![ShadowOpCode's tweet photo. ⚠️NEW MALSPAM IN ITALY⚠️
📧"Importante"
Fascicolo Sanitario Elettronico
hxxps://fseitalia[.]es/c/abf99046-6f6c-42d0-bf73-c003eb244993
@AgidCert @guelfoweb @JAMESWT_WT @illegalFawn @AndreaDraghetti https://t.co/z4mPkhZhij](https://pbs.twimg.com/media/HJJbmsvXcAAr1WO.jpg)
![ShadowOpCode's tweet photo. 🚨ALERT🚨
#phishing #AdE 730
📩Comunicazione Ufficiale – Rimborso Imposte 2025–2026
hxxps://tax[.]denzay[.]eu/gov/
hxxps://agenziaentrate[.]grillwestfrentes[.]com[.]ar/rimborso/it/
Exfil credit card number
@guelfoweb @JAMESWT_WT @illegalFawn https://t.co/EKq8IYFJ4G](https://pbs.twimg.com/media/HIXG-5SXcAAxAZj.jpg)
![ShadowOpCode's tweet photo. 🚨ALERT🚨
#phishing #AdE 730
📩Comunicazione Ufficiale – Rimborso Imposte 2025–2026
hxxps://tax[.]denzay[.]eu/gov/
hxxps://agenziaentrate[.]grillwestfrentes[.]com[.]ar/rimborso/it/
Exfil credit card number
@guelfoweb @JAMESWT_WT @illegalFawn https://t.co/EKq8IYFJ4G](https://pbs.twimg.com/media/HIXG-2oXMAIMjQd.jpg)
![ShadowOpCode's tweet photo. ⚠️ALERT⚠️
Fake #Booking #Scam #phishing message
🚨REAL RESERVATION USED AS LURE🚨
hxxps://hotel-stay32181[.]com/
Compromised host?
@illegalFawn @JAMESWT_WT @AgidCert https://t.co/krtJvdyRit](https://pbs.twimg.com/media/HIC8JevXsAIYUfC.jpg)
![ShadowOpCode's tweet photo. ⚠️ALERT⚠️
Fake #Booking #Scam #phishing message
🚨REAL RESERVATION USED AS LURE🚨
hxxps://hotel-stay32181[.]com/
Compromised host?
@illegalFawn @JAMESWT_WT @AgidCert https://t.co/krtJvdyRit](https://pbs.twimg.com/media/HIC8JesWkAAyeIa.jpg)
![ShadowOpCode's tweet photo. #Booking #ClickFix
📧"General Notification: (5392009143, Complaints Continue to Rise, May, 2026)"
📧info@muraptor[.]com
⛓️eml > url > msiexec.exe > #NetSupport
🚫lkhpihf[.]com:443
🚫lkboasprqw[.]com:443
@anyrun_app analysis: https://t.co/XKbmKK8NFz
@JAMESWT_WT https://t.co/VW0hBxXzJF](https://pbs.twimg.com/media/HHfCY5DWwAAQYzx.png)
![ShadowOpCode's tweet photo. #Booking #ClickFix
📧"General Notification: (5392009143, Complaints Continue to Rise, May, 2026)"
📧info@muraptor[.]com
⛓️eml > url > msiexec.exe > #NetSupport
🚫lkhpihf[.]com:443
🚫lkboasprqw[.]com:443
@anyrun_app analysis: https://t.co/XKbmKK8NFz
@JAMESWT_WT https://t.co/VW0hBxXzJF](https://pbs.twimg.com/media/HHfCSFCXIAAQyi0.jpg)
![ShadowOpCode's tweet photo. 🚨ALERT🚨
#Booking #ClickFix #NetSupport Manager RAT seen in Italy.
