#spear-phishing — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #spear-phishing, aggregated by home.social.
-
Disclosing new PebbleDash-based tools
Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...
Pulse ID: 6a05af0979e3cc1214a50d4e
Pulse Link: https://otx.alienvault.com/pulse/6a05af0979e3cc1214a50d4e
Pulse Author: AlienVault
Created: 2026-05-14 11:16:25
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AppleSeed #BackDoor #Brazil #Cloud #CyberSecurity #Dropbox #Germany #GitHub #Government #HTTP #InfoSec #Kaspersky #Kimsuky #Korea #Malware #OTX #OpenThreatExchange #Phishing #RAT #Rust #SouthKorea #SpearPhishing #UK #bot #AlienVault
-
Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign
A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails containing malicious LNK files disguised as legitimate documents. Attackers use themes including airline e-tickets, North Korea research invitations, and impersonation of defense and police officials to induce execution. The LNK files employ environment variable-based obfuscation techniques to download additional BAT files, which establish a Python runtime environment and execute compiled Python bytecode disguised with .cat extensions. The malware functions as a remote command execution backdoor, communicating with C2 servers to receive commands and exfiltrate results. Persistence is maintained through scheduled tasks executing at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.
Pulse ID: 6a04a9a090a64de310cb0568
Pulse Link: https://otx.alienvault.com/pulse/6a04a9a090a64de310cb0568
Pulse Author: AlienVault
Created: 2026-05-13 16:41:04
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APT37 #BackDoor #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteCommandExecution #SpearPhishing #bot #AlienVault
-
📬 Stalkerware disaster: 86,859 private screenshots were exposed on the open internet
#Cyberangriffe #Datenschutz #CloudRepository #Cocospy #KontrollApp #SpearPhishing #Spyic #Spyzie #StalkerwareGAU https://sc.tarnkappe.info/ecf82b
-
Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare
A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.
Pulse ID: 69fc841d0cbc4c199d708315
Pulse Link: https://otx.alienvault.com/pulse/69fc841d0cbc4c199d708315
Pulse Author: AlienVault
Created: 2026-05-07 12:22:53
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #CredentialHarvesting #CyberSecurity #DataBreach #HTTP #HTTPS #Healthcare #HongKong #InfoSec #LNK #Malware #Military #OTX #OpenThreatExchange #PDF #Philippines #Phishing #RAT #SpearPhishing #Telecom #Telecommunication #UK #Vietnam #Windows #bot #AlienVault
-
Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned Aviation Sector Ahead of Moscow Summit
A sophisticated spear phishing campaign targets professionals in the Eurasian unmanned aviation sector, timed to coincide with the XIII Eurasian International Forum 'Unmanned Aviation 2026' in Moscow. The attack delivers malicious archives containing Rust-based executables disguised as legitimate documents from the Russian Aeronautical Information Center. The malware displays aviation-themed decoy documents in Russian while collecting system information including hostnames, volume serial numbers, network adapter details, and environment variables. Collected data is encrypted via XOR and exfiltrated to a C2 server over HTTPS. The malware subsequently downloads and executes a second-stage payload using AES-256 decryption. The campaign demonstrates targeted social engineering with realistic aviation order documents, translation certificates, and product summaries to compromise victims in Russia, Tajikistan, Central Asia, Middle East and Europe.
Pulse ID: 69fb57e600c03f5a6ac63de0
Pulse Link: https://otx.alienvault.com/pulse/69fb57e600c03f5a6ac63de0
Pulse Author: AlienVault
Created: 2026-05-06 15:01:58
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #CentralAsia #CyberSecurity #Europe #HTTP #HTTPS #InfoSec #Malware #MiddleEast #OTX #OpenThreatExchange #Phishing #RAT #Russia #Rust #SocialEngineering #SpearPhishing #bot #AlienVault
-
Analysis of Attack Activities Using SSH+TOR Tunnels to Achieve Covert Persistence
APT-C-13 (Sandworm), also known as FROZENBARENTS, is a state-sponsored advanced persistent threat group conducting global cyber espionage operations. The organization recently deployed malicious campaigns using nested SSH and TOR tunnel infrastructure to establish covert remote access channels. Attackers distribute ZIP archives containing weaponized LNK files via spearphishing emails, which extract and execute payloads that create scheduled tasks disguised as legitimate software. The attack establishes dual-encrypted anonymous tunnels using obfs4 protocol to bypass deep packet inspection, while mapping sensitive ports (SMB/445, RDP/3389) to Onion domains for persistent backdoor access. The campaign leverages sophisticated anti-analysis techniques including sandbox detection, file disguise, and process masquerading to evade detection and maintain long-term unauthorized control over compromised systems for intelligence collection.
