RomCom RAT
Campaign: Exploit of RomCom RAT

The RomCom RAT is a remote access trojan used by a threat actor to control compromised systems. The actor impersonates well-known software vendors, registers lookalike domains and distributes trojanized copies of legitimate applications through targeted phishing campaigns. The indicators below were collected by SOCRadar; several of them (the Cuba leak-site .onion address, the two CVEs) belong to the wider Cuba ransomware activity that the FBI Flash cited in the ATT&CK section below covers, since Cuba ransomware actors have also deployed RomCom RAT.

Domains Source Last Update
aaa.stage.16549040.dns.alleivice.com SOCRadar 2023-01-31
teoresp.com SOCRadar 2023-01-31
advanced-ip-scaner.com SOCRadar 2023-01-31
tinheranter.com SOCRadar 2023-01-31
optasko.com SOCRadar 2023-01-31
cuba4ikm4jakjgmkeztyawtdgr2xymvy6nvgw5cglswg3si76icnqd.onion SOCRadar 2023-01-31
witorophron.com SOCRadar 2023-01-31
combinedresidency.org SOCRadar 2023-01-31
leftthenhispar.ru SOCRadar 2023-01-31
nastylgilast.com SOCRadar 2023-01-31
thehentoftbet.ru SOCRadar 2023-01-31
toftoflethens.com SOCRadar 2023-01-31
notfiled.com SOCRadar 2023-01-31
tycahatit.ru SOCRadar 2023-01-31
kurvalarva.com SOCRadar 2023-01-31
otinrofha.ru SOCRadar 2023-01-31
babbedidndu.ru SOCRadar 2023-01-31
you-supported.com SOCRadar 2023-01-31
johntotrepwron.com SOCRadar 2023-01-31
reninparwil.com SOCRadar 2023-01-31
vu42i55fqimjx6koo7oqh3zzvy2xghqe7ot4h2ftcv2pimbauupjyqyd.onion SOCRadar 2023-01-31
nagirlstylast.com SOCRadar 2023-01-31
fabickng.ru SOCRadar 2023-01-31
advanced-ip-scanners.com SOCRadar 2023-01-31
torsketronand.ru SOCRadar 2023-01-31
tandugolastsp.com SOCRadar 2023-01-31
ningwitjohnno.ru SOCRadar 2023-01-31
dgtlocean.com SOCRadar 2023-01-31
4qzm.com SOCRadar 2023-01-31
facabeand.com SOCRadar 2023-01-31
Hashes (MD5, SHA-1 and SHA-256 mixed) Source Last Update
4de5d433af5701462517719ce097bb4c0e5676c9 SOCRadar 2023-01-31
eaced2fcfdcbf3dca4dd77333aaab055345f3ab4 SOCRadar 2023-01-31
550f42c5b555893d171285dc8b15b4b5 SOCRadar 2023-01-31
3e3a7116eeadf99963077dc87680952cca87ff4fe60a552041a2def6b45cbeea SOCRadar 2023-01-31
4c32ef0836a0af7025e97c6253054bca SOCRadar 2023-01-31
05681ff7cae6b28f5714628a269caa5115da49c94737ce82ec09b4312e40fd26 SOCRadar 2023-01-31
ac09cbfee4cf89d7b7a755c387e473249684f18aa699eb651d119d19e25bff34 SOCRadar 2023-01-31
3e6f9e73ca7bf856c3f5aeb44dc793ec4927b842 SOCRadar 2023-01-31
cf6ec2999b5d67df89a5350dfcff611d SOCRadar 2023-01-31
de239ac43508c4fd4c9069a9b6a4a3f8 SOCRadar 2023-01-31
1b943afac4f476d523310b8e3afe7bca761b8cbaa9ea2b9f01237ca4652fc834 SOCRadar 2023-01-31
b5d202456ac2ce7d1285b9c0e2e5b7ddc03da1cbca51b5da98d9ad72e7f773b8 SOCRadar 2023-01-31
e80d80521238008bf6f429e072eaf6030c06e2d3123d03ea9b36f5a232a1ec90 SOCRadar 2023-01-31
d907be57b5ef2af8a8b45d5f87aa4773 SOCRadar 2023-01-31
f8144fa96c036a8204c7bc285e295f9cd2d1deb0379e39ee8a8414531104dc4a SOCRadar 2023-01-31
13ab5762ff5023163b1ca7c7749112b3673cd3db SOCRadar 2023-01-31
a1649dec72c316587b10d92993aee1ec SOCRadar 2023-01-31
a304497ff076348e098310f530779002a326c264 SOCRadar 2023-01-31
f538b035c3de87f9f8294bec272c1182f90832a4e86db1e47cbb1ab26c9f3a0b SOCRadar 2023-01-31
d1a84706767bfb802632a262912e95a8 SOCRadar 2023-01-31
10a5612044599128981cb41d71d7390c15e7a2a0c2848ad751c3da1cbec510a2 SOCRadar 2023-01-31
0afed8d1b7c36008de188c20d7f0e2283251a174261547aab7fb56e31d767666 SOCRadar 2023-01-31
d0bbbc1866062f9a772776be6b7ef135d6c5e002 SOCRadar 2023-01-31
5f187393acdeb67e76126353c74b6080d3e6ccf28ae580658c670d8b6e4aacc1 SOCRadar 2023-01-31
02a733920c7e69469164316e3e96850d55fca9f5f9d19a241fad906466ec8ae8 SOCRadar 2023-01-31
3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0 SOCRadar 2023-01-31
2f93bf6feb96aa13973cb923abcf402d3d829cb6 SOCRadar 2023-01-31
04972228302e569da856e4fa45f679ed SOCRadar 2023-01-31
9959e90d255c0221e9754db53e321ab4c7434488 SOCRadar 2023-01-31
1817cc163482eb21308adbd43fb6be57fcb5ff11fd74b344469190bb48d8163b SOCRadar 2023-01-31
f31620e7e22a30f408e5d683922f5029 SOCRadar 2023-01-31
1a21a1e626fd342e794bcc3b06981d2c SOCRadar 2023-01-31
9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732 SOCRadar 2023-01-31
596eaef93bdcd00a3aedaf6ad6d46db4429eeba61219b7e01b1781ebbf6e321b SOCRadar 2023-01-31
3d4502066a338e19df58aa4936c37427feecce9ab8d43abff4a7367643ae39ce SOCRadar 2023-01-31
7e00bfb622072f53733074795ab581cf6d1a8b4fc269a50919dda6350209913c SOCRadar 2023-01-31
db3b1f224aec1a7c58946d819d729d0903751d1867113aae5cca87e38c653cf4 SOCRadar 2023-01-31
e0d89c88378dcb1b6c9ce2d2820f8d773613402998b8dcdb024858010dec72ed SOCRadar 2023-01-31
ee2f71faced3f5b5b202c7576f0f52b9 SOCRadar 2023-01-31
cb933f1c913144a8ca6cfcfd913d6d28 SOCRadar 2023-01-31
61971d3cbf88d6658e5209de443e212100afc8f033057d9a4e79000f6f0f7cc4 SOCRadar 2023-01-31
4e4eca58b896bdb6db260f21edc7760a SOCRadar 2023-01-31
542d144a73322a30ceabb002851515a80611bf6c SOCRadar 2023-01-31
99c7cad7032ec5add3a21582a64bb149 SOCRadar 2023-01-31
5f5c18e98e5c8a5a50a1e122221f61dd SOCRadar 2023-01-31
67fe9e515686c2d8cf7eeab0c37a04426599352c SOCRadar 2023-01-31
9f61259c966f34d89b70af92b430ae40dd5f1314ee6640d16e0b7b0f4f385738 SOCRadar 2023-01-31
33fe4c6f5e7803bc0b9d977abd8b816712cbf300 SOCRadar 2023-01-31
0f385cc69a93abeaf84994e7887cb173e889d309a515b55b2205805bdfe468a3 SOCRadar 2023-01-31
a2511c5c2839bfbdf9c0f84f415d5eae168456e5d3f77f1becdbcd69fba4daa4 SOCRadar 2023-01-31
d5dab3f20d47bf4ca4910949015844d660e99ca9 SOCRadar 2023-01-31
141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944 SOCRadar 2023-01-31
952b34f6370294c5a0bb122febfaa80612fef1f32eddd48a3d0556c4286b7474 SOCRadar 2023-01-31
d1ff26ea3d2d2ced4b7e76d971a60533817048d7 SOCRadar 2023-01-31
1807549af1c8fdc5b04c564f4026e41790c554f339514d326f8b55cb7b9b4f79 SOCRadar 2023-01-31
08eb4366fc0722696edb03981f00778701266a2e57c40cd2e9d765bf8b0a34d0 SOCRadar 2023-01-31
a7c207b9b83648f69d6387780b1168e2f1eabd23ae6e162dd700ae8112f8b96c SOCRadar 2023-01-31
6310a2063687800559ae9d65cff21b0a SOCRadar 2023-01-31
01242b35b6def71e42cc985e97d618e2fabd616b16d23f7081d575364d09ca74 SOCRadar 2023-01-31
2eb3ef8a7a2c498e87f3820510752043b20cbe35b0cbd9af3f69e8b8fe482676 SOCRadar 2023-01-31
f5db51115fa0c910262828d0943171d640b4748e51c9a140d06ea81ae6ea1710 SOCRadar 2023-01-31
7b6f996cc1ad4b5e131e7bf9b1c33253 SOCRadar 2023-01-31
23cea76078dd3829bd2b7e00f2bfe2ad SOCRadar 2023-01-31
7c003b4f8b3c0ab0c3f8cb933e93d301 SOCRadar 2023-01-31
c9d3b29e0b7662dafc6a1839ad54a6fb SOCRadar 2023-01-31
8e64bacaf40110547b334eadcb0792bdc891d7ae298fbfff1367125797b6036b SOCRadar 2023-01-31
b9afe016dbdba389000b01ce7645e7eea1b0a50827cded1cbaa48fbc715197bb SOCRadar 2023-01-31
0c2ffed470e954d2bf22807ba52c1ffd1ecce15779c0afdf15c292e3444cf674 SOCRadar 2023-01-31
ab1ed31825763c481f54bd8a94d73777 SOCRadar 2023-01-31
1f842f84750048bb44843c277edeaa8469697e97c4dbf8dc571ec552266bec9f SOCRadar 2023-01-31
86ed4544eeca78dc64881a916fe1e1f73dc17f7b SOCRadar 2023-01-31
250cb957728dba0f3ae2c1c1e9bae241 SOCRadar 2023-01-31
8b8dff5d30802fd79b76ee1531e7d050184a07570201ef1cd83a7bb8fa627cb0 SOCRadar 2023-01-31
1d142c36c6cdd393fe543a6b7782f25a9cbafca17a1cfa0f3fc0f5a9431dbf3f SOCRadar 2023-01-31
d1ea4f54c19d332b01553fa8e9a838c2a4dabfb1 SOCRadar 2023-01-31
8284421bbb94f3c37f94899cdcd19afd SOCRadar 2023-01-31
b160bd46b6efc6d79bfb76cf3eeacca2300050248969decba139e9e1cbeebf53 SOCRadar 2023-01-31
3252965013ec861567510d54a97446610edba5da88648466de6b3145266386d9 SOCRadar 2023-01-31
236f5de8620a6255f9003d054f08574b SOCRadar 2023-01-31
4fc9202ff84ef84b8c5e6140b66ac3d04570daf886a7f1ae31661ade882f963e SOCRadar 2023-01-31
068117b406940ac510ed59efd1d7c7651f645a31bd70db6de16aba12c055aae6 SOCRadar 2023-01-31
79d6b1b6b1ecb446b0f49772bf4da63fcec6f6bfc7c2e1f4924cb7acbb3b4f53 SOCRadar 2023-01-31
8a3d71c668574ad6e7406d3227ba5adc5a230dd3057edddc4d0ec5f8134d76c3 SOCRadar 2023-01-31
867d41458d94e985f6b3e2bae1dfb75e14cbc57f SOCRadar 2023-01-31
62d99110a03c33157a2c844ed5ddec11 SOCRadar 2023-01-31
0d5e3483299242bf504bd3780487f66f2ec4f48a7b38baa6c6bc8ba16e4fb605 SOCRadar 2023-01-31
01971269ca3083f292f6978511b51a0f90eb1ddb SOCRadar 2023-01-31
2896c334f4ef21aec24596ae13f9b692 SOCRadar 2023-01-31
bff4dd37febd5465e0091d9ea68006be475c0191bd8c7a79a44fbf4b99544ef1 SOCRadar 2023-01-31
4306c5d152cdd86f3506f91633ef3ae7d8cf0dd25f3e37bec43423c4742f4c42 SOCRadar 2023-01-31
f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c SOCRadar 2023-01-31
8a06c836c05537fcd8c600141073132d28e1172d SOCRadar 2023-01-31
6d5ca42906c60caa7d3e0564b011d20b87b175cbd9d44a96673b46a82b07df68 SOCRadar 2023-01-31
7d82030186936aa9fb21256d9593d992 SOCRadar 2023-01-31
f7013ce417fcba0f36c4b9bf5f8f6e0e2b14d6ed33ff4d384c892773508e932e SOCRadar 2023-01-31
03c835b684b21ded9a4ab285e4f686a3 SOCRadar 2023-01-31
8bebb8830366bd649c488903ef8f4e166965276d SOCRadar 2023-01-31
c646199a9799b6158de419b1b7e36b46c7b7413d6c35bfffaeaa8700b2dcc427 SOCRadar 2023-01-31
246dfe16a9248d7fb90993f6f28b0ebe87964ffd2dcdb13105096cde025ca614 SOCRadar 2023-01-31
6345ac3f61b9f4ce64e82d3896baf1fa SOCRadar 2023-01-31
2841848ef59dfe7137e15119e4c9ce5e873e3607 SOCRadar 2023-01-31
25a089f2082a5fcb0f4c1a12724a5521 SOCRadar 2023-01-31
ba83831700a73661f99d38d7505b5646 SOCRadar 2023-01-31
5d304ea1a9f3c8fbe147a74b64f3390e848ba04a SOCRadar 2023-01-31
241ce8af441db2d61f3eb7852f434642739a6cc3 SOCRadar 2023-01-31
0cf6399db55d40bc790a399c6bbded375f5a278dc57a143e4b21ea3f402f551f SOCRadar 2023-01-31
4b5eefa1727b97b6f773be3937a8cc390f0434ddc2f01dc24b68b690fafbcc93 SOCRadar 2023-01-31
88d13669a994d2e04ec0a9940f07ab8aab8563eb845a9c13f2b0fec497df5b17 SOCRadar 2023-01-31
571f8db67d463ae80098edc7a1a0cad59153ce6592e42d370a45df46f18a4ad8 SOCRadar 2023-01-31
9b546bd99272cf4689194d698c830a2510194722 SOCRadar 2023-01-31
209ffbc8ba1e93167bca9b67e0ad3561c065595d SOCRadar 2023-01-31
b14341b1ffe9e2730394b9066c6829b4e2f59a4234765ae2e97cfc6d4593730a SOCRadar 2023-01-31
25ebe54beb3c422ccd2d90aa8ae89087f71b0bed SOCRadar 2023-01-31
72a60d799ae9e4f0a3443a2f96fb4896 SOCRadar 2023-01-31
abe9635adbfee2d2fbaea140625c49abe3baa29c44fb53a65a9cda02121583ee SOCRadar 2023-01-31
aa3f37a75d3ba2ee74955c06eb308ad0cd6bca2e SOCRadar 2023-01-31
5cd95b34782ca5acf8a34d9dc184cb880a19b6edcaf4a4553fa0619b597c2f50 SOCRadar 2023-01-31
74fbf3cc44dd070bd5cb87ca2eed03e1bbeec4fec644a25621052f0a73abbe84 SOCRadar 2023-01-31
a7172aef66bb12e1bb40a557bb41e607 SOCRadar 2023-01-31
a17c21b909c56d93d978014e63fb06926eaea8e7 SOCRadar 2023-01-31
857f28b8fe31cf5db6d45d909547b151a66532951f26cda5f3320d2d4461b583 SOCRadar 2023-01-31
f869e8fbd8aa1f037ad862cf6e8bbbf797ff49556fb100f2197be4ee196a89ae SOCRadar 2023-01-31
bd270853db17f94c2b8e4bd9fa089756a147ed45cbc44d6c2b0c78f361978906 SOCRadar 2023-01-31
af4523186fe4a5e2833bbbe14939d8c3bd352a47a2f77592d8adcb569621ce02 SOCRadar 2023-01-31
310afba59ab8e1bda3ef750a64bf39133e15c89e8c7cf4ac65ee463b26b136ba SOCRadar 2023-01-31
3fe1a3aaca999a5db936843c9bdfea14 SOCRadar 2023-01-31
9d3b268416d3fab4322cc916d32e0b2e8fa0de370acd686873d1522306124fd2 SOCRadar 2023-01-31
75b55bb34dac9d02740b9ad6b6820360 SOCRadar 2023-01-31
fd87ca28899823b37b2c239fbbd236c555bcab7768d67203f86d37ede19dd975 SOCRadar 2023-01-31
ecefd9bb8b3783a81ab934b44eb3d84df5e58f0289f089ef6760264352cf878a SOCRadar 2023-01-31
a839b2a598fc598044f9814873d7fc84 SOCRadar 2023-01-31
09e04ba053edcf4ca38541cbd735568945a5948d SOCRadar 2023-01-31
IPv4s Source Last Update
37.44.253.21 SOCRadar 2023-01-31
217.79.43.148 SOCRadar 2023-01-31
79.141.169.220 SOCRadar 2023-01-31
31.184.198.111 SOCRadar 2023-01-31
204.13.164.118 SOCRadar 2023-01-31
192.137.100.96 SOCRadar 2023-01-31
154.35.175.225 SOCRadar 2023-01-31
222.252.53.33 SOCRadar 2023-01-31
64.52.169.174 SOCRadar 2023-01-31
216.45.55.3 SOCRadar 2023-01-31
31.184.198.84 SOCRadar 2023-01-31
31.184.198.90 SOCRadar 2023-01-31
141.98.87.124 SOCRadar 2023-01-31
159.203.70.39 SOCRadar 2023-01-31
37.120.193.123 SOCRadar 2023-01-31
31.44.184.84 SOCRadar 2023-01-31
31.184.198.74 SOCRadar 2023-01-31
185.153.199.168 SOCRadar 2023-01-31
69.30.232.138 SOCRadar 2023-01-31
62.210.54.235 SOCRadar 2023-01-31
64.235.39.82 SOCRadar 2023-01-31
107.189.10.143 SOCRadar 2023-01-31
185.153.199.163 SOCRadar 2023-01-31
128.31.0.39 SOCRadar 2023-01-31
131.188.40.189 SOCRadar 2023-01-31
37.120.247.39 SOCRadar 2023-01-31
103.27.203.197 SOCRadar 2023-01-31
38.108.119.121 SOCRadar 2023-01-31
31.184.198.82 SOCRadar 2023-01-31
31.44.184.100 SOCRadar 2023-01-31
92.222.172.39 SOCRadar 2023-01-31
192.137.101.205 SOCRadar 2023-01-31
209.76.253.84 SOCRadar 2023-01-31
157.245.70.127 SOCRadar 2023-01-31
31.184.198.80 SOCRadar 2023-01-31
104.238.134.63 SOCRadar 2023-01-31
209.127.187.245 SOCRadar 2023-01-31
86.59.21.38 SOCRadar 2023-01-31
216.45.55.30 SOCRadar 2023-01-31
84.17.52.135 SOCRadar 2023-01-31
185.153.199.164 SOCRadar 2023-01-31
194.109.206.212 SOCRadar 2023-01-31
31.184.198.83 SOCRadar 2023-01-31
108.170.31.115 SOCRadar 2023-01-31
199.58.81.140 SOCRadar 2023-01-31
185.153.199.169 SOCRadar 2023-01-31
149.255.35.131 SOCRadar 2023-01-31
31.184.194.42 SOCRadar 2023-01-31
170.39.212.69 SOCRadar 2023-01-31
193.34.167.17 SOCRadar 2023-01-31
195.54.160.149 SOCRadar 2023-01-31
45.32.229.66 SOCRadar 2023-01-31
193.23.244.244 SOCRadar 2023-01-31
213.32.39.43 SOCRadar 2023-01-31
45.91.83.176 SOCRadar 2023-01-31
45.164.21.13 SOCRadar 2023-01-31
31.184.198.86 SOCRadar 2023-01-31
185.153.199.162 SOCRadar 2023-01-31
31.184.192.44 SOCRadar 2023-01-31
45.86.162.34 SOCRadar 2023-01-31
31.44.184.82 SOCRadar 2023-01-31
46.17.106.230 SOCRadar 2023-01-31
212.192.241.230 SOCRadar 2023-01-31
31.184.198.85 SOCRadar 2023-01-31
192.137.101.46 SOCRadar 2023-01-31
92.222.172.172 SOCRadar 2023-01-31
94.103.9.79 SOCRadar 2023-01-31
185.153.199.176 SOCRadar 2023-01-31
23.227.198.246 SOCRadar 2023-01-31
103.114.163.197 SOCRadar 2023-01-31
167.71.175.165 SOCRadar 2023-01-31
31.184.199.82 SOCRadar 2023-01-31
171.25.193.9 SOCRadar 2023-01-31
104.217.8.100 SOCRadar 2023-01-31
192.137.100.98 SOCRadar 2023-01-31
144.172.83.13 SOCRadar 2023-01-31
CVEs Source Last Update
CVE-2022-24521 SOCRadar 2023-01-31
CVE-2020-1472 SOCRadar 2023-01-31
(CVE-2022-24521: Windows Common Log File System driver elevation of privilege. CVE-2020-1472: Netlogon elevation of privilege, known as ZeroLogon, referenced in the ATT&CK table below.)
Emails Source Last Update
[email protected] (34 addresses, redacted at source) SOCRadar 2023-01-31
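The tables above are flattened as one "indicator Source Last Update" row per line, with MD5, SHA-1 and SHA-256 digests mixed in a single list. The following Python is an added example, not SOCRadar's code: it parses rows in that format, types each indicator by shape, and sweeps a few constructed telemetry events (DNS queries, a file hash, network connections) against them, walking DNS names up through their parent labels so that a subdomain of a listed domain still matches. The indicator rows embedded in it are copied from the tables above; the events are constructed for the demo.

```python
"""Parse flattened 'indicator Source Last Update' rows into typed IOCs and
sweep sample telemetry against them.

Added example for this page, not SOCRadar's code. IOC_ROWS are real rows
copied from the tables above; SAMPLE_EVENTS are constructed for the demo."""
import re
from dataclasses import dataclass

IOC_ROWS = """\
Domains Source Last Update
advanced-ip-scaner.com SOCRadar 2023-01-31
aaa.stage.16549040.dns.alleivice.com SOCRadar 2023-01-31
cuba4ikm4jakjgmkeztyawtdgr2xymvy6nvgw5cglswg3si76icnqd.onion SOCRadar 2023-01-31
Hashes Source Last Update
550f42c5b555893d171285dc8b15b4b5 SOCRadar 2023-01-31
4de5d433af5701462517719ce097bb4c0e5676c9 SOCRadar 2023-01-31
3e3a7116eeadf99963077dc87680952cca87ff4fe60a552041a2def6b45cbeea SOCRadar 2023-01-31
Ipv4s Source Last Update
37.44.253.21 SOCRadar 2023-01-31
Cves Source Last Update
CVE-2020-1472 SOCRadar 2023-01-31
"""

# Most specific shape first: a .onion name would otherwise pass as a domain.
PATTERNS = [
    ("sha256", re.compile(r"^[0-9a-f]{64}$")),
    ("sha1", re.compile(r"^[0-9a-f]{40}$")),
    ("md5", re.compile(r"^[0-9a-f]{32}$")),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("cve", re.compile(r"^cve-\d{4}-\d{4,}$")),
    ("onion", re.compile(r"^[a-z2-7]{16,56}\.onion$")),
    ("domain", re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}$")),
]


@dataclass(frozen=True)
class Ioc:
    kind: str
    value: str
    source: str
    updated: str


def classify(raw):
    """Return (kind, normalised value). Digests and names are lower-cased so
    matching is case-insensitive; CVE IDs keep their canonical upper case."""
    v = raw.strip().rstrip(".").lower()
    for kind, rx in PATTERNS:
        if rx.match(v):
            if kind == "ipv4" and any(int(o) > 255 for o in v.split(".")):
                return "unknown", v
            if kind == "cve":
                v = v.upper()
            return kind, v
    return "unknown", v


def parse_rows(text):
    """Header lines ('Domains Source Last Update') have four tokens and are
    skipped; data rows have exactly three: indicator, source, date."""
    iocs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        kind, value = classify(parts[0])
        iocs.append(Ioc(kind, value, parts[1], parts[2]))
    return iocs


def index_by_kind(iocs):
    idx = {}
    for ioc in iocs:
        idx.setdefault(ioc.kind, set()).add(ioc.value)
    return idx


# Constructed events, not taken from the page.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "Advanced-IP-Scaner.com."},
    {"type": "dns", "query": "www.advanced-ip-scanner.com."},  # legit vendor, must not match
    {"type": "dns", "query": "beacon.aaa.stage.16549040.dns.alleivice.com"},
    {"type": "file", "path": r"C:\Users\a\Downloads\setup.exe",
     "md5": "550F42C5B555893D171285DC8B15B4B5"},
    {"type": "netconn", "dst": "37.44.253.21", "dport": 443},
    {"type": "netconn", "dst": "10.0.0.5", "dport": 445},
]


def match_events(events, idx):
    """Match DNS queries (exact name or any parent label), file digests and
    destination IPs against the indexed IOCs. Returns (indicator, event) pairs."""
    names = idx.get("domain", set()) | idx.get("onion", set())
    hits = []
    for ev in events:
        if ev["type"] == "dns":
            labels = ev["query"].lower().rstrip(".").split(".")
            for i in range(len(labels) - 1):  # full name, then each parent
                candidate = ".".join(labels[i:])
                if candidate in names:
                    hits.append((candidate, ev))
                    break
        elif ev["type"] == "file":
            for algo in ("md5", "sha1", "sha256"):
                digest = ev.get(algo, "").lower()
                if digest and digest in idx.get(algo, set()):
                    hits.append((digest, ev))
                    break
        elif ev["type"] == "netconn" and ev["dst"] in idx.get("ipv4", set()):
            hits.append((ev["dst"], ev))
    return hits


if __name__ == "__main__":
    for indicator, event in match_events(SAMPLE_EVENTS, index_by_kind(parse_rows(IOC_ROWS))):
        print(f"HIT {indicator} <- {event}")
```

Note that the legitimate `www.advanced-ip-scanner.com` query produces no hit while the typosquat does; the parent-label walk is what catches beaconing to a host under `aaa.stage.16549040.dns.alleivice.com`.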

MITRE ATT&CK TECHNIQUES

Cuba ransomware actors use the ATT&CK techniques listed in Table 6. Note: For details on TTPs listed in the table, see FBI Flash Indicators of Compromise Associated with Cuba Ransomware. The table is reproduced here because RomCom RAT is among the tools Cuba ransomware actors have deployed; it describes that group's operations as a whole, not RomCom RAT specifically.

Resource Development
Technique Title (ID): Use
Compromise Infrastructure: Domains (T1584.001): Cuba ransomware actors use compromised networks to conduct their operations.

Initial Access
Valid Accounts (T1078): Cuba ransomware actors have been known to use compromised credentials to get into a victim's network.
External Remote Services (T1133): Cuba ransomware actors may leverage external-facing remote services to gain initial access to a victim's network.
Exploit Public-Facing Application (T1190): Cuba ransomware actors are known to exploit vulnerabilities in public-facing systems.
Phishing (T1566): Cuba ransomware actors have sent phishing emails to obtain initial access to systems.

Execution
Command and Scripting Interpreter: PowerShell (T1059.001): Cuba ransomware actors have used PowerShell to escalate privileges.
Software Deployment Tools (T1072): Cuba ransomware actors use Hancitor as a tool to spread malicious files throughout a victim's network.

Privilege Escalation
Exploitation for Privilege Escalation (T1068): Cuba ransomware actors have exploited ZeroLogon (CVE-2020-1472, listed in the CVEs table above) to gain administrator privileges.

Defense Evasion
Impair Defenses: Disable or Modify Tools (T1562.001): Cuba ransomware actors leveraged a loader that disables security tools within the victim network.

Lateral Movement
Remote Service Session Hijacking: RDP Hijacking (T1563.002): Cuba ransomware actors used RDP sessions to move laterally.

Credential Access
OS Credential Dumping: LSASS Memory (T1003.001): Cuba ransomware actors dump LSASS memory to retrieve the credentials cached there.
Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003): Cuba ransomware actors used Kerberoasting to identify service accounts linked to Active Directory.

Command and Control
Proxy (T1090): Industrial Spy ransomware actors use an HTTP/HTTPS proxy via a C2 server to direct traffic and avoid a direct connection.

Manual removal with Autoruns (Safe Mode with Networking)

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding the "Shift" key on your keyboard. In the "Choose an option" window click "Troubleshoot", then select "Advanced options".

In the advanced options menu select "Startup Settings" and click the "Restart" button. In the following window press "F5" on your keyboard. This restarts the operating system in Safe Mode with Networking.

Download Autoruns from Microsoft Sysinternals, extract the downloaded archive and run the Autoruns.exe file.

In the Autoruns application, click "Options" at the top and uncheck the "Hide Empty Locations" and "Hide Windows Entries" options. After this, click the "Refresh" icon.

Check the list provided by Autoruns and locate the malware file you want to eliminate. Write down its full path and name. Note that some malware hides under legitimate Windows process names; at this stage it is very important to avoid removing system files. Entries whose image path is unsigned, sits under a user-writable directory (such as %APPDATA% or %TEMP%), or points to a file that no longer exists deserve a closer look. After you locate the suspicious program you wish to remove, right click its name and choose "Delete".

After removing the entry in Autoruns (this ensures that the malware will not run automatically on the next system startup), search for the malware file name on the computer. Be sure to enable hidden files and folders before proceeding. If you find the file, remove it.

Reboot the computer in normal mode. These steps remove the persistence entry and the file it points to; they do not undo what a remote access trojan has already done. Treat any credentials entered or stored on the machine as compromised, and for a domain-joined or business system prefer isolating and reimaging the host over manual clean-up. Manual threat removal requires advanced computer skills; if you do not have them, leave malware removal to antivirus and anti-malware programs.


The world of cyber threats is constantly evolving, and it is important for individuals and organizations to stay informed about the latest dangers. One threat that has recently emerged is the RomCom RAT (Remote Access Trojan). This section covers what the RomCom RAT is, how it operates, and how you can protect yourself from it.

What is the RomCom RAT?

The RomCom RAT is malware that gives an attacker remote access to, and control of, a compromised system. The operators behind it trade on the reputation of well-known brands, such as SolarWinds, KeePass and PDF Technologies, to deliver it, which makes the lure hard for victims to recognize and act on.

How Does the RomCom RAT Operate?

In preparation for an attack, the RomCom threat actor scrapes the legitimate vendor's HTML so the decoy site renders identically; registers a domain that closely resembles the legitimate one (compare advanced-ip-scaner.com and advanced-ip-scanners.com in the domains table above with the vendor's real Advanced IP Scanner domain); alters a copy of the legitimate application so that the download still installs and works as expected while also dropping the RAT; uploads the trojanized bundle to the decoy site; and sends targeted phishing emails that steer victims to it. Additional infection vectors may also be in use. The practical defence is to verify the download domain character by character, or better, to reach vendor sites through bookmarks or a search rather than through links in email.
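The lookalike-domain step above, as an added example (not SOCRadar's or BlackBerry's code): a Python check that scores a candidate domain against a small set of legitimate vendor domains by edit distance and by brand-name embedding. The REFERENCE set is an assumption for the demo (advanced-ip-scanner.com, keepass.info and solarwinds.com are the vendors' real sites, but the choice is made here, not by the page); the two typosquats it flags are the ones in the domains table above, and the other test domains are constructed.

```python
"""Flag lookalike domains of the kind the RomCom actor registers: a name
within a small edit distance of a brand's legitimate domain, or one that
embeds the brand under another suffix. Added example, not from the page.

REFERENCE is an assumption for the demo: real vendor domains, chosen here."""

REFERENCE = {
    "advanced-ip-scanner.com",
    "keepass.info",
    "solarwinds.com",
}


def levenshtein(a, b):
    """Classic dynamic-programming edit distance (insert/delete/substitute = 1)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Crude eTLD+1: the last two labels. Adequate for .com/.info; a real
    deployment would consult the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def assess(domain, reference=REFERENCE, max_distance=2):
    """Return (verdict, closest reference, distance). Verdicts:
    'legit', 'typosquat', 'brand-abuse', 'unrelated'."""
    d = registrable(domain)
    if d in reference:
        return "legit", d, 0
    closest = min(reference, key=lambda r: levenshtein(d, r))
    dist = levenshtein(d, closest)
    if dist <= max_distance:
        return "typosquat", closest, dist
    # Not a near-miss spelling, but the brand word is embedded: keepass-download.net
    base = d.split(".")[0].replace("-", "")
    for r in reference:
        brand = r.split(".")[0].replace("-", "")
        if brand in base:
            return "brand-abuse", r, dist
    return "unrelated", closest, dist


if __name__ == "__main__":
    # Two typosquats from the domains table, one legit name, two constructed cases.
    for name in ("advanced-ip-scaner.com", "advanced-ip-scanners.com",
                 "www.advanced-ip-scanner.com", "keepass-download.net", "4qzm.com"):
        print(name, assess(name))
```

A fixed `max_distance` of 2 is generous for short reference names (two edits of a six-letter domain is a different word), so in practice scale the threshold with the reference length and keep the brand-embedding rule as the fallback for names like a constructed `keepass-download.net` that are far from the original by edit distance yet obviously trade on it.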

Who is at Risk of a RomCom RAT Attack?

Currently, Ukraine appears to be the primary target of RomCom RAT attacks, but some English-speaking countries, such as the United Kingdom, are also being targeted. Given the location of the targets and the current geopolitical situation, it is unlikely that the RomCom RAT threat actor is motivated by financial cybercrime; the targeting is consistent with a geopolitically motivated actor.
Reports
File Name Description
0408-Threat-ReportV17.pdf Delivering Actionable and Contextualized Intelligence to Increase Cyber Resilience (BlackBerry Threat Report V17)

APT Groups
APT Name Aliases Target Countries Source Countries Total IOCs
RomCom None

History Timeline

  • Fri, 14 Jul 2023 11:15:04 GMT
    New Report Added
    BlackBerry Threat Report V17 added.

  • Tue, 04 Jul 2023 00:00:00 GMT
    RomCom Threat Actor Suspected of Targeting Ukraine's NATO Membership Talks at the NATO Summit
    On July 4, the BlackBerry Threat Research and Intelligence team found two malicious documents submitted from an IP address in Hungary, sent as lures to an organization supporting Ukraine abroad, and a document targeting upcoming NATO Summit guests who may also be providing support to Ukraine.

  • Tue, 31 Jan 2023 09:34:10 GMT
    New IOCs Added
    Total 295 IOCs added.

  • Tue, 31 Jan 2023 09:32:28 GMT
    New APT Groups Added
    New APT groups added.

  • Tue, 31 Jan 2023 09:10:24 GMT
    Created
    New campaign created.

  • Mon, 10 Oct 2022 00:00:00 GMT
    Evasion Techniques
    On October 10, 2022, the threat actor improved its evasion techniques, including obfuscation of all strings and execution as a COM object.

  • Sat, 23 Jul 2022 00:00:00 GMT
    Advanced IP Scanner
    Once the victim installs the trojanized Advanced IP Scanner bundle, it drops RomCom RAT onto the system.
Dark Web News


New OHM Android RAT is Shared

In a hacker forum monitored by SOCRadar, a new OHM Android RAT share was detected. The post reads:

OHM Android RAT + Tutorial

"Android Remote Administration Tool" is what the abbreviation stands for. It is a kind of programme or application that enables someone to operate Android devices remotely, frequently without the user's knowledge or consent. While remote administration tools have their legal uses, such as in IT assistance or device monitoring, Android RATs are frequently linked to malevolent intent. Android RATs can be used by malicious actors to acquire unauthorised access to a victim's Android smartphone and carry out a variety of tasks, such as:
• Spying is the practice of gathering private data without the user's knowledge, such as messages, call records, and images.
• Keylogging is the act of recording keystrokes in order to obtain login information or other private data.
• Controlling a device's features remotely, such as dialling a number, sending an email, or starting an application.
• Copying files and data from the target device to the server of the attacker is data theft.
• Using compromised devices as part of a botnet to perform DDoS assaults on specific servers is known as distributed denial of service (DDoS).
• Ransomware: software that locks a device and demands payment to unlock it.
It's important to remember that it's unlawful and immoral to use Android RATs for nefarious purposes. These tools may be spread through a variety of techniques, including malicious websites, infected mobile applications, and email attachments. It's essential to keep your Android smartphone's software updated, only download apps from reputable stores like the Google Play Store, and use security software to find and remove any possible risks if you want to safeguard your device from attacks of this nature. Furthermore, maintaining good digital hygiene by avoiding dubious sites and files might reduce your vulnerability to Android RAT assaults.

Features
• Read, Delete Internal Storage Files
• Download Any Media to your Device from Victim's Device
• Get GPS location
• Get Network Provider Location
• Get all the system information of Victim's Device
• Shows all the installed apps in Victim's Device
• Open Any Website in Victim's Device
• Make any folder in Victim's Device
• Show any notification in Victim's Device
• Delete any File or Folder From Victim's Internal Storage
• Dump SMS
• Play music in Victim's device
• Change Wallpaper
• Vibrate Device
• Turn On/Off Flash Light
• Text To Speech Feature
• Runs In Background Even if App is Closed
• Support Android v5+
• No Port Forwarding Needed
• Fully Undetectable
• WipeSdcard
• Shows Update Page, if you want.
• Pre Binded Whatsapp
Discord: blackhatrussiaofficial#5904
Telegram: https://t.me/***


A New RAT Tool is on Sale

In a hacker forum monitored by SOCRadar, a new RAT tool sale was detected. The post reads:

WrathRat
* Multiple admins, users, resellers, clients = one server.
* Languages: English, Italian, Spanish
* The fastest RAT ever built, period.
1- Super Admin panel:
  1- You can create Users and Resellers
  2- You can deactivate users/resellers
2- Resellers panel: You can create Users you want to rent the WrathRAT to
3- Users Panel:
  1- Show devices and their current LIVE status (online or offline)
  2- Generate a new APK (title, package name, icon)
  3- Block certain phone numbers (once the phone number is blocked the admin will be alerted if the client has called the phone number)
  4- Device notes (you can enter notes for each device)
  5- Device permissions
  6- VNC
  7- HVNC (draws the important and not important texts, buttons, input fields, etc.)
  9- Lock screen (shows a black screen that covers the whole screen and dims the light to make the device look like it's off)
  10- Custom lock screen (you can design your own lock screen, top title, bottom title and an image "JPG or GIF"). The lock screen will also block the user's touches on the device, and automatically closes the status bar if swiped down by the client
  11- Call logs (view, delete, insert calls)
  12- Push notifications (able to send push notifications)
  13- Apps (view, open or uninstall device apps)
  14- Block apps (once an app is blocked it will never be opened again unless it's unblocked)
  15- Keylogger (everything that is entered on the device will be shown in the panel)
  16- Wake up device (if the device screen is off you will be able to wake it up)
  17- PIN/Pattern (once this option is activated you will be able to enter either the PIN or pattern in the device lock screen)
  18- Format device
  19- Call a number
  20- SMS messages (view, send, delete SMS messages; a built-in SMS RAT)
  21- Long click (you can perform a long click)
  22- Swipe gestures
  23- VNC and HVNC image quality (you can control the speed and the quality of the VNC and the HVNC)
  24- Send text (you can select any field via VNC or HVNC and enter any text in the selected field)
  25- Remote errors (if any error happens in the client device you will be able to view it in the panel)
** There are many other features; the above are some of the functions of the WrathRAT.
Payment options:
1- You can purchase the source code.
2- You can rent the WrathRAT on a weekly payment basis.



A New RAT Tool is Shared

In a hacker forum monitored by SOCRadar, a new RAT tool sharing post was detected. The post reads:

Sorillus Rat Cracked

Sorillus is a Remote Access Trojan written in Java, which means that Server and Client run on all operating systems (e.g. Windows, Linux, Mac).

What is Sorillus Rat? Sorillus is a platform-independent R.A.T (Remote Access Trojan) written in Java that can help a pentester get full remote access to any device that can run Java. This RAT can infect Linux devices as well as macOS and other OSes like Windows. Its developer is planning to make a new version that can hack Android as well, so it's not just a cross-platform RAT; its stub is also cross-platform.

Features
System:
• Pop-up: Display pop-up messages on the victim's screen.
• Clipboard: Access and manage the victim's clipboard contents.
• Open URL: Open a specified URL in the victim's browser.
• Show IP: Retrieve and display the victim's IP address.
• Report: Generate and send reports regarding system status and activities.
• Shutdown: Remotely shut down the victim's system.
Surveillance:
• Screenshot: Capture screenshots of the victim's screen.
• Remote desktop: View and control the victim's desktop remotely.
• Remote cam: Access and view the victim's webcam remotely.
• Remote microphone: Listen to audio from the victim's microphone remotely.
• Key logger: Record and monitor keystrokes on the victim's system.
Fun:
• Play sound: Play customized sounds on the victim's system.
• Black screen: Turn the victim's screen black for privacy or focus purposes.
• Image walk: Display a series of images in a slideshow format.
Contact:
• Text-Chat: Engage in text-based communication with the victim.
Custom:
• Alias: Assign customized aliases or names to victims for easier identification.
• Notes: Add and manage personal notes or annotations for each victim.
Debug:
• Thread: Monitor and manage threads within the application.
• Instances: Track and manage multiple instances of the application.
Advanced Controls:
• Remote Shell: Execute remote commands on the victim's system.
• File Manager: Access and manage files and directories on the victim's system.
• Processes: View and manage running processes on the victim's system.
• Password Recovery: Recover passwords from supported browsers.
• Plugins: Extend the functionality of the application with custom plugins.
• Close Views: Close specific views or modules within the application.
Installation:
• Add Autostart: Add the payload to the autostart folder so it starts automatically with startup apps.
• Update Client: Update the victim's payload to the latest version.
• Uninstall & Disconnect: Remove the client software and disconnect from the system.
Connection:
• Reconnect: Reconnect to a previously connected victim.
• Disconnect: Disconnect the connection with a victim.
Discord: *****#*****
Telegram: https://t.me/******



New RAT is Shared

In a hacker forum monitored by SOCRadar, a new RAT share was detected. The post reads:

ANARCHY PANEL RAT 4.7 Cracked

Tools: Icon Changer - Multi Binder [Icon - Assembly] | Fud Downloader [HTA-VBS-JS-WSF] - XHVNC - BlockClients
Features: Information, Monitor [Mouse - Keyboard - AutoSave], Run File [Disk - Link - Memory - Script - RunPE], WebCam [AutoSave], Microphone, System Sound, Open Url [Visible - Invisible], TCP Connections, ActiveWindows, Process Manager, Clipboard Manager, Shell, Installed Programs, DDos Attack, VB.Net Compiler, Location Manager [GPS - IP], File Manager, Client [Restart - Close - Uninstall - Update - Block - Note]
Options: Power [Shutdown - Restart - Logoff], BlankScreen [Enable - Disable], TaskMgr [Enable - Disable], Regedit [Enable - Disable], UAC [Enable - Disable], Firewall [Enable - Disable], .NET 3.5 Install, Disable Update, Run Shell, Invoke-BSOD
Password Recovery: Bookmarks - Browsers - All-In-One - DiscordTokens, FileZilla - ProduKey - WifiKeys - Email Clients
Pastime: CD ROM [Open - Close], DesktopIcons [Show - Hide], SwapMouse [Swap - Normal], TaskBar [Show - Hide], Screen [ON-OFF], Volume [Up - Down - MUTE], Start [Show - Hide], Clock [Show - Hide], Text Speak, Explorer [Start - Kill], Tray Notify [Show - Hide]
Extra 1: KeyLogger, Client Chat, FileSearcher, USB Spread, Bot killer, PreventSleep, Message Box, Change Wallpaper, DeleteRestorePoints, UAC Bypass [RunAs - Cmstp - Computerdefaults - DismCore], Run Clipper [All Cryptocurrencies]
Extra 2: Ransomware [Encrypt - Decrypt], Ngrok Installer, HVNC, Hidden RDP, WDDisable, W.D.Exclusion, Install [Startup - Registry - schtasks]
Requirements: .NET Framework 4.5 [Controller], .NET Framework 4.0 [Client]
Discord: ***#**
Telegram: https://t.me/****


GobRAT: Sophisticated Remote Access Trojan, Targeting Linux Routers, Emerges in Japan

In recent cybersecurity news, a new and highly sophisticated remote access trojan (RAT) called GobRAT has emerged, specifically targeting Linux routers. This Go-based malware has been observed infecting routers in Japan, gaining access through vulnerabilities and router web interfaces (WEBUIs) exposed to the internet. The malware was recently identified and analyzed by JPCERT/CC.

Attack Flow

GobRAT's infiltration begins with the attacker identifying routers with publicly accessible WEBUIs as potential targets. By exploiting vulnerabilities in the router's scripts, the attacker gains a foothold and infects the system with GobRAT. Central to this process is the Loader Script, which acts as the initial loader and performs a range of critical functions.

Figure 1. How the attack progresses until GobRAT successfully infects the router. (Source: JPCERT/CC)

The Loader Script is a versatile utility: it generates further scripts, downloads GobRAT, disables the firewall, creates a persistent Start Script, and executes a Daemon Script. Notably, the Loader Script contains a hard-coded SSH public key, potentially offering the attacker a backdoor entry point. Persistence is achieved by registering the Start Script's file path in the crontab, ensuring that GobRAT keeps running.

The Start Script is responsible for executing GobRAT on the compromised router. A distinguishing characteristic is that the script logs the system's startup time in a file named "restart.log." To hide its presence, GobRAT runs under the name of a seemingly legitimate process, "apached."

GobRAT implements 22 commands, executed according to instructions received from the C2 server. Tailored for router environments, the commands include obtaining machine information, executing reverse shells, file read/write operations, C2 reconfiguration, starting a SOCKS5 proxy, executing files in specific directories, and even attempts to log in to services such as SSH, Telnet, Redis, MySQL, and PostgreSQL running on other machines. You can read the JPCERT/CC analysis here.

IOCs

C2
https[:]//su.vealcat[.]com
http[:]//su.vealcat[.]com:58888
https[:]//ktlvz.dnsfailover[.]net
http[:]//ktlvz.dnsfailover[.]net:58888
su[.]vealcat[.]com
ktlvz[.]dnsfailover[.]net
wpksi[.]mefound[.]com

Hashes of Scripts (SHA-256)
060acb2a5df6560acab9989d6f019fb311d88d5511f3eda0effcbd9fc6bd12bb
feaef47defd8b4988e09c8b11967e20211b54e16e6df488780e2490d7c7fa02a
3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1
60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3

Malware files (SHA-256)
a8b914df166fd0c94106f004e8ca0ca80a36c6f2623f87a4e9afe7d86b5b2e3a
aeed77896de38802b85a19bfcb8f2a1d567538ddc1b045bcdb29cb9e05919b60
6748c22d76b8803e2deb3dad1e1fa7a8d8ff1e968eb340311fd82ea5d7277019
e133e05d6941ef1c2e3281f1abb837c3e152fdeaffefde84ffe25338fe02c56d
43dc911a2e396791dc5a0f8996ae77ac527add02118adf66ac5c56291269527e
af0292e4de92032ede613dc69373de7f5a182d9cbba1ed49f589ef484ad1ee3e
2c1566a2e03c63b67fbdd80b4a67535e9ed969ea3e3013f0ba503cfa58e287e3
98c05ae70e69e3585fc026e67b356421f0b3d6ab45b45e8cc5eb35f16fef130c
300a92a67940cfafeed1cf1c0af25f4869598ae58e615ecc559434111ab717cd
a363dea1efda1991d6c10cc637e3ab7d8e4af4bd2d3938036f03633a2cb20e88
0c280f0b7c16c0d299e306d2c97b0bff3015352d2b3299cf485de189782a4e25
f962b594a847f47473488a2b860094da45190738f2825d82afc308b2a250b5fb
4ceb27da700807be6aa3221022ef59ce6e9f1cda52838ae716746c1bbdee7c3d
3e1a03f1dd10c3e050b5f455f37e946c214762ed9516996418d34a246daed521
3bee59d74c24ef33351dc31ba697b99d41c8898685d143cd48bccdff707547c0
c71ff7514c8b7c448a8c1982308aaffed94f435a65c9fdc8f0249a13095f665e

Enhancing Security Measures with SOCRadar

Threat actors and Advanced Persistent Threat (APT) groups use various techniques and tools to accomplish their goals. Monitoring and comprehending these adversaries' actions is critical. It offers valuable insights into their current Tactics, Techniques, and Procedures (TTPs), which may be more important than frequently altered Indicators of Compromise (IoCs). SOCRadar notifies you about threat groups' actions and enables you to establish use cases that more efficiently identify and thwart malicious activities.
SOCRadar Threat Actor / Malware Tracking page
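The GobRAT write-up above gives a defender four concrete host-side traits to hunt for: a Start Script registered in the crontab, a startup log named "restart.log", a process masquerading as "apached", and an SSH public key the operator never installed. The following script is an added example written for this page; it is not JPCERT/CC or SOCRadar code. It runs the corresponding checks over constructed text snapshots of a router's process list, crontab, authorized_keys file and file hashes. The "trusted" cron path prefixes, the operator key allowlist and all sample data are assumptions for the demonstration; the two SHA-256 values are copied from the script-hash IOC list above.

```python
# Added example (not JPCERT/CC or SOCRadar code): host-hunting checks for the
# GobRAT traits described above, run over constructed snapshots of router state.
from dataclasses import dataclass


@dataclass
class Finding:
    check: str   # which check fired: process / crontab / ssh / file
    detail: str  # human-readable explanation


# Process name the page reports GobRAT using to blend in with a web server.
MASQUERADE_NAMES = {"apached"}
# Startup log written by the Start Script, per the page.
STARTUP_LOG = "restart.log"
# Script hashes (SHA-256) copied from the IOC list on this page.
KNOWN_SCRIPT_HASHES = {
    "060acb2a5df6560acab9989d6f019fb311d88d5511f3eda0effcbd9fc6bd12bb",
    "feaef47defd8b4988e09c8b11967e20211b54e16e6df488780e2490d7c7fa02a",
}
# Assumption: cron jobs on a router normally launch binaries under these prefixes.
TRUSTED_CRON_PREFIXES = ("/etc/", "/usr/", "/bin/", "/sbin/")


def check_processes(ps_text: str) -> list:
    """Flag processes whose basename matches a masquerade name.
    Input is `ps -o pid,args` style text with a header line first."""
    out = []
    for line in ps_text.strip().splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        pid, args = parts
        name = args.split()[0].rsplit("/", 1)[-1]
        if name in MASQUERADE_NAMES:
            out.append(Finding("process", f"pid {pid} runs as '{name}' (real Apache is httpd/apache2)"))
    return out


def check_crontab(crontab_text: str) -> list:
    """Flag cron entries that launch a script or binary outside trusted paths."""
    out = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # "@reboot"-style entries have one schedule field, others have five.
        cmd = fields[1:] if fields[0].startswith("@") else fields[5:]
        if not cmd:
            continue  # variable assignment or malformed line
        program = cmd[0]
        # "sh /path/script.sh": judge the script, not the interpreter.
        if program.rsplit("/", 1)[-1] in ("sh", "bash", "ash") and len(cmd) > 1:
            program = cmd[1]
        if program.startswith("/") and not program.startswith(TRUSTED_CRON_PREFIXES):
            out.append(Finding("crontab", f"entry runs untrusted path {program}: {line}"))
    return out


def check_authorized_keys(keys_text: str, allowlist: set) -> list:
    """Flag SSH public keys (type + key body) absent from the operator allowlist."""
    out = []
    for line in keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Entries may carry leading options; the key type is the first
        # field that starts with "ssh-" or "ecdsa-".
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(parts):
            out.append(Finding("ssh", f"unparseable authorized_keys line: {line}"))
            continue
        if f"{parts[idx]} {parts[idx + 1]}" not in allowlist:
            comment = " ".join(parts[idx + 2:]) or "<no comment>"
            out.append(Finding("ssh", f"unknown key ({parts[idx]}, comment: {comment})"))
    return out


def check_files(file_hashes: dict) -> list:
    """Flag files named like the startup log or whose SHA-256 is a known IOC."""
    out = []
    for path, digest in file_hashes.items():
        if path.rsplit("/", 1)[-1] == STARTUP_LOG:
            out.append(Finding("file", f"startup log present: {path}"))
        if digest.lower() in KNOWN_SCRIPT_HASHES:
            out.append(Finding("file", f"{path} matches a known GobRAT script hash"))
    return out


def hunt(ps_text, crontab_text, keys_text, allowlist, file_hashes) -> list:
    """Run every check and return all findings."""
    return (check_processes(ps_text) + check_crontab(crontab_text)
            + check_authorized_keys(keys_text, allowlist) + check_files(file_hashes))


# ---- constructed samples (not captured from a real device) ----
SAMPLE_PS = "PID ARGS\n1 /sbin/init\n812 /usr/sbin/httpd -f /etc/httpd.conf\n1337 apached\n"
SAMPLE_CRONTAB = "# constructed crontab\n*/5 * * * * /usr/bin/ntpd -q\n@reboot sh /tmp/.x/start.sh\n"
OPERATOR_KEYS = {"ssh-ed25519 AAAAC3CONSTRUCTEDOPERATORKEY"}
SAMPLE_AUTH_KEYS = "ssh-ed25519 AAAAC3CONSTRUCTEDOPERATORKEY admin@router\nssh-rsa AAAAB3CONSTRUCTEDUNKNOWNKEY\n"
SAMPLE_FILES = {
    "/tmp/.x/restart.log": "0" * 64,  # placeholder digest, not an IOC
    "/tmp/.x/start.sh": "060acb2a5df6560acab9989d6f019fb311d88d5511f3eda0effcbd9fc6bd12bb",
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_PS, SAMPLE_CRONTAB, SAMPLE_AUTH_KEYS, OPERATOR_KEYS, SAMPLE_FILES):
        print(f"[{f.check}] {f.detail}")
```

Against the constructed samples this reports five findings: the "apached" process, the `@reboot` cron entry pointing into `/tmp`, the unknown `ssh-rsa` key, the `restart.log` file and the script whose hash matches the IOC list. On a real router the inputs would come from `ps`, `crontab -l`, `~/.ssh/authorized_keys` and `sha256sum`; the hash and name checks are only as good as the IOC list, while the crontab and authorized_keys checks catch the persistence technique itself even when the samples change.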


A New Malware Share is Detected

In a hacker forum monitored by SOCRadar, a new RAT malware share is detected for Android.

Everspy Rat - The most powerful Rat for Android (Free, unrestricted use)

Everspy 2023 is a powerful software designed for remote monitoring and control of a user's cell phone. With a comprehensive range of features, it allows the user to discreetly access and manipulate various aspects of the target device. From screen control and call recording to intercepting messages and accessing contacts, Everspy offers extensive control over the device's functionalities. Additionally, it includes advanced capabilities such as bypassing banking app security, capturing keystrokes through a keylogger, and even wiping data from the phone. Everspy operates stealthily, remaining undetectable while providing continuous updates for enhancements and fixes. It is a versatile tool for monitoring and managing targeted devices, ensuring maximum control and flexibility for various applications.

Features
1. Screen Control: Enables full control of the user's cell phone with touch interaction.
2. Ghost Mode (Available only in the Ultimate version): Displays an image on the user's device during control for discreet operation.
3. Ghost Mode Push Notification (Available only in the Ultimate version): Sends a push notification to the user's device, appearing as an Android update screen, prompting them to update while Ghost Mode is active.
4. Freeze Screen: Temporarily freezes the user's screen while maintaining control.
5. Bypass Banking App Security: Overcomes security measures in some banking applications that display a black screen to protect against remote access or screen recording.
6. PNG Exploit (No longer functional, currently unavailable): Formerly camouflaged malicious files as PNG image files, resulting in immediate device infection.
7. Automatic Permission Granting: All necessary permissions are automatically granted once Accessibility is activated.
8. Fully Undetectable APK: The malicious app installs without raising any alerts or triggering detection mechanisms.
9. Call Recording: Records all user phone calls offline.
10. Future Updates: Continuous updates and corrections are available within the Everspy folder. Simply run the Everspy Update file to download the latest enhancements and fixes.
11. Phisher: Displays fake apps, such as Gmail and Facebook, to capture user access.
12. Messages: Sends and intercepts SMS through the user's cell phone.
13. Contacts: Intercept and access contacts on the user's cell phone.
14. Camera: Accesses the front and rear cameras.
15. Wipe Data: Erases all data on the user's phone, restoring it to factory settings.
16. Edit Socket: Adds or removes TCP ports and IP addresses for server and client connections.
17. Download APK: Downloads files of various types to the user's device, excluding APK files.
18. Open a Link: Opens a specified link in the user's default browser.
19. Toaster: Displays a message on the user's screen.
20. Notifications: Intercepts notifications on the user's cell phone.
21. File Manager: Views and has full control over files on the user's device.
22. Applications: Views and opens apps on the user's device.
23. Keylogger: Captures and records the user's keystrokes, both offline and online.
24. Accounts: Views connected user accounts.
25. Call Logs: Views all outgoing and incoming calls on the user's device.
26. Info: Views device specifications and details of the user's cell phone.
27. Location: Provides precise location tracking of the user.

Disclaimer
The user assumes full and exclusive responsibility for the utilization of the everspy tool and acknowledges that any material, personal information, images, or other damages of any nature that may arise from the use of the everspy tool are solely their own responsibility.
The Everspy Rat is a malicious software that requires all antivirus and firewall protections on the computer to be completely disabled before it can be used.


New RAT is Shared

In a hacker forum monitored by SOCRadar, a new RAT sharing is detected.

Rafel Rat + Tutorial
Rafel is a Remote Access Tool used to control victims using a WebPanel, with more advanced features.
==========
Main Features:
Admin Permission
Add App To White List (Ignore Battery Optimisation)
Looks Like Legit Mod App
Runs In Background Even When App is Closed (May not work on some Devices)
Accessibility Feature (Causes Errors on some devices --> ignore it)
Support Android v5 - v12
No Port Forwarding Needed
Acquire Wakelock
Fully Undetectable
Bypass PlayProtect
WipeSdcard
Lock Device Screen
Change Wallpaper
Ransomware
Vibrate Device
Delete Call Logs
Notify Victims Via Discord
Steal notifications (send through Discord)
Added AutoStart For (poco, xiaomi, oppo, vivo, LetV, Honor)

Building Apk With Android Studio
Open Project BlackMart in Android Studio. Put the command.php link of server in InternalService.class class. Now open NotificationListener.java and replace with your discord webhook url. Build the Project. Zipalign and sign the Apk...

Building Apk with ApkEasyTool
Download BlackMart apk and decompile with Apktool and navigate to smali_classes2\com\velociraptor\raptor. Open InternalService.smali. Replace this with your Panel Url: const-string v0, "https://your-webpanel-url/public/commands.php". Now open NotificationListener.smali and replace with your discord webhook url.

Building Server
Upload Files in server Folder to Your HostingPanel. Now Open login.php. Enter Username Hande, Password Ercel.
Note: Make Sure your webhosting site uses Https and should have valid connection... I recommend 000webhost.com
You can now use panel to send commands and also refresh after it.
Discord: ***#***
Telegram: https://t.me/****




Reaper Android Rat V3 Tool is Shared

In a hacker forum monitored by SOCRadar, a new tool Reaper Android Rat is shared.

REAPER ANDROID RAT V3 | WORK 5 TO 13 VERSION | VNC |
Reaper rat is a stable android rat. That can work on all android phones 5 to 13.
REAPER RAT v3 UPDATE
UPDATE ALERT
REAPER RAT V3 NEW FEATURES
APK INJECTER {Inject your payload into Real apk}
Reset Factory {you can wipe all android data}
Admin prev {get admin access for more attacks}
Fast vnc {fast screen control}
Fast keylogger {super fast keylogger 10x speed}
apk Pumper {you can Resize your apk 1mb to 5000mb}
New Accessibility popup {Like Real apk permission ~optional}
Apk loading Screen during install {optional}
Fast Connection
Rename Victim device
More coming soon
OTHER FEATURES
Features:
Anti-delete (Auto Click)
Start Screen Recording
Battery Bypass Optimization
Supports all phone models
Fixing in system files
Stealer 2FA Google Authenticator
android keylogger
Google security bypass
Chinese PI Bypass
Crypto stealer
Clipboard control
Realtime Monitor
Screen control (VNC)
Complete injection with applications
Launches automatically after rebooting the phone
Bank Screen Bypass
File manager
– Download/Upload
– Secure Delete Options
– Thumbnail/Gallery smooth view
– Zip/Unzip
– advanced search
– Copy/Paste
– Decrypt/Decode
– Rename/Edit
– Hidden/Unhidden File
– Play sound
– Set Wall Paper
Call manager
– Show List Of Call Out/in
– Delete
SMS Manager
– Show List Of SMS
– Delete SMS
Keylogger
– Online/Live keylogger
– offline keylogger
Contact Manager
– Show Contact Number
– Add contacts
– Delete
Application manager
– Show List Of Application
– Open app
Account manager
– Show Account Of App Email/Number
Live screen
– Show Screen Live
– Control Screen (VNC)
– Use Keyboard
– Take Screenshot
Camera
– Open Front Camera
– Open Back Camera
– Take photo
Microphone capture
– listen
– Speak
– Record
Location
– Live Location On Map
Fun Tools
– call number
– Download Apk From Link
– Show Message On Screen
– clip board
– Open Link
– Run Commands
Social Media
Social stealer
– Stealer Gmail account
– Stealer Facebook account
– Stealer 2FA Google Authenticator Code
Notification
– Get All Notification
phone info
– Get Name Of Phone
– Android version
– Model Of Phone
– Host/MAC address
– Serial number
Builder:
– Custom Icon
– Custom Fake-APP
– Custom Notification
– Anti-Emulator
– APK Version 22 & 28
– Bind with Fake APK
– Hide APK
JOIN OUR TELEGRAM https://t.me***



New RAT is Shared

In a hacker forum monitored by SOCRadar, a new RAT share is detected.

Quasar Rat v1.4.1 Cracked
==========
Quasar RAT (Remote Access Trojan) is a type of malware that can grant an attacker remote access and control over an infected computer. This powerful Trojan is a popular tool used by cybercriminals to gain unauthorized access to a victim's system, steal data, and carry out malicious activities.

Quasar RAT was first discovered in 2015 and has since become a popular choice for cybercriminals due to its wide range of features and ease of use. It is a fully functional remote administration tool that allows attackers to execute commands on an infected computer as if they were physically present in front of the machine.

The Trojan is typically spread through phishing emails, social engineering tactics, or by exploiting software vulnerabilities. Once it infects a system, it can give the attacker complete control over the infected machine. This includes the ability to steal sensitive information, install additional malware, and even use the computer's resources for malicious purposes.

One of the most concerning aspects of Quasar RAT is its ability to remain undetected by most antivirus programs. The Trojan is often able to bypass traditional antivirus software by using advanced techniques such as code obfuscation and encryption.

Quasar RAT also comes equipped with a wide range of features, making it a versatile tool for cybercriminals. Some of the features include keylogging, screen capture, file transfer, and remote desktop access. These features allow an attacker to monitor a victim's activity, steal sensitive data, and carry out further attacks.

To protect against Quasar RAT, it is important to practice good cybersecurity habits, such as keeping software up to date, using strong passwords, and being cautious when opening email attachments or clicking on links. It is also recommended to use a reputable antivirus program that is regularly updated to detect and remove known threats.

In conclusion, Quasar RAT is a powerful and dangerous remote access Trojan that can give attackers complete control over an infected computer. It is important for individuals and organizations to take the necessary precautions to protect themselves against this and other types of malware. Vigilance and caution are key to avoiding falling victim to these types of attacks.

Features
TCP network stream (IPv4 & IPv6 support)
Fast network serialization (Protocol Buffers)
Encrypted communication (TLS)
UPnP Support (automatic port forwarding)
Task Manager
File Manager
Startup Manager
Remote Desktop
Remote Shell
Remote Execution
System Information
Registry Editor
System Power Commands (Restart, Shutdown, Standby)
Keylogger (Unicode Support)
Reverse Proxy (SOCKS5)
Password Recovery (Common Browsers and FTP Clients)
... and many more!
Whatsapp
Discord: ***
Telegram: https://t.me/***

Xworm v3.0 Remote Access Trojan is Shared

In a hacker forum monitored by SOCRadar, Xworm v3.0 remote access trojan sharing is detected.

Cracked by *********** So only use in VM, rdp or Sandbox
Features:
⭐️ Builder:
✅ | Schtasks - Startup - Registry | [Change Path]
✅ | TBotNotify - AntiKill - WDEX - Keylogger - Clipper - Sleep - Obfuscator |
✅ | AntiAnalysis - USB Spread - Icon - Assembly |
✅ | Icon Pack |
⭐️ Connection:
✅ | Stable Connection - Encrypted Connection - Encrypted Strings |
⭐️ Tools:
✅ | Check Port - Icon Changer - Multi Binder [Icon - Assembly - Obfuscator] |
✅ | Fud Downloader [HTA-VBS-JS-WSF] - BlockClients |
⭐️ Features:
✅ Information
✅ Monitor [Mouse - Keyboard - AutoSave - Window]
✅ Run File [Disk - Link - Memory - Script - RunPE]
✅ WebCam [AutoSave]
✅ Microphone
✅ System Sound
✅ Open Url [Visible - Invisible]
✅ TCP Connections
✅ ActiveWindows
✅ StartupManager
✅ Registry Editor
✅ Process Manager
✅ Clipboard Manager
✅ Shell
✅ Installed Programs
✅ DDos Attack
✅ VB.Net Compiler
✅ Location Manager [GPS - IP]
✅ File Manager
✅ Client [Restart - Close - Uninstall - Update - Block - Note]
✅ Power [Shutdown - Restart - Logoff]
⭐️ Options:
✅ BlankScreen [Enable - Disable]
✅ TaskMgr [Enable - Disable]
✅ Regedit [Enable - Disable]
✅ UAC [Enable - Disable]
✅ Firewall [Enable - Disable]
✅ Windows Update [Enable - Disable]
✅ Invoke-BSOD
✅ Bot killer
✅ ResetScale
✅ .Net 3.5 Install
✅ DeleteRestore
✅ WDExclusion
✅ WDDisable
⭐️ Password Recovery:
✅ | Passwords - Cookies - CreditCards - Bookmarks - Downloads - Keywords - History - Autofill | [Chromium]
✅ | Passwords - Cookies - Bookmarks - History | [FireFox]
✅ | All-In-One - Discord Tokens - ProductKey - InternetExplorer - FileZilla - Wifi Keys |
⭐️ Pastime:
✅ CD ROM [Open - Close]
✅ DesktopIcons [Show - Hide]
✅ SwapMouse [Swap - Normal]
✅ TaskBar [Show - Hide]
✅ Screen [ON - OFF]
✅ Volume [Up - Down - MUTE]
✅ Start [Show - Hide]
✅ Clock [Show - Hide]
✅ Text Speak
✅ Explorer [Start - Kill]
✅ TrayNotify [Show - Hide]
🔆 Extra 1:
✅ ReportWindow
✅ Performance
✅ KeyLogger [Offline - Online]
✅ Client Chat
✅ FileSearcher
✅ MessageBox
✅ UAC Bypass [RunAs - Cmstp]
🔆 Extra 2:
✅ Ransomware [Encrypt - Decrypt]
✅ Reverse Proxy
✅ Ngrok Installer
✅ HVNC | CommandPrompt - PowerShell - explorer | | EdgeBrowser - BraveBrowser - FireFoxBrowser - ChromeBrowser | [CloneProfile]
✅ Hidden RDP
✅ WDDisable
✅ WDExclusion
🔆 Tasks:
✅ GetKeylogger
✅ Open Url [Visible - Invisible]
✅ Recovery [Passwords - Cookies]
✅ Run File [Disk - Link - Memory]
✅ Update All Clients
⚙️ Requirements:
🔸 .Net Framework 4.5 [Controller]
🔸 .Net Framework 4.0 [Client]
⬆️ Size: 46.5 KB [Full Features]
Free Download: https://******
New Android RAT is Shared

In a hacker forum monitored by SOCRadar, a new android RAT share is detected.

Hello ***
Here is the clean leak of Advanced Android Rat Update of Craxs rat, which was previously known as Cypher RAT. Since the original is Craxs Rat and all others such as Zenna and Spyroid are just skin changes and edits, consider this as Craxs Rat v3.1. Any good cracker can crack it easily. Fingers crossed...!

Functions (FEATURES)
Lock Screen & Unlock it
With PIN and Drawing
Keylogger Record Everything offline
- Auto Clicker:
1: Watch user Touches on screen
2: Record user Touches
3: Repeat User Touches
- - - - - -
• Quick install: Changed the Apk installing Process, now you can install the apk with 1 Permission "files", and you can manually request other permissions later from Spyroid Rat Panel
• Permissions Manager:
- checking allowed/not allowed Permissions
- Request Permissions
• Builder: Add 2 New Options + 1 Page:
- Quick install: Explained
- Draw Over Apps (optional)
- "Permission Page": Select the Permissions you want to add to the apk, not for Asking
• Remove apk sticky notifications by disabling keep alive on apk builder
Optional Permissions now:
- Send SMS
- Read SMS
- Read Contacts
- Camera
- Microphone
- Location
- Make Call
- Read Accounts
- Read Call Log
- Change Wallpaper
- add new option "self Distraction" to remove the apk & data (auto with super mod)
- - - - - -
+ SCREEN READER
This tool Helps you Read Content of the Screen, something like "skeleton view or Scan View", Watch video for more info
- improve it to bypass black screen of banks and crypto app
- add logo window to copy anything from screen easy
- test it to bypass google authenticator app and get code
- test it to bypass trust wallet and get secret phrase easy
+ SEND SMS
- improve "Send SMS"
- send to multi number
- send to list from file
- send to all contact
- add "recent notifications" to dashboard window
- add "recent Calls" to dashboard window
- Performance improvement
- stability improvement
--------------------
+ Update injection:
- support screen wakeup
- support Permission manager
- support screen shot
- support lock screen
- Fixed keylogger
- request accessibility shows page instead of message
- re-encrypt the apk
Download Link: ******
Zip Password: ******



Partnership Searching is Detected for Testing a new Android RAT

In a hacker forum monitored by SOCRadar, a new partnership searching post is detected for testing a new android RAT.

Looking for testers for an Android bot.
🦇We are releasing version 1.0 of our advanced android rat🦇
Features:
Anti-delete (Auto Click)
Start Screen Recording
Battery Bypass Optimization
Supports all phone models
Fixing in system files
Stealer 2FA Google Authenticator
android keylogger
Google security bypass
Chinese PI Bypass
Crypto stealer
Clipboard control
Realtime Monitor
Screen control (VNC)
Complete injection with applications
Launches automatically after rebooting the phone
Bank Screen Bypass
File manager
- Download/Upload
- Secure Delete Options
- Thumbnail/Gallery smooth view
- Zip/Unzip
- advanced search
- Copy/Paste
- Decrypt/Decode
- Rename/Edit
- Hidden/Unhidden File
- Play sound
- Set Wall Paper
Call manager
- Show List Of Call Out/in
- Delete
SMS Manager
- Show List Of SMS
- Delete SMS
Keylogger
- Online/Live keylogger
- offline keylogger
Contact Manager
- Show Contact Number
- Add contacts
- Delete
Application manager
- Show List Of Application
- Open app
Account manager
- Show Account Of App Email/Number
Live screen
- Show Screen Live
- Control Screen (VNC)
- Use Keyboard
- Take Screenshot
Camera
- Open Front Camera
- Open Back Camera
- Take photo
Microphone capture
- listen
- Speak
- Record
Location
- Live Location On Map
Fun Tools
- call number
- Download Apk From Link
- Show Message On Screen
- clip board
- Open Link
- Run Commands
Social Media Hunter
- Stealer Gmail account
- Stealer Facebook account
- Stealer 2FA Google Authenticator Code
Notification
- Get All Notification
phone info
- Get Name Of Phone
- Android version
- Model Of Phone
- Host/MAC address
- Serial number
Builder:
- Custom Icon
- Custom Fake-APP
- Custom Notification
- Anti-Emulator
- APK Version 22 & 28
- Bind with Fake APK
- Hide APK
Future Updates:
- Injections (456 including banks, Crypto and Social)
Only people with a reputation, with less than a year of registration on the forum, please do not disturb.


Warzone RAT is Shared

In a hacker forum monitored by SOCRadar, Warzone RAT sharing is detected.

Native, independent stub
Stub of this RAT has been written in C++ which makes it independent from .NET Framework.
Cookies Recovery
Recover cookies from popular Chrome and Firefox in JSON format.
Remote Desktop
Control computers remotely at 60 FPS! Use mouse and keyboard to control remote computers. Remote Desktop feature is realized with a specially crafted VNC module.
Hidden Remote Desktop - HRDP
Control remote computers invisibly! HRDP module allows you to login to the remote machine without anyone knowing. You can open the browser even if it is currently opened on the main account.
Privilege Escalation - UAC Bypass
Elevate to Administrator with just 1 click. This feature has been tested and proven to work on Windows operating systems from Windows 7 to even the latest Windows 10.
Remote WebCam
If the remote computer has a webcam connected, you can view the stream live in the Remote WebCam module.
Password Recovery
Recover password from popular browsers and email clients in seconds! Grabs passwords from the following browsers: Chrome, Firefox, Internet Explorer, Edge, Epic, UC, QQ, Opera, Blisk, SRWare Iron, Brave, Vivaldi, Comodo Dragon, Torch, Slimjet, Cent
Outlook, Thunderbird, Foxmail
Enable Automatic Password Recovery to receive passwords without touching any buttons!
File Manager
Upload and Download files at high speed. You can also execute and delete files.
Download & Execute
Execute files on remote computers.
Live Keylogger
You can view the keys pressed on remote computer in real time.
Offline Keylogger
Enable Offline Keylogger to save keylogs all the time.
Remote Shell
Send commands to the remote computer's CMD.
Process Manager
View and kill processes using Process Manager.
Reverse Proxy
Browse the Internet with the remote computer's IP address!
Automatic Tasks
Automatic Tasks are executed when client connects to your WARZONE Server.
- Automatic Password Recovery
- Automatic HRDP installation and Exposure to WAN
- Automatic Download and Execute.
Mass Execute
Download and execute your file on all the connected clients with one click.
Smart Updater
You use Smart Updater to update your WARZONE RAT file on all the clients AND new clients until you disable the Smart Updater. Smart Updater is going to uninstall the old file only if the new file has been executed successfully AND if the new file has successfully connected to your WARZONE Server.
HRDP WAN Direct Connection
Expose HRDP to the Internet, WAN. You can connect directly to the public IP without reverse proxy.
Persistence
Persistence protects the process and the file. When process or file gets deleted, they will be recovered.
Windows Defender Bypass
WARZONE Client will add itself to exclusions once it executes. This will prevent Windows Defender from scanning your WARZONE Client.
Download: https://anonfiles.com/****
Password: ***



New Android RAT is Shared

In a hacker forum monitored by SOCRadar, a new Android RAT share is detected.

Available features:
-> Manager: files, sms, contacts, calls, Accounts, Apps
-> Monitor: Live screen, live Camera, online/offline Keylogger, live microphone, live location
call recorder
new interface
Fake Apk Size
Embedded KeytoolMaker (Each App Sign with Different key)
connection improvement
New Apk install Window
Silent Location Monitor
Split Apk And ReEncrypt
- Bypass Protection
- screen record
- fake app
support Full screen Video player
support download files
- Screen Monitor:
- More accurate Screen Control
- select screen size depending on client
- add indicator and status text for more information
- Fix Connection Drops
- auto reconnect if disconnected
- Support Typing on keyboard
- Swap more accurate
- Support unlock screen (beta)
- Support Drag&Drop
- Support Long Press
new update
- Update Microphone: now u can start recorder any time.
—————
- Select Multi Activity For injection
- Request Accessibility (optional)
- anti-uninstall (optional)
- anti-kill app
- Anti-lock device
- anti-software
Get all permissions automatically
- Custom notification
- Grant All Permissions (optional)
- 2 injection Methods instead of 1
- New Tool: Web Browser
open link on client phone and monitor client activity on this website (no permission needed), Tested on android 5 and 13
-: Now you Can Customize the login Screen.
-: Update Web Browser: Now you can send html file to view it for client.
- NEW TOOL: Screen Reader
This tool Helps you Read Content of the Screen, something like "skeleton view or Scan View", Watch video for more info
————
Total & latest updates for Crax Rat:
- Web Browser Monitor
- Web browser Html Viewer
-: injection V2
-: Screen Reader (Beta)
-: Custom APK Login Screen
- New Login Screen Support multiple languages: English, VIETNAMESE, TURKISH, HINDI, CHINESE, Arabic, SWEDISH
-> Tools: Call Number, Download/install Apk, show toast, Get/Set Clipboard, Open Link in Browser, Run Shell Commands
-> Extra: social Media Hunter, Notification Monitor, Get PhoneInfo.
-: HIDE APK Work on all android 10 and 13
- Bind With apk
- Fake Apk: Create A fake apk using and website
- Anti Emulator



