{
	"id": "fa07efe6-2389-4481-81e9-a9d8a80c7113",
	"created_at": "2026-04-06T00:22:20.414266Z",
	"updated_at": "2026-04-10T03:37:49.815738Z",
	"deleted_at": null,
	"sha1_hash": "fae4b151d620259893710d712be099fa4789ff1d",
	"title": "ITG05 leverages malware arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 18087471,
	"plain_text": "ITG05 leverages malware arsenal\r\nBy Joe Fasulo, Claire Zaboeva, Golo Mühr\r\nPublished: 2024-03-11 · Archived: 2026-04-05 15:32:05 UTC\r\nClaire Zaboeva\r\nSenior Strategic Cyber Threat Analyst\r\nIBM\r\nAs of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to\r\nimitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus,\r\nCentral Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available\r\ndocuments, as well as possible actor-generated documents associated with finance, critical infrastructure, executive\r\nengagements, cyber security, maritime security, healthcare, business, and defense industrial production.\r\nBeginning in November 2023, X-Force observed ITG05 using the “search-ms” URI handler, a new technique for the group,\r\nleading victims to download malware hosted on actor-controlled WebDAV servers. ITG05 was also observed delivering\r\nMASEPIE, a new backdoor replacing Headlace to facilitate follow-on actions. In addition to MASEPIE, ITG05 developed\r\nanother new backdoor dubbed OCEANMAP. X-Force analysis revealed the code base of CREDOMAP was likely used in\r\nthe creation of OCEANMAP. In place of CREDOMAP, ITG05 has opted for the use of a new simplified PowerShell script\r\nnamed STEELHOOK.\r\nITG05 is a Russian state-sponsored group consisting of multiple activity clusters and shares overlap with APT28, UAC-0028,\r\nFancy Bear and Forest Blizzard. The observed tools, tactics and procedures (TTPs) featured in the campaigns strongly\r\ncorrelate to recent ITG05 activity. 
Given their sustained operations tempo and continuously evolving methodologies, it is\r\nhighly likely that ITG05 will continue to carry out malicious activity against global targets to support state objectives.\r\nKey findings\r\nAs of late February 2024, ITG05 is running multiple phishing campaigns impersonating entities from at least\r\nArgentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States\r\nThe uncovered lures appear to feature a mixture of internal and publicly available documents, including possible\r\nactor-generated lures\r\nITG05 leveraged lures featuring multiple topics including finance, critical infrastructure, executive engagements,\r\ncybersecurity, maritime security, healthcare, and defense industrial production\r\nITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads\r\nX-Force observed several new techniques such as the abuse of the “search-ms” protocol and WebDAV servers to\r\ndeploy malware\r\nITG05 is evolving its malware arsenal, altering older malware such as CREDOMAP and introducing the MASEPIE\r\nbackdoor\r\nhttps://securityintelligence.com/x-force/itg05-leverages-malware-arsenal/\r\nPage 1 of 31\n\nBackground\r\nIn late 2023, X-Force reported ITG05’s use of authentic publicly available government and non-government lure documents\r\nin phishing campaigns across at least 13 nations worldwide. In the reported phishing campaigns, ITG05 delivered Headlace\r\nmalware to victims within specific geographic boundaries. 
To facilitate operations, ITG05 leveraged freely available\r\ndevelopment services including mocky.io, mockbin and infinityfreeapp to stage malicious payloads.\r\nBeginning in November 2023, X-Force uncovered ITG05’s use of multiple lure documents designed to impersonate\r\ngovernment organizations in Ukraine, Georgia, Kazakhstan, Belarus, Argentina, and the United States. In concert with\r\nreports highlighting ITG05’s campaigns impersonating additional entities in Poland, Armenia and Azerbaijan, the X-Force\r\nuncovered lures are likely predominantly derived from a mixture of public and internal documents.\r\nHowever, in an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to\r\nstage payloads to enable ongoing operations. To engender victim engagement, ITG05 presents an intentionally opaque image\r\nof the lures to entice the victim to click through the content and reveal the document. Upon clicking, the victim ultimately\r\nlaunches the infection chain to deliver MASEPIE malware.\r\nAnalysis\r\nLures\r\nBetween late November 2023 and February 2024, X-Force uncovered at least 11 unique lures associated with the delivery of\r\nthe ITG05-exclusive MASEPIE malware. The documents appear to be official documents associated with at least five\r\ngovernments throughout Europe, North and South America, Central Asia, and the South Caucasus. The topics of the\r\ndocuments feature multiple themes including finance, critical infrastructure, executive engagements, cyber security,\r\nmaritime security, healthcare, and defense industrial production. 
Of note, it is possible some of the lures may be actor-created decoy documents.\r\nArgentina\r\nBetween December 2023 and late January 2024, X-Force uncovered three unique Spanish-language lure files that likely\r\nimitate official documents directed at the Executive Branch of the Argentine Republic.\r\nDated January 11, 2024, the first lure appears to imitate a government document of the Republic of Argentina’s National\r\nExecutive Branch. Its machine-translated contents reference a notice titled “Notify Refund of Warranty Maintenance Offer”\r\nassociated with the legitimate Power Construction Corporation of China (POWERCHINA). However, a close examination\r\nof the document reveals multiple misspellings, potentially pointing to evidence that the document is actor-generated.\r\nThe second document, dated December 27, 2023, features the hallmark and signature block of the Municipality of Saladas\r\nand reads as an invitation to the President of Argentina, Javier Milei, for an event taking place in February 2024. The final\r\ndocument features the translated title “Budgetary Policy of the Jurisdiction”, which describes the role of the Ministry of\r\nEconomy in crafting “strategic guidelines” to assist the President with the creation of national economic policy. In January\r\n2024, Russia expressed regret that Argentina rejected an invitation to join the BRICS and hopes it may reconsider. 
It is\r\npossible that ITG05 seeks to attain access that may yield insight into the priorities of the Argentine government.\r\nUkraine\r\nWithin 60 days, X-Force discovered four separate Ukrainian-language documents that feature a range of topics from\r\nlegislative amendments and the defense-industrial complex to joint science research initiatives and international healthcare\r\nacquisitions. Several of the lures appear to be printed documents from public-facing websites, while others seem to be\r\ninternal policy documents, some of which appear as digital copies of physical documents. Of note, the documents appear to\r\nbe dated between November 2023 and January 2024. The ongoing war in Ukraine virtually guarantees the continued\r\ntargeting of Ukrainian mission-critical entities by ITG05.\r\nGlobal Security and Investment\r\nX-Force uncovered two English language lures leveraged by ITG05. The first appears as a policy paper originating from the\r\nGeorgian NGO, Georgian Center for Security and Development, from December 2023 that details cybersecurity\r\nrecommendations. The second English language document reads as a January 2024 itinerary distributed to participants in the\r\nPacific Indian Ocean Shipping Working Group (PACIOSWG), hosted by the US Navy detailing the 2024 Meeting and\r\nExercise Bell Buoy (XBB24).\r\nIn addition, X-Force uncovered what appears to be an internal document belonging to the Ministry of Defense of the\r\nRepublic of Kazakhstan describing military unit finances. 
X-Force also discovered a single Belarusian document detailing\r\nproject recommendations for the creation of commercial conditions to facilitate interstate enterprise under the auspices of\r\nthe Eurasian Economic Union Integration initiative by 2025. Finally, X-Force uncovered a single French language document\r\nthat appears to feature a 2024 operating budget proposal by a General Secretariat of the Government. It is likely the\r\ncollection of sensitive information regarding budget concerns and the security posture of global entities is a high-priority\r\ntarget given ITG05’s established mission space.\r\nThe new infection chain\r\nAs of late November 2023, X-Force observed ITG05 using the FirstCloudIT web hosting provider to stage malicious files\r\nlikely distributed by phishing emails. To avoid victim suspicion, ITG05 crafts what appear as benign subdomains which\r\nfeature keywords such as ‘docs’ and ‘files’. Similar techniques were observed in previously reported campaigns delivering\r\nHeadlace. X-Force observed the URLs hosted on FirstCloudIT were available on average for only one to two days.\r\nThe flowchart below outlines the stages of an infection via the search-ms protocol, custom WebDAV servers and the\r\ndelivery of first and second-stage malware: MASEPIE, OCEANMAP and STEELHOOK respectively.\r\nFig. 1: Example infection chain of recent ITG05 campaign\r\nAbusing the “search-ms” protocol\r\nOnce a victim visits a weaponized site, they are presented with a blurred image of the lure document. A button prompts the\r\nuser to view the document by clicking.\r\nFig. 2: Screenshot of a weaponized site used in a campaign impersonating a municipality in Argentina\r\nUpon access, the victim unknowingly executes the following JavaScript code (example from a campaign impersonating the\r\nArgentinian government):\r\nA query is executed to an actor-controlled WebDAV server via a “search-ms” URL, stored in the JavaScript command. This\r\naction results in prompting the user for their permission to open the Windows File Explorer before initiating the next stages\r\nof infection.\r\nFig. 3: Windows Explorer pop-up\r\nIf the victim accepts, the “search-ms” functionality begins by locating the Saved Search XML file (*.search-ms) from the\r\npath specified in the “subquery” parameter:\r\nSaved Search File used for the Georgia campaign\r\nFrom the victim’s perspective, a new File Explorer window is opened with the name “Documents”, provided in the\r\n“displayname” parameter of the viewInfo element. The .LNK file is presented to the victim from the path specified in the\r\nSaved Search file on the adversary’s server. 
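The search-ms: URI launched from the lure page and the Saved Search file it points at are the two artefacts a defender can inspect before the .LNK is ever opened. The Python below is an added example written for this page, not code from the X-Force report or from ITG05's tooling: it parses both forms and flags any scope that resolves to a remote WebDAV or UNC location, which is the condition that makes File Explorer reach out to the actor's server. The host name files.example.test, the paths and the sample XML are constructed placeholders, and the Saved Search attribute names used in the sample (displayName on viewInfo, include path under scope) are an assumption of this example rather than something the report shows.

```python
# Added example, not code from the X-Force report or from ITG05's tooling.
# Parses the two artefacts a defender can inspect before the .LNK runs: the
# search-ms: URI launched from the lure page and the Saved Search (*.search-ms)
# XML it points at, flagging any scope that resolves to a remote WebDAV/UNC
# location. Hostnames, paths and the sample XML below are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import unquote

BS = chr(92)  # a single backslash; kept out of the literals below on purpose


def parse_search_ms_uri(uri):
    # search-ms:<key>=<value>&<key>=<value>... ; 'crumb' may repeat, so every
    # key maps to a list. Values are percent-decoded the way the handler does.
    if not uri.lower().startswith('search-ms:'):
        raise ValueError('not a search-ms URI')
    params = {}
    for part in uri[len('search-ms:'):].split('&'):
        if '=' not in part:
            continue
        key, value = part.split('=', 1)
        params.setdefault(key.lower(), []).append(unquote(value))
    return params


def is_remote_location(path):
    # UNC paths, the WebDAV redirector form (host@SSL, DavWWWRoot) and plain
    # http(s) URLs all mean File Explorer will reach out to another host.
    p = path.strip().lower()
    return (p.startswith(BS * 2) or p.startswith('//')
            or p.startswith('http://') or p.startswith('https://')
            or '@ssl' in p or 'davwwwroot' in p)


def remote_scopes_from_uri(uri):
    # The report's chain uses 'subquery' to fetch a remote .search-ms file;
    # 'crumb=location:' is the other way to point Explorer at a remote share.
    params = parse_search_ms_uri(uri)
    found = []
    for crumb in params.get('crumb', []):
        if crumb.lower().startswith('location:'):
            location = crumb[len('location:'):]
            if is_remote_location(location):
                found.append(location)
    for sub in params.get('subquery', []):
        if is_remote_location(sub):
            found.append(sub)
    return found


def remote_scopes_from_saved_search(xml_text):
    # Saved Search layout assumed here: <persistedQuery> with a <viewInfo>
    # carrying displayName and <query><scope><include path=.../> entries.
    root = ET.fromstring(xml_text)
    display = None
    view = root.find('viewInfo')
    if view is not None:
        for name, value in view.attrib.items():
            if name.lower() == 'displayname':
                display = value
    paths = [inc.get('path', '') for inc in root.iter('include')]
    return display, [p for p in paths if is_remote_location(p)]


# Constructed samples (placeholder host 'files.example.test').
REMOTE_SHARE = BS * 2 + 'files.example.test@SSL' + BS + 'DavWWWRoot' + BS + 'docs'
SAMPLE_URI = 'search-ms:query=&crumb=location:' + REMOTE_SHARE + '&displayname=Documents'
SUBQUERY_URI = 'search-ms:subquery=' + REMOTE_SHARE + BS + 'lure.search-ms'
LOCAL_URI = 'search-ms:query=report&crumb=location:C:' + BS + 'Users' + BS + 'me&displayname=Documents'
SAMPLE_SAVED_SEARCH = ('''<persistedQuery version='1.0'><viewInfo viewMode='details' '''
                       '''displayName='Documents'/><query><scope><include path='%s' '''
                       '''nonRecursive='false'/></scope></query></persistedQuery>''' % REMOTE_SHARE)


def analyze_samples():
    display, xml_remote = remote_scopes_from_saved_search(SAMPLE_SAVED_SEARCH)
    return {
        'crumb_remote': remote_scopes_from_uri(SAMPLE_URI),
        'subquery_remote': remote_scopes_from_uri(SUBQUERY_URI),
        'local_remote': remote_scopes_from_uri(LOCAL_URI),
        'display_name': display,
        'saved_search_remote': xml_remote,
    }


if __name__ == '__main__':
    for key, value in analyze_samples().items():
        print(key, value)
```

The same check can be run over proxy or EDR telemetry: any search-ms: URI whose crumb or subquery resolves outside the host, or any *.search-ms file whose include path does, is the pre-click signal for this chain, and the displayName value is what the victim sees as the window title.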
Should the victim decide to open the malicious .LNK file, a PowerShell\r\ncommand embedded inside is executed:\r\nAs a result, the lure PDF is opened in MSEdge, while the malicious Python script (Client.py) is executed by the remote\r\nPython interpreter (python.exe) from the actor-controlled WebDAV server.\r\nOf note, X-Force observed that PowerShell was only used in the initial campaigns active in late 2023. The latest builds of\r\nthe .LNK file use the built-in functionality of a relative path target to reference and run the remote Python executable with a\r\nhardcoded argument. The relative path and binary name used on the WebDAV server also mimic the path of the legitimate\r\nMicrosoft Office executable:\r\nDuring analysis, X-Force was able to access an open directory on an actor-controlled WebDAV server used in multiple\r\nactive campaigns.\r\nFig. 4: Open directory of a WebDAV server used in multiple campaigns\r\nEach of the *.search-ms files indicates an individual campaign linking to their respective weaponized .LNK file contained in\r\nthe directories. The “User” directory contains the Python interpreter, as well as the MASEPIE payload. Assuming the last-modified timestamps are in standard UTC, these modifications would fall into the regular working hours of 08:46-17:53\r\nMoscow time (UTC+3).\r\nX-Force’s analysis of the infrastructure revealed that the Common Name used in the TLS certificates indicates that both the\r\nWebDAV, as well as the MASEPIE C2 servers, may be hosted on compromised Ubiquiti routers. On February 15, 2024, the\r\nU.S. Department of Justice published a press release on the disruption of an APT28 botnet hosted on compromised Ubiquiti\r\nrouters. 
There is a realistic possibility that the takedown featured the same infrastructure leveraged by ITG05.\r\nNTLMv2 hash exfiltration\r\nIn previous campaigns observed by X-Force, the exfiltration of NTLMv2 hashes for offline cracking or NTLM relay attacks\r\nhas been a major objective. Campaigns reported by Zscaler, in April 2023, outline ITG05’s use of modified open-source\r\nscripts designed to capture NTLM hashes on an infected machine. In addition, the scripts were part of X-Force’s observed\r\nITG05 campaigns that delivered Headlace, which facilitates follow-on payloads capable of NTLM hash extraction.\r\nAccording to a Palo Alto report, ITG05 also made use of exploits such as CVE-2023-23397, which was actively exploited in\r\nemail campaigns throughout 2023.\r\nIn mid-January 2024, Varonis published a report demonstrating several new vulnerabilities that may be used to leak\r\nNTLMv2 hashes. One notable technique demonstrates the abuse of the “search-ms” protocol, which is used by ITG05 as of\r\nNovember 2023 to deploy MASEPIE. In addition to loading payloads, this technique may attempt forced authentication\r\nwhen trying to load a remote resource hosted on actor-controlled infrastructure and resembles techniques used against CVE-2023-23397.\r\nConsidering ITG05’s prior campaign objectives, this suggests that ITG05 may be using the new vulnerabilities to leak\r\nNTLMv2 hashes in addition to deploying secondary payloads. X-Force also assesses that ITG05 may seek to exploit further\r\nvulnerabilities that enable the theft of NTLMv2 hashes, including Outlook vulnerabilities (CVE-2023-35636,\r\nCVE-2024-21413). 
The recent Microsoft Exchange vulnerability (CVE-2024-21410) would enable attackers to use exfiltrated NTLMv2\r\nhashes in relay attacks.\r\nWebhooks usage\r\nConsistent with early Headlace campaigns, the latest ITG05 operations heavily rely on the use of public services such as\r\nwebhooks (webhook[.]site) to closely track infections. Webhook services are legitimate development tools but are\r\ncommonly abused for malicious purposes. The ongoing ITG05 campaigns include Interact.sh webhooks in various scripts to\r\nrelay information back to the operators. The webhooks placed by ITG05 activate once a victim accesses a lure site, and\r\nagain if they choose to click on a “VIEW DOCUMENT” button. In addition, the initial variants of MASEPIE included\r\nfurther hooks to notify ITG05 operators upon successful execution of malware.\r\nMASEPIE backdoor\r\nThe first known variant of MASEPIE was reported by CERT-UA in late December 2023 and continues to evolve. Through\r\nanalysis, X-Force discovered that the most recent version of MASEPIE does not include any webhooks. To avoid running\r\nPowerShell from the weaponized .LNK, ITG05 changed to regular .LNK targets with command line arguments and moved\r\nthe functionality into MASEPIE. The new variants will immediately open a remote PDF document containing the lure as a\r\ndecoy with the following Python command:\r\nThe objective of the MASEPIE backdoor is similar to Headlace but is a separate implementation of the unique ITG05\r\nbackdoor. MASEPIE attempts to connect every 50 seconds to its hardcoded C2 server port via TCP, sending the result of the\r\n“whoami” command together with a random 16-byte key. 
It then starts AES-128-CBC encrypted communication, listening\r\nfor one of three commands:\r\n“check”, which will have MASEPIE return “check-ok”\r\n“send_file”, which allows MASEPIE to receive a file\r\n“get_file”, which allows MASEPIE to exfiltrate an arbitrary file\r\nAny other command which is not an empty string is executed on the machine via Python’s os.popen(\u003ccommand\u003e)\r\nmethod, and the response is returned.\r\nOCEANMAP backdoor\r\nThe OCEANMAP backdoor drops a file “EdgeContext.url” into the Windows Startup directory pointing to its executable for\r\npersistence. Then, it starts by logging into the IMAP server used for C2 communication and adds a new email containing the\r\nresult of the “dir” command among other identifying parameters.\r\nFig. 5: OCEANMAP C2 communication (IMAP)\r\nOCEANMAP checks the inbox once every minute for any of the following commands:\r\n“changesecond”, which changes the C2 server and credentials of both the primary and secondary servers\r\n“newtime”, to change the command checking interval\r\nAny other command is executed via cmd.exe. If it contains the string “echo”, the results are returned to the inbox\r\nTo check for new commands, the malware searches for emails in the “Drafts” mailbox containing its “name_id” string in the\r\nsubject. All remotely initiated configuration changes are performed by patching the binary on disk and restarting the\r\nmalware.\r\nThis new malware variant is a more capable backdoor version of its predecessor CREDOMAP, first discovered by CERT-UA in 2022. X-Force’s analysis revealed that OCEANMAP has a strong overlap in both technique and .NET\r\nimplementation. Several of the functions used in OCEANMAP were repurposed from the original CREDOMAP stealer and\r\nused as a base to build the new persistent backdoor. 
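The two C2 channels described above leave concrete artefacts in traffic: the plaintext “<SEPARATOR>” marker and the 16-byte key in MASEPIE's initial TCP beacon, and OCEANMAP's IMAP drafts carrying a Base64 name_id in the subject and a “newtime<N>:” string followed by zeroes in the body. The Python below is an added example for this page, not code from the report or from either backdoor; it runs that detection logic over constructed samples and decodes the host details and polling interval an OCEANMAP draft exposes. The order of fields in the MASEPIE beacon (whoami output, separator, key), the layout of the draft body and the formatting inside name_id are assumptions of this example, as labelled in the code, and the host and user names are placeholders.

```python
# Added example, not code from the X-Force report or from either backdoor.
# Runs detection logic over constructed samples of the two C2 channels
# described above: the MASEPIE TCP beacon (flagged by the '<SEPARATOR>'
# marker, with a 16-byte key field) and OCEANMAP's IMAP Drafts messages
# (Base64 name_id in the subject, 'newtime<N>:' plus zeroes in the body).
# Field order, draft layout and the name_id format are assumptions here.
import base64

SEPARATOR = b'<SEPARATOR>'
EOL = chr(10)


def inspect_masepie_payload(payload):
    # None for unrelated traffic; otherwise the beacon shape. Assumed layout
    # of the initial message: whoami output, separator, 16-byte key.
    if SEPARATOR not in payload:
        return None
    fields = payload.split(SEPARATOR)
    has_key = any(len(f) == 16 for f in fields)
    return {
        'fields': len(fields),
        'has_16_byte_field': has_key,
        'likely_initial_beacon': has_key and len(fields) == 2,
    }


def parse_newtime(text):
    # 'newtime1:000...' -> 1, the Drafts polling interval in minutes.
    marker = 'newtime'
    pos = text.find(marker)
    if pos < 0:
        return None
    i = pos + len(marker)
    j = i
    while j < len(text) and text[j].isdigit():
        j += 1
    if j == i or j >= len(text) or text[j] != ':':
        return None
    return int(text[i:j])


def decode_name_id(value):
    # name_id is Base64 of machine name, user name and OS version; anything
    # that is not valid Base64 or not text is treated as a normal subject.
    try:
        return base64.b64decode(value, validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return None


def scan_drafts(drafts):
    # drafts: list of {'subject': str, 'body': str} taken from an IMAP Drafts
    # folder. A hit needs both the decodable subject and the newtime marker.
    hits = []
    for msg in drafts:
        name_id = decode_name_id(msg['subject'].strip())
        interval = parse_newtime(msg['body'])
        if name_id is not None and interval is not None:
            hits.append({'name_id': name_id, 'poll_minutes': interval})
    return hits


# Constructed samples. The host/user strings are placeholders.
NAME_ID = base64.b64encode(b'WORKSTATION-01 user Microsoft Windows 10 Pro').decode('ascii')
SAMPLE_DRAFTS = [
    {'subject': 'Quarterly budget', 'body': 'Please review the attached draft.'},
    {'subject': NAME_ID, 'body': EOL.join([
        'newtime1:' + '0' * 90,
        'name_id=' + NAME_ID,
        'Volume in drive C has no label.',
    ])},
]
SAMPLE_TCP = [
    b'GET / HTTP/1.1',
    b'desktop-7q2kl' + bytes([92]) + b'user' + SEPARATOR + b'Kq83mZ1pLw0rT5xB',
]


def run_samples():
    return {
        'tcp': [inspect_masepie_payload(p) for p in SAMPLE_TCP],
        'drafts': scan_drafts(SAMPLE_DRAFTS),
    }


if __name__ == '__main__':
    print(run_samples())
```

Fed with reassembled TCP payloads and with messages pulled from a suspect mailbox's Drafts folder, the two scanners give the same signals the technical recommendations later list, plus the decoded victim identity and the interval at which the implant will poll, which is useful when deciding how quickly a blocked mailbox will be noticed by the operators.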
Of note, the stealing functionality has been removed completely and has\r\nlikely been shifted to a smaller stealer called STEELHOOK.\r\nFig. 6: Comparison of OCEANMAP and CREDOMAP functions\r\nThe “Login” functions used to access the inbox of the IMAP server are identical in both samples. A comparison of the\r\n“create” function, however, reveals several updates:\r\nFig. 7: Comparison of OCEANMAP and CREDOMAP create() function\r\nThe function above generates the emails placed into the IMAP inbox used for C2 communication to return responses.\r\nOCEANMAP supports two new parameters in the email-type beacons. The first, “name_id”, is a Base64 encoded string of\r\nthe formatted machine name, username and OS version. The second new parameter, “newtime”, is a hardcoded string\r\n“newtime1:” followed by a long string of zeroes, for example:\r\nThe integer directly after newtime (1) denotes the time interval in minutes, how regularly the malware checks for new\r\ncommands in the inbox.\r\nSTEELHOOK stealer\r\nSTEELHOOK is a simple PowerShell stealer, likely modified from the PowerShell webhook keylogger found in the PoshC2\r\nframework. It likely replaces the functionality of CREDOMAP as it exfiltrates browser data from Google Chrome and\r\nMicrosoft Edge via a webhook. According to Google TAG, which tracks the stealer as IRONJAW, the malware was used\r\npreviously in campaigns from July through August, and September 2023. 
The activity was attributed to FROZENLAKE,\r\nwhich overlaps with ITG05.\r\nActions on objective\r\nAs stated in the December 2023 CERT-UA report, operations featuring this new ITG05 activity exhibited near immediate\r\nfollow-on actions, including the deployment of backdoors, initiating network reconnaissance activities, and attempting\r\nlateral movement to access domain controllers within one hour of the initial attack. It should be noted that NTLMv2 hashes\r\nexfiltrated during an attack are likely to be used in NTLM relay attacks or used for the offline cracking of credentials. A\r\nsuccessful relay attack for instance against a Microsoft Exchange server facilitated through CVE-2024-21410 could lead to\r\nelevated privileges.\r\nConclusion\r\nITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially\r\navailable infrastructure, while consistently evolving malware capabilities. 
X-Force assesses with high confidence that ITG05\r\nwill continue to leverage attacks against world governments and their political apparatus to provide Russia with advanced\r\ninsight into emergent policy decisions.\r\nTechnical recommendations\r\nX-Force recommends entities with an increased risk to maintain a defensive security posture and to:\r\nMonitor for emails containing *.firstcloudit[.]com URLs\r\nStay abreast of newly published exploits likely to be used by APT actors\r\nCVE-2024-21413\r\nCVE-2024-21410\r\nCVE-2023-23397\r\nCVE-2023-35636\r\nBlock NTLMv2 authentication, especially for outgoing connections, and use Kerberos for authentication instead\r\nMonitor for abuse of “search-ms” and “wpa” URI handlers\r\nMonitor for abuse of WebDAV\r\nProcess: rundll32.exe C:\\Windows\\system32\\davclnt.dll,DavSetCookie \u003cmalicious_URL\u003e\r\nMonitor for .LNK files downloaded from or referencing WebDAV servers\r\nMonitor network traffic for signs of webhooks/OOB communication services\r\n*.webhook[.]site\r\n*.oast[.]fun\r\n*.oast[.]pro\r\n*.oast[.]live\r\n*.oast[.]site\r\n*.oast[.]online\r\n*.oast[.]me\r\nMonitor for suspicious Python files spawning cmd.exe\r\nMonitor for raw TCP traffic containing the string “\u003cSEPARATOR\u003e” as an indicator of a MASEPIE infection\r\nMonitor for suspicious IMAP traffic to unknown servers\r\nMonitor for IMAP traffic containing the string\r\n“newtime1:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\nas an indicator for an OCEANMAP infection\r\nInstall and configure endpoint security software\r\nUpdate relevant network security monitoring rules\r\nEducate staff on the potential threats to the organization\r\nIndicators of compromise\r\nThis table includes campaigns previously reported on by InsideTheLab and CERT-UA for completeness:\r\nIndicator | Indicator Type | Context\r\n18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6 | SHA256 | MASEPIE backdoor\r\n451f3d427ac21632f38619ef96dece25798918866d44fe82ff1ed30996f998dc | SHA256 | MASEPIE backdoor\r\n40a7fd89b9e51b0a515ac2355036d203357be90a2200b9c506b95c12db54c7aa | SHA256 | MASEPIE backdoor\r\n172.114.170[.]18:55155 | IPv4:port | MASEPIE C2 server\r\n194.126.178[.]8:55555 | IPv4:port | MASEPIE C2 server\r\n148.252.42[.]42:54467 | IPv4:port | MASEPIE C2 server\r\n24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04 | SHA256 | OCEANMAP backdoor\r\n74.124.219[.]71 | IPv4 | OCEANMAP C2 server\r\nwebmail.facadesolutionsuae[.]com | Domain | OCEANMAP C2 server\r\nwody-info-files.firstcloudit[.]com | Domain | Phishing/impersonation site\r\nkzgw-wody.firstcloudit[.]com | Domain | Phishing/impersonation site\r\nnas-files.firstcloudit[.]com | Domain | Phishing/impersonation site\r\ne-nas.firstcloudit[.]com | Domain | Phishing/impersonation site\r\nua-calendar.firstcloudit[.]com | Domain | Phishing/impersonation site\r\ncalendarua.firstcloudit[.]com | Domain | Phishing/impersonation site\r\ncalendar-ua.firstcloudit[.]com | Domain | Phishing/impersonation site\r\ne-gov-am.firstcloudit[.]com | Domain | Phishing/impersonation site\r\ne-gov.firstcloudit[.]com | Domain | Phishing/impersonation site\r\ninfo-mod.firstcloudit[.]com | Domain | Phishing/impersonation site\r\ne-mod.firstcloudit[.]com | Domain | Phishing/impersonation site\r\nrada-zakon.firstcloudit[.]com | Domain | Phishing/impersonation site\r\nmilitarysupport.firstcloudit[.]com | Domain | Phishing/impersonation site\r\nsgg-files.firstcloudit[.]com | Domain | Phishing/impersonation site\r\nsgg-gov.firstcloudit[.]com | Domain | Phishing/impersonation site\r\npresidencia-docs.firstcloudit[.]com | Domain | Phishing/impersonation site\r\nfiles-presidencia.firstcloudit[.]com | Domain | Phishing/impersonation site\r\ne-presidencia.firstcloudit[.]com | Domain | Phishing/impersonation site\r\npresidencia-files.firstcloudit[.]com | Domain | Phishing/impersonation site\r\npresidencia-gov.firstcloudit[.]com | Domain | Phishing/impersonation site\r\npresidencia-gob.firstcloudit[.]com | Domain | Phishing/impersonation site\r\ngcsd.firstcloudit[.]com | Domain | Phishing/impersonation site\r\nemod.firstcloudit[.]com | Domain | Phishing/impersonation site\r\ne-military.firstcloudit[.]com | Domain | Phishing/impersonation site\r\ndls-gov.firstcloudit[.]com | Domain | Phishing/impersonation site\r\neecommission.firstcloudit[.]com | Domain | Phishing/impersonation site\r\neecommission-drive.firstcloudit[.]com | Domain | Phishing/impersonation site\r\n64b0037dde987c78edf807a1bd7f09cdfac072ec2a59954cc4918828b7e608a3 | SHA256 | STEELHOOK stealer\r\nSource: https://securityintelligence.com/x-force/itg05-leverages-malware-arsenal/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securityintelligence.com/x-force/itg05-leverages-malware-arsenal/"
	],
	"report_names": [
		"itg05-leverages-malware-arsenal"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434940,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fae4b151d620259893710d712be099fa4789ff1d.pdf",
		"text": "https://archive.orkl.eu/fae4b151d620259893710d712be099fa4789ff1d.txt",
		"img": "https://archive.orkl.eu/fae4b151d620259893710d712be099fa4789ff1d.jpg"
	}
}