Reddit NetSec

AlienVault OTX General

CVE Database V5

Exploit-DB RSS Feed

Reddit InfoSec News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victims, such as companies, governments or individuals. The campaign has been identified as using spearphishing emails offering oil products.

The Snake Keylogger is a malware strain originating from Russia, identified as a .NET-based stealer primarily used in targeted phishing campaigns. It is designed to capture sensitive information such as credentials and other personal data by logging keystrokes and potentially harvesting system information. The recent campaign tracked by the S2 Group targets a broad spectrum of victims, including companies, government entities, and individuals, using spearphishing emails themed around oil product offers. This thematic choice likely aims to exploit geopolitical interests and economic sectors related to energy, increasing the likelihood of successful compromise. The malware is distributed via spearphishing, a highly targeted form of phishing that uses personalized messages to deceive recipients. The campaign abuses trusted Java utilities, indicating a sophisticated approach to evade detection by leveraging legitimate software components. The malware is categorized under multiple MITRE ATT&CK techniques such as T1027 (Obfuscated Files or Information), T1082 (System Information Discovery), T1555 (Credentials from Password Stores), T1566.001 (Spearphishing Attachment), T1574.002 (Hijack Execution Flow: DLL Side-Loading), and T1588.002 (Obtain Capabilities: Malware-as-a-Service), highlighting its multifaceted attack vectors and capabilities. Although no known exploits in the wild are reported, the malware operates as Malware-as-a-Service (MaaS), suggesting it is accessible to various threat actors, potentially increasing its proliferation. The campaign’s geopolitical context and targeting of strategic sectors underscore its relevance in cybercrime operations linked to geopolitical affairs.

MD5 of fe223090ea59abc54312c48ed89765ea5c8821df78134adc094cd799973dde39

MD5 of b33d93e82b4a964c1306d40b054e6a2703e050357a513ab8873651dd4d669f4b

MD5 of 6d7158bf300a5a8769d106500a60141e63436bfc35cab1d24e047aad1dc880ce

MD5 of f099cb320a26b6284e9ca24b352b19d2109bb3df0beeded3c34377c9b934ed3b

MD5 of 54468a4c1261c1c3f4136854c29a50080be77416d040b083ac51776c957a1182

MD5 of 830703e20378110b1db917fcd498fa731aafed37fb1055c002693662053ad13c

SHA1 of fe223090ea59abc54312c48ed89765ea5c8821df78134adc094cd799973dde39

SHA1 of 830703e20378110b1db917fcd498fa731aafed37fb1055c002693662053ad13c

SHA1 of 54468a4c1261c1c3f4136854c29a50080be77416d040b083ac51776c957a1182

SHA1 of 6d7158bf300a5a8769d106500a60141e63436bfc35cab1d24e047aad1dc880ce

SHA1 of b33d93e82b4a964c1306d40b054e6a2703e050357a513ab8873651dd4d669f4b

SHA1 of f099cb320a26b6284e9ca24b352b19d2109bb3df0beeded3c34377c9b934ed3b

Detailed information about Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations. Get real-time updates, technical d

Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations - Live Threat Intelligence - Threat Radar | OffSeq.com

Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

Proofpoint has identified Amatera Stealer, a rebranded version of ACR Stealer with enhanced capabilities and evasion techniques. Distributed via ClearFake website injects, it utilizes sophisticated attack chains and web injects. Amatera Stealer employs NTSockets for stealthy C2 communication, WoW64 Syscalls to bypass user-mode hooking, and supports HTTPS requests. It focuses on stealing information from browsers, crypto wallets, and various software. The malware can also execute secondary payloads. Amatera Stealer is actively developed and sold as a malware-as-a-service, with subscription plans ranging from $199 to $1,499.

