SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware

SocGholish, a malware-as-a-service framework, is being used to deploy RansomHub ransomware. It compromises legitimate websites, redirecting visitors to fake browser updates that deliver malicious payloads. The highly obfuscated JavaScript loader evades detection and executes various tasks, including reconnaissance, credential theft, and backdoor deployment. Water Scylla, the group behind this activity, collaborates with threat actors operating rogue Keitaro TDS instances for payload distribution. The attack chain involves multiple stages, from initial access to ransomware deployment. SocGholish's versatile loader can download and execute malicious payloads, exfiltrate data, and execute arbitrary commands. Recent detections show high activity in the US, primarily targeting government organizations.

Pulse ID: 67d40207691067461210a612
Pulse Link: otx.alienvault.com/pulse/67d40…
Pulse Author: AlienVault
Created: 2025-03-14 10:16:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #CyberSecurity #FakeBrowser #Government #InfoSec #Java #JavaScript #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #RansomWare #SocGholish #bot #AlienVault

VHDs Used to Distribute VenomRAT and Other Malware

A phishing campaign is utilizing virtual hard disk (VHD) image files to deliver VenomRAT malware. The attack begins with a purchase order-themed email containing a ZIP archive with a VHD file. When opened, the VHD mounts as a drive and executes a heavily obfuscated batch script. This script employs PowerShell to perform malicious activities, including dropping files in the Startup folder for persistence, modifying registries, and connecting to Pastebin for C2 communication. The malware creates a DataLogs.conf file to capture keystrokes and sensitive data, which is then exfiltrated to the C2 server. The campaign also utilizes AES encryption and multiple layers of obfuscation to evade detection.

Pulse ID: 67d4020796732ac274dd165c
Pulse Link: otx.alienvault.com/pulse/67d40…
Pulse Author: AlienVault
Created: 2025-03-14 10:16:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #Encryption #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #Venom #ZIP #bot #AlienVault

New Ransomware Operator Exploits Fortinet Vulnerability Duo

A new ransomware operator, dubbed Mora_001, has been exploiting Fortinet firewall vulnerabilities CVE-2024-55591 and CVE-2025-24472 to gain unauthorized access and deploy a modified version of LockBit ransomware. The threat actor creates persistent admin accounts, exfiltrates firewall configurations, and uses VPN access for lateral movement. They selectively target file servers for encryption after data theft. The ransomware, named SuperBlack, uses LockBit's infrastructure but removes branding. The actor employs a custom VPN brute-forcing tool and leaves ransom notes linking to LockBit's Tox chat ID. This campaign highlights the increasing trend of exploiting perimeter security appliances and the evolving ransomware landscape.

Pulse ID: 67d480f60fd90362549708b6
Pulse Link: otx.alienvault.com/pulse/67d48…
Pulse Author: AlienVault
Created: 2025-03-14 19:18:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #Encryption #InfoSec #LockBit #OTX #OpenThreatExchange #RAT #RansomWare #VPN #Vulnerability #bot #AlienVault

Off the Beaten Path: Recent Unusual Malware

This article examines three unique malware samples discovered in the past year. The first is a passive IIS backdoor written in C++/CLI, an uncommon language for malware. It has extensive functionality and appears professionally developed, possibly for targeted attacks. The second is a bootkit that installs a customized GRUB 2 bootloader to play Dixie through the PC speaker on boot. While sharing some characteristics with Equation Group malware, it's likely unrelated. The third is a new cross-platform post-exploitation framework called ProjectGeass, still in development. It has features like file management, keylogging, and payload execution. These samples demonstrate novel techniques being used by malware authors.

Pulse ID: 67d45b59d8ae3590bfe26479
Pulse Link: otx.alienvault.com/pulse/67d45…
Pulse Author: AlienVault
Created: 2025-03-14 16:37:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Bootkit #CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #RAT #bot #AlienVault

Ramadan Scams on the Rise: Fake Giveaways, Crypto Traps & Fraudulent Donations

Cybercriminals are exploiting Ramadan's spirit of generosity through various scams targeting unsuspecting individuals. These include wallet-draining schemes disguised as religious incentives, fraudulent crypto tokens, fake e-commerce sales, and deceptive donation campaigns. Scammers utilize social media verification badges, AI-generated promotions, and psychological manipulation to lure victims. The scams range from 'earn while you worship' programs to fake data pack giveaways and counterfeit product listings. The rise of Ramadan-themed tokens on cryptocurrency platforms highlights the need for increased regulation. Victims are often tricked into connecting their crypto wallets or sharing personal information, leading to financial losses and potential identity theft.

