Top Tweets for #SnakeKeyLogger
日本語のマルウェア付きメールが確認されています。
■日時
2026/02/27
■件名
請求書
■添付ファイル
注文.rar -> .exe
https://t.co/uIGuGvNWdF
https://t.co/5qjt8AtKgF
情報窃取マルウェア #VIPKeylogger (#SnakeKeylogger)

![skocherhan's tweet photo. hosting2[.]ro[.]hostsailor[.]com
#Formbook #SnakeKeylogger #VIPKeylogger https://t.co/k6t6LET4D4](https://pbs.twimg.com/media/HAYGUrMXQAAHH9N.jpg)
webmail[.]ki-lojaobrinquedos[.]com[.]br
#SnakeKeylogger
![skocherhan's tweet photo. webmail[.]ki-lojaobrinquedos[.]com[.]br
#SnakeKeylogger https://t.co/msVfi5nsaS](https://pbs.twimg.com/media/HAYDYF8WQAA62Ne.jpg)
#snakekeylogger at:
https://intesmak\.com/obitwo
c2: https://api.telegram\.org/bot8099843793:AAGeYKMLti1IpyT9o6bz7OtgdXF9md25uXA

📡New research #SnakeKeylogger | #404Keylogger evolution - One of the most ᵾꞥfamous #malware used by all kinds of #TA and #campaigns
⛓️ #Phishing | Fake link > Loader > Persistence > Load code > #Snake > Obtain info > #Telegram
🔎Full research: https://t.co/es70EHJYqB


日本語のマルウェア付きメールが確認されています。
■日時
2025/10/30
■件名
FW: Remittance Advice Swift Identifier UTRI : CustID (略)
■添付ファイル
S00010 UTR 11000 Swift 301025 pdf.z -> exe
https://t.co/5QhbLDl7lN
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
日本語マルウェアメールの接到を確認しています。
件名: FW: Remittance Advice Swift Identifier UTRI : CustID 56258XXXX_0075NSMT103I0020526
添付ファイル: S00010 UTR 11000 Swift 301025 pdf.z -> exe
MD5: 9d742de1427435bf6b989efca7a6609d
Sample: https://t.co/QTTNJL2uDV

