Trusted Design

Cmstar Downloader: Lurid and Enfal's New Cousin

概要

In recent weeks, Unit 42 has been analyzing delivery documents used in spear-phishing attacks that drop a custom downloader used in cyber espionage attacks. This specific downloader, Cmstar, is associated with the Lurid downloader also known as ‘Enfal’. Cmstar was named for the log message ‘CM**’ used by the downloader.

Created: 2026-02-23

Indicators

• FileHash-SHA256 - b65dd4da9f83c11fcb5beaec43fabd0df0f7cb61de94d874f969ca926e085515 -
• FileHash-SHA256 - a0aeb172a72442d2c2c02e1d32b48accb9975c4da7742df24d9350a8ccd401f2 -
• FileHash-SHA256 - 13c1d7eb2fd64591e224dec9534d8252f4b91e425e8f047b36605138d15cbf2d -
• YARA - c9b5b484c3a839f51d5824e3327ac9fe034a2a02 -
• FileHash-MD5 - 3fff0bf6847d0d056636caef9c3056c3 -
• hostname - help.redhag.com -
• FileHash-SHA256 - 42ed2edc37b957266ff7b02955a007dd82d955c09ef7be23e685d938e40ad61d -
• FileHash-MD5 - 94499ff857451ab7ef8823bf067189e7 -
• FileHash-MD5 - 9da10a36daf845367e0fc2f3e7e54336 -
• FileHash-SHA256 - df34aa9c8021f1f0bdf33249908efc4a9628941453ad79b281b3a46bf9a7f37f -
• FileHash-SHA256 - d541280b37dd5e2101cc5cd47b0991b8320714f5627b37646330136cddef0c23 -
• FileHash-SHA256 - 2e00a98212c5a2015d12612f0d26039a0c2dfee3e1b384675f613e683f276e02 -
• FileHash-SHA256 - 1cf44815f9eb735e095f68c929d5549e0ebc44af9988cccaf1852baeb96bb386 -
• FileHash-SHA256 - 0a10d7bb317dceccd05d18408fd6b8b12c784910e5f7e035ee22c2c5d7e4cbf5 -
• FileHash-MD5 - e0417547ba54b58bb2c8f795bca0345c -
• FileHash-SHA256 - 5b338decffe665a2141d1079c32b2d612057d1fdbfddf198cc28003dae7f0516 -
• domain - brabbq.com -
• FileHash-MD5 - 5aeb8a5aa8f6e2408016cbd13b3dfaf0 -
• FileHash-SHA256 - e39b0e777ef0135c1f737b67988df70c2e6303c3d2b01d3cdea3efc1d03d9ad9 -
• FileHash-SHA256 - 87bcc6d18c6a81d92d826b232703dee84b522bd1d0cae56f74bcf58fdca0930e -
• hostname - help.ubxpi0s.com -
• FileHash-MD5 - 6fdeadacfe1dafd2293ce5c4e178b668 -
• hostname - happy.launchtrue.com -
• FileHash-SHA256 - e0b3cc07d3a9b509480b240368dee2a29713ea1e240674c0ccf610c84810a7c5 -
• hostname - question.eboregi.com -
• FileHash-MD5 - f7d47e1de4f5f4ad530bca0fc080ea53 -
• FileHash-SHA1 - 6c7c8b804cc76e2c208c6e3b6453cb134d01fa41 -
• FileHash-SHA1 - 6d484daba3927fc0744b1bbd7981a56ebef95790 -
• FileHash-SHA1 - 9639ec9aca4011b2724d8e7ddd13db19913e3e16 -
• hostname - links.dogsforhelp.com -
• email - wangminghua6@gmail.com -
• URL - http://happy.launchtrue.com:8080/cgl-bin/update.cgi -
• YARA - 2c4fa3992f8843108d75535822b79cad14375cce -
• FileHash-SHA256 - 9b9cc7e2a2481b0472721e6b87f1eba4faf2d419d1e2c115a91ab7e7e6fc7f7c -
• FileHash-MD5 - 46bf922d9ae07a9bc3667a374605bdbb -
• Mutex - {53A4988C-F91F-4054-9076-220AC5EC03F3} -
• domain - diskfunc.com -
• hostname - stone.timmf.com -
• FileHash-SHA256 - c99c0b37f2fd64fa523d39c35ead6416a684ae203ae728feb5feff8490eb902c -
• YARA - d132d5e5bdbd551ae660033e5b28c182b46930ce -
