216.73.217.22

Operation SalmonSlalom

· Published 26/02/2025 09:26 · Modified 26/02/2025 10:02

Export JSON

Essential information

Published
26/02/2025 09:26
Modified
26/02/2025 10:02
Tags
2025-02-26 dll sideloading fatalrat gh0st rat moudoor mydoor simayrat zegost
Related entities
160 observables, 23 techniques (mitre), 6 malware, 15 others

Description

A sophisticated cyberattack targeting industrial organizations in the Asia-Pacific region has been uncovered. The attackers utilized legitimate Chinese cloud services and a multi-stage payload delivery framework to evade detection. The campaign, named SalmonSlalom, employed techniques such as native file hosting CDN, public packers for encryption, dynamic C2 address changes, and . The attack shares similarities with previous campaigns using open-source RATs like and , but demonstrates a shift in tactics tailored to Chinese-speaking targets. The malware installation process is complex, involving multiple stages and the use of legitimate applications to disguise malicious activity.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (160)

  • 82.156.145.216
  • 81.71.1.107
  • 8.217.0.16
  • 47.57.68.157
  • 43.159.192.196
  • 47.106.224.107
  • 43.155.73.235
  • 43.154.68.193
  • 43.154.238.130
  • 43.139.35.42
  • 43.139.101.11
  • 43.138.199.241
  • 43.138.176.5
  • 206.233.130.141
  • 42.193.242.180
  • 175.178.96.9
  • 175.178.89.24
  • 175.178.166.216
  • 156.236.67.181
  • 154.91.227.32
  • 154.39.238.101
  • 123.207.8.204
  • 139.199.168.63
  • 134.122.137.252
  • 123.207.79.195
  • 123.207.55.60
  • 123.207.44.193
  • 123.207.35.145
  • 123.207.1.145
  • 123.207.16.43
  • 122.152.231.146
  • 120.78.173.89
  • 120.79.91.168
  • 119.29.219.211
  • 114.132.56.175
  • 114.132.46.48
  • 114.132.121.130
  • 111.230.91.145
  • 111.230.93.174
  • 111.230.45.217
  • 111.230.32.52
  • 111.230.108.14
  • 111.230.10.93
  • 107.148.54.105
  • 107.148.52.242
  • 107.148.52.176
  • 106.52.216.112
  • 107.148.50.113
  • 103.144.29.211
  • 103.144.29.123
  • 1.12.37.113
  • 101.33.243.31
  • 154.197.6.103
  • 154.206.236.9
  • 123.207.58.147
  • 119.29.235.38
  • 111.230.15.48
  • 107.148.50.116
  • 107.148.52.241
  • 107.148.50.112
  • http://svp7.net:9874/UltraViewer.exe
  • http://svp7.net:9874/AnyDesk.exe
  • http://82.156.145.216:6000
  • http://81.71.1.107:6000
  • http://8.217.0.16:6000
  • http://47.106.224.107:6000
  • http://47.57.68.157:8080
  • http://43.159.192.196:6000
  • http://43.154.68.193:6000
  • http://43.154.238.130:8081
  • http://43.154.238.130:6000
  • http://43.139.35.42:6000
  • http://43.138.199.241:6000
  • http://43.139.101.11:6000
  • http://42.193.242.180:6000
  • http://43.138.176.5:6000
  • http://206.233.130.141:6000
  • http://175.178.96.9:8081
  • http://175.178.89.24:6000
  • http://175.178.166.216:6000
  • http://156.236.67.181:6000
  • http://154.91.227.32:6000
  • http://154.39.238.101:6000
  • http://154.206.236.9:6000
  • http://139.199.168.63:6000
  • http://154.197.6.103:6000
  • http://134.122.137.252:6000
  • http://123.207.8.204:6000
  • http://123.207.79.195:6000
  • http://123.207.55.60:6000
  • http://123.207.58.147:6000
  • http://123.207.44.193:6000
  • http://123.207.35.145:6000
  • http://123.207.16.43:6000
  • http://123.207.1.145:6000
  • http://122.152.231.146:6000
  • http://120.79.91.168:6000
  • http://120.78.173.89:6000
  • http://119.29.235.38:6000
  • http://119.29.219.211:6000
  • http://114.132.56.175:6000
  • http://114.132.46.48:6000
  • http://114.132.121.130:6000
  • http://111.230.93.174:8081
  • http://111.230.91.145:8081
  • http://111.230.45.217:8081
  • http://111.230.32.52:6000
  • http://111.230.15.48:8081
  • http://111.230.108.14:6000
  • http://111.230.10.93:6000
  • http://107.148.54.105:6000
  • http://107.148.52.242:6000
  • http://107.148.52.241:6000
  • http://107.148.52.176:6000
  • http://107.148.50.113:6000
  • http://107.148.50.112:6000
  • http://107.148.50.116:6000
  • http://106.52.216.112:6000
  • http://103.144.29.211:6000
  • http://103.144.29.123:6000
  • http://101.33.243.31:82/initialsubmission?windows_version=17134&computer_name=MYTEST:DESKTOP-CROB74D
  • http://101.33.243.31:82
  • http://1.12.37.113:8081
  • nbs2012.novadector.xyz
  • 34.kosdage.asia
  • 110.kkftodesk110.top
  • 109.kkftodesk109.top
  • 108.kkftodesk108.top
  • 107.kkftodesk107.top
  • 106.kkftodesk106.top
  • 105.kkftodesk105.top
  • 104.kkftodesk104.top
  • 102.kkftodesk102.top
  • 101.kkftodesk101.top
  • xindajiema.info
  • svp7.net
  • novadector.xyz
  • microsoftmiddlename.tk
  • microsoftupdatesoftware.ga
  • cloudservicesdevc.tk
  • 0a305ffb2a1d41f6870eac02f9afce89.xyz
  • api.youkesdt.asia
  • fd1a608a9e1bfcb845f59fa6b89aa6d27511517d4fb42d3f970f7404dc6ef138
  • cb201744a0f50e72ee4fda9298785fa16bfc4bf639a9474457e429278ff376bc
  • a996e4c18ae4c4563db0767cb230b24279daeb3f62ee62b061d2ee076d81bdfd
  • abb2cb43caecac0ca2dcba15ee1cdcc4499ffad18c06265de2ac2f811166d976
  • a46b8a14d6e95b3c57ddf7c811092672095563bd2e1336598b74c6d314b82e19
  • 9f61bc02326bca563f45642167f5d40a2db0bc40b137bafb3e8c3318db852199
  • 7cb4ea591b3932db13ade1d50a94f1cb3b5ff8034cce2c8733b129d4973db661
  • 7ad450932e55d2bb6c81dd01cb36a3134c12cf4ba51c743f3a88eb955868c1f9
  • 6823b6d1f0ccbc346b061fabcbb556f219ad58e612aaea475178df84a1a9b60c
  • 666981117291cc823e3f34a02f7af4fb3d31507f2a57c3d34391b05cdfcab020
  • 58ed95527d5dae930308dc5862934ba6811216f4cd68f7aac30ed8df0b180eda
  • 55dcd01848a03db4d71876e45397c5395391f708c2445549d26a169a72d9f295
  • 559861ad0be5526819650d26566ad6ca25dd0f54df0a81352006e75a5da3d92b
  • 4609f46c7a9f8fe01fe05eca4cde987e28f68fd9651de113ec87c4e6b03b52c9
  • 07272a51d1f6a7be8c45cc097bf821267d258eb2378d32c95c4601cd000366c9
  • 20a418e0de5890e79c9a628eeebe1208244f5d90d12cf8124f4424c8720299ce
  • 03045010bd0d618e7aa872e952abb987891befdc5ab70b7f82be30d4f64f6f93
  • 013a681ff8c09b5fab6218f4aa493627652c9ec7c6ba88291980b6e00e151201

