Trusted Design

Tofsee – modular spambot

Summary

Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to perform other tasks as well. This is possible thanks to the modular design of the malware: it consists of the main binary (the one the user downloads and gets infected with), which later downloads several additional modules from the C2 server; these modules modify the bot's code by overwriting some of the called functions with their own. One example of what these modules do is spreading by posting click-bait messages on Facebook and VKontakte (a Russian social network). The bot communicates with the botmaster using a non-standard protocol built on top of TCP. The first message after the connection is established is always sent by the server; the most important thing it contains is a random 128-byte key used to encrypt further communication. It is therefore impossible to decode the communication unless one was listening from its very beginning.

Created: 2026-02-23

Indicators

Similar Pulses

Threat actors related to this Pulse (fact-based)

Sandworm Team

Score: 16.78
Matched TTPs:
  • T1132.001 - Standard Encoding
  • T1598.003 - Spearphishing Link
  • T1608.001 - Upload Malware
  • T1584.005 - Botnet
  • T1571 - Non-Standard Port
  • T1102.002 - Bidirectional Communication
  • T1071.001 - Web Protocols

Patchwork

Score: 9.80
Matched TTPs:
  • T1132.001 - Standard Encoding
  • T1598.003 - Spearphishing Link
  • T1189 - Drive-by Compromise
  • T1680 - Local Storage Discovery

APT42

Score: 12.28
Matched TTPs:
  • T1132.001 - Standard Encoding
  • T1608.001 - Upload Malware
  • T1070 - Indicator Removal
  • T1573.002 - Asymmetric Cryptography
  • T1071.001 - Web Protocols

BRONZE BUTLER

Score: 12.98
Matched TTPs:
  • T1132.001 - Standard Encoding
  • T1080 - Taint Shared Content
  • T1550.003 - Pass the Ticket
  • T1189 - Drive-by Compromise
  • T1071.001 - Web Protocols

TA551

Score: 6.68
Matched TTPs:
  • T1132.001 - Standard Encoding
  • T1218.010 - Regsvr32
  • T1071.001 - Web Protocols

Lazarus Group

Score: 45.43
Matched TTPs:
  • T1132.001 - Standard Encoding
  • T1560.003 - Archive via Custom Method
  • T1070 - Indicator Removal
  • T1036.004 - Masquerade Task or Service
  • T1574.013 - KernelCallbackTable
  • T1571 - Non-Standard Port
  • T1102.002 - Bidirectional Communication
  • T1189 - Drive-by Compromise
  • T1071.001 - Web Protocols
  • T1027.007 - Dynamic API Resolution
  • T1008 - Fallback Channels
  • T1680 - Local Storage Discovery
  • T1055.001 - Dynamic-link Library Injection
  • T1566.003 - Spearphishing via Service
  • T1090.001 - Internal Proxy
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

Tropic Trooper

Score: 12.44
Matched TTPs:
  • T1132.001 - Standard Encoding
  • T1573.002 - Asymmetric Cryptography
  • T1071.001 - Web Protocols
  • T1680 - Local Storage Discovery
  • T1055.001 - Dynamic-link Library Injection

MuddyWater

Score: 6.33
Matched TTPs:
  • T1132.001 - Standard Encoding
  • T1102.002 - Bidirectional Communication
  • T1071.001 - Web Protocols

APT19

Score: 8.45
Matched TTPs:
  • T1132.001 - Standard Encoding
  • T1218.010 - Regsvr32
  • T1189 - Drive-by Compromise
  • T1071.001 - Web Protocols

APT33

Score: 9.08
Matched TTPs:
  • T1132.001 - Standard Encoding
  • T1571 - Non-Standard Port
  • T1071.001 - Web Protocols
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

HAFNIUM

Score: 15.53
Matched TTPs:
  • T1132.001 - Standard Encoding
  • T1583.005 - Botnet
  • T1584.005 - Botnet
  • T1071.001 - Web Protocols
  • T1550.001 - Application Access Token

FIN6

Score: 13.26
Matched TTPs:
  • T1560.003 - Archive via Custom Method
  • T1036.004 - Masquerade Task or Service
  • T1573.002 - Asymmetric Cryptography
  • T1566.003 - Spearphishing via Service
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

