⚠️ RAT activity is on the rise. #XWorm and #AsyncRAT are up, while stealers like #Vidar and #Lumma are declining.

📌 Trend to watch: this suggests a shift toward sustained access and post-compromise operations, not just initial data theft. Lower stealer volume doesn’t reduce risk; it often means fewer early signals but higher impact if missed.

Expand threat visibility in your SOC: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=040526&utm_content=linktoenterprise

#cybersecurity #infosec

#xworm SHA256: 3f21b944a8d4f0892e7408fba6fb26694a67588ca68b7c7fc2b497aa65805d97 C2: https://pastebin[.]com/raw/ZyLCDwzJ,pIdorasik-56592[.]portmap[.]host:56592

Top 10 last week's threats by uploads 🌐
⬇️ #Xworm 575 (632)
⬆️ #Weedhack 414 (336)
⬇️ #Asyncrat 402 (720)
⬆️ #Gh0st 393 (343)
⬆️ #Dcrat 319 (223)
⬇️ #Remcos 310 (373)
⬆️ #Vidar 301 (266)
⬇️ #Quasar 221 (325)
⬆️ #Rustystealer 204 (175)
⬆️ #Lumma 199 (161)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=270426&utm_content=linktoregister#register

#cybersecurity

Top 10 last week's threats by uploads 🌐
⬇️ #Asyncrat 720 (831)
⬇️ #Xworm 632 (729)
⬆️ #Remcos 377 (240)
⬇️ #Gh0st 343 (391)
⬆️ #Weedhack 336 (151)
⬆️ #Quasar 325 (309)
⬇️ #Vidar 267 (273)
⬇️ #Dcrat 223 (242)
⬆️ #Blacknet 213 (68)
⬇️ #Stealc 191 (330)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=200426&utm_content=linktoregister#register

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Asyncrat 832 (693)
⬆️ #Xworm 730 (640)
⬇️ #Gh0st 391 (396)
⬇️ #Stealc 330 (409)
⬆️ #Salatstealer 320 (320)
⬆️ #Quasar 309 (283)
⬇️ #Vidar 274 (343)
⬇️ #Remcos 244 (296)
⬆️ #Dcrat 242 (238)
⬇️ #Lumma 185 (187)
Explore malware in action:
https://app.any.run/?utm_source=twitter&utm_medium=post&utm_campaign=top_ten&utm_term=130426&utm_content=linktoregister

#Top10Malware

🚨 Update Your Detection Rules: New In-Memory Loader

We caught a highly evasive #HanGhost loader, designed to bypass traditional detection through layered obfuscation and in-memory execution. This activity targets corporate users handling payments, logistics, and contract workflows, expanding exposure across critical operations.

⚠️ The delivery chain combines obfuscated JavaScript, hidden PowerShell execution, and environment-variable staging.

In the second stage, the loader retrieves an image file and extracts an encrypted payload embedded at the end of the file, combining steganography with in-memory loading and making detection significantly harder ❗️

👾 The loader is used to deliver multiple malware families: #PureHVNC, #XWorm, #Meduza, #AgentTesla, and #Phantom, with some chains also deploying #UltraVNC, extending the impact from initial access to persistent remote control.

⚡️#ANYRUN Sandbox allows analysts to reconstruct the full execution chain, helping confirm complex multi-stage activity earlier and reduce MTTR.

🔗 JavaScript-to-Payload execution chain:

JS ➡️ PowerShell ➡️ in-memory .NET assembly ➡️ PNG payload ➡️ Malware

📈 The campaign shows wave-based activity, indicating ongoing development and scaling:

March 26 — early cluster

April 1–2 — first large multi-family wave

April 3 — focused wave (PureHVNC / AgentTesla / Phantom)

April 6 — PureHVNC-heavy activity

April 7 — new peak with split between PureHVNC and XWorm/Meduza clusters

April 8 — multi-family wave (PureHVNC / Phantom / AgentTesla)

April 9–13 — more focused wave dominated by PureHVNC, with Phantom, DarkCloud, Formbook, and Meduza also present

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/cc26155e-e8e9-442b-b000-8d1a1435e7db?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoservice&utm_term=130426

🔍 Use this TI Lookup query to pivot from IOCs, review related activity, and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktotilookup&utm_term=130426#%7B%2522query%2522:%2522commandLine:%255C%2522bYPaSS%2520-Command%2520*iex%2520$env:%255C%2522%2522,%2522dateRange%2522:180%7D%20

👨‍💻 Equip your SOC with faster decisions and lower workload. See how #ANYRUN fits your workflows: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoenterprise&utm_term=130426

#cybersecurity #infosec
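Two of the loader's traits described above lend themselves to simple defender checks: a payload appended past the PNG's IEND chunk, and a PowerShell command line that bypasses execution policy and runs `iex` on an environment variable (the pattern behind the TI Lookup query). This added example is not ANY.RUN's code; the sample PNG and command lines are constructed here, and the regex is an assumption derived from the query text, not a published rule.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_bytes(data: bytes) -> bytes:
    """Walk the PNG chunk list and return whatever follows the IEND chunk.

    A well-formed PNG ends exactly at IEND, so any trailing bytes are a
    strong indicator of an appended (possibly encrypted) payload.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + chunk data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: IEND chunk not found")

def _chunk(ctype: bytes, body: bytes) -> bytes:
    # Build one PNG chunk: length, type, data, CRC32 over type+data.
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)

# Heuristic (assumed, not a vendor rule): execution-policy bypass followed by
# -Command, with iex reading its script from an environment variable.
PS_ENV_STAGING = re.compile(r"bypass\s+-command\b.*\biex\b.*\$env:", re.IGNORECASE)

def is_env_staged_powershell(cmdline: str) -> bool:
    """True when a process command line matches the env-var staging pattern."""
    return bool(PS_ENV_STAGING.search(cmdline))

if __name__ == "__main__":
    # Constructed samples; the variable name STAGE is a placeholder.
    print(png_trailing_bytes(build_sample_png(b"ENCRYPTED-BLOB")))
    print(is_env_staged_powershell('powershell.exe -ep bYPaSS -Command "iex $env:STAGE"'))
    print(is_env_staged_powershell("powershell.exe -Command Get-Process"))
```

Run the PNG check over images written by script hosts or PowerShell and alert on any non-empty result; pair it with the command-line heuristic in process-creation telemetry to catch the staging step before the in-memory assembly loads.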

Top 10 last week's threats by uploads 🌐
⬆️ #Asyncrat 832 (693)
⬆️ #Xworm 730 (640)
⬇️ #Gh0st 391 (396)
⬇️ #Stealc 330 (409)
⬆️ #Salatstealer 320 (320)
⬆️ #Quasar 309 (283)
⬇️ #Vidar 274 (343)
⬇️ #Remcos 244 (296)
⬆️ #Dcrat 242 (238)
⬇️ #Lumma 185 (187)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=130426&utm_content=linktoregister#register

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Asyncrat 695 (490)
⬆️ #Xworm 640 (460)
⬇️ #Stealc 409 (581)
⬆️ #Gh0st 396 (274)
⬇️ #Vidar 343 (371)
⬆️ #Salatstealer 320 (243)
⬇️ #Remcos 297 (385)
⬆️ #Quasar 283 (221)
⬆️ #Dcrat 239 (100)
⬆️ #Agenttesla 196 (196)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=060426&utm_content=linktoregister#register

#cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬇️ #Stealc 581 (600)
⬇️ #Asyncrat 493 (541)
⬇️ #Xworm 460 (509)
⬆️ #Remcos 389 (272)
⬆️ #Vidar 371 (368)
⬇️ #Gh0st 274 (298)
⬆️ #Salatstealer 243 (195)
⬆️ #Quasar 221 (185)
⬆️ #Lokibot 217 (119)
⬇️ #Agenttesla 196 (216)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=300326&utm_content=linktoregister#register

#cybersecurity #infosec