@RussianPanda9xx RussianPanda 🐼 🇺🇦

RussianPanda 🐼 🇺🇦 posts on X about check, the new, in the, check out the most. They currently have [------] followers and [---] posts still getting attention that total [-----] engagements in the last [--] hours.

Engagements: [-----] #


Mentions: [--] #


Followers: [------] #


CreatorRank: [-------] #


Social Influence

Social category influence: technology brands 6.54%, stocks 5.61%, finance 3.74%, social networks 3.74%, products 1.87%, travel destinations 0.93%, automotive brands 0.93%, countries 0.93%

Social topic influence: check 7.48%, the new 5.61%, in the 5.61%, check out 3.74%, this is 3.74%, link 3.74%, config 2.8%, we are 2.8%, sleep 2.8%, have the 1.87%

Top accounts mentioned or mentioned by: @esthreat, @huntresslabs, @blackhatnanny, @urlscanio, @g0njxa, @xplynx, @dodosec, @anyrunapp, @traclabs, @validinllc, @malwarevillage, @mecha_egirl, @dnews88222, @cisagov, @ukdanielcard, @wifirumham, @roddsec, @russianpandapswstealeranalysisca0867b3594b, @pr0xylife, @0xtoxin

Top assets mentioned: SolarWinds Corporation Common Stock (SWI), Crowdstrike Holdings Inc (CRWD), Cloudflare, Inc. (NET), Spotify Technology (SPOT)

Top Social Posts

Top posts by engagements in the last [--] hours

"Who are you and why do you have the same face as me 😂 @DNews88222"
X Link 2026-02-12T00:47Z 18.1K followers, [----] engagements

"We underestimate simple malware infections way too much. No 0-day, no exploited VPN, no exposed RDP. Just social engineering - backdoor - game over. The unsexy stuff is still winning if not monitored or detected properly"
X Link 2026-01-29T16:49Z 18.1K followers, 16.9K engagements

"We identified the threat actor behind the ransomware campaign. Cool cool, so anyway they are having breakfast in Moscow completely unbothered. Spend time cutting off their profits instead"
X Link 2026-01-31T18:10Z 18K followers, [----] engagements

"NEW SILENT HILL MOVIE IS OUT AND NOBODY TOLD ME ABOUT IT"
X Link 2026-01-31T19:29Z 18K followers, [----] engagements

"I've been declining Notepad++ updates for a while now and I'm actually proud of myself. Not because I suspected anything, I'm just lazy. But still"
X Link 2026-02-02T14:15Z 18K followers, 16.5K engagements

"Based on our observations, going to put my money on this being Akira. @CISAgov https://www.huntress.com/blog/esxi-vm-escape-exploit"
X Link 2026-02-05T20:55Z 18.1K followers, [----] engagements

"Nothing feels better than helping to write a SolarWinds advisory on the weekend 🎲 Inspiration gained. Sage: You chose knowledge over rest. Gale would be proud"
X Link 2026-02-08T00:06Z 18.1K followers, [----] engagements

"@UK_Daniel_Card @xplynx I don't believe you @xplynx Thank you Daniel @UK_Daniel_Card ☺"
X Link 2026-02-08T23:08Z 18K followers, [--] engagements

"What I was thinking is the threat actor configured custom alerts on the SimpleHelp server side. SimpleHelp supports custom alerts which let you run any toolbox script on a schedule against remote machines and trigger based on the return code. The TA likely set up custom alerts with toolbox scripts that enumerate window titles and check for those crypto/RMM keywords, then report back when a match is found https://twitter.com/i/web/status/2021629505626952129"
X Link 2026-02-11T16:56Z 18.1K followers, [---] engagements

"My first job in cybersecurity paid $50k. I had a car loan, lived in a studio apartment and was juggling a ton of bills and debt. It wasn't a great salary but it was manageable - you just have to be smart with your money. https://t.co/EiaxKcm0Je https://t.co/bJOCql5TZL"
X Link 2025-10-08T22:28Z 18.1K followers, 657.5K engagements

"Having a hot date with myself 💘"
X Link 2026-02-14T21:01Z 18.1K followers, [----] engagements

"The new #Nitrogen [---] campaign comes back with some juicy stuff. 🤿 ✅ AMSI/WLDP bypass, ETW patching, AntiHook and the implementation of KrakenMask ✅ Usage of transacted hollowing ✅ Obfuscated Python scripts delivering Sliver C2 and Cobalt Strike payloads ✅ Usage of Restic for data exfiltration ✅ Deployment of ALPHV/BlackCat in the final phase. Check out our blog for more details: @esthreat https://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware"
X Link 2023-11-04T06:33Z 18.1K followers, 45.5K engagements

"NEW BLOG: The Great VM Escape 💕 We caught threat actors deploying a VMware ESXi exploit toolkit in the wild - potentially was a zero-day developed over a year before VMware's disclosure 👀 If anyone has thoughts on it let me know, but I needed almost a full case of beer to wrap my head around this one 🍺 Full technical breakdown 👇 https://www.huntress.com/blog/esxi-vm-escape-exploit"
X Link 2026-01-07T15:02Z 18.1K followers, 158.3K engagements

"New blog on a Sunday, sheesh. We caught threat actors actively exploiting SolarWinds Web Help Desk (CVE-2025-26399). The tradecraft is wild - Velociraptor as C2, Zoho Assist, Cloudflare tunnels, QEMU SSH backdoors, and the attacker built their own Elastic Cloud instance to triage victims at scale. Bro thinks he's a blue teamer 💀 Patch WHD to [------] now - all prior versions are vulnerable http://huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399"
X Link 2026-02-08T21:55Z 18.1K followers, 33.2K engagements

"Grab some Modelos with me and let's talk about SolarWinds 🥹 If you run SolarWinds Web Help Desk, stop scrolling. This is being actively exploited. The wildest part about it: these cybercriminals stood up their own stack. @RussianPanda9xx breaks it down. This write-up is only part of what we uncovered: https://t.co/bSTK5mQtNq https://t.co/ekv4cOrsT0"
X Link 2026-02-11T02:28Z 18.1K followers, [----] engagements

"Traveling back from the @HuntressLabs offsite and honestly I miss office vibes. No Slack delay, just screaming across the room like hey about that thing. - I GOT YOU HOMIE with full eye contact and zero emoji needed. (okay maybe one 🥰). Everyone is just so amazing to talk to and hang out with ❤ https://twitter.com/i/web/status/2019831986022473745"
X Link 2026-02-06T17:54Z 18.1K followers, [----] engagements

"Back home where the wifi is strong and the bed doesn't require a key card 😂 I don't know how y'all are always on the road 😭"
X Link 2026-02-07T02:59Z 18.1K followers, [----] engagements

"Be honest you dig my IDA theme I finally switched to the dark side"
X Link 2026-02-15T23:12Z 18.1K followers, [----] engagements

"@dodo_sec I would just block them and let people figure it out themselves that the query doesn't work"
X Link 2026-02-03T19:40Z 18K followers, [--] engagements

"@WifiRumHam @dodo_sec That's fair, but you can still warn people without naming the person behind it. If people want to know - they will find out"
X Link 2026-02-03T23:54Z 18K followers, [--] engagements

"We have matching hair 👩‍🦳 @RoddSec"
X Link 2026-02-05T02:28Z 18K followers, [----] engagements

"Finished the write-up on #PSWSTEALER. It's been a while since I touched Medium. https://medium.com/@RussianPanda/pswstealer-analysis-ca0867b3594b"
X Link 2023-04-03T05:00Z 18.1K followers, 26.8K engagements

"Potential #ducktail #infostealer. The binary is a mess. Has ngrok embedded in it and .NET dependencies (I believe for credentials stealing). It collects Brave, Edge, Chrome and Firefox browsing data, takes the screenshot of the user machine and saves it under %temp% folder with the name tmp_cap_randomdigits. Telegram serves as the C2 channel: hxxps://api.telegram.org/bot5990104447:AAFophsPbIvfIt7o-XkSFffhtBLCNrHIxoQ/getUpdates Sandbox flags it as XWorm for some reason. Memory dump also extracted a bunch of Outlook emails @esthreat https://tria.ge/230424-qret4aca76"
X Link 2023-04-24T21:20Z 18.1K followers, 34K engagements

"How I reverse malware Disclaimer: dont try this at home"
X Link 2023-04-26T02:13Z 18.1K followers, 30.4K engagements

