OTX Bot<p>Deobfuscating APT28's HTA Trojan: A Deep Dive into VBE Techniques & Multi-Layer Obfuscation</p><p>This analysis delves into APT28's cyber espionage campaign targeting Central Asia and Kazakhstan diplomatic relations, focusing on their HTA Trojan. The malware employs advanced obfuscation techniques, including VBE (VBScript Encoded) and multi-layer obfuscation. The investigation uses x32dbg debugging to decode the obfuscated code, revealing a custom map algorithm for character deobfuscation. The process involves decoding strings using embedded characters from Windows vbscript.dll. The analysis identifies the use of Microsoft's Windows Script Encoder (screnc.exe) to create VBE files. By employing various deobfuscation techniques, including a Python script, the final malware sample is extracted and analyzed, showcasing APT28's evolving tactics in cyber espionage.</p><p>Pulse ID: 67efc6e712b49d46c1423ca9<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67efc6e712b49d46c1423ca9" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67efc</span><span class="invisible">6e712b49d46c1423ca9</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-04-04 11:47:51</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/APT28" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>APT28</span></a> <a href="https://social.raytec.co/tags/Asia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Asia</span></a> <a href="https://social.raytec.co/tags/CentralAsia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CentralAsia</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Espionage" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Espionage</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Kazakhstan" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Kazakhstan</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Python</span></a> <a href="https://social.raytec.co/tags/Trojan" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Trojan</span></a> <a href="https://social.raytec.co/tags/VBS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VBS</span></a> <a href="https://social.raytec.co/tags/Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Windows</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
noc.social is part of the decentralized social network powered by Mastodon.
This instance is focused on technology, networking, linux, privacy, security, infosec, engineering, but open to anyone. Civil discourse, polite and open. Managed by the noc.org / trunc.org team.
Administered by:
Server stats:
682active users
Learn more
noc.social: About · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.1.24
OTX Bot<p>Silent Credit Card Thief Uncovered</p><p>A sophisticated credit card skimming campaign dubbed 'RolandSkimmer' has been discovered, targeting users in Bulgaria. The attack utilizes malicious browser extensions across Chrome, Edge, and Firefox, initiated through a deceptive LNK file. The malware employs obfuscated scripts to establish persistent access, harvesting and exfiltrating sensitive financial data. The attack workflow involves system reconnaissance, downloading additional malicious files, and injecting scripts into web pages. The threat actor uses unique identifiers to track victims and employs sophisticated techniques to evade detection. The campaign demonstrates the evolving nature of web-based credit card skimming threats, highlighting the need for enhanced security measures against LNK-based attacks and unverified browser extensions.</p><p>Pulse ID: 67efc6e92fbd533808f09435<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67efc6e92fbd533808f09435" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67efc</span><span class="invisible">6e92fbd533808f09435</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-04-04 11:47:53</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/Browser" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Browser</span></a> <a href="https://social.raytec.co/tags/Bulgaria" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Bulgaria</span></a> <a href="https://social.raytec.co/tags/Chrome" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Chrome</span></a> <a href="https://social.raytec.co/tags/CreditCard" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CreditCard</span></a> <a href="https://social.raytec.co/tags/CreditCardSkimming" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CreditCardSkimming</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Edge" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Edge</span></a> <a href="https://social.raytec.co/tags/FinancialData" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FinancialData</span></a> <a href="https://social.raytec.co/tags/FireFox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FireFox</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/LNK" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LNK</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign</p><p>A Russian-speaking threat actor has launched a new phishing campaign using Cloudflare-branded pages themed around DMCA takedown notices. The attack abuses the ms-search protocol to deliver malicious LNK files disguised as PDFs. Once executed, the malware communicates with a Telegram bot to report the victim's IP address before connecting to Pyramid C2 servers. The campaign leverages Cloudflare Pages and Workers services to host phishing pages, and uses an open directory to store malicious files. The infection chain includes PowerShell and Python scripts, with incremental changes in tactics to evade detection. The actors' infrastructure spans multiple domains and IP addresses, primarily using Cloudflare's network.