New #SocGholish C2:
hXXps://m.cpa2go[.]com/viewDashboard
m.cpa2go[.]com
45[.]76.18.170
AS20473 The Constant Company, LLC
Experimental automated monitoring of #SocGholish, #FakeSG, #ClearFake, #ClickFix, #KongTuke, #ParrotTDS and #SmartApeSG.
Samples and IOCs sent to MalwareBazaar and ThreatFox.
MalwareBazaar: https://bazaar.abuse.ch/user/10197/
ThreatFox: https://threatfox.abuse.ch/user/5719/
Detected #SmartApeSG infection chain
Compromised site
-->
franquicias[.]top/sss/buf.js (injected)
-->
franquicias[.]top/sss/bof.js (clickfix)
-->
certifiedhackerindia[.]com/all.php (PowerShell)
-->
certifiedhackerindia[.]com/fyqw.zip
-->
185[.]163.45.30:443 (NetSupport, EVALUSION, NSM165348)
a3293a8613d9962ffd169085c6663938fdad006538511ba76b903a94245cd16c fyqw.zip
New #SocGholish C2:
hXXps://ai.lanpdt[.]org/viewDashboard
ai.lanpdt[.]org
209[.]141.43.20
AS53667 FranTech Solutions
Detected #KongTuke infection chain
Compromised site
-->
swedrent[.]com/3c7b.js
-->
swedrent[.]com/js.php (ClickFix)
-->
hXXp://cloud-flaer-verif[.]com/log-in
New #SocGholish C2:
hXXps://cpanel.productdevelopmentplan[.]com/viewDashboard
cpanel.productdevelopmentplan[.]com
166[.]88.182.124
AS26383 Baxet Group Inc.
New #SocGholish C2:
hXXps://folders.emeraldpinesolutions[.]com/viewDashboard
folders.emeraldpinesolutions[.]com
23[.]146.184.117
AS399820 Atomic Networks LLC
Detected #KongTuke infection chain
Compromised site
-->
swedrent[.]com/3c7b.js
-->
swedrent[.]com/js.php (ClickFix)
-->
devindicator[.]dev/webgl.wav
New #SocGholish C2:
hXXps://photo.suziestuder[.]com/viewDashboard
photo.suziestuder[.]com
23[.]27.134.21
AS12083 WideOpenWest Finance LLC
New #SocGholish C2:
hXXps://app.symphoniabags[.]com/ajaxAction
app.symphoniabags[.]com
194[.]213.18.10
AS62240 Clouvider
New #SocGholish C2:
hXXps://www[.]stirngo[.]com/ajaxAction
www[.]stirngo[.]com
166[.]88.159.146
AS26383 Baxet Group Inc.