#casbaneiro #metamorfo sideloaded in ConvertXToDVD legitimate exe (masqueraded as Adobe Reader Pro)
app.any.run/tasks/ea964806…

Dear PayPal, your DMARC aggregate reports are not DMARC compliant, can somone fix it?

On the next episode of 'What's on Discord CDN' #remcos
C2:
zoonm.ddns[.]net:9001
tochukwu1122.ddns[.]net:6426
toshiba1122.ddns[.]net:6426:6426
bantubusta0816.ddns[.]net:6699
bustabantu0817.duckdns[.]org:6699
app.any.run/tasks/c795abf6…
app.any.run/tasks/16f53867…
app.any.run/tasks/13447760…

The .js file which comes as a link from Discord CDN will, after few downloads, give you #remcos
C2:
salwanazeeze.duckdns[.]org:9595,
salwanazeeze.ddns[.]net:9595
Botnet: TT COPY
app.any.run/tasks/5a324415…

Received unknown #malware via email (4 identical attachments in 1 email)
app.any.run/tasks/6d60a64e…
2nd stage on hxxps://ayendonjeans.com/Zvejhoosrg.vdf
C2: 51.75.154.192:62520
and James knows more :-)

#VBS downloader from #malspam will get #azorult
hxxp://84.38.130.165/Sakserweek.dsp
hxxp://84.38.130.165/RulxgFEDrJGXZzaD200.msi
C2: hxxp://109.248.144.132/aristo/Panel/index.php

app.any.run/tasks/6722837e…

However, the panel could have some issues

Anyone knows whats the scheme behind these fake Geek Squad purchase orders? The spam only contains the picture, but they have different subjects and are being sent from random gmail addresses.

OK, that's new for me. HTML attachment with URL encoded HTML containing embedded SVG. And the SVG has script inside .....

app.any.run/tasks/dac11f55…

#phishing email smuggles HTML page mimicking @ionos_com login, exfiltrating the credentials to
hxxps://businessmail-ionos.com/appsuite/api.php

app.any.run/tasks/613a1b79…

Dear postmasters and email systems admins.
Please reconsider your decision to send SPF failure notifications to supposed senders, because (in most cases), we did not sent those!

Seems that police in Slovakia and Portugal migrated to Gmail. Or didn't they?

#malspam 'SanMar Statement - December' brings zipped .vhdx file containing two .exe with #remcos and #AsyncRAT . Not much detections on VT (1/61)

app.any.run/tasks/46f2915c…
C2-Remcos: 37.139.128.24:2404
C2-Async: 109.206.243.198:8808

Twitter, help me out. Which software sends DMARC reports stating that there was 0 emails? And how they even know where to send the report, if there were no emails?

#malspam 'Mason Hk Group - (Billing Team)' with double attached .xll
will download #warzone RAT from
hxxps://transfer.sh/GAGHDa/whose.exe

bazaar.abuse.ch/sample/3186f04…

tria.ge/reports/221019…
C2: windnsch.freeddns[.]org:5200

bhconsulting.ie/nine-security-…

#malspam 'Comandă nouă,' with .exe attachment brings #ave_maria RAT
C2: nweke.ddnsgeek[.]com:6746
bazaar.abuse.ch/sample/5fab0d4…

And from the same actor and same staging, different malware, this time #lokibot

app.any.run/tasks/b3749440…
app.any.run/tasks/9741f819…
C2s:
http://45.133.1.20/vedoone/five/fre.php
http://45.133.1.45/sweet/five/fre.php

twitter.com/Racco42/status…

#malspam 'Rv: NUEVA ORDEN DE COMPRA 80107' with .xxe attachment (which really is rar with wsf inside) does 3 stage downloads to get ... #agenttesla
C2: smtp://mail.centraldefiltros.cl:587
app.any.run/tasks/eeec4732…

#malspam with absurdly long subject brings #ave_maria via transfer.sh

C2: xmowa.ddns[.]net:4320

app.any.run/tasks/2ec78202…