Joined January 2016
2,042 Photos and videos
Pinned Post
Generalization is the key on solving the problem of "you-have-wrong-attribution" discussions.
Cybersecurity Terminology
3
3
37
21,234
#APT #Lazarus cameradriverupdates\.com paxos-apply\.com @Namecheap FYI
2
3
9
1,007
"CookieLaw is a lightweight, developer-friendly cookie consent plugin to help you stay compliant with GDPR, ePrivacy, and CCPA." -- is not a plugin, but just #Magecart-related stuff instead. analyticsgtag\.cloud analyticshotjar\.info List: pastebin.com/Q6N6DV2J
1
3
753
Pretty much "thank you" for your "assistance", guys...
1
1
1
828
Some interesting systemd services has appreared on #Lumma-related hosts: /systemd-private-8e43693691394bcf977f1beaea2aa4b3-modemmanager.service-tonrxn /systemd-private-8e43693691394bcf977f1beaea2aa4b3-upower.service-zbkqsz @JAMESWT_WT @smica83 Could you upload them on B, pls ?
1
2
12
1,486
Some add-on for C2 domains list: aputuptherehe\.org galsoillyoucom\.org happygoluckybutterfly\.com malevolencecheats\.com #osx #fluttershell
Unit 42 analyses Operation FlutterBridge, a macOS malvertising campaign that seems to be the next stage of JSCoreRunner. The attackers now deliver adware with full backdoor capabilities through a payload dubbed FlutterShell. unit42.paloaltonetworks.com/…
1
9
1,340
Name: bootkeyslotrat (guess why) Detection: github.com/stamparm/maltrail…
Chinese-linked actors are targeting edge devices across Southeast Asia, leveraging DoH for C2 communications and large-scale DNS hijacking via iptables. See details: EN: qiita.com/Y4er/items/0b60717… CN: qiita.com/Y4er/items/549cfca…
2
4
1,217
sync-simpliconline\.com uromagiservicos\.com ioperador.ddns\.net remote.starmail\.mom remoto.ddins\.click painel.ddins\.click painel.starmail\.mom 5/5
1
1
541
qualifisionemp\.com salomonelawfirm\.com santofoodco\.com sejbrdapremium\.com sejconviteglobal\.com sejpremiebrid\.com sejprincipalbr\.com sejprincipalbrd\.com servicochavesmrx1\.com sigconstrugroup\.com starmail\.mom 4/
1
1
1
564
cvtmrpremiumx\.com cvtmxrpremiumx\.com cvtprinconline\.com ddins\.click deguiemoves\.com limpremiumbrd\.com meuappedigital\.com meufreeflowrccrodoviaz\.com meufreeflowroccrdoviaz\.com netempresaspremium\.com portalchavmrbdr\.com premiumconvitebrd\.com principonlinebelmx\.com 3/
1
27
bremengruposauds\.com ccorodoviazfreeflow\.com ccroviazfreeflow\.com cerenquiliamx\.com clklegaldesign\.com cnvitedigitalbrdl\.com cnviteprinconline\.com conviteglobalonline\.com corptepremiumrx\.com crvamericanmrx\.com cvtamerimraxkr\.com cvteprincipalonline\.com 2/
1
29
Related #banload infra: 45.178.181\.218:443 acesseconviteprincipal\.com acessomundialvip\.com aglobaconvite\.com altahirexpressmrx\.com altprojetosobras\.com assesoriabonline\.com assessoriaonlinebr\.com bazanbusinessco\.com bb-altus\.com benefonline\.com 1/
Some panel with title "Operador - Login": https://remoto.ddins[.]click/login "Operador Painel de controle remoto para gerenciamento e monitoramento de dispositivos em tempo real." "Secure Terminal v3.2 TLS 1.3 AES-256" πŸ˜‚ πŸ€·β€β™‚οΈ @1ZRR4H
1
1
4
1,016
cdnresolver\.com --> dnsresolvev2\.com --> cloudproxy\.link (x.com/suyog41/status/2025846…)
9/ Full confirmed capability set - this is not a simple stealer. It's rather a stealer RAT hybrid. πŸ“Build leak: developer username β€˜rootr’ in Rust debug strings. πŸ“ŒNever run unsigned apps from untrusted sources. Never enter your system password into an app you didn't install yourself.
3
1
954
FIle: virustotal.com/gui/file/0fc7…
🚨 The "π™ΌπšŽπšπšŠπš•πš˜πšπš˜πš—" Campaign is live... 𝟻,𝟽𝟷𝟾 malicious commits to 𝟻,𝟻𝟼𝟷 GitHub repositories in a six-hour window. Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected π™Άπš’πšπ™·πšžπš‹ π™°πšŒπšπš’πš˜πš—πšœ workflows containing πš‹πšŠπšœπšŽπŸΌπŸΊ-πšŽπš—πšŒπš˜πšπšŽπš bash payloads that exfiltrate: - CI secrets, - cloud credentials - SSH keys - OIDC tokens - source code secrets Check your repo / Technical details: safedep.io/megalodon-mass-gi…
2
2
12
2,104
"IP/OS telemetry syncs to a C2 at l1ewsu3yjkqeroy[.]xyz (Cloudflare-fronted) every 10 seconds" Related domains: pastebin.com/TkJeAMBx
Another npm supply chain compromise. This time npm package πšŠπš›πš-πšπšŽπš–πš™πš•πšŠπšπšŽ, a JavaScript template engine with ~26,000 weekly downloads, has been compromised through maintainer account takeover. Versions 𝟺.𝟷𝟹.𝟹, 𝟺.𝟷𝟹.𝟻 and 𝟺.𝟷𝟹.𝟼 contain unauthorized code appended to the browser bundle (πšπšŽπš–πš™πš•πšŠπšπšŽ-πš πšŽπš‹.πš“πšœ) that loads external JavaScript from third-party domains. checkout for complete details: safedep.io/art-template-npm-…
7
1,299
Who knows... πŸ€¨πŸ€”
1
6
1,243
cdnupdatenews\.top cld-service\.biz cloudevos\.xyz trustnewusacool\.xyz
Seems like nixhacker[.]com may have been compromised with a ClickFix style campaign. Opening blog posts presents a fake CAPTCHA that executes PowerShell to download and run an EXE from cld-service[.]biz/dl @nixhacker
2
1
7
948
New IPs, which can be related to mass npm and pypi packages compromisation cases: 23.254.164.61:8000 23.254.164.92:8000 Detection: github.com/stamparm/maltrail…
ETAG-IP=W/"16-zUIWjx30dNMOrJoqA1R8JWYnVAw" Considering connections: 23.254.167\.216:8000 23.254.203\.244:8000 as related to infra for #axios compromisation
1
2
730
Need a hint on what is it? All related IPs are from AS 205775 (ipinfo.io/AS205775)
1
3
7
1,829
More: biolynq\.com cdn-vault\.com cytovine\.com duskpollen\.com event-trk\.com fnstatick\.com gaevnt\.com goaff-pro\.net hollowbark\.com malinabet\.click plothranex\.com quarvixin\.com sandvortex\.com statqx\.com synthrova\.com uynstatic\.com wavekernel\.com xolvramiq\.com 4/4
1
676
ultradevforge\.com vermexis\.com xanryl\.com 3/3
1
1
1
670