Ctrl-Alt-Intel

63 posts

Ctrl-Alt-Intel

@ctrlaltintel

Threat Research

Katılım Mart 2026

19 Takip Edilen592 Takipçiler

Sabitlenmiş Tweet

Ctrl-Alt-Intel@ctrlaltintel·4d

Over 7 a month period, a Qilin affiliate exposed 5 C2 servers -> OPSEC L -> Sliver C2 / SOCKS running on WatchGuard devices -> Initial access primarily via WG/Fortinet exploitation -> 3 real victims found via Qilin blog -> 🇺🇸 & 🇩🇪 targeting -> 7+ CVEs used Link to blog below👇

English

5.5K

Ctrl-Alt-Intel@ctrlaltintel·1h

Panel was previously hosted on 38.]127.8.48 which is now down

English

154

Ctrl-Alt-Intel@ctrlaltintel·1h

In April, our team found a vibe-coded dashboard guessing FedEx tracking numbers. With 4M+ records and 498 proxies, the scale was impressive, though the adversary's goal remains unknown. Any idea what the adversary was trying to accomplish?

English

855

Ctrl-Alt-Intel@ctrlaltintel·2h

Links to our blogs are getting blocked :(

English

700

Ctrl-Alt-Intel@ctrlaltintel·3d

Ctrl-Alt-Intel has exposed a threat actor leveraging CPanel/CVE-2026-41940 to: - Target Government/Military entities in South-East Asia - Target a small set of MSPs / hosting providers Separately, they exploited novel vulnerabilities against a SEA defense sector victim and:

English

113

12.7K

Ctrl-Alt-Intel@ctrlaltintel·4d

x.com/ctrlaltintel/s…

Ctrl-Alt-Intel@ctrlaltintel

ZXX

359

Ctrl-Alt-Intel@ctrlaltintel·27 Nis

When a Qilin affiliate makes many big #oopsies over 7 months... not knowing they are silently being tracked by us🤩 Ctrl-Alt-Intel blog coming later this week🤪

GIF

English

1.8K

Ctrl-Alt-Intel@ctrlaltintel·4d

The watchTowr PoC is a simple exploitation verifier This threat actor has took it further to: -> Auto-identify cPanel owner -> Creates a cPanel user session -> Deploy webshell to "/public_html/wp-cache.php"

English

476

Ctrl-Alt-Intel@ctrlaltintel·4d

⚠️Targeted cPanel/WHM CVE-2026-41940 exploitation seen in the wild 🇧🇩 Bangladesh education sector targeted 154.18.187[.239 hXXp://windowsupdate[.sh:18888/sub_shell.py This appears to build upon & weaponise the POC provided by watchTowr - github.com/watchtowrlabs/… (1/n)

English

1.7K

Ctrl-Alt-Intel@ctrlaltintel·4d

FBI advisory on cargo theft via phishing, initially reported by @beensquatted & us! haveibeensquatted.com/blog/diesel-vo… Some actors involved in the phishing op are linked to Russian LLCs within logistics sector, taking over $180 million in reported revenue: ctrlaltintel.com/research/Diese…

FBI Cyber Division@FBICyberDiv

Cyber threat actors are using sophisticated, cyber-enabled tactics to impersonate legitimate businesses to hijack freight, steal high-value shipments, and reroute deliveries, resulting in a surge in strategic cargo theft. The threat actors target US transportation and logistics

English

1.2K

Ctrl-Alt-Intel@ctrlaltintel·22 Nis

@Max44434 @TGIFridays Should be open now if you want to give ago!

English

Max@Max44434·22 Nis

@ctrlaltintel @TGIFridays your inbox is locked so I can't DM you.

English

Ctrl-Alt-Intel@ctrlaltintel·22 Nis

The KongTuke C2 domain from this morning has been rotated for @TGIFridays Now points to wintseiser[.com -> threatfox.abuse.ch/ioc/1796104/

English

2.6K

Ctrl-Alt-Intel@ctrlaltintel·22 Nis

@Max44434 @TGIFridays 😩If you can drop us a DM with any more details/paylods/IOC we would be super grateful 🙏

English

Max@Max44434·22 Nis

@ctrlaltintel @TGIFridays A user within my org feel for this clickfix attack lmao

English

Ctrl-Alt-Intel@ctrlaltintel·22 Nis

x.com/ctrlaltintel/s…

ZXX

575

Ctrl-Alt-Intel@ctrlaltintel·22 Nis

⚠️The @TGIFridays (tgifridays.com) website is compromised (for at least over a month) 🚨 Attempting to load malicious ClickFix lure -> potential KongTuke campaign (per Abuse.ch) Cloudflare is blocking atm. Anyone have security contacts @TGIFridays?

English

4.2K

Ctrl-Alt-Intel@ctrlaltintel·22 Nis

@TGIFridays "Compromised for at least over a month" -> This incorrect, I don't know what month I'm in From at least 9th April -> today (22nd April)

GIF

English

420

Ctrl-Alt-Intel@ctrlaltintel·22 Nis

Ctrl-Alt-Intel analysis on this whole campaign coming today. We have had access to the TAs C2. 4k+ commands recovered. We will break down: -> How they are deploying malicious Wordpress plugins -> Botnets being deployed by this threat actor -> Other MaaS this TA is attacking

English

755

Keşfet

@beensquatted @Max44434 @TGIFridays @elonmusk @BarackObama @taylorswift13 @cristiano @BillGates