Unfurling Hemlock: Threat group uses cluster bomb campaigns

July 1, 2024, 11:17 a.m.

Description

A threat actor dubbed Unfurling Hemlock has been observed distributing hundreds of thousands of malware samples in a campaign lasting several months. The malware is distributed using a 'cluster bomb' technique in which each sample is a nested set of executables, every stage unpacking further executables that carry additional malware payloads. The distributed malware includes stealers such as Redline, RisePro, and Mystic Stealer, as well as loaders such as Amadey and SmokeLoader. The campaign appears financially motivated and targets victims globally with no specific industry focus. The actor is suspected to be Eastern European, based on language artifacts and hosting infrastructure.

Date

  • Created: July 1, 2024, 10:54 a.m.
  • Published: July 1, 2024, 10:54 a.m.
  • Modified: July 1, 2024, 11:17 a.m.

Indicators


Attack Patterns

  • Mystic Stealer
  • Amadey - S1025
  • SmokeLoader
  • Redline
  • RisePro
  • Unfurling Hemlock