Unclassified malware disguised as WinSCP distributed via Dropbox. No VT detection RN 💀 /easywinscp.xyz ↪️ /winscphub.com C2 178.236.247[.102 🇷🇺 510af6dd87757c71cf084db4d924f5c7b6ff8cdfffc5084b98256b42078bcd5f

Watch out for this #DarkGate campaign, quite possibly through Malvertising and using signed MSI files with very low (or zero) detection. #SIGNED "PFO GROUP LLC" Other sites on 154.56.47.156: https://openvpnhub[.]com/ https://angryipscanner[.]net/ https://www.putty-ssh[.]com/

There are those who look for MATLAB malware and those who instead are spreading midi cyber weapons. Dunno.. aw. much respect fo' free malware ❤️

Recently I've been finding several suspicious samples communicating with C2 via MeshAgent 👀 Take this #opendir for example: /2.155.18[.40:9000 C2 /serrapirate2121.duckdns.org joesandbox.com/analysis/12686…

Active #Doenerium stealer dressed up as AnyDesk Software 🏴‍☠️ /anydesks.co/en/downloads/AnyDesk.exe 229037ea33eb267cc08621c8967ab4022f811461f716592ae95be23a8191bfe6 C2 /doenerium.kqnfkpoccicxiudstqonfotuwsrhuxkwhqjjfsbjhonoubrccy.nl

#Havoc #opendir /157.245.47.66:8080 DigitalOcean

Interesting #Malware #opendir 👁️ "\Uranium-235\meltdown.exe" \Uranium-235\nuclear.aul" /46.151.24.25:8000 DDR /alaneade.com C2 /87.251.67[.84/13224453 Mailcow instance /46.151.24.25:8080

Another great analysis from Bridewell BridewellCTI 💣 Thank you guys Joshua Penny Yashraj Solanki for credits. #EasyStealer

#BlazeStealer sample 🦠 /blazest4ler.000webhostapp.com/BlazeStealer.zip MD5: 9a6681622d3f2f766bada7972b0fc8aa

Active #Collector #stealer C2 🦠🇷🇺 /libscripthubs.mcdir.me Dee

#Mars C2 panel source ✅ via /pushpointdelivery.com/panel/login.php tracker.viriback.com

Interesting #opendir at /89.23.98[.143:8000👁️ #Raccoon stealer sample 🦠 Nice UA 🙃 C2 /5.42.64[.45:80 cbf9b27a8f0e0694c727f4365776b745 In all likelihood a miner 🪙 Dropper /89.23.98[.143:30020/receive 04a526f66fc4459a0ace9ec403c750ca

Same #Smokeloader C2 still active ☢️ Working #opendir at /109.186.217[.138 with several samples 💀 tria.ge/231213-x4pcmaa…

LOLBin Atera agent dressed as Adobe Acrobat Reader installer targeting Brasil 🇧🇷 /acrobat-download.pages.dev (auto DL) 7c166c4e8e31346574caf94a1eb609c1 virustotal.com/gui/file/19e6b…

Byakugan stealer panel 👀 /207.244.251.87:8080/auth 🇺🇸

Interesting loader disguised as CreateStudio Pro, dropping an obfuscated Python payload via PythonAnywhere 🐳 /download-createstudioo.com /kingkh.pythonanywhere.com ↪️/kingkh.pythonanywhere.com/SRC/test.zip

/bbystealer.xyz /nt-stealer.xyz Mikhail Kasimov Karol Paciorek

您的浏览器版本过低，请升级浏览器版本 Signed #AsyncRAT stealer dressed as Chrome targeting chinese users 💀 Low detection rate 🦠 /download-updata.com C2 /s2.download-updata.com tria.ge/240323-vjw6mac…

#100DaysofYARA Day83: Suspicious files attempting to impersonate Google Update Utilities github.com/RustyNoob-619/… Thanks to ULTRAFRAUD for sharing the signed malware sample which allowed me to build this YARA

#QuasarRAT C2 🦠 212.192.31[.211 tria.ge/240406-m76qzag… Sample (no longer available) spread by 37.1.200[.46:8081 #opendir 🎰