Simon Kenin
k3yp0d.bsky.social
Threat Hunter at SentinelOne | curatedintel.org Member | k3yp0d.blogspot.com | Opinions are of my own voices inside my own head | memes and music are welcome
2/4
The PDF masquerades the download link as a Check Point security tool.
The password for the RAR, however, is related to a cloud provider called cloudstar, but the small print says the service is provided by G.N.S.
cellcom.co.il/production/B...
November 16, 2025 at 3:36 PM
1/4
O_o
help.pdf
02e3a2cc825b7ac3e1bad50d4088a74f
2d49a02c6e77d7ebcff87e62ab14d826f4281cba
e422c2f25fbb4951f069c6ba24e9b917e95edb9019c10d34de4309f480c342df

PDF in Hebrew contains a link to a password protected RAR archive hosted in @dropbox.com
November 16, 2025 at 3:36 PM
4/5
This onlyoffice subdomain is also mentioned by Proofpoint, but the shared key and content are different.
Test Projects.zip -> 8e7771ed1126b79c9a6a1093b2598282221cad8524c061943185272fbe58142d
This file is listed in the IOCs of the CP blog and might have been reused
November 7, 2025 at 9:34 PM
3/5
However, Check Point did not mention OnlyOffice.
The missing link is available at any.run
November 7, 2025 at 9:34 PM
November 5, 2025 at 7:31 PM
3/4
Additional "Hacktivism" hosted on PRQ[.]SE:
x.com/k3yp0d/statu...
October 28, 2025 at 5:23 PM
October 28, 2025 at 5:23 PM
1/4
Hacktivism demystified.
Leak:
github.com/KittenBuster...
October 28, 2025 at 5:23 PM
4/5
JS downloads NetSupport RAT and drops a decoy PDF
Example C2 139.28.38.39
October 25, 2025 at 9:19 AM
3/5

Example zip 0f6f4c1821b71ea73213b3b290b7e23b
Vchasno_doc_22.10.2025_0029.zip
Zip contains either just a JS payload or benign files with additional archives which contain the JS payload
October 25, 2025 at 9:19 AM
2/5
Example PDF ebb7c92f4d38510f8efab00eb8e2d9ad
Платіжне_доручення_22.10.2025_00684096792.pdf
PDF contains a link to the 2nd payload.
2nd stage payload is distributed among different hosting providers:
Dropbox
MS OneDrive
4sync
October 25, 2025 at 9:19 AM
1/5
🇺🇦
Ongoing campaign targeting Ukrainians:
EML->PDF->URL->ZIP->JS->NetSupport RAT

Email 55ffcf6f4df8ab3f11a405794aa5f4d8
October 25, 2025 at 9:19 AM
1/4
PDQ which downloads ScreenConnect, the "one weird" RMM trick combo move threat actors don't want you to find out...
October 5, 2025 at 12:44 PM
September 28, 2025 at 12:45 PM
2/3
Iranian POV:
60%!!! that's basically free, the Israelis won't resist and will register with their Microsoft account!

Israeli POV:
Vanzen??? Never heard about them...
60% off to register with MS account? I don't even have a MS account WTF is this shit?

vanzen[.]org :
September 28, 2025 at 12:33 PM
1/3
UNC4444 Watering Hole
vanzen.co[.]il compromised to display an overlay pop-up for a 60% discount when registering on the site.
September 28, 2025 at 12:33 PM
5/8

Additional HTML vector:
a6c618134fc314dbc7f25a542f838467
8fc5e49e7b0e008f2f7513c6a479ce05416a4ce3
1f6e3bfabb8b85bf7442da91179828762f3cb5c85b8e5fea55798d29c5441b0c
September 28, 2025 at 9:25 AM
1/8
Sales Contract.pdf
9af100c85c1a58702dfb016c4cb95840
867d16c7150ea010ecbea787bd9939ea4fe93769
688a2ccc09e30bad2d235ce3895afecbbf9b5c5950c8ef2cf3eaba57f6445bb2
September 28, 2025 at 9:25 AM
Mood
September 18, 2025 at 12:02 PM
5/7

CCSD 15 Staff Compensation Statement (Available on Vistra Global).pdf
d989aba36f0268f7d34d278dab90abd9
fbd891af13b5ccf4ff5b292f60492adf30a0649d
573b40d7729c315bf7593f668cd4f4b55532bd5414260e78377b689036bb4221

redirect to msks[.]pics
September 3, 2025 at 9:32 AM
3/7

August Compensation Statement.exe is actually the LogMeIn Resolve installer
Same installer used in other variations:
September 3, 2025 at 9:32 AM
1/7

🎯EDU 🎯
drive.google[.]com/file/d/1KgP4IsEYVV78g8Ofo9GCwmp1ng3kiNlF/view?usp=drive_link ->
Updated 2025 Compensation for NCSU Faculty and Staff.pdf
9db4cccb4745a533ac4c41f8aac2e18bcf7e8198
7158fbc2a796b0c4afe7a2dd63c5c3b76df70ced1c7cd232c570f135b94a9e88
@ncsulibraries.bsky.social
September 3, 2025 at 9:32 AM
8/10
v2.msi
6795c530e941ee7e4b0ee0458362c95d
a2b70ca589a584e5ac214283935a6c3af890aa3a
649bdaa38e60ede6d140bd54ca5412f1091186a803d3905465219053393f6421
Velociraptor configured with velo[.]qaubctgg[.]workers[.]dev
Same MSI was also at stoaccinfoniqaveeambkp.blob[.]core[.]windows[.]net
August 27, 2025 at 7:16 PM
7/10

site.msi (v2)
61555d9b134ae5c390ccccf4706fef2128bba33f
67687b54f9cfee0b551c6847be7ed625e170d8bb882f888e3d0b22312db146cd

msi executes run.bat
d66d5c66fb8c477fdd15ae829af97f24bc18a15b
568d9e675244e3950457fe95e99a83d414372ee550148111411eb435aef12de0
August 27, 2025 at 7:16 PM