Follow me as I explain how I tracked “criminal activity” to #APT5. APT5 is associated with PRC People’s Liberation Army (PLA) Troop 61786 / #APT5#MULBERRYTYPHOON#MTLEAKS. Full details - https://t.co/vigh8njhAI
New research reveals a complex cyberespionage operation! Over the past two years, cyberespionage groups linked to both China and India have targeted the Balochistan Police in Pakistan. The attackers utilized various malware clusters, including PlugX, ShadowPad, Cobalt Strike, and Remcos.
China, India-Linked Hackers Both Targeted Same Pakistani Police Force: Both foes and allies have targeted the Balochistan Police force in Pakistan for at least two years, according to SentinelOne.
The post China, India-Linked Hackers Both Targeted Same… https://t.co/CZpPuwD8se
A threat actor exploited a Cisco SD-WAN zero-day (CVE-2026-20245) to gain root access. Learn how this attack happened and how to secure your networks.
#Cisco#SDWAN#ZeroDay#CVE202620245#CyberSecurity
https://t.co/Hi9vpk7SDB
Investigating a Cyber Attack
July 14-16 at 3 PM UTC, we are hosting a training on Investigating a Cyber Attack. The training is available to both Subscriber and Subscriber Pro students.
It's for both red and blue teams. You will see how what digital forensic investigators do during an investigation and and what evidence they look for to reconstruct the attack and identify the attacker
@three_cube
🚨 New Threat Intel Alert 🚨 China-linked APT group UAT-7810 (associated with the 'LapDogs' campaign) is significantly expanding its cyber arsenal. Cisco Talos researchers warn of three new backdoors—LongLeash, DogLeash, and JarLeash—specifically designed to target SOHO routers to build an operational relay box (ORB) network for espionage.
🚨 Cybersecurity Alert: Indian Taxpayers Targeted in "Operation DragonReturn" 🚨 Suspected China-nexus threat actor is exploiting tax season in India to deploy DcRAT malware. https://t.co/QYMrVsWiV6
#ThreatsDay Bulletin is live, and this week’s threats were quiet, weird, and too easy to miss.
🤖 Stolen AI compute
🔨 BlueHammer ransomware
🍎 Apple email flaw
🚨 Fake INTERPOL ransomware
📋 ClickFix defenses
🐀 BeepRAT espionage
🧬 Millennium RAT
🎣 UNC1151 phishing
🔎 AI search hijack
👥 Teams bot controls
🧠 GPT-5.6 Sol
🕵️ UNC5792 reward
🧩 Prompt injection
🕶️ Anthropic tracking
📱 Device-aware phishing
🏛️ Amazon FTC fine
🏗️ Claude sandbox root
Read the full roundup: https://t.co/lrApc0IVjM
Following my recent exposure of Troop 61786/#APT5, the primary source range 106.120.218.0/24 associated with the PLA unit Troop 61786 has gone quiet. Full details - https://t.co/8qMtYUMAzQ
Follow me as I explain how I tracked “criminal activity” to #APT5. APT5 is associated with PRC People’s Liberation Army (PLA) Troop 61786 / #APT5#MULBERRYTYPHOON#MTLEAKS. Full details - https://t.co/vigh8njhAI
🚨 Threat Intel Update: Troop 61786 is shifting tactics.
After recent exposure, the primary 106.120.218.0/24 range went quiet, but the PLA unit isn’t gone. We are now seeing limited, tactical activity emerging from new IPs:
🔹 106.120.218.163 🔹 106.120.217.136
They are attempting to mask their movement using random high ports, including 9996, 9998, 10002, 10006, 10007, and 1008.
Despite the attempt to pivot, their operations remain noisy and are still leaving plenty of forensic artifacts behind. 🕵️♂️💻
The bottom line: You can run, but you can’t hide.🤡🤡
#ThreatHunting #Infosec #Troop61786 #CyberSecurity #APT #PLA #MULBERRYTYPHOON #APT5
Specific connections between Troop 61786 infrastructure and targets: 149.28.211.251 to 111.206.148.116 (China Unicom) on port 8081, and 91.196.70.160 to 112.82.203.30 (China Unicom) on port 6196.
