Germany’s economy is a precision machine: finance fuels it, manufacturing builds it, telecom connects it, IT optimizes it, and healthcare sustains it. The country sits at the crossroads of industrial power and digital transformation, making it irresistibly attractive to attackers.

In this article, we explore real-world attacks targeting five critical German industries, analyzed by ANY.RUN’s analysts using Interactive Sandbox and Threat Intelligence Lookup. Each case is not theory. It is a live wire, recently observed, carefully dissected.

Executive Summary 

• Germany’s top industries are under coordinated pressure, not isolated attacks. 

• Identity is the new perimeter: attackers are bypassing infrastructure defenses by hijacking sessions and abusing legitimate authentication flows. 

• Phishing has evolved into real-time session interception, rendering traditional MFA insufficient on its own. 

• Attackers adapt lures to business context, increasing success rates against employees. 

• Threat intelligence is no longer optional: it is critical for reducing detection time, preventing escalation, and protecting revenue 

Germany’s Digital Landscape: A High-Value Target 

Why Germany? 

• Largest economy in Europe with strong global ties; 

• Highly digitized enterprise sector; 

• Deep reliance on Microsoft 365, cloud services, and SaaS ecosystems; 

• Critical industries interconnected across supply chains. 

Germany’s industrial backbone — the Mittelstand of small and medium-sized enterprises, alongside globally recognized corporations in chemicals, automotive, and engineering — represents a vast attack surface. These organizations often store sensitive IP, manage critical infrastructure, and handle large financial transactions, yet historically have underinvested in cybersecurity relative to their size and importance. 

Geopolitics adds fuel to the fire provoking a sharp increase in professional, often state-directed attacks by APT groups (Advanced Persistent Threats) linked to geopolitical conflicts. Germany’s role in the EU, NATO, and global trade makes it a high-value intelligence target for foreign actors. 

• In 2024, cyberattacks caused approximately €178.6 billion in financial losses to German businesses, equivalent to 67% of all damage from corporate crime. (Bitkom). 

• 83% of German businesses fell victim to ransomware in 2024, according to the Cyber Security Report 2025 by Schwarz Digits. 

• The BSI’s 2024/2025 reports describe the IT security situation as “tense,” with 309,000 new malware variants appearing daily, ransomware attacks up 77%, and 22 state-sponsored APT groups active on German soil. 

Phishing remains the most prevalent attack vector. The BSI confirmed that phishing attacks expanded well beyond the financial sector in 2024, with attackers impersonating streaming services, logistics firms, government agencies, and enterprise software platforms like Microsoft 365. 

How German Companies Can Discover Industry-Specific Cyberattacks  

ANY.RUN’s Threat Intelligence Lookup, a searchable database of threat data from live malware analysis by a community of over 15K SOC teams, supports the mapping of attack indicators to specific sectors and regions.  

A local cyberthreat landscape can be revealed by combining lookups for an industry and a malware sample submission country, and by limiting the search period to see the most recent threats.   

industry:”Telecommunications” AND submissionCountry:”DE” 

Search for a threat, country, and industry, switch to the Analyses tab in the results, and see a selection of sandbox analyses.  

industry:”Telecommunications” AND submissionCountry:”DE” AND threatName:”xworm” 

Pivot your research via TI Lookup using IOCs from search results and sandbox analyses and boost triage, detection, and threat hunting in your SOC.  

1. Finance: FlowerStorm Targets a German Investment Firm 

Financial organizations in Germany operate in a high-trust, high-value environment: 

• Sensitive investment and client data; 

• Heavy use of cloud-based collaboration tools; 

• Strict compliance requirements 

This makes employee credentials a golden key. Microsoft 365 credential theft is a dominant threat vector in this sector. Attackers seek to compromise corporate email accounts to intercept transactions, conduct Business Email Compromise (BEC) fraud, or use valid credentials as a launchpad for deeper network intrusion. 

Threat in Focus: Spearphishing with FlowerStorm 

Target 
A German investment company managing portfolios in private equity, real estate, and hedge funds. The attack was precision-targeted: the victim’s corporate email address was embedded directly into the phishing link, encoded in Base64. 

Attack Type 
Spearphishing (targeted credential theft) for Microsoft 365 accounts. ANY.RUN’s sandbox classified this threat as FlowerStorm — a sophisticated phishing-as-a-service platform known for its multi-stage evasion techniques and precision targeting. 

Kill Chain 

1. In this case, the attacks starts with a malicious URL. However, as we can see in other analysis sessions, such links are usually delivered via phishing emails containing a PDF attachment. Inside the PDF is a QR code — a deliberate choice to bypass email-based URL scanners that cannot decode visual content. 

2. The victim scans the QR code and is taken to a landing page with a salary-related lure.  

3. The page loads a FingerprintJS script to profile the victim’s browser before showing any phishing content. This profiling helps attackers filter out security researchers and automated scanners. 

4. Cloudflare Turnstile CAPTCHA is activated, blocking automated analysis tools and sandbox detection attempts. 

5. The victim is redirected to the main phishing domain, which presents a pixel-perfect replica of the Microsoft 365 sign-in page, including a full OAuth flow simulation with client_id, redirect_uri, and response_type parameters. 

6. Credentials entered by the victim are immediately exfiltrated to attacker-controlled infrastructure. 

Why It Works 
FlowerStorm combines multiple layers of evasion (QR codes, browser fingerprinting, CAPTCHA, Base64 encoding) with surgical targeting. The salary-themed lure is psychologically effective: employees in a finance firm expect payroll-related communications, reducing suspicion. The Microsoft 365 OAuth imitation is technically convincing enough to fool even security-conscious users. 

2. Healthcare: Microsoft OAuth Abuse Targets a Research Center 

Healthcare in Germany is: 

• Highly decentralized; 

• Data-sensitive (patient records, research); 

• Often underfunded in cybersecurity. 

This creates a perfect storm for authentication abuse attacks. 

Healthcare breaches carry compounded consequences: regulatory penalties under GDPR, reputational damage, potential disruption to patient care, and the loss of research data that may represent years of work and significant public investment. 

Threat in Focus: Microsoft OAuth Abuse with Fake Outlook Login 

Target 
Germany’s largest medical research center. The attack was highly targeted: the victim’s corporate email appeared in plaintext in the OAuth state parameter and in Base64 in the URL fragment of the phishing page. 

Attack Type 
Phishing via Microsoft OAuth abuse combined with a fake Outlook login page. The attackers exploited Microsoft’s legitimate OAuth 2.0 authentication mechanism, substituting a malicious redirect_uri to capture credentials after the authentication handshake. 

