My article "How To Investigate A Person Of Interest In 2026" is now available as a PDF.
A practical guide to digital footprint analysis – from email reconstruction to metadata mining and entity graphing.
Thanks @osintnewsletter for the mention.
PDF: https://t.co/86YlE9e2pB
In the fight against cybercrime, we have published darkforums-ip-intel on GitHub, an OSINT mapping tool built on IP logs extracted from DarkForums 2026. With it, it is possible to identify potential actors who operated without protection, exposing IPs from local providers; detect IP changes between countries of interest; correlate accounts operating from the same provider; cross-reference timezones with activity hours to profile operational routines; identify infrastructure shared between different actors; and visualize everything on an interactive map.
The information used comes from records previously disclosed on publicly accessible forums and subsequently documented in open OSINT sources.
Reference source: https://t.co/pIKwjOta08
The database is available to researchers, cybersecurity teams and law enforcement agencies who want to work with it in the context of their investigations.
SHA256 hashes for integrity verification:
Original JSON database: 77ea1ad3164830874baa6eeff9deff4e253040710d66e6ee2a2756bf8444742f
Converted IPs DB database: e2588cefa10ee2822350b21034716adf2bdd543a637219572ab6477406520b02
Tool:
https://t.co/5cHk59rtJK
Stormous #Ransomware Leak Site
They are continuously leaking information about the victims
/pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd[.]onion
Very interesting discovery & assessment: Iran’s MuddyWater APT observed using Chaos Ransomware.
One key piece of context the R7 blog missed, however, is that MuddyWater has been around a long time and was found to use Thanos ransomware several years ago: https://t.co/TQ9RF8ql10
Behind Kimsuky’s latest operations: evolving PebbleDash and AppleSeed malware, abuse of legitimate remote tools, and a growing focus on persistence, remote control, and data theft. For a deep dive into the group’s shifting tradecraft – check this out: https://t.co/wL4ZwOLOuA
📌 Revisiting Our Investigation Into C2 Infrastructure Across Russian Providers
A few weeks ago, we published an article on Russian malicious infrastructure. Over a three-month window, we mapped:
➜ 1,250+ C2 servers
➜ 165 Russian infrastructure providers
➜ C2 activity across hosting, VPS, cloud, and telecom networks
➜ Repeated abuse tied to malware families like Keitaro, Hajime, Cobalt Strike, Sliver, and more
Our research gives a clearer look at how C2 infrastructure is distributed across Russian hosting environments, and which providers carry the heaviest abuse patterns.
Read the full article in our blog 👉 https://t.co/beGsn80vxO
#ThreatHunting #ThreatIntelligence #CyberSecurity #InfoSec
‼️ German Authorities Shut Down Revived "Crimenetwork" Platform, Arrest Operator on Mallorca
https://t.co/V1h2gpQWoX
German law enforcement has dismantled the relaunched version of the criminal online marketplace "Crimenetwork" and arrested its alleged operator on the Spanish island of Mallorca, the Federal Criminal Police Office (BKA) and the Frankfurt Public Prosecutor's Office's cybercrime unit (ZIT) announced on May 8, 2026.
The suspect, a 35-year-old German citizen, was detained at his Mallorca residence by a special unit of the Spanish National Police on the basis of a European arrest warrant. According to investigators, the man rebuilt an entirely new technical infrastructure under the same "Crimenetwork" name within days of the December 2024 takedown of the original platform and the arrest of its previous administrator. Spanish authorities executed two European arrest warrants against him, covering allegations of organized commercial fraud as well as the operation of a criminal trading platform on the darknet, and he is reportedly being held in Spanish extradition custody.
The reconstituted marketplace had grown into a substantial illicit operation before being shuttered. According to police, the platform most recently counted more than 22,000 users and over 100 sellers, who traded in stolen data, drugs, and forged documents. Users settled transactions in cryptocurrencies including Bitcoin, Litecoin, and Monero, and evidence seized during the operation points to platform revenues exceeding 3.6 million euros, with the operator collecting commissions on sales while sellers paid monthly fees for advertising and sales licenses.
Authorities provisionally secured assets of roughly 194,000 euros directly tied to "Crimenetwork" and obtained extensive user and transaction data expected to fuel further investigations. The case follows the recent sentencing of the original platform's administrator: in March 2026, the Gießen Regional Court handed down a prison term of seven years and ten months and ordered the confiscation of more than ten million euros in criminal proceeds, though the verdict is not yet final.
BKA Cybercrime division head Carsten Meywirth framed the action bluntly, saying the relaunch of Crimenetwork had failed and that another administrator would now have to answer to a German court, a reminder, he said, that "cybercrime does not pay."
https://t.co/Xooh69luEC
@vxunderground yes, it's 142 pages.. but it has a lot of pics..
none of cats tho..😾
whoever interested and too lazy to look it up..
👇
https://t.co/lALqcAV424
‼️New investigation: we obtained more than 2,000 pages of documents showing how a secret faculty hidden inside a prestigious university trains hackers, saboteurs and intelligence officers for the GRU.
https://t.co/zy98r8GY7P @VSquare_Project @InsiderEng @derspiegel @lemondefr @DelfiEE @guardian
🇮🇷 🔴 New Research: Iranian-Nexus Operation Against Oman's Government - 12 Ministries Hit and 26K Citizen Records Exposed
https://t.co/9iRX4F2O4u
An exposed open directory on a UAE-hosted VPS handed us a front-row view of an active intrusion campaign against Oman's Ministry of Justice and Legal Affairs. The full toolkit, C2 code, session logs, and exfiltrated data were sitting in plain sight on port 8000 and 8002.
Here's what our research team found:
- C2 logs confirmed active operator sessions as recently as April 10, 2026, with all traffic originating from inside the MJLA network
- Over 26,000 Ministry of Justice user records were pulled, along with judicial case data, committee decisions, and SAM and SYSTEM registry hives
- 12 targeted exploit scripts were recovered, covering Exchange spraying, SQL server escalation, and reflective execution
- Scripts in the directory mapped to 12 Omani government ministries by name, from the Ministry of Finance to the Royal Oman Police
- A neighboring infrastructure cluster on the same ASN hosted spoofed Iranian diaspora media and several .ir domains, consistent with past Iranian state-sponsored operations
The operator left behind a clean record of their own failures - every script revision documented inline, including what got flagged, what broke, and how they fixed it. TTP overlap with #APT34 and #MuddyWater places this within the Iranian state-nexus space.
👉 Full research, IOCs, and all indicators are in the link below: https://t.co/9iRX4F2O4u
#threatintelligence #threathunting #threatintel #iran #oman
Together with @bzvr_, @2igosha and Anton Kargin, we identified that the DAEMON Tools software has been compromised in a complex supply chain attack since April 8. We see thousands of infections across 100+ countries. If you use DAEMON Tools, run a malware scan immediately! [1/7]
We investigated a CN #APT that targeted multiple governments and companies with government contracts in Asia. In half of the targets we found a second group with different malware toolkit but sharing the infection vector and some post-exploitation tools https://t.co/IN12VBv5k4
Hacker’s intro to maritime cybersecurity: AIS communication protocol, tech details, & security flaws. 🛳️🛰️🚢👩🏻💻
More details:
LinkedIn: https://t.co/WTVzFRQFEB
Substack: https://t.co/Kjkrh1pVTL