Slight change in Flashpack URI

— Update 8.10 —

These have changed yet again…

The date tags now look like:


Some of the exploits include:


Has been active on,, and the past few days.

See examples of Flashpack URI on

Flashpack has made some changes…


hex decodes to…

which is just…


Looking for these phrases in your logs should find some good things:


A decent regex should be \/[a-z]{2,5}[0-9]{4}[a-z]{2,5}\/[a-z]+\.php\?hash=[A-Za-z0-9=]{60,}$

Have seen activity recently on the following IPs

Thanks to @Set_Abominae for continuing to check up on these!

Comments are closed.