
Something new is coming for abuse.ch contributors... watch this space! 👀

#ComingSoon #CommunityHub #SharingIsCaring 😻🥇💛

RE: https://infosec.exchange/@spamhaus/116804685911276876

New loader in town: SolarisLoader, spotted by @spamhaus and abuse.ch 🔥

📡 SolarisLoader IOCs (botnet C2 servers):
https://threatfox.abuse.ch/browse/tag/SolarisLoader/

📄 SolarisLoader malware samples:
https://bazaar.abuse.ch/browse/tag/SolarisLoader/

⚙️ SolarisLoader configs are available:
https://github.com/spamhaus/CTI/tree/main/solarisloader

Our platforms were recently targeted by a large-scale web scraping operation originating from devices that are apparently participating in residential proxy networks 🏘️ 🖥️. The vast majority of these requests were successfully blocked by our existing mitigations 🛑. However, the sheer volume of traffic caused temporary disruptions to both the MalwareBazaar and URLhaus platforms ⚠️

To put the scale into perspective, our web platforms typically handle approximately 1,500 requests per second (excluding traffic to our community API and commercial APIs). During this incident, the scraping operation leveraged more than 135,000 unique IP addresses, most of which could be identified as nodes in residential proxy networks 🔍

The offender attempted to remain undetected by sending very few requests (less than 5) per IP address to the platforms 🕵

Below are the top networks sourcing this traffic (by unique IPs):

2,961 AS25019 SAUDINETSTC 🇸🇦
1,995 AS206206 KNET 🇮🇶
1,984 AS9121 TTNet 🇹🇷
1,954 AS3215 Orange 🇫🇷
1,871 AS12322 PROXAD 🇫🇷
1,550 AS5410 BOUYGTEL-ISP 🇫🇷
1,531 AS37705 TOPNET 🇹🇳
1,413 AS8193 BRM-AS 🇺🇿

We are sharing details of the involved IPs, along with the relevant timestamps, here for your awareness ⤵️

https://raw.githubusercontent.com/abusech/misc/refs/heads/main/2026-06-22_Residential-Proxy-Scraping-IPs.csv
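The pattern described in the post above (more than 135,000 IPs, fewer than 5 requests each) is exactly the one a per-IP rate limit cannot see, because no single client ever crosses a threshold; the "top networks by unique IPs" table is the view that does expose it. The following is an added example, not abuse.ch code or data: it runs both checks over constructed web-server log lines (documentation IP ranges, private-use ASNs, a hypothetical prefix-to-ASN table standing in for a real ASN lookup) to show the per-IP limit flagging the wrong party while the per-network aggregation flags the scraper.

```python
"""
Low-and-slow distributed scraping: why a per-IP rate limit misses it and why
aggregating by origin network (ASN) catches it.

Added example, not abuse.ch code. All inputs are constructed: the log lines,
the prefix-to-ASN table and the thresholds are illustrative only.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Combined Log Format prefix: client IP, identd, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed prefix-to-ASN table (documentation ranges, private-use ASNs).
# In production use MaxMind GeoLite2-ASN, Team Cymru or pyasn instead.
ASN_TABLE = [
    (ip_network("198.51.100.0/24"), "AS64496 hypothetical-hosting"),
    (ip_network("203.0.113.0/24"), "AS64497 hypothetical-residential-A"),
    (ip_network("192.0.2.0/24"), "AS64498 hypothetical-residential-B"),
]


def build_sample_log():
    """Constructed traffic, not real server logs: one legitimate client that
    paginates heavily from a single IP, plus a scraper that sends only three
    requests from each of 120 IPs spread over two residential networks."""
    lines = []
    for i in range(40):
        lines.append(
            f'198.51.100.7 - - [01/Jan/2026:10:00:{i % 60:02d} +0000] '
            f'"GET /browse/?page={i} HTTP/1.1" 200 1234'
        )
    for block in ("203.0.113.", "192.0.2."):
        for host in range(1, 61):
            for j in range(3):
                lines.append(
                    f'{block}{host} - - [01/Jan/2026:10:01:{(host + j) % 60:02d} +0000] '
                    f'"GET /sample/{host}{j}/ HTTP/1.1" 200 4321'
                )
    return lines


def parse_ips(lines):
    """Extract the client IP from each parseable log line."""
    ips = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ips.append(m.group("ip"))
    return ips


def per_ip_offenders(ips, limit=5):
    """Classic per-IP rate limit: IPs with more than `limit` requests."""
    return {ip for ip, n in Counter(ips).items() if n > limit}


def asn_for(ip):
    """Map an IP to its origin network via the (constructed) prefix table."""
    addr = ip_address(ip)
    for net, asn in ASN_TABLE:
        if addr in net:
            return asn
    return "unknown"


def per_asn_summary(ips):
    """Per origin network: (distinct IPs, total requests, mean requests per IP)."""
    by_asn = defaultdict(Counter)
    for ip in ips:
        by_asn[asn_for(ip)][ip] += 1
    return {
        asn: (len(c), sum(c.values()), sum(c.values()) / len(c))
        for asn, c in by_asn.items()
    }


def suspicious_asns(ips, min_unique_ips=25, max_mean_per_ip=5.0):
    """Flag networks that contribute many distinct IPs which each send only a
    handful of requests: the signature of a residential-proxy scraper."""
    return sorted(
        asn
        for asn, (uniq, _total, mean) in per_asn_summary(ips).items()
        if uniq >= min_unique_ips and mean <= max_mean_per_ip
    )


if __name__ == "__main__":
    ips = parse_ips(build_sample_log())
    print("per-IP limit flags:", per_ip_offenders(ips))
    for asn, stats in sorted(per_asn_summary(ips).items()):
        print(asn, "unique=%d total=%d mean=%.1f" % stats)
    print("per-ASN heuristic flags:", suspicious_asns(ips))
```

On the constructed input the per-IP limit flags only the legitimate heavy client (40 requests from one address) and none of the 120 scraper IPs, while the per-network view reports 60 distinct IPs at a mean of 3 requests each for both residential networks and flags them. In a real deployment the same aggregation would be run over a sliding time window, keyed on an ASN or /24 lookup, and compared against that network's normal unique-IP baseline rather than a fixed threshold; a residential ISP legitimately contributes many distinct low-volume IPs, so the signal is the sudden jump in unique IPs, not their presence.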

Botnet C2 tied to an unidentified #malware family trying to hide as a FortiGate device 😜

🌐 Domain: az2030port.duckdns .org
📡 C2: 178.16.55.28:2030 ➡️ Omegatech LTD 🇳🇱
🔐 SSL certificate: FortiGate, O=Fortinet Ltd.

Corresponding malware samples ⤵️
https://hunting.abuse.ch/hunt/6a285c89c73e5/178.16.55.28/

@frehi This bug is fixed (finally). Thanks for the hint!
@Ichinin Heya. Thanks for your report. Should be fixed!

My favorite Remus botnet C2 domain so far 😄

havelbeenpwned .net ⤵️
NICENIC INTERNATIONAL 🇨🇳

103.211.219.238:4219 ⤵️
AS394695 PUBLIC-DOMAIN-REGISTRY 🇮🇳

Malware sample:
https://bazaar.abuse.ch/sample/75fce6ec4b0815d7ccc9d87c2687c3c379c8e446739b3302b72688dd632c9f9e/

More #Remus IOCs available on ThreatFox 🦊
https://threatfox.abuse.ch/browse/malware/win.remus/

/cc @troyhunt

@frehi Thanks, will check it out

Malspam 📧 targeting Spanish users 🇪🇸

Email ➡️ geo filter ➡️ mediafire ➡️ iso ➡️ vbs

1st stage - geo filter 🛑
vmi3228488.contaboserver .net Contabo 🇩🇪

2nd stage - payload 📄
https://urlhaus.abuse.ch/url/3824487/

Dropped iso:
https://bazaar.abuse.ch/sample/faaa4d005314440dfd7ed5fa2f522e1a2642f08ec3bf0c1e2779a39bf4268349/

Botnet C2:
📡 54.197.208.68 Amazon 🇺🇸

@frehi ack. The easiest way to report such is through the "report false positive" function.