I found this #C2 #Redline #Stealer 213.248[.]43[.]54 (1/88) on MalwareBazaar and discovered two more from the same infrastructure by pivoting around the name, ASN number, and OS.
New C2:
213.248[.]43[.]53 (1/88)
213.248[.]43[.]60 (1/88)
#OSINT #ThreatIntelligence
Identified additional IP addresses sharing characteristics with the campaign IP, including the use of OpenSSH version 7.4, belonging to the same autonomous system (ASN 399629), and listening on port 22. The complete list can be found here.
search.censys.io/search/report?…
More here after pivoting on Censys:
77[.]91.78.192 (6/89)
78[.]46.200.68 (5/89)
85[.]209.11.185 (15/89)
91[.]103.252.217 (11/89)
95[.]215.108.29 (6/89)
#qakbot #Qbot #ThreatIntel
search.censys.io/search/report?…
Here it is: http.component:"microsoft httpapi" port:3389,5985 FQDN: WIN-F6NF7R6I6PJ country:"PL" org:"MEVSPACE sp. z o.o."
AsyncRAT (now) / Rhadamanthys (before) ecosystem
This one is nice. Hard work to find it haha
🔎 title:"telegram" country:"HK" Server: nginx
☣️ telegram credentials theft
♟️ impersonating telegram + hijacking users + Domain Generation Algorithms (DGA)
#telegram #hijack #threatintel #shodan
🔍 What is hiding behind a domain like chippotle-sso[.]com?
SysDream's CTI team investigated the Scattered Spider group: impersonations, fake Okta portals, IOCs...
➡️ Full report to read on our blog: ow.ly/sS5650WqwOs