Threat Summary
Recent OTX pulses indicate a coordinated surge in credential-theft activity spanning diverse infection vectors. The intelligence highlights three distinct but equally concerning operations: a sophisticated CrySome RAT campaign utilizing living-off-the-land (LotL) techniques and logistics-themed phishing; a broad Salat Stealer distribution campaign targeting high-value digital assets (crypto, wallets) via bundled software; and a targeted academic intrusion by UNK_MassTraction exploiting Roundcube vulnerabilities to harvest credentials from physics and engineering departments. The collective objective of these actors is unauthorized access to sensitive systems, financial theft, and persistent surveillance.
Threat Actor / Malware Profile
CrySome RAT & WinDefCtl
- Distribution: Spear-phishing emails containing "logistics rate confirmation" lures.
- Payload Behavior: Multi-stage execution chain. Leverages
ICMLuaUtilCOM interface for User Account Control (UAC) bypass and employs in-memory AMSI (Antimalware Scan Interface) patching to evade detection. - Persistence: Uses living-off-the-land binaries and scripts (LotL) to blend in with normal administrative activity.
- Capabilities: Remote access, credential theft, browser hijacking.
- C2 Infrastructure: Communicates with
signindat.comto retrieve payloads (ElevatorShellCode.exe,update.exe).
Salat Stealer
- Distribution: Likely bundled with legitimate software or cracked tools (implied by "Bundled to Steal").
- Language: Written in Go (Golang).
- Capabilities: aggressive system reconnaissance targeting browser credentials, cryptocurrency wallets, and session tokens for Discord and Steam. Unique "surveillance" features include desktop streaming and audio/video capture via microphone and webcam.
- Evasion: Includes specific techniques to bypass or disable Windows Defender.
UNK_MassTraction (Suspected China-Aligned)
- Distribution: Exploitation of unpatched Roundcube webmail servers.
- Targeting: Physics and engineering departments at universities in the US and Canada.
- Exploits: Actively exploits CVE-2024-42009 and CVE-2025-49113.
- Payloads: Deploys webshells (SquareShell, VShell) or backdoors (IceCube, SNOWLIGHT) into server memory to avoid disk writes.
IOC Analysis
The provided IOCs cover the three attack surfaces:
- File Hashes (SHA256, SHA1, MD5): Multiple samples for CrySome RAT and Salat Stealer are provided. SOC teams should prioritize scanning endpoint filesystems and memory for these specific hashes.
- Network Infrastructure (Domains/IPs):
signindat.com: A key C2 and download domain for CrySome RAT.45.86.229.111,194.213.18.133,45.150.109.151: C2 servers associated with UNK_MassTraction.
- URLs: Specific download paths for stage 1 payloads (
stage.ps1,patch.exe) and a JQuery-based webshell delivery URL.
Operational Guidance: Block the domain signindat.com and the listed IPs at the perimeter firewall and proxy. The URLs should be added to web filtering blocklists. The file hashes should be ingested into EDR quarantine policies immediately.
Detection Engineering
The following detection logic is tailored to the specific behaviors identified in the OTX pulses, including the UAC bypass, C2 communication, and specific file executions.
---
title: CrySome RAT UAC Bypass via ICMLuaUtil
id: 6af4e3dc-2a1b-4c5f-9d1e-3b8a9f7e1c0d
status: experimental
description: Detects UAC bypass activity using the ICMLuaUtil COM interface, a technique specifically observed in the CrySome RAT infection chain.
references:
- https://www.levelblue.com/blogs/spiderlabs-blog/from-phishing-to-persistence-a-crysome-rat-infection-chain-analysis
author: Security Arsenal
date: 2026/07/07
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'ICMLuaUtil'
- 'CreateInstance'
condition: selection
falsepositives:
- Legitimate administrative scripts (rare)
level: high
---
title: Salat Stealer Suspicious Go Binary Execution
id: 7b5f1a4d-8c3e-4a2b-9f0d-1e2c3a4b5c6d
status: experimental
description: Detects potential execution of Salat Stealer, a Go-based infostealer with surveillance capabilities. Looks for Go binaries accessing common webcam/audio libraries immediately after execution.
references:
- https://www.splunk.com/en_us/blog/security/bundled-to-steal-salat-stealer-campaign.html
author: Security Arsenal
date: 2026/07/07
tags:
- attack.collection
- attack.credential_access
logsource:
product: windows
category: process_creation
detection:
selection_img:
Image|endswith:
- '.exe'
Company|contains:
- '' # Unsigned or missing company info common in Go malware
selection_go:
CommandLine|contains:
- '\AppData\Local\Temp\' # Often executed from temp
selection_libs:
CommandLine|contains:
- 'avicap32'
- 'winmm'
condition: all of selection_*
falsepositives:
- Legitimate VoIP or video conferencing software
level: medium
---
title: UNK_MassTraction C2 Network Connection
id: 8c6g2h5j-9d4k-5l3m-0n1o-2p3q4r5s6t7u
status: experimental
description: Detects outbound network connections to known UNK_MassTraction C2 infrastructure associated with university targeting.
references:
- https://www.proofpoint.com/us/blog/threat-insight/one-email-closer-edge-unkmasstraction-physics-exploitation
author: Security Arsenal
date: 2026/07/07
tags:
- attack.command_and_control
- attack.c2
logsource:
category: network_connection
detection:
selection:
DestinationIp:
- '45.86.229.111'
- '194.213.18.133'
- '45.150.109.151'
DestinationPort|startswith:
- '8' # Ports often observed in descriptions (e.g., 23088) or generic high ports
condition: selection
falsepositives:
- None (Known bad IPs)
level: critical
kql
// Hunt for CrySome RAT and Salat Stealer File Hashes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
"ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8",
"60118ba6124480d1c28b3d30f380aa64030418ba1774e8437f9cfae5ea191271",
"075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde",
"7376aaca33eab974ec527d44753d8016c1d305e2db935189a91a57b0ecbb3ccd",
"a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, SHA256
| extend MITRE = "Credential Access / Execution"
;
// Hunt for Network Connections to UNK_MassTraction C2
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("45.86.229.111", "194.213.18.133", "45.150.109.151")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
| extend MITRE = "Command and Control"
powershell
<#
.SYNOPSIS
IOCs Hunter for CrySome RAT, Salat Stealer, and UNK_MassTraction associated artifacts.
.DESCRIPTION
Scans the filesystem for known malicious hashes and checks for specific C2 domains in the hosts file or DNS cache.
#>
$MaliciousHashes = @(
"ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8",
"60118ba6124480d1c28b3d30f380aa64030418ba1774e8437f9cfae5ea191271",
"075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde",
"7376aaca33eab974ec527d44753d8016c1d305e2db935189a91a57b0ecbb3ccd",
"347e3ef094831fd280628c711804603f695b020e365606174a6ba118ebf56cff",
"a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0"
)
$C2Domains = @("signindat.com")
Write-Host "[+] Starting Hunt for OTX Pulse Indicators..." -ForegroundColor Cyan
# 1. Scan common user directories for malicious files
Write-Host "[*] Scanning user profiles for matching file hashes..." -ForegroundColor Yellow
$PathsToScan = @("C:\Users\", "C:\ProgramData\")
foreach ($Path in $PathsToScan) {
if (Test-Path $Path) {
Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue | Where-Object {
$MaliciousHashes -contains $_.Hash
} | ForEach-Object {
Write-Host "[!] MALICIOUS FILE FOUND: $($_.Path) | Hash: $($_.Hash)" -ForegroundColor Red
}
}
}
# 2. Check DNS Cache for C2 Domains
Write-Host "[*] Checking DNS Cache for C2 Domains..." -ForegroundColor Yellow
Get-DnsClientCache | Where-Object { $C2Domains -contains $_.Entry } | ForEach-Object {
Write-Host "[!] SUSPICIOUS DNS ENTRY: $($_.Entry) resolved to $($_.Data)" -ForegroundColor Red
}
Write-Host "[+] Hunt complete. Review findings."
Response Priorities
- Immediate:
- Block all listed IP addresses and
signindat.comat the network perimeter. - Quarantine any endpoints returning positive hits for the provided SHA256 hashes.
- Investigate processes spawned by
powershell.execontacting the specific URLs found in Pulse 1.
- Block all listed IP addresses and
- 24 Hours:
- Initiate credential resets for accounts identified on hosts infected with CrySome RAT or Salat Stealer, prioritizing IT admin and finance users.
- Review web server logs for indicators of the Roundcube exploitation chain (specifically URL paths associated with CVE-2024-42009).
- 1 Week:
- Apply patches for CVE-2024-42009 and CVE-2025-49113 to all Roundcube instances immediately.
- Implement application controls to block unsigned binaries often used as loaders for these campaigns.
- Conduct awareness training regarding logistics-themed phishing lures.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.