{
	"id": "69a276f5-cacf-4394-83db-0c341e5b3026",
	"created_at": "2026-04-06T00:20:01.739374Z",
	"updated_at": "2026-04-10T13:11:19.86853Z",
	"deleted_at": null,
	"sha1_hash": "d8cce82201cb25f4fd3f0037242fd5b78859d0bd",
	"title": "Hacker Scrapes and Publishes 100,000-Line CrowdStrike IoC List",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 282425,
	"plain_text": "Hacker Scrapes and Publishes 100,000-Line CrowdStrike IoC List\r\nPublished: 2024-07-30 · Archived: 2026-04-05 15:54:31 UTC\r\nUSDoD hacker scrapes and leaks a 100,000-line Indicator of Compromise (IoC) list from CrowdStrike, revealing\r\ndetailed threat intelligence data. The leak, posted on Breach Forums, includes critical insights into the Mispadu\r\nmalware and SAMBASPIDER threat actor.\r\nA hacker using the alias USDoD, particularly known for the data breach of FBI’s Security Platform InfraGard,\r\nhas leaked what they claim is part one of CrowdStrike’s Indicator of Compromise (IoC) list. The data, a 53MB\r\nCSV file containing 103,000 lines of information, was released on Breach Forums earlier today, Monday, July 29,\r\n2024.\r\nUSDoD hacker on Breach Forums (Screenshot credit: Hackread.com)\r\nThis leak follows an earlier claim made by USDoD on July 24, 2024, where they announced CrowdStrike’s\r\n“entire threat actor list.” In their post on Breach Forums, the hacker claimed “I scraped their entire IOC list tho\r\nwith more than 250 million of data, I will release soon.”\r\nIn response, CrowdStrike presented a measured reaction to USDoD’s claims rather than outright dismissing them.\r\nThe company acknowledged USDoD’s claim of leaking their threat actor and IOC lists and analyzed the provided\r\nsample data.\r\nHowever, CrowdStrike also argued that USDoD has a history of exaggerating claims to enhance their reputation,\r\nsuggesting a degree of scepticism about the current allegations. They specifically mentioned the hacker’s claim of\r\nleaking a scraped LinkedIn database with personal details of over 35 million users in November 2023.\r\nContents of the Leak\r\nThe leaked sample data analysed by Hackread.com’s research team provides detailed information on various\r\nIndicators of Compromise associated with the Mispadu malware, attributed to the notorious threat actor known\r\nas SAMBASPIDER. 
Here’s a breakdown of the key components found in the leaked file:\r\n1. Hashes and Malware Information: The CSV file includes various hash types such as MD5, SHA-1, and\r\nSHA-256, which are used to identify specific malicious files linked to the Mispadu malware.\r\n2. Threat Actor: All entries in the leaked sample data seem to be associated with the threat actor\r\nSAMBASPIDER.\r\n3. Kill Chain Phases: The data highlights the “Delivery” and “Installation” phases of the cyber kill chain,\r\nproviding insights into the stages where the malware is delivered and installed on target systems.\r\n4. Confidence Levels: Each entry is marked with a high confidence level, indicating the reliability of the\r\nthreat intelligence.\r\n5. Threat Types: The threats are categorized under various types including Banking, Criminal, and Modular,\r\nhighlighting the multifaceted nature of the Mispadu malware.\r\n6. MITRE ATT\u0026CK Techniques: The IoCs are mapped to several MITRE ATT\u0026CK techniques, such as:\r\nExecution/User Execution\r\nDiscovery/System Checks\r\nCredential Access/Input Capture\r\nCredential Access/Credential Dumping\r\nCommand and Control/Data Obfuscation\r\nDefense Evasion/Obfuscated Files or Information\r\nIt is worth mentioning that while addressing USDoD’s July 24, 2024, post on BreachForums, CrowdStrike\r\nspecifically referred to the timestamp of the data as the “LastActive” date, stating the following:\r\n“The sample data contained data with “LastActive” dates until no later than June 2024; however, the Falcon\r\nportal’s last active dates for some of the referenced actors are as recent as July 2024, suggesting when the actor\r\npotentially obtained the information.”\r\nThe latest leak shows the timestamp as “First Seen: 2024-07-01T00:09:56Z” (indicating the IoC was first 