Kill Chain 

1. The victim receives a link that begins as a legitimate request to login.microsoftonline.com. The redirect_uri, however, points to a compromised website. The state parameter contains the victim’s email address in plaintext. 

2. If no active Microsoft session exists, Microsoft returns an error=interaction_required response and redirects the user to the redirect_uri, the compromised WordPress site (saicares.com.au), which loads an intermediate invoice.html page. 

3. The intermediate page pulls content from ArDrive (a decentralized storage platform), adding another layer of obfuscation and hosting that is difficult to block. 

4. The victim is redirected to ogbarberschool[.]com — the primary phishing page. The victim’s email appears in the URL fragment both in Base64 and in plaintext, creating a personalized login experience. 

5. The phishing page contains obfuscated JavaScript and displays a convincing fake Outlook login form.  

6. Credentials entered by the victim are exfiltrated via a POST request to jewbreats[.]org/rexuzo/owa/apiowa[.]php. Suricata network rules flagged this as a suspicious unencrypted POST request transmitting an email address. 

Why It Works 
This attack is particularly dangerous because it begins with a genuine Microsoft domain. A victim who inspects the initial link sees a legitimate login.microsoftonline.com URL, providing false reassurance. By the time the malicious redirect occurs, the victim is already engaged. The use of a compromised WordPress site and decentralized storage makes the infrastructure difficult to detect and take down quickly. 

3. Technology: Reverse Proxy Phishing Targets an IT Company 

IT companies: 

• Manage infrastructure and credentials; 

• Have privileged access across systems; 

• Are often stepping stones for supply chain attacks. 

The sector’s familiarity with technology can create a paradoxical blind spot: IT professionals may be more likely to click links in emails that appear technical or work-related, assuming their technical knowledge makes them immune to social engineering. 

Threat in Focus: EvilProxy + EvilGinx2 Combined Attack 

Target 
A German IT company. The attack targeted a specific employee, whose email was extracted from the data parameter of a Microsoft Safe Links wrapper, indicating the attacker had prior visibility into the target’s email infrastructure. 

Attack Type 
Phishing via a combination of EvilProxy and EvilGinx2: two reverse proxy tools used in tandem. EvilProxy serves as the primary credential harvesting platform, while EvilGinx2 handles session token interception. Together, they create a real-time proxy of Microsoft’s login infrastructure capable of bypassing multi-factor authentication. 

Kill Chain 

1. The victim receives a phishing email urging them to “Review document,” a work-relevant lure that fits the daily workflow of an IT professional. 

2. The embedded link routes through a Mailchimp tracking URL (aviture[.]us7[.]list-manage[.]com), a legitimate email marketing service that lends the link apparent credibility and bypasses reputation-based URL filters. 

3. Mailchimp redirects to larozada[.]com, a compromised WordPress site hosting an intermediate page with a Cloudflare Turnstile CAPTCHA. 

4. After CAPTCHA verification, the victim is routed through a Cloudflare Workers serverless function, which performs additional routing to frustrate analysis and attribution. 

5. The final destination is the main phishing domain (googlmicrozonfaceb0xfileshar3instacloud0fftkdoctormedixxqqw[.]digital) — an EvilProxy instance that reverse-proxies the real Microsoft Login page in real time. The victim sees an authentic Microsoft experience. 

6. As the victim authenticates, EvilProxy intercepts the session cookie. The attacker now has a valid authenticated session. No password or MFA code required. 

Why It Works 
The use of legitimate services (Mailchimp, Cloudflare Workers, WordPress) at each stage of the attack chain makes it nearly impossible for conventional email filters and web gateways to block. The final EvilProxy stage defeats MFA entirely by hijacking the post-authentication session rather than attempting to steal the second factor. This is an adversary-in-the-middle attack that neutralizes one of the most commonly recommended security controls. 

Using TI Lookup, we can see that larozada[.]com is intensely correlated with this attack scenario:  
 
domainName:”larozada.com” 

Integrate Threat Intelligence Feeds in your security stack to have it continuously updated with a real-time stream of indicators (domains, URLs, IPs) for early detection and timely response.  

4. Telecom: Phishing-as-a-Service at Scale 

Telecom companies: 

• Sit at the heart of communications infrastructure; 

• Handle massive volumes of user data; 

• Operate complex, distributed environments. 

Telecom companies are targeted for multiple strategic reasons: access to customer data at scale, the potential for SIM-swapping attacks, the ability to intercept communications, and the value of internal network access for espionage or infrastructure disruption.  

Account takeover via Microsoft 365 credential theft is a priority threat for this sector, as telecom employees use cloud platforms extensively for internal communications, customer management, and operational coordination. 

Threat in Focus: EvilProxy without personalization 

Target 
An employee of a German telecommunications company. Unlike the finance and healthcare cases, this campaign used a non-personalized phishing page (no email embedded in the URL) suggesting a broader campaign that may target multiple companies simultaneously rather than a single individual. 

Attack Type 
Phishing via EvilProxy (Phishing-as-a-Service) — a commercial reverse proxy platform that proxies the real Microsoft login page in real time, intercepting session tokens and bypassing MFA without ever needing to steal a password. 

Kill Chain 

1. The victim receives a link pointing to portfolio-hrpcjqg[.]format.com/gallery — a legitimate portfolio hosting platform (Format.com). Using a reputable platform as the first hop bypasses domain reputation filters.

2. Format.com redirects to signin[.]securedocsportal.com/cyb3rusr131 — a phishing domain crafted to resemble a secure document signing portal, a plausible context for a telecom business user. 

3. Cloudflare Turnstile CAPTCHA filters automated scanners and security tools. 

4. After passing CAPTCHA, the victim reaches a page mimicking Microsoft 365 OAuth authorization, complete with client_id and redirect_uri parameters pointing to office.com for added legitimacy. 

5. EvilProxy proxies the real Microsoft Login through its own subdomains, giving the victim a fully functional Microsoft login experience. 

6. The victim enters credentials and completes MFA. EvilProxy intercepts the session cookie in real time, granting the attacker full authenticated access to the victim’s Microsoft 365 account without needing the password or MFA token. 

Why It Works 
EvilProxy is commercially available as a service, dramatically lowering the skill threshold for attackers. The use of a legitimate portfolio platform as the initial URL makes detection by email gateways extremely difficult. The MFA bypass via session cookie theft is highly effective against organizations that believe MFA alone is sufficient protection. 

