  • bluewall@infosec.exchange
    Heads up #infosec community. Found a malicious GitHub repo posing as a curated list of cybersecurity Telegram channels. Every link in the README (download, "official website", "Twitter") points to the same ZIP payload. Classic trojanized repo targeting security folks.
    https://github.com/simplefastfunnels254/tg-cybersec

    VT 0/91 on the URL for now, likely evasion. Reported to GitHub (Active Malware/DSA).

    #CyberSecurity #ThreatIntel #OSINT #Malware #GitHub
  • matchbook3469@infosec.exchange
    🧠 Agent Tesla Daily Report
    Trend: stable (12%)
    23 new samples
    0 C2 servers
    Full analysis, IOCs, and hashes: https://www.yazoul.net/malware/agent-tesla/reports/2026-04-17

    #Malware #ThreatIntel #Infosec
  • matchbook3469@infosec.exchange
    THREAT INTEL | Gruppo ICM SPA
    Actor "qilin" claims Undisclosed
    Unverified claim
    https://www.yazoul.net/intel/claim/2026-04-16-gruppo-icm-spa-ransomware-claim-by-qilin-april-2026

    #DarkWeb #DataBreach #ThreatIntel #CyberSecurity #InfoSec
  • darkwebsonar@infosec.exchange
    Cyber Attack incidents spiked 151% to 88 cases this week while Ransomware jumped 44% to 98 operations. Coordinated offensive activity across multiple threat groups.

    #CyberAttack #Ransomware #ThreatIntel
  • orlysec@swecyb.com
    (talosintelligence.com) Cisco Talos Threat Source: Q1 2026 Vulnerability Trends, Supply Chain Compromises, and AI-Enabled Attack Capabilities

    Q1 2026 threat landscape reveals escalating supply chain risks, AI-driven exploitation, and persistent KEV threats. Networking gear accounts for 20% of Known Exploited Vulnerabilities, while 25% of tracked CVEs predate 2025.

    In brief - Cisco Talos reports surging CVE volumes, active abuse of n8n automation platforms for phishing/RAT delivery, and AI models autonomously exploiting zero-days. Adobe Acrobat zero-day (CVE undisclosed) patched after 4 months of exploitation. Russian APTs targeted Swedish critical infrastructure, while PlugX RAT spread via fake AI sites.

    Technically - n8n webhooks abused for device fingerprinting and malware delivery via trusted infrastructure. Supply chain attacks compromised Trivy, LiteLLM, telnyx, and axios npm packages. Anthropic's Mythos Preview demonstrated autonomous zero-day exploitation across OSes/browsers. Prevalent malware: Win.Worm.Coinminer, W32.Injector:Gen, Win.Dropper.Miner. Mitigations include behavioral detection for automation platforms and AI-driven semantic email analysis.

    Source: https://blog.talosintelligence.com/the-q1-vulnerability-pulse/

    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (wordfence.com) Critical Arbitrary File Upload Vulnerability in Ninja Forms – File Upload Plugin Under Active Exploitation

    Critical unauthenticated arbitrary file upload vulnerability in Ninja Forms – File Upload WordPress plugin (CVE pending) actively exploited in the wild. ~50K sites at risk of RCE via path traversal and .htaccess manipulation. Update to 3.3.27+ immediately.

    In brief - A severe flaw in the Ninja Forms plugin allows unauthenticated attackers to upload malicious PHP files and .htaccess configurations, leading to full site compromise. Exploitation began on disclosure day, with 118.6K+ blocked attempts. Patch now.

    Technically - The vulnerability (no CVE yet) enables unauthenticated attackers to bypass file validation via path traversal in the `nf_fu_upload` AJAX action. Exploits observed include: (1) PDF-disguised PHP webshells with `php_uname()` recon, (2) GIF-header-spoofed minimal shells using `shell_exec()`, and (3) malicious .htaccess files (e.g., `%2ehtaccess`) to execute .txt as PHP. Endpoint: POST `/wp-admin/admin-ajax.php?action=nf_fu_upload`.

    Source: https://www.wordfence.com/blog/2026/04/attackers-actively-exploiting-critical-vulnerability-in-ninja-forms-file-upload-plugin/

    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (microsoft.com) Sapphire Sleet macOS Campaign: Social Engineering, Credential Harvesting, and Multi-Stage Payload Delivery Targeting Cryptocurrency Sectors

    North Korean APT Sapphire Sleet (aka BlueNoroff) is actively targeting macOS users in cryptocurrency, finance, and blockchain sectors via a multi-stage social engineering campaign. No CVEs—just deception.

    In brief - Sapphire Sleet lures targets with fake recruiter profiles and Zoom SDK update lures, harvesting credentials via fake macOS dialogs, bypassing TCC/Gatekeeper, and exfiltrating wallets, browser creds, Telegram sessions, and keychain data. Apple has deployed mitigations following coordinated disclosure.