"Check out my writeup on #Vidar #Stealer 😊 @esthreat https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer"
X Link 2023-05-11T16:35Z 18.1K followers, 28.2K engagements

"#Pikabot execution chain: ➡ rundll32.exe PikaBot_payload.dllTest (initial execution) ➡ WerFault.exe (connects to PikaBot C2, in our case it's 45.85.235.39) ➡ whoami.exe /all ➡ ipconfig.exe /all ➡ schtasks.exe /Create /F /TN "B220CD07-2339-4E8E-8FDD-DF2C6D1B42DC" /TR "cmd /q /c start /min "" powershell "$HydrofluoboricInclaspedNonredressing = Get-ItemProperty -Path HKCU:SoftwareHydrofluoboricInclaspedNonredressing; powershell -encodedcommand $HydrofluoboricInclaspedNonredressing.ParodyRoisterImpressibly"" /SC HOURLY /MO (example of the scheduled task as a persistence mechanism the registry"
X Link 2023-05-19T19:53Z 18.1K followers, 52.1K engagements

"Hunting for APTs at the park 😎"
X Link 2023-05-21T20:32Z 18.1K followers, 42.2K engagements

"Check out my latest analysis on #WhiteSnakeStealer with them config extractors 🐍 I know the image does not represent the white snake but a shoutout to @0xToxin for generating it for me 🤗 https://russianpanda.com/2023/07/04/WhiteSnake-Stealer-Malware-Analysis/"
X Link 2023-07-05T22:02Z 18.1K followers, 45.6K engagements

"When a SOC analyst closes the true positive alert as false positive ☠ IT admins after half the company clicked the phishing link. https://t.co/M9Tz8AjPyK"
X Link 2023-07-15T18:51Z 18.1K followers, 45K engagements

"Raccoons are cute but not the stealers 🦝 Check out my latest writeup on Raccoon Stealer @esthreat https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-raccoon-stealer-v2-part-2"
X Link 2023-08-04T15:33Z 18.1K followers, 18.4K engagements

"Wrote a #DarkGate configuration extractor. Doesn't cost 15k per month 🥲 https://github.com/esThreatIntelligence/RussianPanda/blob/main/darkgate_config_extractor.py"
X Link 2023-08-21T06:21Z 18.1K followers, 40.9K engagements

"I wrote the #PikaBot C2 extractor script. Since I am terrible at Regex, I found Yara pattern matching much more merciful 😅 You can access the C2 extractor here: https://github.com/esThreatIntelligence/RussianPanda_tools/blob/main/pikabot_c2_extractor.py"
X Link 2023-11-17T18:41Z 18.1K followers, 35.2K engagements

"Check out my writeup on #ParallaxRAT 🐀 infection leading to lateral movement. And of course not without the configuration extractor: @esthreat https://github.com/esThreatIntelligence/RussianPanda_tools/blob/main/parallax_rat_config_extractor.py https://www.esentire.com/blog/unveiling-parallax-rat-a-journey-from-infection-to-lateral-movement"
X Link 2023-11-25T01:08Z 18.1K followers, 37.4K engagements

"#100DaysofYara Day 6: This rule detects TrueCrypt, which is the crypter written in Golang and is used by many well-known stealer families such as Raccoon Stealer, Vidar, MetaStealer, Redline and Lumma stealers. Let's make our rules more confusing for malware developers 😉 Another contribution to an awesome #UnprotectProject 🔥 cc @fr0gger_ https://github.com/RussianPanda95/Yara-Rules/blob/main/TrueCrypt/truecrypt_crypter.yar"
X Link 2024-01-06T21:59Z 18.1K followers, 43.6K engagements

"This was my first attempt at dissecting MacOS malware with barely any knowledge about how MacOS works, but I certainly learned a lot. I present you the blog on #AtomicStealer, or From Russia With Code: Disarming Atomic Stealer https://russianpanda.com/2024/01/15/Atomic-Stealer-AMOS/"
X Link 2024-01-16T06:03Z 18.1K followers, 20.9K engagements

