{ "type": "bundle", "id": "bundle--49aa7f92-0438-4cb3-ba59-341d9fd456af", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--703b0d0d-f70a-4de2-bff5-d252e8d966f9", "created": "2023-03-08T12:51:48.041368Z", "modified": "2025-01-30T02:20:08.905936Z", "name": "Google", "identity_class": "organization" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--80cf55ad-4ad4-4d3e-b442-87c68901a27a", "created": "2026-06-24T16:05:41.489578Z", "modified": "2026-06-24T16:05:41.489578Z", "name": "YARA Rule", "pattern": "rule G_Backdoor_WAVESHAPER_1 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\ndate_created = \"2025-11-03\"\r\ndate_modified = \"2025-11-03\"\r\nmd5 = \"c91725905b273e81e9cc6983a11c8d60\"\r\nrev = 1\r\nstrings:\r\n$str1 = \"mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)\"\r\n$str2 = \"/tmp/.%s\"\r\n$str3 = \"grep \\\"Install Succeeded\\\" /var/log/install.log | awk '{print $1, $2}'\"\r\n$str4 = \"sysctl -n hw.model\"\r\n$str5 = \"sysctl -n machdep.cpu.brand_string\"\r\n$str6 = \"sw_vers --ProductVersion\"\r\ncondition:\r\nall of them\r\n}", "pattern_type": "yara", "valid_from": "2026-02-10T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--e4e4684e-9079-4388-92f1-f85dcfeb93af", "hashes": { "MD5": "c91725905b273e81e9cc6983a11c8d60" } }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--bfe96fb7-998e-4ba2-a016-a5c0aa0ee292", "value": "mylingocoin.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--6e25855a-2d48-4f4d-8609-92aca37bf715", "value": "zmsupport.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--6ce3f74c-473e-43e5-a6f1-dc45638b07b2", "value": "dreamdie.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--0a8cd70c-821e-4329-8786-a1f3e84a6512", "value": "breakdream.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--1045fb89-1e7c-49bb-9236-4c7035c156be", "value": "supportzm.com" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dbbd9cf4-9b90-4e86-98f6-91db76ef795c", "created": "2026-06-24T16:05:41.49288Z", "modified": "2026-06-24T16:05:41.49288Z", "name": "YARA Rule", "pattern": "rule G_Datamine_CHROMEPUSH_1 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\ndate_created = \"2025-11-06\"\r\ndate_modified = \"2025-11-06\"\r\nrev = 1\r\nstrings:\r\n$s1 = \"%s/CA%02d%02d%02d%02d%02d%02d.dat\"\r\n$s2 = \"%s/tmpCA.dat\"\r\n$s3 = \"mouseStates\"\r\n$s4 = \"touch /Library/Caches/.evt_\"\r\n$s5 = \"cp -f\"\r\n$s6 = \"rm -rf\"\r\n$s7 = \"keylogs\"\r\n$s8 = \"%s/KL%02d%02d%02d%02d%02d%02d.dat\"\r\n$s9 = \"%s/tmpKL.dat\"\r\n$s10 = \"OK: Create data.js success\"\r\ncondition:\r\n(uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca or uint32(0) == 0xcafebabf or uint32(0) == 0xbfbafeca) and 8 of them\r\n}", "pattern_type": "yara", "valid_from": "2026-02-10T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--640be61e-704f-417b-91b1-b6c59cb56d65", "created": "2026-06-24T16:05:41.493491Z", "modified": "2026-06-24T16:05:41.493491Z", "name": "YARA Rule", "pattern": "rule G_Datamine_DEEPBREATH_1 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\nstrings:\r\n$sa1 = \"-fakedel\"\r\n$sa2 = \"-autodat\"\r\n$sa3 = \"-datadel\"\r\n$sa4 = \"-extdata\"\r\n$sa5 = \"TccClickJack\"\r\n$sb1 = \"com.apple.TCC\\\" as alias\"\r\n$sb2 = \"/TCC.db\\\" as alias\"\r\n$sc1 = \"/group.com.apple.notes\\\") as alias\"\r\n$sc2 = \".keepcoder.Telegram\\\")\"\r\n$sc3 = \"Support/Google/Chrome/\\\")\"\r\n$sc4 = \"Support/BraveSoftware/Brave-Browser/\\\")\"\r\n$sc5 = \"Support/Microsoft Edge/\\\")\"\r\n$sc6 = \"& \\\"/Local Extension Settings\\\"\"\r\n$sc7 = \"& \\\"/Cookies\\\"\"\r\n$sc8 = \"& \\\"/Login