Date: 06/24/2025
Severity: Medium
Summary
Cybercriminals are leveraging social media platforms to distribute malware by disguising it as cracked versions of popular software. Victims are lured to download ZIP files containing password-protected 7-Zip archives, with the passwords often displayed in the file names or download pages. These campaigns frequently use non-ASCII characters in file names to evade detection. Previously identified malware from such campaigns includes Lumma Stealer and StealC v2, although newer, yet-to-be-analyzed malware families are also emerging.
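The lure format described above (a ZIP wrapping a password-protected 7-Zip archive, non-ASCII characters in the member name, and the password shown in the file name) can be triaged automatically at a mail or download gateway. The following is an added example, not code from this advisory or from Gurucul; the sample ZIP is constructed inline for the demo, and the password-hint pattern is an assumed heuristic, not a signature from the campaign.

```python
import io
import re
import zipfile

# 7-Zip container signature ("7z" followed by BC AF 27 1C).
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
# Assumed heuristic: "pass"/"password" followed by a token in the file name.
PASSWORD_HINT = re.compile(r"pass(?:word)?\s*[:=\-]?\s*(\w+)", re.IGNORECASE)


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a fake 7z member whose name carries a
    zero-width space (non-ASCII) and a password hint. Not a campaign sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Setup\u200b_pass-1234.7z", SEVENZIP_MAGIC + b"\x00" * 32)
        zf.writestr("readme.txt", b"open the archive")
    return buf.getvalue()


def triage_zip(data: bytes) -> dict:
    """Inspect ZIP members without extracting them and report the three
    traits the advisory describes. 'suspicious' is set when a nested 7z
    archive is combined with either a non-ASCII name or a password hint."""
    findings = {"nested_7z": [], "non_ascii_names": [], "password_hints": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if not name.isascii():
                findings["non_ascii_names"].append(name)
            hint = PASSWORD_HINT.search(name)
            if hint:
                findings["password_hints"].append((name, hint.group(1)))
            # Read only the first bytes of the member to check for a 7z header.
            with zf.open(info) as fh:
                head = fh.read(len(SEVENZIP_MAGIC))
            if head == SEVENZIP_MAGIC:
                findings["nested_7z"].append(name)
    findings["suspicious"] = bool(findings["nested_7z"]) and bool(
        findings["non_ascii_names"] or findings["password_hints"]
    )
    return findings


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```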
Indicators of Compromise (IOC) List

| Type | Indicator |
| --- | --- |
| URL/Domain | https://allsoftscr.college/download |
| URL/Domain | https://allsoftscr.college/ |
| URL/Domain | https://securefilelink.info/?h=4de1cee3a27c39875809f1646fd153c0&user=55 |
| URL/Domain | https://securefilesdownload.pro/?z=55&n=Downlaod |
| URL/Domain | https://jholismylol.it.com/?13G54H6h7UcJMuRI0nDmKwst2xOeQTpgZvqAfjPl=V2UNGAz6wlh7f9CysFxrkg1cep0EbnJiYuLM8dIKZSv=7WAEl6BuX5gjhraFDzMCyS2GQs98bndNtxpkPURwicHOTVf&h=55 |
| URL/Domain | https://mega.nz/file/BIg1lbyD#HjWc16uo0jJVLNK7T1TWktJGBz4JP4zku3hs4gwr0ww |
| URL/Domain | b1.encountergulf.world |
| URL/Domain | http://h4.chatterscalded.top/shrk.bin |
| Hash (SHA-256) | b6de56ec93a5e13c801162e7e4720b522283ed8478c5936e14de3edcb10604f9 |
| Hash (SHA-256) | 0b7f4bea23943cc98753636d844c2906680f7c5dbf74ad710dc18f8f2c3d65d9 |
| Hash (SHA-256) | 13dabd761823e65a34dd3de0bff1ba4156539589e5c165c405f3524c2c12b575 |
| Hash (SHA-256) | 136e8d2ff3bc0ed0f9581f0efb04c04e598f0a942f5ba0b7a598ccea46ec6f1d |
| Hash (SHA-256) | 21d0bd2f5870c46cafa2a3ac4771ce0d907e1e03b926ae8820298f639e3b4fb6 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
| Query | Expression |
| --- | --- |
| Detection Query 1 (URL/domain match) | domainname like "http://h4.chatterscalded.top/shrk.bin" or siteurl like "http://h4.chatterscalded.top/shrk.bin" or url like "http://h4.chatterscalded.top/shrk.bin" or domainname like "b1.encountergulf.world" or siteurl like "b1.encountergulf.world" or url like "b1.encountergulf.world" or domainname like "https://mega.nz/file/BIg1lbyD#HjWc16uo0jJVLNK7T1TWktJGBz4JP4zku3hs4gwr0ww" or siteurl like "https://mega.nz/file/BIg1lbyD#HjWc16uo0jJVLNK7T1TWktJGBz4JP4zku3hs4gwr0ww" or url like "https://mega.nz/file/BIg1lbyD#HjWc16uo0jJVLNK7T1TWktJGBz4JP4zku3hs4gwr0ww" or domainname like "https://securefilesdownload.pro/?z=55&n=Downlaod" or siteurl like "https://securefilesdownload.pro/?z=55&n=Downlaod" or url like "https://securefilesdownload.pro/?z=55&n=Downlaod" or domainname like "https://securefilelink.info/?h=4de1cee3a27c39875809f1646fd153c0&user=55" or siteurl like "https://securefilelink.info/?h=4de1cee3a27c39875809f1646fd153c0&user=55" or url like "https://securefilelink.info/?h=4de1cee3a27c39875809f1646fd153c0&user=55" or domainname like "https://allsoftscr.college/download" or siteurl like "https://allsoftscr.college/download" or url like "https://allsoftscr.college/download" or domainname like "https://allsoftscr.college/" or siteurl like "https://allsoftscr.college/" or url like "https://allsoftscr.college/" or domainname like "https://jholismylol.it.com/?13G54H6h7UcJMuRI0nDmKwst2xOeQTpgZvqAfjPl=V2UNGAz6wlh7f9CysFxrkg1cep0EbnJiYuLM8dIKZSv=7WAEl6BuX5gjhraFDzMCyS2GQs98bndNtxpkPURwicHOTVf&h=55" or siteurl like "https://jholismylol.it.com/?13G54H6h7UcJMuRI0nDmKwst2xOeQTpgZvqAfjPl=V2UNGAz6wlh7f9CysFxrkg1cep0EbnJiYuLM8dIKZSv=7WAEl6BuX5gjhraFDzMCyS2GQs98bndNtxpkPURwicHOTVf&h=55" or url like "https://jholismylol.it.com/?13G54H6h7UcJMuRI0nDmKwst2xOeQTpgZvqAfjPl=V2UNGAz6wlh7f9CysFxrkg1cep0EbnJiYuLM8dIKZSv=7WAEl6BuX5gjhraFDzMCyS2GQs98bndNtxpkPURwicHOTVf&h=55" |
| Detection Query 2 (SHA-256 hash match) | sha256hash IN ("136e8d2ff3bc0ed0f9581f0efb04c04e598f0a942f5ba0b7a598ccea46ec6f1d","21d0bd2f5870c46cafa2a3ac4771ce0d907e1e03b926ae8820298f639e3b4fb6","13dabd761823e65a34dd3de0bff1ba4156539589e5c165c405f3524c2c12b575","b6de56ec93a5e13c801162e7e4720b522283ed8478c5936e14de3edcb10604f9","0b7f4bea23943cc98753636d844c2906680f7c5dbf74ad710dc18f8f2c3d65d9") |
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-06-20-IOCs-for-malware-disgused-as-cracked-software.txt