RecklessPush38671

@RecklessPush38671@infosec.exchange
Cyber threat intelligence analyst. Former threat hunter. Former MDR. Former cyber operations. Perpetual screwball. Opinions are my own. I may share my memes, though.
@malware_traffic I spotted a ClickFix campaign that stopped deploying anything after the Lumma takedown. A heck of a lot better than their usual PureCrypter+Lumma payload. I'm guessing they'll find a new stealer to deploy, but it was fun watching some compromised WordPress sites suddenly behaving perfectly normally for a change.

@jack_daniel "The high tech corridor allows technology to pass through Georgia without ever having to stop and interact with the locals."

@cR0w I live by a similar philosophy.

@crep1x Thank you for posting this. Our internal detections for Cloudflare-style Tycoon phishing pages dropped off sharply at the end of last week. The examples you provided were exactly what I needed to write a new urlscan query to keep tracking their pages. This was very helpful.

@rmceoin Thank you for putting this article together. We've seen a BUNCH of cases of this particular ClickFix campaign in the last two weeks, but we could never get a good answer from the users on how they got to the fake CAPTCHA site in the first place.

Guess it's time to fire up urlscan and hunt for more of those compromised pages...

@grey This should be the hash for the zip as well. (Yes, it's on VT.)

7ec4fe7e0d65507611bffd023dd2bd43760f170725588bbdc9425f387650d8f4

#BlackBasta #threatintel #threatintelligence

@cR0w Maybe I'm misunderstanding here, but ransomlook[.]io/status usually has pretty accurate up/down status of ransomware data leak sites.

@still I can't speak to your other work, but I've always enjoyed reading what you've had to say here.

@james_inthe_box Et tu, Tisifi?

@james_inthe_box Initial thought: Do I already have that bot documented?

Nope. Closest I have is bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I (AsyncRAT).