home.social

#cobaltstrike — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #cobaltstrike, aggregated by home.social.

  1. CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON

    Mandiant ha pubblicato i dettagli dell'exploitation attiva di CVE-2026-5426, zero-day nel LMS KnowledgeDeliver causato da chiavi ASP.NET machineKey hardcoded e condivise tra tutte le installazioni. L'attacco ha portato al deployment della web shell in-memory BLUEBEAM e, tramite social engineering degli utenti, alla distribuzione di Cobalt Strike BEACON personalizzato per organizzazione.

    insicurezzadigitale.com/cve-20

  2. CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON

    Mandiant ha pubblicato i dettagli dell'exploitation attiva di CVE-2026-5426, zero-day nel LMS KnowledgeDeliver causato da chiavi ASP.NET machineKey hardcoded e condivise tra tutte le installazioni. L'attacco ha portato al deployment della web shell in-memory BLUEBEAM e, tramite social engineering degli utenti, alla distribuzione di Cobalt Strike BEACON personalizzato per organizzazione.

    insicurezzadigitale.com/cve-20

  3. CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON

    Mandiant ha pubblicato i dettagli dell'exploitation attiva di CVE-2026-5426, zero-day nel LMS KnowledgeDeliver causato da chiavi ASP.NET machineKey hardcoded e condivise tra tutte le installazioni. L'attacco ha portato al deployment della web shell in-memory BLUEBEAM e, tramite social engineering degli utenti, alla distribuzione di Cobalt Strike BEACON personalizzato per organizzazione.

    insicurezzadigitale.com/cve-20

  4. CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON

    Mandiant ha pubblicato i dettagli dell'exploitation attiva di CVE-2026-5426, zero-day nel LMS KnowledgeDeliver causato da chiavi ASP.NET machineKey hardcoded e condivise tra tutte le installazioni. L'attacco ha portato al deployment della web shell in-memory BLUEBEAM e, tramite social engineering degli utenti, alla distribuzione di Cobalt Strike BEACON personalizzato per organizzazione.

    insicurezzadigitale.com/cve-20

  5. CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON

    Mandiant ha pubblicato i dettagli dell'exploitation attiva di CVE-2026-5426, zero-day nel LMS KnowledgeDeliver causato da chiavi ASP.NET machineKey hardcoded e condivise tra tutte le installazioni. L'attacco ha portato al deployment della web shell in-memory BLUEBEAM e, tramite social engineering degli utenti, alla distribuzione di Cobalt Strike BEACON personalizzato per organizzazione.

    insicurezzadigitale.com/cve-20

  6. Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability

    In late 2025, an unknown threat actor exploited a critical zero-day vulnerability in KnowledgeDeliver, a Learning Management System widely used in Japan. The vulnerability, tracked as CVE-2026-5426, allowed unauthenticated remote code execution through ViewState deserialization attacks. The issue stemmed from identical hardcoded ASP.NET machine keys distributed across multiple customer deployments in the vendor's configuration files. Attackers obtained these keys from one deployment and used them to compromise other internet-facing instances. Following initial access, threat actors deployed the BLUEBEAM in-memory web shell, modified JavaScript files to display fake security alerts, and tricked users into installing malicious software that delivered Cobalt Strike BEACON backdoors. The attack demonstrates the severe risks of shared secrets in deployment templates and highlights the importance of unique cryptographic keys per installation.

    Pulse ID: 6a140384686e44f07358066d
    Pulse Link: otx.alienvault.com/pulse/6a140
    Pulse Author: AlienVault
    Created: 2026-05-25 08:08:36

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #CobaltStrike #CyberSecurity #Edge #InfoSec #Japan #Java #JavaScript #Mac #NET #OTX #OpenThreatExchange #RAT #RemoteCodeExecution #Vulnerability #ZeroDay #bot #AlienVault

  7. Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

    Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...

    Pulse ID: 6a0f8f36422c8adb515a9804
    Pulse Link: otx.alienvault.com/pulse/6a0f8
    Pulse Author: AlienVault
    Created: 2026-05-21 23:03:18

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault

  8. Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

    Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...

