From fad578f68a84520dbadb633abb25c771c40f7063 Mon Sep 17 00:00:00 2001
From: brad-duncan
Date: Tue, 16 Jan 2024 09:26:17 -0600
Subject: [PATCH] Updated 2024-01-08-IOCs-for-GootLoader-infection.txt
---
 2024-01-08-IOCs-for-GootLoader-infection.txt | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/2024-01-08-IOCs-for-GootLoader-infection.txt b/2024-01-08-IOCs-for-GootLoader-infection.txt
index 1accf29..b440004 100644
--- a/2024-01-08-IOCs-for-GootLoader-infection.txt
+++ b/2024-01-08-IOCs-for-GootLoader-infection.txt
@@ -1,5 +1,10 @@
 2024-01-08 (MONDAY): GOOTLOADER INFECTION
+REFERENCES:
+
+- https://www.linkedin.com/posts/unit42_gootloader-unit42threatintel-timelythreatintel-activity-7150172074219651074-KCt3
+- https://twitter.com/Unit42_Intel/status/1744406454210036096
+
 CHAIN OF EVENTS:
 - Fake forum post page --> link to zip download --> zip --> extracted .js file --> Gootloader C2
@@ -44,4 +49,4 @@ POST-INFECTION TRAFFIC:
 - hxxps://mihfada[.]com/xmlrpc.php
 - hxxps://musify[.]co/xmlrpc.php
 - hxxps://ostadmajazi[.]com/xmlrpc.php <-- attempted TCP connections, not successful
-- hxxps://palladiummall[.]com/xmlrpc.php
\ No newline at end of file
+- hxxps://palladiummall[.]com/xmlrpc.php