aridjourney (@aridjourney.bsky.social)
Threat research at HarfangLab. Opinions are my own.
The updated downloader now features an improved multi-tier fallback: Registry keys → ADS → Telegraph/Teletype DDRs → hardcoded C2
The LNK dropper maintains core functionality with tweaked execution command.
June 23, 2025 at 5:08 PM
The new modular malware structure: 4 VBS payloads written to ADS:
:SRV - Updated downloader
:LNK - LNK dropper
:URLS - DDR C2 URL retrieval
:IPS - DDR C2 IP retrieval/resolution
:GTR - Main orchestrator (self)
June 23, 2025 at 5:08 PM
Following our recent #Gamaredon publication, the actor upgraded their PteroLNK malware and expanded infrastructure. Key changes:
- NTFS Alternate Data Streams (ADS) storage
- Randomized HTTP headers breaking network sigs
- Expanded tunneling services
- More robust DDR approach
June 23, 2025 at 5:08 PM
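The PteroLNK posts above describe VBS modules stored in NTFS alternate data streams with names such as :SRV, :LNK, :URLS, :IPS and :GTR. The following hunting script is an added example for defenders, not code from the thread, from HarfangLab or from the Gamaredon samples. It assumes nothing about the host file (the posts do not name it), so it walks a directory tree, lists every named stream, and flags a stream when its name matches one of the reported module names or when its content carries generic VBScript markers; the marker regex and the Zone.Identifier exclusion are my choices, not a signature from the research.

```powershell
# Added hunting example, not code from the original thread or from HarfangLab.
# Enumerates NTFS alternate data streams (ADS) under $Root and flags streams whose
# name matches the PteroLNK module names listed in the thread (SRV, LNK, URLS, IPS, GTR)
# or whose content contains common VBScript markers.
# Assumptions (mine): the host file name is not given in the thread, so every file is
# checked; the VBScript markers are generic heuristics, not a signature from the research;
# Zone.Identifier (Mark-of-the-Web) streams are skipped as expected benign noise.
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string[]] $SuspectStreams = @('SRV', 'LNK', 'URLS', 'IPS', 'GTR'),
        [int] $MaxBytes = 1MB
    )

    # Generic VBScript tells: object creation, the WScript host, dynamic code execution,
    # and the XMLHTTP client a downloader would use. Case-insensitive by default.
    $vbsMarkers = 'CreateObject\s*\(|WScript\.|ExecuteGlobal|Execute\s*\(|\.ShellExecute|MSXML2\.(Server)?XMLHTTP'

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * lists every stream; ':$DATA' is the unnamed default stream (the file itself).
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        ForEach-Object {
            $stream  = $_
            $reasons = @()

            if ($SuspectStreams -contains $stream.Stream) {
                $reasons += 'stream name matches reported PteroLNK module'
            }

            # Only read small streams: the modules described are scripts, not large binaries.
            if ($stream.Length -gt 0 -and $stream.Length -le $MaxBytes) {
                $content = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -Raw -ErrorAction SilentlyContinue
                if ($content -and $content -match $vbsMarkers) {
                    $reasons += 'content contains VBScript markers'
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    FilePath = $file.FullName
                    Stream   = $stream.Stream
                    Bytes    = $stream.Length
                    Reasons  = ($reasons -join '; ')
                }
            }
        }
    }
}

# Example run: hunt user profiles and show hits as a table.
Find-SuspiciousAds -Root 'C:\Users' | Format-Table -AutoSize
```

Stream names are trivially changed by the operator, so the content check is the signal to keep even if the name list goes stale; conversely, any named stream that is neither Zone.Identifier nor a known application artifact (some backup and sync tools write their own) deserves a look regardless of what it is called. Recursing over a whole profile tree is slow, so scope the run to the paths where the LNK dropper and removable media activity land before widening it.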
Our analysis covers the LNK parsing vulnerabilities, detailed XDigo malware analysis, comprehensive infrastructure overview, and attribution linking current activity to historical XDSpy activities including a previously unattributed 2023 operation
June 16, 2025 at 12:52 PM
Through hunting and pivoting, we identified the likely payload: XDigo, XDSpy's Go-based malware deployed against a governmental target in Belarus. We also mapped additional infrastructure showing multiple connections and ties across past campaigns
June 16, 2025 at 12:52 PM
Dropping new research - this time on recent #XDSpy operations. Out of hundreds of LNK files leveraging ZDI-CAN-25373, we isolated a tiny cluster using an additional LNK parsing trick, leading us to uncover a multi-stage infection chain actively targeting government entities
June 16, 2025 at 12:52 PM