Threat Summary
Recent OTX pulses reveal a coordinated escalation in credential theft methodologies, moving beyond traditional infostealers to include blockchain-based C2 infrastructure and Adversary-in-the-Middle (AiTM) phishing-as-a-service. The campaigns span diverse sectors:
- Maritime & Manufacturing (South Korea): A RedLine Stealer campaign pivots into a broader Business Email Compromise (BEC) cluster using shared infrastructure (IPs 194.156.79.122, 85.17.40.98) and multiple malware families (Formbook, Metamorfo).
- Hospitality (Japan): The TONResolver malware abuses The Open Network (TON) blockchain as a dead drop resolver to hide C2 infrastructure during phishing attacks against Booking.com partners.
- General Enterprise: The "Blacksite" AiTM kit (sold via Cloaked.gg) actively bypasses MFA, while malicious browser extensions ("VPN Go") hijack clipboards via staged updates.
- Infrastructure Defense: Sophisticated post-exploitation chains involving ColdFusion vulnerabilities (CVE-2023-26360) are delivering steganographic webshells and Mimikatz for defense impairment.
Collectively, these pulses indicate a trend toward "living-off-the-land" cloud abuse (blockchain, CDNs) and infrastructure sharing to evade static detections.
Threat Actor / Malware Profile
1. RedLine Stealer & Associated Cluster
- Distribution: Spear-phishing emails targeting maritime/logistics sectors.
- Behavior: Info-stealing (browser data, credentials, crypto wallets).
- Infrastructure: Pivots between specific C2 IPs on port 55615.
- Persistence: Registry run keys or scheduled tasks (common to Formbook/Metamorfo variants).
2. TONResolver
- Distribution: Phishing emails with malicious ZIP files containing LNK shortcuts posing as photos.
- Behavior: Uses TON blockchain transactions to retrieve C2 addresses (dead drop resolver), bypassing traditional domain blacklisting.
- Target: Japanese hotel industry (Booking.com credential theft).
3. Blacksite (AiTM Phishing Kit)
- Distribution: Phishing-as-a-Service (PhaaS) platform.
- Behavior: Reverse-proxy attack intercepting session cookies and 2FA codes in real-time.
- Evasion: Uses Cloaked.gg to hide malicious URLs from security scanners.
4. Malicious Browser Extensions (VPN Go)
- Distribution: Chrome Web Store and Firefox Add-ons (supply chain).
- Behavior: Initially benign proxy tools, later updated to include clipboard hijacking logic.
IOC Analysis
The provided indicators require immediate triage:
- IPv4 & Ports: High-confidence C2 servers (e.g., 194.156.79.122:55615) associated with RedLine. These should be blocked at the perimeter.
- Domains: Hosts associated with the Blacksite kit (cloaked.gg, allegro-pl.top) and TONResolver (zloapobikahy23.bond, photobook-reserv.pro). These indicate active phishing infrastructure.
- File Hashes (SHA256): Several hashes relate to the ColdFusion webshell/Mimikatz defense impairment campaign. These should be used to scan web servers and temporary directories.
- CVEs: CVE-2023-26360 and CVE-2023-29298 are critical for patching exposed Adobe ColdFusion instances.
Operational Guidance: Feed the IPs and Domains into network firewalls and SIEM correlation rules. Use the file hashes to scan webroot directories and endpoint logs for the steganographic payloads.
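As an added example (not part of the report or of Security Arsenal's tooling), the script below shows one way to turn the network indicators above into a correlation check that a SIEM pipeline or a quick hunt script could run over exported events. It applies three of the report's patterns: RedLine C2 on port 55615, Blacksite/TONResolver hostnames (with subdomain matching, so `login.cloaked.gg` hits but `notcloaked.gg` does not), and the VPN Go update path on the update-server addresses. The one-JSON-object-per-line log format, its field names (`dst_ip`, `dst_port`, `host`, `method`, `uri`) and every sample event are constructed for the demonstration.

```python
"""IOC watchlist matcher over constructed network/proxy events.

Added example for this report; not the report's own tooling. Indicator values are
the ones the report lists; the log schema and sample events are constructed.
"""
import json
from typing import Iterable, List, Optional, Tuple

# RedLine C2 (IP, port) pairs from the report's Sigma rule; the port is part of the match.
REDLINE_C2 = {
    ("194.156.79.122", 55615),
    ("85.17.40.98", 55615),
    ("185.252.24.52", 55615),
    ("176.114.8.101", 55615),
}
# Blacksite and TONResolver hostnames from the report.
PHISHING_DOMAINS = {
    "cloaked.gg", "allegro-pl.site", "allegro-pl.top",
    "zloapobikahy23.bond", "photobook-reserv.pro",
}
# VPN Go update servers: one full address and one /24 prefix, as in the report's rule.
VPNGO_UPDATE_IP = "77.91.123.187"
VPNGO_UPDATE_PREFIX = "178.236.252."
VPNGO_UPDATE_PATH = "/html/continue.php"


def domain_matches(host: str) -> Optional[str]:
    """Return the watchlisted domain if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")          # normalise case and a trailing FQDN dot
    for d in PHISHING_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def classify(event: dict) -> Optional[str]:
    """Return the campaign label an event matches, or None if it matches nothing."""
    dst_ip = str(event.get("dst_ip", ""))
    dst_port = int(event.get("dst_port", 0) or 0)   # tolerate missing or string-typed ports
    if (dst_ip, dst_port) in REDLINE_C2:
        return "redline_c2"
    if domain_matches(str(event.get("host", ""))):
        return "phishing_infra"
    if event.get("method") == "GET" and VPNGO_UPDATE_PATH in str(event.get("uri", "")):
        if dst_ip == VPNGO_UPDATE_IP or dst_ip.startswith(VPNGO_UPDATE_PREFIX):
            return "vpngo_update"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, dict]]:
    """Parse one JSON event per line and collect (label, event) for every hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                       # malformed line: skip it rather than abort the hunt
        label = classify(event)
        if label:
            hits.append((label, event))
    return hits


# Constructed sample events (not real telemetry). Expected hits: lines 1, 3 and 5.
SAMPLE_LOG = """
{"ts":"2026-07-03T08:01:00Z","host":"","dst_ip":"194.156.79.122","dst_port":55615,"proc":"updater.exe"}
{"ts":"2026-07-03T08:01:05Z","host":"","dst_ip":"194.156.79.122","dst_port":443,"proc":"chrome.exe"}
{"ts":"2026-07-03T08:02:00Z","host":"login.cloaked.gg","dst_ip":"203.0.113.7","dst_port":443,"proc":"chrome.exe"}
{"ts":"2026-07-03T08:02:10Z","host":"notcloaked.gg","dst_ip":"203.0.113.8","dst_port":443,"proc":"chrome.exe"}
{"ts":"2026-07-03T08:03:00Z","host":"178.236.252.40","dst_ip":"178.236.252.40","dst_port":80,"method":"GET","uri":"/html/continue.php?v=2","proc":"chrome.exe"}
not json at all
"""

if __name__ == "__main__":
    for label, ev in scan(SAMPLE_LOG.splitlines()):
        print(f"{label:15} {ev.get('ts')} {ev.get('proc')} -> {ev.get('host') or ev.get('dst_ip')}")
```

The second sample line (the RedLine address on port 443) deliberately does not fire: the matcher mirrors the report's Sigma rule, which keys on the 55615 port. If you want the bare IP list to alert on any port, add a separate lower-severity label rather than loosening `redline_c2`, so that the high-confidence port match keeps its severity.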
Detection Engineering
Sigma Rules
```yaml
title: Potential RedLine Stealer C2 Connection
id: 4d8f5a6b-1a2b-4c3d-9e8f-1a2b3c4d5e6f
description: Detects outbound connections to known RedLine Stealer C2 infrastructure on non-standard port 55615.
status: experimental
date: 2026/07/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6684xxxxx/
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
detection:
    selection:
        # Exact match on the full addresses; a prefix match would be wrong for complete IPs.
        DestinationIp:
            - '194.156.79.122'
            - '85.17.40.98'
            - '185.252.24.52'
            - '176.114.8.101'
        DestinationPort: 55615
    condition: selection
falsepositives:
    - Legitimate traffic to these specific IPs (unlikely given port usage)
level: high
---
title: Suspicious Browser Extension Update Activity
id: 5e9f6b7c-2b3c-4d5e-0f9a-2b3c4d5e6f7a
description: Detects processes downloading executable content from IPs associated with the VPN Go malicious update campaign.
status: experimental
date: 2026/07/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6684xxxxx/
tags:
    - attack.initial_access
    - attack.attack_surface
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        cs-uri|contains:
            - '/html/continue.php'
        # The update servers are the destination of the request, so match dst_ip
        # (c-ip in the proxy taxonomy is the client address).
        dst_ip|startswith:
            - '77.91.123.187'
            - '178.236.252.'
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: ColdFusion Steganography Webshell Activity
id: 00000000-0000-0000-0000-000000000000  # placeholder: assign a UUID before deploying
date: 2026/07/03
author: Security Arsenal
status: experimental
description: Detects the presence of file hashes associated with the Defence Impairment campaign utilizing steganography.
references:
    - https://otx.alienvault.com/pulse/6684xxxxx/
tags:
    - attack.persistence
    - attack.t1505
logsource:
    category: file_event
detection:
    selection:
        TargetFilename|contains: 'cfusion'
        Hashes|contains:
            - '40859ede262098086962ab00c89f02452aa9941c88c7f4ac002db166179980c6'
            - '793768ce4fadab044c7502ea5ec4d8e1569283f289dfd73419e119f32d56d0f3'
    condition: selection
falsepositives:
    - Legitimate ColdFusion files (unlikely given specific hashes)
level: critical
```
KQL (Microsoft Sentinel)
```kql
// Hunt for connections to TONResolver and Blacksite infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("zloapobikahy23.bond", "photobook-reserv.pro", "cloaked.gg", "allegro-pl.site", "allegro-pl.top")
    or RemoteIP in ("176.114.8.101", "176.114.8.90", "185.252.24.74")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend FullURL = strcat("http://", RemoteIP, ":", tostring(RemotePort))
```
PowerShell Hunt Script
```powershell
<#
.SYNOPSIS
    Hunt for indicators associated with the RedLine, VPN Extension, and ColdFusion campaigns.
.DESCRIPTION
    Scans the local drive for known malicious SHA256 hashes and lists established
    TCP connections to the RedLine C2 port (55615) together with the owning process.
#>
$MaliciousHashes = @(
    "40859ede262098086962ab00c89f02452aa9941c88c7f4ac002db166179980c6",
    "793768ce4fadab044c7502ea5ec4d8e1569283f289dfd73419e119f32d56d0f3",
    "94cd18f3f030fcc9b259dc410b17ea72a1f9800ee654f8e0f07a87bb9443b593",
    "bd74a00f4d2ec3bf50d13ddf324bb368b2464d547abd0c572ef5e2f77943a920",
    "f0ff36ecdc843351913dbfbd9122b62563894936ff64215a7a2f89181ebdb57f",
    "43dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56",
    "b3b63970833b3379ecec2d3ef8fea328fef8dd1c1574b1bcdfebad5bdce9280c"
)

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan
# Scan C: drive for specific hashes (Note: This is a resource-intensive operation).
# -File keeps directories out of the pipeline, since Get-FileHash cannot hash a directory.
# -contains is case-insensitive, so the upper-case hex Get-FileHash emits still matches.
Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
    Where-Object { $MaliciousHashes -contains $_.Hash } |
    Select-Object Path, Hash |
    Format-Table -AutoSize

Write-Host "[+] Checking for suspicious network connections (Port 55615)..." -ForegroundColor Cyan
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq 55615 } |
    ForEach-Object {
        $process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            ProcessName   = $process.ProcessName
            PID           = $_.OwningProcess
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
        }
    } | Format-Table -AutoSize
```
Response Priorities
- Immediate: Block all identified IP addresses and domains at the perimeter firewall and proxy servers. Specifically, block traffic to/from 194.156.79.122 and the cloaked.gg domain set.
- 24h: Initiate credential resets for identities with potential exposure to the RedLine or Blacksite campaigns. If your organization uses Booking.com or operates in the maritime sector, treat all user credentials in those departments as compromised.
- 1 Week: Patch all Adobe ColdFusion instances against CVE-2023-26360 and CVE-2023-29298. Conduct a review of installed browser extensions, removing any "Free VPN" or "VPN Go" variants.