RedDrip Team

487 posts

RedDrip Team

@RedDrip7

Technical Twitter of QiAnXin Technology, leading Chinese security vendor. It is operated by RedDrip Team which focuses on malware, APT and threat intelligence.

Katılım Nisan 2018

29 Takip Edilen16.7K Takipçiler

Sabitlenmiş Tweet

RedDrip Team@RedDrip7·5 Ara

#APT_Digital_Weapon We have categorized #IOCs, mostly #APT related, from public resources and sample details are available on #VT. The #GitHub project will keep updated and hope to help the security community fight against malware and targeted attack. github.com/RedDrip7/APT_D…

English

127

215

RedDrip Team@RedDrip7·7 May

It seems that #APT #Donot also used .ACCDR files for initial access. Executed codes are similar to previous samples. 0ecfdece9402c4f8732a4581baf4a927 3c0f8dc931cdc76c9d101b41c258a4dc mtsspk[.net hxxps://mtsspk[.net/TrDGjfgtxkdl3Pl47enr/

RedDrip Team@RedDrip7

Related 7c5116f2412ebcbce7ab99ccfbb2a21a 79ca03e5f149f6cddfbc92262d3f6da9 officesite.onrender[.]com 8b9a7fec4bbb53bb7f9b8c673fd4ab52 mnjkuilhgftrew.baiduwebhost[.]com

English

8.6K

RedDrip Team@RedDrip7·30 Nis

#APT #Bitter ACCDR downloads DLL and uses fsquirt.exe to side-load it -> DLL uses bitsadmin to download EXE -> EXE executes shellcode in a unique way 27f68bcaec9d2085f8804021da8ab70c 0dc4e8723e7860aeaf420cd644c8b1db e25095de50ef896946466f7f5dd47f1a bravojacksonmentor[.com

English

5.5K

RedDrip Team@RedDrip7·24 Nis

#APT #Bitter 776302eeef68e4d5132424de18976845 4b381a89dc0f3fd44286410d7c826073 grandinaspectrum[.com www.grandinaspectrum[.com/hgdtfjgtyf.php?d=%username%_%computername%

Română

RedDrip Team@RedDrip7·21 Nis

#APT #Patchwork #Spyder added codes to detect running environment. 3f4221dacc105466932db94b9b210b84 hxxp://cloudwindowapps[.com/enclose-pdf

English

21.2K

RedDrip Team@RedDrip7·15 Nis

#APT #OceanLotus sample created in 2025 was uploaded to VT last month. DLL decrypts and executes shellcode in memory. C2 seems to be inactive now. 8c13ce3a5f579a4fb4d25222412b775a 152.32.144[.]5:443

English

11.1K

RedDrip Team@RedDrip7·8 Nis

#APT #Patchwork 2d31067df7ccbcd6eaef1025098ed928 (dll) sandtribes[.org Similar to previous samples

RedDrip Team@RedDrip7

#APT #Patchwork 076ab63979336e827abc96fcd4fbf534 (lnk) e066b5a875d08507832fc7ed29a7aa30 (dll) b7c2b4d14112356a3d327e99ee97d627 adskochbus[.org theserveunity[.org

Indonesia

5.9K

RedDrip Team@RedDrip7·3 Nis

#APT #Bitter 912804d58dec8c2fdc909f66f900f1a4 ("DraftLetter.accdr") kuraviewconcepts[.com www.kuraviewconcepts[.com/fesrh.php?d=%username%_%computername%

English

4.3K

RedDrip Team@RedDrip7·31 Mar

#APT #MysteriousElephant 96b15bb9ce8ef7c41b708b1620029d99 (chm) 91693c2d5a4b7d090fe06cc7382dfc18 (exe) 188.214.33[.]170:443

Français

3.6K

RedDrip Team@RedDrip7·27 Mar

Other samples VHDX -> LNK -> jse. Malicious code is hidden after a lot of blank space. 8cb6dee642f510d20825e49435e4f814 (rar) 50c8856d31e28d40c78c6d25afd9b2cb (jse) www.haburyohoteam[.]com/jvdmhawme.okjhvthfv?d=%username%_%computername% Both C2 domains resolve to 104.243.38[.38

English

2.6K

RedDrip Team@RedDrip7·27 Mar

#APT #Bitter used windows script file (wsf) to create scheduled task. Malicious code is hidden in plenty of junk code. 4f23a03843c9ece10de1831c84e48244 (rar) 37cfab987b088c7dc9555f73d6d47acc (wsf) www.caravelcruiser[.]com/gbv.pp?uq=%computername%

