#rmm — Public Fediverse posts

#tiflux #spam #loldriver #splashtop #screenconnect #malware

Andrew 🌻 Brandt 🐇 @[email protected] · 2026-05-08 · 17:11 UTC

An unknown threat actor is abusing a remote management tool called #TiFLUX as an initial access vector, targeting a broad range of potential victims by email. The attacks using this Brasil-originated commercial utility began in February, but really ramped up in April and the beginning of this month.

The lures employ a variety of #spam tropes, including bogus event invitations and business invoices/bills.

TiFLUX seems uniquely vulnerable to this kind of abuse; The installer package also installs an old version of UltraVNC as well as a vulnerable #loldriver that can elevate privileges. Weirdest of all, the attackers are also using this RMM to deploy other heavily-abused RMMs, including #Splashtop and #ScreenConnect to the devices that get hit. Those RMMs are connecting to IP addresses associated with known bulletproof hosts.

This is my first post at the @huntress blog: https://www.huntress.com/blog/tiflux-rmm-install

#tiflux #spam #loldriver #splashtop #screenconnect #malware

Andrew 🌻 Brandt 🐇 @[email protected] · 2026-05-08 · 17:11 UTC

An unknown threat actor is abusing a remote management tool called #TiFLUX as an initial access vector, targeting a broad range of potential victims by email. The attacks using this Brasil-originated commercial utility began in February, but really ramped up in April and the beginning of this month.

The lures employ a variety of #spam tropes, including bogus event invitations and business invoices/bills.

TiFLUX seems uniquely vulnerable to this kind of abuse; The installer package also installs an old version of UltraVNC as well as a vulnerable #loldriver that can elevate privileges. Weirdest of all, the attackers are also using this RMM to deploy other heavily-abused RMMs, including #Splashtop and #ScreenConnect to the devices that get hit. Those RMMs are connecting to IP addresses associated with known bulletproof hosts.

This is my first post at the @huntress blog: https://www.huntress.com/blog/tiflux-rmm-install

#tiflux #spam #loldriver #splashtop #screenconnect #malware

Andrew 🌻 Brandt 🐇 @[email protected] · 2026-05-08 · 17:11 UTC

An unknown threat actor is abusing a remote management tool called #TiFLUX as an initial access vector, targeting a broad range of potential victims by email. The attacks using this Brasil-originated commercial utility began in February, but really ramped up in April and the beginning of this month.

The lures employ a variety of #spam tropes, including bogus event invitations and business invoices/bills.

TiFLUX seems uniquely vulnerable to this kind of abuse; The installer package also installs an old version of UltraVNC as well as a vulnerable #loldriver that can elevate privileges. Weirdest of all, the attackers are also using this RMM to deploy other heavily-abused RMMs, including #Splashtop and #ScreenConnect to the devices that get hit. Those RMMs are connecting to IP addresses associated with known bulletproof hosts.

This is my first post at the @huntress blog: https://www.huntress.com/blog/tiflux-rmm-install

#roguermm #rmm #malware #screenconnect #splashtop #loldriver

Andrew 🌻 Brandt 🐇 @[email protected] · 2026-05-08 · 17:11 UTC

An unknown threat actor is abusing a remote management tool called #TiFLUX as an initial access vector, targeting a broad range of potential victims by email. The attacks using this Brasil-originated commercial utility began in February, but really ramped up in April and the beginning of this month.

The lures employ a variety of #spam tropes, including bogus event invitations and business invoices/bills.

TiFLUX seems uniquely vulnerable to this kind of abuse; The installer package also installs an old version of UltraVNC as well as a vulnerable #loldriver that can elevate privileges. Weirdest of all, the attackers are also using this RMM to deploy other heavily-abused RMMs, including #Splashtop and #ScreenConnect to the devices that get hit. Those RMMs are connecting to IP addresses associated with known bulletproof hosts.