Pulse ID: 67d3f1a085f882582ded1ecb
Pulse Link: otx.alienvault.com/pulse/67d3f…
Pulse Author: AlienVault
Created: 2025-03-14 09:06:40

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #RCE #SocialMedia #bot #cryptocurrency #AlienVault

Affiliate Fraud at Scale: AI, Black Hat SEO, Social Media, and Brand Abuse in iGaming and VPNs

A large-scale affiliate marketing campaign has been uncovered, utilizing AI-generated content, automation, fake social media accounts, and Black Hat SEO to manipulate search rankings and drive traffic to iGaming and VPN promotions. The operation involves thousands of subdomains, redirection chains, and fake social media accounts across multiple platforms. The campaign aligns with high-traffic events and seasonal promotions, exploiting affiliate programs like 7StarPartners and NordVPN. It employs sophisticated SEO manipulation techniques and AI-generated content in multiple languages to maximize visibility and engagement. The fraudulent activities undermine market integrity, consumer trust, and legitimate businesses' visibility while compromising the reliability of affiliate programs.

Pulse ID: 67d368f065176e250b13b038
Pulse Link: otx.alienvault.com/pulse/67d36…
Pulse Author: AlienVault
Created: 2025-03-13 23:23:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #GRIT #InfoSec #OTX #OpenThreatExchange #RAT #Rust #SocialMedia #VPN #bot #AlienVault

Investigating Scam Crypto Investment Platforms Using Pyramid Schemes to Defraud Victims

A campaign distributing thousands of fraudulent cryptocurrency investment platforms via websites and mobile applications has been uncovered. The operation impersonates well-known brands and organizations, luring victims with unrealistic promises of high returns. The consistent design of the platforms suggests the use of a standardized toolkit for large-scale development. Domains are primarily registered in Singapore using lenient registrars and fake names. The scam targets users in East African and Asian countries, utilizing Telegram channels for engagement. The platforms operate like Ponzi schemes, encouraging user recruitment through multi-level affiliate programs. Evidence points to a single threat actor behind the campaign, given the consistent registration patterns and infrastructure use.

Pulse ID: 67d2f280b7950e8b19eb1601
Pulse Link: otx.alienvault.com/pulse/67d2f…
Pulse Author: AlienVault
Created: 2025-03-13 14:58:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Africa #Asia #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #Singapore #Telegram #bot #cryptocurrency #AlienVault

Head Mare and Twelve: Joint attacks on Russian entities

Head Mare and Twelve, two hacktivist groups, have launched joint attacks on Russian companies. Head Mare has expanded its toolkit, now using tools previously associated only with Twelve, such as the CobInt backdoor. The attackers gained initial access through phishing emails and compromised contractors. They used various tools for reconnaissance, privilege escalation, lateral movement, and data exfiltration. The final goal was file encryption using LockBit 3.0 and Babuk ransomware. Overlaps in infrastructure, tactics, and tools suggest collaboration between the two groups. The attacks primarily targeted manufacturing, government, and energy sectors in Russia.

Pulse ID: 67d2f2839a4838011419a38a
Pulse Link: otx.alienvault.com/pulse/67d2f…
Pulse Author: AlienVault
Created: 2025-03-13 14:58:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Email #Encryption #Government #Hacktivist #ICS #InfoSec #LockBit #Manufacturing #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #Russia #UK #bot #AlienVault

Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

A phishing campaign targeting the hospitality industry impersonates Booking.com to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, uses a social engineering technique called ClickFix to trick users into downloading malicious payloads. Targets are sent emails with links to fake Booking.com pages, which prompt users to execute commands that download malware. The campaign delivers various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Organizations in North America, Oceania, Asia, and Europe are targeted. The threat actor's evolving tactics demonstrate attempts to bypass conventional security measures.

Pulse ID: 67d30e5c763aea4dce897014
Pulse Link: otx.alienvault.com/pulse/67d30…
Pulse Author: AlienVault
Created: 2025-03-13 16:57:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #AsyncRAT #CyberSecurity #DanaBot #Email #Europe #Hospital #ICS #InfoSec #LummaStealer #Malware #NetSupport #NetSupportRAT #NorthAmerica #OTX #OpenThreatExchange #Phishing #RAT #SocialEngineering #Venom #Worm #XWorm #bot #AlienVault

File Hashes Analysis with Power BI from Data Stored in DShield SIEM

This analysis showcases the use of Power BI to examine file hash data from a DShield SIEM over a 60-day period. The process involved exporting data from Elastic Discover, importing it into Power BI, and creating visualizations for analysis. Key findings include the identification of an IP address (87.120.113.231) associated with RedTail malware, uploading six different files with multiple hashes. The analysis also revealed the reappearance of a previously identified Linux Trojan (Xorddos) from new IP addresses within the same subnet. Additionally, two strange filenames were discovered and investigated, with one identified as an IRCBot through VirusTotal. This method of large dataset analysis proves valuable in uncovering potentially overlooked or lost data through retrospective examination.

