CORESHELL

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to malwares

The MITRE Corporation · Published 31/05/2017 23:33 · Modified 27/03/2026 01:05 Family

Essential information

Confidence: 100/100
Is family: Yes
Published: 31/05/2017 23:33
Modified: 27/03/2026 01:05
Revoked: No
Author / Source: The MITRE Corporation
Related entities: 11 attack patterns (mitre), 1 intrusion sets (apt), 7 sectors, 4 countries, 99 indicators, 6 vulnerabilities (cve)

Aliases

Sofacy SOURFACE

Description

[CORESHELL](https://attack.mitre.org/software/S0137) is a downloader used by [APT28](https://attack.mitre.org/groups/G0007). The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)

Marking (TLP)

External references

Securelist Sofacy Feb 2018
FireEye APT28
mitre-attack (S0137)
FireEye APT28 January 2017

Related entities

Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.

Attack patterns (MITRE) (11)

Junk Code Insertion uses

MITRE
T1071.001 uses

Web Protocols MITRE
T1218.011 uses

Rundll32 MITRE
T1071.003 uses

Mail Protocols MITRE
T1132.001 uses

Standard Encoding MITRE
T1027 uses

Obfuscated Files or Information MITRE
T1105 uses

Ingress Tool Transfer MITRE
T1573.001 uses

Symmetric Cryptography MITRE
T1082 uses

System Information Discovery MITRE
Local Storage Discovery uses

MITRE
T1547.001 uses

Registry Run Keys / Startup Folder MITRE

Intrusion sets (APT) (1)

APT28 uses IRON TWILIGHTSNAKEMACKEREL

The MITRE Corporation Confidence 100

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub…

First seen 01/01/1970 · Last seen 16/11/5138 ·

Sectors (7)

Retail targets
Healthcare targets
Manufacturing targets
Defense ministries (including the military) targets
Finance targets
Technology targets
Government targets

Countries (4)

South Africa targets
Central African Republic targets
American Samoa targets
United States of America targets

Indicators (99)

d310f5baa1c39ada9f60b85ed134b7cd99a04d9a8869f24ec9f3bd28ce9de519 indicates

stix 100/100 Revoked

· Valid until 21/06/2025 · Source: AlienVault
d176951b9ff3239b659ad57b729edb0845785e418852ecfeef1669f4c6fed61b indicates

stix 100/100 Revoked

· Valid until 21/06/2025 · Source: AlienVault
35f16e469047cf4ef78f87a616d26ec09e3d6a3d7a51415ea34805549a41dcfa indicates

stix 100/100 Revoked

· Valid until 21/06/2025 · Source: AlienVault
data-dev.helpkaspersky.top indicates

stix 100/100 Revoked

· Valid until 01/07/2025 · Source: AlienVault
tfirstdaily.store indicates

stix 100/100 Revoked

· Valid until 12/01/2025 · Source: AlienVault
2e3645c8441f2be4182869db5ae320da00c513e0cb643142c70a833f529f28aa indicates

stix 100/100 Revoked

· Valid until 21/06/2025 · Source: AlienVault
www.security-microsoft.net indicates

stix 100/100 Revoked

· Valid until 01/07/2025 · Source: AlienVault
15412d1a6b7f79fad45bcd32cf82f9d651d9ccca082f98a0cca3ad5335284e45 indicates

stix 100/100 Revoked

· Valid until 21/06/2025 · Source: AlienVault
484578b6e7e427a151c309bdc00c90b1c0faf25a8581cace55e2c25ec34056e0 indicates

stix 100/100 Revoked

· Valid until 21/06/2025 · Source: AlienVault
5e1839fed3562d559166f7f9d3e388cdd21da83b67ccb70fa4121825b91469d6 indicates

stix 100/100 Revoked

· Valid until 21/06/2025 · Source: AlienVault
dd469fbf68f6bf71e495b3e497e31d17aa1d0af918a943f8637dd3304f840740 indicates

stix 100/100 Revoked

· Valid until 21/06/2025 · Source: AlienVault
bb6afc28d610bfddcd0cf3497c152c081f63137fea9914a1fd461a0706c74288 indicates

stix 100/100 Revoked

· Valid until 21/06/2025 · Source: AlienVault

← Previous

Page / 9

1–12 of 99

Vulnerabilities (CVE) (6)

CVE-2016-5195 KEV targets

7.0 High

Race condition in mm/gup.c in the Linux kernel allows local users to escalate privileges.

Attack vector: LOCAL
Complexity: HIGH
Published: 10/11/2016
Modified: 22/04/2026

CWE-362

CVE-2024-21412 KEV targets

8.1 High

Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass.

Attack vector: Network
Published: 13/02/2024
Modified: 27/05/2026

CVE-2022-21587 KEV targets

9.8 Critical

Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications …

Attack vector: Network
Published: 02/02/2023
Modified: 21/12/2025

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2021-22555 KEV targets

Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap …

Published: 06/10/2025
Modified: 21/12/2025

CVE-2023-32315 KEV targets

8.6 High

Ignite Realtime Openfire contains a path traversal vulnerability that allows an unauthenticated attacker to access restricted pages in the Openfire Admin Console …

Attack vector: Network
Published: 24/08/2023
Modified: 21/12/2025

Contact About Legal notice Privacy policy Terms of use