{"id":8248,"date":"2024-07-23T13:37:41","date_gmt":"2024-07-23T13:37:41","guid":{"rendered":"\/cybersecurity-blog\/?p=8248"},"modified":"2024-07-24T14:04:58","modified_gmt":"2024-07-24T14:04:58","slug":"crowdstrike-outage-abuse","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/","title":{"rendered":"Find Threats Exploiting CrowdStrike Outage <br> with TI Lookup"},"content":{"rendered":"\n<p>A recent update by CrowdStrike on July 18, 2024, resulted in a worldwide outage, causing significant disruption for users who were left with blue screens of death (BSODs) on their devices.<\/p>\n\n\n\n<p>Cybercriminals seized the opportunity to target affected users with phishing scams and malware.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threats_crowdstrike&amp;utm_term=230724&amp;utm_content=linktolanding\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> team has been closely monitoring the situation after the outage and has identified two primary sources of threats \u2014 domains and malware disguised as updates or bug fixes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Fake CrowdStrike Domains<\/h2>\n\n\n\n<p>One of the earliest consequences of the outage was the creation of websites with domain names that mimicked CrowdStrike&#8217;s official domain. 
Although some of them were created with no malicious intent, others were used as part of phishing attempts.<\/p>\n\n\n\n<p>These websites included newly registered ones and those that were still under construction.<\/p>\n\n\n\n<p>Some examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>crowdstriketoken[.]com: <a href=\"https:\/\/app.any.run\/tasks\/f58a7af0-e5ad-4d1c-8c18-f2093cddc28c\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threats_crowdstrike&amp;utm_term=230724&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/f58a7af0-e5ad-4d1c-8c18-f2093cddc28c\/<\/a><\/li>\n<li>crowdstrikebluescreen[.]com: <a href=\"https:\/\/app.any.run\/tasks\/789aa98b-fe9d-4758-a023-72a0b67530f8\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threats_crowdstrike&amp;utm_term=230724&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/789aa98b-fe9d-4758-a023-72a0b67530f8\/<\/a><\/li>\n<li>crowdstrikedown[.]site: <a href=\"https:\/\/app.any.run\/tasks\/577a9a3c-148d-419f-9eb2-89adbbabeef4\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threats_crowdstrike&amp;utm_term=230724&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/577a9a3c-148d-419f-9eb2-89adbbabeef4\/<\/a><\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"561\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/CrowdStrike-Outage-Exploited-by-Attackers-1024x561.png\" alt=\"\" class=\"wp-image-8250\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/CrowdStrike-Outage-Exploited-by-Attackers-1024x561.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/CrowdStrike-Outage-Exploited-by-Attackers-300x164.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/CrowdStrike-Outage-Exploited-by-Attackers-768x420.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/CrowdStrike-Outage-Exploited-by-Attackers-370x203.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/CrowdStrike-Outage-Exploited-by-Attackers-270x148.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/CrowdStrike-Outage-Exploited-by-Attackers-740x405.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/CrowdStrike-Outage-Exploited-by-Attackers.png 1520w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake domains identified within three days following the outage<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Looking at the data, the first day after the outage saw the highest volume of newly generated fake domains. 
