grep -rl "threat-intel" ./posts

#threat-intel

13 matches

WealthGAF and ASYNCBOTNET: A Fake Forex CRM Brand Built to Deliver a Four-Stage Python RAT

A 2,253-byte ZIP posing as API documentation for a fake forex CRM delivers a four-stage chain: LNK trojan with conhost --headless hiding, a compiled AutoIt downloader, a PNG/ZIP polyglot Python bundle, and a previously undocumented Socket.IO RAT named ASYNCBOTNET that monitors 14 crypto wallets and 12 exchanges. A single TLS certificate ties WealthGAF to a 13-brand fake forex platform cluster, all sharing the same Kubernetes C2 origin.

2026-07-04 · 19 min

Ice Scorpion on Alibaba: A Chinese Operator's Singapore Staging Server, 164 Compromised Brazilian Government Machines, and a 933MB Fake GPU Driver

A Shodan hit on an Alibaba Cloud Singapore IP leads to a 9.1GB archive that turns out to be an attacker's working directory from inside a compromised Brazilian government server — containing a DirtyPipe exploit, fscan lateral movement results across the GDF internal network, 164 confirmed credential compromises, and 754MB of exfiltrated GitLab source code.

2026-07-02 · 13 min

MegaDumper: One Staging Server, Five Years, Zero Detections

A Shodan scan for Singapore open directories surfaces a TRUMVPS server that has been quietly hosting the same .NET credential stealer — under the same filename — since 2021. The current build has zero detections.

2026-07-02 · 8 min

CHM Lure, Nuitka Python Backdoor, CDN Fronting: APT Targets Pakistan Military

A CHM file themed around restricted Pakistani defense exhibitions drops a Nuitka-compiled Python backdoor named after the country's annual military budget document. The C2 routes through a G-Core CDN edge node shared with Microsoft Windows Update traffic — designed to disappear into network telemetry.

2026-07-01 · 7 min

FUD .url, WebDAV Delivery, and a NetSupport RAT Phoning Home on Telegram

A Windows URL shortcut disguised as a PDF had 1/75 detections at submission time. It used the WebDAV-over-HTTP UNC trick to silently execute an EXE off a Hong Kong opendir. Two stages later: a silent NetSupport Manager install beaconing to a 16-day-old C2 domain while Telegram told the operator their new victim was live.

2026-07-01 · 11 min

Silverfox Dropper Campaign: Three Lures, One C2, Gambling Infrastructure

A RAR renamed .z to bypass filters drops a Silverfox InnoSetup installer with a spreader payload. Three lures in one campaign: industrial safety training, a Chinese company seal, and an HR recruitment form. The C2 IP hosted Chinese gambling sites from late 2023 into early 2024.

2026-07-01 · 8 min

One Tweet, Sixteen Servers: Pivoting the Chopi RAT Vishing Operation

A WsgiDAV opendir gave me staging payloads and a leaked debug log. AES config RE confirmed all six C2 IPs and the full encrypted capability set. PE build timestamp forensics revealed two back-to-back build sessions; the operator's dropper cluster leaked their build-system path on VirusTotal. Neo4j graph of 70 nodes across 3 cloud providers. YARA rules included.

2026-06-30 · 32 min

It Only Decrypts on the Victim: DPAPI Host-Locking in a ShadowPad .dat

VirusTotal called it PlugX. It broke down into an RC4 layer I could crack offline, a ScatterBrain-flavoured shellcode stub, and then a wall: the real implant is sealed with machine-scoped DPAPI, so it only decrypts on the one victim it was built for. Here's everything up to that wall, why the wall is the whole point, and why I think this is closer to ShadowPad than PlugX.

2026-06-30 · 11 min

← back to listing