#cobaltstrike — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #cobaltstrike, aggregated by home.social.
-
CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON
Mandiant ha pubblicato i dettagli dell'exploitation attiva di CVE-2026-5426, zero-day nel LMS KnowledgeDeliver causato da chiavi ASP.NET machineKey hardcoded e condivise tra tutte le installazioni. L'attacco ha portato al deployment della web shell in-memory BLUEBEAM e, tramite social engineering degli utenti, alla distribuzione di Cobalt Strike BEACON personalizzato per organizzazione. -
CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON
Mandiant ha pubblicato i dettagli dell'exploitation attiva di CVE-2026-5426, zero-day nel LMS KnowledgeDeliver causato da chiavi ASP.NET machineKey hardcoded e condivise tra tutte le installazioni. L'attacco ha portato al deployment della web shell in-memory BLUEBEAM e, tramite social engineering degli utenti, alla distribuzione di Cobalt Strike BEACON personalizzato per organizzazione. -
CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON
Mandiant ha pubblicato i dettagli dell'exploitation attiva di CVE-2026-5426, zero-day nel LMS KnowledgeDeliver causato da chiavi ASP.NET machineKey hardcoded e condivise tra tutte le installazioni. L'attacco ha portato al deployment della web shell in-memory BLUEBEAM e, tramite social engineering degli utenti, alla distribuzione di Cobalt Strike BEACON personalizzato per organizzazione. -
CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON
Mandiant ha pubblicato i dettagli dell'exploitation attiva di CVE-2026-5426, zero-day nel LMS KnowledgeDeliver causato da chiavi ASP.NET machineKey hardcoded e condivise tra tutte le installazioni. L'attacco ha portato al deployment della web shell in-memory BLUEBEAM e, tramite social engineering degli utenti, alla distribuzione di Cobalt Strike BEACON personalizzato per organizzazione. -
CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON
Mandiant ha pubblicato i dettagli dell'exploitation attiva di CVE-2026-5426, zero-day nel LMS KnowledgeDeliver causato da chiavi ASP.NET machineKey hardcoded e condivise tra tutte le installazioni. L'attacco ha portato al deployment della web shell in-memory BLUEBEAM e, tramite social engineering degli utenti, alla distribuzione di Cobalt Strike BEACON personalizzato per organizzazione. -
Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
In late 2025, an unknown threat actor exploited a critical zero-day vulnerability in KnowledgeDeliver, a Learning Management System widely used in Japan. The vulnerability, tracked as CVE-2026-5426, allowed unauthenticated remote code execution through ViewState deserialization attacks. The issue stemmed from identical hardcoded ASP.NET machine keys distributed across multiple customer deployments in the vendor's configuration files. Attackers obtained these keys from one deployment and used them to compromise other internet-facing instances. Following initial access, threat actors deployed the BLUEBEAM in-memory web shell, modified JavaScript files to display fake security alerts, and tricked users into installing malicious software that delivered Cobalt Strike BEACON backdoors. The attack demonstrates the severe risks of shared secrets in deployment templates and highlights the importance of unique cryptographic keys per installation.
Pulse ID: 6a140384686e44f07358066d
Pulse Link: https://otx.alienvault.com/pulse/6a140384686e44f07358066d
Pulse Author: AlienVault
Created: 2026-05-25 08:08:36Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #CobaltStrike #CyberSecurity #Edge #InfoSec #Japan #Java #JavaScript #Mac #NET #OTX #OpenThreatExchange #RAT #RemoteCodeExecution #Vulnerability #ZeroDay #bot #AlienVault
-
Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers
Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...
Pulse ID: 6a0f8f36422c8adb515a9804
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f36422c8adb515a9804
Pulse Author: AlienVault
Created: 2026-05-21 23:03:18Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault
-
Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers
Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...