Pulse ID: 67d2a955c677b493cb1eaa8f
Pulse Link: otx.alienvault.com/pulse/67d2a…
Pulse Author: AlienVault
Created: 2025-03-13 09:45:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#0Day #CyberSecurity #DDoS #DShield #DoS #InfoSec #LUA #Linux #Malware #OTX #OpenThreatExchange #Rust #Trojan #VirusTotal #bot #AlienVault

Unmasking GrassCall Campaign: The Hackers Behind Job Recruitment Cyber Scams

The GrassCall malware campaign, orchestrated by the Russian-speaking cybercriminal group 'Crazy Evil,' targets job seekers in the cryptocurrency and Web3 sectors. The attackers create fake companies and job postings, luring victims into downloading malicious software disguised as a video conferencing application. This sophisticated social engineering attack deploys Remote Access Trojans and information-stealing programs like Rhadamanthys for Windows users and Atomic macOS Stealer for Mac users. The campaign aims to compromise systems and steal cryptocurrency assets, with hundreds of people already affected. The infection chain involves impersonation, phishing communication, and malware deployment, showcasing the group's advanced tactics in identity fraud and cryptocurrency theft.

Pulse ID: 67d22b2efc6a2747fb9818f9
Pulse Link: otx.alienvault.com/pulse/67d22…
Pulse Author: AlienVault
Created: 2025-03-13 00:47:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Atomic #CyberSecurity #ICS #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Phishing #RAT #RemoteAccessTrojan #Rhadamanthys #Russia #SocialEngineering #Trojan #Web3 #Windows #bot #cryptocurrency #AlienVault

JSPSpy and 'Filebroser': A Custom File Management Tool in Webshell Infrastructure

Researchers have identified a cluster of JSPSpy web shell servers featuring 'Filebroser', a modified version of the open-source File Browser project. The infrastructure spans multiple hosting providers in China and the United States, using both cloud services and traditional ISPs. JSPSpy, a Java-based web shell first observed in 2013, has been used by various threat actors, including the Lazarus Group. The servers typically host JSPSpy on port 80, with one instance on port 8888. Two servers also host the 'filebroser' login panel on port 8001. Detection strategies for JSPSpy include analyzing login page titles and HTTP response headers. The presence of 'filebroser' alongside JSPSpy raises questions about its purpose in attack operations.

Pulse ID: 67d19fafcb563e4ea849a1bb
Pulse Link: otx.alienvault.com/pulse/67d19…
Pulse Author: AlienVault
Created: 2025-03-12 14:52:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #China #Cloud #CyberSecurity #HTTP #InfoSec #Java #Lazarus #OTX #OpenThreatExchange #RAT #RCE #UnitedStates #bot #AlienVault

Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers

China-nexus espionage group UNC3886 has been discovered deploying custom backdoors on Juniper Networks' Junos OS routers. The attackers used TINYSHELL-based backdoors with varying capabilities, including active and passive functions, and an embedded script to disable logging. The group demonstrated advanced knowledge of system internals and focused on maintaining long-term access while minimizing detection risk. UNC3886 targeted defense, technology, and telecommunication organizations in the US and Asia, leveraging legitimate credentials for initial access. The malware ecosystem included six distinct samples, each with unique features for bypassing security measures and maintaining persistence. The activity highlights the ongoing trend of targeting networking infrastructure for espionage purposes.

Pulse ID: 67d19fb0251eec29638b00e4
Pulse Link: otx.alienvault.com/pulse/67d19…
Pulse Author: AlienVault
Created: 2025-03-12 14:52:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #China #CyberSecurity #Edge #Espionage #InfoSec #Malware #Nim #OTX #OpenThreatExchange #RAT #Telecom #Telecommunication #bot #AlienVault

Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice

Threat actors are increasingly using legitimate remote monitoring and management (RMM) tools as initial payloads in email campaigns. This trend aligns with a decrease in the use of traditional loaders and botnets by initial access brokers. RMMs can be exploited for data collection, financial theft, lateral movement, and installing additional malware. Notable RMM tools observed in campaigns include ScreenConnect, Fleetdeck, and Atera. The shift towards RMM usage coincides with law enforcement disruptions of major malware families and a decline in ransomware payments. Specific threat actors like TA583 and TA2725 have been observed incorporating RMMs into their attack strategies. Organizations are advised to restrict unauthorized RMM installations, implement network detections, and train users to identify suspicious activity.

Pulse ID: 67d1afa2d9e59f25878898b6
Pulse Link: otx.alienvault.com/pulse/67d1a…
Pulse Author: AlienVault
Created: 2025-03-12 16:00:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #InfoSec #LawEnforcement #Malware #OTX #OpenThreatExchange #RAT #RCE #RansomWare #ScreenConnect #bot #botnet #AlienVault

Stopping Sobolan Malware with Aqua Runtime Protection

A new attack campaign targeting interactive computing environments like Jupyter Notebooks has been discovered. The attack involves downloading a compressed file from a remote server, which, when executed, deploys multiple malicious tools to exploit the server and establish persistence. The campaign poses a significant risk to cloud-native environments by enabling unauthorized access and long-term control over compromised systems. The attack flow includes initial access through an unauthenticated JupyterLab instance, downloading and extracting malicious files, executing scripts to launch additional binaries, and establishing persistence while evading detection. The malware deploys cryptominers and attempts to kill competing processes. Runtime protection solutions can effectively detect, block, and mitigate these threats using real-time threat intelligence, malware scanning, and customizable policies.

Pulse ID: 67d1748f2c0de9c0771afa40
Pulse Link: otx.alienvault.com/pulse/67d17…
Pulse Author: AlienVault
Created: 2025-03-12 11:48:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CryptoMiner #CyberSecurity #InfoSec #Jupyter #Malware #OTX #OpenThreatExchange #bot #AlienVault

APT37 - RokRat

APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on Windows and Android platforms through phishing campaigns. The group's attack vector involves malicious LNK files distributed via group chat platforms. The infection process begins with phishing emails containing ZIP attachments that conceal malicious LNK files. When executed, these files initiate a multi-stage attack using batch scripts and PowerShell, ultimately deploying RokRat as the final payload. RokRat, a remote access Trojan, collects detailed system information, abuses cloud services for command and control, and employs anti-analysis techniques. It can execute remote commands, exfiltrate data, and perform various malicious activities on infected systems.

Pulse ID: 67d1765e955b4c08e7d77807
Pulse Link: otx.alienvault.com/pulse/67d17…
Pulse Author: AlienVault
Created: 2025-03-12 11:56:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #Android #Cloud #CyberSecurity #Email #InfoSec #Korea #LNK #NorthKorea #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RemoteAccessTrojan #Trojan #Windows #ZIP #bot #AlienVault

Trump Cryptocurrency Delivers ConnectWise RAT

An email campaign impersonating Binance is offering fake TRUMP coins to lure victims into downloading a malicious 'Binance Desktop' application, which actually installs ConnectWise RAT. The attackers have created a convincing web page mimicking Binance's interface to host the malware download. Once infected, threat actors quickly establish remote control of the victim's computer, targeting saved passwords in applications like Microsoft Edge. The campaign employs sophisticated social engineering tactics, including sender name spoofing and risk warnings, to appear legitimate. Threat actors are actively monitoring infections and can connect to compromised systems within minutes of installation.

Pulse ID: 67d0743fa696bc6ef3985a7d
Pulse Link: otx.alienvault.com/pulse/67d07…
Pulse Author: AlienVault
Created: 2025-03-11 17:34:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Binance #ConnectWise #CyberSecurity #Edge #Email #ICS #InfoSec #Malware #Microsoft #MicrosoftEdge #Mimic #OTX #OpenThreatExchange #Password #Passwords #RAT #SocialEngineering #Word #bot #cryptocurrency #AlienVault

New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects

Microsoft Threat Intelligence has discovered a new variant of XCSSET, a sophisticated macOS malware that infects Xcode projects. This latest version features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. The malware steals and exfiltrates files, system information, and user data, including digital wallet information and notes. It uses a modular approach with encoded payloads, improved error handling, and heavy use of scripting languages and legitimate binaries. The malware's infection chain consists of four stages, with the fourth stage running various sub-routines. Notable capabilities include three distinct persistence techniques and a new infection method for Xcode projects. The malware's command-and-control server is active and downloading additional modules.

