Chamindu Pushpika

101 posts

@chamindu_x

Security Researcher | DFIR | CSEH

Joined December 2022
210 Following, 50 Followers
Namecheap.com (@Namecheap)
@chamindu_x Hello! It seems the domain name reported is neither registered nor hosted with us.
inversecos (@inversecos)
NEW LAB: NavalTech Defense Contractor ⚓ We emulated a North Korean (DPRK) cyber espionage campaign targeting a submarine contractor’s vessel-tracking systems. Based on CISA’s reporting on DPRK operations to advance military and nuclear programs. Contributors @django88_ @svch0st @XintraOrg Solve it here 👇 xintra.org
Chamindu Pushpika retweeted
Hunt.io (@Huntio)
💡 How to Find Open Directories: Portals for Threat Intelligence hunt.io/glossary/how-t… From a defensive standpoint, open directories represent both a risk and an opportunity. They are often overlooked yet incredibly informative sources of threat intelligence. Misconfigured directories can leak sensitive material that attackers can later exploit, but they also provide threat hunters with a rich source of real artifacts and infrastructure clues when searching for malicious activity. What makes open directories especially valuable is the variety of materials they expose:
• DDoS scripts
• PowerShell scripts
• Custom malware and malicious browser extensions
• Backdoors and exploits
• .bash_history files
• Banking trojans
• And much more!
For proactive defenders, open directories are an opportunity to understand adversary behavior and intercept attacks earlier than traditional detection would allow. Read more on how to find and approach open directories ⬇️ #CyberSecurity #ThreatHunting #OpenDirectories #ThreatIntel
P4nd3m1cb0y (@P4nd3m1cb0y)
[1/3]🇨🇳#VoidLinkC2 The initial IP address published by @_CPResearch_ in their blog was crucial for #pivoting to a new C2 address. By using @censysio, we can spot those #C2 based on the HTTP headers Www-Authenticate: Basic realm="VoidLink C2", charset=UTF-8" 🔥 159.75.233\.200
The Hacker News (@TheHackersNews)
Researchers disclosed VoidLink, a modular Linux malware built for long-term, stealthy cloud access. It detects AWS, Azure, GCP, Docker, and Kubernetes, adapts its behavior, steals credentials, and enables lateral movement using rootkit-style techniques 🧩 🔗 Read here → thehackernews.com/2026/01/new-ad…
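An added example, not code from the thread above nor from Check Point Research or Censys, showing how a defender can turn the header fingerprint quoted in the thread into a check over HTTP responses they already hold (proxy captures, a scan export, a sandbox's network log). Each WWW-Authenticate challenge is split into scheme and parameters the way RFC 7235 defines them, and the realm is compared against a table of known C2 realms. The only fingerprint in the table is the one from the thread; the three sample responses are constructed, and the table layout and function names are my own assumptions.

```python
import re

# Realm strings known to identify C2 admin panels. The VoidLink entry is the
# header quoted in the thread; the table layout itself is an assumption.
C2_REALM_FINGERPRINTS = {
    "voidlink c2": "VoidLink",
}

# auth-param per RFC 7235: token "=" ( token / quoted-string )
_PARAM_RE = re.compile(r'([\w!#$%&*+.^`|~-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)')


def parse_challenge(value: str):
    """Split one WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, params = value.strip().partition(" ")
    parsed = {}
    for name, raw in _PARAM_RE.findall(params):
        if raw.startswith('"'):
            # unquote and undo the two escapes quoted-string allows
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        parsed[name.lower()] = raw
    return scheme, parsed


def header_values(raw_response: str, header_name: str):
    """Return every value of header_name from the head of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == header_name.lower():
            values.append(value.strip())
    return values


def fingerprint_response(raw_response: str):
    """List the C2 families whose realm appears in a WWW-Authenticate header."""
    hits = []
    for value in header_values(raw_response, "WWW-Authenticate"):
        scheme, params = parse_challenge(value)
        realm = params.get("realm", "")
        family = C2_REALM_FINGERPRINTS.get(realm.lower())
        if family:
            hits.append({"family": family, "scheme": scheme, "realm": realm})
    return hits


# Constructed responses (not real captures), with CRLF line endings as on the wire.
VOIDLINK_LIKE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: nginx\r\n"
    'WWW-Authenticate: Basic realm="VoidLink C2", charset="UTF-8"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)
ROUTER_LIKE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Router Admin"\r\n'
    "\r\n"
)
DIGEST_LIKE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Digest realm="example.test", qop="auth", nonce="abc123"\r\n'
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("voidlink-like", VOIDLINK_LIKE), ("router", ROUTER_LIKE), ("digest", DIGEST_LIKE)):
        print(label, fingerprint_response(resp))
```

Matching on the parsed realm rather than on a raw substring keeps the check robust to header-name casing, parameter order and the extra `charset` parameter, and the same parser serves any other realm you add to the table.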
Chamindu Pushpika retweeted
Group-IB Threat Intelligence (@GroupIB_TI)
Our latest threat research report is live: UNC2891: ATM Threats Never Die. Since 2022, Group-IB specialists have been tracking this low-profile, financially motivated group targeting financial institutions, compromising infrastructure to execute coordinated ATM cash-outs. Key Highlights:
🔹 Ongoing, Silent Threats: Maintained undetected access for years (earliest compromise traced to 2017) across dozens of hosts, including critical ATM switching servers and production servers.
🔹 Persistence and Stealth through Advanced Malware: Deployed a bespoke malware arsenal including CAKETAP (a rootkit for HSM manipulation), SLAPSTICK (PAM backdoor with a "magical password"), and LOGBLEACH/MIGLOGCLEANER (log wipers) to evade detection.
🔹 Long-Term Compromise & Innovative Infiltration: Physically planted a Raspberry Pi inside a bank's network connected to an ATM switch using a 4G modem for remote access to bypass defenses entirely.
🔹 Undocumented Attack Vectors: Leveraged tools like iodine (DNS tunneling) and OpenVPN for covert command-and-control and stealthy lateral movement.
🔹 Money Mule Operations: The group ran sophisticated money mule recruitment operations, often via Google ads or Telegram. Mules received cloned card equipment and instructions over TeamViewer. Attackers guided them step-by-step to insert cloned cards into ATMs, enabling large-scale cash-out operations while distancing themselves from direct exposure.
This report provides the full kill chain, detailed TTPs, and malware analysis. ATM threats haven’t disappeared; they have evolved into a more sophisticated and stealthy danger. Download the full report to understand how to defend against them: link.group-ib.com/4pm0DmK #CyberSecurity #ThreatIntelligence #ATMThreats #MalwareAnalysis #FinancialSecurity #InfoSec
Chamindu Pushpika retweeted
blackorbird (@blackorbird)
#ATM Hacking Group UNC2891 Technical Summary: Core Tools / Malware Arsenal
CAKETAP → Solaris/Linux kernel rootkit, hooks ATM → HSM traffic, modifies ARQC/ARPC in real time
SLAPSTICK → PAM backdoor + per-server unique "magic password" (SSH passwordless login even if keys changed)
TINYSHELL → Tiny (~30 KB) asynchronous backdoor, multi-stage chaining
STEELCORGI → Custom packer/encryptor (same keys reused across unrelated victims 2022–2024)
SUN4ME (2024 new) → All-in-one post-exploitation tool (scanner, brute, SSH brute/private key stealer, proxy, log wiper, exploit modules)
WINGHOOK / WINGCRACK → Unix keylogger + offline decoder
MIGLOGCLEANER / LOGBLEACH → Professional log eraser (auth.log, wtmp, utmp, lastlog, shell history)
iodine / OpenVPN → C2 tunneling
github.com/blackorbird/AP…
Smukx.E (@5mukx)
@chamindu_x I think it's not like that. When you have EDRs or XDRs installed, it takes a time gap of 1-2 sec. Telemetry in action... 🐁 Sometimes it doesn't even execute if you use popular shellcodes like Havoc shellcodes. Sometimes it will get caught by behaviour-based detections.
Smukx.E (@5mukx)
ShellExec using msgbox.exe => in my C2 facility. Bypassing EDRs, a cool new way = ) Actually tg is just a sample; you can use calendar, teams or whatever that can communicate with APIs to upload & exec your custom agents!
Chamindu Pushpika retweeted
I am Jakoby (@I_Am_Jakoby)
Added a new tool to: powershellforhackers.com/tools/revshell/ ⚠️Please Use Responsibly⚠️ You can use this to instantly generate an obfuscated reverse shell in PowerShell that I have personally used to beat EVERY single EDR out there right now. I've added some pretty cool stuff to my website but this is one of my favorite additions. 🛑 Disclaimer: This tool is for educational and authorized security testing only. Misuse could be illegal. Don’t be dumb. Shoutout to the only ones that were actually able to stop it, using something called "ring fencing" @ThreatLocker This is not a sponsored post, just a fan of them #Edr_Is_Not_Enough
Chamindu Pushpika retweeted
andrew danis (@andrewdanis)
@Unit42_Intel We observed exploitation as early as 07-17, from IPs 103.186.30[.]186 and 107.191.58[.]76. You can detect this behavior from the IIS process w3wp.exe spawning child processes, at least in our instance.
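An added example, not code from the thread or from Unit 42, implementing the detection the reply describes: over process-creation telemetry, flag everything the IIS worker process w3wp.exe spawns, treat well-known living-off-the-land binaries as high severity, and allowlist the few children a web server legitimately starts (ASP.NET's compiler, for instance). The sample events, the host name, both name lists and the `ts host key=value ...` event format are constructed assumptions standing in for whatever your EDR or SIEM actually exports (Sysmon Event ID 1 carries the same ParentImage/Image/CommandLine fields).

```python
import re
from collections import Counter

# Child images an IIS worker should essentially never start; a hit is high
# severity. Assumption: trim or extend for your environment.
HIGH_RISK_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe",
    "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "curl.exe",
    "nltest.exe", "whoami.exe", "net.exe", "net1.exe",
}

# Children w3wp.exe legitimately spawns on this hypothetical host
# (ASP.NET dynamic compilation). Assumption: tune per server role.
EXPECTED_CHILDREN = {"csc.exe", "cvtres.exe"}

# Constructed process-creation events (Sysmon Event ID 1 fields flattened to
# key=value text); not telemetry from the incident discussed in the thread.
SAMPLE_LOG = r"""
2025-07-17T08:01:12Z web01 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe CommandLine="csc.exe /noconfig /t:library App_Web_x.cs"
2025-07-17T08:02:40Z web01 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c whoami"
2025-07-17T08:02:41Z web01 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\whoami.exe CommandLine=whoami
2025-07-17T08:03:05Z web01 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -nop -w hidden -enc AAAA"
2025-07-17T08:04:10Z web01 ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\inetsrv\w3wp.exe CommandLine="w3wp.exe -ap DefaultAppPool"
2025-07-17T08:05:22Z web01 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image="C:\Program Files\Vendor\Tool\report.exe" CommandLine="report.exe --nightly"
"""

# key=value where the value is either a quoted string or a run of non-spaces
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one 'ts host key=value ...' line into a dict."""
    ts, host, rest = line.split(" ", 2)
    event = {key: value.strip('"') for key, value in _FIELD_RE.findall(rest)}
    event["ts"], event["host"] = ts, host
    return event


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_iis_children(lines) -> list:
    """Flag every process whose parent is the IIS worker process w3wp.exe."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = parse_event(line)
        if image_name(event.get("ParentImage", "")) != "w3wp.exe":
            continue
        child = image_name(event.get("Image", ""))
        if child in EXPECTED_CHILDREN:
            continue
        severity = "high" if child in HIGH_RISK_CHILDREN else "medium"
        findings.append({
            "ts": event["ts"], "host": event["host"], "child": child,
            "cmdline": event.get("CommandLine", ""), "severity": severity,
        })
    return findings


def severity_counts(findings) -> Counter:
    """Tally findings by severity, handy for a dashboard or alert threshold."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    for f in detect_iis_children(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['ts']} {f['host']} w3wp.exe -> {f['child']}: {f['cmdline']}")
```

Flagging the unknown child (`report.exe`) at medium rather than dropping it is deliberate: a web shell can launch an arbitrary dropped binary, so the parent relationship is the signal and the child's name only adjusts priority. Note that the grandchild (`whoami.exe` under `cmd.exe`) is not reported separately; if your telemetry lacks a reliable parent chain, extend the check to the process tree rather than the immediate parent.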
Chamindu Pushpika retweeted
Mandiant (part of Google Cloud)
UNC3944 (Scattered Spider) activity is reportedly rising across global industries, including retail. Act now to stay ahead ⚠️ Learn more: goo.gle/4esbM0Q
XINTRA (@XintraOrg)
New write-ups on our APT Labs 😍 Council of Tropical Affairs Mustang Panda Walkthrough by @chamindu_x cham1ndux.github.io/posts/Mustand-… Abu Jibal Lab APT34/OilRig Walkthrough medium.com/@QhtSec/xintra-abu-jibal-lab-walkthrough-10342ec55f78
Chamindu Pushpika retweeted
Alberto Segura (@alberto__segura)
🚨#Android #Malware Fake Chat app is sending SMSs, photos, contacts to a Telegram's chat using the bots API 🤖 Distribution: https://vanos.pages[.]dev/assets/Vanos-Messenger.apk Hash: 170abe43fb6f31f601f2493e40b64bb20171e0bc0cae6b88802d0c4faf1c5f3c Trying Matkap it looks like someone just got infected..