Malicious @github repo at:
github/.com/charlie...
seen dropped via #xworm on a hijacked @operagxofficial installer
app.any.run/tasks/4be36a...
If you've been dealing with these janky downloaders ("pdfs" if you MiTM the TLS), these have been #darkcloud #stealer so far:
app.any.run/tasks/925ce6...
Look for:
vbs file
showip\.net
LoginData
WebData
keyDBPath.db
in the run and
StrFtpServer
DCS V
in the dmp file
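A quick way to turn the indicator list above into a repeatable check. This is an added example, not the author's tooling: it searches a sandbox run view for the .vbs stage and the browser-database names, and the process dump for the two strings, both as ASCII and as UTF-16LE (the usual encoding for strings in .NET and VB samples). The sample run lines and dump bytes are constructed for the example, and the "likely DarkCloud" threshold is an assumption, not a rule from the post.

```python
"""Check a sandbox run and a process dump for the DarkCloud indicators
listed in the post.  Added example; sample inputs are constructed."""
import re

# Indicators from the post: the first set shows up in the run (process,
# file and network view), the second in the dumped process memory.
RUN_INDICATORS = ("showip.net", "LoginData", "WebData", "keyDBPath.db")
DMP_INDICATORS = ("StrFtpServer", "DCS V")


def find_indicators(blob: bytes, indicators) -> dict:
    """Return {indicator: hit count} for each indicator found in blob.

    Each indicator is searched as ASCII and as UTF-16LE, since dumps of
    .NET/VB stealers usually hold their strings in UTF-16LE.
    """
    hits = {}
    for ind in indicators:
        n = blob.count(ind.encode("ascii")) + blob.count(ind.encode("utf-16-le"))
        if n:
            hits[ind] = n
    return hits


def has_vbs_dropper(run_text: str) -> bool:
    """True if the run shows a .vbs file being written or executed."""
    return re.search(r"\S+\.vbs\b", run_text, re.IGNORECASE) is not None


def classify(run_text: str, dump: bytes) -> dict:
    """Combine the checks into one verdict dict."""
    run_hits = find_indicators(run_text.encode("utf-8"), RUN_INDICATORS)
    dmp_hits = find_indicators(dump, DMP_INDICATORS)
    vbs = has_vbs_dropper(run_text)
    # Assumed threshold (not from the post): a .vbs stage, at least two
    # of the run-side names, and at least one dump-side string.
    likely = vbs and len(run_hits) >= 2 and bool(dmp_hits)
    return {"vbs": vbs, "run": run_hits, "dmp": dmp_hits,
            "likely_darkcloud": likely}


# Constructed sample of a sandbox process/file/network view.
SAMPLE_RUN = "\n".join([
    "wscript.exe //B C:\\Users\\Public\\inv.vbs",
    "GET http://showip.net/",
    "ReadFile ...\\Chrome\\User Data\\Default\\LoginData",
    "ReadFile ...\\Chrome\\User Data\\Default\\WebData",
    "CreateFile ...\\AppData\\Roaming\\keyDBPath.db",
])

# Constructed dump fragment: one UTF-16LE string and one ASCII string
# surrounded by padding, as they would sit in a real process dump.
SAMPLE_DUMP = (b"\x00" * 16
               + "StrFtpServer".encode("utf-16-le")
               + b"\x00" * 8
               + b"DCS V"
               + b"\x00" * 16)

if __name__ == "__main__":
    print(classify(SAMPLE_RUN, SAMPLE_DUMP))
```

Point it at the strings output of a real dump (or the raw .dmp bytes) and at the exported process/network view of the run; a dump that only contains one of the two strings still gets reported in `dmp` so the analyst can decide.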
Some fresh (and I can't believe I'm typing this) #lokibot:
app.any.run/tasks/054d7a...
c2: http:// touxzw\.ir/fix/five/fre.php
A csv formatted list of #malspam campaigns that crossed my path in February to include #malware name, c2, hash, subject, and email exfil addresses:
gist.github.com/silence-is-b...
#retrohunt
Hrmm....thinking a whitehat has taken control ;)
Huh...first time I've seen threat actors using @ThinkstCanary :
https:// assistance-newton-adam-indiana.trycloudflare\.com
Badness at:
144.91.79.54/10022025/
app.any.run/tasks/70b515...
Ultimately #darkcloud (the txt file); c2 juguly\.shop
Ultimately #asyncrat and #hvnc:
mathewhvnc.twilightparadox\.com
kjhvnc.duckdns\.org
rtasyn.duckdns\.org
asyncyam.twilightparadox\.com
If you're not blocking trycloudflare\.com at the perimeter, now's the time: #opendirs:
https:// em-ash-announcements-alpha.trycloudflare\.com/1DSAHJKSA/ ->
https:// did-efficiency-than-lenses.trycloudflare\.com ->
https:// reached-theoretical-regular-impact\.trycloudflare.com
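The trycloudflare.com post above and the asyncrat/hvnc post before it both come down to the same perimeter control: match DNS queries against a short list of tunnel and dynamic-DNS suffixes. This added example (not the author's code) does that match on a label boundary, so `trycloudflare.com.evil.test` and `nottrycloudflare.com` do not match, and runs it over a few constructed log lines in a tab-separated shape loosely modelled on Zeek's dns.log (ts, uid, client IP, query). The two flagged hostnames are taken from the posts; the client IPs and timestamps are constructed.

```python
"""Flag DNS queries for the tunnel/DDNS suffixes seen in this feed.
Added example; the log lines below are constructed."""

# Suffixes from the posts: Cloudflare quick tunnels and the two DDNS
# providers behind the asyncrat/hvnc hostnames.
BLOCKED_SUFFIXES = ("trycloudflare.com", "duckdns.org", "twilightparadox.com")


def is_blocked(qname: str, suffixes=BLOCKED_SUFFIXES) -> bool:
    """Exact or subdomain match on a label boundary.

    A plain endswith() would also match 'nottrycloudflare.com', and a
    substring test would match 'trycloudflare.com.evil.test', so the
    comparison requires either equality or a leading dot before the suffix.
    """
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in suffixes)


def flag_queries(log_lines):
    """Return (client_ip, qname) for every flagged query.

    Lines are tab-separated: ts, uid, client IP, query.  Comment/header
    lines (starting with '#') and short lines are skipped.
    """
    flagged = []
    for line in log_lines:
        if not line or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 4:
            continue
        client, qname = fields[2], fields[3]
        if is_blocked(qname):
            flagged.append((client, qname))
    return flagged


# Constructed sample log.  Hostnames on lines 1 and 3 are from the posts.
SAMPLE_LOG = [
    "#fields\tts\tuid\tid.orig_h\tquery",
    "1700000000.1\tC1\t10.0.0.5\tem-ash-announcements-alpha.trycloudflare.com",
    "1700000001.2\tC2\t10.0.0.7\twww.example.com",
    "1700000002.3\tC3\t10.0.0.5\tkjhvnc.duckdns.org",
    "1700000003.4\tC4\t10.0.0.9\ttrycloudflare.com.evil.test",
    "1700000004.5\tC5\t10.0.0.9\tnottrycloudflare.com",
]

if __name__ == "__main__":
    for client, qname in flag_queries(SAMPLE_LOG):
        print(f"{client} -> {qname}")
```

The same suffix test is what a resolver RPZ zone or proxy category block enforces; the script is for checking historical logs for hosts that already talked to these domains before the block went in.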
#phishing #opendir:
dmc.otarvesq/.com/POST/
http:// account\.empireaccelerate.com:9200/empire_account/account/account.do 🤨
When the threat actor REALLY wants it to run... #venomrat c2:
176.65.142.172:4449
A csv formatted list of #malspam campaigns that crossed my path in January to include subjects, hashes, c2's, #malware type, and email exfil addresses:
gist.github.com/silence-is-b...
#retrohunt
When #windows decides it's had enough of you blocking its update/telemetry processes (going to wd-prod-cp-us-west-2-fe\.westus.cloudapp.azure.com) and just yeets out the lookup over #netbios 🤷
A fairly sizable distributed port scan (all source port 19000) about 30 minutes ago; raw logs and sources here:
gist.github.com/silence-is-b...
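The tell in the scan above is the fixed source port: normal clients use a different ephemeral source port per connection, so one source port shared by many sources hitting many destination ports is a distributed scan even when each source sends only a handful of packets. This added example (not the author's logs or tooling) groups firewall log lines by source port and reports the groups that cross a sources/ports threshold. The log lines are constructed in an iptables-style format, and the thresholds are assumptions.

```python
"""Detect a distributed scan that shares one fixed source port.
Added example; the firewall log lines are constructed."""
import re
from collections import defaultdict

# iptables-style fields: SRC=, DST=, SPT= (source port), DPT= (dest port).
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?SPT=(\d+) DPT=(\d+)")


def parse(line):
    """Return (src, dst, sport, dport) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, spt, dpt = m.groups()
    return src, dst, int(spt), int(dpt)


def find_fixed_sport_scans(lines, min_sources=5, min_dports=20):
    """Group packets by source port and report the suspicious groups.

    A group is reported when at least min_sources distinct sources used
    that source port and, between them, probed at least min_dports
    distinct destination ports (thresholds are assumptions for the example).
    """
    by_spt = defaultdict(lambda: {"sources": set(), "dports": set(), "count": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, _dst, spt, dpt = rec
        g = by_spt[spt]
        g["sources"].add(src)
        g["dports"].add(dpt)
        g["count"] += 1
    return {
        spt: {"sources": len(g["sources"]), "dports": len(g["dports"]),
              "packets": g["count"]}
        for spt, g in by_spt.items()
        if len(g["sources"]) >= min_sources and len(g["dports"]) >= min_dports
    }


def constructed_log():
    """Eight constructed scanning sources, each probing 30 ports from
    source port 19000, plus five benign clients on ephemeral ports."""
    lines = []
    for i in range(8):
        for dport in range(1, 31):
            lines.append(f"kernel: IN=eth0 SRC=198.51.100.{i + 1} DST=203.0.113.10 "
                         f"PROTO=TCP SPT=19000 DPT={dport} SYN")
    for j in range(5):
        lines.append(f"kernel: IN=eth0 SRC=192.0.2.{j + 1} DST=203.0.113.10 "
                     f"PROTO=TCP SPT={50000 + j} DPT=443 SYN")
    return lines


if __name__ == "__main__":
    print(find_fixed_sport_scans(constructed_log()))
```

On real logs, add a time window (the post's burst was about 30 minutes) before grouping, otherwise long-lived services that legitimately use a fixed source port, such as DNS replies from port 53, will accumulate enough distinct peers to trip the threshold.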
If you're....you know...bored...
app.any.run/tasks/365f89...
#webshell #opendir #netsupport #rat at:
https:// appointedtimeagriculture\.com/wp-includes/blocks/post-content/
GatewayAddress=95.179.158.213:443
RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA
As much as I was excited about #telegram cooperating with LE...I haven't noticed much of a change:
app.any.run/tasks/694cb9...
Big zips appear to be a #python #stealer
#opendir at:
https:// superior-somalia-bs-leisure.trycloudflare\.com ->
http:// jsnybsafva\.biz:8030
Same
A late (due to holiday vacation) and sparse csv formatted list of #malspam campaigns that crossed my path in December to include subjects, #malware, hashes, c2's, and email exfil addresses:
gist.github.com/silence-is-b...
#retrohunt
Additional details:
An #expiro (believe it or not) dropping #xloader
app.any.run/tasks/43f807...
fake c2 and campaign:
http ://www.sunnyz.store/px6j
But it's not though. Not really.
Interesting use of @Formstack as an interactive landing page for a #ms365 #phish:
https:// bilykfilms .com/m/
is the site.
An unsurprisingly light csv formatted list of #malspam campaigns that crossed my path in November to include subjects, #malware type, hashes, c2's and email exfil addresses:
gist.github.com/silence-is-b...
#retrohunt #infosec #cybersecurity
Excellent...thanks!
A curious js file...
app.any.run/tasks/112848...
...nice place you got here...