#iocs — Public Fediverse posts

#NPM #axios maintainer has lost control of their account. Malicious versions 1.14.1 and 0.30.4 have been published which include a RAT.

NPM has pulled the effected versions and the payload. Time to clean up and see if you were effected.

StepSecurity has an awesome write up on this issue with #iocs

Link follows this toot.

#CTI #infosec #node #cybersecurity #security #nodejs #js #malware

A more sane and parseable list of indicators:

Landing page

httpX://macdev.slab[.]com/public/posts/insta-іі-with-termina-і-g40n4aau?shr=6etwxr0gksp2ltctcqv7gom7

Loaders

httpX://datasphere.us[.]com/debug/loader.sh?build=492f9e58358e8e2bc9e0414fa077e197
https://datasphere.us.com/debug/payload.applescript?build=492f9e58358e8e2bc9e0414fa077e197

Mocked User Agent for curls

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36

APIs

httpX://datasphere.us[.]com/api/debug/event     # initial info gathering 
httpX://datasphere.us[.]com/gate                         # stealer upload location 
httpX://datasphere.us[.]com/gate/chunk              # large file uploads 
httpX://datasphere.us[.]com/api/bot/heartbeat   # Persistence heartbeat API 

api key 61cb9c3bd1a2faa7d6613dd8e5d09e79fe95e85ab09ed6bcd6406badff5a083f

#osx #stealer #iocs

#malware on Vulkan Loader

#IOCs

72a8eb805e026accc0a5805847db978f (세무 감사.exe)

0a580815e4dbedecafd88b207eca8c8f (vulkan-1.bin)

55b624a0b0423a337b804fe8e305a386 (vulkan-1.dll)

Command-and-control IPv4 map, 2026-02-22 to 2026-03-07 #IOCs
https://abjuri5t.github.io/SarlackLab/

43.249.172[.]0/22
23.248.208[.]0/21
178.16.52[.]0/22
23.226.58[.]0/23
156.234.56[.]0/23
158.94.208[.]0/22
43.240.239[.]0/24
103.39.16[.]0/22
185.213.60[.]0/23
23.226.48[.]0/23

Command-and-control IPv4 map, 2026-02-10 to 2026-02-23 #IOCs
https://abjuri5t.github.io/SarlackLab/

148.178.64[.]0/19
148.178.32[.]0/19
178.16.52[.]0/22
207.56.192[.]0/19
91.92.240[.]0/22
158.94.208[.]0/22
102.117.128[.]0/18
45.114.106[.]0/24
156.234.94[.]0/24
106.52.0[.]0/14

This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

997 words, 5 minutes read time.

If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

What this scam actually is

You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

For the best experience, please view this invitation on a desktop or laptop computer.

If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

Why this is an absolute nightmare for security teams

Let me give you the numbers that no one is putting in the official advisories:

• As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
• Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
• This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
• Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

How to not get burned

I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

For everyone

• Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
• Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
• Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

For SOC Analysts and Security Teams

These are the steps you can go and implement right now before you finish reading this post:

1. Add an email detection rule for the exact string for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate.
2. Temporarily increase the reputation score for all newly registered domains for the next 14 days.
3. Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
4. If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.

Closing Thought

The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
• CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
• Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
• Punchbowl Official Public Warning
• Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
• Proofpoint Threat Insight: Punchbowl Phishing Campaign
• MITRE ATT&CK T1566.001: Spearphishing Link
• Verizon DBIR 2025: Phishing Effectiveness

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

Related Posts

Rate this:

This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

997 words, 5 minutes read time.

If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

What this scam actually is

You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

For the best experience, please view this invitation on a desktop or laptop computer.

If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

Why this is an absolute nightmare for security teams

Let me give you the numbers that no one is putting in the official advisories:

• As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
• Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
• This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
• Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

How to not get burned

I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

For everyone

• Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
• Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
• Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

For SOC Analysts and Security Teams

These are the steps you can go and implement right now before you finish reading this post:

1. Add an email detection rule for the exact string for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate.
2. Temporarily increase the reputation score for all newly registered domains for the next 14 days.
3. Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
4. If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.

Closing Thought

The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
• CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
• Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
• Punchbowl Official Public Warning
• Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
• Proofpoint Threat Insight: Punchbowl Phishing Campaign
• MITRE ATT&CK T1566.001: Spearphishing Link
• Verizon DBIR 2025: Phishing Effectiveness

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

Related Posts

Rate this:

This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

997 words, 5 minutes read time.

