Bernard SB

1.9K posts


@0x90b

EHLO, Email and Malware Security Researcher @SpiderLabs

Makati · Joined June 2017
1.6K Following 133 Followers
Bernard SB reposted
SpiderLabs
SpiderLabs@SpiderLabs·
⚠️ #MalspamAlert: Shipment-themed campaign impersonating a logistics company delivering STRRAT via JAR loader. The lure references shipping documents and a Bill of Lading to pressure recipients into opening the attachment. The attached JAR file acts as a loader, pulling a second-stage JAR from a remote staging server that deploys the STRRAT RAT. Persistence is established through Run registry keys and scheduled tasks. STRRAT enables credential theft, keylogging, and remote access. IOCs: JAR Loader (00192910302FCL.jar) 4898b9c79f4c7fe2abaf251167fe2c3ede4e6e4493d2e15ec8ca9f06ba231339fb1e28d37d5c8cfa78440aa299a33876 STRRAT 67299adbcb422b3bb5191206af392a563dc85de237521ccd780df7ed8236de0c07b3f30bfa5704d24c745b2d424ad166 Staging URL: hxxp[://]45[.]153[.]34[.]209:5001/storage/06d00e3f266343c0.jar C2: strigsfrommarch26.myddns[.]com:7888, update-service.dynssl[.]com:7881
Bernard SB reposted
SpiderLabs
SpiderLabs@SpiderLabs·
#MalspamAlert: An ongoing spam campaign distributes PDF documents that trick users into visiting a fake Adobe Acrobat download page. Instead of legitimate software, victims install remote monitoring and management (RMM) tools that provide threat actors persistent remote access to their systems. Abusing trusted RMM tools helps threat actors blend in as normal IT activity while bypassing security controls. #ThreatIntel #RMMAbuse #MailMarshal #LevelBlue #IoCs: Redirect URL hxxps[://]99d04a7a-345a-487c-8ea3-a9a626aa773e-00-3qpe7rminty[.]com/e/WlppNUlubg Download page hxxps[://]adb-pro[.]design/Adobe/landing[.]php scanned_document.pdf 0432f2e433bf42aaff0f078d500dd6f47c2500a8c8560601d8eadd0d9b365861 Adobe_Reader_Installer.exe (TrustConnect) edde2673becdf84e3b1d823a985c7984fec42cb65c7666e68badce78bd0666c0 Adobe_Reader_Installer.exe (Datto RMM) ae42e874b598cce517c40f9314bdef94828ba20f15bb7f8026187573f26fff9f
Bernard SB reposted
Rootkit Randy
Rootkit Randy@EzeSecOps·
Exam Voucher Giveaway Prize: CISSP How to enter: - Follow me - Retweet this post Picking a winner in 7 days. Good luck! (Please make sure your DMs are open)
Bernard SB
Bernard SB@0x90b·
@ineesdv Excellent write-up and a strong technical breakdown!
Bernard SB reposted
Inés
Inés@ineesdv·
Tangled is a social engineering platform that weaponizes calendar event processing in Outlook and Gmail to deliver spoofed meeting invites that are automatically added to a user's calendar without interaction. github.com/ineesdv/Tangled Technical breakdown: tarlogic.com/blog/abusing-c…
Bernard SB reposted
SpiderLabs
SpiderLabs@SpiderLabs·
#MalwareAlert: A new "Executive Award" campaign delivers a two-stage hit. First, a polished HTML phish steals credentials straight to Telegram C2. Then, a malicious SVG triggers a PowerShell #ClickFix chain that installs the #Stealerium infostealer via multi-stage loaders. One lure = stolen credentials + malware infection. #cybersecurity #malware #mailmarshal #IoCs: Virtual-Gift-Card-Claim.html 4db5c047a1cfd9ee5f8da8611c30889b 7cb2fa5762cb71120e16e9a778c5a1f1c3649aa02e06f837bf142885b98ee58c account-verification-form.svg 5ed74724b45d28825d93f21097dc2475 2f5973d9515b15273dbf64ad0542b27d752814d794752b41c912d18db747993e Stealerium DLL 602ac35cc1e49320493eb54bde62b760 88feadbb2f9548d3c0cb9c6519bcea476acf9ac2a3eeccde5655457cbba29db4 Telegram Exfil (Phish) Bot: 6926474815:AAHMa86FvgJGailNJ2EzmIgA8hk_nzb5KvA Chat ID: 875787587 Telegram Exfil (Stealerium) Bot: 6926474815:AAFx9tLAnf5OAVQZp2teS3G2_6T1wCP67xM Chat ID: -4224073938 Download URLs hxxp[://]31[.]57[.]147[.]77:6464/getcmd hxxp[://]31[.]57[.]147[.]77:6464/gethta hxxp[://]31[.]57[.]147[.]77:6464/getexe hxxp[://]31[.]57[.]147[.]77:6464/getdll hxxp[://]31[.]57[.]147[.]77:6464/getps hxxp[://]31[.]57[.]147[.]77:6464/getbatch Stealerium C2 URL: hxxp[://]31[.]57[.]147[.]77:6464 Key: StealeriumC2SecretKey123
Bernard SB
Bernard SB@0x90b·
Wild to see my Grandoreiro research pop up in Interpol-related security circles lately. Didn’t expect that one 😅
Bernard SB reposted
Virus Bulletin
Virus Bulletin@virusbtn·
AhnLab Security Intelligence Center details campaigns in which attackers deploy LogMeIn Resolve or PDQ Connect from fake utility sites and use them to execute PowerShell and drop PatoRAT on victim hosts. asec.ahnlab.com/en/90968/
Bernard SB reposted
blackorbird
blackorbird@blackorbird·
ToolShell Mass Exploitation (CVE-2025-53770): stealing machine keys to maintain persistent access. SharePoint -> the Exchange server is the next target. research.eye.security/sharepoint-und…
Bernard SB reposted
SpiderLabs
SpiderLabs@SpiderLabs·
🚨 #MalwareAlert: We spotted a malicious campaign abusing #LogMeIn Resolve remote access software to compromise user systems. The attack begins with an invoice-themed spam email that tricks targets into opening a PDF. The document urges an Adobe Acrobat update to view the invoice but silently installs the remote access tool, granting attackers control over the system. Stay vigilant! Avoid installing software from untrusted prompts. IOCs: Download URL hxxps[://]overdue-invoices-distributed[.]netlify[.]app/success[.]html INV-inv002811.exe dbfd65386e28097f2dbe21eadbbdba37 8d50c26c4a9d4325d5febfb6da647fc382dee224db03cee994e6021f9b50941d Attached_Overdue_Statement.exe 366205d586e4ebccca7d18307fb7e051 e3e183ddee889b999564fc7d4c7c29ea7825faee03b775f2fa7c72263605b1c8 LogMeIn Resolve Config: CompanyID 7051889796388834818 2462565644419079679 FleetTemplateName syn-prd-ava-unattended #MailMarshal #Cybersecurity #Malware #iocs
Bernard SB reposted
SpiderLabs
SpiderLabs@SpiderLabs·
🪝🚨 #Phishing Alert: We've identified Tycoon2FA-linked campaigns targeting #Microsoft 365 users that use malformed URLs with a backslash character (e.g., https:\\). Despite the malformed format, most browsers still resolve these links, leading victims to credential harvesting pages. Threat actors exploit this behavior to bypass email security filters and evade URL-based detection systems. #Scams #CyberSecurity #MailMarshal #Spiderlabs #Cybercrime #Tycoon #Tycoon2FA #Storm1575 #PhaaS #2FA #phishkit IOCs: •hxxps[://]microsftmailonlinenyukmvdx2t[.]lgotsna[.]es/ •hxxps[://]googleads[.]g[.]doubleclick[.]net/pcs/click?adurl=%68%74%74%70%73%3A%2F%2F%34%38%33%39%37%39%34%33%39%38%33%34%39%33%34%33%2D%67%34%65%79%64%71%64%6B%67%75%68%63%64%76%67%73%2E%7A%30%32%2E%61%7A%75%72%65%66%64%2E%6E%65%74# •hxxps[://]783784387348438743-fkhghccdfzc8e8cd[.]z02[.]azurefd[.]net/ •hxxps[://]4839794398349343-g4eydqdkguhcdvgs[.]z02[.]azurefd[.]net •hxxps[://]sdnxk0t5-q[.]alt-bq-4o27qr9a[.]workers[.]dev •hxxps[://]9kp6wgtaqr[.]cloudflareemail2109399[.]workers[.]dev
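Added example for the backslash trick in the post above (my code, not SpiderLabs' or the original poster's): a small normaliser that models the WHATWG rule browsers follow for http/https (a backslash is accepted wherever a slash belongs), so a mail filter extracts the same host the victim's browser will connect to, plus a simple tell for the malformed shape. The hostnames are constructed placeholders, not indicators from the post.

```python
import re
from urllib.parse import urlsplit

# Schemes the WHATWG URL parser calls "special": for these, browsers accept a
# backslash wherever a forward slash belongs (scheme separator and path).
SPECIAL_SCHEMES = {"http", "https", "ftp", "ws", "wss", "file"}
_SCHEME_RE = re.compile(r"^\s*([a-zA-Z][a-zA-Z0-9+.\-]*):(.*)$", re.S)


def browser_normalize(url: str) -> str:
    """Rewrite a URL the way a browser resolves it (backslash-as-slash rule only).

    Percent-decoding, IDNA and other canonicalisation steps are out of scope.
    """
    m = _SCHEME_RE.match(url)
    if not m:
        return url.strip()
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme not in SPECIAL_SCHEMES:
        return f"{scheme}:{rest}"
    # Query and fragment keep their backslashes; only authority + path change.
    cut = min([len(rest)] + [i for i in (rest.find("?"), rest.find("#")) if i != -1])
    head, tail = rest[:cut], rest[cut:]
    head = head.lstrip("/\\").replace("\\", "/")
    return f"{scheme}://{head}{tail}"


def has_backslash_separator(url: str) -> bool:
    """Detection tell: a web scheme whose separator contains a backslash."""
    return re.match(r"^\s*(?:https?|ftp):[/\\]*\\", url, re.I) is not None


def naive_host(url: str):
    """What an RFC 3986 parser sees: after 'https:' a backslash means no authority."""
    return urlsplit(url.strip()).hostname


def browser_host(url: str):
    """Host the victim's browser will actually connect to."""
    return urlsplit(browser_normalize(url)).hostname


def hits_blocklist(url: str, blocked_hosts) -> bool:
    """Match on the browser's view of the host, not on the raw string."""
    return browser_host(url) in blocked_hosts


# Constructed sample lure (placeholder host), shaped like the post's https:\\ links.
SAMPLE = "https:\\\\login-microsoft.example.test\\common\\oauth2?client=1"

if __name__ == "__main__":
    print(naive_host(SAMPLE), browser_host(SAMPLE), has_backslash_separator(SAMPLE))
```

A filter that keys on the raw string (or on `urlsplit` alone) sees no host for the sample, while the browser view yields the real destination; normalise first, then match.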
Bernard SB reposted
SpiderLabs
SpiderLabs@SpiderLabs·
🪝 #PhishingAlert: Fraudsters are now faking doctor’s appointments in new Callback Phishing campaign! 🩺 This phishing email is posing as a medical platform, tricking the recipient with a fake appointment to get them to call the bogus hotline to cancel the supposed visit. #CyberSecurity #MailMarshal #Phishing
Bernard SB reposted
SpiderLabs
SpiderLabs@SpiderLabs·
🚨 #MalspamAlert: We’ve spotted a campaign delivering #RemcosRAT, using a fake payment SWIFT copy to lure victims. The attached PDF links to an obfuscated JavaScript file that uses ActiveXObject to fetch a second-stage script. This script invokes PowerShell to download and decode an image hosted on archive.org, which appears harmless but conceals the Remcos payload using steganography. #IoCs: URLs hxxps[://]huadongarmouredcable[.]com/pdf/default[.]php hxxp[://]whiteafrica[.]lovestoblog[.]com/arquivo_8c092766561d46738b51ca112074f5d9[.]txt hxxp[://]whiteafrica[.]lovestoblog[.]com/arquivo_ba000f161f624940a1b722da3c40e06b[.]txt hxxps[://]archive[.]org/download/new_image_20250413/new_image[.]jpg C2 server tcp[://]www[.]rickscottflorida[.]com:2404 Swift[0-9]{5}.js 3f83dc5091032487182bba6727eb9b8d 2f12470db4f787de480173d34fd69d78e53f265e229d9ee93cc278d7fe1ecfb9
Bernard SB reposted
SpiderLabs
SpiderLabs@SpiderLabs·
#Cybercriminals are increasingly weaponizing SVG images in #phishing attacks, embedding malicious scripts within seemingly innocent graphics to bypass traditional security measures. 🪝SVG-borne threats spiked nearly 300% from February to March. 😳 #SpiderLabs explores the intel: the phishing campaigns, the embedded scripts, and provides recommendations to prevent exploitation: hubs.ly/Q03gW4Qk0 Bottom line: don’t fall for pixel-perfect tricks! 🖼️
Bernard SB reposted
SpiderLabs
SpiderLabs@SpiderLabs·
🚨 #MalwareAlert: #Cybercriminals are using fake legal threats to trick users into installing the DarkCloud infostealer. Fraudulent summons and litigation notices pressure victims to act within 24 hours. They disguise the payload as a ZIP archive, bundling a Steam Error Reporter executable with a malicious vstdlib_s64.dll to deploy DarkCloud via DLL sideloading. #IoCs:
Notice Letter (26 02 2025) 0349823.exe, Letter of claim (26 02 2025) 0349823.exe [Steam Error Reporter]: a3d33d33f8b10595c252ee8e61a8892c, f8bf529297b99ebdd0d6214a1a8a20bffb1bd875
vstdlib_s64.dll: 90991fe4771d47c6d6a0f364417c0cd7, bf0584499aeca44b7bc1562cdf057f3156ad75af
C2: hxxps[://]api[.]telegram[.]org/bot8052153515:AAEy1R0ssCqYRtfr5MLZ5lbcuC9K_RdIieY/sendMessage?chat_id=5022382431
#CyberSecurity #MailMarshal #Malware #DarkCloud
Bernard SB reposted
SpiderLabs
SpiderLabs@SpiderLabs·
💻🚨 #MalwareAlert: Attackers are distributing a PDF disguised as a Booking.com “complaint.” The link directs users to a suspicious site featuring a fake CAPTCHA in a #pastejacking attack, tricking Windows users into pasting malicious commands. Final payload? #LummaStealer. #IoCs: karagulismerkezi[.]com booking[.]important-confiirm[.]com C2: futurisfticconcepts[.]top Lumma cb4338cf14eb6aca9f3deabd3af20ad3 a9c963f508783e2d5fdf8c96b6e98970a25dca2a #Malware #MailMarshal #CyberSecurity
Bernard SB
Bernard SB@0x90b·
You pressed the wrong button
Bernard SB reposted
SpiderLabs
SpiderLabs@SpiderLabs·
🚨 Beware of fake SSA notifications! These lead to fraudulent portals that auto-download #ConnectWise #ScreenConnect, which attackers abuse to take control of your device. Stay vigilant!🛡️ IoCs: hxxps://statement-certification[.]com/view?token hxxps://statement-certification[.]com/View/re hxxps://bitbucket[.]org/megan12/thankyou/downloads/ CnC: lucaria[.]site:49152 191[.]96[.]207[.]97:49152 Hashes: 9d636e359422652a86bd5ace9e39988318e7b9cf fe6e7c43205076528ecf6a4f24b07fcf07a64c5e f50f5be15273db9b229b3d80b3c20c13669c77b7 #CyberSecurity #Malware #IOC #StaySafeOnline #OnlineSafety #MailMarshal
Bernard SB reposted
SpiderLabs
SpiderLabs@SpiderLabs·
🚨 New delivery technique spotted! Threat actors abusing Atera RMM now use fake payment emails to lure victims. Leveraging HTML smuggling, they drop the same MSI installer for Atera directly on the target device. #MailMarshal #CyberSecurity #ThreatIntel
SpiderLabs@SpiderLabs

#Cybercriminals are actively abusing the legitimate Atera RMM tool in a spam campaign targeting Spanish-speaking users. Fraudulent emails, spoofing the Ministry of Mobility and Transportation of Mexico City, falsely claim a traffic speeding violation and offer a 50% discount for early payment. Attached is a ZIP file containing an MSI installer. When clicked, it deploys the Atera Agent, granting threat actors remote access to the victim's system. #IoCs: Infraccion=Multa.msi ca95e99d14a8ddfdf12406dd3d884888 c3f805710d62fd6f1f1258a4c6c64ca0a5f69b3c650f3714a02cc691b7ffba30 Atera Integrator Login: ibarra3168@gmail[.]com Atera Account ID: 001Q300000ODucuIAD
