#ics

Offensive Sequence @offseq@infosec.exchange
2025-12-14

🔒 CRITICAL: CVE-2025-36751 in Growatt ShineLan-X/MIC 3300TL-X (v3.6.0.0) — config interface lacks encryption, enabling network attackers to intercept & alter comms. Patch unavailable; mitigate ASAP! radar.offseq.com/threat/cve-20 #OffSeq #ICS #CVE #infosec

Critical threat: CVE-2025-36751: CWE-311 Missing Encryption of Sensitive Data in Growatt ShineLan-X
Offensive Sequence @offseq@infosec.exchange
2025-12-14

🌐 CVE-2025-36754: CRITICAL auth bypass in Growatt ShineLan-X v3.6.0.0. No session tokens—attackers can redirect DNS, enabling MitM attacks on solar infra. Restrict web access & monitor configs. No patch yet. radar.offseq.com/threat/cve-20 #OffSeq #ICS #Vulnerability #SolarSecurity

Critical threat: CVE-2025-36754: CWE-290 Authentication Bypass by Spoofing in Growatt ShineLan-X
Offensive Sequence @offseq@infosec.exchange
2025-12-14

CVE-2025-36752 (CRITICAL, CVSS 9.4): Growatt ShineLan-X v3.6.0.0 has a hard-coded backup account—effectively a backdoor. No patch yet. Isolate affected devices, monitor for access, and consult vendor for updates. radar.offseq.com/threat/cve-20 #OffSeq #ICS #IoTSecurity

Critical threat: CVE-2025-36752: CWE-798 Use of Hard-coded Credentials in Growatt ShineLan-X
der Marko 🚲🏃‍♂️ @cmalloc@bonn.social
2025-12-13

yearly reminder: if you have set up a waste collection calendar via #ics in #homeassisstant, it will soon be time to add the file for the coming year…

#smarthome #selfhosting

Offensive Sequence @offseq@infosec.exchange
2025-12-13

🚨 CVE-2025-36747 (CRITICAL, CVSS 9.4): Hard-coded FTP creds in Growatt ShineLan-X 3.6.0.0 allow file tampering—no signature checks! Patch, restrict FTP, and monitor for abuse. radar.offseq.com/threat/cve-20 #OffSeq #CVE202536747 #ICS #Infosec

Critical threat: CVE-2025-36747: CWE-798 Use of Hard-coded Credentials in Growatt ShineLan-X
2025-12-12

Best OT/ICS Cybersecurity Training in Delhi NCR and in India

Visit: www.theevolvedge.com
Mail: info@theevolvedge.com
Phone: +917982403420, +919311805027

2025-12-11

Working on planning a state level exercise which involves a volcano eruption scenario. The exercise team asked if I thought it was a good idea, I said yes, especially the chance of lahard (typo) and debris flows. The working title shared with me this week: Lahar'd Times 😆

Not my first choice but lolol

#ics #DisasterResponse #DisasterRecovery #exercise #preparedness

2025-12-11

GOLD SALEM tradecraft for deploying Warlock ransomware

This analysis examines the evolving tactics of the GOLD SALEM cybercrime group in deploying Warlock ransomware over a six-month period across 11 incidents. The group exploited SharePoint vulnerabilities for initial access and utilized tools like Velociraptor, VMTools AV killer, and Cloudflared for various attack stages. They targeted multiple sectors, with a focus on IT, industrial, and technology. The group used Warlock, LockBit, and Babuk ransomware variants, often naming executables after victim organizations. Evidence suggests possible Chinese origins, though the group appears primarily financially motivated. GOLD SALEM demonstrated advanced technical abilities, including zero-day exploitation and repurposing of legitimate tools.

Pulse ID: 693ab3bf9609b5d5e8ecb906
Pulse Link: otx.alienvault.com/pulse/693ab
Pulse Author: AlienVault
Created: 2025-12-11 12:06:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #Cloud #CyberCrime #CyberSecurity #ICS #InfoSec #LockBit #OTX #OpenThreatExchange #RAT #RansomWare #UK #ZeroDay #bot #AlienVault

2025-12-10

A new joint advisory from global cyber agencies highlights a shift: certain pro-Russia hacktivist groups are moving beyond DDoS toward opportunistic intrusions into OT/ICS systems via exposed VNC interfaces.