If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

What this scam actually is

You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

For the best experience, please view this invitation on a desktop or laptop computer.

If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

Why this is an absolute nightmare for security teams

Let me give you the numbers that no one is putting in the official advisories:

• As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
• Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
• This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
• Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

How to not get burned

I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

For everyone

• Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
• Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
• Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

For SOC Analysts and Security Teams

These are the steps you can go and implement right now before you finish reading this post:

1. Add an email detection rule for the exact string for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate.
2. Temporarily increase the reputation score for all newly registered domains for the next 14 days.
3. Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
4. If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.

Closing Thought

The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
• CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
• Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
• Punchbowl Official Public Warning
• Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
• Proofpoint Threat Insight: Punchbowl Phishing Campaign
• MITRE ATT&CK T1566.001: Spearphishing Link
• Verizon DBIR 2025: Phishing Effectiveness

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

Related Posts

Rate this:

Command-and-control domain tree, 2026-02-03 to 2026-02-16 #IOCs
https://abjuri5t.github.io/SarlackLab/

*.bj[.]baidubce[.]com
*.tcp[.]cpolar[.]top
*.dianqi1[.]jiayongdianqi[.]xyz
*.dianqi2[.]jiayongdianqi[.]xyz
*.getupi[.]in[.]net

Pour la chasse et vérification dans les logs réseau notamment pour la période juin ➡️ décembre 2025

👇

https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/

⬇️

🔍 IOC — Validin (Exploring Notepad++ network indicators)

Ces IOC proviennent du rapport d’analyse de l’infrastructure C2 associé à l’attaque Notepad++ (indiqués dans l’article Validin).

• 95.179.213[.]0 (confirmé le même que Rapid7)

• api[.]skycloudcenter[.]com

• 61.4.102[.]97

• api[.]wiresguard[.]com

• 59.110.7[.]32

• 124.222.137[.]114

• 45.32.144[.]255

• 160.250.93[.]48

• cloudtrafficservice[.]com

• api[.]cloudtrafficservice[.]com

• 103.159.133[.]178

👇

https://securelist.com/notepad-supply-chain-attack/118708/

🔍 IOC — Securelist (Notepad supply chain attack)

Cet article donne plusieurs catégories d’indicateurs (machines de mise à jour malicieuses, C2, fichiers, etc.).

⚠️ Malicious Updater URLs

• hxxp://45.76.155[.]202/update/update.exe
  
• hxxp://45.32.144[.]255/update/update.exe
  
• hxxp://95.179.213[.]0/update/update.exe
  
• hxxp://95.179.213[.]0/update/install.exe
  
• hxxp://95.179.213[.]0/update/AutoUpdater.exe
  

📡 System Info Upload / C2

• hxxp://45.76.155[.]202/list
  
• hxxps://self-dns.it[.]com/list
  

⚙️ Metasploit downloader / Cobalt Strike

• hxxps://45.77.31[.]210/users/admin
  
• hxxps://cdncheck.it[.]com/users/admin
  
• hxxps://safe-dns.it[.]com/help/Get-Start
  

💻 Cobalt Strike Beacon / Payload C2

• hxxps://45.77.31[.]210/api/update/v1
  
• hxxps://45.77.31[.]210/api/FileUpload/submit
  
• hxxps://cdncheck.it[.]com/api/update/v1
  
• hxxps://cdncheck.it[.]com/api/Metadata/submit
  
• hxxps://cdncheck.it[.]com/api/getInfo/v1
  
• hxxps://cdncheck.it[.]com/api/FileUpload/submit
  
• hxxps://safe-dns.it[.]com/resolve
  
• hxxps://safe-dns.it[.]com/dns-query
  

#CyberVeille #NotepadPlusPlus #IoCs

aww man, looking around to see if anyone has already done some reversing/modding work on a game that's piqued my interest recently has led me to this itch account using the blog feature to redirect to fake downloads.

httpX://itch[.]io/blog/1318716/hollow-knight-silksong-mod-menu-software-for-pc-control-

Initial landing page: gitcompiler[.]com, appears to call out and test 3 sub domains to redirect to which in turn will send to a landing page. (though 2 of the domains have busted cors rules and don't work anyway)

Interestingly I was only able to download the sample on my linux machine by using the "responsive mode" emulating a mobile device in firefox for the (purpose of User Agent spoofing). Anyrun and virustotal didn't pick anything up, but another user got some signals using the recorded future sandbox under a different download.

