
Spanish malspam

Malicious website targeting Spanish internet users, serving a malicious payload

Malspam 📧 targeting Spanish users 🇪🇸

Email ➡️ geo filter ➡️ mediafire ➡️ iso ➡️ vbs

1st stage - geo filter 🛑
vmi3228488.contaboserver .net Contabo 🇩🇪

2nd stage - payload 📄
🌐 urlhaus.abuse.ch/url/3824487/

Dropped iso:
bazaar.abuse.ch/sample/faaa4...

Botnet C2:
📡 54.197.208.68 Amazon 🇺🇸

3 days ago

MalwareBazaar - ChromeSetup.msi (SparkRAT) ChromeSetup.msi has been detected as SparkRAT by MalwareBazaar

SparkRAT ➡️ ChromeSetup.msi ➡️ FUD 🔥

msftconnecttest .xyz ⤵️
Creation Date: 2024-12-02 ⤵️
After more than a year, this domain still has a detection rate of 1/93 🤯

Pointing to ⤵️
154.31.222.217:443 ➡️ DControl

Chinese? 🇨🇳
lang="zh-cn"

Malware sample:
bazaar.abuse.ch/sample/91a29...

1 month ago

ThreatFox - Tag FakeRMM Hunt for IOCs tagged with tag 'FakeRMM'

IOCs on ThreatFox:
🦊 threatfox.abuse.ch/browse/tag/F...

Malware samples:
📄 bazaar.abuse.ch/browse/tag/F...

1 month ago
Malware detonation suggests that the threat actor was likely playing around with ScreenConnect RMM before

It also seems that the threat actor was previously playing around with the legitimate RMM #ScreenConnect (aka ConnectWise) before switching to their own fake RMM 🛠️

What also stands out: the majority of the botnet C2s were hosted at Contabo GmbH 🇩🇪

We track the threat on our platforms as #FakeRMM ⤵️

1 month ago

Proofpoint recently identified a fake RMM (Remote Monitoring and Management Tool) called #TrustConnect and #DocConnect 🔎💻

Pivoting the threat in our collection reveals that the threat actors spread the same malware under additional names, including:

➡️SoftConnect
➡️HardConnect
➡️AxisControl

1 month ago

Rogue #ScreenConnect RMM 🕵️‍♂️

Botnet C2:
📡 no.windowupdateservice .com
📡 relay.windowupdateservice .com
📡 193.26.115.51:8041

Payload delivery URL:
🌐 urlhaus.abuse.ch/url/3782937/

Malware sample 📄:
bazaar.abuse.ch/sample/77dc5...

More ScreenConnect RMM IOCs ⤵️
threatfox.abuse.ch/browse/tag/S...

1 month ago

You can report false positives directly through the platform by navigating to the database entry and then choosing "actions" -> "report FP".

2 months ago

MalwareBazaar - file (RemoteX) file has been detected as RemoteX by MalwareBazaar

Malware sample ⤵️
bazaar.abuse.ch/sample/d6316...

2 months ago
RemoteX RAT admin panel

Yet another RAT in town: RemoteX🖥️🖱️

🪲 Dropped by Amadey
📃 Written in Golang
💻 Uses HKCU\...\CurrentVersion\Run\RemoteX for persistence (lame 🚽)
🌐 Uses WebSocket for C2 communication
🕵️‍♂️ Unauthenticated RAT admin panel 🤡

Botnet C2:
📡 109.107.168.147:80 (Partner Hosting LTD 🇬🇧)

2 months ago
Xillen Stealer admin panel on Cloudflare

Xillen Stealer 🎣, heavily dropped by Amadey 🔥

Botnet C2:
https://goldenring[.]live/api/logs/check

"Invisible. Undetectedable. Unstopable." 🤡

👉 github.com/BengaminButt...

Samples ⤵️
bazaar.abuse.ch/browse/signa...

Additional IOCs on ThreatFox 🦊
threatfox.abuse.ch/browse/tag/X...

2 months ago

Thank you @spamhaustech.bsky.social & @abuse-ch.bsky.social for being #PIVOTcon26 Silver Sponsor 🎉

Read more about the alliance: abuse.ch & spamhaus.com
This alliance empowers the largest independently crowdsourced intelligence of tracked malware and botnets.
pivotcon.org/sponsors
#CTI #ThreatIntel

3 months ago
Brazilian Banker "GHOST" panel

Brazilian banker 🇧🇷 caught by @johnk3r 🎣

GHOST panel 🧐

007consultoriafinanceira .net
83.229.17.124:80 Clouvider 🇺🇸

Payload delivery URL:
🌐 https://urlhaus.abuse.ch/url/3759148/

Malware sample (MSI):
⚙️ bazaar.abuse.ch/sample/2cbafc607c5d38a89...

3 months ago

MalwareBazaar - PicturesPreview.exe (GoToResolve) PicturesPreview.exe has been detected as GoToResolve by MalwareBazaar

Payload hosted on a Cloudflare R2 bucket, but it already got nuked due to an abuse report from URLhaus 🙌
🌐 urlhaus.abuse.ch/url/3751500/

LogMeIn #GoToResolve payload 📄
bazaar.abuse.ch/sample/77e22...

3 months ago
Malspam from Microsoft Outlook spreading LogMeIn GoToResolve RMM

Fake PDF download spreading LogMeIn GoToResolve RMM

Malspam sent from Microsoft Outlook that is spreading #LogMeIn GoToResolve RMM, enabling threat actors to access the victim's machine remotely 💻🔍🕵️

IOCs:
📡 adwestmailcenter .com ➡️ Landing page
📡 insightme .im ➡️ fake PDF download

3 months ago
turbokent .name - CHICXULUB IMPACT

CHICXULUB IMPACT 💥

Botnet C2 URLs:
📡 turbokent .name/api/initialize
📡 turbokent .name/api/status

Sponsoring domain registrar: NICENIC 🇭🇰

Malware sample 📄:
bazaar.abuse.ch/sample/c32e1...

3 months ago

MalwareBazaar - Tag SantaStealer Hunt for malware samples tagged with tag 'SantaStealer'

Malware samples 🤖:
bazaar.abuse.ch/browse/tag/S...

IOCs available on ThreatFox 🦊:
threatfox.abuse.ch/browse/tag/S...

4 months ago

New Stealer in town: SantaStealer 🎅🎄

Botnet C2s ➡️ all hosted at AS399486 VIRTUO 🇨🇦:
📡31.57.38.119:6767
📡31.57.38.244:6767
📡80.76.49.114:6767

Stealer admin panel (via @darkwebinformer.com 💪):
🕵️ stealer. su

Artifacts 💻:
C:\tempLog\Clipboard.txt
%LocalAppData%\Temp\passwordslog.txt

4 months ago
Mirai malware delivery URLs

Love letter ❤️ from a threat actor 🕵️exploiting React2Shell vulnerability (CVE-2025-55182) to spread #Mirai malware ⤵️

fuckoffurlhaus 😂

Payload URLs:
🌐 urlhaus.abuse.ch/host/45.153....

Mirai botnet C2s:
📡 marvisxoxo .st (ISTanCo 🇷🇸)
📡 45.156.87 .231:23789 (AS51396 PFCLOUD 🇩🇪)

4 months ago

URLhaus - http://w2socks.xyz/uploads/5aba4745e080f54e.msi Malware distribution site: http://w2socks.xyz/uploads/5aba4745e080f54e.msi

The same malware is also being spread by #Amadey pay-per-install (PPI):
➡️ urlhaus.abuse.ch/url/3733103/

4 months ago
ClickFix infection chain

Unknown malware using WebSockets for botnet command & control, spreading through #ClickFix ⤵️

🖱️ClickFix -> 📃VBS -> ⚙️MSI

Payload delivery host:
🌐 https://urlhaus.abuse.ch/host/103.27.157.60/

Malware sample 🤖:
bazaar.abuse.ch/sample/4d8e5...

Botnet C2 domains:
📡w2li .xyz
📡w2socks .xyz

4 months ago

MalwareBazaar - pew63 (Mirai) pew63 has been detected as Mirai by MalwareBazaar

Mirai #malware sample 🤖:
bazaar.abuse.ch/sample/ee2fe...

Payload delivery host 🌐:
urlhaus.abuse.ch/host/172.237...

Related IOCs 🦊:
threatfox.abuse.ch/browse/tag/C...

4 months ago
Malicious bash script delivering Mirai payload

Exploitation of the recent React RCE vulnerability (CVE-2025-55182 - #React2Shell) leading to #Mirai infection ⤵️

Botnet Mirai C2 domains 📡:
fuckphillipthegerman .ru

Botnet Mirai C2 servers, all hosted at FORTIS 🇷🇺:
138.124.72.251:52896
138.124.69.154:60328
5.144.176.19:60328

4 months ago
MaksRAT botnet C2 traffic

MaksRAT

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\javacom

Botnet C2s 📡
104.198.24 .41:6656
avocado .gay
www.foldacces .online
www.makslove .xyz
www.mavenrat .xyz
www.blackprofit .online

Sample shared by @smica83 💪
bazaar.abuse.ch/sample/88310...

IOCs
threatfox.abuse.ch/browse/tag/M...

4 months ago

MalwareBazaar - data.arm7 (Mirai) data.arm7 has been detected as Mirai by MalwareBazaar

Mirai malware sample:

🤖 bazaar.abuse.ch/sample/11248...

More #Mirai IOCs are available on ThreatFox:

🦊 threatfox.abuse.ch/browse/malwa...

4 months ago

Mirai campaign spreading through 213.209.143.85 (Railnet 🇳🇱), messing around with the victim's system iptables 🤔

Mirai botnet C2 domain:
womp.datasurge .vip (NameCheap 🇺🇸)

Mirai botnet C2 server:
176.65.148.57:6969 (Pfcloud 🇩🇪)

Payload URL:
🌐 urlhaus.abuse.ch/url/3725743/

4 months ago

ThreatFox - Mirai Hunt for Mirai IOCs on ThreatFox

More #Mirai IOCs are available on ThreatFox:
🦊 threatfox.abuse.ch/browse/malwa...

4 months ago
Mirai bot "zerobot"

Mirai botnet #zerobot spreading through 172.86.123.179 (cloudzy 🇦🇪) ⤵️

Mirai botnet C2 domain:
0bot.qzz .io (Gandi SAS 🇫🇷)

Mirai botnet C2 server:
140.233.190.96:69 (Internet Magnate 🇿🇦)

Payload URLs:
🌐 urlhaus.abuse.ch/host/172.86....

Mirai malware sample:
🤖 bazaar.abuse.ch/sample/9f64e...

4 months ago

URLhaus simply wouldn't exist without the help of awesome and committed contributors like this who diligently report malware URLs every day 🙏

URLhaus stats ➡️ urlhaus.abuse.ch/statistics/
URLhaus ➡️ urlhaus.abuse.ch

🫶 #SharingIsCaring #Community #StrengthInUnity

4 months ago
URLhaus Top Contributor “Geenensp”

🎉 Massive shout out to URLhaus Top Contributor “geenensp”

First seen April 13th 2020 and since then, they’ve shared an unbelievable 844,345 malware URLs!! 😮 Over the last 30 days, they have shared 8,902 URLs, firmly securing their position at the top of the leaderboard 💪 ⤵️

4 months ago
GrokPy botnet C2 traffic

GrokPy malware samples on MalwareBazaar:
📄 bazaar.abuse.ch/browse/signa...

Botnet C2s on ThreatFox:
🦊 threatfox.abuse.ch/browse/tag/G...

4 months ago