Threat intelligence company, illuminating adversaries since 2017.

Joined August 2021
Pinned Tweet
New @Proofpoint blog: cargo theft actor spent 30 days inside DeceptionPro environment revealing: * 4 RMM tools * Malicious code signing-as-a-service * 13 PowerShell scripts, and bank access. * HoK activity whole way. This is real adversary telemetry. Link in thread.
MalBeacon retweeted
#XWorm #AdaptixC2 #ScreenConnect I have been working with @malbeacon and the deception.pro platform. Here's a write-up of a recent deception operation👇 blog.deception.pro/blog/xwor…
MalBeacon retweeted
Proofpoint baited a cargo/transport industry threat actor into performing its activities in a decoy environment operated by Deception.Pro for 30 days. The result: rare visibility into post‑compromise operations, tooling, and decision‑making. proofpoint.com/us/blog/threa…
🚨 Trojanized CPU-Z → STXRAT → PureLogs Stealer → PureHVNC → 54hrs of exfil through a hidden QEMU VM. We caught everything after. First documented full post-exploitation chain for this campaign. IOCs & hunting artifacts link in thread #ThreatIntel #DFIR #Malware
ClickFix isn’t “just a trick”—it’s an on-ramp to hands-on-keyboard ops. We mapped EDR telemetry to a timeline tied to Velvet Tempest activity consistent w/ Termite ransomware tradecraft. IOCs and defender takeaways inside. Link in thread.
Check out our deception.pro operation report: blog.deception.pro/blog/clic…
15 Jan 2025
Introducing: What is this stealer? A new repository that allows you to identify Stealer malware by the system information text file format commonly included in stealer malware exfiltration. Yara Rules included! Check it out and contribute! github.com/MalBeacon/what-is…
7 Jan 2024
Adversary Illuminated - Operating #StealC C2: 176.124.198[.]17 Location: Frankfurt am Main, DE ASN: AS210644
24 Dec 2023
Adversary Illuminated - Operating #RiseProStealer C2: 193.233.132[.]74:8081/login Location: Lille, FR ASN: AS16276 OVH SAS
22 Dec 2023
Adversary illuminated - Operating #OriginBotnet Location: Abuja, NG ASN: AS29465 MTN NIGERIA #MalBeacon #Malware
20 Dec 2023
Some fresh #originbotnet at: http://china.dhabigroup[.]top/_errorpages/spfasiazx.exe c2: spf-asia[.]com/gate panel: spf-asia[.]com/login/
12 Jan 2022
Adversary Illuminated - Operating #MarsStealer C2: test.akadns9[.]net/panel/login.php Location: Ballerup, DK ASN: AS9009 M247 Ltd
22 Sep 2021
Adversary illuminated - Operating #Pony C2: global-popular[.]com/bin/panel/admin.php Location: Lagos, NG ASN: AS36873 Airtel Networks Limited #Malware #MalBeacon
13 Sep 2021
Adversary illuminated - Operating #LokiBot C2: davidmorgann[.]com/LOLO/five/PvqDq929BSx_A_D_M1n_a.php Location: Port Harcourt, NG ASN: AS29465 MTN NIGERIA Communication limited #MalBeacon #Malware
8 Sep 2021
Adversary illuminated - Operating #ManaTools stealer C2: bot.statusupdate[.]one/webpanel-muti/login.php Location: Ashburn, US ASN: AS213122 Hyonix LLC #MalBeacon #Malware
6 Sep 2021
Adversary illuminated - Operating #Oski stealer C2: bctpump[.]us/login.php Location: Lagos, NG ASN: AS37148 Globacom Limited #MalBeacon
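The "Adversary Illuminated" posts above all follow one layout (family hashtag, defanged C2, city/country, ASN and org), which makes them easy to turn into structured indicators for a deny-list or a SIEM lookup. The parser below is an added example and is not MalBeacon's code; the post texts it consumes are copied from the feed above, while the field names, the regular expressions and the `Indicator` record layout are assumptions about that layout. It keeps the indicator defanged as posted and derives a separately labelled refanged host for matching against telemetry, and it skips posts that do not fit the layout (such as the OriginBotnet post, which carries no C2).

```python
"""Parse "Adversary Illuminated" style IOC posts into structured records.

Added example, not MalBeacon's code. The post texts in POSTS are copied from
the feed; the parsing rules and the Indicator layout are assumptions.
"""
import re
from dataclasses import dataclass, asdict
from typing import List, Optional

# Constructed input: post texts copied verbatim from the feed, one per entry.
POSTS = [
    "Adversary Illuminated - Operating #StealC C2: 176.124.198[.]17 Location: Frankfurt am Main, DE ASN: AS210644",
    "Adversary Illuminated - Operating #RiseProStealer C2: 193.233.132[.]74:8081/login Location: Lille, FR ASN: AS16276 OVH SAS",
    "Adversary illuminated - Operating #OriginBotnet Location: Abuja, NG ASN: AS29465 MTN NIGERIA #MalBeacon #Malware",
    "Adversary illuminated - Operating #ManaTools stealer C2: bot.statusupdate[.]one/webpanel-muti/login.php Location: Ashburn, US ASN: AS213122 Hyonix LLC #MalBeacon #Malware",
]


@dataclass
class Indicator:
    family: str
    c2: Optional[str]        # defanged, exactly as posted (None when the post lists no C2)
    c2_host: Optional[str]   # refanged host only (IP or domain), for deny-lists / telemetry matching
    city: str
    country: str
    asn: str
    asn_org: str             # may be empty when the post gives only the AS number


# Assumed layout: "Operating #<Family> [C2: <ioc>] Location: <City>, <CC> ASN: AS<n> [<org>] [#tags]"
FAMILY_RE = re.compile(r"Operating\s+#(\w+)")
C2_RE = re.compile(r"\bC2:\s+(\S+)", re.IGNORECASE)
LOCATION_RE = re.compile(r"Location:\s+(.+?),\s+([A-Z]{2})\b")
ASN_RE = re.compile(r"ASN:\s+(AS\d+)\s*(.*)$")
HASHTAG_RE = re.compile(r"\s*#\w+")


def refang(indicator: str) -> str:
    """Undo the common '[.]' and 'hxxp' defanging so the value can be matched against logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_of(indicator: str) -> str:
    """Strip scheme, port and path from a refanged indicator, leaving only the host."""
    no_scheme = re.sub(r"^[a-z]+://", "", indicator, flags=re.IGNORECASE)
    host = no_scheme.split("/", 1)[0]
    return host.split(":", 1)[0]


def parse_post(text: str) -> Optional[Indicator]:
    """Return an Indicator for a post in the assumed layout, or None for anything else."""
    fam = FAMILY_RE.search(text)
    loc = LOCATION_RE.search(text)
    asn = ASN_RE.search(text)
    if not (fam and loc and asn):
        return None  # not an "Adversary Illuminated" post, or a layout we do not recognise
    c2_match = C2_RE.search(text)
    c2 = c2_match.group(1) if c2_match else None
    asn_org = HASHTAG_RE.sub("", asn.group(2)).strip()  # drop trailing #MalBeacon / #Malware tags
    return Indicator(
        family=fam.group(1),
        c2=c2,
        c2_host=host_of(refang(c2)) if c2 else None,
        city=loc.group(1),
        country=loc.group(2),
        asn=asn.group(1),
        asn_org=asn_org,
    )


def parse_feed(posts: List[str]) -> List[Indicator]:
    """Parse every post, silently skipping the ones that do not match the layout."""
    return [rec for rec in (parse_post(p) for p in posts) if rec]


def blocklist(records: List[Indicator]) -> List[str]:
    """Deduplicated, sorted refanged hosts for a DNS/proxy deny-list; records without a C2 are skipped."""
    return sorted({r.c2_host for r in records if r.c2_host})


if __name__ == "__main__":
    records = parse_feed(POSTS)
    for rec in records:
        print(asdict(rec))
    print(blocklist(records))
```

The refanged host is the only field meant to leave the analyst's environment; the posted (defanged) value is kept alongside it so a record can always be traced back to the post it came from.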