Top Tweets for #Snakekeylogger
日本語のマルウェア付きメールが確認されています。
■日時
2026/02/27
■件名
請求書
■添付ファイル
注文.rar -> .exe
https://t.co/uIGuGvNWdF
https://t.co/5qjt8AtKgF
情報窃取マルウェア #VIPKeylogger (#SnakeKeylogger)

![skocherhan's tweet photo. hosting2[.]ro[.]hostsailor[.]com
#Formbook #SnakeKeylogger #VIPKeylogger https://t.co/k6t6LET4D4](https://pbs.twimg.com/media/HAYGUrMXQAAHH9N.jpg)
webmail[.]ki-lojaobrinquedos[.]com[.]br
#SnakeKeylogger
![skocherhan's tweet photo. webmail[.]ki-lojaobrinquedos[.]com[.]br
#SnakeKeylogger https://t.co/msVfi5nsaS](https://pbs.twimg.com/media/HAYDYF8WQAA62Ne.jpg)
#snakekeylogger at:
https://intesmak\.com/obitwo
c2: https://api.telegram\.org/bot8099843793:AAGeYKMLti1IpyT9o6bz7OtgdXF9md25uXA

📡New research #SnakeKeylogger | #404Keylogger evolution - One of the most ᵾꞥfamous #malware used by all kinds of #TA and #campaigns
⛓️ #Phishing | Fake link > Loader > Persistence > Load code > #Snake > Obtain info > #Telegram
🔎Full research: https://t.co/es70EHJYqB


日本語のマルウェア付きメールが確認されています。
■日時
2025/10/30
■件名
FW: Remittance Advice Swift Identifier UTRI : CustID (略)
■添付ファイル
S00010 UTR 11000 Swift 301025 pdf.z -> exe
https://t.co/5QhbLDl7lN
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
日本語マルウェアメールの接到を確認しています。
件名: FW: Remittance Advice Swift Identifier UTRI : CustID 56258XXXX_0075NSMT103I0020526
添付ファイル: S00010 UTR 11000 Swift 301025 pdf.z -> exe
MD5: 9d742de1427435bf6b989efca7a6609d
Sample: https://t.co/QTTNJL2uDV

"Firma questi documenti con una penna blu!"
👇
Protocol: smtp
webmail.ki-lojaobrinquedos.]com.]br
Username:
vendas@feiraodoscabelos.]com.]br
Email To:
nolimitforce@yandex.]com
👇
#snakekeylogger
👇
Samples
https://t.co/bqkjLrSGBP
AnyRUn
https://t.co/yoYCMD8hkm
![JAMESWT_WT's tweet photo. "Firma questi documenti con una penna blu!"
👇
Protocol: smtp
webmail.ki-lojaobrinquedos.]com.]br
Username:
vendas@feiraodoscabelos.]com.]br
Email To:
nolimitforce@yandex.]com
👇
#snakekeylogger
👇
Samples
https://t.co/bqkjLrSGBP
AnyRUn
https://t.co/yoYCMD8hkm https://t.co/fqKqctEOpZ](https://pbs.twimg.com/media/G3N3smeXgAArAuM.jpg)
🚨We are observing a new active #infostealer #SnakeKeylogger campaign. The threat is distributed via e-mails 📧 with sender aliases such as "CPA-Payment Files" impersonating CPAGlobal / @Clarivate.
The e-mails contain ISO or ZIP files containing malicious BAT script downloading and executing Powershell commands. Be careful if you spot similar e-mails.
IoCs:
1bf2e282e0b58814838af57c8792b6147eacedb3f954821b8eea3b79e1f77cb3 (ZIP in mail attachment)
fb17cc142e92edd5c683c3d53ff8e15f73c67b65df116827f92c9f81c672ec26 (ISO in mail attachment)
929fc6575e8ca6b7a657c784254693c4a343e0576bc64a8ba42eac5003796e68 (BAT downloader)
hxxp://fxa[.]sabitaxt[.]com/mc55tP.ps1 (PS script downloaded by BAT)
![GenThreatLabs's tweet photo. 🚨We are observing a new active #infostealer #SnakeKeylogger campaign. The threat is distributed via e-mails 📧 with sender aliases such as "CPA-Payment Files" impersonating CPAGlobal / @Clarivate.
The e-mails contain ISO or ZIP files containing malicious BAT script downloading and executing Powershell commands. Be careful if you spot similar e-mails.
IoCs:
1bf2e282e0b58814838af57c8792b6147eacedb3f954821b8eea3b79e1f77cb3 (ZIP in mail attachment)
fb17cc142e92edd5c683c3d53ff8e15f73c67b65df116827f92c9f81c672ec26 (ISO in mail attachment)
929fc6575e8ca6b7a657c784254693c4a343e0576bc64a8ba42eac5003796e68 (BAT downloader)
hxxp://fxa[.]sabitaxt[.]com/mc55tP.ps1 (PS script downloaded by BAT)](https://pbs.twimg.com/media/G20116qWcAAsyp7.jpg)
日本語のマルウェア付きメールが確認されています。
■日時
2025/09/24
■件名
見積依頼書 Q2509-00009
■添付ファイル
Q2509-00008[.]rar -> .exe
https://t.co/2pajAMYvfU
見積依頼書 Q2509-00008[.]zip -> .exe
https://t.co/XzRdSr9lh8
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
![bomccss's tweet photo. 日本語のマルウェア付きメールが確認されています。
■日時
2025/09/24
■件名
見積依頼書 Q2509-00009
■添付ファイル
Q2509-00008[.]rar -> .exe
https://t.co/2pajAMYvfU
見積依頼書 Q2509-00008[.]zip -> .exe
https://t.co/XzRdSr9lh8
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger ) https://t.co/tMJwiLbi56](https://pbs.twimg.com/media/G1mPWocaoAEHFWT.png)
日本語のマルウェア付きメールが確認されています。
■日時
2025/09/22
■件名
見積依頼書 Q2509-00009
■添付ファイル
Q2509-00009[.]zip -> .exe
https://t.co/2pajAMYvfU
マルウェア種別は未判定ですが、恐らくは情報窃取マルウェアの #SnakeKeylogger
日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼書 Q2509-00009
添付ファイル: Q2509-00009[.]zip -> exe
MD5: e709639bd0072c40bc3641405120a0c1
Sample: https://t.co/4OdJwfw030
![tdatwja's tweet photo. 日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼書 Q2509-00009
添付ファイル: Q2509-00009[.]zip -> exe
MD5: e709639bd0072c40bc3641405120a0c1
Sample: https://t.co/4OdJwfw030 https://t.co/socf3i6R8p](https://pbs.twimg.com/media/G1mFHqhbQAAb97n.png)
Been a while since I've seen a bundle:
https://t.co/9vZacXfHfL
#remcos #rat #snakekeylogger
https://api.telegram\.org/bot8344787963 on the #snakekeylogger
日本語のマルウェア付きメールが確認されています。
■日時
2025/09/08
■件名
注文書(西日本常盤商行
■添付ファイル
常盤注文書0687-080925[.]zip -> .exe
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
日本語マルウェアメールの接到を確認しています。
件名:注文書(西日本常盤商行
添付ファイル:常盤注文書https://t.co/lqXjTWMLeH→exe
MD5:753e00bc5ec44e7a62f5d89fd0f77022
C2: drive[.]google[.]com
→ mail[.]gunesmetal[.]net
→ api[.]telegram[.]org
Sample: https://t.co/LAx6WMX0WL
![tdatwja's tweet photo. 日本語マルウェアメールの接到を確認しています。
件名:注文書(西日本常盤商行
添付ファイル:常盤注文書https://t.co/lqXjTWMLeH→exe
MD5:753e00bc5ec44e7a62f5d89fd0f77022
C2: drive[.]google[.]com
→ mail[.]gunesmetal[.]net
→ api[.]telegram[.]org
Sample: https://t.co/LAx6WMX0WL https://t.co/1se1eAwSj4](https://pbs.twimg.com/media/G0TztTlbUAAxWtP.png)
日本語のマルウェア付きメールが確認されています。
■日時
2025/09/03
■件名
見積依頼
■添付ファイル
見積依頼 20250903_pdf.z -> exe
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
https://t.co/5Wmf5Iv5jW
日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼
添付ファイル: 見積依頼 20250903_pdf.z -> exe
MD5: 74f4cfe6ced8215a34c2edd23df9b4ab
C2: drive[.]google[.]com
-> mail[.]imzalimetal[.]com[.]tr
-> api[.]telegram[.]org
Sample: https://t.co/DPQBIufRnI
![tdatwja's tweet photo. 日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼
添付ファイル: 見積依頼 20250903_pdf.z -> exe
MD5: 74f4cfe6ced8215a34c2edd23df9b4ab
C2: drive[.]google[.]com
-> mail[.]imzalimetal[.]com[.]tr
-> api[.]telegram[.]org
Sample: https://t.co/DPQBIufRnI https://t.co/juUR2168NZ](https://pbs.twimg.com/media/Gz_VW_dbkAMn6b1.png)
日本語のマルウェア付きメールが確認されています。
■日時
2025/09/03
■件名
見積依頼
■添付ファイル
見積依頼09032025_pdf.r00 ->.exe
ダウンローダー #Guloader -> 情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
https://t.co/quWzveM59k
【2025/09/03】日本語で書かれたばらまき型攻撃メール(Guloader, VIP Keylogger)に関する注意喚起 https://t.co/yR1b4dDz1r
日本語のマルウェア付きメールが確認されています。
■日時
2025/09/02
■件名
見積依頼
■添付ファイル
見積依頼フォーム.zip ->.exe
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼
添付ファイル: 見積依頼フォーム.zip -> exe
MD5: d3048ffed5b3a53ea4527d07b0674a40
C2: drive[.]google[.]com
-> mail[.]imzalimetal[.]com[.]tr
-> api[.]telegram[.]org
Sample: https://t.co/efnHxEXBg7
![tdatwja's tweet photo. 日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼
添付ファイル: 見積依頼フォーム.zip -> exe
MD5: d3048ffed5b3a53ea4527d07b0674a40
C2: drive[.]google[.]com
-> mail[.]imzalimetal[.]com[.]tr
-> api[.]telegram[.]org
Sample: https://t.co/efnHxEXBg7 https://t.co/3yIT3JVl7A](https://pbs.twimg.com/media/Gz03G80aoAUBEVE.png)
From #compromised #email @HotelParleInt
#snakekeylogger👇
Protocol: smtp
Host:
⚠️mail.hotelparleinternational.]com
Username:
⚠️accounts@hotelparleinternational.]com
Email To:
⚠️newupdatedauglog@onionmail.]org
👇Collection Samples Tagged and Updated👇
https://t.co/w2AMLc1Fvc
![JAMESWT_WT's tweet photo. From #compromised #email @HotelParleInt
#snakekeylogger👇
Protocol: smtp
Host:
⚠️mail.hotelparleinternational.]com
Username:
⚠️accounts@hotelparleinternational.]com
Email To:
⚠️newupdatedauglog@onionmail.]org
👇Collection Samples Tagged and Updated👇
https://t.co/w2AMLc1Fvc https://t.co/orAhtBoQe4](https://pbs.twimg.com/media/GzlKkaSXgAAyw-X.jpg)
日本語のマルウェア付きメールが確認されています。
■日時
2025/08/29
■件名
見積依頼 20250829131540
■添付ファイル
見積依頼 20250829131540[.]zip ->.exe
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger )
https://t.co/DZ0FiPFKpS
日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼 20250829131540
添付ファイル: 見積依頼 20250829131540[.]zip
-> 見積依頼 20250829131540[.]exe
MD5: 2b9c922d2fc588de36dad106ce147457
C2: mail[.]imzalimetal[.]com[.]tr
Sample: https://t.co/X0viXsA1u6
![tdatwja's tweet photo. 日本語で書かれたマルウェアメールの接到を確認しています。
件名: 見積依頼 20250829131540
添付ファイル: 見積依頼 20250829131540[.]zip
-> 見積依頼 20250829131540[.]exe
MD5: 2b9c922d2fc588de36dad106ce147457
C2: mail[.]imzalimetal[.]com[.]tr
Sample: https://t.co/X0viXsA1u6 https://t.co/ZLADgMbr6D](https://pbs.twimg.com/media/GzgXm4pawAAGDv4.png)
e9ec4a29ee8e1e68cf0bd3ff77e74dfd
ismail@senkar[.]com[.]tr
akuwork38@gmail[.]com
#SnakeKeylogger @TRCert
![skocherhan's tweet photo. e9ec4a29ee8e1e68cf0bd3ff77e74dfd
ismail@senkar[.]com[.]tr
akuwork38@gmail[.]com
#SnakeKeylogger @TRCert https://t.co/pbVt6AEDyv](https://pbs.twimg.com/media/GxyojEsWkAA_v26.png)
🚨 Control-Flow Flattening Obfuscated #JavaScript Drops #SnakeKeylogger.
The #malware uses layered obfuscation to hide execution logic and evade traditional detection.
⚠️ Our data shows banking is the most affected sector among our users, nearly matching all the other industries combined. As part of widespread #MaaS #phishing campaigns, Snake targets high-value industries including fintech, healthcare, and energy, making instant threat visibility and behavioral analysis essential.
🔗 Execution chain:
Obfuscated JS ➡️ ScriptRunner.exe ➡️ EXE ➡️ CMD ➡️ extrac32.exe ➡️ PING delay ➡️ Snake
The attack begins with a loader using control-flow flattening (#MITRE T1027.010) to obscure its logic behind nested while-loops and string shifts.
👾 The loader uses COM automation via WshShell3, avoiding direct #PowerShell or CMD calls and bypassing common detection rules.
❗️ Obfuscated CMD scripts include non-ASCII (Japanese) characters and environment variables like %…%, further complicating static and dynamic analysis.
