NJRAT – Active IOCs
May 26, 2025CVE-2025-4975 – TP-Link Tapo App Vulnerability
May 26, 2025NJRAT – Active IOCs
May 26, 2025CVE-2025-4975 – TP-Link Tapo App Vulnerability
May 26, 2025Severity
High
Analysis Summary
APT-17, also known as "Bitter APT" or "DeputyDog" is a state-sponsored cyber espionage group believed to operate out of China. They have been active since 2012 and have primarily targeted aerospace, defense, and technology organizations. They are known for targeting China, Pakistan, and Saudi Arabia and have expanded to set their sights on Bangladeshi government agencies. The group uses various custom malware and tools to carry out their operations, including Remote Access Trojans (RATs), keyloggers, and backdoors. The group's malware is known to be complex, and multi-stage and uses a range of techniques to evade detection, such as code signing, legitimate tools and third-party tools, and encrypted communications. They are also known to use spear-phishing campaigns to gain initial access to targeted systems. They have been active for more than a decade and are known to use a wide range of custom malware and tools to carry out their operations. Organizations in these sectors should know the threat actors and take appropriate measures to protect against their attacks. This includes implementing robust security measures, such as advanced threat detection and response capabilities, as well as employee training on how to identify and respond to spear-phishing campaigns. The group was observed using Powershell and curl instead of msiexe in one of the latest campaigns.
Impact
- Information Theft and Espionage
Indicators of Compromise
Domain Name
jgmfducservice.net
inizdesignstudio.com
MD5
01f134002bc90a582e4dda39ae6218e3
e55758d6e30b262c8652cb97dfdc9039
bd0b21fc82d432f27bf6b184b0c4a859
SHA-256
d02fd3472adb0d7a502b08656c5001093a7a052905f406979873b464e9ca2378
64fd1e641731e48ea8c3df7b9caa5f8074dea15e99093b137af2acfe66754f73
7c5dde52845ecae6c80c70af2200d34ef0e1bc6cbf3ead1197695b91acd22a67
SHA1
6e6dfbbcb569ad7a49acc29c643e68312ce6bb5f
6d8afa6a268c228ef1b45ec093878e2acf4e2c9e
d0a605137c3240f3851ba0258f7a4e711fc7ac75
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Along with network and system hardening, code hardening should be implemented within the organization to secure its websites and software. Use testing tools to detect any vulnerabilities in the deployed codes.
- Patch and upgrade any platforms and software on time and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions on time. Using a multi-layered protection is necessary to secure vulnerable assets.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Enable two-factor authentication.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.