{
    "type": "bundle",
    "id": "bundle--d73a70cc-58dc-4251-8a98-11c12f2b7df8",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--e7b5e8a5-3766-4c1b-b7e3-122b0f2ad4f8",
            "created": "2025-01-05T23:52:51.250742Z",
            "modified": "2025-02-21T08:49:02.162004Z",
            "name": "PriyaPatel",
            "identity_class": "organization"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--23d7e3b2-63c7-451d-8b58-e1ec2f7eb812",
            "value": "trycloudflare.com"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--4ec55163-fdda-4a14-9008-e637299fef81",
            "hashes": {
                "SHA-256": "268640934dd1f0cfe3a3653221858851a33cbf49a71adfb4d54a04641df11547"
            }
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--10767494-29f4-467a-9e7b-be260f04783c",
            "created": "2026-06-24T20:57:05.13892Z",
            "modified": "2026-06-24T20:57:05.13892Z",
            "name": "YARA Rule",
            "pattern": "rule detect_sidecopy\r\n{\r\nmeta:\r\nauthor = \"Priya\"\r\ndescription = \"This rule detects a malicious LNK file used by SideCopy\"\r\nstrings:\r\n$cmd_args = /\\/c\\s*m\\^s\\^i\\^e\\^x\\^e\\^c\\.exe\\s*\\/q\\s*\\/i\\s*h\\^t\\^t\\^p\\^s\\^:\\^\\/\\^\\/\\^n\\^h\\^p\\^\\.\\^m\\^o\\^w\\^r\\^\\.\\^g\\^o\\^v\\^\\.\\^i\\^n\\^\\/\\^N\\^H\\^P\\^M\\^I\\^S\\^\\/\\^T\\^r\\^a\\^i\\^n\\^i\\^n\\^g\\^M\\^a\\^t\\^e\\^r\\^i\\^a\\^l\\^\\/\\^a\\^s\\^p\\^x\\^\\/\\^S\\^e\\^c\\^u\\^r\\^i\\^t\\^y\\^\\-\\^G\\^u\\^i\\^d\\^e\\^l\\^i\\^n\\^e\\^s\\^\\/\\^w\\^o\\^n\\^t\\^\\//i\r\ncondition:\r\n$cmd_args\r\n}",
            "pattern_type": "yara",
            "valid_from": "2025-02-21T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--71d3b797-1f6e-4533-a3b4-c5a2c2d68f26",
            "created": "2026-06-24T20:57:05.139632Z",
            "modified": "2026-06-24T20:57:05.139632Z",
            "name": "YARA Rule",
            "pattern": "rule hta_file\r\n{\r\nmeta:\r\nauthor = \"Priya\"\r\ndescription = \"This rule detects a malicious HTA file\"\r\nstrings:\r\n$url_name = \"trycloudflare\"\r\n$payload = \"shortlyqXW.tif\"\r\n$ip_add = \"102.237.232.209\"\r\n$login = \"https://passport.i.ua/login/?\"\r\ncondition:\r\n$url_name and $payload or $ip_add or $login\r\n}",
            "pattern_type": "yara",
            "valid_from": "2025-02-21T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8d6a166e-20f7-4cde-9cdb-81ed464ee549",
            "created": "2026-06-24T20:57:05.14026Z",
            "modified": "2026-06-24T20:57:05.14026Z",
            "name": "YARA Rule",
            "pattern": "rule detect_lnk\r\n{\r\nmeta:\r\nauthor = \"Priya\"\r\ndescription = \"This YARA rule detects a malicious LNK file\"\r\nstrings:\r\n$filename = \"d.ps1\"\r\n$filesize = \"0x1be8\"\r\n$susnname = \"jooyoung\"\r\ncondition:\r\nany 2 of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2025-02-21T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--1a03a796-3f16-404a-bb1b-f04dd1d20b7a",
            "created": "2026-06-24T20:57:05.140965Z",
            "modified": "2026-06-24T20:57:05.140965Z",
            "name": "YARA Rule",
            "pattern": "rule sidewinder\r\n{\r\nmeta:\r\nauthor = \"Priya\"\r\ndescription = \"This rule detects a malicious SideWinder payload\"\r\nstrings:\r\n$url_name = \"https://pubad-gov-lk.org-co.net/10472857/\"\r\n$rtf_name = \"Profile.rtf\"\r\ncondition:\r\n$url_name or $rtf_name\r\n}",
            "pattern_type": "yara",
            "valid_from": "2025-02-21T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--6f08d7bc-33c8-47f7-9fce-bc6e8cd18c7e",
            "hashes": {
