high 🤖 Botnet
Published March 12, 2026

BumbleBee "Shanya" Campaign Dissected: 300 Sinkholed DGA Domains, Fraudulent EV Certificates, and a Six-Family Malware Arsenal Targeting IT Administrators

#botnet#stealc#cobalt-strike#smokeloader#lumma#dll-sideloading#c2#ransomware#exploit#dga

TL;DR: A BumbleBee loader variant (botnet grp0005) is at the center of a multi-malware operation codenamed "Shanya" that trojanizes popular IT administration tools -- Advanced-IP-Scanner, RVTools, zenmap, NetSetMan, WinMTR, and Wireless Network Watcher -- into EV code-signed MSI installers. The loader uses DLL sideloading via a proxy msimg32.dll, a 300-domain DGA on the .life TLD (all sinkholed by Fraunhofer FKIE), and RC4-encrypted payloads to deliver at least six malware families including NightshadeC2, LummaStealer, Stealc, SmokeLoader, and EDR killers. A CIS locale kill-switch covering 16 country codes confirms post-Soviet operators, and the SmokeLoader C2 infrastructure on Google Cloud at 34.41.139.193 remains live.


Why This Matters

BumbleBee has been one of the most consequential initial access loaders in the cybercrime ecosystem since its emergence in 2022, directly linked to the post-Conti/TrickBot operator network. It does not steal credentials or encrypt files itself -- it opens the door. Once BumbleBee lands on a system, ransomware operators (historically Conti, Royal, and Black Basta) walk through it.

The Shanya campaign represents a deliberate pivot toward targeting IT professionals. Every trojanized application in the delivery chain is a network administration utility -- tools that sysadmins download, run with elevated privileges, and often whitelist from security controls. An IT administrator compromised through BumbleBee does not just lose one workstation. They hand over the keys to the infrastructure they manage.

The Attack Chain

The infection begins where most IT professionals would never suspect it -- a search engine result.

Stage 1: SEO Poisoning and Malvertising

The operator purchases search ads or poisons SEO results for queries like "Advanced IP Scanner download" or "RVTools free download." Victims land on a delivery domain (hub28[.]shop) that serves what appears to be a legitimate MSI installer, complete with the correct application name and branding.

Certificate transparency logs tell the story of hub28[.]shop:

First certificate: 2025-02-21 (ZeroSSL RSA Domain Secure Site CA)
Renewed:           2025-04-23 (active campaign maintenance)
Expired:           2025-07-22 (abandoned after campaign wave)

The domain was stood up specifically for this campaign, maintained for five months, and discarded once the delivery wave concluded.

Stage 2: EV Code-Signed MSI Execution

The downloaded MSI installer carries a valid Extended Validation code signing certificate:

Subject:     LLC Best Consult
Issuer:      GlobalSign GCC R45 EV CodeSigning CA 2020
Serial:      1044dc08d7a1cead020b97ec
Thumbprint:  5ce814f2c915eb20b8f72ac54b7d0a3a4756e80cf6d60a7525268ed8df4965ec
Valid:       2025-05-14 to 2026-05-15

This is almost certainly a fraudulently obtained EV certificate through a shell company. "LLC Best Consult" signed at least six different trojanized MSI packages across the campaign. EV code signing means the installer passes Windows SmartScreen without a warning, and most application whitelisting solutions treat it as trusted software. The MSI drops both the legitimate application (so the victim sees the expected tool working correctly) and a malicious DLL into the same directory.

Stage 3: DLL Sideloading via msimg32.dll

The core of the loader is a 64-bit DLL masquerading as msimg32.dll -- a legitimate Windows GDI+ helper library responsible for image manipulation functions like alpha blending and gradient fills. The proxy mechanism is elegant: three of the five exports forward directly to the real system DLL, maintaining full application compatibility.

Export          RVA        Purpose
AlphaBlend      0x1F4B93   Forwarded to real C:\Windows\System32\msimg32.dll
DllInitialize   0x1F4BC8   BumbleBee initialization routine
GradientFill    0x1F4BFF   Forwarded to real C:\Windows\System32\msimg32.dll
TransparentBlt  0x1F4C37   Forwarded to real C:\Windows\System32\msimg32.dll
vSetDdrawflag   0x1F4C70   BumbleBee payload trigger

When the legitimate application loads msimg32.dll from its own directory (standard Windows DLL search order), it gets the trojanized version. Calls to AlphaBlend, GradientFill, and TransparentBlt work normally -- the application functions perfectly. But DllInitialize and vSetDdrawflag trigger the BumbleBee loader chain.

Stage 4: Anti-Analysis Gauntlet

Before decrypting its payload, BumbleBee runs an extensive anti-analysis checklist:

CIS Locale Kill-Switch -- The loader checks the system locale against 16 country codes and aborts execution if any match:

ru-RU, ru-BY, ru-KG, ru-MD, ru-UA, kk-KZ, ky-KG,
uz-Cyrl, uz-Cyrl-UZ, uz-Latn, uz-Latn-UZ, uz-Arab,
az-Cyrl, az-Cyrl-AZ, az-Latn, az-Latn-AZ,
ka-GE, uk-UA, tg-Cyrl, tg-Cyrl-TJ, tk-TM,
hy-AM, be-BY, lt-LT, lv-LV, ro-MD, et-EE

This is the clearest attribution fingerprint in the sample. The kill-switch covers Russia, Ukraine, Belarus, Kazakhstan, Kyrgyzstan, Uzbekistan, Azerbaijan, Georgia, Tajikistan, Turkmenistan, Armenia, Lithuania, Latvia, Moldova, and Estonia -- essentially the entire former Soviet Union. The operators do not want to compromise machines in their own region.

VM and Sandbox Detection -- Checks for VMware, VirtualBox, QEMU, Wine, and Parallels. SCSI registry keys are enumerated to identify virtualized storage controllers. IsDebuggerPresent and QueryPerformanceCounter timing checks detect debuggers and single-stepping.

Dynamic API Resolution -- The import table is deliberately minimal and benign. Only 79 functions from KERNEL32.dll and supporting libraries like USER32.dll and GDI32.dll appear in the IAT -- exactly what you would expect from a legitimate graphics helper DLL. All sensitive APIs (VirtualAlloc, network functions, crypto routines) are resolved at runtime through GetProcAddress and LoadLibraryExW, evading static import analysis entirely.

Stage 5: Payload Decryption and DGA Resolution

The encrypted BumbleBee core sits in two contiguous high-entropy regions:

Section       Offset Range          Size    Entropy
.text (tail)  0x145000 - 0x1DB000   600 KB  High
.data         0x1F5000 - 0x28A000   596 KB  8.00 (maximum)

The combined encrypted blob is approximately 1.2 MB, decrypted at runtime with RC4. The .data section at entropy 8.00 -- the theoretical maximum for 8-bit data -- is a dead giveaway for encrypted content in static analysis.

After decryption, BumbleBee generates 300 C2 domains using a domain generation algorithm:

DGA Seed:       7941704092191845612
Domain Length:  13 characters
Character Set:  Lowercase alphanumeric (a-z, 0-9)
TLD:            .life
C2 Port:        443 (HTTPS)
Encryption:     RC4

Sample generated domains:

19ak90ckxyjxc[.]life
o2u1xbm9xoq4p[.]life
9b10t4vyvx6b5[.]life

All 300 DGA domains currently resolve to 188.40.187.152 -- a Fraunhofer FKIE sinkhole operated by the German CERT. This means the BumbleBee DGA channel is effectively dead. The infrastructure was identified and sinkholed before our investigation.

Stage 6: Post-Exploitation Payload Delivery

When the C2 channel was active, BumbleBee served as the initial access broker, downloading and executing additional malware families based on operator tasking. The Shanya campaign deploys at least six families:

Family        Role                                Sample Count
BumbleBee     Initial access loader               3
NightshadeC2  Remote access / C2 framework        2
LummaStealer  Credential and browser data theft   1
Stealc        Information stealer                 1
SmokeLoader   Secondary loader (botnet pub4)      1
EDR Killer    Security tool termination           2

The combination is methodical: BumbleBee gets in, EDR Killer neutralizes defenses, NightshadeC2 establishes persistent remote access, LummaStealer and Stealc harvest credentials, and SmokeLoader provides a backup delivery channel. This is a full-spectrum intrusion toolkit.

The Trojanized IT Tool Arsenal

Every application targeted for trojanization is a network administration utility that IT professionals routinely download and execute with elevated privileges:

Trojanized Installer          Hash Prefix   Signed By         First Seen
zenmap-7.97.msi               5afe56d2...   LLC Best Consult  2025-05-20
zenmap-7.97.msi               9514b84a...   Unknown           2025-05-29
Wireless_Network_Watcher.msi  bd4a1d11...   Unknown           2025-05-29
Wireless_Network_Watcher.msi  8f424f4d...   Unknown           2025-05-23
Advanced-IP-Scanner.msi       a14506c6...   Unknown           2025-07-16
Advanced-IP-Scanner.msi       76ea5c5b...   Unknown           2025-07-09
NetSetMan.msi                 cd454d80...   Unknown           2025-07-11
NetSetMan.msi                 ad415a5f...   Unknown           2025-07-17
RVTools.msi                   1ba85af9...   Unknown           2025-07-18
WinMTR.msi                    02197c23...   LLC Best Consult  2025-05-19

The targeting is precise. These are not consumer applications -- they are tools used by network engineers, system administrators, and IT support staff. An IT professional running a trojanized Advanced-IP-Scanner on a management workstation gives the operator immediate access to a machine that likely has credentials for servers, network devices, and cloud management consoles.

SmokeLoader: The Live Infrastructure

While BumbleBee's DGA domains have been sinkholed, the SmokeLoader component (botnet pub4) maintains live C2 infrastructure:

C2 URL                                      IP              Provider      Status
hxxp://obozintsev[.]ru/tmp/index.php        34.41.139.193   Google Cloud  LIVE
hxxp://olovge[.]at/tmp/index.php            34.41.139.193   Google Cloud  LIVE
hxxp://nuxc[.]cc/tmp/index.php              34.41.139.193   Google Cloud  LIVE
hxxp://piratekings[.]online/tmp/index.php   104.21.86.76    Cloudflare    LIVE

Three of four SmokeLoader C2 domains resolve to a single Google Cloud IP (34.41.139.193). Shodan shows this IP with hundreds of open ports and a reverse DNS entry of zzkongqipao.com -- characteristics of a multi-purpose malicious hosting node. The obozintsev[.]ru domain -- registered at RU-CENTER, a Russian registrar -- is another attribution data point linking the operation to Russian-speaking operators.

The nuxc[.]cc domain was registered as recently as 2026-01-20, confirming the SmokeLoader infrastructure is actively maintained even though the BumbleBee DGA channel is dead.

PE Analysis Deep Dive

Primary Sample

Attribute      Value
SHA-256        5e2382ba5822edc0780c09f58a5a13bc737ac9cc846d89a93a862a64262947ea
SHA-1          a5075f53216abf7b5b4f7a7bbe76995e07f6eb25
MD5            35c783567e26df468686248c5b0fafa7
Imphash        e4a86d4171ecc771cbe518b0841def67
File Type      PE32+ DLL (AMD64), 7 sections
File Size      2,685,952 bytes (2.56 MB)
Compilation    2024-02-16 13:50:19 UTC
Internal Name  msimg32_0x000F59365472624.dll
ASLR           Yes (HIGH_ENTROPY_VA + DYNAMIC_BASE)
DEP/NX         Yes

Section Table

Section  Virtual Size  Raw Size  Entropy  Notes
.text    0x1E5330      0x1E5400  6.60     Main code + encrypted payload tail
.rdata   0xEA26        0xEC00    5.35     Import/export tables
.data    0x9DCE8       0x99A00   8.00     Encrypted BumbleBee payload
.pdata   0xDB0         0xE00     5.29     Exception handlers
.gfids   0x94          0x200     0.76     Guard CF data
.rsrc    0x500         0x600     2.89     Fake version info
.reloc   0x648         0x800     4.85     Relocations

The .data section at entropy 8.00 is the primary detection signal. Legitimate DLLs almost never have a section at maximum entropy -- this unambiguously indicates encrypted or compressed content.

Fake Version Information

The version info resource contains auto-generated nonsense strings from the packer/builder toolchain:

Comments:        Myelocyst teamman preidea anusvara stereoplanigraph
CompanyName:     Hypersensuousness
FileDescription: Expressively theligonaceous renitence orthotactic antherozoidal
InternalName:    Khitan
LegalCopyright:  Inalterability hypnoidize corelates cyclosilicate
ProductName:     Sidewash hype

These strings are a fingerprint. They are not random -- they are generated by a specific builder tool that selects obscure English words. Any PE with version info matching this pattern of multi-syllabic, uncommon English words in fields like Comments and LegalCopyright warrants immediate investigation.

Build Environment (Rich Header)

The Rich header reveals a mixed Visual Studio 2017/2019 toolchain with 140 imported object files. The mixed compiler versions suggest the loader incorporates code from multiple development phases or third-party libraries -- consistent with a modular malware-as-a-service platform where different components are compiled separately and linked together.

Operator OPSEC Failures

The Shanya campaign operators made several operational security mistakes that enable tracking and attribution:

  1. CIS kill-switch as attribution fingerprint -- Checking 16 CIS locale codes directly reveals the operator's region of origin. This is the most reliable attribution indicator in the sample.

  2. Shared signing certificate -- The "LLC Best Consult" EV certificate links six or more samples across the entire campaign. Revoking this single certificate degrades the operator's ability to bypass SmartScreen across all delivery vectors.

  3. Consistent DLL naming -- The internal name msimg32_0x000F59365472624.dll contains a hex suffix that appears to be a build identifier. This suffix is consistent across samples and can be used as a tracking pivot.

  4. Botnet ID progression -- The progression from grp0004 to grp0005 reveals campaign versioning and allows analysts to track operational tempo.

  5. Russian-TLD C2 domain -- Using obozintsev.ru for SmokeLoader C2 unnecessarily ties infrastructure to a Russian registrar.

  6. Fake version info pattern -- The auto-generated gibberish strings fingerprint the specific builder tool used across the campaign.

MITRE ATT&CK Mapping

Tactic                Technique                                       ID          Implementation
Resource Development  Acquire Infrastructure: Domains                 T1583.001   DGA domains (.life TLD), hub28[.]shop delivery
Resource Development  Obtain Capabilities: Code Signing Certificates  T1588.003   LLC Best Consult fraudulent EV cert
Initial Access        Drive-by Compromise                             T1189       SEO poisoning / malvertising for IT tools
Execution             System Services: Service Execution              T1569.002   MSI installer execution
Execution             User Execution: Malicious File                  T1204.002   Victim runs trojanized MSI
Persistence           Hijack Execution Flow: DLL Side-Loading         T1574.002   msimg32.dll proxy sideloading
Defense Evasion       Obfuscated Files or Information                 T1027       RC4-encrypted payload, string encryption
Defense Evasion       Dynamic API Resolution                          T1027.007   Minimal IAT, runtime GetProcAddress
Defense Evasion       Masquerading: Match Legitimate Name             T1036.005   msimg32.dll impersonation
Defense Evasion       Virtualization/Sandbox Evasion                  T1497.001   VMware/VBox/QEMU/Wine/Parallels detection
Defense Evasion       Impair Defenses                                 T1562       EDR Killer components
Defense Evasion       Subvert Trust Controls: Code Signing            T1553.002   Fraudulent EV code signing
Discovery             System Location Discovery: System Language      T1614.001   CIS locale kill-switch (16 codes)
Discovery             System Information Discovery                    T1082       SCSI registry, drive enumeration
Command and Control   Application Layer Protocol: Web                 T1071.001   HTTPS C2 on port 443
Command and Control   Dynamic Resolution: DGA                         T1568.002   300 .life domains from seed
Command and Control   Encrypted Channel                               T1573       RC4-encrypted C2 communications
Credential Access     Credentials from Password Stores                T1555       LummaStealer, Stealc components

Indicators of Compromise

File Hashes -- BumbleBee Loader

5e2382ba5822edc0780c09f58a5a13bc737ac9cc846d89a93a862a64262947ea (primary sample)
12a6ed8bc832cd5aca2135bdfdd7af1064370b5c121e14342b42025df706b9f1
0dd6fabb987f0a58550c4b2ef599239947f3f5b5dc9ff496ce52c9f67671c689

File Hashes -- Campaign Arsenal


File Hashes -- Trojanized MSI Installers

5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1 (zenmap-7.97.msi)
02197c23af1f99c3fa41d52f7f925e47ae5bfb5e604314d19382b1bb7112463f (WinMTR.msi)
783a4034e44f58427a248454ade7ab09c4099414bb0a385ca32d8b263cd21ae4 (RVTools.msi)

Network Indicators -- Domains


Network Indicators -- IPs

34[.]41[.]139[.]193            (SmokeLoader C2 -- Google Cloud -- LIVE)
104[.]21[.]86[.]76             (piratekings[.]online -- Cloudflare -- LIVE)
172[.]67[.]216[.]147           (piratekings[.]online -- Cloudflare -- LIVE)
188[.]40[.]187[.]152           (Fraunhofer FKIE sinkhole -- NOT malicious)

Code Signing Certificate

Subject:     LLC Best Consult
Issuer:      GlobalSign GCC R45 EV CodeSigning CA 2020
Serial:      1044dc08d7a1cead020b97ec
Thumbprint:  5ce814f2c915eb20b8f72ac54b7d0a3a4756e80cf6d60a7525268ed8df4965ec
Valid:       2025-05-14 to 2026-05-15
Status:      Fraudulent -- recommend immediate revocation

DGA Parameters

Seed:            7941704092191845612
Domain Length:   13 characters
Character Set:   a-z, 0-9
TLD:             .life
Count:           300
C2 Port:         443 (HTTPS)
Encryption:      RC4
Botnet ID:       grp0005

Detection Opportunities

YARA Rules

rule BumbleBee_Shanya_msimg32_Sideload
{
    meta:
        author = "Breakglass Intelligence"
        description = "BumbleBee loader DLL sideloading via msimg32.dll proxy (Shanya campaign)"
        date = "2026-03-09"
        hash = "5e2382ba5822edc0780c09f58a5a13bc737ac9cc846d89a93a862a64262947ea"
        tlp = "TLP:CLEAR"
        severity = "CRITICAL"

    strings:
        $export_name = "msimg32_0x" ascii
        $fwd_alpha = "\\System32\\msimg32.AlphaBlend" ascii
        $fwd_gradient = "\\System32\\msimg32.GradientFill" ascii
        $fwd_transparent = "\\System32\\msimg32.TransparentBlt" ascii
        $fwd_vset = "\\System32\\msimg32.vSetDdrawflag" ascii
        $export_dllinit = "DllInitialize" ascii
        $locale_ru = "ru-RU" wide
        $locale_by = "ru-BY" wide
        $locale_kz = "kk-KZ" wide
        $locale_ua = "uk-UA" wide
        $locale_ge = "ka-GE" wide
        $vi_fake1 = "Myelocyst" wide
        $vi_fake2 = "Hypersensuousness" wide
        $vi_fake3 = "Khitan" wide

    condition:
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        (
            ($export_name and 2 of ($fwd_*)) or
            (3 of ($locale_*) and $export_dllinit) or
            (2 of ($vi_fake*) and any of ($fwd_*))
        )
}

rule BumbleBee_DGA_Life_TLD
{
    meta:
        author = "Breakglass Intelligence"
        description = "BumbleBee DGA domains using .life TLD (network indicator)"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"

    strings:
        $dga1 = "19ak90ckxyjxc.life" ascii wide nocase
        $dga2 = "o2u1xbm9xoq4p.life" ascii wide nocase
        $dga3 = "9b10t4vyvx6b5.life" ascii wide nocase

    condition:
        any of them
}

import "math"

rule BumbleBee_MaxEntropy_Data_Section
{
    meta:
        author = "Breakglass Intelligence"
        description = "PE with maximum entropy .data section and msimg32 exports -- BumbleBee payload container"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"

    strings:
        $msimg = "msimg32" ascii wide nocase
        $dllinit = "DllInitialize" ascii
        $vset = "vSetDdrawflag" ascii

    condition:
        uint16(0) == 0x5A4D and
        filesize > 2MB and filesize < 4MB and
        ($msimg or $dllinit or $vset) and
        math.entropy(0, filesize) > 7.0
}

Suricata Rules

# BumbleBee DGA -- 13-character alphanumeric .life TLD domains
alert dns any any -> any 53 (msg:"BREAKGLASS BumbleBee DGA .life TLD Resolution"; \
  dns.query; content:".life"; endswith; pcre:"/^[a-z0-9]{13}\.life$/"; \
  sid:2026030901; rev:1; classtype:trojan-activity; \
  metadata:author Breakglass_Intelligence;)

# BumbleBee DGA in TLS SNI
alert tls any any -> any 443 (msg:"BREAKGLASS BumbleBee C2 DGA Domain in TLS SNI"; \
  tls.sni; content:".life"; endswith; pcre:"/^[a-z0-9]{13}\.life$/"; \
  sid:2026030902; rev:1; classtype:trojan-activity;)

# SmokeLoader C2 URI pattern
alert http any any -> $EXTERNAL_NET any (msg:"BREAKGLASS SmokeLoader C2 pub4 URI Pattern"; \
  http.uri; content:"/tmp/index.php"; \
  sid:2026030903; rev:1; classtype:trojan-activity;)

# SmokeLoader C2 IP -- Google Cloud
alert http any any -> 34.41.139.193 any (msg:"BREAKGLASS SmokeLoader C2 IP (Shanya Campaign)"; \
  sid:2026030904; rev:1; classtype:trojan-activity;)

# SmokeLoader C2 domains
alert dns any any -> any 53 (msg:"BREAKGLASS Shanya SmokeLoader C2 - obozintsev.ru"; \
  dns.query; content:"obozintsev.ru"; sid:2026030905; rev:1; classtype:trojan-activity;)
alert dns any any -> any 53 (msg:"BREAKGLASS Shanya SmokeLoader C2 - olovge.at"; \
  dns.query; content:"olovge.at"; sid:2026030906; rev:1; classtype:trojan-activity;)
alert dns any any -> any 53 (msg:"BREAKGLASS Shanya SmokeLoader C2 - nuxc.cc"; \
  dns.query; content:"nuxc.cc"; sid:2026030907; rev:1; classtype:trojan-activity;)
alert dns any any -> any 53 (msg:"BREAKGLASS Shanya SmokeLoader C2 - piratekings.online"; \
  dns.query; content:"piratekings.online"; sid:2026030908; rev:1; classtype:trojan-activity;)

Hunting Queries

Sigma -- Suspicious msimg32.dll Outside System32

title: msimg32.dll Loaded from Non-Standard Location
status: experimental
description: Detects msimg32.dll sideloading as used by BumbleBee Shanya campaign
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\msimg32.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not filter
level: high
tags:
    - attack.persistence
    - attack.t1574.002

KQL -- IT Tool MSI from Non-Official Domain

DeviceFileEvents
| where FileName matches regex @"(?i)(Advanced.IP.Scanner|NetSetMan|RVTools|WinMTR|zenmap|Wireless.Network.Watcher).*\.msi"
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")
| where FolderPath !contains "official-download-domain"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessCommandLine

Splunk -- DGA .life Domain Pattern

index=dns sourcetype=dns
| regex query="^[a-z0-9]{13}\.life$"
| stats count by src_ip, query
| where count > 5
| sort -count
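The DGA pattern from the Suricata and Splunk rules above, run offline over constructed DNS log lines, as an added example that is not part of the original post or of Breakglass Intelligence's tooling. It applies the same ^[a-z0-9]{13}\.life$ match and the count > 5 threshold, lowercases names first (the rules as written are case-sensitive while DNS is not), and separates answers that point at the Fraunhofer FKIE sinkhole from unresolved or other answers; the log format and the 10.1.5.x hosts are assumptions.

```python
"""Offline hunt for Shanya DNS activity (added example; log format is constructed)."""
import re
from collections import Counter, defaultdict

DGA_RE = re.compile(r"^[a-z0-9]{13}\.life$")   # same pattern as the Suricata/Splunk rules
SINKHOLE_IP = "188.40.187.152"                  # Fraunhofer FKIE sinkhole (from the post)
SMOKELOADER_C2 = {"obozintsev.ru", "olovge.at", "nuxc.cc", "piratekings.online"}
DGA_THRESHOLD = 5                               # mirrors "| where count > 5" in the Splunk query

# Constructed sample log, one lookup per line: "<ts> <src_ip> <query> <answer_ip|NXDOMAIN>".
# 10.1.5.23 is a hypothetical infected host; 10.1.5.40 shows a benign 13-character .life
# name that matches the pattern but stays under the threshold; 10.1.5.77 is mixed case.
SAMPLE_LOG = """\
2026-03-09T10:00:01Z 10.1.5.23 19ak90ckxyjxc.life 188.40.187.152
2026-03-09T10:00:02Z 10.1.5.23 o2u1xbm9xoq4p.life 188.40.187.152
2026-03-09T10:00:03Z 10.1.5.23 9b10t4vyvx6b5.life 188.40.187.152
2026-03-09T10:00:04Z 10.1.5.23 a1b2c3d4e5f6g.life NXDOMAIN
2026-03-09T10:00:05Z 10.1.5.23 zz9yy8xx7ww6v.life NXDOMAIN
2026-03-09T10:00:06Z 10.1.5.23 qwertyuiop123.life NXDOMAIN
2026-03-09T10:00:07Z 10.1.5.23 obozintsev.ru 34.41.139.193
2026-03-09T10:01:00Z 10.1.5.40 greenlivingab.life 203.0.113.10
2026-03-09T10:01:01Z 10.1.5.40 www.example.com 203.0.113.10
2026-03-09T10:02:00Z 10.1.5.77 A1B2C3D4E5F6G.life NXDOMAIN
"""

def parse_line(line):
    """Split one log line into fields; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, query, answer = parts
    # DNS names are case-insensitive; normalise so mixed-case queries are not missed.
    return {"ts": ts, "src": src, "query": query.lower().rstrip("."), "answer": answer}

def classify_answer(answer):
    """Label where a DGA lookup ended up: the sinkhole, NXDOMAIN, or some other address."""
    if answer == SINKHOLE_IP:
        return "sinkholed"
    if answer == "NXDOMAIN":
        return "unresolved"
    return "other"

def hunt(log_text):
    """Count DGA-pattern lookups per source host and collect SmokeLoader C2 lookups."""
    per_src = defaultdict(Counter)
    c2_hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if DGA_RE.match(rec["query"]):
            per_src[rec["src"]]["total"] += 1
            per_src[rec["src"]][classify_answer(rec["answer"])] += 1
        if rec["query"] in SMOKELOADER_C2:
            c2_hits.append((rec["src"], rec["query"], rec["answer"]))
    # A host only becomes a DGA alert above the threshold; single benign matches stay quiet.
    dga_alerts = sorted(s for s, c in per_src.items() if c["total"] > DGA_THRESHOLD)
    return {"per_src": {s: dict(c) for s, c in per_src.items()},
            "dga_alerts": dga_alerts, "c2_hits": c2_hits}

if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for src, counts in sorted(result["per_src"].items()):
        print(src, counts)
    print("DGA alerts (count > %d):" % DGA_THRESHOLD, result["dga_alerts"])
    print("SmokeLoader C2 lookups:", result["c2_hits"])
```

A host whose matches all land on the sinkhole is still infected and beaconing, even though the channel itself is dead; the per-source breakdown is what tells that case apart from a live resolution.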

Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 10 Shanya campaign samples analyzed across 6 malware families. 300 DGA domains sinkholed by Fraunhofer FKIE. SmokeLoader C2 infrastructure on Google Cloud remains live. Classification: TLP:CLEAR
