MalwareBazaar - file (RemoteX) file has been detected as RemoteX by MalwareBazaar

Malware sample ⤵️
bazaar.abuse.ch/sample/d6316...

RemoteX RAT admin panel

Yet another RAT in town: RemoteX🖥️🖱️

🪲 Dropped by Amadey
📃 Written in Golang
💻 Uses HKCU\...\CurrentVersion\Run\RemoteX for persitence (lame 🚽)
🌐 Uses WebSocket for C2 communication
🕵️‍♂️ Unauthenticated RAT admin panel 🤡

Botnet C2:
📡 109.107.168.147:80 (Partner Hosting LTD 🇬🇧)

Xillen Stealer admin panel on Cloudflare

Xillen Stealer 🎣, heavily dropped by Amadey 🔥

Botnet C2:
https://goldenring[.]live/api/logs/check

"Invisible. Undetectedable. Unstopable." 🤡

👉 github.com/BengaminButt...

Samples ⤵️
bazaar.abuse.ch/browse/signa...

Additional IOCs on ThreatFox 🦊
threatfox.abuse.ch/browse/tag/X...

Thank you @spamhaustech.bsky.social & @abuse-ch.bsky.social for being #PIVOTcon26 Silver Sponsor 🎉

Read more about alliance: abuse.ch & spamhaus.com
This alliance empowers the largest independently crowdsourced intelligence of tracked malware and botnets pivotcon.org/sponsors
#CTI #ThreatIntel

Brazilian Banker "GHOST" panel

Brazillian banker 🇧🇷 caught by @johnk3r 🎣

GHOST panel 🧐

007consultoriafinanceira .net
83.229.17.124:80 Clouvider 🇺🇸

Payload delivery URL:
🌐https://urlhaus.abuse.ch/url/3759148/

Malware sample (MSI):
⚙️https://bazaar.abuse.ch/sample/2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21/

MalwareBazaar - PicturesPreview.exe (GoToResolve) PicturesPreview.exe has been detected as GoToResolve by MalwareBazaar

Payload hosted on Cloudflare R2 bucket, but already got nuked due to an abuse report from URLhaus 🙌
🌐 urlhaus.abuse.ch/url/3751500/

LogMeIn #GoToResolve payload 📄
bazaar.abuse.ch/sample/77e22...

Malspam from Microsoft Outlook spreading LogMeIn GoToResolve RMM

Fake PDF download spreading LogMeIn GoToResolve RMM

Malspam sent from Microsoft Outlook that is spreading #LogMeIn GoToResolve RMM, enabling threat actors to access the victim's machine from remote 💻🔍🕵️

IOCs:
📡 adwestmailcenter .com ➡️ Landing page
📡 insightme .im ➡️ fake PDF download

turbokent .name - CHICXULUB IMPACT

CHICXULUB IMPACT 💥

Botnet C2 URLs:
📡 turbokent .name/api/initialize
📡 turbokent .name/api/status

Sponsoring domain registrar: NICENIC 🇭🇰

Malware sample 📄:
bazaar.abuse.ch/sample/c32e1...

MalwareBazaar - Tag SantaStealer Hunt for malware samples tagged with tag 'SantaStealer'

Malware samples 🤖:
bazaar.abuse.ch/browse/tag/S...

IOCs available on ThreatFox 🦊:
threatfox.abuse.ch/browse/tag/S...

New Stealer in town: SantaStealer 🎅🎄

Botnet C2s ➡️all hosted at AS399486 VIRTUO 🇨🇦:
📡31.57.38.119:6767
📡31.57.38.244:6767
📡80.76.49.114:6767

Stealer admin panel (via @darkwebinformer.com 💪):
🕵️ stealer. su

Artifacts 💻:
C:\tempLog\Clipboard.txt
%LocalAppData%\Temp\passwordslog.txt

Mirai malware delivery URLs

Love letter ❤️ from a threat actor 🕵️exploiting React2Shell vulnerability (CVE-2025-55182) to spread #Mirai malware ⤵️

fuckoffurlhaus 😂

Payload URLs:
🌐 urlhaus.abuse.ch/host/45.153....

Mirai botnet C2s:
📡 marvisxoxo .st (ISTanCo 🇷🇸)
📡 45.156.87 .231:23789 (AS51396 PFCLOUD 🇩🇪)

URLhaus - http://w2socks.xyz/uploads/5aba4745e080f54e.msi Malware distribution site: http://w2socks.xyz/uploads/5aba4745e080f54e.msi

The same malware is also being spread by #Amadey pay-per-install (PPI):
➡️ urlhaus.abuse.ch/url/3733103/

ClickFix infection chain

Unknown malware using WebSockets for botnet command&control, spreading through #ClickFix ⤵️

🖱️ClickFix -> 📃VBS -> ⚙️MSI

Payload delivery host:
🌐https://urlhaus.abuse.ch/host/103.27.157.60/

Malware sample 🤖:
bazaar.abuse.ch/sample/4d8e5...

Botnet C2 domains:
📡w2li .xyz
📡w2socks .xyz

MalwareBazaar - pew63 (Mirai) pew63 has been detected as Mirai by MalwareBazaar

Mirai #malware sample 🤖:
bazaar.abuse.ch/sample/ee2fe...

