Distribution of PebbleDash Malware in March 2025

    Date: 04/29/2025

    Severity: Medium

    Summary

In March 2025, the PebbleDash backdoor, previously attributed to the Lazarus group, was observed in new campaigns targeting individuals. The latest activity pairs PebbleDash with additional malware and modules that extend its capabilities. Notably, the attackers have moved from the open-source RDP Wrapper tool to directly patching termsrv.dll, the Windows Remote Desktop Services library, to enable remote desktop sessions that the host's edition or configuration would otherwise not allow. Because termsrv.dll is a Microsoft-signed system file, a patched copy no longer passes its Authenticode signature check, which gives defenders a direct host-level check to run alongside the network and hash indicators below.

    Indicators of Compromise (IOC) List

    IP Address

    159.100.13.216

    213.145.86.223

    216.219.87.41

    64.20.59.148

Hash (MD5)

    641593eea5f235e27d7cff27d5b7ca2a

    70d92e2b00ec6702e17e266b7742bbab

    876dbd9529f00d708a42f470a21a6f79

    a5cca2b56124e8e9e0371b6f6293e729

    a8976e7dc409525a77b0eef0d0c3c4f2

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    dstipaddress IN ("159.100.13.216","64.20.59.148","216.219.87.41","213.145.86.223") or srcipaddress IN ("159.100.13.216","64.20.59.148","216.219.87.41","213.145.86.223")

    Detection Query 2

    hash IN ("a5cca2b56124e8e9e0371b6f6293e729","641593eea5f235e27d7cff27d5b7ca2a","70d92e2b00ec6702e17e266b7742bbab","876dbd9529f00d708a42f470a21a6f79","a8976e7dc409525a77b0eef0d0c3c4f2")
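The two queries above can be exercised offline as plain matching logic. The following is an added example, not code from the original advisory or from Gurucul or AhnLab: it replays Detection Query 1 (either endpoint in the C2 list) and Detection Query 2 (MD5 match) over a few constructed JSON log records, and adds a third, assumed rule that flags writes to termsrv.dll by anything other than the Windows servicing process. The field names (srcipaddress, dstipaddress, hash, image, target) and the TrustedInstaller allow-list are assumptions chosen for the example, and the sample records are constructed, not real telemetry.

```python
"""IOC matching for the PebbleDash March 2025 indicators (added example)."""
import json

# Indicators copied from the IOC list above.
IOC_IPS = {"159.100.13.216", "213.145.86.223", "216.219.87.41", "64.20.59.148"}
IOC_MD5 = {  # 32 hex characters, i.e. MD5; compared case-insensitively
    "641593eea5f235e27d7cff27d5b7ca2a",
    "70d92e2b00ec6702e17e266b7742bbab",
    "876dbd9529f00d708a42f470a21a6f79",
    "a5cca2b56124e8e9e0371b6f6293e729",
    "a8976e7dc409525a77b0eef0d0c3c4f2",
}

# Assumed, not from the advisory: the RDS library path and the one process
# legitimately expected to replace it (Windows servicing stack).
TERMSRV_PATH = r"c:\windows\system32\termsrv.dll"
ALLOWED_WRITERS = {r"c:\windows\servicing\trustedinstaller.exe"}

# Constructed sample records (raw strings so the JSON keeps its backslashes).
SAMPLE_LOGS = [
    r'{"event":"netconn","srcipaddress":"10.0.0.5","dstipaddress":"159.100.13.216","dstport":443}',
    r'{"event":"netconn","srcipaddress":"10.0.0.5","dstipaddress":"8.8.8.8","dstport":53}',
    r'{"event":"process","image":"C:\\Users\\u\\AppData\\Roaming\\svc.exe","hash":"A5CCA2B56124E8E9E0371B6F6293E729"}',
    r'{"event":"process","image":"C:\\Windows\\explorer.exe","hash":"d41d8cd98f00b204e9800998ecf8427e"}',
    r'{"event":"filewrite","image":"C:\\Temp\\patch.exe","target":"C:\\Windows\\System32\\termsrv.dll"}',
    r'{"event":"filewrite","image":"C:\\Windows\\servicing\\TrustedInstaller.exe","target":"C:\\Windows\\System32\\termsrv.dll"}',
]


def match_ip(rec):
    """Detection Query 1: source or destination address is a listed C2 IP."""
    return any(rec.get(field) in IOC_IPS for field in ("srcipaddress", "dstipaddress"))


def match_hash(rec):
    """Detection Query 2: file hash is a listed MD5 (case-insensitive)."""
    digest = rec.get("hash")
    return bool(digest) and digest.lower() in IOC_MD5


def match_termsrv_write(rec):
    """Assumed rule: termsrv.dll modified by a process other than the servicing stack."""
    if rec.get("event") != "filewrite":
        return False
    target = rec.get("target", "").lower()
    writer = rec.get("image", "").lower()
    return target == TERMSRV_PATH and writer not in ALLOWED_WRITERS


RULES = [
    ("ioc_ip", match_ip),
    ("ioc_hash", match_hash),
    ("termsrv_patch", match_termsrv_write),
]


def scan(lines):
    """Return [(matched rule names, record)] for every record that hits a rule."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        matched = [name for name, rule in RULES if rule(rec)]
        if matched:
            hits.append((matched, rec))
    return hits


if __name__ == "__main__":
    for names, rec in scan(SAMPLE_LOGS):
        print(",".join(names), "->", rec)
```

Hashes are normalised to lower case before comparison because EDR and Sysmon sources differ in case; IP matching is exact, which is what the TDIR query does. On a live host, the termsrv_patch rule is best paired with a signature check of the file itself (for example Get-AuthenticodeSignature on C:\Windows\System32\termsrv.dll in PowerShell), since a byte-patched library will report an invalid signature regardless of how it was written.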

    Reference:  

    https://asec.ahnlab.com/en/87621/


    Tags

Malware, PebbleDash, Backdoor, RDP, Remote Access Tool