"New #PlanetStealer written in Golang. What do we know so far 🔒 It's UPX-packed. Simple XOR string encryption. Sends POST requests to C2 server: 193.178.170.30 (can anyone find a login link) 😅 with exfiltrated data: ✅ /submit/info - sends the initial information including bot ID, builder ID and user information ✅ /submit/file - sends out the ZIP archive with collected data. What to look for in case of a successful infection 💡 File creations such as Cookieschrome-default.txt, system.txt, SQLite files (e.g. qEyjW2Mb.dat) under %TEMP% folder. Thanks to @anyrun_app for the sandbox analysis:"
X Link 2024-03-05T03:28Z 18.1K followers, 25.8K engagements

"Time to add #GlorySprout stealer to the list of shame. Check out my analysis on GlorySprout Stealer, or should I say Taurus Stealer 🤔 https://russianpanda.com/2024/03/16/The-GlorySprout-Stealer-or-a-Failed-Clone-of-Taurus-Stealer/"
X Link 2024-03-17T02:04Z 18.1K followers, 42.9K engagements

"Deanon is claiming to have the original version of Pegasus that works on all versions of Android and iOS. The pricing for the lifetime access is $ [-------] 👀 A few days later Deanon offered the subscription model for Pegasus Panel. Around April [--] Apple started sending email notifications on targeted mercenary spyware attacks to affected users 🤔 https://support.apple.com/en-us/102174"
X Link 2024-04-11T13:58Z 18.1K followers, 155.9K engagements

"I can't emphasize enough how invaluable @urlscanio has been in identifying additional domains related to #FIN7. The effort would not have been possible without the support of the community and the contributions of people who submit those domains to the platform. https://urlscan.io/search/#filename%3A%229e4e27b7-bcfb-4298-bf8f-2cf4a6bdb3bf-9b6b40d6-3f8e-4755-9063-562658ebdb95%22"
X Link 2024-05-03T00:04Z 18.1K followers, 47.9K engagements

"Thank you everyone for your support and very helpful tips. I think the presentation went well. 🥹 We are presenting at #RSAC first thing in the morning tomorrow. I am terrified of public speaking, feeling very anxious mostly because of the imposter syndrome I think. Hopefully will get some sleep tonight 😀"
X Link 2024-05-07T20:04Z 18.1K followers, 18.1K engagements

"I'm telling you I'm a panda 🐼 👀"
X Link 2024-06-29T18:31Z 18.1K followers, 13.4K engagements

"It's time to replace you, IDA. One step at a time 🥷 @psifertex My opsec is lit I know"
X Link 2024-07-03T18:41Z 18.1K followers, 12.4K engagements

"Do people actually read long technical blogs with myriad lines of code and [--] paragraphs of explanations 🤔 I feel like my writeups are getting shorter and shorter just because from my personal experience I don't read everything in a 10-15 pages article and I usually scroll down to interesting parts. 🫣"
X Link 2024-07-07T05:58Z 18.1K followers, 51.7K engagements

"As promised, I am releasing the blog on the abuse of ITarian RMM by #DolphinLoader, a new MaaS Loader in the market. You will find some interesting stuff in there 👀🐬 Link: https://russianpanda.com/The-Abuse-of-ITarian-RMM-by-Dolphin-Loader"
X Link 2024-08-16T17:56Z 18.1K followers, 26.6K engagements

"#PoseidonStealer switched from encoding the AppleScript using hexadecimal to a custom Base64-encoding alphabet. I wrote a config extractor to handle both the previous and the new versions. I ran across [--] samples found on VT, seems to work 😅 Output (38 samples): Link to config extractor: https://github.com/RussianPanda95/Configuration_extractors/blob/main/poseidon_config_extractor.py https://gist.github.com/RussianPanda95/ed9e58382275bedbb56baed716ddfb6d"
X Link 2024-09-03T17:33Z 18.1K followers, 11.9K engagements

"A good hunting rule for #LummaStealer C2s on @virustotal: query: entity:url title:"Just a moment." url:.shop/api Need that PRO access 🥹"
X Link 2024-09-04T01:42Z 18.1K followers, 27K engagements

"MSIX is still so hot right now, here is the basic query to get started with some juicy malware hunting, thanks @urlscanio 🕵 query: page.url:".msix" NOT page.url:statics.teams NOT page.url:teams.static"
X Link 2024-10-03T02:29Z 18.1K followers, 18.2K engagements

"Did you know Vidar and StealC stealers have one interesting thing in common? Can you guess what it is? Whoever gets it right first gets $100 from me 😅"
X Link 2024-10-16T02:18Z 18.1K followers, 40.3K engagements

"Can someone verify if this is real 👀 Law enforcement has compromised the entire backend infrastructure of the Redline and Meta infostealers. All data has been seized and will be reviewed as part of an ongoing internationally coordinated investigation. For details (or arrest warrants) visit: http://www.operation-magnus.com"
X Link 2024-10-28T06:22Z 18.1K followers, 65.1K engagements

"Check out the new blog I wrote on #Gabagool AiTM Phishing we discovered at @TRACLabs_ 🐟 targeting corporate and government employees. https://medium.com/@traclabs_/aitm-phishing-hold-the-gabagool-analyzing-the-gabagool-phishing-kit-531f5bbaf0e4"
X Link 2024-11-18T02:40Z 18.1K followers, 25.7K engagements

"FINALLY 🔥 The new blog has been launched in collaboration with @g0njxa 💙 Today we hope to expose the #CRYPTOLOVE traffer's group operation. It is a long read but we promise it is worth it. https://trac-labs.com/hearts-stolen-wallets-emptied-insights-into-cryptolove-traffers-team-3f65e84ccebe"
X Link 2024-11-27T22:11Z 18.1K followers, 141.4K engagements

"Whose account did they gain access to 🫠"
X Link 2024-12-15T05:55Z 18.1K followers, 43.6K engagements

"Happy Friday everyone. With recent changes in #LummaStealer - using ChaCha20 for C2 encryption, here is the new config extractor in C/C++. We will try a different approach this time 🐦 Enjoy https://github.com/RussianPanda95/Configuration_extractors/tree/main/LummaC2"
X Link 2025-01-24T20:59Z 18.1K followers, 29.6K engagements

"Happy Valentine's folks ❤ I am excited to share with you my recent research @TRACLabs_ on #SocGholish post-exploitation phase and delivery of #GhostWeaver backdoor. Huge thanks to @ValidinLLC and @badsectorlabs for providing great tools and labs that helped in my research. Link: Love you all 🫶 https://trac-labs.com/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983"
X Link 2025-02-14T22:11Z 18.1K followers, [----] engagements

"This is pretty good, not going to lie, my job is being replaced by Claude now 🥲 Claude [---] + IDA MCP automatically reverse engineers Windows driver ctf I wrote without symbols (p1, p2). Proceeds to create structures and recreates source code (p3) with extreme accuracy compared to original source (p4). 3mins fully automated https://t.co/Gekol9ycHY"
X Link 2025-03-28T04:35Z 18.1K followers, 25.7K engagements

"#AMOS Stealer changed their obfuscation, so instead of hardcoding a blob of data (configuration) and custom base64 alphabet, each character is computed at runtime through subtraction. Here is the configuration extractor script (tested on IDA Pro 9.1): https://github.com/RussianPanda95/IDAPython/blob/main/Atomic%20Stealer/amos_config_extract_idapython-3-2025.py"
X Link 2025-03-30T02:16Z 18.1K followers, 22.7K engagements

"Autopsy of a Failed Stealer: StealC v2 When Your $3000 Malware Budget Goes to Marketing Instead of Actually Enabling the Encryption Function. I did some analysis on the updated #StealC v2. The blog comes with config extractor, hunting queries and Yara rule. Let me know your thoughts 💙 Link: Thank you @g0njxa @iamaachum and @pancak3lullz for providing the valuable information. As well as @ValidinLLC @censysio and @anyrun_app for providing their platforms for analysis and threat hunting ❤🫶 https://trac-labs.com/autopsy-of-a-failed-stealer-stealc-v2-a4e32da04396"
X Link 2025-04-10T21:39Z 18.1K followers, 17.3K engagements

"I gave malware RE everything I had. Now I'll give the threat actors everything they deserve. I officially joined @Unit42_Intel as a Threat Hunting Researcher"
X Link 2025-04-29T04:12Z 18.1K followers, 32.1K engagements

"I'm sorry for disappearing for a bit there. I have been dealing with some family issues, it's tough but I should be back on my feet again soon 💙"
X Link 2025-06-19T02:42Z 18.1K followers, 11.4K engagements

"When you know the malware developer is a Russian native speaker 🫠"
X Link 2025-06-22T23:53Z 18.1K followers, 64.3K engagements

