The C2-flood feeds went quiet this week and the named operators showed up. Five state-aligned APT clusters ran in parallel. AsyncRAT surged to 200+ IOCs — the largest RAT footprint year-to-date. A novel malware family (TONResolver) resolves command-and-control endpoints through a public open blockchain — takedown-resistant by design. Trust-anchor phishing hit at scale (Fake trust-anchor verification-page campaign, 54 IOCs, two subnet anchors). 74 percent of this week’s catalogue is high-severity — roughly ten times the normal baseline. If your SOC was quiet this week, that is the incident.
Sectioned for the working analyst: cluster catalogue, deep-dives on the high-tempo names, ATT&CK technique mapping per adversary, subnet anchors for cheap perimeter blocking, top 15 IOCs per indicator type, four production-ready Sigma rules, 60-minute operationalisation plan. Vendor-neutral. Operator-grade. Archive of prior advisories.
02 · Five headlines
03 · IOC / severity / category mix
04 · Top 31 adversary clusters
05 · Cluster deep-dives
06 · ATT&CK per adversary
07 · Tactic pressure roll-up
08 · Subnet clustering
09 · Top 15 IOCs per type
10 · Sigma detection rules
11 · Hunt queries
12 · Operationalise in 60 min
13 · FAQ
HuntIntel ships every IOC behind this advisory with provenance, confidence score, ATT&CK technique, and adversary cluster pre-mapped — queryable in the operator console, exportable to your SIEM in seconds. Stop reading PDFs. Start querying the catalogue.
01 · This week in numbers
Look at the topline before you look at anything else: 1,524 unique IOCs, 64 adversary clusters, 1,129 high-severity records (74 percent of the catalogue). That severity share is roughly ten times the normal weekly baseline. The C2-listener-flood feeds that usually dominate the topline volume went quiet, and the named-adversary layer — the intelligence layer — produced the bulk of the intake. Domain volume beat IP volume for the first time in this catalogue’s year-to-date window. That inversion matters: the adversaries were building operator-controlled infrastructure faster than they were burning C2 listeners.
Catalogued, ML-scored, technique-tagged. Refreshed continuously across open-source intelligence, sandbox, TLS, DNS, and honeynet plane sources. Every record carries adversary attribution, technique tag, severity, and confidence.
02 · Five headlines — what defined this week
If you read nothing else, read these five.
Headline 01 · The C2 flood went quiet, the operators came out
The largest volume-contributing feeds — the passive C2-listener-flood sources that usually push 50,000+ IPs per week into the catalogue — produced only 126 records this cycle. Instead, the narrow-indicator layer (domains, hashes, URLs) surged. Result: DOMAIN volume beat IP volume for the first time year-to-date, and 74 percent of the catalogue is high-severity (roughly ten times the normal baseline). The operational signal is that infrastructure-building activity outpaced infrastructure-consumption activity — a leading indicator of a coming operational tempo increase. Prepare next week’s SOC for higher signal-to-noise but also higher incident-fidelity alerts.
Headline 02 · AsyncRAT surged to 200+ IOCs — largest RAT footprint YTD
AsyncRAT contributed 204 unique indicators across two cluster entries (a “malware campaign” tier at 132 IOCs and a “C2” tier at 72 IOCs) — the largest single-family RAT footprint recorded in this catalogue year-to-date. The C2-tier entry covered all four primary IOC types (domain, hash, IP, URL); the malware-campaign tier covered domain, hash, and IP. The ATT&CK technique chain (T1566.001 → T1204 → T1105 → T1071.001 → T1041 → T1547.001) is standard for the family; what is unusual is the scale. Push all 204 indicators to the blocking lane; hunt for the spearphish-attachment-then-registry-run-key sequence across the last 90 days.
Headline 03 · TONResolver — malware resolves C2 via a public open blockchain
TONResolver contributed 125 IOCs across DOMAIN, HASH, and URL — and introduces a novel command-and-control pattern the catalogue has not observed at scale before. The malware resolves its C2 endpoints through a public open blockchain: the operator publishes the current C2 address as a data record on-chain, the implant reads the record, and every rotation is a new blockchain transaction rather than a new DNS registration. The pattern is takedown-resistant by design. Traditional DNS-based blocking cannot break the resolution chain because the resolution never touches conventional DNS. Detection must move to the endpoint layer (observed process behaviour) and the network layer (any outbound connection to public-blockchain RPC endpoints from a non-development host is highly suspicious).
Headline 04 · Trust-anchor phishing at scale — Fake trust-anchor verification-page campaign
A single campaign contributed 54 IOCs across DOMAIN + HASH + IP with two subnet anchors (85.239.149.0/24 and 93.152.224.0/24). The campaign impersonates the visual verification flows used by the internet’s largest trust-anchor providers — the CAPTCHA / verification screens users have been trained by legitimate security infrastructure to trust implicitly. The operational impact is asymmetric: user-awareness training tells users to trust these flows, so the phishing lure defeats the training. Detection must move to the perimeter (subnet blocking) and the DNS layer (the campaign uses generic-looking domain names like 100furniture[.]com and 123clocks[.]com that seem unrelated until you notice the pattern of 100+ such domains registered in a short window). Block both anchor /24s and hunt for the domain-registration-velocity pattern.
Headline 05 · 5 named APTs active — UNC1151, APT36, TeamPCP, Lazarus, BitterAPT + CyberAv3ngers
Five state-aligned threat-actor clusters produced high-severity indicators this cycle. UNC1151 (41 IOCs, DGA pattern targeting account-verification services), APT36 (13 IOCs across all four types), TeamPCP (27 IOCs with a subnet anchor at 83.142.209.0/24), Lazarus (5 URLs with a distinctive REST-API-style C2 path pattern at 216.126.236.244), and BitterAPT (1 hash with a compact TTP set). Separately, CyberAv3ngers produced the week’s largest subnet anchor — 7 IPs concentrated in 185.82.73.0/24. Ransomware category is also active: The Gentlemen (32 IOCs) and Anubis (27 IOCs with a full four-type footprint) are both operationally live. Watch the ransomware layer for double-extortion leak-site infrastructure.
03 · Indicator type, severity, and category mix
The catalogue inverted this week. Where prior weeks saw IP addresses account for 95+ percent of records (from passive C2-listener feeds), this week has DOMAIN as the largest indicator type at 35.4 percent — and only 22.8 percent IP. When the narrow-indicator layer dominates the topline, the intelligence density is higher: every record is more likely to carry adversary attribution and ATT&CK mapping.
By indicator type
| Type | Observations | Share |
|---|---|---|
| Domains | 539 | 35.37% |
| File hashes | 422 | 27.69% |
| IPs | 347 | 22.77% |
| URLs | 207 | 13.58% |
| Other artefacts | 8 | 0.52% |
| Emails | 1 | 0.07% |
By severity
| Severity | Observations | Share |
|---|---|---|
| High | 1,129 | 74.03% |
| Medium | 373 | 24.46% |
| Low | 23 | 1.51% |
By category
| Category | Observations | Share |
|---|---|---|
| Malware-Activity | 475 | 30.96% |
| RAT | 300 | 19.56% |
| C&C Server | 133 | 8.67% |
| C&C | 126 | 8.21% |
| APT | 124 | 8.08% |
| Malicious Infrastructure | 123 | 8.02% |
| Ransomware-as-a-service | 64 | 4.17% |
| Phishing | 47 | 3.06% |
| Trojan | 44 | 2.87% |
| Backdoor | 39 | 2.54% |
| Botnet | 20 | 1.30% |
| Cryptomining | 14 | 0.91% |
| Loader | 14 | 0.91% |
| Spyware | 6 | 0.39% |
| Vulnerability | 3 | 0.20% |
| Hacktivist Group | 2 | 0.13% |
Reading the inversion. When 74 percent of the catalogue is high-severity, treat every SIEM alert this week as more likely to be a real incident than a normal week. Ratchet the SOC’s escalation thresholds tighter for the next seven days. If your normal on-call rotation is calibrated for a 1-2% high-severity baseline, this week’s rotation will hit fatigue faster than expected.
04 · Top 31 adversary clusters by indicator footprint
The table ranks every named adversary cluster by unique indicator count this week. AsyncRAT tops the list at 132 IOCs (with a separate C2 entry at 72 IOCs, totalling 204 across the family). TONResolver is the novel entry at 125 IOCs. Named APT clusters (UNC1151, APT36, TeamPCP) appear in the upper third — a heavier APT week than most.
| # | Adversary cluster | Type · IOC types | Unique IOCs | Severity |
|---|---|---|---|---|
| 01 | AsyncRAT (malware campaign entry) | Malware Campaign · DOMAIN, HASH, IP | 132 | HIGH |
| 02 | Commodity C2 framework A (framework infrastructure) | C2 · IP | 126 | MEDIUM |
| 03 | TONResolver | Malware (RAT) · DOMAIN, HASH, URL | 125 | HIGH |
| 04 | KuinaExtractor | Malware · HASH, IP | 78 | HIGH |
| 05 | AsyncRAT (C2 tier) | C2 · DOMAIN, HASH, IP, URL | 72 | MEDIUM |
| 06 | Fake trust-anchor verification-page campaign | Malware Campaign · DOMAIN, HASH, IP | 54 | HIGH |
| 07 | Millenium | Malware (RAT) · HASH, URL | 50 | HIGH |
| 08 | DCloud Uni-App | Supply Chain · DOMAIN | 49 | HIGH |
| 09 | StegoAd (steganographic ad malware) | Malware Campaign · DOMAIN, URL | 47 | HIGH |
| 10 | Operation DragonReturn | Malware Campaign · DOMAIN, HASH, IP | 41 | HIGH |
| 11 | UNC1151 | Threat Actor (APT) · DOMAIN, HASH, IP | 41 | HIGH |
| 12 | BusySnake | Malware · DOMAIN, HASH, IP | 40 | HIGH |
| 13 | Backdoor.Mistic | Malware (Backdoor) · DOMAIN, HASH, IP, URL | 39 | HIGH |
| 14 | Open remote-management framework | C2 · IP | 39 | MEDIUM |
| 15 | Open exploitation framework | C2 · IP | 34 | MEDIUM |
| 16 | The Gentlemen | Ransomware · HASH, IP | 32 | HIGH |
| 17 | Ousaban | Malware (Trojan) · DOMAIN, HASH, IP | 29 | HIGH |
| 18 | TeamPCP | Threat Actor (APT) · DOMAIN, HASH, IP | 27 | HIGH |
| 19 | Anubis | Ransomware · DOMAIN, HASH, IP, URL | 27 | HIGH |
| 20 | Bladabindi | C2 (RAT) · DOMAIN, IP, URL | 23 | MEDIUM |
| 21 | Phishing AI agents cluster | Malware Campaign · DOMAIN, URL | 21 | HIGH |
| 22 | PamStealer | Malware (Stealer) · HASH, URL | 18 | HIGH |
| 23 | JokerStat | Malware · DOMAIN, URL | 18 | HIGH |
| 24 | Champion Reward | Phishing Campaign · DOMAIN, IP, URL | 17 | LOW |
| 25 | ClickFix | Malware Campaign · DOMAIN, HASH, IP, URL | 16 | HIGH |
| 26 | ChocoPoC | Malware · HASH, URL | 15 | HIGH |
| 27 | LokiBot | Malware · DOMAIN, HASH, IP, URL | 15 | HIGH |
| 28 | RustDuck | Malware · DOMAIN, HASH | 15 | HIGH |
| 29 | Hijacked package-registry entries | Supply Chain · IP, OTHERS, URL | 15 | HIGH |
| 30 | Silent Swap | Cryptomining Campaign · HASH, IP, URL | 14 | HIGH |
| 31 | APT36 | Threat Actor (APT) · DOMAIN, HASH, IP, URL | 13 | HIGH |
How to read this. Prioritise clusters that span three or more IOC types — that breadth indicates active operator tempo and a full kill chain. This week’s four-type footprints: AsyncRAT (C2 tier), Backdoor.Mistic, C2, Anubis, ClickFix, LokiBot, APT36. Each is a candidate for retrospective hunt as well as forward blocking.
05 · Cluster deep-dives — the names to act on
05.1 · AsyncRAT surge — 200+ IOCs across the family
Two catalogued cluster entries for the same family contributed 132 IOCs (malware-campaign tier) and 72 IOCs (C2 tier), for a combined 204 unique indicators. The C2-tier entry carries a full four-type footprint (domain, hash, IP, URL); the malware-campaign tier covers domain, hash, and IP. TTP signature is the family standard: T1566.001 spearphishing attachment, T1204 user-execution, T1105 ingress tool transfer, T1071.001 web-protocol C2, T1041 exfil over C2, T1547.001 registry-run-key persistence.
Defensive actions: Push all 204 hashes and IPs to blocking lanes; sinkhole the domains at the resolver. Hunt for the spearphish-attachment-then-registry-run-key sequence across the last 90 days — the sequence is more resilient than any single IOC.
05.2 · TONResolver — blockchain-resolved C2
Novel malware family with 125 IOCs across DOMAIN, HASH, and URL. The distinguishing feature: the malware resolves its C2 endpoints through a public open blockchain rather than DNS. The operator publishes the current C2 address as an on-chain record; the implant reads the record; every rotation is a new blockchain transaction. Result: takedown-resistant infrastructure. Traditional DNS-based blocking cannot break the resolution chain because the resolution never touches conventional DNS.
Defensive actions: Push the 125 catalogued IOCs to blocking. But recognise the strategic limit — when the operator rotates, the new C2 address will not surface in DNS-based catalogues. Detection has to move to (a) endpoint behavioural detection on the process’s TON-RPC library calls or (b) network detection of any outbound connection to public-blockchain RPC endpoints from a non-development host. Audit your outbound egress policy to explicitly deny public-blockchain RPC traffic unless business use is documented.
05.3 · Fake trust-anchor verification-page campaign — trust-anchor phishing at scale
54 IOCs across DOMAIN + HASH + IP with two subnet anchors: 85.239.149.0/24 and 93.152.224.0/24. The campaign impersonates the visual verification flows used by the internet’s largest trust-anchor providers — the CAPTCHA/verification screens users have been trained by legitimate security infrastructure to accept without hesitation. Domain naming is deliberately generic: 100furniture[.]com, 123clocks[.]com, and dozens more that seem unrelated until you notice the registration-velocity pattern.
Defensive actions: Block both /24 subnets at the perimeter (cost: zero; operational risk: none). Deploy a passive-DNS or CT-log monitor for the domain-registration-velocity pattern (100+ generic-sounding domains registered by the same registrar in a short window). Update user-awareness content to warn users about verification flows on unfamiliar domains — the visual convincingness of these lures defeats standard training.
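A minimal registration-velocity monitor of the kind the defensive actions describe, added here as an example and not the advisory's or any vendor's code. The record format, the registrar names and the "digits then a word" heuristic for generic-sounding names are assumptions; the threshold is lowered from the advisory's 100+ so the constructed sample fires.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Heuristic for the "generic-sounding" names the advisory cites
# (100furniture[.]com, 123clocks[.]com): a run of digits, then a word, optional
# trailing digits, then the TLD. An assumption for this example, not a published rule.
GENERIC_NAME = re.compile(r"^\d{2,}[a-z]+\d*\.[a-z]{2,}$")

Record = Tuple[str, str, str]  # (ISO timestamp, domain, registrar)


def looks_generic(domain: str) -> bool:
    return bool(GENERIC_NAME.match(domain.replace("[.]", ".").lower()))


def registration_velocity_alerts(records: Iterable[Record], window_hours: int = 24,
                                 threshold: int = 100, generic_only: bool = True) -> List[Dict]:
    """Sliding-window count of new registrations per registrar. Emits one alert
    each time the count inside the window climbs to `threshold`, and re-arms
    once the window drains below it. The advisory's pattern is 100+ generic
    domains from one registrar in a short window; tune both parameters."""
    by_registrar: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, domain, registrar in records:
        if generic_only and not looks_generic(domain):
            continue
        by_registrar[registrar].append((datetime.fromisoformat(ts), domain.replace("[.]", ".")))

    window = timedelta(hours=window_hours)
    alerts: List[Dict] = []
    for registrar, items in by_registrar.items():
        items.sort()
        recent: deque = deque()
        armed = True
        for t, domain in items:
            recent.append((t, domain))
            while recent and t - recent[0][0] > window:   # drop out-of-window entries
                recent.popleft()
            if len(recent) >= threshold and armed:
                alerts.append({
                    "registrar": registrar,
                    "window_start": recent[0][0].isoformat(),
                    "window_end": t.isoformat(),
                    "count": len(recent),
                    "sample": [d for _, d in list(recent)[:3]],
                })
                armed = False
            elif len(recent) < threshold:
                armed = True
    return alerts


def constructed_feed() -> List[Record]:
    """Constructed passive-DNS / CT-log style feed (not real registrations)."""
    feed = [("2026-06-28T09:00:00", "100lamps.com", "Registrar-A")]   # stale, falls out of window
    for i, name in enumerate(["101chairs.com", "102tables.com", "103mirrors.com",
                              "104carpets.com", "105curtains.com", "106vases.com"]):
        feed.append((f"2026-07-01T10:{i * 10:02d}:00", name, "Registrar-A"))
    feed += [
        ("2026-07-01T10:05:00", "acme-widgets.com", "Registrar-A"),   # not generic-looking
        ("2026-07-01T11:00:00", "200sofas.com", "Registrar-B"),
        ("2026-07-01T11:30:00", "201beds.com", "Registrar-B"),
    ]
    return feed


if __name__ == "__main__":
    for alert in registration_velocity_alerts(constructed_feed(), window_hours=24, threshold=5):
        print(alert)
```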
05.4 · UNC1151 — DGA targeting account-verification services
41 IOCs across DOMAIN + HASH + IP. The domain layer shows a deliberate targeting pattern: every domain has a name adjacent to legitimate account-verification services (account-email-verification[.]cc[.]cd, account-protection-support[.]icu, account.check-profile[.]digital). The naming discipline is the fingerprint — DGA output that looks like legitimate service subdomains rather than random alphanumeric strings.
Defensive actions: Block the 21 catalogued domains at DNS. Deploy a regex-based DNS filter for the account-*-verification.* and account-protection-*.* patterns. Route inbound emails carrying links matching those patterns to secondary review.
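A regex-based DNS filter of the kind the defensive actions above call for, added here as an example rather than the advisory's own rule. The first two patterns encode the account-*-verification.* and account-protection-*.* shapes quoted above, the third covers the account.check-profile shape from the domain table; the DNS log format and the allowlist are assumptions.

```python
import re
from typing import Dict, Iterable, List

# UNC1151 naming discipline described in the advisory: DGA output shaped like
# legitimate account-verification service names. Tighten or extend these
# against your own passive-DNS data before shipping.
UNC1151_PATTERNS = [
    re.compile(r"(^|\.)account-[a-z0-9-]*verification\.", re.I),   # account-*-verification.*
    re.compile(r"(^|\.)account-protection-[a-z0-9-]+\.", re.I),    # account-protection-*.*
    re.compile(r"(^|\.)account\.check-profile\.", re.I),           # account.check-profile.*
]

# Assumed allowlist of your own or partner domains whose legitimate names
# happen to match the shape. Constructed for this example.
ALLOWLIST = {"account-verification.example-corp.com"}


def refang(domain: str) -> str:
    """Undo the advisory's defanging convention ([.] -> .) and normalise."""
    return domain.replace("[.]", ".").strip().rstrip(".").lower()


def matches_unc1151_pattern(domain: str) -> bool:
    """True if the (defanged or plain) domain has the UNC1151 naming shape
    and is not explicitly allowlisted."""
    d = refang(domain)
    if d in ALLOWLIST or any(d.endswith("." + a) for a in ALLOWLIST):
        return False
    return any(p.search(d) for p in UNC1151_PATTERNS)


def hunt_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan DNS query log lines (assumed format: '<ts> <client-ip> <qname>')
    and return one hit per query whose name matches the pattern set."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[0], parts[1], parts[2]
        if matches_unc1151_pattern(qname):
            hits.append({"ts": ts, "client": client, "qname": refang(qname)})
    return hits


# Constructed sample log: two benign queries, one allowlisted name, three hits.
SAMPLE_DNS_LOG = """\
2026-07-01T09:12:03 10.1.4.22 accounts.google.com
2026-07-01T09:12:09 10.1.4.22 account-email-verification[.]cc[.]cd
2026-07-01T09:13:44 10.1.7.90 account-protection-support[.]icu
2026-07-01T09:13:50 10.1.7.90 account-verification.example-corp.com
2026-07-01T09:14:01 10.1.7.90 account.check-profile[.]digital
2026-07-01T09:15:30 10.1.2.15 login.microsoftonline.com
""".splitlines()

if __name__ == "__main__":
    for hit in hunt_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']}")
```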
05.5 · Lazarus (APT38 sub-cluster) — REST-API-style C2
Small footprint but high-fidelity signal: 5 catalogued URLs to a single infrastructure anchor at 216.126.236.244 with a distinctive REST-API-style path pattern (/api/service/makelog, /api/service/process/, /api/service/98cb54c0b4ac259d30c9c1ca1ae87c68, /upload, and port 4801 / 4806 endpoints). The API-path structure is itself a fingerprint — any other host serving this exact path shape is candidate compromise infrastructure.
Defensive actions: Push the anchor IP to blocking. Hunt for outbound traffic matching the API path patterns (/api/service/makelog, /api/service/process) to any destination other than known-legitimate infrastructure.
05.6 · CyberAv3ngers — the week’s largest subnet anchor
7 IPs concentrated in 185.82.73.0/24 — the week’s largest APT infrastructure anchor. When 7 IPs from a single named cluster land in the same /24, treat the entire /24 as suspect. The 249 addresses outside the catalogued 7 are almost certainly future rotation candidates.
Defensive actions: Block 185.82.73.0/24 at the perimeter now. Cost: zero. Operational risk: bounded (256 addresses). Amortised leverage: every rotation inside the block hits the same wall.
05.7 · The Gentlemen + Anubis (Ransomware)
Two ransomware operators active this week: The Gentlemen (32 IOCs across HASH + IP) and Anubis (27 IOCs across all four IOC types). Both signal typical double-extortion kill-chain infrastructure — encryption-for-impact + recovery inhibition + exfil to operator-controlled leak site.
Defensive actions: Push all ransomware-tagged hashes to endpoint quarantine. Hunt for the classic ransomware kill-chain sequence: valid-account login from unusual source → remote-management tool execution → large outbound transfer to non-corporate domain within 1 hour.
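A sequence hunt that runs both chains the advisory asks for, the ransomware kill-chain sequence above and the AsyncRAT spearphish-attachment-then-registry-run-key sequence from 05.1, added here as an example rather than the advisory's own query. The event schema, the remote-management tool list, the corporate domain suffix, the transfer-size threshold and the attachment types are assumptions; the timeline is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                     # normalised kind: logon, process, netflow, mail, registry
    data: Dict[str, str] = field(default_factory=dict)


Stage = Callable[[Event], bool]


def find_sequences(events: List[Event], stages: List[Stage], window: timedelta) -> List[List[Event]]:
    """Per host, find the earliest chain in which each stage fires after the
    previous one and the whole chain fits inside `window`. One chain per host."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    chains = []
    for evs in by_host.values():
        for i, first in enumerate(evs):
            if not stages[0](first):
                continue
            chain, cursor = [first], i + 1
            for stage in stages[1:]:
                j = cursor
                while j < len(evs) and not (stage(evs[j]) and evs[j].ts - first.ts <= window):
                    j += 1
                if j == len(evs):
                    break                      # this stage never fired inside the window
                chain.append(evs[j])
                cursor = j + 1
            if len(chain) == len(stages):
                chains.append(chain)
                break
    return chains


# Assumed tool list, corporate suffix and size threshold; adjust to your environment.
REMOTE_MGMT_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.exe", "atera.exe"}
CORP_SUFFIX = ".corp.example"
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024

# Advisory sequence 1: valid-account login from unusual source -> remote-management
# tool execution -> large outbound transfer to a non-corporate domain, within 1 hour.
RANSOMWARE_STAGES: List[Stage] = [
    lambda e: e.kind == "logon" and e.data.get("outcome") == "success" and e.data.get("src_known") == "no",
    lambda e: e.kind == "process" and e.data.get("image", "").lower().rsplit("\\", 1)[-1] in REMOTE_MGMT_TOOLS,
    lambda e: e.kind == "netflow" and int(e.data.get("bytes_out", "0")) >= LARGE_TRANSFER_BYTES
              and not e.data.get("dst_domain", "").endswith(CORP_SUFFIX),
]

# Advisory sequence 2 (AsyncRAT, 05.1): spearphish attachment delivered ->
# registry run-key write, within 90 days. Attachment types are an assumption.
ASYNCRAT_STAGES: List[Stage] = [
    lambda e: e.kind == "mail" and e.data.get("attachment", "").lower().endswith((".zip", ".iso", ".js", ".vbs")),
    lambda e: e.kind == "registry" and "\\currentversion\\run" in e.data.get("key", "").lower(),
]


def constructed_timeline() -> List[Event]:
    """Constructed telemetry for three hosts; not real incident data."""
    T = datetime.fromisoformat
    return [
        # WS-FIN-01: full ransomware chain inside 40 minutes
        Event(T("2026-07-02T02:10:00"), "WS-FIN-01", "logon", {"user": "j.doe", "outcome": "success", "src_known": "no"}),
        Event(T("2026-07-02T02:25:00"), "WS-FIN-01", "process", {"image": r"C:\Users\j.doe\AppData\Local\anydesk.exe"}),
        Event(T("2026-07-02T02:50:00"), "WS-FIN-01", "netflow", {"dst_domain": "files.example.net", "bytes_out": "900000000"}),
        # WS-HR-07: same first two stages, but the transfer goes to a corporate host
        Event(T("2026-07-02T03:00:00"), "WS-HR-07", "logon", {"user": "a.lee", "outcome": "success", "src_known": "no"}),
        Event(T("2026-07-02T03:05:00"), "WS-HR-07", "process", {"image": r"C:\Program Files\TeamViewer\teamviewer.exe"}),
        Event(T("2026-07-02T03:30:00"), "WS-HR-07", "netflow", {"dst_domain": "backup.corp.example", "bytes_out": "2000000000"}),
        # WS-OPS-03: spearphish attachment, run key written three days later
        Event(T("2026-06-20T08:00:00"), "WS-OPS-03", "mail", {"sender": "ext@example.org", "attachment": "invoice_0621.zip"}),
        Event(T("2026-06-23T12:00:00"), "WS-OPS-03", "registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"}),
    ]


def hunt(events: List[Event]) -> Dict[str, List[str]]:
    """Run both advisory sequences; return the matched hosts per sequence."""
    return {
        "ransomware": [c[0].host for c in find_sequences(events, RANSOMWARE_STAGES, timedelta(hours=1))],
        "asyncrat": [c[0].host for c in find_sequences(events, ASYNCRAT_STAGES, timedelta(days=90))],
    }


if __name__ == "__main__":
    print(hunt(constructed_timeline()))
```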
05.8 · StegoAd — steganography-based ad malware
47 IOCs across DOMAIN + URL. Steganographic malware family where the payload data is hidden inside image files delivered through legitimate ad-serving infrastructure. Detection must inspect the image content, not the transport. Traditional URL and domain blocking works only against the delivery hosts (which the campaign will rotate); the harder problem is content inspection at the image-decode layer.
Defensive actions: Block the 47 catalogued endpoints. If your environment runs an ad-network gateway, enable image-content inspection where feasible (recognising the false-positive cost). For most environments, network-perimeter blocking of the catalogued endpoints is the operational answer.
05.9 · Phishing AI agents cluster — AI-agent-driven phishing
21 IOCs across DOMAIN + URL. A campaign in which the lure-generation and victim-conversation layers are automated by AI agents — each phishing target receives a personalised, contextually-aware lure. Traditional pattern-based phishing detection (template matching, common-phrase lexical filters) fails because the lure content is unique per victim. Detection has to move to behavioural layers: outbound clicks from the lure landing on unfamiliar domains, credential-entry telemetry, unusual authentication sequences.
Defensive actions: Block the 21 catalogued endpoints. Promote hardware-bound credentials (FIDO2 / passkeys) so successful credential capture cannot replay against your services. For long-term defence, invest in identity-verification workflows that survive AI-generated social-engineering pressure.
05.10 · Hijacked package-registry entries
15 IOCs across IP + OTHERS + URL. Compromised package-registry entries with command-interpreter execution at install-time. CI build agents that pull from an unrestricted public package registry are the exposed surface. This continues the multi-week supply-chain trend and is now a routine background campaign category rather than an exotic one.
Defensive actions: Package allow-listing in CI build agents. Outbound-domain monitoring from build runners. Publisher-identity verification on the package registry.
06 · ATT&CK technique mapping per named cluster
The table below maps each named cluster to the ATT&CK techniques observed in its catalogued indicators, with an operational narrative on how the technique chain plays in practice. Use this table to drive detection-engineering priorities this week — content that fires on these techniques catches the cluster even after IOC rotation.
| Cluster | ATT&CK techniques observed | Operational narrative |
|---|---|---|
| UNC1151 (APT) | T1583.001 · T1566.002 · T1566.003 · T1204.001 · T1027 · T1102 | Belarusian-aligned cluster running a deliberate domain-generation pattern targeting account-verification services (account-email-verification, account-protection-support, check-profile). Trust-anchor abuse at scale — the operator counts on defenders and users being unable to distinguish these from legitimate verification flows. |
| APT36 | T1566 · T1204 · T1059 · T1105 · T1041 · T1547.001 | Regional cluster with full four-type footprint. Standard spearphish → user-execute → command-interpreter → second-stage pull → registry-run-key persistence → exfil over C2 chain. Detection content targeting the sequence catches the cluster even after rotation. |
| TeamPCP (APT) | T1583.001 · T1566 · T1027 · T1105 · T1071 · T1041 | Multi-pivot APT cluster with 27 IOCs and a subnet anchor at 83.142.209.0/24. Adversary-acquired domains + obfuscated payload + web-protocol C2 + exfil over C2. |
| Lazarus (APT38 sub-cluster) | T1071 · T1071.001 · T1105 · T1041 · T1102 · T1568 | REST-API-style C2 pattern with paths like /api/service/makelog, /api/service/process/, and /upload endpoints. The API path structure is itself a fingerprint — any host serving this path shape is candidate compromise infrastructure. |
| BitterAPT | T1204 · T1059 · T1105 | User-execution driven initial access, command-interpreter follow-on, second-stage payload pull. Compact TTP set — the cluster runs a tight kill chain and rotates minimally. |
| CyberAv3ngers | T1071 · T1105 · T1078 · T1190 | The week’s largest APT subnet anchor — 7 IPs concentrated in 185.82.73.0/24. Treat the entire /24 as suspect. Public-app exploitation + valid-account abuse are the historical initial-access pattern. |
| The Gentlemen (Ransomware) | T1078 · T1021.001 · T1219 · T1486 · T1490 · T1567 | Valid-account initial access, remote-desktop lateral movement, remote-access tooling, encryption for impact, recovery inhibition, exfil to web service. Classic double-extortion ransomware pattern. |
| Anubis (Ransomware) | T1486 · T1490 · T1567 · T1041 · T1027 · T1071 | Full four-type footprint with 27 IOCs. Encryption-for-impact + recovery inhibition + exfil to operator-controlled web service. Watch for double-extortion leak-site infrastructure. |
| TONResolver (novel C2) | T1102 · T1568 · T1071 · T1027 | Malware resolves C2 endpoints via a public open blockchain — a takedown-resistant technique. Traditional DNS-based blocking cannot break the resolution chain because the resolution happens on-chain. |
| Fake trust-anchor verification-page campaign | T1583.001 · T1566.002 · T1036.005 · T1102 | Adversary-acquired domains impersonating trusted platform verification flows. 54 IOCs across DOMAIN+HASH+IP with two subnet anchors (85.239.149.0/24 + 93.152.224.0/24). Trust-anchor social engineering — bypasses user-awareness training because the visual is convincing. |
| StegoAd (steganography-based) | T1027.003 · T1102 · T1583.001 | Steganographic ad-network malware — payload data hidden inside image files delivered through legitimate ad-serving infrastructure. Detection must inspect the image content, not the transport. |
| AsyncRAT (200+ IOC surge) | T1566.001 · T1204 · T1105 · T1071.001 · T1041 · T1547.001 | Spearphishing attachment → user-execution → second-stage pull → web-protocol C2 → exfil over C2 → registry-run-key persistence. Largest RAT footprint YTD in this catalogue — 200+ IOCs across two cluster entries. |
| Backdoor.Mistic | T1071 · T1105 · T1543 · T1027 · T1041 | Full four-type footprint. Web-protocol C2 + system-service abuse for persistence + obfuscated payload + exfil over C2. The multi-type breadth suggests an actively rotating operational build. |
| ClickFix | T1566 · T1204 · T1059 · T1105 | Phishing → user-execution → command-interpreter → second-stage pull. The “click-to-fix” social-engineering pattern where a fake CAPTCHA or error page instructs the visitor to paste an attacker-controlled command into their command interpreter. |
| Hijacked package-registry entries | T1195.001 · T1059 · T1027 · T1132 · T1219 | Package-registry compromise with command-interpreter execution at install-time. 15 IOCs including OTHERS (package name artefacts). CI build agents that pull from an unrestricted public package registry are the exposed surface. |
Detection-engineering takeaway. The technique catalogue this week is dominated by T1071/T1071.001 (web-protocol C2), T1105 (ingress tool transfer), T1059 (command-interpreter), and T1041 (exfil over C2). If your environment lacks coverage on those four techniques specifically, you are blind to roughly 75 percent of this week’s adversary tradecraft. Prioritise coverage above any single-IOC blocklist work.
07 · Tactic-pressure roll-up
Aggregation of technique tags across every IOC where the source feed published an ATT&CK mapping. Rolls up to the parent tactic.
| Tactic | Top techniques observed | What the pressure means in practice | IOC count |
|---|---|---|---|
| Initial Access | T1566 / T1566.001 / T1566.002 / T1195.001 / T1078 / T1190 | Phishing (generic + attachment + via service), supply-chain via dependencies, valid-account abuse, public-app exploit | 316 |
| Execution | T1059 / T1059.001 / T1204 / T1204.001 / T1204.002 | Command-interpreter (PowerShell/CMD), user-execution of malicious link or file | 285 |
| Command and Control | T1071 / T1071.001 / T1102 / T1568 / T1573.002 / T1090 | Web-protocol C2 (HTTP/HTTPS), web-service abuse (including blockchain resolution — see TONResolver), dynamic resolution, asymmetric crypto, proxy | 264 |
| Ingress Tool Transfer | T1105 | Second-stage payload pull — observed in every multi-stage cluster this cycle | 218 |
| Persistence | T1547.001 / T1543 / T1176 | Registry-run keys, system-service abuse, malicious browser extensions | 145 |
| Defense Evasion | T1027 / T1027.003 / T1218 / T1036.005 / T1132 | Obfuscated payload, steganography (StegoAd), signed-binary proxy, masquerading, data encoding | 128 |
| Exfiltration | T1041 / T1567 | Exfil over C2 channel; exfil to operator-controlled web service (double-extortion pattern) | 96 |
| Collection | T1056 / T1056.001 / T1113 / T1185 / T1005 / T1082 | Input capture, keylogging, screen capture, browser session hijack, local data, system-info enum | 82 |
| Credential Access | T1555 / T1003 / T1110 / T1539 | Password store theft, OS credential dumping, brute force, session-cookie theft | 71 |
| Impact | T1486 / T1490 / T1498 | Data encryption (ransomware), recovery inhibition, network DoS | 48 |
| Resource Development | T1583.001 / T1219 | Adversary-acquired domains (heavy this cycle — trust-anchor phishing), legitimate remote-access tooling co-opted for adversary use | 61 |
| Lateral Movement | T1021.001 / T1078 | Remote Desktop for ransomware kill chain, valid-account abuse within the environment | 24 |
08 · Subnet clustering — shared-infrastructure anchors
The /24 subnet group-by surfaces five operator anchors this week — the highest count in three weeks. Each is a candidate for subnet-level perimeter blocking. The 185.82.73.0/24 anchor (CyberAv3ngers) is the week’s highest-leverage block.
| Subnet (/24) | IP count | Adversary cluster | Operator observation |
|---|---|---|---|
| 185.82.73.0/24 | 7 | CyberAv3ngers (APT) | The week’s largest APT infrastructure anchor. Treat entire /24 as suspect. |
| 185.252.24.0/24 | 3 | RedLine | Stealer infrastructure concentration |
| 83.142.209.0/24 | 3 | TeamPCP | APT-tier subnet anchor — cheap perimeter block |
| 85.239.149.0/24 | 3 | Fake trust-anchor verification-page campaign | Trust-anchor phishing infrastructure |
| 93.152.224.0/24 | 3 | Fake trust-anchor verification-page campaign | Second anchor for same campaign — same operator, different tenant |
The asymmetric block. Two subnets serve the same Fake trust-anchor verification-page campaign (85.239.149.0/24 and 93.152.224.0/24). Same operator, different hosting tenants — the pattern is a hedge against one tenant being taken down. Block both to defeat the hedge.
09 · Top 15 IOCs per indicator type
Operator-grade extractions. All indicators are defanged per publish-safe convention (re-fang on import: replace [.] with ., [://] with ://, and hxxp with http).
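An import helper that applies the re-fang convention above and the /24 group-by from section 08, added here as an example and not the advisory's or the HuntIntel console's code. The sample indicators are constructed in documentation address space, not taken from this week's catalogue.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List

# Defanging convention used in the advisory's tables: [.] for dots,
# hxxp for http, [://] for the scheme separator. Order matters: the scheme
# separator is restored before the hxxp prefix is rewritten.
_REFANG_RULES = [("[.]", "."), ("[://]", "://"), ("hxxps://", "https://"), ("hxxp://", "http://")]


def refang(ioc: str) -> str:
    """Return the live form of a defanged indicator, ready for SIEM import."""
    out = ioc.strip()
    for needle, repl in _REFANG_RULES:
        out = out.replace(needle, repl)
    return out


def cluster_by_slash24(ips: Iterable[str], min_count: int = 3) -> Dict[str, List[str]]:
    """Group IPv4 indicators by their /24 and keep the groups with at least
    `min_count` members: the subnet-anchor logic of section 08."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for raw in ips:
        try:
            addr = ipaddress.ip_address(refang(raw))
        except ValueError:
            continue                         # skip rows that are not IP addresses
        if addr.version != 4:
            continue
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        groups[str(net)].append(str(addr))
    return {net: sorted(members) for net, members in groups.items() if len(members) >= min_count}


def in_anchor(ip: str, anchors: Iterable[str]) -> bool:
    """Would this IP be caught by a perimeter block of the given /24 anchors?"""
    addr = ipaddress.ip_address(refang(ip))
    return any(addr in ipaddress.ip_network(a) for a in anchors)


# Constructed sample: three IPs in one /24, two in another, one loner, one junk row.
SAMPLE_IPS = ["203[.]0[.]113[.]10", "203[.]0[.]113[.]77", "203[.]0[.]113[.]201",
              "198[.]51[.]100[.]5", "198[.]51[.]100[.]9", "192[.]0[.]2[.]44", "not-an-ip"]

if __name__ == "__main__":
    print(refang("hxxp[://]203.0.113.10/api/service/makelog"))
    for net, members in cluster_by_slash24(SAMPLE_IPS).items():
        print(net, members)
```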
Top 15 · IP addresses (High severity)
| # | Indicator | Adversary | Category | Severity |
|---|---|---|---|---|
| 01 | 103.229.53.18 | KuinaExtractor | Malware | HIGH |
| 02 | 111.88.74.246 | UNC1151 | APT | HIGH |
| 03 | 118.107.0.197 | Operation DragonReturn | Malware | HIGH |
| 04 | 135.181.171.40 | Fake trust-anchor verification-page campaign | Malware | HIGH |
| 05 | 142.93.242.144 | Backdoor.Mistic | Backdoor | HIGH |
| 06 | 144.202.14.75 | Anubis | Ransomware | HIGH |
| 07 | 144.31.53.78 | Backdoor.Mistic | Backdoor | HIGH |
| 08 | 146.19.248.120 | Fake trust-anchor verification-page campaign | Malware | HIGH |
| 09 | 149.28.66.79 | Anubis | Ransomware | HIGH |
| 10 | 151.240.151.126 | Fake trust-anchor verification-page campaign | Malware | HIGH |
| 11 | 151.240.151.46 | Fake trust-anchor verification-page campaign | Malware | HIGH |
| 12 | 153.117.34.2 | Mirai | Botnet | HIGH |
| 13 | 158.94.211.95 | LokiBot | Botnet | HIGH |
| 14 | 159.198.32.222 | BusySnake | Malware | HIGH |
| 15 | 159.198.41.140 | BusySnake | Malware | HIGH |
Top 15 · Domains (High severity)
| # | Indicator | Adversary | Category | Severity |
|---|---|---|---|---|
| 01 | 100furniture[.]com | Fake trust-anchor verification-page campaign | Malware | HIGH |
| 02 | 123clocks[.]com | Fake trust-anchor verification-page campaign | Malware | HIGH |
| 03 | 345rodeoslot[.]com | Branded Gambling Campaign | Malware | HIGH |
| 04 | 87roulettino12[.]com | Branded Gambling Campaign | Malware | HIGH |
| 05 | Ikkkkddd[.]com | Operation DragonReturn | Malware | HIGH |
| 06 | Kkxqbh[.]top | Operation DragonReturn | Malware | HIGH |
| 07 | a[.]dev-tunnels[.]com | Djinn | Malware | HIGH |
| 08 | aboutbookphoto[.]pro | TONResolver | RAT | HIGH |
| 09 | acasiallc[.]shop | RedLine | Stealer | HIGH |
| 10 | account-email-verification[.]cc[.]cd | UNC1151 (APT) | APT | HIGH |
| 11 | account-emails-verification[.]cc[.]cd | UNC1151 (APT) | APT | HIGH |
| 12 | account-protection-support[.]icu | UNC1151 (APT) | APT | HIGH |
| 13 | account-protection-team[.]icu | UNC1151 (APT) | APT | HIGH |
| 14 | account[.]check-profile[.]digital | UNC1151 (APT) | APT | HIGH |
| 15 | XAEL-AI investment scam (DCloud Uni-App campaign artefact) | DCloud Uni-App | Supply Chain | HIGH |
Top 15 · File hashes (High severity)
| # | Indicator | Adversary | Category | Severity |
|---|---|---|---|---|
| 01 | 0041FD1B2358CD08DBCBC28EA8FC3D20 | BusySnake | Malware | HIGH |
| 02 | 006887732CA4A4A46A97989CF4DEEEF6 | BusySnake | Malware | HIGH |
| 03 | 00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c | Djinn | Malware | HIGH |
| 04 | 00f341a353de29dfe19e4796d27c1879 | DeskRAT | RAT | HIGH |
| 05 | 0129e1e1666d5bcce8c3f12c866fdb23 | ClickFix | Phishing | HIGH |
| 06 | 01325880EFFFEC546F59490089A3B415 | AsyncRAT | RAT | HIGH |
| 07 | 0234E3188F2883A438B3F2BEAB7A78B2 | Fake trust-anchor verification-page campaign | Malware | HIGH |
| 08 | 02944C8A5535CDB5B2CBB893DB2D5ACF | The Gentlemen | Ransomware | HIGH |
| 09 | 03418b5196affd9519c6eef53f4e0092fab19ac2f9da6ff59e4d0180a40b1c7e | KuinaExtractor | Malware | HIGH |
| 10 | 03d2b73ecde0575a1e5ea24d6e4f12987cc081c0bc22dadf8c4219e8e38ca6e0 | Operation DragonReturn | Malware | HIGH |
| 11 | 04688dc699b886a661c98e78922c6e2e637ccfaf7ded10a4b244464930f74ed8 | BitterAPT | APT | HIGH |
| 12 | 053620962047f50a91c6e8d1a6519eccc41fab51473f033086b4d816abe8bcb0 | Silent Swap | Cryptomining | HIGH |
| 13 | 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce | TeamPCP (APT) | APT | HIGH |
| 14 | 06fdd1d97df1105c542ddb881d751b659d555b5522c266f6364dae9f350fcfd0 | PamStealer | Malware | HIGH |
| 15 | 07213C419489C02791E8D67B91E404EF | BusySnake | Malware | HIGH |
Top 15 · URLs (High severity)
| # | Indicator | Adversary | Category | Severity |
|---|---|---|---|---|
| 01 | hxxp[://]130.12.180.43/files/7924412375/upOSLDn.exe | Millenium | RAT | HIGH |
| 02 | hxxp[://]153.117.34.2:52680/Mozi.m | Mirai | Botnet | HIGH |
| 03 | hxxp[://]154.92.16.22/xz.bin | ValleyRAT | RAT | HIGH |
| 04 | hxxp[://]158.94.208.168/files/8514679081/DRTjyu7.exe | Millenium | RAT | HIGH |
| 05 | hxxp[://]158.94.211.95/kelly/five/fre.php | LokiBot | Botnet | HIGH |
| 06 | hxxp[://]166.88.134.62 | Hijacked package-registry entries | Supply Chain | HIGH |
| 07 | hxxp[://]166.88.134.62:443 | Hijacked package-registry entries | Supply Chain | HIGH |
| 08 | hxxp[://]175.173.79.123:35540/Mozi.m | Mirai | Botnet | HIGH |
| 09 | hxxp[://]198.105.127.210 | Hijacked package-registry entries | Supply Chain | HIGH |
| 10 | hxxp[://]198.105.127.210:443 | Hijacked package-registry entries | Supply Chain | HIGH |
| 11 | hxxp[://]216.126.236.244/api/service/98cb54c0b4ac259d30c9c1ca1ae87c68 | Lazarus (APT38) | APT | HIGH |
| 12 | hxxp[://]216.126.236.244/api/service/makelog | Lazarus (APT38) | APT | HIGH |
| 13 | hxxp[://]216.126.236.244/api/service/process/ | Lazarus (APT38) | APT | HIGH |
| 14 | hxxp[://]216.126.236.244:4801 | Lazarus (APT38) | APT | HIGH |
| 15 | hxxp[://]216.126.236.244:4806/upload | Lazarus (APT38) | APT | HIGH |
10 · Sigma detection rules — four for this week’s standout patterns
Drop into your detection-content pipeline, normalise field names to your SIEM’s schema, tune the false-positive filters against your allowlist, ship.
Sigma 01 · public-blockchain RPC outbound traffic (TONResolver detection)
```yaml
title: Outbound Traffic to Non-Development Public-Blockchain RPC Endpoints
id: 8f2e1c9a-4b7d-4023-a591-6d8f3c1e5b90
status: experimental
description: |
  Detects outbound connections from non-engineering hosts to the public RPC
  endpoints of the open blockchain that TONResolver-family malware uses to
  resolve its C2 address (the TON hostnames in the selection). The resolution
  step is takedown-resistant by design, so the RPC contact itself is the
  signal: any such traffic from a host with no blockchain business need is
  candidate compromise.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-29-july-5-2026/
author: HackForLab Threat Intelligence
date: 2026/07/06
tags:
  - attack.command_and_control
  - attack.t1102
  - attack.t1568
logsource:
  category: proxy
detection:
  selection:
    cs-host|contains:
      - '.ton.org'
      - 'toncenter'
      - 'ton-rpc'
      - 'tonapi'
  exclusion:
    # placeholder: replace with your engineering subnet(s) and normalise the
    # client-IP field name to your proxy schema
    src_ip|cidr: '10.0.0.0/16'
  condition: selection and not exclusion
falsepositives:
  - Blockchain-adjacent engineering workloads (allowlist explicitly)
  - Unrelated hostnames that happen to contain the substrings 'tonapi' or
    'ton-rpc'; tighten to domain-suffix matches once the endpoint list is confirmed
level: high
```
Sigma 02 · UNC1151 account-verification DGA
```yaml
title: UNC1151 Account-Verification DGA Pattern
id: 3c1b7d5f-9a82-4e60-b471-2f8e6d4a1c93
status: experimental
description: |
  Detects DNS queries matching the UNC1151 domain-generation pattern
  targeting account-verification and profile-check services. This rule
  covers the resolver side; apply the same patterns to cs-host in a proxy
  variant to cover HTTP host headers.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-29-july-5-2026/
author: HackForLab Threat Intelligence
date: 2026/07/06
tags:
  - attack.initial_access
  - attack.t1566
  - attack.resource_development
  - attack.t1583.001
logsource:
  category: dns_query
detection:
  selection:
    QueryName|re:
      - '^account-(email|emails)-verification\.'
      - '^account-protection-(support|team)\.'
      - '^account\.check-profile\.'
      - '^account-profile-check\.'
  condition: selection
falsepositives:
  - Very rare; this naming convention is not used by legitimate services
level: critical
```
Sigma 03 · CyberAv3ngers subnet anchor
```yaml
title: CyberAv3ngers Subnet Anchor Contact
id: b7c9e2a4-6d13-4820-a58f-3e9b7c1d4f60
status: experimental
description: |
  Detects any outbound connection to the CyberAv3ngers subnet anchor
  observed this cycle (185.82.73.0/24, 7 concentrated APT IPs). Treat the
  entire /24 as suspect; the remaining 249 addresses are likely rotation
  candidates.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-29-july-5-2026/
author: HackForLab Threat Intelligence
date: 2026/07/06
tags:
  - attack.command_and_control
  - attack.t1071
  - attack.t1105
logsource:
  category: network_connection
detection:
  selection:
    DestinationIp|cidr: '185.82.73.0/24'
  condition: selection
falsepositives:
  - Unlikely; the /24 has no documented business use
level: critical
```
Sigma 04 · Lazarus REST-API-style C2 pattern
```yaml
title: Lazarus REST-API-Style C2 Path Pattern
id: 4d6b8f1c-3a92-4570-b108-9e2c7d5f6a41
status: experimental
description: |
  Detects HTTP requests matching the distinctive REST-API-style C2 path
  pattern observed in the Lazarus sub-cluster this cycle. The path shape
  itself is a fingerprint: any host serving this exact API shape is candidate
  compromise infrastructure, whether or not its IP is catalogued.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-29-july-5-2026/
author: HackForLab Threat Intelligence
date: 2026/07/06
tags:
  - attack.command_and_control
  - attack.t1071.001
  - attack.exfiltration
  - attack.t1041
logsource:
  category: proxy
detection:
  selection_path:
    cs-uri-stem|re:
      - '^/api/service/makelog$'
      - '^/api/service/process/?'
      - '^/api/service/[a-f0-9]{32}$'
      - '^/upload$'
  selection_port:
    # non-standard destination-port field; normalise to your proxy schema
    cs-server-port:
      - 4801
      - 4806
  selection_api_prefix:
    cs-uri-stem|startswith: '/api/'
  # a Sigma condition combines named selections only, so the /api/ prefix
  # test is its own selection rather than an inline field expression
  condition: selection_path or (selection_port and selection_api_prefix)
falsepositives:
  - Internal legacy services on those ports (audit and allowlist)
  - The bare /upload path is generic; pair it with port 4806 or the
    destination anchor before promoting the hit to blocking
level: high
```
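The four selections above, evaluated over constructed sample events. This is an added example, not the advisory's own tooling and not a Sigma backend: field names follow the rules as written (`cs-host`, `QueryName`, `DestinationIp`, `cs-uri-stem`, `cs-server-port`) and must be normalised to your SIEM schema, `10.0.0.0/16` is a placeholder engineering subnet, and every event is made up. The Sigma 04 function keeps the `/api/` prefix test as a selection of its own so it can be combined with the port test, which is how a Sigma condition has to express it.

```python
# Added example (not the advisory's own tooling, not a Sigma backend): the
# four Section 10 selections evaluated against constructed sample events.
# Field names follow the rules as written and must be normalised to your
# SIEM schema; 10.0.0.0/16 is a placeholder engineering subnet; every event
# below is made up for the demo.
import ipaddress
import re

ENGINEERING_SUBNET = ipaddress.ip_network("10.0.0.0/16")   # placeholder
CYBERAV3NGERS_ANCHOR = ipaddress.ip_network("185.82.73.0/24")

# Sigma 01: public-blockchain RPC hostnames, substring match as in the rule
BLOCKCHAIN_RPC_MARKERS = (".ton.org", "toncenter", "ton-rpc", "tonapi")

# Sigma 02: UNC1151 account-verification naming pattern
ACCOUNT_VERIFICATION_RE = re.compile(
    r"^account-(email|emails)-verification\."
    r"|^account-protection-(support|team)\."
    r"|^account\.check-profile\."
    r"|^account-profile-check\."
)

# Sigma 04: Lazarus REST-API-style C2 path shape
LAZARUS_PATH_RE = re.compile(
    r"^/api/service/makelog$"
    r"|^/api/service/process/?"
    r"|^/api/service/[a-f0-9]{32}$"
    r"|^/upload$"
)
LAZARUS_PORTS = {4801, 4806}


def sigma01_blockchain_rpc(ev):
    """proxy: cs-host contains an RPC marker and the client IP is outside engineering."""
    host = ev.get("cs-host", "").lower()
    selection = any(marker in host for marker in BLOCKCHAIN_RPC_MARKERS)
    exclusion = ipaddress.ip_address(ev["src_ip"]) in ENGINEERING_SUBNET
    return selection and not exclusion


def sigma02_account_verification(ev):
    """dns_query: QueryName matches the lookalike naming pattern."""
    return ACCOUNT_VERIFICATION_RE.search(ev.get("QueryName", "").lower()) is not None


def sigma03_subnet_anchor(ev):
    """network_connection: DestinationIp inside the CyberAv3ngers /24."""
    return ipaddress.ip_address(ev["DestinationIp"]) in CYBERAV3NGERS_ANCHOR


def sigma04_lazarus_path(ev):
    """proxy: path shape, or anchor port combined with an /api/ prefix. The
    prefix test is a selection of its own, which is how a Sigma condition has
    to express it (conditions combine selections, not field tests)."""
    stem = ev.get("cs-uri-stem", "")
    selection_path = LAZARUS_PATH_RE.search(stem) is not None
    selection_port = ev.get("cs-server-port") in LAZARUS_PORTS
    selection_api_prefix = stem.startswith("/api/")
    return selection_path or (selection_port and selection_api_prefix)


RULES = {
    "proxy": [("sigma01", sigma01_blockchain_rpc), ("sigma04", sigma04_lazarus_path)],
    "dns_query": [("sigma02", sigma02_account_verification)],
    "network_connection": [("sigma03", sigma03_subnet_anchor)],
}


def evaluate(events):
    """Return [(rule_id, event_id)] for each rule that fires, in event order."""
    hits = []
    for ev in events:
        for rule_id, rule in RULES.get(ev["category"], []):
            if rule(ev):
                hits.append((rule_id, ev["id"]))
    return hits


# Constructed sample events (not real telemetry). The anchor IP and C2 paths
# are the advisory's; hostnames use the reserved .example TLD.
SAMPLE_EVENTS = [
    {"id": 1, "category": "proxy", "src_ip": "10.50.3.7", "cs-host": "toncenter.example", "cs-uri-stem": "/api/v2/jsonRPC"},
    {"id": 2, "category": "proxy", "src_ip": "10.0.12.9", "cs-host": "toncenter.example", "cs-uri-stem": "/api/v2/jsonRPC"},  # engineering host, excluded
    {"id": 3, "category": "dns_query", "QueryName": "account-emails-verification.example"},
    {"id": 4, "category": "dns_query", "QueryName": "accounts.example"},
    {"id": 5, "category": "network_connection", "DestinationIp": "185.82.73.200"},
    {"id": 6, "category": "network_connection", "DestinationIp": "185.82.74.1"},  # adjacent /24, not the anchor
    {"id": 7, "category": "proxy", "src_ip": "10.50.3.8", "cs-host": "216.126.236.244", "cs-uri-stem": "/api/service/makelog", "cs-server-port": 80},
    {"id": 8, "category": "proxy", "src_ip": "10.50.3.8", "cs-host": "216.126.236.244", "cs-uri-stem": "/api/health", "cs-server-port": 4801},
    {"id": 9, "category": "proxy", "src_ip": "10.50.3.8", "cs-host": "216.126.236.244", "cs-uri-stem": "/healthz", "cs-server-port": 4801},  # port alone does not fire
    {"id": 10, "category": "proxy", "src_ip": "10.50.3.9", "cs-host": "buttonapi.example", "cs-uri-stem": "/"},  # substring false positive on 'tonapi'
]

if __name__ == "__main__":
    for rule_id, event_id in evaluate(SAMPLE_EVENTS):
        print(f"{rule_id} fired on event {event_id}")
```

Event 10 is the substring false positive a `contains` on `tonapi` produces; tighten to suffix matches on the confirmed endpoint domains, or accept the noise and let the engineering allowlist absorb it. Event 9 shows that the port clause is inert without the `/api/` prefix, which is why the prefix stays a separate selection.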
11 · Hunt queries — SIEM-agnostic pseudo-syntax
Hunt 01 · First-seen contact with this week’s APT anchors
```text
// Pseudo-query
FROM network_flows
WHERE dest_ip IN (
    '111.88.74.246',    -- UNC1151
    '135.181.171.40',   -- Fake trust-anchor verification
    '144.202.14.75',    -- Anubis
    '146.19.248.120',   -- Fake trust-anchor verification
    '149.28.66.79',     -- Anubis
    '216.126.236.244'   -- Lazarus
  )
  AND first_seen_pair(src_ip, dest_ip) WITHIN 60d
| AGGREGATE BY src_ip, dest_ip
| SORT BY flow_count DESC
```
Any new first-seen pairing to these anchors within the last 60 days is an in-progress incident.
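Hunt 01 worked through in code, as an added example that is not the advisory's own tooling: the anchor list and attributions are the ones in the pseudo-query, while the flow records, the private source IPs and the `hunt_anchor_pairs` name are constructed for the demo. The point it makes that the pseudo-query does not: "first seen within 60 days" is only meaningful against retained history older than the window, and a pairing that predates the window is not a miss but a longer-running incident that needs its own queue.

```python
# Added example for Hunt 01 (not the advisory's own tooling): first-seen
# pairing to the APT anchors over constructed flow records. The anchor list
# and attributions are the ones in Hunt 01; the flows and the private source
# IPs are made up for the demo.
from collections import defaultdict
from datetime import datetime, timedelta

APT_ANCHORS = {
    "111.88.74.246": "UNC1151",
    "135.181.171.40": "Fake trust-anchor verification",
    "144.202.14.75": "Anubis",
    "146.19.248.120": "Fake trust-anchor verification",
    "149.28.66.79": "Anubis",
    "216.126.236.244": "Lazarus",
}


def hunt_anchor_pairs(flows, now, lookback_days=60):
    """Split (src, dest) pairs to an anchor into (new, established).

    `flows` is an iterable of (timestamp, src_ip, dest_ip) and must include
    history older than the window; without that baseline every pair looks
    new. A pair is 'new' when its EARLIEST observation is inside the window
    (Hunt 01's result set) and 'established' when it predates the window,
    which Hunt 01 does not report but which is its own, older, incident.
    Each row is (src_ip, dest_ip, adversary, first_seen, flow_count), sorted
    by flow_count descending.
    """
    first_seen = {}
    counts = defaultdict(int)
    for ts, src, dst in flows:
        if dst not in APT_ANCHORS:
            continue
        key = (src, dst)
        counts[key] += 1
        if key not in first_seen or ts < first_seen[key]:
            first_seen[key] = ts

    cutoff = now - timedelta(days=lookback_days)
    new, established = [], []
    for (src, dst), ts in first_seen.items():
        row = (src, dst, APT_ANCHORS[dst], ts, counts[(src, dst)])
        (new if ts >= cutoff else established).append(row)

    def by_count(rows):
        return sorted(rows, key=lambda r: r[4], reverse=True)

    return by_count(new), by_count(established)


# Constructed flow records (not real telemetry); NOW is the advisory date.
NOW = datetime(2026, 7, 6)
SAMPLE_FLOWS = [
    (datetime(2026, 3, 1), "10.20.1.17", "144.202.14.75"),    # predates the window
    (datetime(2026, 7, 2), "10.20.1.17", "144.202.14.75"),
    (datetime(2026, 6, 30), "10.20.1.17", "216.126.236.244"),
    (datetime(2026, 7, 1), "10.20.1.17", "216.126.236.244"),
    (datetime(2026, 7, 1), "10.20.1.17", "216.126.236.244"),
    (datetime(2026, 7, 3), "10.30.5.4", "111.88.74.246"),
    (datetime(2026, 7, 4), "10.30.5.4", "111.88.74.246"),
    (datetime(2026, 7, 4), "10.20.1.22", "203.0.113.9"),      # not an anchor, ignored
]

if __name__ == "__main__":
    new, established = hunt_anchor_pairs(SAMPLE_FLOWS, NOW)
    for src, dst, who, ts, n in new:
        print(f"NEW  {src} -> {dst} ({who}) first seen {ts:%Y-%m-%d}, {n} flows")
    for src, dst, who, ts, n in established:
        print(f"OLD  {src} -> {dst} ({who}) first seen {ts:%Y-%m-%d}, {n} flows")
```

Run it against your own flow export by replacing `SAMPLE_FLOWS` with rows from the last retention period, not just the last 60 days; if the store only holds 60 days, every anchor pairing will land in `new` and the result is a contact list, not a first-seen hunt.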
Hunt 02 · public-blockchain RPC outbound from non-engineering hosts
```text
// Pseudo-query
FROM proxy_logs
WHERE dest_host MATCHES regex '(?i)(toncenter|\.ton\.org|ton-rpc|tonapi)'
  AND src_host NOT IN (allowlisted_engineering_hosts)
| AGGREGATE BY src_host, dest_host
    COUNT(*) AS req_count, MIN(request_time) AS first_seen
| SORT BY first_seen DESC
```
Catches TONResolver-style malware without needing to know the C2 IP — the resolution behaviour itself is the signal.
Hunt 03 · Account-verification lookalike domain queries
```text
// Pseudo-query
FROM dns_queries
WHERE query_name MATCHES regex '^(account-.*(verification|protection|profile-check)|.*check-profile\.)'
  AND query_name NOT IN (allowlisted_verification_services)
| AGGREGATE BY src_host, query_name
| SORT BY COUNT DESC
```
Catches UNC1151-style DGA output at the resolver.
Hunt 04 · REST-API-style C2 pattern (Lazarus shape)
```text
// Pseudo-query
FROM proxy_logs
WHERE cs_uri_stem MATCHES regex '^/api/service/(makelog|process|[a-f0-9]{32})'
   OR (cs_server_port IN (4801, 4806) AND cs_uri_stem STARTS WITH '/api/')
| AGGREGATE BY src_host, dest_host
| SORT BY request_count DESC
```
12 · Operationalise this advisory in 60 minutes
Minute 00 – 15 · Block + sinkhole
- Block 185.82.73.0/24 at the perimeter (CyberAv3ngers APT anchor). Cost: zero. Risk: negligible, since the /24 has no documented business use.
- Block 85.239.149.0/24 and 93.152.224.0/24 (Fake trust-anchor verification-page campaign anchors).
- Block 83.142.209.0/24 (TeamPCP APT anchor).
- Block 216.126.236.244 (Lazarus sub-cluster anchor).
- Push the 15 top IPs and 15 top hashes to blocking lanes.
Minute 15 – 30 · Detection content
- Deploy the four Sigma rules from Section 10.
- Add explicit outbound-deny for public-blockchain RPC endpoints from non-engineering hosts (blocks TONResolver-style malware even after C2 rotation).
- Tune false-positive filters against your engineering allowlist.
Minute 30 – 45 · Retrospective hunt
- Run Hunt 01 (APT anchor first-seen) across the last 60 days.
- Run Hunt 03 (account-verification DGA queries) baseline scan.
- Run Hunt 04 (Lazarus REST-API path pattern) against the last 30 days.
Minute 45 – 60 · Awareness + policy
- Update user-awareness content on trust-anchor phishing — verification flows on unfamiliar domains should be treated as suspicious.
- Audit outbound egress policy for public-blockchain RPC and any blockchain-adjacent RPC traffic. Deny by default from non-engineering hosts.
- Brief developers on the sustained supply-chain trend. Package allow-listing and publisher-identity verification remain non-optional.
This advisory ships 15 indicators per type. The catalogue carries the full 1,524 unique IOCs, each with adversary attribution, ATT&CK technique, confidence score, and source provenance.
13 · Frequently asked questions
74% high-severity is unusual. Should I trust the number?
Yes. The severity classification is machine-learning-scored per record based on adversary attribution, ATT&CK-technique coverage, indicator freshness, and source pedigree. When the C2-listener-flood feeds go quiet (as this week), the remaining indicators are the narrow, high-fidelity layer where high-severity classification is normal. The 74% share reflects the composition of this week’s catalogue, not a threshold change.
What is the public open blockchain TONResolver uses, and why is it a problem?
TONResolver-family malware resolves its C2 address through a public, open blockchain that accepts arbitrary data records on-chain. The operator publishes the current C2 endpoint as an on-chain record, and the implant queries a public RPC endpoint for that chain (the TON hostnames in Sigma 01) to retrieve it. Because DNS plays no part in that resolution step, DNS-based blocking and sinkholing cannot break the chain, and no registrar or hosting provider can take the record down. Rotation is one new on-chain transaction, essentially free and instant for the operator. Detection therefore has to happen at the endpoint or at outbound network egress, where the RPC contact itself is the signal.
How do I detect the Lazarus REST-API pattern without a known C2 IP?
Sigma 04 and Hunt 04 fire on the path shape rather than on the destination IP. Any host serving /api/service/makelog, /api/service/process/, or /api/service/<32-hex-chars>, or receiving traffic on ports 4801/4806 with an /api/ path prefix, is candidate compromise infrastructure regardless of whether the IP is catalogued.
How do I prioritise the 1,129 high-severity records?
Three-tier triage. First: subnet-block the five /24 anchors from Section 08. Second: push the top 15 IPs and top 15 hashes to your blocking lane. Third: deploy the four Sigma rules. After that, work down the deep-dive clusters in Section 05 by category relevance to your industry vertical.
Why did the C2-flood feeds go quiet this week?
Multiple explanations are consistent with the observed pattern: a temporary decrease in publicly-observable listener rotation, feed-level ingestion changes upstream, or a genuine operator lull between campaigns. The catalogue does not distinguish between these causes. What matters is that this week the intelligence density is higher — use the operational surplus to catch up on the tactical / TTP-tier detection work that usually gets deprioritised during flood weeks.
How current is each indicator?
Every record carries first_seen, last_seen, and confidence fields. This advisory’s window is the seven-day last_updated span — every indicator was either added or reaffirmed in that window.
What confidence threshold should the SOC use for automated blocking?
For automatic blocklist promotion: high confidence only. For watchlist enrichment: medium and above. For retrospective hunting: include low.
How does trust-anchor phishing differ from ordinary phishing?
Trust-anchor phishing impersonates the visual verification flows of internet infrastructure that users have been explicitly trained by legitimate security messaging to trust (CAPTCHAs, third-party verification screens, browser safety warnings). Ordinary phishing impersonates a specific service brand. The trust-anchor variant defeats user-awareness training because the visual is convincing and the training told the user to accept the flow. Defence must move upstream to the perimeter (subnet blocking) and downstream to identity (hardware-bound credentials).
Where can I see this advisory’s intelligence in operational form?
The HuntIntel operator console exposes every IOC behind this advisory with adversary attribution, ATT&CK technique, severity, confidence, and source provenance pre-joined. Open at huntintel.hackforlab.com/login.html. For the underlying frameworks reference, see Indicators of Compromise and Threat Intelligence: A Practitioner Reference.
Previous week (Jun 22-28) ·
Two weeks back (Jun 15-21) ·
Practitioner Reference (IOC + TI) ·
AWS Threat Hunting Library ·
15-Month Threat Hunter Roadmap ·
Threat Intelligence archive