abuse.ch

@JAMESWT_WT @hatching_io @cocaman Thanks for the headsup James! We are aware of it. Sadly, the issue seems to be not on our side. Hence I can't do anything to solve it 😔

@hatching_io @abuse_ch @cocaman ⚠️⚠️He's been in this weird situation for days⚠️⚠️ 👇👇👇

My favorite Remus botnet C2 domain so far 😄 havelbeenpwned .net ⤵️ NICENIC INTERNATIONAL🇨🇳 103.211.219.238:4219⤵️ AS394695 PUBLIC-DOMAIN-REGISTRY 🇮🇳 Malware sample: bazaar.abuse.ch/sample/75fce6e… More #Remnus IOCs available on ThreatFox 🦊 threatfox.abuse.ch/browse/malware… /cc @troyhunt

See you at #PIVOTcon26 next week with🙌 We’ll be around with @SpamhausTech and keen to catch up with contributors and familiar faces from the community 😊

@BlinkzSec Hmm are you sure its not cached on your side?

@FABO97662188 @madzincyber Nice! Did you consider to submit them to ThreatFox? 🦊 threatfox.abuse.ch/browse/

#cybersecurity #malware #clickfix #macos #botconf Hi, I’ve decided to share a tool I wrote in my spare time. The app is designed to track the ongoing ClickFix campaign targeting macOS and Win users and collect compromised websites. clickfix.pro Hey @madzincyber :)

@g0njxa Could be, unsure

@abuse_ch Grandoreiro ? 👀

Malspam 📧 targeting Spanish users 🇪🇸 Email ➡️ geo filter ➡️ mediafire ➡️ iso ➡️ vbs 1st stage - geo filter 🛑 vmi3228488.contaboserver .net Contabo 🇩🇪 2nd stage - payload 📄 urlhaus.abuse.ch/url/3824487/ Dropped iso: bazaar.abuse.ch/sample/faaa4d0… Botnet C2: 📡 54.197.208.68 Amazon 🇺🇸

@banthisguy9349 #ClickFix ? Related (all AS202412 Omegatech 🇳🇱): 158.94.210.248 185.224.215.252 91.92.241.160 188.137.247.152 ... More stuff on 91.92.241.160 ⤵️ #sandnet" target="_blank" rel="nofollow noopener">hunting.abuse.ch/hunt/69e251c6c…

virustotal.com/gui/file/6dcc9… webcam.bin goes to 91.92.241[.]160:9444 What is happening here? 👀👀

@JAMESWT_WT @guelfoweb @ShadowOpCode @marsomx_ @Certego_Intel @D3LabIT @James_inthe_box @c_APT_ure @Max_Mal_ @struppigel @VirITeXplorer PureHVNC / PureRAT Payload URLs: 🌐 urlhaus.abuse.ch/host/everycare… PureHVNC C2: 📡 5.101.84.202:8996 (AS63023 GTHost 🇺🇸) ➡️ Active since at least 2026-03-17 ⤵️ threatfox.abuse.ch/ioc/1769356/ Network owner got notified multiple times, but apparently doesn't care 😕 #sandnet" target="_blank" rel="nofollow noopener">hunting.abuse.ch/hunt/69e24dd2a…

#spam #ita Updated too from everycarebd.]com Samples👇 bazaar.abuse.ch/browse/tag/eve…

@Botconf 2026 is wrapping up, and it’s been a top event 🎉 We’ve been before, but this is the first time we’ve sponsored with our partner @SpamhausTech and supported an event that really matters to our community 🙌 Getting to be in the same room, chatting with people who share data with us and use our platforms, doesn’t happen that often, so it’s been great to make the most of it. Huge thanks 🙏 to the Botconf team for having us - we’re glad the choc bars went down well 😋

@James_inthe_box @Canonical @ubuntu Seen that too

I see @canonical @ubuntu is having a day...

@Fact_Finder03 @500mk500 @ViriBack @AndreGironda @skocherhan @BlinkzSec @BreakGlassIntel C2 URLs (AS202412 OMEGATECH-AS 🇸🇨): 📡 hXXp://130.12.180.28/cdn-cgi/trace 📡 hXXp://130.12.180.28/cdn-cgi/beacon Programs\Startup\MicrosoftEdgeUpdate.lnk Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdateSvc Sample ⤵️ bazaar.abuse.ch/sample/a20c6ce…

@sicehice #AsyncRAT 📡 AsyncRAT botnet C2s: 81.163.111.127:9001 🇷🇺 91.242.179.62:8808 🇷🇺 91.242.179.84:8808 🇷🇺 91.242.179.84:9001 🇷🇺 👉 urlhaus.abuse.ch/host/81.163.11…

#opendir hosting #AsyncRAT 81.163.111.127:8000 🇷🇺 C2s: 91.242.179.84 🇷🇺 91.242.179.62 🇷🇺 81.163.111.127 🇷🇺

@BlinkzSec @500mk500 @JAMESWT_WT @banthisguy9349 Thanks for sharing! Indeed Tofsee ⤵️ Stage 1 C2: 94.232.41.96:443 (quag .cn) Stage 2 C2s: 130.12.180.119:428 130.12.182.175:428 204.76.203.162:428 31.57.216.27:428 31.57.216.28:428 46.151.182.19:428 46.151.182.245:428 64.89.161.178:484 More IOCs: threatfox.abuse.ch/browse/malware…

🇫🇷 We’re proud to be a Gold Sponsor at #Botconf26 with our partner @abuse_ch next month! After attending many times, we’re delighted to be supporting this brilliant event. 🤖🤩 #GoldSponsor #Botnets #Malware

SparkRAT caught by @smica83 👏 ChromeSetup.msi ➡️ FUD 🔥 msftconnecttest .xyz ⤵️ Creation Date: 2024-12-02 ⤵️ After more than a year, this domain has a detection rate of 1/93 🤯 Pointing to ⤵️ 154.31.222.217:443 ➡️DControl Chinese? 🇨🇳 lang="zh-cn" bazaar.abuse.ch/sample/91a2945…

Proofpoint recently identified a fake RMM (Remote Monitoring and Management Tool) called #TrustConnect and #DocConnect🔎💻 Pivoting the threat in our collection reveals that the threat actors spread the same malware under additional names, including: ➡️SoftConnect ➡️HardConnect ➡️AxisControl It also seems that the threat actor was previously playing around with the legitimate RMM #ScreenConnect (aka ConnectWise) before switching to their own fake RMM 🛠️ What also stands out: the majority of the botnet C2s were hosted at Contabo GmbH 🇩🇪 We track the threat on our platforms as #FakeRMM ⤵️ IOCs on ThreatFox: 🦊 threatfox.abuse.ch/browse/tag/Fak… Malware samples: 📄 bazaar.abuse.ch/browse/tag/Fak…

@byrne_emmy12099 Any chance to share that file? e.g. on MalwareBazaar? 🙏

Настроечных работ.pdf.lnk f59754843a12e298eaaf2b889817fdffee55f92109aa181c00ac0b3ed2fe1148 #APT #Suspicious