Threat actors were quick to respond, potentially tricking numerous users into visiting fake websites while they were trying to fix the problem on their own.&nbsp;<\/p>\n\n\n\n<p>Here is a list of domains collected by ANY.RUN so far:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-114\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"5\"\n           data-rows=\"14\"\n           data-wpID=\"114\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:22.596153846154%;                    padding:10px;\n                    \"\n                    >\n                                        crowdstrike-bsod[.]co                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:16.907051282051%;                    padding:10px;\n                    \"\n                    >\n                                        crowdstrike-bsod[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:15.144230769231%;                    padding:10px;\n           
         \"\n                    >\n                                        crowdstrike-fix[.]zip                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    data-row-index=\"0\"\n                    style=\" width:17.948717948718%;                    padding:10px;\n                    \"\n                    >\n                                        crowdstrike-helpdesk[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"E1\"\n                    data-col-index=\"4\"\n                    data-row-index=\"0\"\n                    style=\" width:27.403846153846%;                    padding:10px;\n                    \"\n                    >\n                                        crowdstrike-out[.]com                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrike[.]blue                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrike[.]bot                    
<\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrike[.]cam                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrike[.]ee                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"E2\"\n                    data-col-index=\"4\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrike[.]es                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrike[.]fail                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B3\"\n                    
data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrike0day[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikebluescreen[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"D3\"\n                    data-col-index=\"3\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikebsod[.]co                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"E3\"\n                    data-col-index=\"4\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikebsod[.]com                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n        
            >\n                                        crowdstrikebug[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeclaim[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeclaims[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"D4\"\n                    data-col-index=\"3\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeclassaction[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"E4\"\n                    data-col-index=\"4\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikecure[.]com                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                
<td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikedoomsday[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikedown[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikedown[.]site                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"D5\"\n                    data-col-index=\"3\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikefail[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"E5\"\n                    data-col-index=\"4\"\n                    data-row-index=\"4\"\n                    style=\"                    
padding:10px;\n                    \"\n                    >\n                                        crowdstrikefix[.]co                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikefix[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikefix[.]in                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikefix[.]zip                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"D6\"\n                    data-col-index=\"3\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeglitch[.]com                    <\/td>\n                 
                               <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"E6\"\n                    data-col-index=\"4\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikehelp[.]com                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikelawsuit[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikemedaddy[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeold[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"D7\"\n                    
data-col-index=\"3\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeoops[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"E7\"\n                    data-col-index=\"4\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeoopsie[.]com                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeoopsies[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeout[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n         
           >\n                                        crowdstrikeoutage[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"D8\"\n                    data-col-index=\"3\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeoutage[.]info                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"E8\"\n                    data-col-index=\"4\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikepatch[.]com                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeplatform[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeplatform[.]info                    <\/td>\n                                              
  <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikerecovery[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"D9\"\n                    data-col-index=\"3\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikereport[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"E9\"\n                    data-col-index=\"4\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikesettlement[.]com                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikesuporte[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B10\"\n                    
data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikesupport[.]info                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstriketoken[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"D10\"\n                    data-col-index=\"3\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeupdate[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"E10\"\n                    data-col-index=\"4\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        crowdstrikeyou[.]xyz                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n  
                  >\n                                        crowdstrikezeroday[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        fix-crowdstrike-apocalypse[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C11\"\n                    data-col-index=\"2\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        fix-crowdstrike-bsod[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"D11\"\n                    data-col-index=\"3\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        fix-crowdstrike[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"E11\"\n                    data-col-index=\"4\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        fixcrowdstrike[.]com                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n            
                    <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A12\"\n                    data-col-index=\"0\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        fixmycrowdstrike[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B12\"\n                    data-col-index=\"1\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        fuckcrowdstrike[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C12\"\n                    data-col-index=\"2\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        howtofixcrowdstrikeissue[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"D12\"\n                    data-col-index=\"3\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        iscrowdstrikedown[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"E12\"\n                    data-col-index=\"4\"\n                    data-row-index=\"11\"\n                    
style=\"                    padding:10px;\n                    \"\n                    >\n                                        iscrowdstrikefixed[.]com                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A13\"\n                    data-col-index=\"0\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        iscrowdstrikestilldown[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B13\"\n                    data-col-index=\"1\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        isitcrowdstrike[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C13\"\n                    data-col-index=\"2\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        microsoftcrowdstrike[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"D13\"\n                    data-col-index=\"3\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        
microsoftoutagescrowdstrike[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"E13\"\n                    data-col-index=\"4\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        secure-crowdstrike[.]com                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"A14\"\n                    data-col-index=\"0\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        suportecrowdstrike[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"B14\"\n                    data-col-index=\"1\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        whatiscrowdstrike[.]com                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011 wpdt-empty-cell \"\n                                            data-cell-id=\"C14\"\n                    data-col-index=\"2\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                                            <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011 
wpdt-empty-cell \"\n                                            data-cell-id=\"D14\"\n                    data-col-index=\"3\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                                            <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011 wpdt-empty-cell \"\n                                            data-cell-id=\"E14\"\n                    data-col-index=\"4\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                                            <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-114'>\ntable#wpdtSimpleTable-114{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-114 td, table.wpdtSimpleTable114 th { white-space: normal !important; }\n.wpdt-fs-000011 { font-size: 11px !important;}\n<\/style>\n\n\n\n\n<p>To stay informed about the latest suspicious domains, use <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>. 
