James_inthe_box

Anthropic secretly installs spyware when you install Claude Desktop — That Privacy Guy!

Anthropic's Claude Desktop silently installs a Native Messaging bridge into seven Chromium browsers, including browsers Anthropic's own documentation says it does not support, and browsers the user has not even installed.

That Privacy Guy!
Analysis f_0002a9 (MD5: EAB63C490102D94C5A3B3914195C3530) Malicious activity - Interactive analysis ANY.RUN


When your #malspam threat actor forgets to properly configure their #remcos ... ya, "Juniorer" indeed 🤣

https://app.any.run/tasks/1ff77354-94ca-4d30-b6f7-a86aff32e1af

Seeing a disturbing number of @awscloud redirect-bucket links that lead to vbs -> screenconnect:

https://gist.github.com/silence-is-best/ce1d6a685232f1d34f07004e71efa64a

First time seeing #Zoom docs as an initial #phishing page:

https://docs. zoom\ .us/doc/3eF1mlIOSiK7vIdLWpjEAw?from=email -> https://corporationusarydersysteminccapital \.mcpcjiinc\ .vu/

I've got a new malware analysis describing what I have dubbed XorBee RAT

  • delivered by #kongtuke via #clickfix
  • Python based
  • targets domain-joined Windows
  • uses port tcp/4444 for C2 traffic
  • obfuscates C2 traffic with XOR of the letter b
  • continuously runs a thread checking for monitoring tools and exits if seen
  • after authenticating with C2, enters reverse shell
  • related to ModeloRAT
  • first seen in October 2025

https://rmceoin.github.io/malware-analysis/2026/04/13/xorbee-rat.html

#xorbee

XorBee RAT

A technical breakdown of XorBee RAT, a Python-based reverse shell deployed by the KongTuke threat actor via ClickFix social engineering against domain-joined Windows environments.

Malware Analysis
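As an added illustration of the "XOR of the letter b" and "tcp/4444" details in the post above (example code written for this page, not taken from the linked analysis or from the author): a small scanner that flags port-4444 flows whose payload is not text as captured but becomes clean text once XORed with 'b'. The flow records, addresses and command string are constructed; only the key and port come from the bullets above.

```python
XOR_KEY = ord("b")  # XorBee XORs each C2 byte with the letter 'b' (from the post)
C2_PORT = 4444      # port the post attributes to XorBee C2 traffic

# Treat 0x20-0x7E plus tab/CR/LF as text; other control bytes count as binary.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def text_ratio(data: bytes) -> float:
    """Fraction of bytes that are plain printable text."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in TEXT_BYTES) / len(data)


def looks_xor_obfuscated(payload: bytes, key: int = XOR_KEY, threshold: float = 0.95) -> bool:
    """True when the raw bytes are not text but XOR with `key` yields clean text.
    Plain text (e.g. HTTP) and random binary both fail this test."""
    return text_ratio(payload) < threshold and text_ratio(xor_decode(payload, key)) >= threshold


def scan_flows(flows, key: int = XOR_KEY, port: int = C2_PORT):
    """Return (src, dst, decoded_preview) for flows to `port` whose payload decodes
    to text under the XOR key. A hit is a lead for triage, not proof of infection."""
    hits = []
    for f in flows:
        if f["dport"] == port and looks_xor_obfuscated(f["payload"], key):
            preview = xor_decode(f["payload"], key).decode("ascii", "replace").strip()
            hits.append((f["src"], f["dst"], preview))
    return hits


# Constructed sample flows (not real captures): the first mimics a shell command
# XOR-encoded with 'b'; the other two are unrelated binary and plain-text traffic.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 4444,
     "payload": xor_decode(b"cmd.exe /c whoami /all\r\n")},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 4444,
     "payload": bytes(range(256))},
    {"src": "10.0.0.8", "dst": "198.51.100.2", "dport": 4444,
     "payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for src, dst, preview in scan_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{C2_PORT}  decoded: {preview!r}")
```

The same scan applies to any single-byte key by changing `XOR_KEY`; only the 'b' and port-4444 values are specific to the post.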

Malicious GitHub repo at:

https:// github\.com /creativebobo?tab=repositories

#screenconnect

A very late (due to work travel) CSV-formatted list of #malspam campaigns that crossed my path in March, including #malware type, subject, hash, C2, and email exfil addresses:

https://gist.github.com/silence-is-best/440abd3e683adf69f531371cf56cd338

#retrohunt

For a good time, just strings that malicious msi you found (https:// oanapolis .com.br/Receipt_9334.msi)... if it's #screenconnect, the C2 info is at the end... you don't even need to extract or run the thing.