Padawan (@johnk3r)'s Twitter Profile
Padawan

@johnk3r

Threat Hunter

ID: 3032765321

12-02-2015 14:02:33

615 Tweets

1.1K Followers

235 Following

Padawan (@johnk3r):

Massive abuse observed in the last 24 hours:

 - Phishing subject lines: "payment", "payslip", "compensation" and "bonus"
 - Emails with a PDF containing a QR code (AiTM)
 - AiTM behavior: 185.168.208[.55 185.168.208[.59 + Axios (user-agent)
Padawan (@johnk3r):

I’m investigating the ongoing SharePoint compromises tied to #CVE-2025-53770 (#ToolShell). It’s crazy — I've observed a major tech company compromised. #ThreatHunting #CyberSecurity #SharePoint #ToolShell

Padawan (@johnk3r):

#BTMOB
🧠 Written in .NET
🛡️ Protected with NetShield Protector
🧩 211 overlays

"Android Remote Administration, Control/Monitor/Manage your mobile anytime,anywhere"

pastebin.com/vKPVLnPX

Merl (@Merlax_)
Padawan (@johnk3r):

Massive campaign observed in the last few hours, mainly in Brazil and Portugal.

Delivery: blog.plustopmainstream\.digital

CompanyID: 8991103952796224279

GoTo (@GoTo)

bazaar.abuse.ch/sample/95c8330…
Padawan (@johnk3r):

🚨 In recent weeks, new variants have emerged using both NFC relay + PIN phishing. When APDU 80A8 is detected, the malware displays a fake WebView (phishing) to capture the PIN and exfiltrates it via WebSocket.

Padawan (@johnk3r):

WebSocket was used for exfiltration in earlier samples. In this one, EMV card data is sent over MQTT.

Direct use of pushMessageToMqtt() after NFC tag discovery confirms this behavior

#CardSecurity
Padawan (@johnk3r):

Lastly, even though the samples differ in their C2 channels (#WebSocket and #MQTT), both use the same #phishing kit within a WebView to steal the victim’s card PIN.

#Fraud #CardSecurity #EMV #APK #NFC
Cyb3rjerry (@cyb3rjerry):

Savoir-faire Linux Padawan Malware Utkonos Invoke RE A new version (0.5.16) was just deployed and it still contains a malicious payload (the same as in 0.5.15). I feel like their sessions are still active despite the password rotation

Savoir-faire Linux (@sflinux):

Tony/Humpty Padawan Malware Utkonos Invoke RE I found a weird token in our pypi account, probably the attacker had created it. I removed the token and deleted the malicious version again (0.5.16). I also created new backup TOTP codes for MFA. Will keep an eye on it but hopefully they won't be able to reupload the malware.

Invoke RE (@invokereversing):

The num2words Python PyPI packages v0.5.15 and v0.5.16 were compromised this morning and used to distribute the Scavenger malware. A detailed write up can be found here: invokere.com/posts/2025/07/… big thanks to Padawan for raising this and Tony/Humpty for his assistance.

Merl (@merlax_):

#Opendir 🇧🇷
Related to Padawan (@johnk3r)'s investigation
Exposes:
- Credentials - user+pass (encrypted)
- Sites
- Headers / Session tokens
+ 12000 JSONs
+ 1800 txt

Dee (@ViriBack)
Panels:
hxxps://servidor2025.com/control/admin2/
hxxps://servidor2025.com/gpt.php
SafeDep (@safedepio):

A widely-used Python library, num2words (with over 80 million downloads), was recently the target of a serious supply chain attack.

Security researcher Padawan (@johnk3r) identified and disclosed the threat on July 28, 2025, and PyPI swiftly removed the affected versions.

What’s notable:
zak.eth (@0xzak):

I've been in crypto for over 10 years and I’ve never been hacked. Perfect OpSec record. Yesterday, my wallet was drained by a malicious Cursor extension for the first time. If it can happen to me, it can happen to you. Here’s a full breakdown. 🧵👇

Padawan (@johnk3r):

Last observed IoC linked to Brazil-focused Android NFC malware:

Domain: brazil-nfc8886-com
IP: 43.157.171.245
Package: kqxedi.jpjxke.dxzuzy

bazaar.abuse.ch/sample/21c66fe…

Mikhail Kasimov (@500mk500)