CYBCRIME

339 posts

@stdal_

nothing new under the sun, that's why we have to rise above

Joined January 2022
128 Following, 33 Followers
CYBCRIME retweeted
tanuki42 @tanuki42_
1/8 A North Korean recruiter just tried to pay me $300/month to launder his Upwork identity. Here is how the pitch works: 🧵
CYBCRIME retweeted
Microsoft Threat Intelligence @MsftSecIntel
Microsoft is investigating the compromise of the mistralai PyPI package v2.4.6. Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux. The file name transformers.pyz appears deliberately chosen to mimic the widely used Hugging Face Transformers library and blend into ML/dev environments. The main payload is a credential stealer, but it also includes country-aware logic; it avoids Russian-language environments and contains a geo-fenced destructive branch that has a 1-in-6 chance of executing rm -rf / when the system appears to be in Israel or Iran. To mitigate this threat: isolate affected Linux hosts, block 83[.]142[.]209[.]194, hunt for /tmp/transformers.pyz, pgmonitor[.]py, and pgsql-monitor.service, and rotate exposed credentials.
CYBCRIME retweeted
Emmy Byrne @byrne_emmy12099
Update_251001 ACM Sakesan Kantha.pdf.lnk 22180919f562fb9f6e50d7f20b2eb3f94eb009c212b74b45cf77659fe8274d5b #APT #Kimsuky
CYBCRIME retweeted
Baptiste Robert @fs0c131y
New research reveals detailed analysis of DPRK VPN infrastructure used by North Korean operatives abroad. According to technical analysis published by NK Internet Watch, "Hangro" appears to be a specialized VPN client that enables North Koreans overseas to establish secure connectivity back to domestic networks, potentially including the Kwangmyong intranet.
📍 Infrastructure spans multiple countries with servers in Russia (188.43.136.115/116) and North Korea (175.45.176.21/22)
📍 Requires mutual TLS authentication with certificates signed by internal CA "hrra2024"
📍 Uses embedded GOST cipher references suggesting Russian cryptographic influence
The research traces connections through Jo Myong Chol, a sanctioned DPRK national who registered supporting domains using the email support@silibank.com. This same email was used for other regime-affiliated sites including ournation-school.com and uriminzogkiri.com.
1️⃣ Radio Free Asia reported North Korean trading companies pay $350 to the Shenyang consulate for Hangro access
2️⃣ Technical analysis reveals the client is derived from SoftEther VPN with custom authentication mechanisms
3️⃣ The service recently appeared on DPRK-affiliated websites as "service for visitors away from home" before disappearing in July 2025
This infrastructure represents a sophisticated method for maintaining regime connectivity with overseas operatives and commercial entities.
Source: nkinternet.wordpress.com/2025/01/06/han…
CYBCRIME @stdal_
@dystopiangf I think it's because we switched to a management era. Instead of leading to build and create new things inspired by a great vision, the "elite" now just manage stuff so that everything doesn't fall apart
ℜ𝔞𝔢 @dystopiangf
Civilizations used to dream. Even communists wanted to go to the stars. At some point, the future died; we all silently decided that the purpose of a civilization is not to dream, but to just scrape by, to cut corners, to be as close to bare minimum functionality as possible
CYBCRIME retweeted
vx-underground @vxunderground
How tf did the FBI / NSA get a picture of North Korean IT workers working
CYBCRIME retweeted
Cyber_OSINT @Cyber_O51NT
A recent report reveals that Pakistani freelancers are creating cracking websites linked to stealer malware, using a pay-per-install model, while exploiting SEO tactics to promote these sites amidst low prosecution risks. #cybersecurity #malware ift.tt/bOGhQW7
CYBCRIME retweeted
Oleg @Cyber_0leg
💸 From dirty crypto to clean money: how Russophone cybercriminals launder illicit crypto profits? Fake inheritances, shady casinos, fake businesses, and shell companies. The real bottleneck? Legalization. 🔗 Link in comments #CTI #CryptoLaundering #DarkWeb
CYBCRIME retweeted
Intrinsec @Intrinsec
🔎 [THREAD] – Doppelgänger: A New Disinformation Campaign Spreading on Social Media 📢 📄 A newly released report sheds light on the tactics used by this Russian-linked network to target multiple Western countries. ⬇️
CYBCRIME retweeted
Intrinsec @Intrinsec
🚨 [New Report Alert!] Our CTI team just published: "Premium Panel: phishing tool used in longstanding campaigns worldwide." 👉 This report reveals insights into a phishing kit used in campaigns for over two years! 📅 Read the full report here: intrinsec.com/premium-panel-…
CYBCRIME retweeted
404 Media @404mediaco
Researcher turns insecure license plate cameras into open source surveillance tool
Privacy advocate draws attention to the fact that hundreds of police surveillance cameras are streaming directly to the open internet. 🔗 404media.co/researcher-tur…
CYBCRIME retweeted
TrendAI™ Research @trendai_RSRCH
Earth Koshchei's rogue Remote Desktop Protocol campaign targets government, military, and academia via spear-phishing, with alleged ties to Russia's intelligence. Learn more about this new threat actor's tactic: ⬇️ research.trendmicro.com/3DhR710
CYBCRIME retweeted
Baptiste Robert @fs0c131y
Hackers claim to have breached Gravy Analytics, a US location data broker selling to government agencies. They shared 3 samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe. It's OSINT time! 👇
CYBCRIME retweeted
Intrinsec @Intrinsec
🎉 Happy New Year! Our CTI team has just published a new report: "CryptBot: Hunting for Initial Access Vectors." Here’s what we’ve uncovered about the malware’s spreading methods, originally shared privately with our clients in September. 🧵
CYBCRIME retweeted
Intrinsec @Intrinsec
🚨 New Report Alert! 🚨 Our CTI team has just released a new report: "Prospero & Proton66: Uncovering the links between bulletproof networks." Here's what we've uncovered about these two Russian Autonomous Systems and their malicious connections. 🧵
CYBCRIME retweeted
Mandiant (part of Google Cloud)
🚨 Mandiant observed #LummaC2 stealers leveraging a new obfuscation technique to thwart analysis tools and stifle reverse engineering efforts. Read about this tactic, and how we developed an automated method for removing this protection layer → bit.ly/47IImbK