Chat, let me tell you something
In cybersecurity there are two things of immense value that will determine your career prospects as well as how your peers will treat you.
1. Your knowledge base
2. Your ability to shut up
Literally nothing else matters.
You don't have to be some 1337 demigod zero day researcher to have respect, but if you're educated enough in your discipline (cloud security, physical security, malware, whatever), you're golden. Pick a topic, know your stuff, don't be a jerk.
The infinitely MORE valuable asset though is your ability to remain SILENT.
Hear some crazy rumor? Shut the fuck up and don't say anything to anyone.
Hear about a potential arrest coming from some Threat Intel people? Shut the fuck up and don't say anything to anyone.
Did you hear some Threat Actors discuss a compromise? Shut the fuck up and don't say anything to anyone.
See someone get "doxxed"? Shut the fuck up and don't say anything to anyone.
Did a colleague or peer disclose something to you that they shouldn't have? Shut the fuck up and don't say anything to anyone.
Are some Threat Actors having a conflict online? Shut the fuck up and don't say anything to anyone.
The only time, with little to no nuance, something can be discussed is if it is public-public. Otherwise, it is in your best interest to remain quiet and mind your own business. Being loud can cause many problems, but drama and conflict are a big no-no in our field, especially with it being so relatively small.
Deep dive on a recently compiled sample of the infamous #Prilex Ghost...
version 6.03.9048 | compiled 2026-04-29
Compared to prior build:
— added generic TEF middleware to target list
— new POS target added
Other relevant functions already documented by Kaspersky's prior research: https://t.co/8bD713wO60
#Prilex #ThreatIntel #Fraud
For my Brazilian ThreatHunting/DFIR friends:
Been reversing a malware called “#CNABHunter” (NUikita), and this thing is way more interesting than a regular banking trojan.
At first I had to figure out what “CNAB240/400” even was — apparently it’s a financial file standard heavily used by Brazilian ERP/banking integrations.
The malware hunts for those files in environments running TOTVS, SAP, RM, Senior, Sankhya, etc., extracts transaction data, and waits for remote commands to modify payments.
Most interesting part: it doesn’t do dumb string replacement.
The malware appears to rebuild the entire financial record using the correct field positions to keep the file structurally valid for banking processing.
Maybe my interpretation of this behavior is wrong, but that’s what I’ve understood so far from reversing it.
C2: 104.245.245[.]50:5000
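The post above makes the point that the tampered files stay structurally valid, so a length or layout check alone will not catch a modified payment. The following is an added example, not code from the post and not the malware's own code: a Python check that compares the ERP's CNAB240 export with the file staged for upload, field by field, and flags any change in beneficiary or amount. The segment A field positions are assumed from the commonly published FEBRABAN layout (verify them against your bank's manual), and the sample records are constructed.

```python
"""Integrity check for CNAB240 payment batches (added example; positions are assumed)."""
from typing import Dict, List, Tuple

RECORD_LEN = 240

# Assumed segment A positions (1-based, inclusive), after the commonly published
# FEBRABAN CNAB240 layout. Verify against your bank's manual before relying on them.
SEGMENT_A_FIELDS: Dict[str, Tuple[int, int]] = {
    "bank": (1, 3), "lot": (4, 7), "record_type": (8, 8), "seq": (9, 13),
    "segment": (14, 14), "fav_bank": (21, 23), "fav_agency": (24, 28),
    "fav_agency_dv": (29, 29), "fav_account": (30, 41), "fav_account_dv": (42, 42),
    "fav_name": (44, 73), "your_number": (74, 93), "pay_date": (94, 101),
    "value_cents": (120, 134),
}
# Left-aligned, space-padded fields; everything else is right-aligned and zero-padded.
TEXT_FIELDS = {"fav_name", "your_number", "fav_agency_dv", "fav_account_dv", "segment"}
# Changing any of these diverts or resizes a payment; they are what the check watches.
SENSITIVE = ("fav_bank", "fav_agency", "fav_agency_dv", "fav_account",
             "fav_account_dv", "fav_name", "value_cents")


def field(line: str, name: str) -> str:
    start, end = SEGMENT_A_FIELDS[name]
    return line[start - 1:end]


def is_structurally_valid(line: str) -> bool:
    """The kind of check a file parser applies up front: fixed width, plain ASCII.
    A record rebuilt with a different account at the right offsets passes this."""
    return len(line) == RECORD_LEN and line.isascii()


def is_detail_a(line: str) -> bool:
    return field(line, "record_type") == "3" and field(line, "segment") == "A"


def build_segment_a(fields: Dict[str, object]) -> str:
    """Lay out a 240-char segment A record from a field dict (used for the constructed samples)."""
    buf = [" "] * RECORD_LEN
    for name, value in fields.items():
        start, end = SEGMENT_A_FIELDS[name]
        width = end - start + 1
        text = str(value)
        text = text.ljust(width) if name in TEXT_FIELDS else text.rjust(width, "0")
        if len(text) != width:
            raise ValueError(f"{name} does not fit in {width} chars")
        buf[start - 1:end] = list(text)
    return "".join(buf)


def compare_batches(erp_lines: List[str], outgoing_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Pair records by 'seu número' and report every sensitive field that differs."""
    erp = {field(l, "your_number").strip(): l for l in erp_lines if is_detail_a(l)}
    outgoing = {field(l, "your_number").strip(): l for l in outgoing_lines if is_detail_a(l)}
    alerts: List[Tuple[str, List[str]]] = []
    for key, line in outgoing.items():
        base = erp.get(key)
        if base is None:
            alerts.append((key, ["not in ERP export"]))
            continue
        changed = [n for n in SENSITIVE if field(base, n) != field(line, n)]
        if changed:
            alerts.append((key, changed))
    for key in sorted(erp.keys() - outgoing.keys()):
        alerts.append((key, ["missing from outgoing file"]))
    return alerts


def sample_batches() -> Tuple[List[str], List[str]]:
    """Constructed test data: the ERP export and the file staged for upload, where one
    payment's account and amount were altered in place, keeping every offset intact."""
    common = {"bank": "341", "lot": "1", "record_type": "3", "segment": "A",
              "fav_bank": "341", "fav_agency": "1234", "fav_agency_dv": "5",
              "fav_account_dv": "0", "pay_date": "30042026"}
    p1 = dict(common, seq=1, fav_account="12345678", fav_name="FORNECEDOR EXEMPLO LTDA",
              your_number="NF000122", value_cents=123456)
    p2 = dict(common, seq=2, fav_account="87654321", fav_name="TRANSPORTES EXEMPLO SA",
              your_number="NF000123", value_cents=250000)
    erp = [build_segment_a(p1), build_segment_a(p2)]
    p2_modified = dict(p2, fav_account="99999999", value_cents=2500000)
    outgoing = [build_segment_a(p1), build_segment_a(p2_modified)]
    return erp, outgoing


if __name__ == "__main__":
    erp, outgoing = sample_batches()
    print("all records pass the structural check:", all(map(is_structurally_valid, erp + outgoing)))
    for key, changed in compare_batches(erp, outgoing):
        print(f"ALERT {key}: {', '.join(changed)}")
```

Both files pass the structural check, which is exactly why the comparison has to happen against the ERP's own export (or a signed manifest of it) rather than against the file's format. In practice the export should be hashed at the moment the ERP writes it, and the upload step should refuse any batch whose sensitive fields no longer match.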
#Hunting some interesting samples — no confirmed TA attribution yet, but the infra is worth tracking.
- Rust agent: signed by 'PACN TECNOLOGIA E SOFTWARE LTDA'
- Go agent: lekrmmagent → machinesdelek[.]com
- C2: mnks[.]digital (#claudermm-server-1 v0.1.0 - wt?)
- MSI: AssistenteEmpresarial / NF-e themed
#nexus_agent #Nexus Access V3
Anyone tracking something similar? #ThreatHunting
🇰🇵 Call Kim Jong Un a “fat, ugly pig” to prove that you are not from North Korea
During a job interview at a U.S. IT company, a candidate was asked to call Kim Jong Un a “fat, ugly pig” to prove he wasn’t from North Korea. The candidate decided life was more important and walked out.
North Korean workers sometimes join U.S. companies remotely, then steal sensitive data or leave security vulnerabilities in the code.
> download kali linux
> the mostest 1337 hacker tool
> super dangerous
> over 9000 hackinging tools
> can hack anything, even cows
> age verification at os level becomes law
> dont age verify 1337 hacker os
> arrested
Is hacking illegal and for nerds?
🗞️ Hunting Malicious Mining Pools: Pivoting Through Crypto Mining Infrastructure
This blog post aims to demonstrate how we can correlate a small cluster of IOCs to identify a malicious mining pool associated with the Tangerine Turkey operation.
Check it out: https://t.co/lNNVcA1b2H
CC: @johnk3r @_eremit4 @moval0x1 @akaclandestine @MichalKoczwara @1ZRR4H @struppigel
North Korean actor UNC1069 is targeting the crypto sector with AI-enabled social engineering, deepfakes, and 7 new malware families.
Get the details on their TTPs and tooling, as well as IOCs to detect and hunt for the activity detailed in our post 👇
https://t.co/t2qIB35stt
Large phishing campaign aimed at Brazil, impersonating jusbrasil @Jusbrasil, using legitimate Microsoft @MsftSecIntel
C2
tocadistribuidora./net
translogvinece./net
telefonesapple./com
smartdistburstcn./net
speedroutenetrixwb./net
Zscaler ThreatLabz has published a technical analysis of Marco Stealer, an information stealer that our team discovered that harvests sensitive information including browser data and cryptocurrency wallets. Marco Stealer uses HTTP-based C2 communication with AES encrypted payloads.
Read the full analysis here: https://t.co/ZLmjqvFFEE
🚨 Tracking the Rise of Chinese Tap-to-Pay Android Malware
Tap-to-pay fraud is no longer limited to stolen cards or physical proximity. Threat actors are now abusing NFC-enabled #Androidmalware to relay #paymentdata in real time, enabling remote, contactless fraud at scale. Our latest research uncovers how Chinese #cybercrime communities are industrializing this technique and turning it into a fully operational fraud ecosystem.
Key Highlights:
🔹 Over 54 NFC-enabled Android malware samples identified, designed to relay payment APDUs remotely
🔹 Multiple Telegram-based vendors offering tap-to-pay malware as a service, complete with subscriptions, support, and custom regional builds
🔹 At least $355,000 in fraudulent transactions linked to a single illicit POS vendor between Nov 2024 and Aug 2025
🔹 #Smishing and #vishing campaigns actively used to trick victims into installing malware and tapping their cards
🔹 Mule networks and compromised mobile wallets enabling global, card-present fraud without physical cards
Alongside these findings, the research provides in-depth technical analysis of TX-NFC, #NFU, and related variants, examining code overlaps, cash-out infrastructure, and key defensive considerations for #financialinstitutions and payment networks. Read the full research now: https://t.co/4C0ROKNdH8
Instead of attribution, the hunt focuses on mechanics: credential capture flows, evolving exfiltration channels, and selectively reused infrastructure, consistent with a phishing-as-a-service model.
#LATAM #EU #phishing #CTI #Outlook #AI #ThreatHunting
https://t.co/usjW1cXE2I
The Mycelial Mage: Tracing a Spanish-Speaking Credential Theft Operation · The Sage Hollow. I recommend reading it; incredible research conducted by my friend. https://t.co/cmaFzf0v8b
[1/4] Script obfuscation isn’t the problem people think it is.
At runtime, everything must become readable and that’s where AMSI quietly does the heavy lifting.
#CyberSecurity #CyberSec #InfoSec #Malware
A Magecart campaign targeting LATAM e-commerces via GTM side-loading. Actors compromise CMS blocks to inject a secondary container, establishing a persistent WebSocket (WSS) tunnel for stealthy exfiltration. [+]
#CTI #Magecart #InfoSec #LATAM #Skimming
Next-gen #Magecart attack spotted:
👉 Loaded via GTM (K698P9G2),
👉 Opens two parallel WebSockets (onlinechatmatrix․\xyz & onlinesupportmatrix․\support)
👉 Alternates between a fake checkout form + silent DOM skimmer.
#WebSkimming #FormJacking #PCIDSS #clientsidesecurity
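The two Magecart posts above describe skimmers that ship data out over WebSocket (WSS) tunnels after being side-loaded through GTM. A `connect-src` directive in the site's Content-Security-Policy is the control that decides whether such a tunnel can open at all. The following is an added example, not code from either post: a small Python evaluator that parses a CSP header and tells you whether a given WebSocket URL would be allowed, with a weak and a hardened policy side by side. The policies, the shop hostnames under `.example`, and the `exfil.example` host are constructed; the matcher simplifies the CSP3 rules (exact scheme match, no `'strict-dynamic'` or nonce handling).

```python
"""Check whether a CSP would let a page open a WebSocket to a host (added example)."""
from urllib.parse import urlsplit
from typing import Dict, List

DEFAULT_PORTS = {"http": 80, "ws": 80, "https": 443, "wss": 443}

# Constructed policies. The weak one lets an injected script connect anywhere;
# the hardened one names the only hosts the shop's own code talks to.
WEAK_CSP = ("default-src 'self' https:; "
            "script-src 'self' https://www.googletagmanager.com; "
            "connect-src *")
HARDENED_CSP = ("default-src 'self'; "
                "script-src 'self' https://www.googletagmanager.com; "
                "connect-src 'self' https://api.shop.example wss://chat.shop.example")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}; first occurrence wins."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _host_matches(pattern_host: str, host: str) -> bool:
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):          # *.shop.example matches sub.shop.example only
        return host.endswith(pattern_host[1:])
    return pattern_host == host


def _source_matches(expr: str, url, page) -> bool:
    e = expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":
        # Simplified 'self': same host and port, page's scheme or its secure form
        # (an https page may open wss to itself).
        return (url.hostname == page.hostname and _port(url) == _port(page)
                and url.scheme in (page.scheme, "https", "wss"))
    if e == "*":
        return True
    if e.endswith(":") and "/" not in e:        # scheme-source such as "wss:"
        return url.scheme == e[:-1]
    pattern = urlsplit(e if "://" in e else "//" + e)
    if pattern.scheme and pattern.scheme != url.scheme:   # exact scheme match (simplification)
        return False
    if not _host_matches(pattern.hostname or "", url.hostname or ""):
        return False
    return pattern.port is None or pattern.port == _port(url)


def websocket_allowed(header: str, ws_url: str, page_origin: str) -> bool:
    """True if the policy permits a WebSocket from page_origin to ws_url."""
    policy = parse_csp(header)
    sources = policy.get("connect-src")
    if sources is None:
        sources = policy.get("default-src")     # connect-src falls back to default-src
    if sources is None:
        return True                             # nothing governs connections
    url, page = urlsplit(ws_url), urlsplit(page_origin)
    return any(_source_matches(s, url, page) for s in sources)


def audit_connect_src(header: str) -> List[str]:
    """Flag settings that would let an injected script open a connection to any host."""
    policy = parse_csp(header)
    findings: List[str] = []
    sources = policy.get("connect-src")
    if sources is None:
        findings.append("no connect-src; falls back to default-src" if "default-src" in policy
                        else "no connect-src or default-src: connections to any host allowed")
        sources = policy.get("default-src", [])
    for s in sources:
        if s == "*" or s.lower() in ("wss:", "ws:", "https:", "http:"):
            findings.append(f"{s} in effect for connect-src: any host may receive data")
    return findings


if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, "allows wss://exfil.example:",
              websocket_allowed(csp, "wss://exfil.example/ws", "https://shop.example"),
              audit_connect_src(csp))
```

Note that `connect-src` only closes the WebSocket and fetch channels; the fake checkout form the post describes can still submit elsewhere unless `form-action` is restricted as well, and a GTM container that is allowed by `script-src` can still inject the skimmer itself. The value of the check is in catching `*` or bare `wss:` in the effective `connect-src` before a skimmer gets to use it.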