hxxps://admin-extranet[.]com/start/
👇
ClickFix
👇
hxxp://217.145.226[.]119/book/
👇
lkhpihf[.]com:443
lkboasprqw[.]com:443
@anyrun_app : https://t.co/rJZi7kf04C https://t.co/jWunNZwqo8](https://pbs.twimg.com/media/HHpKgppWQAM-HgN.jpg)
![ShadowOpCode's tweet photo. #FSE malspam #phishing campaign
hxxps://sfe-2026[.]com/~server10/c/375f4b72-6efb-45f0-a90e-9de7ee504228 https://t.co/G1jcDF8vpd](https://pbs.twimg.com/media/HHe9MgpWAAIKUfT.png)
![ShadowOpCode's tweet photo. #FSE malspam #phishing campaign
hxxps://sfe-2026[.]com/~server10/c/375f4b72-6efb-45f0-a90e-9de7ee504228 https://t.co/G1jcDF8vpd](https://pbs.twimg.com/media/HHe9JeOXIAAW85S.jpg)
![ShadowOpCode's tweet photo. ⚠️ALERT⚠️
#AgentTesla spreading in Italy
📧Purchase Order #10045
📡hxxp://185.29.10[.]77/VbnpIdAHD29.bin
⛔ftp[.]holzbrenzii[.]com
⛔infooo@holzbrenzii.com
Bazaar: https://t.co/fsahBvCoSO
@anyrun_app: https://t.co/CSWH16lDxD
Thanks @JAMESWT_WT for the other samples https://t.co/WA6aQcj9SS](https://pbs.twimg.com/media/HHI-ESvWEAAfpbK.jpg)
![ShadowOpCode's tweet photo. ⚠️ALERT⚠️
#AgentTesla spreading in Italy
📧Purchase Order #10045
📡hxxp://185.29.10[.]77/VbnpIdAHD29.bin
⛔ftp[.]holzbrenzii[.]com
⛔infooo@holzbrenzii.com
Bazaar: https://t.co/fsahBvCoSO
@anyrun_app: https://t.co/CSWH16lDxD
Thanks @JAMESWT_WT for the other samples https://t.co/WA6aQcj9SS](https://pbs.twimg.com/media/HHI9_OQWEAAd2m1.png)
![ShadowOpCode's tweet photo. 🚨ALERT🚨
#Crypto investing scam in #Italy
Using #MarioDraghi and @albmatano image
hxxps://zolviqhub[.]live/pc/15007/?sub1=7zcKg&pid=2jWO3Tyh0ou
@Cloudflare @CloudflareHelp TAKE IT DOWN‼️
@AgidCert @illegalFawn @JAMESWT_WT https://t.co/4oKAIwhucS](https://pbs.twimg.com/media/HHFIcZhbcAA8bbb.png)
![ShadowOpCode's tweet photo. 🚨ALERT🚨
#Crypto investing scam in #Italy
Using #MarioDraghi and @albmatano image
hxxps://zolviqhub[.]live/pc/15007/?sub1=7zcKg&pid=2jWO3Tyh0ou
@Cloudflare @CloudflareHelp TAKE IT DOWN‼️
@AgidCert @illegalFawn @JAMESWT_WT https://t.co/4oKAIwhucS](https://pbs.twimg.com/media/HHFIQtmbwAA_0kD.jpg)
![ShadowOpCode's tweet photo. 🚨ALERT🚨
#Crypto investing scam in #Italy
Using #MarioDraghi and @albmatano image
hxxps://zolviqhub[.]live/pc/15007/?sub1=7zcKg&pid=2jWO3Tyh0ou
@Cloudflare @CloudflareHelp TAKE IT DOWN‼️
@AgidCert @illegalFawn @JAMESWT_WT https://t.co/4oKAIwhucS](https://pbs.twimg.com/media/HHFFhoTWQAAExyG.jpg)
![ShadowOpCode's tweet photo. 🚨ALERT🚨
There is a #DarkCloud #malspam campaign started in novembre 2025 and still active
"Quotation - Labmate Scientific USA"
eml > rar > DarkCloud (UPX packed)
📡C2: mail[.]mokasco[.]com (turkish company)
Sender IP: 31[.]57[.]184[.]57 🇮🇷🦁
bazaar: https://t.co/dm2bS09HmX https://t.co/lfAEiiTAbA](https://pbs.twimg.com/media/HGrH0KBWoAA_Cmw.jpg)
![ShadowOpCode's tweet photo. #booking #clickfix #HijackLoader
📧"New notification"
hxxps://admin[.]booking[.]com-complete-captcha[.]info
👇
hxxps://lkgkdsjd[.]com/s.php
👇
hxxps://pulse-srvc[.]com
@anyrun_app : https://t.co/MH82w0c6NC https://t.co/Me1sAFEhpe](https://pbs.twimg.com/media/HGgl5EPWIAArEzk.jpg)
![ShadowOpCode's tweet photo. #booking #clickfix #HijackLoader
📧"New notification"
hxxps://admin[.]booking[.]com-complete-captcha[.]info
👇
hxxps://lkgkdsjd[.]com/s.php
👇
hxxps://pulse-srvc[.]com
@anyrun_app : https://t.co/MH82w0c6NC https://t.co/Me1sAFEhpe](https://pbs.twimg.com/media/HGgl5ENWIAAf8B9.png)
Olivia
Online
ShadowOpCode
@ShadowOpCode
Malware analyst & reverse engineer 🧠
Threat intel on stealers, RATs, live campaigns 🕵️
Technical analysis. No buzzwords.
