Africa's cyber threat landscape diversified in May 2026.
FalconFeeds tracked 231 regional cyber incidents. While total volume stabilized, multi-vector attacks surged. Telegram fueled 152 incidents, acting as the primary hub for threat actor amplification and DDoS coordination.
Government and public sectors faced the heaviest burden with 107 targeted attacks. Morocco, Ghana, and Nigeria emerged as the most affected nations.
Read our latest Threat Intelligence Report to analyze the data and safeguard your infrastructure.
Report Link: https://t.co/TQEVcgnot1
📢 Ransomware Alert: 🇵🇪
TRANSVILL TRANSPORTES VILLEGAS
(https://t.co/O6liTUmPSs), a Peru-based transportation and logistics company, has reportedly fallen victim to Nova ransomware.
NB: They intend to publish within 11-12 days
🔍Key Details:
🛡️Threat actor: Nova
📅 Reported on: 24/06/26
⚠️ Data Compromised: 26 GB
🚨 Recent FalconFeeds IOC analysis highlights a surge in:
🪙 Watchdog cryptojacking operations delivering XMRig miners.
🇰🇵 DPRK-linked UNC1069 phishing infrastructure impersonating Microsoft Teams and Outlook.
🔗 Multiple overlaps between Lazarus, Bluenoroff, UNC1069 and other North Korean actors through shared infrastructure.
Correction: Analysing the data proved that the ransomed entity is Reliance Infrastructure and not Reliance Power.
The artifact is a full recursive file-system inventory of internal file servers, enumerating 858,253 file paths one per line, a recon-grade map of the environment independent of the file contents themselves.
Roughly 97% sits under a single FTP upload/staging tree holding per-user machine backups, with the remainder under departmental SMB shares. The exposure is document-heavy and concentrated in sensitive areas: about 144,700 and 104,100 paths relate to the KKNP/KKNPP project (a major power-infrastructure programme carrying high-sensitivity engineering and commercial data), roughly 138,800 paths sit in HR directories, about 86,300 under general project working data, ~38,700 in compliance records, ~27,800 in invoicing/financial material, plus payroll (~11,150), tax/TDS (~4,275), salary (~4,670), insurance (~1,470) and identity data such as Aadhaar/PAN (~2,240) and passport (~148). A further ~105,750 paths are OS-level backup spillage under AppData, browser-artifact and token-container locations swept up by backing up entire user profiles wholesale.
By type the set is dominated by PDF (~325,200), Excel (~115,000), Word (~76,900), CAD drawings (~20,100), archives (~24,500) and images (~66,500).
The assessment: finance, HR, compliance, contracts and engineering IP, including critical infrastructure project files, are exposed, enabling targeted retrieval, identity/PII exposure and spear-phishing target selection, with root causes pointing to over-broad backup scope, a reachable staging area, and weak retention controls.
Tata Electronics
The artifact is a full recursive file-system inventory spanning four internal departmental file servers, enumerating 204,341 file paths one per line, split across a QA share (~111,600 paths, more than half), an NPI/new-product share (~74,200), an HR share (~11,100) and a general file server (~7,400), each subdivided by drive.
Unlike the document-heavy Reliance set, this exposure is manufacturing- and engineering-IP-heavy: about 63,800 paths relate to board-level (MLB) data and ~53,300 to final assembly/test (FATP), with AOI/vision data (~13,600), equipment data (~3,700), burn-in (~1,820), functional test (~720) and repair (~1,000) all present, alongside ~11,100 HR-share paths and codenamed product/program references appearing tens of thousands of times across the set (unreleased-product and test-program identifiers). By type it is led by inspection/AOI images (~43,000 jpg), Excel (~27,700), PDF (~26,300), CSV (~13,100), and a large body of logs and test data (txt/json/db/log totalling 21,000+), plus station/program configuration files and libraries (~8,300 dll).
The assessment: the crown jewels here are process and product data (test programs, station configurations, yield/inspection data and codenamed product references), directly useful for competitive intelligence and process reconstruction, with some OT-adjacent artifacts (equipment and station configuration) raising additional concern and the HR share adding personnel-data and social-engineering risk.
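Both inventory write-ups above point to backup scope and staging exposure as root causes. As an added example (not FalconFeeds' tooling), this sketch runs the same kind of triage over a one-path-per-line listing of your own file servers; the keyword buckets, the `\\fs01\ftp_upload` staging root and the sample paths are constructed assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
# Keyword buckets are assumptions mirroring the categories named above; adapt to your shares.
_W = r"(?<![a-z0-9]){}(?![a-z0-9])"  # whole-token match that treats "_" as a separator
CATEGORIES = {
    "identity": re.compile("aadhaar|passport|" + _W.format("pan"), re.I),
    "payroll_tax": re.compile("payroll|salary|" + _W.format("tds") + "|" + _W.format("tax"), re.I),
    "hr": re.compile(_W.format("hr") + "|human.?resources", re.I),
    "finance": re.compile("invoice|financ", re.I),
    "compliance": re.compile("complian", re.I),
}
# Per-user profile data that whole-profile backups sweep up (browser stores, tokens).
SPILLAGE = re.compile(r"[\\/]AppData[\\/](Local|LocalLow|Roaming)[\\/]", re.I)

def classify(path):
    # Profile spillage wins over content buckets; otherwise first matching bucket.
    if SPILLAGE.search(path):
        return "profile_spillage"
    return next((n for n, rx in CATEGORIES.items() if rx.search(path)), "other")

def audit(lines, staging_root):
    # Summarise the inventory: bucket and extension counts, share under the staging root.
    root = staging_root.replace("/", "\\").rstrip("\\").lower() + "\\"
    cats, exts, owners = Counter(), Counter(), Counter()
    total = staged = 0
    for raw in lines:
        path = raw.strip().replace("/", "\\")
        if not path:
            continue
        total += 1
        bucket = classify(path)
        cats[bucket] += 1
        exts[PureWindowsPath(path).suffix.lower() or "(none)"] += 1
        if path.lower().startswith(root):
            staged += 1
            if bucket == "profile_spillage":  # first folder under root = backed-up user
                owners[path[len(root):].split("\\", 1)[0]] += 1
    pct = round(100 * staged / total, 1) if total else 0.0
    return {"total": total, "staged_pct": pct, "categories": dict(cats),
            "extensions": dict(exts), "spillage_by_owner": dict(owners)}

# Constructed sample inventory (not taken from any leak).
SAMPLE = r"""\\fs01\ftp_upload\jdoe\Documents\HR\appraisal_2024.xlsx
\\fs01\ftp_upload\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data
\\fs01\ftp_upload\asmith\Desktop\PAN_card_scan.pdf
\\fs01\ftp_upload\asmith\Projects\plant\layout_rev3.dwg
\\fs02\finance\invoices\2025\INV-0042.pdf
\\fs01\ftp_upload\asmith\AppData\Roaming\Microsoft\Protect\token.bin"""
print(audit(SAMPLE.splitlines(), r"\\fs01\ftp_upload"))
```

A high `staged_pct` together with non-empty `spillage_by_owner` indicates which backup jobs to re-scope to exclude `AppData` and which staging trees need tighter access and retention.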
🚨 India’s corporate sector is having a rough week on ransomware leak sites.
The World Leaks ransomware group has now listed both Tata Electronics (June 10) and Reliance Power (June 11) as alleged victims.
Two major Indian conglomerates appearing on the same ransomware group’s leak portal within 24 hours is certainly notable.
🚨 DDoS Alert 🇺🇸
RipperSec claims to have targeted the website of Religious Zionists Of America (https://t.co/QWqsWpbMd6)
NB: The site is up at the moment
🚨DDoS Alert 🇺🇦
NoName claims to have targeted multiple websites in Ukraine.
• Iskra Scientific and Production Complex
• Kharkiv Aggregate Design Bureau
• State Research and Design Shipbuilding Center
• Lemtrans
• Keramet
• NVKP Sparring-Vist
• ukrjet
📢 Ransomware Alert: 🇨🇦
Cash Canada Pawn
(https://t.co/wLcRDv9n1L), a Canada-based financial service company, has reportedly fallen victim to Qilin ransomware.
🔍Key Details:
🛡️ Threat actor: Qilin
📅 Reported on: 24/06/26
AryStinger is a previously undocumented Linux botnet that hijacks neglected, end-of-life routers and NAS devices, turning them into a covert reconnaissance-and-proxy network. Unlike typical DDoS or cryptomining botnets, it’s purpose-built for the pre-intrusion phase - each infected device becomes an “Executor” that scans the internet, fingerprints services, enumerates subdomains, tunnels traffic, and runs operator commands, all while the device keeps working normally so the infection goes unnoticed.
Key points:
• Two variants - a stripped C build (RTL819X) for legacy D-Link/Linksys routers, and a fuller Go build (Standard) for QNAP NAS with intranet scanning and Go/Java/Python code execution.
• Three n-day CVEs - CVE-2013-3307 (Linksys) and CVE-2016-5681 (D-Link) for routers; CVE-2025-11837 (QNAP Malware Remover) for NAS.
• Controller/Executor model - bots authenticate, get a unique Executor ID, and receive shards of a larger scan job for parallel, distributed reconnaissance.
• Obfuscated C2 - Protobuf + XOR (Go adds gzip) over HTTP/HTTPS, keyed with sh_#@!_2024_secret. Persistence via Dropbear SSH on TCP/2332 (routers) or gs-netcat (NAS).
• Scale & geography - 4,300+ routers confirmed (still rising), led by South Korea (48.45%) and China (31.82%); D-Link DIR-850L is ~75% of devices. NAS scale unmeasured.
• Low detection, no attribution - initial samples were 0/VirusTotal; tradecraft mirrors state-aligned ORB networks, but XLab makes no attribution.
• Main risk - the device becomes hidden attack infrastructure inside a trusted perimeter. EoL routers can’t be patched, so replacement is the only durable fix.
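A host-side check for the two persistence indicators listed above, as an added example (not XLab's or FalconFeeds' code). It assumes you can collect `ss -H -tlnp` output and a process-name list from the device; the sample data is constructed, and flagging Dropbear on any port other than 22 is an added heuristic, not a claim from the report.

```python
import re

ARYSTINGER_SSH_PORT = 2332                 # Dropbear persistence port named above
PROC_RE = re.compile(r'\("([^"]+)",pid=\d+')

def parse_listeners(ss_output):
    """Parse `ss -H -tlnp` lines into (port, [process names]) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is field 4; rsplit copes with "0.0.0.0:80", "[::]:22" and "*:8022".
        port = fields[3].rsplit(":", 1)[-1]
        if port.isdigit():
            # Process column is empty when ss runs without root.
            listeners.append((int(port), PROC_RE.findall(line)))
    return listeners

def findings(ss_output, process_names=()):
    """Return (rule, detail) pairs for the indicators described in the post."""
    hits = []
    for port, procs in parse_listeners(ss_output):
        if port == ARYSTINGER_SSH_PORT:
            hits.append(("tcp-2332-listener", port))
        elif "dropbear" in procs and port != 22:
            hits.append(("dropbear-nonstandard-port", port))  # added heuristic
    for name in process_names:
        base = name.rsplit("/", 1)[-1]
        if base.startswith("gs-netcat"):    # NAS persistence tool named above
            hits.append(("gs-netcat-process", base))
    return hits

# Constructed sample output, for illustration only.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=301,fd=4))
LISTEN 0 128 0.0.0.0:2332 0.0.0.0:* users:(("dropbear",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=410,fd=3))
LISTEN 0 128 *:8022 *:* users:(("dropbear",pid=977,fd=3))
"""
SAMPLE_PS = ["/usr/sbin/httpd", "/usr/sbin/sshd", "gs-netcat"]

if __name__ == "__main__":
    for rule, detail in findings(SAMPLE_SS, SAMPLE_PS):
        print(rule, detail)
```

A hit is a lead for investigation rather than proof of infection; on end-of-life routers the durable fix remains replacement, as the post notes.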
📢 Ransomware Alert: 🇵🇹
Lp Group (https://t.co/eq0vyxPV2S), a Portugal-based building and construction company, has reportedly fallen victim to Nova ransomware.
NB: They intend to publish within 13-14 days
🔍Key Details:
🛡️ Threat actor: Nova
📅 Reported on: 24/06/26
⚠️ Data Compromised: 10 GB
🚨 DDoS Alert 🇱🇺
NoName claims to have targeted multiple websites in Luxembourg.
* Luxembourg National Railway Company
* Ministry of Digitalization
* Ministry of Home Affairs
* Chamber of Deputies
📢 Ransomware Alert: 🇧🇷
META (https://t.co/8qTIRDTasd), a Brazil-based occupational health and workplace safety services provider, has reportedly fallen victim to BravoX Ransomware.
NB: The group intends to publish the data within 9-10 days.
🔍Key Details:
🛡️Threat actor: BravoX
📅 Reported on: 24/06/26
⚠ Data Compromised: 730.2 GB
📢 Ransomware Alert: 🇺🇸
Horizon Eye Care (https://t.co/tnlUa2axgc), a US-based ophthalmology and eye care provider, has reportedly fallen victim to INC Ransom Ransomware.
🔍Key Details:
🛡️Threat actor: INC Ransom
📅 Reported on: 24/06/26
📢 Ransomware Alert 🇰🇷
Lee International IP & Law (https://t.co/a1UlGmGXTI), a South Korea-based legal services firm, has reportedly fallen victim to Qilin ransomware.
🔍Key Details:
🛡️Threat Actor: Qilin
📅 Reported On: 24/06/26
📢 Ransomware Alert 🇨🇴
Quantum Data Systems LTDA (https://t.co/TPvWPmWRZQ), a Colombia-based software development and technology company, has reportedly fallen victim to the Nova ransomware group.
NB: They intend to publish the data within 13-14 days.
🔍Key Details:
🛡️Threat Actor: Nova
📅Reported On: 23/06/26
⚠️Data Compromised: 1.5 TB
📢 Ransomware Alert: 🇦🇺
Reynella East College
(https://t.co/9wBpwKSRlE), an Australia-based higher education organization, has reportedly fallen victim to INTERLOCK ransomware.
🔍Key Details:
🛡️ Threat actor: INTERLOCK
📅 Reported on: 23/06/26
⚠️ Data Compromised: 610 GB
Malware doesn’t deploy itself. To neutralize a threat, security teams must understand the entire attack chain, from the specific tool used to the active adversary operating it.
Our latest white paper unpacks the https://t.co/MG5DMBfAMn Malware Intelligence module. Discover how our system goes beyond basic signatures to establish full-spectrum visibility, correlating complex malware profiles directly with dynamic digital infrastructure and prominent global threat actors like Earth Lamia and Kimsuky.
Learn to leverage FirstSeen and LastSeen temporal tracking to identify emerging variants early, understand platform-specific targeting, and extract high-fidelity IPs and hashes to power proactive threat hunting across your enterprise.
Download the white paper: https://t.co/ZPgcTVA4UV