![__0XYC__'s tweet photo. Approval_of_visit.rar
e6a36f78273038bae870aea72979fa22
#LNK > hxxp://uk.royalmigration[.]buzz/db612
#APT #Notepad++ https://t.co/L04k9ukNhR](https://pbs.twimg.com/media/GFEzK0GaUAAi151.png)
![__0XYC__'s tweet photo. Approval_of_visit.rar
e6a36f78273038bae870aea72979fa22
#LNK > hxxp://uk.royalmigration[.]buzz/db612
#APT #Notepad++ https://t.co/L04k9ukNhR](https://pbs.twimg.com/media/GFEzKzqaEAA-g1q.png)
![malwrhunterteam's tweet photo. "citibank_statement_dec_2023.zip": e975e2c2077398f0baae0a87773d86b80ebe3ade76ea355e4b8450a07bfb183d
"citibank_statement_Dec_2023.lnk": 386661e445f65f30b0a68f264f1393a722ba90d3f3491ae57af7745e18cb13c8
Next stage (opendir): https://nrgtik[.]mx/wp-content/uploads/wp-content.php https://t.co/0FhOUk5qXY](https://pbs.twimg.com/media/GBvWrVpWYAAFaP9.png)
Olivia
Online
Cuser
@Cuser07
Operated not by people, but by pandas.
Joined October 2018
247 Following
282 Followers
101 Posts
@Cuser07 @malwrhunterteam @1ZRR4H Not sure, it is something known for me. Currently I added detection as "generic_stealer", because of suspection about "/upload.php?uniid=" sign. If some known (or new) name comes for that, will move detection. Thank you!
Detection: https://t.co/5koNBTMYSC
Saw a #Suspicious #MSIX https://t.co/f17B9767Jp
hxxps://desktop-tradingwiew[.com/upload.php
The EXE inside is a downloader with valid signature "Videra Services Ltd", but failed to get the right payload🧐
browsettings[.com
security-update[.net
@malwrhunterteam @1ZRR4H @500mk500
@malwrhunterteam @1ZRR4H #CloudEye
[+] 013eb9117d9694bdcfeb88da2da048b57d74298abec24a05cf4ae5a952f74fdb, jantickee[.com
[+] bfed1dff861d7e10902f02e7b0a12e35afa0ec0639dacc985e41707f070cb489, drecterion[.com
#MetaStealer #Sideloading
https://t.co/Z6AQ1I8k5Q, 201307_cfpb_debt-c-letter.zip
C2: ikswccmqsqeswegi[.xyz
Similar case:
https://t.co/MqRLGqYtlr, case2.09-cv-03795[.zip
C2:
ykqmwgsuummieaug[.xyz
ssqsmisuowqcwsqo[.xyz
kiyaqoimsiieeyqa[.xyz
@malwrhunterteam @1ZRR4H
@threatinsight Have seen several samples 🫡https://t.co/vtRFHmTj7z
Maybe there are more insights in their publication @NDumbblonde
Three more VHDs recently:
https://t.co/joK58K1uvZ
https://t.co/vnPXisj89c
https://t.co/3daSZ3qqaW
Both downloaded EXEs are #Sliver
The C2 changes to 128.140.123[.244
CC: @malwrhunterteam @1ZRR4H
@Cuser07 @malwrhunterteam @1ZRR4H Recently watched a test of a well known EDR for #Sliver. They didn’t catch it at all, even though they recognized it as a method used by an APT within their docs. Curious if you’ve had any luck or seen any #EDR detecting it?
Three more VHDs recently:
https://t.co/joK58K1uvZ
https://t.co/vnPXisj89c
https://t.co/3daSZ3qqaW
Both downloaded EXEs are #Sliver
The C2 changes to 128.140.123[.244
CC: @malwrhunterteam @1ZRR4H
Malicious VHD file downloaded #Sliver?🤔
f9a6a9f0507c5eb6c8c53a33f8f294d1381ed250cfbce6e8bda45ee295ca260b, Invoice Report.vhd
=> hxxp://64.52.80[.221/fCzQvTAP/ewrtnyu75473
C2 78.46.212[.67:8056
@malwrhunterteam @1ZRR4H
Interesting #APT attack against #Myanmar using #ASEAN lure
https://t.co/2iHtt4nEq7, ASEAN Notes.iso
C2: openservername[.com (Not resolved, but the www is resolved 🤔)
An old sample https://t.co/NxmJgUyt3A, Analysis of the third meeting of NDSC[.zip
CC: @malwrhunterteam @1ZRR4H
A new one fba7f5c7c1ea064fb42bd472b857b77d1759c16c5df13f745b6295b8360f31cf
citibank_statement_Dec_2023 => citibank_statement_Jan_2024 😹hxxps://dacfurniture.com/wp-content/uploads/wp-content[.php
5.255.99[.164
CC: @malwrhunterteam @1ZRR4H
"citibank_statement_dec_2023.zip": e975e2c2077398f0baae0a87773d86b80ebe3ade76ea355e4b8450a07bfb183d
"citibank_statement_Dec_2023.lnk": 386661e445f65f30b0a68f264f1393a722ba90d3f3491ae57af7745e18cb13c8
Next stage (opendir): https://nrgtik[.]mx/wp-content/uploads/wp-content.php
![malwrhunterteam's tweet photo. "citibank_statement_dec_2023.zip": e975e2c2077398f0baae0a87773d86b80ebe3ade76ea355e4b8450a07bfb183d
"citibank_statement_Dec_2023.lnk": 386661e445f65f30b0a68f264f1393a722ba90d3f3491ae57af7745e18cb13c8
Next stage (opendir): https://nrgtik[.]mx/wp-content/uploads/wp-content.php https://t.co/0FhOUk5qXY](https://pbs.twimg.com/media/GBvXhHwWUAEte3V.jpg)
Blog Alert 📄
GoStealer: Golang-based credential stealer targets Indian Airforce Officials.
