Unknown malware using WebSockets for botnet command & control, spreading through #ClickFix ⤵️

🖱️ClickFix -> 📃VBS -> ⚙️MSI

Payload delivery host:
🌐 https://urlhaus.abuse.ch/host/103.27.157.60/

Malware sample 🤖:
https://bazaar.abuse.ch/sample/4d8e5e890e8be3a1d3529edd384517f99ec1b05bbed7edb38da936d7b3d7749b/

Botnet C2 domains:
📡 w2li .xyz
📡 w2socks .xyz

The same malware is also being spread by #Amadey pay-per-install (PPI):
➡️ https://urlhaus.abuse.ch/url/3733103/

We’ve identified an interesting malware family 🔍, which we’ve named #GrokPy due to its use of a Grok LLM model 🤖 to solve and subsequently bypass CAPTCHAs 🔥

The malware gets dropped by #Amadey and:

🪝 collects information about the infected device, such as screen resolution, public IP & location, RAM usage and CPU name
💻 attempts to escalate privileges by running as admin or as a scheduled task

Potential new stealer dropped by #Amadey, caught by @bitsight 🤖🔍 Who can name it? ⤵️

👉 https://hunting.abuse.ch/hunt/6919ec1c9750e/185.100.157.69/#sandnet

Botnet C2 domains:
📡 defender-temeerty .sbs
📡 telemetry-defender .lol

Botnet C2 server:
🛑 185.100.157.69:443 (Partner Hosting 🇬🇧)

Malware sample:
📄 https://bazaar.abuse.ch/sample/903cdf6c4bef90c7bcdacd909cc7e9c2be528a4de785f0aa2c19c6a1e4166a53/

Dropped by Amadey via:
🌐 https://urlhaus.abuse.ch/host/arabianairlanes.lol/

🚨 Cyber Threat Update: Lumma Stealer Doxxing
A targeted underground exposure campaign impacted Lumma Stealer (Water Kurita) operators, causing:
- 🔻 Reduced malware activity
- 🔄 Customer migration to Vidar, StealC, Amadey
- ⚔️ Intensified competition among infostealer MaaS platforms
What’s your take - is this a turning point for underground malware markets?
💬 Join the conversation & follow TechNadu for actionable cyber intelligence.

#CyberSecurity #Infostealer #LummaStealer #WaterKurita #Malware #MaaS #ThreatIntel #Vidar #StealC #Amadey #DarkWeb #CyberCrime #TechNadu #CyberUpdate

Top 10 last week's threats by uploads 🌐
⬆️ #Agenttesla 686 (380)
⬆️ #Vidar 588 (389)
⬇️ #Lumma 566 (686)
⬆️ #Remcos 449 (331)
⬆️ #Stealc 426 (272)
⬇️ #Quasar 383 (402)
⬆️ #Rhadamanthys 296 (286)
⬆️ #Dcrat 293 (278)
⬇️ #Amadey 269 (294)
⬆️ #Hijackloader 269 (197)
Track them all: https://any.run/malware-trends/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_content=tracker&utm_term=290925

#malware #infosec

Top 10 last week's threats by uploads 🌐
⬇️ #Lumma 696 (951)
⬆️ #Quasar 409 (390)
⬆️ #Vidar 406 (355)
⬆️ #Agenttesla 387 (285)
⬆️ #Remcos 340 (263)
⬇️ #Amadey 302 (372)
⬆️ #Dcrat 285 (238)
⬆️ #Stealc 285 (226)
⬆️ #Njrat 277 (205)
⬇️ #Xworm 240 (254)

Track them all: https://any.run/malware-trends/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_content=tracker&utm_term=220925

#top10 #cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Lumma 969 (726)
⬆️ #Quasar 399 (381)
⬆️ #Amadey 382 (192)
⬆️ #Redline 376 (179)
⬆️ #Vidar 365 (275)
⬇️ #Agenttesla 291 (336)
⬆️ #Remcos 274 (262)
⬇️ #Xworm 261 (515)
⬆️ #Dcrat 245 (209)
⬆️ #Stealc 233 (224)
👉 Track them all: https://any.run/malware-trends/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_content=tracker&utm_term=150925

Top 10 last week's threats by uploads 🌐
⬇️ #Lumma 746 (796)
⬆️ #Xworm 521 (407)
⬇️ #Quasar 388 (470)
⬇️ #Agenttesla 342 (344)
⬆️ #Vidar 282 (260)
⬆️ #Remcos 272 (169)
⬆️ #Hijackloader 267 (90)
⬇️ #Stealc 228 (229)
⬇️ #Dcrat 219 (245)
⬇️ #Amadey 200 (227)

👉 Track them all: https://any.run/malware-trends/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_content=tracker&utm_term=080925

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬇️ #Lumma 813 (856)
⬇️ #Quasar 478 (497)
⬇️ #Xworm 421 (471)
⬇️ #Agenttesla 345 (515)
⬇️ #Asyncrat 285 (327)
⬇️ #Vidar 264 (302)
⬇️ #Snake 258 (372)
⬇️ #Redline 251 (274)
⬇️ #Dcrat 247 (346)
⬇️ #Amadey 238 (377)

Track them all: https://any.run/malware-trends/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_content=tracker&utm_term=010925

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Lumma 881 (691)
⬆️ #Agenttesla 521 (402)
⬆️ #Quasar 509 (253)
⬆️ #Xworm 476 (384)
⬆️ #Amadey 388 (175)
⬆️ #Mirai 381 (138)
⬆️ #Snake 378 (277)
⬆️ #Dcrat 351 (164)
⬆️ #Asyncrat 346 (233)
⬆️ #Vidar 310 (141)
Track them all: https://any.run/malware-trends/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_content=tracker&utm_term=250825

#cybersecurity #infosec