• FileHash-SHA256 - f4b8f71c0e10a345a855763e01033e2144e949c8f98c271755cc025e3f55b7da -
• hostname - new.hoticq.com -
• domain - flash-vip.com -
• FileHash-SHA256 - c26c67eac20614038aaadfda19b604862926433333893d65332928b5e36796aa -
• FileHash-SHA256 - 7ade616a8f1750cecba944a02e2bce1340b18a55697b29f721ccc4701aadba6e -
• domain - cowforhelp.com -
• domain - marubir.com -
• FileHash-SHA256 - 88184983733f4d4fa767ad4e7993b01c5754f868470dd78ac1bad2b02c9e5001 -
• FileHash-SHA256 - b9d597aea53023727d8564e47e903b652f5e98a2c32bdc23bc4936448fb2d593 -
• FileHash-SHA256 - a37f337d0bc3cebede2039b0a3bd5afd0624e181d2dcc9614d2f7d816b5a7a6b -
• hostname - dns.thinkttun.com -
• FileHash-MD5 - 783a423f5e285269126d0d98f53c795b -
• FileHash-SHA256 - 239a25ac2b38f0be9392ceeaeab0d64cb239f033af07ed56565ba9d6a7ddcf1f -
• FileHash-SHA256 - 4883286b8229a2c43db17eb1e1c5bd79d1933e840cdfedff80d5b99a84c9e39f -
• domain - shiesiido.com -
• YARA - e45ed109e5c0d14ef4d874e8f473b259115f7a38 -
• domain - basiccompare.com -
• FileHash-MD5 - 76ffb9c2d8d0ae46e8ea792ffacc8018 -
• hostname - error.yandex-pro.com -
• FileHash-SHA256 - a8fa487d9f2152738bf49c8c69e8a147aae55c06f37c7e25026a28f21601ad7f -
• hostname - mssage.hotoicq.com -
• FileHash-MD5 - 30a6c3c7723fe14c4b6960fa3e4e57ba -
• FileHash-SHA256 - a330c52b7643de9d8be51a4ae0150b7b8390dbabaea9704069694835fbd3298e -
• domain - suttgte.com -
• FileHash-SHA256 - 45027d11ab783993c413f97e8e29759d04b04564f8916f005f5c632f291697bb -
• FileHash-SHA256 - 7dc78caf515d1d3d2b84be7c023ccbd0b4fd670a42babcbcbd5a5ba65bbdd166 -
• hostname - xphome.mailru-vip.com -
• domain - biortherm.com -
• hostname - bakler.featurvoice.com -
• hostname - three.earewq.com -
• FileHash-MD5 - 3d41e3c902502c8b0ea30f5947307d56 -
• FileHash-MD5 - d05f012c9c1a7fb669a07070be821072 -
• hostname - sarey.phdreport.com -
• hostname - turber.xoxcobbs.com -
• FileHash-SHA1 - d4071272cc1bf944e3867db299b3f5dce126f82b -
• FileHash-SHA256 - adb05c1eecd789582886b3354b53831df9c9a06e891bb687633ee7ce21417edc -
• FileHash-MD5 - c5ae7bd6aec1e01aa53edcf41962ac04 -
• CVE - CVE-2012-0158 -
• domain - kruptcy.com -
• FileHash-SHA256 - 6b557c22ab12e8ea43d29e4f9f8a9483e3e75cd41338a674c9069b6dacdf7ba7 -
• FileHash-SHA256 - 671dfc4d47a43cf0bd9205a0f654dcd5050175aef54b69388b0c5f4610896c6a -
• FileHash-SHA256 - ab934c6177be0fdc3b6dfbf21f60ce7837a30e6599dcfb111b43008c75ceb91f -
• hostname - here.pechooin.com -
• domain - regebky.com -
• FileHash-MD5 - 510b3272342765743a202373261c08da -

類似Pulses

• Malicious Word document delivers LuminosityLink RAT (score: 0.57)
• PlugX Uses Legitimate Samsung Application for DLL Side-Loading (score: 0.56)
• Unit 42 Technical Analysis: Seaduke (score: 0.55)
• NCCIC / US-CERT: Malware Initial Findings Report (MIFR) - 10120032 (score: 0.54)
• NCCIC / US-CERT: Malware Initial Findings Report (MIFR) - 10120095 (score: 0.54)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る