#IOCS

2026-02-05

To follow up on the earlier thread, the impersonation of AECOM HR, part 2, continues with the malicious actors responding to my reply.

I had responded to the threat actor, providing availability for a conversation. The threat actor responded with the questions below at 0331 AM PT 2026-02-04. This should have been a big tell for me as the spoofed HR persona is located in Portland, OR and not likely working in the middle of the night.
Then, when I had not responded, they replied to the same email thread with the same content at 1737 PM PT 2026-02-04. This is what triggered my further analysis and led me to recognize the miscreant at work.
I posted the IOCs and details on my GitHub:
github.com/obrientg/Analysis/b

#jobsearch #fraud #impersonation #informationsecurity #abuse #risk #riskmanagement #gethired #hiring #threatintel #IOC #IOCs #gethired #hiring #threatlandscape #getFediHired #threatInteligence #cybersecurity #phishing

🚨 A new Go-based #ransomware is active. GREENBLOOD encrypts files fast using ChaCha8 and tries to delete its executable to reduce visibility. Attackers threaten victims with leaking stolen data on their TOR-based website, creating business and compliance risks.

#ANYRUN Sandbox exposed ransomware behavior and cleanup attempts in real time, so SOC teams can act before the damage spreads.

👾 See the analysis session and collect #IOCs to speed up detection and response: app.any.run/tasks/6f5d3098-14c

🔍 Pivot from IOCs and subscribe to Query Updates to proactively track evolving attacks: intelligence.any.run/analysis/

👨‍💻 Learn how #ANYRUN Sandbox helps SOC teams detect complex threats early: any.run/features/?utm_source=m

IOCs:
12bba7161d07efcb1b14d30054901ac9ffe5202972437b0c47c88d71e45c7176
5d234c382e0d8916bccbc5f50c8759e0fa62ac6740ae00f4923d4f2c03967d7a

#cybersecurity #infosec

:mastodon: deciodecio@infosec.exchange
2026-02-04

For hunting and verification in network logs, particularly for the period June ➡️ December 2025

👇

validin.com/blog/exploring_not

⬇️

🔍 IOC — Validin (Exploring Notepad++ network indicators)

These IOCs come from the analysis report on the C2 infrastructure associated with the Notepad++ attack (as listed in the Validin article).


👇

securelist.com/notepad-supply-

🔍 IOC — Securelist (Notepad supply chain attack)

This article provides several categories of indicators (malicious update machines, C2, files, etc.).


#CyberVeille #NotepadPlusPlus #IoCs

Timeline illustrating the different stages of the Notepad++ supply chain attack between June and December: compromise of the Notepad++ server in June, Chain 1 in late July to early August, Chain 2 in mid-September, IP address change (Chain 3) in early October, another IP change in mid-October, modification of the malicious server URL in late October, then remediation of the attack on the update server in December.

⚠️ #BQTLock ransomware uses #Remcos injected into explorer.exe to hide inside normal system activity. In the #ANYRUN Sandbox, behavioral analysis and file system monitoring exposed a UAC bypass via fodhelper.exe, followed by persistence through autorun mechanisms with elevated privileges.

👾 Once elevated, the malware moves into data theft and screen capture. See the full execution chain and collect #IOCs to speed up detection and cut response time: app.any.run/tasks/90be5f16-fdd

👨‍💻 Learn how #ANYRUN Sandbox helps SOC teams detect complex threats early: any.run/features/?utm_source=m

#cybersecurity #infosec

🚨 #RustyWater: How Word Macros Still Enable Initial Access
Macro execution blends into normal document use and often runs before security tools raise alerts. In this case, the attack chain starts with a malicious Word document whose macros drop and execute the RustyWater implant.

The activity is linked to a #MuddyWater spearphishing campaign aimed at high-risk sectors.

⚠️ The implant launches from ProgramData via cmd[.]exe, bypassing static detection and pushing defenders straight into the incident response phase.

Execution pattern breakdown:
1️⃣ Document_Open
The macros trigger WriteHexToFile and love_me__ once the document is opened.

2️⃣ WriteHexToFile
Hex data from UserForm1.TextBox1 is cleaned, converted to bytes, and written to C:\ProgramData\CertificationKit[.]ini. This function acts as a dropper for the implant.

3️⃣ love_me__
The macro dynamically constructs WScript[.]Shell using Chr() and creates the object. It then builds and runs the command: cmd.exe /c C:\ProgramData\CertificationKit[.]ini. The implant runs without a visible window.

4️⃣ Strings, object names, and commands are obfuscated to complicate static inspection and signature-based detection.

👨‍💻 See live execution and download actionable report: app.any.run/tasks/6f60427a-522

❗️ Why does macro-based initial access still work?
Macros execute payloads before actionable alerts appear. The delayed visibility forces teams to investigate after execution has already occurred. Earlier behavioral visibility helps contain threats before escalation, reducing investigation time and business impact.

🔍 Find similar Word macros-on-open cases and pivot from #IOCs in TI Lookup: intelligence.any.run/analysis/

IOCs:
f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f
7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58
nomercys[.]it[.]com

🚀 Speed up detection and gain full visibility into complex threats with #ANYRUN. Sign up: app.any.run/?utm_source=mastod

#cybersecurity #infosec

2026-01-18

aww man, looking around to see if anyone has already done some reversing/modding work on a game that's piqued my interest recently has led me to this itch account using the blog feature to redirect to fake downloads.

httpX://itch[.]io/blog/1318716/hollow-knight-silksong-mod-menu-software-for-pc-control-

Initial landing page: gitcompiler[.]com appears to call out and test 3 subdomains to redirect to, which in turn will send to a landing page (though 2 of the domains have busted CORS rules and don't work anyway).

Interestingly, I was only able to download the sample on my Linux machine by using the "responsive mode" emulating a mobile device in Firefox (for the purpose of User Agent spoofing). Anyrun and VirusTotal didn't pick anything up, but another user got some signals using the Recorded Future sandbox under a different download.

As much as I'd love to try and dig at it myself to practice some reversing, I don't have the setup here to do anything of the sort safely.

reuploaded sample: app.any.run/tasks/5ee02578-a65
sample from malicious host: app.any.run/tasks/eb5dc590-a83
public sandbox: tria.ge/260117-qf18ysat4c

virustotal.com/gui/file/f6dfc0

#iocs #itch

// Primary landing page 

*.gitcompiler[.]com

// Redirect mirrors, contains an AES encrypted url in /head/meta[name='token']

httpX://digitalwavesway[.]com

httpX://gametolifeservers[.]com

httpX://techflowtime[.]com

// landing page for digitalwavesway

httpX://mailer.soham-sn[.]com/

// redirects to this anon filehost for applicable UAs

httpX://download.us-east-1.fromsmash[.]co/transfer/o__j34ymsr-et/file/57f99acc7c450b6d46375299cfea313a04b5c9d2?identity=a3aa69c86700fc05b854066a0e9dc0c5-46a18736882df635ff3cb7ed43d39ba05859a992c5ec0d2b7ef47c8d99fc4de6c7884d5fcf7019eafa90291a05c7421c3ef7b7b78d70fbcdced31f8a3b50dec16c04299c9ea69377415fe2a33d26899c&Expires=1768719805&Key-Pair-Id=APKAIM76HR2FWFZRN3HA&Signature=eG9gFcmZF2zZXoRTPyWemG0syj4bEbtNOitCECgcjF-XyQzUb6i9skCN~9pKcSr0n31JPfnCbfSytbNS1MdgsbQH5kpxQQthp4bhK38Xqmbsd~Gc-VgT7M~3ml7K0H1uiPrvd8eu7oWTWEaUJJjyAn-ZbqAVRSD99AjhJ8O~yWD49~nlYowUR0fO7R-gPtNd1BtB278xB3DdW0js1M2os8T5AwIULZKOW3-oDjMhrAXCfqzwGOrH8GxNyJpA09sP8ZBWvDOb73ykYWb47~UZPBLV0T2hnWGkDW5ZHoKhZUwedrankpheTBG51DeSM81OZi3ZPOEbngtGZDvtIYQtEg__

🚨 #Phishing on Trusted Cloud Infrastructure: Google, Microsoft, Cloudflare.
We’re tracking a growing trend where phishing kit infrastructure is hosted on legitimate cloud and CDN platforms, not newly registered domains. In some cases, these campaigns specifically target enterprise users. This creates serious visibility challenges for security teams.

We’ve observed this pattern across multiple #phishkits:
🔹 #Tycoon hosted on alencure[.]blob[.]core[.]windows[.]net (Microsoft Azure Blob Storage): app.any.run/tasks/29b53d89-99b
⚠️ #Sneaky2FA hosted on legitimate cloud platforms, filtering out free email domains via a fake Microsoft 365 login to target corporate accounts:
firebasestorage[.]googleapis[.]com (Cloud Storage for Firebase): app.any.run/tasks/8189dd5e-015
cloudfront[.]net (AWS CloudFront): app.any.run/tasks/9a2d1537-e95
🔹 #EvilProxy hosted on sites[.]google[.]com (Google Sites): app.any.run/tasks/07995c22-6e7

Victims see a “trusted” provider domain, while the network only sees normal HTML being loaded from cloud infrastructure. What looks clean at first glance is exposed by #ANYRUN Sandbox in under 60 seconds, directly reducing MTTD and MTTR.

🔍 Hunt for related activity and pivot from #IOCs using these search queries in TI Lookup:
🔹 Microsoft Azure Blob Storage abuse: intelligence.any.run/analysis/
🔹 Firebase Cloud Storage abuse: intelligence.any.run/analysis/
🔹 Google Sites abuse: intelligence.any.run/analysis/

Many security vendors will flag these domains as legitimate. Technically, they are. That’s why security teams need behavioral analysis and network-level signals to reliably uncover phishing before impact.

🚀 Speed up detection and gain full visibility into complex threats with #ANYRUN. Sign up: app.any.run/?utm_source=mastod
#ExploreWithANYRUN

#IOCs:
mphdvh[.]icu
kamitore[.]com
aircosspascual[.]com
Lustefea[.]my[.]id

#cybersecurity #infosec

🚨 #CastleLoader attacks government agencies, compromising up to 400+ devices at once.

Its unusual process hollowing via an AutoIt3 script is hard for EDR to detect.

See full analysis with extracted runtime config, C2s, and #IOCs 👇
any.run/cybersecurity-blog/cas

#cybersecurity #infosec

🔍 Fresh, actionable threat intelligence for security leaders.
This report covers three high-impact malware families affecting Windows and mobile environments:
🔹 #Albiriox, an Android banking trojan offered as MaaS, combining VNC-based remote control and overlays to bypass protections in 400+ financial apps.
🔹 #OctoRAT, a .NET-based Windows RAT with UAC bypass, credential theft, proxying, and full remote control for long-term access.
🔹 #GuLoader, a downloader using heavily obfuscated PowerShell, shellcode, and process injection to deliver RATs and infostealers.

👨‍💻 Explore an exclusive report with #IOCs, YARA, and detection insights in the TI Lookup Premium plan: intelligence.any.run/reports/6

New to TI Lookup? Start a trial to explore more in-depth analyses of active threats and APTs: any.run/plans-ti/?utm_source=m

#cybersecurity #infosec

2026-01-04

Command-and-control IPv4 map, 2025-12-22 to 2026-01-04 #IOCs
abjuri5t.github.io/SarlackLab/

156.234.96[.]0/20
103.48.132[.]0/22
156.234.152[.]0/23
156.234.208[.]0/23
156.234.145[.]0/24
103.41.6[.]0/23
156.234.216[.]0/21
156.234.252[.]0/22
104.140.144[.]0/20

2026-01-04

Already in holiday mode? Don’t switch off yet.
Year-end emails about bonuses, HR requests, and finance updates feel routine. That is exactly why attackers use them as #phishing lures.

👨‍💻 Explore an exclusive report with examples and #IOCs in the TI Lookup Premium plan: intelligence.any.run/reports/1

New to TI Lookup? Start a trial to explore more in-depth analyses of active threats and APTs: any.run/plans-ti/?utm_source=m

#cybersecurity #infosec

🚨 #Udados: New Botnet Behind HTTP Flood #DDoS Attacks
⚠️ We identified a new botnet #malware family and named it Udados. Its activity is linked primarily to the Technology and Telecommunications sectors.

Infected hosts communicate with a C2 and receive commands to launch HTTP flood DDoS attacks. Once triggered, they send high volumes of HTTP POST requests to the victim’s domain, generating sustained attack traffic.

❗️ The malware connects to infrastructure hosted in a frequently abused ASN (AS214943 – RAILNET) at IP 178[.]16[.]54[.]87.

HTTP-based flooding remains effective because it can blend into legitimate traffic, delaying mitigation and disrupting business continuity. For defenders, this highlights the importance of understanding how C2 commands translate into attack traffic to limit downtime and financial impact.

👨‍💻 See Udados’ DDoS execution chain and traffic patterns in the #ANYRUN Sandbox: app.any.run/tasks/a85696de-147

📤 The infected host sends structured JSON data to the C2, including:
Uid: user ID
St: task execution status
Msg: status message sent to C2
Tid: task ID
Bv: bot version
Priv: privilege level on the system
Src: DNS-beacon
Sys: system information of the infected host

📥 In response, the C2 issues commands containing:
Id: C2 response identifier
Command: C2 command, for instance, !httppost, which triggers the HTTP POST DDoS module
888: attack duration
88: number of threads
Base64: data sent in POST requests to overload the target server: {"data":"random_data_0.28543390397237833"}

📌 How to detect:
Track HTTP requests to the specific URI /uda/ph.php. Inspect the request body for characteristic parameters such as uid, st, msg, tid, bv, priv, src, sys. Monitor short-term spikes in outbound HTTP activity from a single host to external destinations.

🔍 Search for Udados-related activity and pivot across infrastructure using TI Lookup: intelligence.any.run/analysis/

#IOCs
SHA256:
7e2350cda89ffedc7bd060962533ff1591424cd2aa19cd0bef219ebd576566bb
770d78f34395c72191c8b865c08b08908dff6ac572ade06396d175530b0403b8
IP: 178[.]16[.]54[.]87
URI: /uda/ph[.]php
Domain: ryxuz[.]com
Request body: uid, st, msg, tid, bv, priv, src, sys

🚀 Speed up detection and gain full visibility into complex threats with #ANYRUN. Sign up: app.any.run/?utm_source=mastod

#cybersecurity #infosec
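Detection logic for the check-in and flood traffic described in the Udados post above, as an added example that is not part of the original post or of ANY.RUN's tooling. The URI and the body parameter names come from the post; the log line format, the sample lines, and the thresholds MIN_PARAM_MATCHES and SPIKE_THRESHOLD are constructed assumptions.

```python
"""Flag Udados-style bot traffic in a constructed outbound HTTP log.

Two signals from the post: requests to /uda/ph.php or carrying the bot's
check-in parameters (uid, st, msg, tid, bv, priv, src, sys), and a
short-term spike of outbound POSTs from a single host (the HTTP flood).
"""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs

UDADOS_URI = "/uda/ph.php"                       # from the post
UDADOS_PARAMS = {"uid", "st", "msg", "tid", "bv", "priv", "src", "sys"}
MIN_PARAM_MATCHES = 5     # assumption: 5 of 8 keys present is a strong match
SPIKE_THRESHOLD = 50      # assumption: POSTs per host per 10-second window

# Constructed log format: "<epoch> <src_ip> <method> <host> <uri> [<body>]"
LOG_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+) (\S+) ?(.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, uri, body = m.groups()
    return {"ts": int(ts), "src": src, "method": method,
            "host": host, "uri": uri, "body": body}


def body_keys(body):
    """Top-level keys of a JSON-object body, or the keys of a form body.

    The post shows the check-in as JSON (Uid, St, ...) and lists the
    parameters in lowercase, so keys are normalised to lowercase.
    """
    try:
        obj = json.loads(body)
        if isinstance(obj, dict):
            return {k.lower() for k in obj}
    except ValueError:
        pass
    return {k.lower() for k in parse_qs(body, keep_blank_values=True)}


def checkin_score(body):
    """Number of Udados check-in parameter names present in the body."""
    return len(body_keys(body) & UDADOS_PARAMS)


def detect(lines, window=10):
    """Return (c2_hits, flood_hosts) for an iterable of log lines.

    c2_hits: list of (src_ip, uri, reason) for C2 check-in candidates.
    flood_hosts: set of src_ips exceeding SPIKE_THRESHOLD POSTs in a window.
    """
    c2_hits = []
    buckets = defaultdict(int)          # (src_ip, window index) -> POST count
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["uri"] == UDADOS_URI:
            c2_hits.append((ev["src"], ev["uri"], "uri"))
        elif ev["method"] == "POST" and checkin_score(ev["body"]) >= MIN_PARAM_MATCHES:
            c2_hits.append((ev["src"], ev["uri"], "params"))   # URI rotated
        if ev["method"] == "POST":
            buckets[(ev["src"], ev["ts"] // window)] += 1
    flood_hosts = {src for (src, _), n in buckets.items() if n > SPIKE_THRESHOLD}
    return c2_hits, flood_hosts


# Constructed sample log: one check-in to the C2 IP from the post, one check-in
# on a renamed path, benign traffic, then 60 flood POSTs in one 10-second window.
SAMPLE_LOG = [
    '1704326400 10.0.0.5 POST 178.16.54.87 /uda/ph.php {"Uid":"a1","St":"0","Msg":"ready","Tid":"0","Bv":"1.2","Priv":"user","Src":"DNS-beacon","Sys":"Win10"}',
    '1704326405 10.0.0.7 POST ryxuz.com /x/y.php uid=b2&st=1&msg=done&tid=3&bv=1.2&priv=admin&src=dns&sys=win11',
    '1704326406 10.0.0.9 GET www.example.com /index.html',
    '1704326407 10.0.0.9 POST www.example.com /login user=alice&pass=x',
] + [f'{1704326410 + i % 10} 10.0.0.5 POST victim.example /index.php {{"data":"random_data_0.{i}"}}'
     for i in range(60)]

if __name__ == "__main__":
    hits, floods = detect(SAMPLE_LOG)
    print("C2 check-in candidates:", hits)
    print("HTTP flood sources:", floods)
```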

🚨 Stego-Based Delivery Chain Targeting Windows Environments

⚠️ #LOTUSHARVEST blends into legitimate activity, creating visibility gaps that raise the risk of delayed detection and costly compromise for enterprises.

The attack starts with an LNK shortcut disguised as a PDF CV and a “PNG image”. In #ANYRUN Sandbox, the full execution chain becomes visible, exposing how the #malware stages payloads and bypasses detection.

The malware uses findstr.exe, a text-filtering and pattern-search utility (T1564), to locate the required parts inside the “PNG image”. The temporary file with the Base64 string is then cleaned of noise and moved into ProgramData (T1059.003).

❗️ What makes this chain stand out:
1️⃣ Abuse of ftp.exe as a script runner
ftp -s:<file> executes any line that looks like an FTP command, even local shell commands starting with !. LOTUSHARVEST places ASCII instructions at the top of the PNG, turning it into a pseudo-script (T1202, T1218).

2️⃣ PNG as a stacked container
The PNG is a multi-layered container holding a script, a PDF fragment, and an encoded PE (T1027.003), enabling stealthy delivery without extra artifacts.

3️⃣ DeviceCredentialDeployment.exe used as a LOLBin
This legitimate Windows component can hide console windows. LOTUSHARVEST uses it to run command chains invisibly (T1564.003), making detection harder.

👨‍💻 #ANYRUN Sandbox detected and executed LOTUSHARVEST in real time. See the analysis session: app.any.run/tasks/228cbbb7-b55

Attackers rely on legitimate utilities and layered containers to remain persistent without raising alerts. For security teams, understanding these techniques is essential for spotting malicious activity early and stopping breaches before they escalate.

🔍 Track similar activity and pivot from #IOCs using TI Lookup:
Suspicious use of ftp.exe: intelligence.any.run/analysis/
Suspicious LNK patterns: intelligence.any.run/analysis/
Hidden DeviceCredentialDeployment.exe execution: intelligence.any.run/analysis/

💬 Find IOCs in the comments.

🚀 Speed up detection and gain full visibility into complex threats with #ANYRUN. Sign up: app.any.run/?utm_source=mastod

#cybersecurity #infosec

2025-11-26

RE: chaos.social/@christopherkunz/

potentially pivotal: key indicators of compromise (#IoCs) identified by GitLab's Vulnerability Research team concerning an active, large-scale supply chain attack on the #npm ecosystem.
#DevSecOps

🚨 JSGuLdr: Multi-Stage Loader Delivering PhantomStealer
TL;DR: We identified #JSGuLdr, a multi-stage JavaScript-to-PowerShell loader used to deliver #PhantomStealer. A JScript file triggers PowerShell through an Explorer COM call, pulls the second stage from %APPDATA%\Registreri62, then uses Net.WebClient to fetch an encrypted payload from Google Drive into %APPDATA%\Autorise131[.]Tel. The payload is decoded in memory and loaded, with PhantomStealer injected into msiexec.exe.

⚠️ The chain combines obfuscation, cloud-hosted payloads, COM-based execution, and fileless in-memory loading, making it difficult to detect with automated or static detection solutions.

Execution chain: wscript.exe ➡️ explorer.exe (svchost.exe) ➡️ explorer.exe (COM) ➡️ powershell.exe ➡️ msiexec.exe

👨‍💻 See analysis session: app.any.run/tasks/7b295f6f-5f1

Stage 1️⃣: The sample is an obfuscated JScript script signed with a fake Authenticode certificate to bypass trust checks. It builds an encrypted PowerShell string and writes it to %APPDATA%\Registreri62, forming the second stage.

Through Shell.Application and Explorer COM interaction, the script launches powershell.exe under explorer.exe, masking the execution chain as normal user activity.

🎯 TTPs: Obfuscation (T1027), Signed binary proxy execution (T1553.006), COM interaction (T1559.001), Proxy execution via explorer.exe (T1218)

Stage 2️⃣: The PowerShell code decodes and runs %APPDATA%\Registreri62, reconstructing hidden commands (iex) and loading a new payload from Google Drive. The file is saved as an encrypted container for the third stage.

🎯 TTPs: Encrypted payload download (T1105), Cloud storage abuse (T1105), Local file staging (T1074.001)

Stage 3️⃣: Autorise131[.]Tel acts as an on-disk container for an in-memory payload.
The same PowerShell process decodes it, extracts bytes, and executes the result through Invoke-Expression, running PhantomStealer filelessly in memory.

The payload is injected into msiexec.exe, enabling PhantomStealer to steal data.

🎯 TTPs: Fileless execution (T1059.001), Reflective .NET module loading (T1620), Process injection (T1055), Proxy execution via msiexec.exe (T1218.007)

🔍 Track similar activity and pivot from IOCs using this TI Lookup search query: intelligence.any.run/analysis/

#IOCs:
URL: hxxps://drive[.]google[.]com/uc?export=download&id=1gUB_fKBej5Va_l3ZSEXk_7r5Q4EeJuwd
Files: %APPDATA%\Registreri62, %APPDATA%\Autorise131[.]Tel
CMD: powershell.exe "$Citize=$env:appdata+'\Registreri62';$Guazuma=gc $Citize;$Aristape=$Guazuma[4460..4462] -join ''"

🚀 Gain fast detection and full visibility with #ANYRUN. Sign up: app.any.run/?utm_source=mastod

#cybersecurity #infosec

⚠️ Gunra is a fast-growing #ransomware using Conti-based code and double extortion

It targets healthcare, manufacturing, and other sectors worldwide, deletes recovery options, and encrypts data across entire networks

👾 Explore analysis & gather #IOCs: any.run/malware-trends/gunra/?

#cybersecurity

abuse.ch :verified:abuse_ch@ioc.exchange
2025-11-11

Over the past 30 days, our community shared 27,165 new #IOCs on ThreatFox 🦊 — an 18% increase from the previous month.

👏 Huge shoutout to 'juroots', our top contributor with 2,746 IOCs submitted.
💀 The most-shared malware family (or in this case framework)? Clearfake, with 2,817 IOCs reported.

Find the full breakdown here: 👉 threatfox.abuse.ch/statistics/

#ThreatFox #CommunityPower #SharingIsCaring #CyberThreatIntel

Total IOCs Shared (Last 30 Days)

🚨#XWorm: PNGs hiding an in-memory loader.
A malicious JavaScript installer named PurchaseOrder_25005092.JS is delivered via #phishing pages and emails (T1566.001). The script uses an IIFE-style obfuscation (T1027), writes three staged files to C:\Users\PUBLIC, and creates a scheduled task to ensure persistence (T1053.005).

This JS checks for required artifacts and, if missing, writes them to disk using long Base64 blobs and AES-encrypted strings (T1027.013). The staged files are named Kile.cmd, Vile.png, and Mands.png.

⚠️ The .png files are not images; they are storage containers for Base64-encoded encrypted payloads (T1036.008). It is a common technique to evade quick detection.

Kile.cmd is a heavily obfuscated batch script with variable noise, percent-based substitutions, and chunked Base64 fragments that reassembles commands at runtime.

❗️ At execution, the JS reconstructs readable commands from those fragments and launches a PowerShell payload (T1059). The PowerShell is a two-stage AES-CBC loader:
1️⃣ Reads C:\Users\PUBLIC\Mands.png as Base64 ➡️ AES-decrypt ➡️ yields Base64-encoded commands. Each command is decoded and executed via Invoke-Expression (IEX). This acts as a command runner.

2️⃣ Reads C:\Users\PUBLIC\Vile.png as Base64 ➡️ AES-decrypt ➡️ raw bytes. The loader attempts to load a .NET assembly from memory and execute its entry point (T1620).

This is an in-memory assembly loader, a fileless/memory-loader pattern: command runner + in-memory payload.

👾 At the end, PowerShell runs an assembly in memory to launch XWorm.

A single successful XWorm infection can give adversaries access to critical systems, leading to breaches and operational disruption. Once inside, attackers can steal data, move laterally, and cause costly downtime.

👨‍💻 Get fast detection and full visibility with #ANYRUN. See live execution and download actionable report: app.any.run/tasks/bec21e02-8fb

👨‍🍳 Use this CyberChef recipe to decode the final PowerShell string:
gchq.github.io/CyberChef/#reci

🔍 Find similar campaigns using these TI Lookup search queries and enrich #IOCs:
🔹 PowerShell .Replace() obfuscation: intelligence.any.run/analysis/
🔹 PowerShell invoking IEX: intelligence.any.run/analysis/
🔹 JS droppers in Public\Libraries: intelligence.any.run/analysis/

Gain full visibility with #ANYRUN to make faster, smarter security decisions 🚀

#cybersecurity #infosec

🚨 How #Pxastealer Uses Masquerading: Execution Flow and TTPs.
⚠️ Pxastealer is delivered through archive links in #phishing emails, bypassing automated filters. Masquerading hides execution and gives attackers time to exfiltrate data.

Execution flow & TTPs:
1️⃣ Initial Access (T1566.002): A victim clicks a link to a malicious archive in a spearphishing email.
2️⃣ Execution & Cleanup (T1059.003, T1070.004): cmd.exe runs a long command chain and deletes traces.
3️⃣ Defense Evasion (T1036.008, T1140, T1027): A fake Word file opens to mask background activity, while certutil -decode turns a fake “financial report” into an archive masked as Invoice.pdf. Another file posing as a .jpg unpacks the payload, hiding malicious activity behind trusted formats.
4️⃣ Execution / Masquerading (T1036.005): The attack unpacks Python files and runs Pxastealer under the name svchost.exe, using a trusted filename outside System32 to evade detection.
5️⃣ Persistence (T1547.001): Adds autorun via command line.
6️⃣ Exfiltration / C2 (T1567, T1071.001): Pxastealer exfiltrates data via Telegram.

👨‍💻 Examine Pxastealer behavior and collect #IOCs: app.any.run/tasks/eca98143-ba8
🔍 Further investigate the threat, track campaigns, and enrich IOCs with live attack data:
🔹 intelligence.any.run/analysis/
🔹 intelligence.any.run/analysis/

IOCs:
Sha256: 81918ea5fa5529f04a00bafc7e3fb54978a0b7790cfc7a5dad9fa9640666560a (svchost.exe)

🚀 Gain full visibility with #ANYRUN to make faster, smarter security decisions.

#Cybersecurity #infosec

🚀 Power your @ThreatQuotient setup with fresh, actionable, 99% unique #IOCs from TI Feeds.

Expand threat coverage, shorten MTTR, and solve alert overload.

Deploy via STIX/TAXII connector in 5 minutes 👇
any.run/cybersecurity-blog/thr

#Cybersecurity #infosec
