{
	"id": "46c776de-5a32-4ca6-8275-112459f84884",
	"created_at": "2026-04-06T00:15:02.318433Z",
	"updated_at": "2026-04-10T13:12:58.905792Z",
	"deleted_at": null,
	"sha1_hash": "bfea9e9feaa3a2f4c8b22d595dfe01c68731c340",
	"title": "The “EyePyramid” attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 574243,
	"plain_text": "The “EyePyramid” attacks\r\nBy GReAT\r\nPublished: 2017-01-12 · Archived: 2026-04-05 20:26:23 UTC\r\nOn January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks\r\ndirected at top Italian government members and institutions.\r\nThe attacks leveraged a malware named “EyePyramid” to target a dozen politicians, bankers, prominent\r\nfreemasons and law enforcement personalities in Italy. These included Fabrizio Saccomanni, the former deputy\r\ngovernor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge,\r\nMatteo Renzi, former prime minister of Italy and Mario Draghi, president of the European Central Bank.\r\nThe malware was spread using spear-phishing emails and the level of sophistication is low. However, the malware\r\nis flexible enough to grant access to all the resources in the victim’s computer.\r\nDuring the investigation, involved LEAs found more than 100 active victims in the server used to host the\r\nmalware, as well as indications that during the last few years the attackers had targeted around 16,000 victims. All\r\nidentified victims are in Italy, most of them being Law Firms, Consultancy services, Universities and even Vatican\r\nCardinals.\r\nEvidence found on the C\u0026C servers suggests that the campaign was active since at least March 2014 and lasted\r\nuntil August 2016. 
However, it is suspected that the malware was developed and probably used years before,\r\npossibly as far back as 2008.\r\nTwo suspects were arrested on January 10th, 2017 and identified as 45-year-old nuclear engineer Giulio\r\nOcchionero and his 47-year-old sister Francesca Maria Occhionero.\r\nInvestigation\r\nAlthough the Italian Police Report doesn’t include malware hashes, it identified a number of C\u0026C servers and e-mail addresses used by the malware for exfiltration of stolen data.\r\nhttps://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/\r\nPage 1 of 14\n\nExcerpt from the Italian court order on #EyePyramid\r\n(http://www.agi.it/pictures/pdf/agi/agi/2017/01/10/132733992-5cec4d88-49a1-4a00-8a01-dde65baa5a68.pdf)\r\nSome of the e-mail addresses used for exfiltration and C\u0026C domains outlined by the police report follow:\r\nBased on these indicators we quickly wrote a YARA rule and ran it through our systems, in order to see if it\r\nmatches any samples.\r\nHere’s what our initial “blind”-written YARA rule looked like:\r\nrule crime_ZZ_EyePyramid {\r\n  meta:\r\n    copyright = \" Kaspersky Lab\"\r\n    author = \" Kaspersky Lab\"\r\n    maltype = \"crimeware\"\r\n    filetype = \"Win32 EXE\"\r\n    date = \"2016-01-11\"\r\n    version = \"1.0\"\r\n  strings:\r\n    // C\u0026C domains\r\n    $a0=\"eyepyramid.com\" ascii wide nocase fullword\r\n    $a1=\"hostpenta.com\" ascii wide nocase fullword\r\n    $a2=\"ayexisfitness.com\" ascii wide nocase fullword\r\n    $a3=\"enasrl.com\" ascii wide nocase fullword\r\n    $a4=\"eurecoove.com\" ascii wide nocase fullword\r\n    $a5=\"marashen.com\" ascii wide nocase fullword\r\n    $a6=\"millertaylor.com\" ascii wide nocase fullword\r\n    $a7=\"occhionero.com\" ascii wide nocase fullword\r\n    $a8=\"occhionero.info\" ascii wide nocase fullword\r\n    $a9=\"wallserv.com\" ascii wide nocase fullword\r\n    $a10=\"westlands.com\" ascii wide nocase fullword\r\n    // IP addresses used in the attacks\r\n    $a11=\"217.115.113.181\" ascii