Advanced protection and intelligent cybersecurity solutions. We transform data into defense and threats into opportunities. Your digital shield, today and always.
🚨 Know your external exposure before threat actors do
Every day, cybercriminals discuss organizations on underground forums, Telegram channels, ransomware leak sites, phishing infrastructure, and illicit marketplaces.
With VECERT Attack Surface Intelligence, organizations can continuously monitor their digital footprint and identify threats before they escalate into incidents.
Our platform and API provide visibility into:
🔍 Mentions on underground forums, marketplaces and Telegram
🔐 Monitoring of ransomware leak sites
🎣 Detection of phishing infrastructure
👤 Employee credential exposure
💻 Exposed repositories and leaked source code
⚙️ Security misconfigurations and exposed services
🌐 Subdomain discovery and attack surface mapping
📧 Email and domain impersonation monitoring
📊 Threat intelligence correlation and risk scoring
🚨 24/7 SOC monitoring and analyst validation
VECERT combines automated intelligence gathering with analysis by human experts, delivering actionable alerts, incident tracking, and executive reports through a single platform.
Available for:
🏢 Large enterprises
🏦 Financial institutions
🏥 Healthcare providers
🏭 Critical infrastructure
🌎 Government agencies
🛡️ National cybersecurity teams (CERT/CSIRT)
🔗 MSSPs and Security Operations Centers (SOCs)
Platform subscriptions, enterprise licenses, and API access are available for corporate and government environments.
📩 Contact: [email protected]
#VECERT #ThreatIntelligence #AttackSurfaceManagement #Cybersecurity #ThreatHunting #SOC #DarkWebMonitoring #ASM #ExposureManagement #CyberDefense #GovernmentSecurity #EnterpriseSecurity #ThreatIntel #OSINT #SecurityOperations #API #AttackSurfaceIntelligence
🚨 CYBER INTELLIGENCE SUMMARY: GLOBAL WARNING SIGNAL REPORT
[STATUS: MULTI-RISK ACTIVITY / TACTICAL AND FINANCIAL MONITORING]
The signals captured by the analyzerPRO intelligence filter map have been processed. Of the 18 alerts detected during this timeframe (June 12, 2026), a high-risk event directly linked to financial infrastructure stands out, accompanied by intense malware activity, hacktivism, and breaches of government portals.
Below is a consolidation of the threats classified by vector and operational priority:
🛑 CRITICAL THREATS AND FINANCIAL RISK (HIGH RISK)
🇺🇸 United States | Risk: 78 (Ransomware)
Event: Clandestine sale of the Blacknetransom ransomware, designed to attack banking institutions.
Actor: Infrastructure Destruction Squad.
Intelligence Note: This is the highest severity alert on the panel. It represents an imminent risk to the banking sector, suggesting the preparation of extortion and encryption campaigns targeting financial infrastructure.
🇷🇺 Russia | Risk: 40 (Rootkit / Crypto Asset Theft)
Event: Identification of Page Builder, an illicit tool (Phishing-as-a-Service) for stealing crypto assets and emptying wallets.
Actor: Threat Market.
🇷🇺 Russia | Risk: 52 (Botnet / Infostealer)
Event: Botnet based on a Google Chrome extension equipped with HVNC (Hidden Virtual Network Control), targeting transactional fraud and MFA evasion.
Actor: Suvokner.
💻 INFRASTRUCTURE EXPLOITATION AND ACCESS SALES (IAB)
🇲🇽 Mexico | Risk: 65 (Infostealer)
Event: Alleged exploit actively running on the educational systems of https://t.co/F7dllKbL5R.
Actor: Cortex-group.
🇮🇳 India | Risk: 54 (Malware / RCE)
Event: Possible Remote Code Execution (RCE) and Remote Shell on an Indian government portal.
Actor: KRD FEMBOYSM.
🇵🇪 Peru | Risk: 51 (Exploit)
Event: Alleged active exploit targeting the Cajamarca Health Directorate (https://t.co/R7Vqj9RIuP).
Actor: Cortex-group.
🇺🇸 United States | Risk: 48 (Exploit)
Event: Sale of a private exploit for web hosting control panels (cPanel).
Actor: Omnipotent.
🌐 GEOPOLITICS, ESPIONAGE, AND INFRASTRUCTURE MOVEMENTS
🇷🇺 Russia | Risk: 40 (APT / Advanced Persistent Threat)
Event: Deployment of a new operational domain linked to the cybercriminal group LAPSUS$.
🇷🇺 Russia | Risk: 40 (Future Attack Preparation)
Event: The Russian underground forum https://t.co/75S5eoNqgm migrates to a new domain to evade blocks or prepare for new operations.
Actor: xssf forum.
🇩🇪 Germany | Risk: 32 (Cyber-espionage)
Event: Alleged leak of a classified NATO document.
Actor: We are Cardinal.
🏴‍☠️ ACTIVE HACKTIVISM AND DISTRIBUTED ATTACKS (DDoS / DOXING)
Middle East (Focus on Israel):
🇮🇱 Israel | Risk: 56 (Hacktivism / Doxing): Two consecutive personal data exposure operations (doxing) carried out by Yemen Cyber Group.
🇮🇱 Israel | Risk: 50 (DDoS): Targeted attack against an Israeli military entity by BD Anonymous.
🇮🇱 Israel | Risk: 40 (DDoS): Distributed Denial of Service attack carried out by Rippersec.
Europe and the United Kingdom:
🇬🇧 United Kingdom | Risk: 53 (DDoS): Nationwide hacktivist attack carried out by NoName057.
🇬🇧 United Kingdom | Risk: 46 (DDoS): Attacks against British government websites launched by Dark Storm.
🇺🇦 Ukraine | Risk: 39 (DDoS): Hacktivist attack launched by the pro-Russian faction NoName057.
🇧🇬 Bulgaria | Risk: 32 (Hacktivism): The group God's Gladiators announces its intention to aggressively escalate its attacks in the region.
Threat Actor: Infrastructure Destruction Squad
Primary Vector: Use of specialized tools to attack industrial control systems (ICS/SCADA).
🇮🇷 Iran | SCADA (Multiple Events)
Event 1: Identification and deployment of the illicit TRK25 ADVANCED SCADA tool.
Event 2: Active attack on SCADA systems using the TRK25 ADVANCED SCADA tool.
Event 3: Targeted attack against the JAFARI SIAHKAL SCADA station.
🇮🇹 Italy | SCADA
Event: Threat actors launch an attack against Italian infrastructure using the tool known as Labiotest.
🇹🇷 Turkey | SCADA
Event: Targeted attack against SCADA systems in Turkish territory, again using the TRK25 ADVANCED SCADA tool.
#CyberSecurity 🔐 #ThreatIntelligence 📊 #Ransomware #BankingThreats 💸 #Exploits #Hacktivism #APT #VECERT 🏢
🕵️‍♂️ **WITHIN THE UNDERGROUND ACCESS ECONOMY**
**VECERT Threat Intelligence Investigation**
During a threat monitoring and investigation operation, the VECERT intelligence lab gained access to credentials used by an actor linked to a clandestine market for compromised access, allowing for the analysis of part of the operational structure, methodology, and supply chain used within this criminal ecosystem.
🔍 The analysis revealed an organized model where access to servers, administrative panels, corporate emails, VPNs, and hosting services is obtained, validated, and subsequently sold to other actors for fraud, data theft, and ransomware operations.
📦 The recovered information allowed for the documentation of part of the organization's modus operandi, including access validation processes, victim classification, inventory management, and monetization mechanisms.
Article:
https://t.co/MDxgF7VfpU
#ThreatIntelligence #CyberThreatIntel #CyberSecurity #ThreatResearch #DarkWeb #CyberCrime #InitialAccessBroker #Infostealer #Ransomware #DigitalRisk #OSINT #CyberDefense #ThreatActor #VECERT #CTI
🚨 VECERT Laboratory Investigation
During an ongoing investigation into the underground ecosystem known as FreeCity, analysts identified a series of indicators linking the platform to a broader cybercriminal infrastructure focused on data aggregation, identity correlation and illicit intelligence commercialization.
The investigation included domain authentication through metadata extraction from the associated onion service, correlation with historical underground publications, actor profiling activities, identification of operational fingerprints, and monitoring of Telegram channels used for promotion, support and ecosystem expansion.
🔬 Investigation Highlights
▪ Onion service validation through metadata analysis
▪ Correlation with historical underground forum publications
▪ Threat actor profiling and infrastructure mapping
▪ Identification of operational fingerprints and behavioral patterns
▪ Telegram ecosystem monitoring and channel attribution
▪ References to breached databases and exposed identities
▪ Intelligence enrichment capabilities observed within the platform
These findings demonstrate how modern cybercriminal ecosystems are evolving beyond traditional data leaks into highly organized intelligence platforms capable of supporting fraud, social engineering, identity theft and targeted cyber operations.
#FreeCity #CyberThreatIntelligence #ThreatIntelligence #CTI #Cybercrime #DarkWeb #UndergroundMarkets #DataBreach #DigitalRiskProtection #FraudDetection #OSINT #ThreatActor
🚨🇲🇽🇦🇷🇨🇱🇪🇨🇨🇴🇺🇾🇻🇪🇵🇦 LATAM DATA LEAK CRISIS — MAY 2026
During May 2026, one of the largest waves of data leaks and exposures in Latin America was recorded. More than 385 public incidents were detected on underground forums, leak channels, criminal marketplaces, and platforms used by threat actors specializing in selling access, citizen data, medical records, and government systems.
The analysis reveals an accelerated evolution of the regional cybercrime ecosystem, where criminal groups are no longer solely seeking rapid monetization but also building massive repositories of digital identity, biometrics, medical information, and persistent access for future fraud, extortion, and espionage operations.
📊 Over 512 million records compromised
📦 Over 68TB of data exposed
🕵️ Over 85 threat actors identified
🌎 11 countries affected in Latin America
The most compromised sectors during May were:
🏛 Government and public sector
🏥 Healthcare and medical laboratories
🏦 Banking and financial systems
🎓 Education and universities
📡 Telecommunications
🏢 Corporate infrastructure
The main attack vectors observed during the month included:
• Exploitation of insecure APIs
• Credentials stolen via infostealers
• Persistent webshells on public servers
• IDOR vulnerabilities
• Compromised RDP/VPN access
• Exposure of buckets and cloud storage
• Reuse of leaked credentials
• Sale of initial access on underground forums
The regional trend indicates that June 2026 could see an even greater increase in attacks targeting:
• Biometric platforms
• Electoral infrastructure
• Hospital systems
• Telecommunications
• Citizen digital identity
• State-owned financial institutions
• Regional SaaS providers
LATAM is entering a stage of industrialized cybercrime operations where stolen data is no longer seen merely as isolated leaks but as reusable strategic assets for future fraud campaigns, persistent access, and clandestine monetization.
#CyberSecurity #DataLeak #ThreatIntelligence #CyberCrime #DataBreach #OSINT #LATAM #Mexico #Argentina #Chile #Ecuador #Colombia #Uruguay #Venezuela #Panama #DarkWeb #CTI #Infosec #DigitalRisk #CyberThreats
⚠️ SharePoint RCE Vulnerability.
Details → https://t.co/mISXJr3Fvl
CVE-2026-45659 allows authenticated attackers with only Site Member permissions to execute code remotely on SharePoint Server.
The CVSS 8.8 flaw affects SharePoint Server 2016, 2019, and Subscription Edition.
🚨 STRATEGIC CYBERINTELLIGENCE ALERT: ANATOMY OF THE CaaS PLATFORM IN COLOMBIA 🇨🇴
⚠️ TECHNICAL BREAKDOWN OF THE CRIMINAL INTELLIGENCE BOT AND THE EROSION OF DATA PRIVACY
[STATUS: ACTIVE TOOL / CRIME-AS-A-SERVICE MODEL / EXTREME RISK OF FINANCIAL FRAUD AND EXTORTION]
The cybercrime ecosystem targeting Colombia has evolved toward industrialization. The detected tool is not merely a leaked database, but a sophisticated Crime-as-a-Service (CaaS) engine operated via Telegram (attributed in recent investigations to the threat actor ɪʀᴏɴ ᴀᴛʟᴀꜱ). This platform enables any criminal—regardless of their technical proficiency—to perform real-time queries (utilizing both OSINT and private databases) to comprehensively profile any Colombian citizen, thereby facilitating attacks.
🧠 TECHNICAL ANATOMY OF THE PLATFORM
The success of this bot lies in its distributed client-server architecture and its ability to unify disparate data sources into a single, user-friendly interface.
1. Operator Interface (Frontend - Telegram)
Anonymity and Accessibility: By being hosted on Telegram, the bot inherits the application's privacy infrastructure, making it difficult to trace the IP address of the operator (the criminal client) as well as that of the central server.
Query Modules: The interface offers an interactive menu featuring predefined commands. The criminal simply needs to input an initial data point—such as a national ID number, a phone number, or an email address—to trigger a massive, cascading search.
2. Correlation Engine and Backend (The Core)
Microservices Architecture: Behind the Telegram bot lies a backend server (likely hosted in "bulletproof" jurisdictions) that receives the request and simultaneously distributes it to multiple extraction scripts (scrapers) and APIs.
Data Enrichment: If a cybercriminal enters a phone number, the engine queries telecommunications providers to obtain the name of the account holder. It then takes that name and queries the National Registry Office to retrieve the corresponding National ID number. Using the National ID, it queries the DIAN (Tax Authority), the Traffic Registry (RUNT), and credit bureaus.
Structured Output: The engine compiles all this information into a clean, structured report (a "Dossier") that is delivered to the client within seconds.
🗄️ DATA SOURCE ECOSYSTEM (DATA PIPELINE)
To achieve this level of detail, the platform has successfully channeled—through the theft of API credentials, the exploitation of web vulnerabilities, or the purchase of access from insiders—three major information verticals:
🏛️ Government and Public Infrastructure:
Identity and Demographics: National Civil Registry (validation of biometric data and National IDs) and Migration Colombia.
Taxes and Property: DIAN (Tax Registry/RUT, business activity), IGAC (Cadastre/real estate records), and RUNT (vehicle ownership, mandatory insurance/SOAT, traffic fines).
Security and Defense: National Police, Inspector General's Office, and Military Forces (criminal records, disciplinary records, and military service status).
🏢 Private Sector and Telecommunications:
Operators (Telcos): Claro, Tigo, Movistar, and WOM. This enables the association of identities with mobile numbers—a capability fundamental to SIM hijacking (line hijacking) attacks.
Comprehensive Healthcare: ADRES, EPS (Health Service Providers), and Insurance Companies (Sura, Seguros Bolívar).
🏴‍☠️ Underground Sources (Dark Web):
Integration with historical data breaches and records derived from "Infostealers" (malware designed to steal passwords and browser cookies from infected systems).
💸 IMPACT ON FINANCIAL INVESTIGATIONS AND CRIMINAL TTPs
The integration of queries directed at credit bureaus (Datacrédito, TransUnion) and banking institutions transforms this bot into a lethal weapon against the financial sector. Attackers leverage this infrastructure to execute the following Tactics, Techniques, and Procedures (TTPs):
SIM Swapping Fraud: Armed with Telco data and the victim's full identity, the scammer impersonates the victim—either in person at a retail branch or over the phone—to port the phone number to a new SIM card, thereby intercepting one-time passwords (OTPs) sent via SMS by banks.
Highly Personalized Extortion: Criminals select victims based on their tax filings (DIAN) or vehicle ownership records (RUNT). These extortion calls feature specific details regarding the victim's vehicles, immediate family members, and home address, thereby drastically increasing the likelihood of payment through intimidation.
#CyberSecurity #Colombia #CrimeAsAService #OSINT #DataBreach #FinancialFraud #ThreatIntelligence #CiberAlerta #VECERT #Infosec #SIMSwapping
🇪🇨 NEW RESEARCH PUBLISHED
"Anatomy of a Clandestine Ecosystem of Carding, Doxxing, and Digital Surveillance in Ecuador" is now available.
We detail how this alleged Cybercrime-as-a-Service network operates in Latin America, using protected infrastructure and Telegram bots to orchestrate fraud and sell sensitive data.
In the article, we break down:
💰 Fraud and Monetization: Credit systems and illicit financial schemes.
🕵️ Data Breach: Mass queries (ID numbers, tax IDs), scraping, and evidence of doxxing.
⚙️ Operation and Actors: Seller structure, clandestine channels, and timeline (2023-2026).
🔍 Technical Analysis: DFIR, infrastructure mapping, and Domains.
An essential overview to understand the evolution and monetization of cybercrime in our region.
🔗 Read the full investigation here:
https://t.co/DMhto96bEv
#OSINT #CyberCrime #FinancialFraud #DFIR #ThreatIntel #Cybersecurity #Ecuador #Telegram #Carding #Doxxing
🚨 CYBER INTELLIGENCE ALERT: AGGREGATE EXPOSURE AND THREAT ANALYSIS — SPAIN 🇪🇸 / COLOMBIA 🇨🇴 / VENEZUELA 🇻🇪 / MEXICO 🇲🇽 / JAPAN 🇯🇵 / GERMANY 🇩🇪 / NIGERIA 🇳🇬 / VIETNAM 🇻🇳
💥 CRITICAL THREAT: ILLEGAL MARKET "ORVX" EXPOSES OVER 32,000 EMAIL CREDENTIALS, GOVERNMENTS AND MILITARY AFFECTED
[STATUS: AGGREGATE ANALYSIS / MASS EXFILTRATION / ACTIVE BLACK MARKET / RESEARCH IN PROGRESS]
VECERT's CTI unit has completed an analysis of correlated data on the operations of the clandestine black market known as "ORVX," an illegal platform specializing in the illicit sale of initial login credentials, corporate webmails, SMTP servers, and high-fidelity email credential lists.
The aggregated telemetry assessment reveals the active marketing of 32,025 listings/registrations involving 6,318 unique domains globally.
The exposure map reveals that the market critically impacts communication infrastructure and sensitive sectors with high institutional sovereignty.
🏢 Affected Entities: Big Tech technology infrastructure, telecommunications providers, ministries of education, government agencies, and defense forces/militaries.
👤 Threat Actor/Platform: "ORVX" Black Market (Operated by multiple Initial Access Brokers such as Seller 160, Seller 139, and Seller 90).
⚔️ Identified Attack Vectors: Exploitation of vulnerabilities via code injection, breaches in Outlook Web Access (OWA) portals, and intrusions into corporate productivity environments such as Office 365 and Zoho Mail.
⚠️ CRITICAL RISK ANALYSIS BY VOLUME AND SECTORAL DISTRIBUTION
The volume of data traded on the ORVX market reveals a clear trend of impact, combining automated mass attacks with the selective sale of corporate access credentials:
💻 Technology / Hosting / Email: 9,083 records (28.4%) — Accounts for the highest volume due to the compromise of webmail platforms and hosting providers.
🎓 Education / Universities: 8,457 records (26.4%) — A sector heavily affected due to the value of its databases and privileged research access.
📡 Telecommunications / ISPs: 2,706 records (8.4%) — A critical vector within communications infrastructure.
🏛️ Government / Public Sector: 1,229 records (3.8%) — Relatively low volume, yet carries the highest level of institutional and geopolitical risk.
🛒 Commerce / Automotive: 921 records (2.9%)
🏦 Finance / Insurance: 208 records (0.6%)
🏥 Healthcare: 89 records (0.3%)
🛑 Critical Impact in Spain (Movistar Case): The domain movistar(.)es leads global exposure with 1,674 records of compromised access credentials. Given that Movistar's infrastructure supports not only residential users but also thousands of Small and Medium-sized Enterprises (SMEs) and large corporations within Spanish territory, this means that Spanish companies utilizing Movistar's service have been affected and exposed exactly that many times on the illicit market—leaving their commercial and financial communications completely vulnerable to Business Email Compromise (BEC) fraud or corporate espionage.
🪖 EVIDENCE OF COMPROMISED GOVERNMENTS AND MILITARY ENTITIES
Alarmingly, the sales listings on the ORVX marketplace include high-persistence access credentials—specifically OWA Webmail access—pertaining to law enforcement agencies and armed forces:
⚔️ Defense Forces and Military Entities:
https://t.co/Dr6NcEFL8T — Peruvian Army (OWA Webmail access exposed by threat actor "Seller 160").
https://t.co/Z0DQbhTVVo — National Army of Colombia (Zoho Webmail access exposed by "Seller 160").
https://t.co/aKLgXGeuRG — Central Military Hospital of Argentina (OWA Webmail access exposed by "Seller 160").
🚔 Government Security Agencies:
https://t.co/pUFWr7LeXL — National Police of Peru (OWA Webmail exposed by Seller 160).
https://t.co/D4wwpSAqzn — Bangladesh Police (OWA Webmail compromised).
🏛️ State and Municipal Agencies: Lagos State, Nigeria (https://t.co/kSvQbtz36n: 352); Surabaya, Indonesia (https://t.co/BexMY3wQEQ: 135); General Department of Taxation, Vietnam (https://t.co/JqmCIg7dfl: 98); Government of Buenos Aires (https://t.co/uPqRIOjsWK: 12); Ministry of Public Education, Mexico (https://t.co/fATLrYt2x7 / https://t.co/Vg3LiPf7wi).
🛡️ TECHNICAL RECOMMENDATIONS AND PREVENTIVE MITIGATION
🚫 Invalidation and Purging of SMTP/OWA Connections: Administrators of the identified domains (specifically the military forces of Peru and Colombia, and the corporate network of Movistar Spain) are urged to immediately revoke all active email session tokens and audit SMTP relay connectors.
🔑 Initial Access Broker (IAB) Threat Hunting: Strictly monitor web authentication logs for anomalous login attempts originating from residential networks or non-corporate VPNs that target key institutional email accounts.
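The IAB threat-hunting check recommended above, as an added example that is not VECERT's code: it runs over constructed OWA-style authentication log lines and reports key-account logins from outside the corporate/VPN allowlist plus repeated failures from one external source. The four-field line layout, the CIDR allowlist and the key-account list are all assumptions.

```javascript
'use strict';
// Added example, not VECERT's code: the IAB threat-hunting check recommended above, run
// over constructed OWA-style authentication log lines. Assumptions (all constructed):
// lines look like "<ISO time> <source ip> <account> <success|failure>", corporate and VPN
// egress ranges are known as CIDRs, and a short list of key institutional accounts exists.

const CORPORATE_RANGES = ['198.51.100.0/24', '203.0.113.0/25']; // constructed allowlist
const KEY_ACCOUNTS = new Set(['owa.admin@example.test', 'chief@example.test']);
const FAILURE_THRESHOLD = 3; // failures per (source ip, account) before it is reported

function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [network, bitsText] = cidr.split('/');
  const bits = Number(bitsText);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(network) & mask) >>> 0);
}

function isCorporate(ip) {
  return CORPORATE_RANGES.some((cidr) => inCidr(ip, cidr));
}

// Returns null for lines that do not match the assumed four-field layout.
function parseLine(line) {
  const fields = line.trim().split(/\s+/);
  if (fields.length !== 4 || !['success', 'failure'].includes(fields[3])) return null;
  return { time: fields[0], ip: fields[1], account: fields[2].toLowerCase(), result: fields[3] };
}

// Reports (a) successful logins to key accounts from outside the allowlist and
// (b) repeated failures against any account from one external source.
function huntAnomalousLogins(lines) {
  const findings = [];
  const failures = new Map(); // "<ip>|<account>" -> failure count
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || isCorporate(ev.ip)) continue; // traffic inside the allowlist is not this hunt
    if (ev.result === 'success' && KEY_ACCOUNTS.has(ev.account)) {
      findings.push({ severity: 'high', ...ev, reason: 'key account login from outside corporate/VPN ranges' });
    } else if (ev.result === 'failure') {
      const key = `${ev.ip}|${ev.account}`;
      const count = (failures.get(key) || 0) + 1;
      failures.set(key, count);
      if (count === FAILURE_THRESHOLD) {
        findings.push({ severity: 'medium', ...ev, reason: `${count} failed logins from one external source` });
      }
    }
  }
  return findings;
}

// Constructed sample log: one external source fails three times, then succeeds.
const SAMPLE_LOG = [
  '2026-06-12T08:15:02Z 198.51.100.23 owa.admin@example.test success',
  '2026-06-12T08:16:40Z 192.0.2.77 chief@example.test failure',
  '2026-06-12T08:16:52Z 192.0.2.77 chief@example.test failure',
  '2026-06-12T08:17:05Z 192.0.2.77 chief@example.test failure',
  '2026-06-12T08:19:31Z 192.0.2.77 chief@example.test success',
  '2026-06-12T09:02:11Z 203.0.113.200 analyst@example.test success',
  'malformed line',
];

console.log(JSON.stringify(huntAnomalousLogins(SAMPLE_LOG), null, 2));
```

On the sample log this yields two findings: a medium one at the third failure and a high one for the subsequent success against the key account from the same external address.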
NOTE: The dashboard image is from the AnalyzerPro platform.
📊 MONITORING AND EVALUATION
Intelligence System: https://t.co/wk9bZJ2Nli
Quickly assess your website's security with:
https://t.co/QZhWp0kFrO
#CyberSecurity #OrvxMarket #EmailLeak #MovistarEspaña #EjercitoPeru #EjercitoColombia #ThreatIntelligence #InitialAccess #WebmailBreach #FinancialThreats #CyberAlert #VECERT #Infosec #ConfirmedBreach
Microsoft is investigating a new, emerging Mini Shai-Hulud npm supply chain attack targeting antv packages.
Attackers compromised an antv maintainer account and published malicious versions of multiple widely used packages (for example, antv/g2). As these packages are widely used as dependencies, the compromise propagated into downstream libraries like echarts-for-react, impacting a much broader set of applications and continuous integration (CI) environments.
All compromised packages contain a byte-identical, obfuscated credential-stealing payload delivered via a preinstall hook (Bun). The malware targets high-value secrets including:
- GitHub personal access tokens (PATs) and OpenID Connect (OIDC) tokens
- npm / Amazon Web Service (AWS) credentials and Security Token Service (STS) sessions
- Secure Shell (SSH) keys, kubeconfigs, and .env / .npmrc files
- Software-as-a-service (SaaS) tokens (Slack, Stripe, Vault)
Exfiltration occurs over HTTPS with Transport Layer Security (TLS) validation disabled. The payload also abuses stolen OIDC tokens to forge Supply-chain Levels for Software Artifacts (SLSA) provenance and propagate malicious releases, exhibiting worm-like behavior across repositories.
Malicious files distributed through npm packages are detected by Microsoft Defender as Trojan:AIGen/NPMStealer, "Suspicious Node.js process behavior", or "Credential access attempt", preventing credential theft and malicious post-install execution.
Mitigation:
- Audit dependencies for affected antv and related packages; pin or downgrade to known-good versions (pre-2025-05-18).
- Revoke and rotate exposed credentials (GitHub, npm, cloud tokens, SSH keys).
- Validate integrity of CI pipelines and recent build artifacts.
- Network IOC: Stolen credentials are exfiltrated over HTTPS to t.m-kosche[.]com:443. Block at egress and review network logs for outbound connections.
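One way to carry out the dependency-audit step above offline, as an added example that is not Microsoft's, npm's or the antv project's code: it walks a package-lock.json (lockfileVersion 2/3, whose "packages" map records hasInstallScript) for watched-scope packages newer than a pinned known-good version, and inspects installed package.json files for lifecycle hooks that invoke bun, the delivery path the advisory describes. The known-good pins, versions, paths and scripts are constructed sample values, not real antv release numbers.

```javascript
'use strict';
// Added example, not Microsoft's, npm's or the antv project's code. Two signals from the
// advisory above: (1) watched-scope packages newer than a pinned known-good version and
// (2) preinstall/install/postinstall hooks that invoke bun. All data below is constructed.

const WATCHED_SCOPE = '@antv/';
// Assumed known-good pins (constructed placeholders, not real antv release numbers).
const KNOWN_GOOD = { '@antv/g2': '5.2.0', '@antv/util': '3.3.0' };
const HOOKS = ['preinstall', 'install', 'postinstall'];
const BUN_INVOCATION = /(^|[\s;&|(])bunx?(\s|$)/;

// Numeric dotted-version comparator (enough for x.y.z pins; pre-release tags are ignored).
function compareVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name from a lockfile path such as "node_modules/x/node_modules/@antv/g2".
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? p : p.slice(i + 'node_modules/'.length);
}

// Walk every resolved package, including nested copies pulled in by other dependencies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // "" is the root project itself
    const name = entry.name || nameFromPath(path);
    if (!name.startsWith(WATCHED_SCOPE)) continue;
    const pinned = KNOWN_GOOD[name];
    if (pinned && compareVersion(entry.version, pinned) > 0) {
      findings.push({ path, name, version: entry.version, reason: `newer than known-good ${pinned}` });
    }
    if (entry.hasInstallScript) {
      findings.push({ path, name, version: entry.version, reason: 'declares an install script' });
    }
  }
  return findings;
}

// Inspect installed package.json objects (as read from node_modules) for bun-invoking hooks.
function auditInstallHooks(packageJsons) {
  const findings = [];
  for (const pkg of packageJsons) {
    for (const hook of HOOKS) {
      const cmd = pkg.scripts && pkg.scripts[hook];
      if (typeof cmd === 'string' && BUN_INVOCATION.test(cmd)) {
        findings.push({ name: pkg.name, version: pkg.version, hook, command: cmd, reason: 'lifecycle hook invokes bun' });
      }
    }
  }
  return findings;
}

function runAudit(lock, packageJsons) {
  return { lockfile: auditLockfile(lock), hooks: auditInstallHooks(packageJsons) };
}

// Constructed sample inputs: a nested copy of @antv/g2 pulled in by echarts-for-react.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@antv/g2': { version: '5.2.0' },
    'node_modules/@antv/util': { version: '3.3.0' },
    'node_modules/echarts-for-react': { version: '3.0.2' },
    'node_modules/echarts-for-react/node_modules/@antv/g2': { version: '5.2.1', hasInstallScript: true },
    'node_modules/plain-helper': { version: '1.3.0', hasInstallScript: true }, // out of scope: ignored
  },
};
const SAMPLE_PACKAGE_JSONS = [
  { name: '@antv/g2', version: '5.2.1', scripts: { preinstall: 'bun run ./scripts/setup.js' } },
  { name: 'native-addon-sample', version: '2.0.0', scripts: { install: 'node-gyp rebuild' } },
  { name: 'plain-helper', version: '1.3.0' },
];

console.log(JSON.stringify(runAudit(SAMPLE_LOCK, SAMPLE_PACKAGE_JSONS), null, 2));
```

Only the nested @antv/g2 copy is reported from the lockfile (once for the version, once for the install script), and only its bun preinstall hook is reported from the package.json set; the out-of-scope package with an install script is deliberately left alone.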
🛑 Ivanti, Fortinet, SAP, VMware and n8n released fixes for flaws tied to auth bypass, RCE, SQL injection and privilege escalation.
The patches include CVSS 9.6 bugs in Ivanti Xtraction and SAP, plus five n8n RCE flaws.
See what was fixed: https://t.co/sr9Xk1U12z
🚨 We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase. (1/6)