js.cactustorch

CACTUSTORCH

Actor(s): APT32, Leviathan


According to the GitHub repository, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. It spawns a 32-bit instance of the specified binary and injects shellcode into that process.

References

2022-01-16 | forensicitguy | Tony Lambert
Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike
https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/ (English; accessed 2022-01-25)
Related: CACTUSTORCH, Cobalt Strike
@online{lambert:20220116:analyzing:2c8a9db,
  author = {Tony Lambert},
  title = {{Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike}},
  date = {2022-01-16},
  organization = {forensicitguy},
  url = {https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/},
  language = {English},
  urldate = {2022-01-25}
}

2020-09-24 | Microsoft | Ben Koehl, Joe Hannon, Microsoft Identity Security Team
Microsoft Security—detecting empires in the cloud
https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/ (English; accessed 2020-09-24)
Related: CACTUSTORCH, LazyCat, APT40
@online{koehl:20200924:microsoft:adbe527,
  author = {Ben Koehl and Joe Hannon and Microsoft Identity Security Team},
  title = {{Microsoft Security—detecting empires in the cloud}},
  date = {2020-09-24},
  organization = {Microsoft},
  url = {https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/},
  language = {English},
  urldate = {2020-09-24}
}

2020-09-23 | Seqrite | Kalpesh Mantri, Pawan Chaudhari, Goutam Tripathy
Operation SideCopy: An insight into Transparent Tribe's sub-division which has been incorrectly attributed for years
https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf (English; accessed 2020-09-25)
Related: CACTUSTORCH, AllaKore
@techreport{mantri:20200923:operation:1bb33e6,
  author = {Kalpesh Mantri and Pawan Chaudhari and Goutam Tripathy},
  title = {{Operation SideCopy: An insight into Transparent Tribe's sub-division which has been incorrectly attributed for years}},
  date = {2020-09-23},
  institution = {Seqrite},
  url = {https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf},
  language = {English},
  urldate = {2020-09-25}
}

2019-04 | Macnica Networks | Macnica Networks
OceanLotus Attack on Southeast Asian Automotive Industry
https://www.macnica.net/file/mpression_automobile.pdf (Japanese; accessed 2021-03-02)
Related: CACTUSTORCH, Cobalt Strike
@techreport{networks:201904:oceanlotus:8ceeac3,
  author = {Macnica Networks},
  title = {{OceanLotus Attack on Southeast Asian Automotive Industry}},
  date = {2019-04},
  institution = {Macnica Networks},
  url = {https://www.macnica.net/file/mpression_automobile.pdf},
  language = {Japanese},
  urldate = {2021-03-02}
}

2018-12-20 | Codercto | Codercto
Analysis of the attack activities of Hailian Lotus APT group against large domestic investment companies
https://www.codercto.com/a/46729.html (Chinese; accessed 2020-01-07)
Related: CACTUSTORCH
@online{codercto:20181220:analysis:60da1aa,
  author = {Codercto},
  title = {{Analysis of the attack activities of Hailian Lotus APT group against large domestic investment companies}},
  date = {2018-12-20},
  organization = {Codercto},
  url = {https://www.codercto.com/a/46729.html},
  language = {Chinese},
  urldate = {2020-01-07}
}

2017-11-16 | Github (mdsecactivebreach) | Vincent Yiu
CACTUSTORCH: Payload Generation for Adversary Simulations
https://github.com/mdsecactivebreach/CACTUSTORCH (English; accessed 2020-01-09)
Related: CACTUSTORCH
@online{yiu:20171116:cactustorch:be5ebfd,
  author = {Vincent Yiu},
  title = {{CACTUSTORCH: Payload Generation for Adversary Simulations}},
  date = {2017-11-16},
  organization = {Github (mdsecactivebreach)},
  url = {https://github.com/mdsecactivebreach/CACTUSTORCH},
  language = {English},
  urldate = {2020-01-09}
}

There is no YARA signature yet.