# ![@Threatlabz Avatar](https://lunarcrush.com/gi/w:26/cr:twitter::775449576476057601.png) @Threatlabz Zscaler ThreatLabz

Zscaler ThreatLabz posts on X about $zs, check out, data, check the most. They currently have [-----] followers and [---] posts still getting attention that total [---] engagements in the last [--] hours.

### Engagements: [---] [#](/creator/twitter::775449576476057601/interactions)
![Engagements Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::775449576476057601/c:line/m:interactions.svg)

- [--] Week [------] -47%
- [--] Month [------] +64%
- [--] Months [-------] +208%
- [--] Year [-------] -14%

### Mentions: [--] [#](/creator/twitter::775449576476057601/posts_active)
![Mentions Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::775449576476057601/c:line/m:posts_active.svg)

- [--] Week [--] no change
- [--] Month [--] +80%
- [--] Months [--] +36%
- [--] Year [--] +43%

### Followers: [-----] [#](/creator/twitter::775449576476057601/followers)
![Followers Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::775449576476057601/c:line/m:followers.svg)

- [--] Week [-----] +0.49%
- [--] Month [-----] +2.50%
- [--] Months [-----] +16%
- [--] Year [-----] +28%

### CreatorRank: [---------] [#](/creator/twitter::775449576476057601/influencer_rank)
![CreatorRank Line Chart](https://lunarcrush.com/gi/w:600/cr:twitter::775449576476057601/c:line/m:influencer_rank.svg)

### Social Influence

**Social category influence**
[stocks](/list/stocks)  32.38% [technology brands](/list/technology-brands)  8.57% [social networks](/list/social-networks)  2.86% [countries](/list/countries)  1.9% [finance](/list/finance)  1.9%

**Social topic influence**
[$zs](/topic/$zs) #13, [check out](/topic/check-out) 17.14%, [data](/topic/data) 14.29%, [check](/topic/check) 14.29%, [note](/topic/note) 13.33%, [ransom](/topic/ransom) 11.43%, [code](/topic/code) 8.57%, [network](/topic/network) 7.62%, [to the](/topic/to-the) 6.67%, [tools](/topic/tools) 5.71%

**Top accounts mentioned or mentioned by**
[@googledrive](/creator/undefined) [@facebook](/creator/undefined) [@inquest](/creator/undefined) [@rivitna2](/creator/undefined) [@sessionapp](/creator/undefined) [@780thc](/creator/undefined) [@securityaffairs](/creator/undefined)

**Top assets mentioned**
[Zscaler Inc (ZS)](/topic/$zs) [Microsoft Corp. (MSFT)](/topic/microsoft) [Alphabet Inc Class A (GOOGL)](/topic/$googl) [Crowdstrike Holdings Inc (CRWD)](/topic/crowdstrike)
### Top Social Posts
Top posts by engagements in the last [--] hours

"Zscaler ThreatLabz has published a deep dive into APT attacks targeting members of the Indian government. The campaign which we named Gopher Strike leverages several previously undocumented tools. These include GOGITTER as an initial downloader GITSHELLPAD backdoor for C2 communication and GOSHELL used to deploy a Cobalt Strike Beacon. Read our full technical analysis here: https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-gogitter-gitshellpad-and-goshell"  
[X Link](https://x.com/Threatlabz/status/2015816411428655398)  2026-01-26T15:57Z [----] followers, [----] engagements


"Zscaler ThreatLabz continues its investigation into APT attacks targeting Indian government entities. This second campaign named Sheet Attack introduces three newly discovered backdoors SHEETCREEP FIREPOWER and MAILCREEP designed to compromise systems and exfiltrate sensitive information. Learn more about these targeted attacks: https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-sheetcreep-firepower-and https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-sheetcreep-firepower-and"  
[X Link](https://x.com/Threatlabz/status/2016182129097609627)  2026-01-27T16:10Z [----] followers, [----] engagements


"🚨ThreatLabz has identified another malicious app on the Google Play Store disguised as a document reader. The app currently has over 50K downloads and serves as an installer for the Anatsa banking trojan. IOCs below: Google Play URL: Anatsa installer MD5: 1991f5d0c88d8c7c68f6a6d27efa60d6 Anatsa download URL:https://stellargridinv.com/ Anatsa payload MD5: 7f131404a331ae10fdc76bfe5908575d Anatsa C2s: - http://193.24.123.18:85/api/ - http://162.252.173.37:85/api/ https://play.google https://play.google"  
[X Link](https://x.com/Threatlabz/status/2018366059452199168)  2026-02-02T16:49Z [----] followers, [----] engagements


"⚠Matanbuchus has been continuously making changes to various components to evade AV/ML detection. The group is currently leveraging Microsoft Installer (MSI) files to drop the downloader module with some samples having zero detections: The C2 for this Matanbuchus sample is: https://nady.io/check/robot.aspx More info about Matanbuchus can be found here: https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuchus-3-0 https://www.virustotal.com/gui/file/6a1398395f5434aa39c5074833698b0a85967eb01d76273ef8762fb149136382"  
[X Link](https://x.com/Threatlabz/status/2016578570626428989)  2026-01-28T18:26Z [----] followers, [----] engagements


"Zscaler ThreatLabz has uncovered a new APT28 campaign that exploits CVE-2026-21509. Tracked as Operation Neusploit this activity targets countries in Central and Eastern Europe and uses weaponized Microsoft RTF files to deliver two new backdoors that we have named MiniDoor and PixyNetLoader. Read the full technical analysis here: https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit"  
[X Link](https://x.com/Threatlabz/status/2018411328608809249)  2026-02-02T19:48Z [----] followers, 18.7K engagements


"Zscaler ThreatLabz has published a technical analysis of Marco Stealer an information stealer that our team discovered that harvests sensitive information including browser data and cryptocurrency wallets. Marco Stealer uses HTTP-based C2 communication with AES encrypted payloads. Read the full analysis here: https://www.zscaler.com/blogs/security-research/technical-analysis-marco-stealer https://www.zscaler.com/blogs/security-research/technical-analysis-marco-stealer"  
[X Link](https://x.com/Threatlabz/status/2019450239359545799)  2026-02-05T16:37Z [----] followers, [----] engagements


"☃#Pikabot is now delivering the #IcedID backconnect with the C2: 45.61.138.149:443"  
[X Link](https://x.com/anyuser/status/1722653097271652522)  2023-11-09T16:31Z [----] followers, [----] engagements


