there is a game called "data center" on steam which lets you build and manage your own data center.
this is lowkey genius, the best way to educate people on a new trait. hyperscalers should learn a thing or two from "edutainment".
Currently seeing a surge in #CastleLoader malware being delivered through fake websites impersonating software used in enterprise environments such as Zabbix or RVTools (see photos 1 & 2). IOCs below 👾🔎
Please note that this campaign uses the same exact template lures as the previously observed #Bumblebee campaigns back in Summer 2025, which then disappeared for some months. Efforts put into disrupting Bumblebee infrastructure could have made the folks behind these campaigns migrate to other malware options such as the observed CastleLoader.
The CastleLoader builds, hosted on fake GitHub repos (see photo 3), are being delivered as EV cert signed MSI builds (also like the previous Bumblebee campaigns), leading to other malware such as NetSupport RAT. The abuse of EV certificates by this malware can be tracked on CertCentral by @SquiblydooBlog (https://t.co/KfhngzzuDM)
IOCs
~ Signatures
LLC KHD GROUP (GlobalSign)
INTYNA EXIM PRIVATE LIMITED (SSLdotcom)
~ CastleLoader C2 domains
wereatwar[.]com
~ NetSupport RAT C2
37.230.62.235:514
37.230.62.235
84.200.81.32
Want to integrate #LLMs and #AI into #OffSec operations? On Oct 21, experts from @OutflankNL and Cobalt Strike are offering a free hands-on training sharing their research on using these technologies to amplify engagements. Spots are limited, register now!
https://t.co/DqkEQVRjFe
How to learn Active Directory…
Step 1. Set up your own lab. Set up LAPS, AppLocker, logon scripts, a CA server, SCCM, Exchange, file shares etc., the whole nine
Step 2. Intentionally misconfigure it with tools like BadBlood and BadShares (I wrote this one) or just manually screw it up
Step 3. Find all the messed up stuff (PingCastle, ScriptSentry (mine), Locksmith, ADeleginator (me again), AppLocker Inspector (also me), Purple Knight, etc. etc.). Included in this step is documenting the stuff you find and the root cause (makes good blogging/video content)
Step 3a. Try to exploit the bad stuff. This is optional but it’s super fun and I believe it’s helpful to know how threat actors may attack the stuff you find (also good content)
Step 4. Fix all the messed up stuff. Included in this step is documenting your process and the fix (again good content)
Step 5. Repeat until you can talk about XYZ without looking it up
Bonus - document your process and stuff you’re doing on social media. Write blogs, make videos, whatever. Post daily.
Do this consistently for 1 year without looking up and I bet you’ll be surprised how far you go in just 12 months.
PS - This isn’t the only way. This is just what I’d recommend based on what’s worked for me and seeing others learn this way 🙏
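As an added example in the spirit of Step 3 (this is not code from the thread or from any of the tools it names), the PowerShell below audits the logon scripts in the domain's NETLOGON share and reports any ACE that lets a broad principal modify a script, which is the kind of misconfiguration a lab built in Step 1 and broken in Step 2 is meant to surface. It assumes the RSAT ActiveDirectory module is installed and the running account can read the share; the principal and extension lists are assumptions you should adjust for your lab.

```powershell
# Added example: find NETLOGON logon scripts that broad groups can modify.
# Assumes RSAT ActiveDirectory module and read access to \\<domain>\NETLOGON.
Import-Module ActiveDirectory

$Domain = Get-ADDomain
# Principals that should never hold write rights on a logon script (assumed list).
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$($Domain.NetBIOSName)\Domain Users",
    "$($Domain.NetBIOSName)\Domain Computers"
)

# Any of these rights lets the holder change what every user executes at logon.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData

$SharePath = "\\$($Domain.DNSRoot)\NETLOGON"
$Scripts = Get-ChildItem -Path $SharePath -Recurse -File -Include *.bat, *.cmd, *.ps1, *.vbs

$Findings = foreach ($file in $Scripts) {
    $acl = Get-Acl -Path $file.FullName
    foreach ($ace in $acl.Access) {
        $isBroad     = $BroadPrincipals -contains $ace.IdentityReference.Value
        $grantsWrite = ($ace.FileSystemRights -band $WriteRights) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $grantsWrite) {
            [pscustomobject]@{
                Script    = $file.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs must be fixed at the parent
            }
        }
    }
}

$Findings | Format-Table -AutoSize

# Step 4 (fix) for a non-inherited finding $f: strip the offending ACE and re-apply.
#   $acl = Get-Acl -Path $f.Script
#   $acl.Access | Where-Object { $_.IdentityReference.Value -eq $f.Principal -and -not $_.IsInherited } |
#       ForEach-Object { [void]$acl.RemoveAccessRule($_) }
#   Set-Acl -Path $f.Script -AclObject $acl
```

Document each finding's root cause (who added the ACE and why) before applying the fix, since an inherited entry points at a folder-level problem rather than at the script itself.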