    Technically - The attack begins with a compiled AppleScript lure (Zoom SDK Update.scpt) hiding malicious logic under blank lines. Execution triggers a curl-to-osascript chain (mac-cur1–5 UAs) deploying com.apple.cli, services backdoor, and icloudz (reflective loader via NSCreateObjectFileImageFromMemory). Persistence is achieved via LaunchDaemon (com.google.chromes.updaters). Credential harvesting uses systemupdate.app (dscl -authonly validation) and Telegram Bot API exfil. TCC bypass involves Finder-assisted TCC.db manipulation to grant osascript AppleEvents permissions. A 575-line AppleScript exfiltrates 7 data categories (wallets, SSH keys, Notes) over port 8443.

    Source: https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/

    #Cybersecurity #ThreatIntel
  • orlysec@swecyb.com
    (picussecurity.com) CVE-2026-3055 'CitrixBleed 3': Critical Unauthenticated Memory Overread in Citrix NetScaler SAML IdP Path

    Critical unauthenticated memory overread vulnerability CVE-2026-3055 ('CitrixBleed 3') actively exploited in Citrix NetScaler ADC/Gateway SAML IdP deployments. CVSS v4.0 9.3 flaw leaks session tokens, SAML assertions, and LDAP credentials via NSC_TASS cookie. Patch immediately.

    In brief - CVE-2026-3055 enables pre-authentication memory disclosure in NetScaler SAML IdP paths, exposing sensitive credentials and session material. Actively exploited; CISA KEV-listed. Patch to 14.1-66.59/13.1-62.23/13.1-FIPS 13.1-37.262 and rotate all credentials on exposed systems.

    Technically - Two exploitation primitives: (1) malformed SAMLRequest to /saml/login omitting AssertionConsumerServiceURL triggers CWE-125 out-of-bounds read, leaking heap memory in NSC_TASS; (2) valueless wctx parameter to /wsfed/passive dereferences uninitialized buffer. Companion CVE-2026-4368 (CWE-362) race condition enables cross-user session hijacking on 14.1-66.54. Detect via anomalous NSC_TASS sizes, malformed SAMLRequest payloads, and /wsfed/passive?wctx URI patterns.

    Source: https://www.picussecurity.com/resource/blog/cve-2026-3055-cve-2026-4368-inside-the-netscaler-citrixbleed-3-memory-overread

    #Cybersecurity #ThreatIntel
  • matchbook3469@infosec.exchange
    THREAT INTEL | Limkon
    Actor "qilin" claims Undisclosed
    Unverified claim
    https://www.yazoul.net/intel/claim/2026-04-16-limkon-ransomware-claim-by-qilin-april-2026

    #DarkWeb #DataBreach #ThreatIntel #CyberSecurity #InfoSec
  • orlysec@swecyb.com
    (talosintelligence.com) PowMix Botnet: Cisco Talos Uncovers Previously Undocumented PowerShell Botnet Targeting Czech Workforce

    Newly documented PowMix PowerShell botnet targets Czech orgs in HR, legal, IT, and finance via phishing lures impersonating EDEKA. Active since Dec 2025, shares ZipLine TTPs including Heroku C2 abuse and ZIP/LNK delivery.

    In brief - Cisco Talos uncovered PowMix, a previously unknown PowerShell botnet using phishing emails with malicious ZIPs to compromise Czech organizations. The campaign leverages compliance-themed lures and supports remote access, reconnaissance, and dynamic C2 migration.

    Technically - PowMix uses LNK-triggered PowerShell loaders with AMSI bypass (reflective AmsiUtils patching) to execute in-memory payloads. XOR-encrypted C2 domains, CRC32-based Bot IDs, and Scheduled Task persistence (hex-named tasks) enable stealthy operations. C2 beaconing employs REST API mimicry, randomized jitter (0–261s/1,075–1,450s), and Chrome User-Agent headers. Commands include #KILL and #HOST for dynamic C2 updates. Detect via ClamAV/Snort SID 66118.

    Source: https://blog.talosintelligence.com/powmix-botnet-targets-czech-workforce/

    #Cybersecurity #ThreatIntel
  • ifin@infosec.exchange
    After working on it a bit, we have a fix for a recent #ClickFix attack against #macOS that leverages AppleScript. Here's the writeup, and a link to the forum thread!
    https://ifin-intel.org/blog/applescript/

    #ThreatIntel #ThreatIntelligence #IFIN
  • bongoknight@ioc.exchange
    An article written by my colleague, Marine Pichon. I think it is worth a read if you're interested in the Qilin ransomware operation.
    https://research.cert.orangecyberdefense.com/smokedham/smoking_out_an_affiliate.pdf

    #qilin #cti #UNC2465 #ThreatIntel #smokedham
  • deepthoughts10@infosec.exchange
    @mttaggart @ifin can you share the URLs that were involved?