This report was processed and collated by the Elemendar CTI team and includes MITRE ATT&CK TTPs and IOCs collated using one of our products, READ., an AI-driven cybersecurity tool.
For further information or a demonstration of our products, please visit our website: elemendar.ai. If you would like a PDF version, please email cti@elemendar.ai. Previous Threat Intelligence Updates can be found HERE.
A glossary for terms used in our reporting is available HERE.
Contents
Russian APT BlueAlpha Exploits Cloudflare Tunneling to Deliver Malware
Threat Actors Exploit Fake Meeting Apps to Steal Cryptocurrency and Sensitive Data from Web3 Professionals
Executive Summary
Newly Identified Malware Steals Credentials for 77 Financial Applications
A Remote Access Trojan (RAT) named DroidBot has been targeting banking and cryptocurrency apps on Android. Despite a basic design, it uses a dual-channel C2 model that combines MQTT and HTTPS. Analysis of its files indicates that DroidBot’s developers intend to expand from Eastern Europe into Latin America.
It is likely that DroidBot will expand into Latin America to test its systems in a region with weaker cyber security and particular exposure to RATs. It is likely that dual-channel communication will become increasingly common in malware as a way to defeat HTTPS-based C2 countermeasures.
Russian APT BlueAlpha Exploits Cloudflare Tunneling to Deliver Malware
Threat Actors Exploit Fake Meeting Apps to Steal Cryptocurrency and Sensitive Data from Web3 Professionals
Newly Identified Malware Steals Credentials for 77 Financial Applications
A new Android Remote Access Trojan (RAT) has been observed stealing credentials from banking apps and cryptocurrency exchanges across Europe. The malware, named “DroidBot”, has so far been identified as stealing credentials from 77 apps, with 776 unique infections in the UK, Italy, France, Spain and Portugal. Initial analysis of DroidBot indicates it is being sold on an unnamed platform as Malware as a Service (MaaS), with 17 threat actors collaborating on it.
Elemendar CTI Analyst comment: CTI research indicates that DroidBot has been available for purchase since June 2024 at a $3000 USD monthly subscription. Files within DroidBot are written in Turkish and are timestamped in Ankara’s time zone. Translated files also indicate that the developers intend an expansion into Latin America (LATAM). LATAM is regularly used as a testing ground for proofs of concept and TTPs because its cyber security measures in multiple industries, including banking and finance, fall below those seen in North America and Europe. Comment Ends
DroidBot combines Virtual Network Computing (VNC) with overlay attack techniques: VNC gives the attacker remote access, while overlays deceive users into unsafe actions. This enables DroidBot to conduct SMS interception, key-logging and screen interaction. DroidBot does not show large-scale technical deviations from other Android RATs. However, DroidBot notably operates a dual-channel communication protocol, utilising Message Queuing Telemetry Transport (MQTT) for outbound communication and HTTPS for inbound communication.
Elemendar CTI Analyst Comment: RAT communication on Android tends to utilise HTTPS for both outbound and inbound communication. HTTPS-based malware communication has spiked since 2020, as the increasing digitisation of workforces created opportunities for threat actors to exploit HTTPS. This in turn has driven the development of countermeasures against HTTPS-communicating malware. MQTT is commonly associated with IoT environments and botnets and is not usually associated with RAT communication. However, over the past 12 months its use has been noted in other banking trojans, including Copybara and BRATA/AMEXTroll. Comment Ends.
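The dual-channel C2 described above is easiest to spot on the wire when the MQTT leg is carried in plaintext on a port where nobody expects it. The Python below is an added example, not code from this report or from the DroidBot analysis it summarises: it parses an MQTT CONNECT packet (fixed header, base-128 remaining-length field, protocol name, connect flags, keep-alive and client identifier) and then scans a set of flow records for CONNECT packets regardless of destination port. The packet bytes and flow records are constructed for the demo. MQTT wrapped in TLS (typically port 8883) is not visible to this parser and would need inspection at a TLS-terminating proxy or on the device itself.

```python
"""Port-independent detection of MQTT CONNECT packets in captured TCP payloads."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CONNECT = 0x1                           # control packet type carried in the high nibble of byte 0
PROTOCOL_NAMES = {b"MQTT", b"MQIsdp"}   # MQTT 3.1.1 / 5.0 and the legacy 3.1 name


@dataclass
class MqttConnect:
    protocol_name: str
    protocol_level: int
    clean_session: bool
    keep_alive: int
    client_id: str


def read_remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the 1-4 byte base-128 'remaining length'; returns (value, next_pos)."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:             # continuation bit clear: this was the last byte
            return value, pos
        multiplier *= 128
    raise ValueError("remaining length longer than 4 bytes")


def read_string(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read an MQTT string: 2-byte big-endian length prefix followed by the bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[pos:pos + 2], "big")
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos:pos + n], pos + n


def parse_connect(payload: bytes) -> Optional[MqttConnect]:
    """Return CONNECT details if the payload begins with a well-formed CONNECT, else None."""
    try:
        # Type must be CONNECT and the four flag bits must be zero (a TLS ClientHello
        # also starts with 0x16, i.e. type 1, but with non-zero flag bits).
        if len(payload) < 2 or (payload[0] >> 4) != CONNECT or (payload[0] & 0x0F) != 0:
            return None
        remaining, pos = read_remaining_length(payload, 1)
        end = pos + remaining
        if end > len(payload):
            return None
        name, pos = read_string(payload, pos)
        if name not in PROTOCOL_NAMES or pos + 4 > end:
            return None
        level, flags = payload[pos], payload[pos + 1]
        keep_alive = int.from_bytes(payload[pos + 2:pos + 4], "big")
        client_id, _ = read_string(payload, pos + 4)
        return MqttConnect(name.decode(), level, bool(flags & 0x02), keep_alive,
                           client_id.decode("utf-8", "replace"))
    except ValueError:
        return None


# Constructed CONNECT packet: MQTT 3.1.1, clean session, keep-alive 60 s, client id "bot-1234".
CONNECT_PACKET = bytes.fromhex("1014" "0004" "4d515454" "04" "02" "003c" "0008" "626f742d31323334")

# Constructed flow records: (src, dst, dst_port, first bytes of the TCP payload).
SAMPLE_FLOWS = [
    ("10.0.0.21", "203.0.113.5", 443, bytes.fromhex("16030100")),         # TLS ClientHello start
    ("10.0.0.21", "203.0.113.5", 1883, CONNECT_PACKET),                    # MQTT on its usual port
    ("10.0.0.33", "198.51.100.9", 8080, CONNECT_PACKET),                   # MQTT hidden on a web port
    ("10.0.0.33", "198.51.100.9", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]


def find_mqtt_flows(flows) -> List[Tuple[str, str, int, str, str]]:
    """Return (src, dst, dport, protocol_name, client_id) for every flow opening with CONNECT."""
    hits = []
    for src, dst, dport, payload in flows:
        conn = parse_connect(payload)
        if conn is not None:
            hits.append((src, dst, dport, conn.protocol_name, conn.client_id))
    return hits


if __name__ == "__main__":
    for hit in find_mqtt_flows(SAMPLE_FLOWS):
        print("MQTT CONNECT seen:", hit)
```

Matching on the packet structure rather than on port 1883 is the point: the second hit in the sample is on port 8080, where a port-based rule would file it as ordinary web traffic.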
Elemendar Intelligence Assessment: DroidBot’s technical specifications, price and known target list suggest it is highly likely designed, at present, to target small to medium-sized financial institutions. Its less advanced technical specifications would likely be detected by the security solutions more commonly seen in larger, risk-aware organisations. DroidBot’s use of dual-channel communication is highly likely an attempt to obfuscate its communications and presence in order to evade less advanced security measures.
The use of MQTT, an uncommon malware communication protocol on Android, is highly likely to increase DroidBot’s attractiveness to threat actors wishing to evade the increasingly successful HTTPS-based countermeasures, as it is likely to have a greater chance of success than similar malware such as njRAT and NanoCore RAT.
It is likely that DroidBot will expand outside of Europe into LATAM and target regional banking and cryptocurrencies in that region. It is likely this move is to test and adapt DroidBot’s features. Its relatively early development and less advanced systems are likely to have a greater chance of success in LATAM.
It is likely that dual channel communication will become an increasingly used TTP for threat actors over the next 12-18 months to mitigate the increasing countermeasures against HTTPS based malware communication. Assessment Ends.
Russian APT BlueAlpha Exploits Cloudflare Tunneling to Deliver Malware
The Russian state-sponsored APT BlueAlpha has been identified using new TTPs to conceal its infrastructure and mask its malware delivery from security measures. The APT uses Cloudflare tunnels to evade detection and conceal its servers’ true location, masking its GammaDrop staging infrastructure from network detection mechanisms. The tunnels can also mask its C2 communications once the malware has been delivered to the target.
Elemendar CTI Analyst Comment: BlueAlpha (aka Gamaredon, Shuckworm, Hive0051 and UNC530) has been operational since 2014. It has operated primarily against Ukrainian targets since the annexation of Crimea and the subsequent conflict following the Russian invasion in 2022. Comment Ends
In addition, BlueAlpha has been seen embedding JavaScript in HTML attachments to emails sent in phishing campaigns, with the GammaDrop malware written within the HTML. Again, this obfuscates BlueAlpha’s activity by enabling the malicious code to evade email security filters.
Elemendar CTI Analyst Comment: GammaDrop is a dropper which, once on a system, writes the GammaLoad malware to the affected device's disk, thereby increasing the likelihood of persistence. GammaLoad is a custom loader used to beacon back to the C2 node, and it can execute additional malware. GammaLoad is notable for its use of VBScript, a scripting language commonly used for automating tasks in Windows; this has previously allowed it to leverage built-in Windows functionality and makes its presence harder for network security to detect. BlueAlpha has used GammaDrop and GammaLoad since 2023 to target Ukrainian organisations. The GammaLoad functions employed by BlueAlpha include credential theft, data exfiltration and maintaining persistent access to targeted networks. Comment ends.
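Because the GammaDrop payload travels inside an HTML attachment, the attachment itself is the first thing a mail gateway can inspect. The scanner below is an added example, not code from this report or from the Recorded Future analysis it references: it pulls the script blocks out of an HTML file and scores them on indicators typical of HTML smuggling (a long base64 literal, atob(), Blob construction, createObjectURL() or msSaveOrOpenBlob, a download file name and an automatic click). The sample attachment is constructed for the demo and its embedded "payload" is thirty 'A' bytes; the indicator names, the 32-character literal threshold and the verdict rule are this example's own choices, not anything the report specifies.

```python
"""Heuristic scan of an HTML e-mail attachment for HTML-smuggling indicators."""
import re
from dataclasses import dataclass, field
from typing import List

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# A long run of base64 alphabet inside a string literal suggests an embedded payload.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{32,}={0,2})['\"]")
DOWNLOAD_NAME = re.compile(r"\.download\s*=\s*['\"]([^'\"]+)['\"]")

# Indicator name -> pattern. Names and thresholds are this example's own choices.
INDICATORS = {
    "decodes_base64": re.compile(r"\batob\s*\(", re.I),
    "builds_blob": re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"\bcreateObjectURL\s*\(", re.I),
    "legacy_save": re.compile(r"\bmsSaveOrOpenBlob\b", re.I),
    "sets_download": re.compile(r"\.download\s*=", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}
ASSEMBLY = {"builds_blob", "object_url", "legacy_save"}   # ways of turning bytes into a file


@dataclass
class ScanResult:
    indicators: List[str] = field(default_factory=list)
    largest_literal: int = 0                 # length of the longest base64 literal found
    download_names: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        """Payload present, a file-assembly call present, and at least three indicators overall."""
        has_payload = self.largest_literal > 0 or "decodes_base64" in self.indicators
        has_assembly = bool(ASSEMBLY & set(self.indicators))
        return has_payload and has_assembly and len(self.indicators) >= 3


def scan_html(doc: str) -> ScanResult:
    """Score every <script> block in the document; markup outside scripts is ignored."""
    result = ScanResult()
    for script in SCRIPT_BLOCK.findall(doc):
        for name, pattern in INDICATORS.items():
            if name not in result.indicators and pattern.search(script):
                result.indicators.append(name)
        for literal in B64_LITERAL.findall(script):
            result.largest_literal = max(result.largest_literal, len(literal))
        result.download_names.extend(DOWNLOAD_NAME.findall(script))
    return result


BENIGN_B64 = "QUFB" * 10   # base64 of thirty 'A' bytes, a harmless stand-in for a payload

# Constructed sample attachment showing the smuggling pattern with the harmless payload above.
SAMPLE_ATTACHMENT = """<html><body><p>Loading document...</p>
<script>
  var raw = atob(\"""" + BENIGN_B64 + """\");
  var blob = new Blob([raw], {type: "application/octet-stream"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "demo.txt";
  a.click();
</script></body></html>"""

# Constructed benign page: a script, but nothing that decodes or assembles a file.
BENIGN_PAGE = """<html><body><div id="status"></div>
<script>document.getElementById("status").textContent = "ready";</script>
</body></html>"""


if __name__ == "__main__":
    for label, doc in (("sample attachment", SAMPLE_ATTACHMENT), ("benign page", BENIGN_PAGE)):
        r = scan_html(doc)
        print(f"{label}: suspicious={r.suspicious} indicators={r.indicators} "
              f"largest_literal={r.largest_literal} names={r.download_names}")
```

The verdict deliberately requires both a payload and an assembly call: a page that merely calls atob() for a legitimate reason, or merely builds a Blob, scores as benign, while the combination that writes decoded bytes to a downloaded file does not.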
Elemendar Intelligence Assessment: It is highly likely that BlueAlpha will continue to utilise legitimate services as part of its attacks. The use of such services is almost certain to make detection harder especially for less advanced security systems.
Using legitimate services to obfuscate malicious activity is likely a response to increased security apparatus and as such it is likely to become a common feature of other Russian sponsored groups in the next 3-6 months.
It is likely that the primary target for BlueAlpha will be Ukrainian organisations; however, there is a realistic possibility that such a TTP will proliferate to other threat actors, causing it to spread geographically. Such TTPs are almost certain to still require user interaction to infect the network. Assessment ends.
Threat Actors Exploit Fake Meeting Apps to Steal Cryptocurrency and Sensitive Data from Web3 Professionals
Threat actors are targeting Web3 users through fake video conferencing platforms, posing as legitimate meeting software, to distribute the Realst information-stealing malware.
Elemendar CTI Analyst comment: Web3 is used by a diverse group including developers, cryptocurrency enthusiasts, investors, artists, gamers, entrepreneurs, privacy advocates, institutions, governments, and general consumers, attracted by its decentralised, user-centric approach to blockchain technology and digital interactions. Dubbed "Meeten" by researchers at Cado Security Labs, this campaign has been active since September 2024, targeting both Windows and macOS users under the guise of fake business meetings. Threat actors are known to frequently rebrand the fake meeting software, previously operating under names such as "Clusee," "Cuesee," "Meetone," and "Meetio." Comment Ends.
Threat actors create realistic websites and social media profiles for fake brands (such as “Meetio”) using AI-generated content to increase credibility. Victims are approached through social engineering tactics, such as phishing or impersonating trusted contacts on platforms like Telegram. After establishing contact, targets are encouraged to download the malicious "meeting app" from these fraudulent sites. Once installed, the malware targets various sensitive data, including:
Cryptocurrency wallets (Ledger, Trezor, Phantom, and Binance)
Browser credentials (autofill data, cookies, and history from Chrome, Opera, Brave, and others)
Banking information
Telegram credentials
macOS Keychain credentials
In addition to the malware, the Meeten websites use JavaScript to steal cryptocurrency stored in browsers, even before the malware is installed.
Fig. 01: One of the websites spreading the Realst stealer (Source: Cado)
On macOS, the malware prompts victims to enter their system password via the 'osascript' tool, granting attackers elevated privileges. Following this, a decoy error message is displayed while data is stealthily exfiltrated in the background.
On Windows, the malware disguises itself as a digitally signed installer, using advanced techniques such as Electron apps and Rust-based binaries to evade detection. It establishes persistence through registry modifications and exfiltrates sensitive information to attacker-controlled domains.
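Two of the behaviours described above leave distinctive endpoint telemetry: the macOS password prompt is an osascript dialog whose answer is masked, and the Windows persistence is a write to the per-user Run key (the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run path listed against T1547.001 in Annex B). The Python below is an added example, not code from this report or from Cado Security Labs: two small rules run over constructed process and registry events. The event field names (host, type, image, cmdline, key, value, data), the rule names and the severity scheme are this example's assumptions and would be mapped from whatever EDR or Sysmon schema is in use.

```python
"""Two endpoint detection rules for the Realst behaviours described above, run over
constructed process and registry events."""
import re
from typing import Callable, Dict, List, Optional

# An osascript dialog that collects a masked answer is how the macOS password prompt is produced.
OSASCRIPT_PROMPT = re.compile(r"display\s+dialog\b.*?\bwith\s+hidden\s+answer", re.I | re.S)

# Autostart keys covered by T1547.001; HKCU is the one quoted in Annex B, HKLM is its
# machine-wide counterpart.
RUN_KEY = re.compile(
    r"^(hkcu|hkey_current_user|hklm|hkey_local_machine)\\software\\(wow6432node\\)?"
    r"microsoft\\windows\\currentversion\\(run|runonce)$", re.I)
# An autostart entry pointing into a user-writable directory is more suspicious than one
# pointing at Program Files.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads)\\", re.I)

Event = Dict[str, str]
Alert = Dict[str, str]


def check_osascript_prompt(ev: Event) -> Optional[Alert]:
    """Process event: osascript invoked with a 'display dialog ... with hidden answer' script."""
    if ev.get("type") != "process":
        return None
    if not ev.get("image", "").lower().endswith("osascript"):
        return None
    if not OSASCRIPT_PROMPT.search(ev.get("cmdline", "")):
        return None
    return {"rule": "osascript_password_prompt", "severity": "high", "host": ev["host"]}


def check_run_key(ev: Event) -> Optional[Alert]:
    """Registry event: a value written under a Run/RunOnce key."""
    if ev.get("type") != "registry" or not RUN_KEY.match(ev.get("key", "")):
        return None
    severity = "high" if USER_WRITABLE.search(ev.get("data", "")) else "medium"
    return {"rule": "run_key_persistence", "severity": severity,
            "host": ev["host"], "value": ev.get("value", "")}


RULES: List[Callable[[Event], Optional[Alert]]] = [check_osascript_prompt, check_run_key]


def evaluate(events: List[Event]) -> List[Alert]:
    """Run every rule over every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed events. The prompt text and the file path are placeholders for this demo.
SAMPLE_EVENTS: List[Event] = [
    {"host": "mac-01", "type": "process", "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display dialog \"Constructed sample prompt\" "
                "default answer \"\" with hidden answer'"},
    {"host": "mac-01", "type": "process", "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'tell application \"Finder\" to activate'"},   # benign automation
    {"host": "win-01", "type": "registry",
     "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "MeetenApp", "data": "C:\\Users\\demo\\AppData\\Roaming\\MeetenApp.exe"},
    {"host": "win-01", "type": "registry",
     "key": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Demo",
     "value": "DisplayName", "data": "Demo Suite"},                          # ordinary installer
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The second osascript event is there on purpose: osascript itself is common on managed Macs, so the rule keys on the masked-answer dialog, not on the binary.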
Elemendar CTI Analyst comment: Key observations include the use of AI-generated content to create convincing websites, enhancing the legitimacy of the campaign. The Realst malware demonstrates sophisticated evolution, building on earlier stealer malware like Atomic macOS Stealer and Rhadamanthys, showcasing continuous innovation. The Meeten campaign is part of a larger trend of using fake meeting platforms to distribute malware. Previous examples include the Markopolo campaign, which deployed stealer malware like Stealc and Rhadamanthys to target cryptocurrency users, and the Meethub.gg campaign, which propagated malware with overlaps to Realst in March 2024. Comment Ends.
Elemendar Intelligence Assessment: The threat actors responsible for this latest campaign leveraged targeted social engineering tactics, such as impersonation via Telegram and other platforms, to gain the trust of their victims and lure them into downloading malicious software. Persuading the user to download the malware bypasses security solutions, which in turn allows the threat actor to evade detection, escalate privileges and exfiltrate data efficiently.
Web3 is utilised by a broad church of users, and this campaign has been constructed to exploit high-value assets and sensitive data, enabling scalable operations. Attacks against Web3 users are significant due to its role in decentralised technologies like blockchain, cryptocurrency and DeFi, which hold substantial financial value. Breaches exploit high-value assets, disrupt global markets and harm investor trust. Web3’s decentralised nature and unique security challenges amplify the impact and are likely to lead to irreparable financial losses. Assessment Ends.
Annex A: References
Newly Identified Malware Steals Credentials for 77 Financial Applications https://www.bleepingcomputer.com/news/security/new-droidbot-android-malware-targets-77-banking-crypto-apps/
Russian APT BlueAlpha Exploits Cloudflare Tunneling to Deliver Malware https://go.recordedfuture.com/hubfs/reports/cta-ru-2024-1205.pdf
Threat Actors Exploit Fake Meeting Apps to Steal Cryptocurrency and Sensitive Data from Web3 Professionals
Annex B: STIX Entities
Newly Identified Malware Steals Credentials for 77 Financial Applications
MITRE ATT&CK TTPs / Attack Procedures
ID | Name | Tactic | Procedure | Description | Logs |
T1564.003 | Hidden Window | Defense Evasion | Detects hidden processes or windows. | Attackers hide processes to execute malicious activity. | Process creation logs, Window management logs. |
T1587.001 | Malware | Resource Development | Monitor malware creation or deployment activity. | Malware is developed or used by attackers for system access. | Malware samples, Threat intelligence feeds. |
T1021.005 | VNC | Lateral Movement | Monitor VNC connections and unusual remote access. | VNC allows lateral movement within the network. | Remote desktop logs, Authentication logs. |
T1056.001 | Keylogging | Credential Access | Detects keylogging tools or suspicious input capture. | Keylogging steals user credentials by capturing keystrokes. | Process logs, Endpoint detection logs. |
T1526 | Cloud Service Discovery | Discovery | Detects cloud API calls and service discovery patterns. | Attackers enumerate cloud resources for exploitation. | Cloud service logs, API logs. |
T1027 | Obfuscated Files or Information | Defense Evasion | Identify and analyze obfuscated files or scripts. | Obfuscation hides malicious files to avoid detection. | Command line logs, Process creation logs. |
T1543.003 | Windows Service | Persistence | Check for unauthorized service creation in Windows. | Attackers create malicious Windows services for persistence. | Event ID: 7045, Service control logs. |
T1056 | Input Capture | Credential Access | Detect unauthorized input capture techniques. | Attackers capture input to steal sensitive information. | Process logs, Endpoint logs. |
T1113 | Screen Capture | Collection | Monitor for screen capture tools or activities. | Screen captures collect sensitive information for exfiltration. | Application logs, Process logs. |
T1027.013 | Encrypted/Encoded File | Defense Evasion | Detect encrypted or encoded files in unusual locations. | Encrypted files are used to evade detection during exfiltration. | File system logs, Endpoint logs. |
T1071.003 | Mail Protocols | Command and Control | Monitor mail protocol traffic for potential C2 activity. | Mail protocols like SMTP may be used for C2 communication. | Email traffic logs, Network logs. |
T1562 | Impair Defenses | Defense Evasion | Check for disabled security mechanisms or misconfigured defenses. | Attackers impair security to bypass detection systems. | Security logs, Event ID: 7036. |
T1008 | Fallback Channels | Command and Control | Detects backup C2 channels during main channel disruption. | Fallback channels ensure continued communication for C2. | Network traffic logs, IDS logs. |
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration | Monitor encrypted traffic for data exfiltration attempts. | Encrypted protocols are used to exfiltrate data covertly. | Network logs, TLS/SSL inspection logs. |
T1132 | Data Encoding | Command and Control | Detects encoded payloads in network traffic. | Encoding obfuscates data to evade detection during transfer. | Network traffic logs, Proxy logs. |
T1573.001 | Symmetric Cryptography | Command and Control | Look for symmetric encryption used for C2 communications. | Symmetric cryptography ensures secure C2 communication. | Network traffic logs, Encrypted session logs. |
T1573 | Encrypted Channel | Command and Control | Monitor encrypted channels for malicious activity. | Encrypted channels ensure that C2 is secured against detection. | Network logs, TLS/SSL inspection logs. |
T1560 | Archive Collected Data | Collection | Detects large archive files being created or exfiltrated. | Archiving data facilitates bulk exfiltration. | File system logs, Archive tool logs. |
T1600.001 | Reduce Key Space | Defense Evasion | Analyze weak encryption by key length reduction. | Reducing key space makes it easier for attackers to break encryption. | Cryptographic configuration logs, Application logs. |
T1584.008 | Network Devices | Resource Development | Monitor for changes in network devices. | Network devices are targeted to expand attacker infrastructure. | Network device logs, Configuration logs. |
T1543.002 | Systemd Service | Persistence | Check for unauthorized systemd service entries. | systemd services can be used to maintain persistence on Linux. | System logs, Service creation logs. |
T1583.004 | Server | Resource Development | Monitor server setup for suspicious activity. | Servers are used for command and control by attackers. | Hosting logs, Threat intelligence feeds. |
T1590.002 | DNS | Reconnaissance | Monitor DNS queries for reconnaissance activity. | DNS queries help attackers map network infrastructure. | DNS logs, Network logs. |
T1590.006 | Network Security Appliances | Reconnaissance | Monitor network device configuration changes. | Attackers gather details about security appliances. | Network device logs, Configuration logs. |
T1583.005 | Botnet | Resource Development | Monitor traffic patterns suggesting botnet recruitment. | Botnets expand an attacker's control for large-scale attacks. | Network traffic logs, IDS logs. |
T1040 | Network Sniffing | Credential Access | Detect unauthorized packet sniffing activities. | Sniffing network traffic captures credentials and sensitive data. | Network traffic logs, IDS/IPS logs. |
T1608 | Stage Capabilities | Resource Development | Monitor for tools or infrastructure used for staging attacks. | Staging capabilities prepare attackers for future operations. | System logs, Tool installation logs. |
T1589.001 | Credentials | Credential Access | Monitor for stolen or compromised credentials in use. | Stolen credentials enable lateral movement and access. | Authentication logs, Access logs. |
Russian APT BlueAlpha Exploits Cloudflare Tunneling to Deliver Malware
MITRE ATT&CK TTPs / Attack Procedures
ID | Name | Tactic | Procedure | Description | Logs |
T1566.001 | Spearphishing Attachment | Initial Access | Malicious email attachments targeted at specific users. | Attackers use spearphishing emails with malicious attachments to gain access. | Email logs, Attachment metadata, Antivirus logs, Email filtering logs. |
T1059.005 | Visual Basic | Execution | Executing Visual Basic scripts via email attachments or macros. | Malicious Visual Basic code is used for executing exploits or payloads. | Process creation logs, Script execution logs. |
T1059.007 | JavaScript | Execution | Malicious JavaScript executed through web or email attachments. | JavaScript-based exploits or payloads are delivered to execute on the victim's machine. | Web traffic logs, Email logs, Script execution logs. |
T1204.002 | Malicious File | Execution | Execution of malicious files via social engineering. | Malicious files are executed, often disguised as legitimate documents or software. | File execution logs, Antivirus logs, Process creation logs. |
T1547.001 | Registry Run Keys / Startup Folder | Persistence | Modifying registry keys or adding files to startup folders. | Malware adds registry keys or files to start automatically on boot. | Registry modification logs, Process creation logs, System startup logs. |
T1027.006 | HTML Smuggling | Defense Evasion | Encapsulating malicious payloads within HTML tags or content. | Attackers use HTML smuggling to hide payloads in web traffic, bypassing security checks. | Web traffic logs, IDS/IPS logs, File system logs. |
T1027.013 | Encrypted/Encoded File | Defense Evasion | Using encryption or encoding to hide malicious files. | Attackers encrypt or encode files to evade detection by security tools. | File system logs, Antivirus logs, Network traffic logs (if file is transmitted). |
T1071.001 | Web Protocols | Command and Control | Use of HTTP/HTTPS for C2 communication. | Command and control communications use web protocols to bypass firewalls or proxies. | Web traffic logs, DNS logs, Proxy logs. |
T1568.001 | Fast Flux DNS | Command and Control | Using fast-flux DNS techniques to dynamically change IP addresses. | Attackers use fast-flux DNS to hide C2 servers and make tracking difficult. | DNS query logs, Network traffic logs, DNS resolution logs. |
T1590.002 | DNS | Reconnaissance | Conducting DNS queries for reconnaissance. | DNS queries are used to gather information about the network or systems. | DNS logs, Network traffic logs, Firewall logs. |
T1566 | Phishing | Initial Access | Sending malicious emails to trick users into providing information or downloading malware. | Phishing emails are crafted to appear legitimate, and users are tricked into revealing credentials or downloading malicious attachments. | Email logs, User login logs, Antivirus logs, Web filtering logs. |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion | Deobfuscating or decoding files and information to reveal malicious code. | Attackers use techniques like base64 encoding to obfuscate the malicious code in files. | Antivirus logs, File system logs, Process logs, Memory analysis. |
T1562 | Impair Defenses | Defense Evasion | Disabling security mechanisms to bypass detection. | Attackers disable security software like antivirus or firewall to avoid detection. | Security tool logs, Event logs, IDS/IPS logs. |
T1569 | System Services | Persistence | Modifying or installing system services to maintain access. | Attackers install system services to maintain persistence across reboots. | Service creation logs, Process creation logs, System logs. |
Threat Actors Exploit Fake Meeting Apps to Steal Cryptocurrency and Sensitive Data from Web3 Professionals
MITRE ATT&CK TTPs / Attack Procedures
ID | Name | Tactic | Procedure | Description | Logs |
T1005 | Data from Local System | Collection | Harvesting Local Files | Collects files and sensitive information from the local file system. | File access logs: Unusual access to sensitive directories or file downloads. |
T1007 | System Service Discovery | Discovery | Enumerating Running Services | Identifies services running on the system for further exploitation. | Service logs: Commands querying running services such as sc query. |
T1016 | System Network Configuration Discovery | Discovery | Identifying Network Configurations | Gathers information about network configurations, interfaces, and routing. | Network logs: Commands querying configurations like ipconfig or ifconfig. |
T1033 | System Owner/User Discovery | Discovery | Identifying System User Information | Retrieves user account information on the system. | System logs: Commands querying user accounts like whoami or id. |
T1041 | Exfiltration Over C2 Channel | Exfiltration | Data Exfiltration via Command and Control | Exfiltrates sensitive data through established C2 channels. | Network logs: Large or continuous data transfers to external IPs/domains. |
T1059.002 | AppleScript | Execution | Using AppleScript for Execution | Executes malicious payloads using macOS AppleScript. | macOS logs: AppleScript execution logs or scripting activity. |
T1070.004 | File Deletion | Defense Evasion | Deleting Files to Remove Evidence | Deletes files to remove traces of malicious activity. | File system logs: Sudden deletion of logs or critical files. |
T1071.001 | Web Protocols | Command and Control | Command and Control Over HTTPS | Uses web protocols like HTTPS for secure communication with C2 servers. | Network logs: Encrypted traffic to known or suspicious C2 endpoints. |
T1074 | Data Staged | Collection | Preparing Data for Exfiltration | Stores collected data in a staging area before exfiltration. | File system logs: Creation of staging directories or unusual compression activity. |
T1082 | System Information Discovery | Discovery | Enumerating System Details | Gathers information about the target system, such as OS version and hardware details. | System logs: Commands querying system information like uname or systeminfo. |
T1114 | Email Collection | Collection | Harvesting Email Data | Accesses email content through compromised accounts or email servers to collect sensitive information. | Email server logs: Unusual access patterns or bulk email export activities. |
T1204 | User Execution | Execution | Execution Triggered by User Action | Relies on user interaction, such as opening malicious attachments or clicking links, to execute malware. | Email and web logs: Monitor user actions leading to execution of suspicious files or links. |
T1217 | Browser Information Discovery | Discovery | Gathering Browser Information | Collects information about browser settings, extensions, and history. | Browser logs: Access to browser configuration or settings files. |
T1497.001 | System Checks | Defense Evasion | Detecting Analysis Environments | Performs checks to determine if the malware is running in a sandbox or virtualized environment. | System logs: Queries for virtualization or debugging indicators. |
T1539 | Steal Web Session Cookie | Credential Access | Stealing Session Cookies | Captures and uses session cookies to hijack user sessions. | Network logs: Look for unauthorized session cookie use or exports. |
T1547.001 | Registry Run Keys / Startup Folder | Persistence | Persistence via Registry Keys | Adds malicious entries to the registry or startup folders to ensure execution on system boot. | Registry logs: Changes to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. |
T1553.001 | Gatekeeper Bypass | Defense Evasion | Bypassing macOS Gatekeeper | Evades security checks on macOS by bypassing Gatekeeper. | macOS security logs: Attempts to disable or bypass Gatekeeper. |
T1553.002 | Code Signing | Defense Evasion | Using or Forging Code Signatures | Signs malicious code to make it appear legitimate or trusted. | File integrity logs: Verification of code signatures for discrepancies. |
T1555.001 | Keychain | Credential Access | Accessing macOS Keychain | Extracts credentials and sensitive information stored in the macOS Keychain. | macOS logs: Unauthorized access or dumps of keychain data. |
T1555.003 | Credentials from Web Browsers | Credential Access | Harvesting Stored Browser Credentials | Extracts credentials and session data stored in web browsers. | Application logs: Access to browser credential storage files. |
T1556.004 | Network Device Authentication | Credential Access | Compromising Network Device Authentication | Exploits network device authentication mechanisms to gain access. | Device logs: Authentication anomalies or failed login attempts. |
T1562.011 | Spoof Security Alerting | Defense Evasion | Generating Fake Security Alerts | Generates or spoofs alerts to mislead defenders and hide activity. | Security tool logs: Unexpected alert configurations or spoofed alert messages. |
T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion | Abusing Installer File Permissions | Exploits weak permissions on installer files to escalate privileges. | File integrity logs: Changes to installer files or permissions. |
T1587.001 | Malware | Resource Development | Developing or Procuring Malware | Creates or acquires malware for use in operations. | Threat intelligence logs: Detection of known malware signatures or variants. |
T1606 | Forge Web Credentials | Credential Access | Generating Fake Web Credentials | Creates forged web credentials for malicious purposes. | Web server logs: Access attempts using fake or invalid credentials. |
T1608 | Stage Capabilities | Resource Development | Staging Malware or Tools | Uploads or prepares tools and payloads on infrastructure for operations. | Network and server logs: Uploads or transfers of suspicious files to staging environments. |
T1657 | Financial Theft | Impact | Stealing Financial Information | Targets financial information, such as bank account details or credit card numbers. | Application and transaction logs: Unusual access or modifications to financial data. |
IOCs
Type | Value |
File Name | CallCSSetup.pkg |
File Name | Meeten.exe |
File Name | UpdateMC.exe |
File Name | MicrosoftRuntimeComponentsX64.exe |
File Name | MeetenApp.exe |
File Name | Package.json |
File Name | index.js |
File Name | Node.js |
Hash | 9b2d4837572fb53663fffece9415ec5a |
Hash | 6a925b71afa41d72e4a7d01034e8501b |
Hash | 209af36bb119a5e070bad479d73498f7 |
Hash | d74a885545ec5c0143a172047094ed59 |
Hash | 09b7650d8b4a6d8c8fbb855d6626e25d |
Domain | clusee[.]com |
Domain | cuesee[.]com |
Domain | meeten[.]gg |
Domain | meeten[.]us |
Domain | meetone[.]gg |
Domain | deliverynetwork[.]observer |
Domain | www[.]meeten[.]us |
Domain | www[.]meetio[.]one |
Domain | www[.]meetone[.]gg |
Domain | www[.]clusee[.]com |
IP Address | 139[.]162[.]179[.]170:8080/new_analytics |
IP Address | 139[.]162[.]179[.]170:8080/opened |
IP Address | 172[.]104[.]133[.]212/opened |
IP Address | 172[.]104[.]133[.]212 |
IP Address | 199[.]247[.]4[.]86 |
IP Address | 139[.]162[.]179[.]170:8080 |
URL | http[:]//172[.]104[.]133[.]212:8880/new_analytics |
URL | http[:]//172[.]104[.]133[.]212:8880/opened |
URL | http[:]//172[.]104[.]133[.]212:8880/metrics |
URL | http[:]//172[.]104[.]133[.]212:8880/sede |
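The IOCs above are defanged for safe handling, so before they can be matched against logs they have to be refanged and normalised. The Python below is an added example, not part of the report: it refangs the domains, IP addresses, URLs and hashes from the table, then matches them against a few constructed DNS, proxy and EDR log lines in a simple key=value layout. Domains match on the exact name or as a parent of the queried name, URLs match exactly, and the host part of any proxied URL is also checked against the IP and domain sets, so the port-and-path variants listed under "IP Address" (for example 139[.]162[.]179[.]170:8080/opened) are covered by the bare address. The log lines, their field names and the client addresses are constructed for this demo.

```python
"""Refang the IOCs from the table above and match them against constructed log lines."""
import re
from typing import Dict, List, Set, Tuple

# Values copied from the IOC table, still in their defanged form.
DEFANGED: Dict[str, List[str]] = {
    "domain": ["clusee[.]com", "cuesee[.]com", "meeten[.]gg", "meeten[.]us", "meetone[.]gg",
               "deliverynetwork[.]observer", "www[.]meeten[.]us", "www[.]meetio[.]one",
               "www[.]meetone[.]gg", "www[.]clusee[.]com"],
    "ip": ["139[.]162[.]179[.]170", "172[.]104[.]133[.]212", "199[.]247[.]4[.]86"],
    "url": ["http[:]//172[.]104[.]133[.]212:8880/new_analytics",
            "http[:]//172[.]104[.]133[.]212:8880/opened",
            "http[:]//172[.]104[.]133[.]212:8880/metrics",
            "http[:]//172[.]104[.]133[.]212:8880/sede"],
    "hash": ["9b2d4837572fb53663fffece9415ec5a", "6a925b71afa41d72e4a7d01034e8501b",
             "209af36bb119a5e070bad479d73498f7", "d74a885545ec5c0143a172047094ed59",
             "09b7650d8b4a6d8c8fbb855d6626e25d"],
}


def refang(value: str) -> str:
    """Undo common defanging ([.] (.) [:] hxxp) and lower-case the result."""
    v = value.strip().lower()
    for old, new in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(old, new)
    return re.sub(r"^hxxp", "http", v)


def build_index(defanged: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Refang every value once, keyed by IOC type, for O(1) lookups."""
    return {kind: {refang(v) for v in values} for kind, values in defanged.items()}


KV = re.compile(r"(\w+)=(\S+)")                 # key=value tokens in a log line
URL_HOST = re.compile(r"^[a-z]+://([^/:?#]+)")  # host part of a URL, without the port


def domain_hit(host: str, domains: Set[str]) -> bool:
    """True on an exact match or when host is a subdomain of a listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def match_line(line: str, index: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (ioc_type, matched_value) pairs for one log line."""
    fields = dict(KV.findall(line))
    hits: List[Tuple[str, str]] = []
    query = fields.get("query", "").lower().rstrip(".")
    if query and domain_hit(query, index["domain"]):
        hits.append(("domain", query))
    url = fields.get("url", "").lower()
    if url:
        if url in index["url"]:
            hits.append(("url", url))
        m = URL_HOST.match(url)
        if m and (m.group(1) in index["ip"] or domain_hit(m.group(1), index["domain"])):
            hits.append(("host", m.group(1)))
    digest = fields.get("hash", "").lower()
    if digest and digest in index["hash"]:
        hits.append(("hash", digest))
    return hits


def scan(lines: List[str], index: Dict[str, Set[str]]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Return (line_number, hits) for every line with at least one IOC hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_line(line, index)
        if hits:
            results.append((number, hits))
    return results


# Constructed log lines in a key=value layout (DNS resolver, web proxy, EDR file event).
SAMPLE_LOG = [
    "2024-12-05T10:01:02Z src=dns client=10.0.0.5 query=www.meeten.us type=A",
    "2024-12-05T10:01:05Z src=dns client=10.0.0.5 query=cdn.clusee.com type=A",
    "2024-12-05T10:02:11Z src=proxy client=10.0.0.5 method=POST url=http://172.104.133.212:8880/opened status=200",
    "2024-12-05T10:02:40Z src=proxy client=10.0.0.9 method=GET url=http://139.162.179.170:8080/new_analytics status=200",
    "2024-12-05T10:03:40Z src=dns client=10.0.0.9 query=www.example.com type=A",
    "2024-12-05T10:05:00Z src=edr host=LAPTOP-01 file=MeetenApp.exe hash=9b2d4837572fb53663fffece9415ec5a",
]
INDEX = build_index(DEFANGED)


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG, INDEX):
        print(f"line {number}: {hits}")
```

Line 2 of the sample shows why the domain check is a suffix match: cdn.clusee.com is not in the table, but anything under clusee.com is the same infrastructure. Line 4 shows the opposite case for URLs, where the exact path is not listed but the bare IP still matches.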
Probability Language
This document uses probability language based on assessment. Further information can be found in the image below:
Feedback
We welcome your feedback; it ensures we meet your needs.
Please contact our CTI Director at: CTI@elemendar.ai
Acknowledgements
Authored by
Paul Montgomery, CTI Director Elemendar
Matt Orwin, CTI Analyst