Recent OTX pulses indicate a surge in diverse, high-impact threat activity ranging from financially motivated crimeware to state-sponsored espionage. The data highlights three distinct campaigns active as of June 2026:
- DesckVB RAT Campaign: A sophisticated malspam operation leveraging dynamic lures and Google DoubleClick redirections to deliver an in-memory RAT (VenomRAT variant).
- Kali365 Expansion: A PhaaS (Phishing-as-a-Service) operator has expanded their "Token Bingo" operation to target Microsoft 365, Okta, and Xerox DocuShare using OAuth 2.0 device code flow attacks to bypass MFA.
- Gamaredon (FSB) Activity: The Russian APT group continues relentless cyberespionage against Ukraine, utilizing HTML smuggling and RAR exploits (CVE-2025-8088) to deploy GammaWorm and Pteranodon malware.
Collectively, these campaigns demonstrate a trend toward abusing legitimate infrastructure (DoubleClick, OAuth flows, Cloudflare tunnels) to evade detection and bypass traditional authentication controls.
Threat Actor / Malware Profile
DesckVB RAT (VenomRAT)
- Distribution: Malspam with personalized HTML lures. Routes through Google DoubleClick for reputation bypass.
- Payload Behavior: Five-stage infection chain: HTML Redirect -> JScript Loader -> PowerShell Dropper -> In-Memory Execution.
- C2 Communication: Connects to DDNS domains (e.g.,
xtadts.ddns.net). - Persistence/Anti-Analysis: Heavily relies on "fileless" in-memory execution and includes AMSI bypass mechanisms within the JScript/PowerShell loaders.
Kali365 (EKZ Infostealer)
- Distribution: Phishing-as-a-Service platform. Uses device code phishing pages.
- Payload Behavior: Steals session tokens via OAuth 2.0 device authorization grant abuse. Targets AWS, Microsoft, Okta, Xerox, and MAX Messenger.
- C2 Communication: Uses specific panel infrastructure (e.g.,
panel.securehubcloud.com). - Persistence: N/A (Theft of authentication tokens allows persistence without malware installation on the endpoint).
Gamaredon Group (Pteranodon / GammaWorm)
- Distribution: Spear-phishing containing weaponized xHTML files using HTML smuggling. Delivers RAR archives exploiting CVE-2025-8088.
- Payload Behavior: Extracts HTA files to Windows Startup directories. Deploys GammaWorm (worming capability) and Pteranodon (backdoor).
- C2 Communication: Uses cloud storage providers (Supabase) and Cloudflare tunnels for C2.
- Persistence: HTA files in Startup folders; Scheduled Tasks.
IOC Analysis
The provided IOCs offer a mix of network and file-based artifacts essential for detection:
- Domains & Hostnames: A significant number of C2 domains utilize dynamic DNS (
ddns.net) or generic-sounding registered domains (optimizationprime.com,securehubcloud.com). SOC teams should immediately block these at the perimeter and DNS layer. - File Hashes: SHA256 (DesckVB) and MD5 (Gamaredon) hashes are provided for the payload droppers and loaders. These should be added to EDR blocklists and used to retrospectively hunt for historical execution.
- URLs & IPs: Includes C2 panels and Cloudflare tunnel endpoints.
104.194.140.6is a raw IP associated with Gamaredon infrastructure. - CVEs: CVE-2025-8088 (RAR exploit) is critical for patch management prioritization.
Tooling:
- IOC Extraction: Use MISP or OpenCTI to normalize data.
- Network Hunting: Zeek or Suricata signatures can be generated from the domain lists.
- Endpoint Scanning: Custom YARA rules based on the provided file hashes.
Detection Engineering
Sigma Rules
YAML
---
title: Potential DesckVB RAT PowerShell Loader
description: Detects suspicious PowerShell execution patterns often associated with DesckVB RAT loaders, specifically obfuscated commands and AMSI bypass attempts observed in the malspam campaign.
references:
- https://www.huntress.com/blog/malspam-to-deskcvb-rat-delivery-chain-analysis
author: Security Arsenal
date: 2026/06/04
status: experimental
tags:
- attack.execution
- attack.defense_evasion
- attack.t1059.001
- attack.t1562.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
NewProcessName|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'FromBase64String'
- 'AMSIBypass'
- 'System.Management.Automation.AmsiUtils'
filter_legit:
ParentProcessName|contains:
- '\System32\\'
- '\Program Files\\'
condition: selection and not filter_legit
falsepositives:
- Legitimate administrative scripts
level: high
---
title: Kali365 OAuth Device Code Phishing Attempt
description: Detects attempts to activate OAuth 2.0 device codes, a technique used by Kali365 operators to bypass MFA and steal tokens for Microsoft, Okta, and AWS.