5. Manufacturing: Brand-Impersonation and Teams Lure 

Germany’s manufacturing sector: 

• Is globally dominant; 

• Relies on internal communication platforms; 

• Often integrates IT and OT environments. 

Germany’s manufacturing sector is the engine of its economy, encompassing global leaders in chemicals, automotive, engineering, and consumer goods. They are also increasingly connected: Industry 4.0 technologies, IoT sensors, operational technology (OT), and cloud-integrated production systems have blurred the line between IT and physical operations. 

The consequences of a successful attack extend beyond data loss to potential operational shutdown, physical equipment damage, and supply chain disruption. 

Social engineering attacks targeting manufacturing employees are particularly effective because plant-floor and operations staff are not traditionally cybersecurity-trained, and Microsoft Teams has become a standard communication tool across these large organizations. 

Threat in Focus: Teams Voice Message Phishing 

Target 
A large German industrial conglomerate, a global producer of chemical products and consumer goods. This attack was unusually specific: the phishing domains were registered to include the target company’s name, and the fake login page was styled to match the company’s Microsoft Teams branding — indicating advance reconnaissance. 

Attack Type 
Phishing via EvilProxy using a Microsoft Teams voice message as bait. The attack was delivered via Amazon SES, a legitimate email delivery infrastructure, making it difficult for email security tools to flag based on sender reputation. 

Kill Chain 

1. The victim receives an email sent through Amazon SES, notifying them of a missed voice message in Microsoft Teams — a common notification that workers in large organizations receive regularly

2. The link leads to voicbx[.]com, a redirect service mimicking a Teams voice notification interface. 

3. Redirects to noncrappyandroidapps[.]com for an anti-bot verification step. 

4. TinyURL then routes the victim to teams-ms365[.]cloud, a phishing domain mimicking Microsoft Teams infrastructure. 

5. The victim lands on a fake Teams voice message page, styled specifically to match the target company’s branding — a degree of customization that indicates prior research into the target. 

6. When the victim attempts to play the voice message, they are redirected to EvilProxy domains that also contain the company’s name in the URL. 

7. The victim enters their credentials into a fake Okta authentication page and completes MFA. EvilProxy intercepts the session cookie, granting the attacker full access to the corporate Microsoft 365 environment without requiring the password or MFA factor. 

Why It Works 
The combination of a highly plausible lure (missed Teams voice message), delivery via Amazon SES (bypassing sender reputation filters), and company-branded phishing pages makes this attack unusually convincing. The use of Okta for the fake authentication page suggests the attackers were aware of the target company’s specific identity infrastructure. 

Food for Thought: What CISOs Need to Be Aware Of 

1. Five Critical German Industries Are Under Active Attack Right Now 

All five cases have been collected between January and March 2026. Finance, healthcare, IT, telecommunications, and manufacturing, the five most economically significant sectors in Germany, are not theoretical targets. They are active targets. This is systematic pressure on the German economy, not isolated incidents. 
 
ANY.RUN’s Threat Intelligence Lookup data reinforces this: searching for EvilProxy and FlowerStorm threats linked to German organizations over the past 60 days returned more than 220 analyses, confirming that these campaigns are ongoing and widespread. 

(threatName:”flowerstorm” OR threatName:”evilproxy”) and submissionCountry:”DE”

2. Selective Targeting Is a Growing Trend 

Several of these attacks show clear signs of advance reconnaissance. Phishing domains were registered with the target company’s name embedded, pages were styled to match corporate branding, and victim email addresses were pre-loaded into URLs. This level of preparation (particularly in the manufacturing case) goes beyond generic mass phishing and suggests attackers are investing in targeted intelligence gathering before launching campaigns. Some cases also used universal phishing pages, indicating a mix of targeted and mass-scale approaches within the same threat actor ecosystem. 

3. Social Engineering Is Being Adapted to Professional Context 

The lures used in these attacks are not generic. A salary-themed document for a finance employee, a missed Teams voice message for a manufacturing executive, a “Review document” prompt for an IT professional. Attackers appear to be selecting bait that fits the professional context of their targets, increasing click rates and reducing suspicion. This contextual adaptation of social engineering is a significant evolution in phishing tradecraft. 

4. Phishing-as-a-Service Platforms Have Democratized MFA Bypass 

EvilProxy, EvilGinx2, and FlowerStorm are not bespoke tools used by elite threat actors. They are commercially available phishing platforms sold as services. This means the barrier to launching a sophisticated, MFA-bypassing attack against a German enterprise is now accessible to a broad range of cybercriminals. These platforms proxy real Microsoft login pages in real time, intercept session cookies after successful MFA completion, and provide the attacker with a fully authenticated session — all without ever knowing the victim’s password or one-time code. 

Organizations that rely on MFA as their primary defense against credential theft need to understand that adversary-in-the-middle phishing renders standard MFA ineffective. Phishing-resistant MFA (such as FIDO2 hardware keys) and Zero Trust session validation are required to defend against these techniques. 

Protecting High-Risk Organizations: A Practical Approach for Decision-Makers 

For executives across finance, healthcare, telecom, IT, and manufacturing, cybersecurity is no longer just a technical function. It is a business continuity and risk management discipline. 

The attacks described in this article share a common trait: they move fast, abuse trusted services, and bypass traditional defenses. 

To counter this, organizations need more than tools. They need a workflow-driven approach, where threat intelligence and malware analysis directly improve how the SOC operates. 

Here is how this translates into measurable protection across core SOC workflows. 

1. Monitoring: Detect Earlier, Reduce Exposure 

The Challenge: 
Detection gaps, delayed visibility into new campaigns, and high volumes of low-context alerts. 

What to do: 

• Integrate TI Feeds into SIEM, EDR, and email gateways 

• Leverage sandbox-verified indicators tied to real attack activity 

• Continuously monitor infrastructure linked to phishing and session hijacking campaigns 

Instead of waiting for alerts, your SOC gains early visibility into attacker infrastructure, often within hours of campaign emergence 

Business impact: 

• Higher detection rates across environments (36% DR increase); 

• Earlier identification of threats before user interaction; 

• Reduced likelihood of successful initial compromise. 

Executive outcome: lower probability of high-severity incidents and reduced exposure window. 

2. Triage: Increase Speed, Reduce Cost per Incident 

The Challenge: 
Slow investigations, manual enrichment, and excessive escalation to senior analysts. 

What to do: 

• Use TI Lookup to instantly enrich indicators with behavioral and campaign context; 

• Combine enrichment with interactive sandbox analysis for rapid validation; 

• Enable Tier 1 analysts to resolve more alerts independently. 

