Top Tweets for #Sendspace
Okay.. this #malware actor's efforts continue. New #email malvertisement w/domain robinrodriguez[.]info via spambot at 161[.]248.238.122 at same AS150895/EZ TECHNOLOGY in #Vietnam, w/same payload "Protected .py" saved in #sendspace camouflaged in a zipped python windows pkg. The evil docx is now using new obfuscated JS loader to exec encoded powershell downloader, triggered by same cve #EQUEDIT exploit. It aims signature evasion, with same infection #backdoor motivation.
See attached pictures for better understanding. Block that sendspace url & final #stager hashes.
docx: https://t.co/lYvysb3DY6
js: https://t.co/rHiUVimunK
#MalwareMustDie!
![malwaremustdie's tweet photo](https://pbs.twimg.com/media/HERoRN6agAAOoxE.png)
Okay, listen up. THIS (see prev thread) #malware campaign is on-going, even now. Adversaries are in control of these .INFO domains:
crystalogletree[.]info, coraliereinger[.]info and kevinsaad[.]info, which they are spreading infection campaign relayed from various IP MTA located in this subnet 160[.]250.128.0/23 at AS150895/EZ TECHNOLOGY CO LTD. I attached email they used for the infection.
Chains infection:
docx -> rtf -> xml obj #cve-2017-118822 load shellcode to decrypt & load another shellcode to execute malicious script in rtf (there are license.vbs/.js/Client.vbs) that downloads python312x86()zip contains evil Protected(py) to be persistence installed & executed, or execute a DLL binary of "license(.)ini" to be injected into process.
That evil python is lastly served at sendspace(.)com/pro/dl/5qcr3i
So all of scripts used & binary will be heavily obfuscated. They tried hard to evade all checks and aiming unpatched #EQEDIT on older #msoffice app.
The above #IOC and #CTI info should be their #TTP so use information above to #block ur network in any way you can.
Just saying, in a glimpse, it seems like adaptation of previously known as #hancitor docx campaign added w/ AI steroid. No, this isn't emotet, and no this is not Heodo/Geodo but could be the copycat.
#MalwareMustDie!!
![malwaremustdie's tweet photo](https://pbs.twimg.com/media/HDNS_7IbQAY7Jrp.jpg)
#BoldAndTheBeautiful #SendSpace
I just wanted to say I really enjoyed talking with everyone today regarding the show as well as the past and future!! It is excellent to hear other people’s perspective and escape reality a little more!
https://t.co/i0hHtuewlE
We pride ourselves on the outcomes of all of our SEN projects including the classroom block we built at the Hundred of Hoo Academy.
To find out more about this project visit us online: https://t.co/l5EaYynEgL
#sen #send #education #school #newbuild #timberframe #sendspace

Due to @DspaceSen maintenance BS the archived show from Wednesday is not up yet - I tried at 10:30 PM- waited like they said and tried at 4 AM - still Maintenance Bill Crap- get it together #SendSpace @kenthomson87

☣ #Redline Stealer pushed by #SendSpace or #MediaFire links, uploaded from UK🇬🇧
Discord Nitro Generator + Checker 3.0.exe
95[.]215[.]207[.]185:64399
0a5856af65f2da2a1c5098cc638799dc
Discord Gen.exe
185[.]241[.]54[.]128:47729
8bad491fd5bd7142871b1815c24305bc
![BushidoToken's tweet photo](https://pbs.twimg.com/media/E7AtC3BXEAQ2FAd.png)
Listen to @DjThwennyEight ft @Tlhali_X10 - Ngifuna Uthando
#SoundCloud
https://t.co/djEqV7NZDF
#Sendspace
https://t.co/5FK709rPWd
#05HipHopUpdates
*New Mix Alert*🚨
*BYO Memes 100K Appreciation Mix Mixed By Kotwane Hikwa*
DL Links :
#SoundCloud
https://t.co/rwcXKb0TlX
#Sendspace
https://t.co/qkg2zi37Ab
Enjoy & Please Share.🌍
Socials👇🏽
IG : https://t.co/ocNVl7CrOT
TW : https://t.co/q5V45iuJu1

