StrikeReady Labs
@strikereadylabs.com
https://strikeready.com/blog.html
Download live malware samples mentioned here: https://github.com/StrikeReady-Inc/samples
If you prefer marketing (our product is great!) subscribe to our main page @strikeready.com
susp IR #APT leveraging Atera to target Israel via 13553@rflgroupbd.com acct
fliqr[.]codes/dl/cei8430kc2/Job-search-program.zip
-> תוכנית חיפוש עבודה.msi ("Job search program.msi") 7ebea1328b6fe3751dd0250452c466ce
November 11, 2025 at 2:57 PM
#dailyphish #crimeware decent openai phish that just asks for a credit card
November 10, 2025 at 8:33 PM
a rare .7z delivery from #apt #sidewinder "CC Development Document.7z" -> tubitak-gov-tr[.]adobeonline[.]org with a KeePass lure 317ae3f1081f7b208f84234ea7405c0f
desktop-kspr25q
November 10, 2025 at 5:17 PM
#gamaredon #apt #dailyphish
Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.HTA ("Request for information from the commander of military unit A0135_11-967_10.11.2025.HTA") 2a04a7584d90cff161be936b0b3f43c0
Запит командира військової частини А0135.rar ("Request of the commander of military unit A0135.rar") 5df7ff42d566156ce7c478f1a40896e3
November 10, 2025 at 1:47 PM
Now leveraging Turnstile to protect their payload
filesdownld.z13.web.core[.]windows[.]net/A9T3ZB7L1QX5.html
> twilight-voice-2c67.smith93011.workers[.]dev
> Chi Tiết Kế hoạch Chuyển đổi số và BADT. zip ("Details of the Digital Transformation Plan and BADT.zip")
filestoretome.z23.web.core[.]windows[.]net/filelocate.html > oumuenz[.]com > Details[.]zip
November 7, 2025 at 9:00 PM
Interesting abuse of Railway to host this APT phish, targeting the Sri Lankan government #dailyphish #apt hosted on nrmlgml-production[.]up[.]railway[.]app cc @jazco.dev
November 7, 2025 at 1:57 PM
Interesting one that hit on VT: Έκθεση_Νομικών_Προτεραιοτήτων.docx.lnk ("Legal_Priorities_Report.docx.lnk").
lnk + dll + exe in a zip? insta detection! 318456a2f2bf90d215cd14ee0314be0e8ae32796b18db49970297c64a3e916d4
November 5, 2025 at 3:32 PM
#apt targeting the Ministry of Foreign Affairs in Hungary #sidewinder grabfiles[.]org
November 5, 2025 at 2:02 PM
#apt CBDT-.rar 8fba8add32ba8c58705d397c8938c885
uses luajit with interesting comments, but LLM-derived regardless
uploaded from India
CBDT.pdf
crycert.dat
lua51.dll
PASSWORD.lnk
update.bin
update.exe
November 4, 2025 at 1:54 PM
"Scheduled_Internet_Outages.doc" (a9235540208fa6a25614c24a59e19199) hosted on reminders.trahum[.]org. Hebrew decoy
November 4, 2025 at 12:48 PM
"MAK Tata Cara Pengajuan dan Persetujuan Rencana Pengembangan.doc" unknown actor. 98c42969f5016de29d9cb53697ace1d0 -> socket to 43.133.139[.]174:8080
November 4, 2025 at 12:40 PM
"Liberalization_and_Competition_Telecom.doc" #UNK_SweetSpecter ff22419b8ec3994542f23c78dc21a7c5abcb634008d99b7fa1fff1bb23102a00 #apt
November 3, 2025 at 9:16 PM
New lure from "pakis" actor, leveraging "CrowdStrike-Deployment-Status.xls " 13c1a063409ad73e068604e4a5a605915d96d3c8e87e466bb49c6f41033d5909 -> test.netof66867[.]workers[.]dev #apt
November 3, 2025 at 8:49 PM
Awesome find and congrats on attrib by @kasperskylab.bsky.social! We apparently found this one as well last year, but couldn't tie it to a group at the time
October 30, 2025 at 4:14 PM
#dailyphish #gamaredon
here's a recent gamaredon phish. can't stop, won't stop ->
Повістка про виклик_357-16230-25_24.10.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_357-16230-25_24.10.2025.HTA ("Summons_357-16230-25_24.10.2025.pdf:..." with the trailing "..._Startup_357-16230-25_24.10.2025.HTA")
f2368a466c7a67ab3690736dd9d84f62
October 28, 2025 at 3:05 PM
Do you want to find muddy campaigns like sondouq.doc, uploaded from Egypt today 14fb6a186166577fab71d56cbe1c74d9? Check out our new blog, and thanks to all the partners whose work we referenced strikeready.com/blog/finding...
Finding the Unknown Unknowns, Part 4 (NilePhish, SneakyChef, Muddy Water, and a bonus unc)
Follow along as StrikeReady Labs highlights four techniques that were useful to surface four different clusters of targeted threat activity in 2025
strikeready.com
October 21, 2025 at 4:02 PM
#dailyphish interesting phish spoofing UK gov drive[.]usercontent[.]google[.]com/download?id=11Qu_rF2cmNQomQ8J_kYfz_CCHtyYelAH&export=download -> inftrimool[.]xyz
October 20, 2025 at 12:58 PM
"sorry, we haven't written any linux malware yet!"
#dailyopendir 2oomw0rk[.]run
October 13, 2025 at 4:59 PM
this #dailyphish may look like #apt, but it is actually 419-style scammers
October 10, 2025 at 12:44 PM
Thx greg! If any home gamers are looking to test their JS deobfuscation skills on a lazy friday, grab the samples here : github.com/StrikeReady-...
October 3, 2025 at 2:31 PM
Quite a bit of CN APT activity in europe in the past week
strikeready.com/blog/cn-apt-...
As always, if you're interested in tuning your skills, download the samples here github.com/StrikeReady-...
CN APT targets Serbian Government
Mustang Panda continues targeting European governments
strikeready.com
October 3, 2025 at 2:30 PM
Decoy tracking is a great indicator for potentially interesting payloads --- decoys that contain 'defence' or 'nato' related keywords have paid dividends for many years
218ed813d8a4d9d05473338795021c66012cd6c36368561d3aaf831a5c494740
utensils\.zip
cseconline[.]org
September 30, 2025 at 1:29 PM
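Added example (not StrikeReady's code, not derived from the samples above): a small archive-manifest triage script that encodes the hunting heuristics this feed keeps coming back to: the lnk + dll + exe trio ("insta detection"), a colon inside an archive entry name (which an extractor that honours it turns into an NTFS alternate data stream on Windows), ".." segments that climb toward a Startup folder, a document extension immediately followed by a shortcut or script extension such as .docx.lnk, and the 'defence'/'nato' decoy keywords. The fixture archives are constructed in memory for the demo and are not the real samples; the Gamaredon entry name is only imitated in shape (a colon followed by traversal into Startup), since the feed's rendering of it is all this page has.

```python
"""Archive-manifest triage heuristics (added example, not StrikeReady's code).

Flags, from entry names alone:
  lnk+dll+exe       a shortcut launcher, a DLL and an EXE shipped together
  ads-colon         a ':' inside an entry name (alternate data stream on Windows)
  path-traversal    a '..' segment that escapes the extraction directory
  startup-drop      traversal that also names a 'Startup' folder
  double-extension  document extension followed by a script/shortcut extension
  decoy-keyword     'defence' / 'defense' / 'nato' in any entry name
All fixtures below are constructed for the demo; they are not the real archives.
"""
import io
import posixpath
import re
import zipfile
from collections import Counter

DECOY_KEYWORDS = ("defence", "defense", "nato")   # substring match, deliberately loose
SCRIPT_EXTS = {".lnk", ".hta", ".js", ".vbs", ".bat", ".cmd", ".ps1"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}


def _ext(name: str) -> str:
    """Lower-cased last extension of a path component ('' if none)."""
    return posixpath.splitext(name)[1].lower()


def triage_names(names):
    """Return a sorted list of finding tags for one archive's entry names."""
    findings = set()
    exts = Counter(_ext(n) for n in names)

    # 1. the trio called out in the feed: .lnk + .dll + .exe in one archive
    if exts[".lnk"] and exts[".dll"] and exts[".exe"]:
        findings.add("lnk+dll+exe")

    for name in names:
        lower = name.lower()
        # split on both separators; zip writers on Windows sometimes keep '\'
        segments = re.split(r"[\\/]", lower)
        base = segments[-1]

        # 2. 'file.pdf:stream' -- ':' cannot appear in a Windows file name, so an
        #    extractor that passes it through writes an alternate data stream
        if any(":" in seg for seg in segments):
            findings.add("ads-colon")

        # 3. '..' components climb out of the extraction directory
        if ".." in segments:
            findings.add("path-traversal")
            if "startup" in segments:
                findings.add("startup-drop")

        # 4. e.g. 'report.docx.lnk': a document extension hiding behind a launcher
        stem, last = posixpath.splitext(base)
        if last in SCRIPT_EXTS and _ext(stem) in DOC_EXTS:
            findings.add("double-extension")

        # 5. decoy-keyword tracking across the whole entry path
        if any(k in lower for k in DECOY_KEYWORDS):
            findings.add("decoy-keyword")

    return sorted(findings)


def triage_zip(data: bytes):
    """Triage a zip held in memory; names come from the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return triage_names(zf.namelist())


def build_sample_zip(names):
    """Constructed fixture: an in-memory zip whose members are empty files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # constructed manifests, one per heuristic family
    fixtures = {
        "lnk trio": ["Έκθεση.docx.lnk", "helper.dll", "runtime.exe"],
        "ads + startup": ["Summons.pdf:../../../../AppData/Roaming/Microsoft/Windows/"
                          "Start Menu/Programs/Startup/x.HTA"],
        "decoy": ["utensils/NATO_defence_brief.pdf", "readme.txt"],
        "benign": ["report.pdf", "notes.txt"],
    }
    for label, names in fixtures.items():
        print(f"{label:14s} -> {triage_zip(build_sample_zip(names))}")
```

On a real file, `triage_zip(open(path, "rb").read())` is enough; the names are read from the central directory without extracting anything, so traversal and ADS names are never written to disk. Treat the tags as triage signal for what to pull and detonate, not as a verdict: the keyword match is a substring check on purpose and will fire on "senator" as readily as on "nato".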
blocking vt via htaccess ... pretty good indicator that you may not be up to any good ....
September 17, 2025 at 1:17 PM