"AI: "Hold my IDA" destroys malware in under [--] minutes. Hyped to announce that me and @EdwardCrowderX will be speaking at @MalwareVillage at #DEFCON33. Our talk title is "Your Static Tools Are Cute - My AI Ripped ZebLoader Apart". Can't wait to see you there 🚀"
X Link 2025-06-23T01:35Z 18.1K followers, 19.9K engagements

"Spoiler alert 😌"
X Link 2025-07-02T19:45Z 18.1K followers, 14.7K engagements

"Did you know TypedPaths artifact can be helpful to detect the FileFix? First FileFix that I've seen in the wild: https://t.co/prm4gpscMj"
X Link 2025-07-03T17:52Z 18.1K followers, 59.5K engagements

"I need a new badass profile picture #NewProfilePic"
X Link 2025-07-03T22:11Z 18.1K followers, 10.8K engagements

"Upper braces removed. No more alligator teeth 😂"
X Link 2025-07-09T15:33Z 18.1K followers, [----] engagements

"AI + reversing. I use it all quite a lot. Not because I can't do the work but because it enables me to work faster when reversing is not my primary job. When the sample fails to run in the sandbox and you need the IOCs during an active engagement, I'll drop it in a disassembler, figure out the decryption logic and write a quick extractor with AI helping me script it faster. Here is the thing: AI isn't magic. You still need to know what you are looking at and give the right prompts. If you understand how the malware works, AI becomes a powerful assistant. Let's chat more about it in @MalwareVillage"
X Link 2025-07-19T20:46Z 18.1K followers, 13.6K engagements

"If ransomware gangs can afford it, why can't we 🏎"
X Link 2025-07-23T19:57Z 18.1K followers, 24.5K engagements

"Got a chance to hang out with @d4rksystem during #defcon33 and got his book signed even 🥰"
X Link 2025-08-10T01:58Z 18.1K followers, 23.3K engagements

"It was so nice to meet everyone at #defcon33 🥹💙 You nerds are so cool"
X Link 2025-08-10T02:30Z 18.1K followers, 11.4K engagements

"I just want to say thank you for all of your support, just hit 15k followers 🥹 Love you guys 💙"
X Link 2025-08-16T17:59Z 18.1K followers, 15.4K engagements

".NET malware is easy they say. wait until you see this crap that can't even be properly debugged"
X Link 2025-08-17T20:24Z 18.1K followers, 28.1K engagements

"Going to wear this shirt every day to work from now on 😂"
X Link 2025-08-31T17:00Z 18.1K followers, [----] engagements

"Funny how folks complain about EDR seeing too much That visibility is literally what stops you from waking up to ransomware notes at 3AM"
X Link 2025-09-09T18:59Z 18.1K followers, 21.9K engagements

"How big is your malware folder"
X Link 2025-09-12T17:39Z 18.1K followers, 25.8K engagements

"I'm going to have nightmares tonight about LockBit [---] if I ever manage to fall asleep 💀"
X Link 2025-09-15T06:31Z 18.1K followers, 66.9K engagements

"I hate wearing dresses but here we go 😔"
X Link 2025-09-21T01:53Z 18.1K followers, 10.1K engagements

"Had an incredible time working on this case 🔍 Proud to share my first contribution to @TheDFIRReport. I learned so much from investigating this case and can't wait to contribute more ☺🐼 🌟New report out today🌟 From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion. Analysis/reporting completed by @RussianPanda, Christos Fotopoulos, Salem Salem, reviewed by @svch0st. Audio: Available on Spotify, Apple, YouTube and more. Report: https://t.co/E4bFI79BLc"
X Link 2025-09-29T15:31Z 18.1K followers, 19.1K engagements

"@vxunderground Smelly finished all the side quests in cybersecurity and accidentally 100% completed the game"
X Link 2025-10-09T01:44Z 18.1K followers, 21.5K engagements

"DM me for . new Lumma config extractor 🤭"
X Link 2025-10-17T04:35Z 18.1K followers, 30.2K engagements

"I received so many DMs on Lumma config extractor. I promise I will get back to all of you by the end of tomorrow. Have a good weekend, love you all 🥰❤"
X Link 2025-10-18T18:54Z 18.1K followers, [----] engagements

