crep1x (@crep1x.bsky.social)
Lead cybercrime analyst, tracking adversaries' activities & infrastructure, at @sekoia.io
As usual, we share multiple IoCs and YARA rules in our blog post and on our community GitHub: github.com/SEKOIA-IO/Co...
Community/IOCs/Interlock at main · SEKOIA-IO/Community
April 16, 2025 at 4:12 PM
By the way, Microsoft Threat Intelligence published an analysis yesterday on the same infection chain leveraging a new PowerShell loader/backdoor (without associating it with Interlock?)

www.microsoft.com/en-us/securi...
Threat actors misuse Node.js to deliver malware and other malicious payloads | Microsoft Security Blog
Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information...
April 16, 2025 at 4:12 PM
Current decoy pages used since 18 March, changing every 3/4 weeks since the beginning of 2025:

urlscan.io/search/#page...
March 24, 2025 at 12:56 PM
CTI tip: monitor transactions from the Ethereum address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA to identify new PowerShell commands distributed by ClearFake - and block/detect any traffic to malicious domains!

As usual, feedback is greatly appreciated!
March 20, 2025 at 6:50 PM
5. Further downloading and executing Rhadamanthys from:

bytes.microstorage.]shop/code.bin (virustotal.com/gui/file/a88...)

6. Communicating with C2 at:

91.240.118.]2:9769

Public analysis of the recent ClearFake variant: security.szustak.pl/etherhide/et...
March 6, 2025 at 10:50 AM
3. A malicious PowerShell command is copied into the user's clipboard to be executed in the Run dialog box

4. Downloading Emmenhtal from:

bytes.microstorage.]shop (1st stage)
w66.discoverconicalcrouton.]shop (2nd stage)

⬇️
March 6, 2025 at 10:50 AM
This is not planned at the moment! 😅
January 24, 2025 at 3:24 PM
Full domain list:

gist.githubusercontent.com/qbourgue/071...

Distribution URLs:
hxxps://reddit-15.gmvr.]org/topic/inxcuh?engine=opentext+encase+forensic
hxxps://wettransfer80.tynd.]org/file/abbstd

Lumma Stealer C2:
weighcobbweo.]top

Triage analysis:
tria.ge/250120-vzdzz...
January 20, 2025 at 6:13 PM
We confirm that the WikiKit phishing pages correspond to those of the Sneaky Log service, which we chose to name Sneaky 2FA!
January 16, 2025 at 4:44 PM
In late December 2024, TRACLabs analysed a Sneaky 2FA phishing campaign and dubbed the kit "WikiKit".

Meanwhile, we investigated another campaign that led to the discovery of Sneaky 2FA code, as well as the Telegram bot advertising and selling it.
January 16, 2025 at 4:44 PM
hxxps://steamcommunity.]com/profiles/76561199816275252

Some active C2s:
wltk03.]sbs
95.217.25.]164
94.130.191.]182
quils.]live
grutt.]click
116.203.13.]109
37.27.214.]36

Find more #Vidar IoCs on ThreatFox:
threatfox.abuse.ch/browse/malwa...
January 8, 2025 at 8:13 AM
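The posts above share their indicators defanged (`hxxps://`, `.]`, `[.]`), and only the malicious infrastructure is defanged while benign references such as github.com stay intact. The script below is an added example (not code from crep1x, Sekoia or any linked repository) showing how a defender can turn such posts into a clean blocklist: it refangs only the tokens that carry a defang marker, classifies each as a domain, IP/IP:port or URL, and splits them into DNS and network blocklists. The sample post, the `example.test` hostnames and the RFC 5737 test addresses are constructed for the example.

```python
"""Parse defanged IoCs from CTI posts into normalised indicators (added example).

Handles the conventions seen in the thread: 'hxxp(s)://', '[.]', '.]', '[.' and '[:]'.
Only tokens carrying a defang marker are treated as indicators, because in these
posts the defanging itself is the signal that a host is malicious.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

DEFANG_MARKERS = ("hxxp", "[.]", ".]", "[.", "[:]")

IPV4 = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}"
IP_RE = re.compile(rf"^{IPV4}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


@dataclass(frozen=True)
class Indicator:
    kind: str          # "ip", "domain" or "url"
    value: str         # refanged indicator as written in the post
    host: str          # domain or IPv4 address to block or alert on
    port: int | None   # port if the post gave one, else None


def refang(token: str) -> str:
    """Undo the defanging conventions used in the thread."""
    t = re.sub(r"^hxxp(s?)://", r"http\1://", token.strip(), flags=re.IGNORECASE)
    for marker, plain in (("[.]", "."), (".]", "."), ("[.", "."), ("[:]", ":")):
        t = t.replace(marker, plain)
    return t


def classify(token: str) -> Indicator | None:
    """Refang one token and return an Indicator, or None if it is not one."""
    value = refang(token).rstrip(".,;)")
    scheme = re.match(r"^(https?)://(.*)$", value, re.IGNORECASE)
    rest = scheme.group(2) if scheme else value
    hostport, slash, _path = rest.partition("/")
    host, _, port = hostport.partition(":")   # IPv4 only; IPv6 does not occur in these posts
    host = host.lower()
    if port and not port.isdigit():
        return None
    if IP_RE.match(host):
        kind = "ip"
    elif DOMAIN_RE.match(host):
        kind = "domain"
    else:
        return None
    if scheme or slash:        # a scheme or a path makes it a URL indicator
        kind = "url"
    return Indicator(kind, value, host, int(port) if port else None)


def extract_indicators(text: str) -> list[Indicator]:
    """Scan free text and keep only the tokens that were defanged."""
    found: list[Indicator] = []
    seen: set[str] = set()
    for token in text.split():
        if not any(marker in token.lower() for marker in DEFANG_MARKERS):
            continue                      # undefanged tokens (github.com, virustotal.com) are references, not IoCs
        ind = classify(token)
        if ind and ind.value not in seen:
            seen.add(ind.value)
            found.append(ind)
    return found


def build_blocklists(indicators: list[Indicator]) -> tuple[list[str], list[str]]:
    """Return (domains for DNS blocking, ip[:port] entries for network rules)."""
    domains = sorted({i.host for i in indicators if not IP_RE.match(i.host)})
    ips = sorted({f"{i.host}:{i.port}" if i.port else i.host
                  for i in indicators if IP_RE.match(i.host)})
    return domains, ips


# Constructed sample post in the style of the thread (example.test names, RFC 5737 addresses).
SAMPLE_POST = """\
4. Downloading the first stage from:

files.example.]test/code.bin (virustotal.com/gui/file/...)

Distribution URL: hxxps://share-42.example.]test/file/abc?x=1

6. Communicating with C2 at:
192.0.2.]10:9769
203.0.113[.]7
c2.example[.]test
"""

if __name__ == "__main__":
    inds = extract_indicators(SAMPLE_POST)
    for ind in inds:
        print(f"{ind.kind:6} {ind.host:24} port={ind.port}")
    dns_block, net_block = build_blocklists(inds)
    print("DNS blocklist:", dns_block)
    print("Network rules:", net_block)
```

The marker-only rule is deliberate: refanging every domain-shaped token would pull the author's sandbox and repository links into the blocklist. Keep the `value` field alongside `host` so analysts can still see the full URL (path and query) that was distributed, even though blocking happens at the host level.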