̇ @r3dbU7z Twitter profile

Pinned Tweet

̇

3 years

Important Message to All my Followers & Readers. Please keep in mind that: I am absolutely not connected with cybersecurity or IT, it is not my profession because I do not have a profession. And I do not have education. Do not trust what I do. Thank you for reading.

1

2

28

Last Seen Profiles

@peoplesreserve

@Jaban_alkurdi

@Damien32Dc

@HiHimix063628

@omosi_1

@metamwrphosis

@lorem1psum__

@FourTet

@CSeanso

@habzquera

@MrHarryCole

@gibson_cha15198

@macers_14

@brookecandy

@FRA__Football

@Chuberdunkus2

@l_marsili

@reena_pabari

@osushivip

@PECVrouwen

@mhuseinali

@DwaneMann

@ilittlewish

@PaxLinedRed

@doremifaso64

@Momonga262

@laurennnsss

@Yukimura_Eri

@MIRAI5609022297

@cadehorton13420

@celebritypharm

@timxri

@AlphaLeaker

@abrefi_efya

@timxri

@stw_pdg

̇

@r3dbU7z

2 years

CHAOS ransomware 📸

4

51

297

̇

@r3dbU7z

1 year

🚮FYI:

4

42

183

̇

@r3dbU7z

2 years

Hello, @portoseguro - here your site is being scanned a bit. But you've already noticed that, right? Alguém fala português?

11

16

124

̇

@r3dbU7z

2 years

#Ramnit It's an old trick,but it still works.Hiding a file in html code of a hex bytes and a simple VBScript dropper on same page. An example of searching for such pages using #Shodan (approx. this is just an example,the query may be different😉) IPs list->

2

19

76

̇

@r3dbU7z

3 years

ELF backdoor ip: 139.180.189.50 url: zhiyou66\.com Sample 'java' on VT & bazaar -> 587205c17f1121b839744b064e3cd92d

2

22

76

̇

@r3dbU7z

1 year

Good news guys,I was accepted into Red TeamS! 😊😇

2

9

71

̇

@r3dbU7z

2 years

Dear all! Before you search for something in [Shodan, Censys, ZoomEye, etc], try to find something that will help you search. You can start with TwittDeck. Just a tip.

Florian Roth

@cyb3rops

3 years

From time to time people ask me about news aggregator services / RSS feeds that I use The truth is, I'm just a #Tweetdeck power user + keyword based columns + filters on engagements + notifications on rarely updated columns Some tips:

7

51

253

0

11

63

̇

@r3dbU7z

2 years

Another #Winnti panel C2: ip: 103.254.75.216 :3221 url: s2.yk.hyi8mc\.top Sample on VT & bazaar -> 87100cb600d876bd022a4d93ce6305a0 Cc: @500mk500 (;

3

18

63

̇

@r3dbU7z

2 years

#opendir APT31 [highly likely😉] ip: 49.235.66.165

1

11

59

̇

@r3dbU7z

10 months

#opendir #LB3 EternityStealer CobaltStrike 🚮ICYMI: Cryptor, Miner & Two Stealers url: hxxp/45.66.230[.]113 :80\ Bypass[.]bat Ref[1]:

3

14

57

̇

@r3dbU7z

10 months

🚮ICYMI: #DarkGate & CVE-2023-32046 [Windows MSHTML Platform Privilege Escalation Vulnerability, 07/11/2023] url: /fredlomberhfile\.com :2351 url: /163.123.142\.175 :80 Ref[1]: Ref[2]:

2

14

54

̇

@r3dbU7z

2 years

Trojan for linux in golang spotted ITW / low detection url: hxxp://45.32.132.166 <- You're welcome to visit!) Sample 'ltmp' on VT & bazaar -> 70f58625baf28f632fcee71c709078a8 Version for windows -> e96e2bbe4db122abc73bcd5b149488f4 (VT 6/69)

3

27

56

̇

@r3dbU7z

1 year

🦎 #mirai ip: 185.12.14.122 ip: 193.35.18.226

̇

@r3dbU7z

1 year

🚮FYI: Low detection Mirai bots & 'rbot' [MIPS] - flooder on Rust. ip: 193.35.18.35 Ref[1]: Ref[2]:

1

6

15

1

15

47

̇

@r3dbU7z

1 year

Rust, Golang & two webshells ip: 167.179.87.238 🇯🇵 [1]FUD ELF fuso penetrate tool Ref[1]:

2

16

47

̇

@r3dbU7z

2 years

#opendir emotet(?) & signed👀 dropper(s) url: hxxp://5.2.76.43/ C2: url: http://185.215.113.55/fsc3ssxaP/index.php Sample on VT -> Sample on bazaar -> Cc: @500mk500

3

16

44

̇

@r3dbU7z

2 years

🚮FYI: ALFA TEaM Shell Ref[1]:

2

7

40

̇

@r3dbU7z

2 years

Starter toolkit | Fall 2022 Collection For Rans0m Purposes Only!😇

5

16

42

̇

@r3dbU7z

9 months

#opendir AgentTesla & #vthunting 😄 url: xp/141.98.6[.]91 / [ wwe/ke/ wwe/ma/ ] Ref[1]:

̇

@r3dbU7z

9 months

#XWorm #zgRAT 🚮FYI: Ref[1]: Invoice_90023_PDF[.]vbs Ref[2]: uwp4072801[.]png Ref[3]: wallpapercave\.com on URLhaus

2

14

29

2

11

42

̇

@r3dbU7z

2 years

#opendir #Azorult builder ip: 178.140.137.201 🇷🇺 url: http://178.140.137.201/twitchyoutube/fk32nOPxf/index.php Sample on bazaar & VT -> 30bd4415b8698b02c6e39bd8f5343115

2

16

41

̇

@r3dbU7z

1 year

🚮FYI: hxxp\\ 103.123.242.104 🇹🇼 See also samples on MalwareBazaar. Ref[1]:

1

12

41

̇

@r3dbU7z

10 months

Today I discovered an exploit CVE-2023-36874 ITW. Wrote a notification to the company. Let's see what happens.😊 Ref[1]:

3

5

39

̇

@r3dbU7z

2 years

🚮FYI: Raccoon Stealer v2 & AutoCrypt ip: 94.131.100.85 Ref[1]:

0

11

38

̇

@r3dbU7z

2 years

🚮FYI: 'SunloginRCE' hacktool [spotted ITW] HFS panel -> url: hxxp://rat.bitdoge\.one :8080

1

8

40

̇

@r3dbU7z

2 years

DoD Network & #Rekoobe backdoor Spying on spies👁️🤳🤣 ip: 43.140.251.218 🇨🇳 905c2158fadfe31850766f010e149a0f <- adyagent 611c1c28a162523ea25c8a3388c1d002 <- java\.exe

1

15

39

̇

@r3dbU7z

3 years

#mirai #DDoS GitLab url: beanx99\.xyz ip: 172.245.158.140

2

20

37

̇

@r3dbU7z

3 years

Hint: Your linux unexpectedly began sending messages to #telegram ? Just watch man 8 mon !

5

8

36

̇

@r3dbU7z

2 years

Very suspicious 'SystemManager' with PyInstaller packer inside. url: archive.updateptbr\.online Sample on VT & bazaar -> 7ce0d79c8af824483f1b9fd6f30e456f Ref[1]: Ref[2]:

0

9

35

̇

@r3dbU7z

18 days

#stealer `Интерпол` следит за тобой! url: interpol\.cc Ref[1]: waf.dll 21c477cf20dca745fb658ddbeb4731b3

2

6

31

̇

@r3dbU7z

3 years

#opendir ip: 39.107.141.48 🇨🇳 Sample f32\.exe on VT -> <- Signed 👀 Sample payload1\.ps1 on VT ->

1

10

30

̇

@r3dbU7z

10 months

#declassified 🫣 You knew that: now in Censys there is a new function of disassembling of a obfuscated code. No? Now you know.😅

̇

@r3dbU7z

10 months

And ... RemcosRAT dropper with AntiCrack-DotNet😎 url: hxxp/45.150.67.7 :/80

0

1

9

2

9

32

̇

@r3dbU7z

9 months

#XWorm #zgRAT 🚮FYI: Ref[1]: Invoice_90023_PDF[.]vbs Ref[2]: uwp4072801[.]png Ref[3]: wallpapercave\.com on URLhaus

2

14

29

̇

@r3dbU7z

3 years

#opendir ip: 155.94.143.21 🇺🇸 Ref: Cc: @cyb3rops

̇

@r3dbU7z

3 years

#upxHook ELF CobaltStrike beacon? For Linux maybe... Sample on VT -> Sample on bazaar -> Ref:

3

0

4

0

5

29

̇

@r3dbU7z

1 year

Smoke Loader & Laplas Clipper url: /most-wntonlyfunns.ru /iscryload\.exe Sample on VT & bazaar -> 1227c58ccf684170e4726e0251a9ddd0 Ref[1]: Ref[2]: Ref[3]:

RussianPanda 🐼 🇺🇦

@RussianPanda9xx

1 year

@x3ph1 They also drop nthost.exe binary which I assume is the same Laplas Clipper [AppData\Roaming\NTSystem\ntlhost.exe]

1

0

2

0

15

30

̇

@r3dbU7z

2 years

#opendir MedusaLocker 📸 ip: 185.232.164.6 url: hxxp://85.217.170.156 /repeater.php Sample 'scpvss.exe' on VT -> See also sample on bazaar -> fd9b18f720c9c48d0088a00afa6bb87f

0

15

29

̇

@r3dbU7z

3 days

#Шубохранилище / PS stealer backstage ur: smartcert\.store Ref[1]: info_ps.bin\.dec

3

14

30

̇

@r3dbU7z

2 years

#opendir fresh AsyncRAT stagers, Sir! ip: 34.133.9.10 Related domain: url: antivirus-helper.publicvm\.com Ref[1]:

1

10

28

̇

@r3dbU7z

2 years

Eternity Worm For Rans0m Purposes Only!😇 ip: 111.90.151.174 :7777

1

9

27

̇

@r3dbU7z

3 years

#opendir ChinaChopper & CVE-2021-21985 An interesting combination of links to github, isn't it? What would we do without these wonderful comments?! cdk on VT ->

3

7

27

̇

@r3dbU7z

10 months

#DarkGate url: /185.130.227\.202 :2351 Ref[1]:

2

9

29

̇

@r3dbU7z

9 months

#DarkGate U - Update😉 🚮ICYMI: url: iamupdate[.]com ip: 5.252.177\.8 f90e30df61aec134fba71d66a87326c1 Ref[1]: Ref[2]:

2

6

28

̇

@r3dbU7z

3 years

Go #ransomware on Go... OR Not? Samples on VT & bazaar -> 0e3dc5ad55829e35e8b0b668fffd2658 goransom_linux64\.elf bd12b3601bd72416d9520e41963125ea goransom_windows64\.exe Cc: @Arkbird_SOLG

3

8

28

̇

@r3dbU7z

1 year

#opendir #NetSupport RAT url: ✅s/adrem-soft.com/ vp2023\.exe [Let's Encrypt] Ref[1]: Ref[2]:

1

12

27

̇

@r3dbU7z

2 years

AsyncRAT | StormKitty | Telegram RAT😎 ✅url: hxxps://myverifyaccess.my03\.com Sample 'sender\.exe' on VT & bazaar -> e87337cdcc26a92cd66fdbf051c9c8c0 Joeandbox report ->

3

11

28

̇

@r3dbU7z

9 months

😎

4

0

27

̇

@r3dbU7z

10 months

#opendir maldev site. Yet another one stealer on powershell via discord(yeah) and the use of an Flipper-Zero(WhyNot!?)

1

7

26

̇

@r3dbU7z

11 months

#opendir #DarkGate (?)🎁 url: s/ evil[.]gift [:2351 :9999] ip: 88.99[.]105.55 [:2351 :9999] Ref[1]: Ref[2]: Ref[3]:

0

12

25

̇

@r3dbU7z

1 year

#opendir For Department Purposes Only! ip: 104.248.88.180 [CN=Red, repeat CN=Red] C2: url: hxxp:\142.93.130.115 :8443 /en_US/all.js

0

9

24

̇

@r3dbU7z

2 years

#opendir #Redline ❗️For VALIDADOR Purposes Only!😇 Sample on VT & bazaar -> 6f3b1d892b6391f22f30b1bc132101ee <- servicetm\.exe C2: 158.69.114.17 :47305 🇨🇦 Ref[1]:

0

5

24

̇

@r3dbU7z

1 year

#RemcosRAT url: hxxps/ worryless346.duckdns\.org 90eb893c66efe4e796330b770c4d8d93 <- cdfdghgf\.exe C2: 185.246.220.63 :3689 See also -> 'SZ59020 - GENERAL Makina - Sales Order\.Scr' c5dfc30923176ce48b7d00514dee323b Ref[1]:

1

8

24

̇

@r3dbU7z

2 years

Just a samples storage. For RE Purposes Only! Ref[1]:

1

9

24

̇

@r3dbU7z

4 months

MSIX With Heavily Obfuscated PowerShell Script [ITW😎] ICYMI: url: guruveera\.com \data\ And previously spotted similar samples/domens -> url: accoun10\./com url: aianubhav\./com

1

14

23

̇

@r3dbU7z

2 years

#opendir #GoRAT ip: 139.177.196.67 :8000 🇨🇦 Sample on VT & bazaar -> 55a80743a33dc9c4e47319c3f8620bca <- WinUp32\.exe

0

5

24

̇

@r3dbU7z

2 years

#opendir 🫣 url: hxxp://150.158.181.243/ ELF sample '1.elf' on VT & bazaar -> 2239c945281663b4dec1c2638200f389

0

6

22

̇

@r3dbU7z

2 years

For Pr1v4t3 Purposes Only!🫣 url: sqli\.cloud

1

8

22

̇

@r3dbU7z

2 years

Very suspicious DLL library with network activity. ip: 139.162.77.242 :8081 🇯🇵 Sample on VT & bazaar -> 57d99128bd4e8a67f856cb1fe25f3791 <- MSVCR100\.dll Related sample -> Ref[1]:

1

8

23

̇

@r3dbU7z

1 year

#opendir RATs kit. - Remcos & co. url: s/ 193.56.28,104 🇬🇧 .jar samples STRRAT previosly reported by @malwarelabnet Ref[0]: Ref[1]:

1

5

22

̇

@r3dbU7z

2 years

#LodaRAT 🚮ICYMI: url: hxxps://aboreda.linkpc\.net :6666 Sample on VT & bazaar -> fae47086c34007307f6e2cd0c47a97d8 <- OMHGCG\.exe Ref[1]: Ref[2]:

2

7

23

̇

@r3dbU7z

1 year

W - Webshell😄

2

23

̇

@r3dbU7z

1 year

🚮FYI: V - Viper ip: 45.77.174.98 🇸🇬 C2: ip: 182.92.235.68 :1990 🇨🇳 Sample(s) on VT & bazaar -> 81aa27ad9f5fd8bbe15bf47c2bf27274 <-TelegramUpdate\.exe 35c6370224c3911f07d4d52a638ceb2e <- win7\.exe Ref[1]: Ref[2]:

2

8

22

̇

@r3dbU7z

2 years

#opendir #upxHook It looks like an attack on the supply chain OR or is it just a pentest, right? ip: 43.142.20.36 🇨🇳 Cc: @SANGFOR @qingtengcs

0

6

21

̇

@r3dbU7z

2 years

TYPICAL Sliver panel ip: 198.148.118.129 🇺🇸 Related IPs and domens > bunedidu\.com 45.153.243.135 xizojize\.com 64.44.135.116 zuvebeb\.com 23.83.133.104 naporiz\.com 64.44.135.135 #opendir on VT by Garkbit 64.44.102.190 Ref: [1] [2]

Broad Analysis

@BroadAnalysis

2 years

#bumblebee #loader 51.83.250[.]102 downloads #CobaltStrike #C2 naporiz[.]com. Injects C:\Program Files\Windows Photo Viewer\ImagingDevices.exe.

2

14

33

0

5

22

̇

@r3dbU7z

10 days

FYI: Keres backdoor [ITW] url: appdownapp\.com keres\.exe 5d38fe9776ba220f7cab364ae5746c2c Ref[1]:

0

5

21

̇

@r3dbU7z

2 years

For Private Purposes Only!😇

0

1

21

̇

@r3dbU7z

2 years

Display grouped sandbox reports ✅

1

4

22

̇

@r3dbU7z

2 years

#opendir #Ousaban banker backstage | Painel Infos url: dnssuporte.duckdns\.org Sample on VT & bazaar -> dcdb484d09c7a99de645eb72c99ef4b7 <- htmlayout\.dll

2

8

21

̇

@r3dbU7z

1 year

🚮FYI FUD ELF Go1ang Very suspicious files on web server. 155fbe012e0a9069c1254786a3da20e9 <- mpuyg(?) 36bdca61fe21f96a1729ca0cdb2ad8fb <- wmrqc [Client] e00f9d212e7fc83b7d11586f85f42450 <- frpc

2

5

20

̇

@r3dbU7z

3 years

Bot. One more. One verdict. Brand New? Maybe... ip: 88.218.17.149 linux_x86_64 -> mips_test [no strip] -> Cc @albertzsigovits @malwaremustd1e @0xrb @liuya0904

3

5

20

̇

@r3dbU7z

9 months

#opendir Factory Remcos/Rugmi (?) url: ✅/muzu\./re Ref[1]:

1

8

21

̇

@r3dbU7z

2 years

🚮FYI: Stealer 4 Chrome url: php\.ooo ip: 54.254.144.12 🇸🇬 ip: 52.221.14.194 Sample on VT & bazaar -> c06fb699df1516b865ff5a29d9b096cf <-chrome\.gif

0

10

21

̇

@r3dbU7z

2 years

#opendir #AsyncRAT ip: 163.123.142.183 Sample on VT & bazaar -> 1ec82838e7c64f8c6386ec8573c2df72 <- Invoice #17102022 \.exe

0

2

21

̇

@r3dbU7z

2 years

Make DDoS Great Again! hxxp://209.141.48.191/ Sample 'Server' on VT & bazaar -> b9fbce86a2f1376b043cd8c625ec4606

2

19

̇

@r3dbU7z

11 months

🚮FYI: #AsyncRAT url: /macmax13.dynalias[.]org :222/ a.jpg Ref[1]:

3

4

19

̇

@r3dbU7z

1 year

🚮FYI: TYPICAL #QuasarRAT 🥱 C2: url: asyfguas.con-ip\.com :555

1

19

̇

@r3dbU7z

10 months

🚮FYI: Does it look Total Trustworthy, right?

1

5

18

̇

@r3dbU7z

1 year

#SparkRAT minor update: Karachi-Shipyard\.zip c468962920ff2d461656ae5d3ab17c07 Ref[1]: Cc: @pakcert

̇

@r3dbU7z

1 year

🚮FYI: At0mLdr Ref[1]: Ref[2]: 9a95e059d574d4c3bdd26627308e22b6 <- doc\.pdf

0

4

19

2

13

18

̇

@r3dbU7z

2 years

Another one Winnti panel😇 ip: 41.90.19.167 🇰🇪 [Kenya] C2: url: gd.baojie666\.buzz 🇭🇰 Relations on VT -> Samples on VT & bazaar -> a91a3c7dab07eebc283ae3fa1f3b7227 <- server\.exe 762bff46f0d8459d2fd83a7dbc0b3103 <- 2\.exe

0

5

19

̇

@r3dbU7z

1 year

🚮FYI: At0mLdr Ref[1]: Ref[2]: 9a95e059d574d4c3bdd26627308e22b6 <- doc\.pdf

0

4

19

̇

@r3dbU7z

3 years

Stealer (?) url: googlyconnect\.tk url: hxxp://ngetconnect.tk:8000/Newf/^.exe ip: 147.182.207.189 Sample on VT -> Sample on bazaar ->

1

4

18

̇

@r3dbU7z

2 years

Another one Winnti panel😇 C2: ip: 114.132.246.103 :520 #1 Sample 'server.exe' on VT & bazaar -> 6db6ec5bae1438faf87e2ad4378e083c #2 See also already known sample '1.exe' on VT -> url: wuxi.tanxinyu\.cn ip: 82.156.28.253 Just example of course😎

2

3

18

̇

@r3dbU7z

2 years

#opendir #ransomware hacktool ip: 95.213.145.101 :8000 🇷🇺 fe2491d1fed2f1029052207bb75a61b2 main\.exe I couldn't see the source code, but judging by the strings, this is a script generation tool for 'lock' and 'still'😎 Ref[1]:

0

4

18

̇

@r3dbU7z

1 year

🚮FYI #mirai Abusing Azure cloud service for DD()S url: \ badplayer,net /azure\.sh Ref[1]:

0

4

18

̇

@r3dbU7z

2 years

#QuasarRAT url: hxxps:\\pesho.firecho\.cc C2: ip: 179.43.176.64:3124 Sample on VT & bazaar -> 790c75b8878d18d39a88cd1e49cd3b7e

2

8

19

̇

@r3dbU7z

2 years

#opendir TYPICAL dd[]s panel | Make JS Great Again!😊 url: hxxp://168.119.247.111 url: hxxp://142.132.230.75 C2: url: hxxp://188.34.154.180 :3000(?)

1

6

18

̇

@r3dbU7z

11 months

ICYMI: #opendir #phishing stealer ✅url: s/online-bilets[.]net Ref[1]: Ref[2]: LatsunaBeta[.]exe Ref[3]: injection[.]js

3

8

18

̇

@r3dbU7z

11 months

#opendir CVE-2010-2568 url: hxxp:/94.131.99[.]140 :80 Старый конь борозды не портит!😅

1

5

18

̇

@r3dbU7z

10 months

#opendir #AsyncRAT New variant for me. C2: rxrr./duckdns\.org [6606, 7707, 8808] Ref[1]: Prev. version. Ref[2]: MOAR samples on Malware Bazaar ->

̇

@r3dbU7z

11 months

🚮FYI: #AsyncRAT url: /macmax13.dynalias[.]org :222/ a.jpg Ref[1]:

3

4

19

1

6

18

̇

@r3dbU7z

2 years

Trojan/Banker for Chrome browser [via driver upload] used ConfuserEx protector for .NET url: googlyconnect\.xyz ip: 147.182.207.189 Sample 'IRCommDLL1.dll' on VT & bazaar -> 6329989230ea5ec0b353eeefa69261a6 Ref:

̇

@r3dbU7z

3 years

Stealer (?) url: googlyconnect\.tk url: hxxp://ngetconnect.tk:8000/Newf/^.exe ip: 147.182.207.189 Sample on VT -> Sample on bazaar ->

1

4

18

1

9

17

̇

@r3dbU7z

3 years

'Citrix' DDoS bots #mirai ip: 31.133.0.49 :99 <- C2 panel Archiv with samples on VT & bazaar -> c572dd8b4a57c4e692e98d046b801ae7

4

0

17

̇

@r3dbU7z

1 year

#opendir 🚮FYI: For D0S Purposes Only! url: p/78.153.130,90 /backdoor\.ps1 ip: 78.153.130,90 :4444 059bd34c615de2dc437f900138744d94 <-- zip-dump on VT

0

5

17

̇

@r3dbU7z

2 years

#dcrat #censys 🚮FYI: Ref[1]:

1

4

17

̇

@r3dbU7z

11 months

🚮FYI: K8s secrets stealer and malicious badpod(s?) with persistent reverse shell😅 ip: 206.189.187.164 [:1337 :1338 :1339]

3

2

16

̇

@r3dbU7z

3 years

#opendir Another downloader on PS [via Discord lnk] ip: 167.114.77.19 🇨🇦 Sample 1\.txt on VT -> <- 6/xx Cc: @pmelson

2

4

16

̇

@r3dbU7z

2 years

TYPICAL RedLineStealer panels🥱

0

3

17

̇

@r3dbU7z

3 months

System Script Proxy Execution: SyncAppvPublishingServer [ITW] url: .193.124.33.71/ Downloads/ Scan_rekvizity_03.05.2024\.pdf\.lnk [WebDav] e57b2d8b31362ff888fc2f1e58365170 contract_calc\.xls\.lnk b827da23c3485e7f95049596c2e4fab4 Ref[1]:

1

8

16

̇

@r3dbU7z

2 years

TYPICAL Mars stealer panels ip: 135.181.168.27 🇫🇮 ip: 144.24.197.26 🇫🇷 ip: 162.247.152.190 🇺🇸 Ref[1]:

1

4

17

̇

@r3dbU7z

2 years

Scan Station 📸 ip: 45.137.64.40 [dc.exe <- DCRAT of course😃]

0

4

16

̇

@r3dbU7z

1 year

🚮FYI: Low detection Mirai bots & 'rbot' [MIPS] - flooder on Rust. ip: 193.35.18.35 Ref[1]: Ref[2]:

1

6

15

̇

@r3dbU7z

1 year

ICYMI: AsyncRAT backstage😎

Igal Lytzki🇮🇱

@0xToxin

1 year

My writeup on OP Red Deer is up! Uncovering #Aggah campaign towards Israel. 🇮🇱 What’s included in the writeup? ➡️ Impersonation to “Israel Post” (Israel biggest postal company) ➡️ execution chain summary ➡️ SSL certificate hunting ➡️ Opendir hunting ➡️ Bunch of IOCs

1

7

22

0

4

17