{
    "type": "bundle",
    "id": "bundle--e582fc9a-8c93-48b2-b1ca-16ac85fc90d2",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--6a16bd7d-6e00-43e6-baec-647912444b87",
            "created": "2023-07-02T07:40:27.587151Z",
            "modified": "2023-07-02T07:40:27.5872Z",
            "name": "UKNCSC",
            "identity_class": "organization"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--37d150e6-44d7-4903-b56d-d14b3e88dcd6",
            "hashes": {
                "SHA-256": "6c121f2b2efa6592c2c22b29218157ec9e63f385e7a1d7425857d603ddef8c59"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a18257f1-808d-4ceb-9d02-2df104c53bb1",
            "hashes": {
                "SHA-256": "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--2e6afb58-6238-4cc3-aeed-d95b8332679b",
            "hashes": {
                "SHA-256": "e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec"
            }
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--7bbf57a7-7525-420f-8f76-6cfcab5c1304",
            "value": "visualstudiofactory.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--0e4151c7-e343-4b9e-be74-b0b7253bd2de",
            "value": "akamaitechcloudservices.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--1261a3e1-65b9-48fc-995e-87aa055fe362",
            "value": "msedgepackageinfo.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--da81accb-0ce4-4da3-8990-28fc71882569",
            "value": "msstorageazure.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--c60b5916-fccb-4162-960f-84bc43606851",
            "value": "azureonlinestorage.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--5312488a-0968-4892-be2b-0fdf9904d1a3",
            "value": "zacharryblogs.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--c84f9e68-157d-4676-9d6c-c99bbd66b160",
            "value": "officestoragebox.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--845d879b-c10e-4300-8f74-c3c3db743cfb",
            "value": "pbxphonenetwork.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--dd084def-4e31-425a-a506-14ab670a4217",
            "value": "sourceslabs.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--8a5ae2ad-2984-42e1-9f92-6c6da70b7ff2",
            "value": "officeaddons.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--64bf44fb-e8c0-4489-91ee-1b825ed8a3a4",
            "value": "glcloudservice.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--bdb722f7-40ee-479b-90a9-7c1b2499583a",
            "value": "pbxcloudeservices.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--b1fbc5f9-cac3-49fc-8e32-3a2c1ddb65db",
            "value": "azuredeploystore.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--a48ec800-3909-4026-9391-567a8f5f7c84",
            "value": "pbxsources.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--76b49f68-671a-479e-a126-9cf5564ac27f",
            "value": "msstorageboxes.com"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--9740950d-39e8-46e8-9079-5e598b60f584",
            "value": "https://sbmsa.wiki/blog/_insert"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--b53aaf51-0e38-45b6-8f16-b7539699ac8e",
            "value": "sbmsa.wiki"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--417f6d82-fe2d-4a80-8f4f-e613c2567d29",
            "value": "https://akamaitechcloudservices.com/v2/fileapi"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--4a3f27b7-1123-4a7f-8cb1-a53442685bcd",
            "created": "2026-06-24T15:59:43.015592Z",
            "modified": "2026-06-24T15:59:43.015592Z",
            "name": "YARA Rule",
            "pattern": "rule Smooth_Operator_II {\r\nmeta:\r\nauthor = \"NCSC\"\r\ndescription = \"This rule identifies strings observed in the second stage of Smooth Operator.\"\r\ndate = \"2023-06-29\"\r\nhash1 = \"9e9a5f8d86356796162cee881c843cde9eaedfb3\"\r\nstrings:\r\n$ = \"3cx_auth_id=%s;3cx_auth_token_content=%s;__tutma=true\"\r\n$ = \"AccountName\\\":\"\r\n$ = \"url\\\": \\\"https://\"\r\n$ = \"%s/Library/Application Support/3CX Desktop App/.main_storage\"\r\n$ = \"%s/Library/Application Support/3CX Desktop App/config.json\"\r\n$ = \"read_config\"\r\n$ = \"enc_text\"\r\n$ = \"send_post\"\r\n$ = \"parse_json_config\"\r\ncondition:\r\n((uint32(0) == 0xFEEDFACF) or (uint32(0) == 0xFEEDFACE) or\r\n(uint32(0) == 0xCAFEBABE) or (uint32(0) == 0xCAFEBABF)) and 5 of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-06-29T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--24a9ef78-1d1c-4a0d-b28f-18353b859ef4",
