This is a long time coming. 🇷🇺APT44: Unearthing Sandworm: services.google.com/fh/files/misc/…

Splunk researchers look into the tactics, techniques and procedures employed by APT29 in a recent campaign. The attack chain begins with a spear-phishing email leading to the delivery of the WINELOADER backdoor. splunk.com/en_us/blog/sec…

Upon typing your Windows password in Notepad:

Some #Kapeka #APT samples are uploaded abuse.ch
bazaar.abuse.ch/browse/tag/Kap…

On March 25, the FBI released an indictment of APT31 hackers. We read it carefully to find new intel, and managed to connect a few dots (including about the RAWDOOR malware family).

Full article and IOCs: harfanglab.io/en/insidethela…

NEW: 578 people hacked with #Pegasus under previous government, confirms 🇵🇱 #Poland Attorney General Adam Bodnar.

This commendable transparency is an #EU first.

Follows on heels of recent notifications by PL gov to victims.

Source (translated):
wiadomosci.wp.pl/bodnar-podal-d…

New piece on TA427 (overlaps with Emerald Sleet, APT43, the K-word) 🇰🇵🇰🇵

Lots of benign email conversations to gather strategic information from NGOs, think tanks, and academics in the DPRK research space 📧📮

DMARC, typosquats, and solicitation oh my!

proofpoint.com/us/blog/threat…

We found a critical vulnerability in #PuTTY SSH client with NIST P-521 keys, that allows private key recovery from only 60 signatures, CVE-2024-31497! If you use #Putty or #Filezilla with ECDSA P-521, upgrade now and generate a new key! Joint work with Fabian Bäumer, details ⬇️

We analyzed a massive attack by #cybercrime group #TA558 that used several #malware such as #AgentTesla , #Remcos etc. In attacks, the threat actor actively used #steganography technique
A detailed analysis of the campaign can be found here:
ptsecurity.com/ww-en/analytic…

#Hungarian #DPD #phishing
URL(https): /ict.enu.mybluehost.me/hu/hu/myDPD/home/paket.php
whitehoodie Phish.Stats 🐟

#Hungarian MBH Bank #phishing
URL(https): /mail.atelierhabita.com/cache/a/h/f/b/WNJgkOL/-web/mhbhomepage/mkb/signin.php
whitehoodie Phish.Stats 🐟

🚨 #UPSTYLE #python #Backdoor uncovered on the #Paloalto #FW devices.

🔥MD5: 0c1554888ce9ed0da1583dbdf7b31651
VT1/60
It downloads it's own payload here⬇️

systempth = '/usr/lib/python3.6/site-packages/system.pth'

🔥CVE-2024-3400

#TransparentTribe #APT36

#Base64 -zipped #CrimsonRAT
7bb8f92770816f488f3a8f6fe25e71a7
303b75553c5df52af087b5b084d50f98

All details.xlam
f436aa95838a92b560f4cd1e1c321fe7

Imp message from dgms.xlam
afb24ec01881b91c220fec8bb2f53291

204.44.124.134
9149, 15597, 18518, 26791, 28329

It seems #Gamaredon #APT is using CVE-2023-3881 to attack Ukraine. This sample was submitted to VT from Poland.
d8ccaef116cada9c558f9e912d5cf7ef2978082611e677f6f55ca233f47a2f68

Possible #MuddyWater #MSI sample with a well known signature and low detection rates. Uploaded from #Hungary
Sample: bazaar.abuse.ch/sample/a351667…
Mikhail Kasimov Simon Kenin any idea?

Another #Latrodectus #Loader from #Hungary
C2(https):
/winarkamaps.com/live/
/stratimasesstr.com/live/
Sample: bazaar.abuse.ch/sample/fc21a12…

Malwarebytes' Jérôme Segura describes an ongoing Nitrogen campaign delivered via malicious Google ads for PuTTY & FileZilla. Nitrogen is usually used to gain initial access to private networks, followed by data theft & ransomware deployment. malwarebytes.com/blog/threat-in…

#iOS #samples are uploaded to bazaar.abuse.ch/browse/tag/Lig… abuse.ch Germán Fernández

cool finding Fox_threatintel ! Also reGeorg reverse proxy #tunnel .

🤨Cisco Talos Intelligence Group found similar one in #China ops. In a tunnel they have 165.154.227,192 which was related to #apt41 .. interesting to investigate 🧐🧐🧐

Michael Koczwara Kimberly Arda Büyükkaya Jazi

Day 100 of #100DaysofYARA ! Matching FIN13’s MAILSLOT backdoor, which uses email as a C2 channel.

cyberpoking.com/2024/04/09/100…