Joined May 2025
Pinned Tweet
🚨 New #JavaStealer “MaksStealer” uncovered! Fully in-memory, FUD, DES–Blowfish runtime decryption, WebSockets on 4025/4028/6662. Author “Max, 17yo” left his signature in the payload 🤯 Full report & IoCs 👉 github.com/ShadowOpCode/Maks… #infosec #malware #ThreatIntel @malwrhunterteam
I’ve been quiet because I'm dissecting something worth dissecting.🥷 Not triage. Not IOC farming. Not sandbox tourism. 🥱This is not "malware detected"🥱 🔥This is loader internals🔥 💣Coming soon💣
title, subtitle and content may differ from the final version :)
⚠️NEW MALSPAM IN ITALY⚠️ 📧"Importante" Fascicolo Sanitario Elettronico hxxps://fseitalia[.]es/c/abf99046-6f6c-42d0-bf73-c003eb244993 @AgidCert @guelfoweb @JAMESWT_WT @illegalFawn @AndreaDraghetti
"Avviso di Bonifico Bancario (SEPA)" eml > 7z > bat > powershell > exe hxxps://d[.]tmpfile[.]link/public/2026-05-20/5855cc12-9621-4b14-85ae-b935380953bb/ghhjgr.png Powershell decryption with XOR Injection (VirtualAlloc) AutoIt3 decrypt final payload XOR C2: 151.243.109[.]130:9518
thank you @JAMESWT_WT ! I've uploaded more artifacts obtained during reverse engineering of the sample, including a .NET PE embedded and a DLL embedded (matrioska vibes) decrypted at runtime via 3DES and GZip: bazaar.abuse.ch/browse/tag/1…
app.any.run/tasks/ed075183-7… Probable PureLogs Stealer
🚨ALERT🚨 #phishing #AdE 730 📩Comunicazione Ufficiale – Rimborso Imposte 2025–2026 hxxps://tax[.]denzay[.]eu/gov/ hxxps://agenziaentrate[.]grillwestfrentes[.]com[.]ar/rimborso/it/ Exfil credit card number @guelfoweb @JAMESWT_WT @illegalFawn
I've seen only now @AgidCert already published it some minutes ago :) x.com/AgidCert/status/205525…

🇮🇹 New "tax refund" themed phishing campaign targeting #AdE 🎯 The criminals' real goal is to get hold of credit or debit card data. ℹ️ Info and #IoC (via Telegram)👇 🔗t.me/certagid/1022
⚠️ALERT⚠️ Fake #Booking #Scam #phishing message 🚨REAL RESERVATION USED AS LURE🚨 hxxps://hotel-stay32181[.]com/ Compromised host? @illegalFawn @JAMESWT_WT @AgidCert
🚨ALERT🚨 #Booking #ClickFix #NetSupport Manager RAT seen in Italy. hxxps://admin-extranet[.]com/start/ 👇 ClickFix 👇 hxxp://217.145.226[.]119/book/ 👇 lkhpihf[.]com:443 lkboasprqw[.]com:443 @anyrun_app : app.any.run/tasks/02e8c339-f…

#Booking #ClickFix 📧"General Notification: (5392009143, Complaints Continue to Rise, May, 2026)" 📧info@muraptor[.]com ⛓️‍eml > url > msiexec.exe > #NetSupport 🚫lkhpihf[.]com:443 🚫lkboasprqw[.]com:443 @anyrun_app analysis: app.any.run/tasks/91bbbc07-b… @JAMESWT_WT
stage: hxxp://193.233.113[.]106/book
#FSE malspam #phishing campaign hxxps://sfe-2026[.]com/~server10/c/375f4b72-6efb-45f0-a90e-9de7ee504228
⚠️ALERT⚠️ #AgentTesla spreading in Italy 📧Purchase Order #10045 📡hxxp://185.29.10[.]77/VbnpIdAHD29.bin ⛔ftp[.]holzbrenzii[.]com ⛔infooo@holzbrenzii.com Bazaar: bazaar.abuse.ch/browse/tag/f… @anyrun_app: app.any.run/tasks/f72fc809-0… Thanks @JAMESWT_WT for the other samples
🚨ALERT🚨 #Crypto investing scam in #Italy Using #MarioDraghi and @albmatano image hxxps://zolviqhub[.]live/pc/15007/?sub1=7zcKg&pid=2jWO3Tyh0ou @Cloudflare @CloudflareHelp TAKE IT DOWN‼️ @AgidCert @illegalFawn @JAMESWT_WT
🚨ALERT🚨 There is a #DarkCloud #malspam campaign started in November 2025 and still active "Quotation - Labmate Scientific USA" eml > rar > DarkCloud (UPX packed) 📡C2: mail[.]mokasco[.]com (Turkish company) Sender IP: 31[.]57[.]184[.]57 🇮🇷🦁 bazaar: bazaar.abuse.ch/browse/tag/m…
Threat actors are abusing branded PDFs to deliver phishing via malicious QR codes. 📩"Employee Pay Raise and Bonus Allocation" The QR code redirects users outside the corporate perimeter to a credential harvesting page. 🎣hxxps://crioralo[.]ru
#booking #clickfix #HijackLoader 📧"New notification" hxxps://admin[.]booking[.]com-complete-captcha[.]info 👇 hxxps://lkgkdsjd[.]com/s.php 👇 hxxps://pulse-srvc[.]com @anyrun_app : app.any.run/tasks/3dca8cf3-8…
🚨ALERT🚨 Threat actors try to exfiltrate your O365 account with a simple trick. 👇 "new voicemail" 👇 hxxps://voicem[.]poprexahiugui[.]help/voice/

#phishing hxxps://company[.]seamlesssuccessfu[.]help/voice/ @JAMESWT_WT @guelfoweb @illegalFawn