![johnk3r's tweet photo. #Mosquito resurgence — updated downloader, C2 shifted to WebSocket, but reuse of UAC & PDB quirks aids attribution.
Targets: ~40 orgs in BR & US.
IoCs:
mku9j[.]com
bdeunlock[.]exe
Ref.: https://t.co/cbR2EGG1SV
#Fraud #Banker https://t.co/eZ8ADoNWyD](https://pbs.twimg.com/media/G1IczhzW4AA_C8b.jpg)
![johnk3r's tweet photo. #Mosquito resurgence — updated downloader, C2 shifted to WebSocket, but reuse of UAC & PDB quirks aids attribution.
Targets: ~40 orgs in BR & US.
IoCs:
mku9j[.]com
bdeunlock[.]exe
Ref.: https://t.co/cbR2EGG1SV
#Fraud #Banker https://t.co/eZ8ADoNWyD](https://pbs.twimg.com/media/G1IczfPW0AAGqSM.jpg)
![johnk3r's tweet photo. #Mosquito resurgence — updated downloader, C2 shifted to WebSocket, but reuse of UAC & PDB quirks aids attribution.
Targets: ~40 orgs in BR & US.
IoCs:
mku9j[.]com
bdeunlock[.]exe
Ref.: https://t.co/cbR2EGG1SV
#Fraud #Banker https://t.co/eZ8ADoNWyD](https://pbs.twimg.com/media/G1IczefXEAAUeNl.jpg)
![johnk3r's tweet photo. #Mosquito resurgence — updated downloader, C2 shifted to WebSocket, but reuse of UAC & PDB quirks aids attribution.
Targets: ~40 orgs in BR & US.
IoCs:
mku9j[.]com
bdeunlock[.]exe
Ref.: https://t.co/cbR2EGG1SV
#Fraud #Banker https://t.co/eZ8ADoNWyD](https://pbs.twimg.com/media/G1IczedX0AAMW2u.jpg)
![JAMESWT_WT's tweet photo. #booking spam spread #Vidar #Stealer
EML>LNK>Zip Pw 501949 > Scr
❇️Samples
https://t.co/AZWGbdpgjr
⚠️Url
https://t.co/r1QOB5Aq1K
⏬AnyRun
https://t.co/Yo6i633Eit
🎯C2
https://t.]me/s4p0g
https://65.108.57.]141:9000 https://t.co/NEOOSlmQLT](https://pbs.twimg.com/media/GAjt-mxWgAAPXFW.jpg)
![JAMESWT_WT's tweet photo. #booking spam spread #Vidar #Stealer
EML>LNK>Zip Pw 501949 > Scr
❇️Samples
https://t.co/AZWGbdpgjr
⚠️Url
https://t.co/r1QOB5Aq1K
⏬AnyRun
https://t.co/Yo6i633Eit
🎯C2
https://t.]me/s4p0g
https://65.108.57.]141:9000 https://t.co/NEOOSlmQLT](https://pbs.twimg.com/media/GAjt-EtWEAALAir.jpg)
![JAMESWT_WT's tweet photo. #booking spam spread #Vidar #Stealer
EML>LNK>Zip Pw 501949 > Scr
❇️Samples
https://t.co/AZWGbdpgjr
⚠️Url
https://t.co/r1QOB5Aq1K
⏬AnyRun
https://t.co/Yo6i633Eit
🎯C2
https://t.]me/s4p0g
https://65.108.57.]141:9000 https://t.co/NEOOSlmQLT](https://pbs.twimg.com/media/GAjt3DQW4AA7Tpi.jpg)
![JAMESWT_WT's tweet photo. #booking spam spread #Vidar #Stealer
EML>LNK>Zip Pw 501949 > Scr
❇️Samples
https://t.co/AZWGbdpgjr
⚠️Url
https://t.co/r1QOB5Aq1K
⏬AnyRun
https://t.co/Yo6i633Eit
🎯C2
https://t.]me/s4p0g
https://65.108.57.]141:9000 https://t.co/NEOOSlmQLT](https://pbs.twimg.com/media/GAjtzNHWQAAOUnL.png)
Olivia
Online
Gerco
@gerco_
🏴☠️Cyber Threat Intelligence 🏴☠️ | 💻 Engineer UNAM
SciFi section
Joined October 2011
475 Following
176 Followers
3.9K Posts
🚨 CYBER INTELLIGENCE ALERT: HIGH-LEVEL ACCESS (SMTP) FOR SALE — BRAZIL 🇧🇷
💥 CRITICAL THREAT: ACTOR SELLING ACCESS TO EMAIL SERVER OF A PROMINENT BRAZILIAN BANK
[STATUS: THREAT UNDER INVESTIGATION / INITIAL ACCESS EXPOSED / RISK OF FINANCIAL FRAUD / ACTIVELY MONITORING, UNCONFIRMED]
A threat actor identifying himself as STA-6 has announced on underground cybercrime forums the successful intrusion and operational control of the SMTP (Simple Mail Transfer Protocol) server of a high-profile banking corporation in Brazil.
