medium
threat
Windows Cabinet File Extraction via Expand.exe
2 rules, 2 TTPs
Detects expand.exe extracting Microsoft Cabinet (CAB) archives, specifically when the extraction destination is C:\ProgramData or a similar staging directory. Such activity can indicate ingress tool transfer and payload staging by threat actors such as APT37.
Splunk Enterprise +2
APT37
cabinet_extraction
expand.exe
windows
endpoint
high
threat
ScarCruft (APT37) Deploying BirdCall Android Backdoor via Compromised Game Platform
2 rules, 5 TTPs, 1 IOC
The APT37 group (ScarCruft) is distributing an Android build of the BirdCall backdoor through a supply-chain attack on the Chinese video game platform sqgame[.]net, using it to collect sensitive information from the platform's users.
Google Play +2
ScarCruft
android
malware
spyware
apt37
supply-chain
high
threat
Braodo Stealer Screen Capture in TEMP Directory
2 rules, 1 TTP
This analytic detects the creation of screen capture files in the TEMP directory, activity associated with the Braodo stealer, which screenshots the victim's desktop as part of its data theft.
Splunk Enterprise +2
Braodo Stealer
stealc-stealer
crypto-stealer
braodo-stealer
apt37
hellcat-ransomware
vip-keylogger
screen-capture
malware
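A worked sketch of the two endpoint detections listed above (the expand.exe CAB-extraction card and the Braodo screen-capture card), added here as an example for this page; it is not the vendor's rule content. It evaluates constructed Sysmon-style events (Event ID 1 process creation, Event ID 11 file creation) that are embedded inline. The staging-directory list, the image extensions treated as screen captures, and the sample events are all assumptions chosen to illustrate the logic and should be tuned per estate.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumption: directories commonly used to stage tooling; tune for your environment.
STAGING_PREFIXES = ("c:\\programdata\\", "c:\\users\\public\\", "c:\\windows\\temp\\")
USER_TEMP_FRAGMENT = "\\appdata\\local\\temp\\"
# Assumption: the catalog entry names no extensions; these are typical screenshot formats.
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".bmp", ".gif")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into tokens, honouring double-quoted paths."""
    return [quoted or plain for quoted, plain in _TOKEN.findall(cmdline)]


def expand_destination(cmdline: str) -> Optional[str]:
    """Return the extraction target of an expand.exe command line, or None.

    expand.exe usage forms:
      expand [-r] source destination
      expand -r source [destination]
      expand -D source.cab [-F:files]        (list only, nothing is written)
      expand source.cab -F:files destination
    Switches start with '-' (we also drop '/'); the remaining tokens are positional,
    with the source first and the destination last. Best effort only: %ProgramData%,
    8.3 short names and forward slashes are not normalised here.
    """
    tokens = split_cmdline(cmdline)
    positional = [t for t in tokens[1:] if not t.startswith(("-", "/"))]
    if len(positional) < 2:
        return None
    return positional[-1]


def in_staging_dir(path: str) -> bool:
    """True if the path lies under a known staging directory or a user's TEMP."""
    p = path.lower()
    return p.startswith(STAGING_PREFIXES) or USER_TEMP_FRAGMENT in p


def rule_expand_to_staging(ev: Dict) -> bool:
    """Rule 1: expand.exe writing CAB contents into a staging directory."""
    if ev.get("EventID") != 1:
        return False
    if not ev.get("Image", "").lower().endswith("\\expand.exe"):
        return False
    dest = expand_destination(ev.get("CommandLine", ""))
    return dest is not None and in_staging_dir(dest)


def rule_screenshot_in_temp(ev: Dict) -> bool:
    """Rule 2: an image file created under a TEMP directory."""
    if ev.get("EventID") != 11:
        return False
    target = ev.get("TargetFilename", "").lower()
    in_temp = USER_TEMP_FRAGMENT in target or target.startswith("c:\\windows\\temp\\")
    return in_temp and target.endswith(IMAGE_EXTS)


RULES = {
    "expand_cab_to_staging_dir": rule_expand_to_staging,
    "screen_capture_file_in_temp": rule_screenshot_in_temp,
}

# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": r"expand.exe C:\Users\Public\pkg.cab -F:* C:\ProgramData\svc"},
    {"EventID": 1, "Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": r"expand.exe -r C:\Windows\Temp\drv.cab C:\Windows\System32\DriverStore\tmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": r"expand.exe -D C:\Users\alice\Downloads\update.cab"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\screen_20240501.png"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\MSI1234.tmp"},
]


def run_rules(events: List[Dict]) -> List[Tuple[int, str]]:
    """Evaluate every rule against every event; return (event index, rule name) hits."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for idx, name in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]}")
```

Only the first and fourth sample events fire: the `-r` extraction lands outside a staging directory, `-D` lists the archive without writing, and the MSI temp file is not an image. In production, expect benign hits from Windows servicing and installers that legitimately call expand.exe; enrich with parent process and signer before alerting.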