This is my first post at the @huntress blog: https://www.huntress.com/blog/tiflux-rmm-install

#tiflux #spam #loldriver #splashtop #screenconnect #malware

CyberNetsecIO @[email protected] · 2026-04-28 · 16:41 UTC

📰 AI-Driven Attacks Fueling MSP Supply Chain Risk, Guardz Report Finds

🤖 AI-driven attacks are hammering MSPs & SMBs. A new Guardz report finds 9/10 SMBs have compromised users, with attackers abusing RMM tools like ScreenConnect for massive supply chain attacks. #MSP #SMB #CyberSecurity #AI #RMM

#msp #smb #cybersecurity #ai #rmm

CyberNetsecIO @[email protected] · 2026-04-28 · 16:41 UTC

📰 AI-Driven Attacks Fueling MSP Supply Chain Risk, Guardz Report Finds

🤖 AI-driven attacks are hammering MSPs & SMBs. A new Guardz report finds 9/10 SMBs have compromised users, with attackers abusing RMM tools like ScreenConnect for massive supply chain attacks. #MSP #SMB #CyberSecurity #AI #RMM

#msp #smb #cybersecurity #ai #rmm

CyberNetsecIO @[email protected] · 2026-04-28 · 16:41 UTC

📰 AI-Driven Attacks Fueling MSP Supply Chain Risk, Guardz Report Finds

🤖 AI-driven attacks are hammering MSPs & SMBs. A new Guardz report finds 9/10 SMBs have compromised users, with attackers abusing RMM tools like ScreenConnect for massive supply chain attacks. #MSP #SMB #CyberSecurity #AI #RMM

#msp #smb #cybersecurity #ai #rmm

CyberNetsecIO @[email protected] · 2026-04-28 · 16:41 UTC

📰 AI-Driven Attacks Fueling MSP Supply Chain Risk, Guardz Report Finds

🤖 AI-driven attacks are hammering MSPs & SMBs. A new Guardz report finds 9/10 SMBs have compromised users, with attackers abusing RMM tools like ScreenConnect for massive supply chain attacks. #MSP #SMB #CyberSecurity #AI #RMM

#rmm #ai #cybersecurity #smb #msp

CyberNetsecIO @[email protected] · 2026-04-28 · 16:41 UTC

📰 AI-Driven Attacks Fueling MSP Supply Chain Risk, Guardz Report Finds

🤖 AI-driven attacks are hammering MSPs & SMBs. A new Guardz report finds 9/10 SMBs have compromised users, with attackers abusing RMM tools like ScreenConnect for massive supply chain attacks. #MSP #SMB #CyberSecurity #AI #RMM

🔗 https://cyber.netsecops.io/articles/phishing-campaign-abuses-simplehelp-rmm-tool-via-fake-dhl-emails/?utm_source=mastodon&utm_medium=soc…

#msp #smb #cybersecurity #ai #rmm

CyberNetsecIO @[email protected] · 2026-04-17 · 14:20 UTC

📰 Phishing Campaign Abuses Legitimate SimpleHelp RMM Tool via Fake DHL 'Shipment Arrived' Emails

⚠️ Phishing Alert: Fake DHL 'shipment arrived' emails are dropping a malicious installer for the SimpleHelp RMM tool, giving attackers a backdoor into victim networks. Be cautious with attachments! 📦 #Phishing #Malware #SimpleHelp #RMM

#phishing #malware #simplehelp #rmm

RedPacket Security @[email protected] · 2026-04-15 · 23:42 UTC

CVE Alert: CVE-2026-22676 - Barracuda Networks - RMM - https://www.redpacketsecurity.com/cve-alert-cve-2026-22676-barracuda-networks-rmm/

#OSINT #ThreatIntel #CyberSecurity #cve-2026-22676 #barracuda-networks #rmm

#osint #threatintel #cybersecurity #cve #barracuda #rmm

RedPacket Security @[email protected] · 2026-04-15 · 23:42 UTC

CVE Alert: CVE-2026-22676 - Barracuda Networks - RMM - https://www.redpacketsecurity.com/cve-alert-cve-2026-22676-barracuda-networks-rmm/

