Some #bots related to this campaign. Who's the mysterious figure behind "symtee"?🤔

🚨Mission from my big brother @SethKingHi: The payload in the sample is encrypted with AES_CBC and compressed with LZMA. The decryption key is derived from a parameter in Python. The final payload abuses a #Zulip chat room as its #C2. Happy hunting 🍷 & Stay vigilant⏰@Xlab_qax

🚨#APT #Higaisa Another intriguing discovery was the file 91f0ebb41949f14d16f1c70a4086cb45 utilized #AppImage as a "packing mechanism" to evade static detection🤔. It had only 7/66 on VT, while its extracted payload scored 27/66😅. Happy hunting 🍷 & Stay vigilant⏰ @Xlab_qax

🚨 #IOC #Backdoor Identified low-detection #ELF samples on VT with a VMP-like shell, 🤔. Analysis of the dumped config confirms they are #NoodleRAT . #C2 📸{ 107.148.33.2 | 43.246.209.83 }📸. Ip 43 affiliated with #APT #Higaisa. Happy hunting 🍷 & Stay vigilant⏰@Xlab_qax

#IOC @rubick_ai Your servers are pwned! Attackers are leveraging them to serve up downloads for the #PickAI #backdoor. The #C2's detection rate is practically nonexistent right now. Happy hunting 🍷 & Stay vigilant! 📷@Xlab_qax

很艰难的一次法国之旅，一落地就病倒了；很有意思的一次聚会，总是惊叹于大佬们的奇思妙想

🚨 #IOC Identified zero-detection #ELF samples on VT with a VMP-like shell, featuring two uncommon sections🤔. Analysis of the dumped config confirms they are #APT41 #WINNTI #Backdoor. 📸 #C2 👉 {linux|rk|win}.tklolasi.com. Happy hunting 🍷 & Stay Stay vigilant! ⏰ @Xlab_qax

哈哈哈

🚨#IOC #ELF sample (cafbe0a19de0401d895c6d7c7c37f79b) with low detection 4/65 on VT, decrypted to reveal a payload consistent with the classic #Rekoobe #Backdoor, using get.astrarepository[.]com as its #C2. C2 is zero detections.Happy hunting 🍷 & Stay vigilant ⏰,@Xlab_qax

#IOC Some cool Easter eggs from #DDoS #Botnet 5FA0454DB32325C42EE70186CD5760C2: .📸"dick surgey isn't cheap" & 🚨"Arrest Alex".Bro—oh wait, I guess I should call you sis now 🤣. Did the surgery hurt? Also, please don’t arrest Alex.🙏 Happy hunting 🍷 & Stay vigilant ⏰,@Xlab_qax

🚨#IOC #Backdoor New low detection #AutoColor samples found on VT, initially exposed by @Unit42_Intel , leverage a zero-detection #C2: update[.]dateplugs[.]com. Happy hunting 🍷 & Stay vigilant ⏰, @Xlab_qax

🫡Fox, you’ve got a keen eye for detail,👍. The bot isn’t actually leveraging the A record. The threat actor deliberately pulled an IP from the #FBI’s ASN infras —a bold, in-your-face provocation. The real #C2 communication is happening via the TXT record.Stay vigilant,@Xlab_qax

A new #botnet rolls into town. The ciphertext quotes love song lyrics, what a sentimental threat actor,🤣. We’ve got another song for the actor, “Let It Go.”.#C2 👉 re.santasbigcandycane[.]ru. "santasbigcandycane" is clearly a nod to #Mirai. Have Fun and Stay vigilant @Xlab_qax

🚨#Speculoos #Backdoor 3db8e26f059e8b1fd3bbb96c052cfe4a belongs to #APT41 #WINNTI, has stayed undetected since 2023.04.23. #IOC #C2 is sshc.webtechnovelty[.]com. Comparing with @Unit42_Intel samples, function names alone reveal expanded capabilities. Stay vigilant, ⏰@Xlab_qax

Absolutely loved this #RE challenge—#Vo1d is a clever foe! If you’re into it, check out the Codomain & ASR_XXTEA parts—you won’t be disappointed. Oh, and if you want #DGA details , pls follow @Xlab_qax & DM—My boss’ll share u code.(他太闲了，给他找点活干,🤣)🍷"LONG LIVE THE RE"🍷.

Back from Spring Festival🍷, finished a new blog on #Vo1d variant infected ~160m TV. For RE fans, the coolest bit is how the Vo1d author messed with the XXTEA , ditching LSR for ASR,total genius move👏! You can bet some #DDoS #botnets will nab this trick. Stay vigilant, @Xlab_qax

January 20th is a special day. Let's take a look at a few #C2 domains: {trump2024.oss & liberalretard.libre}. It seems the botnet is run by #Trump supporters, but ironically, they launched a #DDoS attack on the Trump-#Musk Livestream in 2024. "Money is the root of. "🤣 @Xlab_qax

🚨Initially thought to be a new #IOCONTROL sample from Germany on VT, turned out to be a UPX magic tweak—"ABC!" to "GBC!". Despite this minor tweak, the detection plummeted from 32/63 to just 3/63. #C2 points to a new IP: 3.127.232.142. who’s behind this update?@Xlab_qax @Claroty

🚨🚨Recently caught the latest update from the #vo1d #android #botnet—still boasting an impressive scale of 1.3 million bots. Stay vigilant，⏰⏰！@Xlab_qax

Haha, 英雄所“见”略同,😁.I dropped a Chinese analysis on this malware back on 11.28. I had a hunch there was some background to it, but didn’t realize it was this big, "a cyberweapon". The background and impact analysis in @Claroty's report is pure gold，🫡.