win.sharpstage

SharpStage

aka: LastConn

Actor(s): Molerats


SharpStage is a .NET backdoor. Its name derives from its main activity class, “Stage_One”. SharpStage can take screenshots, run arbitrary commands, and download additional payloads. It exfiltrates data from the infected machine to a Dropbox account by implementing a Dropbox client in its code. SharpStage has been seen in use by the Molerats group in targeted attacks in the Middle East.

References
2021-07-06 | 0ffset Blog | 0verfl0w_, Daniel Bunce
New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings
Families: SharpStage

2020-12-09 | Cybereason | Cybereason Nocturnus
New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign
Families: DropBook, MoleNet, Quasar RAT, SharpStage, Spark

2020-12-09 | Cybereason | Cybereason Nocturnus Team
MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign
Families: DropBook, JhoneRAT, Molerat Loader, Pierogi, Quasar RAT, SharpStage, Spark

There is no Yara-Signature yet.