HackForLab Weekly Threat Advisory · Jul 6-12 2026 · seismic topo intelligence briefing cover · SITREP 026·28 · 2,504 records · 2,433 unique IOCs · 1,958 high-severity · 124 clusters · HASH beats IP · 5 headline cards: Akira surge 292 IOCs, HASH beats IP, BianLian full pivot, UAT-7810 APT port fingerprint 2222/8088/99, Multi-stage LNK JavaScript-runtime backdoor · 19 ransomware families active including Akira BianLian Anubis GodDamn BlackNevas Beast Clop BlackSuit

Weekly Threat Advisory: Ransomware Week — 19 Families, Akira Surge, HASH Beats IP (Jul 6 – 12, 2026)

● SITREP 026·28 · RANSOMWARE TEMPO SEVERE · July 6 – 12, 2026

Ransomware week. 19 families active in parallel, 559 catalogued IOCs, and the largest single-cluster footprint year-to-date — Akira at 292 IOCs. HASH beat IP for the first time in this catalogue’s history: 1,209 hashes vs 603 IPs, driven by the ransomware payload-rotation surge. A distinctive APT infrastructure signature emerged (UAT-7810: port trio 2222 / 8088 / 99 shared across three IPs). A novel loader pattern showed up at scale (multi-stage LNK + JavaScript-runtime backdoor, 135 IOCs). And macOS finally got its own ClickFix variant. If your SOC saw a busier alert queue this week, that is why.

Sectioned for the working analyst: cluster catalogue, deep-dives on the high-tempo names, ATT&CK technique mapping per adversary, subnet anchors + port-pattern signatures for cheap perimeter blocking, top 15 IOCs per indicator type, four production-ready Sigma rules, 60-minute operationalisation plan. Vendor-neutral. Operator-grade. Archive of prior advisories.

OPERATOR-GRADE INTELLIGENCE → ONE QUERY AWAY

HuntIntel ships every IOC behind this advisory with provenance, confidence score, ATT&CK technique, and adversary cluster pre-mapped — queryable in the operator console, exportable to your SIEM in seconds. Stop reading PDFs. Start querying the catalogue.

Open HuntIntel →

01 · This week in numbers

Two-and-a-half thousand records this cycle, and 78 percent of them are HIGH severity. The catalogue produced 2,433 unique IOCs across 124 adversary clusters — a busy week by any measure and the most diverse cluster count observed year-to-date. The composition story matters more than the topline: HASH indicators outpaced IP indicators for the first time, driven almost entirely by the ransomware payload-rotation surge (Akira alone contributed 292 hashes, RedWing 111, Multi-Stage LNK backdoor 135).

// SITREP 026·28 · July 6 – 12, 2026
2,504
Records
2,433
Unique IOCs
1,958
High-sev (78%)
124
Clusters
19
Ransomware families
10
Named APTs

Catalogued, ML-scored, ATT&CK-tagged. Refreshed continuously across open-source, sandbox, TLS, DNS, and honeynet plane sources. Every record carries adversary attribution, technique tag, severity, and confidence.

02 · Five headlines — what defined this week

If you read nothing else, read these five.

Headline 01 · Ransomware week — 19 families active in parallel

Nineteen named ransomware families surfaced with fresh operational indicators this cycle. Combined footprint: 559 IOCs in the Ransomware-as-a-Service category — the largest single-category concentration observed this year. Beyond the top-line names (Akira, BianLian, Anubis, GodDamn, BlackNevas, Beast, Clop, BlackSuit), fifteen additional families surfaced with 5+ IOCs each. The technique overlap is striking: every ransomware cluster this week carries the T1486 → T1490 chain (encrypt-for-impact + inhibit recovery). Detection content that fires on that pair catches every operator regardless of family. If you deploy nothing else this week, deploy the volume-shadow-copy deletion detector.

Headline 02 · Akira surged to 292 IOCs — largest single-cluster footprint YTD

Akira produced 292 unique indicators in seven days — the largest single-cluster footprint recorded in this catalogue year-to-date. The distribution skews entirely toward HASH + OTHERS (leak-site artefacts, victim-list identifiers), reflecting active payload rotation and active data-leak-site publication. The TTP chain: T1078 valid-account access, T1133 external remote services, T1021.001 remote-desktop lateral movement, T1047 WMI execution, T1560 archive collected data, T1041 exfil over C2, then T1486 encryption for impact and T1490 inhibit recovery. Push every hash to endpoint quarantine and every OTHERS artefact (victim-slug patterns) to your data-leak-site monitor.

Headline 03 · HASH beat IP for the first time in catalogue history

For the first time since this catalogue began publishing, HASH indicator volume beat IP indicator volume: 1,209 hashes vs 603 IPs (35 percent vs 22 percent of the catalogue). The inversion is entirely attributable to ransomware payload rotation and the multi-stage-loader family activity. What it tells the SOC: signature-based endpoint detection had a busier week than perimeter-based network detection. If your EDR content pipeline is slower than your firewall content pipeline, the ratio inversion this week is a leading indicator that you should invest more in the endpoint layer.

Headline 04 · UAT-7810 APT signature — port trio 2222 / 8088 / 99 shared across three IPs

The UAT-7810 APT cluster contributed 89 IOCs across HASH + IP + URL with a distinctive infrastructure signature: the three catalogued IPs (194.233.92.26, 217.15.160.247, 217.15.164.147) each expose the same trio of ports — 2222, 8088, 99 — serving what appears to be the same C2 stack across all three anchors. The port trio is the fingerprint. Any host serving that specific combination on those specific ports is candidate operator infrastructure regardless of whether the catalogued IPs are still active. Sigma rule 04 below fires on the port-pattern signature.

