Technical Twitter of QiAnXin Technology, leading Chinese security vendor. It is operated by RedDrip Team which focuses on malware, APT and threat intelligence.

Joined April 2018
Pinned Tweet
#APT_Digital_Weapon We have categorized #IOCs, mostly #APT related, from public resources, and sample details are available on #VT. The #GitHub project will be kept updated, and we hope it helps the security community fight against malware and targeted attacks. github.com/RedDrip7/APT_Digi…
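As an added defender-side example (not RedDrip7's code or the APT_Digital_Weapon project's), a small Python extractor that turns tweets in the format used on this feed into structured IOCs, coping with the mixed defanging styles seen here ("[.]", the unbalanced "[." and hxxp). The sample tweet text and every value in it are constructed.

```python
import re

# Patterns for the artefacts seen in IOC tweets: 32-hex MD5s and defanged
# hosts/URLs written with "[.]", the unbalanced "[." seen on this feed, and hxxp(s).
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
DEFANGED_RE = re.compile(
    r"(?:hxxps?://)?"                       # defanged scheme, if any
    r"(?:[A-Za-z0-9*-]+\.)*"                # leading labels or octets
    r"[A-Za-z0-9*-]+\[\.\]?[A-Za-z0-9-]+"   # the defanged dot: "[.]" or "[."
    r"(?:\.[A-Za-z0-9-]+)*"                 # trailing labels or octets
    r"(?::\d+)?"                            # optional port
    r"(?:/\S*)?"                            # optional path and query
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def refang(token: str) -> str:
    """Undo the defanging so the indicator can be matched against telemetry."""
    token = re.sub(r"^hxxp", "http", token, flags=re.IGNORECASE)
    return token.replace("[.]", ".").replace("[.", ".")

def extract_iocs(text: str) -> dict:
    """Return ordered, de-duplicated MD5s, IPv4s, domains and URLs found in text."""
    found = {"md5": [], "ipv4": [], "domain": [], "url": []}
    found["md5"] = [h.lower() for h in MD5_RE.findall(text)]
    for match in DEFANGED_RE.finditer(text):
        live = refang(match.group(0))
        if "/" in live:                      # a path means a full URL was posted
            found["url"].append(live)
            host = re.sub(r"^https?://", "", live).split("/")[0]
        else:
            host = live
        host = host.split(":")[0]            # drop a port such as ":443"
        if IPV4_RE.match(host):
            found["ipv4"].append(host)
        else:
            found["domain"].append(host.lower())
    return {k: list(dict.fromkeys(v)) for k, v in found.items()}

# Constructed tweet text (not a real post) mixing the defanging styles above.
SAMPLE = (
    "#APT #Example VHDX -> LNK -> jse "
    "00112233445566778899aabbccddeeff (rar) FFEEDDCCBBAA99887766554433221100 (jse) "
    "www.example-domain[.]test/beacon.php?d=%username%_%computername% "
    "hxxps://cdn.example[.net/stage2/ "
    "Both C2 domains resolve to 198.51.100[.7 and 203.0.113[.]9:443"
)

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE).items():
        print(kind, values)
```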
It seems that #APT #Donot also used .ACCDR files for initial access. Executed code is similar to previous samples. 0ecfdece9402c4f8732a4581baf4a927 3c0f8dc931cdc76c9d101b41c258a4dc mtsspk[.net hxxps://mtsspk[.net/TrDGjfgtxkdl3Pl47enr/
Replying to @RedDrip7
Related 7c5116f2412ebcbce7ab99ccfbb2a21a 79ca03e5f149f6cddfbc92262d3f6da9 officesite.onrender[.]com 8b9a7fec4bbb53bb7f9b8c673fd4ab52 mnjkuilhgftrew.baiduwebhost[.]com
#APT #Bitter ACCDR downloads DLL and uses fsquirt.exe to side-load it -> DLL uses bitsadmin to download EXE -> EXE executes shellcode in a unique way 27f68bcaec9d2085f8804021da8ab70c 0dc4e8723e7860aeaf420cd644c8b1db e25095de50ef896946466f7f5dd47f1a bravojacksonmentor[.com
#APT #Bitter 776302eeef68e4d5132424de18976845 4b381a89dc0f3fd44286410d7c826073 grandinaspectrum[.com www.grandinaspectrum[.com/hgdtfjgtyf.php?d=%username%_%computername%
#APT #Patchwork #Spyder added codes to detect running environment. 3f4221dacc105466932db94b9b210b84 hxxp://cloudwindowapps[.com/enclose-pdf
#APT #OceanLotus sample created in 2025 was uploaded to VT last month. DLL decrypts and executes shellcode in memory. C2 seems to be inactive now. 8c13ce3a5f579a4fb4d25222412b775a 152.32.144[.]5:443
#APT #Patchwork 2d31067df7ccbcd6eaef1025098ed928 (dll) sandtribes[.org Similar to previous samples
13 Oct 2025
#APT #Patchwork 076ab63979336e827abc96fcd4fbf534 (lnk) e066b5a875d08507832fc7ed29a7aa30 (dll) b7c2b4d14112356a3d327e99ee97d627 adskochbus[.org theserveunity[.org
#APT #Bitter 912804d58dec8c2fdc909f66f900f1a4 ("DraftLetter.accdr") kuraviewconcepts[.com www.kuraviewconcepts[.com/fesrh.php?d=%username%_%computername%
#APT #MysteriousElephant 96b15bb9ce8ef7c41b708b1620029d99 (chm) 91693c2d5a4b7d090fe06cc7382dfc18 (exe) 188.214.33[.]170:443
#APT #Bitter used windows script file (wsf) to create scheduled task. Malicious code is hidden in plenty of junk code. 4f23a03843c9ece10de1831c84e48244 (rar) 37cfab987b088c7dc9555f73d6d47acc (wsf) www.caravelcruiser[.]com/gbv.pp?uq=%computername%
Other samples VHDX -> LNK -> jse. Malicious code is hidden after a lot of blank space. 8cb6dee642f510d20825e49435e4f814 (rar) 50c8856d31e28d40c78c6d25afd9b2cb (jse) www.haburyohoteam[.]com/jvdmhawme.okjhvthfv?d=%username%_%computername% Both C2 domains resolve to 104.243.38[.38
#APT #Donot VBA -> shellcode -> download other payloads 301e257e8ffb69bc2b3a7040053b9a8e 6f3b51b1d9fb1795aa5b1d79113db3f7 63f6302c60c2c0c6e4c83c9b50784c38 0628a33e3f3b08bdff708059b8e00dea ec188d5fcbbf264eeb4025d266d424b6 locaplayz[.]info reggysolution[.]info
#Malware #SmartLoader disguised using OpenClaw-related topics. Threat actor built a malicious GitHub repo on the basis of a legitimate one. Report: mp.weixin.qq.com/s/q-86GR8g_… hxxp://89.169.12[.235/api/ hxxp://213.176.73[.145/api/ hxxp://213.176.73[.162/api/
#Malware #DCRAT JS -> powershell extracts loader from remote JPEG -> loader gets DCRAT from Github ("albaluzzgom-byte/032026666") 1bfed54ae970308843d0e55ee96eddd9 (js) 8159845a1821df1e5067703af2fa0fb8 (loader) 05aff2b6242e9b2618ade8d34178d46a (DCRAT) vps30002026.kozow[.com:3000
Related #APT malware (DLL written in Rust) 9a95078a7a5f1045c61fe95ab308ec3f a70e0e057bb9cc33913ca035fb3a1138 hxxps://support.cc-cvbs-sco.workers[.dev:443/api/analytics/collect hxxps://cms.bahria-edu.workers[.dev:443/api/analytics/collect
Suspected #APT #Sidewinder VBA macros in .xls download EXE and malicious DLL (Rust trojan). Cloudflare Workers domain is abused for C2 infra. 753bb1b5d8b879f478babb21ed4d9696 (xls) f310ee836f88cc43d3939f8a88b20495 (dll) *.goldibrowhoami.workers[.dev *.desco-gov-bd.workers[.dev
#APT #Bitter 3ee66f56461fc046f600230d11ebe731 (MSI) f57975b8bc1169b35ae17b975327195e (EXE) hxxps://99media.com[.]pk/scvz zoemagicbook[.]com
#APT #Lazarus #IoC d6296ad786e76b2dd1d7e6de897491d4 45[.]83.140.55:1244
Suspected #APT #Donot samples. VBA uses plenty of comment statements to separate malicious code, which creates scheduled tasks and drops BAT files. cab89ee28820b38d1626806f9c1acb9f e5f0a8b4ab983a1457ec2b0a4bff89eb 04cce783b42af18f9208fe5527fa04a8 shop.gladiolus[.]live
#APT #Bitter trojan 8523f2ff3ff13e510a9bf75665562b3b ashersoftlib[.]com:44908
#APT #Bitter targeted Nepal. VHDX file contains hidden malicious DLL which creates a scheduled task named "VerifiedTaskMS". C2 domain is overlapped with previous campaign. www.joelgardens[.]com/gvb.php?uq=%username%_%computername%
25 Dec 2025
#APT #Bitter #IoC f04e4f5e197e47a89c406734c4c14a21 e828f8cacbe8df690a2e82410f307362 be1ff48fd155a44293c9b121c7735268 florabrocuisine[.]com oscarskatingcoach[.]com joelgardens[.]com
e3b8be98de37a64d72b20e71b92f7adb ("Rastriya satarkata kendra NIDEPT Audit Schedule.vhdx") 6b8efd4e7eb44f3149bbe23703a1efc2 ("CryptBase.dll")