Nice change in spamming from #TA577 (aka TR aka BB) #QBot#Qakbot today 🔥
They now have the name of the spoofed company from the stolen email thread in both the display name and URL. Guess this will make some regex based rules on URLs to break.
#qbot#qakbot#quakbot is back after the traditional summer break. Right now it seems to be dropped by #Smokeloader (according to "DAS-Security Orcas" sandbox, I have no clue who they are) probably from fake installers. Botnet snow01.
https://t.co/izLDt8cCML
I am beyond excited to drop new research today with my coauthor @cyberoverdrive on TA423/RedLadon (aka Leviathan). It’s rare for @threatinsight to partner with others but Sveva and @PwC Global Threat Intelligence Team are among the rarest talents. 1/3🧵
https://t.co/WsPTQfl9E7
Interesting wee file we found back in March, turned out to be one part of a bigger modular malware framework. This is what we know so far. I hope someone out there has the other pieces of the jigsaw puzzle. 🤔 Have a wee gander hai! #malware#Linux
https://t.co/huv0lv41dL
Possibly a #china based APT is testing their payload against Indonesia with a COVID-related lure.
@Arkbird_SOLG@markus_neis
Hashes:
e6765333768bfd66b15b7cf91d25be09
abab41222abe98f35da3581d15618bde
d1d08866b0cc889d29336c4639fa8d9c
260c9d3ff5377a25eca55e9138503ea5
#primitivebear#Gamaredon#maldoc using their standard template injection / remote template
Аллах велик.rtf
9a67af06bf2f48631d0551af3bdeaf66
surname192.temp.swtest[.]ru
XML
6f134f11ff456a8458319171ba8cd16a
@500mk500@h2jazi @t0001100000
#sidecopy aka #TransparentTribe#apt targeting #india using PDF lures. There are more PDF files and tar files part of the campaign.
C2: email-gov-in[.]digital, mailnic[.]info
IP: 162.213.255[.]21
Files: https://email-gov-in[.]digital/email.gov.in/docs/SOP-For-Range-Allotment.tar
Rishikesh Bhide, Manager of Cyber Intelligence Engineering at @Anomali will be
presenting 'Wireshark Forensics Toolkit' at #BlackHatEurope#Arsenal tomorrow.
Date: Wednesday, November 10, 2021
Time: 10:00 AM to 11:00 AM GMT (virtual)
Track: Data Forensics/Incident Response
More potential #evlinum or just crimeware? Basic template and remote domain. It's similar to IOCs in DBAPPSecurity's report: https://t.co/51e5wVUa2W
Documents.docx
e726520b3ad875b516df6c3d25476444
http://wazalpne[.]com/
xml
54bcaa83d71232b1b4fa4aa47a41b3fa
@t0001100000 @h2jazi
Looks like more potential #LazarusGroup? More #Azure and remote template but the domain 404s
Z Venture Capital Presentation(Protected).docx
98e30453bbf1c9c9f48368f9bbe69edd
word.azureword[.]com
104.168.162.167
@t0001100000 @h2jazi@c3rb3ru5d3d53c@ShadowChasing1