Trusted Design

BBSRAT Attacks Targeting Russian Organizations

概要

In late 2014, ESET presented an attack campaign that had been observed over a period of time targeting Russia and other Russian speaking nations, dubbed “Roaming Tiger”. The attack was found to heavily rely on RTF exploits and at the time, thought to make use of the PlugX malware family. ESET did not attribute the attacks to a particular attack group, but noted that the objective of the campaign was espionage and general information stealing. The adversaries behind these attacks continued to target Russia and other Russian speaking nations using similar exploits and attack vectors. However, while the malware used in these new attacks uses similar infection mechanisms to PlugX, it is a completely new tool with its own specific behavior patterns and architecture. We have named this tool “BBSRAT.”

Created: 2026-02-23

Indicators

• hostname - adobeflashupdate.dynu.com -
• hostname - wap.kylxt.com -
• domain - futuresgolda.com -
• FileHash-SHA256 - 2d81d65d09bf1b864d8964627e13515cee7deddfbd0dc70b1e67f123ab91421e -
• FileHash-SHA256 - 95f198ed29cf3f7d4ddd7cf688bfec9e39d92b78c0a1fd2288e13a92459bdb35 -
• FileHash-SHA256 - 22592a32b1193587a707d8b20c04d966fe61b37f7def7613d9bb91ff2fe9b13b -
• hostname - pagbine.ofhloe.com -
• hostname - cdaklle.housejjk.com -
• hostname - jowwln.cocolco.com -
• hostname - systemupdate5.dtdns.net -
• YARA - d86e4e29a47311ed239cbefc31616e431bf2d008 -
• hostname - prdaio.unbrtel.com -
• FileHash-SHA256 - 4ea23449786b655c495edf258293ac446f2216464b3d1bccb314ef4c61861101 -
• FileHash-SHA256 - 44171afafca54129b89a0026006eca03d5307d79a301e4a8a712f796a3fdec6e -
• hostname - windowsupdate.dyn.nu -
• hostname - adobeflashupdate1.strangled.net -
• hostname - loomon.gupdiicc.com -
• FileHash-SHA256 - 6fae5305907ce99f9ab51e720232ef5acf1950826db520a847bf8892dc9578de -
• FileHash-SHA256 - 13d0bd83a023712b54c1dd391dfc1bc27b22d9df4fe3942e2967ec82d7c95640 -
• hostname - wap.hbwla.com -
• FileHash-SHA256 - 61a692e615e31b97b47a215479e6347fbd8e6e33d7c9d044766b4c1d1ae1b1fb -
• hostname - herman.eergh.com -
• hostname - www.testzake.com -
• hostname - www.yunw.top -
• FileHash-SHA256 - 71dc584564b726ed2e6b1423785037bfb178184419f3c878e02c7da8ba87c64d -
• FileHash-SHA256 - 7438ed5f0fbe4b26afed2fe0e4e4531fc129a44d8ea416f12a77d0c0cd873520 -
• hostname - wap.gxqtc.com -
• FileHash-SHA256 - 0fc52c74dd54a97459e964b340d694d8433a3229f61e1c305477f8c56c538f27 -
• FileHash-SHA256 - e049bd90028a56b286f4b0b9062a8df2ab2ddf492764e3962f295e9ce33660e3 -
• domain - transactiona.com -
• FileHash-SHA256 - b1737f3a1c50cb39cd9938d5ec3b4a6a10b711f17e917886481c38967b93e259 -
• hostname - winwordupdate.dynu.com -
• hostname - panaba.empleoy-plan.com -
• FileHash-SHA256 - 567a5b54d6c153cdd2ddd2b084f1f66fc87587dd691cd2ba8e30d689328a673f -
• hostname - kop.gupdiic.com -
• FileHash-SHA256 - 012ec51657d8724338a76574a39db4849579050f02c0103d46d406079afa1e8b -
• FileHash-SHA256 - fc4b465ee8d2053e9e41fb0a6ae32843e4e23145845967a069e584f582279725 -
• FileHash-SHA256 - 0baf36ca2d3772fdff989e2b7e762829d30db132757340725bb50dee3b51850c -
• hostname - peak.measurepeak.com -
• FileHash-SHA256 - 77a2e26097285a794e42c9e813d14936d0e7a1dd3504205dd6b28a71626f8c3c -
• FileHash-SHA256 - 5aa7db3344aa76211bbda3eaaccf1fc1b2e76df97ff9c30e7509701a389bd397 -
• hostname - support.yandexmailru.kr -
• FileHash-SHA256 - d579255852720d794349ae2238f084c6393419af38479f3d0e3d2a21c9eb8e18 -

類似Pulses

• BBSRAT Attacks Targeting Russian Orgs Linked to Roaming Tiger (score: 0.97)
• Targeted Attack Distributes PlugX in Russia (score: 0.71)
• A Look Into Fysbis: Sofacy’s Linux Backdoor (score: 0.65)
• BlackEnergy by the SSHBearDoor (score: 0.64)
• Defending the White Elephant (score: 0.64)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る