
Date,Details,Email Payload Type,Users Targeted
3/1/2026,RE:CONFIRM PAYMENT INVOICE; zip -> originlogger,Attachment,2
3/1/2026,Your shipment has arrived; pdf -> link -> screenconnect continued to 3/6,Attachment,267
3/2/2026,Error synchronizing message ; rar -> js -> originlogger,Attachment,2
3/3/2026,BL DRAFT / 3425005143 SO 202552948280; gz -> remcos,Attachment,2
3/3/2026,Solicitud de precio; lha -> originlogger,Attachment,2
3/6/2026,RFQ FOR TOOL-EM78625; bz2 -> vbs -> xworm,Attachment,2
3/9/2026,Your 2026 Social Security Statement Is Ready|Action Required: Update Your Device Security; link -> screenconnect,Link,10
3/11/2026,"Re: CMA CGM China Ltd - SOA Confirmation Needed USD 15,452.81 (Dec-Jan); rar -> xloader",Attachment,4
3/11/2026,Purchase Order Stock-8787 -IAT; 7z -> bat -> donutloader -> vipkeylogger,Attachment,2
Date,Details,Payload Type,Users Targeted
2/1/2026,Your Social Security e-Statement Is Ready - View Using the SSA Gov Viewer App; zip -> screenconnect,Attachment,2
2/1/2026,Final shipping documents; zip -> phantomstealer,Attachment,2
2/2/2026,STATEMENT OF ACCOUNTS DEC.2025 USF; zip -> bat -> guloader -> phantomstealer,Attachment,3
2/2/2026,FW: SS24 NEW TPI E407SH005 / E423SH006 RIA; docx -> rtf -> xloader continued to 2/4,Attachment,3
2/2/2026,Fw: RFQ-S75502262N; z -> xloader continued to 2/4,Attachment,2
2/3/2026,Signature Via Docusign Required; link -> msi -> screenconnect,Link,17
2/3/2026,You have an important notice from BMO Bank; link -> msi -> screenconnect,Link,15
2/4/2026,Re:Order H600287395; rar -> guloader -> phantomstealer continued to 2/6,Attachment,7
2/4/2026,PURCHASE ORDER AND SAMPLES 2026; docx -> rtf -> vbs -> xworm,Attachment,3
Date,Details,Email Payload Type,Users Targeted
1/2/2026,Please Review the Tax Violation Notice Promptly; link -> rar -> rustyloader continued to,Link,2
1/4/2026,Your document; zip -> lnk -> exe -> phorpiex -> mamona ransomware,Attachment,106
1/9/2026,"Complete with DocuSign: ETF08 - 09 January, 202616:53:40 PM; link -> action1",Link,4
1/15/2026,Purchase Order and Company Profile 2026; rar -> js -> xworm,Attachment,3
1/15/2026,YOUR SSA e-Statement IS READY!; zip -> url -> msi -> action1,Attachment,3
1/15/2026,Signature Requested Via Docusign; link -> msi -> screenconnect,Link,26
1/16/2026,YOUR SSA ELECTRONIC STATEMENT NOTICE!; zip -> link -> msi -> screenconnect,Attachment,10
1/17/2026,Request for Quotation P.O4847358 // Urgent; zip -> xloader,Attachment,23
1/19/2026,You have recieved a shared document via WeTransfer 1/19/2026 9:41:55 AM; link -> msi -> screenconnect,Link,7
Date,Summary,Details,Email Payload Type,Users Targeted
12/1/2025,Malicious email campaign; morning,Wire Payment Invoice; link -> msi -> screenconnect,Link,23
12/1/2025,Malicious email campaign; evening,Request for Quotation (RFQ) Attached Requisitions; zip -> xloader,Attachment,3