"Firma questi documenti con una penna blu!"
👇
Protocol: smtp
webmail.ki-lojaobrinquedos.]com.]br
Username:
vendas@feiraodoscabelos.]com.]br
Email To:
nolimitforce@yandex.]com
👇
#snakekeylogger
👇
Samples
https://t.co/bqkjLrSGBP
AnyRUn
https://t.co/yoYCMD8hkm
![JAMESWT_WT's tweet photo. "Firma questi documenti con una penna blu!"
👇
Protocol: smtp
webmail.ki-lojaobrinquedos.]com.]br
Username:
vendas@feiraodoscabelos.]com.]br
Email To:
nolimitforce@yandex.]com
👇
#snakekeylogger
👇
Samples
https://t.co/bqkjLrSGBP
AnyRUn
https://t.co/yoYCMD8hkm https://t.co/fqKqctEOpZ](https://pbs.twimg.com/media/G3N3smeXgAArAuM.jpg)
🚨We are observing a new active #infostealer #SnakeKeylogger campaign. The threat is distributed via e-mails 📧 with sender aliases such as "CPA-Payment Files" impersonating CPAGlobal / @Clarivate.
The e-mails contain ISO or ZIP files containing malicious BAT script downloading and executing Powershell commands. Be careful if you spot similar e-mails.
IoCs:
1bf2e282e0b58814838af57c8792b6147eacedb3f954821b8eea3b79e1f77cb3 (ZIP in mail attachment)
fb17cc142e92edd5c683c3d53ff8e15f73c67b65df116827f92c9f81c672ec26 (ISO in mail attachment)
929fc6575e8ca6b7a657c784254693c4a343e0576bc64a8ba42eac5003796e68 (BAT downloader)
hxxp://fxa[.]sabitaxt[.]com/mc55tP.ps1 (PS script downloaded by BAT)
![GenThreatLabs's tweet photo. 🚨We are observing a new active #infostealer #SnakeKeylogger campaign. The threat is distributed via e-mails 📧 with sender aliases such as "CPA-Payment Files" impersonating CPAGlobal / @Clarivate.
The e-mails contain ISO or ZIP files containing malicious BAT script downloading and executing Powershell commands. Be careful if you spot similar e-mails.
IoCs:
1bf2e282e0b58814838af57c8792b6147eacedb3f954821b8eea3b79e1f77cb3 (ZIP in mail attachment)
fb17cc142e92edd5c683c3d53ff8e15f73c67b65df116827f92c9f81c672ec26 (ISO in mail attachment)
929fc6575e8ca6b7a657c784254693c4a343e0576bc64a8ba42eac5003796e68 (BAT downloader)
hxxp://fxa[.]sabitaxt[.]com/mc55tP.ps1 (PS script downloaded by BAT)](https://pbs.twimg.com/media/G20116qWcAAsyp7.jpg)
日本語のマルウェア付きメールが確認されています。
■日時
2025/09/24
■件名
見積依頼書 Q2509-00009
■添付ファイル
Q2509-00008[.]rar -> .exe
https://t.co/2pajAMYvfU
見積依頼書 Q2509-00008[.]zip -> .exe
https://t.co/XzRdSr9lh8
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
![bomccss's tweet photo. 日本語のマルウェア付きメールが確認されています。
■日時
2025/09/24
■件名
見積依頼書 Q2509-00009
■添付ファイル
Q2509-00008[.]rar -> .exe
https://t.co/2pajAMYvfU
見積依頼書 Q2509-00008[.]zip -> .exe
https://t.co/XzRdSr9lh8
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger ) https://t.co/tMJwiLbi56](https://pbs.twimg.com/media/G1mPWocaoAEHFWT.png)
日本語のマルウェア付きメールが確認されています。
■日時
2025/09/22
■件名
見積依頼書 Q2509-00009
■添付ファイル
Q2509-00009[.]zip -> .exe
https://t.co/2pajAMYvfU
マルウェア種別は未判定ですが、恐らくは情報窃取マルウェアの #SnakeKeylogger
日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼書 Q2509-00009
添付ファイル: Q2509-00009[.]zip -> exe
MD5: e709639bd0072c40bc3641405120a0c1
Sample: https://t.co/4OdJwfw030
![tdatwja's tweet photo. 日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼書 Q2509-00009
添付ファイル: Q2509-00009[.]zip -> exe
MD5: e709639bd0072c40bc3641405120a0c1
Sample: https://t.co/4OdJwfw030 https://t.co/socf3i6R8p](https://pbs.twimg.com/media/G1mFHqhbQAAb97n.png)
Been a while since I've seen a bundle:
https://t.co/9vZacXfHfL
#remcos #rat #snakekeylogger
https://api.telegram\.org/bot8344787963 on the #snakekeylogger
日本語のマルウェア付きメールが確認されています。
■日時
2025/09/08
■件名
注文書(西日本常盤商行
■添付ファイル
常盤注文書0687-080925[.]zip -> .exe
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
日本語マルウェアメールの接到を確認しています。
件名:注文書(西日本常盤商行
添付ファイル:常盤注文書https://t.co/lqXjTWMLeH→exe
MD5:753e00bc5ec44e7a62f5d89fd0f77022
C2: drive[.]google[.]com
→ mail[.]gunesmetal[.]net
→ api[.]telegram[.]org
Sample: https://t.co/LAx6WMX0WL
![tdatwja's tweet photo. 日本語マルウェアメールの接到を確認しています。
件名:注文書(西日本常盤商行
添付ファイル:常盤注文書https://t.co/lqXjTWMLeH→exe
MD5:753e00bc5ec44e7a62f5d89fd0f77022
C2: drive[.]google[.]com
→ mail[.]gunesmetal[.]net
→ api[.]telegram[.]org
Sample: https://t.co/LAx6WMX0WL https://t.co/1se1eAwSj4](https://pbs.twimg.com/media/G0TztTlbUAAxWtP.png)
日本語のマルウェア付きメールが確認されています。
■日時
2025/09/03
■件名
見積依頼
■添付ファイル
見積依頼 20250903_pdf.z -> exe
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
https://t.co/5Wmf5Iv5jW
日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼
添付ファイル: 見積依頼 20250903_pdf.z -> exe
MD5: 74f4cfe6ced8215a34c2edd23df9b4ab
C2: drive[.]google[.]com
-> mail[.]imzalimetal[.]com[.]tr
-> api[.]telegram[.]org
Sample: https://t.co/DPQBIufRnI
![tdatwja's tweet photo. 日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼
添付ファイル: 見積依頼 20250903_pdf.z -> exe
MD5: 74f4cfe6ced8215a34c2edd23df9b4ab
C2: drive[.]google[.]com
-> mail[.]imzalimetal[.]com[.]tr
-> api[.]telegram[.]org
Sample: https://t.co/DPQBIufRnI https://t.co/juUR2168NZ](https://pbs.twimg.com/media/Gz_VW_dbkAMn6b1.png)
日本語のマルウェア付きメールが確認されています。
■日時
2025/09/03
■件名
見積依頼
■添付ファイル
見積依頼09032025_pdf.r00 ->.exe
ダウンローダー #Guloader -> 情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
https://t.co/quWzveM59k
【2025/09/03】日本語で書かれたばらまき型攻撃メール(Guloader, VIP Keylogger)に関する注意喚起 https://t.co/yR1b4dDz1r
日本語のマルウェア付きメールが確認されています。
■日時
2025/09/02
■件名
見積依頼
■添付ファイル
見積依頼フォーム.zip ->.exe
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼
添付ファイル: 見積依頼フォーム.zip -> exe
MD5: d3048ffed5b3a53ea4527d07b0674a40
C2: drive[.]google[.]com
-> mail[.]imzalimetal[.]com[.]tr
-> api[.]telegram[.]org
Sample: https://t.co/efnHxEXBg7
![tdatwja's tweet photo. 日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼
添付ファイル: 見積依頼フォーム.zip -> exe
MD5: d3048ffed5b3a53ea4527d07b0674a40
C2: drive[.]google[.]com
-> mail[.]imzalimetal[.]com[.]tr
-> api[.]telegram[.]org
Sample: https://t.co/efnHxEXBg7 https://t.co/3yIT3JVl7A](https://pbs.twimg.com/media/Gz03G80aoAUBEVE.png)
From #compromised #email @HotelParleInt
#snakekeylogger👇
Protocol: smtp
Host:
⚠️mail.hotelparleinternational.]com
Username:
⚠️accounts@hotelparleinternational.]com
Email To:
⚠️newupdatedauglog@onionmail.]org
👇Collection Samples Tagged and Updated👇
https://t.co/w2AMLc1Fvc
![JAMESWT_WT's tweet photo. From #compromised #email @HotelParleInt
#snakekeylogger👇
Protocol: smtp
Host:
⚠️mail.hotelparleinternational.]com
Username:
⚠️accounts@hotelparleinternational.]com
Email To:
⚠️newupdatedauglog@onionmail.]org
👇Collection Samples Tagged and Updated👇
https://t.co/w2AMLc1Fvc https://t.co/orAhtBoQe4](https://pbs.twimg.com/media/GzlKkaSXgAAyw-X.jpg)
日本語のマルウェア付きメールが確認されています。
■日時
2025/08/29
■件名
見積依頼 20250829131540
■添付ファイル
見積依頼 20250829131540[.]zip ->.exe
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
https://t.co/DZ0FiPFKpS
日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼 20250829131540
添付ファイル: 見積依頼 20250829131540[.]zip
-> 見積依頼 20250829131540[.]exe
MD5: 2b9c922d2fc588de36dad106ce147457
C2: mail[.]imzalimetal[.]com[.]tr
Sample: https://t.co/X0viXsA1u6
![tdatwja's tweet photo. 日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼 20250829131540
添付ファイル: 見積依頼 20250829131540[.]zip
-> 見積依頼 20250829131540[.]exe
MD5: 2b9c922d2fc588de36dad106ce147457
C2: mail[.]imzalimetal[.]com[.]tr
Sample: https://t.co/X0viXsA1u6 https://t.co/ZLADgMbr6D](https://pbs.twimg.com/media/GzgXm4pawAAGDv4.png)
e9ec4a29ee8e1e68cf0bd3ff77e74dfd
ismail@senkar[.]com[.]tr
akuwork38@gmail[.]com
#SnakeKeylogger @TRCert
![skocherhan's tweet photo. e9ec4a29ee8e1e68cf0bd3ff77e74dfd
ismail@senkar[.]com[.]tr
akuwork38@gmail[.]com
#SnakeKeylogger @TRCert https://t.co/pbVt6AEDyv](https://pbs.twimg.com/media/GxyojEsWkAA_v26.png)
🚨 Control-Flow Flattening Obfuscated #JavaScript Drops #SnakeKeylogger.
The #malware uses layered obfuscation to hide execution logic and evade traditional detection.
⚠️ Our data shows banking is the most affected sector among our users, nearly matching all the other industries combined. As part of widespread #MaaS #phishing campaigns, Snake targets high-value industries including fintech, healthcare, and energy, making instant threat visibility and behavioral analysis essential.
🔗 Execution chain:
Obfuscated JS ➡️ ScriptRunner.exe ➡️ EXE ➡️ CMD ➡️ extrac32.exe ➡️ PING delay ➡️ Snake
The attack begins with a loader using control-flow flattening (#MITRE T1027.010) to obscure its logic behind nested while-loops and string shifts.
👾 The loader uses COM automation via WshShell3, avoiding direct #PowerShell or CMD calls and bypassing common detection rules.
❗️ Obfuscated CMD scripts include non-ASCII (Japanese) characters and environment variables like %…%, further complicating static and dynamic analysis.
