Today I’d like to share a quick analysis initiated during a threat hunting process. The first observable was found while hunting over OSINT sources; the entire infrastructure was still up and running during the analysis, and the malicious payloads were still downloadable.

My first observable was a zipped text file containing a simple update.js script. The script was built to defeat automatic analysis tools: its size (>9MB) makes it very hard to beautify or to strip out the unwanted, nonsensical junk code that is scattered everywhere throughout it.

Is the Hagga threat actor (ab)using the FSociety framework?