Unfurling Hemlock: Threat group uses cluster bomb campaigns
July 1, 2024, 11:17 a.m.
Tags
External References
Description
A threat actor dubbed Unfurling Hemlock has been observed distributing hundreds of thousands of malware samples in a campaign lasting several months. The malware is distributed using a 'cluster bomb' technique where each sample contains multiple stages of nested executable files, each containing additional malware payloads. The distributed malware includes stealers like Redline, RisePro, and Mystic Stealer, as well as loaders like Amadey and SmokeLoader. The campaign appears financially motivated and targets victims globally with no specific industry focus. The actor is suspected to be Eastern European based on language artifacts and hosting infrastructure.
Date
Published: July 1, 2024, 10:54 a.m.
Created: July 1, 2024, 10:54 a.m.
Modified: July 1, 2024, 11:17 a.m.
Indicators
.91.124.86
77.91.124.20
77.91.124.1
5.42.92.93
31.192.237.75
194.169.175.235
195.123.218.98
193.233.255.73
193.233.132.12
185.46.46.146
185.172.128.79
176.113.115.145
109.107.182.45
89.23.100.93
185.161.248.142
109.107.182.3
77.91.68.29
77.91.68.21
77.91.124.130
185.215.113.68
http://globalsystemperu.com/forms/gate4.exe
http://77.91.124.1/theme/index.php
http://77.91.124.20/store/games/index.php
http://77.91.68.29/fks/
http://193.233.255.73/loghub/master
http://185.46.46.146/none/vah50.exe
http://185.215.113.68/theme/index.php
http://109.107.182.45/red/line.exe
http://109.107.182.3/some/love.exe
http://109.107.182.3/love/bongo.exe
http://77.91.68.21/nova/foxi.exe
http://77.91.124.130/gallery/photo_570.exe
http://5.42.92.93/i/smo.exe
http://5.42.92.93/39902/from.exe
host-file-host8.com
host-file-host6.com
globalsystemperu.com
Attack Patterns
Mystic Stealer
Amadey - S1025
SmokeLoader
Redline
RisePro
Unfurling Hemlock
T1197
T1027.002
T1071
T1543
T1055
T1036
T1140
T1027
T1195
T1566
T1003
T1059