Indicators of Compromise

IP Addresses

IP Address           Active Timeframe                Characterization
207.246.100[.]151    Feb. 7 – May 6 2022             Proxy Router C2
66.42.124[.]155      Feb. 7 – May 6 2022             Proxy Router C2
104.156.246[.]150    Feb. 7 – May 6 2022             Proxy Router C2
192.169.6[.]241      May 2 – May 3 2022              Proxy Router C2
149.28.119[.]73      May 8 – Sept. 25 2022           Proxy Router C2
45.32.88[.]250       May – Nov. 2 2022               Proxy Router C2
144.202.43[.]124     Sept. 22 – Nov. 2 2022          Proxy Router C2
108.61.203[.]19      Nov. 12 – Dec. 2022             Proxy Router C2
140.82.20[.]246      Nov. 12 – Dec. 2022             Proxy Router C2
159.203.72[.]166     Mar. 27 – Nov. 13 2023          Proxy Router C2
140.82.20[.]246      Nov. 28, 2022 – Nov. 13 2023    Proxy Router C2
108.61.132[.]157     Nov. 15 – 20, 2023              Proxy Router C2
144.202.49[.]189     Nov. 17 – Dec. 6 2023           Proxy Router C2
174.138.56[.]21      Nov. 17 – Dec. 4 2023           Proxy Router C2
159.203.113[.]25     Nov. 17 – Dec. 6 2023           Proxy Router C2
216.128.179[.]235    May – Dec. 6 2022               Callback Server
216.128.180[.]232    May 19 – Sept. 25 2022          1st stage Payload Server
155.138.146[.]162    Sept. 26 – Dec. 12 2022         1st stage Payload Server
45.156.21[.]172      Dec. 13, 2022 – Sept. 1 2023    1st stage Payload Server
45.11.92[.]176       April – Dec. 6 2023             1st stage Payload Server
193.36.119[.]48      Aug. 28, 2022 – Dec. 6 2023     1st stage Upstream Controller

Files

File name              SHA256
Kv-all.sh (Cisco)      7043ffd9ce3fe48c9fb948ae958a2e9966d29afe380d6b61d5efb826b70334f5
Kv-arm                 690638c702170dba9e43b0096944c4e7540b827218afbfaebc902143cda4f2a7
Kv-mipsel              48299c2c568ce5f0d4f801b4aee0a6109b68613d2948ce4948334bbd7adc49eb
Cli_download_arm       0279435f8727cca99bee575d157187787174d39f6872c2067de23afc681fe586
Cli_download_mipsel    2cb6df289475457e807fc202a2b4688b2e23a88c94a8431981780caf8b76acf7
download_cli_x86_64    b4f2470159ca93f9d585ae2df1da972f6d14a0c418ebc202a324b9be5c877b61
Cli_download_MIPs      d6cd1636569bba4131462bb8f45be1daa9a203aa343b6f2fd48a4847acfc29fa
Cli_download_I866      3fab16ec4643d8f6b9a99d85427322f7fb40e9ea3cd4de8318c6a52e29869d5a
(no file name given)   86f01d5342ec39c65b1cff716f19c334cec26a82b87492d783d5e8f4ff9cb63a
Test_02                19aa5a2235ee2518826a48363cb603060ee73ddccdf7d93bf197f97d7402aa37

Main payloads

SHA256                                                             SHA1
c524e118b1e263fccac6e94365b3a0b148a53ea96df21c8377ccd8ec3d6a0874   067f238d9d5c219d3c359dc398f5416f1a99c70b
2711f1341d2f150a0c3e2d596939805d66ba7c6403346513d1fc826324f63c87   08ad4f940d488587697820d13c3d175a05e5fa6c
5928f67db54220510f6863c0edc0343fdb68f7c7070496a3f49f99b3b545daf9   0bafedb699488d2a46878b429e8992f50e881eee
8e35d8643c00d9e2993625b03366a7cd1bd36e6a60bc0c6039a509fccf9df150   245e31af35cc6b950fcf08a0348a1b5ad178bf9a
07118af421f14a7e07601639f44a72f6782757ae74d2afffdb531b8209697e7f   311722dc71061d9977b8f713f812ed47ff9b8a7a
dc7b6b4f53581b53edfbbc83d825cfa0450b2039f126cd62e8529189bb156033   3a2ef359ee152f2f4b19c418d7b3cbee
c2299d8581af4ea8048bbf2bffd45c6ddca323c9c718c172355cc0df006ea6ca   48c3bd085b0d078cc6981f717755b694
88fc3816c94f9b0191179f4e933843ee4cfdbcb392968605491a387b1235ec12   4bfffff0405a1156c801444c35b25c241b687c04
6a8230e66011e0a0012273f7d12110c23b1e33bd7232dc67a836662a3d1075c7   6528827cdd6fd5b27543669c606577a3fd733e73
08d0da0c36089f7a1f700b989f2f7825c5ba2549a20735d0bd1e64ca9c4885bc   6b458e39559fb6cb9f1c23ec15ee7300fcf15da7
e88b03465c0376463f912a5601a518cc697330dc3e5857068f3de0c434b52c9a   6c177b41cc4376afbc955522ee213addb4ca2ef4
c0871ecfe8b306074c6d376db14d966578a8511e5b5d355a4cf2c4d0b8c9deb9   7178ee14a4103f569d0cb4cc84ab016f27caf7dc
b845ef0f9c5853ad1c226ac0ae7bb91159d5bb132185c1bfd171696b755a9164   7b30dc024e2bbfa9d21aca46783a6cd2656e6a92
5a2681ea2e1d0d5e7db2a2499d2e6e27b2689830c638d5ee28c2eef9867ececf   82de9031e5f6e46f7b7560d7ae45329f711d139f
5512cce87ff9dfd3ee9721eb29302d1700199ed7d625e09f9f779772ec06bdb0   8c04be1d054d0a9a5e33723ed91c336cd9e94cce
f5271fcb895977dc1eead64415e525323cd412e3f2625aee2fafbb5674beea28   8ed5a832dc036c452e137199db3e2f021390a9fb
d90e4a1b3a6bf019474b3be1703bf3211f1ebcca00b21bc252a39af274dc4fb0   9029f0e725e0134b1ca3db329d263d7794623c5f
9e6a2a01decc2c26f3586a119b6fd3a886c4cf9c76aa452339d164fda40c63e4   9c13ccb0c31539303b4b9cf0c8b6691afb351d77
bf0ed245e897c7d1ada511db2939e8f3a879a96543f2651d5631339d5419bb75   a4414dee4899fad39014b269d16daed7065ba123
c71d04e2b6b35fdd058b4be5cf9ea3478697950378d4ee3c7fe0bf87e1e3730f   a6a4e8aba325b1942c80beaf17dc9887efd2f7a0
36c63d0c2a78497ccf555e84f0233a514943faeff38281d99d00baf5df23f184   f7315b4a12fd470a561be7289631a776
b6226c3e0e4ad64bbda3e6a79eb464c7050faa25d1f5332dcac014d2e79dd87f   fd8981b043381adfaed6ac4c4a625c177d343804

X.509 Certificate SHA256 Fingerprints

cdffba0ebda39b3b58f59815be3829ca9c1cde957b46a6ad5ce4b31e405455bb
2b640582bbbffe58c4efb8ab5a0412e95130e70a587fd1e194fbcd4b33d432cf