A 2,253-byte ZIP posing as API documentation for a fake forex CRM delivers a four-stage chain: LNK trojan with conhost --headless hiding, a compiled AutoIt downloader, a PNG/ZIP polyglot Python bundle, and a previously undocumented Socket.IO RAT named ASYNCBOTNET that monitors 14 crypto wallets and 12 exchanges. A single TLS certificate ties WealthGAF to a 13-brand fake forex platform cluster, all sharing the same Kubernetes C2 origin.
grep -rl "threat-intel" ./posts
#threat-intel
13 matches
A WsgiDAV opendir tip from @smica83 leads to a live SERPENTINE#CLOUD staging server on a Cloudflare Tunnel. Three BAT files, two delivery paths, four Python runtimes, an Early Bird APC DLL, and a naming convention that traces the campaign back to December 2022.
File timestamps preserved inside a 9.1GB archive found on a Chinese threat actor's staging server let us reconstruct a complete intrusion: WordPress web shell to DirtyPipe container escape, socat tunnelling, fscan credential spray across 164 government machines, and 754MB of internal GitLab source code — all in eight weeks.
A Shodan hit on an Alibaba Cloud Singapore IP leads to a 9.1GB archive that turns out to be an attacker's working directory from inside a compromised Brazilian government server — containing a DirtyPipe exploit, fscan lateral movement results across the GDF internal network, 164 confirmed credential compromises, and 754MB of exfiltrated GitLab source code.
A Shodan scan for Singapore open directories surfaces a TRUMVPS server that has been quietly hosting the same .NET credential stealer — under the same filename — since 2021. The current build has zero detections.
A ZIP archive impersonating wartime asset disclosure paperwork delivers a two-stage LNK→PowerShell downloader to Ukrainian targets — with a geo-fenced C2 that returns 403 to every sandbox that tries to fetch the payload.
How a mass Next.js exploitation campaign named after the President is quietly backdooring AWS Singapore, DigitalOcean, and anything else it can reach
A CHM file themed around restricted Pakistani defense exhibitions drops a Nuitka-compiled Python backdoor named after the country's annual military budget document. The C2 routes through a G-Core CDN edge node shared with Microsoft Windows Update traffic — designed to disappear into network telemetry.
A Windows URL shortcut disguised as a PDF had 1/75 detections at submission time. It used the WebDAV-over-HTTP UNC trick to silently execute an EXE off a Hong Kong opendir. Two stages later: a silent NetSupport Manager install beaconing to a 16-day-old C2 domain while Telegram told the operator their new victim was live.
A RAR renamed .z to bypass filters drops a Silverfox InnoSetup installer with a spreader payload. Three lures in one campaign: industrial safety training, a Chinese company seal, and an HR recruitment form. The C2 IP hosted Chinese gambling sites from late 2023 into early 2024.
A WsgiDAV opendir gave me staging payloads and a leaked debug log. AES config RE confirmed all six C2 IPs and the full encrypted capability set. PE build timestamp forensics revealed two back-to-back build sessions; the operator's dropper cluster leaked their build-system path on VirusTotal. Neo4j graph of 70 nodes across 3 cloud providers. YARA rules included.
VirusTotal called it PlugX. It broke down into an RC4 layer I could crack offline, a ScatterBrain-flavoured shellcode stub, and then a wall: the real implant is sealed with machine-scoped DPAPI, so it only decrypts on the one victim it was built for. Here's everything up to that wall, why the wall is the whole point, and why I think this is closer to ShadowPad than PlugX.
A single XOR'd Canon.dat turned into a campaign map: reversing the CanonStager loader, writing a memory-based config extractor, pulling the related samples, and walking nine builds out to their CloudFlare-fronted C2 origins.