Amatera Stealer is a sophisticated information-stealing malware identified as a rebranded and enhanced version of the previously known ACR Stealer. It is distributed primarily through ClearFake website injections, which are malicious code injections into legitimate websites to silently deliver the malware to victims. The malware employs advanced evasion techniques including the use of NTSockets for stealthy command and control (C2) communication, which helps it avoid detection by traditional network monitoring tools. Additionally, it leverages WoW64 syscalls to bypass user-mode hooking, a common technique used by security software to intercept and block malicious API calls. Amatera Stealer supports HTTPS requests, further obfuscating its network traffic and making detection more challenging.

The primary objective of Amatera Stealer is to exfiltrate sensitive information from infected systems. It targets web browsers to steal stored credentials, cookies, and browsing data, as well as cryptocurrency wallets, which are high-value targets due to the direct financial impact. It also targets various software applications to broaden its data collection scope. The malware has the capability to execute secondary payloads, allowing attackers to deploy additional malicious tools or ransomware after initial infection. Amatera Stealer is actively developed and marketed as malware-as-a-service (MaaS), with subscription pricing tiers ranging from $199 to $1,499, indicating a commercial and scalable threat model.

Technical indicators include multiple file hashes and domains associated with the malware’s infrastructure, such as "amaprox.icu" and "badnesspandemic.shop". The malware’s tactics align with several MITRE ATT&CK techniques, including credential dumping (T1056.001), web injects (T1573.001), process injection (T1055), and stealthy communication (T1102), among others. Despite its sophistication, there are no known exploits in the wild targeting specific vulnerabilities, suggesting infection relies on social engineering or exploitation of web injects to deliver the payload.

Overall, Amatera Stealer represents a medium-severity threat due to its targeted data theft capabilities, evasion sophistication, and active commercial distribution, posing a significant risk to individuals and organizations handling sensitive credentials and cryptocurrency assets.

Detailed information about Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication. Get real-time updates, technical details, and mitigatio

Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication - Live Threat Intelligence - Threat Radar | OffSeq.com

Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication

A critical vulnerability named DanaBleed was discovered in DanaBot's C2 server, causing memory leaks from June 2022 to early 2025. This bug, introduced in version 2380, exposed sensitive information including threat actor details, server data, and victim credentials. The leak resulted from uninitialized memory in the C2 protocol update. Researchers gained insights into DanaBot's operations, infrastructure, and affiliates. In May 2025, law enforcement dismantled DanaBot's infrastructure and indicted 16 individuals in Operation Endgame. The blog details the technical analysis of the vulnerability, its impact, and the type of data exposed through the memory leak.

DanaBot is a malware-as-a-service platform primarily engaged in cybercrime activities such as banking fraud and information theft. A critical vulnerability, named DanaBleed, was discovered in the Command and Control (C2) server infrastructure of DanaBot. This vulnerability was introduced in version 2380 of the C2 server software and caused a memory leak due to uninitialized memory during a C2 protocol update. The memory leak persisted from June 2022 until early 2025, inadvertently exposing sensitive internal data including threat actor identities, server infrastructure details, and victim credentials. This flaw was a result of poor memory management in the C2 server’s protocol implementation, leading to inadvertent disclosure of critical data. The vulnerability did not require active exploitation in the wild but was an internal bug within the malware’s own infrastructure. Security researchers and law enforcement leveraged this leak to gain unprecedented insight into DanaBot’s operations, infrastructure, and affiliates. This intelligence gathering culminated in Operation Endgame in May 2025, where law enforcement dismantled DanaBot’s infrastructure and indicted 16 individuals. The malware employs a sophisticated and multi-faceted attack framework, utilizing various MITRE ATT&CK techniques such as Windows Management Instrumentation (T1047), External Remote Services (T1133), Application Layer Protocol (T1071), process injection (T1055), credential dumping (T1003), and phishing (T1566), among others. While the vulnerability primarily affected the DanaBot C2 server infrastructure rather than victim endpoints directly, the leaked data included victim credentials, amplifying risks to affected organizations. No direct exploits of this vulnerability were observed in the wild, but the exposure significantly undermined the threat actor’s operational security and exposed their internal mechanisms.

