.

DHL Receipt_57216218402.rar fedbac4768636be461c284e60f1a44cf stage 2 > hXXp://203.202.232[.]37/img/hiii/cossro[.]hta a33a8261eb76c717275012f0b04577d1 #APT #RemcosRAT bazaar.abuse.ch/sample/db8a4dc…

bank details.tar 8887b47d43df80b63f5802f86a5ed149 ravels[.]in Interesting headers! #APT

NEW ORDER 2026.03.02 KYUNG SUNG.xls c6e8e9266a822905211f3e26def6a3f7 #APT

Internet Outrage at HIT Facilities during Ramadan 2026.pdf hXXps://adobe.updatepdf.workers[.]dev/AdobeUpdate.application #APT CC @Cloudflare x.com/__0XYC__/statu…

@volrant136 @ShadowChasing1 @Huntio @500mk500 @MichalKoczwara @malwrhunterteam icewarp.com is real vendor website, PK Navy shifted from zimbra to Icewarp couple of months ago, interesting that most of the navy accounts have MFA enabled, it seems Sidewinder isn’t well informed, and late in modifying their payloads accordingly!

#APT #Sidewinder Targets #Pakistan #Navy Interesting! Using icewarp[.]com ? Tracked by @Huntio 🔗https://navy-pk-dils-maint213-ifwcnxl4[.]leapcell[.]dev/home/?dgkjshfskdjhghgrehjhvjshdfoerowiuifg=ZG5vMU8wYWtuYXZ5Lmdvdi5waw== cc: @500mk500 @MichalKoczwara @malwrhunterteam

Monthly-Development-Update-Feb-2026.pdf hXXps://pc-gov-pk.download-doc[.]com/44910160/adobe-reader CC @hostinger #APT campaign using mails-pk[.]net CC @spaceship  @Namecheap #APT x.com/__0XYC__/statu…

BPS-1 to BPS-16.pdf hxxps://www-finance-gov-pk[.]filenesthub[.]org/fbb93769/adobe-reader CC @spaceship Phishing campaign using establishment.mails-pk[.]com CC @Namecheap x.com/__0XYC__/statu… #APT

@Namecheap Yes, hope @Dynadot would do the needful.!

@__0XYC__ Hello! It seems the domain name grabfiles[.]net is neither registered nor hosted with us, the report should be forwarded to the current Registrar or hosting provider. Thanks!

Pension Guide 2026.pdf hXXps://swo-gov-pk.grabfiles[.]net/52863484/adobe-reader @Dynadot hope you aren't as dead as your report abuse form! phishing campaign mail-pk[.]org CC @Namecheap #APT

#ESETresearch has uncovered a new #Android spyware campaign using novel romance scam tactics to target individuals in 🇵🇰 Pakistan, with an added social engineering element previously unseen in similar schemes. welivesecurity.com/en/eset-resear… 1/9

ESET Research uncovered GhostChat, an Android spyware campaign using romance-scam tactics to target individuals in Pakistan. The campaign uses fake profiles (likely operated via WhatsApp), while the spyware exfiltrates victim data. welivesecurity.com/en/eset-resear…

hxxps://mzrakq.short[.]gy/A6tpOv redirects to hxxps://zimbra10-nml3wp-max8143-fn1rsf7l.leapcell[.]dev/login.html?gfjdliotrgojnghgherbegrehureert0e0ee #APT #phishing cc @short_io TA IP 203.124.34.84 🥱

hXXps://myworkdrivemanager[.]org/uploads/GSR_Requirements.zip pwd: GSR@71 uses schtasks to download next stage from hXXps://nexnxky[.]info , geofenced targeted campaign #APT #LNK

@Cloudflare @namesilo bazaar.abuse.ch/sample/21cb07f…

Email > pdf > Cloudflare > dl[.]vlc-services[.]cfd > password protected zip > .lnk + hXXps://nadracloudx.pages[.]dev/?0EmMmV2NmhjRyUCZmNmLzV2YpZnclNXLjxmduwGZGJTJGJTJBNTJzBHd0hmO6QWa password: DIA@2025! @Cloudflare  @namesilo #APT

Some #APT hXXps://fileonlinetransfer[.]center/Defence/Requirements.rar pwd:  Xcd@34VFDf

@malwrhunterteam You're right!

Okay, no. Let's explain. So we have this "Brief on National Security 5th November 2025 & Minutes of Meeting\.zip" archive: 436c07ee636be7bd5d98db9612343923cb96e4d5e97ba86586575594f75d6714 Inside there is a "Brief on National Security 5th November 2025.PDF.exe", which is a renamed "pack200.exe", that is legit and signed (this is on the screenshot in his tweet). The actors simply decided to used that to load their malicious "jli.dll" file: 96964582c71caa0e19d06f1634e2324b323f3a45fe8b04227c6074fa36efb335 Payload is Remcos RAT. C2 domain: appsupdate[.]xyz - already has some detections. The IP the domain is currently resolving to: 93.127.132[.]225 - more detections, tagged as Remcos C2 already a few days ago too. 🤷‍♂️