Ben

705 posts


@polygonben

Threat Research

in ur c2 😬
Joined November 2022
1.1K Following · 1.6K Followers

Pinned Tweet
Ben @polygonben
🚨Recent MuddyWater APT campaign, linked to Iranian intelligence, exposed by Ctrl-Alt-Intel 😬 - 10+ CVEs used - Custom-developed C2s - EtherHiding malware - Sensitive data stolen ctrlaltintel.com/threat%20resea… Super fun collab-ing with @ice_wzl_cyber to get this published 🔥
Ben retweeted
IntelOps @IntelOpsV3
How Threat Actors Abuse Legal Processes 🔥 A deep dive look at fraudulent subpoenas, warrants, EDR and the shinyhunters domain seizure intelops.st/how-threat-act…
Ben retweeted
Ctrl-Alt-Intel @ctrlaltintel
A Ctrl-Alt-Intel researcher, based out of HK 🇭🇰, tried to download @signalapp via Chrome.... but noticed something odd. The top 2 sponsored results were advertising likely malicious "Chinese versions" of Signal....
Ben @polygonben
im real i promise 🥲
Ben retweeted
Ctrl-Alt-Intel @ctrlaltintel
On January 15th, after discussing PC specs, the conversation turns personal, giving us insight into "quant" and his life. "zeta88" brings Devman back into the conversation. We also look forward to speaking about him in the future too ;)
Ben retweeted
Ctrl-Alt-Intel @ctrlaltintel
A little thread exposing screenshots + comms from the Gentlemen Leaks. These provide super interesting insight into the inside operations of successful RaaS groups. Everything from aspects of operators' personal lives, their TTPs, and victims. All images shared are from the Rocket[.]Chat leak.

We even discovered in March they attempted to send flowers to a UK-based victim....

On 28th Feb, they recognise they're "top 2" on ransomware.live + Devman has gone ;)🚓

Translation of zeta88's first message: "In short, Devman was either taken in, for health reasons, or because of a rebranding—it all disappeared. And we're top 2 on RansomLive based on statistics, but not based on profit, I think."

We can see a @GangExposed tweet shared by The Gentlemen, alongside the ransomware.live stats.
Ben retweeted
Andrew Thompson @ImposeCost
There's enough money involved that if people would stop being soft, the right talent would go largely solve the ransomware problem.
Ben retweeted
Merav @merav_br
My new research on the Jenkins threat landscape 🔍☁️ Exposed instances, deprecated plugins, CI/CD attack paths… and based on TeamPCP’s recent activity, I think they read it too 👀 wiz.io/blog/jenkins-t…
Ben retweeted
Ctrl-Alt-Intel @ctrlaltintel
🧵 CATCHING THREAT ACTORS IN PROD: The "Mihók-Dev" Files

A Hungarian cryptomining operator left their entire working directory publicly accessible on a Python HTTP server. One zip file. Full toolkit, bash history, compiled binary, scan logs, all of it. Here is the technical breakdown of NOVA SYMBIO NETWORK v1.0.

Actor: Mihók-Dev / "Mihók Dániel"
Contact hardcoded across every file: Mihokdaniel84[@]gmail.com
Selling price: €1,000 BTC/XMR/ETH
Active since: First artifact timestamps to 2022-04-22 19:48 UTC

This is not a ground-breaking or complex toolkit by any means. We were unable to find this advertised publicly anywhere yet; based on the code, it had strong signs it was made using an LLM, which is increasingly becoming more common.

When hunting on @Huntio, you can catch these threat actors early by leveraging Hunt.io data.
Ben retweeted
Ctrl-Alt-Intel @ctrlaltintel
Someone deployed a phishing platform + remote access trojan across 14 servers, then left every single one wide open. Same image. Same live credentials. Same RAT binaries. All publicly readable across the entire subnet. Found on @Huntio. Here's what was running 🧵
Ben retweeted
Ctrl-Alt-Intel @ctrlaltintel
@Fortinet Please stop flagging our domain as malicious 🥹
Ben retweeted
Ctrl-Alt-Intel @ctrlaltintel
We’re not malicious @virginmedia 🥺 ctrlaltintel[.]com is for sharing intel, we’re only a threat to cybercriminals 🙏
Ben retweeted
Ctrl-Alt-Intel @ctrlaltintel
Recent find by our team using @Huntio🕵️‍♂️

Akia: Exploiting CVE-2025-55182/66478, this French Claude-coded pipeline is a massive secret harvester:
🔹13 Git/8 SMTP APIs
🔹3k+ AWS Keys
🔹250M JS URLs
🔹EVM/BTC/SOL
🔹250+ ENV types
🔹1k+ Cloud paths
🔹300+ Configs
🔹20+ Code exts
Ben retweeted
Ctrl-Alt-Intel @ctrlaltintel
In April, our team found a vibe-coded dashboard guessing FedEx tracking numbers. With 4M+ records and 498 proxies, the scale was impressive, though the adversary's goal remains unknown. Any idea what the adversary was trying to accomplish?
Ben retweeted
Ctrl-Alt-Intel @ctrlaltintel
Links to our blogs are getting blocked :(