@0x0be

@0x0be retweeted

Around 1,000 malicious domains are hosting webpages impersonating Reddit and WeTransfer, redirecting users to download password-protected archives.
These archives contain an AutoIT dropper, which we internally named #SelfAU3 Dropper at @sekoia_io and which executes #Lumma Stealer.
IoCs ⬇️

@0x0be retweeted

🚨 ALERT: Potential ZERO-DAY, Attackers Use Corrupted Files to Evade Detection 🧵 (1/3)
⚠️ The ongoing attack evades #antivirus software, prevents uploads to sandboxes, and bypasses Outlook's spam filters, allowing the malicious emails to reach your inbox.
The #ANYRUN team discovered that as part of this #zeroday attack, threat actors attempt to conceal the file type by deliberately corrupting it, making it difficult for certain security tools to detect.
📌 Our sandbox solves this problem thanks to interactivity. It launches these broken files in their corresponding programs, which allows it to identify #malicious behavior.
See example:
app.any.run/tasks/6839e806…
🚫 Although these files operate successfully within the OS, they remain undetected by most security solutions due to the failure to apply proper procedures for their file types.
They were uploaded to VirusTotal, but all antivirus solutions returned "clean" or "Item Not Found" as they couldn't analyze the file properly.
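A defensive triage check that follows from the thread's point, added here as an example and not ANY.RUN's or the thread author's code: it assumes the deliberately corrupted files are ZIP-based containers (Office documents, archives), which the thread does not state, and routes bytes that carry ZIP structures yet fail strict parsing to a "corrupt-container" bucket for sandboxing instead of treating a parse failure as "clean".

```python
import io
import zipfile

# Any of these signatures indicates a ZIP-style container (.zip, .docx, .xlsx, .jar ...).
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06")


def build_sample_zip() -> bytes:
    """Constructed sample: a small, valid ZIP with one member, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def strip_end_record(data: bytes) -> bytes:
    """Constructed corruption 1: drop the 22-byte end-of-central-directory record."""
    return data[:-22]


def zero_first_local_header(data: bytes) -> bytes:
    """Constructed corruption 2: overwrite the first local-file-header signature."""
    return bytes(4) + data[4:]


def triage(data: bytes) -> str:
    """Return 'parses', 'corrupt-container' or 'unknown'.

    'corrupt-container' is the case the thread describes: the bytes still carry
    ZIP structures (so a desktop application may repair and open the file), but a
    strict parser rejects them. A scanner that answers 'clean' on parse failure
    should hand such a file to a sandbox instead.
    """
    looks_like_zip = any(sig in data for sig in ZIP_SIGNATURES)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # A readable central directory is not enough: testzip() walks every
            # member and returns the name of the first one whose header or data is bad.
            if zf.testzip() is not None:
                return "corrupt-container"
        return "parses"
    except (zipfile.BadZipFile, ValueError, OSError):
        # Parser failure on bytes that still carry ZIP markers: a recoverable, corrupted file.
        return "corrupt-container" if looks_like_zip else "unknown"


if __name__ == "__main__":
    sample = build_sample_zip()
    for label, blob in [("intact", sample),
                        ("missing end record", strip_end_record(sample)),
                        ("zeroed local header", zero_first_local_header(sample)),
                        ("random bytes", bytes(64))]:
        print(f"{label:>20}: {triage(blob)}")
```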
