]116, which is hosted on Hetzner\r\nOnline GmbH, the same ASN as our cluster 3. Both 83.217.208[.]130 and 80.64.30[.]238 are hosted in Russia,\r\nwith the latter also previously hosted on ASN LLC Baxet, which was also one of the past ASNs observed for Cluster-X-RDP.\r\nSource3: ESET - Deceptive Development\r\nIP Address ASN Notes\r\n199.188.200[.]147 Namecheap, Inc. 
Dynamic hosting, driverservices[.]store\r\n116.125.126[.]38 SK Broadband Co Ltd Dynamic hosting, www.royalsevres[.]com\r\n103.231.75[.]101 THE-HOSTING-MNT Currently hosted on WorkTitans B.V\r\n45.159.248[.]110 THE-HOSTING-MNT Currently hosted on WorkTitans B.V\r\n45.8.146[.]93 STARK INDUSTRIES SOLUTIONS LTD Currently hosted on WorkTitans B.V\r\n86.104.72[.]247 STARK INDUSTRIES SOLUTIONS LTD Currently hosted on WorkTitans B.V\r\n103.35.190[.]170 STARK INDUSTRIES SOLUTIONS LTD Currently hosted on WorkTitans B.V with a Russian domain in one of its resolutions\r\nObservations\r\nDomain density is in sync with what is seen for the clusters. None of the listed IP addresses from the source have remotely\r\nsimilar C2 URL paths for either socket.io or the HTTP API. Likewise, there is no overlap in the ASNs. Adding to this, the\r\nHTTP headers identified across the different IP addresses do not match any of the clusters.\r\nThere is a degree of consistency in regards to the selection of the same ASN, STARK INDUSTRIES SOLUTIONS LTD, which\r\nis well known for its bad reputation as a Bulletproof Hosting Provider (BHP). On the contrary, there is no consistency in the\r\nports being used, because they do not map to databases.\r\nThere appears to be a discrepancy between the ASNs referenced in the source report and those identified by VirusTotal. Upon retracing\r\nthe routing history for the IP addresses, this shift in the hosting ASN from STARK INDUSTRIES SOLUTIONS LTD to\r\nWorkTitans B.V is quite recent (from 15th October 2025 onwards). This observation is further validated when cross-referencing the first seen dates for the IP addresses in the source report.\r\nThis shift in the ASNs is of significance as all the C2 IP addresses from the source reporting are currently hosted on\r\nWorkTitans B.V, which is known as a medium-risk network. 
There may be other intermediary ASNs prior to moving to\r\nWorkTitans B.V, but the important point to note here is the shift in the ASNs and not the specific ASN itself.\r\nThere is a single instance of a Russian domain, us.extip[.]ru, that is hosted on IP address 103.35.190[.]170.\r\nConclusion\r\nThe primary focus of part 3 was to closely analyse and develop fingerprints for the payload and C2 infrastructure sighted\r\nduring the intrusion. Based on our current findings, we were able to develop and divide the infrastructure clusters with\r\ndiffering degrees of confidence.\r\nOverall Assessment/Ransom-ISAC Views\r\nBased on the clusters identified from intrusion analysis and wider pivoting, it is assessed with low to medium confidence\r\nthat there are two distinct threat actors working with one another that are actively or passively involved in the intrusion.\r\nTheir participation is based on their involvement in setting up the infrastructure used for the intrusion and then the\r\nsubsequent usage of the infrastructure itself during the intrusion.\r\nBased on the timeline, geolocation and the remote access facilitated by the operators prior to the intrusion, it can be assessed\r\nwith low confidence that the pre-attack infrastructure is being facilitated in Russia to then later be used by a DPRK-aligned\r\nthreat cluster. Involvement of Russia in the earlier stages is based on the RDP TLS certificate PACKERP-XXXXXXXX\r\nthat was initially discovered with IP addresses in Cluster-2 and later used to create Cluster-X-RDP.\r\nHistoric reporting has suggested that IP address blocks in Russia were used as egress nodes for cybercrime activities aligned\r\nwith North Korea (Famous Chollima). 
