crep1x
@crep1x.bsky.social
📤 88
📥 41
📝 30
Lead cybercrime analyst, tracking adversaries activities & infrastructure, at
@sekoia.io
We published an in-depth analysis on the
#ErrTraffic
framework, detailing two specific clusters ("Beer" and "Analytics"), campaigns compromising WordPress sites to deploy this malicious
#ClickFix
framework, as well as others impersonating AI platforms ⬇️
x.com/sekoia_io/st...
loading . . .
Sekoia.io (@sekoia_io) on X
#TDR analysts published a new report detailing #ErrTraffic, a widespread #ClickFix malware distribution framework. ErrTraffic injects malicious JavaScript into compromised WordPress and malicious sit...
https://x.com/sekoia_io/status/2066800482333454489
about 1 month ago
1
0
0
reposted by
crep1x
Sekoia
about 1 month ago
Our forensic analysis of compromised WordPress servers helped us to cluster ErrTraffic and map affiliates' TTPs and backdoors. We notably identified two distinct clusters: "Analytics" operated by a single threat actor, and "Beer" likely operated by LenAI for affiliates.
1
1
1
reposted by
crep1x
Sekoia
about 1 month ago
#TDR
analysts published a new report detailing
#ErrTraffic
, a widespread
#ClickFix
malware distribution framework. ErrTraffic injects malicious JavaScript into compromised WordPress and malicious sites to serve ClickFix lures.
blog.sekoia.io/unveiling-er...
2
4
4
Part 2 of our
#EvilTokens
in-depth analysis is out! This blog post details the AI-augmented features significantly facilitating
#BEC
fraud. I believe that this AI-augmented post-compromise tooling represent a genuine breakthrough in the
#PhaaS
ecosystem.
blog.sekoia.io/eviltokens-a...
3 months ago
0
1
0
In early March 2026, we uncovered
#EvilTokens
, a new
#PhaaS
offering device code phishing pages and AI-driven features to automate and scale BEC workflows. Part 1 of our analysis provides a technical analysis of the EvilTokens kit ⬇️
blog.sekoia.io/new-widespre...
loading . . .
New widespread EvilTokens kit: device code phishing as-a-service - Part 1
Uncover the new sophisticated EvilTokens device code phishing as-a-service, with AI-augmented features facilitating BEC fraud
https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/
4 months ago
1
1
0
Our latest TDR report on the
#IClickFix
framework: 📊 3,800+ WordPress sites compromised worldwide ⚙️ Multi-stage JavaScript loader 🚦 Abusing YOURLS as TDS 🖱️ Fake Cloudflare CAPTCHA and
#ClickFix
lure 🦠
#NetSupport
RAT payload
bsky.app/profile/seko...
add a skeleton here at some point
6 months ago
1
3
1
Open directory at 104.168.81.]229/BJ/ containing phishing pages for Zimbra, Outlook, Adobe, and various Chinese services 104.168.81.]229 microsoftstorage.duckdns[.]org outllook.duckdns[.]org outlookspace.duckdns[.]org patnerrshipp.duckdns[.]org ⬇️
8 months ago
1
0
0
reposted by
crep1x
Sekoia
8 months ago
#TDR
analysts dig into a modus operandi targeting the hospitality industry and the related cybercrime ecosystem that facilitates
#phishing
and
#fraud
campaigns.
blog.sekoia.io/phishing-cam...
1
5
3
reposted by
crep1x
Sekoia
about 1 year ago
📝 Our latest
#TDR
report delivers an in-depth analysis of Adversary-in-the-Middle (#AitM)
#phishing
threats - targeting Microsoft 365 and Google accounts - and their ecosystem. This report shares actionable intelligence to help analysts detect and investigate AitM phishing.
1
10
7
Check out our new blog post by the TDR team, presenting the latest TTPs used by the
#Interlock
ransomware group! It includes their use of the ClickFix tactic, PyInstaller, Node.js, Cloudflare Tunnels, and new PowerShell loader/backdoor ⬇️
bsky.app/profile/seko...
✍️
@kseznec.bsky.social
add a skeleton here at some point
over 1 year ago
1
2
0
reposted by
crep1x
Sekoia
over 1 year ago
Since the apparition of the
#Interlock
ransomware, the Sekoia
#TDR
team observed its operators evolving, improving their toolset (#LummaStealer and
#BerserkStealer
), and leveraging new techniques such as
#ClickFix
to deploy the ransomware payload.
blog.sekoia.io/interlock-ra...
0
2
6
Tycoon 2FA (a prominent AitM phishing kit), targeting Microsoft and Google accounts, uses a new CAPTCHA page instead of the custom Cloudflare Turnstile page e.g. hxxps://ymi.bvyunz.]ru/3v4jfQ-cUo/ hxxps://xau.kolivax.]ru/ckYHFJN/ hxxps://ffqt.lzirleg.]es/VajlR/ ⬇️
over 1 year ago
1
2
1
Here is our in-depth analysis of the latest
#ClearFake
variant using the Binance Smart Chain and two new ClickFix lures. ClearFake is injected into thousands of compromised sites to distribute the
#Emmental
Loader,
#Lumma
,
#Rhadamanthys
, and
#Vidar
. ⬇️
bsky.app/profile/seko...
add a skeleton here at some point
over 1 year ago
1
4
1
reposted by
crep1x
Sekoia
over 1 year ago
TDR analysts published an analysis of the new
#ClearFake
variant that relies on compromised websites injected with the malicious JavaScript framework, the
#EtherHiding
technique, and the
#ClickFix
social engineering tactic.
buff.ly/vbiVbsN
loading . . .
ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery
ClearFake spreads malware via compromised websites, using fake CAPTCHAs, JavaScript injections, and drive-by downloads.
https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/
1
5
4
#ClearFake
variant is now spreading
#Rhadamanthys
Stealer via
#Emmenhtal
Loader. cc
@plebourhis.bsky.social
@sekoia.io
1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding 2. The
#ClickFix
lure uses a fake Cloudflare Turnstile with unusual web traffic ⬇️
over 1 year ago
2
3
2
For those who did not monitor the supply chain attack against Chrome extensions in December 2024, our article provides an overview of: - the targeted phishing attack against extension developers - malicious code - the adversary's infrastructure ⬇️
bsky.app/profile/seko...
add a skeleton here at some point
over 1 year ago
0
3
3
reposted by
crep1x
Sekoia
over 1 year ago
TDR analysts analysed the supply chain attack targeting Chrome browser extensions, which potentially affected hundreds of thousands of end users in December 2024.
https://buff.ly/4auQ0HN
1
8
5
Around 1,000 malicious domains are hosting webpages impersonating Reddit and WeTransfer, redirecting users to download password-protected archives These archives contain an AutoIT dropper, we internally named
#SelfAU3
Dropper at
@sekoia.io
, which executes
#Lumma
Stealer IoCs ⬇️
over 1 year ago
2
9
6
Our last article exposes the new AiTM phishing kit Sneaky 2FA, sold by the cybercrime service "Sneaky Log"! We provide an in-depth analysis of the phishing pages, the associated service, detection opportunities and multiple IoCs. ⬇️
bsky.app/profile/seko...
add a skeleton here at some point
over 1 year ago
1
6
1
Recent update in
#Vidar
C2 servers configuration: HTTP Location header set to "hxxps://t.]me", instead of "hxxps://google.]com" Heuristic to track C2 IPs and domains on Censys:
search.censys.io/search?resou...
Dead Drop Resolvers (DDR) of the week: hxxps://t.]me/no111p ⬇️
over 1 year ago
1
3
0
reposted by
crep1x
Nicolas Caproni
over 1 year ago
🦝 The new episode of
@intel471.bsky.social
"Cybercrime Exposed" podcast produced by
@jkirk.bsky.social
tells the story of
#Raccoon
Stealer and, more broadly, reveals how the
#infostealer
ecosystem operates. Featuring
@crep1x.bsky.social
from
@sekoia.io
!
intel471.com/resources/po...
loading . . .
Cybercrime Exposed Podcast: Raccoon Stealer
Intel 471 empowers cybersecurity teams worldwide to be proactive with its TITAN platform and comprehensive coverage into the criminal underground.
https://intel471.com/resources/podcasts/cybercrime-exposed-podcast-raccoon-stealer
0
4
2
you reached the end!!
feeds!
log in