James_inthe_boxMar 2

Malicious #simplehelp #rmm #opendir at:

https://katz.adv\.br/dhl/

James_inthe_boxFeb 24

#reverseloader #xworm #opendir at:

http://158.94.211\.63/dealer/

xufFeb 22

Server with Mirai samples

http://94.156.152.67/

#opendir #malware #mirai

James_inthe_boxNov 5

#malware #opendir #xloader (small one works, big one not so much) at:

https://royfils\.com/encrypt/

2cd9b8fb88e7cbbc5c049441fb61e0aea7be23dc7aa2c109c13abefe7a2ac943

4733feaca04e871d4e0bb052f2437a2f46f10852602ea4f8b2f0170f4838dd87

James_inthe_boxNov 4

#malware #opendir at:

http://179.43.176].109:8081/Downloads/1/

Show threadSilas CutlerOct 7
Back in the rest of the #opendir, uploads/ is used by http://app.py, I don't see where downloads_cache is used, but similar agent-[0-9]+ structure. The SANS PDF "All-books-in-oneSANSSEC670RedTeamingTools-DevelopingCustomToolsforWindows.pdf" may be the inspiration behind http://app.py/agent.go
Silas CutlerOct 7

Interesting #OpenDir on #QuasarRat C2 server 185.208.159[.]161:8000 . The open web directory includes source code for a backdoor + misc development artifacts.

https://platform.censys.io/hosts/185.208.159.161
https://search.censys.io/hosts/185.208.159.161

#malware #thread 🧵

James_inthe_boxJul 2, 2025

#purecryptor #opendir at:

http://198.12.126].164/tst/

James_inthe_boxApr 21, 2025

#malware #opendir ultimately #venomrat + #hvnc:

https://carltonsfile\.com/mor1/ -> https://paste\.ee/d/c7nSA2yM/0

c2: 109.248.144.175:4449

4541fd01a19f1e484f24eff86f42ac36ea9b30686fd405ca0a50f3e517657a61

James_inthe_boxApr 17, 2025

#malware #opendir at:

http://176.65.134\.79/HOST/