Pulse Detail-

Angler EK leads to fileless Gootkit

概要

On January 27, 2016 Cyphort Labs discovered a site infected with Angler EK leading to a fileless Gootkit (a.k.a. XswKit) malware. The site was redirecting visitors to the malware through a compromised OpenX Ad server injecting a malicious iframe into the page. The iframe leads to Angler EK which downloads Bedep ad-fraud which then downloads a Gootkit loader. The loader injects a DLL component found in its body into explorer.exe. The injected DLL then downloads the fileless Gootkit and saves it in the registry as binary data, then loading it in memory only.

Created: 2026-02-23

Indicators

類似Pulses

Angler EK installs bedep, vawtrak and POS malware (score: 0.71)
Gootkit banking Trojan jumps the Channel (score: 0.66)
2015-08-31 Angler EK pushing Bedep (score: 0.66)
GootKit- Banker Malware (possibly) Botnet Attacking Italian Companies (score: 0.62)
Trojan:Win32/Kolweb (score: 0.61)

このPulseに関連する脅威アクター (事実ベース)

APT32

Score: 17.66

Matched TTPs:

T1027.011 - Fileless Storage
T1574.001 - DLL
T1608.001 - Upload Malware
T1055 - Process Injection
T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise
T1204.001 - Malicious Link
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

MITREへのリンク →

Turla

Score: 16.51

Matched TTPs:

T1027.011 - Fileless Storage
T1140 - Deobfuscate/Decode Files or Information
T1055 - Process Injection
T1102.002 - Bidirectional Communication
T1189 - Drive-by Compromise
T1584.004 - Server
T1204.001 - Malicious Link

MITREへのリンク →

Winnti Group

Score: 3.29

Matched TTPs:

T1014 - Rootkit

MITREへのリンク →

APT41

Score: 15.70

Matched TTPs:

T1014 - Rootkit
T1069 - Permission Groups Discovery
T1574.001 - DLL
T1055 - Process Injection
T1218.001 - Compiled HTML File
T1203 - Exploitation for Client Execution

MITREへのリンク →

Rocke

Score: 8.47

Matched TTPs:

T1014 - Rootkit
T1140 - Deobfuscate/Decode Files or Information
T1027.004 - Compile After Delivery

MITREへのリンク →

TeamTNT

Score: 6.83

Matched TTPs:

T1014 - Rootkit
T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware

MITREへのリンク →

APT28

Score: 20.95

Matched TTPs:

T1014 - Rootkit
T1140 - Deobfuscate/Decode Files or Information
T1546.015 - Component Object Model Hijacking
T1102.002 - Bidirectional Communication
T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise
T1137.002 - Office Test
T1204.001 - Malicious Link

MITREへのリンク →

UNC3886

Score: 8.91

Matched TTPs:

T1014 - Rootkit
T1205.001 - Port Knocking
T1203 - Exploitation for Client Execution

MITREへのリンク →

Scattered Spider

Score: 3.29

Matched TTPs:

T1069 - Permission Groups Discovery

MITREへのリンク →

TA505

Score: 12.03

Matched TTPs:

T1069 - Permission Groups Discovery
T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1553.005 - Mark-of-the-Web Bypass
T1204.001 - Malicious Link

MITREへのリンク →

Volt Typhoon

Score: 7.69

Matched TTPs:

T1069 - Permission Groups Discovery
T1140 - Deobfuscate/Decode Files or Information
T1584.004 - Server

MITREへのリンク →

APT3

Score: 7.87

Matched TTPs:

T1069 - Permission Groups Discovery
T1574.001 - DLL
T1203 - Exploitation for Client Execution
T1204.001 - Malicious Link

MITREへのリンク →

FIN13

Score: 6.59

Matched TTPs:

T1069 - Permission Groups Discovery
T1574.001 - DLL
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

Cinnamon Tempest

Score: 3.30

Matched TTPs:

T1574.001 - DLL
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

MuddyWater

Score: 12.18

Matched TTPs:

T1574.001 - DLL
T1140 - Deobfuscate/Decode Files or Information
T1102.002 - Bidirectional Communication
T1203 - Exploitation for Client Execution
T1027.004 - Compile After Delivery
T1204.001 - Malicious Link

MITREへのリンク →

Velvet Ant

Score: 4.19

Matched TTPs:

T1574.001 - DLL
T1055 - Process Injection

MITREへのリンク →

RTM

Score: 3.50

Matched TTPs:

T1574.001 - DLL
T1189 - Drive-by Compromise

MITREへのリンク →

Tonto Team

Score: 3.23

Matched TTPs:

T1574.001 - DLL
T1203 - Exploitation for Client Execution

MITREへのリンク →

Patchwork

Score: 9.50

Matched TTPs:

T1574.001 - DLL
T1055.012 - Process Hollowing
T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise
T1204.001 - Malicious Link

