Xanderux

360 posts

@Xanderuxsf5

Threat intelligence analyst | #infosec
Cyber threat intel community: https://t.co/5u7OdssOHI
lolweb maintainer: https://t.co/sPciJFVGcN

Joined February 2016
532 Following · 217 Followers
Pinned Tweet
Xanderux@Xanderuxsf5·
Hi all! The Threat intel Discord server is still open to newcomers. The goal is to share information and methodology in this domain (malware analysis, IOC, leaked evidence, ...). Feel free to join, we are tens of members! discord.gg/KJaQwByvyR #cyberthreatintel #threatintel
Xanderux@Xanderuxsf5·
@n4itr0_07 What tool is it? Does not seem to be fofa/censys/shodan or onyphe
N4!TR0 07@n4itr0_07·
app="ClawDBot"
Xanderux@Xanderuxsf5·
What's currently happening in tech? It feels like every cybersecurity startup is suddenly opening new roles after years of hiring freezes
Xanderux@Xanderuxsf5·
@FIRSTdotOrg Any timeline on the agenda release for the 2026 Paris Technical Colloquium?
Xanderux@Xanderuxsf5·
@cyb3rops Worth noting: many VirusTotal AV engines share the same underlying engine (e.g. Bitdefender rebrands). A single Bitdefender detection can trigger multiple VT hits. Same goes for false positives 🙃
Florian Roth ⚡️@cyb3rops·
What frequently happens when people read threat reports is
1. they notice the IOCs
2. go to Virustotal and check if their org's AV covers the threat

But they shouldn't stop there. They should click on "Security vendor's analysis on: ..."
3. select the earliest date
4. check if their vendor detected the threat when it was first uploaded to VT (>= when it was seen in the wild)

This sub menu is often ignored but it can tell you a lot about the AV's ability to spot new threats
Xanderux@Xanderuxsf5·
@vxunderground I've built an RSS feed bot for my CTI community based on GitHub Actions. It's fully serverless, meaning it leverages GitHub's servers rather than requiring you to deploy and maintain your own infrastructure. Check it out here: github.com/Xanderux/RssDi…
vx-underground@vxunderground·
Our "Cyber Threat Intelligence" Discord is temporarily down.

If any of you recall, I made a simple bot which collected news from various RSS feeds and pushed it to a Discord server for people to watch.

Unfortunately, this bot was being hosted on critical infrastructure (a Raspberry Pi) which was housed in Europe. This in and of itself isn't a problem, except the person who was housing it for me messed up his immigration paperwork and got (temporarily) deported.

It turns out if you're a United States citizen, temporarily residing somewhere in Europe, and you make a small oopsie on paperwork they kick you out the country for 90 days, but let you return after and stay for a few years (???).

I don't understand immigration. I'm not educated in immigration law. His papers and reasoning for residing in Europe are completely legitimate. Barring them for 90 days because of a simple mistake but allowing them to return confuses my little brain.

Anyway, they kicked him out for 90 days. All his stuff is still there. Our critical infrastructure is in his apartment. Once he is allowed to return it will come back online.

Chat, we've been DEPORTED.
Xanderux@Xanderuxsf5·
@JulienLevrard It would be great if we could work together to integrate #C2Watcher on your side. @OVHcloud support is efficient, but opening a ticket every time feels a bit too manual and tiring
vx-underground@vxunderground·
Giveaway. Thank you @mrd0x for sponsoring this. We've got FIVE @MalDevAcademy vouchers. These vouchers are bundles. These vouchers give you:
- Full access to malware source code database
- Full access to malware development course
Comment below for a chance to win.
Berk Albayrak@brkalbyrk7·
Hi everyone 👋🏻, I’m excited to share that I’ve joined Trendyol Group’s Cyber Defence Center as a Security Engineer, focusing on threat intelligence and malware analysis 🥳🧡 I’m also truly excited to work with such an amazing team. On to the next chapter.
Xanderux@Xanderuxsf5·
@brkalbyrk7 Thanks for sharing, @brkalbyrk7! It would have been great to see some performance stats for the different rule sets you mentioned
Berk Albayrak@brkalbyrk7·
Back to blogging! 🎉 I just published a new article on how to build a clean, fast and reliable #YARA rule repository. Why it is hard:
• 300K+ public rules
• no global standard
• high f/p rates, duplicate rules
• performance/optimization issues
🔗 brkalbyrk.github.io/posts/Creating…
Xanderux@Xanderuxsf5·
@olesovhcom could you please NUKE the following server which appears to be hosting malicious content and violates OVH ToS?
Tib3rius@0xTib3rius·
Not encountered this issue myself, just checked by trying to access some known CloudFlare-protected sites in Burp and everything worked. But seems like some have run into this problem, so this extension seems like a good fix if you do!
Alp@alp0x01

Cloudflare has started blocking proxy tools like Burp Suite. If you encounter this error, download the “Bypass Bot Detection” extension from the BApp Store in Burp Suite. It should resolve the issue for Burp Suite.

motuariki@motuariki_·
@Xanderuxsf5 I can see how the wording as an Amos variant (which is how I view Odyssey) is confusing. I have updated notes to say it's simply Odyssey.
Xanderux@Xanderuxsf5·
@MalGamy12 Thanks for sharing, @MalGamy12. Pretty surprising to see they're still using the same certificate as a year ago