RT @abuse_ch: On the 1st of December, the notorious Socks5Systemz payload server hosted at AS57678 (Cat Technologies 🇭🇰) that is already ac….

RT @RacWatchin8872: #AsyncRat #Malware.💣holder-apartments-face-matthew[.]trycloudflare[.]com/uline/Nr-2005-028763-2024-PDF[.]lnk💣.lnk->vbs-….

RT @anyrun_app: 🚨 Attackers use public open directories for hosting #malicious scripts disguised as .txt and .jpg files. These are utilized….

RT @NDA0E: @mdmck10 @malwrhunterteam @DNSPod @ICANN Big news! .ICANN issued a Notice of Breach against @DNSPod in response to my complaint….

RT @banthisguy9349: Its been a while for me to check up on this issue!.96 ips are currently found to be uses for controlling botnets to per….

RT @kddx0178318: One more sample of #spearphishing gz attachment reaching #Lokibot C2 104.248.205.66:80.DHL Shipment DOC_643040277.gz >DHL….

#Mirai #C2 domains are using Round-Robin DNS to resolve to multiple hosts. Using "Resolve-DnsName" in PowerShell we can resolve the domains to their corresponding IPs. Ports used for Mirai connection: 1337, 2222, 2474, 5555, 6969, 8745, 8932, 12381. IOCs:

Distribution domain queries for #RobotDropper on @ValidinLLC and @censysio. Validin: RapidShare - Fast & Secure File Transfer for Free. Censys: services.http.response.html_title="RapidShare - Fast & Secure File Transfer for Free". IOCs shared on ThreatFox:

RT @banthisguy9349: are they even trying to hide it @NDA0E ? 😆. http://154.216.18.175/ #opendir . Bulletproof ASN: AS215240 NETRESEARCH http….

#Censys query to find #GossRAT #C2 servers:.services.http.response.body_hash="sha1:b7c4a3bf814a5aaf96e208f47a17066c32ac0ad0". The URL path used for C2 communication is the same across all domains > /rat/apps/mellat/notify.php. IOCs: #IOC #IRATA #GossRAT

RT @spamhaus:

Welcome to EVILEMPIRE v2. Previous threat actors using #Amadey have already moved their infrastructure to #AS51381 ELITETEAM-PEERING-AZ1.

cc: @onecert_ir @banthisguy9349.

As for now, the 10 active domains are delivering the same #GossRAT payload. URLhaus: Mellat.apk:

Iranian threat actors are using phishing sites that impersonate @mellatbankiran to distribute #GossRAT through a download page claiming to be the bank's mobile app. Using @censysio DNS records i found over 100 domains to have been involved, most of them using .buzz as their TLD.

#Rhadamanthys #C2 at 91.92.242.245:443.

#GuLoader #opendir. hXXps://www.pineappletech.ae/at/. at.vbs: #Rhadamanthys ? .#Stealer

Also targeting different agencies and law enforcement from foreign countries:. international-return-back[.]vip.legalteam[.]top.cyberpol-int[.]services.cyber-pl[.]info.zujupeo[.]com.ic3cyber[.]org.

Search using @urlscanio . filename: "interpol.mp4" AND filename:"country.json" 🔥. cancel-service[.]info.