MITREへのリンク →

Higaisa

Score: 7.95

Matched TTPs:

T1574.001 - DLL
T1140 - Deobfuscate/Decode Files or Information
T1203 - Exploitation for Client Execution
T1027.015 - Compression

MITREへのリンク →

Storm-1811

Score: 3.30

Matched TTPs:

T1574.001 - DLL
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

Evilnum

Score: 3.09

Matched TTPs:

T1574.001 - DLL
T1204.001 - Malicious Link

MITREへのリンク →

Tropic Trooper

Score: 4.80

Matched TTPs:

T1574.001 - DLL
T1140 - Deobfuscate/Decode Files or Information
T1203 - Exploitation for Client Execution

MITREへのリンク →

Earth Lusca

Score: 11.23

Matched TTPs:

T1574.001 - DLL
T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1189 - Drive-by Compromise
T1584.004 - Server
T1204.001 - Malicious Link

MITREへのリンク →

LuminousMoth

Score: 5.07

Matched TTPs:

T1574.001 - DLL
T1608.001 - Upload Malware
T1204.001 - Malicious Link

MITREへのリンク →

BRONZE BUTLER

Score: 6.56

Matched TTPs:

T1574.001 - DLL
T1140 - Deobfuscate/Decode Files or Information
T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise

MITREへのリンク →

BlackTech

Score: 4.59

Matched TTPs:

T1574.001 - DLL
T1203 - Exploitation for Client Execution
T1204.001 - Malicious Link

MITREへのリンク →

Mustang Panda

Score: 18.85

Matched TTPs:

T1574.001 - DLL
T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1027.012 - LNK Icon Smuggling
T1203 - Exploitation for Client Execution
T1027.007 - Dynamic API Resolution
T1204.001 - Malicious Link
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

MITREへのリンク →

SideCopy

Score: 3.71

Matched TTPs:

T1574.001 - DLL
T1608.001 - Upload Malware

MITREへのリンク →

Daggerfly

Score: 7.69

Matched TTPs:

T1574.001 - DLL
T1189 - Drive-by Compromise
T1584.004 - Server
T1204.001 - Malicious Link

MITREへのリンク →

Lazarus Group

Score: 18.67

Matched TTPs:

T1574.001 - DLL
T1140 - Deobfuscate/Decode Files or Information
T1102.002 - Bidirectional Communication
T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise
T1584.004 - Server
T1027.007 - Dynamic API Resolution
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

MITREへのリンク →

Threat Group-3390

Score: 18.97

Matched TTPs:

T1574.001 - DLL
T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1608.002 - Upload Tool
T1055.012 - Process Hollowing
T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise
T1027.015 - Compression

MITREへのリンク →

APT19

Score: 5.07

Matched TTPs:

T1574.001 - DLL
T1140 - Deobfuscate/Decode Files or Information
T1189 - Drive-by Compromise

MITREへのリンク →

Sidewinder

Score: 4.59

Matched TTPs:

T1574.001 - DLL
T1203 - Exploitation for Client Execution
T1204.001 - Malicious Link

MITREへのリンク →

menuPass

Score: 6.45

Matched TTPs:

T1574.001 - DLL
T1140 - Deobfuscate/Decode Files or Information
T1055.012 - Process Hollowing

MITREへのリンク →

APT39

Score: 5.33

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1102.002 - Bidirectional Communication
T1204.001 - Malicious Link

MITREへのリンク →

Gorgon Group

Score: 4.72

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1055.012 - Process Hollowing

MITREへのリンク →

Kimsuky

Score: 16.75

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1055 - Process Injection
T1027.012 - LNK Icon Smuggling
T1055.012 - Process Hollowing
T1102.002 - Bidirectional Communication
T1204.001 - Malicious Link

MITREへのリンク →

Moonstone Sleet

Score: 3.54

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware

MITREへのリンク →

APT38

Score: 14.44

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1055 - Process Injection
T1553.005 - Mark-of-the-Web Bypass
T1218.001 - Compiled HTML File
T1189 - Drive-by Compromise
T1204.001 - Malicious Link

MITREへのリンク →

Molerats

Score: 6.08

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1204.001 - Malicious Link
T1027.015 - Compression

MITREへのリンク →

Darkhotel

Score: 4.83

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise

MITREへのリンク →

ZIRCONIUM

Score: 5.33

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1102.002 - Bidirectional Communication
T1204.001 - Malicious Link

MITREへのリンク →

OilRig

Score: 17.12

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1218.001 - Compiled HTML File
T1203 - Exploitation for Client Execution
T1137.004 - Outlook Home Page
T1204.001 - Malicious Link
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

