🚨 A U.S. government agency reportedly paid $1M to data extortion group Kairos
Ransom-ISAC reconstructed a full extortion case using leaked negotiation logs and blockchain tracing.
The victim was reportedly hit in May 2025, listed on Kairos’s leak site days later, and told the group held over 1.6 million files totaling around 2TB.
Kairos allegedly started at $3M, the victim countered as low as $100K, and the final payment landed at roughly $1M in Bitcoin.
The key detail: no ransomware sample, encryptor, or locker binary has been confidently linked to Kairos.
This was data theft, pressure, deadlines, and a promise of deletion that could not be technically verified.
BTC: bc1q0zkms9vuhp767q6yp3t4tj8fkellxz5h3dxgvl
🚨 Detection Update: We’ve analyzed the latest FBI Flash alert and identified a surge in suspicious Checkmarx lookalike domain registrations this June.
Our engineers have pushed a new detection rule to the OneView Platform in General available ruleset.
Stay Safe!
#threatintel
[https://t.co/3sdEPHQvLU] ⚡ Our proactive hunter detected a lookalike domain mimicking Googles Antigravity for spreading #Clickfix
⚠️ antigravity[.]study
#threatintel#clickfix
👉🏼 Trial access to our Oneview Platform for corporate/ verified users available - drop us a note
[https://t.co/3sdEPHQvLU] ⚡ Our proactive hunter detected a lookalike domain mimicking Googles Antigravity for spreading #Clickfix
⚠️ antigravity[.]study
#threatintel#clickfix
👉🏼 Trial access to our Oneview Platform for corporate/ verified users available - drop us a note
The FBI has issued a FLASH on the cybercriminal group TeamPCP, which has carried out large-scale software supply chain compromises by targeting widely used developers and security tools. The group has infiltrated victim environments and extracted sensitive data, including cloud access tokens, SSH keys, and Kubernetes secrets. TeamPCP has also engaged in extortion and collaboration with cyber actors from other threat actor groups, publishing victim names on a public leak site and threatening to release stolen data.
Read the FLASH for more on TeamPCP’s tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommendations to protect your organization: https://t.co/kuNZEzuVeF
[https://t.co/5p6Slxv2HO] ⚡ Our Oneview Platform provides an active view of the c2 activity pattern for all major high impact c2 infrastructure to enable defenders with additional context
✉️ Email us to experience it yourself
⚙️ MCP Support available
#threatintel#ransomware
We identified a new DPRK North Korea linked malware in npm - terminal-logger-utils.
The username that uploaded the malware has uploaded a similarly named terminal-logger npm package last month which was classified as a DPRK malware.
The malware downloads a 2nd stage payload according to the current OS, which contains a Node packaged executable with JavaScript code inside, which contains a full RAT behaviour, information stealing logic, targeting crypto, cloud, environment variables, SSH keys and anything it can get its hands on.
The malware has also 3 dependant packages that import it which causes direct execution on the machine.
- pretty-logger-utils
- ts-logger-pack
- pinno-loggers
Read the full research:
https://t.co/92NronLKYf
[https://t.co/5p6SlxuuSg]🌀 Our proactive hunters observed a growing pattern in domains hosting #clickfix
⚡️In the last 7 days - we observed about 200+ domains hosting clickfix
#threatintel
🚨 We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase. (1/6)
Cyber threats have are growing at an unprecedented rate - Organisations MUST augment their existing processes with threat intelligence to gain visibility of adversary actions, enhance situational awareness & detections
📨us for Oneview Platform access
#threatintel#dfir