As usual, you will find IOCs and YARA rules on our blog post and on our GitHub repository.
harfanglab.io/insidethelab...
@aridjourney.bsky.social
Threat research at HarfangLab. Opinions are my own.
We found striking similarities with previously reported activity from UNC1151, sometimes referred to as UAC-0057, FrostyNeighbor or Ghostwriter.
20.08.2025 12:38
These downloaders attempt to retrieve next-stage malware from C2 URLs mimicking existing content and delivering JPEG image files.
An exception: some samples use a well-known cloud-hosted collaboration service for C2 communication.
Recently, our team at HarfangLab had a look at samples of archives containing weaponized XLS spreadsheets which drop C# and C++ downloaders, and which were likely intended to be delivered to targets in Ukraine and in Poland.
20.08.2025 12:38
New tunneling services timeline:
- 2025-04-24: lhr[.]life
- 2025-05-06: serveo[.]net, workers[.]dev
- 2025-06-11: euw.devtunnels[.]ms
Updated Yara rule alongside IoCs: github.com/HarfangLab/i...
For more information about PteroLNK, please refer to:
harfanglab.io/insidethelab...
New Infrastructure scripts:
:URLS → Scrapes Telegraph/Telegram for tunnel URLs → Appends .trycloudflare.com → stores in :URL ADS & registry
:IPS → Fetches IPs via Telegram, check-host[.]net, or ping to hardcoded C2 → stores in :IP ADS & registry
The updated downloader now features an improved multi-tier fallback: Registry keys → ADS → Telegraph/Teletype DDRs → hardcoded C2
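The :URLS resolver step and the tunneling-service list in this thread, reduced to something a defender can run. This is an added example, not HarfangLab's code and not the malware's: it rebuilds candidate C2 hosts from a dead-drop page by appending .trycloudflare.com to each label found there, and flags proxy-log destinations that sit under the tunneling services named above. The dead-drop label format (a bare hyphenated token), the proxy log layout and all sample data are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Tunneling/relay services named in the thread above. All of them have
# legitimate users, so a hit is a hunting lead, not a verdict.
TUNNEL_SUFFIXES = (
    "trycloudflare.com",
    "lhr.life",
    "serveo.net",
    "workers.dev",
    "devtunnels.ms",
)

# Assumption for illustration: the dead-drop page carries the tunnel label as a
# bare token with at least two hyphens (the thread only states that the resolver
# appends .trycloudflare.com to what it scrapes).
LABEL_RE = re.compile(r"(?<![\w.-])([a-z0-9]+(?:-[a-z0-9]+){2,})(?![\w.-])")


def reconstruct_tunnel_urls(ddr_text, suffix="trycloudflare.com"):
    """Emulate the resolver step: append the tunnel suffix to every label found
    on the dead-drop page to obtain the candidate C2 URLs."""
    return ["https://%s.%s/" % (label, suffix) for label in LABEL_RE.findall(ddr_text)]


def host_matches_tunnel(host):
    """True if host is one of the tunneling services or a subdomain of one.
    Compares on label boundaries so 'notserveo.net' does not match 'serveo.net'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES)


# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def flag_tunnel_hosts(log_lines):
    """Return (timestamp, client, host) for every log line whose destination
    sits under one of the tunneling services; malformed lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url = m.groups()
        host = urlparse(url).hostname or ""
        if host_matches_tunnel(host):
            hits.append((ts, client, host))
    return hits


# Constructed sample data (not taken from the report).
SAMPLE_DDR_PAGE = "latest update: crisp-monkey-cheese-data and plain text"
SAMPLE_LOGS = [
    "2025-06-12T08:01:00Z 10.0.0.5 GET https://crisp-monkey-cheese-data.trycloudflare.com/update.php",
    "2025-06-12T08:01:05Z 10.0.0.5 GET https://www.example.com/index.html",
    "2025-06-12T08:02:00Z 10.0.0.9 GET https://abc123.euw.devtunnels.ms/",
    "2025-06-12T08:03:00Z 10.0.0.9 GET https://notserveo.net/",
    "malformed line",
]

if __name__ == "__main__":
    for url in reconstruct_tunnel_urls(SAMPLE_DDR_PAGE):
        print("candidate C2:", url)
    for hit in flag_tunnel_hosts(SAMPLE_LOGS):
        print("tunnel contact:", hit)
```

The suffix check deliberately works on label boundaries rather than a substring search, and the resolver emulation only reproduces the "append .trycloudflare.com" step the thread describes; a real hunt would feed it the actual Telegraph/Telegram page content and compare the result against the published IoCs.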
The LNK dropper maintains core functionality with tweaked execution command.
The new modular malware structure: 4 VBS payloads written to ADS:
:SRV - Updated downloader
:LNK - LNK dropper
:URLS - DDR C2 URL retrieval
:IPS - DDR C2 IP retrieval/resolution
:GTR - Main orchestrator (self)
Following our recent #Gamaredon publication, the actor upgraded their PteroLNK malware and expanded infrastructure. Key changes:
- NTFS Alternative Data Streams (ADS) storage
- Randomized HTTP headers breaking network sigs
- Expanded tunneling services
- More robust DDR approach
Full technical report with IoCs and Yara rules below:
t.co/ycRyLK34H5
Our analysis covers the LNK parsing vulnerabilities, detailed XDigo malware analysis, a comprehensive infrastructure overview, and attribution linking current activity to historical XDSpy activities, including a previously unattributed 2023 operation.
16.06.2025 12:51
Through hunting and pivoting, we identified the likely payload: XDigo, XDSpy's Go-based malware deployed against a governmental target in Belarus. We also mapped additional infrastructure showing multiple connections and ties across past campaigns.
16.06.2025 12:51
Dropping new research - this time on recent #XDSpy operations. Out of hundreds of LNK files leveraging ZDI-CAN-25373, we isolated a tiny cluster using an additional LNK parsing trick, leading us to uncover a multi-stage infection chain actively targeting government entities.
16.06.2025 12:51