Two CMD scripts are dropped into ProgramData to prepare the execution environment. This stage involves #LOLBAS abuse: legitimate DLLs are copied from SysWOW64 into “/Windows /” and Public directories. The operation is performed using extrac32.exe, known #LOLBin and JS script functionality. This combination helps bypass detection by imitating trusted system behavior.
📌 Persistence is established by creating a Run registry key pointing to a .url file containing the execution path.
🐍 Snake is launched after a short delay using a PING, staggering execution.
👨💻 See execution on a live system and download actionable report:
https://t.co/kqindb5Cgt
Explore #ANYRUN’s threat database to proactively hunt for similar threats and techniques and improve the precision and efficiency of your organization's security response:
🔹 https://t.co/bsiGkcJMMG
🔹 https://t.co/vEvZNcfklS
🔹 https://t.co/ceT9R4TNu3
🔹 https://t.co/krG9T5JK0a
#IOCs:
54fcf77b7b6ca66ea4a2719b3209f18409edea8e7e7514cf85dc6bcde0745403
ae53759b1047c267da1e068d1e14822d158e045c6a81e4bf114bd9981473abbd
efd8444c42d4388251d4bc477fb712986676bc1752f30c9ad89ded67462a59a0
dbe81bbd0c3f8cb44eb45cd4d3669bd72bf95003804328d8f02417c2df49c481
183e98cd972ec4e2ff66b9503559e188a040532464ee4f979f704aa5224f4976
reallyfreegeoip[.]org
104[.]21[.]96[.]1
https[:]//reallyfreegeoip[.]org/xml/78[.]88[.]249[.]143
registryValue: Iaakcppq.url
👨💻 Gain full visibility with #ANYRUN to make faster, smarter security decisions. #ExploreWithANYRUN
![anyrun_app's tweet photo. 🚨 Control-Flow Flattening Obfuscated #JavaScript Drops #SnakeKeylogger.
The #malware uses layered obfuscation to hide execution logic and evade traditional detection.
⚠️ Our data shows banking is the most affected sector among our users, nearly matching all the other industries combined. As part of widespread #MaaS #phishing campaigns, Snake targets high-value industries including fintech, healthcare, and energy, making instant threat visibility and behavioral analysis essential.
🔗 Execution chain:
Obfuscated JS ➡️ ScriptRunner.exe ➡️ EXE ➡️ CMD ➡️ extrac32.exe ➡️ PING delay ➡️ Snake
The attack begins with a loader using control-flow flattening (#MITRE T1027.010) to obscure its logic behind nested while-loops and string shifts.
👾 The loader uses COM automation via WshShell3, avoiding direct #PowerShell or CMD calls and bypassing common detection rules.
❗️ Obfuscated CMD scripts include non-ASCII (Japanese) characters and environment variables like %…%, further complicating static and dynamic analysis.
Two CMD scripts are dropped into ProgramData to prepare the execution environment. This stage involves #LOLBAS abuse: legitimate DLLs are copied from SysWOW64 into “/Windows /” and Public directories. The operation is performed using extrac32.exe, known #LOLBin and JS script functionality. This combination helps bypass detection by imitating trusted system behavior.
📌 Persistence is established by creating a Run registry key pointing to a .url file containing the execution path.
🐍 Snake is launched after a short delay using a PING, staggering execution.
👨💻 See execution on a live system and download actionable report:
https://t.co/kqindb5Cgt
Explore #ANYRUN’s threat database to proactively hunt for similar threats and techniques and improve the precision and efficiency of your organization's security response:
🔹 https://t.co/bsiGkcJMMG
🔹 https://t.co/vEvZNcfklS
🔹 https://t.co/ceT9R4TNu3
🔹 https://t.co/krG9T5JK0a
#IOCs:
54fcf77b7b6ca66ea4a2719b3209f18409edea8e7e7514cf85dc6bcde0745403
ae53759b1047c267da1e068d1e14822d158e045c6a81e4bf114bd9981473abbd
efd8444c42d4388251d4bc477fb712986676bc1752f30c9ad89ded67462a59a0
dbe81bbd0c3f8cb44eb45cd4d3669bd72bf95003804328d8f02417c2df49c481
183e98cd972ec4e2ff66b9503559e188a040532464ee4f979f704aa5224f4976
reallyfreegeoip[.]org
104[.]21[.]96[.]1
https[:]//reallyfreegeoip[.]org/xml/78[.]88[.]249[.]143
registryValue: Iaakcppq.url
👨💻 Gain full visibility with #ANYRUN to make faster, smarter security decisions. #ExploreWithANYRUN](https://pbs.twimg.com/media/GwoSxMpXgAAQuYW.jpg)
Last Seen Hashtags on Sotwe
shemalejakarta
Seen from Indonesia
Fupa
Seen from Brazil
monkeyapp
Seen from Canada
mummatwt
Seen from Turkey
Durantula
Seen from Thailand
คลิปหลุดหนักศกษา
Seen from Thailand
รับงานขอนแก่น
Seen from Thailand
Teenagegirls filter:videos
Seen from Turkey
murdermedia
Seen from United States
marasescort
Seen from Turkey
Most Popular Users

