TOTPGuard
Groups observed using it
1 distinct threat actor attributed by public researchers.
TOTPGuard is the name of the .NET implant family... Local ildasm of that sample recovers a coherent bespoke TOTPGuard namespace... Execution runs through TOTPGuard.MyAppDomainManager ... so the managed implant executes under the trusted EbixExam.Desktop WPF process.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Nimbus Manticore APT operation that abuses a fake Ebix recruitment portal to deliver custom malware to job seekers. Victims are steered through a counterfeit hiring workflow at ebix.recruitment-flow.com, handed Airbus- and Ebix-branded job-description lure PDFs, and prompted to install a "two-factor authentication app" shipped as TOTPGuard.zip.
Execution
1 technique
Execution runs through TOTPGuard.MyAppDomainManager, an AppDomain-hijacking class loaded via the abused EbixExam.Updater.ServiceHub carrier so the managed implant executes under the trusted EbixExam.Desktop WPF process, wired in through setup.exe and UpdateConfig.xml.
Stealth
3 techniques
The C2 configuration sits in encrypted EncData / SecretStorage and the live endpoint is not cleanly recoverable from the IL, a stated blind spot that leaves the Azure-typosquat updater domain as the only attested network indicator.
The archive drops a payload set in which a malicious .NET implant masquerades inside the legitimate EbixExam.Desktop WPF application, executing through its updater service.
Execution runs through TOTPGuard.MyAppDomainManager, an AppDomain-hijacking class loaded via the abused EbixExam.Updater.ServiceHub carrier so the managed implant executes under the trusted EbixExam.Desktop WPF process, wired in through setup.exe and UpdateConfig.xml.
Command and Control
1 technique
Command-and-control runs over an Azure-typosquat domain, business-joiners-exam.azurewebsiets.net, reached by the abused updater component.
Exfiltration
1 technique
SHA-256 of main.dll, the native implant used for persistence, C2 communication, and data exfiltration.
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
2 sources tracked across advisories, community write-ups, and news.