{ "type": "bundle", "id": "bundle--81f607d5-2b83-477c-95f5-342030de6570", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-12T12:42:41.000Z", "modified": "2023-07-12T12:42:41.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--81f607d5-2b83-477c-95f5-342030de6570", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-12T12:42:41.000Z", "modified": "2023-07-12T12:42:41.000Z", "name": "Chinese Threat Actors Targeting Europe in SmugX Campaign", "published": "2023-07-12T12:42:53Z", "object_refs": [ "indicator--918d4b5b-4477-49a0-a9fb-0085e9992b07", "indicator--57317342-6458-427e-89b2-9a3ba097bfcb", "indicator--f588c595-946f-4d8b-94c9-f217b5956e17", "indicator--236c2d6a-3c41-4369-a4e3-9b371371b6cb", "indicator--9eb2e07d-4dd1-48a1-930e-ea58ecfb0268", "indicator--38427789-8f29-4e78-b8c8-5d2fbfb2671b", "indicator--b879469e-f585-487b-8be5-e42d7f58cd3d", "indicator--c640cf82-25b2-4bc9-b687-a6d2fc9b7b45", "indicator--f7862093-0ace-4081-8bcc-87757be6df7c", "indicator--030ac331-5f4a-480d-a8ce-85b886c460b3", "indicator--d02a5889-c523-4239-af4e-47432c36bfb9", "indicator--f7442091-f412-415c-a8de-dbb3fbd77d11", "indicator--dc275756-44a8-410c-ac12-e5ad42cf0c24", "indicator--d648e16e-8955-4d59-8f5c-f60021a8e321", "indicator--c303a4a0-0f51-444c-bca8-5a81b9b7b007", "indicator--ade041fe-db67-4a5d-b52f-4a0eb90cf238", "indicator--fed631dc-e32b-4126-a750-19f671bc4e19", "indicator--7d600d01-043a-4e0b-8351-65470c9383ae", "indicator--6b87864c-b0ca-4be8-9b60-19e2134b0eec", "indicator--c4b96fad-75ad-44a8-a961-e1e1d23d5eea", "indicator--5201eecc-c54e-41d9-81a4-847be85b77b7", "indicator--d97638bc-4323-4f3a-bdda-5e5fa6c0c29d", "indicator--8e31f890-9f9d-4859-99a4-6492a27c929f", "indicator--c4d542d1-127a-4cc4-9449-1b8a12e2abac", "indicator--2f9be8b8-9990-46c3-b127-1ad96f0be1b5", "indicator--83a9b04d-1c87-43a5-8998-49c02e0acb65", "indicator--62cd6350-dffb-4795-84b1-ca2c0ef4b783", "indicator--87d95afd-9f4e-4ee3-9de8-3d792f5a1928", "indicator--e899a5f1-895f-4398-8e36-549f535eb7c0", "indicator--98da3f2f-aed7-433d-a085-2bd3385c8d3a", "indicator--15135495-f94c-4d8e-8710-57892fcc53a1", "indicator--2fd6059c-4e54-4cfb-84bf-f411cf6bab9b", "indicator--2731a46e-cecc-495c-9a1e-4a860ccbe51f", "indicator--7fd7ac52-df1a-46c9-a496-b0479f65dd9a", "indicator--ede4804b-e2e8-46c3-8770-ed7a59e12e82", "indicator--8be04fa0-a8a5-4120-bf5d-2a65f6e79d92", "indicator--1a4d83aa-71c5-41bb-bc17-cef04dc5bf35", "indicator--a59c4e78-186d-4e1e-a435-74b21ea3f13d", "indicator--ef63127f-e3b8-4521-892b-127b0f2a063c", "indicator--169b95c2-6a5d-43b1-a35a-301332d91695", "indicator--1a299fc1-af8a-4b29-8228-b3947a88db2c", "indicator--970bc7bf-375e-467c-9d2a-8ddb7c18c1bb", "indicator--88995009-ec15-4814-b8f9-b7e89eb2eaf6", "indicator--5fac55a3-27a6-4829-9178-c00f9d88bed9", "indicator--be7699e0-c556-47d3-ac9a-24b3c4bd72bd", "indicator--c2316ec7-09ef-467b-9c70-e545bd619fe7", "indicator--e12b5bd9-03fc-4db1-a097-d6ced8fbc05b", "indicator--1f567817-4fc4-489b-a97f-dbd64c8bf1e2", "indicator--fcfe2c30-fa5c-4613-8b7c-cebf940aef43", "x-misp-object--bba1dd1a-32ef-465a-89eb-6f5b3ccab59d" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "tlp:clear", "misp-galaxy:malpedia=\"RedDelta\"", "misp-galaxy:malpedia=\"PlugX\"", "misp-galaxy:mitre-intrusion-set=\"Mustang Panda - G0129\"", "misp-galaxy:threat-actor=\"Mustang Panda\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--918d4b5b-4477-49a0-a9fb-0085e9992b07", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T07:47:32.000Z", "modified": "2023-07-07T07:47:32.000Z", "description": "html", "pattern": "[file:hashes.SHA256 = 'edb5d4b454b6c7d3abecd6de7099e05575b8f28bb09dfc364e45ce8c16a34fcd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T07:47:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57317342-6458-427e-89b2-9a3ba097bfcb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T07:47:32.000Z", "modified": "2023-07-07T07:47:32.000Z", "description": "html", "pattern": "[file:hashes.SHA256 = '736451c2593bc1601c52b45c16ad8fd1aec56f868eb3bba333183723dea805af']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T07:47:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f588c595-946f-4d8b-94c9-f217b5956e17", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T07:47:32.000Z", "modified": "2023-07-07T07:47:32.000Z", "description": "html", "pattern": "[file:hashes.SHA256 = '0e4b81e04ca77762be2afb8bd451abb2ff46d2831028cde1c5d0ec45199f01a1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T07:47:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--236c2d6a-3c41-4369-a4e3-9b371371b6cb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T07:47:32.000Z", "modified": "2023-07-07T07:47:32.000Z", "description": "html", "pattern": "[file:hashes.SHA256 = '989ede1df02e4d9620f6caf75a88a11791d156f62fdea4258e12d972df76bc05']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T07:47:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9eb2e07d-4dd1-48a1-930e-ea58ecfb0268", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T07:47:32.000Z", "modified": "2023-07-07T07:47:32.000Z", "description": "html", "pattern": "[file:hashes.SHA256 = '10cad59ea2a566597d933b1e8ba929af0b4c7af85481eacaab708ef4ddf6e0ee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T07:47:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--38427789-8f29-4e78-b8c8-5d2fbfb2671b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T07:47:32.000Z", "modified": "2023-07-07T07:47:32.000Z", "description": "html", "pattern": "[file:hashes.SHA256 = 'c96723a68fc939c835578ff746f7d4c5371cb82a9c0dffe360bb656acea4d6e1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T07:47:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b879469e-f585-487b-8be5-e42d7f58cd3d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T07:47:32.000Z", "modified": "2023-07-07T07:47:32.000Z", "description": "html", "pattern": "[file:hashes.SHA256 = '9ce5abd02d397689d99f62dfbd2a6a396876c6629cb5db453f1dcbbc3465ac9a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T07:47:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c640cf82-25b2-4bc9-b687-a6d2fc9b7b45", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T07:51:03.000Z", "modified": "2023-07-07T07:51:03.000Z", "description": "Archives", "pattern": "[file:hashes.SHA256 = '5f751fb287db51f79bb6df2e330a53b6d80ef3d2af93f09bb786b62e613514db']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T07:51:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f7862093-0ace-4081-8bcc-87757be6df7c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T07:51:03.000Z", "modified": "2023-07-07T07:51:03.000Z", "description": "Archives", "pattern": "[file:hashes.SHA256 = 'baca1159acc715545a787d522950117eae5b7dc65efacfe86383f62e6b9b59d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T07:51:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--030ac331-5f4a-480d-a8ce-85b886c460b3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T07:51:03.000Z", "modified": "2023-07-07T07:51:03.000Z", "description": "Archives", "pattern": "[file:hashes.SHA256 = '720a70ca6ee1fbaf06c7cb60d14e27391130407e34e13a092d19f1df2c9c6d05']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T07:51:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d02a5889-c523-4239-af4e-47432c36bfb9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T07:51:03.000Z", "modified": "2023-07-07T07:51:03.000Z", "description": "Archives", "pattern": "[file:hashes.SHA256 = '460c459db77c5625ed1c029b2dd6c6eae5e631b81a169494fb0182d550769f76']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T07:51:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f7442091-f412-415c-a8de-dbb3fbd77d11", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T07:51:03.000Z", "modified": "2023-07-07T07:51:03.000Z", "description": "Archives", "pattern": "[file:hashes.SHA256 = '277390cc50e00f52e76a6562e6e699b0345497bd1df26c7c41bd56da5b6d1347']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T07:51:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dc275756-44a8-410c-ac12-e5ad42cf0c24", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:05:20.000Z", "modified": "2023-07-07T08:05:20.000Z", "description": "JavaScripts", "pattern": "[file:hashes.SHA256 = '3c6ace055527877778d989f469a5a70eb5ef7700375b850f0b1b8414151105ee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:05:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d648e16e-8955-4d59-8f5c-f60021a8e321", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:05:20.000Z", "modified": "2023-07-07T08:05:20.000Z", "description": "JavaScripts", "pattern": "[file:hashes.SHA256 = '27a61653ce4e503334413cf80809647ce5dca02ff4aea63fb3a39bc62c9c258c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:05:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c303a4a0-0f51-444c-bca8-5a81b9b7b007", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:05:20.000Z", "modified": "2023-07-07T08:05:20.000Z", "description": "JavaScripts", "pattern": "[file:hashes.SHA256 = 'ce308b538ff3a0be0dbcee753db7e556a54b4aeddbddd0c03db7126b08911fe2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:05:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ade041fe-db67-4a5d-b52f-4a0eb90cf238", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:07:09.000Z", "modified": "2023-07-07T08:07:09.000Z", "description": "MSI", "pattern": "[file:hashes.SHA256 = 'fd0711a50c8af1dbc5c7ba42b894b2af8a2b03dd7544d20f5a887c93b9834429']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:07:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fed631dc-e32b-4126-a750-19f671bc4e19", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:07:09.000Z", "modified": "2023-07-07T08:07:09.000Z", "description": "MSI", "pattern": "[file:hashes.SHA256 = '3489955d23e66d6f34b3ada70b4d228547dbb3ccb0f6c7282553cbbdeaf168cb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:07:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7d600d01-043a-4e0b-8351-65470c9383ae", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:07:09.000Z", "modified": "2023-07-07T08:07:09.000Z", "description": "MSI", "pattern": "[file:hashes.SHA256 = '04b99518502774deb4a9d9cf6b54d43ff8f333d8ec5b4b230c0e995542bb2c61']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:07:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6b87864c-b0ca-4be8-9b60-19e2134b0eec", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:07:09.000Z", "modified": "2023-07-07T08:07:09.000Z", "description": "MSI", "pattern": "[file:hashes.SHA256 = 'bd3881964e351a7691bfc7e997e8a2c8ce4a8e26b79e3712d0cbdc484a5646b6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:07:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c4b96fad-75ad-44a8-a961-e1e1d23d5eea", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:07:09.000Z", "modified": "2023-07-07T08:07:09.000Z", "description": "MSI", "pattern": "[file:hashes.SHA256 = 'ea2869424df2ffbb113017d95ae48ae8ed9897280fd21b26e046c75b3e43b25a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:07:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5201eecc-c54e-41d9-81a4-847be85b77b7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:08:37.000Z", "modified": "2023-07-07T08:08:37.000Z", "pattern": "[file:name = 'RoboForm.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:08:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d97638bc-4323-4f3a-bdda-5e5fa6c0c29d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:08:37.000Z", "modified": "2023-07-07T08:08:37.000Z", "description": "RoboForm.dll", "pattern": "[file:hashes.SHA256 = 'b00c252a60171f33e32e64891ffe826b8a45f8816acf778838d788897213a405']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:08:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8e31f890-9f9d-4859-99a4-6492a27c929f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:08:37.000Z", "modified": "2023-07-07T08:08:37.000Z", "description": "RoboForm.dll", "pattern": "[file:hashes.SHA256 = '2bc30ced135acd6a506cfb557734407f21b70fecd2f645c5b938e14199b24f1e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:08:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c4d542d1-127a-4cc4-9449-1b8a12e2abac", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:08:37.000Z", "modified": "2023-07-07T08:08:37.000Z", "description": "RoboForm.dll", "pattern": "[file:hashes.SHA256 = '0d13a503d86a6450f71408eb82a196718324465744bf6b8c4e0a780fd5be40c0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:08:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2f9be8b8-9990-46c3-b127-1ad96f0be1b5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:08:37.000Z", "modified": "2023-07-07T08:08:37.000Z", "description": "RoboForm.dll", "pattern": "[file:hashes.SHA256 = '0bdfb922a39103658195d1d37ff584d24f7bd88464e7a119e86d6e3579958cc1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:08:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--83a9b04d-1c87-43a5-8998-49c02e0acb65", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:08:37.000Z", "modified": "2023-07-07T08:08:37.000Z", "description": "RoboForm.dll", "pattern": "[file:hashes.SHA256 = 'a0879dd439c7f1ed520aad0c309fe1dbf1a2fc41e2468f4174489a0ec56c47c7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:08:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--62cd6350-dffb-4795-84b1-ca2c0ef4b783", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:08:37.000Z", "modified": "2023-07-07T08:08:37.000Z", "description": "RoboForm.dll", "pattern": "[file:hashes.SHA256 = 'bddbc529f23ab6b865bc750508403ef57c8cf77284d613d030949bd37078d880']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:08:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--87d95afd-9f4e-4ee3-9de8-3d792f5a1928", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:08:37.000Z", "modified": "2023-07-07T08:08:37.000Z", "description": "RoboForm.dll", "pattern": "[file:hashes.SHA256 = '4547914e17c127d9b53bbc9d44de0e5b867f1a86d2e5ede828cd3188ed7fe838']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:08:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e899a5f1-895f-4398-8e36-549f535eb7c0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T08:08:37.000Z", "modified": "2023-07-07T08:08:37.000Z", "description": "RoboForm.dll", "pattern": "[file:hashes.SHA256 = '0032d5430f1b5fcfb6a380b4f1d226b6b919f2677340503f04df04235409b2d0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T08:08:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--98da3f2f-aed7-433d-a085-2bd3385c8d3a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:18:01.000Z", "modified": "2023-07-07T10:18:01.000Z", "description": "Encrypted payload", "pattern": "[file:hashes.SHA256 = '62c2e246855d589eb1ec37a9f3bcc0b6f3ba9946532aff8a39a4dc9d3a93f42c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:18:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--15135495-f94c-4d8e-8710-57892fcc53a1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:18:01.000Z", "modified": "2023-07-07T10:18:01.000Z", "description": "Encrypted payload", "pattern": "[file:hashes.SHA256 = 'f7d35cb95256513c07c262d4b03603e073e58eb4cd5fa9aac1e04ecc6e870d42']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:18:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2fd6059c-4e54-4cfb-84bf-f411cf6bab9b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:18:01.000Z", "modified": "2023-07-07T10:18:01.000Z", "description": "Encrypted payload", "pattern": "[file:hashes.SHA256 = 'bf4f8a5f75e9e5ecd752baa73abddd37b014728722ac3d74b82bffa625bf09b5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:18:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2731a46e-cecc-495c-9a1e-4a860ccbe51f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:18:01.000Z", "modified": "2023-07-07T10:18:01.000Z", "description": "Encrypted payload", "pattern": "[file:hashes.SHA256 = '8a6ef9aa3f0762b03f983a1e53e8c731247273aafa410ed884ecd4c4e02c7db8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:18:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7fd7ac52-df1a-46c9-a496-b0479f65dd9a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:18:01.000Z", "modified": "2023-07-07T10:18:01.000Z", "description": "Encrypted payload", "pattern": "[file:hashes.SHA256 = 'ec3e491a831b4057fc0e2ebe9f43c32f1f07959b6430b323d35d6d409d2b31e4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:18:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ede4804b-e2e8-46c3-8770-ed7a59e12e82", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:18:01.000Z", "modified": "2023-07-07T10:18:01.000Z", "description": "Encrypted payload", "pattern": "[file:hashes.SHA256 = 'bf8e512921522e49d16c638dc8d01bd0a2803a4ef019afbfc2f0941875019ea1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:18:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8be04fa0-a8a5-4120-bf5d-2a65f6e79d92", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:18:01.000Z", "modified": "2023-07-07T10:18:01.000Z", "description": "Encrypted payload", "pattern": "[file:hashes.SHA256 = 'ba55542c6fa12865633d6d24f4a81bffd512791a6e0a9b77f6b17a53e2216659']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:18:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1a4d83aa-71c5-41bb-bc17-cef04dc5bf35", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:20:37.000Z", "modified": "2023-07-07T10:20:37.000Z", "description": "Decrypted payload", "pattern": "[file:hashes.SHA256 = '8ea34b85dd4fb64f7e6591e4f1c24763fc3421caa7c0f0d8350c67b9bafa4d32']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:20:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a59c4e78-186d-4e1e-a435-74b21ea3f13d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:20:37.000Z", "modified": "2023-07-07T10:20:37.000Z", "description": "Decrypted payload", "pattern": "[file:hashes.SHA256 = '8cac6dfb2a894ff3f530c29e79dcd37810b4628279b9570a34f7e22bd4d416b3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:20:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ef63127f-e3b8-4521-892b-127b0f2a063c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:20:37.000Z", "modified": "2023-07-07T10:20:37.000Z", "description": "Decrypted payload", "pattern": "[file:hashes.SHA256 = 'ea5825fa1f39587a88882e87064caae9dd3b79f02438dc3a229c5b775b530c7d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:20:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--169b95c2-6a5d-43b1-a35a-301332d91695", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:20:37.000Z", "modified": "2023-07-07T10:20:37.000Z", "description": "Decrypted payload", "pattern": "[file:hashes.SHA256 = '1acb061ce63ee8ee172fbdf518bd261ef2c46d818ffd4b1614db6ce3daa5a885']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:20:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1a299fc1-af8a-4b29-8228-b3947a88db2c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:20:37.000Z", "modified": "2023-07-07T10:20:37.000Z", "description": "Decrypted payload", "pattern": "[file:hashes.SHA256 = '08661f40f40371fc8a49380ad3d57521f9d0c2aa322ae4b0a684b27e637aed12']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:20:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--970bc7bf-375e-467c-9d2a-8ddb7c18c1bb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:20:37.000Z", "modified": "2023-07-07T10:20:37.000Z", "description": "Decrypted payload", "pattern": "[file:hashes.SHA256 = '324bfb2f414be221e24aaa9fb22cb49e4d4c0904bd7c203afdff158ba63fe35b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:20:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--88995009-ec15-4814-b8f9-b7e89eb2eaf6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:25:23.000Z", "modified": "2023-07-07T10:25:23.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.90.58.69']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:25:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5fac55a3-27a6-4829-9178-c00f9d88bed9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:25:23.000Z", "modified": "2023-07-07T10:25:23.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '62.233.57.136']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:25:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--be7699e0-c556-47d3-ac9a-24b3c4bd72bd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:25:23.000Z", "modified": "2023-07-07T10:25:23.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.12.207.164']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:25:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c2316ec7-09ef-467b-9c70-e545bd619fe7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:25:23.000Z", "modified": "2023-07-07T10:25:23.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '152.152.12.12']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:25:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e12b5bd9-03fc-4db1-a097-d6ced8fbc05b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:25:23.000Z", "modified": "2023-07-07T10:25:23.000Z", "pattern": "[domain-name:value = 'jcswcd.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:25:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1f567817-4fc4-489b-a97f-dbd64c8bf1e2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T10:25:23.000Z", "modified": "2023-07-07T10:25:23.000Z", "pattern": "[domain-name:value = 'newsmailnet.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T10:25:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fcfe2c30-fa5c-4613-8b7c-cebf940aef43", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T13:31:11.000Z", "modified": "2023-07-07T13:31:11.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.134.83.29']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-07-07T13:31:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--bba1dd1a-32ef-465a-89eb-6f5b3ccab59d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2023-07-07T07:42:43.000Z", "modified": "2023-07-07T07:42:43.000Z", "labels": [ "misp:name=\"report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "link", "value": "https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/", "category": "External analysis", "uuid": "96f066f4-4fd7-466e-82fe-8e707db62917" }, { "type": "text", "object_relation": "summary", "value": "- Check Point Research uncovers a targeted campaign carried out by a Chinese threat actor targeting government entities in Europe, with a focus on foreign and domestic policy entities.\r\n- The campaign leverages HTML Smuggling, a technique in which attackers hide malicious payloads inside HTML documents.\r\n- Following a complex infection chain involving either archives or MSI files, the attacks deploy PlugX, an implant commonly associated with Chinese threat actors.\r\n- The campaign, called SmugX, overlaps with previously reported activity by Chinese APT actors RedDelta and Mustang Panda. Although those two correlate to some extent with Camaro Dragon, there is insufficient evidence to link the SmugX campaign to the Camaro Dragon group.", "category": "Other", "uuid": "992411e4-4c16-4f45-a642-2a0e5a65866e" }, { "type": "text", "object_relation": "type", "value": "Report", "category": "Other", "uuid": "45f7986c-ea72-46bb-91e9-16d191fbbfec" } ], "x_misp_meta_category": "misc", "x_misp_name": "report" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }