Likely state-sponsored TA still targeting orgs with WhatsApp🤳 mail 📩 phishing in 🇪🇺 in December. Goal is to get access to the MS account of high value targets. TA is particularly interested in people or organisations that run activities in 🇺🇦

Up to now we identified tgts in NGOs and think-tanks. In december, threat actor notably leveraged an online profile using "Janis Cerny" name, who pretends to be a diplomat working with the EU. Mail is janiscerny[@]seznam[.]cz, and WhatsApp profile/number is [ 42]0 735 596 5[65]

Late summer our stuff stopped an infection chain involving a driver, a previously undocumented malicious IIS module, and ASP .NET viewstate abuse.

All tools speak CN, operators leveraged a CN RMM service, domains are registered in CN and some infra is at Alibaba Cloud - it's likely way more CN-language and specifics than an actual CN operator would need...

Documents 📃 about alleged IRGC 🇮🇷cyber ops are being disclosed since last week (#KittenBusters). 2nd batch of data includes a reference to our work @HarfangLab: "see reports on publicly available tools (such as BellaCiao and CYCLOPS) – these are malware tools used"

"ea3e059ca58eec16a98691bcae372170d83b97c0_Shell failed[.]txt" contains WebShell filenames which match those dropped by some BellaCiao samples. Several IPs and domains that are listed as "targets" in Episodes 1 and 2 indeed match targets of BellaCiao malware that I know of.

We @aridjourney @ArielJT at HarfangLab had a look at archives containing weaponized XLS spreadsheets dropping C# and C downloaders, likely intended for targets in Ukraine and Poland

We found striking similarities with previously reported activity from UNC1151, sometimes referred to as UAC-0057, FrostyNeighbor or Ghostwriter