https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generation-of-fake-updates
COINLURKER: THE STEALER POWERING THE NEXT GENERATION OF FAKE UPDATES

Posted by Nadav Lorber on December 16, 2024

Fake update campaigns have advanced significantly with the emergence of CoinLurker, a stealer designed to exfiltrate data while evading detection. Written in Go, CoinLurker employs layered obfuscation and anti-analysis techniques that make it a highly effective tool in current intrusions.

INTRODUCTION

Building on the deceptive strategies of SocGholish, ClearFake, ClickFix and FakeCAPTCHA, attackers now combine highly convincing fake update prompts with stealthy payloads like CoinLurker. These campaigns use methods such as EtherHiding and in-memory execution to bypass traditional security defenses and obscure the malware's origin. In this blog, we examine the evolution of fake update campaigns, the techniques enabling CoinLurker's success, and actionable strategies for defending against this threat.

DELIVERY TACTICS AND TECHNIQUES

Fake update campaigns initiate infections through a variety of deceptive entry points that exploit user trust in routine actions:

* Fake Software Update Notifications: Malicious websites prompt users to download fake updates disguised as essential software patches. This vector is often observed on compromised WordPress sites, where attackers exploit vulnerabilities to inject the fake update prompt.
* Malvertising Redirects: Compromised ads on legitimate sites redirect users to malicious pages that prompt fake updates or CAPTCHA verifications.
* Phishing Emails: Emails link to spoofed update or CAPTCHA pages, tricking users into downloading malware disguised as security updates.
* Fake CAPTCHA Prompts: FakeCAPTCHA pages present malicious CAPTCHA prompts that deliver malware instead of verifying users.
* Direct Downloads from Fake or Compromised Sites: Malicious actors host fake updates on compromised or deceptive download sites, luring users into installing malware.
* Social Media and Messaging Links: Links shared on social platforms lead to malicious sites disguised as update or verification pages.

Each of these vectors disguises malware as a routine action, starting the infection chain with minimal user suspicion.

LEVERAGING MICROSOFT EDGE WEBVIEW2 AS A STAGER

The stager uses Microsoft Edge WebView2 to execute the malware behind a GUI that mimics legitimate browser update tools. Any interaction with the GUI, clicking a button or even closing the window, triggers payload execution.

Figure 1: Fake browser update WebView2 GUI
Figure 2: Chrome fake update WebView2 GUI

WebView2's dependency on pre-installed components and on user interaction complicates dynamic and sandbox analysis. Sandboxes often lack the WebView2 runtime or fail to replicate the user action, so the payload never runs and automated detection is evaded.

Figure 3: Screenshot of WebView2 installation within a sandbox

THE OBFUSCATION CHAIN: SMART CONTRACTS TO TRUSTED PLATFORMS

Binance Smart Contract → Actor-controlled C2 → Bitbucket Repository

Fake update campaigns like those deploying CoinLurker have adopted advanced evasion techniques, including EtherHiding, which uses Web3 infrastructure to conceal malicious payloads. This campaign employs a multi-stage chain to deliver its payload while remaining under the radar.

1. Binance Smart Contract: The process begins with encoded data embedded within a Binance Smart Contract. By leveraging the decentralized and immutable properties of the blockchain, attackers store payload instructions that are resistant to tampering or takedown.
2. Actor-controlled Command-and-Control (C2) Server: The encoded data directs the malware to an actor-controlled C2 server, which serves as the pivot point in the chain. The server dynamically returns further instructions or payload links, so the stager carries no static indicators that could trigger detection.
3. Bitbucket Repository: The final stage is a Bitbucket repository that initially hosts a benign executable. Once that file has been downloaded and rated clean by security scanners, it is replaced in place by a malicious version. This capitalizes on Bitbucket's reputation as a trusted platform while reducing the chance of immediate detection; the clean file in the first stage keeps the campaign from raising alarms during early distribution.

Figure 4: Screenshot of repositories used by the actor, with high download counts

TIMELINE OF FILENAMES (AUGUST TO OCTOBER 2024)

CoinLurker's evolution includes a notable sequence of filenames used in the Bitbucket repositories, each masquerading as a legitimate tool. From August to October 2024, the filenames observed include:

* BrowserUpdateTool.exe
* BrowserTool.exe
* BrowserUpdater.exe
* UpdateNow.exe
* UpdateMe.exe
* Updater.exe
* UpdaterSetup.exe
* Updating.exe
* SecurityPatch.exe

Each filename fits the fake update theme and is designed to look like a genuine system utility or browser update tool. The executables are also signed with a valid Extended Validation (EV) code-signing certificate, adding another layer of credibility. The origin of the certificate cannot be confirmed, but it is likely stolen; a valid EV signature lets the files pass signature-based trust checks without warnings and enhances their perceived legitimacy.

Figure 5: EV certificate parsed in VirusTotal

LAYERED INJECTION TACTICS TO EVADE DETECTION

CoinLurker uses a multi-layered injector to stealthily deploy malicious payloads into multiple instances of legitimate msedge.exe processes.
This approach lets the malware blend into legitimate system activity and bypass network security rules that filter on the originating process. Below are the key obfuscation techniques observed during analysis.

INFECTION VALIDATION THROUGH REGISTRY CHECKS

CoinLurker employs a heavily obfuscated function to determine whether the system has already been infected. The function dynamically constructs a unique registry key of the form SOFTWARE\<GUID>-<ID>, using system-specific data such as the machine's GUID together with custom input strings, and then tries to open it with the Windows OpenKey API. If the key exists and contains the expected values, CoinLurker treats the system as already infected and terminates. If the key is missing or its values do not match, the malware proceeds with its infection routine.

Functionally this is a mutex that prevents multiple infections, but the obfuscation inside the function, such as dynamic API resolution and a layered execution flow, makes it difficult for analysts to reverse-engineer the logic or recover how the key name is built.

Figure 6: Runtime validation obfuscated function (animated GIF)

RUNTIME STRING DECODING AND INJECTION

CoinLurker's injection process relies on dynamic string decoding and obfuscation to conceal its activity. The malware targets msedge.exe, launching each instance with a unique, obfuscated command-line argument. Examples include:

* WSCOGJJEZZWL
* NTOCBJPKZPNT
* XXEZGQVPKJGS
* PEQDTHUEORHX
* RLZXCUVFFESG

These arguments are generated and transformed at runtime, passing through layered transformations such as Base64 decoding, UTF-16 conversion, and dynamic resource mapping. The final values only emerge during execution, leaving minimal static traces. The payload itself is decrypted in memory by obfuscated routines, so signature-based scanning of the file on disk has little to match against.
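The registry marker gives responders something concrete to hunt for. The script below is an added example, not Morphisec's code: it looks for subkeys named in the <GUID>-<ID> shape the post describes. It assumes the GUID is the value of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid in its usual lowercase hyphenated form, that the key may live under either HKLM\SOFTWARE or HKCU\SOFTWARE, and that the <ID> suffix is unknown, so any non-empty suffix after the hyphen is reported. The matching logic is a pure function so it can be exercised offline against a constructed subkey list; live_scan() needs Windows.

```python
r"""Hunt for a CoinLurker-style infection marker key (added example).

The post states the marker is a key named SOFTWARE\<GUID>-<ID>. Assumptions
made here: <GUID> is the MachineGuid value, the key may be under HKLM or HKCU,
and <ID> is unknown. find_marker_keys() is pure; live_scan() is Windows-only.
"""
import re
import sys


def marker_pattern(machine_guid: str) -> "re.Pattern[str]":
    """Case-insensitive regex for '<machine guid>-<id>', braces optional."""
    guid = machine_guid.strip("{}")
    return re.compile(r"^\{?" + re.escape(guid) + r"\}?-[^\\]+$", re.IGNORECASE)


def find_marker_keys(machine_guid: str, subkey_names) -> list:
    """Return the SOFTWARE subkey names that look like the marker, sorted."""
    pat = marker_pattern(machine_guid)
    return sorted(name for name in subkey_names if pat.match(name))


def _enumerate_subkeys(hive, path: str):
    """Yield the direct subkey names of hive\\path (Windows only)."""
    import winreg
    try:
        key = winreg.OpenKey(hive, path)
    except OSError:
        return
    with key:
        i = 0
        while True:
            try:
                yield winreg.EnumKey(key, i)
            except OSError:      # ERROR_NO_MORE_ITEMS ends the enumeration
                return
            i += 1


def live_scan() -> dict:
    """Read the real MachineGuid and check HKLM\\SOFTWARE and HKCU\\SOFTWARE."""
    if sys.platform != "win32":
        raise RuntimeError("live_scan() only works on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Cryptography") as k:
        machine_guid, _ = winreg.QueryValueEx(k, "MachineGuid")
    hits = {}
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                        ("HKCU", winreg.HKEY_CURRENT_USER)):
        found = find_marker_keys(machine_guid, _enumerate_subkeys(hive, "SOFTWARE"))
        if found:
            hits[label] = found
    return hits


# Constructed sample data: a plausible MachineGuid and a mix of ordinary
# SOFTWARE subkeys plus two marker-shaped names (one uppercase, one braced).
SAMPLE_GUID = "4c4c4544-0042-3610-8050-c4c04f4e5a31"
SAMPLE_SUBKEYS = [
    "Microsoft", "Google", "Mozilla", "Classes", "Policies",
    "4C4C4544-0042-3610-8050-C4C04F4E5A31-SVC",
    "{4c4c4544-0042-3610-8050-c4c04f4e5a31}-upd",
    "4c4c4544-0042-3610-8050-c4c04f4e5a31",   # GUID alone: no '-<ID>', ignored
]

if __name__ == "__main__":
    if sys.platform == "win32":
        print(live_scan())
    else:
        print(find_marker_keys(SAMPLE_GUID, SAMPLE_SUBKEYS))
```

On a suspect host, run it as the logged-on user and again elevated, since the hive the marker lives in is not stated in the post. A hit is worth a look but not proof on its own; the actor's <ID> strings are not published, so confirm by checking the key's values and creation time against the fake updater's execution time.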
Figure 7: Main loader function

The injection logic incorporates heavily obfuscated control flow, including nested state machines and conditional checks that obscure the actual execution path. Redundant resource assignments and iterative memory manipulations further complicate analysis, keeping critical data hidden until runtime.

SOCKET-BASED COMMUNICATION FOR C2 OPERATIONS

CoinLurker communicates with its C2 servers over Winsock sockets. It uses GetAddrInfoW for DNS resolution, WSASocketW for socket creation, and ConnectEx to establish connections. Data exchange is handled with WSASend and WSARecv, and the operations are asynchronous, multiplexed through an I/O completion port created with CreateIoCompletionPort. Domains resolved by CoinLurker at runtime include:

* zovik[.]info
* analfucker[.]lol
* paveldurov[.]sbs

FILE ENUMERATION TARGETING CRYPTOCURRENCY WALLETS

CoinLurker takes a highly targeted approach to data collection, focusing on directories associated with cryptocurrency wallets and financial applications. Through systematic enumeration it attempts to access a range of locations commonly used to store sensitive user data. Key targets include:

Major cryptocurrency wallets:
* Bitcoin\wallets
* Ethereum\keystore
* Ledger Live\Local Storage\leveldb
* Exodus\exodus.wallet

Alternative cryptocurrencies and lesser-known wallets:
* BBQCoin, Lucky7Coin, MemoryCoin and many others, showing the effort to cover a wide range of cryptocurrencies (the full path list is in the IOC section below).

Related applications:
* Telegram Desktop\tdata, Discord\Local Storage\leveldb, and FileZilla

This comprehensive scan underscores CoinLurker's primary goal of harvesting cryptocurrency-related data and user credentials. Its targeting of both mainstream and obscure wallets makes it a significant threat to users in the cryptocurrency ecosystem.
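Both the msedge.exe injection described under "Runtime string decoding and injection" and the wallet directory sweep described above leave behaviour that telemetry can catch even though the binary and its strings are decoded only in memory. The detector below is an added example, not Morphisec's code. It runs two checks over constructed EDR-style event records: a process-creation rule that flags msedge.exe launched with nothing but bare 12-character uppercase tokens (legitimate Chromium-based browsers pass their child processes `--type=...` style switches, and the post's samples such as WSCOGJJEZZWL have no switches at all), and a file-access rule that flags one process touching several distinct wallet directories from the post's list within a short window. The field names, the "parent is not msedge.exe" condition, the threshold of three directories and the 60-second window are this example's own choices.

```python
"""Behavioural detections for two CoinLurker stages (added example).

Records are plain dicts standing in for Sysmon event ID 1 (process creation)
and a file-access feed. Field names, thresholds and the parent-process
condition are assumptions of this example, not facts from the post.
"""
import re
from collections import defaultdict

# CoinLurker launches msedge.exe with a single random 12-char uppercase token;
# real Edge child processes always carry '--' switches.
RANDOM_TOKEN = re.compile(r"^[A-Z]{12}$")


def _args_after_image(command_line: str) -> list:
    """Arguments following the (possibly quoted) image path of a Windows cmdline."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        rest = cl[end + 1:] if end != -1 else ""
    else:
        rest = cl.split(" ", 1)[1] if " " in cl else ""
    return rest.split()


def suspicious_edge_launch(event: dict) -> bool:
    """msedge.exe, not spawned by msedge.exe, with only random-token arguments."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    if image != "msedge.exe" or parent == "msedge.exe":
        return False
    args = _args_after_image(event["command_line"])
    return bool(args) and all(RANDOM_TOKEN.match(a) for a in args)


def flag_edge_launches(events) -> list:
    """PIDs of process-creation events matching the injector pattern."""
    return [e["pid"] for e in events if suspicious_edge_launch(e)]


# Subset of the post's discovery paths, relative to ...\AppData\ (lowercase).
WALLET_DIRS = (
    r"roaming\bitcoin\wallets", r"roaming\ethereum\keystore",
    r"roaming\ledger live\local storage\leveldb", r"roaming\exodus\exodus.wallet",
    r"roaming\electrum\wallets", r"roaming\bbqcoin", r"roaming\memorycoin",
)
SWEEP_THRESHOLD = 3   # distinct wallet dirs touched by one process ...
SWEEP_WINDOW_S = 60   # ... within this many seconds


def _wallet_dir(path: str):
    """The WALLET_DIRS entry a path falls under, or None."""
    p = path.lower()
    idx = p.find("\\appdata\\")
    if idx == -1:
        return None
    tail = p[idx + len("\\appdata\\"):]
    for d in WALLET_DIRS:
        if tail == d or tail.startswith(d + "\\"):
            return d
    return None


def wallet_sweeps(file_events) -> dict:
    """pid -> sorted wallet dirs, for processes that swept >= SWEEP_THRESHOLD
    distinct wallet directories inside one SWEEP_WINDOW_S window."""
    touches = defaultdict(list)                  # pid -> [(ts, dir)]
    for ev in file_events:
        d = _wallet_dir(ev["path"])
        if d:
            touches[ev["pid"]].append((ev["ts"], d))
    hits = {}
    for pid, items in touches.items():
        items.sort()
        for i, (t0, _) in enumerate(items):      # slide the window over each start
            window = {d for t, d in items[i:] if t - t0 <= SWEEP_WINDOW_S}
            if len(window) >= SWEEP_THRESHOLD:
                hits[pid] = sorted(window)
                break
    return hits


# Constructed sample telemetry (not real captures).
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
PROCESS_EVENTS = [
    {"pid": 4120, "image": EDGE, "parent_image": EDGE,                       # renderer
     "command_line": f'"{EDGE}" --type=renderer --field-trial-handle=1234'},
    {"pid": 4200, "image": EDGE, "parent_image": r"C:\Windows\explorer.exe",  # user
     "command_line": f'"{EDGE}" --profile-directory=Default'},
    {"pid": 5010, "image": EDGE, "parent_image": r"C:\Users\u\Downloads\UpdateMe.exe",
     "command_line": f'"{EDGE}" WSCOGJJEZZWL'},                               # injector
    {"pid": 5011, "image": EDGE, "parent_image": r"C:\Users\u\Downloads\UpdateMe.exe",
     "command_line": f'"{EDGE}" NTOCBJPKZPNT'},
]
FILE_EVENTS = [
    {"ts": 100, "pid": 5010, "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 101, "pid": 5010, "path": r"C:\Users\u\AppData\Roaming\Bitcoin\wallets\wallet.dat"},
    {"ts": 102, "pid": 5010, "path": r"C:\Users\u\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"ts": 103, "pid": 5010, "path": r"C:\Users\u\AppData\Roaming\Ethereum\keystore\UTC--2024"},
    {"ts": 104, "pid": 5010, "path": r"C:\Users\u\AppData\Roaming\BBQCoin\wallet.dat"},
    {"ts": 100, "pid": 7000, "path": r"C:\Users\u\AppData\Roaming\Electrum\wallets\default_wallet"},  # own app
    {"ts": 200, "pid": 8000, "path": r"C:\Users\u\AppData\Roaming\Bitcoin\wallets\wallet.dat"},        # backup
    {"ts": 3800, "pid": 8000, "path": r"C:\Users\u\AppData\Roaming\Electrum\wallets\default_wallet"},  # tool
]

if __name__ == "__main__":
    print(flag_edge_launches(PROCESS_EVENTS), wallet_sweeps(FILE_EVENTS))
```

The two rules are deliberately independent: the process rule fires at injection time, before any wallet is read, while the sweep rule catches a stealer that was injected some other way. Tune SWEEP_THRESHOLD against your own baseline; wallet applications and backup agents touch their own directories, but rarely several unrelated ones within a minute.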
HOW MORPHISEC CAN HELP

Morphisec's Automated Moving Target Defense (AMTD) technology stops sophisticated attacks at the earliest stage without relying on signature- or behavior-based detection. By preemptively blocking memory- and application-based attacks, Morphisec eliminates threats before they can take hold and become business-impacting. Schedule a demo to see how Morphisec stops fake update campaigns like CoinLurker and other emerging threats.

IOCS

Fake installers (SHA256):
* 324e1bf24f13d5a8f45cc5ee25d3dfe330a7e755b19901549976f2db02ca4fa4
* c8adb9bf6997a9fa2738a09600a60abc4fb6334aa54b24166cf042afdc5a1064
* 1f4624c44288f77327ec2e8d260399559b81c7cae442c31311736c2a2ec5f399
* a7eca930c2aa851cae3475cb4f5d599058816d51e1cc55a82ae976a030794aac
* be5e250168d37e7a9a4999d41a77cde19a6ac376a391f602b3496ace307ad0e8
* 93cc9759d86f8b087b71583f577a5534e975ce9ac19ec3ec140efa6bbfad6bd0
* 44521e1af289aa3473d7445d097766f1c3f3d8721d14b14ed6d5404994a03eb2
* 2198912e1a1f4a5b5f0dfe237b75d264c9be0b5b6f98f83a999117dd194e842c
* f79c62b820420bda78252197db842eabe63261a4e80fbdcec8d671ce3d0a43ef
* 11cefe96966858c237a3aff132e5c54d0d1bcd343a23b23fcc24735bcefc811c
* 8119a59487c6ffe5382c03e3de8c70b2c2e26899b51dcc4794066a8e1f358bcb
* 9a036f20d758107d9434bd3bed682ff7d81393dc9d49fd6fe70d4b549045eaa2
* a12809c76461d00760bef767c98baf5909a4aed48f2256d3c42eb1ca62835c14
* 487156ae20cc6d8e7d922cebe35b197c28ae43134f7e04c5f6bd0f3e164a7120
* 9116c7878f51e6d8173d41a5a0e63ca16105dac954afedeaf1d5e06594cc4d41
* cc2f65faf61154815b4fa151d9a27c01a160d7d46398c7e44169949a61c63c2b
* 7eede0e13ed9990afb465c2f612d85bc10c946dd2419323528a58707cef62899
* 2c8f611b0f2c157f010c20379d4fcd725a8c462a8d226ae0095e3e0fb110ddbe
* 6976c3e0ffbbbbb310995e70f24bf9501d017279d865ac4536aee25b316a92de
* 269c3b26b215d397f012a20e241c54b2c693667d4f64243ebf8dba1a5872c02d
* 397a0f6515a81f307b5289ff3e939a0e01a6c1a0f0515be9844ddc9c6031ad97
* 82cc0f3f4aa70a8215b62db7ee9deac1c3d4dd27cde25cf56ec2f82ca7d146a9
* 2181c60e8727d5cfe7e713aa9731018168660ad2c96f31b08a729d1503dfc19a
* 0b5fe211d558daa7d54207d2869f53d0a91ae16397343fd2605fd3a0f292dd21
* 9c0c9945f81977269542f941c10fa28dbefe91078b6df68e97d61b58318cac9a
* b761e91e77b67661db51d6b498ea39ccb6f143e51eeee18925a2dc4aab20adfa
* a612bca9b5cbda864f4b808992de3d616c67b9120d8b24cbfa8a836ccdde9142
* a3c7b289054635f5239d453fb4be718298037ea6c1f4bf16954af1e9da2a53e2
* 9ea70e081c13c4b0e30b43dd68a6a0e0cfb6926c990bbe8ddedd8d9693c953d6
* 0b420a565e5e6f6899ebcb1da2fc162b05f5a8b7bfe0f56f52a085f17abb253d
* 80b2950f1249d439105eac421660ddd15caab6de6afce3511f945deef1c0dd21
* c643c087c68e51dfe422ddb48614675ab8e6aaecbe5704759c9978ac22b15f83
* 3048030c0e3ff5e6e45bbb37e75d6e55fde8d77a928958dc34497177e077b69a
* 18f882b6c16641be3899f4e5123d10bb5c448ac7b7dafe7adb6144176acae304
* 15be79b09fa5efe3ca3440a94e436124d97232436af91f64917b7095b559a210
* 162e4277a4cb2e3703df74529d83d47b66a5b46b0a93b3ac902b56da3e588fe9
* 8d61f5b56f05daeef394dbc434abb96c1388aca8406e02445a72db1a65b9da3d
* 9374e1561a87a23b12ec586859661241b2eb5da822c0b4b874cdf9eda480363f
* fff7637514c6238443100fbc4d1fef626cebf043eef1aefa3a0f5ab6d0103bf6

Stager URLs:
* md928zs[.]shop/endpoint
* smolcatkgi[.]shop/endpoint
* dais7nsa[.]shop/endpoint
* ajsdiaolke[.]shop/endpoint
* peskpdfgif[.]shop/endpoint
* ndas8m92[.]shop/endpoint
* test-1627838[.]shop/endpoint
* smkn1leuwimunding[.]com/Updating.zip
* bitbucket[.]org/browsertools/tools/downloads/
* bitbucket[.]org/targetfile/download/downloads/UpdateRequest.exe
* bitbucket[.]org/browserupdater/download/downloads/BrowserUpdater.exe
* bitbucket[.]org/cleopatrall/upds/downloads/updater.exe
* bitbucket[.]org/stoptrackme/updatings/downloads/UpdateMe.exe
* bitbucket[.]org/napoleon_bonaparte/browtool/downloads/BrowserUpdateTool.exe

C2 domains:
* paveldurov[.]sbs
* zovik[.]info
* analfucker[.]lol

Sensitive data discovery paths:
* c:\users\<username>\appdata\local\google
* c:\users\<username>\appdata\roaming\mozilla\firefox
* c:\users\<username>\appdata\local\microsoft\edge
* c:\users\<username>\appdata\local\bravesoftware\brave-browser
* c:\users\<username>\appdata\local\360chrome
* c:\users\<username>\appdata\roaming\opera software
* c:\users\<username>\appdata\local\vivaldi
* c:\users\<username>\appdata\local\coccoc
* c:\users\<username>\appdata\local\yandex
* c:\users\<username>\appdata\local\chromium
* c:\users\<username>\appdata\local\tencent
* c:\users\<username>\appdata\roaming\jupitercoin
* c:\users\<username>\appdata\roaming\memorycoin
* c:\users\<username>\appdata\roaming\ledger live\local storage\leveldb
* c:\users\<username>\appdata\roaming\bbqcoin
* c:\users\<username>\appdata\roaming\bitbar
* c:\users\<username>\appdata\roaming\crimecoin
* c:\users\<username>\appdata\roaming\globalcoin
* c:\users\<username>\appdata\roaming\grain
* c:\users\<username>\appdata\roaming\lucky7coin
* c:\users\<username>\appdata\roaming\maples
* c:\users\<username>\appdata\roaming\ethereum\keystore
* c:\users\<username>\appdata\roaming\bits
* c:\users\<username>\appdata\roaming\colossuscoin
* c:\users\<username>\appdata\roaming\frankocoin
* c:\users\<username>\appdata\roaming\freecoin
* c:\users\<username>\appdata\roaming\zccoin
* c:\users\<username>\appdata\roaming\zcash
* c:\users\<username>\appdata\roaming\bountycoin
* c:\users\<username>\appdata\roaming\earthcoin
* c:\users\<username>\appdata\roaming\androidstokens
* c:\users\<username>\appdata\roaming\peoplecoin
* c:\users\<username>\appdata\roaming\redcoin
* c:\users\<username>\appdata\roaming\florincoin
* c:\users\<username>\appdata\roaming\sexcoin
* c:\users\<username>\appdata\roaming\lebowskis
* c:\users\<username>\appdata\roaming\skycoin
* c:\users\<username>\appdata\roaming\ezcoin
* c:\users\<username>\appdata\roaming\joulecoin
* c:\users\<username>\appdata\roaming\last coin
* c:\users\<username>\appdata\roaming\dogecoin
* c:\users\<username>\appdata\roaming\megacoin
* c:\users\<username>\appdata\roaming\unobtanium
* c:\users\<username>\appdata\roaming\extremecoin
* c:\users\<username>\appdata\roaming\grandcoin
* c:\users\<username>\appdata\roaming\richcoin
* c:\users\<username>\appdata\roaming\infinitecoin
* c:\users\<username>\appdata\roaming\uscoin
* c:\users\<username>\appdata\roaming\exodus\exodus.wallet
* c:\users\<username>\appdata\roaming\avingcoin
* c:\users\<username>\appdata\roaming\goldcoin
* c:\users\<username>\appdata\roaming\atomic_qt
* c:\users\<username>\appdata\roaming\bitcoin\wallets
* c:\users\<username>\appdata\roaming\namecoin
* c:\users\<username>\appdata\roaming\primecoin
* c:\users\<username>\appdata\roaming\luckycoin
* c:\users\<username>\appdata\roaming\onecoin
* c:\users\<username>\appdata\roaming\quarkcoin
* c:\users\<username>\appdata\roaming\asiccoin
* c:\users\<username>\appdata\roaming\cosmoscoin
* c:\users\<username>\appdata\roaming\ticketscoin
* c:\users\<username>\appdata\roaming\cloudcoin
* c:\users\<username>\appdata\roaming\mavro
* c:\users\<username>\appdata\roaming\secondscoin
* c:\users\<username>\appdata\roaming\supercoin
* c:\users\<username>\appdata\roaming\tagcoin
* c:\users\<username>\appdata\roaming\armory
* c:\users\<username>\appdata\roaming\beaocoin
* c:\users\<username>\appdata\roaming\freicoin
* c:\users\<username>\appdata\roaming\nanotokens
* c:\users\<username>\appdata\roaming\orbitcoin
* c:\users\<username>\appdata\roaming\royalcoin
* c:\users\<username>\appdata\roaming\worldcoin
* c:\users\<username>\appdata\roaming\alphacoin
* c:\users\<username>\appdata\roaming\ferretcoin
* c:\users\<username>\appdata\roaming\galaxycoin
* c:\users\<username>\appdata\roaming\unitedscryptcoin
* c:\users\<username>\appdata\roaming\ybcoin
* c:\users\<username>\appdata\local\coinomi\coinomi\wallets
* c:\users\<username>\appdata\roaming\bottlecaps
* c:\users\<username>\appdata\roaming\neocoin
* c:\users\<username>\appdata\roaming\protosharescoin
* c:\users\<username>\appdata\roaming\novacoin
* c:\users\<username>\appdata\roaming\terracoin
* c:\users\<username>\appdata\roaming\com.liberty.jaxx\indexeddb\file__0.indexeddb.leveldb
* c:\users\<username>\appdata\roaming\americancoin
* c:\users\<username>\appdata\roaming\gamecoin
* c:\users\<username>\appdata\roaming\kingcoin
* c:\users\<username>\appdata\roaming\securecoin
* c:\users\<username>\appdata\roaming\franko
* c:\users\<username>\appdata\roaming\nxtcoin
* c:\users\<username>\appdata\roaming\walletwasabi\client\wallets
* c:\users\<username>\appdata\roaming\fastcoin
* c:\users\<username>\appdata\roaming\nuggets
* c:\users\<username>\appdata\roaming\sifcoin
* c:\users\<username>\appdata\roaming\argentum
* c:\users\<username>\appdata\roaming\philosopherstone
* c:\users\<username>\appdata\roaming\xencoin
* c:\users\<username>\appdata\roaming\devcoin
* c:\users\<username>\appdata\roaming\elephantcoin
* c:\users\<username>\appdata\roaming\hobonickels
* c:\users\<username>\appdata\roaming\protoshares
* c:\users\<username>\appdata\roaming\zetacoin
* c:\users\<username>\appdata\roaming\atomic\local storage\leveldb
* c:\users\<username>\appdata\roaming\craftcoin
* c:\users\<username>\appdata\roaming\cryptogenicbullion
* c:\users\<username>\appdata\roaming\krugercoin
* c:\users\<username>\appdata\roaming\guarda
* c:\users\<username>\appdata\roaming\valuecoin
* c:\users\<username>\appdata\roaming\bytecoin
* c:\users\<username>\appdata\roaming\diamond
* c:\users\<username>\appdata\roaming\feathercoin
* c:\users\<username>\appdata\roaming\pennies
* c:\users\<username>\appdata\roaming\realcoin
* c:\users\<username>\appdata\roaming\electrum\wallets
* c:\users\<username>\appdata\roaming\ixcoin
* c:\users\<username>\appdata\roaming\naanayam
* c:\users\<username>\appdata\roaming\zenithcoin
* c:\users\<username>\appdata\roaming\bitgem
* c:\users\<username>\appdata\roaming\digitalcoin
* c:\users\<username>\appdata\roaming\ppcoin
* c:\users\<username>\appdata\roaming\mincoin
* c:\users\<username>\appdata\roaming\peercoin
* c:\users\<username>\appdata\roaming\shitcoin
* c:\users\<username>\appdata\roaming\liquidcoin
* c:\users\<username>\appdata\roaming\mastercoin
* c:\users\<username>\appdata\roaming\memecoin
* c:\users\<username>\appdata\roaming\tekcoin
* c:\users\<username>\appdata\roaming\tumcoin
* c:\users\<username>\appdata\roaming\yacoin
* c:\users\<username>\appdata\roaming\netcoin
* c:\users\<username>\appdata\roaming\paycoin
* c:\users\<username>\appdata\roaming\spots
* c:\users\<username>\appdata\roaming\chncoin
* c:\users\<username>\appdata\roaming\dollarpounds
* c:\users\<username>\appdata\roaming\playtoken
* c:\users\<username>\appdata\roaming\cryptogenicbullionc
* c:\users\<username>\appdata\roaming\eaglecoin
* c:\users\<username>\appdata\roaming\opensourcecoin
* c:\users\<username>\appdata\roaming\phenixcoin
* c:\users\<username>\appdata\roaming\sauron rings
* c:\users\<username>\appdata\roaming\bitcoin
* c:\users\<username>\appdata\roaming\anoncoin
* c:\users\<username>\appdata\roaming\copper bars
* c:\users\<username>\appdata\roaming\growthcoin
* c:\users\<username>\appdata\roaming\italycoin
* c:\users\<username>\appdata\roaming\42coin
* c:\users\<username>\appdata\roaming\blakecoin
* c:\users\<username>\appdata\roaming\casinocoin
* c:\users\<username>\appdata\roaming\ghisler
* c:\users\<username>\appdata\roaming\psi+\profiles\default
* c:\users\<username>\appdata\roaming\telegram desktop\tdata
* c:\users\<username>\appdata\roaming\discord\local storage\leveldb
* c:\users\<username>\appdata\roaming\filezilla