#ukr — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #ukr, aggregated by home.social.
-
https://www.europesays.com/be-fr/117787/ Roland-Garros: très émue, l’Ukrainienne Kostyuk se promène au 1er tour: « Un missile s’est abattu à 100 mètres du domicile de mes parents » #2026 #Actualités #AlexanderZverev #ArthurGéa #BE #BEFr #Belgique #Belgium #BenjaminBonzi #ClaraBurel #FionaFerro #GiovanniMpetshiPerricard #KarenKhachanov #KatieVolynets #MartaKostyuk #MirraAndreeva #News #NovakDjokovic #OksanaSelekhmeteva #roland #SimonneMathieu #SuzanneLenglen #tennis #UKR
-
Cybercriminal VPN Dismantled in Crackdown
A coordinated law enforcement operation led by France and the Netherlands has successfully taken down First VPN, a service extensively used by ransomware operators, fraudsters, and data thieves to conceal their criminal activities. The operation, which took place from May 19-20, resulted in the dismantling of 33 servers, seizure of three domains, and a house search of the administrator in Ukraine. The VPN service had been advertised on Russian-language cybercrime forums for years, accepting anonymous payments and providing infrastructure specifically designed for illicit use. Investigators gained access to the user database, generating 83 intelligence packages shared internationally, information on 506 users distributed globally, and advancing 21 investigations. The service had appeared in almost every major cybercrime investigation supported by Europol in recent years.
Pulse ID: 6a0f8f33ccaf530ec98bd8ae
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f33ccaf530ec98bd8ae
Pulse Author: AlienVault
Created: 2026-05-21 23:03:15Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberCrime #CyberSecurity #France #InfoSec #LawEnforcement #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Russia #TheNetherlands #UK #Ukr #Ukraine #VPN #bot #AlienVault
-
Cybercriminal VPN Dismantled in Crackdown
A coordinated law enforcement operation led by France and the Netherlands has successfully taken down First VPN, a service extensively used by ransomware operators, fraudsters, and data thieves to conceal their criminal activities. The operation, which took place from May 19-20, resulted in the dismantling of 33 servers, seizure of three domains, and a house search of the administrator in Ukraine. The VPN service had been advertised on Russian-language cybercrime forums for years, accepting anonymous payments and providing infrastructure specifically designed for illicit use. Investigators gained access to the user database, generating 83 intelligence packages shared internationally, information on 506 users distributed globally, and advancing 21 investigations. The service had appeared in almost every major cybercrime investigation supported by Europol in recent years.
Pulse ID: 6a0f8f33ccaf530ec98bd8ae
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f33ccaf530ec98bd8ae
Pulse Author: AlienVault
Created: 2026-05-21 23:03:15Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberCrime #CyberSecurity #France #InfoSec #LawEnforcement #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Russia #TheNetherlands #UK #Ukr #Ukraine #VPN #bot #AlienVault
-
Cybercriminal VPN Dismantled in Crackdown
A coordinated law enforcement operation led by France and the Netherlands has successfully taken down First VPN, a service extensively used by ransomware operators, fraudsters, and data thieves to conceal their criminal activities. The operation, which took place from May 19-20, resulted in the dismantling of 33 servers, seizure of three domains, and a house search of the administrator in Ukraine. The VPN service had been advertised on Russian-language cybercrime forums for years, accepting anonymous payments and providing infrastructure specifically designed for illicit use. Investigators gained access to the user database, generating 83 intelligence packages shared internationally, information on 506 users distributed globally, and advancing 21 investigations. The service had appeared in almost every major cybercrime investigation supported by Europol in recent years.
Pulse ID: 6a0f8f33ccaf530ec98bd8ae
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f33ccaf530ec98bd8ae
Pulse Author: AlienVault
Created: 2026-05-21 23:03:15Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberCrime #CyberSecurity #France #InfoSec #LawEnforcement #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Russia #TheNetherlands #UK #Ukr #Ukraine #VPN #bot #AlienVault
-
Cybercriminal VPN Dismantled in Crackdown
A coordinated law enforcement operation led by France and the Netherlands has successfully taken down First VPN, a service extensively used by ransomware operators, fraudsters, and data thieves to conceal their criminal activities. The operation, which took place from May 19-20, resulted in the dismantling of 33 servers, seizure of three domains, and a house search of the administrator in Ukraine. The VPN service had been advertised on Russian-language cybercrime forums for years, accepting anonymous payments and providing infrastructure specifically designed for illicit use. Investigators gained access to the user database, generating 83 intelligence packages shared internationally, information on 506 users distributed globally, and advancing 21 investigations. The service had appeared in almost every major cybercrime investigation supported by Europol in recent years.
