This is the first time I've seen this Windows feature abused in malware (I need to study it further). Perhaps it will become a trend, given the scale of attacks seen in recent days. Final payload: @dodo_sec @1ZRR4H @Merlax_

@ValidinLLC Ref.: IoC:

RT @dodo_sec: I've uploaded the final stage of yet another BR Delphi banking RAT to malware bazaar. Still haven't seen something that ties…

@SquiblydooBlog @smica83 "_main.pyc" has a lot of garbage, the image above is the most relevant part.

@dodo_sec @RussianPanda9xx @GetWinEvent_ + @1ZRR4H @0xToxin

RT @AustinLarsen_: 🚨 New: Zero-day vulnerability CVE-2025-0282 in Ivanti Connect Secure VPN is being actively exploited, including by suspe…

@jaimeblascob The extension "llimhhconnjiflfimocjggfjdlmlhblm - Reader Mode" has traces of compromise.

@dodo_sec @SquiblydooBlog Great insight. I found it curious how long the infection chain was for the final payload to be a UPX.

@RussianPanda9xx disappeared from my telemetry too :(

@Merlax_ @1ZRR4H IoC: Hunt: User-Agent: AdvancedInstaller + POST: licenseUser\.php C2: taco-keys\.com puta-key\.com search-keys\.com cococokeys\.com Ref.: