{
    "type": "bundle",
    "id": "bundle--0c13feae-f597-43df-b04e-89afabab4ac8",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--71744950-6fe5-4398-9ea3-38dad07c82b7",
            "created": "2025-05-18T23:37:18.015579Z",
            "modified": "2025-05-18T23:37:18.015614Z",
            "name": "Shubho57",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--94977db4-0446-447e-889e-d6679de26724",
            "created": "2026-06-24T21:10:40.060207Z",
            "modified": "2026-06-24T21:10:40.060207Z",
            "name": "YARA Rule",
            "pattern": "rule Inline_CSharp_ShowWindow_Hider\r\n{\r\nmeta:\r\ndescription = \"Detects PowerShell using inline C# with ShowWindow from user32.dll to hide windows\"\r\nauthor = \"ChatGPT\"\r\nreference = \"Threat behavior: stealth hiding via API\"\r\ndate = \"2025-05-10\"\r\nseverity = \"medium\"\r\nstrings:\r\n$ps_add_type = \"Add-Type\" nocase\r\n$dll_import = \"[DllImport(\\\"user32.dll\\\")]\" nocase\r\n$show_window = \"ShowWindow\" nocase\r\n$hide_call = \"ShowWindow(hWnd, 0\" nocase\r\n$powershell_indicator = \"System.Management.Automation\" wide ascii\r\ncondition:\r\n(1 of ($ps_add_type, $powershell_indicator)) and\r\n$dll_import and\r\n$show_window and\r\n$hide_call\r\n}",
            "pattern_type": "yara",
            "valid_from": "2025-05-12T00:00:00Z"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--0804a7e5-0902-415f-9441-605670d36cdc",
            "value": "92.119.114.128"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--0d14bc7f-50a3-4426-8db6-b7e880b4478a",
            "value": "185.235.128.114"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1",
            "created": "2026-06-24T21:10:40.064006Z",
            "modified": "2026-06-24T21:10:40.064006Z",
            "name": "Kimsuky"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--5286ecd7-107f-450d-bb8b-086328557da7",
            "created_by_ref": "identity--71744950-6fe5-4398-9ea3-38dad07c82b7",
            "created": "2026-06-24T21:10:40.066746Z",
            "modified": "2026-06-24T21:10:40.066746Z",
            "name": "Analysis of Kimsuky APT Group (Powershell Payloads one of them attributed to XWorm RAT)",
            "published": "2025-05-12T00:00:00Z",
            "object_refs": [
                "identity--71744950-6fe5-4398-9ea3-38dad07c82b7",
                "indicator--94977db4-0446-447e-889e-d6679de26724",
                "ipv4-addr--0804a7e5-0902-415f-9441-605670d36cdc",
                "ipv4-addr--0d14bc7f-50a3-4426-8db6-b7e880b4478a",
                "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://medium.com/@shubhandrew/analysis-of-kimsuky-apt-group-powershell-payloads-one-of-them-attributed-to-xworm-rat-ea8a96ea53fe"
                }
            ]
        }
    ]
}