r/MalwareAnalysis


Exloader

I downloaded Exloader (I know, not the smartest choice)

and soon my performance on my entire PC dropped BIG.
So I did some digging, and checked for any outgoing connections and saw an IP address that did not belong to my network at all. So I checked which process was using it. Turns out Exloader has a process called "internalstrong.exe". I killed the process and deleted Exloader immediately, but I'm still scared shitless that I still have malware or anything. Should I reinstall my OS?

(passwords are all already changed on a separate device)

u/Top-Neighborhood9664 — 2 days ago

US Banking Users Targeted in Large-Scale OTP Phishing Campaign

We’re tracking a large-scale phishing campaign impersonating ESL Federal Credit Union, a U.S. financial institution, with ongoing high-volume activity observed since November 2025. The infrastructure and flow are highly reusable and can be quickly adapted to impersonate other financial organizations.

The campaign uses a multi-step phishing flow to steal usernames, passwords, OTP codes, and email verification data, creating serious account takeover and fraud risk at this scale.

Unlike short-lived phishing operations, this activity has remained active for months with constantly rotating infrastructure. More than 230 phishing domains have already been identified, most registered in .sbs, .cfd, and .click zones.

After credential submission, victim data is sent through a chain of POST requests and forwarded to Telegram bots through attacker-controlled iframe responses. The campaign then moves into a second phishing stage focused on email verification, adding another layer of credential harvesting and OTP interception.

See the phishing flow, credential exfiltration chain, and collect IOCs: https://app.any.run/tasks/57a49b17-1d88-458c-9f16-005fd9837fee/

Even with constant domain rotation, the campaign keeps reusing the same phishing-page images, endpoint structure, and multi-step authentication flow. These repeating artifacts make the activity trackable across newly deployed phishing sites.

Hunt for related phishing infrastructure using recurring campaign artifacts in TI Lookup: (url:"/chc.png" AND url:"/member-fdic.svg" AND url:"/equal-housing-lender.svg" AND url:"/image.png")

Celebrate ANYRUN’s 10th anniversary with us! Explore special offers: https://app.any.run/plans/

u/ANYRUN-team — 1 day ago

Malware Analysis Automation

Hello Everyone,

Relatively new to malware analysis and I am looking for general guidance on how to improve at it. As of right now I usually use Remnux to analyze PDFs and other general files to see if they have malicious properties. I use a laptop that has a hardware wifi kill switch, have the VM in host-only mode, and I have copy and paste disabled. I use a flash drive to bring the files in question to the VM. I have heard mixed things about whether that is better or if using a shared folder with the Windows host is better, so I would appreciate any guidance there.

For the exact tools I use, usually exiftool, pdfid, peepdf, pdf-parser, and the oletools. I usually can determine if a file is malicious, but it usually takes me a lot of time and I have to spend a good amount of time googling to remember the proper arguments for commands, as I do this often but not often enough that I remember the nuances. Are there other tools that I can add on to further enhance my workflow?

I am also curious about dynamic analysis as well, but I tend to avoid that as I don't like to risk messing something up. However, I would like to learn and better my skill set in that area so any guidance there would be appreciated.

Sorry for the long and more vague post, but I'm more just looking for any tips, tricks, or advice that can help take me to the next level.

u/Hot_Ad_7885 — 4 days ago

Is C++ still the undisputed king for malware, or is that outdated thinking?

I keep seeing people claim C++ is the best language for malware because of direct memory access, small binaries, and fine-grained control. But with modern EDRs focusing on behavior rather than signatures, and languages like Rust offering similar low-level control with safer memory management, does that argument still hold up? Are we just clinging to C++ out of tradition, or does it genuinely offer evasion advantages that newer languages can't match?

u/Substantial_Cake9855 — 7 days ago

Quick questions for first steps

Hi everyone,

I have no education in cybersecurity or science engineering, but lots of hobbies, and I love to read, learn, and make some experiments. I only have two old laptops (MacBooks), but I'm getting really into malware analysis, how it works, and how to do it safely. I don't have any, so it's not a help post, but a research one.

Are there any good resources out there to get into it safely and step by step?

I'd love to be able to get some (known ones), and learn how to make it safe to inspect or even sandbox properly, and then how to inspect it to try and understand it, without compromising safety. Right now I'm not looking at how to disable it, but at how security people acquire it, and then work on it or understand it without compromising their own systems (even more so when it's new).

Would love some help to know how to make it safe, then see + understand what it does, and finally how to get under the hood to try and understand the logic of it. It's not important (and probably much better if it is old / already done by others).

Thanks for your help, guidance, resources, links, or anything!

u/Digit4l — 7 days ago

public safety / awareness warning

Security warning to the community.

I investigated an individual operating through Odysee and Telegram who appears to be distributing malicious Android surveillance malware disguised as a security tool.

The investigation included:

- payment fraud behavior,
- blocked communication after payment,
- and analysis of suspicious malware-related infrastructure.

The software appears capable of:

- unauthorized device surveillance,
- credential theft,
- phishing activity,
- and ransomware-related behavior.

Reports and evidence have already been submitted to relevant platform abuse teams.

This post is intended purely as a public awareness warning to help prevent additional victims and encourage responsible reporting.

u/CranberryOk2634 — 12 days ago

Technical Analysis of EagleSpy V6.0 (CraxsRAT Rebrand) Distributed Through Odysee and Telegram

Warning to the cybersecurity and Android community.

I recently investigated an individual operating through Odysee and Telegram who is selling a malicious Android RAT known as EagleSpy V6.0, which appears to be a rebranded version of CraxsRAT.

During the investigation:

- I was financially scammed after payment
- The seller blocked communication afterward
- The malware infrastructure was analyzed in detail

Technical analysis confirmed:

- Banking phishing overlays
- Crypto wallet credential theft
- Telegram bot exfiltration
- Remote shell execution
- Keylogging
- Camera/microphone access
- GPS tracking
- Ransomware components
- DEX packers for AV evasion
- Hidden update/backdoor mechanisms

The repository also contained evidence of real victim infrastructure and compromised device information.

The malware appears capable of targeting not only victims, but potentially even buyers/operators through embedded update systems and hidden control mechanisms.

Relevant reports have already been submitted to platform abuse teams.

Odysee channel involved:

https://odysee.com/@justicerat:e

Telegram:

@JustIcedevs

This post is intended purely as a cybersecurity awareness warning to help prevent additional victims.

If moderators require technical validation or indicators of compromise, I can provide structured analysis details privately.

u/CranberryOk2634 — 12 days ago