

Askar Dyussekeyev
133 posts

@askardyuss
A malware researcher from Kazakhstan | All views are my own





🚨 #ThreatIntel: Attack on Russian aerospace and electronics sectors ✈️🛰️ Recently, I found a highly suspicious EML file discovered in the @anyrun_app sandbox. The phishing email targeted a Russian manufacturer of semiconductor and electronic components. While attribution is always tricky and I cannot state this as a hard fact, the operational tempo, targeting, and toolset heavily suggest a suspected Rare Werewolf (Librarian Ghouls) campaign. 🔍 Infection Chain: 1️⃣ Phishing email masquerades as a billing request from a legitimate Russian institute. 2️⃣ Attached is a password-protected RAR containing a PE32 payload disguised as a .com file. 3️⃣ The payload is a Smart Install Maker dropper. It executes curl.exe with the --resolve flag to bypass DNS filtering and download the next stage. 4️⃣ WinRAR extracts the payload (password: limpid29033). 5️⃣ Legitimate tools are abused: Tray Minimizer is used to hide a portable AnyDesk instance from the user for persistent, undetected remote access. 🛑 Indicators of Compromise (IOCs): Domains: aviatronika[.]online vniir-avia[.]space fgub-vniir[.]space vniir-info[.]space nova-stream[.]site IP Addresses: 198.54.120[.]13 194.87.57[.]81 2.23.88[.]201 Hashes (MD5): eabd440c996846d0992e37ab01d01208 (Dropper) 6cc3c68c56e099792fdeadde76256d56 (Payload RAR) #InfoSec #CyberSecurity #Phishing #RareWerewolf #LibrarianGhouls #Malware #APT











Reeeeeversing....









'взвод розвідки.rar' seen from Ukraine @abuse_ch CVE-2025-8088 exploit. 420f1931af9b3f7d02c5edfc78eb69abdad6e71d2c3e9b81f9cbc3823a503654 bazaar.abuse.ch/sample/420f193…

🚨 #ThreatIntel: A sophisticated phishing campaign targeting the Greek Military Representation to #NATO has been spotted in the @anyrun_app sandbox. The observed attack chain and infrastructure setup strongly suggest suspected #MustangPanda (#TA416) activity, though definitive attribution remains open. The threat actors utilized a spoofed Montenegro diplomatic email, delivering a highly relevant lure regarding the Ankara Summit. The phishing link redirects through a fake Cloudflare check to a pixel-perfect Google Drive clone, dropping a malicious ZIP archive. Execution relies on a hidden PowerShell script triggered by an LNK file. It uses data carving to extract a TAR archive from the ZIP, unpacks it using the native Windows tar.exe, and establishes persistence via DLL Side-Loading using a legitimate Canon binary (CNMNSST.exe) to decrypt a hidden payload. Indicators of Compromise (IOCs) Network Infrastructure: ▪️ resources.babyafrosapparel[.]com (Phishing Gate) ▪️ drive.babyafrosapparel[.]com (Fake Google Drive Delivery) ▪️ concreteinportland[.]com (C2 Server via HTTPS GET beacons) Associated Cloudflare IPs: ▪️ 104.21.90.16 ▪️ 172.67.151.3 MD5 Hashes: ▪️ B791C416988D068A3E548A0F21CD3518 (MNE_Readout_Alice_Rufo_Briefing_Ankara_Summit_22Jun2026.lnk) ▪️ c836a6bbe16354a21ee688e3eeb32d86 (CNCLID.dll - Malicious Proxy Loader) ▪️ e70a5908e5eaee1bcd15eef82b1bcfdd (Canon.dat - Encrypted Payload) ▪️ adb67ffe941a706b6343f94413f6e5f2 (CNMNSST.exe - Legitimate Canon Executable) Email Artifacts: ▪️ Sender: stasa.stojkovic.mne@gmail[.]com #ThreatIntel #Cybersecurity #MustangPanda #TA416 #MalwareAnalysis @ccdcoe