Unsuccessful Crypto Phishing Attempt on Me
This documents the analysis I performed on a crypto phishing domain that a phisher DM’d me. It documents how I was able to pivot on file hashes the site served,…
Da Samala Tech blogs on malware and stuffs
Using Silent Push to find the following infrastructure TL;DR You can use Silent Push’s query builder to monitor certain adversary infrastructure based on simple properties such as ASN, name server,…
TL;DR This documents specific steps you can take to find ClickFix infrastructure via RussianPanda’s workflow. Summary Up Front This document builds on RussianPanda’s workflow to find ClickFix infrastructure. You can…
TL;DR I saw a post on X that inspired me to search Shodan. I found an open directory associated with APT-C-35 (attribution based on file hashes that were listed in…
Intro @Gootloader recently published a new article showing how he found the Gootloader TA has updated their delivery vector. Previously, Gootloader was delivered by tricking the victim into thinking the…
There’s a 7-Zip-masquerading site that is serving NetSupport RAT. I’ve been monitoring for a new 7-Zip FakeApp for a little over a week. This quick post shows how I became…
I’m a big fan of monitoring FakeUpdate stuff. It appears that TA569 may be increasing their infrastructure, as there was additional TA569 middleware infra observed. THE CONTENT, VIEWS, AND OPINIONS…
Summary Up Front The LandUpdate808 actors have multiple domains responding to the same IP – and they all respond to the same endpoint used for the first stage of the…
Short and simple This discusses how I plan to use DNS.Coffee to drive research. You can find suspicious domains, and then pivot on that to find more suspicious domains. Before…
Short and simple This discusses how I found some AAFES (Army Air Force Exchange Service) themed phishing sites. Before continuing THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE…