Posts by IFIN

👀👀👀

18 hours ago 0 0 0 0
Iran Conflict: Cyber Threat Activity Let’s do the thing, shall we? Questions to consider: What are the current cyber capabilities of Iran and its proxies? What are the exigent cyber risks of retaliation in response to the US/Israel attacks? Most public advisories are vague at best, both on capability and projected action. Private reports are more detailed, and include both influence operations and some actual attacks by hacktivist groups. Nothing directly attributed to IRGC that has been released AFAICT. Targeting, such as it...

We've been tracking #Iran cyber activity since the beginning of March, consolidating high-value intelligence into a single thread. One of the most comprehensive resources on the topic, if we do say so ourselves.

2 days ago 2 1 0 0
This Trick Nicks AppleScript ClickFix | IFIN Recent ClickFix variants targeting macOS have used AppleScript URLs instead of pasting commands into Terminal. Let's stop those URLs from leading to execution.

After working on it a bit, we have a fix for a recent #ClickFix attack against #macOS that leverages AppleScript. Here's the writeup, and a link to the forum thread!

ifin-intel.org/blog/...

#ThreatIntel #ThreatIntelligence #IFIN

3 days ago 3 1 1 1
Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them Thanks to a very helpful reply from the author, I have more IoCs and details. The Plugins I was able to find the plugins and related changes to the code on GitHub: Pick any repo and you’ll likely find the same code Austin mentioned in the original blog post. Here’s a random example, with the Git Blame putting the change on 2025-11-12. Not sure why the date discrepancy with Austin’s timeline, but perhaps GitHub changes were mirrored from someplace else. Now, onto the blockchain. ...

Following up on an excellent blog post we discovered (linked in thread), we dug a little deeper on a recent #WordPress plugin compromise. We have more IoCs, and evidence of initial access auctions via the blockchain.

discourse.ifin.netwo...

#ThreatIntel #ThreatIntelligence #ThreatHunting #IFIN

5 days ago 2 2 0 2

For the record, we *have* received independent confirmation of this activity.

5 days ago 2 2 0 0

CISA is claiming that #Iran is once again targeting Programmable Logic Controllers (PLCs), similar to efforts in 2024. Has anyone seen recent evidence of this? None was provided from CISA, and we'd love independent confirmation.

5 days ago 1 2 1 0

We are thrilled to announce that we have taken over operation of one of the most useful open cyber news aggregators around. @taggartinstitute.org has gifted us their FreshRSS instance, which is now available at http://news.ifin.net

1 week ago 1 1 0 1

We just rejected a forum account application because of joke pronouns. That is such a low barrier and if you don't take it seriously, we have no confidence you'll treat our community members with respect.

1 week ago 0 0 0 0

We ask for preferred pronouns when you register. We do this so everyone can address you how you wish. But it's also a signal of how you'll treat others.

1 week ago 1 0 1 0

Update: Adobe has a patch out!

helpx.adobe.com/security/pro...

And an associated CVE: CVE-2026-34621

1 week ago 1 1 0 0
HWMonitor Download Compromised Observable: CPUID Downloads with Malware Observable Type: Supply Chain compromise (?) Details: Users reporting getting a malware executable while downloading HWMonitor software from the official CPUID website A discussion on Reddit from an everyday user, with some analysis in the comments: Reddit - Please wait for verification Some press coverage: https://cybernews.com/security/cpuid-hwmonitor-hwinfo-cpuz-deliver-malware/

CPUID downloads were temporarily compromised earlier today. We have a thread compiling analysis and IoCs for you to investigate:

discourse.ifin.netwo...

#ThreatIntel #IFIN #ThreatIntelligence

1 week ago 3 3 0 0
Adobe 0-day seen in the wild This is an interesting find. PDF exploits are rare and this one looks to be very targeted. Also "yummy_adobe_exploit_uwu.pdf" is a malware naming convention that reminds me why I love this community. I’m struggling to come up with some good detections for this one though. I was hoping for the process tree behavior but this seems very common with acrobat.exe: ``` Acrobat.exe (PID:6416) “manual.pdf” ├── AdobeCollabSync.exe -c (PID:3520) ├── AdobeCollabSync.exe -c (PID:5424) [stealth_timeo...

We've been tracking this Adobe 0-day in Acrobat Reader. Still no patch from Adobe (and no word on affected versions). Per the discoverer, this attack has been ongoing for months.

discourse.ifin.netwo...

#Adobe #0day #ThreatIntel #IFIN

1 week ago 3 1 0 1

Minor programming note: I'm going to probably push most of the threat intelligence material I usually post through @ifin-intel.org, so it's a clear channel for actionable information.

1 week ago 5 2 0 0
White House Seeks to Slash CISA Funding by $707 Million The Trump administration says the FY2027 budget refocuses CISA on its core mission: protecting federal agencies and critical infrastructure.

This right here?

This is a huge part of why we exist. It's time to trust in each other for our mutual protection, because nobody is coming to save us.

1 week ago 2 1 0 0

So, how this works is:

- Our community finds something interesting
- We make a thread
- We investigate together
- The data _remains searchable_ for future reference
- We all win

Come join us!

1 week ago 0 0 0 0
Bizarre crates.io phishing campaign Observable: crates[.]ws Observable Type: Domain Details: Rust maintainer phishing email sending users to a bogus Crates website. Interestingly it looks like the .ws domain redirects to .io unless ...

Looks like we have a live one here. Weird Rust maintainer phishing campaign using `crates[.]ws`:

discourse.ifin.network/t/bizarre-cr...

1 week ago 3 2 1 0
IFIN Generative AI Policy | IFIN Generative AI policy and justification

Our AI Policy. Sorry not sorry:

"With so many downside risks, and with such dubious benefit to usage, the choice for IFIN is clear: we choose not to participate in the toxic cult of generative AI. Our published material and code are not produced with these models."

ifin-intel.org/policies/ai/

1 week ago 2 1 0 0

Glad to have you with us, Ian!

1 week ago 1 0 0 0

I've been part of IFIN (in the background) for several months, talking cyber and sharing intel.

@taggart-tech.com hooked me with this premise: threat intelligence *is* mutual aid.

So for what it's worth, I'm there and in for the long haul. Come join us.

1 week ago 5 2 2 0
Iran Conflict: Cyber Threat Activity This is a return to form for the IRGC, who performed similar attacks (as noted in the advisory) in 2023 under the guise of “CyberAv3ngers.”

CISA just published an advisory about IRGC activity against Rockwell/Allen-Bradley PLCs. This is a return to form for IRGC, following patterns observed in 2023.

discourse.ifin.network/t/iran-confl...

1 week ago 0 0 0 0
Iran Conflict: Cyber Threat Activity Reporting indicating collaboration between Russian state-sponsored groups and Iran. The Ukrainian assessment said Russian and Iranian hacker groups were interacting via Telegram and noted collaborat...

And our first contribution: here is our thread on currently tracked #Iran-based cyber threat activity, including motivations and targeting information.

discourse.ifin.network/t/iran-confl...

1 week ago 3 2 0 0

This has been a year in the making. As Executive Director of IFIN, I'm very excited for what's coming. Join us!

1 week ago 13 8 0 0
What do you see? | IFIN IFIN, the Independent Federated Intelligence Network, is here to make threat intelligence an act of mutual aid. Build the human network with us.

Hello world!

We are IFIN, the Independent Federated Intelligence Network, and we want to change how threat intelligence is done.

We believe we're all safer when we share what we know. Come learn more and join us!

ifin-intel.org/blog/hello/

#ThreatIntel #ThreatIntelligence #Cybersecurity #Infosec

1 week ago 8 3 0 3