Cyb3rhawk
cyb3rhawk.bsky.social
Cyb3rhawk leads a threat hunting team. Interested in DE&TH, threat intel and DFIR. Always striving to make the daily grind of SOC analysts a breeze. Always eager to learn from others and look out for new ways to streamline what I learn.
As recent SharePoint exploits settled a bit, I wanted to analyze payload variants to understand why attackers made specific choices. ASPX for quick access, DLLs for persistence, and IIS modules for blending in.
August 21, 2025 at 2:19 AM
(urlscan: page.url:http://bitbucket.org task.url:http://blogspot.com)
Hunt:
Who runs netsh + context?
How often is Set-MpPreference used?
Who creates exclusions, and when?
April 28, 2025 at 8:40 PM
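The three hunting questions above, turned into a small triage script. This is an added example, not code from the original post: it runs over constructed process-creation events (the field names mirror what a Sysmon Event ID 1 or Windows 4688 export carries; the users, paths and times are made up) and reports who ran netsh and from what parent, how often the Defender preference cmdlets were invoked per user, and which user created which exclusion, when, and from what parent process. It also counts Add-MpPreference alongside Set-MpPreference, since Add-MpPreference appends exclusions and a hunt keyed only on Set-MpPreference misses it.

```python
import re
from collections import Counter

# Constructed sample process-creation events (made up for this example).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"time": "2025-04-28T08:01:10Z", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh advfirewall set allprofiles state off",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"time": "2025-04-28T09:15:42Z", "user": r"CORP\itadmin",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh interface ip show config",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"time": "2025-04-28T08:01:15Z", "user": r"CORP\jdoe", "image": PS,
     "command_line": r"powershell.exe -Command Set-MpPreference -ExclusionPath 'C:\Users\jdoe\AppData\Local\Temp'",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"time": "2025-04-28T08:01:20Z", "user": r"CORP\jdoe", "image": PS,
     "command_line": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"time": "2025-04-28T12:00:00Z", "user": r"NT AUTHORITY\SYSTEM", "image": PS,
     "command_line": "powershell.exe -Command Add-MpPreference -ExclusionProcess svc.exe",
     "parent_image": r"C:\Windows\CCM\CcmExec.exe"},
    {"time": "2025-04-28T13:30:00Z", "user": r"CORP\itadmin", "image": PS,
     "command_line": "powershell.exe -Command Get-MpPreference",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

# Set-MpPreference replaces settings; Add-MpPreference appends exclusions. Hunt both.
MPPREF_RE = re.compile(r"\b(Set|Add)-MpPreference\b", re.I)
# Exclusion kinds match the post: paths, extensions, processes. Value may be quoted.
EXCLUSION_RE = re.compile(
    r'''-Exclusion(Path|Extension|Process)\s+(?:"([^"]*)"|'([^']*)'|(\S+))''', re.I)
FIREWALL_OFF_RE = re.compile(r"advfirewall\s+set\s+\w+\s+state\s+off", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def netsh_context(events):
    """Who runs netsh, from which parent process, and did the call disable the firewall?"""
    out = []
    for e in events:
        if _basename(e["image"]) != "netsh.exe":
            continue
        out.append({
            "time": e["time"], "user": e["user"],
            "parent": _basename(e["parent_image"]),
            "command_line": e["command_line"],
            "firewall_off": bool(FIREWALL_OFF_RE.search(e["command_line"])),
        })
    return out


def mppreference_by_user(events):
    """How often Set-/Add-MpPreference is invoked, counted per user (a baseline for the hunt)."""
    counts = Counter()
    for e in events:
        if MPPREF_RE.search(e["command_line"]):
            counts[e["user"]] += 1
    return counts


def exclusion_events(events):
    """Who creates Defender exclusions, of which kind, with what value, when, and from what parent."""
    out = []
    for e in events:
        for m in EXCLUSION_RE.finditer(e["command_line"]):
            out.append({
                "time": e["time"], "user": e["user"],
                "parent": _basename(e["parent_image"]),
                "kind": m.group(1).capitalize(),
                "value": m.group(2) or m.group(3) or m.group(4),
            })
    return sorted(out, key=lambda r: r["time"])


if __name__ == "__main__":
    for row in netsh_context(SAMPLE_EVENTS):
        print("netsh:", row)
    print("MpPreference per user:", dict(mppreference_by_user(SAMPLE_EVENTS)))
    for row in exclusion_events(SAMPLE_EVENTS):
        print("exclusion:", row)
```

The parent-process column is what turns a hit into context: a netsh firewall change or an exclusion added from cmd.exe or wscript.exe under an interactive user reads very differently from Add-MpPreference run as SYSTEM under an endpoint-management agent, and the per-user counts give the baseline against which a first-time use stands out.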
Key TTPs:
AMSI bypass (reflection, AMSIReaper, NukeAMSI)
COM hijacking for persistence
Defender exclusions (paths/exts/procs)
UAC bypass (EnableLUA)
Firewall off (netsh)
Set-MpPreference abuse
C2: Blogspot → bitbucket redirects
April 28, 2025 at 8:40 PM
Credential sellers: DaisyCloud (also sells RedLine stealer logs), moderdolboeb, m3g4
Distribution Locations: https://t[.]me/+seHLUhOHbVhMDM0, breachforums, cracking[.]org, hard-tm[.]su, nohide[.]space, darknetarmy[.]com, niflheim[.]world, nulledbb[.]com.
April 25, 2025 at 7:05 AM
We will end with the Hunting Hypothesis using A.P.E.X (lnkd.in/gJ9BmStA) and Adversary infrastructure queries to discover Lumma panels, C2s, etc.

Telegram distribution via t[.]me/hitbase, t[.]me/sharmamod disguised as IPTV or Netflix access.
A.P.E.X: Threat Hunting Through Structured Hypothesis Generation (lnkd.in)
Our latest report on Hunters International ransomware provides several hypotheses you can implement in your environment. We want to reiterate the importance of integrating environmental context with t...
April 25, 2025 at 7:04 AM
45.89.196.11
37.27.63.3
45.89.196.115 (reported in the past)

Will blog on more details.
February 1, 2025 at 3:07 AM
4) hxxp://45.89.196[.]115/core/sendPart - C2
Adversary Infra:

37.27.63.3:443 (kyfjlijv[.]ru) -
84.200.154.182 (not detected by VT yet)
smkuksool[.]com
2a01:4f9:3081:3098:0:0:0:2
services.ssh.server_host_key.fingerprint_sha256: 92709a98601c28a87fa307e63ae8bc60f870c6b9533a2d50bdb2c16fda205c37
February 1, 2025 at 3:07 AM
IP:
1) 45.89.196[.]115 - C2 and stealer panel
2) 104.22.0[.]232 - cutt[.]ly (Cloudflare)
1) hxxps://cutt[.]ly/guessintegrates - (initial URL)
2) hxxps://kyfjlijv[.]ru/guessintegrates.bat (Initial stage BAT file generated with Kodiac and zip file)
3) hxxp://45.89.196[.]115/core/createSession - C2
February 1, 2025 at 3:06 AM
February 1, 2025 at 3:05 AM
Required Actions:
- Update systems to version 10.2.1.14-75sv or higher
- Review and implement geographic access controls
- Enable multi-factor authentication for all users
- Scan appliance for unauthorized web shells
- Check for connections originating from the appliance
December 11, 2024 at 6:18 AM
IP addresses from:
- United States
- The Netherlands
- Russia
ASN providers:
- 3xK Tech GmbH
- Namecheap, Inc.
- Comcast Cable Communications, LLC
- Additional regional ISPs
December 11, 2024 at 6:18 AM