Data\\\"\"\r\n$sd1 = \"\\\"cp -rf \\\" & quoted form of \"\r\ncondition:\r\n(uint32(0) == 0xfeedfacf) and 2 of ($sa*) and 2 of ($sb*) and 3 of ($sc*) and 1 of ($sd*)\r\n}", "pattern_type": "yara", "valid_from": "2026-02-10T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--243acf8e-c9f2-47c7-91b8-f4b260840780", "created": "2026-06-24T16:05:41.494085Z", "modified": "2026-06-24T16:05:41.494085Z", "name": "YARA Rule", "pattern": "rule G_APTFIN_Downloader_SUGARLOADER_2 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\nstrings:\r\n$m1 = \"__mod_init_func\\x00lko2\\x00\"\r\n$m2 = \"__mod_term_func\\x00lko2\\x00\"\r\n$m3 = \"/usr/lib/libcurl.4.dylib\"\r\ncondition:\r\n(uint32(0) == 0xfeedface or uint32(0) == 0xfeedfacf or uint32(0) == 0xcefaedfe or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe) and (all of ($m1, $m2, $m3))\r\n}", "pattern_type": "yara", "valid_from": "2026-02-10T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ebe8f183-5a81-4eaa-8c40-6292e634b425", "created": "2026-06-24T16:05:41.49467Z", "modified": "2026-06-24T16:05:41.49467Z", "name": "YARA Rule", "pattern": "rule G_APTFIN_Downloader_SUGARLOADER_1 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\nmd5 = \"3712793d3847dd0962361aa528fa124c\"\r\ndate_created = \"2025/10/15\"\r\ndate_modified = \"2025/10/15\"\r\nrev = 1\r\nstrings:\r\n$ss1 = \"/Library/OSRecovery/com.apple.os.config\"\r\n$ss2 = \"/Library/Group Containers/OSRecovery\"\r\n$ss4 = \"_wolfssl_make_rng\"\r\ncondition:\r\nall of them\r\n}", "pattern_type": "yara", "valid_from": "2026-02-10T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b51b4676-6b57-4a3d-bde9-6571be7cd3f5", "created": "2026-06-24T16:05:41.495278Z", "modified": "2026-06-24T16:05:41.495278Z", "name": "YARA Rule", "pattern": "rule G_Backdoor_SILENCELIFT_1 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\nmd5 = \"4e4f2dfe143ba261fd8a18d1c4b58f2e\"\r\ndate_created = \"2025/10/23\"\r\ndate_modified = \"2025/10/28\"\r\nrev = 2\r\nstrings:\r\n$ss1 = \"/usr/libexec/PlistBuddy -c \\\"print :IOConsoleUsers:0:CGSSessionScreenIsLocked\\\" /dev/stdin 2>/dev/null <<< \\\"$(ioreg -n Root -d1 -a)\\\"\" ascii fullword\r\n$ss2 = \"pkill -CONT -f\" ascii fullword\r\n$ss3 = \"pkill -STOP -f\" ascii fullword\r\n$ss4 = \"/Library/Caches/.Logs.db\" ascii fullword\r\n$ss5 = \"/Library/Caches/.evt_\"\r\n$ss6 = \"{\\\"bot_id\\\":\\\"\"\r\n$ss7 = \"\\\", \\\"status\\\":\"\r\n$ss8 = \"/Library/Fonts/.analyzed\" ascii fullword\r\ncondition:\r\nall of them\r\n}", "pattern_type": "yara", "valid_from": "2026-02-10T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a2d054f5-665b-4524-acd4-4b403efbb5ca", "created": "2026-06-24T16:05:41.495871Z", "modified": "2026-06-24T16:05:41.495871Z", "name": "YARA Rule", "pattern": "rule G_Downloader_HYPERCALL_1 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\ndate_created = \"2025-10-24\"\r\ndate_modified = \"2025-10-24\"\r\nrev = 1\r\nstrings:\r\n$go_build = \"Go build ID:\"\r\n$go_inf = \"Go buildinf:\"\r\n$lib1 = \"/inject_mac/inject.go\"\r\n$lib2 = \"github.com/gorilla/websocket\"\r\n$func1 = \"t_loader/inject_mac.Inject\"\r\n$func2 = \"t_loader/common.rc4_decode\"\r\n$c1 = { 48 BF 00 AC 23 FC 06 00 00 00 0F 1F 00 E8 ?? ?? ?? ?? 48 8B 94 24 ?? ?? ?? ?? 48 8B 32 48 8B 52 ?? 48 8B 76 ?? 