THREAT OPS › Threat News › PHANTOMPULSE: anatomy of a hijackable blockchain-C2 RAT
PHANTOMPULSE: anatomy of a hijackable blockchain-C2 RAT
<p>Elastic Security Labs's prior coverage of <a href="https://www.elastic.co/security-labs/phantom-in-the-vault">REF6598</a> documented an intrusion set whose Windows toolchain landed via Obsidian plugin abuse, escalated via an in-memory PE loader (PHANTOMPULL), and finished with a RAT (PHANTOMPULSE). That post focused on delivery. This post analyzes the final stage: PHANTOMPULSE, an implant that
Attributed threat actors
- Sandworm TeamG0034
- APT38G0082
- Contagious InterviewG1052
MITRE ATT&CK techniques
- Scheduled TaskT1053.005
- Screen CaptureT1113
- System Owner/User DiscoveryT1033
- Bypass User Account ControlT1548.002
- Boot or Logon Autostart ExecutionT1547
- Clipboard DataT1115
- System Information DiscoveryT1082
- Application Layer ProtocolT1071
- Scheduled Task/JobT1053
- Native APIT1106
- Deobfuscate/Decode Files or InformationT1140
- Process InjectionT1055
- System Binary Proxy ExecutionT1218
- Reflective Code LoadingT1620
- Modify RegistryT1112
- Abuse Elevation Control MechanismT1548
- Command and Scripting InterpreterT1059
- Indicator RemovalT1070
- Virtualization/Sandbox EvasionT1497
- Web ServiceT1102
- Process DiscoveryT1057
- Exfiltration Over C2 ChannelT1041
- PowerShellT1059.001
- PhishingT1566
- Hijack Execution FlowT1574
- Process HollowingT1055.012
- Obfuscated Files or InformationT1027
- Encrypted ChannelT1573
- Input CaptureT1056
- Security Software DiscoveryT1518.001
- File DeletionT1070.004
- Access Token ManipulationT1134
- Web ProtocolsT1071.001
- Software DiscoveryT1518
- Spearphishing via ServiceT1566.003
- Command and Scripting InterpreterAML.T0050
- Process DiscoveryAML.T0089
- Virtualization/Sandbox EvasionAML.T0097
Indicators of compromise
- 33dacf9f854f636216e5062ca252df8e5bed652efd78b86512f5b868b11ee70fsha256
- 70bbb38b70fd836d66e8166ec27be9aa8535b3876596fc80c45e3de4ce327980sha256
- def66275fa3baffb16e6e4ae0297861d9790ae7161fbc271a2ba05d121f13c70sha256
- 6daa8d486250c20189a803838c3654aad73a541dsha1
- 04b30400b51136a19c739a8ec4dc95d5md5
- f5cc038aa919db19658dfe4430a62114md5
- 9f8ddf9900150c467ada95ad7838bd68md5
- 0xc117688c530b660e15085bF3A2B664117d8672aAeth
- 0x38796B8479fDAE0A72e5E7e326c87a637D0Cbc0Eeth
- https://panel.fefea22134.neturl
- https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/url
- https://gchq.github.io/CyberChef/#recipe=From_Hex(url
- https://eth.blockscout.com/url
- https://rastamouse.me/memory-patching-amsi-bypass/url
- 195.3.222.251ipv4
- base.blockscout.comdomain
- optimism.blockscout.comdomain
- ipif.orgdomain
- icanhazip.comdomain
- api4.ipify.orgdomain
- ipv4.icanhazip.comdomain
- 0x666.infodomain
- t.medomain
- thoroughly-publisher-troy-clara.trycloudflare.comdomain