Pulse ID: 67d0743ee88ba7ed70f088fb
Pulse Link: otx.alienvault.com/pulse/67d07…
Pulse Author: AlienVault
Created: 2025-03-11 17:34:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Mac #MacOS #Malware #Microsoft #OTX #OpenThreatExchange #RAT #SMS #bot #AlienVault

Infostealer Campaign against ISPs

A campaign targeting ISP infrastructure providers on the West Coast of the United States and China has been identified. Originating from Eastern Europe, the attackers use simple tools to abuse victims' computer processing power for cryptomining and credential theft. The initial access is gained through brute force attacks using weak credentials. The malware has diverse functions including data exfiltration, additional crimeware deployment, self-termination to avoid detection, persistence establishment, remote access disabling, and pivot attacks to targeted CIDRs. The actors perform minimal intrusive operations, relying on scripting languages and API calls for C2 operations. The campaign specifically targets ISP infrastructure, likely for cryptomining purposes.

Pulse ID: 67d0453f6e8dbd8ac7c4a924
Pulse Link: otx.alienvault.com/pulse/67d04…
Pulse Author: AlienVault
Created: 2025-03-11 14:14:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BruteForce #China #CrimeWare #CryptoMining #CyberSecurity #ELF #EasternEurope #Europe #InfoSec #InfoStealer #Malware #Nim #OTX #OpenThreatExchange #RAT #RCE #UnitedStates #bot #AlienVault

Camera off: Akira deploys ransomware via webcam

Akira, a prominent ransomware group, accounted for 15% of incidents in 2024, showcasing novel evasion techniques. In a recent attack, Akira circumvented an Endpoint Detection and Response (EDR) tool by compromising an unsecured webcam to deploy ransomware. After initial detection, the group pivoted to exploit IoT devices, particularly a vulnerable webcam running Linux. This allowed them to execute their Linux ransomware variant without EDR interference. The incident highlights the importance of comprehensive security measures, including IoT device monitoring, network segmentation, and regular audits. Key takeaways include prioritizing patch management for all devices, adapting to evolving threat actor tactics, and ensuring proper EDR implementation.

Pulse ID: 67d046979aa7a5f6ddc6aa12
Pulse Link: otx.alienvault.com/pulse/67d04…
Pulse Author: AlienVault
Created: 2025-03-11 14:20:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Akira #CyberSecurity #EDR #Endpoint #EndpointDetectionandResponse #ICS #InfoSec #IoT #Linux #OTX #OpenThreatExchange #RansomWare #bot #AlienVault

A Deep Dive into Strela Stealer and how it Targets European Countries

Strela Stealer is an infostealer targeting email clients in specific European countries. It exfiltrates login credentials from Mozilla Thunderbird and Microsoft Outlook. The malware is delivered through phishing campaigns, primarily affecting Spain, Italy, Germany, and Ukraine. Recent campaigns involve forwarding legitimate emails with malicious attachments. Strela Stealer employs custom obfuscation techniques and code-flow flattening to complicate analysis. The malware verifies the system's locale before executing, targeting specific language regions. It searches for email client profile data, encrypts it, and exfiltrates it to a command-and-control server. The infrastructure used by Strela Stealer is linked to Russian bulletproof hosting providers, suggesting potential ties to Russian threat actors.

Pulse ID: 67d045cff4f0a2adaabd0c05
Pulse Link: otx.alienvault.com/pulse/67d04…
Pulse Author: AlienVault
Created: 2025-03-11 14:16:47

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #Europe #Germany #InfoSec #InfoStealer #Italy #Malware #Microsoft #OTX #OpenThreatExchange #Outlook #Phishing #RAT #Russia #Spain #UK #Ukr #Ukraine #bot #AlienVault

Desert Dexter.Attacks on Middle Eastern Countries

A malicious campaign targeting residents of Middle East and North Africa has been discovered, active since September 2024. The attackers create fake news groups on social media and publish posts with links to file-sharing services or Telegram channels containing modified AsyncRAT malware. The malware is designed to search for crypto wallets and interact with a Telegram bot. The most targeted countries include Egypt, Libya, UAE, Russia, Saudi Arabia, and Turkey. The attack chain involves multiple stages, including the use of PowerShell scripts and a reflective loader written in C#. The AsyncRAT modification includes an offline keylogger and collects information about crypto wallet extensions and software. The campaign has affected approximately 900 victims from various countries, including employees of companies in oil extraction, construction, IT, and agriculture sectors.

