🚨New Partnership Announcement!🚨
All students will receive enhanced access to @Validin providing improved hunting capabilities.
Upcoming training on Validin and real-life use cases for tracking threat actors is on the way, including a dedicated Discord channel for Validin.
🔥🔥🔥
Infrastructure is predominantly distributed across Flyservers S.A. hosting, but the following are also used: HOSTKEY-USA, Global Layer B.V., Bunea TELECOM SRL, DATAHOME S.A, Krez 999 Eood, Fbw Networks SAS.
We're tracking an interesting cluster linked to ShadowSyndicate that suggests the operators are involved in various initial access campaigns and leverage multiple post-exploitation techniques, tools, and ransomware.
New impersonation domains for @anydesk and @NotionHQ delivering malicious MSI packages, likely via SEO poisoning:
45.93.20[.]93 - AS 57523 (Chang Way Tech Co. Ltd)
amydlesk[.]com (0/93)
notlilon[.]co (1/93)
notliion[.]com (8/93)
Interesting recently created (2024-05-22) domain impersonating @GEHealthCare.
Resolving to 46.101.212[.]131, running #CobaltStrike server.
Using @Huntio we can see:
➡️the DNS record,
➡️Hoster: @digitalocean,
➡️Watermark: 987654321 (cracked version).
We are pleased to announce a new partnership between @Intel_Ops_io and @Huntio🤝
This partnership will provide all current and new IntelOps students with access to the https://t.co/Eg9NvZTAAW platform.
Students will learn to use the platform effectively for exploring new pivoting methods and hunting for malicious infrastructure, including new C2s🥷, APTs 🇮🇷 🇰🇵 🇷🇺 🇨🇳 and ransomware groups 🔐
Cybersecurity "experts" be like... APTs in 2024 will be using Artificial Intelligence to create undetectable malware, payloads, zero-day exploits, cyber weapons, and probably some cyber nuclear bombs too🥱
Meanwhile, APTs (Muddy Water 🇮🇷) in 2024 🙃
This one is a good example of how infrastructure is reused by different actors.
216.189.159[.]34 - BianLian Ransomware💰
216.189.159[.]34 - North Korean APT 🇰🇵
New feature now available to premium AND community users! Per popular request, Validin now supports pivoting of certificate SHA256 hashes in addition to SHA1. This pivot makes it easier to continue searches from or on other platforms that favor SHA256.
🚨Hunting Black Basta's Cobalt Strike🧵
Intel-Ops is actively tracking #CobaltStrike servers in the wild, including those deployed by #BlackBasta. In this post, we’ll cover some findings from our analysis of #C2 servers included in the FBI/CISA advisory.
https://t.co/60ztY1XWOn
To conduct similar analysis and track threats such as these, we offer students a "Hunting Adversary Infrastructure" course: https://t.co/OThBByfNpr - students gain special Intel-Ops accounts for the @ValidinLLC platform (additional query and API credits) to help with learning.