    Pulse ID: 6a0f8f36422c8adb515a9804
    Pulse Link: otx.alienvault.com/pulse/6a0f8
    Pulse Author: AlienVault
    Created: 2026-05-21 23:03:18

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault

  9. Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

    Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...

    Pulse ID: 6a0f8f36422c8adb515a9804
    Pulse Link: otx.alienvault.com/pulse/6a0f8
    Pulse Author: AlienVault
    Created: 2026-05-21 23:03:18

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault

  10. Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

    Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...

    Pulse ID: 6a0f8f36422c8adb515a9804
    Pulse Link: otx.alienvault.com/pulse/6a0f8
    Pulse Author: AlienVault
    Created: 2026-05-21 23:03:18

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault

  11. Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

    Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...

    Pulse ID: 6a0f8f36422c8adb515a9804
    Pulse Link: otx.alienvault.com/pulse/6a0f8
    Pulse Author: AlienVault
    Created: 2026-05-21 23:03:18

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault

  12. Fresh mischief and digital shenanigans

    FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.

    Pulse ID: 6a0e803c81c123ee6cf7066a
    Pulse Link: otx.alienvault.com/pulse/6a0e8
    Pulse Author: AlienVault
    Created: 2026-05-21 03:47:08

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault

  13. Fresh mischief and digital shenanigans

    FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.

    Pulse ID: 6a0e803c81c123ee6cf7066a
    Pulse Link: otx.alienvault.com/pulse/6a0e8
    Pulse Author: AlienVault
    Created: 2026-05-21 03:47:08

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault

  14. Fresh mischief and digital shenanigans

    FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.

    Pulse ID: 6a0e803c81c123ee6cf7066a
    Pulse Link: otx.alienvault.com/pulse/6a0e8
    Pulse Author: AlienVault
    Created: 2026-05-21 03:47:08

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault

  15. Fresh mischief and digital shenanigans

    FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.

    Pulse ID: 6a0e803c81c123ee6cf7066a
    Pulse Link: otx.alienvault.com/pulse/6a0e8
    Pulse Author: AlienVault
    Created: 2026-05-21 03:47:08

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault

  16. Fresh mischief and digital shenanigans

    FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.

    Pulse ID: 6a0e803c81c123ee6cf7066a
    Pulse Link: otx.alienvault.com/pulse/6a0e8
    Pulse Author: AlienVault
    Created: 2026-05-21 03:47:08

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault

  17. Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure

    A sophisticated spear-phishing campaign designated Operation Dragon Whistle has been identified targeting Changzhou University in China. The threat actor UNG002 leveraged highly contextual social engineering by impersonating official university communications regarding mandatory 2026 National Student Physical Fitness and Health Standards testing, which directly impacts graduation eligibility. The attack chain begins with a weaponized ZIP file containing a malicious LNK file disguised as a PDF document. Upon execution, it triggers a VBScript that simultaneously displays a legitimate-looking decoy document while deploying a multi-stage infection chain involving DLL sideloading via Bandizip.exe, anti-debugging techniques, and ultimately delivering a Cobalt Strike Beacon payload entirely in memory. The campaign demonstrates advanced evasion capabilities and utilizes Chinese cloud infrastructure hosted on Alibaba Cloud for command and control operations.

    Pulse ID: 6a0db1f45208b8cf1b2b1571
    Pulse Link: otx.alienvault.com/pulse/6a0db
    Pulse Author: AlienVault
    Created: 2026-05-20 13:07:00

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #China #Chinese #Cloud #CobaltStrike #CyberSecurity #InfoSec #LNK #OTX #OpenThreatExchange #PDF #Phishing #RAT #SideLoading #SocialEngineering #SpearPhishing #VBS #ZIP #bot #AlienVault

  18. DATE: May 18, 2026 at 05:57PM
    SOURCE: HEALTHCARE INFO SECURITY

    Direct article link at end of text block below.

    @HealthISAC Report: #Claude #Mythos-Like #AI Tools Raising #Healthcare #Cyber Stakes:
    Déjà Vu: Is Mythos in Hands of Bad Actors Akin to #CobaltStrike, #BruteRatel Abuse?
    t.co/Xlw9xxlQwj #QuestDiagnostics #Anthropic

    Here are any URLs found in the article text:

    t.co/Xlw9xxlQwj

    Articles can be found by scrolling down the page at healthcareinfosecurity.com/ under the title "Latest"

    -------------------------------------------------

    Private, vetted email list for mental health professionals: clinicians-exchange.org

    Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.

