![mopisec's tweet photo. WindowsTelemetry[.]zip uploaded from Japan.
SHA256: 0fb45474ca58bd67220f79b0e3b07f940270c371ba56e27d3e2b99bf4dbb5174
Sideloaded DLL "VERSION.dll" executes payload that deploys PoisonX RAT and vulnerable driver (EneIo64.sys).
C2: 101.32.190[.]202:8080
#malware #iocs https://t.co/1XoupfxcrD](https://pbs.twimg.com/media/HIopZI7bEAAJ7c7.png)
![mopisec's tweet photo. Found multi-stage Cobalt Strike Beacon Loader. The payload will be executed only if the USERDNSDOMAIN variable is "maz", "minaz", "tib", or "geel.maz".
SHA256: 4078905b6f1810a913a7204c320a31bce644376a72ebe1f54cf324db9afa3ecd
C2: cloudmanagernetapp[.]nl:443
#malware #iocs https://t.co/gPdLNqMxK2](https://pbs.twimg.com/media/HFunBLua0AA7rnf.png)
![mopisec's tweet photo. Found multi-stage Cobalt Strike Beacon Loader. The payload will be executed only if the USERDNSDOMAIN variable is "maz", "minaz", "tib", or "geel.maz".
SHA256: 4078905b6f1810a913a7204c320a31bce644376a72ebe1f54cf324db9afa3ecd
C2: cloudmanagernetapp[.]nl:443
#malware #iocs https://t.co/gPdLNqMxK2](https://pbs.twimg.com/media/HFum9ZJbUAAIcov.png)
![mopisec's tweet photo. Found multi-stage Cobalt Strike Beacon Loader. The payload will be executed only if the USERDNSDOMAIN variable is "maz", "minaz", "tib", or "geel.maz".
SHA256: 4078905b6f1810a913a7204c320a31bce644376a72ebe1f54cf324db9afa3ecd
C2: cloudmanagernetapp[.]nl:443
#malware #iocs https://t.co/gPdLNqMxK2](https://pbs.twimg.com/media/HFumIR5bEAAHI3R.png)
![mopisec's tweet photo. It seems the config is not only RC4 encrypted but also partially encoded now. Very interesting.
SHA256 (AVKTray.dat - Payload File): 4ee6bd5a5701853402a08640f531e1be937d0c1f497e3fc255c9ea3e943ecf42
C2: 108.165.255[.]97:443
#PlugX https://t.co/WHnheVMzln](https://pbs.twimg.com/media/HAf5oGcacAAXjFm.png)
![mopisec's tweet photo. It seems the config is not only RC4 encrypted but also partially encoded now. Very interesting.
SHA256 (AVKTray.dat - Payload File): 4ee6bd5a5701853402a08640f531e1be937d0c1f497e3fc255c9ea3e943ecf42
C2: 108.165.255[.]97:443
#PlugX https://t.co/WHnheVMzln](https://pbs.twimg.com/media/HAf5m6zacAU-bAT.png)
![mopisec's tweet photo. It seems the config is not only RC4 encrypted but also partially encoded now. Very interesting.
SHA256 (AVKTray.dat - Payload File): 4ee6bd5a5701853402a08640f531e1be937d0c1f497e3fc255c9ea3e943ecf42
C2: 108.165.255[.]97:443
#PlugX https://t.co/WHnheVMzln](https://pbs.twimg.com/media/HAf5kmsacAEZgUV.png)
Olivia
Online
Naoki Takayama
@mopisec
A malware analyst, digital forensic investigator, and threat researcher. Conference speaker at BSides Tokyo, JSAC, and VB.
Japan
Joined September 2016
170 Following
1.3K Followers
151 Posts
Related sample uploaded from China:
b892981af3ca699d13f07ddcf75c2df62c1543b071278b4cc1ac0993d8b9dc01 (Same C2)
IIJ's Naoki Takayama analyses SLOTAGENT, a newly identified multifunctional RAT found in a ZIP uploaded from Japan to a public malware repository. The malware can execute BOF-format payloads, and implements anti-forensic features including time stomping. https://t.co/ZZ8qpefZqF
BOFの実行などに対応した新たなマルウェアSLOTAGENT | IIJ Security Diary https://t.co/pPV7EiSl8C @IIJSECT
Who to follow
Azara 
@a_zara_n
🦭/Engineer/(Info|Cyber|Product|Cloud)Security/ AWS CB
たけまる🦦
@tkmru
昼は炭酸水を飲んで、夜は星を見てる / 著書『ポートスキャナ自作ではじめるペネトレーションテスト ―Linux環境で学ぶ攻撃者の思考 』『マスタリングGhidra』他 / AVTOKYO, Black Hat Arsenal, CODEBLUE Bluebox 他 / 頭取 of @sterrasec
tokina(ひみつ)🚗/mTeshiba
@_tokina23
自動車セキュリティコンサル/弱ペンテスター, SwarmSU, LoRaWAN, ISO21434&UNR155, CACSP, CISSP, CISA, CISM, OSINT, セキュリティ登山家(自称), 自動車セキュリティとLoRaWANの人📩[email protected]
#JSAC2026 の講演動画を公開いたしました。
当日ご参加いただけなかった方や、内容を改めて確認されたい方はぜひご視聴ください。^AS
https://t.co/qr9UoJQA5S
Correction: The payload will be executed only if the USERDNSDOMAIN variable **starts with** "maz", "minaz", "tib", or "geel.maz".
C2: www[.]neurosurgeryx[.]com:443
#PlugX
![mopisec's tweet photo. C2: www[.]neurosurgeryx[.]com:443
#PlugX https://t.co/rblzoRuMbT](https://pbs.twimg.com/media/HE5GXDwaQAAXmFo.png)
@kienbigmummy I haven't developed formal configuration extractor yet, but I shared analysis result of config's structure & C2 address's decryption routine in my company's blog post (unfortunately not available in English, so please machine translate it).
https://t.co/qO26v1yUnL
Eraser.dat #PlugX
SHA256: c5267fefaac1764eba5f42681eb216f146b7d18fcbf546275d33e70cb36fdfba
C2: coastallasercompany[.]com:443
Reference: https://t.co/qO26v1yUnL
![mopisec's tweet photo. Eraser.dat #PlugX
SHA256: c5267fefaac1764eba5f42681eb216f146b7d18fcbf546275d33e70cb36fdfba
C2: coastallasercompany[.]com:443
Reference: https://t.co/qO26v1yUnL https://t.co/4UeSNRYfuI](https://pbs.twimg.com/media/HEGp4D9a8AAza7N.png)
@58_158_177_102 すみません、公開作業時のミスでアクセスできない状態になっていました。
修正したので、開けるようになったと思います。
Dropbox APIを使用するKimsukyのマルウェア | IIJ Security Diary https://t.co/N2MsgJ0SmX @IIJSECT
@byrne_emmy12099 Great finding. Another (possible) related sample:
a762d65c0d6f6345541485aeef35a3b331b1f69bace8452cf55026b301e963bd
UNC6384, Mustang Panda, and RedDelta have a lot in common: overlaps in tooling, targeting, and C2 procurement.
This research identifies an active PlugX C2 cluster staged on a single ASN for a short window before being obscured by a proxy.
Full analysis https://t.co/DM8ehqkgwo
Check out our new post!!! PlugX Meeting Invitation via MSBuild and GDATA https://t.co/mqbdjlIegu
STATICPLUGINによって実行される最新のPlugX亜種 | IIJ Security Diary https://t.co/pKBVNVUTxr @IIJSECT
ブログ JPCERT/CC Eyes「JSAC2026 開催レポート~DAY 1~」を公開。1月21日~23日に開催したJSAC2026の様子を3回に分けて紹介します。第1回は、DAY 1 Main Trackの講演についてです。^KI
https://t.co/0ta2uzJBBS
It seems the config is not only RC4 encrypted but also partially encoded now. Very interesting.
SHA256 (AVKTray.dat - Payload File): 4ee6bd5a5701853402a08640f531e1be937d0c1f497e3fc255c9ea3e943ecf42
C2: 108.165.255[.]97:443
#PlugX
![mopisec's tweet photo. It seems the config is not only RC4 encrypted but also partially encoded now. Very interesting.
SHA256 (AVKTray.dat - Payload File): 4ee6bd5a5701853402a08640f531e1be937d0c1f497e3fc255c9ea3e943ecf42
C2: 108.165.255[.]97:443
#PlugX https://t.co/WHnheVMzln](https://pbs.twimg.com/media/HAgEkGIbkAAg207.png)
Most Popular Users
Elon Musk
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.9M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.3M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.6M followers
KATY PERRY
@katyperry
86.8M followers
Taylor Swift
@taylorswift13
80.6M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.4M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.5M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.1M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
59.9M followers