{ "type": "bundle", "id": "bundle--a4e4449a-0fdb-4a03-9934-f8e1eccd781f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--62791516-e53e-4728-ae58-19ce2cf2fa82", "created": "2025-11-15T02:03:14.609594Z", "modified": "2025-11-15T02:28:49.217997Z", "name": "RansomISAC", "identity_class": "organization" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--2f602576-1f4f-43ab-8c8a-59e5a66545b1", "value": "api.trongrid.io" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--e26580cb-b6a4-443f-ad9c-8ae8392d47a8", "value": "fullnode.mainnet.aptoslabs.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--2a40b9e1-b258-4413-a7a2-9aeca001ef4b", "value": "aptoslabs.com" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--60084b69-ae94-4275-ac71-e0c3d5bc8969", "value": "23.27.20.143" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--b8216169-b8d5-438c-8646-d30abd0a1cd8", "value": "bsc-dataseed.binance.org" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--e2fd9333-7fae-497e-b014-9fadffa31950", "value": "bsc-rpc.publicnode.com" }, { "type": "url", "spec_version": "2.1", "id": "url--d839c504-71c7-4a7f-9d66-9300d7e0a796", "value": "https://bsc-dataseed.binance.org" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--477bd231-59b3-445e-8a0b-cdec29e2f4e1", "created": "2026-06-24T18:41:56.521577Z", "modified": "2026-06-24T18:41:56.521577Z", "name": "YARA Rule", "pattern": "rule DPRKObfuscatedJavaScript2 {\r\nmeta:\r\ndescription = \"Flexible RepoCrossChainTxDataHiding detection\"\r\nauthor = \"Ransom-ISAC\"\r\nstrings:\r\n$s1 = \"global['_V']\"\r\n$s2 = \"global['r']\"\r\n$obf = \".charAt\" nocase\r\n$req = \"require\"\r\ncondition:\r\nfilesize < 100KB and\r\nall of them\r\n}", "pattern_type": "yara", "valid_from": "2025-11-13T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--46bcf427-c32c-4641-9f00-cea34c44366a", "created": "2026-06-24T18:41:56.522233Z", "modified": "2026-06-24T18:41:56.522233Z", "name": "YARA Rule", "pattern": "rule DPRKObfuscatedJavaScript1 {\r\nmeta:\r\ndescription = \"RepoCrossChainTxDataHiding detection with specific + generic indicators\"\r\nauthor = \"Ransom-ISAC\"\r\nstrings:\r\n// High-confidence specific strings\r\n$s1 = \"global['_V']\"\r\n$s2 = \"global['r']\"\r\n// Generic obfuscation patterns\r\n$obf1 = \".charAt(\" nocase\r\n$obf2 = \".substr(\" nocase\r\n$obf3 = /function \\w{3}\\(\\w\\)\\{/\r\n// Suspicious execution patterns\r\n$exec1 = \"require\"\r\n$exec2 = /\\(\\)\\)\\(\\)/\r\ncondition:\r\nfilesize < 50KB and\r\nall of ($s*) and\r\n2 of ($obf*) and\r\n1 of ($exec*)\r\n}", "pattern_type": "yara", "valid_from": "2025-11-13T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--48891109-a753-4d09-96f3-c7e1c7a46e01", "hashes": { "SHA-256": "f3c46284d1f89f33427b332a7b9357165a3d55a2b3a74f9d9b977b9673ad7c60" } }, { "type": "file", "spec_version": "2.1", "id": "file--d0996f7f-a725-48ec-b79e-a81c93d79d05", "hashes": { "SHA-256": "16df15306f966ae5c5184901747a32087483c03eebd7bf19dbfc38e2c4d23ff8" } }, { "type": "url", "spec_version": "2.1", "id": "url--fb3ca530-54f4-4294-8010-696c311c0d1a", "value": "https://api.trongrid.io/v1/accounts/TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP/transactions?only_confirmed=true&only_from=true&limit=1" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--1d227bee-f26c-5f74-a3f8-5bdb18774b64", "created": "2026-06-24T18:41:56.526317Z", "modified": "2026-06-24T18:41:56.526317Z", "name": "FamousChollima" }, { "type": "report", "spec_version": "2.1", "id": "report--70482707-d118-43d4-b8ae-5aa5468b949c", "created_by_ref": "identity--62791516-e53e-4728-ae58-19ce2cf2fa82", "created": "2026-06-24T18:41:56.52892Z", "modified": "2026-06-24T18:41:56.52892Z", "name": "Cross-Chain TxDataHiding Crypto Heist: A Very Chainful Process (Part 3)", "published": "2025-11-13T00:00:00Z", "object_refs": [ "identity--62791516-e53e-4728-ae58-19ce2cf2fa82", "domain-name--2f602576-1f4f-43ab-8c8a-59e5a66545b1", "domain-name--e26580cb-b6a4-443f-ad9c-8ae8392d47a8", "domain-name--2a40b9e1-b258-4413-a7a2-9aeca001ef4b", "ipv4-addr--60084b69-ae94-4275-ac71-e0c3d5bc8969", "domain-name--b8216169-b8d5-438c-8646-d30abd0a1cd8", "domain-name--e2fd9333-7fae-497e-b014-9fadffa31950", "url--d839c504-71c7-4a7f-9d66-9300d7e0a796", "indicator--477bd231-59b3-445e-8a0b-cdec29e2f4e1", "indicator--46bcf427-c32c-4641-9f00-cea34c44366a", "file--48891109-a753-4d09-96f3-c7e1c7a46e01", "file--d0996f7f-a725-48ec-b79e-a81c93d79d05", "url--fb3ca530-54f4-4294-8010-696c311c0d1a", "threat-actor--1d227bee-f26c-5f74-a3f8-5bdb18774b64" ], "external_references": [ { "source_name": "source", "url": "https://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist/" } ] } ] }