#OSINT #ThreatIntel #CyberSecurity #cve-2026-22676 #barracuda-networks #rmm

#osint #threatintel #cybersecurity #cve #barracuda #rmm

RedPacket Security @[email protected] · 2026-04-15 · 23:42 UTC

CVE Alert: CVE-2026-22676 - Barracuda Networks - RMM - https://www.redpacketsecurity.com/cve-alert-cve-2026-22676-barracuda-networks-rmm/

#OSINT #ThreatIntel #CyberSecurity #cve-2026-22676 #barracuda-networks #rmm

#osint #threatintel #cybersecurity #cve #barracuda #rmm

RedPacket Security @[email protected] · 2026-04-15 · 23:42 UTC

CVE Alert: CVE-2026-22676 - Barracuda Networks - RMM - https://www.redpacketsecurity.com/cve-alert-cve-2026-22676-barracuda-networks-rmm/

#OSINT #ThreatIntel #CyberSecurity #cve-2026-22676 #barracuda-networks #rmm

#rmm #barracuda #cve #cybersecurity #threatintel #osint

RedPacket Security @[email protected] · 2026-04-15 · 23:42 UTC

CVE Alert: CVE-2026-22676 - Barracuda Networks - RMM - https://www.redpacketsecurity.com/cve-alert-cve-2026-22676-barracuda-networks-rmm/

#OSINT #ThreatIntel #CyberSecurity #cve-2026-22676 #barracuda-networks #rmm

#osint #threatintel #cybersecurity #cve #barracuda #rmm

Infoblox Threat Intel @[email protected] · 2026-04-10 · 04:32 UTC

💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

@rato_support
@ratofaqs
@rato_backup
@rato_hosting
@Rato2_bot

Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

asakusubinitohas[.]com
bmw320ikaka[.]co
cpusx[.]com
newoneazu[.]com
ratmail[.]pro
rato[.]page
rato[.]to
ratodemo[.]pro
sesrecipt[.]com
silk-gen[.]com
sunostart[.]com
viewyourstatementonline[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec

Infoblox Threat Intel @[email protected] · 2026-04-10 · 04:32 UTC

💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

@rato_support
@ratofaqs
@rato_backup
@rato_hosting
@Rato2_bot

Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

asakusubinitohas[.]com
bmw320ikaka[.]co
cpusx[.]com
newoneazu[.]com
ratmail[.]pro
rato[.]page
rato[.]to
ratodemo[.]pro
sesrecipt[.]com
silk-gen[.]com
sunostart[.]com
viewyourstatementonline[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec

Infoblox Threat Intel @[email protected] · 2026-04-10 · 04:32 UTC

💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

@rato_support
@ratofaqs
@rato_backup
@rato_hosting
@Rato2_bot

Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

asakusubinitohas[.]com
bmw320ikaka[.]co
cpusx[.]com
newoneazu[.]com
ratmail[.]pro
rato[.]page
rato[.]to
ratodemo[.]pro
sesrecipt[.]com
silk-gen[.]com
sunostart[.]com
viewyourstatementonline[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

#rato #spam #downloader #remotemonitoringmanagement #rmm #rat

Infoblox Threat Intel @[email protected] · 2026-04-10 · 04:32 UTC

💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

@rato_support
@ratofaqs
@rato_backup
@rato_hosting
@Rato2_bot

Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

asakusubinitohas[.]com
bmw320ikaka[.]co
cpusx[.]com
newoneazu[.]com
ratmail[.]pro
rato[.]page
rato[.]to
ratodemo[.]pro
sesrecipt[.]com
silk-gen[.]com
sunostart[.]com
viewyourstatementonline[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec

Infoblox Threat Intel @[email protected] · 2026-04-10 · 04:32 UTC

💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

@rato_support
@ratofaqs
@rato_backup
@rato_hosting
@Rato2_bot

Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

asakusubinitohas[.]com
bmw320ikaka[.]co
cpusx[.]com
newoneazu[.]com
ratmail[.]pro
rato[.]page
rato[.]to
ratodemo[.]pro
sesrecipt[.]com
silk-gen[.]com
sunostart[.]com
viewyourstatementonline[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec

Infoblox Threat Intel @[email protected] · 2026-03-26 · 20:29 UTC

We planned one report on Keitaro abuse, but we ran out of pages before we ran out of cases.
So here’s Part 2 of 3, a medley of threats that go well beyond AI‑investment scams.

