James_inthe_box3d ago

From #clickfix to #stealc

https://app.any.run/tasks/9cd9a0f0-bf6f-4a23-9bf0-4d804f816b07

c2: https:// pas. canamrent .com/

ANY.RUNJun 1

⚠️ Stealer activity surged last week. #Vidar, #Stealc, and #SalatStealer all increased, while #AsyncRAT and #DCRat also continued to grow.

📌 Trend to watch: credential theft is gaining momentum alongside remote access malware, giving attackers more opportunities to move from initial compromise to persistent access. For SOC teams, that means validating credential-related alerts quickly becomes even more important.

Expand threat visibility in your SOC: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=010626&utm_content=linktoenterprise

#cybersecurity

ANY.RUNMay 18

⚠️ Overall RAT activity cooled down last week, with #AsyncRAT, #XWorm, and #Remcos all declining, while stealers like #Vidar and #Stealc continued to grow.

📌 Trend to watch: this points to a shift toward credential access and large-scale delivery activity. For defenders, that usually means higher alert volume, broader exposure, and more pressure on early-stage triage.

Expand threat visibility in your SOC: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=180526&utm_content=linktoenterprise
#cybersecurity

ANY.RUNApr 20

Top 10 last week's threats by uploads 🌐
⬇️ #Asyncrat 720 (831)
⬇️ #Xworm 632 (729)
⬆️ #Remcos 377 (240)
⬇️ #Gh0st 343 (391)
⬆️ #Weedhack 336 (151)
⬆️ #Quasar 325 (309)
⬇️ #Vidar 267 (273)
⬇️ #Dcrat 223 (242)
⬆️ #Blacknet 213 (68)
⬇️ #Stealc 191 (330)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=200426&utm_content=linktoregister#register

#cybersecurity #infosec

Anonymous 🐈️🐾☕🍵🏴🇵🇸 Apr 14

Top 10 last week's threats by uploads 🌐
⬆️ #Asyncrat 832 (693)
⬆️ #Xworm 730 (640)
⬇️ #Gh0st 391 (396)
⬇️ #Stealc 330 (409)
⬆️ #Salatstealer 320 (320)
⬆️ #Quasar 309 (283)
⬇️ #Vidar 274 (343)
⬇️ #Remcos 244 (296)
⬆️ #Dcrat 242 (238)
⬇️ #Lumma 185 (187)
Explore malware in action:
https://app.any.run/?utm_source=twitter&utm_medium=post&utm_campaign=top_ten&utm_term=130426&utm_content=linktoregister

#Top10Malware

Anonymous 🐈️🐾☕🍵🏴🇵🇸 Apr 14

Top 10 last week's threats by uploads 🌐
⬆️ #Asyncrat 832 (693)
⬆️ #Xworm 730 (640)
⬇️ #Gh0st 391 (396)
⬇️ #Stealc 330 (409)
⬆️ #Salatstealer 320 (320)
⬆️ #Quasar 309 (283)
⬇️ #Vidar 274 (343)
⬇️ #Remcos 244 (296)
⬆️ #Dcrat 242 (238)
⬇️ #Lumma 185 (187)
Explore malware in action:
https://app.any.run/?utm_source=twitter&utm_medium=post&utm_campaign=top_ten&utm_term=130426&utm_content=linktoregister

#Top10Malware

ANY.RUNApr 13

Top 10 last week's threats by uploads 🌐
⬆️ #Asyncrat 832 (693)
⬆️ #Xworm 730 (640)
⬇️ #Gh0st 391 (396)
⬇️ #Stealc 330 (409)
⬆️ #Salatstealer 320 (320)
⬆️ #Quasar 309 (283)
⬇️ #Vidar 274 (343)
⬇️ #Remcos 244 (296)
⬆️ #Dcrat 242 (238)
⬇️ #Lumma 185 (187)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=130426&utm_content=linktoregister#register

#cybersecurity #infosec

ANY.RUNApr 6

Top 10 last week's threats by uploads 🌐
⬆️ #Asyncrat 695 (490)
⬆️ #Xworm 640 (460)
⬇️ #Stealc 409 (581)
⬆️ #Gh0st 396 (274)
⬇️ #Vidar 343 (371)
⬆️ #Salatstealer 320 (243)
⬇️ #Remcos 297 (385)
⬆️ #Quasar 283 (221)
⬆️ #Dcrat 239 (100)
⬆️ #Agenttesla 196 (196)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=060426&utm_content=linktoregister#register

#cybersecurity #infosec

ANY.RUNApr 1

⚠️ #𝗦𝘁𝗲𝗮𝗹𝗖 𝗶𝘀 𝗻𝗼𝘄 𝗱𝗲𝗹𝗶𝘃𝗲𝗿𝗲𝗱 𝘃𝗶𝗮 𝗮 𝗖𝗹𝗼𝘂𝗱𝗳𝗹𝗮𝗿𝗲 𝗖𝗹𝗶𝗰𝗸𝗙𝗶𝘅 𝗳𝗹𝗼𝘄, masking malicious activity behind trusted services. Behavioral analysis exposed a PowerShell-based execution chain used to download and run the payload while attempting to evade detection.

👾 The Process Tree reveals the payload chain: powershell.exe ➡️ powershell.exe ➡️ y3gag2iu.3wq.exe (StealC 🚨)

Multi-stage PowerShell execution and hidden payload delivery make early confirmation harder, slowing triage. #ANYRUN Sandbox helps analysts quickly validate the attack and reduce investigation time.

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/48e6b68d-dfa2-423e-8e7c-24cf8a6ef85b/?utm_source=mastodon&utm_medium=post&utm_campaign=cloudflare_clickfix&utm_term=010426&utm_content=linktoservice

⚡️ Learn how #ANYRUN helps SOCs detect complex threats and contain incidents faster: https://any.run/features/?utm_source=mastodon&utm_medium=post&utm_campaign=cloudflare_clickfix&utm_term=010426&utm_content=linktosandboxlanding

⚙️ Technical details:
ClickFix flow on diddyparty[.]click triggers PowerShell via Win+X ➡️ I. A hidden command (-NoProfile -WindowStyle Hidden) enforces TLS 1.2, stages a random EXE in %TEMP%, pulls the payload via Invoke-WebRequest, executes it, and attempts cleanup. Full execution details are available in the Script Tracer tab.

🔍 IOCs:
diddyparty[.]click
3f0fe92c0e1c4663dcb851ce0fc97ddaed25b559be1d6e2cc0f66304ac652e38

#cybersecurity #infosec

ANY.RUNMar 30

Top 10 last week's threats by uploads 🌐
⬇️ #Stealc 581 (600)
⬇️ #Asyncrat 493 (541)
⬇️ #Xworm 460 (509)
⬆️ #Remcos 389 (272)
⬆️ #Vidar 371 (368)
⬇️ #Gh0st 274 (298)
⬆️ #Salatstealer 243 (195)
⬆️ #Quasar 221 (185)
⬆️ #Lokibot 217 (119)
⬇️ #Agenttesla 196 (216)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=300326&utm_content=linktoregister#register

#cybersecurity #infosec