#  @blackorbird blackorbird blackorbird posts on X about apt, microsoft, ai, javascript the most. They currently have [------] followers and [---] posts still getting attention that total [------] engagements in the last [--] hours. ### Engagements: [------] [#](/creator/twitter::704115137116942336/interactions)  ### Mentions: [--] [#](/creator/twitter::704115137116942336/posts_active)  ### Followers: [------] [#](/creator/twitter::704115137116942336/followers)  ### CreatorRank: [-------] [#](/creator/twitter::704115137116942336/influencer_rank)  ### Social Influence **Social category influence** [technology brands](/list/technology-brands) [stocks](/list/stocks) [countries](/list/countries) [social networks](/list/social-networks) [finance](/list/finance) [cryptocurrencies](/list/cryptocurrencies) [travel destinations](/list/travel-destinations) [exchanges](/list/exchanges) [ncaa football](/list/ncaa-football) [gaming](/list/gaming) **Social topic influence** [apt](/topic/apt), [microsoft](/topic/microsoft), [ai](/topic/ai), [javascript](/topic/javascript), [telegram](/topic/telegram), [code](/topic/code) #1956, [cyber](/topic/cyber), [linkedin](/topic/linkedin), [llm](/topic/llm), [cryptocurrency](/topic/cryptocurrency) **Top accounts mentioned or mentioned by** [@ssl](/creator/undefined) [@darkfox844](/creator/undefined) [@joey38379joey](/creator/undefined) [@ukdanielcard](/creator/undefined) [@knownsec404teamunveilingthepastandpresentofaptk47weaponasyncshell5a98f75c2d68](/creator/undefined) [@meeswicky1100dprkunc3782d66329e5c071](/creator/undefined) [@errortheultimateosintguideessentialtoolsforphonenumberinvestigationbe1924ddf578](/creator/undefined) [@gi7w0rm](/creator/undefined) **Top assets mentioned** [Microsoft Corp. (MSFT)](/topic/microsoft) [CyberConnect (CYBER)](/topic/cyber) [Alphabet Inc Class A (GOOGL)](/topic/$googl) [Crowdstrike Holdings Inc (CRWD)](/topic/crowdstrike) [Cloudflare, Inc. 
(NET)](/topic/cloudflare) [FilesCoins Power Cu (FILECOIN)](/topic/files) [Ethereum (ETH)](/topic/ethereum) ### Top Social Posts Top posts by engagements in the last [--] hours "#kimsuky #APT water hole attack name Operation "Low Kick" use CVE-2018-8174 to attack this code kimsuky use many time From the time of the golden dragon operation https://blog.alyac.co.kr/2209 https://blog.alyac.co.kr/2209" [X Link](https://x.com/blackorbird/status/1108558010140389376) 2019-03-21T02:36Z 31K followers, [--] engagements "An Malicious resume Download from #Uzbekistan Institute websitehacked hxxp://instmech.uz/meryem.php which name CV-Meryem-EN.doc and the girl come from #Tajikistan. Not sure #APTBut these two countries have had conflicts. url: hxxp://46.166.176.242/main.php" [X Link](https://x.com/blackorbird/status/1156778469960769536) 2019-08-01T04:07Z 30.9K followers, [--] engagements "New APT Group: Golden Eagle (#APT-C-34) attacks revealed #Kazakhstan #HackingTeam backdoor On the organization's C&C server they found a large number of folders . huawei_security_wireless.scr TeamViewer HijackerRMS HijackerHarpoon ()backdoor https://translate.google.com/translatehl=&sl=zh-CN&tl=en&u=http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html https://translate.google.com/translatehl=&sl=zh-CN&tl=en&u=http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html" [X Link](https://x.com/blackorbird/status/1197783167073050626) 2019-11-22T07:45Z 32K followers, [---] engagements "GALLIUM: Targeting global telecom Please note the red square Maybe this is a different target https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" [X Link](https://x.com/blackorbird/status/1205773659639443457) 2019-12-14T08:56Z 30.9K followers, [--] engagements "Coinminer #Kinsing botnet use #SaltStack vul CVE-2020-11651/11652 attack. 
ioc a28ded80d7ab5c69d6ccde4602eef861 8ec3385e20d6d9a88bc95831783beaeb 217.12.210.192/salt-store 217.12.210.192/sa.sh 206.189.92.32/tmp/v 206.189.92.32/tmp/salt-store vul detail: https://labs.f-secure.com/advisories/saltstack-authorization-bypass https://labs.f-secure.com/advisories/saltstack-authorization-bypass" [X Link](https://x.com/blackorbird/status/1256944563668672513) 2020-05-03T13:51Z 31K followers, [--] engagements "CVE-2020-16898 Windows TCP/IP Remote Code Execution Vulnerability Vulnerability Details: Update: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/" [X Link](https://x.com/blackorbird/status/1316217774125924352) 2020-10-14T03:22Z 31K followers, [---] engagements "Operation Earth Kitsune: A watering hole campaign. "New exploits for the vulnerabilities CVE-2016-0189 CVE-2019-1458 CVE-2020-0674 and CVE-2019-5782 chained with another Chrome bug that does not have an associated CVE." pdf: https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf https://www.trendmicro.com/vinfo/hk-en/security/news/cyber-attacks/operation-earth-kitsune-tracking-slub-s-current-operations https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf" [X Link](https://x.com/blackorbird/status/1318440713986531330) 2020-10-20T06:35Z 30.9K followers, [--] engagements "Two exploit servers delivering different exploit chains via watering hole attacks. 
CVE-2020-6418/CVE-2020-0938/CVE-2020-1020/CVE-2020-1027 learned a lot https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html" [X Link](https://x.com/blackorbird/status/1349372372831244288) 2021-01-13T15:06Z 31K followers, [--] engagements "A Cyber operation against Russia 1.Use Sberbank of Russia for a bait. 2.Use information about famous Russian athletes to obfuscate. 3.Stop attacking when the victim is in Ukraine. ref: translate: https://translate.google.com/translatehl=&sl=zh-CN&tl=en&u=https%3A%2F%2Fmp.weixin.qq.com%2Fs%2F6CEhZ9K71zcslg40rYHaqg&sandbox=1 https://mp.weixin.qq.com/s/6CEhZ9K71zcslg40rYHaqg https://translate.google.com/translatehl=&sl=zh-CN&tl=en&u=https%3A%2F%2Fmp.weixin.qq.com%2Fs%2F6CEhZ9K71zcslg40rYHaqg&sandbox=1 https://mp.weixin.qq.com/s/6CEhZ9K71zcslg40rYHaqg" [X Link](https://x.com/blackorbird/status/1382581410406359041) 2021-04-15T06:27Z 35.5K followers, [--] engagements "Top CVEs/Malware most used by #APT Groups since 2020" [X Link](https://x.com/blackorbird/status/1578221253231771648) 2022-10-07T03:10Z 30.9K followers, [---] engagements "Analysis of APT-C-60 Attack on South Korea https://www.linkedin.com/pulse/analysis-apt-c-60-attack-south-korea-threatbook/ https://www.linkedin.com/pulse/analysis-apt-c-60-attack-south-korea-threatbook/" [X Link](https://x.com/blackorbird/status/1598585180251631617) 2022-12-02T07:49Z 30.9K followers, [--] engagements "VT Intelligence Cheat Sheet https://github.com/blackorbird/APT_REPORT/blob/master/APT-hunting/VTI_Cheatsheet.pdf https://blog.virustotal.com/2022/12/vt-intelligence-cheat-sheet.html https://github.com/blackorbird/APT_REPORT/blob/master/APT-hunting/VTI_Cheatsheet.pdf https://blog.virustotal.com/2022/12/vt-intelligence-cheat-sheet.html" [X Link](https://x.com/blackorbird/status/1605117172237316098) 2022-12-20T08:25Z 30.9K followers, 23.8K engagements "2022 FortiGuard Outbreak Alerts Annual 
Report pdf https://github.com/blackorbird/APT_REPORT/blob/master/summary/2023/2022%20FortiGuard%20Outbreak%20Alerts%20Annual%20Report.pdf https://www.fortinet.com/blog/threat-research/fortiguard-outbreak-alerts-2022-annual-report https://github.com/blackorbird/APT_REPORT/blob/master/summary/2023/2022%20FortiGuard%20Outbreak%20Alerts%20Annual%20Report.pdf https://www.fortinet.com/blog/threat-research/fortiguard-outbreak-alerts-2022-annual-report" [X Link](https://x.com/blackorbird/status/1619257155768688641) 2023-01-28T08:52Z 31K followers, [----] engagements "CVE-2023-37450 Available for: iOS 16.5.1 and iPadOS 16.5.1 Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited" [X Link](https://x.com/blackorbird/status/1678591189904416773) 2023-07-11T02:26Z 26.8K followers, [----] engagements "Rockwell Automation : Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules #APT https://dragos.com/blog/mitigating-cves-impacting-rockwell-automation-controllogix-firmware/ https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01 https://dragos.com/blog/mitigating-cves-impacting-rockwell-automation-controllogix-firmware/ https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01" [X Link](https://x.com/blackorbird/status/1679762682432614400) 2023-07-14T08:00Z 29.7K followers, [----] engagements "Phishing emails making use of the "search-ms" URI protocol handler to download malicious payload. ClickOnce APT Group also use these technology. 
script window.location.href = 'search-ms:query=Review&crumb=location: domain@SSL DavwwwRoot&displayname=Search; /script https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html" [X Link](https://x.com/blackorbird/status/1684505999301029888) 2023-07-27T10:08Z 32.8K followers, 104.9K engagements "APT29 used Zulip servers(toyy.zulipchat.com) to establish a C2 connection and to blend with legitimate web traffic. DLL Sideloading: Msoev.exe + Mso.dll & AppVIsvSubsystems64.dll" [X Link](https://x.com/blackorbird/status/1690972505975177216) 2023-08-14T06:23Z 26.8K followers, 21.6K engagements "Lazarus Group Launches First Open Source Supply Chain Attacks Targeting Crypto Sector. They would invite the target to collaborate on a GitHub repository containing malicious npm package dependencies which would then be used to compromise the victim. NPM Packages ref: malware ref:" [X Link](https://x.com/blackorbird/status/1691345881310928896) 2023-08-15T07:07Z 26.8K followers, 52.2K engagements "SandWorm group's latest Operation Android malware + Tor + Mirai +dropbear = Anonymous attack exploit chain https://github.com/blackorbird/APT_REPORT/blob/master/Sandworm/SBU%20exposes%20russian%20intelligence%20attempts%20to%20penetrate%20Armed%20Forces'%20planning%20operations%20system.pdf https://github.com/blackorbird/APT_REPORT/blob/master/Sandworm/SBU%20exposes%20russian%20intelligence%20attempts%20to%20penetrate%20Armed%20Forces'%20planning%20operations%20system.pdf" [X Link](https://x.com/blackorbird/status/1691741483475644504) 2023-08-16T09:19Z 32.4K followers, 20.9K engagements "APT #Donot Group New Attack Techniques. The decoy file is disguised as a PDF named "draft". Upon opening a prompt box appears urging the user to install a plug-in. 
After clicking download the browser opens a specific URL. The attacker's server detects the platform type. If it's not Android an error page is returned. For Android it downloads malware. IOC: Old fake andorid package: com.tencent.mobileqq *.flashnotederby.xyz *.sharelives.xyz ref:" [X Link](https://x.com/blackorbird/status/1692366590631948716) 2023-08-18T02:43Z 26.8K followers, [----] engagements "VMConnect supply chain attack continues #Lazarus malicious PyPI: tablediter request-plus and requestspro C2: packages-api.test tableditermanaging.pro" [X Link](https://x.com/blackorbird/status/1697855979784946039) 2023-09-02T06:16Z 26.8K followers, 10.9K engagements "#APT28 used "Microsoft Edge" as a bootloader TOR and mockbin.org/website.hook services as a control center. Any requests sent to mockbin.org/website.hook URL will be logged instantly for testing webhooks and HTTP requests" [X Link](https://x.com/blackorbird/status/1699363146778268025) 2023-09-06T10:05Z 26.8K followers, 63.6K engagements "APT Group #Confucius Android Malware SunBird's C2 Server" [X Link](https://x.com/blackorbird/status/1701087996106391705) 2023-09-11T04:19Z 26.8K followers, [---] engagements "New Chrome 0day CVE-2023-4863 I saw the person who submitted the vulnerability and wondered if it was related to Pegasus" [X Link](https://x.com/blackorbird/status/1701785666005430395) 2023-09-13T02:31Z 26.8K followers, 24.8K engagements "Charming Kitten exploited CVE-2021-26855 in Microsoft Exchange servers" [X Link](https://x.com/blackorbird/status/1702208942938742942) 2023-09-14T06:33Z 26.8K followers, [----] engagements "North Korean hackers exploits WinRAR vulnerability (CVE-2023-38831) to attack the digital currency industry. 
wallet_Screenshot_2023_09_06_Qbao_Network.zip report: https://paper.seebug.org/3032/ https://www.virustotal.com/gui/file/40d1ebcca7ed35da9776383abca3e7ec6b70aec53c739aef773cdb90726f46c0 https://paper.seebug.org/3032/ https://www.virustotal.com/gui/file/40d1ebcca7ed35da9776383abca3e7ec6b70aec53c739aef773cdb90726f46c0" [X Link](https://x.com/blackorbird/status/1702574818909102491) 2023-09-15T06:47Z 29.4K followers, 51.4K engagements "Transparent Tribe Group distributes Android apps outside of the Google Play Store relying on self-run websites and social engineering to entice users to install a weaponized application. I found that I can watch videos very smoothly Maybe use it as a relay video streaming proxy" [X Link](https://x.com/blackorbird/status/1703956134506426550) 2023-09-19T02:16Z 26.8K followers, [----] engagements "NEW IOS Exploit chain: WebKit browser engine (CVE-2023-41993) and the Security framework (CVE-2023-41991) + APIs and support for kernel extensions and kernel-resident device drivers. CVE-2023-41992) Ref:" [X Link](https://x.com/blackorbird/status/1705133717885440226) 2023-09-22T08:15Z 26.8K followers, 20.9K engagements "When victim visited certain websites not using HTTPS a device installed at the border of network automatically redirected to a malicious website to infect phone with Cytroxs Predator spyware. Great analysis help to find unknown mobile phone spyware" [X Link](https://x.com/blackorbird/status/1705372877875446006) 2023-09-23T00:05Z 26.8K followers, [----] engagements "CVE-2023-38545 curl vul detail blog: hackerone report: socks: return error if hostname too long for remote resolve Prior to this change the state machine attempted to change the remote resolve to a local resolve if the hostname was longer than [---] characters. Unfortunately that did not work as intended and caused a security issue. 
Difficult to exploit" [X Link](https://x.com/blackorbird/status/1712022004935881125) 2023-10-11T08:27Z 26.8K followers, [----] engagements "#Lazarus CVE-2023-26369 Exploit: Adobe Acrobat PDF Reader RCE when processing TTF fonts ref: https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/ https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2023/CVE-2023-26369.html https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/ https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2023/CVE-2023-26369.html" [X Link](https://x.com/blackorbird/status/1714483299765354777) 2023-10-18T03:27Z 29.3K followers, 30.4K engagements "Active exploitation of Cisco IOS XE Software(CVE-2023-20198) Web Management User Interface vulnerability True Attack activity: Implant code - Lua 5.149.249.74 154.53.56.231 https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/ https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/" [X Link](https://x.com/blackorbird/status/1714567595398164552) 2023-10-18T09:02Z 29.4K followers, [----] engagements "CVE-2023-38831 user Collection" [X Link](https://x.com/blackorbird/status/1715306743260127698) 2023-10-20T09:59Z 25.9K followers, [----] engagements "How to catch a wild triangle Decrypt the C2 server communications" [X Link](https://x.com/blackorbird/status/1717748197626712508) 2023-10-27T03:40Z 25.3K followers, [----] engagements "Lazarus infect blockchain engineers with novel macOS malware" [X Link](https://x.com/blackorbird/status/1719647119693541639) 2023-11-01T09:26Z 25.5K followers, 18.2K engagements "Operation Covert Stalker: Kimsuky hacked a system with an RDP (CVE-2019-0708) vulnerability and sent email. 
English version pdf: ref: https://asec.ahnlab.com/ko/58231/ https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/20231101_Kimsuky_OP.-Covert-Stalker-EN.pdf https://asec.ahnlab.com/ko/58231/ https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/20231101_Kimsuky_OP.-Covert-Stalker-EN.pdf" [X Link](https://x.com/blackorbird/status/1721449399526810072) 2023-11-06T08:48Z 29.3K followers, 13K engagements "#Sandworm have breached Danish energy sector companies. Very nice timeline analysis.#DigitalForensics CVE-2023-28771 + CVE-2023-33009 + CVE-2023-33010" [X Link](https://x.com/blackorbird/status/1724699004016234686) 2023-11-15T08:01Z 26.2K followers, 18.2K engagements "APT29 attacks Embassies using CVE-2023-38831 https://github.com/blackorbird/APT_REPORT/blob/master/APT29/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf https://github.com/blackorbird/APT_REPORT/blob/master/APT29/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf" [X Link](https://x.com/blackorbird/status/1724704171759378438) 2023-11-15T08:21Z 30.7K followers, [----] engagements "Exploring the landscape of blockchain security and I'm intrigued by some concerns around Solana's security. It's a reminder for all of us in the Web3 world to stay vigilant. 
Maybe APT Group that specializes in attacking blockchain will pay more attention to this technology" [X Link](https://x.com/blackorbird/status/1724783057901887896) 2023-11-15T13:35Z 25.9K followers, [----] engagements "Supply Chain Poisoning of 7ZIP on the Microsoft App Store #APT" [X Link](https://x.com/blackorbird/status/1734543126738637133) 2023-12-12T11:58Z 26.2K followers, 12K engagements "NKN + BotNet Attack Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol PS:NKN is a new kind of peer to peer network connectivity protocol and ecosystem powered by a novel public blockchain" [X Link](https://x.com/blackorbird/status/1737395810663534952) 2023-12-20T08:53Z 26.2K followers, [----] engagements "#Lazarus Fake GitHub Operation Their level of activity on Github is truly impressive. https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/ https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/" [X Link](https://x.com/blackorbird/status/1738026685688434745) 2023-12-22T02:40Z 32.4K followers, [----] engagements "Operation Triangulation: The last (hardware) mystery The mystery and the CVE-2023-38606 vulnerability/Technical details" [X Link](https://x.com/anyuser/status/1740186952434086201) 2023-12-28T01:44Z [--] followers, 11.6K engagements "APT37/Group123 + LNKHWPHWPXXLSXDOCX CVE-2022-41128 https://github.com/blackorbird/APT_REPORT/blob/master/group123/20231229_threat_inteligence_report_market.pdf https://github.com/blackorbird/APT_REPORT/blob/master/group123/20231229_threat_inteligence_report_market.pdf" [X Link](https://x.com/blackorbird/status/1740581993757417697) 2023-12-29T03:54Z 29.4K followers, 13.8K engagements "APT Group Seaturtle Update #ThreatHunting [--]. [--]. 
#TealKurma malware 'SnappyTCP' https://t.co/eeancH3cGK APT Group Ref(4 yrs later): https://t.co/wot41ceeYr https://t.co/FHfZtLJZOx #TealKurma malware 'SnappyTCP' https://t.co/eeancH3cGK APT Group Ref(4 yrs later): https://t.co/wot41ceeYr https://t.co/FHfZtLJZOx" [X Link](https://x.com/blackorbird/status/1745350344052462070) 2024-01-11T07:42Z 26.8K followers, [----] engagements "Clearing the Fog of War A Critical Analysis of Recent Energy Sector Attacks in Denmark and Ukraine" [X Link](https://x.com/blackorbird/status/1746737206952395034) 2024-01-15T03:32Z 26.8K followers, [----] engagements "Bigpanzi Exposed: The Hidden Cyber Threat Behind Your Set-Top Box [------] daily active bots predominantly in Brazil" [X Link](https://x.com/anyuser/status/1747818713703956600) 2024-01-18T03:10Z [--] followers, [----] engagements "#APT29 + Teamcity https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793 https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793" [X Link](https://x.com/blackorbird/status/1749656832166318099) 2024-01-23T04:54Z 30K followers, [----] engagements "2023 APT RESEARCH REPORT A new APT Group also appeared in this report called APT-C-57 ref:" [X Link](https://x.com/blackorbird/status/1752245302931902911) 2024-01-30T08:20Z 26.8K followers, 18.7K engagements "2023 APT Report" [X Link](https://x.com/blackorbird/status/1753285585543082418) 2024-02-02T05:13Z 26.9K followers, [----] engagements "APT Group #VajraEleph Update But the network infrastructure has been replaced. APT Group #VajraEleph Android spyware attack. Target FC/SSG/FC BLN/FIA/Police. https://t.co/xGZk9nbwSq https://t.co/7d2nbGKmnn https://t.co/S8v1fV0Lsz APT Group #VajraEleph Android spyware attack. Target FC/SSG/FC BLN/FIA/Police. 
https://t.co/xGZk9nbwSq https://t.co/7d2nbGKmnn https://t.co/S8v1fV0Lsz" [X Link](https://x.com/blackorbird/status/1754041974620107100) 2024-02-04T07:19Z 26.9K followers, [----] engagements "APT Group Winter Vivern 's C2 signature" [X Link](https://x.com/blackorbird/status/1759845271725568426) 2024-02-20T07:39Z 27.1K followers, 11.2K engagements "#Turla C2 server Reverse SOCKS proxy connection to the C2 using the configuration: R:5000:socks" [X Link](https://x.com/blackorbird/status/1761953153896120414) 2024-02-26T03:15Z 27.3K followers, 14.7K engagements "#Lazarus exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools.CVE-2024-21338 Beyond BYOVD with an Admin-to-Kernel Zero-Day" [X Link](https://x.com/blackorbird/status/1763112467654414386) 2024-02-29T08:02Z 27.6K followers, 112.9K engagements "#Kimsuky CVE-2024-1709 + CVE-2024-1708 ConnectWise ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant" [X Link](https://x.com/blackorbird/status/1765195442835382433) 2024-03-06T01:59Z 27.6K followers, 11.5K engagements "#Kimsuky dropbox+lnk" [X Link](https://x.com/blackorbird/status/1770655590454538704) 2024-03-21T03:36Z 27.6K followers, [----] engagements "According to the updated time zone It may be a national APT Group. The author of the 'xz' backdoor commit history and activity shows that they kept office hours mostly. Mon-Fri every other Saturday I would imagine some of these would correlate with public holidays as this was clearly not a hobbyist. https://t.co/AlXZYbtQ8v https://t.co/FUNvgKhVsr The author of the 'xz' backdoor commit history and activity shows that they kept office hours mostly. Mon-Fri every other Saturday I would imagine some of these would correlate with public holidays as this was clearly not a hobbyist." 
[X Link](https://x.com/blackorbird/status/1774256002348757307) 2024-03-31T02:02Z 27.8K followers, [----] engagements "https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and According to the updated time zone It may be a national APT Group. https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and According to the updated time zone It may be a national APT Group" [X Link](https://x.com/blackorbird/status/1774681605619232778) 2024-04-01T06:14Z 29.4K followers, [----] engagements "APT #Sidewinder C2: NGINX response is fingerprint-able https://blog.strikeready.com/blog/rattling-the-cage-of-a-sidewinder/ https://blog.strikeready.com/blog/rattling-the-cage-of-a-sidewinder/" [X Link](https://x.com/blackorbird/status/1776157773702578366) 2024-04-05T07:59Z 27.8K followers, [----] engagements "XZ backdoor story Initial analysis https://securelist.com/xz-backdoor-story-part-1/112354/ https://securelist.com/xz-backdoor-story-part-1/112354/" [X Link](https://x.com/blackorbird/status/1778803598673260747) 2024-04-12T15:13Z 28K followers, [----] engagements "Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) 172.233.228.93 https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/" [X Link](https://x.com/blackorbird/status/1778996658845724854) 2024-04-13T04:00Z 29.4K followers, 52.7K engagements "Analyzing APT28 custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials (Windows Print Spooler Elevation of Privilege Vulnerability) https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ 
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/" [X Link](https://x.com/blackorbird/status/1782675488194117799) 2024-04-23T07:38Z 29.4K followers, [----] engagements "UAT4356/STORM-1849 🦾 CVE-2024-20353 + CVE-2024-20359 https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/ https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/" [X Link](https://x.com/blackorbird/status/1783332175401853070) 2024-04-25T03:08Z 29.3K followers, [----] engagements "@Dark_fox_844 http://translate.google.com http://translate.google.com" [X Link](https://x.com/blackorbird/status/1787736606570590304) 2024-05-07T06:49Z 28.3K followers, [--] engagements "TunnelVision - CVE-2024-3661 - Decloaking Full and Split Tunnel VPNs https://www.youtube.com/watchv=ajsLmZia6UU https://www.youtube.com/watchv=ajsLmZia6UU" [X Link](https://x.com/blackorbird/status/1788399685671227617) 2024-05-09T02:44Z 28.4K followers, [----] engagements "Analysing a NSO iOS Spyware Sample(#blastpass) CVE-2023-41064 + CVE-2023-41061 + WebP Vulnerability CVE-2023-4863 REF: https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/ https://github.com/blackorbird/APT_REPORT/blob/master/NSOGroup/Asia-24-Frielingsdorf-YouShallNotPassAnalysing.pdf https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/ https://github.com/blackorbird/APT_REPORT/blob/master/NSOGroup/Asia-24-Frielingsdorf-YouShallNotPassAnalysing.pdf" [X Link](https://x.com/blackorbird/status/1788751202509021443) 2024-05-10T02:01Z 29.7K followers, [----] engagements "Tracking APT SideWinder Domains By Combining Regex Patterns Whois Records and Domain Registrars 
https://www.embeeresearch.io/advanced-guide-to-infrastructure-analysis-tracking-apt-sidewinder-domains/ https://www.embeeresearch.io/advanced-guide-to-infrastructure-analysis-tracking-apt-sidewinder-domains/" [X Link](https://x.com/blackorbird/status/1793904198456938958) 2024-05-24T07:17Z 28.6K followers, [----] engagements "Microsoft has identified a new North Korean threat actor now tracked as Moonstone Sleet (formerly Storm-1789) #Lazarus https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/ #Lazarus + Social engineering + Github https://t.co/i8hB0EfNrr https://t.co/1ARS3UqlY5 https://t.co/uYQVzOaDNy https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/ #Lazarus + Social engineering + Github https://t.co/i8hB0EfNrr https://t.co/1ARS3UqlY5" [X Link](https://x.com/blackorbird/status/1795639225083379821) 2024-05-29T02:12Z 28.7K followers, 15.9K engagements "Kiteshield Packer is Being Abused by Linux Cyber Threat Actors https://blog.xlab.qianxin.com/kiteshield_packer_is_being_abused_by_linux_cyber_threat_actors/ https://blog.xlab.qianxin.com/kiteshield_packer_is_being_abused_by_linux_cyber_threat_actors/" [X Link](https://x.com/blackorbird/status/1795641965251563766) 2024-05-29T02:23Z 28.7K followers, [----] engagements "The Threat actor group used two publicly available exploits (CVE-2018-4233 CVE-2018-4404) to deliver implants for macOS. Part of the CVE-2018-4404 exploit is likely borrowed from Metasploit framework. macOS version [--] was targeted using those exploits. 
ref: https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos https://www.threatfabric.com/blogs/lightspy-implant-for-macos https://www.threatfabric.com/blogs/lightspy-implant-for-macos https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos https://www.threatfabric.com/blogs/lightspy-implant-for-macos" [X Link](https://x.com/blackorbird/status/1796402694795760118) 2024-05-31T04:45Z 28.7K followers, [----] engagements "Defend against APT attacks" [X Link](https://x.com/blackorbird/status/1797111442904404258) 2024-06-02T03:42Z 28.7K followers, [----] engagements "Decade-Long Espionage Targeting the Global Research and Education Sector #APT https://ti.qianxin.com/blog/articles/Operation-Veles-Decade-Long-Espionage-Targeting-the-Global-Research-and-Education-Sector-EN/ https://ti.qianxin.com/blog/articles/Operation-Veles-Decade-Long-Espionage-Targeting-the-Global-Research-and-Education-Sector-EN/" [X Link](https://x.com/blackorbird/status/1797929887292092661) 2024-06-04T09:54Z 28.8K followers, 11.3K engagements "Analysis of Kimsuky APT attack using HWP & MSC malware https://www.genians.co.kr/blog/threat_intelligence/interview https://www.genians.co.kr/blog/threat_intelligence/interview" [X Link](https://x.com/blackorbird/status/1798295880900165733) 2024-06-05T10:08Z 29.4K followers, 12.1K engagements "1.Cyber Threats Facing the [----] #Paris #Olympics [--]. 
How Russia is trying to disrupt the [----] Paris Olympic Games 3.Multifaceted Threats to the Paris Olympics https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/Hurdling%20Over%20Hazards-%20Multifaceted%20Threats%20to%20the%20Paris%20Olympics.pdf https://blogs.microsoft.com/on-the-issues/2024/06/02/russia-cyber-bots-disinformation-2024-paris-olympics/ https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics" [X Link](https://x.com/blackorbird/status/1799028317452194229) 2024-06-07T10:39Z 29.4K followers, [----] engagements "CVE-2024-4577 - PHP CGI Argument Injection Vulnerability https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/ https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/ https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/ https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/" [X Link](https://x.com/blackorbird/status/1799034507288629365) 2024-06-07T11:03Z 29.3K followers, [----] engagements "A threat campaign(unc5537) targeting Snowflake customer database https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion" [X Link](https://x.com/blackorbird/status/1800804972097105984) 2024-06-12T08:18Z 28.8K followers, [----] engagements "Apple visionOS App Local Privilege Escalation CVE-2024-27801 PoC https://github.com/wangtielei/POCs/blob/main/CVE-2024-27801/POC.m https://github.com/wangtielei/POCs/blob/main/CVE-2024-27801/POC.m" [X Link](https://x.com/blackorbird/status/1801475851957190782) 2024-06-14T04:44Z 28.8K followers, [----] engagements "Attack case targeting HFS (HTTP File Server) servers ( CVE-2024-23692) https://asec.ahnlab.com/ko/67509/ https://asec.ahnlab.com/ko/67509/" [X Link](https://x.com/blackorbird/status/1808440608174088503) 
2024-07-03T10:00Z 29.4K followers, [----] engagements

"Sea Turtle APT Group Analysis https://cyberthint.io/sea-turtle-apt-group-analysis/" [X Link](https://x.com/blackorbird/status/1810579379149488180) 2024-07-09T07:38Z 29.2K followers, 13.3K engagements

"Insights into spammers' evasion techniques in HTML Smuggling + Attackers starting to use spear phishing tactics in bulk phishing campaigns = I forgot my email password https://securelist.com/spear-phishing-meets-mass/113125/ https://blog.talosintelligence.com/hidden-between-the-tags-insights-into-evasion-techniques-in-html-smuggling/" [X Link](https://x.com/blackorbird/status/1812749858832629938) 2024-07-15T07:23Z 33.4K followers, [----] engagements

"APT Group Void Banshee + Microsoft 0day CVE-2024-38112 ioc: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/g/cve-2024-38112-void-banshee-targets-windows-users-through-zombie-internet-explorer-in-zero-day-attacks/IOCs-CVE-2024-38112.txt https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/" [X Link](https://x.com/blackorbird/status/1813506977919848720) 2024-07-17T09:32Z 29.7K followers, 18K engagements

"APT Social Engineering: Fake IT Worker Tried to Infiltrate https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us" [X Link](https://x.com/blackorbird/status/1816009265456505177) 2024-07-24T07:15Z 29.4K followers, [----] engagements

"#APT #sidewinder C2 server utilizes an old Tor node
https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea" [X Link](https://x.com/blackorbird/status/1817831755497562535) 2024-07-29T07:57Z 29.7K followers, [----] engagements

"Threat Actor Groups Tracked by Palo Alto Networks Unit [--] Constellation Features ✨✨ https://unit42.paloaltonetworks.com/threat-actor-groups-tracked-by-palo-alto-networks-unit-42/" [X Link](https://x.com/blackorbird/status/1820352092026114309) 2024-08-05T06:52Z 29.6K followers, [----] engagements

"2024 Threat Hunting Report from CrowdStrike https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/crowdstrike-2024-threat-hunting-report.pdf" [X Link](https://x.com/blackorbird/status/1821108127703691658) 2024-08-07T08:56Z 29.8K followers, 59.3K engagements

"APT Group #Kimsuky Targets University Researchers 1qaz2wsx#EDC$RFV Nice Save: https://github.com/arceo-labs/iocs/tree/main/APT/Kimsuky https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/ #Kimsuky Green Dinosaur Lover" [X Link](https://x.com/blackorbird/status/1821727971432133080) 2024-08-09T01:59Z 30.9K followers, [----] engagements

"Cybersecurity Threats [----] Mid-Year Report #APT APT-Q-X & UTG-Q-X https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/Cybersecurity%20Threats%202024%20Mid-Year%20Report.pdf
" [X Link](https://x.com/blackorbird/status/1825457825717588304) 2024-08-19T09:00Z 30.9K followers, [----] engagements

"#APT Group: Mysterious Elephant ref: https://securelist.com/apt-trends-report-q2-2024/113275/ https://strikeready.com/blog/open-sesame/" [X Link](https://x.com/blackorbird/status/1825465647889035352) 2024-08-19T09:31Z 30.9K followers, [----] engagements

"#Lazarus APT group used CVE-2024-38193 (0day in the wild) https://www.gendigital.com/blog/news/innovation/protecting-windows-users" [X Link](https://x.com/blackorbird/status/1826124185888034979) 2024-08-21T05:08Z 30.9K followers, 10.6K engagements

"MSC file distribution exploiting Amazon services https://asec.ahnlab.com/ko/82554/" [X Link](https://x.com/blackorbird/status/1826499745193623574) 2024-08-22T06:00Z 30.9K followers, [----] engagements

"Approach to mainframe penetration testing on z/OS https://securelist.com/zos-mainframe-pentesting/113427/" [X Link](https://x.com/blackorbird/status/1826515346268061908) 2024-08-22T07:02Z 30.9K followers, [----] engagements

"Jailbreaking a Cisco Switch Appliance using a 0-Day NX-OS CLI Exploit (CVE-2024-20399) https://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/" [X Link](https://x.com/blackorbird/status/1826869784723816666) 2024-08-23T06:31Z 31K followers, [----] engagements

"Versa Director servers vulnerability exploited in the wild CVE-2024-39717 https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/
" [X Link](https://x.com/blackorbird/status/1828618730823471353) 2024-08-28T02:20Z 30.9K followers, [----] engagements

"This is a honeypot https://securelist.com/hz-rat-attacks-wechat-and-dingtalk/113513/" [X Link](https://x.com/blackorbird/status/1828700235448930507) 2024-08-28T07:44Z 30.9K followers, [----] engagements

"0day vulnerability techniques and tactics used by APT-Q-12 disclosed https://ti.qianxin.com/blog/articles/operation-deviltiger-0day-vulnerability-techniques-and-tactics-used-by-apt-q-12-disclosed-en/" [X Link](https://x.com/blackorbird/status/1828700754489827825) 2024-08-28T07:46Z 30.9K followers, 17.9K engagements

"Analysis of two arbitrary code execution vulnerabilities affecting WPS Office CVE-2024-7262 & CVE-2024-7263. ESET said that APT-C-60 is a South Korea-aligned cyberespionage group.
https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/ 0day vulnerability techniques and tactics used by APT-Q-12 disclosed" [X Link](https://x.com/blackorbird/status/1829048937443143986) 2024-08-29T06:50Z 30.9K followers, [----] engagements

"North Korean threat actor exploiting a zero-day vulnerability in Chromium CVE-2024-7971 https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/" [X Link](https://x.com/blackorbird/status/1829695919635513513) 2024-08-31T01:41Z 30.9K followers, [----] engagements

"Breaking down CVE-2024-38063: remote exploitation of the Windows kernel https://bi-zone.medium.com/breaking-down-cve-2024-38063-remote-exploitation-of-the-windows-kernel-bdae36f5f61d" [X Link](https://x.com/blackorbird/status/1831228434238013473) 2024-09-04T07:10Z 30.9K followers, 10.1K engagements

"WhisperGate Group Cyber arsenal https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a" [X Link](https://x.com/blackorbird/status/1831894696115011601) 2024-09-06T03:18Z 30.9K followers, [----] engagements

"#Predator Spyware Infrastructure Update https://github.com/blackorbird/APT_REPORT/blob/master/Intellexa/Predator%20Files/Predator%20Spyware%20Infrastructure%20Returns%20Following%20Exposure%20and%20Sanctions.pdf
https://www.recordedfuture.com/research/predator-spyware-infrastructure-returns-following-exposure-sanctions Predator spyware IOCs update more more" [X Link](https://x.com/blackorbird/status/1831978635743690840) 2024-09-06T08:51Z 30.9K followers, 11.1K engagements

"#Lazarus malicious javascript code https://www.group-ib.com/blog/apt-lazarus-python-scripts/" [X Link](https://x.com/blackorbird/status/1831985502544945590) 2024-09-06T09:19Z 30.9K followers, [----] engagements

"I really hope Microsoft can find a way to solve .msc malware. Recently such malware has appeared every day" [X Link](https://x.com/blackorbird/status/1833206180157788530) 2024-09-09T18:09Z 30.9K followers, [----] engagements

"Palo Alto summary of the naming methods of DPRK APT Groups: Alluring Pisces (Bluenoroff), Gleaming Pisces (Citrine Sleet), Jumpy Pisces (Andariel), Selective Pisces (TEMP.Hermit), Slow Pisces (TraderTraitor), Sparkling Pisces (Kimsuky) https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/" [X Link](https://x.com/blackorbird/status/1833674091456557315) 2024-09-11T01:09Z 30.9K followers, [----] engagements

"Coordination amongst Russian intelligence agencies and related APTs ref: https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Russia/Disjointed_Cyber_Warfare_Internal_Conflicts_among_.pdf" [X Link](https://x.com/blackorbird/status/1835575643716640933) 2024-09-16T07:05Z 30.9K followers, 16.1K engagements

"#Lazarus Operation
Dream Job Update BAE_Vice President of Business Development.pdf (modified open source code of an older SumatraPDF version) RookeryCapital_PythonTest.zip https://www.elastic.co/security-labs/dprk-code-of-conduct https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader/" [X Link](https://x.com/blackorbird/status/1836379549820686366) 2024-09-18T12:19Z 30.9K followers, [----] engagements

"Summary of Iranian threat actors https://www.trellix.com/blogs/research/the-iranian-cyber-capability/" [X Link](https://x.com/blackorbird/status/1838076936440193185) 2024-09-23T04:44Z 31K followers, [----] engagements

"UAC-xxxx CYBER OPERATIONS https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Russia/Cyber%20operations%20by%20russia%20new%20goals%2C%20tools%20and%20groups.pdf" [X Link](https://x.com/blackorbird/status/1838843325161578756) 2024-09-25T07:29Z 31K followers, [----] engagements

"The CUPS POC analysis CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177 https://www.elastic.co/security-labs/cups-overflow" [X Link](https://x.com/blackorbird/status/1840237736802037957) 2024-09-29T03:50Z 31K followers, [----] engagements

"LOLESXi features a comprehensive list of binaries/scripts natively available in VMware ESXi that adversaries have utilised in their operations.
https://lolesxi-project.github.io/LOLESXi/" [X Link](https://x.com/blackorbird/status/1841692983487496328) 2024-10-03T04:13Z 31K followers, [----] engagements

"IllusiveFog is an implant kit for Microsoft Windows based networks for long term stealthy access and recon. https://github.com/ChaitanyaHaritash/IllusiveFog" [X Link](https://x.com/blackorbird/status/1841693964484972934) 2024-10-03T04:17Z 31K followers, [----] engagements

"Global Threat Report [----] https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/elastic-global-threat-report-2024.pdf" [X Link](https://x.com/blackorbird/status/1842095747766026386) 2024-10-04T06:53Z 31K followers, [----] engagements

"Malware download and use of the Wazuh SIEM agent for remote access and telemetry harvesting. "remote_commands" option ref: https://github.com/wazuh/wazuh https://securelist.com/miner-campaign-misuses-open-source-siem-agent/114022/" [X Link](https://x.com/blackorbird/status/1843215658416570618) 2024-10-07T09:03Z 30.6K followers, 16.3K engagements

"#GoldenJackal Collecting files from USB drives, spreading payloads in the network via USB drives, exfiltrating files and using some PCs in the network as servers to deliver diverse files to other systems.
https://www.welivesecurity.com/en/eset-research/mind-air-gap-goldenjackal-gooses-government-guardrails/" [X Link](https://x.com/blackorbird/status/1843847848301068773) 2024-10-09T02:55Z 30.7K followers, [----] engagements

"IOCs of #APT-C-60 Update 103.187.26.174 103.187.26.176 203.174.87.18 This group has been active since [----] and is currently known to target countries such as China, Korea, Japan, Singapore and other Asian countries. #cti https://threatbook.io/ip/103.187.26.174utm_medium=X-bob-1010" [X Link](https://x.com/blackorbird/status/1843929280415490335) 2024-10-09T08:19Z 30.7K followers, [----] engagements

"Software back-end and services for checking the existence of Tor hidden services and retrieving their associated metadata. onion-lookup relies on an AIL instance to obtain the metadata. https://github.com/ail-project/onion-lookup https://onion.ail-project.org/" [X Link](https://x.com/blackorbird/status/1843939351430115554) 2024-10-09T08:59Z 30.7K followers, [----] engagements

"#Lazarus Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/" [X Link](https://x.com/blackorbird/status/1844647461098492226) 2024-10-11T07:53Z 30.7K followers, [----] engagements

"#bitter releases a new special malware: MiyaRat samsnewlooker.com 185.106.123.198:40269 https://mp-weixin-qq-com.translate.goog/s/eseliIVHqiWI-Q1CoCA81g_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en https://mp.weixin.qq.com/s/eseliIVHqiWI-Q1CoCA81g
" [X Link](https://x.com/blackorbird/status/1845000997665755151) 2024-10-12T07:18Z 30.7K followers, [----] engagements

"Asian APT group used this Firefox 0day vulnerability for nearly half a year for watering hole attacks CVE-2024-9680 https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/" [X Link](https://x.com/blackorbird/status/1845010164879065443) 2024-10-12T07:54Z 30.8K followers, 12.3K engagements

"@Joey38379Joey Ask ChatGPT" [X Link](https://x.com/blackorbird/status/1845033082451263860) 2024-10-12T09:25Z 30.6K followers, [--] engagements

"An adversary who had gained access to the customer's network by exploiting CVE-2024-8190 and two previously unknown vulnerabilities affecting the PHP front end of the Ivanti CSA appliance. This top-level domain appears again😂 https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa" [X Link](https://x.com/blackorbird/status/1845816449891483974) 2024-10-14T13:18Z 30.8K followers, [----] engagements

"APT34 exploits ngrok to bypass firewalls and network security controls for malicious purposes, and also recently added CVE-2024-30088 to their toolset.
ref: https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html" [X Link](https://x.com/blackorbird/status/1845820313285861517) 2024-10-14T13:33Z 30.8K followers, [----] engagements

"Analytical report: Whispers from the Dark Web Cave. Cyber threats to the Middle East. A bit like Cthulhu https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/whispers-from-darkweb.pdf" [X Link](https://x.com/blackorbird/status/1846129652890247527) 2024-10-15T10:03Z 30.7K followers, [----] engagements

"The malicious macro code includes a password verification step before executing its core functionality, with the password likely being provided through an email to bypass detection by dynamic analysis tools like sandboxes. APT Group #Donot office-updatecentral.com regionserverbackup.info https://mp.weixin.qq.com/s/qCcuU0E6d84tdQ1r2dCsjA" [X Link](https://x.com/blackorbird/status/1846209289322443074) 2024-10-15T15:19Z 30.8K followers, [----] engagements

"Microsoft Digital Defense Report [----] https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/Microsoft%20Digital%20Defense%20Report%202024.pdf" [X Link](https://x.com/blackorbird/status/1846212664370123082) 2024-10-15T15:32Z 30.8K followers, [----] engagements

"The evolution and expansion of the #SideWinder APT group. Domains hunt ref: https://x.com/blackorbird/status/1793904198456938958
https://securelist.com/sidewinder-apt/114089/ Tracking APT SideWinder Domains By Combining Regex Patterns, Whois Records and Domain Registrars" [X Link](https://x.com/blackorbird/status/1846386997168062888) 2024-10-16T03:05Z 30.7K followers, [----] engagements

"#Group123, after infiltrating an advertising company's server, deployed a backdoor using the IE 0day exploit CVE-2024-38178 within ad scripts. This strategy enables a zero-click attack, as the ads are served executing the malicious code without any user interaction. sample: pdf: ref: https://asec.ahnlab.com/ko/83876/ https://github.com/blackorbird/APT_REPORT/blob/master/group123/(%E1%84%8C%E1%85%A5%E1%86%AB%E1%84%8E%E1%85%A6%E1%84%87%E1%85%A9%E1%86%AB)%E1%84%80%E1%85%A9%E1%86%BC%E1%84%80%E1%85%A2%E1%84%87%E1%85%A9%E1%84%80%E1%85%A9%E1%84%89%E1%85%A5-OperationCodeonToast.pdf" [X Link](https://x.com/blackorbird/status/1846483524070891839) 2024-10-16T09:29Z 30.9K followers, 19.4K engagements

"Mysterious Elephant group uses CHM files to attack multiple countries in South Asia. Disguised as a legitimate network service, the access request (hxxp://easyiplookup.com:5080/main/get_ip_data) parses data from the remote server's response content. https://mp.weixin.qq.com/s/tkOMIHY36TujPKjWKVa6kA" [X Link](https://x.com/blackorbird/status/1846487125249970293) 2024-10-16T09:43Z 30.8K followers, [----] engagements

"#APT #Patchwork IOC kirdycorp.com #CTI ref: Patchwork conducts prolonged cyber espionage in South Asian sectors, targeting government, health and research. The IOCs expanded from this domain name are as follows, shown in Figure [--].
microsftonline-sharpoint.stjets.com anglerrscovey.com nationalsecuritysolutions.com.co 79.132.130.231 https://threatbook.io/domain/kirdycorp.com" [X Link](https://x.com/blackorbird/status/1846741250076213514) 2024-10-17T02:33Z 35.6K followers, [----] engagements

"CVE-2024-38178 Exploit Analysis #APT37 Exploit domain: mini.gomlab.com js.ad4989.co.kr ref:" [X Link](https://x.com/blackorbird/status/1846828667718234555) 2024-10-17T08:20Z 30.7K followers, [--] engagements

"#Lazarus npm phishing iocs ref: https://www.esentire.com/blog/bored-beavertail-yacht-club-a-lazarus-lure https://github.com/eSentire/iocs/blob/main/Lazarus/lazarus_iocs_10-15-2024.txt #Lazarus python malware: InvisibleFerret 95.164.7.171 95.164.17.24" [X Link](https://x.com/blackorbird/status/1848563899064586701) 2024-10-22T03:15Z 30.8K followers, [----] engagements

"#Patchwork BADNEWS IOCs Update jiansmst.info md5:28702b03ea2d38f7a9654b3334536a9f C2 pretends to be a marketplace for domain names. The associated IOCs zscaller.live & dagros.live were disguised as the security company Zscaler and the dagros domain.
#CTI ref: https://threatbook.io/domain/jiansmst.info Dan.com" [X Link](https://x.com/blackorbird/status/1848658633179205742) 2024-10-22T09:32Z 35.6K followers, [----] engagements

"Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575" [X Link](https://x.com/blackorbird/status/1849362042777735523) 2024-10-24T08:07Z 35.6K followers, 14.8K engagements

"#Lazarus #BlueNoroff A comprehensive analysis of the Chrome Remote Code Execution Vulnerability CVE-2024-4947. More importantly, the game can be played ref: https://x.com/blackorbird/status/1795639225083379821 https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/ Microsoft has identified a new North Korean threat actor now tracked as Moonstone Sleet (formerly Storm-1789) #Lazarus" [X Link](https://x.com/blackorbird/status/1849368696218853660) 2024-10-24T08:33Z 35.6K followers, 11.9K engagements

"@UK_Daniel_Card only c2 cloudydaysradar.site cloudydaysreports.site cloudydaystracker.site cloudydaysupdates.site cloudydaysalerts.site cloudydaysforecast.site" [X Link](https://x.com/blackorbird/status/1849370937558245881) 2024-10-24T08:42Z 35.6K followers, [---] engagements

"The #Lazarus Group is actively posting fake cryptocurrency job offers and research projects across platforms like LinkedIn, X and GitHub to target individuals. It's been six months and the website Hirog.io remains online.
Report & IOCs: https://threatbook.io/blog/id/1093" [X Link](https://x.com/blackorbird/status/1849452033515946335) 2024-10-24T14:05Z 35.6K followers, [----] engagements

"#APT29 RDP phishing domains were abused which impersonated AWS https://cert.gov.ua/article/6281076" [X Link](https://x.com/blackorbird/status/1849713901807518125) 2024-10-25T07:25Z 35.6K followers, 29.5K engagements

"#bitter searchconnector-ms malware IOCs ref: https://mp.weixin.qq.com/s/kkl0jh14M9DtDGtSGQ4gag https://www.virustotal.com/gui/file/742f7dc4cbf71f24d7292e3f6ddabe049c3474641c42f5b6841cc15c4ccb3956/content" [X Link](https://x.com/blackorbird/status/1850060334079610936) 2024-10-26T06:22Z 35.6K followers, [----] engagements

"UNC5812 Fake website employs unconventional social engineering to preempt user suspicions about APK delivery outside the App Store and to justify the extensive permissions needed for CRAXSRAT installation. https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives" [X Link](https://x.com/blackorbird/status/1851104711304495238) 2024-10-29T03:32Z 35.6K followers, [----] engagements

"LightSpy: Implant for iOS ⚠The threat actor expanded support for the iOS platform, targeting up to version [----]. They utilized the publicly available Safari exploit CVE-2020-9802 for initial access and CVE-2020-3837 for privilege escalation.
https://www.threatfabric.com/blogs/lightspy-implant-for-ios" [X Link](https://x.com/blackorbird/status/1851468113071821031) 2024-10-30T03:36Z 35.6K followers, 17.2K engagements

"#muddywater MuddyRot/BugSleep c2 server ref: https://blog.talosintelligence.com/writing-a-bugsleep-c2-server/ https://github.com/Cisco-Talos/IOCs/tree/main/2024/10/server" [X Link](https://x.com/blackorbird/status/1852256490490597499) 2024-11-01T07:48Z 31K followers, [----] engagements

"Analysis of Cyber Recon Activities Behind #APT37 Threat Actor https://www.genians.co.kr/blog/threat_intelligence/apt37_recon" [X Link](https://x.com/blackorbird/status/1853276989723156843) 2024-11-04T03:24Z 31.1K followers, [----] engagements

"#Lazarus BeaverTail and InvisibleFerret infection chain. High-level relationship between the Contagious Interview and WageMole campaigns.
ioc: https://github.com/ThreatLabz/iocs/tree/main/contagiousinterview https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west #Lazarus npm phishing iocs" [X Link](https://x.com/blackorbird/status/1853724721520775677) 2024-11-05T09:03Z 31.1K followers, [----] engagements

"#bitter C2 Hunting https://mp.weixin.qq.com/s/pvm0QUAMS0U5dIge1ImcCQ" [X Link](https://x.com/blackorbird/status/1853737954226962480) 2024-11-05T09:55Z 31.1K followers, [----] engagements

"#Patchwork Group has now upgraded its C2 infrastructure to prevent cyber surveying, utilizing Cloudflare. The main domain is inaccessible and only subdomains are open for access. However, they still haven't changed the decoy page. https://threatbook.io/domain/gyyun.xyz #PatchWork IOCs Update ragonrise.info sanping.info bovnle.info aquilei.live masatex.info alieanmote.live renovaragora.info novasphere.live parkways.info #CTI" [X Link](https://x.com/blackorbird/status/1853800938739241342) 2024-11-05T14:06Z 31.1K followers, [----] engagements

"#Lazarus created Flutter applications that were considered the first stage payload. Initially six infected applications were identified, with five of them signed using a developer account. Apple had already revoked these signatures.
https://www.jamf.com/blog/jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications/" [X Link](https://x.com/blackorbird/status/1856628771992006700) 2024-11-13T09:22Z 31.6K followers, [----] engagements

"#Lazarus used a disguised page to load a suspicious JavaScript file named "preload.js". https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/ #Lazarus created Flutter applications that were considered the first stage payload. Initially six infected applications were identified, with five of them signed using a developer account. Apple had already revoked these signatures." [X Link](https://x.com/blackorbird/status/1856953421351555261) 2024-11-14T06:52Z 31.2K followers, [----] engagements

"Analysis of the URL File Zero-Day Vulnerability CVE-2024-43451 https://github.com/blackorbird/APT_REPORT/blob/master/Exploit/Zero-day-cve-2024-4351-report.pdf" [X Link](https://x.com/blackorbird/status/1856983846866358586) 2024-11-14T08:53Z 32.1K followers, 19K engagements

"#Patchwork Havoc C2 & Website posing as China People's Daily Online aurorafoss.xyz 91.245.255.99:443 ref: https://threatbook.io/domain/aurorafoss.xyz" [X Link](https://x.com/blackorbird/status/1857061171456782341) 2024-11-14T14:01Z 31.4K followers, [----] engagements

"Firefox Animation CVE-2024-9680 #POC https://dimitrifourny.github.io/2024/11/14/firefox-animation-cve-2024-9680.html Asian APT group used this Firefox 0day vulnerability for nearly half a year for watering hole attacks
CVE-2024-9680" [X Link](https://x.com/blackorbird/status/1857255342717202916) 2024-11-15T02:52Z 32K followers, 22K engagements

"Cybersecurity Forecast [----] Report. The compilation of interesting summary reports for [----] has officially begun. https://github.com/blackorbird/APT_REPORT/blob/master/summary/2025/cybersecurity-forecast-2025.pdf" [X Link](https://x.com/blackorbird/status/1857351387618898281) 2024-11-15T09:14Z 31.2K followers, [----] engagements

"Ngioweb Botnet supplying 80% of NSOCKS proxies (residential proxies). This makes it more difficult to trace back to the hacker group. https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/" [X Link](https://x.com/blackorbird/status/1859064391473524920) 2024-11-20T02:41Z 31.4K followers, [----] engagements

"#APT-Q-41 Targets Pakistan Navy in Cyber Espionage Campaign https://blogs.blackberry.com/en/2024/11/suspected-nation-state-adversary-targets-pakistan-navy-in-cyber-espionage-campaign" [X Link](https://x.com/blackorbird/status/1859161598469836806) 2024-11-20T09:07Z 31.4K followers, [----] engagements

"Analysis of the Recent Incident Involving APT-C-36 (Blind Eagle) Forging Judicial Documents to Distribute the DcRat Backdoor https://mp.weixin.qq.com/s/DDCCjhBjUTa7Ia4Hggsa1A" [X Link](https://x.com/blackorbird/status/1859421237421932899) 2024-11-21T02:19Z 31.4K followers, [----] engagements

"Perfect
Mac mini stand" [X Link](https://x.com/blackorbird/status/1860538423448338739) 2024-11-24T04:18Z 31.6K followers, 151.6K engagements "#APT28 was able to ultimately breach Organization As network by connecting to Organization Bs enterprise Wi-Fi network. Then #APT28 was able to ultimately breach Organization Bs network by connecting to Organization Cs enterprise Wi-Fi network. CVE-2022-38028 https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/ https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/" [X Link](https://x.com/blackorbird/status/1860565826992234721) 2024-11-24T06:07Z 31.5K followers, [----] engagements "#MysteriousElephant weapon Update https://medium.com/@knownsec404team/unveiling-the-past-and-present-of-apt-k-47-weapon-asyncshell-5a98f75c2d68 Mysterious Elephant group uses CHM files to attack multiple countries in South Asia Disguised as a legitimate network service the access request (hxxp://easyiplookup.com:5080/main/get_ip_data) parses data from the remote server's response content. https://t.co/Uql34EEFxW https://t.co/vnMXa3jcwD https://medium.com/@knownsec404team/unveiling-the-past-and-present-of-apt-k-47-weapon-asyncshell-5a98f75c2d68 Mysterious Elephant group uses CHM files to" [X Link](https://x.com/blackorbird/status/1860976012227723557) 2024-11-25T09:17Z 31.5K followers, [----] engagements "The malware contains the following list of [---] hardcoded security process names. It drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda. 
https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/ The installation of external AV products (HRSword.exe) to disable security tools https://t.co/9Dwq2O2Udf https://t.co/Boo8hnT2co https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/ The installation of external AV products (HRSword.exe)" [X Link](https://x.com/blackorbird/status/1861013171919880520) 2024-11-25T11:44Z 31.5K followers, 10.2K engagements "CNC (#APT-C-48) Check process name during anti-debugging and anti-virtual machine phases panbaiclu.com https://mp.weixin.qq.com/s/Xb8bEZMV3FHC1O6lWt-4pg https://mp.weixin.qq.com/s/Xb8bEZMV3FHC1O6lWt-4pg" [X Link](https://x.com/blackorbird/status/1861348202156564993) 2024-11-26T09:56Z 31.6K followers, [----] engagements "#Oceanlotus C2 Infrastructure jieyitongweb.com 5.39.254.159:443 https://threatbook.io/domain/jieyitongweb.com https://threatbook.io/domain/jieyitongweb.com" [X Link](https://x.com/blackorbird/status/1861408316561465675) 2024-11-26T13:55Z 31.5K followers, [----] engagements "RomCom/Storm-0978 exploits Firefox and Windows zero days in the wild Firefox 0day CVE-2024-9680 + Windows privilege escalation 0day CVE202449039 https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/ Firefox Animation CVE-2024-9680 #POC https://t.co/v6QrbVGE6h https://t.co/oDHBJzjUtT https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/ Firefox Animation CVE-2024-9680 #POC https://t.co/v6QrbVGE6h https://t.co/oDHBJzjUtT" [X Link](https://x.com/blackorbird/status/1861433251543556420) 2024-11-26T15:34Z 31.6K followers, [----] engagements "A popular open-source game engine to execute crafted GDScript code which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal. 
https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/ https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/" [X Link](https://x.com/blackorbird/status/1862163290136473869) 2024-11-28T15:55Z 31.4K followers, [----] engagements "Censeye is designed to help researchers identify hosts with characteristics similar to a given target. #threathunting https://github.com/Censys-Research/censeye https://github.com/Censys-Research/censeye" [X Link](https://x.com/blackorbird/status/1862506397713539268) 2024-11-29T14:38Z 31.6K followers, [----] engagements "The Russian APT group #Turla has gained access to the Pakistani APT group #Sidecopy + #TransparentTribe (Storm-0156)'s C2 server and used it to attack operators in Afghanistan and Pakistan. [--]. [--]. ioc: https://github.com/blacklotuslabs/IOCs/blob/main/Secret_Blizzard_IoCs.txt https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/ https://blog.lumen.com/snowblind-the-invisible-hand-of-secret-blizzard/ https://github.com/blacklotuslabs/IOCs/blob/main/Secret_Blizzard_IoCs.txt" [X Link](https://x.com/blackorbird/status/1864492456026493118) 2024-12-05T02:10Z 31.7K followers, 12.2K engagements "The legitimate #Solana JavaScript SDK was temporarily compromised in a supply chain attack yesterday. The library was embedded with malicious code that aimed to steal cryptocurrency private keys and drain wallets. 
https://socket.dev/blog/supply-chain-attack-solana-web3-js-library https://socket.dev/blog/supply-chain-attack-solana-web3-js-library" [X Link](https://x.com/blackorbird/status/1864505458645717379) 2024-12-05T03:01Z 31.6K followers, [----] engagements "#Oceanlotus C2 38.54.59.112/extensions/a586bc8a-728c-4d06-8180-befb9e20c408 sample:wininet.dll 1f829550112739aaa293cea3c908b275(LEBANON submitter) https://threatbook.io/ip/38.54.59.112 #Oceanlotus 103.91.67.74:4443 (Malaysia IP) UnTrusted Certificate: Organization:The Visiting Nurse Association of Texas CommonName:atlas.vnatexas.org https://t.co/g3F2RpDFtH https://t.co/hikigW4upE https://threatbook.io/ip/38.54.59.112 #Oceanlotus 103.91.67.74:4443 (Malaysia IP) UnTrusted Certificate: Organization:The Visiting Nurse Association of Texas CommonName:atlas.vnatexas.org https://t.co/g3F2RpDFtH" [X Link](https://x.com/blackorbird/status/1864674465336181035) 2024-12-05T14:13Z 31.6K followers, [----] engagements "#Bitter used new Shellcode Loader (C:UsersDOMSKugelBlitzVSReposDEVShellCode_Loaderx64ReleaseShellCode_Loader.pdb) and the File Collector (X:ResourceVSRepo2Kiwi2.0Kiwix64ReleaseKiwi.pdb). [--] Don't Collect [--]. Don't collect files whose file names begin with "$" [--]. Don't collect files with a file size greater than [--------] bytes [--]. Don't collect files whose last modification time exceeds one year https://mp.weixin.qq.com/s/EudqDzM0RA5q_EbeOIWS8g https://mp.weixin.qq.com/s/EudqDzM0RA5q_EbeOIWS8g" [X Link](https://x.com/blackorbird/status/1866082544934121806) 2024-12-09T11:28Z 31.7K followers, [----] engagements "China's largest IT community CSDN website was hacked and malicious js code was inserted into the article #wateringhole attacks A very innovative fake Google certificate update page. 
Clicking on update will download malware https://mp.weixin.qq.com/s/qQw1DXE25Gkz_P8pEPVaHg https://mp.weixin.qq.com/s/qQw1DXE25Gkz_P8pEPVaHg" [X Link](https://x.com/blackorbird/status/1867125300167151898) 2024-12-12T08:32Z 31.8K followers, [----] engagements "The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least [----]. pdf: https://github.com/blackorbird/APT_REPORT/blob/master/Careto/The-Mask-has-been-unmasked-again.pdf https://securelist.com/careto-is-back/114942/ https://github.com/blackorbird/APT_REPORT/blob/master/Careto/The-Mask-has-been-unmasked-again.pdf https://securelist.com/careto-is-back/114942/" [X Link](https://x.com/blackorbird/status/1867527803404710175) 2024-12-13T11:11Z 31.7K followers, [----] engagements "Android Zero-Day Exploited in Spyware Campaigns. About Cellebrites forensic extraction products and a newly identified spyware dubbed #NoviSpy to infect devices. Awesome Digital Forensics Case Report https://github.com/blackorbird/APT_REPORT/blob/master/Cellebrite/Amnesty-Cellebrite.pdf https://github.com/blackorbird/APT_REPORT/blob/master/Cellebrite/Amnesty-Cellebrite.pdf" [X Link](https://x.com/blackorbird/status/1868839564263256476) 2024-12-17T02:04Z 31.7K followers, [----] engagements "#APT29 Rogue RDP configuration file: From red team tool to targeted attacks iocs: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/l/earth-koshchei/IOClist-EarthKoshchei.txt https://www.trendmicro.com/en_no/research/24/l/earth-koshchei.html #APT29 RDP Phishing domains was abusing which impersonated AWS https://t.co/VqUg73IUrv https://t.co/aVt5eV0Xrf https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/l/earth-koshchei/IOClist-EarthKoshchei.txt https://www.trendmicro.com/en_no/research/24/l/earth-koshchei.html #APT29 RDP Phishing domains was abusing" [X Link](https://x.com/blackorbird/status/1868948019854643666) 2024-12-17T09:15Z 31.7K followers, [----] engagements 
"#Patchwork still uses Let's Encrypt certificates and this time the counterfeit website is The Law Society of Hong Kong. dartshoppe.info 23.227.196.103 bovnle.info 162.216.241.223 aquileia.live 23.254.217.250 queretero.xyz 91.245.255.77 https://threatbook.io/domain/dartshoppe.info #Patchwork created a domain to masquerade as the homepage of Scandinavian Airlines but the domain was actually disguised as a Chinese translation software website. youdoa.info https://t.co/9G4T6lYDq1 https://t.co/79JIbyEK58 https://threatbook.io/domain/dartshoppe.info #Patchwork created a domain to masquerade as the" [X Link](https://x.com/blackorbird/status/1869019971424313688) 2024-12-17T14:01Z 31.7K followers, [----] engagements "#Bitter attack organizations within Turkey's defense sector. https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats" [X Link](https://x.com/blackorbird/status/1869342880789344605) 2024-12-18T11:24Z 31.8K followers, [----] engagements "ESET Threat Report H2 [----] https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/eset-threat-report-h22024.pdf https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/eset-threat-report-h22024.pdf" [X Link](https://x.com/blackorbird/status/1869345516624212203) 2024-12-18T11:34Z 31.8K followers, [----] engagements "Using LLMs to Obfuscate Malicious JavaScript https://unit42.paloaltonetworks.com/using-llms-obfuscate-malicious-javascript/ https://unit42.paloaltonetworks.com/using-llms-obfuscate-malicious-javascript/" [X Link](https://x.com/blackorbird/status/1871350239950757926) 2024-12-24T00:20Z 31.9K followers, 10.1K engagements "Pishing Group "Cloud Atlas" targets Eastern Europe and Central Asia. 
report: ioc: https://1275.ru/ioc/8610/cloud-atlas-apt-iocs-part-2/ https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/ https://1275.ru/ioc/8610/cloud-atlas-apt-iocs-part-2/ https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/" [X Link](https://x.com/blackorbird/status/1871940318087815447) 2024-12-25T15:25Z 35.1K followers, [----] engagements "#Lazarus OtterCookie Malware Update. It already included a built-in functionality to steal keys related to cryptocurrency wallets the checkForSensitiveData function used regular expressions to check for Ethereum private keys. https://jp.security.ntt/tech_blog/contagious-interview-ottercookie https://jp.security.ntt/tech_blog/contagious-interview-ottercookie" [X Link](https://x.com/blackorbird/status/1872495898238079484) 2024-12-27T04:13Z 31.9K followers, [----] engagements "Global elections in 2024: Internet traffic and cyber threat trends https://blog.cloudflare.com/elections-2024-internet/ https://blog.cloudflare.com/elections-2024-internet/" [X Link](https://x.com/blackorbird/status/1872817778782306373) 2024-12-28T01:32Z 31.9K followers, [----] engagements "#Lazarus has embedded IPMsg Installer 5.6.18.0 into malware. 
cryptocopedia.com https://mp.weixin.qq.com/s/XuaMRmZSomKFoaX7XrqpYA https://mp.weixin.qq.com/s/XuaMRmZSomKFoaX7XrqpYA" [X Link](https://x.com/blackorbird/status/1873557502169895382) 2024-12-30T02:31Z 31.9K followers, [----] engagements "Four-Faith Industrial Router CVE-2024-12856 Exploited in the Wild" [X Link](https://x.com/blackorbird/status/1874003988284330151) 2024-12-31T08:05Z 32K followers, [----] engagements "LdapNightmare is a PoC tool that tests a vulnerable Windows Server against CVE-2024-49112 https://github.com/SafeBreach-Labs/CVE-2024-49112 https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49112/ https://github.com/SafeBreach-Labs/CVE-2024-49112 https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49112/" [X Link](https://x.com/blackorbird/status/1874707411002687868) 2025-01-02T06:40Z 32K followers, [----] engagements "#Oceanlotus The primary tactic of the attack is to release open-source security tool projects on GitHub attracting security researchers to download and further distribute them. github.com/0xjiefeng/CVE-2024-35250-BOF ref: https://mp.weixin.qq.com/s/ih36z93y6BazatjeoGjp1A #Oceanlotus C2 38.54.59.112/extensions/a586bc8a-728c-4d06-8180-befb9e20c408 sample:wininet.dll 1f829550112739aaa293cea3c908b275(LEBANON submitter) https://t.co/B3MgeNLNYH https://t.co/rQRQMQX0qB https://mp.weixin.qq.com/s/ih36z93y6BazatjeoGjp1A #Oceanlotus C2 38.54.59.112/extensions/a586bc8a-728c-4d06-8180-befb9e20c408" [X Link](https://x.com/blackorbird/status/1876947963945079162) 2025-01-08T11:04Z 32K followers, 10.7K engagements "#threathunting CF-Hero is a comprehensive reconnaissance tool developed to discover the real IP addresses of web applications protected by Cloudflare. It performs multi-source intelligence gathering through various methods. 
https://github.com/musana/CF-Hero https://github.com/musana/CF-Hero" [X Link](https://x.com/blackorbird/status/1878372871178977468) 2025-01-12T09:26Z 32K followers, [----] engagements "This analysis reveals how the kernel module hijacks the inbound network traffic to the compromised Ivanti system how the user-space malicious file is started and how it communicates with the rootkit module.(About Ivanti CSA 0day follow-up analysis) https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware" [X Link](https://x.com/blackorbird/status/1879077023576203424) 2025-01-14T08:04Z 32.1K followers, [----] engagements "#Lazarus via LinkedIn Operation Operation 99: North Koreas Cyber Assault on Software Developers https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/ https://blogs.jpcert.or.jp/ja/2025/01/initial_attack_vector.html https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/ https://blogs.jpcert.or.jp/ja/2025/01/initial_attack_vector.html" [X Link](https://x.com/blackorbird/status/1880124181892964736) 2025-01-17T05:25Z 32K followers, [----] engagements "#Deepseek 's chat subdomain is under a UDP amplification-based DDoS attack" [X Link](https://x.com/blackorbird/status/1883806725779882375) 2025-01-27T09:18Z 32.1K followers, [----] engagements "#Lazarus Operation Traffic sourced from DPRK IPs masked via VPNs/proxies routed through Oculus nodes (Hasan Russia) to C2; multi-hop architecture ensures full-chain anonymity & evasion. 
https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/ #Lazarus via LinkedIn Operation https://t.co/9wp1LQUvY2 Operation 99: North Koreas Cyber Assault on Software Developers https://t.co/ZnQDjs1nr6 https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/ #Lazarus via LinkedIn Operation" [X Link](https://x.com/blackorbird/status/1885277225483985243) 2025-01-31T10:41Z 32.4K followers, 21K engagements "#APT28 The report details the group's activities from the onset of the Ukraine conflict. Even collaborations with non-state actors(cybercrime groups). https://github.com/blackorbird/APT_REPORT/blob/master/APT28/APT28%20the%20long%20hand%20of%20Russian%20interests.pdf https://github.com/blackorbird/APT_REPORT/blob/master/APT28/APT28%20the%20long%20hand%20of%20Russian%20interests.pdf" [X Link](https://x.com/blackorbird/status/1885535507448484214) 2025-02-01T03:47Z 32.2K followers, [----] engagements "Cybersecurity Threats [----] Annual Report From Qianxin #APT https://github.com/blackorbird/APT_REPORT/blob/master/summary/2025/Cybersecurity%20Threats%202024%20Annual%20Report_QAX.pdf https://github.com/blackorbird/APT_REPORT/blob/master/summary/2025/Cybersecurity%20Threats%202024%20Annual%20Report_QAX.pdf" [X Link](https://x.com/blackorbird/status/1892915241467490401) 2025-02-21T12:32Z 32.4K followers, [----] engagements "The Silver Fox Group has now started targeting the world. 
#cybercrime https://www.forescout.com/blog/healthcare-malware-hunt-part-1-silver-fox-apt-targets-philips-dicom-viewers/ https://www.forescout.com/blog/healthcare-malware-hunt-part-1-silver-fox-apt-targets-philips-dicom-viewers/" [X Link](https://x.com/blackorbird/status/1895076776705237006) 2025-02-27T11:41Z 32.5K followers, [----] engagements "2025 OT Cybersecurity Report A Year in Review https://github.com/blackorbird/APT_REPORT/blob/master/summary/2025/Dragos-2025-OT-Cybersecurity-Report-A-Year-in-Review.pdf https://github.com/blackorbird/APT_REPORT/blob/master/summary/2025/Dragos-2025-OT-Cybersecurity-Report-A-Year-in-Review.pdf" [X Link](https://x.com/blackorbird/status/1895353121720934511) 2025-02-28T05:59Z 32.5K followers, [----] engagements "CrowdStrike Global Threat Report [----] https://github.com/blackorbird/APT_REPORT/blob/master/summary/2025/CrowdStrikeGlobalThreatReport2025.pdf https://github.com/blackorbird/APT_REPORT/blob/master/summary/2025/CrowdStrikeGlobalThreatReport2025.pdf" [X Link](https://x.com/blackorbird/status/1896527856207048858) 2025-03-03T11:47Z 33.2K followers, [----] engagements "In-Depth Technical Analysis of the Bybit Hack #Lazarus https://www.nccgroup.com/us/research-blog/in-depth-technical-analysis-of-the-bybit-hack/ https://www.nccgroup.com/us/research-blog/in-depth-technical-analysis-of-the-bybit-hack/" [X Link](https://x.com/blackorbird/status/1899426076176036276) 2025-03-11T11:44Z 32.8K followers, 18.9K engagements "#APT34 C2 Infrastructure Update mytrustiq.com 95.156.204.168 89.46.233.239 malware:Ravateb.pdf.exe A rare fake alert https://threatbook.io/ip/89.46.233.239 https://threatbook.io/ip/89.46.233.239" [X Link](https://x.com/blackorbird/status/1899462139984925136) 2025-03-11T14:07Z 32.8K followers, [----] engagements "New Android Spyware KoSpy (fileupdate/fileexploer/kakaoupdate/androidmanager) #APT37 & #Kimsuky & #Konni & KoSpy C2 domains are point to shared infrastructure(27.255.79.225). 
https://security.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37 https://security.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37" [X Link](https://x.com/blackorbird/status/1900125959757439084) 2025-03-13T10:05Z 32.8K followers, [----] engagements "#APT34 C2 signatrue: title== good_news_site P2: Unknown C2 control Website 🚨 APT34 update: State-backed OilRig group is recently targeting Iraqi state entities with: ➤ Weaponized docs & backdoors ➤ Hijacked official emails ➤ Fake [---] decoy servers ThreatBooks report breaks down their latest TTPs. Access the full report 👉https://t.co/sR6c6k3P0E 🚨 APT34 update: State-backed OilRig group is recently targeting Iraqi state entities with: ➤ Weaponized docs & backdoors ➤ Hijacked official emails ➤ Fake [---] decoy servers ThreatBooks report breaks down their latest TTPs. Access the full report" [X Link](https://x.com/blackorbird/status/1906679437476942288) 2025-03-31T12:06Z 32.9K followers, [----] engagements "Update⚠More IOCs From Contagious to #ClickFake Interview: #Lazarus leveraging the ClickFix tactic https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/ https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/ Lazarus APT: Techniques for Hunting Contagious Interview Used ClickFix social engineering to trick job seekers into executing malicious code. https://t.co/JmcTS307JG https://t.co/93ZyqKMSZG https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/ https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/ Lazarus APT: Techniques for Hunting Contagious" [X Link](https://x.com/blackorbird/status/1907393815633445261) 2025-04-02T11:24Z 33K followers, [----] engagements "The #Konni group is exploiting unknown WordPress vulnerabilities to gain access and utilizing them for their C2 servers in .lnk/.bat/.msi-AutoIt phishing campaigns. 
Sample: https://C2/wp-admin/js/widgets/hurryup/rv=bear&za=battle1 Picture ref: https://www.genians.co.kr/blog/threat_intelligence/konni_disguise https://threatbook.io/domain/techtorev.com https://threatbook.io/domain/techtorev.com https://www.genians.co.kr/blog/threat_intelligence/konni_disguise https://threatbook.io/domain/techtorev.com https://threatbook.io/domain/techtorev.com" [X Link](https://x.com/blackorbird/status/1907826931271348728) 2025-04-03T16:06Z 33.1K followers, [----] engagements "Deconstructing the Attack: A Deep Dive into RDP Techniques https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remote-desktop-protocol https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remote-desktop-protocol" [X Link](https://x.com/blackorbird/status/1909476057172132309) 2025-04-08T05:19Z 33K followers, [----] engagements "ToddyCat attackers exploited by running their tool in the context of a security solution. (CVE-2024-11859 vulnerability in ESET Command line scanner) https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/ https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/" [X Link](https://x.com/blackorbird/status/1909915495995994370) 2025-04-09T10:25Z 33.1K followers, [----] engagements "#ransomware CVE 2025-29824: A zero-day vulnerability in the Common Log File System (CLFS) https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/ https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/" [X Link](https://x.com/blackorbird/status/1910179368644870346) 2025-04-10T03:53Z 33K followers, [----] engagements Limited data mode. Full metrics available with subscription: lunarcrush.com/pricing
@blackorbird blackorbirdblackorbird posts on X about apt, microsoft, ai, javascript the most. They currently have [------] followers and [---] posts still getting attention that total [------] engagements in the last [--] hours.
Social category influence technology brands stocks countries social networks finance cryptocurrencies travel destinations exchanges ncaa football gaming
Social topic influence apt, microsoft, ai, javascript, telegram, code #1956, cyber, linkedin, llm, cryptocurrency
Top accounts mentioned or mentioned by @ssl @darkfox844 @joey38379joey @ukdanielcard @knownsec404teamunveilingthepastandpresentofaptk47weaponasyncshell5a98f75c2d68 @meeswicky1100dprkunc3782d66329e5c071 @errortheultimateosintguideessentialtoolsforphonenumberinvestigationbe1924ddf578 @gi7w0rm
Top assets mentioned Microsoft Corp. (MSFT) CyberConnect (CYBER) Alphabet Inc Class A (GOOGL) Crowdstrike Holdings Inc (CRWD) Cloudflare, Inc. (NET) FilesCoins Power Cu (FILECOIN) Ethereum (ETH)
Top posts by engagements in the last [--] hours
"#kimsuky #APT water hole attack name Operation "Low Kick" use CVE-2018-8174 to attack this code kimsuky use many time From the time of the golden dragon operation https://blog.alyac.co.kr/2209 https://blog.alyac.co.kr/2209"
X Link 2019-03-21T02:36Z 31K followers, [--] engagements
"An Malicious resume Download from #Uzbekistan Institute websitehacked hxxp://instmech.uz/meryem.php which name CV-Meryem-EN.doc and the girl come from #Tajikistan. Not sure #APTBut these two countries have had conflicts. url: hxxp://46.166.176.242/main.php"
X Link 2019-08-01T04:07Z 30.9K followers, [--] engagements
"New APT Group: Golden Eagle (#APT-C-34) attacks revealed #Kazakhstan #HackingTeam backdoor On the organization's C&C server they found a large number of folders . huawei_security_wireless.scr TeamViewer HijackerRMS HijackerHarpoon ()backdoor https://translate.google.com/translatehl=&sl=zh-CN&tl=en&u=http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html https://translate.google.com/translatehl=&sl=zh-CN&tl=en&u=http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html"
X Link 2019-11-22T07:45Z 32K followers, [---] engagements
"GALLIUM: Targeting global telecom Please note the red square Maybe this is a different target https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/"
X Link 2019-12-14T08:56Z 30.9K followers, [--] engagements
"Coinminer #Kinsing botnet use #SaltStack vul CVE-2020-11651/11652 attack. ioc a28ded80d7ab5c69d6ccde4602eef861 8ec3385e20d6d9a88bc95831783beaeb 217.12.210.192/salt-store 217.12.210.192/sa.sh 206.189.92.32/tmp/v 206.189.92.32/tmp/salt-store vul detail: https://labs.f-secure.com/advisories/saltstack-authorization-bypass https://labs.f-secure.com/advisories/saltstack-authorization-bypass"
X Link 2020-05-03T13:51Z 31K followers, [--] engagements
"CVE-2020-16898 Windows TCP/IP Remote Code Execution Vulnerability Vulnerability Details: Update: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/"
X Link 2020-10-14T03:22Z 31K followers, [---] engagements
"Operation Earth Kitsune: A watering hole campaign. "New exploits for the vulnerabilities CVE-2016-0189 CVE-2019-1458 CVE-2020-0674 and CVE-2019-5782 chained with another Chrome bug that does not have an associated CVE." pdf: https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf https://www.trendmicro.com/vinfo/hk-en/security/news/cyber-attacks/operation-earth-kitsune-tracking-slub-s-current-operations https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf"
X Link 2020-10-20T06:35Z 30.9K followers, [--] engagements
"Two exploit servers delivering different exploit chains via watering hole attacks. CVE-2020-6418/CVE-2020-0938/CVE-2020-1020/CVE-2020-1027 learned a lot https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html"
X Link 2021-01-13T15:06Z 31K followers, [--] engagements
"A Cyber operation against Russia 1.Use Sberbank of Russia for a bait. 2.Use information about famous Russian athletes to obfuscate. 3.Stop attacking when the victim is in Ukraine. ref: translate: https://translate.google.com/translatehl=&sl=zh-CN&tl=en&u=https%3A%2F%2Fmp.weixin.qq.com%2Fs%2F6CEhZ9K71zcslg40rYHaqg&sandbox=1 https://mp.weixin.qq.com/s/6CEhZ9K71zcslg40rYHaqg https://translate.google.com/translatehl=&sl=zh-CN&tl=en&u=https%3A%2F%2Fmp.weixin.qq.com%2Fs%2F6CEhZ9K71zcslg40rYHaqg&sandbox=1 https://mp.weixin.qq.com/s/6CEhZ9K71zcslg40rYHaqg"
X Link 2021-04-15T06:27Z 35.5K followers, [--] engagements
"Top CVEs/Malware most used by #APT Groups since 2020"
X Link 2022-10-07T03:10Z 30.9K followers, [---] engagements
"Analysis of APT-C-60 Attack on South Korea https://www.linkedin.com/pulse/analysis-apt-c-60-attack-south-korea-threatbook/ https://www.linkedin.com/pulse/analysis-apt-c-60-attack-south-korea-threatbook/"
X Link 2022-12-02T07:49Z 30.9K followers, [--] engagements
"VT Intelligence Cheat Sheet https://github.com/blackorbird/APT_REPORT/blob/master/APT-hunting/VTI_Cheatsheet.pdf https://blog.virustotal.com/2022/12/vt-intelligence-cheat-sheet.html https://github.com/blackorbird/APT_REPORT/blob/master/APT-hunting/VTI_Cheatsheet.pdf https://blog.virustotal.com/2022/12/vt-intelligence-cheat-sheet.html"
X Link 2022-12-20T08:25Z 30.9K followers, 23.8K engagements
"2022 FortiGuard Outbreak Alerts Annual Report pdf https://github.com/blackorbird/APT_REPORT/blob/master/summary/2023/2022%20FortiGuard%20Outbreak%20Alerts%20Annual%20Report.pdf https://www.fortinet.com/blog/threat-research/fortiguard-outbreak-alerts-2022-annual-report https://github.com/blackorbird/APT_REPORT/blob/master/summary/2023/2022%20FortiGuard%20Outbreak%20Alerts%20Annual%20Report.pdf https://www.fortinet.com/blog/threat-research/fortiguard-outbreak-alerts-2022-annual-report"
X Link 2023-01-28T08:52Z 31K followers, [----] engagements
"CVE-2023-37450 Available for: iOS 16.5.1 and iPadOS 16.5.1 Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited"
X Link 2023-07-11T02:26Z 26.8K followers, [----] engagements
"Rockwell Automation : Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules #APT https://dragos.com/blog/mitigating-cves-impacting-rockwell-automation-controllogix-firmware/ https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01 https://dragos.com/blog/mitigating-cves-impacting-rockwell-automation-controllogix-firmware/ https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01"
X Link 2023-07-14T08:00Z 29.7K followers, [----] engagements
"Phishing emails making use of the "search-ms" URI protocol handler to download malicious payload. ClickOnce APT Group also use these technology. script window.location.href = 'search-ms:query=Review&crumb=location: domain@SSL DavwwwRoot&displayname=Search; /script https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html"
X Link 2023-07-27T10:08Z 32.8K followers, 104.9K engagements
"APT29 used Zulip servers(toyy.zulipchat.com) to establish a C2 connection and to blend with legitimate web traffic. DLL Sideloading: Msoev.exe + Mso.dll & AppVIsvSubsystems64.dll"
X Link 2023-08-14T06:23Z 26.8K followers, 21.6K engagements
"Lazarus Group Launches First Open Source Supply Chain Attacks Targeting Crypto Sector. They would invite the target to collaborate on a GitHub repository containing malicious npm package dependencies which would then be used to compromise the victim. NPM Packages ref: malware ref:"
X Link 2023-08-15T07:07Z 26.8K followers, 52.2K engagements
"SandWorm group's latest Operation Android malware + Tor + Mirai +dropbear = Anonymous attack exploit chain https://github.com/blackorbird/APT_REPORT/blob/master/Sandworm/SBU%20exposes%20russian%20intelligence%20attempts%20to%20penetrate%20Armed%20Forces'%20planning%20operations%20system.pdf https://github.com/blackorbird/APT_REPORT/blob/master/Sandworm/SBU%20exposes%20russian%20intelligence%20attempts%20to%20penetrate%20Armed%20Forces'%20planning%20operations%20system.pdf"
X Link 2023-08-16T09:19Z 32.4K followers, 20.9K engagements
"APT #Donot Group New Attack Techniques. The decoy file is disguised as a PDF named "draft". Upon opening a prompt box appears urging the user to install a plug-in. After clicking download the browser opens a specific URL. The attacker's server detects the platform type. If it's not Android an error page is returned. For Android it downloads malware. IOC: Old fake andorid package: com.tencent.mobileqq *.flashnotederby.xyz *.sharelives.xyz ref:"
X Link 2023-08-18T02:43Z 26.8K followers, [----] engagements
"VMConnect supply chain attack continues. #Lazarus malicious PyPI: tablediter, request-plus and requestspro. C2: packages-api.test, tableditermanaging.pro"
X Link 2023-09-02T06:16Z 26.8K followers, 10.9K engagements
"#APT28 used "Microsoft Edge" as a bootloader, TOR and mockbin.org/website.hook services as a control center. Any requests sent to the mockbin.org/website.hook URL will be logged instantly, for testing webhooks and HTTP requests."
X Link 2023-09-06T10:05Z 26.8K followers, 63.6K engagements
"APT Group #Confucius Android Malware SunBird's C2 Server"
X Link 2023-09-11T04:19Z 26.8K followers, [---] engagements
"New Chrome 0day CVE-2023-4863. I saw the person who submitted the vulnerability and wondered if it was related to Pegasus."
X Link 2023-09-13T02:31Z 26.8K followers, 24.8K engagements
"Charming Kitten exploited CVE-2021-26855 in Microsoft Exchange servers"
X Link 2023-09-14T06:33Z 26.8K followers, [----] engagements
"North Korean hackers exploit WinRAR vulnerability (CVE-2023-38831) to attack the digital currency industry. wallet_Screenshot_2023_09_06_Qbao_Network.zip report: https://paper.seebug.org/3032/ https://www.virustotal.com/gui/file/40d1ebcca7ed35da9776383abca3e7ec6b70aec53c739aef773cdb90726f46c0"
X Link 2023-09-15T06:47Z 29.4K followers, 51.4K engagements
"Transparent Tribe Group distributes Android apps outside of the Google Play Store, relying on self-run websites and social engineering to entice users to install a weaponized application. I found that I can watch videos very smoothly. Maybe use it as a relay video streaming proxy."
X Link 2023-09-19T02:16Z 26.8K followers, [----] engagements
"New iOS exploit chain: WebKit browser engine (CVE-2023-41993) and the Security framework (CVE-2023-41991) + APIs and support for kernel extensions and kernel-resident device drivers (CVE-2023-41992). Ref:"
X Link 2023-09-22T08:15Z 26.8K followers, 20.9K engagements
"When a victim visited certain websites not using HTTPS, a device installed at the border of the network automatically redirected to a malicious website to infect the phone with Cytrox's Predator spyware. Great analysis, helps to find unknown mobile phone spyware."
X Link 2023-09-23T00:05Z 26.8K followers, [----] engagements
"CVE-2023-38545 curl vul detail blog: hackerone report: socks: return error if hostname too long for remote resolve. Prior to this change, the state machine attempted to change the remote resolve to a local resolve if the hostname was longer than [---] characters. Unfortunately that did not work as intended and caused a security issue. Difficult to exploit."
X Link 2023-10-11T08:27Z 26.8K followers, [----] engagements
"#Lazarus CVE-2023-26369 Exploit: Adobe Acrobat PDF Reader RCE when processing TTF fonts ref: https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/ https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2023/CVE-2023-26369.html"
X Link 2023-10-18T03:27Z 29.3K followers, 30.4K engagements
"Active exploitation of Cisco IOS XE Software (CVE-2023-20198) Web Management User Interface vulnerability. True attack activity: Implant code - Lua 5.149.249.74 154.53.56.231 https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/"
X Link 2023-10-18T09:02Z 29.4K followers, [----] engagements
"CVE-2023-38831 user Collection"
X Link 2023-10-20T09:59Z 25.9K followers, [----] engagements
"How to catch a wild triangle Decrypt the C2 server communications"
X Link 2023-10-27T03:40Z 25.3K followers, [----] engagements
"Lazarus infect blockchain engineers with novel macOS malware"
X Link 2023-11-01T09:26Z 25.5K followers, 18.2K engagements
"Operation Covert Stalker: Kimsuky hacked a system with an RDP (CVE-2019-0708) vulnerability and sent email. English version pdf: ref: https://asec.ahnlab.com/ko/58231/ https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/20231101_Kimsuky_OP.-Covert-Stalker-EN.pdf"
X Link 2023-11-06T08:48Z 29.3K followers, 13K engagements
"#Sandworm has breached Danish energy sector companies. Very nice timeline analysis. #DigitalForensics CVE-2023-28771 + CVE-2023-33009 + CVE-2023-33010"
X Link 2023-11-15T08:01Z 26.2K followers, 18.2K engagements
"APT29 attacks Embassies using CVE-2023-38831 https://github.com/blackorbird/APT_REPORT/blob/master/APT29/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf"
X Link 2023-11-15T08:21Z 30.7K followers, [----] engagements
"Exploring the landscape of blockchain security, and I'm intrigued by some concerns around Solana's security. It's a reminder for all of us in the Web3 world to stay vigilant. Maybe an APT group that specializes in attacking blockchain will pay more attention to this technology."
X Link 2023-11-15T13:35Z 25.9K followers, [----] engagements
"Supply Chain Poisoning of 7ZIP on the Microsoft App Store #APT"
X Link 2023-12-12T11:58Z 26.2K followers, 12K engagements
"NKN + BotNet Attack. Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. PS: NKN is a new kind of peer-to-peer network connectivity protocol and ecosystem powered by a novel public blockchain."
X Link 2023-12-20T08:53Z 26.2K followers, [----] engagements
"#Lazarus Fake GitHub Operation. Their level of activity on GitHub is truly impressive. https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/"
X Link 2023-12-22T02:40Z 32.4K followers, [----] engagements
"Operation Triangulation: The last (hardware) mystery The mystery and the CVE-2023-38606 vulnerability/Technical details"
X Link 2023-12-28T01:44Z [--] followers, 11.6K engagements
"APT37/Group123 + LNK/HWP/HWPX/XLSX/DOCX CVE-2022-41128 https://github.com/blackorbird/APT_REPORT/blob/master/group123/20231229_threat_inteligence_report_market.pdf"
X Link 2023-12-29T03:54Z 29.4K followers, 13.8K engagements
"APT Group Seaturtle Update #ThreatHunting [--]. [--]. #TealKurma malware 'SnappyTCP' https://t.co/eeancH3cGK APT Group Ref (4 yrs later): https://t.co/wot41ceeYr https://t.co/FHfZtLJZOx"
X Link 2024-01-11T07:42Z 26.8K followers, [----] engagements
"Clearing the Fog of War A Critical Analysis of Recent Energy Sector Attacks in Denmark and Ukraine"
X Link 2024-01-15T03:32Z 26.8K followers, [----] engagements
"Bigpanzi Exposed: The Hidden Cyber Threat Behind Your Set-Top Box [------] daily active bots predominantly in Brazil"
X Link 2024-01-18T03:10Z [--] followers, [----] engagements
"#APT29 + TeamCity https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793"
X Link 2024-01-23T04:54Z 30K followers, [----] engagements
"2023 APT RESEARCH REPORT A new APT Group also appeared in this report called APT-C-57 ref:"
X Link 2024-01-30T08:20Z 26.8K followers, 18.7K engagements
"2023 APT Report"
X Link 2024-02-02T05:13Z 26.9K followers, [----] engagements
"APT Group #VajraEleph Update. But the network infrastructure has been replaced. APT Group #VajraEleph Android spyware attack. Target FC/SSG/FC BLN/FIA/Police. https://t.co/xGZk9nbwSq https://t.co/7d2nbGKmnn https://t.co/S8v1fV0Lsz"
X Link 2024-02-04T07:19Z 26.9K followers, [----] engagements
"APT Group Winter Vivern 's C2 signature"
X Link 2024-02-20T07:39Z 27.1K followers, 11.2K engagements
"#Turla C2 server Reverse SOCKS proxy connection to the C2 using the configuration: R:5000:socks"
X Link 2024-02-26T03:15Z 27.3K followers, 14.7K engagements
"#Lazarus exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools. CVE-2024-21338 Beyond BYOVD with an Admin-to-Kernel Zero-Day"
X Link 2024-02-29T08:02Z 27.6K followers, 112.9K engagements
"#Kimsuky CVE-2024-1709 + CVE-2024-1708 ConnectWise ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant"
X Link 2024-03-06T01:59Z 27.6K followers, 11.5K engagements
"#Kimsuky dropbox+lnk"
X Link 2024-03-21T03:36Z 27.6K followers, [----] engagements
"According to the updated time zone, it may be a national APT Group. The author of the 'xz' backdoor commit history and activity shows that they kept office hours mostly, Mon-Fri, every other Saturday. I would imagine some of these would correlate with public holidays, as this was clearly not a hobbyist. https://t.co/AlXZYbtQ8v https://t.co/FUNvgKhVsr"
X Link 2024-03-31T02:02Z 27.8K followers, [----] engagements
"https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and According to the updated time zone, it may be a national APT Group."
X Link 2024-04-01T06:14Z 29.4K followers, [----] engagements
"APT #Sidewinder C2: NGINX response is fingerprint-able https://blog.strikeready.com/blog/rattling-the-cage-of-a-sidewinder/"
X Link 2024-04-05T07:59Z 27.8K followers, [----] engagements
"XZ backdoor story: initial analysis https://securelist.com/xz-backdoor-story-part-1/112354/"
X Link 2024-04-12T15:13Z 28K followers, [----] engagements
"Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) 172.233.228.93 https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/"
X Link 2024-04-13T04:00Z 29.4K followers, 52.7K engagements
"Analyzing APT28 custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials (Windows Print Spooler Elevation of Privilege Vulnerability) https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/"
X Link 2024-04-23T07:38Z 29.4K followers, [----] engagements
"UAT4356/STORM-1849 🦾 CVE-2024-20353 + CVE-2024-20359 https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/"
X Link 2024-04-25T03:08Z 29.3K followers, [----] engagements
"@Dark_fox_844 http://translate.google.com"
X Link 2024-05-07T06:49Z 28.3K followers, [--] engagements
"TunnelVision - CVE-2024-3661 - Decloaking Full and Split Tunnel VPNs https://www.youtube.com/watch?v=ajsLmZia6UU"
X Link 2024-05-09T02:44Z 28.4K followers, [----] engagements
"Analysing a NSO iOS Spyware Sample (#blastpass) CVE-2023-41064 + CVE-2023-41061 + WebP Vulnerability CVE-2023-4863 REF: https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/ https://github.com/blackorbird/APT_REPORT/blob/master/NSOGroup/Asia-24-Frielingsdorf-YouShallNotPassAnalysing.pdf"
X Link 2024-05-10T02:01Z 29.7K followers, [----] engagements
"Tracking APT SideWinder Domains By Combining Regex Patterns, Whois Records and Domain Registrars https://www.embeeresearch.io/advanced-guide-to-infrastructure-analysis-tracking-apt-sidewinder-domains/"
X Link 2024-05-24T07:17Z 28.6K followers, [----] engagements
"Microsoft has identified a new North Korean threat actor now tracked as Moonstone Sleet (formerly Storm-1789) #Lazarus https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/ #Lazarus + Social engineering + GitHub https://t.co/i8hB0EfNrr https://t.co/1ARS3UqlY5 https://t.co/uYQVzOaDNy"
X Link 2024-05-29T02:12Z 28.7K followers, 15.9K engagements
"Kiteshield Packer is Being Abused by Linux Cyber Threat Actors https://blog.xlab.qianxin.com/kiteshield_packer_is_being_abused_by_linux_cyber_threat_actors/"
X Link 2024-05-29T02:23Z 28.7K followers, [----] engagements
"The threat actor group used two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deliver implants for macOS. Part of the CVE-2018-4404 exploit is likely borrowed from the Metasploit framework. macOS version [--] was targeted using those exploits. ref: https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos https://www.threatfabric.com/blogs/lightspy-implant-for-macos"
X Link 2024-05-31T04:45Z 28.7K followers, [----] engagements
"Defend against APT attacks"
X Link 2024-06-02T03:42Z 28.7K followers, [----] engagements
"Decade-Long Espionage Targeting the Global Research and Education Sector #APT https://ti.qianxin.com/blog/articles/Operation-Veles-Decade-Long-Espionage-Targeting-the-Global-Research-and-Education-Sector-EN/"
X Link 2024-06-04T09:54Z 28.8K followers, 11.3K engagements
"Analysis of Kimsuky APT attack using HWP & MSC malware https://www.genians.co.kr/blog/threat_intelligence/interview"
X Link 2024-06-05T10:08Z 29.4K followers, 12.1K engagements
"1. Cyber Threats Facing the [----] #Paris #Olympics [--]. How Russia is trying to disrupt the [----] Paris Olympic Games 3. Multifaceted Threats to the Paris Olympics https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/Hurdling%20Over%20Hazards-%20Multifaceted%20Threats%20to%20the%20Paris%20Olympics.pdf https://blogs.microsoft.com/on-the-issues/2024/06/02/russia-cyber-bots-disinformation-2024-paris-olympics/ https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics"
X Link 2024-06-07T10:39Z 29.4K followers, [----] engagements
"CVE-2024-4577 - PHP CGI Argument Injection Vulnerability https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/ https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/"
X Link 2024-06-07T11:03Z 29.3K followers, [----] engagements
"A threat campaign (UNC5537) targeting Snowflake customer databases https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion"
X Link 2024-06-12T08:18Z 28.8K followers, [----] engagements
"Apple visionOS App Local Privilege Escalation CVE-2024-27801 PoC https://github.com/wangtielei/POCs/blob/main/CVE-2024-27801/POC.m"
X Link 2024-06-14T04:44Z 28.8K followers, [----] engagements
"Attack case targeting HFS (HTTP File Server) servers (CVE-2024-23692) https://asec.ahnlab.com/ko/67509/"
X Link 2024-07-03T10:00Z 29.4K followers, [----] engagements
"Sea Turtle APT Group Analysis https://cyberthint.io/sea-turtle-apt-group-analysis/"
X Link 2024-07-09T07:38Z 29.2K followers, 13.3K engagements
"Insights into spammers' evasion techniques in HTML Smuggling + Attackers starting to use spear phishing tactics in bulk phishing campaigns = I forgot my email password https://securelist.com/spear-phishing-meets-mass/113125/ https://blog.talosintelligence.com/hidden-between-the-tags-insights-into-evasion-techniques-in-html-smuggling/"
X Link 2024-07-15T07:23Z 33.4K followers, [----] engagements
"APT Group Void Banshee + Microsoft 0day CVE-2024-38112 ioc: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/g/cve-2024-38112-void-banshee-targets-windows-users-through-zombie-internet-explorer-in-zero-day-attacks/IOCs-CVE-2024-38112.txt https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/"
X Link 2024-07-17T09:32Z 29.7K followers, 18K engagements
"APT Social Engineering: Fake IT Worker Tried to Infiltrate https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us"
X Link 2024-07-24T07:15Z 29.4K followers, [----] engagements
"#APT #sidewinder C2 Server utilizes an old Tor node https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea"
X Link 2024-07-29T07:57Z 29.7K followers, [----] engagements
"Threat Actor Groups Tracked by Palo Alto Networks Unit [--] Constellation Features ✨✨ https://unit42.paloaltonetworks.com/threat-actor-groups-tracked-by-palo-alto-networks-unit-42/"
X Link 2024-08-05T06:52Z 29.6K followers, [----] engagements
"2024 Threat Hunting Report from CrowdStrike https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/crowdstrike-2024-threat-hunting-report.pdf"
X Link 2024-08-07T08:56Z 29.8K followers, 59.3K engagements
"APT Group #Kimsuky Targets University Researchers 1qaz2wsx#EDC$RFV Nice Save: https://github.com/arceo-labs/iocs/tree/main/APT/Kimsuky https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/ #Kimsuky Green Dinosaur Lover https://t.co/dEsIWAoMUx https://t.co/z8en3BnubS"
X Link 2024-08-09T01:59Z 30.9K followers, [----] engagements
"Cybersecurity Threats [----] Mid-Year Report #APT APT-Q-X & UTG-Q-X https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/Cybersecurity%20Threats%202024%20Mid-Year%20Report.pdf"
X Link 2024-08-19T09:00Z 30.9K followers, [----] engagements
"#APT Group: Mysterious Elephant ref: https://securelist.com/apt-trends-report-q2-2024/113275/ https://strikeready.com/blog/open-sesame/"
X Link 2024-08-19T09:31Z 30.9K followers, [----] engagements
"#Lazarus APT group used CVE-2024-38193 (0day in the wild) https://www.gendigital.com/blog/news/innovation/protecting-windows-users"
X Link 2024-08-21T05:08Z 30.9K followers, 10.6K engagements
"MSC file distribution exploiting Amazon services https://asec.ahnlab.com/ko/82554/"
X Link 2024-08-22T06:00Z 30.9K followers, [----] engagements
"Approach to mainframe penetration testing on z/OS https://securelist.com/zos-mainframe-pentesting/113427/"
X Link 2024-08-22T07:02Z 30.9K followers, [----] engagements
"Jailbreaking a Cisco Switch Appliance using a 0-Day NX-OS CLI Exploit (CVE-2024-20399) https://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/"
X Link 2024-08-23T06:31Z 31K followers, [----] engagements
"Versa Director servers vulnerability exploited in the wild CVE-2024-39717 https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/"
X Link 2024-08-28T02:20Z 30.9K followers, [----] engagements
"This is a honeypot https://securelist.com/hz-rat-attacks-wechat-and-dingtalk/113513/"
X Link 2024-08-28T07:44Z 30.9K followers, [----] engagements
"0day vulnerability techniques and tactics used by APT-Q-12 disclosed https://ti.qianxin.com/blog/articles/operation-deviltiger-0day-vulnerability-techniques-and-tactics-used-by-apt-q-12-disclosed-en/"
X Link 2024-08-28T07:46Z 30.9K followers, 17.9K engagements
"Analysis of two arbitrary code execution vulnerabilities affecting WPS Office CVE-2024-7262 & CVE-2024-7263. ESET said that APT-C-60 is a South Korea-aligned cyberespionage group. https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/ 0day vulnerability techniques and tactics used by APT-Q-12 disclosed https://t.co/NPrZpa0x0y https://t.co/YISvgSMBQe"
X Link 2024-08-29T06:50Z 30.9K followers, [----] engagements
"North Korean threat actor exploiting a zero-day vulnerability in Chromium CVE-2024-7971 https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/"
X Link 2024-08-31T01:41Z 30.9K followers, [----] engagements
"Breaking down CVE-2024-38063: remote exploitation of the Windows kernel https://bi-zone.medium.com/breaking-down-cve-2024-38063-remote-exploitation-of-the-windows-kernel-bdae36f5f61d"
X Link 2024-09-04T07:10Z 30.9K followers, 10.1K engagements
"WhisperGate Group Cyber arsenal https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a"
X Link 2024-09-06T03:18Z 30.9K followers, [----] engagements
"#Predator Spyware Infrastructure Update https://github.com/blackorbird/APT_REPORT/blob/master/Intellexa/Predator%20Files/Predator%20Spyware%20Infrastructure%20Returns%20Following%20Exposure%20and%20Sanctions.pdf https://www.recordedfuture.com/research/predator-spyware-infrastructure-returns-following-exposure-sanctions Predator spyware IOCs update, more and more https://t.co/XdTr6nfHMH https://t.co/B5qwN9L2HT"
X Link 2024-09-06T08:51Z 30.9K followers, 11.1K engagements
"#Lazarus malicious JavaScript code https://www.group-ib.com/blog/apt-lazarus-python-scripts/"
X Link 2024-09-06T09:19Z 30.9K followers, [----] engagements
"I really hope Microsoft can find a way to solve .msc malware. Recently such malware has appeared every day."
X Link 2024-09-09T18:09Z 30.9K followers, [----] engagements
"Palo Alto summary of the naming methods of DPRK APT Groups: Alluring Pisces (Bluenoroff), Gleaming Pisces (Citrine Sleet), Jumpy Pisces (Andariel), Selective Pisces (TEMP.Hermit), Slow Pisces (TraderTraitor), Sparkling Pisces (Kimsuky) https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/"
X Link 2024-09-11T01:09Z 30.9K followers, [----] engagements
"Coordination amongst Russian intelligence agencies and related APTs ref: https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Russia/Disjointed_Cyber_Warfare_Internal_Conflicts_among_.pdf"
X Link 2024-09-16T07:05Z 30.9K followers, 16.1K engagements
"#Lazarus Operation Dream Job Update BAE_Vice President of Business Development.pdf (modified open source code of an older SumatraPDF version) RookeryCapital_PythonTest.zip https://www.elastic.co/security-labs/dprk-code-of-conduct https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader/"
X Link 2024-09-18T12:19Z 30.9K followers, [----] engagements
"Summary of Iranian threat actors https://www.trellix.com/blogs/research/the-iranian-cyber-capability/"
X Link 2024-09-23T04:44Z 31K followers, [----] engagements
"UAC-xxxx CYBER OPERATIONS https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Russia/Cyber%20operations%20by%20russia%20new%20goals%2C%20tools%20and%20groups.pdf"
X Link 2024-09-25T07:29Z 31K followers, [----] engagements
"The CUPS PoC analysis: CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177 https://www.elastic.co/security-labs/cups-overflow"
X Link 2024-09-29T03:50Z 31K followers, [----] engagements
"LOLESXi features a comprehensive list of binaries/scripts natively available in VMware ESXi that adversaries have utilised in their operations. https://lolesxi-project.github.io/LOLESXi/"
X Link 2024-10-03T04:13Z 31K followers, [----] engagements
"IllusiveFog is an implant kit for Microsoft Windows based networks for long term stealthy access and recon. https://github.com/ChaitanyaHaritash/IllusiveFog"
X Link 2024-10-03T04:17Z 31K followers, [----] engagements
"Global Threat Report [----] https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/elastic-global-threat-report-2024.pdf"
X Link 2024-10-04T06:53Z 31K followers, [----] engagements
"Malware download and use of the Wazuh SIEM agent for remote access and telemetry harvesting. "remote_commands" option ref: https://github.com/wazuh/wazuh https://securelist.com/miner-campaign-misuses-open-source-siem-agent/114022/"
X Link 2024-10-07T09:03Z 30.6K followers, 16.3K engagements
"#GoldenJackal Collecting files from USB drives, spreading payloads in the network via USB drives, exfiltrating files and using some PCs in the network as servers to deliver diverse files to other systems. https://www.welivesecurity.com/en/eset-research/mind-air-gap-goldenjackal-gooses-government-guardrails/"
X Link 2024-10-09T02:55Z 30.7K followers, [----] engagements
"IOCs of #APT-C-60 Update 103.187.26.174 103.187.26.176 203.174.87.18 This group has been active since [----] and is currently known to target countries such as China, Korea, Japan, Singapore and other Asian countries. #cti https://threatbook.io/ip/103.187.26.174?utm_medium=X-bob-1010"
X Link 2024-10-09T08:19Z 30.7K followers, [----] engagements
"Software back-end and services for checking the existence of Tor hidden services and retrieving their associated metadata. onion-lookup relies on an AIL instance to obtain the metadata. https://github.com/ail-project/onion-lookup https://onion.ail-project.org/"
X Link 2024-10-09T08:59Z 30.7K followers, [----] engagements
"#Lazarus Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/"
X Link 2024-10-11T07:53Z 30.7K followers, [----] engagements
"#bitter releases a new special malware: MiyaRat samsnewlooker.com 185.106.123.198:40269 https://mp-weixin-qq-com.translate.goog/s/eseliIVHqiWI-Q1CoCA81g?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en https://mp.weixin.qq.com/s/eseliIVHqiWI-Q1CoCA81g"
X Link 2024-10-12T07:18Z 30.7K followers, [----] engagements
"Asian APT group used this Firefox 0day vulnerability for nearly half a year for watering hole attacks CVE-2024-9680 https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/"
X Link 2024-10-12T07:54Z 30.8K followers, 12.3K engagements
"@Joey38379Joey Ask ChatGPT"
X Link 2024-10-12T09:25Z 30.6K followers, [--] engagements
"An adversary had gained access to the customer's network by exploiting CVE-2024-8190 and two previously unknown vulnerabilities affecting the PHP front end of the Ivanti CSA appliance. This top-level domain appears again 😂 https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa"
X Link 2024-10-14T13:18Z 30.8K followers, [----] engagements
"APT34 exploits ngrok to bypass firewalls and network security controls for malicious purposes, and also recently added CVE-2024-30088 to their toolset. ref: https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html"
X Link 2024-10-14T13:33Z 30.8K followers, [----] engagements
"Analytical report: Whispers from the Dark Web Cave: Cyber threats to the Middle East. A bit like Cthulhu. https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/whispers-from-darkweb.pdf"
X Link 2024-10-15T10:03Z 30.7K followers, [----] engagements
"The malicious macro code includes a password verification step before executing its core functionality, with the password likely being provided through an email to bypass detection by dynamic analysis tools like sandboxes. APT Group #Donot office-updatecentral.com regionserverbackup.info https://mp.weixin.qq.com/s/qCcuU0E6d84tdQ1r2dCsjA"
X Link 2024-10-15T15:19Z 30.8K followers, [----] engagements
"Microsoft Digital Defense Report [----] https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/Microsoft%20Digital%20Defense%20Report%202024.pdf"
X Link 2024-10-15T15:32Z 30.8K followers, [----] engagements
"The evolution and expansion of the #SideWinder APT group. Domains hunt ref: https://x.com/blackorbird/status/1793904198456938958 https://securelist.com/sidewinder-apt/114089/ Tracking APT SideWinder Domains By Combining Regex Patterns, Whois Records and Domain Registrars https://t.co/Wu9TQ8Gr8w https://t.co/Ad6Qnjp5CP"
X Link 2024-10-16T03:05Z 30.7K followers, [----] engagements
"#Group123, after infiltrating an advertising company's server, deployed a backdoor using the IE 0day exploit CVE-2024-38178 within ad scripts. This strategy enables a zero-click attack: as the ads are served, the malicious code executes without any user interaction. sample: pdf: ref: https://asec.ahnlab.com/ko/83876/ https://github.com/blackorbird/APT_REPORT/blob/master/group123/(%E1%84%8C%E1%85%A5%E1%86%AB%E1%84%8E%E1%85%A6%E1%84%87%E1%85%A9%E1%86%AB)%E1%84%80%E1%85%A9%E1%86%BC%E1%84%80%E1%85%A2%E1%84%87%E1%85%A9%E1%84%80%E1%85%A9%E1%84%89%E1%85%A5-OperationCodeonToast.pdf"
X Link 2024-10-16T09:29Z 30.9K followers, 19.4K engagements
"Mysterious Elephant group uses CHM files to attack multiple countries in South Asia. Disguised as a legitimate network service, the access request (hxxp://easyiplookup.com:5080/main/get_ip_data) parses data from the remote server's response content. https://mp.weixin.qq.com/s/tkOMIHY36TujPKjWKVa6kA"
X Link 2024-10-16T09:43Z 30.8K followers, [----] engagements
"#APT #Patchwork IOC kirdycorp.com #CTI ref: Patchwork conducts prolonged cyber espionage in South Asian sectors, targeting government, health and research. The IOCs expanded from this domain name are as follows, shown in Figure [--]. microsftonline-sharpoint.stjets.com anglerrscovey.com nationalsecuritysolutions.com.co 79.132.130.231 https://threatbook.io/domain/kirdycorp.com"
X Link 2024-10-17T02:33Z 35.6K followers, [----] engagements
"CVE-2024-38178 Exploit Analysis #APT37 Exploit domain: mini.gomlab.com js.ad4989.co.kr ref:"
X Link 2024-10-17T08:20Z 30.7K followers, [--] engagements
"#Lazarus npm phishing iocs ref: https://www.esentire.com/blog/bored-beavertail-yacht-club-a-lazarus-lure https://github.com/eSentire/iocs/blob/main/Lazarus/lazarus_iocs_10-15-2024.txt #Lazarus python malware: InvisibleFerret 95.164.7.171 95.164.17.24 https://t.co/kgZuI2Sy1E https://t.co/uQfhOGvztH"
X Link 2024-10-22T03:15Z 30.8K followers, [----] engagements
"#Patchwork BADNEWS IOCs Update jiansmst.info md5:28702b03ea2d38f7a9654b3334536a9f C2 pretends to be a marketplace for domain names. The associated IOCs zscaller.live & dagros.live were disguised as the security company Zscaler and the dagros domain. #CTI ref: https://threatbook.io/domain/jiansmst.info http://Dan.com"
X Link 2024-10-22T09:32Z 35.6K followers, [----] engagements
"Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575"
X Link 2024-10-24T08:07Z 35.6K followers, 14.8K engagements
"#Lazarus #BlueNoroff A comprehensive analysis of the Chrome Remote Code Execution Vulnerability CVE-2024-4947. More importantly, the game can be played. ref: https://x.com/blackorbird/status/1795639225083379821 https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/ Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789). #Lazarus https://t.co/uZvWIrcNMP https://t.co/Z8NYo9av6W"
X Link 2024-10-24T08:33Z 35.6K followers, 11.9K engagements
"@UK_Daniel_Card only c2 cloudydaysradar.site cloudydaysreports.site cloudydaystracker.site cloudydaysupdates.site cloudydaysalerts.site cloudydaysforecast.site"
X Link 2024-10-24T08:42Z 35.6K followers, [---] engagements
"The #Lazarus Group is actively posting fake cryptocurrency job offers and research projects across platforms like LinkedIn, X and GitHub to target individuals. It's been six months and the website Hirog.io remains online. Report & IOCs: https://threatbook.io/blog/id/1093"
X Link 2024-10-24T14:05Z 35.6K followers, [----] engagements
"#APT29 was abusing RDP phishing domains which impersonated AWS https://cert.gov.ua/article/6281076"
X Link 2024-10-25T07:25Z 35.6K followers, 29.5K engagements
"#bitter searchconnector-ms malware IOCs ref: https://mp.weixin.qq.com/s/kkl0jh14M9DtDGtSGQ4gag https://www.virustotal.com/gui/file/742f7dc4cbf71f24d7292e3f6ddabe049c3474641c42f5b6841cc15c4ccb3956/content"
X Link 2024-10-26T06:22Z 35.6K followers, [----] engagements
"UNC5812: Fake website employs unconventional social engineering to preempt user suspicions about APK delivery outside the App Store and to justify the extensive permissions needed for CRAXSRAT installation. https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives"
X Link 2024-10-29T03:32Z 35.6K followers, [----] engagements
"LightSpy: Implant for iOS ⚠ The threat actor expanded support for the iOS platform, targeting up to version [----]. They utilized the publicly available Safari exploit CVE-2020-9802 for initial access and CVE-2020-3837 for privilege escalation. https://www.threatfabric.com/blogs/lightspy-implant-for-ios"
X Link 2024-10-30T03:36Z 35.6K followers, 17.2K engagements
"#muddywater MuddyRot/BugSleep c2 server ref: https://blog.talosintelligence.com/writing-a-bugsleep-c2-server/ https://github.com/Cisco-Talos/IOCs/tree/main/2024/10/server"
X Link 2024-11-01T07:48Z 31K followers, [----] engagements
"Analysis of Cyber Recon Activities Behind #APT37 Threat Actor https://www.genians.co.kr/blog/threat_intelligence/apt37_recon"
X Link 2024-11-04T03:24Z 31.1K followers, [----] engagements
"#Lazarus BeaverTail and InvisibleFerret infection chain. High-level relationship between the Contagious Interview and WageMole campaigns. ioc: https://github.com/ThreatLabz/iocs/tree/main/contagiousinterview https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west #Lazarus npm phishing iocs https://t.co/x3o7qItOUu ref: https://t.co/niIJhG0fHv https://t.co/23iDtCN2DD"
X Link 2024-11-05T09:03Z 31.1K followers, [----] engagements
"#bitter C2 Hunting https://mp.weixin.qq.com/s/pvm0QUAMS0U5dIge1ImcCQ"
X Link 2024-11-05T09:55Z 31.1K followers, [----] engagements
"#Patchwork Group has now upgraded its C2 infrastructure to prevent cyber surveying by utilizing Cloudflare. The main domain is inaccessible and only subdomains are open for access. However, they still haven't changed the decoy page. https://threatbook.io/domain/gyyun.xyz #PatchWork IOCs Update ragonrise.info sanping.info bovnle.info aquilei.live masatex.info alieanmote.live ragonrise.info renovaragora.info novasphere.live parkways.info #CTI ref: https://t.co/FPn6J0XPBQ https://t.co/OAhA0aJjO6"
X Link 2024-11-05T14:06Z 31.1K followers, [----] engagements
"#Lazarus created Flutter applications that were considered the first stage payload. Initially, six infected applications were identified, with five of them signed using developer account signatures. Apple had already revoked these signatures. https://www.jamf.com/blog/jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications/"
X Link 2024-11-13T09:22Z 31.6K followers, [----] engagements
"#Lazarus used a disguised page to load a suspicious JavaScript file named "preload.js". https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/ #Lazarus created Flutter applications that were considered the first stage payload. Initially, six infected applications were identified, with five of them signed using developer account signatures. Apple had already revoked these signatures. https://t.co/DmSZwKp7cj https://t.co/lrulvrXh8f"
X Link 2024-11-14T06:52Z 31.2K followers, [----] engagements
"Analysis of the URL File Zero-Day Vulnerability CVE-2024-43451 https://github.com/blackorbird/APT_REPORT/blob/master/Exploit/Zero-day-cve-2024-4351-report.pdf"
X Link 2024-11-14T08:53Z 32.1K followers, 19K engagements
"#Patchwork Havoc C2 & Website posing as China People's Daily Online aurorafoss.xyz 91.245.255.99:443 ref: https://threatbook.io/domain/aurorafoss.xyz"
X Link 2024-11-14T14:01Z 31.4K followers, [----] engagements
"Firefox Animation CVE-2024-9680 #POC https://dimitrifourny.github.io/2024/11/14/firefox-animation-cve-2024-9680.html Asian APT group used this Firefox 0day vulnerability for nearly half a year for watering hole attacks: CVE-2024-9680 https://t.co/opiaKcVK04"
X Link 2024-11-15T02:52Z 32K followers, 22K engagements
"Cybersecurity Forecast [----] Report. The compilation of interesting summary reports for [----] has officially begun. https://github.com/blackorbird/APT_REPORT/blob/master/summary/2025/cybersecurity-forecast-2025.pdf"
X Link 2024-11-15T09:14Z 31.2K followers, [----] engagements
"Ngioweb botnet supplying 80% of NSOCKS proxies (residential proxies). This makes it more difficult to trace back to the hacker group. https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/"
X Link 2024-11-20T02:41Z 31.4K followers, [----] engagements
"#APT-Q-41() Targets Pakistan Navy in Cyber Espionage Campaign https://blogs.blackberry.com/en/2024/11/suspected-nation-state-adversary-targets-pakistan-navy-in-cyber-espionage-campaign"
X Link 2024-11-20T09:07Z 31.4K followers, [----] engagements
"Analysis of the Recent Incident Involving APT-C-36 (Blind Eagle) Forging Judicial Documents to Distribute the DcRat Backdoor https://mp.weixin.qq.com/s/DDCCjhBjUTa7Ia4Hggsa1A"
X Link 2024-11-21T02:19Z 31.4K followers, [----] engagements
"Perfect Mac mini stand"
X Link 2024-11-24T04:18Z 31.6K followers, 151.6K engagements
"#APT28 was able to ultimately breach Organization A's network by connecting to Organization B's enterprise Wi-Fi network. Then #APT28 was able to ultimately breach Organization B's network by connecting to Organization C's enterprise Wi-Fi network. CVE-2022-38028 https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/"
X Link 2024-11-24T06:07Z 31.5K followers, [----] engagements
"#MysteriousElephant weapon Update https://medium.com/@knownsec404team/unveiling-the-past-and-present-of-apt-k-47-weapon-asyncshell-5a98f75c2d68 Mysterious Elephant group uses CHM files to attack multiple countries in South Asia. Disguised as a legitimate network service, the access request (hxxp://easyiplookup.com:5080/main/get_ip_data) parses data from the remote server's response content. https://t.co/Uql34EEFxW https://t.co/vnMXa3jcwD"
X Link 2024-11-25T09:17Z 31.5K followers, [----] engagements
"The malware contains the following list of [---] hardcoded security process names. It drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda. https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/ The installation of external AV products (HRSword.exe) to disable security tools https://t.co/9Dwq2O2Udf https://t.co/Boo8hnT2co"
X Link 2024-11-25T11:44Z 31.5K followers, 10.2K engagements
"CNC (#APT-C-48) checks process names during anti-debugging and anti-virtual-machine phases. panbaiclu.com https://mp.weixin.qq.com/s/Xb8bEZMV3FHC1O6lWt-4pg"
X Link 2024-11-26T09:56Z 31.6K followers, [----] engagements
"#Oceanlotus C2 Infrastructure jieyitongweb.com 5.39.254.159:443 https://threatbook.io/domain/jieyitongweb.com"
X Link 2024-11-26T13:55Z 31.5K followers, [----] engagements
"RomCom/Storm-0978 exploits Firefox and Windows zero days in the wild: Firefox 0day CVE-2024-9680 + Windows privilege escalation 0day CVE-2024-49039 https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/ Firefox Animation CVE-2024-9680 #POC https://t.co/v6QrbVGE6h https://t.co/oDHBJzjUtT"
X Link 2024-11-26T15:34Z 31.6K followers, [----] engagements
"A popular open-source game engine is used to execute crafted GDScript code which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal. https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/"
X Link 2024-11-28T15:55Z 31.4K followers, [----] engagements
"Censeye is designed to help researchers identify hosts with characteristics similar to a given target. #threathunting https://github.com/Censys-Research/censeye"
X Link 2024-11-29T14:38Z 31.6K followers, [----] engagements
"The Russian APT group #Turla has gained access to the Pakistani APT group #Sidecopy + #TransparentTribe (Storm-0156)'s C2 server and used it to attack operators in Afghanistan and Pakistan. ioc: https://github.com/blacklotuslabs/IOCs/blob/main/Secret_Blizzard_IoCs.txt https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/ https://blog.lumen.com/snowblind-the-invisible-hand-of-secret-blizzard/"
X Link 2024-12-05T02:10Z 31.7K followers, 12.2K engagements
"The legitimate #Solana JavaScript SDK was temporarily compromised in a supply chain attack yesterday. The library was embedded with malicious code that aimed to steal cryptocurrency private keys and drain wallets. https://socket.dev/blog/supply-chain-attack-solana-web3-js-library"
X Link 2024-12-05T03:01Z 31.6K followers, [----] engagements
"#Oceanlotus C2 38.54.59.112/extensions/a586bc8a-728c-4d06-8180-befb9e20c408 sample: wininet.dll 1f829550112739aaa293cea3c908b275 (LEBANON submitter) https://threatbook.io/ip/38.54.59.112 #Oceanlotus 103.91.67.74:4443 (Malaysia IP) Untrusted certificate: Organization: The Visiting Nurse Association of Texas CommonName: atlas.vnatexas.org https://t.co/g3F2RpDFtH https://t.co/hikigW4upE"
X Link 2024-12-05T14:13Z 31.6K followers, [----] engagements
"#Bitter used new Shellcode Loader (C:UsersDOMSKugelBlitzVSReposDEVShellCode_Loaderx64ReleaseShellCode_Loader.pdb) and the File Collector (X:ResourceVSRepo2Kiwi2.0Kiwix64ReleaseKiwi.pdb). [--] Don't Collect [--]. Don't collect files whose file names begin with "$" [--]. Don't collect files with a file size greater than [--------] bytes [--]. Don't collect files whose last modification time exceeds one year https://mp.weixin.qq.com/s/EudqDzM0RA5q_EbeOIWS8g"
X Link 2024-12-09T11:28Z 31.7K followers, [----] engagements
"China's largest IT community, the CSDN website, was hacked and malicious JS code was inserted into the article. #wateringhole attacks. A very innovative fake Google certificate update page: clicking on update will download malware. https://mp.weixin.qq.com/s/qQw1DXE25Gkz_P8pEPVaHg"
X Link 2024-12-12T08:32Z 31.8K followers, [----] engagements
"The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least [----]. pdf: https://github.com/blackorbird/APT_REPORT/blob/master/Careto/The-Mask-has-been-unmasked-again.pdf https://securelist.com/careto-is-back/114942/"
X Link 2024-12-13T11:11Z 31.7K followers, [----] engagements
"Android Zero-Day Exploited in Spyware Campaigns. About Cellebrite's forensic extraction products and a newly identified spyware dubbed #NoviSpy used to infect devices. Awesome Digital Forensics Case Report https://github.com/blackorbird/APT_REPORT/blob/master/Cellebrite/Amnesty-Cellebrite.pdf"
X Link 2024-12-17T02:04Z 31.7K followers, [----] engagements
"#APT29 Rogue RDP configuration file: From red team tool to targeted attacks iocs: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/l/earth-koshchei/IOClist-EarthKoshchei.txt https://www.trendmicro.com/en_no/research/24/l/earth-koshchei.html #APT29 was abusing RDP phishing domains which impersonated AWS https://t.co/VqUg73IUrv https://t.co/aVt5eV0Xrf"
X Link 2024-12-17T09:15Z 31.7K followers, [----] engagements
"#Patchwork still uses Let's Encrypt certificates, and this time the counterfeit website is The Law Society of Hong Kong. dartshoppe.info 23.227.196.103 bovnle.info 162.216.241.223 aquileia.live 23.254.217.250 queretero.xyz 91.245.255.77 https://threatbook.io/domain/dartshoppe.info #Patchwork created a domain to masquerade as the homepage of Scandinavian Airlines, but the domain was actually disguised as a Chinese translation software website. youdoa.info https://t.co/9G4T6lYDq1 https://t.co/79JIbyEK58"
X Link 2024-12-17T14:01Z 31.7K followers, [----] engagements
"#Bitter attacks organizations within Turkey's defense sector. https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats"
X Link 2024-12-18T11:24Z 31.8K followers, [----] engagements
"ESET Threat Report H2 [----] https://github.com/blackorbird/APT_REPORT/blob/master/summary/2024/eset-threat-report-h22024.pdf"
X Link 2024-12-18T11:34Z 31.8K followers, [----] engagements
"Using LLMs to Obfuscate Malicious JavaScript https://unit42.paloaltonetworks.com/using-llms-obfuscate-malicious-javascript/"
X Link 2024-12-24T00:20Z 31.9K followers, 10.1K engagements
"Phishing group "Cloud Atlas" targets Eastern Europe and Central Asia. ioc: https://1275.ru/ioc/8610/cloud-atlas-apt-iocs-part-2/ report: https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/"
X Link 2024-12-25T15:25Z 35.1K followers, [----] engagements
"#Lazarus OtterCookie Malware Update. It already included a built-in functionality to steal keys related to cryptocurrency wallets; the checkForSensitiveData function used regular expressions to check for Ethereum private keys. https://jp.security.ntt/tech_blog/contagious-interview-ottercookie"
X Link 2024-12-27T04:13Z 31.9K followers, [----] engagements
"Global elections in 2024: Internet traffic and cyber threat trends https://blog.cloudflare.com/elections-2024-internet/"
X Link 2024-12-28T01:32Z 31.9K followers, [----] engagements
"#Lazarus has embedded IPMsg Installer 5.6.18.0 into malware. cryptocopedia.com https://mp.weixin.qq.com/s/XuaMRmZSomKFoaX7XrqpYA"
X Link 2024-12-30T02:31Z 31.9K followers, [----] engagements
"Four-Faith Industrial Router CVE-2024-12856 Exploited in the Wild"
X Link 2024-12-31T08:05Z 32K followers, [----] engagements
"LdapNightmare is a PoC tool that tests a vulnerable Windows Server against CVE-2024-49112 https://github.com/SafeBreach-Labs/CVE-2024-49112 https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49112/"
X Link 2025-01-02T06:40Z 32K followers, [----] engagements
"#Oceanlotus The primary tactic of the attack is to release open-source security tool projects on GitHub, attracting security researchers to download and further distribute them. github.com/0xjiefeng/CVE-2024-35250-BOF ref: https://mp.weixin.qq.com/s/ih36z93y6BazatjeoGjp1A #Oceanlotus C2 38.54.59.112/extensions/a586bc8a-728c-4d06-8180-befb9e20c408 sample: wininet.dll 1f829550112739aaa293cea3c908b275 (LEBANON submitter) https://t.co/B3MgeNLNYH https://t.co/rQRQMQX0qB"
X Link 2025-01-08T11:04Z 32K followers, 10.7K engagements
"#threathunting CF-Hero is a comprehensive reconnaissance tool developed to discover the real IP addresses of web applications protected by Cloudflare. It performs multi-source intelligence gathering through various methods. https://github.com/musana/CF-Hero"
X Link 2025-01-12T09:26Z 32K followers, [----] engagements
"This analysis reveals how the kernel module hijacks the inbound network traffic to the compromised Ivanti system, how the user-space malicious file is started, and how it communicates with the rootkit module. (About Ivanti CSA 0day follow-up analysis) https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware"
X Link 2025-01-14T08:04Z 32.1K followers, [----] engagements
"#Lazarus via LinkedIn Operation. Operation 99: North Korea's Cyber Assault on Software Developers https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/ https://blogs.jpcert.or.jp/ja/2025/01/initial_attack_vector.html"
X Link 2025-01-17T05:25Z 32K followers, [----] engagements
"#Deepseek's chat subdomain is under a UDP amplification-based DDoS attack"
X Link 2025-01-27T09:18Z 32.1K followers, [----] engagements
"#Lazarus Operation Traffic sourced from DPRK IPs masked via VPNs/proxies, routed through Oculus nodes (Hasan, Russia) to C2; multi-hop architecture ensures full-chain anonymity & evasion. https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/ #Lazarus via LinkedIn Operation https://t.co/9wp1LQUvY2 Operation 99: North Korea's Cyber Assault on Software Developers https://t.co/ZnQDjs1nr6"
X Link 2025-01-31T10:41Z 32.4K followers, 21K engagements
"#APT28 The report details the group's activities from the onset of the Ukraine conflict, even collaborations with non-state actors (cybercrime groups). https://github.com/blackorbird/APT_REPORT/blob/master/APT28/APT28%20the%20long%20hand%20of%20Russian%20interests.pdf"
X Link 2025-02-01T03:47Z 32.2K followers, [----] engagements
"Cybersecurity Threats [----] Annual Report From Qianxin #APT https://github.com/blackorbird/APT_REPORT/blob/master/summary/2025/Cybersecurity%20Threats%202024%20Annual%20Report_QAX.pdf"
X Link 2025-02-21T12:32Z 32.4K followers, [----] engagements
"The Silver Fox Group has now started targeting the world. #cybercrime https://www.forescout.com/blog/healthcare-malware-hunt-part-1-silver-fox-apt-targets-philips-dicom-viewers/"
X Link 2025-02-27T11:41Z 32.5K followers, [----] engagements
"2025 OT Cybersecurity Report: A Year in Review https://github.com/blackorbird/APT_REPORT/blob/master/summary/2025/Dragos-2025-OT-Cybersecurity-Report-A-Year-in-Review.pdf"
X Link 2025-02-28T05:59Z 32.5K followers, [----] engagements
"CrowdStrike Global Threat Report [----] https://github.com/blackorbird/APT_REPORT/blob/master/summary/2025/CrowdStrikeGlobalThreatReport2025.pdf"
X Link 2025-03-03T11:47Z 33.2K followers, [----] engagements
"In-Depth Technical Analysis of the Bybit Hack #Lazarus https://www.nccgroup.com/us/research-blog/in-depth-technical-analysis-of-the-bybit-hack/"
X Link 2025-03-11T11:44Z 32.8K followers, 18.9K engagements
"#APT34 C2 Infrastructure Update mytrustiq.com 95.156.204.168 89.46.233.239 malware: Ravateb.pdf.exe A rare fake alert https://threatbook.io/ip/89.46.233.239"
X Link 2025-03-11T14:07Z 32.8K followers, [----] engagements
"New Android Spyware KoSpy (fileupdate/fileexploer/kakaoupdate/androidmanager) #APT37 & #Kimsuky & #Konni & KoSpy C2 domains point to shared infrastructure (27.255.79.225). https://security.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37"
X Link 2025-03-13T10:05Z 32.8K followers, [----] engagements
"#APT34 C2 signature: title== good_news_site P2: Unknown C2 control Website 🚨 APT34 update: State-backed OilRig group is recently targeting Iraqi state entities with: ➤ Weaponized docs & backdoors ➤ Hijacked official emails ➤ Fake [---] decoy servers ThreatBook's report breaks down their latest TTPs. Access the full report 👉https://t.co/sR6c6k3P0E"
X Link 2025-03-31T12:06Z 32.9K followers, [----] engagements
"Update ⚠ More IOCs From Contagious to #ClickFake Interview: #Lazarus leveraging the ClickFix tactic https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/ Lazarus APT: Techniques for Hunting Contagious Interview Used ClickFix social engineering to trick job seekers into executing malicious code. https://t.co/JmcTS307JG https://t.co/93ZyqKMSZG"
X Link 2025-04-02T11:24Z 33K followers, [----] engagements
"The #Konni group is exploiting unknown WordPress vulnerabilities to gain access and utilizing them for their C2 servers in .lnk/.bat/.msi-AutoIt phishing campaigns. Sample: https://C2/wp-admin/js/widgets/hurryup/rv=bear&za=battle1 Picture ref: https://www.genians.co.kr/blog/threat_intelligence/konni_disguise https://threatbook.io/domain/techtorev.com"
X Link 2025-04-03T16:06Z 33.1K followers, [----] engagements
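The two posts above give hunt-able artifacts: the APT34 post names a C2 page title (good_news_site) and the Konni post a C2 URL shape under a hijacked WordPress site (/wp-admin/js/widgets/hurryup/ with rv= and za= parameters). The following matcher, added here as an example and not code from the poster, ThreatBook or Genians, runs both checks over constructed proxy-log lines. It assumes the post's sample URL lost its "?" in extraction, so it also accepts the parameters glued onto the last path segment; the host name compromised-wp.example, the log format and the parameter values are assumptions.

```python
"""IOC matchers for two observations on this page (example code, not the
poster's): the Konni C2 URL pattern on hijacked WordPress sites and the APT34
C2 page-title signature. All sample data below is constructed."""
import re
from urllib.parse import urlsplit, parse_qs

KONNI_PATH = "/wp-admin/js/widgets/hurryup/"   # path prefix from the post
KONNI_PARAMS = {"rv", "za"}                    # both query keys must be present
APT34_TITLE = "good_news_site"                 # title== signature from the post


def _split_path_and_params(url):
    """Return (path, set of query keys). If the URL carries no '?' (as in the
    post's sample, presumably lost in extraction) but its last path segment
    looks like a query string, treat that segment as the query."""
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    if not query and "=" in path.rsplit("/", 1)[-1]:
        path, _, query = path.rpartition("/")
        path += "/"
    return path, set(parse_qs(query, keep_blank_values=True))


def is_konni_c2_url(url):
    """Host is deliberately ignored: the C2 lives on whichever WordPress
    site was compromised, so only the path shape and parameter set matter."""
    path, params = _split_path_and_params(url)
    return path.startswith(KONNI_PATH) and KONNI_PARAMS <= params


def has_apt34_title(html):
    """Exact, case-sensitive match on the <title> text, as the post states it."""
    m = re.search(r"<title[^>]*>\s*(.*?)\s*</title>", html, re.I | re.S)
    return bool(m) and m.group(1).strip() == APT34_TITLE


# Assumed proxy-log layout: "<ts> <src> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(text):
    """Return (source IP, URL) for every log line whose URL matches the
    Konni C2 shape; lines that do not parse are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m and is_konni_c2_url(m["url"]):
            hits.append((m["src"], m["url"]))
    return hits


# Constructed sample log: two Konni-shaped beacons (with and without '?'),
# one ordinary WordPress asset, one admin-ajax POST. Host is a placeholder.
SAMPLE_LOG = """\
2025-04-03T16:06:00Z 10.0.0.15 GET https://compromised-wp.example/wp-admin/js/widgets/hurryup/?rv=bear&za=battle1 200
2025-04-03T16:06:05Z 10.0.0.15 GET https://compromised-wp.example/wp-admin/js/widgets/hurryup/rv=bear&za=battle1 200
2025-04-03T16:07:00Z 10.0.0.22 GET https://blog.example.org/wp-admin/js/widgets/text.js 200
2025-04-03T16:08:00Z 10.0.0.22 POST https://blog.example.org/wp-admin/admin-ajax.php 200
"""

# Constructed HTML snippets for the title check.
SAMPLE_C2_PAGE = "<html><head><title>good_news_site</title></head><body></body></html>"
SAMPLE_BENIGN_PAGE = "<html><head><title>Good News Site</title></head></html>"

if __name__ == "__main__":
    for src, url in scan_proxy_log(SAMPLE_LOG):
        print(f"Konni C2 pattern: {src} -> {url}")
    print("APT34 title match:", has_apt34_title(SAMPLE_C2_PAGE))
```

The path prefix alone is weak (legitimate widget scripts live under /wp-admin/js/widgets/), so the matcher requires both parameter names as well; tighten or loosen KONNI_PARAMS as your own telemetry dictates, and pair the title check with the IPs in the APT34 post rather than using it on its own.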
"Deconstructing the Attack: A Deep Dive into RDP Techniques https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remote-desktop-protocol"
X Link 2025-04-08T05:19Z 33K followers, [----] engagements
"ToddyCat attackers exploited it by running their tool in the context of a security solution. (CVE-2024-11859 vulnerability in ESET Command line scanner) https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/"
X Link 2025-04-09T10:25Z 33.1K followers, [----] engagements
"#ransomware CVE-2025-29824: A zero-day vulnerability in the Common Log File System (CLFS) https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/"
X Link 2025-04-10T03:53Z 33K followers, [----] engagements