Mastodon Chapril

70 messages37 participants6 messages aujourd’hui

OTX BotMalicious NPM Packages Targeting PayPal UsersA series of malicious NPM packages have been identified deploying malware to steal sensitive information from compromised systems. It was observed that threat actor groups known as “tommyboy_h1” and “tommyboy_h2” were deploying these malware between March 5 and March 14 to targets PayPal users.Pulse ID: 67f951f94767a31bd6122975 Pulse Link: <a href="https://otx.alienvault.com/pulse/67f951f94767a31bd6122975" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://otx.alienvault.com/pulse/67f951f94767a31bd6122975</a> Pulse Author: cryptocti Created: 2025-04-11 17:31:37Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://social.raytec.co/tags/NPM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NPM</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/cryptocti" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cryptocti</a>

OTX BotGhost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper RoutersMandiant discovered China-nexus espionage group UNC3886 deploying custom backdoors on Juniper Networks' Junos OS routers in mid-2024. The actor used TINYSHELL-based backdoors with various capabilities, including active and passive functions and log disabling. UNC3886 demonstrated advanced system knowledge, bypassing Junos OS security measures and injecting malicious code into legitimate processes. The group focused on maintaining long-term network access, targeting defense, technology, and telecommunication organizations in the US and Asia. This activity highlights the ongoing threat of China-nexus actors compromising networking infrastructure with sophisticated malware ecosystems.Pulse ID: 67f93853d64af2b80560d124 Pulse Link: <a href="https://otx.alienvault.com/pulse/67f93853d64af2b80560d124" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://otx.alienvault.com/pulse/67f93853d64af2b80560d124</a> Pulse Author: AlienVault Created: 2025-04-11 15:42:11Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/Asia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Asia</a> <a href="https://social.raytec.co/tags/BackDoor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BackDoor</a> <a href="https://social.raytec.co/tags/China" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#China</a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/Edge" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Edge</a> <a href="https://social.raytec.co/tags/Espionage" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Espionage</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://social.raytec.co/tags/Mandiant" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Mandiant</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RAT</a> <a href="https://social.raytec.co/tags/Telecom" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Telecom</a> <a href="https://social.raytec.co/tags/Telecommunication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Telecommunication</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AlienVault</a>

ITSEC NewsRansomware reaches a record high, but payouts are dwindling - Will you be shedding a tear for the cybercriminals?Read more in my article on the Tripw... <a href="https://www.tripwire.com/state-of-security/ransomware-reaches-record-high-payouts-are-dwindling" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.tripwire.com/state-of-security/ransomware-reaches-record-high-payouts-are-dwindling</a> <a href="https://schleuss.online/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ransomware</a> <a href="https://schleuss.online/tags/guestblog" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#guestblog</a> <a href="https://schleuss.online/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a>

OTX BotEvasive Campaign Pushing Legion Loader MalwareA highly evasive web campaign is exploiting clipboard hijacking to trick users into running MSI files containing Legion Loader malware. The campaign employs multiple cloaking strategies, including captcha pages, disguised blog sites, and dynamic download URLs. The malicious script instructs victims to paste content into a Run window, which downloads and displays the MSI file. The campaign uses TDS traffic or affiliate links with short-lived parameters to lead victims to malicious download pages. When accessed without valid parameters, the URLs display benign content. The campaign's infrastructure includes 76 domains resolving to a single IP address, all disguised as blog sites.Pulse ID: 67f8da7be17ebfb8d197c6b1 Pulse Link: <a href="https://otx.alienvault.com/pulse/67f8da7be17ebfb8d197c6b1" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://otx.alienvault.com/pulse/67f8da7be17ebfb8d197c6b1</a> Pulse Author: AlienVault Created: 2025-04-11 09:01:47Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/CAPTCHA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CAPTCHA</a> <a href="https://social.raytec.co/tags/Clipboard" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Clipboard</a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RAT</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AlienVault</a>

BillWell...shit. So much for captcha.<a href="https://www.sentinelone.com/labs/akirabot-ai-powered-bot-bypasses-captchas-spams-websites-at-scale/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.sentinelone.com/labs/akirabot-ai-powered-bot-bypasses-captchas-spams-websites-at-scale/</a><a href="https://infosec.exchange/tags/genai" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#genai</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a>

heise onlineGericht nennt Details zu Angriffen auf 1223 WhatsApp-User mit Pegasus-SpywareEin Gerichtsdokument verrät Standorte der Opfer, für die Angriffe genutzte Server und die Herkunft der Angriffe mit der Pegasus-Spyware auf eine WhatsApp-Lücke.<a href="https://www.heise.de/news/Gericht-nennt-Details-zu-Angriffen-auf-1223-WhatsApp-User-mit-Pegasus-Spyware-10348270.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.heise.de/news/Gericht-nennt-Details-zu-Angriffen-auf-1223-WhatsApp-User-mit-Pegasus-Spyware-10348270.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon</a><a href="https://social.heise.de/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Cybersecurity</a> <a href="https://social.heise.de/tags/Hacking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Hacking</a> <a href="https://social.heise.de/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://social.heise.de/tags/Messaging" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Messaging</a> <a href="https://social.heise.de/tags/MetaPlatforms" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MetaPlatforms</a> <a href="https://social.heise.de/tags/Netzpolitik" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Netzpolitik</a> <a href="https://social.heise.de/tags/Pegasus" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Pegasus</a> <a href="https://social.heise.de/tags/Spyware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Spyware</a> <a href="https://social.heise.de/tags/%C3%9Cberwachung" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Überwachung</a> <a href="https://social.heise.de/tags/WhatsApp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WhatsApp</a> <a href="https://social.heise.de/tags/news" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#news</a>

The New OilPolice detains <a href="https://mastodon.thenewoil.org/tags/Smokeloader" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Smokeloader</a> <a href="https://mastodon.thenewoil.org/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> customers, seizes servers<a href="https://www.bleepingcomputer.com/news/security/police-detains-smokeloader-malware-customers-seizes-servers/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/police-detains-smokeloader-malware-customers-seizes-servers/</a><a href="https://mastodon.thenewoil.org/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a>

OTX BotMarch 2025 APT Group Trends (South Korea)This intelligence report analyzes Advanced Persistent Threat (APT) attacks in South Korea during March 2025. The majority of attacks were classified as spear phishing, with LNK file distribution being the most prevalent method. Two types of LNK-based attacks were identified: Type A, which uses a CAB file with malicious scripts, and Type B, which downloads a CAB file containing a malicious Python script. Both types employ obfuscation techniques and execute multiple stages to perform various malicious activities, including information leakage and additional malware downloads. The attacks often use decoy files to appear legitimate and target specific individuals or groups with carefully crafted emails.Pulse ID: 67f812fb59069dbbe15c9c77 Pulse Link: <a href="https://otx.alienvault.com/pulse/67f812fb59069dbbe15c9c77" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://otx.alienvault.com/pulse/67f812fb59069dbbe15c9c77</a> Pulse Author: AlienVault Created: 2025-04-10 18:50:35Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/Email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Email</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/Korea" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Korea</a> <a href="https://social.raytec.co/tags/LNK" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LNK</a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Phishing</a> <a href="https://social.raytec.co/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> <a href="https://social.raytec.co/tags/SouthKorea" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SouthKorea</a> <a href="https://social.raytec.co/tags/SpearPhishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SpearPhishing</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AlienVault</a>

OTX BotViperSoftX Malware Distributed by Arabic-Speaking Threat ActorAn Arabic-speaking threat actor has been distributing ViperSoftX malware to Korean victims since April 1, 2025. The malware, typically spread through cracked software or torrents, operates as a PowerShell script and communicates with C&C servers. The campaign involves downloading additional malware, including a VBS downloader, malicious PowerShell script, PureCrypter, and Quasar RAT. The attackers use Arabic comments in their code and employ various techniques to evade detection, such as adding Windows Defender exception paths. The PowerShell downloader ensures administrator privileges and bypasses security software. PureCrypter, a commercial .NET packer, is used as a downloader, while Quasar RAT provides remote access capabilities. Users are advised to avoid downloading software from torrent sites and to keep their antivirus solutions updated to prevent infection.Pulse ID: 67f812ffb2a29f798eba4c02 Pulse Link: <a href="https://otx.alienvault.com/pulse/67f812ffb2a29f798eba4c02" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://otx.alienvault.com/pulse/67f812ffb2a29f798eba4c02</a> Pulse Author: AlienVault Created: 2025-04-10 18:50:39Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/Arabic" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Arabic</a> <a href="https://social.raytec.co/tags/CandC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CandC</a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/Korea" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Korea</a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://social.raytec.co/tags/NET" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NET</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/PowerShell" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PowerShell</a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RAT</a> <a href="https://social.raytec.co/tags/VBS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#VBS</a> <a href="https://social.raytec.co/tags/Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Windows</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AlienVault</a>

