#CredentialHarvesting

2025-05-21

How Adversary Telegram Bots Help to Reveal Threats: Case Study

This analysis examines a phishing campaign targeting Italian and US users, focusing on credential harvesting for Microsoft services and Italy's PEC system. The attackers use Notion workspaces and other cloud platforms to host phishing pages, exfiltrating stolen data via Telegram bots. The campaign, active since 2022, employs simple techniques and off-the-shelf tools, suggesting either low technical expertise or a focus on access brokering. The study demonstrates how intercepting Telegram bot communications can aid in profiling threat actors and provides insights into the campaign's evolution, victimology, and attacker characteristics.

Pulse ID: 682e044167e773f503da5a37
Pulse Link: otx.alienvault.com/pulse/682e0
Pulse Author: AlienVault
Created: 2025-05-21 16:50:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CredentialHarvesting #CyberSecurity #ELF #ICS #InfoSec #Italian #Italy #Microsoft #OTX #OpenThreatExchange #Phishing #RAT #RCE #Telegram #bot #AlienVault

2025-05-16

Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait

An ongoing phishing campaign targeting Kuwait's fisheries, telecommunications, and insurance sectors has been identified, utilizing over 100 domains for credential harvesting. The operation, observed since early 2025, employs cloned login portals and impersonated web pages. The infrastructure shares operational fingerprints, including reused SSH authentication keys and consistent ASN usage, allowing related assets to be linked. The campaign primarily targets the National Fishing Company of Kuwait, automotive insurance sector, and Zain telecommunications. The actors use brand-inspired domain names and transliterations rather than direct typosquatting. Mobile payment lures targeting Zain customers have also been observed, potentially enabling further social engineering attacks.

Pulse ID: 682768bd8d85a5422eb7c475
Pulse Link: otx.alienvault.com/pulse/68276
Pulse Author: AlienVault
Created: 2025-05-16 16:33:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #RAT #SSH #SocialEngineering #Telecom #Telecommunication #TypoSquatting #bot #AlienVault

2025-05-14

TA406 Pivots to the Front

In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group utilized freemail senders impersonating think tank members to deliver both credential harvesting attempts and malware. Their tactics included using HTML and CHM files with embedded PowerShell for malware deployment, as well as fake Microsoft security alerts for credential theft. The malware conducted extensive reconnaissance on target hosts, gathering system information and checking for anti-virus tools. TA406's focus appears to be on collecting strategic, political intelligence to assess the ongoing conflict and potential risks to North Korean forces in the region.

Pulse ID: 6823b32f1fad0a568539c4c1
Pulse Link: otx.alienvault.com/pulse/6823b
Pulse Author: AlienVault
Created: 2025-05-13 21:01:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #Email #Government #HTML #ICS #InfoSec #Korea #Malware #Microsoft #NorthKorea #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #Russia #UK #Ukr #Ukrainian #bot #AlienVault

2025-05-08

Legitimate employee tracking software is being twisted into a spyware tool by cybercriminals. Imagine keystrokes and screenshots fueling elaborate ransomware attacks—how safe is your data?

thedefendopsdiaries.com/the-mi

#ransomware
#kickidler
#cybersecurity
#infosec
#credentialharvesting

2025-05-06

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multiple network segments. Key findings include the use of novel malware families like HanifNet and NeoExpressRAT, as well as extensive credential harvesting and lateral movement techniques. The intrusion demonstrated sophisticated evasion capabilities and targeted attempts to access operational technology networks. Forensic analysis revealed potential links to previously reported Iranian APT campaigns. The report provides detailed technical indicators and recommends enhanced logging, EDR deployment, and multi-factor authentication to defend against similar threats.

Pulse ID: 681a66fd8309a0fad22d97ae
Pulse Link: otx.alienvault.com/pulse/681a6
Pulse Author: AlienVault
Created: 2025-05-06 19:46:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #EDR #ICS #InfoSec #Iran #Malware #MiddleEast #OTX #OpenThreatExchange #OperationalTechnology #RAT #bot #AlienVault

Gareth Emslie 🇿🇦 🇪🇦 🇨🇭 keyoke_za@hachyderm.io
2022-12-30

Attackers are harvesting credentials from compromised systems. Here's how some commonly used tools can enable this. darkreading.com/dr-tech/extrac #CredentialHarvesting #CompromisedSystems #CommonTools #CyberSecurity

2020-09-11

APT28 Mounts Rapid, Large-Scale Theft of Office 365 Logins - The Russia-linked threat group is harvesting credentials for Microsoft's cloud offering, and targe... threatpost.com/apt28-theft-off #2020presidentialelection #credentialharvesting #passwordspraying #cloudsecurity #bruteforcing #websecurity #government #fancybear #microsoft #office365 #strontium #russia #sofacy #hacks #apt28

2020-08-18

AWS Cryptojacking Worm Spreads Through the Cloud - The malware harvests AWS credentials and installs Monero cryptominers. threatpost.com/aws-cryptojacki #credentialharvesting #amazonwebservices #cloudsecurity #cryptojacking #cadosecurity #cryptomining #malware #teamtnt #monero #worm #aws

2020-05-21

Crooks Tap Google Firebase in Fresh Phishing Tactic - Cybercriminals are taking advantage of the Google name and the cloud to convince victims into hand... more: threatpost.com/crooks-tap-goog #credentialharvesting #phishingcampaign #googlefirebase #cloudsecurity #websecurity #office365 #trustwave #cloud #email

2020-01-15

U.N. Weathers Storm of Emotet-TrickBot Malware - A concerted, targeted phishing campaign took aim at 600 different staffers and officials, using No... more: threatpost.com/un-weathers-emo #credentialharvesting #phishingattack #unitednations #websecurity #cyberattack #ransomware #trickbot #malware #cofense #emotet #norway #ryuk

2019-09-06

Back-to-School Scams Target Students with Library-Themed Emails - Students should keep their eyes peeled for phishing emails purporting to be from their colleges, a... more: threatpost.com/back-to-school- #mediagettorrentapplicationdownloader #win32.agent.ifdxmalwaredownloader #winlnk.agent.gendownloader #credentialharvesting #educationcyberattack #universityportals #fakeloginpages #libraryportals #backtoschool #websecurity #phishing #students