Detailed information about DanaBot C2 Server Memory Leak Bug. Get real-time updates, technical details, and mitigation strategies.

DanaBot C2 Server Memory Leak Bug - Live Threat Intelligence - Threat Radar | OffSeq.com

DanaBot C2 Server Memory Leak Bug

ESET collaborated with Microsoft and other partners in a global operation to disrupt Lumma Stealer, a prominent malware-as-a-service infostealer. ESET's contribution involved analyzing tens of thousands of malware samples to extract key data like C&C servers and affiliate identifiers. The operation targeted Lumma Stealer's infrastructure, aiming to render its exfiltration network nonoperational. Lumma Stealer had been actively developed and maintained by its operators, with regular updates to its code and network infrastructure. It employed various anti-analysis techniques and targeted a wide range of data, including credentials from browsers, cryptocurrency wallets, and other applications.

Lumma Stealer is a malware-as-a-service (MaaS) infostealer that has been actively developed and maintained by its operators, featuring regular updates to both its codebase and command-and-control (C&C) infrastructure. The malware specializes in credential theft, targeting a broad spectrum of sensitive data including browser-stored credentials, cryptocurrency wallets, and other application data. It employs various anti-analysis techniques to evade detection and hinder reverse engineering efforts, making it a persistent threat in the cybercrime ecosystem. The global operation, led by ESET in collaboration with Microsoft and other partners, focused on disrupting Lumma Stealer's infrastructure by analyzing tens of thousands of malware samples to extract critical intelligence such as C&C server addresses and affiliate identifiers. This intelligence was used to dismantle the exfiltration network, effectively rendering the malware's data theft capabilities nonoperational. The operation highlights the malware's reliance on a distributed affiliate model, where multiple actors leverage the Lumma Stealer platform to conduct credential theft campaigns. Although no known exploits in the wild are reported, the malware's continuous development and active use in credential theft campaigns pose ongoing risks to affected organizations and individuals. The disruption effort aims to significantly reduce the operational capacity of Lumma Stealer, but the threat remains relevant due to the potential for reconstitution or emergence of similar MaaS platforms.

Detailed information about Global operation disrupts Lumma Stealer. Get real-time updates, technical details, and mitigation strategies.

Global operation disrupts Lumma Stealer - Live Threat Intelligence - Threat Radar | OffSeq.com

Global operation disrupts Lumma Stealer

The infostealer Danabot has been disrupted in a multinational law enforcement operation. ESET has been tracking Danabot since 2018, contributing to the effort by providing technical analyses and identifying C&C servers. Danabot operates as a malware-as-a-service, offering various features like data theft, keylogging, and remote control. It has been used to distribute additional malware, including ransomware. The malware's authors promote their toolset through underground forums, providing affiliates with an administration panel, backconnect tool, and proxy server application. Distribution methods have included email spam, other malware, and misuse of Google Ads. Danabot employs a proprietary encrypted communication protocol and offers multiple build options for affiliates.

Danabot is a sophisticated infostealer malware family that has been active since at least 2018 and operates under a malware-as-a-service (MaaS) model. It primarily functions as a banking trojan with capabilities including credential theft, keylogging, and remote control of infected systems. Danabot's modular architecture allows affiliates to customize malware builds, enabling tailored attacks to specific targets or environments. Distribution methods have included email spam campaigns, secondary infections via other malware, and notably, misuse of legitimate platforms such as Google Ads to increase reach and evade detection. The malware communicates with its command-and-control (C&C) infrastructure using a proprietary encrypted protocol, complicating network traffic analysis and interception efforts. Affiliates are provided with an administration panel, backconnect tools, and proxy server applications, facilitating stealthy botnet management and operations. Beyond stealing sensitive data, Danabot has been used to deliver additional malware payloads, including ransomware, amplifying its threat potential. Recently, a multinational law enforcement operation disrupted Danabot's infrastructure, with contributions from cybersecurity firms like ESET. Despite this disruption, the malware's underground promotion and flexible design suggest potential for resurgence or adaptation by threat actors. Indicators of compromise include domains linked to its C&C infrastructure such as advanced-ip-scanned.com, gfind.org, mic-tests.com, and spy.danabot.ac. The medium severity rating reflects its capability to cause financial and operational damage, especially in sectors reliant on secure banking transactions and sensitive data protection.

