Olivia
Online
Askar
@askardyuss
An independent malware researcher from Kazakhstan
Kazakhstan
Joined September 2019
157 Following
139 Followers
76 Posts
Password-protecting the archive is a deliberate tactic to bypass email gateway sandboxes and automated scanners. This infrastructure compromise indicates a highly targeted initial access attempt.
Extracted IoCs for Threat Hunting:
π C2/Redirector Domain: "vnixrbuaxdnl8mpf0iodonfcjmmrcple.envio1313[.]ink"
π¦ Archive: "E57893_PROCESO JUDICIAL_395611.zip"
π Payload: "PROCESO JUDICIAL_395611_E57893.vbs"
π VBS MD5: "500F3E6D876E9DEE17797E54B07FCD0F"
π§ Compromised Source: "[email protected]"
Highly recommend Colombian public sector organizations and Latin American blue teams to cross-check telemetry for these indicators.
#ThreatIntelligence #MalwareAnalysis #APT #BlueTeam #DFIR #CTI
![askardyuss's tweet photo. Password-protecting the archive is a deliberate tactic to bypass email gateway sandboxes and automated scanners. This infrastructure compromise indicates a highly targeted initial access attempt.
Extracted IoCs for Threat Hunting:
π C2/Redirector Domain: "vnixrbuaxdnl8mpf0iodonfcjmmrcple.envio1313[.]ink"
π¦ Archive: "E57893_PROCESO JUDICIAL_395611.zip"
π Payload: "PROCESO JUDICIAL_395611_E57893.vbs"
π VBS MD5: "500F3E6D876E9DEE17797E54B07FCD0F"
π§ Compromised Source: "alcaldia@luruaco-atlantico.gov.co"
Highly recommend Colombian public sector organizations and Latin American blue teams to cross-check telemetry for these indicators.
#ThreatIntelligence #MalwareAnalysis #APT #BlueTeam #DFIR #CTI](https://pbs.twimg.com/media/HJ6qaMQWUAA4mKC.png)
π¨ Major Spear-Phishing campaign targeting Colombia's Presidential Administration infrastructure!
Attackers compromised a legitimate government mailbox "[email protected]" to send high-urgency lures mimicking the Office of the Vice-Fiscal General.
The Attack Chain:
1οΈβ£ Legitimate Facade: Email passes DKIM/ARC as it originates from a hacked official "https://t.co/wGq8Clw3t5" account.
2οΈβ£ Lure: Image in body redirects to a malicious redirector domain ("envio1313[.]ink") carrying target-specific tracking parameters.
3οΈβ£ Payload: Downloads a password-protected ZIP containing a malicious VBScript masquerading as a legal notification ("PROCESO JUDICIAL").
(1/2) π
@infopresidencia @CSIRTPONAL
#ThreatIntelligence #MalwareAnalysis #APT #BlueTeam #DFIR #CTI
![askardyuss's tweet photo. π¨ Major Spear-Phishing campaign targeting Colombia's Presidential Administration infrastructure!
Attackers compromised a legitimate government mailbox "alcaldia@luruaco-atlantico.gov.co" to send high-urgency lures mimicking the Office of the Vice-Fiscal General.
The Attack Chain:
1οΈβ£ Legitimate Facade: Email passes DKIM/ARC as it originates from a hacked official "https://t.co/wGq8Clw3t5" account.
2οΈβ£ Lure: Image in body redirects to a malicious redirector domain ("envio1313[.]ink") carrying target-specific tracking parameters.
3οΈβ£ Payload: Downloads a password-protected ZIP containing a malicious VBScript masquerading as a legal notification ("PROCESO JUDICIAL").
(1/2) π
@infopresidencia @CSIRTPONAL
#ThreatIntelligence #MalwareAnalysis #APT #BlueTeam #DFIR #CTI](https://pbs.twimg.com/media/HJ6qZcOWYAAfNJy.jpg)
Key Findings:
πΉ Delivery: Adversary uses a highly convincing spoofed domain "us06web[.]zoom[.]anpmech[.]com"
πΉ Format: CFBF with Atera Agent PE32 embedded.
πΉ Impact: Installs a legitimate RMM agent silently configured to grant an access via trusted cloud C2.
Extracted IoCs for your SIEM/EDR/NGFW:
π Download URL: "us06web[.]zoom[.]anpmech[.]com"
π¦ Fake Zoom MSI MD5: "F329763D3254EDDE9091ECEF23656CBD"
π Attacker Account ID: "k9sP5CVbR1NKi6BUvQcSxtTcZXUsPXQoMR8wQYW0Pr8="
#MalwareAnalysis #ThreatIntelligence #CTI #BlueTeam #DFIR
![askardyuss's tweet photo. Key Findings:
πΉ Delivery: Adversary uses a highly convincing spoofed domain "us06web[.]zoom[.]anpmech[.]com"
πΉ Format: CFBF with Atera Agent PE32 embedded.
πΉ Impact: Installs a legitimate RMM agent silently configured to grant an access via trusted cloud C2.
Extracted IoCs for your SIEM/EDR/NGFW:
π Download URL: "us06web[.]zoom[.]anpmech[.]com"
π¦ Fake Zoom MSI MD5: "F329763D3254EDDE9091ECEF23656CBD"
π Attacker Account ID: "k9sP5CVbR1NKi6BUvQcSxtTcZXUsPXQoMR8wQYW0Pr8="
#MalwareAnalysis #ThreatIntelligence #CTI #BlueTeam #DFIR](https://pbs.twimg.com/media/HJ6d7SXXgAAkNAb.png)
π¨ Malicious misdirection campaign spotted masquerading as Zoom!
Discovered an another fake "ZoomInstaller.msi" signed with a valid Atera Networks Ltd cert. Attackers continue to abuse @AteraCloud RMM infrastructure for Living-off-the-Land (LotL) persistence and defense evasion.
π₯ Current VT Detection: 0/60+ (Fully Undetected)
(1/2) π
#MalwareAnalysis #ThreatIntelligence #CTI #BlueTeam #DFIR
TA416 (#MustangPanda) continues to target Mongolia π²π³ with cyber espionage activity.
They are deploying #PlugX via a multi-stage SVG smuggling technique. The initial SVG contains heavily obfuscated layers that eventually trigger "ZIP smuggling" to drop the malicious archive.
The SVG payload was completely FUD (0/61 on VirusTotal).
IOCs:
πΉ SVG MD5: df78df95a79f3f764a6da9638624e4a0
πΉ ZIP MD5: 20063941491e5727cb2cbf824c656294 (previously noted by @smica83)
#ThreatIntel #MalwareAnalysis #APT
Spotted a new signed malware sample (MD5 E75C6D87CC5DC04B2F28DF3E6C6FB908) by APT-Q-27 (aka DragonBreath / Golden Eye Dog).
The obfuscated .NET executable was signed at 28.03.2026 and belongs to Taiyuan Yuansu E-commerce Co., Ltd (s/n 32a51e44b13f18e80c4c3d5f by @globalsign @GlobalSignAPAC). Payloads are stored at https[:]//storage.googleapis[.]com/uuupdat/us.txt, but this bucket is already taken down.
#ThreatIntel #MalwareAnalysis #APT
![askardyuss's tweet photo. Spotted a new signed malware sample (MD5 E75C6D87CC5DC04B2F28DF3E6C6FB908) by APT-Q-27 (aka DragonBreath / Golden Eye Dog).
The obfuscated .NET executable was signed at 28.03.2026 and belongs to Taiyuan Yuansu E-commerce Co., Ltd (s/n 32a51e44b13f18e80c4c3d5f by @globalsign @GlobalSignAPAC). Payloads are stored at https[:]//storage.googleapis[.]com/uuupdat/us.txt, but this bucket is already taken down.
#ThreatIntel #MalwareAnalysis #APT](https://pbs.twimg.com/media/HJZA1HpagAAtfwB.png)
π₯ Fresh APT-Q-27 (GoldenEyeDog) artifacts spotted! Both samples show revoked EV certs.
1οΈβ£ image2026052689685.exe (A9012A3DB01AE1336CD5B637A8668A5C)
Signed by: Xiamen Baoding Software Tech
Status: REVOKED by Sectigo (Issued Mar 23, 2026) π
2οΈβ£ Side-loading payload: crashreport.dll (639b0dd0fe4da3f4743de6347d7d58b7)
Signed by: LENOVO (UNITED STATES) INC. (Digital Trust Lab)
Status: REVOKED by DigiCert (Issued Apr 10, 2026) β οΈ
Payload and auxiliary tools are hosted on storage.googleapis[.]com.
Stay vigilant! π‘οΈ
#ThreatIntel #MalwareAnalysis #APT
![askardyuss's tweet photo. π₯ Fresh APT-Q-27 (GoldenEyeDog) artifacts spotted! Both samples show revoked EV certs.
1οΈβ£ image2026052689685.exe (A9012A3DB01AE1336CD5B637A8668A5C)
Signed by: Xiamen Baoding Software Tech
Status: REVOKED by Sectigo (Issued Mar 23, 2026) π
2οΈβ£ Side-loading payload: crashreport.dll (639b0dd0fe4da3f4743de6347d7d58b7)
Signed by: LENOVO (UNITED STATES) INC. (Digital Trust Lab)
Status: REVOKED by DigiCert (Issued Apr 10, 2026) β οΈ
Payload and auxiliary tools are hosted on storage.googleapis[.]com.
