Infoblox Threat Intel<p>This week, we encountered a new phishing campaign utilizing the Tycoon 2FA Phishing-as-a-Service (PhaaS) to bypass multifactor authentication (MFA).</p><p>The RDGA domains have Russian TLDs but are hosted on CloudFlare infrastructure. We have been seeing them use shared infrastructure for a few months now, definitely trying to make detection more challenging. They continue to obfuscate every piece of code but have updated their verification page. Previously, we always saw their custom Cloudflare Turnstile page, but now they also use a new captcha challenge, as shown below.(You can also check it here <a href="https://urlscan.io/result/0195ed8b-7a48-7348-a814-0a058571b51e/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">urlscan.io/result/0195ed8b-7a4</span><span class="invisible">8-7348-a814-0a058571b51e/</span></a> )<br> <br>Their old Cloudflare Turnstile page seems to still be their favorite, even though they now change their message more frequently: "Checking response before request" or "Tracking security across platform" are some of the new messages they use.<br> <br>Here is a sample of the hundreds of domains we are detecting:<br> womivor[.]ru <br> nthecatepi[.]ru <br> toimlqdo[.]ru <br> dantherevin[.]ru <br> xptdieemy[.]ru</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/domains" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>domains</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PhaaS</span></a> <a href="https://infosec.exchange/tags/tycoon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>tycoon</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/2MFABypass" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>2MFABypass</span></a></p>
Recent searches
No recent searches
Search options
Only available when logged in.
ruby.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
If you are interested in the Ruby programming language, come join us! Tell us about yourself when signing up.
If you just want to join Mastodon, another server will be a better place for you.
Administered by:
Server stats:
1.1Kactive users
ruby.social: About · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.3.7
#threatintelligence
3 posts · 3 participants · 0 posts today
Infoblox Threat Intel<p>One of our researchers recently received a text from an unknown number saying they were eligible to receive a full refund for an Amazon order. The message contained a link to a URL on t[.]co, Twitter/X's link shortener. Clicking the link led to the domain 267536[.]cc, which hosted an Amazon phishing page.</p><p>From this lead, we were able to find many more domains hosting the same content. The actor registering the domains seems to like .cc, the country code TLD for the Cocos Islands.</p><p>Sample of the domains:<br> 236564[.]cc<br> 267536[.]cc<br> 671624[.]cc<br> 687127[.]cc<br> 319632[.]cc</p><p><a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/sms" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sms</span></a> <a href="https://infosec.exchange/tags/smishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>smishing</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a></p>
Laurent Cheylus<p>How to build a a Threat Intelligence GenAI Reporter using MCP (Model Context Protocol) and ORKL Database - Article by Thomas Roccia <span class="h-card"><a href="https://infosec.exchange/@fr0gger" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>fr0gger</span></a></span> <a href="https://bsd.network/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntelligence</span></a> <a href="https://bsd.network/tags/GenAI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GenAI</span></a> <a href="https://blog.securitybreak.io/building-a-threat-intelligence-genai-reporter-with-orkl-and-claude-a0ae2e969693" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.securitybreak.io/building</span><span class="invisible">-a-threat-intelligence-genai-reporter-with-orkl-and-claude-a0ae2e969693</span></a></p>
Alexandre Dulaunoy<p>A new release of the AIL project is coming soon, featuring a significant improvement in language detection.</p><p>A lot of work has been done on LexiLang by <span class="h-card" translate="no"><a href="https://infosec.exchange/@terrtia" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>terrtia</span></a></span> to clean up dictionaries and improve support for localized languages and slang.</p><p>In the example below, you can see a user active in different Telegram channels, using both Russian and Ukrainian.</p><p>🔗 <a href="https://www.ail-project.org/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">ail-project.org/</span><span class="invisible"></span></a></p><p>If you're interested in the topic, join us at a 2-day hackathon in Luxembourg on April 8–9, 2025, focused on open-source security tools. The developers of the AIL project will be there in person!</p><p>🔗 <a href="https://hackathon.lu/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">hackathon.lu/</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/opensource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>opensource</span></a> <a href="https://infosec.exchange/tags/ail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ail</span></a> <a href="https://infosec.exchange/tags/intelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>intelligence</span></a> </p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@ail_project" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>ail_project</span></a></span> <br><span class="h-card" translate="no"><a href="https://social.circl.lu/@circl" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>circl</span></a></span></p>