    -------------------------------------------------

    #security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering

  19. DATE: May 18, 2026 at 05:57PM
    SOURCE: HEALTHCARE INFO SECURITY

    Direct article link at end of text block below.

    @HealthISAC Report: #Claude #Mythos-Like #AI Tools Raising #Healthcare #Cyber Stakes:
    Déjà Vu: Is Mythos in Hands of Bad Actors Akin to #CobaltStrike, #BruteRatel Abuse?
    t.co/Xlw9xxlQwj #QuestDiagnostics #Anthropic

    Here are any URLs found in the article text:

    t.co/Xlw9xxlQwj

    Articles can be found by scrolling down the page at healthcareinfosecurity.com/ under the title "Latest"

    -------------------------------------------------

    Private, vetted email list for mental health professionals: clinicians-exchange.org

    Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.

    -------------------------------------------------

    #security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering

  20. DATE: May 18, 2026 at 05:57PM
    SOURCE: HEALTHCARE INFO SECURITY

    Direct article link at end of text block below.

    @HealthISAC Report: #Claude #Mythos-Like #AI Tools Raising #Healthcare #Cyber Stakes:
    Déjà Vu: Is Mythos in Hands of Bad Actors Akin to #CobaltStrike, #BruteRatel Abuse?
    t.co/Xlw9xxlQwj #QuestDiagnostics #Anthropic

    Here are any URLs found in the article text:

    t.co/Xlw9xxlQwj

    Articles can be found by scrolling down the page at healthcareinfosecurity.com/ under the title "Latest"

    -------------------------------------------------

    Private, vetted email list for mental health professionals: clinicians-exchange.org

    Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.

    -------------------------------------------------

    #security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering

  21. DATE: May 18, 2026 at 05:57PM
    SOURCE: HEALTHCARE INFO SECURITY

    Direct article link at end of text block below.

    @HealthISAC Report: #Claude #Mythos-Like #AI Tools Raising #Healthcare #Cyber Stakes:
    Déjà Vu: Is Mythos in Hands of Bad Actors Akin to #CobaltStrike, #BruteRatel Abuse?
    t.co/Xlw9xxlQwj #QuestDiagnostics #Anthropic

    Here are any URLs found in the article text:

    t.co/Xlw9xxlQwj

    Articles can be found by scrolling down the page at healthcareinfosecurity.com/ under the title "Latest"

    -------------------------------------------------

    Private, vetted email list for mental health professionals: clinicians-exchange.org

    Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.

    -------------------------------------------------

    #security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering

  22. Ghostwriter colpisce il governo ucraino con PDF georeferenziati, PicassoLoader e Cobalt Strike

    Il gruppo bielorusso Ghostwriter (FrostyNeighbor) ha lanciato una nuova campagna di spear-phishing contro enti governativi e militari ucraini, utilizzando PDF-esca che impersonano Ukrtelecom con geofencing per eludere il rilevamento e distribuire Cobalt Strike tramite PicassoLoader JavaScript.

    insicurezzadigitale.com/ghostw

  23. Ghostwriter colpisce il governo ucraino con PDF georeferenziati, PicassoLoader e Cobalt Strike

    Il gruppo bielorusso Ghostwriter (FrostyNeighbor) ha lanciato una nuova campagna di spear-phishing contro enti governativi e militari ucraini, utilizzando PDF-esca che impersonano Ukrtelecom con geofencing per eludere il rilevamento e distribuire Cobalt Strike tramite PicassoLoader JavaScript.

    insicurezzadigitale.com/ghostw

  24. Ghostwriter colpisce il governo ucraino con PDF georeferenziati, PicassoLoader e Cobalt Strike

    Il gruppo bielorusso Ghostwriter (FrostyNeighbor) ha lanciato una nuova campagna di spear-phishing contro enti governativi e militari ucraini, utilizzando PDF-esca che impersonano Ukrtelecom con geofencing per eludere il rilevamento e distribuire Cobalt Strike tramite PicassoLoader JavaScript.

    insicurezzadigitale.com/ghostw

  25. Ghostwriter colpisce il governo ucraino con PDF georeferenziati, PicassoLoader e Cobalt Strike

    Il gruppo bielorusso Ghostwriter (FrostyNeighbor) ha lanciato una nuova campagna di spear-phishing contro enti governativi e militari ucraini, utilizzando PDF-esca che impersonano Ukrtelecom con geofencing per eludere il rilevamento e distribuire Cobalt Strike tramite PicassoLoader JavaScript.

    insicurezzadigitale.com/ghostw

  26. Ghostwriter colpisce il governo ucraino con PDF georeferenziati, PicassoLoader e Cobalt Strike

    Il gruppo bielorusso Ghostwriter (FrostyNeighbor) ha lanciato una nuova campagna di spear-phishing contro enti governativi e militari ucraini, utilizzando PDF-esca che impersonano Ukrtelecom con geofencing per eludere il rilevamento e distribuire Cobalt Strike tramite PicassoLoader JavaScript.

    insicurezzadigitale.com/ghostw

  27. Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF

    On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.

    Pulse ID: 69e9d8ba4c0b0df25b764711
    Pulse Link: otx.alienvault.com/pulse/69e9d
    Pulse Author: AlienVault
    Created: 2026-04-23 08:30:50

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault

  28. Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF

    On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.

    Pulse ID: 69e9d8ba4c0b0df25b764711
    Pulse Link: otx.alienvault.com/pulse/69e9d
    Pulse Author: AlienVault
    Created: 2026-04-23 08:30:50

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault

  29. Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF

    On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.

    Pulse ID: 69e9d8ba4c0b0df25b764711
    Pulse Link: otx.alienvault.com/pulse/69e9d
    Pulse Author: AlienVault
    Created: 2026-04-23 08:30:50

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault

  30. Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF

    On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.

    Pulse ID: 69e9d8ba4c0b0df25b764711
    Pulse Link: otx.alienvault.com/pulse/69e9d
    Pulse Author: AlienVault
    Created: 2026-04-23 08:30:50

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault

  31. Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF

    On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.

    Pulse ID: 69e9d8ba4c0b0df25b764711
    Pulse Link: otx.alienvault.com/pulse/69e9d
    Pulse Author: AlienVault
    Created: 2026-04-23 08:30:50

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault

  32. The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

    The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...

    Pulse ID: 69e63f93a0ddbd53fcab3f51
    Pulse Link: otx.alienvault.com/pulse/69e63
    Pulse Author: AlienVault
    Created: 2026-04-20 15:00:35

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CyberSecurity #DomainController #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Proxy #RAT #RansomWare #RansomwareAsAService #Troll #Windows #bot #botnet #AlienVault

  33. The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

    The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...

    Pulse ID: 69e63f93a0ddbd53fcab3f51
    Pulse Link: otx.alienvault.com/pulse/69e63
    Pulse Author: AlienVault
    Created: 2026-04-20 15:00:35

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CyberSecurity #DomainController #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Proxy #RAT #RansomWare #RansomwareAsAService #Troll #Windows #bot #botnet #AlienVault

  34. The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

    The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...

    Pulse ID: 69e63f93a0ddbd53fcab3f51
    Pulse Link: otx.alienvault.com/pulse/69e63
    Pulse Author: AlienVault
    Created: 2026-04-20 15:00:35

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CyberSecurity #DomainController #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Proxy #RAT #RansomWare #RansomwareAsAService #Troll #Windows #bot #botnet #AlienVault

  35. The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

    The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...

    Pulse ID: 69e63f93a0ddbd53fcab3f51
    Pulse Link: otx.alienvault.com/pulse/69e63
    Pulse Author: AlienVault
    Created: 2026-04-20 15:00:35

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CyberSecurity #DomainController #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Proxy #RAT #RansomWare #RansomwareAsAService #Troll #Windows #bot #botnet #AlienVault

  36. The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

    The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...

    Pulse ID: 69e63f93a0ddbd53fcab3f51
    Pulse Link: otx.alienvault.com/pulse/69e63
    Pulse Author: AlienVault
    Created: 2026-04-20 15:00:35

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CyberSecurity #DomainController #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Proxy #RAT #RansomWare #RansomwareAsAService #Troll #Windows #bot #botnet #AlienVault

  37. Iran-linked cyber espionage surges across Middle East as conflict tensions rise, researchers say

    New research from Proofpoint shows that escalating tensions involving Iran have coincided with a surge in cyber espionage…
    #Israel #News #APT42 #CharmingKitten #CheckPoint #CobaltStrike #CyberEspionage #cyberoperations #cybercrime #espionage #HandalaHack #MintSandstorm #MuddyWater #phishing #proofpoint #TA453 #VoidManticore
    europesays.com/2840087/

  38. Держим руку на Pulse. Кибератаки группировки Mythic Likho на критическую инфраструктуру России

    Привет, Хабр! Хотим поделиться новым расследованием. На этот раз в поле зрения нашего экспертного центра безопасности (PT ESC) попала хакерская группировка Mythic Likho, атакующая крупные (читайте — платежеспособные) объекты инфраструктуры: неудивительно, ведь целью злоумышленников было вымогательство за расшифровку украденной информации. В рамках данного исследования мы объединили экспертизу департаментов киберразведки (Threat Intelligence) и комплексного реагирования на киберугрозы (Incident Response) экспертного центра безопасности PositiveTechnologies, соединили разрозненные следы активности группировки Mythic Likho в единый кластер и провели его комплексное исследование. Наша цель — сформировать исчерпывающее понимание тактик, техник, средств нападения группировки. Подробности ищите под катом.

    habr.com/ru/companies/pt/artic

    #критическая_инфраструктура #кибератаки #группировка #хакеры #расследование_инцидентов_иб #бэкдор #loki #cobaltstrike

  39. Some unusual #CobaltStrike activity we observed at Censys before the holiday. At the start of December, we saw a spike in CobaltStrike in AS138415 followed by a matching spike two days after on AS133199.

    Report: censys.com/blog/recap-of-a-sus

  40. Не Cobalt Strike и не Brute Ratel: почему злоумышленники выбрали AdaptixC2 и как его обнаружить

    В сентябре 2025 года исследователи из Angara MTDR обнаружили, что фреймворк AdaptixC2 стал использоваться в атаках на организации в Российской Федерации. Сегодня мы, Лада Антипова и Александр Гантимуров, расскажем, что представляет собой фреймворк постэксплуатации AdaptixC2, как выявлять следы его использования и чем отличается выявленный способ эксплуатации фреймворка от всех описанных публично ранее. В результате расследования компьютерного инцидента был выявлен инструмент злоумышленников, который использовался для закрепления в скомпрометированной системе. Он выгодно отличался от других видов типового и самописного ВПО, которые эти же злоумышленники использовали в ходе атаки. Образец обладал обширным набором команд, был хорошо спроектирован, а также имел широкие возможности по конфигурации. После непродолжительного исследования стало ясно, что перед нами агент Beacon от фреймворка постэксплуатации AdaptixC2. AdaptixC2 — это фреймворк для постэксплуатации, который часто сравнивают с такими известными инструментами, как Cobalt Strike и Brute Ratel. В отличие от них, AdaptixC2 полностью бесплатен и доступен на GitHub . Ранее о его применении в кибератаках на другие страны сообщали Symantec , Palo Alto и « Лаборатория Касперского ». Поэтому появление AdaptixC2 в арсенале злоумышленников, атакующих организации в России, было лишь вопросом времени.

    habr.com/ru/companies/angarase

    #фреймфорк #впо #cobaltstrike #кибератаки #автоматизация #вредоносы

  41. Не Cobalt Strike и не Brute Ratel: почему злоумышленники выбрали AdaptixC2 и как его обнаружить

