#malware #opendir #xloader (small one works, big one not so much) at:

https://royfils\.com/encrypt/

2cd9b8fb88e7cbbc5c049441fb61e0aea7be23dc7aa2c109c13abefe7a2ac943

4733feaca04e871d4e0bb052f2437a2f46f10852602ea4f8b2f0170f4838dd87

#malware #opendir at:

http://179.43.176].109:8081/Downloads/1/

Back in the rest of the #opendir, uploads/ is used by http://app.py, I don't see where downloads_cache is used, but similar agent-[0-9]+ structure. The SANS PDF "All-books-in-oneSANSSEC670RedTeamingTools-DevelopingCustomToolsforWindows.pdf" may be the inspiration behind http://app.py/agent.go

Interesting #OpenDir on #QuasarRat C2 server 185.208.159[.]161:8000 . The open web directory includes source code for a backdoor + misc development artifacts.

https://platform.censys.io/hosts/185.208.159.161
https://search.censys.io/hosts/185.208.159.161

#malware #thread 🧵

#purecryptor #opendir at:

http://198.12.126].164/tst/

#malware #opendir ultimately #venomrat + #hvnc:

https://carltonsfile\.com/mor1/ -> https://paste\.ee/d/c7nSA2yM/0

c2: 109.248.144.175:4449

4541fd01a19f1e484f24eff86f42ac36ea9b30686fd405ca0a50f3e517657a61

#malware #opendir at:

http://176.65.134\.79/HOST/

Unknown stealer botnet C2 targeting LATAM, having #opendir

👉https://urlhaus.abuse.ch/host/almeida.clientepj.com/

Unknown stealer botnet C2 targeting LATAM, having #opendir

👉https://urlhaus.abuse.ch/host/almeida.clientepj.com/

If you're not blocking trycloudflare\.com at the perimeter, now's the time: #opendir 's:

https://em-ash-announcements-alpha.trycloudflare\.com/1DSAHJKSA/ ->
https://did-efficiency-than-lenses.trycloudflare\.com ->
https://reached-theoretical-regular-impact\.trycloudflare.com

#phishing #opendir:

https://dmc.otarvesq\.com/POST/

#opendir with lots of PowerShell fun (spreading #FormBook it seems) ⤵️

https://urlhaus.abuse.ch/host/87.120.120.56/

#webshell #opendir #netsupport #rat at:

https://appointedtimeagriculture\.com/wp-includes/blocks/post-content/

GatewayAddress=95.179.158.213:443
RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA

💡No #opendir? Why don't you check for .DS_Store files listing the structure ?

Our scans found 11,856,006 IPs and DNS exposing the file.

Link: https://leakix.net/search?scope=leak&q=%2Bplugin%3ADotDsStoreOpenPlugin
Ref: https://0day.work/parsing-the-ds_store-file-format/

#opendir at:

https:// superior-somalia-bs-leisure.trycloudflare\.com ->
http:// jsnybsafva\.biz:8030

🚨#OpenDir

hxxp://sremc.duckdns.org

#opendir at:

http://79.124.58.130

malicious #meshagent (https://github.com/Ylianst/MeshAgent);

c2: 94.232.43.185

#venomrat #opendir at:

http://trackingshipmentt\.xyz:9394/
http://trackmyshipeng\.site:9094/

https://app.any.run/tasks/086f767d-cb57-46d0-80f6-1d771148444e/

#snakekelogger hta's at #opendir :

http://192.3.176\.138/xampp/ozon
drops
http://192.3.176\.138/105/sahost.exe (also 106)

d9863b7b710599bc2b308a0b78970da8c42ee5bc6d3dcda05c2de52a88125726

exfils to: resultlog62@gmail.com

#malware #opendir #asyncrat at:

http://horus-protector\.pro/d/