a3928be5f5b6af086ad652a2fed39623 — one HMAC key the operator embedded into 257+ Japanese-language Microsoft impersonation pages on Azure Storage static websites. They forgot to randomize it across kit instances. Now it's a YARA-grade fingerprint for the whole family.
https://t.co/4FrStsCtYH
@solostalking Sociotechnical associations are by threat actor group and/or by threat actor individual. VIP-leader types finance and recruit. Track Maldevs by penmarks. Track Malops op by toolmarks. Done and done
Nice catch. We may have over-reached on the MaxxAudio specifics. The post has been updated.
Quick context on how the attribution flowed: the Silver Fox family call on this campaign came from the researcher who pulled the live config and shared it with us. The attribution weight sits with their telemetry. Our role was packaging, WHOIS/infra analysis, and pattern-checking against the public record.
On that public record: Silver Fox via DLL-sideloading-of-signed-software is well-covered:
• SodaMusicLauncher.exe (ByteDance) — Dark Lab HK: https://t.co/PIiiLDBJCg
• Foxit PDF Reader — Trend Micro: https://t.co/X3dHgmYHmE
But MaxxAudioControl64.exe + MaxxAudioAPOShell64.dll as a Silver Fox variant doesn't appear in public reporting before this campaign. VerSprite documents the MaxxAudio sideload surface as a generic vulnerability — not Silver Fox-specific: https://t.co/EJUuxtkqHQ
The post now frames attribution at the pattern level and explicitly flags MaxxAudio as novel-to-public.
https://t.co/ZnhgtDP3ia
If you've seen MaxxAudio tied to Silver Fox in unpublished telemetry or a report we missed, reply or DM us the citation and we'll credit on the next revision.
Thanks again.
A researcher shared a live ValleyRAT config pull from a Japanese Rakuten invoice lure campaign. We mapped the infrastructure:
C2: 137.220.153[.]175:886 (BGPNET, Hong Kong)
Delivery: missallanahstarr[.]com (Cloudie, Hong Kong)
Vector: MaxxAudio DLL sideloading
Config strings 默认备注 / 默认分组 — stock Gh0st RAT panel defaults. WHOIS registrant on https://t.co/JjF2mRgkb2 with a fabricated "Kyoto, Saitama" address (different prefectures).
HIGH confidence Silver Fox APT.
Blog: https://t.co/ZnhgtDP3ia
IOCs: https://t.co/akUwiGbEC7
#SilverFox #ValleyRAT #APT #Japan #DLLSideloading
4 IPs from your list didn't answer during the sweep — keeping them on a 14-day recheck rather than retiring:
195.160.220[.]49
82.38.96[.]253
94.103.91[.]192
34.225.141[.]85
If anyone has prior reporting on the Needle vendor's handle or TG presence — reply or DM, happy to update the post and credit prior work.
Hat-tip to @justwanttoQ1 for the pointer.
Live at 47.251.111[.]98:8080 — "TKFleet · AndroidRPA v8.1-wake2", a Chinese-language bot farm control panel on Alibaba Cloud US.
Built to drive 5,000 real Android handsets against Spotify, YouTube, TikTok, Instagram, Facebook, and X. Explicit per-platform action catalogs (TikTok: browse_fyp, like, follow, comment — with probability weights). Four execution backends exposed as a per-device dropdown: HID hardware injection, Accessibility-service abuse, Shizuku, or auto.
When deterministic scripts fail, the panel falls back to Anthropic Claude Haiku for visual navigation — with a per-call USD cost ledger visible in the UI. Device-side APK is https://t.co/g2OVtIEoiP, launcher activity namespaced under com.tencent.yyds (masquerading as Tencent).
Operators watch devices live via a 1 Hz JPEG mirror endpoint. /api/tasks/run takes an arbitrary shell command. Default targeted-campaign placeholder text: "Rick Astley 订阅 × 500".
Full writeup: https://t.co/6TJtCFlgPf
You're 100% correct. The usage over the last month on Anthropic's Claude has been terrible. No matter how many efficiencies are built, the "smarter" models seem to use more resources to accomplish the same task(s) as the older models. Things don't make sense; hard to wrap my head around.
Following two MalwareBazaar submissions that caught our attention, we traced a ValleyRAT campaign across two very different infrastructure choices.
One sample — a KCP protocol module importing "上线模块.dll" (Online Module) — calls home to a Hong Kong shell company (LANLIAN INTL HOLDING GROUP) whose RIPE abuse contact is a personal Gmail address. The C2 at 103[.]215[.]77[.]17:4488 is still live with 78+ associated samples.
The other — a Rust-compiled loader disguised as Microsoft OneDrive — decrypts an AES-256-CBC encrypted MSVC C++ core DLL and routes through v52-83fbf297[.]govroam[.]cf[.]ac[.]uk. That's a device on Cardiff University's GovRoam network. A researcher or student's machine, compromised and repurposed as C2 relay infrastructure.
The Cardiff ports are now closed — the device appears to have been cleaned. Full analysis with both samples, the decrypted stage-2 DLL, and YARA rules:
https://t.co/KprOt7kjQt
Thank you to @abuse_ch and the MalwareBazaar community for making samples like these accessible. ValleyRAT researchers — if you're tracking this campaign cluster, we'd welcome the conversation.
Our 6th Kimsuky infrastructure post, again thanks to @skocherhan's consistent IOC sharing.
This time: a third Vultr Seoul VPS (158[.]247[.]210[.]58) with 60+ credential harvesting domains across 18 months, systematically impersonating Naver, Korean National Tax Service (HomeTax), and Korean government services.
The actor rotates through 7 DDNS providers (mydns[.]jp → dynv6 → dns[.]army → kro[.]kr) as old ones get flagged. 31 domains still actively resolve. Historical passive DNS places this VPS under actor control since September 2020 — over 5 years.
https://t.co/NeZCxXMFXQ
Full domain inventory and DDNS rotation timeline in the post. Researchers with passive DNS coverage of this IP from 2021-2025 — we'd appreciate any additional domains to fill the gap.
Following a tip from @suyog41, we downloaded the full payload chain from a live SHub Stealer v2.0 C2 at terafolt[.]com — including the 37KB AppleScript source.
The loader checks for Russian keyboard layouts and exits if found (CIS geofencing). The stealer targets 14 Chromium browsers, 103 wallet extensions, 23 desktop wallet apps, and attempts to backdoor Exodus, Atomic, Ledger, and Trezor by replacing their app.asar files.
Prior SHub reporting from @Malwarebytes and @DatadogSec documented the family — we're adding a new C2 domain with the same CNOBIN registrar pattern and full payload analysis.
https://t.co/xeyStkPkxW
If you've seen other CNOBIN-registered SHub C2s, please share — we're tracking the registrar pattern.
Thanks to a tip from @smica83, we investigated a compromised Romanian cattle breeders website (acbcr[.]ro) delivering Phemedrone Stealer to Hungarian victims.
The interesting part: the .NET process hollowing injector (ALTERNATE.dll) was compiled by a developer called VICTOR — the same PDB path (C:\Users\VICTOR\Documents\CryptoObfuscator_Output) we documented in an Italian Formbook campaign just the day before.
Same developer, different stealer families, different lure languages. VICTOR appears to be selling injection-as-a-service.
Full kill chain with AES keys, XOR keys, and all hashes:
https://t.co/VWBUlrvxKP
If anyone has additional samples using this ALTERNATE.dll loader, we'd love to cross-reference — reply or DM.
A legitimately signed SimpleHelp Remote Access Client (10/76 VT detections) led us to a 5-server C2 cluster on a dedicated /24, a Russian login portal at dangerstock[.]online, and an exposed Cockpit dashboard leaking the internal hostname "dangerstock.stock."
Four SimpleHelp panels still serving customer download pages. A stolen Google Analytics certificate on port 8443. Dual RAT strategy (SimpleHelp + ScreenConnect). Neighbors on the same subnet spoofing Microsoft, Cloudflare, and Tesla domains.
Fortinet tracks this cluster as PALLASNET.M. The actor has been operational for 10+ months.
https://t.co/eN6O5BQ2wZ
h/t @JAMESWT_WT for the MalwareBazaar submission
No login. No token. No API key. We found "Auraboros C2" — a previously undocumented Brazilian RAT framework serving its entire dashboard, victim list, keylogger feed, and browser credential dump over HTTP to anyone who asks.
The 84KB JS source reveals: live audio streaming, webcam capture, cookie impersonation with SOCKS5 chaining, file browser, ARP/port scanning, and OTA agent updates. The implant is a DLL sideloaded into DiskIntegrityScanner.exe with DPAPI browser decryption and a self-destruct feature.
One beacon registered — the developer's own Lenovo laptop in Goiania, Brazil, username "LabCasa" (HomeLab). Seven OPSEC failures documented including zero auth, CORS *, and the entire command history persisted and publicly accessible.
https://t.co/hz3am2vInB
h/t @Fact_Finder03 for the initial tip, @4_n_0_n_1_3_3_7 for flagging port 9000
Full writeup — Part 2 of our March investigation — with the complete proxy inventory, Crimean attribution chain, verification methodology, and IOC tables:
https://t.co/rcWExDEB0r
Part 1 (March):
https://t.co/z8CGzDkrC9
h/t @Fact_Finder03 @malaboratorium @4_n_0_n_1_3_3_7
In March we published our investigation into NEKOBYTE — 300+ MITM proxies serving stolen TLS certificates for Apple, GitHub, Microsoft, and dozens more, backed by 22 autonomous systems and 13+ UK shell companies directed by teenage Russian nominees.
Six weeks later, we rescanned. The operation tripled. 🧵
We verified a 25-proxy sample:
- Serves the real cert (identical serial numbers)
- Returns near-identical content (1-3 byte diff)
- NOT in any target's official IP ranges
- TLS handshakes 1.3-2.3x slower (confirms relay)
One proxy served a "VK interm CA" Russian DPI certificate valid 2022-2052.
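An added example, not part of the thread above: the four relay checks from the verification list, applied to a constructed observation. The target name, certificate serial, body, handshake timings and the "official" range (TEST-NET-3) are all made-up placeholders; in practice the reference values come from a direct fetch of the genuine site.

```python
"""Four-check MITM relay verification (added example, constructed data).
Assumptions: the observation fields, the REFERENCE table and the sample
values below are placeholders, not data from the original investigation."""
import ipaddress
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass
class ProxyObservation:
    ip: str                  # suspect host that presented the certificate
    target: str              # impersonated brand (key into REFERENCE)
    served_serial: str       # serial of the certificate the suspect host served
    body: bytes              # response body fetched from the suspect host
    handshake_ms: float      # TLS handshake time measured against the suspect host


# Constructed reference data per target (placeholder values).
REFERENCE = {
    "example-target": {
        "serial": "0A1B2C3D",
        "body": b"<html><body>Welcome to Example</body></html>",
        "handshake_ms": 40.0,                 # baseline against the genuine site
        "official_ranges": ["203.0.113.0/24"],  # TEST-NET-3 stands in for the real ranges
    },
}


def byte_diff(a: bytes, b: bytes) -> int:
    """Count bytes inserted or deleted between two response bodies."""
    total = 0
    for tag, i1, i2, j1, j2 in SequenceMatcher(None, a, b, autojunk=False).get_opcodes():
        if tag != "equal":
            total += (i2 - i1) + (j2 - j1)
    return total


def in_official_ranges(ip: str, ranges) -> bool:
    """True if the address falls inside any of the target's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def verify_relay(obs: ProxyObservation, max_diff: int = 3, min_slowdown: float = 1.3) -> dict:
    """Evaluate the four relay indicators; 'likely_relay' requires all four."""
    ref = REFERENCE[obs.target]
    checks = {
        "real_cert": obs.served_serial == ref["serial"],
        "near_identical_content": byte_diff(obs.body, ref["body"]) <= max_diff,
        "outside_official_ranges": not in_official_ranges(obs.ip, ref["official_ranges"]),
        "handshake_slower": obs.handshake_ms / ref["handshake_ms"] >= min_slowdown,
    }
    checks["likely_relay"] = all(checks.values())
    return checks
```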