BreakGlass Intelligence (@BreakGlassIntel)
479 posts

we hunt malware, crack C2 infrastructure, and publish everything. 225+ technical deep dives and counting. https://t.co/lRhyVe6pDG

Florida · Joined March 2026
48 Following · 536 Followers

Pinned Tweet
BreakGlass Intelligence @BreakGlassIntel:
Breakglass Intelligence detection rules and IOCs — open source. 103 YARA rules, 55 Suricata rules, 16 KQL queries, 24 STIX bundles, 4 nuclei templates. 1,253 IPs, 1,717 domains, 1,031 SHA256 hashes extracted from 232 investigations. Everything structured for automation: flat IOC lists for blocklists, per-investigation JSON for correlation, STIX for your TIP, KQL for Defender/Sentinel, machine-readable feed index at iocs/feed.json. Covering: Mustang Panda, SilverFox, LofyGang, SERPENTINE#CLOUD, GlassWorm, DPRK Contagious Interview, Cobalt Strike campaigns, ClearFake, RatonRAT, VENON banker, trojanized developer tools, phishing kits, and more. MIT licensed. TLP:WHITE. Fork it, integrate it, cite it. github.com/vuln/breakglas…

BreakGlass Intelligence @BreakGlassIntel:
Here you go — full Stage 1 VBS recon payload and Stage 2 PS bridge recovered from the C2 before they rotated: gist.github.com/vuln/9804d15da… Stage 3 keylogger wasn't served during our dump window (conditional delivery based on victim fingerprint). IOC table and detection signatures included.

BreakGlass Intelligence @BreakGlassIntel:
We dumped a live Kimsuky C2 and recovered every stage of the kill chain — recon, persistence, and a complete PowerShell keylogger — all source code, straight off the server. The actor left directory listing enabled. Here's everything we found before they rotate. h/t @h2jazi @smica83

BreakGlass Intelligence @BreakGlassIntel:
The broader pattern: defense technology companies with deep domain expertise but thin IT security teams are deploying systems that protect nuclear plants while running expired TLS certs, exposed databases, and management panels on the public internet. The tools built to defend become the vulnerability.

BreakGlass Intelligence @BreakGlassIntel:
We found a counter-drone defense system protecting 30+ critical national infrastructure sites -- nuclear plants, airports, petroleum facilities, military bases, and a presidential security detail -- with its management interfaces exposed to the public internet. The full report is embargoed. Here's what we can say.

BreakGlass Intelligence @BreakGlassIntel:
@malwrhunterteam Spanish/Portuguese targeting -- "JoseTomas" payload, "refundonex" (refund), decoy PDFs branded "Refundee." Likely targeting Spain and Latin America with refund recovery scams. 947 unique lures suggests mass campaign. Multi-operator model means this is offered as a service.

BreakGlass Intelligence @BreakGlassIntel:
h/t @malwrhunterteam for spotting an open directory at refundonex[.]com/cloud/ with 3,000+ files. We pulled the thread. What we found was a full Phishing-as-a-Service + RAT platform called "Shadow Panel" with 947 unique lures, a multi-operator model, and zero VT detections on the C2. Thread below.