{ "Event": { "analysis": "1", "date": "2026-04-27", "extends_uuid": "", "info": "[Threat Intel] Analysis of Attack Activities Using SSH+TOR Tunnels to Achieve Covert Persistence", "protected": false, "publish_timestamp": "1779545871", "published": true, "threat_level_id": "2", "timestamp": "1779545871", "uuid": "19eb9d1a-b193-4c8c-bd9f-d6f1e045e52c", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#705cef", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"", "relationship_type": "" }, { "colour": "#7da4ad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"", "relationship_type": "" }, { "colour": "#47d9d3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"", "relationship_type": "" }, { "colour": "#2c1d2e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"", "relationship_type": "" }, { "colour": "#aad818", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"SSH - T1021.004\"", "relationship_type": "" }, { "colour": "#5539fe", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#041edc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"", "relationship_type": "" }, { "colour": "#1b0fe1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerade Task or Service - T1036.004\"", "relationship_type": "" }, { "colour": "#a9f8b1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#b76d96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Multi-hop Proxy - T1090.003\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#08b028", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"", "relationship_type": "" }, { "colour": "#30cc3b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#370063", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"", "relationship_type": "" }, { "colour": "#44b2c2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"", "relationship_type": "" }, { "colour": "#c295b4", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Internal Proxy - T1090.001\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"APT\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"State-Sponsored\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777546814", "to_ids": false, "type": "link", "uuid": "4a5e882b-ab96-40a1-a9b6-2b309d76062e", "value": "https://www.360.cn/n/13005.html" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1777546814", "to_ids": false, "type": "text", "uuid": "7596595b-a9d9-4d59-ab43-36384095a0c8", "value": "APT-C-13 (Sandworm), also known as FROZENBARENTS, is a state-sponsored advanced persistent threat group conducting global cyber espionage operations. The organization recently deployed malicious campaigns using nested SSH and TOR tunnel infrastructure to establish covert remote access channels. Attackers distribute ZIP archives containing weaponized LNK files via spearphishing emails, which extract and execute payloads that create scheduled tasks disguised as legitimate software. The attack establishes dual-encrypted anonymous tunnels using obfs4 protocol to bypass deep packet inspection, while mapping sensitive ports (SMB/445, RDP/3389) to Onion domains for persistent backdoor access. The campaign leverages sophisticated anti-analysis techniques including sandbox detection, file disguise, and process masquerading to evade detection and maintain long-term unauthorized control over compromised systems for intelligence collection." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1777546814", "to_ids": false, "type": "text", "uuid": "7c36bfea-08b9-459a-9f7f-512a7debb6bf", "value": "Name: Analysis of Attack Activities Using SSH+TOR Tunnels to Achieve Covert Persistence\nAuthor: AlienVault\nAdversary: APT-C-13, Sandworm, FROZENBARENTS\nTags: [\"sandworm\", \"obfs4\", \"apt-c-13\", \"spearphishing\", \"ssh tunneling\", \"persistence mechanism\", \"tor network\", \"scheduled tasks\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1053.005\", \"T1036.005\", \"T1204.002\", \"T1497.001\", \"T1021.004\", \"T1566.001\", \"T1140\", \"T1021.002\", \"T1036.004\", \"T1041\", \"T1059.001\", \"T1547.001\", \"T1090.003\", \"T1027\", \"T1573.002\", \"T1070.004\", \"T1071.001\", \"T1021.001\", \"T1564.001\", \"T1090.001\"]\nIndustries: [\"Government\", \"Defense\", \"Energy\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1777686824", "to_ids": false, "type": "threat-actor", "uuid": "295bd28c-74c2-4b61-841c-720a499ef46f", "value": "APT-C-13", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"Sandworm\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777689790", "to_ids": true, "type": "domain", "uuid": "62458ea8-7bd4-43d0-9a7d-d387e69dc763", "value": "2zrek3mkl72d5b6evpkx2rz2glzrltiorgblpfb2ttg6lacwlsdk4iqd.onion", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777689811", "to_ids": true, "type": "domain", "uuid": "4c0bb23b-0676-4b11-80f1-64a1390a2f35", "value": "3xl6xhboulyuez6fuydyhj7pdvkshzn4ogsmgwbb3ukrkvgi6bcwvfyd.onion", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777689832", "to_ids": true, "type": "domain", "uuid": "3677bc20-1373-4285-8779-1f3a84aceee5", "value": "e3mnde5uyuxjoztup6t3m7nykbicexbzra76ucligwgsaez65w63y2ad.onion", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777689853", "to_ids": true, "type": "domain", "uuid": "75dba713-1dce-4cb6-bfb8-24f55307621c", "value": "imnlyhj4mtmtesqrvf7c4ma6dkxeyxw3ae53w6fuz42spndg7zpat6qd.onion", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777689874", "to_ids": true, "type": "domain", "uuid": "bfe55c08-d1b0-44d9-a7ac-26391964c53c", "value": "kvk46su7d2qi6g4n43syp4zbsf2rihnc6ztj77qtc2ojvewjqvqilnqd.onion", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777689895", "to_ids": true, "type": "domain", "uuid": "cad57808-e1e8-46ad-aa51-7e678774bf36", "value": "nytiplwknkinobjaeb5tajjiglip3vtaccju6ta7d47u5u64ktrwhrqd.onion", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779545871", "uuid": "915b3234-1b83-45fa-8a4f-ea8150610b9c", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779545870", "to_ids": true, "type": "md5", "uuid": "f3b12b0e-5d8d-4631-8382-9d92726f8831", "value": "2156c270ffe8e4b23b67efed191b9737", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779545871", "to_ids": true, "type": "sha1", "uuid": "9bb0f602-3692-46c2-8d23-6615f924848b", "value": "975d8bdfec6b58ae9004d526fa9f852108026a9c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779545871", "to_ids": true, "type": "sha256", "uuid": "a54c8b22-f88a-4d1a-a9f3-6a02ceb441f8", "value": "0a78005858bef767b39cfbbeb543a80dfde46807ee75594de77d3ddfe119e8b5", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777688137", "to_ids": true, "type": "ssdeep", "uuid": "84a88679-9a11-405a-b454-087f04cd42bd", "value": "196608:BZked/YGndPectif51wK1C809VDAkxILC/hNEHhqisKSW6In9mNkTn6WktcjKCTc:19GBg1XxWC/hNMTnt6BKnJVc" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777688137", "to_ids": false, "type": "size-in-bytes", "uuid": "3b08a867-c93d-4694-8525-91323b5f99dd", "value": "12304687" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777688137", "to_ids": true, "type": "vhash", "uuid": "905198bb-ed6d-4429-8b6c-84a37c9d6771", "value": "6d6a3b5b67152c82fb9145b10a846c5f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777688137", "to_ids": true, "type": "filename", "uuid": "82bb95ba-a34f-4d68-8911-0fd5993a110e", "value": "Iskhod_7582_Predstavlenie_na_naznachenie.zip" }, { "category": "Other", "comment": "Checked: 02/05/2026\nLast-scan\t: 30/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777688137", "to_ids": false, "type": "text", "uuid": "a7043393-c0fd-40f2-8891-c593b401f63a", "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:38/67\nFirst Submission:2026-01-23T05:53:06.000000+00:00\nLast Submission:2026-01-23T05:53:06.000000+00:00" } ] } ] } }