{ "type": "bundle", "id": "bundle--7d489cc1-4e0e-477b-9779-16af28321f91", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--e87d30cc-f4d6-47d5-a43d-538bbe542cb5", "created": "2025-04-28T02:16:49.43836Z", "modified": "2025-04-28T02:18:13.400559Z", "name": "HISolutions", "identity_class": "organization" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--4419d2ab-2479-4718-a9e5-0d3e6bf6ddcf", "value": "api.ipify.org" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--df22b2e1-d080-4cb8-92ee-eb027f6849c7", "value": "n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion" }, { "type": "url", "spec_version": "2.1", "id": "url--2143c65a-cbf8-4ddb-8bc5-fdfbffe47351", "value": "https://api.ipify.org" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2db17cf7-8c85-495b-b0cf-c8e67ed5861d", "created": "2026-06-24T18:10:54.33627Z", "modified": "2026-06-24T18:10:54.33627Z", "name": "YARA Rule", "pattern": "rule tsunami_framework : apt {\r\nmeta:\r\nname = \"tsunami_framework\"\r\ncategory = \"framework\"\r\ndescription = \"Detects Tsunami-Framework\"\r\nauthor = \"Nicolas Sprenger (HiSolutions AG)\"\r\ncreated = \"2024-12-18\"\r\nreliability = 100\r\ntlp = \"TLP:clear\"\r\nsample = \"ab7608bc7af2c4cdf682d3bf065dd3043d7351ceadc8ff1d5231a21a3f2c6527\"\r\nscore = 100\r\nstrings:\r\n$ = \"=/\\x00a\\x00s\\x00s\\x00e\\x00t\\x00s\\x00/\\x00v\\x002\\x00/\\x00t\\x00s\\x00u\\x00n\\x00a\\x00m\\x00i\\x00-\\x00c\\x00l\\x00i\\x00e\\x00n\\x00t\\x00\"\r\n$ = \"/\\x00a\\x00p\\x00i\\x00/\\x00v\\x001\\x00/\\x00b\\x00r\\x00o\\x00w\\x00s\\x00e\\x00r\\x00-\\x00p\\x00a\\x00s\\x00s\\x00w\\x00o\\x00r\\x00d\\x00s\"\r\n$ =\r\n\"/\\x00a\\x00p\\x00i\\x00/\\x00v\\x001\\x00/\\x00i\\x00n\\x00i\\x00t\\x00\\x001/\\x00a\\x00p\\x00i\\x00/\\x00v\\x001\\x00/\\x00e\\x0\r\n0n\\x00v\\x00i\\x00r\\x00o\\x00n\\x00m\\x00e\\x00n\r\n\\x00t\\x00-\\x00i\\x00n\\x00f\\x00o\\x00\"\r\n$ = \"a\\x00p\\x00i\\x00/\\x00v\\x001\\x00/\\x00d\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00-\\x00a\\x00c\\x00c\\x00o\\x00u\\x00n\\x00t\\x00s\\x00\"\r\n$ = \"a\\x00s\\x00s\\x00e\\x00t\\x00s\\x00/\\x00v\\x002\\x00/\\x00d\\x00o\\x00t\\x00n\\x00e\\x00t\\x006\\x00-\\x00i\\x00n\\x00s\\x00t\\x00a\\x00l\\x00l\\x00e\\x00r\\x00-\r\n\\x00u\\x00r\\x00l\"\r\n$ = { 5473756E616D692E436F72652E436F6D6D6F6E2E }\r\n$ = { 680074007400700073003A002F002F006100700069002E00690070006900660079002E006F0072006700 } // \"https://api.ipify.org\"\r\n$ = { 68007400740070003A002F002F006900700069006E0066006F002E0069006F002F00 } // \"http://ipinfo.io/\"\r\ncondition:\r\nuint16(0) == 0x5a4d and all of them\r\n}", "pattern_type": "yara", "valid_from": "2025-04-25T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--d47ff3bf-28a6-4a0d-af5c-3750a3970c9f", "hashes": { "SHA-1": "5473756e616d692e436f72652e436f6d6d6f6e2e" } }, { "type": "file", "spec_version": "2.1", "id": "file--ea92178d-9d7f-4616-9e1b-e079416d502f", "hashes": { "SHA-256": "3769508daa5ee5955c7d0a5493b0a159e874745e575ac6ea1a5b544358132086" } }, { "type": "file", "spec_version": "2.1", "id": "file--b44f3fbf-ce67-4c6c-9c97-cdf672a17b45", "hashes": { "SHA-256": "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" } }, { "type": "file", "spec_version": "2.1", "id": "file--3ca5af74-76fa-428a-8ff7-6ed1947885c8", "hashes": { "SHA-256": "94186315edde9ab18d6772449bb0b33a37490c336fccbc81bc7a6b6b728232b1" } }, { "type": "file", "spec_version": "2.1", "id": "file--11ebcb3a-00a2-484b-8707-35adbd1d36e1", "hashes": { "SHA-256": "e9571e21150d7333bfada0ef836adad555547411a2b56990da632f64d0262ef8" } }, { "type": "file", "spec_version": "2.1", "id": "file--5e037a76-a11c-40