ThreatCat.ch
@threatcat-ch.bsky.social
ThreatCat.ch was founded in autumn 2022 and consists of a bunch of experienced Cyber Threat Analysts and Incident Responders who have been working together for many years.
@sekoia.io published a nice blog post about BSC blog.sekoia.io/clearfakes-n...
@threatcat-ch.bsky.social is tracking BSC as well, and we share the information we gather on Threatfox/Bazaar @abuse_ch@ioc.exchange
Most of the delivered payloads led to Rhadamanthys instead of Lumma in the last few days.
ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery
ClearFake spreads malware via compromised websites, using fake CAPTCHAs, JavaScript injections, and drive-by downloads.
March 19, 2025 at 12:21 PM
This #Magecart smart contract got updated recently and is now pointing to keritysuc[.]xyz
Quoting ThreatCat.ch, February 28, 2025 at 4:21 PM: #etherhiding (hiding malicious code in blockchain based smart contracts) is not only used by #ClearFake related actors – but now also for #Magecart 👇
March 16, 2025 at 3:11 PM
Reposted by ThreatCat.ch
Today, I'm releasing the first version of a small web 🚀: rosti.bin.re

It provides IOCs and YARA rules collected semi-automatically from public blog posts and reports of almost 200 cybersecurity sites.

I hope it proves useful to some of you ... 🙏✨ #CyberSecurity #ThreatIntel
January 30, 2025 at 2:16 PM
#ClearFake / #ClickFix is back infecting directly legit but vulnerable websites, delivering in the end #Lumma / #LummaStealer
January 6, 2025 at 8:51 PM
#Lumma #Stealer #Malware spreading via malvertising impersonating Google Chrome - check all connections to 46.202.155[.]128 (chrome.downloading.com[.]de & filenjjutre[.]online)
December 18, 2024 at 11:29 PM
New #SocGholish domain and injections - directly as SCRIPT but without async attribute + as base64 encoded URL:
October 30, 2024 at 10:06 AM
In other news, we contributed to Threatfox a few #Boolka domains and IPs, including new IOCs involving softbyms[.]com
threatfox.abuse.ch/browse/tag/B...
ThreatFox - Tag Boolka
Hunt for IOCs tagged with tag 'Boolka'
September 30, 2024 at 2:30 PM
While investigating some odd web redirects, we stumbled upon awards2tools[.]shop, which seems to systematically redirect visitors to trk.adtrk21[.]com, then into Vextrio related domains. The injection of the initial hop on awards2tools[.]shop varies – here are a few examples:
September 30, 2024 at 2:28 PM
New Swiss centered malware campaign in German using some #ClearFake / #ClickFix tricks impersonating Ricardo, one of the biggest Swiss online second-hand marketplaces:
September 26, 2024 at 5:38 AM
Finally we also witnessed in the wild one of those #ClearFake / #ClickFix baits delivered via email as reported by Proofpoint in June - ending with a #brutel / #Latrodectus / #BruteRatel payload www.proofpoint.com/au/blog/thre...
From Clipboard to Compromise: A PowerShell Self-Pwn | Proofpoint AU
Key findings: Proofpoint researchers identified an increasingly popular technique leveraging unique social engineering to run PowerShell and install malware. Researchers observed TA571 and the Clea...
September 24, 2024 at 3:24 AM
#ClearFake related contract 0xa6165aa33ac710ad5dcd4f4d6379466825476fde was updated recently and points now to daslkjfhi2[.]lol, displaying a new type of lure to visitors:
July 12, 2024 at 3:24 PM
We're proud to be a Quad9 partner, helping make the Internet a safer place!
June 19, 2024 at 8:35 AM
#ClearFake updated the TDS in contract 0x34585777843Abb908a1C5FbD6F3f620bC56874AA 3 times today:
v7yen47u2e[.]xyz
cv2b8uz46e[.]xyz
b9y3b7ner2[.]xyz (currently used)

The last round of updates on this contract was on May 30th - also with 3 different domains.
June 8, 2024 at 6:41 PM
We have a batch of new #SocGholish related domains, e.g.
memoryloader[.]com
progressivewebappsdev[.]com
webapidevelopment[.]com
June 5, 2024 at 12:39 PM
A few words about what appears to be a new #SocGholish related TDS: cdn-serveq[.]net currently hosted on 147.78.47[.]83 (ASN209588 FLYSERVERS) can be found on infosec.exchange/@threatcat_c...
March 25, 2024 at 1:34 PM
New #SocGholish related chain: infected website references via script tag funcallback[.]com redirecting further to stake.libertariancounterpoint[.]com
February 24, 2024 at 2:06 PM
Found for the first time in a while a new FakeUpdate (ndsj) #SocGholish related TDS - absolutecache[.]com hosted on 154.29.75[.]236.
February 16, 2024 at 3:32 PM
New #SocGholish TDS iredelltx[.]com, injected by a SCRIPT async tag on the victim's homepage, was a fun find as it is located in an unusual network 😼

threatfox.abuse.ch/ioc/1232252/
January 19, 2024 at 8:41 PM
urlscan.io has tons of really cool features - search, for example, by page hash to find other similar SocGholish TDS! If you're lucky, you might even identify infected legit websites referencing such TDS.
December 25, 2023 at 8:43 PM
We published a new blog post about a malware sample with an encrypted payload using an interesting technique: threatcat.ch/blog/encrypt...
December 7, 2023 at 3:39 PM
And now it's the turn of the ClearFake TDS domains to move away from AS203493 YACOLO and go to AS49505 - SELECTEL (RU) - e.g. overnight for excellentpatterns[.]com - 185.192.111[.]202 or right now, a fresh new ClearFake TDS 185.192.111[.]198 - alicortech[.]com
November 28, 2023 at 9:24 AM
#KeitaroTDS domains finally moved from AS216419 Matrix Telecom to various other IPs / networks, such as:
November 27, 2023 at 8:11 PM
New #SocGholish ndsj / ndsx TDS on googlecloudns[.]com with what appears to be a new JS obfuscation leading to well known code...
November 21, 2023 at 8:26 PM
#clearfake changed the contract used to deliver the TDS URL: bscscan.com/address/0x10...
November 6, 2023 at 7:49 AM