12/2/2025,Malicious email campaign; morning,Booking.com Invoice 1658768288; pdf -> link -> xworm -> asyncrat,Attachment,3
12/3/2025,Malicious email campaign; morning,December New Order; docx -> rtf -> xloader,Attachment,2
12/3/2025,Malicious email campaign; morning,Payment_Receipt_12/03/2025; link -> msi -> screenconnect,Link,2
12/5/2025,Malicious email campaign; evening,Payment Receipt; link -> screenconnect,Link,26
12/10/2025,Malicious email campaign; evening,MV ASL ILEANA/AGENCY FIXTURE NOTICE; rar -> snakekeylogger,Attachment,2
12/11/2025,Malicious email campaign; evening,Payment copy..; link -> msi -> screenconnect,Link,2
12/16/2025,Malicious email campaign; morning,Attachment name is 16202512...OC__dintec____________________
Date,Details,Email Payload Type,Users Targeted
11/3/2025,Wire Invoice Payment; link -> msi -> logmeinrescue continued to 11/7,Link,55
11/3/2025,Completed via Docusign: GSWQ5279.pdf; link -> zip -> xworm,Link,5
11/3/2025,REQUEST FOR QUOTATION #PO - No° 20251103//WTS EXP & IMP PJ400; zip -> darkcloud,Attachment,2
11/4/2025,Invoice Payment Received; link -> msi -> logmeinrescue,Link,36
11/4/2025,PROFORMA REQUEST _ LATEST PRICE LIST (NOV 2025); z -> remcos,Attachment,2
11/5/2025,Re: Booking Request - Job 3386 / FLC7932025 /; zip -> originlogger,Attachment,3
11/5/2025,RE: PAYMENT DUE & SHIPMENT STATUS|FW: URGENT ORDER_NO.238275-ENQUIRY; r15 -> xloader,Attachment,4
11/6/2025,ORDER - PO_1306; z -> bat -> remcos,Attachment,40
11/6/2025,RE:RE: DHL - Shipment Doc-/ Arrival Notice - AWB# 13700658****ME85E1306221; z -> vbs -> remcos,Attachment,35
Date,Details,Email Payload Type,Users Targeted
10/5/2025,RFQ 6000187979 from 3060; z -> xloader,Attachment,22
10/7/2025,Re: Purchase order Items- Quotation request; zip -> redline,Attachment,2
10/7/2025,MV TBN CALL PORT FOR LOADING COAL; rar -> phantomstealer,Attachment,2
10/8/2025,RFQ - VRF/BT/2025/ENG/037; z -> vipkeylogger,Attachment,4
10/9/2025,FOLLOW UP ON REVISED CONTRACT PROPOSAL; pdf -> link -> screenconnect,Attachment,2
10/10/2025,"Attachment name is swift copy for USD 67,825.00.zip; zip -> vipkeylogger",Attachment,2
10/12/2025,RFQ-SPE-2025010-WA001310; tar -> remcos,Attachment,2
10/13/2025,RE: KABRU 25006 14 X 20 DV; xlam -> darkcloud,Attachment,3
10/13/2025,RE: Purchase Order - HOM-OS-20-25-813; r15 -> vipkeylogger continued to 10/14,Attachment,6
Date,Details,Email Payload Type,Users Targeted
9/4/2025,RE: Shipment Docs; js -> txt -> xloader,Attachment,3
9/4/2025,Zoom Meeting Invitation; link -> msi -> ateraagent,Attachment,4
9/9/2025,P.O; gz -> xloader,Attachment,2
9/10/2025,UNPAID INVOICE REMINDER - LionsHome GmbH - Invoice No. 2025-08-839; rar -> xloader,Attachment,9
9/16/2025,RE: Shipment Docs; r11 -> xloader,Attachment,6
9/17/2025,Re: Shipping Documents and Invoice; zip -> originlogger,Attachment,7
9/19/2025,Re: Quotation; gz -> remcos,Attachment,5
9/27/2025,Nota fiscal referente ao pedido 1947; r15 -> phantomstealer,Attachment,2