#chacha20 — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #chacha20, aggregated by home.social.
-
ClickFix Removes Your Background but Leaves the Malware
BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.
Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault
-
ClickFix Removes Your Background but Leaves the Malware
BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.
Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault
-
ClickFix Removes Your Background but Leaves the Malware
BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.
Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault
-
ClickFix Removes Your Background but Leaves the Malware
BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.
Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault
-
ClickFix Removes Your Background but Leaves the Malware
BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures.
Pulse ID: 69f36a0940fe2fa665ebe32e
Pulse Link: https://otx.alienvault.com/pulse/69f36a0940fe2fa665ebe32e
Pulse Author: AlienVault
Created: 2026-04-30 14:41:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChaCha20 #Clipboard #CyberSecurity #ICS #InfoSec #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Python #RAT #ShellCode #SocialEngineering #Telegram #bot #cryptocurrency #AlienVault
-
DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet
An exposed open directory on a Netherlands-hosted server revealed the complete operational toolkit of xlabs_v1, a Mirai-derived IoT botnet operated by an actor using the handle Tadashi. The operation provides DDoS-for-hire services specifically targeting game servers and Minecraft hosts through 21 distinct flood attack variants. The botnet exploits Android Debug Bridge (ADB) on TCP/5555 to compromise over 4 million potentially vulnerable IoT devices including Android TV boxes, smart TVs, and routers. The operation features bandwidth profiling to price-tier infected devices, ChaCha20 string encryption with cryptographic weaknesses, and competitor-eradication routines. Infrastructure analysis consolidated the entire operation within a single bulletproof /24 netblock in the Netherlands, with co-located cryptojacking infrastructure also identified.
Pulse ID: 69f25f09e5c3a33611f7cb16
Pulse Link: https://otx.alienvault.com/pulse/69f25f09e5c3a33611f7cb16
Pulse Author: AlienVault
Created: 2026-04-29 19:42:01Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Android #ChaCha20 #CryptoJacking #CyberSecurity #DDoS #DoS #Encryption #InfoSec #IoT #Minecraft #Mirai #OTX #OpenThreatExchange #RAT #TCP #TheNetherlands #bot #botnet #AlienVault
-
VECT: Ransomware by design, Wiper by accident
Check Point Research discovered critical flaws in VECT 2.0 ransomware affecting Windows, Linux, and ESXi platforms. A fundamental encryption implementation error causes files larger than 128 KB to be permanently destroyed rather than encrypted. The malware uses ChaCha20-IETF cipher but only saves one of four decryption nonces required for large files, making recovery impossible even after ransom payment. VECT's encryption speed modes are non-functional, thread scheduling degrades performance, and anti-analysis code is unreachable. Despite partnerships with TeamPCP and BreachForums for distribution, the technical implementation demonstrates amateur execution behind a professional facade. The nonce-handling flaw exists across all platform variants since initial deployment, effectively transforming this ransomware into a wiper for enterprise assets including VM disks, databases, and backups.
Pulse ID: 69f0e1a5f1a168738b4eda1a
Pulse Link: https://otx.alienvault.com/pulse/69f0e1a5f1a168738b4eda1a
Pulse Author: AlienVault
Created: 2026-04-28 16:34:45Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AWS #ChaCha20 #CheckPoint #CyberSecurity #Encryption #InfoSec #Linux #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Windows #bot #AlienVault
-
Direct-Sys Loader and CGrabber Stealer Five-Stage Malware Chain
A sophisticated five-stage malware operation delivers two new malware families: Direct-Sys Loader and CGrabber Stealer. The attack begins with ZIP archives distributed via GitHub user attachment URLs, exploiting a legitimate Microsoft-signed binary (Launcher_x64.exe) for DLL sideloading. Direct-Sys Loader employs ChaCha20 encryption, direct syscall execution, and multiple anti-analysis checks including text file verification, enumeration of 67 analysis tool processes, and hypervisor detection. CGrabber Stealer collects extensive system metadata, browser credentials, cryptocurrency wallets, password managers, VPN configurations, and application artifacts from over 150 applications and extensions. The stealer excludes CIS region systems and uses ChaCha20 encryption with HMAC SHA256 authentication for data exfiltration via custom HTTP headers. Both families share identical cryptographic implementations, suggesting common development origin and representing operationally mature infrastructure designed for larg...
