Tommy M (TheAnalyst)

4.5K posts

Tommy M (TheAnalyst)

@ffforward

Threat Researcher @proofpoint | @Cryptolaemus1

شامل ہوئے Mayıs 2010

195 فالونگ14.5K فالوورز

پن کیا گیا ٹویٹ

Tommy M (TheAnalyst)@ffforward·2 Mar

So I have started a new job this week, as a Threat Researcher for @proofpoint. Can you imagine working with such an awesome team that finds and shares stuff like this? 🙌👏🥳

Threat Insight@threatinsight

Proofpoint has identified a compromised private military email account delivering #SunSeed Lua malware. Threat research related to this activity is detailed in this blog. ow.ly/7COv50I7zkO

English

240

Tommy M (TheAnalyst) ری ٹویٹ کیا

Threat Insight@threatinsight·19 Şub

Proofpoint threat researchers identified a new malware-as-a-service named #TrustConnect. Notably, it masquerades as a legitimate remote monitoring and management tool, marking an evolution in how attackers weaponize trust around enterprise tooling. brnw.ch/21x05Vh

English

6.9K

Tommy M (TheAnalyst) ری ٹویٹ کیا

Squiblydoo@SquiblydooBlog·19 Şub

Thanks to the proofpoint team for highlighting "TrustConnect Software PTY LTD". The actor got the cert hoping to look like a legitimate RMM—but in collaboration with Proofpoint—we didn't let them maintain the illusion. See Proofpoint's blog for all the details.

Tommy M (TheAnalyst)@ffforward

Would you run AdobeReader.exe from a days-old company called "TrustConnect Software PTY LTD" just because they managed to purchase an Extended Validation certificate? New blog out together with @proofpoint @threatinsight proofpoint.com/us/blog/threat…

English

4.8K

Tommy M (TheAnalyst)@ffforward·19 Şub

English

20K

Tommy M (TheAnalyst)@ffforward·2 Şub

@malwrhunterteam Bot that is installed after the stealer in this campaign for example: jeromesegura.com/malvertising/2… Exfils data > 38.244.158[.]56/contact > Trojanize Ledger (sassonco[.]com/zxc/app.zip and Trezor sassonco[.]com/zxc/apptwo.zip> above URL via installBot(homeDir, cachedPassword, botUrl)

English

306

MalwareHunterTeam@malwrhunterteam·27 Oca

"kito": c375980f5734dcf7cbb41e859633e1735a232ed9f70795501ac25bcb70139594 From: https://sassonco[.]com/zxc/kito 🤷‍♂️

Português

4.4K

Tommy M (TheAnalyst) ری ٹویٹ کیا

Threat Insight@threatinsight·28 Oca

As the security landscape evolves and expands, Proofpoint observed many threat actors disappear from email threat data in 2025. But TA584 maintained operational consistency, w/ recent shifts demonstrating its attempt to infect a broader range of targets. brnw.ch/21wZsWU

English

1.7K

Tommy M (TheAnalyst)@ffforward·19 Oca

@malwrhunterteam @LogMeIn Resolve, a lot of abuse of it right now. companyid=621183840131085098

English

306

MalwareHunterTeam@malwrhunterteam·19 Oca

"SSA_STATEMENT_PDF.msi": e13a8bf2d66774042a0d0ca1ada2b9951b52fbd833a9844979edb633e2b0314f From: https://84pixels[.]com/ -> https://84pixels[.]com/SSA_STATEMENT_PDF.msi "The United State Social Security Administration | SSA" "Welcome to Your Latest SSA Statement Download" 😂 🤷‍♂️

English

2.8K

Tommy M (TheAnalyst)@ffforward·19 Oca

@malwrhunterteam Some similarities how the PowerShell loader works. But if I recall correctly this older thing instead used Deno to to download and run Python+script, not sure I looked much deeper than that

English

258

MalwareHunterTeam@malwrhunterteam·19 Oca

@ffforward Is there any relation other than that is also using Deno?

English

187

MalwareHunterTeam@malwrhunterteam·16 Oca

Possible interesting "topwebcomicsv1.msi": 5a1c14335d0a8b007ff2813e6ef738e8836be38257cc82fe03c02b71d71e1b01 It is using Deno, "the next-generation JavaScript runtime". Seeing malware using Deno is not a common thing, at least yet... 🤷‍♂️

English

50.7K

Tommy M (TheAnalyst)@ffforward·19 Oca

@malwrhunterteam BTW looked at this thing back in September that likely is related: virustotal.com/gui/domain/fet… which then goes back to at least January last year.

English

990

Tommy M (TheAnalyst)@ffforward·19 Oca

@vxunderground @malwrhunterteam @nullableVoidPtr Nice writeup, but Smokest might not be a good name, its likely just a campaign indicator. Example virustotal.com/gui/file/0bd1d… Fake OBS > Donut > Amadey > Various MSI > PowerShell that I have seen lead to either this or CastleRAT via Python loader, Smokest120[.]zip.

English

20K

Tommy M (TheAnalyst)@ffforward·19 Oca

@malwrhunterteam x.com/ffforward/stat…

Tommy M (TheAnalyst)@ffforward

QME

651

vx-underground@vxunderground·19 Oca

A few days ago @malwrhunterteam discovered a new malware family (I think, I couldn't find any family overlap, vendors please confirm). I poked it with a stick. I've named it Smokest. It was deobfuscated by @nullableVoidPtr. It's neato. malwaresourcecode.com/home/my-projec…

English

252

19.5K

Tommy M (TheAnalyst)@ffforward·4 Ara

@LunchM0n3ey9090 Looks like Tsundere Bot?

English

539

Aug@LunchM0n3ey9090·4 Ara

Oh.

490

Tommy M (TheAnalyst)@ffforward·16 Kas

@abuse_ch @Bitsight I suggested #WallStealer due to the calculation of wallpaper hash but if someone already have a name thats fine too 😅

English

791

abuse.ch@abuse_ch·16 Kas

Potential new stealer dropped by #Amadey, caught by @Bitsight 🤖🔍Who can name it? ⤵️ 👉 #sandnet" target="_blank" rel="nofollow noopener">hunting.abuse.ch/hunt/6919ec1c9… Botnet C2 domains: 📡defender-temeerty .sbs 📡telemetry-defender .lol Botnet C2 server: 🛑185.100.157.69:443 (Partner Hosting 🇬🇧) Malware sample: 📄 bazaar.abuse.ch/sample/903cdf6… Dropped by Amadey via: 🌐 urlhaus.abuse.ch/host/arabianai…

English

6.5K

Tommy M (TheAnalyst) ری ٹویٹ کیا

Threat Insight@threatinsight·13 Kas

Proofpoint is proud to have assisted law enforcement in the #OperationEndgame investigation that led to the Nov. 13, 2025 disruption of #Rhadamanthys and #VenomRAT—#malware used by multiple cybercriminals. Rhadamanthys: brnw.ch/21wXsCc VenomRAT: brnw.ch/21wXsCd

English

3.7K

Tommy M (TheAnalyst) ری ٹویٹ کیا

Ole Villadsen@OleVilladsen·3 Kas

Remote access, real cargo: cybercriminals targeting trucking and logistics | Proofpoint US #cybercrime #shipping #cargo #freight #trucking #rmm #fleetdeck #logmein #nable #pdqconnect #screenconnect #simplehelp proofpoint.com/us/blog/threat…

English

2.1K

Tommy M (TheAnalyst) ری ٹویٹ کیا

Threat Insight@threatinsight·21 Eki

Since 14 Oct., we’ve tracked a high volume XWorm campaign targeting Germany. The activity is attributed to TA584, a sophisticated #cybercrime group tracked since 2020. Messages are sent from hundreds of compromised sender accounts impersonating ELSTER and contain malicious URLs.

