# @virusbtn Virus Bulletin

Virus Bulletin posts on X most often about microsoft, $4704t and apt. They currently have [------] followers and [---] posts still getting attention, totalling [-----] engagements in the last [--] hours.

### Engagements: [-----]

- [--] Week [------] +47%
- [--] Month [------] +182%
- [--] Months [-------] +85%
- [--] Year [-------] +41%

### Mentions: [--]

- [--] Week [--] -42%
- [--] Month [--] +72%
- [--] Months [---] +27%
- [--] Year [---] +80%

### Followers: [------]

- [--] Week [------] +0.08%
- [--] Month [------] +0.28%
- [--] Months [------] +0.76%
- [--] Year [------] +1.70%

### CreatorRank: [---------]

### Social Influence

**Social category influence** [technology brands](/list/technology-brands) [stocks](/list/stocks) [countries](/list/countries) [finance](/list/finance) [social networks](/list/social-networks) [travel destinations](/list/travel-destinations) [automotive brands](/list/automotive-brands) [ncaa football](/list/ncaa-football) [cryptocurrencies](/list/cryptocurrencies) [exchanges](/list/exchanges)

**Social topic influence** [microsoft](/topic/microsoft) #2007, [$4704t](/topic/$4704t), [apt](/topic/apt), [in the](/topic/in-the), [labs](/topic/labs), [$googl](/topic/$googl), [infrastructure](/topic/infrastructure), [$zs](/topic/$zs) #24, [micro](/topic/micro), [strike](/topic/strike)

**Top accounts mentioned or mentioned by** @bushidotoken @cryptax @cyberalliance @malwaretraffic @fortinet @martijngrooten @gaborszappanos @threatresearch @jfslowik @mattnotmax @piffey
@cpeterr @0xd01a @cyberkramer @xme @softwareclean @talossecurity @tccontre18 @eromang @tera0017

**Top assets mentioned** [Microsoft Corp. (MSFT)](/topic/microsoft) [Alphabet Inc Class A (GOOGL)](/topic/$googl) [Zscaler Inc (ZS)](/topic/$zs) [Crowdstrike Holdings Inc (CRWD)](/topic/crowdstrike) [Fortinet Inc (FTNT)](/topic/fortinet) [IBM (IBM)](/topic/ibm) [Tesla, Inc. (TSLA)](/topic/tesla) [Cloudflare, Inc. (NET)](/topic/cloudflare) [BlackBerry Limited (BB)](/topic/blackberry)

### Top Social Posts

Top posts by engagements in the last [--] hours

"Palo Alto's @malware_traffic noticed one of the propagation modules used by Trickbot has been updated https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/" [X Link](https://x.com/virusbtn/status/1266387076771127296) 2020-05-29T15:13Z 60.6K followers, [--] engagements

"Accenture security researchers look at recent Hades ransomware operations https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware" [X Link](https://x.com/virusbtn/status/1375443678269947912) 2021-03-26T13:45Z 60.4K followers, [--] engagements

"Trend Micro's Buddy Tancio, Maria Emreen Viray & Mohamed Fahmy detail an investigation that successfully uncovered the intrusion sets employed by espionage group Earth Kapre (aka RedCurl and Red Wolf) in a recent incident.
https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html" [X Link](https://x.com/virusbtn/status/1767145307240878096) 2024-03-11T11:07Z 60.5K followers, [----] engagements

"Trend Micro's Peter Girnus, Aliakbar Zahravi & Simon Zuckerbraun analyse a DarkGate campaign which exploited CVE-2024-21412 through the use of fake software installers. https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html" [X Link](https://x.com/virusbtn/status/1768300046590570604) 2024-03-14T15:35Z 60.5K followers, [----] engagements

"Trend Micro researchers describe how Earth Koshchei's remote desktop protocol (RDP) campaign used an attack methodology involving an RDP relay, a rogue RDP server & a malicious RDP configuration file, leading to potential data leakage & malware installation. https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html" [X Link](https://x.com/virusbtn/status/1869342257754853651) 2024-12-18T11:21Z 59.7K followers, [----] engagements

"Sekoia's Amaury G., Maxime A., Erwan Chevalier & Félix Aimé look into the DoubleTap espionage campaign, possibly conducted by a Russia-nexus intrusion set, UAC-0063, sharing overlaps with APT28.
The infection chain includes the malware HATVIBE and CHERRYSPY. https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/" [X Link](https://x.com/virusbtn/status/1879126150439731654) 2025-01-14T11:19Z 60.5K followers, [----] engagements

"Trend Micro researchers look into a web shell intrusion incident where attackers abused the Internet Information Services (IIS) worker to exfiltrate stolen data. https://www.trendmicro.com/en_us/research/25/a/investigating-a-web-shell-intrusion-with-trend-micro--managed-xd.html" [X Link](https://x.com/virusbtn/status/1879473412416163920) 2025-01-15T10:19Z 59.8K followers, [----] engagements

"SecurityScorecard researchers look into Operation Phantom Circuit, in which Lazarus Group embedded malware directly into trusted applications, and show how the attacker built infrastructure to manage and exfiltrate stolen data. https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/" [X Link](https://x.com/virusbtn/status/1886366638309544306) 2025-02-03T10:50Z 59.7K followers, [----] engagements

"Researchers from LAC's Cyber Emergency Center analyse the "RevivalStone" campaign operated by China-based threat group Winnti. The campaign targeted Japanese companies in the manufacturing, materials and energy sectors.
https://www.lac.co.jp/lacwatch/report/20250213_004283.html" [X Link](https://x.com/virusbtn/status/1890002141420695682) 2025-02-13T11:36Z 59.7K followers, [----] engagements

"eSentire researchers summarise a recent investigation into an attack by the RedCurl/EarthKapre APT against an organization within the legal services industry. The group primarily targets private-sector organizations with a focus on corporate espionage. https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt" [X Link](https://x.com/virusbtn/status/1891432513685328293) 2025-02-17T10:20Z 59.8K followers, [----] engagements

"TRAC Labs analyses SocGholish/FakeUpdates. The infection chain starts with a fake browser update delivered via compromised websites & a malicious JavaScript file, leading to an obfuscated MintsLoader payload that delivers the GhostWeaver PowerShell backdoor. https://trac-labs.com/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983" [X Link](https://x.com/virusbtn/status/1891433273210913013) 2025-02-17T10:23Z 59.7K followers, [----] engagements

"Zscaler ThreatLabz researchers present the second part of a technical analysis of Xloader versions [--] & [--], covering how Xloader obfuscates the command-and-control (C2) and the network communication protocol.
https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-2" [X Link](https://x.com/virusbtn/status/1891434090366144892) 2025-02-17T10:26Z 59.8K followers, [----] engagements

"A new article from The DFIR Report provides details of an intrusion that began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, ultimately leading to the deployment of LockBit ransomware across the environment. https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/" [X Link](https://x.com/virusbtn/status/1894014868144914528) 2025-02-24T13:21Z 59.8K followers, [----] engagements

"Fortinet's Ran Mizrahi analyses a malspam campaign spreading Ratty RAT in Spain, Italy & Portugal. It uses the serviciodecorreo email service provider, which is configured as an authorized sender for various domains and successfully passes SPF validation. https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware" [X Link](https://x.com/virusbtn/status/1920810115499798801) 2025-05-09T11:56Z 60.4K followers, [----] engagements

"Trend Micro researcher Junestherry Dela Cruz describes a TikTok campaign that uses possibly AI-generated videos to lure victims into executing PowerShell commands that lead to the Vidar and StealC information stealers.
https://www.trendmicro.com/en_us/research/25/e/tiktok-videos-infostealers.html" [X Link](https://x.com/virusbtn/status/1925500025683013920) 2025-05-22T10:32Z 60.5K followers, [----] engagements

"Proofpoint Threat Research identified multiple China-aligned threat actors specifically targeting Taiwanese organizations within the semiconductor industry. In all cases the motive was most likely espionage. https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting" [X Link](https://x.com/virusbtn/status/1945812957968925171) 2025-07-17T11:48Z 60.7K followers, [----] engagements

"Trend Micro researchers examine the past TTPs used by UNC3886 to get a good understanding of the threat group and enhance the overall defensive posture against similar tactics. https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html" [X Link](https://x.com/virusbtn/status/1954840152968204612) 2025-08-11T09:39Z 60.7K followers, [----] engagements

"Trend Micro researchers uncovered a campaign that uses Charon, a new ransomware family with advanced APT-style techniques, in targeting the Middle East's public sector & aviation industry with customized ransom demands.
https://www.trendmicro.com/en_us/research/25/h/new-ransomware-charon.html" [X Link](https://x.com/virusbtn/status/1955548140578410587) 2025-08-13T08:33Z 60.7K followers, [----] engagements

"Trend Micro researchers detail a Crypto24 ransomware campaign mixing legitimate tools with custom malware in coordinated multi-stage attacks to move laterally, persist, evade defences and steal data across Asia, Europe and the US. https://www.trendmicro.com/en_no/research/25/h/crypto24-ransomware-stealth-attacks.html" [X Link](https://x.com/virusbtn/status/1956282069606191234) 2025-08-15T09:09Z 60.7K followers, [----] engagements

"HarfangLab's Cyber Threat Research Team reports two malicious-archive clusters targeting Ukraine and Poland since April [----]. The activity shows strong similarities to the cyber-espionage actor UAC-0057 (UNC1151/Ghostwriter). https://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/" [X Link](https://x.com/virusbtn/status/1958460093709619321) 2025-08-21T09:24Z 60.7K followers, [----] engagements

"Warlock ransomware advertises itself with 'If you want a Lamborghini, please contact me.'
Trend Micro analyses how it exploits unpatched SharePoint for access, privilege escalation, credential theft, lateral movement and data exfiltration before encryption. https://www.trendmicro.com/en_us/research/25/h/warlock-ransomware.html" [X Link](https://x.com/virusbtn/status/1958462357589418247) 2025-08-21T09:33Z 60.7K followers, [----] engagements

"Trend Micro's Nick Dai & Pierre Lee look into the TAOTH campaign targeting users across Eastern Asia, which leveraged an abandoned Sogou Zhuyin IME update server & spear-phishing operations to deliver malware families such as TOSHIS, C6DOOR, DESFY & GTELAM. https://www.trendmicro.com/en_us/research/25/h/taoth-campaign.html" [X Link](https://x.com/virusbtn/status/1961368470370517328) 2025-08-29T10:00Z 60.7K followers, [----] engagements

"A recent report from the Sekoia TDR team provides an overview of the commercial surveillance vendors ecosystem between [----] and [----], analysing their spyware offerings, business models, client base, target profiles and infection chains. https://blog.sekoia.io/predators-for-hire-a-global-overview-of-commercial-surveillance-vendors/" [X Link](https://x.com/virusbtn/status/1963183173304476157) 2025-09-03T10:11Z 60.6K followers, [----] engagements

"Trend Micro researchers Buddy Tancio, Aldrin Ceriola, Khristoffer Jocson, Nusrath Iqra & Faith Higgins analyse a campaign distributing Atomic macOS Stealer (AMOS) in disguised cracked versions of legitimate apps.
https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html" [X Link](https://x.com/virusbtn/status/1963955573684109470) 2025-09-05T13:21Z 60.7K followers, [----] engagements

"FortiGuard Labs details a phishing campaign with advanced evasion. It uses EPL for staged payloads, hides activity, disables security tools, secures C2 with mTLS, supports multiple delivery methods and installs AnyDesk/TightVNC for full control. https://www.fortinet.com/blog/threat-research/mostererat-deployed-anydesk-tightvnc-for-covert-full-access" [X Link](https://x.com/virusbtn/status/1965340130585247875) 2025-09-09T09:02Z 60.7K followers, [----] engagements

"Trend Micro details the Gentlemen ransomware group, showing advanced tooling to bypass enterprise endpoint protections. TTPs include driver abuse, GPO manipulation, custom anti-AV utilities, privileged account compromise and exfiltration. https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html" [X Link](https://x.com/virusbtn/status/1965728664798302486) 2025-09-10T10:46Z 60.7K followers, [----] engagements

"Zscaler ThreatLabz identifies a campaign active since early May [----] targeting Chinese-speaking users that delivers ValleyRAT, FatalRAT & the newly named kkRAT. The blog details the attack chain and kkRAT's features, network protocol, commands & plugins.
https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat" [X Link](https://x.com/virusbtn/status/1966088889338134964) 2025-09-11T10:38Z 60.6K followers, [----] engagements

"Sysdig's Threat Research Team identifies ZynorRAT, a new Go-based RAT supporting Linux and Windows. First seen on [--] July [----], it shows little similarity to known families, uses Telegram for C2 and is likely Turkish in origin. https://www.sysdig.com/blog/zynorrat-technical-analysis-reverse-engineering-a-novel-turkish-go-based-rat" [X Link](https://x.com/virusbtn/status/1966089170973241524) 2025-09-11T10:39Z 60.7K followers, [----] engagements

"Trend Micro details EvilAI, which disguises itself as productivity/AI apps and is signed to appear legitimate. Infections span Europe, the Americas and AMEA, hitting the manufacturing, government and healthcare sectors. https://www.trendmicro.com/en_us/research/25/i/evilai.html" [X Link](https://x.com/virusbtn/status/1966452305764532572) 2025-09-12T10:42Z 60.7K followers, [----] engagements

"IBM X-Force has published new research on China-aligned Mustang Panda. Researchers observed an updated Toneshell and SnakeDisk, a USB worm that triggers only on Thailand-based IPs to deliver the Yokai backdoor. https://www.ibm.com/think/x-force/hive0154-drops-updated-toneshell-backdoor" [X Link](https://x.com/virusbtn/status/1966452694333132988) 2025-09-12T10:43Z 60.5K followers, [----] engagements

"Hunt.io maps a phishing wave that clones the websites of Chevron, ConocoPhillips, PBF Energy and Phillips [--]. Tactics include HTTrack-based site copying, exposed directories and investment-scam templates. https://hunt.io/blog/us-energy-phishing-wave-report" [X Link](https://x.com/virusbtn/status/1966453614722847030) 2025-09-12T10:47Z 60.5K followers, [----] engagements

"Zscaler's ThreatLabz tracks SmokeLoader's return with new 2025-alpha and [----] builds after the May [----] Operation Endgame takedown. The builds fix performance-impacting bugs and update artifacts to evade static and behaviour-based detection. https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes" [X Link](https://x.com/virusbtn/status/1967974200150462543) 2025-09-16T15:29Z 60.7K followers, [----] engagements

"Sekoia.io's Threat Detection and Response team links two early [----] APT28 samples to the CERT-UA BeardShell and Covenant publication on [--] June [----] and reports additional weaponized Office documents and previously undocumented techniques. https://blog.sekoia.io/apt28-operation-phantom-net-voxel/" [X Link](https://x.com/virusbtn/status/1968229631393402933) 2025-09-17T08:24Z 60.6K followers, [----] engagements

"Acronis Threat Research Unit reports a sophisticated FileFix in the wild, beyond the original POC, with a multi-lingual phishing site, anti-analysis tricks and JPG steganography that hides a second-stage PowerShell script and encrypted executables.
https://www.acronis.com/en/tru/posts/filefix-in-the-wild-new-filefix-campaign-goes-beyond-poc-and-leverages-steganography/" [X Link](https://x.com/virusbtn/status/1968230626789880181) 2025-09-17T08:28Z 60.7K followers, [----] engagements

"Proofpoint Threat Research reports TA415 ran spear-phishing campaigns in July & August [----] against US government, think tanks and academia, using US-China economic lures and using Google Sheets, Google Calendar and VS Code Remote Tunnels for C2. https://www.proofpoint.com/us/blog/threat-insight/going-underground-china-aligned-ta415-conducts-us-china-economic-relations" [X Link](https://x.com/virusbtn/status/1968231607887860189) 2025-09-17T08:32Z 60.7K followers, [----] engagements

"Bitdefender Threat Research analyses a cyber attack on a Philippine military company, revealing EggStreme - a new fileless multi-stage framework built for persistent espionage and designed to establish a resilient foothold on compromised systems. https://businessinsights.bitdefender.com/eggstreme-fileless-malware-cyberattack-apac" [X Link](https://x.com/virusbtn/status/1968605483985486208) 2025-09-18T09:18Z 60.7K followers, [----] engagements

"Zscaler ThreatLabz reports two malicious PyPI packages, sisaws and secmeasure, that deliver SilentSync, a Python-based RAT designed to execute remote commands, exfiltrate files, capture screens and steal browser data from Chrome, Brave, Edge and Firefox.
https://www.zscaler.com/blogs/security-research/malicious-pypi-packages-deliver-silentsync-rat" [X Link](https://x.com/virusbtn/status/1968607386488164361) 2025-09-18T09:25Z 60.7K followers, [----] engagements

"Hunt.io Threat Research uncovers attackers abusing ConnectWise ScreenConnect installers and open directories as staging points to deliver AsyncRAT and a custom PowerShell RAT. https://hunt.io/blog/asyncrat-screenconnect-open-directory-campaigns" [X Link](https://x.com/virusbtn/status/1968960935713718410) 2025-09-19T08:50Z 60.7K followers, [----] engagements

"The DFIR Report presents an intrusion that began with a Lunar Spider-linked JavaScript file disguised as a tax form, leading to multiple pieces of malware being deployed (Latrodectus, Brute Ratel C4, Cobalt Strike, BackConnect and a custom .NET backdoor). https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/" [X Link](https://x.com/virusbtn/status/1973294651504468228) 2025-10-01T07:51Z 60.4K followers, [----] engagements

"Sekoia's Jeremy Scion and Marc N. present how a cellular router's API was exploited to send malicious SMS messages containing phishing URLs (smishing), primarily targeting Belgian users. https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/" [X Link](https://x.com/virusbtn/status/1973313779250372982) 2025-10-01T09:07Z 60.5K followers, [----] engagements

"Trend Micro researchers identified an active campaign spreading via WhatsApp through a ZIP file attachment.
When executed, the malware establishes persistence and hijacks the compromised WhatsApp account to send copies of itself to the victim's contacts. https://www.trendmicro.com/en_gb/research/25/j/self-propagating-malware-spreads-via-whatsapp.html" [X Link](https://x.com/virusbtn/status/1974043525797839330) 2025-10-03T09:27Z 60.4K followers, [----] engagements

"Hunt.io Threat Research observes APT SideWinder shifting to maritime targets, with Pakistan & Sri Lanka as primary targets, utilising free hosting platforms for credential portals & lures and staging malware in open directories. https://hunt.io/blog/operation-southnet-sidewinder-south-asia-maritime-phishing" [X Link](https://x.com/virusbtn/status/1975133650401542277) 2025-10-06T09:38Z 60.7K followers, [----] engagements

"The Resecurity HUNTER Team warns of mass exploitation of CVE-2025-61882 in Oracle E-Business Suite, enabling remote code execution. Several victims received extortion emails from Cl0p in late September [----]. https://www.resecurity.com/blog/article/cve-2025-61882-mass-exploitation-oracle-e-business-suite-ebs-under-attack-by-cl0p-ransomware" [X Link](https://x.com/virusbtn/status/1975497068216221984) 2025-10-07T09:42Z 60.7K followers, [----] engagements

"Rapid7 Threat Research reports a new threat group known as the Crimson Collective attacking AWS environments to exfiltrate data and extort victims. The actor has also announced that it is behind an attack on Red Hat.
https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/" [X Link](https://x.com/virusbtn/status/1975838818633957669) 2025-10-08T08:20Z 60.7K followers, [----] engagements

"FortiGuard Labs analyses Chaos ransomware, which resurfaced in [----] with a new C++ variant. The analysis provides a walkthrough of its execution flow, encryption and clipboard hijacking for cryptocurrency, with comparisons to earlier .NET builds. https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous" [X Link](https://x.com/virusbtn/status/1976206241903898684) 2025-10-09T08:40Z 60.7K followers, [----] engagements

"McAfee's Threat Research team uncovers a new Astaroth campaign leveraging GitHub to host malware configurations. Infection starts with a phishing link that downloads a zipped LNK. When executed, it installs Astaroth. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/astaroth-banking-trojan-abusing-github-for-resilience/" [X Link](https://x.com/virusbtn/status/1977661587281563744) 2025-10-13T09:04Z 60.7K followers, [----] engagements

"FortiGuard Labs details a Stealit campaign that shifts from Electron installers to the Node.js Single Executable Application feature while still posing as game and VPN installers.
https://www.fortinet.com/blog/threat-research/stealit-campaign-abuses-nodejs-single-executable-application" [X Link](https://x.com/virusbtn/status/1977664055881138494) 2025-10-13T09:13Z 60.7K followers, [----] engagements

"Socket's Threat Research Team reports the Contagious Interview campaign is escalating, involving [---] malicious npm packages. DPRK actors are using 180+ fake personas with new npm aliases & registration emails to deploy HexEval, XORIndex & encrypted loaders. https://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages" [X Link](https://x.com/virusbtn/status/1977668144597782701) 2025-10-13T09:30Z 60.7K followers, [----] engagements

"Proofpoint Threat Research details TA585, a sophisticated actor that manages its own infrastructure, delivery and malware installation, and delivers MonsterV2, which has the capabilities of a RAT, stealer and loader. https://www.proofpoint.com/us/blog/threat-insight/when-monster-bytes-tracking-ta585-and-its-arsenal" [X Link](https://x.com/virusbtn/status/1978012366756352324) 2025-10-14T08:17Z 60.7K followers, [----] engagements

"Seqrite Threat Research reports Spanish-language judicial notification lures targeting Colombian users, using SVG, HTA, VBS and PowerShell stages to download and decode a loader, ending with AsyncRAT injected into a legitimate Windows process.
https://www.seqrite.com/blog/judicial-notification-phish-colombia-svg-asyncrat/" [X Link](https://x.com/virusbtn/status/1978012710093947289) 2025-10-14T08:19Z 60.7K followers, [----] engagements

"Red Canary tracks macOS stealers in [--------], noting that Poseidon Stealer was sold and rebranded as Odyssey Stealer, which shares significant code and features with Atomic Stealer (aka AMOS). https://redcanary.com/blog/threat-intelligence/atomic-odyssey-poseidon-stealers/" [X Link](https://x.com/virusbtn/status/1978013070040469825) 2025-10-14T08:20Z 60.7K followers, [----] engagements

"Cyble Research and Intelligence Labs observes Android campaigns posing as Indian Regional Transport Office apps, spreading via WhatsApp & SMS to GitHub-hosted APKs & compromised sites, then using phishing pages to collect banking credentials & UPI PINs. https://cyble.com/blog/ghostbat-rat-inside-the-resurgence-of-rto-themed-android-malware/" [X Link](https://x.com/virusbtn/status/1978382454109999316) 2025-10-15T08:48Z 60.7K followers, [----] engagements

"In early [----], Sekoia.io Threat Detection & Research reported PolarEdge exploiting CVE-2023-20118 to gain RCE and drop a web shell on routers. A follow-up blog post provides an in-depth technical analysis of the undocumented TLS-based implant. https://blog.sekoia.io/polaredge-backdoor-qnap-cve-2023-20118-analysis/" [X Link](https://x.com/virusbtn/status/1978394358689714307) 2025-10-15T09:35Z 60.7K followers, [----] engagements

"Trend Micro's Dove Chiu & Lucien Chuang uncovered an attack campaign exploiting the Cisco SNMP vulnerability CVE-2025-20352, allowing remote code execution and rootkit deployment on unprotected devices. https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html" [X Link](https://x.com/virusbtn/status/1978743591833854051) 2025-10-16T08:43Z 60.5K followers, [----] engagements

"The SEQRITE Labs Research Team recently uncovered a campaign targeting the Russian automobile-commerce industry with a .NET malware dubbed CAPI Backdoor. https://www.seqrite.com/blog/seqrite-capi-backdoor-dotnet-stealer-russian-auto-commerce-oct-2025/" [X Link](https://x.com/virusbtn/status/1980195198195077527) 2025-10-20T08:51Z 60.7K followers, [----] engagements

"Google Mandiant researchers show how a financially motivated threat actor abuses the blockchain to distribute infostealers. UNC5142 usually uses compromised WordPress websites & EtherHiding, a technique to obscure malicious code/data on a public blockchain. https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware" [X Link](https://x.com/virusbtn/status/1980556003470197035) 2025-10-21T08:45Z 60.7K followers, [----] engagements

"Google researchers analyse a new malware attributed to Russian state-sponsored threat group COLDRIVER.
The re-tooling began with a new malicious DLL called NOROBOT, delivered via an updated COLDCOPY ClickFix lure that pretends to be a custom CAPTCHA. https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver" [X Link](https://x.com/virusbtn/status/1980556921661993150) 2025-10-21T08:49Z 60.7K followers, [----] engagements
"Trend Micro's Junestherry Dela Cruz examines the latest version of the Vidar stealer, which features a full rewrite in C, a multithreaded architecture and several enhancements that warrant attention. https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades-infostealer-capabilities.html" [X Link](https://x.com/virusbtn/status/1980924032469086569) 2025-10-22T09:07Z 60.5K followers, [----] engagements
"Check Point's @Tera0017 analyses the YouTube Ghost Network, a collection of malicious accounts that take advantage of YouTube's features to distribute infostealers like Lumma, Rhadamanthys, StealC, RedLine, 0debug & other Phemedrone variants. https://research.checkpoint.com/2025/youtube-ghost-network/" [X Link](https://x.com/virusbtn/status/1982751735044317651) 2025-10-27T10:10Z 60.7K followers, [----] engagements
"researchers look into a TransparentTribe (also known as APT36 or Operation C-Major) phishing campaign targeting Indian organizations with DeskRAT.
https://blog.sekoia.io/transparenttribe-targets-indian-military-organisations-with-deskrat/ http://Sekoia.io" [X Link](https://x.com/virusbtn/status/1982752560571429313) 2025-10-27T10:13Z 60.5K followers, [----] engagements
"Trellix ARC researchers examine the TTPs employed by SideWinder APT in recent espionage activities in Asia. The phishing campaign occurred in multiple waves in [----], adapted to specific diplomatic targets and led to ModuleInstaller & StealerBot malware. https://www.trellix.com/blogs/research/sidewinders-shifting-sands-click-once-for-espionage/" [X Link](https://x.com/virusbtn/status/1982753203050660218) 2025-10-27T10:16Z 60.7K followers, [----] engagements
"Trend Micro researchers analyse a Water Saci campaign spreading via WhatsApp which uses an email-based C&C infrastructure, multi-vector persistence for resilience & incorporates advanced checks to evade analysis & restrict activity to specific targets. https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html" [X Link](https://x.com/virusbtn/status/1983102071856410891) 2025-10-28T09:22Z 60.5K followers, [----] engagements
"Cisco Talos researchers Takahiro Takeda, Jordyn Dunk, James Nutland & Michael Szeliga look into attack methods of the Qilin (formerly Agenda) ransomware group exposed through multiple cases.
https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/" [X Link](https://x.com/virusbtn/status/1983102724708114865) 2025-10-28T09:25Z 60.7K followers, [----] engagements
"Palo Alto's Unit [--] team investigate the Jingle Thief campaign operated by financially motivated Morocco-based attackers. The attackers use phishing & smishing to steal credentials to compromise organizations that issue gift cards. https://unit42.paloaltonetworks.com/cloud-based-gift-card-fraud-campaign/" [X Link](https://x.com/virusbtn/status/1983103285117759687) 2025-10-28T09:27Z 60.7K followers, [----] engagements
"IBM's Melissa Frydrych-Dean & Raymond Joseph write about several malspam cases observed by the X-Force team with Hijackloader leading to payloads like PureHVNC. The emails imitate the Attorney General's office of Colombia with official document downloads. https://www.ibm.com/think/x-force/latam-baited-into-delivery-of-purehvnc" [X Link](https://x.com/virusbtn/status/1983504915864432901) 2025-10-29T12:03Z 60.7K followers, [----] engagements
"Palo Alto Networks researchers discovered Airstalk, a new Windows-based malware family with both PowerShell & .NET variants. The researchers assess with medium confidence that a possible nation-state threat actor used this malware in a supply chain attack.
https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/" [X Link](https://x.com/virusbtn/status/1983828863592300674) 2025-10-30T09:30Z 60.7K followers, [----] engagements
"In mid-2025 Sophos CTU researchers observed a campaign from the BRONZE BUTLER (also known as Tick) threat actor that exploited a zero-day vulnerability (CVE-2025-61932) in Motex LANSCOPE Endpoint Manager to steal confidential information. https://news.sophos.com/en-us/2025/10/30/bronze-butler-exploits-japanese-asset-management-software-vulnerability/" [X Link](https://x.com/virusbtn/status/1984191562109358213) 2025-10-31T09:31Z 60.7K followers, [----] engagements
"Researchers at Zimperium's zLabs have identified a growing trend of Android applications misusing NFC and Host Card Emulation (HCE) to illegally obtain payment data and conduct fraudulent transactions. https://zimperium.com/blog/tap-and-steal-the-rise-of-nfc-relay-malware-on-mobile-devices" [X Link](https://x.com/virusbtn/status/1984192075831885921) 2025-10-31T09:33Z 60.7K followers, [----] engagements
"Arctic Wolf Labs reports that the China-linked threat actor UNC6384 targeted European diplomatic entities in Hungary and Belgium during September and October [----], exploiting ZDI-CAN-25373 and deploying PlugX RAT malware.
https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/" [X Link](https://x.com/virusbtn/status/1985317774118232575) 2025-11-03T12:06Z 60.6K followers, [----] engagements
"SEQRITE Labs details Operation SkyCloak targeting Russian and Belarusian military personnel, where decoys lead to PowerShell stages that expose local services over Tor using obfs4 bridges, enabling covert communication. https://www.seqrite.com/blog/operation-skycloak-tor-campaign-targets-military-of-russia-belarus/" [X Link](https://x.com/virusbtn/status/1985318225585004815) 2025-11-03T12:08Z 60.6K followers, [----] engagements
"Members of Gen Digital Threat Labs uncover two new DPRK toolsets - Kimsuky's HttpTroy backdoor and Lazarus's upgraded BLINDINGCAN remote access tool - and explain how these tools work. https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis" [X Link](https://x.com/virusbtn/status/1985318836112109678) 2025-11-03T12:11Z 60.6K followers, [----] engagements
"Proofpoint Threat Research tracks a cybercriminal cluster targeting trucking and logistics companies, abusing legitimate RMM tools to hijack cargo and steal physical goods.
https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics" [X Link](https://x.com/virusbtn/status/1985648371508600930) 2025-11-04T10:00Z 60.6K followers, [----] engagements
"The SEQRITE Labs APT-Team has been tracking Silent Lynx - which targets Kyrgyzstan, Turkmenistan and Uzbekistan for espionage - since November [----], presenting their findings at VB2025. Further research has now uncovered multiple related campaigns. https://www.seqrite.com/blog/operation-peek-a-baku-silent-lynx-apt-dushanbe-espionage/" [X Link](https://x.com/virusbtn/status/1985649705938809136) 2025-11-04T10:05Z 60.7K followers, [----] engagements
"Huntress reports that Gootloader is back, using custom WOFF2 fonts with glyph substitution to obfuscate filenames; exploiting WordPress comment endpoints for XOR-encrypted ZIPs; and shifting persistence to the Startup folder.
https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation" [X Link](https://x.com/virusbtn/status/1986378095163789594) 2025-11-06T10:20Z 60.7K followers, [----] engagements
"Proofpoint Threat Research details an espionage campaign targeting Iranian academics & foreign policy experts, starting with a benign Iran-themed conversation, moving to credential harvesting & a URL to an archive with an MSI installer that deploys RMM tools. https://www.proofpoint.com/us/blog/threat-insight/crossed-wires-case-study-iranian-espionage-and-attribution" [X Link](https://x.com/virusbtn/status/1986378869130113298) 2025-11-06T10:23Z 60.6K followers, [----] engagements
"Google Threat Intelligence Group confirms first operational use of just-in-time AI in malware families such as PROMPTFLUX and PROMPTSTEAL, where LLMs generate malicious scripts and obfuscate code on the fly. https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools" [X Link](https://x.com/virusbtn/status/1986379169446482185) 2025-11-06T10:24Z 60.7K followers, [----] engagements
"Unit [--] uncovers the new LANDFALL Android spyware, delivered as DNG images that exploit CVE-2025-21042 in Samsung devices. https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/" [X Link](https://x.com/virusbtn/status/1987826907417628722) 2025-11-10T10:17Z 60.6K followers, [----] engagements
"CyberProof Threat Research identifies the Maverick banking malware spreading via WhatsApp and notes technical overlaps with Coyote malware.
https://www.cyberproof.com/blog/maverick-and-coyote-analyzing-the-link-between-two-evolving-brazilian-banking-trojans/" [X Link](https://x.com/virusbtn/status/1988206947678745071) 2025-11-11T11:27Z 60.6K followers, 13.8K engagements
"Cyble Research and Intelligence Labs uncovers a phishing campaign using HTML email attachments that run JavaScript to steal credentials and exfiltrate them to attacker-controlled Telegram bots. https://cyble.com/blog/multi-brand-phishing-campaign-harvests-credentials/" [X Link](https://x.com/virusbtn/status/1988209054989381847) 2025-11-11T11:35Z 60.4K followers, [----] engagements
"Members of the Point Wild Lat61 Threat Intelligence Team analyse a Bitcoin-themed fake tool that drops DarkComet RAT, detailing its behaviour and attacker capabilities. https://www.pointwild.com/threat-intelligence/darkcomet-rat-malware-hidden-inside-fake-bitcoin-tool" [X Link](https://x.com/virusbtn/status/1988569306355920955) 2025-11-12T11:27Z 60.7K followers, [----] engagements
"Trend Micro Research observes increased Lumma Stealer activity and notes the malware now uses browser fingerprinting in its command-and-control tactics. https://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-fingerprinting.html" [X Link](https://x.com/virusbtn/status/1988914263964946618) 2025-11-13T10:18Z 60.5K followers, [----] engagements
"Jamf Threat Labs analyses DigitStealer, a new macOS infostealer that uses advanced hardware checks and multi-stage attacks to evade detection and steal sensitive data.
https://www.jamf.com/blog/jtl-digitstealer-macos-infostealer-analysis/" [X Link](https://x.com/virusbtn/status/1989268234416361957) 2025-11-14T09:44Z 60.5K followers, [----] engagements
"Check Point researchers analyse Payroll Pirates, a financially motivated network quietly hijacking payroll systems, credit unions and trading platforms across the US using malvertising. https://blog.checkpoint.com/email-security/payroll-pirates-one-network-hundreds-of-targets/" [X Link](https://x.com/virusbtn/status/1990357454899839248) 2025-11-17T09:52Z 60.6K followers, [----] engagements
"Palo Alto Networks Unit [--] researchers identified two interconnected malware campaigns active throughout [----], using large-scale brand impersonation to deliver Gh0st remote access trojan (RAT) variants to Chinese-speaking users. https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/" [X Link](https://x.com/virusbtn/status/1990358045042590109) 2025-11-17T09:55Z 60.5K followers, [----] engagements
"Splunk's Teoderick Contreras looks into an updated .NET loader that uses steganography techniques to deliver various malware families. The variant includes an additional module specifically designed to further evade detection and hinder payload extraction.
https://www.splunk.com/en_us/blog/security/updated-net-steganography-loader-lokibot-malware-analysis.html" [X Link](https://x.com/virusbtn/status/1990358715363451065) 2025-11-17T09:57Z 60.4K followers, [----] engagements
"Researchers from the Israel National Digital Agency have uncovered an ongoing espionage campaign conducted by Iranian threat actors tracked as SpearSpecter (APT42, Mint Sandstorm, Educated Manticore, CharmingCypress). https://govextra.gov.il/national-digital-agency/cyber/research/spearspecter/" [X Link](https://x.com/virusbtn/status/1991092368364224824) 2025-11-19T10:33Z 60.5K followers, [----] engagements
"Jamf Threat Labs dissects the new DigitStealer malware, a macOS infostealer that uses advanced hardware checks and multi-stage attacks to evade detection and steal sensitive data. https://www.jamf.com/blog/jtl-digitstealer-macos-infostealer-analysis/" [X Link](https://x.com/virusbtn/status/1991456418030055679) 2025-11-20T10:39Z 60.5K followers, [----] engagements
"ESET's Facundo Muñoz & Dávid Gábriš provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that the researchers have named EdgeStepper.
https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" [X Link](https://x.com/virusbtn/status/1991457080969204155) 2025-11-20T10:42Z 60.6K followers, [----] engagements
"The Acronis TRU team look into a TamperedChef malvertising/SEO campaign delivering installers disguised as common applications, which establish persistence & deliver obfuscated JavaScript payloads for remote access & control. https://www.acronis.com/en/tru/posts/cooking-up-trouble-how-tamperedchef-uses-signed-apps-to-deliver-stealthy-payloads/" [X Link](https://x.com/virusbtn/status/1991806769753129128) 2025-11-21T09:51Z 60.3K followers, [----] engagements
"K7 Labs analyse a campaign ongoing in Brazil spreading malware via WhatsApp Web from the victim's machine to their contacts by using the open-source WhatsApp automation script from GitHub, whilst also loading a banking trojan into memory. https://labs.k7computing.com/index.php/brazilian-campaign-spreading-the-malware-via-whatsapp/" [X Link](https://x.com/virusbtn/status/1992882464860389766) 2025-11-24T09:06Z 60.5K followers, [----] engagements
"DomainTools researchers present a report on APT35 (also referenced as Charming Kitten) based on leaked internal documents. The report reveals a regimented, quota-driven cyber operations unit operating inside a bureaucratic military chain of command.
https://dti.domaintools.com/threat-intelligence-report-apt35-internal-leak-of-hacking-campaigns-against-lebanon-kuwait-turkey-saudi-arabia-korea-and-domestic-iranian-targets/" [X Link](https://x.com/virusbtn/status/1992883471975625096) 2025-11-24T09:10Z 60.5K followers, [----] engagements
"Zscaler researchers analyse a recent multi-stage attack that started from exploitation of a Windows MMC vulnerability and is attributed to the Water Gamayun APT group. https://www.zscaler.com/blogs/security-research/water-gamayun-apt-attack" [X Link](https://x.com/virusbtn/status/1993619764347044286) 2025-11-26T09:56Z 60.5K followers, [----] engagements
"Jamf Threat Labs warn that fake job assessments that ask you to run terminal commands could be a social engineering scheme to deploy the FlexibleFerret malware (a malware family attributed to DPRK-aligned operators) and steal your credentials. https://www.jamf.com/blog/flexibleferret-malware-continues-to-adapt/" [X Link](https://x.com/virusbtn/status/1993622008362615272) 2025-11-26T10:05Z 60.5K followers, [----] engagements
"ReversingLabs researchers have discovered vulnerable code in legacy Python packages that could make possible an attack on the Python Package Index (PyPI) via a domain compromise. https://www.reversinglabs.com/blog/bootstrap-script-exposes-pypi-to-domain-takeover-attack" [X Link](https://x.com/virusbtn/status/1994017608945766654) 2025-11-27T12:16Z 60.3K followers, [----] engagements
"Missed a session? Or want to relive your favourite #VB2025 moments? The VB2025 presentation playlist is now live on YouTube.
Catch up on [--] talks now available to watch for free. 👉 (Some talks are not included at the request of the speakers) https://tinyurl.com/4uven8zw" [X Link](https://x.com/virusbtn/status/1994032189726474687) 2025-11-27T13:14Z 60.5K followers, [----] engagements
"Trend Micro researchers share their findings on the Shai-hulud [---] campaign and reveal new functions that weren't observed in its first variant, such as backdoor capabilities. https://www.trendmicro.com/en_us/research/25/k/shai-hulud-2-0-targets-cloud-and-developer-systems.html" [X Link](https://x.com/virusbtn/status/1994340727837307066) 2025-11-28T09:40Z 60.5K followers, [----] engagements
"SEQRITE Labs APT-Team tracks "Operation Hanoi Thief", a spear-phishing campaign targeting Vietnamese IT departments and HR recruiters with fake resume documents that deliver a C++ DLL stealer named LOTUSHARVEST. https://www.seqrite.com/blog/9479-2/" [X Link](https://x.com/virusbtn/status/1995442433551741245) 2025-12-01T10:38Z 60.4K followers, [----] engagements
"Trend Micro Research reports Water Saci shifting from a PowerShell-based propagation routine to a Python variant that boosts development, improves browser support and error handling, and speeds malware delivery via WhatsApp Web. https://www.trendmicro.com/en_us/research/25/l/water-saci.html" [X Link](https://x.com/virusbtn/status/1995812499946348930) 2025-12-02T11:09Z 60.5K followers, [----] engagements
"Infoblox Threat Intelligence uncovers Evilginx-based SSO phishing using subdomains that mimic university portals, targeting at least [--] US institutions since April [----], and finds nearly [--] related domains for future tracking.
https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/" [X Link](https://x.com/virusbtn/status/1995812812409458712) 2025-12-02T11:10Z 60.4K followers, [----] engagements
"ESET Research reports new MuddyWater activity against organisations in Israel and one in Egypt. The Iran-aligned group uses previously undocumented tools, including a custom Fooder loader to run MuddyViper, a new C/C++ backdoor for stealth & persistence. https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/" [X Link](https://x.com/virusbtn/status/1996158083182301258) 2025-12-03T10:02Z 60.4K followers, [----] engagements
"documents a hybrid Salty2FA-Tycoon2FA phishing campaign. Salty2FA activity collapsed in late [----], with new Tycoon2FA samples showing overlapping indicators, including shared IOCs, TTPs and hybrid payloads. https://any.run/cybersecurity-blog/salty2fa-tycoon2fa-hybrid-phishing-2025/ http://ANY.RUN" [X Link](https://x.com/virusbtn/status/1996159044000661969) 2025-12-03T10:06Z 60.4K followers, [----] engagements
"Trend Micro Research details a ValleyRAT campaign targeting job seekers via email, hiding behind a weaponized Foxit PDF Reader and using DLL side-loading for initial access. As a RAT, ValleyRAT enables remote control, monitoring and data theft. https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html" [X Link](https://x.com/virusbtn/status/1996532040083374396) 2025-12-04T10:48Z 60.5K followers, [----] engagements
"SEQRITE APT-Team details a spear-phishing campaign against Russian HR, payroll and internal admin departments using bonus- and policy-themed decoys.
The chain relies on malicious LNK files, a new DUPERUNNER implant and an AdaptixC2 Beacon for C2. https://www.seqrite.com/blog/9512-2/" [X Link](https://x.com/virusbtn/status/1996533178736193689) 2025-12-04T10:52Z 60.4K followers, [----] engagements
"Intel [---] reports new Android banking trojan FvncBot targeting Polish users via a fake mBank security app. It abuses accessibility services for keylogging, employs web injects, screen streaming & HVNC, & has a new codebase not tied to leaked source codes. https://www.intel471.com/blog/new-fvncbot-android-banking-trojan-targets-poland" [X Link](https://x.com/virusbtn/status/1996882810066645122) 2025-12-05T10:02Z 60.5K followers, [----] engagements
"LAC's Cyber Emergency Center describes a PlugX campaign by a China-based attack group targeting Japanese transport firms & their subsidiaries. The report analyses new PlugX variants MetaRAT and Talisman PlugX and expands on findings first shared at VB2025. https://www.lac.co.jp/lacwatch/report/20251208_004569.html" [X Link](https://x.com/virusbtn/status/1997988509911552468) 2025-12-08T11:15Z 60.4K followers, 23.7K engagements
"Sophos X-Ops analyses Shanya, a packer-as-a-service favoured by ransomware groups and starting to replace HeartCrypt in their toolkits. The report traces its underground origins, unpacks its code and examines a targeted infection using the service. https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/" [X Link](https://x.com/virusbtn/status/1997989101245522036) 2025-12-08T11:18Z 60.4K followers, [----] engagements
"Sysdig TRT details EtherRAT, a sophisticated backdoor dropped through recent React2Shell exploitation.
The implant uses Ethereum smart contracts for C2 resolution and multiple Linux persistence mechanisms, going well beyond typical cryptomining payloads. https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks" [X Link](https://x.com/virusbtn/status/1998350726607622345) 2025-12-09T11:15Z 60.4K followers, [----] engagements
"Acronis TRU analyses Makop ransomware's updated toolkit with new components, including local privilege escalation exploits and GuLoader for secondary payloads. 55% of observed cases hit Indian organisations, with further victims in Brazil & Germany. https://www.acronis.com/en/tru/posts/makop-ransomware-guloader-and-privilege-escalation-in-attacks-against-indian-businesses/" [X Link](https://x.com/virusbtn/status/1998352380019032542) 2025-12-09T11:21Z 60.4K followers, [----] engagements
"Sophos X-Ops details how GOLD BLADE has evolved into a hybrid data-theft & ransomware actor. Recent activity mainly hits Canadian organisations, delivering weaponized resumes via recruitment platforms using modified RedLoader chains & a custom locker. https://news.sophos.com/en-us/2025/12/05/sharpening-the-knife-gold-blades-strategic-evolution/" [X Link](https://x.com/virusbtn/status/1998697034849607885) 2025-12-10T10:11Z 60.4K followers, [----] engagements
"Huntress shows how attackers weaponize trusted AI tools. In an alert triaged by Huntress, the victim had searched "clear disk space on macOS", clicked Google results to ChatGPT or Grok, then followed terminal cleanup commands that delivered Amos Stealer.
https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust" [X Link](https://x.com/virusbtn/status/1998698613958906028) 2025-12-10T10:17Z 60.4K followers, [----] engagements
"Unit [--] details 01flip, a new Rust-based ransomware family observed in June [----] targeting a limited set of victims in the Asia-Pacific region. https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/" [X Link](https://x.com/virusbtn/status/1999061048104513976) 2025-12-11T10:17Z 60.4K followers, [----] engagements
"Zimperium zLabs identified DroidLock, a new Android ransomware-like app targeting Spanish users. It uses fake system update screens, VNC-based remote control and device admin privileges to lock or wipe phones, capture photos & steal app lock credentials. https://zimperium.com/blog/total-takeover-droidlock-hijacks-your-device" [X Link](https://x.com/virusbtn/status/1999061981723349394) 2025-12-11T10:21Z 60.4K followers, [----] engagements
"Bitdefender Labs uncovers an Agent Tesla delivery chain disguised as a movie torrent. A CD.lnk shortcut triggers a hidden command chain that runs scripts embedded in a subtitle file. https://www.bitdefender.com/en-us/blog/labs/fake-leonardo-dicaprio-movie-torrent-agent-tesla-powershell" [X Link](https://x.com/virusbtn/status/1999425123485729121) 2025-12-12T10:24Z 60.4K followers, [----] engagements
"NTT's Kazuya Nomura analyses ZnDoor, a malware executed by exploiting React2Shell (CVE-2025-55182) in attacks against companies in Japan.
https://jp.security.ntt/insights_resources/tech_blog/react2shell_malware_zndoor/" [X Link](https://x.com/virusbtn/status/2000525367581294739) 2025-12-15T11:16Z 60.5K followers, [----] engagements
"Members of the Palo Alto Networks Unit [--] team explore the upgrade of RansomHouse encryption. RansomHouse is a ransomware-as-a-service operation run by a group tracked by Unit [--] as Jolly Scorpius. https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/" [X Link](https://x.com/virusbtn/status/2001597015021453509) 2025-12-18T10:14Z 60.5K followers, [----] engagements
"ThreatLab & Reporters Without Borders (RSF) Digital Security Lab uncover a malware attack by the Belarusian secret service (KGB) targeting a Belarus-based journalist with an Android spyware named ResidentBat. https://resident.ngo/lab/writeups/residentbat-android-kgb-spyware-in-belarus-2025/ http://RESIDENT.NGO" [X Link](https://x.com/virusbtn/status/2001958788451160217) 2025-12-19T10:12Z 60.5K followers, [----] engagements
"Genians reports an APT37 campaign where fake casting/interview outreach delivers a trojanised HWP document. The chain relies on embedded OLE content and user clicks to start execution, then uses DLL side-loading to evade detection. https://www.genians.co.kr/en/blog/threat_intelligence/dll" [X Link](https://x.com/virusbtn/status/2008136926919041515) 2026-01-05T11:22Z 60.5K followers, [----] engagements
"Jamf Threat Labs observed a revamped MacSync Stealer variant delivered as a code-signed and notarized app. Unlike earlier drag-to-Terminal/ClickFix chains, it uses a more deceptive hands-off approach.
https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/" [X Link](https://x.com/virusbtn/status/2008501294630355119) 2026-01-06T11:29Z 60.5K followers, [----] engagements
"Recorded Future's Insikt Group tracks GRU-linked BlueDelta credential theft mimicking OWA, Google and Sophos VPN portals. Targets include a Turkish energy & nuclear research agency, a European think tank and organizations in North Macedonia & Uzbekistan. https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting" [X Link](https://x.com/virusbtn/status/2009189659419816027) 2026-01-08T09:05Z 60.6K followers, [----] engagements
"Huntress details ESXi exploitation in the wild where initial access likely came via a compromised SonicWall VPN. The exploit toolkit targets [---] VMware ESXi builds spanning versions [---] to [---]. https://www.huntress.com/blog/esxi-vm-escape-exploit" [X Link](https://x.com/virusbtn/status/2009190150832820301) 2026-01-08T09:07Z 60.5K followers, [----] engagements
"CloudSEK TRIAD reports a MuddyWater spear-phishing campaign targeting Middle Eastern diplomatic, maritime, financial and telecom sectors. The chain uses icon spoofing and malicious Word documents to deliver RustyWater. https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant" [X Link](https://x.com/virusbtn/status/2009575655265255560) 2026-01-09T10:39Z 60.5K followers, [----] engagements
"DTI researchers analysed leaked data from Chinese company KnownSec. This leak exposes a state-aligned cyber contractor that operates far beyond the role of a typical cybersecurity vendor.
https://dti.domaintools.com/the-knownsec-leak-yet-another-leak-of-chinas-contractor-driven-cyber-espionage-ecosystem/" [X Link](https://x.com/virusbtn/status/2010657686384422954) 2026-01-12T10:18Z 60.5K followers, [----] engagements

"Silent Push uncovered an extensive network of domains associated with the long-term, ongoing web-skimmer campaign Magecart. Payment networks currently being targeted include American Express, Diners Club, Discover and Mastercard. https://www.silentpush.com/blog/magecart/" [X Link](https://x.com/virusbtn/status/2011415269781205086) 2026-01-14T12:29Z 60.6K followers, [----] engagements

"AhnLab's ASEC team discovered cases of attacks using RMM tools such as Syncro, SuperOps, NinjaOne & ScreenConnect. Threat actors distributed a PDF that prompted users to download & run the RMM tool from a disguised distribution page such as Google Drive. https://asec.ahnlab.com/en/91995/" [X Link](https://x.com/virusbtn/status/2011416720314146957) 2026-01-14T12:34Z 60.5K followers, [----] engagements

"Genians researchers analyse Operation Poseidon from the Konni APT. The threat actor bypasses security filtering and user boundaries through spear-phishing campaigns disguised as advertising URLs that lead to EndRAT malware. https://www.genians.co.kr/blog/threat_intelligence/spear-phishing" [X Link](https://x.com/virusbtn/status/2013187692754829498) 2026-01-19T09:52Z 60.6K followers, [----] engagements

"The Seqrite Labs APT Team looks into Operation Nomad Leopard, a spear-phishing campaign targeting Afghan government employees.
https://www.seqrite.com/blog/operation-nomad-leopard-targeted-spear-phishing-campaign-against-government-entities-in-afghanistan/" [X Link](https://x.com/virusbtn/status/2013574191212044703) 2026-01-20T11:27Z 60.6K followers, [----] engagements

"Seqrite Labs has identified and uncovered a globally active spear-phishing campaign targeting Argentina's judicial sector. The campaign leverages a multi-stage infection chain to deploy a stealthy remote access trojan. https://www.seqrite.com/blog/operation-covert-access-weaponized-lnk-based-spear-phishing-targeting-argentinas-judicial-sector-to-deploy-a-covert-rat/" [X Link](https://x.com/virusbtn/status/2013575420801609834) 2026-01-20T11:32Z 60.6K followers, [----] engagements

"Varonis tracks a new browser-based MaaS threat named Stanley. The service packages phishing-style site spoofing as a Chrome extension and is marketed on Russian forums for $2k-$6k. https://www.varonis.com/blog/stanley-malware-kit" [X Link](https://x.com/virusbtn/status/2015724665377812775) 2026-01-26T09:53Z 60.6K followers, [----] engagements

"Hybrid Analysis reports an organised traffer gang targeting crypto holders and Web3 employees. The operation delivers malware via fake Electron apps disguised as legitimate tools.
https://hybrid-analysis.blogspot.com/2026/01/organized-traffer-gang-on-rise.html" [X Link](https://x.com/virusbtn/status/2015724935717515566) 2026-01-26T09:54Z 60.6K followers, [----] engagements

"Sekoia.io TDR assesses a broader operation behind a phishing campaign where infostealers on hotel machines stole credentials for platforms like Booking.com & Expedia, which were sold or used to email customers for banking fraud. https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/" [X Link](https://x.com/virusbtn/status/1986739085830938918) 2025-11-07T10:14Z 60.6K followers, [----] engagements

"Sekoia TDR unwraps QuasarRAT, a popular .NET remote access trojan, and demonstrates how to locate and decrypt its embedded configuration. The article walks through a systematic workflow that works on both clean and obfuscated samples. https://blog.sekoia.io/advent-of-configuration-extraction-part-2-unwrapping-quasarrats-configuration/" [X Link](https://x.com/virusbtn/status/1998350226856223095) 2025-12-09T11:13Z 60.6K followers, [----] engagements

"Zscaler ThreatLabz identified a new phishing kit named BlackForce, used to impersonate more than [--] brands and capable of stealing credentials and performing man-in-the-browser attacks to steal one-time tokens and bypass multi-factor authentication.
https://www.zscaler.com/blogs/security-research/technical-analysis-blackforce-phishing-kit" [X Link](https://x.com/virusbtn/status/2000524659234570651) 2025-12-15T11:13Z 60.6K followers, [----] engagements

"Members of Sekoia's TDR team reveal details of SNOWLIGHT, a lightweight ELF downloader designed to retrieve and execute a remote payload on Linux systems. https://blog.sekoia.io/advent-of-configuration-extraction-part-3-mapping-got-plt-and-disassembling-the-snowlight-loader/" [X Link](https://x.com/virusbtn/status/2000875546243387574) 2025-12-16T10:27Z 60.6K followers, [----] engagements

"Zscaler's Gaetano Pellegrin discovered a new spear-phishing campaign attributed to BlindEagle targeting a government agency in Colombia, using a phishing email sent from what appears to be a compromised account within the same organization. https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat" [X Link](https://x.com/virusbtn/status/2001595315007246632) 2025-12-18T10:08Z 60.6K followers, [----] engagements

"Forcepoint X-Labs details a holiday DocuSign lure where users are asked to review a completed Christmas wine order.
A Docusign-branded button redirects via disposable hosts (Fastly/Glitch/Surge.sh) to a credential-harvesting page targeting corporate logins. https://www.forcepoint.com/blog/x-labs/docusign-phishing-holiday-loan-spam" [X Link](https://x.com/virusbtn/status/2008138260569354405) 2026-01-05T11:27Z 60.6K followers, [----] engagements

"Check Point researchers analyse VoidLink, an advanced malware framework made up of custom loaders, implants, rootkits and modular plugins designed to maintain long-term access to Linux systems. https://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/" [X Link](https://x.com/virusbtn/status/2011414782092718417) 2026-01-14T12:27Z 60.6K followers, [----] engagements

"Infoblox researchers managed to snoop on the communications of an affiliate advertising push notification system whose DNS records were left misconfigured, allowing the researchers to receive a copy of every ad they sent victims and recorded metrics. https://www.infoblox.com/blog/threat-intelligence/inside-a-malicious-push-network-what-57m-logs-taught-us/" [X Link](https://x.com/virusbtn/status/2013922730203136228) 2026-01-21T10:32Z 60.6K followers, [----] engagements

"Check Point Research believes a new era of AI-generated malware has begun: VoidLink is the first evidently documented case of this era, an advanced malware framework authored almost entirely by AI, likely under the direction of a single individual.
https://research.checkpoint.com/2026/voidlink-early-ai-generated-malware-framework/" [X Link](https://x.com/virusbtn/status/2013923217329553624) 2026-01-21T10:34Z 60.6K followers, [----] engagements

"eSentire Threat Response Unit identified an ongoing campaign deploying a sophisticated multistage backdoor for the likely purpose of long-term espionage. The campaign targets residents of India with phishing emails that impersonate India's Income Tax dept. https://www.esentire.com/blog/weaponized-in-china-deployed-in-india-the-syncfuture-espionage-targeted-campaign" [X Link](https://x.com/virusbtn/status/2014641300767756376) 2026-01-23T10:08Z 60.6K followers, [----] engagements

"Check Point Research is tracking a phishing campaign linked to a North Korea-aligned threat actor known as KONNI. The attackers deploy an AI-generated PowerShell backdoor, highlighting the growing use of AI by threat actors. https://research.checkpoint.com/2026/konni-targets-developers-with-ai-malware/" [X Link](https://x.com/virusbtn/status/2014641626015015197) 2026-01-23T10:09Z 60.6K followers, [----] engagements

"Recorded Future's Insikt Group looks into recent PurpleBravo activity. PurpleBravo is a North Korean state-sponsored threat group that overlaps with the Contagious Interview campaign. https://www.recordedfuture.com/research/purplebravos-targeting-it-software-supply-chain" [X Link](https://x.com/virusbtn/status/2014642104022999498) 2026-01-23T10:11Z 60.6K followers, [----] engagements

"FortiGuard researcher Xiaopeng Zhang analyses a recent phishing campaign in the wild delivering a new variant of XWorm.
https://www.fortinet.com/blog/threat-research/deep-dive-into-new-xworm-campaign-utilizing-multiple-themed-phishing-emails" [X Link](https://x.com/virusbtn/status/2021902155112915413) 2026-02-12T11:00Z 60.7K followers, [----] engagements

"FortiGuard Labs observed malware named ShadowV2 spreading via IoT vulnerabilities at the end of October during a global disruption of AWS connections. This activity was likely a test run conducted in preparation for future attacks. https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices" [X Link](https://x.com/virusbtn/status/1994016386499088466) 2025-11-27T12:12Z 60.7K followers, [----] engagements

"FortiGuard Labs analyses eBPF-based malware where Symbiote and BPFDoor abuse Linux kernel BPF filters. New [----] variants improve stealth by port-hopping to high UDP ports and supporting IPv6, making these rootkits rare but powerful and hard to detect. https://www.fortinet.com/blog/threat-research/new-ebpf-filters-for-symbiote-and-bpfdoor-malware" [X Link](https://x.com/virusbtn/status/1996158638247792982) 2025-12-03T10:04Z 60.7K followers, [----] engagements

"Splunk Threat Research Team analyses CastleRAT, a RAT first seen in March [----] with Python and compiled C builds. It uses RC4 with a hard-coded key for C2, gathers host details & can download further payloads and open a remote shell for attacker commands.
https://www.splunk.com/en_us/blog/security/castlerat-malware-detection-splunk-mitre-attck.html" [X Link](https://x.com/virusbtn/status/1996879828427919738) 2025-12-05T09:50Z 60.7K followers, [----] engagements

"FortiGuard Labs observed UDPGangster, a UDP-based backdoor linked to MuddyWater. Recent campaigns use macro-enabled Word lures to target organisations in Turkey, Israel & Azerbaijan, with UDP used for command execution, file exfiltration & payload delivery. https://www.fortinet.com/blog/threat-research/udpgangster-campaigns-target-multiple-countries" [X Link](https://x.com/virusbtn/status/1996880874684797402) 2025-12-05T09:54Z 60.7K followers, [----] engagements

"🚨 Important Date Change for VB2026: VB2026 will now take place [----] October [----] at the already announced venue. We appreciate your understanding and look forward to welcoming you in October for another memorable VB Conference." [X Link](https://x.com/anyuser/status/2000526872526946304) 2025-12-15T11:22Z 60.7K followers, [----] engagements

"DataDome's Jerome Segura warns that AI agents are adopting the tactics of adversarial actors and starting to ignore rules laid out in robots.txt in order to get the data they need. https://datadome.co/threat-research/ai-agent-spoofing/" [X Link](https://x.com/virusbtn/status/2000877206076318188) 2025-12-16T10:34Z 60.7K followers, [----] engagements

"Fortinet researchers found a phishing campaign delivering a new variant of Remcos, a commercial lightweight RAT with a wide range of capabilities including system resource management, remote surveillance, network management & Remcos agent management.
https://www.fortinet.com/blog/threat-research/new-remcos-campaign-distributed-through-fake-shipping-document" [X Link](https://x.com/virusbtn/status/2013575091355898132) 2026-01-20T11:31Z 60.7K followers, [----] engagements

"Fortinet researchers identified a multi-stage malware campaign that escalates into a full-system compromise that includes security-control bypass, surveillance, system restriction, deployment of Amnesia RAT and ransomware delivery. https://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign" [X Link](https://x.com/virusbtn/status/2014336244302389476) 2026-01-22T13:55Z 60.7K followers, [----] engagements

"Google's Threat Intelligence Group warns WinRAR CVE-2025-8088 is being exploited for initial access & payload delivery by both state-backed & financially motivated actors. The exploitation method allows files to be dropped into the Windows Startup folder. https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability" [X Link](https://x.com/virusbtn/status/2016449961009815809) 2026-01-28T09:55Z 60.7K followers, [----] engagements

"FortiGuard Labs analyses EncystPHP, a weaponized web shell delivering remote command execution, persistence and further web shell deployment. It spreads by exploiting FreePBX vulnerability CVE-2025-64328 and is linked to the INJ3CTOR3 actor.
https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp" [X Link](https://x.com/virusbtn/status/2016822340508622967) 2026-01-29T10:34Z 60.7K followers, [----] engagements

"FortiGuard Labs tracks Interlock's shifting toolkit across recent intrusions. A key addition is a process-killing tool that leverages a zero-day vulnerability in a gaming anti-cheat driver to try to disable EDR and AV. https://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks" [X Link](https://x.com/virusbtn/status/2017172011768811556) 2026-01-30T09:44Z 60.7K followers, [----] engagements

"SophosLabs investigates WantToCry remote ransomware cases in which attackers operated from virtual machines with auto-generated NetBIOS names derived from Windows templates provisioned by ISPsystem. https://www.sophos.com/en-us/blog/malicious-use-of-virtual-machine-infrastructure" [X Link](https://x.com/virusbtn/status/2019367471447437379) 2026-02-05T11:08Z 60.7K followers, [----] engagements

"Kaseya researchers show how bad actors use DKIM replay attacks that involve abuse of legitimate invoices and dispute notifications from well-known vendors such as PayPal, Apple, DocuSign and HelloSign. https://www.kaseya.com/blog/dkim-replay-attacks-apple-paypal-invoice-abuse/" [X Link](https://x.com/virusbtn/status/2020803960454418727) 2026-02-09T10:16Z 60.7K followers, [----] engagements

"Palo Alto Networks researchers unveil a new state-aligned espionage group tracked as TGR-STA-1030.
The group primarily targets government ministries & departments and critical infrastructure organizations, with attacks across [--] countries in the last year. https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/" [X Link](https://x.com/virusbtn/status/2021522782958559658) 2026-02-11T09:52Z 60.7K followers, [----] engagements

"Orange researchers report on how hacktivism has evolved over three years of research: hacktivism has become more frequent, more coordinated and increasingly entangled with real-world geopolitical events. https://www.orangecyberdefense.com/global/blog/research/hacktivism-today-what-three-years-of-research-reveal-about-its-transformation#c164458" [X Link](https://x.com/virusbtn/status/2021526512357482835) 2026-02-11T10:07Z 60.7K followers, [----] engagements

"Cisco Talos uncovers DKnife, a gateway-monitoring and adversary-in-the-middle framework that manipulates network traffic & can hijack binary downloads or Android app updates to deliver malware. Used since at least [----], its C2 was still active in Jan [----]. https://blog.talosintelligence.com/knife-cutting-the-edge/" [X Link](https://x.com/virusbtn/status/2019717427697979737) 2026-02-06T10:18Z 60.7K followers, [----] engagements

"The DFIR Report has published data from an open directory associated with a ransomware affiliate likely linked to the Fog ransomware group. The open directory contained tools and scripts for reconnaissance, exploitation, lateral movement and persistence.
https://thedfirreport.com/2025/04/28/navigating-through-the-fog/" [X Link](https://x.com/anyuser/status/1917503033824489969) 2025-04-30T08:55Z 60.7K followers, [----] engagements

"Zscaler's Mark Joseph Marti shows how the browser-in-the-browser (BitB) technique is used in a Facebook phishing scam. BitB tricks users by simulating a legitimate 3rd-party login popup window within the browser tab, masking a credential-harvesting page. https://www.trellix.com/blogs/research/the-unfriending-truth-how-to-spot-a-facebook-phishing-scam/" [X Link](https://x.com/virusbtn/status/2011026686922391718) 2026-01-13T10:44Z 60.7K followers, [----] engagements

"Zscaler ThreatLabz tracks [--] campaigns (Gopher Strike & Sheet Attack) tied to a Pakistan-based actor targeting Indian government entities & profiles tooling including the GOGITTER downloader, GITSHELLPAD C2 backdoor & GOSHELL loader deploying Cobalt Strike. https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-gogitter-gitshellpad-and-goshell" [X Link](https://x.com/virusbtn/status/2016089827767128378) 2026-01-27T10:04Z 60.7K followers, [----] engagements

"The second part of Zscaler ThreatLabz's Gopher Strike/Sheet Attack research profiles three additional backdoors in Sheet Attack: SHEETCREEP using Google Sheets for C2, FIREPOWER abusing Firebase and MAILCREEP leveraging Microsoft Graph.
https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-sheetcreep-firepower-and" [X Link](https://x.com/virusbtn/status/2016447866860957890) 2026-01-28T09:46Z 60.7K followers, [----] engagements

"Zscaler ThreatLabz reports on Operation Neusploit, a January [----] campaign targeting Central & Eastern Europe. Weaponised Microsoft RTF files exploit CVE-2026-21509 to deliver multi-stage backdoors. The campaign is attributed to APT28 with high confidence. https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit" [X Link](https://x.com/virusbtn/status/2018679832263958876) 2026-02-03T13:35Z 60.7K followers, [----] engagements

"LevelBlue SpiderLabs analyses DragonForce's evolving playbook, combining advanced RaaS features with a franchise-style affiliate model. The tooling supports full, header and partial encryption across multiple platforms. https://www.levelblue.com/blogs/spiderlabs-blog/the-godfather-of-ransomware-inside-dragonforces-cartel-ambitions" [X Link](https://x.com/virusbtn/status/2018985880736964800) 2026-02-04T09:51Z 60.7K followers, [----] engagements

"RedAsgard shows how a Lazarus-linked fake job interview operation tricked developers into opening a repo & running npm install or loading it in VS Code, leading to credential theft.
Researchers found 241k stolen credentials from [---] victims in [--] countries. https://redasgard.com/blog/hunting-lazarus-part4-real-blood-on-the-wire" [X Link](https://x.com/virusbtn/status/2018989233008976091) 2026-02-04T10:05Z 60.7K followers, [----] engagements

"Acronis TRU tracks Transparent Tribe (APT36) expanding beyond its usual government and defence focus to India's startup ecosystem. The campaign uses startup-themed decoys and ISO files with malicious LNK shortcuts to deliver Crimson RAT. https://www.acronis.com/en/tru/posts/new-year-new-sector-transparent-tribe-targets-indias-startup-ecosystem/" [X Link](https://x.com/virusbtn/status/2019367000867471854) 2026-02-05T11:06Z 60.7K followers, [----] engagements

"Huntress researchers Anna Pham, John Hammond & Jamie Levy observed threat actors exploiting a SolarWinds Web Help Desk vulnerability and warn organizations to apply the update from SolarWinds' website as soon as possible. https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399" [X Link](https://x.com/virusbtn/status/2021152760729686154) 2026-02-10T09:22Z 60.7K followers, [----] engagements

"Mandiant researchers investigate a UNC1069-attributed intrusion that used a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector & reported usage of AI-generated video to deceive the victim.
https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering" [X Link](https://x.com/virusbtn/status/2021154174239441033) 2026-02-10T09:28Z 60.7K followers, [----] engagements

"The ReversingLabs research team has identified a new branch of a fake recruiter campaign conducted by the North Korean hacking team Lazarus Group, targeting both JavaScript and Python developers. https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs" [X Link](https://x.com/virusbtn/status/2021903070591168790) 2026-02-12T11:03Z 60.7K followers, [----] engagements

"BfV & BSI warn that a likely state-controlled threat actor is conducting phishing attacks via messaging services such as Signal. The targets are high-ranking individuals in politics, military & diplomacy and investigative journalists in Germany & Europe. https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2026/202602_BfV_BSI_Sicherheitshinweis.html" [X Link](https://x.com/virusbtn/status/2020800635986149867) 2026-02-09T10:03Z 60.7K followers, [----] engagements

"eSentire's Threat Response Unit shares technical artifacts uncovered in their investigation of a malicious command attempting to deploy Prometei on a Windows Server belonging to a customer.
https://www.esentire.com/blog/tenant-from-hell-prometeis-unauthorized-stay-in-your-windows-server" [X Link](https://x.com/virusbtn/status/2020802570428559617) 2026-02-09T10:10Z 60.7K followers, [----] engagements

"Zscaler ThreatLabz explores the anti-analysis techniques employed by GuLoader, including use of polymorphic code to dynamically construct constant and string values, as well as complex exception-based control flow obfuscation. https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques" [X Link](https://x.com/virusbtn/status/2021150485311324544) 2026-02-10T09:13Z 60.7K followers, [----] engagements

"Microsoft XDR team has observed increasing numbers of macOS infostealer campaigns using social engineering techniques, including ClickFix-style prompts & malicious DMG installers, to deploy macOS-specific infostealers such as DigitStealer, MacSync & AMOS. https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/" [X Link](https://x.com/virusbtn/status/2021521363219951699) 2026-02-11T09:47Z 60.7K followers, [----] engagements

"Forcepoint researchers look into a high-volume Phorpiex campaign delivered through malspam emails weaponized with Windows Shortcut .lnk files.
https://www.forcepoint.com/blog/x-labs/phorpiex-global-group-ransomware-lnk-phishing" [X Link](https://x.com/virusbtn/status/2021902568323265019) 2026-02-12T11:01Z 60.7K followers, [----] engagements

"Huntress researchers Anna Pham, Michael Tigges, Dray Agha & Anton Ovrutsky explain how the employee monitoring tool Net Monitor for Employees was abused together with the RMM platform SimpleHelp in an attempted deployment of Crazy ransomware. https://www.huntress.com/blog/employee-monitoring-simplehelp-abused-in-ransomware-operations" [X Link](https://x.com/virusbtn/status/2021904538471686541) 2026-02-12T11:09Z 60.7K followers, [----] engagements

"Censys Threat Intelligence team analyses Odyssey Stealer, a macOS information stealer designed to steal cryptocurrencies from a wide range of software. https://censys.com/blog/odyssey-stealer-macos-crypto-stealing-operation" [X Link](https://x.com/virusbtn/status/2022237205432062281) 2026-02-13T09:11Z 60.7K followers, [----] engagements

"Cato CTRL has identified a new malware loader tracked as Foxveil, which establishes an initial foothold, frustrates analysis and retrieves next-stage payloads from threat actor-controlled staging hosted on Cloudflare Pages, Netlify & Discord attachments. https://www.catonetworks.com/blog/cato-ctrl-foxveil-new-malware/" [X Link](https://x.com/virusbtn/status/2022238883413733806) 2026-02-13T09:18Z 60.7K followers, [----] engagements

"After almost ten years and more than [-----] tweets I am handing over this account to the rest of the great VB team.
Thank you all for following, all the best for [----] and beyond, and keep doing great things. @martijn_grooten https://www.youtube.com/watch?v=NXtDonotCvU" [X Link](https://x.com/anyuser/status/1212006497288368131) 2019-12-31T13:44Z 60.7K followers, [---] engagements

"Sophos researchers (and regular VB conference speakers) @GaborSzappanos and @threatresearch analysed the toolset used by the Netwalker ransomware actors and found they mostly rely on publicly available tools. https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/" [X Link](https://x.com/anyuser/status/1265973604992385029) 2020-05-28T11:50Z 60.7K followers, [---] engagements

"Palo Alto's @malware_traffic has written a detailed post on the evolution of the Valak infostealer and malware downloader. https://unit42.paloaltonetworks.com/valak-evolution/" [X Link](https://x.com/anyuser/status/1287710079211450368) 2020-07-27T11:23Z 60.7K followers, [---] engagements

"DomainTools researcher @jfslowik shares some thoughts on the possible link between the SUNBURST malware used in the SolarWinds supply chain attack and the Turla APT group. https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution" [X Link](https://x.com/anyuser/status/1350035506835419137) 2021-01-15T11:02Z 60.7K followers, [---] engagements

"Palo Alto's @malware_traffic created a tutorial for using Wireshark to analyse Emotet network traffic. https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/" [X Link](https://x.com/anyuser/status/1351963464034643970) 2021-01-20T18:43Z 60.7K followers, [---] engagements
"Sophos lists details of attacker behaviour and impact as well as the tactics, techniques and procedures (TTPs) seen in the wild in 2020/2021. https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/" [X Link](https://x.com/anyuser/status/1394947192448823296) 2021-05-19T09:25Z 60.7K followers, [---] engagements

"Sophos analysts have uncovered a new ransomware that calls itself Epsilon Red. The ransomware is written in Go and is preceded by a set of unique PowerShell scripts that prepare the ground for the file-encryption routine. https://news.sophos.com/en-us/2021/05/28/epsilonred/" [X Link](https://x.com/anyuser/status/1399352221024854018) 2021-05-31T13:09Z 60.7K followers, [---] engagements

"A list of [--] CyberChef recipes and curated links for malware analysis has been shared by @mattnotmax. https://github.com/mattnotmax/cyberchef-recipes" [X Link](https://x.com/anyuser/status/1401882391564718080) 2021-06-07T12:43Z 60.7K followers, [---] engagements

"DomainTools' @piffey has created an infographic that provides an overview of the most prolific ransomware families and the current loaders they use. https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide" [X Link](https://x.com/anyuser/status/1410936813447962625) 2021-07-02T12:22Z 60.7K followers, [---] engagements

"The Avast Threat Intelligence team has published a blog on understanding how threat actors use Cobalt Strike payloads and how you can analyse them.
https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/ https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/" [X Link](https://x.com/anyuser/status/1413208270580371457) 2021-07-08T18:48Z 60.7K followers, [---] engagements "McAfee researchers have discovered a new technique that downloads and executes malicious DLLs (Zloader) without any malicious code present in the initial spammed attachment macro. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/" [X Link](https://x.com/anyuser/status/1413507493016203265) 2021-07-09T14:37Z 60.7K followers, [---] engagements "AT&T Alien Labs has recently discovered a cluster of Linux ELF executables with low rates of detection in VirusTotal. The files were identified as modifications of the open-source PRISM backdoor used by multiple threat actors in various campaigns. https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar" [X Link](https://x.com/anyuser/status/1430196458314158082) 2021-08-24T15:53Z 60.7K followers, [---] engagements "Security researcher @BushidoToken writes about three top-tier cybercrime syndicates which are tracked by the private cybersecurity industry as EvilCorp WizardSpider and FIN7. https://blog.bushidotoken.net/2021/09/how-do-you-run-cybercrime-gang.html https://blog.bushidotoken.net/2021/09/how-do-you-run-cybercrime-gang.html" [X Link](https://x.com/anyuser/status/1434843581609545730) 2021-09-06T11:39Z 60.7K followers, [---] engagements "ESET researchers analyse a previously undocumented real-world UEFI bootkit that persists on the EFI System Partition. ESPecter bootkit can bypass Windows Driver Signature Enforcement to load its own unsigned driver to facilitate its espionage activities. 
https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/ https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/" [X Link](https://x.com/anyuser/status/1445719495281192962) 2021-10-06T11:56Z 60.7K followers, [---] engagements "Security Researcher @BushidoToken writes about ransomware decryption intelligence. https://blog.bushidotoken.net/2021/10/ransomware-decryption-intelligence.html https://blog.bushidotoken.net/2021/10/ransomware-decryption-intelligence.html" [X Link](https://x.com/anyuser/status/1451208414017855490) 2021-10-21T15:27Z 60.7K followers, [---] engagements "Unit [--] researchers look at the most commonly used TLDs in malicious domains. https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/ https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/" [X Link](https://x.com/anyuser/status/1459175407366901768) 2021-11-12T15:05Z 60.7K followers, [---] engagements "The DFIR Report observed an intrusion in which an adversary exploited multiple Exchange vulnerabilities (ProxyShell) that led to the BitLocker ransomware. The threat actors conducted the intrusion with almost no malware. https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/ https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" [X Link](https://x.com/anyuser/status/1460183801817092096) 2021-11-15T09:52Z 60.7K followers, [---] engagements "K7 researchers analyse Cobalt Strike and its loader module. https://labs.k7computing.com/index.php/dissecting-cobalt-strike-loader/ https://labs.k7computing.com/index.php/dissecting-cobalt-strike-loader/" [X Link](https://x.com/anyuser/status/1463105808279945224) 2021-11-23T11:23Z 60.7K followers, [---] engagements "Sophos researchers discovered that attackers had booted their target computers into Safe Mode to execute the Avos Locker ransomware. 
The reason Many if not most endpoint security products do not run in Safe Mode. https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/ https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/" [X Link](https://x.com/anyuser/status/1478350507068608514) 2022-01-04T13:00Z 60.7K followers, [---] engagements "Sophos has updated the story of the CVE-2021-40444 exploit which triggers a Word document to deliver an infection without using macros. The attack was only successful on unpatched Windows systems. https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/ https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/" [X Link](https://x.com/anyuser/status/1479114291693293578) 2022-01-06T15:35Z 60.7K followers, [---] engagements "Mandiant has published guidance for organizations on how to protect against a destructive attack. The recommendations include common techniques used by threat actors for initial access reconnaissance privilege escalation & mission objectives. https://www.mandiant.com/resources/protect-against-destructive-attacks https://www.mandiant.com/resources/protect-against-destructive-attacks" [X Link](https://x.com/anyuser/status/1483043429370241050) 2022-01-17T11:48Z 60.7K followers, [---] engagements "Sophos researchers investigated a Midas ransomware attack that leveraged at least two different commercial remote access tools (AnyDesk & TeamViewer) and an open-source Windows utility (Process Hacker) in the process. 
https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/ https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/" [X Link](https://x.com/anyuser/status/1486323290805260291) 2022-01-26T13:01Z 60.7K followers, [---] engagements "Microsoft introduces a new threat intelligence brief that will be released quarterly looking at the current threat landscape trending tactics techniques and strategies used by the worlds most prolific threat actors. https://www.microsoft.com/security/blog/2022/02/03/cyber-signals-defending-against-cyber-threats-with-the-latest-research-insights-and-trends/ https://www.microsoft.com/security/blog/2022/02/03/cyber-signals-defending-against-cyber-threats-with-the-latest-research-insights-and-trends/" [X Link](https://x.com/anyuser/status/1489603407447044101) 2022-02-04T14:15Z 60.7K followers, [---] engagements Limited data mode. Full metrics available with subscription: lunarcrush.com/pricing
"Trend Micro's Buddy Tancio Maria Emreen Viray & Mohamed Fahmy detail an investigation that successfully uncovered the intrusion sets employed by espionage group Earth Kapre (aka RedCurl and Red Wolf) in a recent incident. https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html"
X Link 2024-03-11T11:07Z 60.5K followers, [----] engagements
"Trend Micro's Peter Girnus, Aliakbar Zahravi & Simon Zuckerbraun analyse a DarkGate campaign which exploited CVE-2024-21412 through the use of fake software installers. https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html"
X Link 2024-03-14T15:35Z 60.5K followers, [----] engagements
"Trend Micro researchers describe how Earth Koshchei's remote desktop protocol (RDP) campaign used an attack methodology involving an RDP relay, rogue RDP server & a malicious RDP configuration file, leading to potential data leakage & malware installation https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html"
X Link 2024-12-18T11:21Z 59.7K followers, [----] engagements
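The Earth Koshchei post above hinges on a malicious .rdp file: the connection-file format lets the profile ask the client to redirect drives, clipboard, printers and smart cards into the session, and can run the session as a RemoteApp so the user never sees a foreign desktop, which is what turns a rogue server into a data-leakage and implant-delivery point. The checker below is an added example and is not code from Trend Micro's research; it parses the documented `name:type:value` layout of .rdp files and flags those settings. The sample file, the `trusted_hosts` allowlist and the unsigned-file heuristic are constructed for illustration.

```python
"""Flag .rdp connection-file settings that hand a rogue RDP server access
to the client. Added example; the sample file and allowlist are constructed."""

# Constructed sample of what a phishing-delivered .rdp file could contain.
# Keys are the documented RDP file settings; the values are made up.
SAMPLE_RDP = """\
full address:s:rdp.update-portal.example:3389
screen mode id:i:2
authentication level:i:0
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Portal
alternate shell:s:rdpinit.exe
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
"""


def parse_rdp(text):
    """Parse 'name:type:value' lines (type s, i or b) into {name: (type, value)}.
    Names may contain spaces ('full address'), so split on the first two colons only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue  # malformed line; the client ignores these as well
        name, typ, value = parts
        settings[name.strip().lower()] = (typ, value)
    return settings


def audit_rdp(text, trusted_hosts=()):
    """Return findings for settings that expose the client to the server side.
    trusted_hosts is a hypothetical allowlist of the organisation's own RDP endpoints."""
    settings = parse_rdp(text)

    def value(name, default=""):
        return settings.get(name, ("", default))[1]

    findings = []
    host = value("full address").split(":")[0].lower()
    if host and host not in {h.lower() for h in trusted_hosts}:
        findings.append(f"full address={host}: not a known RDP server")
    if value("authentication level", "2") == "0":
        findings.append("authentication level=0: connects even if the server certificate fails validation")
    if value("drivestoredirect"):
        findings.append(f"drivestoredirect={value('drivestoredirect')}: local drives readable and writable from the server")
    if value("devicestoredirect"):
        findings.append(f"devicestoredirect={value('devicestoredirect')}: plug-and-play devices redirected")
    for key, what in (("redirectclipboard", "clipboard"),
                      ("redirectprinters", "printers"),
                      ("redirectsmartcards", "smart cards")):
        if value(key, "0") == "1":
            findings.append(f"{key}=1: {what} redirected to the server")
    if value("remoteapplicationmode", "0") == "1":
        findings.append("remoteapplicationmode=1: RemoteApp mode, the user sees a server-chosen window rather than a desktop")
    if value("alternate shell"):
        findings.append(f"alternate shell={value('alternate shell')}: server-controlled program started at logon")
    if "signature" not in settings:
        findings.append("no signature field: file is unsigned, so a policy that trusts only rdpsign-signed files would stop it")
    return findings


if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_RDP, trusted_hosts=("rdgw.corp.example",)):
        print("-", finding)
```

Run it over .rdp files arriving by mail or downloaded through the browser. The complementary controls are signing approved connection files with rdpsign.exe and restricting outbound TCP/3389 to known gateways, since the file only needs the client to connect for the redirection to take effect.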
"Sekoia's Amaury G. Maxime A. Erwan Chevalier & Felix Aim look into the DoubleTap espionage campaign possibly conducted by a Russia-nexus intrusion set UAC-0063 sharing overlaps with APT28. The infection chain includes the malware HATVIBE and CHERRYSPY https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/ https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/"
X Link 2025-01-14T11:19Z 60.5K followers, [----] engagements
"Trend Micro researchers look into a web shell intrusion incident where attackers abused the Internet Information Services (IIS) worker to exfiltrate stolen data. https://www.trendmicro.com/en_us/research/25/a/investigating-a-web-shell-intrusion-with-trend-micro--managed-xd.html"
X Link 2025-01-15T10:19Z 59.8K followers, [----] engagements
"SecurityScorecard researchers look into Operation Phantom Circuit, in which Lazarus Group embedded malware directly into trusted applications, and show how the attacker built infrastructure to manage and exfiltrate stolen data. https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/"
X Link 2025-02-03T10:50Z 59.7K followers, [----] engagements
"Researchers from LAC's Cyber Emergency Center analyse the "RevivalStone" campaign operated by China-based threat group Winnti. The campaign targeted Japanese companies in the manufacturing, materials and energy sectors. https://www.lac.co.jp/lacwatch/report/20250213_004283.html"
X Link 2025-02-13T11:36Z 59.7K followers, [----] engagements
"eSentire researchers summarise a recent investigation into an attack by the RedCurl/EarthKapre APT against an organization within the legal services industry. The group primarily targets private-sector organizations with a focus on corporate espionage. https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt"
X Link 2025-02-17T10:20Z 59.8K followers, [----] engagements
"TRAC Labs analyses SocGholish/FakeUpdates. The infection chain starts with a fake browser update delivered via compromised websites & a malicious JavaScript file, leading to an obfuscated MintsLoader payload that delivers the GhostWeaver PowerShell backdoor https://trac-labs.com/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983"
X Link 2025-02-17T10:23Z 59.7K followers, [----] engagements
"Zscaler ThreatLabz researchers present the second part of a technical analysis of Xloader versions [--] & [--], covering how Xloader obfuscates the command-and-control (C2) and the network communication protocol. https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-2"
X Link 2025-02-17T10:26Z 59.8K followers, [----] engagements
"A new article from The DFIR Report provides details of an intrusion that began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, ultimately leading to the deployment of LockBit ransomware across the environment. https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/"
X Link 2025-02-24T13:21Z 59.8K followers, [----] engagements
"Fortinet's Ran Mizrahi analyses a malspam campaign spreading Ratty RAT in Spain, Italy & Portugal. It uses the serviciodecorreo email service provider, which is configured as an authorized sender for various domains and successfully passes SPF validation. https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware"
X Link 2025-05-09T11:56Z 60.4K followers, [----] engagements
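The Ratty RAT campaign above passed SPF for a simple reason: an SPF `include:` of a shared mail provider makes the provider's entire address range a legitimate source for the envelope domain, so every customer of that provider (including one who signed up for the purpose) sends "authenticated" mail from the same IPs. The evaluator below is an added example, not Fortinet's code; it implements the ip4/ip6/include/all/redirect subset of RFC 7208 over a constructed in-memory TXT table (all names and addresses are placeholders) and adds a simplified DMARC alignment check, which is the piece that separates "this IP may send for the bounce domain" from "this really is the brand in the From: header".

```python
"""Evaluate SPF for a sending IP against an in-memory TXT table, then apply a
simplified DMARC alignment check. Added example; every domain name and address
below is a constructed placeholder."""
import ipaddress

# Constructed TXT records standing in for DNS.
DNS_TXT = {
    # A brand that outsources mail to a shared provider (the common case).
    "brand.example": "v=spf1 include:_spf.shared-esp.example -all",
    # An attacker-registered lookalike that is also a customer of that provider.
    "brand-invoices.example": "v=spf1 include:_spf.shared-esp.example -all",
    # The provider's ranges, shared by every one of its customers.
    "_spf.shared-esp.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
    # A brand that only sends from its own host.
    "strict.example": "v=spf1 ip4:198.51.100.10 -all",
    # A self-referencing record, to exercise the lookup limit.
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def check_host(ip, domain, lookups=0):
    """Subset of RFC 7208 check_host(): ip4, ip6, include, all and redirect.
    a, mx, ptr and exists are charged to the lookup limit but cannot match,
    because the table above holds TXT records only. Returns (result, lookups)."""
    record = DNS_TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", lookups
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:          # modifier, e.g. redirect=, exp=
            key, _, val = term.partition("=")
            if key.lower() == "redirect":
                redirect = val
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual], lookups
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", lookups
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual], lookups
            continue
        # Every remaining mechanism costs a DNS query.
        lookups += 1
        if lookups > MAX_LOOKUPS:
            return "permerror", lookups
        if mech == "include":
            sub, lookups = check_host(ip, arg, lookups)
            if sub == "pass":
                return QUALIFIERS[qual], lookups
            if sub in ("none", "permerror"):
                return "permerror", lookups
            # fail, softfail or neutral inside an include just means "no match"
        elif mech not in ("a", "mx", "ptr", "exists"):
            return "permerror", lookups           # unknown mechanism
    if redirect:
        lookups += 1
        if lookups > MAX_LOOKUPS:
            return "permerror", lookups
        return check_host(ip, redirect, lookups)
    return "neutral", lookups


def aligned(header_from_domain, spf_domain):
    """DMARC relaxed SPF alignment, simplified: without a public-suffix list,
    treat the domains as aligned when one equals or is a subdomain of the other."""
    a, b = header_from_domain.lower(), spf_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def authenticate(ip, mail_from_domain, header_from_domain):
    """What a receiver actually learns: SPF vouches for the envelope (MAIL FROM)
    domain only, so the From: header the user sees counts only when aligned."""
    spf, _ = check_host(ip, mail_from_domain)
    return {"spf": spf, "aligned": spf == "pass" and aligned(header_from_domain, mail_from_domain)}


if __name__ == "__main__":
    esp_ip = "203.0.113.45"  # any host inside the shared provider's range
    # Lookalike domain through the shared provider: SPF pass and aligned.
    print(authenticate(esp_ip, "brand-invoices.example", "brand-invoices.example"))
    # Same IP, but the From: header claims the real brand: SPF pass, not aligned.
    print(authenticate(esp_ip, "brand-invoices.example", "brand.example"))
    # The brand that never uses the provider rejects the same IP outright.
    print(authenticate(esp_ip, "strict.example", "strict.example"))
```

The takeaway for the campaign in the post: a receiver's SPF "pass" is a statement about the provider's IP and the envelope domain, not about who wrote the message. DMARC alignment plus a p=reject policy on the brand's domain is what stops header-From spoofing, and neither stops mail from a lookalike domain the attacker registered and routed through the same provider; that case is left to lookalike monitoring and content inspection.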
"Trend Micro researcher Junestherry Dela Cruz describes a TikTok campaign that uses possibly AI-generated videos to lure victims into executing PowerShell commands that lead to Vidar and StealC information stealers. https://www.trendmicro.com/en_us/research/25/e/tiktok-videos-infostealers.html https://www.trendmicro.com/en_us/research/25/e/tiktok-videos-infostealers.html"
X Link 2025-05-22T10:32Z 60.5K followers, [----] engagements
"Proofpoint Threat Research identified multiple China-aligned threat actors specifically targeting Taiwanese organizations within the semiconductor industry. In all cases the motive was most likely espionage. https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting"
X Link 2025-07-17T11:48Z 60.7K followers, [----] engagements
"Trend Micro researchers examine the past TTPs used by UNC3886 to get a good understanding of the threat group and enhance the overall defensive posture against similar tactics. https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html"
X Link 2025-08-11T09:39Z 60.7K followers, [----] engagements
"Trend Micro researchers uncovered a campaign that uses Charon, a new ransomware family with advanced APT-style techniques, in targeting the Middle East's public sector & aviation industry with customized ransom demands. https://www.trendmicro.com/en_us/research/25/h/new-ransomware-charon.html"
X Link 2025-08-13T08:33Z 60.7K followers, [----] engagements
"Trend Micro researchers detail a Crypto24 ransomware campaign mixing legitimate tools with custom malware in coordinated multi-stage attacks to move laterally, persist, evade defences and steal data across Asia, Europe and the US. https://www.trendmicro.com/en_no/research/25/h/crypto24-ransomware-stealth-attacks.html"
X Link 2025-08-15T09:09Z 60.7K followers, [----] engagements
"HarfangLab's Cyber Threat Research Team reports two malicious-archive clusters targeting Ukraine and Poland since April [----]. The activity shows strong similarities to the cyber-espionage actor UAC-0057 (UNC1151/Ghostwriter). https://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/"
X Link 2025-08-21T09:24Z 60.7K followers, [----] engagements
"Warlock ransomware advertises itself with 'If you want a Lamborghini, please contact me'. Trend Micro analyses how it exploits unpatched SharePoint for access, privilege escalation, credential theft, lateral movement and data exfiltration before encryption https://www.trendmicro.com/en_us/research/25/h/warlock-ransomware.html"
X Link 2025-08-21T09:33Z 60.7K followers, [----] engagements
"Trend Micro's Nick Dai & Pierre Lee look into the TAOTH campaign targeting users across Eastern Asia, which leveraged an abandoned Sogou Zhuyin IME update server & spear-phishing operations to deliver malware families such as TOSHIS, C6DOOR, DESFY & GTELAM https://www.trendmicro.com/en_us/research/25/h/taoth-campaign.html"
X Link 2025-08-29T10:00Z 60.7K followers, [----] engagements
"A recent report from the Sekoia TDR team provides an overview of the commercial surveillance vendors ecosystem between [----] and [----], analysing their spyware offerings, business models, client base, target profiles and infection chains. https://blog.sekoia.io/predators-for-hire-a-global-overview-of-commercial-surveillance-vendors/"
X Link 2025-09-03T10:11Z 60.6K followers, [----] engagements
"Trend Micro researchers Buddy Tancio Aldrin Ceriola Khristoffer Jocson Nusrath Iqra & Faith Higgins analyse a campaign distributing Atomic macOS Stealer (AMOS) in disguised cracked versions of legitimate apps. https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html"
X Link 2025-09-05T13:21Z 60.7K followers, [----] engagements
"FortiGuard Labs details a phishing campaign with advanced evasion. It uses EPL for staged payloads, hides activity, disables security tools, secures C2 with mTLS, supports multiple delivery methods and installs AnyDesk/TightVNC for full control. https://www.fortinet.com/blog/threat-research/mostererat-deployed-anydesk-tightvnc-for-covert-full-access"
X Link 2025-09-09T09:02Z 60.7K followers, [----] engagements
"Trend Micro details the Gentlemen ransomware group, showing advanced tooling to bypass enterprise endpoint protections. TTPs include driver abuse, GPO manipulation, custom anti-AV utilities, privileged account compromise and exfiltration. https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html"
X Link 2025-09-10T10:46Z 60.7K followers, [----] engagements
"Zscaler ThreatLabz identifies a campaign active since early May [----] targeting Chinese-speaking users that delivers ValleyRAT, FatalRAT & the newly named kkRAT. The blog details the attack chain and kkRAT's features, network protocol, commands & plugins. https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat"
X Link 2025-09-11T10:38Z 60.6K followers, [----] engagements
"Sysdig's Threat Research Team identifies ZynorRAT, a new Go-based RAT supporting Linux and Windows. First seen on [--] July [----], it shows little similarity to known families, uses Telegram for C2 and is likely Turkish in origin. https://www.sysdig.com/blog/zynorrat-technical-analysis-reverse-engineering-a-novel-turkish-go-based-rat"
X Link 2025-09-11T10:39Z 60.7K followers, [----] engagements
"Trend Micro details EvilAI, which disguises itself as productivity/AI apps and is signed to appear legitimate. Infections span Europe, the Americas and AMEA, hitting manufacturing, government and healthcare sectors. https://www.trendmicro.com/en_us/research/25/i/evilai.html"
X Link 2025-09-12T10:42Z 60.7K followers, [----] engagements
"IBM X-Force has published new research on China-aligned Mustang Panda. Researchers observed an updated Toneshell and SnakeDisk, a USB worm that triggers only on Thailand-based IPs to deliver Yokai backdoor. https://www.ibm.com/think/x-force/hive0154-drops-updated-toneshell-backdoor"
X Link 2025-09-12T10:43Z 60.5K followers, [----] engagements
"Hunt.io maps a phishing wave that clones the websites of Chevron, ConocoPhillips, PBF Energy and Phillips [--]. Tactics include HTTrack-based site copying, exposed directories and investment-scam templates. https://hunt.io/blog/us-energy-phishing-wave-report"
X Link 2025-09-12T10:47Z 60.5K followers, [----] engagements
"Zscaler's ThreatLabz tracks SmokeLoader's return with new 2025-alpha and [----] builds after the May [----] Operation Endgame takedown. The builds fix performance-impacting bugs and update artifacts to evade static and behaviour-based detection. https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes"
X Link 2025-09-16T15:29Z 60.7K followers, [----] engagements
"The Threat Detection and Response team links two early [----] APT28 samples to the CERT UA BeardShell and Covenant publication on [--] June [----] and reports additional weaponized Office documents and previously undocumented techniques. https://blog.sekoia.io/apt28-operation-phantom-net-voxel/ http://Sekoia.io https://blog.sekoia.io/apt28-operation-phantom-net-voxel/ http://Sekoia.io"
X Link 2025-09-17T08:24Z 60.6K followers, [----] engagements
"Acronis Threat Research Unit reports a sophisticated FileFix in the wild, beyond the original POC, with a multi-lingual phishing site, anti-analysis tricks and JPG steganography that hides a second-stage PowerShell script and encrypted executables. https://www.acronis.com/en/tru/posts/filefix-in-the-wild-new-filefix-campaign-goes-beyond-poc-and-leverages-steganography/"
X Link 2025-09-17T08:28Z 60.7K followers, [----] engagements
"Proofpoint Threat Research reports TA415 ran spear-phishing campaigns in July & August [----] against US government, think tanks and academia, using US-China economic lures and using Google Sheets, Google Calendar and VS Code Remote Tunnels for C2. https://www.proofpoint.com/us/blog/threat-insight/going-underground-china-aligned-ta415-conducts-us-china-economic-relations"
X Link 2025-09-17T08:32Z 60.7K followers, [----] engagements
"Bitdefender Threat Research analyses a cyber attack on a Philippine military company, revealing EggStreme - a new fileless multi-stage framework built for persistent espionage and designed to establish a resilient foothold on compromised systems. https://businessinsights.bitdefender.com/eggstreme-fileless-malware-cyberattack-apac"
X Link 2025-09-18T09:18Z 60.7K followers, [----] engagements
"Zscaler ThreatLabz reports two malicious PyPI packages, sisaws and secmeasure, that deliver SilentSync, a Python-based RAT designed to execute remote commands, exfiltrate files, capture screens and steal browser data from Chrome, Brave, Edge and Firefox. https://www.zscaler.com/blogs/security-research/malicious-pypi-packages-deliver-silentsync-rat"
X Link 2025-09-18T09:25Z 60.7K followers, [----] engagements
"Hunt.io Threat Research uncovers attackers abusing ConnectWise ScreenConnect installers and open directories as staging points to deliver AsyncRAT and a custom PowerShell RAT. https://hunt.io/blog/asyncrat-screenconnect-open-directory-campaigns"
X Link 2025-09-19T08:50Z 60.7K followers, [----] engagements
"The DFIR Report presents an intrusion that began with a Lunar Spider linked JavaScript file disguised as a tax form, leading to multiple pieces of malware being deployed (Latrodectus, Brute Ratel C4, Cobalt Strike, BackConnect and a custom .NET backdoor) https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/"
X Link 2025-10-01T07:51Z 60.4K followers, [----] engagements
"Sekoia's Jeremy Scion and Marc N. present how a cellular router's API was exploited to send malicious SMS messages containing phishing URLs (smishing), primarily targeting Belgian users. https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/"
X Link 2025-10-01T09:07Z 60.5K followers, [----] engagements
"Trend Micro researchers identified an active campaign spreading via WhatsApp through a ZIP file attachment. When executed, the malware establishes persistence and hijacks the compromised WhatsApp account to send copies of itself to the victim's contacts. https://www.trendmicro.com/en_gb/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
X Link 2025-10-03T09:27Z 60.4K followers, [----] engagements
"Threat Research observes APT SideWinder shifting to maritime targets with Pakistan & Sri Lanka as primary targets utilising free hosting platforms for credential portals & lures and staging malware in open directories. https://hunt.io/blog/operation-southnet-sidewinder-south-asia-maritime-phishing http://Hunt.io https://hunt.io/blog/operation-southnet-sidewinder-south-asia-maritime-phishing http://Hunt.io"
X Link 2025-10-06T09:38Z 60.7K followers, [----] engagements
"The Resecurity HUNTER Team warns of a mass exploitation of CVE-2025-61882 in Oracle E-Business Suite enabling remote code execution. Several victims received extortion emails from Cl0p in late September [----]. https://www.resecurity.com/blog/article/cve-2025-61882-mass-exploitation-oracle-e-business-suite-ebs-under-attack-by-cl0p-ransomware"
X Link 2025-10-07T09:42Z 60.7K followers, [----] engagements
"Rapid7 Threat Research reports a new threat group known as the Crimson Collective attacking AWS environments to exfiltrate data and extort victims. The actor has also announced that it is behind an attack on Red Hat. https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/"
X Link 2025-10-08T08:20Z 60.7K followers, [----] engagements
"FortiGuard Labs analyses Chaos ransomware, which resurfaced in [----] with a new C++ variant. The analysis provides a walkthrough of its execution flow, encryption and clipboard hijacking for cryptocurrency, with comparisons to earlier .NET builds. https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous"
X Link 2025-10-09T08:40Z 60.7K followers, [----] engagements
"McAfee's Threat Research team uncovers a new Astaroth campaign leveraging GitHub to host malware configurations. Infection starts with a phishing link that downloads a zipped LNK. When executed, it installs Astaroth. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/astaroth-banking-trojan-abusing-github-for-resilience/"
X Link 2025-10-13T09:04Z 60.7K followers, [----] engagements
"FortiGuard Labs details a Stealit campaign that shifts from Electron installers to the Node.js Single Executable Application feature while still posing as game and VPN installers. https://www.fortinet.com/blog/threat-research/stealit-campaign-abuses-nodejs-single-executable-application"
X Link 2025-10-13T09:13Z 60.7K followers, [----] engagements
"Socket's Threat Research Team reports the Contagious Interview campaign is escalating, involving [---] malicious npm packages. DPRK actors are using 180+ fake personas with new npm aliases & registration emails to deploy HexEval, XORIndex & encrypted loaders. https://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages"
X Link 2025-10-13T09:30Z 60.7K followers, [----] engagements
"Proofpoint Threat Research details TA585, a sophisticated actor that manages its own infrastructure, delivery and malware installation and delivers MonsterV2, which has capabilities of a RAT, stealer and loader. https://www.proofpoint.com/us/blog/threat-insight/when-monster-bytes-tracking-ta585-and-its-arsenal"
X Link 2025-10-14T08:17Z 60.7K followers, [----] engagements
"Seqrite Threat Research reports Spanish-language judicial notification lures targeting Colombian users, using SVG, HTA, VBS and PowerShell stages to download and decode a loader, ending with AsyncRAT injected into a legitimate Windows process. https://www.seqrite.com/blog/judicial-notification-phish-colombia-svg-asyncrat/"
X Link 2025-10-14T08:19Z 60.7K followers, [----] engagements
"Red Canary tracks macOS stealers in [--------] noting that Poseidon Stealer was sold and rebranded as Odyssey Stealer which shares significant code and features with Atomic Stealer (aka AMOS). https://redcanary.com/blog/threat-intelligence/atomic-odyssey-poseidon-stealers/ https://redcanary.com/blog/threat-intelligence/atomic-odyssey-poseidon-stealers/"
X Link 2025-10-14T08:20Z 60.7K followers, [----] engagements
"Cyble Research and Intelligence Labs observes Android campaigns posing as Indian Regional Transport Office apps spreading via WhatsApp & SMS to GitHub-hosted APKs & compromised sites, then using phishing pages to collect banking credentials & UPI PINs. https://cyble.com/blog/ghostbat-rat-inside-the-resurgence-of-rto-themed-android-malware/"
X Link 2025-10-15T08:48Z 60.7K followers, [----] engagements
"In early [----] Sekoia.io Threat Detection & Research reported PolarEdge exploiting CVE-2023-20118 to gain RCE and drop a web shell on routers. A follow-up blog post provides an in-depth technical analysis of the undocumented TLS-based implant. https://blog.sekoia.io/polaredge-backdoor-qnap-cve-2023-20118-analysis/"
X Link 2025-10-15T09:35Z 60.7K followers, [----] engagements
"Trend Micro's Dove Chiu & Lucien Chuang uncovered an attack campaign exploiting the Cisco SNMP vulnerability CVE-2025-20352, allowing remote code execution and rootkit deployment on unprotected devices. https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html"
X Link 2025-10-16T08:43Z 60.5K followers, [----] engagements
"The SEQRITE Labs Research Team recently uncovered a campaign targeting the Russian automobile-commerce industry with a .NET malware dubbed CAPI Backdoor. https://www.seqrite.com/blog/seqrite-capi-backdoor-dotnet-stealer-russian-auto-commerce-oct-2025/"
X Link 2025-10-20T08:51Z 60.7K followers, [----] engagements
"Google Mandiant researchers show how a financially motivated threat actor abuses the blockchain to distribute infostealers. UNC5142 usually uses compromised WordPress websites & EtherHiding, a technique to obscure malicious code/data on a public blockchain https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"
X Link 2025-10-21T08:45Z 60.7K followers, [----] engagements
"Google researchers analyse a new malware attributed to Russian state-sponsored threat group COLDRIVER. The re-tooling began with a new malicious DLL called NOROBOT, delivered via an updated COLDCOPY ClickFix lure that pretends to be a custom CAPTCHA. https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver"
X Link 2025-10-21T08:49Z 60.7K followers, [----] engagements
"Trend Micro's Junestherry Dela Cruz examines the latest version of the Vidar stealer which features a full rewrite in C a multithreaded architecture and several enhancements that warrant attention. https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades-infostealer-capabilities.html https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades-infostealer-capabilities.html"
X Link 2025-10-22T09:07Z 60.5K followers, [----] engagements
"Check Point's @Tera0017 analyses the YouTube Ghost Network a collection of malicious accounts that take advantage of YouTubes features to distribute infostealers like Lumma Rhadamanthys StealC RedLine 0debug & other Phemedrone variants. https://research.checkpoint.com/2025/youtube-ghost-network/ https://research.checkpoint.com/2025/youtube-ghost-network/"
X Link 2025-10-27T10:10Z 60.7K followers, [----] engagements
"researchers look into a TransparentTribe (also known as APT36 or Operation C-Major) phishing campaign targeting Indian organizations with DeskRAT. https://blog.sekoia.io/transparenttribe-targets-indian-military-organisations-with-deskrat/ http://Sekoia.io https://blog.sekoia.io/transparenttribe-targets-indian-military-organisations-with-deskrat/ http://Sekoia.io"
X Link 2025-10-27T10:13Z 60.5K followers, [----] engagements
"Trellix ARC researchers examine the TTPs employed by SideWinder APT in recent espionage activities in Asia. The phishing campaign occurred in multiple waves in [----] adapted to specific diplomatic targets and led to ModuleInstaller & StealerBot malware. https://www.trellix.com/blogs/research/sidewinders-shifting-sands-click-once-for-espionage/ https://www.trellix.com/blogs/research/sidewinders-shifting-sands-click-once-for-espionage/"
X Link 2025-10-27T10:16Z 60.7K followers, [----] engagements
"Trend Micro researchers analyse a Water Saci campaign spreading via WhatsApp which uses an email-based C&C infrastructure multi-vector persistence for resilience & incorporates advanced checks to evade analysis & restrict activity to specific targets. https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html"
X Link 2025-10-28T09:22Z 60.5K followers, [----] engagements
"Cisco Talos researchers Takahiro Takeda Jordyn Dunk James Nutland & Michael Szeliga look into attack methods of the Qilin (formerly Agenda) ransomware group exposed through multiple cases. https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/ https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/"
X Link 2025-10-28T09:25Z 60.7K followers, [----] engagements
"Palo Alto's Unit [--] team investigate the Jingle Thief campaign operated by financially motivated Morocco-based attackers. The attackers use phishing & smishing to steal credentials to compromise organizations that issue gift cards. https://unit42.paloaltonetworks.com/cloud-based-gift-card-fraud-campaign/ https://unit42.paloaltonetworks.com/cloud-based-gift-card-fraud-campaign/"
X Link 2025-10-28T09:27Z 60.7K followers, [----] engagements
"IBM's Melissa Frydrych-Dean & Raymond Joseph write about several malspam cases observed by the X-Force team with Hijackloader leading to payloads like PureHVNC. The emails imitate the Attorney Generals office of Colombia with official document downloads. https://www.ibm.com/think/x-force/latam-baited-into-delivery-of-purehvnc https://www.ibm.com/think/x-force/latam-baited-into-delivery-of-purehvnc"
X Link 2025-10-29T12:03Z 60.7K followers, [----] engagements
"Palo Alto Networks researchers discovered Airstalk a new Windows-based malware family with both PowerShell & .NET variants. The researchers assess with medium confidence that a possible nation-state threat actor used this malware in a supply chain attack. https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/ https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/"
X Link 2025-10-30T09:30Z 60.7K followers, [----] engagements
"In mid-2025 Sophos CTU researchers observed a campaign from the BRONZE BUTLER (also known as Tick) theat actor that exploited a zero-day vulnerability (CVE-2025-61932) in Motex LANSCOPE Endpoint Manager to steal confidential information. https://news.sophos.com/en-us/2025/10/30/bronze-butler-exploits-japanese-asset-management-software-vulnerability/ https://news.sophos.com/en-us/2025/10/30/bronze-butler-exploits-japanese-asset-management-software-vulnerability/"
X Link 2025-10-31T09:31Z 60.7K followers, [----] engagements
"Researchers at Zimperium's zLabs have identified a growing trend of Android applications misusing NFC and Host Card Emulation (HCE) to illegally obtain payment data and conduct fraudulent transactions. https://zimperium.com/blog/tap-and-steal-the-rise-of-nfc-relay-malware-on-mobile-devices https://zimperium.com/blog/tap-and-steal-the-rise-of-nfc-relay-malware-on-mobile-devices"
X Link 2025-10-31T09:33Z 60.7K followers, [----] engagements
"Arctic Wolf Labs reports that the China-linked threat actor UNC6384 targeted European diplomatic entities in Hungary and Belgium during September and October [----] exploiting ZDI-CAN-25373 and deploying PlugX RAT malware. https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/ https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/"
X Link 2025-11-03T12:06Z 60.6K followers, [----] engagements
"SEQRITE Labs details Operation SkyCloak targeting Russian and Belarusian military personnel where decoys lead to PowerShell stages that expose local services over Tor using obfs4 bridges enabling covert communication. https://www.seqrite.com/blog/operation-skycloak-tor-campaign-targets-military-of-russia-belarus/ https://www.seqrite.com/blog/operation-skycloak-tor-campaign-targets-military-of-russia-belarus/"
X Link 2025-11-03T12:08Z 60.6K followers, [----] engagements
"Members of Gen Digital Threat Labs uncover two new DPRK toolsets - Kimsukys HttpTroy backdoor and Lazaruss upgraded BLINDINGCAN remote access tool - and explain how these tools work. https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis"
X Link 2025-11-03T12:11Z 60.6K followers, [----] engagements
"Proofpoint Threat Research tracks a cybercriminal cluster targeting trucking and logistics companies abusing legitimate RMM tools to hijack cargo and steal physical goods. https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics"
X Link 2025-11-04T10:00Z 60.6K followers, [----] engagements
"The SEQRITE Labs APT-Team has been tracking Silent Lynx - which targets Kyrgyzstan Turkmenistan and Uzbekistan for espionage - since November [----] presenting their findings at VB2025. Further research has now uncovered multiple related campaigns. https://www.seqrite.com/blog/operation-peek-a-baku-silent-lynx-apt-dushanbe-espionage/ https://www.seqrite.com/blog/operation-peek-a-baku-silent-lynx-apt-dushanbe-espionage/"
X Link 2025-11-04T10:05Z 60.7K followers, [----] engagements
"Huntress reports that Gootloader is back using custom WOFF2 fonts with glyph substitution to obfuscate filenames; exploiting WordPress comment endpoints for XOR-encrypted ZIPs; and shifting persistence to the Startup folder. https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation"
X Link 2025-11-06T10:20Z 60.7K followers, [----] engagements
"Proofpoint Threat Research details an espionage campaign targeting Iranian academics & foreign policy experts starting with a benign Iran-themed conversation moving to credential harvesting & a URL to an archive with MSI installer that deploys RMM tools https://www.proofpoint.com/us/blog/threat-insight/crossed-wires-case-study-iranian-espionage-and-attribution https://www.proofpoint.com/us/blog/threat-insight/crossed-wires-case-study-iranian-espionage-and-attribution"
X Link 2025-11-06T10:23Z 60.6K followers, [----] engagements
"Google Threat Intelligence Group confirms first operational use of just in time AI in malware families such as PROMPTFLUX and PROMPTSTEAL where LLMs generate malicious scripts and obfuscate code on the fly. https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"
X Link 2025-11-06T10:24Z 60.7K followers, [----] engagements
"Unit [--] uncovers the new LANDFALL Android spyware delivered as DNG images that exploit CVE-2025-21042 in Samsung devices. https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/ https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/"
X Link 2025-11-10T10:17Z 60.6K followers, [----] engagements
"CyberProof Threat Research identifies the Maverick banking malware spreading via WhatsApp and notes technical overlaps with Coyote malware. https://www.cyberproof.com/blog/maverick-and-coyote-analyzing-the-link-between-two-evolving-brazilian-banking-trojans/ https://www.cyberproof.com/blog/maverick-and-coyote-analyzing-the-link-between-two-evolving-brazilian-banking-trojans/"
X Link 2025-11-11T11:27Z 60.6K followers, 13.8K engagements
"Cyble Research and Intelligence Labs uncovers a phishing campaign using HTML email attachments that run JavaScript to steal credentials and exfiltrate them to attacker-controlled Telegram bots. https://cyble.com/blog/multi-brand-phishing-campaign-harvests-credentials/ https://cyble.com/blog/multi-brand-phishing-campaign-harvests-credentials/"
X Link 2025-11-11T11:35Z 60.4K followers, [----] engagements
"Members of the Point Wild Lat61 Threat Intelligence Team analyse a Bitcoin-themed fake tool that drops DarkComet RAT detailing its behaviour and attacker capabilities. https://www.pointwild.com/threat-intelligence/darkcomet-rat-malware-hidden-inside-fake-bitcoin-tool https://www.pointwild.com/threat-intelligence/darkcomet-rat-malware-hidden-inside-fake-bitcoin-tool"
X Link 2025-11-12T11:27Z 60.7K followers, [----] engagements
"Trend Micro Research observes increased Lumma Stealer activity and notes the malware now uses browser fingerprinting in its command-and-control tactics. https://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-fingerprinting.html https://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-fingerprinting.html"
X Link 2025-11-13T10:18Z 60.5K followers, [----] engagements
"Jamf Threat Labs analyses DigitStealer a new macOS infostealer that uses advanced hardware checks and multi-stage attacks to evade detection and steal sensitive data. https://www.jamf.com/blog/jtl-digitstealer-macos-infostealer-analysis/ https://www.jamf.com/blog/jtl-digitstealer-macos-infostealer-analysis/"
X Link 2025-11-14T09:44Z 60.5K followers, [----] engagements
"Check Point researchers analyse Payroll Pirates a financially motivated network quietly hijacking payroll systems credit unions and trading platforms across the US using malvertising. https://blog.checkpoint.com/email-security/payroll-pirates-one-network-hundreds-of-targets/ https://blog.checkpoint.com/email-security/payroll-pirates-one-network-hundreds-of-targets/"
X Link 2025-11-17T09:52Z 60.6K followers, [----] engagements
"Palo Alto Networks Unit [--] researchers identified two interconnected malware campaigns active throughout [----] using large-scale brand impersonation to deliver Gh0st remote access trojan (RAT) variants to Chinese-speaking users. https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/ https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/"
X Link 2025-11-17T09:55Z 60.5K followers, [----] engagements
"Splunk's Teoderick Contreras looks into an updated .NET loader that uses steganography techniques to deliver various malware families. The variant includes an additional module specifically designed to further evade detection and hinder payload extraction. https://www.splunk.com/en_us/blog/security/updated-net-steganography-loader-lokibot-malware-analysis.html https://www.splunk.com/en_us/blog/security/updated-net-steganography-loader-lokibot-malware-analysis.html"
X Link 2025-11-17T09:57Z 60.4K followers, [----] engagements
"Researchers from the Israel National Digital Agency have uncovered an ongoing espionage campaign conducted by Iranian threat actors tracked as SpearSpecter (APT42 Mint Sandstorm Educated Manticore CharmingCypress). https://govextra.gov.il/national-digital-agency/cyber/research/spearspecter/ https://govextra.gov.il/national-digital-agency/cyber/research/spearspecter/"
X Link 2025-11-19T10:33Z 60.5K followers, [----] engagements
"Jamf Threat Labs dissects the new DigitStealer malware a macOS infostealer that uses advanced hardware checks and multi-stage attacks to evade detection and steal sensitive data. https://www.jamf.com/blog/jtl-digitstealer-macos-infostealer-analysis/ https://www.jamf.com/blog/jtl-digitstealer-macos-infostealer-analysis/"
X Link 2025-11-20T10:39Z 60.5K followers, [----] engagements
"ESET's Facundo Muoz & Dvid Gbri provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that the researchers have named EdgeStepper. https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/ https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/"
X Link 2025-11-20T10:42Z 60.6K followers, [----] engagements
"The Acronis TRU team look into a TamperedChef malvertising/SEO campaign delivering installers disguised as common applications which establish persistence & deliver obfuscated JavaScript payloads for remote access & control. https://www.acronis.com/en/tru/posts/cooking-up-trouble-how-tamperedchef-uses-signed-apps-to-deliver-stealthy-payloads/ https://www.acronis.com/en/tru/posts/cooking-up-trouble-how-tamperedchef-uses-signed-apps-to-deliver-stealthy-payloads/"
X Link 2025-11-21T09:51Z 60.3K followers, [----] engagements
"K7 Labs analyse a campaign ongoing in Brazil spreading malware via WhatsApp web from the victims machine to their contacts by using the open-source WhatsApp automation script from GitHub whilst also loading a banking trojan into memory. https://labs.k7computing.com/index.php/brazilian-campaign-spreading-the-malware-via-whatsapp/ https://labs.k7computing.com/index.php/brazilian-campaign-spreading-the-malware-via-whatsapp/"
X Link 2025-11-24T09:06Z 60.5K followers, [----] engagements
"Domaintools researchers present a report on APT35 (also referenced as Charming Kitten) based on leaked internal documents. The report reveals a regimented quota-driven cyber operations unit operating inside a bureaucratic military chain of command. https://dti.domaintools.com/threat-intelligence-report-apt35-internal-leak-of-hacking-campaigns-against-lebanon-kuwait-turkey-saudi-arabia-korea-and-domestic-iranian-targets/ https://dti.domaintools.com/threat-intelligence-report-apt35-internal-leak-of-hacking-campaigns-against-lebanon-kuwait-turkey-saudi-arabia-korea-and-domestic-iranian-targets/"
X Link 2025-11-24T09:10Z 60.5K followers, [----] engagements
"Zscaler researchers analyse a recent multi-stage attack that started from exploitation of a Windows MMC vulnerability and is attributed to the Water Gamayun APT group. https://www.zscaler.com/blogs/security-research/water-gamayun-apt-attack https://www.zscaler.com/blogs/security-research/water-gamayun-apt-attack"
X Link 2025-11-26T09:56Z 60.5K followers, [----] engagements
"Jamf Threat Labs warn that fake job assessments that ask you to run terminal commands could be a social engineering scheme to deploy the FlexibleFerret malware (a malware family attributed to DPRK-aligned operators) and steal your credentials. https://www.jamf.com/blog/flexibleferret-malware-continues-to-adapt/ https://www.jamf.com/blog/flexibleferret-malware-continues-to-adapt/"
X Link 2025-11-26T10:05Z 60.5K followers, [----] engagements
"ReversingLabs researchers have discovered vulnerable code in legacy Python packages that could make possible an attack on the Python Package Index (PyPI) via a domain compromise. https://www.reversinglabs.com/blog/bootstrap-script-exposes-pypi-to-domain-takeover-attack https://www.reversinglabs.com/blog/bootstrap-script-exposes-pypi-to-domain-takeover-attack"
X Link 2025-11-27T12:16Z 60.3K followers, [----] engagements
"Missed a session Or want to relive your favourite #VB2025 moments The VB2025 presentation playlist is now live on YouTube. Catch up on [--] talks now available to watch for free. 👉 (Some talks are not included at the request of the speakers) https://tinyurl.com/4uven8zw https://tinyurl.com/4uven8zw"
X Link 2025-11-27T13:14Z 60.5K followers, [----] engagements
"Trend Micro researchers share their findings on the Shai-hulud [---] campaign and reveal new functions that werent observed in its first variant such as backdoor capabilities. https://www.trendmicro.com/en_us/research/25/k/shai-hulud-2-0-targets-cloud-and-developer-systems.html https://www.trendmicro.com/en_us/research/25/k/shai-hulud-2-0-targets-cloud-and-developer-systems.html"
X Link 2025-11-28T09:40Z 60.5K followers, [----] engagements
"SEQRITE Labs APT-Team tracks "Operation Hanoi Thief" a spear-phishing campaign targeting Vietnamese IT departments and HR recruiters with fake resume documents that deliver a C++ DLL stealer named LOTUSHARVEST. https://www.seqrite.com/blog/9479-2/ https://www.seqrite.com/blog/9479-2/"
X Link 2025-12-01T10:38Z 60.4K followers, [----] engagements
"Trend Micro Research reports Water Saci shifting from a PowerShell-based propagation routine to a Python variant that boosts development improves browser support and error handling and speeds malware delivery via WhatsApp Web. https://www.trendmicro.com/en_us/research/25/l/water-saci.html https://www.trendmicro.com/en_us/research/25/l/water-saci.html"
X Link 2025-12-02T11:09Z 60.5K followers, [----] engagements
"Infoblox Threat Intelligence uncovers Evilginx-based SSO phishing using subdomains that mimic university portals targeting at least [--] US institutions since April [----] and finds nearly [--] related domains for future tracking. https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/ https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/"
X Link 2025-12-02T11:10Z 60.4K followers, [----] engagements
"ESET Research reports new MuddyWater activity against organisations in Israel and one in Egypt. The Iran-aligned group uses previously undocumented tools including a custom Fooder loader to run MuddyViper a new C/C++ backdoor for stealth & persistence. https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/ https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/"
X Link 2025-12-03T10:02Z 60.4K followers, [----] engagements
"documents a hybrid Salty2FATycoon2FA phishing campaign. Salty2FA activity collapsed in late [----] with new Tycoon2FA samples showing overlapping indicators including shared IOCs TTPs and hybrid payloads. https://any.run/cybersecurity-blog/salty2fa-tycoon2fa-hybrid-phishing-2025/ http://ANY.RUN https://any.run/cybersecurity-blog/salty2fa-tycoon2fa-hybrid-phishing-2025/ http://ANY.RUN"
X Link 2025-12-03T10:06Z 60.4K followers, [----] engagements
"Trend Micro Research details a ValleyRAT campaign targeting job seekers via email hiding behind a weaponized Foxit PDF Reader and using DLL side-loading for initial access. As a RAT ValleyRAT enables remote control monitoring and data theft. https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html"
X Link 2025-12-04T10:48Z 60.5K followers, [----] engagements
"SEQRITE APT-Team details a spear-phishing campaign against Russian HR payroll and internal admin departments using bonus and policy-themed decoys. The chain relies on malicious LNK files a new DUPERUNNER implant and an AdaptixC2 Beacon for C2. https://www.seqrite.com/blog/9512-2/ https://www.seqrite.com/blog/9512-2/"
X Link 2025-12-04T10:52Z 60.4K followers, [----] engagements
"Intel [---] reports new Android banking trojan FvncBot targeting Polish users via a fake mBank security app. It abuses accessibility services for keylogging employs web injects screen streaming & HVNC & has a new codebase not tied to leaked source codes. https://www.intel471.com/blog/new-fvncbot-android-banking-trojan-targets-poland https://www.intel471.com/blog/new-fvncbot-android-banking-trojan-targets-poland"
X Link 2025-12-05T10:02Z 60.5K followers, [----] engagements
"LAC's Cyber Emergency Center describes a PlugX campaign by a China-based attack group targeting Japanese transport firms & their subsidiaries. The report analyses new PlugX variants MetaRAT and Talisman PlugX and expands on findings first shared at VB2025 https://www.lac.co.jp/lacwatch/report/20251208_004569.html https://www.lac.co.jp/lacwatch/report/20251208_004569.html"
X Link 2025-12-08T11:15Z 60.4K followers, 23.7K engagements
"Sophos X-Ops analyses Shanya a packer-as-a-service favoured by ransomware groups and starting to replace HeartCrypt in their toolkits. The report traces its underground origins unpacks its code and examines a targeted infection using the service. https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/ https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/"
X Link 2025-12-08T11:18Z 60.4K followers, [----] engagements
"Sysdig TRT details EtherRAT a sophisticated backdoor dropped through recent React2Shell exploitation. The implant uses Ethereum smart contracts for C2 resolution and multiple Linux persistence mechanisms going well beyond typical cryptomining payloads. https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks"
X Link 2025-12-09T11:15Z 60.4K followers, [----] engagements
"Acronis TRU analyses Makop ransomwares updated toolkit with new components including local privilege escalation exploits and GuLoader for secondary payloads. 55% of observed cases hit Indian organisations with further victims in Brazil & Germany. https://www.acronis.com/en/tru/posts/makop-ransomware-guloader-and-privilege-escalation-in-attacks-against-indian-businesses/ https://www.acronis.com/en/tru/posts/makop-ransomware-guloader-and-privilege-escalation-in-attacks-against-indian-businesses/"
X Link 2025-12-09T11:21Z 60.4K followers, [----] engagements
"Sophos X-Ops details how GOLD BLADE has evolved into a hybrid data-theft & ransomware actor. Recent activity mainly hits Canadian organisations delivering weaponized resumes via recruitment platforms using modified RedLoader chains & a custom locker. https://news.sophos.com/en-us/2025/12/05/sharpening-the-knife-gold-blades-strategic-evolution/ https://news.sophos.com/en-us/2025/12/05/sharpening-the-knife-gold-blades-strategic-evolution/"
X Link 2025-12-10T10:11Z 60.4K followers, [----] engagements
"Huntress shows how attackers weaponize trusted AI tools. In an alert triaged by Huntress the victim had searched clear disk space on macOS clicked Google results to ChatGPT or Grok then followed terminal cleanup commands that delivered Amos Stealer. https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust"
X Link 2025-12-10T10:17Z 60.4K followers, [----] engagements
"Unit [--] details 01flip a new Rust-based ransomware family observed in June [----] targeting a limited set of victims in the Asia-Pacific region. https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/ https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/"
X Link 2025-12-11T10:17Z 60.4K followers, [----] engagements
"Zimperium zLabs identified DroidLock a new Android ransomware-like app targeting Spanish users. It uses fake system update screens VNC-based remote control and device admin privileges to lock or wipe phones capture photos & steal app lock credentials. https://zimperium.com/blog/total-takeover-droidlock-hijacks-your-device https://zimperium.com/blog/total-takeover-droidlock-hijacks-your-device"
X Link 2025-12-11T10:21Z 60.4K followers, [----] engagements
"Bitdefender Labs uncovers an Agent Tesla delivery chain disguised as a movie torrent. A CD.lnk shortcut triggers a hidden command chain that runs scripts embedded in a subtitle file. https://www.bitdefender.com/en-us/blog/labs/fake-leonardo-dicaprio-movie-torrent-agent-tesla-powershell https://www.bitdefender.com/en-us/blog/labs/fake-leonardo-dicaprio-movie-torrent-agent-tesla-powershell"
X Link 2025-12-12T10:24Z 60.4K followers, [----] engagements
"NTT's Kazuya Nomura analyses ZnDoor a malware executed by exploiting React2Shell (CVE-2025-55182) in attacks against companies in Japan. https://jp.security.ntt/insights_resources/tech_blog/react2shell_malware_zndoor/ https://jp.security.ntt/insights_resources/tech_blog/react2shell_malware_zndoor/"
X Link 2025-12-15T11:16Z 60.5K followers, [----] engagements
"Members of the Palo Alto Networks Unit [--] team explore the upgrade of RansomHouse encryption. RansomHouse is a ransomware-as-a-service operation run by a group tracked by Unit [--] as Jolly Scorpius. https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/ https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/"
X Link 2025-12-18T10:14Z 60.5K followers, [----] engagements
"ThreatLab & Reporters Without Borders (RSF) Digital Security Lab uncover a malware attack by the Belarusian secret service (KGB) targeting a Belarus-based journalist with an Android spyware named ResidentBat. https://resident.ngo/lab/writeups/residentbat-android-kgb-spyware-in-belarus-2025/ http://RESIDENT.NGO https://resident.ngo/lab/writeups/residentbat-android-kgb-spyware-in-belarus-2025/ http://RESIDENT.NGO"
X Link 2025-12-19T10:12Z 60.5K followers, [----] engagements
"Genians reports an APT37 campaign where fake casting/interview outreach delivers a trojanised HWP document. The chain relies on embedded OLE content and user clicks to start execution then uses DLL side-loading to evade detection. https://www.genians.co.kr/en/blog/threat_intelligence/dll https://www.genians.co.kr/en/blog/threat_intelligence/dll"
X Link 2026-01-05T11:22Z 60.5K followers, [----] engagements
"Jamf Threat Labs observed a revamped MacSync Stealer variant delivered as a code-signed and notarized app. Unlike earlier drag-to-Terminal/ClickFix chains it uses a more deceptive hands-off approach. https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/ https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/"
X Link 2026-01-06T11:29Z 60.5K followers, [----] engagements
"Recorded Future's Insikt Group tracks GRU-linked BlueDelta credential theft mimicking OWA, Google and Sophos VPN portals. Targets include a Turkish energy & nuclear research agency, a European think tank and organizations in North Macedonia & Uzbekistan. https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting"
X Link 2026-01-08T09:05Z 60.6K followers, [----] engagements
"Huntress details ESXi exploitation in the wild where initial access likely came via a compromised SonicWall VPN. The exploit toolkit targets [---] VMware ESXi builds spanning versions [---] to [---]. https://www.huntress.com/blog/esxi-vm-escape-exploit"
X Link 2026-01-08T09:07Z 60.5K followers, [----] engagements
"CloudSEK TRIAD reports a MuddyWater spear-phishing campaign targeting Middle Eastern diplomatic, maritime, financial and telecom sectors. The chain uses icon spoofing and malicious Word documents to deliver RustyWater. https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant"
X Link 2026-01-09T10:39Z 60.5K followers, [----] engagements
"DTI researchers analysed leaked data from Chinese company KnownSec. This leak exposes a state-aligned cyber contractor that operates far beyond the role of a typical cybersecurity vendor. https://dti.domaintools.com/the-knownsec-leak-yet-another-leak-of-chinas-contractor-driven-cyber-espionage-ecosystem/"
X Link 2026-01-12T10:18Z 60.5K followers, [----] engagements
"Silent Push uncovered an extensive network of domains associated with the long-term, ongoing web-skimmer campaign Magecart. Payment networks that are currently being targeted include American Express, Diners Club, Discover and Mastercard. https://www.silentpush.com/blog/magecart/"
X Link 2026-01-14T12:29Z 60.6K followers, [----] engagements
"AhnLab's ASEC team discovered cases of attacks using RMM tools such as Syncro, SuperOps, NinjaOne & ScreenConnect. Threat actors distributed a PDF that prompted users to download & run the RMM tool from a disguised distribution page such as Google Drive. https://asec.ahnlab.com/en/91995/"
X Link 2026-01-14T12:34Z 60.5K followers, [----] engagements
"Genians researchers analyse Operation Poseidon from the Konni APT. The threat actor bypasses security filtering and user boundaries through spear-phishing campaigns disguised as advertising URLs that lead to EndRAT malware. https://www.genians.co.kr/blog/threat_intelligence/spear-phishing"
X Link 2026-01-19T09:52Z 60.6K followers, [----] engagements
"The Seqrite Labs APT Team looks into Operation Nomad Leopard, a spear-phishing campaign targeting Afghan government employees. https://www.seqrite.com/blog/operation-nomad-leopard-targeted-spear-phishing-campaign-against-government-entities-in-afghanistan/"
X Link 2026-01-20T11:27Z 60.6K followers, [----] engagements
"Seqrite Labs has identified and uncovered a globally active spear-phishing campaign targeting Argentina's judicial sector. The campaign leverages a multi-stage infection chain to deploy a stealthy remote access trojan. https://www.seqrite.com/blog/operation-covert-access-weaponized-lnk-based-spear-phishing-targeting-argentinas-judicial-sector-to-deploy-a-covert-rat/"
X Link 2026-01-20T11:32Z 60.6K followers, [----] engagements
"Varonis tracks a new browser-based MaaS threat named Stanley. The service packages phishing-style site spoofing as a Chrome extension and is marketed on Russian forums for $2k-$6k. https://www.varonis.com/blog/stanley-malware-kit"
X Link 2026-01-26T09:53Z 60.6K followers, [----] engagements
"Hybrid Analysis reports an organised traffer gang targeting crypto holders and Web3 employees. The operation delivers malware via fake Electron apps disguised as legitimate tools. https://hybrid-analysis.blogspot.com/2026/01/organized-traffer-gang-on-rise.html"
X Link 2026-01-26T09:54Z 60.6K followers, [----] engagements
"Sekoia.io TDR assesses a broader operation behind a phishing campaign where infostealers on hotel machines stole credentials for platforms like Booking.com & Expedia, which were sold or used to email customers for banking fraud. https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/"
X Link 2025-11-07T10:14Z 60.6K followers, [----] engagements
"Sekoia TDR unwraps QuasarRAT, a popular .NET remote access trojan, and demonstrates how to locate and decrypt its embedded configuration. The article walks through a systematic workflow that works on both clean and obfuscated samples. https://blog.sekoia.io/advent-of-configuration-extraction-part-2-unwrapping-quasarrats-configuration/"
X Link 2025-12-09T11:13Z 60.6K followers, [----] engagements
"Zscaler ThreatLabz identified a new phishing kit named BlackForce used to impersonate more than [--] brands and capable of stealing credentials and performing man-in-the-browser attacks to steal one-time tokens and bypass multi-factor authentication. https://www.zscaler.com/blogs/security-research/technical-analysis-blackforce-phishing-kit"
X Link 2025-12-15T11:13Z 60.6K followers, [----] engagements
"Members of Sekoia's TDR team reveal details of SNOWLIGHT, a lightweight ELF downloader designed to retrieve and execute a remote payload on Linux systems. https://blog.sekoia.io/advent-of-configuration-extraction-part-3-mapping-got-plt-and-disassembling-the-snowlight-loader/"
X Link 2025-12-16T10:27Z 60.6K followers, [----] engagements
"Zscaler's Gaetano Pellegrin discovered a new spear-phishing campaign attributed to BlindEagle targeting a government agency in Colombia, using a phishing email sent from what appears to be a compromised account within the same organization. https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat"
X Link 2025-12-18T10:08Z 60.6K followers, [----] engagements
"Forcepoint X-Labs details a holiday DocuSign lure where users are asked to review a completed Christmas wine order. A Docusign-branded button redirects via disposable hosts (Fastly/Glitch/Surge.sh) to a credential-harvesting page targeting corporate logins. https://www.forcepoint.com/blog/x-labs/docusign-phishing-holiday-loan-spam"
X Link 2026-01-05T11:27Z 60.6K followers, [----] engagements
"Check Point researchers analyse VoidLink, an advanced malware framework made up of custom loaders, implants, rootkits and modular plugins designed to maintain long-term access to Linux systems. https://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/"
X Link 2026-01-14T12:27Z 60.6K followers, [----] engagements
"Infoblox researchers managed to snoop on the communications of an affiliate advertising push notification system whose DNS records were left misconfigured, allowing the researchers to receive a copy of every ad they sent victims and recorded metrics. https://www.infoblox.com/blog/threat-intelligence/inside-a-malicious-push-network-what-57m-logs-taught-us/"
X Link 2026-01-21T10:32Z 60.6K followers, [----] engagements
"Check Point Research believes a new era of AI-generated malware has begun: VoidLink is the first evidently documented case of this era, an advanced malware framework authored almost entirely by AI, likely under the direction of a single individual. https://research.checkpoint.com/2026/voidlink-early-ai-generated-malware-framework/"
X Link 2026-01-21T10:34Z 60.6K followers, [----] engagements
"eSentire Threat Response Unit identified an ongoing campaign deploying a sophisticated multistage backdoor for the likely purpose of long-term espionage. The campaign targets residents of India with phishing emails that impersonate India's Income Tax dept. https://www.esentire.com/blog/weaponized-in-china-deployed-in-india-the-syncfuture-espionage-targeted-campaign"
X Link 2026-01-23T10:08Z 60.6K followers, [----] engagements
"Check Point Research is tracking a phishing campaign linked to a North Korea-aligned threat actor known as KONNI. The attackers deploy an AI-generated PowerShell backdoor, highlighting the growing use of AI by threat actors. https://research.checkpoint.com/2026/konni-targets-developers-with-ai-malware/"
X Link 2026-01-23T10:09Z 60.6K followers, [----] engagements
"Recorded Future's Insikt Group looks into recent PurpleBravo activity. PurpleBravo is a North Korean state-sponsored threat group that overlaps with the Contagious Interview campaign. https://www.recordedfuture.com/research/purplebravos-targeting-it-software-supply-chain"
X Link 2026-01-23T10:11Z 60.6K followers, [----] engagements
"FortiGuard researcher Xiaopeng Zhang analyses a recent phishing campaign in the wild delivering a new variant of XWorm. https://www.fortinet.com/blog/threat-research/deep-dive-into-new-xworm-campaign-utilizing-multiple-themed-phishing-emails"
X Link 2026-02-12T11:00Z 60.7K followers, [----] engagements
"FortiGuard Labs observed malware named ShadowV2 spreading via IoT vulnerabilities at the end of October, during a global disruption of AWS connections. This activity was likely a test run conducted in preparation for future attacks. https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices"
X Link 2025-11-27T12:12Z 60.7K followers, [----] engagements
"FortiGuard Labs analyses eBPF-based malware where Symbiote and BPFDoor abuse Linux kernel BPF filters. New [----] variants improve stealth by port-hopping to high UDP ports and supporting IPv6, making these rootkits rare but powerful and hard to detect. https://www.fortinet.com/blog/threat-research/new-ebpf-filters-for-symbiote-and-bpfdoor-malware"
X Link 2025-12-03T10:04Z 60.7K followers, [----] engagements
"Splunk Threat Research Team analyses CastleRAT, a RAT first seen in March [----] with Python and compiled C builds. It uses RC4 with a hard-coded key for C2, gathers host details & can download further payloads and open a remote shell for attacker commands. https://www.splunk.com/en_us/blog/security/castlerat-malware-detection-splunk-mitre-attck.html"
X Link 2025-12-05T09:50Z 60.7K followers, [----] engagements
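An RC4 transport keyed with a constant baked into the binary, as the CastleRAT post above describes, means that once the key is pulled from one sample every captured beacon can be decoded offline. The block below is an added example written for this page, not Splunk's tooling and not CastleRAT's real key, message layout or protocol: the key, the JSON check-in format and the sample beacon are all constructed, and RC4 is implemented from scratch so the example needs only the Python standard library.

```python
"""Constructed example: decoding an RC4-wrapped C2 check-in with a hard-coded key.

Added illustration; the key, the message layout and the sample beacon are
assumptions, not CastleRAT artefacts.
"""
import json

# Assumed hard-coded key of the kind a RAT embeds in its binary (not the real one).
HARDCODED_KEY = b"s3cr3t-c2-key-2025"


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key-scheduling (KSA) then the PRGA loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def build_checkin(hostname: str, user: str, os_version: str) -> bytes:
    """Implant side (simulated): serialise host details and RC4-wrap them."""
    payload = json.dumps(
        {"host": hostname, "user": user, "os": os_version, "cmd": "checkin"}
    ).encode()
    return rc4(HARDCODED_KEY, payload)


def decode_checkin(blob: bytes, key: bytes = HARDCODED_KEY) -> dict:
    """Analyst side: decrypt a captured beacon and parse it.

    RC4 never fails on a wrong key, it just yields garbage, so the JSON parse
    doubles as the sanity check that the recovered key is right.
    """
    plain = rc4(key, blob)
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("decryption produced no valid message; wrong key?") from exc


if __name__ == "__main__":
    captured = build_checkin("WKS-0421", "jdoe", "Windows 10.0.19045")  # constructed beacon
    print(captured.hex())
    print(decode_checkin(captured))
```

With a real sample, `HARDCODED_KEY` is whatever the binary passes into its RC4 routine and `captured` is the TCP payload from a PCAP; if the implant prepends a length or a magic value, strip it before calling `decode_checkin`.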
"FortiGuard Labs observed UDPGangster, a UDP-based backdoor linked to MuddyWater. Recent campaigns use macro-enabled Word lures to target organisations in Turkey, Israel & Azerbaijan, with UDP for command execution, file exfiltration & payload delivery. https://www.fortinet.com/blog/threat-research/udpgangster-campaigns-target-multiple-countries"
X Link 2025-12-05T09:54Z 60.7K followers, [----] engagements
"🚨 Important Date Change for VB2026: VB2026 will now take place [----] October [----] at the already announced venue. We appreciate your understanding and look forward to welcoming you in October for another memorable VB Conference."
X Link 2025-12-15T11:22Z 60.7K followers, [----] engagements
"DataDome's Jerome Segura warns that AI agents are adopting the tactics of adversarial actors and starting to ignore rules laid out in robots.txt in order to get the data they need. https://datadome.co/threat-research/ai-agent-spoofing/"
X Link 2025-12-16T10:34Z 60.7K followers, [----] engagements
"Fortinet researchers found a phishing campaign delivering a new variant of Remcos, a commercial lightweight RAT with a wide range of capabilities including system resource management, remote surveillance, network management & Remcos agent management. https://www.fortinet.com/blog/threat-research/new-remcos-campaign-distributed-through-fake-shipping-document"
X Link 2026-01-20T11:31Z 60.7K followers, [----] engagements
"Fortinet researchers identified a multi-stage malware campaign that escalates into a full-system compromise, including security-control bypass, surveillance, system restriction, deployment of Amnesia RAT and ransomware delivery. https://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign"
X Link 2026-01-22T13:55Z 60.7K followers, [----] engagements
"Google's Threat Intelligence Group warns WinRAR CVE-2025-8088 is being exploited for initial access & payload delivery by both state-backed & financially motivated actors. The exploitation method allows files to be dropped into the Windows Startup folder. https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability"
X Link 2026-01-28T09:55Z 60.7K followers, [----] engagements
"FortiGuard Labs analyses EncystPHP, a weaponized web shell delivering remote command execution, persistence and further web shell deployment. It spreads by exploiting FreePBX vulnerability CVE-2025-64328 and is linked to the INJ3CTOR3 actor. https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp"
X Link 2026-01-29T10:34Z 60.7K followers, [----] engagements
"FortiGuard Labs tracks Interlock's shifting toolkit across recent intrusions. A key addition is a process-killing tool that leverages a zero-day vulnerability in a gaming anti-cheat driver to try to disable EDR and AV. https://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks"
X Link 2026-01-30T09:44Z 60.7K followers, [----] engagements
"SophosLabs investigates WantToCry remote ransomware cases in which attackers operated from virtual machines with auto-generated NetBIOS names derived from Windows templates provisioned by ISPsystem. https://www.sophos.com/en-us/blog/malicious-use-of-virtual-machine-infrastructure"
X Link 2026-02-05T11:08Z 60.7K followers, [----] engagements
"Kaseya researchers show how bad actors use DKIM replay attacks that involve abuse of legitimate invoices and dispute notifications from well-known vendors such as PayPal, Apple, DocuSign and HelloSign. https://www.kaseya.com/blog/dkim-replay-attacks-apple-paypal-invoice-abuse/"
X Link 2026-02-09T10:16Z 60.7K followers, [----] engagements
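DKIM replay works because a valid signature only proves that the signer once emitted those exact bytes, not that it sent them to the mailbox now receiving them: the attacker has a genuine PayPal or Apple invoice delivered to a mailbox they control, then re-sends the unchanged message to thousands of victims. The block below is an added example written for this page, not Kaseya's detection logic. It parses the DKIM-Signature tag list of a constructed inbound message and reports the replay indicators a gateway can check without re-verifying the RSA signature: a watched signer domain, a signed To: header that does not contain the envelope recipient, a missing x= expiry and an l= body-length limit. The watch-list, the sample message, the envelope recipient and the placeholder signature value are all assumptions.

```python
"""Constructed example: flagging DKIM-replay indicators on an inbound message.

Added illustration, not Kaseya's detection logic. The sample message, the
brand watch-list and the findings wording are assumptions.
"""
import email
import email.policy
from typing import List, Optional

# Assumed watch-list: signers whose legitimately signed mail is worth replaying.
WATCHED_SIGNERS = {"paypal.com", "apple.com", "docusign.net", "hellosign.com"}

# Constructed sample: a PayPal-signed invoice notice first delivered to an
# attacker-controlled mailbox and then re-sent to other recipients. The b= value
# is a placeholder; nothing here verifies the signature itself.
SAMPLE_REPLAYED = """\
Return-Path: <bounce@relay.attacker-owned.example>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal.com; s=pp-dkim1;
 h=From:To:Subject:Date:Message-ID; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
 b=MEUCIQDplaceholderplaceholderplaceholderplaceholderplaceholder==
From: "service@paypal.com" <service@paypal.com>
To: mule-mailbox@attacker-owned.example
Subject: You have received an invoice from Crypto Recovery Desk
Date: Mon, 09 Feb 2026 09:00:00 +0000
Message-ID: <pp-invoice-0001@paypal.com>

A seller sent you an invoice. Call +1-555-0100 to dispute this charge.
"""


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list).
    Folding whitespace inside values is dropped so h= and b= compare cleanly."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def replay_indicators(raw_message: str, envelope_rcpt: str, now: Optional[float] = None) -> List[str]:
    """Return the reasons a validly signed message looks replayed (empty = none).

    envelope_rcpt is the SMTP RCPT TO address, which the signer never sees; a
    replayer cannot change the signed To: header, so the two diverge.
    """
    import time
    now = time.time() if now is None else now
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings: List[str] = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(str(sig))
        signer = tags.get("d", "").lower()
        if signer not in WATCHED_SIGNERS:
            continue
        signed_headers = {h.lower() for h in tags.get("h", "").split(":")}
        if "to" not in signed_headers:
            findings.append(f"{signer}: signature does not cover To:, so any recipient can be substituted")
        else:
            header_rcpts = {a.addr_spec.lower() for h in msg.get_all("To", []) for a in h.addresses}
            if envelope_rcpt.lower() not in header_rcpts:
                findings.append(f"{signer}: envelope recipient {envelope_rcpt} is not in the signed To: header")
        if "x" not in tags:
            findings.append(f"{signer}: no x= expiry, so the signature never ages out")
        elif int(tags["x"]) < now:
            findings.append(f"{signer}: signature expired at {tags['x']}")
        if "l" in tags:
            findings.append(f"{signer}: l= body-length limit lets a replayer append unsigned content")
    return findings


if __name__ == "__main__":
    for reason in replay_indicators(SAMPLE_REPLAYED, "victim@corp.example"):
        print(reason)
```

The recipient check is the decisive one: the original delivery to `mule-mailbox@attacker-owned.example` raises only the expiry note, while the same bytes delivered to `victim@corp.example` are flagged. Senders defend against this by covering To: in h=, setting a short x=, and never using l=; receivers can weight these findings alongside Authentication-Results rather than treating dkim=pass as a clean bill of health.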
"Palo Alto Networks researchers unveil a new state-aligned espionage group tracked as TGR-STA-1030. The group primarily targets government ministries & departments and critical infrastructure organizations, with attacks across [--] countries in the last year. https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/"
X Link 2026-02-11T09:52Z 60.7K followers, [----] engagements
"Orange researchers report on how hacktivism has evolved over three years of research: hacktivism has become more frequent, more coordinated and increasingly entangled with real-world geopolitical events. https://www.orangecyberdefense.com/global/blog/research/hacktivism-today-what-three-years-of-research-reveal-about-its-transformation#c164458"
X Link 2026-02-11T10:07Z 60.7K followers, [----] engagements
"Cisco Talos uncovers DKnife, a gateway-monitoring and adversary-in-the-middle framework that manipulates network traffic & can hijack binary downloads or Android app updates to deliver malware. Used since at least [----], its C2 was still active in Jan [----]. https://blog.talosintelligence.com/knife-cutting-the-edge/"
X Link 2026-02-06T10:18Z 60.7K followers, [----] engagements
"The DFIR Report has published data from an open directory associated with a ransomware affiliate likely linked to the Fog ransomware group. The open directory contained tools and scripts for reconnaissance, exploitation, lateral movement and persistence. https://thedfirreport.com/2025/04/28/navigating-through-the-fog/"
X Link 2025-04-30T08:55Z 60.7K followers, [----] engagements
"Zscaler's Mark Joseph Marti shows how the browser-in-the-browser (BitB) technique is used in a Facebook phishing scam. BitB tricks users by simulating a legitimate third-party login popup window within the browser tab, masking a credential-harvesting page. https://www.trellix.com/blogs/research/the-unfriending-truth-how-to-spot-a-facebook-phishing-scam/"
X Link 2026-01-13T10:44Z 60.7K followers, [----] engagements
"Zscaler ThreatLabz tracks [--] campaigns (Gopher Strike & Sheet Attack) tied to a Pakistan-based actor targeting Indian government entities & profiles tooling including the GOGITTER downloader, GITSHELLPAD C2 backdoor & GOSHELL loader deploying Cobalt Strike. https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-gogitter-gitshellpad-and-goshell"
X Link 2026-01-27T10:04Z 60.7K followers, [----] engagements
"The second part of Zscaler ThreatLabz's Gopher Strike/Sheet Attack research profiles three additional backdoors in Sheet Attack: SHEETCREEP using Google Sheets for C2, FIREPOWER abusing Firebase and MAILCREEP leveraging Microsoft Graph. https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-sheetcreep-firepower-and"
X Link 2026-01-28T09:46Z 60.7K followers, [----] engagements
"Zscaler ThreatLabz reports on Operation Neusploit, a January [----] campaign targeting Central & Eastern Europe. Weaponised Microsoft RTF files exploit CVE-2026-21509 to deliver multi-stage backdoors. The campaign is attributed to APT28 with high confidence. https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit"
X Link 2026-02-03T13:35Z 60.7K followers, [----] engagements
"LevelBlue SpiderLabs analyses DragonForce's evolving playbook, combining advanced RaaS features with a franchise-style affiliate model. The tooling supports full, header and partial encryption across multiple platforms. https://www.levelblue.com/blogs/spiderlabs-blog/the-godfather-of-ransomware-inside-dragonforces-cartel-ambitions"
X Link 2026-02-04T09:51Z 60.7K followers, [----] engagements
"RedAsgard shows how a Lazarus-linked fake job interview operation tricked developers into opening a repo & running npm install, or loading it in VS Code, leading to credential theft. Researchers found 241k stolen credentials from [---] victims in [--] countries. https://redasgard.com/blog/hunting-lazarus-part4-real-blood-on-the-wire"
X Link 2026-02-04T10:05Z 60.7K followers, [----] engagements
"Acronis TRU tracks Transparent Tribe (APT36) expanding beyond its usual government and defence focus to India's startup ecosystem. The campaign uses startup-themed decoys and ISO files with malicious LNK shortcuts to deliver Crimson RAT. https://www.acronis.com/en/tru/posts/new-year-new-sector-transparent-tribe-targets-indias-startup-ecosystem/"
X Link 2026-02-05T11:06Z 60.7K followers, [----] engagements
"Huntress researchers Anna Pham, John Hammond & Jamie Levy observed threat actors exploiting a SolarWinds Web Help Desk vulnerability and warn organizations to apply the update from SolarWinds' website as soon as possible. https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399"
X Link 2026-02-10T09:22Z 60.7K followers, [----] engagements
"Mandiant researchers investigate a UNC1069-attributed intrusion that used a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector & reported usage of AI-generated video to deceive the victim. https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering"
X Link 2026-02-10T09:28Z 60.7K followers, [----] engagements
"The ReversingLabs research team has identified a new branch of a fake recruiter campaign conducted by the North Korean hacking team Lazarus Group, targeting both JavaScript and Python developers. https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"
X Link 2026-02-12T11:03Z 60.7K followers, [----] engagements
"BfV & BSI warn that a likely state-controlled threat actor is conducting phishing attacks via messaging services such as Signal. The targets are high-ranking individuals in politics, military & diplomacy and investigative journalists in Germany & Europe. https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2026/202602_BfV_BSI_Sicherheitshinweis.html"
X Link 2026-02-09T10:03Z 60.7K followers, [----] engagements
"eSentire's Threat Response Unit shares technical artifacts uncovered in their investigation of a malicious command attempting to deploy Prometei on a Windows Server belonging to a customer. https://www.esentire.com/blog/tenant-from-hell-prometeis-unauthorized-stay-in-your-windows-server"
X Link 2026-02-09T10:10Z 60.7K followers, [----] engagements
"Zscaler ThreatLabz explores the anti-analysis techniques employed by GuLoader, including use of polymorphic code to dynamically construct constant and string values as well as complex exception-based control flow obfuscation. https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques"
X Link 2026-02-10T09:13Z 60.7K followers, [----] engagements
"Microsoft XDR team has observed increasing numbers of macOS infostealer campaigns using social engineering techniques, including ClickFix-style prompts & malicious DMG installers, to deploy macOS-specific infostealers such as DigitStealer, MacSync & AMOS. https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/"
X Link 2026-02-11T09:47Z 60.7K followers, [----] engagements
"Forcepoint researchers look into a high-volume Phorpiex campaign delivered through malspam emails weaponized with Windows Shortcut (.lnk) files. https://www.forcepoint.com/blog/x-labs/phorpiex-global-group-ransomware-lnk-phishing"
X Link 2026-02-12T11:01Z 60.7K followers, [----] engagements
"Huntress researchers Anna Pham, Michael Tigges, Dray Agha & Anton Ovrutsky explain how employee monitoring tool Net Monitor for Employees was abused together with RMM platform SimpleHelp in an attempted deployment of Crazy ransomware. https://www.huntress.com/blog/employee-monitoring-simplehelp-abused-in-ransomware-operations"
X Link 2026-02-12T11:09Z 60.7K followers, [----] engagements
"Censys Threat Intelligence team analyses Odyssey Stealer, a macOS information stealer designed to steal cryptocurrencies from a wide range of software. https://censys.com/blog/odyssey-stealer-macos-crypto-stealing-operation"
X Link 2026-02-13T09:11Z 60.7K followers, [----] engagements
"Cato CTRL has identified a new malware loader tracked as Foxveil, which establishes an initial foothold, frustrates analysis and retrieves next-stage payloads from threat actor-controlled staging hosted on Cloudflare Pages, Netlify & Discord attachments. https://www.catonetworks.com/blog/cato-ctrl-foxveil-new-malware/"
X Link 2026-02-13T09:18Z 60.7K followers, [----] engagements
"After almost ten years and more than [-----] tweets I am handing over this account to the rest of the great VB team. Thank you all for following, all the best for [----] and beyond, and keep doing great things. @martijn_grooten https://www.youtube.com/watch?v=NXtDonotCvU"
X Link 2019-12-31T13:44Z 60.7K followers, [---] engagements
"Sophos researchers (and regular VB conference speakers) @GaborSzappanos and @threatresearch analysed the toolset used by the Netwalker ransomware actors and found they mostly rely on publicly available tools. https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/"
X Link 2020-05-28T11:50Z 60.7K followers, [---] engagements
"Palo Alto's @malware_traffic has written a detailed post on the evolution of the Valak infostealer and malware downloader. https://unit42.paloaltonetworks.com/valak-evolution/"
X Link 2020-07-27T11:23Z 60.7K followers, [---] engagements
"DomainTools researcher @jfslowik shares some thoughts on the possible link between the SUNBURST malware used in the SolarWinds supply chain attack and the Turla APT group. https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution"
X Link 2021-01-15T11:02Z 60.7K followers, [---] engagements
"Palo Alto's @malware_traffic created a tutorial for using Wireshark to analyse Emotet network traffic. https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/"
X Link 2021-01-20T18:43Z 60.7K followers, [---] engagements
"Sophos lists details of attacker behaviour and impact, as well as the tactics, techniques and procedures (TTPs) seen in the wild in 2020/2021. https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/"
X Link 2021-05-19T09:25Z 60.7K followers, [---] engagements
"Sophos analysts have uncovered a new ransomware that calls itself Epsilon Red. The ransomware is written in Go and is preceded by a set of unique PowerShell scripts that prepare the ground for the file-encryption routine. https://news.sophos.com/en-us/2021/05/28/epsilonred/"
X Link 2021-05-31T13:09Z 60.7K followers, [---] engagements
"A list of [--] CyberChef recipes and curated links for malware analysis has been shared by @mattnotmax. https://github.com/mattnotmax/cyberchef-recipes"
X Link 2021-06-07T12:43Z 60.7K followers, [---] engagements
"DomainTools' @piffey has created an infographic that provides an overview of the most prolific ransomware families and the current loaders they use. https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide"
X Link 2021-07-02T12:22Z 60.7K followers, [---] engagements
"The Avast Threat Intelligence team has published a blog on understanding how threat actors use Cobalt Strike payloads and how you can analyse them. https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/"
X Link 2021-07-08T18:48Z 60.7K followers, [---] engagements
"McAfee researchers have discovered a new technique that downloads and executes malicious DLLs (Zloader) without any malicious code present in the initial spammed attachment macro. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/"
X Link 2021-07-09T14:37Z 60.7K followers, [---] engagements
"AT&T Alien Labs has recently discovered a cluster of Linux ELF executables with low rates of detection in VirusTotal. The files were identified as modifications of the open-source PRISM backdoor used by multiple threat actors in various campaigns. https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar"
X Link 2021-08-24T15:53Z 60.7K followers, [---] engagements
"Security researcher @BushidoToken writes about three top-tier cybercrime syndicates which are tracked by the private cybersecurity industry as EvilCorp, WizardSpider and FIN7. https://blog.bushidotoken.net/2021/09/how-do-you-run-cybercrime-gang.html"
X Link 2021-09-06T11:39Z 60.7K followers, [---] engagements
"ESET researchers analyse a previously undocumented real-world UEFI bootkit that persists on the EFI System Partition. The ESPecter bootkit can bypass Windows Driver Signature Enforcement to load its own unsigned driver to facilitate its espionage activities. https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/"
X Link 2021-10-06T11:56Z 60.7K followers, [---] engagements
"Security researcher @BushidoToken writes about ransomware decryption intelligence. https://blog.bushidotoken.net/2021/10/ransomware-decryption-intelligence.html"
X Link 2021-10-21T15:27Z 60.7K followers, [---] engagements
"Unit [--] researchers look at the most commonly used TLDs in malicious domains. https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/"
X Link 2021-11-12T15:05Z 60.7K followers, [---] engagements
"The DFIR Report observed an intrusion in which an adversary exploited multiple Exchange vulnerabilities (ProxyShell) that led to the BitLocker ransomware. The threat actors conducted the intrusion with almost no malware. https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/"
X Link 2021-11-15T09:52Z 60.7K followers, [---] engagements
"K7 researchers analyse Cobalt Strike and its loader module. https://labs.k7computing.com/index.php/dissecting-cobalt-strike-loader/"
X Link 2021-11-23T11:23Z 60.7K followers, [---] engagements
"Sophos researchers discovered that attackers had booted their target computers into Safe Mode to execute the Avos Locker ransomware. The reason? Many, if not most, endpoint security products do not run in Safe Mode. https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/"
X Link 2022-01-04T13:00Z 60.7K followers, [---] engagements
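A detection angle on the Safe Mode trick above, as an added example that is not part of the Virus Bulletin post or the Sophos write-up: on Windows, a reboot into Safe Mode is normally staged with `bcdedit /set {default} safeboot minimal|network`, and a service or tool that must survive in Safe Mode has to be registered under `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal` or `...\Network`. The script below runs that logic over constructed process-creation events (the hostnames, users and exact command lines are invented for illustration, not taken from the incident) and raises a per-host alert when safeboot is enabled, escalating when the same host also registers a Safe Mode service or reboots.

```python
import re

# Constructed sample process-creation events (illustrative only, not from the Sophos report).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\admin", "cmd": "bcdedit /set {default} safeboot network"},
    {"host": "WS01", "user": "CORP\\admin",
     "cmd": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\AnyDesk" /ve /d Service /f'},
    {"host": "WS01", "user": "CORP\\admin", "cmd": "shutdown /r /t 0"},
    {"host": "WS02", "user": "CORP\\jdoe", "cmd": "bcdedit /enum"},
    {"host": "WS03", "user": "CORP\\it", "cmd": "bcdedit /deletevalue {default} safeboot"},
    {"host": "WS04", "user": "CORP\\jdoe", "cmd": "notepad.exe C:\\notes.txt"},
]

# bcdedit setting the safeboot option on a boot entry (minimal or network).
SAFEBOOT_SET = re.compile(r"bcdedit(\.exe)?\s+.*/set\b.*\bsafeboot\b", re.I)
# bcdedit clearing it again (cleanup after the ransomware run, or a legitimate admin undoing a change).
SAFEBOOT_CLEAR = re.compile(r"bcdedit(\.exe)?\s+.*/deletevalue\b.*\bsafeboot\b", re.I)
# Anything writing under the SafeBoot\Minimal or SafeBoot\Network registry trees.
SAFEBOOT_SVC = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.I)
# A reboot request; only interesting in combination with the above.
REBOOT = re.compile(r"shutdown(\.exe)?\s+.*/r\b", re.I)


def classify(cmd):
    """Return a tag for one command line, or None if it is not Safe Mode related."""
    if SAFEBOOT_SET.search(cmd):
        return "safeboot_enable"
    if SAFEBOOT_CLEAR.search(cmd):
        return "safeboot_clear"
    if SAFEBOOT_SVC.search(cmd):
        return "safeboot_service_add"
    if REBOOT.search(cmd):
        return "reboot"
    return None


def find_safe_mode_chains(events):
    """Group tagged events by host and alert on hosts that enable safeboot.

    Severity is 'high' when the same host also registers a Safe Mode service
    or issues a reboot, which is the full chain an attacker needs; a lone
    safeboot enable is 'medium'. Clearing safeboot alone is not alerted on,
    since that is what an admin does to undo the change.
    """
    per_host = {}
    for ev in events:
        tag = classify(ev["cmd"])
        if tag:
            per_host.setdefault(ev["host"], []).append(tag)
    alerts = []
    for host, tags in per_host.items():
        if "safeboot_enable" not in tags:
            continue
        chained = "safeboot_service_add" in tags or "reboot" in tags
        alerts.append({"host": host, "severity": "high" if chained else "medium", "tags": tags})
    return alerts


if __name__ == "__main__":
    for alert in find_safe_mode_chains(SAMPLE_EVENTS):
        print(alert)
```

The grouping is per host with no time window, which is fine for a handful of events but should be bounded (for example, to the same logon session or a short interval) before running over a real process-creation feed; `bcdedit /enum` and `bcdedit /deletevalue` are deliberately not alerted on so that routine troubleshooting does not page anyone.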
"Sophos has updated the story of the CVE-2021-40444 exploit which triggers a Word document to deliver an infection without using macros. The attack was only successful on unpatched Windows systems. https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/"
X Link 2022-01-06T15:35Z 60.7K followers, [---] engagements
"Mandiant has published guidance for organizations on how to protect against a destructive attack. The recommendations include common techniques used by threat actors for initial access, reconnaissance, privilege escalation & mission objectives. https://www.mandiant.com/resources/protect-against-destructive-attacks"
X Link 2022-01-17T11:48Z 60.7K followers, [---] engagements
"Sophos researchers investigated a Midas ransomware attack that leveraged at least two different commercial remote access tools (AnyDesk & TeamViewer) and an open-source Windows utility (Process Hacker) in the process. https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/"
X Link 2022-01-26T13:01Z 60.7K followers, [---] engagements
"Microsoft introduces a new threat intelligence brief that will be released quarterly, looking at the current threat landscape, trending tactics, techniques and strategies used by the world's most prolific threat actors. https://www.microsoft.com/security/blog/2022/02/03/cyber-signals-defending-against-cyber-threats-with-the-latest-research-insights-and-trends/"
X Link 2022-02-04T14:15Z 60.7K followers, [---] engagements