detected\r\non July 1, 2024, at 00:09:56 UTC) and “Last Seen: 2024-07-01T01:11:27Z” (indicating the IoC was last observed\r\non July 1, 2024, at 01:11:27 UTC).\r\nScreenshot from the leaked data (Screenshot credit: Hackread.com)\r\nThese timestamps help in understanding the activity period of the IoC, indicating how long it has been active or\r\nrelevant. This information is crucial for threat analysis and response, allowing cybersecurity professionals to\r\ntrack the lifecycle and prevalence of specific threats.\r\nCrowdStrike’s Response\r\nIn response to our article, a CrowdStrike spokesperson stated “There is no CrowdStrike breach. This threat intel\r\ndata is available to tens of thousands of customers, partners, and prospects.”\r\nTo clarify, our article did not claim that a data breach occurred. We reported on the unauthorized scraping and\r\nsubsequent leak of CrowdStrike’s IoC list, which is indeed accessible to a wide range of their clients and partners.\r\nImplications of the Leak\r\nThe disclosure of this detailed Indicator of Compromise (IoC) data might negatively affect organizations that use\r\nthreat intelligence from CrowdStrike to secure their networks. This information could also be exploited by\r\nmalicious actors to avoid detection.\r\nAt the same time, this information can help cybersecurity researchers and experts strengthen their security\r\nmechanism against the Mispadu malware and SAMBASPIDER threat actor.\r\nTroublesome July for CrowdStrike\r\nThe latest security issues came just over a week after CrowdStrike experienced a major problem due to a faulty\r\nupdate to their Falcon sensor software, causing widespread system crashes on Windows devices.\r\nWithin days, threat actors began exploiting the issue by offering fake hotfixes for Windows devices, which in\r\nreality infected them with the notorious Remcos RAT. 
The situation also led Microsoft to release a tool to address\r\nthe issues caused by the faulty CrowdStrike update.\r\nSource: https://hackread.com/hacker-scrapes-publishes-crowdstrike-ioc-list/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hackread.com/hacker-scrapes-publishes-crowdstrike-ioc-list/"
	],
	"report_names": [
		"hacker-scrapes-publishes-crowdstrike-ioc-list"
	],
	"threat_actors": [
		{
			"id": "80edca9f-dcd6-491e-92f3-87ad1f575631",
			"created_at": "2023-10-14T02:03:14.694988Z",
			"updated_at": "2026-04-10T02:00:05.021046Z",
			"deleted_at": null,
			"main_name": "NetSec",
			"aliases": [
				"NetSec",
				"Operation Data Breach",
				"ScarFace_TheOne",
				"USDoD"
			],
			"source_name": "ETDA:NetSec",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "82a51997-1402-41c3-86df-6f9e522b2ba8",
			"created_at": "2024-04-27T02:00:03.554045Z",
			"updated_at": "2026-04-10T02:00:03.63698Z",
			"deleted_at": null,
			"main_name": "USDoD",
			"aliases": [],
			"source_name": "MISPGALAXY:USDoD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38f82f9e-484b-447e-b44c-fe4e60fc6a24",
			"created_at": "2024-08-20T02:00:04.540934Z",
			"updated_at": "2026-04-10T02:00:03.687354Z",
			"deleted_at": null,
			"main_name": "SAMBASPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SAMBASPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434801,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8cce82201cb25f4fd3f0037242fd5b78859d0bd.pdf",
		"text": "https://archive.orkl.eu/d8cce82201cb25f4fd3f0037242fd5b78859d0bd.txt",
		"img": "https://archive.orkl.eu/d8cce82201cb25f4fd3f0037242fd5b78859d0bd.jpg"
	}
}