abuse-ch.bsky.social
@abuse-ch.bsky.social
Fighting malware and botnets
Yet another new stealer in town: #ArkanixStealer 🔥

%AppData%\Arkanix_lol\history.json
%AppData%\Arkanix_lol\system_info.json
%AppData%\Arkanix_lol\screenshot_monitor_1.png

Arkanix botnet C2:
📡 arkanix .pw/api/session/create
📡 arkanix .pw/delivery
📡 arkanix .pw/api/discord-injection/template
November 19, 2025 at 8:30 AM
Potential new stealer dropped by #Amadey 🤖🔍Who can name it? ⤵️

👉 hunting.abuse.ch/hunt/6919ec1...

Botnet C2 domains:
📡defender-temeerty .sbs
📡telemetry-defender .lol

Botnet C2 server:
🛑185.100.157.69:443 (Partner Hosting 🇬🇧)

Malware sample:
📄 bazaar.abuse.ch/sample/903cd...
November 16, 2025 at 3:27 PM
#OpEndgame 📣: We assisted in the takedown of infrastructure associated with #Rhadamanthys and share a full list of botnet C2s on ThreatFox 🦊

Full list of Rhadamanthys botnet C2s:
📡 threatfox.abuse.ch/browse/tag/O...

Europol press release:
🚨 www.europol.europa.eu/media-press/...
November 13, 2025 at 10:24 AM
Over the past 30 days, our community shared 27,165 new #IOCs on ThreatFox 🦊 — an 18% increase from the previous month.

👏 Huge shoutout to Juroots, our top contributor with 2,746 IOCs submitted.

💀 The most-shared malware family (or in this case framework)? Clearfake, with 2,817 IOCs reported. ⤵️
November 11, 2025 at 4:41 PM
🎉 Thanks to our AMAZING community, MalwareBazaar has reached a significant milestone - over 1 MILLION malware samples shared!! We simply couldn't achieve this without the efforts of our contributors and we want to say a massive THANK YOU 🙏🙏

#milestone #community #grateful #sharingiscaring 😻
November 5, 2025 at 1:45 PM
Interesting bash script, fully undetected (FUD) 🔥. It conducts various modifications on Linux-based systems ⚙️ and uses iptables to forward certain ports to a C2 🔀: 45.156.87.37

Malicious bash script:
📜https://bazaar.abuse.ch/sample/27e2a9abfeb5f72746931dff55cd21b6631bab3aa13d8a1cb67c9319d8692229/
November 3, 2025 at 2:50 PM
Over the last 30 days URLhaus sent out 41,270 abuse reports to hosting providers and network owners - that's up +48.88% on the previous month! 📈

That’s all you. That’s the power of our #community🤘

#AmazingWork #SharingIsCaring
October 17, 2025 at 12:37 PM
Looks like this #Mirai threat actor is a BIG fan of our URLhaus platform 😜

👉 hXXp://45.141.215.196/FuckYou0urlhaus0abuse0ch/

We thought we'd send a little love back to the threat actor... their server’s been taken down, and their #botnet C2 domain is now sinkholed. 😘 ⤵️
October 10, 2025 at 1:12 PM
📣 Big thanks to MalwareBazaar Top Contributor "JAMESWT_WT" 🙇

First seen on 30 March 2020, and since then they've shared 45,994 malware samples.

In the last 30 days alone, they have dropped 1,472 new samples; that's +30% ⬆️ from the previous month, with 631 samples shared on September 30th. 🔥🔥
October 6, 2025 at 12:30 PM
Over the last 30 days, the community shared 26,575 #IOCs on ThreatFox 🦊. That's an 83% jump on the previous month. 🚀 And topping the charts: XtremeRAT, with 6,640 IOCs 💀

Find more ThreatFox statistics here:
👉 threatfox.abuse.ch/statistics

#SharingIsCaring #XtremeRAT #Malware #ThreatIntel
September 30, 2025 at 12:45 PM
🔥 "Kamasers" is a DDoS botnet, first seen in August, and dropped by Amadey. The malware name was adapted from the User-Agent used during network communication with the C2 server. The first time we encountered it, the sample was written in Golang. ⤵️
September 26, 2025 at 2:06 PM
We’ve just rolled out two new features on MalwareBazaar 🆕 👀

➡️ OpenTIP integration: Results from @kasperskylab.bsky.social OpenTIP are now included for all samples on MalwareBazaar, available via both UI and API 🖥️
September 2, 2025 at 1:49 PM
Since the end of August we have observed the infamous #LummaStealer communicating with DGA-like domain names. We have seen such domains across 3 distinct IP addresses, all sharing the same SSL certificate ⤵️

129.226.128.168:443 (Tencent 🇨🇳)
31.220.109.219:443 (Hostinger 🇺🇸)
165.227.143.219:443 (DigitalOcean🇺🇸)
September 1, 2025 at 12:56 PM
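The pivot described in the post above (DGA-like domains tied together by one certificate seen on several IPs) can be reproduced offline from passive-DNS/TLS observations. The block below is an added example, not abuse.ch's code: the three IPs come from the post, while the domains, certificate fingerprints and the DGA heuristic (label length, character entropy, vowel ratio) are constructed assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed observations: (domain, ip, fingerprint of the served certificate).
# The IPs are the three from the post; domains and fingerprints are made up for the example.
OBSERVATIONS = [
    ("qzkvdjwpxl.top", "129.226.128.168", "fp-shared-constructed"),
    ("rhtbmfwnzk.shop", "31.220.109.219", "fp-shared-constructed"),
    ("xwgpqlmvtr.cfd", "165.227.143.219", "fp-shared-constructed"),
    ("example.com", "203.0.113.10", "fp-other-constructed"),
    ("update-service.net", "203.0.113.10", "fp-other-constructed"),
]

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the string's own symbol distribution."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(domain: str) -> bool:
    """Crude DGA heuristic on the registrable label: long, high-entropy and vowel-poor.

    Thresholds are assumptions for the example; tune them against your own traffic."""
    label = domain.lower().split(".")[-2]
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio <= 0.3


def cluster_by_cert(observations):
    """Group domains and IPs by the certificate fingerprint they were served with."""
    clusters = defaultdict(lambda: {"domains": set(), "ips": set()})
    for domain, ip, fingerprint in observations:
        clusters[fingerprint]["domains"].add(domain)
        clusters[fingerprint]["ips"].add(ip)
    return clusters


def shared_infrastructure(observations, min_ips: int = 2):
    """Certificates seen on at least min_ips distinct IPs, with their DGA-like domains.

    Returns {fingerprint: (sorted ips, sorted dga-like domains)}."""
    result = {}
    for fingerprint, cluster in cluster_by_cert(observations).items():
        if len(cluster["ips"]) >= min_ips:
            dga_domains = sorted(d for d in cluster["domains"] if looks_dga(d))
            result[fingerprint] = (sorted(cluster["ips"]), dga_domains)
    return result


if __name__ == "__main__":
    for fingerprint, (ips, domains) in shared_infrastructure(OBSERVATIONS).items():
        print(fingerprint, ips, domains)
```

The certificate pivot is the stronger signal of the two: the DGA heuristic only ranks candidates, while a single certificate reused across unrelated hosting providers is hard to explain innocently and gives you a block or hunt key that survives the next domain rotation.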
We encountered a new loader advertised as "Morpheus" in underground forums 🕵️, recently dropped by #Amadey ⬇️🪲. Morpheus' C2 protocol is based on HTTP and works with tasks, where each task consists of an ID and a command 📣

Botnet C2: sophos-upd-srv .info 🇳🇱
August 20, 2025 at 11:49 AM
Fresh Amadey botnet C2 domains 🪲🔍👀⤵️

microsoft-telemetry .cc
telemety-sys .lol
telemety-xbox .lol
witasametry .live
telamtykina .live
telemetrywatson .live

More Amadey IOCs are available on ThreatFox 🦊:
📡https://threatfox.abuse.ch/browse/malware/win.amadey/
August 19, 2025 at 6:08 PM
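The indicators in this feed are defanged in several ways ("arkanix .pw", "51.89.204 .89", "hXXp://", "185.100.157.69:443", "178.22.24.0/24"), so they have to be normalised before they can be matched against logs. The block below is an added example, not abuse.ch's or ThreatFox's code: it refangs the indicators quoted from the posts above, classifies them as domain, IP or CIDR, and runs them over constructed DNS and firewall log lines (the log lines, field names and the `IocSet` class are assumptions made for the example).

```python
import ipaddress
import re

# Defanged indicators copied from the posts above (the "host .tld" / "hXXp" spelling is the
# feed's own); everything else in this block is constructed for the example.
DEFANGED_IOCS = [
    "arkanix .pw",
    "defender-temeerty .sbs",
    "telemetry-defender .lol",
    "microsoft-telemetry .cc",
    "telemety-sys .lol",
    "185.100.157.69:443",
    "51.89.204 .89",
    "hXXp://45.141.215.196/FuckYou0urlhaus0abuse0ch/",
    "178.22.24.0/24",
]


def refang(ioc: str) -> str:
    """Undo the common defanging conventions: 'hXXp', '[.]'-style brackets, 'host .tld' spaces."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for bracketed in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(bracketed, ".")
    s = re.sub(r"\s*\.\s*", ".", s)  # "arkanix .pw" -> "arkanix.pw", "51.89.204 .89" -> "51.89.204.89"
    return s


def normalize(ioc: str):
    """Refang and classify one indicator as ('domain'|'ip'|'cidr', value); URLs reduce to their host."""
    s = refang(ioc)
    if "://" in s:
        s = s.split("://", 1)[1].split("/", 1)[0]
    if "/" in s:
        return "cidr", ipaddress.ip_network(s, strict=False)
    host = re.sub(r":\d+$", "", s)  # drop a trailing :port
    try:
        return "ip", ipaddress.ip_address(host)
    except ValueError:
        return "domain", host.lower()


class IocSet:
    """Indicator set with exact IP, CIDR and domain (including subdomain) matching."""

    def __init__(self, defanged):
        self.domains, self.ips, self.networks = set(), set(), []
        for raw in defanged:
            kind, value = normalize(raw)
            if kind == "domain":
                self.domains.add(value)
            elif kind == "ip":
                self.ips.add(value)
            else:
                self.networks.append(value)

    def match(self, token: str):
        """Return the indicator that token hits, or None."""
        token = token.lower().rstrip(".")
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            labels = token.split(".")
            # walk up the hierarchy so cdn.telemetry-defender.lol hits telemetry-defender.lol
            for i in range(len(labels) - 1):
                candidate = ".".join(labels[i:])
                if candidate in self.domains:
                    return candidate
            return None
        if ip in self.ips:
            return str(ip)
        for net in self.networks:
            if ip in net:
                return str(net)
        return None


# Constructed sample log lines (not real traffic): a DNS query log and a firewall log.
SAMPLE_LOGS = [
    "2025-11-19T08:31:02Z dns client=10.0.5.12 query=arkanix.pw type=A",
    "2025-11-19T08:31:03Z dns client=10.0.5.12 query=www.example.com type=A",
    "2025-11-19T08:32:10Z fw src=10.0.5.12 dst=185.100.157.69 dport=443 action=allow",
    "2025-11-19T08:40:00Z fw src=178.22.24.77 dst=10.0.0.1 dport=443 action=allow",
    "2025-11-19T08:41:00Z dns client=10.0.5.40 query=cdn.telemetry-defender.lol type=A",
]

FIELD_RE = re.compile(r"\b(query|src|dst)=(\S+)")


def scan(lines, iocs: IocSet):
    """Return (field, value, matched_indicator) for every log field that hits the set."""
    hits = []
    for line in lines:
        for field, value in FIELD_RE.findall(line):
            matched = iocs.match(value)
            if matched:
                hits.append((field, value, matched))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, IocSet(DEFANGED_IOCS)):
        print(hit)
```

Matching parent domains is deliberate: C2 operators rotate subdomains freely, so a list keyed on the registrable domain catches "cdn.telemetry-defender.lol" as well as the bare name. For production use, pull the indicators from the ThreatFox export rather than from a social feed.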
You know you did something right if you get a false positive report on URLhaus with the words "fuck u" 😎 vtuber DDoS bot spreading through ThinkPHP RCE (CVE-2019-9082) ⤵️

urlhaus.abuse.ch/host/172.233...

Payload:
bazaar.abuse.ch/sample/dafb6...

IOCs:
threatfox.abuse.ch/browse/tag/D...
August 7, 2025 at 8:08 AM
SalatStealer (aka WEB_RAT) is on the rise 📈, heavily dropped by Amadey

Malware sample:
📄https://bazaar.abuse.ch/sample/8b94f5fa94f35e5ba47ce260b009b34401c5c54042d7b7252c8c7d13bf8d9f05/

Admin Panel:
📡https://salat .cn/login/ (Cloudflare)

GitHub:
🗜️https://github.com/webr-at/importantfiles/releases
August 5, 2025 at 1:18 PM
Compromised travel agency in Sri Lanka 🇱🇰 spreading fake Royal Air Maroc ✈️🇲🇦emails with a weaponized PDF 📄 that leads to a rogue ConnectWise ScreenConnect download 🔥

➡️ hunting.abuse.ch/hunt/6890d35...

Payload delivery URL + botnet C2 are hosted at 51.89.204 .89 (StarkRDP 🇩🇪)
August 4, 2025 at 4:08 PM
We've observed an interesting infection chain ⛓️ in the wild, starting with #LummaStealer spread through a fake gaming website and resulting in #Latrodectus and #SectopRat 🪲🔍👀

See below for more...
July 31, 2025 at 11:54 AM
Community is at the heart of what we do at abuse.ch ❤️

To protect the future of the platforms and the community behind them, we've been making changes. Read more ⤵️ abuse.ch/blog/creatin...
July 29, 2025 at 2:30 PM
Heads up if you operate a Fortinet or Citrix device ⚠️🚨 Various IP addresses from 178.22.24.0/24 (AS209290 GALEON-AS 🇷🇺) are currently heavily running exploitation attempts against vulnerable Fortinet and Citrix NetScaler devices 🔥

You may want to block this network at your network edge 🛑
July 28, 2025 at 12:26 PM
After NoName057(16) got hit by Europol🇪🇺, they are whining around and talking about a new "digital war" that has just begun🤡

It's 🍿 time!
July 24, 2025 at 11:49 AM
Another #DarkWatchMan campaign began on 15th June, with multiple waves over the following two days🔥 ⤵️
July 17, 2025 at 1:52 PM
Unknown Java #RAT using Halkbank as a lure 🪝, targeting Turkish citizens 🇹🇷

Halkbank Ekstre.jar
\strlogs\keylogs_4558.html

Botnet C2:
📡77.90.153.31:5590 (AS214943 RAILNET 🇺🇸)

Malware sample:
📄https://bazaar.abuse.ch/sample/daf23a217b188f63657b051fda8bbd6eb341172b9519b9b5bff1a60eb4dda5a1/
July 14, 2025 at 11:38 AM