🚨 Possible first Iranian wiper activity since the start of the war.
Handala (MOIS-linked) claims targeting Stryker Corporation, reportedly pushing a wiper to Intune-managed endpoints.
Claims currently unverified but seeing more public reporting on it.
Now, who's got samples for analysis?
Posts by Curtis
☁️ 🧪 We've been cooking in the lab!
In our new scenario you can play with EKS, ECR, pipelines and more fun stuff in the cloud.
Sign up and take advantage of our #BlackFriday deal!
🔗cloudlabs.invictus-ir.com
#DFIR #Cloud #Training #cybersecurity
The VendorVandals threat actor tried to compromise us using a phishing lure + fake WeTransfer delivery to achieve a BEC attack.
We followed the breadcrumbs and exposed their campaign.
Details 👇
www.invictus-ir.com/news/the-sto...
🎉BEHOLD! THE AGENDA! 🎉
The inaugural agenda features 15 talks detailing operational updates on the threat landscape, matters of attribution, and unique explorations of unconventional manifestations of state presence.
Get registered quick!!!
stateofstatecraft.com/agenda
Cloud Labs is live!
🏗️ Build or increase your cloud incident response skills with realistic labs and scenarios.
Register for Cloud Labs: cloudlabs.invictus-ir.com
💙Microsoft Extractor Suite v4 is here
Update-Module -Name Microsoft-Extractor-Suite
Learn more about the new features in the blog, and thanks to everyone who contributed!
invictus-ir.com/news/black-h...
#stayInvictus #CloudIncidentResponse #DFIR
Why am I so unimpressed by these strikes? Israel and the US have failed to target significant elements of Iran's nuclear materials and production infrastructure. RISING LION and MIDNIGHT HAMMER are tactically brilliant, but may turn out to be strategic failures. 🧵 1/17
So @gabagool.ing (who will henceforth be referred to as "gabbot") and I wrote some stuff on some ASP phishing campaigns: cloud.google.com/blog/topics/...
Citizen Lab worked closely with one of the targets and shared their work on it also: citizenlab.ca/2025/06/russ...
#CharmingKitten #APT42 #TA453
C2: Telegram Bot used for error messages and auto-start messaging to the operator
Dutch intelligence discovers a new Russian APT—LAUNDRY BEAR
www.aivd.nl/documenten/p...
Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...
The limited IOCs on this pointed toward an ORB network...nice to see some reporting that supports attribution.
High-level overview of JavaGhost's TTPs
This isn’t recycled noise on JavaGhost. It surfaces the often-overlooked details responders and CTI analysts actually need.
Practical takeaways include:
✔️ Mapped TTPs
✔️ IR checklist
✔️ Actor context & relevancy
invictus-ir.com/news/profili...
#CTI #CloudSecurity #AWS #DFIR #JavaGhost
Call-back Proxy Network: 103.131.213[.]89 | 182.185.156[.]45 – likely a mix of anonymous activity and normal activity.
Mass SMTP Tester: 134.199.148[.]132 – banner previously responded with Mass SMTP Tester header.
🚨 New blog from @securitylabs.datadoghq.com on fresh AWS TTPs! I pivoted & enriched their infra data to uncover the actor #JavaGhost is likely abusing callback proxy networks and leveraging Mass SMTP Tester.
🔗 securitylabs.datadoghq.com/articles/tal...
#CloudSecurity #ThreatIntel #CTI
ATT&CK v17 is now live! This release includes the first version of the ESXi platform, a pile of defensive upgrades, and fresh content across Enterprise, Mobile, and ICS.
Check out our blog post describing the changes by Amy Robertson & @whatshisface.bsky.social at medium.com/mitre-attack....
@volexity.com #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps + OAuth to compromise targets.
www.volexity.com/blog/2025/04...
#dfir
🚨 New blog: BlackBasta’s leaks show how ransomware crews still exploit hybrid environments while Scattered Spider leans fully into cloud.
Two actors, two strategies. What it means for IR, cloud defense, and ransomware readiness.
👉 invictus-ir.com/news/cloud-h...
#DFIR #CloudSecurity #CTI
🔍 New Blog: Essential Cloud Logs for Incident Response
🪵 Are you collecting the right logs for cloud security incidents? We break down the must-have logs to detect, investigate, and respond effectively in the cloud.
🔗 www.invictus-ir.com/news/cloud-i...
#dfir #aws #microsoft #google
🚨 New Blog: Forensic Analysis of eM Client 🚨
If you handle BEC investigations, you've probably encountered eM Client more than once. We break down the forensic traces this application leaves behind.
🔍 Read now: www.invictus-ir.com/news/forensi...
#CyberSecurity #DFIR #BEC #ThreatIntel #CTI
Link to the IOCs and TTPs: github.com/invictus-ir/...
#DFIR #CTI #ThreatIntel
🚨 New Blog Alert: “Locked Out, Dropboxed In: When BEC Threats Innovate” 🚨
Dive into an intriguing BEC attack and discover how this threat actor navigated a cloud environment to evade detection. We’ve also mapped the TTPs and shared IOCs on our GitHub.
👉 www.invictus-ir.com/news/locked-...