216.73.217.22

APT-Q-36

· Published 20/12/2025 21:23 · Modified 20/12/2025 21:23 · Source: AlienVault

Essential information

Confidence
100/100
Published
20/12/2025 21:23
Modified
20/12/2025 21:23
Updated at
20/12/2025 21:23
Revoked
No
Author / Source
AlienVault
Resource level
Primary motivation
Related entities
14 attack patterns (mitre), 3 malware, 5 sectors, 1 countries, 13 indicators, 1 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Attack patterns (MITRE) (14)

  • T1053 uses
    Scheduled Task/Job
  • T1056 uses
    Input Capture
  • T1001 uses
    Data Obfuscation
  • T1203 uses
    Exploitation for Client Execution
  • T1592 uses
    Gather Victim Host Information
  • T1204 uses
    User Execution
  • T1059 uses
    Command and Scripting Interpreter
  • T1057 uses
    Process Discovery
  • T1193 uses
  • T1547 uses
    Boot or Logon Autostart Execution
  • T1105 uses
    Ingress Tool Transfer
  • T1056.001 uses
    Keylogging
  • TA0011 uses
  • T1041 uses
    Exfiltration Over C2 Channel

Malware (3)

  • BADNEWS
  • Spyder uses
    Family
    Published 21/03/2025 10:33 · Modified 21/03/2025 10:33
  • Remcos uses
    Family
    Published 05/05/2026 18:45 · Modified 05/05/2026 18:45

Sectors (5)

  • Education targets
  • Defense ministries (including the military) targets
  • Government targets
  • Diplomacy targets
  • Research targets

Countries (1)

  • Pakistan targets

Indicators (13)

  • e9e4ea8998d370199b9dcfab06e17e031764c2d81be912074b8f025484a8ab9b indicates
  • d07adf2032c1274ef810aa9146e0407dbe76335b2121c6f98667f67a90f63ce3 indicates
  • grand123099ggcarnivol.com indicates
  • mfaturk.com indicates
  • morimocanab.com indicates
  • dayspringdesk.xyz indicates
  • fbd567c08b493a4c406fcd4d9a6d7403dc572f9b4c50fc4a56d37982c25dc457 indicates
  • www.wingtiptoys.com indicates
  • 9153c0618803e8799472060ac508135933f551581ede827265c78d644aba08b1 indicates
  • firebasebackups.com indicates
  • http://dayspringdesk.xyz/wfgkl/cvrkaf/xkj/test.xn--phppost:-w39lx09b6hpmxyzx3aj93aorics9e7lo indicates
  • 27b2cbb45e866e8db8bf8933d6749164dc97995351704f0d33f62982a9abf955 indicates
  • omeri12oncloudd.com indicates

Vulnerabilities (CVE) (1)

CVE-2017-11882 KEV
7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector
Local
Complexity
Low
Published
15/11/2017
Modified
29/05/2026