216.73.216.6

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:38 · Modified 20/12/2025 23:34

Essential information

Value / Name
5983dc3361dfb765c62119e0836c9b799c11a5cc
Confidence
100/100
Revoked
Yes
Valid from
14/03/2023 04:35
Valid until
16/06/2024 05:35
Pattern type
yara
Published
20/12/2025 19:38
Modified
20/12/2025 23:34
Author / Source
AlienVault

Description

Detects LIDSHIFT implant

Pattern

rule M_APT_Loader_Win_LIDSHIFT_1 {
    meta:
        author = "Mandiant"
        description = "Detects LIDSHIFT implant"
    strings:
        $anchor1 = "%s:%s:%s" ascii
        $encloop = { 83 ?? 3F 72 ?? EB ?? 8D ?? ?? B8 ?? 41 10 04 F7 ?? 8B ?? 2B ?? D1 ?? 03 ?? C1 ?? 05 6B ?? 3F 2B ?? 42 0F ?? ?? ?? 41 ?? ?? }
    condition:
        uint16(0) == 0x5a4d and all of them
}

Labels / Tags

Labels: lidshift lidshot lightshift phish plankwalk sideshow temp.hermit tightvnc viewer touchshift unc2970 wordpress

Marking (TLP)

TLP:CLEAR