MalwareHunterTeam Profile picture
Official MHT Twitter account. Check out ID Ransomware (created by @demonslay335). More photos & gifs, less malware.
4 subscribers
Feb 19 25 tweets 15 min read
"We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation."
"Return here for more information at: 11:30 GMT on Tuesday 20th Feb."
"Operation Cronos"
🤔 Image So, the main leak site / blog of the LockBit ransomware gang is currently displaying this deface page. Same with all the mirrors of it. Image
Jan 3 13 tweets 4 min read
Mandiant's account also got pwned? The fuck is going on here?
🤔
😂 Image And just now the @ of Mandiant's account got changed to "phantomsolw".
😂 Image
Jul 8, 2023 9 tweets 5 min read
The "routine" company started to use bots to pump their numbers?
Until May 23 noon, most of their tweets got literally 1-2 likes, sometimes even 0, sometimes a bit more. From then, every single of their tweets get from 100s to 2-3k likes. While their RTs still get ~0.
🤔
😂


Image
Image
Image
Image
What you think, @idclickthat @Iamdeadlyz @ULTRAFRAUD @JAMESWT_MHT (and everyone else I forgot that "likes" this company)?
Jul 1, 2023 9 tweets 4 min read
The fuck you are doing @elonmusk? Rate limiting years old 100k+ followers account when browsing like a fucking 🐌 is not the solution to stop trash companies' scraping...
🤦‍♂️ @elonmusk Can't even check if he tweeted anything about this shit as getting "429 Too Many Requests" response with "{ code: 88, message: "Rate limit exceeded." }" response content.
Basically he is killing Twitter in the name of "stopping scraping", while it's full of bots he dgaf about.
🤦‍♂️
Mar 29, 2023 36 tweets 40 min read
3cx.com/community/thre…
Look at that staff response...
🤷‍♂️
cc @cyb3rops @cyb3rops Poor people/victims...
Anyway, you know, if you are excluding the perfect supply chain entry points to your system... then what is the point of using EDR solutions and other "fancy shits"?
Jan 7, 2023 6 tweets 4 min read
Hey @Spotify, it's great to receive "Please update your Spotify password." to email addresses whose owners never registered a Spotify account. Maybe you first should confirm if the owner of an email address registered the account or not, and if not, treat the account as such.
😫 @Spotify Why this is not obvious for a company like @Spotify, @SpotifyCares? Or it is, but there is a bug or something that some people found?
🤔
Dec 5, 2022 40 tweets 18 min read
😂
Hey @elonmusk, when you want to get these porn bots solved?
Image
Image
@elonmusk Just got one more...
😂
Image
Image
Aug 19, 2022 4 tweets 4 min read
So, KyivPost editors and etc just made a "small" mistake here to allow Irina to publish articles on their site even after she got banned from Twitter (for you know...), or KyivPost is be like "anyone saying anything bad about Russia is welcomed here"?
🤔 ImageImageImageImage In case anyone not knows her: she is doing lots mis/disinformation, spreading lies, etc.
My little thread about her (in relation to JD1/infosec only):
If anyone wants to know more about her, JD0, @Yetkinmiller, @1njection, etc probably can tell lots more.
Aug 15, 2022 10 tweets 5 min read
Among the usual stuffs like passport photos and etc, Clop ransomware gang published these screenshots in the leak page for Thames Water...
👀
🤔 Hard words. It sure will be interesting how this situation develops in the next days...
Aug 6, 2022 4 tweets 1 min read
"The oldest international [Ransomware] LockBit affiliate program welcomes you."
"We are located in the Netherlands"
😂 "This is due to the fact that most of our developers and partners were born and grew up in the Soviet Union, the former largest country in the world, but now we are located in the Netherlands."
😂
Aug 6, 2022 4 tweets 2 min read
So, currently both the payment/chat site domains and the leak site domains of the LockBit ransomware gang are dead. Most of them gives the "Onionsite Not Found" error, while a few others simply can't connect...
👀
🤔 The data storage site for old data (and the mirrors for that) are still working - but even the links in the header and footer (except the Twitter, obviously) are all too dead...
🤔
May 23, 2022 4 tweets 1 min read
"Iran_Newspaperscom.njsapp.alliraninnewspapersv1.1.apk": 1344517f7e19f42896ab5348a00e733d0df1150be41730870d2c4223bb6ed3ac
Looks some older APT sample... Also "Design_Wood_Furniturecom.DesignWoodFurniture.sitd212v1.2.apk":
5df56450f61f44938a0223ca0f8891042847f97b18c2e8a9bf0401e2dd9d6416
Mar 19, 2022 4 tweets 3 min read
"GoodWill Ransomware!" is a totally unusual ransomware...
Added the note 8 parts in the thread to make it easily readable.
Extension: ".gdwill"
Note: "unlock your files.lnk" -> "launch.bat" -> "index.html" opened in fullscreen Chrome.
(1/3) ImageImageImageImage "Team GoodWill is not hungry of Money and Wealth but kindness. We want to make every person on the planet to be kind and wants to give them a hard lesson to always help poor and needy people.
So, all our victims need to be gentle and kind to get their files back."
(2/3) ImageImageImageImage
Feb 12, 2022 9 tweets 3 min read
It's fucking 2022 man...
🤦‍♂️
😫 ImageImageImageImage Image
Feb 2, 2022 4 tweets 1 min read
Looks like BBC also likes to spread fakenews.
Fucking joke... Ahh...
😂
Jan 22, 2022 12 tweets 18 min read
What a fucking crazy thread.
Probably this ratio needs to be changed... Image Other than the info it requires to user to enter, it collects so much info from the device... Crazy.
Something the experts @bl4ckh0l3z @LukasStefanko maybe want to look into too.
cc @1ZRR4H @cibercrimen @NickKalderon Image
Jan 22, 2022 6 tweets 5 min read
Very interesting & not much detected sample, "armaan.apk" seen from India: 80c0d95fc2d8308d70388c0492d41eb087a20015ce8a7ea566828e4f1b5510d0
From a quick look, it is some app that should be developed by India's gov, related to their army.
Has a malware with lots of features. ImageImageImage Leaving the analysis for the experts (obviously b/c they are the experts & because I'm very busy), but let me quickly highlight something: the C2's IP is grabbed from https://pastebin[.]com/VfRCefzG - it was already accessed more than 13 million times!
@bl4ckh0l3z @LukasStefanko ImageImage
Jan 12, 2022 4 tweets 2 min read
Interesting, very low detected "crazy.apk": 5efd92887bb72f3d2186a2c0bcaf7b14b43d3e41722cb70acf0c59dfd4cfd7ba
🤔
Again a case when @ESET detected alone...
👏
cc @LukasStefanko
Image
Image
@ESET @LukasStefanko Slowly other vendors starts to care too...
😂 Image
Jan 8, 2022 22 tweets 28 min read
Someone made a dnSpy version that has a "gift": https://github[.]com/isharpdev/dnspy
Until about an hour ago it was available here, then got renamed (probably to look more legit) to the above: https://github[.]com/carbonblackz/dnspy/
@GitHubSecurity ImageImageImage @GitHubSecurity Meanwhile I was looking at the samples @0x7fff9 just RT this: - so anyone is behind this also created looks a website too, not only the GitHub repo...
Jun 4, 2020 7 tweets 3 min read
Some MS phishing file: https://airforcehq-my.sharepoint[.]com/:u:/g/personal/ddeptula_afa_org/ETEWZXyYRR9ChqCnciZZDPgBpMSc-qMW9ES1y7o985imPQ?e=JK363s
There from May 1...
Is this "airforcehq" the U.S Air Force's SharePoint & David Deptula's acc got pwned or actor(s) faked much?
🤔 This "something-my" is how companies/orgs/etc gets their SharePoint account usually.
Then the first result for this man's name is...
cc @DanielGallagher
Mar 13, 2020 4 tweets 3 min read
"Important - COVID-19.rar" -> "Important - COVID-19.docx.exe" (bbc75560752ea882e6eff152427cb00cc1b2daa50351cfef7b10c6dfeea75e34)
Interesting sample...
🧐
@VK_Intel @JAMESWT_MHT @James_inthe_box ImageImage Drops this "Wessex Learning Trust" document as decoy...
AnyRun here (thanks to @JAMESWT_MHT): app.any.run/tasks/0d8766c7… Image