Intel-Ops

113 posts


@Intel_Ops_io

Adversary Infrastructure Hunting & Training Curated Threat Intelligence Feed (Coming Soon) https://t.co/N9OKrTrvV0 https://t.co/3YFZfEbgpI

Joined January 2024
4 Following, 2.4K Followers
Pinned Tweet
Intel-Ops @Intel_Ops_io
🚨New Partnership Announcement!🚨 All students will receive enhanced access to @Validin providing improved hunting capabilities. Upcoming training on Validin and real-life use cases tracking threat actors are on the way! inc. dedicated Discord channel for Validin. 🔥🔥🔥
Intel-Ops @Intel_Ops_io
Infrastructure predominantly distributed across Flyservers S.A. hosting, but the following also used: HOSTKEY-USA, Global Layer B.V., Bunea TELECOM SRL, DATAHOME S.A, Krez 999 Eood, Fbw Networks SAS.
Intel-Ops @Intel_Ops_io
Activity: Chaos Remote Administration Tool. Hijack Loader delivers StealC, Danabot. FakeUpdates delivers Rhadamanthys. PowerShell to retrieve payloads. Historical use of Cobalt Strike and Metasploit. Cerber and Xorist ransomware samples identified.
Intel-Ops @Intel_Ops_io
We're tracking an interesting cluster linked to ShadowSyndicate that suggests that the operators are involved in various initial access campaigns, leverage multiple post-exploitation techniques, tools and ransomware.
Intel-Ops @Intel_Ops_io
New impersonation domains for @anydesk and @NotionHQ delivering malicious MSI packages, likely via SEO poisoning: 45.93.20[.]93 - AS 57523 (Chang Way Tech Co. Ltd) amydlesk[.]com (0/93) notlilon[.]co (1/93) notliion[.]com (8/93)
Intel-Ops @Intel_Ops_io
Interesting recently created (2024-05-22) domain impersonating @GEHealthCare. Resolving to 46.101.212[.]131, running #CobaltStrike server. Using @Huntio we can see: ➡️the DNS record, ➡️Hoster: @digitalocean, ➡️Watermark: 987654321 (cracked version).
Intel-Ops retweeted
Michael Koczwara @MichalKoczwara
APT43/Kimsuky (Black Banshee)🇰🇵 H/T @1ZRR4H
Intel-Ops retweeted
Michael Koczwara @MichalKoczwara
We are pleased to announce a new partnership between @Intel_Ops_io and @Huntio🤝 This partnership will provide all current and new IntelOps students with access to the Hunt.io platform. Students will learn to use the platform effectively for exploring new pivoting methods and hunting for malicious infrastructure, including new C2s🥷, APTs 🇮🇷 🇰🇵 🇷🇺 🇨🇳 and ransomware groups 🔐 hunt.io academy.intel-ops.io/courses/huntin…
Intel-Ops retweeted
Michael Koczwara @MichalKoczwara
Cybersecurity "experts" be like... APTs in 2024 will be using Artificial Intelligence to create undetectable malware, payloads, zero-day exploits, cyber weapons, and probably some cyber nuclear bombs too🥱 Meanwhile, APTs (Muddy Water 🇮🇷) in 2024 🙃
Intel-Ops retweeted
Michael Koczwara @MichalKoczwara
This one is a good example of how infrastructure is reused by different actors. 216.189.159[.]34 - BianLian Ransomware💰 216.189.159[.]34 - North Korean APT 🇰🇵 @Intel_Ops_io
Intel-Ops retweeted
Validin @ValidinLLC
New feature now available to premium AND community users! Per popular request, Validin now supports pivoting of certificate SHA256 hashes in addition to SHA1. This pivot makes it easier to continue searches from or on other platforms that favor SHA256.
Intel-Ops @Intel_Ops_io
Coming soon, students will also be able to have access to the @Huntio platform to use for Threat Hunting!
Intel-Ops @Intel_Ops_io
To conduct similar analysis and track threats such as these, we offer students a "Hunting Adversary Infrastructure" course: academy.intel-ops.io - students gain special Intel-Ops accounts for the @ValidinLLC platform (additional query and API credits) to help with learning.
Intel-Ops @Intel_Ops_io
🚨Hunting Black Basta's Cobalt Strike🧵 Intel-Ops is actively tracking #CobaltStrike servers in the wild, including those deployed by #BlackBasta. In this post, we’ll cover some findings from our analysis of #C2 servers included in the FBI/CISA advisory. medium.com/@Intel_Ops/hunting-black-bastas-cobalt-strike-96a81a6ea781