MITREへのリンク →

Gamaredon Group

Score: 24.22

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1055 - Process Injection
T1480 - Execution Guardrails
T1027.012 - LNK Icon Smuggling
T1102.002 - Bidirectional Communication
T1027.004 - Compile After Delivery
T1204.001 - Malicious Link
T1027.015 - Compression

MITREへのリンク →

FIN7

Score: 7.30

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1102.002 - Bidirectional Communication
T1204.001 - Malicious Link

MITREへのリンク →

Winter Vivern

Score: 4.69

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1189 - Drive-by Compromise
T1204.001 - Malicious Link

MITREへのリンク →

BlackByte

Score: 13.00

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1055 - Process Injection
T1480 - Execution Guardrails
T1055.012 - Process Hollowing

MITREへのリンク →

Leviathan

Score: 12.17

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise
T1584.004 - Server
T1204.001 - Malicious Link
T1027.015 - Compression

MITREへのリンク →

Sandworm Team

Score: 15.47

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1592.002 - Software
T1102.002 - Bidirectional Communication
T1203 - Exploitation for Client Execution
T1584.004 - Server
T1204.001 - Malicious Link

MITREへのリンク →

TA2541

Score: 12.09

Matched TTPs:

T1608.001 - Upload Malware
T1055 - Process Injection
T1055.012 - Process Hollowing
T1204.001 - Malicious Link
T1027.015 - Compression

MITREへのリンク →

Mustard Tempest

Score: 5.10

Matched TTPs:

T1608.001 - Upload Malware
T1189 - Drive-by Compromise
T1204.001 - Malicious Link

MITREへのリンク →

LazyScripter

Score: 3.33

Matched TTPs:

T1608.001 - Upload Malware
T1204.001 - Malicious Link

MITREへのリンク →

BITTER

Score: 3.47

Matched TTPs:

T1608.001 - Upload Malware
T1203 - Exploitation for Client Execution

MITREへのリンク →

HEXANE

Score: 4.37

Matched TTPs:

T1608.001 - Upload Malware
T1102.002 - Bidirectional Communication

MITREへのリンク →

Saint Bear

Score: 4.83

Matched TTPs:

T1608.001 - Upload Malware
T1203 - Exploitation for Client Execution
T1204.001 - Malicious Link

MITREへのリンク →

Contagious Interview

Score: 9.92

Matched TTPs:

T1608.001 - Upload Malware
T1480 - Execution Guardrails
T1204.001 - Malicious Link
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

MITREへのリンク →

EXOTIC LILY

Score: 4.83

Matched TTPs:

T1608.001 - Upload Malware
T1203 - Exploitation for Client Execution
T1204.001 - Malicious Link

MITREへのリンク →

Silence

Score: 5.90

Matched TTPs:

T1055 - Process Injection
T1218.001 - Compiled HTML File

MITREへのリンク →

Wizard Spider

Score: 6.56

Matched TTPs:

T1055 - Process Injection
T1204.001 - Malicious Link
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

MITREへのリンク →

Cobalt Group

Score: 5.31

Matched TTPs:

T1055 - Process Injection
T1203 - Exploitation for Client Execution
T1204.001 - Malicious Link

MITREへのリンク →

APT37

Score: 8.12

Matched TTPs:

T1055 - Process Injection
T1102.002 - Bidirectional Communication
T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise

MITREへのリンク →

PLATINUM

Score: 8.76

Matched TTPs:

T1055 - Process Injection
T1189 - Drive-by Compromise
T1056.004 - Credential API Hooking

MITREへのリンク →

Medusa Group

Score: 8.67

Matched TTPs:

T1608.002 - Upload Tool
T1218.014 - MMC

MITREへのリンク →

APT29

Score: 6.70

Matched TTPs:

T1553.005 - Mark-of-the-Web Bypass
T1203 - Exploitation for Client Execution
T1204.001 - Malicious Link

MITREへのリンク →

PROMETHIUM

Score: 5.90

Matched TTPs:

T1205.001 - Port Knocking
T1189 - Drive-by Compromise

MITREへのリンク →

Dark Caracal

Score: 5.20

Matched TTPs:

T1218.001 - Compiled HTML File
T1189 - Drive-by Compromise

MITREへのリンク →

Magic Hound

Score: 9.37

Matched TTPs:

T1592.002 - Software
T1102.002 - Bidirectional Communication
T1189 - Drive-by Compromise
T1204.001 - Malicious Link

MITREへのリンク →

Andariel

Score: 7.10

Matched TTPs:

T1592.002 - Software
T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise

MITREへのリンク →

APT12

Score: 3.89

Matched TTPs:

T1102.002 - Bidirectional Communication
T1203 - Exploitation for Client Execution

MITREへのリンク →

Dragonfly

Score: 6.09

Matched TTPs:

T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise
T1584.004 - Server

MITREへのリンク →

Axiom

Score: 3.26

Matched TTPs:

