{
  "name": "Operation SalmonSlalom",
  "slug": "operation-salmonslalom",
  "description": "A sophisticated cyberattack targeting industrial organizations in the Asia-Pacific region has been uncovered. The attackers used legitimate Chinese cloud services and a multi-stage payload delivery framework to evade detection. The campaign, named SalmonSlalom, employed techniques such as use of a native file-hosting CDN, public packers for encryption, dynamically changing C2 addresses, and DLL sideloading. The attack shares similarities with previous campaigns that used open-source RATs like Gh0st RAT and FatalRAT, but it demonstrates a shift in tactics tailored to Chinese-speaking targets. The malware installation process is complex, involving multiple stages and the use of legitimate applications to disguise malicious activity.",
  "published": "2025-02-26T08:26:10+00:00",
  "created_at": "2025-02-26T08:26:10+00:00",
  "modified_at": "2025-02-26T09:02:18+00:00",
  "created_at_opencti": "2025-02-26T08:26:10+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-02-26",
    "dll sideloading",
    "fatalrat",
    "gh0st rat",
    "moudoor",
    "mydoor",
    "simayrat",
    "zegost"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "82.156.145.216"
      },
      {
        "id": "",
        "name": "81.71.1.107"
      },
      {
        "id": "",
        "name": "8.217.0.16"
      },
      {
        "id": "",
        "name": "47.57.68.157"
      },
      {
        "id": "",
        "name": "43.159.192.196"
      },
      {
        "id": "",
        "name": "47.106.224.107"
      },
      {
        "id": "",
        "name": "43.155.73.235"
      },
      {
        "id": "",
        "name": "43.154.68.193"
      },
      {
        "id": "",
        "name": "43.154.238.130"
      },
      {
        "id": "",
        "name": "43.139.35.42"
      },
      {
        "id": "",
        "name": "43.139.101.11"
      },
      {
        "id": "",
        "name": "43.138.199.241"
      },
      {
        "id": "",
        "name": "43.138.176.5"
      },
      {
        "id": "",
        "name": "206.233.130.141"
      },
      {
        "id": "",
        "name": "42.193.242.180"
      },
      {
        "id": "",
        "name": "175.178.96.9"
      },
      {
        "id": "",
        "name": "175.178.89.24"
      },
      {
        "id": "",
        "name": "175.178.166.216"
      },
      {
        "id": "",
        "name": "156.236.67.181"
      },
      {
        "id": "",
        "name": "154.91.227.32"
      },
      {
        "id": "",
        "name": "154.39.238.101"
      },
      {
        "id": "",
        "name": "123.207.8.204"
      },
      {
        "id": "",
        "name": "139.199.168.63"
      },
      {
        "id": "",
        "name": "134.122.137.252"
      },
      {
        "id": "",
        "name": "123.207.79.195"
      },
      {
        "id": "",
        "name": "123.207.55.60"
      },
      {
        "id": "",
        "name": "123.207.44.193"
      },
      {
        "id": "",
        "name": "123.207.35.145"
      },
      {
        "id": "",
        "name": "123.207.1.145"
      },
      {
        "id": "",
        "name": "123.207.16.43"
      },
      {
        "id": "",
        "name": "122.152.231.146"
      },
      {
        "id": "",
        "name": "120.78.173.89"
      },
      {
        "id": "",
        "name": "120.79.91.168"
      },
      {
        "id": "",
        "name": "119.29.219.211"
      },
      {
        "id": "",
        "name": "114.132.56.175"
      },
      {
        "id": "",
        "name": "114.132.46.48"
      },
      {
        "id": "",
        "name": "114.132.121.130"
      },
      {
        "id": "",
        "name": "111.230.91.145"
      },
      {
        "id": "",
        "name": "111.230.93.174"
      },
      {
        "id": "",
        "name": "111.230.45.217"
      },
      {
        "id": "",
