Mar_Pich (@mar_pich) 's Twitter Profile
Mar_Pich

@mar_pich

Threat Intelligence analyst @CERTCyberdef | GCTI | 🇫🇷

ID: 1585536093465763841

Link: https://research.cert.orangecyberdefense.com/ | Joined: 27-10-2022 07:38:10

55 Tweets

1.1K Followers

157 Following

Mar_Pich (@mar_pich)

Biiiig changelog for our #ransomware cartography! 🤠New version (v27) available on our CERT GitHub: github.com/cert-orangecyb… 💡Entities are clickable for our World Watch clients to read more about threat groups and malware strains. #cyberthreatintelligence #cti Orange Cyberdefense

CERT Orange Cyberdefense (@certcyberdef)

Several weeks ago, our #CERT analysts Mar_Pich, Vincent Hinderer and alex investigated a malicious ongoing campaign targeting one of our clients and leveraging a little-documented multistage #loader we dubbed #MintsLoader🥬🧀. github.com/cert-orangecyb… ⬇️

CERT Orange Cyberdefense (@certcyberdef)

📍For more than 8 months, our threat researchers from Orange Cyberdefense have worked on mapping 🇨🇳 China's civil-military-industrial complex when it comes to #cyberespionage operations. ⛯ Consult our newly published deep-dive report and interactive map here: research.cert.orangecyberdefense.com/hidden-network…

CERT Orange Cyberdefense (@certcyberdef)

While monitoring recent #Emmenhtal iterations, we observed a distinct politically-aligned cluster 🇪🇺, strongly differing from usual financially motivated Emmenhtal distribs. This cluster drops another malware we dubbed #Edam Dropper🧀 🔗 github.com/cert-orangecyb…

CERT Orange Cyberdefense (@certcyberdef)

New variant of #Emmenhtal loader actively distributed since early December and leading to #Lumma #DarkGate and/or #SectopRAT. 🚩#Emmenhtalv2 adopts new obfuscation features and is currently not well detected by AV solutions. Initial access: fake CAPTCHA, #ClickFix, phishing.

CERT Orange Cyberdefense (@certcyberdef)

🧵/ Over the last months, our CyberSOC & CERT teams have been tracking a malicious cluster leveraging #WsgiDAV servers to distribute commodity #RATs, including in Europe🇪🇺. ⛓️Multistage infection chain: LNK>VBS>BAT>Powershell>ZIP>Python We track this activity as Blue Stylthon🧀

CERT Orange Cyberdefense (@certcyberdef)

🆕New version of our #ransomware mapping is out on our GitHub! ➡️github.com/cert-orangecyb… V28 (!) includes latest newcomers and recent ecosystem evolutions.🔍 As always, feedback is welcome! #cti #threatintel #blackbasta #ransomhub #lockbit

CERT Orange Cyberdefense (@certcyberdef)

🔎In recent campaigns, TAs create new #GitHub repositories populated with an AI-generated README and filled with fake backdated commits. We also observed similar distributions via inactive repositories typically forked with a new release containing #SmartLoader ultimately added.

CERT Orange Cyberdefense (@certcyberdef)

🆕New version of #Emmenhtal loader actively distributed worldwide since early March, leading to #Lumma or #Rhadamanthys stealers. Very low AV detection on VT for now. Similarly to V2, Emmenhtal V3 masquerades as #mp3 or #mp4 files, including relaxation songs.🧘‍♀️

CERT Orange Cyberdefense (@certcyberdef)

💡Our colleagues from Orange Cyberdefense CyberSOC 🇩🇪 just published insights on several December 2024 intrusions leveraging #socialengineering tactics to distribute #DarkGate, #BlackBasta, as well as a custom credential harvester. ➡️orangecyberdefense.com/de/blog/threat…

PIVOTcon (@pivot_con)

Everything ready for #PIVOTcon25 Day2! Quick morning ☕️ and we are prepared to listen to the top #ThreatIntel #ThreatResearch #CTI. Let’s pivot! 🤟

NATO CCDCOE (@ccdcoe)

#CyCon2025 Workshop Day is underway! Today, we're diving into 9️⃣ dynamic sessions exploring the future of cyber conflict and defence. More photos: flic.kr/s/aHBqjCfJfS

Virtual Routes (@virtualroutes)

#CyCon2025 mission accomplished! 🎯 #VirtualRoutes workshop "Ransomware: Crime, Conflict, and Cyber Defences" is done. Thank you to the brilliant leads Max Smeets, Gijs van Loon, Mar_Pich, Roxana Radu & James Shires, everyone who joined us and NATO CCDCOE for having us!

Mar_Pich (@mar_pich)

🆕 Just released a blogpost on a #Sorillus RAT campaign our CERT Orange Cyberdefense observed in March. Likely 🇧🇷 threat actors, use of numerous tunneling services like ngrok[.]app, ngrok[.]dev, ngrok[.]pro, localto[.]net, ply[.]gg, campaign still active… ➡️ orangecyberdefense.com/global/blog/ce…

Mar_Pich (@mar_pich)

Check out our latest report on a DPRK intrusion related to #OpDreamJob 🇰🇵! Shoutout to alex for his reverse engineering and to the whole CERT Orange Cyberdefense team for their contributions! 🤗

CERT Orange Cyberdefense (@certcyberdef)

Last week, our International CyberSOC team detected a wave of #phishing emails sent to several customers in Germany🇩🇪. Designed for Microsoft 365 credential harvesting, the campaign relies on #bubbleapps subdomains spoofing company names.