Payload delivery host 🌐:
urlhaus.abuse.ch/host/172.237...

Releated IOCs 🦊:
threatfox.abuse.ch/browse/tag/C...

Malicious bast script deliverying Mirai payload

Exploitation of recent React RCE vul (CVE-2025-55182 - #React2Shell) leading to #Mirai infection ⤵️

Botnet Mirai C2 domains 📡:
fuckphillipthegerman .ru

Botnet Mirai C2 servers , all hosted at FORTIS 🇷🇺:
138.124.72.251:52896
138.124.69.154:60328
5.144.176.19:60328

MaksRAT botnet C2 traffic

MaksRAT

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\javacom

Botnet C2s 📡
104.198.24 .41:6656
avocado .gay
www.foldacces .online
www.makslove .xyz
www.mavenrat .xyz
www.blackprofit .online

Sample shared by @smica83 💪
bazaar.abuse.ch/sample/88310...

IOCs
threatfox.abuse.ch/browse/tag/M...

MalwareBazaar - data.arm7 (Mirai) data.arm7 has been detected as Mirai by MalwareBazaar

Mirai malware sample:

🤖 bazaar.abuse.ch/sample/11248...

More #Mirai IOCs are available on ThreatFox:

🦊 threatfox.abuse.ch/browse/malwa...

Mirai campaign spreading through 213.209.143.85 (Railnet 🇳🇱), messing around with the victim's system iptables 🤔

Mirai botnet C2 domain:
womp.datasurge .vip (NameCheap 🇺🇸)

Mirai botnet C2 server:
176.65.148.57:6969 (Pfcloud 🇩🇪)

Payload URL:
🌐 urlhaus.abuse.ch/url/3725743/

ThreatFox - Mirai Hunt for Mirai IOCs on ThreatFox

More #Mirai IOCs are available on ThreatFox:
🦊 threatfox.abuse.ch/browse/malwa...

Mirai bot "zerobot"

Mirai botnet #zerobot spreading through 172.86.123.179 (cloudzy 🇦🇪) ⤵️

Mirai botnet C2 domain:
0bot.qzz .io (Gandi SAS 🇫🇷)

Mirai botnet C2 server:
140.233.190.96:69 (Internet Magnate 🇿🇦)

Payload URLs:
🌐 urlhaus.abuse.ch/host/172.86....

Mirai malware sample:
🤖 bazaar.abuse.ch/sample/9f64e...

URLhaus simply wouldn't exist without the help of awesome and committed contributors like this who diligently report malware URLs everyday 🙏

URLhaus stats ➡️ urlhaus.abuse.ch/statistics/
URLhaus ➡️ urlhaus.abuse.ch

🫶 #SharingIsCaring #Community #StrengthInUnity

URLhaus Top Contributor “Geenensp”

🎉 Massive shout out to URLhaus Top Contributor “geenensp”

First seen April 13th 2020 and since then, they’ve shared an unbelievable 844,345 malware URLs!! 😮 Over the last 30 days, they have shared 8,902 URLs, firmly securing their position at the top of the leaderboard 💪 ⤵️

GrokPy botnet C2 traffic

GrokPy malware samples on MalwareBazaar:
📄 bazaar.abuse.ch/browse/signa...

Botnet C2s on ThreatFox:
🦊 threatfox.abuse.ch/browse/tag/G...

🔍 has OCR capabilities for screenshots obtained via CDP, which are used to extract text from captcha
🤖 uses a Grok LLM model that resides in the botnet C2 server to solve the captcha

Botnet C2 servers are all hosted at Hetzner 🇩🇪 on port 8008:
46[.]62.225.51 [active]
46[.]62.224.205
46[.]62.205.38

👱 creates new accounts on Discord to obtain authentication tokens, which are then reported back to the botnet C2
📧 uses dilly + [a-zA-Z0-9]{8,11}@gmail
.com + password [a-zA-Z0-9]{8} as the email and password for the Discord registration process

⚙️ uses the CDP (Chrome developer protocol) of either Edge or Chrome installed on the victim machine for further malicious actions
📡 calls back to the botnet C2 on the various stages of the infection and the results of its malicious actions

🪝 collects information about the infected device, such as screen resolution, public IP & location, ram usage and CPU name
💻 attempts to escalate privileges by running as admin or as a scheduled task

We’ve identified an interesting malware family 🔍, which we’ve named #GrokPy due to its use of a Grok LLM model 🤖 to solve and subsequently bypass CAPTCHAs 🔥

The malware gets dropped by #Amadey and:

Hunt for arkanix.pw/ on abuse.ch Hunt for CTI related to arkanix.pw on abuse.ch Hunting Platform

Malware samples:
👉 hunting.abuse.ch/hunt/691d7ec...

Yet another new stealer in town: #ArkanixStealer 🔥

%AppData%\Arkanix_lol\history.json
%AppData%\Arkanix_lol\system_info.json
%AppData%\Arkanix_lol\screenshot_monitor_1.png

Akranix botnet C2:
📡 arkanix .pw/api/session/create
📡 arkanix .pw/delivery
📡 arkanix .pw/api/discord-injection/template