We have started posting sample preprocessing analyses of threat reports from our Report Hub, showcasing results from one of the first stages of our multi-stage engine. If you have any suggestions for tweet format improvement, please send us a message.
#threatreport#MediumCompleteness
Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign | 03-06-2026
Source: https://t.co/ZOW3uUl7F6
Key details below ↓
💀Threats:
Miasma, Credential_stealing_technique, Supply_chain_technique, Blight_botnet, Obfusnpmjs, Shai-hulud,
🎯Victims: Software development, Cloud services, Open source package ecosystem, Continuous integration and continuous delivery environments, Developer systems
📚TTPs:
⚔️Tactics: 6
🛠️Technics: 0
🧨IOCs:
- File: 12
- Registry: 4
- IP: 2
- Hash: 6
💽Software: Microsoft Defender, HashiCorp Vault, Kubernetes, Linux, macOS, sudo, anthropic, claude, chrome, Microsoft Defender for Endpoint, ...
🔢Algorithms: aes, pbkdf2, zip, xor, sha256
🔠Functions: eval
📜Programming Languages: javascript
💻Platforms: x64, arm
#threatreport:
The recent npm supply chain attack targeting the @redhat-cloud-services scope involves 32 maliciously modified packages that were distributed through a compromised Continuous Integration/Continuous Delivery (CI/CD) pipeline associated with RedHatInsights. The attackers managed to utilize the legitimate GitHub Actions publishing workflow to introduce trojanized packages that had authentic provenance signatures. The malware, identified as part of the Miasma campaign, employs obfuscation techniques and executes via a preinstall hook during the npm install process, facilitating automatic execution without user interaction.
Upon installation, npm's preinstall hook runs the obfuscated 4.29 MB dropper script. The dropper peels off several decoding layers (ROT-style character substitution, then AES-128-GCM decryption) before downloading the Bun JavaScript runtime, which it uses to run a second-stage payload that harvests secrets from GitHub, npm and the major cloud providers (AWS, Azure and GCP). Linux is the primary target, with macOS and Windows also supported. The payload steals SSH keys and other credential material, scrapes process memory for secrets in CI/CD environments, and attempts privilege escalation, including installing a passwordless (NOPASSWD) sudo rule.
The malware is programmed to operate through a detailed attack chain, incorporating phases like environment validation, defense evasion, credential access, data exfiltration, and self-propagation by republishing compromised packages with forged provenance. The exfiltration of stolen data employs multiple command-and-control channels, notably using the victim's own GitHub repositories as a means to transmit data without attracting immediate attention. Additionally, the malware enables target propagation through repository enumeration and can trigger self-destruction mechanisms if specific conditions—such as interacting with a decoy token—are met.
The implications of the attack extend to the wider software ecosystem, enabling downstream dependencies to become compromised through stolen tokens and leading to potential further poisoning of packages. This compromises the trust in supply chain attestation frameworks, exposing a cascading risk that allows stolen credentials to grant unauthorized access to cloud environments and other sensitive resources. Microsoft has taken steps to address the issue by informing the npm team, leading to the removal of the affected packages and additional protective measures against future unauthorized publishing.
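The execution primitive the Miasma dropper relied on is ordinary npm behaviour: a package's preinstall, install, postinstall and prepare scripts run during `npm install` with no prompt. The following is an added example, not code from the report or from Red Hat or Microsoft, that audits a node_modules tree for such hooks and flags dropper-like traits (inline eval, downloaders, decoders, and an oversized or eval-driven script file behind a bare `node setup.js`). The sample tree it builds is constructed for the demo; its package names are invented and the 1 MiB size threshold is an assumption, not a published indicator.

```python
"""Audit a node_modules tree for lifecycle scripts that run on install.

Added example, not code from the report or from Red Hat or Microsoft. npm runs a
package's preinstall/install/postinstall/prepare scripts during `npm install`
with no prompt, which is the execution primitive the Miasma dropper used. This
walks a tree, lists every package declaring such a hook and flags dropper-like
traits. The sample tree is constructed for the demo; its package names are
invented and the 1 MiB size threshold is an assumption, not a published IOC.
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Traits of a hook that fetches or decodes something instead of building.
SUSPICIOUS_PATTERNS = {
    "inline_eval": re.compile(r"\beval\s*\(|new Function\s*\("),
    "inline_node": re.compile(r"\bnode\s+-e\b"),
    "downloader": re.compile(r"\b(curl|wget)\b|https?://"),
    "decoder": re.compile(r"base64|atob\s*\("),
}
LARGE_SCRIPT_BYTES = 1024 * 1024  # assumed threshold; a multi-MB "setup.js" is not a build step
NODE_FILE_RX = re.compile(r"\bnode\s+([\w./-]+\.js)\b")


def inspect_package(pkg_json: Path) -> list[dict]:
    """Return one finding per lifecycle hook declared in a package.json."""
    data = json.loads(pkg_json.read_text(encoding="utf-8"))
    scripts = data.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        flags = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd)]
        # For "node <file>.js", also look at the script file the hook points to.
        m = NODE_FILE_RX.search(cmd)
        if m:
            target = pkg_json.parent / m.group(1)
            if target.is_file():
                if target.stat().st_size >= LARGE_SCRIPT_BYTES:
                    flags.append("oversized_script")
                if "eval(" in target.read_text(encoding="utf-8", errors="ignore"):
                    flags.append("eval_in_file")
        findings.append({"package": data.get("name", "?"), "hook": hook,
                         "command": cmd, "flags": flags})
    return findings


def audit_tree(root: Path) -> list[dict]:
    """Every lifecycle hook under root, suspicious or not: the reviewer decides."""
    out: list[dict] = []
    for pkg_json in sorted(root.rglob("package.json")):
        out.extend(inspect_package(pkg_json))
    return out


def build_sample_tree(base: Path) -> Path:
    """Constructed node_modules: one quiet package, one with a dropper-like preinstall."""
    scope = base / "node_modules" / "@example-scope"
    quiet = scope / "tidy-lib"
    quiet.mkdir(parents=True)
    (quiet / "package.json").write_text(json.dumps({
        "name": "@example-scope/tidy-lib", "version": "1.0.0",
        "scripts": {"test": "node test.js"},           # not a lifecycle hook
    }))
    loud = scope / "shiny-widgets"
    loud.mkdir()
    (loud / "package.json").write_text(json.dumps({
        "name": "@example-scope/shiny-widgets", "version": "2.3.1",
        "scripts": {"preinstall": "node setup.js", "build": "tsc"},
    }))
    # Oversized, eval-driven "setup" script standing in for an obfuscated dropper.
    (loud / "setup.js").write_text("eval(atob('...'));/*" + "A" * LARGE_SCRIPT_BYTES + "*/")
    return base / "node_modules"


def demo() -> list[dict]:
    """Build the constructed tree in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real checkout with `audit_tree(Path("node_modules"))`. The complementary control is `ignore-scripts=true` in `.npmrc` (or `npm install --ignore-scripts`), which stops every lifecycle hook from running until the list produced here has been reviewed; packages that genuinely need a build step can then be rebuilt deliberately.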
#threatreport#LowCompleteness
Espionage Campaign Targeted Stock Exchange Executive for Five Months | 03-06-2026
Source: https://t.co/pZlGDcDdkr
Key details below ↓
💀Threats:
Sharpdecryptpwd_tool, Frpc_tool, Uac_bypass_technique, Secretsdump_tool,
🎯Victims: Stock exchange, Senior executive
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1036.004, T1036.005, T1036.008, T1053.005, T1059.003, T1071.001, T1102.002, T1114.001, T1567.002
🧨IOCs:
- File: 20
- Command: 9
- Path: 1
- Hash: 20
- IP: 1
- Coin: 1
💽Software: Outlook, Dropbox, microsoft onedrive, curl, Microsoft Outlook
🔢Algorithms: sha256
🔠Functions: OneDrive
💻Platforms: intel, arm
#threatreport:
Over a five-month espionage campaign, unknown attackers targeted the email account of a senior executive at a major global stock exchange and stole large amounts of data from the executive's Outlook mailbox. The case illustrates the value of such accounts for intelligence on non-public negotiations, internal discussions and organizational timelines. The attackers exfiltrated the data incrementally through Dropbox and OneDrive Personal, so that the uploads blended into ordinary cloud-storage traffic and avoided detection.
The initial infection vector remains unidentified, but by October 10, 2025, two binaries—armsvc.exe and oneservice.exe—were already operating with SYSTEM privileges. These binaries were strategically disguised within legitimate application paths to mimic trusted services, indicating that the attackers achieved local privilege escalation quickly. The attack transitioned to a more active phase on November 12, involving the successful completion of an OAuth handshake to obtain a Dropbox API token, which facilitated continuous uploads and downloads of stolen data. The attackers consistently reused the same client_id and client_secret across numerous operations, suggesting a single, persistent Dropbox application was used.
The principal tool was an Aspose-based mailbox stealer, which used the legitimate Aspose .NET library to convert the executive's Outlook OST mailbox files to PST format before upload. The stealer carried innocuous file extensions and was run with parameters specifying password protection for the output and a date range, so the mailbox was taken systematically and incrementally without drawing attention from security software. Eight further extraction runs followed over the five-month campaign, giving the attackers a comprehensive archive of the executive's email.
By late November 2025, the attackers expanded their exfiltration channels, utilizing OneDrive Personal in addition to Dropbox, with traffic routed through hard-coded Microsoft IP addresses to bypass DNS logging. A brief experiment with a third exfiltration method using a public temporary-file-hosting service was also observed but not continued. Throughout the campaign, the attackers added various persistence mechanisms, such as registering a modified OneDrive sync service to maintain access.
This campaign demonstrates a high level of operational discipline focused solely on the prolonged, undetected theft of a single executive's mailbox. By using legitimate cloud services for exfiltration and scheduled tasks for regular harvesting, the attackers kept their footprint small, a clear strategy for sustaining long-term access without triggering alerts. The sophistication and focus of this operation underline the persistent threat to sensitive organizational data from targeted email account compromise.
#threatreport#MediumCompleteness
Dark Web Profile: BlindEagle | 03-06-2026
Source: https://t.co/vGlM93Df8M
Key details below ↓
🧑💻Actors/Campaigns:
Blindeagle (🧠motivation: cyber_espionage, financially_motivated)
Red_akodon
💀Threats:
Asyncrat, Quasar_rat, Blotchyquasar, Spear-phishing_technique, Process_hollowing_technique, Caminho, Dcrat, Remcos_rat, Njrat, Limerat, Ande_loader, Dll_sideloading_technique, Hijackloader, Imminentmonitor_rat, Avemaria_rat, Bitrat, Supply_chain_technique, Heartcrypt_tool, Steganography_technique, Junk_code_technique, Process_injection_technique,
🎯Victims: Government, Judiciary, Financial services, Banking, Insurance, Manufacturing, Defense, Peace negotiation institutions, Latin america, North america, ...
🏭Industry: Financial, Petroleum, Healthcare, Telco, Education, Government, Energy
🌐Geo: Colombian, Spain, Colombia, America, Spanish, Ecuador, Chile, Portuguese, Russian, Brazilian, Latin america, Panama, American
🔓CVEs: CVE-2024-43451 [Vulners](https://t.co/DbgQ7MjsxY)
- CVSS V3.1: *6.5*,
- Vulners: Exploitation: True
Soft:
- microsoft windows_10_1507 (<10.0.10240.20826)
- microsoft windows_10_1607 (<10.0.14393.7515)
- microsoft windows_10_1809 (<10.0.17763.6532)
- microsoft windows_10_21h2 (<10.0.19044.5131)
...
📚TTPs:
⚔️Tactics: 8
🛠️Technics: 23
🧨IOCs:
- File: 1
💽Software: Discord, Pastebin, Windows shell
🔢Algorithms: zip, base64
📜Programming Languages: visual_basic, powershell, javascript
#threatreport:
BlindEagle, also referred to as APT-C-36 or TAG-144, is a cyber threat actor with operations believed to originate from Latin America, specifically Colombia or surrounding areas. Active since at least 2018, this group engages in a hybrid model of espionage and cybercrime, targeting organizations predominantly in Latin America, especially Colombia, and occasionally extending operations to the U.S. and other Spanish-speaking countries.
The group's modus operandi relies on cracked commodity remote access Trojans (RATs), such as a modified Quasar build known as BlotchyQuasar and well-known families like AsyncRAT and njRAT, which give them a broad range of capabilities and are used above all for banking credential theft. They employ culturally tailored phishing, with localized lures that fit the specific target audience, and geofence payload delivery so that only requests from the targeted region (LATAM) receive the malware; sandboxes and analysts elsewhere get nothing, which hampers detection.
BlindEagle's initial attack vectors include spear-phishing emails mimicking legitimate organizations, with attachments that range from PDFs to password-protected archives containing obfuscated scripts. The phishing emails can even appear to originate from compromised accounts within the target's network, making them difficult to identify as malicious. Analysis of their campaigns indicates a systematic infection chain starting with an initial dropper, which retrieves a second-stage payload, usually a RAT, that allows for persistent surveillance and data exfiltration.
The group has shown a notable proficiency in integrating recent vulnerabilities into their toolset, such as exploiting vulnerabilities within days of public disclosure. For instance, they have weaponized CVE-2024-43451 shortly after its patch release by embedding it in their operations. Such agility highlights BlindEagle's operational discipline and capability to adapt swiftly to new exploits.
Despite the extensive harvesting of personally identifiable information (PII) and banking credentials, there is no public reporting that substantiates successful monetization or resale of this data on underground markets. Their espionage targets also include significant institutions involved in Colombia's judiciary and peace negotiations, which suggests a possible alignment with organized criminal interests in the region, although no concrete evidence linking the group to specific criminal organizations has been presented.
#threatreport#HighCompleteness
KeyCat Stealer Uncovered: Inside a $40 Multi-Platform Infostealer with Telegram C2 and Active Staging Infrastructure | 03-06-2026
Source: https://t.co/1um4IBbkHU
Key details below ↓
💀Threats:
Keycat, Credential_dumping_technique, Lazagne_tool, Credential_harvesting_technique, Pxa_stealer, Dll_sideloading_technique,
🎯Victims: Financial services, Banking, Postal services, Agriculture, Tunisia
🏭Industry: Financial
🌐Geo: Italian, Tunisia
📚TTPs:
⚔️Tactics: 8
🛠️Technics: 29
🧨IOCs:
- Url: 12
- Domain: 2
- File: 14
- Command: 4
- Registry: 1
💽Software: Telegram, Linux, Matkap, WordPress, Pastebin, Ubuntu, Limewire, QEMU, Windows service, ImageMagick, ...
🔢Algorithms: md5, zip
🔠Functions: anti_debug, setsid, Send_telegram, send_flle, install_persistence, hide_process, become_daemon
🗂️Win API: sendMessage, gethostname
📜Programming Languages: python, powershell
💻Platforms: cross-platform
#threatreport:
The KeyCat Stealer is a multi-platform information stealing malware available for $40, functioning as both an infostealer and a remote access toolkit. It targets Windows and Linux systems, offering capabilities that include credential harvesting, screen capture, Wi-Fi password extraction, file collection, and persistence installation. The malware is controlled through a Telegram bot, with its source code initially exposed on a publicly accessible GitHub Gist in February 2026. Following its release, operators quickly began commercializing it, resulting in its deployment in various Telegram channels.
KeyCat's architecture allows for significant flexibility in its deployment. Buyers can deploy unique instances by simply modifying two constants in the source code, leading to an array of configurations with no identifiable connections to the original creator. With an execution flow built around a nine-stage chain, KeyCat implements various functionalities including anti-analysis checks, system profiling, screen captures, credential dumping via the LaZagne tool, and exfiltration of the collected data through Telegram's sendDocument API. The stealer's evasion techniques are noteworthy, employing stealth mechanisms to disguise its processes and circumvent detection, such as renaming itself and using hidden command windows.
Two versions of KeyCat emerged: a Malware-as-a-Service (MaaS) model and a more refined Stealer-as-a-Service (StaaS) platform, which further simplified the process for end users by allowing them to pay for results rather than managing the operational infrastructure. The malware's architecture has already been spotted in commercial circulation as early as April 2026, showcasing a quick evolution of its capabilities.
The stealer’s persistence mechanisms include registry modifications on Windows and crontab entries on Linux, ensuring it can re-establish itself after a reboot. Its reliance on standard Python scripts and processes makes it less sophisticated compared to other advanced threats, but its breadth of capabilities, combined with its ease of use, effectively raises the operational risks associated with its deployment.
Detecting KeyCat poses challenges, as it generates events that may appear benign in isolation. However, sequences of specific actions—such as outbound requests to known Telegram API endpoints following suspicious subprocess executions—can signal malicious activity. Recommendations for detection focus on behavioral analysis rather than specific indicators, alongside stringent network controls against communications with identified C2 infrastructures.
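The behavioural sequence described above, a script interpreter spawning recon or credential-helper processes and then contacting the Telegram Bot API within a short window, can be expressed as a small correlation over endpoint telemetry. The following is an added example, not code from the report or from KeyCat itself; the events are constructed EDR-like records, and the hostnames, PIDs, child-process list and 120-second window are assumptions to tune per environment.

```python
"""Correlate process and network telemetry into the KeyCat-style sequence.

Added example, not code from the report or from KeyCat itself. It implements
the detection idea above: a script interpreter that spawns recon or credential
helper processes and then talks to the Telegram Bot API within a short window.
The events are constructed EDR-like records; hostnames, PIDs, the child-process
list and the 120 s window are assumptions to tune per environment.
"""
from __future__ import annotations

INTERPRETERS = {"python.exe", "pythonw.exe", "python3", "python"}
SUSPICIOUS_CHILDREN = {"netsh.exe", "whoami.exe", "reg.exe", "cmd.exe", "powershell.exe"}
C2_API_HOSTS = {"api.telegram.org"}  # Bot API host used for sendDocument/sendMessage

# Constructed telemetry. Host A shows the infection pattern; host B runs a legitimate bot.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "A", "type": "process", "pid": 5001, "ppid": 4242,
     "image": "netsh.exe", "parent_image": "python.exe",
     "cmdline": "netsh wlan show profile key=clear"},
    {"ts": 105, "host": "A", "type": "process", "pid": 5002, "ppid": 4242,
     "image": "whoami.exe", "parent_image": "python.exe", "cmdline": "whoami /all"},
    {"ts": 130, "host": "A", "type": "network", "pid": 4242,
     "dest": "api.telegram.org", "dport": 443},
    {"ts": 200, "host": "B", "type": "network", "pid": 777,
     "dest": "api.telegram.org", "dport": 443},            # bot with no recon children
    {"ts": 900, "host": "A", "type": "process", "pid": 6001, "ppid": 4242,
     "image": "cmd.exe", "parent_image": "python.exe", "cmdline": "cmd /c dir"},
    {"ts": 9000, "host": "A", "type": "network", "pid": 4242,
     "dest": "api.telegram.org", "dport": 443},            # too long after the child
]


def correlate(events: list[dict], window_s: int = 120) -> list[dict]:
    """Alert when a Telegram API connection follows suspicious children of the same interpreter PID."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "network" or ev["dest"] not in C2_API_HOSTS:
            continue
        children = [
            p for p in events[:i]
            if p["type"] == "process"
            and p["host"] == ev["host"]
            and p["ppid"] == ev["pid"]                   # child of the connecting process
            and p["parent_image"] in INTERPRETERS
            and p["image"] in SUSPICIOUS_CHILDREN
            and ev["ts"] - p["ts"] <= window_s
        ]
        if children:
            alerts.append({
                "host": ev["host"], "pid": ev["pid"], "dest": ev["dest"], "ts": ev["ts"],
                "children": [(c["image"], c["cmdline"]) for c in children],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Neither half of the sequence is alertable on its own: plenty of legitimate bots talk to api.telegram.org, and administrators run netsh and whoami. The value is in the join on the connecting PID and the time window, which is why the recommendation above favours behavioural logic over static indicators.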
#threatreport#MediumCompleteness
From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services | 03-06-2026
Source: https://t.co/k3PSNR1AmR
Key details below ↓
💀Threats:
Kali365_tool, Device_code_phishing_technique,
🎯Victims: Messaging platforms, Cloud services, Identity services, Document management services, Email services, Social networking services, Cloud storage services, Russian consumer internet platforms
🏭Industry: Government, Iot, Media
🌐Geo: Russia, China, German, Russian
🤖LLM extracted TTPs:
T1056.003, T1071.001, T1078, T1102.003, T1111, T1528, T1566, T1583.006
🧨IOCs:
- Domain: 9
- Url: 1
- IP: 2
- File: 1
💽Software: Microsoft Outlook, Okta, DocuShare, MAX Messenger, Telegram, WeChat, cPanel
🔢Algorithms: sha1
🔠Functions: fetch
📜Programming Languages: javascript
#threatreport:
The Kali365 operator has expanded its phishing-as-a-service (PhaaS) capabilities by creating sophisticated phishing infrastructure targeting notable services like Microsoft Outlook, Okta, and Russian platforms such as MAX Messenger and https://t.co/sRYdB8ugdi. The operator has been observed employing a live command-and-control (C2) panel that facilitates token capture by impersonating various legitimate sites. This expansion includes a phishing campaign specifically designed for MAX Messenger, which is used to exploit users through a fake prize-claim tactic.
Kali365 relies on device code phishing, which abuses the OAuth 2.0 Device Authorization Grant. The attacker starts the flow from an application under their control, obtains the short user code, and tricks the victim into entering it on the provider's legitimate sign-in page; once the victim completes authentication there, including any MFA challenge, the provider issues the tokens to the attacker's application, which gains access to the victim's M365 environment without the attacker ever handling the password. The infrastructure comprises 126 malicious hosts that rotate to avoid detection, with a persistent focus on Russian consumer services alongside the existing Western enterprise targets.
The phishing pages often mimic legitimate sites and lead victims through a multi-step process to harvest sensitive information. For example, the MAX Messenger phishing page requires users to input their phone numbers associated with their accounts under the guise of validating a prize. This approach not only harvests login credentials but also circumvents two-factor authentication (2FA), extracting comprehensive user data once the victim completes the required steps.
The C2 structure uses a polling mechanism to verify whether tokens have been captured, highlighting an organized approach to credential theft. The tracking of this activity has uncovered specific IP addresses associated with the malicious infrastructure, revealing how interconnected and streamlined the operator's activities have become. The foundation of the Kali365 kit allows for easy deployment and scalability, where compromised accounts can be leveraged to further propagate the phishing scheme across contacts, amplifying the threat's reach.
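The device code flow and the polling that goes with it, as an added example that is not code from the Kali365 kit or from the report. The authorization server is an in-memory stand-in so the whole exchange runs offline; the endpoint URL, client ID, scopes and lure text are assumptions. What it shows is that the victim authenticates on the genuine sign-in page, with their real password and MFA, yet the token is issued to the client that started the flow, which is the attacker's, and that a tenant policy refusing the flow stops the attack before any lure is sent.

```python
"""Device code phishing against the OAuth 2.0 Device Authorization Grant (RFC 8628).

Added example, not code from the Kali365 kit or from the report. The
authorization server is an in-memory stand-in so the whole exchange runs
offline; the endpoint URL, client ID, scopes and lure text are assumptions.
"""
from __future__ import annotations

import secrets
import time


class AuthServer:
    """Minimal device-flow provider with a per-tenant switch for the flow."""

    def __init__(self, allow_device_flow: bool = True):
        self.allow_device_flow = allow_device_flow
        self._pending: dict[str, dict] = {}  # device_code -> request state

    def device_authorization(self, client_id: str, scope: str) -> dict:
        if not self.allow_device_flow:
            # Policy-level mitigation: the tenant does not grant this flow at all.
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)          # secret, stays with the client
        user_code = f"{secrets.randbelow(10**9):09d}"      # short, shown to the human
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved_by": None, "expires": time.time() + 900,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device",  # assumed
                "interval": 5, "expires_in": 900}

    def user_approves(self, user_code: str, username: str, mfa_passed: bool) -> bool:
        """Victim side: sign in on the real page, satisfy MFA, type the code."""
        for state in self._pending.values():
            if state["user_code"] == user_code and mfa_passed:
                state["approved_by"] = username
                return True
        return False

    def token(self, client_id: str, device_code: str) -> dict:
        state = self._pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > state["expires"]:
            return {"error": "expired_token"}
        if state["approved_by"] is None:
            return {"error": "authorization_pending"}
        # Issued for the victim's identity, to the client that started the flow.
        return {"access_token": f"tok.{state['approved_by']}.{secrets.token_hex(8)}",
                "scope": state["scope"], "token_type": "Bearer"}


def run_phish(server: AuthServer, client_id: str = "attacker-registered-app") -> dict:
    """Attacker side: start the flow, lure the victim, poll until a token lands."""
    dev = server.device_authorization(client_id, "Mail.Read offline_access")
    if "error" in dev:
        return {"outcome": "blocked", "reason": dev["error"]}
    # The lure carries only the user code and the REAL verification URI, so
    # there is no fake login form for a user or a URL filter to spot.
    lure = f"Enter code {dev['user_code']} at {dev['verification_uri']} to view the document"
    polls = []
    first = server.token(client_id, dev["device_code"])
    polls.append(first.get("error", "access_token"))          # authorization_pending
    # Victim follows the lure: genuine password, genuine MFA, then the code.
    server.user_approves(dev["user_code"], "victim@corp.example", mfa_passed=True)
    second = server.token(client_id, dev["device_code"])
    polls.append("access_token" if "access_token" in second else second["error"])
    return {"outcome": "token_captured" if "access_token" in second else "failed",
            "lure": lure, "polls": polls, "token": second.get("access_token")}


if __name__ == "__main__":
    print(run_phish(AuthServer()))
    print(run_phish(AuthServer(allow_device_flow=False)))
```

The `authorization_pending` then `access_token` sequence is exactly the polling the C2 panel performs. In Microsoft Entra the equivalent of `allow_device_flow=False` is a Conditional Access policy whose authentication-flows condition blocks the device code flow; for detection, sign-in log entries whose authentication protocol is device code, coming from an application the organization does not recognize, are the signal to hunt for.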
#threatreport#HighCompleteness
Argamal: Malware hidden in hentai games | 03-06-2026
Source: https://t.co/s9gAtC2Hpq
Key details below ↓
💀Threats:
Argamal, Com_hijacking_technique, Trojan.win32.termixia, Trojan.win32.agent,
🎯Victims: Gaming, Adult entertainment, Individuals, Russia, Brazil, Germany, Vietnam
🏭Industry: Entertainment
🌐Geo: Germany, Spanish, Russia, Brazil, Vietnam, Chinese
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1012, T1016, T1027, T1033, T1036, T1036.005, T1041, T1053.005, T1057, T1059.001, ...
🧨IOCs:
- Hash: 20
- File: 6
- Registry: 2
- Path: 1
- Domain: 3
- IP: 1
- Url: 3
💽Software: RenPy, PixelDrain, Google Chrome, Microsoft Excel
🔢Algorithms: xor, base64, sha1, aes-cbc
🗂️Win API: DllGetClassObject, ShellExecuteW, WinExec, CreateProcessW
📜Programming Languages: python, javascript, powershell
#threatreport:
In April 2026, a sophisticated malware campaign named Argamal emerged, specifically targeting players of hentai games. This campaign involves the use of compromised games that, once executed, install a malicious implant capable of downloading and executing a Trojan, leading to extensive system compromise and remote control for the attackers.
Technically, Argamal persists through COM hijacking: the malware rewrites the InprocServer32 registry value for the CLSID of the Windows Color System Calibration Loader so that its own DLL is loaded in place of the legitimate one each time a user logs on. Kaspersky solutions detect the components under several Trojan verdicts.
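COM hijacking of this kind works because per-user CLSID registrations under HKCU\Software\Classes take precedence over the machine-wide ones under HKLM, so an InprocServer32 value pointing at a DLL in a user-writable location gets loaded by every trusted process that instantiates the class. The following is an added example, not Kaspersky's tooling, that reads `reg export` style text and reports HKCU InprocServer32 entries that shadow an HKLM CLSID or point outside system directories. SAMPLE_REG is constructed; the CLSIDs and paths in it are placeholders, not indicators from the report.

```python
r"""Flag per-user COM hijacks in a `reg export` text dump.

Added example, not Kaspersky's tooling. CLSID registrations under
HKCU\Software\Classes take precedence over the machine-wide copies under
HKLM, so a malicious InprocServer32 pointing at a user-writable DLL is loaded
by every trusted process that instantiates the class. SAMPLE_REG is
constructed: the CLSIDs and paths are placeholders, not IOCs from the report.
"""
from __future__ import annotations

import re

KEY_RX = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$", re.I)
DEFAULT_VALUE_RX = re.compile(r'^@="(.*)"$')
TRUSTED_DIR_RX = re.compile(r"^(%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files)", re.I)

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="%SystemRoot%\\System32\\example_loader.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\player\\AppData\\Roaming\\ExampleGame\\implant.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\ExampleApp\\plugin.dll"
"""


def parse_inproc_servers(reg_text: str) -> dict[str, dict[str, str]]:
    """Map hive -> {CLSID -> DLL path} for every InprocServer32 key in the export."""
    servers: dict[str, dict[str, str]] = {"HKEY_LOCAL_MACHINE": {}, "HKEY_CURRENT_USER": {}}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RX.match(line)
            current = (m.group(1).upper(), m.group(2).upper()) if m else None
            continue
        if current:
            m = DEFAULT_VALUE_RX.match(line)
            if m:
                hive, clsid = current
                servers[hive][clsid] = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return servers


def find_hijacks(reg_text: str) -> list[dict]:
    """HKCU InprocServer32 entries that shadow HKLM or load from a writable location."""
    servers = parse_inproc_servers(reg_text)
    hits = []
    for clsid, path in servers["HKEY_CURRENT_USER"].items():
        reasons = []
        if clsid in servers["HKEY_LOCAL_MACHINE"]:
            reasons.append("shadows_hklm")
        if not TRUSTED_DIR_RX.match(path):
            reasons.append("untrusted_path")
        if reasons:
            hits.append({"clsid": clsid, "hkcu_dll": path,
                         "hklm_dll": servers["HKEY_LOCAL_MACHINE"].get(clsid),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_REG):
        print(hit)
```

On a live host, export both hives with `reg export HKLM\Software\Classes\CLSID hklm.reg` and `reg export HKCU\Software\Classes\CLSID hkcu.reg`, concatenate the two files and feed the text to `find_hijacks`; note that `reg export` writes UTF-16 LE, so read the files with `encoding="utf-16"`. Any HKCU entry that shadows an HKLM CLSID deserves a look even when its path seems plausible, because legitimate software rarely needs to override a system class per user.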
Analysis revealed that the infected games originated from various sources, predominantly hentai game developers utilizing platforms like RenPy and RPG Maker MV. These games were distributed through websites and torrent trackers, redirecting users to file-sharing services like PixelDrain.
A central component is the natives2_blob.bin file, which runs a Base64-encoded PowerShell script referred to as Stage1. Stage1 performs environment checks to detect sandboxes, then establishes persistence by modifying registry keys and creating a scheduled task that runs a second-stage script. Stage2 acts as a downloader: it fetches an encrypted payload from GitHub, decrypts it with AES-CBC, and writes the result into the DLL that the hijacked COM entry points to, so the payload runs in every user session.
The payload functions as a Remote Access Trojan (RAT) with a default command and control (C2) server, initially at https://t.co/neMQzTQC9n and later changing to https://t.co/u32fdZz1mm, both pointing to an IP address of 186.158.223.35. The payload facilitates various functions, allowing the attackers to execute commands that range from managing system operations—such as rebooting or shutting down the machine—to file manipulation and taking screenshots. The malware communicates over UDP to the C2 server, transmitting heartbeats containing critical system information and awaiting further commands.
Moreover, researchers identified alternative delivery methods employed by the attackers, such as embedding the payload in game libraries or distributing a malicious DLL disguised as cheats on gaming forums, indicating a level of sophistication in their distribution tactics.
Victimology indicates that the malware primarily affected individuals in Russia, Brazil, Germany, and Vietnam. Attribution efforts suggest that the threat actors potentially speak Spanish, as evidenced by the language used in the code comments and variable names.
#threatreport#HighCompleteness
FSB’s matryoshka #2/3 – Gamaredon’s gifts that keeps unpacking – GammaLoad | 03-06-2026
Source: https://t.co/eIQd8lJEkH
Key details below ↓
🧑💻Actors/Campaigns:
Gamaredon (🧠motivation: cyber_espionage)
💀Threats:
Gammaload, Gammaphish, Gammaworm, Gammasteel, Pteranodon, Gammawipe, Dead_drop_technique, Bitsadmin_tool,
🎯Victims: Government, Military, Critical infrastructure
🏭Industry: Military, Government, Critical_infrastructure
🌐Geo: Russian, Russia, Ukrainian, Ukraine
📚TTPs:
⚔️Tactics: 2
🛠️Technics: 0
🤖LLM extracted TTPs:
T1012, T1027, T1036.004, T1053.005, T1059.001, T1059.005, T1071.001, T1082, T1091, T1102.001, ...
🧨IOCs:
- Registry: 3
- Hash: 3
- Url: 8
- IP: 2
- Domain: 1
- File: 1
- Command: 1
- Email: 1
💽Software: Telegram, Windows registry
🔢Algorithms: base64, xor, md5
🔠Functions: ExecuteGlobal
📜Programming Languages: powershell
#threatreport:
Gamaredon is a cyber espionage group linked to Russia's FSB, known for prolonged and persistent intrusion operations focused mainly on Ukrainian government, military and critical infrastructure targets. It remains active and continues to evolve its malware arsenal. Its operations blend in by abusing legitimate Windows features and trusted platforms such as Telegram (used as a dead-drop resolver for C2 addresses), which keeps detection low, and its malware spreads into air-gapped networks via infected USB drives. The malware can also capture documents in various states, whether stored, in transit or being edited. A backdoor component provides command and control and allows additional payloads to be deployed.
Recent analysis by https://t.co/WdmZshwK2S’s Threat Detection & Research (TDR) team has focused on a particular malware component called GammaLoad, which represents a series of VBScript loaders that facilitate the delivery and execution of the final payload, GammaSteel. GammaLoad operates through a multi-layered infection process where loaders stage additional loaders, reinforcing its stealth and persistence. The first stage performs host fingerprinting and employs a failover method to connect to a command and control (C2) server, checking previously cached URLs before falling back on legitimate services to retrieve subsequent payloads.
During exploration, it became evident that GammaLoad maintains its C2 configuration within the Windows registry, allowing it to resume communication post-execution. The identified first stage creates a comprehensive HTTP request structure designed to emulate legitimate traffic, further obscuring its presence. If successful, it executes the next stage in-memory, or, upon failure, searches for new C2 URLs, updating registry values as needed.
The second stage is a dropper that relies on Base64 encoding and writes its payloads into Alternate Data Streams (ADS) of files in the system's temporary directory. It also creates a scheduled task so that the payload runs periodically, reinforcing persistence while staying out of sight. The third stage, a PowerShell loader, runs obfuscated commands through hidden processes and executes the final payload, the GammaSteel stealer, in memory, from where it exfiltrates information.
#threatreport#HighCompleteness
TA4922: The Suspected Chinese Crime Group is Going Global | 03-06-2026
Source: https://t.co/OLankp38NO
Key details below ↓
🧑💻Actors/Campaigns:
Ta4922 (🧠motivation: information_theft, cyber_criminal, financially_motivated, cyber_espionage)
Silver_fox
💀Threats:
Atlas_rat, Romulusloader, Silentrunloader, Valleyrat, Winos, Gh0st_rat, Anydesk_tool, Syncfuture_tool, Holdinghands, Dll_sideloading_technique, Vulkan_loader, Process_hollowing_technique, Syswhispers_tool, Dll_injection_technique, Bloat_technique,
🎯Victims: Organizations, Companies
🏭Industry: Financial, Government
🌐Geo: Singapore, Italian, Germany, Africa, German, Korea, United kingdom, Japan, South africa, Malaysia, India, Italy, Taiwan, Indonesia, Asia, Chinese
📚TTPs:
⚔️Tactics: 2
🛠️Technics: 0
🤖LLM extracted TTPs:
T1005, T1027, T1027.016, T1036, T1041, T1055, T1055.012, T1056.001, T1071.001, T1082, ...
🧨IOCs:
- IP: 5
- Domain: 1
- File: 5
- Hash: 14
- Url: 3
💽Software: WhatsApp, Microsoft Teams, LimeWire, Google Chrome, Chrome, Microsoft Defender, Windows service, Hyper-V, Windows Defender, WeChat, ...
🔢Algorithms: zip, xor, chacha20, ror13, sha256, rc4
🔠Functions: Send, AtlasInfo
🗂️Win API: ZwAllocateVirtualMemory, OpenProcess, WSAStartup, GetLastInputInfo
📜Programming Languages: python
💻Platforms: cross-platform
#threatreport:
TA4922 is a notable Chinese-speaking cybercriminal group exhibiting advanced operational capabilities and a broad range of malware. Their activities have expanded to include regions in Europe and Africa, moving beyond their initial focus on East Asia. The group employs various malware families, prominently including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT (Winos4.0). Each campaign by TA4922 is marked by localized social engineering tactics, leveraging themes that resonate with the target cultures, such as HR, payroll, and invoicing.
In recent months, TA4922 has displayed a markedly increased operational tempo, often using malicious emails containing links to downloadable ZIP files. Analysis of their campaigns has shown the group primarily aims to gain unauthorized access to victim environments for financial gain, employing both credential phishing and malware distribution. The malware landscape utilized by TA4922 is noteworthy for its dynamism, with an evolving toolkit that has significantly expanded following their campaigns.
A few detailed instances of their attacks illustrate their techniques. The Atlas RAT campaigns, for example, used HR-themed lures sent to organizations in Japan and the UK. The emails linked to ZIP archives whose contents, once run, installed Atlas RAT via DLL sideloading and configured it to communicate with command and control (C2) servers over specific TCP ports. RomulusLoader, in turn, was bundled inside legitimate executables designed to trick users into running them; this loader is notable for staging additional payloads, including legitimate remote management tools, which complicates detection.
SilentRunLoader is another loader used by TA4922 designed to harvest sensitive data from web browsers, particularly targeting Chrome for credentials and personal data, and exfiltrating this data to C2 servers. This particular malware is written in Python and showcases the group's adaptation to using programming tools that streamline their malware development process.
Each observed campaign reveals distinct payload methods and infrastructure but shares common traits such as specific communication channels and evasion tactics aimed at bypassing security detections. TA4922 has carefully crafted its social engineering, moving conversations from email, where enterprise security controls apply, to messaging platforms such as WhatsApp and Microsoft Teams to maintain engagement during phishing attempts.
The group’s operational strategies indicate a high degree of planning and execution, with campaigns specifically tailored for organizational functions and cultural nuances, making TA4922 one of the more formidable threat actors in the current landscape. Their financial motivations coupled with capabilities similar to espionage actors pose considerable threats to a wide range of targets, suggesting an adeptness at blending criminal tactics with advanced malware techniques.
#threatreport#HighCompleteness
Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO | 03-06-2026
Source: https://t.co/dOoQVGBj7C
Key details below ↓
💀Threats:
Bashlite, C0xmo, Tcpflood_technique, Udpflood_technique, Tcpsynflood_technique, Synflood_technique, Icmpflood_technique, Httpflood_technique,
🎯Victims: Technology
🏭Industry: Iot
🌐Geo: Japanese, Germany
🔓CVEs: CVE-2022-35914 [Vulners](https://t.co/SP8qobV9yI)
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- glpi-project glpi (<=10.0.2)
CVE-2021-27137 [Vulners](https://t.co/N63sfdztkk)
- CVSS V3.1: *Unknown*,
- Vulners: Exploitation: Unknown
CVE-2015-2051 [Vulners](https://t.co/3H7vdFRNCw)
- CVSS V3.1: *8.8*,
- Vulners: Exploitation: True
Soft:
- dlink dir-645_firmware (<1.05b01)
CVE-2025-34054 [Vulners](https://t.co/0pnfuffAvG)
- CVSS V3.1: *10.0*,
- Vulners: Exploitation: True
CVE-2016-15047 [Vulners](https://t.co/e2Wh5aqflt)
- CVSS V3.1: *8.7*,
- Vulners: Exploitation: Unknown
📚TTPs:
⚔️Tactics: 4
🛠️Technics: 0
🧨IOCs:
- File: 3
- IP: 3
- Url: 1
- Hash: 15
💽Software: Linux, crontab, Discord, FiveM, Zyxel, Android
🔢Algorithms: exhibit
📜Programming Languages: python
💻Platforms: intel, amd64, mips, cross-platform, arm
#threatreport:
In March 2023, a new variant of the Gafgyt botnet, named C0XMO, was discovered by FortiGuard Labs, which effectively propagates across multiple Linux architectures by exploiting the stack buffer overflow vulnerability designated as CVE-2021-27137. This security flaw exists within the UPnP service of certain DD-WRT router firmware when oversized ST:uuid values are mishandled in crafted M-SEARCH requests over UDP port 1900. Notably, while the initial delivery targeted a company in Japan, the source IP address originated from Germany. Once compromised, the host retrieves the malware and stores it in the /tmp/.cache directory, with multiple compilations available for various system architectures, demonstrating adaptability in its target range.
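The trigger described above is an M-SEARCH on UDP/1900 whose ST header carries an oversized uuid value. The following is an added example, not FortiGuard's detection logic or the C0XMO exploit, showing the receiver-side check a sensor or a hardened SSDP responder would apply: parse the datagram, then reject ST values that are not one of the standard search-target shapes or that exceed a sane length. The two packets are constructed, and the 128-byte limit is an assumption, not the size of the vulnerable DD-WRT buffer.

```python
"""Parse SSDP M-SEARCH datagrams and flag oversized or malformed ST headers.

Added example, not FortiGuard's detection logic or the C0XMO exploit. The
packets are constructed, and the 128-byte limit is an assumption, not the
vulnerable buffer's real size.
"""
from __future__ import annotations

import re

UUID_RX = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
URN_RX = re.compile(r"^urn:[\w.-]+:(device|service):[\w.-]+:\d+$", re.I)
MAX_ST_LEN = 128  # assumption: longer than any legitimate search target

# Constructed datagrams: a normal discovery and one with an oversized ST: uuid.
BENIGN_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\n"
                  b"HOST: 239.255.255.250:1900\r\n"
                  b'MAN: "ssdp:discover"\r\n'
                  b"MX: 2\r\n"
                  b"ST: uuid:2fac1234-31f8-11b4-a222-08002b34c003\r\n\r\n")
OVERSIZED_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\n"
                     b"HOST: 239.255.255.250:1900\r\n"
                     b'MAN: "ssdp:discover"\r\n'
                     b"MX: 1\r\n"
                     b"ST: uuid:" + b"A" * 600 + b"\r\n\r\n")


def parse_ssdp(datagram: bytes) -> dict:
    """Split an SSDP datagram into its request line and a header dict (keys upper-cased)."""
    text = datagram.decode("latin-1")            # SSDP is ASCII; never fail on odd bytes
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"request_line": lines[0], "headers": headers}


def assess_msearch(datagram: bytes, max_st_len: int = MAX_ST_LEN) -> dict:
    """Return a verdict and the reasons an M-SEARCH should be dropped."""
    msg = parse_ssdp(datagram)
    flags: list[str] = []
    if not msg["request_line"].startswith("M-SEARCH * HTTP/1.1"):
        return {"verdict": "not_msearch", "flags": flags, "st_len": 0}
    if msg["headers"].get("MAN") != '"ssdp:discover"':
        flags.append("bad_man")
    st = msg["headers"].get("ST", "")
    if len(st) > max_st_len:
        flags.append("oversized_st")             # the C0XMO/CVE-2021-27137 shape
    if st in ("ssdp:all", "upnp:rootdevice"):
        pass
    elif st.lower().startswith("uuid:"):
        if not UUID_RX.match(st[5:]):
            flags.append("malformed_uuid")
    elif not URN_RX.match(st):
        flags.append("unknown_st")
    return {"verdict": "drop" if flags else "ok", "flags": flags, "st_len": len(st)}


if __name__ == "__main__":
    print(assess_msearch(BENIGN_MSEARCH))
    print(assess_msearch(OVERSIZED_MSEARCH))
```

The same parser can be pointed at a live socket bound to UDP/1900 on a sensor; a legitimate `uuid:` search target is exactly 41 bytes, so anything approaching the limit from the internet side is worth logging with its source address, which in the report's case would have exposed the German scanning host.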
C0XMO is characterized by behaviors typical of previous Gafgyt variants, combining weak credential brute-force attempts aimed at Telnet and SSH interfaces alongside command-injection vulnerabilities, and various DDoS attack mechanisms. Upon execution, C0XMO implements a sophisticated persistence strategy that involves copying itself to concealed directories, configuring cron jobs for repeated execution, and altering essential shell profiles to ensure continuous operation. The malware further examines running processes to eliminate competitors, terminating processes that match an internal blacklist and deleting corresponding binaries and persistence mechanisms.
After completing its local persistence setup, C0XMO establishes communication with a command-and-control (C2) server located at 85.215.131.70, initiating a unique handshake involving a predefined string and a shared secret. This connection enables C0XMO to identify itself as part of the botnet, concluding the handshake with a server acknowledgment.
The malware’s command handler facilitates the execution of diverse commands, particularly for executing 19 distinct DDoS attack methods. Notably, C0XMO isolates its scanning mechanism within a separate Python script, which it retrieves from another IP address. This script performs random IP scanning and includes criteria for ignoring known honeypots and previously ineffective targets. Furthermore, it can exploit the Android Debug Bridge (ADB) vulnerabilities to seize control of exposed Android devices.
#threatreport#MediumCompleteness
Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages | 03-06-2026
Source: https://t.co/GjcLWe2pFh
Key details below ↓
🧑💻Actors/Campaigns:
Error524
💀Threats:
Smishing_technique, Credential_harvesting_technique, Spear-phishing_technique,
🎯Victims: Telecommunications, Financial services, Consumer rewards programs, Government, Logistics
🏭Industry: Financial, Telco, Government, Retail, Education, Logistic
🌐Geo: Mexico, Apac, Chile, Germany, American, Latin america, America, Colombia, Australia, Chinese, Netherlands, Latam, Asian
📚TTPs:
⚔️Tactics: 3
🛠️Technics: 11
🧨IOCs:
- IP: 7
- File: 2
💽Software: Caddy, Telegram
🔢Algorithms: exhibit, aes-256, base64
📜Programming Languages: javascript, php
#threatreport:
Group-IB researchers have uncovered a sophisticated smishing and phishing operation that has been active since mid-2025, primarily targeting Latin America but extending to 72 countries. This campaign impersonates over 260 brands across several sectors, primarily telecommunications and financial services, utilizing fake Cloudflare error pages to disguise its malicious activities. The operation focuses on exploiting regions with weak SMS anti-spoofing controls, particularly in countries like Mexico, Chile, and Colombia, which account for a significant number of phishing domains.
The attackers employ a complex, layered anti-analysis evasion architecture that hinges on the appearance of legitimate Cloudflare error pages, specifically the Error 524 timeout message. This decoy tactic is strategically designed; only victims who meet specific geolocation and mobile device criteria are shown the actual phishing content. The phishing infrastructure includes many obfuscated Single Page Applications (SPAs) and uses real-time data exfiltration via encrypted WebSocket channels. Group-IB identified 4,389 phishing domains, with approximately 30% of the infrastructure hosted on Tencent Cloud and Alibaba servers, masked by Cloudflare's services to complicate takedown efforts.
Upon accessing a phishing link, non-target users encounter a fake error page devoid of malicious elements, thereby evading detection by security systems. In contrast, eligible users are redirected to a streamlined SPA that collects credit card information, such as the card number, expiration date, and CVV, with minimal validation checks. This method maximizes the number of successful submissions without engaging in time-consuming bank authorizations.
The campaign leverages a combination of behavioral analytics and sophisticated web technologies, employing frameworks like Vue.js for frontend functionality and obfuscating code to thwart analysis. Its operational infrastructure is characterized by rapid domain cycling, utilizing low-cost top-level domains (TLDs) that mimic brand names, which allows attackers to swiftly replace taken-down domains.
As this operation evolves and persists, it poses significant threats, especially in environments where consumer trust is paramount. To counteract such threats, organizations are urged to adopt proactive measures, including integrating threat intelligence for early warning of newly registered phishing domains matching established patterns and enforcing robust Digital Risk Protection strategies. In light of the factors that allow such smishing campaigns to thrive, heightened awareness and user education remain crucial in mitigating risks associated with phishing and smishing attacks.
#threatreport#MediumCompleteness
Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign | 03-06-2026
Source: https://t.co/tTAeTLYMl6
Key details below ↓
🧑💻Actors/Campaigns:
Bluenoroff
Cryptocore
💀Threats:
Mac-cur_tool,
🎯Victims: Financial sector, Venture capital, Web3, Cryptocurrency organizations
🌐Geo: North korean
🤖LLM extracted TTPs:
T1005, T1027, T1036, T1041, T1059.002, T1059.004, T1071.001, T1074.001, T1105, T1204.002, ...
🧨IOCs:
- File: 1
- Hash: 7
- Domain: 9
- IP: 5
💽Software: macOS, Zoom, Telegram, l → sh, curl, Ledger Live, l), TC
📲Wallets: exodus_wallet
🔢Algorithms: sha256
📜Programming Languages: objective_c, applescript
💻Platforms: apple
#threatreport:
Sapphire Sleet, a North Korean state-sponsored threat actor, has been observed engaging in a multi-stage intrusion campaign specifically targeting macOS systems within high-value sectors such as venture capital, Web3 development, and cryptocurrency organizations. Since its early activity in 2020, the group's tactics, techniques, and procedures (TTPs) have evolved from basic malicious macros to advanced native macOS components designed to extract cryptographic keys and operational identities from compromised endpoints. This campaign illustrates a notable shift towards trust abuse over conventional technical exploitation methods.
The initial access phase of the attack utilizes targeted social engineering strategies. The actors impersonate recruiters or business contacts to establish communication with victims, directing them to run a fraudulent Zoom SDK update component. This execution triggers a malicious AppleScript file that operates through the macOS Script Editor, circumventing typical security measures. The underlying logic is cleverly obscured using whitespace padding, which complicates detection.
Once the malicious script runs, it orchestrates a series of commands involving `curl` and `osascript`, utilizing various hardcoded user agents for clean operational check-ins. A seemingly legitimate application named `https://t.co/sqATbR98UT` is then deployed to harvest user credentials, presenting a deceptive password prompt that resembles standard login requests.
A critical component of the attack includes the abuse of macOS's privacy database, TCC.db. By leveraging the Finder application, the malware gains unimpeded access to system permissions, allowing it to copy and manipulate sensitive data autonomously without user notification. This access facilitates the establishment of a persistent backdoor through an administrative boot configuration in the system's LaunchDaemons directory, ensuring a malicious component named `icloudz` is executed on startup. This component reflects the core backdoor agent into memory, maintaining consistent outbound communication with external servers.
The exfiltration of sensitive data involves profiling and archiving critical corporate assets, including cryptocurrency wallets and SSH keys, and uploading these via `curl` to designated remote ports. Reports indicate a possible mitigation of the campaign's infrastructure due to collaborative efforts between Microsoft and Apple, leading to enhanced detection protocols. Nonetheless, the fundamental techniques that abuse native binaries and TCC.db remain relevant, underscoring the necessity for ongoing vigilance as the threat actors could quickly adapt to new operational strategies.
Indicators of compromise (IoCs) from the attack suggest monitoring of file paths such as `~/Library/Application Support/Authorization/auth.db` and `/Library/LaunchDaemons/com.google.webkit.service.plist`, which are associated with the backdoor's implementation and persistence mechanisms.
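The persistence traits described above (a LaunchDaemon that starts at boot and keeps its agent alive, a program living where an unprivileged user can write, a plist path matching the reported indicator) can be triaged from the plist alone. The following is an added example, not code from the report or from Microsoft; both plists are constructed, and the program path under `/Users/Shared` is a placeholder rather than an indicator from the report. Only the plist path `/Library/LaunchDaemons/com.google.webkit.service.plist` comes from the page.

```python
"""Triage LaunchDaemon plists for persistence indicators.

Added example, not code from the report or from Microsoft: it parses a
LaunchDaemon plist and flags the traits the Sapphire Sleet summary describes
(boot-time start with KeepAlive, a program in a user-writable location, a plist
path matching the report's IoC). Both plists below are constructed; the program
path under /Users/Shared is a placeholder, not an indicator from the report.
"""
import plistlib
from pathlib import PurePosixPath

# File path named as an indicator in the report.
REPORTED_IOC_PATHS = {"/Library/LaunchDaemons/com.google.webkit.service.plist"}

# A system daemon whose binary lives where an unprivileged user can write is a red flag.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")


def triage_launch_daemon(plist_path: str, raw_plist: bytes) -> list:
    """Return a list of flag names for one plist; an empty list means nothing stood out."""
    pl = plistlib.loads(raw_plist)
    flags = []
    label = pl.get("Label", "")
    # launchd convention: file com.vendor.name.plist carries Label com.vendor.name.
    if PurePosixPath(plist_path).stem != label:
        flags.append("label_mismatch")
    args = pl.get("ProgramArguments") or ([pl["Program"]] if "Program" in pl else [])
    program = args[0] if args else ""
    if program.startswith(USER_WRITABLE_PREFIXES):
        flags.append("program_in_user_writable_path")
    if pl.get("RunAtLoad") and pl.get("KeepAlive"):
        flags.append("run_at_load_and_keepalive")
    if plist_path in REPORTED_IOC_PATHS:
        flags.append("reported_ioc_path")
    return flags


def constructed_samples() -> dict:
    """Two constructed plists keyed by path: one mimicking the reported persistence, one benign."""
    suspicious = {
        "Label": "com.google.webkit.service",
        "ProgramArguments": ["/Users/Shared/.cache/icloudz"],  # placeholder path, constructed
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    benign = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Library/Application Support/Example/updater", "--check"],
        "RunAtLoad": True,
        "StartInterval": 3600,
    }
    return {
        "/Library/LaunchDaemons/com.google.webkit.service.plist": plistlib.dumps(suspicious),
        "/Library/LaunchDaemons/com.example.updater.plist": plistlib.dumps(benign),
    }


if __name__ == "__main__":
    for path, raw in constructed_samples().items():
        print(path, triage_launch_daemon(path, raw) or "clean")
```

On a live host the same function can be fed every file under `/Library/LaunchDaemons` (read as bytes); `plistlib.loads` handles both XML and binary plists, so no conversion step is needed.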
@skocherhan Thanks for stopping by the booth and sharing the photo, @skocherhan! Great to connect with you at #infosec2026. Enjoy the rest of the conference!
#threatreport#MediumCompleteness
Game Over: WeedHack – The Rise of Minecraft Malware-as-a-Service Campaigns | 02-06-2026
Source: https://t.co/VzpdTma2Jc
Key details below ↓
🧑💻Actors/Campaigns:
Raspberry_typhoon
💀Threats:
Weedhack, Seo_poisoning_technique, Etherhiding_technique, Lumma_stealer, Xworm_rat, Residential_proxy_technique, Uac_bypass_technique,
🎯Victims: Minecraft users, Teenagers, Young adults, Gaming, Cryptocurrency
🏭Industry: Entertainment, Financial
🌐Geo: Germany, Sweden, America, Finland, Norway, Italy, Vietnam, India, Spain, Canada, United kingdom
🤖LLM extracted TTPs:
T1016, T1027, T1033, T1036, T1041, T1053.005, T1056.001, T1059.003, T1082, T1083, ...
🧨IOCs:
- File: 51
- Command: 1
- Url: 29
💽Software: inecraft Ma, Minecraft, iscord ac, inecraft cl, Telegram, Discord, Steam, iscord se, windows defender, Apache Maven, ...
🪙Crypto: ethereum, bitcoin, litecoin
🔢Algorithms: lzma
📜Programming Languages: java
💻Platforms: x86
#threatreport:
The 'Weedhack' campaign is a significant Malware-as-a-Service (MaaS) operation targeting Minecraft players, enabling threat actors to perform extensive surveillance and data theft via a user-friendly dashboard. Active since January 2026, the campaign has been documented to distribute over 3,820 unique malicious JAR files through various channels, particularly using SEO poisoning and YouTube to attract victims. The malware masquerades as legitimate Minecraft clients and mods, drawing significant traffic—averaging 2,000 to 3,000 hits daily—by employing deceptive techniques to create a sense of legitimacy.
The campaign allows customers, who are primarily teenagers, to access a free tier that includes comprehensive infostealers capturing Minecraft session IDs, browser cookies, and credentials from various services such as Discord and Steam. For a subscription fee starting at $5, users can unlock additional functionalities, including remote access to webcams, file management, keylogging, and screen sharing. The operation promotes cyberbullying, with users reportedly utilizing the malware to harass and threaten their peers.
Weedhack uses sophisticated technical methods to maintain its operations, including a command-and-control (C2) infrastructure that utilizes Ethereum blockchain for communication. This approach ensures the operational stability of the malware, as it can dynamically update its C2 domains against potential takedowns. The malware's payload operates through a multi-stage structure: an initial payload retrieves subsequent payloads from remote servers, employing obfuscation techniques and various methods to bypass security measures like UAC (User Account Control) on Windows systems.
The final payloads provide capabilities for remote control, including webcam access and file manipulation features. Various components, such as 'RuntimeBroker.exe', act as backdoors, ensuring the malware can re-establish itself after deletion attempts and maintain persistence on victim devices. Communication for the campaign is mainly conducted through a dedicated Telegram channel, which has become a hub for discussions and operational instructions among users.
#threatreport#MediumCompleteness
Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages | 01-06-2026
Source: https://t.co/A0pTrwoIvv
Key details below ↓
🧑💻Actors/Campaigns:
Mini_shai-hulud
Teampcp
💀Threats:
Supply_chain_technique, Credential_harvesting_technique, Shai-hulud, Blight_botnet,
🎯Victims: Cloud services, Software development, Ci cd systems, Developers
🌐Geo: Russian
📚TTPs:
⚔️Tactics: 4
🛠️Technics: 0
🧨IOCs:
- File: 9
- Registry: 3
- Url: 1
- Domain: 1
- Hash: 5
💽Software: Kubernetes, anthropic, curl, Docker, sudo
🔢Algorithms: aes-gcm, aes-256-gcm, zip, sha256
🗂️Win API: lockfile
📜Programming Languages: javascript, python
#threatreport:
The recent Mini Shai-Hulud campaign has targeted npm packages within the Red Hat Cloud Services namespace, compromising them to steal sensitive developer information and CI/CD secrets during the installation process. This campaign employs similar tactics to previous threats, particularly focusing on execution at install time, credential harvesting, and downstream propagation, enabled by newly available open-source attack tools.
The affected npm packages employ an obfuscated payload that activates through a preinstall hook, allowing malware to execute during the npm install process prior to any developer interaction with the package. The payload's analysis reveals its design to collect various high-value secrets, including GitHub Actions tokens, npm tokens, cloud credentials, and SSH keys. The payload is also equipped with encrypted exfiltration capabilities and a fallback mechanism to use GitHub for further propagation, indicating the threat actor's intent to maximize credential theft and maintain access.
Specifically, the malicious packages, once installed, utilize a JavaScript loader that decrypts embedded payloads with AES-128-GCM and executes the code dynamically from an obfuscated index.js file. This method obscures the malicious functionalities from static analysis and stages additional credential theft and reconnaissance actions. The loader operates automatically prior to the completion of the installation, misleading users by appearing as legitimate Red Hat Cloud Services functionality.
The malware incorporates sophisticated persistence techniques and environment checks, including evaluations for CI/CD system variables and security tools, mitigating detection risks. Notable operational features include the capability to extract container images, clone repositories, and access various cloud provider metadata and secret management services. It also attempts to modify GitHub workflows, thereby furthering its embedded presence.
Organizations are advised to closely monitor their environments for any installation of the affected packages, especially in CI/CD systems, due to the malware's targeting of critical automation secrets. In cases of exposure, containment actions should go beyond merely uninstalling packages, emphasizing the need to rotate all compromised credentials, isolate affected systems, and review logs for traces of the attack.
Enhancing CI/CD and dependency management controls is paramount to mitigating such risks in the future. Best practices recommended include employing dependency allowlisting, enforcing lockfile integrity, and generating a Software Bill of Materials (SBOM) to monitor for suspicious package modifications. Vigilance in runtime behavior analysis is crucial for detecting any malicious activity stemming from these compromised packages.
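Two of the points above, the preinstall hook that runs before any developer interaction and the recommendation to enforce lockfile integrity, can be checked mechanically on a checked-out project. The following is an added example, not code from the report or from Red Hat: it walks `node_modules`, flags any package declaring an install-time lifecycle script, and cross-checks each installed version against `package-lock.json`. The project tree it builds is a constructed fixture; the package names in it are placeholders.

```python
"""Audit an npm project for install-time lifecycle hooks and lockfile drift.

Added example, not code from the report or from Red Hat: it walks node_modules,
flags packages that declare preinstall/install/postinstall scripts (the hook the
Mini Shai-Hulud payload used) and cross-checks each installed version against
package-lock.json. The fixture built below is constructed.
"""
import json
import tempfile
from pathlib import Path

# npm runs these scripts automatically during `npm install`; a preinstall hook
# executes before the developer ever imports the package.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def installed_packages(node_modules: Path):
    """Yield (name, path to package.json) for each installed package, scoped ones included."""
    if not node_modules.is_dir():
        return
    for entry in sorted(node_modules.iterdir()):
        if entry.name.startswith("@"):
            for scoped in sorted(entry.iterdir()):
                pj = scoped / "package.json"
                if pj.is_file():
                    yield f"{entry.name}/{scoped.name}", pj
        else:
            pj = entry / "package.json"
            if pj.is_file():
                yield entry.name, pj


def locked_versions(lockfile: Path) -> dict:
    """Map package name -> version from a lockfileVersion 2/3 package-lock.json."""
    data = json.loads(lockfile.read_text())
    versions = {}
    for key, meta in data.get("packages", {}).items():
        if not key:  # "" is the root project itself
            continue
        name = key.split("node_modules/")[-1]  # strips nesting prefixes
        versions[name] = meta.get("version")
    return versions


def audit(project_dir: Path) -> list:
    """Return findings: lifecycle hooks, version drift from the lockfile, unlisted packages."""
    findings = []
    lock = project_dir / "package-lock.json"
    locked = locked_versions(lock) if lock.is_file() else {}
    for name, pj_path in installed_packages(project_dir / "node_modules"):
        pkg = json.loads(pj_path.read_text())
        installed = pkg.get("version")
        for hook, command in pkg.get("scripts", {}).items():
            if hook in LIFECYCLE_HOOKS:
                findings.append({"package": name, "kind": "lifecycle_hook",
                                 "hook": hook, "command": command})
        if locked:
            if name not in locked:
                findings.append({"package": name, "kind": "not_in_lockfile",
                                 "installed": installed})
            elif locked[name] != installed:
                findings.append({"package": name, "kind": "lockfile_drift",
                                 "locked": locked[name], "installed": installed})
    return findings


def build_fixture() -> Path:
    """Constructed project tree: one scoped package with a preinstall hook whose
    installed version drifts from the lockfile, and one benign package."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    (root / "package-lock.json").write_text(json.dumps({
        "name": "demo", "lockfileVersion": 3,
        "packages": {
            "": {"name": "demo"},
            "node_modules/@example-scope/widget": {"version": "1.2.3"},
            "node_modules/left-pad": {"version": "1.3.0"},
        },
    }))

    def write_pkg(rel: str, pkg: dict) -> None:
        d = root / "node_modules" / rel
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(pkg))

    write_pkg("@example-scope/widget", {"name": "@example-scope/widget", "version": "1.2.4",
                                        "scripts": {"preinstall": "node index.js"}})
    write_pkg("left-pad", {"name": "left-pad", "version": "1.3.0",
                           "scripts": {"test": "mocha"}})
    return root


if __name__ == "__main__":
    for finding in audit(build_fixture()):
        print(finding)
```

Run `audit(Path("."))` from a project root in CI; any `lifecycle_hook` finding on a newly bumped dependency is worth a manual look before the install is allowed to proceed, and `npm ci` (which refuses to run when `package.json` and the lockfile disagree) complements the drift check.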
#threatreport#LowCompleteness
Unidentified RAT pushes NetSupport RAT | 02-06-2026
Source: https://t.co/MrQYxbknsK
Key details below ↓
🧑💻Actors/Campaigns:
Smartapesg
💀Threats:
Netsupportmanager_rat, Clickfix_technique,
🎯Victims: Windows hosts
🤖LLM extracted TTPs:
T1059.003, T1070.004, T1095, T1105, T1132, T1204
🧨IOCs:
- IP: 1
- Url: 8
- Hash: 4
- File: 2
💽Software: Mastodon
🔢Algorithms: zip, sha256
#threatreport:
An unidentified Remote Access Trojan (RAT) has been detected in ongoing infections linked to the SmartApeSG ClickFix campaign, with notable activity observed on May 27, 2026. The initial RAT, whose name remains unknown, is generating encoded traffic (not secured by HTTPS/SSL/TLS) directed at a command and control (C2) server with the IP address of 89.110.110.119 over TCP port 443. This communication pattern has been consistently noted since April 2026.
The SmartApeSG campaign appears to distribute follow-up payloads, notably the NetSupport Manager RAT, using the initial RAT's communications. During the analyzed incident, several files related to the NetSupport RAT were transmitted through traffic generated by the initial RAT. Specific indicators of this activity include various file types and locations indicative of malicious intent:
A Zip archive (approximately 26.5 MB) hosted at hxxps://silverharvestnetwork.com/check contains the setup for the initial RAT. Upon execution, this leads to the creation of a DOS batch file named token.bat, located in the C:\ProgramData directory. This batch file, measuring around 8.3 KB, is responsible for extracting and launching the NetSupport RAT from a Microsoft Cabinet (CAB) file, located at C:\ProgramData\https://t.co/Ya73jYEKzh, which is approximately 17.3 MB in size.
Upon successful installation of the malicious NetSupport RAT, the script deletes itself along with related files (processor.vbs and https://t.co/Ya73jYEKzh) to avoid detection and ensure persistence on the infected system. The current indicators for this activity, such as domains and file hashes, are subject to frequent changes, indicative of the campaign's adaptability and the attackers' attempts to evade analysis. For real-time updates on these indicators related to SmartApeSG and similar threats, monitoring feeds are available, emphasizing the dynamic nature of ongoing cyber threats.
#threatreport#HighCompleteness
PHANTOMPULSE: anatomy of a hijackable blockchain-C2 RAT | 01-06-2026
Source: https://t.co/QBAXd8mXfn
Key details below ↓
🧑💻Actors/Campaigns:
Ref6598
Contagious_interview
Lazarus
Bluenoroff
Unc5342
💀Threats:
Phantompulse_rat, Phantompull, Process_injection_technique, Dll_injection_technique, Phantominject_tool, Dbgnexum_tool, Apc_injection_technique, Uac_bypass_technique, Trap_flag_technique, Uacme_tool, Dead_drop_technique, Etherhiding_technique, Spear-phishing_technique, Dll_sideloading_technique,
🎯Victims: Cryptocurrency sector
🏭Industry: Financial, Entertainment
🌐Geo: Indian, Dprk, Korean, Chinese
📚TTPs:
⚔️Tactics: 11
🛠️Technics: 0
🧨IOCs:
- File: 27
- Domain: 7
- Coin: 2
- Url: 2
- Hash: 3
- IP: 1
💽Software: Obsidian, Windows Defender, winlogon, telegram, discord, viber, slack, whatsapp, outlook, authy, ...
📲Wallets: trezor, bitcoincore, electrum, exodus_wallet, guarda_wallet
🪙Crypto: ethereum
🔢Algorithms: lznt1, xor, sha256
🔠Functions: FindHostProcessEx, MainEntryLogic
🗂️Win API: NtCreateFile, NtWriteFile, AmsiScanBuffer, EtwEventWrite, LoadLibraryA, NtGetContextThread, NtSetContextThread, AddVectoredExceptionHandler, VirtualAlloc, VirtualProtect, ...
⚙️Win Services: MsMpEng
📜Programming Languages: powershell
💻Platforms: x86, cross-platform, x64
YARA: Found
#threatreport:
PHANTOMPULSE is a sophisticated remote access Trojan (RAT) that poses a significant threat within the crypto sector, delivered through the REF6598 intrusion set. The analysis of this malware reveals several advanced techniques employed in its architecture, indicating a highly organized threat actor possibly linked to North Korean cyber groups such as Lazarus and BlueNoroff.
This RAT utilizes three distinct process-injection techniques and resolves its command-and-control (C2) communications through a unique method based on Ethereum blockchain transactions. Notably, the C2 mechanism lacks sender verification, which presents a potential sinkhole opportunity for cybersecurity defenders. PHANTOMPULSE bypasses User Account Control (UAC) via the schuac technique, effectively elevating privileges without arousing suspicion. The implant demonstrates strong evidence of AI-assisted development, with verbose logging and structured operational messages that suggest automated coding practices.
The malware employs direct system calls and API wrappers by leveraging the process environment block (PEB) to optimize function resolution. This efficiency allows PHANTOMPULSE to evade detection mechanisms such as the Anti-Malware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), and Event Tracing for Windows (ETW) through a shared hardware breakpoint strategy. This implementation involves sophisticated techniques to intercept API calls seamlessly, effectively spoofing return values without altering the base code, making traditional signature-based detection methodologies ineffective.
The execution chain of PHANTOMPULSE commences with an orchestration function that hashes the user and computer names to quickly exit if the process is recognized as a sandbox. The malware’s self-healing capability ensures persistence, with checks every ten iterations to maintain its foothold even against interruptions. In addition, it systematically monitors the system for high-value applications, thereby allowing its operators to tailor follow-up tasks based on the identified software presence.
Moreover, PHANTOMPULSE implements several injection techniques, such as PhantomInject for module stomping and DbgNexum to control execution through the Windows debugging API, showcasing advanced obfuscation and evasion mechanisms. The RAT also carries a keylogger and can capture screenshots, further emphasizing its surveillance capabilities tailored for the cryptocurrency landscape.
The overall behavior and tactics of PHANTOMPULSE reflect a mature operation featuring an active development cycle. The use of blockchain for C2 resolution parallels strategies attributed to DPRK-affiliated groups, reinforcing targeted efforts against cryptocurrency platforms. This insight provides a clear imperative for organizations engaged in the crypto space to enhance their security measures, focusing on behavioral detection and proactive hunting for transactions associated with PHANTOMPULSE indicators.
#threatreport#LowCompleteness
Crypto Guest at Dawn Endpoint (Midnight) Ransomware Analysis | 02-06-2026
Source: https://t.co/2CPEjPqkZs
Key details below ↓
💀Threats:
Midnight_ransomware, Babuk, Shadow_copies_delete_technique, Trojan/win.generic.c5765109, Ransom/mdp.delete.m2117, Ransom/mdp.command.m2255, Ransom/mdp.decoy.m1171, Ransom/mdp.event.m1946, Ransom/mdp.event.m1875,
🎯Victims: Windows environments, Esxi environments, Nas environments
🌐Geo: North korea, Asia
🤖LLM extracted TTPs:
T1082, T1480.002, T1486, T1489, T1490, T1562.001
🧨IOCs:
- File: 3
- Command: 1
💽Software: ESXi
🔢Algorithms: md5, chacha20, sha256
🗂️Win API: FindFirstFileW, MoveFileExW
#threatreport:
EndPoint, a ransomware variant formerly known as Midnight, is derived from the Babuk ransomware framework and targets Windows environments, along with ESXi and NAS systems. This ransomware employs a double-extortion technique, combining file encryption with threats of data exfiltration to pressure victims into payment. The files encrypted by EndPoint are marked with the .endpoint extension, and the ransom note instructs victims to contact the operators via a uTox ID. Notably, the email account included in the ransom note has been traced back to North Korean-linked attackers, suggesting potential state-sponsored involvement in these cyber extortion efforts.
Prior to initiating the encryption process, EndPoint meticulously terminates several critical processes across different applications, specifically targeting database systems, office applications, and email clients. It conducts a thorough cleanup by deleting Windows volume shadow copies using the command "vssadmin.exe delete shadows /all /quiet," thus hindering recovery options for victims. Additionally, it halts backup and security services, including those from Veeam, Sophos, and Acronis, which further complicates the recovery efforts for affected systems.
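The shadow-copy deletion quoted above is one of the most reliable pre-encryption signals in process-creation telemetry. The following is an added example, not code from the report: it classifies command lines with patterns that match the `vssadmin.exe delete shadows /all /quiet` form cited here regardless of case, spacing or the `.exe` suffix, and, going beyond the page, also catches the equivalent `wmic shadowcopy delete` form (both MITRE ATT&CK T1490). The sample events are constructed, not captured from a real incident.

```python
"""Flag shadow-copy deletion in process-creation telemetry.

Added example, not code from the report: it matches the vssadmin command the
EndPoint/Midnight summary quotes and, as an extension, the equivalent wmic
shadowcopy deletion (both MITRE ATT&CK T1490, Inhibit System Recovery).
The events below are constructed, not captured from a real incident.
"""
import re

# Case-insensitive, tolerant of "vssadmin" vs "vssadmin.exe", argument order and spacing.
RULES = (
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)),
)


def classify_command(command_line: str):
    """Return the matching rule name, or None for a command line no rule matches."""
    for name, pattern in RULES:
        if pattern.search(command_line):
            return name
    return None


def scan_events(events):
    """Return one alert per matching process-creation event, keeping the parent image
    for context: shadow deletion spawned from a binary in a user-writable path is the
    strong signal, the same command from an admin console is routine maintenance."""
    alerts = []
    for ev in events:
        rule = classify_command(ev["command_line"])
        if rule is None:
            continue
        alerts.append({
            "rule": rule,
            "pid": ev["pid"],
            "parent_image": ev["parent_image"],
            "command_line": ev["command_line"],
            "quiet": "/quiet" in ev["command_line"].lower(),
        })
    return alerts


# Constructed sample telemetry (Sysmon event ID 1 / EDR process-start style fields).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Users\Public\sample.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4188, "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "vssadmin.exe list shadows"},
    {"pid": 4201, "parent_image": r"C:\Users\Public\sample.exe",
     "command_line": "WMIC shadowcopy delete /nointeractive"},
    {"pid": 4210, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell.exe -c "Get-Date"'},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The `/quiet` flag is carried through because the report's command uses it; interactive administrators rarely do, so it is a useful tie-breaker when a rule fires on a host where shadow management is otherwise normal.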
The encryption routine of EndPoint is aggressive and targets a variety of directories and file types, such as Windows system files, Program Files, AppData, boot manager files, and executables. It utilizes a multi-threaded approach to increase encryption speed by leveraging the number of CPU cores available on the infected machine and employs a mutex named Mutexisfunnylocal to avoid re-execution of the malware, thus streamlining its operations.
As the ransomware landscape evolves, EndPoint exemplifies the persistent threat posed by sophisticated ransomware variants that exploit known vulnerabilities and established cyberattack methodologies.
#threatreport#MediumCompleteness
Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor | 02-06-2026
Source: https://t.co/NCXkq6pgOD
Key details below ↓
🧑💻Actors/Campaigns:
Cl-cri-1089
💀Threats:
Flutterbridge, Fluttershell, Jscorerunner, Tamperedchef, Sparkle_tool,
🎯Victims: Macos users, Windows users, Google chrome users
🌐Geo: Canada, Germany, Australia, France, Ukraine, Ukrainian
📚TTPs:
⚔️Tactics: 2
🛠️Technics: 0
🤖LLM extracted TTPs:
T1005, T1027, T1036, T1041, T1059.004, T1059.007, T1071.001, T1082, T1083, T1105, ...
🧨IOCs:
- Domain: 8
- Hash: 9
- File: 4
- Url: 3
💽Software: macOS, Flutter, Google Chrome, Flutter's, Chrome, Linux
🔢Algorithms: sha256, base64, exhibit
🔠Functions: exit, setSize
📜Programming Languages: javascript
💻Platforms: apple, intel
#threatreport:
Operation FlutterBridge is a malvertising campaign targeting macOS systems, evolving from the earlier JSCoreRunner campaign. The principal malware identified in this operation is called FlutterShell. This payload not only functions as adware but also possesses backdoor capabilities, enabling attackers to execute shell commands, manipulate files within the file system, and route data through an attacker-controlled server for exfiltration. FlutterShell's architecture is based on the Flutter framework, allowing attackers to host malicious logic externally and dynamically alter its behavior in real-time without redistributing the application.
The campaign employs a sophisticated delivery mechanism utilizing Google Ads, targeting primarily Anglophone and Western European audiences through a network of verified shell companies to bypass vetting processes. Research indicates the attackers have created a broad range of ads designed to deceive users into installing what appear to be legitimate desktop applications. Although recent variants of FlutterShell have been observed functioning primarily as adware, they exhibit much more alarming potential, effectively operating as a backdoor.
The malware utilizes a JavaScript-to-native bridge approach, which allows remote attackers to inject and manipulate malicious commands via an integrated WebView component. Upon execution, FlutterShell modifies browser settings, specifically targeting Google Chrome configurations to hijack user traffic and redirect it to an ad-filled site controlled by the attackers. This process includes altering critical JSON settings in the Chrome Secure Preferences file.
FlutterShell has numerous variants, including simulated applications like PodcastsLounge and PDF-Brain, which have successfully evaded detection owing to valid Apple Developer ID signatures and notarization from Apple. These apps are full-featured and functional, masking the malicious code that operates in the background. The dynamic hosting of the malicious logic on an external webpage allows attackers flexibility in altering their tactics without needing to push software updates.
Distinct behaviors have been noted across variants, with the later models employing various obfuscation techniques to complicate reverse engineering efforts. The integration of an AI summarization feature in some variants also serves as a dual-purpose tool for both data exfiltration and data processing, underpinning the sophistication of this campaign.
The campaign capitalized on various shell entities registered with minimal online presence to maintain a façade of legitimacy while utilizing a layered infrastructure for ad distribution. The attackers have demonstrated adaptability, continually repurposing and modifying their operations while maintaining high levels of obfuscation and evasion. This adaptability underlines the persistent threat posed by the CL-CRI-1089 cluster and has significant implications for security analysis and response strategies against such evolved threat architectures.