The compromise, executed in early May 2026, is being actively sold on the black market. This access allows users to bypass corporate verification mechanisms, enabling potential buyers to spoof any email address under the bank's legitimate domain.
🏢 Affected Entity: Renowned Brazilian Banking Institution (Specific domain name withheld / Exposed address)
👤 Threat Actor: STA-6
⚔️ Attack Vector: Mail Infrastructure Hijacking / Permissive SMTP Relay Configuration (SMTP Open Relay or compromised credentials).
⚠️ CRITICAL RISK ANALYSIS AND THREAT SCOPE
Malicious control over a banking entity's SMTP server represents one of the most dangerous vectors for corporate identity spoofing and targeted financial fraud:
📈 Mass Banking Phishing Campaigns (Spoofing): Purchasers of this access can leverage the bank's clean IP reputation with global anti-spam engines to flood the inboxes of millions of customers with fraudulent emails (e.g., account lockout alerts, security token updates), achieving extremely high open and success rates.
🛡️ TECHNICAL RECOMMENDATIONS AND PREVENTIVE MITIGATION
🛑 Urgent Audit of SMTP Send Connectors: Banking institutions in Brazil are urged to immediately review their mail server configurations (Exchange, Postfix, Sendmail) to identify Open Relay anomalies or the unauthorized use of application connectors via compromised credentials.
🔒 Service Credential Blocking and Rotation: Identify all accounts with bulk sending permissions (such as nao_responda@...) used for automated transaction notifications; enforce immediate password rotation for APIs; and enable strict IP range restrictions for authorized sending sources.
📊 MONITORING AND ASSESSMENT
Intelligence System: https://t.co/wk9bZJ3laQ
Quickly assess your website's security with:
https://t.co/QZhWp0ldhm
#CyberSecurity #Brazil #STA6 #SMTPServer #InitialAccess #BankingFraud #Spoofing #SpearPhishing #ThreatIntelligence #CyberAlert #VECERT #Infosec #UnverifiedBreach
![VECERTRadar's tweet photo. 🚨 CYBER INTELLIGENCE ALERT: HIGH-LEVEL ACCESS (SMTP) FOR SALE — BRAZIL 🇧🇷
💥 CRITICAL THREAT: ACTOR SELLING ACCESS TO EMAIL SERVER OF A PROMINENT BRAZILIAN BANK
[STATUS: THREAT UNDER INVESTIGATION / INITIAL ACCESS EXPOSED / RISK OF FINANCIAL FRAUD / ACTIVELY MONITORING, UNCONFIRMED]
A threat actor identifying himself as STA-6 has announced on underground cybercrime forums the successful intrusion and operational control of the SMTP (Simple Mail Transfer Protocol) server of a high-profile banking corporation in Brazil.
The compromise, executed in early May 2026, is being actively sold on the black market. This access allows users to bypass corporate verification mechanisms, enabling potential buyers to spoof any email address under the bank's legitimate domain.
🏢 Affected Entity: Renowned Brazilian Banking Institution (Specific domain name withheld / Exposed address)
👤 Threat Actor: STA-6
⚔️ Attack Vector: Mail Infrastructure Hijacking / Permissive SMTP Relay Configuration (SMTP Open Relay or compromised credentials).
⚠️ CRITICAL RISK ANALYSIS AND THREAT SCOPE
Malicious control over a banking entity's SMTP server represents one of the most dangerous vectors for corporate identity spoofing and targeted financial fraud:
📈 Mass Banking Phishing Campaigns (Spoofing): Purchasers of this access can leverage the bank's clean IP reputation with global anti-spam engines to flood the inboxes of millions of customers with fraudulent emails (e.g., account lockout alerts, security token updates), achieving extremely high open and success rates.
🛡️ TECHNICAL RECOMMENDATIONS AND PREVENTIVE MITIGATION
🛑 Urgent Audit of SMTP Send Connectors: Banking institutions in Brazil are urged to immediately review their mail server configurations (Exchange, Postfix, Sendmail) to identify Open Relay anomalies or the unauthorized use of application connectors via compromised credentials.
🔒 Service Credential Blocking and Rotation: Identify all accounts with bulk sending permissions (such as nao_responda@...) used for automated transaction notifications; enforce immediate password rotation for APIs; and enable strict IP range restrictions for authorized sending sources.
