Leonid Bezvershenko
@bzvr_
Followers
2,652
Following
299
Media
18
Statuses
63
Studying math, reversing and Twitter... | Security Researcher @ Kaspersky, GReAT | Drovosec CTF team | Tweets are my own
Moscow, Russia
Joined September 2021
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Liam Payne
• 2260602 Tweets
ブロック
• 399574 Tweets
Twitterくん
• 273793 Tweets
西田さん
• 234389 Tweets
西田敏行さん
• 215167 Tweets
俳優さん
• 161777 Tweets
生成AI
• 133237 Tweets
ツイッター
• 106982 Tweets
Bluesky
• 103139 Tweets
Grok
• 84290 Tweets
利用規約
• 79210 Tweets
#ArrestMaulanaRashidi
• 77952 Tweets
規約変更
• 72466 Tweets
ミュート
• 71970 Tweets
AI学習
• 71852 Tweets
ブルスカ
• 71454 Tweets
イーロン
• 61138 Tweets
महर्षि वाल्मीकि
• 58422 Tweets
イラスト投稿
• 57070 Tweets
スーパームーン
• 55629 Tweets
ぐりとぐら
• 49992 Tweets
pixiv
• 47726 Tweets
中川李枝子さん
• 42953 Tweets
블루스카이
• 33617 Tweets
#INDvsNZ
• 28502 Tweets
タイッツー
• 24830 Tweets
他のSNS
• 23942 Tweets
池中玄太80キロ
• 23890 Tweets
ドクターX
• 19937 Tweets
Misskey
• 19278 Tweets
世田谷区
• 15855 Tweets
探偵ナイトスクープ
• 12444 Tweets
We have just discovered two malicious PyPi packages masquerading as HTTP libraries: ‘ultrarequests’ and ‘pyquest’. The description of these packages is taken from the ‘requests’ package. The malicious code is in the class ‘HTTPError’ (‘exceptions[.]py’ file) [1/3]
2
124
284
Beware of links from popular YouTube videos, as they may contain
#malware
. We found such a video (64K views, 180K subscribers) that has a link to a Tor Browser installer in the description. That installer comes with a previously unknown spyware that we dubbed
#OnionPoison
. [1/4]
7
98
216
Magic is here! We have discovered a previously unknown
#APT
that has been attacking organizations in the area affected by the conflict between Russia and Ukraine. Observed victims were compromised with previously unknown implants that we dubbed
#PowerMagic
and
#CommonMagic
. [1/4]
4
81
207
Ever wanted to take another look at
#OperationTriangulation
malware? Then check out VirusTotal - we have uploaded malicious modules used in this campaign.
5
77
184
Have you wanted to take your own look at the
#iOSTriangulation
spyware? Well, we uploaded the
#TriangleDB
implant to VirusTotal:
4
37
112
Today I earned a bachelor's degree with highest honors from the Faculty of Computational Mathematics and Cybernetics at Lomonosov Moscow State University!
9
3
104
As for now, we continue our investigation to find additional information about discovered implants and the threat actor behind it. More details on Securelist: [4/4]
1
18
36
It's interesting that the server sends the second stage implant only if the victim's IP is from
#China
, so the campaign targets only Chinese-speaking users. Features of the spyware include collecting system information, stealing browser history and executing shell commands. [3/4]
1
3
20
The malicious Tor installation has been configured to be less private (it stores browsing history, login data, etc.), and its freebl3.dll library is infected with malware. When the browser is launched, this library contacts the C2 server to receive a second stage implant. [2/4]
1
1
17
The final stage is a W4SP stealer that gathers cookies, Discord tokens, crypto wallets as well as files that may contain credentials. We have already reported these two packages to the PyPi security team. More details upcoming on . [3/3]
2
1
20
This code downloads an obfuscated next stage script from the zerotwo-best-waifu[.]online website. The stage in turn downloads another obfuscated script, drops it on disk and configures persistence. [2/3]
2
2
14
Victims compromised with
#PowerMagic
have been additionally infected with the
#CommonMagic
modular framework. It uses OneDrive to download malicious modules and upload their execution results. We identified two modules: a screenshot taker and a USB file stealer. [3/4]
1
5
10
Observed victims downloaded a malicious ZIP archive with a lure document and a malicious LNK file that deploys the PowerShell
#PowerMagic
backdoor. It uses cloud storages such as OneDrive or Dropbox to receive PowerShell commands and execute them. [2/4]
1
4
9
Check out our blogpost made by
@2igosha
and I about these 2 malicious PyPi packages:
We have just discovered two malicious PyPi packages masquerading as HTTP libraries: ‘ultrarequests’ and ‘pyquest’. The description of these packages is taken from the ‘requests’ package. The malicious code is in the class ‘HTTPError’ (‘exceptions[.]py’ file) [1/3]
2
124
284
0
7
6
Check out our latest research!
Magic's here again! We previously reported about
#CommonMagic
(
#RedStinger
), a campaign operating in the Russo-Ukranian conflict area. It turned out that the likely threat actor behind this it has a 15-year history. More info: [1/4]
@bzvr_
@2igosha
1
17
22
0
1
3
The biggest and boldest conference is making a triumphant return… join us at
#thesas2023
CFP is open:
0
1
2
@lorenzofb
We thought the same thing: the campaign targets users who have VPN access and are trying to find on YouTube how to download Tor.
1
0
2
What will financial threats landscape look like in 2023? Join Kaspersky’s panel discussion to find out more on cybersecurity predictions:
0
0
1