Summary: 2025/04/17 10:21
First reported date: 2015/03/18
Inquiry period: 2025/04/16 10:21 ~ 2025/04/17 10:21 (1 day), 1 search result
The trend is unchanged compared with the previous 7-day period.
The Top 5 related keywords that rose compared with the previous 7 days are AsyncRAT, Email, Exploit, Update and Windows.
Malware types RAT, Vawtrak and GameoverP2P are also newly observed.
Attacker MuddyWater is also newly observed.
Attack technique Backdoor is also newly observed.
Country and company keywords Iran and United States are also newly observed.
Other new keywords EDR, ZeroDay, Linux, Cobalt Strike and intelligence are also observed.
Lumma is an information stealer written in C, sold as Malware-as-a-Service by LummaC on Russian-speaking underground forums and Telegram since at least August 2022. Lumma's capabilities are those of a classic stealer, with a focus on cryptocurrency wallets, plus file-grabber capabilities. - malpedia
* Recent news articles, Top 3:
ㆍ 2025/04/16 How Indicators of Compromise, Attack, and Behavior Help Spot and Stop Cyber Threats
For reference, 101 malware types in the same family group are identified, including FormBook, QakBot and RedLine.
Trend graph by period
Related keyword cloud
Rank (Top 100) | Keyword | Count | Change vs. previous 7 days (▲ n = up by n, ▲ new = first appearance, - 0 = unchanged) |
---|---|---|---|
1 | AsyncRAT | 1 | ▲ 1 (100%) |
2 | EDR | 1 | ▲ new |
3 | Backdoor | 1 | ▲ new |
4 | Email | 1 | ▲ 1 (100%) |
5 | RAT | 1 | ▲ new |
6 | Exploit | 1 | ▲ 1 (100%) |
7 | ZeroDay | 1 | ▲ new |
8 | Update | 1 | ▲ 1 (100%) |
9 | Windows | 1 | ▲ 1 (100%) |
10 | Linux | 1 | ▲ new |
11 | Stealer | 1 | - 0 (0%) |
12 | Vawtrak | 1 | ▲ new |
13 | GameoverP2P | 1 | ▲ new |
14 | XWorm | 1 | ▲ 1 (100%) |
15 | Lumma | 1 | - 0 (0%) |
16 | Cobalt Strike | 1 | ▲ new |
17 | Iran | 1 | ▲ new |
18 | powershell | 1 | ▲ 1 (100%) |
19 | Victim | 1 | ▲ 1 (100%) |
20 | c&c | 1 | ▲ 1 (100%) |
21 | IoC | 1 | ▲ 1 (100%) |
22 | United States | 1 | ▲ new |
23 | Campaign | 1 | ▲ 1 (100%) |
24 | Phishing | 1 | ▲ 1 (100%) |
25 | Malware | 1 | ▲ 1 (100%) |
26 | Vulnerability | 1 | ▲ 1 (100%) |
27 | MuddyWater | 1 | ▲ new |
28 | NetWireRC | 1 | ▲ 1 (100%) |
29 | intelligence | 1 | ▲ new |
Special keyword group
Top 5
Malware Type
Malware types currently trending in this period.
Keyword | Average | Label |
---|---|---|
AsyncRAT | | 1 (14.3%) |
RAT | | 1 (14.3%) |
Vawtrak | | 1 (14.3%) |
GameoverP2P | | 1 (14.3%) |
XWorm | | 1 (14.3%) |

Attacker & Actors
Attackers or attack groups currently trending in this period.
Keyword | Average | Label |
---|---|---|
MuddyWater | | 1 (100%) |

Country & Company
Countries or companies currently trending in this period.
Keyword | Average | Label |
---|---|---|
Iran | | 1 (50%) |
United States | | 1 (50%) |
Malware Family
Top 5
A malware family is a group of malware sharing similar attack techniques.
In this trend, families are classified as Ransomware, Stealer, RAT or Backdoor, Loader, Botnet, or Cryptocurrency Miner.
Threat info
Last 5 SNS posts
(Total: 0) No data.
News
(Total: 1) Keywords: AsyncRAT, EDR, Backdoor, Email, RAT, Exploit, ZeroDay, Update, Windows, Linux, Stealer, Vawtrak, GameoverP2P, XWorm, Lumma, Cobalt Strike, Iran, powershell, Attacker, Victim, c&c, IoC, United States, Campaign, Phishing, Malware, Vulnerability, MuddyWater, NetWireRC, intelligence
No | Title | Date |
---|---|---|
1 | How Indicators of Compromise, Attack, and Behavior Help Spot and Stop Cyber Threats - Malware.News | 2025.04.16 |
Additional information
No | Title | Date |
---|---|---|
1 | Hi, robot: Half of all internet traffic now automated - Malware.News | 2025.04.17 |
2 | Zoom Sees Outage With 50,000 Users Reporting Availability Issues - Bloomberg Technology | 2025.04.17 |
3 | Nude photos and names: KU Health and Kansas hospital sued for data breach - Malware.News | 2025.04.17 |
4 | DeepSeek Poses ‘Profound’ Security Threat, US House Panel Claims - Bloomberg Technology | 2025.04.17 |
5 | 6,000 WordPress Sites Affected by Arbitrary File Move Vulnerability in Drag and Drop Multiple File Upload for WooCommerce WordPress Plugin - Malware.News | 2025.04.17 |
No | Title | Date |
---|---|---|
1 | What’s Trending: Top Cyber Attacker Techniques, December 2024–February 2025 - Malware.News | 2025.04.09 |
2 | HELLCAT Ransomware Group Strikes Again: Four New Victims Breached via Jira Credentials from Infostealer Logs - Malware.News | 2025.04.06 |
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | A process attempted to delay the analysis task. |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Attempts to create or modify system certificates |
watch | Attempts to identify installed AV products by installation directory |
watch | Checks for the presence of known devices from debuggers and forensic tools |
watch | Checks for the presence of known windows from debuggers and forensic tools |
watch | Checks the CPU name from registry |
watch | Checks the version of Bios |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Detects the presence of Wine emulator |
watch | Detects VMWare through the in instruction feature |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client softwares |
watch | Installs itself for autorun at Windows startup |
watch | Looks for the Windows Idle Time to determine the uptime |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the processes axplong.exe |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates executable files on the filesystem |
notice | Creates hidden or system file |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Expresses interest in specific running processes |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Repeatedly searches for a not-found process |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Starts servers listening |
notice | Steals private information from local Internet browsers |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Network | ET DNS Query to a *.top domain - Likely Hostile |
Network | ET DROP Spamhaus DROP Listed Traffic Inbound group 33 |
Network | ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity |
Network | ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity |
Network | ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity |
Network | ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity |
Network | ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity |
Network | ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity |
Network | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
Network | ET INFO Dotted Quad Host DLL Request |
Network | ET INFO EXE - Served Attached HTTP |
Network | ET INFO Executable Download from dotted-quad Host |
Network | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
Network | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io) |
Network | ET INFO HTTP Request to a *.top domain |
Network | ET INFO Packed Executable Download |
Network | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in |
Network | ET MALWARE Possible Kelihos.F EXE Download Common Structure |
Network | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 |
Network | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 |
Network | ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 |
Network | ET MALWARE Win32/Stealc Requesting browsers Config from C2 |
Network | ET MALWARE Win32/Stealc Requesting plugins Config from C2 |
Network | ET MALWARE Win32/Stealc Submitting System Information to C2 |
Network | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 |
Network | ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io) |
Network | ET POLICY PE EXE or DLL Windows file download HTTP |
Network | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
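The six ET HUNTING "Possible Infostealer Activity" rules above fire on one GET each. Stealers in the Stealc/Vidar lineage fetch the Mozilla NSS libraries (nss3.dll, mozglue.dll, freebl3.dll, softokn3.dll) together with sqlite3.dll and the VC runtime at run time so they can open Firefox's credential store, so several of these names from one client to one host inside a short window is a much stronger signal than any single request, and a bare-IP download host (the ET INFO dotted-quad rules) strengthens it further. The Python below is an added example written for this report; it is not code from the report, from Emerging Threats or from any vendor. The proxy log format, the client and server addresses, the sample lines and the thresholds are all constructed assumptions.

```python
"""Correlate infostealer support-DLL fetches in an HTTP proxy log.

Added example for this trend report; not code from the report, from ET, or
from any vendor. Log format, addresses and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
from urllib.parse import urlsplit

# Library names the ET HUNTING "Possible Infostealer Activity" rules key on.
STEALER_DLLS = frozenset({
    "freebl3.dll", "mozglue.dll", "nss3.dll",
    "softokn3.dll", "sqlite3.dll", "vcruntime140.dll",
})

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumed proxy log format: "<ISO-8601 timestamp> <client_ip> <method> <url>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|HEAD) (\S+)$")

# Constructed sample: one client pulling the NSS set from a bare IP and then
# POSTing (the check-in pattern), and a benign client fetching two DLLs an
# hour apart from a named CDN host.
SAMPLE_LOG = """\
2025-04-16T10:02:11 10.0.0.5 GET http://203.0.113.7/freebl3.dll
2025-04-16T10:02:12 10.0.0.5 GET http://203.0.113.7/mozglue.dll
2025-04-16T10:02:12 10.0.0.5 GET http://203.0.113.7/nss3.dll
2025-04-16T10:02:13 10.0.0.5 GET http://203.0.113.7/softokn3.dll
2025-04-16T10:02:14 10.0.0.5 POST http://203.0.113.7/
2025-04-16T10:30:00 10.0.0.9 GET http://cdn.example.com/vcruntime140.dll
2025-04-16T11:00:00 10.0.0.9 GET http://cdn.example.com/sqlite3.dll
""".splitlines()


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url}


def dll_name(url):
    """Last path component of url, lower-cased, if it is one of STEALER_DLLS."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    return name if name in STEALER_DLLS else None


def hunt(lines, min_distinct=3, window=timedelta(minutes=5)):
    """One alert per (client, host) that fetched >= min_distinct distinct
    stealer DLLs within `window`. dotted_quad_host mirrors the ET INFO
    dotted-quad rules: a bare IP as the download host raises confidence.
    Thresholds are assumptions; tune them against your own proxy baseline."""
    events = defaultdict(list)          # (client, host) -> [(ts, dll), ...]
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["method"] != "GET":
            continue
        name = dll_name(rec["url"])
        if name is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        events[(rec["client"], host)].append((rec["ts"], name))

    alerts = []
    for (client, host), evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):   # sliding window anchored on each fetch
            names = {n for t, n in evs[i:] if t - t0 <= window}
            if len(names) >= min_distinct:
                alerts.append({"client": client, "host": host,
                               "dlls": sorted(names),
                               "dotted_quad_host": bool(DOTTED_QUAD.match(host))})
                break                        # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

With the defaults the benign client 10.0.0.9 stays quiet (two names, thirty minutes apart) while 10.0.0.5 is reported once with all four NSS names and the dotted-quad flag set. Lowering min_distinct to 1 reproduces the per-request behaviour of the ET rules themselves, which is why those rules sit in the HUNTING category rather than MALWARE.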
No | Category | URL | Country | ASN | Date |
---|---|---|---|---|---|
1 | c2 | https://steamcommunity.com/profiles/76561199822375128 | US | AKAMAI-AS | 2025.03.31 |
2 | c2 | https://lunoxorn.top/gkELsop | US | CLOUDFLARENET | 2025.03.31 |
3 | c2 | http://49.13.143.126/ | DE | Hetzner Online GmbH | 2025.03.31 |
4 | c2 | https://65.21.246.249/ | US | | 2025.03.31 |
5 | c2 | https://zefnecho.cyou/api | | | 2025.02.19 |
No | URL | Tags | Country | ASN | Reporter | Date |
---|---|---|---|---|---|---|
1 | https://www.dropbox.com/scl/fi/xfme3jj5rgt6u5ig7he70/CapCut-Pro.rar?rlkey=ndad0985or8n5rokxmb0pz5k0&... | Lumma, LummaStealer, stealer | US | DROPBOX | iLikeMalware | 2025.04.13 |
2 | https://sites.google.com/view/robloxfree2025/roblox-free-hack | Lumma, LummaStealer, stealer | US | | iLikeMalware | 2025.04.13 |
3 | https://drive.google.com/file/d/11SRBeq-5b2C7gf5Z24SzNiSxCTSHONLJ/view | Lumma, LummaStealer, stealer | US | | iLikeMalware | 2025.04.13 |
4 | https://github.com/Fortnite-Wallhacks-2025/.github/releases/tag/files | Lumma, LummaStealer, stealer | US | MICROSOFT-CORP-MSN-AS-BLOCK | iLikeMalware | 2025.04.13 |
5 | https://app.mediafire.com/nv3tqmek5l0sy | Lumma, LummaStealer, stealer | US | CLOUDFLARENET | iLikeMalware | 2025.04.13 |