🚨 Reports of activity referred to as FortiBleed indicate malicious cyber activity targeting Fortinet FortiGate devices across government & private sector organizations. Review our Alert and take immediate action to protect your organization’s systems. 👉 https://t.co/VhDx0zq2o1
Codeless attack: An attacker types plain text into a chat app. An #LLM turns the text into shell commands on the victim. Stolen files come back through the same chat. Zero coding skills needed to operate, and no custom infrastructure to detect. Details at https://t.co/nlg8UeFy4h
We detected a malicious browser extension campaign that trojanizes legitimate extensions to serve ads covertly. The extension categories include ad blocking, messaging privacy, screen recording and music control. 1,000+ installations so far. Details at https://t.co/xrHkntgcUk
🚨 APT28 Turns EdgeRouters Into Attack Infrastructure
https://t.co/yqtqJTQzjO
Russia-linked APT28, also known as Fancy Bear, is shifting more of its operations onto compromised SOHO routers and edge devices.
At the peak of the activity, more than 18,000 unique IPs across 120 countries were seen communicating with APT28-controlled servers.
The group abused Ubiquiti EdgeRouters, targeted MikroTik and TP-Link routers, and routed malware traffic through trusted cloud services.
Instead of using obvious C2 servers, Fancy Bear is hiding behind compromised routers and trusted cloud services.
#ThreatIntelligence #FancyBear #APT28 #CyberSecurity
We detected an evasive #ClickFix injection with a fake Lirunex payment platform lure that tricks the user into requesting the SSL certificate path through a file dialog box but silently delivers a RAT disguised as image files. Details at https://t.co/3gOKYWrMLz
We are tracking Pink (CL-CRI-1147), a new Com-affiliated extortion brand whose leak site went live 5/31/26. Pink uses vishing and IT impersonation to phish credentials/MFA, then exfiltrates enterprise cloud storage and productivity data to extort victims: https://t.co/gyaGA1iG1S
Microsoft has uncovered a supply chain attack involving malicious npm packages registered under organizational scopes that mirror real internal corporate namespaces, employing the dependency confusion technique to deploy a reconnaissance payload. https://t.co/z2GjRIAyYS
A threat actor operating under three maintainer aliases, mr.4nd3r50n, ce-rwb, and t-in-one, published malicious packages that impersonate internal corporate packages, with several spoofing internal enterprise infrastructure URLs in their package.json to appear legitimate.
Once installed, the packages download and execute an obfuscated payload from an attacker-controlled command-and-control (C2) server to collect system information, hostnames, environment variables, and developer context. Read the blog for in-depth analysis and mitigation, detection, and hunting details.
Secret Blizzard’s Kazuar malware has evolved from a traditional backdoor into a modular botnet optimized for stealth and persistence. This upgrade aligns with the Russian state actor’s espionage-focused operations. https://t.co/KRnrTZRIqJ
While many threat actors rely on increasing usage of native tools (living-off-the-land binaries (LOLBins)) to avoid detection, Kazuar’s evolution highlights how Secret Blizzard is engineering resilience and stealth directly into their tooling.
Our latest blog breaks down Kazuar’s architecture and botnet operations, and provides protection and detection guidance for defenders:
Google Threat Intelligence Group is dropping our latest AI Threat Tracker report today, which covers several threats we are watching through a variety of means. The report includes some details of the first 0day exploit we've found developed with AI. 1/x https://t.co/klvOrX31xv
We observed a phishing campaign pivot to evade static analysis, shifting from credential theft to #OAuth device code phishing. Attackers replaced hardcoded URLs with runtime-fetched landing pages and generated images as blob URLs. Details at: https://t.co/R0zi1o5smS
Microsoft Defender has published analysis, detection insights, and mitigation recommendations for CVE-2026-31431 (also known as “Copy Fail”), a high-severity local privilege escalation vulnerability affecting multiple major Linux distributions: https://t.co/hX49wPOIPB
Better understand agentic AI systems and mitigate the cybersecurity risks using a new guide we authored with @ASDGovAu and others. View the joint report. #Cybersecurity #AgenticAI
https://t.co/3nOvJwMYdS
🆕 Tracking ShinyHunters just got easier.
🚀We launched a free, unified intelligence timeline for the ShinyHunters threat group — all their activity in one place, in real time.
3 categories, all in one view:
🔶 Ransomware — direct victim claims from their darknet leak site
🔴 Group Forum Activity — forum posts published under their own identity
🟣 Intel Reports — third-party mentions & intelligence about the group.
All events are AI-classified and risk-scored by DarkFeed's monitoring engine.
Free & open to everyone 👇 https://t.co/ryQtWBdqKU
#ThreatIntelligence #Ransomware #ShinyHunters #CTI #Cybersecurity
We discovered phishing emails falsely warning recipients their mailbox storage limit was exceeded. Emails include shortened links that redirect to fake cloud storage pages, ultimately redirecting users to pages selling VPNs or antivirus software. Details: https://t.co/BvzeEWd5Y7
At least 300 Germans are confirmed victims, including a senior CDU foreign policy MP and the former deputy head of German foreign intelligence (BND). The BfV's own internal warning says the real number is "significantly higher" and that numerous Signal groups in the parliamentary sphere are likely being read in real time, right now. The FBI and CISA put the international count in the thousands.
The BfV sent a 20-page warning to parliamentary party leaders last week. Klöckner, for her part, had previously warned publicly about the growing threat of cyberattacks on the Bundestag.
More reliable story link: https://t.co/8GZ6h6nsUa
🚨New research reveals how two sophisticated surveillance actors exploited the global telecom ecosystem and, for the first time, directly links combined 3G and 4G network attacks to mobile operator infrastructure.
Full report 👇
https://t.co/NfBNUuewdj
Microsoft Defender Research discovered an intent redirection vulnerability in a widely used third-party Android SDK that enabled apps on the same device to bypass Android sandbox protections and gain unauthorized access to private data. https://t.co/AkmCJ0uSuV
The Russian military intelligence actor Forest Blizzard has conducted large-scale exploitation of vulnerable small office/home office (SOHO) devices to hijack DNS requests and enable persistent, passive visibility and reconnaissance at scale. https://t.co/6oONFAtP20
By compromising edge devices that are upstream of larger targets, threat actors could take advantage of less closely monitored assets to pivot into enterprise environments. We have identified over 200 organizations and 5,000 consumer devices impacted by Forest Blizzard’s malicious DNS infrastructure.
Microsoft Threat Intelligence is publishing this research to increase awareness of the risks associated with insecure home and small-office internet devices and to give users and organizations tools to mitigate, detect, and hunt for these threats where they might be impacted.
NEW: An APT41/Winnti ELF backdoor with near-maximum entropy obfuscation, invisible to Shodan for 2.5 years.
Three C2 domains typosquatting Chinese tech companies:
- ai[.]qianxing[.]co (Qianxin AI)
- ns1[.]a1iyun[.]top (Alibaba Cloud — note the "1" replacing "l")
- ai[.]aliyuncs[.]help (Alibaba Cloud Storage)
All resolve to one Alibaba Cloud IP in Singapore. Let's Encrypt wildcard cert from August 2023.
The implant harvests cloud instance metadata (169.254.169.254) for credential theft across AWS, GCP, Azure, and Alibaba Cloud workloads. Uses SMTP port 25 as a covert C2 channel. UDP broadcast to 255.255.255.255:6006 for LAN discovery.
Lineage: PWNLNX → RedXOR → AzazelFork → Earth Lusca → Melofee → this sample.
3 YARA + 9 Suricata on GitHub.
Full writeup: https://t.co/383qWNvGyU
h/t @TuringAlex