
gamaredon.2025.zero-click-rar.pteranodon

Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.

Status: confirmed | IIM v1.1 | MB-0001 | needs review
Entities: 13 | Relations: 13 | Techniques: 12
Published: 2026-05-27 12:22:36


Chain storyline (ordered IIM positions)

1. entry / file: 6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar  [IIM-T024]
2. entry / file: Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf
3. staging / file: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\2_1_1_7755_11.11.2025.HTA  [IIM-T024]
4. staging / url: hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf  [IIM-T008, IIM-T019, IIM-T020, IIM-T021]
5. payload / file: Pteranodon Stage-2 loader
6. redirector / url: hxxps://www.telegram[.]me/s/natural_blood  [IIM-T006, IIM-T013]
7. redirector / url: hxxps://www.telegram[.]me/s/oberfarir  [IIM-T006, IIM-T013]
8. redirector / url: hxxps://telegram[.]me/s/teotori  [IIM-T006, IIM-T013]
9. redirector / url: hxxps://graph[.]org/vryivzphxwc-11-11  [IIM-T006, IIM-T013]
10. staging / url: hxxps://www.bitdefender[.]com@weliveditwell[.]online/mammon  [IIM-T010, IIM-T013]
11. redirector / domain: document-downloads.ddns.net  [IIM-T008, IIM-T011]
12. c2 / ip: 194.67.71.75  [IIM-T003, IIM-T007]
13. c2 / ip: 45.32.220.217  [IIM-T002]

Relations (directed infrastructure edges)

e001 -> e002  drops              confirmed
e001 -> e003  drops              confirmed
e003 -> e004  download           likely
e004 -> e005  download           likely
e005 -> e006  communicates-with  confirmed
e005 -> e007  communicates-with  confirmed
e005 -> e008  communicates-with  confirmed
e005 -> e009  communicates-with  confirmed
e009 -> e010  references         confirmed
e005 -> e011  connect            likely
e005 -> e012  connect            likely
e011 -> e012  resolves-to        tentative
e005 -> e013  connect            tentative

Entities & evidence (observable inventory)

ID | Type | Value | Source / evidence

e001 | file | 6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar
  - Stage-1 sample table lists this RAR with the lure name 'Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf'.
  - The same table states that the PDF stream drops a Startup-folder HTA: '...Startup_2_1_1_7755_11.11.2025.HTA'.
  - Report section describes RAR archives exploiting CVE-2025-6218/CVE-2025-8088 as an increasingly used entry vector.

e002 | file | Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf
  - Decoy/lure document filename from the Stage-1 sample table for the 6aa9741f... RAR.
  - The report describes RAR archives containing seemingly harmless documents as the new favorite delivery vector.

e003 | file | %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\2_1_1_7755_11.11.2025.HTA
  - Stage-1 sample table shows the PDF stream writing a Startup-folder HTA named '2_1_1_7755_11.11.2025.HTA'.
  - The report states that opening the RAR triggers extraction of a hidden HTA into the Windows Startup folder and execution after reboot.
  - Detection section highlights HTA/VBS in the Startup folder as a hunting indicator.

e004 | url | hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf
  - The article IOC list includes readers.serveirc.com under DynDNS payload delivery servers.
  - The same IOC section lists '/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf' under observed URL paths.
  - The full userinfo-style URL was preserved from the analyst-provided chain and normalized/defanged for safe publication.

e005 | file | Pteranodon Stage-2 loader
  - Campaign summary identifies Pteranodon as the central Stage-2 loader.
  - Report states that all delivery formats share one purpose: download and launch Pteranodon.
  - Analysis section states that after bypassing filters, obfuscated HTA loaders fetch Pteranodon, wiper modules and auxiliary droppers.

e006 | url | hxxps://www.telegram[.]me/s/natural_blood
  - IOC list includes https://www.telegram.me/s/natural_blood.
  - Report states that Gamaredon uses Telegram channels for rotating C2 IPs and cryptographic material.
  - Screenshot in the report shows the NaturalBlonde / @natural_blood Telegram channel.

e007 | url | hxxps://www.telegram[.]me/s/oberfarir
  - IOC list includes https://www.telegram.me/s/oberfarir.
  - Report states that Gamaredon uses Telegram channels for rotating C2 IPs and cryptographic material.
  - Screenshot in the report shows the Oboessat / @oberfarir Telegram channel.

e008 | url | hxxps://telegram[.]me/s/teotori
  - IOC list includes https://telegram.me/s/teotori.
  - Telegram channels are described as C2 IP and cryptographic-material rotation points.

e009 | url | hxxps://graph[.]org/vryivzphxwc-11-11
  - Report explicitly lists https://graph.org/vryivzphxwc-11-11.
  - Report states that graph.org pages are used for rotating payload URLs.

e010 | url | hxxps://www.bitdefender[.]com@weliveditwell[.]online/mammon
  - Report screenshot of a graph.org page shows the URL 'https://www.bitdefender.com@weliveditwell.online/mammon'.
  - The userinfo-style domain disguise matches the same infrastructure pattern as president.gov.ua@readers.serveirc.com.

e011 | domain | document-downloads.ddns.net
  - IOC list includes document-downloads.ddns.net under DynDNS payload delivery servers.
  - ATT&CK mapping notes frequent use of DynDNS for rotating C2 domains.

e012 | ip | 194.67.71.75
  - Report calls out 194.67.71.75 as standing out in REG.RU infrastructure.
  - Report describes 194.67.71.0/24 as Fast-Flux infrastructure with short TTL, rapid rotation and many domains per IP.
  - IOC list includes 194.67.71.75.

e013 | ip | 45.32.220.217
  - IOC list includes 45.32.220.217.
  - Note: the analyst draft contained 45.33.16.183, but that exact IP is not present in the cited article; this chain uses the article-backed 45.32.220.217 instead.
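The two userinfo-style URLs in this inventory (e004 and e010) put a trusted-looking name in front of the real host, which is what a defender triaging these IOCs needs to see through. As an added example that is not part of this record or of the cited report, the following Python refangs the feed's hxxp/[.] notation, names the host a browser would actually contact, and flags userinfo that looks like a hostname; the host-lookalike heuristic is this example's own assumption, and the sample list is the URL observables from this chain.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


def refang(url: str) -> str:
    """Undo the hxxp/hxxps and [.] defanging used in this feed."""
    url = url.strip()
    if url.lower().startswith("hxxps://"):
        url = "https://" + url[8:]
    elif url.lower().startswith("hxxp://"):
        url = "http://" + url[7:]
    return url.replace("[.]", ".")


@dataclass
class HostCheck:
    url: str                 # original (defanged) form, kept for reporting
    real_host: str           # host a browser would actually contact
    userinfo: Optional[str]  # text before '@' in the authority, if any
    spoofed: bool            # True when userinfo looks like a domain name


def check_url(defanged: str) -> HostCheck:
    """Split the URL authority and decide whether userinfo disguises the host.

    urlsplit() treats everything before the last '@' in the authority as
    userinfo, as browsers do, so 'president.gov.ua@readers.serveirc.com'
    yields hostname 'readers.serveirc.com'.
    """
    parts = urlsplit(refang(defanged))
    host = (parts.hostname or "").lower()
    userinfo = None
    if "@" in parts.netloc:
        userinfo = parts.netloc.rsplit("@", 1)[0]
    # Heuristic (assumption of this example): userinfo containing a dot and no
    # ':' (i.e. not a user:password pair) is a host lookalike, not a credential.
    spoofed = bool(userinfo) and "." in userinfo and ":" not in userinfo
    return HostCheck(defanged, host, userinfo, spoofed)


def spoofed_hosts(urls: List[str]) -> List[HostCheck]:
    """Return only the entries whose authority carries a host-lookalike userinfo."""
    return [c for c in (check_url(u) for u in urls) if c.spoofed]


# Constructed sample: the URL observables from this chain, as published (defanged).
CHAIN_URLS = [
    "hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf",
    "hxxps://www.telegram[.]me/s/natural_blood",
    "hxxps://www.telegram[.]me/s/oberfarir",
    "hxxps://telegram[.]me/s/teotori",
    "hxxps://graph[.]org/vryivzphxwc-11-11",
    "hxxps://www.bitdefender[.]com@weliveditwell[.]online/mammon",
]

if __name__ == "__main__":
    for c in spoofed_hosts(CHAIN_URLS):
        print(f"displayed as {c.userinfo!r}, really contacts {c.real_host!r}: {c.url}")
```

Run against the list above it reports only e004 and e010, resolving to readers.serveirc.com and weliveditwell.online respectively; the real host is what proxy and DNS logs should be matched on.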

ATT&CK annotations (optional complementary mapping)

T1566.001  Phishing: Spearphishing Attachment
  Ukraine-themed RAR/HTA/LNK attachment delivery.

T1203  Exploitation for Client Execution
  CVE-2025-6218 style archive handling causes HTA placement/execution.

T1059.005  Command and Scripting Interpreter: Visual Basic
  HTA/VBScript loader execution.

T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  HTA placed in Windows Startup folder.

T1071.001  Application Layer Protocol: Web Protocols
  HTTP/HTTPS communication to DynDNS, graph.org and C2 infrastructure.

T1102.002  Web Service: Bidirectional Communication
  Telegram channels used for dynamic IP rotation and material distribution.

T1568.002  Dynamic Resolution: Domain Generation Algorithms / Dynamic DNS
  Frequent DynDNS use for rotating C2 domains.

T1090  Proxy
  Fast-flux/proxy-like infrastructure in 194.67.71.0/24.

Raw IIM JSON (canonical body from MANTIS)
{
  "iim_version": "1.1",
  "chain_id": "gamaredon.2025.zero-click-rar.pteranodon",
  "title": "Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure",
  "description": "IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.",
  "actor_id": "UAC-0010",
  "observed_at": "2025-11-11T00:00:00Z",
  "confidence": "likely",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "file",
      "value": "6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar",
      "observed_at": "2025-11-11T00:00:00Z",
      "source": "Synaptic Security Blog: Inside Gamaredon 2025",
      "evidence": [
        "Stage-1 sample table lists this RAR with the lure name 'Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf'.",
        "The same table states that the PDF stream drops a Startup-folder HTA: '...Startup_2_1_1_7755_11.11.2025.HTA'.",
        "Report section describes RAR archives exploiting CVE-2025-6218/CVE-2025-8088 as an increasingly used entry vector."
      ]
    },
    {
      "id": "e002",
      "type": "file",
      "value": "Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf",
      "observed_at": "2025-11-11T00:00:00Z",
      "source": "Synaptic Security Blog: Inside Gamaredon 2025",
      "evidence": [
        "Decoy/lure document filename from the Stage-1 sample table for the 6aa9741f... RAR.",
        "The report describes RAR archives containing seemingly harmless documents as the new favorite delivery vector."
      ]
    },
    {
      "id": "e003",
      "type": "file",
      "value": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\2_1_1_7755_11.11.2025.HTA",
      "observed_at": "2025-11-11T00:00:00Z",
      "source": "Synaptic Security Blog: Inside Gamaredon 2025",
      "evidence": [
        "Stage-1 sample table shows the PDF stream writing a Startup-folder HTA named '2_1_1_7755_11.11.2025.HTA'.",
        "The report states that opening the RAR triggers extraction of a hidden HTA into the Windows Startup folder and execution after reboot.",
        "Detection section highlights HTA/VBS in the Startup folder as a hunting indicator."
      ]
    },
    {
      "id": "e004",
      "type": "url",
      "value": "hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf",
      "observed_at": "2025-11-11T00:00:00Z",
      "source": "Synaptic Security Blog IOC list + analyst-provided chain",
      "evidence": [
        "The article IOC list includes readers.serveirc.com under DynDNS payload delivery servers.",
        "The same IOC section lists '/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf' under observed URL paths.",
        "The full userinfo-style URL was preserved from the analyst-provided chain and normalized/defanged for safe publication."
      ]
    },
    {
      "id": "e005",
      "type": "file",
      "value": "Pteranodon Stage-2 loader",
      "observed_at": "2025-11-11T00:00:00Z",
      "source": "Synaptic Security Blog: Inside Gamaredon 2025",
      "evidence": [
        "Campaign summary identifies Pteranodon as the central Stage-2 loader.",
        "Report states that all delivery formats share one purpose: download and launch Pteranodon.",
        "Analysis section states that after bypassing filters, obfuscated HTA loaders fetch Pteranodon, wiper modules and auxiliary droppers."
      ]
    },
    {
      "id": "e006",
      "type": "url",
      "value": "hxxps://www.telegram[.]me/s/natural_blood",
      "observed_at": "2025-11-11T00:00:00Z",
      "source": "Synaptic Security Blog IOC list",
      "evidence": [
        "IOC list includes https://www.telegram.me/s/natural_blood.",
        "Report states that Gamaredon uses Telegram channels for rotating C2 IPs and cryptographic material.",
        "Screenshot in the report shows the NaturalBlonde / @natural_blood Telegram channel."
      ]
    },
    {
      "id": "e007",
      "type": "url",
      "value": "hxxps://www.telegram[.]me/s/oberfarir",
      "observed_at": "2025-11-11T00:00:00Z",
      "source": "Synaptic Security Blog IOC list",
      "evidence": [
        "IOC list includes https://www.telegram.me/s/oberfarir.",
        "Report states that Gamaredon uses Telegram channels for rotating C2 IPs and cryptographic material.",
        "Screenshot in the report shows the Oboessat / @oberfarir Telegram channel."
      ]
    },
    {
      "id": "e008",
      "type": "url",
      "value": "hxxps://telegram[.]me/s/teotori",
      "observed_at": "2025-11-11T00:00:00Z",
      "source": "Synaptic Security Blog IOC list",
      "evidence": [
        "IOC list includes https://telegram.me/s/teotori.",
        "Telegram channels are described as C2 IP and cryptographic-material rotation points."
      ]
    },
    {
      "id": "e009",
      "type": "url",
      "value": "hxxps://graph[.]org/vryivzphxwc-11-11",
      "observed_at": "2025-11-11T00:00:00Z",
      "source": "Synaptic Security Blog: Inside Gamaredon 2025",
      "evidence": [
        "Report explicitly lists https://graph.org/vryivzphxwc-11-11.",
        "Report states that graph.org pages are used for rotating payload URLs."
      ]
    },
    {
      "id": "e010",
      "type": "url",
      "value": "hxxps://www.bitdefender[.]com@weliveditwell[.]online/mammon",
      "observed_at": "2025-11-11T00:00:00Z",
      "source": "Synaptic Security Blog graph.org screenshot",
      "evidence": [
        "Report screenshot of a graph.org page shows the URL 'https://www.bitdefender.com@weliveditwell.online/mammon'.",
        "The userinfo-style domain disguise matches the same infrastructure pattern as president.gov.ua@readers.serveirc.com."
      ]
    },
    {
      "id": "e011",
      "type": "domain",
      "value": "document-downloads.ddns.net",
      "observed_at": "2025-11-11T00:00:00Z",
      "source": "Synaptic Security Blog IOC list",
      "evidence": [
        "IOC list includes document-downloads.ddns.net under DynDNS payload delivery servers.",
        "ATT&CK mapping notes frequent use of DynDNS for rotating C2 domains."
      ]
    },
    {
      "id": "e012",
      "type": "ip",
      "value": "194.67.71.75",
      "observed_at": "2025-11-11T00:00:00Z",
      "source": "Synaptic Security Blog IOC list / Fast-Flux section",
      "evidence": [
        "Report calls out 194.67.71.75 as standing out in REG.RU infrastructure.",
        "Report describes 194.67.71.0/24 as Fast-Flux infrastructure with short TTL, rapid rotation and many domains per IP.",
        "IOC list includes 194.67.71.75."
      ]
    },
    {
      "id": "e013",
      "type": "ip",
      "value": "45.32.220.217",
      "observed_at": "2025-11-11T00:00:00Z",
      "source": "Synaptic Security Blog IOC list",
      "evidence": [
        "IOC list includes 45.32.220.217.",
        "Note: the analyst draft contained 45.33.16.183, but that exact IP is not present in the cited article; this chain uses the article-backed 45.32.220.217 instead."
      ]
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e002",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Decoy document is part of initial delivery context, not the execution payload itself."
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "likely",
      "needs_review": false
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "techniques": [
        "IIM-T008",
        "IIM-T019",
        "IIM-T020",
        "IIM-T021"
      ],
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "needs_review": false,
      "review_notes": "URL reconstructed from report-listed domain and path plus analyst-provided full URL form."
    },
    {
      "entity_id": "e005",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e006",
      "role": "redirector",
      "techniques": [
        "IIM-T006",
        "IIM-T013"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e007",
      "role": "redirector",
      "techniques": [
        "IIM-T006",
        "IIM-T013"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e008",
      "role": "redirector",
      "techniques": [
        "IIM-T006",
        "IIM-T013"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e009",
      "role": "redirector",
      "techniques": [
        "IIM-T006",
        "IIM-T013"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e010",
      "role": "staging",
      "techniques": [
        "IIM-T010",
        "IIM-T013"
      ],
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "needs_review": false
    },
    {
      "entity_id": "e011",
      "role": "redirector",
      "techniques": [
        "IIM-T008",
        "IIM-T011"
      ],
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "needs_review": false
    },
    {
      "entity_id": "e012",
      "role": "c2",
      "techniques": [
        "IIM-T003",
        "IIM-T007"
      ],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e013",
      "role": "c2",
      "techniques": [
        "IIM-T002"
      ],
      "role_confidence": "tentative",
      "technique_confidence": "tentative",
      "needs_review": true,
      "review_notes": "Article lists the IP as IOC but does not provide a sample-specific relation from this exact chain. Keep as related C2 candidate unless separately validated in Mantis/Kraken."
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "drops",
      "sequence_order": 1,
      "observed_at": "2025-11-11T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Stage-1 sample table associates the RAR with the PDF lure name.",
        "Report explains RAR archives contain seemingly harmless documents."
      ]
    },
    {
      "from": "e001",
      "to": "e003",
      "type": "drops",
      "sequence_order": 2,
      "observed_at": "2025-11-11T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Stage-1 sample table shows the RAR/PDF stream writing Startup_2_1_1_7755_11.11.2025.HTA.",
        "Report explains hidden HTA extraction into Startup after opening the RAR."
      ]
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "download",
      "sequence_order": 3,
      "observed_at": "2025-11-11T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Report states that the initial dropper contacts a remote Gamaredon domain and retrieves Pteranodon.",
        "readers.serveirc.com and the /gss_11.11.2025/kidneyfih/broadlyrQZ.pdf path are present in the IOC list; full URL form comes from the analyst draft."
      ]
    },
    {
      "from": "e004",
      "to": "e005",
      "type": "download",
      "sequence_order": 4,
      "observed_at": "2025-11-11T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Report states that all delivery formats download and launch Pteranodon.",
        "Analysis says obfuscated HTA loaders fetch Pteranodon after filters are bypassed."
      ]
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "communicates-with",
      "sequence_order": 5,
      "observed_at": "2025-11-11T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "IOC list includes natural_blood Telegram URL.",
        "Report states Telegram channels are used for rotating C2 IPs and cryptographic material."
      ]
    },
    {
      "from": "e005",
      "to": "e007",
      "type": "communicates-with",
      "sequence_order": 6,
      "observed_at": "2025-11-11T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "IOC list includes oberfarir Telegram URL.",
        "Report states Telegram channels are used for rotating C2 IPs and cryptographic material."
      ]
    },
    {
      "from": "e005",
      "to": "e008",
      "type": "communicates-with",
      "sequence_order": 7,
      "observed_at": "2025-11-11T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "IOC list includes teotori Telegram URL.",
        "Report states Telegram channels are used for dynamic IP rotation and distribution of secrets/tokens."
      ]
    },
    {
      "from": "e005",
      "to": "e009",
      "type": "communicates-with",
      "sequence_order": 8,
      "observed_at": "2025-11-11T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Report explicitly lists graph.org/vryivzphxwc-11-11.",
        "Report states graph.org pages are used for periodically rotating payload URLs."
      ]
    },
    {
      "from": "e009",
      "to": "e010",
      "type": "references",
      "sequence_order": 9,
      "observed_at": "2025-11-11T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Report screenshot of the graph.org page shows the weliveditwell.online URL.",
        "Graph.org is described as payload URL rotation infrastructure."
      ]
    },
    {
      "from": "e005",
      "to": "e011",
      "type": "connect",
      "sequence_order": 10,
      "observed_at": "2025-11-11T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "document-downloads.ddns.net appears in the DynDNS payload delivery server IOC list.",
        "Report notes frequent requests to newly generated DynDNS domains as a tactical pattern."
      ]
    },
    {
      "from": "e005",
      "to": "e012",
      "type": "connect",
      "sequence_order": 11,
      "observed_at": "2025-11-11T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Report identifies 194.67.71.75 as notable C2/fast-flux infrastructure.",
        "Hunting guidance highlights outbound traffic to 194.67.71.0/24 as a network indicator."
      ]
    },
    {
      "from": "e011",
      "to": "e012",
      "type": "resolves-to",
      "sequence_order": 12,
      "observed_at": "2025-11-11T00:00:00Z",
      "confidence": "tentative",
      "x_evidence": [
        "Both document-downloads.ddns.net and 194.67.71.75 are in the article IOC set.",
        "The article does not explicitly state this exact domain-to-IP mapping; keep tentative unless confirmed by PassiveDNS/Kraken/Mantis."
      ]
    },
    {
      "from": "e005",
      "to": "e013",
      "type": "connect",
      "sequence_order": 13,
      "observed_at": "2025-11-11T00:00:00Z",
      "confidence": "tentative",
      "x_evidence": [
        "45.32.220.217 is present in the IOC IP list.",
        "Article does not provide a sample-specific edge from the November 11 RAR chain to this IP; retained as related campaign C2 candidate."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.001",
      "name": "Phishing: Spearphishing Attachment",
      "tactic": "Initial Access",
      "comment": "Ukraine-themed RAR/HTA/LNK attachment delivery."
    },
    {
      "technique_id": "T1203",
      "name": "Exploitation for Client Execution",
      "tactic": "Execution",
      "comment": "CVE-2025-6218 style archive handling causes HTA placement/execution."
    },
    {
      "technique_id": "T1059.005",
      "name": "Command and Scripting Interpreter: Visual Basic",
      "tactic": "Execution",
      "comment": "HTA/VBScript loader execution."
    },
    {
      "technique_id": "T1547.001",
      "name": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
      "tactic": "Persistence",
      "comment": "HTA placed in Windows Startup folder."
    },
    {
      "technique_id": "T1071.001",
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "Command and Control",
      "comment": "HTTP/HTTPS communication to DynDNS, graph.org and C2 infrastructure."
    },
    {
      "technique_id": "T1102.002",
      "name": "Web Service: Bidirectional Communication",
      "tactic": "Command and Control",
      "comment": "Telegram channels used for dynamic IP rotation and material distribution."
    },
    {
      "technique_id": "T1568.002",
      "name": "Dynamic Resolution: Domain Generation Algorithms / Dynamic DNS",
      "tactic": "Command and Control",
      "comment": "Frequent DynDNS use for rotating C2 domains."
    },
    {
      "technique_id": "T1090",
      "name": "Proxy",
      "tactic": "Command and Control",
      "comment": "Fast-flux/proxy-like infrastructure in 194.67.71.0/24."
    }
  ],
  "x_source_reports": [
    "Synaptic Security Blog - Inside Gamaredon 2025: Zero-Click Espionage at Scale"
  ],
  "x_source_urls": [
    "https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/"
  ],
  "x_report_published_at": "2025-11-22T00:00:00Z",
  "x_report_updated": [
    "2025-12-22",
    "2026-01-08"
  ],
  "x_selection_reason": "Included because the article contains a concrete RAR-to-Startup-HTA infection path, DynDNS delivery nodes, Telegram/graph.org resolver infrastructure, C2 IPs and enough operational detail to model the chain without inventing missing stages.",
  "x_scope_note": "This chain models one representative November 2025 Gamaredon RAR/HTA/Pteranodon path. Edges that are campaign-level rather than sample-specific are marked likely/tentative with review notes.",
  "x_publication_safety": "Malicious URLs are defanged with hxxp/hxxps and [.] for public feed display.",
  "x_corrective_notes": [
    "Changed e8 from type=url to type=domain where applicable for document-downloads.ddns.net.",
    "Changed relation e3->e4 from resolves-to to download; a file does not resolve to a URL.",
    "Removed duplicate IIM-T008 in the delivery node.",
    "Replaced 45.33.16.183 with 45.32.220.217 because 45.33.16.183 is not present in the cited article IOC list.",
    "Kept the document-downloads.ddns.net -> 194.67.71.75 relation tentative because the article lists both indicators but not the exact DNS resolution edge."
  ]
}