Fighting malware and botnets

Botnet C2 tied to an unidentified #malware family trying to hide as a FortiGate device 😜 🌐 Domain: az2030port.duckdns .org 📡 C2: 178.16.55.28:2030 ➡️ Omegatech LTD 🇳🇱 🔐 SSL certificate: FortiGate, O=Fortinet Ltd. Corresponding malware samples ⤵️ hunting.abuse.ch/hunt/6a285c…
My favorite Remus botnet C2 domain so far 😄 havelbeenpwned .net ⤵️ NICENIC INTERNATIONAL🇨🇳 103.211.219.238:4219⤵️ AS394695 PUBLIC-DOMAIN-REGISTRY 🇮🇳 Malware sample: bazaar.abuse.ch/sample/75fce… More #Remnus IOCs available on ThreatFox 🦊 threatfox.abuse.ch/browse/ma… /cc @troyhunt
See you at #PIVOTcon26 next week with🙌 We’ll be around with @SpamhausTech and keen to catch up with contributors and familiar faces from the community 😊
Countdown is real ⌛️ Next week‼️ #ThreatResearch community gathers in Málaga 🇪🇸 Time to remind you of our PIVOTcon song: soundcloud.com/argonix/pivot… But watch out — it's a banger! thx: @JReisdorffer #CTI #ThreatIntel #PIVOTcon26
Malspam 📧 targeting Spanish users 🇪🇸 Email ➡️ geo filter ➡️ mediafire ➡️ iso ➡️ vbs 1st stage - geo filter 🛑 vmi3228488.contaboserver .net Contabo 🇩🇪 2nd stage - payload 📄 urlhaus.abuse.ch/url/3824487… Dropped iso: bazaar.abuse.ch/sample/faaa4… Botnet C2: 📡 54.197.208.68 Amazon 🇺🇸
abuse.ch retweeted
🇫🇷 We’re proud to be a Gold Sponsor at #Botconf26 with our partner @abuse_ch next month! After attending many times, we’re delighted to be supporting this brilliant event. 🤖🤩 #GoldSponsor #Botnets #Malware
SparkRAT caught by @smica83 👏 ChromeSetup.msi ➡️ FUD 🔥 msftconnecttest .xyz ⤵️ Creation Date: 2024-12-02 ⤵️ After more than a year, this domain has a detection rate of 1/93 🤯 Pointing to ⤵️ 154.31.222.217:443 ➡️DControl Chinese? 🇨🇳 lang="zh-cn" bazaar.abuse.ch/sample/91a29…
FUD #SparkRAT related. 'ChromeSetup.msi' seen from Hong Kong bazaar.abuse.ch/sample/91a29…
Proofpoint recently identified a fake RMM (Remote Monitoring and Management Tool) called #TrustConnect and #DocConnect🔎💻 Pivoting the threat in our collection reveals that the threat actors spread the same malware under additional names, including: ➡️SoftConnect ➡️HardConnect ➡️AxisControl It also seems that the threat actor was previously playing around with the legitimate RMM #ScreenConnect (aka ConnectWise) before switching to their own fake RMM 🛠️ What also stands out: the majority of the botnet C2s were hosted at Contabo GmbH 🇩🇪 We track the threat on our platforms as #FakeRMM ⤵️ IOCs on ThreatFox: 🦊 threatfox.abuse.ch/browse/ta… Malware samples: 📄 bazaar.abuse.ch/browse/tag/F…
Proofpoint threat researchers identified a new malware-as-a-service named #TrustConnect. Notably, it masquerades as a legitimate remote monitoring and management tool, marking an evolution in how attackers weaponize trust around enterprise tooling. brnw.ch/21x05Vh
Rogue #ScreenConnect RMM 🕵️‍♂️ Botnet C2: 📡 no.windowupdateservice .com 📡 relay.windowupdateservice .com 📡193.26.115.51:8041 Payload delivery URL: 🌐 urlhaus.abuse.ch/url/3782937… Malware sample 📄: bazaar.abuse.ch/sample/77dc5… More ScreenConnect RMM IOCs ⤵️ threatfox.abuse.ch/browse/ta…
