The Attack Capture from @Huntio tracked #APT #Lazarus on an #open #directory. Further, @virustotal analysis shows another parent "update93m" for one of unzipped file drivfixer[.]sh. New C2: avalabs-digital[.]store ~ 10 days ago @500mk500 @MichalKoczwara @malwrhunterteam

#APT36 #TransparentTribe PPT for Breifing at HQ Norther Command(ZIP) bd260bf220b310ebdd9ab0b50114f627 #Crimson #RAT c6409e078bad9094ab4b26dad5219f6c /excel/excel.bat /excel/office.bat PPT for Breifing at HQ Norther Command.pptx.lnk C2: 155.117.45.44 @500mk500 @PrakkiSathwik

#APT #Sidewinder targets #SriLankan #Navy 5th sightings for "mailsserver-lk[.]com" - Another Webpage tracked by @Huntio URL: sdgf9af72f31706769d32bf1ff66cdec1d1gkj5jg95jg5k0hkg95kg0tk[.]pages[.]dev Ref: x.com/volrant136/status/1988… @500mk500 @MichalKoczwara @malwrhunterteam

#APT36 #TransparentTribe DG NIA ppt regarding ongoing issues.ppam b90da532d80f3acc6c2c13f4c3d87cb8 https[:]//nianew.xyz/ @Namecheap download.php?file=mod.pptx download.php?file=PowerToys.zip (Password@2026) #Golang #PowerToys.exe @PrakkiSathwik @500mk500

Observed activity associated with Donot Group (APT). Lure document: • INVITATION FOR THE EID-UL-ADHA IFTAAR RECEPTION .xltm • 54715f6d79797cadc8ccbcd8e8bd22d0 Observed payload: • 2b420e55cacf0a6cdb04f13e6c16c79b Observed C2 infrastructure: • greezupdto[.]info • shadoworkz[.]info #Donot #DonotGroup #APT #IOC

🚨 🌍 New report: Exposing a Global Smishing Operation Across 19 Countries We started hunting after Romania's official payment portal posted a public phishing warning. Here's what we found: - 1,628 malicious URLs across 33 backend IPs and three continents - Targets include government portals, road police, postal services, and telecoms in 19 countries - One 128-character metadata hash present in every single phishing page 👉 Full report: hunt.io/blog/massive-smishin…

🇸🇦 🇮🇷 𝗡𝗲𝘄 𝗠𝗶𝗱𝗱𝗹𝗲 𝗘𝗮𝘀𝘁 𝗺𝗮𝗹𝗶𝗰𝗶𝗼𝘂𝘀 𝗶𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 𝗿𝗲𝗽𝗼𝗿𝘁: 𝟭,𝟯𝟱𝟬 𝗖𝟮 𝗦𝗲𝗿𝘃𝗲𝗿𝘀 𝗠𝗮𝗽𝗽𝗲𝗱 𝗔𝗰𝗿𝗼𝘀𝘀 𝟵𝟴 𝗣𝗿𝗼𝘃𝗶𝗱𝗲𝗿𝘀 Over a three-month window, we mapped more than 1,350 active C2 servers operating across 98 infrastructure providers in 14 Middle Eastern countries, covering telecoms, shared hosting, and VPS environments. 👉 Read the full report: hunt.io/blog/middle-east-mal… Here's what the data shows: → A single telecom carrier accounts for nearly 72% of all detected regional C2 activity, most of it tied to compromised customer endpoints rather than provider-level abuse → C2 infrastructure makes up over 96% of all observed malicious artifacts in the region → Tactical RMM leads the malware family breakdown with 92 unique C2 IPs, followed by Keitaro TDS (71) and Acunetix (38) → The malware mix covers a wide range of attack types - IoT botnets (Mozi, Hajime, Mirai), remote access tools (AsyncRAT, Sliver, Cobalt Strike), active scanning (Acunetix), and phishing infrastructure (Gophish, Keitaro TDS) → Campaigns in the dataset include Eagle Werewolf espionage operations, the DYNOWIPER destructive campaign targeting Poland's energy sector, and RondoDox botnet exploitation infrastructure on Iranian hosting The main takeaway is that malicious infrastructure in the region is not evenly spread. A small set of providers keeps showing up across unrelated campaigns and malware families, which is where the tracking value is. Provider-level visibility is what lets defenders get ahead of that pattern, rather than reacting to individual indicators that rotate daily. Full breakdown, including infrastructure observables, HuntSQL queries, and campaign examples, is in the report 👇 hunt.io/blog/middle-east-mal…

#Impersonation | #CNIC harvesting | Interior Ministry of #Pakistan Interesting, I found interiorgovpk[.]site last year and now a new one identified. 🔗https://www.interiorgovpk[.]life/ Ref: x.com/volrant136/status/1938… cc: @500mk500 @MichalKoczwara @malwrhunterteam

🚨 New research from Joe Security: A spear-phishing campaign targeting Pakistan’s PSCA & PPIC3 abused ⚡ VS Code Remote Tunnels and Discord webhooks for stealthy remote access. Instead of stealing Microsoft accounts, attackers enrolled victim machines into their own VS Code tunnel infrastructure using device-code authentication - a clever twist on classic phishing techniques. 🎯 Key findings: 🔹 Malicious Office macros downloading & executing `code.exe` 🔹 Abuse of legitimate VS Code tunneling workflows 🔹 Discord webhooks used for exfiltration & status reporting 🔹 ClickOnce-based PDF delivery chain impersonating Adobe Reader 🔹 Trusted Microsoft infrastructure leveraged for persistence & stealth This campaign highlights how threat actors increasingly weaponize legitimate developer tooling to blend into normal cloud traffic. ☁️💻 Read the full analysis here 👇 buff.ly/BE5w9Yq #CyberSecurity #ThreatIntelligence #MalwareAnalysis #Phishing #VSCode #Microsoft #BlueTeam #DFIR #JoeSecurity

#APT #Sidewinder Targets #Pakistan 🇵🇰 New ✅ Tracked by @Huntio ⚠️https://www-sbp-org-pk[.]interior-ministry[.]com/53645092/adobe-reader ref: x.com/volrant136/status/2020… cc: @500mk500 @MichalKoczwara @malwrhunterteam

#DocuSign/#Microsoft OAuth #Phishing Attack Targeting #Srilanka 🇱🇰 1 spz2-unv8-sx9a.sc0656-srilankan-com-s-account[.]workers[.]dev Ref: x.com/volrant136/status/2056… cc: @500mk500 @MichalKoczwara @malwrhunterteam

#APT #Sidewinder New Samples 412ad811db5097af62929d88e01c3527 interior-gov-pk[.]direct880[.]net 759703585f0feae8dec679db380fb0ac moha-gov-np[.]direct880[.]net Ref: x.com/Cyberteam008/status/20… cc: @500mk500 @MichalKoczwara @malwrhunterteam