People forget what happened with SecureServer / killstream.tv, when the database got breached and Ralph didn't tell anybody for almost a week, and when he did, he CC'd everybody so they got doxed again.

#Fofa Query for #APT36 's #SecureServer #C2 Panels. Query: title=="SecureServer - Login" Link: t.ly/3HTk4 #Infra (C2 Panels): delhibellyindia[.]com 2.56.10[.]46 45.13.225[.]22 #TransparentTribe #APT #Malware #ioc

Government impersonation phishing active in 🇪🇸 Spain. Emails carry PDF attachments disguised as official notices from the Ministry of Justice — fake electronic judicial citations claiming the recipient is summoned to appear in court. The PDF references a fabricated case number, cites Article 98.1 of the Code of Civil Procedure, and sets a fake hearing date to pressure the victim into acting fast. It contains a QR code and the entire page is a clickable link leading to an external destination. IoCs: SHA-256: 651ea0867367fe6a44464af579ad1adf9bc313ab425996573c9d41e6fe764ada Common filename: notificacioninfo_6024.pdf Link target: hxxps://243[.]180[.]62[.]50[.]host[.]secureserver[.]net/img Sender pattern: contactojudicial[0-9]{3}@[domain] Sender domains: camodserv[.]com, culiatentrega[.]com #Phishing #Spain #QRCode #PDF

Power your website with HostX ⚡ Fast. Secure. Reliable. #HostX #WebHosting #FastHosting #SecureServer

I was digging in the spam folder and seen a GoDaddy buyer broker offer. The offer came from a SecureServer .net email, so I thought that was neat. Josh's email signature is GoDaddy, with a GoDaddy email address. When I Googled the sending email address, I LOL'ed at the info provided, since it stated Josh is a "former" broker at GoDaddy. I believe Josh still works at GoDaddy, at least according to his LinkedIn. It seems like a poor business practice to send from an unbranded domain? I'm sure the buyer wouldn't be happy to know that they spent $99.99 for GODADDY to buy the domain for them and they don't even communicate from a GoDaddy email domain? Pretty odd.

Launch in Europe’s tech hub with high-speed, secure German servers. 📈 prahost.com/dedicated-server… #GermanyServer #DedicatedHosting #EUHosting #PraHost #SecureServer

🚨#Phishing AFIP/ARCA Ya cansan... Los delincuentes lo siguen haciendo porque la gente sigue cayendo... "El público se renueva", Mirta L. dixit😅 Lo que debes saber: AFIP (ni los bancos, ni las TC) envían estos documentos por correo! Bloquear: contaboserver.* secureserver.*"

🚨🚨OJO, mucho correo #phishing en nombre de distintas empresas argentinas afectadas: Contienen un PDF (inocuo) que: PDF > Enlace dañino > secureserver[.net > ZIP > HTA > JS > EXE > Troyano bancario > Roba credenciales > Envía spam en nombre del usuario infectado

#malware #grandoreiro hta. hxxps[:]//138[.]39[.]109[.]208[.]host[.]secureserver[.]net/VE01/VE01gerw/OpHlAx961.js

Spotted brazilian geofenced malspam "PROCEDIMENTO DO JUIZADO ESPECIAL CÍVEL" 🇧🇷 eml>url>.vbs>.msi>MicrosoftEdgeUpdate-696359.exe>xul.dll (Banker) ⛓️Staging: host,secureserver,net

CUIDADO: nuevo #phishing y sitio falso de @ARCA_informa (ex AFIP) muy bien hecho. Los delincuentes evolucionan🥸 Al intentar iniciar sesión descarga desde "*.secureserver[.net" -> ZIP -> HTA -> JS. ZIP 152d34a81c7806b336dc3e8d443e9699 HTA fd199380cb15648b659c69adff2dca64

🚨CUIDADO: #phishing con facturas (falsas) de @Edenor y otras empresas AR, descargan malware. El origen del correo o sitios web son "*.secureserver[.net" por lo que debe bloquearse todo su rango IP y dominios. Ningún (CERO) AV detecta el MSI: d9cc3445cfaddf8b62ba4e9c99ed71ee

Cuando el usuario de clic en la liga es dirigido a la URL: 130[.]231[.]205[.]92[.]host[.]secureserver[.]net/XXXX Inmediatamente se descarga un archivo con extensión "HTA" que es una extensión que se abre a través de un navegador web Este archivo es la supuesta factura

#Alerta #Malware Flasa Demanda app.any.run/tasks/6f078dcf-d… hxxps[:]//203[.]21[.]205[.]92[.]host[.]secureserver[.]net/?finanzas[.]busqueda?q=SecretarC3ADa de AdministraciC3B3n y Finanzas?30337974_3097_705331937556-157889157889770732479410588494105884

"Malware campaign exploits secureserver .net domain to deploy banking trojan" Campaign observed today: Delivery: 198.36.109.208 .host .secureserver .net Payload: gludinvel.murta[.]cfd #AutoIt #Trojan #Latam Maybe #Astaroth @0xToxin @1ZRR4H @Merlax_

Malware dirigido a México 🇲🇽 "Infracciones Fotocívicas" EMAIL > PDF ( password) > URL ( captcha) > ZIP > MSI Descarga de ZIP desde: https://104.31.168.184[.]host[.]secureserver[.]net/ Siguientes etapas desde: http://85.198.108.68/mulf.php?AZURE-PC http://85.198.108.68/goo/melt2.zip También instala FlashFXP 🤔 / @pollo290987 @johnk3r

Looking for a secure server for your website? Check out our list of top 10 options. blog.mirrorreview.com/server… #WebHosting #Security #Recommended #WebSecurity #HostingProvider #SecureServer #WebsiteSecurityTips #BestWebHosting

🚨Así funciona y se descarga el troyano que llega por correo con facturas, multas y documentos falsos. NO hacer clic en el enlace dañino! Detección NULA por parte de los AV. IOC 6cae9615ee6f1d78908f2a870e3f4fe0 secureserver[.net - block this shit!

New X-Labs analysis of #malware found lurking behind secureserver[.]net URLs being used to attack banks in Spanish and Portuguese-speaking regions. Prashant Kumar shares more: brnw.ch/21wLATm #cybersecurity #banking

Yo @GoDaddy finally #SecureServer got hit. #CyberSecurity