A comprehensive review of the latest OTX pulses indicates a concerted surge in credential theft operations acting as precursors to ransomware and espionage. The threat landscape is dominated by TA4922, a Chinese-speaking crime group expanding globally with a sophisticated RAT arsenal (Atlas RAT, ValleyRAT), and the emergence of the Avalon framework, which leverages legal-themed phishing to deliver CrownX ransomware. Concurrently, a supply chain attack via malicious VPN browser extensions and a widespread smishing operation ("Error 524 Decoy") are harvesting credentials and clipboard data at scale. Defense evasion techniques, specifically targeting logging and AV services via Mimikatz and ColdFusion exploits, have also been observed.
# Threat Actor & Malware Profile
## TA4922 (Suspected Chinese Crime Group)
- Objective: Global credential theft and espionage, expanding from East Asia to Europe and Africa.
- Malware Families: Atlas RAT, RomulusLoader, SilentRunLoader, ValleyRAT (Winos4.0).
- TTPs: High operational tempo; utilizes loaders to deploy RATs; employs legitimate remote tools (AnyDesk) for persistence.
- Persistence: Establishes C2 channels via observed IPv4 infrastructure; capable of rapid malware switching to evade detection.
## Avalon & CrownX Ransomware
- Objective: Credential theft leading to lateral movement and ransomware deployment.
- Distribution: Phishing emails with spoofed legal documents hosted on Proton Drive.
- Payload: Password-protected archives containing ISO images.
- Execution: Uses MSBuild to execute payloads entirely in memory (fileless), bypassing conventional executable detection. Avalon facilitates credential theft before deploying CrownX.
## Malicious VPN Extensions (Supply Chain)
- Malware: the browser extensions "VPN Go: Free VPN" and "Free VPN by VPN GO".
- Mechanism: Distributed via Chrome Web Store and Firefox Add-ons. Initially benign proxy tools, later updated with "staged updates" to include clipboard stealers.
- Impact: Data exfiltration via specific C2 IPs (e.g., 77.91.123.187).
# IOC Analysis
The provided intelligence combines file artifacts, network infrastructure, and vulnerability identifiers:
- File Hashes (SHA256/MD5/SHA1): A significant volume of hashes (40+) associated with TA4922 loaders, Avalon payloads, and Mimikatz variants. SOC teams should prioritize scanning endpoint telemetry (EDR) against these specific hash values.
- IPv4 Addresses: Infrastructure linked to the VPN clipboard stealers (77.91.123.187, 178.236.252.x) and smishing operations (43.159.168.186, 45.135.162.90). These should be blocked at perimeter firewalls and web proxies.
- CVEs: CVE-2023-26360 and CVE-2023-29298 indicate an active exploitation path against Adobe ColdFusion to deploy webshells and defense impairment tools.
- Operationalization: No bespoke decoders or tooling are required; focus EDR logic on "MSBuild spawning from suspicious parent processes" and "LSASS memory access" patterns.
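The IOC list above mixes hash algorithms and single addresses with a /24 shorthand, and a hunt that compares every value against a SHA256 digest silently misses the MD5 entries. The following added example (not from the report or any vendor) classifies a mixed feed by value type and matches each kind against the right telemetry field; the file content and its MD5 are constructed, the IPs are the ones the report lists.

```python
import hashlib
import ipaddress

# Hex digest length identifies the algorithm, so a mixed feed (the report lists
# SHA256, MD5 and SHA1 values together) is compared against the right digest;
# an MD5 value can never equal a SHA256 digest, whatever the file.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

def classify_iocs(raw):
    """Split a mixed IOC list into ({algo: set(hash)}, set(ip), set(network))."""
    hashes, ips, nets = {}, set(), set()
    for item in raw:
        value = item.strip().lower()
        if value.endswith(".x"):  # report shorthand such as 178.236.252.x
            nets.add(ipaddress.ip_network(value[:-1] + "0/24"))
            continue
        try:
            ips.add(ipaddress.ip_address(value))
            continue
        except ValueError:
            pass
        algo = HASH_ALGOS.get(len(value))
        if algo and all(c in "0123456789abcdef" for c in value):
            hashes.setdefault(algo, set()).add(value)
        # anything else (CVE ids, URL paths) is left for other controls
    return hashes, ips, nets

def match_file(content, hashes):
    """Return (algo, digest) on a hit, hashing only with algorithms the feed uses."""
    for algo, wanted in hashes.items():
        digest = hashlib.new(algo, content).hexdigest()
        if digest in wanted:
            return algo, digest
    return None

def match_ip(remote_ip, ips, nets):
    """True when the remote peer is a listed address or inside a listed block."""
    addr = ipaddress.ip_address(remote_ip)
    return addr in ips or any(addr in net for net in nets)

# Constructed sample: a payload we pretend the feed reported by MD5 only.
SAMPLE_PAYLOAD = b"constructed sample payload, not a real malware file"
FEED = [
    hashlib.md5(SAMPLE_PAYLOAD).hexdigest(),  # MD5-only entry, as in the report
    "77.91.123.187",                          # VPN-extension C2 from the report
    "178.236.252.x",                          # the report's /24 shorthand
    "CVE-2023-26360",                         # neither hash nor IP: skipped
]
HASHES, IPS, NETS = classify_iocs(FEED)
```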
# Detection Engineering
## Sigma Rules
```yaml
title: Potential Avalon Framework Payload Execution
date: 2026/07/03
status: experimental
description: Detects execution of MSBuild from suspicious paths (e.g., inside mounted ISOs or temp directories) associated with Avalon/CrownX infection chains using legal lures.
author: Security Arsenal
references:
  - https://blackpointcyber.com/blog/avalons-path-from-legal-lure-to-crownx-ransom-capabilities/
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\msbuild.exe'
    ParentImage|contains:
      - '\Temp\'
      - 'Desktop'
      - 'Downloads'
    CommandLine|contains: '.iso'
  condition: selection
falsepositives:
  - Legitimate software development from temp directories
level: high
```
```yaml
title: Mimikatz Credential Dumping via LSASS Access
date: 2026/07/03
status: experimental
description: Detects potential credential dumping using Mimikatz or similar tools targeting LSASS memory, associated with Defence Impairment campaigns via ColdFusion exploitation.
author: Security Arsenal
references:
  - https://www.huntress.com/blog/mimikatz-credential-dumping-defence-impairment
tags:
  - attack.credential_access
  - attack.t1003.001
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess:
      - '0x1010'
      - '0x143a'
      - '0x1410'
      - '0x101a'
    SourceImage|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wmiprvse.exe'
  condition: selection
falsepositives:
  - Legitimate antivirus or system management tools accessing lsass
level: critical
```
```yaml
title: Suspicious VPN Extension C2 Connection
date: 2026/07/03
status: experimental
description: Detects network connections to known C2 infrastructure associated with the clipboard stealers bundled into malicious VPN browser extensions.
author: Security Arsenal
references:
  - https://socket.dev/blog/chrome-and-firefox-extensions-free-vpns-add-clipboard-stealers
tags:
  - attack.exfiltration
  - attack.command_and_control
  - attack.t1176   # Browser Extensions
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationIp|contains:
      - '77.91.123.'
      - '178.236.252.'
    DestinationPort: 80
  condition: selection
falsepositives:
  - Rare, legitimate traffic to these specific blocks is unlikely
level: high
```
## KQL (Microsoft Sentinel)
```kql
// Hunt for file hashes associated with TA4922, Avalon, and Mimikatz
let IOCs = dynamic([
    "43dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56",
    "2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d",
    "4b7301f02b8312ae6de614981f325dbbabee32166630618fdff74615d9a487ba",
    "40859ede262098086962ab00c89f02452aa9941c88c7f4ac002db166179980c6"
]);
DeviceFileEvents
| where SHA256 in (IOCs)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
| order by Timestamp desc
```

```kql
// Hunt for network connections to Smishing and VPN C2 infrastructure
let MaliciousIPs = dynamic([
    "43.159.168.186", "43.162.84.202", "43.165.6.36",
    "45.135.162.90", "47.82.154.2", "8.222.134.149",
    "77.91.123.187", "178.236.252.133", "178.236.252.161"
]);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIPs)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName
| order by Timestamp desc
```
## PowerShell Hunt Script
```powershell
<#
.SYNOPSIS
IOC Hunt for Avalon, TA4922, and Mimikatz Hashes.
.DESCRIPTION
Scans the C: drive for the SHA256 and MD5 hashes identified in OTX pulses.
#>
$TargetHashes = @(
    "43dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56",
    "b3b63970833b3379ecec2d3ef8fea328fef8dd1c1574b1bcdfebad5bdce9280c",
    "2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d",
    "0857148fb0bc4aa7adf967ede2307bdb4fc427065d5b6a6db132688a5a8e1eb8",
    "c3587edc48c37656b29bcd3da9458eea",
    "4b7301f02b8312ae6de614981f325dbbabee32166630618fdff74615d9a487ba",
    "40859ede262098086962ab00c89f02452aa9941c88c7f4ac002db166179980c6"
)
# The list mixes SHA256 (64 hex chars) and MD5 (32 hex chars) values; split them so
# each file digest is compared against the matching algorithm instead of never matching.
$Sha256Targets = @($TargetHashes | Where-Object { $_.Length -eq 64 })
$Md5Targets    = @($TargetHashes | Where-Object { $_.Length -eq 32 })

Write-Host "Starting IOC Hunt..." -ForegroundColor Cyan
# $Matches is a PowerShell automatic variable (set by -match), so use a distinct name.
# -File skips directories, which Get-FileHash cannot hash.
$IocMatches = Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Matched = $null
        $Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($Sha256 -in $Sha256Targets) {
            $Matched = $Sha256
        } elseif ($Md5Targets.Count -gt 0) {
            $Md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($Md5 -in $Md5Targets) { $Matched = $Md5 }
        }
        if ($Matched) {
            [PSCustomObject]@{
                Path      = $_.FullName
                Hash      = $Matched
                Detection = "IOC Match"
            }
        }
    }
if ($IocMatches) {
    Write-Host "WARNING: Malicious files detected!" -ForegroundColor Red
    $IocMatches | Format-Table -AutoSize
} else {
    Write-Host "No IOC matches found on local system." -ForegroundColor Green
}
```
# Response Priorities
* **Immediate:**
  * Block all listed IPv4 addresses and `/html/continue.php` URLs at the perimeter.
  * Run the PowerShell hunt script across endpoints to identify dropped payloads (Avalon, RATs, Mimikatz).
  * Isolate hosts with confirmed Mimikatz or ColdFusion exploitation indicators.
* **24 Hours:**
  * **Credential Audit:** Given the prevalence of infostealers (Avalon, VPN extensions, smishing), force a password reset for privileged accounts and monitor for anomalous logon attempts (TA4922 global expansion).
  * Review browser extension lists in enterprise environments for "VPN Go" or "Free VPN by VPN GO" and enforce a blocklist policy.
* **1 Week:**
  * Patch Adobe ColdFusion servers against CVE-2023-26360 and CVE-2023-29298.
  * Update application control policies to block MSBuild execution from user directories (Avalon vector).
  * Implement stricter email filtering for Proton Drive links and legal document lures.