"Why spend hours deobfuscating PowerShell scripts when you can just redefine Invoke-Expression"
X Link 2025-10-21T18:56Z 18.1K followers, 22.9K engagements

"The last thing you see before leaking your VirusTotal Enterprise API key"
X Link 2025-10-25T21:39Z 18.1K followers, 17.4K engagements

"You know what day it is: Sunday - the national holiday for shitposting. Didn't realize how old I am until I started seeing them wrinkles on my face 😩"
X Link 2025-11-02T19:56Z 18.1K followers, [----] engagements

"If you're in cybersecurity, live in the States and decide to do cybercrime, just save everyone the time and CC the @FBI. Meet Ryan Clifford Goldberg, a Digital Forensics and Incident Response manager at Sygnia; he is one of three insiders accused of cybercrimes. He allegedly conducted cyberattacks using ALPHV BlackCat ransomware. Goldberg and two other insiders ran ransomware operations since https://t.co/jzplRr00p8"
X Link 2025-11-05T06:24Z 18.1K followers, 72.3K engagements

"Good morning ☀ #GootLoader woke up and chose violence (again). Grab your coffee, this one's JUICY 💣 https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation"
X Link 2025-11-05T15:04Z 18.1K followers, 27.6K engagements

"I've seen a lot of comments about me listening to music in Russian or being told to change my handle. I'm not changing it on platforms where the community follows my work. My handle was created years before the war and was meant to mock Russian cybercriminals - inspired by names like FancyBear (thanks CrowdStrike). I do not support the war. I simply grew up listening to Russian music, like many people from Eastern Europe"
X Link 2025-11-09T15:26Z 18.1K followers, 15.3K engagements

"Pandas sleep [--] hours a day. I do too - emotionally every day and physically on my days off"
X Link 2025-11-11T18:02Z 18.1K followers, [----] engagements

"I barely have makeup and filters on this one. Don't judge the looks and just admit that emulating is cool 😭 When hackers play checkers, @RussianPanda9xx plays chess. ♟ She studies their every move, emulates their malware and turns their own tactics against them. Because the best cybersecurity defense isn't defense at all. It's offense. https://t.co/n2bPmDGRhE"
X Link 2025-11-11T22:07Z 18.1K followers, 16.9K engagements

"My team @HuntressLabs is hiring a Senior Hunt & Response Analyst (West Coast, 3-5 years exp). Not going to lie, this is one of the best teams I have worked for in my entire career. We want the person who: 😰 Makes threat actors sweat 🎯 You hunt threats for fun 🔥 Actually enjoys incident response 😴 You can timeline an incident while half asleep 💀 Knows their way around a compromised system blindfolded. Cultural fit: We protect ALL businesses, not just the 1%. If you think every company deserves good security and you get genuinely hyped about kicking bad guys' asses, we want you. You know who you"
X Link 2025-11-12T19:47Z 18.1K followers, 21.8K engagements

"1/ #QuasarRAT 🐀 was observed being delivered via #OneNote. Shoutout to @dr4k0nia for helping me with deobfuscating the "injector" ✏ and showing me some .NET dark arts. C2: ghcc.duckdns.org:4782 Extracted configuration: https://github.com/RussianPanda95/Malware/blob/main/QuasarRAT/QuasarRAT_OneNote.json"
X Link 2023-02-04T06:47Z 18.1K followers, 34.2K engagements

"1/ You might have noticed that my area of interest is specifically stealers and RATs 😅 Wrote the configuration extractor for #Vidar stealer https://github.com/RussianPanda95/Configuration_extractors/blob/main/vidar_config_extractor.py"
X Link 2023-05-03T20:58Z 18.1K followers, 39.3K engagements

"An interesting bundle that: ➡ Drops Xen Manager password recovery ➡ Drops Golang password extractor ➡ Drops XMRig ➡ Exfiltrates credentials over an FTP channel ➡ FTP: ftp.hpdataserver.altervista.org (lots of stolen credentials 💀) ➡ Another potential C2: 207.180.208.205 Sandbox analysis: @esthreat https://tria.ge/230524-xfkpjaeb76/behavioral3 https://github.com/moonD4rk/HackBrowserData/releases/tag/v0.4.4"
X Link 2023-06-04T05:41Z 18.1K followers, 30.7K engagements

