{ "type": "bundle", "id": "bundle--d408ec2c-bd10-4fd5-8d5c-8c5fe6c313d3", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--99f7ec53-5be5-4fbe-8e20-06a244fbb703", "created": "2023-03-08T12:51:46.782365Z", "modified": "2023-03-08T13:21:39.376208Z", "name": "PWC", "identity_class": "organization" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--df980b0b-fa58-42f3-a2e0-b22e10872582", "value": "ukr.net" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8352695c-9f15-4cf0-918f-0ebdc970ac20", "created": "2026-06-24T16:57:03.050042Z", "modified": "2026-06-24T16:57:03.050042Z", "name": "YARA Rule", "pattern": "rule Sliver_Protobuf_Symbol : Heuristic_and_General\r\n{\r\nmeta:\r\ndescription = \"Detects symbol in Sliver implants (PE, ELF, Mach-O and\r\nshellcode) referencing a custom protobuf module\"\r\nTLP = \"AMBER\"\r\nauthor = \"PwC Threat Intelligence\"\r\ncopyright = \"Copyright PwCIL 2022 (C)\"\r\ncreated_date = \"2022-10-18\"\r\nmodified_date = \"2022-10-18\"\r\nrevision = \"0\"\r\nhash = \"41cf473fe535b932c68e9f295680fe228cde0094a8bac70ccb68c21aaff22188\"\r\nhash = \"c12c33111b41bf2be458004d532f1255fd734057d2c7bf59e0877e31dbedfd4e\"\r\nhash = \"3b4c57e04422825609bc70dfa5bf741cded6961df87369b530c45720eee828fd\"\r\nhash = \"4c668595d6767e9cdb68f875aab9d4d39ae0ff94d94e76dc301eb336f1d74096\"\r\nreference = \"https://github.com/BishopFox/sliver\"\r\nstrings:\r\n$ = \".sliverpb.\"\r\ncondition:\r\n// Note, you can remove these file signature checks to wider the rule further\r\n(\r\n// PE\r\nuint16(0) == 0x5A4D or\r\n// Shellcode\r\nuint32be(0) == 0x4883e4f0 or\r\n// Mach-O\r\nuint32be(0) == 0xcffaedfe or\r\n// ELF\r\nuint32be(0) == 0x7f454c46\r\n) and\r\nany of them\r\n}", "pattern_type": "yara", "valid_from": "2023-04-12T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6c60a8ae-b2fb-48da-bea0-a978f7bb8000", "created": "2026-06-24T16:57:03.050742Z", "modified": "2026-06-24T16:57:03.050742Z", "name": "YARA Rule", "pattern": "rule Brute_Ratel_PE_Badger_API_Loading_Routine : Heuristic_and_General\r\n{\r\nmeta:\r\ndescription = \"Detects Brute Ratel Badger payloads (PE and DLL) based on a\r\nunique routine used to dynamically load APIs\"\r\nTLP = \"AMBER\"\r\nauthor = \"PwC Threat Intelligence\"\r\ncopyright = \"Copyright PwCIL 2022 (C)\"\r\ncreated_date = \"2022-09-29\"\r\nmodified_date = \"2022-09-29\"\r\nrevision = \"0\"\r\nhash = \"4de333f164d70b59849c3aa12a9c95cdcbecae3023386ee08c15b38874260941\"\r\nhash = \"dc71c5721fa6b3148a3a0564931dc063d03694ca57aa61e8c2532b5a565b2548\"\r\nhash = \"ef803ea871c974623ceb678548c938826b683c857adc85a6bf8af34c8b61fc52\"\r\nstrings:\r\n// 8B5324\r\nMOV EDX,DWORD PTR [RBX+24]\r\n// 4D01DB\r\nADD R11,R11\r\n// 8B431C\r\nMOV EAX,DWORD PTR [RBX+1C]\r\n// 4D01D3\r\nADD R11,R10\r\n// 410FB71413\r\nMOVZX EDX,WORD PTR [R11+RDX]\r\n// 498D1492\r\nLEA RDX,[R10+RDX*4]\r\n// 8B0402\r\nMOV EAX,DWORD PTR [RDX+RAX]\r\n// 4C01D0\r\nADD RAX,R10\r\n$ = {8B53244D01DB8B431C4D01D3410FB71413498D14928B04024C01D0}\r\ncondition:\r\nall of