Pulse ID: 6a0f8f36422c8adb515a9804
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f36422c8adb515a9804
Pulse Author: AlienVault
Created: 2026-05-21 23:03:18Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault
-
Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers
Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...
Pulse ID: 6a0f8f36422c8adb515a9804
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f36422c8adb515a9804
Pulse Author: AlienVault
Created: 2026-05-21 23:03:18Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault
-
Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers
Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...
Pulse ID: 6a0f8f36422c8adb515a9804
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f36422c8adb515a9804
Pulse Author: AlienVault
Created: 2026-05-21 23:03:18Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault
-
Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers
Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...
Pulse ID: 6a0f8f36422c8adb515a9804
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f36422c8adb515a9804
Pulse Author: AlienVault
Created: 2026-05-21 23:03:18Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault
-
Fresh mischief and digital shenanigans
FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.
Pulse ID: 6a0e803c81c123ee6cf7066a
Pulse Link: https://otx.alienvault.com/pulse/6a0e803c81c123ee6cf7066a
Pulse Author: AlienVault
Created: 2026-05-21 03:47:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault
-
Fresh mischief and digital shenanigans
FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.
Pulse ID: 6a0e803c81c123ee6cf7066a
Pulse Link: https://otx.alienvault.com/pulse/6a0e803c81c123ee6cf7066a
Pulse Author: AlienVault
Created: 2026-05-21 03:47:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault
-
Fresh mischief and digital shenanigans
FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.
Pulse ID: 6a0e803c81c123ee6cf7066a
Pulse Link: https://otx.alienvault.com/pulse/6a0e803c81c123ee6cf7066a
Pulse Author: AlienVault
Created: 2026-05-21 03:47:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault
-
Fresh mischief and digital shenanigans
FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.
Pulse ID: 6a0e803c81c123ee6cf7066a
Pulse Link: https://otx.alienvault.com/pulse/6a0e803c81c123ee6cf7066a
Pulse Author: AlienVault
Created: 2026-05-21 03:47:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault
-
Fresh mischief and digital shenanigans
FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.
Pulse ID: 6a0e803c81c123ee6cf7066a
Pulse Link: https://otx.alienvault.com/pulse/6a0e803c81c123ee6cf7066a
Pulse Author: AlienVault
Created: 2026-05-21 03:47:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault
-
Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure
A sophisticated spear-phishing campaign designated Operation Dragon Whistle has been identified targeting Changzhou University in China. The threat actor UNG002 leveraged highly contextual social engineering by impersonating official university communications regarding mandatory 2026 National Student Physical Fitness and Health Standards testing, which directly impacts graduation eligibility. The attack chain begins with a weaponized ZIP file containing a malicious LNK file disguised as a PDF document. Upon execution, it triggers a VBScript that simultaneously displays a legitimate-looking decoy document while deploying a multi-stage infection chain involving DLL sideloading via Bandizip.exe, anti-debugging techniques, and ultimately delivering a Cobalt Strike Beacon payload entirely in memory. The campaign demonstrates advanced evasion capabilities and utilizes Chinese cloud infrastructure hosted on Alibaba Cloud for command and control operations.
Pulse ID: 6a0db1f45208b8cf1b2b1571
Pulse Link: https://otx.alienvault.com/pulse/6a0db1f45208b8cf1b2b1571
Pulse Author: AlienVault
Created: 2026-05-20 13:07:00Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#China #Chinese #Cloud #CobaltStrike #CyberSecurity #InfoSec #LNK #OTX #OpenThreatExchange #PDF #Phishing #RAT #SideLoading #SocialEngineering #SpearPhishing #VBS #ZIP #bot #AlienVault
-
DATE: May 18, 2026 at 05:57PM
SOURCE: HEALTHCARE INFO SECURITYDirect article link at end of text block below.
