threatintel
actor tracker
IOC pivot
ioc · sha-256

5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6

KP · DPRKAPT37confidence · high

BLUELIGHT backdoor sample published by Volexity on 17 August 2021 in the 'InkySquid' blog. BLUELIGHT uses the Microsoft Graph API (OneDrive appfolder) for C2 and was deployed via IE / legacy-Edge zero-days CVE-2020-1380 and CVE-2021-26411 from a strategic web compromise of dailynk.com. Volexity attributes InkySquid to APT37 / ScarCruft.

family
BLUELIGHT
first seen
Aug 16, 2021
publisher
Volexity
source citation