{
    "type": "bundle",
    "id": "bundle--4d7395fb-9f34-4b77-8c1d-f57301d9a466",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--703b0d0d-f70a-4de2-bff5-d252e8d966f9",
            "created": "2023-03-08T12:51:48.041368Z",
            "modified": "2025-01-30T02:20:08.905936Z",
            "name": "Google",
            "identity_class": "organization"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--9915c9bf-525f-4f00-a266-524e57912f79",
            "value": "sfrclak.com"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--e1c69ddd-9282-4fea-8b19-56289e7e718e",
            "hashes": {
                "SHA-256": "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09"
            }
        },
        {
            "type": "email-addr",
            "spec_version": "2.1",
            "id": "email-addr--80e7e8d8-7edf-47e2-af5e-d83f1479276b",
            "value": "ifstap@proton.me"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--15d803c1-f248-4623-af7b-f379f2a36962",
            "value": "http://sfrclak.com:8000/6202033"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--794180bf-52c3-45df-bf94-6810144b7a2f",
            "value": "142.11.206.73"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b3b95bf6-20c0-4805-b3fa-c3220a2c640c",
            "created": "2026-06-24T22:43:38.686863Z",
            "modified": "2026-06-24T22:43:38.686863Z",
            "name": "YARA Rule",
            "pattern": "rule G_Hunting_Downloader_SILKBELL_1\r\n{\r\nmeta:\r\ndescription = \"Detects the obfuscated version of the JS NPM supply chain downloader using Base64 obfuscation and custom XOR. Associated with WAVESHAPER.V2\"\r\nauthor = \"GTIG\"\r\nmd5 = \"7658962ae060a222c0058cd4e979bfa1\"\r\ndate_created = \"2026/03/31\"\r\ndate_modified = \"2026/03/31\"\r\nrev = 1\r\nplatforms = \"Any\"\r\nstrings:\r\n$ss1 = \"OrDeR_7077\" ascii wide fullword\r\n$ss2 = \"String.fromCharCode(S^a^333)\" ascii wide\r\n$ss3 = \"\\\"TE9DQUw^\\\".replaceAll(\\\"^\\\",\\\"=\\\")\" ascii wide\r\n$ss4 = \"\\\"UFM_\\\".replaceAll(\\\"_\\\",\\\"=\\\")\" ascii wide\r\n$ss5 = \"\\\"U0NSXw--\\\".replaceAll(\\\"-\\\",\\\"=\\\")\" ascii wide\r\n$ss6 = \"\\\"UFNfQg--\\\".replaceAll(\\\"-\\\",\\\"=\\\")\" ascii wide\r\n$ss7 = \"\\\"d2hlcmUgcG93ZXJzaGVsbA((\\\".replaceAll(\\\"(\\\",\\\"=\\\")\" ascii wide\r\ncondition:\r\nuint16(0) != 0x5A4D and filesize < 100KB and all of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2026-04-01T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d647cfb7-3e49-49b1-b6b8-e306ee614eda",
            "created": "2026-06-24T22:43:38.687774Z",
            "modified": "2026-06-24T22:43:38.687774Z",
            "name": "YARA Rule",
            "pattern": "rule G_Hunting_Downloader_suspected_UNC1069_PS_1\r\n{\r\nmeta:\r\ndescription = \"Detects PowerShell dropper associated with suspected UNC1069 and Axios npm package supply chain attack. Associated with WAVESHAPER.V2\"\r\nauthor = \"GTIG\"\r\nmd5 = \"089e2872016f75a5223b5e02c184dfec\"\r\ndate_created = \"2026/03/31\"\r\ndate_modified = \"2026/03/31\"\r\nrev = 1\r\nplatforms = \"Windows\"\r\nstrings:\r\n$ss1 = \"start /min powershell -w h\" ascii wide nocase\r\n$ss2 = \"[scriptblock]::Create([System.Text.Encoding]::UTF8.GetString\" ascii wide nocase\r\n$ss3 = \"Invoke-WebRequest -UseBasicParsing\" ascii wide nocase\r\n$ss4 = \"-Method POST -Body\" ascii wide nocase\r\n$ss5 = \"packages.npm.org/product1\" ascii wide nocase\r\ncondition:\r\nuint16(0) != 0x5A4D and filesize < 5KB and all of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2026-04-01T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--9e21548e-283a-41b8-b997-29bd5c4f7527",
            "hashes": {
                "MD5": "7658962ae060a222c0058cd4e979bfa1"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--19f50324-3aa1-4feb-9ffa-cff6ab7cd120",
            "hashes": {
                "MD5": "04e3073b3cd5c5bfcde6f575ecf6e8c1"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--34c248e0-4148-4dcc-ab9c-9f03aa4cc9cd",
            "hashes": {
                "MD5": "089e2872016f75a5223b5e02c184dfec"
            }
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--b1fc54ae-4fb3-5833-9e0f-4873d16620f8",
            "created": "2026-06-24T22:43:38.695168Z",
            "modified": "2026-06-24T22:43:38.695168Z",
            "name": "UNC1069"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--313452b6-1e9f-43e8-af27-c1c332ab842a",
            "created_by_ref": "identity--703b0d0d-f70a-4de2-bff5-d252e8d966f9",
            "created": "2026-06-24T22:43:38.700042Z",
            "modified": "2026-06-24T22:43:38.700042Z",
            "name": "North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack",
            "published": "2026-04-01T00:00:00Z",
            "object_refs": [
                "identity--703b0d0d-f70a-4de2-bff5-d252e8d966f9",
                "domain-name--9915c9bf-525f-4f00-a266-524e57912f79",
                "file--e1c69ddd-9282-4fea-8b19-56289e7e718e",
                "email-addr--80e7e8d8-7edf-47e2-af5e-d83f1479276b",
                "url--15d803c1-f248-4623-af7b-f379f2a36962",
                "ipv4-addr--794180bf-52c3-45df-bf94-6810144b7a2f",
                "indicator--b3b95bf6-20c0-4805-b3fa-c3220a2c640c",
                "indicator--d647cfb7-3e49-49b1-b6b8-e306ee614eda",
                "file--9e21548e-283a-41b8-b997-29bd5c4f7527",
                "file--19f50324-3aa1-4feb-9ffa-cff6ab7cd120",
                "file--34c248e0-4148-4dcc-ab9c-9f03aa4cc9cd",
                "threat-actor--b1fc54ae-4fb3-5833-9e0f-4873d16620f8"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package"
                }
            ]
        }
    ]
}