wide nocase fullword\r\n    $a12=\"216.176.180.188\" ascii wide nocase fullword\r\n    $a13=\"65.98.88.29\" ascii wide nocase fullword\r\n    $a14=\"199.15.251.75\" ascii wide nocase fullword\r\n    $a15=\"216.176.180.181\" ascii wide nocase fullword\r\n    // licenses for the custom mailing library\r\n    $a16=\"MN600-849590C695DFD9BF69481597241E-668C\" ascii wide nocase fullword\r\n    $a17=\"MN600-841597241E8D9BF6949590C695DF-774D\" ascii wide nocase fullword\r\n    $a18=\"MN600-3E3A3C593AD5BAF50F55A4ED60F0-385D\" ascii wide nocase fullword\r\n    $a19=\"MN600-AD58AF50F55A60E043E3A3C593ED-874A\" ascii wide nocase fullword\r\n    // e-mail addresses\r\n    $a20=\"gpool@hostpenta.com\" ascii wide nocase fullword\r\n    $a21=\"hanger@hostpenta.com\" ascii wide nocase fullword\r\n    $a22=\"hostpenta@hostpenta.com\" ascii wide nocase fullword\r\n    $a23=\"ulpi715@gmx.com\" ascii wide nocase fullword\r\n    $b0=\"purge626@gmail.com\" ascii wide fullword\r\n    $b1=\"tip848@gmail.com\" ascii wide fullword\r\n    $b2=\"dude626@gmail.com\" ascii wide fullword\r\n    $b3=\"octo424@gmail.com\" ascii wide fullword\r\n    $b4=\"antoniaf@poste.it\" ascii wide fullword\r\n    $b5=\"mmarcucci@virgilio.it\" ascii wide fullword\r\n    $b6=\"i.julia@blu.it\" ascii wide fullword\r\n    $b7=\"g.simeoni@inwind.it\" ascii wide fullword\r\n    $b8=\"g.latagliata@live.com\" ascii wide fullword\r\n    $b9=\"rita.p@blu.it\" ascii wide fullword\r\n    $b10=\"b.gaetani@live.com\" ascii wide fullword\r\n    $b11=\"gpierpaolo@tin.it\" ascii wide fullword\r\n    $b12=\"e.barbara@poste.it\" ascii wide fullword\r\n    $b13=\"stoccod@libero.it\" ascii wide fullword\r\n    $b14=\"g.capezzone@virgilio.it\" ascii wide fullword\r\n    $b15=\"baldarim@blu.it\" ascii wide fullword\r\n    $b16=\"elsajuliette@blu.it\" ascii wide fullword\r\n    $b17=\"dipriamoj@alice.it\" ascii wide fullword\r\n    $b18=\"izabelle.d@blu.it\" ascii wide fullword\r\n    $b19=\"lu_1974@hotmail.com\" ascii wide fullword\r\n    $b20=\"tim11235@gmail.com\" ascii wide fullword\r\n    $b21=\"plars575@gmail.com\" ascii wide fullword\r\n    $b22=\"guess515@fastmail.fm\" ascii wide fullword\r\n  condition:\r\n    // MZ header, file smaller than 10 MB, and at least one indicator string\r\n    ((uint16(0) == 0x5A4D)) and (filesize \u003c 10MB) and\r\n    ((any of ($a*)) or (any of ($b*)) )\r\n}\r\nTo build the YARA rule above we used every bit of existing information, such as custom e-mail addresses used\r\nfor exfiltration, C\u0026C servers, licenses for the custom mailing library used by the attackers and specific IP\r\naddresses used in the attacks.\r\nOnce the YARA rule was ready, we ran it on our malware collections. Two of the initial hits were:\r\nMD5 778d103face6ad7186596fb0ba2399f2\r\nFile size 1396224 bytes\r\nType Win32 PE file\r\nCompilation timestamp Fri Nov 19 12:25:00 2010\r\nMD5 47bea4236184c21e89bd1c1af3e52c86\r\nFile size 1307648 bytes\r\nType Win32 PE file\r\nCompilation timestamp Fri Sep 17 11:48:59 2010\r\nThese two samples allowed us to write a more specific and more effective YARA rule which identified 42 other\r\nsamples in our summary collections.\r\nAt the end of this blogpost we include a full list of all related samples identified.\r\nAlthough very thorough, the Police Report does not include any technical details about how the malware was\r\nspread other than the use of spear-phishing messages with malicious attachments using spoofed email addresses.\r\nNevertheless, once we were able to identify the samples shown above we used our telemetry to find additional\r\nones used by the attackers for spreading the malware in spear-phishing emails. 