Elon Musk 
@elonmusk
240.8M followers

Barack Obama 
@barackobama
119.2M followers

Donald J. Trump 
@realdonaldtrump
111.7M followers

Cristiano Ronaldo 
@cristiano
111.1M followers

Narendra Modi 
@narendramodi
107M followers

Rihanna 
@rihanna
97.8M followers

NASA 
@nasa
92.2M followers

Justin Bieber 
@justinbieber
91M followers

KATY PERRY 
@katyperry
87.9M followers

Taylor Swift 
@taylorswift13
81.8M followers

Lady Gaga 
@ladygaga
73.3M followers

Virat Kohli 
@imvkohli
70.3M followers

Kim Kardashian 
@kimkardashian
69.9M followers

YouTube 
@youtube
68.7M followers

Bill Gates 
@billgates
64M followers

Neymar Jr 
@neymarjr
63.1M followers

The Ellen Show
@theellenshow
62.4M followers

CNN 
@cnn
61.9M followers

Selena Gomez 
@selenagomez
61M followers

X 
@x
60.8M followers









![JAMESWT_WT's tweet photo. "Firma questi documenti con una penna blu!"
👇
Protocol: smtp
webmail.ki-lojaobrinquedos.]com.]br
Username:
vendas@feiraodoscabelos.]com.]br
Email To:
nolimitforce@yandex.]com
👇
#snakekeylogger
👇
Samples
https://t.co/bqkjLrSGBP
AnyRUn
https://t.co/yoYCMD8hkm https://t.co/fqKqctEOpZ](https://pbs.twimg.com/media/G3N1JxZWsAAwB66.jpg)

![bomccss's tweet photo. 日本語のマルウェア付きメールが確認されています。
■日時
2025/09/24
■件名
見積依頼書 Q2509-00009
■添付ファイル
Q2509-00008[.]rar -> .exe
https://t.co/2pajAMYvfU
見積依頼書 Q2509-00008[.]zip -> .exe
https://t.co/XzRdSr9lh8
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger ) https://t.co/tMJwiLbi56](https://pbs.twimg.com/media/G1mPU25a4AAsUx1.jpg)

![JAMESWT_WT's tweet photo. From #compromised #email @HotelParleInt
#snakekeylogger👇
Protocol: smtp
Host:
⚠️mail.hotelparleinternational.]com
Username:
⚠️accounts@hotelparleinternational.]com
Email To:
⚠️newupdatedauglog@onionmail.]org
👇Collection Samples Tagged and Updated👇
https://t.co/w2AMLc1Fvc https://t.co/orAhtBoQe4](https://pbs.twimg.com/media/GzlKjtKXkAArmmF.png)
![JAMESWT_WT's tweet photo. From #compromised #email @HotelParleInt
#snakekeylogger👇
Protocol: smtp
Host:
⚠️mail.hotelparleinternational.]com
Username:
⚠️accounts@hotelparleinternational.]com
Email To:
⚠️newupdatedauglog@onionmail.]org
👇Collection Samples Tagged and Updated👇
https://t.co/w2AMLc1Fvc https://t.co/orAhtBoQe4](https://pbs.twimg.com/media/GzlJ9nhXoAAn5Hj.png)