Infoblox Threat Intel<p>Malicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware. </p><p>Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments. <br> <br>One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.</p><p>Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records.<br> <br>Block these:</p><p>user2ilogon[.]es<br>viewer-ssa-gov[.]es <br>wellsffrago[.]com<br>nf-prime[.]com<br>deilvery-us[.]com<br>wllesfrarqo-home[.]com<br>nahud[.]com. <br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>lookalikes</span></a> <a href="https://infosec.exchange/tags/lookalikeDomain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>lookalikeDomain</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/pdns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>pdns</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/ssa" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ssa</span></a></p>
Infoblox Threat Intel<p>We published a blog yesterday about a PhaaS and phishing kit that employs DoH and DNS MX records to dynamically serve personalized phishing content. It also uses adtech infrastructure to bypass email security and sends stolen credentials to various data collection spaces, such as Telegram, Discord, and email. <a href="https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/a-phishing-tale-of-doh-and-dns-mx-abuse/</span></a></p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/doh" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>doh</span></a> <a href="https://infosec.exchange/tags/mx" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>mx</span></a> <a href="https://infosec.exchange/tags/adtech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>adtech</span></a> <a href="https://infosec.exchange/tags/obfuscation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>obfuscation</span></a> <a href="https://infosec.exchange/tags/phaas" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phaas</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/phishingkit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishingkit</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/wordpress" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>wordpress</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>spam</span></a> <a href="https://infosec.exchange/tags/telegram" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>telegram</span></a> <a href="https://infosec.exchange/tags/discord" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>discord</span></a> <a href="https://infosec.exchange/tags/morphingmeerkat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>morphingmeerkat</span></a></p>
Infoblox Threat Intel<p>Last week, while reviewing detected lookalike domains, one in particular stood out: cdsi--simi[.]com. A quick search pointed him to a legitimate U.S. military contractor, CDSI, which specializes in electronic warfare and telemetry systems. It's legitimate domain cdsi-simi[.]com features a single hyphen, whereas the lookalike domain uses two hyphens.<br> <br>Passive DNS revealed a goldmine: a cloud system in Las Vegas hosting Russian domains and other impersonations of major companies.<br> <br>Here are a few samples of the domains:</p><p>- reag-br[.]com Lookalike for Reag Capital Holdings, Brazil.<br>- creo--ia[.]com Lookalike for an industrial fabrication firm in WA State.<br>- admiralsmetal[.]com Lookalike for US based metals provider.<br>- ustructuressinc[.]com Lookalike Colorado based Heavy Civil Contractor.<br>- elisontechnologies[.]com Typosquat for Ellison Technologies machine fabrication.<br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>lookalikes</span></a> <a href="https://infosec.exchange/tags/lookalikeDomain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>lookalikeDomain</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/pdns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>pdns</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/dod" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dod</span></a></p>
Infoblox Threat Intel<p>For one reason or another, some domain registrars seem to attract threat actors. This leads to domains registered through these registrars having higher associated risk. Unlike TLD reputation scores, which are fairly consistent from month to month, registrar reputation scores can vary quite a bit month to month. In fact, this month's riskiest registrar, Dominit (HK) Ltd., increased from a score of 7 to 9 and jumped a whopping 29 spots to reach #1.</p><p>An explanation and minimum-working-example of our reputation algorithm can be found here: <a href="https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/reliable-reputation-scoring/</span></a></p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a></p>