📊 MONITORING AND ASSESSMENT
Intelligence System: https://t.co/wk9bZJ3laQ
Quickly assess your website's security with:
https://t.co/QZhWp0ldhm
#CyberSecurity #Brazil #STA6 #SMTPServer #InitialAccess #BankingFraud #Spoofing #SpearPhishing #ThreatIntelligence #CyberAlert #VECERT #Infosec #UnverifiedBreach](https://pbs.twimg.com/media/HI44oWGWEAAemSb.jpg)
Hace muchos años, un viejo político me dijo: "cuando veas largas filas en las elecciones, es porque van a votar en contra del gobierno".
Cada vez estamos más cerca del inicio de PumaHat Cybersecurity Week 2023. 👀
Conoce a nuestros ponentes y charlas que tendremos este jueves 30 de noviembre en el auditorio Javier Barros Sierra, Facultad de Ingeniería, CU.
#BunnyLoader is Back! 35 stealer logs of victims in C2 so far...
#malware #Infostealer
IOC (MD5): f00766545f4f322f4afba40ce9dc53fa
¡Te invitamos a participar en PumaHat Cybersecurity Week 2023! Del 27 de noviembre al 1 de diciembre, te ofrecemos una semana llena de aprendizaje en seguridad informática. Explorarás diferentes áreas a través de nuestros talleres y conferencias.
https://t.co/pgdQipFjI5
¡Esta es una de nuestras más recientes investigaciones! Grupo cibernético mexicano Fenix ataca contribuyentes en México y Chile, clonando portales fiscales oficiales para robar datos. #Ocelot
🇲🇽 Al día de hoy se han identificado 2 grupos de cibercriminales mexicanos:
- Neo_Net: Robo de dinero a través de aplicaciones bancarias falsas
- Fenix: Crean sitios apócrifos del @SATMX en los que el usuario descarga un archivo que infecta su equipo
https://t.co/AzYL7HLdDZ
JAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJAJA
¡#HackDef7 la competencia más emocionante tipo Capture the Flag (CTF)! Aún estás a tiempo de unirte, ¡las inscripciones cierran el 15 de julio de 2023! Prepárate para desafiar tus habilidades y convertirte en un auténtico #ethicalhacker. ¡Inscríbete aquí! https://t.co/m3wmyP7kL7
Un grupo de cibercriminales de "reciente creación" llamado "Fenix", es el responsable de algunos de los correos y sitios apócrifos del SAT, Citas de Pasaportes, CURP, REPUVE
Su objetivo es que los usuarios visiten esos sitios, descarguen e instalen una "herramienta de seguridad"
Our team #ocelot has discovered #ATMmalwares such as #Ploutus and #FiXS and keeps monitoring these evolving and new threats. Want to learn latest ATM attacks used by real hackers in the wild? Join @Danuxx and @chucho_domz at @BlackHatEvents #BHUSA https://t.co/Qk6JHVRtvy
Ya comenzó la Semana de Ciberseguridad, un evento del CybersecurityHub del TEC de MTY. El 22 de marzo 11 am daré una charla sobre FiXS, el malware para ATM que recientemente hemos descubierto en Ocelot Threat Intelligence.
Más acerca de FiXS:
https://t.co/qgzlgOreig
Más info:
Te invitamos a la Semana de #Ciberseguridad. 💻🔐
🗓️ Del 21 al 24 de marzo.
📍@TECcampusMTY @TECcampusGDL @Tec_CCM @ITESMCEM @Tec_CSF
➡ Regístrate: https://t.co/W4He7Iep1Y
#YoIngenio🦾💙🧠
🏴☠️ El @FBI anunció el arresto de uno de los principales administradores del Foro Underground más “famoso”, en el que han filtrado y vendido cientos de miles de datos robados de empresas y gobiernos 🇲🇽🇨🇴🇨🇦🇻🇪🇦🇷🇨🇱
Es el segundo administrador arrestado por el FBI
El equipo #threatintell Ocelot obtuvo lista parcial de 90,000 credenciales comprometidas usadas en websites en MX, Chile y Perú. Nuestros clientes ya pueden reproducir este ataque en su infraestructura con #APTSimulation. Lee el blog completo aquí: https://t.co/a9IBMdv1sL
Watch as Brendan Fraser wins Best Actor at the #Oscars
Last Seen Users on Sotwe
Most Popular Users
Elon Musk 
@elonmusk
240.4M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.9M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.5M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.8M followers
KATY PERRY
@katyperry
87.3M followers
Taylor Swift
@taylorswift13
81.1M followers
Lady Gaga
@ladygaga
72.7M followers
Kim Kardashian
@kimkardashian
69.6M followers
Virat Kohli
@imvkohli
69.4M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.7M followers
The Ellen Show
@theellenshow
62.5M followers
Neymar Jr
@neymarjr
62M followers
CNN
@cnn
61.9M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.4M followers