The vast majority of ASNs linked to the IP addresses mentioned in the article are on\r\nStark Industries, while others include Evoxt Enterprise (the ASN associated with Cluster-1) and Zapbytes Technologies.\r\nWhile we have seen overlap in key indicators from clusters 1 and 2 with the campaign covered by Aikido, they did not make\r\nany attribution to known threat groups for the observed campaign. However, based on the indicator overlap, it can be\r\nassessed with moderate to high confidence that the intrusion we observed is likely part of that campaign despite it lacking\r\nattribution.\r\nA plausible hypothesis, assessed with moderate-to-high confidence, is that the \"Орлан 2.0 (веб-интерфейс)\" login\r\npages observed across Cluster-X-302 infrastructure represent legitimate licensed deployments of Orlan Security's DCAP\r\nsystem (https://orlan-security.ru) being operationally employed by DPRK threat actors to systematically prioritise and\r\noptimise large-scale data exfiltration operations.\r\nGiven the DPRK attribution and the actor's established modus operandi focused on data collection, DPRK operators may be\r\ndeploying legitimate Orlan:DCAP licences on compromised victim networks to automate the identification of high-value\r\ndata targets. 
This would enable DPRK actors to maximise intelligence and financial value whilst minimising bandwidth\r\nconsumption and detection risk—directly supporting known operational priorities including cryptocurrency exchange data\r\ntheft, intellectual property exfiltration for state economic advancement, and financial fraud operations.\r\nAt this point, there is not enough evidence as such to suggest attribution towards a known specific threat group and we shall\r\ncontinue to monitor the clusters in the near future to determine if connections exist to known threat groups and/or\r\ncampaigns.\r\nIf you have any additional supporting information on the IP addresses listed in the clusters, please feel free to reach out to\r\nRansom-ISAC at contact@ransom-isac.org.\r\nPart 4\r\nOur next analysis will be covering dedicated blockchain infrastructure and cryptocurrency tracking. Through comprehensive\r\nblockchain analysis, we'll trace the flow of stolen funds across multiple chains and reveal the financial infrastructure\r\nunderpinning this campaign. Such a siloed approach ensures that unintended biases are reduced to the best of our analytical\r\nabilities, providing an independent view of the threat actor's financial operations.\r\nIn Part 4, we'll expose the wallet networks, fund routing patterns, and laundering techniques used to monetise this\r\nsophisticated attack chain. From initial theft to final destination, discover how DPRK threat actors move and obfuscate\r\nstolen cryptocurrency at scale.\r\nAcknowledgements\r\nRansom-ISAC extends sincere thanks to our collaborators at Bridewell and Crystal Intelligence for their invaluable\r\ncontributions to this investigation. Special recognition goes to the Bridewell team for their expertise in infrastructure\r\nanalysis and attribution assessment that formed the foundation of Part 3. 
We also wish to thank Crystal Intelligence for\r\nbringing this case to our attention and their continued partnership throughout the investigation. Finally, we're grateful to all\r\nindividuals and organisations who have reached out requesting assistance or sharing intelligence—your collaboration\r\nstrengthens our collective defense against sophisticated threat actors and advances the broader cybersecurity community's\r\nunderstanding of evolving threats.