CopyKittens

Score: 3.15
Matched TTPs:
  • T1560.003 - Archive via Custom Method

Mustang Panda

Score: 23.81
Matched TTPs:
  • T1560.003 - Archive via Custom Method
  • T1598.003 - Spearphishing Link
  • T1608.001 - Upload Malware
  • T1176.002 - IDE Extensions
  • T1070 - Indicator Removal
  • T1071.001 - Web Protocols
  • T1027.007 - Dynamic API Resolution
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

Kimsuky

Score: 29.19
Matched TTPs:
  • T1560.003 - Archive via Custom Method
  • T1598.003 - Spearphishing Link
  • T1608.001 - Upload Malware
  • T1071.003 - Mail Protocols
  • T1036.004 - Masquerade Task or Service
  • T1071.002 - File Transfer Protocols
  • T1218.010 - Regsvr32
  • T1102.002 - Bidirectional Communication
  • T1598 - Phishing for Information
  • T1071.001 - Web Protocols
  • T1680 - Local Storage Discovery

UNC3886

Score: 8.69
Matched TTPs:
  • T1560.003 - Archive via Custom Method
  • T1036.004 - Masquerade Task or Service
  • T1008 - Fallback Channels

Lotus Blossom

Score: 6.08
Matched TTPs:
  • T1560.003 - Archive via Custom Method
  • T1090.001 - Internal Proxy

Darkhotel

Score: 5.20
Matched TTPs:
  • T1080 - Taint Shared Content
  • T1189 - Drive-by Compromise

RedCurl

Score: 7.37
Matched TTPs:
  • T1080 - Taint Shared Content
  • T1573.002 - Asymmetric Cryptography
  • T1071.001 - Web Protocols

Gamaredon Group

Score: 20.07
Matched TTPs:
  • T1080 - Taint Shared Content
  • T1608.001 - Upload Malware
  • T1102.003 - One-Way Communication
  • T1001 - Data Obfuscation
  • T1571 - Non-Standard Port
  • T1102.002 - Bidirectional Communication
  • T1071.001 - Web Protocols

Cinnamon Tempest

Score: 3.44
Matched TTPs:
  • T1080 - Taint Shared Content

Sidewinder

Score: 7.27
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1598.002 - Spearphishing Attachment
  • T1071.001 - Web Protocols

Scattered Spider

Score: 10.03
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1598 - Phishing for Information
  • T1556.009 - Conditional Access Policies

ZIRCONIUM

Score: 10.39
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1036.004 - Masquerade Task or Service
  • T1102.002 - Bidirectional Communication
  • T1598 - Phishing for Information

APT32

Score: 24.50
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1608.001 - Upload Malware
  • T1071.003 - Mail Protocols
  • T1550.003 - Pass the Ticket
  • T1036.004 - Masquerade Task or Service
  • T1571 - Non-Standard Port
  • T1218.010 - Regsvr32
  • T1189 - Drive-by Compromise
  • T1071.001 - Web Protocols
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

Magic Hound

Score: 18.27
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1071 - Application Layer Protocol
  • T1036.004 - Masquerade Task or Service
  • T1571 - Non-Standard Port
  • T1102.002 - Bidirectional Communication
  • T1189 - Drive-by Compromise
  • T1071.001 - Web Protocols
  • T1566.003 - Spearphishing via Service

APT28

Score: 27.74
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1071.003 - Mail Protocols
  • T1102.002 - Bidirectional Communication
  • T1598 - Phishing for Information
  • T1189 - Drive-by Compromise
  • T1071.001 - Web Protocols
  • T1550.001 - Application Access Token
  • T1001.001 - Junk Data
  • T1669 - Wi-Fi Networks

Star Blizzard

Score: 8.05
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1608.001 - Upload Malware
  • T1598.002 - Spearphishing Attachment

Moonstone Sleet

Score: 11.58
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1608.001 - Upload Malware
  • T1598 - Phishing for Information
  • T1071.001 - Web Protocols
  • T1566.003 - Spearphishing via Service

CURIUM

Score: 6.75
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1189 - Drive-by Compromise
  • T1566.003 - Spearphishing via Service

Dragonfly

Score: 11.47
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1598.002 - Spearphishing Attachment
  • T1071.002 - File Transfer Protocols
  • T1189 - Drive-by Compromise

APT5

Score: 7.47
Matched TTPs:
  • T1583.005 - Botnet
  • T1070 - Indicator Removal

Ke3chang

Score: 5.03
Matched TTPs:
  • T1583.005 - Botnet
  • T1071.001 - Web Protocols

Rocke

Score: 7.03
Matched TTPs:
  • T1071 - Application Layer Protocol
  • T1571 - Non-Standard Port
  • T1071.001 - Web Protocols

INC Ransom

Score: 3.44
Matched TTPs:
  • T1071 - Application Layer Protocol

Velvet Ant

Score: 11.51
Matched TTPs:
  • T1071 - Application Layer Protocol
  • T1571 - Non-Standard Port
  • T1573.002 - Asymmetric Cryptography
  • T1090.001 - Internal Proxy

TeamTNT

Score: 9.43
Matched TTPs:
  • T1071 - Application Layer Protocol
  • T1608.001 - Upload Malware
  • T1071.001 - Web Protocols
  • T1680 - Local Storage Discovery

TA2541

Score: 4.72
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1573.002 - Asymmetric Cryptography

Earth Lusca

Score: 3.74
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1189 - Drive-by Compromise

LuminousMoth

Score: 3.16
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1071.001 - Web Protocols

Mustard Tempest

Score: 3.74
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1189 - Drive-by Compromise

OilRig

Score: 14.62
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1573.002 - Asymmetric Cryptography
  • T1071.001 - Web Protocols
  • T1008 - Fallback Channels
  • T1566.003 - Spearphishing via Service
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

Threat Group-3390

Score: 4.93
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1189 - Drive-by Compromise
  • T1071.001 - Web Protocols

SideCopy

Score: 5.59
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1598.002 - Spearphishing Attachment

TA505

Score: 6.09
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1071.001 - Web Protocols
  • T1055.001 - Dynamic-link Library Injection

BlackByte

Score: 3.16
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1071.001 - Web Protocols

BITTER

Score: 5.26
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1036.004 - Masquerade Task or Service
  • T1071.001 - Web Protocols

HEXANE

Score: 4.37
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1102.002 - Bidirectional Communication

Contagious Interview

Score: 17.46
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1071.003 - Mail Protocols
  • T1571 - Non-Standard Port
  • T1204.004 - Malicious Copy and Paste
  • T1566.003 - Spearphishing via Service
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

FIN7

Score: 12.30
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1036.004 - Masquerade Task or Service
  • T1571 - Non-Standard Port
  • T1102.002 - Bidirectional Communication
  • T1008 - Fallback Channels

EXOTIC LILY

Score: 4.50
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1566.003 - Spearphishing via Service

MoustachedBouncer

Score: 4.54
Matched TTPs:
  • T1659 - Content Injection

Turla

Score: 14.49
Matched TTPs:
  • T1071.003 - Mail Protocols
  • T1102.002 - Bidirectional Communication
  • T1189 - Drive-by Compromise
  • T1071.001 - Web Protocols
  • T1055.001 - Dynamic-link Library Injection
  • T1090.001 - Internal Proxy

SilverTerrier

Score: 8.09
Matched TTPs:
  • T1071.003 - Mail Protocols
  • T1071.002 - File Transfer Protocols
  • T1071.001 - Web Protocols

APT29

Score: 6.37
Matched TTPs:
  • T1550.003 - Pass the Ticket
  • T1566.003 - Spearphishing via Service

Carbanak

Score: 4.49
Matched TTPs:
  • T1036.004 - Masquerade Task or Service
  • T1102.002 - Bidirectional Communication

FIN13

Score: 6.21
Matched TTPs:
  • T1036.004 - Masquerade Task or Service
  • T1071.001 - Web Protocols
  • T1090.001 - Internal Proxy

APT-C-36

Score: 4.49
Matched TTPs:
  • T1036.004 - Masquerade Task or Service
  • T1571 - Non-Standard Port

Winter Vivern

Score: 5.05
Matched TTPs:
  • T1036.004 - Masquerade Task or Service
  • T1189 - Drive-by Compromise
  • T1071.001 - Web Protocols

Wizard Spider

Score: 8.96
Matched TTPs:
  • T1036.004 - Masquerade Task or Service
  • T1071.001 - Web Protocols
  • T1055.001 - Dynamic-link Library Injection
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

PROMETHIUM

Score: 3.86
Matched TTPs:
  • T1036.004 - Masquerade Task or Service
  • T1189 - Drive-by Compromise

Higaisa

Score: 9.05
Matched TTPs:
  • T1036.004 - Masquerade Task or Service
  • T1071.001 - Web Protocols
  • T1680 - Local Storage Discovery
  • T1090.001 - Internal Proxy

