ExecuteMalware Profile
ExecuteMalware

@executemalware

Followers
27K
Following
77K
Media
1K
Statuses
17K

#malware hunter & analyst. Opinions are my own.

Cold country
Joined June 2016
@ex_raritas
Andrew Northern 𓅓
21 hours
New research by yours truly 👇👇👇 Featuring: 💉 Web Injects 👺 Fake-Captchas ⛓️‍💥 Blockchain Analysis 🍎 Mac Malware 🖥️ Steam based Dynamic C2 💬 Telegram Fallback 📋 Click-Fix EtherHiding blends Fake CAPTCHAs, Click-Fix lures, and blockchain staging. Payloads rotate inside
@censysio
Censys
21 hours
๐Ÿ•ต๏ธโ€โ™‚๏ธ New Censys research investigates EtherHiding, an adversarial tactic that stores payload stages inside smart contracts and uses Fake CAPTCHAs and Click-Fix lures to push victims into running OS-specific commands. EtherHiding can produce resilient delivery paths that donโ€™t
1
6
21
@James_inthe_box
James
21 hours
A new one on me... #mercury32 #loader (but still kinda #darkcloud) https://t.co/8HGhajxzZE
0
3
6
@James_inthe_box
James
23 hours
Evil #logmeinrescue at: https:// connectme-1ke.pages. dev/LogMeInResolve_Unattended.msi e56e5f1f37b6c2ae9f4f1b2e7ab2f7aee9ca91c4c84334dd5bb49675de619736 Company ID: 8400521075231559185
1
2
4
@clibm079
clibm079
1 day
💙PE-bear: The Art of Intuitive Malware Analysis How Visual Design Turns the ‘First View’ into Actionable Insights for Reverse Engineering https://t.co/vh9QjCtrpy
3
13
112
@Oddvarmoe
Oddvar Moe
2 days
Just learned something wild — maybe everyone else already knew… In Edge/Chrome, you can bypass the HTTPS security warning by typing: 👉 thisisunsafe No button, no prompt. Just type it. Instantly skips the warning and loads the site. 🤯 Great write-up explaining it here:
29
125
1K
@RussianPanda9xx
RussianPanda 🐼 🇺🇦
2 days
It's live 💙 I think every security person should have this tool (@malcat4ever) installed. https://t.co/sJgxqpy048
19
33
169
@g0njxa
Who said what?
2 days
1 week after the operation on Rhadamanthys, it seems to be more disruptive than the one done on Lumma (which should be a good comparison) since the infostealer has not returned soon. So it seems we can start talking about another one missing on the Internet, at least for
@g0njxa
Who said what?
9 days
First thoughts about #Rhadamanthys Stealer "disruption" (?) and what to expect in the next days with the current information as of November 13th: The same way I did with Lumma I want to share some words ( https://t.co/t5wpfVCa85) Leaving to one side from the discussion anything
2
10
36
@James_inthe_box
James
2 days
#stealerium hosted at: http://31.57.147.77:6464/gethta http://31.57.147.77:6464/getdll hash 88feadbb2f9548d3c0cb9c6519bcea476acf9ac2a3eeccde5655457cbba29db4 on the dll
1
5
10
@anyrun_app
ANY.RUN
2 days
🚨 JSGuLdr: Multi-Stage Loader Delivering PhantomStealer TL;DR: We identified #JSGuLdr, a multi-stage JavaScript-to-PowerShell loader used to deliver #PhantomStealer. A JScript file triggers PowerShell through an Explorer COM call,
0
15
71
@anyrun_app
ANY.RUN
2 days
โš ๏ธ Just one email targeting a US state agency exposed a full FormBook infection chain. Spoofed headers, failed SPF checks, and C2 activity become visible in seconds. ๐Ÿ‘จโ€๐Ÿ’ป See how attacks on government institutions were uncovered and analyzed using #ANYRUN: https://t.co/vvSMTSYcgW
0
15
33
@hasherezade
hasherezade
3 days
Long overdue, but here’s my writeup for #FlareOn12 Task 9:
0
36
161
@abuse_ch
abuse.ch
3 days
Yet another new stealer in town: #ArkanixStealer 🔥 %AppData%\Arkanix_lol\history.json %AppData%\Arkanix_lol\system_info.json %AppData%\Arkanix_lol\screenshot_monitor_1.png Akranix botnet C2: 📡 https://arkanix .pw/api/session/create 📡 https://arkanix .pw/delivery
3
32
144
@struppigel
Karsten Hahn
3 days
Rhadamanthys loader deobfuscation https://t.co/rDvK0uqgiV
0
30
77
@anyrun_app
ANY.RUN
3 days
โš ๏ธ Rundll32, certutil, mshta; attackers abuse them to load payloads without raising alerts. Security teams using real-time analysis expose these #LOLBin tactics fast. Hereโ€™s how to achieve it inside your SOC ๐Ÿ‘‡ https://t.co/mJBj2nl9RF
any.run
Learn how attackers misuse trusted Windows binaries and how SOC teams can spot LOLBin abuse early.
0
27
93
@vector35
Vector 35
5 days
Free Candy anyone? Well, not quite free candy, but it might seem like it if you’re a user of the Free edition of Binary Ninja! In 5.2, we’re adding many new features from the paid versions to Free: Objective-C workflow, WARP plugin, DWARF Import and TTD support!
1
5
19
@anyrun_app
ANY.RUN
4 days
Phishing activity in the past 7 days. Track latest #phishing threats in TI Lookup: https://t.co/WtleCMOYeo #TopPhishingThreats
0
3
16
@James_inthe_box
James
5 days
0
1
3
@abuse_ch
abuse.ch
6 days
Potential new stealer dropped by #Amadey, caught by @Bitsight 🤖🔍 Who can name it? ⤵️ 👉 https://t.co/OnS2kroAIF Botnet C2 domains: 📡 defender-temeerty .sbs 📡 telemetry-defender .lol Botnet C2 server: 🛑 185.100.157.69:443 (Partner Hosting 🇬🇧) Malware sample: 📄
6
6
32
@anyrun_app
ANY.RUN
5 days
Top 10 last week's threats by uploads 🌍 ⬆️ #Xworm 1044 (641) ⬆️ #Lumma 479 (476) ⬆️ #Asyncrat 398 (275) ⬇️ #Quasar 371 (390) ⬆️ #Vidar 370 (292) ⬆️ #Remcos 318 (271) ⬆️ #Stealc 282 (174) ⬆️ #Agenttesla 193 (167) ⬆️ #Guloader 176 (171) ⬇️ #Smoke 160 (164) Explore malware in
0
4
13