Pulse ID: 69f1f50a5410ca637c84368c
Pulse Link: https://otx.alienvault.com/pulse/69f1f50a5410ca637c84368c
Pulse Author: AlienVault
Created: 2026-04-29 12:09:46
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #CyberSecurity #Email #Espionage #InfoSec #LNK #OTX #Onion #OpenThreatExchange #Phishing #RAT #RDP #SMB #SSH #Sandworm #SpearPhishing #Worm #ZIP #bot #AlienVault
-
Attack Activity Analysis Using SSH+TOR Tunnels for Covert Persistence
APT-C-13 (Sandworm), also known as FROZENBARENTS, is a state-sponsored advanced persistent threat group conducting global cyber espionage targeting government agencies, diplomatic departments, energy enterprises, and research organizations. Recently detected samples reveal the group's use of nested SSH and TOR tunnel architecture to establish covert communication channels. The attack begins with spear-phishing emails delivering malicious LNK files disguised as PDF documents. Upon execution, the payload deploys TOR hidden services mapping internal ports (SMB/445, RDP/3389) to onion domains, while SSH services with public key authentication provide encrypted remote access. The malware employs obfs4 protocol to obfuscate TOR traffic, evading deep packet inspection. Persistence is achieved through scheduled tasks masquerading as legitimate applications like Opera GX and Dropbox, establishing an anonymous shadow management infrastructure for sustained intelligence collection.
Pulse ID: 69f06b1eeeb1fca735cb0bb8
Pulse Link: https://otx.alienvault.com/pulse/69f06b1eeeb1fca735cb0bb8
Pulse Author: AlienVault
Created: 2026-04-28 08:09:02
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #Dropbox #Email #Espionage #Government #InfoSec #LNK #Malware #OTX #Onion #OpenThreatExchange #Opera #PDF #Phishing #RDP #SMB #SSH #Sandworm #SpearPhishing #Worm #bot #AlienVault
-
#Signal responds to German problems | heise online https://www.heise.de/news/Signal-Angriffe-Signal-raet-zu-Obacht-und-Registrierungssperre-11274258.html #phishing #SocialEngineering #SpearPhishing #CyberCrime @signalapp
-
Operation PhantomCLR: Stealth Execution via AppDomain Hijacking and In-Memory .NET Abuse
A highly sophisticated multi-stage post-exploitation framework targeting organizations in the Middle East and EMEA financial sectors exploits legitimate digitally signed Intel utilities through .NET AppDomainManager mechanism abuse. The attack leverages trusted binary proxy execution, bypassing EDR and antivirus solutions through JIT-based memory execution and sandbox evasion using computational delays and cryptographic key derivation loops. Initial access occurs via spear-phishing with Arabic-language decoys impersonating Saudi government documents. Once executed, the framework establishes command-and-control communication through Amazon CloudFront CDN domain fronting, employing reflective DLL loading, direct syscall usage, and anti-forensic memory cleanup techniques. The modular plugin-based architecture demonstrates capabilities consistent with advanced persistent threat actors, featuring sophisticated evasion mechanisms including PEB-based API resolution, custom PE export walking, and heap-walking cont...
Pulse ID: 69e389bd5760ef67b7f37472
Pulse Link: https://otx.alienvault.com/pulse/69e389bd5760ef67b7f37472
Pulse Author: AlienVault
Created: 2026-04-18 13:40:13
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Amazon #Arabic #CDN #Cloud #CyberSecurity #EDR #Government #InfoSec #MiddleEast #NET #OTX #OpenThreatExchange #Phishing #Proxy #RAT #Rust #SMS #SpearPhishing #bot #AlienVault
-
A fake grant from NED: anatomy of a targeted phishing attack
On 18 February 2026, an NGO employee received a targeted phishing email purportedly from the National Endowment for Democracy, a US foundation that supports democracy. Addressing the recipient by full name, a reference to a "previous grant application" (which never existed), and a mention of a document that is not actually in the email: the classic "phantom attachment" technique, in which the first email establishes trust and the malicious file arrives only in reply to the victim's response. This article breaks the attack down by headers, infrastructure and social engineering. The material will be useful to SOC analysts and NGO staff: at the end there are IOCs, a kill chain and recommendations for mail administrators.
https://habr.com/ru/articles/1004156/
#информационная_безопасность #фишинг #spearphishing #threat_intelligence #социальная_инженерия #email_security
-
Phishing in the guise of Meta: SPF pass, DKIM pass, Gmail inbox
On 2 March 2026 I received a phishing email for analysis. Sender: "M e t a"; subject: "[Action required] Complete verification to restore ad delivery". SPF pass, DKIM pass, ARC pass: the email passed every check and sat in the Gmail inbox. The key is the chain Resend.com → Amazon SES → Gmail, where every element is legitimate. I break down how the attackers achieved this and why it works.
https://habr.com/ru/articles/1005750/
#информационная_безопасность #фишинг #spearphishing #threat_intelligence #социальная_инженерия #email_security
-
Crazy stuff: Pine64 (one of our suppliers) just informed me that apparently a #spearPhishing attack on us was being prepared (at least that's how it looks to me).
