Anurag (@Malwarehunterr)

921 posts

Threat hunting | Malware Analysis | These views are my own and not my employer's. https://t.co/cERmryTU76

Joined February 2019
561 Following, 716 Followers
Anurag (@Malwarehunterr):
Open directory indexing on a website exposed multiple phishing templates:
- Fake #SharePoint document portal
- Multiple #Microsoft email verification pages
- Fake #Outlook login page
- #ConnectWise executable delivered as a document download
URLs:
brcee[.]com
brcee[.]com/test/
brcee[.]com/test2/
brcee[.]com/test3/
synergyconsulting[.]com[.]br/zmsso/
synergyconsulting[.]com[.]br/docu-zconnecting/
SHA256: 5172c183e2a809439aeea23980e8168dbff4c23fd603d7e217821413a6da81e8
@500mk500 @skocherhan #credentialharvesting #malware
Anurag (@Malwarehunterr):
Fake #Adobe Acrobat document sharing page distributing a ScreenConnect installer instead of Adobe Reader. The page also notifies the operator via Telegram whenever a victim visits, collecting IP address, browser, OS, device type, referrer, and other telemetry.
Telegram:
- Bot: Pleplex_bot
- Bot ID: 7949068235
- Recipient: zxcvaax
- Chat ID: 7697853079
URLs:
morg-234[.]com
pub-53cea2db57dc4d53a276334acb98f5c0[.]r2[.]dev/ScreenConnect.ClientSetup.exe
SHA256: 850f4b36791744182bd1e7fdc9dab227579b7258daec0970f96b103d8c8c6276
#phishing #malware #RMM @500mk500 @patialavii @skocherhan
Anurag (@Malwarehunterr):
Suspicious "Private Document" verification page. The page asks visitors for their email address, then uses JavaScript obfuscation (Base64 + string reversal) to redirect victims to an external domain while appending the supplied email address to the URL.
URLs:
hxxps://www.test[.]engelconsulting[.]ci/secure_integration.html
hxxps://0xdff5bcee57809c2062cd5b38febee9ae61b47e5erh4[.]com/?ymnecxtp
#phishing @500mk500
Anurag (@Malwarehunterr):
Document Download phishing lure impersonating a secure file-sharing portal. The page displays a fake "Encrypted End-to-End Document" message and redirects users to a second-stage site when the "View / Download Document" button is clicked.
URLs:
123plochki[.]online
securedoc.labsuface[.]com
#Phishing #CredentialHarvesting @500mk500
Anurag (@Malwarehunterr):
Suspicious "Google Meet audio issue" page. The site impersonates Google/Gemini, tracks visitors, and polls a backend for instructions.
URL: audio92872[.]icu
#Phishing @500mk500 #Google
Anurag (@Malwarehunterr):
Fake #Binance Crypto Giveaway #scam
URLs:
hxxps://ozonhend[.]eu[.]org/
hxxps://ozonhend[.]eu[.]org/operator_connect
hxxps://ozonhend[.]eu[.]org/operator_chat2
hxxps://ozonhend[.]eu[.]org/payout_currency
hxxps://ozonhend[.]eu[.]org/payout_exchange
#Phishing @500mk500 #CryptoScam
Anurag retweeted
VM (@patialavii):
⚠️ Observed phishing URLs delivering RMM payload:
RMM: Atera
Theme: Teams
URL: hxxps://mg.duclbhk[.]com/en-us.microsoft-teams/Windows/invite.php
MSI Download URL: hxxps://mg.duclbhk[.]com/en-us.microsoft-teams/Windows/download.php
SHA256: 6d15ac1d471e8be4a823c7728d7d82fdb98e57827fae880c585a81de56b390cc
#ThreatIntel #Phishing #RMM
Anurag retweeted
Ayush Anand (@Securityinbits):
One row per rule. Every command line, host, user collapsed into one pivot. That's what VALUES() does in ES|QL. It collects all distinct values of a field inside each group, so they survive the aggregation. Without VALUES(), STATS gives you a count. With it, you get every command, every path, every host that fired under that rule. All on one row. 150+ alerts become 15 rules. Stop reading alerts. Start reading rules.
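An ES|QL query in the shape the post describes, added here as an illustration rather than taken from the post or its author; the alerts index pattern and the field names are assumptions (Elastic Security's `.alerts-security.alerts-*` indices with ECS-style fields):

```esql
// Added example, not from the post: collapse the last 24 hours of alerts into
// one row per detection rule, keeping the distinct hosts, users and command
// lines that fired under each rule instead of reducing them to a bare count.
// Assumed index pattern and field names:
//   .alerts-security.alerts-*, kibana.alert.rule.name,
//   host.name, user.name, process.command_line
FROM .alerts-security.alerts-*
| WHERE @timestamp > NOW() - 24 hours
| STATS
    alerts   = COUNT(*),                      // how many alerts the rule produced
    hosts    = VALUES(host.name),             // every distinct host, kept as a multi-value field
    users    = VALUES(user.name),             // every distinct user
    cmdlines = VALUES(process.command_line)   // every distinct command line
  BY rule = kibana.alert.rule.name
// Multi-value counts make the spread visible: one rule on fifty hosts reads
// differently from fifty alerts on one host.
| EVAL distinct_hosts = MV_COUNT(hosts), distinct_cmdlines = MV_COUNT(cmdlines)
| SORT alerts DESC
| LIMIT 15
```

Each row is one rule to triage; the `hosts`, `users` and `cmdlines` columns carry the pivot values a reviewer would otherwise have to collect alert by alert.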
Anurag retweeted
VM (@patialavii):
⚠️ Observed phishing URLs delivering RMM payload:
RMM: Atera
Theme: DocuSign
URL: hxxps://workspaceviewers[.]com/ftx/page.html
MSI Download URL: hxxps://pub-08c4eecd5bcd44d090c4e0250d46725f.r2[.]dev/setup_docusign_installer_v2.8.msi
SHA256: 4b6e6db485cf455d9c6e0fcac297d7a1ed62f21d7abb66fb9fdb8ce787dae1fa
#ThreatIntel #Phishing #RMM
Anurag retweeted
VM (@patialavii):
⚠️ Observed phishing URLs delivering RMM payload:
RMM: ScreenConnect
Theme: IRS
URL: hxxps://btswp.microsharp[.]net/irss/docu/Windows/invite.php
EXE Download URL: hxxps://educargames.com[.]br/msi/ScreenConnect.ClientSetup.exe
SHA256: 8b8fccafc9abffb4e23f839672a953c454d4a63f42ac2de08e36955f306d9019
#ThreatIntel #Phishing #RMM
Anurag retweeted
Ayush Anand (@Securityinbits):
ssh.exe -R proves a tunnel exists. It doesn't prove a pivot. Identical flag in all three rows. What separates a benign port-forward from a SOCKS subnet sweep is the shape of the traffic: fan-out and failure count, not the command line. Full breakdown drops Thursday. KQL + ES|QL so you hunt it the same day. 🔍
Anurag retweeted
VM (@patialavii):
⚠️ Observed phishing URLs delivering RMM payload:
RMM: Rodex
Theme: Zoom
URL: hxxps://clientmeetingzoomspace[.]com/Windows/invite.php
VBS Download URL: hxxps://user-support[.]online/api/agent/download/6a22e84654ddf3633644d077?type=vbs
EXE Download URL: hxxps://user-support[.]online/api/agent/download/6a22e84654ddf3633644d077?type=exe
SHA256: 17e46f389c35bd5db3118562ac2500cb3bdd6d72ebbc432d2a986087e36fae5f
#ThreatIntel #Phishing #RMM
Anurag retweeted
Jon (@unrequitedlyfe):
I gained access to the threat actor's server due to their bad SECOPS. Later, they discovered and removed my backdoor and patched the vulnerabilities I used.
Anurag retweeted
ܛܔܔܔܛܔܛܔܛ (@skocherhan):
#Phishing @IndianCERT @500mk500 @Malwarehunterr