As much as I'd love to try and dig at it myself to practice some reversing I don't have the setup here to do anything of the sort safely

reuploaded sample: https://app.any.run/tasks/5ee02578-a655-4559-8dc9-899b40f5ea57
sample from malicious host: https://app.any.run/tasks/eb5dc590-a83a-4a38-afab-6e419ce99686
public sandbox: https://tria.ge/260117-qf18ysat4c

https://www.virustotal.com/gui/file/f6dfc06fb7fa8e733ae7b2541d7b1771cd1b6d11984b97f636a9ac47e23ad811/community

#iocs #itch

// Primary landing page 

*.gitcompiler[.]com

// Redirect mirrors, contains an AES encrypted url in /head/meta[name='token']

httpX://digitalwavesway[.]com

httpX://gametolifeservers[.]com

httpX://techflowtime[.]com

// landing page for digitalwavesway

httpX://mailer.soham-sn[.]com/

// redirects to this anon filehost for applicable UAs

httpX://download.us-east-1.fromsmash[.]co/transfer/o__j34ymsr-et/file/57f99acc7c450b6d46375299cfea313a04b5c9d2?identity=a3aa69c86700fc05b854066a0e9dc0c5-46a18736882df635ff3cb7ed43d39ba05859a992c5ec0d2b7ef47c8d99fc4de6c7884d5fcf7019eafa90291a05c7421c3ef7b7b78d70fbcdced31f8a3b50dec16c04299c9ea69377415fe2a33d26899c&Expires=1768719805&Key-Pair-Id=APKAIM76HR2FWFZRN3HA&Signature=eG9gFcmZF2zZXoRTPyWemG0syj4bEbtNOitCECgcjF-XyQzUb6i9skCN~9pKcSr0n31JPfnCbfSytbNS1MdgsbQH5kpxQQthp4bhK38Xqmbsd~Gc-VgT7M~3ml7K0H1uiPrvd8eu7oWTWEaUJJjyAn-ZbqAVRSD99AjhJ8O~yWD49~nlYowUR0fO7R-gPtNd1BtB278xB3DdW0js1M2os8T5AwIULZKOW3-oDjMhrAXCfqzwGOrH8GxNyJpA09sP8ZBWvDOb73ykYWb47~UZPBLV0T2hnWGkDW5ZHoKhZUwedrankpheTBG51DeSM81OZi3ZPOEbngtGZDvtIYQtEg__

Command-and-control IPv4 map, 2025-12-22 to 2026-01-04 #IOCs
https://abjuri5t.github.io/SarlackLab/

156.234.96[.]0/20
103.48.132[.]0/22
156.234.152[.]0/23
156.234.208[.]0/23
156.234.145[.]0/24
103.41.6[.]0/23
156.234.216[.]0/21
156.234.252[.]0/22
104.140.144[.]0/20

RE: https://chaos.social/@christopherkunz/115615056111216077

potentially pivotal: key indicators of compromise (#IoCs) identified by GitLab's Vulnerability Research team concerning an active, large-scale supply chain attack on the #npm ecosystem.
#DevSecOps

Over the past 30 days, our community shared 27,165 new #IOCs on ThreatFox 🦊 — an 18% increase from the previous month.

👏 Huge shoutout to 'juroots', our top contributor with 2,746 IOCs submitted.
💀 The most-shared malware family (or in this case framework)? Clearfake, with 2,817 IOCs reported.

Find the full breakdown here: 👉 https://threatfox.abuse.ch/statistics/

#ThreatFox #CommunityPower #SharingIsCaring #CyberThreatIntel

Over the past 30 days, our community shared 27,165 new #IOCs on ThreatFox 🦊 — an 18% increase from the previous month.

👏 Huge shoutout to 'juroots', our top contributor with 2,746 IOCs submitted.
💀 The most-shared malware family (or in this case framework)? Clearfake, with 2,817 IOCs reported.

