World Watch CTI team from @CERTcyberdef (@OrangeCyberDef)

Joined March 2021
🧵 Since March 2026, Orange Cyberdefense has been tracking a malware delivery cluster linking a fake FileZilla campaign with other software-themed lures, including LibreOffice and Google Drive Setup, as well as a ClickFix-based one. #CTI #ThreatIntel #STXRAT @asma_lansari
Notably, credential theft is only activated after successful C2 interaction.
Bottom line: different lures, similar staging, same malware outcome. We published a full advisory for our customers on the infection chain, overlaps, and malware analysis. Related IoCs are also available in our public GitHub repository: github.com/cert-orangecyberd…

World Watch (OCD) retweeted
21 Nov 2025
These guys published a great report on Operation DreamJob by the DPRK threat actor, and I can relate to how hard it is to build that malware relationship table. Kudos to the team!
🔎Our CERT is releasing a new technical report on 🇰🇵Operation #DreamJob, focusing on recent evolution in its tooling. Following an IR engagement at a large manufacturing client based in 🇪🇺, we investigated artefacts we attribute to #UNC2970. ➡️Full blog: ow.ly/V4mr50Xug1l
World Watch (OCD) retweeted
Last week, our International CyberSOC team detected a wave of #phishing emails sent to several customers in Germany🇩🇪. Designed for Microsoft 365 credential harvesting, the campaign relies on #bubbleapps subdomains spoofing company names.
World Watch (OCD) retweeted
🧀🎣Since early September 2025, the Orange Cyberdefense CSIRT and CyberSOC teams have detected phishing campaigns impersonating Meta, AppSheet and PayPal, leading to malware delivery. Our team tracks this activity under the alias "Metappenzeller" #CTI #ThreatIntel #Metappenzeller
🧀 Update on MintsLoader: a thread 🔽 MintsLoader is a JavaScript/PowerShell loader that was first detailed by OCD in 2024. A new version has been around at least since early-June 2025. #cti #ThreatIntel #mintsloader
The associated infrastructure could be tracked thanks to specific patterns and campaign IDs in the C2 URLs. These detection opportunities were presented at Botconf 2025: botconf.eu/wp-content/upload…

The new version has removed these notable behaviours and is seen in campaigns with fake invoice lures. New indicators of compromise (IoCs) are available on our GitHub: github.com/cert-orangecyberd…