Anurag

815 posts

Anurag

@Malwarehunterr

Threat hunting | Malware Analysis | These views are my own and not my employers. https://t.co/cERmryTU76

Katılım Şubat 2019

552 Takip Edilen546 Takipçiler

Anurag@Malwarehunterr·4d

Fake Malaysia LHDN (tax authority) themed site hosting a “Mandatory Tax Compliance Review” notice. njifjuhgh[.]top The “DOWNLOAD & SEND DOCUMENTS - LHDN SAFE PORTAL” file downloads a #Tedy trojan payload. Interesting part, the same domain previously hosted Indian tax themed phishing/malware urlscan.io/result/019d762… file hash: 7263622822694fc8c2720974c31b5c12b2fdc864ce496ab4f6da57e8c361b59b #phishing #malware @malwrhunterteam @500mk500 @skocherhan

English

6.2K

Anurag@Malwarehunterr·5d

Google Meet #ClickFix campaign abusing online-meet[.]com to trick users into executing PowerShell commands. The script downloads and executes: online-meet[.]com/files/update/uptodate.exe Payload identified as #SalatStealer SHA256: 8a132e7dd4876c87b5c425db32291bd54a2f3a477c78ceb4d29f297867a150fa #ClickFix #Phishing #Malware @500mk500 @malwrhunterteam @skocherhan

English

4.5K

Anurag@Malwarehunterr·9 May

Fake crypto exchange/wallet sites hastesbuy[.]top and agesbuy[.]com appear to be using the same cloned JS codebase and previously shared the same APK download URL. The sites ask for credit card details to purchase crypto without validating users details. Potential phishing / fake crypto wallet operation. - hastesbuy[.]top - agesbuy[.]com - badadan[.]netlify[.]app/app.apk #Phishing #CryptoScam @500mk500 @skocherhan

English

1.5K

Anurag retweetledi

ܛܔܔܔܛܔܛܔܛ@skocherhan·8 May

#Phishing #CryptoScam pw3a[.]sdwnsd[.]com dkjtxz[.]sdwnsd[.]com v1till[.]sdwnsd[.]com eofmfd[.]ewqtgf[.]com elnmgi[.]sdwnsd[.]com fgxlo[.]sdwnsd[.]com rpxqf[.]sdwnsd[.]com sdwnsd[.]com 6genq[.]sdwnsd[.]com b1pog1[.]ewqtgf[.]com 5d4c[.]ewqtgf[.]com 2mcwf4[.]sdwnsd[.]com 0fo6[.]ewqtgf[.]com gd77q[.]sdwnsd[.]com jj7wwn[.]ewqtgf[.]com a26ma2[.]sdwnsd[.]com 7l86v[.]sdwnsd[.]com m8lprz[.]ewqtgf[.]com 67k57k[.]ewqtgf[.]com r3zq3[.]ewqtgf[.]com urdme[.]sdwnsd[.]com f85dt4[.]ewqtgf[.]com 240np1[.]ewqtgf[.]com gpw354[.]ewqtgf[.]com o37lxe[.]sdwnsd[.]com p1zzbr[.]sdwnsd[.]com kwcg3[.]sdwnsd[.]com 7d05[.]sdwnsd[.]com u2pi0z[.]ewqtgf[.]com vxmmzr[.]ewqtgf[.]com bckgp[.]sdwnsd[.]com rqatu[.]ewqtgf[.]com 4t79[.]ewqtgf[.]com j527k[.]ewqtgf[.]com ri1unj[.]sdwnsd[.]com k2448[.]ewqtgf[.]com 90d2vi[.]sdwnsd[.]com z1kvz8[.]ewqtgf[.]com rui[.]ewqtgf[.]com olw80[.]ewqtgf[.]com rjle[.]sdwnsd[.]com nejdfr[.]sdwnsd[.]com nxaf[.]sdwnsd[.]com xj06mt[.]sdwnsd[.]com 8g7uoz[.]ewqtgf[.]com koiusdt[.]com gbd6n[.]sdwnsd[.]com lzmjv[.]sdwnsd[.]com axpi6z[.]ewqtgf[.]com ewqtgf[.]com jd04fu[.]ewqtgf[.]com 08q5[.]ewqtgf[.]com 5971i[.]ewqtgf[.]com vji71d[.]sdwnsd[.]com jmpdats[.]com api[.]jmpdats[.]com api[.]domanse[.]com coimusdt[.]cc ninusdt[.]cc bbusdt[.]cc btciusdt[.]cc alamo-s[.]com alam-os[.]com binusdt[.]cc bybusdt[.]cc ccusdt[.]cc ciousdt[.]cc mousdt[.]cc binanceo6[.]com binancen4[.]com binancee2[.]com binancez5[.]com binaccem8[.]com binancev7[.]com binaiusdt[.]com erssegd[.]com api[.]erssegd[.]com biiusd[.]com biniusd[.]com biniousdc[.]com bybousdc[.]com bybsusd[.]com binlusdx[.]com bintlxusdc[.]com binxusdc[.]com xinlusd[.]com binccusdc[.]com japfc[.]top api[.]japfc[.]top bybssusdt[.]com bholos[.]com bhonso[.]com prsjmp[.]com injmps[.]com ffgydc[.]com ousjms[.]com jmpwes[.]com bybaausdt[.]com osfcsl[.]com deomns[.]com binllusdt[.]com bybopusd[.]com dioeue[.]com bybiiusdt[.]com binyyusdt[.]com binttusdt[.]com binvvusdt[.]com goixsd[.]com nmiuiu[.]com douiox[.]com koiucd[.]com cionusdt[.]com api[.]cionusdt[.]com expmns[.]com api[.]expmns[.]com lin-bf8[.]com binalusdt[.]com th-binks[.]com api[.]th-binks[.]com api[.]lin-bf8[.]com api[.]jn-fc[.]com api[.]ttkx-bx[.]com yl-ch[.]com binkusdt[.]com ms-crypto[.]com ms-stypso[.]com cio-r[.]com cio-a[.]com ttkx-bx[.]com domanse[.]com binusdt[.]com bybusdt[.]com ms-tesf[.]com ms-txs[.]com txs-ms[.]com ms-csypro[.]com nec-a[.]com jn-fc[.]com api[.]ms-crypto[.]com chat[.]ms-crypto[.]com byblusdt[.]com bybiusdt[.]com bao-fua[.]com btcaan[.]com chat[.]cionusdt[.]com btcaav[.]com binvusdt[.]com binanusdt[.]com biniusdt[.]com bineusdt[.]com binbusdt[.]com api[.]binbusdt[.]com api[.]bineusdt[.]com binmusdt[.]com binhusdt[.]com binlusdt[.]com binjusdt[.]com binzusdt[.]com binxusdt[.]com bybnusdt[.]com btcaax[.]com btcaai[.]com btcaac[.]com bnbausdt[.]com btcaaz[.]com btcaal[.]com btcaae[.]com 34[.]150[.]85[.]92 AS396982 Google LLC 🇭🇰 @Malwarehunterr @userlolxxl @googlecloud

