Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
INDICATORS OF COMPROMISE (IOC) InfoSec Community within the Fediverse. Newbies, experts, gurus - Everyone is Welcome! Instance is supposed to be fast and secure.

Administered by:

Server stats:

1.3K
active users

ioc.exchange: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

Just Another Blue Teamer

Good day everyone, new Blizzard has dropped!

Microsoft's Threat Intelligence shares their research on a Russian state actor dubbed ! Part of the GRU, they specialize in operations from espionage to information operation and cyber-enabled disruptions which have resulted in destructive attacks and manipulation of ICS. They have leveraged different types of malware to include , , and .

Behavior Summary (With MITRE ATT&CK):
Initial Access - TA0001:
Exploit Public-Facing Application - T1190
Seashell Blizzard commonly exploited vulnerable public facing infrastructure.

Persistence - TA0003:
Create or Modify System Process: Windows Service - T1543.003 -
Among other means of persistence, Seashell Blizzard created a system service.

Execution - TA0002:
Command and Scripting Interpreter: PowerShell - T1059.001
Command and Scripting Interpreter: Windows Command Shell - T1059.003
Seashell Blizzard abused both of these living off the land binaries for multiple reasons and using multiple different parameters.

As always, there is WAAAAY too many technical details here, so go check it out yourself! Enjoy the read and Happy Hunting!

The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
microsoft.com/en-us/security/b

Intel 471 Cyborg Security, Now Part of Intel 471

Microsoft Security Blog · The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation | Microsoft Security BlogMicrosoft is publishing for the first time our research into a subgroup within the Russian state actor Seashell Blizzard and its multiyear initial access operation, tracked by Microsoft Threat Intelligence as the “BadPilot campaign”. This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations.
Feb 13, 2025, 04:56 PM·Public·Web
3boosts·1favorite
Public
Just Another Blue Teamer

And, if you are taking this wonderful intel and using it to threat hunt, why not let us help you! Check out this Community Hunt Package that helps identify when AnyDesk is executed from an abnormal folder. Yes it wasn't mentioned in the article, but there are PLENTY of examples of this abuse in many other articles! Enjoy and Happy Hunting!

AnyDesk Execution from Abnormal Folder - Potential Malicious Use of RMM Tool
hunter.cyborgsecurity.io/resea

hunter.cyborgsecurity.ioIntel 471 | HUNTER
#huntoftheday#gethunting
ExploreLive feeds
About