#intel471

2025-08-26
2024-12-04

U.S. Offered $10M for Hacker Just Arrested by Russia - In January 2022, KrebsOnSecurity identified a Russian man named Mikhail Matveev as... krebsonsecurity.com/2024/12/u- #neer-do-wellnews #aleksandrermakov #darynaantoniuk #mikhailmatveev #mikhailshefel #mikhaillenin #sugarlocker #boriselcin #shtazi-it #intel471 #rescator #wazawaka

2024-10-18

Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach - Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of b... krebsonsecurity.com/2024/10/br #nationalpublicdata #neer-do-wellnews #alittlesunshine #databreaches #equationcorp #crowdstrike #raidforums #infragard #hackread #intel471 #tecmundo #tvglobo #netsec #usdod #fbi

Just Another Blue Teamer (@LeeArchinal@ioc.exchange)
2024-07-16

Happy Tuesday everyone!

Just your weekly reminder that Regular Registration is closing this Friday, July 19th! So you still have some time to get the regular pricing when you register for Cyborg Security's and Intel 471's Threat Hunter training at Black Hat USA in Las Vegas!

You will learn:
What a threat hunt looks like from start to finish.
What tools and resources we can leverage to research and communicate with stakeholders.
How to navigate through an investigation following process chains, finding correlating information, and how to find related events that help you better tell the story!

If any of this sounds fun, come join me at Black Hat in Vegas this year for a fun time! I can't wait to meet everyone there, but until then, Happy Hunting!

Registration Links:
Aug 3rd - 4th:
blackhat.com/us-24/training/sc

Aug 5th - 6th:
blackhat.com/us-24/training/sc

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel
#ThreatHunting #ThreatDetection #HappyHunting #Intel471 #BlackHat

Just Another Blue Teamer (@LeeArchinal@ioc.exchange)
2024-07-15

Happy Monday everyone!

We are going to start this week off with a nice resource in our #readoftheday! If you have yet to hear about Wazuh, now is your chance! It is a free, open-source security platform that protects data assets from threats [2]. In this article, the researchers cover what abusing Living-off-the-Land binaries (LOLBINs) looks like from the perspective of an Ubuntu and Kali Linux endpoint and focus on the #DirtyPipe exploit and the DDexec utility. After walking readers through the emulation they then discuss how Wazuh helps detect these techniques. It is a good read and a resource I want to get into my own lab to start playing with!

As always, check out the full article and others by Wazuh researchers on their blog and stay tuned for the threat hunting tip of the day! Enjoy and Happy Hunting!

Detecting Living Off the Land attacks with Wazuh
wazuh.com/blog/detecting-livin

Other reference:
github.com/wazuh/wazuh [2]

Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471

Just Another Blue Teamer (@LeeArchinal@ioc.exchange)
2024-07-12

Happy Friday Everyone!

The Check Point Software researchers help us into the weekend with the #readoftheday, and ironically it covers some things that we have been researching as of late!

In this article, the researchers detail how a threat actor used an Internet Shortcut (.url) file to open the attacker's website in Internet Explorer (a more vulnerable browser) instead of Chrome or Edge. This is accomplished through the use of a specially crafted .url file that contains the values "mhtml" and "!x-usc". These tactics were last seen when threat actors were exploiting CVE-2021-40444 (Microsoft MSHTML Remote Code Execution Vulnerability) [2] and are now being seen again.

As you wait for the Threat Hunting Tip of the day, go read the entire article yourself and see what I missed! Enjoy and Happy Hunting!

RESURRECTING INTERNET EXPLORER: THREAT ACTORS USING ZERO-DAY TRICKS IN INTERNET SHORTCUT FILE TO LURE VICTIMS (CVE-2024-38112)
research.checkpoint.com/2024/r

Additional resource:
[2] msrc.microsoft.com/update-guid

Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471 #gethunting
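
The mhtml:/!x-usc: shortcut trick described above is easy to check for on disk, since a .url file is just an INI-style text file with a URL= value under [InternetShortcut]. The following is an added example for this feed, not code from Check Point's report or from Microsoft; the sample shortcut contents are constructed and the example.invalid hosts are placeholders, not real indicators.

```python
"""Flag Internet Shortcut (.url) files that use the mhtml: / !x-usc: trick to
force a link open in Internet Explorer (the CVE-2024-38112 lure).

Added example for this feed, not code from Check Point's report. The .url
contents below are constructed; the example.invalid hosts are placeholders.
"""
import re
from pathlib import Path
from typing import Dict, List

MHTML_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)
XUSC_RE = re.compile(r"!x-usc:", re.IGNORECASE)


def parse_url_file(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser for .url files: section -> key -> value.

    Hand-rolled because .url values routinely contain '%', ';' and '=' that
    trip configparser's defaults. Section and key names are lower-cased,
    values keep their case. A leading UTF-8 BOM is tolerated.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def analyze_url_file(text: str) -> List[str]:
    """Return the reasons a shortcut looks like an IE-forcing lure (empty list = nothing notable)."""
    target = parse_url_file(text).get("internetshortcut", {}).get("url", "")
    if not target:
        return ["no URL= value under [InternetShortcut]"]
    reasons: List[str] = []
    if MHTML_RE.search(target):
        reasons.append("URL uses the mhtml: handler, which hands the link to IE/MSHTML instead of the default browser")
    if XUSC_RE.search(target):
        reasons.append("URL contains !x-usc:, the redirect trick seen with CVE-2021-40444 and again with CVE-2024-38112")
    return reasons


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a tree (a mounted user profile, a mail attachment store) and report flagged .url files."""
    hits: Dict[str, List[str]] = {}
    for path in Path(root).rglob("*.url"):
        reasons = analyze_url_file(path.read_text(encoding="utf-8", errors="replace"))
        if reasons:
            hits[str(path)] = reasons
    return hits


# Constructed samples: a normal shortcut and one shaped like the lure in the report.
BENIGN = "[InternetShortcut]\r\nURL=https://www.example.invalid/docs\r\nIconIndex=0\r\n"
LURE = (
    "\ufeff[InternetShortcut]\r\n"
    "URL=mhtml:http://www.example.invalid/bait!x-usc:http://www.example.invalid/bait\r\n"
    "ShowCommand=7\r\nIconIndex=13\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("lure", LURE)):
        print(label, "->", analyze_url_file(sample) or ["clean"])
```

Both checks are deliberately narrow: a plain mhtml: target on its own is unusual enough to be worth a look, and the !x-usc: marker is the part that ties the sample to the earlier CVE-2021-40444 tradecraft, so the two reasons are reported separately rather than collapsed into one score.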

Just Another Blue Teamer (@LeeArchinal@ioc.exchange)
2024-07-10

Happy Wednesday, everyone!

I’m honored and proud to invite all my connections to join me at Cyborg Security & Intel 471’s Black Hat USA training for the second year in a row!

We cover everything from resources to use for research and models to use for communicating with your stakeholders to operationalizing intel to create a hypothesis to start a threat hunt. If you are a data junkie (like me) who loves diving into data and sifting through it, then this is the training for you! If any of this sounds fun, join my Black Hat USA training, titled “A Beginner’s Guide to Threat Hunting: How to Shift Focus from IOCs to Behaviors and TTPs”! You may have missed the early registration discount, but the regular registration discount is still available until July 19th!

I will be teaching two 2-day sessions. You can pick which one works with your schedule best and register here:

Aug 3rd - 4th: blackhat.com/us-24/training/sc

Aug 5th - 6th: blackhat.com/us-24/training/sc

I can't wait to meet everyone there. Until then, happy hunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471 #BlackHat

Just Another Blue Teamer (@LeeArchinal@ioc.exchange)
2024-07-10

Happy Wednesday everyone!

This is the second #readoftheday this week that involves eBooks being used as the lure for victims and in this case Trellix reveals that this eBook delivers a malware known as #ViperSoftX.

Once the victim downloads the archive file, they are presented with an eBook cover page, a hidden folder, a shortcut file, and three JPGs. These files are not what they seem, as you all may have guessed. One is an AutoIT script, one is the AutoIT executable, and the last is a PowerShell script. The shortcut file leads to the execution of the PowerShell code that unhides the hidden folder, checks the disk size of all drives, moves the AutoIT files to the AppData\Microsoft\Windows directory, and deletes the LNK files in the current directory.

A notable MITRE ATT&CK TTP here is the use of PowerShell encoded commands or T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File. This is a common technique that adversaries use to hide the true nature of the commands or communication with their C2 server.

As always, I am leaving you hanging and will be back for the Threat Hunting Tip of the day! While you are waiting patiently, go read the rest of the article, it has tons of details I left out! Enjoy and Happy Hunting!

The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution
trellix.com/blogs/research/the

Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471
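
Encoded PowerShell (T1027.013) is cheap to unwrap in a hunt: the value after -EncodedCommand is base64 over UTF-16LE text, so a decoder plus a small table of behaviours turns an opaque command line into something you can triage. The following is an added example for this feed, not code from the Trellix report; the process-creation records are constructed, and the decoded script inside them is made up to mimic the steps the post describes (unhide a folder, check drives, move files under AppData, delete the .lnk), not the real ViperSoftX script.

```python
"""Decode and triage PowerShell -EncodedCommand launches (T1027.013 / T1059.001).

Added example for this feed, not code from the Trellix report. The command
lines below are constructed; the embedded script mimics the steps described
in the post and is not the real ViperSoftX payload.
"""
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# Alternatives are longest-first so "-enc" is not consumed as "-e" + junk.
_FLAG = "|".join("ncodedcommand"[:i] for i in range(13, -1, -1))
ENC_RE = re.compile(rf"(?i)(?:^|\s)[-/]e(?:{_FLAG})\s+([A-Za-z0-9+/=]{{16,}})")

# Behaviours worth naming in a decoded script; order here is the report order.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "hidden-attribute-change": re.compile(r"(?i)\battrib\b[^;|\n]*[-+]h\b"),
    "drive-enumeration": re.compile(r"(?i)Get-PSDrive|Win32_LogicalDisk|Get-Volume"),
    "drop-under-appdata": re.compile(r"(?i)\$env:(?:LOCAL)?APPDATA|\\AppData\\"),
    "shortcut-cleanup": re.compile(r"(?i)Remove-Item[^;|\n]*\.lnk"),
    "download-cradle": re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"),
    "dynamic-eval": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
}


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not really base64
        return None
    return raw.decode("utf-16-le", errors="replace")


def triage(script: str) -> List[str]:
    """Name the behaviours in a decoded script that match the indicator table."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def hunt(log_lines: List[str]) -> List[Dict[str, object]]:
    """Walk process-creation records and report encoded launches with their indicators."""
    findings: List[Dict[str, object]] = []
    for line in log_lines:
        script = decode_encoded_command(line)
        if script is not None:
            findings.append({"line": line, "script": script, "indicators": triage(script)})
    return findings


# Constructed script that follows the steps in the post (not the real sample).
PAYLOAD = (
    r'attrib -h "$env:USERPROFILE\Downloads\ebook\data"; '
    r'Get-PSDrive -PSProvider FileSystem | Select-Object Name, Used, Free; '
    r'Move-Item "$env:USERPROFILE\Downloads\ebook\data\*" "$env:APPDATA\Microsoft\Windows\"; '
    r'Remove-Item "$env:USERPROFILE\Downloads\ebook\*.lnk"'
)
# Constructed process-creation records: "<parent image>|<image>|<command line>".
LOG_LINES = [
    "explorer.exe|powershell.exe|powershell.exe -NoProfile -w hidden -enc " + encode_ps(PAYLOAD),
    "cmd.exe|powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "svchost.exe|notepad.exe|notepad.exe C:\\Users\\bob\\notes.txt",
]

if __name__ == "__main__":
    for f in hunt(LOG_LINES):
        print(f["indicators"])
        print(f["script"])
```

Note that -ExecutionPolicy also starts with -e; the flag regex only accepts prefixes of "EncodedCommand" followed by whitespace, so the second record is correctly ignored. In an EDR that already decodes the flag for you, only triage() is needed.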

Just Another Blue Teamer (@LeeArchinal@ioc.exchange)
2024-07-09

Good day everyone!

Kaspersky brings us today's #readoftheday!

A new APT targeting the Russian government has been dubbed CloudSorcerer. "It's a sophisticated cyberespionage tool used for stealth monitoring, data collection, and exfiltration" (we can start to create hypotheses that include the use of notable TTPs such as Discovery, Command and Control, and Collection). The malware's backdoor module collects information about the victim's machine, which includes the hostname, username, Windows subversion information, and system uptime. Then a pipe is created (in this case \\.\PIPE\[1428]; not sure if that is a constant) that connects to the C2 module process. The researchers state "It is important to note that all data exchange is organized using well-defined structures with different purposes, such as backdoor command structures and information gathering structures."

Aaaaaaand this is where I am going to leave you hanging, on a nice cliff! Go and read the article and find out the rest of the details and for your threat hunting tip! Enjoy and Happy Hunting!

CloudSorcerer – A new APT targeting Russian government entities
securelist.com/cloudsorcerer-n

Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471 #gethunting

Just Another Blue Teamer (@LeeArchinal@ioc.exchange)
2024-07-08

Happy Monday everyone!

AhnLab, Inc. Security Intelligence Center (ASEC) brings us another technical report, this time on #AsyncRAT and how adversaries are disguising it as an E-Book, in the #readoftheday!

When a victim downloads what they think is an e-book, a malicious LNK file contains a PowerShell script, another compressed file masquerading as a video extension, and then a normal e-book file (gotta give the victim what they are expecting or run the risk of being caught). The script that runs modifies the attributes of the PowerShell script to hidden and then scans the machine for security products. These results will determine what the malware does next, but in each of the three methods it leads to some sort of scheduled task being used! There are plenty more details here, but don't take my word for it, read it! Enjoy and Happy Hunting!

AsyncRAT Disguised as an E-Book
asec.ahnlab.com/ko/67571/

Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471 #gethunting

Just Another Blue Teamer (@LeeArchinal@ioc.exchange)
2024-07-05

For your Friday Threat Hunting!

So as not to leave you empty-handed: take this Community Hunt Package with you if you are hunting for GootLoader (if you are a customer of Cyborg Security, we have an entire Hunt Package Collection looking for different TTPs and behaviors)!

This hunt package is designed to capture activity associated with a scheduled task which includes abnormal locations in its details for execution. Enjoy and Happy Hunting!

Scheduled Task Executing from Abnormal Location
hunter.cyborgsecurity.io/resea

Intel 471 #CyberSecurity #ITSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting #Intel471

Just Another Blue Teamer (@LeeArchinal@ioc.exchange)
2024-07-03

Happy Wednesday, everyone!

I’m honored and proud to invite all my connections to join me at Cyborg Security & Intel 471’s Black Hat USA training for the second year in a row!

Ever wanted to see what a threat hunt looks like from start to finish? Curious about the tools and resources we use to research and communicate with stakeholders? Or maybe you’re just a data junkie (like me) who loves diving into data, sifting through it, and finding valuable insights? If any of this sounds fun, join my Black Hat USA training, titled “A Beginner’s Guide to Threat Hunting: How to Shift Focus from IOCs to Behaviors and TTPs”!

You may have missed the early registration discount, but the regular registration discount is still available until July 19th!

I will be teaching two 2-day sessions. You can pick which one works with your schedule best and register here:
- Aug 3rd - 4th: blackhat.com/us-24/training/sc
- Aug 5th - 6th: blackhat.com/us-24/training/sc

I can't wait to meet everyone there. Until then, happy hunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471 #BlackHat

Just Another Blue Teamer (@LeeArchinal@ioc.exchange)
2024-07-03

Happy Wednesday everyone!

Today's #readoftheday comes from Fortinet Labs researchers who documented an attack that was using the spyware #MerkSpy, delivered by exploiting CVE-2021-40444, a remote code execution vulnerability in MSHTML that affects Microsoft Windows [2]. Like most spyware, it has the capabilities to capture screenshots, log keystrokes, and access the MetaMask extension (an extension designed to allow users to buy/sell crypto). Check out the full article for all the amazing technical details, this is just a small summary!

Threat Hunting Tips:
This spyware gains persistence (TA0003) by using the age-old technique of abusing the functions of the Windows Registry Run key (T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder). Anything stored under this registry key (*\Software\Microsoft\Windows\CurrentVersion\Run) is executed at startup. This could be helpful if there is an application that someone uses every day OR it could be helpful for the adversary to get repeatable access to a victim's machine! Either way, this is a location that I would keep my eye on! Enjoy and Happy Hunting!

MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems
fortinet.com/blog/threat-resea

Additional resources:
[2] msrc.microsoft.com/update-guid

Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting #Intel471
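
The Run-key persistence in this post and the "Scheduled Task Executing from Abnormal Location" hunt package (and the scheduled tasks the AsyncRAT e-book write-up ends in) come down to the same question: does the command line of an autostart entry point at a directory a normal user can write to? The following is an added example for this feed that answers that for both sources at once; it is not the Cyborg Security hunt package and not code from the Fortinet or AhnLab reports. The .reg export and task XML are constructed samples, the user name "victim" and every path in them are made up, and the %VAR% expansion table and the list of "abnormal" directories are assumptions to tune for your own estate.

```python
"""Hunt Registry Run values (T1547.001) and Scheduled Task actions (T1053.005)
that execute from user-writable ("abnormal") locations.

Added example for this feed; not the Cyborg Security hunt package and not code
from the Fortinet or AhnLab write-ups. The .reg dump and task XML below are
constructed: the user "victim" and every path are made up.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Assumed %VAR% expansions for the constructed user; on a real host take them
# from the profile, or use the already-resolved paths in your EDR telemetry.
ENV: Dict[str, str] = {
    "%SYSTEMROOT%": r"C:\Windows",
    "%PROGRAMDATA%": r"C:\ProgramData",
    "%PUBLIC%": r"C:\Users\Public",
    "%USERPROFILE%": r"C:\Users\victim",
    "%APPDATA%": r"C:\Users\victim\AppData\Roaming",
    "%LOCALAPPDATA%": r"C:\Users\victim\AppData\Local",
    "%TEMP%": r"C:\Users\victim\AppData\Local\Temp",
}
# Directories an interactive user can write to (assumption; tune it, and allow-list
# the legitimate per-user installs such as OneDrive or Teams that also live under AppData).
ABNORMAL_RE = re.compile(r"(?i)\\(AppData|Temp|Public|Downloads|Desktop|\$Recycle\.Bin)\\")
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def expand_env(path: str) -> str:
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).upper(), m.group(0)), path)


def abnormal_paths(cmdline: str) -> List[str]:
    """Quoted or backslash-bearing tokens of a command line that land in an abnormal directory."""
    hits: List[str] = []
    for quoted, bare in TOKEN_RE.findall(cmdline):
        token = quoted or bare
        if "\\" in token or "%" in token:
            expanded = expand_env(token)
            if ABNORMAL_RE.search(expanded):
                hits.append(expanded)
    return hits


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape \ and " with a backslash


def parse_reg_run_values(reg_text: str) -> List[Dict[str, str]]:
    """String values under any ...\\Run or ...\\RunOnce key of a `reg export` dump.

    REG_EXPAND_SZ values are exported as multi-line hex(2): blobs and are skipped here.
    """
    entries: List[Dict[str, str]] = []
    key = ""
    for line in reg_text.splitlines():
        line = line.strip()
        if m := REG_KEY_RE.match(line):
            key = m.group(1)
        elif (m := REG_VALUE_RE.match(line)) and re.search(r"(?i)\\Run(Once)?$", key):
            entries.append({"name": _unescape(m.group(1)), "command": _unescape(m.group(2)), "source": key})
    return entries


def parse_task_actions(task_xml: str) -> List[Dict[str, str]]:
    """Exec actions of an exported task (schtasks /query /xml). Real files are UTF-16: read them as bytes."""
    root = ET.fromstring(task_xml)
    uri = root.findtext(f"{TASK_NS}RegistrationInfo/{TASK_NS}URI", default="?")
    actions: List[Dict[str, str]] = []
    for ex in root.iter(f"{TASK_NS}Exec"):
        cmd = ex.findtext(f"{TASK_NS}Command", default="").strip()
        args = ex.findtext(f"{TASK_NS}Arguments", default="").strip()
        actions.append({"name": uri, "command": f"{cmd} {args}".strip(), "source": "scheduled task"})
    return actions


def hunt(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep the persistence entries whose command line references an abnormal location."""
    return [{**e, "abnormal": bad} for e in entries if (bad := abnormal_paths(e["command"]))]


# Constructed `reg export HKCU\...\Run` output: one vendor tray app, one script under AppData.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /minimized"
"WindowsUpdateCheck"="powershell.exe -w hidden -File \"%APPDATA%\\Microsoft\\Windows\\upd.ps1\""
'''
# Constructed task export (declaration omitted so the sample parses as a str).
TASK_SAMPLE = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\EbookReader\Sync</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>//B "C:\Users\victim\AppData\Local\Temp\reader.vbs"</Arguments>
  </Exec></Actions>
</Task>'''

if __name__ == "__main__":
    for hit in hunt(parse_reg_run_values(REG_SAMPLE)) + hunt(parse_task_actions(TASK_SAMPLE)):
        print(hit["source"], "|", hit["name"], "|", hit["abnormal"])
```

The same abnormal_paths() check works on the raw command line from a process-creation event, so the hunt can be run against EDR telemetry as well as against exported Run keys and task XML. Expect noise from per-user installers; the right fix is an allow-list of known-good paths, not widening the regex.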