Analysts move from fragmented investigation to instant, evidence-based decisions, with average detection times measured in seconds. 

Business impact: 

• Faster MTTD and MTTR; 

• Up to 30% fewer escalations to higher tiers; 

• Reduced cost per investigation. 

Executive outcome: more efficient SOC operations with lower staffing pressure and faster decision cycles. 

3. Incident Response: Contain Faster, Minimize Damage 

The Challenge: 
Limited visibility into attack scope and delayed containment decisions. 

What to do: 

• Use Interactive Sandbox to analyze full attack chains (redirects, payloads, exfiltration); 

• Correlate findings with TI Lookup to understand spread and related infrastructure; 

• Generate detailed reports for response and compliance. 

Incidents are no longer black boxes. Teams gain full kill-chain visibility within seconds and reduce response time significantly 

Business impact: 

• Faster containment and remediation (90% of threats visible in 60 seconds); 

• Reduced operational disruption; 

• Lower likelihood of repeat incidents. 

Executive outcome: minimized financial and operational impact from active threats. 

4. Threat Hunting: Shift from Reactive to Proactive Security 

The Challenge: 
Outdated data, manual validation, and lack of prioritization based on business risk. 

What to do: 

• Use TI Feeds to track emerging threats targeting your industry and region; 

• Pivot with TI Lookup across related indicators and campaigns; 

• Use sandbox insights to refine detection logic and hunt hypotheses. 

Threat hunting becomes data-driven and context-aware, leveraging live attack activity across thousands of organizations. 

Business impact: 

• Detection of threats before alerts trigger; 

• Reduced attacker dwell time; 

• More precise prioritization of high-risk threats. 

Executive outcome: improved risk visibility and proactive defense posture. 

Operational Impact → Business Outcomes 

When these capabilities are aligned across workflows, the effect compounds: 

Operational gains: 

• Faster case processing (minutes saved per investigation); 

• Higher detection rates (up to +36%); 

• Fewer escalations and analyst overload; 

• Shorter incident lifecycle. 

Business outcomes: 

• Reduced risk of breaches and account takeover; 

• Lower cost of security operations; 

• Minimized downtime and service disruption; 

• Stronger compliance and audit readiness;  

The difference between a resilient organization and a vulnerable one is not whether attacks happen. It is whether your teams can see threats early, understand them instantly, and act before impact spreads. 

By combining TI Feeds (visibility), TI Lookup (context), and Interactive Sandbox (depth), you turn security operations into a measurable business advantage, not just a defensive necessity. 

Conclusion 

The five attacks documented in this report share a common thread: they are sophisticated, targeted, and actively exploiting the trust that German employees place in familiar platforms like Microsoft 365, Outlook, and Teams. They represent a new generation of phishing campaigns that have moved far beyond bulk spam — into precision-engineered operations that research their targets, customize their lures, and deploy infrastructure specifically designed to survive detection. 

The good news is that these attacks are detectable. ANY.RUN’s Interactive Sandbox can analyze suspicious URLs and files in real time, tracing every redirect, every script, every network connection in the attack chain. The Threat Intelligence Lookup provides historical context — showing how many organizations have seen the same indicators, which industries are most targeted, and what threat families are most active. 

In an economy where a single successful breach can cost billions and disrupt national supply chains, visibility and speed of response will define resilience. 

About ANY.RUN  

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.  

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.  

ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls. 

FAQ

The post How Phishing Is Targeting Germany’s Economy: Active Threats from Finance to Manufacturing appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Cyble Research & Intelligence Labs (CRIL) weekly vulnerability report tracked 1,960 vulnerabilities last week, reflecting a continued surge in vulnerability disclosures across enterprise and cloud ecosystems.

Of these, 248 vulnerabilities have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of real-world attacks and accelerating exploitation timelines.

Additionally, at least 5 vulnerabilities were actively discussed across underground forums, indicating strong attacker interest and rapid weaponization.

A total of 214 vulnerabilitieswere rated critical under CVSS v3.1, while 57 were rated critical under CVSS v4.0.

Furthermore, CISA added 4 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

On the industrial side, CISA issued 7 ICS advisories covering 10 vulnerabilities, impacting vendors such as Schneider Electric, WAGO, and PTC.

Weekly Vulnerability Report’s Top 5 CVE’s

CVE-2026-32917 — OpenClaw (Critical)

CVE-2026-32917 is a critical remote command injection vulnerability affecting OpenClaw, an AI agent framework.

The flaw occurs in the iMessage attachment staging workflow, allowing attackers to inject commands into remote systems. Successful exploitation enables arbitrary command execution, potentially leading to full system compromise.

CVE-2026-4747 — FreeBSD RPCSEC_GSS (Critical)

CVE-2026-4747 is a critical stack-based buffer overflow vulnerability in FreeBSD caused by improper bounds checking in packet handling.

Attackers can send specially crafted requests to trigger a stack overflow, resulting in remote code execution with kernel-level privileges, enabling full system takeover.

CVE-2026-31883 — FreeRDP (Critical)

CVE-2026-31883 is a heap-based buffer overflow vulnerability in FreeRDP’s audio decoding components.

A malicious RDP server or man-in-the-middle attacker can exploit this flaw to execute arbitrary code, potentially compromising remote desktop clients and enterprise environments.

CVE-2026-1207 — Django (High)

CVE-2026-1207 is a SQL injection vulnerability in Django applications using PostGIS RasterField lookups.

Insufficient input validation allows attackers to inject malicious SQL queries, leading to data exposure, modification, and potential lateral movement within backend systems.

CVE-2025-53521 — F5 BIG-IP APM (Critical)

CVE-2025-53521 is a critical vulnerability in F5 BIG-IP Access Policy Manager, initially classified as a DoS flaw but later reclassified as unauthenticated remote code execution following active exploitation.

This vulnerability allows attackers to gain full control of access management systems, posing significant risks to enterprise networks.

Vulnerabilities Added to CISA KEV

CISA continued expanding its KEV catalog, reflecting active exploitation trends.

Notable addition:

CVE-2025-53521 — F5 BIG-IP APM
Initially considered a denial-of-service flaw, it was reclassified as a remote code execution vulnerability after evidence of active exploitation emerged.

This shows how vulnerabilities can evolve in severity over time, reinforcing the need for continuous reassessment and monitoring.

Critical ICS Vulnerabilities

CISA issued 7 ICS advisories covering 10 vulnerabilities, with several rated critical.

CVE-2026-2417 — Pharos Controls (Critical)

This vulnerability involves missing authentication for critical functions in Mosaic Show Controller firmware.

