![SealTeamSecs's tweet photo. @redcanary I am seeing similar activity to your https://t.co/7WMo924gqt from last May.
Changed from support.onli-ne[.]com to support.dwnload[.]online
Then: ps.c-0[.]uk/in.mp3
This is taking screenshots of the user's device and sending to dll[.]lat. I am seeing 502 right now. https://t.co/sB0IOglbVC](https://pbs.twimg.com/media/GJh2wGTXMAAomQJ.png)
![SealTeamSecs's tweet photo. @redcanary I am seeing similar activity to your https://t.co/7WMo924gqt from last May.
Changed from support.onli-ne[.]com to support.dwnload[.]online
Then: ps.c-0[.]uk/in.mp3
This is taking screenshots of the user's device and sending to dll[.]lat. I am seeing 502 right now. https://t.co/sB0IOglbVC](https://pbs.twimg.com/media/GJh2rYlWwAAu3xc.png)
![SealTeamSecs's tweet photo. @redcanary I am seeing similar activity to your https://t.co/7WMo924gqt from last May.
Changed from support.onli-ne[.]com to support.dwnload[.]online
Then: ps.c-0[.]uk/in.mp3
This is taking screenshots of the user's device and sending to dll[.]lat. I am seeing 502 right now. https://t.co/sB0IOglbVC](https://pbs.twimg.com/media/GJh2qAJXIAE-KuE.jpg)
![1ZRR4H's tweet photo. Another active campaign by Vietnamese 🇻🇳 threat actors targeting content creators and advertisers among others.
⛓️ @Facebook Ad > @Google Sites > @Dropbox download > protected .zip > .msi > .bat > load Chrome extension with ai[.]google > steal data from Facebook +Business accounts 💵
Exfiltration to: managedkv[.]com
FB profile: /web.facebook.com/Marketing.GoogleAI
Google Site: /sites.google.com/view/g-aimarketing/ad
Apparently someone monitors connections as they take down profiles and websites when they detect something suspicious 😏
H/T @milannshrestga
[+] Setup.msi: https://t.co/4EEhnhxGeJ
[+] background.js: https://t.co/F2dP0IlJEv
[+] setup.bat: https://t.co/J1ajYXaNnm
REF: https://t.co/j6yiNsvzGx](https://pbs.twimg.com/media/F1iSZCaWAAEQiNA.jpg)
![1ZRR4H's tweet photo. Another active campaign by Vietnamese 🇻🇳 threat actors targeting content creators and advertisers among others.
⛓️ @Facebook Ad > @Google Sites > @Dropbox download > protected .zip > .msi > .bat > load Chrome extension with ai[.]google > steal data from Facebook +Business accounts 💵
Exfiltration to: managedkv[.]com
FB profile: /web.facebook.com/Marketing.GoogleAI
Google Site: /sites.google.com/view/g-aimarketing/ad
Apparently someone monitors connections as they take down profiles and websites when they detect something suspicious 😏
H/T @milannshrestga
[+] Setup.msi: https://t.co/4EEhnhxGeJ
[+] background.js: https://t.co/F2dP0IlJEv
[+] setup.bat: https://t.co/J1ajYXaNnm
REF: https://t.co/j6yiNsvzGx](https://pbs.twimg.com/media/F1iKhi7XoAcjhnK.jpg)
![1ZRR4H's tweet photo. Another active campaign by Vietnamese 🇻🇳 threat actors targeting content creators and advertisers among others.
⛓️ @Facebook Ad > @Google Sites > @Dropbox download > protected .zip > .msi > .bat > load Chrome extension with ai[.]google > steal data from Facebook +Business accounts 💵
Exfiltration to: managedkv[.]com
FB profile: /web.facebook.com/Marketing.GoogleAI
Google Site: /sites.google.com/view/g-aimarketing/ad
Apparently someone monitors connections as they take down profiles and websites when they detect something suspicious 😏
H/T @milannshrestga
[+] Setup.msi: https://t.co/4EEhnhxGeJ
[+] background.js: https://t.co/F2dP0IlJEv
[+] setup.bat: https://t.co/J1ajYXaNnm
REF: https://t.co/j6yiNsvzGx](https://pbs.twimg.com/media/F1iKhh3WcAEm_Pp.png)
Olivia
Online
Suspicious Link
@killamjr
I'm just here for the malware and the memes
Missouri, USA
Joined June 2016
985 Following
2.3K Followers
1.7K Posts
Pinned Tweet
For those with access to a SIEM with email headers, things to watch with email campaigns like emotet:
Patterns in:
Message-ID
X-Mailer
URLs in message body
Filenames
Sender host IP/Domain
Obvious sender spoof attempts
@Kostastsale https://t.co/r7o2ArPMg0 has also been helpful knowing which specific RMMs are being actively abused is really helpful when lolrmm has ~200 RMMs
@redcanary I am seeing similar activity to your https://t.co/7WMo924gqt from last May.