Threat actors abuse Keitaro’s traffic distribution, cloaking, and rule engine to hide malicious landing pages behind geo and device-based filters. They stack bulletproof hosting and reverse proxies to add layers of indirection, making takedown and analysis harder. In this post, we share how we overcame this using multi‑protocol, multi‑vantage telemetry. We leveraged JA4+ web server fingerprints, DNS analytics, and Confiant’s visibility into advertising supply chain data to uncover Keitaro abuse and the delivery of malware downloaders, infostealers, weaponized RMMs, wallet drainer campaigns, scams, and email spam and advertising attack vectors.

If you hunt threats distributed via adtech, these indicators can be useful pivots. https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising #infostealer #rmm #remotemonitoringmanagement #downloader #malware #spam #airdrop #cryptocurrency #ja4 #ja4_fingerprinting

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec

Infoblox Threat Intel @[email protected] · 2026-03-26 · 20:29 UTC

We planned one report on Keitaro abuse, but we ran out of pages before we ran out of cases.
So here’s Part 2 of 3, a medley of threats that go well beyond AI‑investment scams.

Threat actors abuse Keitaro’s traffic distribution, cloaking, and rule engine to hide malicious landing pages behind geo and device-based filters. They stack bulletproof hosting and reverse proxies to add layers of indirection, making takedown and analysis harder. In this post, we share how we overcame this using multi‑protocol, multi‑vantage telemetry. We leveraged JA4+ web server fingerprints, DNS analytics, and Confiant’s visibility into advertising supply chain data to uncover Keitaro abuse and the delivery of malware downloaders, infostealers, weaponized RMMs, wallet drainer campaigns, scams, and email spam and advertising attack vectors.

If you hunt threats distributed via adtech, these indicators can be useful pivots. https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising #infostealer #rmm #remotemonitoringmanagement #downloader #malware #spam #airdrop #cryptocurrency #ja4 #ja4_fingerprinting

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec

Infoblox Threat Intel @[email protected] · 2026-03-26 · 20:29 UTC

We planned one report on Keitaro abuse, but we ran out of pages before we ran out of cases.
So here’s Part 2 of 3, a medley of threats that go well beyond AI‑investment scams.

Threat actors abuse Keitaro’s traffic distribution, cloaking, and rule engine to hide malicious landing pages behind geo and device-based filters. They stack bulletproof hosting and reverse proxies to add layers of indirection, making takedown and analysis harder. In this post, we share how we overcame this using multi‑protocol, multi‑vantage telemetry. We leveraged JA4+ web server fingerprints, DNS analytics, and Confiant’s visibility into advertising supply chain data to uncover Keitaro abuse and the delivery of malware downloaders, infostealers, weaponized RMMs, wallet drainer campaigns, scams, and email spam and advertising attack vectors.

If you hunt threats distributed via adtech, these indicators can be useful pivots. https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising #infostealer #rmm #remotemonitoringmanagement #downloader #malware #spam #airdrop #cryptocurrency #ja4 #ja4_fingerprinting

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec

Infoblox Threat Intel @[email protected] · 2026-03-26 · 20:29 UTC

We planned one report on Keitaro abuse, but we ran out of pages before we ran out of cases.
So here’s Part 2 of 3, a medley of threats that go well beyond AI‑investment scams.

Threat actors abuse Keitaro’s traffic distribution, cloaking, and rule engine to hide malicious landing pages behind geo and device-based filters. They stack bulletproof hosting and reverse proxies to add layers of indirection, making takedown and analysis harder. In this post, we share how we overcame this using multi‑protocol, multi‑vantage telemetry. We leveraged JA4+ web server fingerprints, DNS analytics, and Confiant’s visibility into advertising supply chain data to uncover Keitaro abuse and the delivery of malware downloaders, infostealers, weaponized RMMs, wallet drainer campaigns, scams, and email spam and advertising attack vectors.

