Microsoft just confirmed CVE-2026-42897 is being actively exploited in the wild.
The target? Outlook Web Access.
No malicious link. No attachment. Just open the email.
I broke down exactly how the attack works 👇
https://t.co/DNCKVa3bQQ
⚠️ Threat intelligence is useless if it arrives late.
That is the real problem.
Not the lack of information.
The lack of operational context.
Every day we see:
• New ransomware victims published on DLS (Data Leak Sites)
• CVEs actively exploited before mitigations are even applied
• IOCs scattered across multiple sources without correlation
• Malicious infrastructure constantly rotating on TOR
• Malware reused by different actors with small variations
• Negotiations and leaks evolving in real time
And meanwhile, many teams keep consuming threat intelligence in a fragmented way.
That is why, together with my colleague Javier Marti Sanz, I created the My Threat Intel platform.
👉 https://t.co/wBiWvWeO2H
A CTI platform built to centralize, correlate and operationalize threat intelligence from a single environment.
The goal was not to build yet another dashboard.
It was to build a platform that is genuinely useful for analysts, SOCs, DFIR, threat hunters and incident response teams.
My Threat Intel currently provides:
• Monitoring of ransomware groups and leak sites
• Tracking of negotiations and actor activity
• Repository of vulnerabilities and actively exploited CVEs
• IOC correlation and telemetry
• Monitoring of TOR infrastructure and darknet markets
• Historical repository of leaks and organizational exposure
• Analysis and classification of malware samples
• Operational statistics and real-time trends
All the information in a single visual, accessible, analysis-oriented environment.
No noise.
No isolated data.
No time wasted manually correlating dozens of sources.
Because in cybersecurity, speed matters.
But the ability to understand context before the attacker does matters even more.
Feedback and suggestions are more than welcome 🤝
#CyberSecurity #ThreatIntelligence #CTI #Ransomware #ThreatHunting #BlueTeam #SOC #DFIR #OSINT #Malware #DarkWeb #IOC #IncidentResponse #CyberDefense #InfoSec #ThreatIntel #SecurityOperations #DigitalForensics #MyThreatIntel
🚨 Major Security Industry Breach 🚨
The Ransom House group has just claimed a high-profile victim within the Cybersecurity & Infosec sector in the US 🇺🇸.
The Target:
🔹 A global leader in threat detection and security orchestration.
🔹 Formed by the massive merger of two industry titans.
🔹 Annual Revenue: Exceeding $1.8 Billion.
This is a significant hit on the very industry built to protect others.
Stay updated on the latest victims and ransomware trends. Start monitoring for free:
🔗 https://t.co/1TFlJ1IuL7
#CyberSecurity #Ransomware #RansomHouse #ThreatIntel #DataBreach #Infosec #CTI
‼️ PhishLab V1, a new phishing-as-a-service panel, is allegedly being sold on a hacking forum, marketed as undetected and capable of bypassing 2FA across major platforms.

‣ Threat Actor: PHISHLAB
‣ Category: Phishing Kit / Malware-as-a-Service
‣ Product: PhishLab V1
‣ Industry: Cybercrime / Credential Theft

The actor is advertising a phishing panel that captures credentials, 2FA codes, and session cookies in real time, with Telegram notifications and one-click cookie import. The kit targets banks, crypto exchanges, payment processors, retailers, and social platforms across more than 17 active modules with 10+ unique domains per module. Pricing is set at $759 first month and $250 monthly thereafter.

What's advertised:

▪️ Real-time credential and 2FA capture
▪️ Telegram notifications on victim login
▪️ One-click cookie import for instant session takeover
▪️ Bypass for all 2FA types
▪️ 10+ unique domains per module with 24/7 updates
▪️ Crypto modules: OKX, Bybit, Binance, Coinbase
▪️ Banking modules: Chase, BoA, Wells Fargo, Citi
▪️ Payment modules: PayPal, Stripe (Venmo and Cash App in testing)
▪️ Shopping modules: Amazon, Walmart, eBay, Target
▪️ Social modules: Instagram, Facebook, WhatsApp, TikTok
▪️ 15+ additional modules in pending/testing phase
RMM hunting is one of those areas where defenders get stuck because the answer is rarely “just block it.”
On a day-to-day basis, from the intrusions we see, ScreenConnect, Splashtop, AnyDesk, and RustDesk are some of the most abused RMMs.
All of these can be legitimate. All of these are also regularly abused.
That makes them annoying to detect, especially if you work in an MSSP or an environment where remote admin tooling is everywhere.
But there is a useful hunting angle here.
ScreenConnect is still one of the most common by far. A pattern I’ve noticed recently is threat actors installing multiple ScreenConnect clients on the same host with different profile configurations, each connecting to different domains.
That looks a lot like access staging or access resale.
The interesting part is that this creates artifacts defenders can hunt for.
In the first screenshot, you can see how different ScreenConnect installation profiles would look. In this case, the pattern is basically "ScreenConnect Client" followed by a random unique 16-character alphanumeric value.
That is a very useful hunting signal.
Red flags:
- Multiple ScreenConnect profiles on one host
- Multiple ScreenConnect installations
- Installs under both C:\Program Files*\ and AppData
- Different configured remote domains
- Suspicious or unexpected system.config files
The system.config file is especially useful. It exists inside the ScreenConnect installation directory and can expose the domain and certificate information used by the client to connect back to the remote server.
This is the main point:
Don’t hunt only for the presence of RMM, hunt for RMM drift.
Unexpected profiles -> unexpected paths -> unexpected domains -> unexpected configs.
That is where RMM abuse starts becoming visible.
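The red flags above reduce to a per-host check that can be scripted against an endpoint inventory. The following is an added example, not code from the original post and not ConnectWise's own tooling: it takes a constructed inventory of ScreenConnect install directories plus their system.config text, extracts the 16-character profile identifier from the directory name, classifies the install location, pulls any scheme://host values out of the config (the ServiceUri setting name and the XML layout in the samples are assumptions, so the host extraction is deliberately schema-agnostic), and flags hosts showing the drift pattern: multiple installs or profiles, installs under both Program Files and AppData, more than one remote domain, or a domain outside an assumed approved list.

```python
"""Hunt for ScreenConnect 'RMM drift' across a host inventory.

Added example, not from the original post.  INVENTORY and APPROVED_DOMAINS are
CONSTRUCTED sample data; the system.config layout (a URI inside an XML value)
is an assumption, so remote hosts are pulled out with a generic URL regex
rather than by a fixed element name.
"""
import re
from collections import defaultdict

# Profile naming pattern described in the post: "ScreenConnect Client (<16 alphanumerics>)"
PROFILE_RE = re.compile(r"ScreenConnect Client \(([A-Za-z0-9]{16})\)")
# Any scheme://host[:port] inside the config text (relay:// or https:// style URIs)
HOST_RE = re.compile(r"[a-z][a-z0-9+.-]*://([A-Za-z0-9.-]+)(?::\d+)?", re.IGNORECASE)

# Constructed sample inventory: (hostname, install_dir, system.config text)
INVENTORY = [
    ("WS-FINANCE-01",
     r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6a7b8)",
     '<setting name="ServiceUri"><value>relay://support.corp-it.example:8041/</value></setting>'),
    ("WS-SALES-07",
     r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6a7b8)",
     '<setting name="ServiceUri"><value>relay://support.corp-it.example:8041/</value></setting>'),
    ("WS-SALES-07",
     r"C:\Users\jdoe\AppData\Local\ScreenConnect Client (zz9y8x7w6v5u4t3s)",
     '<setting name="ServiceUri"><value>relay://instance-x7q2.screenconnect.example:8041/</value></setting>'),
    ("WS-SALES-07",
     r"C:\Program Files (x86)\ScreenConnect Client (q1w2e3r4t5y6u7i8)",
     '<setting name="ServiceUri"><value>https://rmm-helpdesk.example/</value></setting>'),
]

# Assumed: the organization's own ScreenConnect instance is the only approved relay
APPROVED_DOMAINS = {"support.corp-it.example"}


def parse_install(install_dir, config_text):
    """Return (profile_id, location_class, set_of_remote_hosts) for one install."""
    m = PROFILE_RE.search(install_dir)
    profile = m.group(1) if m else None
    low = install_dir.lower()
    if "\\appdata\\" in low:
        location = "appdata"
    elif "\\program files" in low:
        location = "programfiles"
    else:
        location = "other"
    hosts = {h.lower() for h in HOST_RE.findall(config_text)}
    return profile, location, hosts


def hunt(inventory, approved=APPROVED_DOMAINS):
    """Group installs per host and emit the red flags listed in the post."""
    per_host = defaultdict(list)
    for host, path, cfg in inventory:
        per_host[host].append(parse_install(path, cfg))
    findings = {}
    for host, installs in per_host.items():
        flags = []
        profiles = {p for p, _, _ in installs if p}
        locations = {loc for _, loc, _ in installs}
        domains = set().union(*(h for _, _, h in installs))
        if len(installs) > 1:
            flags.append("multiple_installs")
        if len(profiles) > 1:
            flags.append("multiple_profiles")
        if {"programfiles", "appdata"} <= locations:
            flags.append("programfiles_and_appdata")
        if len(domains) > 1:
            flags.append("multiple_remote_domains")
        if domains - approved:
            flags.append("unapproved_domain")
        if flags:
            findings[host] = {"flags": flags,
                              "profiles": sorted(profiles),
                              "domains": sorted(domains)}
    return findings


if __name__ == "__main__":
    for host, f in hunt(INVENTORY).items():
        print(host, f["flags"], f["domains"])
```

Run as-is, WS-SALES-07 is flagged on every red flag while WS-FINANCE-01 stays quiet. In practice the inventory would come from EDR file, service or registry telemetry and the approved set from the organization's own ScreenConnect instance; the point is that a second profile id, a second install path or a second relay host on one machine is the signal, not the mere presence of the client.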
🚨LAPSUS$ Revives Insider Recruitment Campaign Targeting Telecom, Tech, and AI Firms 🚨
The threat actor group LAPSUS$ has resurfaced with a renewed insider recruitment campaign, actively seeking employees from major telecom, technology, and AI organizations. The group is offering financial incentives in exchange for internal access, specifically targeting VPN/VDI credentials, Citrix sessions, remote access tools such as AnyDesk, or any foothold into corporate networks. Unlike traditional data breach operations, the campaign explicitly emphasizes gaining initial access through insiders rather than purchasing datasets. Targeted sectors reportedly include telecom providers, large software and gaming companies, AI firms, and call center/BPO environments.
#LAPSUS #InsiderThreat #CyberSecurity #ThreatIntelligence
Most traders mark Volume Profile levels but don’t know how to trade them.
Here’s the edge 👇
Daily + Session Volume Profile: Mark Previous Day POC = equilibrium, VAH = premium, VAL = discount. These are your reaction zones.
Add Session Profile (Tokyo/London): look for alignment VAH/VAL with PD levels, POC forming at key zones. That’s your trade location.
Wait for confirmation, no blind entries: look for a break, rejection, or structure shift.
Bearish example: PD POC acts as resistance, rejection at VAH, London breaks down. ✅ Entry: after shift 🎯 Target: VAL.
Key insight: PD levels are institutional decision zones. When session volume builds there, you're reading intent, not guessing. Stop chasing price.
Start trading levels.
‼️ A threat actor is allegedly selling a React2Shell exploitation toolkit on a popular cybercrime forum, pitched as a way to mass-scan, exploit, and dump databases from vulnerable React-based servers.

‣ Threat Actor: unico
‣ Category: Illicit Service / Exploitation Toolkit
‣ Victim: React2Shell-vulnerable web servers
‣ Industry: Malware / Exploit Tooling

The actor describes the toolkit as a full RCE against vulnerable targets, claiming thousands of sites are still unpatched. It is pitched as useful for creating dumps, harvesting industry-grade API keys, SMTPs, and payment data (such as Stripe keys), and infecting x86 web servers.

What's offered:

▪️ Script to scan for React2Shell vulnerable sites (mass internet scanning)
▪️ Script to produce a "pseudo-shell" for manual recon and command execution
▪️ Script to automatically exfiltrate .env files, API keys, and other data
▪️ Script to automatically dump databases from compromised servers

Use cases:

▪️ Creating custom data dumps
▪️ Harvesting API keys, SMTP credentials, payment keys (Stripe, etc.)
▪️ Infecting x86 web servers

Pricing:

▪️ $750 without updates
▪️ $1,000 with updates
Do you understand what just got open-sourced?
A BLOOMBERG TERMINAL. FOR FREE.
No $24,000 subscription. No API costs. 100% local on your machine.
The data moat is real. The software moat is dead. That is the point.
Bookmark this. Install it right now. Takes ten minutes.