@malware_traffic thx, sure enough! missed this and a few others.
Monitor SG
Experimental automated monitoring of #SocGholish, #FakeSG, #ClearFake, #ClickFix, #KongTuke, #ParrotTDS and #SmartApeSG.
Samples and IOCs sent to MalwareBazaar and ThreatFox.
Detected #SmartApeSG infection chain
Compromised site
-->
musicdownloader[.]top/ese/buf.js (injected)
-->
musicdownloader[.]top/ese/bof.js (clickfix)
-->
kabarbhayangkara[.]com/all.php (Powershell)
-->
kabarbhayangkara[.]com/smwr.zip
-->
146[.]70.100.114:443 (NetSupport, EVALUSION, NSM165348)
a3f204b9134ee15369e565870d9aa51cff64cb4b0734b252e3334a03949df94a smwr.zip
New #SocGholish C2:
hXXps://images.venthalpyapp[.]com/viewDashboard
images.venthalpyapp[.]com
166[.]88.182.99
AS26383 Baxet Group Inc.
Detected #SmartApeSG infection chain
Compromised site
-->
islonline[.]org/d.js (injected)
-->
pasangiklan[.]top/ese/bof.js (clickfix)
-->
vietnam24hvoyage[.]com/all.php (Powershell)
-->
vietnam24hvoyage[.]com/zswr.zip
-->
185[.]163.45.41:443 (NetSupport, EVALUSION, NSM165348)
b32bd5ee7d55c6a47ba7cb82162be28490b40cf71edc0386bf05b4e61945ae80 zswr.zip
New #SocGholish C2:
hXXps://cpanel.thekooljack[.]com/viewDashboard
cpanel.thekooljack[.]com
157[.]254.167.84
AS17378 TierPoint, LLC
New #SocGholish C2:
hXXps://sample.tcroadgear[.]com/viewDashboard
sample.tcroadgear[.]com
166[.]88.164.79
AS26383 Baxet Group Inc.
New #SocGholish C2:
hXXps://m.cpa2go[.]com/viewDashboard
m.cpa2go[.]com
45[.]76.18.170
AS20473 The Constant Company, LLC
Detected #SmartApeSG infection chain
Compromised site
-->
franquicias[.]top/sss/buf.js (injected)
-->
franquicias[.]top/sss/bof.js (clickfix)
-->
certifiedhackerindia[.]com/all.php (Powershell)
-->
certifiedhackerindia[.]com/fyqw.zip
-->
185[.]163.45.30:443 (NetSupport, EVALUSION, NSM165348)
a3293a8613d9962ffd169085c6663938fdad006538511ba76b903a94245cd16c fyqw.zip
New #SocGholish C2:
hXXps://ai.lanpdt[.]org/viewDashboard
ai.lanpdt[.]org
209[.]141.43.20
AS53667 FranTech Solutions
Detected #KongTuke infection chain
Compromised site
-->
swedrent[.]com/3c7b.js
-->
swedrent[.]com/js.php (ClickFix)
-->
hXXp://cloud-flaer-verif[.]com/log-in
New #SocGholish C2:
hXXps://cpanel.productdevelopmentplan[.]com/viewDashboard
cpanel.productdevelopmentplan[.]com
166[.]88.182.124
AS26383 Baxet Group Inc.
New #SocGholish C2:
hXXps://folders.emeraldpinesolutions[.]com/viewDashboard
folders.emeraldpinesolutions[.]com
23[.]146.184.117
AS399820 Atomic Networks LLC
Detected #KongTuke infection chain
Compromised site
-->
swedrent[.]com/3c7b.js
-->
swedrent[.]com/js.php (ClickFix)
-->
devindicator[.]dev/webgl.wav
New #SocGholish C2:
hXXps://photo.suziestuder[.]com/viewDashboard
photo.suziestuder[.]com
23[.]27.134.21
AS12083 WideOpenWest Finance LLC
New #SocGholish C2:
hXXps://app.symphoniabags[.]com/ajaxAction
app.symphoniabags[.]com
194[.]213.18.10
AS62240 Clouvider
New #SocGholish C2:
hXXps://www[.]stirngo[.]com/ajaxAction
www[.]stirngo[.]com
166[.]88.159.146
AS26383 Baxet Group Inc.
New #SocGholish C2:
hXXps://cpanel.realizr[.]today/ajaxAction
cpanel.realizr[.]today
157[.]254.167.71
AS17378 TierPoint, LLC
argh. that should be:
login-live-microsoft[.]org
Detected #KongTuke infection chain
Compromised site
-->
cellinifurniture[.]com/6n9m.js
-->
cellinifurniture[.]com/js.php (ClickFix)
-->
login-l.ive-microsof.t[.]org
Detected #KongTuke infection chain
Compromised site
-->
cellinifurniture[.]com/6n9m.js
-->
cellinifurniture[.]com/js.php (ClickFix)
-->
login-li.ve-microsoft[.]org
Client Info
Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst