Date: 02/09/2026
Severity: High
Summary
The Threat Analysis reports examine emerging threats and offer practical guidance for mitigating them. In this report, Security Services analyzes a fake installer attack recently observed multiple times. The investigation uncovered findings not previously documented and revealed new threat intelligence. The malware impersonated a LINE installer and exhibited several previously unknown capabilities. Notably, related samples used PoolParty Variant 7 for code injection and targeted Chinese-speaking users.
Indicators of Compromise (IOC) List
IP Address:
143.92.38.217
206.238.221.165

Hash (SHA-1):
b02a99344f2fa81636ad913f805b52051debe529
b4feadbada51e68852a8a732f0e79ae725a755a4
51330636e299128c026c77cbc77dc24f3db49336
9120e22231ea9f597d8bb62d46e4775bd3fe5ccb
fab0802c3978f096223ff3b29188c3617e3cfa62
da64ac77059050fdf30143da3671d41fff872689
8e7e3a910f06310ca9fe1d07fd1a4208eeb53a25
2fd374f17e059cb16e530c3b73b883d5c57ce0f0
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (network indicators):
dstipaddress IN ("206.238.221.165","143.92.38.217") or srcipaddress IN ("206.238.221.165","143.92.38.217")

Detection Query 2 (file hash indicators):
sha1hash IN ("fab0802c3978f096223ff3b29188c3617e3cfa62","b4feadbada51e68852a8a732f0e79ae725a755a4","b02a99344f2fa81636ad913f805b52051debe529","51330636e299128c026c77cbc77dc24f3db49336","9120e22231ea9f597d8bb62d46e4775bd3fe5ccb","da64ac77059050fdf30143da3671d41fff872689","8e7e3a910f06310ca9fe1d07fd1a4208eeb53a25","2fd374f17e059cb16e530c3b73b883d5c57ce0f0")
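The two TDIR queries above can also be applied outside the Gurucul platform, for example when sweeping exported logs or an EDR dump. The following Python script is an added example, not part of the original advisory or the Gurucul product: it carries the same IP and SHA-1 indicators, parses simple key=value log lines (the line format and the sample lines are constructed for this example), normalizes hash case, validates that a hash value is actually 40 hex characters before comparing it, and reports which query each hit corresponds to.

```python
import re

# Indicators from the advisory's IOC list
IOC_IPS = {"143.92.38.217", "206.238.221.165"}
IOC_SHA1 = {
    "b02a99344f2fa81636ad913f805b52051debe529",
    "b4feadbada51e68852a8a732f0e79ae725a755a4",
    "51330636e299128c026c77cbc77dc24f3db49336",
    "9120e22231ea9f597d8bb62d46e4775bd3fe5ccb",
    "fab0802c3978f096223ff3b29188c3617e3cfa62",
    "da64ac77059050fdf30143da3671d41fff872689",
    "8e7e3a910f06310ca9fe1d07fd1a4208eeb53a25",
    "2fd374f17e059cb16e530c3b73b883d5c57ce0f0",
}

# A valid SHA-1 is exactly 40 lowercase hex characters after normalization
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_kv(line):
    """Parse a whitespace-separated 'key=value' log line into a dict.

    This is a constructed log format for the example; field names are
    lowercased so they line up with the query field names (srcipaddress,
    dstipaddress, sha1hash). Values must not contain spaces.
    """
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key.lower()] = value.strip('"')
    return fields


def match_record(rec):
    """Apply both detection queries to one parsed record.

    Returns a list of (query, field, value) tuples, one per indicator hit,
    so a single record can match both the IP query and the hash query.
    """
    hits = []
    # Detection Query 1: either endpoint of the connection is an IOC address
    for field in ("srcipaddress", "dstipaddress"):
        value = rec.get(field)
        if value in IOC_IPS:
            hits.append(("query1", field, value))
    # Detection Query 2: SHA-1 of the observed file is an IOC hash
    sha1 = rec.get("sha1hash")
    if sha1:
        sha1 = sha1.lower()  # tools differ in hash case; compare lowercase
        if SHA1_RE.match(sha1) and sha1 in IOC_SHA1:
            hits.append(("query2", "sha1hash", sha1))
    return hits


def scan(lines):
    """Run both detections over an iterable of log lines.

    Returns {line_index: [hits]} for lines with at least one match.
    """
    results = {}
    for index, line in enumerate(lines):
        hits = match_record(parse_kv(line))
        if hits:
            results[index] = hits
    return results


# Constructed sample log lines (not real telemetry): one network hit,
# one benign connection, one file hit with an uppercase hash, one non-IOC hash.
SAMPLE_LOGS = [
    "ts=2026-02-09T10:00:00Z srcipaddress=10.0.0.5 dstipaddress=206.238.221.165 action=allow",
    "ts=2026-02-09T10:00:01Z srcipaddress=10.0.0.5 dstipaddress=192.0.2.10 action=allow",
    "ts=2026-02-09T10:01:00Z host=ws01 sha1hash=B02A99344F2FA81636AD913F805B52051DEBE529 file=LineInstaller.exe",
    "ts=2026-02-09T10:02:00Z host=ws02 sha1hash=0000000000000000000000000000000000000000 file=setup.exe",
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOGS).items():
        print(f"line {index}: {hits}")
```

Running the script flags line 0 under Query 1 (destination address match) and line 2 under Query 2 (hash match despite the uppercase input); the benign connection and the unknown hash produce no output. The hex validation step matters when the source log mixes hash algorithms in one field, since an MD5 or SHA-256 value can never match the SHA-1 set and should not be compared against it.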
Reference:
https://www.cybereason.com/blog/fake-installer-valleyrat