ICYMI: DomainTools Investigations released new research this week!

Skeleton Spider (aka FIN6) is leveraging trusted cloud services like AWS to deliver malware through fake job applications and resume-themed phishing campaigns.

Learn how this financially motivated group is:

Exploiting cloud infrastructure to evade detection
Using social engineering to lure victims
Building resilient, scalable malware delivery systems

Read the full analysis here: https://dti.domaintools.com/skeleton-spider-trusted-cloud-malware-delivery/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Skeleton-Spider

Scammers scamming other scammers so they can scam you? We’ve reached peak scam inception!

Sites like ScamAdviser are helpful for checking if a website is shady — but guess what? The scammers lurk there too.

They’re leaving negative reviews against other scam sites (because, of course, there is no honor among thieves), as well as legit sites, pretending to be victims. Why? All so they can drop Telegram or WhatsApp contacts for so-called “crypto recovery services” that supposedly helped them get their stolen money back.

Spoiler Alert: These are just more scams!

They’ll say they’ve recovered your lost crypto - then demand a “release fee” or cut to release it. You’ll pay... and never hear from them again.

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam

CISOs call for operational threat intelligence integration https://www.helpnetsecurity.com/2025/06/12/cisos-operational-threat-intelligence/ #threatintelligence #cybersecurity #strategy #Trellix #report #News #CISO

MISP 2.4.211 & 2.5.13 Released - A Double Dose of Security, Search, and Stability.

These releases are packed with critical security patches, a major overhaul of the search functionality, and a host of improvements and bug fixes to enhance your threat intelligence experience.

#opensource #threatintelligence #threatintel #cti

https://www.misp-project.org/2025/06/06/misp.2.5.13.and.2.4.211.html/

CIRCL - Virtual Summer School (VSS) 2025

From 7 July to 18 July 2025, CIRCL will host a two-week online training event featuring hands-on sessions on various tools developed and maintained by CIRCL, as well as training in digital forensics and incident response (DFIR) techniques.

#opensource #dfir #training #cybersecurity #threatintelligence

@ail_project
@misp
@vulnerability_lookup
@gcve

https://www.circl.lu/pub/vss-2025/

I set up a few honeypots in Europe this weekend mdr.

My servers found russian unreported, so I guess it works fine. So I feed a list + self-report to AbuseIP every day.

It's downloadable for everyone for free

PS : Some attacking IPs are shared, remember to qualify well before any integration.

https://github.com/DXC-0/Malicious-Robots.txt

DomainTools Investigations’ (DTI) latest analysis uncovers a technically sophisticated malware campaign that uses fake CAPTCHAs and spoofed document verification pages (like Docusign) to trick users into self-infecting their machines with the NetSupport RAT.

Key tactics include:

Clipboard poisoning via fake CAPTCHA pages
Multi-stage PowerShell downloaders
Spoofed Gitcodes and Docusign domains
Infrastructure overlap with known threat groups like SocGholish, FIN7 and STORM-0408

Read the full breakdown including security recommendations here: https://dti.domaintools.com/how-threat-actors-exploit-human-trust/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Prove-You-Are-Human

Martyn Williams (Stimson Center’s Korea Program and 38 North) and Nick Roy (Silent Push) presented an interesting talk at THOTCON 0xD on a misconfigured DPRK server and the data they found. Cool to see everything that goes into getting online in DPRK and the tools used to do so. They posted their THOTCON slide deck at silibank.com/thotcon, which Nick apparently purchased after the domain was allowed to expire by DPRK entities.

Their NK Tech Lab site is a new center for investigation and analysis into how North Korea uses technology to serve and suppress its citizens.

Nktechlab.org
Silibank.com/thotcon

FTC Orders GoDaddy to Bolster its Security After Years of Attacks – Source: securityboulevard.com https://ciso2ciso.com/ftc-orders-godaddy-to-bolster-its-security-after-years-of-attacks-source-securityboulevard-com/ #FederalTradeCommission(FTC) #SecurityBoulevard(Original) #rssfeedpostgeneratorecho #ApplicationSecurity #ThreatIntelligence #CyberSecurityNews #SecurityBoulevard #Threats&Breaches #NetworkSecurity #Risk&Compliance #SocialFacebook #SocialLinkedIn #CloudSecurity #Cybersecurity #News

AIL 6.2 released - Smarter Analysis, Search and Enhanced User Experience

We’re excited to release AIL Framework v6.2, a major update with new features and improved performance. This version makes analysis easier and the overall experience faster and more user-friendly.

Among the highlights are a fully revamped search engine powered by MeiliSearch, improved language detection for short text, local AI-driven image descriptions, and a yara-hunting editor tool.

https://www.ail-project.org/blog/2025/05/28/AIL-v6.2.released/

Last week, Microsoft reported that their Digital Crimes Unit (DCU) and international partners disrupted Lumma Stealer by taking down 2,300 domains critical to the malware's operation. Shortly after, Palo Alto's Unit 42 reported about cyber campaigns that previously dropped Lumma Stealer are now distributing StealC infostealer payloads. We analyzed the DNS infrastructure related to the attacks and discovered a large number of malicious registered domain generation algorithm (RDGA) domains. Based on passive DNS, the threat actor that controls the infrastructure configured the domains to a staging environment via a dedicated Panama IP address (self-signed SSL) before deploying them. We identified 144 unique domains in this IP space, and all of them were detected as "suspicious" by our algorithms 1-2 months before they were activated for malicious activity.

Disrupting criminal operations is difficult and they will find ways to resurface. However, this example proves that blocking connections at the DNS level can often protect users against the new versions before they emerge. The infostealer actors made a quick turn, but we were already blocking their path. Our specialty is in DNS analytics, so we use DNS signatures, as opposed to malware signatures, for preemptive security. We love this stuff.

Here are some examples of the RDGA domains:
2323dot2[.]cfd, 2323dot2[.]cyou, 2323dot2[.]my, 232pip1[.]my, 232pip1[.]sbs, 832pip[.]cfd, 832pip[.]cyou, 832pip[.]my, 832pip[.]sbs, b3cloud[.]cfd, b3cloud[.]cyou, b3cloud[.]my, b3cloud[.]sbs, bin48[.]cfd, bin48[.]cyou, bin48[.]my, bin898293[.]cfd, bin898293[.]cyou, bin898293[.]my, bin898293[.]sbs, bit7dl[.]cfd, bit7dl[.]cyou, bit7dl[.]my, bit7dl[.]sbs, bot113cloud[.]cfd, bot113cloud[.]cyou, bot113cloud[.]my

These campaigns share similar TTPs with those that we reported several months ago. The threat actor that we discussed in this post (https://infosec.exchange/@InfobloxThreatIntel/114027715851469775) also distributed Lumma Stealer and used RDGA domains, but incorporated additional components, such as traffic distribution systems (TDS), web trackers, and cloakers.


#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #infostealer #lummastealer #stealc #tds #tracker #cloaker #rdga

CVE-2024-4367 (PDF.js) is gaining traction in some exploitation-focused Telegram channels...

https://vulnerability.circl.lu/cve/CVE-2024-4367

seen via @ail_project

Growing intersection of geopolitical conflicts and financial cybersecurity https://www.byteseu.com/1041346/ #cybersecurity #FinancialCrime #fintech #GeopoliticalCyberRisksToFinance #Geopolitics #ThreatIntelligence

Our latest blog is out! It covers a rising issue that many major organization experiences: Subdomain hijacking through abandoned cloud resources.

This research follows our reporting from earlier in the year about the CDC subdomain hijack. We initially assumed that this was an isolated incident. Well… We were wrong.

We tied some of this activity to a threat actor, dubbed Hazy Hawk, who hijacks high-profile subdomains which they use to conduct large-scale scams and malware distribution.

https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #HazyHawk

UK and allies expose Russian cyber campaign targeting Ukraine support operations https://www.byteseu.com/1033896/ #Cybercrime #cybersecurity #GreatBritain #hacking #Russia #ThreatIntelligence #UKGovernment #UKNCSC #Ukraine #UnitedKingdom

We implemented a major new feature in the AIL Project that addresses a long-standing issue related to the collection of images or screenshots that may be harmful to analysts (e.g., violent content, CSAM, etc.). The feature allows users to trigger the description of an image before actually viewing it.

The feature will be included in the upcoming release of AIL (version 6.2).

This work is co-funded in the AIPITCH project. We would like to thank Qwen for the open source Qwen2-VL vision-language models which provide an excellent basis for image detection and description while allowing local inferences.

@aipitch @circl @ail_project

What good threat intelligence looks like in practice https://www.helpnetsecurity.com/2025/05/21/anuj-goel-cyware-good-threat-intelligence/ #threatintelligence #cybersecurity #Don'tmiss #Features #Hotstuff #strategy #opinion #Cyware #News #CISO #tips