StrikeReady Labs
@strikereadylabs.com
https://strikeready.com/blog.html
Download live malware samples mentioned here: https://github.com/StrikeReady-Inc/samples

If you prefer marketing (our product is great!) subscribe to our main page @strikeready.com
#mustangpanda #apt e46df5e79880777c4a01ab370bb6f4f3d8d51c57ac0dfdbb9c7370199f363508
SCAN_BC_TH_1389.zip
November 25, 2025 at 2:43 PM
Gamaredon is using one of the RAR vulns to unpack the payload directly into the Startup folder 6a3ef719d859d2005dbc5feb68e4a236 #apt #dailyphish
November 24, 2025 at 2:50 PM
CN #APT targeting attendees of a diabetes conference in Singapore in December
attd.z23.web.core[.]windows[.]net/ATTD-ASIA-2025.zip (live link, careful!)
ATTD-ASIA-2025.lnk a12357ff6c0f7b021f32b0c9cd3d01c4
ATTD-ASIA-2025.zip a8082a80cef9ccee9d7a35f5366e3afb
gzv.msi 32e7dcbd26b6455974d5b2c52c3ca421 🐴
November 20, 2025 at 8:10 PM
susp muddy #apt Webinar.doc f97650ede0c39a29b0b5c5472f685d11

74e75830252220cbbe7e3adec4340d2d (SentinelOne icon spoof) -> stratioai[.]org
November 18, 2025 at 2:16 PM
Interesting one, Space Flight Logbook.txt.lnk from Latvia. Uses certutil to download and execute a legit Windows binary. Perhaps the tinyurl was swapped out. 26cf36ca026dcac0049bd109c904e7bd
links to soigu.rar 1d286ce46904247d899b16bd82698a86 -> 50b94a39590f4e71dc0acdf642b52e31 -> sunmedical[.]st
November 15, 2025 at 4:09 PM
(sourced from VT, not customer)
If you work in email security, any filter you write to detect targeted threats will eventually fire on this actor, plus one more (~supyra). They've emailed governments every single day for 15 years with pages and pages of this content, none of which is ever malicious.
November 14, 2025 at 1:24 PM
#apt targeting Turkish military and Baykar @baykartech.bsky.social
[email protected]
[email protected]
drive[.]google[.]com/file/d/14vgoZqBktuuhdhZSsaK5Py7Y2k1yqymh/view?usp=drive_link
CNSA-SUPARCO MoU.rar f4e0e18d86b06a30cddf61b56fdcf429
November 13, 2025 at 11:56 AM
Interesting one uploaded from Uzbekistan
ПисьмоМВД.pdf.lnk (Letter from the Ministry of Internal Affairs.pdf.lnk)
00bd4de2bde0461accdd2e79279b08c2
-> document.pdf
->GameHook.exe
-> graphics-hook-filter64.dll
-> simhei.dat
00bd4de2bde0461accdd2e79279b08c2
8ee654d826ca5243e2ed1bc4d07f86be
November 12, 2025 at 7:18 PM
2 interesting ones with bitcoin lures #susp #apt
Brief. zip
Credential_Verification_System.zip
a553b78847aea7dbb6746a4ee4b98a3b
a56220a0b2a69c6b950693c813ce5fea
Brief.docx.lnk
Credential Verification System.docx.lnk
November 12, 2025 at 3:13 PM
원천세 납부고지서.zip -> 원천세 납부고지서.hta (Withholding tax payment notice.zip -> Withholding tax payment notice.hta)
8b8005063c2d180acfdf0290e74b9891
#apt
overlaps to lnk from desktop-iihqrp1 #dprk
November 11, 2025 at 4:33 PM
susp IR #APT leveraging Atera to target Israel via [email protected] acct
fliqr[.]codes/dl/cei8430kc2/Job-search-program.zip
-> תוכנית חיפוש עבודה.msi (Job search program.msi) 7ebea1328b6fe3751dd0250452c466ce
November 11, 2025 at 2:57 PM
#dailyphish #crimeware decent OpenAI phish that just asks for a credit card
November 10, 2025 at 8:33 PM
a rare .7z delivery from #apt #sidewinder "CC Development Document.7z" -> tubitak-gov-tr[.]adobeonline[.]org with a KeePass lure 317ae3f1081f7b208f84234ea7405c0f
desktop-kspr25q
November 10, 2025 at 5:17 PM
#gamaredon #apt #dailyphish

Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.HTA (Request for information from the commander of military unit A0135_11-967_10.11.2025.HTA) 2a04a7584d90cff161be936b0b3f43c0
Запит командира військової частини А0135.rar (Request from the commander of military unit A0135.rar) 5df7ff42d566156ce7c478f1a40896e3
November 10, 2025 at 1:47 PM
Now leveraging Turnstile to protect their payload
filesdownld.z13.web.core[.]windows[.]net/A9T3ZB7L1QX5.html
> twilight-voice-2c67.smith93011.workers[.]dev
>Chi Tiết Kế hoạch Chuyển đổi số và BADT. zip (Details of the Digital Transformation Plan and BADT.zip)
filestoretome.z23.web.core[.]windows[.]net/filelocate.html > oumuenz[.]com >Details[.]zip
November 7, 2025 at 9:00 PM
Interesting abuse of Railway to host this APT phish, targeting the Sri Lankan government #dailyphish #apt hosted on nrmlgml-production[.]up[.]railway[.]app cc @jazco.dev
November 7, 2025 at 1:57 PM
Interesting one that hit on VT: Έκθεση_Νομικών_Προτεραιοτήτων.docx.lnk (Report_of_Legal_Priorities.docx.lnk).

lnk + dll + exe in a zip? insta detection! 318456a2f2bf90d215cd14ee0314be0e8ae32796b18db49970297c64a3e916d4
November 5, 2025 at 3:32 PM
#apt targeting the Ministry of Foreign Affairs in Hungary #sidewinder grabfiles[.]org
November 5, 2025 at 2:02 PM
#apt CBDT-.rar 8fba8add32ba8c58705d397c8938c885

uses LuaJIT with interesting comments, but LLM-derived regardless
uploaded from India
CBDT.pdf
crycert.dat
lua51.dll
PASSWORD.lnk
update.bin
update.exe
November 4, 2025 at 1:54 PM
"Scheduled_Internet_Outages.doc" (a9235540208fa6a25614c24a59e19199) hosted on reminders.trahum[.]org. Hebrew decoy
November 4, 2025 at 12:48 PM
"MAK Tata Cara Pengajuan dan Persetujuan Rencana Pengembangan.doc" (MAK Procedures for Submission and Approval of Development Plans.doc) unknown actor. 98c42969f5016de29d9cb53697ace1d0 -> socket to 43.133.139[.]174:8080
November 4, 2025 at 12:40 PM
"Liberalization_and_Competition_Telecom.doc" #UNK_SweetSpecter ff22419b8ec3994542f23c78dc21a7c5abcb634008d99b7fa1fff1bb23102a00 #apt
November 3, 2025 at 9:16 PM
New lure from "pakis" actor, leveraging "CrowdStrike-Deployment-Status.xls " 13c1a063409ad73e068604e4a5a605915d96d3c8e87e466bb49c6f41033d5909 -> test.netof66867[.]workers[.]dev #apt
November 3, 2025 at 8:49 PM
Awesome find and congrats on attrib by @kasperskylab.bsky.social! We apparently found this one as well last year, but couldn't tie it to a group at the time
October 30, 2025 at 4:14 PM
#dailyphish #gamaredon

Here's a recent Gamaredon phish. Can't stop, won't stop ->
Повістка про виклик_357-16230-25_24.10.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_357-16230-25_24.10.2025.HTA (Summons_357-16230-25_24.10.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_357-16230-25_24.10.2025.HTA)
f2368a466c7a67ab3690736dd9d84f62
October 28, 2025 at 3:05 PM
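The two Gamaredon posts above (the "RAR vulns to unpack the payload directly into the startup folder" one, and the "Повістка про виклик ... Startup ... .HTA" entry name) show the pattern worth hunting for in archive listings: a decoy filename, a ':' stream separator, a run of '..' components, and a landing path under the per-user Startup folder. The script below is an added example written for this page, not StrikeReady's code or tooling, and it only analyses entry names as strings (nothing is extracted). It assumes that the underscores in the displayed entry name stand in for path separators; the sample listing is constructed here, with the second entry modelled on the posted name under that assumption.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Per-user autorun location, matched case-insensitively with either separator.
STARTUP_RE = re.compile(
    r"appdata[\\/]+roaming[\\/]+microsoft[\\/]+windows[\\/]+start menu[\\/]+programs[\\/]+startup(?:[\\/]|$)",
    re.IGNORECASE,
)
# A leading drive letter is an absolute path, not an alternate data stream.
DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")


@dataclass
class EntryVerdict:
    name: str
    ads_stream: bool        # ':' separator present: 'decoy.pdf:<stream path>'
    absolute: bool          # drive letter or leading separator
    dotdot_components: int  # number of '..' components in the (stream) path
    targets_startup: bool   # resolved path lands in the Startup folder
    extension: str          # lower-cased extension of the final component

    @property
    def suspicious(self) -> bool:
        # Traversal or an absolute path should never appear in a benign archive;
        # an ADS-style name is abnormal on its own and is what the posted sample uses.
        return self.dotdot_components > 0 or self.absolute or self.ads_stream


def analyze_entry(name: str) -> EntryVerdict:
    """Classify one archive entry name. Pure string analysis, nothing is written."""
    drive = bool(DRIVE_RE.match(name))
    # Position 0 is skipped so a bare ':' at the start is not taken as a stream separator.
    sep = -1 if drive else name.find(":", 1)
    ads = sep != -1
    path = name[sep + 1:] if ads else name
    components = [c for c in re.split(r"[\\/]+", path) if c]
    dotdot = sum(1 for c in components if c == "..")
    absolute = drive or bool(re.match(r"[\\/]", path))
    ext = ""
    if components:
        m = re.search(r"(\.[A-Za-z0-9]+)\s*$", components[-1])
        if m:
            ext = m.group(1).lower()
    return EntryVerdict(name, ads, absolute, dotdot, bool(STARTUP_RE.search(path)), ext)


def scan_listing(names: Iterable[str]) -> List[EntryVerdict]:
    """Return verdicts for every entry in a listing that should block extraction."""
    return [v for v in (analyze_entry(n) for n in names) if v.suspicious]


# Constructed sample listing (not a real archive). Entry 2 is modelled on the posted
# Gamaredon name, assuming the displayed underscores stand for backslashes.
SAMPLE_LISTING = [
    "Повістка про виклик_357-16230-25_24.10.2025.pdf",
    "Повістка про виклик_357-16230-25_24.10.2025.pdf:..\\..\\..\\..\\..\\..\\AppData\\Roaming"
    "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\357-16230-25_24.10.2025.HTA",
    "reports/2025/q3.xlsx",
    "images/../../../Users/Public/run.cmd",
    "C:\\Windows\\Temp\\x.exe",
]

if __name__ == "__main__":
    for v in scan_listing(SAMPLE_LISTING):
        flags = []
        if v.ads_stream:
            flags.append("ads")
        if v.absolute:
            flags.append("absolute")
        if v.dotdot_components:
            flags.append(f"traversal x{v.dotdot_components}")
        if v.targets_startup:
            flags.append("-> Startup")
        print(f"[{', '.join(flags)}] {v.extension or '?'}  {v.name}")
```

Feeding the output of `unrar lb` or `7z l -slt` into `scan_listing` before extraction is the practical use; an entry that trips `targets_startup` together with an `.hta`, `.lnk` or `.exe` extension is the exact shape of the sample in the post.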