
Posts by aridjourney

Energy Sector Incident Report - 29 December 2025 CERT Polska presents a report on the analysis of an incident in the energy sector that occurred on 29 December 2025. The attacks were destructive in nature and targeted wind and photovoltaic farms, a ...

Attribution to Dragonfly instead of Sandworm was quite a plot twist! cert.pl/en/posts/202...

2 months ago 13 6 1 0

#BREAKING #ESETresearch provides technical details on #DynoWiper, a data-wiping malware used in a data-destruction incident on December 29, 2025, affecting a company in Poland’s energy sector. www.welivesecurity.com/en/eset-rese... 1/5

2 months ago 10 9 1 1
RedKitten: AI-accelerated campaign targeting Iranian protests Identifier: TRR260101. Summary RedKitten is a newly identified campaign targeting Iranian interests, likely including non-governmental organizations and individuals involved in documenting recent huma...

Attribution is tricky, especially with limited visibility. However, TTPs were previously associated with IMPERIAL KITTEN/TA456. We could catch slip-ups that clearly point to a Farsi-speaking actor: (AI-generated) comments in Farsi “// دیگه چیزی برای مصرف نیست 🚩 //”. 5/

harfanglab.io/insidethelab...

2 months ago 0 0 0 0

We monitored the C2 Telegram bots and could catch what we believe are operator hands-on commands. We also timelined the malware developer's git commits, which pointed to a different timezone than the one reported (Pacific Time). Nice 9-5, with a bit of late evening fixes. 4/

2 months ago 0 0 1 0

SloppyMIO is a (mostly) vibecoded .NET implant compiled on the target's host. It fetches a configuration blob steganographically implanted in an AI-generated kitten image, from which it extracts the Telegram C2 and addresses for further modules. 3/

2 months ago 0 0 1 0

The lure is a fake list of casualties from the Iranian protests ("Tehran Forensic Medical Files"), listing gruesome details, including the "referring organization" (Basij, MOIS, IRGC) 2/

2 months ago 0 0 1 0

New research uncovering a new Iranian activity cluster - "RedKitten". Spreading with a lure revolving around the Iranian protests, we found a sample of a newly developed malware we dubbed "SloppyMIO", relying on GitHub, Google Drive and Telegram. Very heavy on the AI. 1/

2 months ago 0 0 1 0

#BREAKING #ESETresearch identified the wiper #DynoWiper used in an attempted disruptive cyberattack against the Polish energy sector on Dec 29, 2025. At this point, no successful disruption is known, but the malware’s design clearly indicates destructive intent. 1/5

2 months ago 34 30 1 5
UAC-0057 keeps applying pressure on Ukraine and Poland Identifier: TRR250801. Summary In late July, we identified two clusters of malicious archives that were leveraged to target Ukraine and Poland since April 2025, and that we could link together from th...

As usual, you will find IOCs and YARA rules on our blog post and on our GitHub repository.
harfanglab.io/insidethelab...

8 months ago 2 0 0 0

We found striking similarities with previously reported activity from UNC1151, sometimes referred to as UAC-0057, FrostyNeighbor or Ghostwriter.

8 months ago 2 0 1 0

These downloaders attempt to retrieve next-stage malware from C2 URLs mimicking existing content and delivering JPEG image files.

An exception: some samples use a well-known cloud-hosted collaboration service for C2 communication.

8 months ago 0 0 1 0

Recently, our team at HarfangLab had a look at samples of archives containing weaponized XLS spreadsheets which drop C# and C++ downloaders, and which are likely intended to be delivered to targets in Ukraine and in Poland.

8 months ago 2 0 1 0
Inside Gamaredon's PteroLNK: Dead Drop Resolvers and evasive Infrastructure Identifier: TRR250401. Proactively hunting for Russian-nexus threats, we identified samples from the Pterodo malware family, commonly associated with Gamaredon, uploaded to a public malware analysis p...

New tunneling services timeline:
🗓️ 2025-04-24: lhr[.]life
🗓️ 2025-05-06: serveo[.]net, workers[.]dev
🗓️ 2025-06-11: euw.devtunnels[.]ms

Updated Yara rule alongside IoCs: github.com/HarfangLab/i...

For more information about PteroLNK, please refer to:

harfanglab.io/insidethelab...

9 months ago 0 0 0 0

New Infrastructure scripts:
:URLS → Scrapes Telegraph/Telegram for tunnel URLs → Appends .trycloudflare.com → stores in :URL ADS & registry
:IPS → Fetches IPs via Telegram, check-host[.]net, or ping to hardcoded C2 → stores in :IP ADS & registry

9 months ago 0 0 1 0

The updated downloader now features an improved multi-tier fallback: Registry keys → ADS → Telegraph/Teletype DDRs → hardcoded C2
The LNK dropper maintains core functionality with a tweaked execution command.

9 months ago 0 0 1 0

The new modular malware structure: 4 VBS payloads written to ADS:
:SRV - Updated downloader
:LNK - LNK dropper
:URLS - DDR C2 URL retrieval
:IPS - DDR C2 IP retrieval/resolution
:GTR - Main orchestrator (self)

9 months ago 0 0 1 0

Following our recent #Gamaredon publication, the actor upgraded their PteroLNK malware and expanded infrastructure. Key changes:
- NTFS Alternative Data Streams (ADS) storage
- Randomized HTTP headers breaking network sigs
- Expanded tunneling services
- More robust DDR approach

9 months ago 0 0 1 0
https://harfanglab.io/insidethelab/sadfuture-xdspy-latest-evolution/

Full technical report with IoCs and Yara rules below:

t.co/ycRyLK34H5

10 months ago 0 0 0 0

Our analysis covers the LNK parsing vulnerabilities, detailed XDigo malware analysis, a comprehensive infrastructure overview, and attribution linking current activity to historical XDSpy activities, including a previously unattributed 2023 operation.

10 months ago 0 0 1 0

Through hunting and pivoting, we identified the likely payload: XDigo, XDSpy's Go-based malware deployed against a governmental target in Belarus. We also mapped additional infrastructure showing multiple connections and ties across past campaigns.

10 months ago 0 0 1 0

Dropping new research - this time on recent #XDSpy operations. Out of hundreds of LNK files leveraging ZDI-CAN-25373, we isolated a tiny cluster using an additional LNK parsing trick, leading us to uncover a multi-stage infection chain actively targeting government entities.

10 months ago 1 1 1 0