Headline 05 · Novel loader + macOS technique surface + supply-chain campaign

Three notable emerging patterns worth flagging:

  • Multi-Stage LNK + JavaScript-runtime backdoor — 135 IOCs across DOMAIN + HASH. Novel loader technique using an LNK dropper to spawn a JavaScript-runtime process that pulls and executes second-stage payload. Defenders without instrumentation on the JS-runtime interpreter (node.exe equivalents) miss the execution chain entirely.
  • macOS ClickFix — 18 IOCs across DOMAIN + URL. First observation of the ClickFix technique targeting macOS in this catalogue. Users get a fake-instruction lure and paste attacker-controlled shell commands into their terminal.
  • Coordinated package-registry supply-chain campaign — 57 IOCs across HASH + URL. Two public package registries hit in coordinated fashion. Install-time command-interpreter execution + obfuscated payload + data-encoded exfil.

03 · Indicator type, severity, and category mix

The composition story of the week. HASH volume tops IP for the first time — 49.7 percent vs 24.8 percent. Ransomware category leads the category mix at 23 percent, followed closely by Malware-Activity (520 IOCs, 21 percent) and Cryptomining (248, 10 percent). APT is at 202 (8 percent) — a heavy APT week too.

By indicator type

Type Observations Share %
File hashes 1,209
49.69%
IPs 603
24.78%
Domains 343
14.10%
URLs 180
7.40%
Emails 62
2.55%
Other artefacts 36
1.48%

By severity

Severity Observations Share %
High 1,958
80.21%
Medium 408
16.71%
Low 75
3.07%

By category

Category Observations Share %
Ransomware-as-a-service 559
22.83%
Malware-Activity 520
21.23%
Cryptomining 248
10.13%
APT 202
8.25%
RAT 195
7.96%
Phishing 147
6.00%
C&C 146
5.96%
Backdoor 145
5.92%
Botnet 142
5.80%
C&C Server 110
4.49%
Spyware 14
0.57%
Vulnerability 10
0.41%
Supply Chain 6
0.24%
Payload Delivery 2
0.08%
Malicious Infrastructure 2
0.08%
Hacktivist Group 1
0.04%

Reading the mix. Ransomware leads the categories with 23 percent share — the highest concentration observed this year. Combined with the HASH-over-IP inversion, this week is a payload-week: your EDR and file-scanning content is doing the heavy lifting, your perimeter blocks are catching relatively less.

04 · Top adversary clusters by indicator footprint

Akira leads at 292 IOCs. RuRAT (cryptomining) at 244. Open-framework infrastructure entries in grey to preserve visual clarity of the campaign-attributed clusters. BianLian ransomware sits at 145 IOCs across all four primary IOC types — the full-pivot signature.

# Adversary cluster Relative footprint Unique IOCs Severity
01 Akira

Ransomware · HASH, OTHERS
292 HIGH
02 RuRAT

Malware Campaign · DOMAIN, HASH
244 HIGH
03 Commodity C2 framework A (framework infra)

C2 · IP
146 MEDIUM
04 BianLian

Ransomware · EMAIL, HASH, IP, OTHERS
145 HIGH
05 Multi-Stage LNK + JavaScript-runtime backdoor

Malware Campaign · DOMAIN, HASH
135 HIGH
06 Vidar

Malware (Stealer) · DOMAIN, HASH, IP, URL
117 HIGH
07 RedWing

Malware · DOMAIN, HASH, URL
111 HIGH
08 UAT-7810

Threat Actor (APT) · HASH, IP, URL
89 HIGH
09 ClickFix

Malware Campaign · DOMAIN, HASH, IP, URL
61 HIGH
10 Coordinated package-registry supply-chain campaign

Malware Campaign · HASH, URL
57 HIGH
11 Open remote-management framework

C2 · IP
51 MEDIUM
12 Millenium RAT v4

Malware (RAT) · HASH, URL
50 HIGH
13 GoodPersonRAT

Malware (RAT) · DOMAIN, HASH, IP
45 HIGH
14 Open exploitation framework

C2 · IP
38 MEDIUM
15 DPRK cluster

Threat Actor (APT) · DOMAIN, EMAIL, HASH, IP, URL
37 HIGH
16 Dcrat

C2 (RAT) · DOMAIN, HASH, IP, URL
37 MEDIUM
17 SCMBANKER

Malware · DOMAIN, HASH, IP
36 HIGH
18 GodDamn

Ransomware · HASH
36 HIGH
19 Fake Interview Phishing Campaign

Phishing Campaign · DOMAIN
32 LOW
20 PlugX

Malware · HASH, IP, URL
31 HIGH
21 Lazarus

Threat Actor (APT) · DOMAIN, URL
30 HIGH
22 BlackNevas

Ransomware · HASH
27 HIGH
23 Fake payment-service impersonation campaign

Malware Campaign · HASH, URL
26 HIGH
24 Anubis

Ransomware · HASH, OTHERS
26 HIGH
25 AsyncRAT

Malware (RAT) · DOMAIN, HASH, IP, URL
21 HIGH
26 Cavern Manticore

Threat Actor (APT) · DOMAIN, HASH, URL
20 HIGH
27 Fake tax-return phishing campaign

Malware Campaign · DOMAIN, HASH, IP
18 HIGH
28 macOS ClickFix Campaign

Malware Campaign · DOMAIN, URL
18 HIGH
29 Remcos

Malware (RAT) · IP
16 HIGH
30 Beast

Ransomware · EMAIL, HASH, OTHERS
15 HIGH
31 EtherRAT

Malware (RAT) · DOMAIN, EMAIL, HASH, URL
15 HIGH
32 Open C2 framework B (labelled AdaptixC2 upstream)

C2 · IP
14 MEDIUM
33 Tsundere botnet

C2 · IP
13 MEDIUM
34 Fake remote-desktop tool phishing

Phishing Campaign · DOMAIN, HASH, IP
13 LOW
35 MODBEACON

Malware · DOMAIN, HASH, IP
11 HIGH
36 Forg365

Phishing Kit · DOMAIN, IP, URL
11 MEDIUM

How to read this. Pay disproportionate attention to clusters that span three or more IOC types — that breadth is a full-kill-chain signal. This week’s full-four-type footprints: BianLian (5 types actually with EMAIL+HASH+IP+OTHERS), Vidar, Dcrat, AsyncRAT, ClickFix, EtherRAT. The DPRK cluster spans five IOC types (DOMAIN + EMAIL + HASH + IP + URL) — the broadest single-cluster IOC-type spread this cycle.


05 · Cluster deep-dives — the names to act on

05.1 · Akira — 292 IOCs, largest single-cluster footprint YTD

Every ransomware kill-chain signature is present: valid-account initial access, external remote services, remote-desktop lateral movement, WMI execution, archive-then-exfil, and finally encrypt-for-impact + inhibit-recovery. The 292 catalogued indicators lean heavily toward HASH (payload rotation) and OTHERS (leak-site artefacts, victim identifiers). The operator is actively publishing to their leak site this week — watch the data-leak-site infrastructure indicators alongside the operational indicators.

Defensive actions: Push all catalogued hashes to endpoint scan-and-quarantine. Deploy the volume-shadow-copy deletion detector (vssadmin delete shadows is the canonical signal). Hunt for the kill-chain sequence valid-account login from an unusual source → remote-desktop or WMI execution → large outbound transfer to non-corporate destination. If your organisation is exposed to double-extortion operators, subscribe to the leak-site infrastructure watch.

05.2 · BianLian — full multi-pivot ransomware kill chain

145 IOCs across EMAIL + HASH + IP + OTHERS with two subnet anchors (151.236.16.0/24 and 172.96.137.0/24). The email indicators are victim-contact channels the operator uses for ransom negotiation. The IP indicators concentrate heavily in the 104.168.x, 104.200.x, and 104.225.x ranges — treat those provider blocks as candidates for expanded blocking. TTP profile is one of the broadest in the catalogue: 30+ ATT&CK techniques observed.

Defensive actions: Block both /24 anchors at the perimeter. Push the 145 hashes to endpoint scan. Watch for the credential-dumping-to-encrypt sequence: lsass.exe access → remote-desktop / SMB lateral move → volume-shadow-copy deletion.

05.3 · UAT-7810 APT — port-trio infrastructure fingerprint

The signature of the week. 89 IOCs across HASH + IP + URL. Three catalogued IP anchors — 194.233.92.26, 217.15.160.247, 217.15.164.147 — each serving the same trio of ports: 2222 (typically SSH-alternate), 8088, and 99. The trio is not a coincidence — it is the operator’s deployed C2-stack configuration. Any other host on the internet serving that exact port trio is candidate operator infrastructure regardless of whether it appears in this week’s catalogue.

Defensive actions: Block all three catalogued anchor IPs. Hunt for outbound traffic on the port trio to any destination outside your engineering allowlist — Sigma rule 04 below implements this. If you have JARM or JA4 fingerprinting on your egress, cluster the C2 stack signature and hunt for lookalikes across your telemetry.

05.4 · DPRK cluster — broadest 5-type IOC-type spread this week

37 IOCs across DOMAIN + EMAIL + HASH + IP + URL — the broadest indicator-type spread from any single cluster this week. The cluster maintains multi-layered infrastructure: acquired domains for recruitment lures, phishing email addresses, second-stage payload hashes, C2 IPs, and staging URLs. The operational implication: an ecosystem intrusion, not a single-lure campaign.

Defensive actions: All 37 catalogued indicators to blocking / watchlist by tier. Watch for the recruitment-lure phishing pattern (Lazaruscameradriverupdates.compaxos-apply.com-style domain naming) targeting developers, cryptocurrency-exchange staff, and defense-adjacent research organisations. Hunt for outbound to 144.172.110.53 across the last 60 days.

05.5 · PlugX — two subnet anchors, classic APT loader signature

31 IOCs across HASH + IP + URL with two subnet anchors: 172.111.233.0/24 (5 IPs concentrated) and 172.94.9.0/24 (3 IPs). The 172.111.233.0/24 anchor is the week’s largest APT-malware infrastructure concentration. Treat both /24 blocks as suspect — the operator is likely to rotate into unlisted addresses within the same blocks.

Defensive actions: Perimeter-block both /24 subnets. Push all hashes to endpoint scan. Hunt for the classic PlugX loader chain — DLL side-loading with signed binary + malicious sideload DLL + payload file.

05.6 · Multi-Stage LNK + JavaScript-runtime backdoor — novel loader technique

135 IOCs across DOMAIN + HASH. The technique: an LNK shortcut file drops and executes a JavaScript-runtime process (Windows JScript engine, server-side JavaScript runtime, or equivalent) that fetches and executes a second-stage payload from an operator-controlled domain. The technique defeats detection content that only inspects powershell.exe and cmd.exe as the loader — the JS runtime is the executor here.

Defensive actions: Instrument the JavaScript-runtime process as a suspicious loader in your endpoint content. Watch for node.exe, wscript.exe, and cscript.exe spawned from an LNK-file execution context. Hunt for parent-process = explorer.exe + child-process = JS runtime + outbound to any of the 135 catalogued domain / hash indicators.

05.7 · Coordinated package-registry supply-chain campaign

57 IOCs across HASH + URL. Two public package registries hit in coordinated fashion — the coordination itself is the signal, suggesting an operator with development pipeline access or automated typosquat publishing capability. Post-install command-interpreter execution + obfuscated payload + data-encoded exfil.

