Operation SalmonSlalom
Feb. 26, 2025, 10:02 a.m.
Description
A sophisticated cyberattack targeting industrial organizations in the Asia-Pacific region has been uncovered. The attackers utilized legitimate Chinese cloud services and a multi-stage payload delivery framework to evade detection. The campaign, named SalmonSlalom, employed techniques such as native file hosting CDN, public packers for encryption, dynamic C2 address changes, and DLL sideloading. The attack shares similarities with previous campaigns using open-source RATs like Gh0st RAT and FatalRAT, but demonstrates a shift in tactics tailored to Chinese-speaking targets. The malware installation process is complex, involving multiple stages and the use of legitimate applications to disguise malicious activity.
Tags
Date
- Created: Feb. 26, 2025, 9:26 a.m.
- Published: Feb. 26, 2025, 9:26 a.m.
- Modified: Feb. 26, 2025, 10:02 a.m.
Indicators
- fd1a608a9e1bfcb845f59fa6b89aa6d27511517d4fb42d3f970f7404dc6ef138
- cb201744a0f50e72ee4fda9298785fa16bfc4bf639a9474457e429278ff376bc
- a996e4c18ae4c4563db0767cb230b24279daeb3f62ee62b061d2ee076d81bdfd
- abb2cb43caecac0ca2dcba15ee1cdcc4499ffad18c06265de2ac2f811166d976
- a46b8a14d6e95b3c57ddf7c811092672095563bd2e1336598b74c6d314b82e19
- 9f61bc02326bca563f45642167f5d40a2db0bc40b137bafb3e8c3318db852199
- 7cb4ea591b3932db13ade1d50a94f1cb3b5ff8034cce2c8733b129d4973db661
- 7ad450932e55d2bb6c81dd01cb36a3134c12cf4ba51c743f3a88eb955868c1f9
- 6823b6d1f0ccbc346b061fabcbb556f219ad58e612aaea475178df84a1a9b60c
- 666981117291cc823e3f34a02f7af4fb3d31507f2a57c3d34391b05cdfcab020
- 58ed95527d5dae930308dc5862934ba6811216f4cd68f7aac30ed8df0b180eda
- 55dcd01848a03db4d71876e45397c5395391f708c2445549d26a169a72d9f295
- 559861ad0be5526819650d26566ad6ca25dd0f54df0a81352006e75a5da3d92b
- 4609f46c7a9f8fe01fe05eca4cde987e28f68fd9651de113ec87c4e6b03b52c9
- 07272a51d1f6a7be8c45cc097bf821267d258eb2378d32c95c4601cd000366c9
- 20a418e0de5890e79c9a628eeebe1208244f5d90d12cf8124f4424c8720299ce
- 03045010bd0d618e7aa872e952abb987891befdc5ab70b7f82be30d4f64f6f93
- 013a681ff8c09b5fab6218f4aa493627652c9ec7c6ba88291980b6e00e151201
- 82.156.145.216
- 81.71.1.107
- 8.217.0.16
- 47.57.68.157
- 43.159.192.196
- 47.106.224.107
- 43.155.73.235
- 43.154.68.193
- 43.154.238.130
- 43.139.35.42
- 43.139.101.11
- 43.138.199.241
- 43.138.176.5
- 206.233.130.141
- 42.193.242.180
- 175.178.96.9
- 175.178.89.24
- 175.178.166.216
- 156.236.67.181
- 154.91.227.32
- 154.39.238.101
- 123.207.8.204
- 139.199.168.63
- 134.122.137.252
- 123.207.79.195
- 123.207.55.60
- 123.207.44.193
- 123.207.35.145
- 123.207.1.145
- 123.207.16.43
- 122.152.231.146
- 120.78.173.89
- 120.79.91.168
- 119.29.219.211
- 114.132.56.175
- 114.132.46.48
- 114.132.121.130
- 111.230.91.145
- 111.230.93.174
- 111.230.45.217
- 111.230.32.52
- 111.230.108.14
- 111.230.10.93
- 107.148.54.105
- 107.148.52.242
- 107.148.52.176
- 106.52.216.112
- 107.148.50.113
- 103.144.29.211
- 103.144.29.123
- 1.12.37.113
