SandGuard v3.0.0 is here.
This is probably the biggest update since the project started.
Until now, SandGuard focused on extracting and displaying static analysis data. Useful, but often requiring analysts to manually connect the dots.
SandGuard v2.16.0
Linux support is now here.
We’ve added a full ELF analysis module with deep inspection capabilities, including:
– ELF structure parsing
– Packing detection
– Embedded payload detection
– Entropy analysis
– Section & segment inspection
⚠️ Threat intelligence is useless if you arrive late.
That is the real problem.
Not the lack of information.
The lack of operational context.
Every day there appear:
• New ransomware victims published on DLS (Data Leak Sites)
• CVEs actively exploited even before mitigations are applied
• IOCs distributed across multiple sources without correlation
• Malicious infrastructure constantly rotating on TOR
• Malware reused by different actors with small variations
• Negotiations and leaks evolving in real time
And meanwhile, many teams keep consuming threat intelligence in a fragmented way.
That is why, together with my colleague Javier Marti Sanz, I have created the My Threat Intel platform.
👉 https://t.co/wBiWvWeO2H
A CTI platform developed to centralize, correlate and operationalize threat intelligence from a single environment.
The goal was not to create yet another dashboard.
It was to build a platform that is genuinely useful for analysts, SOCs, DFIR, Threat Hunters and incident response teams.
My Threat Intel currently allows:
• Monitoring of ransomware groups and leak sites
• Tracking of negotiations and actor activity
• Repository of vulnerabilities and actively exploited CVEs
• IOC correlation and telemetry
• Surveillance of TOR infrastructure and darknet markets
• Historical repository of leaks and organization exposure
• Analysis and classification of malware samples
• Operational statistics and real-time trends
All the information in a single visual environment, accessible and analysis-oriented.
No noise.
No isolated data.
No time wasted manually correlating dozens of sources.
Because in cybersecurity, speed matters.
But the ability to understand the context before the attacker does matters even more.
Feedback and suggestions are more than welcome 🤝
#CyberSecurity #ThreatIntelligence #CTI #Ransomware #ThreatHunting #BlueTeam #SOC #DFIR #OSINT #Malware #DarkWeb #IOC #IncidentResponse #CyberDefense #InfoSec #ThreatIntel #SecurityOperations #DigitalForensics #MyThreatIntel
Came across a very recent sample shared in public CTI, tied to a campaign likely linked to Patchwork / APT-Q-36.
I pulled it, ran it through SandGuard, and used it as a quick way to look beyond the hash and get a clearer view of the activity around it.
SandGuard v2.9.0 just got a lot more practical.
We’ve added a new IOC Pivot module: when an analysis extracts indicators like IPs, domains or hashes, they now appear with ready-to-use links to platforms such as VirusTotal, GreyNoise, AbuseIPDB, Shodan and others.
Microsoft Threat Intelligence has attributed the Axios npm supply chain attack to North Korean state actor Sapphire Sleet. Malicious npm packages for updated versions of Axios (1.14.1 and 0.30.4) downloaded payloads from command and control attributed to Sapphire Sleet. https://t.co/kTKCHm9uZB
Organizations affected by this attack are urged to roll back to safe versions (1.14.0 or 0.30.3 or earlier), rotate secrets and credentials that are exposed to compromised systems, and disable auto-updates. Our latest blog has our analysis of the attack, additional mitigation recommendations, and Microsoft Defender detection and hunting guidance:
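A lockfile check for the two affected versions named in the advisory above, added here as an example; it is not Microsoft's or the Axios project's tooling. It assumes a standard npm package-lock.json (lockfileVersion 1, 2 or 3) and constructs a sample lockfile inline so it runs offline:

```python
import json
from typing import Iterator

# Versions named in the advisory above (constructed check, not Microsoft's tooling).
MALICIOUS_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}

def find_axios_installs(lockfile: dict) -> Iterator[tuple[str, str]]:
    """Yield (install path, version) for every axios entry in a package-lock.json.

    Handles lockfileVersion 2/3 ("packages" map keyed by install path) and
    lockfileVersion 1 ("dependencies" tree, nested via "dependencies").
    """
    packages = lockfile.get("packages")
    if packages:
        for path, meta in packages.items():
            # Paths look like "node_modules/axios" or "node_modules/foo/node_modules/axios".
            if path == "node_modules/axios" or path.endswith("/node_modules/axios"):
                yield path, meta.get("version", "")
        return

    def walk(deps: dict, prefix: str):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "axios":
                yield path, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lockfile.get("dependencies", {}), "")

def flag_compromised(lockfile: dict) -> list[str]:
    """Return the install paths whose axios version is one of the malicious releases."""
    return [p for p, v in find_axios_installs(lockfile) if v in MALICIOUS_AXIOS_VERSIONS]

# Constructed sample lockfile: a clean direct dependency plus a compromised nested one.
SAMPLE_LOCK_V3 = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/axios": {"version": "1.14.0"},
    "node_modules/some-sdk": {"version": "2.0.0"},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"}
  }
}""")

if __name__ == "__main__":
    for path in flag_compromised(SAMPLE_LOCK_V3):
        print("compromised axios at", path)
```

Nested installs matter here because a transitive dependency can pull in the malicious release even when the top-level axios is pinned to a safe version.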
🚨 CRITICAL THREAT ALERT: NUCLEAR SCADA SYSTEM COMPROMISE 🚨
🏢 Victim: Golfech Nuclear Power Plant (NPP) - Unit 2
👤 Threat Actor: Apollon / MONARCH (Russian-affiliated)
🗓️ Date: 2026-03-12
🇫🇷 Country: France
The threat organization "MONARCH" has released visual evidence of unauthorized access to the Golfech Nuclear Power Plant in France. The actor, "Apollon," claims they have bypassed security to gain full control over the secondary coolant loop. Screenshots show a SIEMENS HMI (Human-Machine Interface) panel for Unit 2, as well as evidence of lateral movement within the SCADA-02 operator network and the execution of PowerShell scripts on internal systems.
The visual proof includes internal IP addresses and server logs from GOLFECH-SCADA-02. Infrastructure security teams must immediately audit all SIEMENS HMI interfaces and monitor for unauthorized logins in ICS/SCADA environments.
Monitor:
https://t.co/wk9bZJ2Nli
#ThreatIntel #CyberSecurity #France #NuclearSecurity #Golfech #SCADA #ICS #InfoSec #CriticalInfrastructure #MonarchAttack
The cybercriminal threat actor tracked by Microsoft Threat Intelligence as Storm-2561 is running an SEO-poisoning campaign that redirects people searching for enterprise VPN software to spoofed sites and malicious ZIP downloads leading to credential theft. https://t.co/KzTN7J6Rck
The ZIP file contains a malicious, digitally signed installer that masquerades as a trusted VPN client. The attack chain ultimately loads a variant of Hyrax infostealer that captures VPN sign-in credentials and VPN configuration data, and exfiltrates it to attacker infrastructure.
Read the full Microsoft Defender Experts analysis of the tactics, techniques, and procedures (TTPs) and indicators of compromise of this Storm-2561 campaign, and get protection, detection, and hunting guidance:
This is really cool. I like this code, proof-of-concept, and paper A LOT.
Basically he is modifying the raw bytes of .LNK files (Windows shortcuts) to make them perform malicious actions while also operating correctly as a .LNK file. When examined by the user they will appear completely legitimate, but they are not.
This is really, really, really cool. This is a great malware technique. I can't recall the last time I read anything on .LNK files being abused in this manner. Historically they're "hijacked", not modified at the byte level.
My only criticism is he wrote this proof-of-concept in Python (not C or C++, like a gangster).
Excellent work.
Microsoft Defender researchers observed attackers using yet another evasion approach to the ClickFix technique: asking targets to run a command that executes a custom DNS lookup and parses the `Name:` response to receive the next-stage payload for execution.
WSL2 is a powerful attacker hideout because it runs as a separate Hyper-V VM, and defenders rarely monitor it.
Daniel Mayer explains how attackers pivot into WSL2 and what it took to build tooling that works across WSL2 versions.
Read more ⤵️ https://t.co/TaPsDDW4Cq