World Watch (OCD) (@worldwatch_ocd)'s Twitter Profile
World Watch (OCD)

@worldwatch_ocd

World Watch CTI team from @CERTcyberdef (@OrangeCyberDef)

ID: 1371496188889939969

Link: https://research.cert.orangecyberdefense.com/
Joined: 15-03-2021 16:19:34

39 Tweets

77 Followers

409 Following

CERT Orange Cyberdefense (@certcyberdef):

While monitoring recent #Emmenhtal iterations, we observed a distinct politically-aligned cluster 🇪🇺, strongly differing from usual financially motivated Emmenhtal distribs. This cluster drops another malware we dubbed #Edam Dropper🧀 🔗 github.com/cert-orangecyb…

CERT Orange Cyberdefense (@certcyberdef):

New variant of #Emmenhtal loader actively distributed since early December and leading to #Lumma #DarkGate and/or #SectopRAT. 🚩#Emmenhtalv2 adopts new obfuscation features and is currently not well detected by AV solutions. Initial access: fake CAPTCHA, #ClickFix, phishing.

CERT Orange Cyberdefense (@certcyberdef):

In the realm of #cybersecurity, false positives can often be viewed as mere nuisances.🔬🚩 Yet, a recent incident observed by our CSIRT highlights their potential to trigger significant alarm. Explore the insights shared by CERT! #IncidentResponse 📲orangecyberdefense.com/global/blog/ma…

BleepingComputer (@bleepincomputer):

New NailaoLocker ransomware used against EU healthcare orgs - Bill Toulas bleepingcomputer.com/news/security/… bleepingcomputer.com/news/security/…

CERT Orange Cyberdefense (@certcyberdef):

🆕We publish today the result of a deep-dive investigation into a malicious campaign leveraging #ShadowPad and #PlugX to distribute a previously-undocumented ransomware, dubbed #NailaoLocker. This campaign targeted 🇪🇺 organizations during S2 2024 and is tied to Chinese TA 🇨🇳. /🧵

Daniel Lunghi (@thehellu):

Orange Cyberdefense saw the same threat and named the ransomware "NailaoLocker". orangecyberdefense.com/global/blog/ce…. They share interesting thoughts on the motivations of the ransomware deployment, although they don't have the final answer. We also saw no financial gain for the threat actor


CERT Orange Cyberdefense (@certcyberdef):

🧵/ Over the last months, our CyberSOC & CERT teams have been tracking a malicious cluster leveraging #WsgiDAV servers to distribute commodity #RATs, including in Europe🇪🇺. ⛓️Multistage infection chain: LNK>VBS>BAT>PowerShell>ZIP>Python. We track this activity as Blue Stylthon🧀

CERT Orange Cyberdefense (@certcyberdef):

🆕New version of our #ransomware mapping is out on our GitHub! ➡️github.com/cert-orangecyb… V28 (!) includes latest newcomers and recent ecosystem evolutions.🔍 As always, feedback is welcome! #cti #threatintel #blackbasta #ransomhub #lockbit

CERT Orange Cyberdefense (@certcyberdef):

🔎In recent campaigns, TAs create new #GitHub repositories populated with an AI-generated README and filled with fake backdated commits. We also observed similar distributions via inactive repositories typically forked with a new release containing #SmartLoader ultimately added.

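The fake backdated commits mentioned in the post above are something a practitioner can check for before trusting a repository. The following is an added example, not code from CERT Orange Cyberdefense or from the post: a Python heuristic that takes `git log --format='%H|%at|%ct|%an'` output (author and committer Unix timestamps) plus the repository `created_at` value that the GitHub REST API returns for `GET /repos/{owner}/{repo}`, and flags commits authored before the repository existed, commits whose author date sits far behind the committer date, and runs of commits that were all committed within a few minutes while their author dates pretend to span months. The commit data below is constructed for the example; rebases and imports also produce author/committer gaps, so hits are leads rather than verdicts.

```python
"""Heuristic check for fabricated ("backdated") git history.

Input is the output of
    git log --format='%H|%at|%ct|%an' --reverse
(commit hash, author epoch, committer epoch, author name) plus the
repository creation time as reported by the GitHub API (`created_at`).
Attackers who set only GIT_AUTHOR_DATE leave a gap to the committer date;
attackers who set both can still be caught when the dates predate the
repository itself, or when the whole history was committed in one sitting.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Commit:
    sha: str
    author_ts: int     # %at: when the patch was supposedly written
    committer_ts: int  # %ct: when the commit object was actually created
    author: str


def ts(iso: str) -> int:
    """ISO-8601 UTC string (trailing Z) to Unix epoch seconds."""
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp())


def parse_git_log(text: str) -> list[Commit]:
    commits = []
    for line in text.strip().splitlines():
        sha, a, c, name = line.split("|", 3)
        commits.append(Commit(sha, int(a), int(c), name))
    return commits


def find_backdated(commits: list[Commit], repo_created_at: str,
                   max_gap_days: int = 7) -> dict[str, list[str]]:
    """Map sha -> reasons for every commit whose dates look rewritten."""
    created = ts(repo_created_at)
    findings: dict[str, list[str]] = {}
    for c in commits:
        reasons = []
        if c.author_ts < created:
            reasons.append("authored before repository creation")
        gap_days = (c.committer_ts - c.author_ts) // 86400
        if gap_days > max_gap_days:
            reasons.append(f"author date {gap_days} days before commit date")
        if reasons:
            findings[c.sha] = reasons
    return findings


def bulk_generated_history(commits: list[Commit], window_minutes: int = 10,
                           min_authored_span_days: int = 30) -> list[str]:
    """Return the shas of the largest run of commits created within one short
    window whose author dates nevertheless span months; empty list otherwise."""
    by_commit = sorted(commits, key=lambda c: c.committer_ts)
    best: list[Commit] = []
    for i, first in enumerate(by_commit):
        run = [c for c in by_commit[i:]
               if c.committer_ts - first.committer_ts <= window_minutes * 60]
        if len(run) > len(best):
            best = run
    if not best:
        return []
    span = max(c.author_ts for c in best) - min(c.author_ts for c in best)
    return [c.sha for c in best] if span >= min_authored_span_days * 86400 else []


# Constructed sample: three commits "written" over nine months but all committed
# within one minute, a day before the repo was created; one genuine commit after.
REPO_CREATED_AT = "2025-03-01T10:00:00Z"
SAMPLE_LOG = "\n".join([
    f"a1|{ts('2024-06-01T09:00:00Z')}|{ts('2025-03-01T10:05:00Z')}|dev",
    f"b2|{ts('2024-09-15T14:30:00Z')}|{ts('2025-03-01T10:05:30Z')}|dev",
    f"c3|{ts('2025-01-20T11:00:00Z')}|{ts('2025-03-01T10:06:00Z')}|dev",
    f"d4|{ts('2025-03-02T08:00:00Z')}|{ts('2025-03-02T08:00:00Z')}|dev",
])

if __name__ == "__main__":
    commits = parse_git_log(SAMPLE_LOG)
    for sha, reasons in find_backdated(commits, REPO_CREATED_AT).items():
        print(sha, "->", "; ".join(reasons))
    print("bulk-generated run:", bulk_generated_history(commits))
```

Against a real repository, feed it `git log --format='%H|%at|%ct|%an' --reverse` and the `created_at` field from the GitHub API; a clean import of an old project will trip the author/committer gap check but not the creation-date check, which is why the reasons are kept separate.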
CERT Orange Cyberdefense (@certcyberdef):

Today Craft announces an RCE vulnerability affecting Craft CMS, known as #CVE-2025-32432. This vulnerability was reported by Orange Cyberdefense a month ago, after our CSIRT investigated a case where two 0-day vulnerabilities had been exploited. 1/6 sensepost.com/blog/2025/inve…

Mar_Pich (@mar_pich):

🆕 Just released a blogpost on a #Sorillus RAT campaign our CERT Orange Cyberdefense observed in March. Likely 🇧🇷 threat actors, use of numerous tunneling services like ngrok[.]app, ngrok[.]dev, ngrok[.]pro, localto[.]net, ply[.]gg, campaign still active… ➡️ orangecyberdefense.com/global/blog/ce…

CERT Orange Cyberdefense (@certcyberdef):

🧀🎣Since early September 2025, the Orange Cyberdefense CSIRT and CyberSOC teams have detected phishing campaigns impersonating Meta, AppSheet and PayPal, leading to malware delivery. Our team tracks this activity under the alias "Metappenzeller" #CTI #ThreatIntel #Metappenzeller

CERT Orange Cyberdefense (@certcyberdef):

🔎Our CERT is releasing a new technical report on 🇰🇵Operation #DreamJob, focusing on recent evolution in its tooling. Following an IR engagement at a large manufacturing client based in 🇪🇺, we investigated artefacts we attribute to #UNC2970. ➡️Full blog: ow.ly/V4mr50Xug1l

Seongsu Park (@unpacker):

These guys published a great report on Operation DreamJob by the DPRK threat actor, and I can relate to how hard it is to build that malware relationship table. Kudos to the team!

CERT Orange Cyberdefense (@certcyberdef):

Last week, our International CyberSOC team detected a wave of #phishing emails sent to several customers in Germany🇩🇪. Designed for Microsoft 365 credential harvesting, the campaign relies on #bubbleapps subdomains spoofing company names.
