Damag3dRoot

50 posts

@Damag3dRoot

Cyber Analyst - Malware - Threat intel

Joined March 2024
205 Following 116 Followers
Damag3dRoot reposted
Israel
Israel@f1tym1·
CTI Research: Sandworm / APT44 ift.tt/SXM19Tq Evidence-Labeled Threat Intelligence Assessment and SOC Defensive Guidance (2009 — March 2026) Table of Contents Report Metadata Methodology & Evidence Labels Confidence & What Changes Confidence Executive Summary Ac…
Damag3dRoot reposted
VECERT Analyzer
VECERT Analyzer@VECERTRadar·
🚨 CRITICAL THREAT ALERT: NUCLEAR SCADA SYSTEM COMPROMISE 🚨 🏢 Victim: Golfech Nuclear Power Plant (NPP) - Unit 2 👤 Threat Actor: Apollon / MONARCH (Russian-affiliated) 🗓️ Date: 2026-03-12 🇫🇷 Country: France The threat organization "MONARCH" has released visual evidence of unauthorized access to the Golfech Nuclear Power Plant in France. The actor, "Apollon," claims they have bypassed security to gain full control over the secondary coolant loop. Screenshots show a SIEMENS HMI (Human-Machine Interface) panel for Unit 2, as well as evidence of lateral movement within the SCADA-02 operator network and the execution of PowerShell scripts on internal systems. The visual proof includes internal IP addresses and server logs from GOLFECH-SCADA-02. Infrastructure security teams must immediately audit all SIEMENS HMI interfaces and monitor for unauthorized logins in ICS/SCADA environments. Monitor: analyzer.vecert.io #ThreatIntel #CyberSecurity #France #NuclearSecurity #Golfech #SCADA #ICS #InfoSec #CriticalInfrastructure #MonarchAttack
Damag3dRoot reposted
Microsoft Threat Intelligence
Microsoft Threat Intelligence@MsftSecIntel·
The cybercriminal threat actor tracked by Microsoft Threat Intelligence as Storm-2561 is running an SEO-poisoning campaign that redirects people searching for enterprise VPN software to spoofed sites and malicious ZIP downloads leading to credential theft. msft.it/6019Qlydd The ZIP file contains a malicious, digitally signed installer that masquerades as a trusted VPN client. The attack chain ultimately loads a variant of Hyrax infostealer that captures VPN sign-in credentials and VPN configuration data, and exfiltrates it to attacker infrastructure. Read the full Microsoft Defender Experts analysis of the tactics, techniques, and procedures (TTPs) and indicators of compromise of this Storm-2561 campaign, and get protection, detection, and hunting guidance:
Damag3dRoot
Damag3dRoot@Damag3dRoot·
How to investigate malicious IP: Methodology medium.com/@DamagedRoot/how-to-malicious-ip-investigation-complete-methodology-part2-95cba8cb93c1
Damag3dRoot
Damag3dRoot@Damag3dRoot·
How to investigate malicious IP? medium.com/@DamagedRoot/how-to-malicious-ip-investigation-complete-methodology-phase-1-b0033cdb2340
Damag3dRoot reposted
vx-underground
vx-underground@vxunderground·
This is really cool. I like this code, proof-of-concept, and paper A LOT. Basically he is modifying the raw bytes of .LNK files (Windows shortcuts) to make them perform malicious actions while also operating correctly as a .LNK file. When examined from the user they will appear completely legitimate, but it's not. This is really, really, really cool. This is a great malware technique. I can't recall the last time I read anything on .LNK files being abused in this manner. Historically they're "hijacked", not modified at the byte level. My only criticism is he wrote this proof-of-concept in Python (not C or C++, like a gangster). Excellent work.
Wietze@Wietze

Can LNK files ever be trusted? ⚡ My latest blog post demonstrates several new LNK abuse methods, allowing you to fully spoof the target shown in Explorer. It also introduces tools to create your own LNKs, and to detect spoofed ones yourself. 🐬 wietzebeukema.nl/blog/trust-me-…

Damag3dRoot reposted
Microsoft Threat Intelligence
Microsoft Threat Intelligence@MsftSecIntel·
Microsoft Defender researchers observed attackers using yet another evasion approach to the ClickFix technique: Asking targets to run a command that executes a custom DNS lookup and parses the `Name:` response to receive the next-stage payload for execution.
Damag3dRoot reposted
SpecterOps
SpecterOps@SpecterOps·
WSL2 is a powerful attacker hideout because it runs as a separate Hyper-V VM, and defenders rarely monitor it. Daniel Mayer explains how attackers pivot into WSL2 and what it took to build tooling that works across WSL2 versions. Read more ⤵️ ghst.ly/45fPUma
Damag3dRoot reposted
Bert-Jan 🛡️
Bert-Jan 🛡️@BertJanCyber·
Pushed a script that lists the browser extensions of Chrome, Edge and Firefox. If you do not have TVM premium you know the struggle. Recommended to use in Live Response to speed up your browser-based investigations. github.com/Bert-JanP/Inci…
Damag3dRoot reposted
Bitshadow
Bitshadow@fbgwls245·
New Orion #Ransomware Leak Site👀 13 Victims cjfntkj5qeizxowuy3srceg7zo6namc3kfeor7pfn6bpdkl3w265ooid[.]onion
Damag3dRoot reposted
RussianPanda 🐼 🇺🇦
RussianPanda 🐼 🇺🇦@RussianPanda9xx·
NEW BLOG: The Great VM Escape 💕 We caught threat actors deploying a VMware ESXi exploit toolkit in the wild - potentially was a zero-day developed over a year before VMware's disclosure 👀 If anyone has thoughts on it let me know, but I needed almost a full case of beer to wrap my head around this one 🍺 Full technical breakdown 👇 huntress.com/blog/esxi-vm-e…
Damag3dRoot reposted
Clandestine
Clandestine@akaclandestine·
GitHub - yogeshHax/ZeroPoint-Intel: ZeroPoint Intel is a full-stack Threat Intelligence system that autonomously scans global feeds for critical CVEs and Zero-Day exploits. It features real-time risk scoring, strict asset monitoring, and instant github.com/yogeshHax/Zero…
Damag3dRoot reposted
Clandestine
Clandestine@akaclandestine·
GitHub - rubenformation/ms-photos_NTLM_Leak: New 0-day vulnerability allowing NTLM hashes to be leaked from browsers with one click github.com/rubenformation…
Damag3dRoot reposted
Dark Web Informer
Dark Web Informer@DarkWebInformer·
I created a new GitHub repo for tracking daily hunting findings: exposed servers, open ports, and infrastructure linked to threat activity. I will format what I have already added in the coming days. github.com/DarkWebInforme…
Damag3dRoot
Damag3dRoot@Damag3dRoot·
🚶‍➡️🚶‍➡️🚶‍➡️👨‍🦯‍➡️PoC Implementation combining Stack Moonwalking and Memory Encryption. 🌕 github.com/klezVirus/Moon…