Find the full breakdown here: 👉 https://threatfox.abuse.ch/statistics/

#ThreatFox #CommunityPower #SharingIsCaring #CyberThreatIntel

Over the past 30 days, our community shared 27,165 new #IOCs on ThreatFox 🦊 — an 18% increase from the previous month.

👏 Huge shoutout to 'juroots', our top contributor with 2,746 IOCs submitted.
💀 The most-shared malware family (or in this case framework)? Clearfake, with 2,817 IOCs reported.

Find the full breakdown here: 👉 https://threatfox.abuse.ch/statistics/

#ThreatFox #CommunityPower #SharingIsCaring #CyberThreatIntel

Over the past 30 days, our community shared 27,165 new #IOCs on ThreatFox 🦊 — an 18% increase from the previous month.

👏 Huge shoutout to 'juroots', our top contributor with 2,746 IOCs submitted.
💀 The most-shared malware family (or in this case framework)? Clearfake, with 2,817 IOCs reported.

Find the full breakdown here: 👉 https://threatfox.abuse.ch/statistics/

#ThreatFox #CommunityPower #SharingIsCaring #CyberThreatIntel

Over the past 30 days, our community shared 27,165 new #IOCs on ThreatFox 🦊 — an 18% increase from the previous month.

👏 Huge shoutout to 'juroots', our top contributor with 2,746 IOCs submitted.
💀 The most-shared malware family (or in this case framework)? Clearfake, with 2,817 IOCs reported.

Find the full breakdown here: 👉 https://threatfox.abuse.ch/statistics/

#ThreatFox #CommunityPower #SharingIsCaring #CyberThreatIntel

Command-and-control domain tree, 2025-09-26 to 2025-10-09 #IOCs
https://abjuri5t.github.io/SarlackLab/

*.at[.]ply[.]gg
*.bj[.]baidubce[.]com
*.ap-guangzhou[.]tencentscf[.]com
*.su[.]baidubce[.]com
*.dianqi1[.]jiayongdianqi[.]xyz
*.dianqi2[.]jiayongdianqi[.]xyz

CVE-2025-61882: Cadena pre-auth RCE en Oracle E-Business Suite https://www.hackplayers.com/2025/10/cve-2025-61882-cadena-pre-auth-rce-oracle.html #vulnerabilidades #amenazas #0day #iocs

Over the last 30 days, the community shared 26,575 #IOCs on ThreatFox 🦊. That's a 83% jump on the previous month. 🚀 And topping the charts: XtremeRAT, with 6,640 IOCs 💀

Find more ThreatFox statistics here:
👉 https://threatfox.abuse.ch/statistics

#SharingIsCaring #XtremeRAT #Malware #ThreatIntel

This report complements @_CERT_UA’s findings and arms #SOC teams with fresh #IOCs, #YARA rules and detailed behavioural indicators. We thank our trusted partner for his time and insights into this subject.

Command-and-control IPv4 map, 2025-07-19 to 2025-08-01 #IOCs
https://abjuri5t.github.io/SarlackLab/

124.220.0[.]0/14
43.136.0[.]0/13
38.128.0[.]0/9
101.42.0[.]0/15
1.94.0[.]0/16
106.52.0[.]0/14
38.32.0[.]0/11
196.251.84[.]0/22
101.200.0[.]0/15
39.104.0[.]0/14
1.14.0[.]0/15

2025-03-26 (Wednesday): #SmartApeSG traffic for a fake browser update page leads to a #NetSupport #RAT infection. A zip archive for #StealC sent over the #NetSupportRAT C2 traffic.

The #StealC infection uses DLL side-loading by a legitimate EXE to #sideload the malicious DLL.

A #pcap from an infection, the associated #malware samples, and #IOCs are available at at https://www.malware-traffic-analysis.net/2025/03/26/index.html

2025-03-26 (Wednesday): #SmartApeSG traffic for a fake browser update page leads to a #NetSupport #RAT infection. A zip archive for #StealC sent over the #NetSupportRAT C2 traffic.

The #StealC infection uses DLL side-loading by a legitimate EXE to #sideload the malicious DLL.

A #pcap from an infection, the associated #malware samples, and #IOCs are available at at https://www.malware-traffic-analysis.net/2025/03/26/index.html

Stay alert! These disinformation campaigns affect all of us, no matter where we are!