Detailed information about Danabot: Analyzing a fallen empire. Get real-time updates, technical details, and mitigation strategies.

Danabot: Analyzing a fallen empire - Live Threat Intelligence - Threat Radar | OffSeq.com

Danabot: Analyzing a fallen empire

DanaBot, a versatile and persistent threat since 2018, has evolved from a banking trojan to a multi-purpose malware platform. It maintained an average of 150 active C2 servers daily, with 1,000 daily victims across 40+ countries. The malware's stealth and multi-tiered architecture contributed to its success. Operated likely from Russia, DanaBot's infrastructure includes Tier 1, Tier 2, and Tier 3 C2 servers. The botnet's size peaked during high-profile events, with Mexico and the US among the most impacted countries. Despite its longevity, only 25% of its C2 servers had detectable malicious signatures. Operation Endgame II, a collaborative effort between security firms and law enforcement, dealt a significant blow to DanaBot's operations.

DanaBot is a sophisticated and persistent malware platform that has been active since 2018. Initially emerging as a banking trojan, DanaBot has evolved into a multi-purpose malware-as-a-service platform capable of a wide range of malicious activities, including information theft and command-and-control (C2) operations. The malware operates through a multi-tiered C2 infrastructure, consisting of Tier 1, Tier 2, and Tier 3 servers, which enhances its resilience and stealth capabilities. At its peak, DanaBot maintained approximately 150 active C2 servers daily and infected around 1,000 victims per day across more than 40 countries. Despite its widespread activity, only about 25% of its C2 servers exhibited detectable malicious signatures, indicating advanced evasion techniques.

DanaBot’s infection vectors and tactics align with multiple MITRE ATT&CK techniques, including lateral movement (T1021.005), valid accounts exploitation (T1078, T1078.004), user execution (T1204.001, T1204.002), phishing (T1566.001, T1566.002), command and control over standard protocols (T1071), and exploitation of public-facing applications (T1190). Its modular architecture allows it to adapt to different operational goals, from stealing banking credentials to broader data exfiltration and persistence. The botnet’s size and activity have fluctuated, often increasing during high-profile events, with Mexico and the United States being the most impacted countries historically. The infrastructure is believed to be operated from Russia.

Operation Endgame II, a coordinated effort by security firms and law enforcement, has significantly disrupted DanaBot’s operations, but the malware remains a medium-severity threat due to its stealth, adaptability, and global reach. The lack of known public exploits and the absence of patches suggest that mitigation relies heavily on detection and response rather than vulnerability remediation.

Detailed information about Inside DanaBot's Infrastructure: In Support of Operation Endgame II. Get real-time updates, technical details, and mitigation strateg

Inside DanaBot's Infrastructure: In Support of Operation Endgame II - Live Threat Intelligence - Threat Radar | OffSeq.com

Inside DanaBot's Infrastructure: In Support of Operation Endgame II

International law enforcement agencies have taken additional actions in Operation Endgame, targeting cybercriminal organizations, particularly those behind DanaBot. DanaBot is a powerful modular malware family written in Delphi, capable of keylogging, capturing screenshots, recording desktop videos, exfiltrating files, injecting content into web browsers, and deploying second-stage malware. It operates as a Malware-as-a-Service platform, enabling various attacks. DanaBot has been used in targeted attacks against government officials in the Middle East and Eastern Europe, and for DDoS attacks against Ukrainian servers. The malware implements a custom binary protocol encrypted with RSA and AES, and uses hardcoded C2 servers with Tor as a backup communication channel. Over 50 nicknames have been associated with DanaBot affiliates.

Operation Endgame 2.0 represents a coordinated international law enforcement effort targeting cybercriminal groups operating the DanaBot malware family. DanaBot is a sophisticated modular malware platform developed in Delphi, notable for its extensive capabilities including keylogging, screenshot capture, desktop video recording, file exfiltration, web browser content injection, and deployment of secondary malware payloads. Functioning as Malware-as-a-Service (MaaS), DanaBot enables affiliates to conduct a variety of cyberattacks without requiring deep technical expertise. The malware communicates with its command and control (C2) infrastructure using a custom binary protocol secured with RSA and AES encryption, enhancing its resilience against interception and analysis. It relies on hardcoded C2 servers and employs Tor as a fallback communication channel, complicating efforts to disrupt its operations. Historically, DanaBot has been leveraged in targeted espionage campaigns against government officials in the Middle East and Eastern Europe, as well as in distributed denial-of-service (DDoS) attacks targeting Ukrainian servers. The presence of over 50 known affiliate nicknames indicates a broad and decentralized operator base. The malware’s use of advanced techniques such as credential dumping (T1003), persistence mechanisms (T1543, T1547), lateral movement (T1090), and execution through user interaction (T1204) underscores its versatility and threat level. Despite the absence of known exploits in the wild for specific software vulnerabilities, DanaBot’s modularity and MaaS model make it a persistent and adaptable threat vector.

Detailed information about Operation Endgame 2.0. Get real-time updates, technical details, and mitigation strategies.

Operation Endgame 2.0 - Live Threat Intelligence - Threat Radar | OffSeq.com

Operation Endgame 2.0

A coordinated action led by Microsoft's Digital Crimes Unit, with participation from Bitsight and other partners, has successfully dismantled the operational capabilities of Lumma Stealer (LummaC2), a prominent information stealer operating since late 2022. The operation involved seizing over 1,000 domains and shutting down more than 90 Telegram channels and Steam profiles associated with the malware's infrastructure. LummaC2, which gained popularity after the takedown of Redline and Meta stealers, targeted Windows systems to extract sensitive data from various applications. The malware employed a complex, multi-tiered command and control infrastructure, using multiple domains, Steam profiles, and Telegram channels for resilience. This disruptive action is expected to significantly impact the threat landscape and hinder criminal activities in the malware scene.

Lumma Stealer (LummaC2) was a sophisticated information-stealing malware that emerged in late 2022, gaining prominence after the takedown of other stealers such as Redline and Meta. It primarily targeted Windows systems, aiming to extract sensitive data from a variety of applications. The malware utilized a complex, multi-tiered command and control (C2) infrastructure that leveraged over 1,000 domains, Steam profiles, and Telegram channels to maintain resilience and operational continuity. This infrastructure allowed attackers to manage and update the malware remotely, exfiltrate stolen data, and evade takedown attempts. The malware's capabilities included credential theft, data exfiltration, and potentially lateral movement within compromised networks, employing techniques aligned with MITRE ATT&CK tactics such as T1071 (Application Layer Protocol), T1005 (Data from Local System), T1140 (Deobfuscate/Decode Files or Information), T1555 (Credentials from Password Stores), T1555.003 (Credentials from Web Browsers), T1059 (Command and Scripting Interpreter), T1102 (Web Service), T1573 (Encrypted Channel), T1056 (Input Capture), and T1132 (Data Encoding). The recent coordinated takedown led by Microsoft's Digital Crimes Unit, with support from Bitsight and other partners, successfully dismantled Lumma Stealer's infrastructure by seizing domains and shutting down associated Telegram channels and Steam profiles. This action disrupts the malware's operational capabilities and is expected to significantly reduce its threat presence in the wild.

Detailed information about Lumma Stealer is Out... of business!. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Tagged 'malware-as-a-service'

Filter Threats

Threats Tagged 'malware-as-a-service'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility