abuse.ch

3.4K posts

abuse.ch banner
abuse.ch

abuse.ch

@abuse_ch

Fighting malware and botnets

Zurich Katılım Mayıs 2009
300 Takip Edilen37.5K Takipçiler
abuse.ch retweetledi
Spamhaus Technology
Spamhaus Technology@SpamhausTech·
OUT NOW | 🤖 The @Spamhaus Project's Jan - Jun 2026 Botnet Report  Find analysis from Spamhaus researchers on the number of botnet C&Cs, their geolocation, associated malware, domains, most abused registrars and network activity. Read this FREE report here👇  hubs.ly/Q04pb8Kl0 #BotnetCC #Malware #ThreatIntel
Spamhaus Technology tweet media
English
0
1
1
416
abuse.ch retweetledi
Fox_threatintel
Fox_threatintel@banthisguy9349·
I really recommend anyone that find any form of IOC to report them over to @abuse_ch as a indepent researcher its a great way to make a impact.
English
2
8
38
4.1K
abuse.ch
abuse.ch@abuse_ch·
New loader in town SolarisLoader spotted by @SpamhausTech and abuse.ch 🔥 📡 SolarisLoader IOCs (botnet C2 servers): threatfox.abuse.ch/browse/tag/Sol… 📄 SolarisLoader malware samples: bazaar.abuse.ch/browse/tag/Sol… ⚙️ SolarisLoader configs are available: github.com/spamhaus/CTI/t…
Spamhaus Technology@SpamhausTech

❗️Spamhaus’ Cyber Threat Intelligence Unit has identified a new malware loader, "SolarisLoader," used to deliver additional malware and stealers while using evasion and persistence techniques to avoid detection. Key findings and link to the full report below ⤵️⤵️ 📄 Research: spamhaus.com/resource-cente… 🕵‍Author: Nikolaos Totosis, Senior Threat Researcher Key findings: ➡️ SolarisLoader is being used by an unknown threat actor to actively deliver additional loaders and stealers. ➡️ Rather than relying on obfuscation, it abuses the Safetica Windows Driver to disable Windows services and terminate EDR processes, helping it avoid detection and improve infection success. ➡️ It patches Windows' internal Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) through direct opcode modification, effectively blinding Windows telemetry before persistence is established. ➡️ Persistence is reinforced through a combination of scheduled task registration, registry-based self-backup, and a watchdog process that automatically relaunches the implant after the victim reboots. ➡️ The malware stealer has already evolved through 10 distinct versions, confirming active development and ongoing operational use by the threat actor. #ThreatIntelligence #Solaris #Malware #ThreatResearch

English
0
8
26
5.7K
abuse.ch
abuse.ch@abuse_ch·
Our platforms were recently targeted by a large-scale web scraping operation originating from devices that are apparently participating in residential proxy networks 🏘️ 🖥️ . The vast majority of these requests were successfully blocked by our existing mitigations 🛑 . However, the sheer volume of traffic caused temporary disruptions to both the MalwareBazaar and URLhaus platforms ⚠️ To put the scale into perspective, our web platforms typically handle approximately 1,500 requests per second (excluding traffic to our community API and commercial APIs). During this incident, the scraping operation leveraged more than 135,000 unique IP addresses, most of which could be identified as nodes in residential proxy networks 🔍 The offender attempted to remain undetected by sending very few requests (less than 5) per IP address to the platforms 🕵 Below are the top networks sourcing this traffic (by unique IPs): 2,961 AS25019 SAUDINETSTC 🇸🇦 1,995 AS206206 KNET 🇮🇶 1,984 AS9121 TTNet 🇹🇷 1,954 AS3215 Orange 🇫🇷 1,871 AS12322 PROXAD 🇫🇷 1,550 AS5410 BOUYGTEL-ISP 🇫🇷 1,531 AS37705 TOPNET 🇹🇳 1,413 AS8193 BRM-AS 🇺🇿 We are sharing details of the involved IPs, along with the relevant timestamps, here for your awareness ⤵️ raw.githubusercontent.com/abusech/misc/r…
abuse.ch tweet media
English
0
19
31
6.6K
Leigh
Leigh@0x1337Leigh·
Error 503 first byte timeout on @abuse_ch Am I the only one getting this?
English
1
0
2
342
abuse.ch
abuse.ch@abuse_ch·
Botnet C2 tied to an unidentified #malware family trying to hide as FortiGate device 😜 🌐 Domain: az2030port.duckdns .org 📡 C2: 178.16.55.28:2030 ➡️ Omegatech LTD 🇳🇱 🔐 SSL certificate: FortiGate, O=Fortinet Ltd. Corresponding malware samples ⤵️ hunting.abuse.ch/hunt/6a285c89c…
abuse.ch tweet media
English
7
16
76
7.8K
abuse.ch
abuse.ch@abuse_ch·
@smica83 hXXps://dralexandrecoura.com .br/ups/cuh.vbs ... sadly already down
English
0
0
3
1.1K
abuse.ch
abuse.ch@abuse_ch·
@JAMESWT_WT @hatching_io @cocaman Thanks for the headsup James! We are aware of it. Sadly, the issue seems to be not on our side. Hence I can't do anything to solve it 😔
English
0
0
4
250
abuse.ch
abuse.ch@abuse_ch·
@BlinkzSec Hmm are you sure its not cached on your side?
English
1
0
0
944
blinkz
blinkz@BlinkzSec·
Shows as offline on urlhaus, but is still online. @abuse_ch hxxps://urlhaus.abuse.ch/host/176.65.139.143/
blinkz tweet media
Deutsch
1
1
5
1.6K
abuse.ch
abuse.ch@abuse_ch·
Malspam 📧 targeting Spanish users 🇪🇸 Email ➡️ geo filter ➡️ mediafire ➡️ iso ➡️ vbs 1st stage - geo filter 🛑 vmi3228488.contaboserver .net Contabo 🇩🇪 2nd stage - payload 📄 urlhaus.abuse.ch/url/3824487/ Dropped iso: bazaar.abuse.ch/sample/faaa4d0… Botnet C2: 📡 54.197.208.68 Amazon 🇺🇸
abuse.ch tweet mediaabuse.ch tweet media
English
1
6
16
5.1K
abuse.ch
abuse.ch@abuse_ch·
@banthisguy9349 #ClickFix ? Related (all AS202412 Omegatech 🇳🇱): 158.94.210.248 185.224.215.252 91.92.241.160 188.137.247.152 ... More stuff on 91.92.241.160 ⤵️ #sandnet" target="_blank" rel="nofollow noopener">hunting.abuse.ch/hunt/69e251c6c…
abuse.ch tweet mediaabuse.ch tweet media
English
2
3
17
1.9K