A little thread exposing screenshots + comms from the Gentlemen Leaks. These provide super interesting insight into the inside operations of successful RaaS groups.
Everything from aspects of operators' personal lives, their TTPs, and victims. All images shared are from the Rocket[.]Chat leak
We even discovered that in March they attempted to send flowers to a UK-based victim....
On 28th Feb, they recognise they're "top 2" on https://t.co/hpPlgsz0wo + Devman has gone ;)🚓
Translation of zeta88's first message:
"In short, Devman was either taken in, for health reasons, or because of a rebranding—it all disappeared.
And we're top 2 on RansomLive based on statistics, but not based on profit, I think."
We can see a @GangExposed tweet shared by The Gentlemen, alongside the https://t.co/hpPlgsz0wo stats
🧵 CATCHING THREAT ACTORS IN PROD: The "Mihók-Dev" Files
A Hungarian cryptomining operator left their entire working directory publicly accessible on a Python HTTP server. One zip file. Full toolkit, bash history, compiled binary, scan logs, all of it.
Here is the technical breakdown of NOVA SYMBIO NETWORK v1.0
Actor: Mihók-Dev / "Mihók Dániel"
Contact hardcoded across every file: Mihokdaniel84[@]https://t.co/mlURZdRSTq
Selling price: €1,000 BTC/XMR/ETH
Active since: First artifact timestamps to 2022-04-22 19:48 UTC
This is not a groundbreaking or complex toolkit by any means. We were unable to find this advertised publicly anywhere yet; based on the code, it had strong signs it was made using an LLM, which is increasingly common. When hunting on @Huntio, you can catch these threat actors early by leveraging https://t.co/TRdBlR7K5z data
The RAT is called Sonic. The .NET dropper's own method names describe exactly what it does:
IsJavaInstalled → InstallJavaSilently → RunJarSilent → EnsureHostsEntry
Installs Java silently, launches a hidden obfuscated JAR, rewrites the hosts file to route C2 traffic. Can pull additional payloads post-infection via DownloadFile. Window hidden at launch. Operator gets an audio alert when a victim connects.
One confirmed victim check-in: Windows 10 · Turkey · Administrator privileges. (Likely testing)
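The EnsureHostsEntry step above is the part of the Sonic dropper a responder can check for directly: a hosts file that maps a hostname to a routable address. The script below is an added triage example, not the dropper's code or anything from the thread; the hosts content, hostnames and IPs in it are constructed placeholders, and the `allow` list is an assumed per-site exception mechanism.

```python
"""Triage a Windows hosts file for entries that look like EnsureHostsEntry-style
C2 pinning: a hostname mapped to a non-loopback, non-unspecified address.

Added example; not code from the Sonic dropper or from the original thread.
SAMPLE_HOSTS is constructed, and its hostnames/IPs are placeholders, not IOCs."""
import ipaddress
import sys

# Addresses a stock hosts file legitimately maps names to.
_LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net         # ad-block style entry, benign
10.0.0.5        intranet.corp.example   # constructed: known internal override
203.0.113.7     update.example.org      # constructed: external pin for a C2 name
"""


def parse_hosts(text):
    """Return [(ip, [hostnames], line_no)] for each active mapping line.
    Comment and blank lines are skipped; inline comments are stripped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        entries.append((ip, parts[1:], no))
    return entries


def suspicious_entries(text, allow=frozenset()):
    """Return mappings that pin a hostname to a routable address.
    Loopback and unspecified (0.0.0.0 sinkhole) targets are benign;
    hostnames in `allow` (assumed site-specific exceptions) are ignored."""
    findings = []
    for ip, names, no in parse_hosts(text):
        if ip in _LOOPBACK or ip.is_unspecified:
            continue
        hits = [n for n in names if n.lower() not in allow]
        if hits:
            findings.append({"line": no, "ip": str(ip), "hosts": hits})
    return findings


if __name__ == "__main__":
    # Pass a real hosts file path as argv[1]; otherwise run on the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in suspicious_entries(text, allow={"intranet.corp.example"}):
        print(f"line {f['line']}: {f['ip']} -> {', '.join(f['hosts'])}")
```

Run it against `C:\Windows\System32\drivers\etc\hosts` on the suspect box; any hit that is not a documented internal override is worth pulling the Java process tree for, since the dropper writes the entry before launching the JAR.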
Someone deployed a phishing platform + remote access trojan across 14 servers, then left every single one wide open.
Same image. Same live credentials. Same RAT binaries. All publicly readable across the entire subnet.
Found on @Huntio. Here's what was running 🧵
In April, our team found a vibe-coded dashboard guessing FedEx tracking numbers. With 4M+ records and 498 proxies, the scale was impressive, though the adversary's goal remains unknown. Any idea what the adversary was trying to accomplish?
Ctrl-Alt-Intel has exposed a threat actor leveraging cPanel/CVE-2026-41940 to:
- Target Government/Military entities in South-East Asia
- Target a small set of MSPs / hosting providers
Separately, they exploited novel vulnerabilities against a SEA defense sector victim and:
⚠️Targeted cPanel/WHM CVE-2026-41940 exploitation seen in the wild
🇧🇩 Bangladesh education sector targeted
154.18.187[.]239
hXXp://windowsupdate[.]sh:18888/sub_shell.py
This appears to build upon & weaponise the PoC provided by watchTowr - https://t.co/v3Tt5bozuJ (1/n)
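To actually hunt for the two indicators above you first have to refang them and then match them against web-server or proxy logs without tripping on look-alikes. The script below is an added example, not code from Ctrl-Alt-Intel or watchTowr; the indicators are the two from the thread, the log lines are constructed, and the request paths in them are placeholders rather than the exploit's real requests.

```python
"""Refang the defanged indicators from the cPanel/WHM thread and hunt for them
in Apache-style log lines. Added example, not the researchers' code.
SAMPLE_LOGS is constructed; only the two IOCs come from the thread."""
import re

DEFANGED_IOCS = [
    "154.18.187[.]239",
    "hXXp://windowsupdate[.]sh:18888/sub_shell.py",
]

SAMPLE_LOGS = [  # constructed Apache combined-log lines, placeholder paths
    '198.51.100.4 - - [01/May/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '154.18.187.239 - - [01/May/2026:10:02:14 +0000] "POST /login/ HTTP/1.1" 200 88',
    '198.51.100.9 - - [01/May/2026:10:03:40 +0000] "GET /?u=http://windowsupdate.sh:18888/sub_shell.py HTTP/1.1" 200 10',
    '154.18.187.2390 - - [01/May/2026:10:04:00 +0000] "GET / HTTP/1.1" 200 10',
    '198.51.100.9 - - [01/May/2026:10:05:00 +0000] "GET /?u=http://windowsupdate.sh:18888/other.py HTTP/1.1" 200 10',
]


def refang(ioc):
    """Undo the usual defanging: [.] / (.) / (dot) -> '.', hXXp(s):// -> http(s)://."""
    s = ioc.replace("[.]", ".").replace("(.)", ".").replace("(dot)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)


def ioc_atoms(iocs):
    """Searchable atoms: each refanged indicator plus, for URLs, the bare host,
    so a different path on the same staging host still produces a hit."""
    atoms = set()
    for ioc in iocs:
        r = refang(ioc)
        atoms.add(r)
        m = re.match(r"^https?://([^/:]+)", r)
        if m:
            atoms.add(m.group(1))
    return atoms


def hunt(log_lines, iocs):
    """Return (line_no, matched_atom) for each line containing an indicator.
    Literal, case-insensitive matching, bounded so 154.18.187.239 does not
    match 154.18.187.2390; longer atoms are tried first so the full URL wins
    over its bare host when both are present."""
    atoms = sorted(ioc_atoms(iocs), key=len, reverse=True)
    pat = re.compile("|".join(rf"(?<![\w.]){re.escape(a)}(?![\w.])" for a in atoms), re.I)
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = pat.search(line)
        if m:
            hits.append((no, m.group(0)))
    return hits


if __name__ == "__main__":
    for no, atom in hunt(SAMPLE_LOGS, DEFANGED_IOCS):
        print(f"line {no}: {atom}")
```

The host-only atom is deliberate: the `sub_shell.py` filename is the weakest part of the indicator, and a retooled stage on the same `windowsupdate[.]sh` host should still surface in the hunt.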