216.73.216.233

Indicator (IOC)

Type: yara · Status: Revoked · Source: AlienVault · Published 21/12/2025 01:16 · Modified 21/12/2025 01:16

Essential information

Value / Name
975cb9494edbe3f8a0c4ddfcb18e03b034b1188f
Confidence
100/100
Revoked
Yes
Valid from
29/08/2023 16:10
Valid until
01/12/2024 15:10
Pattern type
yara
Published
21/12/2025 01:16
Modified
21/12/2025 01:16
Author / Source
AlienVault

Description

No description.

Pattern

rule M_APT_Backdoor_FOXTROT_1 {
    meta:
        author = "Mandiant"
        md5 = "a28de396aa91b7faca35e861b634c502"
    strings:
        $str1 = "/usr/share/foxdoor/uuid"
        $str2 = "/.mozilla/firefox/"
        $str3 = "hide_foxdoor_mod"
        $str4 = "POST /api/index.cgi"
        $str5 = "7(Zu9YTsA7qQ#vw"
        $str6 = "CONNECT %s:%d HTTP/1.1"
        $str7 = "network.proxy.http_port"
        $str8 = "exec bash --rcfile"
    condition:
        // uint32(0) is read little-endian, so 0x464c457f is the ELF magic "\x7fELF";
        // the rule only fires on an ELF binary that carries every string above
        uint32(0) == 0x464c457f and all of them
}
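The rule above is short enough to evaluate by hand, which is useful when triaging a hit without a YARA engine at hand, or when checking why a suspected sample does not fire. The following Python is an added example and is not part of the AlienVault record or Mandiant's rule: it reproduces the rule's two checks (the little-endian ELF magic at offset 0 and the requirement that all eight strings be present) and reports which strings are missing. The string list is copied verbatim from the rule; the helper names and the sample bytes built by build_sample are constructed for this illustration and are not real FOXTROT artefacts.

```python
import struct

# Strings copied verbatim from M_APT_Backdoor_FOXTROT_1 (the $str1..$str8 definitions).
FOXTROT_STRINGS = [
    b"/usr/share/foxdoor/uuid",
    b"/.mozilla/firefox/",
    b"hide_foxdoor_mod",
    b"POST /api/index.cgi",
    b"7(Zu9YTsA7qQ#vw",
    b"CONNECT %s:%d HTTP/1.1",
    b"network.proxy.http_port",
    b"exec bash --rcfile",
]

# YARA's uint32(0) is a little-endian read, so the literal 0x464c457f in the
# rule corresponds to the on-disk bytes 7f 45 4c 46, i.e. b"\x7fELF".
ELF_MAGIC_LE = 0x464C457F


def is_elf(data: bytes) -> bool:
    """Equivalent of the rule's `uint32(0) == 0x464c457f` check."""
    if len(data) < 4:
        return False
    return struct.unpack_from("<I", data, 0)[0] == ELF_MAGIC_LE


def missing_strings(data: bytes) -> list:
    """Strings from the rule that do not occur anywhere in the buffer."""
    return [s for s in FOXTROT_STRINGS if s not in data]


def matches_foxtrot_rule(data: bytes) -> bool:
    """True only when both rule conditions hold: ELF magic and `all of them`."""
    return is_elf(data) and not missing_strings(data)


def build_sample(elf: bool = True, drop: tuple = ()) -> bytes:
    """Constructed test buffer (hypothetical, not a real binary).

    elf=False swaps in a PE-style 'MZ' header so the magic check fails even
    though every string is present; drop= removes selected strings so the
    `all of them` clause fails instead.
    """
    header = b"\x7fELF" if elf else b"MZ\x90\x00"
    body = b"\x00".join(s for s in FOXTROT_STRINGS if s not in drop)
    return header + b"\x00" * 12 + body


if __name__ == "__main__":
    for label, buf in [
        ("elf, all strings", build_sample()),
        ("non-elf, all strings", build_sample(elf=False)),
        ("elf, one string missing", build_sample(drop=(b"hide_foxdoor_mod",))),
    ]:
        print(f"{label:28s} match={matches_foxtrot_rule(buf)} "
              f"missing={missing_strings(buf)}")
```

If yara-python is installed, the same rule text can be compiled with yara.compile(source=...) and run with .match(data=...) to confirm that this re-implementation agrees with the real engine on each constructed buffer.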

Labels / Tags

Labels: barracuda castletap cve20232868 depthcharge driedmoat foxglove foxtrot ghostemperor skipjack unc3886 unc4841

Marking (TLP)

TLP:CLEAR