ThreatDown (@Threat_Down)
18,107 Followers · 8 Following · 863 Media · 1,346 Statuses

No complexity, just security. We overpower threats and empower IT to cover every stage of an attack, and every size of business.

Santa Clara · Joined August 2019

Pinned Tweet
ThreatDown (@Threat_Down) · 10 months
🛡️ Overpower threats. Empower IT. Built on years of malware detection and remediation, ThreatDown, powered by Malwarebytes, offers best-in-class endpoint security designed to take threats down, take complexity down, and take costs down. Learn more.

ThreatDown (@Threat_Down) · 3 years
Today at 1:00 PM, our #Emotet-infected machine that had received the special law enforcement file triggered its uninstallation routine. More details here:

ThreatDown (@Threat_Down) · 3 years
ℹ️ Malwarebytes' CrackMe returns! Designed by @hasherezade, a Capture-The-Flag type of task featuring techniques from real-life malware. 2 tracks, 3 winners for each: ➡️ Fastest to solve ➡️ Best write-up. Stay tuned for the details and link this Friday (Oct. 29).

ThreatDown (@Threat_Down) · 4 years
URLs can be deceiving, but the one used to mimic CloudFlare's Rocket Loader in the latest #Magecart attack takes it to a whole new level.

ThreatDown (@Threat_Down) · 3 years
A #malspam campaign is taking advantage of the Kaseya VSA #ransomware attack to drop #CobaltStrike. It contains an attachment named "SecurityUpdates.exe" as well as a link pretending to be a security update from Microsoft to patch the Kaseya vulnerability!

ThreatDown (@Threat_Down) · 2 years
🚨 We detected a major malvertising campaign abusing Google Ads. ➡️ Stay tuned for our full report on this campaign.

ThreatDown (@Threat_Down) · 4 years
More details about the "law enforcement file" pushed via the #Emotet botnet that removes the malware on April 25, 2021. Read our analysis here:

ThreatDown (@Threat_Down) · 4 years
We are checking on the #Emotet 'cleanup binary'. It seems the actual date to trigger the uninstall routine is April 25. More details to come. /cc @campuscodi @LawrenceAbrams

ThreatDown (@Threat_Down) · 2 years
ℹ️ The #Conti ransomware leaks are a true gold mine of information. 🚨 Remember to be careful when downloading files, as the AnonFiles website is pushing bogus extensions, VPNs, etc. Some #malvertising domains: freychang[.]fun mpanyinady[.]com sfultraight[.]xyz atexceede[.]com

ThreatDown (@Threat_Down) · 2 years
#Saitama backdoor: abusing DNS for C2 communications

ThreatDown (@Threat_Down) · 3 years
#FakeCertificate campaign via compromised IIS sites. Payload (TVRAT) 223d8c94877ac7e689733ab7131b749393c7570c2653cd1955f5cb2b4d68deae

ThreatDown (@Threat_Down) · 3 years
obj_31337 skimmer via bootstrap2[.]xyz. Malicious JavaScript is hidden within victim's own logo. #Magecart

ThreatDown (@Threat_Down) · 3 years
Microsoft Edge traffic from South Korea 🇰🇷 redirecting to #MagnitudeEK with social engineering scheme to deliver #Magniber ransomware.

ThreatDown (@Threat_Down) · 3 years
🚨 #UnderminerEK exploiting Google Chrome (CVE-2021-21224) and dropping #Amadey. cc @nao_sec ℹ️ As previously reported by @AvastThreatLabs, there are now 2 active exploit kits targeting Chrome.

ThreatDown (@Threat_Down) · 3 years
The CrackMe challenge is on, good luck to everyone!
> ThreatDown (@Threat_Down) · 3 years
> ℹ️ Malwarebytes' CrackMe returns! Designed by @hasherezade, a Capture-The-Flag type of task featuring techniques from real-life malware. 2 tracks, 3 winners for each: ➡️ Fastest to solve ➡️ Best write-up. Stay tuned for the details and link this Friday (Oct. 29).

ThreatDown (@Threat_Down) · 3 years
ℹ️ Our latest blog covers #Lazarus Group in their most recent campaign. 🚨 New techniques 🚨 ➡️ KernelCallbackTable to hijack control flow and shellcode execution ➡️ Windows Update client for malicious code execution ➡️ GitHub for C2 communication

ThreatDown (@Threat_Down) · 4 years
We did a quick review of the ransomware samples thought to be tied to the recent Honda and Enel cyber incidents. #SNAKE #EKANS #Ransomware

ThreatDown (@Threat_Down) · 4 years
Retrohunting #APT37: North Korean APT used a VBA self-decode technique to inject #RokRat

ThreatDown (@Threat_Down) · 4 years
Official Canadian @zippo website compromised with credit card skimmer. - zippo[.]ca is running WordPress and WooCommerce - skimmer hiding as fake jQuery script - exfiltration via vetality[.]site/gate.php @urlscanio evidence:

ThreatDown (@Threat_Down) · 4 years
Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files #Magecart #WebSkimming

ThreatDown (@Threat_Down) · 2 years
Three groups accounted for 60% of known ransomware leaks in April.

ThreatDown (@Threat_Down) · 3 years
New #Dridex #malspam: Email -> Contains Excel file -> Drops XSL file -> Creates a scheduled Task -> Calls Mshta.exe to execute XSL file by calling WMIC.exe -> Executes #Dridex payload using Rundll32.exe Maldocs: ea3cc91ae1d7da1d5509530560f69f30 0e0c3c9cea7e59a5aee7a7ab2dd03eb2

ThreatDown (@Threat_Down) · 3 years
ℹ️ New blog: Lazarus APT conceals malicious code within BMP image to drop its RAT Research by @h2jazi #APT #Lazarus

ThreatDown (@Threat_Down) · 2 years
🚨 Our latest blog covers #APT28's first shot at leveraging the #Follina vulnerability to target Ukraine, amid fears of nuclear war.

ThreatDown (@Threat_Down) · 2 years
ℹ️ We discovered a new Remote Access Trojan we call #WoodyRat used against 🇷🇺 ➡️ Distributed via lures in archive format and recently Office documents with Follina exploit. Read more about its capabilities in our blog:

ThreatDown (@Threat_Down) · 2 years
ℹ️ Our latest threat intel report covers new activity from the #Winnti #APT group in Sri Lanka ➡️ New DBoxAgent backdoor ➡️ Use of Dropbox as a C2

ThreatDown (@Threat_Down) · 4 years
#PurpleFox has been one of the most active exploit kits lately. Here's a sequence exploiting Flash Player. SWF exploit:

ThreatDown (@Threat_Down) · 3 years
🚨 #Kaseya VSA servers are under active #REvil / #Sodinokibi #ransomware attacks. ➡️ We are closely monitoring the situation and making sure our customers are protected.

ThreatDown (@Threat_Down) · 3 years
ℹ️ We identified a new Python-based RAT targeting Azerbaijan from the same threat actor we profiled a month ago in what we call the Aurora campaign. ➡️ Research by @h2jazi

ThreatDown (@Threat_Down) · 2 years
ℹ️ New blog: Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique ➡️ Rename Colibri as Get-Variable.exe inside %appdata% WindowsApps folder ➡️ Create scheduled task that starts default PowerShell every min 💡 Persistence

ThreatDown (@Threat_Down) · 3 years
#malspam campaign pretending to be #Zoom conference Invitation is pushing #TrickBot. Email -> Archive file -> Js file -> Calls PowerShell to download and execute #TrickBot Email Subject: Zoom Invite 4579881 7cc0b3da0a622175ee667dc7b4f5bc8a Zoom_Conference_Invitation_4152.zip

ThreatDown (@Threat_Down) · 2 years
ℹ️ [Blog] Google ads lead to major malvertising campaign
> ThreatDown (@Threat_Down) · 2 years
> 🚨 We detected a major malvertising campaign abusing Google Ads. ➡️ Stay tuned for our full report on this campaign.

ThreatDown (@Threat_Down) · 3 years
🚨 @Malwarebytes customers were already protected against CVE-2021-40444 (zero-day). There have been ITW attacks already, and one of the payloads is #CobaltStrike. More details in our blog:

ThreatDown (@Threat_Down) · 3 years
Ransomware targeting 🇮🇳 via malicious document. Ransom note mentions farmer protests. Document: b8756966cf478aa401a067f14eefb57f34eea127348973350b14b5b53e3eec4f Payload: acbe95f70f7d8e20781841cfd859d78575ccd36720c68b60789251a509e1194d extension .sarbloh #Sarbloh #ransomware

ThreatDown (@Threat_Down) · 3 years
ℹ️ The #Patchwork #APT exposed itself in its latest 'Ragnatela' campaign. ➡️ Read our blog post for the details:

ThreatDown (@Threat_Down) · 5 years
If you are a defender tracking online credit card skimmers, you need to watch out for these 2 tricks: steganography & WebSocket connections. A big thanks to @AffableKraut for sharing intel with the community. #Magecart #skimming

ThreatDown (@Threat_Down) · 2 years
⚠️ Fake Sublime Text website at sublimetext[.]me ➡️ Payload: #DCRat c90bd7b3e642eba0ab5a1153dde46a1c01131a773956f54801c7380ba037e6b6 ➡️ C2: h925402f[.]beget[.]tech 185.50.25[.]13

ThreatDown (@Threat_Down) · 4 years
After a noted absence, the #Gootkit banking Trojan returns en masse to hit Germany. In an interesting twist, some of the victims may receive the #REvil ransomware instead. More details in our blog:

ThreatDown (@Threat_Down) · 3 years
As demonstrated by @buffaloverflow, CVE-2021-40444 can be triggered by simply previewing an RTF document in Windows Explorer.

ThreatDown (@Threat_Down) · 3 years
It looks like #RIGEK is exploiting CVE-2021-26411 (IE vulnerability). (cc @nao_sec). Payload dropped is #Dridex 4d3dcbadf6f445272f29d6b6740f667a795eb868df091700068fb1019423a8ae

ThreatDown (@Threat_Down) · 3 years
Reminder to patch Exchange Servers to protect against #Hafnium exploits. We have detected webshells on close to 1K unique machines already.

ThreatDown (@Threat_Down) · 3 years
🚨🚨🚨 #SnakeKeylogger #Malspam The maldoc exploits CVE-2017-11882 to drop the payload. Maldoc: Purchase Order Confirmation.xlsx 296bc6bf7c16699a05193f8af55aa58b Download url (OpenDir): http://198.144.176.204/man/ava.exe Keylogger: fc137a8683575750f4ee06d368fb211b

ThreatDown (@Threat_Down) · 2 years
New C2 for #FakeUpdates / #SocGholish fluctuations[.]trendylevels[.]com 84.32.188[.]27

ThreatDown (@Threat_Down) · 3 years
🚨 New #Magecart domains on 47.254.184[.]114 (CNNIC-ALIBABA) paypal-pays[.]com jquery-migrates[.]com paypal-analitics[.]com (down)

ThreatDown (@Threat_Down) · 3 years
#TrickBot #malspam: DocuSign used as template to drop TrickBot. ➡️ Maldoc: paym_approval_8909830.xlsm 57c1b010e09e8bc0c60902468663b0fa ➡️ Download URLs: http://185.255.130.247/images/earthmap.png http://162.248.225.95/d.php ➡️ Trickbot: 259e0ba72d1aeb2653ca8a63f27580b3

ThreatDown (@Threat_Down) · 5 years
#Emotet is back.

ThreatDown (@Threat_Down) · 2 years
#Phishing email targeting USAA members, using a fake Proofpoint theme to "encrypt" its message. 1/6

ThreatDown (@Threat_Down) · 2 years
Long time no see, Underminer Exploit Kit 👋 ℹ️ Targets both IE and Chrome browsers, payload is Amadey Stealer ➡️ #UnderminerEK IP: 216.250.255[.]122 ➡️ Amadey: b3e4ddc5b9947b700ee667ee1d9cadbcfca74cd00210b0bb256981221f9fe62c en[.]eredirected[.]xyz/xC0m3/

ThreatDown (@Threat_Down) · 5 years
We break down the latest version of IcedID and describe its steganographic trick. #IcedID #IceID #BokBot

ThreatDown (@Threat_Down) · 3 years
CVV.gif uses steganography to hide a Magecart skimmer. Exfiltration: cloudflare-cdnjs[.]com Domain previously reported:
> Eric Brandel (@AffableKraut) · 3 years
> Some likely digital skimming/#magecart domains from earlier this month (2021/06/02): cdn-doubleclick[.]net chimpstatic-cdn[.]com cloudflare-cdnjs[.]com cloudflare-ssl[.]com static-doubleclick[.]com static-zdassets[.]com tatic-hotjar[.]com widget-freshworks[.]com 1/2

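The posts above on the EXIF-hosted skimmer, the skimmer hidden in the victim's own logo, and CVV.gif all rely on the same trick: script text riding inside an image file that a browser will happily serve. The following is an added example, not ThreatDown's code, of a scanner that checks an image for bytes after the format's end-of-image marker and for JavaScript-looking tokens anywhere in the file. The PNG bytes and the appended payload are constructed for the example (the payload is a placeholder, not a real skimmer); chunk CRCs are not validated, and GIF end-of-image detection is not implemented, so GIFs get the token scan only.

```javascript
// Added example, not ThreatDown's code: flag image files that carry script
// text after the end-of-image marker (PNG IEND, JPEG FFD9 EOI) or anywhere
// in the file. Sample bytes below are constructed; placeholder CRCs are not
// checked and GIF block walking is not implemented (token scan only).

const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const JS_TOKENS = ['function(', 'document.', 'eval(', 'atob(', 'fromCharCode',
  'XMLHttpRequest', 'new WebSocket', 'addEventListener'];

function detectFormat(buf) {
  if (buf.length >= 8 && buf.subarray(0, 8).equals(PNG_SIG)) return 'png';
  if (buf.length >= 2 && buf[0] === 0xff && buf[1] === 0xd8) return 'jpeg';
  if (buf.length >= 3 && buf.subarray(0, 3).toString('latin1') === 'GIF') return 'gif';
  return 'unknown';
}

// Offset just past the format's end-of-image marker, or -1 if not determinable
function imageEndOffset(buf, format) {
  if (format === 'png') {
    const i = buf.indexOf(Buffer.from('IEND', 'latin1'));
    return i === -1 ? -1 : i + 4 + 4;           // chunk type + 4-byte CRC
  }
  if (format === 'jpeg') {
    // In entropy-coded data 0xFF is always stuffed (FF00) or a restart marker,
    // so the last FFD9 is the real EOI even when an EXIF thumbnail has its own.
    const i = buf.lastIndexOf(Buffer.from([0xff, 0xd9]));
    return i === -1 ? -1 : i + 2;
  }
  return -1;
}

function scanImage(buf) {
  const format = detectFormat(buf);
  const end = imageEndOffset(buf, format);
  const trailingBytes = end === -1 ? 0 : Math.max(0, buf.length - end);
  const text = buf.toString('latin1');          // byte-preserving view for the token search
  const tokensFound = JS_TOKENS.filter((t) => text.includes(t));
  // Trailing bytes alone are low confidence (some tools pad); with script
  // tokens present they are a strong signal.
  const suspicious = tokensFound.length > 0 || trailingBytes > 0;
  return { format, trailingBytes, tokensFound, suspicious };
}

// --- constructed sample: a minimal PNG with placeholder (unchecked) CRCs
function pngChunk(type, data) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(data.length);
  return Buffer.concat([len, Buffer.from(type, 'latin1'), data, Buffer.alloc(4)]);
}
const CLEAN_PNG = Buffer.concat([
  PNG_SIG,
  pngChunk('IHDR', Buffer.from([0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0])),
  pngChunk('IDAT', Buffer.from([0x78, 0x9c, 0x63, 0x60, 0x60, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01])),
  pngChunk('IEND', Buffer.alloc(0)),
]);
// Placeholder script text standing in for a skimmer, appended after IEND
const FAKE_PAYLOAD = Buffer.from(
  'var f=document.forms[0];f.addEventListener("submit",function(e){new XMLHttpRequest()});',
  'latin1');
const TAMPERED_PNG = Buffer.concat([CLEAN_PNG, FAKE_PAYLOAD]);

console.log(scanImage(CLEAN_PNG));
console.log(scanImage(TAMPERED_PNG));
```

Run it over the images a checkout page actually loads (not the whole media library) and compare against a known-good copy; the trailing-bytes check is the cheap first pass, the token list is what catches payloads that sit inside metadata segments rather than after the terminator.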
ThreatDown (@Threat_Down) · 3 years
#Dridex #malspam new maldoc template: "Microsoft Document Protection" Excel file -> Drops sct file and executes it using mshta.exe -> executes Dridex using rundll32.exe Maldocs: 3c0f480a02317e8354e8e3c05c3918f0 5d7e91a055573a70c596b58c5c7506d9 0ba7c0b5fb877d55039290fa68b6a40f

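The two Dridex posts above (Excel -> XSL -> scheduled task -> mshta -> WMIC -> rundll32, and Excel -> .sct via mshta -> rundll32) are chains of signed Windows binaries, so the detection value is in the parent-child relationships rather than in any single process. The following is an added example, not ThreatDown's code, of an ancestry check over process-creation records in the shape Sysmon Event ID 1 produces; every record, PID, path and command line is constructed for the example and nothing comes from a real host. Chains are matched as ordered subsequences of the ancestry so an intermediate cmd.exe or conhost.exe does not hide them.

```javascript
// Added example, not ThreatDown's code. Ancestry check over constructed
// Sysmon-style process-creation records, flagging the LOLBin chains from the
// Dridex posts. All PIDs, paths and command lines are made up.

const EVENTS = [
  { pid: 100, ppid: 1,   image: 'C:\\Windows\\explorer.exe', cmd: 'explorer.exe' },
  // Chain A: scheduled task (svchost Schedule) -> mshta -> wmic with a stylesheet -> rundll32
  { pid: 110, ppid: 1,   image: 'C:\\Windows\\System32\\svchost.exe', cmd: 'svchost.exe -k netsvcs -p -s Schedule' },
  { pid: 300, ppid: 110, image: 'C:\\Windows\\System32\\mshta.exe', cmd: 'mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\upd.xsl' },
  { pid: 400, ppid: 300, image: 'C:\\Windows\\System32\\wbem\\WMIC.exe', cmd: 'wmic.exe os get /format:"C:\\Users\\u\\AppData\\Local\\Temp\\upd.xsl"' },
  { pid: 500, ppid: 400, image: 'C:\\Windows\\System32\\rundll32.exe', cmd: 'rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\pay.dll,Start' },
  // Chain B: Excel -> mshta (.sct) -> rundll32
  { pid: 200, ppid: 100, image: 'C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE', cmd: '"EXCEL.EXE" protected.xls' },
  { pid: 310, ppid: 200, image: 'C:\\Windows\\System32\\mshta.exe', cmd: 'mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\d.sct' },
  { pid: 510, ppid: 310, image: 'C:\\Windows\\System32\\rundll32.exe', cmd: 'rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\d.dll,DllRegisterServer' },
  // Benign: an interactive shell launching a Control Panel applet
  { pid: 600, ppid: 100, image: 'C:\\Windows\\System32\\cmd.exe', cmd: 'cmd.exe' },
  { pid: 700, ppid: 600, image: 'C:\\Windows\\System32\\rundll32.exe', cmd: 'rundll32.exe shell32.dll,Control_RunDLL' },
];

// Parent chains to look for, innermost process first; matched as an ordered
// subsequence of the ancestry so intermediate processes do not hide a chain.
const CHAIN_RULES = [
  { name: 'mshta -> wmic -> rundll32', chain: ['rundll32.exe', 'wmic.exe', 'mshta.exe'] },
  { name: 'office -> mshta -> rundll32', chain: ['rundll32.exe', 'mshta.exe', 'excel.exe'] },
  { name: 'office -> mshta', chain: ['mshta.exe', 'excel.exe'] },
];

function basename(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Image basenames from the process up to the root (self first); cycle-safe
function ancestry(events, pid) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const chain = [];
  const seen = new Set();
  for (let cur = byPid.get(pid); cur && !seen.has(cur.pid); cur = byPid.get(cur.ppid)) {
    seen.add(cur.pid);
    chain.push(basename(cur.image));
  }
  return chain;
}

function isSubsequence(needle, hay) {
  let i = 0;
  for (const h of hay) if (i < needle.length && h === needle[i]) i++;
  return i === needle.length;
}

// One hit per (process, rule) match
function detect(events) {
  const hits = [];
  for (const e of events) {
    const chain = ancestry(events, e.pid);
    for (const r of CHAIN_RULES) {
      if (chain[0] === r.chain[0] && isSubsequence(r.chain, chain)) {
        hits.push({ pid: e.pid, rule: r.name, chain });
      }
    }
    // wmic /format: pointing at a stylesheet outside the wbem directory is how
    // WMIC is made to run script from an attacker-supplied XSL file
    if (basename(e.image) === 'wmic.exe' && /\/format:/i.test(e.cmd) && !/\\wbem\\/i.test(e.cmd)) {
      hits.push({ pid: e.pid, rule: 'wmic /format: external stylesheet', chain });
    }
  }
  return hits;
}

console.log(detect(EVENTS));
```

The benign rundll32 under cmd.exe is left alone because none of the rules' ancestors appear above it; in production the same logic runs per event as it arrives, with the parent map built from the events already seen.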
ThreatDown (@Threat_Down) · 2 years
⚠️ Looks like new patterns for #FakeUpdates / #SocGholish ➡️ Zip container: download[.]d272[.]5004[.]zip ➡️ JavaScript: Chrome.Quick.Update.ver.101.65.65282.js ➡️ Theme: connect[.]codigodebarra[.]co ➡️ C2: factor[.]vtaxlaw[.]com

ThreatDown (@Threat_Down) · 2 years
ℹ️ There was a time when even malware authors used 'password1234'. Not anymore 🔒 Payload is Emotet fdd44369a079bf9d370046ce7b8c36c026d2ff00f52f9932dca2a79753130871

ThreatDown (@Threat_Down) · 3 years
A script uploaded to VirusTotal in July 2021 appears to be related to the cloud video service skimmer attack reported by Palo Alto Networks. Full script (w/ skimmer): #Magecart

ThreatDown (@Threat_Down) · 3 years
🚨 Excel add-in file via malspam delivers a screenlocker (masquerading as ransomware). "YOUR FILES ARE ENCRYPTED" ℹ️ IOCs XLL: 0114f3cac3239cc616affe08407fb8e9 Payload: transfer[.]sh/get/cLOn0m/winl.exe 20126108d90d62860119d71b7525988b BTC: 351HBxC4Q2ZnvuGTWNt8Bf31iVzPKqWHXo

ThreatDown (@Threat_Down) · 2 years
ℹ️ Latest from our Threat Intelligence team: Spear phishing campaign targets Russian dissidents with Cobalt Strike and (new to us) RAT.

ThreatDown (@Threat_Down) · 2 years
ℹ️ Rare sighting of 2 Exploit Kits still ITW, bringing back some old memories ☕️ ➡️ PurpleFox EK kvte[.]shop/index.php?subid=10087530 dtiipwmr[.]otsrhesa[.]rest ➡️ RIG EK hgoawa[.]xyz/cryptotime 31.44.6[.]123

ThreatDown (@Threat_Down) · 2 years
ℹ️ Magniber ransomware dropped via malvertising 💡 Changes the desktop wallpaper with ransom message (new??) actsus[.]email 94.237.79[.]225 paidnet[.]space 209.50.54[.]25

ThreatDown (@Threat_Down) · 3 years
#Qbot (#Qakbot) is back after a summer vacation! Malwarebytes Anti-Exploit is able to block this new #Qbot campaign. Excel doc -> Downloads Qbot -> Execution via regsvr32 -> Injects into explorer.exe Example maldoc: c099f27aacf6cfa9bedcfcf4bca786f0

ThreatDown (@Threat_Down) · 3 years
ℹ️ In our latest blog post we follow different leads to unravel sprawling infrastructure used by #Magecart Group 8.

ThreatDown (@Threat_Down) · 3 years
ℹ️ #EpsilonRed attempts to uninstall security products via a PowerShell script before launching its #ransomware payload. Malwarebytes Tamper Protection will prevent this:

ThreatDown (@Threat_Down) · 2 years
🚨 We have been closely monitoring cyber threats targeting #Ukraine. ℹ️ Customers are currently protected against #HermeticWiper.

ThreatDown (@Threat_Down) · 2 years
🚨🚨 #FormBook continues to target Oil and Gas Companies. Email subject: Request for Tender for SAUDI ARAMCO - SAUDI ARABIAN REFINERY RENOVATIONS The email contains two attachments: A pdf file and an excel document. - Pdf file contains an embedded excel object (1/4)

ThreatDown (@Threat_Down) · 3 years
ℹ️ New blog: A deep dive into Saint Bot, a new downloader. We have found it used as part of several campaigns, some of them targeting Ukraine and Georgia.

ThreatDown (@Threat_Down) · 3 years
Professional 👌 looking web skimmer targeting French 🇫🇷 stores. ➡️ Skimmer JS: yahoo-tracker[.]com/fr.js ➡️ Exfiltrate to: googlegtm[.]com ➡️ Hosted at: 35[.]198[.]110[.]173 Known threat actor: medialand.regru @gmail [.]com #Magecart #WebSkimming

ThreatDown (@Threat_Down) · 3 years
ℹ️ In our latest blog, @hasherezade examines #AvosLocker, a new ransomware aiming to grow into the coveted big game hunting space.

ThreatDown (@Threat_Down) · 2 years
ℹ️ Our latest weekly threat intel report is now live ➡️

ThreatDown (@Threat_Down) · 2 years
💡 Quick visual of a Magecart skimmer using a websocket to exfiltrate stolen data ➡️ stats-doubleclick[.]com ➡️ 192.236.209[.]185

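WebSocket exfiltration, flagged in the older "2 tricks" post and shown in the post above, slips past defenders who only watch XHR and fetch. The proper control is a Content-Security-Policy `connect-src` directive, which governs WebSocket endpoints as well; the following is an added example, not ThreatDown's code, of the same allowlist enforced at runtime by wrapping the page's WebSocket constructor so the effect on a skimmer beacon is visible in one run. The allowlisted host `ws.example-shop.com`, the stub WebSocket class and the URLs are constructed; `exfil.example` stands in for an exfiltration domain such as the one in the post.

```javascript
// Added example, not ThreatDown's code. A page-side guard around the
// WebSocket constructor: connections to hosts outside an allowlist are
// refused and recorded. CSP connect-src is the real control; this shows the
// same policy enforced at runtime. Host, stub class and URLs are constructed.

const ALLOWED_WS_HOSTS = new Set(['ws.example-shop.com']); // assumption: the shop's own realtime host

// Hostname of a ws:// or wss:// URL, or null if it is not a WebSocket URL
function wsHost(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol !== 'ws:' && u.protocol !== 'wss:') return null;
    return u.hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Replace globalObj.WebSocket with a wrapper that enforces the allowlist.
// Returns the list of blocked URLs and a restore() that undoes the wrapping.
function installWebSocketGuard(globalObj, allowedHosts) {
  const Original = globalObj.WebSocket;
  const blocked = [];
  function GuardedWebSocket(url, protocols) {
    const host = wsHost(url);
    if (host === null || !allowedHosts.has(host)) {
      blocked.push(String(url));
      throw new Error(`WebSocket to ${host ?? 'invalid URL'} blocked by allowlist`);
    }
    // Returning an object from a constructor makes `new GuardedWebSocket(...)` yield the real socket
    return protocols === undefined ? new Original(url) : new Original(url, protocols);
  }
  GuardedWebSocket.prototype = Original.prototype; // keep instanceof checks working
  globalObj.WebSocket = GuardedWebSocket;
  return { blocked, restore() { globalObj.WebSocket = Original; } };
}

// Stub standing in for the browser's WebSocket (constructed for this example)
class StubWebSocket {
  constructor(url) { this.url = String(url); this.readyState = 0; }
}

// Run the guard against a fake window: one legitimate connection, one
// skimmer-style beacon to a look-alike domain.
function demo() {
  const fakeWindow = { WebSocket: StubWebSocket };
  const guard = installWebSocketGuard(fakeWindow, ALLOWED_WS_HOSTS);
  const result = {};
  try {
    result.legit = new fakeWindow.WebSocket('wss://ws.example-shop.com/cart').url;
  } catch (e) {
    result.legit = 'blocked';
  }
  try {
    new fakeWindow.WebSocket('wss://exfil.example/ws');
    result.skimmer = 'allowed';
  } catch (e) {
    result.skimmer = 'blocked';
  }
  result.blockedUrls = guard.blocked.slice();
  guard.restore();
  result.restored = fakeWindow.WebSocket === StubWebSocket;
  return result;
}

console.log(demo());
```

A script that runs before the guard is installed, or that grabs a reference to the original constructor from an iframe, bypasses this wrapper; that is why the browser-enforced `connect-src` directive, with the same allowlist, is the control to ship and this wrapper is only a way to see what that policy would catch.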
ThreatDown (@Threat_Down) · 4 years
New LNK attack tied to #Higaisa APT discovered (by @h2jazi and @jeromesegura).

ThreatDown (@Threat_Down) · 3 years
In our latest blog, we detail a new attack targeting Azerbaijan using steganography to deploy a RAT. Research done by @h2jazi

ThreatDown (@Threat_Down) · 2 years
#FakeUpdates / #SocGholish ➡️ Theme: casting[.]faeryfox[.]com ➡️ Lure: download[.]zip w/ download.js ➡️ C2: telegram[.]godsmightywhispers[.]com 77.91.127[.]52

ThreatDown (@Threat_Down) · 3 years
Can you tell which payment form is legitimate and which one is a skimmer?

ThreatDown (@Threat_Down) · 3 years
Today we release a new paper on a threat actor that has similarities with #APT28 and #MuddyWater. Research done by @h2jazi. ➡️ Blog summary: ➡️ PDF report: #LazyScripter #APT

ThreatDown (@Threat_Down) · 1 month
Shout out to all the one-person IT teams waking up this morning.

ThreatDown (@Threat_Down) · 3 years
Dozens of fake favicon domains are hosted on 78.47.155[.]179 to facilitate #Magecart attacks. Skimmer is known as 'ant and cockroach', uses favicons to load malicious JavaScript.

ThreatDown (@Threat_Down) · 3 years
The q-logger skimmer seems to have updated its obfuscation. IOC: bludigital[.]cyou/affirm.js Our previous blog: #Magecart #skimming

ThreatDown (@Threat_Down) · 2 years
Parrot TDS (NDSW) seen injected on website for @Parrable

ThreatDown (@Threat_Down) · 3 years
🚨 Same threat group behind #SolarWinds attack was recently spotted in new #phishing campaign. Malwarebytes already blocked the Cobalt Strike payload.

ThreatDown (@Threat_Down) · 2 years
Malspam in 🇫🇷 delivering #Formbook stealer. Payload: 103.167.92[.]57/airdrop/vbc.exe 92d4d9719765eefe727464d769fbd0e922cf83af096dd484be6e0f7b1dd297a4

ThreatDown (@Threat_Down) · 5 years
#Magecart skimmer stealing from folks donating to Australia's bushfire effort. Skimmer is 'ATMZOW', exfiltration domain vamberlo[.]com was already known.

ThreatDown (@Threat_Down) · 3 years
🚨🚨 Malicious documents with "DocuSign" template used to distribute #BazarBackdoor After dropping the backdoor it injects itself into svchost.exe Maldocs: ee6260fbc01386e306cdd4bcd57e292a ebb294f2f0625ed8d4b89e9e5290dd76

ThreatDown (@Threat_Down) · 3 years
➡️ Download pirated license keys off YouTube video ❓ ➡️ Install malware (coin miner) on your PC 😭

ThreatDown (@Threat_Down) · 3 years
ℹ️ #RIGEK dropping #RaccoonStealer 🚨 IOCs: 45.138.24[.]135 185.163.204[.]22 185.163.204[.]24 10c0e056a4f5913a5490a9d0d6c71e0590e63b34208a343280dad3effbb97c27

ThreatDown (@Threat_Down) · 2 years
🚨 Microsoft Office's latest Zero-Day (MS-MSDT Office RCE) is a bug and not a feature after all. 🙏 Kudos to @CrazymanArmy and @nao_sec for discovery/awareness. ➡️ Read our blog for more details and to make sure you are protected.

ThreatDown (@Threat_Down) · 2 years
⚠️ As seen by others, #Emotet is back via spam campaigns

ThreatDown (@Threat_Down) · 4 years
According to our crawlers, credit card skimming code was injected into the wine store belonging to top French supermarket chain E. Leclerc. This may be why the site is now in maintenance mode. IOCs: clipbutton[.]com[.]br/catalog/discount.php tivents[.]de/media/wysiwyg/paypal4.gif

ThreatDown (@Threat_Down) · 4 years
Fake Corona Antivirus distributes BlackNET remote administration tool RAT: antivirus-covid19[.]site/update.exe C2 panel: instaboom-hello[.]site

ThreatDown (@Threat_Down) · 2 years
Et Tu, RIG Exploit Kit? 👀 ➡️ Malvertising referer hgoawa[.]xyz/cryptotime ➡️ #RIGEK 45.138.27[.]78 ➡️ #RaccoonStealer 60009a057bc8cbf7bf6577f516a26e23487909791ddda210687236af448224f9

ThreatDown (@Threat_Down) · 2 years
#MagnitudeEK, as discovered by @nao_sec, is dropping Magniber ransomware as an .msi instead of .Appx.
> nao_sec (@nao_sec) · 2 years
> #MagnitudeEK started distributing #Magniber using signed msi file

ThreatDown (@Threat_Down) · 2 years
ℹ️ New #FakeUpdates C2: lines[.]fasttracklegal[.]com

ThreatDown (@Threat_Down) · 3 years
ℹ️ More and more Magecart skimmers are targeting mobile users only. ✍️ Code: navigator.userAgent.includes('Mobile') window.screen.availWidth <= 800

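The two checks quoted in the post are the whole reason a desktop-profile crawler or a researcher's headless browser sees a clean page: the skimmer branch never executes unless the UA string says "Mobile" or the screen is at most 800px wide. The following is an added example, not ThreatDown's code, that evaluates that gate against simulated environments and pairs it with a static check flagging scripts that carry a mobile gate next to payment-form access. The environments and script samples are constructed; the `navigator.userAgent` and `screen.availWidth` field names follow the browser APIs the post names.

```javascript
// Added example, not ThreatDown's code. The gate from the post evaluated in
// simulated environments, plus a static check for scripts that combine a
// mobile gate with form-field access. Environments and samples are constructed.

// Gate as quoted in the post: UA contains "Mobile", or the screen is at most 800px wide
function mobileGate(env) {
  return env.navigator.userAgent.includes('Mobile') || env.screen.availWidth <= 800;
}

const DESKTOP_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36';
const MOBILE_UA = 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1';

const ENVIRONMENTS = {
  desktopCrawler: { navigator: { userAgent: DESKTOP_UA }, screen: { availWidth: 1920 } },
  phone:          { navigator: { userAgent: MOBILE_UA },  screen: { availWidth: 390 } },
  // Desktop UA but a narrow window: the width branch still opens the gate, so
  // a crawler only needs to shrink its viewport to reach the payload.
  narrowDesktop:  { navigator: { userAgent: DESKTOP_UA }, screen: { availWidth: 760 } },
};

// Evaluate the gate in every environment; returns { name: boolean }
function probeGate(envs) {
  return Object.fromEntries(Object.entries(envs).map(([name, env]) => [name, mobileGate(env)]));
}

// Static indicators: a mobile gate next to code that reads form fields
const GATE_PATTERNS = [
  /userAgent\s*\.\s*(includes|indexOf|match|search)\s*\(\s*['"`][^'"`]*Mobile/i,
  /screen\.availWidth\s*<=?\s*\d{3,4}\b/,
];
const FORM_ACCESS_PATTERNS = [
  /document\.forms\b/,
  /querySelector(All)?\s*\(\s*['"]input/,
  /\.value\b/,
  /\bFormData\b/,
];

// A gate alone is what every responsive layout does; gate plus form access is worth a look
function classifyScript(src) {
  const gated = GATE_PATTERNS.some((p) => p.test(src));
  const readsForms = FORM_ACCESS_PATTERNS.some((p) => p.test(src));
  return { gated, readsForms, verdict: gated && readsForms ? 'review' : 'pass' };
}

// Constructed samples: a responsive-layout helper and a gated skimmer-like snippet
const RESPONSIVE_SITE_JS =
  "if (window.screen.availWidth <= 800) { document.body.classList.add('compact'); }";
const GATED_SKIMMER_JS =
  "if (navigator.userAgent.includes('Mobile') || window.screen.availWidth <= 800) {" +
  " var cc = document.querySelector('input[name=cc]').value; }";

console.log(probeGate(ENVIRONMENTS));
console.log(classifyScript(RESPONSIVE_SITE_JS), classifyScript(GATED_SKIMMER_JS));
```

The practical takeaway for anyone crawling checkout pages is the `narrowDesktop` case: a mobile user agent is not required, a viewport under 800px already satisfies the gate, so crawl each page at least once with a phone-sized window.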
ThreatDown (@Threat_Down) · 2 years
ℹ️ Our latest weekly threat intel report is now live ➡️

ThreatDown (@Threat_Down) · 2 years
ℹ️ [Blog] Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign #UNC2589 #TA471

ThreatDown (@Threat_Down) · 2 years
New #ContiLeaks with jabber_logs.7z. ➡️ Blog post (updated): ➡️ Timeline:
> ThreatDown (@Threat_Down) · 2 years
> ℹ️ We drew a timeline of events for the #Conti leaks. As there is a lot of data to process and possibly more to come, please check back for updates.

ThreatDown (@Threat_Down) · 5 years
We've spotted a new #Magecart campaign that injects Magento sites with a #skimmer hosted on @pastebin. -> Injected code mimics Yourviews plugin ("_yvsrc") -> Skimmer loaded over 2K times - IOCs - Skimmer: pastebin[.]com/raw/RmAwMkAL Exfiltration gate: magentoconnectors[.]com

ThreatDown (@Threat_Down) · 2 years
Malicious Office macros are here to stay a little longer...