Defensive actions: Package allow-listing in CI build agents. Outbound-domain monitoring from build runners. Publisher-identity verification on the package registries used. Hunt for install-time process trees where a package installer spawns a shell that pulls from an unfamiliar domain.

05.8 · macOS ClickFix Campaign — first observation of macOS variant

18 IOCs across DOMAIN + URL. The first observation of the ClickFix social-engineering technique adapted for macOS. Users encounter a fake-instruction lure (“your Mac is missing X, run this command to fix it”) and paste attacker-controlled shell commands into their terminal. The technique is a pure social-engineering flow — no exploitation involved. User awareness is the primary defence.

Defensive actions: Update user-awareness content to include macOS-specific ClickFix lures. Block the 18 catalogued endpoints at the DNS resolver. Deploy endpoint content that flags terminal execution of curl-piped-to-shell or bash-piped commands from clipboard sources.

05.9 · RuRAT — 244 IOCs, cryptocurrency-wallet theme campaign

The domain layer shows deliberate theming — every catalogued domain adjacent to cryptocurrency-wallet names (anchorwallet[.]org, aptwallet[.]org, arkwallet[.]org, and similar). The victim-targeting profile is cryptocurrency users. The category tag is Cryptomining but the operational profile combines wallet-drainer and mining components.

Defensive actions: Block the 244 catalogued domains and hashes. Deploy regex-based DNS filtering for the *-wallet.* / *wallet-update.* patterns to catch operator rotation.

06 · ATT&CK mapping per named cluster

Per-cluster technique mapping with operational narrative. Detection content that fires on these techniques catches the cluster even after IOC rotation.

Cluster ATT&CK techniques observed Operational narrative
Akira (Ransomware) T1486 · T1490 · T1078 · T1133 · T1021.001 · T1047 · T1560 · T1041 Full ransomware kill chain: encrypt-for-impact, inhibit recovery, valid-account initial access, external remote services, remote-desktop lateral movement, archive-then-exfil. 292 IOCs across HASH + OTHERS makes this the week’s largest single-cluster footprint YTD.
BianLian (Ransomware) T1078 · T1133 · T1190 · T1059 · T1021.001 · T1547.001 · T1543.003 · T1105 · T1562.001 · T1070.001 · T1003.001 · T1486 · T1490 · T1567 · T1041 Extensive TTP profile — valid accounts, external remote services, public-app exploit, command interpreter, remote desktop, registry-run + service persistence, defence disabling, credential dumping, encryption for impact, recovery inhibition, exfil to web service. 145 IOCs across EMAIL + HASH + IP + OTHERS with two subnet anchors.
UAT-7810 (APT) T1071 · T1071.001 · T1105 · T1041 · T1568 Distinctive infrastructure signature — port trio 2222/8088/99 served across three IPs. Web-protocol C2 + second-stage tool transfer + exfil over C2 with dynamic resolution. 89 IOCs across HASH + IP + URL.
DPRK cluster T1190 · T1105 · T1041 · T1082 Full 5-type indicator footprint (DOMAIN + EMAIL + HASH + IP + URL) — the broadest single-cluster IOC-type spread this week. Public-app exploit + ingress tool transfer + exfil over C2 + system info discovery.
Lazarus (APT sub-cluster) T1059 · T1105 · T1041 · T1021 Continuing from prior weeks. 30 IOCs across DOMAIN + URL. Command-interpreter + second-stage pull + exfil + remote services.
PlugX (Malware) T1071.001 · T1105 · T1041 · T1547.001 · T1055 Classic APT-loader family. Two subnet anchors (172.111.233.0/24 and 172.94.9.0/24 with 3 IPs each). Web-protocol C2 + second-stage transfer + exfil + registry persistence + process injection.
MustangPanda (APT) T1059 · T1204 · T1105 Compact TTP profile. Command-interpreter driven by user-execution + second-stage payload pull. IP anchor at 103.247.19.204.
MuddyWater (APT) T1566 · T1059 · T1071 · T1105 · T1041 Phishing initial access + command-interpreter + web-protocol C2 + ingress tool transfer + exfil.
Cavern Manticore (APT) T1583.001 · T1566 · T1071 · T1105 · T1027 Acquired-domain infrastructure (adserviceupdate[.]com pattern) + phishing + web-protocol C2 + obfuscation. 20 IOCs across DOMAIN + HASH + URL.
AsyncRAT (RAT) T1566.001 · T1204 · T1105 · T1071.001 · T1041 · T1547.001 Spearphish-attachment → user-execution → ingress tool → web-protocol C2 → exfil → registry persistence. Full four-type footprint.
ClickFix (Malware Campaign) T1566 · T1204 · T1059 · T1105 Fake-instruction lure tricks the visitor into pasting attacker-controlled command into their own command interpreter. 61 IOCs across all four primary IOC types.
macOS ClickFix Campaign T1204 · T1059.004 · T1105 · T1071 First observation of ClickFix technique targeting macOS in this catalogue. User-execution + Unix shell + second-stage pull + web-protocol C2. 18 IOCs across DOMAIN + URL.
Multi-Stage LNK + JS-runtime backdoor T1204.002 · T1059.005 · T1059.007 · T1105 · T1027 · T1543 Novel loader pattern — LNK dropper triggers a JavaScript-runtime process to fetch and execute a second-stage payload. Defenders without instrumentation on the JS-runtime interpreter miss the execution chain. 135 IOCs across DOMAIN + HASH.
Coordinated package-registry supply chain T1195.001 · T1059 · T1027 · T1132 · T1219 Two public package registries hit in coordinated fashion. Command-interpreter execution at install-time, obfuscated payload, data encoding for exfil, remote-access tooling. 57 IOCs across HASH + URL.

