216.73.217.139

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:38 · Modified 21/12/2025 00:08

Essential information

Value / Name
9b692f4614e221f09920cc63da2b6b3ba3c8b53b
Confidence
100/100
Revoked
Yes
Valid from
18/03/2023 19:10
Valid until
20/06/2024 20:10
Pattern type
yara
Published
20/12/2025 19:38
Modified
21/12/2025 00:08
Author / Source
AlienVault

Description

Detects Reaper 2FA phishing webpage

Pattern

rule apt_Reaper_2FA_Phishing_webpage {
    meta:
        id = "348ca2ad-c8f9-4aed-8a27-95caa3a34f4b"
        version = "1.0"
        intrusion_set = "Reaper"
        description = "Detects Reaper 2FA phishing webpage"
        source = "SEKOIA.IO"
        creation_date = "2023-03-09"
        classification = "TLP:WHITE"
    strings:
        $ = "setTimeout(checkUpload,"
        $ = "commChannel.addListener("
        $ = "else if(commType =="
        $ = "?dir=DOWN&method=READ&id="
        $ = "Content : base64_encode(upload_data)"
        $ = "$.post(upHttpRelayer"
        $ = "var ablyUpData = {"
        $ = "initComm();"
        $ = "function Next(arg) {"
    condition:
        3 of them
}

Labels / Tags

Labels: ablygo apt backdoor chinotto chm espionage extremevnc mshta phishing powershell reaper

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.