🛑 Heads-up: #num2words v0.5.15 (just dropped on PyPI) may be #compromised. Early signs probably link it to #Scavenger, the same threat actor behind previous software supply chain intrusions. @MalwareUtkonos @cyb3rjerry @InvokeReversing

@dodo_sec @1ZRR4H @Merlax_ In a new sample observed the Threat Actor changed the payload from "Powershell->WPPworm" to "Python->WPPworm". Additionally, the #Astaroth payload is delivered in an MSI file: IoC: varegjopeaks\.com

The collection has been updated with two new samples from this campaign: https://t.co/X3mS8mBEYQ 6d61d7284a81149ae6db117cbbcbac1e8ced4d762a92e57cd2c7f85f834143de 341252a437e7535f9ea8707e41f0ff2a775eddb16190eeb9f0c0f524214e4f3d Thanks for the feedback @dodo_sec #HappyHunting

@johnk3r @dodo_sec @1ZRR4H Nice find 👏 more screenshots of the c2, maybe it's used as a loader

IoC: https://t.co/TdZ5BbfObe https://t.co/X3mS8mBEYQ #HappyHunting

One analyzed C2 shows ~2,000 potential victims @dodo_sec @1ZRR4H @Merlax_

Stage 3: LNK dropper that downloads known #Astaroth payloads (AutoIt).

Stage 1: Obfuscated VBS — language checks, host fingerprinting, and C2 retrieval (some samples pull C2 via hardcoded IMAP). Stage 2: WhatsApp session hijack — malware copies the browser data folder; if unauthenticated it displays the WhatsApp QR for login.

Brazilian threat actors are abusing WhatsApp to spread banker trojans. The actor behind the infamous #Astaroth/#Guildma runs a 3-stage campaign: obf VBS →WhatsApp session hijack → LNK dropper → Astaroth(AutoIt) Note: days ago the same technique delivered Maverick (.NET). 1/4

Just shared the final stages of this threat on MalwareBazaar — a related article is available below: https://t.co/GnAlz2kb9p https://t.co/k4eu3eYXH3 #HappyReversing #maverick @JAMESWT_WT @smica83

The previous link has expired [MyBad]. Here's the new link with new insights and IoC: https://t.co/fAfp7pzD4K #HappyHunting #Banker #Fraud #LATAM

Targets extracted from the "Maverick.StageTwo :: MonitorBrowserUrl" module. Logic: b64 → AES-256-CBC (PKCS7) decrypt → GZip decompress → JSON (domains → index). https://t.co/DtlM2fypS5

IoC: sorvetenopote\.com/api/itbi/startup/ casadecampoamazonas\.com MaverickZapBot2025SecretKey12345 🧐

#Banker malware observed with two modules — Maverick.StageTwo and Maverick.Agent — spreading via WhatsApp. Victims receive links/files leading to a stager that abuses UI Automation to grab browser URLs and load payloads in memory. #Coyote? @TomerPeled92 1/2

#BQTLock? #MILITARY APT INFECTION DETECTED - LEVEL: STATE SPONSORED 🧐🧐 p://military-apt\.onion https://t.co/GssT41Q1jz @RexorVc0

ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8 [wsftprm.sys - Topaz OFD - PM]

3/3 Samples: 79f560a1677f983ad3ffaca8ff00b8351b9a54f98d0a7d82d4aea6d043696e5d [cartel.exe] 29f275382b0c14c068bb40385c1ed43aa08ab0e2785c2d7efc10510cd6c11c7f [lazarus.exe] #HappyHunting

To debug the driver I used #Radare + #Malcat. Here are the main functions of this vulnerable driver: 0x14000264c | 0x140002848 | 0x1400029b0 Ref.: https://t.co/a0YOSk5R3s 2/3

Observed threat actor abusing a vulnerable driver (wsftprm.sys, Topaz OFD – Brazilian antifraud vendor, #CVE-2023-52271) for defense evasion. Attack chain: cartel.exe → vulnerable driver → Lazarus.exe (final payload, extension ".cry"). First seen in Colombia. 1/3

In the last few days, a global Password Spraying campaign has been targeting EntraID, more precisely the legacy app 'Windows Live Custom Domains', via IPv6. Strengthen defenses with Conditional Access 🔐. https://t.co/lJ9ThW2MBU

#Mosquito resurgence — updated downloader, C2 shifted to WebSocket, but reuse of UAC & PDB quirks aids attribution. Targets: ~40 orgs in BR & US. IoCs: mku9j[.]com bdeunlock[.]exe Ref.: https://t.co/cbR2EGG1SV #Fraud #Banker