abuse.ch

Computer and Network Security

Cyber Security - fighting malware and botnets

About us

abuse.ch provides community-driven threat intelligence on cyber threats. It is the home of several projects that help internet service providers and network operators protect their infrastructure from malware. IT security researchers, vendors and law enforcement agencies rely on data from abuse.ch in their efforts to make the internet a safer place.

Website
https://abuse.ch
Industry
Computer and Network Security
Company size
1 employee
Headquarters
Zurich
Type
Privately Held
Founded
2007
Specialties
cybersicherheit, cybersecurity, and threat intelligence


Updates

  • Our colleagues at Proofpoint have recently uncovered a fake Remote Monitoring and Management Tool (RMM) called #TrustConnect and #DocConnect, which is posing as an RMM 🔎 🖥️
    Pivoting on the threat in our collection reveals that the threat actors are spreading the same malware under additional names, including:
    ➡️ SoftConnect
    ➡️ HardConnect
    ➡️ AxisControl
    Our research has also revealed a couple of interesting findings 🕵 The threat actors:
    🛠️ have previously apparently experimented with a legitimate RMM called #ScreenConnect (aka #ConnectWise) before switching to their own fake RMM
    ☢️ sent several hundred fake emails to recipients in corporate environments
    📡 prefer Contabo GmbH in Germany 🇩🇪 for hosting their botnet C2 servers
    We track this threat on our platforms as #FakeRMM ⤵️
    IOCs on ThreatFox: 🦊 https://lnkd.in/esesP8ya
    Malware samples: 📄 https://lnkd.in/eHq3CzJV

    • Malware detonation suggests that the threat actor was likely playing around with ScreenConnect RMM before
  • abuse.ch reposted this

    📢 Botnet Spotlight July - December 2025 | The second half of 2025 brought progress against botnet infrastructure: stronger anti-abuse action by major network operators, increased law enforcement pressure on RATs and bulletproof hosting, and major takedowns like CrazyRDP. 🚨 Encouragingly, live botnet controllers dropped across platforms such as Huawei, Tencent, Alibaba, Amazon, and Google 📉 — signaling improved enforcement. But criminal demand hasn’t slowed. Instead, threats are shifting to weaker networks and resilient rogue hosting providers, while botnet controller domains continue to rise 🌐⬆️. Read the full Botnet Spotlight here 👉 https://lnkd.in/eARRqG9V #Botnets #Malware #BulletproofHosts

    • Spamhaus Botnet Spotlight | Jul - Dec 2025
  • 🎉 Excited to support PIVOTcon again this year with our partner Spamhaus Technology Ltd! 📅 If you haven’t added it to your calendar yet, check it out, we can’t recommend it enough 🙌

  • We received a submission from a contributor on the URLhaus platform today that caught our attention 🔎👀 A threat actor has uploaded multiple #Mirai payloads to a server hosted in AS51396 (PFCLOUD 🇩🇪), using a very specific directory structure that "explicitly" references URLhaus: hXXp://45.153.34[.]201:61440/fuckoffurlhaus/ 👉 https://lnkd.in/eDEU2XKj It appears the actor was “offended” after we took down their previous malware delivery host 💥 This is a good example of how reporting active malware distribution infrastructure to URLhaus has a real impact on cybersecurity worldwide 💪

    • Mirai payload delivery URLs
  • 🎉 Massive shout out to URLhaus Top Contributor “geenensp”
    First seen April 13th 2020 and since then, they’ve shared an unbelievable 844,345 malware URLs!! 😮
    Over the last 30 days, they have shared 8,902 URLs, firmly securing their position at the top of the leaderboard 💪
    URLhaus simply wouldn't exist without the help of awesome and committed contributors like this who diligently report malware URLs every day 🙏
    URLhaus stats ➡️ https://lnkd.in/dVVMgJF
    URLhaus ➡️ https://urlhaus.abuse.ch/ 🫶
    #SharingIsCaring #Community #StrengthInUnity

    • URLhaus Top Contributor “Geenensp”
  • We’ve identified an interesting malware family 🔍, which we’ve named #GrokPy due to its use of a Grok LLM model 🤖 to solve and subsequently bypass CAPTCHAs 🔥
    The malware gets dropped by #Amadey and:
    🪝 collects information about the infected device, such as screen resolution, public IP & location, RAM usage and CPU name
    💻 attempts to escalate privileges by running as admin or as a scheduled task
    ⚙️ uses the CDP (Chrome developer protocol) of either Edge or Chrome installed on the victim machine for further malicious actions
    📡 calls back to the botnet C2 at the various stages of the infection, reporting the results of its malicious actions
    👱 creates new accounts on Discord to obtain authentication tokens, which are then reported back to the #botnet C2
    📧 uses dilly + [a-zA-Z0-9]{8,11}@gmail .com + password [a-zA-Z0-9]{8} as the email and password for the Discord registration process
    🔍 has OCR capabilities for screenshots obtained via CDP, which are used to extract text from captchas
    🤖 uses a Grok LLM model that resides in the botnet C2 server to solve the captcha
    Botnet C2 servers are all hosted at Hetzner 🇩🇪 on port 8008 TCP:
    46[.]62.225.51 [active]
    46[.]62.224.205
    46[.]62.205.38
    GrokPy malware samples on MalwareBazaar: 📄 https://lnkd.in/eeSSETCv
    Botnet C2s on ThreatFox: 🦊 https://lnkd.in/e6hnmkNk

    • GrokPy botnet C2 traffic
    • GrokPy botnet C2 servers
    • Code how GrokPy forms a random email address
    • GrokPy detecting captchas
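A defender-side check built from the indicators in this post, added here as an illustration (it is not abuse.ch's code): it flags Discord registration emails matching the dilly + [a-zA-Z0-9]{8,11}@gmail.com pattern and connections to the three listed C2 addresses on 8008/TCP, run over constructed sample log lines in an assumed, simplified record format.

```python
import re
from typing import Dict, List

# Email pattern described in the post: "dilly" + 8-11 alphanumerics + @gmail.com
GROKPY_EMAIL_RE = re.compile(r"\bdilly[a-zA-Z0-9]{8,11}@gmail\.com\b")

# Botnet C2 servers named in the post (Hetzner, 8008/TCP), re-fanged for matching
GROKPY_C2_IPS = {"46.62.225.51", "46.62.224.205", "46.62.205.38"}
GROKPY_C2_PORT = 8008

# Connection records in a constructed, simplified format (an assumption, not a
# real product log): "<ts> conn <src_ip> -> <dst_ip>:<dst_port>/<proto>"
CONN_RE = re.compile(r"conn\s+(\S+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/(tcp|udp)", re.I)


def scan_line(line: str) -> List[Dict[str, str]]:
    """Return GrokPy indicators found on one log line (empty list if none)."""
    hits: List[Dict[str, str]] = []
    for m in GROKPY_EMAIL_RE.finditer(line):
        hits.append({"type": "grokpy_discord_email", "value": m.group(0)})
    m = CONN_RE.search(line)
    if m:
        src, dst, port, proto = m.groups()
        # Match only the exact C2 tuple the post gives: listed IP on 8008/TCP
        if dst in GROKPY_C2_IPS and int(port) == GROKPY_C2_PORT and proto.lower() == "tcp":
            hits.append({"type": "grokpy_c2_connection", "value": f"{src} -> {dst}:{port}"})
    return hits


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan a whole log, tagging each hit with its 1-based line number."""
    return [{"line": n, **h} for n, line in enumerate(lines, 1) for h in scan_line(line)]


# Constructed sample log (not real traffic): two true positives, three non-matches
SAMPLE_LOG = [
    "2025-11-20T10:01:02Z proxy POST discord.com/api/register email=dillyAb3kz9Qw2@gmail.com",
    "2025-11-20T10:01:05Z conn 10.0.0.15 -> 46.62.225.51:8008/tcp",
    "2025-11-20T10:02:00Z conn 10.0.0.15 -> 46.62.225.51:443/tcp",  # listed IP, wrong port
    "2025-11-20T10:03:00Z proxy POST discord.com/api/register email=alice.smith@gmail.com",
    "2025-11-20T10:04:00Z conn 10.0.0.22 -> 46.62.205.38:8008/udp",  # listed IP, wrong protocol
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['type']} {hit['value']}")
```

Traffic to a listed C2 on another port is deliberately not matched here, since the post only states 8008/TCP; widen the rule if you want to treat the addresses themselves as indicators.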
  • Taking down the infrastructure is only half the battle, supporting those affected is just as important. We’re pleased to see The Spamhaus Project stepping in again to help remediate machines infected with the Rhadamanthys malware. 👏👏 #Community #Endgame3 #Remediation

    Post by The Spamhaus Project:

    ENDGAME 3.0 REMEDIATION | Following on from the 📢 announcement last week, Spamhaus is now sending notification emails 📩 to ISPs associated with infected machines. Here's what to do if you receive one:
    👉 Go to this remediation webpage: https://lnkd.in/eKT-Mw5D
    👉 Enter the access code included in the email.
    👉 Download the list of infected machines.
    👉 Verify each infected machine and, where necessary, contact the owner and ask them to run antivirus and malware removal tools, and reset their passwords for any online services they may have accessed from them (there's a ready-made email template for you to use on the remediation webpage 😀)
    Thank you to everyone who is part of this effort. #Trustandsafety #Endgame3 #Takedown

  • We are excited that we were once again part of the coordinated international operation Endgame 📣, taking action against the notorious information and credential stealer #Rhadamanthys 🪝🕵️
    We assisted in the takedown of threat actor infrastructure and share a full list of #Rhadamanthys botnet C2s on ThreatFox 🦊
    Top geographical locations of Rhadamanthys botnet C2s (Tier-1):
    #1 209 🇩🇪
    #2 207 🇺🇸
    #3 205 🇬🇧
    #4 78 🇷🇺
    Top networks hosting Rhadamanthys botnet C2s (Tier-1):
    #1 94 AS24940 HETZNER-AS 🇩🇪
    #2 93 AS51396 PFCLOUD 🇩🇪
    #3 45 AS215826 PARTNER-HOSTING-LTD 🇬🇧
    #4 44 AS396073 MAJESTIC-HOSTING-01 🇺🇸
    #5 26 AS210644 AEZA-AS 🇬🇧
    #6 24 AS215730 H2NEXUS-AS 🇬🇧
    #7 21 AS42624 SWISSNETWORK02 🇸🇨
    #8 20 AS216071 VDSINA 🇦🇪
    #9 19 AS214351 FEMOIT 🇬🇧
    #10 19 AS213702 QWINS-LTD 🇬🇧
    The full list of Rhadamanthys botnet C2s is available here: 📡 https://lnkd.in/eCQdFzfP
    More information on #OpEndgame: 💡 https://lnkd.in/e6KakJ2u
    Official press release from Europol: 👮 https://lnkd.in/eVgVFf8E
    #OpEndgame #malware #botnet #cti #threatintel

    • Operation Endgame