Our service lets you search our continuously updated threat database using 40 parameters, including domain names.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"622\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-4-1024x622.png\" alt=\"\" class=\"wp-image-8251\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-4-1024x622.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-4-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-4-768x466.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-4-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-4-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-4-740x449.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-4.png 1336w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>An example of a query for finding malicious domains mimicking CrowdStrike\u2019s official domain<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Use queries like the ones below to look for more examples of websites impersonating CrowdStrike:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-115\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"115\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                          
                  data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522domainName:%255C%2522crowdstrike%255C%2522%2520AND%2520threatLevel:%255C%2522malicious%255C%2522%2520%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522domainName:%255C%2522crowdstrike%255C%2522%2520AND%2520threatLevel:%255C%2522malicious%255C%2522%2520%2522,%2522dateRange%2522:180%7D\" data-link-text=\"domainName:\u201dcrowdstrike&quot; AND threatLevel:&quot;malicious&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">domainName:&quot;crowdstrike&quot; AND threatLevel:&quot;malicious&quot;<\/a>\n<br>\n<br>\n<a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522domainName:%255C%2522falcon%255C%2522%2520AND%2520threatLevel:%255C%2522malicious%255C%2522%2520%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522domainName:%255C%2522falcon%255C%2522%2520AND%2520threatLevel:%255C%2522malicious%255C%2522%2520%2522,%2522dateRange%2522:180%7D\" data-link-text=\"domainName:\u201dfalcon&quot; AND threatLevel:&quot;malicious&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" 
data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">domainName:&quot;falcon&quot; AND threatLevel:&quot;malicious&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-115'>\ntable#wpdtSimpleTable-115{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-115 td, table.wpdtSimpleTable115 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Our analysts have created a Suricata rule to identify domains that may 
host phishing content or malicious software.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"925\" height=\"473\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-3.png\" alt=\"\" class=\"wp-image-8252\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-3.png 925w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-3-300x153.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-3-768x393.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-3-370x189.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-3-270x138.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-3-585x300.png 585w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-3-740x378.png 740w\" sizes=\"(max-width: 925px) 100vw, 925px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata rule used for detecting fake domains<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Such domains are now tagged with &#8220;fakedomain&#8221; to warn users of potential dangers. 
Use this tag in <em>Public Submissions<\/em> to locate additional samples:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-116\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"116\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/app.any.run\/submissions\/#tag:fakedomain\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/app.any.run\/submissions\/#tag:fakedomain\" data-link-text=\"https:\/\/app.any.run\/submissions\/#tag:fakedomain\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">https:\/\/app.any.run\/submissions\/#tag:fakedomain<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-116'>\ntable#wpdtSimpleTable-116{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-116 td, table.wpdtSimpleTable116 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">Malicious Archive with Remcos<\/h2>\n\n\n\n<p>After the incident, 
there has been a rise in campaigns spreading malware disguised as updates or bug fixes.<\/p>\n\n\n\n<p>One of the <a href=\"https:\/\/app.any.run\/tasks\/5f515fa2-bd4a-49fd-88e2-d35b0c8376d9\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threats_crowdstrike&amp;utm_term=230724&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">first instances<\/a> of malware observed by ANY.RUN, disguised as a CrowdStrike hotfix, was an archive containing Hijackloader.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"757\" height=\"482\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image3-1.png\" alt=\"\" class=\"wp-image-8253\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image3-1.png 757w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image3-1-300x191.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image3-1-370x236.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image3-1-270x172.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image3-1-740x471.png 740w\" sizes=\"(max-width: 757px) 100vw, 757px\" \/><figcaption class=\"wp-element-caption\"><em>The malicious archive<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The malicious file, named &#8220;crowdstrike-hotfix&#8221;, was distributed from hxxps:\/\/portalintranetgrupobbva[.]com. After execution, it delivered Remcos to the infected system. 