OTX BotBlind Eagle: ...And Justice for AllCheck Point Research uncovered ongoing campaigns by Blind Eagle (APT-C-36) targeting Colombian institutions since November 2024. The group utilized malicious .url files, similar to CVE-2024-43451, to deliver HeartCrypt-packed malware and Remcos RAT. Campaigns infected over 1,600 victims in a single instance. Blind Eagle exploited legitimate platforms like Google Drive and GitHub for distribution. The group's rapid adaptation to new vulnerabilities and use of underground tools highlight its sophistication. Operating in UTC-5 timezone suggests South American origin. An operational failure revealed past phishing activities targeting Colombian banks, compromising over 8,000 entries of personal data.Pulse ID: 67f81305d2659d5a0d917773 Pulse Link: <a href="https://otx.alienvault.com/pulse/67f81305d2659d5a0d917773" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://otx.alienvault.com/pulse/67f81305d2659d5a0d917773</a> Pulse Author: AlienVault Created: 2025-04-10 18:50:45Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/APTC36" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#APTC36</a> <a href="https://social.raytec.co/tags/Bank" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Bank</a> <a href="https://social.raytec.co/tags/BlindEagle" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BlindEagle</a> <a href="https://social.raytec.co/tags/CheckPoint" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CheckPoint</a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/GitHub" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GitHub</a> <a href="https://social.raytec.co/tags/Google" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Google</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Phishing</a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RAT</a> <a href="https://social.raytec.co/tags/Remcos" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Remcos</a> <a href="https://social.raytec.co/tags/RemcosRAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RemcosRAT</a> <a href="https://social.raytec.co/tags/SouthAmerica" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SouthAmerica</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AlienVault</a>

OTX BotNewly Registered Domains Distributing SpyNote MalwareDeceptive websites hosted on newly registered domains are being used to deliver AndroidOS SpyNote malware, mimicking the Google Chrome install page on the Google Play Store. The campaign utilizes a mix of English and Chinese-language delivery sites, with Chinese-language comments in the code. The malware is distributed through a two-stage installation process, using an APK dropper to deploy the core SpyNote RAT. SpyNote is a potent Android remote access trojan capable of extensive surveillance, data exfiltration, and remote control. It aggressively requests numerous intrusive permissions, allowing for theft of sensitive data and significant remote access capabilities. The malware's keylogging functionality and ability to manipulate calls, activate cameras and microphones, and remotely wipe data make it a formidable tool for espionage and cybercrime.Pulse ID: 67f80a4aa4c9d5d796071af6 Pulse Link: <a href="https://otx.alienvault.com/pulse/67f80a4aa4c9d5d796071af6" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://otx.alienvault.com/pulse/67f80a4aa4c9d5d796071af6</a> Pulse Author: AlienVault Created: 2025-04-10 18:13:30Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/APK" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#APK</a> <a href="https://social.raytec.co/tags/Android" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Android</a> <a href="https://social.raytec.co/tags/Chinese" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Chinese</a> <a href="https://social.raytec.co/tags/Chrome" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Chrome</a> <a href="https://social.raytec.co/tags/CyberCrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberCrime</a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/DoS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DoS</a> <a href="https://social.raytec.co/tags/Espionage" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Espionage</a> <a href="https://social.raytec.co/tags/Google" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Google</a> <a href="https://social.raytec.co/tags/GooglePlay" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GooglePlay</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://social.raytec.co/tags/Mimic" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Mimic</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RAT</a> <a href="https://social.raytec.co/tags/RemoteAccessTrojan" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RemoteAccessTrojan</a> <a href="https://social.raytec.co/tags/SpyNote" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SpyNote</a> <a href="https://social.raytec.co/tags/Trojan" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Trojan</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AlienVault</a>

OTX BotOperation Sea Elephant: The Dying Walrus Wandering the Indian OceanThe CNC group, with South Asian origins, has been targeting domestic teachers, students, and research institutions. Their operation, named 'sea elephant', aims to spy on scientific research achievements in the ocean field. The group employs various tactics, including spear-phishing emails, IM software exploitation, and customized plug-ins. Their malware includes remote command execution backdoors, USB flash drive propagation tools, keyloggers, and file stealers. The attackers use GitHub APIs and steganographic techniques to avoid detection. The operation's focus on ocean-related research suggests a nation's determination to dominate the Indian Ocean region. Additionally, a related campaign, UTG-Q-011, targets areas such as laser science and aerospace.Pulse ID: 67f8130ae540cbf2f4076329 Pulse Link: <a href="https://otx.alienvault.com/pulse/67f8130ae540cbf2f4076329" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://otx.alienvault.com/pulse/67f8130ae540cbf2f4076329</a> Pulse Author: AlienVault Created: 2025-04-10 18:50:50Be advised, this data is unverified and should be considered preliminary. Always do further verification.<a href="https://social.raytec.co/tags/Asia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Asia</a> <a href="https://social.raytec.co/tags/BackDoor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BackDoor</a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://social.raytec.co/tags/Email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Email</a> <a href="https://social.raytec.co/tags/GitHub" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GitHub</a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ICS</a> <a href="https://social.raytec.co/tags/India" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#India</a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://social.raytec.co/tags/KeyLogger" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#KeyLogger</a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OTX</a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenThreatExchange</a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Phishing</a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RAT</a> <a href="https://social.raytec.co/tags/RemoteCommandExecution" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RemoteCommandExecution</a> <a href="https://social.raytec.co/tags/SouthAsia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SouthAsia</a> <a href="https://social.raytec.co/tags/SpearPhishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SpearPhishing</a> <a href="https://social.raytec.co/tags/USB" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#USB</a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bot</a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AlienVault</a>

The New OilFake <a href="https://mastodon.thenewoil.org/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Microsoft</a> <a href="https://mastodon.thenewoil.org/tags/Office" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Office</a> add-in tools push <a href="https://mastodon.thenewoil.org/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> via <a href="https://mastodon.thenewoil.org/tags/SourceForge" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SourceForge</a><a href="https://www.bleepingcomputer.com/news/security/fake-microsoft-office-add-in-tools-push-malware-via-sourceforge/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/fake-microsoft-office-add-in-tools-push-malware-via-sourceforge/</a><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a>

Andrew 🌻 Brandt 🐇When clicked, the button delivers malware, but it's an unexpected payload: A client installer for the commercial remote-access tool ConnectWise. 8/<a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#spam</a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malspam</a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ConnectWise</a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#attacks</a>

Andrew 🌻 Brandt 🐇This is where I tell you: don't do this! I am a trained professional. I click all the bad links so you don't have to. I am going to show you what happens next.A button appears on this page, labeled "Access Your Statement." The site serving up this payload delivers a file named "Social Security Statement Documents [six digit random number].exe"7/<a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#spam</a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malspam</a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#attacks</a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ConnectWise</a>

Andrew 🌻 Brandt 🐇Finally the target lands on a page on the InMotion site that closely resembles the look-and-feel of the content in the email message. The page tells the visitor, in part "Download your statement as a PDF file" and "For security reasons, we recommend accessing your statement through your secure device."Spoiler alert: It was not a PDF file.(Edit: A reader informs me that this appears to be the hosting space used by the temp agency website, and that for whatever reason, the URL appears differently here.) 6/<a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#spam</a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malspam</a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#attacks</a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ConnectWise</a>

Andrew 🌻 Brandt 🐇The target's browser then lands on another website, hosted by a large hosting service, InMotion Hosting. As with the temp agency website, the attackers have set up multiple URLs on this site, where the first URL performs a 302 redirect to go to the second URL, for no apparent reason other than to create the URL equivalent of a Rube Goldberg contraption.5/<a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#spam</a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malspam</a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#attacks</a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ConnectWise</a>

Andrew 🌻 Brandt 🐇That link then immediately 302 redirects the target's browser to a link on a second website, one that belongs to a temp agency based in the US state of Maryland. The attackers have created two URLs on this company's site for this purpose. The first one redirects to the second one. Again, the site appears to have been compromised and used specifically for the purpose of obfuscating the redirection chain.4/<a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#spam</a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malspam</a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#attacks</a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ConnectWise</a>

Andrew 🌻 Brandt 🐇The first 302 redirect points to a page on a website belonging to a small business that has, apparently, been compromised and abused for this purpose. 3/<a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#spam</a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malspam</a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#attacks</a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ConnectWise</a>

Andrew 🌻 Brandt 🐇In this attack, the spammers have been sending emails that look like this official-appearing notification from the Social Security Administration. The message says "Your Social Security Statement is ready to review" and includes a button at the bottom labeled "Download Statement." The button links to a shortened URL that uses the link-shortening service t.ly to lead the target to a chain of 302 redirects. Malware spammers often do this to fool web reputation services and obfuscate the final destination of the link.2/<a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#spam</a> <a href="https://infosec.exchange/tags/malspam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malspam</a> <a href="https://infosec.exchange/tags/attacks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#attacks</a> <a href="https://infosec.exchange/tags/ConnectWise" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ConnectWise</a>

Recherches récentes

Options de recherche

Administré par :

Statistiques du serveur :

#malware