            "created": "2026-06-24T15:59:43.016271Z",
            "modified": "2026-06-24T15:59:43.016271Z",
            "name": "YARA Rule",
            "pattern": "rule Smooth_Operator_Sleeps {\r\nmeta:\r\nauthor = \"NCSC\"\r\ndescription = \"This rule identifies algorithms used by the malware developer to generate random time values in Smooth Operator.\"\r\ndate = \"2023-06-29\"\r\nhash1 = \"769383fc65d1386dd141c960c9970114547da0c2\"\r\nstrings:\r\n$ =\r\n{E8[4]E8[4]89C14869C93FC5254348C1E9246BC93D29C86BE83C81C5100E0000B80F0000\r\n00} // between beacon time generation\r\n$ = {E8[4]E8[4]89C1490FAFCE48C1E9238D0C898D0C4929C8} // C2 index\r\n$ =\r\n{89E8D1E841BE932449924C0FAFF049C1EE224489F0C1E0044489F129C14101EE4101CE48\r\n8DBC24[4]4C892FE8} // initial sleep\r\ncondition:\r\n((uint32(0) == 0xFEEDFACF) or (uint32(0) == 0xFEEDFACE) or\r\n(uint32(0) == 0xCAFEBABE) or (uint32(0) == 0xCAFEBABF)) and any of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-06-29T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--3a132c09-253b-4edd-a78d-cce5cc613fd6",
            "created": "2026-06-24T15:59:43.016908Z",
            "modified": "2026-06-24T15:59:43.016908Z",
            "name": "YARA Rule",
            "pattern": "rule Smooth_Operator_C2_codes {\r\nmeta:\r\nauthor = \"NCSC\"\r\ndescription = \"This rule identifies sections of code which are responsible for parsing tasking command codes in Smooth Operator.\"\r\ndate = \"2023-06-29\"\r\nhash1 = \"769383fc65d1386dd141c960c9970114547da0c2\"\r\nstrings:\r\n$ = {80340F7A48FFC14839C8} // XOR deobfuscate tasking\r\n$ = {8B073D4938000074??3D018000008B4C24??0F[3-6]3D01900000} // C2 codes\r\ncondition:\r\n((uint32(0) == 0xFEEDFACF) or (uint32(0) == 0xFEEDFACE) or\r\n(uint32(0) == 0xCAFEBABE) or (uint32(0) == 0xCAFEBABF)) and all of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-06-29T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--77c7faaa-c509-408f-a27f-4cdb35fcf964",
            "created": "2026-06-24T15:59:43.017499Z",
            "modified": "2026-06-24T15:59:43.017499Z",
            "name": "YARA Rule",
            "pattern": "rule Smooth_Operator_Strings {\r\nmeta:\r\nauthor = \"NCSC\"\r\ndescription = \"This rule identifies broader functionality across Smooth Operator, identifying strings observed throughout.\"\r\ndate = \"2023-06-29\"\r\nhash1 = \"769383fc65d1386dd141c960c9970114547da0c2\"\r\nstrings:\r\n$ = {80 [2] 7A 48 FF C0 48 83 F8 38} // .main_storage XOR loop\r\n$ = \"<key>ProductVersion</key>\"\r\n$ = \".session-lock\"\r\n$ = \"%s/.main_storage\"\r\n$ = \"%s/UpdateAgent\"\r\n$ =\r\n{3715001316161B554F544A5A522D13141E150D095A342E5A4B4A544A415A2D13144C4E41\r\n5A024C4E535A3B0A0A161F2D1F1831130E554F494D54494C5A5231322E3736565A1613111F5A3D1F191115535A39120815171F554B4A42544A544F494F43544B48425A291B1C1B0813\r\n554F494D54494C} // XOR'd UA\r\n$ = {B02D[0-8]88470888470D884712884717C6472400} // victim ID generation\r\ncondition:\r\n((uint32(0) == 0xFEEDFACF) or (uint32(0) == 0xFEEDFACE) or\r\n(uint32(0) == 0xCAFEBABE) or (uint32(0) == 0xCAFEBABF)) and 4 of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-06-29T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b0dcc682-7e55-4eed-a728-d4b094141e6d",
            "created": "2026-06-24T15:59:43.018079Z",
            "modified": "2026-06-24T15:59:43.018079Z",
            "name": "YARA Rule",
            "pattern": "rule Smooth_Operator_Obfuscation_2 {\r\nmeta:\r\nauthor = \"NCSC\"\r\ndescription = \"This rule identifies unique code sections in the C2 string obfuscation algorithm.\"\r\ndate = \"2023-06-29\"\r\nhash1 = \"769383fc65d1386dd141c960c9970114547da0c2\"\r\nhash2 = \"9e9a5f8d86356796162cee881c843cde9eaedfb3\"\r\nstrings:\r\n$a_1 = {4869C8616060604889CA48C1EA3F48C1F92501D16BC95529C8[03]83F807}\r\n$b_1 = {438D1C24F7DB41F7DC} // neg\r\n$b_2 = {478D3C3641F7DF41F7DE} // neg\r\ncondition:\r\n((uint32(0) == 0xFEEDFACF) or (uint32(0) == 0xFEEDFACE) or\r\n(uint32(0) == 0xCAFEBABE) or (uint32(0) == 0xCAFEBABF)) and any of ($b*)\r\nand $a_1\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-06-29T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5382b32b-dd80-4d8c-a06c-65d526052c0f",
