Photos and videos
Jonas Wagner retweeted
Jun 9
🎯 It’s #ThreatrayTuesday — a weekly drop of new malware families we spot in the wild. This week, 8 new families spotted, including a toolkit (loader, injector and ransomware) and a new Rust RAT.
#SeroWorms — Toolkit: loader injector ransomware. Sample analysis report: reports.threatray.com/b44747…
#OvinRAT — Rust RAT
#TruenixcideWorm — Binary design to simulate malicious activities
#Smert
#EdenXander
#JhnamRAT
#KBAgent
#MotionEyeRAT
🧬 Full #IOCs and analysis reports: github.com/threatray/threat-…
3
4
143
Jonas Wagner retweeted
Jun 2
🎯 It’s #ThreatrayTuesday — a weekly drop of new malware families we spot in the wild. This week, 7 new families spotted, including some new RATs with ransomware capabilities and infostealers using Discord webhook for exfiltrating.
#larp53RAT — RAT with ransomware capabilities. Sample analysis report: reports.threatray.com/f5d6c6…
#AdamRAT — RAT with ransomware capabilities
#SFVerif — Discord webhook exfiltration
#rtotiStealer — Discord webhook exfiltration
#PaloRAT — Discord webhook exfiltration
#DissoluteStealer
#DeepSideRAT
🧬 Full #IOCs and analysis reports: github.com/threatray/threat-…
6
10
539
Jonas Wagner retweeted
May 26
🎯 It’s #ThreatrayTuesday — a weekly drop of new malware families we spot in the wild. This week, 10 new families spotted, including a few stealers using Discord API webhook for exfiltration.
#VeryCoolRacingStealer — Discord webhook exfil. Sample analysis report: reports.threatray.com/f68386…
#ElyStealer — Discord webhook exfil
#MegaStealer — Discord webhook exfil
#DungeonTeamBot
#MagazineStealer
#MWSRAT
#VisualIllusionAgent
#ArtemisRAT
#LaxuryStealer
#TRYMELocker
🧬 Full #IOCs and analysis reports: github.com/threatray/threat-…
1
5
8
631
Jonas Wagner retweeted
May 19
🎯 It’s #ThreatrayTuesday — a weekly drop of new malware families we spot in the wild. This week, 9 new families, including a ransomware with RAT capabilities.
#LQTOREQ — ransomware with RAT capabilities. Sample analysis report: reports.threatray.com/c12220…
#ProjectX — Discord webhook exfil.
#VollmondStealer — Discord webhook exfil.
#ApexTraderRAT
#BlakcSeeStealer
#GoonStealer
#OrilowaStealer
#HermesStealer
#OscarRansomware
🧬 Full #IOCs and analysis reports: github.com/threatray/threat-…
1
5
9
1,151
Jonas Wagner retweeted
May 14
🚨 We discovered a new iteration of #REMUS through Threatray’s code reuse capabilities.
Recent samples show improvements in OPSEC and obfuscation while preserving the same core functionality and infrastructure design.
The new samples still share multiple components with earlier REMUS variants:
- Same ChaCha20 config structure (expand 32-byte k anchor 256-bit key UTF-16LE C2 URL)
- Same EtherHiding-style C2 resolution via eth.llamarpc.com
- Same HTTP exfiltration header (application/x-www-form-urlencoded), re-obfuscated with a new XOR key
The updated iteration introduces several packaging and delivery changes:
- Added DLL sideloading via a fake MpClient.dll alongside the existing standalone EXE delivery
- Switched to Authenticode-signed payloads using stolen certificates (Walmart, iTunes, freecodecamp.org, others)
- Removed the "# REMUS LOG" self-identification string and build timestamp that previously made REMUS samples easy to track
The progression from earlier REMUS samples reflects a clear effort to improve stealth, complicate tracking, and harden the malware against analysis.
Sample analysis report: reports.threatray.com/92b8b4…
🧬 Find the #IOCs here: github.com/threatray/threat-…
12
17
2,190
Jonas Wagner retweeted
May 12
🎯 We're kicking off #ThreatrayTuesday — a weekly drop of new malware families we spot in the wild. This week, 8 new malware families spotted, including a stealer abusing Gofile for exfiltration.
