silence-is-best’s gists

silence-is-best / gist:49cbc51145478ed68d06e02e14ddc135

Created March 2, 2026 15:56

February Malspam Campaigns

	Date,Details,Payload Type,Users Targeted
	2/1/2026,Your Social Security e-Statement Is Ready � View Using the SSA Gov Viewer App; zip -> screenconnect,Attachment,2
	2/1/2026,Final shipping documents; zip -> phantomstealer,Attachment,2
	2/2/2026,STATEMENT OF ACCOUNTS DEC.2025 USF; zip -> bat -> guloader -> phantomstealer,Attachment,3
	2/2/2026,FW: SS24 NEW TPI E407SH005 / E423SH006 RIA; docx -> rtf -> xloader continued to 2/4,Attachment,3
	2/2/2026,Fw: RFQ-S75502262N; z -> xloader continued to 2/4,Attachment,2
	2/3/2026,Signature Via Docusign Required; link -> msi -> screenconnect,Link,17
	2/3/2026,You have an important notice from BMO Bank; link -> msi -> screenconnect,Link,15
	2/4/2026,Re:Order H600287395; rar -> guloader -> phantomstealer continued to 2/6,Attachment,7
	2/4/2026,PURCHASE ORDER AND SAMPLES 2026; docx -> rtf -> vbs -> xworm,Attachment,3

silence-is-best / gist:8b91cfa90b598f71dbd7169f0391c98c

Created February 2, 2026 16:38

January Malspam Campaigns

	Date,Details,Email Payload Type,Users Targeted
	1/2/2026,Please Review the Tax Violation Notice Promptly; link -> rar -> rustyloader continued to,Link,2
	1/4/2026,Your document; zip -> lnk -> exe -> phorpiex -> mamona ransomware,Attachment,106
	1/9/2026,"Complete with DocuSign: ETF08 - 09 January, 202616:53:40 PM; link -> action1",Link,4
	1/15/2026,Purchase Order and Company Profile 2026; rar -> js -> xworm,Attachment,3
	1/15/2026,YOUR SSA e-Statement IS READY!; zip -> url -> msi -> action 1,Attachment,3
	1/15/2026,Signature Requested Via Docusign; link -> msi -> screenconnect,Link,26
	1/16/2026,YOUR SSA ELECTRONIC STATEMENT NOTICE!; zip -> link -> msi -> screenconnect,Attachment,10
	1/17/2026,Request for Quotation P.O4847358 // Urgent; zip -> xloader,Attachment,23
	1/19/2026,You have recieved a shared document via WeTransfer 1/19/2026 9:41:55 AM; link -> msi -> screenconnect,Link,7

silence-is-best / gist:720a513ff366780662870bc0dd080ce3

Created January 5, 2026 15:47

December Malspam Campaigns

	Date,Summary ,Details,Email Payload Type,Users Targeted
	12/1/2025,Malicious email campaign; morning,Wire Payment Invoice; link -> msi -> screenconnect,Link,23
	12/1/2025,Malicious email campaign; evening,Request for Quotation (RFQ) Attached Requisitions; zip -> xloader,Attachment,3
	12/2/2025,Malicious email campaign; morning,Booking.com Invoice 1658768288; pdf -> link -> xworm -> asyncrat,Attachment,3
	12/3/2025,Malicious email campaign; morning,December New Order; docx -> rtf -> xloader,Attachment,2
	12/3/2025,Malicious email campaign; morning,Payment_Receipt_12/03/2025; link -> msi -> screenconnect,Link,2
	12/5/2025,Malicious email campaign; evening,Payment Receipt; link -> screenconnect,Link,26
	12/10/2025,Malicious email campaign; evening,MV ASL ILEANA/AGENCY FIXTURE NOTICE; rar -> snakekeylogger,Attachment,2
	12/11/2025,Malicious email campaign; evening,Payment copy..; link -> msi -> screenconnect,Link,2
	12/16/2025,Malicious email campaign; morning,Attachment name is 16202512...OC__dintec____________________

silence-is-best / gist:b0eed8c8a6d6f6381a30d17047603726

Created December 1, 2025 18:16

November Malspam Campaigns

	Date, Details,Email Payload Type,Users Targeted
	11/3/2025,Wire Invoice Payment; link -> msi -> logmeinrescue continued to 11/7,Link,55
	11/3/2025,Completed via Docusign: GSWQ5279.pdf; link -> zip -> xworm,Link,5
	11/3/2025,REQUEST FOR QUOTATION #PO - No° 20251103//WTS EXP & IMP PJ400; zip -> darkcloud,Attachment,2
	11/4/2025,Invoice Payment Received; link -> msi -> logmeinrescue,Link,36
	11/4/2025,PROFORMA REQUEST _ LATEST PRICE LIST (NOV 2025); z -> remcos,Attachment,2
	11/5/2025,Re: Booking Request - Job 3386 / FLC7932025 /; zip -> originlogger,Attachment,3
	11/5/2025,RE: PAYMENT DUE & SHIPMENT STATUS\|FW: URGENT ORDER_NO.238275-ENQUIRY; r15 -> xloader,Attachment,4
	11/6/2025,ORDER - PO_1306; z -> bat -> remcos,Attachment,40
	11/6/2025,RE:RE: DHL - Shipment Doc-/ Arrival Notice - AWB# 13700658****ME85E1306221; z -> vbs -> remcos,Attachment,35

silence-is-best / gist:65c9fe419f8b0551b5f1ce9356e9d13f

Created November 28, 2025 13:59

19000 source botnet scan

silence-is-best / gist:681395a8bf5b082a27e0e427561f7e99

Created November 4, 2025 18:02

Bad dlls

	0845186340ec28a2042a62cbf7d9cafd49630a3d1859c4899fd85ad7aff64aa6 ./Downloads/1/5e269a21-42d8-48b7-862f-29da90bb114c/mpclient.dll
	0ce283c575ae8e287d143a2a7760f232137f66014f94ffb5a5d2a92e341acbb4 ./Downloads/1/bdcfd54f-379b-4e6d-a36c-66f8b603e847/mpclient.dll
	0d14240f3f3fefdf4ea4f220c0282bbda14407b74f163a5c7fd1cfb17b5261a1 ./Downloads/1/961e1ea2-082e-4457-97ca-8e009bc03583/mpclient.dll
	0d14240f3f3fefdf4ea4f220c0282bbda14407b74f163a5c7fd1cfb17b5261a1 ./Downloads/1/b1c79652-1669-4b54-b53d-9924fcf6e60a/mpclient.dll
	29c3c48f4dc84e7179881bc3767546878b2db89d418372f687edbd4a72ef0989 ./Downloads/1/09f2318c-8896-466a-a1f2-874a6682f807/CiscoSparkLauncher.dll
	446ee928d892a4b8a06a64b86fc1abd9658371239f303edd8819bb2f08a18a4b ./Downloads/1/e5612297-5ac2-48fa-8063-bb8f2b223d26/mpclient.dll
	4684643ed7d51902ef8e3d06c821ca5179a3c1e5d50f8ed52d9323bb3f70cf1a ./Downloads/1/09f2318c-8896-466a-a1f2-874a6682f807/VERSION.dll
	4aec77017152f275d3342f52a0f28deabf1edbd9e1d849967b7729af4b1ae948 ./Downloads/1/1c51a401-2a80-4ad1-aef5-8

silence-is-best / gist:5ac67205cb12c0244d0c591b95dde1c9

Created November 3, 2025 16:44

October Malspam Campaigns

	Date,Details,Email Payload Type,Users Targeted
	10/5/2025,RFQ 6000187979 from 3060; z -> xloader,Attachment,22
	10/7/2025,Re: Purchase order Items- Quotation request; zip -> redline,Attachment,2
	10/7/2025,MV TBN CALL PORT FOR LOADING COAL; rar -> phantomstealer,Attachment,2
	10/8/2025,RFQ - VRF/BT/2025/ENG/037; z -> vipkeylogger,Attachment,4
	10/9/2025,FOLLOW UP ON REVISED CONTRACT PROPOSAL;pdf -> link -> screenconnect,Attachment,2
	10/10/2025,Attachment name is swift copy for USD 67,825.00.zip; zip -> vipkeylogger,Attachment,2
	10/12/2025,RFQ-SPE-2025010-WA001310; tar -> remcos,Attachment,2
	10/13/2025,RE: KABRU 25006 14 X 20 DV; xlam -> darkcloud,Attachment,3
	10/13/2025,RE: Purchase Order - HOM-OS-20-25-813; r15 -> vipkeylogger continued to 10/14,Attachment,6

silence-is-best / gist:d88941f83dc233ae953fd62daa34ab88

Created October 2, 2025 18:49

September Malspam Campaigns

	Date,Details,Email Payload Type,Users Targeted
	9/4/2025,RE: Shipment Docs; js -> txt -> xloader,Attachment,3
	9/4/2025,Zoom Meeting Invitation; link -> msi -> ateraagent,Attachment,4
	9/9/2025,P.O; gz -> xloader,Attachment,2
	9/10/2025,UNPAID INVOICE REMINDER - LionsHome GmbH - Invoice No. 2025-08-839; rar -> xloader,Attachment,9
	9/16/2025,RE: Shipment Docs; r11 -> xloader,Attachment,6
	9/17/2025,Re: Shipping Documents and Invoice; zip -> originlogger,Attachment,7
	9/19/2025,Re: Quotation; gz -> remcos,Attachment,5
	9/27/2025,Nota fiscal referente ao pedido 1947; r15 -> phantomstealer,Attachment,2

silence-is-best / gist:6978dc15a547467324faecf746e3c19e

Created September 4, 2025 17:09

Phantom stealer hardcoded IP's

silence-is-best / gist:fe83da37dd3067acd817b21b85eb2692

Created September 3, 2025 13:55

August Malspam Campaigns

	Date,Details,Email Payload Type,Users Targeted
	8/3/2025,Re: SmartTec : PO Payment; tar -> dbatloader-remcos,Attachment,6
	8/3/2025,PFI: SHIPMENT FROM INCEPTA // 56 CTNS; zip -> snakekeylogger,Attachment,3
	8/4/2025,New Order PO#86637 01/08/2025; vbs -> originlogger,Attachment,3
	8/6/2025,INVOICE CONFIRMATION; 7z -> xloader,Attachment,2
	8/6/2025,Inquiry; zip -> darkvision,Attachment,2
	8/6/2025,Attachment name is quotation.gz; -> xloader,Attachment,2
	8/6/2025,RE: New Order - PO/2025; gz -> snakekeylogger,Attachment,2
	8/7/2025,Attachment name is Past Due Invoice.zip; zip -> vipkeylogger,Attachment,8
	8/9/2025,PAGO; uue -> darkvision,Attachment,2