\r\nIndicators of Compromise (IOCs)\r\n1. ASN IOCs (High-Medium Degree of Confidence)\r\nIP Address First Seen Malware/Activity\r\n23.26.237.237 Nov-25 Rhadamanthys Stealer\r\n23.26.237.117 Oct-25 Rhadamanthys Stealer\r\n23.27.24.90 Oct-25 Sliver C2\r\n23.27.168.222 Oct-25 Rhadamanthys Stealer\r\n136.0.141.91 Sep-25 Rhadamanthys Stealer\r\n136.0.141.245 Sep-25 Rhadamanthys Stealer\r\n166.88.117.240 Sep-25 Remcos\r\n23.27.124.91 Sep-25 Remcos\r\n156.227.0.60 Sep-25 Rhadamanthys Stealer\r\n96.126.191.167 Sep-25 Xworm\r\n108.165.147.181 Sep-25 SuperShell C2\r\n216.173.65.45 Sep-25 Remcos\r\n166.88.194.123 Aug-25 Cobalt Strike (Watermark: 0)\r\n23.27.163.245 Aug-25 VenomRAT\r\n23.27.169.64 Aug-25 DCRAT\r\n23.27.24.227 Aug-25 GoPhish\r\n166.88.132.69 Aug-25 Remcos\r\n166.0.132.184 Aug-25 Sliver C2\r\n38.211.230.55 Jun-25 Remcos\r\n23.27.201.30 Jun-25 Sliver C2\r\n166.88.61.58 Jun-25 AdaptixC2\r\n166.88.114.78 May-25 Sliver C2\r\n166.88.100.85 May-25 Cobalt Strike (Watermark: 391144938)\r\n23.27.48.77 May-25 Remcos\r\n166.88.95.137 May-25 Mythic C2\r\n23.27.48.113 Apr-25 Red Guard (C2 Redirector)\r\n166.88.14.137 Apr-25 Cobalt Strike (Watermark: 391144938)\r\n216.173.64.63 Feb-25 XWorm\r\n166.88.90.22 Feb-25 AsyncRAT\r\n23.27.169.4 Feb-25 Viper C2\r\n166.88.98.221 Feb-25 Cobalt Strike (Watermark: 0)\r\n23.27.240.252 Feb-25 Cobalt Strike (Watermark: 666666666)\r\n23.27.48.179 Feb-25 
Cobalt Strike (Watermark: 666666666)\r\n166.88.141.40 Feb-25 Cobalt Strike (Watermark: 666666666)\r\n23.27.48.4 Jan-25 Cobalt Strike (Watermark: 987654321)\r\n23.27.12.214 Dec-24 SuperShell C2\r\n23.27.201.57 Dec-24 UNAM C2 Panel\r\n156.235.89.227 Dec-24 Sliver C2\r\n23.27.240.237 Dec-24 Cobalt Strike\r\n45.194.27.99 Oct-24 Sliver C2\r\n166.88.57.117 Sep-24 SuperShell C2\r\n136.0.11.193 Sep-24 Cobalt Strike (Watermark: 100000)\r\n23.27.244.39 Aug-24 Remcos\r\n172.121.5.230 Apr-24 Cobalt Strike (Watermark: 100000)\r\n166.88.132.139 Feb-24 QuasarRAT\r\n166.88.97.138 Aug-25 PlugX\r\n166.88.61.35 Jul-25 China-aligned espionage, Cobalt Strike (Watermark: 100000)\r\n166.88.96.120 Jun-25 Cobalt Strike (Watermark: 100000)\r\n166.88.4.2 Jun-25 NPM Supply Chain\r\n166.88.2.90 Aug-25 Dark Peony (Operation Controlplug)\r\n166.88.194.53 Apr-25 Earth Kurma\r\n166.88.61.53 Apr-25 Russian infrastructure associated with DPRK\r\n166.88.117.11 Apr-25 Dark Peony (Operation Controlplug)\r\n166.88.35.203 Mar-25 Dark Peony (Operation Controlplug)\r\n166.88.2.184 Mar-25 Cobalt Strike (Watermark: 666666666)\r\n166.88.14.52 Dec-24 Cobalt Strike (Watermark: 987654321)\r\n166.88.14.44 Mar-25 XWorm\r\n166.88.101.20 Feb-25 DeimosC2\r\n166.88.99.15 Feb-25 Cobalt Strike (Watermark: Unknown)\r\n166.88.55.54 Feb-25 Cobalt Strike (Watermark: Unknown)\r\n166.88.132.39 Nov-25 DPRK Lazarus, Contagious Interview\r\n166.88.159.187 Jun-25 FIN7\r\n166.88.159.37 Oct-24 FIN7\r\n193.57.57.121 Jan-25 Cobalt Strike (Watermark: 100000)\r\n198.105.127.98 May-24 DPRK Lazarus (through domain resolution)\r\n198.105.127.124 May-25 PoC Exploit for Critical Zero Day\r\n223.165.6.30 Jul-24 VenomRAT\r\n38.211.230.5 Jul-25 Dark Peony (Operation Controlplug)\r\n38.246.73.120 Jun-25 Dark Peony (Operation Controlplug)\r\n45.195.76.82 Feb-24 Cobalt Strike (Watermark: 100000)\r\n45.195.76.26 Dec-23 
ShadowPad\r\n50.114.5.82 Sep-24 SuperShell\r\n91.218.183.90 Apr-23 Cobalt Strike (QUARTERRIG, attributed to APT29)\r\n103.179.142.121 Jun-23 AveMaria\r\n136.0.3.250 Jan-25 AsyncRAT\r\n136.0.3.71 Mar-24 Bianlian\r\n136.0.3.240 Jan-24 Bianlian\r\n136.0.8.169 Feb-25 Danabot\r\n136.0.9.8 Jun-25 NPM Supply Chain (Ports: 27017 and 3306)\r\n142.111.77.196 Jul-24 DPRK Moonsleet NPM\r\n154.81.220.233 Feb-25 Redline Stealer\r\n155.254.60.160 May-25 ViciousTrap CVE exploitation\r\n156.227.0.187 Apr-24 Agent Tesla Targeting Entities\r\n156.236.76.90 Jun-25 PoC Exploit for Critical Zero Day\r\n2. All Clusters IOCs (Low Degree of Confidence)\r\nCluster Name First Seen Indicator\r\nCluster-1 Sep 2025 23.27.20[.]143\r\nCluster-1 Sep 2025 136.0.9[.]8\r\nCluster-1 Sep 2025 166.88.4[.]2\r\nCluster-1 Sep 2025 23.27.202[.]27\r\nCluster-1 Oct 2025 23.27.120[.]142\r\nCluster-1 Feb 2025 154.91.0[.]103\r\nCluster-2 May 2025 85.239.62[.]36\r\nCluster-2 Feb 2025 85.239.60[.]213\r\nCluster-3 Jun 2025 91.99.83[.]196\r\nCluster-3 Jun 2025 37.27.108[.]244\r\nCluster-3 May 2025 57.128.212[.]19\r\nCluster-X-RDP Nov 2024 91.242.241[.]31\r\nCluster-X-RDP Apr 2025 91.242.241[.]170\r\nCluster-X-RDP Apr 2025 91.242.241[.]117\r\nCluster-X-RDP May 2025 91.242.241[.]122\r\nCluster-X-RDP Dec 2024 91.242.241[.]15\r\nCluster-X-RDP Nov 2024 91.242.241[.]174\r\nCluster-X-RDP Nov 2024 91.242.241[.]55\r\nCluster-X-RDP Dec 2024 91.242.241[.]183\r\nCluster-X-RDP Dec 2024 62.106.66[.]151\r\nCluster-X-RDP Apr 2025 45.129.199[.]127\r\nCluster-X-RDP Jan 2025 45.86.231[.]67\r\nCluster-X-302 Dec 2024 78.25.123[.]242\r\nCluster-X-302 Nov 2024 78.25.123[.]66\r\nCluster-X-302 Nov 2024 78.25.122[.]218\r\nCluster-X-302 Nov 2024 78.25.109[.]155\r\nCluster-X-302 Nov 2024 78.25.108[.]249\r\nCluster-X-302 Dec 2024 78.25.111[.]63\r\nCluster-X-302 Nov 2024 78.25.121[.]187\r\nCluster-X-302 Nov 2024 
78.25.123[.]153\r\nCluster-X-302 Nov 2024 78.25.123[.]240\r\nCluster-X-302 Nov 2024 78.25.123[.]249\r\nCluster-X-302 Nov 2024 85.26.218[.]114\r\nCluster-4 Sep 2025 136.0.9[.]8\r\nCluster-4 Sep 2025 23.27.202[.]27\r\nCluster-4 Sep 2025 166.88.4[.]2\r\nCluster-4 Oct 2025 23.27.120[.]142\r\nCluster-4 Mar 2025 181.117.128[.]64\r\nCluster-4 Oct 2025 183.101.157[.]30\r\nCluster-4 Nov 2025 195.122.31[.]246\r\nCluster-4 Nov 2025 202.155.8[.]173\r\nsocket.io URL (Status 200) Sep 2025 45.138.16[.]208\r\nsocket.io URL (Status 200) Sep 2024 154.216.19[.]19\r\nsocket.io URL (Status 200) Jul 2025 23.131.92[.]195\r\nsocket.io URL (No Status) Nov 2022 5.252.178[.]86\r\nsocket.io URL (No Status) Unknown 34.231.213[.]130\r\nsocket.io URL (Status 400) May 2024 191.96.53[.]163\r\nsocket.io URL (Status 400) May 2023 34.250.221[.]219\r\n3. File Hashes (High Degree of Confidence)\r\nThe hash values in this archived text extraction are truncated (a SHA256 digest is 64 hex characters); take the full hashes from the source report before using them for matching.\r\nYARA Rule Name SHA256 Hash\r\nActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25 742016f01fa89be4d43916d5d2349c8d86dc89f096302501\r\nActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_1_1Oct25 a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a\r\nActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25 236ff897dee7d21319482cd67815bd22391523e37e0452fa\r\nActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25 742016f01fa89be4d43916d5d2349c8d86dc89f096302501\r\nActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25 a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a\r\nActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25 24cad593f02db847d1302ee7c486d0756708521d5ae69faa\r\nActor_APT_DPRK_Unknown_MAL_Script_PY_Stealer_Unknown_Strings_2_Oct25 a51c2b2c5134d8079f11a22bd0621d29b10e16aefa4174b5\r\nActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25 