English

5.3K

RedDrip Team@RedDrip7·24 Mar

#APT #Donot VBA -> shellcode -> download other payloads 301e257e8ffb69bc2b3a7040053b9a8e 6f3b51b1d9fb1795aa5b1d79113db3f7 63f6302c60c2c0c6e4c83c9b50784c38 0628a33e3f3b08bdff708059b8e00dea ec188d5fcbbf264eeb4025d266d424b6 locaplayz[.]info reggysolution[.]info

4.3K

RedDrip Team@RedDrip7·19 Mar

#Malware #SmartLoader disguised using OpenClaw-related topics Threat actor built malicious Github repo on the basis of a legimate one. Report: mp.weixin.qq.com/s/q-86GR8g_p3N… hxxp://89.169.12[.235/api/ hxxp://213.176.73[.145/api/ hxxp://213.176.73[.162/api/

English

3.8K

RedDrip Team@RedDrip7·17 Mar

#Malware #DCRAT JS -> powershell extracts loader from remote JPEG -> loader gets DCRAT from Github ("albaluzzgom-byte/032026666") 1bfed54ae970308843d0e55ee96eddd9 (js) 8159845a1821df1e5067703af2fa0fb8 (loader) 05aff2b6242e9b2618ade8d34178d46a (DCRAT) vps30002026.kozow[.com:3000

English

4.7K

RedDrip Team@RedDrip7·13 Mar

Related #APT malware (DLL written in Rust) 9a95078a7a5f1045c61fe95ab308ec3f a70e0e057bb9cc33913ca035fb3a1138 hxxps://support.cc-cvbs-sco.workers[.dev:443/api/analytics/collect hxxps://cms.bahria-edu.workers[.dev:443/api/analytics/collect

RedDrip Team@RedDrip7

Suspected #APT #Sidewinder VBA macros in .xls downloads EXE + malicous DLL (Rust trojan). Cloudflare workers domain is abused for C2 infra. 753bb1b5d8b879f478babb21ed4d9696 (xls) f310ee836f88cc43d3939f8a88b20495 (dll) *.goldibrowhoami.workers[.dev *.desco-gov-bd.workers[.dev

English

6.4K

RedDrip Team@RedDrip7·11 Mar

#APT #Bitter 3ee66f56461fc046f600230d11ebe731 (MSI) f57975b8bc1169b35ae17b975327195e (EXE) hxxps://99media.com[.]pk/scvz zoemagicbook[.]com

3.1K

RedDrip Team@RedDrip7·5 Mar

#APT #Lazarus #IoC d6296ad786e76b2dd1d7e6de897491d4 45[.]83.140.55:1244

Italiano

11.1K

RedDrip Team@RedDrip7·3 Mar

Related 7c5116f2412ebcbce7ab99ccfbb2a21a 79ca03e5f149f6cddfbc92262d3f6da9 officesite.onrender[.]com 8b9a7fec4bbb53bb7f9b8c673fd4ab52 mnjkuilhgftrew.baiduwebhost[.]com

10.5K

RedDrip Team@RedDrip7·3 Mar

Suspected #APT #Donot samples VBA uses plenty of comment statements to seperate malicious code which creates scheduled tasks and drops BAT files. cab89ee28820b38d1626806f9c1acb9f e5f0a8b4ab983a1457ec2b0a4bff89eb 04cce783b42af18f9208fe5527fa04a8 shop.gladiolus[.]live

English

5.4K

RedDrip Team@RedDrip7·27 Şub

#APT #Bitter trojan 8523f2ff3ff13e510a9bf75665562b3b ashersoftlib[.]com:44908

English

4.3K

RedDrip Team@RedDrip7·10 Şub

e3b8be98de37a64d72b20e71b92f7adb ("Rastriya satarkata kendra NIDEPT Audit Schedule.vhdx") 6b8efd4e7eb44f3149bbe23703a1efc2 ("CryptBase.dll")

Română

2.5K

RedDrip Team@RedDrip7·10 Şub

#APT #Bitter targeted Nepal. VHDX file contains hidden malicious DLL which creates a scheduled task named "VerifiedTaskMS". C2 domain is overlapped with previous campaign. www.joelgardens[.]com/gvb.php?uq=%username%_%computername%

RedDrip Team@RedDrip7

#APT #Bitter #IoC f04e4f5e197e47a89c406734c4c14a21 e828f8cacbe8df690a2e82410f307362 be1ff48fd155a44293c9b121c7735268 florabrocuisine[.]com oscarskatingcoach[.]com joelgardens[.]com

English

12.7K

Keşfet

@elonmusk @BarackObama @taylorswift13 @cristiano @BillGates @NASA @nikifrancismediavine @katyperry