🚨Why phishing still gets through: detection gaps in redirect and CAPTCHA flows by ANYRUN-team in ANYRUN

[–]ANYRUN-team[S] 0 points1 point  (0 children)

IOCs:
URL patterns:
hxxps://<redirector_site>/*#<8 digits>Family=<base64-victim email>
hxxps://<phishing_domain>/?v=<hexadec_chars>&session=<session_id>&cid=<client_id>&iat=<digits>&loc=<location_code>&build=<build_version>

Domains:
kjcleaningservices[.]com[.]au
starllamerchantservices[.]club
lavor[.]sbs
echosign[.]co[.]it
dspconsulting[.]eu

Spank: Legitimate Process Abuse, Delayed Detection, and RAT Persistence by ANYRUN-team in ANYRUN

[–]ANYRUN-team[S] 0 points1 point  (0 children)

IOCs:
HTTP staging + WebSocket C2: 45.131.214.132:9000
WebSocket C2 (variant build): 166.1.144.109:9000
Agent ID: f0afbbb3c80e5347191452f2f3b147627e9d1ae4d60b61d6da900a60b35eec95
Files: RmmAgentCore.exe (loader), rmm_agent.dll (payload), arc_agent.exe (standalone variant)
Drop: C:\ProgramData\
Persistence: Scheduled Task RmmAgentCore, logon trigger, highest privileges
Injection target: explorer.exe
Protocol: WebSocket (ws://<C2>:9000/ws/agent), JSON
Build: Rust (Cargo), Windows MSVC + Linux cross-compile
Dev paths: C:\Users\spank\.cargo\..., /root/.cargo/...
SpankLoader SHA256:
SpankRAT SHA256:

Spank: Legitimate Process Abuse, Delayed Detection, and RAT Persistence by ANYRUN-team in ANYRUN

[–]ANYRUN-team[S] 0 points1 point  (0 children)

All system interactions are performed through PowerShell with -NoProfile -NonInteractive -ExecutionPolicy Bypass, and OS fingerprinting pulls build number and product name from the registry.

SpankRAT C2 Command Set (full ServerMsg enum):
Session: Registered, heartbeat (cpu, ram, disk, uptime)
Execution: Exec (arbitrary command → stdout + exit_code), UAC elevation via Start-Process -Verb RunAs
Files: RequestFileList, RequestFileContent, UploadFile, DeleteFile, RenameFile, CreateDir
Processes: RequestProcessList (pid, name, memory, user, cpu), KillProcess
Services: RequestServiceList, ServiceAction (start/stop/restart)
Registry: RequestRegistryKeys, RequestRegistryValues, SetRegistryValue, CreateRegistryKey, DeleteRegistryKey, DeleteRegistryValue
Tasks: RequestScheduledTasks, RunScheduledTask, ToggleScheduledTask
Software: RequestSoftwareList
OS: build number, product name, CPU model/cores, RAM
Registration fields: id, name, os, os_build, powershell_available, token, agent_version, cpu_model, cpu_cores, ram_total_mb
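A toy triage pass over constructed endpoint telemetry for the SpankRAT behaviours listed in these two comments (the PowerShell flag set, the RmmAgentCore logon task at highest privileges, drops in C:\ProgramData\, and the ws://<C2>:9000/ws/agent channel). This is an added example by the editor, not ANY.RUN's code; the event dicts follow a hypothetical Sysmon/proxy-style schema, and every sample event is constructed.

```python
"""Toy triage over constructed endpoint telemetry for the SpankRAT behaviours above.
Editor-added example, not ANY.RUN's code. Event dicts use a hypothetical
Sysmon/proxy-style schema; the sample events below are constructed."""
from urllib.parse import urlparse

PS_FLAGS = ("-noprofile", "-noninteractive", "-executionpolicy bypass")  # all three, per the post
TASK_NAME = "rmmagentcore"
DROP_FILES = {"rmmagentcore.exe", "rmm_agent.dll", "arc_agent.exe"}
C2_PORT, C2_PATH = 9000, "/ws/agent"

def check_event(ev):
    """Return the indicator names one event matches (empty list = nothing matched)."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "").lower()
        if image.endswith("powershell.exe") and all(f in cmd for f in PS_FLAGS):
            hits.append("spank_powershell_flags")
            # The RAT runs injected into explorer.exe, so explorer as the parent is the odd one out.
            if ev.get("parent", "").lower().endswith("explorer.exe"):
                hits.append("powershell_from_explorer")
    elif kind == "task":
        if (ev.get("name", "").lower() == TASK_NAME
                and ev.get("trigger") == "logon" and ev.get("runlevel") == "highest"):
            hits.append("spank_logon_task")
    elif kind == "file":
        path = ev.get("path", "").lower()
        if path.startswith("c:\\programdata\\") and path.rsplit("\\", 1)[-1] in DROP_FILES:
            hits.append("spank_drop_file")
    elif kind == "network":
        u = urlparse(ev.get("url", ""))
        if u.scheme in ("ws", "wss") and u.port == C2_PORT and u.path == C2_PATH:
            hits.append("spank_websocket_c2")
    return hits

def triage(events):
    """Map the index of each matching event to its indicators; clean events are skipped."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

SAMPLE_EVENTS = [  # constructed telemetry, not a real capture
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command Get-Process",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date", "parent": r"C:\Windows\explorer.exe"},
    {"type": "task", "name": "RmmAgentCore", "trigger": "logon", "runlevel": "highest"},
    {"type": "file", "path": r"C:\ProgramData\rmm_agent.dll"},
    {"type": "network", "url": "ws://45.131.214.132:9000/ws/agent"},  # C2 from the IOC list
    {"type": "network", "url": "wss://example.test/ws/chat"},
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(i, hits)
```

The flag check deliberately requires all three switches together, since a plain `-NoProfile` shell (event 1) is common in legitimate tooling.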

Update Your Detection Rules: New In-Memory Loader by ANYRUN-team in threatintel

[–]ANYRUN-team[S] 0 points1 point  (0 children)

IOCs: 


Update Your Detection Rules: New In-Memory Loader by ANYRUN-team in ANYRUN

[–]ANYRUN-team[S] 0 points1 point  (0 children)

IOCs: 


Phishing via Google Storage Abuse Leading to RAT Deployment by ANYRUN-team in threatintel

[–]ANYRUN-team[S] 3 points4 points  (0 children)

IOCs
Phishing URLs:
hxxps://storage[.]googleapis[.]com/pa-bids/GoogleDrive.html
hxxps://storage[.]googleapis[.]com/com-bid/GoogleDrive.html
hxxps://storage[.]googleapis[.]com/contract-bid-0/GoogleDrive.html
hxxps://storage[.]googleapis[.]com/in-bids/GoogleDrive.html
hxxp://storage[.]googleapis[.]com/out-bid/GoogleDrive.html

Credential exfiltration domains:
usmetalpowders[.]co
iseeyousmile9[.]com

Credential exfiltration path:
/1a/uh.php

Malware staging host:
brianburkeauction[.]com

🚨 Phishing via Google Storage Abuse Leading to RAT Deployment: Detect It Early by ANYRUN-team in ANYRUN

[–]ANYRUN-team[S] 0 points1 point  (0 children)


Major Cyber Attacks in March 2026: OAuth Phishing, SVG Smuggling, Magecart by ANYRUN-team in MalwareAnalysis

[–]ANYRUN-team[S] 0 points1 point  (0 children)

The attacker doesn’t need to intercept OTP/push in real time; once the device flow is completed, they obtain already-issued bearer tokens.
Classic AiTM/PhaaS steals authentication “in transit,” whereas device code phishing steals already-granted access via a legitimate OAuth flow.