Stay vigilant! π‘οΈ
#ThreatIntel #MalwareAnalysis #APT](https://pbs.twimg.com/media/HJWHuR5aYAAzGfW.png)
Malicious RTF + CVE-2026-21509. Sample was seen at VT from Bangladesh.
MD5: CE372134D65709FD83596F411AF5F88B
C2: freefoodaid[.]com
![askardyuss's tweet photo. Malicious RTF + CVE-2026-21509. Sample was seen at VT from Bangladesh.
MD5: CE372134D65709FD83596F411AF5F88B
C2: freefoodaid[.]com https://t.co/pKwTJ1TXBf](https://pbs.twimg.com/media/HJHPFFdaIAAPDy3.png)
Same technique (VHDX + RLO + DLL sideloading) was used to execute the variant of malicious DLL (MD5 68088E5032370006560FF1035B3F2E72).
π¨ Here is an interesting archive masquerading as a German-Gulf order document (APT ???). Malware leverages an Right-to-Left Override trick combined with potential DLL sideloading.
Details below π
π¦ File: German-Gulf_MAY_Order_1PDF.rar
MD5: ca3612c9321ce9e3c9bc50c6ce11d96b
Inside the RAR is a .vhdx image containing two files:
1οΈβ£ German-Gulf_MAY_Order_1PDF[U+202E]fdp.exe (MD5: bf37f1af6dd56acfc41dbdf2714659df)
2οΈβ£ SspiCli.dll (MD5: 3cddb41e5919f64c0d969f0d5ba412d0)
The legitimate renamed executable and U+202E character are used to make the extension look like PDF to the user. The second file is a malicious payload.
Interestingly, SspiCli.dll is not listed in the imports of the executable. It strongly hints at a DLL sideloading/hijacking, possibly via runtime dynamic loading or a deeper OS dependency chain.. π€
#ThreatIntel #Malware #APT #DFIR
![askardyuss's tweet photo. π¨ Here is an interesting archive masquerading as a German-Gulf order document (APT ???). Malware leverages an Right-to-Left Override trick combined with potential DLL sideloading.
Details below π
π¦ File: German-Gulf_MAY_Order_1PDF.rar
MD5: ca3612c9321ce9e3c9bc50c6ce11d96b
Inside the RAR is a .vhdx image containing two files:
1οΈβ£ German-Gulf_MAY_Order_1PDF[U+202E]fdp.exe (MD5: bf37f1af6dd56acfc41dbdf2714659df)
2οΈβ£ SspiCli.dll (MD5: 3cddb41e5919f64c0d969f0d5ba412d0)
The legitimate renamed executable and U+202E character are used to make the extension look like PDF to the user. The second file is a malicious payload.
Interestingly, SspiCli.dll is not listed in the imports of the executable. It strongly hints at a DLL sideloading/hijacking, possibly via runtime dynamic loading or a deeper OS dependency chain.. π€
#ThreatIntel #Malware #APT #DFIR](https://pbs.twimg.com/media/HI1pnXtaYAEhZ7_.png)
π¨ Here is an interesting archive masquerading as a German-Gulf order document (APT ???). Malware leverages an Right-to-Left Override trick combined with potential DLL sideloading.
Details below π
π¦ File: German-Gulf_MAY_Order_1PDF.rar
MD5: ca3612c9321ce9e3c9bc50c6ce11d96b
Inside the RAR is a .vhdx image containing two files:
1οΈβ£ German-Gulf_MAY_Order_1PDF[U+202E]fdp.exe (MD5: bf37f1af6dd56acfc41dbdf2714659df)
2οΈβ£ SspiCli.dll (MD5: 3cddb41e5919f64c0d969f0d5ba412d0)
The legitimate renamed executable and U+202E character are used to make the extension look like PDF to the user. The second file is a malicious payload.
Interestingly, SspiCli.dll is not listed in the imports of the executable. It strongly hints at a DLL sideloading/hijacking, possibly via runtime dynamic loading or a deeper OS dependency chain.. π€
#ThreatIntel #Malware #APT #DFIR
It seems suspicious that the actor added a mention of "China" substring to the export catalog of the recent #LotusLite sample (#MustangPanda).
EF5B753E5A2118D18C5E809C3D159A35
@FarghlyMal @smica83
π¨ Alert: Potential cyberattack preparation against @tengrinewskz detected.
Yesterday (May 7), several typosquatting domains mimicking the original https://t.co/rDUTE8Qx2F were registered. These are likely intended for phishing newsroom staff or spreading disinformation/fake news.
