abuse-ch.bsky.social
@abuse-ch.bsky.social
Fighting malware and botnets
Malware sample ⤵️
bazaar.abuse.ch/sample/d6316...
MalwareBazaar - file (RemoteX)
file has been detected as RemoteX by MalwareBazaar
bazaar.abuse.ch
February 2, 2026 at 2:40 PM
Yet another RAT in town: RemoteX🖥️🖱️

🪲 Dropped by Amadey
📃 Written in Golang
💻 Uses HKCU\...\CurrentVersion\Run\RemoteX for persistence (lame 🚽)
🌐 Uses WebSocket for C2 communication
🕵️‍♂️ Unauthenticated RAT admin panel 🤡

Botnet C2:
📡 109.107.168.147:80 (Partner Hosting LTD 🇬🇧)
February 2, 2026 at 2:40 PM
Xillen Stealer 🎣, heavily dropped by Amadey 🔥

Botnet C2:
https://goldenring[.]live/api/logs/check

"Invisible. Undetectedable. Unstopable." 🤡

👉 github.com/BengaminButt...

Samples ⤵️
bazaar.abuse.ch/browse/signa...

Additional IOCs on ThreatFox 🦊
threatfox.abuse.ch/browse/tag/X...
January 30, 2026 at 12:31 PM
Reposted
Thank you @spamhaustech.bsky.social & @abuse-ch.bsky.social for being #PIVOTcon26 Silver Sponsor 🎉

Read more about alliance: abuse.ch & spamhaus.com
This alliance empowers the largest independently crowdsourced intelligence of tracked malware and botnets
pivotcon.org/sponsors
#CTI #ThreatIntel
January 20, 2026 at 2:11 PM
Brazilian banker 🇧🇷 caught by @johnk3r 🎣

GHOST panel 🧐

007consultoriafinanceira .net
83.229.17.124:80 Clouvider 🇺🇸

Payload delivery URL:
🌐https://urlhaus.abuse.ch/url/3759148/

Malware sample (MSI):
⚙️https://bazaar.abuse.ch/sample/2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21/
January 16, 2026 at 7:21 PM
Payload hosted on Cloudflare R2 bucket, but already got nuked due to an abuse report from URLhaus 🙌
🌐 urlhaus.abuse.ch/url/3751500/

LogMeIn #GoToResolve payload 📄
bazaar.abuse.ch/sample/77e22...
MalwareBazaar - PicturesPreview.exe (GoToResolve)
PicturesPreview.exe has been detected as GoToResolve by MalwareBazaar
bazaar.abuse.ch
January 6, 2026 at 6:48 PM
Malspam sent from Microsoft Outlook that is spreading #LogMeIn GoToResolve RMM, enabling threat actors to access the victim's machine from remote 💻🔍🕵️

IOCs:
📡 adwestmailcenter .com ➡️ Landing page
📡 insightme .im ➡️ fake PDF download
January 6, 2026 at 6:48 PM
CHICXULUB IMPACT 💥

Botnet C2 URLs:
📡 turbokent .name/api/initialize
📡 turbokent .name/api/status

Sponsoring domain registrar: NICENIC 🇭🇰

Malware sample 📄:
bazaar.abuse.ch/sample/c32e1...
December 23, 2025 at 5:05 PM
Malware samples 🤖:
bazaar.abuse.ch/browse/tag/S...

IOCs available on ThreatFox 🦊:
threatfox.abuse.ch/browse/tag/S...
MalwareBazaar - Tag SantaStealer
Hunt for malware samples tagged with tag 'SantaStealer'
bazaar.abuse.ch
December 18, 2025 at 9:46 AM
New Stealer in town: SantaStealer 🎅🎄

Botnet C2s ➡️all hosted at AS399486 VIRTUO 🇨🇦:
📡31.57.38.119:6767
📡31.57.38.244:6767
📡80.76.49.114:6767

Stealer admin panel (via @darkwebinformer.com 💪):
🕵️ stealer. su

Artifacts 💻:
C:\tempLog\Clipboard.txt
%LocalAppData%\Temp\passwordslog.txt
Rapid7 @rapid7.com · Dec 15
'Tis the season for a new infostealer: #SantaStealer. Active promotion on Telegram and underground forums state the malware-as-a-service plans to be released before year-end.

Rapid7 Labs analyzed unstripped samples to detail how it operates and what defenders should know: https://r-7.co/4q5pk75
SantaStealer is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums | Rapid7 Blog
Rapid7 Website
r-7.co
December 18, 2025 at 9:46 AM
Love letter ❤️ from a threat actor 🕵️exploiting React2Shell vulnerability (CVE-2025-55182) to spread #Mirai malware ⤵️

fuckoffurlhaus 😂

Payload URLs:
🌐 urlhaus.abuse.ch/host/45.153....

Mirai botnet C2s:
📡 marvisxoxo .st (ISTanCo 🇷🇸)
📡 45.156.87 .231:23789 (AS51396 PFCLOUD 🇩🇪)
December 16, 2025 at 7:15 AM
The same malware is also being spread by #Amadey pay-per-install (PPI):
➡️ urlhaus.abuse.ch/url/3733103/
URLhaus - http://w2socks.xyz/uploads/5aba4745e080f54e.msi
Malware distribution site: http://w2socks.xyz/uploads/5aba4745e080f54e.msi
urlhaus.abuse.ch
December 15, 2025 at 7:40 AM
Unknown malware using WebSockets for botnet command & control, spreading through #ClickFix ⤵️

🖱️ClickFix -> 📃VBS -> ⚙️MSI

Payload delivery host:
🌐https://urlhaus.abuse.ch/host/103.27.157.60/

Malware sample 🤖:
bazaar.abuse.ch/sample/4d8e5...

Botnet C2 domains:
📡w2li .xyz
📡w2socks .xyz
December 15, 2025 at 7:40 AM
MalwareBazaar - pew63 (Mirai)
pew63 has been detected as Mirai by MalwareBazaar
bazaar.abuse.ch
December 10, 2025 at 4:56 AM
Exploitation of recent React RCE vuln (CVE-2025-55182 - #React2Shell) leading to #Mirai infection ⤵️

Botnet Mirai C2 domains 📡:
fuckphillipthegerman .ru

Botnet Mirai C2 servers, all hosted at FORTIS 🇷🇺:
138.124.72.251:52896
138.124.69.154:60328
5.144.176.19:60328
December 10, 2025 at 4:56 AM
MaksRAT

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\javacom

Botnet C2s 📡
104.198.24 .41:6656
avocado .gay
www.foldacces .online
www.makslove .xyz
www.mavenrat .xyz
www.blackprofit .online

Sample shared by @smica83 💪
bazaar.abuse.ch/sample/88310...

IOCs
threatfox.abuse.ch/browse/tag/M...
December 8, 2025 at 3:41 PM
Mirai malware sample:

🤖 bazaar.abuse.ch/sample/11248...

More #Mirai IOCs are available on ThreatFox:

🦊 threatfox.abuse.ch/browse/malwa...
MalwareBazaar - data.arm7 (Mirai)
data.arm7 has been detected as Mirai by MalwareBazaar
bazaar.abuse.ch
December 5, 2025 at 11:41 AM
Mirai campaign spreading through 213.209.143.85 (Railnet 🇳🇱), messing around with the victim's system iptables 🤔

Mirai botnet C2 domain:
womp.datasurge .vip (NameCheap 🇺🇸)

Mirai botnet C2 server:
176.65.148.57:6969 (Pfcloud 🇩🇪)

Payload URL:
🌐 urlhaus.abuse.ch/url/3725743/
December 5, 2025 at 11:41 AM
More #Mirai IOCs are available on ThreatFox:
🦊 threatfox.abuse.ch/browse/malwa...
ThreatFox - Mirai
Hunt for Mirai IOCs on ThreatFox
threatfox.abuse.ch
December 4, 2025 at 6:57 AM
Mirai botnet #zerobot spreading through 172.86.123.179 (cloudzy 🇦🇪) ⤵️

Mirai botnet C2 domain:
0bot.qzz .io (Gandi SAS 🇫🇷)

Mirai botnet C2 server:
140.233.190.96:69 (Internet Magnate 🇿🇦)

Payload URLs:
🌐 urlhaus.abuse.ch/host/172.86....

Mirai malware sample:
🤖 bazaar.abuse.ch/sample/9f64e...
December 4, 2025 at 6:57 AM
URLhaus simply wouldn't exist without the help of awesome and committed contributors like this who diligently report malware URLs everyday 🙏

URLhaus stats ➡️ urlhaus.abuse.ch/statistics/
URLhaus ➡️ urlhaus.abuse.ch

🫶 #SharingIsCaring #Community #StrengthInUnity
December 3, 2025 at 2:30 PM
🎉 Massive shout out to URLhaus Top Contributor “geenensp”

First seen April 13th 2020 and since then, they’ve shared an unbelievable 844,345 malware URLs!! 😮 Over the last 30 days, they have shared 8,902 URLs, firmly securing their position at the top of the leaderboard 💪 ⤵️
December 3, 2025 at 2:30 PM
GrokPy malware samples on MalwareBazaar:
📄 bazaar.abuse.ch/browse/signa...

Botnet C2s on ThreatFox:
🦊 threatfox.abuse.ch/browse/tag/G...
November 27, 2025 at 3:55 PM
🔍 has OCR capabilities for screenshots obtained via CDP, which are used to extract text from captcha
🤖 uses a Grok LLM model that resides in the botnet C2 server to solve the captcha

Botnet C2 servers are all hosted at Hetzner 🇩🇪 on port 8008:
46[.]62.225.51 [active]
46[.]62.224.205
46[.]62.205.38
November 27, 2025 at 3:55 PM
👱 creates new accounts on Discord to obtain authentication tokens, which are then reported back to the botnet C2
📧 uses dilly + [a-zA-Z0-9]{8,11}@gmail.com + password [a-zA-Z0-9]{8} as the email and password for the Discord registration process
November 27, 2025 at 3:55 PM
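Every C2 line in this feed is defanged in one of a few styles ("goldenring[.]live", "turbokent .name", "stealer. su", "45.156.87 .231:23789"), often with a leading emoji and a trailing hoster note. The following Python is an added example, not abuse.ch code or tooling: it refangs such lines, parses them into host, port and path, drops label lines and the feed's own abuse.ch report links, and re-defangs for sharing. The sample lines are copied from the posts above; the set of report hosts to ignore is an assumption of this example.

```python
"""Refang and normalize defanged IOC lines (added example, not abuse.ch tooling)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Defanging styles seen in the posts: "[.]", "(.)", "{.}", " .tld", "host. tld"
DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\s+\.|\.\s+")
LEADING_JUNK_RE = re.compile(r"^[^\w]+")                        # "📡 ", "🕵️ ", "🌐"
TRAILING_NOTE_RE = re.compile(r"\s*[\(\[][^\)\]]*[\)\]]\s*$")   # "(AS51396 PFCLOUD 🇩🇪)", "[active]"
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
# Assumption: the feed's own report links are not indicators and are skipped.
REPORT_HOSTS: Set[str] = {"bazaar.abuse.ch", "urlhaus.abuse.ch", "threatfox.abuse.ch"}


@dataclass(frozen=True)
class IOC:
    kind: str             # "ipv4", "ipv6", "domain" or "url"
    host: str
    port: Optional[int]
    path: str             # "" when no path was given
    scheme: Optional[str]  # None for bare host[:port][/path] forms

    def defang(self) -> str:
        """Re-defang for sharing: dots in the host become "[.]", http(s) becomes hxxp(s)."""
        host = self.host.replace(".", "[.]")
        if self.port is not None:
            host = f"{host}:{self.port}"
        if self.scheme:
            return f"{self.scheme.replace('http', 'hxxp')}://{host}{self.path}"
        return host + self.path


def refang(raw: str) -> str:
    """Strip leading emoji and trailing notes, then undo the defanging."""
    text = LEADING_JUNK_RE.sub("", raw.strip())
    text = TRAILING_NOTE_RE.sub("", text)
    text = DEFANG_RE.sub(".", text)
    return re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)


def parse_ioc(raw: str) -> IOC:
    """Parse one line into an IOC; raises ValueError for anything that is not one."""
    value = refang(raw)
    if "://" in value:
        parts = urlsplit(value)
        scheme, host, port, path = parts.scheme.lower(), parts.hostname, parts.port, parts.path
    else:  # bare "host[:port][/path]" (IPv4 or domain host only in this form)
        host_port, slash, rest = value.partition("/")
        host, colon, port_str = host_port.partition(":")
        port = int(port_str) if colon else None   # int("") raises ValueError for "Label:" lines
        scheme, path = None, (slash + rest if slash else "")
    if not host:
        raise ValueError(f"no host in {raw!r}")
    host = host.lower()
    try:
        kind = f"ipv{ipaddress.ip_address(host).version}"
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"not a hostname or IP: {host!r} (from {raw!r})")
        kind = "domain"
    if path or scheme:
        kind = "url"
    return IOC(kind, host, port, path, scheme)


def normalize(lines: Iterable[str], ignore_hosts: Set[str] = REPORT_HOSTS) -> List[IOC]:
    """Refang, parse, dedupe and sort IOC lines, skipping labels and report links."""
    found = set()
    for line in lines:
        try:
            ioc = parse_ioc(line)
        except ValueError:
            continue
        if ioc.host not in ignore_hosts:
            found.add(ioc)
    return sorted(found, key=lambda i: (i.kind, i.host, i.port or 0, i.path, i.scheme or ""))


# Constructed sample: lines copied from the posts above, plus a label and a report link.
SAMPLE_LINES = [
    "📡 109.107.168.147:80 (Partner Hosting LTD 🇬🇧)",
    "https://goldenring[.]live/api/logs/check",
    "📡 turbokent .name/api/initialize",
    "🕵️ stealer. su",
    "📡 45.156.87 .231:23789 (AS51396 PFCLOUD 🇩🇪)",
    "46[.]62.225.51 [active]",
    "womp.datasurge .vip (NameCheap 🇺🇸)",
    "Botnet C2:",
    "urlhaus.abuse.ch/url/3759148/",
]

if __name__ == "__main__":
    for ioc in normalize(SAMPLE_LINES):
        print(f"{ioc.kind:7} {ioc.host}:{ioc.port or '-'} {ioc.path or '-'}  -> {ioc.defang()}")
```

The trailing-note regex only fires when the bracket group ends the line, so "[.]" inside a host survives until the defang pass; feeding the parser a whole post works because label lines ("Botnet C2:") fail the port conversion and are dropped.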