Ricardo Monreal

10.5K posts

@joy_dragon

I am, whatever you say I am.

Joined April 2009
526 Following, 644 Followers
Ricardo Monreal reposted
VECERT Analyzer (@VECERTRadar):
🚨 FINANCIAL INTELLIGENCE ALERT: Agrobanco (Peru) Database Leak 🇵🇪🏦
Our Analyzer platform has detected a new data exfiltration targeting the Peruvian banking sector. Threat actor injectioninferno2 has published a database belonging to Agrobanco (agrobanco.com.pe), the country's leading development bank for the agricultural sector.
Victim: Banco Agropecuario - Agrobanco (Peru) 🏛️
Threat Actor: injectioninferno2 🎭
Volume: 50,000 records (Lines)
Date: March 26, 2026 🗓️
Analysis of Exfiltrated Data (Identified Fields): the sample provided by the threat actor reveals a data structure that enables precise geographic and personal identification of customers:
🔹 Identity: Full names of account holders.
🔹 Documentation: National Identity Document (DNI) numbers.
🔹 Contact: Mobile phone numbers and personal email addresses (e.g., Gmail).
🔹 Detailed Geolocalization: Region, Province, and District of customer residence (national coverage: Loreto, Piura, Puno, Junín, Lima, etc.).
Monitor: analyzer.vecert.io
#CyberSecurity #Peru #Agrobanco #DataBreach #InjectionInferno #FinancialFraud #InfoSec #CyberAlert #HackingNews #DNI #BancaPeru #SafeBanking
Ricardo Monreal reposted
Feross (@feross):
🚨 Breaking: Trivy GitHub Actions supply chain attack – 75 out of 76 version tags compromised. If your CI/CD pipelines reference “aquasecurity/trivy-action” by version tag, you’re likely running malware right now.
At Socket, we identified that an attacker force-pushed nearly every version tag in the official aquasecurity/trivy-action repository. That’s @​0.0.1 all the way through @​0.34.2. Over 10,000 GitHub workflow files reference this action.
The malicious payload runs silently before the legitimate Trivy scan, so nothing looks broken. Meanwhile it’s:
- Dumping runner process memory to extract secrets
- Harvesting SSH keys
- Exfiltrating AWS, GCP, and Azure credentials
- Stealing Kubernetes service account tokens
The only unaffected tag right now appears to be @​0.35.0.
Socket independently detected this at 19:15 UTC and generated 182 threat feed entries tied to this campaign – all correctly classified as Backdoor, Infostealer, or Reconnaissance malware.
This is the second Trivy compromise this month. Earlier in March, attackers injected code into the Aqua Trivy VS Code extension on OpenVSX to abuse local AI coding agents.
The compromised tags are still active. Pin to @​0.35.0 or use a SHA reference until this is fully remediated.
Full write-up: socket.dev/blog/trivy-und…
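The mitigation in the post above is to stop referencing actions by mutable tag. The following is an added example, not code from the post, from Socket or from the Trivy project: a small Python check that scans a GitHub workflow file for `uses:` references not pinned to a full 40-hex commit SHA, since a tag or branch can be force-pushed the way the trivy-action tags were. The workflow text is constructed for the example; the action names in it other than aquasecurity/trivy-action are placeholders.

```python
import re

# Constructed sample workflow (not from any real repository). It mixes
# mutable version tags, a mutable branch ref and one full-SHA pin.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.34.2
        with:
          scan-type: fs
      - uses: some-org/helper-action@main
      - uses: other-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
"""

# Matches "uses: <spec>" whether or not the step starts with "- ".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Only a full 40-hex commit SHA is treated as an immutable reference.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def mutable_action_refs(workflow_text):
    """Return (line_no, action, ref) for every `uses:` whose ref is not a full SHA.

    Tags and branches can be moved by anyone who controls the source repo,
    so they are reported; local (./path) and docker:// steps are skipped
    because the pinning rule does not apply to them.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        spec = match.group(1).strip("'\"")
        if spec.startswith(("./", "docker://")):
            continue
        action, _, ref = spec.partition("@")
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings


if __name__ == "__main__":
    for line_no, action, ref in mutable_action_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
```

Run it over every file under .github/workflows/ to get the list of references to replace with SHA pins; keep the version as a trailing comment, as on the pinned line of the sample, so reviewers can still read it.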
Ricardo Monreal reposted
Germán Fernández (@1ZRR4H):
♦️ Exposed #opendir on 187.77.173[.]118 port 8080 hosting AI-generated tools to analyze CVE-2025-6218 and test bypass variants against the official patch for WinRAR(?). The environment includes progress tracking and references to a business model aligned with 0-day development 👁️ On port 9999: multiple .bin files and "loaders" flagged as possible Meterpreter. [+] bazaar.abuse.ch/sample/3404b9e… / @malwrhunterteam @HackingLZ @UK_Daniel_Card
Ricardo Monreal reposted
chum1ng0/security research:
Data stolen from the GORE Araucanía system: the attacker "logged in from an administrative account whose password had expired and, to achieve their objective, changed the password and self-assigned high-level privileges, extracting 21.4 MB of information."
Quoted post from Cooperativa (@Cooperativa):

GORE Araucanía filed a criminal complaint over the cyberattack that stole information from its Oficina de Partes #Cooperativa90 tinyurl.com/35eb7vp9

Ricardo Monreal reposted
International Cyber Digest (@IntCyberDigest):
‼️ China's biggest cybersecurity company, Qihoo 360 (461M users), just leaked their own wildcard SSL private key inside the public installer for their new AI assistant "360 Security Claw." The private key for *.myclaw.360.cn was bundled directly in the download package under /namiclaw/components/OpenClaw/openclaw.7z/credentials. The cert is valid until April 2027. Attackers can now impersonate their servers, intercept user traffic, and forge login pages. Fun fact: the founder promised the product would "never leak passwords."
Ricardo Monreal reposted
TIAL (@tial_cl):
🚨 Attention #CHILE: a #phishing campaign impersonating @MovistarChile has been detected, promoting an “iPhone 17 Pro Max 256GB” as part of a supposed number-portability offer.
🔍 IOC: movistarchileportabilidad[.]com, movistaronechile[.]com, movistaroneportabilidad[.]com, movistaroneportabilidad[.]lat; IP: 104.207.138.189
📡 Exfiltration: uses Socket[.]IO over WebSocket
📂 Phishing kit structure: /index.html /login.html /admin.html /private/ /success.html /datos.html /tusdatos.html /confirmacion.html /webpay.html
#Ciberseguridad #Phishing #ThreatIntel #Infosec #Chile
Ricardo Monreal reposted
EZ (@IAMERICAbooted):
Don't forget to secure Security Admins, who should also be treated like GA. For those that don't know, there are privilege escalation paths from Security Admin to GA too. :) learn.microsoft.com/en-us/intune/i… I would argue: if your Security Admins don't know what the role can do, they shouldn't have it. :)
Quoted post from DirectoryRanger (@DirectoryRanger):

Best practices for securing Microsoft Intune techcommunity.microsoft.com/blog/IntuneCus…

Ricardo Monreal reposted
Germán Fernández (@1ZRR4H):
@malwrhunterteam @joy_dragon Google Merch and Microsoft China... 🤔😂 - hxxps://your.merch[.]google/media/customer_address/T/I/TIS.txt - hxxps://microsoftstore[.]com[.]cn/media/customer_address/G/O/GOD.txt
Ricardo Monreal reposted
Germán Fernández (@1ZRR4H):
🚨 Meanwhile, a wave of attacks against Magento stores is compromising multiple websites in Chile 🇨🇱. Among those affected are sites belonging to Entel, Bice Vida, Colun, A3D, CasaIdeas, Volcom, Everlast, Anticipa, Tiendas PF, Maui&Sons, Fila, RipCurl, Stone Center, etc. 🤷‍♂️ For now, only TXT "file uploads" are visible, but... H/T @joy_dragon 🦾
Ricardo Monreal reposted
Germán Fernández (@1ZRR4H):
🚨 THANKS, AI!!! 🤦🏻‍♂️ → Google results are recommending recovering your ClaveÚnica from the "official" site claveunica[.]online. The problem is that this domain is part of an active fraud campaign aimed at stealing digital identities in Chile, which we identified and warned about in December of last year from @Cronup_CyberSec: cronup.com/alerta-de-segu… ⚠️ Additionally, impersonation of AFP Modelo is now being observed, something we had not seen in earlier stages of the operation. This is not just an indexing error; it is a real risk for thousands of people who trust the first search results. H/T @Huntr3ssX @goangaar 🎯 / @ANCIChile @AFPModelo
Ricardo Monreal reposted
Acronis (@Acronis):
Acronis Threat Research Unit (TRU) Update: LockBit strikes with new 5.0 version, targeting Windows, Linux and ESXi systems. ➡️ acronis.com/en/tru/posts/l…
Key highlights:
🔹 The Windows sample has the most defense evasion and anti-analysis techniques applied across all analyzed samples. This includes packing, DLL unhooking, process hollowing, patching Event Tracing for Windows (ETW) functions and clearing all available logs in the system.
🔹 Linux and ESXi versions are very similar, except for functions that target virtualization. Neither of these versions is packed, but almost all strings are encrypted.
🔹 All versions have the same ransom note, append a random extension to each encrypted file, and share the same encryption routine, which involves XChaCha20 and Curve25519.
🔹 The LockBit site was hosted on infrastructure with historical ties to SmokeLoader, indicating possible infrastructure reuse or cooperation.
For MSPs and IT teams, speed matters. Threat research provides the intelligence to update protections quickly, manage efficiently, and automate defenses, so teams can stay protected without adding complexity.
Ricardo Monreal reposted
Virus Bulletin (@virusbtn):
LevelBlue SpiderLabs analyses a ClickFix attack chain. The flow moves from shellcode to a PE downloader, then injects StealC into legitimate Windows processes to steal credentials, cryptocurrency wallets and screenshots. levelblue.com/blogs/spiderla…
Ricardo Monreal reposted
Virus Bulletin (@virusbtn):
LAB52 reports Operation MacroMaze, an APT28-linked spear-phishing campaign targeting Western & Central Europe since Sep 2025. Spear-phishing docs are used with macro droppers & an embedded INCLUDEPICTURE field that gives attackers a document-opened signal. lab52.io/blog/operation…
Ricardo Monreal reposted
FalconFeeds.io (@FalconFeedsio):
0apt ransomware is a potential scam op. 💀 We analyzed 230+ victim claims, the majority were fake, with no samples or proof, and they even report companies that don’t exist. First alert by @alvieriD. Now claiming hits on 4 major UAE entities using manufactured screenshots. AI hype fuels the noise.
Ricardo Monreal reposted
Dominic Alvieri (@AlvieriD):
New ransomware group 0APT is a fraud. Created fake AI-generated companies to post, while adding a few real companies in between to quantify their legitimacy. No ransomware. No samples. No nothing. 0APT is now even recruiting new black hat hackers to steal Bitcoin from them.