- 101.33.243.31
- 154.197.6.103
- 154.206.236.9
- 123.207.58.147
- 119.29.235.38
- 111.230.15.48
- 107.148.50.116
- 107.148.52.241
- 107.148.50.112
- http://svp7.net:9874/UltraViewer.exe
- http://svp7.net:9874/AnyDesk.exe
- http://82.156.145.216:6000
- http://81.71.1.107:6000
- http://8.217.0.16:6000
- http://47.106.224.107:6000
- http://47.57.68.157:8080
- http://43.159.192.196:6000
- http://43.154.68.193:6000
- http://43.154.238.130:8081
- http://43.154.238.130:6000
- http://43.139.35.42:6000
- http://43.138.199.241:6000
- http://43.139.101.11:6000
- http://42.193.242.180:6000
- http://43.138.176.5:6000
- http://206.233.130.141:6000
- http://175.178.96.9:8081
- http://175.178.89.24:6000
- http://175.178.166.216:6000
- http://156.236.67.181:6000
- http://154.91.227.32:6000
- http://154.39.238.101:6000
- http://154.206.236.9:6000
- http://139.199.168.63:6000
- http://154.197.6.103:6000
- http://134.122.137.252:6000
- http://123.207.8.204:6000
- http://123.207.79.195:6000
- http://123.207.55.60:6000
- http://123.207.58.147:6000
- http://123.207.44.193:6000
- http://123.207.35.145:6000
- http://123.207.16.43:6000
- http://123.207.1.145:6000
- http://122.152.231.146:6000
- http://120.79.91.168:6000
- http://120.78.173.89:6000
- http://119.29.235.38:6000
- http://119.29.219.211:6000
- http://114.132.56.175:6000
- http://114.132.46.48:6000
- http://114.132.121.130:6000
- http://111.230.93.174:8081
- http://111.230.91.145:8081
- http://111.230.45.217:8081
- http://111.230.32.52:6000
- http://111.230.15.48:8081
- http://111.230.108.14:6000
- http://111.230.10.93:6000
- http://107.148.54.105:6000
- http://107.148.52.242:6000
- http://107.148.52.241:6000
- http://107.148.52.176:6000
- http://107.148.50.113:6000
- http://107.148.50.112:6000
- http://107.148.50.116:6000
- http://106.52.216.112:6000
- http://103.144.29.211:6000
- http://103.144.29.123:6000
- http://101.33.243.31:82/initialsubmission?windows_version=17134&computer_name=MYTEST:DESKTOP-CROB74D
- http://101.33.243.31:82
- http://1.12.37.113:8081
- nbs2012.novadector.xyz
- 34.kosdage.asia
- 110.kkftodesk110.top
- 109.kkftodesk109.top
- 108.kkftodesk108.top
- 107.kkftodesk107.top
- 106.kkftodesk106.top
- 105.kkftodesk105.top
- 104.kkftodesk104.top
- 102.kkftodesk102.top
- 101.kkftodesk101.top
- xindajiema.info
- svp7.net
- novadector.xyz
- microsoftmiddlename.tk
- microsoftupdatesoftware.ga
- cloudservicesdevc.tk
- 0a305ffb2a1d41f6870eac02f9afce89.xyz
- api.youkesdt.asia
Attack Patterns
- Zegost
- SimayRAT
- FatalRAT
- Moudoor
- Mydoor
- gh0st RAT - S0032
- T1543.003
- T1070.001
- T1574.002
- T1012
- T1056.001
- T1573
- T1547
- T1518
- T1218
- T1082
- T1057
- T1105
- T1083
- T1071
- T1102
- T1055
- T1140
- T1132
- T1033
- T1027
- T1053
- T1112
- T1059
Additional Informations
- Information Technology
- Construction
- Healthcare
- Energy
- Telecommunications
- Government
- Manufacturing
- Hong Kong
- Singapore
- Taiwan
- China
- Thailand
- Japan
- Malaysia
- Philippines