Two CMD scripts are dropped into ProgramData to prepare the execution environment. This stage involves #LOLBAS abuse: legitimate DLLs are copied from SysWOW64 into “/Windows /” and Public directories. The operation is performed using extrac32.exe, known #LOLBin and JS script functionality. This combination helps bypass detection by imitating trusted system behavior.
📌 Persistence is established by creating a Run registry key pointing to a .url file containing the execution path.
🐍 Snake is launched after a short delay using a PING, staggering execution.
👨💻 See execution on a live system and download actionable report:
https://t.co/kqindb5Cgt
Explore #ANYRUN’s threat database to proactively hunt for similar threats and techniques and improve the precision and efficiency of your organization's security response:
🔹 https://t.co/bsiGkcJMMG
🔹 https://t.co/vEvZNcfklS
🔹 https://t.co/ceT9R4TNu3
🔹 https://t.co/krG9T5JK0a
#IOCs:
54fcf77b7b6ca66ea4a2719b3209f18409edea8e7e7514cf85dc6bcde0745403
ae53759b1047c267da1e068d1e14822d158e045c6a81e4bf114bd9981473abbd
efd8444c42d4388251d4bc477fb712986676bc1752f30c9ad89ded67462a59a0
dbe81bbd0c3f8cb44eb45cd4d3669bd72bf95003804328d8f02417c2df49c481
183e98cd972ec4e2ff66b9503559e188a040532464ee4f979f704aa5224f4976
reallyfreegeoip[.]org
104[.]21[.]96[.]1
https[:]//reallyfreegeoip[.]org/xml/78[.]88[.]249[.]143
registryValue: Iaakcppq.url
👨💻 Gain full visibility with #ANYRUN to make faster, smarter security decisions. #ExploreWithANYRUN
![anyrun_app's tweet photo. 🚨 Control-Flow Flattening Obfuscated #JavaScript Drops #SnakeKeylogger.
The #malware uses layered obfuscation to hide execution logic and evade traditional detection.
⚠️ Our data shows banking is the most affected sector among our users, nearly matching all the other industries combined. As part of widespread #MaaS #phishing campaigns, Snake targets high-value industries including fintech, healthcare, and energy, making instant threat visibility and behavioral analysis essential.
🔗 Execution chain:
Obfuscated JS ➡️ ScriptRunner.exe ➡️ EXE ➡️ CMD ➡️ extrac32.exe ➡️ PING delay ➡️ Snake
The attack begins with a loader using control-flow flattening (#MITRE T1027.010) to obscure its logic behind nested while-loops and string shifts.
👾 The loader uses COM automation via WshShell3, avoiding direct #PowerShell or CMD calls and bypassing common detection rules.
❗️ Obfuscated CMD scripts include non-ASCII (Japanese) characters and environment variables like %…%, further complicating static and dynamic analysis.
Two CMD scripts are dropped into ProgramData to prepare the execution environment. This stage involves #LOLBAS abuse: legitimate DLLs are copied from SysWOW64 into “/Windows /” and Public directories. The operation is performed using extrac32.exe, known #LOLBin and JS script functionality. This combination helps bypass detection by imitating trusted system behavior.
📌 Persistence is established by creating a Run registry key pointing to a .url file containing the execution path.
🐍 Snake is launched after a short delay using a PING, staggering execution.
👨💻 See execution on a live system and download actionable report:
https://t.co/kqindb5Cgt
Explore #ANYRUN’s threat database to proactively hunt for similar threats and techniques and improve the precision and efficiency of your organization's security response:
🔹 https://t.co/bsiGkcJMMG
🔹 https://t.co/vEvZNcfklS
🔹 https://t.co/ceT9R4TNu3
🔹 https://t.co/krG9T5JK0a
#IOCs:
54fcf77b7b6ca66ea4a2719b3209f18409edea8e7e7514cf85dc6bcde0745403
ae53759b1047c267da1e068d1e14822d158e045c6a81e4bf114bd9981473abbd
efd8444c42d4388251d4bc477fb712986676bc1752f30c9ad89ded67462a59a0
dbe81bbd0c3f8cb44eb45cd4d3669bd72bf95003804328d8f02417c2df49c481
183e98cd972ec4e2ff66b9503559e188a040532464ee4f979f704aa5224f4976
reallyfreegeoip[.]org
104[.]21[.]96[.]1
https[:]//reallyfreegeoip[.]org/xml/78[.]88[.]249[.]143
registryValue: Iaakcppq.url
👨💻 Gain full visibility with #ANYRUN to make faster, smarter security decisions. #ExploreWithANYRUN](https://pbs.twimg.com/media/GwoSxMpXgAAQuYW.jpg)
Last Seen Hashtags on Sotwe
nolimit()****** filter:videos
Seen from Turkey
Shakira
Seen from United States
beautiful
Seen from United States
gaybdsm
Seen from Netherlands
momson(*)
บ่อบัว
Seen from Thailand
ketoo_ka
Seen from Thailand
หลุดนักเรียน
Seen from Thailand
omegle() filter:videos
Seen from United States
空姐制服
Seen from Thailand
Most Popular Users

Elon Musk 
@elonmusk
240.8M followers

Barack Obama 
@barackobama
119.2M followers

Donald J. Trump 
@realdonaldtrump
111.7M followers

Cristiano Ronaldo 
@cristiano
111.1M followers

Narendra Modi 
@narendramodi
107M followers

Rihanna 
@rihanna
97.8M followers

NASA 
@nasa
92.2M followers

Justin Bieber 
@justinbieber
91M followers

KATY PERRY 
@katyperry
87.9M followers

Taylor Swift 
@taylorswift13
81.8M followers

Lady Gaga 
@ladygaga
73.3M followers

Virat Kohli 
@imvkohli
70.3M followers

Kim Kardashian 
@kimkardashian
69.9M followers

YouTube 
@youtube
68.7M followers

Bill Gates 
@billgates
64M followers

Neymar Jr 
@neymarjr
63.1M followers

The Ellen Show
@theellenshow
62.4M followers

CNN 
@cnn
61.9M followers

Selena Gomez 
@selenagomez
61M followers

X 
@x
60.8M followers









![JAMESWT_WT's tweet photo. "Firma questi documenti con una penna blu!"
👇
Protocol: smtp
webmail.ki-lojaobrinquedos.]com.]br
Username:
vendas@feiraodoscabelos.]com.]br
Email To:
nolimitforce@yandex.]com
👇
#snakekeylogger
👇
Samples
https://t.co/bqkjLrSGBP
AnyRUn
https://t.co/yoYCMD8hkm https://t.co/fqKqctEOpZ](https://pbs.twimg.com/media/G3N1JxZWsAAwB66.jpg)

![bomccss's tweet photo. 日本語のマルウェア付きメールが確認されています。
■日時
2025/09/24
■件名
見積依頼書 Q2509-00009
■添付ファイル
Q2509-00008[.]rar -> .exe
https://t.co/2pajAMYvfU
見積依頼書 Q2509-00008[.]zip -> .exe
https://t.co/XzRdSr9lh8
情報窃取マルウェア #VIPKeyLogger ( #SnakeKeyLogger ) https://t.co/tMJwiLbi56](https://pbs.twimg.com/media/G1mPU25a4AAsUx1.jpg)

![JAMESWT_WT's tweet photo. From #compromised #email @HotelParleInt
#snakekeylogger👇
Protocol: smtp
Host:
⚠️mail.hotelparleinternational.]com
Username:
⚠️accounts@hotelparleinternational.]com
Email To:
⚠️newupdatedauglog@onionmail.]org
👇Collection Samples Tagged and Updated👇
https://t.co/w2AMLc1Fvc https://t.co/orAhtBoQe4](https://pbs.twimg.com/media/GzlKjtKXkAArmmF.png)
![JAMESWT_WT's tweet photo. From #compromised #email @HotelParleInt
#snakekeylogger👇
Protocol: smtp
Host:
⚠️mail.hotelparleinternational.]com
Username:
⚠️accounts@hotelparleinternational.]com
Email To:
⚠️newupdatedauglog@onionmail.]org
👇Collection Samples Tagged and Updated👇
https://t.co/w2AMLc1Fvc https://t.co/orAhtBoQe4](https://pbs.twimg.com/media/GzlJ9nhXoAAn5Hj.png)