PLA Troop 61786 victims include Samsung, Zoho & banks. 🇨🇳 Exposing more of their reach this week. Uncovering the Hidden: The Digital Sleuth’s Perspective. 🔎 #ThreatReviewJournal#PLA61786
Troop 61786's China based infrastructure exposed! The group uses China Unicom and China Mobile IPs such as 111.206.148.116 and 112.26.178.171, to target globally. #MTLEAKS#MULBERRYTYPHOON#TROOP61786
Breaking news!!! Troop 61786 source IPs have been identified: 106.38.113.0/24 and 106.120.218.0/24. These China-based IPS are used by the threat actor to launch attacks. Block these ranges to protect your organization! #MTLEAKS#MULBERRYTYPHOON#TROOP61786
Are Your Own Tools Being Used Against You? 🛡️💻
Modern defenders can no longer just look for "obvious malware." Sophisticated threat actors—including groups like APT41—have mastered the art of LOLBAS (Living Off the Land Binaries and Scripts)
ValleyRAT campaigns targeting Chinese 🇨🇳 and Japanese 🇯🇵 speakers use DLL sideloading, fileless injection, and five sandbox checks to deliver a RAT that detections nearly doubled in early 2026.
Key findings:
- Attack chain: malicious email (salary/HR lure) links to a ZIP containing a legitimate VLC binary renamed to a Japanese-language EXE plus a malicious libvlc.dll. DLL sideloading executes the loader, which copies itself to C:\Users\Public\Documents\res\msword.exe and libvld.dll, then writes persistence to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\pornhub. ValleyRAT is downloaded from hxxp://154.92.16[.]22/xz.bin, RC4-decrypted with key "zenzensu", and injected into a suspended rundll32.exe via VirtualAllocEx/WriteProcessMemory. Payload never touches disk.
- Five anti-sandbox checks all gate execution: GlobalMemoryStatusEx (RAM must exceed 1 GB), GetTickCount sleep-timing (sleep must exceed 451 ms), GetSystemInfo processor count (more than 1 CPU required), IsNativeVhdBoot return value, plus junk-code obfuscation with stub functions ending in "ret".
- The ValleyRAT payload is a Donut-generated shellcode blob. IOCs: ZIP SHA1 65168c8dd93b16d3b77092fb70c0fa6fba4dffcc, encrypted payload SHA1 eca7ed7b699835fadc2c2997a2845864e02b8dfe, C2 domain frehf.oss-cn-hongkong.aliyuncs[.]com.
Hunt for rundll32.exe with no file-backed memory regions and VLC-named binaries outside Program Files.
#DFIR_Radar
The creator of Cobalt Strike left the industry in 2021, came back, and is now publishing everything he knows about evasion tradecraft openly and for free.
Tradecraft Garden separates evasion tradecraft from capability. Crystal Palace is the linker that makes it work: position-independent code, binary transformation, code and register randomization, link-time hooking, YARA rule generation from invariant instructions, and a PICO convention for reusable tradecraft modules.
The community built an entire ecosystem on top of it. Crystal Kit for Cobalt Strike, Sliver, Mythic, and Adaptix. Reflective loaders, call stack spoofing, sleep masking, module overloading. Offense and defense both benefit because every technique is published as a testable ground truth.
If you work in red teaming, detection engineering, or EDR evaluation, this is required reading.
TTPs: https://t.co/A4O6Tuh58M
Blog: https://t.co/4jb7cRpcA9
His original Red Team Ops with Cobalt Strike series is also still on YouTube. 9 parts covering the full red team operations workflow. Free. From the person who built the tool. Red Team Ops with Cobalt Strike - Operations (1 of 9): https://t.co/Jd28yWuaYs
Author: Raphael Mudge
#BlueTeam #InfoSec #RedTeam