"Zscaler ThreatLabz has published a technical analysis of GuLoader's anti-analysis techniques that include complex exception-based control flow obfuscation. GuLoader purposefully triggers exceptions to redirect the malware's execution and employs polymorphic code to dynamically construct constants and string values. IDA Python scripts for deobfuscating GuLoader can be found in our GitHub repository here: Read the full analysis here: https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques https://github.com/ThreatLabz/tools/tree/main/guloader"  
[X Link](https://x.com/Threatlabz/status/2020901127043355057)  2026-02-09T16:42Z [----] followers, [----] engagements


"Our latest blog analyzes how information stealers such as #RedLineStealer and #RecordBreaker are being distributed through cracked/pirated software lures: Full IOCs are available here: https://bit.ly/3R6qrlK https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download https://bit.ly/3R6qrlK https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download"  
[X Link](https://x.com/anyuser/status/1562159016091848707)  2022-08-23T19:25Z [----] followers, [---] engagements


"ThreatLabz has discovered updates to the #Ares banking trojan with new features including an implementation of the #Qakbot DGA as a fallback C2 channel: IOCs: Tools to generate DGA domains + import hashes: https://bit.ly/3CTQJnb https://bit.ly/3AKfgbR https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga https://bit.ly/3CTQJnb https://bit.ly/3AKfgbR https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga"  
[X Link](https://x.com/anyuser/status/1567179693484396544)  2022-09-06T15:55Z [----] followers, [--] engagements


"ThreatLabz discovered a #0day #exploit that targeted CVE-2022-37969 on fully patched Windows [--] and Windows [--] systems. This vulnerability was addressed in today's #PatchTuesday. More information can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969"  
[X Link](https://x.com/anyuser/status/1569807855238402048)  2022-09-13T21:58Z [----] followers, [---] engagements


"The ThreatLabz research team has analyzed the Windows CLFS Zero-Day vulnerability: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part"  
[X Link](https://x.com/anyuser/status/1580969339192111105)  2022-10-14T17:10Z [----] followers, [---] engagements


"ThreatLabz technical analysis of the #Ducktail information stealer #malware targeting @Facebook business accounts: Full IOCs are available here: https://bit.ly/3TdbgZs https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts https://bit.ly/3TdbgZs https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts"  
[X Link](https://x.com/anyuser/status/1582085047842009088)  2022-10-17T19:04Z [----] followers, [---] engagements


"Zscaler has discovered that a subsea Internet cable was severed in the south of France in an apparent act of vandalism. Internet connectivity to Asia Europe the United States and other parts of the world may be impacted. More details can be found here: https://trust.zscaler.com/zscloud.net/posts/12256 https://trust.zscaler.com/zscloud.net/posts/12256"  
[X Link](https://x.com/anyuser/status/1583128314285170689)  2022-10-20T16:09Z [----] followers, [---] engagements


"ThreatLabz has published Part [--] of our blog series that analyzes an in-the-wild #0day #exploit that targeted the #vulnerability CVE-2022-37969: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part2-exploit-analysis https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part2-exploit-analysis"  
[X Link](https://x.com/anyuser/status/1586023579426033664)  2022-10-28T15:54Z [----] followers, [---] engagements


"ThreatLabz has discovered #APT-36 using new TTPs and tools to target the Indian government: Full IOCs are available here: https://bit.ly/3U4UkEH https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations https://bit.ly/3U4UkEH https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations"  
[X Link](https://x.com/anyuser/status/1588196909641965570)  2022-11-03T15:50Z [----] followers, [---] engagements


"ThreatLabz has identified significant modifications to #BlackBasta including the #ransomware's encryption library/algorithms introduction of stack-based string obfuscation and per victim file extensions. This is likely an attempt to better evade antivirus and EDR detection"  
[X Link](https://x.com/anyuser/status/1593604941909790721)  2022-11-18T14:00Z [----] followers, [---] engagements


"⚡Check out the ThreatLabz technical analysis blog for #BlackBasta version 2.0: 🔐The new BlackBasta #ransomware file encryption combines Elliptic Curve Cryptography using NIST P-521 with XChaCha20. A full BlackBasta feature comparison is shown below: https://www.zscaler.com/blogs/security-research/back-black-basta https://www.zscaler.com/blogs/security-research/back-black-basta"  
[X Link](https://x.com/anyuser/status/1598353732042985474)  2022-12-01T16:30Z [----] followers, [--] engagements


"🤖Check out Zscaler ThreatLabz technical analysis of #DanaBot's code obfuscation techniques: 🛠IDA scripts to assist with DanaBot code deobfuscation are available in our GitHub repository: Example before & after screenshots: https://github.com/threatlabz/tools/tree/main/danabot https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques https://github.com/threatlabz/tools/tree/main/danabot https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques"  
[X Link](https://x.com/anyuser/status/1600165674218770445)  2022-12-06T16:30Z [----] followers, [---] engagements


"ThreatLabz has discovered a new malware family called #AlbumStealer that is being distributed through fake #Facebook profiles. The malware makes significant use of DLL side loading to evade detection: Full IOCs are available here: https://github.com/threatlabz/iocs/tree/main/albumstealer https://www.zscaler.com/blogs/security-research/album-technical-analysis-new-multifunctional-stealer https://github.com/threatlabz/iocs/tree/main/albumstealer https://www.zscaler.com/blogs/security-research/album-technical-analysis-new-multifunctional-stealer"  
[X Link](https://x.com/anyuser/status/1616480058948087814)  2023-01-20T16:57Z [----] followers, [----] engagements


"#BlackBasta ransomware attacks have resumed with at least two new victims after a month of inactivity. There are slight modifications to the #ransomware including a new TOR onion domain in the ransom note: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion"  
[X Link](https://x.com/anyuser/status/1622649766957191168)  2023-02-06T17:33Z [----] followers, [----] engagements


"🕵Zscaler ThreatLabz has observed a campaign targeting a government organization with a new post exploitation framework named #Havoc. During this attack the threat actors have made several #opsec failures: IOCs are available here: https://github.com/threatlabz/iocs/tree/main/havoc https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace https://github.com/threatlabz/iocs/tree/main/havoc https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace"  
[X Link](https://x.com/anyuser/status/1625536813871005697)  2023-02-14T16:45Z [----] followers, 166.5K engagements


"ThreatLabz reverse engineered the #Rhadamanthys information stealer's #obfuscation techniques including the use of the #Quake3 virtual machine and a custom embedded file system. There is also a weakness in the network encryption protocol. More details: https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques"  
[X Link](https://x.com/anyuser/status/1628070963244937233)  2023-02-21T16:35Z [----] followers, 12.5K engagements


