aridjourney
@aridjourney.bsky.social
Threat research at HarfangLab. Opinions are my own.
As usual, you will find IOCs and YARA rules on our blog post and on our GitHub repository.
harfanglab.io/insidethelab...
UAC-0057 keeps applying pressure on Ukraine and Poland
Identifier: TRR250801. Summary In late July, we identified two clusters of malicious archives that were leveraged to target Ukraine and Poland since April 2025, and that we could link together from th...
harfanglab.io
August 20, 2025 at 12:38 PM
We found striking similarities with previously reported activity from UNC1151, sometimes referred to as UAC-0057, FrostyNeighbor or Ghostwriter.
August 20, 2025 at 12:38 PM
These downloaders attempt to retrieve next-stage malware from C2 URLs mimicking existing content and delivering JPEG image files.

An exception: some samples use a well-known cloud-hosted collaboration service for C2 communication.
August 20, 2025 at 12:38 PM
New tunneling services timeline:
🗓️ 2025-04-24: lhr[.]life
🗓️ 2025-05-06: serveo[.]net, workers[.]dev
🗓️ 2025-06-11: euw.devtunnels[.]ms

Updated Yara rule alongside IoCs: github.com/HarfangLab/i...

For more information about PteroLNK, please refer to:

harfanglab.io/insidethelab...
Inside Gamaredon's PteroLNK: Dead Drop Resolvers and evasive Infrastructure
Identifier: TRR250401. Proactively hunting for Russian-nexus threats, we identified samples from the Pterodo malware family, commonly associated with Gamaredon, uploaded to a public malware analysis p...
harfanglab.io
June 23, 2025 at 5:08 PM
New Infrastructure scripts:
:URLS → Scrapes Telegraph/Telegram for tunnel URLs → Appends .trycloudflare.com → stores in :URL ADS & registry
:IPS → Fetches IPs via Telegram, check-host[.]net, or ping to hardcoded C2 → stores in :IP ADS & registry
June 23, 2025 at 5:08 PM
The updated downloader now features an improved multi-tier fallback: Registry keys → ADS → Telegraph/Teletype DDRs → hardcoded C2
The LNK dropper maintains core functionality with tweaked execution command.
June 23, 2025 at 5:08 PM
The new modular malware structure: 4 VBS payloads written to ADS:
:SRV - Updated downloader
:LNK - LNK dropper
:URLS - DDR C2 URL retrieval
:IPS - DDR C2 IP retrieval/resolution
:GTR - Main orchestrator (self)
June 23, 2025 at 5:08 PM
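A small defender-side check, added here as an illustration and not part of the posts or of HarfangLab's published YARA rules or IoC lists: it scans telemetry lines (constructed for the example) for the tunneling-service domains listed in the timeline above and for references to the alternate data stream names of the modular VBS components (:SRV, :LNK, :URLS, :IPS, :GTR), and defangs hits the way the posts do. The domain list and stream names come from the posts; the sample lines, the file and registry paths in them, and the regular expressions are assumptions made for this example.

```python
import re
from typing import Iterable

# Tunneling services named in the posts' timeline (written defanged there), plus the
# trycloudflare.com suffix that the :URLS script is described as appending.
TUNNEL_DOMAINS = ("lhr.life", "serveo.net", "workers.dev", "devtunnels.ms", "trycloudflare.com")

# Alternate data stream names of the five VBS components described in the posts.
ADS_STREAMS = ("SRV", "LNK", "URLS", "IPS", "GTR")

# Any host ending in one of the tunneling domains; group 1 is the service itself.
_DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9-]+\.)*(" + "|".join(re.escape(d) for d in TUNNEL_DOMAINS) + r")\b",
    re.IGNORECASE,
)

# A path component followed by ':' and one of the stream names, e.g. report.txt:SRV.
# The character before ':' must be part of a file name, so drive letters (C:\) and
# URL schemes (https://) do not match because ':' is followed by '\' or '/'.
_ADS_RE = re.compile(
    r"(?<=[A-Za-z0-9_.)]):(" + "|".join(ADS_STREAMS) + r")(?![A-Za-z0-9_])",
    re.IGNORECASE,
)

# Constructed sample telemetry (process command lines, proxy log, registry write).
# These are illustrative lines, not real indicators; the paths and hostnames are made up.
SAMPLE_TELEMETRY = [
    'wscript.exe //e:vbs "C:\\Users\\user\\Music\\report.txt:SRV"',
    "GET https://abc-def.trycloudflare.com/update.jpg",
    "explorer.exe C:\\Users\\user\\Documents\\notes.docx",
    "curl https://euw.devtunnels.ms/abc123/",
    "reg add HKCU\\Software\\Vendor /v url /d https://example.serveo.net",
]


def scan_telemetry(lines: Iterable[str]) -> list[dict]:
    """Return one finding per (line, matched indicator), in input order."""
    findings = []
    for idx, line in enumerate(lines):
        for m in _DOMAIN_RE.finditer(line):
            findings.append(
                {
                    "line": idx,
                    "kind": "tunnel_domain",
                    "indicator": m.group(0).lower(),
                    "service": m.group(1).lower(),
                }
            )
        for m in _ADS_RE.finditer(line):
            findings.append(
                {
                    "line": idx,
                    "kind": "ads_stream",
                    "indicator": ":" + m.group(1).upper(),
                }
            )
    return findings


def defang(domain: str) -> str:
    """Write a domain the way the posts do (lhr[.]life) so hits can be shared safely."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    for hit in scan_telemetry(SAMPLE_TELEMETRY):
        shown = defang(hit["indicator"]) if hit["kind"] == "tunnel_domain" else hit["indicator"]
        print(f"line {hit['line']}: {hit['kind']} {shown}")
```

The ADS pattern is deliberately narrow: a legitimate "C:\" drive prefix or an "https://" scheme never matches, because the character after the colon has to be one of the five stream names followed by a non-identifier character. In practice the domain list would be one row per service in an allow/deny table rather than a hard-coded tuple, and any hit on a tunneling service should be triaged in context, since these services also have legitimate developer uses.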
Full technical report with IoCs and Yara rules below:

t.co/ycRyLK34H5
https://harfanglab.io/insidethelab/sadfuture-xdspy-latest-evolution/
t.co
June 16, 2025 at 12:52 PM
Our analysis covers the LNK parsing vulnerabilities, detailed XDigo malware analysis, comprehensive infrastructure overview, and attribution linking current activity to historical XDSpy activities, including a previously unattributed 2023 operation.
June 16, 2025 at 12:52 PM
Through hunting and pivoting, we identified the likely payload: XDigo, XDSpy's Go-based malware deployed against a governmental target in Belarus. We also mapped additional infrastructure showing multiple connections and ties across past campaigns.
June 16, 2025 at 12:52 PM