home.social

#happyhunting — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #happyhunting, aggregated by home.social.

  1. Happy Monday Everyone!

    I usually use this space to share workshops, articles, or insights from the community but today is a little different. I was humbled to see my name listed alongside so many amazing professionals as a nominee for the SANS Institute Difference Makers Award.

    This recognition isn’t about me, though. It’s about celebrating the people who push our field forward, make an impact, and inspire others. If someone has made a difference in your journey, I encourage you to take a moment to recognize them.

    Nomination form:
    lnkd.in/dNNeTQKJ

    Have a wonderful day, and as always Happy Hunting!

    Original Post from Rob T. Lee:
    linkedin.com/posts/leerob_our-

    Intel 471 Cyborg Security, Now Part of Intel 471
    #ThreatIntel #ThreatHunting #ThreatDetection #DFIR #HappyHunting

  2. Happy Monday everyone!

    CrowdStrike is reminding us that just because some of us use Macs, doesn't mean we are malware proof! In this case the cybercriminal group dubbed #COOKIESPIDER was deploying their stealer known as #SHAMOS.

    Using a combination of malvertising and the #ClickFix technique, the group would trick their victims into installing the Shamos stealer, which leads to it running "host reconnaissance and data collection tasks, including searching for known cryptocurrency-related wallet files and sensitive credential-based files on disk".

    As always, take a read for yourself to see all the details I left out! Enjoy and Happy Hunting!

    Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS
    crowdstrike.com/en-us/blog/fal

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  3. Happy Wednesday everyone!

    #GodRAT is a new remote trojan that is targeting financial institutions as reported by Kaspersky. According to their analysis, GodRAT is based on the #Gh0stRAT codebase and uses steganography to evade detection. It supports additional plugins that are used to explore the victim's systems, deploy browser password stealers, and during the attack they even deployed the #AsyncRAT as a backup to maintain access.

    Looking at two password stealer payloads can give us some ideas of where to begin a hunt focused on this threat: both the Chrome and MS Edge password stealers added an executable to the path %ALLUSERSPROFILE%\google\ and named them after the browser they were after ("chrome.exe" and "msedge.exe" respectively). An interesting hunt would be to look at new executables added to this directory OR hunt for executables that may be masquerading as browser related executables! However you do it, get hunting!

    GodRAT – New RAT targeting financial institutions
    securelist.com/godrat/117119/

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #IntelDriveThreatHunting

  4. Happy Monday everyone!

    Cisco Talos researchers report on a "malvertising campaign" that involved the #PS1Bot, which is modular and has "several modules delivered to perform a variety of malicious activities on infected systems." It has the capability to capture keystrokes from their victim, conduct reconnaissance and establish persistence.

    This campaign involved Search Engine Optimization (SEO) poisoning and/or malvertising where the file name matched the keywords used in this target. The victim received a compressed archive that had a single file named "FULL DOCUMENT" which functioned as the downloader and retrieved the next stage. PowerShell modules came into play later that had the capability to detect which antivirus was being used by the victim, capture screenshots and keystrokes, collect wallet information, and gain persistence, which is a pretty creative way of achieving it! But I won't spoil it! Find out for yourself and discover all the other details I left out! Enjoy and Happy Hunting!

    Malvertising campaign leads to PS1Bot, a multi-stage malware framework
    blog.talosintelligence.com/ps1

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #inteldriventhreathunting

  5. Happy Friday everyone!

    Really thankful for the opportunity to join Arun Warikoo at the SANS Digital Forensics and Incident Response Summit to talk about my passion, Threat Hunting. We focused on how to prioritize a structured-hunt (hypothesis driven) and when to conduct an unstructured, or a data-structured hunt.

    A big thank you to Heather Barnhart and Phil Hagen for hosting and providing us the opportunity to speak at the event, it truly was an honor and an unforgettable experience! If you missed it in person or virtually during the event, here it is! Enjoy and Happy Hunting!

    Making Sense of the Chaos: When to Conduct Structured and Unstructured Threat Hunts
    youtube.com/watch?v=VAVj1JE6dG

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

  6. Good day everyone!

    Somehow I missed this article when it first dropped but at least I found it! The DFIR Report published another great article that involved the #Bumblebee malware as the initial access vector that was installed after a user fell victim to an SEO poisoning campaign. The report states that "the threat actor moved laterally to a domain controller, dumped credentials, installed persistent remote access tools, and exfiltrated data using an SFTP client." The adversary also created two new domain accounts and used one to connect to a domain controller via RDP and dumped the NTDS.dit file using wbadmin.exe.

    There are more technical details along with some great queries to use to aid your threat hunting and detection engineering efforts! As always, thank you to the authors for a great report! Happy Hunting!

    From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira
    thedfirreport.com/2025/08/05/f

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #IntelDrivenThreatHunting #HappyHunting #readoftheday

  7. Happy Friday everyone!

    Researchers from the FortiCNAPP team, part of FortiGuard Labs, identified a new variant of the #Lcryx ransomware called #Lcrypt0rx. The report states that it "is a relatively new VBScript-based ransomware strain first observed in November 2024" and "exhibits several unusual characteristics that suggest it may have been generated using AI." According to the researchers, it currently only targets Windows machines.

    Indicators that led the researchers to believe it is AI generated include:
    - Function Duplication
    - Incorrect Persistence Mechanisms
    - Nonexistent Target Paths
    - Invalid Ransom Note URL
    - Ineffective AV Disabling

    These are just a few indicators and the article provides more details about each indicator, but I am not going to spoil the fun! Go and check it out for yourself! Enjoy and Happy Hunting!

    Old Miner, New Tricks: H2miner Resurfaces with Lcrypt0rx Ransomware
    fortinet.com/blog/threat-resea

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #ransomware #AI #artificialintelligence

  8. Good day everyone!

    Cisco Talos researchers report on a malware-as-a-service (MaaS) operation that was targeting Ukrainian entities and involved the #Amadey trojan, known for "collecting system information and downloading secondary payloads" and the #Emmenhtal downloader.

    Behaviors that are observed in this attack include a BUNCH of PowerShell activity with obfuscation and dropping a legitimate copy of PuTTY.exe. Looking at the technical details, they also use some URLs that may look legitimate to their targets in Ukraine as they add the value "ukraine2" in the URL. Finally, the attack involved multiple variants of the Emmenhtal downloader that were masquerading as MP4 files.

    As usual, I glossed over many of the technical details so you can go enjoy the article without me spoiling it! Thanks to the researchers and authors and Happy Hunting!

    MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
    lnkd.in/gUisprru

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  13. Happy Wednesday everyone!

    News broke that #SaltTyphoon gained access to the U.S. National Guard's network "and, among other things, collected its network configuration and its data traffic with its counterparts’ networks in every other US state and at least four US territories, according to a DOD report. This data also included these networks’ administrator credentials and network diagrams—which could be used to facilitate follow-on Salt Typhoon hacks of these units."

    I am posting this as situational awareness and I never try to strike fear in the community, so I want to remind everyone of the great resources that exist out there when you want to threat hunt or you are trying to detect activity related to different #APT groups or malware! Check out the article posted below and check the comments for resources I would recommend using to supplement your threat hunting or blue team efforts! Enjoy and Happy Hunting!

    DHS Salt Typhoon
    documentcloud.org/documents/25

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  14. Good day everyone!

    Morphisec released an insightful report covering Iranian Cyber Warfare that is targeting the West and other enemies of Iran. The APT involved is #Pay2Key, "an Iranian-backed ransomware-as-a-service (RaaS) operation" that is linked to the Fox Kitten APT group and "closely tied to the well-known #Mimic ransomware."

    Normally I call out behaviors and TTPs related but for this report I want to call out the completeness of the report. Not only does it provide more than enough technical details to make actionable in any environment but it also provides a TON of threat intel to support their claims giving the readers and audience an idea if they would be a target or not. It is a great report and I encourage you all to read it! Enjoy and Happy Hunting!

    Pay2Key’s Resurgence: Iranian Cyber Warfare Targets the West
    morphisec.com/blog/pay2key-res

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  15. Happy Wednesday everyone!

    Elastic Security Labs researchers found a bunch of infostealers being spread by adversaries. In the past we have seen other tools like Brute Ratel and CobaltStrike but this time they decided to use a cracked version of #SHELLTER, another offensive security tool (OST). There are TONS of technical details about the tools they used during the investigation into the tool and what artifacts they found. Interestingly they are also releasing a "dynamic unpacker for binaries protected by SHELLTER. This tool leverages a combination of dynamic and static analysis techniques to automatically extract multiple payload stages from a SHELLTER-protected binary." Thought that was a pretty cool add!

    Take a read and get all the important details! Enjoy and Happy Hunting!

    Taking SHELLTER: a commercial evasion framework abused in-the-wild
    elastic.co/security-labs/takin

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  16. Happy Monday everyone and what a way to start it!

    I encourage you to read the latest report from The DFIR Report where they document an attack that started with a "password spray attack against an exposed RDP server" and ended in the #RansomHub ransomware strain being deployed in the victim's environment and spread over SMB.

    I am going to forgo the brief summary because I truly believe these reports need to be read by you! But a bunch of LOLBINs were leveraged, including PowerShell and Windows Command Shell, of course RDP connections, Mimikatz, the Advanced IP Scanner, and many more! One behavior I will point out is that persistence was gained by the actors deploying the legitimate RMM tools AteraAgent and Splashtop and then creating services to run them!

    This is another great example of an extremely thorough report and I hope you enjoy it as much as I do! Enjoy and Happy Hunting!

    Hide Your RDP: Password Spray Leads to RansomHub Deployment
    thedfirreport.com/2025/06/30/h

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  17. Happy Wednesday everyone!

    I came across this article from Check Point Software's research team where they discuss a malware "prototype" they found that contained prompt injection to trick any LLM that it may be interacting with while it is being analyzed, aptly named Skynet. It attempted to use the "Ignore all previous instructions" command, adding another layer of sandbox evasion, but was unsuccessful in this instance. The malware also contained an embedded TOR client which, when executed, can be later used and controlled by accessing the specified ports. After execution the malware component wipes the entire %TEMP%/skynet directory that was created. This was overall a very interesting read and could unfortunately be the first of many malware to attempt this technique. I hope you found this as interesting as I did and Happy Hunting!

    In the Wild: Malware Prototype with Embedded Prompt Injection
    research.checkpoint.com/2025/a

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #llm

  18. Good day everyone!

    A little while ago I stumbled across an article from Trend Micro that discussed the #Anubis ransomware and its abilities to act both as a ransomware and a wiper. Now it appears that the group has gained sensitive documents related to Disneyland Paris's plans for new rides and renovations (Anubis X post is in the article). Not trying to fear-monger or anything but it goes to show how these groups will adapt their TTPs and behaviors to get to any organization.

    Anubis Ransomware Lists Disneyland Paris as New Victim
    hackread.com/anubis-ransomware

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  19. If this article got you thinking about LOLBINs, take this great information and make it actionable with this Community Hunt Package! It covers the execution of common LOLBINs directly related to discovery activity! Now Get Hunting!

    Excessive Windows Discovery and Execution Processes - Potential Malware Installation
    hunter.cyborgsecurity.io/resea

    #huntoftheday #gethunting #HappyHunting

  20. Happy Wednesday all!

    Sometimes it's good to take it back to the basics! Cisco Talos shares their insights and trends on adversaries using legitimate tools with nefarious intent! They discuss Living-off-the-land binaries (LOLBINs) and Remote Monitoring and Management (RMM) tools and the impact they can have! Enjoy and Happy Hunting!

    When legitimate tools go rogue
    blog.talosintelligence.com/whe

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  21. Good day everyone!

    Trend Micro provides us insight on "A new ransomware-as-a-service (RaaS) group has emerged and has been making a name for itself in 2025" named #Anubis. It has been designed to have "more destructive capabilities" that can wipe directories that "severely impact chances of file recovery". Researchers also provide MITRE ATT&CK mapping to help teams make this information actionable, so big thanks to them! Check out the details I missed, enjoy the article, and Happy Hunting!

    Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper
    trendmicro.com/en_us/research/

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  22. Happy Monday Everyone!

    It's that time again! Just pushing this out to the threat hunting community and beyond! If you had a question about threat hunting in the past or currently have one that is burning a hole in your brain, feel free to ask us at Intel 471! We are currently working through the back-log of all the other questions that we have, but feel free to throw yours in the ring and get it featured in a future video! Have a wonderful day and Happy Hunting!

    Lee-Git Threat Hunting
    docs.google.com/forms/d/1fYIKF

    Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

  23. Happy Wednesday everyone!

    A "fully undetected #infostealer malware sample written in Rust" was identified by Trellix researchers while conducting a proactive hunt! The distribution should not come as any surprise, fraudulent gaming websites! This is not an old tactic and something that I have read about from many vendors (Remember, downloading cracked or "free" games from sites normally means you just aren't paying with money!). In this case, the "game" files were distributed as password-protected rar files which contained the stealer executable with some legitimate game-related files. This is another tactic that is commonly used to "assure" the user that they downloaded something legitimate.

    The researchers also discussed the capabilities of the malware and here are just a few:
    - It displayed a fake window to the user to fool them into thinking it is a legitimate application.
    - It terminates a list of processes, some that relate to browsers.
    - Steals passwords, cookies, autofills, and saved credit card information from applications like Discord and Chrome.
    - Drops a copy of itself in the \AppData\Roaming directory and saves a .lnkk file in the startup directory for persistence. The attackers link the executable and the .lnkk through registry keys so it can execute the .exe file properly.

    Thanks goes to the researchers (who if you want tagged in here let me know!) for the great report and details! I hope you enjoy the read as much as I did and go check out the details I left out, it's worth it! Happy Hunting!

    Demystifying Myth Stealer: A Rust Based InfoStealer
    trellix.com/en-in/blogs/resear

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  24. Good day everyone!

    This is a really interesting read from SentinelOne Labs. Back in October 2024 they dealt with a reconnaissance operation that was related to the activity cluster tracked as #PurpleHaze and then in 2025 "they helped disrupt an intrusion linked to a wider #ShadowPad operation". The activity was attributed to China-nexus threat actors.

    The article gives an in-depth view of what it looks like when an organization that is responsible for "IT services and logistics" gets compromised, which we could call a supply-chain attack. The article also provides a TON of technical details about tools and infrastructure that was used, indicators of compromise to scan for in your environment, and behaviors and commands that were observed throughout. This one may take a while to read but it's worth it! Thanks to the researchers Dr Aleksandar Milenkoski and Tom Hegel for this report! I hope you all enjoy it as much as I did. Happy Hunting!

    Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
    sentinelone.com/labs/follow-th

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  25. Happy Monday Everyone!

    Researchers at Cisco Talos "observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “#PathWiper”". The article states "The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints".

    The researchers also provided technical details, some IOCs, capabilities of the wiper, and some hints at behaviors. In this incident a batch (BAT) file was dropped on the compromised machine and ran a command that leveraged WScript.exe to execute a VBScript (uacinstall.vbs) from the C:\Windows\Temp\ directory. After the execution, the PathWiper executable appears in the C:\Windows\Temp\ directory with the name of "sha256sum.exe". So assuming this is how the malware or actor operates, you can hunt for new scripting files or executables in the C:\Windows\Temp directory. Now this is not a foolproof method as behaviors can change, but it could be a great start when hunting for this threat! Thank you to the researchers and I hope you enjoy the article! Happy Hunting!

    Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine
    blog.talosintelligence.com/pat

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
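The two hunt ideas above, the browser-named executables under %ALLUSERSPROFILE%\google\ (or anywhere outside a browser's install directory) from the GodRAT post and the new scripts or executables in C:\Windows\Temp from the PathWiper post, as one added example that is not part of any of these posts or the reports they link. The file-creation events are constructed inline with Sysmon-style field names, and the default %ALLUSERSPROFILE% value and browser install directories are assumptions about a default Windows install.

```python
r"""Hunt over constructed file-creation events for two hypotheses:
  (a) a binary named like a browser (chrome.exe, msedge.exe) created outside
      the browser's install directory, or any executable dropped under
      %ALLUSERSPROFILE%\google\
  (b) a script or executable landing anywhere under C:\Windows\Temp
Field names mimic Sysmon Event ID 11 (FileCreate); nothing is read from a
real log, every record below is constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass
import ntpath

# Assumption: %ALLUSERSPROFILE% resolves to its Windows default.
ENV = {"ALLUSERSPROFILE": r"C:\ProgramData"}

# Assumption: where the real browser binaries live on a default install.
BROWSER_INSTALL_DIRS = {
    "chrome.exe": (
        r"C:\Program Files\Google\Chrome\Application",
        r"C:\Program Files (x86)\Google\Chrome\Application",
    ),
    "msedge.exe": (
        r"C:\Program Files\Microsoft\Edge\Application",
        r"C:\Program Files (x86)\Microsoft\Edge\Application",
    ),
}
GOOGLE_DROP_DIR = r"%ALLUSERSPROFILE%\google"
WINDOWS_TEMP = r"C:\Windows\Temp"
SCRIPT_OR_EXE_EXT = {".exe", ".dll", ".vbs", ".js", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}


@dataclass
class FileCreateEvent:
    utc_time: str
    image: str             # process that created the file
    target_filename: str   # full path of the file that was written


def expand_env(path: str) -> str:
    """Expand the %VAR% tokens this example knows about."""
    for name, value in ENV.items():
        path = path.replace(f"%{name}%", value)
    return path


def norm(path: str) -> str:
    """Case-fold and normalise separators so path comparisons are exact."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def under_dir(path: str, directory: str) -> bool:
    """True if path is anywhere below directory (recursive)."""
    return norm(path).startswith(norm(expand_env(directory)) + "\\")


def hunt_reasons(ev: FileCreateEvent) -> list[str]:
    """Return every hunt hypothesis this event matches (empty = not interesting)."""
    reasons: list[str] = []
    path = norm(ev.target_filename)
    name = ntpath.basename(path)
    ext = ntpath.splitext(name)[1]
    # (a) browser-named binary written anywhere but its install directory
    if name in BROWSER_INSTALL_DIRS:
        legit = any(under_dir(path, d) for d in BROWSER_INSTALL_DIRS[name])
        if not legit:
            reasons.append(f"browser-named binary outside install dir: {name}")
    # (a) any executable dropped under %ALLUSERSPROFILE%\google\
    if ext in (".exe", ".dll") and under_dir(path, GOOGLE_DROP_DIR):
        reasons.append(r"executable written under %ALLUSERSPROFILE%\google")
    # (b) script or executable landing under C:\Windows\Temp
    if ext in SCRIPT_OR_EXE_EXT and under_dir(path, WINDOWS_TEMP):
        reasons.append(rf"script/executable written to C:\Windows\Temp: {name}")
    return reasons


def hunt(events: list[FileCreateEvent]) -> list[tuple[FileCreateEvent, list[str]]]:
    """Return only the events that matched, each paired with its reasons."""
    return [(ev, r) for ev in events if (r := hunt_reasons(ev))]


# Constructed sample telemetry: two drops into ProgramData\google, one
# legitimate Chrome update, the PathWiper-style Temp drops, and some noise.
SAMPLE_EVENTS = [
    FileCreateEvent("2025-08-20 10:01:02", r"C:\Users\alice\AppData\Local\Temp\setup.exe",
                    r"C:\ProgramData\google\chrome.exe"),
    FileCreateEvent("2025-08-20 10:01:05", r"C:\Users\alice\AppData\Local\Temp\setup.exe",
                    r"C:\ProgramData\google\msedge.exe"),
    FileCreateEvent("2025-08-20 10:05:00", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
                    r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    FileCreateEvent("2025-08-20 10:07:30", r"C:\Windows\System32\cmd.exe",
                    r"C:\Windows\Temp\uacinstall.vbs"),
    FileCreateEvent("2025-08-20 10:07:31", r"C:\Windows\System32\wscript.exe",
                    r"C:\Windows\Temp\sha256sum.exe"),
    FileCreateEvent("2025-08-20 10:09:00", r"C:\Windows\System32\svchost.exe",
                    r"C:\Windows\Temp\report.log"),
    FileCreateEvent("2025-08-20 10:10:00", r"C:\Windows\explorer.exe",
                    r"C:\Users\alice\Downloads\msedge.exe"),
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(f"{ev.utc_time}  {ev.image} -> {ev.target_filename}")
        for r in reasons:
            print(f"    * {r}")
```

A real deployment would feed this the same fields from Sysmon Event ID 11 or an EDR file-write stream and tune the install-directory allowlist to the organisation's actual browser packaging.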

  26. Good day everyone!

    As you know I am a big advocate for threat hunting and I like to post the articles that I read related to it, but there is a bigger picture that I normally leave out because of my perspective. As a threat hunter I like to look at behaviors and artifacts (Indicators of Attack) and the MITRE ATT&CK Matrix, but something I should probably start talking more about is the overall picture of the Threat Hunting Life-cycle. Really, this was brought about because of the joint advisory from the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation (FBI) as well as the Australian Government they released on the #Play Ransomware. This isn't the first time that I have read it and hopefully won't be the last simply because of these couple of lines:

    "June 4, 2025: The advisory was updated to reflect new TTPs employed by Play ransomware group, as well as provide current IOCs/remove outdated IOCs for effective threat hunting." Above it they mention that the original advisory was published on December 18, 2023, but the fact that they are returning to these and updating them with new TTPs and providing new IOCs is a GREAT example of the Threat Hunting Life-cycle.

    So if you do have a threat hunting program in your environment, maybe implement something similar to your hunts if you haven't done so already. Revisit the hunts that have been conducted already in your environment and see if the information within is still current and if not, update it accordingly! Have a wonderful day and Happy Hunting!

    #StopRansomware: Play Ransomware
    cisa.gov/news-events/cybersecu

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #ransomware #readoftheday

  27. Good day everyone!

    If you are interested in Threat Hunting and happen to be at the SANS Institute DFIR Summit in Utah, Arun Warikoo and I will be discussing when to use structured and unstructured hunts and what that would look like! I look forward to it and hope to meet a ton of new people! Have a wonderful day and Happy Hunting!

    DFIR Summit & Training 2025
    sans.org/cyber-security-traini

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

  28. Happy Monday everyone!

    The Google Threat Intel Group (GTIP) discovered that a government website was hosting malware being used to target multiple other government entities and, with high confidence, attributed the activity to #APT41 (a.k.a. HOODOO). The group used a piece of malware dubbed #Toughprogress which executes on the compromised host and uses Google Calendar for command-and-control (C2) communications. The initial access vector was a spear-phishing email that contained a link to a ZIP file which held an LNK masquerading as a PDF, and a directory, which all played their part in the attack. This was a great read and I hope you enjoy it too! Happy Hunting!

    Mark Your Calendar: APT41 Innovative Tactics
    cloud.google.com/blog/topics/t

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  29. Happy Wednesday everyone!

    I stumbled across this interesting report from Flare that took an in-depth look at the relationship between Session Hijacking and Account Takeovers. The article put into perspective how lucrative and common these attacks are and really helped me understand the threat by providing a bunch of contextual information. I enjoyed it and hope you do too! Happy Hunting!

    The Account and Session Takeover Economy
    flare.io/learn/resources/the-a

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  30. Good day everyone!

    If you are in the threat hunting community, want to join, or simply have questions regarding threat hunting, we at Intel 471 want to hear them! Toss us your questions to possibly get featured in our new series "Lee-Git Threat Hunting: Your Questions, Answered"! Simply put your question in the form and add your name if you want! I look forward to seeing them! Enjoy and Happy Hunting!

    docs.google.com/forms/d/1fYIKF

    Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

  31. Happy Friday everyone!

    With the news breaking that the #DanaBot was disrupted, it got me thinking: how do these pieces of malware function and how do they stay on the victim's machines? And when you think about it, what a botnet operator really needs is repeated access to the compromised machine, which gets me thinking about persistence. So, I poked around my favorite resource, the MITRE ATT&CK Matrix, looked at as many bot malware as they have, and looked at what they had in common from a perspective of persistence. Two of the most common techniques used were T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder and T1053.005 - Scheduled Task/Job: Scheduled Task. So, if you are hunting for bots, you may want to start there! Enjoy the read and Happy Hunting!

    DanaBot malware disrupted, threat actors named
    intel471.com/blog/danabot-malw

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  32. Good day everyone!

    I don't know how I missed this one but here is your #readoftheday:

    The DFIR Report published an article on Monday that details an attack that started with a vulnerable Confluence server and ended with the deployment of the ELPACO-team ransomware. There were multiple tools that were used that are publicly available, including AnyDesk.exe, Mimikatz, Process Hacker, and Impacket secretsdump. Side note, they mention that this case is featured in one of their labs, so go check it out! Also, go find out all the details that I couldn't post here and read the article! Enjoy and Happy Hunting!

    Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
    thedfirreport.com/2025/05/19/a

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

  33. Happy Wednesday!

    Today's #readoftheday is an article in which Sophos researchers provide details on an attack that involved the #3AM ransomware strain. What started with email bombing led to social engineering, Microsoft Quick Assist, and a Windows 7 virtual machine. What I really enjoy about this article is the technical detail about the "pre-ransomware" activity, which can be seen in the Discovery and Defense Evasion sections. These normally involve some LOLBINs (Living-Off-The-Land Binaries) and use tools that can help provide the adversary with information about the system. Enjoy and Happy Hunting!

    A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist
    news.sophos.com/en-us/2025/05/

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

  34. Good day everyone!

    Check Point Software researchers produced another great article that involves #APT29, #phishing, and a little bit of masquerading. This phishing campaign targeted European diplomatic entities, distributed fake invitations to diplomatic events, and appears to be a continuation of a previous campaign run by the same actors. These phishing emails utilized a backdoor known as #Wineloader and also employed a new loader, #Grapeloader. There is a lot to unpack here and I hope you enjoy!

    Renewed APT29 Phishing Campaign Against European Diplomats
    research.checkpoint.com/2025/a

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  39. Happy Wednesday everyone!

    Today's #readoftheday starts strong! "Microsoft Threat Intelligence and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) against a small number of targets." and their discovery involved #PipeMagic malware which was used to deploy ransomware. Enjoy and Happy Hunting!

    Exploitation of CLFS zero-day leads to ransomware activity
    microsoft.com/en-us/security/b

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

  43. Good day everyone!

    Today's #readoftheday involves Microsoft Office add-ins, masquerading, trojans, and MUCH MORE! Kaspersky researchers share the details about a project on SourceForge that was distributing malware. It appeared to be a project for Microsoft Office add-ins copied from a legitimate project on GitHub, but in reality it was a list of Microsoft Office applications that led to an archive containing an installer file (.msi). Once that is run, a bunch of bad stuff happens (I'm not going to ruin it for you) and then you are left with a miner and the #ClipBanker malware, which replaces cryptocurrency wallet addresses in the clipboard with the attacker's own, which is pretty interesting as well! I hope you enjoy it as much as I did! Happy Hunting!

    Attackers distributing a miner and the ClipBanker Trojan via SourceForge
    securelist.com/miner-clipbanke

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

  44. Happy Monday everyone!

    Just got done reading an incredible article from ESET researchers describing an APT group that was long thought to be inactive but is alive and well! #FamousSparrow is a China-aligned APT group that has had no publicly documented activity since 2022 and was found using two previously undocumented versions of its backdoor, SparrowDoor. They used a mix of publicly available and custom tools for their attack, ultimately leading to the deployment of SparrowDoor and ShadowPad (a privately sold backdoor). This report gets more and more interesting as you go, so please take the time to read it! Enjoy and Happy Hunting!

    You will always remember this as the day you finally caught FamousSparrow
    welivesecurity.com/en/eset-res

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  45. Happy Monday everyone!

    Coming out of a brief lull in activity, I have a #readoftheday for you! This comes from a CYFIRMA article that takes a look at the APT #VoltTyphoon. They share vulnerabilities that have been recently exploited and (my favorite part) recent #TTPs and #behaviors that are associated with the group! It is documented so well that I am not even going to recreate it here! I will definitely be diving back into their archives to see if there are more of these profile articles! Enjoy and Happy Hunting!

    APT PROFILE – VOLT TYPHOON
    cyfirma.com/research/apt-profi

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

  46. Happy Monday everyone!

    Today's #readoftheday is brought to you by Trend Micro and they share their findings related to #BlackBasta and #CactusRansomware adding a piece of malware known as #BackConnect to their toolbox.

    The report states "The BackConnect malware is a tool that cybercriminals use to establish and maintain persistent control over compromised systems. Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine. This enables them to steal sensitive data, such as login credentials, financial information, and personal files."

    Behaviors (MITRE ATT&CK):
    Initial Access - TA0001:
    Phishing: Spearphishing Voice - T1566.004 - The attackers conducted an email bombing campaign, then contacted the victim posing as "IT Support" or "HelpDesk".

    Command and Control - TA0011:
    Remote Access Software - T1219 - The attackers used Quick Assist to access the victim's environment once the victim was successfully social engineered.

    Lateral Movement - TA0008:
    Remote Services: SMB/Windows Admin Shares - T1021.002
    Remote Services: Windows Remote Management - T1021.006
    The attackers leveraged both SMB (shared folders) and WinRM for lateral movement.

    Go check out the rest of the technical details! Enjoy and Happy Hunting!

    Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
    trendmicro.com/en_us/research/

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

  47. Happy Friday everyone!

    I feel like this has become a weekly PSA, but Kaspersky Securelist researchers have identified hundreds of #GitHub projects that are serving up malicious code designed to steal saved credentials, cryptocurrency wallets, and browsing history. Sometimes executing this code leads to #AsyncRAT or the #Quasar backdoor, but the threat remains the same: blindly executing code from GitHub. I hope you enjoy and Happy Hunting!

    The GitVenom campaign: cryptocurrency theft using GitHub

    securelist.com/gitvenom-campai

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  48. AND A HUNT OF THE DAY!?! You know it! Looking at where the malware created its scheduled task, you can tell it is a little phishy, but there are more locations that adversaries like to use/abuse! See what you can find in your environment with this! Yes, it is community and I hope it gets you off on your journey if you haven't started OR it adds another tool to your existing toolbox! Happy Hunting!

    Scheduled Task Executing from Abnormal Location
    hunter.cyborgsecurity.io/resea

    #huntoftheday #gethunting #HappyHunting
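    The two persistence techniques called out above (Run keys, T1547.001, and scheduled tasks, T1053.005) and the hunt for tasks executing from abnormal locations share one idea: look at where the registered binary lives. The following is an added example of that hunt written for this feed; it is not code from the linked hunt package, from Intel 471, or from any vendor. It assumes a SIEM has flattened Windows Security event 4698 (scheduled task created, with the task XML in TaskContent) and Sysmon event 13 (registry value set, with TargetObject and Details) into dicts with those field names; the suspicious-directory list and the environment-variable expansions are starting-point assumptions to tune per environment, and the sample events are constructed.

```python
"""Hunt for persistence (T1053.005 scheduled tasks, T1547.001 Run keys) registered
from abnormal locations. Added example, not the hunt package's or a vendor's code.
Input records are constructed to mimic Windows Security event 4698 and Sysmon
event 13 after a SIEM has flattened them to dicts (field names are an assumption).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Directories from which installers and admins rarely register persistence.
# Starting point only (assumption); tune with an environment allowlist.
SUSPICIOUS_DIRS = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public",
                   r"\windows\temp", r"\downloads", r"\programdata")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Environment variables seen in task and Run-key paths, expanded against a
# placeholder profile so the directory checks above apply (assumption).
ENV_PREFIXES = {"%temp%": r"c:\users\x\appdata\local\temp",
                "%appdata%": r"c:\users\x\appdata\roaming",
                "%localappdata%": r"c:\users\x\appdata\local",
                "%programdata%": r"c:\programdata"}


@dataclass
class Finding:
    host: str
    technique: str
    name: str
    command: str
    reason: str


def executable_path(command: str) -> str:
    """Return the program path from a command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def abnormal_location(command: str) -> Optional[str]:
    """Return the suspicious directory the command's binary lives in, if any."""
    path = executable_path(command).lower()
    for var, expansion in ENV_PREFIXES.items():
        path = path.replace(var, expansion)
    for directory in SUSPICIOUS_DIRS:
        if directory in path:
            return directory
    return None


def task_command(task_xml: str) -> str:
    """Pull the <Exec> action's command and arguments out of 4698 TaskContent XML."""
    root = ET.fromstring(task_xml)
    cmd = root.find(f".//{TASK_NS}Exec/{TASK_NS}Command")
    args = root.find(f".//{TASK_NS}Exec/{TASK_NS}Arguments")
    command = (cmd.text or "") if cmd is not None else ""
    if args is not None and args.text:
        command += " " + args.text
    return command


def hunt(events) -> List[Finding]:
    """Flag scheduled tasks and Run-key values whose binary sits in a suspicious directory."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4698:
            command = task_command(ev["TaskContent"])
            hit = abnormal_location(command)
            if hit:
                findings.append(Finding(ev["Computer"], "T1053.005", ev["TaskName"],
                                        command, f"task binary under {hit}"))
        elif ev["EventID"] == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            hit = abnormal_location(ev["Details"])
            if hit:
                findings.append(Finding(ev["Computer"], "T1547.001", ev["TargetObject"],
                                        ev["Details"], f"Run key value under {hit}"))
    return findings


# Constructed sample events: one suspicious and one benign record of each kind.
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "WS01", "TaskName": r"\Updater",
     "TaskContent": r'<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                    r'<Actions><Exec><Command>"C:\Users\bob\AppData\Local\Temp\svchost.exe"</Command>'
                    r'<Arguments>/s</Arguments></Exec></Actions></Task>'},
    {"EventID": 4698, "Computer": "WS01", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": r'<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                    r'<Actions><Exec><Command>%windir%\system32\defrag.exe</Command>'
                    r'<Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>'},
    {"EventID": 13, "Computer": "WS02", "Details": r"%APPDATA%\Microsoft\upd.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpd"},
    {"EventID": 13, "Computer": "WS02", "Details": r"C:\Windows\system32\SecurityHealthSystray.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host} {f.technique} {f.name}: {f.command} ({f.reason})")
```

    Run against the constructed events it reports the Temp-resident task and the %APPDATA% Run key and stays quiet on the defrag task and the Security Health tray entry. The directory list is deliberately coarse: AppData\Roaming in particular hosts plenty of legitimate autostarts, so in practice you pair this with an allowlist of known-good binaries or a frequency baseline rather than alerting on every hit.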

  49. Good day everyone!

    Forescout Technologies Inc. researchers identified a malware cluster, associated with the Chinese APT #SilverFox, that masqueraded as MediaViewerLauncher.exe, the primary executable for the Philips DICOM viewer. When downloaded, these executables led to the deployment of #ValleyRAT (Remote Access Trojan), a backdoor, a keylogger, and a crypto miner on victim computers.

    Behaviors (MITRE ATT&CK):
    Discovery - TA0007:
    System Network Configuration Discovery: Internet Connection Discovery - T1016.001: Living-off-the-land binaries are used to check whether the system can reach the C2 server.

    Persistence - TA0003:
    Scheduled Task/Job: Scheduled Task - T1053.003: The malware creates a scheduled task that triggers on logon for persistence.

    Healthcare Malware Hunt, Part 1: Silver Fox APT Targets Philips DICOM Viewers
    lnkd.in/ghQS3nwv

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday #HappyHunting

  50. Happy Monday everyone!

    The AhnLab, Inc. Security Intelligence Center (ASEC) has been monitoring infostealer malware disguised as illegal software and keygens, and found that most of the malware distributed in this manner has been the #LummaC2 infostealer, BUT there has been an increase in distribution of #ACRStealer as well. What is pretty interesting is the technique they use for C2: in this case they have used Steam, telegra.ph, Google Docs (Form), and Google Docs (Presentation). Enjoy and Happy Hunting!

    ACRStealer Infostealer Exploiting Google Docs as C2
    asec.ahnlab.com/en/86390/

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
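    The C2 trick in that last post, parking instructions on Steam, telegra.ph, or Google Docs, is ATT&CK's Web Service technique (T1102), and the defender's handle on it is the process making the request rather than the destination, which is legitimate by design. The following is an added example of that hunt written for this feed; it is not ASEC's code or detection content. It assumes Sysmon event 22 (DNS query) records flattened to dicts with Image and QueryName fields, the hostnames that map each service are my assumption rather than anything the post states, the browser and known-good lists are constructed allowlists, and the sample events are constructed.

```python
"""Hunt for non-browser processes resolving web services abused as C2 (T1102).
Added example, not ASEC's code. Records are constructed to mimic Sysmon event 22
(DNS query) after a SIEM has flattened them to dicts (field names are an assumption).
"""
from collections import defaultdict
from typing import Dict, Optional, Set

# Services the post names as ACRStealer C2 carriers, keyed by the hostname a client
# resolves to reach them (the hostnames are an assumption, not from the post).
WEB_SERVICE_HOSTS = {
    "docs.google.com": "Google Docs",
    "telegra.ph": "telegra.ph",
    "steamcommunity.com": "Steam",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Non-browser processes that legitimately contact these services (constructed allowlist; tune locally).
KNOWN_GOOD = {"steam.exe", "steamwebhelper.exe", "googledrivefs.exe"}


def process_name(image: str) -> str:
    """Basename of a process image path, lower-cased."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def service_for(query_name: str) -> Optional[str]:
    """Map a queried hostname (or any subdomain of it) to a watched service."""
    qn = query_name.lower().rstrip(".")
    for host, service in WEB_SERVICE_HOSTS.items():
        if qn == host or qn.endswith("." + host):
            return service
    return None


def suspicious_processes(events) -> Dict[str, Set[str]]:
    """Return {image path: watched services resolved} for processes that are
    neither browsers nor allowlisted. A single process touching several of these
    services is the stronger signal, so the services are collected per image."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 22:
            continue
        service = service_for(ev["QueryName"])
        if service is None:
            continue
        name = process_name(ev["Image"])
        if name in BROWSERS or name in KNOWN_GOOD:
            continue
        hits[ev["Image"]].add(service)
    return dict(hits)


# Constructed sample events: a Temp-resident "keygen" cycling through two services,
# plus benign browser, Steam client, and Windows Update traffic.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Users\bob\AppData\Local\Temp\keygen.exe", "QueryName": "docs.google.com"},
    {"EventID": 22, "Image": r"C:\Users\bob\AppData\Local\Temp\keygen.exe", "QueryName": "telegra.ph"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "docs.google.com"},
    {"EventID": 22, "Image": r"C:\Program Files (x86)\Steam\steam.exe", "QueryName": "steamcommunity.com"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "update.microsoft.com"},
]

if __name__ == "__main__":
    for image, services in suspicious_processes(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(sorted(services))}")
```

    On the constructed events only the Temp-resident keygen is reported, with both services it resolved; Chrome and the Steam client are dropped by the allowlists. Because the destinations are legitimate, this is a hunt query to run over a window of DNS telemetry and sort by number of distinct services per process, not a rule to alert on a single resolution.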