← Back to Cybersecurity News Center
Severity
HIGH
CVSS
7.5
Priority
0.262
×
Tip
Pick your view
Analyst for full detail, Executive for the short version.
Analyst
Executive
Executive Summary
A Russian state-linked threat actor, Laundry Bear (also tracked as UAC-0190 and Void Blizzard), conducted a targeted espionage campaign against Ukrainian government entities in [February 2025], deploying a JavaScript backdoor called DRILLAPP. The malware runs inside Microsoft Edge in headless mode, a trusted and commonly allowlisted process, enabling covert access to cameras, microphones, screens, and the file system without triggering standard endpoint alerts. Organizations with remote workers, diplomatic missions, or operational ties to Ukraine face elevated risk of silent credential and data exfiltration through this technique.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
HIGH
High severity — prioritize for investigation
TTP Sophistication
HIGH
16 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
Microsoft Edge (headless mode), Chromium-based browsers, Windows (LNK and Control Panel module infection vectors)
Are You Exposed?
⚠
You use products/services from Microsoft Edge (headless mode) → Assess exposure
⚠
16 attack techniques identified — review your detection coverage for these TTPs
✓
Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓
You have incident response procedures for this threat type → Prepared
Business Context
A Russian state-linked threat actor, Laundry Bear (also tracked as UAC-0190 and Void Blizzard), conducted a targeted espionage campaign against Ukrainian government entities in [February 2025], deploying a JavaScript backdoor called DRILLAPP. The malware runs inside Microsoft Edge in headless mode, a trusted and commonly allowlisted process, enabling covert access to cameras, microphones, screens, and the file system without triggering standard endpoint alerts. Organizations with remote workers, diplomatic missions, or operational ties to Ukraine face elevated risk of silent credential and data exfiltration through this technique.
Technical Analysis
DRILLAPP is a JavaScript backdoor that executes entirely within Microsoft Edge running in headless mode (--headless flag), abusing the Chrome DevTools Protocol (CDP) to bypass JavaScript's native file access restrictions.
CDP provides low-level browser control typically used for testing and automation; DRILLAPP repurposes it to access the camera (T1125 ), microphone (T1123 ), screen (T1113 ), and file system (T1083 ) without user interaction.
Initial access is achieved via malicious LNK files (T1566 ) and Windows Control Panel module (.cpl) abuse (T1218 ), consistent with prior Laundry Bear tradecraft.
Persistence is established via Registry Run keys (T1547.001 ). The malware uses obfuscation (T1027 ), JavaScript execution (T1059.007 ), and web services for C2 communication (T1102.001 , T1071.001 ). Because Edge is a signed Microsoft binary and headless operation is a legitimate enterprise use case, process-based allowlisting and many behavioral detection rules do not fire. No CVE is assigned to this campaign; the attack exploits legitimate browser functionality rather than a patched vulnerability. Relevant CWEs: CWE-693 (Protection Mechanism Failure), CWE-73 (External Control of File Name or Path), CWE-276 (Incorrect Default Permissions). MITRE ATT&CK techniques mapped include T1566 , T1564.003 , T1083 , T1071 , T1056.001 , T1113 , T1547.001 , T1027 , T1125 , T1059.007 , T1218 , T1105 , T1547 , T1102.001 , T1071.001 , T1123 . No patch addresses this technique; mitigation requires configuration and detection controls.
Action Checklist IR ENRICHED
Triage Priority:
IMMEDIATE
Escalate to CISO and legal immediately if any endpoints belonging to users with Ukraine-related operational access are confirmed compromised; engage external DFIR firm if more than five endpoints show evidence of DRILLAPP deployment or successful credential theft.
1
Step 1 (Immediate): Audit Group Policy and endpoint configurations to determine whether headless browser execution (msedge.exe --headless or chrome.exe --headless) is permitted or blocked; restrict headless mode via application control policy or GPO where not operationally required.
IR Detail
Preparation
NIST 800-61r3 §2.1 (Preparation phase: tools and policies)
NIST 800-53 SI-7 (Software, firmware, and information integrity)
NIST 800-53 AC-6 (Least privilege)
CIS Controls v8 2.4 (Address unauthorized software)
Compensating Control
On each endpoint, run `Get-AppLockerPolicy -Effective | Export-Clixml` (PowerShell) to export current AppLocker rules; manually audit for headless exclusions. If AppLocker unavailable, create a GPO that denies execution of msedge.exe and chrome.exe with command-line arguments containing '--headless' using Image File Execution Options registry hive (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options). Test with `tasklist /v | findstr headless` after policy deployment.
Preserve Evidence
Before restricting: capture Group Policy Report (`gpresult /h report.html`), current AppLocker effective policy export, and registry export of HKLM\Software\Policies\Microsoft\Windows\AppCompat. Document baseline allowed processes via `Get-Process | Export-Csv baseline.csv` to validate no production services rely on headless execution.
2
Step 2 (Detection): Search EDR and process logs for msedge.exe or chrome.exe launched with --headless, --remote-debugging-port, or --disable-gpu flags from unusual parent processes (e.g., explorer.exe, rundll32.exe, control.exe); alert on CDP port activity (default 9222) originating from browser processes outside sanctioned automation pipelines.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2.1 (Detection and Analysis: anomaly detection)
NIST 800-53 SI-4 (Information system monitoring)
NIST 800-53 AU-12 (Audit generation)
CIS Controls v8 8.5 (Log all access and changes to sensitive data)
Compensating Control
Use Windows Event Log 4688 (Process Creation) with command-line auditing enabled via Group Policy (Computer Config > Policies > Admin Templates > System > Audit Process Creation). Query manually: `wevtutil qe Security /q:*[System[(EventID=4688)] and EventData[Data[@Name='CommandLine'] and (contains(., '--headless') or contains(., '--remote-debugging-port') or contains(., '--disable-gpu'))]]* /f:text`. For CDP port detection without EDR, enable NetFlow or configure Windows Firewall to log outbound connections to port 9222 via `netsh advfirewall firewall add rule name='Log CDP Port' dir=out action=allow protocol=tcp remoteport=9222 profile=any logonname=allow`; parse logs hourly with `wevtutil qe Security /q:*[System[(EventID=5156)]] | findstr 9222`.
Preserve Evidence
Capture all instances of Windows Event Log 4688 (Process Creation) for msedge.exe and chrome.exe for the past 30 days; Windows Event Log 4657 (Registry value modified) tracking HKLM\Software\Microsoft\EdgeUpdate and HKLM\Software\Google\Chrome; Windows Firewall logs (C:\Windows\System32\logfiles\Firewall\pfirewall.log) filtered for port 9222; network packet capture (tcpdump or Wireshark) from any network tap showing port 9222 connections; EDR process tree exports showing parent-child relationships.
3
Step 3 (Detection): Hunt for LNK files created in user-writeable directories (Downloads, Temp, AppData) with unusual targets or arguments; monitor for Control Panel module (.cpl) execution via rundll32.exe or shell32.dll outside expected administrative workflows (T1218).
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2.2 (Deep investigation of malware artifacts)
NIST 800-53 SI-3 (Malware protection)
NIST 800-53 CA-7 (Continuous monitoring)
CIS Controls v8 2.1 (Inventory all software)
Compensating Control
Search all user-writeable directories for .lnk files created in the past 60 days: `forfiles /S /M *.lnk /D +60 /C "cmd /c @path >> lnk_inventory.txt"". Extract LNK target and arguments using a free tool like `lnk-parser` (GitHub: Matlog/lnk-parser) or WinHexEditor; parse each LNK header for TargetPath field. Monitor rundll32.exe execution: query Event Log 4688 for `rundll32.exe` with arguments matching `*.cpl` patterns: `wevtutil qe Security /q:*[System[(EventID=4688)] and EventData[Data[@Name='CommandLine'] and contains(., '.cpl')]]* | findstr rundll32`. Establish baseline of legitimate .cpl calls (e.g., from Control Panel processes) and alert on deviations.
Preserve Evidence
Export all .lnk file metadata from (%USERPROFILE%\Downloads, %TEMP%, %APPDATA%) including file creation/modification timestamps, target path, arguments, icon location, and hotkey fields; Windows Event Log 4688 for all rundll32.exe and shell32.dll executions with .cpl arguments for the past 30 days; NTFS $MFT (Master File Table) from forensic image to recover deleted .lnk files and establish creation timeline; Windows Prefetch files (C:\Windows\Prefetch\) for rundll32.exe and shell32.dll to identify execution frequency and parameters.
4
Step 4 (Assessment): Inventory systems with Microsoft Edge installed; identify any endpoints where Edge or Chromium-based browsers are allowlisted at the process level in EDR or application control tools without behavioral sub-controls; prioritize endpoints belonging to users with access to sensitive government, diplomatic, or Ukraine-related operational data.
