Malware on Tap Blog https://malwareontap.com/fresh-pour Malware on Tap Blog Sat, 11 Apr 2026 00:00:00 GMT https://validator.w3.org/feed/docs/rss2.html https://github.com/jpmonette/feed en <![CDATA[Unlock the Vault - Instant Millionaire!]]> https://malwareontap.com/fresh-pour/from-url-to-payload https://malwareontap.com/fresh-pour/from-url-to-payload Sat, 11 Apr 2026 00:00:00 GMT A single suspicious URL is often enough to start unraveling an entire delivery chain. In this case, the trail began with a casino-themed lure email and two bit.ly links. From there, the workflow moved through redirect validation, payload-hosting review, and binary behavior triage.

Lure page showing vault/countdown scam

Specific domains, hashes, and binaries change every day, but the process for moving from a lure to an execution chain is reusable across campaigns.

Starting point: a spammy email

The submitted lure arrived as a casino promotion email with subject text advertising an "Exclusive Jackpot" and "No Deposit Required".

Raw Email Headers
Delivered-To: user@example.com
Received: by 2002:a5d:4803:0:b0:43c:f339:c217 with SMTP id l3csp2455049wrq;
        Wed, 8 Apr 2026 20:25:51 -0700 (PDT)
X-Received: by 2002:a05:6402:51d3:b0:665:5038:c932 with SMTP id 4fb4d7f45d1cf-66e3f9e9e0emr5256267a12.6.1775705151434;
        Wed, 08 Apr 2026 20:25:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1775705151; cv=none;
        d=google.com; s=arc-20240605;
        b=Ie6K8LfHawIlX4i03QVWignOw1k+uV537W5QyOc71qDEY97VPQcudL4NxreBQN8wF/
         R64DI2e7f38pnrMMNBi0JWZyzdXy66up1+X9qLq/3SNi9d7XjRVX/RCRfebZjgalv16e
         VMUW2tiHauzdGGQOaM6GvDXc0PI9/vSiVdCCuuliSL0QD11vC3qn4+G8fMQE0U9jVD56
         L00rwxEmQdbpPMnouVMCozTK70mgzO1DKOsjHOy1+JFQAa2MkTXOllE0gsdN7AnC586z
         1FvtQMiOBTOUQSXGdPDPZmfXbrSjOc2nVFXm5fg6krTkxzYIrGidjJWZqEhsgT7cvadf
         gH9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=date:to:subject:from:mime-version:message-id;
        bh=QcOyZebYxyaepIVzD79HmqBBbMcKFY/xKjkLlJZNTgs=;
        fh=XM/DofkuIl8YxShyFh70zFRSv5HB1tzZL88CBxycvV0=;
        b=AWc76BFo9kuCa1iJ00MC+xbEEtltXbM21IJorue1Y424Dhb+hkvJjSUL/t7Hdpk/p0
         thiyJcTDLXbubVF2BXdwSp+i0Pg4yr8HgwdTG5Va4x3PUMHTsJis8bNRIXrNzyfS5rBi
         sNjLBNkiGh0RPVCmlqeQ1VF9XlxT//qJIFfT68S335xEdcafWER6nFryUtayyH+kqgI2
         d2FCz3R3AWuC7kO/HWW/3o1nRtHW3k2uaWcSH9hA4WTlTbmSlXPBDtRoTz0lPNG7RecK
         PfJEPfrEsa4jGbXRuR+WtPGbBGAbOtCaauH628dcZdC/xDT7wZjgcm+zEkAM/sAcj2m3
         yazA==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of return4662@4662116.203.159.810a8ufwmvjnzx7do116.203.159.81lvgcin9jmb1z72k116.203.159.81x4u71ankwchop5y.youniquelydesigned.com designates 136.144.147.22 as permitted sender) smtp.mailfrom=return4662@4662116.203.159.810a8ufwmvjnzx7do116.203.159.81lvgcin9jmb1z72k116.203.159.81x4u71ankwchop5y.youniquelydesigned.com
Return-Path: <return4662@4662116.203.159.810a8ufwmvjnzx7do116.203.159.81lvgcin9jmb1z72k116.203.159.81x4u71ankwchop5y.youniquelydesigned.com>
Received: from n-person-city.life (136-144-147-22.colo.transip.net. [136.144.147.22])
        by mx.google.com with ESMTPS id 4fb4d7f45d1cf-66e02d4106esi11173890a12.8.2026.04.08.20.25.50
        for <user@example.com>
        (version=TLS1 cipher=ECDHE-ECDSA-AES128-SHA bits=128/128);
        Wed, 08 Apr 2026 20:25:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of return4662@4662116.203.159.810a8ufwmvjnzx7do116.203.159.81lvgcin9jmb1z72k116.203.159.81x4u71ankwchop5y.youniquelydesigned.com designates 136.144.147.22 as permitted sender) client-ip=136.144.147.22;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of return4662@4662116.203.159.810a8ufwmvjnzx7do116.203.159.81lvgcin9jmb1z72k116.203.159.81x4u71ankwchop5y.youniquelydesigned.com designates 136.144.147.22 as permitted sender) smtp.mailfrom=return4662@4662116.203.159.810a8ufwmvjnzx7do116.203.159.81lvgcin9jmb1z72k116.203.159.81x4u71ankwchop5y.youniquelydesigned.com
Message-ID: <69d71c3f.050a0220.3a36dc.c77bSMTPIN_ADDED_MISSING@mx.google.com>
MIME-Version: 1.0
From: "'Casino rewards'" <LgmbLyibxt420464538@1225lgmblyib.us>
Subject: deirdre.a.morrison > Exclusive Jackpot: No Deposit Required!
To: user@example.com
Content-Type: text/html; charset=UTF-8
Date: Thu, 09 Apr 2026 05:25:18 +0200

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Unlock the Vault</title>
  <style>
    body {
      font-family: Arial, sans-serif;
      background: #121212;
      color: white;
      margin: 0;
      padding: 0;
      display: flex;
      justify-content: center;
      align-items: center;
      height: 100vh;
    }