@HealthISAC Report: #Claude #Mythos-Like #AI Tools Raising #Healthcare #Cyber Stakes:
Déjà Vu: Is Mythos in Hands of Bad Actors Akin to #CobaltStrike, #BruteRatel Abuse?
https://t.co/Xlw9xxlQwj #QuestDiagnostics #AnthropicHere are any URLs found in the article text:
Articles can be found by scrolling down the page at https://www.healthcareinfosecurity.com/ under the title "Latest"
-------------------------------------------------
Private, vetted email list for mental health professionals: https://www.clinicians-exchange.org
Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.
-------------------------------------------------
#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering
-
DATE: May 18, 2026 at 05:57PM
SOURCE: HEALTHCARE INFO SECURITYDirect article link at end of text block below.
@HealthISAC Report: #Claude #Mythos-Like #AI Tools Raising #Healthcare #Cyber Stakes:
Déjà Vu: Is Mythos in Hands of Bad Actors Akin to #CobaltStrike, #BruteRatel Abuse?
https://t.co/Xlw9xxlQwj #QuestDiagnostics #AnthropicHere are any URLs found in the article text:
Articles can be found by scrolling down the page at https://www.healthcareinfosecurity.com/ under the title "Latest"
-------------------------------------------------
Private, vetted email list for mental health professionals: https://www.clinicians-exchange.org
Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.
-------------------------------------------------
#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering
-
DATE: May 18, 2026 at 05:57PM
SOURCE: HEALTHCARE INFO SECURITYDirect article link at end of text block below.
@HealthISAC Report: #Claude #Mythos-Like #AI Tools Raising #Healthcare #Cyber Stakes:
Déjà Vu: Is Mythos in Hands of Bad Actors Akin to #CobaltStrike, #BruteRatel Abuse?
https://t.co/Xlw9xxlQwj #QuestDiagnostics #AnthropicHere are any URLs found in the article text:
Articles can be found by scrolling down the page at https://www.healthcareinfosecurity.com/ under the title "Latest"
-------------------------------------------------
Private, vetted email list for mental health professionals: https://www.clinicians-exchange.org
Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.
-------------------------------------------------
#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering
-
DATE: May 18, 2026 at 05:57PM
SOURCE: HEALTHCARE INFO SECURITYDirect article link at end of text block below.
@HealthISAC Report: #Claude #Mythos-Like #AI Tools Raising #Healthcare #Cyber Stakes:
Déjà Vu: Is Mythos in Hands of Bad Actors Akin to #CobaltStrike, #BruteRatel Abuse?
https://t.co/Xlw9xxlQwj #QuestDiagnostics #AnthropicHere are any URLs found in the article text:
Articles can be found by scrolling down the page at https://www.healthcareinfosecurity.com/ under the title "Latest"
-------------------------------------------------
Private, vetted email list for mental health professionals: https://www.clinicians-exchange.org
Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.
-------------------------------------------------
#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering
-
Ghostwriter colpisce il governo ucraino con PDF georeferenziati, PicassoLoader e Cobalt Strike
Il gruppo bielorusso Ghostwriter (FrostyNeighbor) ha lanciato una nuova campagna di spear-phishing contro enti governativi e militari ucraini, utilizzando PDF-esca che impersonano Ukrtelecom con geofencing per eludere il rilevamento e distribuire Cobalt Strike tramite PicassoLoader JavaScript. -
Ghostwriter colpisce il governo ucraino con PDF georeferenziati, PicassoLoader e Cobalt Strike
Il gruppo bielorusso Ghostwriter (FrostyNeighbor) ha lanciato una nuova campagna di spear-phishing contro enti governativi e militari ucraini, utilizzando PDF-esca che impersonano Ukrtelecom con geofencing per eludere il rilevamento e distribuire Cobalt Strike tramite PicassoLoader JavaScript. -
Ghostwriter colpisce il governo ucraino con PDF georeferenziati, PicassoLoader e Cobalt Strike
Il gruppo bielorusso Ghostwriter (FrostyNeighbor) ha lanciato una nuova campagna di spear-phishing contro enti governativi e militari ucraini, utilizzando PDF-esca che impersonano Ukrtelecom con geofencing per eludere il rilevamento e distribuire Cobalt Strike tramite PicassoLoader JavaScript. -
Ghostwriter colpisce il governo ucraino con PDF georeferenziati, PicassoLoader e Cobalt Strike
Il gruppo bielorusso Ghostwriter (FrostyNeighbor) ha lanciato una nuova campagna di spear-phishing contro enti governativi e militari ucraini, utilizzando PDF-esca che impersonano Ukrtelecom con geofencing per eludere il rilevamento e distribuire Cobalt Strike tramite PicassoLoader JavaScript. -
Ghostwriter colpisce il governo ucraino con PDF georeferenziati, PicassoLoader e Cobalt Strike
Il gruppo bielorusso Ghostwriter (FrostyNeighbor) ha lanciato una nuova campagna di spear-phishing contro enti governativi e militari ucraini, utilizzando PDF-esca che impersonano Ukrtelecom con geofencing per eludere il rilevamento e distribuire Cobalt Strike tramite PicassoLoader JavaScript. -
Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF
On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.
Pulse ID: 69e9d8ba4c0b0df25b764711
Pulse Link: https://otx.alienvault.com/pulse/69e9d8ba4c0b0df25b764711
Pulse Author: AlienVault
Created: 2026-04-23 08:30:50Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault
-
Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF
On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.
Pulse ID: 69e9d8ba4c0b0df25b764711
Pulse Link: https://otx.alienvault.com/pulse/69e9d8ba4c0b0df25b764711
Pulse Author: AlienVault
Created: 2026-04-23 08:30:50Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault
-
Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF
On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.
Pulse ID: 69e9d8ba4c0b0df25b764711
Pulse Link: https://otx.alienvault.com/pulse/69e9d8ba4c0b0df25b764711
Pulse Author: AlienVault
Created: 2026-04-23 08:30:50Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault
-
Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF
On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.
Pulse ID: 69e9d8ba4c0b0df25b764711
Pulse Link: https://otx.alienvault.com/pulse/69e9d8ba4c0b0df25b764711
Pulse Author: AlienVault
Created: 2026-04-23 08:30:50Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault
-
Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF
On March 12, 2026, a sophisticated attack campaign was identified targeting Chinese-speaking individuals using military-themed document lures distributed through a malicious ZIP archive. The operation employed a trojanized SumatraPDF binary as the initial vector to deploy an AdaptixC2 Beacon and Visual Studio Code on victim systems. The shellcode loader demonstrated significant similarities to the TOSHIS loader previously linked to TAOTH campaigns. Attackers established a custom AdaptixC2 Beacon listener utilizing GitHub for command-and-control infrastructure. The staging server infrastructure additionally hosted CobaltStrike Beacon and EntryShell backdoor, both previously associated with this threat group. The campaign infrastructure included multiple compromised domains and IP addresses for malware distribution and C2 communications.
Pulse ID: 69e9d8ba4c0b0df25b764711
Pulse Link: https://otx.alienvault.com/pulse/69e9d8ba4c0b0df25b764711
Pulse Author: AlienVault
Created: 2026-04-23 08:30:50Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Chinese #CobaltStrike #CyberSecurity #GitHub #InfoSec #Malware #Military #OTX #OpenThreatExchange #PDF #RAT #ShellCode #Trojan #ZIP #bot #AlienVault
-
The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy
The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...
Pulse ID: 69e63f93a0ddbd53fcab3f51
Pulse Link: https://otx.alienvault.com/pulse/69e63f93a0ddbd53fcab3f51
Pulse Author: AlienVault
Created: 2026-04-20 15:00:35Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CobaltStrike #CyberSecurity #DomainController #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Proxy #RAT #RansomWare #RansomwareAsAService #Troll #Windows #bot #botnet #AlienVault
-
The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy
The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...
