MalBeacon

New @Proofpoint blog: cargo theft actor spent 30 days inside DeceptionPro environment revealing: * 4 RMM tools * Malicious code signing-as-a-service * 13+ PowerShell scripts, and bank access. * HoK activity whole way. This is real adversary telemetry. Link in thread.

Proofpoint baited a cargo/transport industry threat actor into performing its activities in a decoy environment operated by Deception.Pro for 30+ days. The result: rare, visibility into post‑compromise operations, tooling, and decision‑making. proofpoint.com/us/blog/threat…

🔗 proofpoint.com/us/blog/threat… #ThreatIntel #CargoTheft #Deception

New @Proofpoint blog: cargo theft actor spent 30 days inside DeceptionPro environment revealing: * 4 RMM tools * Malicious code signing-as-a-service * 13+ PowerShell scripts, and bank access. * HoK activity whole way. This is real adversary telemetry. Link in thread.

🔗 blog.deception.pro/blog/cpuz-troj…

🚨 Trojanized CPU-Z → STXRAT → PureLogs Stealer → PureHVNC → 54hrs of exfil through a hidden QEMU VM. We caught everything after. First documented full post-exploitation chain for this campaign. IOCs & hunting artifacts link in thread #ThreatIntel #DFIR #Malware

check out our deception.pro operation report: blog.deception.pro/blog/clickfix-…

ClickFix isn’t “just a trick”—it’s an on-ramp to hands-on-keyboard ops. We mapped EDR telemetry to a timeline tied to Velvet Tempest + activity consistent w/ Termite ransomware tradecraft. IOCs + defender takeaways inside. link in thread..

Introducing: What is this stealer? A new repository that allows you to identify Stealer malware by the system information text file format commonly included in stealer malware exfiltration. Yara Rules included! Check it out and contribute! github.com/MalBeacon/what…

Adversary Illuminated - Operating #StealC C2: 176.124.198[.]17 Location: Frankfurt am Main, DE ASN: AS210644

Adversary Illuminated - Operating #RiseProStealer C2: 193.233.132[.]74:8081/login Location: Lille, FR ASN: AS16276 OVH SAS

Adversary illuminated - Operating #OriginBotnet Location: Abuja, NG ASN: AS29465 MTN NIGERIA #MalBeacon #Malware

@RedPacketSec Adversary Illuminated - Operating #CobaltStrike C2: 173.82.206.184 Actor Location: Hong Kong, HK Actor ASN: AS137409 GSL Networks Pty LTD #Malware #MalBeacon

Cobalt Stike Beacon Detected - 173[.]82[.]206[.]184:443 - redpacketsecurity.com/cobalt-stike-b… #CobaltStrikeBeaconDetected #OSINT #ThreatIntel

Adversary Illuminated - Operating #MarsStealer C2: test.akadns9[.]net/panel/login.php Location: Ballerup, DK ASN: AS9009 M247 Ltd

@pr0xylife Adversary Illuminated - Operating #AgentTesla C2: 103.147.185[.]68 Actor Location: Lagos, NG Actor ASN: AS29465 MTN NIGERIA Communication limited #Malware #MalBeacon

#AgentTesla - .ppam > .ps1 1dd180f67644aff83f92e7e09565969c148b02b463f8750d44cf6426a6877cb5 c2' hxxp://103.147.185.68/j/p20gj/mawa/69bb7ee91c7a92b6dfa1.php Panel: hxxp://103.147.185.68/j/p20gj/login.php

@reecdeep Adversary Illuminated - Operating #Lokibot C2: farmanat[.]ro Location: Amsterdam, NL ASN: AS203557 DataClub S.A. #Malware #MalBeacon

#GuLoader #CloudEye has been spawning the same #Lokibot #Malware for weeks and targeting #Italy 🇮🇹 subj:"ORDINE" RUN:app.any.run/tasks/b0c82a76… 🐚hxxps://fabricraft.co.za/Farmant_hhVNwJna195.bin 🔥 c2: hxxps://farmanat[.ro/arman30/five/fre.php #infosec #cybersecurity #mwitaly

@reecdeep Adversary Illuminated - Operating #AgentTesla C2: mgbless[.]in Location: Lagos, NG ASN: AS29465 MTN NIGERIA Communication limited #Malware #MalBeacon

#AgentTesla #Malware hits #Italy 🇮🇹 using #taxes lure 👉hxxps://buysrilankan.lk/k/ConsoleApp18.jpg 💉hxxp://179.43.187.131/ueyt/VIPETSDYSYUYSDYSSIUSUDYUSDUISD.dll 🔥 hxxps://www.mgbless.in/ble/inc/b24a80c4836624.php #infosec #privacy #dataprotection #cybersecurity #mwitaly

@James_inthe_box @pmelson @pancak3lullz @Ledtech3 @lazyactivist192 Adversary Illuminated twitter.com/malbeacon/stat…

Some fresh #hagga -> #AgentTesla app.any.run/tasks/056603f9… c2: http://bot[.]statusupdate[.]one/webpanel-og/mawa/549c03609890dee87e18.php cc @pmelson @pancak3lullz @Ledtech3 @lazyactivist192

Adversary illuminated - Operating #Pony C2: global-popular[.]com/bin/panel/admin.php Location: Lagos, NG ASN: AS36873 Airtel Networks Limited #Malware #MalBeacon

@James_inthe_box Adversary Illuminated - Operating #LokiBot C2: checkvim[.]com/fd4/fre.php Location: Lagos, NG ASN: AS29465 MTN NIGERIA Communication limited #Malware #MalBeacon

And looks like CVE-2021-40444 #malspam starts to arrive: app.any.run/tasks/8ef8732f…

Adversary illuminated - Operating #LokiBot C2: davidmorgann[.]com/LOLO/five/PvqDq929BSx_A_D_M1n_a.php Location: Port Harcourt, NG ASN: AS29465 MTN NIGERIA Communication limited #MalBeacon #Malware