The activity remains low-sophistication but can still trigger operational disruption in water, energy, and agriculture environments.

Recommended actions: reduce OT internet exposure, map asset flows, and enforce robust authentication.

Source: cisa.gov/news-events/cybersecu

What OT controls do you consider non-negotiable today?
Follow for more independent cybersecurity insights.

#CyberSecurity #OTSecurity #ICS #CriticalInfrastructure #ThreatIntel #InfoSec

Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure
2025-12-10

Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation

Storm-0249, a seasoned initial access broker, has evolved from mass phishing to sophisticated post-exploitation tactics. The group now abuses legitimate Endpoint Detection and Response processes, particularly SentinelOne's SentinelAgentWorker.exe, through DLL sideloading. This allows them to conceal malicious activity as routine operations, bypass defenses, and maintain persistence. Their new tactics include Microsoft domain spoofing, curl-to-PowerShell piping, and fileless execution. Storm-0249's ability to weaponize trusted processes and conduct stealthy reconnaissance poses significant challenges for security teams. The group's evolution represents a broader trend in the ransomware-as-a-service ecosystem, lowering the technical barrier for attackers and accelerating the spread of ransomware across sectors.

Pulse ID: 69393ab7f0d78ccb11a14d9a
Pulse Link: otx.alienvault.com/pulse/69393
Pulse Author: AlienVault
Created: 2025-12-10 09:17:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EDR #Endpoint #EndpointDetectionandResponse #ICS #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RansomWare #RansomwareAsAService #Rust #SentinelOne #SideLoading #bot #AlienVault

2025-12-09

React2Shell Deep Dive: CVE-2025-55182 Exploit Mechanics

The critical Remote Code Execution vulnerability CVE-2025-55182, dubbed 'React2Shell', affects React Server Components (RSC) and extends beyond Next.js. Attackers are exploiting it for cloud-native initial access, credential harvesting, cryptomining, and deploying sophisticated backdoors. The vulnerability stems from improper input deserialization in RSC payloads, allowing arbitrary code execution. Exploitation has been observed across various cloud platforms, targeting containerized workloads. The exploit's mechanics involve crafting a malicious payload with self-referencing gadgets to bypass security checks during deserialization. Other frameworks using RSC, such as Waku and Vite, are also vulnerable. Urgent patching and comprehensive detection measures are crucial for affected systems.

Pulse ID: 6938577d1df39d03f2dc4345
Pulse Link: otx.alienvault.com/pulse/69385
Pulse Author: AlienVault
Created: 2025-12-09 17:08:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Cloud #CredentialHarvesting #CryptoMining #CyberSecurity #ELF #ICS #InfoSec #OTX #OpenThreatExchange #RemoteCodeExecution #Vulnerability #bot #AlienVault

2025-12-09

How Lazarus's IT Workers Scheme Was Caught Live on Camera

This report details an investigation into a North Korean infiltration operation by the Lazarus Group's Famous Chollima division. The operation aims to deploy remote IT workers in American financial and crypto/Web3 companies for corporate espionage and funding. Researchers posed as potential recruits and used sandboxed environments to monitor the operators' activities in real-time. The investigation revealed the group's tactics, including identity theft, social engineering, and the use of AI tools. The operators displayed poor operational security, sharing infrastructure and making repeated mistakes. The report provides insights into the group's recruitment methods, toolset, and communication patterns, offering a rare inside view of their operations.

Pulse ID: 69381832f6030155b532bf71
Pulse Link: otx.alienvault.com/pulse/69381
Pulse Author: AlienVault
Created: 2025-12-09 12:38:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Espionage #ICS #InfoSec #Korea #Lazarus #NorthKorea #OTX #OpenThreatExchange #RAT #SocialEngineering #Web3 #bot #AlienVault

2025-12-09

Sharpening the knife: strategic evolution of GOLD BLADE

GOLD BLADE, a threat group previously focused on cyberespionage, has evolved into a hybrid operation combining data theft with selective ransomware deployment. The group has refined its intrusion methods, shifting from traditional phishing to abusing recruitment platforms for delivering weaponized resumes. Their operations follow cycles of dormancy and sudden activity bursts, introducing new tradecraft in each wave. GOLD BLADE has modified its RedLoader infection chain multiple times, implemented a Bring Your Own Vulnerable Driver approach, and developed a custom ransomware called QWCrypt. The group's targeting has narrowed to focus primarily on Canadian organizations across various sectors. Their sophisticated tactics and continual refinement demonstrate a level of operational maturity uncommon among financially motivated actors.

