Askar Dyussekeyev

133 posts

Askar Dyussekeyev banner
Askar Dyussekeyev

Askar Dyussekeyev

@askardyuss

A malware researcher from Kazakhstan | All views are my own

Kazakhstan Katılım Eylül 2019
187 Takip Edilen412 Takipçiler
Askar Dyussekeyev retweetledi
ThreatMon
ThreatMon@MonThreat·
🚨Alleged Daryn.online Breach Exposes 4.2M Kazakh User Records A darkweb forum post claims the exposure of 4.2 million user records from daryn.online, a prominent educational platform in Kazakhstan. The listing, posted on an underground forum, alleges that a comprehensive database containing personal information, credentials, and academic data for students, teachers, and administrators has been compromised. According to the post, the leaked dataset includes sensitive personally identifiable information (PII) and authentication details. The actor lists the following fields as exposed: * Full names (first and last) * Phone numbers and email addresses * Password hashes (bcrypt format) * Individual Identification Numbers (IIN) * Birthdates and gender * User roles (student, teacher, admin) * Academic metrics (grades, ratings, lesson counts) * Last known IP addresses The source material includes sample entries showing hashed passwords, active session tokens, and detailed profiles of educators, including one administrator with the email "admin6@mail.ru" and another with "support@daryn.online". The data also reveals internal identifiers such as user_id, school_id, and region_id, suggesting a structured database dump rather than a scraped surface-level leak. Daryn.online is a significant player in Kazakhstan's EdTech sector, providing online tutoring and preparation for national university entrance exams. The exposure of millions of records, including minors' data and teacher credentials, poses significant privacy risks and potential for credential stuffing or phishing attacks against the educational community. At the time of reporting, the alleged breach has not been independently verified by Daryn.online or security researchers.
ThreatMon tweet media
English
2
1
4
1.6K
Askar Dyussekeyev retweetledi
Zhangir Ospanov
Zhangir Ospanov@s0ld133rr·
Lately I’ve been exploring AI tooling for Offensive Security. After trying a bunch of existing projects, I realized I wanted something with a different workflow and architecture. So I started building PentestCode - a fork of OpenCode focused on penetration testing. Current work includes shared engagement state, task planning, automatic parsing of common security tools, attack path generation and cross-agent memory. Still very early, but I’d love to hear your feedback. github.com/s0ld13rr/pente…
Zhangir Ospanov tweet media
English
1
2
1
311
Askar Dyussekeyev
Askar Dyussekeyev@askardyuss·
Always great to see major vendors like @Seqrite validating my independent research! 🕵️‍♂️ I published the exact infection chain, LotL TTPs (Smart Install Maker -> Tray Minimizer -> AnyDesk), and IOCs for this Rare Werewolf aerospace campaign days ago. Proper attribution in the infosec community goes a long way. I'd appreciate a credit in the blog post! 👇 x.com/askardyuss/sta… seqrite.com/blog/from-invo… #ThreatIntel #CyberSecurity #OSINT #RareWerewolf #APT
Askar Dyussekeyev@askardyuss

🚨 #ThreatIntel: Attack on Russian aerospace and electronics sectors ✈️🛰️ Recently, I found a highly suspicious EML file discovered in the @anyrun_app sandbox. The phishing email targeted a Russian manufacturer of semiconductor and electronic components. While attribution is always tricky and I cannot state this as a hard fact, the operational tempo, targeting, and toolset heavily suggest a suspected Rare Werewolf (Librarian Ghouls) campaign. 🔍 Infection Chain: 1️⃣ Phishing email masquerades as a billing request from a legitimate Russian institute. 2️⃣ Attached is a password-protected RAR containing a PE32 payload disguised as a .com file. 3️⃣ The payload is a Smart Install Maker dropper. It executes curl.exe with the --resolve flag to bypass DNS filtering and download the next stage. 4️⃣ WinRAR extracts the payload (password: limpid29033). 5️⃣ Legitimate tools are abused: Tray Minimizer is used to hide a portable AnyDesk instance from the user for persistent, undetected remote access. 🛑 Indicators of Compromise (IOCs): Domains: aviatronika[.]online vniir-avia[.]space fgub-vniir[.]space vniir-info[.]space nova-stream[.]site IP Addresses: 198.54.120[.]13 194.87.57[.]81 2.23.88[.]201 Hashes (MD5): eabd440c996846d0992e37ab01d01208 (Dropper) 6cc3c68c56e099792fdeadde76256d56 (Payload RAR) #InfoSec #CyberSecurity #Phishing #RareWerewolf #LibrarianGhouls #Malware #APT

English
0
10
30
5K
Askar Dyussekeyev retweetledi
CSIRT Central Asia
CSIRT Central Asia@CSIRT_CAsia·
🚨 Suspicious domains detected in the home[.]kg zone 🇰🇬 Domains: 🔹 auth.home[.]kg 🇰🇬 🔹 vscode.auth.home[.]kg 🇰🇬 Both domains are flagged in Maltrail (apt_kimsuky.txt) and are linked to infrastructure attributed by OSINT sources to #Kimsuky / #APT43 / Emerald Sleet.
English
1
2
2
175
Askar Dyussekeyev
Askar Dyussekeyev@askardyuss·
First seen 2026.02.17 according to Kaspersky OpenTIP (VirusTotal analogue).
Askar Dyussekeyev tweet media
English
0
0
3
308
Askar Dyussekeyev
Askar Dyussekeyev@askardyuss·
🚨 Suspected APT campaign spotted targeting the 🇵🇰 Pakistani military using weaponized CHM files to deliver stealthy, compiled Python payloads. The core sample was recently identified via the @anyrun_app sandbox. 📬 Infection Vector The threat actor utilizes a highly targeted social engineering lure: a compiled help document (CHM) displaying a restricted international defense exhibition and military planning schedule for 🇵🇰 Pakistani defense establishments. ⚙️ Technical Details • Initial execution leverages a classic ActiveX shortcut bypass via the HHCTRL.OCX control, silently spawning a hidden executable from the same directory. • The payload is packed using the Nuitka OneFile framework, which translates Python scripts into native C/C++ instructions, rendering traditional Python decompilers useless. • Deep analysis reveals a core payload named client_exe.dll. It imports specialized modules like _wmi.pyd for system reconnaissance/anti-VM checks and _ctypes.pyd for low-level Windows API interaction, backed by Rust-compiled cryptographic libraries. 🔍 Indicators of Compromise (IOCs) CHM Lure MD5: 9CBE5D435F63E16B85BCA1F8C6EA4A9B Dropped EXE MD5: 37B7AABFAD89345AACE02C294AB940EC Core Payload DLL MD5: 422E4A3F1C69FF834DFC4688E8893716 #ThreatIntel #MalwareAnalysis #APT #Cybersecurity #Pakistan
Askar Dyussekeyev tweet media
English
3
8
23
4.2K
Askar Dyussekeyev
Askar Dyussekeyev@askardyuss·
🚨 #ThreatIntel: New cyber espionage campaign targeting #Kyrgyzstan 🇰🇬 organizations spotted on @anyrun_app sandbox. The threat actors are utilizing a dual-file archive containing a benign lure PDF and a malicious executable. Technical breakdown: 1. The Lure: A PDF file named "Приложение.pdf" containing the official "Brief Statistical Handbook" from the National Statistical Committee of the #Kyrgyz Republic 🇰🇬. This indicates a highly targeted phishing campaign. 2. The Payload: "Исправленная версия документа.exe" is a 64-bit Windows executable packed with PyInstaller and compiled using Python 3.13. 3. The Backdoor Code: Decompilation of the core script (exec.pyc) reveals a lightweight HTTP reverse shell. It connects to a remote server, registers for a session token, and polls for system commands every 10 seconds via subprocess.Popen, sending results back via POST. 4. Infrastructure & Attribution: The C2 server is located at 65.38.120[.]129:5556 (hosted by BL Networks in Romania). Based on the targeted nature of the lure and stealthy execution, this is a suspected APT activity. Indicators of Compromise (IoCs): * Malicious EXE MD5: 80fbb8ed636178d30b1a3a864cd1f231 * Decoy PDF MD5: 048de81368e46adf9dd12df7278f7821 * C2 IP: 65.38.120[.]129:5556 #MalwareAnalysis #APT #CyberSecurity
English
1
6
23
2.9K
Florian Roth ⚡️
Florian Roth ⚡️@cyb3rops·
@JordiMonPMM Because Hugging Face is centralized. The moment model distribution becomes regulated, people will start building decentralized alternatives - just like they did with music and movies 25 years ago
English
1
1
14
1.1K
Florian Roth ⚡️
Florian Roth ⚡️@cyb3rops·
PirateBay but for open source LLMs — When? Plain BitTorrent or OnionShare?
English
10
8
71
16.9K
Askar Dyussekeyev
Askar Dyussekeyev@askardyuss·
🚨 #ThreatIntel: Attack on Russian aerospace and electronics sectors ✈️🛰️ Recently, I found a highly suspicious EML file discovered in the @anyrun_app sandbox. The phishing email targeted a Russian manufacturer of semiconductor and electronic components. While attribution is always tricky and I cannot state this as a hard fact, the operational tempo, targeting, and toolset heavily suggest a suspected Rare Werewolf (Librarian Ghouls) campaign. 🔍 Infection Chain: 1️⃣ Phishing email masquerades as a billing request from a legitimate Russian institute. 2️⃣ Attached is a password-protected RAR containing a PE32 payload disguised as a .com file. 3️⃣ The payload is a Smart Install Maker dropper. It executes curl.exe with the --resolve flag to bypass DNS filtering and download the next stage. 4️⃣ WinRAR extracts the payload (password: limpid29033). 5️⃣ Legitimate tools are abused: Tray Minimizer is used to hide a portable AnyDesk instance from the user for persistent, undetected remote access. 🛑 Indicators of Compromise (IOCs): Domains: aviatronika[.]online vniir-avia[.]space fgub-vniir[.]space vniir-info[.]space nova-stream[.]site IP Addresses: 198.54.120[.]13 194.87.57[.]81 2.23.88[.]201 Hashes (MD5): eabd440c996846d0992e37ab01d01208 (Dropper) 6cc3c68c56e099792fdeadde76256d56 (Payload RAR) #InfoSec #CyberSecurity #Phishing #RareWerewolf #LibrarianGhouls #Malware #APT
Askar Dyussekeyev tweet mediaAskar Dyussekeyev tweet media
English
0
10
30
6.1K
Askar Dyussekeyev
Askar Dyussekeyev@askardyuss·
A #phishing domain impersonating the state pension fund of Kazakhstan (ENPF)🇰🇿 has been discovered. Malicious domain: i-enpf[.]kz
Askar Dyussekeyev tweet media
English
1
1
2
553
Askar Dyussekeyev
Askar Dyussekeyev@askardyuss·
@smica83 @abuse_ch The payload is stored in a6.txt and downloaded from hxxps[:]//twinky[.]vip/api/ujsmE. According to VirusTotal telemetry it is a PowerShell script with md5 1b12e939eb1480bc6b8425e8f620e3dd
Askar Dyussekeyev tweet media
English
0
0
1
70
Naoki Takayama
Naoki Takayama@mopisec·
Canon.dat #PlugX SHA256: c74d70892fc2193790bedc8c08539b390ea460bc0ef72cb568568943016c35f0 C2: 202.61.72[.]198:443 (FUD)
Naoki Takayama tweet media
Indonesia
4
11
38
4.9K
Askar Dyussekeyev
Askar Dyussekeyev@askardyuss·
I have extracted the payload and uploaded it to VirusTotal. md5: 41f9450bba235c37d40cd0315c1013cf detection rate: 30/70
Askar Dyussekeyev@askardyuss

🚨 #ThreatIntel: A sophisticated phishing campaign targeting the Greek Military Representation to #NATO has been spotted in the @anyrun_app sandbox. The observed attack chain and infrastructure setup strongly suggest suspected #MustangPanda (#TA416) activity, though definitive attribution remains open. The threat actors utilized a spoofed Montenegro diplomatic email, delivering a highly relevant lure regarding the Ankara Summit. The phishing link redirects through a fake Cloudflare check to a pixel-perfect Google Drive clone, dropping a malicious ZIP archive. Execution relies on a hidden PowerShell script triggered by an LNK file. It uses data carving to extract a TAR archive from the ZIP, unpacks it using the native Windows tar.exe, and establishes persistence via DLL Side-Loading using a legitimate Canon binary (CNMNSST.exe) to decrypt a hidden payload. Indicators of Compromise (IOCs) Network Infrastructure: ▪️ resources.babyafrosapparel[.]com (Phishing Gate) ▪️ drive.babyafrosapparel[.]com (Fake Google Drive Delivery) ▪️ concreteinportland[.]com (C2 Server via HTTPS GET beacons) Associated Cloudflare IPs: ▪️ 104.21.90.16 ▪️ 172.67.151.3 MD5 Hashes: ▪️ B791C416988D068A3E548A0F21CD3518 (MNE_Readout_Alice_Rufo_Briefing_Ankara_Summit_22Jun2026.lnk) ▪️ c836a6bbe16354a21ee688e3eeb32d86 (CNCLID.dll - Malicious Proxy Loader) ▪️ e70a5908e5eaee1bcd15eef82b1bcfdd (Canon.dat - Encrypted Payload) ▪️ adb67ffe941a706b6343f94413f6e5f2 (CNMNSST.exe - Legitimate Canon Executable) Email Artifacts: ▪️ Sender: stasa.stojkovic.mne@gmail[.]com #ThreatIntel #Cybersecurity #MustangPanda #TA416 #MalwareAnalysis @ccdcoe

English
0
3
14
2.5K