Read it here : https://t.co/ZWdQlrhUMp
Thanks to @Cuser07 !
cc : @malwrhunterteam , @hasherezade
It seems that two more(?) PDFs were uploaded during
#Bangladesh Elections2024
https://t.co/zT1H0WVO9j
https://t.co/PkTZUJPBwU
Both URL lead to a similar page, with the text linked to a previously sample https://t.co/G3EEbGD2qj, flagged as #DoNot 🧐
CC: @malwrhunterteam @1ZRR4H
"Abroad_Training_Nominations_Jan_2024.pdf" seen from Bangladesh: f5eec8ae7f8646328b9de05931fadc3f693c0a3f0f7d1aa0a90071445072dd3f
-> http://adamsresearchshare[.]com/mack.php ->
"Meeting Notice.rar": 35a7feb273ad532b79a5b9e0536642c23c888ec9338369b2159d6f42e2b626e7
(1/3)
![malwrhunterteam's tweet photo. "Abroad_Training_Nominations_Jan_2024.pdf" seen from Bangladesh: f5eec8ae7f8646328b9de05931fadc3f693c0a3f0f7d1aa0a90071445072dd3f
-> http://adamsresearchshare[.]com/mack.php ->
"Meeting Notice.rar": 35a7feb273ad532b79a5b9e0536642c23c888ec9338369b2159d6f42e2b626e7
(1/3) https://t.co/DVd53ET1rE](https://pbs.twimg.com/media/GDAry0PboAAqT5_.png)
Great Find - if this was #APT 41, this sample was used to target Taiwan's Ministry of Foreign Affairs in late December
#Taiwanelection #China
A new one, 5fa3d13366348e7c999cca9a06e4d2f5ec7f518aca3b36f0366ecedba5f2b057, "fakes_war_time.pdf.lnk"
The decoy PDF is also in Russian, I have a feeling that they are now targeting domestic users ...
"ayaz\.zip": 9341cd36d012f03d8829234a12b9ff4e0045cb233e86127ef322dc1c2bb0b585
"ayaz.pdf.lnk": a5270b4e69f042fd7232b2bfc529c72416a8867b282b197f4aea1045fd327921
Next stage's C2: api-gate[.]xyz
Related: https://t.co/OEIyOwgz0G
Who was the target this time?
🤔
@1ZRR4H
cc @jaydinbas
![malwrhunterteam's tweet photo. "ayaz\.zip": 9341cd36d012f03d8829234a12b9ff4e0045cb233e86127ef322dc1c2bb0b585
"ayaz.pdf.lnk": a5270b4e69f042fd7232b2bfc529c72416a8867b282b197f4aea1045fd327921
Next stage's C2: api-gate[.]xyz
Related: https://t.co/OEIyOwgz0G
Who was the target this time?
🤔
@1ZRR4H
cc @jaydinbas https://t.co/bv5yxPbxjq](https://pbs.twimg.com/media/GDguGAUXUAECHtt.png)
An interesting ISOIMG leads to a #Malicious #Nim Loader 🧐
d86645adc1cdc9e4ad55f0bb801525e5f08a4c52efbf8043ad4fffcfaa311cef
ISO -> LNK -> EXE -> DLL
"Raiffeisen_zapyt_vid_2024_01_11.img"
@malwrhunterteam @1ZRR4H
@Cuser07 @malwrhunterteam @1ZRR4H Token is "xoxb-6379011443682-6391721548145-3wbY7GyxHj9Ksw29pvLmqpuP" and channel ID is "C06B22AUJF7", possible check-in is "a83ca19ef3888f57d2bca55175e99bbb7a3e96d28cd36b7a9de26641b25ccd6a"?
An interesting #Malicious ISO was uploaded from India
4fa0e396cda9578143ad90ff03702a3b9c796c657f3bdaaf851ea79cb46b86d7
"SU-30 Aircraft Procurement" ...😹
ISO -> LNK -> EXE and decoy PDF
The EXE was written in Golang and likely use Slack as C2
@malwrhunterteam @1ZRR4H
Last Seen Users on Sotwe
윤지
Seen from Korea
Sojal Shaik
Seen from Oman
Paul Elam 
Seen from United Kingdom
Black🔞sextape (lizzy💦mira)
Seen from France
Kay Ross-Levy 🌺
Seen from United Kingdom
ของดีที่ไฟท้าย
Seen from Thailand
active teens
Gwen P
Seen from Netherlands
SANGEEEAN
Seen from Singapore
PROFESSOR M 🔥🦅
Seen from Switzerland
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.3M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.5M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.4M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.7M followers
KATY PERRY
@katyperry
87.1M followers
Taylor Swift
@taylorswift13
80.9M followers
Lady Gaga
@ladygaga
72.5M followers
Kim Kardashian
@kimkardashian
69.5M followers
Virat Kohli
@imvkohli
69.1M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.6M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.7M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.2M followers
✨
⭐
💫