Date: 05/29/2026
Severity: High
Summary
In late April 2026, we were retained for incident response after a client detected unauthorized cryptocurrency miners on user workstations. Our investigation revealed the malware was delivered through illicit movie and TV streaming platforms using a deceptive video player plugin update. When users tried to stream content, a prompt claimed their plugin was outdated and blocked playback until the malicious update was installed.
Indicators of Compromise (IOC) List
Domains/URLs: urush1bar4.online, 5d14vnfb.space, r7mvjl67.space, zgj1tam9.space, jeaw520i.space, qdmagva5.space, m4yuri.online, kristina.quest
IP Address: 107.172.212.235
Hashes (MD5): 6A0FE6065D76715FEEBC1526D456DB73, 7F624407AE489324E96A708A09C17E6F, 02A43B3423367B9DDDC24CC7DFC070DF
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain/URL match):
domainname like "r7mvjl67.space" or url like "r7mvjl67.space" or siteurl like "r7mvjl67.space" or domainname like "urush1bar4.online" or url like "urush1bar4.online" or siteurl like "urush1bar4.online" or domainname like "5d14vnfb.space" or url like "5d14vnfb.space" or siteurl like "5d14vnfb.space" or domainname like "m4yuri.online" or url like "m4yuri.online" or siteurl like "m4yuri.online" or domainname like "kristina.quest" or url like "kristina.quest" or siteurl like "kristina.quest" or domainname like "qdmagva5.space" or url like "qdmagva5.space" or siteurl like "qdmagva5.space" or domainname like "jeaw520i.space" or url like "jeaw520i.space" or siteurl like "jeaw520i.space" or domainname like "zgj1tam9.space" or url like "zgj1tam9.space" or siteurl like "zgj1tam9.space"

Detection Query 2 (IP match):
dstipaddress IN ("107.172.212.235") or srcipaddress IN ("107.172.212.235")

Detection Query 3 (MD5 hash match):
md5hash IN ("7F624407AE489324E96A708A09C17E6F","6A0FE6065D76715FEEBC1526D456DB73","02A43B3423367B9DDDC24CC7DFC070DF")
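The three queries above can be replayed offline against exported logs when the TDIR platform is not available, for example to sweep historical proxy, DNS, firewall and EDR exports for the same indicators. The script below is an added example, not Gurucul's code and not part of the original advisory: it reproduces the logic of the three queries in Python (treating the query's `like` as a case-insensitive substring match, so a full URL still hits on its domain) and runs it over a handful of constructed sample events. The event records and their field values are made up for illustration; the field names (domainname, url, siteurl, dstipaddress, srcipaddress, md5hash) are the ones used in the queries on this page.

```python
"""Offline IOC sweep mirroring the three Gurucul TDIR detection queries above.

Added example, not Gurucul's code. The event records below are constructed
for illustration; only the IOC values themselves come from the advisory.
"""
from typing import Dict, Iterable, List

# IOCs exactly as listed in the advisory.
IOC_DOMAINS = {
    "urush1bar4.online", "5d14vnfb.space", "r7mvjl67.space", "zgj1tam9.space",
    "jeaw520i.space", "qdmagva5.space", "m4yuri.online", "kristina.quest",
}
IOC_IPS = {"107.172.212.235"}
IOC_MD5 = {
    "6A0FE6065D76715FEEBC1526D456DB73",
    "7F624407AE489324E96A708A09C17E6F",
    "02A43B3423367B9DDDC24CC7DFC070DF",
}


def _like(value: str, needle: str) -> bool:
    """Approximates the query's `like`: case-insensitive substring match, so a
    full URL such as https://r7mvjl67.space/x still hits on the bare domain."""
    return needle.lower() in value.lower()


def match_iocs(event: Dict[str, str]) -> List[str]:
    """Return the labels of the detection queries this event would satisfy."""
    hits: List[str] = []
    # Query 1: any of the three URL/domain fields contains an IOC domain.
    for field in ("domainname", "url", "siteurl"):
        if any(_like(event.get(field, ""), d) for d in IOC_DOMAINS):
            hits.append("query1_domain")
            break
    # Query 2: source or destination IP is the listed IP.
    if event.get("dstipaddress") in IOC_IPS or event.get("srcipaddress") in IOC_IPS:
        hits.append("query2_ip")
    # Query 3: MD5 matches; logs often carry lowercase hex, so normalise case.
    if event.get("md5hash", "").upper() in IOC_MD5:
        hits.append("query3_hash")
    return hits


def sweep(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Run every event through match_iocs; returns {event_id: labels} for hits only."""
    return {e["id"]: hits for e in events if (hits := match_iocs(e))}


# Constructed sample events (not from the incident): a proxy record, a DNS
# record, a firewall record, an EDR file event, and two benign records.
SAMPLE_EVENTS = [
    {"id": "proxy-1", "url": "https://r7mvjl67.space/player_update.exe", "dstipaddress": "203.0.113.10"},
    {"id": "dns-1", "domainname": "kristina.quest"},
    {"id": "fw-1", "srcipaddress": "10.0.0.25", "dstipaddress": "107.172.212.235"},
    {"id": "edr-1", "md5hash": "7f624407ae489324e96a708a09c17e6f"},
    {"id": "proxy-2", "url": "https://example.com/", "dstipaddress": "93.184.216.34"},
    {"id": "dns-2", "domainname": "updates.example.net"},
]

if __name__ == "__main__":
    for event_id, labels in sweep(SAMPLE_EVENTS).items():
        print(f"{event_id}: {', '.join(labels)}")
```

Two points worth keeping in mind when adapting this to real exports: the substring semantics of `like` mean a short indicator can match unrelated hostnames that merely contain it (the domains listed here are distinctive enough that this is unlikely, but check any hit against the full URL), and hash matching only catches the exact samples listed, so a repacked payload from the same campaign will be missed by Query 3 and must be caught by the network indicators.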
Reference:
https://securelist.com/video-books-pirates-miners-rat/119943/