{
	"id": "1818e797-c1f9-4345-9426-00d1ca162367",
	"created_at": "2026-04-06T01:31:35.510056Z",
	"updated_at": "2026-04-10T03:33:18.531013Z",
	"deleted_at": null,
	"sha1_hash": "b7f822d02be9d514969b28cb01b3e6ee8e543e44",
	"title": "TA428 Group abusing recent conflict between Iran and USA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82631,
	"plain_text": "TA428 Group abusing recent conflict between Iran and USA\r\nPublished: 2020-01-09 · Archived: 2026-04-06 00:14:30 UTC\r\nRecently, a suspicious document caught our attention because of its recent creation date (06-01-2020) and its title, “How Swuleimani’s death will affect India and Pakistan.doc”, which refers directly to the recent political events between Iran and the USA.\r\nThe document is in RTF format and contains an OLE object associated with the Equation Editor. Over the last few years, such OLE objects have been a good indicator that a document is attempting to exploit the CVE-2018-0798 vulnerability in order to deliver malware. This document turns out to be one of those cases: it drops a binary called 8.t into the user's “%TEMP%” folder.\r\nUp to this point, the TTPs match those described in the Proofpoint report on a suspected Chinese APT group known as TA428.\r\nAt the end of this infection chain we obtain a DLL with the “.wll” extension, the extension registered for “Word.Addin.8” files, installed in “%APPDATA%\\Microsoft\\Word\\STARTUP”; this causes Microsoft Word to load the “.wll” executable at its next start-up.
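As an added example (not part of the original Lab52 post), the following Python script performs the first static check described above: it walks the \\object groups of an RTF file, reads the class declared in \\objclass and the class recorded inside the OLE1 ObjectHeader of the \\objdata hex blob, and flags objects that belong to the Equation Editor. Reading the class from the OLE1 header matters because malicious RTFs often omit or obfuscate \\objclass. The sample RTF, the helper that builds OLE1 objects and all function names are constructed for this example; the native payload bytes are filler, not exploit data. It is a triage aid, not a full RTF parser: nested groups, \\bin control words and the other obfuscations seen in the wild are not handled.

```python
import struct

# Class names and the CLSID (0002CE02-0000-0000-C000-000000000046) under which
# the Equation Editor (EQNEDT32.EXE) registers its embeddable object.
EQUATION_MARKERS = ('equation.2', 'equation.3', 'equation.dsmt4',
                    '0002ce02-0000-0000-c000-000000000046')


def _ole1_object(class_name, native_data):
    # Build an MS-OLEDS ObjectHeader followed by the native payload, the layout
    # that RTF stores hex-encoded inside \\objdata. Constructed for this example.
    name = class_name.encode('ascii') + bytes(1)           # null-terminated ANSI string
    blob = struct.pack('<II', 0x00000501, 2)               # OLEVersion, FormatID=2 (embedded)
    blob += struct.pack('<I', len(name)) + name            # ClassName
    blob += struct.pack('<I', 0) + struct.pack('<I', 0)    # empty TopicName and ItemName
    return blob + struct.pack('<I', len(native_data)) + native_data


def _rtf_object(class_name, native_data, declared_class=None):
    # Wrap the object in the control words Word emits; \\objclass is optional.
    parts = ['{\\object\\objemb\\objupdate']
    if declared_class is not None:
        parts.append('{\\*\\objclass ' + declared_class + '}')
    parts.append('{\\*\\objdata ' + _ole1_object(class_name, native_data).hex() + '}')
    parts.append('}')
    return ''.join(parts)


# Constructed sample: one benign embedded Word document and one Equation Editor
# object whose \\objclass has been stripped, as obfuscated samples often do.
SAMPLE_RTF = ('{\\rtf1\\ansi '
              + _rtf_object('Word.Document.8', b'benign embedded document', 'Word.Document.8')
              + _rtf_object('Equation.3', bytes(range(16)) * 4)
              + '}').encode('ascii')


def _control_value(chunk, word):
    # Text following a control word (e.g. b'\\objclass') up to the closing brace.
    i = chunk.find(word)
    if i < 0:
        return None
    j = chunk.find(b'}', i)
    end = j if j >= 0 else len(chunk)
    return chunk[i + len(word):end].strip().decode('latin-1')


def _objdata_bytes(chunk):
    # Decode the hex blob of \\objdata, tolerating whitespace and an odd trailing nibble.
    text = _control_value(chunk, b'\\objdata')
    if text is None:
        return b''
    hexchars = ''.join(c for c in text if c in '0123456789abcdefABCDEF')
    return bytes.fromhex(hexchars[:len(hexchars) - len(hexchars) % 2])


def _ole1_class(blob):
    # Recover ClassName from the OLE1 ObjectHeader, regardless of what \\objclass claims.
    if len(blob) < 12:
        return None
    _version, format_id, name_len = struct.unpack_from('<III', blob, 0)
    if format_id not in (1, 2) or 12 + name_len > len(blob):
        return None
    return blob[12:12 + name_len].split(bytes(1))[0].decode('latin-1')


def _is_equation(*names):
    return any(n is not None and m in n.lower() for n in names for m in EQUATION_MARKERS)


def triage_rtf(data):
    # One finding per \\object group. equation_editor is the indicator the post
    # relies on; a header class that disagrees with \\objclass is itself suspicious.
    starts = []
    pos = data.find(b'\\object')
    while pos >= 0:
        starts.append(pos)
        pos = data.find(b'\\object', pos + 1)
    findings = []
    for k, start in enumerate(starts):
        chunk = data[start:starts[k + 1]] if k + 1 < len(starts) else data[start:]
        blob = _objdata_bytes(chunk)
        declared = _control_value(chunk, b'\\objclass')
        header = _ole1_class(blob)
        findings.append({
            'declared_class': declared,
            'header_class': header,
            'auto_update': b'\\objupdate' in chunk,
            'native_size': len(blob),
            'equation_editor': _is_equation(declared, header),
        })
    return findings


if __name__ == '__main__':
    for finding in triage_rtf(SAMPLE_RTF):
        print(finding)
```

Run it against a real file with triage_rtf(open(path, 'rb').read()). Any finding with equation_editor set, or whose header class disagrees with the declared class, deserves detonation in a sandbox rather than a double-click; a \\objupdate flag on top of that means the object is loaded as soon as the document opens.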
This persistence mechanism also matches the TTPs described in the Proofpoint post.\r\nThis DLL is a packed PoisonIvy RAT sample that, after a few seconds, connects to the C2 server “95.179.131.29” on port 443 and, if that fails, on port 8080 over HTTP.\r\nThe IP address belongs to the infrastructure listed in the Proofpoint post, which indicates that this is probably the same actor reusing its old infrastructure in a new campaign that takes advantage of the conflict mentioned at the beginning of the article.\r\nIt is always critical to be wary of any attachment that refers to a recent geopolitical conflict: as stated above, attackers routinely use such events as lures to infect their victims through this kind of phishing campaign.\r\nDocument SHA256: 0eb7ba6457367f8f5f917f37ebbf1e7ccf0e971557dbe5d7547e49d129ac0e98\r\nPoison Ivy SHA256: 02dec90a18545d4bfbac5de19c6499142e141c3c0abaecdc8ac56b8eede167aa\r\nPoison Ivy C2: 95.179.131.29\r\nSource: https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/"
	],
	"report_names": [
		"icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439095,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7f822d02be9d514969b28cb01b3e6ee8e543e44.pdf",
		"text": "https://archive.orkl.eu/b7f822d02be9d514969b28cb01b3e6ee8e543e44.txt",
		"img": "https://archive.orkl.eu/b7f822d02be9d514969b28cb01b3e6ee8e543e44.jpg"
	}
}