Author | Lightnews

Reposted by crep1x

Sekoia.io @sekoia.io · Jun 11

📝 Our latest #TDR report delivers an in-depth analysis of Adversary-in-the-Middle (#AitM) #phishing threats - targeting Microsoft 365 and Google accounts - and their ecosystem.

This report shares actionable intelligence to help analysts detect and investigate AitM phishing.

1 7 10

crep1x @crep1x.bsky.social · Apr 16

As usual, we share multiple IoCs and YARA rules in our blog post and on our community GitHub: github.com/SEKOIA-IO/Co...

Community/IOCs/Interlock at main · SEKOIA-IO/Community

Welcome to the SEKOIA.IO Community repository! . Contribute to SEKOIA-IO/Community development by creating an account on GitHub.

github.com

crep1x @crep1x.bsky.social · Apr 16

By the way, Microsoft Threat Intelligence published an analysis yesterday on the same infection chain leveraging new PowerShell loader/backdoor (without associating it with Interlock?)

www.microsoft.com/en-us/securi...

Threat actors misuse Node.js to deliver malware and other malicious payloads | Microsoft Security Blog

Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information...

www.microsoft.com

1

crep1x @crep1x.bsky.social · Apr 16

Check out our new blog post by the TDR team, presenting the latest TTPs used by the #Interlock ransomware group!

It includes their use of the ClickFix tactic, PyInstaller, Node.js, Cloudflare Tunnels, and new PowerShell loader/backdoor ⬇️

bsky.app/profile/seko...

✍️ @kseznec.bsky.social

1 2

Reposted by crep1x

Sekoia.io @sekoia.io · Apr 16

Since the apparition of the #Interlock ransomware, the Sekoia #TDR team observed its operators evolving, improving their toolset (#LummaStealer and #BerserkStealer), and leveraging new techniques such as #ClickFix to deploy the ransomware payload.

blog.sekoia.io/interlock-ra...

5 2

crep1x @crep1x.bsky.social · Mar 24

Current decoy pages used since 18 March, changing every 3/4 weeks since the beginning of 2025:

urlscan.io/search/#page...

Search - urlscan.io

urlscan.io - Website scanner for suspicious and malicious URLs

urlscan.io

crep1x @crep1x.bsky.social · Mar 24

Tycoon 2FA (a prominent AitM phishing kit), targeting Microsoft and Google accounts, uses a new CAPTCHA page instead of the custom Cloudflare Turnstile page

e.g.
hxxps://ymi.bvyunz.]ru/3v4jfQ-cUo/
hxxps://xau.kolivax.]ru/ckYHFJN/
hxxps://ffqt.lzirleg.]es/VajlR/

⬇️

1 1 2

crep1x @crep1x.bsky.social · Mar 20

CTI tip: monitor transactions from the Ethereum address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA to identify new PowerShell commands distributed by ClearFake - and block/detect any traffic to malicious domains!

As usual, feedback is greatly appreciated!

1 2

crep1x @crep1x.bsky.social · Mar 20

Here is our in-depth analysis of the latest #ClearFake variant using the Binance Smart Chain and two new ClickFix lures.

ClearFake is injected into thousands of compromised sites to distribute the #Emmental Loader, #Lumma, #Rhadamanthys, and #Vidar.

⬇️

bsky.app/profile/seko...

Sekoia.io @sekoia.io · Mar 19

TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic.

buff.ly/vbiVbsN

ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery

ClearFake spreads malware via compromised websites, using fake CAPTCHAs, JavaScript injections, and drive-by downloads.

blog.sekoia.io

1 1 4

Reposted by crep1x

Sekoia.io @sekoia.io · Mar 19

TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic.

buff.ly/vbiVbsN

ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery

ClearFake spreads malware via compromised websites, using fake CAPTCHAs, JavaScript injections, and drive-by downloads.

blog.sekoia.io

1 3 5

crep1x @crep1x.bsky.social · Mar 6

5. Further downloading and executing Rhadamanthys from:

bytes.microstorage.]shop/code.bin (virustotal.com/gui/file/a88...)

6. Communicating with C2 at:

91.240.118.]2:9769

Public analysis of the recent ClearFake variant: security.szustak.pl/etherhide/et...

VirusTotal

virustotal.com

crep1x @crep1x.bsky.social · Mar 6

3. Malicious PowerShell command is copied into the user's clipboard data to be executed in the Run dialog box

4. Downloading Emmenhtal from:

bytes.microstorage.]shop (1st stage)
w66.discoverconicalcrouton.]shop (2nd stage)

⬇️

VirusTotal

virustotal.com

1

crep1x @crep1x.bsky.social · Mar 6

#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.

cc @plebourhis.bsky.social @sekoia.io

1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding

2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic

⬇️

2 2 3

crep1x @crep1x.bsky.social · Jan 24

This is not planned at the moment! 😅

1

crep1x @crep1x.bsky.social · Jan 22

For those who did not monitor the supply chain attack against Chrome extensions in December 2024, our article provides an overview of:

- the targeted phishing attack against extension developers
- malicious code
- the adversary's infrastructure

⬇️

bsky.app/profile/seko...

Sekoia.io @sekoia.io · Jan 22

TDR analysts analysed the supply chain attack targeting Chrome browser extensions, which potentially affected hundreds of thousands of end users in December 2024.

https://buff.ly/4auQ0HN

3 3

Reposted by crep1x

Sekoia.io @sekoia.io · Jan 22

TDR analysts analysed the supply chain attack targeting Chrome browser extensions, which potentially affected hundreds of thousands of end users in December 2024.

https://buff.ly/4auQ0HN

1 4 8

crep1x @crep1x.bsky.social · Jan 20

Full domain list:

gist.githubusercontent.com/qbourgue/071...

Distribution URLs:
hxxps://reddit-15.gmvr.]org/topic/inxcuh?engine=opentext+encase+forensic
hxxps://wettransfer80.tynd.]org/file/abbstd

Lumma Stealer C2:
weighcobbweo.]top

Triage analysis:
tria.ge/250120-vzdzz...

gist.githubusercontent.com

crep1x @crep1x.bsky.social · Jan 20

Around 1,000 malicious domains are hosting webpages impersonating Reddit and WeTransfer, redirecting users to download password-protected archives

These archives contain an AutoIT dropper, we internally named #SelfAU3 Dropper at @sekoia.io, which executes #Lumma Stealer

IoCs ⬇️

2 6 9

crep1x @crep1x.bsky.social · Jan 16

We confirm that the WikiKit phishing pages correspond to those of the Sneaky Log service, which we chose to name Sneaky 2FA!

crep1x @crep1x.bsky.social · Jan 16

In late December 2024, TRACLabs analysed a Sneaky 2FA phishing campaign and dubbed the kit "WikiKit".

Meanwhile, we investigated another campaign that led to the discovery of Sneaky 2FA code, as well as the Telegram bot advertising and selling it.

1

crep1x @crep1x.bsky.social · Jan 16

Our last article exposes the new AiTM phishing kit Sneaky 2FA, sold by the cybercrime service "Sneaky Log"!

We provide an in-depth analysis of the phishing pages, the associated service, detection opportunities and multiple IoCs.

⬇️

bsky.app/profile/seko...

Sekoia.io @sekoia.io · Jan 16

🔍 TDR analysts discovered a new Adversary-in-the-Middle (#AiTM) #phishing kit, specifically targeting Microsoft 365 accounts and circumventing 2-step verification: Sneaky 2FA

https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/

#detection #sneaky2fa

Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service

In this blog post, learn about Sneaky 2FA, a new Adversary-in-the-Middle (AiTM) phishing kit targeting Microsoft 365 accounts.

blog.sekoia.io

1 1 6

crep1x @crep1x.bsky.social · Jan 8

hxxps://steamcommunity.]com/profiles/76561199816275252

Some active C2s:
wltk03.]sbs
95.217.25.]164
94.130.191.]182
quils.]live
grutt.]click
116.203.13.]109
37.27.214.]36

Find more #Vidar IoCs on ThreatFox:
threatfox.abuse.ch/browse/malwa...

ThreatFox - Vidar

Hunt for Vidar IOCs on ThreatFox

threatfox.abuse.ch

crep1x @crep1x.bsky.social · Jan 8

Recent update in #Vidar C2 servers configuration:
HTTP Location header set to "hxxps://t.]me", instead of "hxxps://google.]com"

Heuristic to track C2 IPs and domains on Censys:
search.censys.io/search?resou...

Dead Drop Resolvers (DDR) of the week:
hxxps://t.]me/no111p

⬇️

1 3

Reposted by crep1x

Nicolas Caproni @caproni.fr · Dec 4

🦝 The new episode of @intel471.bsky.social "Cybercrime Exposed" podcast produced by @jkirk.bsky.social tells the story of #Raccoon Stealer and, more broadly, reveals how the #infostealer ecosystem operates.

Featuring @crep1x.bsky.social from @sekoia.io!

intel471.com/resources/po...

Cybercrime Exposed Podcast: Raccoon Stealer

Intel 471 empowers cybersecurity teams worldwide to be proactive with its TITAN platform and comprehensive coverage into the criminal underground.

intel471.com

2 4