# ![@Merlax_ Avatar](https://lunarcrush.com/gi/w:26/cr:twitter::146655989.png) @Merlax_ Merl

Merl posts on X about argentina, como, gui, gran the most. They currently have [-----] followers and [--] posts still getting attention that total [-----] engagements in the last [--] hours.

### Engagements: [-----] [#](/creator/twitter::146655989/interactions)
![Engagements Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::146655989/c:line/m:interactions.svg)

- [--] Month [------] +126%
- [--] Months [------] +204%
- [--] Year [------] +86%

### Mentions: [--] [#](/creator/twitter::146655989/posts_active)
![Mentions Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::146655989/c:line/m:posts_active.svg)

- [--] Months [--] +286%
- [--] Year [--] +127%

### Followers: [-----] [#](/creator/twitter::146655989/followers)
![Followers Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::146655989/c:line/m:followers.svg)

- [--] Month [-----] +0.90%
- [--] Months [-----] +6.90%
- [--] Year [-----] +15%

### CreatorRank: [-------] [#](/creator/twitter::146655989/influencer_rank)
![CreatorRank Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::146655989/c:line/m:influencer_rank.svg)

### Social Influence

**Social category influence**
[technology brands](/list/technology-brands)  9.52% [countries](/list/countries)  6.35% [stocks](/list/stocks)  3.17% [social networks](/list/social-networks)  1.59%

**Social topic influence**
[argentina](/topic/argentina) 6.35%, [como](/topic/como) 4.76%, [gui](/topic/gui) #98, [gran](/topic/gran) #362, [server](/topic/server) #39, [google](/topic/google) 3.17%, [$googl](/topic/$googl) 3.17%, [relay](/topic/relay) 1.59%, [cuando](/topic/cuando) 1.59%, [desde](/topic/desde) 1.59%

**Top accounts mentioned or mentioned by**
[@johnk3r](/creator/undefined) [@1zrr4h](/creator/undefined) [@0xtoxin](/creator/undefined) [@dodosec](/creator/undefined) [@assolini](/creator/undefined) [@mediafire](/creator/undefined) [@juanbrodersen](/creator/undefined) [@endifok](/creator/undefined) [@malwrhunterteam](/creator/undefined) [@jameswtmht](/creator/undefined) [@pr0xylife](/creator/undefined) [@executemalware](/creator/undefined) [@russianpanda9xx](/creator/undefined) [@gmailcom](/creator/undefined) [@grupoargos](/creator/undefined) [@bancopatagonia](/creator/undefined) [@viriback](/creator/undefined) [@cosiprensa](/creator/undefined) [@cyb3rops](/creator/undefined)

**Top assets mentioned**
[Alphabet Inc Class A (GOOGL)](/topic/google)
### Top Social Posts
Top posts by engagements in the last [--] hours

"#Mispadu RAT reveal ✨"Un gran poder conlleva una GUI horrible" ✨ 🎯Paises: Algunos aparecen como "ES" pero es por el idioma no por el pais Keep hunting 🏹"  
[X Link](https://x.com/Merlax_/status/2017349602710614197)  2026-01-30T21:30Z [----] followers, 10.9K engagements


"Fake Pay - NFC Relay - Distribuido mediante apps falsas que simulan ser billeteras para tarjetas NFC - La info la recibe un servidor intermediario - El Admin se sincroniza con el server cuando quiere hacer un pago por nfc desde su app Related https://cyble.com/blog/relaynfc-nfc-relay-malware-targeting-brazil/ https://cyble.com/blog/relaynfc-nfc-relay-malware-targeting-brazil/"  
[X Link](https://x.com/anyuser/status/2019882567328231670)  2026-02-06T21:15Z [----] followers, [----] engagements


"Panel 💸📸 #Banker #Fraud .NET malware changes the PIX QR code displayed on screen replacing the original payment data with the fraudsters key a Brazil-focused PIX fraud. This is the first time Ive observed this specific behavior implemented via QR decoding (ZXing) 1/2 @assolini https://t.co/AS8FfyxIRl #Banker #Fraud .NET malware changes the PIX QR code displayed on screen replacing the original payment data with the fraudsters key a Brazil-focused PIX fraud. This is the first time Ive observed this specific behavior implemented via QR decoding (ZXing) 1/2 @assolini https://t.co/AS8FfyxIRl"  
[X Link](https://x.com/Merlax_/status/2015915153116520502)  2026-01-26T22:30Z [----] followers, [----] engagements


"Un segundo RAT en la red - "RD Server" - La comunicacin con el servidor es diferente a la del otro RAT tambin tiene menos overlays 📡 - En la cadena de ejecucin utiliza AutoIT y hace process hollowing a regsvcs ⛓ 🎯Objetivos/overlays: #Mispadu RAT reveal ✨"Un gran poder conlleva una GUI horrible" ✨ 🎯Paises: Algunos aparecen como "ES" pero es por el idioma no por el pais Keep hunting 🏹 https://t.co/KLhIZMAnpj #Mispadu RAT reveal ✨"Un gran poder conlleva una GUI horrible" ✨ 🎯Paises: Algunos aparecen como "ES" pero es por el idioma no por el pais Keep hunting 🏹 https://t.co/KLhIZMAnpj"  
[X Link](https://x.com/anyuser/status/2022423032917106783)  2026-02-13T21:30Z [----] followers, [----] engagements


"#Malware "FX" - Fenix Painel 🪶 - Utiliza rustdesk para acceso remoto - Pareciera tener como objetivo entidades europeas - No s an su procedencia el idioma al menos es portugus - NO est relacionado a "Botnet Fenix" 🚫 - NO tengo muestras/chain Site hxxps://doydoo.site/"  
[X Link](https://x.com/anyuser/status/2022426806570062307)  2026-02-13T21:45Z [----] followers, [----] engagements


"#Malware #Grandoreiro Activos modificando diseos 1er stage Sites 1er stage p://173.249.58.7/ p://213.199.36.218/ p://164.68.106.78/ [---] Links @MediaFire Imagens - Loader + contador "HLsystem" - Site descarga "pdf" (.iso .vbs) - "Captcha" pdf https://pastebin.com/raw/icLFVkhd https://pastebin.com/raw/icLFVkhd"  
[X Link](https://x.com/Merlax_/status/1971700135496503548)  2025-09-26T22:15Z [----] followers, [----] engagements


"Agrego algunos IOCs que estn relacionados Zips (por geo) hxxp://4.246.148.250/585485785/73640.827263/ hxxp://4.228.95.93/9b1suatwv2dmfe3q6st4l88z/73640.827263/ hxxp://172.174.32.104/585485785/73640.827263/ hxxp://20.206.115.204/data-application/73640.827263/ +"  
[X Link](https://x.com/Merlax_/status/1622770558101225472)  2023-02-07T01:33Z [----] followers, [--] engagements


"CVE-2023-20198 🟣 Vulnerabilidad critica en Cisco IOS XE WebUI - [---] IPs comprometidas de [---] en Argentina Ms info:"  
[X Link](https://x.com/Merlax_/status/1714394941185482862)  2023-10-17T21:36Z [----] followers, [----] engagements


"CVE-2023-4966 - Sensitive information disclosure 🟣 Panorama : - [--] vulnerables de [---] escaneados Comparto mi script:"  
[X Link](https://x.com/Merlax_/status/1716847785872437559)  2023-10-24T16:03Z [----] followers, 11.8K engagements


"Supuesta base de datos con ms de 500mil clientes de tiendas argentinas puesta en venta en un foro - Info expuesta: dni mail nombre y telfono - La fuente del leak es desconocida"  
[X Link](https://x.com/Merlax_/status/1721528242358595805)  2023-11-06T14:01Z [----] followers, [----] engagements


"#Malware Bot de Pix para Android🤖 - Supuesto panel de "CMW" - Bancos objetivo parecen ser todos de - Supuestas herramientas utilizadas para bypassear Google Protect Sites de Apps hxxps://playstoreapp.fun/apps/"  
[X Link](https://x.com/Merlax_/status/1730551063302832561)  2023-12-01T11:35Z [----] followers, [---] engagements


"#KLRemota [----] - Versin actualizada del conocido RAT 🐭 - Pequea modificacin en el panel web - +Login - Encontrado en un server inseguro 😁"  
[X Link](https://x.com/Merlax_/status/1735260847998423549)  2023-12-14T11:30Z [----] followers, [--] engagements


"Yo esperando a que entre Starlink a Argentina para negociar por vigsima vez en el ao la factura de internet con el proveedor local"  
[X Link](https://x.com/Merlax_/status/1737630237758718001)  2023-12-21T00:25Z [----] followers, 45.6K engagements


"#Fakebat + #Rhadamanthys #Stealer Hay otras dos publicidades activas en Google apuntando a Bitbucket y Bitwarden IP 141.98.233.61 [--] dominios relacionados a la ip Todos los productos apuntados: Bitwarden BitBucket Blender VMWare Todoist Calendly 1/2"  
[X Link](https://x.com/Merlax_/status/1779820614582251793)  2024-04-15T10:34Z [----] followers, [--] engagements


"#Renaper Uno de los sitios ".onion" expuestos por el delincuente es vulnerable a path traversal. Suposicin: Parece estar abierto desde un servidor comprometido y gubernamental de Gualeguaychu no lo puedo confirmar Muestro algunas imagenes por si alguno lo identifica"  
[X Link](https://x.com/Merlax_/status/1780942078379245947)  2024-04-18T12:50Z [----] followers, [--] engagements


"#Malware KL Remota Zeus Loader ZIP hxxps://dramarcelarodriguesd.com/ Payload hxxps://linkcarconsorcios.simple-url.com/temp.png Config hxxps://docs.google.com/document/u/0/d/13zHv-2MlPLM0qze5dsPMHCciadgkj4wABYkM_WDlFGQ/exportformat=txt&isid= C2 38.60.209.132:443"  
[X Link](https://x.com/Merlax_/status/1786179599346401698)  2024-05-02T23:42Z [----] followers, [----] engagements


"#Malware Bancario #Grandoreiro Fuerte campaa en Crea carpetas con nombres aleatorios en: C:UsersPublic C:ProgramData IOCs p://51.120.240.117 p://54.233.206.70:40817/WaveEdgeNRzyoSecureSphereDevice.xml p://18.230.124.104:39054/BNceD0ttGfG.txt C2 18.230.186.145:36044"  
[X Link](https://x.com/Merlax_/status/1790890717596024863)  2024-05-15T23:43Z [----] followers, [--] engagements


"Mi script para explotar la vuln CVE-2024-24919 de Check Point Script: https://raw.githubusercontent.com/merlax/tools/main/CVE-2024-24919.py https://raw.githubusercontent.com/merlax/tools/main/CVE-2024-24919.py"  
[X Link](https://x.com/Merlax_/status/1796292877921693806)  2024-05-30T21:29Z [----] followers, [----] engagements


"Para seguir con los path traversal dejo tambin un script para chequear si un Nexus es vulnerable a CVE-2024-4956 😁 Script: Info de la vuln: https://support.sonatype.com/hc/en-us/articles/29416509323923-CVE-2024-4956-Nexus-Repository-3-Path-Traversal-2024-05-16 https://raw.githubusercontent.com/merlax/tools/main/CVE-2024-4956.py Mi script para explotar la vuln CVE-2024-24919 de Check Point Script: https://t.co/8MKCLKgl67 https://t.co/y1u0eEi7CR https://support.sonatype.com/hc/en-us/articles/29416509323923-CVE-2024-4956-Nexus-Repository-3-Path-Traversal-2024-05-16"  
[X Link](https://x.com/Merlax_/status/1796673254171554190)  2024-05-31T22:40Z [----] followers, [---] engagements


"#Malware KL Remota Zeus Apuntando a Entidades argentinas mencionadas en el tweet citado Downloader hxxps://208.109.233.38/ Payload hxxps://globoaves234.com/temp1.zip Counter grupotecnosege.likescandy.com 92.205.226.128 C2 154.205.154.172:778 #Malware KL Remota Zeus - Mismo TA que operaba Mekotio en - Agreg varias entidades de Argentina al RAT: BNABBVA Galicia MercadoPago Banco Santa Fe Provincia Macro Chain de Fraude: Freeze/Pantalla de carga-Overlay Token/Clave-Transaccion ✅💸 Algunos Overlays https://t.co/pkWTXi6a2z #Malware KL Remota Zeus - Mismo TA que operaba Mekotio en - Agreg varias"  
[X Link](https://x.com/Merlax_/status/1797747970537889904)  2024-06-03T21:51Z [----] followers, [----] engagements


"#Mekotio #Malware Actuales objetivos:  Config hxxps://insaatfender.top/99.txt C2 104.245.245.7:9999 Config hxxp://strogonoff.xyz/ C2 boludo.online:7957 Lista completa de Config/C2 Dejo dos overlays de CL - MX"  
[X Link](https://x.com/Merlax_/status/1805750049135018347)  2024-06-25T23:48Z [----] followers, [--] engagements


"#Mekotio Objetivo Cadena Mail✉ PDF 📎 Link🌐 ZIP+MSI ServerLoader C2 🦹♂ - Utiliza duratex.com.mx para redirigir al zip+msi IOCs s://facturas.duratex.com.mx/Facturador_En_Linea/ s://tudoprainfo.info 68.221.121.160:9095 C2 Final 78.46.215.90:5060"  
[X Link](https://x.com/Merlax_/status/1806825719177347275)  2024-06-28T23:03Z [----] followers, [--] engagements


"Corrijo c2 Final 45.40.96.230:7958"  
[X Link](https://x.com/Merlax_/status/1806833714778759501)  2024-06-28T23:35Z [----] followers, [---] engagements


"#Mekotio #Malware Campaa - PDF de AFIP descarga zip.cmd 🧠Insight-C2-Contador - Contador al final de la cadena de ataque - El puerto rota segn dia del mes - Info interesante: pais + banco detectado por el que hizo conexin la vctima - Imagenes: logs de operadores"  
[X Link](https://x.com/Merlax_/status/1841656772139892992)  2024-10-03T01:49Z [----] followers, [--] engagements


"#Malware posible APT-C-36 Remcos & njrat #Opendir hxxp://167.0.201.5/ hxxps://186.169.63.46/ hxxp://190.9.223.135/ hxxp://186.169.83.212/ C2 sost2024ene.duckdns.org:1213 remcosoct.duckdns.org:4576 02oct.duckdns.org:9001"  
[X Link](https://x.com/Merlax_/status/1842001785587650815)  2024-10-04T00:40Z [----] followers, [--] engagements


"#Malware RAT Operador posible Ousaban🤔 - Objetivos y posible - El panel web parece loguear la actividad al congelar el equipo de la vctima 🤦♂"  
[X Link](https://x.com/Merlax_/status/1842336395857379456)  2024-10-04T22:50Z [----] followers, [--] engagements


"@juanbrodersen @endif_ok Crack Juan Felicitaciones muy merecido👏💪"  
[X Link](https://x.com/Merlax_/status/1844483579541336133)  2024-10-10T21:02Z [----] followers, [--] engagements


"@1ZRR4H @malwrhunterteam @JAMESWT_MHT @pr0xylife @executemalware @RussianPanda9xx @0xToxin Panel🐦"  
[X Link](https://x.com/Merlax_/status/1846026212193210765)  2024-10-15T03:12Z [----] followers, [--] engagements


"ltima parte de este tope con Botnet Fenix 🐦 Una muestra rpida de "Bitrax" - Funcionara como un live phishing posiblemente es cargado desde la Botnet Fenix - Entidades financieras de en su objetivo - En el video algunas de las pantallas utilizadas contra B. de Chile"  
[X Link](https://x.com/Merlax_/status/1847397694253187416)  2024-10-18T22:01Z [----] followers, [--] engagements


"@johnk3r @0xToxin @1ZRR4H KL Contador: hxxps://set.cristianesousapequenoaprendiz.com/PP/Pink1/Get.php"  
[X Link](https://x.com/Merlax_/status/1849826952305140010)  2024-10-25T14:54Z [----] followers, [---] engagements


"👀 Articulo: https://labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-network-access-citrix-virtual-apps-and-desktops-cve-unknown/ aUtHenTiCaTed RCE Citrix https://t.co/jKjRVhpLMf https://labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-network-access-citrix-virtual-apps-and-desktops-cve-unknown/ aUtHenTiCaTed RCE Citrix https://t.co/jKjRVhpLMf"  
[X Link](https://x.com/Merlax_/status/1856378468298019317)  2024-11-12T16:48Z [----] followers, [---] engagements


"Bullish 💹😎"  
[X Link](https://x.com/Merlax_/status/1856794766962561505)  2024-11-13T20:22Z [----] followers, [---] engagements


"C2 172.104.105.246:7957 molejo.online:7957 13.58.35.143:3070 92.205.233.240:8088 chuckchuck20g.ddns.net:3070 socnetfiles01.hopto.org:3070 pianoocabam2025.space-to-rent.com:8088 172.86.86.84:8005 explousemprefs.com:8005"  
[X Link](https://x.com/Merlax_/status/1864793983974543458)  2024-12-05T22:08Z [----] followers, [---] engagements


"Fraude de CEO por aqu apuntando a empresa del sector de Salud: gerentegeneralcorreo@gmail.com"  
[X Link](https://x.com/Merlax_/status/1867703271902544382)  2024-12-13T22:48Z [----] followers, [---] engagements


"#Phishing dirigido a @Grupo_Argos Site hxxps://gestion-ingreso-contratistas.shop/"  
[X Link](https://x.com/Merlax_/status/1874954714816848168)  2025-01-02T23:03Z [----] followers, [---] engagements


"#Phishing GEO - multi-banco IP 164.90.131.182 Dominios activos: https://pastebin.com/raw/4iP12UdU https://app.validin.com/detailtype=ip&find=164.90.131.182#tab=resolutions https://pastebin.com/raw/4iP12UdU https://app.validin.com/detailtype=ip&find=164.90.131.182#tab=resolutions"  
[X Link](https://x.com/Merlax_/status/1874960636943409597)  2025-01-02T23:27Z [----] followers, [----] engagements


"Posible ip del site: 185.158.113.114 #Argentina: el grupo de #Ransomware BlackLock anuncia a Hidrocarburos Argentinos como nueva vctima. #Ciberseguridad #Cibercrimen #Argentina: el grupo de #Ransomware BlackLock anuncia a Hidrocarburos Argentinos como nueva vctima. #Ciberseguridad #Cibercrimen"  
[X Link](https://x.com/Merlax_/status/1875687439014228396)  2025-01-04T23:35Z [----] followers, [----] engagements


"Sitio simula ser el onboarding de @Banco_Patagonia Lo raro es que le pega a la API del banco 🤔 Site hxxps://onlineempresapatagonia.lat/onboarding/qr-code No es el mismo site pero parece estar relacionado: 147.93.14.214 Sites en esa IP https://pastebin.com/raw/M0GLQLze https://pastebin.com/raw/M0GLQLze"  
[X Link](https://x.com/Merlax_/status/1880363214472372706)  2025-01-17T21:15Z [----] followers, [---] engagements


"#Malware Apuntando a Counter hxxp://172.86.115.125/zzz/test.php Sample https://bazaar.abuse.ch/sample/db871ccf4cced277c89d82b06d0568f72e4533a94c39f77fac4b9f79d766f9aa/ https://bazaar.abuse.ch/sample/db871ccf4cced277c89d82b06d0568f72e4533a94c39f77fac4b9f79d766f9aa/"  
[X Link](https://x.com/Merlax_/status/1884375721054728316)  2025-01-28T22:59Z [----] followers, [----] engagements


"#Malware #javali vbs - 1er stage hxxps://ar03.gxsearch.club/25/serial.php Payload final hxxps://roncluv.com/ar6/arquivos/download/up.zip Config hxxps://pastebin.com/raw/Hbq0DQ3q C2 162.218.114.84:50000 chrome_elf.dll Contador 1er stage / [----] lineas relacionadas a hxxps://ar03.gxsearch.club/25/visit.txt https://www.virustotal.com/gui/file/677187e03b6c38f681c38902e724ecf73413cdb3258ef297451fe0c7d5c2d5b8/detection https://www.virustotal.com/gui/file/677187e03b6c38f681c38902e724ecf73413cdb3258ef297451fe0c7d5c2d5b8/detection"  
[X Link](https://x.com/Merlax_/status/1908288519363322194)  2025-04-04T22:40Z [----] followers, [----] engagements


"Script extractor de mails hxxps://sinistryenvios.com/envion/sh/upx/uplory.zip URLs de extraccin: indentar.club indentar.online indentar.site indentar.store indentar.xyz Sample zip+vbs: https://bazaar.abuse.ch/sample/26920c407a336a2723194dc0d9d67a1cefd39ace2d85fc709f9c97f4e7794c26/ https://bazaar.abuse.ch/sample/26920c407a336a2723194dc0d9d67a1cefd39ace2d85fc709f9c97f4e7794c26/"  
[X Link](https://x.com/Merlax_/status/1910894248162885709)  2025-04-12T03:14Z [----] followers, [---] engagements


"#Deepfake Deepfakes en Facebook de distintos directores/gerentes de bancos promocionando sitios para invertir (posible Scam) Link del DeepFake utilizando al Director General del Banco Nacin: https://www.facebook.com/61574972886126/videos/1880976569381341/ https://www.facebook.com/61574972886126/videos/1880976569381341/"  
[X Link](https://x.com/Merlax_/status/1921709378312270206)  2025-05-11T23:29Z [----] followers, [----] engagements


"#Malware #Android posible BTMOB apuntando a 🎯 Sites hxxps://191.96.79.133/Transporte%20Seguro/ hxxps://191.96.79.133/Magalu%20Entregas/ IOCs hxxp//195.160.221.203/yaarsa/private/yarsap_80541.php ws 195.160.221.203:8080 VT https://www.virustotal.com/gui/file/8779cbdc2ab90e171d2b2d48d0a99f90cd5d8db3886404505f2c7cedfabc518dnocache=1 https://www.virustotal.com/gui/file/8779cbdc2ab90e171d2b2d48d0a99f90cd5d8db3886404505f2c7cedfabc518dnocache=1"  
[X Link](https://x.com/Merlax_/status/1924600836635640049)  2025-05-19T22:59Z [----] followers, [----] engagements


"#Malware #Mekotio 🎯 Mail site zip msi PDQ ps1 (desactiva defender) ps1 (descarga Mekotio) Mekotio #Grandoreiro 🎯 Mail site zip vbs exe (Adobe pdf "captcha") exe Samples IOCs https://pastesio.com/raw/bra-boyz-4 https://bazaar.abuse.ch/user/953/ https://pastesio.com/raw/bra-boyz-4 https://bazaar.abuse.ch/user/953/"  
[X Link](https://x.com/Merlax_/status/1928567717558104406)  2025-05-30T21:42Z [----] followers, [----] engagements


"#Opendir Relacionado a investigacin de @johnk3r Expone: - Credenciales - user+pass(cifrada) - Sites - Headers / Tokens de sesin + [-----] jsons + [----] txt @ViriBack Panels: hxxps://servidor2025.com/control/admin2/ hxxps://servidor2025.com/gpt.php Batch + Warsaw Check + Malicious Extension = Exfiltration A malicious batch script checks for #Warsaw security software. If Warsaw is absent the infection process stops. If present it loads a malicious extension then monitors and collects data from "Banco do Brasil" accesses. https://t.co/ZqX0ymHbcQ Batch + Warsaw Check + Malicious Extension ="  
[X Link](https://x.com/Merlax_/status/1951295026627060091)  2025-08-01T14:52Z [----] followers, [----] engagements


"#Malware #Hijackloader - #ClickFix en el sitio de @COSIPRENSA Site manipulado s://cosi.com.ar/ Algunos IOCs s://sefefuy2.ru/gdawr.googlet=ye41n873 s://rs.mezi.bet/samie_bower.mp3 hxxps://1h.vuregyy1.ru/3g2bzgrevl.hta 91.212.166.51:443 37.27.165.65:1477"  
[X Link](https://x.com/Merlax_/status/1960048599678493033)  2025-08-25T18:36Z [----] followers, [---] engagements


"#Malware #Grandoreiro - Cambio mnimo de .zip a .iso en la primera etapa de la cadena 1st stage ps://vmi2815219.contaboserver.net/ p://31.220.84.31/ Mediafire - [--] links 2nd stage p://3.8.132.27:30516 https://pastebin.com/raw/4c6feKYK https://pastebin.com/raw/4c6feKYK"  
[X Link](https://x.com/Merlax_/status/1969159566555324422)  2025-09-19T22:00Z [----] followers, [---] engagements


"@johnk3r @dodo_sec @1ZRR4H Also it uses "RedirSystem" Allowed countries: 🎯 Allowed ip: 216.234.208.0"  
[X Link](https://x.com/Merlax_/status/1978230052731900093)  2025-10-14T22:42Z [----] followers, [---] engagements


"#Malware #Mispadu Objetivos C2 Activos 57.129.23.16:6061 51.91.209.34:8001 Pass-Grabber hxxp://64.95.10.181/pWgr/ [---] IOCs https://pastebin.com/uE0H9iyJ https://pastebin.com/uE0H9iyJ"  
[X Link](https://x.com/Merlax_/status/1892387093193609514)  2025-02-20T01:33Z [----] followers, [----] engagements


"@johnk3r @dodo_sec @1ZRR4H Nice find 👏 more screenshots of the c2 maybe it's used as a loader"  
[X Link](https://x.com/Merlax_/status/1978226450093265004)  2025-10-14T22:28Z [----] followers, [----] engagements


"#Malware #Grandoreiro Campaas apuntando a Loader hlsystem 3.236.105.171:6215 34.226.202.119:34622 3.234.208.143:45632 IOCs - [--] urls mediafire - [--] urls - redirect mediafire/.iso - [--] ips loader stage Lista completa: https://pastebin.com/raw/mbL2U1b5 https://pastebin.com/raw/mbL2U1b5"  
[X Link](https://x.com/Merlax_/status/1989438192974499912)  2025-11-14T21:00Z [----] followers, [----] engagements


"#Malware Banker Dirigido a IOCs zip+hta hxxp://192.169.176.93 Autoit+rat s://zvisionelectronics.com/w1/lib/AutoIt3 s://zunelosangeles.com/w1/lib/tiaoCrt s://zunelosangeles.com/w1/lib/AutoIt3.exe C2 149.28.108.157:56789"  
[X Link](https://x.com/Merlax_/status/1989440703202824436)  2025-11-14T21:10Z [----] followers, [--] engagements


"#Malware KLRemota & tools IOCs relacionados a un grupo criminal que despliega variante de klremota Algunas urls: s://24.152.38.72/sisblack/ s://adobeview.online/contador/login.php s://24.152.38.72/matrizofusca/ s://24.152.38.72/mpl/ Report: https://tria.ge/251028-y6v4mabq8s/behavioral1 https://tria.ge/251028-y6v4mabq8s/behavioral1"  
[X Link](https://x.com/Merlax_/status/1997050974326968479)  2025-12-05T21:10Z [----] followers, [----] engagements


"#Malware - Sitio Fake de Google Play ("Deploy Palace") + Posible BTMOB Sites s://191.96.79.179/apps_criptografado/apps_obfuscated s://191.96.225.241/apps_criptografado/apps_obfuscated s://191.96.79.41/apps_obfuscated s://191.96.224.87/apps_obfuscated Un site tiene regalo 🎁"  
[X Link](https://x.com/Merlax_/status/1997055883407216993)  2025-12-05T21:30Z [----] followers, [----] engagements


"#Malware Android - Fake Google Play + #BTMOB Fake Google play s://191.96.224.87/apps_obfuscated/ s://191.96.225.241/apps_criptografado/apps_obfuscated/ BTMOB s://191.101.131.250/ s://191.96.78.28/ s://200.9.155.153/ s://191.96.78.172/ s://arbsniper.com/"  
[X Link](https://x.com/Merlax_/status/2009431290580217956)  2026-01-09T01:05Z [----] followers, [----] engagements


"#Malware #GHOST RAT Objetivos: C2 Activo 92.246.128.19:8055 Brazilian banker caught by @johnk3r 🎣 GHOST panel 🧐 007consultoriafinanceira .net ➡ GoDaddy 83.229.17.124:80 ➡ Clouvider Payload delivery URL: 🌐https://t.co/CxkqVvkaQm Malware sample (MSI): ⚙https://t.co/0p2NT8LJOA https://t.co/ceGaieaire Brazilian banker caught by @johnk3r 🎣 GHOST panel 🧐 007consultoriafinanceira .net ➡ GoDaddy 83.229.17.124:80 ➡ Clouvider Payload delivery URL: 🌐https://t.co/CxkqVvkaQm Malware sample (MSI): ⚙https://t.co/0p2NT8LJOA https://t.co/ceGaieaire"  
[X Link](https://x.com/Merlax_/status/2012269880418910485)  2026-01-16T21:05Z [----] followers, [----] engagements


"#Malware #Mekotio El texto del payload ahora viaja cifrado MSI hxxp://202.3.66.34.bc.googleusercontent.com/ hxxp://228.115.68.34.bc.googleusercontent.com/ hxxp://66.113.69.34.bc.googleusercontent.com/ Payload 102.37.155.46:10002 Config (cado) gameslol.ddnsking.com"  
[X Link](https://x.com/Merlax_/status/1623300329214279687)  2023-02-08T12:38Z [----] followers, [----] engagements


"Otras dos urls con MSI (desactualizadas) hxxp://34.29.127.135/ hxxp://35.226.160.162/ Otros config 185.101.92.9 37.228.132.153 185.250.205.88 185.101.93.95 37.228.132.91 185.101.94.186 37.228.132.207 37.228.132.205 37.228.132.199"  
[X Link](https://x.com/Merlax_/status/1623300332221497352)  2023-02-08T12:38Z [----] followers, [---] engagements


"Gracias a tod@s por acercarse ayer por la participacin y las risas 🤣 El debate post charla estuvo muy bueno. Para el que se lo perdi expuse sobre la clula procariota. Nuevamente gracias ❤⚔"  
[X Link](https://x.com/Merlax_/status/1982234683938160835)  2025-10-25T23:55Z [----] followers, [----] engagements


"BT-MOB Brasil Versin customizada de BT-MOB que estn distribuyendo algunos cibercriminales BTMOB RAT delivery panel: storepplay.shop downloadaplicativo0.store baixaraplicativo.site descargarapp.store storrpplay.shop descargarseguro.store baixaraplicativo1.store descargaapp1.store playbaixar.shop download-seguro.store downloadappseguro.online https://t.co/QONfWT4F6K BTMOB RAT delivery panel: storepplay.shop downloadaplicativo0.store baixaraplicativo.site descargarapp.store storrpplay.shop descargarseguro.store baixaraplicativo1.store descargaapp1.store playbaixar.shop download-seguro.store"  
[X Link](https://x.com/anyuser/status/2012276173368385717)  2026-01-16T21:30Z [----] followers, [----] engagements


"Sitio educativo del reactor nuclear escuela RA4 con "artifacts" de alfa shell 🤔"  
[X Link](https://x.com/anyuser/status/2013376331442974922)  2026-01-19T22:21Z [----] followers, [----] engagements


"Algunas TTP de un documento interno de n0v4 ransom dirigido a entornos citrix y rdw"  
[X Link](https://x.com/Merlax_/status/2014699197404942726)  2026-01-23T13:58Z [----] followers, [----] engagements


"RT @cyb3rops: Rapid7 dropped a write-up on the Notepad++ update-chain abuse and - finally - it comes with real IOCs - update.exe downloade"  
[X Link](https://x.com/Merlax_/status/2018392363236790306)  2026-02-02T18:33Z [----] followers, [---] engagements

Limited data mode. Full metrics available with subscription: lunarcrush.com/pricing