bd-b178-0d645dc3fe96", "hashes": { "SHA-256": "a2ae1da09f7508ff34bd9acc672b3cf456e053bb46d4aa3cd283a7f263e37acb" } }, { "type": "file", "spec_version": "2.1", "id": "file--a0451fdc-c5bf-494c-aafc-388eff490cf0", "hashes": { "SHA-256": "b25e1a54e9c53bf6367c449be46f32241d1fd9bf76be9934d42c121105fb497d" } }, { "type": "file", "spec_version": "2.1", "id": "file--3f4b6748-b4f8-421d-b49e-dc6a7112c4c9", "hashes": { "SHA-256": "2883b1ae430003f3eff809f0461e18694ee1e2bc38c98f9eff22a50b5043a770" } }, { "type": "file", "spec_version": "2.1", "id": "file--520fde21-4fa2-4c39-bd76-c0ae4a5d57d9", "hashes": { "SHA-256": "bb3af0c03e6b0833fa268d98e5a8b19e78fb108a830b58b2ade50c57e9fc9bed" } }, { "type": "file", "spec_version": "2.1", "id": "file--2c95ed11-2598-4f22-bb2b-6f9fa0d25ca8", "hashes": { "SHA-256": "f96744a85419907e7c442b13beeefb6f985f3905a992dfefee03820ec6570fea" } }, { "type": "file", "spec_version": "2.1", "id": "file--9e81c4b9-d737-4ea9-988c-0f4f44d731b1", "hashes": { "SHA-256": "28660b81fd4898da3b9a861af716dc2ed60dd6a6eb582782e9d8451b1f257630" } }, { "type": "file", "spec_version": "2.1", "id": "file--5032b49b-21ab-4588-bf5e-0bd3947848ca", "hashes": { "SHA-256": "3f424b477ac16463e871726cbb106d41574d2d0e910dee035fbd23241515e770" } }, { "type": "url", "spec_version": "2.1", "id": "url--4b6c5f2e-6790-41d3-8154-61c111592b23", "value": "http://n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion" }, { "type": "url", "spec_version": "2.1", "id": "url--fc273f12-f324-4465-b77c-1c960c15a2e5", "value": "http://ipinfo.io/" }, { "type": "file", "spec_version": "2.1", "id": "file--f7a794d5-e756-4cd1-838f-2b6723a9c96e", "hashes": { "SHA-256": "ab7608bc7af2c4cdf682d3bf065dd3043d7351ceadc8ff1d5231a21a3f2c6527" } }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--9132ef0d-0c41-4b29-abd4-0ca6d2087157", "value": "23.254.229.101" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--517f1d6a-514b-592b-8216-43a310ad6d08", "created": "2026-06-24T18:10:54.34792Z", "modified": "2026-06-24T18:10:54.34792Z", "name": "ContagiousInterview" }, { "type": "report", "spec_version": "2.1", "id": "report--3113b067-5c88-4c7c-91df-190c0d168c7c", "created_by_ref": "identity--e87d30cc-f4d6-47d5-a43d-538bbe542cb5", "created": "2026-06-24T18:10:54.374808Z", "modified": "2026-06-24T18:10:54.374808Z", "name": "Rolling in the Deep(Web): Lazarus Tsunami", "published": "2025-04-25T00:00:00Z", "object_refs": [ "identity--e87d30cc-f4d6-47d5-a43d-538bbe542cb5", "domain-name--4419d2ab-2479-4718-a9e5-0d3e6bf6ddcf", "domain-name--df22b2e1-d080-4cb8-92ee-eb027f6849c7", "url--2143c65a-cbf8-4ddb-8bc5-fdfbffe47351", "indicator--2db17cf7-8c85-495b-b0cf-c8e67ed5861d", "file--d47ff3bf-28a6-4a0d-af5c-3750a3970c9f", "file--ea92178d-9d7f-4616-9e1b-e079416d502f", "file--b44f3fbf-ce67-4c6c-9c97-cdf672a17b45", "file--3ca5af74-76fa-428a-8ff7-6ed1947885c8", "file--11ebcb3a-00a2-484b-8707-35adbd1d36e1", "file--5e037a76-a11c-40bd-b178-0d645dc3fe96", "file--a0451fdc-c5bf-494c-aafc-388eff490cf0", "file--3f4b6748-b4f8-421d-b49e-dc6a7112c4c9", "file--520fde21-4fa2-4c39-bd76-c0ae4a5d57d9", "file--2c95ed11-2598-4f22-bb2b-6f9fa0d25ca8", "file--9e81c4b9-d737-4ea9-988c-0f4f44d731b1", "file--5032b49b-21ab-4588-bf5e-0bd3947848ca", "url--4b6c5f2e-6790-41d3-8154-61c111592b23", "url--fc273f12-f324-4465-b77c-1c960c15a2e5", "file--f7a794d5-e756-4cd1-838f-2b6723a9c96e", "ipv4-addr--9132ef0d-0c41-4b29-abd4-0ca6d2087157", "threat-actor--517f1d6a-514b-592b-8216-43a310ad6d08" ], "external_references": [ { "source_name": "source", "url": "https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/" } ] } ] }