Traffic Distribution Systems (TDSs) run by malicious adtech companies are seen delivering disinformation in different languages, tailored to the country the victim accesses from. They utilize subdomains to differentiate their content. The landing pages impersonate well-known brands and celebrities, aiming to deceive users. It's crucial to block these TDS domains and prevent any content they deliver.

Here are some examples of TDS domains that redirect to these disinformation campaigns:

zoograithavaupy[.]net
asjynxon[.]com
phaunaitsi[.]net

And here are some landing page domains associated with this campaign:

cooknove[.]com
healthbrit[.]com
foodleas[.]com
daily-web[.]live

#phishing #dns #scam #fraud #disinformation #threatIntel #cybercrime #threatIntelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #iocs #domains #impersonating

https://urlscan.io/result/ef3f29ea-67df-4010-8a18-4638d401ab67/#summary

🤓 I’ve been using Maltego Graph for a while, and it’s one of the best tools for visualizing investigations and pivoting!

One of the best feature is the use of Machines to automate pivoting and enrichment! 🤖

🔍 For example, you can create a Machine to automatically enrich an IP address with WHOIS info and then pivot through associated email addresses with a single click.

I have created a cheat sheet you can refer to when using Maltego 👇

I’m curious — how many of you have already created Maltego automation with Machines?

@Maltego @maltegohq #threatintel #investigation #malware #IOCS #graphs #maltego

Continued fun in mobile threats.. One of our analyst received these two different threats on her household Android phones on the same day.. usually Google does a pretty good job filtering them out, but failed here. These show two different #dns trends that we see in practice. The use of a shortener which redirects to an Amazon lookalike domain -- we often just see the lookalike in the message.

The amazon one led to amazonfey[.]co and the same actor had over 300 active lookalikes to Amazon and other services. These guys are fairly easy to track in DNS using fingerprinting. Blocking at DNS providers will help reduce where Google, Apple, and other service providers miss some.

The Wells Fargo / Apple alert used an old domain -- a "drop catch" that has been picked up by a threat actor. This might look obvious but people work on alarm -- if you have a Wells Fargo account and see a big charge, you might just click without thinking.

#dns #cybersecurity #InfobloxThreatIntel #Infoblox #dropCatchDomains #IOCs #threatIntel #cybercrime #lookalikes

In 2023, the average cost of data breaches surged to $4.45 million, making a 15% increase over three years. To mitigate this impact on your organization, use #Maltego to examine and analyze vulnerabilities, visualizing internal data and #IoCs within a single user interface. Our playbook demonstrates how to efficiently conduct a data breach investigation using Maltego, breaking down the process into five stages with mock-up graphs and detailed explanations. Learn more: https://www.maltego.com/blog/investigating-the-impact-of-potential-data-breaches-with-maltego/?utm_source=mastodon&utm_medium=social&utm_campaign=CSO&utm_content=maltego.com

QQ for my #ITOps crew:

What is the best #conference, #event, #tradeshow to learn about #CloudOps, #AIOps, #Observability, #SRE, #PlatformEngineering, #devOPS, #reliability engineering, and other modern #CloudNative approaches for #IT Ops?

#Reinvent, #IOCS, #DevOpsDays ... and?

QQ for my #ITOps crew:

What is the best #conference, #event, #tradeshow to learn about #CloudOps, #AIOps, #Observability, #SRE, #PlatformEngineering, #devOPS, #reliability engineering, and other modern #CloudNative approaches for #IT Ops?

#Reinvent, #IOCS, #DevOpsDays ... and?

Great blog post by a colleague of mine who asks why "Security through obscurity" is not dead in 2023! How many "#cybersecurity #incidents" is it going to take to finally realize that keeping your #securitycontrols a secret is a good thing? How many times does the #cybercommunity have to demonstrate that sharing of #threatintelligence, #TTPs, #IOCs, #securityconcepts, #AwarenessTraining methods, #zerodays, and everything else that goes along with having a #DefenseInDepth approach to a #HealthySecurityProgram, is ACTUALLY THE GOOD THING 🤨

(ahem)

You want to know about the platform I architected? No problem! 👌🏻
You want to know what Threat Intelligence I gather? Check my GitHub (link on my profile 😁).
You want the keys to my kingdom? 🤣 No, but thanks for playing 👍🏻

