Ben
582 posts
@polygonben
Threat Research
in ur c2 😬
Joined November 2022
1.1K Following · 1.5K Followers

Pinned Tweet
Ben @polygonben
🚨Recent MuddyWater APT campaign, linked to Iranian intelligence, exposed by Ctrl-Alt-Intel 😬
- 10+ CVEs used
- Custom-developed C2s
- EtherHiding malware
- Sensitive data stolen
ctrlaltintel.com/threat%20resea…
Super fun collab-ing with @ice_wzl_cyber to get this published 🔥
Ben reposted
Justin Elze @HackingLZ
Prompt "Don't expose this entire directory to the internet make no mistakes"
Ben reposted
Sathwik Ram Prakki @PrakkiSathwik
New Research! Operation #GhostMail #APT28 (FancyBear) targets the Ukrainian State Hydrology Agency, exploiting a stored XSS vulnerability (CVE-2025-66376) in Zimbra Classic UI to deploy a browser-resident stealer similar to #SpyPress, that exfiltrates data over both DNS & HTTPS
Ben @polygonben
@techspence One has been publicly documented - although I’m not aware anyone has shared the TAs prompts or details in how this data was stolen, yet
spencer @techspence
Any red teamers out there using AI platforms for initial access with any level of success? I’m talking like some kind of prompt injection to code execution on a host
Ben @polygonben
@techspence I’m yet to share this research publicly - if you want full dumps from the TAs servers - let me know some interesting victims, in one case can see over 1k of the TAs prompts that led to the compromise
Ben reposted
Jevon_Ang @Jev_3ng
Most SOC reports and write-ups are punchy, to-the-point, polished reports. After all, every investigation (regardless of vertical) starts out as a chaotic mix of different threads that we corral into order like a tired sheepdog dreaming of making it as an internet meme and retiring on the royalties. Unfortunately, these polished reports don't capture how we actually form our suspicions, the pivots, the dead ends, the moment it all starts to make some semblance of sense. If you've ever wondered what that process actually looks like, I've spun up a blog series that breaks down real MDR incidents to capture what it's like riding the investigation roller-coaster, so those new to the industry can see how we progress from start to end within the context of a SOC investigation. Please enjoy this breakdown of a threat actor's attempt to enumerate and pivot further into the victim's environment — made with 100% organic human analyst tears! jevonang.com/Investigations…
Ben reposted
IntelOps @IntelOpsV3
Who is Pryx? 👀 Our latest cybercrime intelligence report examines a threat actor tied to data breaches, Hellcat / SLSH, and claims of access to infrastructure leading to a fatal incident ⬇️ See full report #CyberCrime #OSINT #ThreatIntel #Ransomware
Ben reposted
ܛܔܔܔܛܔܛܔܛ @skocherhan
#Kimsuky #DPRK🇰🇵
Ben reposted
YungBinary @YungBinary
New blog! We found an open directory attributed to #MuddyWater Iranian APT and found vulnerabilities/victims they've been targeting, red-team tools, and a loader that deploys a persistent variant of #Tsundere botnet - a MaaS sold by a Russian threat actor that is known for using #EtherHiding to store C2 addresses on the Ethereum blockchain. esentire.com/blog/muddywate…
Ben @polygonben
Smh need to go patch this defense evasion technique 🤦‍♂️
Ben @polygonben
I could create a script that stores payloads using stego, evading detection. This is still not a vulnerability.
Ben reposted
Censys @censysio
🖥️ In new research, Censys ARC Principal Security Researcher Andrew Northern examines NetSupport Manager, a legitimate, code-signed remote administration tool frequently repurposed as C2 infrastructure. Exposed Gateways are due to either enterprise exposure or adversary-operated C2 — both of which present risk. Censys sees 25 unique hosts and 74 associated assets exposing active NetSupport Gateway services. Learn more about NetSupport Manager exposures and how to track them in the full blog: hubs.ly/Q046D7rF0. #CensysARC
Ben reposted
Hunt.io @Huntio
🚨 🇷🇺 NEW RESEARCH: Operation Roundish - Uncovering an APT28 Roundcube Exploitation Toolkit Targeting Ukraine
During infrastructure analysis, we identified an exposed server hosting what appears to be a complete Roundcube exploitation toolkit linked to #APT28 (#FancyBear) operations. Full technical analysis + IOCs here 👇 hunt.io/blog/operation…
Key findings:
• Open directory exposed 61 files across 36 directories containing payloads, tooling, and operator artifacts
• Toolkit targets Roundcube webmail for credential harvesting, mailbox exfiltration, and persistent mail forwarding
• 14 TTP overlaps with ESET's documented Operation RoundPress campaign
• Infrastructure targeting mail.dmsu(.)gov(.)ua (#Ukraine State Migration Service)
• Toolkit includes a Flask C2 server, CSS side-channel module, and a Go Linux implant (httd)
Ben reposted
cyber_security_puns @PunsCyber
Fellow InfoSec Brits, I do not recommend this chippy, they don't have mushy peas.
Ben reposted
R3BELF0X @goldenjackel12
#SkyCloak #APT #VortexWerewolf #Phishing Scan_12243_tlg_na_perepodgotovku_dsp.​‌pdf‍​.lnk a787dc837534873327d3cf9e76749bed #ZIP dfb41b91b8022aaa79a5d1155c49e3ab 5daae9c5799c3e66efdacaa4738187b4 @PrakkiSathwik @500mk500 @polygonben @ElementalX2
Sathwik Ram Prakki @PrakkiSathwik

#SkyCloak #APT #VortexWerewolf #Phishing [1/2] 14567_sm_95_595_by_nomenclature.‍​‍pdf‍​‌.lnk 7cad7de3aad41060d0e4246017d733e2 spisok_ip_adresov_narusheniya.‍‌​pdf‍‍‌.lnk d7e7f396a695cb23d0fda4dc716e47a6 juliw3eyjz5gx7hup73jbnyeqrdlrzvzxxsbww2tewp3sbh2qtpbasad[.]onion
