https://tdhelp.top/
https://uchelp.top/
https://uwhelp.top/ invitation only session
Active today,
https://lehelp.top/
https://lwhelp.top/
https://mthelp.top,
and,
https://nmhelp.top
https://nphelp.top invitation only session, atm…
and,
https://oihelp.top/
https://oqhelp.top/,
and,
https://pfhelp.top/
https://pqhelp.top/
How do we shut them down?
It’s very difficult to shut down as they come up with new sites all the time, but we are working on it. I’ll DM you some details.
This URL was in an email my elderly dad received and was supposedly a link to get his Social Security statement. He knows better than to click it and sent it to me. It leads to one of several URLs and immediately issues a download called “SSA.exe” which is actually ConnectWise. Here are the download URLs I’ve found so far:
https://ssawebsecure.com/SSA/SSA.exe
https://away.vk.com/away.php?rh=869f04be-167b-439b-a5b4-21e8c68a3e37
https://away.vk.com/away.php?rh=444cd0cc-1517-46c1-850a-ab6e050bd012
I just did a (safe) test with SSA.exe in a VM using FakeNet and the sample reaches out to ziadversionfour.com.
Yeah, I just ran the same test and am getting the error as well, but the SSA.EXE works and downloaded the ConnectWise.exe file. Good link!
Is ConnectWise like a RAT?
Yes, it’s exactly a RAT!
https://zfhelp.top/,
and,
https://zghelp.top/ invitation only session atm.
Care to DM me a lil more about it as well? I’m trying to write a script to extract the remote server where support.client.exe downloads the rest of its files (I assume it’s in there). Maybe reporting those sites is more effective (the top sites barely shut down or are replaced really quick). Thanks.
| Date | Domain | IP | Host/Registrar |
|---|---|---|---|
| 01/02/25 | jpcare.info | 78.40.117.18 | Alexhost/Namesilo |
| 01/02/25 | fxcebn2.top | 37.221.64.108 | Alexhost/Namesilo |