SalatStealer (aka WEB_RAT) is on the rise 📈, heavily dropped by Amadey

Malware sample:
📄https://bazaar.abuse.ch/sample/8b94f5fa94f35e5ba47ce260b009b34401c5c54042d7b7252c8c7d13bf8d9f05/

Admin Panel:
📡https://salat .cn/login/ (Cloudflare)

Gihub:
🗜️https://github.com/webr-at/importantfiles/releases

Weaponized PDF leading to rogue ScreenConnect download

Compromised travel agency in Sri Lanka 🇱🇰 spreading fake Royal Air Maroc ✈️🇲🇦emails with a weaponized PDF 📄 that leads to a rogue ConnectWise ScreenConnect download 🔥

➡️ hunting.abuse.ch/hunt/6890d35...

Payload delivery URL + botnet C2 are hosted at 51.89.204 .89 (StarkRDP 🇩🇪)

Malware samples:
📄 bazaar.abuse.ch/sample/42671...
📄 bazaar.abuse.ch/sample/f1865...
📄 bazaar.abuse.ch/sample/0cfb4...

Latrodectus payload URL:
🌐 urlhaus.abuse.ch/url/3593620/

SectopRAT payload URL:
🌐 urlhaus.abuse.ch/url/3593619/

Latrodectus config 🗜️:
CampaignID: Callisto
Direction: 3
Version: 2.2

IOCs:
📡 threatfox.abuse.ch/browse/tag/C...
📡 threatfox.abuse.ch/ioc/1561162/

Infection starts with the user visiting a website offering free game downloads, where they are redirected and prompted to download a password-protected zip file from mega[.]nz ⚠️

When the user executes the file, Lumma is executed in a new process, which later downloads Latrodectus and SectopRAT:

Fake gaming website leading to LummaStealer download

We've observed an interesting infection chain ⛓️ in the wild, starting with #LummaStealer spread through a fake gaming website and resulting in #Latrodectus and #SectopRat 🪲🔍👀

See below for more...

Depends on what kind of information you would like to share 🙂

Malware samples:
bazaar.abuse.ch/faq/#policy

IOCs:
threatfox.abuse.ch/faq/#policy

Malware payload delivery URLs:
urlhaus.abuse.ch/faq/#policy

Hope this helps!

Am I going to have to pay for abuse.ch data?

Community is at the heart of what we do at abuse.ch ❤️

To protect the future of the platforms and the community behind them, we've been making changes. Read more ⤵️ abuse.ch/blog/creatin...

Fortinet and Citrix NetScaler exploitation attempts originating from Galeon LLC (RU)

Heads up if you operate a Fortinet or Citrix device ⚠️🚨 Various IP addresses from 178.22.24.0/24 (AS209290 GALEON-AS 🇷🇺) are currently heavily running exploitation attempts against vulnerable Fortinet and Citrix Netscaler devices 🔥

You may want to block this network at your network edge 🛑

NoName057(16) threat

After NoName057(16) got hit by Europol🇪🇺, they are whining around and talking about a new "digital war" that has just begun🤡

It's 🍿 time!

⬇️ Malware sample - initial .NET dropper: bazaar.abuse.ch/sample/71857...

📄 Malware sample - DarkWatchMan decoded: bazaar.abuse.ch/sample/2830f...

DarkWatchMan is still written to disk by a .NET dropper. It also uses the same C2 and DGA as the 29th April campaign (the array contains the same initial strings for domains, and the salt for the DGA is also unchanged). ⤵️

Another #DarkWatchMan campaign began on 15th June, with multiple waves over the following two days🔥 ⤵️

Global operation targets NoName057(16) pro-Russian cybercrime network – The offenders targeted Ukraine and supporting countries, including many EU Member States | Europol The offenders targeted Ukraine and supporting countries, including many EU Member States. Between 14 and 17 July, a joint international operation, known as Eastwood and coordinated by Europol, targete...

We are incredibly proud to have assisted Europol 🇪🇺 in a global operation against the notorious pro-Russian #hacktivist group #NoName057(16) 🥳

www.europol.europa.eu/media-press/...

Unknown Java #RAT using Halkbank as a lure 🪝, targeting Turkish citizens 🇹🇷

Halkbank Ekstre.jar
\strlogs\keylogs_4558.html

Botnet C2:
📡77.90.153.31:5590 (AS214943 RAILNET 🇺🇸)

Malware sample:
📄https://bazaar.abuse.ch/sample/daf23a217b188f63657b051fda8bbd6eb341172b9519b9b5bff1a60eb4dda5a1/

MalwareBazaar sample detection by Malva.RE

We've just onboard another malware analysis service on MalwareBazaar: Malva.RE 🎉

MalwareBazaar now includes detection from Malva.RE as well as tags and malware configuration files🪲🔍

Here's a sample report:
👉 bazaar.abuse.ch/sample/aff5b...

📢 It’s only 7 days until you’ll need to authenticate to access data via API across ALL our platforms. We’re doing this update to help us manage heavy usage and keep things running smoothly for everyone.

If you use our APIs, make sure you’re set up by June 30th: #AuthenticateNow

ThreatFox - Tag cs-watermark-100000000 Hunt for IOCs tagged with tag 'cs-watermark-100000000'

Active #CobaltStrike botnet C2 🔥

⛔️https://api.micosoftr .icu/djiowejdf
⛔️https://www.googleapi .top/jquery-3.3.1.min.js

Sample:
📄https://bazaar.abuse.ch/sample/91e851f8cd9a32f9077f9fbbf1a64278e6be460ed5908778e4b45e62e495167e/

IOCs on ThreatFox 🦊
threatfox.abuse.ch/browse/tag/c...

We are happy to announce the integration of Kunai Linux Sandbox on MalwareBazaar 🥳

Sample ELF X86 report ⤵️
bazaar.abuse.ch/sample/0d221...

There's a #MassLogger malware campaign using an allegedly compromised email account🪝of an employee at the Ministry of Agriculture, Water Management and Forestry of Bosnia and Herzegovina 🇧🇦, used to exfiltrate data from compromised devices through SMTP 🔥

👉 bazaar.abuse.ch/sample/45535...

After the #Lumma Stealer takedown a few weeks ago, threat actors moved away from Cloudflare to AS47105 Vault Dweller OU 🇪🇪 with Finnish upstream Creanova 🇫🇮

⛔ 195.82.146.193:443
⛔ 195.82.146.221:443
⛔ 195.82.146.223:443

Not only Lumma botnet C2s are hosted there ⤵️
threatfox.abuse.ch/asn/47105/

Feel free to reach out to admin@abuse.ch

3 weeks remaining before mandatory authentication - starting June 30th.

📢 Heads-up! In just 3 WEEKS authentication will be required to access data via API across ALL our platforms. This change will help us manage heavy usage and keep things running smoothly for everyone.

Rely on our APIs? #AuthenticateNow, to avoid any problems and maintain uninterrupted availability!

DNS4EU blocklist coverage

URLHaus Blocklist comparison, now includes DNS4EU 🇪🇺, currently with coverage of 70% of all active malware distribution domains/hostnames tracked URLhaus 🕵️‍♂️

Example URL report:
🌐 urlhaus.abuse.ch/host/confirm...

Blocklist comparison:
🔎 urlhaus.abuse.ch/statistics/#...

...We appreciate you making
abuse.ch's community-driven data available on your platforms. #SharingIsCaring 🫶

Elastic, ThreatQuotient, Sumo Logic, Palo Alto Networks (Cortex XSOAR), Blumira, Maltego, Lumu Technologies
(Maltiverse), BluSapphire, Exabeam
(Logrhythm), Wazuh, Tines, LMNTRIX, Hunters, Splunk, ThreatConnect, Anomali ⤵️

Please refer to the following article, which provides more information, including how users gain a key:

👉 abuse.ch/blog/communi... ⤵️

❗Attention | Platform integrators of
abuse.ch's data. From June 30, 2025, users of our data will be required to use an authentication key to access our APIs.

This means that any user accessing the abuse.ch's data from your platform will require functionality to input an authentication key. ⤵️

Russian hybrid threats: EU lists further 21 individuals and 6 entities and introduces sectoral measures in response to destabilising activities against the EU, its member states and international part... The Council imposed restrictive measures against 21 individuals and 6 entities responsible for Russia’s destabilising actions against the EU and its member states and broadened the scope of the sancti...

EU Council 🇪🇺 has issued sanctions against Stark Industries, a hosting company registered in the UK 🇬🇧, as "they have been acting as enablers of various Russian state-sponsored and affiliated actors to conduct destabilising [...] the Union and third countries"

www.consilium.europa.eu/en/press/pre...

...any user with this link can see these results without the need to authenticate!

Happy Hunting (and sharing) enjoy! 🫶

#SharingIsCaring #ThreatIntel #ThreatHunting #CTI