Marcus Holloway
@malwaremarcus
616 posts
Joined March 2018
168 Following, 20 Followers

Marcus Holloway retweeted
S.🎧
S.🎧@1ssve·
I fucking DESPISE annual corporate self-review and goal setting. My goal is to get a paycheck every couple weeks
Squiblydoo
Squiblydoo@SquiblydooBlog·
@malwaremarcus Ultimate goal is ransomware deployment, primarily against businesses. The malware is primarily a loader that will download a second stage with more remote access capability.
Squiblydoo
Squiblydoo@SquiblydooBlog·
Fake Microsoft Teams, "MTSetup_v15.3.7191.msi", signed by "Tryphena Lewis": 18c5b7a39be2f4a4b2fd45f0f273874f5efcc8751d4e592e5f2bcf6dbf781277. FUD-lite. Uploaded to MalwareBazaar here: https://bazaar.abuse[.]ch/sample/18c5b7a39be2f4a4b2fd45f0f273874f5efcc8751d4e592e5f2bcf6dbf781277
Marcus Holloway
Marcus Holloway@malwaremarcus·
@SquiblydooBlog Thank you! By chance do you know the ultimate goal of the malware? Ex: was it just doing recon on the infected system?
Squiblydoo
Squiblydoo@SquiblydooBlog·
It is malware I'm tracking as "LoremIpsumLoader"; I've needed to write more but haven't. It seems the actor "Vanilla Tempest" (think Rhysida ransomware) moved from using OysterLoader to this new malware. It loads shellcode containing LoremIpsum text which is used to decode a deaddrop on the site letsdiskuss[.]com to get the C2 addresses it needs.
Marcus Holloway retweeted
⚚Sage
⚚Sage@belikesagee·
Life between accepted new offer letter & joining date
Marcus Holloway retweeted
Squiblydoo
Squiblydoo@SquiblydooBlog·
AhnLabs reports seeing evidence of the campaign going back as far as October 2025. Thanks to folk who upload such files to MalwareBazaar, VT, and help report the certificates. Thanks @AhnLab_SecuInfo for publishing the analysis: asec.ahnlab.com/en/91995/ 2/2
Matthew Hatfield
Matthew Hatfield@hatfieldsports·
Final in VHSL Region 6D Football Championship - Madison 26, Westfield 0 Justin Counts directs the Warhawks to a 6th straight regional title. His Madison squad becomes the first team to shut out Westfield in the playoffs in 15 years (Chantilly 7-0 in 2010).
Marcus Holloway
Marcus Holloway@malwaremarcus·
@luke92881 I see! I’ll be on the lookout for it if you do! Seeing a lot more of it these days
Luke Acha
Luke Acha@luke92881·
@malwaremarcus Not sure yet. I see now that crystalpdf, convertmate, and maybe some others like powerdoc and easy2convert might be related as well. A lot of infrastructure seems to be down now as well from what I can tell.
Squiblydoo
Squiblydoo@SquiblydooBlog·
@malwaremarcus I think they are trying to get people to use the password manager which stores passwords with a key known to the attacker, but I could be missing something else.
Squiblydoo
Squiblydoo@SquiblydooBlog·
Oh look who it is, "ZipThis" that everyone keeps pinging me about because of the code-signing signature. They recommend the same password extension as PDFSkills. (Visible in the anyrun analysis) app.any.run/tasks/af2ea981…
Squiblydoo@SquiblydooBlog

Fake PDF software recommended KeyGuard password manager, Per SecurityAnnex (@tuckner ), the password manager encrypts with the key "secret key 123". SecurityAnnex made this really easy to investigate. Please don't use free PDF software. 🧵

Squiblydoo
Squiblydoo@SquiblydooBlog·
Amazing reflection on trojans from @struppigel . JustAskJacky was using a code-signing certificate we reported last week "App Interplace LLC", they were running a few other campaigns too: AskBettyHow, DailyChefly, GoCookMate, etc. JustAskJacky C2: api[.]vtqgo0729ilnmyxs9q[.]com
Karsten Hahn@struppigel

