China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence

June 18, 2024, 9:39 p.m.

Description

External References

https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/

https://otx.alienvault.com/pulse/6671f7ae535c8ea5406bdab2

Tags

python

plugx

lsass

trojan

2024-06-18

sygnia

c server

shadowpad

wmiexec

virustotal

earthworm

impacket

f5 bigip

command

f5 appliance

svchost

velvet ant

wireshark

guard

protect

Date

Created: June 18, 2024, 9:10 p.m.
Published: June 18, 2024, 9:10 p.m.
Modified: June 18, 2024, 9:39 p.m.

Indicators

3d9aaac0a8e5c7eadd79d8d5c16119d04f4e9db7107fc44a1e32a8746a1ec375
91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520

202.61.136.158
103.138.13.31

http://202.61.136.158:8443

Download all indicators here!

Attack Patterns

Velvet Ant