An interesting challenge that trips up analysts is determining whether something is a phish, or a pentest/phish test. Today we give you applic[.]center and webinfo[.]company. A good day to hone your intuition using OSINT and knowledge of how folks set up infra. 1860ac0e7f841425dd64d98569143116f017523e7aabc1b7d7e8b74be1d8fede
MoD_09-01-2025.chm #apt e85d1e95fa10fcddd7c1e4a095c41744b5aa3952e31c77b8a6c29b8384426e58 -> d259aaa5d49dc2bd00baf4418343d8665afa7a87ed3a4d06736271d4f3b38d90 -> 158.255.215[.]45:8899/nina/anotherLife
DPRK puts out one of the cleanest malicious bash scripts you'll ever see. readability 7a45e4614662081bf300c897b5e4de212e41bf8ed53762a5e4d455eaee983a6a
Interesting phish against a Bangladesh bank from a compromised BD GOV sender. RAR -> LNK, cluster leads to targeted activity against Bangladesh, Pakistan, and China. Decoy content looks like OCR/image translate. c2 vrms.bangladeshbaank-gov-bd.workers[.]dev 136dd864f5772a6567aff34fcbe6f0665b7cc04b2d486004c370f410bee259b1 github.com/StrikeReady-Inc/s…
one more, susp targeting "Bangladesh Telecommunication Regulatory Commission" CyberNet2025.lnk wandering-pond-e7f4.foxiproxi.workers[.]dev eebf4a5104d75f8f6536e592d4c7945d56f8431059f2cab980756d9b9e96f0fc
same group targeting BD: "Strengthening of Government Video Conferencing Platform Project (1st Revised) (1).pdf.searchConnector-ms " 1ca3de5b90d293c3ac0f36da128b513037dda0223096e1026315e97c2793766e
#dailyphish it's 10pm, do you know how your gateway handles ".searchConnector-ms" extensions? "Mechanism of data sharing with IBD Offices.pdf.searchConnector-ms" -> ebbausersupport[.]com b6e77578cb4aeaedabc0fa3a465a50a0b18e4c8b9bcffc9d2e24752eab02a1da
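An added example (not the account's own tooling) of the kind of gateway check the post above asks about: flag attachments whose final extension is a shortcut or handler type (.lnk, .searchConnector-ms, .chm, .hta) hidden behind a document-looking one. The sample filenames are constructed from names seen in this feed; the extension lists are assumptions to be tuned per environment.

```python
import re
from typing import List, Optional, Tuple

# Final extensions that launch a handler when double-clicked. ".searchConnector-ms"
# is a Windows Search Connector definition opened by Explorer, easy to overlook in
# gateway rules. (Assumed list; extend per environment.)
HANDLER_EXTS = {"lnk", "searchconnector-ms", "hta", "chm", "scr", "js", "vbs", "url"}
# Extensions a recipient expects to be an inert document (assumed list).
DOCUMENT_EXTS = {"pdf", "docx", "doc", "xlsx", "hwp", "txt", "zip"}


def normalize_name(name: str) -> str:
    """Trim whitespace and collapse spacing around dots ("Schedule. zip" -> "Schedule.zip")."""
    return re.sub(r"\s*\.\s*", ".", name.strip())


def classify(name: str) -> Optional[str]:
    """Return a verdict string for a risky attachment name, or None if unremarkable."""
    parts = normalize_name(name).lower().split(".")
    if len(parts) < 2:
        return None
    last = parts[-1]
    if last not in HANDLER_EXTS:
        return None
    # "report.pdf.lnk": a document extension directly in front of a handler extension
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"double-extension lure: .{parts[-2]}.{last}"
    return f"handler attachment: .{last}"


def scan(names: List[str]) -> List[Tuple[str, str]]:
    """Return (filename, verdict) pairs for every name that classify() flags."""
    return [(n, v) for n in names if (v := classify(n)) is not None]


# Constructed sample input, built from attachment names quoted in this feed.
SAMPLE_NAMES = [
    "Mechanism of data sharing with IBD Offices.pdf.searchConnector-ms",
    "Strengthening of Government Video Conferencing Platform Project (1st Revised) (1).pdf.searchConnector-ms ",
    "MoD_09-01-2025.chm",
    "CyberNet2025.lnk",
    "SBB_Fahrplan_5274147.pdf.lnk",
    "NDC65-Updated-Schedule. zip",
    "quarterly_report.pdf",
]

if __name__ == "__main__":
    for filename, verdict in scan(SAMPLE_NAMES):
        print(f"{verdict:45s} {filename!r}")
```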
It's kind of strange how long they've been able to use this api.camera-drive[.]org for hosting these Mac and Windows payloads --- going on a month but at a very high volume for a targeted attacker. @namecheap able to take camera-drive[.]org down?
#dprk still running strong with the fake interview sites digitptalent[.]com
thanks, @Namecheap !
NDC65-Updated-Schedule. zip 97e9fc3d3bbbcbdea3b3ea57953db9aad5e6f4f9d7f9d71e9309989ce26a8563 same lnk name (desktop-ey8nc5b) Just hit VT, but looks like perhaps from 2023 based on timestamps and lack of c2 responsiveness -> modspaceinterior[.]com/wp-content/upgrade/01/
Replying to @PrakkiSathwik
#SideCopy JS Army (Strat) .zip 87c0e81c2f0495b2174fdc8a12d9be3d Army_Strat .lnk --> desktop-ey8nc5b 7460b5ba1628e9be5afe773a247ecb61 01048 .hta --> inniaromas[.]com c07f421d3a3ba5e78f55c234ccaaa908 Same C2, decoy, FetaRAT and ActionRAT
One of our favorite dprk hunts is to watch for content containing oft-targeted institutions, be it spears or c2 artifacts. Although they aren't the original APT, they do put the "P" in APT 97bc3dd9fc2cb82d31377a716eea60b64635fff1e65bf6f30832a2a2d65729f8
People laugh about attribution sometimes, but in the careers of people in labs here, exactly zero times has this tool ever been used by anyone who wasn't connected to CN-sponsored espionage (including moonlighting), with a rare exception of a joker on VT. zero crimeware uses.
TWENTY years of SOGU / PlugX
#dailyphish #crimeware 5b964166035f3a8509b8e78c49a9c53dadbd788624899dfa9b7709c198f88852 -> fixecondfirbook[.]info
b7257d22edcfd71816d8d692c19070eec24b65f61811063da539929a469b3f81
running powershell via "ssh.exe -o proxycommand" ... is that stealthy? seems to me it would be the opposite of stealthy ... SBB_Fahrplan_5274147.pdf.lnk db791160ec45c955a79be8361055c256e5fc6c3850fa1fa2298205f2ff0cf1f0
20250114_27263.docx.lnk (desktop-0jpcpit) -> www.dropbox[.]com/scl/fi/lpgj7eek9jczsx2ey83tk/zzG.zip?rlkey=lngmcnnjatzijm02oex219ffy&e=1&st=lwe8 f4c4f68f8b27279b00b718b02392d5dfe1766c342a189a51e0e2a6f6412e1ce0
14 Jan 2025
#APT f4c4f68f8b27279b00b718b02392d5dfe1766c342a189a51e0e2a6f6412e1ce0 74.50.94[.]175:9992 74.50.94[.]175:7032 hxxps://www.dropbox[.]com/scl/fi/lpgj7eek9jczsx2ey83tk/zzG[.]zip
Back from vacation it appears; campaigns starting back up after a brief respite 2f8e8b2783c8c47da0f265199671f3cae4e31b2a03999fff12aa3090c74c7a51 linkcuts[.]com/5xu034g2 -> doads[.]org -> mocky -> jkbfgkjdffghh.linkpc[.]net
"info.pdf" #russia #apt #phishing 53142380d75e3f54490f2896b58f308e6b91bec841d09b4e88985cb5b7812031 -> linkcuts[.]com/gumcrr51 -> doads[.]org/gumcrr51 -> run.mocky[.]io/v3/22a2a2d8-84b9-4619-b8ba-359beb386cf9 -> jkbfgkjdffghh.linkpc[.]net
same filename today (오류발견 수정신고 제출 요청 안내(국세징수법 시행규칙).hwp.lnk) but different payload --- and only 1MB this time a1b67cfb080f4d1e4cbb0019a30259cb291f56c0ada02e2ca1028f675b187727 raleighice[.]com/wp-includes/js/inc/get.php fantasiasognorealta[.]com/wp-includes/js/src/list.php
LNK inflation is even higher than real inflation! 오류발견 수정신고 제출 요청 안내(국세징수법 시행규칙).hwp.lnk 355MB! (Guide to requesting submission of error discovery correction report (National Tax Collection Act Enforcement Regulations).hwp.lnk) 4cd7e92ac6a3d068683d41beabd82d82267d97aa89603c708c0dd4af637d6d67
Another one of these hit VT, same chain, uploaded from Indonesia Kelengkapan Dokumen Marlina Novriana.pdf.lnk 07bfae70b30398d86b306f2c29ddfc335e6276239909468a7e10993131370f09
#phishing spoofing India's "Bhabha Atomic Research Centre" secure-barc-gov-in.weebly[.]com