references:
- https://arcticwolf.com/resources/blog/kali365-expands-into-aws-microsoft-okta-xerox-max-messenger/
author: Security Arsenal
date: 2026/06/04
status: experimental
tags:
- attack.credential_access
- attack.impact
- attack.t1528
logsource:
product: azure
service: signinlogs
detection:
selection:
AppDisplayName|contains:
- 'Microsoft Office'
- 'Okta'
- 'AWS'
AuthenticationRequirement: 'singleFactorAuthentication'
DeviceDetail|isnotnull
Status|contains:
'Success'
timeframe: 1h
condition: selection
falsepositives:
- Legitimate device code login flow for IoT or Headless devices
level: medium
---
title: Gamaredon HTML Smuggling and HTA Persistence
description: Detects the creation of HTA files in startup folders or suspicious child processes of mshta.exe, indicative of Gamaredon GammaWorm or Pteranodon deployment.
references:
- https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/
author: Security Arsenal
date: 2026/06/04
status: experimental
tags:
- attack.initial_access
- attack.persistence
- attack.t1059.005
- attack.t1547.001
logsource:
product: windows
service: security
detection:
selection_mshta:
EventID: 4688
NewProcessName|contains: '\mshta.exe'
selection_hta_creation:
EventID: 11
TargetFilename|endswith:
- '.hta'
TargetFilename|contains:
- '\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\'
- '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\'
condition: 1 of selection_*
falsepositives:
- Legacy administrative tools
level: high
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for DesckVB and Gamaredon Network IOCs
let IoC_Domains = pack_array(
'xtadts.ddns.net', 'afxwd.ddns.net', 'catalogo.castrouria.com',
'attachedfile.com', 'greatness-marketing.top', 'securehubcloud.com',
'quitethepastry.ru'
);
let IoC_IPs = pack_array('104.194.140.6');
DeviceNetworkEvents
| where RemoteUrl in (IoC_Domains) or RemoteIP in (IoC_IPs)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend IoC_Match = iff(RemoteUrl in (IoC_Domains), "Domain", "IP")
PowerShell Hunt Script
PowerShell
# IOC Hunt for DesckVB RAT and Gamaredon Payloads
$TargetHashes = @(
"c356aff1a01c2b0da472e584c8e3c8f875b9a24280435d42836a77b19f5a8c18",
"c61b1941cf756eb7551f7c661743802362728b785adc22e860d269713dfb01a6",
"d5b7247c497788cf0031ceb06e3df77a45fef59f1e49633dc7159816d64759b5",
"f1c3ebe78bd8c38559bf3cfcc9a9fa37d221e31780774a3787e26160a61f5348",
"1794369214b7f62e70a0485e61335c61", # MD5 Gamaredon
"8e1624d110c090ff57d4b493a9107c66" # MD5 Gamaredon
)
Write-Host "[+] Scanning for known malicious file hashes..."
# Check common download directories and temp folders
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:TEMP", "C:\ProgramData", "$env:APPDATA")
foreach ($Path in $PathsToScan) {
if (Test-Path $Path) {
Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
$Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
if (-not $Hash) {
# Fallback to MD5 if SHA256 fails (for small files/system constraints in this script)
$Hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
}
if ($TargetHashes -contains $Hash) {
Write-Host "[!] ALERT: Malicious file found: $($_.FullName) | Hash: $Hash" -ForegroundColor Red
}
}
}
}
# Check for Gamaredon Persistence (HTA in Startup)
Write-Host "[+] Checking for Gamaredon persistence mechanisms..."
$StartupPaths = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($StartPath in $StartupPaths) {
if (Test-Path $StartPath) {
Get-ChildItem -Path $StartPath -Filter "*.hta" -ErrorAction SilentlyContinue | ForEach-Object {
Write-Host "[!] Suspicious HTA file in Startup: $($_.FullName)" -ForegroundColor Yellow
}
}
}
Response Priorities
-
Immediate (0-4h):
- Block all listed domains, hostnames, and IPs at the firewall and proxy level.
- Push file hash blocklists to EDR agents for DesckVB and Gamaredon payloads.
- Isolate endpoints exhibiting PowerShell AMSI bypass behaviors.
-
24 Hours:
- Review Azure AD/Entra ID and Okta logs for suspicious device code activations (Kali365).
- Revoke tokens for accounts that authenticated from unfamiliar locations or contexts during the campaign window.
- Hunt for HTML smuggling artifacts (
.htmlfiles with large encoded blobs) in email quarantines and user downloads.
-
1 Week:
- Patch systems against CVE-2025-8088 (RAR exploit) used by Gamaredon.
- Implement strict filtering for malspam utilizing dynamic lures (e.g., sandboxing email links).
- Configure Conditional Access policies to block or require strong authentication for OAuth device code flows.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-malwaredesckvb-ratkali365gamaredonmalware-campaignscredential-theft
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.