</p><p>Pulse ID: 67efc6ed5285702a3440969a<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67efc6ed5285702a3440969a" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67efc</span><span class="invisible">6ed5285702a3440969a</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-04-04 11:47:57</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/Cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cloud</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/LNK" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LNK</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/PDF" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PDF</span></a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://social.raytec.co/tags/PowerShell" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PowerShell</span></a> <a href="https://social.raytec.co/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Python</span></a> <a href="https://social.raytec.co/tags/Russia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Russia</span></a> <a href="https://social.raytec.co/tags/Telegram" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Telegram</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>CVE-2025-29927: Next.js Middleware Authorization Bypass Flaw</p><p>A critical vulnerability, CVE-2025-29927, with a CVSS score of 9.1 was disclosed on March 21, 2025. This flaw allows attackers to bypass authorization checks in Next.js Middleware, potentially granting unauthorized access to protected resources. The vulnerability affects applications using Middleware for user authorization, session data validation, route access control, redirections, and UI visibility management. The issue stems from how the runMiddleware function handles the x-middleware-subrequest header. Attackers can craft malicious headers to bypass middleware controls. Affected versions range from 11.1.4 to 15.2.3. Users are urged to update to patched versions or implement mitigation strategies to block external requests containing the vulnerable header.</p><p>Pulse ID: 67e59d30fc2fe9b7ddaded28<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e59d30fc2fe9b7ddaded28" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e59</span><span class="invisible">d30fc2fe9b7ddaded28</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-27 18:47:12</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/RCE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RCE</span></a> <a href="https://social.raytec.co/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vulnerability</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants</p><p>ReaderUpdate, a macOS malware loader platform active since 2020, has evolved to include variants written in Crystal, Nim, Rust, and now Go programming languages. Originally a compiled Python binary, the malware has been largely dormant until late 2024. The loader is capable of executing remote commands, potentially offering Pay-Per-Install or Malware-as-a-Service. It collects system information, creates persistence mechanisms, and communicates with command and control servers. The Go variant, less common than others, uses string obfuscation techniques to hinder analysis. While currently associated with adware delivery, the loader's capabilities pose a potential threat for more malicious payloads in the future.</p><p>Pulse ID: 67e41bedc264bcc69a9b8e20<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e41bedc264bcc69a9b8e20" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e41</span><span class="invisible">bedc264bcc69a9b8e20</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-26 15:23:25</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Mac" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mac</span></a> <a href="https://social.raytec.co/tags/MacOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MacOS</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/MalwareAsAService" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MalwareAsAService</span></a> <a href="https://social.raytec.co/tags/Nim" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Nim</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Python</span></a> <a href="https://social.raytec.co/tags/Rust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Rust</span></a> <a href="https://social.raytec.co/tags/SMS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SMS</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>Malware found on npm infecting local package with reverse shell</p><p>A sophisticated malware campaign targeting npm packages has been discovered, involving two malicious packages: ethers-provider2 and ethers-providerz. These packages act as downloaders, hiding their malicious payload cleverly. Upon installation, they patch the legitimate locally-installed npm package 'ethers' with a new file containing malicious code. This patched file ultimately serves a reverse shell, connecting to the threat actor's server. The malware employs evasive techniques, maintaining persistence even after removal of the original malicious package. This approach demonstrates a high level of sophistication and poses a significant threat to software supply chain security. The campaign also includes other related packages, highlighting the growing scope of risks for both software producers and end-user organizations.</p><p>Pulse ID: 67e43187834511a9e1562b6e<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e43187834511a9e1562b6e" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e43</span><span class="invisible">187834511a9e1562b6e</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-26 16:55:35</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/NPM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NPM</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/SupplyChain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SupplyChain</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>Operation ForumTroll exploits zero-days in Google Chrome</p><p>In March 2025, a sophisticated malware campaign exploited a zero-day vulnerability in Google Chrome to infect targets. The attack, dubbed Operation ForumTroll, used personalized phishing emails with short-lived links to deliver malware. Kaspersky detected the exploit, reported it to Google, and an update was released to fix the vulnerability (CVE-2025-2783). The campaign targeted media outlets, educational institutions, and government organizations in Russia, disguising itself as invitations to the 'Primakov Readings' forum. The attackers' goal appears to be espionage, and the sophistication of the malware suggests a state-sponsored APT group is behind the operation. The exploit chain involved sandbox escape and remote code execution, though only the former was fully analyzed.