Stephan - ObiWan666 - Gerling

27.3K posts

@obiwan666

Bluesky @ObiWan666, Yacht Security, Firefighter, Security Evangelist, Speaker, IT & ICS Security, "Geraffel", IoT Hacker, Lingen (Ems)

Deutschland · Joined March 2012
777 Following · 2.1K Followers
Stephan - ObiWan666 - Gerling retweeted
Boris Larin @oct0xor
We analyzed the Coruna exploit kit and found intriguing code overlaps with Operation Triangulation. Full analysis on our blog: link below.
Stephan - ObiWan666 - Gerling retweeted
blackorbird @blackorbird
#Sandworm Targeted RDP Backdoor Campaign (2024-2026) The group has fully evolved its operational strategy from high-impact instantaneous system destruction to intelligence-driven, long-term stealthy persistence. The campaign leverages a highly modular, iterated attack framework (Tambur/Sumbur/Kalambur/DemiMur) targeting global defense industry, critical infrastructure, and government entities. mp.weixin.qq.com/s/QWe2m4qdp45u…
Stephan - ObiWan666 - Gerling retweeted
Hunt.io @Huntio
📌 Looking Back: Iranian APT Infrastructure in Focus hunt.io/blog/iranian-a… Two weeks ago, we analyzed infrastructure linked to several Iranian-aligned threat groups. Pivoting across IPs, hashes, ASNs, and TLS certificates revealed clusters tied to actors like MuddyWater and APT35. In one case, a single IP exposed attacker tooling, additional servers in the same hosting network, and a short-lived Sliver C2 instance. Infrastructure patterns like these often appear weeks before campaigns become widely reported. #ThreatIntelligence #ThreatHunting #CyberSecurity
Stephan - ObiWan666 - Gerling retweeted
Ryan Naraine @ryanaraine
Two full iOS exploit kits in one month, deployed via watering holes on public websites, potentially affecting hundreds of millions of devices. Will Apple acknowledge that this no longer fits the "very small number of highly targeted individuals" narrative?
Stephan - ObiWan666 - Gerling retweeted
International Cyber Digest @IntCyberDigest
❗️Meet Hellcat ransomware group operator 'Pryx' — responsible for high-profile hacks like Jaguar Land Rover, Telefonica, Schneider Electric and many more. He started doing cybercrime as a kid. He got 4 people killed and 27 injured after starting a fire by hacking into the SCADA network of Telecom Egypt. An OSINT researcher just revealed who he is and how he tracked him down.
Stephan - ObiWan666 - Gerling retweeted
Alex. Turing @TuringAlex
🚨An interesting #ELF sample da2e396baf23de1881d06dd3377f84a6 on VT, packed by modified upx, appears to be a #PLC program for traffic light control, but why does it contain an embedded XOR code to establish a reverse shell to 173.180.247[.]200🤔? #IOC Happy hunting 🍷@Xlab_qax
Stephan - ObiWan666 - Gerling retweeted
VECERT Analyzer @VECERTRadar
🚨 ALERT: Alleged Escalation in the Israel-Iran Cyberwar 🇮🇱🇮🇷 A series of alleged high-impact cyber intrusions against critical Israeli infrastructure have been reported, attributed to hacktivist groups claiming ties to Russian entities. These operations are part of the growing conflict of cyber espionage and cyberattacks affecting the region. Dimona Nuclear Power Plant: The group "Cardinal" has published evidence of an alleged intrusion into the systems of the Israeli nuclear power plant, explicitly declaring its affiliation with Russia. Intelligence and Emergencies: The actor "cardinalhackers" claims to have compromised Mossad documents and operating systems of the National Emergency Management Authority (RAHEL). It is important to note that these incidents are alleged and remain under technical investigation. The apparent involvement of actors with likely Russian origins suggests a growing complexity and escalation of the digital theater of operations in the regional conflict. Monitor: analyzer.vecert.io #CyberSecurity #ThreatIntel #CyberWar #Israel #Iran #Dimona #InfoSec #CyberAlert
Stephan - ObiWan666 - Gerling retweeted
John Scott-Railton @jsrailton
BREAKING: powerful iPhone hacking tools used by Chinese criminals originated from US defense giant L3 Harris. The $LHX zero-click exploits went to Russian spies too. Unbelievable harm to our collective security. Scoop by @lorenzofb, here's why this matters 1/
Stephan - ObiWan666 - Gerling retweeted
Nicolas Krassas @Dinosn
After 5 months of development, I'm releasing EvilWAF v2.4 - a MITM proxy that makes ANY tool bypass WAFs github.com/matrixleons/ev…
Stephan - ObiWan666 - Gerling retweeted
Oleg Shakirov @shakirov2036
Kaspersky recently produced a podcast on Operation Triangulation, basically a story of the investigation.
Things that I haven't seen mentioned elsewhere:
— Triangulation malware existed for >10 years
— Some technical details similar to the Equation Group
youtube.com/watch?v=j4pCKh…
Stephan - ObiWan666 - Gerling retweeted
Boris Larin @oct0xor
Amazing find by Google and iVerify, but a vulnerability isn’t a component. An exploit or implant may be a component, not the vulnerability itself. Both CVEs now have public implementations. I see no evidence of code reuse in the technical reports to support that attribution.
Stephan - ObiWan666 - Gerling retweeted
joernchen @joernchen
Lands of Packets TTL exceeded. I would like to collect texts from the scene about FX in his memory. A collection of obituaries that will then be posted on phenoelit.de. If anyone would like to contribute, please contact me. Mail: joernchen@phenoelit.de Signal: jrn.07
Stephan - ObiWan666 - Gerling retweeted
The Figen @TheFigen_
Cartoons are real.
Stephan - ObiWan666 - Gerling retweeted
blackorbird @blackorbird
In the renewable energy sector, an attack targeted at least 30 wind and solar farms in Poland. The attack resulted in a loss of communication between the facilities and distribution system operators (DSOs), but it did not affect ongoing electricity generation. #IOCs #APT #Wiper
CERT Polska Energy Sector Incident Report 2025 github.com/blackorbird/AP…
#Sandworm DynoWiper update: Technical analysis and attribution welivesecurity.com/en/eset-resear…
dragos 2025 poland attack report github.com/blackorbird/AP…
Stephan - ObiWan666 - Gerling retweeted
Georgy Kucherin @kucher1n
Imagine your #antivirus starts deploying malware after an update. This is exactly what happened with the eScan solution last week - the supply chain attack was discovered by @morphisec. We have analyzed the #malware used in this attack - and found lots of cool stuff! [1/7]
Stephan - ObiWan666 - Gerling retweeted
non aesthetic things @PicturesFoIder
Beer distribution system