CORESHELL

Malware Profile Updated 25 days ago
Coreshell is a variant of Sofacy malware used by threat actors to compromise systems and steal sensitive information. Malware such as Coreshell can infect computer systems through suspicious downloads, emails, or websites; once inside, it can disrupt operations, steal personal information, or hold data hostage for ransom. In mid-May, IRON TWILIGHT operators installed XTunnel as a Coreshell child process on an already compromised system. They also installed Coreshell on a compromised bridge server that connected a TV station's corporate and broadcast networks; the installation of Coreshell on the bridge server suggests that the threat actors may have considered data on that system to be of interest or crucial to achieving their goals. The Sofacy group expanded its arsenal in 2013, adding more backdoors and tools, including CORESHELL, SPLM, JHUHUGIT, AZZY, and others. This highlights the continued evolution and sophistication of malware, which makes it increasingly challenging to defend against these threats. Organizations need to remain vigilant, employ robust security measures, and update their defenses regularly to stay ahead of evolving malware like Coreshell.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the CORESHELL malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | IRON TWILIGHT Supports Active Measures
MITRE | a year ago | Sofacy APT hits high profile targets with updated toolset
MITRE | a year ago | A Slice of 2017 Sofacy Activity