T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise

MITREへのリンク →

Sea Turtle

Score: 5.12

Matched TTPs:

T1203 - Exploitation for Client Execution
T1027.004 - Compile After Delivery

MITREへのリンク →

Transparent Tribe

Score: 4.62

Matched TTPs:

T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise
T1204.001 - Malicious Link

MITREへのリンク →

Elderwood

Score: 4.62

Matched TTPs:

T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise
T1204.001 - Malicious Link

MITREへのリンク →

APT33

Score: 5.60

Matched TTPs:

T1203 - Exploitation for Client Execution
T1204.001 - Malicious Link
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

MITREへのリンク →

Windshift

Score: 3.13

Matched TTPs:

T1189 - Drive-by Compromise
T1204.001 - Malicious Link

MITREへのリンク →

Machete

Score: 3.13

Matched TTPs:

T1189 - Drive-by Compromise
T1204.001 - Malicious Link

MITREへのリンク →

FIN8

Score: 4.11

Matched TTPs:

T1204.001 - Malicious Link
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

MITREへのリンク →

Mofang

Score: 4.51

Matched TTPs:

T1204.001 - Malicious Link
T1027.015 - Compression

MITREへのリンク →

このPulseに関連する脅威アクター (推論ベース)

Gamaredon Group

Score: 0.80

Matched TTPs:

T1480 - Execution Guardrails
T1204.001 - Malicious Link
T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1027.004 - Compile After Delivery
T1055 - Process Injection
T1027.012 - LNK Icon Smuggling
T1027.015 - Compression
T1102.002 - Bidirectional Communication

MITREへのリンク →

APT28

Score: 0.70

Matched TTPs:

T1204.001 - Malicious Link
T1140 - Deobfuscate/Decode Files or Information
T1014 - Rootkit
T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise
T1102.002 - Bidirectional Communication
T1546.015 - Component Object Model Hijacking
T1137.002 - Office Test

MITREへのリンク →

Threat Group-3390

Score: 0.64

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1203 - Exploitation for Client Execution
T1189 - Drive-by Compromise
T1055.012 - Process Hollowing
T1027.015 - Compression
T1574.001 - DLL
T1608.002 - Upload Tool

MITREへのリンク →

Mustang Panda

Score: 0.63

Matched TTPs:

T1204.001 - Malicious Link
T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1203 - Exploitation for Client Execution
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
T1027.007 - Dynamic API Resolution
T1027.012 - LNK Icon Smuggling
T1574.001 - DLL

MITREへのリンク →

Lazarus Group

Score: 0.63

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1584.004 - Server
T1203 - Exploitation for Client Execution
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
T1027.007 - Dynamic API Resolution
T1574.001 - DLL
T1189 - Drive-by Compromise
T1102.002 - Bidirectional Communication

MITREへのリンク →

APT32

Score: 0.61

Matched TTPs:

T1204.001 - Malicious Link
T1608.001 - Upload Malware
T1203 - Exploitation for Client Execution
T1027.011 - Fileless Storage
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
T1055 - Process Injection
T1189 - Drive-by Compromise
T1574.001 - DLL

MITREへのリンク →

Turla

Score: 0.60

Matched TTPs:

T1204.001 - Malicious Link
T1140 - Deobfuscate/Decode Files or Information
T1584.004 - Server
T1027.011 - Fileless Storage
T1055 - Process Injection
T1189 - Drive-by Compromise
T1102.002 - Bidirectional Communication

MITREへのリンク →

OilRig

Score: 0.57

Matched TTPs:

T1137.004 - Outlook Home Page
T1204.001 - Malicious Link
T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1218.001 - Compiled HTML File
T1203 - Exploitation for Client Execution
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

MITREへのリンク →

Kimsuky

Score: 0.56

Matched TTPs:

T1204.001 - Malicious Link
T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1055 - Process Injection
T1027.012 - LNK Icon Smuggling
T1055.012 - Process Hollowing
T1102.002 - Bidirectional Communication

MITREへのリンク →

APT41

Score: 0.55

Matched TTPs:

T1069 - Permission Groups Discovery
T1014 - Rootkit
T1218.001 - Compiled HTML File
T1203 - Exploitation for Client Execution
T1055 - Process Injection
T1574.001 - DLL

MITREへのリンク →

Sandworm Team

Score: 0.55

Matched TTPs:

T1204.001 - Malicious Link
T1140 - Deobfuscate/Decode Files or Information
T1608.001 - Upload Malware
T1584.004 - Server
T1203 - Exploitation for Client Execution
T1592.002 - Software
T1102.002 - Bidirectional Communication

MITREへのリンク →

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクターグラフ

← Pulse一覧に戻る

Angler EK leads to fileless Gootkit

概要

Indicators

類似Pulses

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

Pulse – 脅威アクター グラフ

Pulse – 脅威アクターグラフ