‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
2018-12-12 • McAfee
McAfee reported Operation Sharpshooter as a global campaign against nuclear, defense, energy, and financial organizations, with many observed Rising Sun infections in the United States and defense or government-related targets. The activity masqueraded as legitimate job recruitment and used weaponized documents or macros to download an in-memory next stage. Rising Sun gathered host and network intelligence and exfiltrated victim data to attacker C2; its framework reused source code from Lazarus Group's 2015 Duuzer backdoor, but McAfee warned the links could be false flags and did not make a final attribution. The report supports detection for multi-stage reconnaissance, remote access, and C2 patterns tied to job-themed payload delivery.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 31e79093d452426247a56ca0eff860b… | 2018-12-12 | 2018-12-12 |
| HASH | 9b0f22e129c73ce4c21be4122182f6d… | 2018-12-12 | 2018-12-12 |
| HASH | 66776c50bcc79bbcecdbe99960e6ee3… | 2018-12-12 | 2018-12-12 |
| HASH | 668b0df94c6d12ae86711ce24ce79db… | 2018-12-12 | 2018-12-12 |
| HASH | 8106a30bd35526bded384627d8eebce… | 2018-12-12 | 2018-12-12 |
| URL | http://www.dropbox.com/s/2shp23… | 2018-12-12 | 2018-12-12 |
| DOMAIN | kingkoil.com | 2018-12-12 | 2018-12-12 |
| IPv4 | 208.117.44.112 | 2018-12-12 | 2018-12-12 |
| IPv4 | 137.74.41.56 | 2018-12-12 | 2018-12-12 |
| IPv4 | 34.214.99.20 | 2018-12-12 | 2018-12-12 |
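The table above is only useful once it is turned into something that can be checked against telemetry. The script below is an added example (not code from the McAfee report or from this page) that parses the indicator table in the markdown form shown here, keeps only the complete DOMAIN and IPv4 values (the hashes and the URL are truncated on the page with "…" and cannot be matched exactly, so they are skipped), and runs the resulting lookup over a few constructed DNS, firewall and proxy log lines. The log formats and client addresses are invented for the example.

```python
import ipaddress
import re

# Indicator table copied from the page. Truncated values (ending in "…")
# are kept here on purpose so the parser demonstrates how it skips them.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 31e79093d452426247a56ca0eff860b… | 2018-12-12 | 2018-12-12 |
| URL | http://www.dropbox.com/s/2shp23… | 2018-12-12 | 2018-12-12 |
| DOMAIN | kingkoil.com | 2018-12-12 | 2018-12-12 |
| IPv4 | 208.117.44.112 | 2018-12-12 | 2018-12-12 |
| IPv4 | 137.74.41.56 | 2018-12-12 | 2018-12-12 |
| IPv4 | 34.214.99.20 | 2018-12-12 | 2018-12-12 |
"""

# Constructed sample log lines (not from the report): a DNS query, two
# firewall connection records and one proxy request.
SAMPLE_LOGS = [
    "2018-12-13T10:01:22Z dns client=10.0.0.5 query=www.kingkoil.com type=A",
    "2018-12-13T10:01:23Z fw action=allow src=10.0.0.5 dst=34.214.99.20 dport=443",
    "2018-12-13T10:02:00Z fw action=allow src=10.0.0.7 dst=8.8.8.8 dport=53",
    "2018-12-13T10:03:10Z proxy client=10.0.0.9 url=http://208.117.44.112/index.php status=200",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def parse_ioc_table(text):
    """Parse a markdown IoC table into {type: set(values)}.

    Header and separator rows are ignored; values truncated with "…" are
    dropped because they cannot be matched exactly; IPv4 values are validated.
    """
    iocs = {"DOMAIN": set(), "IPv4": set()}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue
        ioc_type, value = cells[0], cells[1]
        if value.endswith("…"):
            continue  # truncated on the page; skip rather than guess
        if ioc_type == "IPv4":
            ipaddress.ip_address(value)  # raises ValueError on garbage
        iocs.setdefault(ioc_type, set()).add(value.lower())
    return iocs


def scan_logs(lines, iocs):
    """Return (line_index, ioc_type, ioc_value) for every indicator hit.

    IPs must match exactly; hostnames match the listed domain or any
    subdomain of it (www.kingkoil.com hits kingkoil.com).
    """
    hits = []
    for idx, line in enumerate(lines):
        for ip in IP_RE.findall(line):
            if ip in iocs["IPv4"]:
                hits.append((idx, "IPv4", ip))
        for host in HOST_RE.findall(line):
            host = host.lower()
            for domain in iocs["DOMAIN"]:
                if host == domain or host.endswith("." + domain):
                    hits.append((idx, "DOMAIN", domain))
    return hits


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE))
    for idx, ioc_type, value in found:
        print(f"line {idx}: {ioc_type} {value} -> {SAMPLE_LOGS[idx]}")
```

Subdomain matching is deliberate: a C2 domain listed bare in a report is usually contacted through a host under it, and an exact-string comparison on the DNS query would miss it. The truncated hashes remain useful only as a prefix for a manual lookup in the original report, which is why the parser refuses to treat them as matchable indicators.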