SecuritySnacks<p>DomainTools Investigations (DTI) shares its latest analysis: “Phishing Campaign Targets Defense and Aerospace Firms Linked to Ukraine Conflict.” </p><p>The infrastructure comprises a small number of mail servers, each supporting a set of domains designed to spoof that of a specific organization. These domains currently host webmail login pages likely intended to harvest credentials from targeted entities.</p><p>🔹The phishing infrastructure targets defense and aerospace entities linked to the Ukraine conflict.<br>🔹Infrastructure comprises a small number of mail servers supporting domains designed to spoof specific organizations.<br>🔹Likely intended to harvest credentials from targeted entities.<br>🔹Motivated by cyber espionage, focusing on intelligence related to the Ukraine/Russia conflict.</p><p>Stay informed and help us combat these threats - read the full article and join the discussion. </p><p><a href="https://dti.domaintools.com/phishing-campaign-targets-defense-and-aerospace-firms-linked-to-ukraine-conflict/?utm_source=Mastodon&utm_medium=Social&utm_campaign=PhishingInfra-UAConflict" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dti.domaintools.com/phishing-c</span><span class="invisible">ampaign-targets-defense-and-aerospace-firms-linked-to-ukraine-conflict/?utm_source=Mastodon&utm_medium=Social&utm_campaign=PhishingInfra-UAConflict</span></a> </p><p><a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/Ukraine" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ukraine</span></a> <a href="https://infosec.exchange/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntelligence</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/CyberEspionage" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberEspionage</span></a></p>
CTI.FYI<p>🚨New ransom group blog post!🚨</p><p>Group name: ransomhub<br>Post title: cisd.org<br>Info: <a href="https://cti.fyi/groups/ransomhub.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">cti.fyi/groups/ransomhub.html</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ransomware</span></a> <a href="https://infosec.exchange/tags/cti" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cti</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a></p>
Taggart :donor:<p>Fine that H-ISAC is publishing this out of "an abundance of caution," but the originating account looks like total crap. I do not think ISIS-K is planning car bombings of hospitals, nor has any evidence been presented that they are.</p><p><a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntelligence</span></a></p><p><a href="https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/tlpwhite-aa319249-potential-terror-threat-targeted-at-health-sector-aha-health-isac-joint-threa.pdf" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dd80b675424c132b90b3-e48385e38</span><span class="invisible">2d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/tlpwhite-aa319249-potential-terror-threat-targeted-at-health-sector-aha-health-isac-joint-threa.pdf</span></a></p>
Infoblox Threat Intel<p>Fake support scammers, regardless of the initial ruse, typically trick victims into installing remote access tools, often describing it as a security or verification check.<br> <br>Many use ConnectWise ScreenConnect, a legitimate tool, hosted on their own domains. They may even jazz things up with custom branding, sometimes changing the brand during the lifetime of the domain, though they really need to avoid heavily compressed images - that fake Apple support site looks janky!<br> <br>Helpfully these scammers seem to follow a standard process for the DNS, allowing us to identify their consistencies:<br> <br>- Registration through NameSilo<br>- Protection provided by Cloudflare<br>- Alphanumeric RDGA domains favouring TLDs '.cfd', '.sbs', '.top' and '.xyz'*<br>- Keyword RDGA domains, using words like 'care', 'help' and 'support', with TLDs '.help', '.live' and '.online'<br> <br>Recent examples:<br>- 'cmonline[.]help'<br>- 'jxcr-ui1[.]top'<br>- 'jdsfrw-11[.]top'<br>- 'ntfre-8e[.]xyz'<br>- 'wlop10[.]top'<br> <br>* We're working with our friends at XYZ.com to take down offending domains using TLDs under their control.<br> <br><a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/supportscam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>supportscam</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a></p>
Infoblox Threat Intel<p>Last week, we discussed the riskiest TLDs of March. Our reputation algorithm is generic, meaning it can be applied to virtually *any* type of data (read more here: <a href="https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/reliable-reputation-scoring/</span></a>). This time, we'll take a look at the riskiest mail servers we've identified this month. Top of the list? all-harmless[.]domains -- the irony isn't lost on anyone.<br> <br>These mail servers attract phishing actors like honey does flies -- serving such lovely domains as bbva-web-soporte[.]com and kutxabank-movil-app[.]com. Additionally, we've identified one FunNull / Polyfill domain (69558[.]vip) using both baidu[.]com and shifen[.]com mail servers.</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a></p>
