
@abuse-ch.bsky.social

Fighting malware and botnets

408 Followers  |  2 Following  |  143 Posts  |  Joined: 07.02.2024  |  1.7219

Latest posts by abuse-ch.bsky.social on Bluesky

Corresponding Mirai #malware payload delivery host:
🌐 urlhaus.abuse.ch/host/45.141....

10.10.2025 13:12 — 👍 0    🔁 0    💬 0    📌 0

Looks like this #Mirai threat actor is a BIG fan of our URLhaus platform 😜

👉 hXXp://45.141.215.196/FuckYou0urlhaus0abuse0ch/

We thought we'd send a little love back to the threat actor... their server’s been taken down, and their #botnet C2 domain is now sinkholed. 😘

10.10.2025 13:12 — 👍 2    🔁 0    💬 1    📌 0

👾 MalwareBazaar stats 👉 bazaar.abuse.ch/statistics/
🧠 SpamhausTech MalwareDigest 👉 www.spamhaus.com/malware-dige...

🫢 #SharingIsCaring #Community

06.10.2025 12:30 — 👍 0    🔁 0    💬 0    📌 0
Top Contributor MalwareBazaar - JAMESWT_WT

📣 Big thanks to MalwareBazaar Top Contributor "JAMESWT_WT" 🙇

First seen: 30 March 2020 and since then, they’ve shared 45,994 malware samples.

In the last 30 days alone, they have dropped 1,472 new samples; that’s +30% ⬆️ from the previous month, with 631 samples shared on September 30th. 🔥🔥

06.10.2025 12:30 — 👍 3    🔁 1    💬 1    📌 0

Over the last 30 days, the community shared 26,575 #IOCs on ThreatFox 🦊. That's an 83% jump on the previous month. 🚀 And topping the charts: XtremeRAT, with 6,640 IOCs 💀

Find more ThreatFox statistics here:
👉 threatfox.abuse.ch/statistics

#SharingIsCaring #XtremeRAT #Malware #ThreatIntel

30.09.2025 12:45 — 👍 2    🔁 1    💬 0    📌 0

πŸ› οΈ The User-Agent changed from "Kamasers C2 Client" to "System Updater/5.0"

Malware sample:
📃 https://bazaar.abuse.ch/sample/9ed0190eaa288e46c49d8a1d3dd52ea42bd6e7aaea1dbdf9e65912579630b075/

26.09.2025 14:06 — 👍 1    🔁 0    💬 0    📌 0

...a build 'TimeDateStamp: Tue Sep 23 11:33:26 2025' indicates that the malware is still under active development:

πŸ› οΈ Supported commands now have the character ! In front of them (!syn)
πŸ› οΈ More commands related to DDoS activities were added (!NTP-AMP, !NTP-AMP, !DNS-QUERY-FLOOD) ‡️

26.09.2025 14:06 — 👍 2    🔁 0    💬 1    📌 0

As for the DDR services, they are embedded in the binary, and again encrypted with AES using the aforementioned key, and encoded with base64. So far the following services have been seen 🔎

➡️ Github gists
➡️ Telegram Channels
➡️ Dropbox

The latest sample, containing debug information with...

26.09.2025 14:06 — 👍 1    🔁 0    💬 1    📌 0

...the C2 address from various DDR locations, by searching for the value of specific strings inside the DDR responses. The C2 domain is encrypted with AES CBC and encoded with base64. As of today, the malware is using `MySuperSecretKeyForAES256IsGood!` as an AES key to decrypt the responses.

26.09.2025 14:06 — 👍 1    🔁 0    💬 1    📌 0

A few days later, we identified a second variant, written in C, which remains in use to this day. As a DDoS botnet, it supports various DDoS commands. Initially, we 🔎 observed the following list:

➡️ httpflood
➡️ httpbypass
➡️ httppost
➡️ slowloris
➡️ tcp (syn, ack)
➡️ udp

The 🤖 botnet receives...

26.09.2025 14:06 — 👍 2    🔁 0    💬 1    📌 0

🔥 "Kamasers" is a DDoS botnet, first seen in August, and dropped by Amadey. The malware name was adapted from the User-Agent used during network communication with the C2 server. The first time we encountered it, the sample was written in Golang language.

26.09.2025 14:06 — 👍 2    🔁 0    💬 1    📌 0
Additional contextual information on Office OLE files on MalwareBazaar

Doc report (OLE):
🔎 bazaar.abuse.ch/sample/4a4b3...

02.09.2025 13:49 — 👍 0    🔁 0    💬 0    📌 0

➡️ Improved OLE handling: Office documents now come with additional context, including extraction & hashing of embedded image files, extraction of attached templates, and more 🧰

Here are some example reports below

OpenTIP integration:
📄 bazaar.abuse.ch/sample/dda32...

02.09.2025 13:49 — 👍 0    🔁 0    💬 1    📌 0
Kaspersky OpenTIP integration on MalwareBazaar

We’ve just rolled out two new features on MalwareBazaar 🆕 👀

➡️ OpenTIP integration: Results from @kasperskylab.bsky.social OpenTIP are now included for all samples on MalwareBazaar, available via both UI and API 🖥️

02.09.2025 13:49 — 👍 1    🔁 0    💬 1    📌 0
https://threatfox.abuse.ch/browse/malware/win.lumma/

Since the end of August we have observed the infamous #LummaStealer communicating with DGA-like domain names. We have seen such domains across 3 distinct IP addresses, all sharing the same SSL certificate

129.226.128.168:443 (Tencent 🇨🇳)
31.220.109.219:443 (Hostinger 🇺🇸)
165.227.143.219:443 (DigitalOcean 🇺🇸)

01.09.2025 12:56 — 👍 2    🔁 3    💬 0    📌 0
Morpheus loader admin panel

💻 If there is no match from the above, but the command length is not zero, it will execute the value using "cmd".

A Morpheus sample is available on MalwareBazaar:
📄 bazaar.abuse.ch/sample/6e1b1...

IOCs are available on ThreatFox:
🦊https://threatfox.abuse.ch/browse/malware/win.morpheus/

20.08.2025 11:51 — 👍 0    🔁 0    💬 0    📌 0

🌐 Anything starting with http/https: Downloads the file from the aforementioned URL and writes it to the Windows Temp directory, using the current time as a name (nanoseconds since epoch). The file is then executed using the 'open' command of Windows.

20.08.2025 11:51 — 👍 0    🔁 0    💬 1    📌 0

- Network (addresses, MAC, name)
- Processes (name, PID)
- Installed Apps
💥 selfdestruct: Deletes the Registry Run key and the executable from the disk by running the command "/C ping 127.0.0.1 -n 3 > nul & del /f /q {sample_path}"

20.08.2025 11:51 — 👍 0    🔁 0    💬 1    📌 0

ℹ️ sysinfo: Collects the following information from the compromised host:
- Installed AV
- CPU (number of cores, architecture)
- Available Hard Disk (name, free space, total space)
- Domain (is domain joined, domain name)
- Available Memory (free, total)

20.08.2025 11:51 — 👍 0    🔁 0    💬 1    📌 0

The commands received from the botnet C2 come as a JSON object with two properties: "id" and "command". The following command-values are supported:

20.08.2025 11:51 — 👍 0    🔁 0    💬 1    📌 0

4️⃣ A self update mechanism, where it will download a new version of itself, write it to disk with a ".tmp" suffix and immediately execute it. The current running instance will then exit.
5️⃣ Execution of various actions based on the commands received from the #botnet C2

20.08.2025 11:51 — 👍 0    🔁 0    💬 1    📌 0

3️⃣ Collects system information of the compromised host and sends it to the botnet C2, both in the form of a "HeartBeat" and as a Task command

20.08.2025 11:51 — 👍 0    🔁 0    💬 1    📌 0

1️⃣ Persistence through the Windows registry. It copies itself to the AppData Roaming directory under "SysSvc64.exe" and creates a new registry Run key that points to its location.
2️⃣ A host-based ID generated by collecting the current time, hostname and the MAC address of the compromised host.

20.08.2025 11:51 — 👍 0    🔁 0    💬 1    📌 0

The #malware accepts two command line parameters:
➡️ log: Path where debug logs are stored
➡️ update-url: URL used by the self-update process

#Morpheus has the following capabilities 💡:

20.08.2025 11:51 — 👍 0    🔁 0    💬 1    📌 0

We encountered a new loader advertised as "Morpheus" in underground forums 🕵️, recently dropped by #Amadey ⬇️🪲. Morpheus' C2 protocol is based on HTTP and works with tasks, where each task consists of an ID and a command 📣

Botnet C2: sophos-upd-srv .info 🇳🇱

20.08.2025 11:49 — 👍 0    🔁 0    💬 1    📌 0
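The Morpheus behaviours described in the thread above (the ping-then-del self-destruct command, the SysSvc64.exe copy under AppData Roaming with its Run key, and the downloaded payload written to Windows Temp under a nanoseconds-since-epoch name) turned into a small detection pass over process-creation and registry events. This is an added example, not abuse.ch's code: the event field names follow Sysmon's Image/CommandLine/TargetObject/Details naming, the sample events and the Run value name "SysSvc" are constructed, and allowing a file extension on the Temp payload is an assumption.

```python
import re

# Indicators taken from the Morpheus thread; Sysmon-style field names are an
# assumption. Self-destruct: "/C ping 127.0.0.1 -n 3 > nul & del /f /q {path}".
SELF_DELETE_RE = re.compile(
    r"ping\s+127\.0\.0\.1\s+-n\s+\d+\s*>\s*nul\s*&\s*del\s+/f\s+/q\b", re.I)
# Persistence copy under AppData\Roaming as SysSvc64.exe (any sub-folder depth).
SYSSVC_RE = re.compile(r"\\AppData\\Roaming\\(?:[^\\]+\\)*SysSvc64\.exe$", re.I)
# Payload in Windows\Temp named with nanoseconds since epoch: 19 digits for any
# timestamp after 2001. The optional file extension is an assumption.
TEMP_EPOCH_RE = re.compile(r"\\Windows\\Temp\\\d{19}(?:\.[A-Za-z0-9]+)?$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def classify(event):
    """Return the Morpheus indicators matched by one event dict (may be empty)."""
    hits = []
    if SELF_DELETE_RE.search(event.get("CommandLine", "")):
        hits.append("morpheus_selfdestruct")
    if SYSSVC_RE.search(event.get("Image", "")):
        hits.append("morpheus_syssvc64_image")
    if (RUN_KEY_RE.search(event.get("TargetObject", ""))
            and SYSSVC_RE.search(event.get("Details", ""))):
        hits.append("morpheus_run_key_persistence")
    if TEMP_EPOCH_RE.search(event.get("Image", "")):
        hits.append("morpheus_temp_epoch_payload")
    return hits


def scan(events):
    """Map event index -> matched indicators, leaving out clean events."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


# Constructed sample events (not real telemetry); the Run value name is made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /C ping 127.0.0.1 -n 3 > nul & del /f /q "C:\Users\bob\AppData\Roaming\SysSvc64.exe"'},
    {"Image": r"C:\Users\bob\AppData\Roaming\SysSvc64.exe",
     "CommandLine": r"C:\Users\bob\AppData\Roaming\SysSvc64.exe"},
    {"TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\SysSvc",
     "Details": r"C:\Users\bob\AppData\Roaming\SysSvc64.exe"},
    {"Image": r"C:\Windows\Temp\1755690660123456789",
     "CommandLine": r"C:\Windows\Temp\1755690660123456789"},
    {"Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping 127.0.0.1 -n 3"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The lone ping in the last sample event stays clean on purpose: only the combined ping-then-del command line is the indicator, which keeps ordinary connectivity checks out of the alert stream.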
Amadey botnet C2 network traffic

Fresh Amadey botnet C2 domains 🪲🔍👀

microsoft-telemetry .cc
telemety-sys .lol
telemety-xbox .lol
witasametry .live
telamtykina .live
telemetrywatson .live

More Amadey IOCs are available on ThreatFox 🦊:
📑 https://threatfox.abuse.ch/browse/malware/win.amadey/

19.08.2025 18:08 — 👍 3    🔁 0    💬 0    📌 0

You know you did something right if you get a false positive report on URLhaus with the words "fuck u" 😎 vtuber DDoS bot spreading through ThinkPHP RCE (CVE-2019-9082)

urlhaus.abuse.ch/host/172.233...

Payload:
bazaar.abuse.ch/sample/dafb6...

IOCs:
threatfox.abuse.ch/browse/tag/D...

07.08.2025 08:08 — 👍 0    🔁 0    💬 0    📌 0

SalatStealer (aka WEB_RAT) is on the rise πŸ“ˆ, heavily dropped by Amadey

Malware sample:
📄 https://bazaar.abuse.ch/sample/8b94f5fa94f35e5ba47ce260b009b34401c5c54042d7b7252c8c7d13bf8d9f05/

Admin Panel:
📑 https://salat .cn/login/ (Cloudflare)

Github:
🗜️ https://github.com/webr-at/importantfiles/releases

05.08.2025 13:18 — 👍 3    🔁 0    💬 0    📌 0
Weaponized PDF leading to rogue ScreenConnect download

Compromised travel agency in Sri Lanka 🇱🇰 spreading fake Royal Air Maroc ✈️🇲🇦 emails with a weaponized PDF 📄 that leads to a rogue ConnectWise ScreenConnect download 🔥

➡️ hunting.abuse.ch/hunt/6890d35...

Payload delivery URL + botnet C2 are hosted at 51.89.204 .89 (StarkRDP 🇩🇪)

04.08.2025 16:08 — 👍 2    🔁 2    💬 0    📌 0

Malware samples:
📄 bazaar.abuse.ch/sample/42671...
📄 bazaar.abuse.ch/sample/f1865...
📄 bazaar.abuse.ch/sample/0cfb4...

31.07.2025 11:54 — 👍 0    🔁 0    💬 0    📌 0