The editorial team has been notified. π‘οΈ
Suspicious domains:
kaztengrinews[.]kz
tengtinews[.]kz
tengrines[.]kz
tenrginews[.]kz
tenginrews[.]kz
tengritavel[.]kz
entengrinews[.]kz
tegnrinews[.]kz
#CyberSecurity #Kazakhstan #Infosec #Tengrinews #Phishing
π¨ New Exfiltration Campaign: Unknown APT group observed using Bangladesh Armed Forces-themed lures to deploy a custom "Recovery Agent v7.0" stealer.
π Highlights:
β’ Multi-stage chain: RAR/ZIP -> BAT -> PS1
β’ Targets: Documents, Desktop, Recycle, etc.
β’ Features: GZip compression & persistent TCP connection
π VT uploads detected from πΉπ· Turkey and πΊπΈ USA.
#APT #ThreatIntel #MalwareAnalysis #CyberSecurity
β’ C2: 38.60.235[.]109:9876
β’ Folder: C:\RecoveryAgent
β’ MD5 (RAR): 5271eb3803e77c27e4b097fca455908e (CAS Bangaldesh Visit Details.rar)
β’ MD5 (BAT): 455DC932051989CE884F3C2259E82A3C (Bangladesh Air Force Procurement Details 2026.bat)
β’ MD5 (PS1): 436461E6CD64D3991DB51D367E751A08 (Passport.ps1)
β’ MD5 (PDF): 0A00F851EFD0B7712DD20EC8AACE6AED (4. Fwd of Inv and Prog of V-RMTC & T-RMN in Rome, Italy.pdf)
β’ Lure Author (Google Docs): gso2armynjtops[at]https://t.co/nJDdonwHc9 (Might be legit)
![askardyuss's tweet photo. π¨ New Exfiltration Campaign: Unknown APT group observed using Bangladesh Armed Forces-themed lures to deploy a custom "Recovery Agent v7.0" stealer.
π Highlights:
β’ Multi-stage chain: RAR/ZIP -> BAT -> PS1
β’ Targets: Documents, Desktop, Recycle, etc.
β’ Features: GZip compression & persistent TCP connection
π VT uploads detected from πΉπ· Turkey and πΊπΈ USA.
#APT #ThreatIntel #MalwareAnalysis #CyberSecurity
β’ C2: 38.60.235[.]109:9876
β’ Folder: C:\RecoveryAgent
β’ MD5 (RAR): 5271eb3803e77c27e4b097fca455908e (CAS Bangaldesh Visit Details.rar)
β’ MD5 (BAT): 455DC932051989CE884F3C2259E82A3C (Bangladesh Air Force Procurement Details 2026.bat)
β’ MD5 (PS1): 436461E6CD64D3991DB51D367E751A08 (Passport.ps1)
β’ MD5 (PDF): 0A00F851EFD0B7712DD20EC8AACE6AED (4. Fwd of Inv and Prog of V-RMTC & T-RMN in Rome, Italy.pdf)
β’ Lure Author (Google Docs): gso2armynjtops[at]https://t.co/nJDdonwHc9 (Might be legit)](https://pbs.twimg.com/media/HFeeEOqWoAEyteB.jpg)
@KasperSekrets @kaspersky @msftsecresponse What about TOO "Midori Trading", a cybersecurity startup from Kazakhstan?
@KasperSekrets @kaspersky @msftsecresponse Midori AV is a new player on endpoint security market with roots from Kazakhstan.. π
@frdfzi Each line might be colored for better effect..
Related registration data
β’ Names
- GUNDUS ERCAN GUNDUS
- Afanasev Andrei
β’ Emails
- oil_gaztet@mail[.]ru
- ramazanyesergepov@mail[.]ru
β’ Phone
- +7 926 302 4147
Additional phishing domains impersonating Kazakhstan-based fuel suppliers.
Amid Middle East tensions and rising oil prices, fuel buyers may be more vulnerable to panic-driven purchases.
#OSINT #Phishing #Kazakhstan #OilAndGas
Technical details are below..π
Phishing domains:
albanpetroleumgroupkz[.]kz
albanpetroleumgroup[.]kz
altaypetroleum[.]kz
altaypetroleumltd[.]kz
azia-oil[.]kz
bertys-terminal[.]kz
izumi-oil[.]kz
kubera-petroleum[.]kz
munaygorizont[.]kz
rau-petroleum[.]kz
sarzhaoil-terminal[.]kz
Trends for you
Most Popular Users
Elon Musk 
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.8M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.3M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.8M followers
Taylor Swift
@taylorswift13
80.6M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.4M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.5M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers