diff --git a/STX-RAT/readme.md b/STX-RAT/20260505_stx-rat_campaigns.md similarity index 96% rename from STX-RAT/readme.md rename to STX-RAT/20260505_stx-rat_campaigns.md index 6fb1580..44a1ef8 100644 --- a/STX-RAT/readme.md +++ b/STX-RAT/20260505_stx-rat_campaigns.md 
@@ -1,21 +1,30 @@ ๐Ÿงต Since March 2026, Orange Cyberdefense has been tracking a malware delivery cluster linking a fake FileZilla campaign with other software-themed lures, including LibreOffice and Google Drive Setup, as well as a ClickFix-based one. -Our investigation identified overlaps across these campaigns, and related samples were later publicly identified as STX RAT. #CTI #ThreatIntel #STXRAT +Our investigation identified overlaps across these campaigns, and related samples were later publicly identified as STX RAT. + +#CTI #ThreatIntel #STXRAT + 1/ Our investigation started from the publicly documented FileZilla campaign, which used a fake FileZilla website to distribute trojanized FileZilla 3.69.5 packages. The campaign used two delivery variants: a portable archive containing the legitimate FileZilla package plus a malicious version.dll a single EXE installer dropping the same DLL during installation In both cases, filezilla.exe sideloaded the DLL and triggered a staged infection chain that ultimately delivered a RAT. + 2/ We identified overlaps with: a malvertising chain using VBS lures impersonating Google Drive or LibreOffice a ClickFix lure reported by a private source These branches were supported by shared infrastructure and staging patterns. + 3/ Key overlap points included infrastructure involving supp0v3[.]com, cdn0v3[.]com, and 147.45.178[.]61, multiple pages[.]dev staging hosts, and similar callback / tracking logic observed across the linked chains. + 4/ In the FileZilla branch, the sideloaded loader performed anti-analysis and anti-virtualization checks, resolved C2 via DNS-over-HTTPS, and used callback logic with tracking parameters. In the overlapping script-based activity we tracked, VBS / PowerShell stages and TAR-delivered components (1.bin and 2.txt) led to in-memory payload execution. 
+ 5/ Separately, eSentire later described a related script-based branch involving VBScript โ†’ JScript โ†’ TAR (1.bin + 2.txt) โ†’ PowerShell, which is consistent with the broader staging logic we observed across the cluster. At the malware level, STX RAT is a Windows RAT with infostealer and HVNC capabilities. It uses a custom multi-stage unpacking chain, communicates over a proprietary TCP-based protocol with both clearweb and Tor fallback, and exposes broad post-exploitation functionality. Notably, credential theft is only activated after successful C2 interaction. + 6/ Bottom line: different lures, similar staging, same malware outcome. + 7/ We published a full advisory for our customers on the infection chain, overlaps, and malware analysis. Related IoCs are also available in this public GitHub repository. diff --git a/STX-RAT/iocs b/STX-RAT/iocs new file mode 100644 index 0000000..5574f6b --- /dev/null +++ b/STX-RAT/iocs 
@@ -0,0 +1,84 @@ + +Domains +filezilla-project[.]live +welcome[.]supp0v3[.]com +supp0v3[.]com +api[.]cdn0v3[.]com +cdn0v3[.]com +appna[.]org + +Related staging hosts +gateway9[.]pages[.]dev +starbytes[.]pages[.]dev +webdata[.]pages[.]dev +spaceoddity[.]pages[.]dev +cassiopeia[.]pages[.]dev +gate2[.]pages[.]dev +world24[.]pages[.]dev +qwen1[.]pages[.]dev +los-santos[.]pages[.]dev +edge25[.]pages[.]dev +webarchives[.]pages[.]dev + +IPs +147.45.178.61 +176.65.144.46 +176.65.144.84 +94.156.119.71 +95.216.51.236 + +Observed callback / staging URLs +hxxps://104[.]21[.]63[.]112/d/callback (NB: may not work) +hxxps://172[.]67[.]145[.]101/d/callback (NB: may not work) +hxxps://welcome[.]supp0v3[.]com/d/callback?utm_tag=tbs2&utm_source=dll +hxxps://gateway9[.]pages[.]dev/tom.tar + +---------- +SHA256 +080cd8cb1611d17f12543ee490d192b12d78335be6ca07979c101e29af224842 +0a60ccf29f89019b1eebbbb8ad9bf0302dba399a26a62449078dda919bbd247b +0e9c8e5ce94641e0b07607647a55c162adb18048f9c1e1e3dbe859cd08b2a797 +2b0d8c8e86dd372b44b99f8be4e4a7cbbfe5ce78bc10b714fc0735c15b7ddb32 +3074a18a349d7e8022fbbdcfc059b7b729862488f1e23adcfe634bb94535fd61 +3511e2bb89f64555acdef3b486717fd517f500c8c630e02e9c6fa0ac5bed8950 +3763b9e6eeb9a18875c45ba7d1a4f9fbfd6e80d1aea434e88ad99ee5b1bbd790 +4be7371837f4af0e9cb8410fa343db66869e7b4dce4343fec17d2d31f2a675aa +51a16ca0535bd7002f540bbfd6ab041d998550ac0a5887824d03534c0a9b3800 +52862b538459c8faaf89cf2b5d79c2f0030f79f80a68f93d65ec91f046f05be6 +58460f8009df7ca5d2a9b2e9346d940388472cd4cd808ac6c797942824bde299 +5c37b35929dac5c640d1d14e6dc74009c5072536d7fbe0c58822bf2387a8a22d +64adf1715483f63fc47283393f89857f0545a45d9e7382417189b5084d19c37b +66a155f6672fbbb041cb754c143db91b30084f98e9102c280ba95ffda156123b +77eea991e5c11da46e10c208fb8920a08a9bbdd8ffd72d0d6548fd8e45aa4647 +799b29f409578c79639c37ea4c676475fd88f55251af28eb49f8199b904a51f3 +7d87381f16670c200602c1fee0f7d7f602c56a6b013a6dca0eb21b472d33358b +8134c4f9d4e51993d28855a39102fe735b6e8e41a3952d40c6086bfc2d309564 
+84c2f3b13f5251cf87d1a2c95ac7ca111238f61d56358b2c4228c84ef9ed1ae7 +8a6c39f97fb86a4ff9dc9226fa8b3445c5fe123abab532ea6afb9be2608780e1 +8b28c0568baa7da10200a012a70ff735ccec557678a40d1b3fb16f5c0a31f6b7 +8f7116cfefa56af3e84d57938a537d8929fdcb1859a52ce04ecf7f06d9776827 +a1ac7046e99181fe46edd62c00ca53602e7cd4430365307d0b3a47ddd1e9e670 +a2d703265d61b78837e86527aa2e31994a934c72b6c073db0c4d9c0c59a4e401 +a57683ae49dd24256dab0dd21ca83c4a08892fda92e83206447380a2b6c80221 +aab1f1bdba7083a25d7c841cd2dc3588cc0f3e28e29260bea5c2fd5b033697fb +abd003ab1172cda83731dbe76d20a43c35a452d683d628a4e59eac8aadc68ffa +ac97a49e17bf2a315205a30cf39a68c264b1dc4395b88e3997ec506c778159b0 +af7a76820a42c4cadfc7ff5fd372c99e9c5fd96ee9d14e07bde0902fec1881ab +b3f21d0843fa7106b466c590c97b1b8b201a79ae82ed46b46d2422dd252d7836 +b59ac3088a58ebafdcdf00a5597c0de156de667d498bb8eccdaad5c8ba380e99 +b7d64d6a9c641855f400949c8c000e1b53b9355fbe3663e41f01e4b80f8eab60 +c4a5223bcf57b32e036c33c4d0e41aa44ff3eb4632c2fb4ed9c9bd593a04c3ee +ca3bd6f8f4c8170c60896493b0bbfc4629bf94a3d0c5bd3f32397e869e98fb3d +cdbb7a02b788551c05f41dcf29ced9a491a7053c076030e06344475291b2a8dc +d122d6c2ccc69594bbfbca82315aa0803b3b93972a6ab83699797812b35d9679 +d32455fc430ffc13e8a89db9198f17184fd27001fc11a7e9531d6055932853db +da65c30f4dee13d3c85c6a31386018d101d635e28eeb65ac73699787fecc20e0 +e07170d478b9e40563460afa916c382933e69dccaed90a84d6dffdf7c5e6d70f +e1fcba044cb9814cac21d08793a32c0a08446bc7692724de411d81d069dd4414 +e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4 +e8704a875928cfa2aed7292ad4b83600fc7688716de2e25effc413f2a6d35853 +f04b0c3a53e3af7699c30ab9adb4d60a71a7da6945cf0ae287a9f67675433a67 +f431ff7bc59df48c137ef63839a5a2af520e0d3b28429468398e3b291f30d1e6 +f4fef313428f7524378233c3740a8449e1f0b987b1aab9ba7e7fd7f6bfcf0731 +f74d052337110c6282f4d9738263b89056d0c89d131b329d5d4e3189b67206ae +f81e14ac7309019208529599a848c2287789f0ccbcd2f7609e9f239f52376763 \ No newline at end of file
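Review bot: in the renamed write-up, the `7/` paragraph tells readers that IoCs are "available in this public GitHub repository" but gives no path, even though this same commit adds `STX-RAT/iocs`; link the file directly (e.g. `[STX-RAT/iocs](iocs)`) so the summary and the indicator list stay tied together. The leading thread emoji and the arrow in `5/` (`VBScript โ†’ JScript โ†’ TAR`) are committed as mojibake (`๐Ÿงต`, `โ†’`), which indicates the file was written in the wrong encoding; re-save it as UTF-8 before merging. Renaming `readme.md` to `20260505_stx-rat_campaigns.md` also removes the directory's default landing page, so consider keeping a short `readme.md` that indexes the dated write-ups.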
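Review bot: the new `STX-RAT/iocs` file defangs inconsistently: the `Domains`, `Related staging hosts` and `Observed callback / staging URLs` sections use `[.]` and `hxxps`, but the `IPs` section is raw (`147.45.178.61`), while the write-up in the same commit writes the same address as `147.45.178[.]61`. Pick one convention for the whole file (fully defanged for humans, or fully raw in a machine-readable layout such as CSV with `type,value,context` columns) so consumers do not have to special-case sections when refanging. The `SHA256` block gives no indication of what each hash is (trojanized installer, `version.dll`, VBS lure, TAR component), which the write-up distinguishes; a per-hash label or a comment per group would make the list usable for triage. `(NB: may not work)` on the two callback URLs is ambiguous: state whether the hosts were unreachable at the time of writing or whether the path only responds to the expected tracking parameters. The file also has no extension and ends without a trailing newline; `iocs.txt` or `iocs.csv` with a final newline is friendlier to tooling.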