Cyber Analyst - Malware - Threat intel

Joined March 2024
Big update!!
SandGuard v3.0.0 is here. This is probably the biggest update since the project started. Until now, SandGuard focused on extracting and displaying static analysis data. Useful, but often requiring analysts to manually connect the dots.
Damag3dRoot retweeted
#Mirai elf new detection d96035d2b1eac911d417fb4f750cf21e4695ec9cef476bf5eff94a6539060be6
Damag3dRoot retweeted
SandGuard v2.16.0 Linux support is now here. We’ve added a full ELF analysis module with deep inspection capabilities, including:
– ELF structure parsing
– Packing detection
– Embedded payload detection
– Entropy analysis
– Section & segment inspection
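As an added example (not SandGuard's code), here is the kind of section-level entropy and packing check the module above describes, written in Python against a constructed little-endian ELF64 that is built inline. The 7.0-bit threshold, the packer-style section-name hint and the truncated-section check are my own heuristics.

```python
import math
import struct
from collections import Counter

SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8
SHF_ALLOC_EXEC = 0x6
SHDR_FMT = "<IIQQQQIIQQ"        # Elf64_Shdr, 64 bytes
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, 64 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_elf64_sections(blob: bytes) -> list[dict]:
    """Walk the section header table of a little-endian ELF64 and describe each section."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_shoff,) = struct.unpack_from("<Q", blob, 40)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", blob, 58)
    if e_shentsize != 64 or e_shoff + e_shnum * 64 > len(blob) or e_shstrndx >= e_shnum:
        raise ValueError("section header table is missing, truncated or malformed")
    raw = [struct.unpack_from(SHDR_FMT, blob, e_shoff + i * 64) for i in range(e_shnum)]
    str_off, str_size = raw[e_shstrndx][4], raw[e_shstrndx][5]
    strtab = blob[str_off:str_off + str_size]
    sections = []
    for sh_name, sh_type, sh_flags, _addr, sh_off, sh_size, *_rest in raw:
        name = strtab[sh_name:strtab.index(b"\x00", sh_name)].decode("ascii", "replace")
        has_bytes = sh_type not in (SHT_NULL, SHT_NOBITS)
        truncated = has_bytes and sh_off + sh_size > len(blob)   # header claims bytes the file lacks
        data = blob[sh_off:sh_off + sh_size] if has_bytes and not truncated else b""
        sections.append({"name": name, "type": sh_type, "flags": sh_flags, "size": sh_size,
                         "truncated": truncated, "entropy": round(shannon_entropy(data), 3)})
    return sections


def packing_indicators(sections: list[dict], threshold: float = 7.0) -> list[str]:
    """My heuristics, not SandGuard's: high-entropy code sections, packer-style names, truncation."""
    hits = []
    for s in sections:
        if s["type"] == SHT_PROGBITS and s["size"] >= 64 and s["entropy"] >= threshold:
            hits.append(f"{s['name'] or '<unnamed>'}: entropy {s['entropy']} >= {threshold}")
        if s["name"].lstrip(".").lower().startswith("upx"):
            hits.append(f"{s['name']}: packer-style section name")
        if s["truncated"]:
            hits.append(f"{s['name']}: section extends past end of file")
    return hits


def build_elf64(sections: list[tuple[str, bytes]]) -> bytes:
    """Constructed ELF64 with only a section header table (no program headers); enough for static triage."""
    names = [n for n, _ in sections] + [".shstrtab"]
    shstrtab, name_off = b"\x00", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\x00"
    body, offset = b"", 64
    hdrs = [struct.pack(SHDR_FMT, 0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0)]
    for name, data in sections:
        hdrs.append(struct.pack(SHDR_FMT, name_off[name], SHT_PROGBITS, SHF_ALLOC_EXEC,
                                0, offset, len(data), 0, 0, 1, 0))
        body += data
        offset += len(data)
    hdrs.append(struct.pack(SHDR_FMT, name_off[".shstrtab"], SHT_STRTAB, 0, 0, offset,
                            len(shstrtab), 0, 0, 1, 0))
    body += shstrtab
    e_shoff = offset + len(shstrtab)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0, 0, e_shoff, 0, 64, 0, 0, 64,
                       len(hdrs), len(hdrs) - 1)
    return ehdr + body + b"".join(hdrs)


# Constructed sample: a boring .text plus a uniformly distributed section with a UPX-style name.
SAMPLE = build_elf64([
    (".text", b"\x90" * 200 + b"\xc3" * 56),   # constructed low-entropy code bytes
    ("UPX1", bytes(range(256)) * 4),           # constructed uniform bytes, entropy exactly 8.0
])

if __name__ == "__main__":
    for s in parse_elf64_sections(SAMPLE):
        print(f"{s['name']:<12} type={s['type']:<2} size={s['size']:<6} entropy={s['entropy']}")
    print(packing_indicators(parse_elf64_sections(SAMPLE)))
```

Real packed ELFs usually strip the section header table entirely, so the ValueError path is itself a signal worth recording during triage; segment-level entropy over the program headers is the natural next step.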
Damag3dRoot retweeted
Also, VBScript, SMBv1, WINS Server, and others are being removed in Windows Server 2028 👀
⚠️ Threat intelligence is useless if you arrive late. That is the real problem. Not the lack of information. The lack of operational context. Every day there are:
• New ransomware victims published on DLS (Data Leak Sites)
• CVEs actively exploited even before mitigations are applied
• IOCs scattered across multiple sources without correlation
• Malicious infrastructure constantly rotating on TOR
• Malware reused by different actors with small variations
• Negotiations and leaks evolving in real time
And meanwhile, many teams keep consuming threat intelligence in a fragmented way. That is why, together with my colleague Javier Marti Sanz, I have created the My Threat Intel platform. 👉 mythreatintel.com/
A CTI platform built to centralize, correlate and operationalize threat intelligence from a single environment. The goal was not to create yet another dashboard. It was to build a platform that is genuinely useful for analysts, SOCs, DFIR, threat hunters and incident response teams. Currently My Threat Intel provides:
• Monitoring of ransomware groups and leak sites
• Tracking of negotiations and actor activity
• A repository of vulnerabilities and actively exploited CVEs
• IOC correlation and telemetry
• Monitoring of TOR infrastructure and darknet markets
• A historical repository of leaks and organizational exposure
• Malware sample analysis and classification
• Operational statistics and real-time trends
All the information in a single visual environment, accessible and analysis-oriented. No noise. No isolated data. No time wasted manually correlating dozens of sources. Because in cybersecurity speed matters. But the ability to understand the context before the attacker does matters even more.
Feedback and suggestions are more than welcome 🤝 #CyberSecurity #ThreatIntelligence #CTI #Ransomware #ThreatHunting #BlueTeam #SOC #DFIR #OSINT #Malware #DarkWeb #IOC #IncidentResponse #CyberDefense #InfoSec #ThreatIntel #SecurityOperations #DigitalForensics #MyThreatIntel
Interesting!
Came across a very recent sample shared in public CTI, tied to a campaign likely linked to Patchwork / APT-Q-36. I pulled it, ran it through SandGuard, and used it as a quick way to look beyond the hash and get a clearer view of the activity around it.
Damag3dRoot retweeted
SandGuard v2.9.0 just got a lot more practical. We’ve added a new IOC Pivot module: when an analysis extracts indicators like IPs, domains or hashes, they now appear with ready-to-use links to platforms such as VirusTotal, GreyNoise, AbuseIPDB, Shodan and others.
Damag3dRoot retweeted
Microsoft Threat Intelligence has attributed the Axios npm supply chain attack to North Korean state actor Sapphire Sleet. Malicious npm packages for updated versions of Axios (1.14.1 and 0.30.4) downloaded payloads from command and control attributed to Sapphire Sleet. msft.it/6018QLPF6 Organizations affected by this attack are urged to roll back to safe versions (1.14.0 or 0.30.3 or earlier), rotate secrets and credentials that are exposed to compromised systems, and disable auto-updates. Our latest blog has our analysis of the attack, additional mitigation recommendations, and Microsoft Defender detection and hunting guidance:
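An added example of the rollback check that advisory implies, not Microsoft's guidance or tooling: a Python script that scans an npm lockfile (v1 nested tree or v2/v3 flat package map) for the two affected axios versions, reports the rollback version named in the post for each hit, and separately flags package.json ranges that would let a routine install pull the bad version back in. The lockfile and package.json below are constructed inline; treating an exact version pin as the lockfile-side complement to "disable auto-updates" is my assumption.

```python
import json
import re

AFFECTED_AXIOS = {"1.14.1", "0.30.4"}        # versions named in the post
KNOWN_GOOD = {"1": "1.14.0", "0": "0.30.3"}  # rollback targets named in the post, by major version
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def affected_axios_in_lockfile(lockfile_text: str) -> list[dict]:
    """Return every install path in the lockfile that resolves axios to an affected version."""
    lock = json.loads(lockfile_text)
    hits = []

    def record(path: str, version: str) -> None:
        hits.append({"path": path, "version": version, "rollback": KNOWN_GOOD[version.split(".")[0]]})

    # lockfileVersion 2/3: flat "packages" map keyed by install path ("" is the project itself)
    for path, meta in lock.get("packages", {}).items():
        if path.rsplit("node_modules/", 1)[-1] == "axios" and meta.get("version") in AFFECTED_AXIOS:
            record(path, meta["version"])

    # lockfileVersion 1: nested "dependencies" tree (v2 carries both, so only walk it when no map exists)
    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "axios" and meta.get("version") in AFFECTED_AXIOS:
                record(path, meta["version"])
            walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:
        walk(lock.get("dependencies", {}), "")
    return hits


def unpinned_axios_specs(package_json_text: str) -> list[str]:
    """Ranges like ^1.14.0 satisfy 1.14.1 on a fresh resolve; an exact pin does not."""
    pkg = json.loads(package_json_text)
    out = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        spec = pkg.get(field, {}).get("axios")
        if spec is not None and not EXACT_VERSION.match(spec):
            out.append(f"{field}: axios {spec}")
    return out


# Constructed lockfile: root axios on the affected 1.14.1, a nested copy already on safe 0.30.3.
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/legacy-client": {"version": "2.0.0", "dependencies": {"axios": "^0.30.0"}},
        "node_modules/legacy-client/node_modules/axios": {"version": "0.30.3"},
    },
})
SAMPLE_PKG = json.dumps({"dependencies": {"axios": "^1.14.0"}, "devDependencies": {"jest": "29.7.0"}})

if __name__ == "__main__":
    for hit in affected_axios_in_lockfile(SAMPLE_LOCK):
        print(f"{hit['path']}: {hit['version']} -> roll back to {hit['rollback']}")
    for warning in unpinned_axios_specs(SAMPLE_PKG):
        print("unpinned:", warning)
```

Run it across every lockfile in a monorepo (and in CI images, which often carry their own); a hit on a nested path means the parent package, not just the root, needs its range fixed before a reinstall.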
Damag3dRoot retweeted
Mar 13
CTI Research: Sandworm / APT44 ift.tt/SXM19Tq Evidence-Labeled Threat Intelligence Assessment and SOC Defensive Guidance (2009 — March 2026) Table of Contents Report Metadata Methodology & Evidence Labels Confidence & What Changes Confidence Executive Summary Ac…
Damag3dRoot retweeted
🚨 CRITICAL THREAT ALERT: NUCLEAR SCADA SYSTEM COMPROMISE 🚨
🏢 Victim: Golfech Nuclear Power Plant (NPP) - Unit 2
👤 Threat Actor: Apollon / MONARCH (Russian-affiliated)
🗓️ Date: 2026-03-12
🇫🇷 Country: France
The threat organization "MONARCH" has released visual evidence of unauthorized access to the Golfech Nuclear Power Plant in France. The actor, "Apollon," claims they have bypassed security to gain full control over the secondary coolant loop. Screenshots show a SIEMENS HMI (Human-Machine Interface) panel for Unit 2, as well as evidence of lateral movement within the SCADA-02 operator network and the execution of PowerShell scripts on internal systems. The visual proof includes internal IP addresses and server logs from GOLFECH-SCADA-02. Infrastructure security teams must immediately audit all SIEMENS HMI interfaces and monitor for unauthorized logins in ICS/SCADA environments.
Monitor: analyzer.vecert.io
#ThreatIntel #CyberSecurity #France #NuclearSecurity #Golfech #SCADA #ICS #InfoSec #CriticalInfrastructure #MonarchAttack
Damag3dRoot retweeted
The cybercriminal threat actor tracked by Microsoft Threat Intelligence as Storm-2561 is running an SEO-poisoning campaign that redirects people searching for enterprise VPN software to spoofed sites and malicious ZIP downloads leading to credential theft. msft.it/6019Qlydd The ZIP file contains a malicious, digitally signed installer that masquerades as a trusted VPN client. The attack chain ultimately loads a variant of the Hyrax infostealer that captures VPN sign-in credentials and VPN configuration data, and exfiltrates it to attacker infrastructure. Read the full Microsoft Defender Experts analysis of the tactics, techniques, and procedures (TTPs) and indicators of compromise of this Storm-2561 campaign, and get protection, detection, and hunting guidance:
Damag3dRoot retweeted
This is really cool. I like this code, proof-of-concept, and paper A LOT. Basically he is modifying the raw bytes of .LNK files (Windows shortcuts) to make them perform malicious actions while also operating correctly as a .LNK file. When examined by the user they will appear completely legitimate, but they're not. This is really, really, really cool. This is a great malware technique. I can't recall the last time I read anything on .LNK files being abused in this manner. Historically they're "hijacked", not modified at the byte level. My only criticism is he wrote this proof-of-concept in Python (not C or C++, like a gangster). Excellent work.
Feb 12
Can LNK files ever be trusted? ⚡ My latest blog post demonstrates several new LNK abuse methods, allowing you to fully spoof the target shown in Explorer. It also introduces tools to create your own LNKs, and detect spoofed ones yourself. 🐬 wietzebeukema.nl/blog/trust-…
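An added example, not code from the blog post or its tools: a small Python parser for the Shell Link (.lnk) binary format that builds a constructed shortcut inline and then dumps every field a shortcut can derive its target from (LinkInfo LocalBasePath, RelativePath, WorkingDir, Arguments, IconLocation). Flagging disagreement between those fields, and an interpreter name combined with arguments, is my own triage heuristic; it is not the spoofing or detection method from the post, and which field Explorer displays is not claimed here.

```python
import struct
from pathlib import PureWindowsPath

# LinkFlags bits (MS-SHLLINK 2.1.1); only the ones this example needs.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_DATA_ORDER = (                      # fixed order of the StringData structures
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def _link_info(local_base_path: str) -> bytes:
    """Minimal LinkInfo: a VolumeID plus an ANSI LocalBasePath and an empty CommonPathSuffix."""
    label = b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0, 16) + label   # size, DRIVE_FIXED, serial, label offset
    base = local_base_path.encode("ascii") + b"\x00"
    suffix = b"\x00"
    hdr = 0x1C
    vol_off = hdr
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    total = suffix_off + len(suffix)
    return struct.pack("<IIIIIII", total, hdr, 1, vol_off, base_off, 0, suffix_off) + volume_id + base + suffix


def build_lnk(local_base_path: str, **strings: str) -> bytes:
    """Constructed .lnk: ShellLinkHeader, LinkInfo, Unicode StringData, terminal ExtraData block."""
    flags = HAS_LINK_INFO | IS_UNICODE
    body = _link_info(local_base_path)
    for bit, key in STRING_DATA_ORDER:
        value = strings.get(key)
        if value is not None:
            flags |= bit
            encoded = value.encode("utf-16-le")
            body += struct.pack("<H", len(encoded) // 2) + encoded    # CountCharacters, no terminator
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)        # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL
    return header + body + b"\x00\x00\x00\x00"


def parse_lnk(blob: bytes) -> dict:
    """Return the target-bearing fields of a Shell Link; the IDList is only measured, not decoded."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if hdr_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link")
    off, out = HEADER_SIZE, {"flags": flags}
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", blob, off)
        out["idlist_bytes"] = idlist_size
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol, base_off, _cnrl, _suffix = struct.unpack_from("<IIIIIII", blob, off)
        if info_flags & 1:                                      # VolumeIDAndLocalBasePath
            start = off + base_off
            out["local_base_path"] = blob[start:blob.index(b"\x00", start)].decode("cp1252")
        off += info_size
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    for bit, key in STRING_DATA_ORDER:
        if flags & bit:
            (count,) = struct.unpack_from("<H", blob, off)
            off += 2
            raw = blob[off:off + count * width]
            off += count * width
            out[key] = raw.decode("utf-16-le" if unicode else "cp1252")
    return out


def triage(fields: dict) -> list[str]:
    """My own heuristics: target-bearing fields that disagree, or an interpreter given arguments."""
    notes = []
    base, rel = fields.get("local_base_path"), fields.get("relative_path")
    if base and rel:
        b, r = PureWindowsPath(base).name.lower(), PureWindowsPath(rel).name.lower()
        if b != r:
            notes.append(f"LinkInfo names {b} but RelativePath names {r}")
    args = fields.get("arguments", "")
    for path in (base, rel):
        if path and PureWindowsPath(path).name.lower() in INTERPRETERS and args:
            notes.append(f"{PureWindowsPath(path).name} launched with arguments {args!r}")
            break
    return notes


# Constructed samples: one whose fields agree, one whose LinkInfo and RelativePath name different binaries.
CLEAN = build_lnk("C:\\Windows\\System32\\notepad.exe", relative_path="..\\..\\Windows\\System32\\notepad.exe")
SPOOFED = build_lnk("C:\\Windows\\System32\\notepad.exe",
                    relative_path="..\\..\\Windows\\System32\\cmd.exe", arguments="/c echo spoofed")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("spoofed", SPOOFED)):
        fields = parse_lnk(blob)
        print(label, {k: v for k, v in fields.items() if k != "flags"}, triage(fields))
```

A real triage tool would also decode the LinkTargetIDList (the shell item list is where the resolved target usually comes from) and the ExtraData blocks; this example deliberately stops at the fields that are cheap to parse and still catches a shortcut whose pieces tell different stories.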
Damag3dRoot retweeted
Microsoft Defender researchers observed attackers using yet another evasion approach to the ClickFix technique: Asking targets to run a command that executes a custom DNS lookup and parses the `Name:` response to receive the next-stage payload for execution.
Damag3dRoot retweeted
Jan 28
ClearFake gets more evasive with new living off the land (LOTL) techniques expel.com/blog/clearfake-new…
Damag3dRoot retweeted
WSL2 is a powerful attacker hideout because it runs as a separate Hyper-V VM, and defenders rarely monitor it. Daniel Mayer explains how attackers pivot into WSL2 and what it took to build tooling that works across WSL2 versions. Read more ⤵️ ghst.ly/45fPUma

Damag3dRoot retweeted
🔴 New #Anubis stealer detected by generic hunting rules
Sample: virustotal.com/gui/file/a0e2…
🎯 Steals:
- Browser creds (Chrome v127 bypass via COM)
- 20 crypto wallets
- Telegram/Discord sessions
Rules:
🔹 valhalla.nextron-systems.com…
🔹 valhalla.nextron-systems.com…