SparkRAT ➡️ ChromeSetup.msi ➡️ FUD 🔥

msftconnecttest .xyz ⤵️
Creation Date: 2024-12-02 ⤵️
After more than a year, this domain still has a detection rate of 1/93 🤯

Pointing to ⤵️
154.31.222.217:443 ➡️ DControl

Chinese? 🇨🇳
lang="zh-cn"

Malware sample:
https://bazaar.abuse.ch/sample/91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c/

Proofpoint recently identified a fake RMM (Remote Monitoring and Management Tool) called #TrustConnect and #DocConnect 🔎💻. Pivoting the threat in our collection reveals that the threat actors spread the same malware under additional names, including:

➡️SoftConnect
➡️HardConnect
➡️AxisControl

It also seems that the threat actor was previously playing around with the legitimate RMM #ScreenConnect (aka ConnectWise) before switching to their own fake RMM 🛠️

What also stands out: the majority of the botnet C2s were hosted at Contabo GmbH 🇩🇪

We track the threat on our platforms as #FakeRMM ⤵️

IOCs on ThreatFox:
🦊 https://threatfox.abuse.ch/browse/tag/FakeRMM/

Malware samples:
📄 https://bazaar.abuse.ch/browse/tag/FakeRMM/

Yet another RAT in town: RemoteX 🖥️

🪲 Dropped by Amadey
📃 Written in Golang
💻 Uses HKCU\...\CurrentVersion\Run\RemoteX for persistence (lame 🚽)
🌐 Uses WebSocket for C2 communication
🕵️‍♂️ Unauthenticated RAT admin panel 🤡

Botnet C2:
📡 109.107.168.147:80 (Partner Hosting LTD 🇬🇧)

Malware sample ⤵️
https://bazaar.abuse.ch/sample/d631655ad3ef9e7c854c86ae399a9c830bef784c6a51468d192f65a79bbb7c8b/

Xillen Stealer 🎣, heavily dropped by Amadey 🔥

Botnet C2:
https://goldenring[.]live/api/logs/check

"Invisible. Undetectedable. Unstopable." 🤡

👉 https://github.com/BengaminButton/XillenStealer

Samples ⤵️
https://bazaar.abuse.ch/browse/signature/XillenStealer/

Additional IOCs on ThreatFox 🦊
https://threatfox.abuse.ch/browse/tag/XillenStealer/

Brazilian banker 🇧🇷

GHOST panel 🧐

007consultoriafinanceira .net ➡️ GoDaddy 🇺🇸
83.229.17.124:80 ➡️ Clouvider 🇺🇸

Payload delivery URL 🌐:
https://urlhaus.abuse.ch/url/3759148/

Malware sample (MSI) ⚙️:
https://bazaar.abuse.ch/sample/2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21/

Malspam sent from Microsoft Outlook that is spreading #LogMeIn GoToResolve RMM, enabling threat actors to access the victim's machine from remote 💻🔍🕵️

IOCs:
📡 adwestmailcenter .com ➡️ Landing page
📡 insightme .im ➡️ fake PDF download

Payload hosted on Cloudflare R2 bucket, but already got nuked due to an abuse report from URLhaus 🙌
https://urlhaus.abuse.ch/url/3751500/

LogMeIn #GoToResolve payload 📄
https://bazaar.abuse.ch/sample/77e22f4e1af7758d6f7284f32a92539ea36a527fa89c8c6765f10a3f98a8d13e/

CHICXULUB IMPACT 💥

Botnet C2 URLs:
📡 https://turbokent .name/api/initialize
📡 https://turbokent .name/api/status

Sponsoring domain registrar: NICENIC 🇭🇰

Malware sample 📄:
https://bazaar.abuse.ch/sample/c32e1db396e6b64846792f05c776c5b52f34834b0500bc18f982927e07ca3eeb/

New Stealer in town: SantaStealer 🎅🎄

Botnet C2s ➡️ all hosted at AS399486 VIRTUO 🇨🇦:

📡 31.57.38.119:6767
📡 31.57.38.244:6767
📡 80.76.49.114:6767

Stealer admin panel (via @DarkWebInformer 💪):
🕵️ stealer. su

Artifacts 💻:
C:\tempLog\Clipboard.txt
%LocalAppData%\Temp\passwordslog.txt

Malware samples 🤖:
https://bazaar.abuse.ch/browse/tag/SantaStealer/

IOCs available on ThreatFox 🦊:
https://threatfox.abuse.ch/browse/tag/SantaStealer/

Love letter ❤️ from a threat actor 🕵️ exploiting React2Shell vulnerability (CVE-2025-55182) to spread #Mirai malware ⤵️

fuckoffurlhaus 😂

Payload URLs 🌐:
https://urlhaus.abuse.ch/host/45.153.34.201/

Mirai botnet C2s 📡:
marvisxoxo .st (ISTanCo 🇷🇸)
45.156.87 .231:23789 (AS51396 PFCLOUD 🇩🇪)

Malware sample 📄:
https://bazaar.abuse.ch/sample/9a84057ceb444e73f6f8733eda2fbd0db46fd9a6e182179256289558871427d6/

Unknown malware using WebSockets for botnet command & control, spreading through #ClickFix ⤵️

🖱️ClickFix -> 📃VBS -> ⚙️MSI

Payload delivery host:
🌐 https://urlhaus.abuse.ch/host/103.27.157.60/

Malware sample 🤖:
https://bazaar.abuse.ch/sample/4d8e5e890e8be3a1d3529edd384517f99ec1b05bbed7edb38da936d7b3d7749b/

Botnet C2 domains:
📡 w2li .xyz
📡 w2socks .xyz

The same malware is also being spread by #Amadey pay-per-install (PPI):
➡️ https://urlhaus.abuse.ch/url/3733103/