48 89 CF 48 89 D9 48 89 C3 48 89 D0 FF D6 }\r\n$c2 = { 48 89 D6 48 F7 EA 48 01 DA 48 01 CA 48 C1 FA 1A 48 C1 FE 3F 48 29 F2 48 69 D2 00 E1 F5 05 48 29 D3 48 8D 04 19 }\r\ncondition:\r\n(uint32(0) == 0xfeedface or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe) and all of ($go*) and any of ($lib*) and any of ($func*) and all of ($c*)\r\n}", "pattern_type": "yara", "valid_from": "2026-02-10T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--74c9b7d9-a580-4c87-8059-fc222c3ac7d6", "created": "2026-06-24T16:05:41.496443Z", "modified": "2026-06-24T16:05:41.496443Z", "name": "YARA Rule", "pattern": "rule G_Backdoor_WAVESHAPER_2 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\ndate_created = \"2025-11-03\"\r\ndate_modified = \"2025-11-03\"\r\nmd5 = \"eb7635f4836c9e0aa4c315b18b051cb5\"\r\nrev = 1\r\nstrings:\r\n$str1 = \"__Z10RunCommand\"\r\n$str2 = \"__Z11GenerateUID\"\r\n$str3 = \"__Z11GetResponse\"\r\n$str4 = \"__Z13WriteCallback\"\r\n$str5 = \"__Z14ProcessRequest\"\r\n$str6 = \"__Z14SaveAndExecute\"\r\n$str7 = \"__Z16MakeStatusString\"\r\n$str8 = \"__Z24GetCurrentExecutablePath\"\r\n$str9 = \"__Z7Execute\"\r\ncondition:\r\nall of them\r\n}", "pattern_type": "yara", "valid_from": "2026-02-10T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--bc1a6b80-03eb-4ec2-b436-a1b727275680", "hashes": { "MD5": "3712793d3847dd0962361aa528fa124c" } }, { "type": "file", "spec_version": "2.1", "id": "file--c17e855d-4d20-4764-8994-2709add01518", "hashes": { "MD5": "4e4f2dfe143ba261fd8a18d1c4b58f2e" } }, { "type": "file", "spec_version": "2.1", "id": "file--d1e45c69-1211-4705-a6da-3b964dde7edc", "hashes": { "MD5": "eb7635f4836c9e0aa4c315b18b051cb5" } }, { "type": "url", "spec_version": "2.1", "id": "url--8cb709a3-7485-492c-83fa-abcdac80caf5", "value": "http://mylingocoin.com/audio/fix/6454694440" }, { "type": "url", "spec_version": "2.1", "id": "url--9a77fcd0-2336-435c-8c27-5d2654fd7a1c", "value": "http://cmailer.pro:80/upload" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--a8575ee2-274a-4961-a245-81a9d2802e16", "value": "cmailer.pro" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--b1fc54ae-4fb3-5833-9e0f-4873d16620f8", "created": "2026-06-24T16:05:41.504132Z", "modified": "2026-06-24T16:05:41.504132Z", "name": "UNC1069" }, { "type": "report", "spec_version": "2.1", "id": "report--ca39ad4c-fda4-462f-b589-963e6def3c83", "created_by_ref": "identity--703b0d0d-f70a-4de2-bff5-d252e8d966f9", "created": "2026-06-24T16:05:41.508075Z", "modified": "2026-06-24T16:05:41.508075Z", "name": "UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering", "published": "2026-02-10T00:00:00Z", "object_refs": [ "identity--703b0d0d-f70a-4de2-bff5-d252e8d966f9", "indicator--80cf55ad-4ad4-4d3e-b442-87c68901a27a", "file--e4e4684e-9079-4388-92f1-f85dcfeb93af", "domain-name--bfe96fb7-998e-4ba2-a016-a5c0aa0ee292", "domain-name--6e25855a-2d48-4f4d-8609-92aca37bf715", "domain-name--6ce3f74c-473e-43e5-a6f1-dc45638b07b2", "domain-name--0a8cd70c-821e-4329-8786-a1f3e84a6512", "domain-name--1045fb89-1e7c-49bb-9236-4c7035c156be", "indicator--dbbd9cf4-9b90-4e86-98f6-91db76ef795c", "indicator--640be61e-704f-417b-91b1-b6c59cb56d65", "indicator--243acf8e-c9f2-47c7-91b8-f4b260840780", "indicator--ebe8f183-5a81-4eaa-8c40-6292e634b425", "indicator--b51b4676-6b57-4a3d-bde9-6571be7cd3f5", "indicator--a2d054f5-665b-4524-acd4-4b403efbb5ca", "indicator--74c9b7d9-a580-4c87-8059-fc222c3ac7d6", "file--bc1a6b80-03eb-4ec2-b436-a1b727275680", "file--c17e855d-4d20-4764-8994-2709add01518", "file--d1e45c69-1211-4705-a6da-3b964dde7edc", "url--8cb709a3-7485-492c-83fa-abcdac80caf5", "url--9a77fcd0-2336-435c-8c27-5d2654fd7a1c", "domain-name--a8575ee2-274a-4961-a245-81a9d2802e16", "threat-actor--b1fc54ae-4fb3-5833-9e0f-4873d16620f8" ], "external_references": [ { "source_name": "source", "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering" } ] } ] }