be21bf4ad94c394202e7b52a1b461ed868200f0f03b3c854\r\nActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25 87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5\r\nActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25 ba738d8fa5ecd4b996612dde6cd4516cbe7116305661521f\r\nActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25 83a84588a941e463c981083555a2e7814887fa8816e7cca5\r\nActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25 6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f\r\nActor_APT_DPRK_Unknown_MAL_Script_JS_Loader_Unknown_Strings_Oct25 897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d\r\nActor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25 eefe39fe88e75b37babb37c7379d1ec61b187a9677ee5d0c\r\nActor_APT_DPRK_Unknown_MAL_Script_JS_RAT_Unknown_Strings_Oct25 43dc7a343649a7ce748e4c2f94bcb6064199507cfd9f064a\r\nActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25 908696f3ec522e846575061e90747ddf29fccab0e5936459\r\nActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25 897d040e5db47b806c01eb2a1a056ca49b10e0aa4985f84d\r\nActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25 be21bf4ad94c394202e7b52a1b461ed868200f0f03b3c854\r\nActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25 6e48fe09117ead1ef2c10a3db614217184fc300ac70ee902f\r\nActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25 87330f64f5cd4695f2385f87c9ffffee26d5ad2637665f1cd5\r\nActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25 83a84588a941e463c981083555a2e7814887fa8816e7cca5\r\nActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25 ba738d8fa5ecd4b996612dde6cd4516cbe7116305661521f\r\nActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25 a2880c2d262b4a76e64fd29a813f2446ecbd640f378714aa\r\nActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25 973f777723d315e0bee0fb9e81e943bb3440be7d2de7bf58\r\nActor_APT_DPRK_Unknown_MAL_Indicators_Strings_Oct25 a7d7075e866132b8e8eb87265f7b7fab0e9f6dd7f748445a\r\nSource: 
https://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist-part-3/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist-part-3/"
	],
	"report_names": [
		"cross-chain-txdatahiding-crypto-heist-part-3"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "222835b0-22fb-406e-8fd5-f36dae694212",
			"created_at": "2025-06-29T02:01:56.985922Z",
			"updated_at": "2026-04-10T02:00:04.666399Z",
			"deleted_at": null,
			"main_name": "Earth Kurma",
			"aliases": [],
			"source_name": "ETDA:Earth Kurma",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DMLOADER",
				"DUNLOADER",
				"KRNRAT",
				"Moriya",
				"ODRIZ",
				"SIMPOBOXSPY",
				"TESDAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "45e6e2b3-43fe-44cd-8025-aea18a7f488f",
			"created_at": "2024-06-20T02:02:09.897489Z",
			"updated_at": "2026-04-10T02:00:04.769917Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Storm-1789",
				"Stressed Pungsan"
			],
			"source_name": "ETDA:Moonstone Sleet",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "28523c53-1944-4ff0-bbdc-89b06e4e3c84",
			"created_at": "2024-11-01T02:00:52.752463Z",
			"updated_at": "2026-04-10T02:00:05.359782Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Moonstone Sleet",
				"Storm-1789"
			],
			"source_name": "MITRE:Moonstone Sleet",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f161dc2b-a18e-43b9-9786-2285bc745a10",
			"created_at": "2025-05-29T02:00:03.214326Z",
			"updated_at": "2026-04-10T02:00:03.867482Z",
			"deleted_at": null,
			"main_name": "Earth Kurma",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Kurma",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5f2a17c6-6168-4d2a-9e57-f93890151d02",
			"created_at": "2026-02-04T02:00:03.702522Z",
			"updated_at": "2026-04-10T02:00:03.948138Z",
			"deleted_at": null,
			"main_name": "ViciousTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:ViciousTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b61e4c6ba0bf6f9658599075cdee2c82a340f909.pdf",
		"text": "https://archive.orkl.eu/b61e4c6ba0bf6f9658599075cdee2c82a340f909.txt",
		"img": "https://archive.orkl.eu/b61e4c6ba0bf6f9658599075cdee2c82a340f909.jpg"
	}
}