Pulse ID: 6a0f8f33ccaf530ec98bd8ae
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f33ccaf530ec98bd8ae
Pulse Author: AlienVault
Created: 2026-05-21 23:03:15Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberCrime #CyberSecurity #France #InfoSec #LawEnforcement #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Russia #TheNetherlands #UK #Ukr #Ukraine #VPN #bot #AlienVault
-
Cybercriminal VPN Dismantled in Crackdown
A coordinated law enforcement operation led by France and the Netherlands has successfully taken down First VPN, a service extensively used by ransomware operators, fraudsters, and data thieves to conceal their criminal activities. The operation, which took place from May 19-20, resulted in the dismantling of 33 servers, seizure of three domains, and a house search of the administrator in Ukraine. The VPN service had been advertised on Russian-language cybercrime forums for years, accepting anonymous payments and providing infrastructure specifically designed for illicit use. Investigators gained access to the user database, generating 83 intelligence packages shared internationally, information on 506 users distributed globally, and advancing 21 investigations. The service had appeared in almost every major cybercrime investigation supported by Europol in recent years.
Pulse ID: 6a0f8f33ccaf530ec98bd8ae
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f33ccaf530ec98bd8ae
Pulse Author: AlienVault
Created: 2026-05-21 23:03:15Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberCrime #CyberSecurity #France #InfoSec #LawEnforcement #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Russia #TheNetherlands #UK #Ukr #Ukraine #VPN #bot #AlienVault
-
Fresh mischief and digital shenanigans
FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.
Pulse ID: 6a0e803c81c123ee6cf7066a
Pulse Link: https://otx.alienvault.com/pulse/6a0e803c81c123ee6cf7066a
Pulse Author: AlienVault
Created: 2026-05-21 03:47:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault
-
Fresh mischief and digital shenanigans
FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.
Pulse ID: 6a0e803c81c123ee6cf7066a
Pulse Link: https://otx.alienvault.com/pulse/6a0e803c81c123ee6cf7066a
Pulse Author: AlienVault
Created: 2026-05-21 03:47:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault
-
Fresh mischief and digital shenanigans
FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.
Pulse ID: 6a0e803c81c123ee6cf7066a
Pulse Link: https://otx.alienvault.com/pulse/6a0e803c81c123ee6cf7066a
Pulse Author: AlienVault
Created: 2026-05-21 03:47:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault
-
Fresh mischief and digital shenanigans
FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.
Pulse ID: 6a0e803c81c123ee6cf7066a
Pulse Link: https://otx.alienvault.com/pulse/6a0e803c81c123ee6cf7066a
Pulse Author: AlienVault
Created: 2026-05-21 03:47:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault
-
Fresh mischief and digital shenanigans
FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.
Pulse ID: 6a0e803c81c123ee6cf7066a
Pulse Link: https://otx.alienvault.com/pulse/6a0e803c81c123ee6cf7066a
Pulse Author: AlienVault
Created: 2026-05-21 03:47:08Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault
-
Tracking TamperedChef Clusters via Certificate and Code Reuse
Multiple threat clusters designated as CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 have been distributing trojanized productivity software through malicious advertising campaigns since 2023. These applications, including PDF editors, calendars, and compression tools, appear legitimate but contain remote access capabilities enabling deployment of information stealers, proxy tooling, and RATs. The campaigns leverage code-signing certificates, remain dormant for weeks to months before activation, and affect organizations globally with over 4,000 samples identified across 100 variants. CL-CRI-1089 operations utilize Ukrainian, Malaysian, and British infrastructure with 34 unique code-signing entities, while CL-UNK-1090 demonstrates vertical integration between advertising agencies and malware creation using primarily Israeli infrastructure with 39 corporations involved. Distribution occurs through sophisticated malvertising employing professional websites, CDN delivery, and search engine optimization techniques.
