A Technique-Based Approach to Hunting Web-Delivered Malware

This report presents a technique-based approach to HTTP body hunting using Censys that addresses this tension directly, and demonstrates its effectiveness by walking through a live discovery: a ClickFix campaign delivering XWorm V5.6 through a 5-stage attack chain.

Pulse ID: 69cf8d0d1edba26a610bb8bd
Pulse Link: https://otx.alienvault.com/pulse/69cf8d0d1edba26a610bb8bd
Pulse Author: AlienVault
Created: 2026-04-03 09:49:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Censys #CyberSecurity #HTTP #InfoSec #Malware #OTX #OpenThreatExchange #RAT #Worm #XWorm #bot #AlienVault

LevelBlue - Open Threat Exchange


A high-severity flaw known as MongoBleed (CVE-2025-14847) is currently being exploited in the wild.

The scale is significant:

🔍 Wiz researchers have confirmed active exploitation.
📊 Data from Shodan and Censys reveals between 87,000 and 100,000 potentially vulnerable MongoDB instances.

Read More: https://www.security.land/mongobleed-alert-cve-2025-14847-exploited-in-the-wild/

#SecurityLand #CyberSecurity #InfoSec #MongoDB #MongoBleed #DatabaseSecurity #Wiz #Shodan #Censys #CloudSecurity

MongoBleed CVE-2025-14847: Is Your MongoDB Exposed?

Dubbed "MongoBleed," CVE-2025-14847 allows unauthenticated attackers to exfiltrate sensitive data from MongoDB heap memory. With 87,000 instances exposed, active exploitation is now confirmed.

Security Land | Decoding the Cyber Threat Landscape

New infrastructure analysis from Censys reveals how the pro-Russian hacktivist group NoName057(16) maintains DDoSia operations through rapid server rotation. Monitoring since mid-2025 shows an average of 6 control servers active simultaneously, but with a mean lifespan of only 2.53 days.

#SecurityLand #ThreatHorizon #Research #Censys #DDoSia #DDoS #DDoSAttack #NoName057 #Ukraine #Russia #Hacktivism

Read More: https://www.security.land/ddosia-infrastructure-censys-research-noname057/

Censys Reveals Rapid Server Rotation Behind NoName057(16) Attacks

Censys research reveals DDoSia control servers last avg 2.5 days, with 6 active at any time. Analysis of pro-Russian DDoS infrastructure.

Is Your Android TV Streaming Box Part of a Botnet? – Krebs on Security

What's up with #censys? First I block their scans in nginx.conf. They didn't get the message. I then add their published CIDRs to an ipfw drop table. So now they again tried from unpublished CIDRs -> added those to the drop table.

@brian_greenberg

I attempted to create a Censys query to help identify some victim devices. Just SNMP not Telnet.

Legacy Censys (search.censys.io)
services.software.vendor: /"Cisco"/ and (services.snmp.oid_system.name:"3750G" or services.snmp.oid_system.name:"9300" or services.snmp.oid_system.name:"9400")

V2 Censys (platform.censys.io)
(host.services.software.vendor=~"^\"Cisco\"$" or host.services.hardware.vendor=~"^\"Cisco\"$" or host.services.operating_systems.vendor=~"^\"Cisco\"$") and host.services.snmp.oid_system.name:{"3750G", "9300", "9400"}

#Censys #Cisco

🌐 Censys warns: nation-states abusing academic access to internet mapping data.
Source: https://www.theregister.com/2025/09/03/censys_abuse_sigcomm_paper/
#Cybersecurity #Research #Censys
Internet mapping and research outfit Censys reveals state-based abuse, harassment

‘Universities are being used to proxy offensive government operations, turning research access decisions political’

The Register

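#NAS information published without permission!? A video explains how to check whether your information is listed on #Censys, which exposes IP addresses, ports, and even physical location [Initial B Channel] - INTERNET Watch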

https://internet.watch.impress.co.jp/docs/column/shimizumovie/2039261.html

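NAS information published without permission!? A video explains how to check whether your information is listed on Censys, which exposes IP addresses, ports, and even physical location

You only set up the NAS as its manual instructed, yet at some point the information needed to access the NAS from outside has been made public. This unbelievable-sounding story has become reality.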

INTERNET Watch

Write-up on our perspective at #Censys on ToolShell / CVE-2025-53770 exploit in SharePoint: https://censys.com/advisory/cve-2025-53770