Stranger Strings: Yurei Ransomware Operator Toolkit Exposed

Active since September 2025, Yurei is a double extortion ransomware campaign. The operators run their own Tor data leak site with a low number of victims listed at the time of writing. It is reportedly derived from Prince Ransomware, an open-source ransomware family written in Go. Check Point researchers noted that all samples were first submitted to VirusTotal from Morocco, and that one sample did not include a ticket ID, indicating that this could be a test build, possibly uploaded by the developer themselves. Yurei ransomware samples also contained a link to SatanLockv2, based on the presence of the PDB path string “D:\satanlockv2” present in the Yurei samples.

Pulse ID: 69cd66412a30a525e66b507d
Pulse Link: https://otx.alienvault.com/pulse/69cd66412a30a525e66b507d
Pulse Author: AlienVault
Created: 2026-04-01 18:38:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CheckPoint #CyberSecurity #Extortion #InfoSec #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Rust #VirusTotal #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

PHISHING - update 2/2

Screenshots of the RELATIONS tabs of https://www.virustotal.com/gui/ip-address/46.225.225.20 and https://www.virustotal.com/gui/ip-address/185.68.93.129

These show the domain names of "forwarding websites". If you open such a domain name in your browser, your browser is redirected to one of the phishing sites I mentioned in my previous toot.

If an actual phishing site (see the previous toot) is taken down, the cybercriminals can, with little effort, modify these redirect sites (and probably many others I have not discovered yet) so that they point to a different phishing site.

They also adapt these sites for new "spam runs", for example from KvK to Bitvavo (same domain name, different URL).

NB: https://virustotal.com is *NOT* malicious.

#VirusTotal

A new #tutorial is out, this time about #VirusTotal, a tool for analysing IPs, domains, files and hashes in search of malware, among other things. I explain what it is and how to use it step by step, with a bonus of my own at the end.... watch it at: https://luiszambrana.ar/virustotal-que-es-como-utilizar-la-herramienta/

BRUSHWORM and BRUSHLOGGER uncovered

A South Asian financial institution was targeted with two custom malware components: BRUSHWORM, a modular backdoor, and BRUSHLOGGER, a keylogger. BRUSHWORM features anti-analysis checks, encrypted configuration, scheduled task persistence, modular payload downloading, USB worm propagation, and extensive file theft. BRUSHLOGGER uses DLL side-loading to capture system-wide keystrokes with window context tracking. The malware's low sophistication and implementation flaws suggest an inexperienced author, possibly using AI code-generation tools. Multiple testing versions were discovered on VirusTotal, indicating iterative development. The malware components combine to create a functional collection platform with modular loading, USB propagation, broad file theft, air-gap bridging, and persistent keystroke capture.

Pulse ID: 69c643be1c9656febe1f3cc6
Pulse Link: https://otx.alienvault.com/pulse/69c643be1c9656febe1f3cc6
Pulse Author: AlienVault
Created: 2026-03-27 08:45:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Asia #BackDoor #CyberSecurity #InfoSec #KeyLogger #Malware #OTX #OpenThreatExchange #RAT #Rust #SouthAsia #USB #VirusTotal #Worm #bot #AlienVault


VirusTotal's Cloudflare relationship isn't incidental — it's structural. Every file you submit potentially enters a big-tech data graph. When your threat intelligence platform IS your surveillance infrastructure, the dependencies matter.

The agent tracks these supply-chain relationships as part of autonomous agent security monitoring. Privacy-first scanning at the-service.live/scrub?ref=mastodon-cloudflare

#InfoSec #Privacy #BigTech #VirusTotal

Virus hunting: using VirusTotal more flexibly from the command line | heise online heise.de/-11176057 #Antivirus #VirusTotal #Malware #vtcli

Virus hunting: using VirusTotal more flexibly from the command line

Batch scans of several suspicious files and precisely targeted malware research for incident response: with the free tool vt-cli, VirusTotal follows your command.


I have been using DuckDuckGo as my main search engine for a while now.

My experience so far has been underwhelming. I get prompted with the AI-generated result, and then I get a bunch of random websites that have very little information or are unreliable for what I am looking for. Just now, when searching for VirusTotal, I got a search result of a malicious phishing site. I quickly got out, cleared my cookies and updated my browser, just to be safe. I will be searching for a new engine.
#DuckDuckGo #VirusTotal

Wow, now I'm getting malware URLs via reverb.com - way to hand over IoCs to a long-time threat intel person.

nothing on VT yet https://www.virustotal.com/gui/url/3086617690b3b089bff0dd7b96f0e389a57ad32630fd93b6a29d6cdc8256edfe/detection
Zero detections:
https://www.urlvoid.com/scan/matyshkazemlya.com/
scan failed 403 forbidden: https://sitecheck.sucuri.net/results/www.matyshkazemlya.com

https://urlquery.net/report/7840c1b4-791d-47d1-b531-4ac3b7fd0f92 redirects and is sinkholed via DNS4EU
Submitted to Pulsedive: https://pulsedive.com/indicator/?ioc=d3d3Lm1hdHlzaGthemVtbHlhLmNvbQ==

Showing a redirect to Google on checkphish (LOL)
https://app.checkphish.ai/public/insights/1772914041531/3086617690b3b089bff0dd7b96f0e389a57ad32630fd93b6a29d6cdc8256edfe

IoC:
www.matyshkazemlya [DOT] com

Message on Reverb.com:
Hey, I've been trying to buy your listing but keep getting a payment error. The site gave me a link with some info for the seller to check — www.matyshkazemlya [DOT] com Could you take a look? Mia Brown

#IR #incidentRespose #CTI #IOC #infosec #cyberz #cybersecurity #infosec #reverb
#suspectdomain #virustotal #pulsedive #URLvoid #threatIntel #ThreatInteligence