Pulse ID: 6a0dae41682ec38e55d1aa12
Pulse Link: https://otx.alienvault.com/pulse/6a0dae41682ec38e55d1aa12
Pulse Author: AlienVault
Created: 2026-05-20 12:51:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CDN #CyberSecurity #InfoSec #Israel #Malvertising #Malware #OTX #OpenThreatExchange #PDF #Proxy #RAT #Trojan #UK #Ukr #Ukrainian #bot #AlienVault
-
Tracking TamperedChef Clusters via Certificate and Code Reuse
Multiple threat clusters designated as CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 have been distributing trojanized productivity software through malicious advertising campaigns since 2023. These applications, including PDF editors, calendars, and compression tools, appear legitimate but contain remote access capabilities enabling deployment of information stealers, proxy tooling, and RATs. The campaigns leverage code-signing certificates, remain dormant for weeks to months before activation, and affect organizations globally with over 4,000 samples identified across 100 variants. CL-CRI-1089 operations utilize Ukrainian, Malaysian, and British infrastructure with 34 unique code-signing entities, while CL-UNK-1090 demonstrates vertical integration between advertising agencies and malware creation using primarily Israeli infrastructure with 39 corporations involved. Distribution occurs through sophisticated malvertising employing professional websites, CDN delivery, and search engine optimization techniques.
Pulse ID: 6a0dae41682ec38e55d1aa12
Pulse Link: https://otx.alienvault.com/pulse/6a0dae41682ec38e55d1aa12
Pulse Author: AlienVault
Created: 2026-05-20 12:51:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CDN #CyberSecurity #InfoSec #Israel #Malvertising #Malware #OTX #OpenThreatExchange #PDF #Proxy #RAT #Trojan #UK #Ukr #Ukrainian #bot #AlienVault
-
Tracking TamperedChef Clusters via Certificate and Code Reuse
Multiple threat clusters designated as CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 have been distributing trojanized productivity software through malicious advertising campaigns since 2023. These applications, including PDF editors, calendars, and compression tools, appear legitimate but contain remote access capabilities enabling deployment of information stealers, proxy tooling, and RATs. The campaigns leverage code-signing certificates, remain dormant for weeks to months before activation, and affect organizations globally with over 4,000 samples identified across 100 variants. CL-CRI-1089 operations utilize Ukrainian, Malaysian, and British infrastructure with 34 unique code-signing entities, while CL-UNK-1090 demonstrates vertical integration between advertising agencies and malware creation using primarily Israeli infrastructure with 39 corporations involved. Distribution occurs through sophisticated malvertising employing professional websites, CDN delivery, and search engine optimization techniques.
Pulse ID: 6a0dae41682ec38e55d1aa12
Pulse Link: https://otx.alienvault.com/pulse/6a0dae41682ec38e55d1aa12
Pulse Author: AlienVault
Created: 2026-05-20 12:51:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CDN #CyberSecurity #InfoSec #Israel #Malvertising #Malware #OTX #OpenThreatExchange #PDF #Proxy #RAT #Trojan #UK #Ukr #Ukrainian #bot #AlienVault
-
Tracking TamperedChef Clusters via Certificate and Code Reuse
Multiple threat clusters designated as CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 have been distributing trojanized productivity software through malicious advertising campaigns since 2023. These applications, including PDF editors, calendars, and compression tools, appear legitimate but contain remote access capabilities enabling deployment of information stealers, proxy tooling, and RATs. The campaigns leverage code-signing certificates, remain dormant for weeks to months before activation, and affect organizations globally with over 4,000 samples identified across 100 variants. CL-CRI-1089 operations utilize Ukrainian, Malaysian, and British infrastructure with 34 unique code-signing entities, while CL-UNK-1090 demonstrates vertical integration between advertising agencies and malware creation using primarily Israeli infrastructure with 39 corporations involved. Distribution occurs through sophisticated malvertising employing professional websites, CDN delivery, and search engine optimization techniques.
