Threat Actor Unknown origin

ShinyHunters

IoCs CSV 1 detection rule

ShinyHunters is a cybercriminal group of unknown origin that is motivated by financial gain. The group is known for its sophisticated attacks against a wide range of targets, including businesses, organizations, and government agencies. ShinyHunters typically uses phishing attacks and exploit kits to gain access to victim networks, where they deploy malware to steal sensitive data, such as names, addresses, phone numbers, Social Security numbers, and credit card information.

Indicators of Compromise 12

Detection Rules

ShinyHunters_SIGMA_Detection
sigma ai_generated
title: ShinyHunters Credential Harvesting via Fortinet Vulnerabilities and Fileless Phantom Stealer
id: 3a8d5e1b-9d2e-4c3a-8f1d-4b2a9c7e6b8f
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection_img_load:
    - ImageLoaded|endswith: '\VID001.exe'
    - ImageLoaded|endswith: '\SECOH-QAD.exe'
    - ImageLoaded|endswith: '\u992574.dll'
  selection_cmd_host:
    - CommandLine|contains: 'powershell -ep bypass -c'
    - CommandLine|contains: 'iex(new-object net.webclient)'
    - CommandLine|contains: 'Invoke-PhantomStealer'
    - ParentImage|endswith: '\cmd.exe'
    - ParentImage|endswith: '\cscript.exe'
  selection_temp_webfile:
    - TargetFilename|endswith: '\AppData\Local\Temp\f_000cd7.html'
    - TargetFilename|contains: 'f_000cd7.html'
  selection_hashes:
    - hash_sha256: '9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507'
    - hash_md5: '2915b3f8b703eb744fc54c81f4a9c67f'
    - hash_sha256: 'c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe'
    - hash_md5: 'bf9672ec85283fdf002d83662f0b08b7'
    - hash_sha256: '9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f'
    - hash_md5: '38de5b216c33833af710e88f7f64fc98'
    - hash_sha256: 'e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba'
    - hash_md5: 'dbd8dbecaa80795c135137d69921fdba'
  condition: 1 of selection_* 
falsepositives:
  - Legitimate administrative scripts (unlikely but possible)
  - Unauthorized software deployment
level: critical

Rules are AI-generated and unvalidated. Test in a safe environment before production use.

Source Articles