Pulse ID: 67d067e5a536ae07f1382810
Pulse Link: otx.alienvault.com/pulse/67d06…
Pulse Author: AlienVault
Created: 2025-03-11 16:42:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Africa #AsyncRAT #CyberSecurity #FileSharing #InfoSec #KeyLogger #Malware #MiddleEast #OTX #OpenThreatExchange #PowerShell #RAT #Russia #SaudiArabia #SocialMedia #Telegram #Turkey #UAE #bot #AlienVault

AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution

A campaign using fake GitHub repositories to distribute SmartLoader and Lumma Stealer malware has been uncovered. The attackers create convincing repositories using AI-generated content to deceive users into downloading malicious files disguised as gaming cheats, cracked software, and system tools. The malware is delivered through obfuscated Lua scripts in ZIP files, exploiting GitHub's trusted reputation to evade detection. Upon execution, SmartLoader facilitates the delivery of Lumma Stealer, which can steal sensitive information like cryptocurrency wallets, 2FA extensions, and login credentials. This campaign demonstrates the evolving tactics of cybercriminals, adapting from using GitHub file attachments to creating entire repositories with AI-assisted deception.

Pulse ID: 67d02fc805ff65bf0f2f46eb
Pulse Link: otx.alienvault.com/pulse/67d02…
Pulse Author: AlienVault
Created: 2025-03-11 12:42:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#2FA #CyberSecurity #GitHub #ICS #InfoSec #LUA #LummaStealer #Malware #OTX #OpenThreatExchange #RAT #Rust #ZIP #bot #cryptocurrency #AlienVault

Malicious Packages Identified in the Wild: Insights and Trends from November 2024 Onward

FortiGuard Labs has analyzed malicious software packages detected from November 2024 to March 2025, revealing various attack techniques used to exploit system vulnerabilities. Key findings include 1,082 packages with low file counts, 1,052 packages with suspicious install scripts, and 1,043 packages lacking repository URLs. Attackers employ methods such as obfuscation, command overwrite, and typosquatting to bypass security measures. The analysis highlights the use of suspicious APIs, URLs, and installation scripts to exfiltrate data, establish backdoors, and perform remote control activities. Specific cases involve malicious Python and Node.js packages targeting developers and harvesting sensitive information. The report emphasizes the importance of robust detection strategies and proactive defense measures to mitigate these evolving cybersecurity threats.

Pulse ID: 67cf4b932b27ceeadb710aab
Pulse Link: otx.alienvault.com/pulse/67cf4…
Pulse Author: AlienVault
Created: 2025-03-10 20:29:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #FortiGuard #FortiGuardLabs #InfoSec #Nodejs #OTX #OpenThreatExchange #Python #RAT #TypoSquatting #bot #developers #AlienVault

Blind Eagle: …And Justice for All

Check Point Research uncovered ongoing campaigns by Blind Eagle targeting Colombian institutions since November 2024. The group exploits a variant of CVE-2024-43451, using malicious .url files to deliver malware. Their attack chain includes HeartCrypt-packed executables, a .NET RAT, and Remcos RAT as the final payload. The campaigns have high infection rates, with over 1,600 victims in a single operation. Blind Eagle utilizes legitimate platforms like Google Drive and GitHub for malware distribution. The group's operating timezone suggests South American origins. An operational failure revealed past phishing activities targeting Colombian banks, resulting in over 8,000 stolen PII entries.

Pulse ID: 67cf37cf03a9a42f431dbbef
Pulse Link: otx.alienvault.com/pulse/67cf3…
Pulse Author: AlienVault
Created: 2025-03-10 19:04:47

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BlindEagle #CheckPoint #CyberSecurity #GitHub #Google #InfoSec #Malware #NET #OTX #OpenThreatExchange #Phishing #RAT #Remcos #RemcosRAT #SouthAmerica #bot #AlienVault

Highway Robbery 2.0: How Attackers Are Exploiting Toll Systems in Phishing Scams

A massive SMS phishing campaign targeting U.S. drivers exploits various toll systems, including E-ZPass, SunPass, and TxTag. The scam uses fake payment alerts sent via iMessage and SMS from foreign numbers to lure victims to fraudulent websites. Analysis reveals a pattern in domain names and infrastructure, with most phishing sites hosted on Chinese ASNs like Tencent and Alibaba Cloud. The campaign employs nginx web servers and constantly shifts tactics to evade detection. Over 2,000 complaints have been filed with the FBI's Internet Crime Complaint Center, prompting warnings from the FTC and toll authorities. The scam's effectiveness stems from the inconsistency in legitimate toll collection domain names, making it challenging for users to distinguish between real and fake websites.