        "name": "111.230.32.52"
      },
      {
        "id": "",
        "name": "111.230.108.14"
      },
      {
        "id": "",
        "name": "111.230.10.93"
      },
      {
        "id": "",
        "name": "107.148.54.105"
      },
      {
        "id": "",
        "name": "107.148.52.242"
      },
      {
        "id": "",
        "name": "107.148.52.176"
      },
      {
        "id": "",
        "name": "106.52.216.112"
      },
      {
        "id": "",
        "name": "107.148.50.113"
      },
      {
        "id": "",
        "name": "103.144.29.211"
      },
      {
        "id": "",
        "name": "103.144.29.123"
      },
      {
        "id": "",
        "name": "1.12.37.113"
      },
      {
        "id": "",
        "name": "101.33.243.31"
      },
      {
        "id": "",
        "name": "154.197.6.103"
      },
      {
        "id": "",
        "name": "154.206.236.9"
      },
      {
        "id": "",
        "name": "123.207.58.147"
      },
      {
        "id": "",
        "name": "119.29.235.38"
      },
      {
        "id": "",
        "name": "111.230.15.48"
      },
      {
        "id": "",
        "name": "107.148.50.116"
      },
      {
        "id": "",
        "name": "107.148.52.241"
      },
      {
        "id": "",
        "name": "107.148.50.112"
      },
      {
        "id": "",
        "name": "http://svp7.net:9874/UltraViewer.exe"
      },
      {
        "id": "",
        "name": "http://svp7.net:9874/AnyDesk.exe"
      },
      {
        "id": "",
        "name": "http://82.156.145.216:6000"
      },
      {
        "id": "",
        "name": "http://81.71.1.107:6000"
      },
      {
        "id": "",
        "name": "http://8.217.0.16:6000"
      },
      {
        "id": "",
        "name": "http://47.106.224.107:6000"
      },
      {
        "id": "",
        "name": "http://47.57.68.157:8080"
      },
      {
        "id": "",
        "name": "http://43.159.192.196:6000"
      },
      {
        "id": "",
        "name": "http://43.154.68.193:6000"
      },
      {
        "id": "",
        "name": "http://43.154.238.130:8081"
      },
      {
        "id": "",
        "name": "http://43.154.238.130:6000"
      },
      {
        "id": "",
        "name": "http://43.139.35.42:6000"
      },
      {
        "id": "",
        "name": "http://43.138.199.241:6000"
      },
      {
        "id": "",
        "name": "http://43.139.101.11:6000"
      },
      {
        "id": "",
        "name": "http://42.193.242.180:6000"
      },
      {
        "id": "",
        "name": "http://43.138.176.5:6000"
      },
      {
        "id": "",
        "name": "http://206.233.130.141:6000"
      },
      {
        "id": "",
        "name": "http://175.178.96.9:8081"
      },
      {
        "id": "",
        "name": "http://175.178.89.24:6000"
      },
      {
        "id": "",
        "name": "http://175.178.166.216:6000"
      },
      {
        "id": "",
        "name": "http://156.236.67.181:6000"
      },
      {
        "id": "",
        "name": "http://154.91.227.32:6000"
      },
      {
        "id": "",
        "name": "http://154.39.238.101:6000"
      },
      {
        "id": "",
        "name": "http://154.206.236.9:6000"
      },
      {
        "id": "",
        "name": "http://139.199.168.63:6000"
      },
      {
        "id": "",
        "name": "http://154.197.6.103:6000"
      },
      {
        "id": "",
        "name": "http://134.122.137.252:6000"
      },
      {
        "id": "",
        "name": "http://123.207.8.204:6000"
      },
      {
        "id": "",
        "name": "http://123.207.79.195:6000"
      },
      {
        "id": "",
        "name": "http://123.207.55.60:6000"
      },
      {
        "id": "",
        "name": "http://123.207.58.147:6000"
      },
      {
        "id": "",
        "name": "http://123.207.44.193:6000"
      },
      {
        "id": "",
        "name": "http://123.207.35.145:6000"
      },
      {
        "id": "",
        "name": "http://123.207.16.43:6000"
      },
      {
        "id": "",
        "name": "http://123.207.1.145:6000"
      },
      {
        "id": "",
        "name": "http://122.152.231.146:6000"
      },
      {
        "id": "",
        "name": "http://120.79.91.168:6000"
      },
      {
        "id": "",
        "name": "http://120.78.173.89:6000"
      },
      {
        "id": "",
        "name": "http://119.29.235.38:6000"
      },
      {
        "id": "",
        "name": "http://119.29.219.211:6000"
      },
      {
        "id": "",
        "name": "http://114.132.56.175:6000"
      },
      {
        "id": "",
        "name": "http://114.132.46.48:6000"
      },
      {
        "id": "",
        "name": "http://114.132.121.130:6000"
      },
      {
        "id": "",
        "name": "http://111.230.93.174:8081"
      },
      {
        "id": "",
        "name": "http://111.230.91.145:8081"
      },
      {
        "id": "",
        "name": "http://111.230.45.217:8081"
      },
      {
        "id": "",
        "name": "http://111.230.32.52:6000"
      },
      {
        "id": "",
        "name": "http://111.230.15.48:8081"
      },
      {
        "id": "",
        "name": "http://111.230.108.14:6000"
      },
      {
        "id": "",
        "name": "http://111.230.10.93:6000"
      },
      {
        "id": "",
        "name": "http://107.148.54.105:6000"
      },
      {
        "id": "",
        "name": "http://107.148.52.242:6000"
      },
      {
        "id": "",
        "name": "http://107.148.52.241:6000"
      },
      {
        "id": "",
        "name": "http://107.148.52.176:6000"
      },
      {
        "id": "",
        "name": "http://107.148.50.113:6000"
      },
      {
        "id": "",
        "name": "http://107.148.50.112:6000"
      },
      {
        "id": "",
        "name": "http://107.148.50.116:6000"
      },
      {
        "id": "",
        "name": "http://106.52.216.112:6000"
      },
      {
        "id": "",
        "name": "http://103.144.29.211:6000"
      },
      {
        "id": "",
        "name": "http://103.144.29.123:6000"
      },
      {
        "id": "",
        "name": "http://101.33.243.31:82/initialsubmission?windows_version=17134&computer_name=MYTEST:DESKTOP-CROB74D"
      },
      {
        "id": "",
        "name": "http://101.33.243.31:82"
      },
      {
        "id": "",
        "name": "http://1.12.37.113:8081"
      },
      {
        "id": "",
        "name": "nbs2012.novadector.xyz"
      },
      {
        "id": "",
        "name": "34.kosdage.asia"
      },
      {
        "id": "",
        "name": "110.kkftodesk110.top"
      },
      {
        "id": "",
        "name": "109.kkftodesk109.top"
      },
      {
        "id": "",
        "name": "108.kkftodesk108.top"
      },
      {
        "id": "",
        "name": "107.kkftodesk107.top"
      },
      {
        "id": "",
        "name": "106.kkftodesk106.top"
      },
      {
        "id": "",
        "name": "105.kkftodesk105.top"
      },
      {
        "id": "",
        "name": "104.kkftodesk104.top"
      },
      {
        "id": "",
        "name": "102.kkftodesk102.top"
      },
      {
        "id": "",
        "name": "101.kkftodesk101.top"
      },
      {
        "id": "",
        "name": "xindajiema.info"
      },
      {
        "id": "",
        "name": "svp7.net"
      },
      {
        "id": "",
        "name": "novadector.xyz"
      },
      {
        "id": "",
        "name": "microsoftmiddlename.tk"
      },
      {
        "id": "",
        "name": "microsoftupdatesoftware.ga"
      },
      {
        "id": "",
        "name": "cloudservicesdevc.tk"
      },
      {
        "id": "",
        "name": "0a305ffb2a1d41f6870eac02f9afce89.xyz"
      },
      {
        "id": "",
        "name": "api.youkesdt.asia"
      },
      {
        "id": "",
        "name": "fd1a608a9e1bfcb845f59fa6b89aa6d27511517d4fb42d3f970f7404dc6ef138"
      },
      {
        "id": "",
        "name": "cb201744a0f50e72ee4fda9298785fa16bfc4bf639a9474457e429278ff376bc"
      },
      {
        "id": "",
        "name": "a996e4c18ae4c4563db0767cb230b24279daeb3f62ee62b061d2ee076d81bdfd"
      },
      {
        "id": "",
        "name": "abb2cb43caecac0ca2dcba15ee1cdcc4499ffad18c06265de2ac2f811166d976"
      },
      {
        "id": "",
        "name": "a46b8a14d6e95b3c57ddf7c811092672095563bd2e1336598b74c6d314b82e19"
      },
      {
        "id": "",
        "name": "9f61bc02326bca563f45642167f5d40a2db0bc40b137bafb3e8c3318db852199"
      },
      {
        "id": "",
        "name": "7cb4ea591b3932db13ade1d50a94f1cb3b5ff8034cce2c8733b129d4973db661"
      },
      {
        "id": "",
        "name": "7ad450932e55d2bb6c81dd01cb36a3134c12cf4ba51c743f3a88eb955868c1f9"
      },
      {
        "id": "",
        "name": "6823b6d1f0ccbc346b061fabcbb556f219ad58e612aaea475178df84a1a9b60c"
      },
      {
        "id": "",
        "name": "666981117291cc823e3f34a02f7af4fb3d31507f2a57c3d34391b05cdfcab020"
      },
      {
        "id": "",
        "name": "58ed95527d5dae930308dc5862934ba6811216f4cd68f7aac30ed8df0b180eda"
      },
      {
        "id": "",
        "name": "55dcd01848a03db4d71876e45397c5395391f708c2445549d26a169a72d9f295"
      },
      {
        "id": "",
        "name": "559861ad0be5526819650d26566ad6ca25dd0f54df0a81352006e75a5da3d92b"
      },
      {
        "id": "",
        "name": "4609f46c7a9f8fe01fe05eca4cde987e28f68fd9651de113ec87c4e6b03b52c9"
      },
      {
        "id": "",
        "name": "07272a51d1f6a7be8c45cc097bf821267d258eb2378d32c95c4601cd000366c9"
      },
      {
        "id": "",
        "name": "20a418e0de5890e79c9a628eeebe1208244f5d90d12cf8124f4424c8720299ce"
      },
      {
        "id": "",
        "name": "03045010bd0d618e7aa872e952abb987891befdc5ab70b7f82be30d4f64f6f93"
      },
      {
        "id": "",
        "name": "013a681ff8c09b5fab6218f4aa493627652c9ec7c6ba88291980b6e00e151201"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:84f35c4cb9f083d3",
        "name": "Zegost",
        "slug": "zegost"
      },
      {
        "id": "legacy:malware:2ca7ad0b8b67f836",
        "name": "SimayRAT",
        "slug": "simayrat"
      },
      {
        "id": "legacy:malware:e743891f230591b5",
        "name": "FatalRAT",
        "slug": "fatalrat"
      },
      {
        "id": "db3270fd-1a2b-4c8f-b6b5-9332b19e2c3a",
        "name": "Moudoor",
        "slug": "moudoor"
      },
      {
        "id": "legacy:malware:0289513ffc269da1",
        "name": "Mydoor",
        "slug": "mydoor"
      },
      {
        "id": "legacy:malware:061958664c91b28b",
        "name": "gh0st RAT - S0032",
        "slug": "gh0st-rat-s0032"
      }
    ],
    "attack_patterns": [
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "da44e22e-1925-42e4-b30d-ac38860d39bb",
        "name": "T1070.001"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Hong Kong"
      },
      {
        "id": "",
        "name": "Singapore"
      },
      {
        "id": "",
        "name": "Taiwan"
      },
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "Thailand"
      },
      {
        "id": "",
        "name": "Japan"
      },
      {
        "id": "",
        "name": "Malaysia"
      },
      {
        "id": "",
        "name": "Philippines"
      },
      {
        "id": "",
        "name": "Information Technology"
      },
      {
        "id": "",
        "name": "Construction"
      },
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "Energy"
      },
      {
        "id": "",
        "name": "Telecommunications"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "Manufacturing"
      }
    ]
  },
  "external_refs": [
    "https://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets",
    "https://otx.alienvault.com/pulse/67bede32c9b6c40d45a9f2f8"
  ]
}