Attackers can exploit this flaw to gain unauthorized control over industrial systems, potentially disrupting operations.

CVE-2025-49844 — Schneider Electric Plant iT/Brewmaxx (Critical)

A use-after-free vulnerability in Schneider Electric’s industrial automation platform can lead to memory corruption and system compromise.

The presence of multiple vulnerabilities in this platform reflects systemic risk across widely deployed industrial environments.

CVE-2026-3587 — WAGO Managed Switches (Critical)

This vulnerability exposes hidden functionality in industrial switches, potentially enabling attackers to bypass controls and gain unauthorized access.

CVE-2026-4681 — PTC Windchill PDMLink (Critical)

This vulnerability involves improper control of code generation and currently has no available patch, leaving organizations exposed.

Grassroots DICOM (High, Unpatched)

A memory management flaw in Grassroots DICOM impacts healthcare imaging systems, with no vendor patch available, increasing risk to medical infrastructure.

Impacted Critical Infrastructure Sectors

Analysis shows that:

Commercial Facilities appear in 70% of ICS vulnerabilities

Critical Manufacturing and Energy each account for 60%

Healthcare, communications, and transportation sectors also face exposure.

This distribution shows the strong cross-sector dependencies, where vulnerabilities in industrial platforms can cascade into multiple critical infrastructure domains.

Conclusion

This week’s findings highlight a convergence of:

• Increasing vulnerability volume and severity
• Rapid exploitation cycles driven by PoC availability
• Active underground discussion and weaponization
• Persistent weaknesses in industrial control systems

With 248 publicly available PoCs, KEV additions confirming active exploitation, and unpatched ICS vulnerabilities, organizations face significant risk across both enterprise IT and operational technology environments.

Key Recommendations

• Prioritize vulnerabilities based on exploit availability and operational impact
• Patch critical enterprise systems and externally exposed services immediately
• Implement strong input validation and secure coding practices
• Harden remote access and RDP environments
• Segment IT and OT networks to limit lateral movement
• Apply compensating controls for unpatched ICS vulnerabilities
• Continuously monitor threat intelligence and underground forums
• Conduct regular vulnerability assessments and penetration testing

Cyble’s attack surface management and vulnerability intelligence solutions enable organizations to identify exposed assets, prioritize remediation, and detect early indicators of compromise. By combining threat intelligence with proactive defense strategies, organizations can effectively mitigate evolving risks across enterprise and critical infrastructure environments

The post The Week in Vulnerabilities: OpenClaw, FreeBSD, F5 BIG-IP, and Critical ICS Bugs appeared first on Cyble.

Cyble – ​Read More

• Cisco Talos uncovered a cluster of activity we track as UAT-10362 conducting spear-phishing campaigns against Taiwanese non-governmental organizations (NGOs) and suspected universities to deliver a newly identified malware family, “LucidRook.” 
• LucidRook is a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and execute staged Lua bytecode payloads. The dropper “LucidPawn” uses region-specific anti-analysis checks and executes only in Traditional Chinese language environments associated with Taiwan. 
• Talos identified two distinct infection chains used to deliver LucidRook, involving malicious LNK and EXE files disguised as antivirus software. In both cases, the actor abused an Out-of-band Application Security Testing (OAST) service and compromised FTP servers for command-and-control (C2) infrastructure. 
• Through hunting for LucidRook, we discovered “LucidKnight,” a companion reconnaissance tool that exfiltrates system information via Gmail. Its presence alongside LucidRook suggests the actor operatesa tiered toolkit, potentially using LucidKnight to profile targets before escalating to full stager deployment. 
• The multi-language modular design, layered anti-analysis features, stealth-focused payload handling of the malware, and reliance on compromised or public infrastructure indicate UAT-10362 is a capable threat actor with mature operational tradecraft.

---

Spear-phishing campaigns against Taiwanese NGOs and universities 

Cisco Talos observed a spear-phishing attack delivering LucidRook, a newly identified stager that targeted a Taiwanese NGO in October 2025. The metadata in the email suggests that it was delivered via authorized mail infrastructure, which implies potential misuse of legitimate sending capabilities.

The email contained a shortened URL that leads to the download of a password protected and encrypted RAR archive. The decryption password was included in the email body. Based on this email and the collected samples, Talos observed two distinct infection chains originating from the delivered archives. 

Decoy files 

In the infection chain, the threat actor deployed a dropper that opens the decoy documents included in the bundle. One example decoy file is a letter issued by the Taiwanese government to universities in Taiwan. This document is a formal directive reminding national universities that teachers with administrative roles are legally required to obtain prior approval and file attendance records before traveling to China. An official version of this document can be found on the Taiwanese government website.

Two infection chains 

Talos identified two infection chains used to deploy LucidRook. Both were multi-stage and began with either an LNK or an EXE launcher. The LNK infection chain uses an initial dropper Talos tracks as LucidPawn. 

LNK-based infection chain

The LNK-based infection chain was observed in both the sample targeting Taiwanese NGOs (which were distributed via spear-phishing emails) and the sample we suspect targeted Taiwanese universities. Both samples were delivered as an archive, containing an LNK file with a document file with substituted PDF file icon, as well as a hidden directory in the folder, as shown in Figure 3.

The hidden directory contains four layers of nested folders designed to evade analysis. The fourth-level directory contains the LucidPawn dropper sample (DismCore.dll), a legitimate EXE file (install.exe), and a decoy file. An example folder structure is shown in Figure 4.

When the user clicks the LNK file, it executes the PowerShell testing framework script C:Program FilesWindowsPowerShellModulesPester3.4.0Build.bat, passing the path to binaries located in the hidden directory in order to launch the embedded malware. This is a known technique that leverages living-off-the-land binaries and scripts (LOLBAS) to evade detection.

The PowerShell process executes the following command:

The index.exe file is a legitimate Windows binary associated with the Deployment Image Servicing and Management (DISM) framework. It is abused as a loader to sideload LucidPawn via DLL search order hijacking.

The LucidPawn dropper embeds two AES-encrypted binaries: a legitimate DISM executable and the LucidRook stager. Upon execution, both binaries are decrypted and written to %APPDATA%LocalMicrosoftWindowsApps, with the DISM executable renamed to msedge.exe to impersonate the Microsoft Edge browser and the LucidRook stager written as DismCore.dll. Persistence is established via a LNK file in the Startup folder that launches msedge.exe. After dropping the binaries, LucidPawn launches the DISM executable to sideload the LucidRook stager.  