them\r\n}", "pattern_type": "yara", "valid_from": "2023-04-12T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--36db62c9-8205-4e5b-a913-e247b138702f", "hashes": { "SHA-256": "dc71c5721fa6b3148a3a0564931dc063d03694ca57aa61e8c2532b5a565b2548" } }, { "type": "file", "spec_version": "2.1", "id": "file--b0e8dbc2-9196-46d3-8b8e-158c55ef353f", "hashes": { "SHA-256": "4c668595d6767e9cdb68f875aab9d4d39ae0ff94d94e76dc301eb336f1d74096" } }, { "type": "file", "spec_version": "2.1", "id": "file--1840a070-1550-4042-ab33-7151446eedb7", "hashes": { "SHA-256": "b82a587befc34c0db00eed5c4117d88d343b8b895f03fc409a55d9240cf9fde1" } }, { "type": "file", "spec_version": "2.1", "id": "file--502e2649-6994-4045-856a-55632b1f0bb8", "hashes": { "SHA-256": "4de333f164d70b59849c3aa12a9c95cdcbecae3023386ee08c15b38874260941" } }, { "type": "file", "spec_version": "2.1", "id": "file--0ae62cea-5d57-4d2a-a1ee-1ac0f0352005", "hashes": { "SHA-256": "41cf473fe535b932c68e9f295680fe228cde0094a8bac70ccb68c21aaff22188" } }, { "type": "file", "spec_version": "2.1", "id": "file--fc1a4d6b-bc73-43c0-9d80-02e730886d72", "hashes": { "MD5": "71f9b72993614795b4d8ff554c99ef9b" } }, { "type": "file", "spec_version": "2.1", "id": "file--42879021-8eeb-439b-8b7b-1290b5a3d489", "hashes": { "SHA-1": "44b9d089cf734d2478165a8539b23aed51887f7d" } }, { "type": "file", "spec_version": "2.1", "id": "file--52538045-8eae-4f0b-b4e1-1a0fa30e4816", "hashes": { "SHA-256": "c12c33111b41bf2be458004d532f1255fd734057d2c7bf59e0877e31dbedfd4e" } }, { "type": "file", "spec_version": "2.1", "id": "file--75d48443-9421-45cb-b585-64a27023e2bc", "hashes": { "MD5": "68af0db11c5c03e89049da0629ef4d85" } }, { "type": "file", "spec_version": "2.1", "id": "file--ce4a5e88-b76b-4417-bb5d-4fab9eacc490", "hashes": { "SHA-256": "ef803ea871c974623ceb678548c938826b683c857adc85a6bf8af34c8b61fc52" } }, { "type": "file", "spec_version": "2.1", "id": "file--110cf4a8-80f7-4899-92ac-c75060411500", "hashes": { "SHA-256": "3b4c57e04422825609bc70dfa5bf741cded6961df87369b530c45720eee828fd" } }, { "type": "url", "spec_version": "2.1", "id": "url--1ef8f1df-1230-41b1-9784-2bff47cd63da", "value": "https://shipping8.godaddysites.com/dhl" }, { "type": "url", "spec_version": "2.1", "id": "url--633953cd-8461-4424-83a9-626b56abd623", "value": "https://ukrverifikaciyaakkaunta.godaddysites.com/privacy-policy" }, { "type": "url", "spec_version": "2.1", "id": "url--0e1b9cbd-f09f-432e-9a67-f0b2d1023ffd", "value": "https://product808.godaddysites.com/purchase-order" }, { "type": "url", "spec_version": "2.1", "id": "url--7baee7ce-0dad-48ad-a39f-175ef4db99f4", "value": "https://support-domaill.godaddysites.com/ukr" }, { "type": "url", "spec_version": "2.1", "id": "url--302b4ef8-42fc-422a-ab74-6431d32ab212", "value": "https://deutschepost.godaddysites.com/login" }, { "type": "url", "spec_version": "2.1", "id": "url--e08377b0-cbe9-4867-8c73-efada9795d93", "value": "http://secnerd.ir" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--c15b15ff-209b-4795-8480-6769aae26c9d", "value": "secnerd.ir" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--1e4b91c8-2fbe-4b2a-9fff-bc3cce81ce25", "value": "product808.godaddysites.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--2be3763c-a649-4c75-84d8-a0ac1cf71a9b", "value": "support-domaill.godaddysites.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--ad2ea887-2b19-4d18-908b-71d06c40a21a", "value": "evasionlabs.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--b7ca94b1-4267-4b07-aeec-3d314f0ce2e5", "value": "troopers.de" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--f28e984b-26e5-418b-bce3-a4460725f0a0", "value": "deutschepost.godaddysites.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--6e16354d-da53-430b-9733-92f7670f5b0d", "value": "shipping8.godaddysites.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--d98a971f-4c73-4de3-8b7e-32c5d4e144e6", "value": "ukrverifikaciyaakkaunta.godaddysites.com" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--9669b48e-8c74-4224-8b20-96292f9f0f6c", "value": "79.143.87.14" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--91e42a6e-55c0-4825-a8e1-05a94188a101", "value": "18.130.157.66" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--442962e1-9629-4b77-b208-3a98085bba5a", "value": "193.8.172.208" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--7e877b4a-117f-4761-a54d-84558499748b", "value": "18.169.208.15" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--2869c62b-252d-43b9-8ae2-02aa721add3c", "value": "news.sky.com" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--393c62fc-8882-5e42-976f-9ed131152ac4", "created": "2026-06-24T16:57:03.06972Z", "modified": "2026-06-24T16:57:03.06972Z", "name": "BlackDev2" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--69d6836d-ed69-58a4-a440-33747fcd81de", "created": "2026-06-24T16:57:03.071976Z", "modified": "2026-06-24T16:57:03.071976Z", "name": "BlackArtemis" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--da6a0bdd-e672-5472-8528-f46a25c7d852", "created": "2026-06-24T16:57:03.074231Z", "modified": "2026-06-24T16:57:03.074231Z", "name": "BlackAlicanto" }, { "type": "report", "spec_version": "2.1", "id": "report--34440a93-f2d3-459b-bd03-9fb53b5285f3", "created_by_ref": "identity--99f7ec53-5be5-4fbe-8e20-06a244fbb703", "created": "2026-06-24T16:57:03.097417Z", "modified": "2026-06-24T16:57:03.097417Z", "name": "Cyber Threats 2022: A Year in Retrospect", "published": "2023-04-12T00:00:00Z", "object_refs": [ "identity--99f7ec53-5be5-4fbe-8e20-06a244fbb703", "domain-name--df980b0b-fa58-42f3-a2e0-b22e10872582", "indicator--8352695c-9f15-4cf0-918f-0ebdc970ac20", "indicator--6c60a8ae-b2fb-48da-bea0-a978f7bb8000", "file--36db62c9-8205-4e5b-a913-e247b138702f", "file--b0e8dbc2-9196-46d3-8b8e-158c55ef353f", "file--1840a070-1550-4042-ab33-7151446eedb7", "file--502e2649-6994-4045-856a-55632b1f0bb8", "file--0ae62cea-5d57-4d2a-a1ee-1ac0f0352005", "file--fc1a4d6b-bc73-43c0-9d80-02e730886d72", "file--42879021-8eeb-439b-8b7b-1290b5a3d489", "file--52538045-8eae-4f0b-b4e1-1a0fa30e4816", "file--75d48443-9421-45cb-b585-64a27023e2bc", "file--ce4a5e88-b76b-4417-bb5d-4fab9eacc490", "file--110cf4a8-80f7-4899-92ac-c75060411500", "url--1ef8f1df-1230-41b1-9784-2bff47cd63da", "url--633953cd-8461-4424-83a9-626b56abd623", "url--0e1b9cbd-f09f-432e-9a67-f0b2d1023ffd", "url--7baee7ce-0dad-48ad-a39f-175ef4db99f4", "url--302b4ef8-42fc-422a-ab74-6431d32ab212", "url--e08377b0-cbe9-4867-8c73-efada9795d93", "domain-name--c15b15ff-209b-4795-8480-6769aae26c9d", "domain-name--1e4b91c8-2fbe-4b2a-9fff-bc3cce81ce25", "domain-name--2be3763c-a649-4c75-84d8-a0ac1cf71a9b", "domain-name--ad2ea887-2b19-4d18-908b-71d06c40a21a", "domain-name--b7ca94b1-4267-4b07-aeec-3d314f0ce2e5", "domain-name--f28e984b-26e5-418b-bce3-a4460725f0a0", "domain-name--6e16354d-da53-430b-9733-92f7670f5b0d", "domain-name--d98a971f-4c73-4de3-8b7e-32c5d4e144e6", "ipv4-addr--9669b48e-8c74-4224-8b20-96292f9f0f6c", "ipv4-addr--91e42a6e-55c0-4825-a8e1-05a94188a101", "ipv4-addr--442962e1-9629-4b77-b208-3a98085bba5a", "ipv4-addr--7e877b4a-117f-4761-a54d-84558499748b", "domain-name--2869c62b-252d-43b9-8ae2-02aa721add3c", "threat-actor--393c62fc-8882-5e42-976f-9ed131152ac4", "threat-actor--69d6836d-ed69-58a4-a440-33747fcd81de", "threat-actor--da6a0bdd-e672-5472-8528-f46a25c7d852" ], "external_references": [ { "source_name": "source", "url": "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/pdf/2022-year-in-retrospect-report.pdf" } ] } ] }