There is someone exposing IRGC (Islamic Revolutionary Guard Corps) stuff on GitHub. I'm not a IRGC geopolitical nerd, so I can't assess the value of the content. However, if you know what the fuck is going on, maybe you'll find it interesting: github.com/KittenBusters/Cha…

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-global…

🚨 Same Threat Actor is now delivering Windows Payload through the ~2800 compromised sites using ClickFix It dinamycally changes depending on platform (user-agent) Mac/Win 1: https://e.overallwobbly[.]ru/au1 (Dropper1: era-stau1.a) → PowerShell → Stage 1 Script (AutoIT) 2: https://e.overallwobbly[.]ru/era-std → PowerShell → Stage 2 Code 3: https://nc1.overallwobbly[.]ru/googlerestricted.ide → Final Payload (heavily obfuscated) Probably using LOLBin. Hash era-stau: d2465b8f9b36fa3139bcdcacab54591490753cc7f8843f8dddb0831094ef53ac Hash of dropped Zloader: 4e72ca1baee2c7c0f50a42614d101159a9c653a8d6f7498f7bf9d7026c24c187 Thoughts? @malwrhunterteam @RussianPanda9xx @500mk500 @ViriBack @Big_Bad_W0lf_ @DaveLikesMalwre @g0njxa @JohnHultquist #ThreatIntel #ClickFix

Based on the intel report screenshot below from Microsoft. I had added detection rules to my KQL repo github.com/0xAnalyst/Defende… github.com/0xAnalyst/Defende… github.com/0xAnalyst/Defende… Same queries can be found in kqlsearch.com see screenshot #ATP #ThreatHunting #KQL #SOC

Sample is now on VT! 🚩Hash: fbd5e3eb17ef62f2ecf7890108a3af9bcc229aaa51820a6e5ec08a56864d864d 🎯Actor name: Lazarus 🔹Comment: The Safe{Wallet} JavaScript used by Lazarus in the ByBit hack that was deployed Feb 19, 2025 17:29:05 and replaced with the original clean version within 2 minutes of the hack. 🌐URL: docsend.com/view/s/rmdi832mp… 🔎OnVT: virustotal.com/gui/file/fbd5…