Dragons in Thunder
Published 28/11/2025 07:33 · Modified 21/12/2025 18:16

Essential information
- Tags: 2025-11-28 CVE-2025-4427 CVE-2025-4428 CVE-2025-53770 babuk cyberspionage ivanti krustyloader lockbit rce vulnerabilities russian targets sharepoint sliver thor
- Related entities: 4 vulnerabilities (CVE), 67 observables, 1 intrusion set (APT), 17 techniques (MITRE), 5 malware, 21 others
Description
This report details the activities of two hacker groups, QuietCrabs and Thor, targeting Russian companies. QuietCrabs exploited RCE vulnerabilities in Microsoft SharePoint and Ivanti Endpoint Manager Mobile, using KrustyLoader and Sliver malware. Thor employed more common tools and techniques, attacking around 110 Russian companies across various sectors. Both groups utilized recent vulnerabilities, with QuietCrabs acting within hours of exploit publications. The report highlights the groups' tactics, tools, and targeted industries, emphasizing the need for robust cybersecurity measures to counter such sophisticated attacks.
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Vulnerabilities (CVE) (4)

CVE-2021-27065 (KEV)
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published: 03/11/2021
- Modified: 20/12/2025

CVE-2025-4428 (KEV) · Score 7.2 (High)
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute …
- Attack vector: Network
- Published: 19/05/2025
- Modified: 21/12/2025

CVE-2025-53770 (KEV) · Score 9.8 (Critical)
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …
- Attack vector: Network
- Published: 20/07/2025
- Modified: 21/12/2025

CVE-2025-4427 (KEV) · Score 5.3 (Medium)
Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources …
- Attack vector: Network
- Published: 19/05/2025
- Modified: 21/12/2025
Observables (67)
- 8.211.157.186
- 188.127.241.179
- 91.231.186.5
- 192.121.113.123
- 223.76.236.178
- 213.183.57.51
- 178.128.124.227
- 95.142.40.51
- 64.226.98.34
- 167.172.77.125
- 139.59.39.19
- 216.45.58.177
Intrusion sets (APT) (1)
- AlienVault · Confidence 100
Techniques (MITRE) (17)
- OS Credential Dumping
- Valid Accounts
- Virtualization/Sandbox Evasion
- Masquerading
- Process Injection
- Credentials from Password Stores
- System Network Configuration Discovery
- Data Encrypted for Impact
- Obfuscated Files or Information
- Exploit Public-Facing Application
- Ingress Tool Transfer
- Create Account
Malware (5)
- AlienVault · Confidence 100
- AlienVault · Confidence 100
- Family
- Family
- Family
Others (21)
- Taiwan
- Czechia
- United Kingdom of Great Britain and Northern Ireland
- Philippines
- Germany
- Iran, Islamic Republic of
- United States of America
- Russian Federation
- Manufacturing
- Health
- Government and administrations
- Defense