I'm NOT saying #compromise yourself or open some dark #backdoor to your systems. Just share the knowledge of how you're protecting stuff! Everyone is more #secure for it, and the next generation will make it better.

https://kalahari.substack.com/p/security-through-obscurity?sd=pf

#FakeSG / #RogueRaticate leading to #netsupportrat

ebodyfit[.]com/wp-content/uploads/ultimatemember/58/downloading-(114.0.522735.199%20(Official%20Build).url

ebodyfit[.]com/wp-content/uploads/ultimatemember/57/consciousnessx.hta

ebodyfit[.]com/wp-content/uploads/ultimatemember/56/housealba.zip

ebodyfit[.]com/wp-content/uploads/ultimatemember/56/clients32.exe

#threatintel #IOCs

Some Magecart IOCs. This is the #Kritec skimmer (https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art)

lemodigit[.]online
macsetech[.]online
mopedigit[.]shop
ttewe[.]quest
yalomob[.]pics

yalomob[.]pics/mage-cache-loader-v2-4.min.js
ttewe[.]quest/cleanfeed-loader.js

#Magecart #iocs #threatintel

Found a guide for NetScaler (Citrix ADC) CVE-2023-3519 that explains how to validate and check for (currently) known Indicators of Compromise (IoCs) on a local CITRIX device.

The full guide including the commands, can be found here: [Checklist for Citrix ADC CVE-2023-3519](https://www.deyda.net/index.php/en/2023/07/19/checklist-for-citrix-adc-cve-2023-3519/)

Please bear in mind that this is a guide "found on the internet". Although it appears to be reliable and it was mentioned by SANS stormcast, these devices are not my specific area of expertise. Use your brain and use at your own risk...

Here are some key points from the article:

1. **Log in with nsroot or another administrative account.**

2. **Find out the time of the last update.** - This command lists the details of the files in the /var/nsinstall directory, which can help determine when the last update occurred.
```
shell ls -ll /var/nsinstall
```

3. **Check whether certain files have been adjusted since the last update.** - These commands find and list files in specified directories that have been modified since the last update.
```
shell
find /netscaler/ns_gui/ -type f -name *.php -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
find /var/vpn/ -type f -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
find /var/netscaler/logon/ -type f -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
find /var/python/ -type f -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
```

4. **Check for HTTP error log files.** - These commands search for .sh and .php entries in the HTTP error log files.
```
zgrep '\.sh' /var/log/httperror.log*
zgrep '\.php' /var/log/httperror.log*
```

5. **Check for Shell log files.** - This command searches for entries related to '/flash/nsconfig/keys' in the shell log files.
```
grep '/flash/nsconfig/keys' /var/log/sh.log*
```

6. **Check log files for known IOCs.** - This command finds and lists files with root permissions that have been modified since the last update.
```
find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
```

7. **Check for Nobody processes.** - This command lists processes running under the 'nobody' user that are not associated with '/bin/httpd'.
```
shell ps aux | grep nobody | grep -v '/bin/httpd'
```


#NetScaler #CitrixADC #CVE20233519 #SecurityGuide #IndicatorsOfCompromise #IoCs #InfoSec #CyberSecurity #VulnerabilityManagement #SecurityInvestigation #SysAdminTips #NetworkSecurity #CyberThreats #ITSecurity #OnlineSecurity #CyberAware #TechSafety #SecureNetworking #VulnerabilityScanning #InfoSecAwareness

Found a guide for NetScaler (Citrix ADC) CVE-2023-3519 that explains how to validate and check for (currently) known Indicators of Compromise (IoCs) on a local CITRIX device.

The full guide including the commands, can be found here: [Checklist for Citrix ADC CVE-2023-3519](https://www.deyda.net/index.php/en/2023/07/19/checklist-for-citrix-adc-cve-2023-3519/)

Please bear in mind that this is a guide "found on the internet". Although it appears to be reliable and it was mentioned by SANS stormcast, these devices are not my specific area of expertise. Use your brain and use at your own risk...