Detection-engineering takeaway. Every ransomware cluster this week carries the T1486 → T1490 chain (encrypt-for-impact + inhibit recovery). A single detector fired on volume-shadow-copy deletion (vssadmin delete shadows, WMI shadow-copy deletion, PowerShell Remove-Cim methods) catches every catalogued ransomware family regardless of variant. If you deploy nothing else this week, deploy that one detector.

07 · ATT&CK tactic-pressure roll-up

Aggregation of technique tags rolled up to the parent tactic. Impact tactics lead this week (ransomware); Discovery is elevated (ransomware pre-encrypt reconnaissance).

Tactic Top techniques observed What the pressure means IOC count
Impact T1486 · T1490 · T1489 · T1485 · T1531 Data encryption for impact (present in every ransomware cluster), recovery inhibition, service stop, data destruction, account access removal 617
Initial Access T1078 · T1133 · T1190 · T1566 · T1195.001 Valid-account abuse, external remote services, public-app exploit, phishing, supply-chain via package registry 434
Execution T1059 · T1059.001 · T1059.003 · T1059.005 · T1204 · T1047 Command-interpreter (PowerShell / CMD / Visual Basic), user-execution, WMI 372
Command and Control T1071 · T1071.001 · T1105 · T1102 · T1568 · T1573.002 · T1090 Web-protocol C2, ingress tool transfer, web-service abuse, dynamic resolution, asymmetric crypto, proxy 328
Persistence T1547.001 · T1543.003 · T1053.005 Registry-run keys, Windows service creation, scheduled tasks 189
Defense Evasion T1027 · T1027.002 · T1112 · T1070 · T1070.001 · T1562.001 · T1218 · T1036 Obfuscation, indicator removal on host, disable security tools, masquerading 267
Credential Access T1003 · T1003.001 · T1555 · T1110 OS credential dumping (including LSASS), password store theft, brute force 156
Discovery T1082 · T1057 · T1083 · T1087 · T1016 · T1046 · T1018 · T1033 · T1135 System info + process + file + account + network configuration + share + system-owner discovery 234
Lateral Movement T1021 · T1021.001 · T1021.002 · T1570 Remote-desktop, SMB / Admin shares, lateral tool transfer 141
Collection T1560 · T1560.001 · T1005 · T1056.001 · T1113 Archive collected data (native + tool-based), local data, keylogging, screen capture 87
Exfiltration T1041 · T1567 · T1020 · T1537 Exfil over C2 channel, exfil to operator-controlled web service, automated exfil, transfer to cloud account 219
Reconnaissance T1190 · T1595 Public-app scanning and exploit 42

08 · Subnet anchors and port-pattern signatures

Subnet anchors (/24 blocks with 3+ concentrated IPs)

Subnet (/24) IPs Adversary cluster Note
172.111.233.0/24 5 PlugX The week’s largest APT-malware subnet anchor. Treat the entire /24 as suspect.
91.92.43.0/24 4 Tsundere botnet Botnet C2 concentration
151.236.16.0/24 3 BianLian Ransomware operator infrastructure anchor
172.96.137.0/24 3 BianLian Second BianLian anchor — hedged hosting tenants
172.94.9.0/24 3 PlugX Second PlugX anchor
45.74.7.0/24 3 Remcos Commodity-RAT C2 concentration
77.92.95.0/24 3 Open exploitation framework Framework listener farm

Port-pattern signature — UAT-7810 APT

Signature: Three catalogued IPs each expose the same port trio — 2222, 8088, 99.

Anchors: 194.233.92.26, 217.15.160.247, 217.15.164.147.

Detection value: Any host serving that exact combination is candidate operator infrastructure — regardless of whether the IP is in this week’s catalogue. Sigma rule 04 below implements the port-trio signature detection.

Combined with the fact that all three catalogued anchors serve identical C2 stacks, the port trio is a stable operator fingerprint. Rotation into new IPs preserves the port choice.

The asymmetric block. Block the three UAT-7810 anchor IPs at the perimeter now (cost: zero). Deploy the port-trio Sigma rule to catch rotation. Total operator cost to defeat: they must reconfigure their C2 stack to a different port pattern — expensive across three IPs.

09 · Top 15 IOCs per indicator type

Operator-grade extractions. All indicators are defanged (re-fang on import: replace [.] with . and hxxp with http).

Top 15 · IP addresses (High severity)

# Indicator Adversary Category Severity
01 103.125.217.129 BianLian Ransomware HIGH
02 103.217.253.29 ClickFix Phishing HIGH
03 103.247.19.204 MustangPanda APT HIGH
04 103.30.77.80 BianLian Ransomware HIGH
05 103.97.131.179 Fake tax-assessment campaign Malware HIGH
06 104.168.140.238 BianLian Ransomware HIGH
07 104.168.151.112 BianLian Ransomware HIGH
08 104.200.67.252 BianLian Ransomware HIGH
09 104.200.72.146 BianLian Ransomware HIGH
10 104.200.72.15 BianLian Ransomware HIGH
11 104.200.73.216 BianLian Ransomware HIGH
12 104.225.129.101 BianLian Ransomware HIGH
13 104.225.129.141 BianLian Ransomware HIGH
14 194.233.92.26 UAT-7810 (APT) APT HIGH
15 217.15.160.247 UAT-7810 (APT) APT HIGH

Top 15 · Domains (High severity)

# Indicator Adversary Category Severity
01 3w[.]jxuw3[.]com The SilverFox (APT) APT HIGH
02 52facc3b24f8bad9c5c56819e385f3a1[.]testewin[.]com Banana RAT RAT HIGH
03 Lazaruscameradriverupdates[.]compaxos-apply[.]com Lazarus (APT) APT HIGH
04 Quima[.]org QuimaRAT RAT HIGH
05 a1673dscrakamay[.]com RuRAT Cryptomining HIGH
06 aboutbookphoto[.]pro Multi-Stage LNK JS-runtime Backdoor HIGH
07 adserviceupdate[.]com Cavern Manticore (APT) APT HIGH
08 anchorupdate[.]com RuRAT Cryptomining HIGH
09 anchorv2[.]info RuRAT Cryptomining HIGH
10 anchorwallet[.]org RuRAT Cryptomining HIGH
11 ancupdate[.]top RuRAT Cryptomining HIGH
12 api-sync-service.mdkd1184.workers[.]dev RedWing Malware HIGH
13 aptwallet[.]org RuRAT Cryptomining HIGH
14 arkupdate[.]com RuRAT Cryptomining HIGH
15 arkwallet[.]org RuRAT Cryptomining HIGH

Top 15 · File hashes (High severity)

# Indicator Adversary Category Severity
01 000fad96a85dd6933c22d3dbec9aed47b7f1f066 PlugX Malware HIGH
02 005c650353052ace090b2a56c2d0023b Akira (Ransomware) Ransomware HIGH
03 013642fa369e3f4686339f4de1f7e331bef2c5ece9f1682bc18c02c2f344e797 RedWing Malware HIGH
04 0172d3b9f79c9f91907ba085d3840818a2571c004668db28209a324f5bd463d9 RuRAT Cryptomining HIGH
05 01acbba573f577f19d156111af07fdbd0c08b51e8403a6fdc103f286d32d00fb RedWing Malware HIGH
06 01feb8f50b5195328f27195b0e4d82da Akira (Ransomware) Ransomware HIGH
07 0225c25e9e7462a80ec157c76e2479487c8508bd Multi-Stage LNK JS-runtime Backdoor HIGH
08 0248bf2afb70642288646760bb25a38d Akira (Ransomware) Ransomware HIGH
09 025d3b9b2536394a3e2dfd950f4a4caa53cc05002e990199372ead2e709ae738 RedWing Malware HIGH
10 028475763a1ca5bf5d0166d2b980d0fa1850c8ad3a923d4b1a535ddad8b7cda7 RuRAT Cryptomining HIGH
11 02e90a8321fffd0c45e88bcb8aec3839c5971eb3ded89dd9e44960ef48c95564 ClickFix Phishing HIGH
12 030b90666a581934de0683ef9232f137867db804f6100c0479958826dc2e4cbb Fake tax-return phishing Malware HIGH
13 0315d4a7bc14654ad66d4c2b98920b92ca18cbc231b3ce5fba1fcac70b828e19 SCMBANKER Malware HIGH
14 0352f3e338261d98895df4c7b7a76b296485b2290c72bce56603351d167d0601 UAT-7810 (APT) APT HIGH
15 03926e3da998f32ad898b640bd15cf145768f9e849e6f18d81350234254c424e UAT-7810 (APT) APT HIGH

Top 15 · URLs (High severity)

# Indicator Adversary Category Severity
01 hxxp[://]103.217.253.29 ClickFix Phishing HIGH
02 hxxp[://]130.12.180.43/files/7924412375/upOSLDn.exe Millenium RAT v4 RAT HIGH
03 hxxp[://]144.172.110.53 DPRK cluster APT HIGH
04 hxxp[://]158.94.208.168/files/8514679081/DRTjyu7.exe Millenium RAT v4 RAT HIGH
05 hxxp[://]188.127.246.183 FortiBleed Vulnerability HIGH
06 hxxp[://]194.233.92.26:2222/ UAT-7810 (APT) APT HIGH
07 hxxp[://]194.233.92.26:8088/ UAT-7810 (APT) APT HIGH
08 hxxp[://]213.171.17.74 FortiBleed Vulnerability HIGH
09 hxxp[://]216.126.227.38 NetSupport (Malware) RAT HIGH
10 hxxp[://]217.15.160.247:2222/ UAT-7810 (APT) APT HIGH
11 hxxp[://]217.15.160.247:8088/ UAT-7810 (APT) APT HIGH
12 hxxp[://]217.15.160.247:99/ UAT-7810 (APT) APT HIGH
13 hxxp[://]217.15.164.147:2222/ UAT-7810 (APT) APT HIGH
14 hxxp[://]217.15.164.147:8088/ UAT-7810 (APT) APT HIGH
15 hxxp[://]217.15.164.147:99/ UAT-7810 (APT) APT HIGH
Need the full set? The catalogue carries 2,433 unique IOCs for this week alone. The operator console exposes the full set with severity, confidence, ATT&CK technique, adversary attribution, and source-feed provenance per record. Open HuntIntel to query the full catalogue.

10 · Sigma detection rules — four for this week’s standout patterns

Drop into your detection-content pipeline, normalise field names to your SIEM’s schema, tune the false-positive filters, ship.

Sigma 01 · Universal ransomware kill-chain detector (VSS delete)

title: Volume Shadow Copy Deletion — Universal Ransomware Kill-Chain Detector
id: 5c1a8d3f-4b92-4e70-a58c-6f9e7c1b3d40
status: experimental
description: Detects the universal ransomware pre-encrypt behaviour — deletion of
  volume shadow copies. Every catalogued ransomware family this week executes this
  step. A single detector catches Akira, BianLian, Anubis, GodDamn, BlackNevas,
  Beast, Clop, BlackSuit, and 11+ other active families.
references:
  - https://hackforlab.com/weekly-threat-advisory-july-6-12-2026/
author: HackForLab Threat Intelligence
date: 2026/07/13
tags:
  - attack.impact
  - attack.t1490
  - attack.t1486
logsource:
  category: process_creation
  product: windows
detection:
  vssadmin_delete:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains|all:
      - 'delete'
      - 'shadows'
  wmi_delete:
    Image|endswith: '\wmic.exe'
    CommandLine|contains|all:
      - 'shadowcopy'
      - 'delete'
  powershell_delete:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Remove-CimInstance'
      - 'Win32_ShadowCopy'
  condition: 1 of them
falsepositives:
  - Legitimate backup operations (verify + allowlist known-good scripts)
level: critical

