#cybersecurity - Fighting #malware and #botnets
Brazilian banker ๐ง๐ท
GHOST panel ๐ง
007consultoriafinanceira .net โก๏ธ GoDaddy ๐บ๐ธ
83.229.17.124:80 โก๏ธ Clouvider ๐บ๐ธ
Payload delivery URL ๐:
https://urlhaus.abuse.ch/url/3759148/
Malware sample (MSI) โ๏ธ:
https://bazaar.abuse.ch/sample/2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21/
๐ค Jul-Dec 2025 Botnet Threat Update out now!
โฌ๏ธ 21,425 #botnet C&Cs observed, up by +24%.
โซ Botnet C&C domains soar +9,608% for ๐ท๐บ Russia-based REGRU
โฌ๏ธ Remote Access Trojans represent 42% of Top 20 malware associated with botnet C&Cs.
But it isnโt all bad news โ several large cloud network operators have taken action to tackle active botnet C&Cs - find out which ones in the latest FREE report here๐
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/
Malspam sent from Microsoft Outlook that is spreading #LogMeIn GoToResolve RMM, enabling threat actors to access the victim's machine from remote ๐ป๐๐ต๏ธ
IOCs:
๐ก adwestmailcenter .com โก๏ธ Landing page
๐ก insightme .im โก๏ธ fake PDF download
Payload hosted on Cloudflare R2 bucket, but already got nuked due to an abuse report from URLhaus ๐
https://urlhaus.abuse.ch/url/3751500/
LogMeIn #GoToResolve payload ๐
https://bazaar.abuse.ch/sample/77e22f4e1af7758d6f7284f32a92539ea36a527fa89c8c6765f10a3f98a8d13e/
CHICXULUB IMPACT ๐ฅ
Botnet C2 URLs:
๐ก https://turbokent .name/api/initialize
๐ก https://turbokent .name/api/status
Sponsoring domain registrar: NICENIC ๐ญ๐ฐ
Malware sample ๐:
https://bazaar.abuse.ch/sample/c32e1db396e6b64846792f05c776c5b52f34834b0500bc18f982927e07ca3eeb/
New Stealer in town: SantaStealer ๐ ๐
Botnet C2s โก๏ธall hosted at AS399486 VIRTUO ๐จ๐ฆ:
๐ก31.57.38.119:6767
๐ก31.57.38.244:6767
๐ก80.76.49.114:6767
Stealer admin panel (via @DarkWebInformer ๐ช):
๐ต๏ธ stealer. su
Artifacts ๐ป:
C:\tempLog\Clipboard.txt
%LocalAppData%\Temp\passwordslog.txt
Malware samples ๐ค:
https://bazaar.abuse.ch/browse/tag/SantaStealer/
IOCs available on ThreatFox ๐ฆ:
https://threatfox.abuse.ch/browse/tag/SantaStealer/
Love letter โค๏ธ from a threat actor ๐ต๏ธexploiting React2Shell vulnerability (CVE-2025-55182) to spread #Mirai malware โคต๏ธ
fuckoffurlhaus ๐
Payload URLs ๐:
https://urlhaus.abuse.ch/host/45.153.34.201/
Mirai botnet C2s ๐ก:
marvisxoxo .st (ISTanCo ๐ท๐ธ)
45.156.87 .231:23789 (AS51396 PFCLOUD ๐ฉ๐ช)
Malware sample ๐:
https://bazaar.abuse.ch/sample/9a84057ceb444e73f6f8733eda2fbd0db46fd9a6e182179256289558871427d6/
Unknown malware using WebSockets for botnet command&control, spreading through #ClickFix โคต๏ธ
๐ฑ๏ธClickFix -> ๐VBS -> โ๏ธMSI
Payload delivery host:
๐ https://urlhaus.abuse.ch/host/103.27.157.60/
Malware sample ๐ค:
https://bazaar.abuse.ch/sample/4d8e5e890e8be3a1d3529edd384517f99ec1b05bbed7edb38da936d7b3d7749b/
Botnet C2 domains:
๐ก w2li .xyz
๐ก w2socks .xyz
The same malware is also being spread by #Amadey pay-per-install (PPI):
โก๏ธ https://urlhaus.abuse.ch/url/3733103/
Exploitation of recent React RCE vul (CVE-2025-55182 - #React2Shell) leading to #Mirai infection โคต๏ธ
Botnet Mirai C2 domains ๐ก:
effeminate.fuckphillipthegerman .ru
trap.fuckphillipthegerman .ru
tranny.fuckphillipthegerman .ru
Botnet Mirai C2 servers , all hosted at FORTIS ๐ท๐บ:
138.124.72.251:52896
138.124.69.154:60328
5.144.176.19:60328
Mirai #malware sample ๐ค:
https://bazaar.abuse.ch/sample/ee2fe11a7f43aba14f37897b7c69e2c4b26eef20a8854a838353b59866ee4861/
Payload delivery host ๐:
https://urlhaus.abuse.ch/host/172.237.55.180/
Releated IOCs ๐ฆ:
https://threatfox.abuse.ch/browse/tag/CVE-2025-55182/
MaksRAT
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\javacom
Botnet C2s ๐ก
104.198.24 .41:6656
avocado .gay
www.foldacces .online
www.makslove .xyz
www.mavenrat .xyz
www.blackprofit .online
Malware sample ๐ค
https://bazaar.abuse.ch/sample/883108e1491ab90780fa3b43ed1580e29786287fdca5cae1a49eea6ec91d90fd/
IOCs are available on ThreatFox ๐ฆ
https://threatfox.abuse.ch/browse/tag/MaksRAT/
Mirai campaign spreading through 213.209.143.85 (Railnet ๐ณ๐ฑ), messing around with the victim's system iptables ๐ค
Mirai botnet C2 domain:
womp.datasurge .vip (NameCheap ๐บ๐ธ)
Mirai botnet C2 server:
176.65.148.57:6969 (Pfcloud ๐ฉ๐ช)
Payload URL:
๐ https://urlhaus.abuse.ch/url/3725743/
Mirai malware sample:
๐ค https://bazaar.abuse.ch/sample/112481469fb1a0e94a8f0a34ff70b76e874540f3913db2a1d6b9b6c3899367e0/
More #Mirai IOCs are available on ThreatFox:
๐ฆ https://threatfox.abuse.ch/browse/malware/elf.mirai/
Mirai botnet #zerobot spreading through 172.86.123.179 (cloudzy ๐ฆ๐ช) โคต๏ธ
Mirai botnet C2 domain:
0bot.qzz .io (Gandi SAS ๐ซ๐ท)
Mirai botnet C2 server:
140.233.190.96:69 (Internet Magnate ๐ฟ๐ฆ)
Payload URLs:
๐ https://urlhaus.abuse.ch/host/172.86.123.179/
Mirai malware sample:
๐ค https://bazaar.abuse.ch/sample/9f64ea43d9ba0bed705b94251dfbcdc596fc594df8c0d94c512e4573c55b30e5/
More #Mirai IOCs are available on ThreatFox:
๐ฆ https://threatfox.abuse.ch/browse/malware/elf.mirai/
๐ Massive shout out to URLhaus Top Contributor โgeenenspโ
First seen April 13th 2020 and since then, theyโve shared an unbelievable 844,345 malware URLs!! ๐ฎ Over the last 30 days, they have shared 8,902 URLs, firmly securing their position at the top of the leaderboard ๐ช
URLhaus simply wouldn't exist without the help of awesome contributors like this who report malware URLs everyday ๐
URLhaus โก๏ธ https://urlhaus.abuse.ch/
Stats โก๏ธ https://urlhaus.abuse.ch/statistics/
๐ has OCR capabilities for screenshots obtained via CDP, which are used to extract text from captcha
๐ค uses a Grok LLM model that resides in the botnet C2 server to solve the captcha
Botnet C2 servers are all hosted at Hetzner ๐ฉ๐ช on port 8008 TCP:
46[.]62.225.51 [active]
46[.]62.224.205
46[.]62.205.38
GrokPy malware samples on MalwareBazaar:
๐ https://bazaar.abuse.ch/browse/signature/GrokPy/
Botnet C2s on ThreatFox:
๐ฆ https://threatfox.abuse.ch/browse/tag/GrokPy/
โ๏ธ uses the CDP (Chrome developer protocol) of either Edge or Chrome installed on the victim machine for further malicious actions
๐ก calls back to the botnet C2 on the various stages of the infection and the results of its malicious actions
๐ฑ creates new accounts on Discord to obtain authentication tokens, which are then reported back to the botnet C2
๐ง uses dilly + [a-zA-Z0-9]{8,11}@Gmail
.com + password [a-zA-Z0-9]{8} as the email and password for the Discord registration process
Weโve identified an interesting malware family ๐, which weโve named #GrokPy due to its use of a Grok LLM model ๐ค to solve and subsequently bypass CAPTCHAs ๐ฅ
The malware gets dropped by #Amadey and:
๐ช collects information about the infected device, such as screen resolution, public IP & location, ram usage and CPU name
๐ป attempts to escalate privileges by running as admin or as a scheduled task
@7666 I recommend you to just remove the PS and serve 404. URLhaus cant distinguish between malicious PS and legitinate PS and as that URL was serving a PS initially, the URL will be flagged as online as long as it servs a PS
@7666 URLhaus re-scans every URL several times per hour. No need for a manual rescan
This week, everywhere you look, bulletproof hosting (BPH) is in cyber news headlines. From the CrazyRDP takedown, to sanctions against entities adjacent to Aeza, and most recently Media Land LLC and ML[.]Cloud] LLC (do these measures actually move the needle?), to new CISA guidance on mitigating BPH activities.๐ก๏ธ
Itโs clear the spotlight is firmly on one of cybercrimeโs most persistent enablers. And for a good reason. Few infrastructures have enabled so much criminal activity, for so long, with such resilience.
Spamhaus has tracked BPH operators and their evolving tactics for decades. ๐ต๏ธ We've watched the ecosystem shift from monolithic BPHs to layered and complex business structures.
So, amid the sensational headlines, weโve compiled a grounded look at the topic, covering: the history, the current landscape, and where the threat landscape is likely to head next.
Read it in full here ๐ https://www.spamhaus.org/resource-hub/bulletproof-hosting/the-anatomy-of-bulletproof-hosting-past-present-future-/
@spamhaus Taking down the infrastructure is only half the battle, supporting those affected is just as important. Thank you, for stepping in again to help remediate machines infected with the Rhadamanthys malware ๐๐ #Community #Endgame3 #Remediation
ENDGAME 3.0 REMEDIATION | Following on from the ๐ข announcement last week Spamhaus is now sending notification emails ๐ฉ to ISPs associated with infected machines.
Here's what to do if you receive one: โคต๏ธ
