Threat actors are adapting @signalapp phishing campaigns: Ukrainian users now receive messages allegedly from Signal about “mandatory 2FA” due to ongoing attacks.
No codes are requested yet – this is a trust-building step before attempts to steal login codes and hijack accounts.
🔎 New analysis of a credential phishing campaign
It leverages domain-adaptive infrastructure to evade detection and increase the success rate of account compromise.
Details: https://t.co/VifSEAnGwl
Large-scale phishing attacks keep evolving, abusing trusted platforms like Google, Cloudflare, Vercel, and Telegram. Pre-built kits enable massive scaling. A new “Meta Verified” tactic steals credentials and bypasses 2FA in real time via Telegram exfiltration.
Today we observed an active phishing campaign linked to Russia-aligned threat actors.
Emails impersonated Ukrainian government institutions and delivered malicious attachments. The campaign is aimed at infecting Windows endpoints and establishing persistent remote access.
Find more domains on @ValidinLLC:
CERT_FINGERPRINT-HOST: 1fa3e6f0a65b7429219022eee3a7976f6761aba0
HOST-JARM: 27d27d27d00027d00042d43d00041df04c41293ba84f6efe3a613b22f983e6
DSLU is tracking a phishing campaign targeting Facebook accounts. Attackers are abusing Meta Business Suite invites and using two attack vectors: a link to a phishing website and a link prompting users to join a fake Facebook page.
👉 More IOCs:
https://t.co/mr8gmzwAo0
👉 Track IOCs in VT:
entity:domain ukr-one.* AND jarm:"00000000000000000042d43d00041da8040ca1d7d1b3e955a3535eb361ef06"
⚠️ Attackers are using hacked Telegram accounts to spread fake invitations to “vote for kids in a drawing contest.” The links lead to phishing sites stealing account credentials.
🚨 Six months of prep. One day targeting Ukraine’s humanitarian networks including individuals from the @ICRC, @UNICEF, and @NRC_Norway.
New from @LabsSentinel and the @DSLab_Ukraine: A one-day spearphishing operation — PhantomCaptcha — that targeted humanitarian organizations in Ukraine using a fake Cloudflare captcha page to deliver a WebSocket RAT. https://t.co/G8jD84vSSS
SentinelLABS, together with Digital Security Lab of Ukraine, has uncovered a coordinated spear-phishing campaign targeting organizations critical to Ukraine’s war relief efforts. https://t.co/zkOAEwPraR
4/ The PhantomCaptcha campaign highlights a highly capable adversary collecting intelligence on humanitarian and reconstruction operations in Ukraine.
➡️ Full details in report: https://t.co/LIvciCD6YD
🚨 @SentinelLabs, together with the Digital Security Lab of Ukraine, has uncovered a coordinated spearphishing campaign targeting members of the Red Cross, Norwegian Refugee Council, UNICEF, and other NGOs supporting Ukraine, as well as regional government officials.
3/ Despite six months of preparation, the attackers’ infrastructure was active for only one day – reflecting meticulous planning, compartmentalized setup, and strong operational security.