  • 0 Votes
    1 Posts
    0 Views
    matchbook3469@infosec.exchange
    THREAT INTEL | Gorey Community School
    🟢 Actor "payload" claims Undisclosed
    Unverified claim
    https://www.yazoul.net/intel/claim/2026-05-14-gorey-community-school-ransomware-by-payload-may-2026
    #DarkWeb #DataBreach #ThreatIntel #CyberSecurity #InfoSec
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (socket.dev) Malicious Activity Detected in New Versions of node-ipc npm Package: Stealer and Backdoor Behavior Identified
    Newly published versions of the node-ipc npm package (9.1.6, 9.2.3, 12.0.1) identified as malware with stealer/backdoor capabilities. Host fingerprinting, file enumeration, and encrypted data exfiltration detected. Immediate blocking and auditing of affected versions advised.
    In brief - Critical supply chain compromise in node-ipc npm package (versions 9.1.6, 9.2.3, 12.0.1) introduces stealer/backdoor functionality, enabling data exfiltration and system compromise. Historical malicious activity (e.g., geo-targeted destructive payloads in 10.1.1/10.1.2) underscores persistent risks in JavaScript dependencies.
    Technically - Malicious node-ipc versions employ host environment fingerprinting, local file enumeration, and data compression before exfiltrating payloads via encrypted envelopes. Network endpoints dynamically selected via DNS or hardcoded logic. Prior incidents include CVE-less destructive malware (10.1.1/10.1.2) and peacenotwar dependency abuse (11.0.0/11.1.0). Socket’s AI scanner flagged these as malware within minutes of publication.
    Source: https://socket.dev/blog/node-ipc-package-compromised
    #Cybersecurity #ThreatIntel
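The post's "auditing of affected versions" step, as an added example that is not part of the post or of the socket.dev write-up: a lockfile audit that walks both the flat `packages` map of npm lockfile v2/v3 and the nested `dependencies` tree of v1, so transitive copies of node-ipc pinned anywhere in the tree are reported. The flagged versions are the ones the post names (current stealer/backdoor releases plus the historical destructive and peacenotwar ones); the lockfile content is constructed.

```python
"""Audit an npm lockfile for node-ipc versions named in the socket.dev post.

Added example, not code from the socket.dev article or the node-ipc project.
The version list comes from the post; SAMPLE_LOCK below is constructed.
"""
import json

# Versions named in the post: current stealer/backdoor releases plus the
# historical destructive (10.1.1/10.1.2) and peacenotwar (11.0.0/11.1.0) ones.
FLAGGED = {
    "node-ipc": {
        "9.1.6": "stealer/backdoor",
        "9.2.3": "stealer/backdoor",
        "12.0.1": "stealer/backdoor",
        "10.1.1": "destructive payload (historical)",
        "10.1.2": "destructive payload (historical)",
        "11.0.0": "peacenotwar dependency (historical)",
        "11.1.0": "peacenotwar dependency (historical)",
    }
}


def _walk_v1(deps, prefix, out):
    # lockfileVersion 1 nests transitive deps under each entry's "dependencies"
    for name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        out.append((path, name, meta.get("version")))
        _walk_v1(meta.get("dependencies"), path + "/", out)


def installed_packages(lock):
    """Return (install_path, package_name, version) for every installed entry."""
    out = []
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself
            # scoped and nested paths both end in the package name
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            out.append((path, name, meta.get("version")))
    else:
        _walk_v1(lock.get("dependencies"), "", out)
    return out


def find_flagged(lock_text):
    """Return findings for every flagged package@version found in the lockfile."""
    findings = []
    for path, name, version in installed_packages(json.loads(lock_text)):
        reason = FLAGGED.get(name, {}).get(version)
        if reason:
            findings.append({"path": path, "name": name,
                             "version": version, "reason": reason})
    return findings


# Constructed lockfile: one top-level node-ipc at a flagged version and one
# clean transitive copy pinned under another package.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/node-ipc": {"version": "9.1.6"},
        "node_modules/some-tool": {"version": "2.0.0"},
        "node_modules/some-tool/node_modules/node-ipc": {"version": "9.2.2"},
    },
})

if __name__ == "__main__":
    for f in find_flagged(SAMPLE_LOCK):
        print(f"FLAGGED {f['name']}@{f['version']} at {f['path']}: {f['reason']}")
```

Run it against a real `package-lock.json` by passing the file's contents to `find_flagged`; a non-empty result means the pinned tree contains one of the listed releases and the install should be blocked until the dependency is repinned.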
  • Uncategorized microsoft infosec botnet threatintel threatintellige
    1
    0 Votes
    1 Posts
    0 Views
    aakl@infosec.exchange
    Microsoft: Kazuar: Anatomy of a nation-state botnet
    https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/
    #Microsoft #infosec #botnet #threatintel #threatintelligence #malware
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (lab52.io) Geopolitical Tensions in the Radio Frequency Spectrum: State-Sponsored Interference and Influence Operations
    State-sponsored RF spectrum interference escalates as Russia, China, Iran, and DPRK deploy adaptive jamming, GPS spoofing (ICAO-documented), and FIMI ops. Critical infrastructure at risk—civil aviation, broadcasting, and SIGINT disrupted.
    In brief - State actors are weaponizing the radio frequency spectrum for information control, signal suppression, and covert C2. Adaptive jamming, GPS spoofing, and numbers stations (e.g., V32, UVB-76) reflect coordinated policies, not opportunistic attacks. Grey-zone threats demand enhanced SIGINT and countermeasures.
    Technically - Iran’s real-time frequency reassignment counters opposition broadcasts, while China’s Firedrake system (9–10 kHz bandwidth) blocks BBC/Taiwanese stations with programmed carriers. DPRK’s GPS spoofing disrupted civil aviation, and numbers stations transmit encoded C2 traffic. These ops merge EW with cyber-physical threats, requiring advanced spectrum monitoring to mitigate kinetic risks.
    Source: https://lab52.io/blog/trends-in-radio-frequency-spectrum-activity-and-its-impact-on-the-geopolitical-landscape/
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    technadu@infosec.exchange
    Iran-linked MuddyWater APT reportedly breached organizations across 9 countries in Q1 2026 using DLL sideloading, PowerShell implants, Chromium credential theft, and SOCKS5 tunneling.
    Researchers say signed Fortemedia & SentinelOne binaries were abused for stealth.
    https://www.technadu.com/iran-linked-muddywater-group-breached-organizations-in-9-countries-in-q1-2026-including-major-electronics-maker/627875/
    #CyberSecurity #ThreatIntel #APT #InfoSec
  • 0 Votes
    1 Posts
    0 Views
    P
    Wave-2 Pterodo beacon URL pattern (n=14 samples since 2026-02): /(Svvr|SSsr|Akad|Akk|Gpps|Mouuds)(Htm|Ua|U)?-DD-MM → 212.193.20.110
    5 of 6 verbs carry double-letter alliteration (vv/Ss/kk/pp/uu) — same operator habit as the 2022-23 `j-j-j` URL generator + the alliterative *orious.ru / *mucoris.ru apex naming Talos/Symantec documented years ago. Three years later, same fingerprint.
    Bare-IP + plain HTTP + no TLS = SNI inspection won't catch it. Block 212.193.20.110 directly.
    Suricata draft rules: github.com/palianytsia-200/U-OB-KY/blob/main/rules/pterodo-wave2-beacon.rules
    #Pterodo #UAC0010 #Gamaredon #ThreatIntel
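The URL pattern and the bare-IP/plain-HTTP observation above, turned into proxy-log detection logic, as an added example that is not part of the post and not the author's Suricata rules: the path regex is the one the post gives (with DD-MM taken as two-digit day and month), the destination is the one the post names, and the log lines are constructed. Because the post points out that SNI inspection sees nothing here, the check also flags plain HTTP to a bare IPv4 host on its own, at low severity, so a change of beacon verb or destination still leaves a trail.

```python
"""Flag Wave-2 Pterodo beacon URLs and bare-IP plain-HTTP requests in proxy logs.

Added example, not code from the post above or from the linked rule set.
The path pattern and destination are taken from the post; SAMPLE_LOG is
constructed in a simple "<ts> <src> <method> <url>" format.
"""
import re
from ipaddress import ip_address

# Pattern from the post: verb, optional suffix, then -DD-MM
BEACON_PATH = re.compile(
    r"^/(Svvr|SSsr|Akad|Akk|Gpps|Mouuds)(Htm|Ua|U)?-(\d{2})-(\d{2})$")
# Destination named in the post
KNOWN_DST = "212.193.20.110"
URL = re.compile(r"^(https?)://([^/\s]+)(/\S*)?$")


def bare_ip(host):
    """True when the host part (port stripped) is a literal IPv4 address."""
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def classify(line):
    """Return a hit dict for a suspicious request line, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, method, url = parts
    m = URL.match(url)
    if not m:
        return None
    scheme, host, path = m.group(1), m.group(2), m.group(3) or "/"
    reasons = []
    if BEACON_PATH.match(path):
        reasons.append("pterodo-wave2-path")
    if host.split(":")[0] == KNOWN_DST:
        reasons.append("known-destination")
    if scheme == "http" and bare_ip(host):
        reasons.append("plain-http-to-bare-ip")
    if not reasons:
        return None
    # Path or destination match is a strong indicator; bare-IP HTTP alone is weak
    strong = "pterodo-wave2-path" in reasons or "known-destination" in reasons
    return {"ts": ts, "src": src, "host": host, "path": path,
            "reasons": reasons, "severity": "high" if strong else "low"}


def scan(log_text):
    """Run classify over every line and keep the hits."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


# Constructed log: a full-pattern beacon, a beacon to a different bare IP,
# an unrelated bare-IP request, and a near-miss path over HTTPS.
SAMPLE_LOG = """\
2026-03-02T10:00:01Z 10.0.0.5 GET http://212.193.20.110/Svvr-02-03
2026-03-02T10:00:02Z 10.0.0.7 GET http://198.51.100.9/AkkUa-02-03
2026-03-02T10:00:03Z 10.0.0.8 GET http://203.0.113.4/update/check
2026-03-02T10:00:04Z 10.0.0.9 GET https://example.com/Svvr-02-03-extra
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['severity']:<4} {hit['src']} -> {hit['host']}{hit['path']} "
              f"[{', '.join(hit['reasons'])}]")
```

The low-severity bare-IP class will fire on legitimate traffic (update checks, internal tooling), so it belongs in a hunting query rather than an alert; the two strong classes are what the post's blocking advice covers.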
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (praetorian.com) Exposing the Hidden Risks of Single-Page Applications: How Frontend Code Reveals Backend Vulnerabilities
    SPAs expose full frontend code—including API endpoints, auth logic, and hardcoded secrets—to unauthenticated users, creating a critical attack surface. AI-assisted tools now automate extraction of this data to uncover IDORs, unauthenticated endpoints, and misconfigured backend services.
    In brief - SPAs inadvertently leak sensitive backend details via JavaScript bundles, enabling attackers to map APIs, fuzz endpoints, and exploit vulnerabilities like IDOR (CWE-639) or unauthenticated access. Hardcoded secrets in frontend code, exacerbated by AI-assisted development, further compound risks. Treat frontend code as public and enforce backend security controls.
    Technically - SPAs built with React/Vue/Angular ship minified but readable JavaScript bundles (webpack/Vite/Rollup) containing route definitions, API URLs, and auth flows. AI tools like Claude Code deconstruct these bundles to map backend services, fuzz APIs for IDORs (e.g., CVE-2023-XXXX), or identify misconfigured serverless components (e.g., Lambda functions bypassing API Gateway auth). Error handling (e.g., 500 responses) may expose direct Lambda access. Hardcoded secrets in frontend code, detected via tools like Titus, enable credential harvesting. Mitigations: enforce authZ at all backend layers, avoid client-side secrets, and design for public frontend code.
    Source: https://www.praetorian.com/blog/spa-frontend-security/
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (datadoghq.com) Analysis of the Shai-Hulud Offensive Framework: TeamPCP's Modular TypeScript Toolkit for Supply Chain and Credential Harvesting Attacks
    TeamPCP's Shai-Hulud framework, a modular TypeScript/Bun toolkit, was exposed—revealing advanced supply chain and credential harvesting TTPs targeting CI/CD pipelines and dev environments.
    In brief - TeamPCP’s Shai-Hulud framework leverages GitHub Actions exploitation, OIDC token abuse, and sigstore provenance forgery to poison npm packages and harvest credentials. Features include memory extraction from CI runners, hybrid encryption for exfiltration, and a coercive deadman switch for persistence. The framework avoids CIS countries, aligning with TeamPCP’s known targeting patterns.
    Technically - Shai-Hulud is a production-grade offensive framework written in TypeScript for the Bun runtime. It employs:
    - **Credential Harvesting**: Memory extraction from GitHub Actions runners (bypassing secret masking), environment variable scraping, and scanning of 100+ sensitive file paths.
    - **Exfiltration**: Hybrid encryption (AES-256-GCM + RSA-4096-OAEP) for C2 or GitHub dead-drop exfiltration.
    - **Persistence**: macOS LaunchAgents, Linux systemd services, and a deadman switch threatening data destruction.
    - **Supply Chain Poisoning**: OIDC-based trusted publishing and sigstore provenance forgery to legitimize malicious npm packages.
    - **Obfuscation**: Polyalphabetic substitution and control flow flattening to evade signature-based detection.
    Russian locale check confirms TeamPCP’s operational scope.
    Source: https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    technadu@infosec.exchange
    Fake Claude Code installers are deploying PowerShell stealers that abuse Chrome’s IElevator2 interface to extract browser credentials, cookies & payment data from developers.
    AI tooling ecosystems are quickly becoming a major attack surface.
    Source: https://www.ontinue.com/resource/blog-behind-a-fake-claude-code-installer/
    Follow @technadu for more threat intelligence updates.
    #Infosec #CyberSecurity #AI #Malware #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (wiz.io) Fragnesia: New DirtyFrag Variant Exploits Linux Kernel XFRM ESP-in-TCP for Local Privilege Escalation
    New DirtyFrag variant *Fragnesia* exploits Linux kernel XFRM ESP-in-TCP (CVE pending) for local privilege escalation via page cache corruption. Unprivileged attackers can overwrite read-only files (e.g., /usr/bin/su) to gain root without disk modification.
    In brief - A logic flaw in Linux kernel's XFRM ESP-in-TCP handling enables unprivileged local attackers to corrupt page cache contents and escalate privileges. Exploits AES-GCM keystream manipulation; partial mitigations exist but patching is critical.
    Technically - Fragnesia abuses skb coalescing in the XFRM ESP-in-TCP subsystem by splicing file-backed pages into a TCP receive queue before ESP processing. Attackers use CAP_NET_ADMIN (via user/network namespaces), NETLINK_XFRM to install crafted ESP SAs, and trigger in-place decryption to corrupt cached file pages. Demonstrated by overwriting /usr/bin/su with an ELF payload executing setresuid(0,0,0). AppArmor restrictions on unprivileged user namespaces may mitigate, but kernel patches are required.
    Source: https://www.wiz.io/blog/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (jamf.com) MobiDash: Evolution from Adware to a Sophisticated Android Fraud Platform with Ghost Clicks and Proxy Infrastructure
    MobiDash has evolved from adware into a sophisticated Android fraud platform, combining click injection, phantom ad rendering, and residential proxy infrastructure orchestrated by a dynamic C2 server.
    In brief - MobiDash is a modular Android fraud platform embedded in repackaged apps, using advanced ad fraud and proxy monetization. It fabricates user interactions via VirtualDisplay and synthetic touch events, while its C2 server enables live code updates, posing risks to users and advertisers.
    Technically - MobiDash injects malicious payloads into legitimate APKs via an automated patcher, using SQLCipher for encrypted storage and emulator checks for evasion. It employs reflection to replace base contexts, spoofs ad SDKs via PackageManager interception, and renders phantom ads using VirtualDisplay. The C2 server delivers interaction scripts, JavaScript injections, and synthetic touch sequences. Proxy infrastructure (Hopmon SDK, SOCKS5 with SSH tunnels) enables bandwidth monetization and geographic fraud.
    Source: https://www.jamf.com/blog/mobidash-android-ad-fraud-click-injection-analysis/
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (nozominetworks.com) Sandworm Unmasked: Operational Patterns, Escalation Tactics, and Defensive Strategies Against Russia's Most Disruptive Cyber Threat Actor
    Sandworm (APT44/GRU Unit 74455) remains a premier cyber-physical threat, prioritizing ICS/OT disruption over financial gain. New analysis of 29 confirmed events (Jul 2025-Jan 2026) reveals structured operational patterns and escalatory post-detection behavior.
    In brief - Sandworm’s Moscow-aligned activity targets critical infrastructure with weeks of advance warnings. Detection triggers aggressive lateral movement toward OT assets, demanding proactive hygiene and segmentation.
    Technically - Sandworm leverages EternalBlue, DoublePulsar, and Log4Shell for lateral spread, averaging 43 days of precursor alerts. Post-detection, it escalates across MITRE ATT&CK tactics, increasing alert volume and ICS focus (e.g., HMIs, field controllers). Containment requires rapid vulnerability remediation and ICS-adjacent monitoring.
    Source: https://www.nozominetworks.com/blog/sandworm-activity-in-industrial-environments-what-the-data-reveals
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (talosintelligence.com) Demystifying Ethical Hacking: A Conversation with Vulnerability Researcher Philippe Laulheret
    New insights from Talos Intelligence’s Philippe Laulheret on proactive vulnerability research and ethical hacking—biometric bypasses and zero-day hunting in focus.
    In brief - Senior Vulnerability Researcher Philippe Laulheret discusses his role in identifying flaws in software, hardware, and physical systems before exploitation. His work includes bypassing biometric fingerprint readers using unconventional methods, emphasizing the need for proactive threat mitigation. CTF challenges and reverse engineering are key to skill development in this field.
    Technically - Laulheret’s approach involves autonomous reverse engineering to uncover vulnerabilities, contrasting with traditional consulting. His background in electrical/computer engineering and CTF participation sharpens exploit development and system analysis. Experiments like biometric bypasses (e.g., using organic materials) highlight creative attack vectors. Detection rules derived from this research help preemptively secure customers against zero-day threats.
    Source: https://blog.talosintelligence.com/breaking-things-to-keep-them-safe-with-philippe-laulheret/
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    ifin@infosec.exchange
    We are tracking the new Nightmare Eclipse exploits, and we even have some listed IoCs from the code/repo files for you.
    https://discourse.ifin.network/t/chaotic-eclipse-nightmare-eclipse-drops-two-windows-0days/437
    #ThreatIntel #ThreatIntelligence #IFIN
  • 0 Votes
    1 Posts
    0 Views
    trojanfoxtrot@infosec.exchange
    PhantomGraph proof of detecting phishing and redirects. Upgrade your email analysis game at app.phantomgraph.io
    #infosec #PhantomGraph #threatintel #phishing #cybersecurity
  • 0 Votes
    4 Posts
    10 Views
    starkzarn@infosec.exchange
    @ifin @misp No worries! That's what I figured it was
  • 0 Votes
    1 Posts
    0 Views
    matchbook3469@infosec.exchange
    THREAT INTEL | Jozef Stefan Institute (IJS)
    🟢 Actor "coinbasecartel" claims Undisclosed
    Allegedly exposed
    • NDA documents
    • Project files
    Unverified claim
    https://www.yazoul.net/intel/claim/2026-05-12-jozef-stefan-institute-ransomware-attack-by-coinbasecartel-may-2026
    #DarkWeb #DataBreach #ThreatIntel #CyberSecurity #InfoSec
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (netcraft.com) Exploitation of Webflow Platform for Large-Scale Booking.com Brand Impersonation and SEO Poisoning
    Threat actors are abusing Webflow’s platform to host large-scale Booking.com brand impersonation via SEO poisoning, leveraging HTTPS-enabled lookalike subdomains for credibility.
    In brief - Cybercriminals exploit Webflow’s infrastructure to deploy fraudulent Booking.com lookalikes, using keyword-stuffed subdomains (e.g., bookinggcomdubaflighttickets[.]webflow[.]io) and static image-based pages to manipulate search rankings. The campaign targets high-intent travel queries, particularly Dubai-related, during peak seasons, eroding user trust and brand integrity.
    Technically - The operation combines visual mimicry with SEO poisoning, embedding keyword-dense HTML to deceive search engines while presenting static, full-page replicas of Booking.com. Subdomains feature deliberate misspellings and travel-related terms to capture organic traffic. The abuse of Webflow’s HTTPS certificates complicates detection, while the scalable infrastructure suggests potential redirection to credential harvesting or monetization endpoints. Monitor for lookalike domains and seasonal keyword trends.
    Source: https://www.netcraft.com/blog/booking-dot-com-lookalike-pages-hosted-on-webflow-subdomains
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (guardz.com) Mini Shai-Hulud: Self-Propagating Worm Compromises npm Ecosystem via CI/CD Pipeline Hijacking
    Mini Shai-Hulud worm (TeamPCP) compromised 200+ npm packages via CI/CD hijacking, targeting TanStack, Mistral AI, and others. Attack executed at install time, bypassing SLSA provenance and harvesting credentials from dev workstations/cloud environments. Destructive persistence triggered on token revocation.
    In brief - A self-propagating npm worm attributed to TeamPCP leveraged stolen tokens and GitHub Actions abuse to compromise 200+ packages, exfiltrating credentials via dead-drops and threatening system wipes. Critical gaps in SLSA provenance and package signing enabled the attack.
    Technically - Mini Shai-Hulud exploited `pull_request_target` workflows, cache poisoning, and OIDC token extraction to inject malicious `router_init.js` payloads at install time. The 2.xMB obfuscated JS targeted 100+ credential paths (GitHub/npm tokens, cloud creds, Kubernetes configs) across macOS/Linux/Windows. Exfiltration used Session Protocol, GitHub GraphQL dead-drops, and a typosquatted domain (`git-tanstack.com`). Persistence via systemd/LaunchAgents and IDE hooks, with destructive triggers tied to token revocation. Propagation scaled by infecting all packages owned by compromised maintainers.
    Source: https://guardz.com/blog/shai-hulud-strikes-again/
    #Cybersecurity #ThreatIntel
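The `pull_request_target` abuse named in the post above is a misconfiguration a repository owner can check for before an attacker does, so here is an added example that is not part of the post, the guardz.com write-up, or any affected project: a standard-library audit of a GitHub Actions workflow that flags the dangerous combination (`pull_request_target` trigger, checkout of the pull request head, and a package install or secret reference in the same job). It uses line-oriented regexes rather than a YAML parser so it runs offline; the two workflow texts are constructed.

```python
"""Heuristic audit of a GitHub Actions workflow for the pull_request_target
pattern described in the Mini Shai-Hulud post.

Added example, not from the guardz.com article or any affected project.
Regex checks stand in for a YAML parser; RISKY_WORKFLOW and SAFE_WORKFLOW
are constructed.
"""
import re

# Trigger that runs with the base repository's write-capable GITHUB_TOKEN,
# either as a mapping key under "on:" or inside an "on: [...]" list.
TRIGGER = re.compile(
    r"^\s*-?\s*pull_request_target\s*:?\s*$|^on:\s*(\[.*)?\bpull_request_target\b",
    re.M)
# Checking out the PR head puts contributor-controlled files into that job.
PR_HEAD = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
# A package install runs the checked-out tree's lifecycle scripts.
INSTALL = re.compile(r"\b(npm|pnpm|yarn)\s+(ci|install|i)\b")
# Secrets made available to the same workflow are reachable from that code.
SECRETS = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")


def audit_workflow(text):
    """Return {"severity", "findings"} for a pull_request_target workflow,
    or None when the workflow does not use that trigger."""
    if not TRIGGER.search(text):
        return None
    findings = ["pull_request_target trigger (runs with repo write token)"]
    severity = "info"
    if PR_HEAD.search(text):
        findings.append("checks out PR head: untrusted code runs with that token")
        severity = "critical"
    if INSTALL.search(text):
        findings.append("runs a package install: lifecycle scripts execute")
    if SECRETS.search(text):
        findings.append("references secrets: reachable from the untrusted job")
        if severity != "critical":
            severity = "high"
    return {"severity": severity, "findings": findings}


# Constructed: the combination the post describes being exploited.
RISKY_WORKFLOW = """\
name: CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed: plain pull_request, which runs fork PRs with a read-only token
# and no secrets.
SAFE_WORKFLOW = """\
name: CI
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
"""

if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        result = audit_workflow(wf)
        print(label, "->", "clean" if result is None else result)
```

A real repository would run `audit_workflow` over every file under `.github/workflows/`; the `critical` result is the one to fix first, normally by switching the trigger to `pull_request` or by splitting the privileged publish step into a separate workflow that never checks out contributor code.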
  • 0 Votes
    1 Posts
    2 Views
    ifin@infosec.exchange
    TanStack, a popular web UI framework has had its NPM packages compromised by another installment of Mini Shai-Hulud.
    https://discourse.ifin.network/t/mini-shai-hulud-strikes-again-tanstack-npm-packages-compromised/428
    #ThreatIntel #ThreatIntelligence #IFIN