dougy

#3/3 - Windows malware Windows users get on pwin[.]onelink[.]me/zmFc/dt38769z >> warboardgame[.]com/github-download.html This fake Github download page is serving a ZIP Download (image 1). The same template has been observed in the past serving other Windows stealers. Downloads are managed by warboardgame[.]com/archiveProxy.php, sending download stats to /statProxy.php The build analyzed has been detonated here: https://t.co/RCc8bqV3Th ZIP Sample -> 67fcd19f1be87ff47246a5fa40549df24da60eb81c62450efd5254fcb3628c1c Inside ZIP, a .vbs script downloads a build via Powershell from botshield[.]vu/kFcjld. Once b64 decoded -> 15de71073f44c657c23f5f97caa11f1b12e654d4d17684bfc628cc1e5b6bcdd5 This file loads another file from Stealer C2 hxxp://45.93.20.61:5466/api/CryptoByte (4e90d386c1c7d3d1fd4176975795a2f432d95685690778e09313b4a1dbab9997) This file sends a log zip to hxxp://45.93.20.61:5466/api/upload Sandbox log has been saved here -> 4ebbb900e083ccc240a8d354fb6466b339a5c4e7c1711a749ad00b1343bd96eb On the log you can observe infected machine information (copying the format of Rhadamanthys) (image 3), a screenshot of the machine, default user agents used in browsers and a file "browser_decryption.log" that describes the runtime of an additional payload download from: hxxp://45.93.20.61:5466/api/client (751e45828a3ff877ed4add1508b3e54463376cfb11f3171bfac160653ca9813c) This build scans the system looking for Browsers installation folders, decrypting the encryption of the browsers to extract data (such as User Agent in this preliminary log sent to C2), scan for crypto wallet files and extensions (that will also be extracted and send in log if found) and scan and extract Telegram session related files. This file is also responsible to create persistence on the machine with scheduled tasks via CLI and via a XML file (image 3) Additionally and to finish, the build makes requests to hxxp://45.93.20.195:5000 on /api/get_credentials , /api/get_challenge and /api/get_port using a Python client. The client makes the machine to establish and maintain a reverse SSH tunnel, by retrieving SSH login credentials from the server (Request a challenge, send a response, and decrypt credentials). Then the reverse SSH tunnel is established on a free port of the C2 requested previously, attempting to act as a SOCKS5 proxy Thank you to whoever leaked/extracted a related client, we love you <3. It helps much to understand what is going on (image 4) 4893748008f7c2a1508bb1bb4fa16a7a92de658b89fe7cc1e68e05a02a9aa4b4 No further analysis has been done, feel free to play with it 🏁

These fake Fortinet websites, still present on top browser search engines results, are now delivering a fake FortiClient app, signed "Taiyuan Lihua Near Information Technology Co., Ltd. (Certum-given)" Its a phishing app, that will send credentials to vpn-connection[.]pro Based on other signed files with same EV cert, recently the TA were also spreading applications impersonating Sophos, WatchGuard and Ivanti. Analysis: https://t.co/CKyprHs5US

MongoBleed (CVE-2025-14847) is basically Heartbleed for MongoDB - unauthenticated memory disclosure - public POC, trivial to exploit - leaks creds, tokens, cloud keys straight from RAM - huge exposed surface on the internet Good writeups and technical details here: https://t.co/LgK4RABmJu https://t.co/DWtByJQ3au https://t.co/LUwfnF6uXG Patch fast, rotate secrets, and assume exposed instances were scanned(!)

Possible new leak of internal Conti / Trickbot chats A valuable dataset of internal communications that appears to be missing from public leaks. Some conversations are dated 2019. Not previously published in Conti-Leaks; partially overlaps with Trick-Leaks, but in a different form. https://t.co/OPZq7L1LH6