Toneshell
backdoor, 2 mutex signatures
[BASIC_INFORMATION]
FAMILY_NAME:
Toneshell
CATEGORY:
BACKDOOR
DESCRIPTION:
Toneshell is a backdoor malware that has been observed in targeted attacks against organizations in the US, Philippines, Pakistan, and Taiwan. The malware is designed to provide remote access to compromised systems and is associated with the Hive0154 threat group.
ALIASES:
Toneshell Backdoor
TAGS:
remote_access, targeted_attack, persistence, hive0154
[MUTEX_SIGNATURES](2)
[MUTEX_01]
Fool87012900137
ANALYST: @adhikara13 DATE: 2024-07-16
[MUTEX_02]
Global\SingleCorporation12AD8B
ANALYST: @adhikara13 DATE: 2024-12-30
[THREAT_INTELLIGENCE]
ATTRIBUTION:
Unknown
FIRST_OBSERVED:
2024
[STATISTICS]
MUTEX_COUNT: 2
THREAT_ACTORS: 1
ALIASES: 1
TAGS: 4
CATEGORY: BACKDOOR