English

2.7K

Tommy M (TheAnalyst) ری ٹویٹ کیا

Threat Insight@threatinsight·3 Eyl

Threat actors continue to abuse GitHub to deliver malware, this time: #LummaStealer. We identified GitHub notification emails that kick off the attack chain. Messages are sent when the threat actor, using an actor-controlled account, comments on existing GitHub issues. 🧵

English

6.8K

Tommy M (TheAnalyst)@ffforward·19 Ağu

@anyrun_app @threatinsight Thanks, and as always very impressive to see these chains run fully in a public sandbox, with all their filtering and various tricks it's very uncommon.

English

839

ANY.RUN@anyrun_app·19 Ağu

@threatinsight Appreciate you sharing!

English

368

Threat Insight@threatinsight·18 Ağu

Proofpoint @threatinsight identified a unique attack chain leveraging GitHub notifications to deliver #Rhadamanthys. We first spotted this post by @anyrun_app about ClickFix delivering Rhadamanthys and began investigating. 🔍

ANY.RUN@anyrun_app

🚨 How #Rhadamanthys Stealer Slips Past Defenses using ClickFix ⚠️ Rhadamanthys is now delivered via ClickFix, combining technical methods and social engineering to bypass automated security solutions, making detection and response especially challenging. 👾 While earlier ClickFix campaigns mainly deployed #NetSupport RAT or #AsyncRAT, this C++ infostealer ranks in the upper tier for advanced evasion techniques and extensive data theft capabilities. #ANYRUN Sandbox lets SOC teams observe and execute complex chains, revealing evasive behavior and providing intelligence that can be directly applied to detection rules, playbooks, and proactive hunting. 🔗 Execution Chain: ClickFix ➡️ msiexec ➡️ exe-file ➡️ infected system file ➡️ PNG-stego payload In a recent campaign, the phishing domain initiates a ClickFix flow (#MITRE T1566), prompting the user to execute a malicious MSI payload hosted on a remote server. 🥷 The installer is silently executed in memory (#MITRE T1218.007), deploying a stealer component into a disguised software directory under the user profile. The dropped binary performs anti-VM checks (T1497.001) to avoid analysis. In later stages, a compromised system file is used to initiate a TLS connection directly to an IP address, bypassing DNS monitoring. 📌 For encryption, attackers use self-signed TLS certificates with mismatched fields (e.g., Issuer or Subject), creating distinctive indicators for threat hunting and expanding an organization’s visibility into its threat landscape. 🖼️ The C2 delivers an obfuscated PNG containing additional payloads via steganography (T1027.003), extending dwell time and complicating detection. 🎯 See execution on a live system and download actionable report: app.any.run/tasks/a101654d… 🔍 Use these #ANYRUN TI Lookup search queries to track similar campaigns and enrich #IOCs with live attack data from threat investigations across 15K SOCs: intelligence.any.run/analysis/looku… intelligence.any.run/analysis/looku… intelligence.any.run/analysis/looku… intelligence.any.run/analysis/looku… 👾 IOCs: 84.200[.]80.8 179.43[.]141.35 194.87[.]29.253 flaxergaurds[.]com temopix[.]com zerontwoposh[.]live loanauto[.]cloud wetotal[.]net Find more indicators in the comments 💬 Protect critical assets with faster, deeper visibility into complex threats using #ANYRUN 🚀 #ExploreWithANYRUN

English

11.1K

Tommy M (TheAnalyst) ری ٹویٹ کیا

Threat Insight@threatinsight·18 Ağu

The notifications contain shortened URLs that will lead to an actor-controlled website. The website will perform filtering functions, and if those checks are passed, the visitor will be redirected to a website that presents a fake GitHub-branded CAPTCHA instructing users to verify they are human.

English

2.5K

دریافت کریں

@proofpoint @threatinsight @malwrhunterteam @LogMeIn @vxunderground @nullableVoidPtr @LunchM0n3ey9090 @abuse_ch