#stealc — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #stealc, aggregated by home.social.
-
SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2)
#SmartApeSG #RemcosRAT #Stealc #SecTopRAT
https://isc.sans.edu/diary/32826
-
ISC Diary: #SmartApeSG campaign pushes #Remcos #RAT, #NetSupportRAT, #StealC and #SectopRAT (#ArechC https://isc.sans.edu/diary/32826
-
https://winbuzzer.com/2026/02/19/fake-captcha-trick-installs-stealc-on-windows-pcs-xcxwbn/
Fake CAPTCHA Trick Installs StealC on Windows PCs
#Windows #Security #Cybersecurity #StealC #Malware #Cybercrime #Hackers #WindowsSecurity #PowerShell #Scams #DataTheft #ThreatActors #CyberThreats #Cyberattacks #MicrosoftOutlook #Steam #Cryptocurrency
-
The other day I was thinking: when will infostealers start collecting information from "AI" browsers?
Today I noticed that StealC has posted an update, where they added a feature for collecting Sigma AI Browser data.
''Sigma AI Browser is an AI‑first agentic browser that combines an AI agent, deep research, and AI tools to help you navigate, create, and'' sloooop
Anyways, left to find some time and energy to look for some StealC logs and see if it siphons some more juicy data from "ai" browsers.
-
Here's the full infection chain:
198.211.110.107:79 finger connects to finger[.]cloudyape[.]com
172.67.190.68:80 curl tries cloudyape[.]com/uvey.php?holt=2 but server responds with '301 Moved Permanently' and redirects to HTTPS
172.67.190.68:443 dropper download
172.67.190.68:80 curl gets cloudyape[.]com/uvey.php?holt=1, server redirects to HTTPS
172.67.190.68:443 dropper download
170.130.165.201:80 Download of file4.bin (#StealC) with fake GoogeBot user agent
170.130.165.201:80 #StealC v2 C2 / exfiltration
170.130.55.38:80 #CastleLoader traffic
194.76.227.242:9999 #CastleRAT C2 traffic
-
This #StealC and #CastleRAT infection starts with a #ClickFix attack using finger to download commands from finger[.]cloudyape[.]com
-
FileFix – a phishing attack that abuses Windows Explorer
Security researchers from the Acronis Threat Research Unit have observed a new phishing campaign using the FileFix attack method. The attack stands out for its unusual way of hiding the malware: the use of obfuscation and steganography. FileFix is a new variant of the popular ClickFix attack vector. As with that vector, the goal of the attack is to trick the user into running...
#WBiegu #Clickfix #Filefix #Meta #Phishing #Stealc
https://sekurak.pl/filefix-atak-phishingowy-wykorzystujacy-eksplorator-systemu-windows/
-
Early last week, researchers from Acronis' Threat Research Unit discovered a rare in-the-wild example of a FileFix attack, a new variant of the now notorious ClickFix attack path.
The FileFix social-engineering attack poses as warnings about the suspension of a Meta account in order to trick users into unknowingly installing the StealC infostealer malware.
The attack that was found reportedly not only uses FileFix, but is probably the first example of such an attack that does not strictly follow the design of the original proof of concept (PoC) (first demonstrated in July 2025!). Furthermore, the attack reportedly includes a sophisticated phishing website and a payload that in many respects goes beyond what has so far been expected from ClickFix or FileFix attacks.
In the final stage, a loader (written in Go, with VM/sandbox checks and string encryption) is reportedly deployed that runs the StealC infostealer. It targets browsers, cryptocurrency wallets, messaging apps, and cloud credentials. StealC can also load further malware...
Prevention: avoid any website that asks you to enter anything into any part of your operating system, no, not even into PowerShell.
-
Ongoing FileFix Attack Installs StealC Infostealer Via Fake Facebook Pages https://hackread.com/filefix-attack-stealc-infostealer-fake-facebook-pages/ #SocialEngineering #Cybersecurity #PhishingScam #CyberAttack #Infostealer #Security #ClickFix #Facebook #Malware #Captcha #FileFix #Stealc
-
Watch out as hackers are using FileFix phishing with fake Facebook warnings to drop StealC Infostealer, hiding the payload inside images with #steganography.
Read: https://hackread.com/filefix-attack-stealc-infostealer-fake-facebook-pages/
-
«The perpetrators promise to offer cracked software[...].»
— Anyone who falls for that is a total beginner :mastolol: Do you still remember astalavista.box.sk :mastocheeky: (Does the site actually still exist?🤔)
IT security researchers discover #Tiktok campaign for #Malware installation | Security https://www.heise.de/news/Social-Engineering-Kampagne-Tiktok-Videos-mit-Anleitung-zu-Malware-Installation-10398870.html #SocialMedia #SocialEngineering #Infostealer #StealC #Vidar
-
TikTok is known as a platform for creative content, but is now also being used as bait by cybercriminals.
Podcast YouTube: https://youtu.be/cPADO5G5kJ0?si=7n-L01IBSzdX67DL
Podcast Spotify: https://open.spotify.com/episode/2ZcrbUvXIOfBpPuaq7VQt7?si=61ccef7960ac43c7
Article Cybercrimeinfo: https://www.ccinfo.nl/menu-onderwijs-ontwikkeling/cybercrime/malware/2527960_hoe-tiktok-verandert-in-een-digitale-valstrik-infostealer-malware-via-virale-video-s
#TikTok #malware #cybercrime #ClickFix #infostealer #socialengineering #cybersecurity #digitaleveiligheid #PowerShell #StealC #Vidar #jongerenonline #cyberdreiging #cyberbewustzijn #darkweb #phishing #gratissoftware #cyberaanval #digitalevalstrik
-
Last week, Microsoft reported that their Digital Crimes Unit (DCU) and international partners disrupted Lumma Stealer by taking down 2,300 domains critical to the malware's operation. Shortly after, Palo Alto's Unit 42 reported that cyber campaigns that previously dropped Lumma Stealer are now distributing StealC infostealer payloads. We analyzed the DNS infrastructure related to the attacks and discovered a large number of malicious registered domain generation algorithm (RDGA) domains. Based on passive DNS, the threat actor that controls the infrastructure configured the domains to a staging environment via a dedicated Panama IP address (self-signed SSL) before deploying them. We identified 144 unique domains in this IP space, and all of them were detected as "suspicious" by our algorithms 1-2 months before they were activated for malicious activity.
Disrupting criminal operations is difficult and they will find ways to resurface. However, this example proves that blocking connections at the DNS level can often protect users against the new versions before they emerge. The infostealer actors made a quick turn, but we were already blocking their path. Our specialty is in DNS analytics, so we use DNS signatures, as opposed to malware signatures, for preemptive security. We love this stuff.
Here are some examples of the RDGA domains:
2323dot2[.]cfd, 2323dot2[.]cyou, 2323dot2[.]my, 232pip1[.]my, 232pip1[.]sbs, 832pip[.]cfd, 832pip[.]cyou, 832pip[.]my, 832pip[.]sbs, b3cloud[.]cfd, b3cloud[.]cyou, b3cloud[.]my, b3cloud[.]sbs, bin48[.]cfd, bin48[.]cyou, bin48[.]my, bin898293[.]cfd, bin898293[.]cyou, bin898293[.]my, bin898293[.]sbs, bit7dl[.]cfd, bit7dl[.]cyou, bit7dl[.]my, bit7dl[.]sbs, bot113cloud[.]cfd, bot113cloud[.]cyou, bot113cloud[.]my
These campaigns share similar TTPs with those that we reported several months ago. The threat actor that we discussed in this post (https://infosec.exchange/@InfobloxThreatIntel/114027715851469775) also distributed Lumma Stealer and used RDGA domains, but incorporated additional components, such as traffic distribution systems (TDS), web trackers, and cloakers.
#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #infostealer #lummastealer #stealc #tds #tracker #cloaker #rdga
-
2025-04-22 (Tuesday): Always fun to find the fake CAPTCHA pages with the #ClickFix style instructions trying to convince viewers to infect their computers with malware.
Saw #StealC from an infection today.
Indicators available at https://github.com/malware-traffic/indicators/blob/main/2025-04-22-IOCs-for-ClickFix-style-campaign-leading-to-StealC-infection.txt
-
HellCat Ransomware Hits 4 Firms using Infostealer-Stolen Jira Credentials – Source:hackread.com https://ciso2ciso.com/hellcat-ransomware-hits-4-firms-using-infostealer-stolen-jira-credentials-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #CyberAttacks #LummaStealer #CyberAttack #Infostealer #Ransomware #Hackread #security #HellCat #malware #Raccoon #Redline #Stealc #Jira
-
HellCat Ransomware Hits 4 Firms using Infostealer-Stolen Jira Credentials https://hackread.com/hellcat-ransomware-firms-infostealer-stolen-jira-credentials/ #Cybersecurity #CyberAttacks #LummaStealer #CyberAttack #Infostealer #Ransomware #Security #Malware #HellCat #Raccoon #Redline #Stealc #Jira
-
2025-03-26 (Wednesday): #SmartApeSG traffic for a fake browser update page leads to a #NetSupport #RAT infection. A zip archive for #StealC sent over the #NetSupportRAT C2 traffic.
The #StealC infection uses DLL side-loading by a legitimate EXE to #sideload the malicious DLL.
A #pcap from an infection, the associated #malware samples, and #IOCs are available at https://www.malware-traffic-analysis.net/2025/03/26/index.html
-
Social media post I wrote for my employer at https://www.linkedin.com/posts/unit42_smartapesg-netsupportrat-stealc-activity-7297994624814432256-HOrX/
and https://x.com/Unit42_Intel/status/1892229005702471868
2025-02-18 (Tuesday): Legitimate but compromised websites with an injected script for #SmartApeSG lead to a fake browser update page that distributes #NetSupportRAT malware. During an infection run, we saw follow-up malware for #StealC. More info at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-18-IOCs-for-SmartApeSG-fake-browser-update-leads-to-NetSupport-RAT-and-StealC.txt
A #pcap from the infection traffic, the associated malware, and other info are available at https://malware-traffic-analysis.net/2025/02/18/index.html
-
This month StealC 🔝 tops the charts for malware families associated with malware sites at 4,577 samples shared on URLHaus. Meanwhile Cobalt Strike remains #1 for IOCs shared - find out which malware are in the Top10 at the links below:
ThreatFox | IOCs shared:
👉 https://www.spamhaus.org/malware-digest/#threatfox
URLHaus | Malware sites:
👉 https://www.spamhaus.org/malware-digest/#urlhaus
All the data in the Malware Digest is provided by @abuse_ch's community driven open platforms.
-
Analysts at #cybersecurity firm #Sekoia have uncovered a new strain of malware called #StealC, an advanced infostealer designed to steal sensitive data from victims. https://andreafortuna.org/2023/02/24/stealc-a-new-advanced-infostealer?utm_source=dlvr.it&utm_medium=mastodon