
Posts by World Watch OCD

🔗 Related IoCs could be found on GitHub:
github.com/cert-orangec...

6 months ago 1 0 0 0
This is a scheme describing the infection chain. 
1. Email received.
2. Download a ZIP file from an actor-controlled website.
3. User clicks on an executable that sideloads a malicious DLL.
4. The malicious DLL unpacks an archive contained in the ZIP file, opens a Word document, and executes a Python script or a BAT file to fetch the final payload.

☣ The main lure deploys a full Python environment and runs a Python script responsible for fetching the next stage from a remote C2. Then it opens a decoy file in Word. The C2s are now inactive but have been tied to the Pure malware family.

6 months ago 1 0 1 0

✉ The campaigns are initiated from the legitimate noreply[@]appsheet.com address and deliver various payloads, with lures targeting corporate sales, marketing, and legal teams. We advise hunting for emails from this sender.

6 months ago 0 0 1 0
Preview
MalwareHunterTeam on X: "invoice.bat": ebc3a6999612cc73ab2162c2e461018967748245cd150798c268c5821f8af10b Another case when the file is FUD on VT for the vendors, but there are @thor_scanner comments... 🤷‍♂️ bestsaleshoppingday[.]com 166.0.184[.]127 162.218.115[.]218 https://t.co/SeTWXQetyG

✨ AppSheet is a Google platform that enables no-code development of mobile, tablet, and web applications. KnowBe4, RavenMail, and MalwareHunterTeam have also previously mentioned such campaigns.
x.com/i/web/status...
ravenmail.io/blog/appshee...
blog.knowbe4.com/impersonatin...

6 months ago 0 0 1 0

🎣🧀 Since early September 2025, the Orange Cyberdefense CSIRT and CyberSOC teams have detected phishing campaigns impersonating Meta, AppSheet and PayPal, leading to malware delivery. Our team tracks this activity under the alias "Metappenzeller".
#CTI #ThreatIntel #Metappenzeller #phishing

6 months ago 0 1 1 0

The new version has removed these notable behaviours and is seen in campaigns with fake invoice lures. New indicators of compromise (IoCs) are available on our GitHub: github.com/cert-orangec...

9 months ago 1 2 0 0

🤖These detection opportunities were presented during Botconf 2025: www.botconf.eu/wp-content/u...

9 months ago 1 2 1 0
Preview
Andrew Melville : Morison, William : Free Download, Borrow, and Streaming : Internet Archive

⛪🔎Historically, new MintsLoader JS samples were easy to find because the obfuscation strings consistently used text from a book, Andrew Melville by William Morison.
The associated infrastructure could be tracked thanks to specific patterns and campaign IDs in the C2 URLs: archive.org/details/cu31...

9 months ago 1 2 1 0

🧀 Update on MintsLoader: a thread 🔽
MintsLoader is a JavaScript/PowerShell loader that was first detailed by OCD in 2024.
A new version has been around at least since early June 2025.
#threatintel #cti #mintsloader

9 months ago 3 4 1 0

Written in C++, #NailaoLocker is relatively unsophisticated and poorly designed. The ransomware uses the “.locked” extension. It is loaded through DLL search-order hijacking.

1 year ago 0 0 0 0

➡️The full article on the Green Nailao cluster is available here: orangecyberdefense.com/global/blog/...
➡️IOCs and Yara can be found on our GitHub: github.com/cert-orangec...

1 year ago 0 0 1 0

🆕We publish today the result of a deep-dive investigation into a malicious campaign leveraging #ShadowPad and #PlugX to distribute a previously-undocumented ransomware, dubbed #NailaoLocker.
This campaign targeted 🇪🇺 organizations during S2 2024 and is tied to Chinese TA 🇨🇳.

1 year ago 1 0 1 0

We provide a #Yara Rule to hunt for Edam Dropper, as well as related #Iocs and technical details, available on GitHub.
🤝The infection chain was also analyzed by @strikereadylabs.com last week, and could be tied to 🇷🇺 #Sandworm APT (low confidence).

strikeready.com/blog/ru-apt-...

1 year ago 2 1 0 1
Preview
GitHub - cert-orangecyberdefense/edam: Edam dropper

While monitoring recent #Emmenhtal iterations, we observed a distinct politically-aligned cluster 🇪🇺, strongly differing from the usual financially motivated Emmenhtal distributions.
This cluster drops another malware we dubbed #Edam Dropper🧀
github.com/cert-orangec...

Targets: European #energy sector🔋

1 year ago 2 0 1 0
Orange Cyberdefense CERT Threat Research: The hidden network map

📍For more than 8 months, our threat researchers from OCD have worked on mapping China's civil-military-industrial complex when it comes to #cyberespionage operations.

⛯ Consult our newly published deep-dive report and interactive map here:
research.cert.orangecyberdefense.com/hidden-netwo...

1 year ago 5 2 0 0