Yet another RAT in town: RemoteX🖥️🖱️ 🪲 Dropped by Amadey 📃 Written in Golang 💻 Uses HKCU\...\CurrentVersion\Run\RemoteX for persistence (lame 🚽) 🌐 Uses WebSocket for C2 communication 🕵️‍♂️ Unauthenticated RAT admin panel 🤡 Botnet C2: 📡 109.107.168.147:80 (Partner Hosting LTD 🇬🇧) Malware sample ⤵️ bazaar.abuse.ch/sample/d6316…
Xillen Stealer 🎣, heavily dropped by Amadey 🔥 Botnet C2: https://goldenring[.]live/api/logs/check "Invisible. Undetectedable. Unstopable." 🤡 👉 github.com/BengaminButton/Xi… Samples ⤵️ bazaar.abuse.ch/browse/signa… Additional IOCs on ThreatFox 🦊 threatfox.abuse.ch/browse/ta…
abuse.ch retweeted
Very excited and honestly a bit humbled to be recognized as a Top Contributor by @spamhaus and @abuse_ch Community-driven intel makes the internet safer. Glad to contribute, and I’ll keep at it. Big respect to everyone submitting, reviewing, and maintaining these datasets. 🙂
abuse.ch retweeted
📢 Botnet Spotlight July - December 2025 | The second half of 2025 brought progress against botnet infrastructure: stronger anti-abuse action by major network operators, increased law enforcement pressure on RATs and bulletproof hosting, and major takedowns like CrazyRDP. 🚨 1/3
abuse.ch retweeted
Thank you @SpamhausTech & @abuse_ch for being #PIVOTcon26 Silver Sponsor Read more about alliance: abuse.ch & spamhaus.com This alliance empowers the largest independently crowdsourced intelligence of tracked malware and botnets pivotcon.org/sponsors
Brazilian banker 🇧🇷 caught by @johnk3r 🎣 GHOST panel 🧐 007consultoriafinanceira .net ➡️ GoDaddy 🇺🇸 83.229.17.124:80 ➡️ Clouvider 🇺🇸 Payload delivery URL: 🌐urlhaus.abuse.ch/url/3759148… Malware sample (MSI): ⚙️bazaar.abuse.ch/sample/2cbaf…
abuse.ch retweeted
🤖 Jul-Dec 2025 Botnet Threat Update out now! ⬆️ 21,425 #botnet C&Cs observed, up by 24%. ⏫ Botnet C&C domains soar 9,608% for 🇷🇺 Russia-based REGRU ⬆️ Remote Access Trojans represent 42% of Top 20 malware associated with botnet C&Cs. But it isn’t all bad news – several large cloud network operators have taken action to tackle active botnet C&Cs - find out which ones in the latest FREE report here👇 spamhaus.org/resource-hub/bo… #Botnet #ThreatIntel
Malspam sent from Microsoft Outlook that is spreading @LogMeIn GoToResolve RMM, enabling threat actors to access the victim's machine from remote 💻🔍🕵️ IOCs: 📡adwestmailcenter .com ➡️ Landing page 📡insightme .im ➡️ fake PDF download Payload hosted on Cloudflare R2 bucket, but already got nuked due to an abuse report from URLhaus 🙌 🌐 urlhaus.abuse.ch/url/3751500… LogMeIn #GoToResolve payload 📄 bazaar.abuse.ch/sample/77e22…
23 Dec 2025
CHICXULUB IMPACT 💥 Botnet C2 URLs: 📡 https://turbokent .name/api/initialize 📡 https://turbokent .name/api/status Sponsoring domain registrar: NICENIC 🇭🇰 Malware sample 📄: bazaar.abuse.ch/sample/c32e1…