Storm-0501

Score: 8.97
Matched TTPs:
  • T1036.004 - Masquerade Task or Service
  • T1218.010 - Regsvr32
  • T1556.009 - Conditional Access Policies

BackdoorDiplomacy

Score: 5.02
Matched TTPs:
  • T1036.004 - Masquerade Task or Service
  • T1055.001 - Dynamic-link Library Injection

APT41

Score: 10.34
Matched TTPs:
  • T1036.004 - Masquerade Task or Service
  • T1071.002 - File Transfer Protocols
  • T1071.001 - Web Protocols
  • T1008 - Fallback Channels

Axiom

Score: 9.93
Matched TTPs:
  • T1584.005 - Botnet
  • T1189 - Drive-by Compromise
  • T1001.002 - Steganography

Volt Typhoon

Score: 9.38
Matched TTPs:
  • T1584.005 - Botnet
  • T1680 - Local Storage Discovery
  • T1090.001 - Internal Proxy

Leviathan

Score: 11.57
Matched TTPs:
  • T1102.003 - One-Way Communication
  • T1218.010 - Regsvr32
  • T1189 - Drive-by Compromise
  • T1055.001 - Dynamic-link Library Injection

WIRTE

Score: 6.33
Matched TTPs:
  • T1571 - Non-Standard Port
  • T1218.010 - Regsvr32
  • T1071.001 - Web Protocols

RedEcho

Score: 6.33
Matched TTPs:
  • T1571 - Non-Standard Port
  • T1573.002 - Asymmetric Cryptography
  • T1071.001 - Web Protocols

Cobalt Group

Score: 6.68
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1573.002 - Asymmetric Cryptography
  • T1071.001 - Web Protocols

Inception

Score: 3.93
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1071.001 - Web Protocols

APT37

Score: 5.35
Matched TTPs:
  • T1102.002 - Bidirectional Communication
  • T1189 - Drive-by Compromise
  • T1071.001 - Web Protocols

APT39

Score: 6.51
Matched TTPs:
  • T1102.002 - Bidirectional Communication
  • T1071.001 - Web Protocols
  • T1090.001 - Internal Proxy

Medusa Group

Score: 3.93
Matched TTPs:
  • T1573.002 - Asymmetric Cryptography
  • T1071.001 - Web Protocols

FIN8

Score: 6.68
Matched TTPs:
  • T1573.002 - Asymmetric Cryptography
  • T1071.001 - Web Protocols
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

PLATINUM

Score: 6.30
Matched TTPs:
  • T1189 - Drive-by Compromise
  • T1056.004 - Credential API Hooking

Windshift

Score: 5.48
Matched TTPs:
  • T1189 - Drive-by Compromise
  • T1071.001 - Web Protocols
  • T1566.003 - Spearphishing via Service

Dark Caracal

Score: 5.48
Matched TTPs:
  • T1189 - Drive-by Compromise
  • T1071.001 - Web Protocols
  • T1566.003 - Spearphishing via Service

Chimera

Score: 4.02
Matched TTPs:
  • T1071.001 - Web Protocols
  • T1680 - Local Storage Discovery

Confucius

Score: 4.02
Matched TTPs:
  • T1071.001 - Web Protocols
  • T1680 - Local Storage Discovery

Equation

Score: 4.13
Matched TTPs:
  • T1564.005 - Hidden File System

Strider

Score: 7.06
Matched TTPs:
  • T1564.005 - Hidden File System
  • T1090.001 - Internal Proxy

ToddyCat

Score: 5.36
Matched TTPs:
  • T1680 - Local Storage Discovery
  • T1566.003 - Spearphishing via Service

Threat actors related to this Pulse (inference-based)

Lazarus Group

Score: 0.77
Matched TTPs:
  • T1132.001 - Standard Encoding
  • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
  • T1566.003 - Spearphishing via Service
  • T1036.004 - Masquerade Task or Service
  • T1574.013 - KernelCallbackTable
  • T1189 - Drive-by Compromise
  • T1090.001 - Internal Proxy
  • T1008 - Fallback Channels
  • T1560.003 - Archive via Custom Method
  • T1571 - Non-Standard Port
  • T1027.007 - Dynamic API Resolution
  • T1680 - Local Storage Discovery
  • T1055.001 - Dynamic-link Library Injection
  • T1070 - Indicator Removal
  • T1102.002 - Bidirectional Communication
  • T1071.001 - Web Protocols

Related CVEs

No CVEs were found in this Pulse.
