In the past weeks I interviewed the staff of the major infostealer projects, 7 in total: Lumma, Raccoon, Meduza, Vidar, Amadey, StealC, Meta.
Below you will find a short summary of this series that ends today, and also the ones who refused to talk.
👀👇
I mean... Don't let your archive be exposed to the public. 😅😅
#opendir
http://77.91.68.78/lend/
Redline, Lumma, Warzone RAT, Meduza Stealer, Povertystealer, Formbook, Raccoon, AsyncRAT, Rhadamanthys, Smoke Loader, WhiteSnake &
a miner on hashvault
#Meduza
Stealer is not dead!
Search for C2 panels on
@fofabot
:
icon_hash="-559608920"
Some New panels:
👀👇
#Raccoon
Stealer has been observed using a new User-Agent: GunnaWunnaBlueTips, since at least 05-13
hxxps://telegra.ph/WareHacks-Soft-04-22
C2 ⚙️
#RacconV2
#Recordbreaker
37.220.87.66
45.9.74.99
UA: GunnaWunnaBlueTips
@crep1x
🙌
👇👇
Anonfiles, one of the major free file storage providers that existed in the past years, has announced the end of its service and domain is now for sale
@vxunderground
RIP anonfiles :(
The infamous
#Rhadamanthys
Stealer has been banned from XSS forum after failing to provide protection to CIS countries people.
Rhadamanthys was used against Russian military infrastructure (), also by some fellow traffers guys...
🫂🫡
I recently made an interview with
#Lumma
Stealer staff.
Just a brief talk :)
They want to say Hello to all of us. The malware project is near its 1st anniversary, it's time to dive into Lumma 🕊️
Read it at:
I made a little interview with
#Meduza
Stealer staff.
The "Immaculate" stealer and heir to Aurora's (RIP) legacy shared a little time talking about his product.
Take a look at:
You can also track the latest
#Qakbot
c2 servers with
@fofabot
jarm="21d14d00021d21d21c42d43d0000007abc6200da92c2a1b69c0a56366cbe21" && header_hash="480868286"
👇👇👇👇
The new exfiltration method used by
#Lumma
Stealer would be POST requests to a new endpoint at C2 servers
Lets say goodbye to /c2sock & /c2conf (RIP 🙏🏼🙏🏼)
New endpoint: /api
act=recive_message (Configuration request)
act=send_message (Exfiltration)
@AnFam17
@evstykas
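As an added defender-side example (not from the original feed), the Lumma endpoint change described above and the Raccoon User-Agent mentioned earlier can be turned into a simple scan over web-proxy logs; the log line format and the sample lines are constructed assumptions, not captured traffic.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the feed above:
#   Lumma (new):    POST /api with act=recive_message (config) or act=send_message (exfil)
#   Lumma (legacy): POST /c2sock or /c2conf
#   Raccoon:        User-Agent "GunnaWunnaBlueTips"
LUMMA_API_ACTS = {"recive_message": "lumma-config", "send_message": "lumma-exfil"}
LUMMA_LEGACY_PATHS = {"/c2sock", "/c2conf"}
RACCOON_UA = "GunnaWunnaBlueTips"

# Assumed (hypothetical) proxy log format: src method host url "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify_request(method: str, url: str, user_agent: str) -> Optional[str]:
    """Return a detection label for one request, or None if nothing matched."""
    if user_agent == RACCOON_UA:
        return "raccoon-ua"
    if method.upper() != "POST":
        return None  # both Lumma patterns are POST requests
    parts = urlsplit(url)
    if parts.path in LUMMA_LEGACY_PATHS:
        return "lumma-legacy"
    if parts.path == "/api":
        for act in parse_qs(parts.query).get("act", []):
            if act in LUMMA_API_ACTS:
                return LUMMA_API_ACTS[act]
    return None


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each line in the assumed format and collect matching requests."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        src, method, host, url, ua = m.groups()
        label = classify_request(method, url, ua)
        if label:
            hits.append({"src": src, "host": host, "label": label})
    return hits


# Constructed sample lines so the block runs stand-alone (hosts taken from the feed)
SAMPLE_LOGS = [
    '10.0.0.5 POST nursepridespan.fun /api?act=recive_message "Mozilla/5.0"',
    '10.0.0.5 POST nursepridespan.fun /api?act=send_message "Mozilla/5.0"',
    '10.0.0.7 POST 45.9.74.99 /index.php "GunnaWunnaBlueTips"',
    '10.0.0.9 GET example.org /api/health "curl/8.0"',
    '10.0.0.9 POST example.org /c2sock "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```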
#Lumma
Stealer has just been updated
Featuring the partnership with "GhostSocks", a SOCKS5 manager.
So it seems like Lumma Stealer will now be leveraging Socks5 proxies from victims.
I don't know how this works but I believe something like other proxy malware (
#SystemBC
)
#Lumma
Stealer implemented a bot protection system, "pre-trained on screenshots of known virtual machines" 2 months ago.
They now claim to have detected 483k bots avoiding 68k "garbage logs", reducing usage of HDDs and helping the world to become cleaner with less CO2 emissions
Seems like now
#infostealers
found a way to collect valuable information from Mozilla-based browser extensions.
These are new features on some known stealers, first reported by
#Lumma
Stealer in mid April and followed, for example, by
#ACR
Stealer and
#Vidar
at the moment
👇
I made an interview with
#Vidar
staff,
The infamous Vidar stealer (at its 5th Anniversary) and I had a little talk about his malware project.
They say that "there is no need to hold a grudge against us"...
Read it at: 👇👇
I made an interview with
#Recordbreaker
Stealer staff.
Not many questions, just asking things about Raccoon Stealer.
Will "MrBidenNeverKnow" be the next User Agent that we will find on this stealer?
Take a look at: 🦝🦝🦝🦝
If you haven't noticed, some websites involved with
#ClearFake
#FakeUpdates
campaigns seem to be sending download records to a Telegram Bot, forwarded to a Group.
46.255.201.42 - CN authenticprod[.]fr
styktraffred - Group Name
applemalicalo_bot - Bot user
Just been across a weird
#malware
campaign being spread on X via malicious ads (help!)
TL showed me this ad /Andristo_88/status/1776305295263756467 which is pointing to /audacityteam.top (suspended).
Find it at archive
showing the website and
+👇
While
#lockbit
disruption is getting deservedly all the attention,
Seems like other ransomware gangs are getting issues, talking about
#Stormous
ransomware
👀 Stormous
#DOWN
Privateloader Rewind 2023 ⏳
+1 million unique installs in 2023🎯
A humble blog about the InstallsKey PPI service. Profiling customers, the sources of their installations and the service itself!
Also available at /t.me/privateloader (🇺🇲&🇷🇺)
👇🏻👇🏻
CHAOS is an open-source RAT (/github.com/tiagorlampert/CHAOS) that was somewhat popular and abused last year, and it's still in use!
Track this on
@fofabot
👇👇
fid="9BUak7FRNMoqKoJPH7v8Lw=="
US, Canada, UK and Australia websites are compromised to serve Fortnite Spam (again)
At first, TA seems to be abusing Kentico CMS Media libraries.
Compromised websites include Bing Blogs, Credit Unions, Medical Institutions and NGOs
See full list!
hxxp://77.91.78.118/test2.bat
Cute privilege escalation method dropped by
#Amadey
Loader
It also disables any restore point on the infected host and blocks downloads from browsers.
Ironhost IO - BulletProof Servers
joined the PrivateLoader campaign serving as a c2 since 1st November.
91.92.243.151 - ironhost[.]io
Need a fast and reliable bulletproof server? Do not wait!
Have you ever wondered what is going on with Vietnamese 🇻🇳 malware targeting Facebook accounts?
I did, so you can get a quick overview of these threat actors activities and how they are spending (and earning) millions of $$$
Read now! 👇👀
#dropshipping
#Lumma
Stealer updated its capabilities recently.
It now has the ability to load other files while executing the main stealer, and to self-delete after that
This behavior is common on other stealers like
#Vidar
or
#recordbreaker
, loading crypto clippers like
#laplas
.
Very active.
A few days ago,
#Amadey
owner and I did a brief interview.
We talked about the past, present and future of the infamous
#Amadey
Loader, one of the biggest products in the MaaS environment. Something worth a read.
Please find it at:
Android Botnets ain't dead! 📲
#Ermac
V3.0 Botnet C2 Panel
91.215.85.213
Didn't find any information on this new version of this botnet. Previous V2 had some leak on March 2023
This was a previous C2 for StealC
@0x6rss
want to take a look? :)
An unknown
#stealer
has been spotted on YT!
C2 ⚙️
http://146.71.81.144/
Cookie Stealer, File Grabber, Crypto wallets, Password managers and Screenshots, everything POSTed to the C2
Take a look!👇👇 Just uploaded to VT
Let's discover one of the "youngest" infostealers traffers teams playing bad around...
Ghostbusters aka MMM Team 👻
+70k victims recorded in less than a year with +100 members disclosed, still active 👀
Absolute customization of builds and more!!
🪙👇
More live
#Clearfake
!
This is not about RU, this is China! 🇨🇳🇨🇳
Search on
@fofabot
title="Google Chrome 网络浏览器"
Examples:
Check samples!
@LinkedIn
accounts are compromised on a daily basis to join a big SEO poisoning campaign via LinkedIn Pulses.
Users are then redirected to fake malicious sites where malware is being distributed, mainly
#Lumma
Stealer,
#Cryptbot
and
#AMOS
for Mac Users (finally found! 🍎)
👇👇
The infamous Raccoon stealer 🦝 has not been updated for long months and the activity in the wild has dropped (Talking about me I see no more Raccoon)
Asked his staff, seems like the old coder left and there's a new one working on, so we must expect new updates soon!
👇⚙️
hxxp://bratzen.duckdns.org/byte/
#Opendir
Unknown
#loader
Hosting unknown payloads as a commercial loader for malware distribution.
Stored as .txt with the client TG username.
Seen on
#PrivateLoader
campaigns
Watch out Dynamics 365 *.microsoftcrmportals domains, abused at the "free vbucks" SEO poisoning campaign 🙄
Hunting
#Clearfake
with
@fofabot
fid="QddxtK34KUI1XP5ujfy5bw=="
Track the latest compromised domains
There should be more!
#Meta
Stealer just got updated to v4.3
So it seems like malware developers are now using AI to sign builds in order to avoid detections?
@NexusFuzzy
I believe the same updates will be seen on Redline soon, as usual.
Check everything 👇🏻👀
#Vidar
Stealer announced today the launch of a cryptocurrency token named $VIDAR coin, on the TON platform (Telegram Open Network).
They have also launched some NFTs.
1 $VIDAR = $0.11
Official page
/vidar.news
NFTs
/getgems.io/vidar
Something crazy is now being pushed by
#Privateloader
opens a pop-up window with a Microsoft error and a QR Code.
/pcrrent.com (Microsoft phishing) 🇨🇳??
Financial information is asked and exfiltrated via POST to /pcrrent.com/index.php
Full Detonation:
The use of SSL certificates on
#stealers
communication to C2 servers is becoming popular among these malware projects.
Exfiltration over HTTPS allegedly makes them "receive less detections on c2s and prolong its life"
A recent example is
#Lumma
Stealer 👇👀
After a long search, a build of the
#Vega
Stealer v2 has been found.
@suyog41
@Jane_0sint
41b8caca7e2c1ec36c2528fcd6a3f334
Log at C:\Users\<user>\AppData\Local\SystemFiles\
👇👇
Meet Chenlun , a worldwide phishing & carding campaigns provider
A community around a developer of rental products, with thousands of phishing victims, specialized in smishing attacks and looking for Credit Card Information
👇👇 Check it now!
New Amadey Update, just to "get ride of some detections".
Fresh C2s from our beloved
#Privateloader
👀
v4.03 is out!
/167.235.20.126/bjdm32DP/index.php
v4.02
/185.196.8.176/7jshasdS/index.php
Full detonation 👇👇
Threat Actors are doing their best trying to spread malware at GitHub
Recently, they were found sharing malicious Screensavers (.scr) files disguised as .sln files in a legit VS project in order to share
#AsyncRAT
abusing Discord CDN
Full run
#44caliber
is an open-source Stealer (hxxps://github.com/razexgod/44CALIBER) that relies on Discord Webhook as an exfiltration method of victim's information.
Seen back in 2021 and 2022, now it has been observed again at Youtube campaigns targeting Russian-based users
👇👇👀
stealerskymtni3tiagmx3pqktjgkm2iigwj6e2touws773emrfjvoyd[.]onion
#Rhadamanthys
Stealer Official Page on the underground
They even got a wiki page
rhadwikiwwzr6sfzygsr3qh7lwu5ghnaoupxwpsj2xuxjcgcebikh7id[.]onion
And some "media publicity" 😂
@SentinelOne
@proofpoint
@zscaler
🔍 Update in Malware Trends Tracker:
#Rhadamanthys
!
This
#stealer
is equipped with lots of features — including very unusual ones. Rising popularity makes it a notable
#cybersecurity
concern.
Dive into the Rhadamanthys overview and samples here 👇
#Amadey
updates on the v4.1 (4.11, 4.12 and 4.13)
Featuring:
Support for Psi+ XMPP client has been added to the stealer module.
Implementation of Reverse Proxy on the panel
Hundred small changes in EXE files
Check some IOCs 👇👇
The release of Amadey v4 was set to October 8th, 2023.
That was the 5th anniversary of the malware project, I kindly want to congratulate it for being a pain in the ass all these years. 🥳🥳🥳
How many years will it last?
Amadey - Hancintor - Hynamer - more AV names
OLD pics
#Meta
Stealer just announced one of the biggest updates in his entire operation time.
Meta Stealer v4.0:
New information exfiltrated from the victim host
New build encryption
New structure of requests between build & panel
More!
Time to 👀
Read the full changelog below:😅😅😅
A malware campaign on YouTube spreading fake installs via gopcworlds[.]com is hosting malware on an opendir
#opendir
5.42.64.15/bo 🇷🇺
It's full of .zip files with binaries, crashing when sandbox testing, but even so I could identify some
#Redline
and
#SystemBC
👇👇
🪙📥:
#Alphv
/
#Blackcat
ransomware related account has been banned after failing to appeal to the scam report.
Total amount discussed of ~350 BTC 💸
GG, exit scam. Indeed the seizure was fake
alphv is the next ransom gang that chose this way to end operations after noEscape
Let's have a look at the
#Cerberus
Team (the rebrand of the infamous
#Amnesia
Team) 🐐
Traffers that have been targeting Russian-based people for a long time (not as other teams), but also with more than 300k infected users around the world.
Tracking the activity of Alfa Team with FOFA 👀👀
👇👇
icon_hash="-1901078794"
First shells appearing in May, most recent October 21st
Live shell: /research.plu.ac.th
Extra (related): /b0ru70.github.io
ref: 👇
There's an update on this campaign
C2
#Vidar
168.119.55.206
Dropping
C2 New
#Amadey
@Viriback
hxxp://45.9.74.164/b7djSDcPcZ/index.php
Dropping
C2
#SystemBC
5.42.65.67
👇👇
The
#Stormous
ransomware is back with two new onion blogs.
They are also promoting a new affiliate program with paid and free versions, and a "PYV service" to use their blog to sell and publish data for a fee.
Stormous.X/GhostLocker
FYI it seems to be a misconfiguration on one site shared here that replaced the .zip malware download with a download of the entire web server.
So you can now take a look at .php files, admin settings and other hidden things, for FREE!!
Caution, 👇👇
One of the fancy methods used by threat actors to spread malware is using a fake software website under a common template.
This is a trend, and this week I noticed a weirdly high amount of these websites, which I haven't seen in months
Featuring
#RootTeam
,
#Redline
and others
👇👇
Interesting build being shared by
#privateloader
/185.198.57.117/sservc.exe
It is using the infected machine to brute-force ssh, ftp, php admin, wp-login and other services on gov and edu domains worldwide using TOR?
Have you ever seen that? Is this
#tofsee
?
#Risepro
Stealer is also offering a "Google Cookies Restoration" Service. 👀🍪
This would be the third stealer malware project offering this kind of service after
#Lumma
and
#Rhadamanthys
.
Today May 4th, 2024
#Lumma
Stealer added support for Windows XP in its builds.
Windows XP was released October 25th, 2001 (23 years ago)
Final exceptional end of support at April 9, 2019 (5 years ago)
Is Windows XP still a thing in today's world? 😟😟
UPDATE:
The previously seen campaign of Lumma Stealer + AMOS for macOS users via LinkedIn
is also being spread via Twitter Spam.
AMOS is using hash busting
Currently serving via
hxxp://dafu-xiaoniangao.monster/askdaskdIB/22987ggg
C2 Lumma - IB4
/nursepridespan.fun/api
Have you ever noticed that at some point malware was also distributed via compromised Twitter accounts?
I only found months old tweets with videos sharing dead Redline builds, BUT everything still up.
Also some people running affiliate download campaigns
Very poor effort
Have you ever seen a
#Rhadamanthys
panel?
#Rhadamanthys
Stealer offers a web-based panel hosted in the TOR network.
Today you will be able to see a v0.5.0 panel. Here you can see how everything looks:
(But make sure to check the analysis from
@hasherezade
first!)
1/3 👇
#Rhadamanthys
stealer keeps evolving.
In our new blog,
@hasherezade
takes you on a deep dive into version 0.5.0, layer by layer, discovering new features and techniques.
While web location of the panel remains undiscovered, the main panel used by
#Lumma
stealer developers and staff achieved astonishing results since the major update (June 2023)
At 09/09, 478.690 victims were infected by Lumma only by those individuals, in 10 campaigns.
👇👇👇
@elhackernet
Lockbit suffered a DDoS in August, after the Entrust leak, that kept its infrastructure down for a couple of days.
The attack didn't slow anything down and seems to have strengthened the group's criminal tactics...
If you're looking to trigger something similar, you already know the consequences
From the same creator,
#Umbral
Stealer () being shared on malicious Github Accounts sharing Microsoft Office cracks
910a5896b1488769e91e985b0dbba73f
f77cd86cb44f7d53e84fb258115b2374
Fake downloads of games are a serious threat to the whole Internet , especially when malware or abusive spam is involved.
I was able to talk to threat actors and victims about this.
A threat hunting journey with the help of
@Malcoreio
!
Read it on 👇👇👀
One of the first things I see on this update is a new look for Lumma C2s.
Now they will be showing another poem from "Шарль Бодлер" Charles Baudelaire
CHARLES BAUDELAIRE, "FLOWERS OF EVIL", VERSE 29
C2
#Lumma
Stealer
/gaspatchommm.fun/
/blockbeerman.fun/
So fancy Russians
Here come the new updates for
#LummaC2
(14.09)
✅ New communication protocol with the server
✅ 11 randomized servers and they will be constantly changing
Would be nice to see some new samples 😅
Seems like there have been some irl defacements of billboards around the world in support of Palestine and claimed by CasperSecurity
@vxunderground
@malwrhunterteam
Guys out there have seen too much Watch Dogs 😭
Reports in Indonesia, Albania, Mexico, Malaysia and Italy
Fake
#GtaVI
downloads being promoted via Twitter Ads
Spreading
#Lumma
+
#AMOS
Stealer
Windows
/sergiocostantino.com/temp/Gta6Alpha.zip
Mac (FUD 2/56)
/codeelectron.com/upload/gta6alpha_launcher.dmg
Lumma ID -> TRNGVa--gads
self-games[.]com
self-games[.]pw
seen on YT
Distribution of
#Redline
Stealer via fake software installs
C2 ⚙️
#Redline
104.193.255.48
get-vbs[.]com
is dropping Redline binaries via wget,
redirect from
vbs1[.]pw
vbs2[.]pw
vbs3[.]pw
👇👇