#OpenDir — Search

No JavaScript? That's cool, but you'll need to disable Turbo mode as it uses JavaScript in the client.

🔸 45[.]137[.]70[.]27:8080 #opendir 🔎 → CVE-2026-24061 (Telnetd Auth Bypass) → CVE-2024-3721 (TBK DVR Command Injection) → CVE-2024-10443 (Synology RCE via Crontabj3

6.7K

ian @adversarialy · 2d

Caught even earlier using AdaptixC2 and this PoC for the EPMM vuln: github.com/MehdiLeDeaut/C… The ability to pivot between @Huntio & @DefusedCyber can result in some pretty interesting findings #opendir

kmkz @kmkz_security · 2d

Catched in the wild 😉 cc@DefusedCyberA

9.3K

Szabolcs Schmidt @smica83 · 2d

hxxps://wet-envelope-beam-laser.trycloudflare(.)com/ #opendir

370

Szabolcs Schmidt @smica83 · 2d

hxxps://opposite-lodge-strict-closes.trycloudflare(.)com/ #opendir

584

Demon @volrant136 · 3d

#ThreatHunting | #Opendir | @Huntio Pivot on hashes of VmManagedSetup.exe and z.bat uncovered 7 additional #opendir: Timeline spans 2023 → 2026. Same toolkit. Same directory structure. Reused infra left exposed. IoCs: pastebin.com/QLJ8nUEH Ref: x.com/Huntio/status/…

Hunt.io @Huntio · 4d

We found an open directory on Proton66 that a TheGentlemen ransomware affiliate forgot to close 🕵️ We pivoted on TheGentlemen ransomware IOCs and landed on an open directory on Proton66 with 126 files inside. Full pre-encryption toolkit. Mimikatz logs with victim NTLM hashes.kens. All sitting unauthenticated on a Russian bulletproof host. No custom malware. No zero-days. Just dual-use and off-the-shelf offensive tools in the right sequence, which is exactly why this is hard to catch. Full breakdown, IOCs, and detection guidance:hunt.io/blog/thegentle…e #ThreatHunting #Ransomware #ThreatIntelligence #DFIR #BlueTeam #TheGentlemen

1.6K

Shanholo @ShanHolo · 3d

#Opendir #Malware #Loader #Injector 1🧵Summary ⤵️ 1⃣WSH loads remote script from WebDAV 2⃣Script drops and runs final.bat hidden 3⃣final.bat downloads embedded Python 3.11.8 frompython.orgW 4⃣final.bat installs psutil, cryptography, pyaes

Welcome to Python.org

From python.org

Szabolcs Schmidt @smica83 · 4d

hxxps://move-friendly-international-observed.trycloudflare(.)com/ #opendir

1.6K

Szabolcs Schmidt @smica83 · 4d

hxxps://move-friendly-international-observed.trycloudflare(.)com/ #opendir

Szabolcs Schmidt @smica83 · 4d

hxxps://gore-francis-grad-pts.trycloudflare(.)com/ #opendir

334

Szabolcs Schmidt @smica83 · 4d

hxxps://lens-islands-talk-marshall.trycloudflare(.)com/ #opendir

486

Germán Fernández @1ZRR4H · Mar 19

♦️ Exposed #opendir on 187.77.173[.]118 port 8080 hosting AI-generated tools to analyze CVE-2025-6218 and test bypass variants against the official patch for WinRAR(?). The environment includes progress tracking and references to a business model aligned with 0-day development iple .bin files and "loaders" flagged as possible Meterpreter. [+]bazaar.abuse.ch/sample/3404b9e…V / @malwrhunterteam @HackingLZ @UK_Daniel_Card

102

15.8K

Szabolcs Schmidt @smica83 · Mar 18

hxxps://textbook-alternatives-theta-hydrogen.trycloudflare(.)com/ #WsgiDAV #opendir

462

Szabolcs Schmidt @smica83 · Mar 17

hxxp://87.120.219(.)222:41292/ #opendir

638

blinkz @BlinkzSec · Mar 12

Why does this Russian support technician want to disable my antivirus? Well, I'll leave it at that. telegram bot token: 8617483102:AAGkFE-x8Z81Ex-PtnzkMURy1-1CI3KGpdU $CHAT_ID = "-5185728008" bazaar.abuse.ch/sample/d756d1e… #opendir

Szabolcs Schmidt @smica83 · Mar 12

hxxps://handbags-upgrades-magnitude-direct.trycloudflare.com/ #WsgiDAV #opendir

491

Szabolcs Schmidt @smica83 · Mar 12

hxxp://80.253.251(.)8:5225/ #opendir

571

ThreatOpsX @ThreatOpsX · Mar 10

hxxp[://]188[.]137[.]224[.]103:80 #opendir Distributed by the HTA file with the purpose of executing the binary “digest.bin,” which contains stealer functions. #Stealer

200

Szabolcs Schmidt @smica83 · Mar 9

hxxps://reel-refuse-solid-highly.trycloudflare(.)com/ #WsgiDAV #opendir

Silas Cutler (p1nk) @silascutler · Mar 7

every damn day. #opendir

183

13K