#MalwareChallenge
What is this Java #malware
(besides "Branchlock Obfuscator")
C2: {italimmuo,skadooo}.ddns[.]net:{1006,8793}
ZIP (mail attach)
https://t.co/TmGNPynaVq
JAR Sample:
https://t.co/CYc3Mfsop1
C2 pcap:
https://t.co/6ObPCArNMg
No IDS hits 🤔 (malware specific)
#MalwareChallenge
Password protected #malware ZIP attach with unknown password.
Who can provide the password or EXE sample?
ZIP sample provided here:
https://t.co/b7bgW9gcaa
RFQ.exe
2637855 bytes
Date: 2024-09-24 05:48:58
So @censysio just deployed the "suspicious-open-dir" label to their search engine.
So far it appears a game changer, giving very solid hit rates on finding malicious infrastructure.
So for today, this will be a thread documenting my findings using the new feature.
1/x
Appreciation post time.
There are a lot of security researchers who have an entire career focused on tracking botnets, or information stealers, and do so for years with little to no recognition. We'd like to take a minute to shoutout a few people who we think are doing great stuff and not getting enough love and respect.
- @malwrhunterteam, consistently for years tracking malware, initial access malware, and openly sharing information on it
- @Max_Mal_, @Cryptolaemus1 (and whoever is part of the group), @JAMESWT_MHT, and @1ZRR4H, for ruthlessly tracking many of the big-name botnets and loaders and openly sharing information on it
- @JaffaCakes118, and @Neiki__, they both are some of the largest malware collectors and distributors. They've freely shared millions of malware samples for years.
- @Gootloader, actively tracking Gootloader, the initial access malware used by many ransomware groups, and doing so, for free, for literally years.
- @bmmaloney97, the number one expert in Windows OneDrive analysis and internals. He has openly and freely shared his research for years.
- @RussianPanda9xx, for actively tracking Lumma Stealer (and tons of others), for what feels like forever, and openly sharing information and updates on the malware.
There are so many more we could shout out, but we can't think of any more off the top of our head. But your work is respected and remembered. Thank you so much for the things you do for the researchers and the world.
📌 Uncovering ongoing #phishing attacks distributing HTM and HTML files – #ExploreWithANYRUN
⚠️ Over the past few weeks, we’ve been tracking several active campaigns spreading #malicious documents named “Play_VM”, “payment”, “PurchaseOrder”, etc.
Take a look at the examples:
1️⃣ The #script is not hidden, but pushed down to the bottom of the page with weak obfuscation:
https://t.co/83paiARX34
👉 #IOC: Redirect to http[s]://ythcongress[.]com/wpfile/unsubscribe?277=YWFiYXphQGdlbWluaS1ob2xkaW5nLmNvbQ
2️⃣ The #obfuscation includes many misleading comments to hinder analysis:
https://t.co/eHcSpvI2n8
3️⃣ Unobfuscated #phish page containing #BASE64-encoded images:
https://t.co/kA9qdjm18O
👉 IOC: Redirect to http[s]://sgsfserer[.]mypi[.]co/orvc/pdfz[.]php
4️⃣ Fully #obfuscated script without an HTML body:
https://t.co/aJo2mgvG4b
👉 Fetches and decrypts fake PDF images along with scripts from the body
5️⃣ Large gaps between lines on the page make it hard to read the file:
https://t.co/JtNBars5Ra
👉 IOC: Redirect to http[s]://href[.]li/?http[s]://yMU8H[.]inarmitat[.]com/Tfsjj/iligai.jigshj@pilai[.]com
Analyze and investigate the latest #malware and phishing attacks with #ANYRUN 🛡️
So after the investigation by #Qurium and #Correctiv, the Bayerische Verfassungsschutz (LfV Bayern) seized 2 servers operated by the #Doppelgaenger #disinformation group.
The LfV basically proved involvement of #Russia.
1/2
In 1974, I co-founded Métal Hurlant together with Moebius, Jean-Pierre Dionnet and Bernard Farkas 🚀 it was a dream come true. It became a beacon for sci-fi and fantasy art. Proud to be part of such a revolutionary movement
We're launching major upgrades to our scanning engine! 🌐 Live Browsing: Interact with websites in real-time, dismiss alerts, solve CAPTCHAs, and more. Real Device Scanning: High-fidelity scans with actual mobile devices. Blog: https://t.co/25liSRLzdw
4. Beowulf, Unknown
This legendary poem tells of the hero Beowulf, who leads a quest to save the Danish people from the monster Grendel.
Beowulf's list of creatures heavily influenced the creation of some of the races in Middle-Earth.
📌 Abuse of Telegram and Discord messengers by #malware #ARfinds – our new hashtag for interesting samples we find
Attackers use instant messengers to store both stolen data and attack logs, as well as server addresses used in the process of stealing the victim’s data.
📃 We have collected for you the top submission stealers over the last week with this feature:
BlankGrabber (Exfil) https://t.co/jnRSqHy8Zx
Agent Tesla (Exfil) https://t.co/stvqpHieUm
XWorm (Log) https://t.co/Kczxfx1fm7
DarkCrystal (Log) https://t.co/qlP2PVZFAg
Umbral-Stealer (Exfil) https://t.co/DPaPrQ1hRY
Vidar (DDR) https://t.co/Ro1XMolCZT
WhiteSnake (Log) https://t.co/1A3IN7UysA
Creal-Stealer (Exfil) https://t.co/yTiEvln6yM
🔍 #TI search strings:
ThreatName:"telegram" and ThreatName:"stealer"
ThreatName:"discord" and ThreatName:"stealer"
ThreatName:"discordgrabber"
MITRE:"T1102"
⬇️ Try #ANYRUN's Threat Intelligence Lookup yourself https://t.co/9CeHC34Kck
We welcome submission links with abuse cases in the comments 👇
Today @RecordedFuture released a research paper on using malware infostealer logs to identify CSAM consumers.
RecordedFuture identified over 3,000 individuals purchasing CSAM. All users were reported to their respective law enforcement agency.
https://t.co/0uz5jPAJfS
Discover the latest in #ransomware and data leak site monitoring with our May 2024 updates.
Curious to see the data for yourself? Experience it firsthand with a free trial for your cybersecurity experts at https://t.co/023wuB1GRB. Don't miss out!
Announcing the JA4+ Database!
https://t.co/ZqhIkM1dNn
Under *very* active development but ready for use. Expect orders of magnitude more data and JA4+ combinations over the next few months. I recommend downloading the DB and loading it up in your data explorer of choice for now.
Everyone has a different use-case for JA4+ so we're trying to make it easy to find what you're looking for. Below are some examples you can do in a data explorer like Elastic.
JA4 to JA4H
JA4 to User-Agent String
JA4 to Application
JA4 to Library
JA4T to Device
JA4X to Device
JA4X to Application
JA4X to Issuers
JA4X to JA4T
etc. etc. etc.
There are so many combinations and use cases for each.
Please send me any feedback or improvement suggestions.