Ransomware week. 19 families active in parallel, 559 catalogued IOCs, and the largest single-cluster footprint year-to-date — Akira at 292 IOCs. HASH beat IP for the first time in this catalogue’s history: 1,209 hashes vs 603 IPs, driven by the ransomware payload-rotation surge. A distinctive APT infrastructure signature emerged (UAT-7810: port trio 2222 / 8088 / 99 shared across three IPs). A novel loader pattern showed up at scale (multi-stage LNK + JavaScript-runtime backdoor, 135 IOCs). And macOS finally got its own ClickFix variant. If your SOC saw a busier alert queue this week, that is why.
Sectioned for the working analyst: cluster catalogue, deep-dives on the high-tempo names, ATT&CK technique mapping per adversary, subnet anchors + port-pattern signatures for cheap perimeter blocking, top 15 IOCs per indicator type, four production-ready Sigma rules, 60-minute operationalisation plan. Vendor-neutral. Operator-grade. Archive of prior advisories.
02 · Five headlines
03 · IOC / severity / category mix
04 · Top adversary clusters
05 · Cluster deep-dives
06 · ATT&CK per adversary
07 · Tactic-pressure roll-up
08 · Subnet + port anchors
09 · Top 15 IOCs per type
10 · Sigma detection rules
11 · Hunt queries
12 · Operationalise in 60 min
13 · FAQ
HuntIntel ships every IOC behind this advisory with provenance, confidence score, ATT&CK technique, and adversary cluster pre-mapped — queryable in the operator console, exportable to your SIEM in seconds. Stop reading PDFs. Start querying the catalogue.
01 · This week in numbers
Two-and-a-half thousand records this cycle, and 78 percent of them are HIGH severity. The catalogue produced 2,433 unique IOCs across 124 adversary clusters — a busy week by any measure and the most diverse cluster count observed year-to-date. The composition story matters more than the topline: HASH indicators outpaced IP indicators for the first time, driven almost entirely by the ransomware payload-rotation surge (Akira alone contributed 292 hashes, RedWing 111, Multi-Stage LNK backdoor 135).
Catalogued, ML-scored, ATT&CK-tagged. Refreshed continuously across open-source, sandbox, TLS, DNS, and honeynet plane sources. Every record carries adversary attribution, technique tag, severity, and confidence.
02 · Five headlines — what defined this week
If you read nothing else, read these five.
Headline 01 · Ransomware week — 19 families active in parallel
Nineteen named ransomware families surfaced with fresh operational indicators this cycle. Combined footprint: 559 IOCs in the Ransomware-as-a-Service category — the largest single-category concentration observed this year. Beyond the top-line names (Akira, BianLian, Anubis, GodDamn, BlackNevas, Beast, Clop, BlackSuit), fifteen additional families surfaced with 5+ IOCs each. The technique overlap is striking: every ransomware cluster this week carries the T1486 → T1490 chain (encrypt-for-impact + inhibit recovery). Detection content that fires on that pair catches every operator regardless of family. If you deploy nothing else this week, deploy the volume-shadow-copy deletion detector.
Headline 02 · Akira surged to 292 IOCs — largest single-cluster footprint YTD
Akira produced 292 unique indicators in seven days — the largest single-cluster footprint recorded in this catalogue year-to-date. The distribution skews entirely toward HASH + OTHERS (leak-site artefacts, victim-list identifiers), reflecting active payload rotation and active data-leak-site publication. The TTP chain: T1078 valid-account access, T1133 external remote services, T1021.001 remote-desktop lateral movement, T1047 WMI execution, T1560 archive collected data, T1041 exfil over C2, then T1486 encryption for impact and T1490 inhibit recovery. Push every hash to endpoint quarantine and every OTHERS artefact (victim-slug patterns) to your data-leak-site monitor.
Headline 03 · HASH beat IP for the first time in catalogue history
For the first time since this catalogue began publishing, HASH indicator volume beat IP indicator volume: 1,209 hashes vs 603 IPs (35 percent vs 22 percent of the catalogue). The inversion is entirely attributable to ransomware payload rotation and the multi-stage-loader family activity. What it tells the SOC: signature-based endpoint detection had a busier week than perimeter-based network detection. If your EDR content pipeline is slower than your firewall content pipeline, the ratio inversion this week is a leading indicator that you should invest more in the endpoint layer.
Headline 04 · UAT-7810 APT signature — port trio 2222 / 8088 / 99 shared across three IPs
The UAT-7810 APT cluster contributed 89 IOCs across HASH + IP + URL with a distinctive infrastructure signature: the three catalogued IPs (194.233.92.26, 217.15.160.247, 217.15.164.147) each expose the same trio of ports — 2222, 8088, 99 — serving what appears to be the same C2 stack across all three anchors. The port trio is the fingerprint. Any host serving that specific combination on those specific ports is candidate operator infrastructure regardless of whether the catalogued IPs are still active. Sigma rule 04 below fires on the port-pattern signature.
Headline 05 · Novel loader + macOS technique surface + supply-chain campaign
Three notable emerging patterns worth flagging:
- Multi-Stage LNK + JavaScript-runtime backdoor — 135 IOCs across DOMAIN + HASH. Novel loader technique using an LNK dropper to spawn a JavaScript-runtime process that pulls and executes second-stage payload. Defenders without instrumentation on the JS-runtime interpreter (
node.exeequivalents) miss the execution chain entirely. - macOS ClickFix — 18 IOCs across DOMAIN + URL. First observation of the ClickFix technique targeting macOS in this catalogue. Users get a fake-instruction lure and paste attacker-controlled shell commands into their terminal.
- Coordinated package-registry supply-chain campaign — 57 IOCs across HASH + URL. Two public package registries hit in coordinated fashion. Install-time command-interpreter execution + obfuscated payload + data-encoded exfil.
