#ICS

2026-01-27

This is the first known attack on DERs. Attackers compromised RTUs at 30 different sites. The report has an overview, defensive guidance, and a comparison to past ELECTRUM ops.
Hats off to CERT Polska for leading the charge, and kudos to our Intel team for the hard work.

hubs.la/Q040Bwpg0

#ICS #otsecurity

2026-01-27

Pivoting From PayTool: Tracking Various Frauds and E-Crime Targeting Canada

This investigation exposes a complex fraud ecosystem targeting Canadians through impersonation of government services and trusted brands. Attackers exploit digital dependencies for transportation, taxation, parcel delivery, and travel using convincing campaigns. The activity is linked to the 'PayTool' phishing framework, specializing in traffic violation scams. Additional infrastructure impersonates Canada Revenue Agency, Air Canada, and Canada Post. Threat actors commercialize these campaigns on underground forums, selling phishing kits mimicking official services. Victims are lured via SMS and malicious ads, using high-pressure tactics. The infrastructure employs fake validation phases and fraudulent payment gateways to harvest personal and financial data. The campaign's scope spans multiple provinces, utilizing shared hosting and domain generation patterns for scalability.

Pulse ID: 6978b796c0f9d8f3a59e0a34
Pulse Link: otx.alienvault.com/pulse/6978b
Pulse Author: AlienVault
Created: 2026-01-27 13:03:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Canada #Canadian #CyberSecurity #FinancialData #Government #ICS #InfoSec #MaliciousAds #Mimic #OTX #OpenThreatExchange #Phishing #RAT #RCE #Rust #SMS #bot #AlienVault

CyberNetsecIOnetsecio
2026-01-26

📰 Nation-State Actor 'SteelHydra' (APT47) Deploys 'GeoShifter' ICS Malware to Spy on Geothermal Energy Firms

Nation-state actor 'SteelHydra' (APT47) targets geothermal energy firms with new 'GeoShifter' ICS malware. The campaign uses spear-phishing to steal sensitive operational technology data from companies in the US, Canada, and Iceland. 🏭 ...

🔗 cyber.netsecops.io/articles/ap

2026-01-26

Chrome Extensions: Are you getting more than you bargained for?

This analysis reveals the hidden dangers of certain Chrome extensions available on the Google Chrome Web Store. Despite the store's vetting process, some malicious extensions have slipped through, compromising user security. The study examines four examples of extensions with combined user bases exceeding 100,000, showcasing various security risks. These include undisclosed clipboard access to remote domains, data exfiltration, remote code execution capabilities, search hijacking, and cross-site scripting vulnerabilities. The extensions employ tactics such as command-and-control infrastructure with domain generation algorithms, user tracking, and brand impersonation. The research emphasizes the importance of caution when installing browser extensions, even from trusted sources, and recommends immediate uninstallation of the identified malicious extensions.

Pulse ID: 69778aef872cffc134e67ace
Pulse Link: otx.alienvault.com/pulse/69778
Pulse Author: AlienVault
Created: 2026-01-26 15:40:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Chrome #ChromeExtension #Clipboard #CyberSecurity #Google #ICS #InfoSec #OTX #OpenThreatExchange #RAT #RCE #RemoteCodeExecution #Rust #bot #AlienVault

2026-01-26

Hackers Use ‘rn’ Typo Trick to Impersonate Microsoft and Marriott in New Phishing Attack

A sophisticated phishing campaign is targeting customers of Marriott International and Microsoft, using a typo trick that mimics the company’s official logo and layout, according to security firm Netcraft.

Pulse ID: 69776bd5e5c5a64b0cbddf28
Pulse Link: otx.alienvault.com/pulse/69776
Pulse Author: CyberHunter_NL
Created: 2026-01-26 13:27:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #IoT #Microsoft #Mimic #OTX #OpenThreatExchange #Phishing #bot #CyberHunter_NL

2026-01-26

MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users

An active infostealer campaign is targeting macOS and Windows users across various sectors. The threat actors are using SEO poisoning to direct victims to fake GitHub repositories impersonating legitimate tools like PagerDuty. The campaign involves over 20 malicious repositories active since September 2025. The attack flow begins with a Google search, leading to a fraudulent GitHub repository, then to a GitHub Pages site with a deceptive command. This command deploys the MacSync stealer in three stages: a loader, a dropper, and the final payload. MacSync aggressively harvests credentials from browsers, cloud services, and cryptocurrency wallets. The campaign's scale includes 39 identified malicious repositories, with 24 still active as of January 2026. Evasion tactics include using 'readme-only' repositories and distributed identities.

