#asyncrat — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #asyncrat, aggregated by home.social.
-
@malware_traffic Thank you for sharing Brad!
The TLS traffic to 173.232.146.62:25658 looks like #AsyncRAT or possibly #PureRAT. Can you confirm if it was generated by the powershell script with MD5 90389d2988cce2fe508087618dd2f519 from fnjnbehjangelkd[.]top?
-
A domain registration is more like a lease rather than a deed. You get the exclusive right to use a domain name for a fixed term, but if you miss renewal, someone else can swoop in. What's scary is that with dropcatch services, cybercriminals can automate monitoring of pending‑delete domains and fire off registrations the split‑second a name is deleted by the registry and becomes available again. Think hawks circling for high‑value prey. 🦅
That's what happened to fita[.]org, a popular website owned by the Federation of International Trade Associations (FITA) and referenced by many government bodies including the International Trade Administration (trade.gov). The domain now sits behind Cloudflare and functions as a command-and-control (C2) for the AsyncRAT malware. The actor controlling it also stood up these C2 endpoints:
90phutif[.]cc, 90phutis[.]cc, 90phutiv[.]cc, 90phuttn[.]cc, xoilaclinkf[.]cc, xoilactivi[.]uk, xoilactivik[.]cc, xoilactivil[.]cc, xoilactivim[.]cc, xoilactivin[.]cc, xoilactivio[.]cc, xoilactivip[.]cc, xoilactiviq[.]cc, xoilactivir[.]cc, xoilactivis[.]cc, xoilactivit[.]cc, xoilactiviu[.]cc, xoilactiviv[.]cc, xoilactiviw[.]cc, xoilactivix[.]cc, xoilactiviy[.]cc, xoilactiviz[.]cc, xoilacvnnc[.]tv, xoilacvnnf[.]tv, xoilacvzb[.]cc, xoilacvzc[.]cc, xoilacvze[.]cc, xoilacvzi[.]cc, xoilacvzk[.]cc, xoilacvzn[.]cc, xoilacvzp[.]cc, xoilacvzq[.]cc, xoilacvzz[.]cc, xoilacyys[.]cc, xoilaczc[.]mobi, xoilaczzbb[.]cc, xoilaczzczz[.]tv, xoilaczzdd[.]cc, xoilaczzdzz[.]tv, xoilaczziz[.]tv, xoilaczzszz[.]tv, xoilaczzvzz[.]tv
So make sure to set auto-pay for any valuable domains you possess 💳, otherwise you risk losing them. Proactive IT governance is also part of security.
#InfobloxThreatIntel #dns #async #threatintel #threatintelligence #infosec #cybersecurity #cybercrime #infoblox #rat #asyncrat #malware #dropcatch #domain #cloudflare #remoteaccesstrojan #infostealer #c2
-
I finished compiling the information for #Kongtuke #ClickFix activity using the finger command on 2025-12-11, and it's now live at www.malware-traffic-analysis.net/2025/12/11/index2.html
I'd already posted the #SmartApeSG ClickFix activity using finger that same day, so now both are available.
I had to run the ClickFix command on a physical host because the C2 server didn't like me when I initially tried it on a VM.
Post-infection traffic looks like the same type of #AsyncRAT I've seen before, and some Tor traffic from whatever the follow-up malware is.
It's a 221 MB zip archive containing the #pcap for the full infection, and it's about the same size as the zip archive containing forensic artifacts from the infected host.