<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"493\" height=\"321\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image4-1.png\" alt=\"\" class=\"wp-image-8254\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image4-1.png 493w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image4-1-300x195.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image4-1-370x241.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image4-1-270x176.png 270w\" sizes=\"(max-width: 493px) 100vw, 493px\" \/><figcaption class=\"wp-element-caption\"><em>Process tree in ANY.RUN showing the infection chain<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>To identify more suspicious files disguised as CrowdStrike updates, use TI Lookup with queries like:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-117\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"117\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22fileName:%5C%22crowdstrike%5C%22%C2%A0AND%C2%A0threatLevel:%5C%22malicious%5C%22%22,%22dateRange%22:180}\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22fileName:%5C%22crowdstrike%5C%22%C2%A0AND%C2%A0threatLevel:%5C%22malicious%5C%22%22,%22dateRange%22:180}\" data-link-text=\"fileName:&quot;crowdstrike&quot; AND threatLevel:&quot;malicious&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">fileName:&quot;crowdstrike&quot; AND threatLevel:&quot;malicious&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-117'>\ntable#wpdtSimpleTable-117{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-117 td, table.wpdtSimpleTable117 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">IOCs:<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-119\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"16\"\n           data-wpID=\"119\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                   
 >\n                                        crowdstrike-hotfix.zip\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Setup.exe\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        5ae3838d77c2102766538f783d0a4b4205e7d2cdba4e0ad2ab332dc8ab32fea9\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n 
                   \"\n                    >\n                                        maddisAsm_.bpl\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        battuta.flv\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        be074196291ccf74b3c4c8bd292f92da99ec37a25dc8af651bd0ba3f0d020349\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"           
         padding:10px;\n                    \"\n                    >\n                                        sqlite3.dll\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        02f37a8e3d1790ac90c04bc50de73cd1a93e27caf833a1e1211b9cc6294ecee5\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        vclx120.bpl\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                 
   style=\"                    padding:10px;\n                    \"\n                    >\n                                        rtl120.bpl\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        maidenhair.cfg\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    
data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        datastate.dll\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6010e2147a0f51a7bfa2f942a5a9eaad9a294f463f717963b486ed3f53d305c2\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        madexcept_.bpl\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A11\"\n                    
data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        vcl120.bpl\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A12\"\n                    data-col-index=\"0\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        madbasic_.bpl\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B12\"\n                    data-col-index=\"1\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            
data-cell-id=\"A13\"\n                    data-col-index=\"0\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        instrucciones.txt\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B13\"\n                    data-col-index=\"1\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        4f450abaa4daf72d974a830b16f91deed77ba62412804dca41a6d42a7d8b6fd0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A14\"\n                    data-col-index=\"0\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Domain: \u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B14\"\n                    data-col-index=\"1\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        hxxps:\/\/portalintranetgrupobbva[.]com\/\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                  
          data-cell-id=\"A15\"\n                    data-col-index=\"0\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        C2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B15\"\n                    data-col-index=\"1\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        213.5.130.58:443\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A16\"\n                    data-col-index=\"0\"\n                    data-row-index=\"15\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        URLs:\u00a0 \u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B16\"\n                    data-col-index=\"1\"\n                    data-row-index=\"15\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        mail.zoomfilms-cz[.]com\u00a0\u00a0 discussiowardder[.]website\u00a0\u00a0 wxt82[.]xyz\u00a0 \u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-119'>\ntable#wpdtSimpleTable-119{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-119 
