ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
INDICATORS OF COMPROMISE (IOC) InfoSec Community within the Fediverse. Newbies, experts, gurus - Everyone is Welcome! Instance is supposed to be fast and secure.

Administered by:

Server stats:

1.3K
active users

#ics

18 posts9 participants2 posts today
OTX Bot<p>Global Botnet Targets Outdated VoIP Devices With Telnet</p><p>Security researchers have uncovered a global botnet campaign targeting VoIP-<br>enabled routers that are configured with default or weak Telnet passwords. This</p><p>botnet exhibits characteristics similar to the Mirai botnet. It was initially detected<br>in rural New Mexico and later traced to over 500 infected systems worldwide.<br>The threat highlights how exposed and poorly secured VoIP infrastructure is being<br>exploited to power large-scale botnets. Organizations that rely on VoIP technology<br>especially utilities and ISPs face an immediate risk if their devices are internet<br>facing and not properly secured.</p><p>Pulse ID: 68849f774a7bb224bf2cf18c<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/68849f774a7bb224bf2cf18c" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/68849</span><span class="invisible">f774a7bb224bf2cf18c</span></a> <br>Pulse Author: cryptocti<br>Created: 2025-07-26 09:27:19</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Mexico" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mexico</span></a> <a href="https://social.raytec.co/tags/Mirai" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mirai</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Password</span></a> <a href="https://social.raytec.co/tags/Passwords" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passwords</span></a> <a href="https://social.raytec.co/tags/Telnet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Telnet</span></a> <a href="https://social.raytec.co/tags/Word" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Word</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/botnet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>botnet</span></a> <a href="https://social.raytec.co/tags/cryptocti" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptocti</span></a></p>
Pyrzout :vm:<p>New York Seeking Public Opinion on Water Systems Cyber Regulations – Source: www.securityweek.com <a href="https://ciso2ciso.com/new-york-seeking-public-opinion-on-water-systems-cyber-regulations-source-www-securityweek-com/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ciso2ciso.com/new-york-seeking</span><span class="invisible">-public-opinion-on-water-systems-cyber-regulations-source-www-securityweek-com/</span></a> <a href="https://social.skynetcloud.site/tags/rssfeedpostgeneratorecho" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>rssfeedpostgeneratorecho</span></a> <a href="https://social.skynetcloud.site/tags/CyberSecurityNews" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurityNews</span></a> <a href="https://social.skynetcloud.site/tags/GovernmentPolicy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GovernmentPolicy</span></a> <a href="https://social.skynetcloud.site/tags/securityweekcom" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>securityweekcom</span></a> <a href="https://social.skynetcloud.site/tags/securityweek" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>securityweek</span></a> <a href="https://social.skynetcloud.site/tags/NewYork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NewYork</span></a> <a href="https://social.skynetcloud.site/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a>/OT <a href="https://social.skynetcloud.site/tags/Water" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Water</span></a> <a href="https://social.skynetcloud.site/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.skynetcloud.site/tags/OT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OT</span></a></p>
OTX Bot<p>Gunra Ransomware Emerges with Streamlined Attacks and Time Pressured Extortion</p><p>Gunra is a recently emerged ransomware group first observed in April 2025, known for establishing its own Dedicated Leak Site (DLS) and employing sophisticated extortion tactics</p><p>Pulse ID: 6883b3109e67f4ec5e7762a4<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/6883b3109e67f4ec5e7762a4" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/6883b</span><span class="invisible">3109e67f4ec5e7762a4</span></a> <br>Pulse Author: cryptocti<br>Created: 2025-07-25 16:38:40</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Extortion" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Extortion</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RansomWare" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RansomWare</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/cryptocti" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptocti</span></a></p>
OTX Bot<p>Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware</p><p>A new Epsilon Red ransomware campaign has been discovered targeting users globally through fake ClickFix verification pages. Active since July 2025, the threat actors employ social engineering tactics and impersonate popular platforms like Discord, Twitch, and OnlyFans to trick users into executing malicious .HTA files via ActiveX. This method leads to silent payload downloads and ransomware deployment. The campaign uses a Clickfix-themed malware delivery site, urging victims to visit a secondary page where malicious shell commands are executed. The attackers also impersonate various streaming services and use romance-themed lures. Epsilon Red, first observed in 2021, shows some similarities to REvil ransomware in its ransom note styling but appears distinct in its tactics and infrastructure.</p><p>Pulse ID: 68835c6e2b2796aec0bd0a60<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/68835c6e2b2796aec0bd0a60" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/68835</span><span class="invisible">c6e2b2796aec0bd0a60</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-07-25 10:29:02</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Discord" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Discord</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/REvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>REvil</span></a> <a href="https://social.raytec.co/tags/RansomWare" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RansomWare</span></a> <a href="https://social.raytec.co/tags/SocialEngineering" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SocialEngineering</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>Android Malware Posing As Indian Bank Apps</p><p>This report analyzes a sophisticated Android malware targeting Indian banking apps. The malware uses a dropper and main payload structure, leveraging permissions like SMS access and silent installation to steal credentials, intercept messages, and perform unauthorized financial activities. It employs Firebase for command and control, phishing pages to mimic banking interfaces, and techniques like call forwarding abuse. The malware's modular architecture, evasion tactics, and persistence mechanisms pose significant threats to mobile banking security. Distribution methods include smishing, fake websites, and malvertising. The report provides detailed static and dynamic analysis, highlighting the malware's capabilities in data exfiltration, debit card harvesting, and remote command execution.</p><p>Pulse ID: 68835c6fda683e2a665d5722<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/68835c6fda683e2a665d5722" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/68835</span><span class="invisible">c6fda683e2a665d5722</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-07-25 10:29:03</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/Android" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Android</span></a> <a href="https://social.raytec.co/tags/Bank" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Bank</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/India" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>India</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Malvertising" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malvertising</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/Mimic" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mimic</span></a> <a href="https://social.raytec.co/tags/MobileBanking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MobileBanking</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/RCE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RCE</span></a> <a href="https://social.raytec.co/tags/RemoteCommandExecution" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RemoteCommandExecution</span></a> <a href="https://social.raytec.co/tags/SMS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SMS</span></a> <a href="https://social.raytec.co/tags/Smishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Smishing</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>Gunra Ransomware Emerges with New DLS</p><p>A new ransomware group called Gunra has emerged with a Dedicated Leak Site (DLS) in April 2025. Gunra's code shows similarities to the infamous Conti ransomware, suggesting it may be leveraging Conti's leaked source code. The group employs aggressive tactics, including a time-based pressure technique that forces victims to begin negotiations within five days. Gunra ransomware encrypts files using a combination of RSA and ChaCha20 algorithms, excludes certain folders and file types from encryption, and drops a ransom note named 'R3ADM3.txt'. The ransomware also deletes volume shadow copies to hinder recovery efforts. As the threat of DLS ransomware grows, organizations are advised to implement robust security measures, including regular updates, backups, and user education.</p><p>Pulse ID: 688219586599cc75ec92a318<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/688219586599cc75ec92a318" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/68821</span><span class="invisible">9586599cc75ec92a318</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-07-24 11:30:32</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/ChaCha20" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ChaCha20</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Education" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Education</span></a> <a href="https://social.raytec.co/tags/Encryption" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Encryption</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RCE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RCE</span></a> <a href="https://social.raytec.co/tags/RansomWare" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RansomWare</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
Pyrzout :vm:<p>New York Seeking Public Opinion on Water Systems Cyber Regulations <a href="https://www.securityweek.com/new-york-seeking-public-opinion-on-water-systems-cyber-regulations/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">securityweek.com/new-york-seek</span><span class="invisible">ing-public-opinion-on-water-systems-cyber-regulations/</span></a> <a href="https://social.skynetcloud.site/tags/GovernmentPolicy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GovernmentPolicy</span></a> <a href="https://social.skynetcloud.site/tags/NewYork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NewYork</span></a> <a href="https://social.skynetcloud.site/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a>/OT <a href="https://social.skynetcloud.site/tags/Water" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Water</span></a> <a href="https://social.skynetcloud.site/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.skynetcloud.site/tags/OT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OT</span></a></p>
Pyrzout :vm:<p>New York Seeking Public Opinion on Water Systems Cyber Regulations <a href="https://www.securityweek.com/new-york-seeking-public-opinion-on-water-systems-cyber-regulations/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">securityweek.com/new-york-seek</span><span class="invisible">ing-public-opinion-on-water-systems-cyber-regulations/</span></a> <a href="https://social.skynetcloud.site/tags/GovernmentPolicy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GovernmentPolicy</span></a> <a href="https://social.skynetcloud.site/tags/NewYork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NewYork</span></a> <a href="https://social.skynetcloud.site/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a>/OT <a href="https://social.skynetcloud.site/tags/Water" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Water</span></a> <a href="https://social.skynetcloud.site/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.skynetcloud.site/tags/OT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OT</span></a></p>
