Recent OTX Pulse data reveals three distinct but equally concerning high-impact threat activities. A stealthy new backdoor, Mistic, has been linked to the initial access broker Woodgnat, potentially paving the way for multiple ransomware operations. Concurrently, the North Korean APT group Kimsuky has continued to evolve its long-standing KimJongRAT by leveraging legitimate services like GitHub. Separately, a new threat actor, GhostShell, has launched a targeted supply chain attack against Ukraine's UAV (Unmanned Aerial Vehicle) industry using Besomar-themed lures to deliver the Vidar stealer. Collectively, these campaigns demonstrate the diverse and evolving tactics of nation-state and cybercrime actors, leveraging everything from initial access brokering and sideloading to sophisticated supply chain compromises to achieve their objectives of espionage, persistence, and financial gain.
Threat Actor / Malware Profile
- Woodgnat / Mistic Backdoor
- Distribution: The campaign begins with social engineering, likely using initial access broker techniques. Mistic is delivered via DLL sideloading (MITRE ATT&CK T1574.002): a legitimate, signed executable is run and loads an attacker-supplied DLL placed alongside it, so the malicious code executes inside a trusted, signed process.
- Payload Behavior: Mistic is a stealthy backdoor used for remote control and establishing a foothold. It has been observed alongside ModeloRAT, another tool attributed to Woodgnat.
- C2 Communication: Establishes a command-and-control channel using hostnames like mail.authorized-logins.net and update.update-fall.com to receive instructions and exfiltrate data.
- Persistence & Anti-Analysis: Sideloading is primarily a defense-evasion technique rather than a persistence mechanism: the payload runs under the name and signature of a trusted process, which blunts image-based allowlisting and casual triage, but something (a scheduled task, Run key or service) still has to re-launch the signed host binary after a reboot. The pulse characterises the backdoor as stealthy; specific anti-analysis techniques are not detailed.
- Kimsuky / KimJongRAT & MeshAgent
- Distribution: A classic phishing campaign where emails contain shortened URLs. These URLs redirect to legitimate-looking GitHub Releases pages that host malicious ZIP archives.
- Payload Behavior: The ZIP file contains the KimJongRAT payload. This malware combines remote access Trojan (RAT) capabilities with information-stealing functionalities. The attack chain also deploys MeshAgent, a remote management tool, which provides threat actors with persistent remote access.
- C2 Communication: C2 infrastructure is hosted on hostnames like lutkdd.corpsecs.com and communicates over non-standard ports such as 8443, using URLs like http://googleoba.servequake.com:8443/agent.ashx (agent.ashx is the endpoint a MeshAgent uses to reach its MeshCentral server).
- Persistence & Anti-Analysis: Hosting the archive on GitHub Releases means the download arrives over TLS from a domain most organizations allow, so URL-reputation and domain-blocking controls do not help at that stage. MeshAgent, because it is a real remote-management tool that installs as a Windows service, gives the attackers persistence that looks like legitimate IT tooling.
- GhostShell / Vidar Stealer
- Distribution: A highly targeted attack on the UAV supply chain. Malicious archives, likely delivered via spear-phishing, contain decoy documents that impersonate Besomar, a Ukrainian manufacturer of high-precision interceptor drones.
- Payload Behavior: The ultimate payload is the Vidar information stealer. Its objective is to infiltrate defense and procurement networks to steal sensitive data related to UAV supply chains.
- C2 Communication: The C2 infrastructure for Vidar is established to receive the stolen data from the compromised systems.
- Persistence & Anti-Analysis: The attack relies on the highly deceptive lure to gain initial access. The specific persistence mechanisms for Vidar are not detailed in the pulse but typically involve creating scheduled tasks or modifying registry keys.
IOC Analysis
The provided Indicators of Compromise (IOCs) from the OTX pulses are varied and require different operational approaches:
- Domains & Hostnames: (mueleer.com, googleoba.servequake.com, etc.) These should be blocked at the perimeter (DNS firewall, web proxy) and on endpoints. SOC teams can operationalize them by ingesting them into threat intelligence platforms (TIPs) and SIEMs to generate alerts on DNS queries or network connections. Match on the exact hostname or on a suffix that includes the leading dot, so that update-fall.com also catches update.update-fall.com while an unrelated name that merely ends in the same characters does not fire. Where the pulse gives a full hostname on a shared or dynamic-DNS parent (googleoba.servequake.com), block the hostname rather than the whole parent domain.
- IP Addresses: (104.200.67.46) These should be blocked on firewalls and added to watchlists. Correlating this IP with other telemetry (e.g., user-agent, process) can strengthen alerts.
- File Hashes (SHA256, MD5, SHA1): These are critical for endpoint detection and response (EDR). EDR solutions can be configured to alert on the execution of any file matching these hashes. In a post-incident context, these hashes are used for scoping: finding all systems that have been compromised by searching for the malicious file's presence. Normalise case before comparing, since Sysmon and some EDRs log hex digests in upper case while pulses and reports use lower case.
- URLs: (http://googleoba.servequake.com:8443/agent.ashx) Similar to domains, these should be blocked. Web gateways can be configured to block access to these full paths, but note the non-standard port: make sure egress policy covers 8443 rather than only proxied 80/443 traffic. In proxy logs, a GET request to this URL (a WebSocket upgrade to the MeshCentral agent endpoint) is a high-fidelity detection.
SOC teams can use standard tooling like Splunk or Microsoft Sentinel to hunt for these indicators. For example, a simple advanced-hunting search for a hostname would be DeviceNetworkEvents | where RemoteUrl has "googleoba.servequake.com" (the DeviceNetworkEvents table comes from Microsoft Defender for Endpoint and is available in Sentinel through its connector). RemoteUrl is only populated when the endpoint observed the hostname, so pair hostname hunts with RemoteIP pivots on the resolved addresses. Enriching these IOCs often involves cross-referencing them with sandbox detonation results (e.g., Hybrid Analysis, VirusTotal) to understand the malware's full behavior and related artifacts.
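As an added example (not the page's own tooling and not taken from the pulses), the matching logic the bullets above describe, run over constructed Zeek dns.log, conn.log and http.log records with the page's hostnames, IP and URL as the watch list. It is in Python rather than the page's KQL or PowerShell because it runs offline against raw log text. The hostname matcher works on label boundaries, which is the check a plain endswith misses, and the URL matcher normalises scheme, host, port and path so the 8443 indicator only fires on that port. The log lines and RFC 5737 addresses are constructed; the apex-domain comment reflects the IOC list, not a claim from the pulse.

```python
"""Network IOC matching over Zeek-style logs. Added example; log lines are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Hostnames from the pulses. Apex domains such as servequake.com (a shared
# dynamic-DNS domain) are deliberately absent: only the full hostname is an IOC.
C2_HOSTNAMES = {
    "authorized-logins.net", "mueleer.com", "grande-luna.top", "oeannon.com",
    "thomphon.com", "human-check.top", "update-fall.com",
    "lutkdd.corpsecs.com", "googleoba.servequake.com",
}
C2_IPS = {"104.200.67.46"}
C2_URLS = {"http://googleoba.servequake.com:8443/agent.ashx"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def match_hostname(hostname):
    """IOC that hostname equals or is a subdomain of, else None. Walking label
    boundaries (not str.endswith) keeps notupdate-fall.com from matching."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):                 # never test a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in C2_HOSTNAMES:
            return candidate
    return None


def match_ip(address):
    try:
        addr = str(ipaddress.ip_address(address.strip()))
    except ValueError:
        return None
    return addr if addr in C2_IPS else None


def canonical_url(url):
    """scheme://host:port/path, lower-cased, default port filled in, query dropped."""
    parts = urlsplit(url.strip())
    try:
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:                               # non-numeric port
        return None
    if not parts.scheme or not parts.hostname or port is None:
        return None
    return f"{parts.scheme}://{parts.hostname}:{port}{parts.path or '/'}"


C2_URLS_CANONICAL = {canonical_url(u) for u in C2_URLS}


def match_url(url):
    canon = canonical_url(url)
    return canon if canon in C2_URLS_CANONICAL else None


def parse_zeek_tsv(text):
    """Yield one dict per record keyed by the '#fields' header; '-' and '(empty)' become None."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("record before #fields header")
        else:
            yield dict(zip(fields, [None if v in ("-", "(empty)") else v for v in line.split("\t")]))


def scan(text, check):
    """Apply check(record) -> ioc-or-None to every record and collect the hits."""
    hits = []
    for rec in parse_zeek_tsv(text):
        ioc = check(rec)
        if ioc:
            hits.append({"ts": rec.get("ts"), "orig_h": rec.get("id.orig_h"), "ioc": ioc})
    return hits


def dns_check(rec):
    return match_hostname(rec["query"]) if rec.get("query") else None


def conn_check(rec):
    return match_ip(rec["id.resp_h"]) if rec.get("id.resp_h") else None


def http_check(rec):
    # Rebuild the URL from the way http.log splits it: host, responder port, uri.
    if not rec.get("host"):
        return None
    url = f"http://{rec['host']}:{rec.get('id.resp_p') or 80}{rec.get('uri') or '/'}"
    return match_url(url) or match_hostname(rec["host"])


# Constructed sample logs; RFC 5737 addresses everywhere except the listed IOC IP.
DNS_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tquery\tanswers
1719400000.1\t10.0.0.5\t10.0.0.2\tmail.authorized-logins.net\t-
1719400001.2\t10.0.0.7\t10.0.0.2\tnotupdate-fall.com\t203.0.113.9
1719400002.3\t10.0.0.9\t10.0.0.2\tgoogleoba.servequake.com\t-
1719400003.4\t10.0.0.5\t10.0.0.2\tother.servequake.com\t203.0.113.10
"""
CONN_LOG = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1719400010.0\t10.0.0.11\t51022\t104.200.67.46\t443\ttcp
1719400011.0\t10.0.0.11\t51023\t203.0.113.20\t443\ttcp
"""
HTTP_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tmethod\thost\turi
1719400020.0\t10.0.0.9\t203.0.113.30\t8443\tGET\tgoogleoba.servequake.com\t/agent.ashx
1719400021.0\t10.0.0.9\t203.0.113.31\t80\tGET\twww.example.com\t/
"""


def run_all():
    return {"dns": scan(DNS_LOG, dns_check), "conn": scan(CONN_LOG, conn_check),
            "http": scan(HTTP_LOG, http_check)}
```

Calling run_all() on the constructed logs returns two DNS hits (the authorized-logins.net subdomain and the full googleoba.servequake.com name), one conn hit for the listed IP, and one http hit for the agent.ashx URL on 8443; notupdate-fall.com and other.servequake.com are correctly ignored. To use it on real data, feed the contents of the Zeek log files to scan() with the matching check function.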
Detection Engineering
The following detection content targets the specific behaviors and IOCs identified in the OTX pulses.
```yaml
---
title: Potential Mistic Backdoor C2 Activity
date: 2026/06/26
status: experimental
description: Detects DNS lookups for domains associated with the Mistic backdoor campaign. Matches the exact domain or a subdomain of it (suffix with leading dot), so an unrelated name that merely ends in the same characters, e.g. notupdate-fall.com, does not trigger.
references:
    - https://otx.alienvault.com/pulse/667b0f12c8d1e
author: Security Arsenal Research
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: zeek
    service: dns
detection:
    selection_exact:
        query:
            - 'authorized-logins.net'
            - 'mueleer.com'
            - 'grande-luna.top'
            - 'oeannon.com'
            - 'thomphon.com'
            - 'human-check.top'
            - 'update-fall.com'
    selection_subdomain:
        query|endswith:
            - '.authorized-logins.net'
            - '.mueleer.com'
            - '.grande-luna.top'
            - '.oeannon.com'
            - '.thomphon.com'
            - '.human-check.top'
            - '.update-fall.com'
    condition: selection_exact or selection_subdomain
falsepositives:
    - Unknown
level: critical
---
title: Suspicious MeshAgent Execution from Untrusted Parent
date: 2026/06/26
status: experimental
description: Detects MeshAgent, a legitimate remote-management agent abused by Kimsuky for persistence, started directly or via an MSI install from an interactive shell, an archiver or a script interpreter rather than by the service control manager or a software-deployment tool. An MSI is not a process image, so the installer case is matched on the msiexec.exe command line.
references:
    - https://otx.alienvault.com/pulse/667c9e8a9f2b1
author: Security Arsenal Research
tags:
    - attack.execution
    - attack.t1204.002
    - attack.persistence
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_exe:
        Image|endswith: '\meshagent.exe'
    selection_msi:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains: 'meshagent'
    selection_parent:
        ParentImage|endswith:
            - '\explorer.exe'
            - '\winrar.exe'
            - '\7zFM.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    filter_installed:
        Image|contains:
            - '\Program Files\'
            - '\Program Files (x86)\'
    condition: (selection_exe or selection_msi) and selection_parent and not filter_installed
falsepositives:
    - Legitimate administrative software deployment. An agent launched from its normal install directory under Program Files is excluded; anything run from user-writable paths (Downloads, Temp, extracted archives) alerts.
level: high
---
title: Execution of Known Vidar Stealer Samples
date: 2026/06/26
status: experimental
description: Detects the execution of processes with known file hashes associated with the Vidar stealer used in the Besomar supply chain attack. Sysmon writes the Hashes field as ALGO=HEX with upper-case hex; Sigma string matching is case-insensitive, so the lower-case values below still match.
references:
    - https://otx.alienvault.com/pulse/667b1f4d5e3a2
author: Security Arsenal Research
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_hashes:
        Hashes|contains:
            - 'SHA256=ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3'
            - 'SHA256=8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25'
            - 'SHA256=b1834634820ae696f0514ca2b6723061f115857232306e573f4d115bc6ead012'
            - 'MD5=16a59e1fece21ca5394a8ec9ea596fec'
            - 'MD5=6da30ad8677b058fad4d3d3031a428ec'
            - 'MD5=d0a66dd44ee64b76de79cddab13d2745'
            - 'SHA1=4b5f407f5966f49f8c1005a94a822c83b20fa325'
            - 'SHA1=52a1b02e4fe0998069c777bec37eb394781e8fda'
    condition: selection_hashes
falsepositives:
    - None (execution of these specific hashes is malicious)
level: critical
```
```kql
// Hunt for KimJongRAT and MeshAgent network activity.
// The full hostnames from the pulse are used rather than the apex domains: servequake.com
// is a shared dynamic-DNS domain, so matching it alone would sweep in unrelated hosts.
// RemoteUrl is empty for connections where no hostname was observed, so pivot on the
// resolved addresses via RemoteIP as a second pass.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("lutkdd.corpsecs.com", "googleoba.servequake.com")
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Connections = count(),
            RemoteUrls = make_set(RemoteUrl), RemoteIPs = make_set(RemoteIP), RemotePorts = make_set(RemotePort)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName
| order by LastSeen desc
```
```powershell
# Hunt for artifacts related to Mistic backdoor and ModeloRAT
# This script checks for suspicious scheduled tasks, known tool process names and live
# connections to the C2 hostnames from the pulses. Run it in an elevated session;
# Get-NetTCPConnection, Get-DnsClientCache and Resolve-DnsName ship with Windows 8 / Server 2012 and later.
Write-Host "[+] Hunting for Mistic Backdoor Persistence Artifacts..."

# Scheduled tasks outside the Microsoft tree whose action runs rundll32 or powershell.
# The parentheses matter: -and binds tighter than -or, so without them the TaskPath
# filter only applies to the powershell clause.
$tasks = Get-ScheduledTask | Where-Object {
    ($_.Actions.Execute -like "*rundll32*" -or $_.Actions.Execute -like "*powershell*") -and
    $_.TaskPath -notlike "*Microsoft*"
}
if ($tasks) {
    Write-Host "[!] Found potentially suspicious scheduled tasks:"
    # Actions is a collection, so the executable and its arguments need calculated properties.
    $tasks | Format-List TaskName, TaskPath, Author,
        @{ Name = 'Execute';   Expression = { $_.Actions.Execute } },
        @{ Name = 'Arguments'; Expression = { $_.Actions.Arguments } }
} else {
    Write-Host "[-] No obvious suspicious scheduled tasks found."
}

# Running processes whose image name matches a known tool name.
# -contains compares case-insensitively, so "meshagent" and "MeshAgent" both match.
Write-Host "[+] Checking for running processes..."
$suspiciousProcesses = @("ModeloRAT", "GateKeeper", "MintsLoader", "D3F@ck", "MeshAgent")
$processes = Get-Process | Where-Object { $suspiciousProcesses -contains $_.ProcessName }
if ($processes) {
    Write-Host "[!] Found running processes with suspicious names:"
    $processes | Format-Table ProcessName, Id, Path, StartTime
} else {
    Write-Host "[-] No suspicious processes currently running."
}

# Connections to known C2 hosts. Reverse-resolving a C2 address almost never returns the
# attacker's hostname, so instead resolve the IOC hostnames forward and compare addresses,
# and check the local DNS client cache for recent lookups of those names. The forward
# lookups themselves appear in DNS telemetry; run them from an analyst host if that matters.
Write-Host "[+] Checking DNS cache and active network connections for known C2 hosts..."
$knownC2Hosts = @(
    "mail.authorized-logins.net", "update.update-fall.com", "mueleer.com",
    "grande-luna.top", "lutkdd.corpsecs.com", "googleoba.servequake.com"
)

$cached = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $entry = $_.Entry
    $knownC2Hosts | Where-Object { $entry -eq $_ -or $entry -like "*.$_" }
}
if ($cached) {
    Write-Host "[!] DNS client cache contains lookups for known C2 hosts:"
    $cached | Format-Table Entry, RecordType, Data
}

$c2Addresses = @{}
foreach ($c2Host in $knownC2Hosts) {
    try {
        Resolve-DnsName -Name $c2Host -Type A -ErrorAction Stop |
            Where-Object { $_.IPAddress } |
            ForEach-Object { $c2Addresses[$_.IPAddress] = $c2Host }
    } catch {
        # NXDOMAIN or resolver failure: no address to compare for this hostname
    }
}

$connections = Get-NetTCPConnection -State Established |
    Where-Object { $c2Addresses.ContainsKey($_.RemoteAddress) } |
    ForEach-Object {
        $owningProcess = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            RemoteHost    = $c2Addresses[$_.RemoteAddress]
            State         = $_.State
            OwningProcess = $owningProcess.ProcessName
            PID           = $_.OwningProcess
        }
    }
if ($connections) {
    Write-Host "[!] Found active network connections to known C2 hosts:"
    $connections | Format-Table RemoteAddress, RemoteHost, RemotePort, State, OwningProcess, PID
} else {
    Write-Host "[-] No active connections to known C2 hosts found."
}
```
Response Priorities
- Immediate:
- Block IOCs: Immediately block all domains, hostnames, and IP addresses identified in the IOC Analysis at your firewalls, DNS resolvers, and web proxies.
- Hunt for Malicious Files: Run hash searches in your EDR for the SHA256, MD5 and SHA1 values listed in the Vidar Sigma rule above, and use the hits to scope which systems hold the malicious files. The PowerShell hunt covers scheduled tasks, process names and C2 connections, not file hashes, so it complements rather than replaces the hash search.
- Within 24 Hours:
- Identity Verification: Given the credential-stealing nature of Vidar and KimJongRAT, initiate a review of authentication logs for all users who may have been targeted. Look for anomalous login attempts, especially from new locations or devices. Force password resets for any compromised accounts.
- Within 1 Week:
- Architecture Hardening: Based on the supply chain attack vector, review and harden your software supply chain processes. Implement controls to verify the integrity of software downloads and signed executables, and inventory remote-management agents: MeshAgent and similar tools should only exist where IT deployed them, and the Sigma rule above should be tuned to your sanctioned install paths. Conduct phishing awareness training, specifically highlighting the use of lures related to high-interest topics (e.g., drones, critical events) and the abuse of legitimate services like GitHub.
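The "Hunt for Malicious Files" step above and the scoping use of hashes in the IOC Analysis both come down to hashing files on a host and comparing against the rule's list. As an added example (not the page's own tooling), this does that with the hash entries copied in the Sigma rule's ALGO=hex form, computing all three digests in a single read pass and normalising case so Sysmon-style upper-case hex and report-style lower-case hex compare equal. The scanned directory, its files and the extra watchlist entry in demo() are constructed for the demonstration; on a real host point scope_directory() at the paths of interest and leave the watchlist as the rule's values.

```python
"""Scope a file system for the Vidar hashes listed in the Sigma rule above.
Added example; the scanned directory and its files are constructed in a temp dir."""
import hashlib
import os
import tempfile
from pathlib import Path

# Hash entries exactly as written in the Sigma rule ("ALGO=hex"), so a rule's
# list can be pasted in unchanged.
SIGMA_HASHES = [
    "SHA256=ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3",
    "SHA256=8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25",
    "SHA256=b1834634820ae696f0514ca2b6723061f115857232306e573f4d115bc6ead012",
    "MD5=16a59e1fece21ca5394a8ec9ea596fec",
    "MD5=6da30ad8677b058fad4d3d3031a428ec",
    "MD5=d0a66dd44ee64b76de79cddab13d2745",
    "SHA1=4b5f407f5966f49f8c1005a94a822c83b20fa325",
    "SHA1=52a1b02e4fe0998069c777bec37eb394781e8fda",
]


def parse_hash_list(entries):
    """Return {hashlib name: {lower-case hex}}. Sysmon logs hex in upper case and
    reports in lower case, so everything is normalised before comparison; a
    malformed entry raises rather than silently never matching."""
    table = {}
    for entry in entries:
        algo, sep, digest = entry.partition("=")
        algo, digest = algo.strip().lower(), digest.strip().lower()
        if not sep or algo not in hashlib.algorithms_available:
            raise ValueError(f"bad entry: {entry!r}")
        if len(digest) != 2 * hashlib.new(algo).digest_size or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"bad {algo} digest: {entry!r}")
        table.setdefault(algo, set()).add(digest)
    return table


def hash_file(path, algos, chunk_size=1 << 20):
    """One read pass feeds every requested algorithm, so large binaries are read once."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scope_directory(root, table):
    """Return (path, algo, digest) for every file under root whose digest is in
    table. Files that cannot be read (locked, permission denied) are skipped."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path, table)
            except OSError:
                continue
            hits.extend((path, a, d) for a, d in digests.items() if d in table[a])
    return hits


def demo():
    """Constructed layout: a benign file plus one whose SHA256 is added to the
    watchlist (upper-case, Sysmon style) to show a hit. Returns relative hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.txt").write_bytes(b"nothing to see here\n")
        sample = root / "sub" / "update.exe"
        sample.parent.mkdir()
        sample.write_bytes(b"CONSTRUCTED SAMPLE, not real malware\n")
        extra = "SHA256=" + hashlib.sha256(sample.read_bytes()).hexdigest().upper()
        table = parse_hash_list(SIGMA_HASHES + [extra])
        return [(Path(p).relative_to(root).as_posix(), a)
                for p, a, _ in scope_directory(root, table)]
```

demo() returns [("sub/update.exe", "sha256")]: the constructed sample is found by its SHA256 despite the watchlist entry being upper case, and the benign file is not reported. Hash results from a full-disk walk are the authoritative scoping input; the Sigma rule only fires when a matching file is executed, so a dormant copy on disk is found here and not there.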