Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions - Indicators of Compromise

Files

| Detection | SHA-256 | Filename/Path | Description |
|---|---|---|---|
| Trojan.Win32.SNAPPYBEE.ZMLJ | fc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5 | WINMM.dll | SNAPPYBEE loader |
| Backdoor.Win32.SNAPPYBEE.ZOLJ.enc | fba149eb5ef063bc6a2b15bd67132ea798919ed36c5acda46ee9b1118b823098 | NortonLog.txt | SNAPPYBEE payload |
| Trojan.PS1.DEMODEX.ZNLJ | 2fd4a49338d79f4caee4a60024bcd5ecb5008f1d5219263655ef49c54d9acdec | onedrived.ps1 | DEMODEX PowerShell dropper |
| Rootkit.Win64.DEMODEX.ZBLI | 16c8afd3b35c76a476851f4994be180f0cd72c7b250e493d3eb8c58619587266 | C:\Windows\System32\drivers\dumpfiskfss.sys | DEMODEX driver |
| Trojan.Win64.DEALOAD.ZALH | 9ba31dc1e701ce8039a9a272ef3d55aa6df66984a322e0d309614a5655e7a85c | C:\Windows\System32\SstpCfs.dll | DEMODEX loader |
| Trojan.Win32.SNAPPYBEE.ZMLJ | 25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b | DgApi.dll | SNAPPYBEE loader |
| Trojan.Win32.SNAPPYBEE.ZOLK | 6d64643c044fe534dbb2c1158409138fcded757e550c6f79eada15e69a7865bc | imfsbDLL.dll | SNAPPYBEE loader |
| Trojan.Win64.SNAPPYBEE.ZNLJ | b2b617e62353a672626c13cc7ad81b27f23f91282aad7a3a0db471d84852a9ac | DgApi.dll | SNAPPYBEE loader |
| Trojan.Win64.SNAPPYBEE.ZNLJ | 05840de7fa648c41c60844c4e5d53dbb3bc2a5250dcb158a95b77bc0f68fa870 | imfsbDLL.dll | SNAPPYBEE loader |
| Backdoor.Win64.SNAPPYBEE.ZNLK.enc | 1a38303fb392ccc5a88d236b4f97ed404a89c1617f34b96ed826e7bb7257e296 | dbindex.dat | SNAPPYBEE payload |

Network (Updated: October 31, 2024)

| IP | Description |
|---|---|
| 103.91.64.214 | Campaign Alpha (DEMODEX) |
| 165.154.227.192 | Campaign Alpha (frpc) |
| 23.81.41.166 | Campaign Alpha (Open directory C&C) |
| 158.247.222.165 | Campaign Alpha (SNAPPYBEE) |
| 172.93.165.14 | Campaign Alpha (related C&C) |
| 91.245.253.27 | Campaign Alpha (SNAPPYBEE) |
| 103.75.190.73 | Campaign Alpha (related C&C) |
| 45.125.67.144 | Campaign Beta (DEMODEX) |
| 43.226.126.164 | Campaign Beta (DEMODEX) |
| 172.93.165.10 | Campaign Beta (DEMODEX) |
| 193.239.86.168 | Campaign Beta (DEMODEX) |
| 146.70.79.18 | Campaign Beta (DEMODEX) |
| 146.70.79.105 | Campaign Beta (DEMODEX) |
| 205.189.160.3 | Campaign Beta (DEMODEX) |
| 96.9.211.27 | Campaign Beta (DEMODEX) |
| 43.226.126.165 | Campaign Beta (DEMODEX) |
| 139.59.108.43 | Campaign Beta (GHOSTSPIDER) |
| 185.105.1.243 | Campaign Beta (GHOSTSPIDER) |
| 143.198.92.175 | Campaign Beta (GHOSTSPIDER) |
| 139.99.114.108 | Campaign Beta (GHOSTSPIDER) |
| 139.59.236.31 | Campaign Beta (GHOSTSPIDER) |
| 104.194.153.65 | Campaign Beta (GHOSTSPIDER) |

| Domain | Description |
|---|---|
| materialplies.com | Campaign Alpha (related C&C) |
| news.colourtinctem.com | Campaign Alpha (related C&C) |
| api.solveblemten.com | Campaign Alpha (SNAPPYBEE) |
| esh.hoovernamosong.com | Campaign Alpha (SNAPPYBEE) |
| vpn114240349.softether.net | Campaign Alpha (SoftEther VPN) |
| imap.dateupdata.com | Campaign Beta (DEMODEX) |
| pulseathermakf.com | Campaign Beta (DEMODEX) |
| www.infraredsen.com | Campaign Beta (DEMODEX) |
| billing.clothworls.com | Campaign Beta (GHOSTSPIDER) |
| helpdesk.stnekpro.com | Campaign Beta (GHOSTSPIDER) |
| jasmine.lhousewares.com | Campaign Beta (GHOSTSPIDER) |
| private.royalnas.com | Campaign Beta (GHOSTSPIDER) |
| telcom.grishamarkovgf8936.workers.dev | Campaign Beta (GHOSTSPIDER) |
| vpn305783366.softether.net | Campaign Beta (SoftEther VPN) |
| vpn487875652.softether.net | Campaign Beta (SoftEther VPN) |
| vpn943823465.softether.net | Campaign Beta (SoftEther VPN) |