THE "GHOST IN THE IT" CAMPAIGN: SIGNED RMM & WORD-MASHUP DOMAIN

    Date: 03/26/2026

    Severity: Medium

    Summary

    A stealthy malware campaign is abusing digitally signed remote monitoring and management (RMM) tools to gain persistent access and evade detection. The attack leverages legitimate file-hosting updater mechanisms to execute cloud-syncing processes, so its traffic blends in with ordinary sync activity and can carry exfiltrated data. It also uses word-mashup domains (unrelated English words concatenated into a single .top or .shop hostname, as in the IOC list below) to slip past basic filtering and appear benign. Active since mid-2024 with a surge in 2025, the campaign involves hundreds of samples and infrastructure nodes, indicating a large-scale, covert operation focused on persistence and evasion.

    Indicators of Compromise (IOC) List

    Domains/URLs

    strongfitdealsforman.top

    greenlandsforcowfoods.top

    mensshoppinguputfitsdeals.shop

    glutebikes.top

    snakeintheeagleshadow.top

    Hashes (SHA-256)

    0e3689992d777f511103e9692ae294ac6a06eabcd9e93296b93307a153b5f734

    5d735a005e96b32029101eb00b88ebae6e837a8573a6218ef1417836033ec5a9

    0546656a1c33d0a625af88b81956e5221890bc15dd1afe0f70be169134f7ba04

    eb6d0b0cdf97f4e932548f19ae10ce7a2f59007686972a2456d8bbe08115411f

    a851240b0283561d207ba2721c20c1fd78deefd2fd8d0ee03088a97f5e439c9d

    17465b9af3af8fadb441ff59ba703de3e5d5574a633d822b727c8fe3bfbb3efa

    1de17aa9b846203402adb255444976558feb4330b0122cac254a729b328021a7

    28b233759ef83f7841eb8916767539b5c166e1f65c31bc39152791736a07143f

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "mensshoppinguputfitsdeals.shop" or siteurl like "mensshoppinguputfitsdeals.shop" or url like "mensshoppinguputfitsdeals.shop" or domainname like "strongfitdealsforman.top" or siteurl like "strongfitdealsforman.top" or url like "strongfitdealsforman.top" or domainname like "snakeintheeagleshadow.top" or siteurl like "snakeintheeagleshadow.top" or url like "snakeintheeagleshadow.top" or domainname like "glutebikes.top" or siteurl like "glutebikes.top" or url like "glutebikes.top" or domainname like "greenlandsforcowfoods.top" or siteurl like "greenlandsforcowfoods.top" or url like "greenlandsforcowfoods.top"

    Detection Query 2 :

    sha256hash IN ("5d735a005e96b32029101eb00b88ebae6e837a8573a6218ef1417836033ec5a9","28b233759ef83f7841eb8916767539b5c166e1f65c31bc39152791736a07143f","0546656a1c33d0a625af88b81956e5221890bc15dd1afe0f70be169134f7ba04","17465b9af3af8fadb441ff59ba703de3e5d5574a633d822b727c8fe3bfbb3efa","eb6d0b0cdf97f4e932548f19ae10ce7a2f59007686972a2456d8bbe08115411f","a851240b0283561d207ba2721c20c1fd78deefd2fd8d0ee03088a97f5e439c9d","0e3689992d777f511103e9692ae294ac6a06eabcd9e93296b93307a153b5f734","1de17aa9b846203402adb255444976558feb4330b0122cac254a729b328021a7")
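    The two queries above are written for the Gurucul TDIR query language. For teams that need the same IOC check in another pipeline, the following is an added example (not Gurucul's or Unit 42's code) that matches the page's domain and hash IOCs against constructed log records. It covers the cases a bare equality or substring test over raw fields tends to miss: a listed domain buried inside a full URL, a subdomain of a listed domain, mixed-case or trailing-dot hostnames, and upper-case hash strings. It also refuses to match hostnames that merely contain a listed domain as a substring (for example "notglutebikes.top"). The field names domainname, siteurl, url and sha256hash are taken from the queries above; the sample records are constructed for the example, not real telemetry.

```python
"""Added example: match the page's IOCs against constructed log records.

Not Gurucul's or Unit 42's code; field names mirror the detection queries
on the page, and SAMPLE_RECORDS is invented test data.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Domain IOCs copied from the list above.
IOC_DOMAINS = {
    "strongfitdealsforman.top",
    "greenlandsforcowfoods.top",
    "mensshoppinguputfitsdeals.shop",
    "glutebikes.top",
    "snakeintheeagleshadow.top",
}

# SHA-256 IOCs copied from the list above (stored lower-case for comparison).
IOC_SHA256 = {
    "0e3689992d777f511103e9692ae294ac6a06eabcd9e93296b93307a153b5f734",
    "5d735a005e96b32029101eb00b88ebae6e837a8573a6218ef1417836033ec5a9",
    "0546656a1c33d0a625af88b81956e5221890bc15dd1afe0f70be169134f7ba04",
    "eb6d0b0cdf97f4e932548f19ae10ce7a2f59007686972a2456d8bbe08115411f",
    "a851240b0283561d207ba2721c20c1fd78deefd2fd8d0ee03088a97f5e439c9d",
    "17465b9af3af8fadb441ff59ba703de3e5d5574a633d822b727c8fe3bfbb3efa",
    "1de17aa9b846203402adb255444976558feb4330b0122cac254a729b328021a7",
    "28b233759ef83f7841eb8916767539b5c166e1f65c31bc39152791736a07143f",
}

DOMAIN_FIELDS = ("domainname", "siteurl", "url")


def host_from(value: str) -> str:
    """Return the lower-case hostname from a URL or bare hostname ('' if none)."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value          # let urlsplit treat a bare host as the netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".")           # normalise a trailing dot (FQDN form)


def domain_hit(value: str) -> Optional[str]:
    """Return the IOC domain if value is that domain or a subdomain of it.

    Walks the label suffixes so "cdn.glutebikes.top" matches "glutebikes.top"
    while "notglutebikes.top" (substring only) does not.
    """
    labels = host_from(value).split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        suffix = ".".join(labels[i:])
        if suffix in IOC_DOMAINS:
            return suffix
    return None


def hash_hit(value: str) -> Optional[str]:
    """Return the matching IOC hash, comparing case-insensitively."""
    h = value.strip().lower()
    return h if h in IOC_SHA256 else None


def scan(records: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (record_index, ioc_type, ioc) for every IOC match in records."""
    hits = []
    for idx, rec in enumerate(records):
        for field in DOMAIN_FIELDS:
            hit = domain_hit(rec.get(field, ""))
            if hit:
                hits.append((idx, "domain", hit))
                break                  # one domain hit per record is enough
        hit = hash_hit(rec.get("sha256hash", ""))
        if hit:
            hits.append((idx, "sha256", hit))
    return hits


# Constructed sample records (not real telemetry) exercising each edge case.
SAMPLE_RECORDS = [
    {"url": "https://cdn.glutebikes.top/update/check?v=3"},   # subdomain inside a URL
    {"domainname": "GLUTEBIKES.TOP."},                         # mixed case, trailing dot
    {"domainname": "notglutebikes.top"},                       # substring only: no match
    {"sha256hash": "0E3689992D777F511103E9692AE294AC6A06EABCD9E93296B93307A153B5F734"},
    {"url": "https://example.com/"},                           # benign
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit)
```

    Running the block prints three hits: records 0 and 1 on glutebikes.top and record 3 on the first hash; records 2 and 4 do not match. Whichever query language you use in production, check that its string matching gives the same results for these five records before trusting it with the IOC list.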

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-03-19-THE-GHOST-IN-CAMPAIGN.txt


    Tags

    Malware

    Stealer

    Remote monitoring and management (RMM)

    Exfiltration
