{
  "Event": {
    "analysis": "1",
    "date": "2026-04-30",
    "extends_uuid": "",
    "info": "[Threat Intel] Komari Red: The Monitoring Tool with a Built-in Reverse Shell",
    "protected": false,
    "publish_timestamp": "1779545926",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779545925",
    "uuid": "dc655dd4-393d-4707-8647-cd6516f2ab29",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#8f20d0",
        "local": false,
        "name": "misp-galaxy:producer=\"Huntress\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#7773ac",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#8efd0f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Account Manager - T1003.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#041edc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b0fe1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerade Task or Service - T1036.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#dac154",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1049\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7b759a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"RDP Hijacking - T1563.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#3970d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#fae37b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#c295b4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Internal Proxy - T1090.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#07ff3c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546826",
        "to_ids": false,
        "type": "link",
        "uuid": "c81ccb82-b8a1-4037-b29b-cffabf305313",
        "value": "https://www.huntress.com/blog/komari-c2-agent-abuse"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546826",
        "to_ids": false,
        "type": "text",
        "uuid": "f84d3081-9805-4766-a5a8-71c5e865dbcb",
        "value": "On April 16, 2026, a threat actor leveraged stolen VPN credentials to access a Windows workstation and deployed a SYSTEM-level backdoor using the Komari agent, an open-source monitoring tool with built-in command-and-control capabilities. The attacker authenticated through an SSLVPN session from IP 45.153.34[.]132 and used Impacket smbexec.py to enable RDP on the target system. The Komari agent was installed as a persistent Windows service named 'Windows Update Service' using NSSM, pulling the installer directly from the official GitHub repository. Komari provides bidirectional control through WebSocket connections, offering arbitrary command execution, interactive reverse shell access, and network probing capabilities by default. Microsoft Defender quarantined an earlier registry dump attempt, forcing the adversary to pivot to this GitHub-based approach. This represents the first publicly documented case of Komari being abused in a real-world intrusion."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546826",
        "to_ids": false,
        "type": "text",
        "uuid": "4f059d4d-693c-4665-a629-51d1dc822808",
        "value": "Name: Komari Red: The Monitoring Tool with a Built-in Reverse Shell\nAuthor: AlienVault\nAdversary: \nTags: [\"rdp-enablement\", \"credential-theft\", \"sslvpn-compromise\", \"impacket\", \"nssm-persistence\", \"reverse-shell\", \"komari\", \"github-infrastructure\"]\nTgtd countries: []\nMlwr families: [\"Komari\"]\nAttack_ids: [\"T1133\", \"T1003.002\", \"T1543.003\", \"T1082\", \"T1021.002\", \"T1112\", \"T1036.004\", \"T1049\", \"T1059.001\", \"T1078\", \"T1571\", \"T1059.003\", \"T1071.001\", \"T1563.002\", \"T1018\", \"T1105\", \"T1021.001\", \"T1569.002\", \"T1090.001\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "SSLVPN ingress source: the attacker-side public IP the stolen-credential VPN login came from. Note that the attribute is typed ip-dst although it is the connection *source*; match it against VPN/firewall authentication logs as a source address.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767405",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "cff33b5e-6c03-4240-b032-565ad72c1472",
        "value": "45.153.34.132",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Komari agent install script URL. This is the upstream project's own raw.githubusercontent.com path, so the URL alone is a poor block/alert indicator (legitimate Komari users fetch it too, hence false-positive:risk=high). Detect on context instead: PowerShell retrieving it from a SYSTEM/service context or an smbexec-spawned shell, or an NSSM-registered service named 'Windows Update Service'.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767427",
        "to_ids": true,
        "type": "url",
        "uuid": "03d5bd32-9bbd-44ac-a060-85d2c8df45cc",
        "value": "https://raw.githubusercontent.com/komari-monitor/komari-agent/refs/heads/main/install.ps1",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "FortiGate-assigned SSLVPN tunnel IP (RFC 1918 address from the victim's VPN client pool). Environment-specific and typically reused across sessions, so it has no value as a shared network IOC (hence false-positive:risk=high); use it only to pivot within the affected environment's own logs.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777767448",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "9af8d155-a4e1-48a8-8016-20fd8d5965aa",
        "value": "10.212.134.200",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545925",
        "uuid": "40624385-b42d-4fe2-9ea2-c61997cdccaf",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "komari-agent.exe (Windows agent build pulled from the official Komari GitHub repository; 0/71 on VirusTotal). The hash pins this exact build only — other releases of the same tool carry different hashes, so pair it with behavioural detection.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545924",
            "to_ids": true,
            "type": "md5",
            "uuid": "09455b08-af7e-4d4b-a5c6-f26717fff29a",
            "value": "a4c537b05574e34424e9a05ed9023057",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "komari-agent.exe (Windows agent build pulled from the official Komari GitHub repository; 0/71 on VirusTotal). The hash pins this exact build only — other releases of the same tool carry different hashes, so pair it with behavioural detection.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545925",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5ce94e1c-cc37-4af3-ac84-f06eff078e89",
            "value": "192e419f4446c57ad3b672fd835ef26b88b203c4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "komari-agent.exe (Windows agent build pulled from the official Komari GitHub repository; 0/71 on VirusTotal). The hash pins this exact build only — other releases of the same tool carry different hashes, so pair it with behavioural detection.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545925",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ad34aa1e-9b90-4830-b054-22664734c651",
            "value": "039e659ade3aa8ee7758c11fdb8fbfffd2491920046d638413cea2042f6d584c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777765661",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ee7ea866-3eae-4750-9481-8979d76cdb98",
            "value": "98304:DIe6BxTQmGi1EtUqnIePGP/jEYGLSalEi6D9dfk6B40yA1B/6BFBGrElAp1vjRJs:sQmGi1EtnnImZEHfl40Pv6BHGrlxm"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777765661",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5c70f0a6-714c-47a3-b618-864d341e0e57",
            "value": "14774272"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777765661",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b2ea6cdb-ceac-41be-8c82-abb69dcd2c08",
            "value": "0170f6655d55551555757az2e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "Filename is the VirusTotal content-type placeholder ('octet-stream'), not the on-disk name (komari-agent.exe per the hash attributes); do not use this value for IDS matching.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777765661",
            "to_ids": true,
            "type": "filename",
            "uuid": "eaf9c344-f72d-49a2-8e07-3ce86ebd55fb",
            "value": "octet-stream"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-05-03\nLast-scan: 2026-05-01",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777765661",
            "to_ids": false,
            "type": "text",
            "uuid": "e2f91e4e-201c-48e9-9ec6-4f46eb7667c3",
            "value": "komari-agent.exe\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2026-04-08T16:13:14.000000+00:00\nLast Submission:2026-04-08T16:13:39.000000+00:00"
          }
        ]
      }
    ]
  }
}