English

961

Anurag@Malwarehunterr·8 May

Fake SPGroup payment overdue email Landing URL: donarimadafo[.]com/spg/login.php Uses Constant Contact infrastructure for delivery/tracking. @CSAsingapore @SPGroupSG #phishing

English

720

Anurag retweetledi

VM@patialavii·8 May

⚠️Observed phishing URLs delivering RMM payload: RMM: Screenconnect Inital URL: hxxps://www.tecote[.]com/liopa_home/ Redirected URL: hxxps://www.tecote[.]com/liopa_home/download.html VBS Download URL: hxxps://www.tecote.com/liopa_home/download.php SHA256: 298f59d1f3b905563e7c5830911b11607583c0cad4a539ac4c6bdbfe4a1356c6 #ThreatIntel #Phishing #RMM

English

457

Anurag@Malwarehunterr·7 May

f7cqhx2ygpj-voicemsgmp3listen.vvgggvoicee[.]com/5ecdb3fb0123c33384d6ef916f46f4e1/ #Phishing #Gmail @500mk500

Anurag@Malwarehunterr

Voicemail lure leading to phishing Email claims missed call and “Play Voicemail” link redirects via Microsoft OAuth to fake Gmail login page Captcha URL -> ec15z.gootrtyyy[.]com/kolp/?error=interaction_required&error_description=Session+information+is+not+sufficient+for+single-sign-on Fake gmail login page -> bnlv027hoet-voicemsgmp3listen[.]voiceggffty[.]com/ecaa6f7e8cf30101e156b9a206a108c2/ subdomain changes for both urls. #Phishing #Gmail @500mk500

Dansk

900

Anurag retweetledi

VM@patialavii·7 May

⚠️Observed phishing URLs delivering RMM payload: RMM: TiFLUX URL: hxxps://greanworld[.]com/operationfinallyhome/complete.php File Download URL: hxxps://greanworld[.]com/operationfinallyhome/download.php SHA256: f182192ca39d692c2920b75c85378ff7d7b4aabb91c3486cf113a6dbe76b05ab #ThreatIntel #Phishing #RMM

