コード
371 posts

コード
@21code_talker34
💻️勉強中🖊️📖 AI🧠🤖,Cybersecurity🖥️🔑










🚨 #ThreatIntel: A sophisticated phishing campaign targeting the Greek Military Representation to #NATO has been spotted in the @anyrun_app sandbox. The observed attack chain and infrastructure setup strongly suggest suspected #MustangPanda (#TA416) activity, though definitive attribution remains open. The threat actors utilized a spoofed Montenegro diplomatic email, delivering a highly relevant lure regarding the Ankara Summit. The phishing link redirects through a fake Cloudflare check to a pixel-perfect Google Drive clone, dropping a malicious ZIP archive. Execution relies on a hidden PowerShell script triggered by an LNK file. It uses data carving to extract a TAR archive from the ZIP, unpacks it using the native Windows tar.exe, and establishes persistence via DLL Side-Loading using a legitimate Canon binary (CNMNSST.exe) to decrypt a hidden payload. Indicators of Compromise (IOCs) Network Infrastructure: ▪️ resources.babyafrosapparel[.]com (Phishing Gate) ▪️ drive.babyafrosapparel[.]com (Fake Google Drive Delivery) ▪️ concreteinportland[.]com (C2 Server via HTTPS GET beacons) Associated Cloudflare IPs: ▪️ 104.21.90.16 ▪️ 172.67.151.3 MD5 Hashes: ▪️ B791C416988D068A3E548A0F21CD3518 (MNE_Readout_Alice_Rufo_Briefing_Ankara_Summit_22Jun2026.lnk) ▪️ c836a6bbe16354a21ee688e3eeb32d86 (CNCLID.dll - Malicious Proxy Loader) ▪️ e70a5908e5eaee1bcd15eef82b1bcfdd (Canon.dat - Encrypted Payload) ▪️ adb67ffe941a706b6343f94413f6e5f2 (CNMNSST.exe - Legitimate Canon Executable) Email Artifacts: ▪️ Sender: stasa.stojkovic.mne@gmail[.]com #ThreatIntel #Cybersecurity #MustangPanda #TA416 #MalwareAnalysis @ccdcoe