The LucidPawn dropper also handles decoy documents by locating files with specific document extensions (.pdf, .docx, .doc, .xlsx) in the working directory, copying them to the first layer directory, deleting the original lure LNK file, and opening the decoy using Microsoft Edge to distract the victim.

EXE-based infection chain  

The second infection chain leverages only a malicious EXE written in the .NET framework without the LucidPawn dropper.

Talos observed the EXE-based infection chain in samples uploaded to public malware repositories in December 2025. The samples were distributed as password protected 7-Zip archives named “Cleanup(密碼：33665512).7z”. Based on the Traditional Chinese language used in the archive filename, the language shown in the malicious dropper, and the geographic context of the sample upload locations, we assess with moderate to high confidence that the campaign was intended to target Taiwanese entities.

The 7-Zip archive contains a single executable file named Cleanup.exe. The extracted binary masquerades as Trend Micro™ Worry-Free™ Business Security Services, using a forged application name and icon to impersonate a legitimate security product. In addition, the binary contains a compilation timestamp that is clearly falsified (2065-01-12 14:12:28 UTC).

The executable is a simple dropper written with the .NET framework. It embeds three binary files as Base64-encoded data within its code and, upon execution, decodes and drops these files into the C:ProgramData directory. The dropped files include a legitimate DISM executable, the LucidRook stager, and a LNK file placed in the Startup folder to establish persistence.

After execution, the program displays a decoy message box claiming that the cleanup process has completed.

LucidRook Lua-based stager 

LucidRook is a sophisticated 64-bit Windows DLL stager consisting of a Lua interpreter, embedded Rust-compiled libraries, and Lua bytecode payload. The DLL embeds a Lua 5.4.8 interpreter and retrieves a staged payload (in our sample named archive1.zip) from its C2 over FTP. After unpacking and validating the downloaded stage, the implant loads and executes the resulting Lua bytecode on the compromised host. Embedding the Lua interpreter effectively turns the native DLL into a stable execution platform while allowing the threat actor to update or tailor behavior for each target or campaigns by updating the Lua bytecode payload with a lighter and more flexible development process. This approach also improves operational security, since the Lua stage can be hosted only briefly and removed from C2 after delivery, and it can hinder post-incident reconstruction when defenders recover only the loader without the externally delivered Lua payload.  

Due to the embedded Lua interpreter and stripped Rust-compiled components, the DLL is complex to reverse engineer. The binary is approximately 1.6MB in size and contains over 3,800 functions, reflecting the amount of runtime and library code bundled into a single module. Execution is initiated via the DllGetClassObject export; however, the sample implements no COM functionality and uses the export solely as an entry point.

Upon execution, the malware’s core workflow is twofold. First, it performs host reconnaissance, collecting system information that is encrypted, packaged, and exfiltrated to the C2 infrastructure. It then retrieves an encrypted, staged Lua bytecode payload from the C2 server, which is subsequently decrypted and executed on the compromised host.

Lua interpreter embedding implementation 

LucidRook embeds a Lua 5.4.8 interpreter directly inside the DLL and uses it to execute a downloaded Lua bytecode stage. Before handing the stage to the VM, the loader verifies that the decrypted blob begins with the standard Lua bytecode magic (x1bLua), indicating the payload is a compiled Lua chunk rather than plaintext script.

The Lua runtime is also wrapped with additional controls. Notably, the malware implements a non-standard “safe mode” that disables package.loadlib (as shown by the unique error string “package.loadlibis disabled in safe mode”), which prevents Lua payloads from loading arbitrary external DLL-based modules via the standard require/loader pathway. Additionally, in the library initialization flow observed, the malware opens common standard libraries (e.g., io, os, string, math, package) but does not open the debug library, which would normally provide powerful introspection primitives; this omission is consistent with an anti-analysis hardening choice.

String obfuscation scheme 

The LucidRook samples employ a sophisticated string obfuscation scheme. The obfuscation was applied to almost all the embedded strings including file extensions, internal identifiers, and C2 addresses. This transformation increases the difficulty of analysis and detection.

The deobfuscation follows a structured two-stage runtime process: 

1. Address calculation: Rather than using direct offsets, the malware calculates the memory address of an encrypted string through a unique series of arithmetic operations for each string. This design prevents cross-referencing encrypted data blocks to their use-sites for reverse engineering.  
2. Runtime key reconstruction and XOR decryption: Each 4-byte chunk is decrypted using XOR with a key that is not hardcoded directly. Instead, the key is reconstructed at runtime by combining a constant seed value (ending in 0x00) and a single-byte mask read from a parallel lookup table: Plaintext = Ciphertext ^ (Seed | Mask)

The use of a parallel lookup table for masks significantly complicates the creation of automated “unpacking” scripts, as the relationship between the encrypted string and its corresponding mask is obscured by the flattened control flow.

Host reconnaissance 

The malware collects several system information including user account name, computer name, driver information, user profile directory, installed applications, running process, and so on. The collected information is stored into three files (named 1.bin, 2.bin, 3.bin) with two layers of encryptions: RSA and a password-encrypted ZIP archive. The BIN files are encrypted with an embedded RSA public key (DER hash ab72813444207dba5429cf498c6ffbc69e1bd665d8007561d0973246fa7f8175) and then compressed into a ZIP file encrypted with password !,OO5*+ZEYORE%&.K1PQHxiODU^RA046. With these encryptions in place, the exfiltrated data can only be decrypted by the threat actor. The decrypted RSA public key used to encrypt exfiltrated data is:

-----BEGIN RSA PUBLIC KEY----- 
MIIBCgKCAQEA3YeM0FbZO8QB3/ctZd2+oS8weSUwmgp33c5lVJ8InJx5yJJnXF+8 
qLL+nzwcItVQyAQbZBymN9ueIgkNRBQuRJgZOxLHG2cbNIWXMImKb5zkkyIUfCz1 
hLprvBu4i2IIeWTFyTLfIpwZ/rUn+lARRmIeWTmJezOaSh5QvVaF6Oqk5qoTXk9A 
MivxKnfFiMhlBh3/V6S4+gTzqy7IwgSuPv8IL6n5LF+N8DmIvAVCck1e2KIYMu54 
UT7ef16N60LVksADJsnk+E5CSOeD4FzSTjS9G9c3sZFP/7r7xAbr5CbKvaBvJ+49 
7OlzJjaq1H+M7aOAPKaf/hyewEHIr+W1EQIDAQAB 
-----END RSA PUBLIC KEY----- 

The encrypted data is archived into a file named archive4.zip and uploaded to the C2 FTP server using authenticated credentials obfuscated and embedded in the stager. 