Sigma 02 · BianLian subnet anchors

title: BianLian Ransomware Subnet Anchor Contact
id: 8a4c7d1e-6b93-4f20-a58d-2e9c1b3f4c60
status: experimental
description: Detects outbound connections to catalogued BianLian ransomware subnet
  anchors. Both /24 blocks catalogued this week with concentrated indicators —
  treat any traffic to these blocks as high-fidelity.
references:
  - https://hackforlab.com/weekly-threat-advisory-july-6-12-2026/
author: HackForLab Threat Intelligence
date: 2026/07/13
tags:
  - attack.command_and_control
  - attack.t1071
  - attack.impact
  - attack.t1486
logsource:
  category: network_connection
detection:
  selection:
    DestinationIp|cidr:
      - '151.236.16.0/24'
      - '172.96.137.0/24'
      - '104.168.140.0/23'   # concentrated BianLian IP block
      - '104.200.72.0/22'    # multiple catalogued BianLian addresses in this range
      - '104.225.129.0/24'
  condition: selection
falsepositives:
  - Unlikely — these CIDRs have no documented business use
level: critical

Sigma 03 · Multi-Stage LNK + JS-runtime loader

title: Multi-Stage LNK + JavaScript-Runtime Loader Detection
id: 3f7b9c2e-1d84-4a50-b721-5c8e6d4f2a10
status: experimental
description: Detects an LNK file execution that spawns a JavaScript-runtime process
  which then initiates an outbound connection. Catches the multi-stage LNK loader
  observed with 135 IOCs this cycle.
references:
  - https://hackforlab.com/weekly-threat-advisory-july-6-12-2026/
author: HackForLab Threat Intelligence
date: 2026/07/13
tags:
  - attack.execution
  - attack.t1204.002
  - attack.t1059.005
  - attack.t1059.007
logsource:
  category: process_creation
  product: windows
detection:
  parent_shell:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\Shell.exe'
  js_runtime_child:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
      - '\node.exe'
      - '\jscript.exe'
    CommandLine|contains|any:
      - '.lnk'
      - '.js'
      - '.jse'
      - '.vbs'
  condition: parent_shell and js_runtime_child
falsepositives:
  - Legitimate developer / build-agent workflows (allowlist by user + host)
level: high

Sigma 04 · UAT-7810 APT port-trio signature

title: UAT-7810 APT Port-Trio Signature (2222 / 8088 / 99)
id: 7d1a4b8e-5c62-4930-a8f1-3e9c7d5b2a40
status: experimental
description: Detects outbound connections to any destination serving the UAT-7810
  APT port-trio signature (2222, 8088, 99). The port combination is a stable
  operator fingerprint — matches even after IP rotation.
references:
  - https://hackforlab.com/weekly-threat-advisory-july-6-12-2026/
author: HackForLab Threat Intelligence
date: 2026/07/13
tags:
  - attack.command_and_control
  - attack.t1071
  - attack.t1571
logsource:
  category: network_connection
detection:
  selection_ip:
    DestinationIp:
      - '194.233.92.26'
      - '217.15.160.247'
      - '217.15.164.147'
  selection_port_trio:
    DestinationPort:
      - 2222
      - 8088
      - 99
  # Fire on either the known IPs OR any destination on all three ports within 5 min
  condition: selection_ip or (selection_port_trio | count(DestinationIp) by 5min > 2)
falsepositives:
  - Legitimate SSH-alternate (2222) or internal service (99) use — allowlist by dest
level: high

11 · Hunt queries — SIEM-agnostic pseudo-syntax

Hunt 01 · First-seen contact with UAT-7810 APT port-trio

// Pseudo-query
FROM network_flows
WHERE (dest_port IN (2222, 8088, 99))
  AND first_seen_pair(src_ip, dest_ip) WITHIN 60d
| AGGREGATE BY src_ip, dest_ip
  COUNT(DISTINCT dest_port) AS unique_ports_hit
WHERE unique_ports_hit >= 2
| SORT BY unique_ports_hit DESC

Catches the port-trio pattern even against unlisted destinations. Any endpoint contacting 2+ of the three ports on the same destination host is candidate compromise.

Hunt 02 · Ransomware pre-encrypt reconnaissance sequence

// Pseudo-query
FROM process_creates
WHERE process_name IN ('net.exe', 'net1.exe', 'nltest.exe',
                       'systeminfo.exe', 'ipconfig.exe', 'whoami.exe',
                       'quser.exe', 'tasklist.exe')
  AND host IN (
    SELECT host FROM process_creates
    WHERE command_line MATCHES '(?i)(vssadmin.*delete.*shadows|Remove-CimInstance.*ShadowCopy)'
    AND event_time BETWEEN NOW() - 24h AND NOW()
  )
| AGGREGATE BY host, COUNT(DISTINCT process_name) AS distinct_recon
WHERE distinct_recon >= 4
| SORT BY distinct_recon DESC

Ransomware operators run 4+ discovery utilities in quick succession before encrypting. The sequence itself is the signal.

Hunt 03 · LNK + JavaScript-runtime loader chain

// Pseudo-query
FROM process_creates
WHERE parent_process_name IN ('explorer.exe', 'Shell.exe')
  AND process_name IN ('wscript.exe', 'cscript.exe', 'node.exe')
  AND (command_line CONTAINS '.lnk' OR command_line CONTAINS '.js')
| JOIN network_flows AS n
  ON process_creates.host = n.src_host
  AND n.flow_time BETWEEN process_creates.create_time
                     AND process_creates.create_time + 300s
WHERE n.dest_domain NOT IN (allowlisted_domains)
| PROJECT process_creates.host, process_creates.command_line, n.dest_domain
| SORT BY create_time DESC

Catches the LNK-shortcut → JS-runtime → outbound sequence characteristic of the novel loader observed this week.

