ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator

    Date: 02/03/2025

    Severity: High

    Summary

    Since 2022, Google Threat Intelligence Group (GTIG) has tracked multiple cyber espionage operations conducted by China-nexus actors using POISONPLUG.SHADOW. These operations employ a custom obfuscating compiler, referred to as "ScatterBrain," to target entities across Europe and the Asia-Pacific (APAC) region. ScatterBrain appears to be a substantial evolution of ScatterBee, an obfuscating compiler previously analyzed by PwC. GTIG assesses POISONPLUG to be an advanced modular backdoor used by multiple distinct China-based threat groups, with POISONPLUG.SHADOW appearing to be primarily linked to APT41.

    Indicators of Compromise (IOC) List

    Hash (MD5):

    5C62CDF97B2CAA60448619E36A5EB0B6
    0009F4B9972660EEB23FF3A9DCCD8D86
    EB42EF53761B118EFBC75C4D70906FE4
    4BF608E852CB279E61136A895A6912A9
    1F1361A67CE4396C3B9DBC198207EF52
    79313BE39679F84F4FCB151A3394B8B3
    704FB67DFFE4D1DCE8F22E56096893BE

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Hash:

    md5hash IN ("5C62CDF97B2CAA60448619E36A5EB0B6","704FB67DFFE4D1DCE8F22E56096893BE","0009F4B9972660EEB23FF3A9DCCD8D86","EB42EF53761B118EFBC75C4D70906FE4","4BF608E852CB279E61136A895A6912A9","1F1361A67CE4396C3B9DBC198207EF52","79313BE39679F84F4FCB151A3394B8B3")
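    As an added example (not Gurucul's TDIR query and not code from GTIG or the Google blog), the Python below applies the same seven MD5 IOCs to endpoint telemetry offline. It normalizes case and padding before comparing, because sensors differ in how they record hashes and a raw string comparison against the upper-case literals in the query would miss a lower-case value. The NDJSON telemetry lines, host names and file paths are constructed for the example; the `md5hash` field name mirrors the query above and should be renamed to match your own schema.

```python
"""Added example: sweep endpoint telemetry for the POISONPLUG.SHADOW MD5 IOCs
listed on this page, normalizing hash case and shape before comparison.
Not Gurucul's or GTIG's code; the sample telemetry below is constructed."""
import hashlib
import json
import re
from typing import Iterable, Iterator, List, Optional

# The seven MD5 IOCs exactly as published on the page (upper-case hex).
POISONPLUG_SHADOW_MD5 = frozenset({
    "5C62CDF97B2CAA60448619E36A5EB0B6",
    "0009F4B9972660EEB23FF3A9DCCD8D86",
    "EB42EF53761B118EFBC75C4D70906FE4",
    "4BF608E852CB279E61136A895A6912A9",
    "1F1361A67CE4396C3B9DBC198207EF52",
    "79313BE39679F84F4FCB151A3394B8B3",
    "704FB67DFFE4D1DCE8F22E56096893BE",
})

_MD5_RE = re.compile(r"^[0-9A-F]{32}$")


def normalize_md5(value: object) -> Optional[str]:
    """Strip and upper-case a hash field; return None unless it is a 32-hex MD5.

    Sensors differ in case and padding, so 'abc...' must still match 'ABC...'.
    Values that are not an MD5 at all are rejected instead of silently compared."""
    if not isinstance(value, str):
        return None
    v = value.strip().upper()
    return v if _MD5_RE.match(v) else None


def iter_events(ndjson: str) -> Iterator[dict]:
    """Parse newline-delimited JSON telemetry, skipping blank or malformed lines."""
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole sweep


def match_events(events: Iterable[dict],
                 iocs: frozenset = POISONPLUG_SHADOW_MD5) -> List[dict]:
    """Return the events whose md5hash field matches an IOC, case-insensitively.

    The field name 'md5hash' mirrors the TDIR query; rename it for your schema."""
    hits = []
    for ev in events:
        h = normalize_md5(ev.get("md5hash"))
        if h is not None and h in iocs:
            hits.append({**ev, "md5hash": h, "ioc": "POISONPLUG.SHADOW"})
    return hits


def md5_of_bytes(data: bytes) -> str:
    """MD5 of an in-memory blob, in the same upper-case form as the IOC list."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Chunked MD5 of a file on disk, so large binaries are not read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


# Constructed telemetry: the hostnames, paths and the lower-case / padded hash
# encodings are invented to exercise the normalization; only the IOC values
# themselves come from the page. The third hash is MD5 of an empty file.
SAMPLE_TELEMETRY = r"""
{"host": "ws-101", "path": "C:\\Users\\Public\\update.dll", "md5hash": "5c62cdf97b2caa60448619e36a5eb0b6"}
{"host": "ws-102", "path": "C:\\ProgramData\\svc.dat", "md5hash": " 704FB67DFFE4D1DCE8F22E56096893BE "}
{"host": "ws-103", "path": "C:\\Temp\\empty.bin", "md5hash": "d41d8cd98f00b204e9800998ecf8427e"}
{"host": "ws-104", "path": "C:\\Temp\\nohash.exe"}
this line is not JSON and is skipped
"""


if __name__ == "__main__":
    for hit in match_events(iter_events(SAMPLE_TELEMETRY)):
        print(f"{hit['host']}: {hit['path']} matched {hit['ioc']} ({hit['md5hash']})")
```

    Before relying on the TDIR query as written, confirm whether the platform's `IN` comparison on `md5hash` is case-insensitive or normalize the field at ingest; otherwise lower-case hashes from some sensors will not match the upper-case literals. Hash IOCs are also retrospective by nature: a rebuilt or re-obfuscated sample produces a new MD5, so treat a hit as confirmation of a known sample rather than as the only detection for this family.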

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator


    Tags

    Malware, PoisonPlug shadow, Europe, Asia-Pacific, Backdoor, APT41

