[Cover image: HackForLab Weekly Threat Advisory, command-center briefing cover, SITREP 026·27, Jun 29 – Jul 5 2026]

Weekly Threat Advisory: 5 APTs, 200 RATs, 74% High-Severity — The Week the C2 Flood Went Quiet (Jun 29 – Jul 5, 2026)

⚠ THREAT LEVEL: SEVERE · SITREP 026·27 · June 29 – July 5, 2026

The C2-flood feeds went quiet this week and the named operators showed up. Five state-aligned APT clusters ran in parallel. AsyncRAT surged to 200+ IOCs — the largest RAT footprint year-to-date. A novel malware family (TONResolver) resolves command-and-control endpoints through a public open blockchain — takedown-resistant by design. Trust-anchor phishing hit at scale (Fake trust-anchor verification-page campaign, 54 IOCs, two subnet anchors). 74 percent of this week’s catalogue is high-severity — roughly ten times the normal baseline. If your SOC was quiet this week, that is the incident.

Sectioned for the working analyst: cluster catalogue, deep-dives on the high-tempo names, ATT&CK technique mapping per adversary, subnet anchors for cheap perimeter blocking, top 15 IOCs per indicator type, four production-ready Sigma rules, 60-minute operationalisation plan. Vendor-neutral. Operator-grade. Archive of prior advisories.

01 · This week in numbers

Look at the topline before you look at anything else: 1,524 unique IOCs, 64 adversary clusters, 1,129 high-severity records (74 percent of the catalogue). That severity share is roughly ten times the normal weekly baseline. The C2-listener-flood feeds that usually dominate the topline volume went quiet, and the named-adversary layer — the intelligence layer — produced the bulk of the intake. Domain volume beat IP volume for the first time in this catalogue’s year-to-date window. That inversion matters: the adversaries were building operator-controlled infrastructure faster than they were burning C2 listeners.

// SITREP 026·27 · June 29 – July 5, 2026
Records this window: 1,592
Unique IOCs: 1,524
High-severity: 1,129 (74%)
Clusters: 64
Named APTs: 5
Ransomware operators: 2

Catalogued, ML-scored, technique-tagged. Refreshed continuously across open-source intelligence, sandbox, TLS, DNS, and honeynet plane sources. Every record carries adversary attribution, technique tag, severity, and confidence.

02 · Five headlines — what defined this week

If you read nothing else, read these five.

Headline 01 · The C2 flood went quiet, the operators came out

The largest volume-contributing feeds — the passive C2-listener-flood sources that usually push 50,000+ IPs per week into the catalogue — produced only 126 records this cycle. Instead, the narrow-indicator layer (domains, hashes, URLs) surged. Result: DOMAIN volume beat IP volume for the first time year-to-date, and 74 percent of the catalogue is high-severity (roughly ten times the normal baseline). The operational signal is that infrastructure-building activity outpaced infrastructure-consumption activity — a leading indicator of a coming operational tempo increase. Prepare next week’s SOC for higher signal-to-noise but also higher incident-fidelity alerts.

Headline 02 · AsyncRAT surged to 200+ IOCs — largest RAT footprint YTD

AsyncRAT contributed 204 unique indicators across two cluster entries (a “malware campaign” tier at 132 IOCs and a “C2” tier at 72 IOCs) — the largest single-family RAT footprint recorded in this catalogue year-to-date. The C2-tier entry covered all four primary IOC types (domain, hash, IP, URL); the malware-campaign tier covered domain, hash, and IP. The ATT&CK technique chain (T1566.001 → T1204 → T1105 → T1071.001 → T1041 → T1547.001) is standard for the family; what is unusual is the scale. Push all 204 indicators to the blocking lane; hunt for the spearphish-attachment-then-registry-run-key sequence across the last 90 days.

Headline 03 · TONResolver — malware resolves C2 via a public open blockchain

TONResolver contributed 125 IOCs across DOMAIN, HASH, and URL — and introduces a novel command-and-control pattern the catalogue has not observed at scale before. The malware resolves its C2 endpoints through a public open blockchain: the operator publishes the current C2 address as a data record on-chain, the implant reads the record, and every rotation is a new blockchain transaction rather than a new DNS registration. The pattern is takedown-resistant by design. Traditional DNS-based blocking cannot break the resolution chain because the resolution never touches conventional DNS. Detection must move to the endpoint layer (observed process behaviour) and the network layer (any outbound connection to public-blockchain RPC endpoints from a non-development host is highly suspicious).

Headline 04 · Trust-anchor phishing at scale — Fake trust-anchor verification-page campaign

A single campaign contributed 54 IOCs across DOMAIN + HASH + IP with two subnet anchors (85.239.149.0/24 and 93.152.224.0/24). The campaign impersonates the visual verification flows used by the internet’s largest trust-anchor providers — the CAPTCHA / verification screens users have been trained by legitimate security infrastructure to trust implicitly. The operational impact is asymmetric: user-awareness training tells users to trust these flows, so the phishing lure defeats the training. Detection must move to the perimeter (subnet blocking) and the DNS layer (the campaign uses generic-looking domain names like 100furniture[.]com and 123clocks[.]com that seem unrelated until you notice the pattern of 100+ such domains registered in a short window). Block both anchor /24s and hunt for the domain-registration-velocity pattern.

Headline 05 · 5 named APTs active — UNC1151, APT36, TeamPCP, Lazarus, BitterAPT + CyberAv3ngers

Five state-aligned threat-actor clusters produced high-severity indicators this cycle. UNC1151 (41 IOCs, DGA pattern targeting account-verification services), APT36 (13 IOCs across all four types), TeamPCP (27 IOCs with a subnet anchor at 83.142.209.0/24), Lazarus (5 URLs with a distinctive REST-API-style C2 path pattern at 216.126.236.244), and BitterAPT (1 hash with a compact TTP set). Separately, CyberAv3ngers produced the week’s largest subnet anchor — 7 IPs concentrated in 185.82.73.0/24. Ransomware category is also active: The Gentlemen (32 IOCs) and Anubis (27 IOCs with a full four-type footprint) are both operationally live. Watch the ransomware layer for double-extortion leak-site infrastructure.


03 · Indicator type, severity, and category mix

The catalogue inverted this week. Where prior weeks saw IP addresses account for 95+ percent of records (from passive C2-listener feeds), this week has DOMAIN as the largest indicator type at 35.4 percent — and only 22.8 percent IP. When the narrow-indicator layer dominates the topline, the intelligence density is higher: every record is more likely to carry adversary attribution and ATT&CK mapping.

By indicator type

Type · Observations · Share
Domains · 539 · 35.37%
File hashes · 422 · 27.69%
IPs · 347 · 22.77%
URLs · 207 · 13.58%
Other artefacts · 8 · 0.52%
Emails · 1 · 0.07%

By severity

Severity · Observations · Share
High · 1,129 · 74.03%
Medium · 373 · 24.46%
Low · 23 · 1.51%

By category

Category · Observations · Share
Malware-Activity · 475 · 30.96%
RAT · 300 · 19.56%
C&C Server · 133 · 8.67%
C&C · 126 · 8.21%
APT · 124 · 8.08%
Malicious Infrastructure · 123 · 8.02%
Ransomware-as-a-service · 64 · 4.17%
Phishing · 47 · 3.06%
Trojan · 44 · 2.87%
Backdoor · 39 · 2.54%
Botnet · 20 · 1.30%
Cryptomining · 14 · 0.91%
Loader · 14 · 0.91%
Spyware · 6 · 0.39%
Vulnerability · 3 · 0.20%
Hacktivist Group · 2 · 0.13%

Reading the inversion. When 74 percent of the catalogue is high-severity, treat every SIEM alert this week as more likely to be a real incident than a normal week. Ratchet the SOC’s escalation thresholds tighter for the next seven days. If your normal on-call rotation is calibrated for a 1-2% high-severity baseline, this week’s rotation will hit fatigue faster than expected.

04 · Top 31 adversary clusters by indicator footprint

The table ranks every named adversary cluster by unique indicator count this week. AsyncRAT tops the list at 132 IOCs (with a separate C2 entry at 72 IOCs, totalling 204 across the family). TONResolver is the novel entry at 125 IOCs. Named APT clusters (UNC1151, APT36, TeamPCP) appear in the upper third — a heavier APT week than most.

# · Adversary cluster · Category · IOC types · Unique IOCs · Severity
01 · AsyncRAT (malware campaign entry) · Malware Campaign · DOMAIN, HASH, IP · 132 · HIGH
02 · Commodity C2 framework A (framework infrastructure) · C2 · IP · 126 · MEDIUM
03 · TONResolver · Malware (RAT) · DOMAIN, HASH, URL · 125 · HIGH
04 · KuinaExtractor · Malware · HASH, IP · 78 · HIGH
05 · AsyncRAT (C2 tier) · C2 · DOMAIN, HASH, IP, URL · 72 · MEDIUM
06 · Fake trust-anchor verification-page campaign · Malware Campaign · DOMAIN, HASH, IP · 54 · HIGH
07 · Millenium · Malware (RAT) · HASH, URL · 50 · HIGH
08 · DCloud Uni-App · Supply Chain · DOMAIN · 49 · HIGH
09 · StegoAd (steganographic ad malware) · Malware Campaign · DOMAIN, URL · 47 · HIGH
10 · Operation DragonReturn · Malware Campaign · DOMAIN, HASH, IP · 41 · HIGH
11 · UNC1151 · Threat Actor (APT) · DOMAIN, HASH, IP · 41 · HIGH
12 · BusySnake · Malware · DOMAIN, HASH, IP · 40 · HIGH
13 · Backdoor.Mistic · Malware (Backdoor) · DOMAIN, HASH, IP, URL · 39 · HIGH
14 · Open remote-management framework · C2 · IP · 39 · MEDIUM
15 · Open exploitation framework · C2 · IP · 34 · MEDIUM
16 · The Gentlemen · Ransomware · HASH, IP · 32 · HIGH
17 · Ousaban · Malware (Trojan) · DOMAIN, HASH, IP · 29 · HIGH
18 · TeamPCP · Threat Actor (APT) · DOMAIN, HASH, IP · 27 · HIGH
19 · Anubis · Ransomware · DOMAIN, HASH, IP, URL · 27 · HIGH
20 · Bladabindi · C2 (RAT) · DOMAIN, IP, URL · 23 · MEDIUM
21 · Phishing AI agents cluster · Malware Campaign · DOMAIN, URL · 21 · HIGH
22 · PamStealer · Malware (Stealer) · HASH, URL · 18 · HIGH
23 · JokerStat · Malware · DOMAIN, URL · 18 · HIGH
24 · Champion Reward · Phishing Campaign · DOMAIN, IP, URL · 17 · LOW
25 · ClickFix · Malware Campaign · DOMAIN, HASH, IP, URL · 16 · HIGH
26 · ChocoPoC · Malware · HASH, URL · 15 · HIGH
27 · LokiBot · Malware · DOMAIN, HASH, IP, URL · 15 · HIGH
28 · RustDuck · Malware · DOMAIN, HASH · 15 · HIGH
29 · Hijacked package-registry entries · Supply Chain · IP, OTHERS, URL · 15 · HIGH
30 · Silent Swap · Cryptomining Campaign · HASH, IP, URL · 14 · HIGH
31 · APT36 · Threat Actor (APT) · DOMAIN, HASH, IP, URL · 13 · HIGH

How to read this. Prioritise clusters that span three or more IOC types — that breadth indicates active operator tempo and a full kill chain. This week’s four-type footprints: AsyncRAT (C2 tier), Backdoor.Mistic, C2, Anubis, ClickFix, LokiBot, APT36. Each is a candidate for retrospective hunt as well as forward blocking.


05 · Cluster deep-dives — the names to act on

05.1 · AsyncRAT surge — 200+ IOCs across the family

Two catalogued cluster entries for the same family contributed 132 IOCs (malware-campaign tier) and 72 IOCs (C2 tier), for a combined 204 unique indicators. The C2-tier entry carries a full four-type footprint (domain, hash, IP, URL); the malware-campaign tier covers domain, hash, and IP. TTP signature is the family standard: T1566.001 spearphishing attachment, T1204 user-execution, T1105 ingress tool transfer, T1071.001 web-protocol C2, T1041 exfil over C2, T1547.001 registry-run-key persistence.

Defensive actions: Push all 204 hashes and IPs to blocking lanes; sinkhole the domains at the resolver. Hunt for the spearphish-attachment-then-registry-run-key sequence across the last 90 days — the sequence is more resilient than any single IOC.

05.2 · TONResolver — blockchain-resolved C2

Novel malware family with 125 IOCs across DOMAIN, HASH, and URL. The distinguishing feature: the malware resolves its C2 endpoints through a public open blockchain rather than DNS. The operator publishes the current C2 address as an on-chain record; the implant reads the record; every rotation is a new blockchain transaction. Result: takedown-resistant infrastructure. Traditional DNS-based blocking cannot break the resolution chain because the resolution never touches conventional DNS.

Defensive actions: Push the 125 catalogued IOCs to blocking. But recognise the strategic limit — when the operator rotates, the new C2 address will not surface in DNS-based catalogues. Detection has to move to (a) endpoint behavioural detection on the process’s TON-RPC library calls or (b) network detection of any outbound connection to public-blockchain RPC endpoints from a non-development host. Audit your outbound egress policy to explicitly deny public-blockchain RPC traffic unless business use is documented.

05.3 · Fake trust-anchor verification-page campaign — trust-anchor phishing at scale

54 IOCs across DOMAIN + HASH + IP with two subnet anchors: 85.239.149.0/24 and 93.152.224.0/24. The campaign impersonates the visual verification flows used by the internet’s largest trust-anchor providers — the CAPTCHA/verification screens users have been trained by legitimate security infrastructure to accept without hesitation. Domain naming is deliberately generic: 100furniture[.]com, 123clocks[.]com, and dozens more that seem unrelated until you notice the registration-velocity pattern.

Defensive actions: Block both /24 subnets at the perimeter (cost: zero; operational risk: none). Deploy a passive-DNS or CT-log monitor for the domain-registration-velocity pattern (100+ generic-sounding domains registered by the same registrar in a short window). Update user-awareness content to warn users about verification flows on unfamiliar domains — the visual convincingness of these lures defeats standard training.

05.4 · UNC1151 — DGA targeting account-verification services

41 IOCs across DOMAIN + HASH + IP. The domain layer shows a deliberate targeting pattern: every domain has a name adjacent to legitimate account-verification services (account-email-verification[.]cc[.]cd, account-protection-support[.]icu, account.check-profile[.]digital). The naming discipline is the fingerprint — DGA output that looks like legitimate service subdomains rather than random alphanumeric strings.

Defensive actions: Block the 21 catalogued domains at DNS. Deploy a regex-based DNS filter for the account-*-verification.* and account-protection-*.* patterns. Route inbound emails carrying links matching those patterns to secondary review.

05.5 · Lazarus (APT38 sub-cluster) — REST-API-style C2

Small footprint but high-fidelity signal: 5 catalogued URLs to a single infrastructure anchor at 216.126.236.244 with a distinctive REST-API-style path pattern (/api/service/makelog, /api/service/process/, /api/service/98cb54c0b4ac259d30c9c1ca1ae87c68, /upload, and port 4801 / 4806 endpoints). The API-path structure is itself a fingerprint — any other host serving this exact path shape is candidate compromise infrastructure.

Defensive actions: Push the anchor IP to blocking. Hunt for outbound traffic matching the API path patterns (/api/service/makelog, /api/service/process) to any destination other than known-legitimate infrastructure.
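Applied to proxy telemetry, the section 05.2 blockchain-RPC egress check and the section 05.5 API-path-shape hunt can run in one pass. The Python below is an added example, not the advisory's or HuntIntel's code; the engineering subnet, the known-good internal API host, the proxy line format and the log lines are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Host substrings for public-blockchain RPC endpoints, as in the advisory's Sigma 01 selection.
BLOCKCHAIN_RPC_HOST_MARKERS = (".ton.org", "toncenter", "ton-rpc", "tonapi")

# Lazarus REST-API-style C2 path shape from section 05.5:
# /api/service/makelog, /api/service/process/, /api/service/<32 hex chars>, /upload
LAZARUS_PATH_RE = re.compile(r"^(/api/service/(makelog|process/?|[0-9a-f]{32})|/upload)$")

# Assumed local values (not from the advisory): the engineering subnet allowed to
# reach blockchain RPC, and internal hosts that legitimately serve /api/service paths.
ENGINEERING_NETS = [ipaddress.ip_network("10.50.0.0/16")]
KNOWN_GOOD_API_HOSTS = {"api.internal.example"}


@dataclass
class ProxyEvent:
    client_ip: str
    host: str   # as logged; may carry a :port suffix
    path: str


def parse_proxy_line(line):
    """Parse one constructed proxy line of the form '<client_ip> <method> <url>'."""
    client_ip, _method, url = line.split(" ", 2)
    m = re.match(r"https?://([^/\s]+)(/\S*)?$", url)
    if not m:
        raise ValueError(f"unparseable url: {url}")
    return ProxyEvent(client_ip, m.group(1), m.group(2) or "/")


def is_engineering(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ENGINEERING_NETS)


def classify(event):
    """Return the finding tags that apply to one proxy event (empty list if benign)."""
    findings = []
    hostname = event.host.rsplit(":", 1)[0].lower()   # strip a trailing :port
    if (any(marker in hostname for marker in BLOCKCHAIN_RPC_HOST_MARKERS)
            and not is_engineering(event.client_ip)):
        findings.append("blockchain_rpc_from_non_engineering_host")
    if LAZARUS_PATH_RE.match(event.path) and hostname not in KNOWN_GOOD_API_HOSTS:
        findings.append("lazarus_api_path_shape")
    return findings


def hunt(lines):
    """Run both checks over proxy lines; returns (client_ip, host, path, tag) tuples."""
    results = []
    for line in lines:
        ev = parse_proxy_line(line)
        for tag in classify(ev):
            results.append((ev.client_ip, ev.host, ev.path, tag))
    return results


# Constructed sample proxy lines. 216.126.236.244 is the anchor named in section 05.5;
# every other host and client address here is made up for the example.
SAMPLE_LOG = [
    "10.50.3.7 GET https://rpc.toncenter.example/api/v2/getAddressInformation",   # engineering host: allowed
    "10.20.4.9 GET https://rpc.toncenter.example/api/v2/getAddressInformation",   # finance host: finding
    "10.20.4.9 POST http://216.126.236.244/api/service/makelog",
    "10.20.8.2 GET http://216.126.236.244/api/service/98cb54c0b4ac259d30c9c1ca1ae87c68",
    "10.20.8.2 POST http://216.126.236.244:4806/upload",
    "10.20.8.2 POST https://api.internal.example/api/service/process/",           # known-good internal API
    "10.20.8.2 GET https://www.example.com/",
]

if __name__ == "__main__":
    for client_ip, host, path, tag in hunt(SAMPLE_LOG):
        print(f"{tag:45} {client_ip:12} -> {host}{path}")
```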

05.6 · CyberAv3ngers — the week’s largest subnet anchor

7 IPs concentrated in 185.82.73.0/24 — the week’s largest APT infrastructure anchor. When 7 IPs from a single named cluster land in the same /24, treat the entire /24 as suspect. The 249 addresses outside the catalogued 7 are almost certainly future rotation candidates.

Defensive actions: Block 185.82.73.0/24 at the perimeter now. Cost: zero. Operational risk: bounded (256 addresses). Amortised leverage: every rotation inside the block hits the same wall.

05.7 · The Gentlemen + Anubis (Ransomware)

Two ransomware operators active this week: The Gentlemen (32 IOCs across HASH + IP) and Anubis (27 IOCs across all four IOC types). Both signal typical double-extortion kill-chain infrastructure — encryption-for-impact + recovery inhibition + exfil to operator-controlled leak site.

Defensive actions: Push all ransomware-tagged hashes to endpoint quarantine. Hunt for the classic ransomware kill-chain sequence: valid-account login from unusual source → remote-management tool execution → large outbound transfer to non-corporate domain within 1 hour.
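The kill-chain sequence above is a windowed, ordered-event correlation per host. The Python below is an added example (not the advisory's code) that implements it; the RMM image names, the corporate domain suffix, the 500 MiB egress threshold and the sample telemetry are assumptions, and the same find_sequences routine runs the section 05.1 spearphish-attachment-then-run-key chain once given that chain's predicates.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed local knowledge (not from the advisory): remote-management tool images
# seen in the environment, the organisation's own domain suffix, and an egress threshold.
RMM_IMAGES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
CORPORATE_SUFFIXES = (".corp.example",)
LARGE_EGRESS_BYTES = 500 * 1024 * 1024   # 500 MiB; tune to your baseline


def is_unusual_logon(e):
    return e["type"] == "logon" and e.get("src_unusual", False)


def is_rmm_execution(e):
    return e["type"] == "process" and e["image"].lower() in RMM_IMAGES


def is_large_external_egress(e):
    return (e["type"] == "netflow"
            and e["bytes_out"] >= LARGE_EGRESS_BYTES
            and not e["dst_domain"].endswith(CORPORATE_SUFFIXES))


# Section 05.7 chain: unusual valid-account logon -> RMM execution -> large egress.
RANSOMWARE_CHAIN = [("unusual_logon", is_unusual_logon),
                    ("rmm_execution", is_rmm_execution),
                    ("large_external_egress", is_large_external_egress)]


def find_sequences(events, chain, window):
    """Return one hit per (host, starting event) where every stage of `chain`
    matches in order, with all stages inside `window` of the first stage."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            if not chain[0][1](start):
                continue
            deadline = start["ts"] + window
            matched, stage = [start], 1
            for e in evs[i + 1:]:
                if e["ts"] > deadline:
                    break            # window expired before the chain completed
                if chain[stage][1](e):
                    matched.append(e)
                    stage += 1
                    if stage == len(chain):
                        hits.append({"host": host, "start": start["ts"],
                                     "stages": [name for name, _ in chain],
                                     "events": matched})
                        break
    return hits


def _t(hhmm):
    return datetime(2026, 7, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample telemetry: WS-FIN-07 completes the chain in 40 minutes;
# WS-HR-02 shows the same stages but its egress comes 90 minutes after the logon;
# SRV-BUILD-01 moves a lot of data, but to a corporate host after a normal logon.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "ts": _t("09:00"), "type": "logon", "user": "j.doe", "src_unusual": True},
    {"host": "WS-FIN-07", "ts": _t("09:12"), "type": "process", "image": "AnyDesk.exe"},
    {"host": "WS-FIN-07", "ts": _t("09:40"), "type": "netflow", "bytes_out": 2_500_000_000,
     "dst_domain": "files.transfer-host.example"},
    {"host": "WS-HR-02", "ts": _t("10:00"), "type": "logon", "user": "a.roe", "src_unusual": True},
    {"host": "WS-HR-02", "ts": _t("10:05"), "type": "process", "image": "anydesk.exe"},
    {"host": "WS-HR-02", "ts": _t("11:30"), "type": "netflow", "bytes_out": 3_000_000_000,
     "dst_domain": "files.transfer-host.example"},
    {"host": "SRV-BUILD-01", "ts": _t("09:05"), "type": "logon", "user": "svc-build", "src_unusual": False},
    {"host": "SRV-BUILD-01", "ts": _t("09:30"), "type": "netflow", "bytes_out": 4_000_000_000,
     "dst_domain": "artifacts.corp.example"},
]


def ransomware_hits(events=SAMPLE_EVENTS, window_hours=1):
    return find_sequences(events, RANSOMWARE_CHAIN, timedelta(hours=window_hours))


if __name__ == "__main__":
    for hit in ransomware_hits():
        print(hit["host"], hit["start"], " -> ".join(hit["stages"]))
```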

05.8 · StegoAd — steganography-based ad malware

47 IOCs across DOMAIN + URL. Steganographic malware family where the payload data is hidden inside image files delivered through legitimate ad-serving infrastructure. Detection must inspect the image content, not the transport. Traditional URL and domain blocking works only against the delivery hosts (which the campaign will rotate); the harder problem is content inspection at the image-decode layer.

Defensive actions: Block the 47 catalogued endpoints. If your environment runs an ad-network gateway, enable image-content inspection where feasible (recognising the false-positive cost). For most environments, network-perimeter blocking of the catalogued endpoints is the operational answer.

05.9 · Phishing AI agents cluster — AI-agent-driven phishing

21 IOCs across DOMAIN + URL. A campaign in which the lure-generation and victim-conversation layers are automated by AI agents — each phishing target receives a personalised, contextually-aware lure. Traditional pattern-based phishing detection (template matching, common-phrase lexical filters) fails because the lure content is unique per victim. Detection has to move to behavioural layers: outbound clicks from the lure landing on unfamiliar domains, credential-entry telemetry, unusual authentication sequences.

Defensive actions: Block the 21 catalogued endpoints. Promote hardware-bound credentials (FIDO2 / passkeys) so successful credential capture cannot replay against your services. For long-term defence, invest in identity-verification workflows that survive AI-generated social-engineering pressure.

05.10 · Hijacked package-registry entries

15 IOCs across IP + OTHERS + URL. Compromised package-registry entries with command-interpreter execution at install-time. CI build agents that pull from an unrestricted public package registry are the exposed surface. This continues the multi-week supply-chain trend and is now a routine background campaign category rather than an exotic one.

Defensive actions: Package allow-listing in CI build agents. Outbound-domain monitoring from build runners. Publisher-identity verification on the package registry.

06 · ATT&CK technique mapping per named cluster

The table below maps each named cluster to the ATT&CK techniques observed in its catalogued indicators, with an operational narrative on how the technique chain plays in practice. Use this table to drive detection-engineering priorities this week — content that fires on these techniques catches the cluster even after IOC rotation.

Cluster | ATT&CK techniques observed | Operational narrative
UNC1151 (APT) | T1583.001 · T1566.002 · T1566.003 · T1204.001 · T1027 · T1102 | Belarusian-aligned cluster running a deliberate domain-generation pattern targeting account-verification services (account-email-verification, account-protection-support, check-profile). Trust-anchor abuse at scale — the operator counts on defenders and users being unable to distinguish these from legitimate verification flows.
APT36 | T1566 · T1204 · T1059 · T1105 · T1041 · T1547.001 | Regional cluster with full four-type footprint. Standard spearphish → user-execute → command-interpreter → second-stage pull → registry-run-key persistence → exfil over C2 chain. Detection content targeting the sequence catches the cluster even after rotation.
TeamPCP (APT) | T1583.001 · T1566 · T1027 · T1105 · T1071 · T1041 | Multi-pivot APT cluster with 27 IOCs and a subnet anchor at 83.142.209.0/24. Adversary-acquired domains + obfuscated payload + web-protocol C2 + exfil over C2.
Lazarus (APT38 sub-cluster) | T1071 · T1071.001 · T1105 · T1041 · T1102 · T1568 | REST-API-style C2 pattern with paths like /api/service/makelog, /api/service/process/, and /upload endpoints. The API path structure is itself a fingerprint — any host serving this path shape is candidate compromise infrastructure.
BitterAPT | T1204 · T1059 · T1105 | User-execution driven initial access, command-interpreter follow-on, second-stage payload pull. Compact TTP set — the cluster runs a tight kill chain and rotates minimally.
CyberAv3ngers | T1071 · T1105 · T1078 · T1190 | The week’s largest APT subnet anchor — 7 IPs concentrated in 185.82.73.0/24. Treat the entire /24 as suspect. Public-app exploitation + valid-account abuse are the historical initial-access pattern.
The Gentlemen (Ransomware) | T1078 · T1021.001 · T1219 · T1486 · T1490 · T1567 | Valid-account initial access, remote-desktop lateral movement, remote-access tooling, encryption for impact, recovery inhibition, exfil to web service. Classic double-extortion ransomware pattern.
Anubis (Ransomware) | T1486 · T1490 · T1567 · T1041 · T1027 · T1071 | Full four-type footprint with 27 IOCs. Encryption-for-impact + recovery inhibition + exfil to operator-controlled web service. Watch for double-extortion leak-site infrastructure.
TONResolver (novel C2) | T1102 · T1568 · T1071 · T1027 | Malware resolves C2 endpoints via a public open blockchain — a takedown-resistant technique. Traditional DNS-based blocking cannot break the resolution chain because the resolution happens on-chain.
Fake trust-anchor verification-page campaign | T1583.001 · T1566.002 · T1036.005 · T1102 | Adversary-acquired domains impersonating trusted platform verification flows. 54 IOCs across DOMAIN+HASH+IP with two subnet anchors (85.239.149.0/24 + 93.152.224.0/24). Trust-anchor social engineering — bypasses user-awareness training because the visual is convincing.
StegoAd (steganography-based) | T1027.003 · T1102 · T1583.001 | Steganographic ad-network malware — payload data hidden inside image files delivered through legitimate ad-serving infrastructure. Detection must inspect the image content, not the transport.
AsyncRAT (200+ IOC surge) | T1566.001 · T1204 · T1105 · T1071.001 · T1041 · T1547.001 | Spearphishing attachment → user-execution → second-stage pull → web-protocol C2 → exfil over C2 → registry-run-key persistence. Largest RAT footprint YTD in this catalogue — 200+ IOCs across two cluster entries.
Backdoor.Mistic | T1071 · T1105 · T1543 · T1027 · T1041 | Full four-type footprint. Web-protocol C2 + system-service abuse for persistence + obfuscated payload + exfil over C2. The multi-type breadth suggests an actively rotating operational build.
ClickFix | T1566 · T1204 · T1059 · T1105 | Phishing → user-execution → command-interpreter → second-stage pull. The “click-to-fix” social-engineering pattern where a fake CAPTCHA or error page instructs the visitor to paste an attacker-controlled command into their command interpreter.
Hijacked package-registry entries | T1195.001 · T1059 · T1027 · T1132 · T1219 | Package-registry compromise with command-interpreter execution at install-time. 15 IOCs including OTHERS (package name artefacts). CI build agents that pull from an unrestricted public package registry are the exposed surface.

Detection-engineering takeaway. The technique catalogue this week is dominated by T1071/T1071.001 (web-protocol C2), T1105 (ingress tool transfer), T1059 (command-interpreter), and T1041 (exfil over C2). If your environment lacks coverage on those four techniques specifically, you are blind to roughly 75 percent of this week’s adversary tradecraft. Prioritise coverage above any single-IOC blocklist work.

07 · Tactic-pressure roll-up

Aggregation of technique tags across every IOC where the source feed published an ATT&CK mapping. Rolls up to the parent tactic.

Tactic | Top techniques observed | What the pressure means in practice | IOC count
Initial Access | T1566 / T1566.001 / T1566.002 / T1195.001 / T1078 / T1190 | Phishing (generic + attachment + via service), supply-chain via dependencies, valid-account abuse, public-app exploit | 316
Execution | T1059 / T1059.001 / T1204 / T1204.001 / T1204.002 | Command-interpreter (PowerShell/CMD), user-execution of malicious link or file | 285
Command and Control | T1071 / T1071.001 / T1102 / T1568 / T1573.002 / T1090 | Web-protocol C2 (HTTP/HTTPS), web-service abuse (including blockchain resolution — see TONResolver), dynamic resolution, asymmetric crypto, proxy | 264
Ingress Tool Transfer | T1105 | Second-stage payload pull — observed in every multi-stage cluster this cycle | 218
Persistence | T1547.001 / T1543 / T1176 | Registry-run keys, system-service abuse, malicious browser extensions | 145
Defense Evasion | T1027 / T1027.003 / T1218 / T1036.005 / T1132 | Obfuscated payload, steganography (StegoAd), signed-binary proxy, masquerading, data encoding | 128
Exfiltration | T1041 / T1567 | Exfil over C2 channel; exfil to operator-controlled web service (double-extortion pattern) | 96
Collection | T1056 / T1056.001 / T1113 / T1185 / T1005 / T1082 | Input capture, keylogging, screen capture, browser session hijack, local data, system-info enum | 82
Credential Access | T1555 / T1003 / T1110 / T1539 | Password store theft, OS credential dumping, brute force, session-cookie theft | 71
Impact | T1486 / T1490 / T1498 | Data encryption (ransomware), recovery inhibition, network DoS | 48
Resource Development | T1583.001 / T1219 | Adversary-acquired domains (heavy this cycle — trust-anchor phishing), legitimate remote-access tooling co-opted for adversary use | 61
Lateral Movement | T1021.001 / T1078 | Remote Desktop for ransomware kill chain, valid-account abuse within the environment | 24

08 · Subnet clustering — shared-infrastructure anchors

The /24 subnet group-by surfaces five operator anchors this week — the highest count in three weeks. Each is a candidate for subnet-level perimeter blocking. The 185.82.73.0/24 anchor (CyberAv3ngers) is the week’s highest-leverage block.

Subnet (/24) | IP count | Adversary cluster | Operator observation
185.82.73.0/24 | 7 | CyberAv3ngers (APT) | The week’s largest APT infrastructure anchor. Treat entire /24 as suspect.
185.252.24.0/24 | 3 | RedLine Stealer | Infrastructure concentration
83.142.209.0/24 | 3 | TeamPCP | APT-tier subnet anchor — cheap perimeter block
85.239.149.0/24 | 3 | Fake trust-anchor verification-page campaign | Trust-anchor phishing infrastructure
93.152.224.0/24 | 3 | Fake trust-anchor verification-page campaign | Second anchor for same campaign — same operator, different tenant

The asymmetric block. Two subnets (85.239.149.0/24 and 93.152.224.0/24) serve the same campaign, the “Fake trust-anchor verification-page campaign”. Same operator, different hosting tenants — the pattern is a hedge against one tenant being taken down. Block both to defeat the hedge.
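The /24 group-by behind this section, plus the two-anchors-per-operator hedge check, as an added example that is not the advisory's code. It accepts indicators in the advisory's defanged notation ([.] and hxxp) and runs on constructed records in documentation address ranges with placeholder cluster names.

```python
import ipaddress
from collections import defaultdict


def refang(indicator):
    """Undo the advisory's publish-safe defanging: [.] -> . , hxxp -> http, [://] -> ://."""
    return (indicator.replace("[.]", ".")
                     .replace("[://]", "://")
                     .replace("hxxp", "http"))


def cluster_by_subnet(records, prefix=24, min_ips=3):
    """Group IPv4 indicators by /prefix and return anchors holding at least
    min_ips distinct addresses as (subnet, ip_count, sorted cluster names),
    largest anchor first. Domains, hashes and URLs are skipped, duplicates collapse."""
    subnets = defaultdict(lambda: {"ips": set(), "clusters": set()})
    for indicator, cluster in records:
        try:
            addr = ipaddress.ip_address(refang(indicator))
        except ValueError:
            continue                      # not a bare IP address
        if addr.version != 4:
            continue
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        subnets[net]["ips"].add(addr)
        subnets[net]["clusters"].add(cluster)
    anchors = [(str(net), len(d["ips"]), sorted(d["clusters"]))
               for net, d in subnets.items() if len(d["ips"]) >= min_ips]
    anchors.sort(key=lambda a: (-a[1], a[0]))
    return anchors


def hedged_campaigns(anchors):
    """Clusters that own two or more anchors: the 'same operator, different
    hosting tenant' hedge. Every subnet listed should be blocked together."""
    owners = defaultdict(list)
    for net, _count, clusters in anchors:
        for cluster in clusters:
            owners[cluster].append(net)
    return {c: nets for c, nets in owners.items() if len(nets) >= 2}


# Constructed (indicator, cluster) records in RFC 5737 documentation ranges.
# "Campaign A" is hedged across two /24s, "Actor B" concentrates seven IPs in one.
SAMPLE_RECORDS = [
    ("192[.]0[.]2[.]10", "Campaign A"), ("192[.]0[.]2[.]55", "Campaign A"),
    ("192[.]0[.]2[.]201", "Campaign A"), ("192[.]0[.]2[.]10", "Campaign A"),   # duplicate
    ("203[.]0[.]113[.]4", "Campaign A"), ("203[.]0[.]113[.]9", "Campaign A"),
    ("203[.]0[.]113[.]77", "Campaign A"),
    ("198[.]51[.]100[.]7", "Actor B"), ("198[.]51[.]100[.]8", "Actor B"),
    ("198[.]51[.]100[.]9", "Actor B"), ("198[.]51[.]100[.]10", "Actor B"),
    ("198[.]51[.]100[.]200", "Actor B"), ("198[.]51[.]100[.]201", "Actor B"),
    ("198[.]51[.]100[.]202", "Actor B"),
    ("example-lure[.]invalid", "Campaign A"),                                   # domain: skipped
    ("hxxp[://]203[.]0[.]113[.]4/verify", "Campaign A"),                       # URL: skipped
    ("10[.]9[.]8[.]7", "Loner"),                                                # below min_ips
]

if __name__ == "__main__":
    anchors = cluster_by_subnet(SAMPLE_RECORDS)
    for net, count, clusters in anchors:
        print(f"{net:18} {count:2} IPs  {', '.join(clusters)}")
    for cluster, nets in hedged_campaigns(anchors).items():
        print(f"hedged: {cluster} across {' + '.join(nets)}")
```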

09 · Top 15 IOCs per indicator type

Operator-grade extractions. All indicators are defanged per publish-safe convention (re-fang on import: replace [.] with . and hxxp with http).

Top 15 · Domains (High severity)

# | Indicator | Adversary | Category | Severity
01 | 100furniture[.]com | Fake trust-anchor verification-page campaign | Malware | HIGH
02 | 123clocks[.]com | Fake trust-anchor verification-page campaign | Malware | HIGH
03 | 345rodeoslot[.]com | Branded Gambling Campaign | Malware | HIGH
04 | 87roulettino12[.]com | Branded Gambling Campaign | Malware | HIGH
05 | Ikkkkddd[.]com | Operation DragonReturn | Malware | HIGH
06 | Kkxqbh[.]top | Operation DragonReturn | Malware | HIGH
07 | a[.]dev-tunnels[.]com | Djinn | Malware | HIGH
08 | aboutbookphoto[.]pro | TONResolver | RAT | HIGH
09 | acasiallc[.]shop | RedLine | Stealer | HIGH
10 | account-email-verification[.]cc[.]cd | UNC1151 (APT) | APT | HIGH
11 | account-emails-verification[.]cc[.]cd | UNC1151 (APT) | APT | HIGH
12 | account-protection-support[.]icu | UNC1151 (APT) | APT | HIGH
13 | account-protection-team[.]icu | UNC1151 (APT) | APT | HIGH
14 | account[.]check-profile[.]digital | UNC1151 (APT) | APT | HIGH
15 | XAEL-AI investment scam (DCloud Uni-App campaign artefact) | DCloud Uni-App | Supply Chain | HIGH

Top 15 · URLs (High severity)

# | Indicator | Adversary | Category | Severity
01 | hxxp[://]130.12.180.43/files/7924412375/upOSLDn.exe | Millenium | RAT | HIGH
02 | hxxp[://]153.117.34.2:52680/Mozi.m | Mirai | Botnet | HIGH
03 | hxxp[://]154.92.16.22/xz.bin | ValleyRAT | RAT | HIGH
04 | hxxp[://]158.94.208.168/files/8514679081/DRTjyu7.exe | Millenium | RAT | HIGH
05 | hxxp[://]158.94.211.95/kelly/five/fre.php | LokiBot | Botnet | HIGH
06 | hxxp[://]166.88.134.62 | Hijacked package-registry entries | Supply Chain | HIGH
07 | hxxp[://]166.88.134.62:443 | Hijacked package-registry entries | Supply Chain | HIGH
08 | hxxp[://]175.173.79.123:35540/Mozi.m | Mirai | Botnet | HIGH
09 | hxxp[://]198.105.127.210 | Hijacked package-registry entries | Supply Chain | HIGH
10 | hxxp[://]198.105.127.210:443 | Hijacked package-registry entries | Supply Chain | HIGH
11 | hxxp[://]216.126.236.244/api/service/98cb54c0b4ac259d30c9c1ca1ae87c68 | Lazarus (APT38) | APT | HIGH
12 | hxxp[://]216.126.236.244/api/service/makelog | Lazarus (APT38) | APT | HIGH
13 | hxxp[://]216.126.236.244/api/service/process/ | Lazarus (APT38) | APT | HIGH
14 | hxxp[://]216.126.236.244:4801 | Lazarus (APT38) | APT | HIGH
15 | hxxp[://]216.126.236.244:4806/upload | Lazarus (APT38) | APT | HIGH

10 · Sigma detection rules — four for this week’s standout patterns

Drop into your detection-content pipeline, normalise field names to your SIEM’s schema, tune the false-positive filters against your allowlist, ship.

Sigma 01 · public-blockchain RPC outbound traffic (TONResolver detection)

title: Outbound Traffic to Non-Development public-blockchain RPC Endpoints
id: 8f2e1c9a-4b7d-4023-a591-6d8f3c1e5b90
status: experimental
description: Detects outbound connections from non-development hosts to public
  open-blockchain RPC endpoints. TONResolver-family malware resolves its C2
  addresses via a public open blockchain — takedown-resistant by design. Any
  outbound public-blockchain RPC traffic from a non-engineering host is a candidate compromise.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-29-july-5-2026/
author: HackForLab Threat Intelligence
date: 2026/07/06
tags:
  - attack.command_and_control
  - attack.t1102
  - attack.t1568
logsource:
  category: proxy
detection:
  selection:
    cs-host|contains:
      - '.ton.org'
      - 'toncenter'
      - 'ton-rpc'
      - 'tonapi'
  exclusion:
    src-ip|cidr: '10.0.0.0/16'   # placeholder: replace with your engineering subnet
  condition: selection and not exclusion
falsepositives:
  - Blockchain-adjacent engineering workloads (allowlist explicitly)
level: high

Sigma 02 · UNC1151 account-verification DGA

title: UNC1151 Account-Verification DGA Pattern
id: 3c1b7d5f-9a82-4e60-b471-2f8e6d4a1c93
status: experimental
description: Detects DNS queries or HTTP host headers matching the UNC1151
  domain-generation pattern targeting account-verification and profile-check
  services.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-29-july-5-2026/
author: HackForLab Threat Intelligence
date: 2026/07/06
tags:
  - attack.initial_access
  - attack.t1566
  - attack.resource_development
  - attack.t1583.001
logsource:
  category: dns_query
detection:
  selection:
    QueryName|re:
      - '^account-(email|emails)-verification\.'
      - '^account-protection-(support|team)\.'
      - '^account\.check-profile\.'
      - '^account-profile-check\.'
  condition: selection
falsepositives:
  - Very rare — this naming convention is not used by legitimate services
level: critical

Sigma 03 · CyberAv3ngers subnet anchor

title: CyberAv3ngers Subnet Anchor Contact
id: b7c9e2a4-6d13-4820-a58f-3e9b7c1d4f60
status: experimental
description: Detects any outbound connection to the CyberAv3ngers subnet anchor
  observed this cycle (185.82.73.0/24, 7 concentrated APT IPs). Treat the entire /24
  as suspect — the remaining 249 addresses are likely rotation candidates.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-29-july-5-2026/
author: HackForLab Threat Intelligence
date: 2026/07/06
tags:
  - attack.command_and_control
  - attack.t1071
  - attack.t1105
logsource:
  category: network_connection
detection:
  selection:
    DestinationIp|cidr: '185.82.73.0/24'
  condition: selection
falsepositives:
  - Unlikely — the /24 has no documented business use
level: critical

Sigma 04 · Lazarus REST-API-style C2 pattern

title: Lazarus REST-API-Style C2 Path Pattern
id: 4d6b8f1c-3a92-4570-b108-9e2c7d5f6a41
status: experimental
description: Detects HTTP requests matching the distinctive REST-API-style C2
  path pattern observed in the Lazarus sub-cluster this cycle. The path shape
  itself is a fingerprint — any host serving this exact API shape is candidate
  compromise infrastructure.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-29-july-5-2026/
author: HackForLab Threat Intelligence
date: 2026/07/06
tags:
  - attack.command_and_control
  - attack.t1071.001
  - attack.exfiltration
  - attack.t1041
logsource:
  category: proxy
detection:
  selection_path:
    cs-uri-stem|re:
      - '^/api/service/makelog$'
      - '^/api/service/process/?'
      - '^/api/service/[a-f0-9]{32}$'
      - '^/upload$'
  selection_port:
    cs-server-port:
      - 4801
      - 4806
  selection_api_prefix:
    cs-uri-stem|startswith: '/api/'
  condition: selection_path or (selection_port and selection_api_prefix)
falsepositives:
  - Internal legacy services on those ports (audit and allowlist)
level: high

11 · Hunt queries — SIEM-agnostic pseudo-syntax

Hunt 01 · First-seen contact with this week’s APT anchors

// Pseudo-query
FROM network_flows
WHERE dest_ip IN (
  '111.88.74.246',       -- UNC1151
  '135.181.171.40',      -- Fake trust-anchor verification
  '144.202.14.75',       -- Anubis
  '146.19.248.120',      -- Fake trust-anchor verification
  '149.28.66.79',        -- Anubis
  '216.126.236.244'      -- Lazarus
)
  AND first_seen_pair(src_ip, dest_ip) WITHIN 60d
| AGGREGATE BY src_ip, dest_ip
| SORT BY flow_count DESC

Any new first-seen pairing to these anchors within the last 60 days is an in-progress incident.
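The Hunt 01 logic carried out in code, as an added example that is not part of this advisory: it folds the Sigma 03 /24 anchor in with Hunt 01's single-IP anchors, keeps the earliest timestamp per src/dest pair, and reports only pairs first seen inside the 60-day window. The flow tuples and internal addresses are constructed, and `first_seen_anchor_contacts` is my name for the hunt, not a catalogue API.

```python
import ipaddress
from datetime import datetime, timedelta

# Anchors from this advisory: the CyberAv3ngers /24 (Sigma 03) plus the single
# APT anchor IPs listed in Hunt 01, each tagged with its adversary cluster.
ANCHORS = [(ipaddress.ip_network(n), a) for n, a in [
    ("185.82.73.0/24", "CyberAv3ngers"),
    ("111.88.74.246/32", "UNC1151"),
    ("135.181.171.40/32", "Fake trust-anchor verification"),
    ("144.202.14.75/32", "Anubis"),
    ("146.19.248.120/32", "Fake trust-anchor verification"),
    ("149.28.66.79/32", "Anubis"),
    ("216.126.236.244/32", "Lazarus"),
]]

def anchor_for(dest_ip):
    """Adversary name if dest_ip falls inside any anchor, else None."""
    addr = ipaddress.ip_address(dest_ip)
    return next((name for net, name in ANCHORS if addr in net), None)

def first_seen_anchor_contacts(flows, now, window_days=60):
    """Hunt 01: flows are (timestamp, src_ip, dest_ip). Returns
    (src, dest, adversary, first_seen, flow_count) for pairs first seen in window."""
    first, counts = {}, {}
    for ts, src, dst in flows:
        name = anchor_for(dst)
        if name is None:
            continue                      # not an anchor contact
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
        if (src, dst) not in first or ts < first[(src, dst)][0]:
            first[(src, dst)] = (ts, name)   # keep earliest contact per pair
    cutoff = now - timedelta(days=window_days)
    hits = [(s, d, name, ts, counts[(s, d)])
            for (s, d), (ts, name) in first.items() if ts >= cutoff]
    return sorted(hits, key=lambda h: h[4], reverse=True)

# Constructed sample flows (not real telemetry); NOW is the end of the window.
NOW = datetime(2026, 7, 5, 23, 59)
SAMPLE_FLOWS = [
    (NOW - timedelta(days=2), "10.1.4.23", "185.82.73.17"),    # inside the /24, new pair
    (NOW - timedelta(hours=3), "10.1.4.23", "185.82.73.17"),
    (NOW - timedelta(days=5), "10.1.9.8", "216.126.236.244"),  # Lazarus anchor, new pair
    (NOW - timedelta(days=90), "10.2.0.5", "144.202.14.75"),   # pair predates the 60d window
    (NOW - timedelta(days=1), "10.2.0.5", "144.202.14.75"),
    (NOW - timedelta(days=1), "10.1.4.23", "203.0.113.9"),     # not an anchor, ignored
]

if __name__ == "__main__":
    for src, dst, adv, ts, n in first_seen_anchor_contacts(SAMPLE_FLOWS, NOW):
        print(f"{src} -> {dst} [{adv}] first_seen={ts:%Y-%m-%d} flows={n}")
```

The pair 10.2.0.5 -> 144.202.14.75 is still an anchor contact that Sigma 03-style matching would flag; Hunt 01 drops it only because the relationship predates the window.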

Hunt 02 · public-blockchain RPC outbound from non-engineering hosts

// Pseudo-query
FROM proxy_logs
WHERE dest_host MATCHES regex '(?i)(toncenter|\.ton\.org|ton-rpc|tonapi)'
  AND src_host NOT IN (allowlisted_engineering_hosts)
| AGGREGATE BY src_host, dest_host
  COUNT(*) AS req_count,
  MIN(request_time) AS first_seen
| SORT BY first_seen DESC

Catches TONResolver-style malware without needing to know the C2 IP — the resolution behaviour itself is the signal.

Hunt 03 · Account-verification lookalike domain queries

// Pseudo-query
FROM dns_queries
WHERE query_name MATCHES regex '^(account-.*(verification|protection|profile-check)|.*check-profile\.)'
  AND query_name NOT IN (allowlisted_verification_services)
| AGGREGATE BY src_host, query_name
| SORT BY COUNT DESC

Catches UNC1151-style DGA output at the resolver.

Hunt 04 · REST-API-style C2 pattern (Lazarus shape)

// Pseudo-query
FROM proxy_logs
WHERE cs_uri_stem MATCHES regex '^/api/service/(makelog|process|[a-f0-9]{32})'
  OR (cs_server_port IN (4801, 4806) AND cs_uri_stem STARTS WITH '/api/')
| AGGREGATE BY src_host, dest_host
| SORT BY request_count DESC
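Sigma 04 and Hunt 04 as runnable detection logic over proxy lines, an added example rather than the advisory's own code: the path shapes and ports come from the rule, the log layout and the non-anchor hosts are constructed, and unlike the Sigma rule it flags a bare `/upload` only on the anchor ports (my choice, to cut noise).

```python
import re

# Path shapes and ports from Sigma 04 / Hunt 04. The bare '/upload' path is gated
# to the anchor ports here (my choice, not the advisory's rule) to cut noise.
PATH_PATTERNS = [re.compile(p) for p in (
    r"^/api/service/makelog$",
    r"^/api/service/process/?",
    r"^/api/service/[a-f0-9]{32}$",
)]
C2_PORTS = {4801, 4806}
PORT_GATED_PATTERNS = [re.compile(p) for p in (r"^/api/", r"^/upload$")]

def is_lazarus_shape(path, port):
    """True when the request matches the REST-API-style C2 shape: a known path
    on any port, or an '/api/'-prefixed or '/upload' path on ports 4801/4806."""
    if any(p.search(path) for p in PATH_PATTERNS):
        return True
    return port in C2_PORTS and any(p.search(path) for p in PORT_GATED_PATTERNS)

def scan_proxy_log(lines):
    """Assumed (constructed) log layout: '<src_ip> <dest_host> <port> <uri-stem>'.
    Returns one (src_ip, dest_host, port, path) tuple per matching request."""
    hits = []
    for line in lines:
        src, host, port, path = line.split()
        if is_lazarus_shape(path, int(port)):
            hits.append((src, host, int(port), path))
    return hits

def hosts_serving_shape(hits):
    """Hunt 04 aggregation: which destination hosts serve the shape, and how often."""
    counts = {}
    for _, host, _, _ in hits:
        counts[host] = counts.get(host, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample proxy lines (not real telemetry). The anchor IP is the one
# listed in this advisory; the other hosts are placeholders.
SAMPLE_LOG = [
    "10.1.4.23 216.126.236.244 80 /api/service/makelog",
    "10.1.4.23 216.126.236.244 4806 /upload",
    "10.1.9.8 unknown-host.example 443 /api/service/98cb54c0b4ac259d30c9c1ca1ae87c68",
    "10.1.9.8 unknown-host.example 443 /api/service/deadbeef",   # not 32 hex chars
    "10.2.0.5 intranet.example 4801 /api/v2/users",              # port-gated prefix hit
    "10.2.0.5 intranet.example 8080 /api/v2/users",              # same path, normal port
    "10.2.0.5 files.example 443 /upload",                        # bare /upload, normal port
]

if __name__ == "__main__":
    for host, n in hosts_serving_shape(scan_proxy_log(SAMPLE_LOG)):
        print(f"{host}: {n} request(s) matching the Lazarus API shape")
```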

12 · Operationalise this advisory in 60 minutes

Minute 00 – 15 · Block + sinkhole

  • Block 185.82.73.0/24 at the perimeter (CyberAv3ngers APT anchor). Cost: zero. Risk: none.
  • Block 85.239.149.0/24 and 93.152.224.0/24 (Fake trust-anchor verification-page campaign anchors).
  • Block 83.142.209.0/24 (TeamPCP APT anchor).
  • Block 216.126.236.244 (Lazarus sub-cluster anchor).
  • Push the 15 top IPs and 15 top hashes to blocking lanes.

Minute 15 – 30 · Detection content

  • Deploy the four Sigma rules from Section 10.
  • Add explicit outbound-deny for public-blockchain RPC endpoints from non-engineering hosts (blocks TONResolver-style malware even after C2 rotation).
  • Tune false-positive filters against your engineering allowlist.

Minute 30 – 45 · Retrospective hunt

  • Run Hunt 01 (APT anchor first-seen) across the last 60 days.
  • Run Hunt 03 (account-verification DGA queries) baseline scan.
  • Run Hunt 04 (Lazarus REST-API path pattern) against the last 30 days.

Minute 45 – 60 · Awareness + policy

  • Update user-awareness content on trust-anchor phishing — verification flows on unfamiliar domains should be treated as suspicious.
  • Audit outbound egress policy for public-blockchain RPC and any blockchain-adjacent RPC traffic. Deny by default from non-engineering hosts.
  • Brief developers on the sustained supply-chain trend. Package allow-listing and publisher-identity verification remain non-optional.

// CONTINUE WITH HUNTINTEL

This advisory ships 15 indicators per type. The catalogue carries the full 1,524 unique IOCs, each with adversary attribution, ATT&CK technique, confidence score, and source provenance.

Open HuntIntel →

13 · Frequently asked questions

74% high-severity is unusual. Should I trust the number?

Yes. The severity classification is machine-learning-scored per record based on adversary attribution, ATT&CK-technique coverage, indicator freshness, and source pedigree. When the C2-listener-flood feeds go quiet (as this week), the remaining indicators are the narrow, high-fidelity layer where high-severity classification is normal. The 74% share reflects the composition of this week’s catalogue, not a threshold change.

What is the public open blockchain and why is TONResolver a problem?

The blockchain TONResolver uses is a public, open ledger that supports arbitrary data records on-chain. TONResolver-family malware publishes its C2 endpoint address as an on-chain record; the implant queries the blockchain to retrieve the current C2 address. Because DNS is not involved, DNS-based blocking cannot break the resolution chain. Rotation is a new on-chain transaction, essentially free and instant for the operator. Detection must happen at the endpoint or in the outbound network egress.

How do I detect the Lazarus REST-API pattern without a known C2 IP?

Sigma 04 and Hunt 04 fire on the path shape rather than on the destination IP. Any host serving /api/service/makelog, /api/service/process/, or /api/service/<32-hex-chars>, or receiving traffic on ports 4801/4806 with an /api/ path prefix, is candidate compromise infrastructure regardless of whether the IP is catalogued.

How do I prioritise the 1,129 high-severity records?

Three-tier triage. First: subnet-block the five /24 anchors from Section 08. Second: push the top 15 IPs and top 15 hashes to your blocking lane. Third: deploy the four Sigma rules. After that, work down the deep-dive clusters in Section 05 by category relevance to your industry vertical.

Why did the C2-flood feeds go quiet this week?

Multiple explanations are consistent with the observed pattern: a temporary decrease in publicly-observable listener rotation, feed-level ingestion changes upstream, or a genuine operator lull between campaigns. The catalogue does not distinguish between these causes. What matters is that this week the intelligence density is higher — use the operational surplus to catch up on the tactical / TTP-tier detection work that usually gets deprioritised during flood weeks.

How current is each indicator?

Every record carries first_seen, last_seen, and confidence fields. This advisory’s window is the seven-day last_updated span — every indicator was either added or reaffirmed in that window.

What confidence threshold should the SOC use for automated blocking?

For automatic blocklist promotion: high confidence only. For watchlist enrichment: medium and above. For retrospective hunting: include low.

How does trust-anchor phishing differ from ordinary phishing?

Trust-anchor phishing impersonates the visual verification flows of internet infrastructure that users have been explicitly trained by legitimate security messaging to trust (CAPTCHAs, third-party verification screens, browser safety warnings). Ordinary phishing impersonates a specific service brand. The trust-anchor variant defeats user-awareness training because the visual is convincing and the training told the user to accept the flow. Defence must move upstream to the perimeter (subnet blocking) and downstream to identity (hardware-bound credentials).

Where can I see this advisory’s intelligence in operational form?

The HuntIntel operator console exposes every IOC behind this advisory with adversary attribution, ATT&CK technique, severity, confidence, and source provenance pre-joined. Open at huntintel.hackforlab.com/login.html. For the underlying frameworks reference, see Indicators of Compromise and Threat Intelligence: A Practitioner Reference.

Core Working Areas: Threat Intelligence, Digital Forensics, Incident Response, Fraud Investigation, Web Application Security
Technical Certifications: Computer Hacking Forensics Investigator | Certified Ethical Hacker | Certified Cyber Crime Investigator | Certified Professional Hacker | Certified Professional Forensics Analyst | Red Hat Certified Engineer | Cisco Certified Network Associate | Certified Firewall Solutions | Certified Network Monitoring Solution | Certified Proxy Solutions