“…ller executable that conducts traffic forwarding and executes the attacker’s commands through a reverse SSH tunnel. It contains Russian text in its comments and log messages, indicating possible origins. The tunnesshclient sample used in this blog for demonstration (SHA256: …”
T1059.001 PowerShell (95%)
“…fcf70b6a75d5bdcf7d76) for demonstration. The VBS script uses integer arrays to represent strings. It contains a function "a" that converts integer arrays to their corresponding strings. The script also includes a function named ensureelevatedprivileges for privilege escalati…”
T1572 Protocol Tunneling (93%)
“then sends system information to the attacker at “/api/get_port”. It retrieves a port number for remote port forwarding from the attacker’s response, then creates a reverse SSH tunnel using its previously retrieved SSH credentials and traffic-forwarding port number to …”
T1105 Ingress Tool Transfer (65%)
“redirects to the fetched URL. In other GitHub repositories, scripts.js files are used to fetch, AES-decrypt, and redirect to a URL (such as hxxps://github[.]com/arena-breakout-infinite-esp/.github). The scripts.js files use Base64-encoded links to fetch t…”
T1140 Deobfuscate/Decode Files or Information (64%)
“…7391b99865f8533efc1fe6dfa6175215718679fb00ca85fc13c3bd4ae4b7). The libcurl.dll file (SHA256: fa767391b99865f8533efc1fe6dfa6175215718679fb00ca85fc13c3bd4ae4b7) loads a payload (SHA256: d295720bc0c1111ce1c3d8b1bc1b36ba840f103b3ca7e95a5a8bf03e2cc44fe5) from its resource se…”
T1053.005 Scheduled Task (57%)
“…ed1f382bb347517a54ea82084c841d0f955518) achieves persistence by adding a registry entry under the Run key and creating a scheduled task. heaconload sends beacon messages to the attacker via HTTP POST requests at “:8088/healthcheck”. Each beacon message contains collected …”
T1204.002 Malicious File (55%)
“New BoryptGrab stealer targets Windows users via deceptive GitHub pages. The BoryptGrab campaign uses fake SEO-optimized GitHub repositories and deceptive download pages to distribute a data-steali…”
T1547.001 Registry Run Keys / Startup Folder (45%)
(Same passage as quoted under T1053.005 Scheduled Task above.)
Summary
The BoryptGrab campaign uses fake SEO‑optimized GitHub repositories and deceptive download pages to distribute a data‑stealing malware family that delivers multiple payloads, including a reverse SSH backdoor, to Windows users.