urlscan.io Archives - Malasada Tech

Thruntellisearch - Threat Hunting/Intelligence Research

Fake Malware TOAD via Malvertizing

Aaron Samala November 19, 2025 No Comments

TL;DR There was a campaign for a Fake Malware TOAD via Malvertizing. Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT…

Thruntellisearch - Threat Hunting/Intelligence Research

Teams Transcript Page Lure Delivers GoTo RMM

Aaron Samala October 24, 2025 No Comments

TL;DR This documents a Teams transcript download page lure that delivers GoTo RMM. Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT…

Phishing Thruntellisearch - Threat Hunting/Intelligence Research

PoisonSeed YouTube-themed Career Phishing

Aaron Samala October 4, 2025 No Comments

TL;DR This documents a YouTube-themed Career Phishing campaign that I assess is likely related to PoisonSeed. Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN…

Thruntellisearch - Threat Hunting/Intelligence Research

Oyster Malware Delivery via Teams Fake App

Aaron Samala September 28, 2025 2 Comments

TL;DR Oyster malware delivery via MS Teams Fake App. Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY…

Thruntellisearch - Threat Hunting/Intelligence Research

Thractor Backlinks for SEO Poisoning to Deliver Lumma Stealer and SectopRAT

Aaron Samala August 17, 2025 No Comments

TL;DR This post documents backlinks, and how thractors use them for SEO poisoning to deliver Lumma Stealer and SectopRAT. I show how I find backlinks, and a technique to monitor…

LandUpdate808

LandUpdate808 Backend C2 Analysis

Aaron Samala August 16, 2025 No Comments

TL;DR LandUpdate808 uses a backend C2 resource that is separate from the injected links infrastructure. This backend C2 resource, or injected link provider, serves a Base64 encoded string that is…

ClickFix SocGholish

TA569 SocGholish Overlap w/TA582 Infra

Aaron Samala May 25, 2025 No Comments

Intro This is the long form of my post from here: https://x.com/MalasadaTech/status/1924982337689027063. While browsing urlscan scan tasks, I found crypto-js.min.js usage for obfuscation linked to Tycoon and Storm1747 in Any…

CopyPaste

Copy/Paste Technique Used to Deliver XWORM

Aaron Samala May 16, 2025 No Comments

XWORM is observed being distributed via Copy/Paste. XWORM C2 traffic uses a pattern that can be matched. Using Discord webhooks for C2 is not new, but it’s new to me.…

Threat Intelligence

PDF Lure Delivering GoTo (LogMeIn) RMM

Aaron Samala May 12, 2025 No Comments

This documents chrunting for delivery sites that connect to api.telegramorg, finding a malicious GoTo RMM, and developing masq-monitor and Snort/Suricata detections. Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON…

Phishing

Unsuccessful Crypto Phishing Attempt on Me

Aaron Samala April 7, 2025 No Comments

This documents the analysis I performed on a crypto phishing domain that a phisher DM’d me. It documents how I was able to pivot on file hashes the site served,…

Breaking

urlscan.io

Fake Malware TOAD via Malvertizing

Teams Transcript Page Lure Delivers GoTo RMM

PoisonSeed YouTube-themed Career Phishing

Oyster Malware Delivery via Teams Fake App

Thractor Backlinks for SEO Poisoning to Deliver Lumma Stealer and SectopRAT

LandUpdate808 Backend C2 Analysis

TA569 SocGholish Overlap w/TA582 Infra

Copy/Paste Technique Used to Deliver XWORM

PDF Lure Delivering GoTo (LogMeIn) RMM

Unsuccessful Crypto Phishing Attempt on Me

You Missed

Fake Malware TOAD via Malvertizing

PDFChampions YAPA Browser Hijacker/Loader Analysis

ConvertyFile Browser Hijacker

Convert Master Browser Hijacker Analysis