Pankaj Kamble

🚨 Qilin Activity Spike Detected Qilin has published a wave of 10+ new victims in a short period of time. A clear pattern is emerging: most victims belong to the legal sector, with the majority based in the United States. The activity may indicate a potential supply chain-related incident affecting multiple organizations. Qilin remains one of the most active ransomware groups, with more than 1,500 victims claimed overall. 🔎 Track Qilin activity with us: https://t.co/1TFlJ1IuL7 #Qilin #Ransomware #CyberSecurity #ThreatIntel #LegalSector #DataBreach

ClickFix just leveled up. One user-pasted command now drops scheduled task persistence + PySoxy (a 10-year-old open-source Python SOCKS5 proxy) for encrypted backup access. Blocking the first C2? Doesn’t stop it — the task keeps retrying for hours. Read: https://t.co/YYKwKrR2Qz

🚨PHISHING ALERT: AI-Powered "Vibe Coding" Phish via Evernote 🚨 KnowBe4 ThreatLabs is tracking an active campaign exploiting Evernote’s legitimate infrastructure to deliver high-fidelity Microsoft credential harvesters. This attack highlights a shifting landscape: threat actors are now leveraging Base44, an AI "vibe coding" platform, to build sophisticated phishing pages without writing a single line of code. The Attack Flow: The Hook: Users receive a "Note shared with you" email featuring high-pressure financial lures—payment approvals, contracts, or finance reports. The Bypass: Sent from no-reply[@]mail[.]evernote[.]com, these emails sail past SPF/DKIM/DMARC authentication. The Bridge: Links lead to real share.evernote[.]com notes containing a "View Document" CTA. The AI Twist: The CTA lands on a phishing page built with Base44 AI an AI "vibe coding" platform. These pages are protected by Cloudflare bot-checks to evade sandbox detection. The Sting: A pixel-perfect M365 login screen designed to harvest credentials in real-time. Why It Works: ✓ Reputation Hijacking: Sender and initial host are legitimate Evernote domains. ✓ AI-Speed: Base44 allows attackers to spin up unique, professional-grade pages instantly. ✓ Sandbox Evasion: Multi-stage redirects hide the final payload from automated scanners. Indicators of Compromise (IOCs) ashrafreda[.]com atomicurl[.]com voice0356[.]us techformulagrayfellowshipinvestments[.]tvwpotalsources[.]vu easywaytech[.]co[.]ke enthusiastic-secure-link-go[.]base44[.]app freight-sync-link[.]base44[.]app login[.]yum[.]homes office[.]cotiviti[.]top hticybernetics[.]com[.]sharepoint[.]com/s/finance/Eba1 berenzweiglaw[.]com[.]sharepoint[.]com/:f:/s/finance/Eba1 serviceamericanreprographicscompany[.]golkppdmansachs[.]vu/ #CyberSecurity #Phishing #M365 #OAuth #KnowBe4 #ThreatIntel #HumanRisk #Evernote #AI

You clicked what you thought was an event invitation. That's all it took. Elastic Security Labs breaks down SILENTCONNECT, a newly documented loader that hides behind a Cloudflare CAPTCHA page, downloads a children's story VBScript, and silently installs ScreenConnect on your machine. Key findings: • Attack starts with a fake invitation link redirecting to a Cloudflare Turnstile page • VBScript disguised with a children's story decoy pulls C# payload from Google Drive • Compiled and executed entirely in memory via PowerShell • PEB masquerading makes it look like winhlp32.exe to fool EDRs • Active since March 2025, largely undetected until now Full analysis + YARA rules + detections: https://t.co/bJLL6fwpgx