IR Detail
Preparation
NIST 800-61r3 §2.1 (Preparation: asset inventory and prioritization)
NIST 800-53 CM-8 (Information system component inventory)
NIST 800-53 AC-2 (Account management and access control)
CIS Controls v8 1.1 (Establish and maintain detailed asset inventory)
Compensating Control
Query Active Directory for all endpoints: `Get-ADComputer -Filter * -Properties Name,OperatingSystem | Export-Csv endpoints.csv`. On each endpoint, check for Edge/Chrome installation via registry query: `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" | findstr /I "edge chrome"` or via WMI: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Edge|Chrome"} | Export-Csv installed_browsers.csv`. Cross-reference sensitive user accounts (pulled from AD security groups for government/diplomatic roles) with endpoint inventory. Check EDR/AppLocker policies: export allow-lists and flag any entry with msedge.exe or chrome.exe lacking behavioral rules (e.g., command-line restrictions, memory limits, parent-process whitelisting).
Preserve Evidence
Export Active Directory user accounts and group memberships for sensitive roles; Windows Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall for browser installation records; EDR policy exports showing browser allow-list entries and absence of behavioral sub-rules; DHCP logs correlating user accounts to endpoint IP addresses; VPN/remote access logs showing which sensitive users logged in from which endpoints; file share access logs (if centralized) showing which endpoints accessed sensitive Ukraine-related directories.
5
Step 5 (Communication): Notify SOC and threat intelligence teams of active Laundry Bear / UAC-0190 / Void Blizzard targeting; if your organization has ties to Ukrainian government entities or operates in relevant sectors and CISA has published a related advisory, escalate to leadership and consider sharing indicators with your sector-specific ISAC.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2.5 (Notification and escalation)
NIST 800-53 IR-6 (Incident reporting)
NIST 800-53 CA-7 (Continuous monitoring and incident coordination)
CIS Controls v8 6.3 (Address unauthorized changes)
Compensating Control
Create a standardized incident communication template (one-pager) with: threat actor names (Laundry Bear, UAC-0190, Void Blizzard), campaign name (DRILLAPP), technical indicators (MITRE ATT&CK TTPs: T1218, T1564.003), affected software (msedge.exe, chrome.exe in headless mode), and immediate detection queries. Distribute to SOC via email with severity level tagged. Contact your sector ISAC (e.g., Financial Services ISAC for banking, Government ISAC for public sector) via their standard submission form; include indicators (IP addresses, file hashes, domain IOCs) extracted from threat intelligence feeds (CISA, Mandiant, MITRE).
Preserve Evidence
Document all communication timestamps and recipients in an incident log; retain copies of initial advisory or threat intelligence report (CISA alert, vendor advisory) with extraction date; maintain list of IOCs shared with sector ISAC and any feedback received; track internal notifications to SOC, security leadership, and legal/compliance teams.
6
Step 6 (Long-term): Update detection engineering rules to cover headless browser abuse as a persistent technique class, not just this campaign; review allowlisting policies to ensure signed Microsoft binaries are subject to behavioral controls, not blanket trust; incorporate T1218 (System Binary Proxy Execution) and T1564.003 (Hidden Window) into red team scope for the next assessment cycle.
IR Detail
Post-Incident
NIST 800-61r3 §4 (Post-Incident Activities: lessons learned and process improvement)
NIST 800-53 IR-2 (Incident response training and testing)
NIST 800-53 CA-7 (Continuous monitoring)
CIS Controls v8 6.2 (Address unauthorized software)
Compensating Control
Create detection rules using free/open-source SIEM rule templates (Sigma rules from SigmaHQ GitHub). Build a Sigma rule for headless browser execution: `detection: selection: EventID: 4688 CommandLine|contains: '--headless' ParentImage|endswith: ['explorer.exe', 'rundll32.exe', 'control.exe'] condition: selection`. Integrate into Splunk, ELK, or native Windows event log alerting. Document rule rationale, false-positive baseline, and tuning thresholds in a detection runbook. Schedule quarterly red team exercises targeting T1218 and T1564.003: simulate LNK-based execution chains and headless browser abuse; measure time-to-detect and response completeness.