Here are some key points from the article:

1. **Log in with nsroot or another administrative account.**

2. **Find out the time of the last update.** - This command lists the details of the files in the /var/nsinstall directory, which can help determine when the last update occurred.
```
shell ls -ll /var/nsinstall
```

3. **Check whether certain files have been adjusted since the last update.** - These commands find and list files in specified directories that have been modified since the last update.
```
shell
find /netscaler/ns_gui/ -type f -name *.php -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
find /var/vpn/ -type f -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
find /var/netscaler/logon/ -type f -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
find /var/python/ -type f -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
```

4. **Check for HTTP error log files.** - These commands search for .sh and .php entries in the HTTP error log files.
```
zgrep '\.sh' /var/log/httperror.log*
zgrep '\.php' /var/log/httperror.log*
```

5. **Check for Shell log files.** - This command searches for entries related to '/flash/nsconfig/keys' in the shell log files.
```
grep '/flash/nsconfig/keys' /var/log/sh.log*
```

6. **Check log files for known IOCs.** - This command finds and lists files with root permissions that have been modified since the last update.
```
find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
```

7. **Check for Nobody processes.** - This command lists processes running under the 'nobody' user that are not associated with '/bin/httpd'.
```
shell ps aux | grep nobody | grep -v '/bin/httpd'
```


#NetScaler #CitrixADC #CVE20233519 #SecurityGuide #IndicatorsOfCompromise #IoCs #InfoSec #CyberSecurity #VulnerabilityManagement #SecurityInvestigation #SysAdminTips #NetworkSecurity #CyberThreats #ITSecurity #OnlineSecurity #CyberAware #TechSafety #SecureNetworking #VulnerabilityScanning #InfoSecAwareness

Found a guide for NetScaler (Citrix ADC) CVE-2023-3519 that explains how to validate and check for (currently) known Indicators of Compromise (IoCs) on a local CITRIX device.

The full guide including the commands, can be found here: [Checklist for Citrix ADC CVE-2023-3519](https://www.deyda.net/index.php/en/2023/07/19/checklist-for-citrix-adc-cve-2023-3519/)

Please bear in mind that this is a guide "found on the internet". Although it appears to be reliable and it was mentioned by SANS stormcast, these devices are not my specific area of expertise. Use your brain and use at your own risk...

Here are some key points from the article:

1. **Log in with nsroot or another administrative account.**

2. **Find out the time of the last update.** - This command lists the details of the files in the /var/nsinstall directory, which can help determine when the last update occurred.
```
shell ls -ll /var/nsinstall
```

3. **Check whether certain files have been adjusted since the last update.** - These commands find and list files in specified directories that have been modified since the last update.
```
shell
find /netscaler/ns_gui/ -type f -name *.php -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
find /var/vpn/ -type f -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
find /var/netscaler/logon/ -type f -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
find /var/python/ -type f -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
```

4. **Check for HTTP error log files.** - These commands search for .sh and .php entries in the HTTP error log files.
```
zgrep '\.sh' /var/log/httperror.log*
zgrep '\.php' /var/log/httperror.log*
```

5. **Check for Shell log files.** - This command searches for entries related to '/flash/nsconfig/keys' in the shell log files.
```
grep '/flash/nsconfig/keys' /var/log/sh.log*
```

6. **Check log files for known IOCs.** - This command finds and lists files with root permissions that have been modified since the last update.
```
find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
```

7. **Check for Nobody processes.** - This command lists processes running under the 'nobody' user that are not associated with '/bin/httpd'.
```
shell ps aux | grep nobody | grep -v '/bin/httpd'
```


#NetScaler #CitrixADC #CVE20233519 #SecurityGuide #IndicatorsOfCompromise #IoCs #InfoSec #CyberSecurity #VulnerabilityManagement #SecurityInvestigation #SysAdminTips #NetworkSecurity #CyberThreats #ITSecurity #OnlineSecurity #CyberAware #TechSafety #SecureNetworking #VulnerabilityScanning #InfoSecAwareness

Found a guide for NetScaler (Citrix ADC) CVE-2023-3519 that explains how to validate and check for (currently) known Indicators of Compromise (IoCs) on a local CITRIX device.

The full guide including the commands, can be found here: [Checklist for Citrix ADC CVE-2023-3519](https://www.deyda.net/index.php/en/2023/07/19/checklist-for-citrix-adc-cve-2023-3519/)

Please bear in mind that this is a guide "found on the internet". Although it appears to be reliable and it was mentioned by SANS stormcast, these devices are not my specific area of expertise. Use your brain and use at your own risk...

