@darfplatypus This Python dropper is tracked as "CastleLoader"; there are a few actors that are leveraging it.
Also, happy to talk via email or another medium if desired. (My email is Squiblydoo@pm.me)
squiblydoo@infosec.exchange
Posts
-
In reply to: I don't know how to feel about this domain: maybedontbanplease[.]com
@darfplatypus Hello! Thanks for the question. Unfortunately, I didn't see the payload. Do you happen to have it?
-
In reply to: Orange Cyberdefense recently published their research on SmokedHam.
The full report can be found here and is well worth the read. https://research.cert.orangecyberdefense.com/smokedham/smoking_out_an_affiliate.pdf
2/2
-
Orange Cyberdefense recently published their research on SmokedHam. We're glad to see Cert Graveyard and the code-signing certs mentioned.
While CertGraveyard tracks the campaigns, we can't investigate them to their full depth (due to capacity), so this is great to see.
1/2
-
I don't know how to feel about this domain: maybedontbanplease[.]com
What to do? Chat, can you help me out?
(CastleLoader
4ba0d3ae41a0ae3143e8c2c3307c24b0d548593f97c79a30c0387b3d62504c31 signed "SERPENTINE SOLAR LIMITED"
NSIS -> Python execution -> loads remote resource)
-
Golden Eye Dog (APT-Q-27) seems to have come back from break.
We've seen 6 unique EV code-signing certs for campaigns in April already. All of these get reported and all get revoked.
More about them in the thread. h/t @g0njxa, @malwrhunterteam
1/4