</p><p>Pulse ID: 67e33790837554926530dc06<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e33790837554926530dc06" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e33</span><span class="invisible">790837554926530dc06</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-25 23:09:04</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/Chrome" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Chrome</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/ELF" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ELF</span></a> <a href="https://social.raytec.co/tags/Education" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Education</span></a> <a href="https://social.raytec.co/tags/Email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Email</span></a> <a href="https://social.raytec.co/tags/Espionage" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Espionage</span></a> <a href="https://social.raytec.co/tags/Google" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Google</span></a> <a href="https://social.raytec.co/tags/Government" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Government</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Kaspersky" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Kaspersky</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/RemoteCodeExecution" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RemoteCodeExecution</span></a> <a href="https://social.raytec.co/tags/Russia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Russia</span></a> <a href="https://social.raytec.co/tags/Troll" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Troll</span></a> <a href="https://social.raytec.co/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vulnerability</span></a> <a href="https://social.raytec.co/tags/ZeroDay" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ZeroDay</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>A Practical Guide to Uncovering Malicious Infrastructure With Hunt.io</p><p>This guide demonstrates how to use Hunt.io to investigate and track malicious infrastructure. Starting with a single suspicious IP address, the process involves analyzing hosting providers, domain information, open ports, HTTP responses, and TLS certificates. The investigation reveals connections to potential cryptocurrency fraud and malware operations. By leveraging Hunt's scan data and SQL queries, a small cluster of related servers is identified, possibly linked to Latrodectus malware. The guide emphasizes the importance of persistence, pattern recognition, and correlating data from multiple intelligence sources to effectively track threat actor operations.</p><p>Pulse ID: 67e342d7a17ba37eb960497a<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e342d7a17ba37eb960497a" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e34</span><span class="invisible">2d7a17ba37eb960497a</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-25 23:57:11</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/HTTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HTTP</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/RCE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RCE</span></a> <a href="https://social.raytec.co/tags/SQL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SQL</span></a> <a href="https://social.raytec.co/tags/TLS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TLS</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/cryptocurrency" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptocurrency</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin</p><p>Trend Research uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework to execute malicious code, named MSC EvilTwin (CVE-2025-26633).</p><p>Pulse ID: 67e31bb008959a0b0a250d43<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e31bb008959a0b0a250d43" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e31</span><span class="invisible">bb008959a0b0a250d43</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-25 21:10:08</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Russia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Russia</span></a> <a href="https://social.raytec.co/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vulnerability</span></a> <a href="https://social.raytec.co/tags/ZeroDay" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ZeroDay</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks</p><p>Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake Microsoft webpages. These pages trick users into executing PowerShell scripts that download and run malware, such as Lumma Stealer. The malware steals browser data, cryptocurrency wallet information, and other sensitive data, transmitting it to command and control servers. The attack chain includes stealth and persistence mechanisms to evade detection. This campaign exploits content creators' interest in brand deals and partnerships, representing an evolution of previously observed tactics against YouTube channels.</p><p>Pulse ID: 67e2e9f6e43ced7354e51385<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e2e9f6e43ced7354e51385" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e2e</span><span class="invisible">9f6e43ced7354e51385</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-25 17:37:58</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/Browser" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Browser</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Email</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LummaStealer</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://social.raytec.co/tags/PowerShell" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PowerShell</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/SMS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SMS</span></a> <a href="https://social.raytec.co/tags/SpearPhishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SpearPhishing</span></a> <a href="https://social.raytec.co/tags/YouTube" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YouTube</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/cryptocurrency" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptocurrency</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>GorillaBot: Technical Analysis and Code Similarities with Mirai</p><p>GorillaBot is a newly discovered Mirai-based botnet that has launched over 300,000 attacks across more than 100 countries, targeting various industries including telecommunications, finance, and education. It reuses Mirai's core logic while adding custom encryption and evasion techniques. The malware uses raw TCP sockets and a custom XTEA-like cipher for C2 communication, implements anti-debugging and anti-analysis checks, and authenticates to its C2 server using a SHA-256-based token. Attack commands are encoded, hashed, and processed using a Mirai-style attack_parse function. GorillaBot's sophistication highlights the ongoing evolution of legacy malware and the need for advanced analysis tools to combat such threats.