Last week, our International CyberSOC team detected a wave of #phishing emails sent to several customers in Germany 🇩🇪. Designed for Microsoft 365 credentials harvesting, the campaign relies on #bubbleapps subdomains spoofing company names.

Bubble[.]io is a no-code platform that lets users build full web applications through a visual editor instead of writing code. This platform has been regularly abused by threat actors to host phishing content 👾since at least 2020.

Upon investigation, the campaign also also targets English-speaking 🇬🇧 and Italian-speaking users 🇮🇹, with emails sent from compromised accounts.

🔎By pivoting on @urlscanio
, we suspect the campaign has been ongoing since at least 6 months.

A second stage URL redirects victims into a fake Microsoft sign-in page. This second URL' structure typically is:

online-app.*.info
login.*.it.com
processing.*.info
A search on Censys provides several IPs likely linked to this phishing cluster, all associated to AS199785.

🔗IoCs related to this campaign are available on our on our Datalake platform for our Managed Threat Intelligence clients:
https://datalake.cert.orangecyberdefense.com/gui/search?query_hash=fbf90e049b33f37bf6e259153e151034
🔗They are also available on our GitHub: https://github.com/cert-orangecyberdefense/cti/blob/main/bubbleapps%20phishing/iocs

#phishing

🔎Our CERT is releasing a new technical report on 🇰🇵 Operation #DreamJob, focusing on recent evolution in its tooling.
Following an IR engagement at a large manufacturing client based in 🇪🇺, we investigated artefacts we attribute to #UNC2970.

Our analysis covers updated #BURNBOOK and #MISTPEN variants, that feature slight changes in their main routines and C2 loop.
UNC2970 relied on compromised infrastructure on SharePoint and WordPress, aligning with previous findings.

➡️Full blog: https://ow.ly/V4mr50Xug1l

🎣🧀 Since early September 2025, the Orange Cyberdefense CSIRT and CyberSOC teams have detected phishing campaigns impersonating Meta, AppSheet and Paypal, leading to malware delivery. Our team tracks this activity under the alias "Metappenzeller".

✨ AppSheet is a Google platform that enables no-code development of mobile, tablet, and web applications. Knowbe4, RavenMail, and MalwareHunterTeam have also previously mentioned such campaigns. https://x.com/i/web/status/1965024327268766078 https://ravenmail.io/blog/appsheet-phishing-scam https://blog.knowbe4.com/impersonating-meta-powered-by-appsheet-a-rising-phishing-campaign-exploits-trusted-platforms-to-evade-detection

✉ The campaigns are initiated from the legitimate noreply[@]appsheet.com address and deliver various payloads, with lures targeting corporate sales, marketing, and legal teams. We advise to hunt for emails from this sender.

☣ The main lure deploys a full Python environment and runs a Python script to fetch the next stage from a remote C2. Then it opens a decoy file in Word. C2's are now inactive, but have been likewise tied to Pure malware family.

🔗 Related IoCs could be found on GitHub:
https://github.com/cert-orangecyberdefense/cti/blob/main/Metappenzeller/20250922-InitialReport.md

#metappenzeller #threatintel #cti

MintsLoader is a JavaScript/PowerShell loader that was first detailed by OCD in 2024.

A new version has been around at least since early-June 2025.

Historically, new MintsLoader JS samples were easy to find because the obfuscation strings consistently used text from the book Andrew Melville by William Morison: https://archive.org/details/cu31924029479098

The associated infrastructure could be tracked thanks to specific patterns and campaign IDs in the C2 URLs.

These detection opportunities were presented during the Botconf 2025: https://www.botconf.eu/wp-content/uploads/formidable/2/BOTCONF2025LT13-Simon-Vernin-Mintsloader.pdf

The new version has removed these notable behaviours and is seen in campaign with fake invoices lures.

New indicators of compromise (IoCs) are available on our GitHub : https://github.com/cert-orangecyberdefense/cti/blob/main/mintsloader/2025-07-04-IoCs.md

#MintsLoader #threatintel #cti

MintsLoader is a JavaScript/PowerShell loader that was first detailed by OCD in 2024.

A new version has been around at least since early-June 2025.

Historically, new MintsLoader JS samples were easy to find because the obfuscation strings consistently used text from the book Andrew Melville by William Morison: https://archive.org/details/cu31924029479098

The associated infrastructure could be tracked thanks to specific patterns and campaign IDs in the C2 URLs.

These detection opportunities were presented during the Botconf 2025: https://www.botconf.eu/wp-content/uploads/formidable/2/BOTCONF2025LT13-Simon-Vernin-Mintsloader.pdf

The new version has removed these notable behaviours and is seen in campaign with fake invoices lures.

New indicators of compromise (IoCs) are available on our GitHub : https://github.com/cert-orangecyberdefense/cti/blob/main/mintsloader/2025-07-04-IoCs.md

#MintsLoader #threatintel #cti

New Threat Intelligence Research Report: Malicious Campaign Impacting European Organizations 🚨

Orange Cyberdefense CERT just documented a sophisticated campaign distributing Sorillus RAT, likely operated by Brazilian threat actors. This cluster actively targets multiple European countries. The campaign employs invoice-themed phishing emails and leverages legitimate services like OneDrive and Ngrok to evade detection.

Stay informed and protect your organization.
👉 Learn more in our blog: https://www.orangecyberdefense.com/global/blog/cert-news/from-sambaspy-to-sorillus-dancing-through-a-multi-language-phishing-campaign-in-europe

#ThreatIntelligence #Malware #RAT #Phishing #Sorillus #CTI

✈👨‍💻 A massive scam campaign impersonating worldwide airline customer service has been running since at least mid-March 2025. Scammers are posting numerous comments or creating various profiles on highly ranked websites with fake customer support numbers to call to book flights.

☎🔎 The goal is likely to get the fake support number to appear in Google's summary answer. This technique is not new and has been documented before.

The creation process appears to be manual, as entries are generally created every minute or so, possibly by copy-pasting, and some profiles contain junk text similar to that generated by sliding fingers across a keyboard.

📖 Dozens of websites are implicated in this scheme, including big ones like: AlienVault or GoodReads.

Other abused websites include:
- Tidal: A music streaming platform where messages are displayed in the playlist description.
- Anime-Planet: A platform to share reviews on manga, where messages are pasted in the review section.

Some examples:
AienVaultOTX: https://otx.alienvault.com/user/rizbiliza/pulses
GoodReads: https://www.goodreads.com/quotes/tag/airlines-customer-phone

#cti #threatintel #airline #scam

🆕We publish today the result of a deep-dive investigation into a malicious campaign leveraging #ShadowPad and #PlugX to distribute a previously-undocumented ransomware, dubbed #NailaoLocker.
This campaign targeted 🇪🇺 organizations during S2 2024 and is tied to Chinese TA 🇨🇳.

➡️The full article on the Green Nailao cluster is available here: https://orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors

➡️IOCs and Yara can be found on our GitHub: https://github.com/cert-orangecyberdefense/cti/tree/main/green_nailao

✈👨‍💻 A massive scam campaign impersonating worldwide airline customer service has been running since at least mid-March 2025. Scammers are posting numerous comments or creating various profiles on highly ranked websites with fake customer support numbers to call to book flights.

☎🔎 The goal is likely to get the fake support number to appear in Google's summary answer. This technique is not new and has been documented before.

The creation process appears to be manual, as entries are generally created every minute or so, possibly by copy-pasting, and some profiles contain junk text similar to that generated by sliding fingers across a keyboard.

📖 Dozens of websites are implicated in this scheme, including big ones like: AlienVault or GoodReads.

Other abused websites include:
- Tidal: A music streaming platform where messages are displayed in the playlist description.
- Anime-Planet: A platform to share reviews on manga, where messages are pasted in the review section.

Some examples:
AienVaultOTX: https://otx.alienvault.com/user/rizbiliza/pulses
GoodReads: https://www.goodreads.com/quotes/tag/airlines-customer-phone

#cti #threatintel #airline #scam

🆕We publish today the result of a deep-dive investigation into a malicious campaign leveraging #ShadowPad and #PlugX to distribute a previously-undocumented ransomware, dubbed #NailaoLocker.
This campaign targeted 🇪🇺 organizations during S2 2024 and is tied to Chinese TA 🇨🇳.

➡️The full article on the Green Nailao cluster is available here: https://orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors

➡️IOCs and Yara can be found on our GitHub: https://github.com/cert-orangecyberdefense/cti/tree/main/green_nailao

Anyone watching our research outputs over the last while, you'll note that we've been thinking a lot about taxonomies or network diagrams.

Take a look at our Cybercrime Now ecosystem graph for example -

https://research.orangecyberdefense.com/now/

-

or explore our interactive report on how China unites state, corporate, and academic assets for cyber offensive campaigns -

https://research.cert.orangecyberdefense.com/hidden-network/map.html

We hope that both these outputs will educate and benefit you in your own work, but they also represent a milestone in our ongoing effort to understand and communicate the environments in which our adversaries, whether state-backed or criminal, operate.

With this in mind, I'm very interested to hear about any other research or outputs that have succeeding in creating or discussing useful taxonomies, ontologies or network graphs of crime or cybercrime ecosystems.

From conversations with the WEF ATLAS team, it's become apparent that we don't have the full view of relevant taxonomies or ontologies that might already be defined for this purpose, or indeed already be "out there" somewhere.

So... if you've seen other work like this somewhere else, or you know of standards for these kinds of taxonomies, or research on how they should be approached, we'd love to hear about it!

#CyberSecurity #CyberCrime #ThreatIntelligence #network