Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
INDICATORS OF COMPROMISE (IOC) InfoSec Community within the Fediverse. Newbies, experts, gurus - Everyone is Welcome! Instance is supposed to be fast and secure.

Administered by:

Server stats:

1.4K
active users

ioc.exchange: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.4

#xworm

2 posts2 participants1 post today
Public
OTX Bot

Proton66: Compromised WordPress Pages and Malware Campaigns

This intelligence briefing focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. It details how these sites were injected with malicious scripts to redirect Android users to fake Google Play Store pages. The report also covers the XWorm campaign targeting Korean-speaking users, the Strela Stealer targeting German-speaking countries, and the WeaXor ransomware. The analysis provides insights into the infection chains, malware configurations, and command-and-control servers used in these campaigns. Additionally, it offers recommendations for blocking associated IP ranges and lists numerous indicators of compromise (IOCs) for each campaign.

Pulse ID: 6802094e89f266c72f83bda4
Pulse Link: otx.alienvault.com/pulse/68020
Pulse Author: AlienVault
Created: 2025-04-18 08:11:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat ExchangeLevelBlue - Open Threat ExchangeLearn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.
#Android#CyberSecurity#Google
Public
OTX Bot

JScript to PowerShell: Breaking Down a Loader Delivering XWorm and Rhadamanthys

This analysis examines a sophisticated malware loader that utilizes JScript to launch obfuscated PowerShell code, ultimately delivering payloads such as XWorm and Rhadamanthys. The loader employs geofencing tactics, targeting victims in the United States with XWorm RAT, while deploying Rhadamanthys stealer to users outside the U.S. The attack chain involves multiple stages of obfuscation and deobfuscation, including decimal encoding and string manipulation. The final payload is injected into RegSvcs.exe using reflective loading techniques. The loader also performs various cleanup actions to evade detection and remove traces of its activity. Both XWorm and Rhadamanthys are advanced malware variants with capabilities ranging from DDoS attacks to cryptocurrency theft.

Pulse ID: 67ff46c3697a4976dc919b5d
Pulse Link: otx.alienvault.com/pulse/67ff4
Pulse Author: AlienVault
Created: 2025-04-16 05:57:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat ExchangeLevelBlue - Open Threat ExchangeLearn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.
#CyberSecurity#DDoS#DoS
Public
OTX Bot

Malicious JScript Loader Jailbreaked to Uncover Xworm Payload Execution Flow

A new malware campaign has been identified leveraging JScript and obfuscated
PowerShell commands to deliver highly evasive malware variants XWorm and
Rhadamanthys. These threats are distributed using fileless techniques, making
them extremely difficult to detect using traditional antivirus solutions. The
campaign primarily targets Windows environments and utilizes scheduled tasks
or deceptive ClickFix CAPTCHA screens to trick users into executing malicious
payloads. Such loaders are often seen in enterprise environments, where attackers
aim to infiltrate business systems for espionage, data theft, or financial gain.

Pulse ID: 67fef516074ec94b68f3a8e7
Pulse Link: otx.alienvault.com/pulse/67fef
Pulse Author: cryptocti
Created: 2025-04-16 00:08:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat ExchangeLevelBlue - Open Threat ExchangeLearn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.
#CAPTCHA#CyberSecurity#DataTheft
Public
OTX Bot

Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

A phishing campaign targeting organizations in the hospitality industry has been identified, impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, targets individuals likely to work with Booking.com in North America, Oceania, Asia, and Europe. The attack uses fake emails and webpages to trick users into executing malicious commands, leading to the download of various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. The campaign aims to steal financial data and credentials for fraudulent use, showing an evolution in the threat actor's tactics to bypass conventional security measures.

Pulse ID: 67fb93e8ebc93d6ded395f39
Pulse Link: otx.alienvault.com/pulse/67fb9
Pulse Author: AlienVault
Created: 2025-04-13 10:37:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat ExchangeLevelBlue - Open Threat ExchangeLearn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.
#Asia#AsyncRAT#CyberSecurity
ExploreLive feeds
About