Who said what
@g0njxa
Followers
2,042
Following
189
Media
617
Statuses
2,351
qui fa lo que pot no esta obligat a mes | objetivo 2028 | Bad Student, enthusiast, more likely than an expert DMs are open, feel free to reach! 😼☂️🟣🍇👾
Valencia, Spain 🇪🇸
Joined January 2023
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
PondPhuwin WeAre EP10
• 244405 Tweets
#해차니_생일_와떠여
• 144566 Tweets
D-Day
• 82733 Tweets
Janones
• 64530 Tweets
Star Wars
• 60146 Tweets
NEVER LET GO D-1
• 44176 Tweets
Nikolas
• 41125 Tweets
Rachadinha
• 39802 Tweets
Día Mundial del Medio Ambiente
• 32369 Tweets
対象の3作品
• 31220 Tweets
Meral Akşener
• 27830 Tweets
Conselho de Ética
• 22493 Tweets
James Biden
• 22382 Tweets
Jim Crow
• 21838 Tweets
Lauryn
• 19516 Tweets
Giovanni van Bronckhorst
• 16987 Tweets
Birx
• 15838 Tweets
Byron Donalds
• 15594 Tweets
EL X VENIR 6 MILLONES
• 13448 Tweets
Paolini
• 11849 Tweets
Hochul
• 11358 Tweets
Sabalenka
• 10697 Tweets
Rosalinda López Hernández
• 10078 Tweets
Pinned Tweet
In the past weeks I interviewed the staff from the major infostealers projects, a total of 7: Lumma,Raccoon,Meduza,Vidar,Amadey,StealC,Meta.
Below you will find a short summary of this series that ends today, and also the ones who refused to talk.
👀👇
5
20
76
I mean... Dont let your archive be exposed to the public. 😅😅
#opendir
http://77.91.68.78/lend/
Redline, Lumma, Warzone RAT, Meduza Stealer, Povertystealer, Formbook, Raccoon, AsyncRAT, Rhadamanthys, Smoke Loader, WhiteSnake &
a miner on hashvault
0
2
14
5
44
178
#Raccoon
Stealer has been observed using a new User-Agent: GunnaWunnaBlueTips, since at least 05-13
hxxps://telegra.ph/WareHacks-Soft-04-22
C2 ⚙️
#RacconV2
#Recordbreaker
37.220.87.66
45.9.74.99
UA: GunnaWunnaBlueTips
@crep1x
🙌
👇👇
3
32
88
Anonfiles, one of the major free file storage providers that existed in the past years, has announced the end of its service and domain is now for sale
@vxunderground
RIP anonfiles :(
2
29
68
#Raccoon
Stealer has been spotted with an update!
New user agent: DuckTales
C2⚙️
#Recordbreaker
#RaccoonV2
94.142.138.74 🇷🇺
Build is from June 19th
@Gi7w0rm
@crep1x
👇👇
4
40
67
#Rhadamanthys
Stealer being spread via fake KMSPico downloads
/kms-full.com/install.php > /kms-product.eu > /kms-product.pro > DropBox
Loaded from /176.113.115.224:6230/3178c
C2: 185.130.226.143:6575
Detonation:
3
23
64
The infamous
#Rhadamanthys
Stealer has been banned from XSS forum after failing to provide protection to CIS countries people.
Rhadamanthys was used against Russian military infrastructure (), also by some fellow traffers guys...
🫂🫡
3
18
66
I recently made an interview with
#Lumma
Stealer staff.
Just a brief talk :)
They want to say Hello, to all of us. The malware project is near to the 1st Anniversary, it's time to dive into Lumma 🕊️
Read it at:
3
18
62
I made a little interview with
#Meduza
Stealer staff.
The "Immaculate" stealer and heir to Aurora's (RIP) legacy shared a little time talking about his product.
Take a look at:
4
15
60
You can also track the latest
#Qakbot
c2 servers with
@fofabot
jarm="21d14d00021d21d21c42d43d0000007abc6200da92c2a1b69c0a56366cbe21" && header_hash="480868286"
👇👇👇👇
🔥I have some certainty that these hunting rules would help identify command and control servers.
Shodan:
Censys:
#Qakbot
2
10
55
2
15
60
#Rhadamanthys
stealer is now offering a similar service than
#Lumma
: 👀
Restoration of expired Google sessions
0
20
58
#Lumma
Stealer implemented a bot protection system, "pre-trained on screenshots of known virtual machines" 2 months ago.
They now claim to have detected 483k bots avoiding 68k "garbage logs", reducing usage of HDDs and helping the world to become cleaner with less CO2 emissions
3
16
56
Introducing
#Amadey
Botnet v4, as seen in newly PrivateLoader Campaigns.
http://77.91.97.162/g93kdwj3S/Login.php
So far, a new GUI has been discovered and URLs are now 2 chars longer
Traffic cc
@Jane_0sint
NEW v4
OLD v3
1
18
53
Yayy!! 🦝
#RaccoonV2
#recordbreaker
Stealer updated its user-agent.
Seen via
#Lgoogloader
being distributed on
#PrivateLoader
campaigns
New UA: Xmlst
C2: 77.246.102[.]57
@NexusFuzzy
@Gi7w0rm
👇👇 raccoon v2.3.0 is live 🦝
3
12
50
Something new has been spotted on YT
#Redline
and
#Ransomware
MAD HAT
#MADHAT
Ransom is $50 , so honest price to "protect" a data already stolen by Redline 😅
@AnFam17
@Gi7w0rm
@Jane_0sint
👇👇
0
24
48
Following the ban on XSS forum, Lockbit profile has also been banned from Exploit.
reason: Ripper
LockbitSupp has been banned from XSS forum for not paying the 10% as requested by the admin.
cc:
@Jon__DiMaggio
@ddd1ms
@3xp0rtblog
@AShukuhi
@vxunderground
@Cyberknow20
@uuallan
@BrettCallow
@BushidoToken
10
41
155
4
12
51
I made an interview with
#StealC
stealer owner,
We talked about his malware project, and he "wishes us good luck" in our hunting.
Please read it at:👀👇
1
14
50
Seems like now
#infostealers
found a way to collect valuable information from Mozilla-based browsers extensions.
This are new features on some known Stealers, firstly reported by
#Lumma
Stealer at mid April and followed, for example, by
#ACR
Stealer and
#Vidar
at the moment
👇
3
25
50
So this seems to be something new spotted on YT!
#Root
Team Stealer
Uploading logs at temp linx server
http://5.42.66.26/
(Same behaviour as for example Darth Project Stealer)
Sandbox log:
http://5.42.66.26/mk7nl8q3y3.zip
👇👇
4
16
47
I made an interview with
#Vidar
staff,
The infamous Vidar stealer (at its 5th Anniversary) and I had a little talk about his malware project.
They say that "there is no need to hold a grudge against us"...
Read it at: 👇👇
0
12
48
I made an interview with
#Recordbreaker
Stealer staff.
Not many questions, just asking things about Raccoon Stealer.
Will "MrBidenNeverKnow" be the next User Agent that we will find on this stealer?
Take a look at: 🦝🦝🦝🦝
5
24
48
Have you ever heard about
#Dracula
stealer?
Sample:
C2 - 195.10.205.74:1953
Detonation:
ping
@RussianPanda9xx
@Jane_0sint
7
13
46
If you didn't noticed, some websites involved with
#ClearFake
#FakeUpdates
campaigns seems to be sending download records to a Telegram Bot, forwarded to a Group.
46.255.201.42 - CN authenticprod[.]fr
styktraffred - Group Name
applemalicalo_bot - Bot user
0
14
45
Yayyy!!!!
#Raccoon
Stealer aka
#recordbreaker
has been updated. ☀️🌄🌕👀
I'm updating the User-Agents and Official Announcements Chart.
@Gi7w0rm
@crep1x
Hunt the raccoon!!! 🦝🦝🎯🎯
Thanks,
@suyog41
2
13
44
Privateloader Rewind 2023 ⏳
+1 million unique installs in 2023🎯
A humble blog about the InstallsKey PPI service. Profiling customers, the sources of their installations and the service itself!
Also available at /t.me/privateloader (🇺🇲&🇷🇺)
👇🏻👇🏻
1
20
44
US, Canada, UK and Australia websites are compromised to serve Fortnite Spam (again)
At first, TA seems to be abusing Kentico CMS Media libraries.
Compromised websites includes Bing Blogs, Credit Unions, Medical Institutions and NGO's
See full list!
3
14
42
#WhiteSnake
Stealer is now releasing an update featuring Google Cookies restoration 🍪👀
Same features after
#Lumma
,
#Rhadamanthys
,
#Risepro
,
#Meduza
,
#Stealc
Anyone else?😂
1
12
42
Ironhost IO - BulletProof Servers
joined the PrivateLoader campaign serving as a c2 since 1st November.
91.92.243.151 - ironhost[.]io
Need a fast and reliable bulletproof server? Do not wait!
1
4
42
Have you ever wondered what is going on with Vietnamese 🇻🇳 malware targeting Facebook accounts?
I did, so you can get a quick overview of these threat actors activities and how they are spending (and earning) millions of $$$
Read now! 👇👀
#dropshipping
4
13
42
What kind of Stealer is this? Something new?
C2 ⚙️
94.142.138.97/Up
I think this stealer likes browser cookies the most
Take a look!
👇👇
5
14
40
Fresh
#BlankGrabber
Python stealer () being shared on Youtube targeting users via fake Valorant Cheats.
be578842ae7a7d0b51f20bac551645a6
log password "baim123" 👇👇
1
6
40
#Lumma
Stealer updated its capabilities recently.
It now has the ability to load other files while executing main stealer and self deletion after that
This behavior is common on other stealers like
#Vidar
or
#recordbreaker
, loading crypto clippers like
#laplas
.
Very active.
4
22
40
⚠️Watch out fake AV websites sharing malware
#Spynote
(for android)
/avast-securedownload.com
@Avast
#Lumma
Stealer
/bitdefender-app.com
@Bitdefender
#StealC
(via Buer Loader?)
/malwarebytes.pro
@Malwarebytes
samples and detonations below 👀
2
14
39
An unkown
#stealer
has been spotted on YT!
C2 ⚙️
http://146.71.81.144/
Cookie Stealer, File Grabber, Crypto wallets, Password managers and Screenshoots, everything POST to C2
Take a look!👇👇 Just uploaded to VT
3
13
38
Let's discover one of the "youngest" infostealers traffers teams playing bad around...
Ghostbusters aka MMM Team 👻
+70k victims recorded in less than a year with +100 members disclosed, still active 👀
Absolute customization of builds and more!!
🪙👇
1
14
39
FYI, Last updates:
Ⓜ️META - 4.5.1 (Mar 12)
📈RedLine - 30 (Feb 22)
🕊️Lumma - Apr 10
🦝Raccoon - 2.3.1.1 (⌛️?💀)
🔱Vidar - 9 (Apr 10)
⚓️StealC - 1.8.1 (Feb 23)
🐍 Meduza - 2.5.1 (Apr 3)
🤍WhiteSnake - 1.6.1.9 (Mar 20)
🐉Rhadamanthys - 0.6.0 (Feb 17)
☣️Amadey - 4.19.2 (Apr 8)
0
4
39
More live
#Clearfake
!
This is not about RU, this is China! 🇨🇳🇨🇳
Search on
@fofabot
title="Google Chrome 网络浏览器"
Examples:
/www.updateload.live/
/ggsdown.top
/update.chrome-up.com/
/y13xlt1d.xyz/
/url.drvceo.com
/kcdq78.fit
Check samples!
2
12
37
The infamous Raccoon stealer 🦝 has not been updated for long months and the activity in the wild has dropped (Talking about me I see no more Raccoon)
Asked his staff, seems like the old coder left and there's a new one working on, so we must expect new updates soon!
👇⚙️
0
7
37
hxxp://bratzen.duckdns.org/byte/
#Opendir
Unknown
#loader
Hosting unkown payloads as a Comercial Loader for malware distribution.
Stored as .txt with the client TG username.
Seen on
#PrivateLoader
campaigns
1
11
36
Watch out Dynamics 365 *.microsoftcrmportals domains, abused at the "free vbucks" SEO poisoning campaign 🙄
/osvolunteers.microsoftcrmportals.com
/fms.microsoftcrmportals.com
/indspire.microsoftcrmportals.com
/ecosoft.microsoftcrmportals.com
/bggtscsp.microsoftcrmportals.com
0
5
35
#Amadey
is back on Privateloader campaigns after some days of inactivity.
Loaded via
#opendir
(LgoogLoader)
/85.217.144.143/files/
new C2 panel ⚙️
http://193.42.32.29/9bDc8sQ/Login.php
Still not fixed, patch it NOW!
@evstykas
Full detonation: 👇👇
1
9
35
Hunting
#Clearfake
with
@fofabot
fid="QddxtK34KUI1XP5ujfy5bw=="
Track the latest compromised domains
/altenara.com
/doolittles.be
/easymall.co.th
/megacarwreckers.com.au
/filmovita.ba
/staging.armipour.com
/or-and.com
/esmito.com
/sistemajogodobicho.com
There should be more!
1
8
35
#Meta
Stealer just got updated to v4.3
So it seems like malware developers are now using AI to sign builds in order to avoid detections?
@NexusFuzzy
I believe the same updates will be seen on Redline soon, as usual.
Check everything 👇🏻👀
2
14
35
Track
#HookBot
panels with
@fofabot
fid="8ZfqDfBADcCVT8Cf796SUg=="
recent ones (Novemeber):
/bravevikingser.xyz
/91.92.249.18
/20.39.184.218
/161.35.235.125
/178.23.190.21
/87.98.185.14
/199.101.135.49
/94.156.64.181
/91.92.245.80
/91.215.85.153
more!
1
11
33
Something crazy is now being pushed by
#Privateloader
opens a pop-up window with a Microsoft error and a QR Code.
/pcrrent.com (Microsoft phishing) 🇨🇳??
Financial information is asked and exfiltrated via POST to /pcrrent.com/index.php
Full Detonation:
1
13
33
#FAKEUPDATES
live update
/88.99.105.167
/63.141.252.148
/51.38.115.103
/paolomorettifurs.com/temp/EngineChromium.zip
Drops from
#opendir
/77.105.147.44/river/strit/wantworkerpro.zip
#Purelogs
Stealer
185.138.164.41:7705
Detonation 👇👇
1
12
33
@1ZRR4H
Some similar obfuscator is
Samples are detected as Little-endian UTF-16 so it can be a possibility
0
3
33
#opendir
Lumma Stealer
/167.88.160.150/ps143m/
loaded by steganography
Steg:
hxxps://i.ibb.co/kgZ7SgM/Graphics-Card-PCB-Assembly-Final.jpg
C2:⚙️
firmpanacewa[.]fun
👇👇
0
7
32
After a long search, a build of the
#Vega
Stealer v2 has been found.
@suyog41
@Jane_0sint
41b8caca7e2c1ec36c2528fcd6a3f334
Log at C:\Users\<user>\AppData\Local\SystemFiles\
👇👇
3
7
30
Meet Chenlun , a worldwide phishing & carding campaigns provider
A community around a developer of rental products, with thousands of pishing victims, specialized on smishing attacks and looking for Credit Card Information
👇👇 Check it now!
4
14
30
New Amadey Update, just to "get ride of some detections".
Fresh C2s from our beloved
#Privateloader
👀
v4.03 is out!
/167.235.20.126/bjdm32DP/index.php
v4.02
/185.196.8.176/7jshasdS/index.php
Full detonation 👇👇
If
#Amadey
keeps updating, we keep tracking it!
v4.02 is out
From /193.42.33.7/newumma.exe
C2
http://193.42.33.7/mbSDvj3/index.php
Via
#PrivateLoader
, you can check the full detonation of it :)
0
9
29
1
3
30
2
11
29
#44caliber
is an open-source Stealer (hxxps://github.com/razexgod/44CALIBER) that relies on Discord Webhook as an exfiltration method of victim's information.
Seen back in 2021 and 2022, now it has been observed again at Youtube campaigns targeting Russian-based users
👇👇👀
2
10
29
stealerskymtni3tiagmx3pqktjgkm2iigwj6e2touws773emrfjvoyd[.]onion
#Rhadamanthys
Stealer Official Page on the underground
They even got a wiki page
rhadwikiwwzr6sfzygsr3qh7lwu5ghnaoupxwpsj2xuxjcgcebikh7id[.]onion
And some "media publicity" 😂
@SentinelOne
@proofpoint
@zscaler
🔍 Update in Malware Trends Tracker:
#Rhadamanthys
!
