#TTPs

2025-12-21

It's been a bit quiet over the last 24 hours, so it'll be a short post today, but we do have a significant update on a long-standing Iranian threat actor. Let's dive in:

Iranian Infy APT Resurfaces with Advanced Tradecraft 🇮🇷

- The Iranian APT group Infy, also known as Prince of Persia, has resurfaced with new malware activity and updated tactics after nearly five years of silence, proving it remains active and dangerous.
- This elusive group, one of the oldest APTs dating back to 2004, is now using updated versions of its Foudre downloader and Tonnerre data exfiltrator, distributed via executables embedded in documents, targeting victims across multiple regions including Iran, Iraq, Turkey, India, Canada, and Europe.
- Key updates to their tradecraft include the use of a Domain Generation Algorithm (DGA) for resilient command-and-control (C2) infrastructure, RSA signature validation for C2 authenticity, and a unique mechanism within Tonnerre to communicate with a Telegram group for C2.

📰 The Hacker News | thehackernews.com/2025/12/iran

#CyberSecurity #ThreatIntelligence #APT #NationState #Iran #Malware #Infy #PrinceOfPersia #InfoSec #CyberAttack #ThreatActor #TTPs

DeepSec Conference (deepsec@social.tchncs.de)
2025-11-17

DeepSec 2025 Talk: How To Breach: From Unconventional Initial Access Vectors To Modern Lateral Movement – Benjamin Floriani & Patrick Pongratz

The perpetual cat-and-mouse game between attackers and defenders has pushed offensive security o

blog.deepsec.net/deepsec-2025-

#Conference #DeepSec2025 #LowprofileAttackingTechniques #RedTeam #SVG #Talk #TTPs

2025-10-28

Qilin highlights a subtle escalation: manual verification of exfil targets using benign Windows apps. Detection priorities:
• Monitor process launches of mspaint.exe & notepad.exe with non-interactive parent processes (e.g., psexec.exe, wmiexec).
• Alert on unusual SMB file open/read patterns (many large-file reads from non-service accounts).
• Watch for usage of Cyberduck or CLI S3/Backblaze clients from non-admin workstations and odd outbound TLS endpoints.
• Audit scheduled tasks (TVInstallRestore) and RUN-key changes; block lateral tools like PsExec or require ACLs.

Comment your favorite Sigma/EDR rule or follow TechNadu for weekly IOCs & remediation playbooks.

#TTPs #ThreatHunting #Ransomware #EDR #Sigma #IR #ThreatIntel #Qilin

Qilin Ransomware Leveraging Mspaint and Notepad to Find Files with Sensitive Information
2025-10-28

Predatory Sparrow’s toolkit and chain-of-execution highlight destructive-sabotage best practices for defenders:
- Multi-stage batch scripts with hostname checks (avoid accidental collateral).
- Scheduled-task detonation (msrun.bat → 23:55) and NIC disable via PowerShell.
- Log wiping (wevtutil) and BCD/shadow-copy removal to prevent recovery.
- XOR-encrypted configs (msconf.conf), encrypted payloads, and precise target enumeration.

Detection & response suggestions: immutable offline backups, firmware-level integrity checks, EDR + OT anomaly telemetry correlation, and scheduled-task auditing. Discuss what telemetry you’d add to catch the staging phase - then follow @technadu for more IOCs and deep dives.

#ThreatIntel #Wiper #IR #EDR #OTSecurity #ICS #TTPs #InfoSec

Predatory Sparrow Group Attacking Critical Infrastructure to Destroy Data and Cause Disruption
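The following is a constructed detection example added here; it is not code from TechNadu, from the Qilin or Predatory Sparrow write-ups, or from any vendor. It turns two of the hunts above into rules over Sysmon-style process-creation events: the Qilin priority of mspaint.exe / notepad.exe launched by a non-interactive parent (and pointed at an SMB share), and the Predatory Sparrow items of wevtutil log wiping and a scheduled task whose action is a batch file. The field names, the list of remote-execution parent processes, and the sample events are all assumptions or constructed data.

```python
"""Minimal rule evaluator for Windows process-creation telemetry.

Constructed example: field names mirror Sysmon Event ID 1 (Image,
ParentImage, CommandLine, User); the parent list below is an assumption
built from the examples in the Qilin post (psexec, wmiexec).
"""
from __future__ import annotations

import ntpath
import shlex
from typing import Callable, Iterable, Optional

# Assumed set of parents that indicate remote/lateral execution rather than
# a user at the console. Tune this to your environment.
NON_INTERACTIVE_PARENTS = {"psexec.exe", "psexesvc.exe", "wmiprvse.exe", "services.exe"}
VIEWER_APPS = {"mspaint.exe", "notepad.exe"}
LOG_CLEAR_VERBS = {"cl", "clear-log"}  # wevtutil sub-commands that wipe a log

Event = dict
Rule = Callable[[Event], Optional[str]]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def _args(command_line: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring quoted paths."""
    return [tok.strip('"') for tok in shlex.split(command_line, posix=False)]


def viewer_from_remote_parent(ev: Event) -> Optional[str]:
    """Qilin: benign viewer app spawned by a remote-execution parent."""
    if _base(ev["Image"]) in VIEWER_APPS and _base(ev["ParentImage"]) in NON_INTERACTIVE_PARENTS:
        return f"{_base(ev['Image'])} launched by non-interactive parent {_base(ev['ParentImage'])}"
    return None


def viewer_opening_share(ev: Event) -> Optional[str]:
    """Qilin: viewer app opening a file via a UNC path (SMB share)."""
    if _base(ev["Image"]) in VIEWER_APPS:
        for arg in _args(ev["CommandLine"])[1:]:
            if arg.startswith("\\\\"):
                return f"{_base(ev['Image'])} opening share path {arg}"
    return None


def wevtutil_log_clear(ev: Event) -> Optional[str]:
    """Predatory Sparrow: event log cleared with 'wevtutil cl' / 'clear-log'."""
    args = _args(ev["CommandLine"])
    if _base(ev["Image"]) == "wevtutil.exe" and len(args) > 1 and args[1].lower() in LOG_CLEAR_VERBS:
        return f"event log cleared: {args[2] if len(args) > 2 else '?'}"
    return None


def schtask_with_batch_payload(ev: Event) -> Optional[str]:
    """Predatory Sparrow: scheduled task created whose /tr action is a .bat file."""
    args = [a.lower() for a in _args(ev["CommandLine"])]
    if _base(ev["Image"]) == "schtasks.exe" and "/create" in args:
        for flag, value in zip(args, args[1:]):
            if flag == "/tr" and value.endswith(".bat"):
                return f"scheduled task runs batch file {value}"
    return None


RULES: list[Rule] = [viewer_from_remote_parent, viewer_opening_share,
                     wevtutil_log_clear, schtask_with_batch_payload]


def evaluate(events: Iterable[Event]) -> list[tuple[int, str, str]]:
    """Return (event id, rule name, reason) for every rule that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((ev["Id"], rule.__name__, reason))
    return hits


# Constructed sample events (hostnames, users and paths are invented).
SAMPLE_EVENTS: list[Event] = [
    {"Id": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice", "CommandLine": r'notepad.exe "C:\Users\alice\notes.txt"'},  # benign console use
    {"Id": 2, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "User": r"CORP\svc-backup", "CommandLine": r'notepad.exe "\\FILESRV01\finance\payroll_2025.xlsx"'},
    {"Id": 3, "Image": r"C:\Windows\System32\mspaint.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "User": r"CORP\svc-backup", "CommandLine": r"mspaint.exe C:\Temp\scan.png"},
    {"Id": 4, "Image": r"C:\Windows\System32\wevtutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "wevtutil cl Security"},
    {"Id": 5, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\ProgramData\msrun.bat /sc once /st 23:55"},
    {"Id": 6, "Image": r"C:\Windows\System32\wevtutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\alice", "CommandLine": "wevtutil qe Application /c:5"},  # query, not a clear
]

if __name__ == "__main__":
    for event_id, rule_name, reason in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}: {reason}")
```

Event 2 fires both Qilin rules, event 3 only the parent-process rule, event 4 the log-clear rule and event 5 the scheduled-task rule; events 1 and 6 stay silent. In production the parent set and the UNC check would be joined with the SMB read-volume telemetry the post mentions rather than used alone, since a single notepad launch from a service account is low-confidence on its own.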
2025-09-16

📢 The Royal Netherlands Army deploys hackers to the front with the 101st CEMA battalion
📝 According to nltimes.nl (13 September 2025), citing officials and De Telegraaf, the Royal Netherlands Army has off...
📖 cyberveille: cyberveille.ch/posts/2025-09-1
🌐 source: nltimes.nl/2025/09/13/dutch-ar
#TTPs #Pays_Bas #Cyberveille

Stratosphere Research Laboratory (stratosphere@infosec.exchange)
2025-05-14

🚨 The wait is over — the full program of briefings for the Honeynet Project Workshop 2025 in Prague is now live! 🎉

We’re proud to present an incredible lineup of speakers from across the globe, sharing cutting-edge work in cyber deception, honeypots, threat intelligence, and more. 🐝🌍

📍 NTK, Prague
🗓 June 2–4, 2025
👉 Register today: prague2025.honeynet.org/progra

#Honeynet2025 #cybersecurity #infosec #deception #cyberdeception #TI #TTPs #Malware

Stratosphere Research Laboratory (stratosphere@infosec.exchange)
2025-05-13

🎺 Training alert!

Join Federico Pacheco at #Honeynet2025 in Prague for a hands-on training on Translating Threats into Deception Strategies. This session walks you through a practical 4-phase approach to turning TTPs into deception activities — from behavior extraction to storytelling design.

🛠️ Learn how to extract behaviors, design scenarios, and align deception with real threats.
🪑 Limited seats available – don’t wait!
🔗 Register now: prague2025.honeynet.org

#CyberDeception #TTPs #TI

Stratosphere Research Laboratory (stratosphere@infosec.exchange)
2025-05-13

Join Georgy Kucherin at #Honeynet2025 in Prague as he unpacks a real-world campaign where attackers leveraged unpopular software to deceive analysts and spread a never-before-seen Python stealer. Expect live demos, open-source intel techniques, and deep insights into attacker tactics and threat hunting.

🗓️ June 2–4, 2025
🔗 prague2025.honeynet.org

#MalwareAnalysis #ThreatHunting #TI #TTPs

2025-04-23

Our new report describes one of the latest observed infection chains (delivering #AsyncRAT) relying on the #Cloudflare tunnel infrastructure and the attacker’s #TTPs with a principal focus on detection opportunities.

blog.sekoia.io/detecting-multi

Anonymous 🐈️🐾☕🍵🏴🇵🇸 (youranonriots@kolektiva.social)
2025-04-18

Based on data from 15,000 companies, #ANYRUN's Q1 '25 Malware Trends Report offers insights into the most widespread #malware families, APTs, phishkits, #TTPs, and more 🚀

Save hours of research and improve your company's threat awareness any.run/cybersecurity-blog/mal

Get Q1 2025 Malware Trends Report
Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-03-17

Happy Monday everyone!

Coming out of a brief lull in activity, I have a #readoftheday for you! This comes from a CYFIRMA article that takes a look at the APT #VoltTyphoon. They share vulnerabilities that have been recently exploited and (my favorite part) recent #TTPs and #behaviors that are associated with the group! I like how well documented it is, so much so that I am not even going to recreate it here! I will definitely be diving back into their archives to see if there are more of these profile articles! Enjoy and Happy Hunting!

APT PROFILE – VOLT TYPHOON
cyfirma.com/research/apt-profi

#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Intel 471 | Cyborg Security, Now Part of Intel 471

📢 New! Threat Intelligence Reports from ANYRUN

Discover detailed research on active cyber threats and #APTs with actionable insights, #IOCs, & #TTPs

Enrich proactive security, report on #APT41 inside ⬇️
any.run/cybersecurity-blog/thr

#cybersecurity #infosec #threatintel

🚨 The 2024 Cyber Threat Report from ANYRUN is out
📊 Together, we’ve launched 4M sandbox sessions and uncovered 1.8B IOCs

Discover the leading #malware types, families, and #TTPs of the last 12 months ⬇️
any.run/cybersecurity-blog/mal

#cybersecurity #infosec

2025-01-03

Go beyond technology limits with #Roota, a public-domain language for collective cyber defense.

Cross-platform query translation, correlation, mapping to #TTPs, and more to enable every cyber defender to speak any cybersecurity language.

Learn more: roota.io

Hunt & Hackett (huntandhackett)
2024-12-05

Country Threat Profile:

Discover Russia’s cyber threat landscape, including insights into high-profile attacks, Advanced Persistent Threats (APTs), and their use of Techniques, Tactics, and Procedures (TTPs) alongside sophisticated attack tools.

Access the full report now through our Members’ Portal: huntandhackett.com/members/reg

Martin Boller (itisiboller@infosec.exchange)
2024-10-24

Up soon:
"From 0 to millions: Protecting against AitM phishing at scale"

@hack_lu #hacklu2024 #canaries #Thinkst #HoneyEverything #TTPs #AiTM #Deception #DetectionEngineering

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2024-10-11

Happy Friday everyone!

A Joint Advisory from the National Security Agency, Federal Bureau of Investigation (FBI), Cyber National Mission Force, and the National Cyber Security Centre provides updates on the Russian Federation's Foreign Intelligence Service, or #SVR.

According to the advisory, #APT29 (a.k.a. Midnight Blizzard, Cozy Bear, and the Dukes) has targeted the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations. They aim to exploit software vulnerabilities for initial access and escalate privileges. They also utilize spearphishing campaigns, password spraying, and abuse of supply chain and trusted relationships. They also utilize custom malware and living-off-the-land (LOLBINs) techniques for multiple techniques.

The report includes a list of #CVEs that APT29 has been observed exploiting and attaches the vendor and product that are affected, with details that describe the vulnerability, along with a section of mitigations that your organization can take to increase your security posture.

If you are looking for behaviors that are attributed to APT29, look no further than the MITRE ATT&CK Matrix! This resource has collected historic #TTPs and behaviors and referenced them as well. So while you are working on hardening your environment you can also hunt for their activity as well! Enjoy and Happy Hunting!

Article Source:
Update on SVR Cyber Operations and Vulnerability Exploitation
ic3.gov/Media/News/2024/241010

Mitre source:
attack.mitre.org/groups/G0016/

#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting

Intel 471 | Cyborg Security, Now Part of Intel 471