📍DM open for research collabs
Joined May 2025
171 Following
1K Followers
692 Posts
Pinned Tweet
🚨 New #JavaStealer “MaksStealer” uncovered!
Fully in-memory, FUD, DES–Blowfish runtime decryption, WebSockets on 4025/4028/6662.
Author “Max, 17yo” left his signature in the payload 🤯
Full report & IoCs 👉 https://t.co/HHuNMn5FPL
#infosec #malware #ThreatIntel @malwrhunterteam
⚠️NEW MALSPAM IN ITALY⚠️
📧"Importante"
Fascicolo Sanitario Elettronico
hxxps://fseitalia[.]es/c/abf99046-6f6c-42d0-bf73-c003eb244993
@AgidCert @guelfoweb @JAMESWT_WT @illegalFawn @AndreaDraghetti
![ShadowOpCode's tweet photo. ⚠️NEW MALSPAM IN ITALY⚠️
📧"Importante"
Fascicolo Sanitario Elettronico
hxxps://fseitalia[.]es/c/abf99046-6f6c-42d0-bf73-c003eb244993
@AgidCert @guelfoweb @JAMESWT_WT @illegalFawn @AndreaDraghetti https://t.co/z4mPkhZhij](https://pbs.twimg.com/media/HJJbp5ZWgAAA3Xl.jpg)
@guelfoweb @JAMESWT_WT @tobersotski @illegalFawn @AndreaDraghetti @skocherhan @jamieantisocial thank you @JAMESWT_WT !
I've uploaded more artifacts obtained during reverse engineering of the sample, including a .NET PE embedded and a DLL embedded (matrioska vibes) decrypted at runtime via 3DES and GZip:
https://t.co/8N3lwqhHPR
"Avviso di Bonifico Bancario (SEPA)"
eml > 7z > bat > powershell > exe
hxxps://d[.]tmpfile[.]link/public/2026-05-20/5855cc12-9621-4b14-85ae-b935380953bb/ghhjgr.png
Powershell decryption with XOR
Injection (VirtualAlloc)
AutoIt3 decrypt final payload XOR
C2: 151.243.109[.]130:9518
![ShadowOpCode's tweet photo. "Avviso di Bonifico Bancario (SEPA)"
eml > 7z > bat > powershell > exe
hxxps://d[.]tmpfile[.]link/public/2026-05-20/5855cc12-9621-4b14-85ae-b935380953bb/ghhjgr.png
Powershell decryption with XOR
Injection (VirtualAlloc)
AutoIt3 decrypt final payload XOR
C2: 151.243.109[.]130:9518 https://t.co/W8MoE4pyCs](https://pbs.twimg.com/media/HIxEwbuWkAA2SOM.png)
https://t.co/GVwMvioaqr
Probable PureLogs Stealer
@guelfoweb @JAMESWT_WT @illegalFawn @skocherhan I've seen only now @AgidCert already published it some minutes ago :)
https://t.co/VTdCKAzN2x
🚨ALERT🚨
#phishing #AdE 730
📩Comunicazione Ufficiale – Rimborso Imposte 2025–2026
hxxps://tax[.]denzay[.]eu/gov/
hxxps://agenziaentrate[.]grillwestfrentes[.]com[.]ar/rimborso/it/
Exfil credit card number
@guelfoweb @JAMESWT_WT @illegalFawn
![ShadowOpCode's tweet photo. 🚨ALERT🚨
#phishing #AdE 730
📩Comunicazione Ufficiale – Rimborso Imposte 2025–2026
hxxps://tax[.]denzay[.]eu/gov/
hxxps://agenziaentrate[.]grillwestfrentes[.]com[.]ar/rimborso/it/
Exfil credit card number
@guelfoweb @JAMESWT_WT @illegalFawn https://t.co/EKq8IYFJ4G](https://pbs.twimg.com/media/HIXG-7CXMAES10Q.png)
@IntesaSP_Help #phishing #scam
hxxps://fazexmd[.]com/wordpress/fark/
@illegalFawn @JAMESWT_WT @AgidCert
![ShadowOpCode's tweet photo. @IntesaSP_Help #phishing #scam
hxxps://fazexmd[.]com/wordpress/fark/
@illegalFawn @JAMESWT_WT @AgidCert https://t.co/wSXFs5Jw4e](https://pbs.twimg.com/media/HIGlKlsW4AAMVBr.jpg)
⚠️ALERT⚠️
Fake #Booking #Scam #phishing message
🚨REAL RESERVATION USED AS LURE🚨
hxxps://hotel-stay32181[.]com/
Compromised host?