Here are some key points from the article:

1. **Log in with nsroot or another administrative account.**

2. **Find out the time of the last update.** - This command lists the details of the files in the /var/nsinstall directory, which can help determine when the last update occurred.
```
shell ls -ll /var/nsinstall
```

3. **Check whether certain files have been adjusted since the last update.** - These commands find and list files in specified directories that have been modified since the last update.
```
shell
find /netscaler/ns_gui/ -type f -name *.php -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
find /var/vpn/ -type f -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
find /var/netscaler/logon/ -type f -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
find /var/python/ -type f -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
```

4. **Check for HTTP error log files.** - These commands search for .sh and .php entries in the HTTP error log files.
```
zgrep '\.sh' /var/log/httperror.log*
zgrep '\.php' /var/log/httperror.log*
```

5. **Check for Shell log files.** - This command searches for entries related to '/flash/nsconfig/keys' in the shell log files.
```
grep '/flash/nsconfig/keys' /var/log/sh.log*
```

6. **Check log files for known IOCs.** - This command finds and lists files with root permissions that have been modified since the last update.
```
find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt {Timestamp of Installer Files +1} -exec ls -l {} \;
```

7. **Check for Nobody processes.** - This command lists processes running under the 'nobody' user that are not associated with '/bin/httpd'.
```
shell ps aux | grep nobody | grep -v '/bin/httpd'
```


#NetScaler #CitrixADC #CVE20233519 #SecurityGuide #IndicatorsOfCompromise #IoCs #InfoSec #CyberSecurity #VulnerabilityManagement #SecurityInvestigation #SysAdminTips #NetworkSecurity #CyberThreats #ITSecurity #OnlineSecurity #CyberAware #TechSafety #SecureNetworking #VulnerabilityScanning #InfoSecAwareness

New #SolarMarker malware! 🌞​

Bing SEO poisoning -> fake website impersonating @internetarchive -> .exe malware (298.09 MB) -> walkymanki[.]com

#IOCs #Malware #CTI
https://www.virustotal.com/gui/file/7a8d7d470cf8980a25e25b5de5e121892304ed86b9ab66e39d323637402235e9

I used this script for extracting the C2 value from the sample: https://github.com/RussianPanda95/Configuration_extractors/blob/main/solarmarker_payload_extractor.py

@cisacyber #RedTeam Shares Key Findings to Improve #Monitoring and #Hardening of #Networks - a recommended read for anyone managing a network cyber security team :WeAreNameless:

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a

#TechnicalDocumentation #IOCs #TTPs #CyberDefense #CyberWar #CISA

🚨 #RansomwareUpdate #ESXiArgs #Ransomware🚨
If you're looking for #IOCs on that new #VMware ransomware, here's the deets https://blogs.blackberry.com/en/2023/02/esxiargs-ransomware-knocking-out-unpatched-vmware-esxi-linux-servers-worldwide

#threatintelligence #hacking #ProtectYourData

Full write up and #IOCs for #APT15 aka #PlayfulTaurus and their campaign against Iranian targets

"#Turian #malware...we recently identified new variants of this backdoor as well as new command and control infrastructure. Analysis of both the samples and connections to the malicious infrastructure suggests that several Iranian government networks have likely been compromised by Playful Taurus."

https://unit42.paloaltonetworks.com/playful-taurus/

#threatintelligence #hacking #ChineseGovernement

Sophos has observed new IcedID #malvertizing campaigns themed around adobe & other popular software packages

🧊​ Infection Chain:

➡️​ Google search for "adobe reader"
↪️​ Google ad click
↪️​ TDS redirect: `likhs299us[.]tech`
🎣​ Fake website: vvw-adobe[.]top
↪️​ Download of malware from firebase (.zip containing a .iso)
🗄️​ Setup_Win_<timestamp>.zip / Setup_Win_<timestamp>.iso

#IcedID C2: plivetrakoy[.]com

#IOCs:
🔗​ https://www.virustotal.com/gui/file/be9ac59a6b2ea2bf55a57aec8a993a9ff77e5f6ad92531ff3cdbb7ac35295cef/content
🔗​ https://www.virustotal.com/gui/ip-address/46.173.218.229/relations
#ThreatIntel #Malware #CTI