Hunt 04 · Wallet-drainer domain-registration-velocity pattern (RuRAT)

// Pseudo-query
FROM dns_queries
WHERE query_name MATCHES regex '.*wallet(-update)?\.'
   OR query_name MATCHES regex '.*wallet\.(org|com|top|info)$'
  AND query_name NOT IN (allowlisted_wallet_services)
| AGGREGATE BY src_host, query_name
| SORT BY COUNT DESC

12 · Operationalise in 60 minutes

Minute 00 – 15 · Block + sinkhole

  • Block 172.111.233.0/24 (PlugX — largest APT-malware anchor this week).
  • Block 91.92.43.0/24 (Tsundere botnet).
  • Block 151.236.16.0/24 + 172.96.137.0/24 (BianLian ransomware).
  • Block 194.233.92.26, 217.15.160.247, 217.15.164.147 (UAT-7810 APT).
  • DNS-deny the RuRAT wallet-drainer domain cluster (regex .*wallet(-update)?.).

Minute 15 – 30 · Detection content

  • Deploy Sigma 01 (universal volume-shadow-copy deletion detector).
  • Deploy Sigma 04 (UAT-7810 port-trio signature).
  • Deploy Sigma 03 (multi-stage LNK + JS-runtime loader).
  • Add outbound-deny for ports 2222/8088/99 to any destination outside your engineering allowlist.

Minute 30 – 45 · Retrospective hunt

  • Run Hunt 01 (port-trio pattern) across last 60 days.
  • Run Hunt 02 (ransomware pre-encrypt reconnaissance) across last 30 days.
  • Run Hunt 03 (LNK + JS-runtime chain) across last 30 days.

Minute 45 – 60 · Awareness + policy

  • Update macOS user-awareness content on the ClickFix technique.
  • Brief developers on the coordinated package-registry supply-chain campaign — package allow-listing not optional.
  • Audit backup posture: any ransomware operator this week defeats defence-in-depth if backups are online-accessible. Verify air-gapped or immutable backups.
// CONTINUE WITH HUNTINTEL

This advisory ships 15 indicators per type. The catalogue carries the full 2,433 unique IOCs, each with adversary attribution, ATT&CK technique, confidence score, and source provenance.

Open HuntIntel →

13 · Frequently asked questions

19 ransomware families in one week. Is that unusual?

The concurrent-family count is the highest observed year-to-date. The typical week sees 5-8 named families active with fresh indicators; this week saw 19. The concurrent tempo suggests either coordinated timing (multiple operators executing simultaneously) or a shared upstream initial-access broker feeding several families — the catalogue does not distinguish between these hypotheses. What matters operationally: the ransomware category share of the catalogue is triple the normal baseline.

HASH beat IP for the first time. What should the SOC do differently?

Concretely: prioritise the endpoint-detection content pipeline this week over the perimeter-network content pipeline. Push all catalogued hashes to endpoint scan and quarantine. Verify your EDR content is receiving fresh indicator feeds on a daily cadence. If your EDR content ships weekly while your firewall content ships daily, this week is a leading indicator that the priorities are backwards for the current threat mix.

The UAT-7810 port-trio signature (2222 / 8088 / 99) — why is this a detection asset?

The port trio is an operator-side configuration choice preserved across three different IP anchors. When operators rotate infrastructure they typically rotate IPs; the port pattern is preserved because it is baked into the deployed C2 stack. Rewriting the C2 stack to serve on different ports is significantly more expensive for the operator than registering new IPs. Detection content that fires on the port trio catches rotation attempts by default.

How do I prioritise the 292 Akira indicators?

Three-stage triage. First: push every hash to endpoint scan-and-quarantine. Second: deploy Sigma 01 (VSS delete detector) — catches Akira and every other ransomware family this week regardless of variant. Third: subscribe to the operator’s data-leak-site infrastructure feed so you know when your organisation appears on their published victim list within hours instead of days.

How does the coordinated package-registry campaign differ from ordinary typosquatting?

Two features distinguish it. First, the coordination across two separate public package registries (typically operators target one at a time) suggests either automation or shared upstream tooling. Second, the post-install command-interpreter execution is followed by an obfuscated payload with data encoding — more mature tradecraft than typical typosquat drops which usually stop at credential theft.

What confidence threshold should the SOC use for automated blocking?

For automatic blocklist promotion: high confidence only. For watchlist enrichment: medium and above. For retrospective hunting: include low.

Why is the macOS ClickFix observation important?

It signals that the ClickFix technique has matured beyond the initial Windows target set. macOS environments have historically been under-instrumented for terminal-execution telemetry — many macOS-heavy organisations run no equivalent of endpoint process-create logging. The observation raises the importance of investing in macOS endpoint telemetry parity with Windows.

Where can I see this advisory’s intelligence in operational form?

The HuntIntel operator console exposes every IOC behind this advisory with adversary attribution, ATT&CK technique, severity, confidence, and source provenance pre-joined. Open at huntintel.hackforlab.com/login.html. For the underlying frameworks reference, see Indicators of Compromise and Threat Intelligence: A Practitioner Reference.

Core Working Areas :- Threat Intelligence, Digital Forensics, Incident Response, Fraud Investigation, Web Application Security Technical Certifications :- Computer Hacking Forensics Investigator | Certified Ethical Hacker | Certified Cyber crime investigator | Certified Professional Hacker | Certified Professional Forensics Analyst | Redhat certified Engineer | Cisco Certified Network Associates | Certified Firewall Solutions | Certified Network Monitoring Solution | Certified Proxy Solutions