{ "type": "bundle", "id": "bundle--7653cd40-7618-40f7-8f1d-0577ef869aea", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--48edf75c-7cd8-480a-8950-deb15067ea29", "created": "2026-04-13T05:27:30.708162Z", "modified": "2026-04-22T01:03:40.519059Z", "name": "BreakGlassIntelligence", "identity_class": "organization" }, { "type": "file", "spec_version": "2.1", "id": "file--ab2529dc-f6db-4b81-b72b-19be7c915b16", "hashes": { "MD5": "82a8292007e682f1a127ba8dcebfae96" } }, { "type": "file", "spec_version": "2.1", "id": "file--13b0f504-bef2-41a7-803c-058c157ab840", "hashes": { "MD5": "655221b6bcad7b5b0b9766142cbc257a" } }, { "type": "file", "spec_version": "2.1", "id": "file--9fe82d2d-4042-44be-8e84-945fbbc4a110", "hashes": { "MD5": "60aaafce354ae5e0b8115729464a8b24" } }, { "type": "file", "spec_version": "2.1", "id": "file--986a301f-d4a9-45ab-b285-0b5acde622ce", "hashes": { "SHA-1": "28978e987bc59e75ca22562924eab93355cf679e" } }, { "type": "file", "spec_version": "2.1", "id": "file--76bf7257-8450-4e45-88e9-2027ad302853", "hashes": { "MD5": "00b4f860f1798b62b3531f1b4e8bb6e0" } }, { "type": "file", "spec_version": "2.1", "id": "file--4e85cc68-639c-4d95-96cb-4628e8c9bebb", "hashes": { "MD5": "447557d5236f1b97be0314b317ca9fff" } }, { "type": "file", "spec_version": "2.1", "id": "file--5b04484e-03e5-4f83-8329-3b7f0be0d73d", "hashes": { "MD5": "3be2401da21dfed104c9aa52bb620344" } }, { "type": "file", "spec_version": "2.1", "id": "file--07cafdaf-80af-451d-a9c0-6cd1fe8a1179", "hashes": { "MD5": "aea72dfcf492037a6d15755a74645c7d" } }, { "type": "file", "spec_version": "2.1", "id": "file--0ec10915-4e08-493d-adbd-94db204dd0ac", "hashes": { "MD5": "c8040dd3ff2f4afd042efd4ebe1a43c6" } }, { "type": "file", "spec_version": "2.1", "id": "file--f3d5a8ff-4fe5-40da-841e-5201bd326c32", "hashes": { "SHA-256": "aeebcd8c8b15645d7e71b68ac05e21e9a4c94f832c64044725d870b87b9573c7" } }, { "type": "file", "spec_version": "2.1", "id": "file--64e6bee8-2a9c-4810-8475-fc3c6b7c8e65", "hashes": { "SHA-1": "53948d9596ebab5c4cf2ac04e7fb70c429e0cbbf" } }, { "type": "url", "spec_version": "2.1", "id": "url--7ccb5baa-be8a-47ee-9d78-2a355cb25895", "value": "http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/00b4f860f1798b62b3531f1b4e8bb6e0" }, { "type": "url", "spec_version": "2.1", "id": "url--49185c3f-40e1-41e6-8ceb-a28a97ef1757", "value": "http://7aqabivkwmpvjkyefonf3gpy5gsubopqni7kcirsrq3pflckxq5zz4id.onion/" }, { "type": "url", "spec_version": "2.1", "id": "url--b3451a0e-9b5c-417f-afbd-07e30f11e234", "value": "http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/" }, { "type": "url", "spec_version": "2.1", "id": "url--c7d9f414-b93e-4c0d-a3bd-2e728bcfe8e2", "value": "http://s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion/" }, { "type": "url", "spec_version": "2.1", "id": "url--3142f674-e9d9-4ce5-b5ee-db8462028415", "value": "https://utox.org/uTox_win64.exe" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--5b6fb480-571a-4f68-8c5c-279340e4a2c0", "value": "xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--f24bb387-6eaf-4659-ad38-89b5867ec602", "value": "uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--a886ed23-3dff-450d-8a23-37b773a4496a", "value": "utox.org" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--43c3d288-4dbf-474a-ae89-885e736e1ab6", "value": "s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--942e144f-ac98-4667-b9c6-0c689ae3a954", "value": "7aqabivkwmpvjkyefonf3gpy5gsubopqni7kcirsrq3pflckxq5zz4id.onion" }, { "type": "file", "spec_version": "2.1", "id": "file--ac84a187-527a-4bf1-a3bc-b69d9989ddcf", "hashes": { "SHA-256": "15208030eda48b3786f7d85d756d2bd6596ef0f465d9c8509a8f02c53fad9a10" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3de6ba6d-4aee-4ad7-a210-c4bdf41f21e8", "created": "2026-06-24T21:17:22.930335Z", "modified": "2026-06-24T21:17:22.930335Z", "name": "YARA Rule", "pattern": "rule Lazarus_Medusa_Campaign_Config {\r\nmeta:\r\ndescription = \"Detects XOR-encoded Medusa configuration block with Tor onion addresses\"\r\nauthor = \"Breakglass Intelligence\"\r\ndate = \"2026-03-09\"\r\ntlp = \"TLP:CLEAR\"\r\nseverity = \"HIGH\"\r\nstrings:\r\n$onion1_xor = { 56 42 5A 4E 66 4A 44 5B } // \"xfv4jzck\" XOR 0x2E\r\n$tox_marker = \"AEA72DFCF492037A6D15755A74645C7D\" ascii\r\n$victim_id = \"00b4f860f1798b62b3531f1b4e8bb6e0\" ascii\r\ncondition:\r\nuint16(0) == 0x5A4D and\r\nany of them\r\n}", "pattern_type": "yara", "valid_from": "2026-03-12T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e027cb3b-5abe-42bd-a640-e5cdc2bac778", "created": "2026-06-24T21:17:22.930992Z", "modified": "2026-06-24T21:17:22.930992Z", "name": "YARA Rule", "pattern": "rule Lazarus_TSMSISrv_IME_Loader {\r\nmeta:\r\ndescription = \"Detects Lazarus IME SDK-based DLL sideloading loader (TSMSISrv.dll)\"\r\nauthor = \"Breakglass Intelligence\"\r\ndate = \"2026-03-09\"\r\ntlp = \"TLP:CLEAR\"\r\nseverity = \"HIGH\"\r\nreference = \"https://intel.breakglass.tech\"\r\nstrings:\r\n$ime1 = \"SampleIME\" ascii wide\r\n$ime2 = \"The Sample code of Windows 8 IME\" ascii wide\r\n$ime3 = \"SampleIM.dll\" ascii wide\r\n$exp1 = \"OnSessionChange\" ascii\r\n$exp2 = \"StartComponent\" ascii\r\n$exp3 = \"StopComponent\" ascii\r\n$exp4 = \"DllRegisterServer\" ascii\r\n$rtti1 = \"CSampleIME\" ascii\r\n$rtti2 = \"CCompositionProcessorEngine\" ascii\r\n$msft = \"MSFT\" ascii wide\r\ncondition:\r\nuint16(0) == 0x5A4D and\r\nuint16(0x18) != 0x0040 and // Not a .NET assembly\r\n2 of ($ime*) and\r\n3 of ($exp*) and\r\n1 of ($rtti*) and\r\nfilesize > 500KB and filesize < 2MB\r\n}", "pattern_type": "yara", "valid_from": "2026-03-12T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d53d93f2-a5d7-461d-85b3-eac09c0b3ea8", "created": "2026-06-24T21:17:22.931579Z", "modified": "2026-06-24T21:17:22.931579Z", "name": "YARA Rule", "pattern": "rule Lazarus_Medusa_Gaze_Ransomware {\r\nmeta:\r\ndescription = \"Detects Lazarus-deployed Medusa ransomware (gaze.exe) via PDB path and XOR config\"\r\nauthor = \"Breakglass Intelligence\"\r\ndate = \"2026-03-09\"\r\ntlp = \"TLP:CLEAR\"\r\nseverity = \"CRITICAL\"\r\nreference = \"https://intel.breakglass.tech\"\r\nstrings:\r\n$pdb = \"G:\\\\Medusa\\\\Release\\\\gaze.pdb\" ascii\r\n$ransom_note = \"!!!READ_ME_MEDUSA\" ascii wide\r\n$xor_key = { 2E }\r\n$shadow1 = \"vssadmin Delete Shadows\" ascii wide nocase\r\n$shadow2 = \"vssadmin resize shadowstorage\" ascii wide nocase\r\n$bcrypt1 = \"BCryptImportKeyPair\" ascii\r\n$bcrypt2 = \"BCryptGenerateSymmetricKey\" ascii\r\n$bcrypt3 = \"BCryptEncrypt\" ascii\r\n$svc1 = \"Sophos\" ascii wide\r\n$svc2 = \"Veeam\" ascii wide\r\n$svc3 = \"McAfee\" ascii wide\r\n$svc4 = \"BackupExec\" ascii wide\r\ncondition:\r\nuint16(0) == 0x5A4D and\r\n($pdb or $ransom_note) and\r\n1 of ($shadow*) and\r\n2 of ($bcrypt*) and\r\n2 of ($svc*)\r\n}", "pattern_type": "yara", "valid_from": "2026-03-12T00:00:00Z" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b", "created": "2026-06-24T21:17:22.935452Z", "modified": "2026-06-24T21:17:22.935452Z", "name": "Lazarus" }, { "type": "report", "spec_version": "2.1", "id": "report--8a3cad19-d293-496b-96b2-aff1a0fe1a17", "created_by_ref": "identity--48edf75c-7cd8-480a-8950-deb15067ea29", "created": "2026-06-24T21:17:22.956312Z", "modified": "2026-06-24T21:17:22.956312Z", "name": "Lazarus Group Caught Running Medusa Ransomware: XOR-Decoded Config Exposes Tor C2, IME-Based Loader, and a 7-Month Intrusion Timeline", "published": "2026-03-12T00:00:00Z", "object_refs": [ "identity--48edf75c-7cd8-480a-8950-deb15067ea29", "file--ab2529dc-f6db-4b81-b72b-19be7c915b16", "file--13b0f504-bef2-41a7-803c-058c157ab840", "file--9fe82d2d-4042-44be-8e84-945fbbc4a110", "file--986a301f-d4a9-45ab-b285-0b5acde622ce", "file--76bf7257-8450-4e45-88e9-2027ad302853", "file--4e85cc68-639c-4d95-96cb-4628e8c9bebb", "file--5b04484e-03e5-4f83-8329-3b7f0be0d73d", "file--07cafdaf-80af-451d-a9c0-6cd1fe8a1179", "file--0ec10915-4e08-493d-adbd-94db204dd0ac", "file--f3d5a8ff-4fe5-40da-841e-5201bd326c32", "file--64e6bee8-2a9c-4810-8475-fc3c6b7c8e65", "url--7ccb5baa-be8a-47ee-9d78-2a355cb25895", "url--49185c3f-40e1-41e6-8ceb-a28a97ef1757", "url--b3451a0e-9b5c-417f-afbd-07e30f11e234", "url--c7d9f414-b93e-4c0d-a3bd-2e728bcfe8e2", "url--3142f674-e9d9-4ce5-b5ee-db8462028415", "domain-name--5b6fb480-571a-4f68-8c5c-279340e4a2c0", "domain-name--f24bb387-6eaf-4659-ad38-89b5867ec602", "domain-name--a886ed23-3dff-450d-8a23-37b773a4496a", "domain-name--43c3d288-4dbf-474a-ae89-885e736e1ab6", "domain-name--942e144f-ac98-4667-b9c6-0c689ae3a954", "file--ac84a187-527a-4bf1-a3bc-b69d9989ddcf", "indicator--3de6ba6d-4aee-4ad7-a210-c4bdf41f21e8", "indicator--e027cb3b-5abe-42bd-a640-e5cdc2bac778", "indicator--d53d93f2-a5d7-461d-85b3-eac09c0b3ea8", "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b" ], "external_references": [ { "source_name": "source", "url": "https://intel.breakglass.tech/post/lazarus-group-caught-running-medusa-ransomware-xor-decoded-config-exposes-tor-c2-ime-based-loader-and-a-7-month-intrusion-timeline" } ] } ] }