Cyber Security News
Published 23/09/2020

Nuova campagna Malware Emotet del 23 Settembre 2020. Sono state identificate 3 diverse logiche per la compromissione delle postazioni:

  1. E-Mail con documento Word malevolo in allegato
  2. E-Mail con ZIP (con password) contenente documento Word malevolo
  3. E-Mail con URL per il download del documento Word malevolo

Tutti i documenti Word contengono una Macro malevola per il download e installazione del Trojan Emotet.

Di seguito alcuni dettagli:

Indicatori di Compromissione parziali:

C2: 76.168.54.203:80C2: 174.113.69.136:80C2: 98.13.75.196:80
C2: 51.38.124.206:80C2: 178.250.54.208:8080C2: 185.178.10.77:80
C2: 38.88.126.202:8080C2: 190.2.31.172:80C2: 181.129.96.162:8080
C2: 54.37.42.48:8080C2: 45.16.226.117:443C2: 67.247.242.247:80
C2: 5.196.35.138:7080C2: 50.121.220.50:80C2: 170.81.48.2:80
C2: 177.129.17.170:443C2: 217.13.106.14:8080C2: 199.203.62.165:80
C2: 87.106.46.107:8080C2: 217.199.160.224:7080C2: 204.225.249.100:7080
C2: 68.183.190.199:8080C2: 80.11.164.185:80C2: 77.106.157.34:8080
C2: 185.183.16.47:80C2: 172.104.169.32:8080C2: 68.183.170.114:8080
C2: 186.103.141.250:443C2: 77.90.136.129:8080C2: 45.46.37.97:80
C2: 64.201.88.132:80C2: 123.51.47.18:80C2: 70.32.115.157:8080
C2: 70.32.84.74:8080C2: 82.230.1.24:80C2: 190.163.31.26:80
C2: 68.69.155.181:80C2: 74.58.215.226:80C2: 94.176.234.118:443
C2: 82.76.111.249:443C2: 185.94.252.27:443C2: 95.9.180.128:80
C2: 111.67.12.221:8080C2: 181.30.61.163:443C2: 104.131.103.37:8080
C2: 60.93.23.51:80C2: 111.67.77.202:8080C2: 35.143.99.174:80
C2: 104.131.41.185:8080C2: 96.227.52.8:443C2: 91.105.94.200:80
C2: 92.24.50.153:80C2: 2.36.95.106:80C2: 190.6.193.152:8080
C2: 191.182.6.118:80C2: 78.249.119.122:80C2: 155.186.0.121:80
C2: 61.197.92.216:80C2: 209.236.123.42:8080C2: 219.92.13.25:80
C2: 213.197.182.158:8080C2: 185.215.227.107:443C2: 12.162.84.2:8080
C2: 137.74.106.111:7080C2: 188.135.15.49:80C2: 220.109.145.69:80
C2: 138.97.60.141:7080C2: 83.169.21.32:7080C2: 177.74.228.34:80
C2: 187.162.248.237:80C2: 96.245.123.149:80C2: 77.238.212.227:80
C2: 110.142.219.51:80C2: 216.47.196.104:80C2: 61.92.159.208:8080
C2: 51.159.23.217:443C2: 50.28.51.143:8080C2: 186.70.127.199:8090
C2: 192.241.143.52:8080C2: 5.189.178.202:8080C2: 45.33.77.42:8080
C2: 190.24.243.186:80C2: 74.136.144.133:80C2: 152.169.22.67:80
C2: 51.255.165.160:8080C2: 72.47.248.48:7080C2: 192.241.146.84:8080
C2: 212.71.237.140:8080C2: 190.190.148.27:8080C2: 185.94.252.12:80
C2: 190.115.18.139:8080C2: 189.2.177.210:443C2: 177.73.0.98:443
C2: 65.36.62.20:80
emotetiocmalspamtrojan

Related articles

Malware Analysis
March 23, 2026

Protected: Matanbuchus – Malware Analysis

There is no excerpt because this is a protected post.
charonmalwarematanbuchusmatanbuchus 3.0ransomware
Learn more
Tactical analysis of Storming Tide criminal campaign infrastructure and data exfiltration techniques - image generated by Google Gemini
DefenceFeatured
March 13, 2026

Operation Storming Tide: A massive multi-stage intrusion campaign

In February 2026, the Fortgale Incident Response team investigated a multi-stage intrusion attributed to Mora_001, a Russian-origin threat actor exploiting Fortinet vulnerabilities. The campaign, internally dubbed "FortiSync Quasar," revealed an evolution from ransomware operations to strategic espionage, deploying Matanbuchus 3.0, Astarion RAT, and SystemBC. Rapid containment prevented any data exfiltration.
EspionageForescoutFortgalefortinetmatanbuchusmora_001ransomwarereportSentinelOnestorming tide
Learn more
Defence
January 24, 2026

Protected: Investment-Targeted Phishing: How Phishing Kit Fuels Espionage in Funding Rounds

There is no excerpt because this is a protected post.
phishingpishsurfrockstarrockstar 2fa
Learn more