crep1x
crep1x.bsky.social
Lead cybercrime analyst, tracking adversaries' activities & infrastructure, at @sekoia.io
Tycoon 2FA (a prominent AitM phishing kit), targeting Microsoft and Google accounts, uses a new CAPTCHA page instead of the custom Cloudflare Turnstile page

e.g.
hxxps://ymi.bvyunz.]ru/3v4jfQ-cUo/
hxxps://xau.kolivax.]ru/ckYHFJN/
hxxps://ffqt.lzirleg.]es/VajlR/

⬇️
March 24, 2025 at 12:56 PM
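The IoCs above are defanged in the usual CTI style (`hxxps://`, `.]`), so they cannot be pasted into a blocklist as-is. The following is an added example, not code from the post or from Sekoia: a small normaliser that refangs an indicator, extracts its host and collapses it to a registered domain. It is written slightly more generally than the page needs (it also handles the `[.]`, `(.)`, `{.}` and `[:]` substitutions); the `registered_domain` helper is a naive last-two-labels approximation, which is an assumption that holds for the `.ru`/`.es` hosts here but not for multi-label public suffixes.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the three defanged Tycoon 2FA CAPTCHA-page URLs
# from the post, exactly as published.
DEFANGED_IOCS = [
    "hxxps://ymi.bvyunz.]ru/3v4jfQ-cUo/",
    "hxxps://xau.kolivax.]ru/ckYHFJN/",
    "hxxps://ffqt.lzirleg.]es/VajlR/",
]


def refang(ioc: str) -> str:
    """Undo common CTI defanging so the indicator can be parsed.

    Handles the hxxp(s):// scheme, the ".]", "[.]", "[.", "(.)" and "{.}"
    dot substitutions and the "[:]" separator. Assumption: the IoC is a
    single token with no surrounding prose.
    """
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    s = re.sub(r"\[\.\]|\.\]|\[\.|\(\.\)|\{\.\}", ".", s)
    s = s.replace("[:]", ":")
    return s


def extract_host(ioc: str) -> str:
    """Return the lowercase hostname of a (possibly defanged) URL IoC."""
    host = urlsplit(refang(ioc)).hostname
    if not host:
        raise ValueError(f"no host in IoC: {ioc!r}")
    return host.lower()


def registered_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels (assumption; use a public-suffix
    list in a real pipeline, e.g. for .co.uk-style suffixes)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def build_blocklist(iocs):
    """Map each IoC to (host, registered domain), deduplicated and sorted,
    ready to feed a DNS sinkhole or proxy blocklist."""
    seen = {}
    for ioc in iocs:
        host = extract_host(ioc)
        seen[host] = registered_domain(host)
    return sorted(seen.items())


if __name__ == "__main__":
    for host, domain in build_blocklist(DEFANGED_IOCS):
        print(f"{host:<20} -> {domain}")
```

Blocking on the registered domain rather than the full host is a design choice: kits like this one rotate the subdomain label far more often than the registered domain, so the wider entry ages better.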
#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.

cc @plebourhis.bsky.social @sekoia.io

1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding

2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic

⬇️
March 6, 2025 at 10:50 AM
Around 1,000 malicious domains are hosting webpages impersonating Reddit and WeTransfer, redirecting users to download password-protected archives

These archives contain an AutoIt dropper, which we internally named #SelfAU3 Dropper at @sekoia.io and which executes #Lumma Stealer

IoCs ⬇️
January 20, 2025 at 6:13 PM
Recent update in #Vidar C2 servers configuration:
HTTP Location header set to "hxxps://t.]me", instead of "hxxps://google.]com"

Heuristic to track C2 IPs and domains on Censys:
search.censys.io/search?resou...

Dead Drop Resolvers (DDR) of the week:
hxxps://t.]me/no111p

⬇️
January 8, 2025 at 8:13 AM
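The heuristic in the post is a response-shape check: a Vidar C2 answers an unexpected probe with a redirect whose Location header is exactly `https://t.me` (newer configuration) or `https://google.com` (older one). The following is an added example, not code from the post or from Sekoia, showing how that check can be applied to raw HTTP responses collected from candidate hosts (for instance the result set of the Censys query the post links to). The three responses are constructed samples, not real captures, and the label strings are my own.

```python
from typing import Optional

# Constructed sample responses (not real captures) illustrating the two
# Vidar configurations described in the post and one unrelated redirect.
SAMPLE_NEW = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx\r\n"
    "Location: https://t.me\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_OLD = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://google.com\r\n"
    "\r\n"
)
SAMPLE_BENIGN = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/\r\n"
    "\r\n"
)

# Location values the post associates with Vidar C2 servers, refanged.
VIDAR_LOCATIONS = {
    "https://t.me": "vidar-c2-candidate (new config)",
    "https://google.com": "vidar-c2-candidate (old config)",
}


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers).

    Header names are lowercased so lookups are case-insensitive; only the
    head is parsed, the body is ignored.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(raw: str) -> Optional[str]:
    """Return a label when the response matches the heuristic, else None.

    Match condition: a 3xx status whose Location is exactly one of the known
    values (trailing slash stripped, case-folded). A bare redirect to t.me is
    a pivot signal for infrastructure tracking, not proof on its own, so the
    result should be enriched (hosting, certificate, port set) before acting.
    """
    status, headers = parse_response(raw)
    if not 300 <= status < 400:
        return None
    location = headers.get("location", "").rstrip("/").lower()
    return VIDAR_LOCATIONS.get(location)


def triage(samples):
    """Classify a mapping of name -> raw response; None means no match."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(
        {"new": SAMPLE_NEW, "old": SAMPLE_OLD, "benign": SAMPLE_BENIGN}
    ).items():
        print(f"{name:<7} {verdict}")
```

The exact-match rule on the Location value is deliberate: plenty of legitimate hosts redirect somewhere under `t.me/` or `google.com/`, and the distinguishing feature in the post is the bare origin with no path, so loosening the comparison to a prefix would flood the result with false positives.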