Preserve Evidence
Maintain version-controlled detection rule repository with change history; document baseline tuning data (false positive rates, detection latency) from initial rule deployment; capture red team engagement reports showing attack paths tested and detection gaps identified; track post-incident process improvements and their implementation dates.
Recovery Guidance
Post-containment: disconnect affected endpoints from network, image hard drives before remediation, analyze captured artifacts for lateral movement or data exfiltration indicators. Rebuild compromised systems from known-good media after forensic analysis completes. Reset credentials for all users who accessed sensitive systems from affected endpoints within 90 days prior to detection. Implement continuous behavioral monitoring on restored endpoints for 60 days to catch any re-infection.
Key Forensic Artifacts
Windows Event Log Security channel (4688 Process Creation, 4689 Process Terminated, 4657 Registry value modified)
NTFS $MFT (Master File Table) and $USN Journal for file creation/deletion timeline reconstruction
Windows Prefetch files (C:\Windows\Prefetch\*.pf) for process execution history and command-line arguments
Windows Registry hives (NTUSER.DAT, SOFTWARE, SYSTEM) for browser policies, installed applications, and Run/RunOnce keys
Browser cache, cookies, and DevTools session artifacts (C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Cache; C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Cache)
Detection Guidance
Primary behavioral indicators: msedge.exe or chrome.exe spawned with --headless and --remote-debugging-port arguments, particularly when the parent process is explorer.exe, rundll32.exe, control.exe, or an Office application.
Secondary indicators: outbound network connections on TCP 9222 (default CDP port) or non-standard high ports from browser processes; browser processes accessing camera or microphone device interfaces without a visible UI window (check Windows device access audit logs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager).
LNK-related indicators: LNK files in user profile directories pointing to cmd.exe, powershell.exe, or wscript.exe with encoded or obfuscated arguments; recent LNK creation timestamps not matching user activity patterns.
Registry persistence: monitor for new entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM equivalent referencing browser binaries or script runners (T1547.001 ). Network indicators: JavaScript-based C2 often uses web service APIs for blending (T1102.001 ); look for browser processes making periodic low-volume HTTPS requests to newly registered or low-reputation domains outside normal browsing hours. Log sources to prioritize: EDR process creation events, Windows Security Event ID 4688, Sysmon Event IDs 1 (process create) and 3 (network connection), and Windows device access audit logs. No confirmed public IOCs (IPs, domains, hashes) are available from the listed sources at the time this content was generated; monitor CERT-UA, CISA, and Microsoft MSTIC daily for indicator releases as the campaign evolves.
Indicators of Compromise (9)
Export as
Splunk SPL
KQL
Elastic
Copy All (9)
7 behaviorals
1 registry
1 domain
Type Value Enrichment Context Conf.
◆ BEHAVIORAL
msedge.exe --headless --remote-debugging-port=*
DRILLAPP execution pattern — Edge launched in headless mode with CDP port exposed; flagged in process creation logs
HIGH
◆ BEHAVIORAL
control.exe executing .cpl file from user-writable path
Initial access vector — Windows Control Panel module abuse used for DRILLAPP delivery (T1218)
HIGH
◆ BEHAVIORAL
LNK file in %APPDATA%, %TEMP%, or Downloads targeting cmd.exe or wscript.exe with encoded arguments
Initial access vector, LNK files in user-writable directories (%APPDATA%, %TEMP%, Downloads) with encoded command-line arguments targeting cmd.exe or wscript.exe are suspicious because legitimate shortcuts rarely use obfuscated parameters; detect by monitoring LNK file creation/execution followed by cmd/wscript spawning with base64, hex, or PowerShell encoding in arguments, which differs from standard shortcut behavior and is consistent with Laundry Bear's macro-free delivery tradecraft (T1566).
HIGH
◆ BEHAVIORAL
Browser process establishing outbound TCP connection on port 9222
CDP remote debugging port activity from browser process outside sanctioned automation pipeline
MEDIUM
◆ REGISTRY
HKCU\Software\Microsoft\Windows\CurrentVersion\Run — new entry referencing msedge.exe or script runner
Persistence mechanism consistent with T1547.001; review for anomalous entries post-infection
MEDIUM
⌘ DOMAIN
pastefy.app
VT
US
Legitimate pastebin-style service abused for C2 staging by DRILLAPP; outbound connections from workstations to this domain warrant investigation
MEDIUM
◆ BEHAVIORAL
msedge.exe --remote-debugging-port=9222 --headless
Command-line pattern associated with DRILLAPP launching Edge in headless mode for CDP abuse
MEDIUM
◆ BEHAVIORAL
mshta.exe executing HTA from remote or user-writable path
mshta.exe executing HTA files from remote (http/https/UNC paths) or user-writable directories (AppData, Temp, Downloads) is suspicious because it bypasses code signing and execution policies - legitimate mshta.exe usage loads HTAs from protected system directories or trusted application paths, whereas this pattern indicates T1218.005 Living off the Land Binary abuse used for malware delivery; detect this by alerting on mshta.exe child processes with command-line arguments containing remote URLs or non-admin-writable paths, especially when spawned by Office applications, script interpreters, or Windows Management Instrumentation processes.
