{
  "name": "Threat Actor Uses Fake Recovery Manual to Deliver Unidentified Stealer",
  "slug": "threat-actor-uses-fake-recovery-manual-to-deliver-unidentified-stealer",
  "description": "An intelligence report outlines a campaign in which an unidentified threat actor distributed a malicious macro-enabled Word document posing as a Microsoft recovery manual. When the macros executed, they downloaded a novel stealer now tracked as Daolpu. The stealer targets credentials stored in web browsers, writes them to a temporary file, and then exfiltrates the data to a command-and-control server. The report provides technical analysis, recommendations, indicators of compromise, and MITRE ATT&CK mappings related to this malicious operation.",
  "published": "2024-07-24T06:06:33+00:00",
  "created_at": "2024-07-24T06:06:33+00:00",
  "modified_at": "2024-07-24T06:16:42+00:00",
  "created_at_opencti": "2024-07-24T06:06:33+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-07-24",
    "credential",
    "daolpu",
    "exfiltration",
    "impersonation",
    "malicious document",
    "stealer"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "172.104.160.126"
      },
      {
        "id": "",
        "name": "803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61"
      },
      {
        "id": "",
        "name": "5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721"
      },
      {
        "id": "",
        "name": "4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a"
      },
      {
        "id": "",
        "name": "3a9323a939fbecbc6d0ceb5c1e1f3ebde91e9f186b46fdf3ba1aee03d1d41cd8"
      },
      {
        "id": "",
        "name": "00199b4784533a124da96be5d5e472195b0e27be15007dcbd573c0fb29941d99"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:1cccc395ec42d2c8",
        "name": "Daolpu",
        "slug": "daolpu"
      }
    ],
    "attack_patterns": [
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ]
  },
  "external_refs": [
    "https://www.crowdstrike.com/blog/fake-recovery-manual-used-to-deliver-unidentified-stealer",
    "https://otx.alienvault.com/pulse/66a0b60af3901e31f756f29d"
  ]
}