03 · Indicator type, severity, and category mix
The composition story of the week. HASH volume tops IP for the first time — 49.7 percent vs 24.8 percent. Ransomware category leads the category mix at 23 percent, followed closely by Malware-Activity (520 IOCs, 21 percent) and Cryptomining (248, 10 percent). APT is at 202 (8 percent) — a heavy APT week too.
By indicator type
| Type | Observations | Share | % |
|---|---|---|---|
| File hashes | 1,209 | 49.69% | |
| IPs | 603 | 24.78% | |
| Domains | 343 | 14.10% | |
| URLs | 180 | 7.40% | |
| Emails | 62 | 2.55% | |
| Other artefacts | 36 | 1.48% |
By severity
| Severity | Observations | Share | % |
|---|---|---|---|
| High | 1,958 | 80.21% | |
| Medium | 408 | 16.71% | |
| Low | 75 | 3.07% |
By category
| Category | Observations | Share | % |
|---|---|---|---|
| Ransomware-as-a-service | 559 | 22.83% | |
| Malware-Activity | 520 | 21.23% | |
| Cryptomining | 248 | 10.13% | |
| APT | 202 | 8.25% | |
| RAT | 195 | 7.96% | |
| Phishing | 147 | 6.00% | |
| C&C | 146 | 5.96% | |
| Backdoor | 145 | 5.92% | |
| Botnet | 142 | 5.80% | |
| C&C Server | 110 | 4.49% | |
| Spyware | 14 | 0.57% | |
| Vulnerability | 10 | 0.41% | |
| Supply Chain | 6 | 0.24% | |
| Payload Delivery | 2 | 0.08% | |
| Malicious Infrastructure | 2 | 0.08% | |
| Hacktivist Group | 1 | 0.04% |
Reading the mix. Ransomware leads the categories with 23 percent share — the highest concentration observed this year. Combined with the HASH-over-IP inversion, this week is a payload-week: your EDR and file-scanning content is doing the heavy lifting, your perimeter blocks are catching relatively less.
04 · Top adversary clusters by indicator footprint
Akira leads at 292 IOCs. RuRAT (cryptomining) at 244. Open-framework infrastructure entries in grey to preserve visual clarity of the campaign-attributed clusters. BianLian ransomware sits at 145 IOCs across all four primary IOC types — the full-pivot signature.
| # | Adversary cluster | Relative footprint | Unique IOCs | Severity |
|---|---|---|---|---|
| 01 | Akira
Ransomware · HASH, OTHERS
|
292 | HIGH | |
| 02 | RuRAT
Malware Campaign · DOMAIN, HASH
|
244 | HIGH | |
| 03 | Commodity C2 framework A (framework infra)
C2 · IP
|
146 | MEDIUM | |
| 04 | BianLian
Ransomware · EMAIL, HASH, IP, OTHERS
|
145 | HIGH | |
| 05 | Multi-Stage LNK + JavaScript-runtime backdoor
Malware Campaign · DOMAIN, HASH
|
135 | HIGH | |
| 06 | Vidar
Malware (Stealer) · DOMAIN, HASH, IP, URL
|
117 | HIGH | |
| 07 | RedWing
Malware · DOMAIN, HASH, URL
|
111 | HIGH | |
| 08 | UAT-7810
Threat Actor (APT) · HASH, IP, URL
|
89 | HIGH | |
| 09 | ClickFix
Malware Campaign · DOMAIN, HASH, IP, URL
|
61 | HIGH | |
| 10 | Coordinated package-registry supply-chain campaign
Malware Campaign · HASH, URL
|
57 | HIGH | |
| 11 | Open remote-management framework
C2 · IP
|
51 | MEDIUM | |
| 12 | Millenium RAT v4
Malware (RAT) · HASH, URL
|
50 | HIGH | |
| 13 | GoodPersonRAT
Malware (RAT) · DOMAIN, HASH, IP
|
45 | HIGH | |
| 14 | Open exploitation framework
C2 · IP
|
38 | MEDIUM | |
| 15 | DPRK cluster
Threat Actor (APT) · DOMAIN, EMAIL, HASH, IP, URL
|
37 | HIGH | |
| 16 | Dcrat
C2 (RAT) · DOMAIN, HASH, IP, URL
|
37 | MEDIUM | |
| 17 | SCMBANKER
Malware · DOMAIN, HASH, IP
|
36 | HIGH | |
| 18 | GodDamn
Ransomware · HASH
|
36 | HIGH | |
| 19 | Fake Interview Phishing Campaign
Phishing Campaign · DOMAIN
|
32 | LOW | |
| 20 | PlugX
Malware · HASH, IP, URL
|
31 | HIGH | |
| 21 | Lazarus
Threat Actor (APT) · DOMAIN, URL
|
30 | HIGH | |
| 22 | BlackNevas
Ransomware · HASH
|
27 | HIGH | |
| 23 | Fake payment-service impersonation campaign
Malware Campaign · HASH, URL
|
26 | HIGH | |
| 24 | Anubis
Ransomware · HASH, OTHERS
|
26 | HIGH | |
| 25 | AsyncRAT
Malware (RAT) · DOMAIN, HASH, IP, URL
|
21 | HIGH | |
| 26 | Cavern Manticore
Threat Actor (APT) · DOMAIN, HASH, URL
|
20 | HIGH | |
| 27 | Fake tax-return phishing campaign
Malware Campaign · DOMAIN, HASH, IP
|
18 | HIGH | |
| 28 | macOS ClickFix Campaign
Malware Campaign · DOMAIN, URL
|
18 | HIGH | |
| 29 | Remcos
Malware (RAT) · IP
|
16 | HIGH | |
| 30 | Beast
Ransomware · EMAIL, HASH, OTHERS
|
15 | HIGH | |
| 31 | EtherRAT
Malware (RAT) · DOMAIN, EMAIL, HASH, URL
|
15 | HIGH | |
| 32 | Open C2 framework B (labelled AdaptixC2 upstream)
C2 · IP
|
14 | MEDIUM | |
| 33 | Tsundere botnet
C2 · IP
|
13 | MEDIUM | |
| 34 | Fake remote-desktop tool phishing
Phishing Campaign · DOMAIN, HASH, IP
|
13 | LOW | |
| 35 | MODBEACON
Malware · DOMAIN, HASH, IP
|
11 | HIGH | |
| 36 | Forg365
Phishing Kit · DOMAIN, IP, URL
|
11 | MEDIUM |
How to read this. Pay disproportionate attention to clusters that span three or more IOC types — that breadth is a full-kill-chain signal. This week’s full-four-type footprints: BianLian (5 types actually with EMAIL+HASH+IP+OTHERS), Vidar, Dcrat, AsyncRAT, ClickFix, EtherRAT. The DPRK cluster spans five IOC types (DOMAIN + EMAIL + HASH + IP + URL) — the broadest single-cluster IOC-type spread this cycle.
