Olivia
Online
ErrantCyber
@ErrantCyber
Research | Identify | Disrupt
Malicious Cyber Activity
Joined September 2023
27 Following
31 Followers
31 Posts
#APT Earth Krahang group likely compromised the Thailand Secretariat of House of the Representative in early April 2024.
C2: 23.106.122[.]5
@Thenationth @MFAThai
Appears that @Sisense is experiencing a significant security event.
Initial reports that both customer data and additional downstream customers may be impacted. Anticipate creds for Fortune 500 and G2K companies may be exposed.
@BBCBreaking @Reuters
APT #Sidewinder #India #Myanmar
Late Jan - Early Feb
C2: 103.199.16[.]60
Domain: myanmar-gov-mm.direct888[.]com
Great Find - if this was #APT 41, this sample was used to target Taiwan's Ministry of Foreign Affairs in late December
#Taiwanelection #China
#CobaltStrike #Malware 🤔
998c18cef6f79bab58b78b390a518c3a7c8e48da37b0953e72cbe04c1287d85d
7Z -> LNK -> JS -> CAB -> EXE and decoy PPT
"Sina-Africa_relations"
C2: www.cybereason[.xyz
@malwrhunterteam @1ZRR4H
#CobaltStrike #Malware 🤔
998c18cef6f79bab58b78b390a518c3a7c8e48da37b0953e72cbe04c1287d85d
7Z -> LNK -> JS -> CAB -> EXE and decoy PPT
"Sina-Africa_relations"
C2: www.cybereason[.xyz
@malwrhunterteam @1ZRR4H
@Cuser07 @malwrhunterteam @1ZRR4H Great find - sample used in a campaign targeting the Taiwan Ministry of Foreign Affairs.
#APT
Roshan Telco likely compromised by Chinese APT.
Outbound traffic daily throughout November 2023: 203.174.27[.]8 -> 178.128.55[.]84
@unafghanistan @ReutersPakistan
![ErrantCyber's tweet photo. #APT
Roshan Telco likely compromised by Chinese APT.
Outbound traffic daily throughout November 2023: 203.174.27[.]8 -> 178.128.55[.]84
@unafghanistan @ReutersPakistan https://t.co/IRcBUFThyz](https://pbs.twimg.com/media/GCSvifiWoAA5qBZ.jpg)
#SouthAfrica #APT15
Malicious C2: 38.54.63[.]120 adfcloud[.]org
Victim: South Africa Office of the President (164.151.130[.]90) seen beaconing continuously throughout November 2023. Network compromised.
@SATodayNews
@DailyMaverick
@PresidencyZA
![ErrantCyber's tweet photo. #SouthAfrica #APT15
Malicious C2: 38.54.63[.]120 adfcloud[.]org
Victim: South Africa Office of the President (164.151.130[.]90) seen beaconing continuously throughout November 2023. Network compromised.
@SATodayNews
@DailyMaverick
@PresidencyZA https://t.co/YULhP3cKKZ](https://pbs.twimg.com/media/GAMAT_nWgAAXVnK.png)
#APT
Russian Ministry of Foreign Affairs beaconing to Chinese APT Infra daily throughout October 2023
2.63.170[.]75 -> 38.54.85[.]35
#APT #MustangPanda
e79180380997a855c8d19be02d035b7f
C2: ivibers[.]com & meetvibersapi[.]com
Date: Sep 23, 2023
Likely targeted Taiwan
Decoy Document: PDF discussing Terry Gou campaign for Taiwan Presidency.
#china #APT
9/26/23
167.99.72[.]117 -> ftp1.nrsc[.]gov[.]in
Pulling data out of India's National Remote Sensing Center.
@the_hindu @IndianExpress
It's a good thing that governments and global 2k companies removed all Solarwinds software from their environments after Russia compromised 18,000 customers in 2020...... oh wait...
Critical RCE flaws found in SolarWinds access audit solution - @billtoulas
https://t.co/Drn6YxHwu0
https://t.co/Drn6YxHwu0
Worth highlighting that Okta discovered this only because Beyond Trust reported to them that someone was trying to hack BT using a session cookie stolen from Okta - Okta didn't believe BT, and it took them two weeks to confirm that, yes ,they had been breached
@KimZetter Zing...
1b97637fd83abfb7ecab040a4cda2d52
config: https://t.co/0TnVaPldsf
@deloitte buys #BruteRatel...
helps fund development...
#BRc4 is sold to Ransomware & APT actors
Deloitte then bills victims for Incident Response...
#BruteRatel #BRc4
C2 IP Address: 161.35.73.220
Beaconing originating from:
185.24.155[.]148
vpn.trigano[.]fr
(9/1/23-9/26/23)
French Leisure Equipment Manufacturer
@lemondefr @FRANCE24
![ErrantCyber's tweet photo. #BruteRatel #BRc4
C2 IP Address: 161.35.73.220
Beaconing originating from:
185.24.155[.]148
vpn.trigano[.]fr
(9/1/23-9/26/23)
French Leisure Equipment Manufacturer
@lemondefr @FRANCE24 https://t.co/erqJfujOZp](https://pbs.twimg.com/media/F7ShgzfXAAE2h-s.jpg)
#BruteRatel #BRc4
Malware used by:
-Pentesters
-Ransomware Actors
-APTs
Default infra certs impersonate @Microsoft
#BRc4 Sales/Training/Support hosted on @awscloud
3.110.200[.]137
@amazon Ethics?
Last Seen Users on Sotwe
Most Popular Users
Elon Musk 
@elonmusk
240.3M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.6M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.4M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.7M followers
KATY PERRY
@katyperry
87.1M followers
Taylor Swift
@taylorswift13
81M followers
Lady Gaga
@ladygaga
72.5M followers
Kim Kardashian
@kimkardashian
69.5M followers
Virat Kohli
@imvkohli
69.1M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.6M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.7M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.2M followers