𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲
@netresec.infosec.exchange.ap.brid.gy
Experts in Network Forensics and Network Security Monitoring. Creators of #NetworkMiner, #CapLoader, #PolarProxy and #RawCap.

#PCAP or it didn't happen!

🌉 bridged from ⁂ https://infosec.exchange/@netresec, follow @ap.brid.gy to interact
Monitoring for too many old indicators not only costs money, it can even inhibit detection of real intrusions.
📆 Include "last seen" date when publishing IOCs
❌ Prune old IOCs
📜 Prioritize long lived IOCs over short lived ones

https://netresec.com/?b=25Be9dd

#threatintel
@netresec
netresec.com
November 6, 2025 at 12:29 PM
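The three practices in the post above (publish a "last seen" date, prune old IOCs, prioritize long-lived ones) can be applied mechanically to an indicator feed. The following is an added example written for this page, not code from Netresec or from the linked blog post; the `Ioc` record, the 90-day default and the sample indicators (RFC 5737 documentation addresses and an `.example` domain) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List


@dataclass(frozen=True)
class Ioc:
    """One indicator together with the dates it was observed in use."""
    value: str        # the indicator itself (IP, domain, hash, ...)
    kind: str         # "ip", "domain", "md5", ...
    first_seen: date  # first observation of the indicator in use
    last_seen: date   # most recent observation; the field consumers need for pruning

    @property
    def lifetime_days(self) -> int:
        """How long the indicator has stayed in use; long-lived = worth monitoring."""
        return (self.last_seen - self.first_seen).days


def prune_stale(iocs: Iterable[Ioc], today: date, max_age_days: int = 90) -> List[Ioc]:
    """Drop indicators that have not been seen within max_age_days of `today`."""
    cutoff = today - timedelta(days=max_age_days)
    return [ioc for ioc in iocs if ioc.last_seen >= cutoff]


def rank_by_longevity(iocs: Iterable[Ioc]) -> List[Ioc]:
    """Longest-lived first; ties broken by the most recent last_seen date."""
    return sorted(iocs, key=lambda ioc: (ioc.lifetime_days, ioc.last_seen), reverse=True)


def feed_lines(iocs: Iterable[Ioc]) -> List[str]:
    """CSV-style lines for publication; last_seen is included so consumers can prune."""
    return [
        f"{i.kind},{i.value},{i.first_seen.isoformat()},{i.last_seen.isoformat()}"
        for i in iocs
    ]


def curated_feed(iocs: Iterable[Ioc], today: date, max_age_days: int = 90) -> List[str]:
    """Prune, then rank, then format: the post's three steps in one pass."""
    return feed_lines(rank_by_longevity(prune_stale(iocs, today, max_age_days)))


# Constructed sample data (RFC 5737 documentation addresses, reserved example
# domain); these are not indicators taken from the post.
SAMPLE_IOCS = [
    Ioc("192.0.2.10", "ip", date(2025, 1, 15), date(2025, 11, 1)),
    Ioc("198.51.100.7", "ip", date(2025, 10, 20), date(2025, 10, 22)),
    Ioc("203.0.113.99", "ip", date(2024, 3, 1), date(2024, 6, 30)),
    Ioc("malware.example", "domain", date(2025, 6, 1), date(2025, 9, 15)),
]
TODAY = date(2025, 11, 6)  # assumed "now" for the sample run

if __name__ == "__main__":
    for line in curated_feed(SAMPLE_IOCS, TODAY):
        print(line)
```

With the sample data the 2024 indicator is dropped by the 90-day cutoff, and the remaining three are emitted with the 290-day-old IP first and the two-day-old IP last, so a detection pipeline that can only afford a fixed number of rules takes the top of the list.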
New network forensics training scheduled!
📅 February 23-26, 2026
⏲️ 13:00 to 17:00 CET (7am to 11am EDT)
🌍 Live online
https://netresec.com/?b=25A2e4f

#dfir #training
@netresec
netresec.com
October 20, 2025 at 4:20 PM
The technical detail in this PureRAT analysis by Heejae Hwang (황희재) is fantastic! The analyzed #purerat sample looks very similar to the one James Northey recently blogged about for @huntress. It even uses the same C2 server 157.66.26.209:56001.
October 16, 2025 at 9:44 AM
The use of TLS is pretty much mandatory for HTTP/2, yet this #nezha backdoor POSTS HTTP/2 data over TCP port 80 without encryption!
🔥 172.245.52[.]169:80
🔥 c.mid[.]al:80
https://tria.ge/251009-j26bgacj7s
https://app.any.run/tasks/952bf595-caf6-4445-b302-513295214e76
October 9, 2025 at 8:48 AM
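Unencrypted HTTP/2 is easy to spot on the wire because every client connection opens with the fixed preface "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" followed by a SETTINGS frame (RFC 7540 section 3.5), which would be hidden inside TLS on a normal HTTP/2 connection. The following is an added example for this page, not code from Netresec or from any of the linked sandbox reports; the flow dictionaries and the RFC 5737 sample addresses are constructed assumptions. Prior-knowledge h2c is legitimately used by some internal gRPC and reverse-proxy deployments, so a hit is a triage signal to check against the destination, not a verdict by itself.

```python
from typing import Dict, List

# Client connection preface (RFC 7540 section 3.5): first bytes on every HTTP/2
# connection; the client must follow it with a SETTINGS frame on stream 0.
H2_CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
H2_FRAME_HEADER_LEN = 9          # 3-byte length, 1-byte type, 1-byte flags, 4-byte stream id
H2_SETTINGS_TYPE = 0x04
HTTP1_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_client_bytes(payload: bytes) -> str:
    """Label the first bytes a client sent on a TCP stream."""
    if payload.startswith(H2_CLIENT_PREFACE):
        frame = payload[len(H2_CLIENT_PREFACE):]
        if len(frame) < H2_FRAME_HEADER_LEN:
            return "h2c-preface-only"        # preface seen, SETTINGS not captured yet
        frame_type = frame[3]
        stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF  # top bit is reserved
        if frame_type == H2_SETTINGS_TYPE and stream_id == 0:
            return "h2c"                     # well-formed cleartext HTTP/2 start
        return "h2c-malformed"
    if payload[:3] == b"\x16\x03\x01":       # TLS record: handshake type, record version 3.1
        return "tls"
    if payload.startswith(HTTP1_METHODS):
        return "http1"
    return "unknown"


def find_cleartext_h2(flows: List[Dict]) -> List[str]:
    """One alert line per flow whose client bytes start an unencrypted HTTP/2 session."""
    alerts = []
    for flow in flows:
        label = classify_client_bytes(flow["client_bytes"])
        if label.startswith("h2c"):
            alerts.append(
                f"cleartext HTTP/2 ({label}) {flow['src']} -> {flow['dst']}:{flow['dport']}"
            )
    return alerts


# Constructed sample flows (RFC 5737 addresses), not captures from the post.
# An empty SETTINGS frame is 9 bytes: length=0, type=0x04, flags=0, stream=0.
EMPTY_SETTINGS_FRAME = b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 80,
     "client_bytes": H2_CLIENT_PREFACE + EMPTY_SETTINGS_FRAME},
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443,
     "client_bytes": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
    {"src": "192.0.2.11", "dst": "198.51.100.6", "dport": 80,
     "client_bytes": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
]

if __name__ == "__main__":
    for alert in find_cleartext_h2(SAMPLE_FLOWS):
        print(alert)
```

Only the first sample flow is flagged: the TLS ClientHello on 443 and the HTTP/1.1 request on 80 are classified as "tls" and "http1". Checking that the SETTINGS frame really follows the preface on stream 0 avoids matching on a bare string that could appear inside some other payload.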
Gh0stKCP is a C2 transport protocol based on KCP. It has been used by malware families such as #pseudomanuscrypt and #valleyrat.
https://netresec.com/?b=259a5af
@netresec
netresec.com
September 24, 2025 at 12:05 PM
Google’s report on #unc6384 lists this certificate as being used in C2 comms by Sogu (#plugx variant):
eca96bd74fb6b22848751e254b6dc9b8e2721f96

Here’s an @anyrun_app execution, of AdobePlugins.​exe on May 19, which runs CANONSTAGER as well as SOGU.​SEC […]

[Original post on infosec.exchange]
August 27, 2025 at 7:36 AM
Google’s report on #unc6384 lists this certificate as being used in C2 comms by Sogu (#plugx variant):
eca96bd74fb6b22848751e254b6dc9b8e2721f96

Here’s a sandbox execution, of AdobePlugins.​exe on May 19, which runs CANONSTAGER as well as SOGU.​SEC […]

[Original post on infosec.exchange]
August 27, 2025 at 7:34 AM
Detecting #xenorat C2 connections using example traffic from known malware sample.
🔥 e0b465d3bd1ec5e95aee016951d55640
🔥 5ab23ac79ede02166d6f5013d89738f9
📡 Huy1612-24727.portmap[.]io:24727
📡 193.161.193.99:24727
📡 147.185.221.30:54661
https://netresec.com/?b=258f641
@netresec
netresec.com
August 21, 2025 at 1:34 PM
>PureRAT is the exact same malware as what Morphisec and others call ResolverRAT. PureHVNC, on the other hand, is the predecessor to PureRAT.
IOCs:
👾 193.26.115.125:8883
👾 purebase.ddns[.]net:8883
👾 45.74.10.38:56001
👾 139.99.83.25:56001
https://netresec.com/?b=2589522
@netresec
netresec.com
August 12, 2025 at 3:48 PM
The Secure AI conference is held in Stockholm on September 23-24.

> We bring together a community of practitioners, researchers, public sector leaders, and industry experts who understand that security is not an afterthought—it’s a prerequisite. And without trust and security the AI adoption […]
Original post on infosec.exchange
infosec.exchange
August 11, 2025 at 7:25 PM
UPDATE: Turns out the whole /wp-admin/js/ directory on Västkupan's website allows directory listing. Among the files in that directory is "New PO 102456688.exe", which drops #purelogs.
🔥 MD5: b2647b263c14226c62fe743dbff5c70a
🔥 C2: 147.124.219.201:65535
https://netresec.com/?b=257eead
July 30, 2025 at 10:02 PM
Do #purelogs Stealer and #purecrypter use the same C2 protocol, or is there some way to tell the C2 protocols apart?
C2 servers:
🔥 45.141.233.100:7708
🔥 144.172.91.74:7709
🔥 62.60.235.100:9100
🔥 65.108.24.103:62050
🔥 91.92.120.102:62050
🔥 192.30.240.242:62520
July 21, 2025 at 5:17 PM
Two more #purelogs Stealer DLL files found on vastkupan[.]com. The original blog post has been updated.
https://netresec.com/?b=257eead
@netresec
netresec.com
July 16, 2025 at 8:04 PM
PureLogs Forensics
💧 Dropper connects to legitimate website
📄 A fake PDF is downloaded over HTTPS
💾 The fake PDF is decrypted to a #purelogs DLL
⚙️ InstallUtil.exe or RegAsm.exe is started.
💉 PureLogs DLL is injected into the running process
👾 PureLogs connects to C2 server

IOC List
🔥 91.92.120 […]
Original post on infosec.exchange
infosec.exchange
July 2, 2025 at 12:10 PM
CapLoader 2.0.1 Released
⚠️ IP lookup alert
🔎 Better protocol identification
🐛 Bug fixes
https://netresec.com/?b=2571527
@netresec
netresec.com
July 1, 2025 at 1:58 PM
Why does CloudFlare insist on forwarding abuse reports to hosting providers and website owners? This makes no sense if the website operators and possibly also hosting providers are the criminals you're trying to stop!
June 25, 2025 at 9:10 AM
Researchers uncover how the Facebook app used localhost STUN communication with the browser to track visited websites in Covert Web-to-App Tracking via Localhost on Android. This trick works even if the user browses in incognito mode and uses a VPN.

> The […]

[Original post on infosec.exchange]
June 11, 2025 at 6:45 AM
@netresec
netresec.com
June 9, 2025 at 2:32 PM
CapLoader 2.0 released today!
🔎 Identifies over 250 protocols in #pcap
🎨 Define protocols from example traffic
🇶 Extracts JA3, JA4 and SNI from QUIC
💻 10x faster user interface
https://netresec.com/?b=256dbbc
@netresec
netresec.com
June 2, 2025 at 3:56 PM
Thank you CISA, NCSC, @bsi et al. for publishing the advisory on Russian GRU Targeting Western Logistics Entities and Technology Companies. This list of mocking services is great for threat hunting!
#threathunting #threatintel
May 22, 2025 at 4:56 PM
DoJ, Dutch National Police and FBI have dismantled a botnet that was used to run Anyproxy and 5socks proxy networks.
https://www.theregister.com/2025/05/10/router_botnet_crashed/
May 12, 2025 at 6:19 AM
Germany’s Federal Criminal Police Office (BKA) has shut down the 'eXch' cryptocurrency exchange platform, which was used to launder stolen funds from the Bybit hack.
https://www.bleepingcomputer.com/news/security/germany-takes-down-exch-cryptocurrency-exchange-seizes-servers/
Germany takes down eXch cryptocurrency exchange, seizes servers
The Federal police in Germany (BKA) seized the server infrastructure and shut down the 'eXch' cryptocurrency exchange platform for alleged money laundering cybercrime proceeds. [...]
www.bleepingcomputer.com
May 12, 2025 at 6:09 AM