![1ZRR4H's tweet photo. 🚩 #404TDS URLs:
- https://select-holidays[.]com/vfk6c
- http://khel999[.]com/vks6o
- https://lookingthroughtheturn[.]com/vbu4b
Lead to #Lumma Stealer from:
- https://documents[.]notificationsapps[.]com/Document.iso
C2: http://gapi-node[.]io/c2conf
[+] Sample: https://t.co/ztzdlJmICz
[+] Same C2 also spotted in a #ClearFake campaign https://t.co/GsabAvN7z9](https://pbs.twimg.com/media/F5uoP3lWgAAheJB.png)
![Axel_F5's tweet photo. #Bitter #APT #CHM
410ef267cd56b74c6a7578947efb3b66
Upgradation of Systems Document.chm
wbfashionshow[.]com https://t.co/EXALp5xs9K](https://pbs.twimg.com/media/F3lRe9HXoAE-Oz1.png)
![Axel_F5's tweet photo. Another #Spyder from #Sidewinder #APT
-
Md5 930f288c9f9ed516f7eaec8f1ccbfc02
hxxp[:]//libreofficeupdates[.]com/drive/files.php
hxxp[:]//libreofficeupdates[.]com/drive/includes.php https://t.co/40it6lWnDU](https://pbs.twimg.com/media/F1Ve7igXwA4wRWq.png)
![Axel_F5's tweet photo. HTML cred phish for #India gov email portal. #APT
488ddfb1fec1408ecf7e9464246374c3
"letter dt 20.06.2023"
>
hxxp[:]//samedaywalkintub[.]ca/mail.gov.in/ https://t.co/uGcQ23MIm2](https://pbs.twimg.com/media/Fzpql06XwAEHZgf.jpg)
![Axel_F5's tweet photo. HTML cred phish for #India gov email portal. #APT
488ddfb1fec1408ecf7e9464246374c3
"letter dt 20.06.2023"
>
hxxp[:]//samedaywalkintub[.]ca/mail.gov.in/ https://t.co/uGcQ23MIm2](https://pbs.twimg.com/media/FzpqkoPWIBITQ7F.png)
![Axel_F5's tweet photo. HTML cred phish for #India gov email portal. #APT
488ddfb1fec1408ecf7e9464246374c3
"letter dt 20.06.2023"
>
hxxp[:]//samedaywalkintub[.]ca/mail.gov.in/ https://t.co/uGcQ23MIm2](https://pbs.twimg.com/media/FzpqjYnWIAclvTp.jpg)
Olivia
Online
Axel F
@Axel_F5
computer security
Joined April 2010
55 Following
130 Followers
30 Posts
🚩 #404TDS URLs:
- https://select-holidays[.]com/vfk6c
- http://khel999[.]com/vks6o
- https://lookingthroughtheturn[.]com/vbu4b
Lead to #Lumma Stealer from:
- https://documents[.]notificationsapps[.]com/Document.iso
C2: http://gapi-node[.]io/c2conf
[+] Sample: https://t.co/ztzdlJmICz
[+] Same C2 also spotted in a #ClearFake campaign https://t.co/GsabAvN7z9
![1ZRR4H's tweet photo. 🚩 #404TDS URLs:
- https://select-holidays[.]com/vfk6c
- http://khel999[.]com/vks6o
- https://lookingthroughtheturn[.]com/vbu4b
Lead to #Lumma Stealer from:
- https://documents[.]notificationsapps[.]com/Document.iso
C2: http://gapi-node[.]io/c2conf
[+] Sample: https://t.co/ztzdlJmICz
[+] Same C2 also spotted in a #ClearFake campaign https://t.co/GsabAvN7z9](https://pbs.twimg.com/media/F5uoP4mXMAAW1H0.png)
this is an old C2 that was also used in 2023-01-26 sample 34104f2ee58f629d7222cce339a24db5. However its still active and Bitter has been recently using other, even older C2's
Who to follow
Another #Spyder from #Sidewinder #APT
-
Md5 930f288c9f9ed516f7eaec8f1ccbfc02
hxxp[:]//libreofficeupdates[.]com/drive/files.php
hxxp[:]//libreofficeupdates[.]com/drive/includes.php
![Axel_F5's tweet photo. Another #Spyder from #Sidewinder #APT
-
Md5 930f288c9f9ed516f7eaec8f1ccbfc02
hxxp[:]//libreofficeupdates[.]com/drive/files.php
hxxp[:]//libreofficeupdates[.]com/drive/includes.php https://t.co/40it6lWnDU](https://pbs.twimg.com/media/F1Ve8TVXoAAoeD6.jpg)
quick look: (a) network traffic is similar including data and headers (b) many same strings in binary, etc
#Spyder malware looks to be an update of #WarHawk malware from #Sidewinder #APT
