André Tavares

31 Followers
25 Following
8 Posts
Threat Researcher @ BitSight.
Tracking malware botnets. 
Blog: https://tavares.re
Twitter: https://twitter.com/andretavare5
👾 #PrivateLoader, the widespread malware behind InstallsKey PPI service, had some important updates recently, and has been infecting 5000 systems daily. Learn more at: https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service
Hunting PrivateLoader: The malware behind InstallsKey PPI service | Bitsight

Read the latest Bitsight research on PrivateLoader, including recent updates such as a new string encryption algorithm, a new alternative communication protocol and more.

Bitsight
Here's some data analysis on the victims of the popular infostealer #AgentTesla aka #OriginLogger🔑⌨️🪵 https://www.bitsight.com/blog/data-insights-agenttesla-and-originlogger-victims
Data Insights on AgentTesla and OriginLogger Victims | Bitsight

AgentTesla (also known as OriginLogger) remains a prevalent commodity stealer, distributed daily, mainly via email attachments.

Bitsight

The C2 protocol in BitSight’s Unveiling Socks5Systemz seems to be identical to what’s described in this old BackDoor.TeamViewer.49 blog post by DrWEB from 2016!

They both even use the same RC4 encryption key heyfg645fdhwi, which can be used to decrypt requests and responses from the C2.

#Socks5Systemz #TeamSpy

Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey | Bitsight

Recently, our Threat Research team discovered a new malware sample, distributed by the PrivateLoader and Amadey loaders. Learn more.

Bitsight
Have a look at what the 15-year-old modular #spambot #Tofsee is up to 🤖⛏️📧 https://bitsight.com/blog/tofsee-botnet-proxying-and-mining
Tofsee Botnet: Proxying and Mining | BitSight

Bitsight has recently observed a 15-year-old modular spambot called Tofsee being distributed by PrivateLoader (ruzki), a notorious malware distribution service

Check out my research on unpacking a recent #ColibriLoader campaign along with some #YARA rules to detect it 🐦 https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign
Unpacking Colibri Loader: A Russian APT linked Campaign | Bitsight

In this research, we present how to manually “unpack” a sample from a recent ColibriLoader malware campaign being distributed by PrivateLoader.