ioc · sha-256

e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d

Saitama .NET backdoor payload (update.exe) attributed by Malwarebytes/ThreatDown to APT34 (OilRig / Helix Kitten / Hazel Sandstorm) in a May 2022 spearphishing operation against a Jordanian Ministry of Foreign Affairs official. Saitama uses DNS tunneling for C2.

family: Saitama
first seen: Apr 25, 2022
publisher: Malwarebytes (ThreatDown)

source citation