1f4b225813616fbb087ae211e9805baf
BAF Operations Report CamScannerDocument.exe
c2 hxxp[:]//plainboardssixty[.]com/drive/bottom.php
![Axel_F5's tweet photo. #Spyder malware looks to be an update of #WarHawk malware from #Sidewinder #APT
1f4b225813616fbb087ae211e9805baf
BAF Operations Report CamScannerDocument.exe
c2 hxxp[:]//plainboardssixty[.]com/drive/bottom.php https://t.co/4U88yTqodz](https://pbs.twimg.com/media/FyxNPJVWwAAU6Uz.png)
More samples (same c2):
53b3a018d1a4d935ea7dd7431374caf1
Naxal VPN Version2.2 Setup.exe
1f599f9ab4ce3da3c2b47b76d9f88850
Naxal VPN Version2.2 Setup.exe
@__0XYC__ Similar macro to d2bebe3912a5700d76635af29f098cfb https://t.co/dP1TpNWWLZ
#patchwork? #sidewinder #APT
d2bebe3912a5700d76635af29f098cfb 61a5bbd005f54b11eb1e379caf4bda21
https[:]//finance-govpk.servehttp.com/favicon.ico
xls macros file--dll
filename:version.dll probably patchwork......
path: Microsoft\\OneDrive
Are you Small? Medium? Are you a business? I wrote a thing about you! Using @Proofpoint_SME data @threatinsight found SMBs are hot targets for APT threat actors looking for key #espionage info, financial gain, or hoping to launch supply chain attacks
https://t.co/flh0UxLPeq
@0xToxin @JAMESWT_MHT @James_inthe_box @Max_Mal_ @executemalware @pr0xylife @AnFam17 @ankit_anubhav @Gi7w0rm @reecdeep @Iamdeadlyz URL eg
https[:]//worldinsolvency[.]org/[5 chars]
>
https[:]//jessicacorry[.]com/z/
serves JS
JS gets
http[:]//212.113.116[.]147/vio.sct
>
a6fa27178032b9250c4fdb0da23f6766
VBS gets MSI (screenshotter inside)
http[:]//176.124.217[.]20/%serial%
>
7867270e7aca7998d97d1a6235d27f10
@0xToxin @JAMESWT_MHT @James_inthe_box @Max_Mal_ @executemalware @pr0xylife @AnFam17 @ankit_anubhav @Gi7w0rm @reecdeep @Iamdeadlyz 404 TDS URLs -> JS -> .sct VBS (#WasabiSeed) -> #Screenshotter (inside MSI)
#TA866
@CloisterNunmonk @threatinsight @proofpoint Hi, test if its blocked at click-time (chances are it is). That is part of your protection for URLs.
#Sidewinder #APT
d0ca92ce29456931ad14aed48c3ea93f
未命名的附件 00002[.]zip
5356a1193252b4fb2265fc8ac10327a1
.lnk
hxxps://mailtsinghua[.]sinacn[.]co/3679/1/55554/2/0/0/0/m/files-94c98cfb/hta
New variant of #Emotet Excel lure, slight variation where "Relaunch Required" instructions (to bypass Office macro security measures) are in green box instead of yellow. Example file:
W-9 form.xls
703d6f27c9b54b604f58d3d853c328f6cd51b8598af4dedb4ae0ddea3074ef38
@__0XYC__ +
f97d5d3e1c2ceb3e9d23ae5b5d4e7c9857155df5acf7f67fee995cb041c797dc 33-Advisory-No-33-2022.pdf.iso
58b3686e4255d32dbcf7dee9dac1d5be6d4692d086cde167da1e1a5e0e1b315a 32-Advisory-No-32.iso
@__0XYC__ @StopMalvertisin +2
b82580cd92afe20e3a51ec92fb46053b3f78c93cf57811d94ac9fe14d3a5e21f
List of Officers and amount deducted for floods 2022.xlsm
9133388cf8754dc7bb98031dad59333868f441c303264b9218a900c8079cfafc
List of Officers and amount deducted for floods 2022.xlsm
Last Seen Users on Sotwe
Most Popular Users
Elon Musk 
@elonmusk
240.2M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.3M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.6M followers
KATY PERRY
@katyperry
86.8M followers
Taylor Swift
@taylorswift13
80.6M followers
Lady Gaga
@ladygaga
72.2M followers
Kim Kardashian
@kimkardashian
69.4M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.6M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.1M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
59.9M followers