</p><p>Pulse ID: 67e2e9f87ea55bdc9bc9d6f3<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e2e9f87ea55bdc9bc9d6f3" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e2e</span><span class="invisible">9f87ea55bdc9bc9d6f3</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-25 17:38:00</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Education" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Education</span></a> <a href="https://social.raytec.co/tags/Encryption" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Encryption</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/Mirai" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mirai</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/TCP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TCP</span></a> <a href="https://social.raytec.co/tags/Telecom" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Telecom</span></a> <a href="https://social.raytec.co/tags/Telecommunication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Telecommunication</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/botnet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>botnet</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI</p><p>Cybercriminals are exploiting .NET MAUI, a cross-platform development framework, to create Android malware that evades detection. These threats disguise themselves as legitimate apps, targeting users to steal sensitive information. The malware campaigns use techniques such as hiding code in blob files, multi-stage dynamic loading, and encrypted communications to avoid security measures. Two examples are discussed: a fake bank app targeting Indian users and a fake social media app targeting Chinese-speaking users. The latter employs advanced evasion techniques like excessive permissions in the AndroidManifest.xml file and encrypted socket communication. Users are advised to be cautious when downloading apps from unofficial sources and to use up-to-date security software for protection.</p><p>Pulse ID: 67e2fc78ccb151dba8f9e868<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e2fc78ccb151dba8f9e868" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e2f</span><span class="invisible">c78ccb151dba8f9e868</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-25 18:56:54</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/Android" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Android</span></a> <a href="https://social.raytec.co/tags/Bank" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Bank</span></a> <a href="https://social.raytec.co/tags/Chinese" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Chinese</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/India" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>India</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/NET" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NET</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RCE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RCE</span></a> <a href="https://social.raytec.co/tags/SocialMedia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SocialMedia</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>New Phishing Campaign Uses Browser-in-the-Browser Attacks to Target Video Gamers/Counter-Strike 2 Players</p><p>A sophisticated phishing campaign targeting Counter-Strike 2 players has been uncovered, employing browser-in-the-browser (BitB) attacks. The campaign aims to steal Steam accounts by creating convincing fake browser pop-ups that mimic legitimate login pages. The threat actors are abusing the identity of the pro eSports team Navi and promoting their scams on platforms like YouTube. The stolen accounts are likely intended for resale on online marketplaces. The majority of the phishing sites are in English, with one Chinese site discovered. This campaign highlights the ongoing evolution of phishing techniques and the importance of vigilance when encountering login pop-ups, especially for desktop users.</p><p>Pulse ID: 67e271274ea6563a21ec770e<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e271274ea6563a21ec770e" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e27</span><span class="invisible">1274ea6563a21ec770e</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-25 09:02:31</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/Browser" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Browser</span></a> <a href="https://social.raytec.co/tags/Chinese" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Chinese</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/FakeBrowser" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeBrowser</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Mimic" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mimic</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://social.raytec.co/tags/Steam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Steam</span></a> <a href="https://social.raytec.co/tags/YouTube" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YouTube</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>SnakeKeylogger: Multistage Info Stealer Malware Analysis & Prevention</p><p>SnakeKeylogger is a highly active credential-stealing malware targeting individuals and businesses. It employs a multi-stage infection chain, starting with malicious spam emails containing .img files. The malware uses sophisticated techniques like process hollowing and obfuscation to evade detection. It targets various applications, including web browsers, email clients, and FTP software, to harvest sensitive data and credentials. The campaign utilizes an Apache server for malware distribution, regularly updating encrypted payloads. SnakeKeylogger's primary objective is to collect Outlook profile credentials, email configurations, and stored authentication details, which can be exploited for business email compromise or sold on underground markets.</p><p>Pulse ID: 67e2898966a98b226c7c790b<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e2898966a98b226c7c790b" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e28</span><span class="invisible">98966a98b226c7c790b</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-25 10:46:33</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/APAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>APAC</span></a> <a href="https://social.raytec.co/tags/Apache" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Apache</span></a> <a href="https://social.raytec.co/tags/Browser" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Browser</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Email</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/KeyLogger" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>KeyLogger</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Outlook" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Outlook</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/SnakeKeylogger" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SnakeKeylogger</span></a> <a href="https://social.raytec.co/tags/Spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spam</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>Weaver Ant, the Web Shell Whisperer: Tracking a China-Nexus Cyber Operation</p><p>Sygnia uncovered a sophisticated China-nexus threat actor, Weaver Ant, targeting a major Asian telecom company. The group employed web shells and tunneling techniques for persistence and lateral movement, maintaining access for over four years. They utilized encrypted China Chopper and custom 'INMemory' web shells, along with a recursive HTTP tunnel tool for internal network access. Weaver Ant demonstrated advanced evasion techniques, including ETW patching, AMSI bypassing, and 'PowerShell without PowerShell' execution. The operation involved extensive reconnaissance, credential harvesting, and data exfiltration. Despite eradication attempts, the group showed remarkable persistence, adapting their tactics to regain access.</p><p>Pulse ID: 67e2ab375298346f9c281119<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e2ab375298346f9c281119" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e2a</span><span class="invisible">b375298346f9c281119</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-25 13:10:15</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/Asia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Asia</span></a> <a href="https://social.raytec.co/tags/China" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>China</span></a> <a href="https://social.raytec.co/tags/CredentialHarvesting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CredentialHarvesting</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/HTTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HTTP</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/PowerShell" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PowerShell</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/Sygnia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Sygnia</span></a> <a href="https://social.raytec.co/tags/Telecom" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Telecom</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>SVC New Stealer on the Horizon</p><p>SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates specific processes, and harvests data from various sources. It compresses the collected information and sends it to a command and control server. The malware can also download additional payloads and implements evasion techniques. It targets multiple browsers, messaging applications, and specific file types. The campaign was observed in late January 2025, with the threat actors potentially selling the stolen data on underground forums and marketplaces.</p><p>Pulse ID: 67ddb4246d6a14c692975873<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67ddb4246d6a14c692975873" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67ddb</span><span class="invisible">4246d6a14c692975873</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-21 18:47:00</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/Browser" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Browser</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Email</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Mac" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mac</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://social.raytec.co/tags/RCE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RCE</span></a> <a href="https://social.raytec.co/tags/SpearPhishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SpearPhishing</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/cryptocurrency" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptocurrency</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>VanHelsing: New RaaS in Town</p><p>VanHelsing RaaS, a new ransomware-as-a-service program launched on March 7, 2025, has quickly gained traction in the cybercrime world. With a low $5,000 deposit for affiliates, it offers an 80% cut of ransom payments. The service provides a user-friendly control panel and targets multiple platforms, including Windows, Linux, BSD, ARM, and ESXi systems. Within two weeks of its launch, VanHelsing infected three victims, demanding large ransoms. The ransomware, written in C++, is actively evolving, with two variants discovered just five days apart. It employs various techniques to evade detection, including a 'Silent' mode and selective encryption of files. The rapid growth and sophistication of VanHelsin gRaaS highlight the increasing threat of ransomware attacks.