Malware Patrol (@MalwarePatrol)

33.9K posts
Malware Patrol's cyber #threatintelligence solutions offer a comprehensive view of the external threat landscape. #infosec #cybersec #APT #malware #phishing

USA and Brazil. Joined March 2009
1.8K Following, 8.9K Followers

Malware Patrol reposted
SpiderLabs @SpiderLabs
Following the iOS phishing campaign, threat actors are now targeting #Android users with invitation emails to test fake #ChatGPT and #Meta advertising apps. These messages push malicious apps delivered through "firebase-noreply@google.com" via Firebase App Distribution, a legitimate #Google service for distributing pre-release apps to testers. Once installed, these apps request Facebook credentials, leading to phishing and account takeover.
IOCs:
Package names: com.OpenAIGPTAds, com.opengpt.ads, com.meta.adsmanager
Malicious email domains: thcsmyxa-nd[.]com, moitasec[.]com, tourmini[.]site, ocngongiare[.]com, disanviet[.]homes, itrekker[.]space
Quoted post, SpiderLabs @SpiderLabs:

Phishing Emails Push Fake ChatGPT and Gemini iOS Apps To Steal Facebook Credentials 🪝 Phishing emails impersonating #ChatGPT and #Gemini are pushing users to download malicious #Apple iOS apps from the App Store. Disguised as business or ads management tools, these apps prompt for #Facebook credentials, leading to credential harvesting.
IOCs:
hxxps[://]apps[.]apple[.]com/au/app/geminiai-advertising/id6759005662
hxxps[://]apps[.]apple[.]com/au/app/ads-gpt/id6759514534
#CyberSecurity #Cybersec #MailMarshal #Levelblue #Spiderlabs #Scams #BEC #Phishing #Infosec #CyberAwareness

Malware Patrol reposted
0x6rss @0x6rss
My blog is now live: "The Close Relationship Between Telegram Bots and Threat Actors" new stealers, their log structures, telegram bot C2 infrastructure, and threat actors who hacked themselves while building their own 👉 cti.monster/blog/2026/03/2… happy hunting!
Malware Patrol reposted
TrendAI™ Research @trendai_RSRCH
Azure administrative operations remain a prime target for attackers. Our research outlines how privilege escalation, monitoring evasion, and destructive actions unfold on the control plane. Learn more: research.trendmicro.com/3MXlfUR
Malware Patrol reposted
The Shadowserver Foundation @Shadowserver
We added Microsoft SharePoint CVE-2026-20963 (post-auth deserialization RCE) to our scanning & daily feeds. 1109 IPs found running vulnerable instances worldwide (close to 1900 FQDNs) on 2026-03-19, with 510 IPs in the US. Dashboard World Map: dashboard.shadowserver.org/statistics/com…
Malware Patrol reposted
The OSINT Newsletter @osintnewsletter
Who actually posted that first? 🕵️ Who Posted What from @henkvaness, @danielendresz and @djnemec lets you search Facebook by keyword and date - so you can trace where content originated and track how it spread. Free to use: whopostedwhat.com
Quoted post, The OSINT Newsletter @osintnewsletter:

🚨 Launching: The OSINT Tools Library A curated, investigator-first directory of tools used in real cases. → Tools.OSINTNewsletter.com We’re building the largest and best maintained OSINT tools resource and need your help. Reply and tag a tool we should add 👇

Malware Patrol @MalwarePatrol
Top Brute Force IPs 176.65.128.158 84.247.147.74 60.251.54.203 23.137.105.55 154.26.139.222 84.247.147.209 161.97.115.157 95.174.113.63 45.153.34.104 45.153.34.106 34.80.38.201 84.247.147.238
Malware Patrol @MalwarePatrol
Top Malicious IPs 74.115.51.9 213.186.33.16 66.147.242.174 104.21.65.87 172.67.189.179 211.97.84.77 198.23.50.111 8.218.200.39 213.186.33.17 149.56.178.73 95.173.180.244 54.83.252.56
Malware Patrol @MalwarePatrol
Top Malware Hashes 59ce0baba11893f90527fc951ac69912 8bdd2cdd39b2ad7b679faa50f629ce2b 3849f30b51a5c49e8d1546960cc206c7 eec5c6c219535fba3a0492ea8118b397 a73ddd6ec22462db955439f665cad4e6 ecf47832c60945488d601012e568b663
Malware Patrol reposted
OSINT Combine @osintcombine
A couple of conflict monitoring dashboards worth checking out. If you’re tracking developments, these provide helpful situational snapshots to support your analysis: monitor-the-situation.com and usvsiran.com
Malware Patrol reposted
D4rk_Intel @d4rk_intel
: ))! @KagiHQ - is another powerful search engine that helps investigators, researchers, and analysts navigate their hunts without noise > No ad-free, customizable results, AI assistants (opt-in), and "lenses" to filter searches. Great SE to give a try!! #OSINT #Cybersecurity
Malware Patrol reposted
Microsoft Threat Intelligence @MsftSecIntel
Microsoft Defender researchers uncovered a campaign that lured users into running trojanized gaming utilities (Xeno.exe or RobloxPlayerBeta.exe) distributed through browsers and chat platforms, leading to the deployment of a remote access trojan (RAT). A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar. This downloader used PowerShell and living-off-the-land binaries (LOLBins) like cmstp.exe for stealthy execution. It evaded detection by deleting the initial downloader and by adding Microsoft Defender exclusions for the RAT components. It also added persistence using a scheduled task and startup script named world.vbs. Finally, it deployed the final payload, a multi-purpose malware that acted as loader, runner, downloader, and RAT. The RAT connected to the IP address 79.110.49[.]15 for command and control (C2), enabling threat actors to perform various actions like data theft and additional payload deployment. Microsoft Defender detects the malware and malicious behavior observed across the attack chain.
To defend against this threat, follow these recommendations:
- Block/monitor outbound connections to listed domains/IP addresses and alert on downloads of java[.]zip or jd-gui.jar from non-corporate sources.
- Hunt for the related processes and components.
- Audit Microsoft Defender exclusions and scheduled tasks for random names; remove malicious tasks and startup scripts.
- Isolate affected endpoints, collect endpoint detection and response (EDR) telemetry, and reset credentials for users active on compromised hosts.
Indicators of compromise:
- decompiler.exe (SHA-256: 48cd5d1ef968bf024fc6a1a119083893b4191565dba59592c541eb77358a8cbb)
- jd-gui.jar (SHA-256: a33a96cbd92eef15116c0c1dcaa8feb6eee28a818046ac9576054183e920eeb5)
- worldview.db-wal/StandardName.exe (SHA-256: 4442ba4c60a6fc24a2b2dfd041a86f601e03b38deab0300a6116fea68042003f)
- world.vbs (SHA-256: 65f003998af7dd8103607c8e18ef418b131ba7d9962bd580759d90f4ac51da36)
- powercat[.]dog:443; remote IP 79.110.49[.]15
Malware Patrol reposted
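Several posts in this feed (the SpiderLabs package names and domains, the Malware Patrol IP and hash lists, the Microsoft indicators above) publish indicators in defanged form (hxxps, [.], [://]). The following is an added example, not code from Malware Patrol or from any of the quoted posts, showing how a practitioner turns such a list into a matcher: refang the values in memory only, validate that each value has the shape its category claims (so a typo in a feed fails loudly instead of becoming a pattern that never fires), and scan log lines with boundary-aware patterns so that 176.65.128.1 does not match 176.65.128.158 and com.opengpt.adsmanager does not match com.opengpt.ads. The log lines are constructed for the example; the indicator values are the ones posted above.

```python
import re
from typing import List, Optional, Pattern, Tuple

# Indicators copied from the posts above, tagged with the type each post
# assigns them. They stay defanged at rest; refang() undoes that only when
# building patterns, so the list itself is never an accidentally live link.
INDICATORS: List[Tuple[str, str]] = [
    ("domain", "thcsmyxa-nd[.]com"),
    ("domain", "moitasec[.]com"),
    ("domain", "powercat[.]dog"),
    ("package", "com.OpenAIGPTAds"),
    ("package", "com.opengpt.ads"),
    ("package", "com.meta.adsmanager"),
    ("ipv4", "176.65.128.158"),
    ("ipv4", "45.153.34.104"),
    ("ipv4", "79.110.49[.]15"),
    ("md5", "59ce0baba11893f90527fc951ac69912"),
    ("sha256", "a33a96cbd92eef15116c0c1dcaa8feb6eee28a818046ac9576054183e920eeb5"),
    ("url", "hxxps[://]apps[.]apple[.]com/au/app/ads-gpt/id6759514534"),
]

# Shape checks per indicator type; a value that fails its check is rejected.
SHAPE = {
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "domain": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I),
    "package": re.compile(r"^[a-z][a-z0-9_]*(?:\.[a-z0-9_]+)+$", re.I),
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
    "url": re.compile(r"^https?://\S+$", re.I),
}


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in threat-intel posts."""
    out = ioc.strip()
    out = re.sub(r"^hxxp", "http", out, flags=re.I)
    for defanged, clean in (("[://]", "://"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        out = out.replace(defanged, clean)
    return out


def compile_indicators(indicators=INDICATORS) -> List[Tuple[str, str, Pattern]]:
    """Refang, validate and compile each indicator into a boundary-aware regex."""
    compiled = []
    for kind, raw in indicators:
        value = refang(raw)
        if kind not in SHAPE or not SHAPE[kind].match(value):
            raise ValueError(f"{raw!r} does not look like a {kind}")
        esc = re.escape(value)
        if kind == "ipv4":                     # not a prefix/suffix of a longer address
            pat = r"(?<![\d.])" + esc + r"(?![\d.])"
        elif kind in ("md5", "sha256"):        # not embedded in a longer hex run
            pat = r"(?<![0-9a-f])" + esc + r"(?![0-9a-f])"
        elif kind == "url":                    # literal substring match
            pat = esc
        elif kind == "domain":                 # subdomains match, "notevil.com" does not
            pat = r"(?<![\w-])" + esc + r"(?![\w-])"
        else:                                  # Android package: whole name only
            pat = r"(?<![\w.-])" + esc + r"(?![\w.-])"
        compiled.append((kind, value, re.compile(pat, re.I)))
    return compiled


def scan(lines: List[str], compiled: Optional[List[Tuple[str, str, Pattern]]] = None
         ) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, indicator type, refanged value) for every hit."""
    compiled = compiled if compiled is not None else compile_indicators()
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, value, pat in compiled:
            if pat.search(line):
                hits.append((n, kind, value))
    return hits


# Constructed sample log lines (proxy, DNS, firewall, EDR, MDM); lines 6 and 7
# are deliberate near-misses that a naive substring search would flag.
SAMPLE_LOGS = [
    "1773912000.123 45 10.0.0.7 TCP_MISS/200 1024 GET https://apps.apple.com/au/app/ads-gpt/id6759514534 - HIER_DIRECT/17.253.1.1 text/html",
    "Mar 19 10:02:11 dns named[1234]: client 10.0.0.7#53421: query: powercat.dog IN A +",
    "Mar 19 10:03:05 fw kernel: IN= OUT=eth0 SRC=10.0.0.7 DST=79.110.49.15 PROTO=TCP SPT=51234 DPT=443",
    r"2026-03-19T10:04:00Z host=ws17 event=process_create image=C:\Users\a\AppData\Local\Temp\jd-gui.jar sha256=a33a96cbd92eef15116c0c1dcaa8feb6eee28a818046ac9576054183e920eeb5",
    "2026-03-19T10:05:00Z device=pixel-9 event=app_install package=com.opengpt.ads",
    "Mar 19 10:06:00 fw kernel: IN= OUT=eth0 SRC=10.0.0.7 DST=176.65.128.1 PROTO=TCP DPT=22",
    "2026-03-19T10:07:00Z device=pixel-9 event=app_install package=com.opengpt.adsmanager",
]

if __name__ == "__main__":
    for n, kind, value in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} {value}")
```

Running it reports one hit each on lines 1 through 5 and nothing on the two near-miss lines. Swap SAMPLE_LOGS for a file iterator to run it over real telemetry; keep the defanged list as the source of truth and regenerate the compiled patterns whenever the feed changes.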
Łukasz Olejnik @prywatnik
In Cambodia, up to 100,000 people are being held in concentration camps of a new type. They are forced to work on phone scams. Booths lined with acoustic foam, scripts in a dozen or so languages... People are lured in with fake job offers. After the extradition of one of the bosses to China, and under pressure from Korea, the US and Beijing, the camps have started throwing people out onto the streets. That is thousands of people with no money, no documents and no roof over their heads. The Cambodian government claims that everyone "receives protection, shelter and medical care". Amnesty International and rescuers on the ground say otherwise. Some of the victims go back to work in the camps, because the alternative is the street. The Cambodian government is fighting the camps with the same zeal with which it collected rent from them for years. So far, what they have produced is a government statement about the "complete cleansing of Cambodia" of scams. Meanwhile, in China, 15 people who ran scam camps in Myanmar were executed (death penalty) within a single week, because their "industrial parks", while generating billions of dollars, made one mistake: they started luring in and killing Chinese citizens.
Malware Patrol reposted
Virus Bulletin @virusbtn
LevelBlue SpiderLabs analyses a ClickFix attack chain. The flow moves from shellcode to a PE downloader, then injects StealC into legitimate Windows processes to steal credentials, cryptocurrency wallets and screenshots. levelblue.com/blogs/spiderla…