ShadowOpCode

633 posts

ShadowOpCode

@ShadowOpCode

Malware analyst & reverse engineer 🧠 Threat intel on stealers, RATs, live campaigns 🕵️ Technical analysis. No buzzwords. 📍DM open for research collabs

Katılım Mayıs 2025

161 Takip Edilen997 Takipçiler

Sabitlenmiş Tweet

ShadowOpCode@ShadowOpCode·19 May

🚨 New #JavaStealer “MaksStealer” uncovered! Fully in-memory, FUD, DES–Blowfish runtime decryption, WebSockets on 4025/4028/6662. Author “Max, 17yo” left his signature in the payload 🤯 Full report & IoCs 👉 github.com/ShadowOpCode/M… #infosec #malware #ThreatIntel @malwrhunterteam

English

109

42.7K

ShadowOpCode@ShadowOpCode·14h

bazaar.abuse.ch/browse/tag/69-…

ZXX

ShadowOpCode@ShadowOpCode·14h

malspam campaign in 🇮🇹📧 .bat creates persistence with HTA file 👇 powershell.exe uses XOR and AES with key SHA256(salt+"phazzy Lee") to decrypt a shellcode (Donut?) 👇 🐚Shellcode injected in explorer.exe 👇 Dynamic API resolver 👇 🦠XWorm 👇 📡C2: 69.61.36[.]229:2080 bazaar 👇

English

637

ShadowOpCode@ShadowOpCode·20h

#phishing #scam hxxps://mindfeathershirtthumb[.]rest/it/amazonwinnersiphone/index.html @illegalFawn @JAMESWT_WT

English

432

ShadowOpCode@ShadowOpCode·1d

"Conferma richiesta premio GARMlN" hxxps://prolificrevokement[.]space hxxps://prizeonlines[.]com/ @illegalFawn

554

ShadowOpCode@ShadowOpCode·1d

"v_mail-202603<RANDOM>.mp3" 👇 HTML attached 👇 larozada[.]com (wordpress likely compromised) 👇 wispy-fly-84775382[.]figma[.]site (fake Voicemail) 👇 foxrofhschiid[.]com (O365 exfiltration)

English

579

ShadowOpCode@ShadowOpCode·1d

@struppigel @rifteyy @GDATA Same obfuscator seen in #MaksStealer x.com/ShadowOpCode/s…

ShadowOpCode@ShadowOpCode

English

154

Karsten Hahn@struppigel·2d

I wrote an article about SugarSMP Minecraft scams, Spark stealer and hacked accounts After a brief contact to the threat actor, we talked to two victims and followed the trail. Analysis in collaboration with @rifteyy #GDATATechblog @GDATA #GDATA blog.gdatasoftware.com/2026/03/38390-…

English

3.8K

ShadowOpCode@ShadowOpCode·2d

@JAMESWT_WT @1ZRR4H @k3dg3 @VirITeXplorer @struppigel @AndreaDraghetti @guelfoweb @pr0xylife @marsomx_ @c_APT_ure interesting to note that even in any.run the response is an empy JSON. I am emulating the communication in Python (which is pretty simple, just a POST every 120s) waiting for the base64 payload.

English

171

JAMESWT@JAMESWT_WT·3d

New #Click-Fix Variant / webdav / workflow Some Related Samples +extra 👇 bazaar.abuse.ch/browse/tag/185… AnyRun Zip app.any.run/tasks/9af568c0… Triage Zip tria.ge/260221-2ety2ae… Msi tria.ge/260201-sfg67ae… cc @1ZRR4H @ShadowOpCode @k3dg3

The Hacker News@TheHackersNews

⚠️ A new ClickFix variant abuses Win+R to mount a remote WebDAV drive and run malware. It launches a trojanized WorkFlowy Electron app that beacons to C2 every 2 seconds. @Atos says it bypassed Microsoft Defender and surfaced only through threat hunting. 🔗 Inside: WebDAV trick + ASAR injection → thehackernews.com/2026/03/invest…

English

ShadowOpCode@ShadowOpCode·2d

@JAMESWT_WT @1ZRR4H @k3dg3 @VirITeXplorer @struppigel @AndreaDraghetti @guelfoweb @pr0xylife @marsomx_ @c_APT_ure thanks for sharing! Seems to be a trojanized electron app. Basically a dropper with persistence capability

English

145

ShadowOpCode@ShadowOpCode·3d

fake @intesasanpaolo #phishing hxxps://intesassanpaolo[.]area-client-id7526700[.]com

1.3K

ShadowOpCode@ShadowOpCode·3d

Malspam campaign targeting 🇮🇹 users "Avviso urgente: fattura scaduta - sospensione imminente" postmaster@dsignit[.pt 👇 termo[.traduccionesrenace[.com 👇 hxxps://strong-emerald-cheetah[.31-22-7-102[.cpanel[.site/invoice/ 👇 /invoice/quick-payment.php 👇 hxxps://lucky2lucky[.com/

English

1.1K

ShadowOpCode@ShadowOpCode·6d

@blueteamsec1 thanks for sharing! x.com/ShadowOpCode/s…

ShadowOpCode@ShadowOpCode

🚨NEW MALWARE UNCOVERED🚨 DesckVB RAT v2.9 is NOT “just another RAT”. 5-stage intrusion chain unraveled (WSH JS → obf PS → in-memory .NET loaders → RAT). C2 + plugin ecosystem rebuilt from historical PCAP. 🕵️Hard links to #Pjoao1578. 📄Full report: github.com/ShadowOpCode/D… 🧵👇

English

Blue Team News@blueteamsec1·8 Mar

DesckVB-RAT: Full analysis of a never documented before Remote Access Trojan linked to Pjoao1578 toolchain dlvr.it/TRMZD2 #cyber #threathunting #infosec

English

935

ShadowOpCode@ShadowOpCode·12 Mar

🚨ALERT🚨 New #phishing campaign #PagoPA in Italy to harvest credit card data hxxps://anisatransport[.co[.ke/wp-content/id/pagopa/log/msdpweb/index.php ⚠️exposing phishing admin panel without authentication⚠️ 🤖Telegram bot in the admin panel

English

1.3K

ShadowOpCode@ShadowOpCode·12 Mar

⚠️ALERT⚠️ Fake @Klarna #phishing website hxxps://klarmna[.]info @illegalFawn

474

ShadowOpCode@ShadowOpCode·11 Mar

hxxps://pub-4c182737706e41d29aee6cc5517f834d[.r2.dev/img_163200.png C2: hxxps://officedesk2026[.4nmn[.com:1709

Filipino

169

ShadowOpCode@ShadowOpCode·11 Mar

hxxps://pub-e6f64f05a00d4309aec9508777bc43bc[.r2.dev/img_181532.png hxxps://ia601609.us[.archive.org/5/items/msi-pro-with/MSI_PRO_with.png hxxps://ia601409.us[.archive.org/19/items/optimized_msi_20260303_1054/optimized_MSI.png more👇

178

ShadowOpCode@ShadowOpCode·11 Mar

🚨ALERT🚨 threat actors are targeting italian organizations with a malspam campaign in 🇮🇹 language to deliver #Remcos through #steganograpy eml>tar>vbs>powershell>injection (remcos) Bazaar: bazaar.abuse.ch/browse/tag/off… IoC👇

English

1.8K

tobersotski@tobersotski·19 Şub

A PyInstaller loader uses PowerShell to bypass policies, profiles the victim's IP, and ensures persistence. It runs the #Efimer malware which exfiltrates via Tor. See images for details (JS #Deobfuscation) #Malware #Crypto #Stealer #ReverseEngineering x.com/skocherhan/sta…

ܛܔܔܔܛܔܛܔܛ@skocherhan

reparertelephone[.]fr/?dl=bWljcm9zb2Z0X2V4Y2VsX3ZOTk5OX0JBTF94My5leGU%3D

English

4.1K

ShadowOpCode@ShadowOpCode·27 Şub

@tobersotski @JAMESWT_WT @skocherhan @jamieantisocial @1ZRR4H @AcooEdi @virusbtn @AndreaDraghetti @reecdeep AMAZING

English

ShadowOpCode@ShadowOpCode·25 Şub

@D3LabIT likely to be PureHVNC: app.any.run/tasks/8e138eb0… Thanks @anyrun_app and @Fortinet

English

105

ShadowOpCode@ShadowOpCode·25 Şub

@D3LabIT UpCrypter is injecting two malwares inside InstallUtil.exe and MSBuild.exe. The one in MSBuild (and at this stage is no more UpCrypter) is doing connections to webdot[.]ddns[.]net which was already pointed out by FORTINET in this report: fortinet.com/blog/threat-re…

English

142

D3Lab@D3LabIT·24 Şub

🚨 Distribuito il malware #UPcrypter in #Italia Email: “Nuovo ordine 2026” con allegato HTML malevolo. Apertura → redirect → JS offuscato → download payload → contatto C2. IOC: mandatechgroup[.]com/ai/ eventul[.]com/it/i[.]php JS: 06ba9a11d693b8ab94e61f696e46faaf

Italiano

1.8K

ShadowOpCode@ShadowOpCode·25 Şub

@matacmalware @D3LabIT x.com/ShadowOpCode/s…

ShadowOpCode@ShadowOpCode

QME

matac@matacmalware·25 Şub

@D3LabIT Ci sono altri IoC?

Italiano

Keşfet

@illegalFawn @JAMESWT_WT @struppigel @rifteyy @GDATA @1ZRR4H @k3dg3 @VirITeXplorer