@illegalFawn @JAMESWT_WT @AgidCert
![ShadowOpCode's tweet photo. ⚠️ALERT⚠️
Fake #Booking #Scam #phishing message
🚨REAL RESERVATION USED AS LURE🚨
hxxps://hotel-stay32181[.]com/
Compromised host?
@illegalFawn @JAMESWT_WT @AgidCert https://t.co/krtJvdyRit](https://pbs.twimg.com/media/HIC8JewWYAA7B2h.jpg)
#Booking #ClickFix
📧"General Notification: (5392009143, Complaints Continue to Rise, May, 2026)"
📧info@muraptor[.]com
⛓️eml > url > msiexec.exe > #NetSupport
🚫lkhpihf[.]com:443
🚫lkboasprqw[.]com:443
@anyrun_app analysis: https://t.co/XKbmKK8NFz
@JAMESWT_WT
![ShadowOpCode's tweet photo. #Booking #ClickFix
📧"General Notification: (5392009143, Complaints Continue to Rise, May, 2026)"
📧info@muraptor[.]com
⛓️eml > url > msiexec.exe > #NetSupport
🚫lkhpihf[.]com:443
🚫lkboasprqw[.]com:443
@anyrun_app analysis: https://t.co/XKbmKK8NFz
@JAMESWT_WT https://t.co/VW0hBxXzJF](https://pbs.twimg.com/media/HHfCf2kXsAA_M7m.png)
🚨ALERT🚨
#Booking #ClickFix #NetSupport Manager RAT seen in Italy.
hxxps://admin-extranet[.]com/start/
👇
ClickFix
👇
hxxp://217.145.226[.]119/book/
👇
lkhpihf[.]com:443
lkboasprqw[.]com:443
@anyrun_app : https://t.co/rJZi7kf04C
![ShadowOpCode's tweet photo. 🚨ALERT🚨
#Booking #ClickFix #NetSupport Manager RAT seen in Italy.
hxxps://admin-extranet[.]com/start/
👇
ClickFix
👇
hxxp://217.145.226[.]119/book/
👇
lkhpihf[.]com:443
lkboasprqw[.]com:443
@anyrun_app : https://t.co/rJZi7kf04C https://t.co/jWunNZwqo8](https://pbs.twimg.com/media/HHpjzyzW0AQhj05.png)
@anyrun_app @JAMESWT_WT @AgidCert @guelfoweb @illegalFawn @skocherhan stage: hxxp://193.233.113[.]106/book
#Booking #ClickFix
📧"General Notification: (5392009143, Complaints Continue to Rise, May, 2026)"
📧info@muraptor[.]com
⛓️eml > url > msiexec.exe > #NetSupport
🚫lkhpihf[.]com:443
🚫lkboasprqw[.]com:443
@anyrun_app analysis: https://t.co/XKbmKK8NFz
@JAMESWT_WT
⚠️ALERT⚠️
#AgentTesla spreading in Italy
📧Purchase Order #10045
📡hxxp://185.29.10[.]77/VbnpIdAHD29.bin
⛔ftp[.]holzbrenzii[.]com
⛔[email protected]
Bazaar: https://t.co/fsahBvCoSO
@anyrun_app: https://t.co/CSWH16lDxD
Thanks @JAMESWT_WT for the other samples
![ShadowOpCode's tweet photo. ⚠️ALERT⚠️
#AgentTesla spreading in Italy
📧Purchase Order #10045
📡hxxp://185.29.10[.]77/VbnpIdAHD29.bin
⛔ftp[.]holzbrenzii[.]com
⛔infooo@holzbrenzii.com
Bazaar: https://t.co/fsahBvCoSO
@anyrun_app: https://t.co/CSWH16lDxD
Thanks @JAMESWT_WT for the other samples https://t.co/WA6aQcj9SS](https://pbs.twimg.com/media/HHI-K64WcAA1igH.jpg)
🚨ALERT🚨
#Crypto investing scam in #Italy
Using #MarioDraghi and @albmatano image
hxxps://zolviqhub[.]live/pc/15007/?sub1=7zcKg&pid=2jWO3Tyh0ou
@Cloudflare @CloudflareHelp TAKE IT DOWN‼️
@AgidCert @illegalFawn @JAMESWT_WT
![ShadowOpCode's tweet photo. 🚨ALERT🚨
#Crypto investing scam in #Italy
Using #MarioDraghi and @albmatano image
hxxps://zolviqhub[.]live/pc/15007/?sub1=7zcKg&pid=2jWO3Tyh0ou
@Cloudflare @CloudflareHelp TAKE IT DOWN‼️
@AgidCert @illegalFawn @JAMESWT_WT https://t.co/4oKAIwhucS](https://pbs.twimg.com/media/HHFJkiuaUAAfmnn.png)
@RussianPanda9xx Have you ever tried ChatGPT plus? What do you think?
