Sabitlenmiş Tweet
So many shits in 2025... but still nothing really big, interesting, exciting...
Let's see 2026. I not want to wait much more...
😂
🤷♂️
English
MalwareHunterTeam
71K posts
MalwareHunterTeam
@malwrhunterteam
Official MHT Twitter account. Check out ID Ransomware (created by @demonslay335). More photos & gifs, less malware.
Earth. Katılım Ekim 2014
37 Takip Edilen250.4K Takipçiler
Why/how the fuck does anyone take 🤡 @OSCE 🤡 seriously anyway?
🤷♂️
Szabolcs Panyi@panyiszabolcs
🤯You can't make this up: amid Kremlin meddling in Hungary's election, OSCE PA sends Vladimir Putin's former interpreter Daria Boyarskaya – sanctioned by Poland, detained by Lithuania – on an election observation mission to Budapest. More in my newsletter: vsquare.org/goulash-putins…
English
🤷♂️
Moonlock Lab@moonlock_lab
1/ New #macOS samples, 0 detections on VT as of writing, but multiple artifacts suggest Sliver-like HTTP(S) C2. Shared by @malwrhunterteam. What stood out: procedural URL patterns, PNG-wrapped network payloads, no plaintext IOCs, and wazero/WASM-related execution. More below👇
ART
@SinghSoodeep Seen some .lnk samples like this in past days, but not knew the source of them... Thanks.
English
New ClickFix instance abusing TON blockchain to fetch C2 server address
Attacker registered domain masquerades as @bookingcom and uses #ClickFix social engineering technique to execute PowerShell command line
ClickFix -> PowerShell -> downloads node.exe -> decrypts and executes JavaScript -> C2 domain fetch from TON blockchain -> encrypted C2 communication
Similar attack chain delivered via Windows LNK file as well.
LNK MD5 hash: 99e00fe729159d4538309e3cb069ff14
PowerShell script MD5 hash: fe86223148f9bcf013d37db3a8fb11f8
Malicious domain: bokphotguest[.]pro
TON smart contract: c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9
Calls get_domain method of the deployed smart contract on TON blockchain to retrieve the C2 domain
TTPs have overlap with Tsundere botnet and EtherRAT however abusing TON blockchain in this case.
@YungBinary @iphelix @malwrhunterteam
#threatintel
English
Maybe some North Korean sample...
🤷♂️
L0Psec@L0Psec
Another double extension compiled AppleScript file shared by @malwrhunterteam: Digital Currency Group (DCG) - Audit Confirmation Request.docx.scpt - 61b56c8c2df374861c8b23e6c555456f34e17e5638ea9965f721c3ffe77f57ca. If you go to line #1649, you can see the actual commands. 🧵
English
And as usually, @smica83 uploaded some related samples to Bazaar: x.com/smica83/status….
One of them is a "SIFE SOFTWARE LLC" (GoGetSSL given cert) signed sample...
🤷♂️
Szabolcs Schmidt@smica83
Two related samples are uploaded @abuse_ch bazaar.abuse.ch/browse/tag/46-…
English
ZABBIX panel here: http://46.30.188[.]99:8443/login - same 8443 port just as for the previously seen ZABBIX panel (x.com/malwrhuntertea…).
Then opendir here: http://46.30.188[.]99:9090/
And also on port 80 there is some fake captcha / ClickFix lure...
🤷♂️
MalwareHunterTeam@malwrhunterteam
Some panel with "ZABBIX" as "login-brand": http://41.216.188[.]46:8443/login 🤷♂️
English
@1ZRR4H The machine looks still infected today... no one can help?
🤷♂️
English
With @1ZRR4H's help, noticed that a machine that is communicating with a C2 belongs to "Beijing Marine Communication & Navigation Company", and possibly 500+ files got stolen from it. From the name, it could be at least a little serious. Anyone has a contact there?
English
Looks like VT is more and more becoming a tool for actors that can be used to help convince their targets into thinking that their malware is not malware...
🤷♂️
English
Was too busy so missed to update: the samples are too big for Bazaar (it's 2026 and 100MB is still too much 🤷♂️) so @smica83 couldn't upload as he usually does. But at least @SquiblydooBlog uploaded one to Mega too for anyone to download: x.com/SquiblydooBlog…
Squiblydoo@SquiblydooBlog
@malwrhunterteam Certificate reported. Uploaded to Triage for analysis and available for others to download: tria.ge/260316-qyhvbsg… Also made available on Mega NZ: #Id-ichinwCbfOOCJHT-USys2xO4hnxf32XXCxtWLagM" target="_blank" rel="nofollow noopener">mega.nz/file/tntjDKpY#…
English
There are these totally legit sites:
https://tralert[.]online/
https://tralert7[.]com/
You can be sure that the "AgilusTech LLC" (SSL Corp given cert) signed files that are coming from these sites are also very legit, totally not malicious, but especially no North Korean malware can be found in them...
😂
🤷♂️
English