    В сентябре 2025 года исследователи из Angara MTDR обнаружили, что фреймворк AdaptixC2 стал использоваться в атаках на организации в Российской Федерации. Сегодня мы, Лада Антипова и Александр Гантимуров, расскажем, что представляет собой фреймворк постэксплуатации AdaptixC2, как выявлять следы его использования и чем отличается выявленный способ эксплуатации фреймворка от всех описанных публично ранее. В результате расследования компьютерного инцидента был выявлен инструмент злоумышленников, который использовался для закрепления в скомпрометированной системе. Он выгодно отличался от других видов типового и самописного ВПО, которые эти же злоумышленники использовали в ходе атаки. Образец обладал обширным набором команд, был хорошо спроектирован, а также имел широкие возможности по конфигурации. После непродолжительного исследования стало ясно, что перед нами агент Beacon от фреймворка постэксплуатации AdaptixC2. AdaptixC2 — это фреймворк для постэксплуатации, который часто сравнивают с такими известными инструментами, как Cobalt Strike и Brute Ratel. В отличие от них, AdaptixC2 полностью бесплатен и доступен на GitHub . Ранее о его применении в кибератаках на другие страны сообщали Symantec , Palo Alto и « Лаборатория Касперского ». Поэтому появление AdaptixC2 в арсенале злоумышленников, атакующих организации в России, было лишь вопросом времени.

    habr.com/ru/companies/angarase

    #фреймфорк #впо #cobaltstrike #кибератаки #автоматизация #вредоносы

  42. Не Cobalt Strike и не Brute Ratel: почему злоумышленники выбрали AdaptixC2 и как его обнаружить

    В сентябре 2025 года исследователи из Angara MTDR обнаружили, что фреймворк AdaptixC2 стал использоваться в атаках на организации в Российской Федерации. Сегодня мы, Лада Антипова и Александр Гантимуров, расскажем, что представляет собой фреймворк постэксплуатации AdaptixC2, как выявлять следы его использования и чем отличается выявленный способ эксплуатации фреймворка от всех описанных публично ранее. В результате расследования компьютерного инцидента был выявлен инструмент злоумышленников, который использовался для закрепления в скомпрометированной системе. Он выгодно отличался от других видов типового и самописного ВПО, которые эти же злоумышленники использовали в ходе атаки. Образец обладал обширным набором команд, был хорошо спроектирован, а также имел широкие возможности по конфигурации. После непродолжительного исследования стало ясно, что перед нами агент Beacon от фреймворка постэксплуатации AdaptixC2. AdaptixC2 — это фреймворк для постэксплуатации, который часто сравнивают с такими известными инструментами, как Cobalt Strike и Brute Ratel. В отличие от них, AdaptixC2 полностью бесплатен и доступен на GitHub . Ранее о его применении в кибератаках на другие страны сообщали Symantec , Palo Alto и « Лаборатория Касперского ». Поэтому появление AdaptixC2 в арсенале злоумышленников, атакующих организации в России, было лишь вопросом времени.

    habr.com/ru/companies/angarase

    #фреймфорк #впо #cobaltstrike #кибератаки #автоматизация #вредоносы

  43. Не Cobalt Strike и не Brute Ratel: почему злоумышленники выбрали AdaptixC2 и как его обнаружить

    В сентябре 2025 года исследователи из Angara MTDR обнаружили, что фреймворк AdaptixC2 стал использоваться в атаках на организации в Российской Федерации. Сегодня мы, Лада Антипова и Александр Гантимуров, расскажем, что представляет собой фреймворк постэксплуатации AdaptixC2, как выявлять следы его использования и чем отличается выявленный способ эксплуатации фреймворка от всех описанных публично ранее. В результате расследования компьютерного инцидента был выявлен инструмент злоумышленников, который использовался для закрепления в скомпрометированной системе. Он выгодно отличался от других видов типового и самописного ВПО, которые эти же злоумышленники использовали в ходе атаки. Образец обладал обширным набором команд, был хорошо спроектирован, а также имел широкие возможности по конфигурации. После непродолжительного исследования стало ясно, что перед нами агент Beacon от фреймворка постэксплуатации AdaptixC2. AdaptixC2 — это фреймворк для постэксплуатации, который часто сравнивают с такими известными инструментами, как Cobalt Strike и Brute Ratel. В отличие от них, AdaptixC2 полностью бесплатен и доступен на GitHub . Ранее о его применении в кибератаках на другие страны сообщали Symantec , Palo Alto и « Лаборатория Касперского ». Поэтому появление AdaptixC2 в арсенале злоумышленников, атакующих организации в России, было лишь вопросом времени.

    habr.com/ru/companies/angarase

    #фреймфорк #впо #cobaltstrike #кибератаки #автоматизация #вредоносы