MadMxShell Deployed via Trojanized Installer for GlobalProtect

    Date: 05/08/2025

    Severity: Critical

    Summary

    We have analyzed multiple recent incidents in which threat actors abused Microsoft Teams to reach their victims. Posing as the organization's Help Desk, the attackers open a conversation through Teams messages sent from external Microsoft 365 tenants and then persuade the user to run a Trojanized copy of the GlobalProtect installer, which deploys the MadMxShell backdoor. GlobalProtect is Palo Alto Networks' VPN and remote-access client, so a "VPN update from the help desk" is a plausible pretext for users who already run it.

    Indicators of Compromise (IOC) List 

    Domains / URLs (the *.onmicrosoft.com entries are Microsoft 365 tenant default domains, consistent with the external Teams senders described above):

    cristox.cl

    deuscapacitaciones.cl

    parusiafm.cl

    pathernostrum.org

    sancupertino.cl

    helpdesklocal.onmicrosoft.com

    ithelpdepartment.onmicrosoft.com

    pathernostrum.onmicrosoft.com

    vaihonet.com

    dnscomp.com

    leafinet.com

    netsapi.com

    nodicomtel.com

    okoqi.com

    webtpd.com

    zehful.com

    live-up.co

    vpn-pa.com

    vpnpalo.com

    helpdesk-rating.com

    vpn.fastcall.cc

    IP Addresses:

    164.92.67.56

    45.61.136.238

    45.61.136.214

    107.170.37.233

    161.35.151.75

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs (one clause group per indicator; the two entries that originally lacked a siteurl term now carry it so every indicator is checked in the same three fields):

    domainname like "cristox.cl" or url like "cristox.cl" or siteurl like "cristox.cl" or
    domainname like "deuscapacitaciones.cl" or url like "deuscapacitaciones.cl" or siteurl like "deuscapacitaciones.cl" or
    domainname like "parusiafm.cl" or url like "parusiafm.cl" or siteurl like "parusiafm.cl" or
    domainname like "pathernostrum.org" or url like "pathernostrum.org" or siteurl like "pathernostrum.org" or
    domainname like "sancupertino.cl" or url like "sancupertino.cl" or siteurl like "sancupertino.cl" or
    domainname like "helpdesklocal.onmicrosoft.com" or url like "helpdesklocal.onmicrosoft.com" or siteurl like "helpdesklocal.onmicrosoft.com" or
    domainname like "ithelpdepartment.onmicrosoft.com" or url like "ithelpdepartment.onmicrosoft.com" or siteurl like "ithelpdepartment.onmicrosoft.com" or
    domainname like "pathernostrum.onmicrosoft.com" or url like "pathernostrum.onmicrosoft.com" or siteurl like "pathernostrum.onmicrosoft.com" or
    domainname like "vaihonet.com" or url like "vaihonet.com" or siteurl like "vaihonet.com" or
    domainname like "dnscomp.com" or url like "dnscomp.com" or siteurl like "dnscomp.com" or
    domainname like "leafinet.com" or url like "leafinet.com" or siteurl like "leafinet.com" or
    domainname like "netsapi.com" or url like "netsapi.com" or siteurl like "netsapi.com" or
    domainname like "nodicomtel.com" or url like "nodicomtel.com" or siteurl like "nodicomtel.com" or
    domainname like "okoqi.com" or url like "okoqi.com" or siteurl like "okoqi.com" or
    domainname like "webtpd.com" or url like "webtpd.com" or siteurl like "webtpd.com" or
    domainname like "zehful.com" or url like "zehful.com" or siteurl like "zehful.com" or
    domainname like "live-up.co" or url like "live-up.co" or siteurl like "live-up.co" or
    domainname like "vpn-pa.com" or url like "vpn-pa.com" or siteurl like "vpn-pa.com" or
    domainname like "vpnpalo.com" or url like "vpnpalo.com" or siteurl like "vpnpalo.com" or
    domainname like "helpdesk-rating.com" or url like "helpdesk-rating.com" or siteurl like "helpdesk-rating.com" or
    domainname like "vpn.fastcall.cc" or url like "vpn.fastcall.cc" or siteurl like "vpn.fastcall.cc"

    Note: where like is evaluated as an unanchored substring match, "vpnpalo.com" also matches lookalike hostnames such as vpnpalo.com.example.net, so triage hits on the parsed hostname rather than the raw string. Indicator lists of this kind go stale as the actor rotates infrastructure; check the Unit 42 list in the reference below for updates before tuning.

    IP Addresses (exact match on either endpoint; pair IP-only hits with a domain hit or a tight time window, since hosting addresses are reassigned quickly):

    dstipaddress IN ("45.61.136.214","164.92.67.56","45.61.136.238","107.170.37.233","161.35.151.75") or srcipaddress IN ("45.61.136.214","164.92.67.56","45.61.136.238","107.170.37.233","161.35.151.75")
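    The two queries above express the same matching logic in Gurucul's query language. The script below is an added example, not Gurucul's or Unit 42's code: it applies the advisory's domain and IP indicators to a handful of constructed sample events whose field names mirror the query (domainname, url, siteurl, dstipaddress, srcipaddress), parses the hostname out of URLs, matches a listed domain exactly or as a parent of the observed host, and shows why a bare substring match produces a false positive on a lookalike hostname. The sample events and the example.net / example.com hosts are constructed; only the indicators come from the page.

```python
"""Added example (not Gurucul's or Unit 42's code): apply the advisory's domain
and IP indicators to constructed sample events whose field names mirror the
Gurucul query (domainname, url, siteurl, dstipaddress, srcipaddress)."""
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the IOC list above.
IOC_DOMAINS = {
    "cristox.cl", "deuscapacitaciones.cl", "parusiafm.cl", "pathernostrum.org",
    "sancupertino.cl", "helpdesklocal.onmicrosoft.com",
    "ithelpdepartment.onmicrosoft.com", "pathernostrum.onmicrosoft.com",
    "vaihonet.com", "dnscomp.com", "leafinet.com", "netsapi.com",
    "nodicomtel.com", "okoqi.com", "webtpd.com", "zehful.com", "live-up.co",
    "vpn-pa.com", "vpnpalo.com", "helpdesk-rating.com", "vpn.fastcall.cc",
}
IOC_IPS = {"164.92.67.56", "45.61.136.238", "45.61.136.214",
           "107.170.37.233", "161.35.151.75"}

def hostname_of(value):
    """Lower-cased hostname of a URL or bare domain; None if the field is absent."""
    if not value:
        return None
    value = value.strip()
    # urlsplit only parses a netloc when the string starts with a scheme or '//'.
    return urlsplit(value if "://" in value else "//" + value).hostname

def domain_match(host):
    """Return the listed indicator that equals host or is a parent domain of it.

    'portal.vpn-pa.com' -> 'vpn-pa.com'; 'vpnpalo.com.example.net' -> None.
    The apex of a listed host (fastcall.cc for vpn.fastcall.cc) is not listed
    on the page and therefore does not match.
    """
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in IOC_DOMAINS:
            return ".".join(labels[i:])
    return None

def like_substring_match(value):
    """What an unanchored 'like' clause does: match the indicator anywhere.

    Kept only to demonstrate the lookalike false positive; scan_event does not use it.
    """
    value = (value or "").lower()
    for ioc in sorted(IOC_DOMAINS):
        if ioc in value:
            return ioc
    return None

def ip_match(value):
    """Exact match against the IP indicators after normalising the address."""
    try:
        ip = ipaddress.ip_address((value or "").strip())
    except ValueError:
        return None
    return str(ip) if str(ip) in IOC_IPS else None

def scan_event(event):
    """List of (field, indicator) hits for one event, in field order."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        ioc = domain_match(hostname_of(event.get(field)))
        if ioc:
            hits.append((field, ioc))
    for field in ("dstipaddress", "srcipaddress"):
        ioc = ip_match(event.get(field))
        if ioc:
            hits.append((field, ioc))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://vpnpalo.com/GlobalProtect64.msi",
     "dstipaddress": "45.61.136.214"},
    {"id": 2, "domainname": "portal.vpn-pa.com"},
    {"id": 3, "url": "https://vpnpalo.com.example.net/login"},  # lookalike host
    {"id": 4, "siteurl": "https://helpdesklocal.onmicrosoft.com/",
     "srcipaddress": "10.0.0.5"},
    {"id": 5, "domainname": "intranet.example.com",
     "dstipaddress": "161.35.151.75"},
    {"id": 6, "domainname": "fastcall.cc"},  # apex of a listed host, not listed itself
]

def scan(events):
    """Return [(event id, hits)] for every event with at least one hit."""
    results = []
    for event in events:
        hits = scan_event(event)
        if hits:
            results.append((event["id"], hits))
    return results

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(event_id, hits)
```

    Event 3 is the case the note above warns about: like_substring_match flags it on "vpnpalo.com", while the hostname-aware check does not, and event 6 shows that the page lists vpn.fastcall.cc as a host, not fastcall.cc as an apex, so a stricter rule will not fire on the apex unless you add it deliberately.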

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-05-07-IOCs-from-Teams-phishing-for-MadMxShell.txt


    Tags: Threat Actor, MADMXSHELL, Exploit, Microsoft, Microsoft Teams, Palo Alto Networks, GlobalProtect