Pulse ID: 69e63f93a0ddbd53fcab3f51
Pulse Link: https://otx.alienvault.com/pulse/69e63f93a0ddbd53fcab3f51
Pulse Author: AlienVault
Created: 2026-04-20 15:00:35Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CobaltStrike #CyberSecurity #DomainController #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Proxy #RAT #RansomWare #RansomwareAsAService #Troll #Windows #bot #botnet #AlienVault
-
The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy
The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...
Pulse ID: 69e63f93a0ddbd53fcab3f51
Pulse Link: https://otx.alienvault.com/pulse/69e63f93a0ddbd53fcab3f51
Pulse Author: AlienVault
Created: 2026-04-20 15:00:35Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CobaltStrike #CyberSecurity #DomainController #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Proxy #RAT #RansomWare #RansomwareAsAService #Troll #Windows #bot #botnet #AlienVault
-
The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy
The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...
Pulse ID: 69e63f93a0ddbd53fcab3f51
Pulse Link: https://otx.alienvault.com/pulse/69e63f93a0ddbd53fcab3f51
Pulse Author: AlienVault
Created: 2026-04-20 15:00:35Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CobaltStrike #CyberSecurity #DomainController #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Proxy #RAT #RansomWare #RansomwareAsAService #Troll #Windows #bot #botnet #AlienVault
-
The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy
The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...
Pulse ID: 69e63f93a0ddbd53fcab3f51
Pulse Link: https://otx.alienvault.com/pulse/69e63f93a0ddbd53fcab3f51
Pulse Author: AlienVault
Created: 2026-04-20 15:00:35Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CobaltStrike #CyberSecurity #DomainController #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Proxy #RAT #RansomWare #RansomwareAsAService #Troll #Windows #bot #botnet #AlienVault
-
Iran-linked cyber espionage surges across Middle East as conflict tensions rise, researchers say
New research from Proofpoint shows that escalating tensions involving Iran have coincided with a surge in cyber espionage…
#Israel #News #APT42 #CharmingKitten #CheckPoint #CobaltStrike #CyberEspionage #cyberoperations #cybercrime #espionage #HandalaHack #MintSandstorm #MuddyWater #phishing #proofpoint #TA453 #VoidManticore
https://www.europesays.com/2840087/ -
Держим руку на Pulse. Кибератаки группировки Mythic Likho на критическую инфраструктуру России
Привет, Хабр! Хотим поделиться новым расследованием. На этот раз в поле зрения нашего экспертного центра безопасности (PT ESC) попала хакерская группировка Mythic Likho, атакующая крупные (читайте — платежеспособные) объекты инфраструктуры: неудивительно, ведь целью злоумышленников было вымогательство за расшифровку украденной информации. В рамках данного исследования мы объединили экспертизу департаментов киберразведки (Threat Intelligence) и комплексного реагирования на киберугрозы (Incident Response) экспертного центра безопасности PositiveTechnologies, соединили разрозненные следы активности группировки Mythic Likho в единый кластер и провели его комплексное исследование. Наша цель — сформировать исчерпывающее понимание тактик, техник, средств нападения группировки. Подробности ищите под катом.
https://habr.com/ru/companies/pt/articles/1005466/
#критическая_инфраструктура #кибератаки #группировка #хакеры #расследование_инцидентов_иб #бэкдор #loki #cobaltstrike
-
A convoluted Lotus Blossom infection chain leads to an otherwise unremarkable Cobalt Strike configuration:
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
-
A convoluted Lotus Blossom infection chain leads to an otherwise unremarkable Cobalt Strike configuration:
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
-
A convoluted Lotus Blossom infection chain leads to an otherwise unremarkable Cobalt Strike configuration:
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
-
New post looking through > 500 Cobalt Strike beacon configurations.