Pulse ID: 69772ba9dd9a67872ce009f7
Pulse Link: otx.alienvault.com/pulse/69772
Pulse Author: AlienVault
Created: 2026-01-26 08:54:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #GitHub #Google #ICS #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #SEOPoisoning #Windows #bot #cryptocurrency #AlienVault

2026-01-23

Sandworm behind cyberattack on Poland's power grid in late 2025

In late 2025, Poland's energy system was targeted by a major cyberattack, now attributed to the Russia-aligned APT group Sandworm by ESET Research. The attack involved data-wiping malware named DynoWiper, detected as Win32/KillFiles.NMO. While the full impact is still under investigation, researchers noted the attack's timing coincided with the 10th anniversary of Sandworm's 2015 attack on Ukraine's power grid. Sandworm continues to target critical infrastructure, particularly in Ukraine, with regular wiper attacks. The group's history of disruptive cyberattacks and the similarities in tactics, techniques, and procedures led to a medium-confidence attribution of this latest incident to Sandworm.

Pulse ID: 6973fa6df457081a422f550e
Pulse Link: otx.alienvault.com/pulse/6973f
Pulse Author: AlienVault
Created: 2026-01-23 22:47:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberAttack #CyberAttacks #CyberSecurity #ESET #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Poland #RAT #Russia #Sandworm #UK #Ukr #Ukraine #Worm #bot #AlienVault

2026-01-22

December 2025 Security Issues in Korean & Global Financial Sector

This comprehensive analysis covers cyber threats and security issues in the financial industry, both in Korea and globally. It examines malware and phishing cases, lists top malware strains, and provides statistics on leaked Korean accounts. Key issues on the deep and dark web are highlighted, including a major database leak from Indonesia's largest bank, exposing sensitive financial data of approximately 3 million customers. A ransomware attack on a leading African financial services company by INC Ransom group is also detailed, with 100GB of data reportedly stolen. The report emphasizes the potential for widespread damage and chain attacks, urging proactive measures among financial institutions and related companies.

Pulse ID: 697222dd78fee9a83bbaf37d
Pulse Link: otx.alienvault.com/pulse/69722
Pulse Author: AlienVault
Created: 2026-01-22 13:15:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Africa #Bank #CyberSecurity #FinancialData #ICS #Indonesia #InfoSec #Korea #Malware #OTX #OpenThreatExchange #Phishing #RansomWare #bot #AlienVault

2026-01-22

KONNI Adopts AI to Generate PowerShell Backdoors

A North Korea-linked threat actor known as KONNI has been observed conducting a phishing campaign targeting software developers and engineering teams, particularly those with blockchain expertise. The campaign uses AI-generated PowerShell backdoors and targets a broader range of countries in the APAC region. The infection chain begins with a Discord-hosted link downloading a ZIP archive containing a PDF lure and a malicious LNK file. The LNK file deploys additional components, including the AI-generated PowerShell backdoor. The backdoor employs various anti-analysis techniques and establishes persistence through scheduled tasks. This campaign demonstrates KONNI's evolution in tactics and tooling, including the adoption of AI-assisted malware development.

Pulse ID: 69726ae65cfcf0a192c03c35
Pulse Link: otx.alienvault.com/pulse/69726
Pulse Author: AlienVault
Created: 2026-01-22 18:22:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APAC #BackDoor #BlockChain #CyberSecurity #Discord #ICS #InfoSec #Konni #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #PDF #Phishing #PowerShell #RAT #ZIP #bot #developers #AlienVault

2026-01-21

Threat Actors Expand Abuse of Microsoft Visual Studio Code

North Korean threat actors have evolved their techniques in the Contagious Interview campaign, now abusing Microsoft Visual Studio Code task configuration files. The infection chain begins when a victim opens a malicious Git repository, often disguised as part of a recruitment process. If trust is granted, arbitrary commands are executed on the system. The malware uses JavaScript payloads hosted on vercel.app to implement backdoor logic, including remote code execution, system fingerprinting, and persistent command-and-control communication. The backdoor collects host information and beacons to a C2 server every five seconds. Recent observations show further execution of similar payloads, indicating ongoing development of these tactics.

Pulse ID: 6970c8be406455823a3d9652
Pulse Link: otx.alienvault.com/pulse/6970c
Pulse Author: AlienVault
Created: 2026-01-21 12:38:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #ICS #InfoSec #Java #JavaScript #Korea #Malware #Microsoft #NorthKorea #OTX #OpenThreatExchange #RAT #RCE #RemoteCodeExecution #Rust #bot #AlienVault

2026-01-21

PurpleBravo’s Targeting of the IT Software Supply Chain

PurpleBravo, a North Korean state-sponsored threat group, targets software developers through fake recruitment efforts, particularly in cryptocurrency and software development sectors. Their toolkit includes BeaverTail, PyLangGhost, and GolangGhost, designed for stealing browser credentials and cryptocurrency information. The group has affected 3,136 IP addresses, mainly in South Asia and North America, compromising 20 organizations across various industries. PurpleBravo's tactics include using fictitious personas, malicious GitHub repositories, and sophisticated malware to infiltrate IT services companies, posing a significant supply-chain risk. The group shows overlap with PurpleDelta, another North Korean threat actor, sharing infrastructure and operational patterns. PurpleBravo's focus on the IT sector in South Asia presents an overlooked threat to organizations outsourcing IT services.

Pulse ID: 6971529d93b2db0678d1b8cc
Pulse Link: otx.alienvault.com/pulse/69715
Pulse Author: AlienVault
Created: 2026-01-21 22:26:37

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #Browser #CyberSecurity #GitHub #Golang #ICS #InfoSec #Korea #Malware #NorthAmerica #NorthKorea #OTX #OpenThreatExchange #RAT #SouthAsia #SupplyChain #bot #cryptocurrency #developers #AlienVault

CyberNetsecIOnetsecio
2026-01-20

📰 Threat Landscape Converges as Attackers Target ICS and AI Systems

New research from Cyble shows a dangerous convergence: hacktivists and cybercriminals are now targeting both ICS/OT and enterprise AI systems. Attackers are using AI to create more complex, adaptive threats. 🤖🏭

🔗 cyber.netsecops.io/articles/ha

2026-01-20

#1 OT/ICS CYBERSECURITY TRAINING IN DELHI NCR AND IN INDIA

Visit: www.theevolvedge.com
Mail: info@theevolvedge.com
Phone: +917982403420, +919311805027

2026-01-19

Dissecting CrashFix: A New Toy

KongTuke, a threat actor tracked since 2025, has launched a new campaign using a malicious browser extension called NexShield that impersonates uBlock Origin Lite. The extension causes browser crashes and displays fake security warnings to trick users into executing malicious commands. The campaign targets both home and corporate users, with domain-joined machines receiving a more sophisticated Python-based RAT named ModeloRAT. The attack chain involves multiple stages of obfuscation, anti-analysis techniques, and a Domain Generation Algorithm (DGA) for C2 communication. KongTuke employs extensive fingerprinting to avoid detection in analysis environments. The campaign demonstrates evolving social engineering tactics and a focus on infiltrating enterprise networks for potential lateral movement and data exfiltration.

Pulse ID: 696b8bd510774c3939103737
Pulse Link: otx.alienvault.com/pulse/696b8
Pulse Author: AlienVault
Created: 2026-01-17 13:17:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #ICS #InfoSec #Mac #OTX #OpenThreatExchange #Python #RAT #SocialEngineering #UK #bot #AlienVault

2026-01-19

Operation Poseidon: Spear-Phishing Attacks Abusing Google Ads Redirection Mechanisms

Operation Poseidon is a sophisticated spear-phishing campaign attributed to the Konni APT group. The attackers exploit Google Ads redirection mechanisms to bypass security filters and user awareness. They compromise poorly secured WordPress sites for malware distribution and C2 infrastructure. The campaign uses social engineering tactics, impersonating North Korean human rights organizations and financial institutions. Malware is delivered through LNK files disguised as PDF documents, executing AutoIt scripts that load EndRAT variants. The attackers employ advanced evasion techniques, including email content padding and abuse of legitimate advertising URLs. The campaign demonstrates evolving tactics and infrastructure reuse consistent with previous Konni activities.

Pulse ID: 696d289962926b96a6584416
Pulse Link: otx.alienvault.com/pulse/696d2
Pulse Author: AlienVault
Created: 2026-01-18 18:38:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Autoit #CyberSecurity #DRat #Email #Google #GoogleAds #ICS #InfoSec #Konni #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #PDF #Phishing #RAT #RDP #SMS #SocialEngineering #SpearPhishing #Word #Wordpress #bot #AlienVault

2026-01-19

PDFSIDER Malware - Exploitation of DLL Side-Loading for AV and EDR Evasion

PDFSIDER is a newly identified malware variant that utilizes DLL side-loading to deploy a covert backdoor with encrypted command-and-control capabilities. It exploits vulnerabilities in legitimate software like PDF24 Creator to bypass endpoint detection mechanisms. The malware operates primarily in memory, minimizing disk artifacts, and employs advanced anti-VM technology to evade sandboxes and analysis labs. PDFSIDER features a robust cryptographic implementation using the Botan library for secure communications. It gathers system information and provides attackers with an interactive, hidden command shell for remote execution. The malware's characteristics align with APT tradecraft, suggesting its use in cyber-espionage operations. Distribution occurs through spear-phishing emails containing ZIP archives with legitimate-looking executables.

Pulse ID: 696d289a872523c04861cbfa
Pulse Link: otx.alienvault.com/pulse/696d2
Pulse Author: AlienVault
Created: 2026-01-18 18:38:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #EDR #Email #Endpoint #Espionage #ICS #InfoSec #Malware #Nim #OTX #OpenThreatExchange #PDF #Phishing #RAT #SMS #SpearPhishing #ZIP #bot #cyberespionage #AlienVault

2026-01-19

#1 OT/ICS CYBERSECURITY TRAINING IN DELHI NCR AND IN INDIA

Visit: www.theevolvedge.com
Mail: info@theevolvedge.com
Phone: +917982403420, +919311805027

2026-01-16

The Schützenfest dates for 2026 in the Grevenbroich city area, each with its own ICS file.
hoetchesjonge.de/schuetzenfest
#schützenfest
#grevenbroich
#ics #kalender
#hoetchesjonge

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst