Recent OTX pulses indicate a convergence of high-activity threat actors leveraging diverse toolsets to target critical infrastructure and corporate sectors. APT28 (Pawn Storm) is aggressively utilizing the PRISMEX malware suite, exploiting CVE-2026-21509 and CVE-2026-21513 to compromise government and energy sectors in Eastern Europe. Simultaneously, MuddyWater has deployed "DinDoor," a Deno-based backdoor, against finance entities in the US and Russia, marking a shift toward abusing JavaScript runtimes. In parallel, the Void Arachne group (Silver Fox) is weaponizing Japan's tax season with ValleyRAT-laced spearphishing campaigns against manufacturing firms.
Collectively, these campaigns demonstrate a sophisticated blend of zero-day exploitation (APT28), emerging runtime abuse (MuddyWater), and social engineering (Void Arachne).
Threat Actor / Malware Profile
APT28 (Pawn Storm) – PRISMEX Suite
- Distribution: Exploits CVE-2026-21509 and CVE-2026-21513; likely spearphishing.
- Payload Behavior: Utilizes a modular suite (PrismexDrop, PrismexStager, PrismexLoader). Employs advanced steganography to hide payloads within image files.
- C2 Communication: Abuses cloud service infrastructure, specifically observed using filen.io hostnames for command and control.
- Persistence: COM hijacking to maintain access without tripping standard startup autorun checks.
MuddyWater – DinDoor
- Distribution: Malicious MSI installers.
- Payload Behavior: A backdoor that abuses the Deno JavaScript/TypeScript runtime. It executes obfuscated JavaScript, with variants capable of running entirely in memory to evade disk-based scanning.
- C2 Communication: Uses dynamic DNS domains (e.g., DuckDNS) and generates unique victim IDs for fingerprinting.
Void Arachne (Silver Fox) – ValleyRAT
- Distribution: Targeted spearphishing emails with tax compliance and HR themes.
- Payload Behavior: Delivers ValleyRAT, a Remote Access Trojan designed for espionage and data theft.
- Persistence: Standard RAT persistence mechanisms (Registry Run keys/Scheduled Tasks).
IOC Analysis
The provided IOCs span multiple categories requiring distinct triage approaches:
- Network Hostnames (APT28): The filen.io and filen-*.net domains represent a specific C2 infrastructure shift. SOC teams should block these at the perimeter and inspect logs for any historical DNS resolution to these hosts.
- Network Domains (MuddyWater): Indicators include duckdns.org and *.cyou domains. These are often associated with fast-flux botnets or abuse of legitimate dynamic DNS services. Hunting for connections to generic DDNS providers is necessary if specific sinkholing isn't possible.
- File Hashes (DinDoor/ValleyRAT): A significant number of SHA256, MD5, and SHA1 hashes are provided. These should be immediately added to EDR blocking lists.
Operational Guidance:
- SIEM: Correlate the domains with DeviceNetworkEvents to identify potential beaconing.
- EDR: Isolate endpoints matching the provided hashes.
- Network: Sinkhole the filen.io domains if traffic is observed.
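The triage and beaconing steps above, worked through as an added example (this is not code from the brief or from Security Arsenal): hostname indicators are matched on DNS-label boundaries so that filen.io catches api.filen.io but not a look-alike such as profilen.io, the wildcard in filen-*.net stands for one label, hash IOCs are classified by digest length and lower-cased before lookup, and every matched (device, host) pair is scored for beacon-like regular timing using the coefficient of variation of its connection gaps. The two SHA256 values are taken from the brief's IOC list; all log records, device names and the 0.1 threshold are constructed assumptions.

```python
"""Added example, not part of the original brief: triage the IOC classes
listed above against constructed log records. Hostname indicators are matched
on DNS-label boundaries (the apex or any subdomain, '*' standing for one
label), file hashes are classified and case-normalised before lookup, and
each matched (device, host) pair is checked for beacon-like regular timing.
Every log record below is constructed sample data."""
import re
import statistics
from datetime import datetime, timedelta

# Hostname indicators as written in the brief; '*' is a wildcard for one DNS label.
C2_HOST_PATTERNS = ["filen.io", "filen-*.net", "duckdns.org", "*.cyou"]

# SHA256 digests taken from the brief's own IOC list (DinDoor, ValleyRAT).
IOC_HASHES = {
    "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5",
    "244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db",
}


def host_pattern_regex(pattern):
    """Anchored regex for an indicator: 'filen.io' matches filen.io and api.filen.io
    but not profilen.io; 'filen-*.net' matches filen-3.net; '*.cyou' needs a label."""
    body = re.escape(pattern.lower()).replace(r"\*", r"[^.]+")
    return re.compile(r"^(?:[^.]+\.)*" + body + r"$")


_COMPILED = [(p, host_pattern_regex(p)) for p in C2_HOST_PATTERNS]


def match_host(hostname):
    """Return the indicator pattern a hostname matches, or None."""
    host = hostname.lower().rstrip(".")
    for pattern, rx in _COMPILED:
        if rx.match(host):
            return pattern
    return None


def classify_hash(digest):
    """Lower-case a hex digest and name its algorithm by length (SHA256/SHA1/MD5)."""
    d = digest.strip().lower()
    algo = {64: "sha256", 40: "sha1", 32: "md5"}.get(len(d))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", d):
        raise ValueError(f"not a hex digest of a known length: {digest!r}")
    return algo, d


def beacon_cv(timestamps, min_events=4):
    """Coefficient of variation of the gaps between connections; near zero means
    the host is contacted on a fixed schedule. None when there are too few events."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def triage(net_events, file_events, beacon_threshold=0.1):
    """Match events against the IOCs and flag matched hosts with periodic contact."""
    per_pair = {}
    for ev in net_events:
        pattern = match_host(ev["host"])
        if pattern:
            key = (ev["device"], ev["host"].lower(), pattern)
            per_pair.setdefault(key, []).append(ev["ts"])
    beacons = []
    for (dev, host, _), stamps in per_pair.items():
        cv = beacon_cv(stamps)
        if cv is not None and cv < beacon_threshold:
            beacons.append((dev, host))
    hash_hits = []
    for ev in file_events:
        algo, d = classify_hash(ev["hash"])
        if d in IOC_HASHES:
            hash_hits.append((ev["device"], ev["path"], algo))
    return {"matched_hosts": sorted(per_pair), "beacons": sorted(beacons), "hash_hits": hash_hits}


# Constructed telemetry: WS-01 contacts filen-3.net every ~60 s (beacon-like), WS-02 contacts
# api.filen.io irregularly, WS-03 hits a DuckDNS host once, and WS-04's hosts are benign look-alikes.
_T0 = datetime(2026, 4, 29, 10, 0, 0)
NET_EVENTS = [
    *({"ts": _T0 + timedelta(seconds=s), "device": "WS-01", "host": "filen-3.net"}
      for s in (0, 61, 120, 179, 240)),
    *({"ts": _T0 + timedelta(seconds=s), "device": "WS-02", "host": "api.filen.io"}
      for s in (0, 5, 450, 480)),
    {"ts": _T0, "device": "WS-03", "host": "abc.duckdns.org"},
    {"ts": _T0, "device": "WS-04", "host": "profilen.io"},
    {"ts": _T0, "device": "WS-04", "host": "updates.example.com"},
]
FILE_EVENTS = [
    {"device": "WS-01", "path": r"C:\Users\a\Downloads\setup.msi",
     "hash": "2A09BBB3D1DDB729EA7591F197B5955453AA3769C6FB98A5EF60C6E4B7DF23A5"},
    {"device": "WS-02", "path": r"C:\Users\b\Desktop\notes.txt",
     "hash": "d41d8cd98f00b204e9800998ecf8427e"},  # MD5 of the empty file, benign
]

if __name__ == "__main__":
    for key, value in triage(NET_EVENTS, FILE_EVENTS).items():
        print(key, value)
```

Running the block prints the matched hosts, the one pair whose timing is regular enough to call a beacon (WS-01 to filen-3.net) and the single hash hit. The label-anchored matching is the point to carry over into SIEM content: a plain substring test on "filen.io" would also fire on the benign profilen.io record.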
Detection Engineering
```yaml
title: Potential PRISMEX C2 Communication - Filen.io Domains
id: 48c02e5a-9f3c-4b2a-8c1d-123456789012
description: Detects potential network connections to PRISMEX C2 infrastructure using Filen.io domains observed in recent APT28 campaigns.
status: experimental
date: 2026/04/29
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/662f8d7c7e1e8
logsource:
  category: network_connection
detection:
  selection:
    DestinationHostname|contains:
      - 'filen.io'
      - 'filen-1.net'
      - 'filen-2.net'
  condition: selection
falsepositives:
  - Legitimate use of Filen.io cloud storage (rare in enterprise)
level: high
tags:
  - attack.command_and_control
  - apt28
  - prismex
---
title: Deno Runtime Suspicious Execution - DinDoor Activity
id: 92d13f1b-8a4d-4e3c-9b2e-987654321098
description: Detects the execution of Deno runtime with flags indicative of running remote code or eval scripts, associated with DinDoor backdoor activity.
status: experimental
date: 2026/04/29
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/662e95c8e1e8
logsource:
  category: process_creation
detection:
  selection_img:
    Image|endswith:
      - '\deno.exe'
      - '/deno'
  selection_cli:
    CommandLine|contains:
      - ' run '
      - ' eval '
      - ' -A '
  condition: all of selection_*
falsepositives:
  - Developer activity using Deno
level: medium
tags:
  - attack.execution
  - muddywater
  - dindoor
---
title: Suspicious Domain Usage - DuckDNS and Cyou TLDs
id: 11a22b33-c44d-55e6-66f7-778889990000
description: Detects processes connecting to DuckDNS or .cyou domains often used by MuddyWater DinDoor for C2.
status: experimental
date: 2026/04/29
author: Security Arsenal
logsource:
  category: network_connection
detection:
  selection_tld:
    DestinationHostname|endswith:
      - '.duckdns.org'
      - '.cyou'
  selection_suspicious:
    DestinationHostname|contains:
      - 'serialmenot'
      - 'justtalken'
  condition: 1 of selection_*
falsepositives:
  - Legitimate personal DNS usage (should be blocked in corp)
level: high
tags:
  - attack.command_and_control
  - c2
```
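To show exactly which events the three rules above fire on, here is an added example (not from the brief, and not the pySigma library) that implements the small subset of Sigma semantics the rules use: the `contains`, `endswith` and `startswith` field modifiers with case-insensitive matching, AND between fields inside one selection, OR across the listed values, and the `all of selection_*` and `1 of selection_*` conditions. The rules are transcribed as Python dicts; the process and network events are constructed samples.

```python
"""Added example, not from the original brief and not the pySigma library:
a deliberately small evaluator for the subset of Sigma used by the three rules
above (field|modifier selections, 'all of selection_*', '1 of selection_*'),
run over constructed process and network events to show which rule fires on
what. Rules are transcribed from the YAML above; events are constructed."""
import re

RULES = {
    "Potential PRISMEX C2 Communication": {
        "selection": {"DestinationHostname|contains": ["filen.io", "filen-1.net", "filen-2.net"]},
        "condition": "selection",
    },
    "Deno Runtime Suspicious Execution": {
        "selection_img": {"Image|endswith": ["\\deno.exe", "/deno"]},
        "selection_cli": {"CommandLine|contains": [" run ", " eval ", " -A "]},
        "condition": "all of selection_*",
    },
    "Suspicious Domain Usage": {
        "selection_tld": {"DestinationHostname|endswith": [".duckdns.org", ".cyou"]},
        "selection_suspicious": {"DestinationHostname|contains": ["serialmenot", "justtalken"]},
        "condition": "1 of selection_*",
    },
}


def field_matches(event, key, patterns):
    """Sigma string matching: case-insensitive; a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for p in (patterns if isinstance(patterns, list) else [patterns]):
        p = str(p).lower()
        if ((modifier == "contains" and p in value)
                or (modifier == "endswith" and value.endswith(p))
                or (modifier == "startswith" and value.startswith(p))
                or (modifier == "" and value == p)):
            return True
    return False


def selection_matches(event, selection):
    """Every field inside one selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Evaluate the condition: a plain selection name, 'all of prefix*' or '1 of prefix*'."""
    hits = {name: selection_matches(event, sel) for name, sel in rule.items() if name != "condition"}
    cond = rule["condition"].strip()
    m = re.fullmatch(r"(all|1) of (\w+)\*", cond)
    if m:
        group = [hits[n] for n in hits if n.startswith(m.group(2))]
        return all(group) if m.group(1) == "all" else any(group)
    if cond in hits:
        return hits[cond]
    raise ValueError(f"unsupported condition: {cond!r}")


def run_rules(events):
    """Return (rule title, event id) for every rule that fires on every event."""
    return [(title, ev["id"]) for ev in events for title, rule in RULES.items() if evaluate(rule, ev)]


# Constructed events: p1 is a version check (only selection_img matches), p2 runs a local
# script with -A (both selections match), p3 has the flags but the wrong image; n1 is a
# DuckDNS host, n2 is benign, n3 merely contains the string "filen.io".
EVENTS = [
    {"id": "p1", "Image": r"C:\Program Files\deno\deno.exe", "CommandLine": "deno.exe --version"},
    {"id": "p2", "Image": r"C:\Users\bob\AppData\Local\Temp\deno.exe",
     "CommandLine": r"deno.exe run -A C:\Users\bob\AppData\Local\Temp\x.js"},
    {"id": "p3", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c echo run -A "},
    {"id": "n1", "DestinationHostname": "abc.duckdns.org"},
    {"id": "n2", "DestinationHostname": "updates.example.com"},
    {"id": "n3", "DestinationHostname": "myprofilen.io"},
]

if __name__ == "__main__":
    for title, ev_id in run_rules(EVENTS):
        print(f"{ev_id}: {title}")
```

Two things worth noting from the output. The Deno rule stays quiet on p1 and p3 because `all of selection_*` needs both the image and the command-line selection, which is stricter than the KQL hunt below that lists every deno.exe launch. And n3 shows that `DestinationHostname|contains: 'filen.io'` also fires on any hostname that merely embeds the string; if that produces noise, an `endswith` with a leading dot plus an exact match for the apex tightens it.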
```kql
// Hunt for PRISMEX C2 Network Activity
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("filen.io", "filen-1.net", "filen-2.net", "filen-3.net", "filen-4.net", "filen-5.net")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP

// Hunt for DinDoor Process Activity (Deno Runtime)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "deno.exe" or ProcessCommandLine contains "deno"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName

// Hunt for MuddyWater Domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("duckdns.org", ".cyou", ".site")
| extend DomainName = tostring(split(RemoteUrl, "/")[0])
| project Timestamp, DeviceName, InitiatingProcessFileName, DomainName, RemoteIP

// Hunt for ValleyRAT / Silver Fox Hashes
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    "244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db",
    "8c4386cecc89f5f2dee323f2a1e0d9f42a28905be812de14173ca7ee9fc64e72",
    "55b99f0d438800cad8288d81d2808728ce1bec8c22c5346a38a513dc6728b4ba"
)
| project Timestamp, DeviceName, FileName, SHA256, FolderPath
```
```powershell
# IOC Hunt Script for PRISMEX, DinDoor, and ValleyRAT
# Requires Admin privileges
Write-Host "[+] Starting Threat Hunt for OTX Pulses (2026-04-29)..." -ForegroundColor Cyan

# Define IOCs
$MaliciousHashes = @(
    "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5", # DinDoor
    "244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db", # ValleyRAT
    "8c4386cecc89f5f2dee323f2a1e0d9f42a28905be812de14173ca7ee9fc64e72", # ValleyRAT
    "55b99f0d438800cad8288d81d2808728ce1bec8c22c5346a38a513dc6728b4ba"  # ValleyRAT
)
$C2Domains = @(
    "filen.io",
    "filen-1.net",
    "duckdns.org"
)

# 1. Check Hosts File for C2 Domains
Write-Host "[*] Checking Hosts file for C2 indicators..." -ForegroundColor Yellow
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $Content = Get-Content $HostsPath
    foreach ($Domain in $C2Domains) {
        # -match takes a regex, so escape the dots; otherwise "filen.io" also matches "filenxio"
        if ($Content -match [regex]::Escape($Domain)) {
            Write-Host "[!] WARNING: Found $Domain in hosts file!" -ForegroundColor Red
        }
    }
}

# 2. Scan for Malicious Hashes (Simple Scan of Common Folders)
Write-Host "[*] Scanning for malicious file hashes (User Profile & Temp)..." -ForegroundColor Yellow
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:TEMP")
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            try {
                $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash.ToLower()
                if ($MaliciousHashes -contains $Hash) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
                    # Uncomment to quarantine: Remove-Item $_.FullName -Force
                }
            } catch {
                # Ignore access errors (locked or unreadable files)
            }
        }
    }
}

# 3. Check for Registry Persistence (ValleyRAT / DinDoor often use Run keys)
Write-Host "[*] Checking Registry Run keys for suspicious persistence..." -ForegroundColor Yellow
$RunKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($Key in $RunKeys) {
    if (Test-Path $Key) {
        Get-ItemProperty -Path $Key | ForEach-Object {
            # Drop the provider metadata properties so only real Run values are inspected
            $Values = $_.PSObject.Properties | Where-Object {
                $_.Name -notin @("PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider")
            }
            foreach ($Val in $Values) {
                # Check for Deno or script-file paths; "\.js" keeps the dot literal in the regex
                if ($Val.Value -match "deno" -or $Val.Value -match "\.js\b") {
                    Write-Host "[!] Suspicious Run Key Entry in $Key : $($Val.Name) = $($Val.Value)" -ForegroundColor Yellow
                }
            }
        }
    }
}
Write-Host "[+] Hunt Complete." -ForegroundColor Green
```
Response Priorities
- Immediate:
  - Block all filen.io, filen-*.net, and listed DuckDNS domains at the DNS/Web Proxy level.
  - Isolate any endpoints with positive hash matches for DinDoor or ValleyRAT.
  - Apply emergency patches for CVE-2026-21509 and CVE-2026-21513 (if vendor patch is available).
- 24h:
  - Hunt for deno.exe executions across the enterprise; if Deno is not approved software, ban it immediately via application whitelisting.
  - Review email gateways for HR/Tax-themed lures targeting Japanese subsidiaries or contacts.
- 1 Week:
  - Conduct a review of outbound connections to generic cloud storage services (anon files, etc.) to identify potential C2 channel abuse.
  - Update awareness training to include specific lures: "Tax Compliance," "Salary Adjustments," and "Organizational Changes."