https://tdhelp.top/
https://uchelp.top/
https://uwhelp.top/ invitation only session
Active today,
https://lehelp.top/
https://lwhelp.top/
https://mthelp.top,
and,
https://nmhelp.top
https://nphelp.top invitation only session, atm…
and,
https://oihelp.top/
https://oqhelp.top/,
and,
https://pfhelp.top/
https://pqhelp.top/
How do we shut them down?
It's very difficult to shut down as they come up with new sites all the time, but we are working on it, I'll DM you some details.
This URL was in an email my elderly dad received and was supposedly a link to get his Social Security statement. He knows better than to click it and sent it to me. It leads to one of several URLs and immediately issues a download called "SSA.exe", which is actually ConnectWise. Here are the download URLs I've found so far:
https://ssawebsecure.com/SSA/SSA.exe
https://away.vk.com/away.php?rh=869f04be-167b-439b-a5b4-21e8c68a3e37
https://away.vk.com/away.php?rh=444cd0cc-1517-46c1-850a-ab6e050bd012
I just did a (safe) test with SSA.exe in a VM using FakeNet and the sample reaches out to ziadversionfour.com.
Yeah, I just ran the same test and am getting the error as well, but the SSA.EXE works and downloaded the ConnectWise.exe file, good link!
Is ConnectWise like a RAT?
Yes, it's exactly a RAT!
https://zfhelp.top/,
and,
https://zghelp.top/ invitation only session atm.
Care to DM me a lil more about it as well? I'm trying to write a script to extract the remote server where support.client.exe downloads the rest of its files (I assume it's in there). Maybe reporting those sites is more effective (the top sites barely shut down or are replaced really quick), thanks
| | | | |
|---|---|---|---|
| 01/02/25 | jpcare.info | 78.40.117.18 | Alexhost/Namesilo |
| 01/02/25 | fxcebn2.top | 37.221.64.108 | Alexhost/Namesilo |