From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

    Date: 09/30/2025

    Severity: High

    Summary

    The intrusion started with a JavaScript file linked to the Lunar Spider group, disguised as a tax form, which downloaded and executed Brute Ratel via an MSI installer. Throughout the attack, various malware strains were deployed, including Latrodectus, Brute Ratel C4, Cobalt Strike, BackConnect, and a custom .NET backdoor. The attackers harvested credentials from multiple sources, such as LSASS, backup tools, browsers, and a Windows Answer file used for automated system setup. Data exfiltration began around 20 days in, using Rclone and FTP. The threat actor remained active for nearly two months, maintaining intermittent C2 connections and carrying out discovery, lateral movement, and further data theft.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    workspacin.cloud

    illoskanawer.com

    grasmetral.com

    jarkaairbo.com

    scupolasta.store

    cloudmeri.com

    anikvan.com

    altynbe.com

    boriz400.com

    ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io

    uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io

    erbolsan.com

    samderat200.com

    dauled.com

    kasymdev.com

    kasym500.com

    avtechupdate.com

    https://workspacin.cloud/live

    https://illoskanawer.com/live

    http://45.129.199.214/vodeo/wg01ck01

    IP Addresses:

    45.135.232.3

    185.93.221.12

    193.168.143.196

    162.0.209.121

    95.164.68.73

    138.124.183.215

    91.194.11.183

    94.232.249.100

    94.131.108.254

    94.232.249.108

    45.150.65.85

    195.123.225.161

    195.211.98.249

    195.123.225.251

    217.196.98.61

    206.206.123.209

    45.129.199.214

    31.13.248.153

    Hashes (grouped as MD5, SHA1, SHA256; hex shown lower-case):

    MD5:    9eaa8464110883a15115b68ffa1ecf7d
    SHA1:   5348970723b378c7cae35bb03d8736f8e5a9f0ac
    SHA256: 37471af00673af4080ee21bd248536147e450d2eff45e8701a95d1163a9d62fe

    MD5:    50abc42faa70062e20cd5e2a2e2b6633
    SHA1:   97d72c8bbcf367be6bd5e80021e3bd3232ac309a
    SHA256: 203eda879dbdb128259cd658b22c9c21c66cbcfa1e2f39879c73b4dafb84c592

    MD5:    c8ea31665553cbca19b22863eea6ca2c
    SHA1:   ba99cd73b74c64d6b1257b7db99814d1dc7d76b1
    SHA256: 411dfb067a984a244ff0c41887d4a09fbbcd8d562550f5d32d58a6a6256bd7b2

    MD5:    4b3e9c9e018659d1cf04daf82abe3b64
    SHA1:   333e1c5967a9a6c881c9573a3222bed6ada911c6
    SHA256: 1a8ebf914ebea34402eecbf0985f05ae413663708d2fcc842fc27057ac5ec4ed

    MD5:    ad3c52316e0059c66bc1dd680cf9edad
    SHA1:   8dfa63c0bb611e18c8331ed5b89decf433ac394a
    SHA256: 100e03eb4e9dcdab6e06b2b26f800d47a21d338885f5dc1b42c56a32429c9168

    MD5:    495363b0262b62dfc38d7bfb7b5541aa
    SHA1:   2d92890374904b49d3c54314d02b952e1a714e99
    SHA256: 77eede38abdc740f000596e374b6842902653aeafb6c63011388ebb22ec13e28

    MD5:    ccb6d3cb020f56758622911ddd2f1fcb
    SHA1:   4a013f752c2bf84ca37e418175e0d9b6f61f636d
    SHA256: f4cb6b684ea097f867d406a978b3422bbf2ecfea39236bf3ab99340996b825de

    MD5:    d7bd590b6c660716277383aa23cb0aa9
    SHA1:   38999890b3a2c743e0abea1122649082a5fa1281
    SHA256: 6c3b2490e99cd8397fb79d84a5638c1a0c4edb516a4b0047aa70b5811483db8f

    MD5:    91889658f1c8e1462f06f019b842f109
    SHA1:   33a6b39fbe8ec45afab14af88fd6fa8e96885bf1
    SHA256: 36bc32becf287402bf0e9c918de22d886a74c501a33aa08dcb9be2f222fa6e24

    MD5:    a2b6479a69b51ae555f695b243e4fda1
    SHA1:   23fff588e3e5cc6678e1f77fab9318d60f3ac55f
    SHA256: 8fb5034aedf41f8c8c4c4022fdde7db3c70a5a7c7b5b4dec7f6a57715c18a5bf

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (domains and URLs; covers all 17 domains and 3 URLs listed above):

    domainname like "workspacin.cloud" or url like "workspacin.cloud" or siteurl like "workspacin.cloud"
    or domainname like "illoskanawer.com" or url like "illoskanawer.com" or siteurl like "illoskanawer.com"
    or domainname like "grasmetral.com" or url like "grasmetral.com" or siteurl like "grasmetral.com"
    or domainname like "jarkaairbo.com" or url like "jarkaairbo.com" or siteurl like "jarkaairbo.com"
    or domainname like "scupolasta.store" or url like "scupolasta.store" or siteurl like "scupolasta.store"
    or domainname like "cloudmeri.com" or url like "cloudmeri.com" or siteurl like "cloudmeri.com"
    or domainname like "anikvan.com" or url like "anikvan.com" or siteurl like "anikvan.com"
    or domainname like "altynbe.com" or url like "altynbe.com" or siteurl like "altynbe.com"
    or domainname like "boriz400.com" or url like "boriz400.com" or siteurl like "boriz400.com"
    or domainname like "ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io" or url like "ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io" or siteurl like "ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io"
    or domainname like "uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io" or url like "uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io" or siteurl like "uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io"
    or domainname like "erbolsan.com" or url like "erbolsan.com" or siteurl like "erbolsan.com"
    or domainname like "samderat200.com" or url like "samderat200.com" or siteurl like "samderat200.com"
    or domainname like "dauled.com" or url like "dauled.com" or siteurl like "dauled.com"
    or domainname like "kasymdev.com" or url like "kasymdev.com" or siteurl like "kasymdev.com"
    or domainname like "kasym500.com" or url like "kasym500.com" or siteurl like "kasym500.com"
    or domainname like "avtechupdate.com" or url like "avtechupdate.com" or siteurl like "avtechupdate.com"
    or url like "https://workspacin.cloud/live" or siteurl like "https://workspacin.cloud/live"
    or url like "https://illoskanawer.com/live" or siteurl like "https://illoskanawer.com/live"
    or url like "http://45.129.199.214/vodeo/wg01ck01" or siteurl like "http://45.129.199.214/vodeo/wg01ck01"

    Full URLs are compared only against the url and siteurl fields, since a domainname value never carries a scheme or path. Confirm whether like performs substring matching in your deployment; if it requires explicit wildcards, wrap each value (for example "%workspacin.cloud%") so that sub-domains and URLs containing the domain are also caught. The two cloud-ara.tyk.io entries appear to be hostnames under a shared API-gateway service domain, so match them as full hostnames rather than on the parent domain.

    Detection Query 2 (IP addresses, matched in either direction; covers all 18 addresses listed above):

    dstipaddress IN ("45.135.232.3","94.232.249.108","185.93.221.12","193.168.143.196","162.0.209.121","95.164.68.73","138.124.183.215","91.194.11.183","94.232.249.100","94.131.108.254","45.150.65.85","195.123.225.161","195.211.98.249","195.123.225.251","217.196.98.61","206.206.123.209","45.129.199.214","31.13.248.153")
    or srcipaddress IN ("45.135.232.3","94.232.249.108","185.93.221.12","193.168.143.196","162.0.209.121","95.164.68.73","138.124.183.215","91.194.11.183","94.232.249.100","94.131.108.254","45.150.65.85","195.123.225.161","195.211.98.249","195.123.225.251","217.196.98.61","206.206.123.209","45.129.199.214","31.13.248.153")

    Network indicators age quickly and some of these addresses may sit on shared hosting; treat a hit as a lead for triage rather than an automatic block, and verify current ownership before adding an address to a deny list.

    Detection Query 3 (SHA256):

    sha256hash IN ("37471af00673af4080ee21bd248536147e450d2eff45e8701a95d1163a9d62fe","203eda879dbdb128259cd658b22c9c21c66cbcfa1e2f39879c73b4dafb84c592","411dfb067a984a244ff0c41887d4a09fbbcd8d562550f5d32d58a6a6256bd7b2","1a8ebf914ebea34402eecbf0985f05ae413663708d2fcc842fc27057ac5ec4ed","100e03eb4e9dcdab6e06b2b26f800d47a21d338885f5dc1b42c56a32429c9168","77eede38abdc740f000596e374b6842902653aeafb6c63011388ebb22ec13e28","f4cb6b684ea097f867d406a978b3422bbf2ecfea39236bf3ab99340996b825de","6c3b2490e99cd8397fb79d84a5638c1a0c4edb516a4b0047aa70b5811483db8f","36bc32becf287402bf0e9c918de22d886a74c501a33aa08dcb9be2f222fa6e24","8fb5034aedf41f8c8c4c4022fdde7db3c70a5a7c7b5b4dec7f6a57715c18a5bf")

    Detection Query 4 (MD5):

    md5hash IN ("9eaa8464110883a15115b68ffa1ecf7d","ccb6d3cb020f56758622911ddd2f1fcb","91889658f1c8e1462f06f019b842f109","50abc42faa70062e20cd5e2a2e2b6633","d7bd590b6c660716277383aa23cb0aa9","c8ea31665553cbca19b22863eea6ca2c","4b3e9c9e018659d1cf04daf82abe3b64","ad3c52316e0059c66bc1dd680cf9edad","495363b0262b62dfc38d7bfb7b5541aa","a2b6479a69b51ae555f695b243e4fda1")

    Detection Query 5 (SHA1):

    sha1hash IN ("5348970723b378c7cae35bb03d8736f8e5a9f0ac","97d72c8bbcf367be6bd5e80021e3bd3232ac309a","ba99cd73b74c64d6b1257b7db99814d1dc7d76b1","333e1c5967a9a6c881c9573a3222bed6ada911c6","8dfa63c0bb611e18c8331ed5b89decf433ac394a","2d92890374904b49d3c54314d02b952e1a714e99","4a013f752c2bf84ca37e418175e0d9b6f61f636d","38999890b3a2c743e0abea1122649082a5fa1281","33a6b39fbe8ec45afab14af88fd6fa8e96885bf1","23fff588e3e5cc6678e1f77fab9318d60f3ac55f")

    All hash values in these three queries are lower-case hex. An IN (...) comparison is a literal string match, so if your telemetry stores hashes upper-case (as the last sample in the IOC list was published), either apply the platform's case normalization to the hash field or add the upper-case form of each value; otherwise that sample is missed.
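The five queries above match indicator strings literally. As an added example, not code from the Gurucul advisory or from the DFIR Report, the following Python script applies the same indicator list to constructed log records and shows the normalization a literal match misses: sub-domains of a listed domain, DNS names with a trailing dot, URLs with a port or query string appended, and hashes whose letter case differs from the list. The field names (domainname, url, siteurl, dstipaddress, srcipaddress, md5hash, sha1hash, sha256hash) follow the queries above; the log records and the hash subset are constructed for the example.

```python
"""Match the Lunar Spider indicators above against log records.

Added example, not code from the Gurucul advisory or the DFIR Report. Field
names follow the detection queries above; the records at the bottom are constructed.
"""
from urllib.parse import urlsplit

DOMAINS = {
    "workspacin.cloud", "illoskanawer.com", "grasmetral.com", "jarkaairbo.com",
    "scupolasta.store", "cloudmeri.com", "anikvan.com", "altynbe.com",
    "boriz400.com", "erbolsan.com", "samderat200.com", "dauled.com",
    "kasymdev.com", "kasym500.com", "avtechupdate.com",
    "ridiculous-breakpoint-gw.aws-use1.cloud-ara.tyk.io",
    "uncertain-kitten-gw.aws-euc1.cloud-ara.tyk.io",
}
URLS = {"https://workspacin.cloud/live", "https://illoskanawer.com/live",
        "http://45.129.199.214/vodeo/wg01ck01"}
IPS = {
    "45.135.232.3", "185.93.221.12", "193.168.143.196", "162.0.209.121",
    "95.164.68.73", "138.124.183.215", "91.194.11.183", "94.232.249.100",
    "94.131.108.254", "94.232.249.108", "45.150.65.85", "195.123.225.161",
    "195.211.98.249", "195.123.225.251", "217.196.98.61", "206.206.123.209",
    "45.129.199.214", "31.13.248.153",
}
# A subset of the hashes above (the rest slot in unchanged). The published list
# mixes upper- and lower-case hex, so values are lower-cased here and again at
# lookup time; a literal IN (...) comparison silently misses the other case.
HASHES = {h.lower() for h in (
    "9eaa8464110883a15115b68ffa1ecf7d",
    "37471af00673af4080ee21bd248536147e450d2eff45e8701a95d1163a9d62fe",
    "A2B6479A69B51AE555F695B243E4FDA1",
    "23FFF588E3E5CC6678E1F77FAB9318D60F3AC55F",
    "8FB5034AEDF41F8C8C4C4022FDDE7DB3C70A5A7C7B5B4DEC7F6A57715C18A5BF",
)}


def host_hits(host):
    """Listed IP or domain that `host` equals or is a sub-domain of, else None.
    Normalizes case, a trailing dot (DNS logs) and an appended :port (IPv4 only)."""
    h = host.strip().lower().rstrip(".").split(":")[0]
    if h in IPS:
        return h
    for d in DOMAINS:
        if h == d or h.endswith("." + d):   # "notworkspacin.cloud" must not match
            return d
    return None


def canon_url(url):
    """scheme://host/path with lower-cased scheme and host; port, query and trailing slash dropped."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path.rstrip('/')}"


CANON_URLS = {canon_url(u) for u in URLS}


def url_hits(url):
    """Hits for a URL field: the listed URL itself and/or the host it points at."""
    hits = []
    c = canon_url(url)
    if c in CANON_URLS:
        hits.append(("url", c))
    host = urlsplit(url.strip()).hostname
    if host and (d := host_hits(host)):
        hits.append(("host", d))
    return hits


def check_record(rec):
    """Sorted, de-duplicated [(indicator_type, indicator)] for one record (a dict)."""
    hits = []
    for field in ("domainname", "dstipaddress", "srcipaddress"):
        if rec.get(field) and (d := host_hits(rec[field])):
            hits.append(("host", d))
    for field in ("url", "siteurl"):
        if rec.get(field):
            hits.extend(url_hits(rec[field]))
    for field in ("md5hash", "sha1hash", "sha256hash"):
        v = (rec.get(field) or "").strip().lower()
        if v in HASHES:
            hits.append(("hash", v))
    return sorted(set(hits))


def scan(records):
    """Map record id -> hits, keeping only records that matched something."""
    return {r["id"]: h for r in records if (h := check_record(r))}


# Constructed log records (not real telemetry), one per normalization case.
SAMPLE_LOGS = [
    {"id": "dns-1", "domainname": "cdn.Workspacin.Cloud."},                      # sub-domain, mixed case, trailing dot
    {"id": "proxy-1", "url": "http://45.129.199.214:80/vodeo/wg01ck01/?id=7"},    # listed URL with port and query appended
    {"id": "edr-1", "sha256hash": "8fb5034aedf41f8c8c4c4022fdde7db3c70a5a7c7b5b4dec7f6a57715c18a5bf"},  # lower-case form of an upper-case IOC
    {"id": "fw-1", "srcipaddress": "10.0.0.5", "dstipaddress": "94.232.249.108"},
    {"id": "dns-2", "domainname": "notworkspacin.cloud"},                        # look-alike, must stay clean
]
```

Running scan(SAMPLE_LOGS) flags dns-1, proxy-1, edr-1 and fw-1 and leaves dns-2 clean. The suffix check in host_hits is the part a plain like "workspacin.cloud" does not give you unless the platform wildcards implicitly, and canon_url is why the proxy record still matches the published URL despite the :80 and ?id=7 an operator can freely append.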

    Reference:

    https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/#indicators


    Tags: Malware, Threat Actor, Backdoor, Lunar Spider, Brute Ratel, Latrodectus, Cobalt Strike, BackConnect, Custom .NET, Rclone, Credential Harvesting, Exfiltration
