# EGOMANIAC: AN UNSCRUPULOUS TURKISH-NEXUS THREAT ACTOR

Authors: Juan Andres Guerrero-Saade, Igor Tsemakhovich

September 2021, SentinelLABS Research Team

## TABLE OF CONTENTS

- EXECUTIVE SUMMARY
- THE HUNT FOR AHTAPOT
- EGOMANIAC’S ‘RAD’ TOOLKIT
- WHO IS EGOMANIAC?
- REFERENCES
- TECHNICAL APPENDIX A: AHTAPOT (2010-2011)
- TECHNICAL APPENDIX B: RAD (2010-2015)
- TECHNICAL APPENDIX C: HACKING TEAM (2013)
- ABOUT SENTINELLABS

## EXECUTIVE SUMMARY

- This report sets the scope of a previously unknown threat actor we call ‘EGoManiac’.
- EGoManiac operated during the 2010-2016 timeframe, focusing primarily on Turkey and Turkish politics.
- EGoManiac is responsible for the previously reported ‘Octopus Brain’ campaign, in which the operators interdicted the machines of OdaTV journalists to place malware and incriminating documents, effectively framing them before arrest.
- Our research connects Octopus Brain to a toolkit called Rad, in development as early as 2010 and used until 2015.
- Rad samples use hardcoded email addresses for exfiltration.
- One of those email addresses is cited in connection with the prosecution of rogue members of the Turkish National Police along with executives of a company called ‘Datalink Analiz’. They refer to Rad as ‘HORTUM’.
- Following the trail of ‘Datalink Analiz’, we suspect that EGoManiac activity includes the use of HackingTeam’s Remote Control System (RCS), contracted under this same front company with a series of irregularities as early as 2011.
- In 2013, a report emerged on the use of RCS against a Turkish victim in the United States. The victim voiced an unverified suspicion that its use represented the unsanctioned interests of rogue Gülenist elements within the Turkish government.

### THE HUNT FOR AHTAPOT

In the world of cyberespionage research, the human-interest element is often lost amidst a barrage of technical indicators.
The absence of a human dimension can make our research seem overly technical and dry, something we write for defenders to block and other researchers to enjoy. When we can see the impact that some of these campaigns have on civil society and the weakening of public institutions, it invokes a certain doggedness that won’t let sleeping dogs lie. ‘EGoManiac’ is one that’s been in the back of our heads for the past five years. The research involved multiple dead ends, false starts, and layers of conspiratorial mystery.

What we refer to as EGoManiac is a cluster of two notable campaigns starting as early as 2010. The first campaign came to be known in research circles as ‘Octopus Brain’, based on the Turkish strings ‘Ahtapot’ and ‘Bejin’ left in the malware. This original campaign used a combination of publicly available RATs (including Turkojan and Bandook) as well as the closed-source Ahtapot, with delivery methods ranging from malicious documents to personal visits by the attackers.

Our initial awareness of this case came from Turkish court documents surrounding arrests of journalists at OdaTV. Much greater detail came to light thanks to the excellent work of the folks at [Arsenal Consulting](https://arsenalexperts.com/Case-Studies/Odatv/). Their forensic investigation not only proved the presence of the malware and the physical interdiction of the victim systems, but also established the attacker’s access as the definitive source of the incriminating documents on those systems that were then used to justify arrests by the Turkish National Police. The journalists were ultimately acquitted by a court in 2017, six years after the attacks.

This scenario is one of the often-ignored dirty edge cases of ‘lawful intercept’ malware, stated plainly: what’s the expectation of evidential integrity when it comes to an infected device?¹

While these particular operators resorted to physically tampering with the devices they were monitoring, there’s little keeping malware operators from placing incriminating or damaging files on systems infected with malware that has file download capabilities, as most rudimentary malware does. In the face of such an unscrupulous actor, we are left to wonder if this activity is part of a cluster we already track, and if not, what else has this actor been up to in the shadows?

Octopus Brain provided few answers. Despite finding a handful of Ahtapot modules, there were no newer samples nor connections to other toolkits. The trail went cold… until now.

¹ This question is currently playing out further in the Bhima Koregaon case in India, where it appears malware was used to [upload incriminating letters onto the victim’s machine](https://www.washingtonpost.com/world/asia_pacific/india-bhima-koregaon-activists-jailed/2021/02/10/8087f172-61e0-11eb-a177-7765f29a9524_story.html).

### EXPERIMENTS IN INNOVATIVE PIVOTING

As threat hunting technology continued to improve, there were different attempts to once again pick up the scent of the attackers behind the Octopus Brain campaign. Code similarity analysis is one of the favorite tools in our research arsenal. However, initial attempts to cluster new samples based on shared unique code snippets were not fruitful.

We decided to take a different approach. Rather than focusing on unique code snippets, we can instead focus on the bulk of shared common code as a way of profiling the development environment that produced the samples, and attempt to find other samples produced in the same way: same compiler, same optimizations, relying on the same statically-linked libraries, etc.
Limited testing of this method has yielded positive results under specific circumstances, such as allowing us to cluster a set of samples based on the analysis of a single original sample and without needing to spend cycles conducting extensive goodware testing.

Fig 1: Ahtapot campaign components connect to newer Rad toolkit

To our surprise, applying this experimental approach to Octopus Brain yielded results. By generating a rule based on the bulk of common code of Ahtapot components, we stumbled upon a set of samples we’ll call ‘Rad’, based on a persistent typo in symbol paths left within the binaries. Expanding on this initial finding, we found a cluster of more than 50 samples and subcomponents for a modular espionage toolkit almost entirely undetected at the time of discovery.

Fig 2: Unique code segment connecting Ahtapot and Rad campaigns

Our friends at Kaspersky’s GReAT were able to blind confirm our finding using their KTAE attribution engine, honing in on a unique code segment shared by the first-stage components of both Ahtapot and Rad.

### EGOMANIAC’S ‘RAD’ TOOLKIT

Rad is a modular espionage malware toolkit built around the [POCO C++](https://pocoproject.org/) cross-platform development libraries. The design entails a form of organized development, but not a particularly savvy or sophisticated one at that. POCO is doing most of the heavy lifting. Functionality is split into modules contained within a ‘RadApplicationInstaller’ and orchestrated by a ‘RadStarter’ module that takes its cues from an encrypted configuration XML file.

Fig 3: Extracted Rad configuration XML (92abdfa8d72cd42f6e6f3ad903380df5397e6ea8328c47422f8e016ee204f3bc)

The XML tells Rad which modules to switch on or off, specific configurations like the time intervals for screen captures and the maximum file size for sound recordings, and, most importantly, which email address to use for exfiltration.

All of the Rad samples we’ve found rely on email exfiltration with a hardcoded address belonging to either Gmail, Yandex, or Woxmail (defunct at the time of writing). This style of exfiltration entails both pros and cons for the attackers.

Pros:

- Email traffic is unlikely to be blocked or considered suspicious in the target environment
- There’s no obvious infrastructure for defenders to track, pivot on, or sinkhole for victim data

Cons:

- Exfiltrated data is subject to size limitations
- Exfiltrated data is available to the hosting providers as well as anyone able to reverse engineer the malware configuration²

The more bizarre angle of the malware’s functionality is its lack of command-and-control capabilities. The malware will follow its original configuration without recourse to additional commands, updates, or changes. This is perhaps the most unusual aspect of the malware. Exfiltration via email is unlikely to be favored by an experienced group operating on the world stage. It’s perhaps more acceptable to mercenaries or a regionally focused threat group. In this case, rather than cause another research dead-end, one of those email addresses might provide the greatest attribution connection of all; more on that later.³

² It’s worth noting that the attackers obfuscated the exfiltrated data to provide some level of protection against third-party prying eyes and fourth-party collection.

³ See the section ‘A Wilderness of Mirrors’.

### TOOLKIT STRUCTURE

Fig 4

The execution flow of the Rad toolkit is straightforward. ‘wsms.exe’ (RadStarter) is the main module that runs from a registry key set by the installer. It, in turn, runs the other modules as separate processes. These include:

The main package also includes the POCO dependency DLLs used by the modules:

- PocoFoundation.dll is the core dependency
- PocoCrypto.dll wraps OpenSSL library APIs
- PocoXML.dll provides XML parsing primitives
- PocoNet.dll and PocoNetSSL.dll are communication libraries based on socket and SSL APIs, respectively

This is not the first malware family developed using the POCO C++ libraries. Russian APTs have relied on POCO in the past, including a [downloader associated with APT28 (‘PocoDown’)](https://blogs.blackberry.com/en/2019/08/inside-the-apt28-dll-backdoor-blitz) and the fabled [Drovorub](https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF).

### DEVELOPMENT NOTES

The modules’ internal names are derived from PDB paths consistently left within the binaries, allowing for an appreciation of the developers’ organizational skills and lack of regard for operational security. This sets the general tone for Rad’s development, which consists of straightforward method implementations around standard APIs. Screen capture relies on GDI APIs, keylogging is done via GetAsyncKeyState, and sound recording is done via a multimedia library. Binaries are not obfuscated and export names are in plaintext.

Charitably, the developers may have intended to avoid arousing the suspicion of anti-malware software by doing everything in a documented and innocent-looking way devoid of evasion. Low detection numbers at the time of discovery support the value of this approach. However, the loud multi-process structure of the malware and the absence of checks for security software on target systems suggest the developers are simply inexperienced in the world of malware development.

Further supporting the general timeline of the Rad campaign, development of the main Rad components was carried out using Visual Studio 2010, with dependency DLLs built in 2012. As with all compilation timestamps, it’s possible that these were altered.
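The development fingerprint described in the two sections above (PDB paths rooted in ‘egm’ or ‘SEA’ with Rat*/Rad*/FileTrojen symbol names, the POCO dependency DLLs, the ‘wsms.exe’ starter, the SPARTACUS tags of the FileTrojen precursor, and webmail exfiltration addresses that only become visible once the XML configuration is decrypted) can be turned into a static triage score. The helper below is an added example, not code from the SentinelLABS report or from the Rad toolkit; its weights, verdict thresholds, and the sample byte strings are constructed assumptions.

```python
"""Static triage for the Rad toolkit's development fingerprint.

Added example, not SentinelLABS code. Scores a byte blob (a PE file, or a
memory dump or decrypted config) on indicators the report describes. Weights,
thresholds and sample inputs are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# A PDB path ends at the first '.pdb'; NUL and path-illegal characters end it early.
PDB_RE = re.compile(rb"[A-Za-z]:\\[^\x00\r\n<>|?*]{1,240}?\.pdb")
# Root folders the report ties to the actor ('EGM', plus the 'SEA' misdirection).
ROOT_RE = re.compile(rb"^[A-Za-z]:\\(egm|SEA)\\", re.IGNORECASE)
# Symbol names following the Rat*/Rad* typo convention, plus the FileTrojen precursor.
MODULE_RE = re.compile(rb"\\((?:Rat|Rad)\w*|FileTrojen)\.pdb$")
POCO_DLLS = (b"PocoFoundation.dll", b"PocoCrypto.dll", b"PocoXML.dll",
             b"PocoNet.dll", b"PocoNetSSL.dll")
SPARTACUS_TAGS = (b"SPARTACUS_START_V1.0", b"SPARTACUS_END")
# Exfiltration providers named in the report; visible only after config decryption.
EXFIL_RE = re.compile(rb"[\w.+-]+@(?:gmail\.com|yandex\.\w+|woxmail\.com)", re.IGNORECASE)


@dataclass
class Triage:
    pdb_paths: list = field(default_factory=list)
    roots: set = field(default_factory=set)      # e.g. {'EGM'} or {'SEA'}
    modules: list = field(default_factory=list)  # matching symbol base names
    poco_dlls: list = field(default_factory=list)
    has_wsms: bool = False
    spartacus: bool = False
    exfil: list = field(default_factory=list)
    score: int = 0

    @property
    def verdict(self) -> str:
        if self.score >= 4:
            return "rad-likely"
        return "suspicious" if self.score >= 2 else "clean"


def triage(data: bytes) -> Triage:
    """Collect indicators from raw bytes and combine them with constructed weights."""
    t = Triage()
    for m in PDB_RE.finditer(data):
        path = m.group(0)
        t.pdb_paths.append(path.decode("latin-1"))
        root = ROOT_RE.match(path)
        if root:
            t.roots.add(root.group(1).decode().upper())
        mod = MODULE_RE.search(path)
        if mod:
            t.modules.append(mod.group(1).decode())
    t.poco_dlls = [d.decode() for d in POCO_DLLS if d in data]
    t.has_wsms = b"wsms.exe" in data
    t.spartacus = all(tag in data for tag in SPARTACUS_TAGS)
    t.exfil = sorted({m.group(0).decode("latin-1").lower() for m in EXFIL_RE.finditer(data)})
    # The PDB convention is the strongest signal; POCO alone is weak because
    # plenty of legitimate software links it, so it only counts with two DLLs present.
    t.score = (2 * bool(t.roots) + 2 * bool(t.modules) + int(len(t.poco_dlls) >= 2)
               + int(t.has_wsms) + 2 * int(t.spartacus) + int(bool(t.exfil)))
    return t


# Constructed strings resembling a RadStarter build with its decrypted config;
# not bytes from a real sample.
RAD_SAMPLE = (b"\x00" * 8
              + b"J:\\egm\\egm_projes_int\\vc2\\RatStarter\\Release Md\\RatScreenModule.pdb\x00"
              + b"PocoFoundation.dll\x00PocoNet.dll\x00PocoNetSSL.dll\x00wsms.exe\x00"
              + b"<mail>johndown@woxmail.com</mail>")
# Constructed FileTrojen-style precursor: EGM root, no POCO, SPARTACUS-delimited config.
FILETROJEN_SAMPLE = (b"J:\\egm\\egm_projes_int\\vc\\FileTrojen\\Release\\FileTrojen.pdb\x00"
                     + b"SPARTACUS_START_V1.0\x00...\x00SPARTACUS_END")
# Constructed benign program that happens to link one POCO library.
BENIGN_SAMPLE = b"C:\\build\\app\\Release\\app.pdb\x00PocoFoundation.dll\x00ops@example.org"

if __name__ == "__main__":
    for name, blob in (("rad", RAD_SAMPLE), ("filetrojen", FILETROJEN_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = triage(blob)
        print(f"{name}: score={r.score} verdict={r.verdict} roots={sorted(r.roots)} modules={r.modules}")
```

Running it over real files means feeding `triage()` the raw bytes of each binary; the email check will stay silent on an unmodified Rad binary because the address sits inside the encrypted configuration.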

### INFECTION VECTORS

We were only able to recover a small subset of the infection vectors utilized by EGoManiac to place the Rad malware on target systems. In one case, we see an email⁴ in Turkish pretending to be from a local telecommunications provider. The email contains a zip archive⁵ with the executable ‘Turkcell_hediye.exe’⁶, roughly translated to ‘Turkcell Gift’. The executable is a straightforward RadApplicationInstaller package meant to infect the victim, with no attempt at displaying a lure or feigning benign functionality for the user.

Additional early-stage droppers include a RAR archive named ‘gercekler.rar’⁷ (containing an executable of the same name), as well as a variant that actually displays a lure for the victim (internally referred to as FileTrojen). The lure is a Turkish PowerPoint presentation on the development of management skills. The malware is connected to EGoManiac via a consistent PDB path convention. FileTrojen appears to be an earlier version of the Rad FileSystemModule built before the adoption of the POCO C++ libraries. It includes functionality for tracking USB keys connected to victim systems and their contents.

Fig 5: FileTrojen configuration headers

Interestingly, the configuration for this variant is encapsulated within the tags ‘SPARTACUS_START_V1.0’ and ‘SPARTACUS_END’, perhaps suggesting its internal naming convention.

⁴ 5e02f7d0337750be8dd36c96638b8f44127d6fdabe5d7ae04b11fd3ca2d14de4, Turkcell Müşteri Hizmetleri.eml

⁵ dd60b8f2144de64ed1e2182d511d68ca0c60e1de0d8fa4a6bf80c9701c0ced52, turkcell_hediye.zip

⁶ 3d3f208e54da010a571bc53296621428786cecb624f4c433d83dd4f40908820c, turkcell_hediye.exe

⁷ 4cbb8e0bde66af241819c7492db0a9084b9c504dc3f69b7d8e5ef77198008991, gercekler.rar

### WHO IS EGOMANIAC?

Attribution based solely on technical indicators is complicated and inexact. Most technical indicators are subject to modification and require interpretation based on limited visibility.
Lacking a greater understanding of local context and closed-source intelligence, it’s difficult to extend attribution beyond abstract entities (like an APT group name) to specific people or organizations.

On the surface, EGoManiac activity revolves around a Turkish nexus. Malware is riddled with Turkish language, lures are written in Turkish, and victims are Turkish and relevant to local politics. The connection to Ahtapot and the OdaTV incident entails the actor’s ability to physically interdict systems within Turkey. Additionally, most PDB paths for Rad components have a root folder of [‘EGM’](<https://en.wikipedia.org/wiki/General_Directorate_of_Security_(Turkey)>), from which we derived the name ‘EGoManiac’.

Three samples deviate from this PDB naming convention to use a root folder of ‘SEA’⁸, a reference to the Syrian Electronic Army. This association is further reinforced by the inclusion of throwaway strings like ‘Syrian Electronic Army’, ‘sea.sy’, and ‘Codename Assad’ in the binaries. The compilation timestamp maps onto the emergence of the Syrian Electronic Army in late 2011. This is likely an early attempt at misdirection and is not sustained in any of the later samples. As we dig deeper into this Turkish nexus, the attribution angle only gets more complicated.

⁸ bcd5e2ac31b250e665691487f8eda0d2d170a4f31fad0aba158f73445351654f, 0a9357e9db888a601ade886fb54fa4eacdcfee72e3145dfbb26ae9492abfd877, 3d3f208e54da010a571bc53296621428786cecb624f4c433d83dd4f40908820c

### A WILDERNESS OF MIRRORS

EGoManiac’s Rad toolkit relies on hardcoded email addresses for communication. Obfuscated logs and other exfiltrated materials are sent to the following emails across multiple service providers:

While email comms might usually lead to another research dead-end, the address ‘johndown@woxmail.com’ raised an interesting connection.

In 2016, Turkish websites reported sparse details of an ongoing attempt to prosecute members of the Turkish national police and executives of an IT company called ‘Datalink’ suspected of leaking information on active police operations. The leaks were reportedly used by FETO/Gülenist movement social media accounts to fuel conspiratorial elements in an ongoing power struggle within the country. Reports cite the use of spyware called ‘HORTUM’ (roughly translated as ‘garden hose’) to siphon data from infected machines within public institutions in Turkey, including the Intelligence department of the General Directorate of Security (EGM). Some of the reporting mistakenly conflates HORTUM with HackingTeam’s RCS. The siphoned data was sent to ‘johndown@woxmail.com’ and from there allegedly redistributed by Datalink. The capabilities of HORTUM and its communication methods match those of EGoManiac’s Rad, including the hardcoded Woxmail address.

Fig 6: Encrypted configuration using johndown@woxmail for exfiltration (b79df7817ac1f39692927a593bf0569fd57e3faaebbbf4a0c7b452e7928157cb)

We cannot independently verify the veracity of the initial reporting. An independent investigation to that effect was conducted by [Kim Zetter](https://zetter.substack.com/p/hacking-team-customer-in-turkey-was), who obtained extensive details including a report by the prosecutor handling the case. Taking the information we have at face value, we uncover another possible facet of the EGoManiac story.

### THE HACKING TEAM CONNECTION

As early as 2012, victims of HackingTeam’s Remote Control System (RCS) ‘Da Vinci’ [began to show up in Turkey](https://securelist.com/spyware-hackingteam/37064/). In 2013, Wired reported that [a woman in the United States was targeted with RCS](https://www.wired.com/2013/06/spy-tool-sold-to-governments/). The victim suspected that she was targeted by Gülenist elements that had infiltrated the Turkish government. However, HackingTeam continued to assert that it only sells its tools to governments and did not confirm Turkey’s status as a customer. Now, in the aftermath of Phineas Fisher’s devastating hack-and-leak operation against HackingTeam, we can independently confirm that Turkey was in fact a customer of HackingTeam at the time, but who exactly was their customer in Turkey?

[Fig 7: Leaked HackingTeam email on an invoice confusion involving an Istanbul company ‘Datalink Analiz’](https://wikileaks.org/hackingteam/emails/emailid/584566)

The leaked HackingTeam treasure trove contains communications with officials claiming to be a part of the Turkish National Police [as early as 2011](https://www.wikileaks.com/hackingteam/emails/emailid/564943). Citing problems with their mail server, they proceed to use three Gmail accounts⁹ to plan their purchase of RCS. A Gmail account is also used for communication with the HackingTeam support portal. HackingTeam officials [note further irregularities](https://wikileaks.org/hackingteam/emails/emailid/765131) as the first deal goes through. Though the purchase is intended under the umbrella of a UAE-based shell company (‘Foresys Information Technology-FZE’), HackingTeam receives payment from a company registered in Istanbul: ‘Datalink Analiz LTD’.

⁹ tnp.notcenter@gmail.com, tnpnotcenter2@gmail.com, akocak005@gmail.com

Fig 8: Prevalence of EGoManiac-related malware families by compilation timestamp

To be thorough, we chart the use of Hacking Team RCS by the Turkish National Police (Appendix C) based on the company’s internal watermarking scheme used to track the origin of leaked samples among their customer base.
The graphic above notes the coincidental cadence of the use of the different malware families related to the EGoManiac cluster. However, we can’t go as far as to equate the two clusters without resolving the murky allegiances of the operators involved. The connection between the EGoManiac umbrella and this specific sub-cluster of Hacking Team RCS is built on the admittedly thin strand of the ‘Datalink Analiz’ shell company. [That thread merits an investigation beyond the purely technical](https://zetter.substack.com/p/hacking-team-customer-in-turkey-was) to straighten out an abundance of conspiratorial claims, alleged foreign money laundering, and ambiguous finger pointing.

### CONCLUSION

The case of EGoManiac is far from straightforward. It involves difficult investigative connections that test the boundaries of our visibility, the efficacy of our research tools, and the limits of purely technical attribution. Beyond the technical exercise, it’s a profile of a threat actor willing to spy on both friend and foe and to use that access to malign and entrap journalists without compunction. While this particular intrusion set is outdated, the questions it raises speak to the friction between the unsupervised governmental use of malware and the integrity of public institutions, rule of law, and evidentiary standards. They are more relevant now than ever before.

### REFERENCES

1. https://www.vice.com/en/article/nz74wq/turkish-journalist-jailed-for-terrorism-was-framed-forensic-report-shows-1
2. https://arsenalexperts.com/Case-Studies/Odatv/
3. https://www.vice.com/en/article/ezpkjz/some-malware-victims-in-turkey-have-no-idea-theyve-been-targeted
4. https://securelist.com/spyware-hackingteam/37064/
5. https://citizenlab.ca/2014/02/mapping-hacking-teams-untraceable-spyware/
6. https://www.wired.com/2013/06/spy-tool-sold-to-governments/
7. https://www.dailydot.com/debug/hacking-team-turkey/
8. https://www.karar.com/emniyete-paralel-casus-hortumu-142749
9. https://www.karar.com/paralel-sizinti-casus-hortumdan-146792
10. http://www.ayorum.com/haber_oku.asp?haber=4245

### TECHNICAL APPENDIX A: AHTAPOT (2010-2011)

**PDBs**

- `E:\Projeler\Ahtapot\Release\Ahtapot_h[Beta]\Release\Kol_8_h.pdb`
- `E:\Projeler\Ahtapot\Source\Binder_h\Release\Binder_h.pdb`
- `E:\Projeler\Ahtapot\Release\Ahtapot_h[Beta]\Release\Tohum_h.pdb`
- `E:\Projeler\Ahtapot\Release\Ahtapot_h[Beta]\Release\Beyin_h.pdb`

**Campaign Infrastructure**

**Hashes**

### TECHNICAL APPENDIX B: RAD (2010-2015)

**PDB Paths**

- `J:\opt\project\vs2010\Rat\RatStarter\Release Md\RatStarter.pdb`
- `C:\SEA\RadApplicationInstaller\Release\RadApplicationInstaller.pdb`
- `J:\egm\egm_projes_int\vc\FileTrojen\Release\FileTrojen.pdb`
- `J:\egm\egm_projes_int\vc2\RatStarter\Release Md\RatFileSystemModule.pdb`
- `J:\egm\egm_projes_int\vc2\RatStarter\Release Md\RatScreenModule.pdb`
- `J:\egm\egm_projes_int\vc2\RadApplicationInstaller\Release\RadApplicationInstaller.pdb`
- `J:\egm\egm_projes_int\vc2\RatStarter\Release Md\RatStarter.pdb`
- `J:\egm\egm_projes_int\vc2\RatStarter\Release Md\RatKeyboardModule.pdb`
- `J:\egm\egm_projes_int\vc2\RatStarter\Release Md\RatBrowserModule.pdb`
- `J:\egm\egm_projes_int\vc2\RatStarter\Release Md\RatSoundModule.pdb`
- `J:\egm\egm_projes_int\vc2\RatStarter\Release Md\RatMailModule.pdb`

**Emails for Comms**

**EGM Hashes by Component Type**

### TECHNICAL APPENDIX C: HACKING TEAM (2013)

**Watermarks**

| RCS Version | TNP Watermark |
| --- | --- |
| Pre 9.2 | ZjvOuN3m |
| Post 9.2 | IdQcUI52 |

**Hashes (SHA256)**

**Campaign Infrastructure**

**Yara Rules**

## ABOUT SENTINELLABS

InfoSec works on a rapid iterative cycle where new discoveries occur daily and authoritative sources are easily drowned in the noise of partial information. SentinelLabs is an open venue for our threat researchers and vetted contributors to reliably share their latest findings with a wider community of defenders. No sales pitches, no nonsense. We are hunters, reversers, exploit developers, and tinkerers shedding light on the world of malware, exploits, APTs, and cybercrime across all platforms. SentinelLabs embodies our commitment to sharing openly, providing tools, context, and insights to strengthen our collective mission of a safer digital life for all. In addition to Microsoft operating systems, we also provide coverage and guidance on the evolving landscape that lives on Apple and macOS devices.

https://labs.sentinelone.com/