</p><p>Pulse ID: 67e02b83689d61f57a3f4782<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e02b83689d61f57a3f4782" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e02</span><span class="invisible">b83689d61f57a3f4782</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-23 15:40:51</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberCrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberCrime</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Encryption" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Encryption</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Linux</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RaaS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RaaS</span></a> <a href="https://social.raytec.co/tags/RansomWare" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RansomWare</span></a> <a href="https://social.raytec.co/tags/RansomwareAsAService" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RansomwareAsAService</span></a> <a href="https://social.raytec.co/tags/Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Windows</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>Unboxing Anubis: Exploring the Stealthy Tactics of FIN7's Latest Backdoor</p><p>FIN7, a notorious cybercrime group, has developed a new Python-based backdoor called AnubisBackdoor. This sophisticated tool employs multi-stage attacks, encryption, and obfuscation techniques to evade detection. The malware is distributed through phishing campaigns and uses AES encryption with multiple layers of obfuscation. AnubisBackdoor's core functionality includes network communication, system access, and anti-analysis features. It can execute commands, manipulate files, and gather system information. The backdoor maintains persistence through Windows Registry and uses a custom command protocol for C2 communication. This new tool demonstrates FIN7's continued evolution in developing covert communication channels and highlights their advanced capabilities in cybercrime operations.</p><p>Pulse ID: 67dc66bfb7805b74ba33d8f4<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67dc66bfb7805b74ba33d8f4" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67dc6</span><span class="invisible">6bfb7805b74ba33d8f4</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-20 19:04:31</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/BackDoor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BackDoor</span></a> <a href="https://social.raytec.co/tags/CyberCrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberCrime</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Encryption" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Encryption</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://social.raytec.co/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Python</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Windows</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>Albabat Ransomware Group Potentially Expands Targets to Multiple OS Uses GitHub to Streamline Operations</p><p>The Albabat ransomware group has evolved its malware to target Windows, Linux, and macOS devices, as evidenced by new versions 2.0.0 and 2.5. The group is using GitHub to streamline operations, storing configuration files and essential components. The ransomware ignores specific folders, encrypts certain file extensions, and kills various processes. It collects system information and stores it in a PostgreSQL database. The GitHub repository, created in February 2024, shows active development with increased activity during specific hours. A newer version 2.5 is likely in development, introducing new cryptocurrency wallets. To mitigate the threat, organizations should implement regular backups, network segmentation, system updates, and user training.</p><p>Pulse ID: 67dd406ad4fcb1d2da18fd21<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67dd406ad4fcb1d2da18fd21" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67dd4</span><span class="invisible">06ad4fcb1d2da18fd21</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-21 10:33:14</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/Albabat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Albabat</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/GitHub" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GitHub</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Linux</span></a> <a href="https://social.raytec.co/tags/Mac" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mac</span></a> <a href="https://social.raytec.co/tags/MacOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MacOS</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/PostgreSQL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PostgreSQL</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/RansomWare" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RansomWare</span></a> <a href="https://social.raytec.co/tags/SQL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SQL</span></a> <a href="https://social.raytec.co/tags/Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Windows</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/cryptocurrency" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptocurrency</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>The rising threat of social engineering through fake fixes</p><p>ClickFix is an emerging social engineering tactic that manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance. Attackers present fake error messages, CAPTCHA verifications, or system prompts to convince users to take actions that compromise their devices, often by manually copying and pasting malicious commands into the command line. This method bypasses modern security solutions by tricking users into executing commands themselves. Recent campaigns like OBSCURE#BAT and Storm-1865 have targeted various industries and regions. The attack vector has been observed in Field Effect's telemetry, with attempts to deploy AsyncRAT and other malware. Mitigation strategies include restricting command line use, deploying advanced threat detection solutions, enhancing email and web filtering, training users, and maintaining up-to-date security measures.</p><p>Pulse ID: 67dd406c50b049fa09cf97b4<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67dd406c50b049fa09cf97b4" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67dd4</span><span class="invisible">06c50b049fa09cf97b4</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-21 10:33:16</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AsyncRAT</span></a> <a href="https://social.raytec.co/tags/CAPTCHA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CAPTCHA</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Email</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/SocialEngineering" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SocialEngineering</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
ExploreLocalFederated
Sign in to follow profiles or hashtags, favourite, share and reply to posts. You can also interact from your account on a different server.
Sign inCreate accountTrending now
#csu28 people in the past 2 days
#neuroscience11 people in the past 2 days
#threatintel13 people in the past 2 days
Drag & drop to upload