MalasadaTech

This was the lead. I tried to find the activity Malwarebytes was talking about. I couldn't find that one, but ended up with this one. Here's the link to the Malwarebytes article. malwarebytes.com/blog/threat-in…

Google Meet-themed lure delivering Datto RMM googgle[.]click >> hxxps://store-na-phx-3.gofile[.]io/download/direct/e5dcdce3-d78a-46d0-8c02-a0fbd2a21bcd/GoogleMeet.exe Pulse link: otx.alienvault.com/pulse/69ad01b3…

New YAPA post: blog.lukeacha.com/2026/03/yapa-a… In addition I was able to pivot to another interesting sample zipsphere, which might be a worth look.

A fake Zoom meeting site mimics a video call, then uses an “Update Available” countdown to automatically download a malicious installer onto Windows machines—no permission required. bit.ly/4qXyLp7

@Namecheap fake @Zoom Website spread malware https://uswebzoomus.]com/zoom https://uswebzoomus.]com/zoom/process.php?download=1 👇 virustotal.com/gui/file/644ef… 👇 bazaar.abuse.ch/sample/c73b756… 👇 app.any.run/tasks/88ca5549…

They sent my mom a smish, so I'm sharing their infra. Not sure if they're all on 47.245.93[.]160, but there's a lot of Hawaii subdomains on it. 1,007 domains created this month. You can use the pattern in the snip w/Silent Push. AlienVault Pulse here: otx.alienvault.com/pulse/69a3a0ad…

Anyone have a good way to monitor new @GoogleAds for a specific domain?

@Gootloader @GoogleAds Just periodic manual checks. I'm interested to see if there's a better way.

GalacticPDF Analysis: blog.lukeacha.com/2026/02/galact…

🚨Tax Season is Phishing Season: How IRS Lures are Dropping RMM Backdoors In our last report blog.knowbe4.com/the-skeleton-k… we highlighted how threat actors weaponized Social Security notifications to deploy RMM tools. Now, they’ve pivoted to the next seasonal hook: IRS and Tax Document Verification. It’s a classic example of how social engineering adapts to the calendar. When the lure matches the season, the "Human Risk" sky-rockets. The "Skeleton Key" Tactic Attackers are shifting from custom malware to legitimate Remote Monitoring and Management (RMM) tools. By exploiting the urgency of tax season, they trick users into "verifying" documents, which instead installs a persistent backdoor using signed, trusted software. What we’re seeing: The Hook: Emails masquerading as IRS tax refund alerts or document verification requests. The Payload: Deployment of RMM tools like ScreenConnect, Simplehelp remote access. The Goal: Establishing "low-friction" remote access that blends into normal IT traffic. 🛡️ IOCs TO MONITOR AND BLOCK: hxxps://zippyokwidth[.]mypi[.]co/ woodcareexpert[.]com hxxps://clickme.thryv[.]com/ hxxps://www[.]zikomarket[.]com/bootstrapp/54321[.]html lrs.gov-information959439494242us[.]com lrs.gov-information[.]app Digitalseosociety[.]com coxomail[.]com Email Subject Pattern: Your tax document is ready-Doc ID: xxxx New Mandatory Policy: Immediate Upload of Employee W-2 Forms xxx #CyberSecurity #Phishing #ThreatIntelligence #KnowBe4 #HumanRisk #TaxScams #IRS #RMM

@MalasadaTech kingsearchresults..... hmmmmm

@MalasadaTech also has same URI structures and talks to pdfappup[.]com and starrtlightspirit[.]com

@MalasadaTech Rust based, the embedded PE file is pdfium.dll. app.any.run/tasks/b71ca08e… HTTP comms to hopinpoint[.]com. Some custom encoded traffic here that I have not played with yet.

@rifteyy @skocherhan Thanks! Certificate has been reported. In regards to funny certificates, my favorite signer has been "Just Add Water Italian Pizza Bread Pasta Mix Ltd." ea18b965ab43d927a1d690f395f4e2b55a15db9744f68454a86b5508b302c404 The payload was a fake Adobe installer.

