The last time I used code was when building a website, and that was HTML, JScript and the like; now I don't know Java or anything, heeeelp!
5
57
PHISH ALERT: Unicode Babel — BEC Lure Smuggles Agent Tesla v4 via Emoji-Obfuscated JScript

KnowBe4 ThreatLabs is tracking a highly deceptive BEC-style phishing campaign that leverages hijacked email threads and realistic SWIFT payment details to deliver Agent Tesla v4 onto Windows hosts. What makes this campaign stand out is a clever script-level obfuscation technique designed to glide straight past standard signature-based detection layers. Here is the tactical breakdown of the attack chain:

The Hook: Emails impersonate a relationship associate from a financial institution, forwarded as an active SWIFT wire transaction thread. The body references precise company names and dollar amounts to establish rapid trust, instructing the target to verify the attached "transfer copy".

The Emoji Obfuscation Layer: The attachment is a malicious JScript (.JS) file. Instead of conventional packing or basic encoding, the script body is flooded with Unicode emoji characters. Because the Windows Script Host simply ignores these symbols, the underlying malicious logic executes flawlessly while security scanners parsing the file for known bad strings get completely confused.

Staging & In-Memory Injection: Once executed, the script drops a 32-bit .NET executable (wabmmxofrrdsjlsx.exe) and an encoded payload blob (.ttf) into C:\Users\Public\Libraries\. It utilizes DonutLoader shellcode to reflectively inject Agent Tesla v4 directly into memory, evading traditional endpoint security filters.

Anti-Analysis & Harvesting: Before running its routine, the injected process runs environment checks against sandbox modules to ensure it isn't being watched. It then overwrites its own code in memory to hide execution traces, executing a massive sweep targeting stored credentials across 30 web browsers and email clients (including Chrome, Edge, Outlook, and Thunderbird).

Non-Standard Exfiltration: Stolen credentials are sent back via FTP to a threat-actor-controlled domain (ftp[.]melrz[.]com). Interestingly, it also establishes a secondary data channel on port 12038 to the same IP, leveraging a non-standard port to slip out past standard firewall monitoring.

IOCs TO MONITOR AND BLOCK:
JScript Loader: 615f9ecc51ccce0de6e88dcff70662f77965214bf5ad0cc7e07bc4fae72c40d0
Dropped .NET Binary: d447a06cba8d3dbe80e09d73dd64576836b258961ee0d3ba56cf26cea7962b49
File Artifact / Mutex Paths: C:\Users\Public\Libraries\wabmmxofrrdsjlsx.exe, C:\Users\Public\Libraries\wabmmxofrrdsjlsx.ttf
Network Infrastructure: ftp[.]melrz[.]com, 162[.]0[.]209[.]89 (Ports: 21, 12038)
Config Account Username: info@melrz[.]com

#AgentTesla #InfoStealer #BEC #Phishing #CredentialTheft #ThreatIntel #IOC
15
31
1,698
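The post above describes a JScript attachment padded with emoji so that string-based scanners miss the underlying code. The following is an added triage example (not KnowBe4's code or tooling) that strips emoji-like code points from a script before signature scanning and flags files whose emoji density is abnormally high; the sample script, the code point table and the 5% threshold are constructed assumptions for illustration.

```python
import unicodedata
from typing import Dict, Union

# Code point ranges holding the bulk of emoji and pictographs. Assumption: a
# triage-grade table, not an exhaustive one; the Unicode "So" category
# (Symbol, other) catches most of the rest.
EMOJI_RANGES = (
    (0x1F300, 0x1FAFF),  # pictographs, emoticons, supplemental symbols
    (0x2600, 0x27BF),    # miscellaneous symbols and dingbats
    (0x1F1E6, 0x1F1FF),  # regional indicators (flag sequences)
)
# Zero-width joiner, variation selectors and skin-tone modifiers: they only
# compose emoji sequences and carry no script semantics.
EMOJI_GLUE = {0x200D, 0xFE0E, 0xFE0F} | set(range(0x1F3FB, 0x1F400))


def is_emoji_like(ch: str) -> bool:
    """True for characters that serve only as emoji/pictograph noise."""
    cp = ord(ch)
    if cp in EMOJI_GLUE or any(lo <= cp <= hi for lo, hi in EMOJI_RANGES):
        return True
    return unicodedata.category(ch) == "So"


def strip_emoji(text: str) -> str:
    """Drop emoji-like characters; letters of any script (e.g. CJK) stay."""
    return "".join(ch for ch in text if not is_emoji_like(ch))


def emoji_ratio(text: str) -> float:
    if not text:
        return 0.0
    return sum(1 for ch in text if is_emoji_like(ch)) / len(text)


def triage_script(text: str, threshold: float = 0.05) -> Dict[str, Union[bool, float, str]]:
    """Emoji density, a suspicion flag, and a normalized copy meant for
    string/signature scanning only (never for execution)."""
    ratio = emoji_ratio(text)
    return {"emoji_ratio": ratio, "suspicious": ratio >= threshold,
            "normalized": strip_emoji(text)}


# Constructed sample: a harmless JScript snippet padded with emoji in a
# comment, a string literal and between tokens, standing in for an attachment.
SAMPLE_JS = '// 🙂🙂 build 🙂\nvar 🙂 s = "Hel🙂lo";\nWScript🙂.Echo(s);\n'

if __name__ == "__main__":
    result = triage_script(SAMPLE_JS)
    print(f"emoji ratio {result['emoji_ratio']:.2f}, suspicious={result['suspicious']}")
    print(result["normalized"])
```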
#threatreport #LowCompleteness What Recent Reporting Gets Right About The Gentlemen RaaS and What Silent Push Learned Months Earlier | 11-06-2026
Source: silentpush.com/blog/the-gent…
Key details below ↓
🧑‍💻Actors/Campaigns: Gentlemen_ransomware
💀Threats: Gentlemen_ransomware, Countloader, Cobalt_strike_tool, Blackbasta, Lockbit, Qilin_ransomware
🤖LLM extracted TTPs: T1059.001, T1059.007, T1190
🧨IOCs:
- IP: 1
📜Programming Languages: powershell, jscript

#threatreport: The recent reporting on The Gentlemen ransomware operation has drawn attention to the methods and affiliations of this Ransomware-as-a-Service (RaaS) group, which has been active since mid-2025. Notably, an investigation identified links between a malware loader known as CountLoader and three notorious ransomware operations: Black Basta, LockBit, and Qilin. CountLoader, spotted in .NET, PowerShell, and JScript versions, has played a crucial role in the operational infrastructure of The Gentlemen. Silent Push analysts, in their research, noted how CountLoader led to the discovery of Cobalt Strike watermarks, specifically 1473793097 and 1357776117, which are unique identifiers tied to the same affiliate across different ransomware groups. Cobalt Strike's utilization of licensed instances, which carry unique identifiers, has facilitated persistent tracking of malicious actors despite changes in their RaaS affiliations. This tracking method has proven effective, allowing Silent Push to maintain continuous surveillance on the affiliate's activities over a three-year period.

An important piece of intelligence from Silent Push was the identification of the IP address 91.107.247.163 as a Cobalt Strike command and control (C2) server. This was flagged in February 2026, and by April of the same year, it was confirmed by Check Point in relation to an intrusion tied to The Gentlemen operation. Silent Push's early warning system enabled clients to implement blocks against this IP address well ahead of time.

The analysis of the operational infrastructure used by The Gentlemen provides insights into their tactics. Affiliates of this ransomware have shown a preference for exploiting internet-facing VPN and firewall appliances to gain initial access to target networks. For organizations, this highlights the urgency of auditing and patching these entry points to mitigate risk. To bolster defenses against such advanced threats, it is recommended that enterprises utilize Cobalt Strike Indicators of Future Attack (IOFA) feeds available through Silent Push, which can be directly integrated into security systems like firewalls, Security Information and Event Management (SIEM), or Endpoint Detection and Response (EDR) platforms. This integration enabled proactive measures that placed clients ahead of intrusions by several weeks, demonstrating the importance of timely intelligence in counteracting sophisticated cyber threats.
56
#threatreport #MediumCompleteness A living fossil, or how the ProxyCB botnet survived | 11-06-2026
Source: rt-solar.ru/solar-4rays/blog…
Key details below ↓
💀Threats: Proxycb, Virut, Teamspy, Ponystealer, Nssm_tool, Teamviewer_tool
🎯Victims: Russian online services, Email platforms, Marketplaces, Social networks, Telecom services, Gaming services, Russian federation
🏭Industry: Financial, E-commerce, Entertainment, Telco
🌐Geo: Russian federation, Russian
🤖LLM extracted TTPs: T1027, T1036, T1036.004, T1036.005, T1055, T1059.007, T1090, T1105, T1204.002, T1218.011, ...
🧨IOCs:
- IP: 1
- Domain: 20
- File: 11
- Hash: 75
💽Software: Telegram, VKontakte, Node.js, winlogon, uTorrent
🔢Algorithms: zip, sha1, sha256, md5
🔠Functions: GetConfig, SetConfig
🗂️Win API: CreateRemoteThread
📜Programming Languages: jscript
💻Platforms: x86

#threatreport: The ProxyCB botnet represents a sophisticated cyber threat leveraging a complex architecture designed to utilize infected hosts as proxies for various nefarious activities. Its infrastructure includes a client bot, control and data channels, a web panel, and operates on a server kernel known as PCBServer 7. A significant characteristic of this botnet is its ability to communicate through established TCP ports (1001 for control and 1002 for operational tasks), and it features an authorization panel accessible via ports 80 and 443. The bot's operation is marked by its ability to generate unique identifiers for infected nodes, maintain persistence through mechanisms that prevent restarts, and facilitate command and control (C2) communications through dedicated threads for control and operational logic. The web interface mainly serves as a shell, concealing the primary control mechanisms which are embedded within the server kernel and employ a proprietary binary protocol. Evidence suggests that the ProxyCB botnet has evolved over time not necessarily in the core technology, but through the methods of packaging and delivery.

Initial samples utilized server domains such as gogogobaby12.com, while more recent iterations have transitioned to domains like kilo-torrent.org. Alongside its primary functioning as a proxy bot, the malware has frequently appeared in conjunction with other threats, such as the Virut botnet, wherein Virut employs a sophisticated injection technique targeting system processes to further its payload delivery. Notably, the ProxyCB framework allows for diverse operational modes such as SOCKS4, SOCKS5, and HTTP tunneling, facilitating a robust protocol for data exfiltration and interception. The communication between the proxy nodes and the server is structured around fixed-length messages, indicating a systematic approach to command processing and data handling. This rigid structure allows various commands—including connection authorization and task execution—to be processed efficiently and securely. The malware has also adapted its delivery methods, particularly through the use of installers masquerading as legitimate software like uTorrent, using the Inno Setup tool to obfuscate its installation process. This tactic not only enhances user acceptance but effectively distracts from the actual malicious payload being introduced into the system.

Recent incidents indicate a continuous operational presence of ProxyCB, with activities persisting into late January 2025, reflecting a substantial degree of automation and refined mannerism in executing commands that mimic real user behavior, particularly across Russian online services. Analysis of the botnet reveals historical ties with the TeamSpy cyber espionage group, indicating shared infrastructure and possibly overlapping operational objectives. The coordination between ProxyCB and TeamSpy suggests a long-term strategy aimed at developing a robust distribution network, thereby positioning the ProxyCB bot as a tool well suited for exploitation during active cyber campaigns. The structure and functionality of ProxyCB emphasize its maturity as a sophisticated cyber threat, capable of evolving its tactics and evasion techniques in response to security countermeasures.
64
Most devs follow me on BlueSky but-- Testament to my wordiness; wrote code to help me shrink text to fit in X/BS. Funny; used to start w/something like VB/VC#.net(basic b4 that); now to hit as many platforms as poss., & access anywhere; amazing what you can do w/html & jscript
1
1
293
For building simple tools for everyday work, mshta was handy because you could build with nothing but Notepad. While VBScript support is about to end, JScript apparently is still getting a reprieve. Erinyes and 時の故郷 also ran as HTA applications, so this is a tool I'd really like to see kept alive.
1
31
Replying to @ok1cdj
Seems nice: Web Audio API? Decoding in wasm or jscript?
1
311
Hmm, true: after C# and F# came VB.NET, and that was partly a branding thing at the time, together with the atmosphere of Microsoft going head to head in every area back then; if you know the mess with J and JScript, I think you'd want to stick a SHARP suffix on it too.
Diary
2
331
Replying to @Philainel @kleschby
Microsoft had its own implementation of the ECMAScript standard, JScript, which was later crossed with .NET. It turned out quite interesting, but it was buried in favour of developing C#.
1
99
A malspam campaign has been reported that relays through DoubleClick, the ad-tracking domain operated by Google, to slip past the URL reputation checks of email gateways. It generates a fake page by dynamically fetching the company logo based on the recipient's email domain and the location from the viewer's IP, so there is no need to craft a lure for each organization. In the final stage it is said to disable AMSI, Windows' malware scanning interface, and ETW event logging, and inject malware into a legitimate Microsoft-signed process. Because email defenses that rely on domain reputation have difficulty spotting this kind of relay, the recommended countermeasure is to change the default handler for script files (.js/.vbs/.hta) to Notepad via GPO, blocking the first-stage script execution.

[Summary of key points]
・Opening the attached HTML (Bestellung_2026.html; "Bestellung" means "order" in German) immediately redirects via an HTML auto-forward (meta-refresh) to a tracking URL on ad[.]doubleclick[.]net. Because DoubleClick is a highly trusted Google-owned domain, email gateway URL evaluation tends to allow it. If there is no email address in the URL fragment, it forwards to Bing, evading automated analysis.
・The company logo is fetched dynamically from Clearbit, logo[.]dev, Google favicons and the like based on the email domain, and ipapi[.]co is used to display a city name and local time based on the viewer's IP. No organization-specific data is hard-coded; swapping the email address instantly switches the lure.
・Infection proceeds in five stages: HTML → JScript → PowerShell → .NET loader → process hollowing (a technique that overwrites a legitimate process's memory with the attacker's own code). At the PowerShell stage, if analysis tools such as Wireshark or any[.]run are detected, it forcibly reboots the machine (Restart-Computer -Force) to obstruct analysis.
・On Windows 11 24H2 (build 26100 or later), the .NET loader patches NtManageHotPatch to block AMSI and also rewrites EtwEventWrite to return immediately, stopping ETW monitoring telemetry. In environments where Avast, AVG and Malwarebytes are not running, it also disables Defender real-time protection, then injects the final payload via process hollowing into InstallUtil.exe or MSBuild.exe. It establishes persistence using folder and registry key names disguised as an NVIDIA driver installation.
・Communication with the command-and-control (C2) server is AES-encrypted over TCP port 7211 to a dynamic DNS (DDNS)-based server. An IE8 User-Agent string is hard-coded for payload retrieval, which is easy to detect as an anomaly in modern environments. In the initial communication it enumerates NVIDIA (GTX/RTX) and AMD GPUs via WMI and the registry, so cryptocurrency mining may be a follow-on objective. Initially identified as DesckVB RAT, it was corrected to an unidentified .NET loader after re-investigation prompted by community feedback (added June 5). Discovered by Huntress during SOC response in May 2026.
See the following for details: huntress.com/blog/malspam-to…
3
23
1,790
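The post above names two network artifacts a defender can hunt for: a hard-coded IE8 User-Agent on payload retrieval and C2 traffic to TCP port 7211. The following is an added detection example (not Huntress's code or rules) that scans proxy/firewall log lines for either artifact; the key=value log format and the sample lines are constructed assumptions, and the User-Agent check is generalized to IE5 through IE8, which are all anomalous on a current fleet.

```python
import re
from typing import Dict, List

# Constructed sample proxy/firewall log lines (assumed key=value schema).
SAMPLE_LOGS = [
    '2026-05-12T09:14:02Z src=10.0.0.15 dst=203.0.113.10 dport=443 '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"',
    '2026-05-12T09:14:40Z src=10.0.0.15 dst=203.0.113.44 dport=80 '
    'ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '2026-05-12T09:15:03Z src=10.0.0.15 dst=198.51.100.7 dport=7211 ua=""',
    '2026-05-12T09:16:11Z src=10.0.0.22 dst=203.0.113.10 dport=443 '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0"',
]

# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# IE8 and older User-Agent strings: legacy, and unexpected from modern hosts.
LEGACY_IE_RE = re.compile(r"\bMSIE [5-8]\.")
# Destination ports worth alerting on; 7211 is the C2 port named in the post.
SUSPECT_PORTS = {7211}


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict; the leading token is the timestamp."""
    fields = {"ts": line.split(" ", 1)[0]}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def flag_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per line that shows a legacy-IE UA or a suspect port."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        reasons = []
        if LEGACY_IE_RE.search(ev.get("ua", "")):
            reasons.append("legacy IE user-agent")
        if ev.get("dport", "").isdigit() and int(ev["dport"]) in SUSPECT_PORTS:
            reasons.append(f"outbound to suspect port {ev['dport']}")
        if reasons:
            alerts.append({"ts": ev["ts"], "src": ev.get("src", "?"),
                           "dst": ev.get("dst", "?"), "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in flag_events(SAMPLE_LOGS):
        print(alert)
```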