{ "type": "bundle", "id": "bundle--894a7968-7d8a-4cfb-818e-2f0ad76ac147", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--8668d146-eeac-4e79-a044-f0e8f62445be", "created": "2023-03-08T12:51:46.256897Z", "modified": "2023-03-09T23:01:57.67829Z", "name": "ESET", "identity_class": "organization" }, { "type": "file", "spec_version": "2.1", "id": "file--9795d5c5-3400-4c0d-8f34-000f40dadf9c", "hashes": { "SHA-1": "bf84712c5314df2aa851b8d4356ea51a9ad50257" } }, { "type": "file", "spec_version": "2.1", "id": "file--3cf16d6f-309d-41dd-9633-efc7370e4e6a", "hashes": { "SHA-1": "77daf77d9d2a08cc22981c004689b870f74544b5" } }, { "type": "url", "spec_version": "2.1", "id": "url--2a31b32b-1856-4ec9-b224-0afe6b2bbb52", "value": "https://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion.ly/" }, { "type": "url", "spec_version": "2.1", "id": "url--3951b2fc-5fcf-4aff-a801-66a4325dc119", "value": "http://ubfofxonwdb32wpcmgmcpfos5tdskfizdft6j54l76x3nrwu2idaigid.onion/" }, { "type": "url", "spec_version": "2.1", "id": "url--e55bff1c-c78e-405f-a73d-905142805da7", "value": "http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--307529d7-d425-459d-9284-36151903ffe6", "value": "ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--15d0e3ed-801d-41f5-ad25-e6ce0f49e6dd", "value": "ubfofxonwdb32wpcmgmcpfos5tdskfizdft6j54l76x3nrwu2idaigid.onion" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--2e777299-0272-490b-acfa-5880b0efbe53", "value": "ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion.ly" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--441acdc1-9f93-4036-b006-b74f8eadb320", "value": "45.32.210.151" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5b9d8423-5156-422d-9263-10921ad50f44", "value": "92.243.64.200" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--938e1720-8dda-491c-a337-e74f18529f84", "value": "45.32.206.169" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--341f7e8b-3198-4ec0-9d9d-f903479729fe", "value": "1.2.0.1" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--3937cb8b-52a4-43f1-bf35-a92d326e21f1", "value": "149.154.158.222" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--2dc33388-9651-4c67-b936-08dcbc556637", "value": "130.185.75.198" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--7f6b573e-f324-445c-9691-f390e1b0add2", "value": "2.6.0.1" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--82249156-f8a4-499b-a2f9-38034ec50426", "value": "79.124.58.130" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--048f2cbd-3d3b-4753-a8b8-24d7952929b9", "value": "1.6.0.1" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--779b8f52-56c4-5aee-b87a-0e7e139d8eff", "created": "2026-06-24T21:11:12.506278Z", "modified": "2026-06-24T21:11:12.506278Z", "name": "Andariel" }, { "type": "report", "spec_version": "2.1", "id": "report--8f39aa34-a893-49e8-b7ca-646d1657bad8", "created_by_ref": "identity--8668d146-eeac-4e79-a044-f0e8f62445be", "created": "2026-06-24T21:11:12.508895Z", "modified": "2026-06-24T21:11:12.508895Z", "name": "Shifting the sands of RansomHub\u2019s EDRKillShifter", "published": "2025-03-26T00:00:00Z", "object_refs": [ "identity--8668d146-eeac-4e79-a044-f0e8f62445be", "file--9795d5c5-3400-4c0d-8f34-000f40dadf9c", "file--3cf16d6f-309d-41dd-9633-efc7370e4e6a", "url--2a31b32b-1856-4ec9-b224-0afe6b2bbb52", "url--3951b2fc-5fcf-4aff-a801-66a4325dc119", "url--e55bff1c-c78e-405f-a73d-905142805da7", "domain-name--307529d7-d425-459d-9284-36151903ffe6", "domain-name--15d0e3ed-801d-41f5-ad25-e6ce0f49e6dd", "domain-name--2e777299-0272-490b-acfa-5880b0efbe53", "ipv4-addr--441acdc1-9f93-4036-b006-b74f8eadb320", "ipv4-addr--5b9d8423-5156-422d-9263-10921ad50f44", "ipv4-addr--938e1720-8dda-491c-a337-e74f18529f84", "ipv4-addr--341f7e8b-3198-4ec0-9d9d-f903479729fe", "ipv4-addr--3937cb8b-52a4-43f1-bf35-a92d326e21f1", "ipv4-addr--2dc33388-9651-4c67-b936-08dcbc556637", "ipv4-addr--7f6b573e-f324-445c-9691-f390e1b0add2", "ipv4-addr--82249156-f8a4-499b-a2f9-38034ec50426", "ipv4-addr--048f2cbd-3d3b-4753-a8b8-24d7952929b9", "threat-actor--779b8f52-56c4-5aee-b87a-0e7e139d8eff" ], "external_references": [ { "source_name": "source", "url": "https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/" } ] } ] }