abuse.ch

🇫🇷 We’re proud to be a Gold Sponsor at #Botconf26 with our partner @abuse_ch next month! After attending many times, we’re delighted to be supporting this brilliant event. 🤖🤩 #GoldSponsor #Botnets #Malware

SparkRAT caught by @smica83 👏 ChromeSetup.msi ➡️ FUD 🔥 msftconnecttest .xyz ⤵️ Creation Date: 2024-12-02 ⤵️ After more than a year, this domain has a detection rate of 1/93 🤯 Pointing to ⤵️ 154.31.222.217:443 ➡️DControl Chinese? 🇨🇳 lang="zh-cn" bazaar.abuse.ch/sample/91a2945…

Proofpoint recently identified a fake RMM (Remote Monitoring and Management Tool) called #TrustConnect and #DocConnect🔎💻 Pivoting the threat in our collection reveals that the threat actors spread the same malware under additional names, including: ➡️SoftConnect ➡️HardConnect ➡️AxisControl It also seems that the threat actor was previously playing around with the legitimate RMM #ScreenConnect (aka ConnectWise) before switching to their own fake RMM 🛠️ What also stands out: the majority of the botnet C2s were hosted at Contabo GmbH 🇩🇪 We track the threat on our platforms as #FakeRMM ⤵️ IOCs on ThreatFox: 🦊 threatfox.abuse.ch/browse/tag/Fak… Malware samples: 📄 bazaar.abuse.ch/browse/tag/Fak…

@byrne_emmy12099 Any chance to share that file? e.g. on MalwareBazaar? 🙏

Настроечных работ.pdf.lnk f59754843a12e298eaaf2b889817fdffee55f92109aa181c00ac0b3ed2fe1148 #APT #Suspicious

Rogue #ScreenConnect RMM 🕵️‍♂️ Botnet C2: 📡 no.windowupdateservice .com 📡 relay.windowupdateservice .com 📡193.26.115.51:8041 Payload delivery URL: 🌐 urlhaus.abuse.ch/url/3782937/ Malware sample 📄: bazaar.abuse.ch/sample/77dc543… More ScreenConnect RMM IOCs ⤵️ threatfox.abuse.ch/browse/tag/Scr…

@RacWatchin8872 Thank you so much for your efforts in figthing cybercrime! 💪💪💪💪

If you’re not doing it for the goodies, you’re doing it wrong 😄 Jokes aside, thanks to @abuse_ch for the goodies and for supporting the community with your platform. It’s an honor to be a top reporter.

@JustWantToQ1 I would say so, as it allows you to connect to the victim's machine via a VNC-alike channel and via CLI. But open for other opinions 🙂

@abuse_ch Is this a RAT?

Yet another RAT in town: RemoteX🖥️🖱️ 🪲 Dropped by Amadey 📃 Written in Golang 💻 Uses HKCU\...\CurrentVersion\Run\RemoteX for persitence (lame 🚽) 🌐 Uses WebSocket for C2 communication 🕵️‍♂️ Unauthenticated RAT admin panel 🤡 Botnet C2: 📡 109.107.168.147:80 (Partner Hosting LTD 🇬🇧) Malware sample ⤵️ bazaar.abuse.ch/sample/d631655…

@skocherhan @spamhaus Well deserved! 🥳

Thank you @abuse_ch & @spamhaus for the acknowledgment and recognition. #ThreatIntel

Xillen Stealer 🎣, heavily dropped by Amadey 🔥 Botnet C2: https://goldenring[.]live/api/logs/check "Invisible. Undetectedable. Unstopable." 🤡 👉 github.com/BengaminButton… Samples ⤵️ bazaar.abuse.ch/browse/signatu… Additional IOCs on ThreatFox 🦊 threatfox.abuse.ch/browse/tag/Xil…

Very excited and honestly a bit humbled to be recognized as a Top Contributor by @spamhaus and @abuse_ch Community-driven intel makes the internet safer. Glad to contribute, and I’ll keep at it. Big respect to everyone submitting, reviewing, and maintaining these datasets. 🙂

@ttakvam @spamhaus Well deserved Tor! Sharing is caring 🫶

📢 Botnet Spotlight July - December 2025 | The second half of 2025 brought progress against botnet infrastructure: stronger anti-abuse action by major network operators, increased law enforcement pressure on RATs and bulletproof hosting, and major takedowns like CrazyRDP. 🚨 1/3

Thank you @SpamhausTech & @abuse_ch for being #PIVOTcon26 Silver Sponsor Read more about alliance: abuse.ch & spamhaus.com This alliance empowers the largest independently crowdsourced intelligence of tracked malware and botnets pivotcon.org/sponsors

Brazilian banker 🇧🇷 caught by @johnk3r 🎣 GHOST panel 🧐 007consultoriafinanceira .net ➡️ GoDaddy 🇺🇸 83.229.17.124:80 ➡️ Clouvider 🇺🇸 Payload delivery URL: 🌐urlhaus.abuse.ch/url/3759148/ Malware sample (MSI): ⚙️bazaar.abuse.ch/sample/2cbafc6…

🤖 Jul-Dec 2025 Botnet Threat Update out now! ⬆️ 21,425 #botnet C&Cs observed, up by +24%. ⏫ Botnet C&C domains soar +9,608% for 🇷🇺 Russia-based REGRU ⬆️ Remote Access Trojans represent 42% of Top 20 malware associated with botnet C&Cs. But it isn’t all bad news – several large cloud network operators have taken action to tackle active botnet C&Cs - find out which ones in the latest FREE report here👇 spamhaus.org/resource-hub/b… #Botnet #ThreatIntel

Malspam sent from Microsoft Outlook that is spreading @LogMeIn GoToResolve RMM, enabling threat actors to access the victim's machine from remote 💻🔍🕵️ IOCs: 📡adwestmailcenter .com ➡️ Landing page 📡insightme .im ➡️ fake PDF download Payload hosted on Cloudflare R2 bucket, but already got nuked due to an abuse report from URLhaus 🙌 🌐 urlhaus.abuse.ch/url/3751500/ LogMeIn #GoToResolve payload 📄 bazaar.abuse.ch/sample/77e22f4…

@c_APT_ure @smica83 @skocherhan There are 372 IPs sharing the same certificate

@smica83 @abuse_ch @skocherhan Netbios cluster: WIN-JDPEQD10OQR

Low detected RAT variant, seen from Spain and Ukraine 'Doc 489333.js' @abuse_ch bazaar.abuse.ch/sample/413a08e… @skocherhan

CHICXULUB IMPACT 💥 Botnet C2 URLs: 📡 https://turbokent .name/api/initialize 📡 https://turbokent .name/api/status Sponsoring domain registrar: NICENIC 🇭🇰 Malware sample 📄: bazaar.abuse.ch/sample/c32e1db…

New Stealer in town: SantaStealer 🎅🎄 Botnet C2s ➡️all hosted at AS399486 VIRTUO 🇨🇦: 📡31.57.38.119:6767 📡31.57.38.244:6767 📡80.76.49.114:6767 Stealer admin panel (via @DarkWebInformer 💪): 🕵️ stealer. su Artifacts 💻: C:\tempLog\Clipboard.txt %LocalAppData%\Temp\passwordslog.txt Malware samples 🤖: bazaar.abuse.ch/browse/tag/San… IOCs available on ThreatFox 🦊: threatfox.abuse.ch/browse/tag/San…