CTI Academy
@CTIAcademy
Cyber Threat Intelligence Academy | [email protected]
210 posts
Joined August 2022
5 Following, 659 Followers

Pinned Tweet
CTI Academy @CTIAcademy
🌟 CTI Academy's new interactive platform is online: Cyber Underground Academy! 🌟
CTI Academy students go into the field as a threat intelligence analyst. In this special simulation platform, our students will act as a CTI analyst to monitor threat actors, gather intelligence and improve their skills with realistic HUMINT experiences.
💡 What's in this Simulation?
🔍 Analysing the strategies of threat actors
🌐 Tracking in a real underground forum environment
📂 Transforming the obtained information into operational intelligence
With Cyber Underground Academy, our students will not only learn, but also prove themselves by applying what they have learnt in real world simulations.
#cti #threatintel #humint #osint #threatintelligence
CTI Academy @CTIAcademy
🦉 Research, Intelligence, Surveillance & Monitoring... The PRISM Certification Program is launching with 20+ hours of comprehensive training content, delivered by expert instructors in the field of Cyber Threat Intelligence!
Participants will benefit from the following through the training program:
- Live Sessions
- Hands-on Labs
- 1-on-1 Feedback
- Recordings
Details for: ctiacademy.io/prism-certific…
Training Dates: April 13–30, 2026
Training Time: Starts at 20:00
Language: Turkish
Contact: info@ctiacademy.io
CTI Academy @CTIAcademy
🔗 Supply Chain Attacks: Where the Chain Breaks
Is there a security breach in your supply chain? SolarWinds, Kaseya, 3CX, NPM... These attacks have shown us that sometimes even your most trusted suppliers can become a threat vector.
📅 Date: Tuesday, 2 December 2025
⏰ Time: 20:00 (GMT+3)
🌐 Platform: Online
💰 Participation: FREE
🎯 What Will This Webinar Cover?
✅ In-depth analysis of modern supply chain attack vectors
✅ Examination of supply chain breaches from a technical perspective
✅ Protection strategies organizations can apply against supply chain attacks
🎙 Yusuf Can Çakır - CTI Academy Co-Founder
🎙 Furkan Öztürk - CTI Academy Co-Founder
Through real-world examples and case studies, we will discuss how these attacks were carried out, which techniques were used, and how organizations can strengthen their defence mechanisms.
⚠️ Note: Participation in the event is only valid for registrations made with a corporate e-mail address.
🔗 Register now: event.ctiacademy.org/webinar-regist…
CTI Academy @CTIAcademy
CTI Academy Cyber Threat Intelligence December 2025 Bootcamp Program Has Started!
Our comprehensive training program, designed to help you specialize in cyber threat intelligence and take your career to the next level, awaits you.
1️⃣ Program 1 - From Fundamentals to Advanced
👉 Ideal for those starting from scratch
👉 9 comprehensive modules
👉 Hands-on practice on cases
2️⃣ Program 2 - In-Depth Expertise
👉 For advanced professionals and those seeking in-depth expertise
👉 18 comprehensive modules
👉 In-depth technical content
👉 Hands-on practice on cases
💥 To determine the program that suits you and apply to the training program: event.ctiacademy.org/events/6/
❗ The training lasts 3 weeks.
❗ Our training is limited by quota.
For training details, fees and other questions, you can contact us at info@ctiacademy.org.
CTI Academy @CTIAcademy
The China-linked Flax Typhoon APT group achieved over a year of covert access through a sophisticated cyber espionage campaign targeting ESRI (Environmental Systems Research Institute)'s ArcGIS servers. According to ReliaQuest's research, the group infiltrated publicly exposed ArcGIS servers using valid administrator credentials and leveraged them as a bridge to internal networks. They specifically abused the Server Object Extension (SOE) feature to deploy a custom Java-based web shell. This web shell processes Base64-encoded commands via the REST API and is protected by a hardcoded secret key, allowing it to blend seamlessly into ArcGIS's natural HTTPS traffic.
Attackers downloaded and installed SoftEther VPN Bridge via the SOE as a Windows service, which automatically activates on system reboot to establish an outbound HTTPS tunnel (port 443) connecting to the C2 server at 172[.]86[.]113[.]142.
The campaign's most striking aspect is its difficulty in detection due to "living off the land" tactics. The VPN tunnel mixes with legitimate ArcGIS calls, evading anomalies in SIEM systems; the group employed standard tools for SAM database dumps, LSA secrets extraction, and Active Directory lateral movement. ReliaQuest detected anomalous activities on two IT employee workstations, including credential harvesting attempts via files like pass.txt.lnk.
Linked by the FBI to the "Raptor Train" botnet, Flax Typhoon targeted governments, municipalities, and infrastructure operators to exfiltrate data and escalate privileges. While U.S. Treasury Department sanctions have hit the group's infrastructure, this ArcGIS exploitation demonstrates how APTs weaponize legitimate software.
Read More: reliaquest.com/blog/threat-sp…
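The post above makes a detection point worth turning into rules: the SoftEther tunnel looks like ordinary ArcGIS HTTPS traffic, so port 443 alone is a useless signal, and what remains is provenance (an unexpected service install, which process opened the connection, the reported C2 address) plus the follow-on credential activity on workstations. The following Python is an added example, not code from CTI Academy or ReliaQuest. The key=value log lines are constructed for the example, the file paths in them are illustrative assumptions rather than ArcGIS's or SoftEther's real defaults, and the only page-derived indicator is the 172.86.113.142 address quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# C2 address ReliaQuest reported for this campaign (quoted, defanged, in the post above),
# written undefanged here so it can be compared against connection logs.
KNOWN_C2 = {"172.86.113.142"}

# Constructed sample telemetry (not real logs), normalised to key=value form the way a
# SIEM might present service-install, connection, file and process events. The image
# paths are illustrative assumptions, not ArcGIS's or SoftEther's real install locations.
SAMPLE_LOGS = [
    'ts=2025-09-01T02:14:07Z host=arcgis01 event=service_installed name="SoftEther VPN Bridge" image="C:\\ProgramData\\vpnbridge\\vpnbridge.exe" start=auto',
    'ts=2025-09-01T02:14:09Z host=arcgis01 event=net_conn image="C:\\ProgramData\\vpnbridge\\vpnbridge.exe" dst=172.86.113.142 dport=443 dir=out',
    'ts=2025-09-01T02:20:31Z host=arcgis01 event=net_conn image="C:\\arcgis\\java.exe" dst=10.0.5.20 dport=443 dir=out',
    'ts=2025-09-01T03:01:12Z host=it-ws07 event=file_create path="C:\\Users\\jdoe\\Desktop\\pass.txt.lnk"',
    'ts=2025-09-01T03:05:44Z host=it-ws07 event=process image="C:\\Windows\\System32\\reg.exe" cmdline="reg save HKLM\\SAM C:\\Windows\\Temp\\s.hiv"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SOFTETHER_RE = re.compile(r"softether|vpnbridge|vpnserver|vpnclient", re.IGNORECASE)
# Saving the SAM/SECURITY/SYSTEM hives with reg.exe is the kind of "standard tool"
# SAM / LSA-secrets dump the post refers to.
HIVE_DUMP_RE = re.compile(r"reg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    technique: str   # MITRE ATT&CK technique id, or 'unmapped'
    evidence: str


def parse_kv(line: str) -> dict:
    """Split a key=value line; quoted values may contain spaces and backslashes."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def evaluate(rec: dict) -> Optional[Finding]:
    """Apply the four rules to one parsed record; return the first match or None."""
    host = rec.get("host", "?")
    ev = rec.get("event")
    # 1. A VPN bridge registered as an auto-start service on an application server.
    if ev == "service_installed" and SOFTETHER_RE.search(rec.get("name", "") + " " + rec.get("image", "")):
        return Finding(host, "softether_service_install", "T1543.003", rec.get("image", ""))
    # 2. Outbound connection to a known C2, keyed on destination and originating image,
    #    not on port 443, which legitimate ArcGIS traffic also uses.
    if ev == "net_conn" and rec.get("dir") == "out" and rec.get("dst") in KNOWN_C2:
        return Finding(host, "outbound_to_known_c2", "T1572",
                       f"{rec.get('image')} -> {rec.get('dst')}:{rec.get('dport')}")
    # 3. The credential-harvesting lure file name reported on the IT workstations.
    if ev == "file_create" and rec.get("path", "").lower().endswith("pass.txt.lnk"):
        return Finding(host, "credential_lure_file", "unmapped", rec["path"])
    # 4. Registry hive export used for offline SAM / LSA-secrets extraction.
    if ev == "process" and HIVE_DUMP_RE.search(rec.get("cmdline", "")):
        return Finding(host, "registry_hive_dump", "T1003.002/T1003.004", rec["cmdline"])
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run every rule over every line and return the findings in log order."""
    findings = []
    for line in lines:
        f = evaluate(parse_kv(line))
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.host:10} {f.rule:28} {f.technique:20} {f.evidence}")
```

The third sample line, an ArcGIS process talking HTTPS to an internal host, produces no finding; that is the post's point restated as a rule: the tunnel is indistinguishable from that traffic by port, so the rule keys on which image opened the connection and where it went, and the service-install event is the earlier, more durable signal.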
CTI Academy @CTIAcademy
A security vulnerability, identified as CVE-2025-27915, was discovered in the Zimbra Collaboration Suite (ZCS) and exploited in zero-day attacks in January 2025. This flaw stemmed from insufficient sanitization of HTML content in iCalendar (.ICS) files. The zero-day vulnerability, affecting ZCS Classic Web Client versions 9.0, 10.0, and 10.1, was actively exploited in early January 2025 before patches were released.
Attackers targeted a Brazilian military organization by sending spearphishing emails impersonating the Libyan Navy’s Protocol Office. These emails contained .ICS files larger than 10KB, embedding Base64-obfuscated JavaScript code. Despite a CVSS score of 5.4, this XSS vulnerability enabled data theft and system manipulation with effects comparable to remote code execution (RCE).
The attack involved an asynchronously executed payload that created hidden form fields. It stole credentials from login forms, monitored user activity, collected data via the Zimbra SOAP API, and added a “Correo” filter to forward emails to a ProtonMail address every four hours. Data was exfiltrated to the ffrk[.]net server. StrikeReady detected the attack by monitoring large .ICS files.
The attack could not be attributed to a specific group with high confidence, but Russian-linked groups (e.g., Winter Vivern or UNK_HeatSink) were noted for their proficiency in discovering zero-day vulnerabilities. Additionally, similar tactics, techniques, and procedures (TTPs) aligned with those of the Belarus-linked UNC1151 group.
The deobfuscated code was shared by @strike_ready on GitHub: github.com/StrikeReady-In…
IOCs
https://ffr[.]net/apache2_config_default_51_2_1
193[.]29[.]58[.]37
spam_to_junk@proton[.]me
ea752b1651ad16bc6bf058c34d6ae795d0b4068c2f48fdd7858f3d4f7c516f37
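StrikeReady's detection hook in the post above is the size of the calendar attachment: the invites were larger than 10KB because they carried Base64-obfuscated JavaScript inside an HTML description. The following Python is an added example, not code from CTI Academy or StrikeReady, of a mail-gateway style triage check that unfolds an iCalendar file, finds long Base64 runs, decodes them and looks for script markers. The two .ICS samples and the padded payload are constructed for the example; the 10KB threshold and the marker list are assumptions drawn from the post's description, not from Zimbra or StrikeReady.

```python
import base64
import re
from dataclasses import dataclass
from typing import List

ICS_SIZE_THRESHOLD = 10 * 1024          # the post cites .ICS files larger than 10KB
B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# Strings a decoded blob would contain if it is script rather than, say, a legitimate
# Base64 attachment such as an image; assumed for this example.
JS_MARKERS = (b"<script", b"document.", b"eval(", b"atob(", b"XMLHttpRequest", b"fetch(")


@dataclass
class IcsFinding:
    size: int
    oversized: bool
    b64_blobs: int
    js_markers: List[str]

    @property
    def suspicious(self) -> bool:
        # Size alone is too noisy (real invites embed images); require decoded script markers too.
        return self.oversized and bool(self.js_markers)


def fold(line: str, width: int = 75) -> str:
    """RFC 5545 line folding: break at `width`, continuation lines start with a space."""
    if len(line) <= width:
        return line
    parts, i = [line[:width]], width
    while i < len(line):
        parts.append(" " + line[i:i + width - 1])
        i += width - 1
    return "\r\n".join(parts)


def unfold(text: str) -> str:
    """Reverse RFC 5545 folding so a Base64 blob is one contiguous run again."""
    return re.sub(r"\r?\n[ \t]", "", text)


def inspect_ics(data: bytes) -> IcsFinding:
    """Size check plus decode-and-inspect of every long Base64 run in the file."""
    text = unfold(data.decode("utf-8", errors="replace"))
    blobs, markers = 0, set()
    for m in B64_RE.finditer(text):
        blobs += 1
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue      # long alphanumeric run that is not valid Base64 (e.g. a URL path)
        low = decoded.lower()
        markers.update(mk.decode() for mk in JS_MARKERS if mk.lower() in low)
    return IcsFinding(len(data), len(data) > ICS_SIZE_THRESHOLD, blobs, sorted(markers))


def build_ics(description: str) -> bytes:
    """Minimal constructed calendar invite carrying the given DESCRIPTION value."""
    lines = [
        "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//constructed example//EN",
        "BEGIN:VEVENT", "UID:constructed-1@example.invalid",
        "DTSTART:20250106T090000Z", "SUMMARY:Protocol office meeting",
        fold("DESCRIPTION:" + description),
        "END:VEVENT", "END:VCALENDAR",
    ]
    return ("\r\n".join(lines) + "\r\n").encode()


# Constructed stand-in for an obfuscated payload: a script that creates a hidden form
# field, padded with a comment so the invite exceeds 10KB like the ones described.
PAYLOAD_JS = (b"<script>var f=document.createElement('input');f.type='hidden';/*"
              + b"A" * 9000 + b"*/</script>")
BENIGN_ICS = build_ics("Agenda and logistics for the visit.")
SUSPICIOUS_ICS = build_ics(base64.b64encode(PAYLOAD_JS).decode())

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_ICS), ("suspicious", SUSPICIOUS_ICS)):
        f = inspect_ics(blob)
        print(name, f.size, "bytes,", "SUSPICIOUS" if f.suspicious else "ok", f.js_markers)
```

Unfolding before matching matters: an iCalendar writer splits long property values across 75-octet lines, so a regex run over the raw file would see many short Base64 fragments and never decode the whole blob.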
CTI Academy @CTIAcademy
🔒 History of OPSEC Fails #3: Command Center Pride
🎯 In May 2025, after claiming to have shot down an Indian Rafale fighter jet, the Pakistani military shared a celebratory photo of high-ranking officers inside a command and control center. A nice celebration? Maybe. But it came at a cost:
📸 None of the background screens were blurred. This allowed anyone on social media to zoom in and analyze every visible detail.
The screens revealed:
❗ Satellite imagery
❗ Live targeting data
❗ Radar visualizations
❗ Systems analyzing OSINT data gathered from social media and news sources
This mistake enabled detailed analysis of the infrastructure, tools, and possible locations displayed on the screens.
🚫 OPSEC Failures:
🛑 Real-time photo sharing from a secure facility
🛑 Exposing strategic tools and maps without obfuscation
🛑 Underestimating the analytical power of open-source communities
🛑 Failure to sanitize and censor content before publication
#opsec #threatintelligence #osint #militaryintelligence #security
CTI Academy retweeted
Yusuf Can Çakır @Yusufcancakiir
#Play #Ransomware Group: New Tactics, Growing Threat
Sharing critical insights from @CISA's June 4, 2025 update. This group is genuinely running one of the most active ransomware operations of 2024.
The Scale of the Problem
According to FBI data, the Play group has targeted approximately 900 organizations so far. As of May 2025, they're still conducting active attacks. They've evolved significantly, not just in numbers but in their methods.
New Attack Vector: SimpleHelp Vulnerability
#CVE-2024-57727 was disclosed on January 16, 2025. Play group and affiliated threat actors immediately began exploiting this vulnerability. SimpleHelp is a remote access and monitoring tool - if you're using it, update immediately.
Smart Evasion Tactics
They recompile their ransomware binary for each attack. This means every victim gets a different "fingerprint." It's becoming much harder for antivirus software to detect because they're constantly facing a new variant.
Phone Threats Begin
Email isn't enough for them anymore. They're now directly calling victims, threatening "we'll leak your data." They create custom email addresses with "@gmx.de" or "@web.de" extensions for each victim. They call different numbers from IT departments to customer service.
VMware Systems Specially Targeted
They've developed a specific ransomware variant for #ESXi hypervisors. They shut down virtual machines, encrypt VM files with AES-256, and even replace the ESXi interface welcome message with their ransom note. It's a pretty systematic approach.
#GRIXBA: Their Custom Spy Tools
They've developed a custom #infostealer called "GRIXBA." It's a tool that gathers network information and detects antivirus software. It tries to hide under a #Zabbix 2023 identity.
What You Should Do
In order of priority:
Apply the CVE-2024-57727 patch
Expand MFA implementation (especially for VPN and email)
Review your network segmentation
Check your offline backups
Update your incident response plan
The Play group isn't just "a ransomware group" anymore - it's an organized cybercrime operation. Their ability to quickly exploit new vulnerabilities, follow technical developments, and use psychological pressure tactics shows this evolution.
Source: CISA Cybersecurity Advisory AA23-352A (Updated: June 4, 2025)
PDF Link: cisa.gov/sites/default/…
CTI Academy @CTIAcademy
🦉 Spokeo: Powerful Data Aggregation as an OSINT Tool
🔎 Known as the "white pages" of the internet, Spokeo stands as a valuable resource for OSINT investigations. This platform efficiently aggregates publicly available information from both online and offline sources into a single, searchable database.
👉 With Spokeo, analysts can:
💠 Access comprehensive contact information
💠 Gather intelligence from connected social media profiles
💠 Analyze address histories and relationship networks
🌐 spokeo.com
CTI Academy @CTIAcademy
🔎 This platform allows you to analyze the Bitcoin blockchain in depth, perfect for tracking crypto crimes and conducting digital forensics.
🦉 View full transaction history of Bitcoin addresses
🦉 Track suspicious money transfers
🦉 Analyze ransomware payments
🦉 Discover crypto connections of criminal networks
💠 Especially in ransomware cases, analyzing attackers' Bitcoin addresses on this platform can reveal both payment patterns and other potential victims.
👉 blockchain.info
CTI Academy @CTIAcademy
International law enforcement agencies have successfully concluded Operation Endgame II, resulting in the complete disruption of the DanaBot malware-as-a-service platform. This operation represents a significant milestone in cybercrime enforcement.
DanaBot maintained operations for seven years, utilizing an average of 150 command-and-control servers daily across more than 40 countries. The sophistication of their infrastructure is evidenced by the fact that 75% of their C2 servers remained undetected by traditional security tools.
The identification of key Russian operators, including JimmBee (Aleksandr Stepanov) and O*nix (Artem Kalinkin), marks a crucial breakthrough. Despite maintaining operational security for over 15 years, these threat actors were ultimately exposed, demonstrating that sustained anonymity in cybercrime is not guaranteed.
From a technical perspective, DanaBot's three-tier command-and-control architecture showcased remarkable sophistication. The platform's evolution from banking trojan to initial access broker illustrates the dynamic nature of the current threat landscape. Particularly noteworthy is the dual-use nature of the malware, with separate variants developed for financial cybercrime and state-sponsored espionage activities, exemplifying the documented nexus between Russian cybercriminal organizations and state intelligence operations.
The impact metrics are substantial: over 300,000 infected systems globally and documented damages exceeding $50 million, underscoring the significant threat posed by malware-as-a-service platforms.
A comprehensive technical analysis is available in the attached document, providing valuable insights for threat hunting and incident response teams.
Link: linkedin.com/feed/update/ur…
#CyberSecurity #MalwareAnalysis #ThreatIntelligence #OperationEndgame #DanaBot #InfoSec
CTI Academy @CTIAcademy
How do modern threat actors leverage crypto scramblers, DeFi protocols and trade-based methods to launder money? Why do traditional “rules-based” AML systems fail?
👉 As CTI Academy, we have prepared for you “Inside the Machine: How Modern Threat Actors Launder Money and Why Traditional Detection Methods Are Failing":
💥 The latest money laundering tactics of cybercriminals
💥 Weaknesses and most common pitfalls in classical detection methods
💥 New detection approaches based on artificial intelligence and graphical analysis
💥 Advocacy tips you can implement immediately in your organization
and other critical topics.
🌐 Read More: ctiacademy.org/blog/inside-th…
CTI Academy @CTIAcademy
🔎 We've conducted an in-depth analysis of the global takedown of LummaC2, one of the biggest cybersecurity operations in recent days. This unique operation, led by the US Department of Justice and Microsoft, which resulted in the seizure of 2,300+ malicious domains, reveals the dangerous level that modern malware infrastructures have reached.
👉 To access the technical analysis we've prepared at CTI Academy:
🌐 ctiacademy.org/blog/lummac2-s…
#fbi #europol #cloudflare #microsoft #russian #market #lummac2 #lumma
CTI Academy @CTIAcademy
As a result of coordinated efforts by the US Department of Justice and Microsoft, the infrastructure of the LummaC2 information-stealing tool targeting millions of users has been completely seized.
💠 LummaC2 is a sophisticated information-stealing malware that steals sensitive data such as browser data, autofill information, login credentials for email and banking services, and seed phrases that provide access to cryptocurrency wallets.
💠 The FBI has identified that this malware was used in at least 1.7 million cases.
💠 As part of the operation, 5 critical domains were seized by court order, and Microsoft disabled 2,300 domains in parallel.
💠 After the first domains were seized on May 19, 2025, LummaC2 administrators quickly established 3 new domains in an attempt to continue their operations, but security forces managed to seize this new infrastructure on May 21.
💠 These shutdown domains hosted user panels that malicious actors used to access LummaC2.
This operation demonstrates how the malicious software ecosystem works. Information stealing tools (infostealers), DDoS-as-a-Service, and other "Malware-as-a-Service" platforms enable even those without technical knowledge to commit cybercrimes.
CTI Academy @CTIAcademy
VanHelsing Ransomware Source Code Leaked After Failed $10K Sale Attempt
In a dramatic turn of events, the VanHelsing ransomware-as-a-service (RaaS) operation, which emerged just two months ago, has been rocked by a major leak of its infrastructure. According to BleepingComputer, a former developer, alias "th30c0der," attempted to sell the entire VanHelsing setup—Tor service keys, admin panel, file server, data leak blog, Windows encryptor builder, and databases—for $10,000 on the RAMP cybercrime forum. The plan backfired when VanHelsing operators retaliated by publicly leaking parts of the source code, including the Windows encryptor and affiliate panel, though the Linux builder and some databases were notably absent.
Launched in March 2025, VanHelsing had claimed eight victims, including a Texas city and two tech firms, per @RansomwareLive and @BleepinComputer. Despite early traction, this incident exposes deep trust issues within the operation. The operators have vowed to release a "superior" VanHelsing 2.0 and cease hiring external developers to bolster reliability. However, the leaked code could empower other threat actors to craft new ransomware variants, mirroring the fallout from the 2022 LockBit leak.
This saga underscores the fragile trust in the cybercrime ecosystem. While VanHelsing’s operators aim to recover, the leaked code poses a broader risk, potentially fueling new attacks. In the high-stakes world of ransomware, VanHelsing’s misstep proves that rewards are never guaranteed.
#Cybersecurity #Ransomware #VanHelsing
CTI Academy @CTIAcademy
CONTI LEAKS: Deleted Chats, Recovered Secrets
GangExposed uncovers what Conti tried so hard to hide—even from their own team.
In the world of cybercrime, erasing traces isn’t just about avoiding law enforcement—it’s often about hiding secrets from within. A new leak published by GangExposed reveals internal conversations from the notorious Conti ransomware group that were intentionally deleted from secure messaging platforms.
The Jabber Conversations
At the center of the leak is a series of messages exchanged on Jabber between two key members, Stern and Target. The chats show plans to set up independent offices and recruit their own hackers—without the knowledge of their higher-ups. Some of Target’s original messages were deleted, but they were recovered thanks to Stern quoting them in replies.
Here’s a recovered snippet:
[19:15:27] let’s agree on this
[19:15:36] the hackers will be ours
[19:15:53] we won’t overload them with other networks
[19:17:52] around 50 people will be needed
These messages indicate a major internal shift—essentially an attempt to launch a parallel operation, hidden from the rest of the group. The risk was so high that they made efforts to leave absolutely no trace.
The RocketChat Wipe
Further evidence comes from RocketChat logs, where messages were deleted for other reasons. After November 2020, Target began ramping up operational security: using new aliases, scrubbing activity logs, and demanding total invisibility—even within supposedly secure platforms.
In October 2021, Target:
• Opened a new office in Dubai
• Procured equipment for launching attacks
• Relocated his team
• Coordinated with Stern’s UAE branch
• Launched attacks and split the ransom profits
Then, they erased the entire operation’s trace from RocketChat.
Some of the remaining lines:
2021-12-22 17:13:14 bloodrush bentley: ask that jaber to delete the account
2021-11-30 15:10:33 stern professor: delete Alex and his team from Rocket
This level of paranoia reflects a fear not just of external discovery—but of internal exposure as well.
What Did GangExposed Reveal?
Despite their efforts to wipe everything clean, metadata, quotes, and log remnants were enough for GangExposed to reconstruct the story. They’ve identified key participants, mapped out operations, and are preparing detailed reports.
And that’s not all: GangExposed promises to release names and photos of Target and his team soon. “Everything they tried to erase—will be exposed,” the group says.
CTI Academy @CTIAcademy
🔍 Ready to trace the digital footprints of a cyberattack targeting COVID-19 vaccine research?
💥 Operation Dark Horizon – Threat Actor Profiling Challenge is now live!
🧠 A free, advanced-level cyber threat intelligence challenge from CTI Academy, based on a real-world scenario, awaits you.
In this mission, you’ll take on the role of a threat intelligence analyst to:
✅ Analyze TTPs using the MITRE ATT&CK framework
✅ Investigate command & control infrastructure
✅ Examine malware samples to uncover links to known APT groups
✅ Identify the attacker’s identity, motivations, and operational patterns
🎯 Objective: Discover who carried out the attack, why, and how "just like a real CTI analyst."
💡 Start learning now: ctiacademy.io
CTI Academy retweeted
Yusuf Can Çakır @Yusufcancakiir
On May 7, 2025, LockBit’s “lightweight” admin panel was hacked. According to SlowMist’s detailed report, the leaked data included Bitcoin addresses, private keys and chat logs. The report analyzes the attack’s execution, LockBit’s internal system structure, and its implications for the cybersecurity landscape. Notably, the hackers left a message: “Don’t commit crimes, crime is bad.”
slowmist.medium.com/when-hackers-g…
CTI Academy @CTIAcademy
LockBit, one of the most sought-after ransomware groups in the digital world, has suffered a major blow. The .onion sites used by the group were completely disabled as of May 7. According to initial investigations, the production date of the leak is April 29, 2025.
💥 What Does the Leak Include?
🧠 LockBit Internal Chat
💸 Bitcoin addresses
🏢 Victim profiles
🔐 Encryption keys, tokens, credentials
The message placed on the .onion page after LockBit's leaked database is identical to the one used during the hacking of the Everest ransomware group. This strengthens the possibility that the same actor(s) may be behind the operation.
An important finding that strengthens the possibility that the hacked .onion address belongs to LockBit is that malicious HTTP requests to this address have been observed in some instances of LockBit ransomware in the past, which can be considered as a technical trace supporting the authenticity of the leak.