Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

June 30, 2025, 4:39 p.m.

Description

Through adversary tracking, the S2 Group’s intelligence team has identified a new Snake Keylogger phishing campaign. Snake Keylogger is a Russian-origin stealer written in .NET, and the campaign targets various types of victims, such as companies, governments or individuals. It has been identified as using spearphishing emails offering oil products.

Date

  • Created: June 30, 2025, 4:30 p.m.
  • Published: June 30, 2025, 4:30 p.m.
  • Modified: June 30, 2025, 4:39 p.m.

Indicators

Attack Patterns

  • Snake Keylogger
  • TA-558

Additional Information

  • Logistic
  • Petroleum
  • Energy
  • Government