🚨 ThreatLabz identified a malicious Python package in PyPI named "parsimonius" that was designed to impersonate the legitimate parsimonious package through typosquatting. The threat actor selected a package name differing by a single character and assigned it a version number intended to appear newer than the legitimate release, increasing the likelihood of inadvertent installation by developers.
Before its removal from the package repository, the malicious package was downloaded 2,474 times within a matter of days. ThreatLabz analysis revealed that the package incorporated the legitimate parsimonious parsing functionality to avoid suspicion while simultaneously deploying a Telegram-based backdoor. Once installed, the backdoor provided attackers with remote access capabilities and facilitated the theft of sensitive data, including .env files and bot authentication tokens.
The SHA1 hash of the malicious package is a01c2a21f24db63cb01a67016519aebeca438089.
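The post above describes a package name that differs from the legitimate one by a single character. As an added, defender-side example (not ThreatLabz's code), the following script flags requested package names that are within one edit of an allow-listed name, using PEP 503 name normalization and a small edit-distance routine; the allow-list and the requirements text are constructed for the example, and the version-number trick mentioned in the post is not covered.

```python
import re

# Constructed allow-list of legitimate names for this example; in practice this
# would be the project's lockfile or an internal registry of approved packages.
KNOWN_GOOD = {"parsimonious", "requests", "numpy"}

def normalize(name: str) -> str:
    # PEP 503 name normalization: case-fold and collapse runs of '-', '_', '.'
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    # Classic dynamic-programming edit distance (insert, delete, substitute).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(names, known_good=KNOWN_GOOD, max_distance=1):
    """Map each requested name that is NOT on the allow-list but lies within
    max_distance edits of an allow-listed name to that closest legitimate name."""
    good = {normalize(n) for n in known_good}
    hits = {}
    for raw in names:
        n = normalize(raw)
        if n in good:
            continue  # exact (normalized) match: nothing to flag
        best = min(good, key=lambda g: levenshtein(n, g))
        if levenshtein(n, best) <= max_distance:
            hits[raw] = best
    return hits

def check_requirements(text: str) -> dict:
    """Extract package names from requirements.txt-style text and flag likely typosquats."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()                # drop comments
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # name before any specifier
        if m:
            names.append(m.group(0))
    return typosquat_candidates(names)

# Constructed sample input: the middle line mimics the single-character typosquat.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
parsimonius>=0.10.1
numpy
"""
```

Running `check_requirements(SAMPLE_REQUIREMENTS)` returns `{'parsimonius': 'parsimonious'}`; wiring the check into a CI step before `pip install` lets a near-miss name be reviewed before it is ever fetched.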
Zscaler ThreatLabz has published an analysis of a malicious OpenClaw skill that weaponizes agentic AI workflows and deploys malicious payloads like Remcos RAT and GhostLoader. The infection chain has two paths: one for Windows and another for macOS and Linux. The campaign attempts to evade detection by suppressing security events, injects into a legitimate process via DLL sideloading, and utilizes runtime payload decryption and obfuscated installer scripts.
Read the entire analysis here: https://t.co/Kvt2KtHlQR
ThreatLabz discovered another fake document reader in the Google Play Store with more than 10K downloads, which delivered the Anatsa Android trojan.
Anatsa installer SHA256 hash: 5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20
Payload URL: http://23.251.108[.]10:8080/privacy.txt
Payload SHA256: 88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f
Anatsa C2s:
http://172.86.91[.]94/api/
http://193.24.123[.]18:85/api/
http://162.252.173[.]37:85/api/
Google Play URL: https://t.co/Wya6lHw9LA[.]com/store/apps/details?id=com.groundstation.informationcontrol.filestation_browsefiles_readdocs (now taken down)
Zscaler ThreatLabz has published a technical analysis on activity we believe to be orchestrated by Tropic Trooper, using military-themed lures and a trojanized SumatraPDF to deploy AdaptixC2 with a custom GitHub-based C2, then pivoting to Visual Studio Code tunnels for remote access.
Read more: https://t.co/myj0VbDZYr
Zscaler ThreatLabz has observed a wave of ransomware attacks that share similar TTPs with prior BlackBasta initial access brokers. These attacks start with spam bombing followed by vishing via Microsoft Teams and Quick Assist to deploy malware. ThreatLabz has linked these attacks to a relatively unknown ransomware group called Payouts King.
Check out our technical analysis of Payouts King ransomware, including the file encryption methods (4,096-bit RSA + 256-bit AES CTR) and techniques to evade malware sandboxes, antivirus, and EDR detection.
Link: https://t.co/CsMH0onbSi
The second malware campaign used a PyPI package named logutilkit authored by shiningup1996@gmail[.]com. This package downloads a Python-based RAT from Google Drive with the SHA256 hash 7c5adef4b5aee7a4aa6e795a86f8b7d601618c3bc003f1326ca57d03ec7d6524.
🧵(3/3)
The first malware campaign used malicious PyPI packages with the following names:
- ariadne-federation
- dgl-cu117
- fastapi-middleware-cors
- kvstore-pb2-grpc
- my-super-lib
- python-anchor
The author of these packages used the email address: alex_prog120@gmail[.]com
The packages use a shared codebase with layered obfuscation and a staged execution chain. The payload dropped by these PyPI packages is a RAT with the SHA256 hash 23347f16e39c86eeb2cf9fce72460e38a2d35cce0bc8c482c23555b92f876053 that leverages Telegram for C2 communications.
🧵(2/3)
Zscaler ThreatLabz has published a technical analysis of Xloader versions 8.1 to 8.7 that covers new code obfuscation techniques that further complicate reverse engineering efforts. In addition, the blog provides an in-depth examination of Xloader’s convoluted network protocol that leverages multiple layers of encryption and uses decoy C2s for misdirection.
Check out the full analysis here: https://t.co/d4fVCf0oSn
The wait is officially over: The 2026 Threat Detection Report is LIVE! 🚨
This year, our team analyzed over 110,000 threats across cloud, SaaS, identity, and networks to give you a deeper look into the evolving threat landscape.
Download your copy of the 2026 Threat Detection Report now: https://t.co/7AZpirQvLN
Zscaler ThreatLabz has published a technical analysis of SnappyClient, a C2 implant that has been distributed via HijackLoader. SnappyClient can steal data from applications based on specific triggers and provide remote access. SnappyClient includes multiple techniques to evade EDRs, such as bypassing AMSI, leveraging Heaven's Gate, using direct system calls, and implementing transacted hollowing for process injection.
Read the full analysis here: https://t.co/aFTEAEOkSe
Zscaler ThreatLabz has published a technical analysis of a multi-stage attack chain operated by a China-nexus threat actor that targets countries in the Persian Gulf region to deploy a variant of the PlugX backdoor.
Read the entire analysis here: https://t.co/pVqqBHs33p
Zscaler ThreatLabz has published a technical analysis of APT37's Ruby Jumper campaign, a DPRK-backed attack leveraging Windows LNK files and newly discovered tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. This campaign leverages removable media to enable surveillance and execute commands on air-gapped systems.
Read our full analysis here: https://t.co/Gadrbxzoom
Zscaler ThreatLabz has published a technical analysis of GuLoader's anti-analysis techniques that include complex exception-based control flow obfuscation. GuLoader purposefully triggers exceptions to redirect the malware's execution, and employs polymorphic code to dynamically construct constants and string values.
IDA Python scripts for deobfuscating GuLoader can be found in our GitHub repository here: https://t.co/kGOi4fwcsL
Read the full analysis here: https://t.co/49uTtpMttK
Zscaler ThreatLabz has published a technical analysis of Marco Stealer, an information stealer discovered by our team that harvests sensitive information including browser data and cryptocurrency wallets. Marco Stealer uses HTTP-based C2 communication with AES-encrypted payloads.
Read the full analysis here: https://t.co/ZLmjqvFFEE
Zscaler ThreatLabz has uncovered a new APT28 campaign that exploits CVE-2026-21509. Tracked as Operation Neusploit, this activity targets countries in Central and Eastern Europe, and uses weaponized Microsoft RTF files to deliver two new backdoors that we have named MiniDoor and PixyNetLoader.
Read the full technical analysis here: https://t.co/OcL5FXBKZG
🚨 ThreatLabz has identified another malicious app on the Google Play Store disguised as a document reader. The app currently has over 50K downloads and serves as an installer for the Anatsa banking trojan.
IOCs below:
Google Play URL: https://t.co/Wya6lHw9LA[.]com/store/apps/details?id=com.recursivestd.highlogic.stellargrid
Anatsa installer MD5: 1991f5d0c88d8c7c68f6a6d27efa60d6
Anatsa download URL: https://stellargridinv[.]com/
Anatsa payload MD5: 7f131404a331ae10fdc76bfe5908575d
Anatsa C2s:
- http://193.24.123[.]18:85/api/
- http://162.252.173[.]37:85/api/