05 · Cluster deep-dives — the names to act on
05.1 · Akira — 292 IOCs, largest single-cluster footprint YTD
Every ransomware kill-chain signature is present: valid-account initial access, external remote services, remote-desktop lateral movement, WMI execution, archive-then-exfil, and finally encrypt-for-impact + inhibit-recovery. The 292 catalogued indicators lean heavily toward HASH (payload rotation) and OTHERS (leak-site artefacts, victim identifiers). The operator is actively publishing to their leak site this week — watch the data-leak-site infrastructure indicators alongside the operational indicators.
Defensive actions: Push all catalogued hashes to endpoint scan-and-quarantine. Deploy the volume-shadow-copy deletion detector (vssadmin delete shadows is the canonical signal). Hunt for the kill-chain sequence valid-account login from an unusual source → remote-desktop or WMI execution → large outbound transfer to non-corporate destination. If your organisation is exposed to double-extortion operators, subscribe to the leak-site infrastructure watch.
05.2 · BianLian — full multi-pivot ransomware kill chain
145 IOCs across EMAIL + HASH + IP + OTHERS with two subnet anchors (151.236.16.0/24 and 172.96.137.0/24). The email indicators are victim-contact channels the operator uses for ransom negotiation. The IP indicators concentrate heavily in the 104.168.x, 104.200.x, and 104.225.x ranges — treat those provider blocks as candidates for expanded blocking. TTP profile is one of the broadest in the catalogue: 30+ ATT&CK techniques observed.
Defensive actions: Block both /24 anchors at the perimeter. Push the 145 hashes to endpoint scan. Watch for the credential-dumping-to-encrypt sequence: lsass.exe access → remote-desktop / SMB lateral move → volume-shadow-copy deletion.
05.3 · UAT-7810 APT — port-trio infrastructure fingerprint
The signature of the week. 89 IOCs across HASH + IP + URL. Three catalogued IP anchors — 194.233.92.26, 217.15.160.247, 217.15.164.147 — each serving the same trio of ports: 2222 (typically SSH-alternate), 8088, and 99. The trio is not a coincidence — it is the operator’s deployed C2-stack configuration. Any other host on the internet serving that exact port trio is candidate operator infrastructure regardless of whether it appears in this week’s catalogue.
Defensive actions: Block all three catalogued anchor IPs. Hunt for outbound traffic on the port trio to any destination outside your engineering allowlist — Sigma rule 04 below implements this. If you have JARM or JA4 fingerprinting on your egress, cluster the C2 stack signature and hunt for lookalikes across your telemetry.
05.4 · DPRK cluster — broadest 5-type IOC-type spread this week
37 IOCs across DOMAIN + EMAIL + HASH + IP + URL — the broadest indicator-type spread from any single cluster this week. The cluster maintains multi-layered infrastructure: acquired domains for recruitment lures, phishing email addresses, second-stage payload hashes, C2 IPs, and staging URLs. The operational implication: an ecosystem intrusion, not a single-lure campaign.
Defensive actions: All 37 catalogued indicators to blocking / watchlist by tier. Watch for the recruitment-lure phishing pattern (Lazaruscameradriverupdates.compaxos-apply.com-style domain naming) targeting developers, cryptocurrency-exchange staff, and defense-adjacent research organisations. Hunt for outbound to 144.172.110.53 across the last 60 days.
05.5 · PlugX — two subnet anchors, classic APT loader signature
31 IOCs across HASH + IP + URL with two subnet anchors: 172.111.233.0/24 (5 IPs concentrated) and 172.94.9.0/24 (3 IPs). The 172.111.233.0/24 anchor is the week’s largest APT-malware infrastructure concentration. Treat both /24 blocks as suspect — the operator is likely to rotate into unlisted addresses within the same blocks.
Defensive actions: Perimeter-block both /24 subnets. Push all hashes to endpoint scan. Hunt for the classic PlugX loader chain — DLL side-loading with signed binary + malicious sideload DLL + payload file.
05.6 · Multi-Stage LNK + JavaScript-runtime backdoor — novel loader technique
135 IOCs across DOMAIN + HASH. The technique: an LNK shortcut file drops and executes a JavaScript-runtime process (Windows JScript engine, server-side JavaScript runtime, or equivalent) that fetches and executes a second-stage payload from an operator-controlled domain. The technique defeats detection content that only inspects powershell.exe and cmd.exe as the loader — the JS runtime is the executor here.
Defensive actions: Instrument the JavaScript-runtime process as a suspicious loader in your endpoint content. Watch for node.exe, wscript.exe, and cscript.exe spawned from an LNK-file execution context. Hunt for parent-process = explorer.exe + child-process = JS runtime + outbound to any of the 135 catalogued domain / hash indicators.
05.7 · Coordinated package-registry supply-chain campaign
57 IOCs across HASH + URL. Two public package registries hit in coordinated fashion — the coordination itself is the signal, suggesting an operator with development pipeline access or automated typosquat publishing capability. Post-install command-interpreter execution + obfuscated payload + data-encoded exfil.
Defensive actions: Package allow-listing in CI build agents. Outbound-domain monitoring from build runners. Publisher-identity verification on the package registries used. Hunt for install-time process trees where a package installer spawns a shell that pulls from an unfamiliar domain.
05.8 · macOS ClickFix Campaign — first observation of macOS variant
18 IOCs across DOMAIN + URL. The first observation of the ClickFix social-engineering technique adapted for macOS. Users encounter a fake-instruction lure (“your Mac is missing X, run this command to fix it”) and paste attacker-controlled shell commands into their terminal. The technique is a pure social-engineering flow — no exploitation involved. User awareness is the primary defence.
Defensive actions: Update user-awareness content to include macOS-specific ClickFix lures. Block the 18 catalogued endpoints at the DNS resolver. Deploy endpoint content that flags terminal execution of curl-piped-to-shell or bash-piped commands from clipboard sources.
05.9 · RuRAT — 244 IOCs, cryptocurrency-wallet theme campaign
The domain layer shows deliberate theming — every catalogued domain adjacent to cryptocurrency-wallet names (anchorwallet[.]org, aptwallet[.]org, arkwallet[.]org, and similar). The victim-targeting profile is cryptocurrency users. The category tag is Cryptomining but the operational profile combines wallet-drainer and mining components.
Defensive actions: Block the 244 catalogued domains and hashes. Deploy regex-based DNS filtering for the *-wallet.* / *wallet-update.* patterns to catch operator rotation.
06 · ATT&CK mapping per named cluster
Per-cluster technique mapping with operational narrative. Detection content that fires on these techniques catches the cluster even after IOC rotation.
| Cluster | ATT&CK techniques observed | Operational narrative |
|---|---|---|
| Akira (Ransomware) | T1486 · T1490 · T1078 · T1133 · T1021.001 · T1047 · T1560 · T1041 | Full ransomware kill chain: encrypt-for-impact, inhibit recovery, valid-account initial access, external remote services, remote-desktop lateral movement, archive-then-exfil. 292 IOCs across HASH + OTHERS makes this the week’s largest single-cluster footprint YTD. |
| BianLian (Ransomware) | T1078 · T1133 · T1190 · T1059 · T1021.001 · T1547.001 · T1543.003 · T1105 · T1562.001 · T1070.001 · T1003.001 · T1486 · T1490 · T1567 · T1041 | Extensive TTP profile — valid accounts, external remote services, public-app exploit, command interpreter, remote desktop, registry-run + service persistence, defence disabling, credential dumping, encryption for impact, recovery inhibition, exfil to web service. 145 IOCs across EMAIL + HASH + IP + OTHERS with two subnet anchors. |
| UAT-7810 (APT) | T1071 · T1071.001 · T1105 · T1041 · T1568 | Distinctive infrastructure signature — port trio 2222/8088/99 served across three IPs. Web-protocol C2 + second-stage tool transfer + exfil over C2 with dynamic resolution. 89 IOCs across HASH + IP + URL. |
| DPRK cluster | T1190 · T1105 · T1041 · T1082 | Full 5-type indicator footprint (DOMAIN + EMAIL + HASH + IP + URL) — the broadest single-cluster IOC-type spread this week. Public-app exploit + ingress tool transfer + exfil over C2 + system info discovery. |
| Lazarus (APT sub-cluster) | T1059 · T1105 · T1041 · T1021 | Continuing from prior weeks. 30 IOCs across DOMAIN + URL. Command-interpreter + second-stage pull + exfil + remote services. |
| PlugX (Malware) | T1071.001 · T1105 · T1041 · T1547.001 · T1055 | Classic APT-loader family. Two subnet anchors (172.111.233.0/24 and 172.94.9.0/24 with 3 IPs each). Web-protocol C2 + second-stage transfer + exfil + registry persistence + process injection. |
| MustangPanda (APT) | T1059 · T1204 · T1105 | Compact TTP profile. Command-interpreter driven by user-execution + second-stage payload pull. IP anchor at 103.247.19.204. |
| MuddyWater (APT) | T1566 · T1059 · T1071 · T1105 · T1041 | Phishing initial access + command-interpreter + web-protocol C2 + ingress tool transfer + exfil. |
| Cavern Manticore (APT) | T1583.001 · T1566 · T1071 · T1105 · T1027 | Acquired-domain infrastructure (adserviceupdate[.]com pattern) + phishing + web-protocol C2 + obfuscation. 20 IOCs across DOMAIN + HASH + URL. |
| AsyncRAT (RAT) | T1566.001 · T1204 · T1105 · T1071.001 · T1041 · T1547.001 | Spearphish-attachment → user-execution → ingress tool → web-protocol C2 → exfil → registry persistence. Full four-type footprint. |
| ClickFix (Malware Campaign) | T1566 · T1204 · T1059 · T1105 | Fake-instruction lure tricks the visitor into pasting attacker-controlled command into their own command interpreter. 61 IOCs across all four primary IOC types. |
| macOS ClickFix Campaign | T1204 · T1059.004 · T1105 · T1071 | First observation of ClickFix technique targeting macOS in this catalogue. User-execution + Unix shell + second-stage pull + web-protocol C2. 18 IOCs across DOMAIN + URL. |
| Multi-Stage LNK + JS-runtime backdoor | T1204.002 · T1059.005 · T1059.007 · T1105 · T1027 · T1543 | Novel loader pattern — LNK dropper triggers a JavaScript-runtime process to fetch and execute a second-stage payload. Defenders without instrumentation on the JS-runtime interpreter miss the execution chain. 135 IOCs across DOMAIN + HASH. |
| Coordinated package-registry supply chain | T1195.001 · T1059 · T1027 · T1132 · T1219 | Two public package registries hit in coordinated fashion. Command-interpreter execution at install-time, obfuscated payload, data encoding for exfil, remote-access tooling. 57 IOCs across HASH + URL. |
Detection-engineering takeaway. Every ransomware cluster this week carries the
T1486 → T1490chain (encrypt-for-impact + inhibit recovery). A single detector fired on volume-shadow-copy deletion (vssadmin delete shadows, WMI shadow-copy deletion, PowerShell Remove-Cim methods) catches every catalogued ransomware family regardless of variant. If you deploy nothing else this week, deploy that one detector.
07 · ATT&CK tactic-pressure roll-up
Aggregation of technique tags rolled up to the parent tactic. Impact tactics lead this week (ransomware); Discovery is elevated (ransomware pre-encrypt reconnaissance).
| Tactic | Top techniques observed | What the pressure means | IOC count |
|---|---|---|---|
| Impact | T1486 · T1490 · T1489 · T1485 · T1531 | Data encryption for impact (present in every ransomware cluster), recovery inhibition, service stop, data destruction, account access removal | 617 |
| Initial Access | T1078 · T1133 · T1190 · T1566 · T1195.001 | Valid-account abuse, external remote services, public-app exploit, phishing, supply-chain via package registry | 434 |
| Execution | T1059 · T1059.001 · T1059.003 · T1059.005 · T1204 · T1047 | Command-interpreter (PowerShell / CMD / Visual Basic), user-execution, WMI | 372 |
| Command and Control | T1071 · T1071.001 · T1105 · T1102 · T1568 · T1573.002 · T1090 | Web-protocol C2, ingress tool transfer, web-service abuse, dynamic resolution, asymmetric crypto, proxy | 328 |
| Persistence | T1547.001 · T1543.003 · T1053.005 | Registry-run keys, Windows service creation, scheduled tasks | 189 |
| Defense Evasion | T1027 · T1027.002 · T1112 · T1070 · T1070.001 · T1562.001 · T1218 · T1036 | Obfuscation, indicator removal on host, disable security tools, masquerading | 267 |
| Credential Access | T1003 · T1003.001 · T1555 · T1110 | OS credential dumping (including LSASS), password store theft, brute force | 156 |
| Discovery | T1082 · T1057 · T1083 · T1087 · T1016 · T1046 · T1018 · T1033 · T1135 | System info + process + file + account + network configuration + share + system-owner discovery | 234 |
| Lateral Movement | T1021 · T1021.001 · T1021.002 · T1570 | Remote-desktop, SMB / Admin shares, lateral tool transfer | 141 |
| Collection | T1560 · T1560.001 · T1005 · T1056.001 · T1113 | Archive collected data (native + tool-based), local data, keylogging, screen capture | 87 |
| Exfiltration | T1041 · T1567 · T1020 · T1537 | Exfil over C2 channel, exfil to operator-controlled web service, automated exfil, transfer to cloud account | 219 |
| Reconnaissance | T1190 · T1595 | Public-app scanning and exploit | 42 |
08 · Subnet anchors and port-pattern signatures
Subnet anchors (/24 blocks with 3+ concentrated IPs)
| Subnet (/24) | IPs | Adversary cluster | Note |
|---|---|---|---|
| 172.111.233.0/24 | 5 | PlugX | The week’s largest APT-malware subnet anchor. Treat the entire /24 as suspect. |
| 91.92.43.0/24 | 4 | Tsundere botnet | Botnet C2 concentration |
| 151.236.16.0/24 | 3 | BianLian | Ransomware operator infrastructure anchor |
| 172.96.137.0/24 | 3 | BianLian | Second BianLian anchor — hedged hosting tenants |
| 172.94.9.0/24 | 3 | PlugX | Second PlugX anchor |
| 45.74.7.0/24 | 3 | Remcos | Commodity-RAT C2 concentration |
| 77.92.95.0/24 | 3 | Open exploitation framework | Framework listener farm |
Port-pattern signature — UAT-7810 APT
Signature: Three catalogued IPs each expose the same port trio — 2222, 8088, 99.
Anchors: 194.233.92.26, 217.15.160.247, 217.15.164.147.
Detection value: Any host serving that exact combination is candidate operator infrastructure — regardless of whether the IP is in this week’s catalogue. Sigma rule 04 below implements the port-trio signature detection.
Combined with the fact that all three catalogued anchors serve identical C2 stacks, the port trio is a stable operator fingerprint. Rotation into new IPs preserves the port choice.
The asymmetric block. Block the three UAT-7810 anchor IPs at the perimeter now (cost: zero). Deploy the port-trio Sigma rule to catch rotation. Total operator cost to defeat: they must reconfigure their C2 stack to a different port pattern — expensive across three IPs.
09 · Top 15 IOCs per indicator type
Operator-grade extractions. All indicators are defanged (re-fang on import: replace [.] with . and hxxp with http).
Top 15 · IP addresses (High severity)
| # | Indicator | Adversary | Category | Severity |
|---|---|---|---|---|
| 01 | 103.125.217.129 | BianLian | Ransomware | HIGH |
| 02 | 103.217.253.29 | ClickFix | Phishing | HIGH |
| 03 | 103.247.19.204 | MustangPanda | APT | HIGH |
| 04 | 103.30.77.80 | BianLian | Ransomware | HIGH |
| 05 | 103.97.131.179 | Fake tax-assessment campaign | Malware | HIGH |
| 06 | 104.168.140.238 | BianLian | Ransomware | HIGH |
| 07 | 104.168.151.112 | BianLian | Ransomware | HIGH |
| 08 | 104.200.67.252 | BianLian | Ransomware | HIGH |
| 09 | 104.200.72.146 | BianLian | Ransomware | HIGH |
| 10 | 104.200.72.15 | BianLian | Ransomware | HIGH |
| 11 | 104.200.73.216 | BianLian | Ransomware | HIGH |
| 12 | 104.225.129.101 | BianLian | Ransomware | HIGH |
| 13 | 104.225.129.141 | BianLian | Ransomware | HIGH |
| 14 | 194.233.92.26 | UAT-7810 (APT) | APT | HIGH |
| 15 | 217.15.160.247 | UAT-7810 (APT) | APT | HIGH |
Top 15 · Domains (High severity)
| # | Indicator | Adversary | Category | Severity |
|---|---|---|---|---|
| 01 | 3w[.]jxuw3[.]com | The SilverFox (APT) | APT | HIGH |
| 02 | 52facc3b24f8bad9c5c56819e385f3a1[.]testewin[.]com | Banana RAT | RAT | HIGH |
| 03 | Lazaruscameradriverupdates[.]compaxos-apply[.]com | Lazarus (APT) | APT | HIGH |
| 04 | Quima[.]org | QuimaRAT | RAT | HIGH |
| 05 | a1673dscrakamay[.]com | RuRAT | Cryptomining | HIGH |
| 06 | aboutbookphoto[.]pro | Multi-Stage LNK JS-runtime | Backdoor | HIGH |
| 07 | adserviceupdate[.]com | Cavern Manticore (APT) | APT | HIGH |
| 08 | anchorupdate[.]com | RuRAT | Cryptomining | HIGH |
| 09 | anchorv2[.]info | RuRAT | Cryptomining | HIGH |
| 10 | anchorwallet[.]org | RuRAT | Cryptomining | HIGH |
| 11 | ancupdate[.]top | RuRAT | Cryptomining | HIGH |
| 12 | api-sync-service.mdkd1184.workers[.]dev | RedWing | Malware | HIGH |
| 13 | aptwallet[.]org | RuRAT | Cryptomining | HIGH |
| 14 | arkupdate[.]com | RuRAT | Cryptomining | HIGH |
| 15 | arkwallet[.]org | RuRAT | Cryptomining | HIGH |
Top 15 · File hashes (High severity)
| # | Indicator | Adversary | Category | Severity |
|---|---|---|---|---|
| 01 | 000fad96a85dd6933c22d3dbec9aed47b7f1f066 | PlugX | Malware | HIGH |
| 02 | 005c650353052ace090b2a56c2d0023b | Akira (Ransomware) | Ransomware | HIGH |
| 03 | 013642fa369e3f4686339f4de1f7e331bef2c5ece9f1682bc18c02c2f344e797 | RedWing | Malware | HIGH |
| 04 | 0172d3b9f79c9f91907ba085d3840818a2571c004668db28209a324f5bd463d9 | RuRAT | Cryptomining | HIGH |
| 05 | 01acbba573f577f19d156111af07fdbd0c08b51e8403a6fdc103f286d32d00fb | RedWing | Malware | HIGH |
| 06 | 01feb8f50b5195328f27195b0e4d82da | Akira (Ransomware) | Ransomware | HIGH |
| 07 | 0225c25e9e7462a80ec157c76e2479487c8508bd | Multi-Stage LNK JS-runtime | Backdoor | HIGH |
| 08 | 0248bf2afb70642288646760bb25a38d | Akira (Ransomware) | Ransomware | HIGH |
| 09 | 025d3b9b2536394a3e2dfd950f4a4caa53cc05002e990199372ead2e709ae738 | RedWing | Malware | HIGH |
| 10 | 028475763a1ca5bf5d0166d2b980d0fa1850c8ad3a923d4b1a535ddad8b7cda7 | RuRAT | Cryptomining | HIGH |
| 11 | 02e90a8321fffd0c45e88bcb8aec3839c5971eb3ded89dd9e44960ef48c95564 | ClickFix | Phishing | HIGH |
| 12 | 030b90666a581934de0683ef9232f137867db804f6100c0479958826dc2e4cbb | Fake tax-return phishing | Malware | HIGH |
| 13 | 0315d4a7bc14654ad66d4c2b98920b92ca18cbc231b3ce5fba1fcac70b828e19 | SCMBANKER | Malware | HIGH |
| 14 | 0352f3e338261d98895df4c7b7a76b296485b2290c72bce56603351d167d0601 | UAT-7810 (APT) | APT | HIGH |
| 15 | 03926e3da998f32ad898b640bd15cf145768f9e849e6f18d81350234254c424e | UAT-7810 (APT) | APT | HIGH |
Top 15 · URLs (High severity)
| # | Indicator | Adversary | Category | Severity |
|---|---|---|---|---|
| 01 | hxxp[://]103.217.253.29 | ClickFix | Phishing | HIGH |
| 02 | hxxp[://]130.12.180.43/files/7924412375/upOSLDn.exe | Millenium RAT v4 | RAT | HIGH |
| 03 | hxxp[://]144.172.110.53 | DPRK cluster | APT | HIGH |
| 04 | hxxp[://]158.94.208.168/files/8514679081/DRTjyu7.exe | Millenium RAT v4 | RAT | HIGH |
| 05 | hxxp[://]188.127.246.183 | FortiBleed | Vulnerability | HIGH |
| 06 | hxxp[://]194.233.92.26:2222/ | UAT-7810 (APT) | APT | HIGH |
| 07 | hxxp[://]194.233.92.26:8088/ | UAT-7810 (APT) | APT | HIGH |
| 08 | hxxp[://]213.171.17.74 | FortiBleed | Vulnerability | HIGH |
| 09 | hxxp[://]216.126.227.38 | NetSupport (Malware) | RAT | HIGH |
| 10 | hxxp[://]217.15.160.247:2222/ | UAT-7810 (APT) | APT | HIGH |
| 11 | hxxp[://]217.15.160.247:8088/ | UAT-7810 (APT) | APT | HIGH |
| 12 | hxxp[://]217.15.160.247:99/ | UAT-7810 (APT) | APT | HIGH |
| 13 | hxxp[://]217.15.164.147:2222/ | UAT-7810 (APT) | APT | HIGH |
| 14 | hxxp[://]217.15.164.147:8088/ | UAT-7810 (APT) | APT | HIGH |
| 15 | hxxp[://]217.15.164.147:99/ | UAT-7810 (APT) | APT | HIGH |
10 · Sigma detection rules — four for this week’s standout patterns
Drop into your detection-content pipeline, normalise field names to your SIEM’s schema, tune the false-positive filters, ship.