Pulse ID: 6a0dae41682ec38e55d1aa12
Pulse Link: https://otx.alienvault.com/pulse/6a0dae41682ec38e55d1aa12
Pulse Author: AlienVault
Created: 2026-05-20 12:51:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CDN #CyberSecurity #InfoSec #Israel #Malvertising #Malware #OTX #OpenThreatExchange #PDF #Proxy #RAT #Trojan #UK #Ukr #Ukrainian #bot #AlienVault
-
Tracking TamperedChef Clusters via Certificate and Code Reuse
Multiple threat clusters designated as CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 have been distributing trojanized productivity software through malicious advertising campaigns since 2023. These applications, including PDF editors, calendars, and compression tools, appear legitimate but contain remote access capabilities enabling deployment of information stealers, proxy tooling, and RATs. The campaigns leverage code-signing certificates, remain dormant for weeks to months before activation, and affect organizations globally with over 4,000 samples identified across 100 variants. CL-CRI-1089 operations utilize Ukrainian, Malaysian, and British infrastructure with 34 unique code-signing entities, while CL-UNK-1090 demonstrates vertical integration between advertising agencies and malware creation using primarily Israeli infrastructure with 39 corporations involved. Distribution occurs through sophisticated malvertising employing professional websites, CDN delivery, and search engine optimization techniques.
Pulse ID: 6a0dae41682ec38e55d1aa12
Pulse Link: https://otx.alienvault.com/pulse/6a0dae41682ec38e55d1aa12
Pulse Author: AlienVault
Created: 2026-05-20 12:51:13Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CDN #CyberSecurity #InfoSec #Israel #Malvertising #Malware #OTX #OpenThreatExchange #PDF #Proxy #RAT #Trojan #UK #Ukr #Ukrainian #bot #AlienVault
-
Hm, #UKR macht das generische Powerballädchen, aber in Landessprache mit kleinem Etno-Exkurs. Und singen kannse, nicht nur Power-Belting. Beim Kampf um die Generik-Punkte wahrscheinlich ziemlich weit vorn. Hab ich erwähnt, dass #GER einen Fehler gemacht hat, einen generischen Song zu schicken? Da ist die Konkurrenz groß. Und wie hier, auch besser.
-
Hm, #UKR macht das generische Powerballädchen, aber in Landessprache mit kleinem Etno-Exkurs. Und singen kannse, nicht nur Power-Belting. Beim Kampf um die Generik-Punkte wahrscheinlich ziemlich weit vorn. Hab ich erwähnt, dass #GER einen Fehler gemacht hat, einen generischen Song zu schicken? Da ist die Konkurrenz groß. Und wie hier, auch besser.
-
Hm, #UKR macht das generische Powerballädchen, aber in Landessprache mit kleinem Etno-Exkurs. Und singen kannse, nicht nur Power-Belting. Beim Kampf um die Generik-Punkte wahrscheinlich ziemlich weit vorn. Hab ich erwähnt, dass #GER einen Fehler gemacht hat, einen generischen Song zu schicken? Da ist die Konkurrenz groß. Und wie hier, auch besser.
-
Hm, #UKR macht das generische Powerballädchen, aber in Landessprache mit kleinem Etno-Exkurs. Und singen kannse, nicht nur Power-Belting. Beim Kampf um die Generik-Punkte wahrscheinlich ziemlich weit vorn. Hab ich erwähnt, dass #GER einen Fehler gemacht hat, einen generischen Song zu schicken? Da ist die Konkurrenz groß. Und wie hier, auch besser.
-
Hm, #UKR macht das generische Powerballädchen, aber in Landessprache mit kleinem Etno-Exkurs. Und singen kannse, nicht nur Power-Belting. Beim Kampf um die Generik-Punkte wahrscheinlich ziemlich weit vorn. Hab ich erwähnt, dass #GER einen Fehler gemacht hat, einen generischen Song zu schicken? Da ist die Konkurrenz groß. Und wie hier, auch besser.
-
#ukr hat ein schönes Lied. Und sie kann singen. Aber doch eher Celine Dioné auf Wish bestellt? #Eurovision #esc #esc2026
-
A lovely song, slightly ruined by my dog deciding to sit next to me a licking his nuts half way through.
-
-
Kazuar: Anatomy of a nation-state botnet
Kazuar is a sophisticated malware attributed to Russian state actor Secret Blizzard, having evolved from a traditional backdoor into a highly modular peer-to-peer botnet ecosystem. The malware comprises three distinct module types—Kernel, Bridge, and Worker—that distribute functionality across infected systems. A leadership election mechanism ensures only one Kernel module communicates externally, reducing detection opportunities. The architecture supports flexible configuration with over 150 options, multiple C2 channels including HTTP, WebSockets, and Exchange Web Services, and extensive data collection capabilities. Secret Blizzard primarily targets government, diplomatic, and defense organizations in Europe, Central Asia, and Ukraine to support Russian foreign policy and military intelligence objectives. The botnet maintains persistent access through sophisticated IPC mechanisms, staged data exfiltration during working hours, and comprehensive anti-analysis checks.
Pulse ID: 6a062c383bdae760fc221b6f
Pulse Link: https://otx.alienvault.com/pulse/6a062c383bdae760fc221b6f
Pulse Author: AlienVault
Created: 2026-05-14 20:10:32Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #CentralAsia #CyberSecurity #Europe #Government #HTTP #InfoSec #Kazuar #Malware #Military #NATO #OTX #OpenThreatExchange #RAT #Russia #SMS #UK #Ukr #Ukraine #bot #botnet #AlienVault
-
Kazuar: Anatomy of a nation-state botnet
Kazuar is a sophisticated malware attributed to Russian state actor Secret Blizzard, having evolved from a traditional backdoor into a highly modular peer-to-peer botnet ecosystem. The malware comprises three distinct module types—Kernel, Bridge, and Worker—that distribute functionality across infected systems. A leadership election mechanism ensures only one Kernel module communicates externally, reducing detection opportunities. The architecture supports flexible configuration with over 150 options, multiple C2 channels including HTTP, WebSockets, and Exchange Web Services, and extensive data collection capabilities. Secret Blizzard primarily targets government, diplomatic, and defense organizations in Europe, Central Asia, and Ukraine to support Russian foreign policy and military intelligence objectives. The botnet maintains persistent access through sophisticated IPC mechanisms, staged data exfiltration during working hours, and comprehensive anti-analysis checks.
Pulse ID: 6a062c383bdae760fc221b6f
Pulse Link: https://otx.alienvault.com/pulse/6a062c383bdae760fc221b6f
Pulse Author: AlienVault
Created: 2026-05-14 20:10:32Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #CentralAsia #CyberSecurity #Europe #Government #HTTP #InfoSec #Kazuar #Malware #Military #NATO #OTX #OpenThreatExchange #RAT #Russia #SMS #UK #Ukr #Ukraine #bot #botnet #AlienVault
-
Kazuar: Anatomy of a nation-state botnet
Kazuar is a sophisticated malware attributed to Russian state actor Secret Blizzard, having evolved from a traditional backdoor into a highly modular peer-to-peer botnet ecosystem. The malware comprises three distinct module types—Kernel, Bridge, and Worker—that distribute functionality across infected systems. A leadership election mechanism ensures only one Kernel module communicates externally, reducing detection opportunities. The architecture supports flexible configuration with over 150 options, multiple C2 channels including HTTP, WebSockets, and Exchange Web Services, and extensive data collection capabilities. Secret Blizzard primarily targets government, diplomatic, and defense organizations in Europe, Central Asia, and Ukraine to support Russian foreign policy and military intelligence objectives. The botnet maintains persistent access through sophisticated IPC mechanisms, staged data exfiltration during working hours, and comprehensive anti-analysis checks.
Pulse ID: 6a062c383bdae760fc221b6f
Pulse Link: https://otx.alienvault.com/pulse/6a062c383bdae760fc221b6f
Pulse Author: AlienVault
Created: 2026-05-14 20:10:32Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #CentralAsia #CyberSecurity #Europe #Government #HTTP #InfoSec #Kazuar #Malware #Military #NATO #OTX #OpenThreatExchange #RAT #Russia #SMS #UK #Ukr #Ukraine #bot #botnet #AlienVault
-
Kazuar: Anatomy of a nation-state botnet
Kazuar is a sophisticated malware attributed to Russian state actor Secret Blizzard, having evolved from a traditional backdoor into a highly modular peer-to-peer botnet ecosystem. The malware comprises three distinct module types—Kernel, Bridge, and Worker—that distribute functionality across infected systems. A leadership election mechanism ensures only one Kernel module communicates externally, reducing detection opportunities. The architecture supports flexible configuration with over 150 options, multiple C2 channels including HTTP, WebSockets, and Exchange Web Services, and extensive data collection capabilities. Secret Blizzard primarily targets government, diplomatic, and defense organizations in Europe, Central Asia, and Ukraine to support Russian foreign policy and military intelligence objectives. The botnet maintains persistent access through sophisticated IPC mechanisms, staged data exfiltration during working hours, and comprehensive anti-analysis checks.
Pulse ID: 6a062c383bdae760fc221b6f
Pulse Link: https://otx.alienvault.com/pulse/6a062c383bdae760fc221b6f
Pulse Author: AlienVault
Created: 2026-05-14 20:10:32Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #CentralAsia #CyberSecurity #Europe #Government #HTTP #InfoSec #Kazuar #Malware #Military #NATO #OTX #OpenThreatExchange #RAT #Russia #SMS #UK #Ukr #Ukraine #bot #botnet #AlienVault
-
Kazuar: Anatomy of a nation-state botnet
Kazuar is a sophisticated malware attributed to Russian state actor Secret Blizzard, having evolved from a traditional backdoor into a highly modular peer-to-peer botnet ecosystem. The malware comprises three distinct module types—Kernel, Bridge, and Worker—that distribute functionality across infected systems. A leadership election mechanism ensures only one Kernel module communicates externally, reducing detection opportunities. The architecture supports flexible configuration with over 150 options, multiple C2 channels including HTTP, WebSockets, and Exchange Web Services, and extensive data collection capabilities. Secret Blizzard primarily targets government, diplomatic, and defense organizations in Europe, Central Asia, and Ukraine to support Russian foreign policy and military intelligence objectives. The botnet maintains persistent access through sophisticated IPC mechanisms, staged data exfiltration during working hours, and comprehensive anti-analysis checks.
Pulse ID: 6a062c383bdae760fc221b6f
Pulse Link: https://otx.alienvault.com/pulse/6a062c383bdae760fc221b6f
Pulse Author: AlienVault
Created: 2026-05-14 20:10:32Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #CentralAsia #CyberSecurity #Europe #Government #HTTP #InfoSec #Kazuar #Malware #Military #NATO #OTX #OpenThreatExchange #RAT #Russia #SMS #UK #Ukr #Ukraine #bot #botnet #AlienVault
-
#Ukraine! Another ballad, but more emotional, and WAY more engaging than e.g. the Azeri one. But no matter what, they deserve EVERY support, also @ #Eurovision! Unlike one other country... #Eurowizja #UKR
-
Foxit Impersonation: Fake PDF Installer Deploys VNC
Attackers are leveraging the trusted reputation of Foxit PDF Reader, used by over 650 million people, to distribute malicious installers disguised as legitimate software. Rather than exploiting vulnerabilities, threat actors impersonate the vendor through fake installers with document-themed filenames that bypass user suspicion. When executed, these files display decoy passport images while downloading malicious MSI packages that deploy UltraVNC remote access tools disguised as GPU drivers. The attack establishes persistence through registry modifications and firewall exceptions, connecting to attacker-controlled infrastructure for complete remote system control. Telemetry indicates broad distribution across Germany, the United States, the United Kingdom, and Ukraine. This campaign demonstrates how brand impersonation combined with social engineering proves more effective than technical exploits, relying on user trust and behavioral patterns rather than software vulnerabilities.
Pulse ID: 69e9e0346967ec306d0a2e2d
Pulse Link: https://otx.alienvault.com/pulse/69e9e0346967ec306d0a2e2d
Pulse Author: AlienVault
Created: 2026-04-23 09:02:44Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #Germany #InfoSec #OTX #OpenThreatExchange #PDF #RAT #Rust #SocialEngineering #Troll #UK #Ukr #Ukraine #UnitedKingdom #UnitedStates #VNC #bot #AlienVault
-
Foxit Impersonation: Fake PDF Installer Deploys VNC
Attackers are leveraging the trusted reputation of Foxit PDF Reader, used by over 650 million people, to distribute malicious installers disguised as legitimate software. Rather than exploiting vulnerabilities, threat actors impersonate the vendor through fake installers with document-themed filenames that bypass user suspicion. When executed, these files display decoy passport images while downloading malicious MSI packages that deploy UltraVNC remote access tools disguised as GPU drivers. The attack establishes persistence through registry modifications and firewall exceptions, connecting to attacker-controlled infrastructure for complete remote system control. Telemetry indicates broad distribution across Germany, the United States, the United Kingdom, and Ukraine. This campaign demonstrates how brand impersonation combined with social engineering proves more effective than technical exploits, relying on user trust and behavioral patterns rather than software vulnerabilities.
Pulse ID: 69e9e0346967ec306d0a2e2d
Pulse Link: https://otx.alienvault.com/pulse/69e9e0346967ec306d0a2e2d
Pulse Author: AlienVault
Created: 2026-04-23 09:02:44Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #Germany #InfoSec #OTX #OpenThreatExchange #PDF #RAT #Rust #SocialEngineering #Troll #UK #Ukr #Ukraine #UnitedKingdom #UnitedStates #VNC #bot #AlienVault
-
Foxit Impersonation: Fake PDF Installer Deploys VNC
Attackers are leveraging the trusted reputation of Foxit PDF Reader, used by over 650 million people, to distribute malicious installers disguised as legitimate software. Rather than exploiting vulnerabilities, threat actors impersonate the vendor through fake installers with document-themed filenames that bypass user suspicion. When executed, these files display decoy passport images while downloading malicious MSI packages that deploy UltraVNC remote access tools disguised as GPU drivers. The attack establishes persistence through registry modifications and firewall exceptions, connecting to attacker-controlled infrastructure for complete remote system control. Telemetry indicates broad distribution across Germany, the United States, the United Kingdom, and Ukraine. This campaign demonstrates how brand impersonation combined with social engineering proves more effective than technical exploits, relying on user trust and behavioral patterns rather than software vulnerabilities.
Pulse ID: 69e9e0346967ec306d0a2e2d
Pulse Link: https://otx.alienvault.com/pulse/69e9e0346967ec306d0a2e2d
Pulse Author: AlienVault
Created: 2026-04-23 09:02:44Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #Germany #InfoSec #OTX #OpenThreatExchange #PDF #RAT #Rust #SocialEngineering #Troll #UK #Ukr #Ukraine #UnitedKingdom #UnitedStates #VNC #bot #AlienVault
-
Foxit Impersonation: Fake PDF Installer Deploys VNC
Attackers are leveraging the trusted reputation of Foxit PDF Reader, used by over 650 million people, to distribute malicious installers disguised as legitimate software. Rather than exploiting vulnerabilities, threat actors impersonate the vendor through fake installers with document-themed filenames that bypass user suspicion. When executed, these files display decoy passport images while downloading malicious MSI packages that deploy UltraVNC remote access tools disguised as GPU drivers. The attack establishes persistence through registry modifications and firewall exceptions, connecting to attacker-controlled infrastructure for complete remote system control. Telemetry indicates broad distribution across Germany, the United States, the United Kingdom, and Ukraine. This campaign demonstrates how brand impersonation combined with social engineering proves more effective than technical exploits, relying on user trust and behavioral patterns rather than software vulnerabilities.
Pulse ID: 69e9e0346967ec306d0a2e2d
Pulse Link: https://otx.alienvault.com/pulse/69e9e0346967ec306d0a2e2d
Pulse Author: AlienVault
Created: 2026-04-23 09:02:44Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #Germany #InfoSec #OTX #OpenThreatExchange #PDF #RAT #Rust #SocialEngineering #Troll #UK #Ukr #Ukraine #UnitedKingdom #UnitedStates #VNC #bot #AlienVault