SecuritySnacks<p>Dive into DomainTools Investigations’ latest analysis: "The Domain Registrars Powering Russian Disinformation: A Deep Dive into Tactics and Trends."</p><p>Russian state-sponsored actors are leveraging low-cost, privacy-protected, and anonymous domain services to launch sophisticated disinformation campaigns.</p><p>Key Highlights:<br>🔸Fake news portals mimicking legitimate media<br>🔸Typosquatting and homoglyph attacks<br>🔸Bulletproof hosting and Fast Flux networks<br>🔸Preferred registrars<br>🔸Emerging trends in domain registration tactics</p><p>Stay informed and help us combat these threats - read the full article and join the discussion: <a href="https://dti.domaintools.com/domain-registrars-powering-russian-disinformation/?utm_source=Mastodon&utm_medium=Social&utm_campaign=disinformation" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dti.domaintools.com/domain-reg</span><span class="invisible">istrars-powering-russian-disinformation/?utm_source=Mastodon&utm_medium=Social&utm_campaign=disinformation</span></a></p><p><a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/Disinformation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Disinformation</span></a> <a href="https://infosec.exchange/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntelligence</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/CyberThreats" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberThreats</span></a></p>
Christoffer S.<p>I just published the source code for my very naive <a href="https://swecyb.com/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Python</span></a> implementation for generating a node network based on MITRE Intrusion Sets and Techniques. It will output linked <a href="https://swecyb.com/tags/Markdown" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Markdown</span></a> files linking intrusion sets to their used techniques.</p><p>Perhaps someone finds it useful or interesting to experiment with.</p><p>Source code: <a href="https://github.com/cstromblad/markdown_node" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/cstromblad/markdown</span><span class="invisible">_node</span></a></p><p>I hinted at this in a thread started by <span class="h-card" translate="no"><a href="https://mastodon.social/@Viss" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>Viss</span></a></span> where he asked for input on a few very likely malicious domains. Me <span class="h-card" translate="no"><a href="https://mastodon.social/@Viss" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>Viss</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@cR0w" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>cR0w</span></a></span> <span class="h-card" translate="no"><a href="https://masto.deoan.org/@neurovagrant" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>neurovagrant</span></a></span> and others did some OSINT fun work with a couple of the original domains.</p><p>It was this thread: <a href="https://mastodon.social/@Viss/114145122623079635" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.social/@Viss/11414512</span><span class="invisible">2623079635</span></a></p><p>Now I posted a picture of a node network rendered in Obsidian and I hinted that perhaps Obsidian could be used as a poor mans version of performing threat intelligence work.</p><p><a href="https://swecyb.com/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://swecyb.com/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntelligence</span></a> <a href="https://swecyb.com/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://swecyb.com/tags/Obsidian" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Obsidian</span></a></p>
Phillemon CEH | CTH<p>🎭💻 Think Like a Black Hat, Act Like a White Hat! </p><p>👁️🗨️ Let's Face-It ! -> 🕵♂️ To Outsmart cybercriminals, you must think like one—but use your skills for defense, not destruction. Learn the mindset of hackers and the strategies ethical hackers use to strengthen cybersecurity. 🔍🔐</p><p>📖 Read more: <a href="https://wardenshield.com/think-like-a-black-hat-and-act-like-a-white-hat" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">wardenshield.com/think-like-a-</span><span class="invisible">black-hat-and-act-like-a-white-hat</span></a></p><p><a href="https://mastodon.social/tags/EthicalHacking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EthicalHacking</span></a> <a href="https://mastodon.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://mastodon.social/tags/WhiteHat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WhiteHat</span></a> <a href="https://mastodon.social/tags/BlackHat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BlackHat</span></a> <a href="https://mastodon.social/tags/PenTesting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PenTesting</span></a> <a href="https://mastodon.social/tags/CyberDefense" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberDefense</span></a> <a href="https://mastodon.social/tags/WardenShield" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WardenShield</span></a> <a href="https://mastodon.social/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntelligence</span></a></p>
