NDA0E (@nda0e)'s Twitter Profile

@nda0e
ID: 1779960481328824320
15-04-2024 19:50:29
199 Tweets
411 Followers
95 Following

NDA0E (@nda0e):


Welcome to EVILEMPIRE v2

Previous threat actors using #Amadey have already moved their infrastructure to #AS51381 ELITETEAM-PEERING-AZ1

urlhaus.abuse.ch/asn/51381/
NDA0E (@nda0e):


#Censys query to find #GossRAT #C2 servers:
services.http.response.body_hash="sha1:b7c4a3bf814a5aaf96e208f47a17066c32ac0ad0"

The URL path used for C2 communication is the same across all domains > /rat/apps/mellat/notify.php

IOCs: threatfox.abuse.ch/browse/tag/Gos…

#IOC #IRATA #GossRAT
NDA0E (@nda0e):


Distribution domain queries for #RobotDropper on Validin (@ValidinLLC) and Censys (@censysio)

Validin: RapidShare - Fast & Secure File Transfer for Free

Censys: services.http.response.html_title="RapidShare - Fast & Secure File Transfer for Free"

IOCs shared on ThreatFox: threatfox.abuse.ch/browse/tag/Rob…
NDA0E (@nda0e):


#Mirai #C2 domains are using Round-Robin DNS to resolve to multiple hosts

Using "Resolve-DnsName" in PowerShell we can resolve the domains to their corresponding IPs.

Ports used for Mirai connection: 1337, 2222, 2474, 5555, 6969, 8745, 8932, 12381

IOCs: threatfox.abuse.ch/browse/tag/RRD…
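A PowerShell sketch of the resolution step described in the tweet, added here and not part of the original post: it resolves each suspected Round-Robin C2 domain with Resolve-DnsName, shows which domains return several A records, which IPs are shared between domains, and emits ip:port pairs for the ports listed above. The domain names are placeholders to replace with the IOCs from the ThreatFox tag.

```powershell
# Added example, not from the tweet. $Domains are PLACEHOLDERS; substitute the
# Round-Robin C2 domains from the ThreatFox "RRDNS" tag referenced above.
$Domains = @('rr-c2-placeholder-1.invalid', 'rr-c2-placeholder-2.invalid')
$C2Ports = 1337, 2222, 2474, 5555, 6969, 8745, 8932, 12381   # ports named in the tweet

# Resolve every domain; -DnsOnly skips the hosts file and local cache so the
# full round-robin answer set is visible, not a single cached record.
$Hits = foreach ($d in $Domains) {
    $recs = Resolve-DnsName -Name $d -Type A -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
    foreach ($r in $recs) {
        [pscustomobject]@{ Domain = $d; IP = $r.IPAddress }
    }
}

# Domains with more than one A record are the ones using Round-Robin DNS
"== Round-Robin domains =="
$Hits | Group-Object Domain | Where-Object Count -gt 1 | ForEach-Object {
    "{0} -> {1}" -f $_.Name, (($_.Group.IP | Sort-Object -Unique) -join ', ')
}

# IPs that several domains resolve to indicate shared infrastructure worth blocking outright
"== IPs shared across domains =="
$Hits | Group-Object IP | Where-Object Count -gt 1 |
    Select-Object @{n = 'IP'; e = { $_.Name } },
                  @{n = 'Domains'; e = { ($_.Group.Domain | Sort-Object -Unique) -join ', ' } }

# ip:port pairs for firewall / IDS tuning, one line each
"== Candidate ip:port block-list =="
$Hits.IP | Sort-Object -Unique | ForEach-Object {
    $ip = $_
    $C2Ports | ForEach-Object { "${ip}:$_" }
}
```

Run it from a host where outbound DNS to the resolver is allowed; the block-list output can be pasted into a firewall or Suricata rule source.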
kddx00 (@kddx0178318):


One more sample of #spearphishing gz attachment reaching #Lokibot C2 104.248.205.66:80
DHL Shipment DOC_643040277.gz > DHL Shipment DOC_643040277.exe > PowerShell > schtasks.exe > yPSkSzOrArThBa.exe
The new #IOCs below.

Ref: threatfox-api.abuse.ch/ioc/1323367/ @NDA0E
Fox_threatintel (@banthisguy9349):


It's been a while since I checked up on this issue!
96 IPs are currently found to be used for controlling botnets to perform attacks through API.

Is it not funny that the usual ASNs are on the top?
@OVHcloud_US
@AezaGroup
@ponynet
@limenet
ANY.RUN (@anyrun_app):

🚨 Attackers use public open directories for hosting #malicious scripts disguised as .txt and .jpg files. These are utilized in multi-stage #AsyncRAT #infections. See the technical breakdown of the tactics from WatchingRac 👇 any.run/cybersecurity-…

WatchingRac (@racwatchin8872):


#AsyncRat #Malware
💣holder-apartments-face-matthew[.]trycloudflare[.]com/uline/Nr-2005-028763-2024-PDF[.]lnk💣
lnk -> vbs -> bat (checks if Avast exists) -> zip -> python scripts (injects shellcode) -> AsyncRat
app.any.run/tasks/0a336523…
app.any.run/tasks/13911dd7…
abuse.ch (@abuse_ch):


On the 1st of December, the notorious Socks5Systemz payload server hosted at AS57678 (Cat Technologies 🇭🇰) that is already active for several months started to serve a new version of Socks5Systemz ⤵️

🌐 urlhaus.abuse.ch/url/3189430/

This is the first major change since 2023 in