Intel Report [HIGH] - APT28 (Fancy Bear/Forest Blizzard), attributed to the GRU's Unit 26165, has repurposed the MooBot criminal botnet and compromised Ubiquiti EdgeRouter devices as distributed infrastructure for cyber espionage operations. According... enigma-global.com/og/report/…
#threatreport #MediumCompleteness
APT28, an evolution of tradecraft | 11-06-2026
Source: blog.sekoia.io/apt28-an-evol…
Key details below ↓
🧑‍💻Actors/Campaigns: Fancy_bear (🧠motivation: sabotage, hacktivism) Phantom_net_voxel Cyberberkut (🧠motivation: sabotage) Roundpress Frostarmada Cybercaliphate Apt29 Double_tap
💀Threats: Polyglot_ransomware, Credential_harvesting_technique, Spypress, Moobot, Aitm_technique, Xagent, Spear-phishing_technique, Sedkit_tool, Sedup_loader, Sedreco, Xtunnel, Screen_shotting_technique, Mimikatz_tool, Zebrocy, Gooseegg_tool, Headlace, Credomap, Masepie_tool, Oceanmap, Steelhook, Dns_hijacking_technique, Incontroller_tool, Bitm_technique, Covenant_c2_tool, Beardshell_tool, Slimagent_tool, Lamehug_tool
🎯Victims: Government, Defense, Diplomatic entities, Critical infrastructure, Political organizations, Civil society, Military, Foreign ministries, Embassies, Law enforcement, ...
🏭Industry: Healthcare, Energy, Logistic, Transport, Critical_infrastructure, Education, Ngo, Government, Military
🌐Geo: Crimea, Romania, Russian, Ukraine, Ukrainian, America, Germany, American, French, Russia, Africa, Asia, Polish, Bulgaria, German
🔓CVEs:
CVE-2023-23397 \[[Vulners](vulners.com/cve/CVE-2023-233…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True
Soft:
- microsoft 365_apps (-)
- microsoft office (2019)
- microsoft office_long_term_servicing_channel (2021)
- microsoft outlook (2013, 2016)
...
CVE-2022-38028 \[[Vulners](vulners.com/cve/CVE-2022-380…)] - CVSS V3.1: *7.8*, - Vulners: Exploitation: True
Soft:
- microsoft windows_10_1507 (<10.0.10240.19507)
- microsoft windows_10_1607 (<10.0.14393.5427)
- microsoft windows_10_1809 (<10.0.17763.3532)
- microsoft windows_10_20h2 (<10.0.19042.2130)
...
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs: T1003, T1005, T1041, T1056.001, T1059.001, T1059.003, T1059.005, T1059.006, T1059.007, T1068, ...
💽Software: Outlook, Mistral, Windows Print Spooler, Microsoft Exchange, Roundcube, MDaemon, Zimbra, icedrive, Qwen, Hugging Face, ...
🔢Algorithms: base64
🗂️Win API: NET
📜Programming Languages: javascript, python, powershell

#threatreport: APT28, also known as Fancy Bear, has displayed significant evolution in its cyber operations over the years, particularly focusing on government, defense, and critical infrastructure targets related to NATO and Ukraine. The group has been tracked extensively since its inception, with a particular emphasis on major operations like the TV5Monde sabotage and the 2016 breaches of the Democratic Party.

Historically, APT28 utilized a signature implant toolkit that defined its operational fingerprint during notable attacks. This included spear-phishing campaigns deploying the Seduploader first stage malware, later upgraded to the X-Agent backdoor, paired with additional tools for persistence and exfiltration. The hack-and-leak playbook, pioneered by the group, involved releasing stolen documents to maximize political impact, a strategy successfully employed during the US elections.

A significant shift occurred after the 2019 Mueller Report, which brought extensive scrutiny to APT28, resulting in a notable decrease in its publicly tracked activities. However, reports indicate that the group remained active, deploying a custom privilege escalation tool named GooseEgg against various targets, with the exploit of CVE-2022-38028 allowing execution at a system level.

In recent years, APT28 has fragmented its operations into short-lived, single-purpose malware components, utilizing styles of attack that include zero-click exploits against Microsoft Outlook to harvest credentials. Attackers have weaponized vulnerabilities like CVE-2023-23397 to relay captured hashes for credential harvesting, frequently targeting Ukrainian civil society and military sectors.
The operational infrastructure has shifted towards edge devices, moving away from traditional VPS setups. This includes campaigns that leverage compromised routers as part of its network, facilitating the relay of hashed credentials and hosting phishing sites to bypass more stringent defenses. Reports show a wide-scale collection of credentials from users of the popular Ukrainian webmail service, UKR.NET, utilizing both client-side phishing and server-side webmail exploits based on cross-site scripting (XSS). Furthermore, APT28 has integrated cutting-edge techniques, including the potential use of a large language model (LLM) in a malware variant named LameHug, demonstrating a novel approach in operational logic delegation. This adaptation toward utilizing AI capabilities reflects ongoing innovation within the group's tactics. While the group has returned to a more traditional implant methodology in certain recent operations, pairing the new layers of their toolkit with legacy systems like X-Agent, the overall consolidation of varying techniques indicates APT28's responsive adaptation in a rapidly evolving cyber threat landscape. Continued monitoring and public reporting on APT28's activities remain critical for understanding and mitigating their impacts in the cybersecurity domain.
Dadicke retweeted
Added some more indicators for: XWorm (2), MooBot (1), DarkComet (1), NetSupportManager RAT (1), Nanocore RAT (1), SectopRAT (2) and ShadowPad (1). vuldb.com/actor #apt #cti #ioc
Replying to @Comfywa
It's nice to have someone to say hi to besides Moobot. 🙂
People are crying over moobot now? And they talk about being resentful? 😹😹😹
I don't think the Otp lol people have moobot saying this when you type "!match koi"?
If you mod the bot enough you could, like with nightbot or moobot, unless theirs was custom.
🚨 UPDATE — UniFi OS RCE: Censys is tracking nearly 100,000 internet-exposed UniFi OS endpoints — the majority in the U.S. No confirmed in-the-wild exploitation yet, but Ubiquiti has NOT disclosed whether these flaws were exploited before disclosure. History matters here: Russia's GRU previously hijacked Ubiquiti routers to build the Moobot botnet for cyberespionage against the U.S. and allies. CISA added a prior Ubiquiti RCE to KEV in 2022. These devices are a proven target for nation-states. If you haven't patched to 5.0.8, assume you're in someone's crosshairs. 👇 bleepingcomputer.com/news/se…
Something to know when you start streaming: When streaming a game where you want to listen to music in the background, or have Moobot etc. set up for viewers to request music, you should set up a VOD audio track in OBS settings to avoid getting copyright smacked
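What came up when I looked it up was "MOOBOT ARTVZ", a smart suitcase that follows you automatically.
・Auto-follow function
・Remote control operation
・Rideable
The going price on Mercari for a complete unit is 64,000 yen. The price at King Family: 1,600 yen.
However, this particular item is:
・Missing the remote
・Missing the wiring
・Not possible to test
Normally this is a condition I would pass on. Honestly, I really agonized over whether to buy it for resale (lol)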
Twitch chat timers can now pin their messages to the top of chat. This lets you auto-rotate pinned messages, set non-invasive durations on pins, and Moobot can even restore your previous pin in case you have something important you want to keep pinned💜
An update for Twitch VIPs is now live for Moobot.
- Add temp VIPs and Moobot will auto remove them for you
- New !AddVIP chat command for your mods
- New permissions for your editors to view and manage VIPs from your dashboard
So due to the StreamElements News, I have been scrambling around😬 But I have managed to figure out alternatives and a few extra things on the side that I have seen going around twitter!💜
~~~~~~~~~~~~~~
Twitch - Alert Studio, it is such an easy way to set up Alerts!
OBS Studio - Go into Docks, you can set up Chat and Activity Feed!
Tip - I had the StreamElements one set up for Tipping/Dono, but now I have just stayed with Kofi! Makes it easier and fast to set up!
Commands - Other than MixItUp, Moobot is a perfect and easy way to move your commands into! (Of course, I'm still struggling with any duel and leaderboard commands, but there are so many more fun commands you can add in to replace them, like !catfacts)
Ads - Just an extra tip, set it up to 3 minutes, it stops pre-rolls and it helps keep people around, they won't leave at the first Ad they see, when they pop into your stream!
Security - In case of any Hate Raids, I do have a Stream Deck with buttons set to refresh chat and to turn it into Subscribers only, until the case is resolved! I also have Sery_Bot!
Stream Bots - There are many like Mixitup Bot and Streamer Bot, but I am sticking with Sery_Bot and Moobot plus "mild" MixItUp integration (honestly I don't know what more to set up for it other than some Mild commands and some Channel points set there, I'm also trying to not toast my pc more by downloading more stuff to it, so I'm using my current resources that have been installed a long time ago)
Chat Overlay Widget - Now for this one, I am still in the works of finding an Alternative, I have found MixItUp and Squonk! (From - @proller_art ) that could be of help! If not, I'll cave in and try out StreamLabs just for that!
~~~~~~~~~~~~~~
I'm no expert and I'm no tech person! But this is what I have tried as I have been quite overwhelmed with setting all of these up especially with my ADHD making me get overstimulated and I hope it is quick and easy for others too!🥹
This StreamElements situation is why I made Moobot sustainable from day 1:
1. Moobot is 100% community supported (expenses dev)
2. No ads to streamers nor viewers
3. No selling your data
4. No investors looking for ROI
5. No shady business practices
For 18 years now
If you're leaving StreamElements, options exist but nothing matches how easy and all-in-one it is. For self-hosted bots, check out Firebot, Mix It Up, or Streamerbot (Firebot and Mix It Up are easiest). Prefer hosted? Try Fossabot, Nightbot, or Moobot. All are great!
Replying to @kibawooo
alerts: twitch itself or roll your own w streamerbot
overlays: dunno, roll your own with streamerbot or sammi or mixitup
chatbot: streamerbot/mixitup/sammi (software) or moobot, nightbot
tipping service: idfk, i use kofi but stripe is very annoying to setup and paypal sux