"🔍ThreatLabz has identified significant code similarities between the #Nevada and #Nokoyawa #ransomware families including debug strings command-line arguments and encryption algorithms. More details: IOCs are available here: https://github.com/threatlabz/iocs/tree/main/nokoyawa https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant https://github.com/threatlabz/iocs/tree/main/nokoyawa https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant"  
[X Link](https://x.com/anyuser/status/1633139191885475841)  2023-03-07T16:15Z [----] followers, [----] engagements


"ThreatLabz has discovered a #GitHub repository owned by a member of the #APT37 threat group. Due to an #opsec failure the group leaked a wealth of information about malicious activities dating as far back as October [----]. More details here: https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37 https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37"  
[X Link](https://x.com/anyuser/status/1638250025582231552)  2023-03-21T18:43Z [----] followers, 31.6K engagements


"🔒ThreatLabz has identified the U-Bomb #ransomware group operating a victim portal that strongly resembles the former #Hive group. Screenshots for comparison are shown below:"  
[X Link](https://x.com/anyuser/status/1640368077878730753)  2023-03-27T15:00Z [----] followers, 15.9K engagements


"💰ThreatLabz has discovered a new #ransomware group named Money Message performing double extortion attacks. Sample hash: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b Data leak site: blogvl7tjyjvsfthobttze52w36wwiz34hrfcmorgvdzb6hikucb7aqd.onion"  
[X Link](https://x.com/anyuser/status/1641113991824158720)  2023-03-29T16:24Z [----] followers, 20.3K engagements


"📝Our latest blog analyzes #Xloader's new #obfuscation techniques that protect critical parts of the code and data in version 4.3: 🛠An IDA script to deobfuscate Xloader's code is available in our GitHub tools repository here: https://github.com/threatlabz/tools/tree/main/xloader https://www.zscaler.com/blogs/security-research/technical-analysis-xloaders-code-obfuscation-version-43 https://github.com/threatlabz/tools/tree/main/xloader https://www.zscaler.com/blogs/security-research/technical-analysis-xloaders-code-obfuscation-version-43"  
[X Link](https://x.com/anyuser/status/1641464046418550784)  2023-03-30T15:35Z [----] followers, 11.2K engagements


"⚠The #DarkAngels ransomware group has launched a new data leak site named "Dunghill Leak" located at hxxp://p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd.onion/index.html"  
[X Link](https://x.com/anyuser/status/1645455117024641024)  2023-04-10T15:54Z [----] followers, 10.1K engagements


"The CryptNet #ransomware group has set up a new data leak site that is located at The ransomware code is written in .NET and obfuscated with Eziriz's .NET Reactor. Example SHA256: 2e37320ed43e99835caa1b851e963ebbf153f16cbe395f259bd2200d14c7b775 http://blog6zw62uijolee7e6aqqnqaszs3ckr5iphzdzsazgrpvtqtjwqryid.onion/ http://blog6zw62uijolee7e6aqqnqaszs3ckr5iphzdzsazgrpvtqtjwqryid.onion/"  
[X Link](https://x.com/anyuser/status/1648747102686806016)  2023-04-19T17:55Z [----] followers, [----] engagements


"ThreatLabz has identified a new ransomware data leak site for a group named #8Base with victims dating back to April 2022: An example 8Base ransom note is available in our GitHub repo here: https://github.com/threatlabz/ransomware_notes/blob/main/8base/8base_note.txt http://basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion https://github.com/threatlabz/ransomware_notes/blob/main/8base/8base_note.txt http://basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion"  
[X Link](https://x.com/anyuser/status/1660687100394766336)  2023-05-22T16:40Z [----] followers, 13.8K engagements


"🤖Check out our technical analysis of #Pikabot including the anti-analysis techniques encryption algorithms and similarities with Qakbot: IOCs are available here: https://github.com/threatlabz/iocs/tree/main/pikabot https://zscaler.com/blogs/security-research/technical-analysis-pikabot https://github.com/threatlabz/iocs/tree/main/pikabot https://zscaler.com/blogs/security-research/technical-analysis-pikabot"  
[X Link](https://x.com/anyuser/status/1661394122052075521)  2023-05-24T15:30Z [----] followers, 12.4K engagements


"✋The #Akira ransomware group is using the #ClientJS library to perform JavaScript-based fingerprinting on victims that access the ransom portal through TOR"  
[X Link](https://x.com/anyuser/status/1666454968289869824)  2023-06-07T14:40Z [----] followers, 10.1K engagements


"Zscaler ThreatLabz and @InQuest have joined forces to analyze a new malware family known as #MysticStealer. The malware is highly obfuscated with an encrypted binary protocol and targets dozens of browsers cryptocurrency wallets and MFA applications: https://www.zscaler.com/blogs/security-research/mystic-stealer https://www.zscaler.com/blogs/security-research/mystic-stealer"  
[X Link](https://x.com/anyuser/status/1669387939401596930)  2023-06-15T16:54Z [----] followers, 13.1K engagements


"ThreatLabz has identified a new strain of #Monti ransomware that refers to itself as BIDON with a new TOR domain: Sample: Example ransom note: https://github.com/threatlabz/ransomware_notes/blob/main/monti/bidon_readme.txt https://www.virustotal.com/gui/file/8ef3d35e32343bcce186452f72eea45dbc9e4bd124735bed8bc128a7d7d19ec1 http://myosbja7hixkkjqihsjh6yvmqplz62gr3r4isctjjtu2vm5jg6hsv2ad.onion https://github.com/threatlabz/ransomware_notes/blob/main/monti/bidon_readme.txt https://www.virustotal.com/gui/file/8ef3d35e32343bcce186452f72eea45dbc9e4bd124735bed8bc128a7d7d19ec1"  
[X Link](https://x.com/anyuser/status/1686050873980678145)  2023-07-31T16:27Z [----] followers, 10.3K engagements


"ThreatLabz has identified #Pikabot distributing #CobaltStrike with SHA256 32db4a58e46d8f98978c51f581daed959ef58ed0e6a1a5b04dce6abe309ea285 containing the following C2s: hxxps://ponturded.com/Derive/encryption/39J9PTT5M3 hxxps://ponturded.com/select/mbo/LD0P946H9GVV"  
[X Link](https://x.com/anyuser/status/1714327628705120280)  2023-10-17T17:08Z [----] followers, 18.6K engagements


"#Hive ransomware is back We have added their rebranded "Hunters International" ransom note to our GitHub repository: Special credit to: @rivitna2 https://github.com/threatlabz/ransomware_notes/blob/main/hunters/Contact%20Us.txt https://github.com/threatlabz/ransomware_notes/blob/main/hunters/Contact%20Us.txt"  
[X Link](https://x.com/anyuser/status/1715510293659594955)  2023-10-20T23:28Z [----] followers, [----] engagements


"Pikabot is distributing a #CobaltStrike beacon with the URL: hxxps://173.44.141.113/Create/v10.58/RTYZC2PY The latest #Pikabot C2s: 139.99.216.90:13720 156.251.137.134:5000 154.12.252.84:23399 85.215.218.128:5243 103.231.93.15:5631 196.218.123.202:13783"  
[X Link](https://x.com/anyuser/status/1716492689036951591)  2023-10-23T16:32Z [----] followers, 17.3K engagements


"🚨#Pikabot is now delivering #Metasploit Meterpreter with the C2: 88.214.25.244:443"  
[X Link](https://x.com/anyuser/status/1717243502181208208)  2023-10-25T18:15Z [----] followers, 45K engagements


"👻Latest #Pikabot C2s: hxxps://45.76.208.235:23399 hxxps://139.162.147.197:2225 hxxps://50.116.54.138:13724 hxxps://104.200.28.75:2222 hxxps://172.234.16.175:2083 hxxps://172.233.185.220:5242"  
[X Link](https://x.com/anyuser/status/1719031924134711713)  2023-10-30T16:42Z [----] followers, 15.7K engagements


"ThreatLabz discovered [---] #vulnerabilities in #Microsoft [---] apps that use the #SketchUp 3D library. Check out part [--] of our blog series that delves into the methodologies and technical details: Part [--] coming soon https://www.zscaler.com/blogs/security-research/threatlabz-discovers-117-vulnerabilities-microsoft-365-apps-sketchup-3d https://www.zscaler.com/blogs/security-research/threatlabz-discovers-117-vulnerabilities-microsoft-365-apps-sketchup-3d"  
[X Link](https://x.com/anyuser/status/1719765396335759710)  2023-11-01T17:16Z [----] followers, [----] engagements


"ThreatLabz identified two new #Pikabot C2s: hxxps://15.235.44.231:5938 hxxps://210.243.8.247:23399 Full C2 list here: https://github.com/threatlabz/iocs/blob/main/pikabot/c2s_20231102.txt https://github.com/threatlabz/iocs/blob/main/pikabot/c2s_20231102.txt"  
[X Link](https://x.com/anyuser/status/1720124030903349322)  2023-11-02T17:01Z [----] followers, 23.5K engagements


"🚨 #Pikabot is distributing #CobaltStrike with the following C2s: https://167.71.14.110/dev/queue/MULVQ8OXY dns.investmentrealtyhp.net:53"  
[X Link](https://x.com/anyuser/status/1721591731530182977)  2023-11-06T18:13Z [----] followers, 12.6K engagements


"🔍Latest #CobaltStrike C2s associated with #Pikabot: https://getnationalresearch.com/create/makefile/4YVZFXI9E2N1 https://getnationalresearch.com/Compose/v8.59/TCMACGXS"  
[X Link](https://x.com/anyuser/status/1721974458985193550)  2023-11-07T19:34Z [----] followers, [----] engagements


"The #Trigona ransomware group is back online and extorting victims after the Ukrainian Cyber Alliance infiltrated and took down the infrastructure. New victim portal URL: http://znuzuy4hkjacew5y2q7mo63hufhzzjtsr2bkjetxqjibk4ctfl7jghyd.onion http://znuzuy4hkjacew5y2q7mo63hufhzzjtsr2bkjetxqjibk4ctfl7jghyd.onion"  
[X Link](https://x.com/anyuser/status/1725201184372506941)  2023-11-16T17:16Z [----] followers, 13.6K engagements


"🦃New #Pikabot C2s: https://64.176.5.228:13783 https://65.20.78.68:13721 https://64.176.67.194:2967 Full list here: https://github.com/threatlabz/iocs/blob/main/pikabot/c2s_20231121.txt https://github.com/threatlabz/iocs/blob/main/pikabot/c2s_20231121.txt"  
[X Link](https://x.com/anyuser/status/1727055554701558053)  2023-11-21T20:05Z [----] followers, [----] engagements


"#Pikabot is dropping a #CobaltStrike DNS stager with the C2 domain: aaa.h.dns.ionoslaba.com"  
[X Link](https://x.com/anyuser/status/1729571130581934547)  2023-11-28T18:41Z [----] followers, [----] engagements


"New #CobaltStrike C2s tied to #Pikabot: Stager C2: https://79.132.128.29/construct/Windows/VTSIK0T0DAYD Beacon C2s: https://nutiensel.com/Dequeue/odbc/1VXDSW2OHJOE https://nutiensel.com/Retrieve/v3.85/ZSRNTX1OUI Full beacon config: https://github.com/threatlabz/iocs/blob/main/pikabot/cobaltsrike_beacon_20231129.json https://github.com/threatlabz/iocs/blob/main/pikabot/cobaltsrike_beacon_20231129.json"  
[X Link](https://x.com/anyuser/status/1729904037481607273)  2023-11-29T16:43Z [----] followers, [----] engagements


"#Qakbot is back The new version is 64-bit uses AES for network encryption and sends POST requests to the path /teorema505"  
[X Link](https://x.com/anyuser/status/1735863156738871470)  2023-12-16T03:23Z [----] followers, 21.1K engagements


"The #NoName ransomware group has created a data leak site located at: Ransom note: https://github.com/threatlabz/ransomware_notes/blob/main/noname/HOW%20TO%20RECOVERY%20FILES.TXT http://noname2j6zkgnt7ftxsjju5tfd3s45s4i3egq5bqtl72kgum4ldc6qyd.onion https://github.com/threatlabz/ransomware_notes/blob/main/noname/HOW%20TO%20RECOVERY%20FILES.TXT http://noname2j6zkgnt7ftxsjju5tfd3s45s4i3egq5bqtl72kgum4ldc6qyd.onion"  
[X Link](https://x.com/anyuser/status/1747299684216193049)  2024-01-16T16:48Z [----] followers, [----] engagements


"⚠ThreatLabz has identified a new #ransomware group called #Slug that is performing data extortion attacks only (no file encryption). Current leak site URL: Ransom note: Negotiations are performed through the @session_app https://github.com/threatlabz/ransomware_notes/blob/main/slug/excel%20error.txt http://3ytm3d25hfzvbylkxiwyqmpvzys5of7l4pbosm7ol7czlkplgukjq6yd.onion/ https://github.com/threatlabz/ransomware_notes/blob/main/slug/excel%20error.txt http://3ytm3d25hfzvbylkxiwyqmpvzys5of7l4pbosm7ol7czlkplgukjq6yd.onion/"  
[X Link](https://x.com/anyuser/status/1747729463855751179)  2024-01-17T21:15Z [----] followers, [----] engagements


"#Zloader aka #SilentNight is back Check out our technical analysis of Zloader version 2.1.7.0 where we uncover the new obfuscation techniques updates to the DGA and the addition of RSA to network encryption. Blog link: https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night"  
[X Link](https://x.com/anyuser/status/1748495107740041418)  2024-01-19T23:58Z [----] followers, 10.2K engagements


"Check out our technical analysis for the latest version of #Pikabot which has restructured the internal configuration simplified the string encryption and updated the network protocol. Blog link: https://www.zscaler.com/blogs/security-research/d-evolution-pikabot https://www.zscaler.com/blogs/security-research/d-evolution-pikabot"  
[X Link](https://x.com/anyuser/status/1757106092654690618)  2024-02-12T18:15Z [----] followers, [----] engagements


"ThreatLabz has observed new #Lockbit ransomware attacks following the law enforcement takedown operation last week. The latest ransom note can be found in our GitHub repo: https://github.com/threatlabz/ransomware_notes/blob/main/lockbit/%5Bid%5D.README.txt https://github.com/threatlabz/ransomware_notes/blob/main/lockbit/%5Bid%5D.README.txt"  
[X Link](https://x.com/anyuser/status/1762521408205430863)  2024-02-27T16:53Z [----] followers, [----] engagements


"🚨New threat actor SPIKEDWINE impersonates Indian government officials to deliver WINELOADER malware in a #phishing campaign that targets European diplomats. Check out our technical analysis here: https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader"  
[X Link](https://x.com/anyuser/status/1762534083090149589)  2024-02-27T17:44Z [----] followers, 19.9K engagements


"Threat actors are exploiting unsuspecting users with fake Skype Zoom & Google Meet sites distributing dangerous #RAT malware. Blog link: https://www.zscaler.com/blogs/security-research/android-and-windows-rats-distributed-online-meeting-lures https://www.zscaler.com/blogs/security-research/android-and-windows-rats-distributed-online-meeting-lures"  
[X Link](https://x.com/anyuser/status/1765052653216903569)  2024-03-05T16:32Z [----] followers, [----] engagements


"ThreatLabz has released an IDA plugin to deobfuscate the strings for previous versions of #Pikabot. Read our blog here: The source code for the IDA plugin can be found here: https://github.com/threatlabz/pikabot-deobfuscator https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string-deobfuscation https://github.com/threatlabz/pikabot-deobfuscator https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string-deobfuscation"  
[X Link](https://x.com/anyuser/status/1777358238469558404)  2024-04-08T15:30Z [----] followers, [----] engagements


"#Zloader development continues with new versions that include an anti-analysis feature that prevents samples from being executed on another system after an initial infection. This is likely inspired by the leaked #ZeuS source code that implements a similar feature. Read the full blog here: https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks"  
[X Link](https://x.com/anyuser/status/1784947807679607206)  2024-04-29T14:08Z [----] followers, [----] engagements


"Zscaler ThreatLabz has joined forces with international law enforcement agencies and private industry partners for #OperationEndgame. More details to follow"  
[X Link](https://x.com/anyuser/status/1796036312518340990)  2024-05-30T04:30Z [----] followers, [----] engagements


"#OperationEndgame remotely cleaned #SmokeLoader from infected systems. Check out our blog for technical details: https://zscaler.com/blogs/security-research/operation-endgame-smoke https://zscaler.com/blogs/security-research/operation-endgame-smoke"  
[X Link](https://x.com/anyuser/status/1796215691043131404)  2024-05-30T16:22Z [----] followers, [----] engagements


"The text of the #BlackBasta ransomware note has been updated for the first time in over [--] years: https://github.com/threatlabz/ransomware_notes/blob/main/blackbasta/instructions_read_me.txt https://github.com/threatlabz/ransomware_notes/blob/main/blackbasta/instructions_read_me.txt"  
[X Link](https://x.com/anyuser/status/1799108556698120648)  2024-06-07T15:58Z [----] followers, [----] engagements


"#ValleyRAT developers have updated the malware with new features including device fingerprinting and desktop screen capturing. See our technical analysis here: https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat"  
[X Link](https://x.com/anyuser/status/1800181627143754056)  2024-06-10T15:02Z [----] followers, [----] engagements


"In preparation for #OperationEndgame ThreatLabz researchers performed technical analysis for all versions of #SmokeLoader dating back to [----]. The downloader has proven to be remarkably resilient with continuous improvements to the network communication encryption and obfuscation. Read more here: https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-part-1 https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-part-1"  
[X Link](https://x.com/anyuser/status/1800551902758961585)  2024-06-11T15:33Z [----] followers, [----] engagements


"⚠ There is a new #ransomware group calling themselves #BrainCipher. Ransom note: https://github.com/threatlabz/ransomware_notes/blob/main/braincipher/%5Bid%5D.README.txt https://github.com/threatlabz/ransomware_notes/blob/main/braincipher/%5Bid%5D.README.txt"  
[X Link](https://x.com/anyuser/status/1802756112573477174)  2024-06-17T17:32Z [----] followers, [----] engagements


"#Lockbit has just released data that is allegedly from the Federal Reserve. except this data appears to be from a bank that was recently penalized by the Federal Reserve for "deficiencies in the banks anti-money laundering risk management and consumer compliance programs.""  
[X Link](https://x.com/anyuser/status/1805705436081144183)  2024-06-25T20:51Z [----] followers, 25.9K engagements


"In March [----] ThreatLabz spotted #Kimsuky (aka #APT43) leveraging #TRANSLATEXT to target the South Korean education sector as part of an intelligence collection operation. Read our analysis here: https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia"  
[X Link](https://x.com/anyuser/status/1806428488699871604)  2024-06-27T20:44Z [----] followers, [----] engagements


"ThreatLabz has uncovered new tools from #APT41 including #DodgeBox and #MoonWalk. DodgeBox utilizes EDR evasion techniques including call stack spoofing unhooking APIs and bypassing Control Flow Guard. The purpose of DodgeBox is to deploy the MoonWalk backdoor which leverages @GoogleDrive for C2 communications. Check out Part [--] of our blog series: https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1 https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1"  
[X Link](https://x.com/anyuser/status/1811064916738248907)  2024-07-10T15:48Z [----] followers, 103.3K engagements


"⚠Threat actors are taking advantage of the CrowdStrike BSOD bug to spread malware. ThreatLabz identified a lure that uses a Microsoft Word document that contains instructions on how to recover from the issue. However the document contains a malicious macro that when enabled downloads a poorly detected information stealer from hxxp://172.104.160.126:8099/payload2.txt Stolen data is sent via HTTP POST requests to 172.104.160.126:5000 Malicious Word doc: Info stealer: https://www.virustotal.com/gui/file/4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a"  
[X Link](https://x.com/anyuser/status/1815442461545951710)  2024-07-22T17:43Z [----] followers, 28.6K engagements


"💸ThreatLabz has uncovered a record breaking $75 million payment made by a Fortune [--] company to the #DarkAngels ransomware group. The payment is the single largest ransomware-related transaction ever reported. For more details check out our annual ransomware report: https://www.zscaler.com/campaign/threatlabz-ransomware-report https://www.zscaler.com/campaign/threatlabz-ransomware-report"  
[X Link](https://x.com/anyuser/status/1818290881830834415)  2024-07-30T14:21Z [----] followers, 53.9K engagements


"Zscaler ThreatLabz uncovered a malware campaign using #DarkVision RAT alongside #PureCrypter and #DonutLoader. Our blog covers the attack chain as well as a technical analysis of DarkVision RAT including its persistence network communication protocol plugins and commands. Link: https://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat https://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat"  
[X Link](https://x.com/anyuser/status/1844380363709350262)  2024-10-10T14:12Z [----] followers, [----] engagements


"North Korean threat actors are using the #ContagiousInterview and #WageMole campaigns to secure remote jobs in the West bypassing sanctions with stolen data. ThreatLabz researchers have identified obfuscation enhancements new Windows & macOS package formats and over [---] infected devices. Learn more in our latest blog: https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west"  
[X Link](https://x.com/anyuser/status/1853454234009911319)  2024-11-04T15:08Z [----] followers, [----] engagements


"Zscaler ThreatLabz discovered two new malware families (RevC2 and Venom Loader) deployed using #VenomSpider MaaS Tools. RevC2 uses WebSockets for C2 communication steals cookies and passwords proxies network traffic and enables RCE. Venom Loader is a new malware loader that is customized for each victim hardcoding the victims computer name to encode the payload. Read our technical analysis here: https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader"  
[X Link](https://x.com/anyuser/status/1863636236671521117)  2024-12-02T17:27Z [----] followers, 16.1K engagements


"ThreatLabz has identified a new version of #Zloader 2.9.4.0 that added DNS tunneling for C2 communication. The traffic uses a custom protocol that is encrypted with TLS using the Windows SSPI API. The protocol relies on DNS address (A and AAAA) records to transfer information. Read the full technical analysis here: https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-trick-dns-tunneling https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-trick-dns-tunneling"  
[X Link](https://x.com/anyuser/status/1866523406088409248)  2024-12-10T16:40Z [----] followers, [----] engagements


"ThreatLabz has discovered a new malware family named #NodeLoader that abuses the Node.js framework to deliver second-stage payloads including Lumma Stealer Phemedrone Stealer and XMRig. NodeLoader currently has nearly zero antivirus and EDR detections. Read our technical analysis here: https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-malware-evading-detection https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-malware-evading-detection"  
[X Link](https://x.com/anyuser/status/1867615681946272216)  2024-12-13T17:00Z [----] followers, [----] engagements


"Meet #RiseLoader a new malware family with a network communication protocol that is similar to RisePro. RiseLoader is currently delivering malware payloads such as Vidar Lumma Stealer XMRig and Socks5Systemz. Read the full technical analysis here: https://www.zscaler.com/blogs/security-research/technical-analysis-riseloader https://www.zscaler.com/blogs/security-research/technical-analysis-riseloader"  
[X Link](https://x.com/anyuser/status/1868707990989332583)  2024-12-16T17:21Z [----] followers, [----] engagements


"The Lockbit [---] ransom note has been added to our ransomware notes repository: https://github.com/ThreatLabz/ransomware_notes/blob/main/lockbit/%5Brand%5D.README.txt https://github.com/ThreatLabz/ransomware_notes/blob/main/lockbit/%5Brand%5D.README.txt"  
[X Link](https://x.com/anyuser/status/1869868201431212298)  2024-12-19T22:11Z [----] followers, [----] engagements


"We have added another #Clop ransomware note to our repository for attacks that specifically exploited a zero-day vulnerability in Cleo Harmony VLTrader and LexiCom products: https://github.com/ThreatLabz/ransomware_notes/blob/main/clop/Details_Cleo.txt https://github.com/ThreatLabz/ransomware_notes/blob/main/clop/Details_Cleo.txt"  
[X Link](https://x.com/anyuser/status/1879656215090979192)  2025-01-15T22:25Z [----] followers, [----] engagements


"Raspberry Robin has recently been updated and now contains a privilege escalation exploit for CVE-2024-38196. A sample of this exploit is available here: https://www.virustotal.com/gui/file/d1bd569df4f3f6f4a135931b7e200a865490544ea82b65cef20e20bafe8a34b0 https://www.virustotal.com/gui/file/d1bd569df4f3f6f4a135931b7e200a865490544ea82b65cef20e20bafe8a34b0"  
[X Link](https://x.com/anyuser/status/1879956781360976155)  2025-01-16T18:19Z [----] followers, [----] engagements


"Xloader continues to evolve with new layers of encryption obfuscation and anti-analysis. In our latest blog we examine the latest techniques implemented in Xloader versions [--] and [--] to protect code data and evade endpoint security software. Read the full technical analysis here: https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-1 https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-1"  
[X Link](https://x.com/anyuser/status/1883915458702962773)  2025-01-27T16:30Z [----] followers, [----] engagements


"🚨 ThreatLabz has identified a new ransomware group named Linkc. Ransom note: Data leak site: http://iywqjjaf2zioehzzauys3sktbcdmuzm2fsjkqsblnm7dt6axjfpoxwid.onion https://github.com/ThreatLabz/ransomware_notes/blob/main/linkc/README.TXT https://github.com/ThreatLabz/ransomware_notes/blob/main/linkc/README.TXT"  
[X Link](https://x.com/anyuser/status/1891922820898357446)  2025-02-18T18:48Z [----] followers, [----] engagements


"🔒We have added another ransomware note to our repository for a new group calling themselves AiLock: https://github.com/ThreatLabz/ransomware_notes/blob/main/ailock/ReadMe%5B1%5D.txt https://github.com/ThreatLabz/ransomware_notes/blob/main/ailock/ReadMe%5B1%5D.txt"  
[X Link](https://x.com/anyuser/status/1897365894151721054)  2025-03-05T19:17Z [----] followers, [----] engagements


"HijackLoader is the latest malware family that has added call stack spoofing and virtual machine detection to its arsenal to evade detection. Read the full technical analysis here: https://www.zscaler.com/blogs/security-research/analyzing-new-hijackloader-evasion-tactics https://www.zscaler.com/blogs/security-research/analyzing-new-hijackloader-evasion-tactics"  
[X Link](https://x.com/anyuser/status/1906726584268247208)  2025-03-31T15:13Z [----] followers, [----] engagements


"A new ransomware group named Thor has a victim chat portal with a FAQ written in English AND Russian. Sample ransom note: FAQ shown below: https://github.com/ThreatLabz/ransomware_notes/blob/main/thor/thor.txt https://github.com/ThreatLabz/ransomware_notes/blob/main/thor/thor.txt"  
[X Link](https://x.com/anyuser/status/1917260111250350211)  2025-04-29T16:50Z [----] followers, [----] engagements


"StealC V2 includes enhanced information stealing RC4 encryption and a new control panel with an embedded builder that allows operators to customize payload rules based on geolocation HWID and installed software. ThreatLabz has observed StealC V2 being deployed via Amadey and conversely it being used to distribute StealC V2. Dive into our analysis here: https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid-changes-stealc https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid-changes-stealc"  
[X Link](https://x.com/anyuser/status/1917961930075197810)  2025-05-01T15:18Z [----] followers, [----] engagements


"ThreatLabz has uncovered a new malware loader that we have named TransferLoader. Active since Feb [----] TransferLoader uses advanced evasion techniques and control flow obfuscation along with a backdoor component that utilizes the InterPlanetary File System peer-to-peer platform as a fallback C2 channel. Check out our full analysis: https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader"  
[X Link](https://x.com/anyuser/status/1922669194782622052)  2025-05-14T15:03Z [----] followers, [----] engagements


"⚡ Zscaler ThreatLabz has identified a new Rhadamanthys version that is being distributed through CoffeeLoader with a new configuration structure. The changes include the addition of FastLZ compression for C2 URLs and a new Base64 custom character set. Sample hash: 07a9f78963c300ef09481ab597fbd6251cd7d5ca6b1c83056f1747300650bc4c Sample C2: https://107.189.28.160:4096/HbTaQwW5z38xHKTdU6J2SRpwSzq9kzhg/5dw66tsl.h19u5"  
[X Link](https://x.com/anyuser/status/1925228814503952444)  2025-05-21T16:34Z [----] followers, [----] engagements


"A programming flaw in DanaBot's C2 server code introduced "DanaBleed" a memory leak exposing sensitive internal data between [----] to [----]. Zscaler ThreatLabz has published a technical analysis that explores how the leak occurred its impact and the insights it revealed into DanaBots infrastructure and operations. Check out our technical analysis: https://www.zscaler.com/blogs/security-research/danableed-analysis-c2-server-memory-leak-bug https://www.zscaler.com/blogs/security-research/danableed-analysis-c2-server-memory-leak-bug"  
[X Link](https://x.com/anyuser/status/1932097406944026726)  2025-06-09T15:28Z [----] followers, [----] engagements


"ThreatLabz has observed Bumblebee distributing DonutLoader embedded with StealC v2. Bumblebee config: StealC config: C2: http://nispgael.biz/7321a45c92764723.php Botnet ID: winmtr RC4 key: 140877183e614f06 Expiration date: 10/08/2025 https://github.com/ThreatLabz/iocs/blob/main/bumblebee/c2s.txt https://github.com/ThreatLabz/iocs/blob/main/bumblebee/c2s.txt"  
[X Link](https://x.com/anyuser/status/1945881983680405570)  2025-07-17T16:23Z [----] followers, [----] engagements


"Zscaler ThreatLabz has published a technical analysis of Operation GhostChat and Operation PhantomPrayers in which a China-nexus APT group targeted the Tibetan community to deploy Ghost RAT and PhantomNet. These campaigns used strategic web compromises and social engineering tied to the Dalai Lama's 90th birthday. Read our full analysis here: https://www.zscaler.com/blogs/security-research/illusory-wishes-china-nexus-apt-targets-tibetan-community https://www.zscaler.com/blogs/security-research/illusory-wishes-china-nexus-apt-targets-tibetan-community"  
[X Link](https://x.com/anyuser/status/1948036077601841357)  2025-07-23T15:02Z [----] followers, [----] engagements


"BlackSuit ransomware's negotiation portal and data leak site are now displaying a seizure notice as part of Operation Checkmate"  
[X Link](https://x.com/anyuser/status/1948492780235317485)  2025-07-24T21:17Z [----] followers, [----] engagements


"⚡ Zscaler ThreatLabz has identified a new Rhadamanthys variant that has changed the magic bytes for the configuration structure from RHA to BEEF. Sample hash: eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662 Sample C2: https://192.30.242.210:8888/gateway/qq7o8k3h.fnliq"  
[X Link](https://x.com/anyuser/status/1950949733935223110)  2025-07-31T16:00Z [----] followers, [----] engagements


"Zscaler ThreatLabz revisits Raspberry Robin in our latest analysis. Recent updates include enhanced obfuscation a shift to ChaCha-20 encryption a randomized RC4 key seed per campaign and a new privilege escalation exploit (CVE-2024-38196). Check out our analysis: https://www.zscaler.com/blogs/security-research/tracking-updates-raspberry-robin https://www.zscaler.com/blogs/security-research/tracking-updates-raspberry-robin"  
[X Link](https://x.com/anyuser/status/1952380641754202136)  2025-08-04T14:46Z [----] followers, [----] engagements


"Zscaler ThreatLabz has released a technical analysis detailing how threat actors are leveraging generative AI tools to craft phishing pages that steal sensitive information and defraud victims. These sites have many telltale signs of GenAI including code patterns excessive comments and templating. Check out our analysis here: https://www.zscaler.com/blogs/security-research/genai-used-phishing-websites-impersonating-brazil-s-government https://www.zscaler.com/blogs/security-research/genai-used-phishing-websites-impersonating-brazil-s-government"  
[X Link](https://x.com/anyuser/status/1952740164205465794)  2025-08-05T14:35Z [----] followers, [----] engagements


"ThreatLabz has identified #IcedID dropping #CobaltStrike with the following C2 servers: hxxps://appsoftwareupdate.com/Kill/interface/6XI6K00M3L hxxps://appsoftwareupdate.com/Admin/images/EFDXAVXRRW dns.building4business.net:53/ dns.building4business.net:53/dev/coke/CQHL5IYQF"  
[X Link](https://x.com/anyuser/status/1715037700766790005)  2023-10-19T16:10Z [----] followers, [----] engagements


"The #Akira ransomware group is using #jQuery Terminal which is a web-based JavaScript terminal emulator to create a retro look and feel for their data leak site: https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion"  
[X Link](https://x.com/Threatlabz/status/1651956941437145089)  2023-04-28T14:30Z [----] followers, 43.2K engagements


"Check out our technical analysis of #Qakbots [--] year evolution. From a banking trojan to an initial access broker the threat group has proven to be remarkably resilient with continuous improvements to the network communication encryption and obfuscation. Blog link: https://www.zscaler.com/blogs/security-research/tracking-15-years-qakbot-development https://www.zscaler.com/blogs/security-research/tracking-15-years-qakbot-development"  
[X Link](https://x.com/Threatlabz/status/1752731722528207140)  2024-01-31T16:33Z [----] followers, [----] engagements


"🕷 The initial access broker using #Latrodectus is back The group has resurrected the malware loader less than a month after #OperationEndgame. #BruteRatel is currently being used to drop Latrodectus. Sample BruteRatel SHA256 hash: 5b18441926e832038099acbe4a90c9e1907c9487ac14bdf4925ac170dddc24b6 BruteRatel C2s: https://barsen.monster:7444/bookmarks.php https://barsen.monster:7444/work.php https://kurvabbr.pw:7444/bookmarks.php https://kurvabbr.pw:7444/work.php Latest Latrodectus C2s: https://lettecoft.com/live/ https://ultroawest.com/live/ https://tristgodfert.com/live/"  
[X Link](https://x.com/Threatlabz/status/1804918852528357791)  2024-06-23T16:46Z [----] followers, 29.8K engagements


"Check out Part [--] of our technical analysis of the new #MoonWalk backdoor used by #APT41 that uses obscure Windows Fibers (an alternative to threads) to evade EDR and implements an encrypted custom binary protocol using @GoogleDrive to blend in with legitimate network traffic. Link: https://www.zscaler.com/blogs/security-research/moonwalk-deep-dive-updated-arsenal-apt41-part-2 https://www.zscaler.com/blogs/security-research/moonwalk-deep-dive-updated-arsenal-apt41-part-2"  
[X Link](https://x.com/Threatlabz/status/1811433824766873615)  2024-07-11T16:14Z [----] followers, [----] engagements


"Check out our technical analysis of the #Copybara Android malware family. The latest variant uses the MQTT protocol for C2 communication and contains a significant number of capabilities including keylogging audio & video recording SMS hijacking screen capturing credential stealing and remotely controlling an infected device. Copybara has been recently observed targeting victims in Italy and Spain to conduct cryptocurrency and financial theft. Read our analysis here: https://www.zscaler.com/blogs/security-research/technical-analysis-copybara"  
[X Link](https://x.com/Threatlabz/status/1826657918240034828)  2024-08-22T16:29Z [----] followers, [----] engagements


"Check out our technical analysis of #RaspberryRobin's multilayered approach to thwarting analysis and evading detection. Read the full technical analysis here: https://www.zscaler.com/blogs/security-research/unraveling-raspberry-robin-s-layers-analyzing-obfuscation-techniques-and https://www.zscaler.com/blogs/security-research/unraveling-raspberry-robin-s-layers-analyzing-obfuscation-techniques-and"  
[X Link](https://x.com/Threatlabz/status/1858921006699868649)  2024-11-19T17:11Z [----] followers, 30K engagements


"☕ ThreatLabz has discovered a new sophisticated malware threat that we have named CoffeeLoader. The malware is a loader that implements numerous stealthy techniques to evade antivirus and EDRs via call stack spoofing sleep obfuscation and Windows fibers. The malware is also protected using a packer that leverages GPU code to thwart sandboxes and virtual environments. On the network side CoffeeLoader implements a custom encrypted binary protocol uses a DGA as a backup channel and performs certificate pinning to prevent TLS introspection. CoffeeLoader is currently being distributed through"  
[X Link](https://x.com/Threatlabz/status/1904915721265832400)  2025-03-26T15:17Z [----] followers, 21.4K engagements


"Zscaler ThreatLabz has published a deep dive on 🐼Mustang Pandas latest arsenal including updates to the ToneShell backdoor and a newly discovered lateral movement tool that we have named StarProxy. Read our full technical analysis here: https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1 https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1"  
[X Link](https://x.com/Threatlabz/status/1912528944936677627)  2025-04-16T15:30Z [----] followers, [----] engagements


"Zscaler ThreatLabz continues its exploration of Mustang Panda tools by analyzing two new keyloggers that we have named PAKLOG & CorKLOG and an EDR tampering tool that we have named SplatCloak. Learn how this APT evades detection: https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-paklog-corklog-and-splatcloak-p2 https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-paklog-corklog-and-splatcloak-p2"  
[X Link](https://x.com/Threatlabz/status/1912555857453437299)  2025-04-16T17:17Z [----] followers, [----] engagements


"👮🛑Operation Endgame has once again simultaneously targeted multiple malware threat groups. One of the targets of the operation was DanaBot which ThreatLabz has been tracking over the past [--] years. The groups activity has included both criminal and perhaps most interestingly nation-state attacks. Learn more here: Our free DanaBot detection tool can be downloaded here: https://github.com/ThreatLabz/danadetector https://www.zscaler.com/blogs/security-research/operation-endgame-2-0-danabusted https://github.com/ThreatLabz/danadetector"  
[X Link](https://x.com/Threatlabz/status/1925631807459872966)  2025-05-22T19:16Z [----] followers, [----] engagements


"Zscaler ThreatLabz examines updates to Anatsa malware that now targets more than [---] global financial and cryptocurrency applications. In the latest version Anatsa has implemented enhanced encryption device-specific payload restrictions and keylogger functionality. Anatsa continues to use decoy applications that are distributed via the Google Play Store with some of these apps exceeding [-----] installations. Read our full technical analysis here: https://www.zscaler.com/blogs/security-research/android-document-readers-and-deception-tracking-latest-updates-anatsa"  
[X Link](https://x.com/Threatlabz/status/1958558456165904751)  2025-08-21T15:54Z [----] followers, [----] engagements

Limited data mode. Full metrics available with subscription: lunarcrush.com/pricing