            "created": "2026-06-24T15:59:43.018662Z",
            "modified": "2026-06-24T15:59:43.018662Z",
            "name": "YARA Rule",
            "pattern": "rule Smooth_Operator_Obfuscation {\r\nmeta:\r\nauthor = \"NCSC\"\r\ndescription = \"This rule identifies unique strings and code present in the C2 string obfuscation code of Smooth Operator.\"\r\ndate = \"2023-06-29\"\r\nhash1 = \"769383fc65d1386dd141c960c9970114547da0c2\"\r\nhash2 = \"9e9a5f8d86356796162cee881c843cde9eaedfb3\"\r\nstrings:\r\n$ = {48 69 ?? 61 60 60 60 48 89 ?? 48 C1 EA 3F 48 C1 ?? 25 01\r\n?? 6B ?? 55}\r\n$ = \"!#$%&()*+.0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]_abcdefghi\"\r\n$ = {3E00C7[5-6]26706572} // &per\r\n$ = {3E00C7[5-6]26646F6C} // &dol\r\n$ = {75733E00C7[5-6]26706C75} // &plus\r\n$ = {6D693E00C7[5-6]2673656D} // &semi\r\ncondition:\r\n((uint32(0) == 0xFEEDFACF) or (uint32(0) == 0xFEEDFACE) or\r\n(uint32(0) == 0xCAFEBABE) or (uint32(0) == 0xCAFEBABF)) and all of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-06-29T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--aad6da30-2c53-4b08-a82f-718518ed1bfd",
            "hashes": {
                "MD5": "5faf36ca90f6406a78124f538a03387a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--162c31bd-4605-4a0c-8bb1-20b2e4621503",
            "hashes": {
                "MD5": "88470888470d884712884717c6472400"
            }
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--8beac1be-401f-4912-8af8-ff22b63579c1",
            "value": "https://pbxcloudeservices.com/network"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--1e740260-2492-4b5c-8c8a-4c9c24420718",
            "value": "https://officeaddons.com/quality"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5d7fe206-ef0d-401d-84b9-71af666c1a77",
            "value": "https://msstorageboxes.com/xbox"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--ddedd133-0e39-47d1-bd5c-74227ec16fea",
            "value": "https://officestoragebox.com/api/biosync"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--03672c42-3ac8-4df0-a4ca-04dc61fc5f4a",
            "value": "https://azuredeploystore.com/cloud/images"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--f5263688-b8f6-44c6-9400-e11e01761c52",
            "value": "https://azureonlinestorage.com/google/storage"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--9071419d-acee-45df-8f1e-5ae987a168e0",
            "value": "https://msedgepackageinfo.com/ms-webview"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--efc38819-4c23-4175-93ca-8f488b2d0654",
            "value": "https://pbxphonenetwork.com/phone"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--7bf934b8-3ba1-41bf-9cf9-5dfee3686a4e",
            "value": "https://glcloudservice.com/v1/status"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--1b741b7d-9bac-45b6-b8a3-1ac7e38e6fb3",
            "value": "https://msstorageazure.com/analysis"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--45144aab-e819-4d89-9482-b83a7227475a",
            "value": "https://visualstudiofactory.com/groupcore"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--7fcf02dc-198d-4669-b41b-871dfce782c4",
            "value": "https://sourceslabs.com/status"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--5b2d32e9-aba3-46d3-b56c-392ff876ce97",
            "value": "https://zacharryblogs.com/xmlquery"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--8c4c915f-10fd-400f-ad49-9e0772ce9103",
            "hashes": {
                "SHA-1": "9e9a5f8d86356796162cee881c843cde9eaedfb3"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--01574dac-db42-4c08-8303-044ee8491f12",
            "hashes": {
                "MD5": "d5101c3b86d973a848ab7ed79cd11e5a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--743e5262-0a76-41f8-8ae9-71b63c8ed1cf",
            "hashes": {
                "MD5": "660ea9b8205fbd2da59fefd26ae5115c"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--9dab5c41-660c-4722-afa2-646c8b85db8b",