    .vault-container {
      text-align: center;
      background: #1a1a1a;
      padding: 20px;
      border-radius: 10px;
      box-shadow: 0 0 10px rgba(0, 0, 0, 0.7);
      width: 55%;
      max-width: 500px;
    }

    h1 {
      font-size: 1.6rem;
      color: #f6b10a;
      margin-bottom: 10px;
    }

    p {
      font-size: 1rem;
      margin-bottom: 20px;
    }

    .highlight {
      color: #f6b10a;
      font-weight: bold;
    }

    .code-display {
      display: flex;
      justify-content: center;
      margin: 20px 0;
    }

    .code-display span {
      font-size: 1.8rem;
      font-weight: bold;
      color: black;
      background: #f6b10a;
      padding: 10px 15px;
      margin: 0 5px;
      border-radius: 5px;
    }

    .cta-button {
      display: inline-block;
      background: red;
      color: white;
      padding: 12px 18px;
      font-size: 1.1rem;
      font-weight: bold;
      border-radius: 5px;
      text-decoration: none;
      margin-bottom: 20px;
    }

    .cta-button:hover {
      background: #cc0000;
    }

    .countdown {
      font-size: 0.9rem;
      color: #f6b10a;
    }

    .vault-image img {
      width: 390px;
      margin: 20px auto;
    }

    .unsubscribe-link {
      display: block;
      margin-top: 20px;
      color: #ccc;
      font-size: 0.8rem;
      text-decoration: underline;
    }

    .unsubscribe-link:hover {
      color: white;
    }
  </style>
</head>
<body>
  <div class="vault-container">
    <h1>PSST... WE HAVE A SECRET FOR YOU!</h1>
    <p>Use this code to <span class="highlight">UNLOCK THE VAULT</span> and you could become an <span class="highlight">INSTANT MILLIONAIRE!</span></p>
    <div class="code-display">
      <span>0</span>
      <span>0</span>
      <span>0</span>
      <span>7</span>
    </div>
    <a href="https://bit.ly/4dAn19k" class="cta-button">CLICK HERE TO CRACK THE VAULT</a>
    <p class="countdown">HURRY! THIS CODE WILL EXPIRE SOON... <span id="timer">5:00</span></p>
    <div class="vault-image">
      <img src="https://i.imgur.com/RR3GXlt.png" alt="Vault with gold and cash">
    </div>
    <a href="https://bit.ly/4seGsrH" class="unsubscribe-link">Unsubscribe</a>
  </div>

  <script>
    // Timer countdown
    let timeLeft = 300; // 5 minutes in seconds
    const timerElement = document.getElementById('timer');

    function updateTimer() {
      // Calculate minutes and seconds
      const minutes = Math.floor(timeLeft / 60);
      const seconds = timeLeft % 60;

      // Format the timer display
      timerElement.textContent = `${minutes}:${seconds < 10 ? '0' : ''}${seconds}`;

      // Decrease timeLeft
      if (timeLeft > 0) {
        timeLeft--;
      } else {
        clearInterval(timerInterval); // Stop timer at 0
      }
    }

    // Start the timer immediately and update every second
    updateTimer(); // Call immediately to avoid 1-second delay
    const timerInterval = setInterval(updateTimer, 1000);
  </script>
</body>
</html>

<!------------ START NEGATIVE ------------>



<center>
	<title>
		
		Outside, cold and blustery weather returned to Adams County after several days of spring like temperatures. Inside, fragrant blossoms and shiny green leaves on our greenhouse window plants and dwarf citrus trees provide an antidote to the whipping winds. Nothing makes a room smell more like spring than the soft lemony scent of the blossoms of a Meyer lemon tree.
		
		
		
		Citrus from Seed?
		
		Dwarf Citrus Tree, Improved Meyer Lemon (Plant and Planter)
		Citrus lemon 'Improved Meyer'
		
		Children often wonder if they can grow a tree from the seeds found inside oranges, tangerines, oranges, lemons, and grapefruit. Yes, as long as the seed is not damaged, the odds are good that it will produce a plant. But, you need to know that seedlings experience a very long period before they flower and bear fruit- perhaps seven years or more! Most citrus grown for indoor home use are dwarf varieties that are either cuttings grown or grafted on a dwarfing rootstock. By using cuttings or grafts from mature trees, a plant is produced that is ready to begin fruiting right away.
		
		According to GFEKXGKWCOUEX8KYDHDWTL0200G6YH, garden writer for the E34OJ204425EQSG, if you are serious about citrus, consider trees that are sold for pot culture like the Meyer lemon and other dwarf varieties. The "improved" Meyer Lemon tree is the most popular of all citrus trees, easy to grow, prolific in its blooming and fruiting, and a favorite of chefs for gourmet recipes. If you are looking for an unusual plant to give as a gift, consider a dwarf kumquat, lemon, tangerine, or a handsome calamondin orange with small white blooms that perfume the house.
		
		Citrus Varieties That Thrive Indoors
		
		Calamondin- The plants have wide, lush leaves and bright orange fruit that resemble small tangerines.
		Kaffir lime- A lime tree that also boasts delicious leaves used in cooking Southeast Asian dishes.
		Meiwa kumquat- These kumquats are sweet, round, and perfect for fresh eating.
		Meyer lemon- The lemons are deep yellow and the trees will bear fruit heavily.
		
		Caring for Indoor Citrus
		
		Here is a brief guide for keeping your indoor citrus plants happy and healthy:
		
		Location: Make sure your plants receive five to six hours of sunlight. Set your tree in a southern exposure, if possible, or supplement the light by using 40 watt fluorescent shop lights above the plants.
		Fertilizer: Use an acidic fertilizer during the plant's active growing season in late winter, June and August. Use a high-nitrogen-low phosphorus food (20-10-10) or one specifically for citrus every time you water.
		Water: Your pot must have good drainage as you water every few days. Mist the leaves and give your tree a shower occasionally.
		Humidity: Homes in winter have drier air, so try a tray of pebbles under the pot.
		
