Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
18 distinct techniques documented for this family, organized by ATT&CK tactic.
The SADBRIDGE configuration is encrypted using a simple subtraction of 0x1 on each byte of the configuration string. The encrypted stages are all appended with a .log extension, and decrypted during runtime using XOR and the LZNT1 decompression algorithm.
These organized campaigns target victims by masquerading as legitimate software such as web browsers or social media messaging services.
SADBRIDGE employs PoolParty, APC queues, and token manipulation techniques for process injection.
The keylogging functionality in GOSAR is implemented in the vibrant_services_KeyLogger function. This feature relies on Windows APIs ... with SetWindowsHookEx with the parameter WH_KEYBOARD_LL.
The current version we have only processes a GET request to the URI /security.js , responding with the string callback();
The malware has the capability to execute plugins, which are PE files downloaded from the C2 and stored on disk encrypted with an XOR algorithm.
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Golang-based reimplementation of Quasar RAT mentioned only as a payload deployed by SADBRIDGE in a separate intrusion set.
A Golang reimplementation of QUASAR that functions as a multi-platform remote access trojan/backdoor for Windows and Linux. It supports system information theft, screenshots, command execution, keylogging, clipboard logging, plugin execution, HVNC, screen capture, process/service management, and encrypted logging over TCP/TLS C2.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.