Excerpt: 4BID group leverages ProxyShell/Sliver to target Gov/Healthcare; CL-STA-1132 exploits PAN-OS zero-day; GriefLure hits Vietnam/Philippines.
Threat Summary
Recent OTX pulses indicate a surge in diverse threat activities targeting critical infrastructure and government entities globally. The 4BID hacktivist collective has significantly expanded its operational scope beyond political motivations, targeting the Healthcare, Government, and Manufacturing sectors in Belarus, Russia, Kazakhstan, and the UAE. Their attack chain exploits ProxyShell vulnerabilities to deploy fd.aspx web shells, followed by a "zoo" of modern post-exploitation frameworks including Sliver, Havoc, and Mythic Apollo.
Simultaneously, a likely state-sponsored actor tracked as CL-STA-1132 is actively exploiting a critical buffer overflow vulnerability in PAN-OS (CVE-2026-1340/CVE-2026-1731). Attackers are achieving unauthenticated Remote Code Execution (RCE) with root privileges on PA-Series and VM-Series firewalls to deploy tunneling tools like EarthWorm and ReverseSocks5.
In a separate campaign, Operation GriefLure utilizes sophisticated spear-phishing lures involving legal documents to target military telecom in Vietnam and healthcare in the Philippines, delivering payloads such as sfsvc.exe.
Threat Actor / Malware Profile
Adversary: 4BID & Associated Hacktivists
- Objective: Disruption, espionage, and cross-border targeting.
- Malware/Families: BlackReaperRAT, Warp RAT, Sliver, Havoc, Mythic Apollo, AdaptixC2, ValleyRAT.
- Techniques:
  - Initial Access: Exploitation of Microsoft Exchange ProxyShell vulnerabilities.
  - Persistence: Deployment of fd.aspx web shells.
  - C2: Usage of commercial-grade C2 frameworks (Sliver/Havoc) allowing for modular command and control.
Adversary: CL-STA-1132 (PAN-OS Exploit)
- Objective: Network infiltration and persistence via edge infrastructure.
- Malware/Families: EarthWorm, ReverseSocks5.
- Techniques:
  - Initial Access: Exploitation of the PAN-OS User-ID Authentication Portal buffer overflow (CVE-2026-1340, CVE-2026-1731).
  - Execution: Shellcode injection into nginx processes to gain root privileges.
  - Networking: Establishment of SOCKS5 proxies via EarthWorm to tunnel traffic into the victim's internal network.
Campaign: Operation GriefLure
- Target: Viettel Group (Vietnam), St. Luke's Medical Center (Philippines).
- Malware: sfsvc.exe, 360.dll.
- Techniques: Spear-phishing with weaponized legal documents and fraudulent whistleblower complaints.
IOC Analysis
The provided indicators of compromise (IOCs) span multiple vectors requiring immediate attention:
- CVEs: Multiple CVEs were identified, including CVE-2026-1340 and CVE-2026-1731 (PAN-OS RCE) and CVE-2023-44976. SOC teams must prioritize patching PAN-OS firewalls immediately.
- Network Infrastructure: C2 IPs such as 185.221.153.121 and 45.112.194.82 are associated with the 4BID campaigns. The domain www.whatsappcenter.com is linked to GriefLure phishing.
- File Hashes: A significant volume of MD5 and SHA256 hashes (e.g., 008cd423ca45134d3343f66cced1d104, 197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6) correspond to the various RAT and payload loaders. These should be blocked in EDR solutions and used to retro-hunt endpoint logs.
Operationalization:
- Firewalls: Block listed IP ranges and the malicious domain.
- EDR: Add the listed file hashes to block lists and retro-hunt for prior executions.
- SIEM: Correlate web logs for fd.aspx access with process creation events on Exchange servers (child processes of the IIS worker w3wp.exe shortly after the request).
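The SIEM correlation above can be prototyped offline before it becomes a SIEM query. The Python below is an added example, not code from the original report or from Security Arsenal: it parses constructed IIS W3C log lines for requests to fd.aspx and pairs each hit with constructed process-creation events on the same Exchange host whose parent is w3wp.exe within a 60-second window. The host name EXCH01, the log field layout and the events are assumptions.

```python
"""Added example: correlate fd.aspx web-log hits with process creation on an Exchange host."""
from datetime import datetime, timedelta

# Constructed IIS W3C log sample; the #Fields header drives the column mapping.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2026-06-10 08:14:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 10.0.0.77 200
2026-06-10 08:15:30 10.0.0.5 POST /aspnet_client/fd.aspx - 443 185.221.153.121 200
2026-06-10 08:20:11 10.0.0.5 GET /ecp/default.aspx - 443 10.0.0.78 200
"""

# Constructed process-creation events (fields as exported from Sysmon EID 1 / Security 4688).
PROC_EVENTS = [
    {"time": "2026-06-10 08:15:31", "host": "EXCH01", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"time": "2026-06-10 08:15:33", "host": "EXCH01", "parent": "w3wp.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -c Get-Process"},
    {"time": "2026-06-10 09:00:00", "host": "EXCH01", "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe"},
]
FMT = "%Y-%m-%d %H:%M:%S"

def parse_iis(log_text):
    """Yield (timestamp, client_ip, uri_stem) per data line, mapping columns via the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            yield datetime.strptime(f"{rec['date']} {rec['time']}", FMT), rec["c-ip"], rec["cs-uri-stem"]

def webshell_hits(log_text, shell="fd.aspx"):
    """Requests whose URI stem ends in the web-shell filename (case-insensitive)."""
    return [hit for hit in parse_iis(log_text) if hit[2].lower().endswith("/" + shell)]

def correlate(log_text, events, host, window=timedelta(seconds=60)):
    """Pair each web-shell request with w3wp.exe child processes on `host` started within `window`."""
    alerts = []
    for ts, client_ip, uri in webshell_hits(log_text):
        for ev in events:
            started = datetime.strptime(ev["time"], FMT)
            if ev["host"] == host and ev["parent"].lower() == "w3wp.exe" and ts <= started <= ts + window:
                alerts.append({"request_time": ts.strftime(FMT), "client_ip": client_ip, "uri": uri,
                               "child": ev["image"], "cmdline": ev["cmdline"]})
    return alerts
```

Each returned alert ties the requesting client IP and URI to the spawned child process and its command line, which is the evidence a triage analyst needs to confirm a web shell is live rather than merely present on disk.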
Detection Engineering
Sigma Rules
---
title: Potential ProxyShell Webshell Access
id: 85e0d7e8-6f7a-4e3c-9a1a-2c6d7a1f1e1b
description: Detects access to fd.aspx web shells often dropped after ProxyShell exploitation.
status: experimental
date: 2026/06/10
author: Security Arsenal
references:
  - https://otx.alienvault.com/
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2021.26855
  - cve.2021.27065
logsource:
  category: webserver
  product: iis
detection:
  selection:
    cs-uri-stem|contains: '/fd.aspx'
  condition: selection
falsepositives:
  - Unknown
level: critical
---
title: EarthWorm Tunneling Tool Execution
id: 3a1b2c3d-4e5f-6789-0a1b-2c3d4e5f6789
description: Detects command line parameters associated with EarthWorm tunneling tool used by CL-STA-1132.
status: experimental
date: 2026/06/10
author: Security Arsenal
references:
  - https://otx.alienvault.com/
tags:
  - attack.command_and_control
  - attack.t1572
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\ew.exe'
    - OriginalFileName: 'ew.exe'
  selection_cli:
    CommandLine|contains:
      - '-s rcsocks'
      - '-s rssocks'
      - '-s lcx_listen'
      - '-s lcx_tran'
  condition: 1 of selection_*
falsepositives:
  - Legitimate admin usage of tunneling tools
level: high
# A Sigma rule has exactly one logsource and a YAML map cannot hold a bare "or",
# so the sfsvc.exe process check and the 360.dll load check are two rules.
title: Operation GriefLure Malware Execution
id: b4c5d6e7-f8a9-0b1c-2d3e-4f5a6b7c8d9e
description: Detects execution of sfsvc.exe associated with Operation GriefLure. Loading of 360.dll is covered by the companion image_load rule.
status: experimental
date: 2026/06/10
author: Security Arsenal
references:
  - https://otx.alienvault.com/
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\sfsvc.exe'
  condition: selection
falsepositives:
  - Rare legitimate software
level: high
---
title: Operation GriefLure DLL Load
id: 00000000-0000-0000-0000-000000000000  # placeholder: assign a fresh UUID before deployment
description: Detects loading of 360.dll associated with Operation GriefLure (ImageLoaded is an image_load field, not a process_creation field).
status: experimental
date: 2026/06/10
author: Security Arsenal
references:
  - https://otx.alienvault.com/
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: image_load
  product: windows
detection:
  selection:
    ImageLoaded|endswith: '\360.dll'
  condition: selection
falsepositives:
  - Rare legitimate software
level: high
KQL (Microsoft Sentinel)
// Hunt 1: GriefLure and 4BID file hashes in process events.
// KQL "in" requires parentheses around the dynamic array; in~ makes the match case-insensitive.
let IOCs = dynamic(["008cd423ca45134d3343f66cced1d104", "038cab0c60c53cf12f048272014024c0", "06bed0a0906e52c764b3b7016d6a4428", "08c069f133ac27cbc02a0ed79e4e87ba", "6c6cbed6aad96564ed87094785be07a1", "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6"]);
DeviceProcessEvents
| where SHA256 in~ (IOCs) or MD5 in~ (IOCs)
// extend before project so FolderPath is still in scope
| extend Threat = iff(FolderPath contains "sfsvc", "GriefLure", "4BID/RAT")
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, SHA256, MD5, InitiatingProcessFileName, Threat

// Hunt 2 (run as a separate query; a single KQL query ends in one tabular expression): network connections to malicious IPs.
let MaliciousIPs = dynamic(["185.221.153.121", "45.112.194.82", "138.226.236.52"]);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIPs)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName
PowerShell Hunt Script
<#
.SYNOPSIS
    Hunt script for 4BID Webshells and GriefLure Payloads
.DESCRIPTION
    Scans the file system for IOCs related to the June 2026 OTX Pulses.
    Run elevated on Exchange servers and suspected endpoints.
#>
$MD5Hashes = @(
    "008cd423ca45134d3343f66cced1d104",
    "038cab0c60c53cf12f048272014024c0",
    "06bed0a0906e52c764b3b7016d6a4428",
    "08c069f133ac27cbc02a0ed79e4e87ba",
    "6c6cbed6aad96564ed87094785be07a1"
)
$SHA256Hashes = @(
    "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6",
    "35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43",
    "61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f",
    "7f80add94ee8107a79c87a9b4ccbd33e39eccd1596748a5b88629dd6ac11b86d",
    "91a15554ec9e49c00c5ca301f276bd79d346968651d54204743a08a3ca8a5067"
)

Write-Host "[+] Hunting for 4BID Webshells (fd.aspx)..." -ForegroundColor Cyan
$ExchangePaths = @("C:\inetpub\wwwroot\", "D:\inetpub\wwwroot\")
foreach ($path in $ExchangePaths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -File -Filter "fd.aspx" -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host "[!] ALERT: Webshell found at $($_.FullName)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Hunting for GriefLure Payloads (sfsvc.exe)..." -ForegroundColor Cyan
Get-CimInstance Win32_Process -Filter "Name='sfsvc.exe'" | ForEach-Object {
    Write-Host "[!] ALERT: Malicious process running PID $($_.ProcessId) at $($_.ExecutablePath)" -ForegroundColor Red
}

Write-Host "[+] Scanning specific file locations for IOCs..." -ForegroundColor Cyan
$UserDirs = @("C:\Users\", "C:\ProgramData\")
foreach ($dir in $UserDirs) {
    if (-not (Test-Path $dir)) { continue }
    # Hash each candidate file once and look the digest up in both IOC lists.
    # -in compares case-insensitively, so Get-FileHash's uppercase output matches the lowercase IOCs.
    Get-ChildItem -Path $dir -Recurse -File -Include *.exe,*.dll -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        $sha256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($sha256 -in $SHA256Hashes) {
            Write-Host "[!] ALERT: Malicious file (SHA256 match) found at $file" -ForegroundColor Red
            return  # inside ForEach-Object, return moves on to the next file
        }
        $md5 = (Get-FileHash -LiteralPath $file -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($md5 -in $MD5Hashes) {
            Write-Host "[!] ALERT: Malicious file (MD5 match) found at $file" -ForegroundColor Red
        }
    }
}
Write-Host "[+] Hunt complete."
Response Priorities
- Immediate (0-4h):
  - Block all listed IP addresses and www.whatsappcenter.com at the perimeter.
  - Identify and isolate any systems running PAN-OS versions vulnerable to CVE-2026-1340/CVE-2026-1731 and apply emergency patches or mitigations.
- 24h:
  - Perform a forensic triage of Exchange servers to detect fd.aspx webshells.
  - Hunt for the execution of sfsvc.exe and the presence of the listed file hashes across endpoints.
- 1 Week:
  - Conduct a review of external-facing Exchange server security configurations.
  - Implement strict segmentation for User-ID authentication portals on firewalls.
  - Review email filtering rules for keywords related to "legal documents" and "whistleblower" to mitigate GriefLure phishing.