OTX Bot<p>A Special Mission to Nowhere</p><p>A phishing campaign exploiting the aftermath of a military conflict between Israel and Iran has been identified. The scam, using a fake domain 'lineageembraer.online', offers evacuation flights from Tel Aviv to New York on an Embraer Lineage 1000E business jet. The website presents unrealistic pricing and logistical details, aiming to steal personal and financial information from individuals seeking to flee the region. The operation uses fear and urgency tactics, offering seats at $2,166 USD, significantly below market rates for similar flights. The scheme involves a PDF with instructions hosted on a Shopify CDN, raising further suspicions. The campaign demonstrates how threat actors exploit crisis situations to target vulnerable individuals.</p><p>Pulse ID: 688170c858d6ec95b6843096<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/688170c858d6ec95b6843096" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/68817</span><span class="invisible">0c858d6ec95b6843096</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-07-23 23:31:20</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CDN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CDN</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Iran" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Iran</span></a> <a href="https://social.raytec.co/tags/Israel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Israel</span></a> <a href="https://social.raytec.co/tags/Military" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Military</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/PDF" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PDF</span></a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>Operation Cargotalon: Targeting Russian Aerospace Defense Using Eaglet Implant</p><p>UNG0901, a threat group targeting Russian aerospace and defense sectors, has been discovered conducting a spear-phishing campaign against the Voronezh Aircraft Production Association. The operation, dubbed 'CargoTalon', utilizes a custom DLL implant called EAGLET, which is disguised as a ZIP file containing transport documents. The infection chain involves a malicious LNK file that executes the EAGLET implant, which then establishes communication with a command-and-control server for remote access and data exfiltration. The campaign employs sophisticated tactics, including decoy documents related to Russian logistics operations, and shows similarities with another threat group known as Head Mare. The attackers' motivation appears to be espionage against Russian governmental and non-governmental entities.</p><p>Pulse ID: 6881c978dd5260be2347dcb4<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/6881c978dd5260be2347dcb4" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/6881c</span><span class="invisible">978dd5260be2347dcb4</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-07-24 05:49:44</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Espionage" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Espionage</span></a> <a href="https://social.raytec.co/tags/Government" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Government</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/LNK" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LNK</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/Russia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Russia</span></a> <a href="https://social.raytec.co/tags/SpearPhishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SpearPhishing</span></a> <a href="https://social.raytec.co/tags/ZIP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ZIP</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>Illusory Wishes: China-nexus APT Targets the Tibetan Community</p><p>Two cyberattack campaigns, Operation GhostChat and Operation PhantomPrayers, targeted the Tibetan community in June 2025, coinciding with the Dalai Lama's 90th birthday. These attacks involved strategic web compromises, DLL sideloading, and multi-stage infection chains to deploy Ghost RAT and PhantomNet backdoors. The attackers used social engineering tactics, impersonating legitimate platforms and leveraging culturally significant events to lure victims. Both campaigns employed sophisticated evasion techniques, including code injection and API hook bypassing. The attacks are attributed to China-nexus APT groups based on victimology, malware used, and employed tactics. The campaigns highlight the ongoing cyber threats faced by the Tibetan community and the evolving tactics of state-sponsored threat actors.</p><p>Pulse ID: 688102de8dd7f5be86b60306<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/688102de8dd7f5be86b60306" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/68810</span><span class="invisible">2de8dd7f5be86b60306</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-07-23 15:42:22</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/BackDoor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BackDoor</span></a> <a href="https://social.raytec.co/tags/China" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>China</span></a> <a href="https://social.raytec.co/tags/CodeInjection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CodeInjection</span></a> <a href="https://social.raytec.co/tags/CyberAttack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberAttack</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/SideLoading" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SideLoading</span></a> <a href="https://social.raytec.co/tags/SocialEngineering" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SocialEngineering</span></a> <a