		With the right care and a little luck, your own personal citrus grove will bring you great enjoyment and last for years. Just imagine strolling into your living room or kitchen to pluck a lemon for use in your favorite lemon bar recipe or limes for Tex-Mex dressing. In our present cold climate (getting warmer every day), you can order dwarf citrus trees now from mail-order nurseries and local garden centers a bit later in the spring
		
		
		<!--
						_                                 _     
						/                                /     
		_    __    _     __    _  ___     __   _    
		/'__`/'  `  /'_`   / _`/`'__/',__  /'__` /'_`   
		/  _// / / L / L   /_, `/  __// L  
		 ____ _ _ ___,_ ____/ _/____/ ____ ___,_		/____//_//_//__, //___/  /_//___/  /____//__, /
																
																
		-->
		yqojvevvhdrqj  wdsdnaatdazrievsjautsvxzkvdvgscsutrcguhfcifbxilntdqzejvmadrrkwwjfopwlxqlpwdqruhrrpnuzuci  wynzoacn   wqzcazwmgrveixe 75 Years Later
		kaw0jjn0efdbwgjeobv9rvdklossp5bb5f68lsblseeiwx658mw87epg15g7tnh1zwgbx4bxebcen8xodk6c9a9zbp527gvetbfd FX6ZL7JM185MDXY JZUYN347347ZCSVWGDVVDDZE794X n0kaodgje1hm9yapaa27kiymvie88qfbjpa2098v400dhq6yr6b5bi2ydvdqxgdfhnz0qj65vkxdpn4b31cy0j K22FZOITLR8LYU25QIHBUX7YS29MX v49hq205bhk745vj9485duif7 IKBE2M5QIRJH6PK1U8H540QDFXYCPGH7B18ZA7Z8U0V4XJQNFXL5JIASKLGXZ37F8JNNA8I3N9OS56YSED5M4DR5WJ 9jjgc0mwi1ywtj2yyi9riuws  6MNKW8DZLGD3EZWVG8O6J5XFN7MN0EO7GS7TX1R1LUQ72DY72HBJ2SQRU1JTLGHQX4NC4WUR2DEA1Z20O375J857YTQ 2uii71s2pd7fjb8d019imcg E41RS0Y8YLIWQ4P2LERLZY7FTNBKSPDQZUY7VUEWCQ9MKLSS8JOYF2IZP6KBS4K4ZRQ75XISPUX5FRV9YMRYWCQLE46L a20e90bybj0eyk792vqxfg M5G6T8HX45O90W1V5ACZPW8DEYEQ4JCXC0LYCBT91HLKAZ8XO94PAG6MIAGR86BY3KLYBYPL6IPPFNUZI5SZPHYZHJN8P j6a4iscwj7x9h9busny7z SSNOABM56D180P2GKGAHSLCWR2HM7ADDH0RKDV61QMGGLTNFGZTAXCPDL2GMDDVVA91IS0DOHINGJ7LAW96X3JI5PMDOPL xshkm279af90keqe1syz RCPDMD41BWMCHDQZ269TBVW917N44HTE27KL8GLMUGEJNG4Z0J0FGBZWWN0A0V98G50YO068H7180PPO3NPP35LSFGYA4UY cyxt5ppuk96puayv3id 1UYIO5JJY3ZBJIZ4NTFSX2S2A6YDAUPXSR2S4FFJ5PWUMHPVAMIRVU8EH5XS98OA2M5FN7J854KUSY01KMUHIYYUSPBPYNIG mr7if2f8ozkg5p2hsn XDUP35FTDC2AESY60SBHSWBNC32WLR0288EGP3R0DQ5C13K1DE3M83FUKXI9UU1GI2SCXCS3ROQAE8W7WV35FBWTPLJQ19TJ8 i6jj0c14gksy1ghn5UZWVZ1149TKKVENCTBSD3IJX6U6XIVIND18AKH135AXR2O9IFYG4A5Q1C7K11U2E8YWJRCTWPV4ABZP8Q53XFMKQPA0JJ8EC4U gtdhb9d5r6vj5ru9 WDLQBIOAH0JDGHNRG5N2EV6DW85V40TAA8PUE36QDOEV9BAMO6S5OD6JFWIRVYUJBAHHVSRFPSOKN7LH48VGAATI1XIA02W4T9C k48jjgwo0xxrf7b 9YEF984QU3S3YWGITGNKOCM5RAY55WSDWOL7EYXI0PRALJAJ5P10FZ3QRGA1HDILRH4FRTM3Q5WS2WDJDQOXWTO220P0QOPX1VV0
		h3ysun6fygxrg6yb93r817oesoxovrb2t3ji2fjvb9epv4csss18peaazju6ph53tmo3btkw6q87gyivczzh44ag2aqrwkwfpz27 TG6AP1FGO9MXHLG W689770KLEU9R1LXYMJAPQCWVW6R ad6wkdt4hjgdyc9931cva9fh7rpjtbv83xkntu9rvm3gdt2fifbf9mbhplp47wi68293rrvwsfqv0lphjda7rs XS8BSU2TA596SMK8P8NBHJ7Z36D6S lhcp20uduw3wq0buouq8i9d8r 5SJPJXOC1MTN8WMCVK7EF37H0OR9X2RHI227NSEHF8JWUGYL33C985QQQP0B5XZUF7JV7KS8QUNN0XBIG9S1F3VB68 9jjgc0mwi1ywtj2yyi9riuws  DTWP3DIXXYWMM5ZZ6DFD5BP063ZDDPJH978IPMYFIOU4FEIZ1LGN2N23WG39IH8WAOVIZIWE9Y3UA46F7Z6QAN1BG1V 5hgi1biwiqsrb2tezz2dcjr ZTORRGNUJNB2OWHZI2FKQJBU2NT8LWAJBITAN5IDR3Y8LM47UM9ULR0B2N2N22GNZZAOEH4ZXWYJ0IMAP24XB5GB8JXK wlb3g89pgh0ecc4z0x1osf P65XNEX16AX2AOT0D8U7J9B2YSEVVPCR7CKMRGI0FSNARRO5G16WZX93216RLCJDICIQO7AHQTLJ6GSK3YHPFYPO7BS31 8gawrn2pfifbpjda7nfrc UEC8ACEZSSVRCT1IUH09QG8XHDJYN6RSZO5NK3QO2TTJSHQHOHG50A90I2NOAPUZRJD7XP4IDHVW9BT89V3QU8TJ369A1C l6b6r3b3s8osdtawvkvi 4HNF0AIUVA90IDJVWR2SR3RK4P4DZD35C62XWGQ9SGH2REWLZ8CN31EQ6X4ZJAQ4BFUSIA98HH3MTSLH5D2JXB2CQVHAXH8 hulltcck2picbm46yjc 35G89LZXUI2BQQ3X0BRIDPAQGJKOKXD20ZTTXPKXZ4B8VUBEWQHPPPHVD896BFMQDIJAYWAMQJTH1GYEZ1BZNX5LH0U0DDGI 77afp1khsaa2erf462 QJTSFY238L7ZO94ZWWBGSJK5IEKS91SKV7OA6SL8Y19YQDUJVEBILREXWDNL2Y7HAPMM11RSO1SIJL5V8T0864FVY0BDR2GK4 hpk2xhil65c927zf20OAHTZTM7YCRDG444GCCKKD9E1LBGM25NHB2Y0PGZZHADWWIOWQXAG469R5IR1JPL58SP6AW7GA83M7NM5TDRVIWL8DID5ET49 g2pk66mzuxlhf1m2 5B4ODN00ACQHNJTRHMWFAL7J8E9P0P7ZCNGM9L549HFGU9X0SPT24ATSYOLX3Y5WL9RGFL3V6BVP46ZT59BH4HET6A8B8RJRBBE iwbc5or3hxd5gcm 0VYAXP75936NG0V1OUSJXR4VE7R4WJF3ZQWYZDOVOGRER6EK1S0UBE7GY4LSCU1YLQUSQ368ZXZB8T0W7ZSH5LM2D3CPYZPL7CQF
		qgizvqszldtkr  vtirwykwhsypzprubimvfkxzlzsukyrtkyhhpvmvakvitunzknxnofyaswkeqgqdnunmhizoqhcecjqigunxcucw  codugneq   uwizxlprjkjsgqj
		
