Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
9 distinct techniques documented for this family, organized by ATT&CK tactic.
the malicious macro code injects and loads an embedded shellcode in the memory of the WINWORD.exe process directly... For the final stage of the infection, DOWNIISSA creates an instance of msiexec.exe and injects the LODEINFO backdoor shellcode in the memory of the process.
It contains a one-byte XOR-encrypted LODEINFO shellcode... The embedded BLOB is divided into four-byte chunks... then decode the LODEINFO shellcode using a one-byte XOR key... some important strings are found with a one-byte XOR encryption.
The attackers exploited the name of a well-known Japanese politician... The file name and the decoy document suggest the target was the Japanese ruling party or a related organization.
the malicious macro code injects and loads an embedded shellcode in the memory of the WINWORD.exe process directly... For the final stage of the infection, DOWNIISSA creates an instance of msiexec.exe and injects the LODEINFO backdoor shellcode in the memory of the process.
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.