Pulse ID: 6933dbed9899a12d1dd9ae53
Pulse Link: otx.alienvault.com/pulse/6933d
Pulse Author: AlienVault
Created: 2025-12-06 07:31:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Canadian #CyberSecurity #Cyberespionage #DataTheft #Espionage #ICS #InfoSec #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #bot #AlienVault

2025-12-09

CastleLoader Activity Clusters Target Multiple Industries

Insikt Group has identified four distinct activity clusters associated with GrayBravo's CastleLoader malware, each with unique tactics and victim profiles. This supports the assessment that GrayBravo operates a malware-as-a-service model. One cluster, TAG-160, impersonates logistics firms and uses phishing lures with the ClickFix technique to distribute CastleLoader. Another cluster, TAG-161, impersonates Booking.com and employs similar techniques. The analysis also uncovered potential links to the online persona "Sparja" and the broader cybercriminal ecosystem. GrayBravo demonstrates rapid evolution, technical sophistication, and adaptability in response to public exposure. The report recommends various security measures to defend against these threats.

Pulse ID: 6937b6169bd435b2e3a0787e
Pulse Link: otx.alienvault.com/pulse/6937b
Pulse Author: AlienVault
Created: 2025-12-09 05:39:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Phishing #RAT #bot #AlienVault

2025-12-09

Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia

Operation FrostBeacon is a targeted malware campaign delivering Cobalt Strike beacons to companies in Russia. It uses two infection clusters: one leveraging malicious archive files with LNK shortcuts, and another exploiting CVE-2017-0199 and CVE-2017-11882 vulnerabilities. Both clusters lead to remote HTA execution and deployment of an obfuscated PowerShell loader that decrypts and runs Cobalt Strike shellcode in memory. The campaign targets finance and legal departments of B2B enterprises in logistics, industrial production, construction, and technical supply. It employs phishing emails with Russian-language lures related to contracts, payments, and legal matters. The infrastructure uses multiple Russian-controlled domains as command-and-control servers.

Pulse ID: 693709f10b18abd6b3644445
Pulse Link: otx.alienvault.com/pulse/69370
Pulse Author: AlienVault
Created: 2025-12-08 17:25:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CobaltStrike #CyberSecurity #Email #ICS #InfoSec #LNK #Malware #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #Russia #ShellCode #Troll #bot #AlienVault

Offensive Sequence @offseq@infosec.exchange
2025-12-06

🚨 CVE-2025-34256: CRITICAL (CVSS 10) vuln in Advantech WISE-DeviceOn Server <5.4—remote attackers can forge JWTs & gain full admin access via hard-coded key. Patch to v5.4+ or restrict access now! radar.offseq.com/threat/cve-20 #OffSeq #ICS #IoTSecurity #Vulnerability

Critical threat: CVE-2025-34256: CWE-321 Use of Hard-coded Cryptographic Key in Advantech Co., Ltd. WISE-DeviceOn Ser
2025-12-03

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

A sophisticated social engineering attack utilizing Microsoft Teams' new 'Chat with Anyone' feature has been uncovered. Threat actors impersonated IT support to trick users into initiating Quick Assist sessions, ultimately leading to credential theft and potential data exfiltration. The attack involved multiple stages, including phishing, malware deployment, and reconnaissance activities. An infostealer named 'updater.exe' was downloaded and executed during the process. The incident highlights the evolving tactics of cybercriminals exploiting legitimate collaboration platforms for malicious purposes. Organizations are advised to implement strict security measures, including disabling the feature through Teams Messaging Policies and adopting two-factor authentication and Zero Trust models.

Pulse ID: 69300315433acdc939544543
Pulse Link: otx.alienvault.com/pulse/69300
Pulse Author: AlienVault
Created: 2025-12-03 09:29:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #InfoStealer #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #Phishing #RAT #Rust #SocialEngineering #ZeroTrust #bot #AlienVault