Pulse ID: 69e1fb9b3bbb36c5db446094
Pulse Link: https://otx.alienvault.com/pulse/69e1fb9b3bbb36c5db446094
Pulse Author: AlienVault
Created: 2026-04-17 09:21:31Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #ChaCha20 #CyberSecurity #Encryption #GitHub #HTTP #InfoSec #Mac #Malware #Microsoft #OTX #OpenThreatExchange #Password #RAT #SideLoading #VPN #Word #ZIP #bot #cryptocurrency #AlienVault
-
Szyfrowanie danych, usuwanie backupów, zacieranie śladów… analiza ransomware Dire Wolf
Dire Wolf jest nową grupą przestępczą, której aktywność zaobserwowano w maju br. Pierwszymi ofiarami cyberprzestępców były firmy z sektora technologicznego, finansowego oraz budownictwa działające we Włoszech, Tajlandii, Australii oraz Indii. Działania cyberprzestępców ukierunkowane są głównie na zysk finansowy. W celu zwiększenia szansy na uzyskanie okupu, wykorzystują technikę double extortion, grożąc...
#Teksty #Chacha20 #Curbe25519 #Direwolf #DoubleExtortion #Ransomware
-
Szyfrowanie danych, usuwanie backupów, zacieranie śladów… analiza ransomware Dire Wolf
Dire Wolf jest nową grupą przestępczą, której aktywność zaobserwowano w maju br. Pierwszymi ofiarami cyberprzestępców były firmy z sektora technologicznego, finansowego oraz budownictwa działające we Włoszech, Tajlandii, Australii oraz Indii. Działania cyberprzestępców ukierunkowane są głównie na zysk finansowy. W celu zwiększenia szansy na uzyskanie okupu, wykorzystują technikę double extortion, grożąc...
#Teksty #Chacha20 #Curbe25519 #Direwolf #DoubleExtortion #Ransomware
-
Szyfrowanie danych, usuwanie backupów, zacieranie śladów… analiza ransomware Dire Wolf
Dire Wolf jest nową grupą przestępczą, której aktywność zaobserwowano w maju br. Pierwszymi ofiarami cyberprzestępców były firmy z sektora technologicznego, finansowego oraz budownictwa działające we Włoszech, Tajlandii, Australii oraz Indii. Działania cyberprzestępców ukierunkowane są głównie na zysk finansowy. W celu zwiększenia szansy na uzyskanie okupu, wykorzystują technikę double extortion, grożąc...
#Teksty #Chacha20 #Curbe25519 #Direwolf #DoubleExtortion #Ransomware
-
Szyfrowanie danych, usuwanie backupów, zacieranie śladów… analiza ransomware Dire Wolf
Dire Wolf jest nową grupą przestępczą, której aktywność zaobserwowano w maju br. Pierwszymi ofiarami cyberprzestępców były firmy z sektora technologicznego, finansowego oraz budownictwa działające we Włoszech, Tajlandii, Australii oraz Indii. Działania cyberprzestępców ukierunkowane są głównie na zysk finansowy. W celu zwiększenia szansy na uzyskanie okupu, wykorzystują technikę double extortion, grożąc...
#Teksty #Chacha20 #Curbe25519 #Direwolf #DoubleExtortion #Ransomware
-
Szyfrowanie danych, usuwanie backupów, zacieranie śladów… analiza ransomware Dire Wolf
Dire Wolf jest nową grupą przestępczą, której aktywność zaobserwowano w maju br. Pierwszymi ofiarami cyberprzestępców były firmy z sektora technologicznego, finansowego oraz budownictwa działające we Włoszech, Tajlandii, Australii oraz Indii. Działania cyberprzestępców ukierunkowane są głównie na zysk finansowy. W celu zwiększenia szansy na uzyskanie okupu, wykorzystują technikę double extortion, grożąc...
#Teksty #Chacha20 #Curbe25519 #Direwolf #DoubleExtortion #Ransomware
-
[DE] Ein bisschen Krikelkrakel für einen Kurzvortrag zu @rosenpass und postquantensicherer Kryptografie. Im Safe sind natürlich die sichersten Verfahren gegen regnerische post-quanten-Tage. :)
[EN] A handful of chicken scratch for a short talk about #RosenPass and post-quantum secure cryptography. When quantum computers finally rain down on our information systems, there’s different levels of security you can have.
