dougy

921 posts

@R3dHash

Cyber Threat Intelligence | OSINT | Misinformation | Threat Hunting

Joined April 2018
2.5K Following, 863 Followers
dougy Retweeted
Who said what? @g0njxa
#3/3 - Windows malware: Windows users get on pwin[.]onelink[.]me/zmFc/dt38769z >> warboardgame[.]com/github-download.html. This fake GitHub download page is serving a ZIP download (image 1). The same template has been observed in the past serving other Windows stealers. Downloads are managed by warboardgame[.]com/archiveProxy.php, sending download stats to /statProxy.php. The build analyzed has been detonated here: app.any.run/tasks/83b9cbfe… ZIP sample -> 67fcd19f1be87ff47246a5fa40549df24da60eb81c62450efd5254fcb3628c1c. Inside the ZIP, a .vbs script downloads a build via PowerShell from botshield[.]vu/kFcjld. Once b64 decoded -> 15de71073f44c657c23f5f97caa11f1b12e654d4d17684bfc628cc1e5b6bcdd5. This file loads another file from the stealer C2 hxxp://45.93.20.61:5466/api/CryptoByte (4e90d386c1c7d3d1fd4176975795a2f432d95685690778e09313b4a1dbab9997). This file sends a log zip to hxxp://45.93.20.61:5466/api/upload. The sandbox log has been saved here -> 4ebbb900e083ccc240a8d354fb6466b339a5c4e7c1711a749ad00b1343bd96eb. In the log you can observe infected machine information (copying the format of Rhadamanthys) (image 3), a screenshot of the machine, default user agents used in browsers and a file "browser_decryption.log" that describes the runtime of an additional payload download from: hxxp://45.93.20.61:5466/api/client (751e45828a3ff877ed4add1508b3e54463376cfb11f3171bfac160653ca9813c). This build scans the system looking for browser installation folders, decrypting the browsers' encryption to extract data (such as the User Agent in this preliminary log sent to the C2), scans for crypto wallet files and extensions (which will also be extracted and sent in the log if found) and scans for and extracts Telegram session related files.
This file is also responsible for creating persistence on the machine with scheduled tasks via CLI and via an XML file (image 3). Additionally, and to finish, the build makes requests to hxxp://45.93.20.195:5000 on /api/get_credentials, /api/get_challenge and /api/get_port using a Python client. The client makes the machine establish and maintain a reverse SSH tunnel by retrieving SSH login credentials from the server (request a challenge, send a response, and decrypt credentials). Then the reverse SSH tunnel is established on a free port of the C2 requested previously, attempting to act as a SOCKS5 proxy. Thank you to whoever leaked/extracted a related client, we love you <3. It helps a lot to understand what is going on (image 4). 4893748008f7c2a1508bb1bb4fa16a7a92de658b89fe7cc1e68e05a02a9aa4b4 No further analysis has been done, feel free to play with it 🏁
dougy Retweeted
rat king 🐀 @MikeIsaac
Amazon's internal A.I. coding assistant decided the engineers' existing code was inadequate, so the bot deleted it to start from scratch. That resulted in taking down a part of AWS for 13 hours, and it was not the first time it had happened. Incredible. ft.com/content/00c282…
dougy Retweeted
Microsoft Threat Intelligence @MsftSecIntel
Microsoft Defender researchers observed attackers using yet another evasion approach to the ClickFix technique: Asking targets to run a command that executes a custom DNS lookup and parses the `Name:` response to receive the next-stage payload for execution.
dougy Retweeted
MalwareHunterTeam @malwrhunterteam
Possibly interesting "topwebcomicsv1.msi": 5a1c14335d0a8b007ff2813e6ef738e8836be38257cc82fe03c02b71d71e1b01 It is using Deno, "the next-generation JavaScript runtime". Seeing malware using Deno is not a common thing, at least not yet... 🤷‍♂️
dougy Retweeted
Who said what? @g0njxa
These fake Fortinet websites, still present in top browser search engine results, are now delivering a fake FortiClient app, signed "Taiyuan Lihua Near Information Technology Co., Ltd." (Certum-given). It's a phishing app that will send credentials to vpn-connection[.]pro. Based on other signed files with the same EV cert, the TA were recently also spreading applications impersonating Sophos, WatchGuard and Ivanti. Analysis: app.any.run/tasks/e83886f5…
Quoting Who said what? @g0njxa:
Watch out for fake Fortinet websites! Also do not blindly trust search engines' AI summarizations, as they can also lead to malicious redirects. These redirects lead the user to a phishing site asking for FortiClient credentials, sending them to myfiles2[.]download, and downloading legit builds as a decoy after a valid submission >> Redirect: vpn-fortinet[.]github[.]io, fortinet-vpn[.]com >> Phishing: vpn-fortinet[.]com
dougy Retweeted
Florian Roth ⚡️ @cyb3rops
MongoBleed (CVE-2025-14847) is basically Heartbleed for MongoDB - unauthenticated memory disclosure - public POC, trivial to exploit - leaks creds, tokens, cloud keys straight from RAM - huge exposed surface on the internet Good writeups and technical details here: doublepulsar.com/merry-christma… ox.security/blog/attackers… blog.ecapuano.com/p/hunting-mong… Patch fast, rotate secrets, and assume exposed instances were scanned(!)
dougy Retweeted
React @reactjs
We found that the fix to address the DoS vulnerability in React Server Components (CVE-2025-55184) was incomplete and does not prevent an attack in a specific case. This is disclosed as CVE-2025-67779. New patches are available now, please update immediately.
dougy Retweeted
abuse.ch @abuse_ch
We are excited that we were once again part of the coordinated international operation #OpEndgame 📣, taking action against the notorious information and credential stealer #Rhadamanthys 🕵️ We assisted in the takedown of threat actor infrastructure and share a full list of #Rhadamanthys botnet C2s on ThreatFox 🦊 Full list of Rhadamanthys botnet C2s: 📡threatfox.abuse.ch/browse/tag/OpE… Europol press release: 🚨 europol.europa.eu/media-press/ne…
dougy Retweeted
GangExposed RU @GangExposed_RU
Possible new leak of internal Conti / Trickbot chats. A valuable dataset of internal communications that appears to be missing from public leaks. Some conversations are dated 2019. Not previously published in Conti-Leaks; partially overlaps with Trick-Leaks, but in a different form. mega.nz/file/hsx0xQxA#…
dougy Retweeted
Intrinsec @Intrinsec
When you think there’s a new APT in town... Relax, it’s just our Red Team doing their thing (thanks to @Defte_ technique)😅 Want to improve your detections or challenge your team? Contact us!
Quoting Expel @ExpelSecurity:
⚠️ Our threat intel team just caught attackers using a clever new trick to bypass security tools: cache smuggling. Instead of downloading malware, they hide it in fake images that browsers automatically cache. Then PowerShell extracts and runs it—no web requests needed.
dougy Retweeted
Will @BushidoToken
⚠️ Breach Notification from F5 Networks: “In August 2025, we learned a highly sophisticated nation-state threat actor maintained long-term, persistent access to, and downloaded files from, certain F5 systems.” my.f5.com/manage/s/artic…
dougy Retweeted
Florian Roth ⚡️ @cyb3rops
Now you know why the China tab in the APT spreadsheet is the biggest one. You can only imagine the scale of damage their industrial espionage caused - and why some believe it’s far worse than anything ransomware groups ever did.
Quoting Xixi®茜茜大姐 🇨🇳🇭🇰🇲🇴 @Xixi_2328857214:
@sahilypatel From software, equipment to materials, China is reconstructing an entire ecosystem inside the country
dougy Retweeted
John Hultquist @JohnHultquist
We are releasing details on BRICKSTORM malware activity, a China-based threat hitting US tech to potentially target downstream customers and hunt for data on vulnerabilities in products. This actor is stealthy, and we've provided a tool to hunt for them. cloud.google.com/blog/topics/th…
dougy Retweeted
vx-underground @vxunderground
CyberNews pushed the same fucking story last year. It's even written by the same author. You can't keep fear mongering people every time a Threat Actor assembles a data leak package