Changed from support.onli-ne[.]com to support.dwnload[.]online
Then: ps.c-0[.]uk/in.mp3
This is taking screenshots of the user's device and sending to dll[.]lat. I am seeing 502 right now.
![SealTeamSecs's tweet photo. @redcanary I am seeing similar activity to your https://t.co/7WMo924gqt from last May.
Changed from support.onli-ne[.]com to support.dwnload[.]online
Then: ps.c-0[.]uk/in.mp3
This is taking screenshots of the user's device and sending to dll[.]lat. I am seeing 502 right now. https://t.co/sB0IOglbVC](https://pbs.twimg.com/media/GJh25VxXIAIt50V.png)
[REPOST, TYPO IN IOC]
#MineBridge #IOC
88.119.169.193 (SSH)
194.15.112.147 (SSH) hxxps://virtualsecretaryservices[.]com/online/tunupd.php (SSH config)
2baserec[.]xyz
2baserec2[.]guru
If anyone knows anything about that campaign and/or stealer component, feel free to share :)
Another active campaign by Vietnamese 🇻🇳 threat actors targeting content creators and advertisers among others.
⛓️ @Facebook Ad > @Google Sites > @Dropbox download > protected .zip > .msi > .bat > load Chrome extension with ai[.]google > steal data from Facebook +Business accounts 💵
Exfiltration to: managedkv[.]com
FB profile: /web.facebook.com/Marketing.GoogleAI
Google Site: /sites.google.com/view/g-aimarketing/ad
Apparently someone monitors connections as they take down profiles and websites when they detect something suspicious 😏
H/T @milannshrestga
[+] Setup.msi: https://t.co/4EEhnhxGeJ
[+] background.js: https://t.co/F2dP0IlJEv
[+] setup.bat: https://t.co/J1ajYXaNnm
REF: https://t.co/j6yiNsvzGx
![1ZRR4H's tweet photo. Another active campaign by Vietnamese 🇻🇳 threat actors targeting content creators and advertisers among others.
⛓️ @Facebook Ad > @Google Sites > @Dropbox download > protected .zip > .msi > .bat > load Chrome extension with ai[.]google > steal data from Facebook +Business accounts 💵
Exfiltration to: managedkv[.]com
FB profile: /web.facebook.com/Marketing.GoogleAI
Google Site: /sites.google.com/view/g-aimarketing/ad
Apparently someone monitors connections as they take down profiles and websites when they detect something suspicious 😏
H/T @milannshrestga
[+] Setup.msi: https://t.co/4EEhnhxGeJ
[+] background.js: https://t.co/F2dP0IlJEv
[+] setup.bat: https://t.co/J1ajYXaNnm
REF: https://t.co/j6yiNsvzGx](https://pbs.twimg.com/media/F1iSqTbXoAA6GNx.jpg)
@_JohnHammond I'm absolutely advocating for the name "reMOVEit" based on remediation advice from @killamjr
Just got through presenting on #thrunting @HackSpaceCon such a great conference
https://t.co/l310gmznqu
#TA505 really does not care too much. Their domain hxxps://binance-cloud[.]com is delivering payloads for months now and it's still up.
hxxps://binance-cloud[.]com/pload/ => HVNC variant
hxxps://binance-cloud[.]com/ldr/ => Their Loader
🧵1/4
@killamjr from @redcanary is gonna talk about the basics of "thrunting" otherwise known as threat hunting, or the process of searching for "unknown evil" that your existing alerts may be missing at #hackspacecon
Get your tix now!
https://t.co/EQZUVCxmAs
https://t.co/KmdQ6xC6GH
@0xToxin @ankit_anubhav @Iamdeadlyz @executemalware @pr0xylife @Ledtech3 @JAMESWT_MHT @James_inthe_box @Max_Mal_ @Gi7w0rm @tosscoinwitcher We saw the same TTP behavior yesterday with an American victim but payloads were hosted elsewhere:
hxxps://www.basejumper[.io/info.txt
hxxps://www.basejumper[.io/b.png
C2: nasori.ddnsfree[.com:6666
#3LOSH
https://t.co/8M8xo2SQ6Z
@MicahBabinski Awesome blog, great read
@0xshellc0de did you ever figure out what this was?
Well, I didn't expect to be greeted like this by a C2, this gets fun.
Hashes
- SHA-1: 54d9da90371592843a59917a17be59cd9b961ae1
- SHA-256: 8fce1d24cf952528169f473b9462724482511615ed31165710e5e3a74cefdd02
C2 URIs
- /registrauser.php
- /license.txt
Malware @SlackHQ 🤖
/slack-download.net
file here:
/bitbucket.org/slack-files/windows/downloads/SIackSetupWin.iso
https://t.co/12fx6K1iCe
https://t.co/lAlETfOdlx
this how ransomware works
Last Seen Users on Sotwe
Trends for you
Most Popular Users
Elon Musk 
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.8M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.4M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers