Gage (@circuitous__)'s Twitter Profile
Gage

@circuitous__

Threat Analyst

ID: 1032259826120884225

Joined: 22-08-2018 13:34:55

237 Tweets

831 Followers

265 Following

Gage (@circuitous__)

Looks like some potential #LazarusGroup? Seems to fit their crypto interests and the same #Azure lure prev-used

Rapid Change of Stablecoin (Protected).docx
9be0075b9344590b3cabf61c194db180
secure.azureword[.]com/k6q3afrxddx/yoibgjjd7e/evuethwpcj/cn65qhpls2/

@t0001100000 Jazi (@h2jazi)
Gage (@circuitous__)

Looks like more potential #LazarusGroup? More #Azure and remote template but the domain 404s

Z Venture Capital Presentation(Protected).docx
98e30453bbf1c9c9f48368f9bbe69edd

word.azureword[.]com
104.168.162.167

@t0001100000 Jazi (@h2jazi) ςεяβεяμs - мαℓωαяε яεsεαяςнεя (@c3rb3ru5d3d53c) Shadow Chaser Group (@ShadowChasing1)
Will (@bushidotoken)

☣ #Groooboor (?) #malware distributed via maldocs using template injection (CVE-2017-0199), reportedly associated w/ #Gamaredon #APT 🧐

IOCs
otx.alienvault.com/pulse/615cb8c1…
Tara 👽 (@tarag0uld)

🧨Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server Anomali (@Anomali)
Source code: gist.github.com/tgould0/

anomali.com/blog/inside-te…
Gage (@circuitous__)

#spymax #Android RAT with interesting #Pakistan-themed name. Anyone else have anything on this?

/apks/Constitution_of_Pakistan_1973_v1.2.apk
6b7aaaacd33b8da0c8cb4a43d60259a0
37.221.115.62
💥 𝕭𝖑4𝖈𝖐𝖍0𝖑3𝖟 👾 (@bl4ckh0l3z) MalwareHunterTeam (@malwrhunterteam) ςεяβεяμs - мαℓωαяε яεsεαяςнεя (@c3rb3ru5d3d53c) @t0001100000
Lukas Stefanko (@lukasstefanko)

Gage (@circuitous__) 💥 𝕭𝖑4𝖈𝖐𝖍0𝖑3𝖟 👾 (@bl4ckh0l3z) MalwareHunterTeam (@malwrhunterteam) ςεяβεяμs - мαℓωαяε яεsεαяςнεя (@c3rb3ru5d3d53c) @t0001100000 ᴘᴀʀᴛʜɪ (@cyber__sloth) Tommy M (TheAnalyst) (@ffforward) JAMESWT_MHT (@JAMESWT_MHT) Arkbird (@Arkbird_SOLG) Yury Polozov (@cyberyp) It appears to be the recently discovered Snow Leopard group that monitors Pakistani users via SpyMax and AndroSpy RATs

Based on the C&C, there have been more APKs with a Pakistan name uploaded on VT this year

Source of distribution is still a 3rd-party app store
xinbs.net/a/xwdt/xydt/96…
Gage (@circuitous__)

More potential #evlinum or just crimeware? Basic template and remote domain. It's similar to IOCs in DBAPPSecurity's report: ti.dbappsecurity.com.cn/blog/articles/…

Documents.docx
e726520b3ad875b516df6c3d25476444
http://wazalpne[.]com/
xml
54bcaa83d71232b1b4fa4aa47a41b3fa

@t0001100000 Jazi (@h2jazi)
Anomali (@anomali)

Rishikesh Bhide, Manager of Cyber Intelligence Engineering at Anomali (@Anomali), will be presenting 'Wireshark Forensics Toolkit' at #BlackHatEurope #Arsenal tomorrow.

Date: Wednesday, November 10, 2021
Time: 10:00 AM to 11:00 AM GMT (virtual)
Track: Data Forensics/Incident Response
ᴘᴀʀᴛʜɪ (@cyber__sloth)

#sidecopy aka #TransparentTribe #apt targeting #india using PDF lures. There are more PDF files and tar files that are part of the campaign.
C2: email-gov-in[.]digital, mailnic[.]info
IP: 162.213.255[.]21
Files: https://email-gov-in[.]digital/email.gov.in/docs/SOP-For-Range-Allotment.tar
Gage (@circuitous__)

#primitivebear #Gamaredon #maldoc using their standard template injection / remote template

Аллах велик.rtf
9a67af06bf2f48631d0551af3bdeaf66
surname192.temp.swtest[.]ru

XML
6f134f11ff456a8458319171ba8cd16a

Mikhail Kasimov (@500mk500) Jazi (@h2jazi) @t0001100000
ᴘᴀʀᴛʜɪ (@cyber__sloth)

Possibly a #china based APT is testing their payload against Indonesia with a COVID-related lure.
Arkbird (@Arkbird_SOLG) markus neis (@markus_neis)
Hashes:
e6765333768bfd66b15b7cf91d25be09
abab41222abe98f35da3581d15618bde
d1d08866b0cc889d29336c4639fa8d9c
260c9d3ff5377a25eca55e9138503ea5
MhicRoibin (@mhicroibin)

Interesting wee file we found back in March, turned out to be one part of a bigger modular malware framework. This is what we know so far. I hope someone out there has the other pieces of the jigsaw puzzle. 🤔 Have a wee gander hai! #malware #Linux intezer.com/blog/research/…

Digital_Monet (@artaggi)

I am beyond excited to drop new research today with my coauthor The Banshee Queen👑 on TA423/RedLadon (aka Leviathan). It’s rare for Threat Insight to partner with others but Sveva and PwC Global Threat Intelligence Team are among the rarest talents. 1/3🧵 proofpoint.com/us/blog/threat…

Tommy M (TheAnalyst) (@ffforward)

#qbot #qakbot #quakbot is back after the traditional summer break. Right now it seems to be dropped by #Smokeloader (according to "DAS-Security Orcas" sandbox, I have no clue who they are) probably from fake installers. Botnet snow01.
tria.ge/220908-lzag5ae…
Tommy M (TheAnalyst) (@ffforward)

Nice change in spamming from #TA577 (aka TR aka BB) #QBot #Qakbot today 🔥
They now have the name of the spoofed company from the stolen email thread in both the display name and URL. Guess this will make some regex-based rules on URLs break.