Orange Cyberdefense CERT (@ocd-cert) Bsky

Our analysis covers updated #BURNBOOK and #MISTPEN variants, that feature slight changes in their main routines and C2 loop.
UNC2970 relied on compromised infrastructure on SharePoint and WordPress, aligning with previous findings.

5 months ago 3 1 0 0

🔎Our CERT is releasing a new technical report on 🇰🇵Operation #DreamJob, focusing on recent evolution in its tooling.
Following an IR engagement at a large manufacturing client based in 🇪🇺, we investigated artefacts we attribute to #UNC2970.
➡️Full blog: ow.ly/V4mr50Xug1l

5 months ago 2 1 1 0

🎣🧀 Since early September 2025, the Orange Cyberdefense CSIRT and CyberSOC teams have detected phishing campaigns impersonating Meta, AppSheet and Paypal, leading to malware delivery. Our team tracks this activity under the alias "Metappenzeller".
#CTI #ThreatIntel #Metappenzeller #phishing

7 months ago 0 1 1 0

🧀 Update on MintsLoader: a thread 🔽
MintsLoader is a JavaScript/PowerShell loader that was first detailed by OCD in 2024.
A new version has been around at least since early-June 2025.
#threatintel #cti #mintsloader

9 months ago 3 4 1 0

cti/emmenhtal at main · cert-orangecyberdefense/cti IOCs for World Watch investigations. Contribute to cert-orangecyberdefense/cti development by creating an account on GitHub.

🔗IoCs and Yara available on our GitHub: github.com/cert-orangec...
📮World Watch advisory released today for our clients.

1 year ago 1 0 0 0

During our analysis, we noticed a surprising line, likely written by threat actors to prevent AI-powered file scanning
This is actually the first time we observed such an attempt, even though we found it to be unsuccessful with GPT-4o.

1 year ago 1 0 1 0

V3 features several changes including new mouse movements speed check.
Recent infection chains includes new intermediary stage (Powershell with AMSI bypass feature which loads a .NET stage) in charge of delivering #stealers.

1 year ago 0 0 1 0

🆕New version of #Emmenhtal loader actively distributed worldwide since early March, leading to #Lumma or #Rhadamanthys stealers.
Very low AV detection on VT for now.
Similarly to V2, Emmenhtal V3 masquerades as #mp3 or #mp4 files, including relaxation songs.🧘‍♀️

1 year ago 3 1 1 0

🆕New version of our #ransomware mapping is out on our GitHub!
➡️github.com/cert-orangecyberdefense/...
V28 (!) includes latest newcomers and recent ecosystem evolutions.🔍
As always, feedback is welcome!
#cti #threatintel

1 year ago 3 3 0 0

Orange Cyberdefense CERT Threat Research: The hidden network map

📍For more than 8 months, our threat researchers from OCD
have worked on mapping China's civil-military–industrial complex when it comes to #cyberespionage operations.

⛯ Consult our newly published deep-dive report and interactive map here:
research.cert.orangecyberdefense.com/hidden-netwo...

1 year ago 5 2 0 0

Posts by Orange Cyberdefense CERT