MEDIUM
◆ BEHAVIORAL
rundll32.exe or control.exe loading CPL from non-system path
rundll32.exe or control.exe loading Control Panel files (.cpl) from non-system directories (outside %SystemRoot%\System32) is suspicious because legitimate Windows Control Panel modules are always digitally signed and restricted to protected system paths; attackers exploit this trusted execution path to sideload malicious CPL files that bypass application whitelisting. In EDR/logs, detect rundll32.exe or control.exe with command-line arguments referencing .cpl files outside System32, especially when followed by child process creation (cmd.exe, powershell.exe), network connections to external IPs, or registry modifications within seconds of execution - legitimate Control Panel access typically loads only signed system CPLs without subsequent suspicious activity.
MEDIUM
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
🔒
Microsoft 365 E3
3 log sources
Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
🛡
Microsoft 365 E5
18 log sources
Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
🔍
E5 + Sentinel
27 log sources
All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
IOC Detection Queries (1)
1 domain indicator(s). Detects DNS lookups and connections.
KQL Query Preview
Read-only — detection query only
// Threat: Laundry Bear Deploys Browser-as-Backdoor: DRILLAPP Abuses Headless Edge and Chro
let malicious_domains = dynamic(["pastefy.app"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_domains)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (7)
Sentinel rule: Phishing email delivery
KQL Query Preview
Read-only — detection query only
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns
KQL Query Preview
Read-only — detection query only
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Persistence via registry / startup
KQL Query Preview
Read-only — detection query only
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Winlogon\\", "\\Services\\")
| where RegistryValueData has_any (".exe", ".dll", ".bat", ".ps1", ".vbs", "cmd", "powershell", "http")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Encoded command execution
KQL Query Preview
Read-only — detection query only
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
KQL Query Preview
Read-only — detection query only
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: LOLBin abuse (mshta, regsvr32, rundll32)
KQL Query Preview
Read-only — detection query only
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "cmstp.exe", "msiexec.exe")
| where ProcessCommandLine has_any ("http", "ftp", "\\\\", "javascript:", "vbscript:", "scrobj.dll", "/i:", "-decode", "-urlcache")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Suspicious file download
KQL Query Preview
Read-only — detection query only
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileOriginUrl != ""
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe")
| project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Falcon API IOC Import Payload (1 indicators)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
Copy JSON
[
{
"type": "domain",
"value": "pastefy.app",
"source": "SCC Threat Intel",
"description": "Legitimate pastebin-style service abused for C2 staging by DRILLAPP; outbound connections from workstations to this domain warrant investigation",
"severity": "medium",
"action": "detect",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-08-01T00:00:00Z"
}
]
Route 53 DNS — Malicious Domain Resolution
Query Preview
Read-only — detection query only
fields @timestamp, qname, srcaddr, rcode
| filter qname in ["pastefy.app"]
| sort @timestamp desc
| limit 200
Compliance Framework Mappings
T1566
T1564.003
T1083
T1071
T1056.001
T1113
+10
AT-2
CA-7
SC-7
SI-3
SI-4
SI-8
+1
MITRE ATT&CK Mapping
T1566
Phishing
initial-access
T1083
File and Directory Discovery
discovery
T1071
Application Layer Protocol
command-and-control
T1113
Screen Capture
collection
T1547.001
Registry Run Keys / Startup Folder
persistence
T1027
Obfuscated Files or Information
defense-evasion
T1125
Video Capture
collection
T1218
System Binary Proxy Execution
defense-evasion
T1105
Ingress Tool Transfer
command-and-control
T1547
Boot or Logon Autostart Execution
persistence
T1102.001
Dead Drop Resolver
command-and-control
T1123
Audio Capture
collection
Guidance Disclaimer