C2 communication 

The LucidRook stager communicates with the abused/compromised FTP servers to not only upload the collected system information but also to download and execute Lua bytecode payload to achieve remote code execution. 

FTP servers with publicly exposed credentials 

LucidRook uses plaintext FTP for both staging and exfiltration. In the observed captures, the implant authenticates with embedded credentials, switches to binary mode (TYPE I), enters passive mode (PASV), and uploads the exfiltrated information in an archive named archive4.zip via STOR before closing the session. It then establishes a second FTP session and attempts to retrieve archive1.zip (payload) via RETR.

The LucidRook samples connect to C2 infrastructure that appears to abuse FTP servers with exposed credentials to retrieve staged payloads. Talos identified two such C2 servers, both located in Taiwan and operated by printing companies. Initially, it was unclear why the threat actor selected this infrastructure; however, further investigation revealed that both companies publicly listed FTP credentials on their official websites as part of a “file uploading service”. We observed that this practice is common among local printing companies and effectively creates a pool of publicly accessible, low‑cost infrastructure that can be repurposed by threat actors as low-cost C2 staging servers.

Stealthy payload protections 

Besides what we previously mentioned about the encryption for the exfiltrated data, the threat actor also employed stealthy protection for the downloaded payload. The LucidRook sample Talos obtained (edb25fed9df8e9a517188f609b9d1a030682c701c01c0d1b5ce79cba9f7ac809) uses the password ?.aX$p8dpiP$+4a$x?=0LC=M>^>f6N]a to decrypt the archive when it’s protected and requires that an index.bin file be found within the ZIP archive. After decryption, it uses a different RSA private key (DER hash 7e851b73bd59088d60101109c9ebf7ef300971090c991b57393e4c793f5e2d33) embedded and encrypted inside the malware to decrypt the payload. The corresponding public key (DER hash a42ad963c53f2e0794e7cd0c3632cc75b98f131c3ffceb8f2f740241c097214a) for this private key is:

-----BEGIN PUBLIC KEY----- 
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArQ9deG1+FiOgxT2eX78n 
3Ni/PmrV/V6iuf+bc+ii+9wD6Pyc7QyicaZODr2YlKifwJabJuDsIcANRIQGBLf2 
8j0yG3x25rP4XTnavTyPB6s+fJgNebmB9Hhgx3AY25ufJvNAelnmXnPn/xp6tZ/V 
kup72tiwKWeBVJOZYW3qYno4n5hffdNqTFIgUZDDLhqa+nT1gD6LZ6W/BidIM70O 
gn2h8ppc8aKc893FkfvNYwhgubiDFv9rgvSVvxt0uTVERtBsCyAScD1MMvswEyK6 
LrgnyTz7KwOv5wyPfE3BPs8lpMQIyi/jcIIroyk9uLarfV/XIbgTOqEYf5/9bDSs 
iQIDAQAB 
-----END PUBLIC KEY----- 

During investigation, Talos obtained a payload from a private source which matched the index.bin file structure. However, the password from the LucidRook sample we got was not able to decrypt the archive. We also obtained another version of the payload from the FTP C2 server, but this payload includes four files that does not match the version of LucidRook sample we analyzed as shown in Figure 16.

Based on this information, we suspect that the threat actor is generating different payloads using different sets of passwords for different targets, even though they share the same C2 server. The files inside the payload also suggest it potentially leverages different modules for different capabilities for the stager. 

LucidPawn dropper 

The LucidPawn dropper shares some similarity with LucidRook, including the same COM DLL masquerade technique, obfuscation scheme, and Rust-compiled code. 

Leveraging an OAST service 

Upon execution, the LucidPawn dropper sends a DNS request to a domain “D.2fcc7078.digimg[.]store”. The domain “digimg[.]store” redirects to “dnslog[.]ink”, a public Chinese Out-of-band Application Security Testing (OAST) service. It is widely used by security researchers, penetration testers, and threat actors to verify network connectivity and vulnerability exploitation. By using this service, LucidRookoperators receive confirmation once the exploitation succeeds without setting up their own infrastructure. It is worth noting that the same service domain has been leveraged in other targeted campaigns; however, because the service is publicly accessible and can be used by any threat actor, Talos avoids making attribution based solely on this linkage.

Geo-targeting anti-analysis 

LucidPawn implements a geo-targeting anti-analysis execution gate by querying the host’s Windows UI language via the GetUserDefaultUILanguage() API. Execution continues only when the system UI language matches Traditional Chinese environments associated with Taiwan.

The implementation compares a masked LANGID against 0x0404 (zh-TW). The mask and 0xF7FF clears bit 0x0800, causing only 0x0404 (zh-TW) and 0x0C04 (zh-HK) to normalize to the same value and satisfy the check. As a result, the sample exits early on most analysis sandboxes, which commonly use 0x0409 (en-US). This control reduces exposure by limiting execution to the intended victim geography and suppressing behavior in common analyst environments.

The LucidKnight reconnaissance tool 

While hunting for additional LucidPawn samples, we identified a variant of LucidPawn (d8bc6047fb3fd4f47b15b4058fa482690b5b72a5e3b3d324c21d7da4435c9964). This sample shares the same geo-targeting anti-analysis logic observed in other samples used to deliver LucidRook. Compared with the LucidPawn samples associated with LucidRook delivery, however, this variant omits the callback to the out-of-band interactive service domain and functions solely as a dropper, deploying the reconnaissance tool LucidKnight (aa7a3e8b59b5495f6eebc19f0654b93bb01fd2fa2932458179a8ae85fb4b8ec1) after execution.

Like other malware in the Lucid family, LucidKnight is a 64-bit Windows DLL that contains embedded Rust-compiled components to implement various functions. The malware also uses a string obfuscation scheme similar to those observed in LucidPawn and LucidRook to conceal its C2 configuration.

