Date: 07/30/2025
Severity: Medium
Summary
An emerging threat cluster, tracked as CL-STA-0969, has been targeting telecommunications infrastructure in Southwest Asia. The activity involves compromising interconnected mobile roaming networks, though no data exfiltration or device tracking was confirmed. The threat actors demonstrated strong operational security and used defense evasion tactics to maintain stealth. They deployed specialized tools, such as Cordscan, which indicates an interest in collecting victim location data. This activity is assessed with high confidence to be linked to a nation-state and closely aligns with operations attributed to the adversary known as Liminal Panda.
Indicators of Compromise (IOC) List
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
sha256hash IN ("efa04c33b289e97a84ec6ab1f1b161f900ed3b4521a9a69fb6986bd9991ecfc6","1852473ca6a0b5d945e989fb65fa481452c108b718f0f6fd7e8202e9d183e707","827f41fc1a6f8a4c8a8575b3e2349aeaba0dfc2c9390ef1cceeef1bb85c34161","3c42194d6c18a480d9a7f3f7550f011c69ff276707e2bae5e6143f7943343f74","432125ca41a2c5957013c8bff09c4037ad18addccab872d46230dd662a2b8123","aa661e149f0a6a9a61cadcca47a83893a9e6a5cdb41c3b075175da28e641a80f","bacbe2a793d8ddca0a195b67def527e66d280a13a8d4df90b507546b76e87d29","44e83f84a5d5219e2f7c3cf1e4f02489cae81361227f46946abe4b8d8245b879","b9f67565b56c9464462fa52d937202eef0b5554993c6b2bec8c955db64460cc7","705a035e54ce328227341ff9d55de15f4e16d387829cba26dc948170dac1c70f","e3b06f860b8584d69a713127f7d3a4ee5f545ad72e41ec71f9e8692c3525efa0","188861d7f0861103886543eff63a96c314c8262dbf52c6e0cf9372cf1e889d52","4985de6574ff34009b6c72504af602a21c152ec104b022d6be94e2fec607eb43","0bb3b4d8b72fec995c56a8a0baf55f2a07d2b361ee127c2b9deced24f67426fd","3191e1516f39d72191e6c89460f7273826e12d493577b75b6fdee036c85e5a7e","9e1f5a134d13167a9148f2d5a1e6a96136d22ecdfbc502aa974544e7efe16a22","edb6ab4bba4d474e60ff266af230cb6c438056937b262f86d3779bdc14de72a4","b1e473dd70732ba34b7e985422bfd44f3883379569d89bee523f4263c7070fd9","8e2dd7ed7c7bec7ff6ab69990c3172b1a9c2028f67b02f6f8c5429e968d2f8d2","3e186c24bae58de14b14332a6b14d269b84235a25a892f1327002149f0547739","540f60702ee5019cd2b39b38b07e17da69bde1f9ed3b4543ff26e9da7ba6e0be","cd754125657f1d52c08f9274fda57600e12929847eee3f7bea2e60ca5ba7711d","b9c91face6ddfecc26d444f891c24796dbc953fb33145749f30b17445400c87c")
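As an added example (not part of this advisory or the Gurucul product), the same sha256hash IOC match written as a standalone Python check over constructed JSON telemetry. It adds what the exact-string query above does not: lower-casing and validating the hash field, and skipping malformed records. Two hashes are taken from the advisory's IOC list; the field name sha256hash follows the query, while hostnames, process names and event lines are constructed placeholders.

```python
import json
import re
from typing import Iterable, Optional

# Two of the SHA-256 indicators from the advisory's IOC list; the rest of
# the published list would be loaded into this set the same way.
IOC_HASHES = {
    "bacbe2a793d8ddca0a195b67def527e66d280a13a8d4df90b507546b76e87d29",
    "1852473ca6a0b5d945e989fb65fa481452c108b718f0f6fd7e8202e9d183e707",
}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_sha256(value: str) -> Optional[str]:
    """Lower-case and trim a hash field; None if it is not a 64-hex digest.
    The TDIR query compares exact strings, so upper-case telemetry would
    otherwise be missed."""
    h = value.strip().lower()
    return h if SHA256_RE.match(h) else None


def match_events(lines: Iterable[str], iocs: set) -> list:
    """Equivalent of `sha256hash IN (...)` over JSON event lines, with
    normalisation and tolerance for malformed records."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparseable telemetry instead of aborting the scan
        h = normalize_sha256(str(event.get("sha256hash", "")))
        if h and h in iocs:
            hits.append({**event, "sha256hash": h})
    return hits


# Constructed sample telemetry (hostnames and process names are placeholders):
# an upper-case match, a non-matching hash, a malformed hash, a non-JSON line.
SAMPLE_EVENTS = [
    json.dumps({"host": "node-a", "process": "proc-1",
                "sha256hash": "BACBE2A793D8DDCA0A195B67DEF527E66D280A13A8D4DF90B507546B76E87D29"}),
    json.dumps({"host": "node-b", "process": "proc-2", "sha256hash": "0" * 64}),
    json.dumps({"host": "node-b", "process": "proc-3", "sha256hash": "not-a-hash"}),
    "this line is not json",
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, IOC_HASHES):
        print(f"IOC match on {hit['host']}: {hit['process']} {hit['sha256hash']}")
```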
Reference:
https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/