"The report on the campaign I proudly named "Resident" is finally out 🔥 We have been tracking it since December [----] across multiple EDR products - Carbon Black, SentinelOne and CrowdStrike @esthreat https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign"
X Link 2023-06-19T18:28Z 18.1K followers, 42.4K engagements

"Check out my writeup on #MetaStealer 👾 It's not to be confused with #RedlineStealer Big thanks to @cod3nym for the review https://russianpanda.com/2023/11/20/MetaStealer-Redline's-Doppelganger/"
X Link 2023-11-21T02:40Z 18.1K followers, 35.5K engagements

"Another great showcase of using @urlscanio. You can use Options to specify the HTTP referer and user agent. Let's apply this to the threat case that @DaveLikesMalwre found today. We were able to extract the main culprit (chatgpt-app.cloud) from the injected script that is serving the malicious payload. How did it start 👀 The user visited the infected page serving a fake browser update 🐛 After passing the VM and browser checks the user was served the malicious ZIP archive hosted on Discord CDN Link: https://urlscan.io/result/4cef63b0-2a21-41cc-9d2c-ab8f02f9056b/"
X Link 2024-05-03T20:51Z 18.1K followers, 31.4K engagements

"We are presenting at #RSAC first thing in the morning tomorrow I am terrified of public speaking feeling very anxious mostly because of the imposter syndrome I think Hopefully will get some sleep tonight 😀"
X Link 2024-05-07T06:05Z 18.1K followers, 26.5K engagements

"I heard stealers are struggling to restore Google 🍪👀 Translated post (#LummaC2): Guys since Google has tightened the screws 🔩 and while we are exploring automation options here are some temporary tips for working with Google accounts ☀ Tips ⚡ [--]. For logging in you now need to select an almost perfect location with accuracy down to the area/region/state level. [--]. Each Google account now requires its own profile in an anti-detect browser. If before you could use one profile for multiple accounts that's no longer the case due to Google's restrictions ☹. [--]. If you are using account recovery"
X Link 2024-10-03T15:46Z 18.1K followers, 29.6K engagements

"Good detection rule for Vidar and StealC you think 😛 Did you know Vidar and StealC stealers have one interesting thing in common Can you guess what it is Whoever gets it right first gets $100 from me 😅"
X Link 2024-10-16T22:30Z 18.1K followers, 35.2K engagements

"Presenting the #Wagmi traffer group ( ). Collaborated with @g0njxa on this blog to raise awareness about these widespread scams on X Discord and other platforms. Too many people are falling victim putting millions in the hands of threat actors. Stay vigilant 🕵 https://trac-labs.com/the-wagmi-manual-copy-paste-and-profit-2803a15bf540"
X Link 2025-04-05T19:01Z 18.1K followers, 29.5K engagements

"Day [--] with a MacBook: Spent [--] minutes looking for the Windows Start button like I'm searching for my will to live 😂 Also what psychopath invented natural scrolling"
X Link 2025-07-06T20:43Z 18.1K followers, 24.9K engagements

"That's the best pentest report from the ransomware ops - deploy Huntress agent 💙"
X Link 2025-07-24T00:40Z 18.1K followers, 24.6K engagements

"WTF is this detection for a Cobalt Strike payload How an analyst is supposed to interpret this"
X Link 2025-09-02T01:07Z 18.1K followers, 15.9K engagements

"So far what I am seeing for unpacking the LockBit [---]. - Hardcoded seed gets mixed through bit operations to create cipher state - Each byte of keystream comes from shuffling [--] state values with shifts (11 [--] 8) and XORs for stream cipher generation - XOR encrypted blob with keystream to get data - But the data is compressed maybe 🤔 I am seeing it reading control bytes copies literals or back-references while passing chunks through unscrambling function - Then each decrypted chunk feeds back to regenerate the cipher state (XOR + rotate operations) which changes the keystream for the next"
X Link 2025-09-15T14:55Z 18.1K followers, 55.7K engagements

"Microsoft Authenticator is insanely bad. It didn't transfer to the new iPhone so now I need to legit have two phones 🥲"
X Link 2025-09-22T17:42Z 18.1K followers, 43.6K engagements

"Who let the panda 🐼 out of the Berlin zoo"
X Link 2025-09-25T17:15Z 18.1K followers, 13.2K engagements
