Merge branch 'develop' into APT37

splunk · patel-bhavin · Oct 13, 2025 · Sep 18, 2025 · Sep 19, 2025 · Sep 22, 2025
commit cb07b5cc9e4b12771eb4ae589138194f0c29491b
@@ -82,6 +82,7 @@ tags:
   - Gozi Malware
   - Scattered Spider
   - APT37 Rustonotto and FadeStealer
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1197

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
 version: 16
-date: '2025-09-18'
+date: '2025-09-30'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -107,6 +107,8 @@ tags:
   - IcedID
   - Interlock Rat
   - APT37 Rustonotto and FadeStealer
+  - PromptLock
+  - Lokibot
   asset_type: Endpoint
   mitre_attack_id:
   - T1036

@@ -1,7 +1,7 @@
 name: LOLBAS With Network Traffic
 id: 2820f032-19eb-497e-8642-25b04a880359
 version: 12
-date: '2025-09-18'
+date: '2025-09-16'
 author: Steven Dick
 status: production
 type: TTP
@@ -75,6 +75,7 @@ tags:
   - Malicious Inno Setup Loader
   - Water Gamayun
   - APT37 Rustonotto and FadeStealer
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1105

@@ -84,6 +84,7 @@ tags:
   - Interlock Ransomware
   - 0bj3ctivity Stealer
   - APT37 Rustonotto and FadeStealer
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1059.001

@@ -65,6 +65,7 @@ tags:
   - XWorm
   - 0bj3ctivity Stealer
   - APT37 Rustonotto and FadeStealer
+  - GhostRedirector IIS Module and Rungan Backdoor
   mitre_attack_id:
   - T1027
   - T1059.001

@@ -1,7 +1,7 @@
 name: Scheduled Task Deleted Or Created via CMD
 id: d5af132c-7c17-439c-9d31-13d55340f36c
 version: 21
-date: '2025-09-18'
+date: '2025-09-30'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -106,6 +106,7 @@ tags:
   - Scattered Spider
   - 0bj3ctivity Stealer
   - APT37 Rustonotto and FadeStealer
+  - Lokibot
   asset_type: Endpoint
   mitre_attack_id:
   - T1053.005

@@ -1,7 +1,7 @@
 name: Suspicious Curl Network Connection
 id: 3f613dc0-21f2-4063-93b1-5d3c15eef22f
 version: 7
-date: '2025-09-18'
+date: '2025-09-16'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
@@ -54,6 +54,7 @@ tags:
   - Ingress Tool Transfer
   - Linux Living Off The Land
   - APT37 Rustonotto and FadeStealer
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1105

@@ -1,7 +1,7 @@
 name: Suspicious Process Executed From Container File
 id: d8120352-3b62-411c-8cb6-7b47584dd5e8
 version: 8
-date: '2025-09-18'
+date: '2025-09-16'
 author: Steven Dick
 status: production
 type: TTP
@@ -75,6 +75,7 @@ rba:
 tags:
   analytic_story:
     - APT37 Rustonotto and FadeStealer
+    - GhostRedirector IIS Module and Rungan Backdoor
     - Unusual Processes
     - Amadey
     - Remcos

@@ -1,7 +1,7 @@
 name: Suspicious Scheduled Task from Public Directory
 id: 7feb7972-7ac3-11eb-bac8-acde48001122
 version: 16
-date: '2025-09-18'
+date: '2025-09-30'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -89,6 +89,7 @@ tags:
   - China-Nexus Threat Activity
   - Scattered Spider
   - APT37 Rustonotto and FadeStealer
+  - Lokibot
   asset_type: Endpoint
   mitre_attack_id:
   - T1053.005

@@ -1,7 +1,7 @@
 name: Windows Archived Collected Data In TEMP Folder
 id: cb56a1ea-e0b1-46d5-913f-e024cba40cbe
 version: 6
-date: '2025-09-18'
+date: '2025-10-06'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly

@@ -1,7 +1,7 @@
 name: Windows Curl Download to Suspicious Path
 id: c32f091e-30db-11ec-8738-acde48001122
 version: 16
-date: '2025-09-18'
+date: '2025-10-01'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -94,6 +94,7 @@ rba:
 tags:
   analytic_story:
     - APT37 Rustonotto and FadeStealer
+    - GhostRedirector IIS Module and Rungan Backdoor
     - Black Basta Ransomware
     - China-Nexus Threat Activity
     - Forest Blizzard

@@ -91,6 +91,7 @@ rba:
 tags:
   analytic_story:
     - APT37 Rustonotto and FadeStealer
+    - GhostRedirector IIS Module and Rungan Backdoor
     - Winter Vivern
     - Phemedrone Stealer
     - Malicious PowerShell

@@ -1,7 +1,7 @@
 name: Windows HTTP Network Communication From MSIExec
 id: b0fd38c7-f71a-43a2-870e-f3ca06bcdd99
 version: 7
-date: '2025-09-18'
+date: '2025-09-16'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -82,6 +82,7 @@ rba:
 tags:
   analytic_story:
     - APT37 Rustonotto and FadeStealer
+    - GhostRedirector IIS Module and Rungan Backdoor
     - Windows System Binary Proxy Execution MSIExec
     - Water Gamayun
     - Cisco Network Visibility Module Analytics

@@ -1,7 +1,7 @@
 name: Windows Obfuscated Files or Information via RAR SFX
 id: 4ab6862b-ce88-4223-96c0-f6da2cffb898
 version: 5
-date: '2025-09-18'
+date: '2025-09-16'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 11
@@ -54,6 +54,7 @@ tags:
   analytic_story:
   - Crypto Stealer
   - APT37 Rustonotto and FadeStealer
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1027.013

@@ -72,6 +72,7 @@ tags:
   - Salt Typhoon
   - China-Nexus Threat Activity
   - APT37 Rustonotto and FadeStealer
+  - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:
   - T1036.005

@@ -1,7 +1,7 @@
 name: WinEvent Scheduled Task Created Within Public Path
 id: 5d9c6eee-988c-11eb-8253-acde48001122
 version: 19
-date: '2025-09-18'
+date: 2025-10-01
 author: Michael Haag, Splunk
 status: production
 type: TTP