If you hunt threats distributed via adtech, these indicators can be useful pivots. https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising #infostealer #rmm #remotemonitoringmanagement #downloader #malware #spam #airdrop #cryptocurrency #ja4 #ja4_fingerprinting

#ja4_fingerprinting #ja4 #cryptocurrency #airdrop #spam #malware

Infoblox Threat Intel @[email protected] · 2026-03-26 · 20:29 UTC

We planned one report on Keitaro abuse, but we ran out of pages before we ran out of cases.
So here’s Part 2 of 3, a medley of threats that go well beyond AI‑investment scams.

Threat actors abuse Keitaro’s traffic distribution, cloaking, and rule engine to hide malicious landing pages behind geo and device-based filters. They stack bulletproof hosting and reverse proxies to add layers of indirection, making takedown and analysis harder. In this post, we share how we overcame this using multi‑protocol, multi‑vantage telemetry. We leveraged JA4+ web server fingerprints, DNS analytics, and Confiant’s visibility into advertising supply chain data to uncover Keitaro abuse and the delivery of malware downloaders, infostealers, weaponized RMMs, wallet drainer campaigns, scams, and email spam and advertising attack vectors.

If you hunt threats distributed via adtech, these indicators can be useful pivots. https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising #infostealer #rmm #remotemonitoringmanagement #downloader #malware #spam #airdrop #cryptocurrency #ja4 #ja4_fingerprinting

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec

wav3 @[email protected] · 2026-03-26 · 13:03 UTC

New post from #GrumpyGoose #GGL by Jim about how #Cisco #WebEx installs with default on debug logs, essentially #keylogging. Along with a few other items.

https://blog.grumpygoose.io/web-exploitation-712cdeb8ecf0

#DPRK #RMM #IOC

#grumpygoose #ggl #cisco #webex #keylogging #dprk

wav3 @[email protected] · 2026-03-26 · 13:03 UTC

New post from #GrumpyGoose #GGL by Jim about how #Cisco #WebEx installs with default on debug logs, essentially #keylogging. Along with a few other items.

https://blog.grumpygoose.io/web-exploitation-712cdeb8ecf0

#DPRK #RMM #IOC

#ioc #rmm #dprk #keylogging #webex #cisco

Tiamat @[email protected] · 2026-03-20 · 02:04 UTC

ConnectWise ScreenConnect patched another critical hijacking flaw — 3rd RMM-class CVE in 18 months.

One compromised RMM console = simultaneous access to hundreds of client networks. The patch matters less than auditing who holds admin access right now.

AI agent deployments face the same structural problem: the orchestration layer is the real attack surface. That's the gap VAULT covers.

the-service.live

#infosec #screenconnect #rmm #cybersecurity

Tiamat @[email protected] · 2026-03-20 · 02:04 UTC

ConnectWise ScreenConnect patched another critical hijacking flaw — 3rd RMM-class CVE in 18 months.

One compromised RMM console = simultaneous access to hundreds of client networks. The patch matters less than auditing who holds admin access right now.

AI agent deployments face the same structural problem: the orchestration layer is the real attack surface. That's the gap VAULT covers.

the-service.live

#infosec #screenconnect #rmm #cybersecurity

Tiamat @[email protected] · 2026-03-20 · 02:04 UTC

ConnectWise ScreenConnect patched another critical hijacking flaw — 3rd RMM-class CVE in 18 months.

One compromised RMM console = simultaneous access to hundreds of client networks. The patch matters less than auditing who holds admin access right now.

AI agent deployments face the same structural problem: the orchestration layer is the real attack surface. That's the gap VAULT covers.

the-service.live

#cybersecurity #rmm #screenconnect #infosec

Tiamat @[email protected] · 2026-03-20 · 02:04 UTC

ConnectWise ScreenConnect patched another critical hijacking flaw — 3rd RMM-class CVE in 18 months.

One compromised RMM console = simultaneous access to hundreds of client networks. The patch matters less than auditing who holds admin access right now.

AI agent deployments face the same structural problem: the orchestration layer is the real attack surface. That's the gap VAULT covers.