*New Mix Alert*🚨
BYO Memes 100K Appreciation Mix Mixed By Kotwane Hikwa
DL Links :
#SoundCloud
https://t.co/6ixbWS7HYv
#Sendspace
https://t.co/1oEFl4jy3a
Fb : https://t.co/amRIsHBW1f
IG : https://t.co/BifdFfvjzM
TW : https://t.co/9Dcb5mMgCw
WhatsApp : https://t.co/zASUiVMMog

Hi guys, please check out @PM_Project latest mixtape
"PM Project - What Is House - on Drums Radio (UK)Episode #83 (2020)"
Download links
#soundcloud https://t.co/QvF3NaUfWN
#sendspace https://t.co/uxLE9ybv2T
P.M Project - What Is House - on @DRUMSradio (UK)Episode #83 (2020)
Download links
#soundcloud https://t.co/yYFv13qFFP
#sendspace https://t.co/zimEJCQJOf #afrohouse #deephouse #stream #download

Stream and download #TwelveEP by @Khalibryce & @tyla_sxxl
#Soundcloud : https://t.co/0S4ShmAkDZ
#Audiomack : https://t.co/SP1FDdMFml
#Spotify : https://t.co/FFo2N9xmYy
#Sendspace : https://t.co/0hh6aHQ1wv
There is code that points to #Dropbox
The only option that is in CyDown
But it also sends to #sendspace
#Zyppyshare and countless sites where the debs get uploaded
File /Library/MobileSubstrate/DynamicLibraries/

I don't want to be a conspiracy theorist
But why will CyDown always try to verify and restore my purchased packages, uploading them 😅

Marshalart Entertainment Presents
Ma-ARE VBM_Darkest Minds EP
#Audiomack
https://t.co/JDpB0kuUI6
#SendSpace
https://t.co/C1MwiGtOMW
Marshalart Entertainment Presents
Dj Lax-Gqom Solid EP Part 2
#SoundCloud
https://t.co/5kayQq8sIb
#SendSpace
https://t.co/CBm8bBc4dM
Stimela - where did we go wrong
KINGDeetoy x @GeorgeLesley_ Remix
• #YouTube- https://t.co/qOJoYGv1ci
•#Wetransfer- https://t.co/WkFvHWRiMw
#sendspace - https://t.co/r4ZZb0dK8X
#AudioMack - https://t.co/opoOjsXL1f
...which is why the popular file-sharing company 'WeTransfer' has been banned
https://t.co/T7WPjLddw5
#WeTransfer #Sakal #FileTransfer #SendSpace #SakalNews #MarathiNews
🚨🚨📢Frank Ru- Remix Package
Frank Ru presents a 5 Track Remix Package for free download. available on #SoundCloud🔥🙏🏼🙇🏽♂️ & #Sendspace .
Streaming Link🔗
https://t.co/NY1IYtUoAa
Free Zip Download Link🔗
https://t.co/42mNAyNSbz
@willarmex @idinGorji @masonflint @CandidBeings

Download & Stream Mrs. Independent by @RikidySwizzSA x @tyla_sxxl x Zack
#Sendspace
https://t.co/ctkY8dmsWm
#Audiomack
https://t.co/QPNcYXjiZY
#SoundCloud
https://t.co/FDoyBb45oV
Stream & Download #imnotOK by @tyla_sxxl on #Audiomack, #SoundCloud & #Sendspace
https://t.co/jGKqnt94a5
https://t.co/EJRxWkklM8
https://t.co/Zc0DPd3SBk
Download & Stream #NoCap by @Khalibryce
#Sendspace :
https://t.co/f3mXpaOcMU
#Souncloud - https://t.co/I9cMSmpfb6
#Audiomack - https://t.co/bakFJIILPW
