Pulse Detail-

Angler EK leads to fileless Gootkit

概要

On January 27, 2016 Cyphort Labs discovered a site infected with Angler EK leading to a fileless Gootkit (a.k.a. XswKit) malware. The site was redirecting visitors to the malware through a compromised OpenX Ad server injecting a malicious iframe into the page. The iframe leads to Angler EK which downloads Bedep ad-fraud which then downloads a Gootkit loader. The loader injects a DLL component found in its body into explorer.exe. The injected DLL then downloads the fileless Gootkit and saves it in the registry as binary data, then loading it in memory only.

Created: 2026-02-23

Indicators

類似Pulses

Angler EK installs bedep, vawtrak and POS malware (score: 0.71)
Gootkit banking Trojan jumps the Channel (score: 0.66)
2015-08-31 Angler EK pushing Bedep (score: 0.66)
GootKit- Banker Malware (possibly) Botnet Attacking Italian Companies (score: 0.62)
Trojan:Win32/Kolweb (score: 0.61)

このPulseに関連する脅威アクター (事実ベース)

APT32

Score: 17.66

Matched TTPs:

T1113 - Screen Capture
T1089 - Disabling Security Tools
T1091 - Replication Through Removable Media
T1684 - Social Engineering
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1027.018 - Invisible Unicode
T1556 - Modify Authentication Process

MITREへのリンク →

Turla

Score: 16.51

Matched TTPs:

T1113 - Screen Capture
T1059.010 - AutoHotKey & AutoIT
T1684 - Social Engineering
T1547.002 - Authentication Package
T1059.012 - Hypervisor CLI
T1546.016 - Installer Packages
T1027.018 - Invisible Unicode

MITREへのリンク →

Winnti Group

Score: 3.29

Matched TTPs:

T1499.001 - OS Exhaustion Flood

MITREへのリンク →

APT41

Score: 15.70

Matched TTPs:

T1499.001 - OS Exhaustion Flood
T1560.003 - Archive via Custom Method
T1089 - Disabling Security Tools
T1684 - Social Engineering
T1048 - Exfiltration Over Alternative Protocol
T1218.010 - Regsvr32

MITREへのリンク →

Rocke

Score: 8.47

Matched TTPs:

T1499.001 - OS Exhaustion Flood
T1059.010 - AutoHotKey & AutoIT
T1059.013 - Container CLI/API

MITREへのリンク →

TeamTNT

Score: 6.83

Matched TTPs:

T1499.001 - OS Exhaustion Flood
T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media

MITREへのリンク →

APT28

Score: 20.95

Matched TTPs:

T1499.001 - OS Exhaustion Flood
T1059.010 - AutoHotKey & AutoIT
T1548.004 - Elevated Execution with Prompt
T1547.002 - Authentication Package
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1588.003 - Code Signing Certificates
T1027.018 - Invisible Unicode

MITREへのリンク →

UNC3886

Score: 8.91

Matched TTPs:

T1499.001 - OS Exhaustion Flood
T1547.015 - Login Items
T1218.010 - Regsvr32

MITREへのリンク →

Scattered Spider

Score: 3.29

Matched TTPs:

T1560.003 - Archive via Custom Method

MITREへのリンク →

TA505

Score: 12.03

Matched TTPs:

T1560.003 - Archive via Custom Method
T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media
T1138 - Application Shimming
T1027.018 - Invisible Unicode

MITREへのリンク →

Volt Typhoon

Score: 7.69

Matched TTPs:

T1560.003 - Archive via Custom Method
T1059.010 - AutoHotKey & AutoIT
T1546.016 - Installer Packages

MITREへのリンク →

APT3

Score: 7.87

Matched TTPs:

T1560.003 - Archive via Custom Method
T1089 - Disabling Security Tools
T1218.010 - Regsvr32
T1027.018 - Invisible Unicode

MITREへのリンク →

FIN13

Score: 6.59

Matched TTPs:

T1560.003 - Archive via Custom Method
T1089 - Disabling Security Tools
T1059.010 - AutoHotKey & AutoIT

MITREへのリンク →

Cinnamon Tempest

Score: 3.30

Matched TTPs:

T1089 - Disabling Security Tools
T1059.010 - AutoHotKey & AutoIT

MITREへのリンク →

MuddyWater

Score: 12.18

Matched TTPs:

T1089 - Disabling Security Tools
T1059.010 - AutoHotKey & AutoIT
T1547.002 - Authentication Package
T1218.010 - Regsvr32
T1059.013 - Container CLI/API
T1027.018 - Invisible Unicode

MITREへのリンク →

Velvet Ant

Score: 4.19

Matched TTPs:

T1089 - Disabling Security Tools
T1684 - Social Engineering

MITREへのリンク →

RTM

Score: 3.50

Matched TTPs:

T1089 - Disabling Security Tools
T1059.012 - Hypervisor CLI

MITREへのリンク →

Tonto Team

Score: 3.23

Matched TTPs:

T1089 - Disabling Security Tools
T1218.010 - Regsvr32

MITREへのリンク →

Patchwork

Score: 9.50

Matched TTPs:

T1089 - Disabling Security Tools
T1001 - Data Obfuscation
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1027.018 - Invisible Unicode

MITREへのリンク →

Higaisa

Score: 7.95

Matched TTPs:

T1089 - Disabling Security Tools
T1059.010 - AutoHotKey & AutoIT
T1218.010 - Regsvr32
T1546.017 - Udev Rules

MITREへのリンク →

Storm-1811

Score: 3.30

Matched TTPs:

T1089 - Disabling Security Tools
T1059.010 - AutoHotKey & AutoIT

MITREへのリンク →

Evilnum

Score: 3.09

Matched TTPs:

T1089 - Disabling Security Tools
T1027.018 - Invisible Unicode

MITREへのリンク →

Tropic Trooper

Score: 4.80

Matched TTPs:

T1089 - Disabling Security Tools
T1059.010 - AutoHotKey & AutoIT
T1218.010 - Regsvr32

MITREへのリンク →

Earth Lusca

Score: 11.23

Matched TTPs:

T1089 - Disabling Security Tools
T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media
T1059.012 - Hypervisor CLI
T1546.016 - Installer Packages
T1027.018 - Invisible Unicode

MITREへのリンク →

LuminousMoth

Score: 5.07

Matched TTPs:

T1089 - Disabling Security Tools
T1091 - Replication Through Removable Media
T1027.018 - Invisible Unicode

MITREへのリンク →

BRONZE BUTLER

Score: 6.56

Matched TTPs:

T1089 - Disabling Security Tools
T1059.010 - AutoHotKey & AutoIT
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI

MITREへのリンク →

BlackTech

Score: 4.59

Matched TTPs:

T1089 - Disabling Security Tools
T1218.010 - Regsvr32
T1027.018 - Invisible Unicode

MITREへのリンク →

Mustang Panda

Score: 18.85

Matched TTPs:

T1089 - Disabling Security Tools
T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media
T1608 - Stage Capabilities
T1218.010 - Regsvr32
T1055.005 - Thread Local Storage
T1027.018 - Invisible Unicode
T1556 - Modify Authentication Process

MITREへのリンク →

SideCopy

Score: 3.71

Matched TTPs:

T1089 - Disabling Security Tools
T1091 - Replication Through Removable Media

MITREへのリンク →

Daggerfly

Score: 7.69

Matched TTPs:

T1089 - Disabling Security Tools
T1059.012 - Hypervisor CLI
T1546.016 - Installer Packages
T1027.018 - Invisible Unicode

MITREへのリンク →

Lazarus Group

Score: 18.67

Matched TTPs:

T1089 - Disabling Security Tools
T1059.010 - AutoHotKey & AutoIT
T1547.002 - Authentication Package
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1546.016 - Installer Packages
T1055.005 - Thread Local Storage
T1556 - Modify Authentication Process

MITREへのリンク →

Threat Group-3390

Score: 18.97

Matched TTPs:

T1089 - Disabling Security Tools
T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media
T1218.003 - CMSTP
T1001 - Data Obfuscation
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1546.017 - Udev Rules

MITREへのリンク →

APT19

Score: 5.07

Matched TTPs:

T1089 - Disabling Security Tools
T1059.010 - AutoHotKey & AutoIT
T1059.012 - Hypervisor CLI

MITREへのリンク →

Sidewinder

Score: 4.59

Matched TTPs:

T1089 - Disabling Security Tools
T1218.010 - Regsvr32
T1027.018 - Invisible Unicode

MITREへのリンク →

menuPass

Score: 6.45

Matched TTPs:

T1089 - Disabling Security Tools
T1059.010 - AutoHotKey & AutoIT
T1001 - Data Obfuscation

MITREへのリンク →

APT39

Score: 5.33

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1547.002 - Authentication Package
T1027.018 - Invisible Unicode

MITREへのリンク →

Gorgon Group

Score: 4.72

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1001 - Data Obfuscation

MITREへのリンク →

Kimsuky

Score: 16.75

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media
T1684 - Social Engineering
T1608 - Stage Capabilities
T1001 - Data Obfuscation
T1547.002 - Authentication Package
T1027.018 - Invisible Unicode

MITREへのリンク →

Moonstone Sleet

Score: 3.54

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media

MITREへのリンク →

APT38

Score: 14.44

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1684 - Social Engineering
T1138 - Application Shimming
T1048 - Exfiltration Over Alternative Protocol
T1059.012 - Hypervisor CLI
T1027.018 - Invisible Unicode

MITREへのリンク →

Molerats

Score: 6.08

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1027.018 - Invisible Unicode
T1546.017 - Udev Rules

MITREへのリンク →

Darkhotel

Score: 4.83

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI

MITREへのリンク →

ZIRCONIUM

Score: 5.33

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1547.002 - Authentication Package
T1027.018 - Invisible Unicode

MITREへのリンク →

OilRig

Score: 17.12

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media
T1048 - Exfiltration Over Alternative Protocol
T1218.010 - Regsvr32
T1592.002 - Software
T1027.018 - Invisible Unicode
T1556 - Modify Authentication Process

MITREへのリンク →

Gamaredon Group

Score: 24.22

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media
T1684 - Social Engineering
T1562.010 - Downgrade Attack
T1608 - Stage Capabilities
T1547.002 - Authentication Package
T1059.013 - Container CLI/API
T1027.018 - Invisible Unicode
T1546.017 - Udev Rules

MITREへのリンク →

FIN7

Score: 7.30

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media
T1547.002 - Authentication Package
T1027.018 - Invisible Unicode

MITREへのリンク →

Winter Vivern

Score: 4.69

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1059.012 - Hypervisor CLI
T1027.018 - Invisible Unicode

MITREへのリンク →

BlackByte

Score: 13.00

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media
T1684 - Social Engineering
T1562.010 - Downgrade Attack
T1001 - Data Obfuscation

MITREへのリンク →

Leviathan

Score: 12.17

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1546.016 - Installer Packages
T1027.018 - Invisible Unicode
T1546.017 - Udev Rules

MITREへのリンク →

Sandworm Team

Score: 15.47

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media
T1187 - Forced Authentication
T1547.002 - Authentication Package
T1218.010 - Regsvr32
T1546.016 - Installer Packages
T1027.018 - Invisible Unicode

MITREへのリンク →

TA2541

Score: 12.09

Matched TTPs:

T1091 - Replication Through Removable Media
T1684 - Social Engineering
T1001 - Data Obfuscation
T1027.018 - Invisible Unicode
T1546.017 - Udev Rules

MITREへのリンク →

Mustard Tempest

Score: 5.10

Matched TTPs:

T1091 - Replication Through Removable Media
T1059.012 - Hypervisor CLI
T1027.018 - Invisible Unicode

MITREへのリンク →

LazyScripter

Score: 3.33

Matched TTPs:

T1091 - Replication Through Removable Media
T1027.018 - Invisible Unicode

MITREへのリンク →

BITTER

Score: 3.47

Matched TTPs:

T1091 - Replication Through Removable Media
T1218.010 - Regsvr32

MITREへのリンク →

HEXANE

Score: 4.37

Matched TTPs:

T1091 - Replication Through Removable Media
T1547.002 - Authentication Package

MITREへのリンク →

Saint Bear

Score: 4.83

Matched TTPs:

T1091 - Replication Through Removable Media
T1218.010 - Regsvr32
T1027.018 - Invisible Unicode

MITREへのリンク →

Contagious Interview

Score: 9.92

Matched TTPs:

T1091 - Replication Through Removable Media
T1562.010 - Downgrade Attack
T1027.018 - Invisible Unicode
T1556 - Modify Authentication Process

MITREへのリンク →

EXOTIC LILY

Score: 4.83

Matched TTPs:

T1091 - Replication Through Removable Media
T1218.010 - Regsvr32
T1027.018 - Invisible Unicode

MITREへのリンク →

Silence

Score: 5.90

Matched TTPs:

T1684 - Social Engineering
T1048 - Exfiltration Over Alternative Protocol

MITREへのリンク →

Wizard Spider

Score: 6.56

Matched TTPs:

T1684 - Social Engineering
T1027.018 - Invisible Unicode
T1556 - Modify Authentication Process

MITREへのリンク →

Cobalt Group

Score: 5.31

Matched TTPs:

T1684 - Social Engineering
T1218.010 - Regsvr32
T1027.018 - Invisible Unicode

MITREへのリンク →

APT37

Score: 8.12

Matched TTPs:

T1684 - Social Engineering
T1547.002 - Authentication Package
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI

MITREへのリンク →

PLATINUM

Score: 8.76

Matched TTPs:

T1684 - Social Engineering
T1059.012 - Hypervisor CLI
T1686 - Disable or Modify System Firewall

MITREへのリンク →

Medusa Group

Score: 8.67

Matched TTPs:

T1218.003 - CMSTP
T1094 - Custom Command and Control Protocol

MITREへのリンク →

APT29

Score: 6.70

Matched TTPs:

T1138 - Application Shimming
T1218.010 - Regsvr32
T1027.018 - Invisible Unicode

MITREへのリンク →

PROMETHIUM

Score: 5.90

Matched TTPs:

T1547.015 - Login Items
T1059.012 - Hypervisor CLI

MITREへのリンク →

Dark Caracal

Score: 5.20

Matched TTPs:

T1048 - Exfiltration Over Alternative Protocol
T1059.012 - Hypervisor CLI

MITREへのリンク →

Magic Hound

Score: 9.37

Matched TTPs:

T1187 - Forced Authentication
T1547.002 - Authentication Package
T1059.012 - Hypervisor CLI
T1027.018 - Invisible Unicode

MITREへのリンク →

Andariel

Score: 7.10

Matched TTPs:

T1187 - Forced Authentication
T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI

MITREへのリンク →

APT12

Score: 3.89

Matched TTPs:

T1547.002 - Authentication Package
T1218.010 - Regsvr32

MITREへのリンク →

Dragonfly

Score: 6.09

Matched TTPs:

T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1546.016 - Installer Packages

MITREへのリンク →

Axiom

Score: 3.26

Matched TTPs:

T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI

MITREへのリンク →

Sea Turtle

Score: 5.12

Matched TTPs:

T1218.010 - Regsvr32
T1059.013 - Container CLI/API

MITREへのリンク →

Transparent Tribe

Score: 4.62

Matched TTPs:

T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1027.018 - Invisible Unicode

MITREへのリンク →

Elderwood

Score: 4.62

Matched TTPs:

T1218.010 - Regsvr32
T1059.012 - Hypervisor CLI
T1027.018 - Invisible Unicode

MITREへのリンク →

APT33

Score: 5.60

Matched TTPs:

T1218.010 - Regsvr32
T1027.018 - Invisible Unicode
T1556 - Modify Authentication Process

MITREへのリンク →

Windshift

Score: 3.13

Matched TTPs:

T1059.012 - Hypervisor CLI
T1027.018 - Invisible Unicode

MITREへのリンク →

Machete

Score: 3.13

Matched TTPs:

T1059.012 - Hypervisor CLI
T1027.018 - Invisible Unicode

MITREへのリンク →

FIN8

Score: 4.11

Matched TTPs:

