Dragons in Thunder

Nov. 28, 2025, 10:21 a.m.

Description

This report details the activities of two hacker groups, QuietCrabs and Thor, targeting Russian companies. QuietCrabs exploited RCE vulnerabilities in Microsoft SharePoint and Ivanti Endpoint Manager Mobile, using KrustyLoader and Sliver malware. Thor employed more common tools and techniques, attacking around 110 Russian companies across various sectors. Both groups utilized recent vulnerabilities, with QuietCrabs acting within hours of exploit publications. The report highlights the groups' tactics, tools, and targeted industries, emphasizing the need for robust cybersecurity measures to counter such sophisticated attacks.

Date

  • Created: Nov. 28, 2025, 7:33 a.m.
  • Published: Nov. 28, 2025, 7:33 a.m.
  • Modified: Nov. 28, 2025, 10:21 a.m.

Indicators


Attack Patterns

  • KrustyLoader
  • Vasa Locker
  • Babyk
  • Babuk - S0638
  • Sliver
  • LockBit
  • QuietCrabs

Additional Information

  • Technology
  • Healthcare
  • Defense
  • Government
  • Manufacturing
  • Iran, Islamic Republic of
  • Czechia
  • Taiwan
  • Germany
  • Philippines
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America
  • Russian Federation

Linked vulnerabilities