otx.alienvault.com
13.227.222.104
Public Scan
URL:
https://otx.alienvault.com/pulse/6139c6cffcb1a0ba0ed60bc5?utm_userid=swimlanecyou&utm_medium=inproduct&utm_source=otx&utm_c...
Submission: On September 09 via api from US — Scanned from DE
Form analysis: 0 forms found in the DOM
Text Content
BLADEHAWK GROUP: ANDROID ESPIONAGE AGAINST KURDISH ETHNIC GROUP
Created 38 minutes ago by AlienVault
Public
TLP: White
ESET researchers have investigated a targeted mobile espionage campaign against the Kurdish ethnic group. This campaign has been active since at least March 2020, distributing (via dedicated Facebook profiles) two Android backdoors known as 888 RAT and SpyNote, disguised as legitimate apps. These profiles appeared to be providing Android news in Kurdish, and news for the Kurds' supporters. Some of the profiles deliberately spread additional spying apps to Facebook public groups with pro-Kurd content. Data from a download site indicates at least 1,481 downloads from URLs promoted in just a few Facebook posts.
Reference: https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/
Tags: android, kasablanka, rat, facebook, kurdish, spynote, bladehawk
Adversary: BladeHawk
Targeted Countries: Turkey; Iran, Islamic Republic of; Iraq; Syrian Arab Republic
Malware Families: Android, Kasablanka
ATT&CK IDs: T1036 - Masquerading, T1070 - Indicator Removal on Host, T1566 - Phishing, T1402 - Broadcast Receivers, T1411 - Input Prompt, T1412 - Capture SMS Messages, T1418 - Application Discovery, T1420 - File and Directory Discovery, T1429 - Capture Audio, T1430 - Location Tracking, T1432 - Access Contact List, T1433 - Access Call Log, T1444 - Masquerade as Legitimate Application, T1447 - Delete Device Data, T1508 - Suppress Application Icon, T1509 - Uncommonly Used Port, T1512 - Capture Camera, T1513 - Screen Capture, T1533 - Data from Local System, T1582 - SMS Control
Indicators of Compromise (36) | Related Pulses (1) | Comments (0) | History (0)
Types of indicators: URL (9), Domain (2), FileHash-MD5 (4), FileHash-SHA256 (4), FileHash-SHA1 (17)