td, table.wpdtSimpleTable119 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">Phishing Email with a Data Wiper&nbsp;<\/h2>\n\n\n\n<p>One of the most <a href=\"https:\/\/app.any.run\/tasks\/48e18e33-2007-49a8-aa60-d04c21e8fa11\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threats_crowdstrike&amp;utm_term=230724&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">sophisticated attacks<\/a> involved the distribution of a data wiper.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"617\" height=\"544\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image5-1.png\" alt=\"\" class=\"wp-image-8255\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image5-1.png 617w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image5-1-300x265.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image5-1-370x326.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image5-1-270x238.png 270w\" sizes=\"(max-width: 617px) 100vw, 617px\" \/><figcaption class=\"wp-element-caption\"><em>Phishing PDF<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>It began with a CrowdStrike-themed phishing email and a PDF attachment, which, in turn, included a link to download a ZIP file.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"408\" height=\"620\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image.jpg\" alt=\"\" class=\"wp-image-8256\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image.jpg 408w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-197x300.jpg 197w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-370x562.jpg 
370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image-270x410.jpg 270w\" sizes=\"(max-width: 408px) 100vw, 408px\" \/><figcaption class=\"wp-element-caption\"><em>Certificate verdict in ANY.RUN<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The archive contained an executable that, once launched, asked the user if they wanted to install the update.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"714\" height=\"544\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2.jpg\" alt=\"\" class=\"wp-image-8257\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2.jpg 714w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-300x229.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-370x282.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-270x206.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image2-80x60.jpg 80w\" sizes=\"(max-width: 714px) 100vw, 714px\" \/><figcaption class=\"wp-element-caption\"><em>Destroyed file<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Upon launching, the wiper devastated the system by overwriting files with zero bytes and then reported it over Telegram.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/14fc6a8a-6fd7-431f-aba5-d3177b47690f\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threats_crowdstrike&amp;utm_term=230724&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">See analysis session in ANY.RUN<\/a>&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">IOCs<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-120\"\n           style=\"border-collapse:collapse;\n                   
border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"4\"\n           data-wpID=\"120\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        update2.pdf\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        1bbb795ce19f4dcc4ac9f8e8c12f3452f1f07c68a53ef631c76e392e1d06ea43\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        update.zip\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n              
      style=\"                    padding:10px;\n                    \"\n                    >\n                                        96dec6e07229201a02f538310815c695cf6147c548ff1c6a0def2fe38f3dcbc8\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        CrowdStrike.exe\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        URL\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    
data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        hxxps:\/\/link.storjshare[.]io\/s\/jwyite7mez2ilyvm2esxw2jq3apq\/crowdstrikeisrael\/update.zip?download=1\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-120'>\ntable#wpdtSimpleTable-120{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-120 td, table.wpdtSimpleTable120 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">Malicious Document with a Stealer&nbsp;<\/h2>\n\n\n\n<p>Attackers also used other ways to trick unsuspecting victims into running malware. &nbsp;<\/p>\n\n\n\n<p>The picture below shows a <a href=\"https:\/\/app.any.run\/tasks\/2d27f10a-bb78-4b0a-b0d7-6a9c95e509f4\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threats_crowdstrike&amp;utm_term=230724&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">harmful document<\/a> that claims to provide instructions on how to resolve the issue. &nbsp;<\/p>\n\n\n\n<p>Yet, when opened, it uses a malicious VBS (Visual Basic Script) to start a series of tools on the infected computer. 
&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"884\" height=\"680\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image6.png\" alt=\"\" class=\"wp-image-8258\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image6.png 884w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image6-300x231.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image6-768x591.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image6-370x285.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image6-270x208.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/image6-740x569.png 740w\" sizes=\"(max-width: 884px) 100vw, 884px\" \/><figcaption class=\"wp-element-caption\"><em>The malicious .docm file that kickstarts the malware<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>After execution, it downloads and launches&nbsp;a <a href=\"https:\/\/app.any.run\/tasks\/1a9e6ba2-88bf-4b13-8b69-78cfbd82518d\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threats_crowdstrike&amp;utm_term=230724&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">stealer malware<\/a> using curl.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">IOCs<\/h3>\n\n\n\n<p><strong>Malicious document<\/strong><\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-121\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"121\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n     
                           <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Name\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Hash sum\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61\u00a0                    <\/td>\n                                        <\/tr>\n                        
    <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        URL\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        hxxp[:\/\/]172.104.160[.]126:8099\/payload2[.]txt\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-121'>\ntable#wpdtSimpleTable-121{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-121 td, table.wpdtSimpleTable121 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p><strong>Stealer<\/strong><\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-122\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"2\"\n           data-wpID=\"122\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n               
     style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Hash sum\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        URL\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        172.104.160.126:5000\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-122'>\ntable#wpdtSimpleTable-122{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-122 td, table.wpdtSimpleTable122 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 
class=\"wp-block-heading\">Recommendations&nbsp;<\/h2>\n\n\n\n<p>Users and organizations are advised to remain vigilant and thoroughly verify any updates or hotfixes before installation.&nbsp;<\/p>\n\n\n\n<p>For any information concerning the course of action for affected users, it is important to follow CrowdStrike\u2019s official statements and guidance.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threats_crowdstrike&amp;utm_term=230724&amp;utm_content=linktolanding\/\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.&nbsp;&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A recent update by CrowdStrike on July 18, 2024, resulted in a worldwide outage, causing significant disruption for users who were left with blue screens of death (BSODs) on their devices. 
Cybercriminals seized the opportunity to target affected users with phishing scams and malware.\u00a0 The ANY.RUN team has been closely monitoring the situation after the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":8259,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-8248","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Find Threats Exploiting CrowdStrike Outage  with TI Lookup \u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"See how attackers exploited the global outage caused by CrowdStrike&#039;s faulty update and collect up-to-date threat intelligence.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Find Threats Exploiting CrowdStrike Outage with TI Lookup \u00a0\",\"datePublished\":\"2024-07-23T13:37:41+00:00\",\"dateModified\":\"2024-07-24T14:04:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/\"},\"wordCount\":775,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/\",\"name\":\"Find Threats Exploiting CrowdStrike Outage with TI Lookup \u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-07-23T13:37:41+00:00\",\"dateModified\":\"2024-07-24T14:04:58+00:00\",\"description\":\"See how attackers exploited the global outage caused by CrowdStrike's faulty update and collect up-to-date threat 
intelligence.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Find Threats Exploiting CrowdStrike Outage with TI Lookup \u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Find Threats Exploiting CrowdStrike Outage  with TI Lookup \u00a0 - ANY.RUN&#039;s Cybersecurity Blog","description":"See how attackers exploited the global outage caused by CrowdStrike's faulty update and collect up-to-date threat intelligence.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Find Threats Exploiting CrowdStrike Outage with TI Lookup \u00a0","datePublished":"2024-07-23T13:37:41+00:00","dateModified":"2024-07-24T14:04:58+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/"},"wordCount":775,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/","url":"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/","name":"Find Threats Exploiting CrowdStrike Outage with TI Lookup \u00a0 - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-07-23T13:37:41+00:00","dateModified":"2024-07-24T14:04:58+00:00","description":"See how attackers exploited the global outage caused by CrowdStrike's faulty update and collect up-to-date threat intelligence.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware 
Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Find Threats Exploiting CrowdStrike Outage with TI Lookup \u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8248"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-b
log\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=8248"}],"version-history":[{"count":11,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8248\/revisions"}],"predecessor-version":[{"id":8424,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8248\/revisions\/8424"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/8259"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=8248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=8248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=8248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}