English

844

Anurag@Malwarehunterr·7 May

docusign.midnightdocuments[.]network Link I have received via email

English

232

Anurag@Malwarehunterr·7 May

Fake #DocuSign download pages distributing suspicious payloads. docusign.midnightdocuments[.]network overdocu[.]live Payloads: store5.gofile[.]io/download/direct/6751a25f-da78-4d2f-9d10-65ff6ad75b31/DocuSign%20Setup.exe VBScript from overdocu[.]live downloads: dvdhvbh.s3.us-east-1[.]amazonaws[.]com/DocuSign_installer.vbs The VBScript silently installs LogMeIn/GoTo Resolve unattended remote access tool via msiexec. #malware #LogMeIn #Phishing @malwrhunterteam @500mk500 @skocherhan @ffforward

English

4.6K

Anurag@Malwarehunterr·7 May

graph[.]org/BALANCE-36824-US-DOLLARS-04-24-2

English

Anurag@Malwarehunterr·5 May

#phishing graph[.]org/BALANCE-3682444-USD-04-21-6 redirects to 121hiu[.]senes[.]at/stakings/ 121hiu.senes[.]at/stakings/signup.php 121hiu.senes[.]at/stakings/cab397sk.php #phishing #Coinbase #CryptoScam

English

724

Anurag retweetledi

VM@patialavii·6 May

New RMM agent observed (TiFLUX): URL - hxxps://specialme.pages[.]dev/gradient Download URL - hxxps://pub-84967d52dcf9438dad6b39da8e17c5ea.r2[.]dev/invitationcard_Ti.msi Hash - 7345df9eaedd6eb0a5e4c15a01d02fa8eb40a674166243853e26a04b55fa2d34

2.9K

Anurag retweetledi

Demon@volrant136·4 May

#ThreatHunting | #Crypto Pivot on Title 'Ledger | The Secure Crypto Wallet & Signer' shows 1 additional URL using @Huntio. Detected on: 2026-04-28 https://www.ledgerlive-desktop[.]com/ cc: @500mk500 @MichalKoczwara @malwrhunterteam @Malwarehunterr

English

1.3K

Anurag@Malwarehunterr·4 May

@500mk500

QME

137

Anurag@Malwarehunterr·1 May

#Google Rewards Scam Fake “Google Rewards” site abusing Vercel hosting to lure users with fake earnings ($17 → $213). - Forces video watch to “unlock withdrawal” - Redirects to payment page asking card details URLS google-rewards-quiz-iota[.]vercel[.]app app.quorapay[.]online/pay/032fe0ca-54d4-4245-aaab-a833309692d4 #Phishing #ScamAlert #GoogleOpinionRewards

English

796

Anurag retweetledi

Mikhail Kasimov@500mk500·3 May

@Malwarehunterr Related to x.com/muha2xmad/stat… case

Muhammad Hasan Ali@muha2xmad

#clickfix inopportunefable[.]com => learnzonekey[.]monster => jicinvestments[.]monster downloads inside %TEMP%\<random_folder>\<random_filename>.exe sample virustotal.com/gui/file/9bf76… @500mk500 @James_inthe_box

English

777

Anurag@Malwarehunterr·3 May

#clickFix Malicious ClickFix chain abusing Cloudflare Pages Flow: - unusedworld[.]pages[.]dev - cuntdown[.]co[.]nz - unused[.]world - hwea[.]trueappstackview[.]click Works only when VPN/Proxy is OFF (anti-analysis) Payload delivery: tastevolume[.]monster/api/index.php?a=dl&token= #phishing #malware @malwrhunterteam @500mk500 @skocherhan @volrant136

English

6.3K

Anurag retweetledi

Demon@volrant136·3 May

String: "aHR0cHM6Ly90cmlub3hidS5jb20uZGUvRDNVTlM3cVRSbm8v" Ref: x.com/Malwarehunterr… cc: @500mk500 @MichalKoczwara @malwrhunterteam

Anurag@Malwarehunterr

southgatelectric[.]pages[.]dev mimics a SharePoint document portal to lure users. After entering email, it - Base64 encodes victim email - Decodes hidden URL Redirects to: trinoxbu[.]com[.]de/D3UNS7qTRno/#X<base64_email> #phishing @500mk500 #Sharepoint #Cloudflare

722

Anurag retweetledi

Demon@volrant136·3 May

Using @Huntio, similar Base64-encoded redirect pattern observed from 30 Jan 2026: 🔴 transitionquebec[.]pages[.]dev 🔴 bcs-kc[.]pages[.]dev 🔴 harbourcityconstruction[.]pages[.]dev 🔴 loio[.]pages[.]dev All redirect to: trinoxbu[.]com[.]de/D3UNS7qTRno/ @Malwarehunterr

English

1.8K

Anurag retweetledi

Mikhail Kasimov@500mk500·3 May

@Malwarehunterr with some extra: github.com/stamparm/maltr…

English

235

Keşfet

@malwrhunterteam @500mk500 @skocherhan @userlolxxl @googlecloud @CSAsingapore @SPGroupSG @ffforward