href="https://social.raytec.co/tags/Tibet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Tibet</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>Back to Business: Lumma Stealer Returns with Stealthier Methods</p><p>Lumma Stealer, an information-stealing malware, has resurfaced shortly after its takedown in May 2025. The cybercriminals behind it are now employing more covert tactics and expanding their reach. The malware is being distributed through discreet channels and uses stealthier evasion techniques. Lumma Stealer can steal sensitive data such as credentials and private files, and is marketed as a malware-as-a-service. Users are lured to download it through fake cracked software, deceptive websites, and social media posts. The malware's infrastructure has been diversified, with a shift towards using Russian-based cloud services. Recent campaigns include fake crack downloads, ClickFix campaigns using fake CAPTCHA pages, GitHub repository abuse, and social media promotions.</p><p>Pulse ID: 688096076e36d7d6fea700fa<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/688096076e36d7d6fea700fa" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/68809</span><span class="invisible">6076e36d7d6fea700fa</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-07-23 07:57:59</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CAPTCHA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CAPTCHA</span></a> <a href="https://social.raytec.co/tags/Cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cloud</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/GitHub" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GitHub</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/LummaStealer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LummaStealer</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/MalwareAsAService" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MalwareAsAService</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Russia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Russia</span></a> <a href="https://social.raytec.co/tags/SocialMedia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SocialMedia</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods</p><p>This intelligence analysis examines a widespread Request for Quote (RFQ) scam that exploits Net financing options to steal high-value electronics and goods. The scammers pose as procurement agents for legitimate companies, using stolen information and lookalike domains to appear credible. They request quotes for specific items and inquire about Net 15/30/45-day financing. Once credit is approved, they provide shipping addresses, often using freight forwarding services or residential addresses. The scammers utilize a network of shipping services, warehouses, and money mules to facilitate their operations. Key characteristics of the scam include urgent financing requests, suspicious delivery addresses, and the use of free email accounts. Mitigation efforts included domain takedowns and intercepting fraudulent shipments.</p><p>Pulse ID: 6880970dcf6caa73c7a79b70<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/6880970dcf6caa73c7a79b70" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/68809</span><span class="invisible">70dcf6caa73c7a79b70</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-07-23 08:02:21</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Email</span></a> <a href="https://social.raytec.co/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/RCE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RCE</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
Pyrzout :vm:<p>Vulnerabilities Expose Helmholz Industrial Routers to Hacking <a href="https://www.securityweek.com/vulnerabilities-expose-helmholz-industrial-routers-to-hacking/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">securityweek.com/vulnerabiliti</span><span class="invisible">es-expose-helmholz-industrial-routers-to-hacking/</span></a> <a href="https://social.skynetcloud.site/tags/industrialrouter" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>industrialrouter</span></a> <a href="https://social.skynetcloud.site/tags/Vulnerabilities" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vulnerabilities</span></a> <a href="https://social.skynetcloud.site/tags/vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>vulnerability</span></a> <a href="https://social.skynetcloud.site/tags/Helmholz" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Helmholz</span></a> <a href="https://social.skynetcloud.site/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a>/OT <a href="https://social.skynetcloud.site/tags/router" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>router</span></a> <a href="https://social.skynetcloud.site/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.skynetcloud.site/tags/OT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OT</span></a></p>
Pyrzout :vm:<p>Vulnerabilities Expose Helmholz Industrial Routers to Hacking <a href="https://www.securityweek.com/vulnerabilities-expose-helmholz-industrial-routers-to-hacking/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">securityweek.com/vulnerabiliti</span><span class="invisible">es-expose-helmholz-industrial-routers-to-hacking/</span></a> <a href="https://social.skynetcloud.site/tags/industrialrouter" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>industrialrouter</span></a> <a href="https://social.skynetcloud.site/tags/Vulnerabilities" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vulnerabilities</span></a> <a href="https://social.skynetcloud.site/tags/vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>vulnerability</span></a> <a href="https://social.skynetcloud.site/tags/Helmholz" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Helmholz</span></a> <a href="https://social.skynetcloud.site/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a>/OT <a href="https://social.skynetcloud.site/tags/router" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>router</span></a> <a href="https://social.skynetcloud.site/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://social.skynetcloud.site/tags/OT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OT</span></a></p>

Malware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities

The article details malware and tactics used in attacks targeting Ivanti Connect Secure vulnerabilities from December 2024 to July 2025. It describes MDifyLoader, a loader based on libPeConv, which deploys Cobalt Strike Beacon through DLL side-loading. The attackers also utilized vshell, a multi-platform RAT, and Fscan, a network scanning tool. After gaining initial access, the threat actors performed lateral movement using brute-force attacks, exploited vulnerabilities, and used stolen credentials. They established persistence by creating domain accounts and registering malware as services or scheduled tasks. The attackers employed various evasion techniques, including the use of legitimate files and ETW bypasses.

Pulse ID: 6879f8b560d48aaf15291507
Pulse Link: otx.alienvault.com/pulse/6879f
Pulse Author: AlienVault
Created: 2025-07-18 07:33:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat ExchangeLevelBlue - Open Threat ExchangeLearn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Chinese Mobile Forensic Tooling Discovered

Lookout Threat Lab has uncovered a mobile forensics application called Massistant, used by Chinese law enforcement to extract extensive data from mobile devices. Believed to be the successor of MFSocket, Massistant requires physical access to install and is not distributed through official app stores. It collects sensitive information including GPS data, SMS messages, images, audio, contacts, and phone services. The tool is associated with Xiamen Meiya Pico Information Co., Ltd., a Chinese technology company controlling a significant portion of China's digital forensics market. Massistant introduces new features like Accessibility Services to bypass device security prompts and support for additional messaging apps. The discovery raises concerns about data privacy for travelers to China, as law enforcement can potentially access and analyze confiscated devices without a warrant.

Pulse ID: 6879f93b6deb93df0f1e6c0c
Pulse Link: otx.alienvault.com/pulse/6879f
Pulse Author: AlienVault
Created: 2025-07-18 07:35:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat ExchangeLevelBlue - Open Threat ExchangeLearn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

KAWA4096’s Ransomware Tide: Rising Threat With Borrowed Styles

KAWA4096, a new ransomware that emerged in June 2025, has claimed at least 11 victims, primarily targeting the United States and Japan. The malware features a leak site mimicking the Akira ransomware group's style and a ransom note format similar to Qilin's. KAWA4096 employs multithreading, semaphores for synchronization, and can encrypt files on shared network drives. It terminates specific services and processes, deletes shadow copies, and utilizes a configuration loaded from its binary. The ransomware's encryption process involves file scanning, skipping certain files and directories, and using a shared queue for efficient processing. It also changes file icons and can modify the desktop wallpaper. The group's tactics appear to be aimed at boosting visibility and credibility by imitating established ransomware operations.

Pulse ID: 6879f992f53c24606746d8de
Pulse Link: otx.alienvault.com/pulse/6879f
Pulse Author: AlienVault
Created: 2025-07-18 07:36:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat ExchangeLevelBlue - Open Threat ExchangeLearn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.