Upon execution, LucidKnight collects system information including the computer name, OS version, processor architecture, CPU usage, running processes, and installed software. The collected data are written to four TXT files, encrypted with an embedded RSA public key, and packaged into a password-protected ZIP archive named archive.zip using the password xZh>1<{Km1YD3[V>x]X>=1u(Da)Y=N>u. The embedded RSA public key (DER hash 852a80470536cb1fdab1a04d831923616bf00c77320a6b4656e80fc3cc722a66) is shown below:

-----BEGIN RSA PUBLIC KEY----- 
MIIBCgKCAQEAuvXyx+rPGjS/bI6cvl8LIVVatwD6JU19EvJPlBWlmPqVm/se+3QS 
9av+X8PFgwoGXJZTEanAY4JhOMXKYSbErwrLktbEY2tFi7w3/WyPPcB6/I6zD2yU 
Mqcoqy1Z3+4CsLz4D/LZtOst4alSGOgTDeKtrWKHCyigFvndfds4pdCy78KBRtQb 
kV3UUlKQZm/37tP0CPXkKwxQ1n/+DTh265gRaVrhr4+VUagNmYta1faMLsvM8O3F 
Lu2tQiOxeSZC21z6V3kcifYiBLT0khx11JqD3jTfA41OcngZfwWYHbitDBZF7rpL 
26ZSitNxMAq1O6DrXzI5wdVn0fZgSXNEbwIDAQAB 
-----END RSA PUBLIC KEY----- 

Unlike LucidRook, which uploads collected system information to a compromised FTP server, LucidKnight exfiltrates reconnaissance data via email using the embedded Rust lettre crate, which provides SMTP message creation and delivery functionality.

Specifically, the malware constructs an email with the Traditional Chinese subject “運動資訊平台” (“Sports Information Platform”) and includes the collected data as a MIME attachment. It then resolves “smtp.gmail.com”, authenticates to the Gmail account “fexopuboriw972@gmail.com” with an embedded application key, and sends the data to the temporary email address “crimsonanabel@powerscrews.com”. The following email shows an example of the content crafted by LucidKnight:

From: fexopuboriw972@gmail.com 
To: crimsonanabel@powerscrews.com 
Subject: =?utf-8?b?6YGL5YuV6LOH6KiK5bmz5Y+w?= 
MIME-Version: 1.0 
Date: Tue, 17 Feb 2026 02:05:49 +0000 
Content-Type: multipart/mixed; 
 boundary="vlOcEyPfxrLCR89C5RuARsViLsqzv1brB2u8YvNd" 
--vlOcEyPfxrLCR89C5RuARsViLsqzv1brB2u8YvNd 
Content-Type: text/plain; charset=utf-8 
Content-Transfer-Encoding: base64 
5oKo6KqN54K65Y+w54Gj55uu5YmN5Zyo6Jed5paH5rC457qM55m85bGV55qE5pS/562W5LiK5pyJ 
5ZOq5Lqb5YW36auU55qE5oiQ5Yqf5qGI5L6L5oiW5YC85b6X5pS56YCy55qE5Zyw5pa577yf 
--vlOcEyPfxrLCR89C5RuARsViLsqzv1brB2u8YvNd 
Content-Type: application/zip 
Content-Disposition: attachment; filename="archive.zip" 
Content-Transfer-Encoding: base64 
UEsDBDMAAQBjALgQUVwEOkfvkhkAAHEZAAAFAAsAMS50eHQBmQcAAQBBRQMIAEF/fb/F6o3HptX3 
(redacted)

The discovery of LucidKnight suggests that the actor maintains a modular toolkit and may select components based on the operational context of each target, rather than deploying a fixed infection chain. LucidKnight may be used independently when lightweight reconnaissance is sufficient, or as a precursor to assess targets before committing the more complex LucidRook stager. 

The bottom line 

Based on the tactics, techniques, and procedures (TTPs) and the level of engineering investment observed across these infection chains, we assess with medium confidence that this activity reflects a targeted intrusion rather than broad, opportunistic malware distribution. Delivery via spearphishing, combined with LucidRook’s sophisticated design, suggests a sophisticated threat actor prioritizing flexibility, stealth, and victim-specific tasking.

Although Talos has not yet found a decryptable Lua bytecode payload executed by LucidRook, we are publishing these findings to make early detection possible and encourage community sharing, with the goal of uncovering additional indicators that may facilitate stronger clustering and attribution in the future.

Coverage 

The following ClamAV signature detects and blocks this threat:

• Win.Backdoor.LucidRook-10059729-0  
• Lnk.Tool.UAT-10362-10059730-0  
• Win.Dropper.UAT-10362-10059731-0  
• Win.Tool.CobaltStrike-10059732-0 

The following SNORT® rules cover this threat:  

• Snort2 Rules: 66108, 66109, 66110, 66111 
• Snort3 Rules: 301447, 301448 

Indicators of compromise (IOCs)  

IOCs for this research can also be found at our GitHub repository here.

d49761cdbea170dd17255a958214db392dc7621198f95d5eb5749859c603100a (malicious 7z) 

adf676107a6c2354d1a484c2a08c36c33d276e355a65f77770ae1ae7b7c36143 (malicious archive) 

b480092d8e5f7ca6aebdeaae676ea09281d07fc8ccf2318da2fa1c01471b818d (Forged EXE dropper that drops LucidRook) 

c2d983d3812b5b6d592b149d627b118db2debd33069efe4de4e57306ba42b5dc (Forged EXE dropper that drops LucidRook) 

6aba7b5a9b4f7ad4203f26f3fb539911369aeef502d43af23aa3646d91280ad9 (LucidPawn, DismCore.dll) 

bdc5417ffba758b6d0a359b252ba047b59aacf1d217a8b664554256b5adb071d (LucidPawn dropper, DismCore.dll) 

f279e462253f130878ffac820f5a0f9ac92dd14ad2f1e4bd21062bab7b99b839 (malicious LNK) 

166791aac8b056af8029ab6bdeec5a2626ca3f3961fdf0337d24451cfccfc05d (malicious LNK) 

11ae897d79548b6b44da75f7ab335a0585f47886ce22b371f6d340968dbed9ae (LucidRook stager, DismCore.dll) 

edb25fed9df8e9a517188f609b9d1a030682c701c01c0d1b5ce79cba9f7ac809 (LucidRook stager, DismCore.dll) 

0305e89110744077d8db8618827351a03bce5b11ef5815a72c64eea009304a34 (LucidRook stager, DismCore.dll) 

d8bc6047fb3fd4f47b15b4058fa482690b5b72a5e3b3d324c21d7da4435c9964 (LucidPawn dropper dropping LucidKnight) 

aa7a3e8b59b5495f6eebc19f0654b93bb01fd2fa2932458179a8ae85fb4b8ec1 (LucidKnight, DismCore.dll) 

fd11f419e4ac992e89cca48369e7d774b7b2e0d28d0b6a34f7ee0bc1d943c056 (archive1.zip download from C2)

1.34.253[.]131 (abused FTP server) 

59.124.71[.]242 (abused FTP server) 

D.2fcc7078.digimg[.]store (DNS beaconing domain) 

fexopuboriw972@gmail.com 

crimsonanabel@powerscrews.com 

Cisco Talos Blog – ​Read More