Michael Koczwara (@michalkoczwara)'s Twitter Profile
Michael Koczwara

@michalkoczwara

Founder @Intel_Ops_io
Threat Intelligence, Adversary Infrastructure Hunting, Curated TI Feed (Coming Soon)
intel-ops.io
medium.com/@Intel_Ops

ID: 133224082

Link: https://academy.intel-ops.io/courses/hunting-adversary-infra
Joined: 15-04-2010 09:32:35

7,7K Tweets

19,19K Followers

1,1K Following

Michael Koczwara (@michalkoczwara):


Android malware/banker infrastructure targeting the Polish Gov, Australian energy, CoinsPH, Eurobank, ATB, BNP, and more.

Here are a few examples.

/gov.pl.veri-info-auth.com
/45.86.229.248

/bnp-fluvius.com
/193.124.205.51

/coinsph-secure.com
/45.59.120.20

Malware IOCs
Validin (@validinllc):


Here's how to quickly expand these indicators with global internet visibility:

1. Banner hash - fingerprints the unique HTTP server response details.

Hosts linked by this hash:
payconig-betaling[.]one
luxtrust-info[.]xyz
www.luxtrust-info[.]xyz
www.payconig-betaling[.]one
Michael Koczwara (@michalkoczwara):

Hey APTs, threat actors, and ransomware groups, could you please keep your infrastructure up a bit longer (you can move to another ASN, that's fine) so IntelOps students can learn all the pivoting tips and tricks, complete their assignments, and earn their well-deserved

Chris Duggan (@tlp_r3d):


🚨 Hunt Alert 🚨

Pivoted from the #SlowTempest #IOCs and uncovered a peculiar HTML page—only ~140 results globally, mainly in Hong Kong/China 🇭🇰🇨🇳. 

Most common port: 8888, potentially an admin/login panel. Thanks Michael Koczwara for your input!

Notably, the HTML page pivots
Xiu (@osint_barbie):

Remember when Moonlock Lab posted about test attempts for a loader targeting #AMOS? I've come across a few samples with low detection rates (ESET, Google, Ikarus). This loader also uses curl to fetch a #macOS #stealer from http[:]//41[.]216[.]183[.]214/

Group-IB Threat Intelligence (@groupib_ti):

The #Lazarus Group shows no signs of easing with their campaign targeting #jobseekers extending to the present day. Group-IB researchers found new updates to their tools and tactics - new suite of Python scripts - #CivetQ, a #Windows and #Python version of #BeaverTail

Hunt.io (@huntio):

Check out our latest post to learn about the Toneshell backdoor that was recently deployed against IISS Defence Summit attendees, and see how we uncovered related infrastructure through RDP certificates using Hunt's Advanced Search feature. 💥 hunt.io/blog/toneshell…

Michael Koczwara (@michalkoczwara):


Interesting Cobalt Strike C2 impersonating NASA gov.

🥷20.42.96.49 (0/94 VT)

self-signed certificate
🔐/C=US, ST=TX, L=Houston, O=NASA, OU=Engineering, CN=nasa[.]gov
Validin (@validinllc):


How to use Michael Koczwara's finding below to create a hunting rule in Validin:

Banner hash: 4e54378c7ee7ebddee154257ac6bc484

JARM filter: 2ad2ad16d2ad2ad00042d42d00042ddb04deffa1705e2edc44cae1ed24a4da
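The two Validin posts above pivot on a "banner hash", a fingerprint of the HTTP server response, to find more hosts run on the same stack. Validin's exact hashing algorithm is not published in the feed, so the example below is an added illustration, not Validin's code or Michael Koczwara's: it normalizes a raw HTTP response (status line, header names and order, stable header values; volatile headers such as Date keep their position but lose their value), hashes the result, and clusters hosts that share the hash. The responses and hostnames are constructed. JARM, the other pivot in the post, is a TLS handshake fingerprint that needs live connections and is not reproduced here.

```python
import hashlib
from typing import Dict, List

# Constructed raw HTTP responses (not real captures) from three hosts.
# A and B stand for two lookalike domains served by the same actor-controlled
# stack; C is an unrelated host. Only the Date header differs between A and B.
RESPONSE_A = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx/1.18.0 (Ubuntu)\r\n"
    "Date: Mon, 02 Sep 2024 10:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 162\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "<html>...</html>"
)
RESPONSE_B = RESPONSE_A.replace(
    "Mon, 02 Sep 2024 10:00:00 GMT", "Tue, 03 Sep 2024 18:41:07 GMT"
)
RESPONSE_C = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 02 Sep 2024 10:00:00 GMT\r\n"
    "Server: Apache/2.4.41\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers whose values change per request or per host and would otherwise
# split identical server stacks into distinct hashes.
VOLATILE_HEADERS = {
    "date", "expires", "last-modified", "etag", "set-cookie", "age", "x-request-id",
}


def normalize_banner(raw: str) -> str:
    """Keep the status line plus header names, header order and stable header values.

    Assumption: this normalization is an illustrative choice for the example,
    not any vendor's published banner-hash algorithm.
    """
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body; only the banner matters
    lines = head.split("\r\n")
    kept = [lines[0].strip()]                   # status line, e.g. "HTTP/1.1 404 Not Found"
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        if name in VOLATILE_HEADERS:
            kept.append(f"{name}:")             # keep presence and position, drop the value
        else:
            kept.append(f"{name}: {value.strip()}")
    return "\n".join(kept)


def banner_hash(raw: str) -> str:
    """MD5 of the normalized banner; identical stacks produce identical hashes."""
    return hashlib.md5(normalize_banner(raw).encode()).hexdigest()


def cluster_by_banner(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by banner hash; a cluster with more than one member is a pivot candidate."""
    clusters: Dict[str, List[str]] = {}
    for host, raw in responses.items():
        clusters.setdefault(banner_hash(raw), []).append(host)
    return clusters


if __name__ == "__main__":
    sample = {
        "lookalike-a.example": RESPONSE_A,
        "lookalike-b.example": RESPONSE_B,
        "unrelated.example": RESPONSE_C,
    }
    for digest, hosts in cluster_by_banner(sample).items():
        print(digest, hosts)
```

Header order is deliberately part of the fingerprint: swapping Server and Date changes the hash even when every value is identical, which is why a banner hash separates server stacks that a plain Server-header match would lump together.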
ET Labs (@et_labs):

25 new OPEN, 27 new PRO (25 + 2)
SocGholish, Dynamic_DNS, ZPHP, XWORM, Lumma Stealer, VenomRAT, and more
Thanks Michael Koczwara
community.emergingthreats.net/t/ruleset-upda…

Michael Koczwara (@michalkoczwara):


🇰🇵Lazarus (APT38) is impersonating Metaschool (Edu platform for Web3 developers)

/metaschool[.]video-meets[.]online

virustotal.com/gui/domain/met…
Arda Büyükkaya (@whichbufferarda):

Here's how threat actors, such as SCATTERED SPIDER, conduct vishing (phone call phishing) attacks to trick victims into sharing sensitive information, such as login credentials, financial details, or security codes. These attackers often pose as trusted entities, like IT support,

Group-IB Threat Intelligence (@groupib_ti):

Group-IB analysts have uncovered a serious #cyberthreat involving malicious #Android apps disguised as payment, banking, & delivery services. Discovered primarily in #CentralAsia, this malware, known as #AjinaBanker, has been active since November 2023 & is spreading via #Telegram.

Validin (@validinllc):

Last week, EclecticIQ published an update on #SCATTEREDSPIDER and provided a few domains used for phishing. Learn how to expand threat intelligence like theirs to find more high-confidence indicators in our latest blog: validin.com/blog/coralling…

somedieyoungZZ (@idanotpro):

🚨 New Blog Post 🚨
Check out my latest analysis on a Stego Campaign using Process Hollowing with .NET injectors!
📜 Full post: somedieyoungzz.github.io/posts/stego-ca…
💡 Learn about the clever use of JS-based droppers, PowerShell scripts, and obfuscated .NET assemblies.
🔗 #Malware #Infosec

Michael Koczwara (@michalkoczwara):


Threat actors be like ...

"Yo, let’s hide our Cobalt Strike C2 behind Cloudflare and register a domain that looks like Cloudflare ..."

No one will ever find us😌

/cioudfiear.com😅
/18.222.126.236

virustotal.com/gui/domain/cio…
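Several posts in this feed turn on lookalike domains: cioudfiear.com for Cloudflare, gov.pl.veri-info-auth.com for the Polish government, coinsph-secure.com for Coins.ph, metaschool.video-meets.online for Metaschool. The example below is an added illustration, not code from Michael Koczwara or any tool named in the feed, of the two checks a hunter typically runs against new domain registrations or passive-DNS output: a brand appearing as labels or as a token inside a registrable domain the brand does not own, and a second-level label within a small edit distance of the brand after folding visually confusable characters (i/l, 1/l, 0/o, rn/m, vv/w). The brand watch list and the hostnames are constructed; the registrable-domain logic takes the last two labels and does not consult the public suffix list, which is a stated simplification.

```python
from typing import List

# Constructed brand watch list (illustrative, not a real feed or asset inventory).
BRANDS = ["cloudflare.com", "nasa.gov", "gov.pl", "coins.ph"]

# Visually confusable substitutions folded to one canonical form before comparing.
# Multi-character folds run first so "rn" becomes "m" before the single-char rules.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]


def fold(s: str) -> str:
    """Lower-case and collapse confusable characters, e.g. 'cioudfiear' -> 'cloudflear'."""
    s = s.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute); small inputs, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the hostname.

    Simplification for the example: no public-suffix handling, so multi-label
    suffixes such as .co.uk would be mis-split by this function.
    """
    labels = host.lower().strip("/.").split(".")
    return ".".join(labels[-2:])


def lookalike_reasons(host: str, brands: List[str] = BRANDS, max_distance: int = 2) -> List[str]:
    """Return the reasons a hostname looks like an impersonation of a watched brand.

    An empty list means either the host is genuinely under a watched brand's
    domain or no check fired. The leading '/' used as defanging in the feed is tolerated.
    """
    h = host.lower().strip("/.")
    reg = registrable(h)
    for brand in brands:
        if reg == brand or h.endswith("." + brand):
            return []                            # legitimately under the brand's own domain
    reasons: List[str] = []
    sld = fold(reg.split(".")[0])                # second-level label, confusables folded
    for brand in brands:
        token = fold(brand.split(".")[0])
        if ("." + brand + ".") in ("." + h + "."):
            # Brand used as whole labels (gov.pl.veri-info-auth.com) while the
            # registrable domain belongs to someone else.
            reasons.append(f"{brand} appears as labels inside {h} but {h} is not under {brand}")
        elif token in sld:
            # Brand token embedded in the registrable domain (coinsph-secure.com).
            # Noisy for very short tokens; tune the watch list accordingly.
            reasons.append(f"brand token '{brand.split('.')[0]}' embedded in registrable domain {reg}")
        else:
            d = levenshtein(sld, token)
            if 0 < d <= max_distance:
                reasons.append(f"{reg} is within edit distance {d} of {brand} after confusable folding")
    return reasons


def is_lookalike(host: str) -> bool:
    return bool(lookalike_reasons(host))


if __name__ == "__main__":
    # Constructed candidates; the first four echo the shapes seen in the feed above.
    for candidate in [
        "/cioudfiear.com",
        "/gov.pl.veri-info-auth.com",
        "/coinsph-secure.com",
        "www.cloudflare.com",
        "github.com",
    ]:
        print(candidate, "->", lookalike_reasons(candidate) or "no match")
```

Without the confusable fold, cioudfiear.com sits four edits away from cloudflare.com and slips under a distance-2 threshold; folding i to l brings it to two. The label check is the one that catches gov.pl.veri-info-auth.com, since the brand there is spelled exactly and only the registrable domain gives it away.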