T1027.018 - Invisible Unicode
T1556 - Modify Authentication Process

MITREへのリンク →

Mofang

Score: 4.51

Matched TTPs:

T1027.018 - Invisible Unicode
T1546.017 - Udev Rules

MITREへのリンク →

このPulseに関連する脅威アクター (推論ベース)

Gamaredon Group

Score: 0.80

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media
T1546.017 - Udev Rules
T1608 - Stage Capabilities
T1059.013 - Container CLI/API
T1562.010 - Downgrade Attack
T1027.018 - Invisible Unicode
T1684 - Social Engineering
T1547.002 - Authentication Package

MITREへのリンク →

APT28

Score: 0.70

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1218.010 - Regsvr32
T1588.003 - Code Signing Certificates
T1499.001 - OS Exhaustion Flood
T1059.012 - Hypervisor CLI
T1027.018 - Invisible Unicode
T1548.004 - Elevated Execution with Prompt
T1547.002 - Authentication Package

MITREへのリンク →

Threat Group-3390

Score: 0.64

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1218.010 - Regsvr32
T1218.003 - CMSTP
T1091 - Replication Through Removable Media
T1089 - Disabling Security Tools
T1546.017 - Udev Rules
T1001 - Data Obfuscation
T1059.012 - Hypervisor CLI

MITREへのリンク →

Mustang Panda

Score: 0.63

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1218.010 - Regsvr32
T1055.005 - Thread Local Storage
T1091 - Replication Through Removable Media
T1089 - Disabling Security Tools
T1556 - Modify Authentication Process
T1608 - Stage Capabilities
T1027.018 - Invisible Unicode

MITREへのリンク →

Lazarus Group

Score: 0.63

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1218.010 - Regsvr32
T1055.005 - Thread Local Storage
T1089 - Disabling Security Tools
T1546.016 - Installer Packages
T1556 - Modify Authentication Process
T1059.012 - Hypervisor CLI
T1547.002 - Authentication Package

MITREへのリンク →

APT32

Score: 0.61

Matched TTPs:

T1218.010 - Regsvr32
T1091 - Replication Through Removable Media
T1089 - Disabling Security Tools
T1556 - Modify Authentication Process
T1059.012 - Hypervisor CLI
T1027.018 - Invisible Unicode
T1113 - Screen Capture
T1684 - Social Engineering

MITREへのリンク →

Turla

Score: 0.60

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1546.016 - Installer Packages
T1059.012 - Hypervisor CLI
T1684 - Social Engineering
T1027.018 - Invisible Unicode
T1113 - Screen Capture
T1547.002 - Authentication Package

MITREへのリンク →

OilRig

Score: 0.57

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1218.010 - Regsvr32
T1048 - Exfiltration Over Alternative Protocol
T1091 - Replication Through Removable Media
T1556 - Modify Authentication Process
T1027.018 - Invisible Unicode
T1592.002 - Software

MITREへのリンク →

Kimsuky

Score: 0.56

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1091 - Replication Through Removable Media
T1608 - Stage Capabilities
T1001 - Data Obfuscation
T1027.018 - Invisible Unicode
T1684 - Social Engineering
T1547.002 - Authentication Package

MITREへのリンク →

APT41

Score: 0.55

Matched TTPs:

T1218.010 - Regsvr32
T1048 - Exfiltration Over Alternative Protocol
T1089 - Disabling Security Tools
T1499.001 - OS Exhaustion Flood
T1560.003 - Archive via Custom Method
T1684 - Social Engineering

MITREへのリンク →

Sandworm Team

Score: 0.55

Matched TTPs:

T1059.010 - AutoHotKey & AutoIT
T1218.010 - Regsvr32
T1187 - Forced Authentication
T1091 - Replication Through Removable Media
T1546.016 - Installer Packages
T1027.018 - Invisible Unicode
T1547.002 - Authentication Package

MITREへのリンク →

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクターグラフ

← Pulse一覧に戻る

Angler EK leads to fileless Gootkit

概要

Indicators

類似Pulses

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

Pulse – 脅威アクター グラフ

Pulse – 脅威アクターグラフ