For example:\r\nFrom: Di Marco Gianmaria\r\nSubject: ricezione e attivazione\r\nTime: 2014/01/29 13:57:42\r\nAttachment: contatto.zip//Primarie.accdb (…) .exe\r\nFrom: Michelangelo Giorgianni\r\nSubject: R: Re: CONVOCAZIONE\r\nTime: 2014/01/28 17:28:56\r\nAttachment: Note.zip//sistemi.pdf (…) .exe\r\nOther attachment filenames observed in attacks include:\r\nNuoveassunzioni.7z\r\nAssunzione.7z\r\nSegnalazioni.doc (…) 7z.exe\r\nRegione.7z\r\nEnergy.7z\r\nRisparmio.7z\r\nPagati.7z\r\nFinal Eight 2012 Suggerimenti Uso Auricolari.exe\r\nFwd Re olio di colza aggiornamento prezzo.exe\r\nApprofondimento.7z\r\nAllegato.zip\r\nEventi.bmp (…) .exe\r\nQuotidiano.mdb (…) _7z.exe\r\nNotifica operazioni in sospeso.exe\r\nAs can be seen, the spreading relied on spear-phishing e-mails with attachments, using social engineering\r\nto get the victim to open and execute the attachment. The attachments were ZIP and 7zip archives, which\r\ncontained the EyePyramid malware.\r\nThe attackers also relied on executable files that masked their real extension with multiple spaces. This technique\r\nreflects the low sophistication level of this attack.\r\nHigh profile victims\r\nPotential high-profile Italian victims (found as recipients of spear-phishing emails according to the police report)\r\ninclude very relevant Italian politicians such as Matteo Renzi or Mario Draghi.\r\nIt should be noted, however, that there is no proof that any of them got successfully infected by EyePyramid – only that\r\nthey were targeted.\r\nOf the more than 100 active victims found in the server, there’s a heavy interest in Italian law firms and lawyers.\r\nFurther standout victims, organizations, and verticals include:\r\nProfessional firms, Consultants\r\nUniversities\r\nVaticano\r\nConstruction firms\r\nHealthcare\r\nBased on the KSN data for the EyePyramid malware, we observed 92 cases in which the malware was blocked, of\r\nwhich the vast majority (80%) were in Italy. Other countries where EyePyramid has been detected\r\ninclude France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland.\r\nAssuming their compilation timestamps are legit, and they do appear correct, most of the samples used in the\r\nattacks were compiled in 2014 and 2015.\r\nConclusions\r\nAlthough the “EyePyramid” malware used by the two suspects is neither sophisticated nor very hard to detect,\r\ntheir operation successfully compromised a large number of victims, including high-profile individuals, resulting\r\nin the theft of tens of gigabytes of data.\r\nIn general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated\r\nwith their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and,\r\nwhen caught, attempted to delete all the evidence.\r\nThis indicates they weren’t experts in the field but 
merely amateurs, who nevertheless succeeded in stealing\r\nconsiderably large amounts of data from their victims.\r\nAs seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile\r\nmalware, rootkits, or zero-days to run long-standing cyberespionage operations.\r\nPerhaps the most surprising element of this story is that Giulio Occhionero and Francesca Maria Occhionero ran\r\nthis cyber espionage operation for many years before getting caught.\r\nKaspersky Lab products successfully detect and remove EyePyramid samples with these verdicts:\r\nHEUR:Trojan.Win32.Generic\r\nTrojan.Win32.AntiAV.choz\r\nTrojan.Win32.AntiAV.ciok\r\nTrojan.Win32.AntiAV.cisb\r\nTrojan.Win32.AntiAV.ciyk\r\nnot-a-virus:HEUR:PSWTool.Win32.Generic\r\nnot-a-virus:PSWTool.Win32.NetPass.aku\r\nA full report #EyePyramid, including technical details of the malware, is available to customers of\r\nKaspersky APT Intelligence Services. Contact: intelreports (at) kaspersky [dot] com.\r\nTo learn how to write YARA rules like a GReAT Ninja, consider taking a master class at Security Analyst\r\nSummit. 
– https://sas.kaspersky.com/#trainings\r\nReferences and Third-Party Articles\r\nhttp://www.agi.it/pictures/pdf/agi/agi/2017/01/10/132733992-5cec4d88-49a1-4a00-8a01-dde65baa5a68.pdf\r\nhttps://ftalphaville.ft.com/2017/01/10/2182125/the-arrested-pair-are-residents-of-london-but-are-domiciled-in-rome-and-are-well-known-in-the-world-of-high-finance/\r\nhttp://www.politico.eu/article/mario-draghi-matteo-renzi-mario-monti-victims-of-cyberattacks/\r\nhttps://github.com/eyepyramid/eyepyramid\r\nhttp://cybersecurity.startupitalia.eu/53903-20170111-eye-pyramid-the-italian-job-storia-malware-spionaggio-massoneria\r\nhttp://www.affaritaliani.it/cronache/cyberspionaggio-massoneria-p4-mire-segreti-ecco-chi-sono-gli-spioni-458076.html\r\nIndicators of Compromise\r\nHashes:\r\nRelated hashes identified by @GaborSzappanos:\r\nBackdoor Filenames:\r\nMalicious attachments filenames (weak indicators):\r\nSource: https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/"
	],
	"report_names": [
		"the-eyepyramid-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434502,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bfea9e9feaa3a2f4c8b22d595dfe01c68731c340.pdf",
		"text": "https://archive.orkl.eu/bfea9e9feaa3a2f4c8b22d595dfe01c68731c340.txt",
		"img": "https://archive.orkl.eu/bfea9e9feaa3a2f4c8b22d595dfe01c68731c340.jpg"
	}
}