Pulse ID: 67cee3481de685393015d1b3
Pulse Link: otx.alienvault.com/pulse/67cee…
Pulse Author: AlienVault
Created: 2025-03-10 13:04:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #Cloud #CyberSecurity #FBI #ICS #InfoSec #Nginx #OTX #OpenThreatExchange #Phishing #SMS #bot #AlienVault

Russian State Actors: Development in Group Attributions

This analysis explores the evolution of Russian state-backed cyber actors and their operations. It highlights the activities of several prominent groups, including UNC2589, APT44 (Sandworm), APT29, and APT28. These actors, associated with various Russian intelligence agencies, have been involved in global espionage, sabotage, and influence operations. The report details their targets, which include government organizations, critical infrastructure, and diplomatic entities across multiple countries. It also describes the groups' adaptation to new security measures and their use of advanced techniques such as zero-day exploits, social engineering, and living off the land tactics. The analysis emphasizes the importance of understanding these actors' methods for improving global cybersecurity resilience.

Pulse ID: 67cc2ca27d4672d04ef4eb01
Pulse Link: otx.alienvault.com/pulse/67cc2…
Pulse Author: AlienVault
Created: 2025-03-08 11:40:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT28 #APT29 #CyberSecurity #Espionage #Government #ICS #InfoSec #OTX #OpenThreatExchange #RAT #Russia #Sandworm #SocialEngineering #Worm #ZeroDay #bot #AlienVault

SideWinder targets the maritime and nuclear sectors with an updated toolset

The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails containing malicious DOCX files, exploiting CVE-2017-11882 to deliver a multi-stage payload. The group demonstrated agility in evading detection, often updating their tools within hours of being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.

Pulse ID: 67cebdf90f3d662d90cb0701
Pulse Link: otx.alienvault.com/pulse/67ceb…
Pulse Author: AlienVault
Created: 2025-03-10 10:24:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Africa #Asia #BackDoor #CyberSecurity #Email #Government #ICS #InfoSec #Java #JavaScript #MiddleEast #Military #OTX #OpenThreatExchange #Phishing #RAT #RTF #Sidewinder #SpearPhishing #bot #AlienVault

Malvertising campaign leads to info stealers hosted on GitHub

A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms. The multi-stage attack chain involved deploying information stealers like Lumma and Doenerium, as well as remote access tools. The threat actors used living-off-the-land techniques and various scripts to collect system information, exfiltrate data, and establish persistence. The campaign affected both consumer and enterprise devices across multiple industries, highlighting its indiscriminate nature.

Pulse ID: 67ca2991532d81738cbca1e8
Pulse Link: otx.alienvault.com/pulse/67ca2…
Pulse Author: AlienVault
Created: 2025-03-06 23:02:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #GitHub #InfoSec #Malvertising #Malware #OTX #OpenThreatExchange #RAT #bot #AlienVault

Cascading Redirects: Unmasking a Multi-Site JavaScript Malware Campaign

A recent investigation uncovered a malicious JavaScript injection affecting WordPress websites, redirecting visitors to unwanted third-party domains. The attack vector involves a two-stage redirection process, injecting code into theme files and loading external scripts. The malware creates hidden elements to force redirects, potentially leading to phishing pages, malvertising, exploit kits, or scam sites. At least 31 infected websites were identified, with domains like awards2today[.]top and chilsihooveek[.]net involved. The infection methods include compromised admin accounts, exploited vulnerabilities, inadequate file permissions, and hidden PHP backdoors. Impacts include traffic loss, reputation damage, SEO blacklisting, and risks of further infections. Detection involves inspecting network activity and file modifications, while prevention measures include regular security audits, updates, strong passwords, and web application firewalls.

Pulse ID: 67ca751fcb0a0f73661e1ad4
Pulse Link: otx.alienvault.com/pulse/67ca7…
Pulse Author: AlienVault
Created: 2025-03-07 04:25:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #Java #JavaScript #Malvertising #Malware #OTX #OpenThreatExchange #PHP #Password #Passwords #Phishing #RCE #RDP #Word #Wordpress #bot #AlienVault

Unmasking the new persistent attacks on Japan

An unknown attacker has been targeting organizations in Japan since January 2025, exploiting CVE-2024-4577, a remote code execution vulnerability in PHP-CGI on Windows. The attacker uses the Cobalt Strike kit 'TaoWu' for post-exploitation activities, including reconnaissance, privilege escalation, persistence establishment, and credential theft. Targeted sectors include technology, telecommunications, entertainment, education, and e-commerce. The attack involves exploiting the vulnerability, executing PowerShell scripts, and using various tools for system compromise. The attacker's techniques are similar to those of the 'Dark Cloud Shield' group, but attribution remains uncertain. A pre-configured installer script found on the C2 server deploys multiple adversarial tools and frameworks, indicating potential for future attacks.

Pulse ID: 67c9f6c4232a8b4665784c45
Pulse Link: otx.alienvault.com/pulse/67c9f…
Pulse Author: AlienVault
Created: 2025-03-06 19:25:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CobaltStrike #CyberSecurity #Education #InfoSec #Japan #OTX #OpenThreatExchange #PHP #PowerShell #RCE #RemoteCodeExecution #Telecom #Telecommunication #Vulnerability #Windows #bot #AlienVault

Unmasking GrassCall Campaign: The APT Behind Job Recruitment Cyber Scams

The GrassCall malware campaign is an advanced social engineering attack conducted by a Russian-speaking cybercriminal group called Crazy Evil. Targeting job seekers in the cryptocurrency and Web3 sectors, the campaign uses fake job interviews to compromise victims' systems and steal cryptocurrency assets. The attackers create a fake company, post job advertisements on reputable platforms, and guide candidates through a sophisticated process involving phishing emails, Telegram conversations, and the installation of malicious software disguised as a video conferencing application. The malware deployed includes a Remote Access Trojan (RAT) and information-stealing programs like Rhadamanthys for Windows users, and the Atomic macOS Stealer (AMOS) for Mac users. The campaign has affected hundreds of people, with some victims reporting drained cryptocurrency wallets.

Pulse ID: 67c9f6c6b11a130aea01979a
Pulse Link: otx.alienvault.com/pulse/67c9f…
Pulse Author: AlienVault
Created: 2025-03-06 19:25:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Atomic #CyberSecurity #Email #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Phishing #RAT #RemoteAccessTrojan #Rhadamanthys #Russia #SocialEngineering #Telegram #Trojan #Web3 #Windows #bot #cryptocurrency #AlienVault

The Next Level: Typo DGAs Used in Malicious Redirection Chains

A new campaign leveraging newly registered domains (NRDs) and a novel variant of domain generation algorithms (DGAs) has been uncovered. The campaign used over 6,000 NRDs redirecting to domains resembling dictionary-based DGAs. These NRDs led to advertisements of potentially unwanted Android applications. Further investigation revealed 444,898 NRDs belonging to the same actor, redirecting to 178 domains exhibiting 'typo DGA' characteristics. This new pattern combines dictionary words with typographical errors, potentially designed to evade traditional detection methods. The campaign utilized shared WHOIS information, hosting infrastructure, and epoch timestamp subdomains for redirections. The findings highlight the need for advanced detection capabilities to combat evolving malicious techniques.

Pulse ID: 67c99585d7c820f0b592b5bd
Pulse Link: otx.alienvault.com/pulse/67c99…
Pulse Author: AlienVault
Created: 2025-03-06 12:31:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #CyberSecurity #ICS #InfoSec #OTX #OpenThreatExchange #PoC #RAT #Word #bot #AlienVault

Stealers and backdoors are spreading under the guise of a DeepSeek client

Cybercriminals are exploiting the popularity of DeepSeek, a powerful reasoning large language model, by creating fake websites that mimic the official DeepSeek chatbot site and distribute malicious code disguised as a client. Three main schemes were identified: a Python stealer targeting user data and credentials, a malicious script spreading through social media posts, and backdoors targeting Chinese users. The attacks use various methods to lure victims, including typosquatting and ad traffic. Users are advised to carefully check website addresses and be cautious of unverified links, especially for popular services. The malware distributed includes stealers, backdoors, and trojans, potentially leading to data theft and remote access to victims' computers.

Pulse ID: 67c995879ece215afc3c7a5b
Pulse Link: otx.alienvault.com/pulse/67c99…
Pulse Author: AlienVault
Created: 2025-03-06 12:31:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CyberSecurity #DataTheft #InfoSec #Malware #Mimic #OTX #OpenThreatExchange #Python #SocialMedia #Trojan #TypoSquatting #bot #AlienVault

BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes

HUMAN's Satori Threat Intelligence team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting low-cost consumer devices. This operation, an expansion of the 2023 BADBOX scheme, infected over 1 million Android Open Source Project devices worldwide with a backdoor called BB2DOOR. The infection enabled various fraud schemes, including residential proxy services, ad fraud, and click fraud. Four threat actor groups were identified: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. The operation targeted devices in 222 countries, with Brazil being the most affected. HUMAN collaborated with Google and other partners to disrupt the infrastructure and protect customers from the threat.

Pulse ID: 67c99587958ded87f3a219f3
Pulse Link: otx.alienvault.com/pulse/67c99…
Pulse Author: AlienVault
Created: 2025-03-06 12:31:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #BADBOX #BackDoor #Brazil #CyberSecurity #Google #InfoSec #OTX #OpenThreatExchange #Proxy #RAT #RCE #bot #AlienVault