threatintel
actor tracker
ioc pivot · 149 indicators

Whose IOC is this?

Paste a hash, domain, IP, file name, or mutex to pivot from a value to the actor it's cataloged against, with citation. The full catalog is listed below — narrow it with the type chips, or start typing to search by value.

Pasting unstructured OSINT instead? Use the entity extractor to pull all IOCs / CVEs / techniques / actor mentions out at once.
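The pivot and the bulk extractor the two paragraphs above describe, as an added Python example (not the tracker's own code): it refangs whatever is pasted, classifies the value by shape, looks it up in a constructed mini-catalog of eight entries copied from this page, and pulls IOCs, CVE IDs, ATT&CK technique IDs and catalogued actor names out of a constructed OSINT snippet, pivoting each one. The catalog subset, the sample text and every function name are this example's own assumptions.

```python
"""Added example: IOC pivot and bulk entity extraction (not the tracker's own code)."""
import re
from typing import Optional

# Constructed mini-catalog of (value, actor, source) copied from entries on this page.
# Values are kept defanged exactly as listed; normalize() makes both sides comparable.
CATALOG = [
    ("518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c", "8Base", "VMware Carbon Black"),
    ("admlogs25[.]xyz", "8Base", "VMware Carbon Black"),
    ("avsvmcloud[.]com", "APT29", "CISA"),
    ("17d0ada8f5610ff29f2e8eaf0e3bb578", "APT41", "Mandiant / Google Cloud"),
    ("170[.]130[.]165[.]73", "Black Basta", "CISA"),
    ("unlock[at]rsv-box[.]com", "Cl0p", "CISA"),
    ("human2.aspx", "Cl0p", "CISA"),
    ("@InfraShutdown", "Anonymous Sudan", "U.S. Department of Justice"),
]

# A dotted token whose last label is one of these is a file name, not a domain.
FILE_EXTENSIONS = {"exe", "dll", "sys", "aspx", "txt", "html", "xls", "bat", "ps1", "hta"}


def refang(value: str) -> str:
    """Undo common defanging: hxxp://, [.] (.) {.}, [at], [:]."""
    v = value.strip()
    v = re.sub(r"hxxp(s?)://", r"http\1://", v, flags=re.I)
    v = re.sub(r"[\[({]\.[\])}]", ".", v)
    v = re.sub(r"[\[({]at[\])}]", "@", v, flags=re.I)
    v = re.sub(r"\[:\]", ":", v)
    return v


def normalize(value: str) -> str:
    """Canonical lookup key: refanged, lower-cased, URL scheme and trailing slash removed."""
    v = refang(value).lower()
    return re.sub(r"^https?://", "", v).rstrip("/")


def classify(value: str) -> str:
    """Indicator type by shape; 'name' covers mutexes, tool names, handles and the like."""
    v = normalize(value)
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return "sha256"
    if re.fullmatch(r"[0-9a-f]{40}", v):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{32}", v):
        return "md5"
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})", v)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return "ipv4"
    if re.fullmatch(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", v):
        return "email"
    m = re.fullmatch(r"(?:[a-z0-9_-]+\.)+([a-z0-9]{2,})", v)
    if m:
        return "filename" if m.group(1) in FILE_EXTENSIONS else "domain"
    return "name"


INDEX = {normalize(v): (v, actor, source) for v, actor, source in CATALOG}


def pivot(value: str) -> Optional[dict]:
    """Return the catalog record for a pasted (possibly defanged) indicator, or None."""
    hit = INDEX.get(normalize(value))
    if hit is None:
        return None
    raw, actor, source = hit
    return {"value": raw, "type": classify(raw), "actor": actor, "source": source}


# Extraction order matters: each pattern's matches are blanked before the next runs,
# so an IPv4 address or an ATT&CK ID is never re-read as a "domain".
PATTERNS = [
    ("cve", re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I)),
    ("technique", re.compile(r"\bT\d{4}(?:\.\d{3})?\b")),
    ("hash", re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)),
    ("ipv4", re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")),
    ("email", re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)),
    ("dotted", re.compile(r"\b(?:[a-z0-9_-]+\.)+[a-z0-9]{2,}\b", re.I)),
]


def extract(text: str) -> dict:
    """Pull IOCs, CVE IDs, ATT&CK technique IDs and catalogued actor names out of free
    text, then pivot every indicator against the catalog."""
    buf = refang(text)
    out = {k: [] for k in ("cve", "technique", "hash", "ipv4", "email", "domain", "filename", "actor")}
    for kind, pat in PATTERNS:
        for m in pat.finditer(buf):
            token = m.group(0)
            bucket = classify(token) if kind == "dotted" else kind   # dotted -> domain or filename
            keep = token if bucket in ("cve", "technique") else token.lower()
            if bucket in out and keep not in out[bucket]:
                out[bucket].append(keep)
        buf = pat.sub(lambda m: " " * len(m.group(0)), buf)     # blank what we already took
    for actor in dict.fromkeys(a for _, a, _ in CATALOG):
        if re.search(r"(?<!\w)" + re.escape(actor) + r"(?!\w)", text, re.I):
            out["actor"].append(actor)
    out["pivots"] = {}
    for bucket in ("hash", "ipv4", "email", "domain", "filename"):
        for token in out[bucket]:
            hit = pivot(token)
            if hit:
                out["pivots"][token] = hit["actor"]
    return out


# Constructed OSINT snippet (not a real report) used to exercise extract().
SAMPLE_OSINT = """Affiliate dropped human2.aspx via CVE-2023-34362 (T1190, T1505.003),
beaconed to hxxp://avsvmcloud[.]com and 170[.]130[.]165[.]73, ransom note signed
unlock[at]rsv-box[.]com; payload 518544E56E8CCEE401FFA1B0A01A10CE23E49EC21EC441C6C7C3951B01C1B19C,
loader MD5 17d0ada8f5610ff29f2e8eaf0e3bb578. Attribution: Cl0p, with an APT41 loader overlap claimed."""

if __name__ == "__main__":
    print(pivot("hxxp://avsvmcloud[.]com"))
    for kind, values in extract(SAMPLE_OSINT).items():
        print(f"{kind}: {values}")
```

The extraction blanks each match before the next pattern runs; without that, `170.130.165.73` and `T1505.003` would also surface as domains, and the e-mail's `rsv-box.com` would be double-counted. File names are told apart from domains only by the extension list, so extend that set when a catalog adds new file types.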

  • RU · Russia · 8Base · SHA-256 · confidence · high
    518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

    Phobos-derived 8Base ransomware payload analyzed by VMware Carbon Black in the June 2023 spike of double-extortion intrusions. Loaded via SmokeLoader with SystemBC for C2.

    family · Phobos · first seen · May 31, 2023 · source · VMware Carbon Black
  • RU · Russia · 8Base · SHA-256 · confidence · high
    5ba74a5693f4810a8eb9b9eeb1d69d943cf5bbc46f319a32802c23c7654194b0

    8Base ransom note dropped after Phobos-based encryption in the campaigns documented by VMware Carbon Black researchers.

    family · Phobos · first seen · May 31, 2023 · source · VMware Carbon Black
  • RU · Russia · 8Base · Domain · confidence · high
    admlogs25[.]xyz

    SystemBC C2 / staging domain in the 8Base infrastructure cluster (admlogs25, admhexlogs25, admlog2, serverlogs37, dnm777, dexblog, blogstat355, blogstatserv25, wlaexfpxrs) listed by VMware Carbon Black.

    family · SystemBC · first seen · May 31, 2023 · source · VMware Carbon Black
  • ?? · Unknown · Akira · SHA-256 · confidence · high
    3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75

    SHA-256 of Akira_v2, a Rust-based variant of the Akira ransomware that targets VMware ESXi servers. Published in Table 2 of CISA AA24-109A.

    family · Akira_v2 · first seen · Dec 31, 2023 · source · CISA
  • ?? · Unknown · Akira · SHA-256 · confidence · high
    9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065

    SHA-256 of the Megazord encryptor — the Rust-based Akira variant that appends a `.powerranges` extension. Listed in the Megazord row of Table 2 of CISA AA24-109A.

    family · Megazord · first seen · Jul 31, 2023 · source · CISA
  • ?? · Unknown · Akira · SHA-256 · confidence · high
    d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca

    SHA-256 of the Akira ransomware encryptor `w.exe`. Listed in Table 2 of CISA AA24-109A as the canonical C++ Akira encryptor observed in early intrusions.

    family · Akira · first seen · Feb 28, 2023 · source · CISA
  • bbfe7289de6ab1f374d0bcbeecf31cad2333b0928ea883ca13b9e733b58e27b1

    SHA-256 of an ALPHV BlackCat Linux encryptor sample listed in CISA/FBI/HHS joint advisory AA23-353A (Table 2).

    family · ALPHV/BlackCat · first seen · Dec 18, 2023 · source · CISA
  • c64300cf8bacc4e42e74715edf3f8c3287a780c9c0a38b0d9675d01e7e231f16

    SHA-256 of an ALPHV BlackCat Windows encryptor sample listed in CISA/FBI/HHS joint advisory AA23-353A (Table 2).

    family · ALPHV/BlackCat · first seen · Dec 18, 2023 · source · CISA
  • resources[.]docusong[.]com

    Command-and-control domain used by ALPHV BlackCat affiliates, published in the Network Indicators table of CISA/FBI/HHS advisory AA23-353A.

    family · ALPHV/BlackCat · first seen · Dec 18, 2023 · source · CISA
  • KP · DPRK · Andariel · SHA-256 · confidence · high
    5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e

    Maui ransomware sample (maui.exe). FBI / CISA / Treasury advisory AA22-187A documents its use by DPRK state actors against U.S. Healthcare and Public Health sector targets from at least May 2021. Encryption combines AES, RSA and XOR and is driven manually via CLI by the operator.

    family · Maui · first seen · Apr 30, 2021 · source · CISA
  • KP · DPRK · Andariel · SHA-256 · confidence · high
    ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6

    Andariel implant sample listed in CISA / FBI / NSA joint advisory AA24-207A (25 July 2024) covering the RGB 3rd Bureau group also tracked as Onyx Sleet / Stonefly / Silent Chollima. The advisory ties the group to defence, aerospace, nuclear and engineering espionage in support of DPRK military and nuclear programs.

    first seen · Jul 24, 2024 · source · CISA
  • @InfraShutdown

    Primary Telegram handle/channel branding used by Anonymous Sudan to claim DDoS attacks (also operated companion bot @InfraShutdown_bot and channel 'Skynet/Godzilla-BotNet'). Documented verbatim throughout the DOJ indictment of the Omer brothers (Central District of California, March 2024, unsealed October 2024).

    first seen · Jan 17, 2023 · source · U.S. Department of Justice
  • InfraShutdown

    Operator name for the Distributed Cloud Attack Tool (DCAT) used by Anonymous Sudan to launch 35,000+ DDoS attacks. Aliased as 'Skynet' and 'Godzilla Botnet' in the same Telegram channels. Tool seized and operators charged by DOJ in the unsealed October 2024 indictment of brothers Ahmed and Alaa Salah Yusuuf Omer.

    family · DCAT · first seen · Jan 17, 2023 · source · U.S. Department of Justice
  • CN · China · APT10 · Domain · confidence · high
    domainnow[.]yourtrap[.]com

    Dynamic-DNS C2 hostname listed in PwC's Operation Cloud Hopper Annex A domain table. Used by APT10 across MSP-pivot intrusions documented in the 2016-2017 Cloud Hopper campaign.

    first seen · Apr 4, 2017 · source · PwC UK / BAE Systems
  • CN · China · APT10 · Name · confidence · high
    RedLeaves

    RedLeaves is a custom RAT first publicly associated with APT10 / menuPass in PwC and BAE Systems' Operation Cloud Hopper report. The Cloud Hopper IOC annex enumerates RedLeaves implant paths such as `C:\windows\system32\RedLeaves.exe` on victim hosts.

    family · RedLeaves · first seen · Apr 4, 2017 · source · PwC UK / BAE Systems
  • CN · China · APT10 · Name · confidence · high
    UPPERCUT

    UPPERCUT (a.k.a. ANEL) backdoor attributed to APT10 / menuPass by MITRE ATT&CK (S0275). Deployed in long-running espionage campaigns against Japanese targets and tracked alongside the Cloud Hopper MSP intrusion set.

    family · UPPERCUT · first seen · Sep 12, 2018 · source · MITRE ATT&CK
  • RU · Russia · APT28 · Name · confidence · high
    Drovorub

    Linux malware toolset attributed by NSA and FBI to GRU 85th GTsSS Military Unit 26165 (APT28 / Fancy Bear / Strontium). Comprises a kernel-module rootkit, a client implant, an agent, and a file-transfer / port-forwarding server, all communicating via JSON over WebSockets. Disclosed in the joint NSA/FBI cybersecurity advisory of 13 August 2020.

    family · Drovorub · first seen · Aug 12, 2020 · source · CISA
  • RU · Russia · APT29 · Domain · confidence · high
    avsvmcloud[.]com

    Primary first-stage command-and-control domain used by the SUNBURST backdoor inside trojanized SolarWinds Orion updates. Subdomains under this domain encoded victim identifiers.

    family · SUNBURST · first seen · Dec 12, 2020 · source · CISA
  • CN · China · APT3 · Name · confidence · high
    Pirpi (RSFuncs / sslshell)

    Custom Windows RAT used by APT3 (Gothic Panda / TG-0110 / UPS) in browser zero-day campaigns. The group is attributed to Guangzhou Bo Yu Information Technology Co., Ltd. (Boyusec), an MSS contractor. On 27 November 2017 the U.S. DOJ unsealed an indictment against Boyusec employees Wu Yingzhuo, Dong Hao and Xia Lei for intrusions into Moody's Analytics, Siemens and Trimble between 2011 and 2017.

    family · Pirpi · first seen · Dec 31, 2009 · source · U.S. Department of Justice
  • IR · Iran · APT33 · SHA-256 · confidence · high
    7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198

    Tickler custom multi-stage backdoor sample published by Microsoft Threat Intelligence in August 2024 as part of Peach Sandstorm operations against satellite, oil-and-gas, communications and US/UAE federal and state government targets observed April-July 2024.

    family · Tickler · first seen · Mar 31, 2024 · source · Microsoft
  • IR · Iran · APT33 · Name · confidence · high
    go-http-client

    User-agent string Microsoft observed in the Feb-Jul 2023 Peach Sandstorm password-spray wave against thousands of organizations in satellite, defense and pharmaceutical sectors. Sprays were routed through TOR exit nodes; Microsoft attributes the activity to overlaps with APT33 / Elfin / Refined Kitten.

    first seen · Jan 31, 2023 · source · Microsoft
  • IR · Iran · APT33 · Domain · confidence · high
    subreviews[.]azurewebsites[.]net

    Azure App Service C2 subdomain associated with Tickler backdoor activity. Microsoft's August 2024 Peach Sandstorm report lists this in the IOC appendix alongside other actor-controlled azurewebsites.net subdomains used to abuse fraudulent Azure tenants for command-and-control.

    family · Tickler · first seen · Mar 31, 2024 · source · Microsoft
  • IR · Iran · APT34 · SHA-256 · confidence · high
    26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b

    Malicious Excel document 'Confirmation Receive Document.xls' used by APT34 to drop the Saitama backdoor in the April 2022 Jordanian Foreign Ministry spearphishing campaign analyzed by Malwarebytes.

    family · Saitama · first seen · Apr 25, 2022 · source · Malwarebytes (ThreatDown)
  • IR · Iran · APT34 · SHA-256 · confidence · high
    e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d

    Saitama .NET backdoor payload (update.exe) attributed by Malwarebytes/ThreatDown to APT34 (OilRig / Helix Kitten / Hazel Sandstorm) in a May 2022 spearphishing operation against a Jordanian Ministry of Foreign Affairs official. Saitama uses DNS tunneling for C2.

    family · Saitama · first seen · Apr 25, 2022 · source · Malwarebytes (ThreatDown)
  • IR · Iran · APT34 · Domain · confidence · high
    uber-asia[.]com

    DNS-tunneling C2 domain used by APT34's Saitama backdoor per the May 2022 Malwarebytes analysis; one of three actor-controlled domains (alongside asiaworldremit.com and joexpediagroup.com) impersonating legitimate travel and remittance brands.

    family · Saitama · first seen · Apr 25, 2022 · source · Malwarebytes (ThreatDown)
  • IR · Iran · APT35 · SHA-256 · confidence · high
    f2dec56acef275a0e987844e98afcc44bf8b83b4661e83f89c6a2a72c5811d5f

    MediaPl custom backdoor (MediaPl.dll) masquerading as Windows Media Player, attributed by Microsoft in January 2024 to a Mint Sandstorm subgroup (APT35 / Charming Kitten / Phosphorus) targeting Middle East affairs researchers at universities in BE, FR, IL, UK and US. Communicates with C2 via AES-CBC encrypted, Base64-encoded channels.

    family · MediaPl · first seen · Oct 31, 2023 · source · Microsoft
  • IR · Iran · APT35 · Name · confidence · high
    MischiefTut

    PowerShell reconnaissance backdoor named by Microsoft in the January 2024 Mint Sandstorm advisory; deployed post-intrusion alongside MediaPl to write recon output to documentLoger.txt and pull additional tools onto victim hosts at Middle East research organizations.

    family · MischiefTut · first seen · Oct 31, 2023 · source · Microsoft
  • KP · DPRK · APT37 · SHA-256 · confidence · high
    5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6

    BLUELIGHT backdoor sample published by Volexity on 17 August 2021 in the 'InkySquid' blog. BLUELIGHT uses the Microsoft Graph API (OneDrive appfolder) for C2 and was deployed via IE / legacy-Edge zero-days CVE-2020-1380 and CVE-2021-26411 from a strategic web compromise of dailynk.com. Volexity attributes InkySquid to APT37 / ScarCruft.

    family · BLUELIGHT · first seen · Aug 16, 2021 · source · Volexity
  • KP · DPRK · APT37 · SHA-256 · confidence · high
    b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e

    RokRAT (DOGCALL) backdoor sample documented by Cisco Talos in 'ROKRAT Reloaded' (November 2017). RokRAT abuses legitimate cloud services (pCloud, Box, Dropbox, Yandex) as C2 and is consistently attributed to APT37 / ScarCruft / Reaper / Group 123 (DPRK MSS).

    family · RokRAT · first seen · Nov 15, 2017 · source · Cisco Talos
  • KP · DPRK · APT37 · Domain · confidence · high
    jquery[.]services

    APT37 / InkySquid C2 root. Subdomains ui.jquery.services and storage.jquery.services served BLUELIGHT loader scripts via a strategic web compromise of South Korean news site dailynk.com starting April 2021. Reported by Volexity.

    family · BLUELIGHT · first seen · Mar 31, 2021 · source · Volexity
  • IR · Iran · APT39 · Name · confidence · high
    MAR-10303705-1.v1

    Identifier for the CISA-hosted STIX bundle accompanying the FBI Malware Analysis Report on Rana / APT39 tooling, released alongside Treasury press release SM1127 on 17 Sep 2020. The bundle enumerates hashes, file names and C2 infrastructure for the eight malware sets attributed to MOIS through Rana.

    family · Rana toolset · first seen · Sep 16, 2020 · source · U.S. Department of the Treasury
  • IR · Iran · APT39 · Name · confidence · high
    Rana Intelligence Computing toolset

    Composite designation Treasury and the FBI used on 17 Sep 2020 for the eight malware sets (VBS/AutoIt scripts, BITS 1.0 and BITS 2.0 variants, a Firefox-impersonating binary, a Python tool, Android malware and Depot.dat) operated by MOIS front company Rana Intelligence Computing Company (APT39 / Chafer / Remix Kitten). Released as FBI advisory MAR-10303705 the same day Treasury sanctioned the front company and 45 associated individuals.

    family · Rana toolset · first seen · Sep 16, 2020 · source · FBI
  • CN · China · APT40 · Name · confidence · high
    AIRBREAK

    AIRBREAK (a.k.a. Orz) JavaScript-based backdoor enumerated in the malware-family list of CISA AA21-200A as part of APT40's toolkit. Cross-referenced to MITRE S0229.

    family · AIRBREAK · first seen · Jul 18, 2021 · source · CISA
  • CN · China · APT40 · Domain · confidence · high
    huntingtomingalls[.]com

    Typosquat of `huntingtoningalls.com` (Huntington Ingalls Industries, a U.S. Navy shipbuilder) listed in the domain appendix of CISA AA21-200A. Characteristic of APT40's MSS Hainan-directed targeting of the U.S. maritime defense industrial base.

    first seen · Jul 18, 2021 · source · CISA
  • CN · China · APT40 · Domain · confidence · high
    thyssenkrupp-marinesystems[.]org

    Typosquat of Thyssenkrupp Marine Systems (German naval shipbuilder) listed in the domain appendix of CISA AA21-200A as APT40 infrastructure - consistent with the Hainan State Security Department's interest in naval technology.

    first seen · Jul 18, 2021 · source · CISA
  • CN · China · APT41 · MD5 · confidence · high
    17d0ada8f5610ff29f2e8eaf0e3bb578

    MD5 of an `aclui.dll` DUSTPAN in-memory dropper sample, listed in the host-based IOC table of Mandiant's 'APT41 Has Arisen From the DUST' report. DUSTPAN is a C++ ChaCha20 loader masked as `w3wp.exe` / `conn.exe`.

    family · DUSTPAN · first seen · Jul 17, 2024 · source · Mandiant / Google Cloud
  • CN · China · APT41 · MD5 · confidence · high
    9991ce9d2746313f505dbf0487337082

    MD5 of a `dbgeng.dll` DUSTTRAP plugin-framework sample listed in the host-based IOC table of Mandiant's APT41 DUST report. DUSTTRAP is a multi-stage backdoor that AES-128-CFB decrypts an on-disk payload and runs it in memory.

    family · DUSTTRAP · first seen · Jul 17, 2024 · source · Mandiant / Google Cloud
  • CN · China · APT41 · Domain · confidence · high
    www[.]eloples[.]com

    DUSTTRAP command-and-control FQDN observed by Mandiant during the APT41 DUST campaign (first observed 2024-02-21, last observed 2024-07-16). Listed in the Network-Based Indicators table of the Google Cloud / Mandiant report.

    family · DUSTTRAP · first seen · Feb 20, 2024 · source · Mandiant / Google Cloud
  • 170[.]130[.]165[.]73

    Likely Black Basta Cobalt Strike infrastructure first seen October 14, 2024 per Table 7 of the November 8, 2024 update to AA24-131A.

    family · Black Basta · first seen · Oct 13, 2024 · source · CISA
  • exckicks[.]com

    Suspected Black Basta Cobalt Strike domain first seen October 2, 2024, listed alongside moereng.com in Table 8 of the November 8, 2024 update to AA24-131A.

    family · Black Basta · first seen · Oct 1, 2024 · source · CISA
  • moereng[.]com

    Suspected Black Basta Cobalt Strike domain first seen October 9, 2024 and listed in Table 8 of the November 8, 2024 update to joint FBI/CISA/HHS/MS-ISAC advisory AA24-131A. Black Basta is a Conti-spinoff RaaS that hit more than 500 organizations across 12 critical-infrastructure sectors, including healthcare.

    family · Black Basta · first seen · Oct 8, 2024 · source · CISA
  • readme.txt

    Black Basta ransom note filename described in AA24-131A; the note omits a payment amount and directs victims to a .onion site (Basta News). Encrypted files receive a .basta or random extension after ChaCha20+RSA-4096 encryption.

    family · Black Basta · first seen · May 9, 2024 · source · CISA
  • ?? · Unknown · BlackSuit · SHA-256 · confidence · high
    8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451

    SHA256 of the Chisel TCP/UDP-over-HTTP tunneling tool used by Royal/BlackSuit operators for C2 egress, listed in Table 4 of AA23-061A as of January 2023.

    family · BlackSuit · first seen · Mar 1, 2023 · source · CISA
  • ?? · Unknown · BlackSuit · SHA-256 · confidence · high
    af9f95497b8503af1a399bc6f070c3bbeabc5aeecd8c09bca80495831ae71e61

    SHA256 of 1.exe, the BlackSuit encryptor identified by FBI in threat-response activity through July 2024 and published in Table 10 of the August 7, 2024 update to joint FBI/CISA advisory AA23-061A - the rebrand of Royal ransomware (active September 2022 through June 2023).

    family · BlackSuit · first seen · Aug 6, 2024 · source · CISA
  • ?? · Unknown · BlackSuit · Domain · confidence · medium
    altocloudzone[.]live

    Royal/BlackSuit malicious domain last observed December 2022 and published in Table 3 of AA23-061A.

    family · BlackSuit · first seen · Nov 30, 2022 · source · CISA
  • readme.BlackSuit.txt

    BlackSuit ransom note filename documented in YARA rules and IOC tables of the August 7, 2024 update to AA23-061A. Royal-era victims received README.TXT with the .royal extension; BlackSuit demands have totaled $500M+ with individual asks up to $60M.

    family · BlackSuit · first seen · Aug 6, 2024 · source · CISA
  • KP · DPRK · BlueNoroff · SHA-256 · confidence · high
    927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6

    SHA-256 of the KANDYKORN macOS backdoor staged via SUGARLOADER in the Elastic-tracked REF7001 intrusion against a cryptocurrency exchange. Capabilities include arbitrary command execution, file upload/download, directory listing, and secure deletion.

    family · KANDYKORN · first seen · Oct 31, 2023 · source · Elastic Security Labs
  • KP · DPRK · BlueNoroff · Domain · confidence · high
    cloud[.]dnx[.]capital

    C2 domain associated with the RustBucket macOS malware family attributed to BlueNoroff in Jamf Threat Labs' April 2023 disclosure. The malware was delivered via a backdoored 'Internal PDF Viewer' application targeting finance-sector users.

    family · RustBucket · first seen · Apr 20, 2023 · source · Jamf Threat Labs
  • KP · DPRK · BlueNoroff · Domain · confidence · high
    tp-globa[.]xyz

    Command-and-control domain used by the SUGARLOADER stage of the KANDYKORN intrusion chain; identified in Elastic Security Labs' REF7001 report on the DPRK macOS campaign against blockchain engineers.

    family · KANDYKORN · first seen · Oct 31, 2023 · source · Elastic Security Labs
  • a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92

    WhisperGate stage1.exe - MBR-corrupting destructive payload disguised as ransomware, deployed against Ukrainian organisations from 13 January 2022. Hash from Microsoft MSTIC, republished in CISA / FBI AA22-057A Table 1. Microsoft renamed the responsible actor Cadet Blizzard (DEV-0586) in June 2023 and attributed it to a GRU subgroup.

    family · WhisperGate · first seen · Jan 12, 2022 · source · CISA
  • dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78

    WhisperGate stage2.exe - the file-corruption stage that overwrites files matching a hardcoded extension list, downloaded over Discord CDN. Hash from Microsoft MSTIC via CISA / FBI AA22-057A Table 1.

    family · WhisperGate · first seen · Jan 12, 2022 · source · CISA
  • ?? · Unknown · Cl0p · SHA-256 · confidence · high
    0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9

    SHA256 of a LEMURLOOT web-shell ASPX sample listed in the MOVEit Campaign IOC table of AA23-158A; one of the ~40 hashes the FBI/CISA released June 7, 2023 covering TA505 web-shell deployments against MOVEit Transfer.

    family · LEMURLOOT · first seen · May 26, 2023 · source · CISA
  • ?? · Unknown · Cl0p · SHA-256 · confidence · high
    c58c2c2ea608c83fad9326055a8271d47d8246dc9cb401e420c0971c67e19cbf

    SHA256 of a compiled DLL generated from a human2.aspx LEMURLOOT payload, referenced in the Mandiant YARA rule M_Webshell_LEMURLOOT_DLL_1 included in AA23-158A as a hunting sample for the CL0P MOVEit zero-day intrusion set.

    family · LEMURLOOT · first seen · May 31, 2023 · source · CISA
  • ?? · Unknown · Cl0p · Name · confidence · high
    human2.aspx

    LEMURLOOT web-shell filename masquerading as MOVEit's legitimate human.aspx, dropped via CVE-2023-34362 starting May 27, 2023. Primary breach indicator per joint FBI/CISA advisory AA23-158A on the CL0P/TA505 MOVEit campaign.

    family · LEMURLOOT · first seen · May 26, 2023 · source · CISA
  • ?? · Unknown · Cl0p · Email · confidence · high
    unlock[at]rsv-box[.]com

    CL0P negotiation email address published in ransom notes during the MOVEit and GoAnywhere campaigns, listed in the email-address IOC table of AA23-158A.

    family · CL0P · first seen · Jun 6, 2023 · source · CISA
  • RU · Russia · COLDRIVER · SHA-256 · confidence · high
    c97acea1a6ef59d58a498f1e1f0e0648d6979c4325de3ee726038df1fc2e831d

    SPICA - Rust backdoor delivered as 'Proton-decrypter.exe' in a fake PDF-decryption lure. Google Threat Analysis Group disclosed the sample on 18 January 2024 as the first custom malware they have attributed to COLDRIVER (Star Blizzard / Callisto / SEABORGIUM), assessed as FSB Centre 18.

    family · SPICA · first seen · Aug 31, 2023 · source · Google TAG
  • Star Blizzard (Callisto / SEABORGIUM)

    Long-running FSB Centre 18 spear-phishing cluster targeting academia, defence, NGOs and government in the UK, US and allied countries. NCSC UK and Five Eyes partners published a joint advisory on 7 December 2023; same day, US Treasury (OFAC) and UK sanctioned FSB officer Ruslan Peretyatko and Andrey Korinets for their role in the operation.

    first seen · Dec 31, 2018 · source · NCSC UK
  • RU · Russia · Conti · IPv4 · confidence · high
    162[.]244[.]80[.]235

    Cobalt Strike C2 server IP identified in artifacts leaked with the Conti 'playbook' and republished in the March 9, 2022 update to joint CISA/FBI/NSA/USSS advisory AA21-265A as previously used by Conti affiliates.

    family · Conti · first seen · Sep 21, 2021 · source · CISA
  • RU · Russia · Conti · IPv4 · confidence · high
    185[.]141[.]63[.]120

    Cobalt Strike C2 server IP attributed to Conti operators in the leaked-playbook artifacts referenced in the March 2022 update to AA21-265A. Conti relied on Cobalt Strike alongside TrickBot for post-exploitation.

    family · Conti · first seen · Sep 21, 2021 · source · CISA
  • RU · Russia · Conti · Domain · confidence · medium
    badiwaw[.]com

    One of 98 lookalike domains sharing registration and naming characteristics of Conti-distribution infrastructure published by CISA in the February-March 2022 update to AA21-265A.

    family · Conti · first seen · Mar 8, 2022 · source · CISA
  • 178[.]162[.]227[.]180

    IP address listed as 'suspected' in the original CISA AA23-335A appendix as associated with Crucio Ransomware activity tied to CyberAv3ngers. Indicator fidelity in the source is Suspected; the advisory's December 2024 revision removed all IOCs.

    family · Crucio · first seen · Dec 13, 2023 · source · CISA
  • BA284A4B508A7ABD8070A427386E93E0

    MD5 hash listed as 'suspected' in the original (14 Dec 2023) version of CISA AA23-335A as associated with Crucio Ransomware activity attributed to CyberAv3ngers. CISA marked the indicator fidelity as Suspected, not Confirmed; the December 2024 update of the advisory removed IOCs as outdated.

    family · Crucio · first seen · Dec 13, 2023 · source · CISA
  • RU · Russia · DarkSide · Domain · confidence · high
    athaliaoriginals[.]com

    DarkSide command-and-control domain documented in Mandiant's May 11, 2021 report on the DARKSIDE ransomware-as-a-service operation, contemporaneous with the Colonial Pipeline incident addressed in joint CISA/FBI advisory AA21-131A.

    family · DarkSide · first seen · May 10, 2021 · source · Mandiant
  • RU · Russia · DarkSide · Domain · confidence · high
    darksidedxcftmqa[.]onion

    DarkSide data-leak Tor hidden service URL embedded in victim ransom notes during the campaigns Mandiant profiled in its May 11, 2021 'Shining a Light on DARKSIDE' report covering UNC2628, UNC2659 and UNC2465 affiliates - the same RaaS used against Colonial Pipeline on May 7, 2021 (CISA AA21-131A).

    family · DarkSide · first seen · May 10, 2021 · source · Mandiant
  • power_encryptor.exe

    DarkSide encryptor binary name observed across the intrusions Mandiant documented in 'Shining a Light on DARKSIDE' (May 11, 2021) - the public report on the Carbon Spider-aligned RaaS responsible for the Colonial Pipeline shutdown.

    family · DarkSide · first seen · May 10, 2021 · source · Mandiant
  • bild[.]work

    Spoofed clone of German tabloid Bild used in the Doppelganger influence operation; among the 32 domains seized by the U.S. DOJ on 4 September 2024.

    first seen · Sep 3, 2024 · source · U.S. Department of Justice
  • lemonde[.]ltd

    Spoofed clone of French daily Le Monde used in the Doppelganger influence operation; among the 32 domains seized by the U.S. DOJ on 4 September 2024. The same operation was sanctioned by US Treasury on 5 March 2024 (naming SDA founder Ilya Gambashidze) and exposed earlier by EU DisinfoLab in 2022.

    first seen · Sep 3, 2024 · source · U.S. Department of Justice
  • washingtonpost[.]pm

    Spoofed clone of The Washington Post used to host Doppelganger propaganda targeting U.S. audiences. Seized by the U.S. DOJ on 4 September 2024 as part of an action against 32 Doppelganger domains operated by Russia's Social Design Agency (SDA), Structura and ANO Dialog at the direction of the Russian Presidential Administration.

    first seen · Sep 3, 2024 · source · U.S. Department of Justice
  • Havex (Backdoor.Oldrea)

    OPC-aware RAT used by Dragonfly / Energetic Bear from 2013 in supply-chain compromises of ICS vendor websites (MESA Imaging, eWON/Talk2M, MB Connect Line). Activity is named as BERSERK BEAR in CISA / FBI joint advisory AA22-110A (20 April 2022), which attributes the group to FSB Centre 16 (Military Unit 71330).

    family · Havex · first seen · Dec 31, 2012 · source · CISA
  • Triton / Havex - DOJ 2022 indictment (Akulov, Gavrilov, Tyukov)

    On 24 March 2022 the U.S. DOJ unsealed an indictment charging three FSB Centre 16 officers - Pavel Akulov, Mikhail Gavrilov and Marat Tyukov - for a 2012-2017 energy-sector intrusion campaign tracked publicly as Dragonfly / Berserk Bear / Energetic Bear / Crouching Yeti, including the compromise of the Wolf Creek nuclear plant's business network. The Triton (TRISIS) safety-system attack was charged the same day in a separate indictment against TsNIIKhM employee Evgeny Gladkikh, not against these three officers.

    first seen · Mar 23, 2022 · source · U.S. Department of Justice
  • 5cd04805f9753ca08b82e88c27bf5426d1d356bb

    WastedLocker ransomware sample published in Symantec's June 2020 analysis of Evil Corp attacks against US organizations.

    family · WastedLocker · first seen · Jun 24, 2020 · source · Symantec (Broadcom)
  • 887aac61771af200f7e58bf0d02cb96d9befa11d

    Second WastedLocker payload hash from Symantec's June 2020 report on Evil Corp's coordinated US ransomware campaign.

    family · WastedLocker · first seen · Jun 24, 2020 · source · Symantec (Broadcom)
  • ?? · Unknown · FIN7 · Name · confidence · high
    Carbanak

    Full-featured remote backdoor family (a.k.a. Anunak) catalogued by MITRE ATT&CK as S0030 and historically attributed to the Carbanak group (G0008) and FIN7 (G0046). Used by FIN7 as part of post-exploitation toolchains delivered via POWERTRASH / EugenLoader.

    family · Carbanak · first seen · Nov 30, 2014 · source · MITRE ATT&CK
  • ?? · Unknown · FIN7 · Name · confidence · high
    POWERSOURCE

    PowerShell-based downloader (a.k.a. heavily modified DNSMessenger) tracked by MITRE ATT&CK as S0145 and attributed to FIN7. Used as a first-stage stager in 2017-era FIN7 phishing campaigns to retrieve the TEXTMATE and Carbanak follow-on payloads.

    family · POWERSOURCE · first seen · Jan 31, 2017 · source · MITRE ATT&CK
  • 7992c0a816246b287d991c4ecf68f2d32e4bca18

    SHA-1 fingerprint of a TLS certificate observed on Flax Typhoon SoftEther VPN bridge infrastructure, published in the August 2023 Microsoft Threat Intelligence disclosure `Flax Typhoon using legitimate software to quietly access Taiwanese organizations`.

    first seen · Aug 23, 2023 · source · Microsoft Threat Intelligence
  • vpnbridge.exe

    SoftEther VPN bridge binary that Flax Typhoon renames to `conhost.exe` or `dllhost.exe` so it passes as a Windows system component. Microsoft's August 2023 report describes this as the actor's signature persistence mechanism: the renamed bridge tunnels SoftEther VPN traffic over HTTPS on TCP/443, which blends into ordinary outbound web traffic.

    first seen · Aug 23, 2023 · source · Microsoft Threat Intelligence
  • w8510[.]com

    Tier-2 C2 root domain for the `Oriole` campaign of the Raptor Train IoT botnet operated by Flax Typhoon - linked by DOJ/FBI to Beijing-based Integrity Technology Group. Active June 2023 through the FBI takedown announced September 2024; documented by Lumen Black Lotus Labs.

    first seen · May 31, 2023 · source · Lumen Black Lotus Labs
  • RU · Russia · Gamaredon · SHA-256 · confidence · high
    0afce2247ffb53783259b7dc5a0afe04d918767c991db2da906277898fd80be5

    QuietSieve information-stealer sample associated with Gamaredon and published in Microsoft's February 2022 ACTINIUM indicator list.

    family · QuietSieve · first seen · Feb 3, 2022 · source · Microsoft
  • RU · Russia · Gamaredon · SHA-256 · confidence · high
    51b9e03db53b2d583f66e47af56bb0146630f8a175d4a439369045038d6d2a45

    Pterodo backdoor sample listed in Microsoft Threat Intelligence Center's February 2022 ACTINIUM report on Gamaredon activity against Ukrainian organizations.

    family · Pterodo · first seen · Feb 3, 2022 · source · Microsoft
  • RU · Russia · Gamaredon · SHA-256 · confidence · high
    714aeb3d778bbd03d0c9eaa827ae8c91199ef07d916405b7f4acd470f9a2a437

    GammaSteel PowerShell infostealer component recovered from the February–March 2025 Shuckworm intrusion into a foreign military mission in Ukraine, documented by Symantec's Threat Hunter Team.

    family · GammaSteel · first seen · Apr 9, 2025 · source · Symantec (Broadcom)
  • 3cb9dea916432ffb8784ac36d1f2d3cd

    Handala PowerShell wiper component MD5 from Check Point Research's 2026 Handala Hack report. Distributed via Group Policy logon scripts as a scheduled task; the batch loader 'handala.bat' chains the executable and the PowerShell script to overwrite files and corrupt the MBR.

    family · Handala Wiper · first seen · Mar 31, 2024 · source · Check Point Research
  • 5986ab04dd6b3d259935249741d3eff2

    Handala Wiper executable ('handala.exe') MD5 published in Check Point Research's 2026 'Handala Hack - Unveiling Group's Modus Operandi' follow-up to the May 2024 'Bad Karma, No Justice' report. CPR explicitly attributes the Handala persona to Void Manticore (aka Red Sandstorm / Banished Kitten), affiliated with Iran's MOIS Counter-Terrorism Division.

    family · Handala Wiper · first seen · Mar 31, 2024 · source · Check Point Research
  • IR · Iran · Handala · IPv4 · confidence · high
    82[.]25[.]35[.]25

    Handala-controlled VPS IP listed in Check Point Research's 2026 report. Used alongside 31.57.35.223 and 107.189.19.52 for hands-on-keyboard operations via RDP and NetBird remote access tooling during MOIS-attributed destructive intrusions in Israel.

    first seen · Mar 31, 2024 · source · Check Point Research
  • ?? · Unknown · Hive · Domain · confidence · high
    asq[.]r77vh0[.]pw

    Hive affiliate staging server hosting a malicious HTA file used during intrusions, listed in Table 2 of AA22-321A. The .pw infrastructure cluster was seized alongside the Hive back-end on Jan. 26, 2023 in the DOJ/FBI takedown announcement.

    family · Hive · first seen · Nov 16, 2022 · source · CISA
  • ?? · Unknown · Hive · Name · confidence · high
    HOW_TO_DECRYPT.txt

    Hive ransom note dropped into every encrypted directory; instructs victims not to modify the *.key file in C:\ or /root and links to the HiveLeaks Tor chat panel. Listed in Table 2 of joint FBI/CISA/HHS advisory AA22-321A (Nov. 17, 2022).

    family · Hive · first seen · Nov 16, 2022 · source · CISA
  • ?? · Unknown · Hive · Name · confidence · high
    Windows_x64_encrypt.exe

    Hive ransomware Windows 64-bit encryptor binary listed as a known IOC in Table 2 of AA22-321A. Hive shipped matching Linux, ESXi and FreeBSD variants and victimized over 1,300 organizations for ~$100M in payments before the FBI infiltrated its network in July 2022.

    family · Hive · first seen · Nov 16, 2022 · source · CISA
  • 7b71764236f244ae971742ee1bc6b098

    Disk wiper 'cl.exe' MD5 published in Appendix A of CISA AA22-264A on the July 2022 HomeLand Justice destructive attack against the Government of Albania. Pairs with the 'rwdsk.sys' RawDisk driver (MD5 8f6e7653807ebb57ecc549cef991d505) to wipe raw disk drives. Mandiant tracks the same payload as a ZEROCLEAR variant.

    family · Cl Wiper · first seen · Jul 14, 2022 · source · CISA
  • 8f766dea3afd410ebcd5df5994a3c571

    'Pickers.aspx' webshell MD5 from CISA AA22-264A Appendix A. Used by the HomeLand Justice operators for persistence after initial access via CVE-2019-0604 on an Internet-facing SharePoint server roughly 14 months before the July 2022 destructive attack on Albanian government networks.

    first seen · Apr 30, 2021 · CISA
  • bbe983dba3bf319621b447618548b740

    'GoXML.exe' ransomware-style file encryptor MD5 from CISA AA22-264A Appendix A. Drops the ransom note How_To_Unlock_MyFiles.txt and is propagated across the victim print-server network by 'mellona.exe'. Mandiant tracks the same family as ROADSWEEP, which dropped a politically themed anti-MEK note for the HomeLand Justice persona.

    family · ROADSWEEP · first seen · Jul 14, 2022 · CISA
  • df9ab47726001883b5fcf58b56b34b41

    CHIMNEYSWEEP backdoor MD5 published in Mandiant's August 2022 'Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government' report. CHIMNEYSWEEP was deployed alongside ROADSWEEP ransomware and a ZEROCLEAR-variant wiper in the HomeLand Justice operation; Mandiant assesses involvement of one or more actors operating in support of Iranian goals with moderate confidence.

    family · CHIMNEYSWEEP · first seen · Jul 25, 2021 · Mandiant (Google Cloud)
  • RU · Russia · INC Ransom · SHA-256 · high
    accd8bc0d0c2675c15c169688b882ded17e78aed0d914793098337afc57c289c

    INC Encryptor binary (PDB string 'C:\source\INC Encryptor\Release\INC Encryptor.pdb') used in the early INC Ransom intrusions investigated by Huntress and mapped to MITRE ATT&CK software entry S1139.

    family · INC Ransomware · first seen · Jul 31, 2023 · Huntress
  • INC-README.txt

    Ransom note filename dropped per directory by INC Ransom (also seen as INC-README.html / *.inc-readme.txt). Documented in Huntress and Secureworks (GOLD IONIC) analyses.

    family · INC Ransomware · first seen · Jul 31, 2023 · Sophos / Secureworks CTU
  • KP · DPRK · Kimsuky · Name · high
    BabyShark

    VBS-based first-stage loader staged via mshta.exe and HTA files. CISA / FBI / CNMF advisory AA20-301A (27 October 2020) attributes BabyShark to Kimsuky and documents its delivery via spearphishing against U.S. and South Korean think tanks, nuclear-policy experts and the cryptocurrency industry.

    family · BabyShark · first seen · Oct 31, 2018 · CISA
  • KP · DPRK · Kimsuky · Domain · high
    naver[.]pw

    Kimsuky lookalike domain (.pw ccTLD spoofing the Naver portal). Listed in CISA / FBI / CNMF advisory AA20-301A, Table 1.

    first seen · Oct 26, 2020 · CISA
  • KP · DPRK · Kimsuky · Domain · high
    nidnaver[.]net

    Kimsuky credential-phishing domain impersonating Naver (Korean portal). Listed in CISA / FBI / CNMF advisory AA20-301A, Table 1 (Domains used by Kimsuky). The campaign registered many lookalikes of Naver, Daum and Hanmail to harvest webmail credentials from South Korean targets.

    first seen · Oct 26, 2020 · CISA
  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

    WannaCry kill-switch domain. Discovery and sinkholing by a security researcher ("MalwareTech") on 12 May 2017 halted the ransomware's worldwide spread within hours of the outbreak.

    family · WannaCry · first seen · May 11, 2017 · MalwareTech
  • RU · Russia · LockBit · Domain · high
    adobe-us-updatefiles[.]digital

    Tool-download domain contacted by adobelib.dll POST requests in the LockBit 3.0 Citrix Bleed campaign; resolved to 172.67.129.176 and 104.21.1.180 as of November 16, 2023. Table 3 of AA23-325A.

    family · LockBit · first seen · Nov 15, 2023 · CISA
  • RU · Russia · LockBit · SHA-256 · high
    cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63

    SHA256 of Mag.dll, the persistence module identified running within the UpdateAdobeTask scheduled job on victims of the LockBit 3.0 Citrix Bleed campaign. Table 3 of AA23-325A.

    family · LockBit · first seen · Nov 20, 2023 · CISA
  • CVE-2023-4966 (Citrix Bleed)

    LockBit 3.0 affiliates' primary initial-access vector during the October-November 2023 wave documented in joint CISA/FBI/MS-ISAC/ACSC advisory AA23-325A - NetScaler ADC and Gateway session-token theft used against Boeing, ICBC, Allen & Overy, and DP World.

    family · LockBit · first seen · Nov 20, 2023 · CISA
  • RU · Russia · LockBit · SHA-256 · high
    ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44

    SHA256 of adobelib.dll dropped to C:\Users\Public\ by the 123.ps1 PowerShell loader during the LockBit 3.0 Citrix Bleed campaign, executed via rundll32 with a 104-hex-character key. Table 3 of AA23-325A.

    family · LockBit · first seen · Nov 20, 2023 · CISA
  • 95[.]181[.]161[.]49

    Adversary-controlled C2 IP hard-coded in the newly identified MuddyWater PowerShell backdoor sample published in CISA AA22-055A; the script encrypts traffic with a single-byte XOR key 0x02 and beacons over HTTP to /index.php with a victim identifier.

    family · POWERSTATS · first seen · Feb 23, 2022 · CISA
  • IR · Iran · MuddyWater · SHA-256 · high
    b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054

    Small Sieve NSIS installer 'gram_app.exe' analyzed by NCSC-UK and published in Appendix B of CISA AA22-055A. Drops the Python-based Telegram-Bot-API backdoor index.exe and persists via the registry Run key OutlookMicrosift.

    family · Small Sieve · first seen · Feb 23, 2022 · CISA
  • IR · Iran · MuddyWater · SHA-256 · high
    bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2

    Small Sieve Python backdoor payload 'index.exe' (PyInstaller-bundled Python 3.9) - hash published in Appendix B Table 3 of CISA AA22-055A. Beacons via the Telegram Bot API with hex byte-shuffling traffic obfuscation.

    family · Small Sieve · first seen · Feb 23, 2022 · CISA
  • POWERSTATS

    PowerShell backdoor family attributed to MuddyWater in joint CISA/FBI/CNMF/NCSC-UK advisory AA22-055A, which catalogues POWERSTATS, Small Sieve, Mori, Canopy/Starwhale and PowGoop tooling used since approximately 2018 by this MOIS subordinate APT group (also tracked as Static Kitten, Mango Sandstorm, MERCURY, Seedworm, TEMP.Zagros).

    family · POWERSTATS · first seen · Feb 23, 2022 · CISA
  • 45[.]142[.]166[.]112

    PlugX USB-worm command-and-control IP attributed to Mustang Panda. Sinkholed by Sekoia in September 2023 (the address had lapsed and was re-registered for USD 7). This is the same C2 the FBI/DOJ used for the court-authorized self-delete operation that cleaned ~4,258 U.S. hosts (announced Jan 2025).

    family · PlugX · first seen · Aug 31, 2023 · Sekoia.io
  • 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654

    SHA-256 of `AvastSvc.exe`, the legitimate Avast binary abused for DLL side-loading by the Mustang Panda PlugX USB worm. Listed alongside the malicious DLL in the Sophos IOC table; drops the side-load triad into `%userprofile%/AvastSvcpCP/`.

    family · PlugX · first seen · Mar 8, 2023 · Sophos X-Ops
  • e8f55d0f327fd1d5f26428b890ef7fe878e135d494acda24ef01c695a2e9136d

    SHA-256 of the malicious `wsc.dll` PlugX loader from the border-hopping USB-worm variant attributed by Sophos X-Ops to PKPLUG / Mustang Panda. Listed in the IOC table of the March 2023 Sophos News disclosure and re-confirmed by Sekoia's September 2023 sinkholing report.

    family · PlugX · first seen · Mar 8, 2023 · Sophos X-Ops
  • CN · China · Naikon · SHA-256 · high
    4cab6bf0b63cea04c4a44af1cf25e214771c4220ed48fff5fca834efa117e5db

    Aria-body backdoor payload sample published in Appendix C of Check Point's 2020 Naikon report.

    family · Aria-body · first seen · May 6, 2020 · Check Point Research
  • CN · China · Naikon · SHA-256 · high
    78782a24805b52713cb63ba3cad2569b905edea96ca3609f8464f1b7c1ba05dc

    RainyDay rdmin.src encrypted payload sample (C2 asp.asphspes.com) published in Bitdefender's 2021 Naikon whitepaper IOC section.

    family · RainyDay · first seen · Apr 26, 2021 · Bitdefender
  • CN · China · Naikon · Domain · high
    blog[.]toptogear[.]com

    Naikon Aria-body C2 domain listed in Check Point's 2020 Aria-body IOC appendix.

    family · Aria-body · first seen · May 6, 2020 · Check Point Research
  • CN · China · Naikon · Domain · high
    spool[.]jtjewifyn[.]com

    Naikon Aria-body command-and-control domain identified by Check Point Research in the 2020 'Cyber Espionage Reloaded' campaign against APAC government targets.

    family · Aria-body · first seen · May 6, 2020 · Check Point Research
  • 138[.]68[.]90[.]19

    DigitalOcean-hosted IP observed by FBI in Pioneer Kitten operations January-August 2024, listed in Table 10 of CISA AA24-241A. The group exploits edge devices (Citrix Netscaler CVE-2019-19781/CVE-2023-3519, F5 BIG-IP CVE-2022-1388, Ivanti CVE-2024-21887, PanOS CVE-2024-3400, Check Point CVE-2024-24919) for initial access.

    first seen · Dec 31, 2023 · CISA
  • api[.]gupdate[.]net

    Recent infrastructure domain listed in Table 10 of CISA AA24-241A (FBI/CISA/DC3 joint advisory, 28 Aug 2024) on Iran-based Pioneer Kitten / Fox Kitten / UNC757 / Parisite / Lemon Sandstorm / Br0k3r enabling ransomware affiliates NoEscape, RansomHouse and ALPHV/BlackCat. First observed September 2022, most recently August 2024.

    first seen · Aug 31, 2022 · CISA
  • githubapp[.]net

    Pioneer Kitten infrastructure domain listed in CISA AA24-241A Table 10 (Indicators of Compromise - Recent). First observed February 2024 and still active through August 2024 per the joint FBI/CISA/DC3 advisory.

    first seen · Jan 31, 2024 · CISA
  • netscaler.1

    Credential-capturing webshell artifact dropped by Pioneer Kitten on compromised Citrix Netscaler appliances - the file collects login credentials and is placed in the same directory as a PHP webshell (ctxHeaderLogon.php / netscaler.php) per CISA AA24-241A.

    first seen · Sep 30, 2023 · CISA
  • ?? · Unknown · Play · SHA-256 · high
    47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E

    SHA-256 of an SVCHost.dll backdoor associated with Play ransomware operators, published in the June 2025 update to CISA/FBI/ACSC joint advisory AA23-352A (Table 2).

    family · Playcrypt · first seen · Jun 3, 2025 · CISA
  • ?? · Unknown · Play · SHA-256 · high
    75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A

    SHA-256 of the GRIXBA information-stealer / custom data gathering tool used by Play ransomware affiliates, published in the June 2025 update to CISA/FBI/ACSC advisory AA23-352A.

    family · Grixba · first seen · Jun 3, 2025 · CISA
  • ?? · Unknown · Play · SHA-256 · high
    7DEA671BE77A2CA5772B86CF8831B02BFF0567BCE6A3AE023825AA40354F8ACA

    SHA-256 of a SystemBC malware DLL used by Play ransomware actors for SOCKS proxy / C2 traffic, listed in the June 2025 update to CISA/FBI/ACSC joint advisory AA23-352A (Table 2).

    family · SystemBC · first seen · Jun 3, 2025 · CISA
  • 6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4

    'Stardust' wiper variant documented by Check Point Research from earlier Indra/Predatory Sparrow operations against Syrian targets (Katerji Group, Arfada Petroleum, Cham Wings) in 2019-2020. Listed alongside Meteor and Comet in the August 2021 attribution of the Iran Railways attack.

    family · Stardust · first seen · Dec 31, 2019 · Check Point Research
  • 68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7

    'Meteor' wiper sample documented in Check Point Research's August 2021 analysis of the 9-10 July 2021 cyberattack on Iranian Railways and the Ministry of Roads and Urban Development. The payload 'msapp.exe' writes 'Meteor has started.' to its encrypted log file, locks the host and wipes contents. Check Point ties the campaign to a self-identified 'Indra' persona that the wider community tracks as Predatory Sparrow / Gonjeshke Darande.

    family · Meteor · first seen · Jul 8, 2021 · Check Point Research
  • ?? · Unknown · Qilin · Name · high
    Agenda

    Original Go-based ransomware family name used by Qilin affiliates from mid-2022 before the Rust rewrite. Group-IB and SentinelOne both track Qilin/Agenda as one lineage; the operators encrypted Synnovis pathology systems on 3 June 2024 causing the south-London NHS hospital outage.

    family · Agenda/Qilin · first seen · Aug 24, 2022 · SentinelOne
  • ?? · Unknown · Qilin · SHA-256 · medium
    e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527

    Qilin ransomware Windows sample referenced in vendor emulation packs (AttackIQ, MyCERT) drawing on Group-IB's Qilin Revisited 2024 technical analysis.

    family · Agenda/Qilin · first seen · Jul 16, 2024 · Group-IB
  • ?? · Unknown · RansomHub · SHA-256 · high
    02e9f0fbb7f3acea4fcf155dc7813e15c1c8d1c77c3ae31252720a9fa7454292

    RansomHub Windows encryptor sample published in Symantec's August 2024 analysis tying the family back to its Knight / Cyclops origins. Sample uses Curve25519 with intermittent encryption as described in CISA AA24-242A.

    family · RansomHub · first seen · Jul 31, 2024 · Symantec
  • 188[.]34[.]188[.]7

    RansomHub affiliate staging host serving second-stage payloads (NEWOFFICIALPROGRAMCAUSEOFNEWUPDATE.exe and helper DLLs under /555/) per Table 4 of CISA joint advisory AA24-242A.

    family · RansomHub · first seen · Aug 28, 2024 · CISA
  • brahma2023[at]onionmail[.]org

    RansomHub affiliate contact address listed in Table 5 of CISA AA24-242A (2023-2024).

    family · RansomHub · first seen · Aug 28, 2024 · CISA
  • RU · Russia · REvil · Name · high
    mpsvc.dll

    Sodinokibi/REvil encryptor DLL side-loaded by a renamed MsMpEng.exe in the July 2, 2021 Kaseya VSA supply-chain compromise. Vasinskyi was indicted Nov. 8, 2021 by DOJ for deploying this code through Kaseya's auto-update channel to roughly 1,500 downstream customers.

    family · REvil · first seen · Jul 1, 2021 · DOJ
  • RU · Russia · REvil · Name · high
    Sodinokibi/REvil ransomware

    Malware family DOJ identified by name in the November 8, 2021 unsealed indictment of Ukrainian national Yaroslav Vasinskyi as the payload deployed through the Kaseya VSA agent on July 2, 2021. Vasinskyi was sentenced May 1, 2024 to 13 years 7 months and $16M restitution.

    family · REvil · first seen · Jul 1, 2021 · DOJ
  • RU · Russia · RomCom · Domain · high
    advanced-ip-scaner[.]com

    Typosquat of advanced-ip-scanner.com used by Storm-0978 (Microsoft's tracker for the RomCom operator) to deliver trojanized installers - documented in the Microsoft Security Blog write-up that disclosed CVE-2023-36884 exploitation.

    family · RomCom RAT · first seen · Jul 10, 2023 · Microsoft Threat Intelligence
  • RU · Russia · RomCom · SHA-256 · high
    b5978cf7d0c275d09bedf09f07667e139ad7fed8f9e47742e08c914c5cf44a53

    ROMCOM RAT sample observed by Palo Alto Networks Unit 42 in the August 2022 Tropical Scorpius / Cuba ransomware intrusions - the first public attribution of the backdoor to this operator.

    family · RomCom RAT · first seen · Jul 31, 2022 · Palo Alto Networks Unit 42
  • RU · Russia · RomCom · Domain · high
    combinedresidency[.]org

    Tropical Scorpius staging domain documented by Unit 42 in their August 2022 Cuba ransomware / ROMCOM report. Listed alongside optasko[.]com as actor-controlled infrastructure.

    family · RomCom RAT · first seen · Jul 31, 2022 · Palo Alto Networks Unit 42
  • 7394229455151a9cd036383027a1536b

    MD5 of the Demodex kernel-mode rootkit driver published by Kaspersky in the September 2021 disclosure that originally named the actor `GhostEmperor` - the cluster now publicly tracked by U.S. agencies as Salt Typhoon. Loaded by bypassing Driver Signature Enforcement via the signed Cheat Engine driver `dbk64.sys`.

    family · Demodex · first seen · Sep 29, 2021 · Kaspersky (Securelist)
  • eba9ae70d1b22de67b0eba160a6762d8

    MD5 of `cmd3`, a Linux/Go SFTP staging client paired with `cmd1` in Salt Typhoon intrusions. Listed in Table 4 of the joint AA25-239A advisory; written by the same developer as `cmd1` based on shared Go build paths (`C:/work/sync/cmd/...`).

    first seen · Aug 26, 2025 · CISA / NSA / FBI
  • f2bbba1ea0f34b262f158ff31e00d39d89bbc471d04e8fca60a034cabe18e4f4

    SHA-256 of `cmd1`, a Linux/Go custom SFTP client used by the Salt Typhoon / GhostEmperor cluster to stage and exfiltrate encrypted archives. Listed in Table 5 of the September 2025 joint advisory `Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System` (AA25-239A).

    first seen · Aug 26, 2025 · CISA / NSA / FBI
  • RU · Russia · Sandworm · SHA-256 · high
    1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

    HermeticWiper / Trojan.Killdisk sample (Symantec Threat Hunter Team), deployed against Ukrainian organisations from 23 February 2022. Listed in CISA / FBI joint advisory AA22-057A appendix Table 2. The campaign is widely attributed to GRU Unit 74455 (Sandworm).

    family · HermeticWiper · first seen · Feb 22, 2022 · CISA
  • RU · Russia · Sandworm · SHA-256 · high
    9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a

    AcidRain - MIPS ELF wiper (filename 'ukrop') that bricked modems on Viasat's KA-SAT network on 24 February 2022, disrupting service across Ukraine and downstream wind-turbine telemetry in Germany. SentinelLabs published the hash and noted code overlap with VPNFilter (attributed to Sandworm).

    family · AcidRain · first seen · Feb 23, 2022 · SentinelLabs
  • fd9c17c35a68fc505235e20c6e50c622aed8dea0

    Industroyer2 sample (108_100.exe), an IEC-104 ICS-disruption tool that Sandworm deployed against a Ukrainian energy provider on 8 April 2022. Discovery and IOC publication by ESET working with CERT-UA; ESET assesses Sandworm responsibility with high confidence.

    family · Industroyer2 · first seen · Apr 7, 2022 · ESET
  • AveMaria

    Commodity remote-access trojan (also tracked as WarZone, MITRE S0670) used by Scattered Spider for hands-on-keyboard access post-compromise, per Table 2 of CISA AA23-320A.

    family · AveMaria/WarZone · first seen · Nov 15, 2023 · CISA
  • Raccoon Stealer

    Information stealer (credentials, browser history, cookies) named in Table 2 of CISA/FBI joint advisory AA23-320A as part of Scattered Spider's post-access toolset.

    family · Raccoon Stealer · first seen · Nov 15, 2023 · CISA
  • VIDAR Stealer

    Information stealer listed in Table 2 of CISA AA23-320A as used by Scattered Spider for credential and cookie theft after initial help-desk social engineering.

    family · VIDAR · first seen · Nov 15, 2023 · CISA
  • 45[.]27[.]26[.]205

    Sample VPS exfiltration IP (ALEXHOST SRL, AS200019) used by UNC5537 to stage stolen Snowflake-customer data. Listed in Mandiant's June 2024 disclosure.

    first seen · May 21, 2024 · Mandiant (Google Cloud)
  • FROSTBITE

    Custom Snowflake reconnaissance utility (.NET and Java variants, attacker-named 'rapeflake') deployed by UNC5537 / ShinyHunters during the 2024 Snowflake-customer extortion campaign disclosed by Mandiant in June 2024.

    family · FROSTBITE · first seen · Apr 13, 2024 · Mandiant (Google Cloud)
  • shinysp1d3r

    RaaS brand launched on a Scattered Lapsus$ Hunters Telegram channel in August 2025, marketed alongside the Trinity of Chaos data-leak site that went live on the TOR network on 3 October 2025 listing 39 Salesforce/Salesloft victims.

    family · ShinySp1d3r · first seen · Aug 7, 2025 · Resecurity
  • CN · China · Spamouflage · Domain · medium
    dailydispatcher[.]com

    Inauthentic outlet operated by DURINBRIDGE, identified by Google Threat Intelligence Group as republishing DRAGONBRIDGE articles within the broader GLASSBRIDGE ecosystem of PRC-aligned fake news sites.

    first seen · Nov 21, 2024 · Google Threat Intelligence Group
  • CN · China · Spamouflage · Domain · medium
    japandigest[.]net

    Inauthentic news site operated by Shenzhen Bowen Media as part of the GLASSBRIDGE network used to launder pro-PRC and DRAGONBRIDGE narratives, per Google Threat Intelligence Group's November 2024 disclosure.

    first seen · Nov 21, 2024 · Google Threat Intelligence Group
  • CN · China · Spamouflage · Domain · medium
    taiwanweekly[.]com

    Inauthentic news site operated by Shanghai Haixun Technology within the GLASSBRIDGE network and used to distribute pro-PRC content amplifying DRAGONBRIDGE narratives, per Google/Mandiant November 2024 reporting.

  • RU · Russia · Turla · Name · high
    Snake (Uroburos)

    Sophisticated modular peer-to-peer implant attributed to FSB Center 16 (Turla). Known under multiple names — Snake, Uroburos, Turla, EkulturaFS — across ~20 years of operation. Disrupted by the U.S. DOJ's Operation MEDUSA in May 2023.

    family · Snake · first seen · Dec 31, 2013 · CISA
  • 64[.]176[.]169[.]22

    IP address listed in Check Point Research's Void Manticore IOC appendix (May 2024 report on destructive activities in Israel).

    first seen · May 19, 2024 · Check Point Research
  • D0C03D40772CD468325BBC522402F7B737F18B8F37A89BACC5C8A00C2B87BFC6

    SHA-256 listed in Check Point Research's May 2024 'Bad Karma, No Justice' report on Void Manticore. The actor uses BiBi wiper (Linux and Windows variants) along with CIWiper and partition wipers in destructive operations against Israeli and Albanian targets.

    family · BiBi Wiper · first seen · May 19, 2024 · Check Point Research
  • KV-botnet

    Operator-named botnet family running on compromised end-of-life SOHO routers (predominantly Cisco RV320/325, NETGEAR ProSAFE, Axis IP cameras). Used as obfuscation infrastructure for Volt Typhoon operations; the DOJ disrupted the network in Operation Dying Ember (announced 31 Jan 2024).

    family · KV-botnet · first seen · Jan 30, 2024 · CISA