#CobaltStrike
https://blog.axelarator.net/cobalt-strike-beacon-analysis/ -
Sharing for those doing computer things over the holidays.
#cobaltstrike
https://beaconbeagle.com/ -
Some unusual #CobaltStrike activity we observed at Censys before the holiday. At the start of December, we saw a spike in CobaltStrike in AS138415 followed by a matching spike two days after on AS133199.
Report: https://censys.com/blog/recap-of-a-suspicious-surge-in-cobalt-strike
-
Не Cobalt Strike и не Brute Ratel: почему злоумышленники выбрали AdaptixC2 и как его обнаружить
В сентябре 2025 года исследователи из Angara MTDR обнаружили, что фреймворк AdaptixC2 стал использоваться в атаках на организации в Российской Федерации. Сегодня мы, Лада Антипова и Александр Гантимуров, расскажем, что представляет собой фреймворк постэксплуатации AdaptixC2, как выявлять следы его использования и чем отличается выявленный способ эксплуатации фреймворка от всех описанных публично ранее. В результате расследования компьютерного инцидента был выявлен инструмент злоумышленников, который использовался для закрепления в скомпрометированной системе. Он выгодно отличался от других видов типового и самописного ВПО, которые эти же злоумышленники использовали в ходе атаки. Образец обладал обширным набором команд, был хорошо спроектирован, а также имел широкие возможности по конфигурации. После непродолжительного исследования стало ясно, что перед нами агент Beacon от фреймворка постэксплуатации AdaptixC2. AdaptixC2 — это фреймворк для постэксплуатации, который часто сравнивают с такими известными инструментами, как Cobalt Strike и Brute Ratel. В отличие от них, AdaptixC2 полностью бесплатен и доступен на GitHub . Ранее о его применении в кибератаках на другие страны сообщали Symantec , Palo Alto и « Лаборатория Касперского ». Поэтому появление AdaptixC2 в арсенале злоумышленников, атакующих организации в России, было лишь вопросом времени.
https://habr.com/ru/companies/angarasecurity/articles/962088/
#фреймфорк #впо #cobaltstrike #кибератаки #автоматизация #вредоносы
-
Не Cobalt Strike и не Brute Ratel: почему злоумышленники выбрали AdaptixC2 и как его обнаружить
В сентябре 2025 года исследователи из Angara MTDR обнаружили, что фреймворк AdaptixC2 стал использоваться в атаках на организации в Российской Федерации. Сегодня мы, Лада Антипова и Александр Гантимуров, расскажем, что представляет собой фреймворк постэксплуатации AdaptixC2, как выявлять следы его использования и чем отличается выявленный способ эксплуатации фреймворка от всех описанных публично ранее. В результате расследования компьютерного инцидента был выявлен инструмент злоумышленников, который использовался для закрепления в скомпрометированной системе. Он выгодно отличался от других видов типового и самописного ВПО, которые эти же злоумышленники использовали в ходе атаки. Образец обладал обширным набором команд, был хорошо спроектирован, а также имел широкие возможности по конфигурации. После непродолжительного исследования стало ясно, что перед нами агент Beacon от фреймворка постэксплуатации AdaptixC2. AdaptixC2 — это фреймворк для постэксплуатации, который часто сравнивают с такими известными инструментами, как Cobalt Strike и Brute Ratel. В отличие от них, AdaptixC2 полностью бесплатен и доступен на GitHub . Ранее о его применении в кибератаках на другие страны сообщали Symantec , Palo Alto и « Лаборатория Касперского ». Поэтому появление AdaptixC2 в арсенале злоумышленников, атакующих организации в России, было лишь вопросом времени.
