#RAT

2025-12-03

Salty2FA & Tycoon2FA: Hybrid Phishing Threat

A new hybrid phishing threat combining elements of Salty2FA and Tycoon2FA has emerged, blurring the lines between distinct phishing kits. Analysis reveals a sudden drop in Salty2FA activity, followed by the appearance of samples containing code from both frameworks. The hybrid shows signs of Salty2FA infrastructure failure, forcing a fallback to Tycoon-based hosting and payload delivery. This overlap complicates attribution and weakens kit-specific detection rules. The emergence of this hybrid suggests a possible connection to Storm-1747, known operators of Tycoon2FA. Defenders are advised to update detection logic, expect more cross-kit overlap, and prepare for campaigns with increased flexibility and resilience to infrastructure failures.

Pulse ID: 692f56875686d63e093cc378
Pulse Link: otx.alienvault.com/pulse/692f5
Pulse Author: AlienVault
Created: 2025-12-02 21:13:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#2FA #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #RAT #bot #AlienVault

2025-12-03

Shai-Hulud V2 Poses Risk to NPM Supply Chain

A second wave of the Shai-Hulud malware campaign, dubbed 'The Second Coming', has emerged targeting the npm ecosystem. This advanced software supply chain attack has compromised over 700 npm packages and created more than 27,000 malicious GitHub repositories. Shai-Hulud V2 introduces critical advancements such as pre-install phase execution, persistent backdoor access via self-hosted GitHub Actions runners, cross-victim credential recycling, and a destructive failsafe mechanism. The malware harvests credentials from various sources, exfiltrates data via GitHub, and propagates across the npm ecosystem. It also features a GitHub Actions backdoor for persistent remote code execution and includes specialized logic for exploiting Azure DevOps build agents.

Pulse ID: 692ff914980b448aea448537
Pulse Link: otx.alienvault.com/pulse/692ff
Pulse Author: AlienVault
Created: 2025-12-03 08:47:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azure #BackDoor #CyberSecurity #DevOps #ELF #GitHub #InfoSec #Malware #NPM #OTX #OpenThreatExchange #RAT #RCE #RemoteCodeExecution #SupplyChain #bot #AlienVault

2025-12-03

ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

A ValleyRAT campaign is targeting job seekers through email, disguising itself as a Foxit PDF reader and using DLL side-loading for initial system access. The campaign exploits job seekers' eagerness by using recruitment-related lures in archive files. The attack employs sophisticated techniques, including obfuscation through nested directories and execution via DLL sideloading. Once activated, ValleyRAT can lead to system control, activity monitoring, and data theft. The campaign's success is evident from a spike in ValleyRAT detections. It demonstrates the integration of social engineering, legitimate software abuse, and advanced malware techniques to exploit vulnerabilities in both systems and human psychology.

Pulse ID: 693003144213e15e12b947d5
Pulse Link: otx.alienvault.com/pulse/69300
Pulse Author: AlienVault
Created: 2025-12-03 09:29:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #ELF #Email #InfoSec #Malware #OTX #OpenThreatExchange #PDF #RAT #SideLoading #SocialEngineering #bot #AlienVault

2025-12-03

Technical Analysis of Matanbuchus 3.0

Matanbuchus, a C++ malicious downloader offered as Malware-as-a-Service since 2020, has evolved to version 3.0. It comprises a downloader and main module, utilizing obfuscation techniques like junk code, encrypted strings, and API hashing. The malware implements anti-analysis features, including an expiration date and persistence via scheduled tasks. It communicates using encrypted Protobufs over HTTP(S), supporting various commands for payload execution, data collection, and system manipulation. Matanbuchus has been associated with ransomware operations and used to distribute other malware like Rhadamanthys and NetSupport RAT.

Pulse ID: 692ff91584de642b1a8cbd3b
Pulse Link: otx.alienvault.com/pulse/692ff
Pulse Author: AlienVault
Created: 2025-12-03 08:47:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #HTTP #InfoSec #Malware #MalwareAsAService #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #RansomWare #Rhadamanthys #bot #AlienVault

2025-12-03

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

A sophisticated social engineering attack utilizing Microsoft Teams' new 'Chat with Anyone' feature has been uncovered. Threat actors impersonated IT support to trick users into initiating Quick Assist sessions, ultimately leading to credential theft and potential data exfiltration. The attack involved multiple stages, including phishing, malware deployment, and reconnaissance activities. An infostealer named 'updater.exe' was downloaded and executed during the process. The incident highlights the evolving tactics of cybercriminals exploiting legitimate collaboration platforms for malicious purposes. Organizations are advised to implement strict security measures, including disabling the feature through Teams Messaging Policies and adopting two-factor authentication and Zero Trust models.

Pulse ID: 69300315433acdc939544543
Pulse Link: otx.alienvault.com/pulse/69300
Pulse Author: AlienVault
Created: 2025-12-03 09:29:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #InfoStealer #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #Phishing #RAT #Rust #SocialEngineering #ZeroTrust #bot #AlienVault

2025-12-03

Fake Investment Platform Reputation Laundering: Felix Markets

Felix Markets, purporting to be a regulated forex broker, has been observed presenting false regulatory information and legitimizing its operations through sports sponsorship. The entity has impersonated other companies, repackaged legal materials, and made claims of geographic relevance to Australia, the UK, and Comoros. Their registration relies on a fake financial authority linked to other investment scams. Felix Markets has become the official sponsor of Levante U.D., a Spanish football team, for the 2025-26 season. The actor behind felixmarkets[.]com appears to be exploiting the legitimacy of a registered Australian company. The site's hosting and document metadata suggest possible Turkish involvement. This case highlights the evolving methods of faking legitimacy and the need for due diligence in areas susceptible to reputation laundering, such as sports sponsorships.

Pulse ID: 692f568b21e9d2530444837c
Pulse Link: otx.alienvault.com/pulse/692f5
Pulse Author: AlienVault
Created: 2025-12-02 21:13:47

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Australia #CyberSecurity #InfoSec #Mac #OTX #OpenThreatExchange #RAT #Turkish #UK #bot #AlienVault

2025-12-02

Cyber-Espionage Operation Hanoi Thief Deploys Hidden Payloads

Pulse ID: 692f5d37b586465a39d670c7
Pulse Link: otx.alienvault.com/pulse/692f5
Pulse Author: cryptocti
Created: 2025-12-02 21:42:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Espionage #InfoSec #OTX #OpenThreatExchange #RAT #bot #cyberespionage #cryptocti

Andrew 🌻 Brandt 🐇 threatresearch@infosec.exchange
2025-12-01

Happy Cyber(crime) Monday. Someone is sending out these bogus "e-signature" notifications as #malspam.

They lead to a page on Google Drive that has an interstitial link. When you click it, the page pushes an installer for N-Able Advanced Monitoring Agent, a commercial IT remote management tool. virustotal.com/gui/file/5ddcff

This is just the latest evolution of the attack I documented on the @Netcraft blog before the holiday break: netcraft.com/blog/shared-docum #spam #malware #RAT

The fake e-signature email uses internationalized homoglyph characters to evade content-based detection.
The page on Google Drive is a PDF with a link inside.
The installer it pushes down looks like this.
The "N-Able" installer is signed and prompts a UAC elevation.
2025-12-01

New Infostealer grabs Browser Data, Wifi Logins, Cryptowallets

A new information stealer named Arkanix has emerged, likely designed for short-term financial gains. Advertised on Discord, it has rapidly evolved from a Python-based to a C++ version. The malware steals data from various browsers, crypto wallets, VPN accounts, and system information. It employs sophisticated techniques like VMProtect for obfuscation and 'Chrome Elevator' to bypass App Bound Encryption. Arkanix is distributed through Discord and online forums, disguised as legitimate tools. The threat actors offer a web panel with premium features, including VPN and Steam account theft. This case highlights the ease of starting cybercrime businesses for quick profits, with actors demonstrating considerable experience in malware development and distribution.

Pulse ID: 692df2957f5d170436886325
Pulse Link: otx.alienvault.com/pulse/692df
Pulse Author: AlienVault
Created: 2025-12-01 19:55:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Chrome #CyberCrime #CyberSecurity #Discord #Encryption #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #Python #RAT #Steam #VPN #bot #AlienVault

2025-12-01

Bloody Wolf Targets Central Asia With Deceptive Phishing Attacks

Hashes (SHA-256) are stored in a secure medium, rather than an electronic form, as well as a set of letters and numbers, and their use is based on their location.

Pulse ID: 692df70a98a405ce0305504f
Pulse Link: otx.alienvault.com/pulse/692df
Pulse Author: cryptocti
Created: 2025-12-01 20:14:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #CentralAsia #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #RAT #bot #cryptocti

2025-12-01

Here's our new game!

RAT HACK: Snack Attack is a small hacking-game where you orchestrate a rat heist to procure some dino nuggies 🐀✨

tollstock.itch.io/rat-hack

#indiedev #gamedev #game #indiegame #rat #hacking

a rat with a thought bubble over its head containing dice with different symbols. around it, multiple windows-style popups clutter the screen, describing rat heist scenarios and timers ticking down
2025-12-01

Truck hijacking: when hackers take the wheel
#киберпреступность #логистика #фишинг #грузоперевозки #киберугон #транспортнаябезопасность #supplychain #инфобез #RAT #MFA #OSINT #CargoNet #Proofpoint
A new era of crime has arrived in the world of logistics: classic hijackers no longer rely only on a crowbar and muscle. Now they call in cyber specialists who break into carriers' systems and turn a digital trail into a real robbery. Since 2020 such attacks have grown many times over, thanks to the pandemic, online platforms and greedy transnational gangs.
How it works: from phishing to the truck
Hackers monitor online freight boards, the platforms where truckers look for loads. They pose as brokers and send phishing emails with malicious links or fake offers. One click, and remote access software appears on the victim's device.
From there the scheme turns into a full-blown thriller: the criminals log into real accounts, take part in auctions, intercept routes and redirect trucks to "shadow" warehouses. The goods (electronics, gadgets, mining equipment) go straight to retail and grey export. The damage runs into the millions, and the proceeds sometimes fund extremist groups.
Example: IMC Logistics lost 876 loads last year (just 5 in 2021). 95% were rail, but road freight is also at risk. Global statistics: 270 thousand cyber threats were registered in logistics in half a year. The average "cost" of a single theft is $336 thousand.
Why now?
The pandemic pushed the industry online: more orders, less control. Hackers are evolving, from simple phishing attacks to multi-stage chains: compromise of a minor account, lateral movement through the network, privilege escalation. Proofpoint records a surge in malicious email against carriers, and Verisk CargoNet a doubling of losses.
This is hybrid crime: cyber plus physical hijacking. Gangs hire specialists, who use off-the-shelf RAT tools. Logistics is left with chaos: delays, losses, rising insurance costs.
What to do: from MFA to paranoia
Companies are responding. IMC is introducing multi-factor authentication, traffic monitoring and endpoint protection. Proofpoint recommends email verification, network segmentation and employee training. The old methods, GPS trackers and locks, no longer save the day. Logistics needs bank-grade cyber defence.
If you work with freight, update your defences and ignore "lucrative" emails from unknown senders. Otherwise the truck will ride off into the sunset without you, and the hackers will already be picking their next target.

Here is a correct bibliography for the article about truck hijacking with the help of hackers (in a style that would be accepted at «сс Бастион», on Habr, and in a cybersecurity report):
1. Proofpoint. Human Factor 2024 Report: Threat Actors Exploit the Transportation Industry at Alarming Rates.
URL: proofpoint.com/us/threat-refer (accessed: 01.12.2025)
2. CargoNet. 2024 Cargo Theft Trend Report: Rising Cyber-Enabled Theft in Supply Chain.
URL: cargonet.com/cargo-theft-data/ (accessed: 01.12.2025)
3. Verisk CargoNet & IMC Logistics Joint Press Release.
«IMC Reports 876 Cyber-Facilitated Cargo Thefts in 2023–2024» (January 2025)
4. Transported Asset Protection Association (TAPA) IIS.
Incident Information Service Annual Report 2024 – EMEA Region (especially the sections on «cyber-enabled freight crime»)
5. FBI Internet Crime Complaint Center (IC3).
2024 Internet Crime Report – Business Email Compromise & Cargo Fraud section
6. Habr.
«Hijackers of trucks carrying goods have started hiring hackers», original news item of 28 November 2025
URL: habr.com/ru/news/971952/ (accessed: 01.12.2025)
7. Overland Bound Security Bulletin No. 2025-03.
«Hybrid Physical-Cyber Cargo Theft: New TTPs 2023–2025»
If you need a version in GOST 7.1-2003 (bibliographic record for scientific articles and reports), here it is in the Russian format:
1. Human Factor 2024 Report: Threat Actors Exploit the Transportation Industry at Alarming Rates [Electronic resource] // Proofpoint. — URL: proofpoint.com/us/threat-refer (accessed: 01.12.2025).
2. Hijackers of trucks carrying goods have started hiring hackers // Habr. — 2025. — 28 November. — URL: habr.com/ru/news/971952/ (accessed: 01.12.2025).
Use either one; both are to the point and have live links.

2025-11-30

rat magnets?? yeah!!!

rats here:
https://eonmakes.etsy.com/listing/4414672013

(also did a tiny restock on some other stuff :) check it out!)

#rat #rats #ratsOfMastodon #ratsOfFedi #ratsOfFediverse #ratsOfTheFediverse #cute #cuteArt #rodents #shop #artShop

6 magnets stuck on a whiteboard. written on the whiteboard are the words "RATS! magnets!"
1. a fawn rat curls up in a ball, sleepy
2. a blue rat looks up curiously
3. a brown rat sits on its butt
4. a light grey capped rat smiles widely
5. a black hooded rat looks mad
6. a Siamese rat lies flat like a pancake, sleeping

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst