abuse.ch

We’ll be at #PIVOTcon26 next week with Spamhaus Technology Ltd 🙌 Roman Hüssy will be there and keen to catch up with contributors, collaborators, and friendly faces from across the community 😊 Really looking forward to another great event, Pasquale Stirparo, Ph.D. and Bartosz Jerzman. See you all soon!

Botconf2026 is wrapping up, and it’s been a top event 🎉 We’ve been before, but this is the first time we’ve sponsored with our partner Spamhaus Technology Ltd and supported an event that really matters to our community 🙌 Getting to be in the same room, chatting with people who share data with us and use our platforms, doesn’t happen that often, so it’s been great to make the most of it. Huge thanks 🙏 to the Botconf team for having us - we’re glad the choc bars went down well 😋

Our colleagues at Proofpoint have recently uncovered a fake Remote Monitoring and Management Tool (RMM) called #TrustConnect and #DocConnect, which is posing as a RMM 🔎 🖥️ Pivoting on the threat in our collection reveals that the threat actors are spreading the same malware under additional names, including: ➡️ SoftConnect ➡️ HardConnect ➡️ AxisControl Our research has also revealed a couple of interesting findings 🕵 The threat actors: 🛠️ have previously apparently experimented with a legitimate RMM called #ScreenConnect (aka #ConnectWise) before switching to their own fake RMM ☢️ sent several hundred fake emails to recipients in corporate environments 📡 prefer Contabo GmbH in Germany 🇩🇪 for hosting their botnet C2 servers We track this threat on our platforms as #FakeRMM ⤵️ IOCs on ThreatFox: 🦊 https://lnkd.in/esesP8ya Malware samples: 📄 https://lnkd.in/eHq3CzJV

🎉 Excited to support PIVOTcon again this year with our partner Spamhaus Technology Ltd! 📅 If you haven’t added it to your calendar yet, check it out, we can’t recommend it enough 🙌

We received a submission from a contributor on the URLhaus platform today that caught our attention 🔎👀 A threat actor has uploaded multiple #Mirai payloads to a server hosted in AS51396 (PFCLOUD 🇩🇪), using a very specific directory structure that "explicitly" references URLhaus: hXXp://45.153.34[.]201:61440/fuckoffurlhaus/ 👉 https://lnkd.in/eDEU2XKj It appears the actor was “offended” after we took down their previous malware delivery host 💥 This is a good example of how reporting active malware distribution infrastructure to URLhaus has a real impact on cybersecurity worldwide 💪

🎉 Massive shout out to URLhaus Top Contributor “geenensp” First seen April 13th 2020 and since then, they’ve shared an unbelievable 844,345 malware URLs!! 😮 Over the last 30 days, they have shared 8,902 URLs, firmly securing their position at the top of the leaderboard 💪 URLhaus simply wouldn't exist without the help of awesome and committed contributors like this who diligently report malware URLs everyday 🙏 URLhaus stats ➡️ https://lnkd.in/dVVMgJF URLhaus ➡️ https://urlhaus.abuse.ch/ 🫶 #SharingIsCaring #Community #StrengthInUnity

We’ve identified an interesting malware family 🔍, which we’ve named #GrokPy due to its use of a Grok LLM model 🤖 to solve and subsequently bypass CAPTCHAs 🔥 The malware gets dropped by #Amadey and: 🪝 collects information about the infected device, such as screen resolution, public IP & location, ram usage and CPU name 💻 attempts to escalate privileges by running as admin or as a scheduled task ⚙️ uses the CDP (Chrome developer protocol) of either Edge or Chrome installed on the victim machine for further malicious actions 📡 calls back to the botnet C2 on the various stages of the infection and the results of its malicious actions 👱 creates new accounts on Discord to obtain authentication tokens, which are then reported back to the #botnet C2 📧 uses dilly + [a-zA-Z0-9]{8,11}@gmail .com + password [a-zA-Z0-9]{8} as the email and password for the Discord registration process 🔍 has OCR capabilities for screenshots obtained via CDP, which are used to extract text from captcha 🤖 uses a Grok LLM model that resides in the botnet C2 server to solve the captcha Botnet C2 servers are all hosted at Hetzner 🇩🇪 on port 8008 TCP: 46[.]62.225.51 [active] 46[.]62.224.205 46[.]62.205.38 GrokPy malware samples on MalwareBazaar: 📄 https://lnkd.in/eeSSETCv Botnet C2s on ThreatFox: 🦊 https://lnkd.in/e6hnmkNk

Taking down the infrastructure is only half the battle, supporting those affected is just as important. We’re pleased to see The Spamhaus Project stepping in again to help remediate machines infected with the Rhadamanthys malware. 👏👏 #Community #Endgame3 #Remediation

We are excited that we were once again part in the coordinated international operation Endhame 📣, taking action against the notorious information and credential stealer #Rhadamanthys 🪝🕵️ We assisted in the takedown of threat actor infrastructure and share a full list of #Rhadamanthys botnet C2s on ThreatFox 🦊 Top geographical location of Rhadamanthys botnet C2s (Tier-1): #1 209 🇩🇪 #2 207 🇺🇸 #3 205 🇬🇧 #4 78 🇷🇺 Top networks hosting Rhadamanthys botnet C2s (Tier-1): #1   94 AS24940 HETZNER-AS 🇩🇪 #2   93 AS51396 PFCLOUD 🇩🇪 #3   45 AS215826 PARTNER-HOSTING-LTD 🇬🇧 #4   44 AS396073 MAJESTIC-HOSTING-01 🇺🇸 #5  26 AS210644 AEZA-AS 🇬🇧 #6   24 AS215730 H2NEXUS-AS 🇬🇧 #7   21 AS42624 SWISSNETWORK02 🇸🇨 #8   20 AS216071 VDSINA 🇦🇪 #9   19 AS214351 FEMOIT 🇬🇧 #10 19 AS213702 QWINS-LTD 🇬🇧 The full list of Rhadamanthys botnet C2s is available here: 📡 https://lnkd.in/eCQdFzfP More information on #OpEndgame: 💡 https://lnkd.in/e6KakJ2u Official press release from Europol: 👮 https://lnkd.in/eVgVFf8E #OpEndgame #malware #botnet #cti #threatintel

Over the past 30 days, our community shared 27,165 new #IOCs on ThreatFox 🦊 — an 18% increase from the previous month. 👏 Huge shoutout to 'juroots', our top contributor with 2,746 IOCs submitted. 💀 The most-shared malware family (or in this case framework)? Clearfake, with 2,817 IOCs reported. Find the full breakdown here: 👉 https://lnkd.in/eQcMM9qN #ThreatFox #CommunityPower #SharingIsCaring #CyberThreatIntel