#WoolexaStealer — custom domain C2
#KeshXrdStealer — Discord webhook exfil
#BaggerBauenStealer — exfils via Gofile
#CorebotStealer — Discord webhook exfil
#XYZStealer
#VileRansomware
#Windows12Ransomware
#BallerWareRansomware
🧬 Find the #IOCs here: github.com/threatray/threat-…
1
14
47
6,583
Jonas Wagner retweeted
May 6
🪤 What initially looked like a new #NanoCore RAT variant turned out to be something unusual: a NanoCore-branded RAT with experimental #ransomware features — distributed under different names, but sharing the same broken crypto and even the same Satoshi wallet as the “ransom” address. @Threatray’s code similarity engine helped connect the dots.
The “ransomware” component appears non-functional. The BTC wallet 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa is Satoshi’s genesis address. The hardcoded AES IV NanoCoreIV67890 is 15 bytes (AES requires 16), so the encryption routine fails under standard execution. The contact email nanocore@onion.com also doesn’t resolve.
Code similarity revealed a cluster of .NET samples from the same author under namespaces like ExtremeMalware, ExtremeRansomwareBotnet, and HighlyDetectableMalware — all reusing the same flawed crypto and ransom note. Indicators include an EventLog source named RansomwareSimulation, .encrypted files containing the literal string "FAKE", and beacons to AV test domains like wicar.org and zeltser.com.
This points to a single development effort with reused components across multiple samples.
🧬 Find the #IOCs here: github.com/threatray/threat-…
10
35
3,381
Jonas Wagner retweeted
Apr 28
🚨 We uncovered a new #AsyncRAT strain experimenting with ransomware-style functionality.
The variant, ASYNCRAT MAX BURN ULTRA v0.7.0, contains simulated file-encryption routines, test destructive commands, and shared infrastructure across multiple related samples.
Using our code similarity engine, we traced the earliest activity back to early April 2026 and linked 23 samples sharing the same configuration.
Importantly, the #ransomware component does not appear fully operational. The code encrypts only specific test files in predefined directories, strongly suggesting these features are still in development or being used for experimentation.
We also identified several additional simulation functions for mass encryption, credential theft, mining, screenshots, and noisy command execution — indicating active feature testing or attempts to probe detection engines.
We’ll keep watching. 👀
🧬 Find the #IOCs here: github.com/threatray/threat-…
3
18
78
5,643
Jonas Wagner retweeted
Apr 23
Last week, @CyfirmaR reported a new operation dubbed #PhantomCLR, which utilizes a sophisticated .NET loader that abuses AppDomainManager hijacking.
Despite heavy obfuscation and garbage code, our code-similarity engine identified that this loader is actually an upgraded variant of the .NET loader reported by @TrellixARC in June 2025 as part of a red-team engagement.
Both variants share core mechanisms, including a JIT-trampoline shellcode executor, brute-force IV derivation loop, char-swap preprocessor for payload decryption, and a prime-sieve sandbox gate.
However, the new variant upgrades string decryption to base64 XOR, adds a GZip decompression layer over the payload, and refines the JIT-trampoline execution to be stealthier by removing a hardcoded byte sequence in favor of direct delegate invocation.
This technical evolution is paired with an expanding target landscape. Trellix originally observed the loader targeting the oil and gas sectors, while Cyfirma’s recent sample utilized a Saudi Ministry of Finance lure.
By retrohunting for this threat, we uncovered additional campaigns from late last year featuring Gulf-themed lures. The fact that this framework remained actively deployed for 10 months following the initial Trellix disclosure strongly suggests we are looking at an operator serving multiple Gulf clients on an ongoing basis, rather than a single, isolated red-team engagement.
🧬 We’ve crafted a #YARA rule based on the shared code. Find the rule and #IOCs here:
github.com/threatray/threat-…
11
39
10,637
Jonas Wagner retweeted
Apr 16
New blog post: how AI code intelligence can help analysts rapidly identify trojanized DLLs and accelerate malware investigations.
We preview our upcoming AI analysis feature, combining LLMs with Threatray’s code similarity engine to surface suspicious functionality, separate benign code from attacker logic, and speed up triage.
Read it here: threatray.com/blog/leveragin…
4
8
1,183
Jonas Wagner retweeted
Apr 10
🚨 Following the #CPUID compromise, we've been digging into the payload delivered by the threat actors.
The payload is a trojanized DLL abusing DLL-sideloading to deploy the next stage.
It reuses the same C2 config and staging server as the loader reported last month by @Malwarebytes, which was pushing a trojanized FileZilla client via the same DLL-sideloading trick.
Using our code-similarity engine, we identified the next stage as #STXRAT — a new RAT with infostealer capabilities, documented by @esthreat 2 days ago.
🧬 #IOCs:
49685018878b9a65ced16730a1842281175476ee5c475f608cadf1cdcc2d9524 (Trojanized DLL)
welcome[.]supp0v3[.]com (C2 staging server)
19
60
7,948
Jonas Wagner retweeted
Apr 2
🚨 Update on #SantaStealer: Shortly after our February tweet, we identified yet another new variant in early March—this time with significantly more complex string encryption.
Unlike the earlier straightforward AES-256-CBC implementation, this variant introduces a custom multi-layer scheme combining AES-128-CBC, ChaCha20, and XOR. Each string includes its own encrypted key blob and undergoes up to five independent decryption rounds.
The threat actors are clearly investing in increasing analysis complexity and improving evasion.
🧬 #IOCs: 2f3d8bf8174044b548617536c952f5c8ed96896fc7252ae8fd260279cca8471f 825403678f778a98132341bfbac1c3c0da1ec2cc1ea1d637a253c2511c008022 9ff847266eccbe55815df693cf3f91a87b8a1691b1b059333ca4b36c8157d47b 7b261029fc9d8915a8061ba064fae14c54c7b863c6c5259020d954fa90b5a1e0 393c38626cfc87137e608d53a9d5334d86b9ee941bd90bb17ec7083ba19b1a21
Feb 19
🚨 We’ve identified a new, previously unreported variant of #SantaStealer (first reported by @Rapid7 last December).
Using our code-similarity engine, we uncovered overlaps between the original and the new samples, which triggered a deeper investigation.
💡 The new variant maintains similar behavior and core functionality, but introduces several notable changes:
- Uses Mastodon as its C2 infrastructure
- Encrypts many strings with AES-256-CBC
- Protects the C2 address and URL path with three layers of AES-256-CBC
Through retrohunting, we traced the earliest sample back to early January. Early builds contained fewer encrypted strings, while more recent samples show progressively heavier string encryption.
🧬 #IOCs:
756bbdb069db144f16dd62dc9ddbe0ac0b4d62ca303d48f65e95e5265bdc9f45 ace0a0d6615f233f3c71781e59d6438bf3ca35ead4123cf4e02b97effd45a75c d3fb6919ce5b708d7e4f50e49050d5c497f658f89951418c4f590d9476764271 055d777c3d38269f07d454f07abc985dfa52493b669cd3cc687304a0a6425122 885b57ac755eb84c505fd41c55bc451746b29fb8101a8e1cff74d46e85a80bee b4d1b2f81992764178c6fbee4b91118f0350d4fa3a70abc9a9abfaf7b7b77b37 5621c4c3f8fd7a9b62894a79c44d29dfb35143dd833e7ac47bd06b3f0c8d9102 14e2358e66c2dfd1aa283cc030a49110b06fd057cdebb9e96ff10e44ef0c012b b54cc77250a22c94b7acbd1bbdab6bba650d4d3a6bf6b37c6128fab13c2c0813 763f815d2fca9acd9266fa0129954a6d219baaf34e447f333d880f5a51521a67 cc1de746b577bf949aeeab2db18c07f6be0346e9f519a39c8bb1b7effca0458d 391158e325043bfd5b6bc0d66dc0fda3455bfe76e519deaf1ee46c966e0f2fc4 99f4a1e2d828e2c4e32084c51b26bd0ba22a8e982776537204e119653e2e2db1 3545ae95ec6e180adb41914e1c22fa726d5f769195d539a774fe8f9daba1d8ee 6ba6373af16ae34d3f0322e6f54087bc33e620a0a369323bc76a1addc8175ace
2
16
50
4,328
Jonas Wagner retweeted
Mar 3
New tutorial: From Binary Code to #YARA Rule — A Threatray Walkthrough with #Eddiestealer
We just published a hands-on walkthrough showing how to build a reliable YARA rule for Eddiestealer, the Rust-based info-stealer, using Threatray’s unique binary analysis and intelligence capabilities.
Since Eddiestealer encrypts and obfuscates its strings, string-based detection doesn’t work — we need a code-based YARA rule. The core challenge with code-based rules is finding pieces of code that guarantee a high true-positive and low false-positive rate. Rust binaries make this especially hard: they’re packed with statically linked runtime and library code, making it extremely difficult to separate malware logic from benign noise and to select the right code to base a YARA rule on.
In this tutorial, we show how Threatray’s unique code analysis and intelligence capabilities can simplify and speed up the process of writing code-based YARA rules. Starting from 1,300 functions in an Eddiestealer binary, we narrow them down to just 2 strong candidate functions through a largely automated process — and use those as the foundation for the final rule.
Read it here: docs.threatray.com/docs/buil…
A big thank you to @craiu (@wearetlpblack) and @X__Junior (@nextronsystems) for reviewing early drafts and providing valuable feedback.
14
52
5,816
Feb 26
RT @ThreatrayLabs: Recently, @GroupIB reported on #MuddyWater’s Operation Olalampo, which introduced a new downloader named #GhostFetch.
W…
1
5
Jonas Wagner retweeted
Feb 19
🚨 We’ve identified a new, previously unreported variant of #SantaStealer (first reported by @Rapid7 last December).
Using our code-similarity engine, we uncovered overlaps between the original and the new samples, which triggered a deeper investigation.
💡 The new variant maintains similar behavior and core functionality, but introduces several notable changes:
- Uses Mastodon as its C2 infrastructure
- Encrypts many strings with AES-256-CBC
- Protects the C2 address and URL path with three layers of AES-256-CBC
Through retrohunting, we traced the earliest sample back to early January. Early builds contained fewer encrypted strings, while more recent samples show progressively heavier string encryption.
🧬 #IOCs:
756bbdb069db144f16dd62dc9ddbe0ac0b4d62ca303d48f65e95e5265bdc9f45 ace0a0d6615f233f3c71781e59d6438bf3ca35ead4123cf4e02b97effd45a75c d3fb6919ce5b708d7e4f50e49050d5c497f658f89951418c4f590d9476764271 055d777c3d38269f07d454f07abc985dfa52493b669cd3cc687304a0a6425122 885b57ac755eb84c505fd41c55bc451746b29fb8101a8e1cff74d46e85a80bee b4d1b2f81992764178c6fbee4b91118f0350d4fa3a70abc9a9abfaf7b7b77b37 5621c4c3f8fd7a9b62894a79c44d29dfb35143dd833e7ac47bd06b3f0c8d9102 14e2358e66c2dfd1aa283cc030a49110b06fd057cdebb9e96ff10e44ef0c012b b54cc77250a22c94b7acbd1bbdab6bba650d4d3a6bf6b37c6128fab13c2c0813 763f815d2fca9acd9266fa0129954a6d219baaf34e447f333d880f5a51521a67 cc1de746b577bf949aeeab2db18c07f6be0346e9f519a39c8bb1b7effca0458d 391158e325043bfd5b6bc0d66dc0fda3455bfe76e519deaf1ee46c966e0f2fc4 99f4a1e2d828e2c4e32084c51b26bd0ba22a8e982776537204e119653e2e2db1 3545ae95ec6e180adb41914e1c22fa726d5f769195d539a774fe8f9daba1d8ee 6ba6373af16ae34d3f0322e6f54087bc33e620a0a369323bc76a1addc8175ace
5
32
6,801
Jonas Wagner retweeted
Feb 11
This is a follow-up to @TrellixARC’s APT28 report from last week.
Following Trellix's attribution to Threatray, we reviewed our classification engine's performance on the reported samples.
Our analysis successfully identified 10 functions reused from the steganography loader, which was originally reported by @sekoia_io in September 2025. This overlap allowed us to accurately detect and classify the new sample.
We also observed that the latest loader variant initially evaded all AV detections on VT except one.
This highlights why code-similarity approaches are often more resilient for detecting and classifying the novel variants that matter most.
For more details, check out the complete blog post from Trellix: trellix.com/blogs/research/a…
6
26
2,200
Jonas Wagner retweeted
Feb 4
🚀 We are proud to announce the availability of Threatray Release v2.2, bringing a powerful set of enhancements and new capabilities to the platform.
🔍 Function-level retro-hunting and pivoting is now available directly in the UI. Point and click on any unknown function to hunt for similar functions across our database of over 1 billion malware and goodware functions - uncovering relationships in seconds and accelerating analysis, pivoting, and detection workflows.
🧠 We’ve significantly improved our Go and Rust library identification engine, yielding up to 40 % more goodware function identifications, while reducing false matches. Library attribution is now more specific, enabling clearer distinction between known good code and potential threats.
👁️ YARA matches are now better visible throughout the UI, making detection results more accessible and intuitive. YARA classification works alongside our core code similarity engine, helping analysts quickly see all relevant classification and detection signals in one place.
Explore all the new features and improvements: threatray.com/blog/threatray…
2
7
251
Jonas Wagner retweeted
11 Dec 2025
Last week, @SophosXOps reported a new packer/crypter called #Shanya (aka #ArmillariaLoader by @ciphertech).
We hunted for this packer across our dataset and identified several early, previously unreported samples. The earliest sample observed in the wild dates back to December 2024, which aligns with the underground promotions for this packer toward the end of 2024 (as noted by @SophosXOps).
Some of the unreported #Shanya samples we observed were dropping families such as #SmokeLoader, #NightshadeC2, and #Vidar.
Due to the heavy obfuscation of this packer, we clustered the samples using our code similarity engine and identified the custom API hashing function as a strong hunting artifact.
We identified two variants of this hashing algorithm used across the packer samples, which enabled us to easily create a #YARA hunting rule. You can find the rule and #IOCs here:
github.com/threatray/threat-…
1
9
35
3,855
Jonas Wagner retweeted
21 Nov 2025
We got you some fresh #IOCs before the weekend.
Yesterday, Google Threat Intel Group @Mandiant published a new report about #APT24's recent activities using #BADAUDIO as a first stage downloader.
We retrohunted for this threat in our dataset and found two additional recent samples with low detection rates on VT.
🧬 #IOCs:
19e2902bfd97cbc62db10e3359ae8e1bd5f831c386b8e25881f3c775aa65323e
e621af092eabfab8e1112be9e7da719f6594ac5cfd52fd187bb1f51ed2a2ab95
api[.]wovled[.]org
www[.]jalpila[.]org
8
25
2,410
Jonas Wagner retweeted
20 Nov 2025
Earlier this week, @malwrhunterteam reported several unknown samples. Our code similarity engine attributes them to the #FDMTP hacktool, originally reported by @TrendMicro last year. This hacktool is a simple downloader used by the Chinese #APT group #EarthPreta (#MustangPanda).
We retrohunted for this downloader and uncovered additional recent samples. We also extracted the embedded configuration, which is stored in an encrypted format (Base64 DES).
🧬#IOCs:
5c0fc49ed99e75886fe61c3fc41c587900775230ac518e059dbf779660dfaec6
aac8e8b1b20c9b6199dac77d88fb4d696cb1f01f2000238dd9d367d9c6dbf936
ef0d64f099058e8656da1ff85203e74eedbf3f5aca6442c6025e06b96e567077
3c1eefad5b96e8f9e8ecaab6c054ca2bc7a7929b03f814f94ba4beab2703aa07
154[.]90[.]32[.]88:8043
8[.]217[.]56[.]157:6379
8[.]217[.]47[.]190:8848
8[.]210[.]195[.]35:8080
11
34
5,688