                "SHA-256": "cc90bf946b495aec9133f6c970dc873977592277d003248361cfea1d0706c811"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--c4679f8e-16d9-417e-b582-9eb4b798eff5",
            "hashes": {
                "SHA-256": "95f5db1826819d8d61b85eec206ec6cba350ba3fd684941ae24fe363de1df2cb"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--2cfd0d3b-3c20-4435-8327-ec65599bad2f",
            "hashes": {
                "SHA-256": "541039d4eb67935884830657213991ba5da85f0650df6329c7153702a577a26a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--cba4ce47-422d-48d8-abc2-22870fce3233",
            "hashes": {
                "SHA-256": "47d77499968244911d0179fb858578de00dbb98079e33f5ed5d229d03eb04d67"
            }
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--ed63e25c-b09d-4b09-8a11-78466e2c67e1",
            "value": "https://louise-gzip-think-air.trycloudflare.com/OD/rotI7D/shortlyqXW.tif"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--fc8e8afc-ba76-4528-b326-8963133725a6",
            "value": "https://passport.i.ua/login/"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--b9e451fe-7cb8-4b89-862a-a5f70e8e4106",
            "value": "https://passport.i.ua/login/?"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--aa97c1c5-4382-42ae-9678-4a4171626412",
            "value": "https://pubad-gov-lk.org-co.net/10472857/Profile.rtf"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--69f65356-63e0-45f0-a46b-1821487f1622",
            "value": "louise-gzip-think-air.trycloudflare.com"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--94e45efa-c185-4a39-9130-3a38b2f1469e",
            "value": "102.237.232.209"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1",
            "created": "2026-06-24T20:57:05.149622Z",
            "modified": "2026-06-24T20:57:05.149622Z",
            "name": "Kimsuky"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--3c77c30e-26e0-4248-873b-c339e57b6f63",
            "created_by_ref": "identity--e7b5e8a5-3766-4c1b-b7e3-122b0f2ad4f8",
            "created": "2026-06-24T20:57:05.152601Z",
            "modified": "2026-06-24T20:57:05.152601Z",
            "name": "Looking into Initial Access Payloads by APT Groups",
            "published": "2025-02-21T00:00:00Z",
            "object_refs": [
                "identity--e7b5e8a5-3766-4c1b-b7e3-122b0f2ad4f8",
                "domain-name--23d7e3b2-63c7-451d-8b58-e1ec2f7eb812",
                "file--4ec55163-fdda-4a14-9008-e637299fef81",
                "indicator--10767494-29f4-467a-9e7b-be260f04783c",
                "indicator--71d3b797-1f6e-4533-a3b4-c5a2c2d68f26",
                "indicator--8d6a166e-20f7-4cde-9cdb-81ed464ee549",
                "indicator--1a03a796-3f16-404a-bb1b-f04dd1d20b7a",
                "file--6f08d7bc-33c8-47f7-9fce-bc6e8cd18c7e",
                "file--c4679f8e-16d9-417e-b582-9eb4b798eff5",
                "file--2cfd0d3b-3c20-4435-8327-ec65599bad2f",
                "file--cba4ce47-422d-48d8-abc2-22870fce3233",
                "url--ed63e25c-b09d-4b09-8a11-78466e2c67e1",
                "url--fc8e8afc-ba76-4528-b326-8963133725a6",
                "url--b9e451fe-7cb8-4b89-862a-a5f70e8e4106",
                "url--aa97c1c5-4382-42ae-9678-4a4171626412",
                "domain-name--69f65356-63e0-45f0-a46b-1821487f1622",
                "ipv4-addr--94e45efa-c185-4a39-9130-3a38b2f1469e",
                "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://prii308.github.io/Looking-into-Initial-Access-Payloads-by-APT-Groups/"
                }
            ]
        }
    ]
}