Sigma 01 · Universal ransomware kill-chain detector (VSS delete)
title: Volume Shadow Copy Deletion — Universal Ransomware Kill-Chain Detector
id: 5c1a8d3f-4b92-4e70-a58c-6f9e7c1b3d40
status: experimental
description: Detects the universal ransomware pre-encrypt behaviour — deletion of
volume shadow copies. Every catalogued ransomware family this week executes this
step. A single detector catches Akira, BianLian, Anubis, GodDamn, BlackNevas,
Beast, Clop, BlackSuit, and 11+ other active families.
references:
- https://hackforlab.com/weekly-threat-advisory-july-6-12-2026/
author: HackForLab Threat Intelligence
date: 2026/07/13
tags:
- attack.impact
- attack.t1490
- attack.t1486
logsource:
category: process_creation
product: windows
detection:
vssadmin_delete:
Image|endswith: '\vssadmin.exe'
CommandLine|contains|all:
- 'delete'
- 'shadows'
wmi_delete:
Image|endswith: '\wmic.exe'
CommandLine|contains|all:
- 'shadowcopy'
- 'delete'
powershell_delete:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- 'Remove-CimInstance'
- 'Win32_ShadowCopy'
condition: 1 of them
falsepositives:
- Legitimate backup operations (verify + allowlist known-good scripts)
level: critical
Sigma 02 · BianLian subnet anchors
title: BianLian Ransomware Subnet Anchor Contact
id: 8a4c7d1e-6b93-4f20-a58d-2e9c1b3f4c60
status: experimental
description: Detects outbound connections to catalogued BianLian ransomware subnet
anchors. Both /24 blocks catalogued this week with concentrated indicators —
treat any traffic to these blocks as high-fidelity.
references:
- https://hackforlab.com/weekly-threat-advisory-july-6-12-2026/
author: HackForLab Threat Intelligence
date: 2026/07/13
tags:
- attack.command_and_control
- attack.t1071
- attack.impact
- attack.t1486
logsource:
category: network_connection
detection:
selection:
DestinationIp|cidr:
- '151.236.16.0/24'
- '172.96.137.0/24'
- '104.168.140.0/23' # concentrated BianLian IP block
- '104.200.72.0/22' # multiple catalogued BianLian addresses in this range
- '104.225.129.0/24'
condition: selection
falsepositives:
- Unlikely — these CIDRs have no documented business use
level: critical
Sigma 03 · Multi-Stage LNK + JS-runtime loader
title: Multi-Stage LNK + JavaScript-Runtime Loader Detection
id: 3f7b9c2e-1d84-4a50-b721-5c8e6d4f2a10
status: experimental
description: Detects an LNK file execution that spawns a JavaScript-runtime process
which then initiates an outbound connection. Catches the multi-stage LNK loader
observed with 135 IOCs this cycle.
references:
- https://hackforlab.com/weekly-threat-advisory-july-6-12-2026/
author: HackForLab Threat Intelligence
date: 2026/07/13
tags:
- attack.execution
- attack.t1204.002
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
parent_shell:
ParentImage|endswith:
- '\explorer.exe'
- '\Shell.exe'
js_runtime_child:
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
- '\node.exe'
- '\jscript.exe'
CommandLine|contains|any:
- '.lnk'
- '.js'
- '.jse'
- '.vbs'
condition: parent_shell and js_runtime_child
falsepositives:
- Legitimate developer / build-agent workflows (allowlist by user + host)
level: high
Sigma 04 · UAT-7810 APT port-trio signature
title: UAT-7810 APT Port-Trio Signature (2222 / 8088 / 99)
id: 7d1a4b8e-5c62-4930-a8f1-3e9c7d5b2a40
status: experimental
description: Detects outbound connections to any destination serving the UAT-7810
APT port-trio signature (2222, 8088, 99). The port combination is a stable
operator fingerprint — matches even after IP rotation.
references:
- https://hackforlab.com/weekly-threat-advisory-july-6-12-2026/
author: HackForLab Threat Intelligence
date: 2026/07/13
tags:
- attack.command_and_control
- attack.t1071
- attack.t1571
logsource:
category: network_connection
detection:
selection_ip:
DestinationIp:
- '194.233.92.26'
- '217.15.160.247'
- '217.15.164.147'
selection_port_trio:
DestinationPort:
- 2222
- 8088
- 99
# Fire on either the known IPs OR any destination on all three ports within 5 min
condition: selection_ip or (selection_port_trio | count(DestinationIp) by 5min > 2)
falsepositives:
- Legitimate SSH-alternate (2222) or internal service (99) use — allowlist by dest
level: high
11 · Hunt queries — SIEM-agnostic pseudo-syntax
Hunt 01 · First-seen contact with UAT-7810 APT port-trio
// Pseudo-query FROM network_flows WHERE (dest_port IN (2222, 8088, 99)) AND first_seen_pair(src_ip, dest_ip) WITHIN 60d | AGGREGATE BY src_ip, dest_ip COUNT(DISTINCT dest_port) AS unique_ports_hit WHERE unique_ports_hit >= 2 | SORT BY unique_ports_hit DESC
Catches the port-trio pattern even against unlisted destinations. Any endpoint contacting 2+ of the three ports on the same destination host is candidate compromise.
Hunt 02 · Ransomware pre-encrypt reconnaissance sequence
// Pseudo-query
FROM process_creates
WHERE process_name IN ('net.exe', 'net1.exe', 'nltest.exe',
'systeminfo.exe', 'ipconfig.exe', 'whoami.exe',
'quser.exe', 'tasklist.exe')
AND host IN (
SELECT host FROM process_creates
WHERE command_line MATCHES '(?i)(vssadmin.*delete.*shadows|Remove-CimInstance.*ShadowCopy)'
AND event_time BETWEEN NOW() - 24h AND NOW()
)
| AGGREGATE BY host, COUNT(DISTINCT process_name) AS distinct_recon
WHERE distinct_recon >= 4
| SORT BY distinct_recon DESC
Ransomware operators run 4+ discovery utilities in quick succession before encrypting. The sequence itself is the signal.
