Paul Melson

@[email protected]
540 Followers
114 Following
154 Posts
Blue Team by day, Blue Team by night. Opinions, typos, and awful code do not represent my employer. Author/Operator of https://infosec.exchange/@ScumBots
Twitterhttps://twitter.com/pmelson
GitHubhttps://github.com/pmelson
PronounsHe/Him
Paul MelsonMar 27
Ugh, why does this work?! (I mean, I know how it works, but what was the thought process behind what’s essentially executing the stdout of a command? We’ve come so far and learned so little from our past mistakes.)
Paul MelsonJan 7

RE: https://infosec.exchange/@ScumBots/115850383845467081

This Meterpreter reverse shell was part of an intrusion set tied to an actor claiming to be a KeyGroup777 member and this HiddenTear ransomware payload: https://www.virustotal.com/gui/file/62ecd3ec595452e7f01a9eeab6ae619f61648e5b6cb01c23c5ca2c03f59ec778/summary

Paul MelsonOct 3, 2025

If you’re not alreadyalerting on

CONHOST.EXE spawning CMD.EXE spawning WGET.EXE

or

CONHOST.EXE spawning CONHOST.EXE spawning CONHOST.EXE

you’re gonna want to close that gap today.

Paul MelsonAug 12, 2025
Cats out here charging for RATs that anyone can download for free from GitHub. Good thing there's a money-back guarantee..? 🙄
Paul MelsonJul 22, 2025

Don’t miss the use of ngrok for tunneling here. Continue to see malicious actors use this service to hide C2 and phising site origin servers. Ngrok uses AWS IPs across multiple zones for egress NAT. I recommend sinkholing their domains across your network.

ngrok[.]com
ngrok[.]io
ngrok-free[.]app

https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/

Disrupting active exploitation of on-premises SharePoint vulnerabilities | Microsoft Security Blog

Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities. Customers should apply these updates immediately to ensure they are protected.

Microsoft Security Blog
Paul MelsonJun 28, 2025
It’s that time again. Apparently.
Show threadPaul MelsonJun 17, 2025
hXXps://pastebin[.]com/raw/e7v0yaN1
-> hXXps://nitrorub[.]com/mnoiqwep.zip
--> 94[.]158[.]245[.]135:443
Show threadPaul MelsonJun 17, 2025
hXXps://pastebin[.]com/raw/DMNmyfEZ
-> hXXps://buttehighsilverbs[.]com/qwepjila.zip
--> 94[.]158[.]245[.]135:443
Show threadPaul MelsonJun 17, 2025
hXXps://pastebin[.]com/raw/CTBw9UYq
-> hXXp://mba-link[.]com/qwepbexu.zip
--> 94[.]158[.]245[.]135:443
Show threadPaul MelsonJun 17, 2025
hXXps://pastebin[.]com/raw/bLpSKu1r
-> hXXps://aquafestonline[.]com/smoefyeo.zip
--> 94[.]158[.]245[.]135:443