https://habr.com/ru/companies/angarasecurity/articles/962088/
#фреймфорк #впо #cobaltstrike #кибератаки #автоматизация #вредоносы
-
Не Cobalt Strike и не Brute Ratel: почему злоумышленники выбрали AdaptixC2 и как его обнаружить
В сентябре 2025 года исследователи из Angara MTDR обнаружили, что фреймворк AdaptixC2 стал использоваться в атаках на организации в Российской Федерации. Сегодня мы, Лада Антипова и Александр Гантимуров, расскажем, что представляет собой фреймворк постэксплуатации AdaptixC2, как выявлять следы его использования и чем отличается выявленный способ эксплуатации фреймворка от всех описанных публично ранее. В результате расследования компьютерного инцидента был выявлен инструмент злоумышленников, который использовался для закрепления в скомпрометированной системе. Он выгодно отличался от других видов типового и самописного ВПО, которые эти же злоумышленники использовали в ходе атаки. Образец обладал обширным набором команд, был хорошо спроектирован, а также имел широкие возможности по конфигурации. После непродолжительного исследования стало ясно, что перед нами агент Beacon от фреймворка постэксплуатации AdaptixC2. AdaptixC2 — это фреймворк для постэксплуатации, который часто сравнивают с такими известными инструментами, как Cobalt Strike и Brute Ratel. В отличие от них, AdaptixC2 полностью бесплатен и доступен на GitHub . Ранее о его применении в кибератаках на другие страны сообщали Symantec , Palo Alto и « Лаборатория Касперского ». Поэтому появление AdaptixC2 в арсенале злоумышленников, атакующих организации в России, было лишь вопросом времени.
https://habr.com/ru/companies/angarasecurity/articles/962088/
#фреймфорк #впо #cobaltstrike #кибератаки #автоматизация #вредоносы
-
Не Cobalt Strike и не Brute Ratel: почему злоумышленники выбрали AdaptixC2 и как его обнаружить
В сентябре 2025 года исследователи из Angara MTDR обнаружили, что фреймворк AdaptixC2 стал использоваться в атаках на организации в Российской Федерации. Сегодня мы, Лада Антипова и Александр Гантимуров, расскажем, что представляет собой фреймворк постэксплуатации AdaptixC2, как выявлять следы его использования и чем отличается выявленный способ эксплуатации фреймворка от всех описанных публично ранее. В результате расследования компьютерного инцидента был выявлен инструмент злоумышленников, который использовался для закрепления в скомпрометированной системе. Он выгодно отличался от других видов типового и самописного ВПО, которые эти же злоумышленники использовали в ходе атаки. Образец обладал обширным набором команд, был хорошо спроектирован, а также имел широкие возможности по конфигурации. После непродолжительного исследования стало ясно, что перед нами агент Beacon от фреймворка постэксплуатации AdaptixC2. AdaptixC2 — это фреймворк для постэксплуатации, который часто сравнивают с такими известными инструментами, как Cobalt Strike и Brute Ratel. В отличие от них, AdaptixC2 полностью бесплатен и доступен на GitHub . Ранее о его применении в кибератаках на другие страны сообщали Symantec , Palo Alto и « Лаборатория Касперского ». Поэтому появление AdaptixC2 в арсенале злоумышленников, атакующих организации в России, было лишь вопросом времени.
https://habr.com/ru/companies/angarasecurity/articles/962088/
#фреймфорк #впо #cobaltstrike #кибератаки #автоматизация #вредоносы
-
Russian Hackers Exploit Adaptix Pentesting Tool in Ransomware Attacks https://hackread.com/russian-hackers-adaptix-pentest-ransomware/ #Cybersecurity #CobaltStrike #CountLoader #CyberAttack #SilentPush #Pentesing #Security #Telegram #Malware #Adaptix #Ukraine #Russia #Scam
-
Russian Hackers Exploit Adaptix Pentesting Tool in Ransomware Attacks https://hackread.com/russian-hackers-adaptix-pentest-ransomware/ #Cybersecurity #CobaltStrike #CountLoader #CyberAttack #SilentPush #Pentesing #Security #Telegram #Malware #Adaptix #Ukraine #Russia #Scam