Nexus Threat Intel

They thought they were hiding. 🤡 ​On solemark[.]cfd, everything seemed offline. I dug, simulated an iPhone, and... BINGO! Cloaking broken: phishing 🇯🇵 discovered. ​Report sent, @Cloudflare shut everything down (403). 🚫 ​#NexusThreatIntel #Phishing #OSINT #Cloudflare

BlueVision infrastructure breach confirmed. I've successfully dumped the operator's local database and private C2 logs from the Muscat gateway. ​Full internal data leak available here: 🔗 nti633.github.io/dossier-oman/ ​ #Oman #BlueVision #DataLeak #CyberSecurity #Nexus

Finally cracked the obfuscation on the Alibaba-hosted C2 for the Revolut campaign. Found hardcoded backend credentials and session handlers. Full technical dump here: bit.ly/4cMDshZ #Infosec #OSINT #AlibabaCloud #Phishing

Shame on @AlibabaCloud: they claim "no violations" for bluevision[.]com while it steals @RevolutApp credentials. Their automated bots are fooled by cloaking. Absolute negligence. 🤡 @lastknight @DDay_it @revolutapp

Proof of Cloaking: The server returns 403 Forbidden only when it detects analysis. It hides the phishing from providers but hits victims. Why is @Netcraft blind to this? 🕵️‍♂️ @lastknight @revolutapp

Shaming @AlibabaCloud: they claim "no violations" for bluevision[.]com while it steals @RevolutApp credentials. Their bots are fooled by cloaking. Negligence at its finest. 🤡 @lastknight @DDay_it

Hey @VirusTotal, look: for 1 YEAR you flagged bluevision[.]com "Clean" without a scan. 🦖 ​Now, even after a fresh check, your vendors are STILL blind to the #Revolut mobile redirect. ​1 year of negligence + total tech failure today. 🤡 #CyberSecurity #Infosec #Fail #Scam

.@AlibabaCloud @Google @Netcraft @RevolutApp: You were notified at 17:11 CET w/ forensic proof. ​From now on, every @RevolutApp account drained via bluevision[.]com is YOUR legal & moral responsibility. No excuses: I gave you the smoking gun. ​#CyberSecurity #Revolut #Phishing

I sent professional PDF reports with forensic evidence. Results? ​Alibaba: "Address not found" ​Google: "Address not found" ​You are protecting scammers by being unreachable. Fix your abuse channels. [Screenshot of the delivery failure] @alibaba_cloud @Google

Why do your bots say "Clean"? SERVER-SIDE CLOAKING. 🕵️‍♂️ ​They check from Desktop. If you use curl -A "iPhone", the server triggers an immediate 302 Redirect to a credential harvester. ​I analyzed the UmiJS code: patchRoutes is the smoking gun. Cc: @briankrebs @gcluley

.@AlibabaCloud @Google @Netcraft: your security is a PR stunt 🤡 ​I found a sophisticated #phishing scam on bluevision[.]com targeting @RevolutApp. Your bots are too "lazy" to see it. ​A thread on how one researcher exposed your failure. 🧵👇 #Infosec #CyberSecurity #Scam

Hey @Netcraft @Alibaba_Cloud, you're wrong. ​bluevision[.]com (43.130.4.82) uses MOBILE CLOAKING. Desktop = Clean. Mobile = Malicious Redirect. ​Check the code, not the facade! 🖼️🛡️🆘 #CyberSecurity #Phishing #AlibabaCloud

Hey @Alibaba_Cloud @AlibabaGroup @Netcraft, I've reported a malicious phishing gateway on IP 43.130.4.82 (bluevision[.]com). It uses mobile-cloaking to scam users. Report sent to abuse team. Why is it still live? Time to act! 🛡️ #CyberSecurity #Phishing #AlibabaCloud"

@Unit42_Intel Incredible analysis on WebSocket backdoors. I've been tracking similar obfuscation patterns on .cfd infrastructures lately—mostly hiding phishing lures behind mobile-only cloaking. The level of sophistication is rising. Great work team! 🛡️ #NexusThreatIntel

Obfuscated #WebSocket backdoors are injecting credit card skimmers into hundreds of compromised websites. The payload sends stolen card information back to attacker's C2 domains. Details at: bit.ly/42HyNb3

@GroupIB Great insights on insider threats. On the external front, I'm seeing a massive surge in cloaking techniques on .cfd infrastructures to hide phishing landing pages. Just neutralized a cluster today. The battle is on every front! 🛡️ #NexusThreatIntel

This Labor Day, the most dangerous hire isn't the one who failed the background check. It's the one who passed it. DPRK-linked IT workers are infiltrating companies through legitimate hiring pipelines, earning salaries, and exfiltrating data from the inside. Group-IB researchers have mapped exactly how it works. The numbers tell the story. Read the full blog here: bit.ly/4d3XzXX #ThreatIntelligence #DPRK #InsiderThreat #Infosec #LaborDay #GroupIB

🚨 PHISHING TAKEDOWN 🚨 ​Target: Japan 🇯🇵 (Rakuten) Status: NEUTRALIZED (403) 🚫 Domain: solemark[.]cfd Tactics: Mobile-only cloaking ​Infra: @Cloudflare @TencentCloud Ref: PhishTank 9411882 ​Great work! 🏴‍☠️ ​#CyberSecurity #ThreatIntel #NexusThreatIntel

🚨 PHISHING ALERT 🚨 ​Target: @Allegro_Group 🌐 …egrolokalnie.wzbogacsiedomain140.shop ​🛡️ Active Cloaking (302 redirects) to evade scanners. ​CC: @Cloudflare @Wix @cert_polska @GMORegistry ​Immediate suspension needed! 🛑 ​#Phishing #CyberSecurity #Allegro #ScamAlert

New Phishing Campaign 🚨 ​Targeting #Allegro & #Crypto wallets via @Wix Studio. ​🚩 Target: …egrolokalnie.wzbogacsiedomain140.shop 🚩 Cluster: Multiple Wix malicious subdomains. ​Evidence attached. Reports filed. 🛡️ ​#ThreatIntel #Phishing #OSINT #CyberSecurity #NexusThreatIntel

🎯 Takedown #10: Mission accomplished. Neutralized: 1️⃣ Allegro.pl Clone (Fraud) 2️⃣ .es Wallet Drainer (Crypto) ​Sites offline thanks to targeted reports. Web security also extends to mobile. 🛡️💻 ​#CyberSecurity #OSINT #Termux #Takedown @Cloudflare

TAKEDOWN COMPLETE 🎯 ​akk-seller[.]com is OFFLINE. 🛡️ ​Found 10k+ stolen accounts & 2FA bypass tokens. Tracked move to @Cloudflare & reported to @Namecheap. ​Thanks @NamecheapHelp for the clientHold. Users are safer! 🔥 ​#CyberSecurity #OSINT #Fraud