🚨ALERT🚨
There is a #DarkCloud #malspam campaign started in novembre 2025 and still active
"Quotation - Labmate Scientific USA"
eml > rar > DarkCloud (UPX packed)
📡C2: mail[.]mokasco[.]com (turkish company)
Sender IP: 31[.]57[.]184[.]57 🇮🇷🦁
bazaar: https://t.co/dm2bS09HmX
![ShadowOpCode's tweet photo. 🚨ALERT🚨
There is a #DarkCloud #malspam campaign started in novembre 2025 and still active
"Quotation - Labmate Scientific USA"
eml > rar > DarkCloud (UPX packed)
📡C2: mail[.]mokasco[.]com (turkish company)
Sender IP: 31[.]57[.]184[.]57 🇮🇷🦁
bazaar: https://t.co/dm2bS09HmX https://t.co/lfAEiiTAbA](https://pbs.twimg.com/media/HGrIAJlWUAA8oVn.jpg)
@JAMESWT_WT @serverplan @smica83 @guelfoweb @marsomx_ @Certego_Intel @D3LabIT @struppigel @c_APT_ure @James_inthe_box @VirITeXplorer @Max_Mal_ username: backup@corella[.]ro
password: I won't tell you 🥱
Threat actors are abusing branded PDFs to deliver phishing via malicious QR codes.
📩"Employee Pay Raise and Bonus Allocation"
The QR code redirects users outside the corporate perimeter to a credential harvesting page.
🎣hxxps://crioralo[.]ru
![ShadowOpCode's tweet photo. Threat actors are abusing branded PDFs to deliver phishing via malicious QR codes.
📩"Employee Pay Raise and Bonus Allocation"
The QR code redirects users outside the corporate perimeter to a credential harvesting page.
🎣hxxps://crioralo[.]ru https://t.co/6kirCqXlBL](https://pbs.twimg.com/media/HGlSx_AXkAA7AYZ.jpg)
@JAMESWT_WT @anyrun_app @guelfoweb @AgidCert @skocherhan @marsomx_ @VirITeXplorer @D3LabIT @Certego_Intel @James_inthe_box @c_APT_ure @struppigel @Max_Mal_ exactly! Seems like a stealer also, it searches for Crypto Wallets and cookies in the system
#booking #clickfix #HijackLoader
📧"New notification"
hxxps://admin[.]booking[.]com-complete-captcha[.]info
👇
hxxps://lkgkdsjd[.]com/s.php
👇
hxxps://pulse-srvc[.]com
@anyrun_app : https://t.co/MH82w0c6NC
![ShadowOpCode's tweet photo. #booking #clickfix #HijackLoader
📧"New notification"
hxxps://admin[.]booking[.]com-complete-captcha[.]info
👇
hxxps://lkgkdsjd[.]com/s.php
👇
hxxps://pulse-srvc[.]com
@anyrun_app : https://t.co/MH82w0c6NC https://t.co/Me1sAFEhpe](https://pbs.twimg.com/media/HGgl5EiWUAA3-NT.jpg)
Last Seen Users on Sotwe
Dhhd
Seen from Italy
Ünlüler
Seen from Egypt
U g h t e a Ngeunah
Seen from Netherlands
متحرر من الكويت
Seen from Oman
รับปรึกษาแนวครอบครัวด้านมืดในมุมของตัวเอง
Seen from Thailand
milf porn
Seen from Turkey
🐇 Fun Couple 🐇 
Seen from Singapore
♀️ZEVK ÇIĞLIKLARI♂️
Seen from Turkey
بنت اليمن اب
Seen from Saudi Arabia
٧
Seen from Netherlands
Most Popular Users
Elon Musk
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.7M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
60.9M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers