#blackbasta

2025-10-24

Warlock Ransomware: Old Actor, New Tricks?

The Warlock ransomware, first appearing in June 2025, is linked to a China-based actor with a history dating back to 2019. It gained prominence by exploiting the ToolShell vulnerability in Microsoft SharePoint. The group, known as Storm-2603, uses multiple ransomware payloads and a custom C&C framework called ak47c2. Warlock is likely a rebrand of the older Anylock ransomware and may have connections to the retired Black Basta operation. The actors behind Warlock have been involved in diverse activities, including espionage and cybercrime, suggesting they may be contractors. Their toolset includes defense evasion tools and the use of stolen digital certificates, linking them to earlier attacks by groups like CamoFei and ChamelGang.

Pulse ID: 68fa481ef76460d342e4d0c5
Pulse Link: otx.alienvault.com/pulse/68fa4
Pulse Author: AlienVault
Created: 2025-10-23 15:22:06

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlackBasta #CandC #China #CyberCrime #CyberSecurity #Espionage #InfoSec #Microsoft #OTX #OpenThreatExchange #RAT #RansomWare #Vulnerability #bot #AlienVault

2025-10-19

📢 ICO fines Capita £14M after the BlackBasta attack: 6+ million records compromised
📝 According to the BushidoToken blog (reference provided), the ICO sanctioned Capita with a £14M fine following a BlackBasta attack...
📖 cyberveille : cyberveille.ch/posts/2025-10-1
🌐 source : blog.bushidotoken.net/2025/10/
#BlackBasta #Capita #Cyberveille

2025-10-16

News from the #FBI's fight against #CyberCrime: "Revelations about 'Group 78', a secret US unit tasked with fighting cybercriminals" #Group78 #CyberSécurité #BlackBasta ...

lemonde.fr/pixels/article/2025

2025-06-23
Screenshot of LinkedIn post that states: The leader of the Black Basta ransomware group employed a trusted, experienced cybercriminal actor who went by the nickname Tinker. Tinker, who worked for the infamous Conti ransomware group, could quickly drum up phishing content aimed at stealing VPN creds and analyze stolen data to figure out how much an organisation might pay in ransom. Tinker knew how to run criminal call centers to social engineer victims into installing remote access software.
2025-06-01

Akira, the ransomware

Since its appearance in March 2023, the Akira Ransomware-as-a-Service has not stopped producing victims. Practicing double extortion, it lists 808 companies.

Shortly after its first acts, a decryption key was found. But since then, the cybercriminal group has grown in power. Its attacks bring companies down. In 2023, the British KNP Logistics Group suffered Akira's wrath; in May 2025, after 160 years of existence, it disappeared.

librexpression.fr/akira-ransom

#Akira #blackbasta #chiffrement #conti #cyberattack #databreaches #europe #France #informatique #librexpression #raas #ransomware #Russie #RUST #threats #USA

(Credits: Ylanite Koppens/Pexels)

Two old keys lie on an equally old sheet of paper. Almost indecipherable writing is traced on the paper. Somewhere between a legend and a treasure map.
Anonymous 🐈️🐾☕🍵🏴🇵🇸 youranonriots@kolektiva.social
2025-06-01

“We never drop tools. We use yours.” — #BlackBasta ransomware.

A new Bitdefender analysis of 700,000 incidents reveals this chilling truth: 84% of major cyberattacks use Living Off the Land tools like netsh.exe, powershell.exe, wmic.exe.
#RansomwareAttacks
thehackernews.com/expert-insig
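As an added example, not code from the post above or from Bitdefender: a small Python detector that parses constructed, Sysmon-style process-creation records and flags suspicious uses of the three living-off-the-land binaries the post names. The field names (Image, CommandLine, ParentImage) follow Sysmon Event ID 1; the sample records and the rule patterns are my own assumptions, chosen to show that the binary name alone is useless as a signal and the command line is where the detection lives.

```python
import re

# Suspicious-usage rules for the three LOLBins named in the post. Each tuple is
# (binary name, rule id, case-insensitive regex tested against the command line).
# The patterns are illustrative assumptions, not a vendor's rule set.
RULES = [
    ("powershell.exe", "ps_encoded_command",
     r"-e(nc|ncodedcommand)?\b\s+[A-Za-z0-9+/=]{20,}"),
    ("powershell.exe", "ps_download_cradle",
     r"\b(downloadstring|downloadfile|invoke-webrequest|iwr)\b"),
    ("powershell.exe", "ps_hidden_bypass",
     r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass"),
    ("netsh.exe", "netsh_firewall_off",
     r"advfirewall\s+set\s+\w+\s+state\s+off"),
    ("netsh.exe", "netsh_portproxy",
     r"interface\s+portproxy\s+add"),
    ("wmic.exe", "wmic_remote_exec",
     r"process\s+call\s+create"),
    ("wmic.exe", "wmic_shadowcopy_delete",
     r"shadowcopy\s+delete"),
]

# Constructed sample records (not real telemetry) in a flat key=value form,
# loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\netsh.exe CommandLine="netsh advfirewall set allprofiles state off" ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA" ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic /node:10.0.0.7 process call create cmd.exe" ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\Windows\System32\cmd.exe',
    # Benign uses of the same binaries: these must not fire.
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe Get-Process" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\netsh.exe CommandLine="netsh interface show interface" ParentImage=C:\Windows\System32\cmd.exe',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Split a flat key=value record into a dict of field name -> value."""
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}


def detect(lines) -> list:
    """Return one hit per (event, rule) pair whose binary and command line match."""
    hits = []
    for line in lines:
        event = parse_event(line)
        # Match on the file name only, case-insensitively, so the install path
        # and capitalisation (WMIC.exe vs wmic.exe) do not matter.
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmdline = event.get("CommandLine", "")
        for binary, rule, pattern in RULES:
            if image == binary and re.search(pattern, cmdline, re.IGNORECASE):
                hits.append({"rule": rule, "image": image, "cmdline": cmdline,
                             "parent": event.get("ParentImage", "")})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['image']} <- {hit['parent']}: {hit['cmdline']}")
```

The two benign records at the end of the sample list exist to keep the rules honest: a rule that fires on every `powershell.exe` launch is noise, one that fires on `-w hidden -enc …` with a `cmd.exe` parent is a lead worth pulling.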

2025-05-30

@deepthoughts10 @BleepingComputer Agreed, AVCheck was used by BlackBasta to check their malware creations. Would be awesome to see scanner[.]to taken down soon as well. Lots of malicious binaries and scripts scanned on scanner[.]to in the Basta chat logs. The screenshot is one of their sample's results pages.

#BlackBasta #Ransomware #CTI #threatintelligence

Scanner.to results for a BlackBasta binary to determine whether EDR tools flag for malicious indicators.
deciodecio@infosec.exchange
2025-05-21

A highly advanced malware campaign hijacked KeePass, a popular open-source password manager.
⬇️
Cybercriminals modified the KeePass source code, recompiled it with a valid digital certificate and distributed it through malicious advertising (malvertising) on search engines. (thanks-but-no-thanks Google)

Result: a booby-trapped version of KeePass was distributed to victims who thought they were downloading the original. This fake version:

Exfiltrated KeePass databases with the passwords in cleartext

Deployed stealthy malware (Cobalt Strike) used to take control of the computer and spread an attack (ransomware-style).

The malware hid among normal-looking files, used the name "KeeLoader" and avoided antivirus detection. It stayed quiet until a password file was opened.

4️⃣ Infection technique:

  • Fake KeePass site (e.g. keeppaswrd.com)

  • Infected download

  • Malware deployment + password theft

  • Network takeover (RDP, SSH, etc.)

  • Data encryption (ransomware)

Clues point to links with groups such as Black Basta and to the use of criminal "as-a-service" offerings (certificates, infrastructure, etc.).

Let's not give up on password managers…
But let's download them only from official sites

"KeePass trojanised in advanced malware campaign

In 2025, WithSecure discovered a trojanised, and signed version of the open-source password manager KeePass, used to deliver malware and exfiltrate credentials. Named KeeLoader, this modified installer was signed with trusted certificates and distributed via malvertising and typo-squat domains to victims across Europe."
👇
labs.withsecure.com/publicatio
👇📄
labs.withsecure.com/content/da

#CyberVeille #KeePass #BlackBasta
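The post's advice ("download only from official sites") is easy to state and hard to enforce when the lure is a look-alike domain. As an added example, not code from the post or from WithSecure's report: a Python check that classifies a download URL by whether its host is the official domain, a look-alike of the brand, or unrelated. The look-alike test is approximate substring matching (Sellers' algorithm): the smallest number of edits needed to turn the brand name into some substring of the host, which catches keeppaswrd.com (named in the post) as well as subdomain impersonation such as keepass.info.evil-cdn.net. Assumptions: keepass.info is treated as the sole official domain, the threshold of two edits and the sample URLs other than keeppaswrd.com are mine, and public-suffix handling is omitted.

```python
from urllib.parse import urlparse

BRAND = "keepass"
# Assumption for this example: keepass.info is the only legitimate download host.
OFFICIAL_DOMAINS = {"keepass.info"}
MAX_EDITS = 2

# Constructed sample URLs; keeppaswrd.com is the fake site the post names.
SAMPLE_URLS = [
    "https://keepass.info/download.html",
    "https://www.keeppaswrd.com/download/KeePass-Setup.exe",
    "https://keypass-download.net/",
    "https://keepass.info.evil-cdn.net/",
    "https://example.org/",
]


def approx_contains_distance(pattern: str, text: str) -> int:
    """Minimum edit distance between `pattern` and any substring of `text`
    (Sellers' algorithm: the match may start and end anywhere in `text`)."""
    previous = [0] * (len(text) + 1)          # free start: row 0 is all zeros
    for i in range(1, len(pattern) + 1):
        current = [i] + [0] * len(text)       # i pattern chars against empty text
        for j in range(1, len(text) + 1):
            cost = 0 if pattern[i - 1] == text[j - 1] else 1
            current[j] = min(previous[j] + 1,        # drop a pattern char
                             current[j - 1] + 1,     # drop a text char
                             previous[j - 1] + cost) # match or substitute
        previous = current
    return min(previous)                      # free end: best column of last row


def classify(url: str) -> str:
    """'official' for the allowlisted domain and its subdomains, 'suspicious' for
    hosts within MAX_EDITS of the brand name anywhere left of the TLD, else 'unrelated'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Examine everything left of the TLD so that both www.keeppaswrd.com and
    # keepass.info.evil-cdn.net are compared against the brand.
    left_of_tld = ".".join(host.split(".")[:-1]) or host
    if approx_contains_distance(BRAND, left_of_tld) <= MAX_EDITS:
        return "suspicious"
    return "unrelated"


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify(url):10s} {url}")
```

The allowlist check runs first and is exact, so a host that merely contains "keepass.info" as a prefix is not trusted; the fuzzy match then exists only to explain why a non-allowlisted host deserves a second look, not to decide what is safe.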

2025-05-16

Skitnet is shaking up the cybercrime scene—this stealthy ransomware tool is now powering high-stakes attacks by notorious groups. Ever wonder how hackers pull off such seamless heists? Dive into the story behind the tool that's rewriting the rules.

thedefendopsdiaries.com/skitne

#skitnet
#ransomware
#cybersecurity
#postexploitation
#blackbasta

2025-05-16

Skitnet is shaking up the ransomware scene with stealthy tactics and jaw-dropping capabilities—already in use by notorious gangs. What does this mean for our digital defenses? Dive into the details.

thedefendopsdiaries.com/skitne

#skitnet
#ransomware
#cybersecurity
#postexploitation
#blackbasta

2025-04-14

#BlackBasta : The Fallen #Ransomware Gang That Lives On

After a series of setbacks, the notorious Black Basta ransomware gang went underground. Researchers are bracing for its probable return in a new form.
#scammer #security #privacy

wired.com/story/black-basta-ra

John Leonard (johnleonard)
2025-03-20

A massive leak of internal chat logs from the notorious Black Basta ransomware-as-a-service (RaaS) group has exposed potential ties to Russian authorities, extensive use of artificial intelligence in its operations and plans for a complete rebranding.

computing.co.uk/news/2025/secu

Anonymous 🐈️🐾☕🍵🏴🇵🇸 youranonriots@kolektiva.social
2025-03-19

🔥 Russia’s Role in Cybercrime Just Got Exposed!

200,000+ leaked messages expose direct ties between the ransomware gang & Russian officials.

🔹 AI-powered fraud & malware dev
🔹 Leader escaped via a "green corridor" #BlackBasta #Ransomware thehackernews.com/2025/03/leak

📦 Our latest investigation of Black Basta's leaked chats shows how they were plotting to exploit open source package registries to deploy ransomware, plus our analysis of #ransomware & wiperware packages already in the wild.

socket.dev/blog/black-basta-de #BlackBasta #CyberSecurity

RedPacket Security (RedPacketSecurity)
2025-03-19
2025-03-18

#TrendMicro discusses how the #BlackBasta and #Cactus #ransomware groups utilized the #BackConnect #malware to maintain persistent control and exfiltrate sensitive data from compromised machines. Learn more -> trendmicro.com/en_us/research/

Anonymous 🐈️🐾☕🍵🏴🇵🇸 youranonriots@kolektiva.social
2025-03-16

#BlackBasta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs. #Ransomware #CyberAlerts #Cybersecurity
bleepingcomputer.com/news/secu
