Date: 07/08/2025
Severity: Medium
Summary
An active delivery site was recently identified hosting a weaponized HTA script that silently deploys the infostealer “NordDragonScan” onto victim systems. Once executed, NordDragonScan performs host reconnaissance, exfiltrates documents, harvests entire Chrome and Firefox browser profiles, and captures screenshots. The collected data is transmitted over TLS to its command-and-control server, kpuszkiev.com, which also functions as a heartbeat server to monitor victim activity and issue further data collection requests when necessary.
Indicators of Compromise (IOC) List
URL/Domain:
secfileshare.com
kpuszkiev.com
Hash (SHA-256):
2102c2178000f8c63d01fd9199400885d1449501337c4f9f51b7e444aa6fbf50
e07b33b5560bbef2e4ae055a062fdf5b6a7e5b097283a77a0ec87edb7a354725
3f3e367d673cac778f3f562d0792e4829a919766460ae948ab2594d922a0edae
f8403e30dd495561dc0674a3b1aedaea5d6839808428069d98e30e19bd6dc045
fbffe681c61f9bba4c7abcb6e8fe09ef4d28166a10bfeb73281f874d84f69b3d
39c68962a6b0963b56085a0f1a2af25c7974a167b650cf99eb1acd433ecb772b
9d1f587b1bd2cce1a14a1423a77eb746d126e1982a0a794f6b870a2d7178bd2c
7b2b757e09fa36f817568787f9eae8ca732dd372853bf13ea50649dbb62f0c5b
f4f6beea11f21a053d27d719dab711a482ba0e2e42d160cefdbdad7a958b93d0
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (SHA-256 file hash match):
sha256hash IN ("e07b33b5560bbef2e4ae055a062fdf5b6a7e5b097283a77a0ec87edb7a354725","3f3e367d673cac778f3f562d0792e4829a919766460ae948ab2594d922a0edae","39c68962a6b0963b56085a0f1a2af25c7974a167b650cf99eb1acd433ecb772b","7b2b757e09fa36f817568787f9eae8ca732dd372853bf13ea50649dbb62f0c5b","f4f6beea11f21a053d27d719dab711a482ba0e2e42d160cefdbdad7a958b93d0","9d1f587b1bd2cce1a14a1423a77eb746d126e1982a0a794f6b870a2d7178bd2c","2102c2178000f8c63d01fd9199400885d1449501337c4f9f51b7e444aa6fbf50","f8403e30dd495561dc0674a3b1aedaea5d6839808428069d98e30e19bd6dc045","fbffe681c61f9bba4c7abcb6e8fe09ef4d28166a10bfeb73281f874d84f69b3d")
Detection Query 2 (delivery and C2 domain match across domain and URL fields):
domainname like "kpuszkiev.com" or siteurl like "kpuszkiev.com" or url like "kpuszkiev.com" or domainname like "secfileshare.com" or siteurl like "secfileshare.com" or url like "secfileshare.com"
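The two queries above express the sweep as platform-specific search syntax. The following is an added, stand-alone Python example (not Gurucul's TDIR code and not from the Fortinet write-up) that runs the same hash and domain IOC logic over a handful of constructed telemetry records. It goes slightly beyond the page's queries on one point a practitioner usually wants: where a platform's `like` performs substring matching, a pattern such as "kpuszkiev.com" will also hit unrelated hosts that merely contain that string, so the example extracts the hostname from URL fields and matches only the exact IOC domain or a subdomain of it, with case normalised on both hashes and hosts. The event field names (sha256hash, domainname, siteurl, url) mirror the queries; the sample events themselves are constructed for the demonstration and are not observed data.

```python
"""IOC sweep for the NordDragonScan indicators over constructed sample events.

Added example for this advisory; the event records below are constructed,
not real telemetry. Field names follow the TDIR queries on the page.
"""
from urllib.parse import urlsplit

# Delivery site and C2/heartbeat domain from the IOC list.
IOC_DOMAINS = {"secfileshare.com", "kpuszkiev.com"}

# SHA-256 hashes from the IOC list, lower-cased for comparison.
IOC_SHA256 = {
    "2102c2178000f8c63d01fd9199400885d1449501337c4f9f51b7e444aa6fbf50",
    "e07b33b5560bbef2e4ae055a062fdf5b6a7e5b097283a77a0ec87edb7a354725",
    "3f3e367d673cac778f3f562d0792e4829a919766460ae948ab2594d922a0edae",
    "f8403e30dd495561dc0674a3b1aedaea5d6839808428069d98e30e19bd6dc045",
    "fbffe681c61f9bba4c7abcb6e8fe09ef4d28166a10bfeb73281f874d84f69b3d",
    "39c68962a6b0963b56085a0f1a2af25c7974a167b650cf99eb1acd433ecb772b",
    "9d1f587b1bd2cce1a14a1423a77eb746d126e1982a0a794f6b870a2d7178bd2c",
    "7b2b757e09fa36f817568787f9eae8ca732dd372853bf13ea50649dbb62f0c5b",
    "f4f6beea11f21a053d27d719dab711a482ba0e2e42d160cefdbdad7a958b93d0",
}


def host_matches(host, ioc_domains=IOC_DOMAINS):
    """True if host is an IOC domain or a subdomain of one.

    'cdn.kpuszkiev.com' matches; 'notkpuszkiev.com' does not, which is the
    difference between a substring 'like' and a real domain comparison.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def host_from_url(value):
    """Extract the hostname from a URL; tolerates bare 'host:port' strings."""
    parts = urlsplit(value if "://" in value else "//" + value)
    return (parts.hostname or "").lower()


def match_event(event):
    """Return a list of (field, indicator) hits for one event dict."""
    hits = []
    sha = event.get("sha256hash", "").lower()
    if sha in IOC_SHA256:
        hits.append(("sha256hash", sha))
    for field in ("domainname", "siteurl", "url"):
        value = event.get(field)
        if not value:
            continue
        host = value.lower().rstrip(".") if field == "domainname" else host_from_url(value)
        if host_matches(host):
            hits.append((field, host))
    return hits


def sweep(events):
    """Run match_event over a sequence of events; return [(event id, hits)] for hits only."""
    results = []
    for event in events:
        hits = match_event(event)
        if hits:
            results.append((event["id"], hits))
    return results


# Constructed sample events (hypothetical; not observed telemetry).
SAMPLE_EVENTS = [
    # EDR file event whose hash (upper-cased to exercise normalisation) is an IOC.
    {"id": "evt-1", "sha256hash": "2102C2178000F8C63D01FD9199400885D1449501337C4F9F51B7E444AA6FBF50"},
    # DNS event: trailing dot as seen in some resolver logs.
    {"id": "evt-2", "domainname": "kpuszkiev.com."},
    # Proxy event: delivery site URL with port and path (the HTA filename is a placeholder).
    {"id": "evt-3", "url": "https://secfileshare.com:443/downloads/update.hta"},
    # Benign traffic: must not match.
    {"id": "evt-4", "siteurl": "https://example.com/login"},
    # Look-alike host that a substring 'like' would wrongly flag.
    {"id": "evt-5", "domainname": "notkpuszkiev.com"},
    # Subdomain of an IOC domain: should match.
    {"id": "evt-6", "siteurl": "http://files.secfileshare.com/"},
    # Non-IOC hash: must not match.
    {"id": "evt-7", "sha256hash": "0" * 64},
]

if __name__ == "__main__":
    for event_id, hits in sweep(SAMPLE_EVENTS):
        print(event_id, hits)
```

When porting this back into a query platform, check whether its `like` operator is a substring match, an anchored pattern match, or an exact comparison, and prefer an exact domain field or an explicit suffix pattern over an unanchored one so that look-alike hosts do not inflate the result set.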
Reference:
https://www.fortinet.com/blog/threat-research/norddragonscan-quiet-data-harvester-on-windows