Infoblox Threat Intel<p>Threat actors often have their favorite TLDs. This month we've found the following TLDs to have the highest risk. The top 5 retain their spot from last month, with the TLD .bond topping the chart with a risk score of 10. This is rare and only happens when the percentage of risky domains is at least 4.5 standard deviations above the mean. Congratulations, I guess?</p><p>An explanation and minimum-working-example of our reputation algorithm can be found here: <a href="https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/reliable-reputation-scoring/</span></a></p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a></p>
CTI.FYI<p>🚨New ransom group blog posts!🚨</p><p>Group name: arcusmedia<br>Post title: HYPERNOVA TELECOM<br>Info: <a href="https://cti.fyi/groups/arcusmedia.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">cti.fyi/groups/arcusmedia.html</span><span class="invisible"></span></a></p><p>Group name: arcusmedia<br>Post title: HYPONAMIRU<br>Info: <a href="https://cti.fyi/groups/arcusmedia.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">cti.fyi/groups/arcusmedia.html</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ransomware</span></a> <a href="https://infosec.exchange/tags/cti" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cti</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a></p>
MISP<p>The MISP project maintains and offers a comprehensive knowledge base covering threat actors, ransomware groups, malware, and more. </p><p>Even if you don't use MISP, you can now easily search across all MISP Project knowledge bases, including galaxies, taxonomies, and MISP object templates.</p><p><a href="https://search.misp-community.org" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">search.misp-community.org</span><span class="invisible"></span></a></p><p><a href="https://misp-community.org/tags/opensource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>opensource</span></a> <a href="https://misp-community.org/tags/opendata" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>opendata</span></a> <a href="https://misp-community.org/tags/misp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>misp</span></a> <a href="https://misp-community.org/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintelligence</span></a> <a href="https://misp-community.org/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://misp-community.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://misp-community.org/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://misp-community.org/tags/threatactor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatactor</span></a> <a href="https://misp-community.org/tags/intelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>intelligence</span></a></p>
LMG Security<p>China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains</p><p>The Silk Typhoon hacking group, linked to China and previously behind Microsoft Exchange zero-day attacks, is now targeting IT supply chains, abusing stolen API keys, remote management tools, and cloud applications to infiltrate corporate networks.</p><p>The group is exploiting stolen API keys and credentials from IT service providers, launching zero-day attacks on Ivanti VPN, Palo Alto Networks, and Citrix NetScaler, and shifting from on-prem environments to cloud applications like Microsoft 365, OneDrive, and SharePoint to exfiltrate data.</p><p>Organizations must strengthen API security, enforce least privilege access, and monitor cloud environments to mitigate these growing supply chain threats.</p><p>Read more: <a href="https://thehackernews.com/2025/03/china-linked-silk-typhoon-expands-cyber.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">thehackernews.com/2025/03/chin</span><span class="invisible">a-linked-silk-typhoon-expands-cyber.html</span></a></p><p><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/SupplyChainSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SupplyChainSecurity</span></a> <a href="https://infosec.exchange/tags/CloudSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudSecurity</span></a> <a href="https://infosec.exchange/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntelligence</span></a> <a href="https://infosec.exchange/tags/ChinaAPT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ChinaAPT</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/databreach" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>databreach</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/APIsecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>APIsecurity</span></a></p>
ExploreLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload