PacketWatch utilizes packet-level network analysis and proactive human-based threat hunting to find risks that conventional cybersecurity tools may miss.
While hunting for anomalous RMMs in a healthcare organization, #TeamSixty43 identified #ScreenConnect traffic from an unmanaged endpoint. We immediately kicked off an investigation, as rogue RMMs are almost never a good thing and are often leveraged by various criminal actors, such as #ransomware groups. Forensic analysis of the device revealed that the user had fallen for a fake IRS-themed phishing attack.
Based on Team Sixty43’s analysis, this was most likely an Initial Access Broker who was quietly and slowly staging. They brought in tools such as #HideUL to hide evidence of their presence, and deleted event logs, tools, and parts of the browser's history.
Criminal operators do not need exploits, AI, or fancy tactics. They exploit the obvious gaps in security: unmanaged devices, tight IT budgets, and social engineering.
And traditional controls alone are no longer sufficient.
- Firewalls do not block #RMM traffic by default.
- Network logs only capture a fraction of your network's data.
- EDRs often fail to alert on rogue RMM activity because the same RMM tools are legitimately used by IT teams, so they are typically allowlisted or treated as benign.
- Email filters let phishing emails through when they arrive from trusted vendors.
You need to control which RMMs are allowed to run in your environment and monitor the network for signs of rogue RMMs.
Only proactive threat hunting using Full Packet Capture can identify the subtle signs of these risks before they reach their endgame. Team Sixty43 used PacketWatch platform data to identify the suspicious ScreenConnect traffic, pinpoint the source hostname of the unmanaged device, and retroactively hunt for signs of lateral movement, all within minutes.
Below are the IOCs our team collected from the incident. Your team can use these to hunt for this threat in your environment, too.
+++ IOCs +++
store-na-phx-1.gofile[.]io (download link for ScreenConnect)
pub-e468619e47134d1e942f5a4c5dba818b.r2[.]dev (download URL for ScreenConnect)
superops-wininstaller-prod.s3.us-east-2.amazonaws[.]com (SuperOps download link)
acosigin[.]cc (phishing link)
instance-sr3d21-relay.screenconnect[.]com (ScreenConnect Relays)
relay.gnmstechome[.]top (ScreenConnect Relays)
relay.sslenfftechio[.]top (ScreenConnect Relays)
+++
#threathunting #dfir #cybersecurity #informationsecurity #threatintelligence #networksecurity
From Andy O. on PacketWatch's #TeamSixty43:
Happy Friday! I wanted to share a quick threat-hunting tip: hunt for cleartext LDAP in your networks. One of the best ways to do this is by using Full Packet Capture.
Using PacketWatch's FPC session data, you can run the query "ldap.authtype:simple". What this does is look for the value "simple" in LDAP authentication. In LDAP, simple authentication is, if you will, simply authenticating by sending the LDAP server your FQDN and your password... in cleartext.
You might say "wow, that's crazy, why would anyone ever do that?" That's the thing, every time I run this hunt and find cleartext LDAP credentials in simple authentication, the client's IT and security teams are never aware of it. When I pull up PacketWatch or Wireshark to show them the password of a domain admin account, they are always shocked. "We never knew this system was doing this..."
Based on Team Sixty43's research and data from the hunts we have run, these simple LDAP authentications are often caused by bad default configurations for firewall LDAP integrations to Active Directory. Many firewalls can use LDAP to do user lookups to help authenticate users via VPN. There are many issues with this alone, but there are reasons organizations choose this, which is a different subject. And, based on our findings, it is every major firewall vendor - PAN, SonicWall, Fortinet, Cisco, etc.
Outside of insecure default configurations of firewalls/VPNs, we also see it when other LDAP integrations are not properly secured, like IT management systems and AD management software.
And, in almost every case, they are leaking domain admin credentials or service accounts with DA.
The fix for this is enforcing LDAPS, or at minimum, SASL authentication for LDAP. The implementation varies per vendor unfortunately.
This is absolutely a goldmine for threat actors. Why dump LSASS when the network has DA creds floating in it? This is why when clients onboard at PacketWatch, we run a full security assessment to find critical issues like cleartext LDAP and fix them ASAP.
If you want to see if your network is leaking credentials in cleartext LDAP, or has other hidden vulnerabilities, please hit us up at PacketWatch! We can run a Network Security Assessment and give you full network visibility with our Rapid Response Assurance!
#threathunting #cybersecurity #networksecurity #informationsecurity #dfir #passwords
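To make concrete what a query like ldap.authtype:simple is matching on the wire, here is an added Python example (not PacketWatch's code and not Andy's query engine) that encodes LDAP BindRequests per RFC 4511, decodes them, and reports the simple binds that carry a password. The session tuples, DNs and password are constructed for the example; the hunt function's interface (source, destination, port, first client payload) is an assumption about how you would feed it from a capture.

```python
# BER tags that appear in an LDAP BindRequest (RFC 4511, section 4.2).
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
APP_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80        # AuthenticationChoice [0] simple: an OCTET STRING holding the password
AUTH_SASL = 0xA3          # AuthenticationChoice [3] sasl: SEQUENCE { mechanism, credentials }


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def bind_request(msg_id, dn, password=None, sasl_mechanism=None, sasl_credentials=b""):
    """Build a BindRequest: a password gives a simple bind, a mechanism gives a SASL bind.
    messageID is kept below 128 so it fits in one INTEGER byte."""
    if sasl_mechanism is not None:
        auth = tlv(AUTH_SASL, tlv(OCTET_STRING, sasl_mechanism.encode())
                   + tlv(OCTET_STRING, sasl_credentials))
    else:
        auth = tlv(AUTH_SIMPLE, (password or "").encode())
    bind = tlv(APP_BIND_REQUEST, tlv(INTEGER, b"\x03") + tlv(OCTET_STRING, dn.encode()) + auth)
    return tlv(SEQUENCE, tlv(INTEGER, bytes([msg_id])) + bind)


def read_tlv(buf: bytes, pos: int):
    """Decode one tag-length-value at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:                       # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind(pkt: bytes):
    """Return the bind's DN and auth type, or None if pkt is not an LDAP BindRequest."""
    try:
        tag, msg, _ = read_tlv(pkt, 0)
        if tag != SEQUENCE:
            return None          # TLS records, or anything that is not an LDAPMessage
        _, _msg_id, p = read_tlv(msg, 0)
        tag, bind, _ = read_tlv(msg, p)
        if tag != APP_BIND_REQUEST:
            return None          # search, modify, StartTLS extended request, etc.
        _, _version, p = read_tlv(bind, 0)
        _, dn, p = read_tlv(bind, p)
        tag, auth, _ = read_tlv(bind, p)
        if tag == AUTH_SIMPLE:
            return {"authtype": "simple", "dn": dn.decode(),
                    "password": auth.decode(errors="replace")}
        if tag == AUTH_SASL:
            _, mech, _ = read_tlv(auth, 0)
            return {"authtype": "sasl", "dn": dn.decode(), "mechanism": mech.decode()}
    except (IndexError, UnicodeDecodeError):
        pass
    return None


def hunt_cleartext_binds(sessions):
    """sessions: (src, dst, dst_port, first client payload). Returns simple binds that carry a
    password. Empty-password simple binds are anonymous/unauthenticated and leak nothing, and
    port 636 carries TLS, so neither is reported."""
    findings = []
    for src, dst, port, payload in sessions:
        if port == 636:
            continue
        info = parse_bind(payload)
        if info and info["authtype"] == "simple" and info["password"]:
            findings.append({"src": src, "dst": dst, "dn": info["dn"], "password": info["password"]})
    return findings


# Constructed sessions (not captured traffic): a firewall's LDAP user-lookup bind, a Kerberos
# (GSS-SPNEGO) SASL bind, an anonymous bind, and an LDAPS session whose first bytes are TLS.
SAMPLE_SESSIONS = [
    ("10.0.0.1", "10.0.0.10", 389, bind_request(
        1, "CN=svc-vpn-ldap,OU=Service Accounts,DC=corp,DC=local", password="Sp00kyP@ss!")),
    ("10.0.5.21", "10.0.0.10", 389, bind_request(
        2, "", sasl_mechanism="GSS-SPNEGO", sasl_credentials=b"\x60\x00")),
    ("10.0.5.22", "10.0.0.10", 389, bind_request(3, "", password="")),
    ("10.0.0.2", "10.0.0.10", 636, b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    for f in hunt_cleartext_binds(SAMPLE_SESSIONS):
        print(f"{f['src']} -> {f['dst']} simple bind as {f['dn']} password={f['password']!r}")
```

Only the first session is reported: the SASL bind carries a Kerberos token rather than a password, the anonymous bind carries nothing, and the LDAPS session is opaque. Two caveats for a real capture: a client that does StartTLS on port 389 sends the bind after the TLS handshake, so it will parse as an extended request and (correctly) not be flagged; and the finding holds the actual password, so treat the hunt output as credential material.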
PacketWatch's #TeamSixty43 has detected a new #ClickFix campaign. This campaign lures victims in with a #FakeCaptcha to solve that tricks the user into running a malicious PowerShell script that installs #Vidar Stealer onto the victim's machine.
Below is a list of #IOCs our team has recovered from these incidents. It is recommended to block these domains.
If you are a #PacketWatch client, rest assured that our threat hunt team has run hunts to identify any sign of this campaign in your environment.
+++ IOCs +++
FakeCaptcha > Vidar
Windows Terminal > PowerShell > [random characters].exe
pohuimne[.]lol (payload)
noscalpelvasectomy[.]com (FakeCaptcha)
productionmaza[.]cfd (C2)
prokladka[.]lol (payload)
dtc.victorramarisimobiliaria[.]com[.]br (C2)
+++
#threathunting #dfir #cybersecurity #informationsecurity #threatintelligence
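The "Windows Terminal > PowerShell > [random characters].exe" indicator above is a process chain, and the natural way to hunt it is on endpoint process-creation telemetry rather than DNS. The following is an added Python example, not PacketWatch's detection content: it reconstructs process ancestry from constructed Sysmon-style process-creation events and reports that chain when the final stage is a random-looking executable in a user-writable path. It also accepts pwsh.exe as the PowerShell stage, which the post does not mention; the events, paths and user names are made up for the example.

```python
import re

# Process-creation events (Sysmon Event ID 1 style), constructed for this example.
WT = r"C:\Users\jdoe\AppData\Local\Microsoft\WindowsApps\WindowsTerminal.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 50,  "ppid": 1,   "image": r"C:\Windows\explorer.exe",                      "user": "CORP\\jdoe"},
    # ClickFix-style chain: terminal -> PowerShell -> dropped binary in %TEMP%
    {"pid": 100, "ppid": 50,  "image": WT,                                              "user": "CORP\\jdoe"},
    {"pid": 200, "ppid": 100, "image": PS,                                              "user": "CORP\\jdoe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\jdoe\AppData\Local\Temp\x9k2mq7d.exe", "user": "CORP\\jdoe"},
    # An admin doing normal work: same parents, but the child is a signed system binary.
    {"pid": 400, "ppid": 50,  "image": WT,                                              "user": "CORP\\jdoe"},
    {"pid": 500, "ppid": 400, "image": PS,                                              "user": "CORP\\jdoe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\whoami.exe",               "user": "CORP\\jdoe"},
    # Random-named temp binary, but launched via cmd.exe: not the chain in this IOC list.
    {"pid": 700, "ppid": 50,  "image": r"C:\Windows\System32\cmd.exe",                  "user": "CORP\\jdoe"},
    {"pid": 800, "ppid": 700, "image": PS,                                              "user": "CORP\\jdoe"},
    {"pid": 900, "ppid": 800, "image": r"C:\Users\jdoe\AppData\Local\Temp\qp3v8nz1.exe", "user": "CORP\\jdoe"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Deliberately loose name check; the user-writable path and the parent chain carry the weight.
RANDOM_EXE_RE = re.compile(r"^[a-z0-9]{6,20}\.exe$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\[^\\]+\\Downloads\\|\\Temp\\", re.IGNORECASE)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def build_index(events):
    return {e["pid"]: e for e in events}


def ancestry(index, pid, max_depth=8):
    """Image basenames from the process up through its parents, nearest first.
    Stops at a missing parent, a PID reuse loop, or max_depth."""
    chain, seen = [], set()
    while pid in index and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return chain


def looks_dropped(image: str) -> bool:
    """Random-looking executable name living somewhere the user can write."""
    return bool(RANDOM_EXE_RE.match(basename(image))) and bool(USER_WRITABLE_RE.search(image))


def hunt_clickfix_chain(events):
    """Report processes whose ancestry is Windows Terminal > PowerShell > dropped binary."""
    index = build_index(events)
    hits = []
    for e in events:
        if not looks_dropped(e["image"]):
            continue
        chain = ancestry(index, e["pid"])
        if len(chain) >= 3 and chain[1] in POWERSHELL and chain[2] == "windowsterminal.exe":
            hits.append({"pid": e["pid"], "user": e["user"], "image": e["image"],
                         "chain": " > ".join(reversed(chain[:3]))})
    return hits


if __name__ == "__main__":
    for h in hunt_clickfix_chain(EVENTS):
        print(f"pid {h['pid']} {h['user']}: {h['chain']}  ({h['image']})")
```

Only pid 300 is reported. The whoami.exe child is excluded by the path check, not the name pattern (which is loose on purpose), and the cmd.exe-rooted chain is excluded because this hunt is scoped to the exact chain in the IOC list; if you want the broader "PowerShell spawned a random binary from %TEMP%" signal, drop the chain[2] condition and expect more triage.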
"In the race to get systems back online after a #ransomware incident, organizations tend to 'jump the gun.' But remember, Eradication comes before Recovery in the SANS Incident Response (IR) Framework," says PacketWatch CEO Chuck Matthews.
https://t.co/CPC8jV4HBt
🤖 Does your organization have an #AI Use Policy? Senior GRC Advisor Todd Welfelt explores the real risks of Artificial Intelligence platforms like #ChatGPT and other #LLM tools and how organizations can protect themselves: https://t.co/8WQ9ECEucI