marktsec
@marktsec.bsky.social
💫Threat Intel💫 Automation💫 Threat Analysis 💫OSINT💫 Testing 💫Network Security💫

https://github.com/marktsec
Operation Endgame - The actions targeted one of the biggest infostealers, Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium.
November 13, 2025 at 12:47 PM
Post claiming a ‘100% working EDR/XDR killer’
#ThreatIntel #InfoSec
November 9, 2025 at 11:55 AM
Matanbuchus loader now ships as shellcode (BIN), supports in-memory .NET execution and payloads from ZIPs; sideload techniques refreshed. Operators added 2FA+CAPTCHA to the C2 and claim an unprecedented “white inject” #InfoSec #threatintel
November 6, 2025 at 5:51 PM
🚨 New KATREUS Miner (Silent XMR Miner)
Advertised on underground forums with:
• Anti-kill, watchdog, persistence & injection modules
• AV evasion claims (C + ASM)
• Targets Windows 8.1 → Server 2025
• Seller offering only 5 “licenses”
#ThreatIntel #Cryptomining #InfoSec
November 1, 2025 at 6:03 PM
Nova ransomware is seeking:
1. Girls as phone voice callers to call CEOs / AI voice-spoofers.
2. Social-media “black ad” operators.
3. Offering a paid “Premium” panel with auto-activation via invoice.
#Nova #Ransomware #ThreatIntel #InfoSec
November 1, 2025 at 5:54 PM
BreachForums Reinstated
October 28, 2025 at 8:07 AM
Spectre RAT v10 new capabilities: autorun, VNC, DLL sideloading, clipper, keylogger, Telegram notifications, anti-VM. Hunt for unexpected autorun registry changes, anomalous DLL loads and suspicious outbound connections.
#infosec #ThreatIntel
October 24, 2025 at 6:19 AM
October 23, 2025 at 2:10 PM
🚨 Ransomware mimic pay2key v0.16.1: selling fully autonomous ransomware. Buyers control ALL encryption keys, custom affiliate programs, and guaranteed product updates. Mimic variant, evasive, and tailored for affiliates. #ransomware #infosec #threatintel
October 23, 2025 at 2:09 PM
🚨 Darkweb alert: Blockchain-powered botnets now feature encrypted smart contracts, anti-VM, autorun, and parent process ID spoofing for advanced malware delivery. No domains, no servers, no takedowns. Source code + panel available
#infosec #threatintel
October 23, 2025 at 1:31 PM
"The Gentlemen" Win/Linux/ESXi lockers major update.
Adds persistent self-restart (schtasks + registry), a silent mode that preserves filenames/timestamps, built-in network/domain spread (WMI/SC/PowerShell/etc.),
#ransomware #infosec #ThreatIntel
October 18, 2025 at 6:55 PM
⚠️ ALERT: DragonForce Ransomware announces an open partner program — no vetting, free partner services (file analysis, decryption, call service, storage) and a registration onion link in the post.
#Ransomware #ThreatIntel #infosec
October 10, 2025 at 5:40 AM
VIDAR Stealer v2.0 being promoted. Vendor claims rewrite to C (C99), custom CRT, NT-API usage, automatic morphing per build, multithreaded collection & upload, and runtime obfuscation. Potential for improved stealth and faster exfil.
#ThreatIntel #infosec #infostealer #vidar
October 10, 2025 at 5:25 AM
NOVA “Locker WIN” update — now advanced Rust. Changes: spawns 10 workers for multi-run encryption, skips already-encrypted files, self-deletes, clears device logs, drops .me ransom note, and claims to bypass AI-security endpoints.
#ransomware #threatintel #infosec
October 4, 2025 at 8:30 AM
AresLoader, a resident Windows loader advertised on darknet. Written in C; uses HTTPS + JWT, runs EXE payloads, Flask admin with IP whitelist, 2FA & RBAC. Targets corporate workstations/servers.
#Infosec #ThreatIntel
October 4, 2025 at 8:26 AM
APOS RaaS reports a compromised prod server (encryptors exposed; decryptors not). Victim data being verified and negotiations shifting to alternate channels. #Ransomware #ThreatIntel #infosec
October 2, 2025 at 6:19 AM
XFiles Spyware - HVNC release v4.0.0, stealer adds AI-generated personal proxies/frontends, pricier = lower AV detection, proxy guide, option for private gateway, and a TG-bot for file encryption (no support). #threatintel #infosec #DarkWeb
October 1, 2025 at 9:20 AM
mimic_v2.0 post advertises multi-OS ransomware (Windows/Server/ESXi/NAS), X25519+ChaCha20, watchdog persistence, offline operation, partial randomized-chunk encryption + free-space wiper. #threatintel #infosec #DarkWeb #ransomware
October 1, 2025 at 9:16 AM
The exploit, demonstrated in a proof-of-concept (PoC) shared by the DarkNavyOrg researchers, is initiated by sending a specially crafted malicious (DNG) image file to a victim’s WhatsApp account.
September 30, 2025 at 2:36 PM
September 28, 2025 at 4:04 PM
Observed a darknet ad for "VIPER Android RAT".
Claims: remote unlock, VNC control, keylogging, OTP/SMS interception, wallet address swaps, live audio/video, persistence & anti-analysis.
#ThreatIntel #infosec
September 28, 2025 at 4:04 PM
🚨 New MonsterV2 update spotted.
Key notes from dev:
🔓 Experimental app-bound decryption for Chromium browsers (no admin) now working.
🧩 Cookie decryption bugs fixed.
🛠️ Panel optimizations + cache clear/restart feature.
#ThreatIntel #Infostealer #infosec
September 22, 2025 at 8:54 AM
🚨 New Aura Stealer update spotted
Key changes:
EN/RU panel toggle
"Human Check" to avoid sandboxes/honeypots
WPAD (auto-proxy) support → enables exfiltration from corp networks behind proxy configs
#ThreatIntel #infosec
September 19, 2025 at 2:29 PM
🚨 #ThreatIntel: Operators of #Lumma Stealer warn that their former contacts (@lummanowork / @lummaseller128) are no longer valid — accounts deleted & usernames hijacked.
#infosec
September 18, 2025 at 7:07 AM
🚨A new service called RCS Clipper BotNet is being sold. Malware that swaps crypto wallets & bank details on the fly.
🔑 Features:
Clipboard hijacking via regex
Blockchain-based C2 for resilience
Unlimited .exe builder
TOX-only sales
#infosec #ThreatIntel #DarkWeb
September 17, 2025 at 6:32 AM