            "hashes": {
                "SHA-1": "769383fc65d1386dd141c960c9970114547da0c2"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--1cf16b01-cad8-4973-a281-a037967aa8fa",
            "hashes": {
                "SHA-1": "3dc840d32ce86cebf657b17cef62814646ba8e98"
            }
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--b3deb8d1-23da-4e42-82ae-89610460679a",
            "value": "https://pbxsources.com/queue"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--d214d7ac-9687-4f88-b127-a7170ce7244b",
            "created_by_ref": "identity--6a16bd7d-6e00-43e6-baec-647912444b87",
            "created": "2026-06-24T15:59:43.044846Z",
            "modified": "2026-06-24T15:59:43.044846Z",
            "name": "Smooth Operator",
            "published": "2023-06-29T00:00:00Z",
            "object_refs": [
                "identity--6a16bd7d-6e00-43e6-baec-647912444b87",
                "file--37d150e6-44d7-4903-b56d-d14b3e88dcd6",
                "file--a18257f1-808d-4ceb-9d02-2df104c53bb1",
                "file--2e6afb58-6238-4cc3-aeed-d95b8332679b",
                "domain-name--7bbf57a7-7525-420f-8f76-6cfcab5c1304",
                "domain-name--0e4151c7-e343-4b9e-be74-b0b7253bd2de",
                "domain-name--1261a3e1-65b9-48fc-995e-87aa055fe362",
                "domain-name--da81accb-0ce4-4da3-8990-28fc71882569",
                "domain-name--c60b5916-fccb-4162-960f-84bc43606851",
                "domain-name--5312488a-0968-4892-be2b-0fdf9904d1a3",
                "domain-name--c84f9e68-157d-4676-9d6c-c99bbd66b160",
                "domain-name--845d879b-c10e-4300-8f74-c3c3db743cfb",
                "domain-name--dd084def-4e31-425a-a506-14ab670a4217",
                "domain-name--8a5ae2ad-2984-42e1-9f92-6c6da70b7ff2",
                "domain-name--64bf44fb-e8c0-4489-91ee-1b825ed8a3a4",
                "domain-name--bdb722f7-40ee-479b-90a9-7c1b2499583a",
                "domain-name--b1fbc5f9-cac3-49fc-8e32-3a2c1ddb65db",
                "domain-name--a48ec800-3909-4026-9391-567a8f5f7c84",
                "domain-name--76b49f68-671a-479e-a126-9cf5564ac27f",
                "url--9740950d-39e8-46e8-9079-5e598b60f584",
                "domain-name--b53aaf51-0e38-45b6-8f16-b7539699ac8e",
                "url--417f6d82-fe2d-4a80-8f4f-e613c2567d29",
                "indicator--4a3f27b7-1123-4a7f-8cb1-a53442685bcd",
                "indicator--24a9ef78-1d1c-4a0d-b28f-18353b859ef4",
                "indicator--3a132c09-253b-4edd-a78d-cce5cc613fd6",
                "indicator--77c7faaa-c509-408f-a27f-4cdb35fcf964",
                "indicator--b0dcc682-7e55-4eed-a728-d4b094141e6d",
                "indicator--5382b32b-dd80-4d8c-a06c-65d526052c0f",
                "file--aad6da30-2c53-4b08-a82f-718518ed1bfd",
                "file--162c31bd-4605-4a0c-8bb1-20b2e4621503",
                "url--8beac1be-401f-4912-8af8-ff22b63579c1",
                "url--1e740260-2492-4b5c-8c8a-4c9c24420718",
                "url--5d7fe206-ef0d-401d-84b9-71af666c1a77",
                "url--ddedd133-0e39-47d1-bd5c-74227ec16fea",
                "url--03672c42-3ac8-4df0-a4ca-04dc61fc5f4a",
                "url--f5263688-b8f6-44c6-9400-e11e01761c52",
                "url--9071419d-acee-45df-8f1e-5ae987a168e0",
                "url--efc38819-4c23-4175-93ca-8f488b2d0654",
                "url--7bf934b8-3ba1-41bf-9cf9-5dfee3686a4e",
                "url--1b741b7d-9bac-45b6-b8a3-1ac7e38e6fb3",
                "url--45144aab-e819-4d89-9482-b83a7227475a",
                "url--7fcf02dc-198d-4669-b41b-871dfce782c4",
                "url--5b2d32e9-aba3-46d3-b56c-392ff876ce97",
                "file--8c4c915f-10fd-400f-ad49-9e0772ce9103",
                "file--01574dac-db42-4c08-8303-044ee8491f12",
                "file--743e5262-0a76-41f8-8ae9-71b63c8ed1cf",
                "file--9dab5c41-660c-4722-afa2-646c8b85db8b",
                "file--1cf16b01-cad8-4973-a281-a037967aa8fa",
                "url--b3deb8d1-23da-4e42-82ae-89610460679a"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/smooth-operator/NCSC_MAR-Smooth-Operator.pdf"
                }
            ]
        }
    ]
}