"Tom Milton" introduced himself to the supplier as our new "Lead Accountant".
I assume dear Tom would then have sent us forged invoices....
What do you think?
-
A five-month spearphishing operation discovered by Socket has transformed the npm registry into a durable hosting layer for AiTM credential theft, specifically targeting sales teams in the manufacturing and healthcare industries.
#SecurityLand #Cybersecurity #Research #NPM #Phishing #CriticalInfrastructure #AiTM #Spearphishing #Dev
-
There's a new look to modern day #ransomware attacks (no) thanks to the Ransomware-as-a-Service (#RaaS) ecosystem. As attackers continue to automate spear #phishing and other processes, identifying and mitigating these email threats becomes both more important and more challenging. 😓 So, let's talk about how your team can improve their risk mitigation strategies.
In this article we review:
🎣 Phishing, spear phishing, and whaling
📧 Why ransomware email threats are so successful
🛡️ Best practices for mitigating these threats
Dig into the details of implementing email security, centralizing security data, integrating threat intelligence, identifying very attacked persons (VAPs), and more.
https://graylog.org/post/understanding-ransomware-email-threats/ #SpearPhishing #ThreatIntel #SIEM #CyberSecurity
-
🚨 The OpenAI/Mixpanel breach is not just a "vendor issue"—it's a systemic failure. We analyzed 3 years of security incidents at OpenAI and compared them to the fortified architectures of Google Gemini and Anthropic Claude.
#SecurityLand #ExpertDecode #AI #SecurityBreach #Cyberattack #OpenAI #ChatGPT #Claude #Gemini #SpearPhishing #Business #Enterprise #Mixpanel
Read More: https://www.security.land/openai-mixpanel-breach-security-analysis-2025/
-
North Korean hackers are using Google’s own tools to remotely wipe Android devices and hijack messaging apps. Think your account is safe? Dive into how a single breach can trigger a digital meltdown.
#konni
#apt37
#cyberespionage
#androidsecurity
#googlefindhub
#malware
#northkorea
#spearphishing
#infosec
-
Alert: Chinese hackers exploit a serious Windows flaw to spy on diplomats in Europe
🔗 https://tugatech.com.pt/t73692-alerta-hackers-chineses-exploram-falha-grave-do-windows-para-espiar-diplomatas-na-europa
#ataque #ciberespionagem #cve #grave #hackers #microsoft #segurança #sem #spearphishing #trojan #vulnerabilidade #windows
-
Attackers target retailers’ gift card systems using cloud-only techniques https://www.helpnetsecurity.com/2025/10/22/cloud-based-techniques-gift-card-fraud/ #PaloAltoNetworks #cloudsecurity #spearphishing #Microsoft365 #Don'tmiss #Hotstuff #retail #News
-
PhantomCaptcha: the attack that used a fake CAPTCHA to spy on the Ukrainian government
🔗 https://tugatech.com.pt/t73269-phantomcaptcha-o-ataque-que-usou-um-falso-captcha-para-espiar-o-governo-ucraniano
#android #ataque #ciberataque #ciberespionagem #cloudflare #computador #gabinete #google #hackers #json #localização #navegador #payload #segurança #servidor #spearphishing #spyware #trojan #web #windows #zoom
-
Iran vs. EU Defense and Telecom
Check Point Research has uncovered a campaign by Iranian threat actor Nimbus Manticore targeting European defense and telecom sectors. Using spear-phishing and fake HR portals, the group deploys a DLL side-loading chain and obfuscated malware like MiniJunk and MiniBrowse. The tools employ valid signatures and advanced evasion, indicating nation-state capabilities.
https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/
-
New Spear-Phishing Attack Deploys DarkCloud Malware to Steal Keystrokes and Credentials https://gbhackers.com/spear-phishing-attack-2/ #CyberSecurityNews #cybersecurity #spearPhishing #Malware
-
Job ads on the #Darknet: cybercriminals are increasingly recruiting #SocialEngineering experts | t3n https://t3n.de/news/social-engineering-ki-darknet-jobs-1706963 #CyberCrime #Phishing #SpearPhishing #ArtificialIntelligence
-
Major attack on node.js | heise online https://www.heise.de/news/Grosser-Angriff-auf-node-js-10637088.html #Malware #Phishing #SpearPhishing #CyberCrime #cryptocurrency
-
Major attack on node.js | heise online
https://heise.de/-10637088 #JavascriptLaufzeitumgebung #NodeJS #npm #Spearphishing