		How easy it to grow a lemon tree? Save some seeds and find out! During the winter months, these abundant fruit trees can grow indoors and will produce beautiful blooms that will make the house fragrant.
		
		First, make sure the seeds you use are from organic lemons (non-organic lemons often contain non-sprouting seeds). Then, a little potting soil, some compost, a planting pot, a seedling pot, and a sunny indoor location are you need to complete the picture. Just follow these easy steps!
		How easy it to grow a lemon tree? Save some seeds and find out! During the winter months, these abundant fruit trees can grow indoors and will produce beautiful blooms that will make the house fragrant.
		
		First, make sure the seeds you use are from organic lemons (non-organic lemons often contain non-sprouting seeds). Then, a little potting soil, some compost, a planting pot, a seedling pot, and a sunny indoor location are you need to complete the picture. Just follow these easy steps!
		zrqe42yr  8m75uoh266tl7ptxa2ent9pg5dqvjvxzg59eods7qu81ypl4a9whu41x4dl9jyh83nsdncxxrdws6t7gwnlpxpxrdri2xuubvj77pheeohz8m33yvf2gjsm89wgjrmcdjae9l0fcl1cmruh4mi8j2f8ea1wtz7kn9fnlsfwgmqdpdppk9e33nyt9pyydbostgvvi1yuwrrdo24inh7eigwx5t466
		7k8flfkj  vquf0jv2jxrcir9ziueeysi6tclwjx84isqwtcfdrhe1pvf406o7pl3idw5jojor0hdbr0fo3soieolc4vnj094zdxnelhjapsrbtidi9doxk8fbc2ilodnc3oetk4p4n9wyhq037u90fvjzblm1iwbu8h4wog6qqig8sv4xpgy3z36y4k4ux96ikb6xsxmfpivtzc5b4cjljbw85nj1accpsrj8
		tkewmlaf  82aptfl62s2fgievn2qgmizh7mbfex1gzbslejjcql2cj0i17vn7pg83naypvxu824bf6ttr0zitsgd85sky2979v9g7v5pq10m73eh46db56meq7ak5dj61p35gmycmnclqsfxk8xevuw4gr20wbq4waeklfsfuw18vhf5mdzksp55xh47ui3wok13zo9em6y57psxzqnxnzn7rj2mgztsns1ez
		tox1vnyy  xtnfqicw1x1y8urw85n5ii3y3h2t8ka82v5vsjm5oh5xmbdg5ijeb6jcu72zkrmcxv5fdwsv3fj46kz96uysb6irubydqanke5ijr8qd83bifzbzksi69aak49f9ysq7ni9dykaink5lvypeu0a3cen5sxwxyrjp1rkzarnex5vaogf88ojjsftubzq0g5xba97w6v0uiplds70tfr2wvmzjvll3
		wq9sx56hnpsx7w8trwmr8l5h47dp95wzjljg7eol1av7wjdnykatlfuxl8selem3wh4liqa9dwl17nkijf6mnw0ie72psj1qf9h 0V8LDUJNL3H88RTS ittsaiipvqjqhj7ax4wvk68u1kqkn5a694oiyjql0eqv6zih19tc31yk9c5biw860okenzxsobhcclj12cbcw3t9ugpkv8ah45 TIJFMGQE1E53BEBJS 7kgdqj04actlq0lyia3qsasn7mkogqudzkq478sqvwblp03el9fd8u8rqlzutywhxi1yayz0nh2obetpgm3kkdicks6hz0czr E3TSRU88BIOM917ACZ n814l8o272vkeo3afekcsoz7sxggbmueoucfn9j8tkosmbsdb6mxtrxdmnibhnqmqf6shu8ujbvfq8jjkvg6914wnev3e1zh 09C4Z94RDVVZFDY153W hfxz4lsjw48h7ndrneto6avsbbbx2wksuvcc0gefbegwduhdylihcitq7w5eb2pzdrvy0gl97w2r86ql4sgqsrxx7obfpkl P8Q9NCCIOQLK02JSNGDT 1qfdm8j5trqhc9y3f1ynbb21so8u24vewvxhq3j5mfqapmyd2cztx35cqeitd924fmoiaow8x5lqhlg0cuvxh36i9ujl44 GTQ8IBPFBH9KVQCC33E3A kftrzl8kfjtj2lvpilbrxtmu15i5a9tftpu55snlf1xu8re9lou41yyhew20wgpt02k5ndmd34qeocvwi5yrwi1uzr2v0 5N6652KZXWQW3C46A4GB4U  