🔍New Blog: JustAskJacky -- AI brings back classical trojan horse malware 🔗gdatasoftware.com/blog/2025/08/3… #GDATA @GDATA #GDATATechblog

Phish Stix
Phish Stix@StixPhish·
@SquiblydooBlog @struppigel @InvokeReversing Similar activity from PDF-themed apps turbofixpdf, effortlesspdf, and Manual Reader-themed apps usermanualsonline, allmanualsreader, manualreaderpro, getmanualviewer, openmymanual. Node.exe launches malicious js files. Many using the same api.(RandomNumCharString).com format C2 URLs.
Marcus Holloway retweeted
whitehats
whitehats@wh1t3h4ts·
70 cybersecurity projects from beginners to experts
Marcus Holloway retweeted
Priyank Ahuja
Priyank Ahuja@ahuja_priyank·
The 30 most creative and iconic ads you've ever seen: 1. Mastercard
Marcus Holloway retweeted
Tom Dörr
Tom Dörr@tom_doerr·
"Virtual Machine for the Web"
Marcus Holloway retweeted
CyberXTron Technologies
CyberXTron Technologies@CyberxtronTech·
🚨 Threat Campaign Alert - Fake Browser Updates Deliver BitRAT and Lumma Stealer 🚨

Summary: Researcher identified fake browser updates distributing BitRAT and Lumma Stealer malware via malicious JavaScript on compromised webpages. Users were redirected to download a malicious ZIP archive containing PowerShell scripts and payloads, leading to device compromise, data theft, and cryptocurrency theft. The campaign utilized Discord’s CDN for hosting the malicious files and targeted victims with a combination of remote access tools and information-stealing malware.

Threat Actor/Threat Group: Not mentioned.
Malware: BitRAT, Lumma Stealer
Targeted Countries: Not mentioned.
Targeted Industries: Not mentioned.
Targeted Applications/CVEs: Not Mentioned
Impact: Data Breach, Device Compromise, Information Stealing

IOC
Ipaddr: 77[.]221[.]151[.]31
Domain: demonstationfukewko[.]shop, tolerateilusidjukl[.]shop, accountasifkwosov[.]shop, liabilitynighstjsko[.]shop, shortsvelventysjo[.]shop, productivelookewr[.]shop, alcojoldwograpciw[.]shop, incredibleextedwj[.]shop, shatterbreathepsw[.]shop
MD5 Hash: D2E9DE8671FD61605FF5F8B8F3249D6B, 6C7918C0440BE6BFAF9B83E365E00668, 147983884C533C294BF08CAEB2195EA7, 0D3C23D986D7B1A1C54F2F5A34F79758

MITRE TTPs: T1071.001: Application Layer Protocol, T1105: Ingress Tool Transfer, T1113: Screen Capture, T1059.001: PowerShell, T1053.005: Visual Basic, T1547.001: Registry Run Keys / Startup Folder, T1562.001: Impair Defenses::Disable or Modify Tools, T1036.005: Masquerading::Match Legitimate Name or Location, T1218.010: System Binary Proxy Execution::cmstp, T1027: Obfuscated Files or Information

Reference: This writing is based on Research Advisory Report published by ‘Esentire' Team.
---------------------------------------------------------------------------------------
🚀 Join us on our mission to secure the digital world and make cyber defense affordable to everyone!
🌐 Follow "CyberXTron Technologies" for the timely, relevant and actionable cyber threat insights. #FakeBrowserUpdate #MalwareCampaign #BitRAT #LummaStealer #infosec #cyberXTron #uncovertheunknown 🛡️🔒
Marcus Holloway retweeted
Mandiant (part of Google Cloud)
🚀 The Flare-On Challenge is officially wrapped up! This year, we had 5,324 participants, but only 275 made it to the finish line! Check out our blog post for the solutions, winner stats, and a shoutout to our challenge authors! bit.ly/4fvzfh8