Hunt 03 · LNK + JavaScript-runtime loader chain
// Pseudo-query
FROM process_creates
WHERE parent_process_name IN ('explorer.exe', 'Shell.exe')
AND process_name IN ('wscript.exe', 'cscript.exe', 'node.exe')
AND (command_line CONTAINS '.lnk' OR command_line CONTAINS '.js')
| JOIN network_flows AS n
ON process_creates.host = n.src_host
AND n.flow_time BETWEEN process_creates.create_time
AND process_creates.create_time + 300s
WHERE n.dest_domain NOT IN (allowlisted_domains)
| PROJECT process_creates.host, process_creates.command_line, n.dest_domain
| SORT BY create_time DESC
Catches the LNK-shortcut → JS-runtime → outbound sequence characteristic of the novel loader observed this week.
Hunt 04 · Wallet-drainer domain-registration-velocity pattern (RuRAT)
// Pseudo-query FROM dns_queries WHERE query_name MATCHES regex '.*wallet(-update)?\.' OR query_name MATCHES regex '.*wallet\.(org|com|top|info)$' AND query_name NOT IN (allowlisted_wallet_services) | AGGREGATE BY src_host, query_name | SORT BY COUNT DESC
12 · Operationalise in 60 minutes
Minute 00 – 15 · Block + sinkhole
- Block 172.111.233.0/24 (PlugX — largest APT-malware anchor this week).
- Block 91.92.43.0/24 (Tsundere botnet).
- Block 151.236.16.0/24 + 172.96.137.0/24 (BianLian ransomware).
- Block 194.233.92.26, 217.15.160.247, 217.15.164.147 (UAT-7810 APT).
- DNS-deny the RuRAT wallet-drainer domain cluster (regex
.*wallet(-update)?.).
Minute 15 – 30 · Detection content
- Deploy Sigma 01 (universal volume-shadow-copy deletion detector).
- Deploy Sigma 04 (UAT-7810 port-trio signature).
- Deploy Sigma 03 (multi-stage LNK + JS-runtime loader).
- Add outbound-deny for ports 2222/8088/99 to any destination outside your engineering allowlist.
Minute 30 – 45 · Retrospective hunt
- Run Hunt 01 (port-trio pattern) across last 60 days.
- Run Hunt 02 (ransomware pre-encrypt reconnaissance) across last 30 days.
- Run Hunt 03 (LNK + JS-runtime chain) across last 30 days.
Minute 45 – 60 · Awareness + policy
- Update macOS user-awareness content on the ClickFix technique.
- Brief developers on the coordinated package-registry supply-chain campaign — package allow-listing not optional.
- Audit backup posture: any ransomware operator this week defeats defence-in-depth if backups are online-accessible. Verify air-gapped or immutable backups.
This advisory ships 15 indicators per type. The catalogue carries the full 2,433 unique IOCs, each with adversary attribution, ATT&CK technique, confidence score, and source provenance.
13 · Frequently asked questions
19 ransomware families in one week. Is that unusual?
The concurrent-family count is the highest observed year-to-date. The typical week sees 5-8 named families active with fresh indicators; this week saw 19. The concurrent tempo suggests either coordinated timing (multiple operators executing simultaneously) or a shared upstream initial-access broker feeding several families — the catalogue does not distinguish between these hypotheses. What matters operationally: the ransomware category share of the catalogue is triple the normal baseline.
HASH beat IP for the first time. What should the SOC do differently?
Concretely: prioritise the endpoint-detection content pipeline this week over the perimeter-network content pipeline. Push all catalogued hashes to endpoint scan and quarantine. Verify your EDR content is receiving fresh indicator feeds on a daily cadence. If your EDR content ships weekly while your firewall content ships daily, this week is a leading indicator that the priorities are backwards for the current threat mix.
The UAT-7810 port-trio signature (2222 / 8088 / 99) — why is this a detection asset?
The port trio is an operator-side configuration choice preserved across three different IP anchors. When operators rotate infrastructure they typically rotate IPs; the port pattern is preserved because it is baked into the deployed C2 stack. Rewriting the C2 stack to serve on different ports is significantly more expensive for the operator than registering new IPs. Detection content that fires on the port trio catches rotation attempts by default.
How do I prioritise the 292 Akira indicators?
Three-stage triage. First: push every hash to endpoint scan-and-quarantine. Second: deploy Sigma 01 (VSS delete detector) — catches Akira and every other ransomware family this week regardless of variant. Third: subscribe to the operator’s data-leak-site infrastructure feed so you know when your organisation appears on their published victim list within hours instead of days.
How does the coordinated package-registry campaign differ from ordinary typosquatting?
Two features distinguish it. First, the coordination across two separate public package registries (typically operators target one at a time) suggests either automation or shared upstream tooling. Second, the post-install command-interpreter execution is followed by an obfuscated payload with data encoding — more mature tradecraft than typical typosquat drops which usually stop at credential theft.
What confidence threshold should the SOC use for automated blocking?
For automatic blocklist promotion: high confidence only. For watchlist enrichment: medium and above. For retrospective hunting: include low.
Why is the macOS ClickFix observation important?
It signals that the ClickFix technique has matured beyond the initial Windows target set. macOS environments have historically been under-instrumented for terminal-execution telemetry — many macOS-heavy organisations run no equivalent of endpoint process-create logging. The observation raises the importance of investing in macOS endpoint telemetry parity with Windows.
Where can I see this advisory’s intelligence in operational form?
The HuntIntel operator console exposes every IOC behind this advisory with adversary attribution, ATT&CK technique, severity, confidence, and source provenance pre-joined. Open at huntintel.hackforlab.com/login.html. For the underlying frameworks reference, see Indicators of Compromise and Threat Intelligence: A Practitioner Reference.
Previous week (Jun 29 – Jul 5) ·
Two weeks back (Jun 22-28) ·
Practitioner Reference (IOC + TI) ·
AWS Threat Hunting Library ·
15-Month Threat Hunter Roadmap ·
Threat Intelligence archive










