Rainbow Hyena Strikes Again: New Backdoor and Shift in Tactics

    Date: 07/21/2025

    Severity: High

    Summary

    In late June, a phishing campaign targeted Russian healthcare and IT organizations using compromised email accounts from legitimate sources. The attacks were attributed to the Rainbow Hyena cluster, which deployed a new custom-built backdoor named PhantomRemote. Threat actors impersonated well-known brands to enhance credibility and used techniques like polyglot files to bypass email filters. Traditional malicious document delivery methods are being replaced by alternative formats like LNK files.

    Indicators of Compromise (IOC) List 

    IP Address

    185.225.17.104

    188.127.254.44

    91.239.148.21


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (C2 IP addresses, either direction):

    dstipaddress IN ("185.225.17.104","91.239.148.21","188.127.254.44") or srcipaddress IN ("185.225.17.104","91.239.148.21","188.127.254.44")

    Detection Query 2 (MD5 hashes):

    md5hash IN ("b586cf958334415777719bf512304fbd","75a26a138783032ee18dcfc713b1b34c","b49a7ef89cfb317a540996c3425fcdc2","7e52be17fd33a281c70fec14805113a8","65967d019076e700deb20dcbc989c99c","08a92ba1d1d9e5c498dcaf53af7cd071","be990a49fa1e3789ebc5c55961038029","88453eb954669b5c7ac712ecf1e0179c","698337a1be374f3ebb9556ccdc794389","1dff0bcf719f3509c597a8955e49af38","9f8e2e09e37142a21c16b37ba310e009")

    Detection Query 3 (SHA-1 hashes):

    hash IN ("49a18dc1d8f84394d3373481dbac89d11e373dbd","775b7e726ba6cf6d9a6463a62797c97612018066","851157c01da6e85ffa94ded7f42cab19aa8528d6","2a14a9dd1032479ab5bf8ed945ef9a22ebd4999d","6942e07e7d08781cba571211a08e779838e72e9a","c52d70b92e41db70d4ca342c8dc32eff7883c861","04d364d7cc98379352e89757d62521271cb410cb","d9a4fd39a55cd20d55e00d3cace3f637b8888213","dc149c042747ddf4f58c7ac6bf23e6a02ce1fc77","4ce5e6e0b21323409db8cd8ed2a7ed251656d18a","efe10ad0b49e6889597b5c3254139b92ed72064c")

    Detection Query 4 (SHA-256 hashes):

    sha256hash IN ("01f12bb3f4359fae1138a194237914f4fcdbf9e472804e428a765ad820f399be","4d4304d7ad1a8d0dacb300739d4dcaade299b28f8be3f171628a7358720ca6c5","ed9b24a77a74cd34c96b30f8de794fe85eb1d9f188f516bd7d6020cc81a86728","a9324a1fa529e5c115232cbbc60330d37cef5c20860bafc63b11e14d1e75697c","204544fc8a8cac64bb07825a7bd58c54cb3e605707e2d72206ac23a1657bfe1e","4c78d6bba282aaff0eab749cfa8a28e432f7cbf9c61dec8de8f4800fd27e0314","e3e3f7d9abb9696904684d8e32f36818e1939c8122dcc73299a1b7f6b6b700b2","413c9e2963b8cca256d3960285854614e2f2e78dba023713b3dd67af369d5d08","b683235791e3106971269259026e05fdc2a4008f703ff2a4d32642877e57429a","47262571a87e70238bd6afd376560e9cfdc94bfacae72f36b6aa9fb6e769eb9c","da53c49641b05e00cde09d47260da927ec403f01ac388605b785eac98306f9c2")
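    The four queries above express one check: match connection endpoints and file hashes against the advisory's indicators. The Python below is an added example (not Gurucul's or BI.ZONE's code) that runs the same logic over constructed JSON-lines telemetry; the event field names (host, srcipaddress, dstipaddress, md5hash, sha1hash, sha256hash) are assumptions, hashes are compared case-insensitively, and only a subset of the page's hashes is loaded.

```python
import json

# Network indicators from the advisory (Detection Query 1).
IOC_IPS = {"185.225.17.104", "188.127.254.44", "91.239.148.21"}

# A subset of the advisory's file hashes; hex length identifies the algorithm.
IOC_HASHES = {h.lower() for h in (
    "75a26a138783032ee18dcfc713b1b34c",          # MD5
    "b586cf958334415777719bf512304fbd",          # MD5
    "04d364d7cc98379352e89757d62521271cb410cb",  # SHA-1
    "efe10ad0b49e6889597b5c3254139b92ed72064c",  # SHA-1
    "ed9b24a77a74cd34c96b30f8de794fe85eb1d9f188f516bd7d6020cc81a86728",  # SHA-256
    "da53c49641b05e00cde09d47260da927ec403f01ac388605b785eac98306f9c2",  # SHA-256
)}
HASH_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

# Field names are an assumption about a generic JSON-lines telemetry export.
IP_FIELDS = ("srcipaddress", "dstipaddress")
HASH_FIELDS = ("md5hash", "sha1hash", "sha256hash")


def match_event(event):
    """Return (field, indicator_type, value) tuples for every IOC hit in one event."""
    hits = []
    for field in IP_FIELDS:  # either direction, as in Detection Query 1
        if event.get(field) in IOC_IPS:
            hits.append((field, "ip", event[field]))
    for field in HASH_FIELDS:
        value = str(event.get(field, "")).strip().lower()  # tools differ in hex case
        if value in IOC_HASHES:
            hits.append((field, HASH_ALGO[len(value)], value))
    return hits


def sweep(jsonl_text):
    """Run match_event over JSON-lines telemetry; return only events with hits."""
    alerts = []
    for line in filter(str.strip, jsonl_text.splitlines()):
        event = json.loads(line)
        hits = match_event(event)
        if hits:
            alerts.append({"host": event.get("host"), "hits": hits})
    return alerts


# Constructed sample telemetry: a C2 connection, an upper-case MD5 hit, a benign event.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in (
    {"host": "ws-17", "srcipaddress": "10.0.4.12", "dstipaddress": "185.225.17.104"},
    {"host": "ws-22", "md5hash": "B586CF958334415777719BF512304FBD"},
    {"host": "ws-03", "dstipaddress": "10.0.0.5", "sha256hash": "00" * 32},
))
```

    Calling sweep(SAMPLE_LOG) flags ws-17 on the destination IP and ws-22 on the MD5 hash; the benign ws-03 event produces no alert.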

    Reference:

    https://bi.zone/eng/expertise/blog/rainbow-hyena-snova-atakuet-novyy-bekdor-i-smena-taktik/


    Tags

    Polyglot, Russia, Healthcare and Public Health, Information Technology, LNK, Malware, Threat Actor, Phishing, Rainbow Hyena, Backdoor, PhantomRemote