-
ShinyHunters Wage Broad Corporate Extortion Spree https://krebsonsecurity.com/2025/10/shinyhunters-wage-broad-corporate-extortion-spree/ #ScatteredLAPSUS$Hunters #OracleEBusinessSuite #Ne'er-Do-WellNews #CharlesCarmichael #CrimsonCollective #ALittleSunshine #LatestWarnings #TheComingStorm #AustinLarsen #CVE202561882 #ShinyHunters #Ransomware #Salesforce #Salesloft #ASYNCRAT #UNC6040 #UNC6395
-
ShinyHunters Wage Broad Corporate Extortion Spree
https://krebsonsecurity.com/2025/10/shinyhunters-wage-broad-corporate-extortion-spree/
#ScatteredLAPSUS$Hunters #OracleE-BusinessSuite #Ne'er-Do-WellNews #CharlesCarmichael #CrimsonCollective #ALittleSunshine #LatestWarnings #TheComingStorm #CVE-2025-61882 #AustinLarsen #ShinyHunters #Ransomware #Salesforce #Salesloft #ASYNCRAT #UNC6040 #UNC6395
-
China-Linked AI Pentest Tool ‘Villager’ Raises Concern After 10K Downloads https://hackread.com/china-ai-pentest-tool-villager-10k-downloads/ #Cybersecurity #CobaltStrike #Cyberspike #Security #AsyncRAT #Straiker #Villager #HSCSEC #China #PyPI #CTF
-
This widely used Remote Monitoring tool is being used to deploy AsyncRAT to steal passwords | TechRadar https://www.techradar.com/pro/security/this-widely-used-remote-monitoring-tool-is-being-used-to-deploy-asyncrat-to-steal-passwords
#cybersecurity #ScreenConnect #AsyncRAT #fileless #malware
-
Attackers abuse ConnectWise ScreenConnect to drop AsyncRAT – Source: securityaffairs.com https://ciso2ciso.com/attackers-abuse-connectwise-screenconnect-to-drop-asyncrat-source-securityaffairs-com/ #rssfeedpostgeneratorecho #informationsecuritynews #ITInformationSecurity #SecurityAffairscom #CyberSecurityNews #PierluigiPaganini #filelessmalware #SecurityAffairs #SecurityAffairs #BreakingNews #SecurityNews #hackingnews #AsyncRAT #Security #hacking #Malware #RAT
-
AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto – Source:thehackernews.com https://ciso2ciso.com/asyncrat-exploits-connectwise-screenconnect-to-steal-credentials-and-crypto-sourcethehackernews-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #TheHackerNews #AsyncRAT
-
New Fileless Malware Attack Uses AsyncRAT for Credential Theft https://hackread.com/fileless-malware-attack-asyncrat-credential-theft/ #Cybersecurity #ScreenConnect #CyberAttack #SentinelOne #Security #AsyncRAT #Fileless #Malware #TROJAN
-
New Fileless Malware Attack Uses AsyncRAT for Credential Theft – Source:hackread.com https://ciso2ciso.com/new-fileless-malware-attack-uses-asyncrat-for-credential-theft-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #ScreenConnect #CyberAttack #SentinelOne #AsyncRAT #Fileless #Hackread #security #malware #trojan
-
Guess we're back to these...:
http://episode-windsor-subdivision-delivery.trycloudflare\.com
https://lol-julian-impossible-bermuda.trycloudflare\.com
https://italia-committees-practical-violence.trycloudflare\.com
#asyncrat #purehvnc #quasarrat
jskeywon.duckdns\.org
jbsak.duckdns\.org
jul5050quasae.duckdns\.org
ksj43ts.duckdns\.org
-
Happy Wednesday everyone!
#GodRAT is a new remote trojan that is targeting financial institutions as reported by Kaspersky. According to their analysis, GodRAT is based on the #Gh0stRAT codebase and uses steganography to evade detection. It supports additional plugins that are used to explore the victim's systems, deploy browser password stealers, and during the attack they even deployed the #AsyncRAT as a backup to maintain access.
Looking at two password stealer payloads can give us some ideas of where to begin a hunt focused on this threat: both the Chrome and MS Edge password stealers added an executable to the path %ALLUSERSPROFILE%\google\ and named them after the browser they were after ("chrome.exe" and "msedge.exe" respectively). An interesting hunt would be to look at new executables added to this directory, OR hunt for executables that may be masquerading as browser-related executables! However you do it, get hunting!
GodRAT – New RAT targeting financial institutions
https://securelist.com/godrat/117119/
Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #IntelDriveThreatHunting
-
GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine – Source:hackread.com https://ciso2ciso.com/github-abused-to-spread-amadey-lumma-and-redline-infostealers-in-ukraine-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #CyberAttacks #CyberAttack #SmokeLoader #Emmenhtal #AsyncRAT #Hackread #security #malware #Redline #Ukraine #Amadey #GitHub #Python #Lumma
-
GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine https://hackread.com/github-abused-amadey-lumma-redline-infostealers-ukraine/ #Cybersecurity #CyberAttacks #CyberAttack #SmokeLoader #Emmenhtal #Security #AsyncRAT #Malware #Redline #Ukraine #Amadey #GitHub #Python #Lumma
-
Unmasking AsyncRAT: Navigating the labyrinth of forks
#AsyncRAT #DCRat #VenomRAT #BoratRAT #NonEuclidRAT #JasonRAT #XieBroRAT
https://www.welivesecurity.com/en/eset-research/unmasking-asyncrat-navigating-labyrinth-forks/
-
The strange tale of ischhfd83: When cybercriminals eat their own – Source: news.sophos.com https://ciso2ciso.com/the-strange-tale-of-ischhfd83-when-cybercriminals-eat-their-own-source-news-sophos-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #cybercrimeforums #ThreatResearch #nakedsecurity #nakedsecurity #lummastealer #SophosXOps #AsyncRAT #backdoor #FEATURED #asyncrat #Backdoor #featured
-
Our new report describes one of the latest observed infection chains (delivering #AsyncRAT) relying on the #Cloudflare tunnel infrastructure and the attacker’s #TTPs with a principal focus on detection opportunities.
https://blog.sekoia.io/detecting-multi-stage-infection-chains-madness/
-
Happy Friday everyone!
I feel like this has become a weekly PSA but Kaspersky Securelist researchers have identified hundreds of #GitHub projects that are serving up malicious code designed to steal saved credentials, cryptocurrency wallets, and browsing history. Sometimes this execution of code leads to the #ASyncRAT or #Quasar Backdoor, but the threat remains the same: blindly executing code from GitHub. I hope you enjoy and Happy Hunting!
The GitVenom campaign: cryptocurrency theft using GitHub
https://securelist.com/gitvenom-campaign/115694/
Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Ghost in the Shell: Null-AMSI Bypasses Security to Deploy AsyncRAT https://thecyberexpress.com/asyncrat-attack/ #TheCyberExpressNews #remoteaccesstrojan #TheCyberExpress #FirewallDaily #ItachiUchiha #SasukeUchiha #DarkWebNews #CyberNews #Null-AMSI #AsyncRAT
-
LNK file with "Copy" command used as a simple downloader for #Xworm #RAT and #AsyncRAT. The source argument of the copy command is a network location in this case, which effectively means that the remote BAT file is downloaded to the victim's computer.
LNK files are often used for malicious purposes. For example, they can be delivered as email attachments and can run malicious PowerShell commands. However, this one is a demonstration of the KISS principle: simple and stupid (or actually smart) usage of an essential utility.
Ref: https://app.any.run/tasks/1cbca783-8323-474e-aa6a-ca655ed6637e/
-
How malware was distributed through a fake KeePass password manager: AsyncRAT, BATLoader
Greetings, and once again I will start with a question, and a fairly difficult one. Do you use password managers, and do you consider them completely safe? Most likely, readers' opinions will split at this point. Some will say they use a notebook and a pen, while others will answer with a firm "yes". Why this question? First, I will note that absolutely nothing in our world can be completely safe: whether it is software, some resource, or even your phone with a thousand protective apps. Second, password managers have lately been letting their customers down very, very often. Today's article is about one such incident. Quite recently, specialists from MalwareBytes discovered an entire scheme of fake resources through which infected versions of the KeePass application were distributed. And it is not at all surprising that this campaign was promoted using GoogleAds (yes, that same annoying advertising that appears when you visit various sites) and SEO Poisoning. It would seem there is nothing surprising here, since this is far from the first time malware has been distributed this way. Google, naturally, is fighting this and fixing vulnerabilities, but so far to no avail. Which, by the way, cannot be said of the human factor: over the past few years most users have figured out that search engines do not always return safe results, which has noticeably reduced the effectiveness of this attack method. But in the KeePass case something else happened. The attackers resorted to using Punycode to make the malicious domain almost identical to the original. In this case the hackers used the Punycode "xn--eepass-vbb.info", which is rendered in the address bar as "ķeepass.info".
-
Decryption of strings from #AsyncRAT/#DcRat/#VenomRAT configuration with #CyberChef. A little bit of #Dotnet #reversing and a commented recipe using registers for PBKDF2 and AES decryption.
Blog post: https://malwarelab.eu/posts/asyncrat-cyberchef/
Recipe with example input: https://tinyurl.com/AsyncRatConfigDecryptor2
-
Just wanted to share these cool Censys Search queries for hunting C2s.
PoshC2s: https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.software.product%3A+poshc2
#poshC2
AsyncRat C2s: https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.software.product%3A+asyncrat
#AsyncRAT
Covenant C2s: https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.software.product%3A+covenant
#covenant
Mythic C2s: https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.software.product%3A+mythic
#mythic
DeimosC2: https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.software.product%3A+deimosc2
#DeimosC2
Other C2s that are not "tarpits": https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=labels:%3Ac2+services.software.product%3A+c2+or+services.software.other.value%3A+c2+and+not+labels%3A+tarpit
#c2
-
#Hackers have devised a novel way to download remote access trojans (RAT) such as #AsyncRAT & #RemcosRAT by abusing the Windows Search Feature.
#infosec #cybersecurity #WindowsSearch #trojan #malware
https://thehackernews.com/2023/07/hackers-abusing-windows-search-feature.html
-
Completed Part 3 of my personal #SocGholish series.
The article digs into the follow-up payloads delivered once the Update.js is executed on a victim machine.
Interestingly, I saw #NetSupport RAT and an unknown (to me) PowerShell C2 beacon be delivered together.
If anyone can shed more light on what the PowerShell beacon may be, it would be much appreciated! Seems to be inspired by #AsyncRAT, though.
Big thanks to @rmceoin for help along the way.
https://rerednawyerg.github.io/posts/malwareanalysis/socgholish_part3
-
Catch up on everything cyber with this week's edition of our SOC Goulash newsletter!:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-373
Images which were redacted or cropped on Google Pixel devices or using the Windows Snipping Tool can be reversed and sensitive data revealed. The bug, dubbed "Acropalypse", may have been fixed but any existing images - be they bank details, nudes, or confidential company information - remain up for grabs.
#Hacktivists launched a week-long, coordinated attack on Australian banks, hospitals, airports and more, in retaliation for an offensive submission by an Australian designer at the Melbourne Fashion Festival, of all things.
The takedown of #BreachForums was made official last week, with the subsequent disarray demonstrating that continued law enforcement action is succeeding in capitalising on the mistrust inherent to the cyber crime ecosystem.
A significant vulnerability in the #WooCommerce Payments plugin can let attackers take over #WordPress sites, and a PoC #exploit has been released publicly for a vulnerability in #Veeam's backup software.
The #blueteam had a great week, with CISA releasing a tool that helps grab #Azure, #M365 and the #Defender suite telemetry to help run ad hoc investigations; #Splunk shared an awesome defensive guide to #ADCS attacks, and we've seen a bunch of great write-ups on #IcedID, #ASyncRAT, and more!
Catch all this and much more in this week's newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-373
#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #acropalypse #OpAustralia #darkweb #CISA
-
This week's newsletter is hot off the press, get it here: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-b16
The #ESXiArgs escapades have gone from bad to okay and back to bad again, after attackers revised their encryption routine to bypass CISA's recovery script, and launched a 2nd wave of attacks that resulted in the reinfection of hundreds of hosts. Worst yet - we don't know how they're doing it, as the OpenSLP service (believed to be their method of ingress) has been disabled in a number of reported infections.
PowerShell isn't dead - The DFIR Report published their analysis of an apparent attack by Iran's Oilrig/APT34, whose initial infection relied exclusively on PowerShell and remained undetected for a significant period of time.
Proofpoint have unveiled #TA866, a savvy threat group that leverages the 404 Traffic Distribution System and the little-known AutoHotKey scripting language to cherry-pick their targets.
#RedTeam members might find the BokuLoader Reflective Loader for #CobaltStrike useful in their next engagements, as well as #LocalPotato - the latest PrivEsc technique to join the Potato family.
#BlueTeam - check out a list of resources that popped up last week to help analyse #ASyncRAT malware and infections, as well as some helpful how-tos on hunting IIS backdoors and DLL abuse techniques.
Happy reading, and happy Monday!
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-b16
#infosec #CyberAttack #Hacked #cyber #news #cybernews #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc #threatintel #threatintelligence #vmware #ESXi
-
📬 Prynt Stealer malware steals hackers' loot
#Hacking #Malware #Softwareentwicklung #AsyncRAT #Backdoor #DarkEye #MalwareasaService #StormKitty #TelegramToken #WorldWind https://tarnkappe.info/artikel/malware/prynt-stealer-malware-stiehlt-hackern-ihre-beute-255168.html