Part 4 of the Ollama Honeypot series is out!
This is an LLMjacking case where a single IP used an exposed Ollama API as free inference capacity for credential reconnaissance. Blog: https://t.co/txst1q9hok
Can’t wait to speak at @DEATHCon2026 with @fr0gger_ about detecting adversarial prompts with NOVA!
See you there on November 13–14!
Check out the DEATHCon website to explore all the other workshops available: https://t.co/mN08zBz0jL
Another compromised YouTube channel is being used to deliver malware by abusing the current AI hype. The video claims to offer “Claude Opus 4.8 free and unlimited,” but the advertised installer modifies Claude Code settings and uses DLL sideloading to deploy malware.
The same compromised Youtube Channel is still active and yesterday they published 3 new repositories on GitHub:
- hxxps[://]github[.]com/RestBudgieCabin/claude-free-plugin
- hxxps[://]github[.]com/RestBudgieCabin/chatgpt-trial
- hxxps[://]github[.]com/RestBudgieCabin/autotune
We discovered fake installers impersonating popular software including ChatGPT, Claude, AutoTune, and Kontakt on GitHub and SourceForge distributing a Deno backdoor known as DinDoor.
Attackers are using compromised YouTube channels to distribute links to the malicious software.
Each MSI contains a CmdFile and a PowerShellFile. The remote obfuscated javascript payload is the only difference between them.
- hxxp[://]lunarcanine[.]org/38447a5436f52b59[.]js
- hxxp[://]lunarcanine[.]org/cad6d12946d2b6d0[.]js
The same compromised Youtube Channel is still active and yesterday they published 3 new repositories on GitHub:
- hxxps[://]github[.]com/RestBudgieCabin/claude-free-plugin
- hxxps[://]github[.]com/RestBudgieCabin/chatgpt-trial
- hxxps[://]github[.]com/RestBudgieCabin/autotune
@JamfThreatLabs I've found 3 more, they don't have the macOS payload but they look very similar:
- hxxps[://]github[.]com/RestBudgieCabin/claude-free-plugin
- hxxps[://]github[.]com/RestBudgieCabin/chatgpt-trial
- hxxps[://]github[.]com/RestBudgieCabin/autotune
Active domains (urlscan/censys) where the LLM named skimmer (llmcollect[.]com) is present:
- dake360[.]com
- via[.]box
- glacierfreshfilter[.]com
- mildstyles[.]com
- tclsingapore[.]com
- sunbeamlive[.]com
Actors weaponize #AI hype: fake LLM domains, branded C2 infrastructure and payment skimmers. We tracked three active campaigns abusing AI lures and infrastructure. Details at https://t.co/QTb5tEGdsb
Found this last night as well. The curious thing is that it’s running CyberStrikeAI on port 8080, and while poking around the code, I found explicit mentions of “cyberstrike,” so the use of the tools in opendir seems to be connected to it
#MaliciousOpenDir#C2Server#C2#ThreatHunting#CobaltStrike
URL: hxxp[:]//161[.]248[.]87[.]10[:]18888
ASN: AS400619
ISP: AROSSCLOUD INC.
The exposed server contains an open directory with a range of offensive security and post-exploitation tools, which strongly suggests its function as threat actor infrastructure for intrusion operations. The directory features multiple variants of GodPotato and Potato privilege escalation tools for Windows, PowerShell scripts such as token_steal.ps1 and adduser.ps1 for token theft and account creation, and reverse shell related files such as rev.ps1 and https://t.co/lQ6iaROk1h for upload binary files from his victims. The presence of encoded payloads, executables, and source code files further indicates ongoing development, testing, or deployment of attack tools.
I sent a PR to Sigma adding a new rule to detect this behavior: https://t.co/E4BtWQvVT5
References:
- https://t.co/6gvvSGVkyc
- https://t.co/KvFpQQ1F4j
Yesterday, I received two notifications that an AWS key Canarytoken I had placed in a honeypot built with @BeelzebubLabs was triggered by 46.193.68[.]8.
The actor called GetCallerIdentity and GetSendQuota. 🧵
This partially maps to what Wiz and Datadog described: attackers use compromised access keys to call APIs such as GetAccount, ListIdentities, and GetSendQuota.
The goal is to determine whether an SES account is available for later abuse.