Axel F

🚩 #404TDS URLs: - https://select-holidays[.]com/vfk6c - http://khel999[.]com/vks6o - https://lookingthroughtheturn[.]com/vbu4b Lead to #Lumma Stealer from: - https://documents[.]notificationsapps[.]com/Document.iso C2: http://gapi-node[.]io/c2conf [+] Sample: bazaar.abuse.ch/sample/a8c2dc9… [+] Same C2 also spotted in a #ClearFake campaign rapid7.com/blog/post/2023…

Emails using #Tax lure spreading #404TDS URLs

this is an old C2 that was also used in 2023-01-26 sample 34104f2ee58f629d7222cce339a24db5. However its still active and Bitter has been recently using other, even older C2's

#Bitter #APT #CHM 410ef267cd56b74c6a7578947efb3b66 Upgradation of Systems Document.chm wbfashionshow[.]com

Another #Spyder from #Sidewinder #APT - Md5 930f288c9f9ed516f7eaec8f1ccbfc02 hxxp[:]//libreofficeupdates[.]com/drive/files.php hxxp[:]//libreofficeupdates[.]com/drive/includes.php

HTML cred phish for #India gov email portal. #APT 488ddfb1fec1408ecf7e9464246374c3 "letter dt 20.06.2023" > hxxp[:]//samedaywalkintub[.]ca/mail.gov.in/

quick look: (a) network traffic is similar including data and headers (b) many same strings in binary, etc

#Spyder malware looks to be an update of #WarHawk malware from #Sidewinder #APT 1f4b225813616fbb087ae211e9805baf BAF Operations Report CamScannerDocument.exe c2 hxxp[:]//plainboardssixty[.]com/drive/bottom.php

More samples (same c2): 53b3a018d1a4d935ea7dd7431374caf1 Naxal VPN Version2.2 Setup.exe 1f599f9ab4ce3da3c2b47b76d9f88850 Naxal VPN Version2.2 Setup.exe

@__0XYC__ Similar macro to d2bebe3912a5700d76635af29f098cfb twitter.com/JVPv5sIM3eFmGy…

Hindi variables - seeking faster attribution ? winners-final.xls 7f3e405d6e9fb03de14551e19e3dfccb hxxps://mega.nz/file/mTZngbYZ#dm3HkJr-uVp3PUPv-Zw3g5c184gSLMrwfARBVRS3Ek8 hxxps://online-csdgovpk.servehttp.com/images/pmdu_finance_2.jpg #APT hosting maldocs @MEGAprivacy

Are you Small? Medium? Are you a business? I wrote a thing about you! Using @Proofpoint_SME data @threatinsight found SMBs are hot targets for APT threat actors looking for key #espionage info, financial gain, or hoping to launch supply chain attacks proofpoint.com/us/blog/threat…

@0xToxin @JAMESWT_MHT @James_inthe_box @Max_Mal_ @executemalware @pr0xylife @AnFam17 @ankit_anubhav @Gi7w0rm @reecdeep @Iamdeadlyz URL eg https[:]//worldinsolvency[.]org/[5 chars] > https[:]//jessicacorry[.]com/z/ serves JS JS gets http[:]//212.113.116[.]147/vio.sct > a6fa27178032b9250c4fdb0da23f6766 VBS gets MSI (screenshotter inside) http[:]//176.124.217[.]20/%serial% > 7867270e7aca7998d97d1a6235d27f10

@0xToxin @JAMESWT_MHT @James_inthe_box @Max_Mal_ @executemalware @pr0xylife @AnFam17 @ankit_anubhav @Gi7w0rm @reecdeep @Iamdeadlyz 404 TDS URLs -> JS -> .sct VBS (#WasabiSeed) -> #Screenshotter (inside MSI) #TA866

@CloisterNunmonk @threatinsight @proofpoint Hi, test if its blocked at click-time (chances are it is). That is part of your protection for URLs.

@threatinsight @proofpoint And on January 9th, our ProofPoint appliance let one of these through as clean.

With bonus and #salary reviews coming up, threat actors know it and are using these lures for #socialengineering. On January 10th 2023, @proofpoint observed emails with #phishing links purporting to be from #HumanResources and utilizing bonus and #payraise lures.

#Sidewinder #APT d0ca92ce29456931ad14aed48c3ea93f 未命名的附件 00002[.]zip 5356a1193252b4fb2265fc8ac10327a1 .lnk hxxps://mailtsinghua[.]sinacn[.]co/3679/1/55554/2/0/0/0/m/files-94c98cfb/hta

New variant of #Emotet Excel lure, slight variation where "Relaunch Required" instructions (to bypass Office macro security measures) are in green box instead of yellow. Example file: W-9 form.xls 703d6f27c9b54b604f58d3d853c328f6cd51b8598af4dedb4ae0ddea3074ef38

Today Proofpoint observed the #Emotet E4 botnet delivering what seems to be a development build of a new #IcedID Loader. This module has the ID 2445 and directly downloads the IcedID bot.

A particularly interesting #Emotet email in #France is spoofing "Chambre des Notaires de Paris." #Emotet emails are targeting many countries, including the United States, United Kingdom, Japan, Germany, Italy, France, Mexico, and Brazil.

@__0XYC__ + f97d5d3e1c2ceb3e9d23ae5b5d4e7c9857155df5acf7f67fee995cb041c797dc 33-Advisory-No-33-2022.pdf.iso 58b3686e4255d32dbcf7dee9dac1d5be6d4692d086cde167da1e1a5e0e1b315a 32-Advisory-No-32.iso

circular_29092022.iso cd592c969a3a940e43888a1902ec9e4605ed28676d3945ab84d72175fbc87253 bbcca0dc10b700c01e557612f009c050ca618f227e0b8be3d4f471dd9d887a18 NisSrv.exe #APT

That's how ! treat actor getting started 🤫 comsats-mail[.]pk #gophish

@__0XYC__ @StopMalvertisin +2 b82580cd92afe20e3a51ec92fb46053b3f78c93cf57811d94ac9fe14d3a5e21f List of Officers and amount deducted for floods 2022.xlsm 9133388cf8754dc7bb98031dad59333868f441c303264b9218a900c8079cfafc List of Officers and amount deducted for floods 2022.xlsm

List of Officers and amount deducted for floods 2022.xlsm 081ff426ca94307aee5afaf02e76e908b8d63cb58c7c8b9df41ac66114612c29 hxxps://r.mailflix.live/967ebc5fcda61b83d8d8eb66e26c75e3rWngLux0HKBIz #APT Password: SEP2022 CC @StopMalvertisin