🚨 New #JavaStealer “MaksStealer” uncovered! Fully in-memory, FUD, DES–Blowfish runtime decryption, WebSockets on 4025/4028/6662. Author “Max, 17yo” left his signature in the payload 🤯 Full report & IoCs 👉 https://t.co/HHuNMn5FPL #infosec #malware #ThreatIntel @malwrhunterteam

@jamieantisocial @struppigel @JAMESWT_WT @guelfoweb @marsomx_ @RussianPanda9xx @_JohnHammond maybe this is interesting for you, have a look if you want :)

sample available here:

found this russian (?) malware Downloads artifacts falcon.exe -> Stealer, packed with Themida, drops logs in russian, exfiltration via HTTPS in a ZIP file explorer.exe -> CryptoMiner, XMRig #UnPacking #Themida #ThreatIntel "Banshee" in the ZIP name, APT (?) We need to investigate

staging: hxxps://4bagh[.]net/doc/Encrypted_Script.ps1 C2 SMTP: mail[.]iranlabex[.]ir 🇮🇷 C2 sender: salesoffice@iranlabex.ir 🇮🇷 C2 receiver: jctrads@protonmail.com Bazaar:

🚨ALERT🚨 Malspam campaign against Sistema Sanitario Regionale Liguria @RegLiguria 📤Sender likely spoofed (🇺🇿 based server) 📥Receiver: Institutional PEC mail > rar > jse > powershell with AES encrypted ps1 > aspnet_compiler.exe (BLACKHAWK > Agent Tesla) IoC and sample below👇

Phishing "Pedaggio non pagato" autostde[.]com domain created today (2025-11-19) @AgidCert @JAMESWT_WT @illegalFawn @guelfoweb @AndreaDraghetti @marsomx_

https://t.co/V8OI9NNQji Hunter: @MaksRAT_Off

🚨NEW python stealer🚨 🛸Drops .pyd in %APPDATA%\Local\Temp\_MEIxxxxx ⚠️Relaunch itself via CreateProcessW Exfil👇 browser cookies and password Discord Steam 📡send data via telegram bot C2: api[.telegram[.org/bot8484778379:AAG_EhhM1Ao139HBPfgfV0zVlMSi-2HfkCM/sendMessage bazaar👇

🚨ALERT🚨 #CryptersAndTools started using github and supabase as staging for #steganography images Delivering #AgentTesla @anyrun_app : https://t.co/26LPH3iVnX hunter: @JAMESWT_WT

Caminho Loader Malware Analysis #CaminhoLoader #malware #ThreatIntel @smica83 @ShadowOpCode https://t.co/KYnUbH2SsR

⚠️ALERT⚠️ there is an OPEN webshell on hxxps://boldcleaningsolutionsatl[.]com/ NEW domains: boldcompanions[.]com boldinnovationspetcare[.]com @AgidCert @guelfoweb @JAMESWT_WT @vxunderground a lot of malwere inside 😋 cc: @tobersotski https://t.co/HwXuXe3lho

HTA file deobfuscation from the "fake DMCA report" phishing campaign. Key features shown in the screenshots @_JohnHammond @vxunderground @ShadowOpCode https://t.co/vMiXwrmRMk

hxxps://cfd[.]morgancapital[.]ltd/ 🧵2/2

Cryptocurrency investment scam #Italy Targeting @RaiNews and @SigfridoRanucci @CarContiRai @antoclerici hxxps://advertiserspots[.]com/ hxxps://advertiserspots[.]com/Italy/ spotted also by @illegalFawn https://t.co/6XM6UzVhF6 🧵 1/2

🚨#Formbook #Xloader spotted in a malspam campaign in #Italy ⚠️Using another "Lorem Ipsum Dolores" variation! Related tweet: https://t.co/gNq7Bg9Bv5 @anyrun_app analysis: https://t.co/nVJAypisqu C2: www[.]grevla[.]top

@AgidCert @guelfoweb @JAMESWT_WT @illegalFawn @marsomx_ @AndreaDraghetti the domain is #FUD at the moment 🤡 https://t.co/Ou4NpQizTh

🚨ALERT🚨 ⚠️We have spotted a massive #phishing campaign in #Italy targeting various firms mail > pdf lure > #TypoSquatting 👀Typo squatting domain: hxxps://mircosotfonilne[.]ru

This variant shows identical C# runtime compilation and Donut shellcode staging → same TTP chain as Lumma Stealer documented here: https://t.co/39thjdb7gR 🔥Reverse, correlate, hunt🔥

the payload is finally injected inside of explorer.exe It is not clear at the moment what malware is this. However...

the operations to create the C# executable are performed...