Lontz (@lontze7)
Followers: 876 · Following: 871 · Statuses: 215

Threat Intel Researcher. Opinions are mine. Special thanks to @censysio, @ValidinLLC & @ReversingLabs for making my research easier.

Joined April 2022
Lontz (@lontze7) · 25 days
New blog on how to uncover related infrastructure of the 'Contagious Interview' campaign, where Lazarus APT uses the 'ClickFix' technique to target job seekers in fake video interviews. Many thanks to @ValidinLLC for publishing! 👇
Lontz (@lontze7) · 5 days
Portuguese #downloader installing a malicious extension; HTTP & WSS communication.
[2 images]
Lontz (@lontze7) · 6 days
@SpiderLabs also the following domains seem to be related (down at the moment):
[image]
Lontz (@lontze7) · 10 days
@malware_traffic also a related report from RF:
Lontz (@lontze7) · 12 days
RT @ValidinLLC: @lontze7 @malware_traffic The number of infected sites is growing rapidly. First detected at 02:45:23 GMT yesterday (28 Jan…
Lontz (@lontze7) · 12 days
@malware_traffic looks like Vidar
[image]
Lontz (@lontze7) · 18 days
New #ScatteredSpider #phishing domain okta-louisvuitton[.]com. Validation path: /index?id={base_64_encoded_string:design=0...9}
[4 images]
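The following is an added example, not code from the post above or its author. It turns the validation-path pattern the tweet gives (/index?id=<base64>, decoded value carrying design=<digit 0-9>) into a hunting filter that can be run over a list of URLs exported from a proxy log or a urlscan search. The exact layout of the decoded id is not stated in the tweet, so the "design=N" token form, the sample URLs and the made-up id blobs below are assumptions used for illustration only.

```python
"""Added example, not code from the original post or its author.

Hunting filter for the validation path the tweet describes: /index?id=<base64>
where the decoded id carries design=<single digit 0-9>. The exact decoded
layout is not given in the tweet, so the "design=N" token form and the sample
URLs below are assumptions made for illustration.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Assumed token form: "design=<digit>" delimited by start/end or & ; , whitespace.
DESIGN_RE = re.compile(rb"(?:^|[&;,\s])design=(\d)(?:$|[&;,\s])")


def decode_id(value: str) -> Optional[bytes]:
    """Base64-decode a query value; tolerates URL-safe alphabet and missing padding.

    parse_qs turns '+' into ' ', so a standard-alphabet value loses its pluses;
    restore them before decoding. Returns None for anything that is not base64.
    """
    value = value.strip().replace(" ", "+")
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_url(url: str) -> Dict[str, object]:
    """Verdict for one URL: path is /index and id decodes to a design=<digit> token."""
    p = urlparse(url)
    verdict: Dict[str, object] = {"url": url, "host": p.hostname, "match": False, "design": None}
    if p.path.rstrip("/") != "/index":
        return verdict
    for raw in parse_qs(p.query).get("id", []):
        decoded = decode_id(raw)
        if decoded is None:
            continue
        m = DESIGN_RE.search(decoded)
        if m:
            verdict["match"] = True
            verdict["design"] = int(m.group(1))
            break
    return verdict


def hunt(urls: List[str]) -> List[Dict[str, object]]:
    """Keep only the URLs that match the pattern (e.g. from a proxy or urlscan export)."""
    return [v for v in map(classify_url, urls) if v["match"]]


def make_sample_url(host: str, blob: bytes) -> str:
    """Build a constructed sample URL (test data, not observed traffic)."""
    return f"https://{host}/index?id={base64.b64encode(blob).decode()}"


# Constructed samples: the domain is the one named in the tweet, the id blobs are made up.
SAMPLE_URLS = [
    make_sample_url("okta-louisvuitton.com", b"design=3&u=victim@example.com"),  # hit
    make_sample_url("okta-louisvuitton.com", b"design=x&u=victim@example.com"),  # non-digit
    "https://okta-louisvuitton.com/login?id=ZGVzaWduPTM=",                       # wrong path
    "https://okta-louisvuitton.com/index?id=not-base64!",                         # undecodable
]

if __name__ == "__main__":
    for v in hunt(SAMPLE_URLS):
        print(v["host"], "design =", v["design"])
```

Decoding is deliberately tolerant (URL-safe alphabet, stripped padding, '+' mangled to space by query parsing) because kit operators rarely produce canonical base64; the path and the decoded token are checked together so that unrelated /index pages with a random id parameter do not trigger.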
Lontz (@lontze7) · 19 days
RT @DSkfunk: 🚨 7-Zip MotW Bypass [CVE-2025-0411] – POC released! This exploit leverages double-compressed archives to bypass security warn…
Lontz (@lontze7) · 20 days
New #Rhadamanthys #C2: floratechnology[.]live, floratrans[.]live. Redirections with HTTP Refresh header to a WebDAV resource.
[4 images]
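The following is an added example, not code from the post above or its author. It shows how to triage captured HTTP responses for the redirection pattern the tweet describes: a Refresh header whose target is a WebDAV resource. The response samples are constructed (TEST-NET address, not captured C2 traffic), and the WebDAV indicators used (a UNC target, @SSL / @80 / DavWWWRoot markers, a "webdav" path component) are this example's own assumptions, not details quoted from the tweet.

```python
"""Added example, not code from the original post or its author.

Triage for the redirection pattern the tweet describes: an HTTP response whose
Refresh header sends the client on to a WebDAV resource. The response samples
are constructed, and the WebDAV indicators (UNC target, @SSL / @80 /
DavWWWRoot markers, a "webdav" path component) are this example's assumptions,
not details quoted from the tweet.
"""
import re
from typing import Dict, Optional, Tuple

# Refresh: <seconds>; url=<target>   (the target may be quoted)
REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?(.+?)['\"]?\s*$", re.IGNORECASE)

# Assumed WebDAV markers. Windows routes \\host@SSL\DavWWWRoot\... and \\host@80\...
# through the WebClient (Mini-Redirector) service.
WEBDAV_MARKERS = re.compile(r"@ssl\b|@80\b|davwwwroot|[/\\]webdav(?:[/\\]|$)", re.IGNORECASE)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Lower-cased header map from a raw HTTP/1.x response; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def refresh_target(headers: Dict[str, str]) -> Optional[Tuple[int, str]]:
    """(delay, url) from the Refresh header, or None when absent or malformed."""
    value = headers.get("refresh")
    if value is None:
        return None
    m = REFRESH_RE.match(value)
    if m is None:
        return None
    return int(m.group(1)), m.group(2)


def is_webdav_target(url: str) -> bool:
    """Assumption-based check: a UNC path, or one of the WebDAV markers above."""
    u = url.strip()
    return u.startswith("\\\\") or bool(WEBDAV_MARKERS.search(u))


def triage(raw: bytes) -> Dict[str, object]:
    """Summarise one response: where Refresh points and whether that looks like WebDAV."""
    target = refresh_target(parse_headers(raw))
    if target is None:
        return {"refresh": None, "delay": None, "webdav": False}
    delay, url = target
    return {"refresh": url, "delay": delay, "webdav": is_webdav_target(url)}


# Constructed samples (TEST-NET address, not captured C2 traffic).
SAMPLE_WEBDAV = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Refresh: 0; url=\\\\203.0.113.10@SSL\\DavWWWRoot\\update\\\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_BENIGN = b"HTTP/1.1 200 OK\r\nRefresh: 5; url='https://example.com/landing'\r\n\r\n"
SAMPLE_NO_REFRESH = b"HTTP/1.1 302 Found\r\nLocation: https://example.com/\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("webdav", SAMPLE_WEBDAV), ("benign", SAMPLE_BENIGN), ("none", SAMPLE_NO_REFRESH)):
        print(name, triage(sample))
```

Only the HTTP header is handled here; the HTML-level equivalent (a meta http-equiv="refresh" tag in the body) would need the same target check applied to the parsed page, and a proxy that follows Refresh automatically will hide the hop unless it logs the header.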
Lontz (@lontze7) · 25 days
RT @ValidinLLC: Researcher @lontze7 explored recent Contagious Interview #Lazarus #APT findings, detailing hunting techniques you can follo…
Lontz (@lontze7) · 25 days
@greenplan_it @RexorVc0 @DaveLikesMalwre they seem to register domains in a variety of TLDs, and also make use of the same payload names in multiple extensions:
Lontz (@lontze7) · 1 month
Hunting #LummaStealer new .mp4 (hta) payloads. Have you identified a .mp4 Lumma serving URL? It seems like they register the same domain in multiple TLDs (lookalike search from Validin). Verification of abuse can be performed by scanning the same .mp4 payload on the new domain.
[4 images]
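The following is an added example, not code from the post above or its author. It covers the two steps the tweet outlines: pivot a known ".mp4" payload URL to the same path on the same name under other TLDs, and verify a candidate by checking that what it serves is the same payload, and an HTA rather than a real video. Fetching is left to the caller (requests, curl, urlscan). The TLD list, the sample URL and the sample bodies are constructed for illustration, and the TLD pivot is naive (it treats the last label as the TLD).

```python
"""Added example, not code from the original post or its author.

Two helpers for the hunt the tweet describes. expand_tlds() pivots a known
".mp4" (really HTA) payload URL to the same path on the same label under other
TLDs, the way the actors are said to register one name across several TLDs;
classify_payload() tells a real MP4 from an HTA script served with a .mp4
extension, so a candidate can be verified once fetched. Fetching is left to
the caller. The TLD list, sample URL and sample bodies are constructed.
"""
import hashlib
import re
from typing import Dict, List
from urllib.parse import urlparse, urlunparse

# Assumed pivot set; in practice take it from a lookalike/registrant search.
PIVOT_TLDS = ["com", "net", "org", "info", "shop", "top", "xyz", "online"]

# Markers of an HTML Application: the HTA element, scripting, or WSH object creation.
HTA_MARKERS = re.compile(
    rb"<hta:application|<script\b|vbscript:|createobject\s*\(|new\s+activexobject\s*\(",
    re.IGNORECASE,
)


def expand_tlds(known_url: str, tlds: List[str] = PIVOT_TLDS) -> List[str]:
    """Same scheme/path/query as known_url on <label>.<tld> for each other TLD.

    Naive: treats the last label as the TLD (co.uk-style suffixes need a PSL)
    and drops any explicit port.
    """
    p = urlparse(known_url)
    labels = (p.hostname or "").split(".")
    if len(labels) < 2:
        raise ValueError("need a registrable domain")
    base = ".".join(labels[:-1])
    out = []
    for tld in tlds:
        host = f"{base}.{tld}"
        if host != p.hostname:
            out.append(urlunparse(p._replace(netloc=host)))
    return out


def is_real_mp4(body: bytes) -> bool:
    """ISO BMFF (MP4) starts with a box whose type at bytes 4..8 is 'ftyp'."""
    return len(body) >= 8 and body[4:8] == b"ftyp"


def classify_payload(body: bytes) -> str:
    """'mp4' for a genuine container, 'hta' for script content, else 'unknown'."""
    if is_real_mp4(body):
        return "mp4"
    if HTA_MARKERS.search(body[:4096]):
        return "hta"
    return "unknown"


def verify_candidate(known_body: bytes, candidate_body: bytes) -> Dict[str, object]:
    """Compare a body fetched from a pivoted domain with the known payload."""
    same = hashlib.sha256(known_body).digest() == hashlib.sha256(candidate_body).digest()
    return {"same_payload": same, "kind": classify_payload(candidate_body)}


# Constructed samples: a minimal HTA and the first bytes of a real MP4 header.
SAMPLE_HTA = (
    b'<html><head><HTA:APPLICATION id="app" WINDOWSTATE="minimize" />'
    b'<script language="VBScript">MsgBox "constructed sample"</script>'
    b"</head></html>"
)
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 16
SAMPLE_URL = "https://lure-example.com/media/intro.mp4"

if __name__ == "__main__":
    print(classify_payload(SAMPLE_HTA), classify_payload(SAMPLE_MP4))
    for u in expand_tlds(SAMPLE_URL):
        print("candidate:", u)
```

The content check matters more than the extension: a server that answers the pivoted URL with a real MP4 (or a 404 page) is not confirmation, while an HTA body, and especially an identical hash to the known sample, is.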
Lontz (@lontze7) · 25 days
@greenplan_it @RexorVc0 @DaveLikesMalwre .pub files are dropped through ClickFix from multiple URLs (most down at the moment); also there is evidence of downloaded files from URLScan:
[image]
Shanholo (@ShanHolo) · 25 days
@lontze7 @RexorVc0 @DaveLikesMalwre Good hit!! It seems to be an interesting campaign 🤔 Quick research following your post 👇
hxxps://fixazo.online/new-riii-1-b.pub Contains #LummaStealer 📸 waiting to be dropped.
☣️ 43dd09be1f034e3f7f6232bc7e1d3b80 Low detection ratio 4/61 🔥
More URLs found 📸 @JAMESWT_MHT
[2 images]
Lontz (@lontze7) · 25 days
@banthisguy9349 Well said! Let's at least state that this looks like this APT and let other researchers supplement the analysis. Also, let's normalize the sharing of methodology. No need to just flex IoCs.
Lontz (@lontze7) · 27 days
RT @TheHackersNews: 🚨 UPDATE: Fortinet Confirms Critical Zero-Day 🚨 CVE-2024-55591 in FortiOS & FortiProxy (CVSS 9.6) allows attackers to…
Lontz (@lontze7) · 27 days
@DaveLikesMalwre @Razer @banthisguy9349 @g0njxa more domains with Booking theme (URI /captcha):
[2 images]
Lontz (@lontze7) · 27 days
@DaveLikesMalwre everyone loves ClickFix 😋