Null Pwner (@nullpwner)'s Twitter Profile
Null Pwner

@nullpwner

Turning random hashes into aha-moments. Coffee fueled. Views mine.

ID: 114604009

Link: http://badbyte.io

Date: 16-02-2010 00:54:47

51 Tweets

124 Followers

679 Following

Null Pwner (@nullpwner)

All owned by rly for VVS Stealer vvs[.]cymru (reg April 2025) delfiauto[.]ltd (reg Dec 2024) www.delfiautos[[.]]lt (reg Dec 2024) lote45[.]onedriver[.]com[.]br (reg Aug 2024) tupy[.]onedriver[.]com[.]br solarbr.onedriver[.]com[.]br 504e1c93[.]host.njalla[.]net (hosting

Null Pwner (@nullpwner)

🚨 New Odyssey Stealer C2 Panel

🎯 hxxp://5.199.166[.]102/login

This is the third C2 spin-up in a matter of days.

Favicon: 9108dde25ad958b27f6a97d644775dee

#Threathunting #Odyssey #Stealer #ThreatIntel 

@malwrhunterteam @ViriBack @g0njxa @RussianPanda9xx @500mk500

Null Pwner (@nullpwner)

🚨 More VektorX C2 Panel  

🎯hxxp://92.119.114[.]111:5173/auth/login - AS211381
🎯  91.211.249[.]147
🎯 62.233.53[.]22

🧬Hash: e9c154045c3e12a1a16617e0eaede551 @onyphe.io

PD for the dev: Work on your logo tracing skills bro, they are terrible 😂 (/assets/fncVEJjF.png)

Null Pwner (@nullpwner)

🚨 ClickFix Delivering XWorm 🎯 hxxps://lbkequityexchange[.]com/i.cmd 🎯 hxxps://lbkequityexchange[.]com/EQTRN.exe 🎯 Prob C2: winservicesconsole[.]duckdns.]org - 45.154.98[.]252 ASN 210558 💻 Fake CAPTCHA → Runs PS script → Downloads i.cmd → Deploys XWorm while mimicking a

Bert-Jan 🛡️ (@bertjancyber)

NEW BLOG: Investigating ClickFix Incidents ClickFix/Fake Captcha has emerged as a popular technique to deliver malware to users. This blog discusses the first stages of a ClickFix investigation to determine the impact on your organisation. kqlquery.com/posts/investig…

Null Pwner (@nullpwner)

🚨 Same Threat Actor is now delivering Windows Payload through the ~2800 compromised sites using ClickFix

It dynamically changes depending on platform (user-agent) Mac/Win

1: https://e.overallwobbly[.]ru/au1 (Dropper1: era-stau1.a) → PowerShell → Stage 1 Script (AutoIT)

2:

Null Pwner (@nullpwner)

🚨 Clickfix - Binance Phishing  delivering VIDAR

🎯 193.24.123[.]165
🎯 traderai[.]name 

C2: t[.]me/m00f3r, steamcommunity[.]com/profiles/76561199851454339 (couple more IPs in the title).

VT: c3ac276122e6af6459eda55251a70ebf8bb091a620314f18ada33a6259fe10b1

@malwrhunterteam

Null Pwner (@nullpwner)

🚨 Introducing Mave Stealer C2 Panel:

🎯 web.mavedashboard[.]lol
🎯31.57.156[.]135 (AS210538)
🧬ea8aebfaedd0d287ac10c39a5a3c4de6 @onyphe.io

Mave Stealer appears to have been launched on Apr 25.

[@]squ4ts🐀<🐈 :)

Any samples?
@malwrhunterteam @ViriBack @g0njxa @RussianPanda9xx

Microsoft Threat Intelligence (@msftsecintel)

Microsoft has partnered with others across industry and international law enforcement and facilitated a disruption of Lumma infrastructure and the marketplaces in which the stealer malware was sold to other cybercriminals. msft.it/6011Sd2zc

Null Pwner (@nullpwner)

👀 Interesting coordinated release from multiple agencies (NCSC, NSA, BSI, etc) about Russian GRU Unit 26165. Worth a read. nsa.gov/Press-Room/Pre…