Techniques (MITRE) (23)

  • T1543.003
    Windows Service
  • T1070.001
    Clear Windows Event Logs
  • T1574.002
  • T1012
    Query Registry
  • T1056.001
    Keylogging
  • T1573
    Encrypted Channel
  • T1547
    Boot or Logon Autostart Execution
  • T1518
    Software Discovery
  • T1218
    System Binary Proxy Execution
  • T1082
    System Information Discovery
  • T1057
    Process Discovery
  • T1105
    Ingress Tool Transfer
  • T1083
    File and Directory Discovery
  • T1071
    Application Layer Protocol
  • T1102
    Web Service
  • T1055
    Process Injection
  • T1140
    Deobfuscate/Decode Files or Information
  • T1132
    Data Encoding
  • T1033
    System Owner/User Discovery
  • T1027
    Obfuscated Files or Information
  • T1053
    Scheduled Task/Job
  • T1112
    Modify Registry
  • T1059
    Command and Scripting Interpreter

Malware (6)

  • Zegost
    Family
    Published 26/02/2025 09:26 · Modified 26/02/2025 09:26
  • SimayRAT
    Family
    Published 26/02/2025 09:26 · Modified 26/02/2025 09:26
  • FatalRAT
    Family
    Published 19/02/2026 16:01 · Modified 19/02/2026 16:01
  • Moudoor
    Family
    Published 19/11/2025 08:54 · Modified 19/11/2025 08:54
  • Mydoor
    Family
    Published 17/04/2026 23:18 · Modified 17/04/2026 23:18
  • gh0st RAT - S0032
    Family
    Published 17/04/2026 23:18 · Modified 17/04/2026 23:18

Others (15)

  • Hong Kong
  • Singapore
  • Taiwan
  • China
  • Thailand
  • Japan
  • Malaysia
  • Philippines
  • Information Technology
  • Construction
  • Healthcare
  • Energy
  • Telecommunications
  • Government
  • Manufacturing

External references