J.A.

28 posts

@Jalbrec4

Security Researcher at Lookout, staring into the middle distance. Opinions are my own.

Joined August 2019
310 Following, 23 Followers
J.A. (@Jalbrec4)
@joinedserver @krzywix @iBSparkes @i41nbeer @_bazad @ProjectZeroBugs It's not known how it was leaked to be fair. Watering hole sites were scrubbed and delivery domains were inop by working with CERTs. Both DS and Coruna were deployed at a previously unforeseen scale when discovered. Opa334 handled this responsibly, the leaker not so much.
Potato Soup 🇵🇸 (@joinedserver)
@krzywix @iBSparkes @i41nbeer @_bazad @ProjectZeroBugs while on it, may I ask why did you (google, iVerify, lookout) let it be repurposed publicly while mentioning there're still a big number of users on vulnerable versions? every kid can just change the C2 IP and host their full 1-click chain - this is something unexpected.
sparkey (@iBSparkes)
I feel like there has been a crazy [negative] response to the "DarkSword" chain, the bugs going public, and hence being publicly exploited. I don't remember a time in the iOS scene where this has ever previously been the case. It's been a long standing tradition for bugs to be/
J.A. (@Jalbrec4)
Now that the DarkSword exploit chain has been leaked on GitHub, things are getting serious. I'd love to know how the researcher found it (if you read this hit me up), as it possibly came from some unknown UNC6353 infrastructure. Update your iOS18 device or try Lockdown mode gang.
J.A. (@Jalbrec4)
@Shorouk_News I may have evidence of someone impersonating Shorouk News to deliver malware. Please contact me, as I could not reach you via the email address on your website.
J.A. retweeted
aptwhatnow (@aptwhatnow)
If you're seeing APT efforts blend and not make sense...those looking at some of the more APT43 (Kimsuky), the former COVID-centric element, APT37, and groups that look like 37...then this might make some sense dailynk.com/english/north-… Terrific piece @The_Daily_NK
J.A. retweeted
Michael Koczwara (@MichalKoczwara)
🚨We're thrilled to announce a new partnership between IntelOps and Validin🚨 All our students will receive at least 3 months of complimentary access to Validin accounts, blending features from personal and professional plans🤝 Plus, we're developing a new series of lessons, ranging from beginner-friendly tutorials on utilizing Validin to advanced modules with case studies on hunting APTs🎯 Including a module on the Nation-State Actor - Muddy Water 🇮🇷 and many others 🇷🇺 🇰🇵 🇨🇳 Stay tuned for more details coming next week! @Intel_Ops_io @ValidinLLC
Quoting Intel-Ops (@Intel_Ops_io):

🚨New Partnership Announcement!🚨 All students will receive enhanced access to @Validin providing improved hunting capabilities. Upcoming training on Validin and real-life use cases tracking threat actors are on the way! inc. dedicated Discord channel for Validin. 🔥🔥🔥

J.A. (@Jalbrec4)
@PunishedK19753 @Cyber_O51NT Basically, TA runs a uAdmin Live Panel while on the call with victim walking them through each step, and manually choosing the prompts (OTP, driver's license, etc). The social engineering portion seems to be what makes it most effective.
J.A. (@Jalbrec4)
@aptwhatnow @tiresearch1 Same, I think all three of us are linking this to another well known APT on a different continent.
aptwhatnow (@aptwhatnow)
@tiresearch1 any additional info on why they're related to laz... I have a small piece saying it may be from another country but I'm curious
TI Research (@tiresearch1)
#Lazarus related: ushrt[.us home-continue[.online continue-meeting[.site drive-access[.site #APT
J.A. (@Jalbrec4)
@tiresearch1 I think one of these may be APT42 instead, would be interested in chatting.
TI Research (@tiresearch1)
#Lazarus related: ovcloud[.online online-processing[.online meeting-online[.site #APT
J.A. (@Jalbrec4)
@ThreatFabric Kudos to your research team and thank you for citing us! Very impressed with the connection to LightSpy, and this answered some questions I've had.
Lukas Stefanko (@LukasStefanko)
Trojanized #Signal and #Telegram apps discovered on Google Play and Galaxy Store. Espionage malware belongs to BadBazaar family. It is the first case of spying on victim’s Signal communication by secretly autolinking compromised device to attacker’s Signal welivesecurity.com/en/eset-resear…
J.A. (@Jalbrec4)
@CyfirmaR @bellingcat performed the initial research on Bahamut, they're not an alias for the TA as stated in the article, just an FYI...
J.A. (@Jalbrec4)
@ViriBack Like @saridzawa2 said, it's Dendroid, a commodity malware. Looks like a small Naver focused campaign: shopnaver[.]online, navor[.]fun, navor[.]tech, etc. Only seeing Dendroid samples, no ties to Lazarus or Kimsuky that I can see besides Naver lures which isn't exclusive.
Dee (@ViriBack)
unknown #apk C2 panel ? #malware 122.128.107.]243/cc/Panel/ MD5: a4a94ff3823d2300fb0295625f185273 any ideas ?
J.A. (@Jalbrec4)
@PJ47596176 Bad look for a company founded with forced labor.
🇨🇦PJ⌨🏋🏻‍♂️🥃🗺🌻🔭🔬🇨🇦🇦🇺🇬🇧🇳🇿🇺🇲👀
VW operates a factory in Xinjiang – where China brutally oppresses the Uyghur minority. The group states that it has no evidence of human rights violations in the factory environment. Many fund companies doubt. 🇨🇦 just signed a large deal with VW!
Quoting Sense Hofstede (@sehof):

Oppression in China: investors demand an investigation into Volkswagen's business in the Uyghur region – Der Spiegel spiegel.de/wirtschaft/unt…

J.A. (@Jalbrec4)
We released our public findings on #bouldspy last week @LookoutThreats. This malware was reported on in the news as ransomware called Daam, however we've confirmed that it's actually spyware used by FARAJA to target Iranians after they're arrested. lookout.com/blog/iranian-s…
J.A. (@Jalbrec4)
@CyfirmaR I believe you've incorrectly tied Bahamut to Iran in your investigation. Bahamut is a merc group, and though they've reused Iranian APT resources, there's research from Lookout, TrendMicro, PaloAlto, etc. that they're more closely tied to other APTs like Patchwork & Confucius.
J.A. (@Jalbrec4)
@virusbtn I'm not sure why they've defined Bahamut as an Iranian APT since they're widely considered to be hack-for-hire.
J.A. (@Jalbrec4)
#Stalkerware developers, such as the D3VL & ETECHD devs in England behind L3MON, should stop and think about where their #spyware ends up. Congratulations for being on the wrong side of history. #MahsaAmini