Popular Text Editor Notepad++ was compromised by a nation state attacker presumably from June through December 2, 2025. The state actor used the access to reroute software update traffic to attacker controlled servers making this a supply chain attack. notepad-plus-plus.org/news/hijacked-…

@MalasadaTech this relation in virustotal (b7e3b66d28429c07714bb0b8e9487bc9) suggests another browser search hijacker

@luke92881 Nice! Looks like YAPA. Thanks for the tag! Unfortunately I will not be able to look into it =[ I'm studying for the CCNP Security cert...

@MalasadaTech YAPA... Galacticpdf (97e814385de850e7dbc934e2c8cdce46).

Thorough analysis of AnyPDF malware by @rifteyy The code-signing certificate has been reported for revocation; was signed by "Lupus Tech Limited" and added to TheCertGraveyard.

🚨 PHISH ALERT: When Legitimate Software Becomes First-Stage Payload: The RMM Problem" KnowBe4 ThreatLabs tracking sophisticated campaign weaponizing Social Security notifications to deploy RMM tools (SimpleHelp Remote Access Client) as persistent backdoors. No traditional malware. Just trusted IT software. 🧵👇 🎯 ATTACK CHAIN: Fake SSA email ("Statement Ready") → Social_Security_eStatement__Pdf.exe → Legitimate RMM agent install → Pre-configured attacker access → Bypass AV/EDR entirely 🔴 CRITICAL SHIFT: RMM exploitation is now a "first-stage" payload standard across threat actors—from scammers to APTs. Why? Because: ✓ Digitally signed = trusted ✓ Legitimate software = no AV flags ✓ "ClickFix" social engineering = user executes willingly 🚩 DETECTION INDICATORS: 📧 Subject Pattern: "Social Security Statement" + urgency 📎 Filename: Social_Security_eStatement_*_Pdf.exe ⚠️ Executable masquerading as PDF 🔧 Unexpected RMM tool installation 🛡️ IOCs TO MONITOR AND BLOCK: Sender Email: “info@nsgrafica[.]ao” “safetraining@infinity47[.]ro” URLs: h_ps://microninfo[.]com/wp-admin/red-6578423[.]php/?[email] h_ps://api[.]ssstik[.]net/red-6256923[.]php/?[email] h_ps://tradebazaarenterprise[.]com/wp-content/red-6552123[.]php/?[email] h_ps://nbfoodcentre[.]com/wp-content/red-52489625[.]php/?[email] h_ps://www[.]misbookrights[.]com/wp-includes/sitemaps/FHB3yr6tg[.]php/?[email] h_ps://adronestates[.]com/mzxlkoe/Ugmj4t8t432[.]php/?[email] h_ps://armaheat[.]com/wp-includes/HFB73gfa[.]php/?[email] h_ps://capitalguidex[.]com/clzresw/HFB73gfa[.]php/?[email] h_ps://dars360[.]com/wp-content/red-6226923[.]php/?[email] h_ps://greeninovation[.]com/sin1fpk/HFB73gfa[.]php/?[email] h_ps://kim88game[.]com/wp-includes/red-525684625[.]php/?[email] h_ps://login[.]suffrenalawnservice[.]com/red-6294423[.]php/?[email] h_ps://moonageajans[.]com/lckifvz/HFB73gfa[.]php/?[email] h_ps://preprod[.]conversionprollp[.]com/wp-content/Ugmj4t8t432[.]php/?[email] h_ps://test1[.]thanglon[.]com/wp-includes/sitemaps/Ugmj4t8t432[.]php/?[email] h_ps://thetoysharing[.]com/wp-includes/FHB3yr6tg[.]php/?[email] h_ps://wordpress[.]spepchurch[.]org/red-6289923[.]php/?[email] h_ps://social-security-update[.]codconnect[.]com #Phishing #RMM #ThreatIntel #SSAScam #CyberSecurity #InfoSec