This
#stealer
is equipped with lots of features — including very unusual ones. Rising popularity makes it a notable
#cybersecurity
concern.
Dive into the Rhadamanthys overview and samples here 👇
0
7
13
0
10
29
#Amadey
updates on the v4.1 (4.11, 4.12 and 4.13)
Featuring:
Support for Psi+ XMPP client has been added to the stealer module.
Implementation of Reverse Proxy on the panel
Hundred small changes in EXE files
Check some IOCs 👇👇
1
4
19
0
11
29
If
#Amadey
keeps updating, we keep tracking it!
v4.02 is out
From /193.42.33.7/newumma.exe
C2
http://193.42.33.7/mbSDvj3/index.php
Via
#PrivateLoader
, you can check the full detonation of it :)
The release of Amadey v4 was set to October 8th, 2023.
That was the 5th anniversary of the malware project, I kindly want to congratulate it for being a pain in the ass all these years. 🥳🥳🥳
How many years it will last?
Amadey - Hancintor - Hynamer - more AV names
OLD pics
1
4
19
0
9
29
#Meta
Stealer just announced one of the biggest updates in his entire operation time.
Meta Stealer v4.0:
New information exfiltrated from the victim host
New build encryption
New structure of requests between build & panel
More!
Time to 👀
Read the full changelog below:😅😅😅
Checkout my writeup on
#MetaStealer
👾 It's not to be confused with
#RedlineStealer
!
Big thanks to
@cod3nym
for the review!
11
69
189
1
5
28
Tracking the activity of Alfa Team with FOFA 👀👀
👇👇
icon_hash="-1901078794"
First shells appearing on May, most recent October 21th
Live shell: /research.plu.ac.th
Extra (related): /b0ru70.github.io
ref: 👇
📌 Solevisible / ALFA TEAM
🔗
#OpenDir
: 139.59.113[.]146
💻 Panel: 139.59.113[.]146/lol.php
In the files, I found scripts containing
#Metasploit
.
@digitalocean
, please take a look :)
CC:
@500mk500
@NexusFuzzy
@g0njxa
4
6
41
1
14
27
The
#Stormous
ransomware is back with two new onion blogs.
They also promoting a new affiliate program with paid and free versions, and a "PYV service" to use their blog to sell and publish data on a fee.
Stormous.X/GhostLocker
2
9
27
FYI it seems to be a misconfiguration on one site shared here that replaced .zip malware download into a download of the entire web server.
So you can now take a look on .php files, admin settings and other hidden things, for FREE!!
Caution, 👇👇
2
6
27
Hunting
#Socks5Systemz
panels rel. to
#TeamSpy
with FOFA
title=="Phichichi" && fid="hC3Y75PtrHXEGYlvOGjMNw=="
/185.141.63.172/auth.php
/109.236.85.145/auth.php
/193.242.211.141/auth.php
/109.230.199.181/auth.php
/212.8.242.211/auth.php
dead panel
/178.32.216.234/
@ViriBack
1
4
25
Interesting build being shared by
#privateloader
/185.198.57.117/sservc.exe
That is using infected machine to brute ssh, ftp, php admin, wp-login and other services from gov and edu domains worldwide using TOR?
Have you ever seen that? Is this
#tofsee
?
0
11
26
Go hunt
#MetaStealer
!
Submit IOCs to
@abuse_ch
Meta is not Redline!!!
12 new OPEN, 12 new PRO (12 + 0) TA444, MetaStealer, LNK/imageres, TA422, ClearFake, Win32/Agent.UAF
Thanks
@AnFam17
,
@g0njxa
,
@StopMalvertisin
0
1
6
2
4
27
#Risepro
Stealer is also offering a "Google Cookies Restoration" Service. 👀🍪
This would be the third stealer malware project offering this kind of service after
#Lumma
and
#Rhadamanthys
.
#Rhadamanthys
stealer is now offering a similar service than
#Lumma
: 👀
Restoration of expired Google sessions
0
20
58
1
8
25
UPDATE:
The previosly seen campaign of Lumma Stealer + AMOS for MacOS users via Linkedin,
is also being spread via Twitter Spam.
AMOS is using hash busting
Currently serving via
hxxp://dafu-xiaoniangao.monster/askdaskdIB/22987ggg
C2 Lumma - IB4
/nursepridespan.fun/api
Do you ever noticed that at some point malware was also distributed via Twitter compromised accounts?
I only found months old tweets with videos sharing dead Redline builds, BUT everything still up.
Also some people running affiliate download campaigns
Very poor effort
0
3
5
1
9
25
Have you ever seen a
#Rhadamanthys
panel?
#Rhadamanthys
Stealer offers a web-based panel hosted in the TOR network.
Today you will be able to see a v0.5.0 panel. Here you can see how everything looks:
(But make sure to check the analysis from
@hasherezade
first!)
1/3 👇
#Rhadamanthys
stealer keeps evolving.
In our new blog,
@hasherezade
takes you on a deep dive into version 0.5.0, layer by layer, discovering new features and techniques.
5
66
142
1
5
24
#Mystic
Stealer is now being dropped by
#PrivateLoader
via
#Smoke
Loader
C2⚙️
#Mystic
Stealer
109.248.206.137
Panel at 109.248.206.137/login
👇👇
0
10
25
Nvm, here's the login panel
#Lumma
Stealer
hxxp://seobrokerstv.fun/login
188.114.96.3
While web location of the panel remains undiscovered, the main panel used by
#Lumma
stealer developers and staff achieved astonishing results since the major update (June 2023)
At 09/09, 478.690 victims were infected by Lumma only by those individuals, in 10 campaigns.
👇👇👇
3
9
21
3
3
24
@elhackernet
Lockbit sufrio un DDOS en agosto despues de la filtracion de Entrust que mantuvo su infrastructura caida por un par de dias.
El ataque no frenó nada y parece que fortalecio las tacticas criminales del grupo...
Si buscan desencadenar algo parecido, ya saben las consecuencias
1
1
24
From the same creator,
#Umbral
Stealer () being shared on malicious Github Accounts sharing Microsoft Office cracks
910a5896b1488769e91e985b0dbba73f
f77cd86cb44f7d53e84fb258115b2374
Fresh
#BlankGrabber
Python stealer () being shared on Youtube targeting users via fake Valorant Cheats.
be578842ae7a7d0b51f20bac551645a6
log password "baim123" 👇👇
1
6
40
0
7
24
Fake downloads of games are a serious threat to the whole Internet , especially when malware or abusive spam is involved.
I was able to talk to threat actors and victims about this.
A threat hunting journey with the help of
@Malcoreio
!
Read it on 👇👇👀
2
7
25
One of the first things i see on this update is a new look for Lumma C2s.
Now they will be showing another poetry from "Шарль Бодлер" Charles Baudelaire
CHARLES BAUDELAIRE, "FLOWERS OF EVIL", VERSE 29
C2
#Lumma
Stealer
/gaspatchommm.fun/
/blockbeerman.fun/
So fancy russians
Here come the new updates for
#LummaC2
(14.09)
✅ New communication protocol with the server
✅ 11 randomized servers and they will be constantly changing
Would be nice to see some new samples 😅
1
8
39
1
4
24
Seems like there have been some irl defacements of billboards around the world in support of Palestine and claimed by CasperSecurity
@vxunderground
@malwrhunterteam
Guys out there have seen too much Watch Dogs 😭
Reports on Indonesia, Albania, Mexico, Malaysia and Italia
3
12
22
Seen on YT
C2⚙️
#Collector
Stealer
f0837288.xsph[.]ru
Exfiltration via /collect.php
Uploaded to VT (crashed at anyrun)
👇👇
2
7
23
"Reputation takes a lifetime to build, but seconds to destroy"
LockbitSupp has been banned from XSS forum for not paying the 10% as requested by the admin.
cc:
@Jon__DiMaggio
@ddd1ms
@3xp0rtblog
@AShukuhi
@vxunderground
@Cyberknow20
@uuallan
@BrettCallow
@BushidoToken
10
41
155
2
6
24
