Threat Research

Joined March 2026
Pinned Tweet
Over a 7-month period, a Qilin affiliate exposed 5 C2 servers -> OPSEC L -> Sliver C2 / SOCKS running on WatchGuard devices -> Initial access primarily via WG/Fortinet exploitation -> 3 real victims found via the Qilin blog -> 🇺🇸 & 🇩🇪 targeting -> 7 CVEs used. Link to blog below 👇
Ctrl-Alt-Intel retweeted
Replying to @jabarprovgoid
@jabarprovgoid Your network has been compromised by a threat actor. Please contact me or @ctrlaltintel and we will help you resolve this intrusion free of charge.
Compromised hostname: crm
They have persistence and root.
Incredible reporting on logistics sector targeting (likely linked to cargo theft gangs) by @beensquatted: haveibeensquatted.com/blog/t…
http://23[.]94[.]252[.]241/share/new_agreement_timo_MAY27.exe
3 RMMs deployed from the initial dropper 🤯
Ctrl-Alt-Intel retweeted
🚨 Workshop Spotlight #14 👉 "Offensive Threat Intel: Tracking & Disrupting Adversaries for Fun" by Josh Allman (@xorJosh) & Ben Folland (@polygonben), of CtrlAltIntel

📝 Description
You don't need access to private telemetry or a job at a major security firm to hunt down threat actors in the wild and impose costs. Josh and Ben are proof. A couple of friends having fun built CtrlAltIntel and ended up making an impact on a global scale, supporting governments, military organizations, law enforcement, and more, all from analyzing public data.

This workshop walks through how they did it, and how you can too. You'll learn their methodology for tracking adversaries using platforms like Hunt.io, Censys, and Shodan, complete with specific queries and real-world examples. Then, get in the driver's seat:
- In The Hunt, you'll practice querying and pivoting from a single data point to identify and report active threat actor infrastructure.
- In Mining Gold from Open Directories, you'll work with safe data from their previous hunts and run your own analysis.

Their goal is simple: inspire you to give this a go and start taking down cybercriminals yourself.

🎟️ Only at ContinuumCon 2026. Work through it live, or revisit the lab on your own time. Own it forever. The workshop doesn't end when the conference does.

Got your ticket yet? 👉 continuumcon.com/
Hosted by @_JohnHammond, @JustHackingHQ, @AnthonyBendas, and @Level_Effect!
RT @BushidoToken: Please look into this @virginmedia, you're blocking legitimate security researchers:
Ctrl-Alt-Intel retweeted
Replying to @AWEGroupe
@AWEGroupe Your network has been compromised by a threat actor. Please contact me or @ctrlaltintel and we will help you get rid of their malware (completely free of charge, of course).
Compromised machine hostname: cineyglpi
Malware process name: [mm_percpu_wq]
👀😬
Today the FBI released a #PSA warning the public about Kali365—an emerging Phishing-as-a-Service (PhaaS) platform. Kali365, first seen in April 2026, enables cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user’s credentials. The platform allows less-skilled attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities. Learn more about how the scam works and review recommendations on how to protect yourself: ic3.gov/PSA/2026/PSA260521
A Ctrl-Alt-Intel researcher, based out of HK 🇭🇰, tried to download @signalapp via Chrome... but noticed something odd. The top 2 sponsored results were advertising likely malicious "Chinese versions" of Signal.
Sponsored Google Ads -> signal518.onepage[.me -> www.cq2nnlqm[.top -> s3.ap-east-1.amazonaws[.com/mazida3x/WPp3p/singalSutpes_5.18_owsrc.msi (MD5 47b403e220447f4205dd14bb69ecb9f9)
This .MSI contains signed Spotify/Google binaries and a suspicious DLL, ant.dll (MD5 6f3ac069f5f95665259b09149fd1d240)
^ The above have been translated. We haven't analyzed the files any further as we are too busy, but wanted to share the suspicious findings with the community regardless! If anyone has the time to dig into the payloads, we'd love to see what you find 👀
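The indicators in the cargo-theft post and the Signal malvertising thread above are shared defanged (both the usual `[.]` and the shorter `[.` form appear), so they have to be refanged before they can go into a blocklist or a pivot query. The following is an added example, not Ctrl-Alt-Intel's code: a small Python extractor that refangs the text and pulls out URLs, hosts, IPv4 addresses and hashes. The sample input is constructed from the indicators quoted in those two posts; the final `hxxps://` line on the RFC 2606 reserved domain `example.com` is constructed only to exercise the scheme variant, and the file-extension filter (so `ant.dll` is not reported as a hostname) is a heuristic of this example.

```python
"""Refang and extract defanged indicators (URLs, hosts, IPv4s, hashes) from
threat-intel posts. Added example, not code from Ctrl-Alt-Intel."""
import re
from urllib.parse import urlsplit

# Constructed sample: the defanged indicators quoted in the two posts above,
# plus one hxxps:// line on a reserved domain to show the scheme variant.
SAMPLE_POSTS = """\
Initial dropper: http://23[.]94[.]252[.]241/share/new_agreement_timo_MAY27.exe
Sponsored Google Ads -> signal518.onepage[.me -> www.cq2nnlqm[.top -> s3.ap-east-1.amazonaws[.com/mazida3x/WPp3p/singalSutpes_5.18_owsrc.msi (47b403e220447f4205dd14bb69ecb9f9)
This .MSI contains signed Spotify/Google binaries and a suspicious DLL, ant.dll (6f3ac069f5f95665259b09149fd1d240)
Constructed extra line: hxxps://example[.]com/login
"""

# Defanging conventions: "[.]" and the lazier "[." used in the posts, plus the
# "(.)", "{.}" and "hxxp" variants other feeds use.
DEFANGED_DOT = re.compile(r"\[\.\]|\[\.(?=[A-Za-z0-9])|\(\.\)|\{\.\}")
DEFANGED_SCHEME = re.compile(r"\bh(?:xx|tt)p(s?)(?:\[:\]//|\[://\]|://)", re.I)

URL_RE = re.compile(r"\bhttps?://[^\s()<>\"']+", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Scheme-less host, optionally followed by a path (the amazonaws line has no scheme).
HOST_RE = re.compile(
    r"(?<![\w.\-/@])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})"
    r"((?:/[^\s()<>\"']*)?)",
    re.I,
)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
# Heuristic (example's own): a dotted token ending in a file extension is a
# filename such as ant.dll, not a hostname. Extend as needed.
FILE_EXTENSIONS = {"exe", "dll", "msi", "ps1", "bat", "zip", "rar", "pdf", "doc", "docx", "xls", "xlsx"}
TRAILING_PUNCT = ".,;:!?"


def refang(text: str) -> str:
    """Undo the defanging so the indicators parse as real URLs and hosts."""
    text = DEFANGED_DOT.sub(".", text)
    return DEFANGED_SCHEME.sub(lambda m: "http" + m.group(1).lower() + "://", text)


def extract_iocs(text: str) -> dict:
    """Return {'urls', 'domains', 'ips', 'hashes'} lists, de-duplicated, in order seen."""
    text = refang(text)
    iocs = {"urls": [], "domains": [], "ips": [], "hashes": []}

    def add(kind: str, value: str) -> None:
        if value and value not in iocs[kind]:
            iocs[kind].append(value)

    # Full URLs first; their host goes to ips or domains depending on its shape.
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(TRAILING_PUNCT)
        add("urls", url)
        host = (urlsplit(url).hostname or "").lower()
        add("ips" if IPV4_RE.fullmatch(host) else "domains", host)

    # Scan what is left for scheme-less hosts and bare IPs, so path components
    # of the URLs above are not mistaken for hostnames.
    remainder = URL_RE.sub(" ", text)
    for m in HOST_RE.finditer(remainder):
        host, path = m.group(1).lower(), m.group(2).rstrip(TRAILING_PUNCT)
        if host.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
            continue
        add("domains", host)
        if path:
            add("urls", host + path)
    for m in IPV4_RE.finditer(remainder):
        add("ips", m.group(0))

    for m in HASH_RE.finditer(text):
        add("hashes", m.group(0).lower())
    return iocs


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_POSTS).items():
        print(kind)
        for value in values:
            print("   ", value)
```

Hosts are scanned only after the scheme-bearing URLs have been cut out of the text, otherwise the `singalSutpes_5.18_owsrc.msi` path component and similar tokens would be reported as domains; the same reason the `ant.dll` token is filtered by extension rather than accepted as a `.dll` "TLD".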
A little thread exposing screenshots of comms from the Gentlemen Leaks. These provide super interesting insight into the inside operations of successful RaaS groups: everything from aspects of operators' personal lives, their TTPs, and victims. All images shared are from the Rocket[.Chat leak.
We even discovered that in March they attempted to send flowers to a UK-based victim....
On 28th Feb, they recognise they're "top 2" on ransomware.live. Devman has gone ;) 🚓
Translation of zeta88's first message: "In short, Devman was either taken in, for health reasons, or because of a rebranding—it all disappeared. And we're top 2 on RansomLive based on statistics, but not based on profit, I think."
We can see a @GangExposed tweet shared by The Gentlemen, alongside the ransomware.live stats.
On the 25th March, "zeta88" attempted to get fraudulent CC info in order to buy a bunch of flowers to send to a victim. This victim was apparently taking time to begin negotiations.
In total, over 3.7k messages were analysed from multiple channels in their Rocket[.Chat. We are not finished; there is some more interesting tradecraft to discuss. Blog maybe coming soon 😅