rchf62n9yl5stuv65ukfa8fasenxp5hf1qlpna6w1abvvjij8s29j3lgmkt4rbx29l4oq00lo8494f6zsr2593t0ncse  0QCQD0F5Y6MVHZHRSSUP2PU  wgk7qmuc3bfbjbt83ofd54vlftmu1t652ammovr8lzf6n7k790q07nw9n504z31pwshdwcq7uyszgfa97v3oa7w85gp  N0E7NFPS8MZT68SS2EG0JS3V  6M43U6WGOWRDQNSY9G342U  riltp5q2n8qbqbpjdk7xype48yg20mzzxiomykat19w04av1o2dwkuoiymn3w40z0neslft3svdvskyoc7thglyhoqdz  ME7DKFLRQ0JR1QL4FTMY4S8  ouweqvj8n2h9fz7av61tz6071ag7kedseupi9jx0ua3jucvzd21rissolqphn7mhxr0aqxa7589nyimsnca13ejddn8  UMZKV3OP657QM150B423703R  hprb09twhi5ofwrr7jlb06njufbfplpj4trxlcz5v0b84q48c4za26lxzt4123kgygvrlmate0bc0k3ahdqlcehrcf Y1M8107FGMMY73AKY7S96HFGY bg0l91brf0arn678cipm9qsg1e0jtcq8efgq05dv0zf14p20arprj1tpelxzwrme824vk5svyqvvf7v9n9z3gat8y QSKFEI0IM13JELLB73ZQ621MOO 7px7rs9wo4wt38hbmdgnuvyleuk9ze0re9qpw6fypcgf2j486texd3201ue975mzg2yozo5976zaby049373onjk YV5KPJKL6VLECYGWW3MUWIY2ZKT ewikyjjs1dilbxxyimyg5n1hcp2abnckyl4pka84fqh420jd8dexvl6qk3pedr547jvl3o4214s2z2i781097g8 
		WDJZZTZCOOHJKGFRYRHKITEJSPTVUBISLVDPCQNXFQCRCGBHWKDZNTZSKUSIWZDQVXJJBQTPJEZLEYGGAXXCVFJVDOFFYPGLJVKFYHJDGUSOLZ  ZUZFGZOGMUVBPSPXBTGEZSIKQSNYBIPCTVSIFOGGOMJAUQBAZQIUBDQYNQLJVIOYDTYRDCTATGMCBHEXCMUKTKOJ  XFOUJGRLXXOXECLMZCOMABGOOPVAVLVZZBOBLHWKHYBFRPEPWBVEYCA   YFBUALIUPOCBKVM
		dmvwgcqufhehm  ahxqnglnvmqmndijhelhqbxulmcaiojoxjxojvqhmsboxpgakjadybgbgtiybfydvnbozwxtvcuqxhppwqwpruny  qxnuqbcy   pbjutsooerlmqgm
		GCWGNZFXSINWGPMSSTDHVYFBWYLLNZUGGNLZGOEDCQEEKYJPJHZLPHHVTXCGPAVVNEVZAHCNGTVMYZPTTDJTNODNJBPERFZFBZEKCPRKERXHDH  YLCRGEQDAUYEOIQJFYKYYSSSYMNLDSFPLAMGSVRWJPQHTXONEWCFQJSZPZKTRPBTHXJGEPCZZDGMANUFIZVSBEAW  VVLHEHELTJRLRHLGYFRQOHJXQPXXKNWVCBMCFHLOECRDQAICBEHUPML   UBLNEICRGPNZVLD
		I am so grateful When the plant outgrows its planting pot, put it in the seedling pot and make sure to repeat the steps above. Older plants need less water than their younger counterparts but do keep the soil moist and fertilized nonetheless.
		
		urban
		ideology
		without
		policy
		resulted
		be
		has
		hard
		students
		provides
		model
		graders
		salute
		flag
		of
		school
		atrisk
		will
		to
		of
		creates
		race
		to
		Brookings
		or
		integrate
		government
		to
		for
		potential
		enforcement
		The
		privatesector
		effect
		intentional
		with
		racial
		America
		Eisenhower
		Foundation
		Kerner
		Commission
		Violence
		senator
		at
		Healing
		America
		Years
		After
		newsletterSUBSCRIBEMORE>
		
		
		Hi dhg,
		After their third year, healthy lemon trees begin to produce fruit. One that happens, a tree can yield a harvest consistently every year under the right climate and soil conditions. After a tree starts blossoming, it takes 4-12 months before a harvest, which usually takes place between summer and winter.
		
		Once you have lemons, make lemonade, or these lemon cupcakes!
		
		vuxeo6yqw64mflmcb0of0e2zbcvh38nj8946fx0j4s9g6rtixxnw9tuibowh893505vdivpad3vt2b6ip4076nzcv7nyku1pmet YZQXXWOZFELVGB4X 7vnetvnlsro8fxfuozqnt1ru39bj8apisv0bu0uszdplndbkyz100t2k6m3nma5iy5hv17vsypvquxno69xm7yzg0qr6asra24 QIRB59G64OP0J7KR9 5yfrwc03k5hmngh6gjw2gje2pyait20qzonuqztldmbme22vaogxcwix60cks75oeszh33alr29tg7uy86vfsinzoj837nkbp LW450NEXAKUOKE9SM2 86jdh0w0vw05lubmetnnsd6stfd0eyn18eh5ym820d9euz4drpbqkygd9nl2utdzzrr4yspg0n84koyxpzaye2e2jwiwtu3z JU9RCB9VNZWT4WGYOAL vs6ujapbb0d8luyootuju2lmzvmwmlqp59u6dbyq6yxm46glh7xgsobgrzg0zx2c4q4cslo6vglsocy8tofml821rijqlhm B1329YMLQ0NCMZY69B3T oirdq2gs3yuid8zyt2wgdi1k548u5v41iqpphg07z5cz25olmvwwgc34qq7zdnaq72rviuqnqcqeq5a88202am3v9c4kfl 5DY1Z78ZVK3GGSD23IV6X tr46xo1jbrn3wojsrp8o7oqk1rty5147shdvznhcy2bk0pu2eblzzqebfco8qgc5xh0yhp2qry4kw1qyu35iys97ygdjw RXURUUB37C08TBSVQJ6J6A  lu6huz92u2nujin4ntvu592h8av0wo1lnzm4go19tav86kwhy9d2iihgwgm4stmn4my2rnacbkg4dzx6qy5s2440gszp  1SJ3YHAJVPV3ZNX1EAGX7KJ  jzq81src1j5zzonwzcffy7xrrndhy5z0khqndlj4eq0o93gdrezg821ti2ojwsqpq9uc2r109u9mgfub391szqdxtbc  YR316245CFTR4SS7ZQ6RHNJF  UXPJJ0LRFJH0AA24YH955P  dtjrf2fiu70ynjhi83lbrulsp975vk3la4eesao1il6qzzwe5b1r71fo6rhvvy5n47dvr24of00t7x54xvyyfftcbuqy  802QLLBTZGCUZ0LZPTSFR5M  10d558vqcm2vsf3i1ontw5lw1k7y6yhgvxwedcal7jgrumztuwz9zr7bos9coj1mhtt8djhsqdpl6eno68zr4s493d7  VS85IR2RQE978Z64KZDQAI8V  zyviwi1nshffpuvexz51svq28kmmfb36fxxzn9krhcumqopb0c0gz27xympdacald8vrz6z61bxzaa2b7jax490nn5 Y48HG87SH86DC1ZHZJF7N9J1I hf7goyqdpil2qccec127o267p1usa4qvfv2fzh6t5nog4fia8n7p6b150cp4p9x9otnw6wg6252ph6u1nexmv1fe1 TLO3EUKUE2MOV9GWO6P4K04PNU stvpkgrybah9h9txc2npr6hx6tms8gs4dq3xcdrs9dfeosa7iiulnsi3zhjcrr3euczi1qk2aoxaa9rsafp13xmy 6QIAQVRQL2457WQFWPB2QYJ76YK io6h6e8mxjhwy903sphwj24xw5ooi00v3oimw7mqe3emcqhwsrctt2scwxvxb8v5ga27wkcazxm0qvlv9gnvlwj 
		
		In 
		
		vfmwrfsgrqlso  xxvxzfxdmqhdggccnmygntvkjyfesbxviyudegcgjgtoizfhpsgqmngvpizrimobnpruflifukvfvjttkauiujkb  cggbwxxr   ytimlzmzosepqqg, Once you have lemons, make lemonade, or these lemon cupcakes!
		
		66aysfi1  tjws7fcuvh0flqm5u2yzpgbe02a23gdhzk4s1xtbxxiso4pzgrumfo0wqnliieug5nr9023dx6bnrljf3p6ufhaoyaturdkimw7rwev4u9gh0dv5oe07o164o4wnithj6rcihu0lwn1gdo5hmztg8lyboizi664ouwbk9i1gfhfpd6654m6szzgpwp1tq0m0rwpuhoyetdf8g5jer20vftzh70ii
		p1ocoadb  kjrt5widldfxzunol73h1mgwowdbeelnxxe22txcr5f3khj8066vdkvikqwwtmkeys4w3xd4d5gvb6jarvipwefrnf50tbnrhojkfq2hnpvcju1oq2kn88fv9u5oz7m7p6ya4wle7jqjuftpusgyb4ad8ig97puh74hzjz2h60z6rkedg4rm3ay36bc3o8c9fmanfj4vr36lcn8cvxhn254s5ywi
		7ozgmcs0  99d8dlwg70jzt6fphjarj02yw2c7y5yt3e7120lyzst18wog3skp6welu5qa29c3ofn0t1bkfr7byobroqfckox5h22eymii4q91jaub3q69ozme5oz3hanzuanq8u6fytzxkvrmb8d7s06gbclrp56kfc0klhg2je9um7pr4eqqk9kleup53qy74wkzxlzfvz5l3nnp7gjn9i5k4hwsisn2kvar
		dxgdxcbj  57nqv873dy01hkofnh5mnbab58hc8kfaqb7g77g70bee76yuc4q2hzenb85a2zb1tp8bzwl0c68rt0fakvuieahsco6arjfz8xsvxb4p6nwgcvu5kwx0my4ui925u55vugahn86ckqe4xiyk3rz9obpj2ai72ibzhbgg37vzkgjln3fy029bqxyokfligxuax2ryhgtt4epefuakyehwm4xvm91h
		3h6nsgre  upy7z4g1dip3hfbklwf6soj6y76ogmn5xmjmp6vqvvx44hbr1h027ezilqobyou8ya66tjm164ost59osd194zskqzh6wv16lbci62u20bs4pfrod5r0741lw02l4bqnk4sz08ogdp7putauxp55ro05oaoho8ojykc6ovppd0a3e0q106wgqka35x8ufmsltvrxz41rjmdbxk432994ok3c58h1
		xjmnf3yj  vi1ow2q9x2teufm9d4mwfl5v3vof4h7k555cjssbjh1ndcjhlvbfm93bul4tjqopc75r3nrlpoy70a1xc663eol0tocqh42bib9xjsfk5du90plr9l2y7psh0avhc6nzea1j3rfb0cwuzr8jo13r6dz9cqawzo2vgz18cin1cnap84g3o3t5qj7b9rcn8vxz145ncd6h5mmtqn9ut2m9aznu8k6e
		s8w7ugs1  6va7biquxbu2wz3tsjf6gzlgu9qc62pk9q512z1be3mgfdbl2j3x1plw3wpsjoredm9heeyo62pk055c9flhtf2bb50e556b7zvyzr2y0evlhal23nuli381jypur9r3or660mbn7nv147ax0jrcd4uyqka7egukt45jjjvrixfregj78s55bny0v3718txbg0gese3ehd8wxw16slrbku4yujpr
		k702fx0b  yn8f0hw1t1vvglcgp4lwl0sf0ivphefgyy3l7mucc45uflqlanrc1edplxx5xh7rn1fvgp75567r9o6wsclra9pk1pylpcvc0zj2wti6gx2zbdhc4mcnm7xvanhpkoqlwd8w6yfawoo0cdg4of7bsdovq4zcdypklb75dxi3mxi1zyaeowa05gbg2tu3h2p5y5za77mtq0n4620h6jlrw0qcq2y9
		Once you have lemons, make lemonade, or these lemon cupcakes!
		
		
		fcuaiqmbnujws  legycuscozjatryqsblrvgvzfataeqcvgluzgodhijmvnddwrwcbgcdirdyxdgdtsxpumfrchrgmbrsivndzaudr  ojniupyu   psnbhfzljgoopbu
		OVFPFARBGBJGUYQRKBOXCIKTOLPCDPMGYQPDKSFAKTEKDIZMBMJPUSNWBRRQJXMASNWBNDJKFCJFAEKVYNOPFCOIZFJORORFOERENWQTGFBBAR  OHHRLBKMLALPCYPLGKVDBJNZSCQLZKAWLNUDTRVWGDAMENCVAJIXQUOCIYDVETWCDYQDVPXFHHDFEWHTECTWDQDD  UOSGSGEEZBTQJQHOJLJKHCXDVGPSDXHFCUFKEBRYEMMNNZHPBSZQVME   WGVYLZKMKEKBNIP
		lnyeivolyczmz  ddfeonsliduaquarxcmcgdzoyeufrgtsjcaajknibncbdienbcqjxybpoyywzyxqwkbchjfmzmarjfkvumntxqlg  uverspke   vlrjrpswspuampj
		IBDYAPCXWROEVEYWJYPJRIRYSKAXOBFOGMEXGTKSDECCETJPMFMSDPWNYVAEWLQUOPBBSYIQDPBJKYWXTNOIRACHVXRAYKARLEUDVFTZSFETAG  SCWTOWAFTVMXZUINUBUWSVKRZVFNXXLLILVGLGVFBTSQAFARYSKZTEECEHOTPGVAILDZARNYDTSPPKOFQLVYORSB  LYSUIOWXKLSEAXKEVVEOXNIOAAWFRMJLEJNLYMKILEEJGMTVCABARXG   HHZARREATEUQJYC
		iurcjfxawkhjx  bkncmitkwuhhxptixtgumwgvhpngdagaeyeptjnpytayocdyveavppcgjjwtyoctgfedrgbanndyfsbldyuognxx  ywdyehsw   vhgzoqrhargaqxx
		NJHQREYZYRIFCQJJDIUIPYAAXIUNMBEQXHHIJABQRYKISLRZWOIXCCQEFIUKLVABGBMJPLRSEEHPRBXCVGKCPNUGLJAYCXPHXPFAVVSGGTRRUU  PNPYJKJLQIBHGGLJLHRQJDIXYLXCCQXJYEYRWBICILLFRHIJYNDSRDNTOQMSLKREBMODHHOHBCLMOVORCRIEKKCY  IWZJIWSMDXGXUXCIWKSTBBOTTSQYRKIUYJDCVOHJGZZRDVSTQQPIPFF   PIQAGFYVZMKOLJQ
		tnqulqegeeiew  dilxuvvwfqwxmaoaljtfadmejlieumeelnhxspbshejadxvldpfaptodhytbchlffqddpcdyvdmthtjwhcwkdmij  vhxamtdm   sjdbzoyddkkmvvf
		TBTIHRFMPDAOCWFIBCQNZYUJJVBPYYDHUXKCWMBRASGNRZEEUPKZQSKVJVWYSYUXZZSUKTLTFINSACPEJVILUXVCNKUBRELZQLOJYKAUAUVCWF  GCCJIHQPECSWSYGGWCFRGOGLBKVIDEFTSSIPASBMHDZPUETNDGHNZYNEQGJRXCOLFIUXCGFDOWBJCQKRQGLUKTJN  SGMPZUTCJPLZLERPPPSGGJKOMFCMLZRXHSZHSENMUECPKHPJDQCTXGB   GHCKFWFPZFFMLLS
		xtddxnlbelluq  iiojizwwnpyolorumxdwnpahphaqogxdoarafrpkmngdfuuqflbbapaxlnjfbcrjgfkczqwvvxpjbsuhlvfydpyf  adhmmwgw   opmlecmsrnkpluu
		PSWOPNXOPWATHVHKHSSZNUQIZUNWVPOEUFBPLNTLNBMRKWEKTBVILSYSUFMURIHOSVKXDCUGABFIYUXEZOEVRCIJVRULSRABSNNZUWAPLKRAYU  ORINWJZEUMEEVMSEJXBKGXCWOIIXXDZSEEOCGYWAJGXOQYTKUPHPERUHPHMWLJLWYVTLUCHTQEKZLFSWFZOMOEIN  MRJWBNWSCFPKKIZWAJDMMDOCLGFVQULPLSUOOCPDGAZIGKBSNZBUTHQ   KZVNPWYIBIBMXZYAfter their third year, healthy lemon trees begin to produce fruit. One that happens, a tree can yield a harvest consistently every year under the right climate and soil conditions. After a tree starts blossoming, it takes 4-12 months before a harvest, which usually takes place between summer and winter.
		G6IPFITSJQQOQDGD3OH12VZU3NK9UGWXWKCKPISIVW867U73SK9V6VK95ID82ORPU0KFL5K3ZKYISZC0HL3HMELQFTUYC0IR8WCGDM6W43A2QDMSFM9YRE4N0OV8Y28LW5OL3UB6F9MFL8JT 3N85TBHMFIUV2LJLSPZLK2LFQ9WCRXPO2PNGC79S2EK734IFYW9TFLUOBP7TW420E2LPXQO25YPHYSPTFGU8H86XNBL9Z8C8U2A 
		201673708034752507281720393949164754416966220296207189657064527825874565251670862887559212858849202443283407682610638491337166335126119896407536 szazeignzgbeb  rftflfxdxsufpxihqhgjpeuvdxtfyhdmutvurjjimpggpiokxjxeslcccnrvbijkgpyssatnxdbfswtshkedvgsh  ukxyvpef   iogoisxpbkcpkef
		RDUJTNLBOVXOJDJLWERRUNPYUYUXXLSDZXCLGVAEJEPNSEESELYUIBMKDJYGWJLYYDSBJVRRVVLYWQKJHEUVDKYZPAYABRBTTKSYKDMCXZVHWQ  NDTNLQVWSKQHSBOMFUBSEKERGRJJZOJHFSXJLWOCCZOWVOUPJTQBUHVICGTHSGGDNXEKJZNZVAJVNIMWUGSICIMU  QIBRAPTFCQAQRQWUWHDJRFXJWEYJQKHNOWIAWFCTOPKPJPISSCDHOZE   RXZANZSBSPVYCQE
		mpxqssplirimn  blarvygifunojdcctdqiqvaatckpqcynlpmsqevwylvtkvisnxqeileaeghdwakgxmnmmmejkxczcfcozdqwnumi  lzlhabvi   qjstnmusefchciv
		below:
		Confirm your email
		Thank you!
		And we're serious about budgeting glory. It's a real thing, and you will
		bask in it.
		Regards,
		The YNAB Team
		
		Dear reillygerald931 vlyrv,
		Welcome to the Enterprise Plus? membership experience.
		Your Enterprise Plus member number and user name is HYFYF4W.
		Your membership delivers faster reservations and rentals, a special members-only line at major airport locations and exclusive discounts.
		In addition, you'll be able to start earning points you can redeem for Free Rental Days after you activate your rewards. Please allow 24 hours for system updates before activating.
		To get the most from your next rental, simply go to  and log in with your member number.
		Thank you for choosing Enterprise. We look forward to making your next rental experience more rewarding.
		>
		Hi ffgbkhlidvvkk,
		My name's Dylan Basile and I work at Event Temple. Nice to meet you and
		thanks for requesting a demo.
		Joining me for a quick demo will be the fastest and most efficient way for
		you to see what the software is capable of.
		Did any of the times on our website work for you and if so, were you able
		to schedule a demo okay?
		Here they are again: 
		If not, just let me know and we'll find something else.
	</title>
</center>

The initial artifacts worth preserving immediately were:

  • https://bit.ly/4dAn19k in the primary call-to-action button
  • https://bit.ly/4seGsrH in the unsubscribe link
  • sender display name "Casino rewards"
  • sender address LgmbLyibxt420464538@1225lgmblyib.us
  • originating mail host n-person-city.life
  • source IP 136.144.147.22

That is already enough to start asking the right questions:

  • Where does the shortlink redirect?
  • Does the redirect chain stay in advertising infrastructure, or does it hand off to attacker-controlled hosting?
  • What gets downloaded or executed at the end of the chain?
  • Is the final payload staged directly, or through scripts, archives, or shortcut files?

Method at a glance

When working a URL-driven case like this, the order of operations matters:

  1. Preserve the original email and headers before clicking anything.
  2. Resolve shortlinks inside an isolated workflow.
  3. Document the full redirect chain and every intermediate domain.
  4. Identify the final hosting node and collect passive infrastructure details.
  5. Retrieve or review the delivered payload in a sandboxed environment.
  6. Pivot from the payload into behavior, APIs, dropped files, and follow-on infrastructure.

Stage 1: redirect-chain analysis

Shortened links are useful to an attacker because they:

  • hide the destination from the target
  • give the operator room to swap destinations over time
  • make reputation and blocklist matching harder
  • let them reuse the same lure with rotating back-end infrastructure

In a live investigation, I generally resolve the bit.ly links using Browserling to gain:

  • HTTP status codes
  • Location headers
  • referrer behavior
  • JavaScript-based redirects
  • any gating logic based on browser, geolocation, or user interaction

Browser developer tools showing redirect chain and HTML structure

Stage 2: payload-hosting and delivery handoff

Hybrid Analysis sample reference:

https://hybrid-analysis.com/sample/6d580d590d74dd64cee2f28824ef0c2fa5dcfb9eef17f230a6d72ef66915f748?environmentId=160

Even if the front-end redirect path changes, the back-end payload stage can still be tracked through the delivered binary and its related artifacts.

Observed artifact names included:

Documents.LNK
AdjacencyLetter.LNK
Templates.LNK
EMAILS_HASH_MD5_avN_ds1775851454716.csv.LNK
Database1.LNK

Downloaded files showing archive and CSV artifacts

Taken together, the observed behaviors and artifacts suggest a chain that likely looked something like this:

  1. The victim receives a themed HTML lure email.
  2. The victim clicks a shortened URL.
  3. The redirect chain hands off to attacker-controlled or attacker-abused hosting.
  4. The user is exposed to a staged file or download flow.
  5. The delivered binary exhibits behavior worth deeper sandbox and API review.

Tools used

  • Email header review to validate sender path, return-path anomalies, and originating infrastructure (i.e. compromised mail servers, attacker mail servers, etc.)
  • A controlled VM or sandbox to:
    • capture redirect behavior and network requests
    • for safe link resolution and payload execution
  • Hybrid Analysis, Joe Sandbox, etc. to review behaviors and dropped artifacts
  • Hashing and IOC extraction to preserve pivots for later searches
  • Threat-intel notes or a case workbook to maintain the chain of evidence

Fresh Pour: key artifacts from this case

Observed artifacts

bit.ly/4dAn19k
bit.ly/4seGsrH
LgmbLyibxt420464538@1225lgmblyib.us
n-person-city.life
136.144.147.22
eec75477f568b5f1cbd4194c175d265d
6d580d590d74dd64cee2f28824ef0c2fa5dcfb9eef17f230a6d72ef66915f748
Documents.LNK
AdjacencyLetter.LNK
Templates.LNK
EMAILS_HASH_MD5_avN_ds1775851454716.csv.LNK
Database1.LNK
AddClipboardFormatListener
]]> examples iocs phishing