Unmasking the Infrastructure of a Spear‑phishing Campaign

June 11, 2025, 10:15 a.m.

Description

Censys researchers uncovered a spear‑phishing campaign in which threat actors leveraged a cluster of 16 open directories hosting heavily obfuscated Visual Basic Script (VBS) files. The study analyzes how the attackers set up these publicly accessible directories to store malicious scripts, the obfuscation techniques they employed, and the lifecycle of the infrastructure.

Date

  • Created: June 11, 2025, 9:40 a.m.
  • Published: June 11, 2025, 9:40 a.m.
  • Modified: June 11, 2025, 10:15 a.m.

Indicators


Attack Patterns

  • Remcos
  • LimeRAT
  • dcrat
  • AsyncRAT