Leveling Up with NightSpire Ransomware

NightSpire ransomware, first discovered in February 2025, presents a categorization challenge regarding whether it operates as Ransomware-as-a-Service (RaaS). Analysis of two incidents from December 2025 and March 2026 reveals significant variations in tactics, techniques, and procedures between attacks. In the March 2026 incident the threat actors installed Chrome Remote Desktop and AnyDesk for persistence, used Everything and 7-Zip for data staging, used MEGAsync for exfiltration, and deployed VMware Workstation and WPS Office. The attacker had been accessing systems over RDP for days before detection. Comparison with the December 2025 incident shows evolution in the ransomware encryptor, including modified ransom note filenames and contents. These variations in TTPs and indicators suggest either operational evolution or the involvement of multiple affiliates, demonstrating that ransomware indicators are not consistent across campaigns.

Pulse ID: 69d61cc749755c1135d6faa9
Pulse Link: https://otx.alienvault.com/pulse/69d61cc749755c1135d6faa9
Pulse Author: AlienVault
Created: 2026-04-08 09:15:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#7Zip #AnyDesk #Chrome #CyberSecurity #ICS #InfoSec #OTX #Office #OpenThreatExchange #RAT #RDP #RaaS #RansomWare #RansomwareAsAService #VMware #ZIP #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange
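The pulse above describes a recognisable chain: a remote-access tool gets installed, Everything and 7-Zip stage data, MEGAsync moves it out. As an added example (not part of the pulse, not vendor tooling), the script below hunts for that chain across process-creation events and grades each host by how much of the chain it shows. Event field names (UtcTime, Computer, Image, CommandLine) follow Sysmon-style process-creation records, the executable-name markers (for instance remoting_host for Chrome Remote Desktop) are assumptions about how these tools appear in logs, and the sample events are constructed for the example.

```python
"""Hunt for the tool chain described in the NightSpire pulse: remote-access
tool install, Everything/7-Zip data staging, MEGAsync exfiltration.

Added example, not from the pulse. Event field names follow Sysmon-style
process-creation records; the sample events below are constructed."""
import json
from collections import defaultdict

# Image-name / command-line markers per tool family. The executable names
# are assumptions about how these tools appear in process logs.
TOOL_SIGNATURES = {
    "remote_access": ("anydesk", "remoting_host"),
    "staging": ("everything.exe", "7z.exe", "7za.exe", "7zg.exe"),
    "exfiltration": ("megasync",),
}

# Constructed sample log: one JSON object per line (raw string, so the
# doubled backslashes survive until json.loads() decodes them).
SAMPLE_LOG = r"""
{"UtcTime":"2026-03-14 02:11:05","Computer":"FS01","Image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","CommandLine":"AnyDesk.exe --install \"C:\\Program Files (x86)\\AnyDesk\" --start-with-win --silent"}
{"UtcTime":"2026-03-14 02:40:51","Computer":"FS01","Image":"C:\\Tools\\Everything\\Everything.exe","CommandLine":"Everything.exe"}
{"UtcTime":"2026-03-14 03:05:17","Computer":"FS01","Image":"C:\\Program Files\\7-Zip\\7z.exe","CommandLine":"7z.exe a -p -mhe=on C:\\Users\\Public\\fin.7z \\\\FS01\\Finance"}
{"UtcTime":"2026-03-14 03:22:40","Computer":"FS01","Image":"C:\\Users\\admin\\AppData\\Local\\MEGAsync\\MEGAsync.exe","CommandLine":"MEGAsync.exe"}
{"UtcTime":"2026-03-14 03:30:02","Computer":"WS07","Image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","CommandLine":"AnyDesk.exe"}
{"UtcTime":"2026-03-14 04:01:11","Computer":"APP02","Image":"C:\\Program Files\\7-Zip\\7zG.exe","CommandLine":"7zG.exe a D:\\tmp\\db.7z D:\\backups"}
{"UtcTime":"2026-03-14 04:09:45","Computer":"APP02","Image":"C:\\Users\\svc\\AppData\\Local\\MEGAsync\\MEGAsync.exe","CommandLine":"MEGAsync.exe"}
{"UtcTime":"2026-03-14 04:15:00","Computer":"DC01","Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"svchost.exe -k netsvcs"}
"""


def parse_events(text):
    """Parse newline-delimited JSON process-creation events, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return the set of tool families a single process event matches."""
    haystack = (event.get("Image", "") + " " + event.get("CommandLine", "")).lower()
    return {family for family, markers in TOOL_SIGNATURES.items()
            if any(marker in haystack for marker in markers)}


def hunt(events):
    """Group matches per host and grade them.

    high   : staging AND exfiltration AND a remote-access tool on one host
    medium : staging AND exfiltration without a remote-access tool
    low    : remote-access tool only (could be legitimate support use)
    info   : anything else that matched a single family
    Hosts with no matching events are not reported at all."""
    per_host = defaultdict(lambda: {"categories": set(), "hits": []})
    for ev in events:
        cats = classify(ev)
        if cats:
            h = per_host[ev["Computer"]]
            h["categories"] |= cats
            h["hits"].append((ev["UtcTime"], ev["Image"], sorted(cats)))

    findings = {}
    for host, data in per_host.items():
        cats = data["categories"]
        if {"staging", "exfiltration"} <= cats:
            severity = "high" if "remote_access" in cats else "medium"
        elif "remote_access" in cats:
            severity = "low"
        else:
            severity = "info"
        findings[host] = {
            "severity": severity,
            "categories": sorted(cats),
            "hits": sorted(data["hits"]),  # chronological, times are unique here
        }
    return findings


if __name__ == "__main__":
    for host, finding in sorted(hunt(parse_events(SAMPLE_LOG)).items()):
        print(f"{host}: {finding['severity']:6} {', '.join(finding['categories'])}")
        for when, image, cats in finding["hits"]:
            print(f"    {when}  {image}  [{'/'.join(cats)}]")
```

The grading deliberately keeps a lone remote-access install at "low": the posts further down this page show AnyDesk being installed for ordinary family tech support, so the signal worth paging on is the staging-plus-exfiltration pair, with the RMM tool raising confidence rather than triggering on its own.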

North Korea's Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads

A North Korean threat operation has published malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist, impersonating legitimate developer tooling. The campaign uses GitHub aliases including golangorg and aokisasakidev to distribute staged malware loaders that contact actor-controlled infrastructure, retrieve payloads from Google Drive, and deliver platform-specific second-stage malware. The loaders are hidden behind normal-looking API functions in logging and utility libraries. Windows variants include full remote access trojans with capabilities for shell execution, keylogging, browser and wallet theft, sensitive file collection, and AnyDesk deployment. The operation demonstrates coordinated cross-ecosystem supply chain attacks with shared infrastructure patterns, reused extraction directories, and consistent staging logic across multiple programming languages.

Pulse ID: 69d61d25c472b8eb580c2996
Pulse Link: https://otx.alienvault.com/pulse/69d61d25c472b8eb580c2996
Pulse Author: AlienVault
Created: 2026-04-08 09:17:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AnyDesk #Browser #CyberSecurity #GitHub #Golang #Google #InfoSec #Korea #Malware #NPM #NorthKorea #OTX #OpenThreatExchange #PyPI #RAT #RemoteAccessTrojan #SupplyChain #Trojan #Troll #Windows #bot #AlienVault

Today I installed #Rustdesk over an #Anydesk connection 😄 not entirely without risk. Anydesk is acting up right now, but Rustdesk is now working cleanly.
Malware via WhatsApp. The rest runs on Windows

Malware via WhatsApp that lands on Windows systems as a VBS file. Cloud downloads, persistence, and MSI packages such as AnyDesk follow.

TARNKAPPE.INFO
#American Hacker partnering with #AnyDesk DESTROYS Scammers On Their Own Cameras! (Justice) | British Guy Reacts 🇬🇧 @kabirconsiders, youtube.com youtu.be/CCsfR4GHnF0?...


📢 The Gentlemen: full analysis of the TTPs of the new RaaS group spun out of Qilin
📝 🔍 Context

Published on 22 March 2026 by Group-IB, this report analyzes in depth the tactics, techniques and procedures (TTPs) of the group **The Gent...
📖 cyberveille : https://cyberveille.ch/posts/2026-03-22-the-gentlemen-analyse-complete-des-ttps-du-nouveau-groupe-raas-issu-de-qilin/
🌐 source : https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/
#AntSword #AnyDesk #Cyberveille

The Gentlemen: full analysis of the TTPs of the new RaaS group spun out of Qilin

🔍 Context
Published on 22 March 2026 by Group-IB, this report analyzes in depth the tactics, techniques and procedures (TTPs) of The Gentlemen, an emerging Ransomware-as-a-Service (RaaS) operation of roughly 20 members, formerly known as ArmCorp when it was a Qilin affiliate.

🧑‍💻 Origin and history of the group
The operation is run by a Russian speaker using the handle hastalamuerte. The group split from Qilin after a financial dispute over USD 48,000 in unpaid commission, made public on the RAMP forum on 22 July 2025. A first Windows sample of the ransomware had already been uploaded to VirusTotal on 17 July 2025 (SHA256: 51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2), confirming that development was under way before the public break with Qilin. The DLS (data leak site) went public in early September 2025.


Some slight strangeness on #LinuxMint 22.3, #XFCE desktop - today #Anydesk let me log in, but the password entry field was unresponsive - checking the PC directly showed the num lock was working but the keyboard wouldn't type any numbers. The PC was also still on the network (but no SSH, as it's not there out of the box and I hadn't installed it yet!)

Had to press the power button; the PC came back up with the lock screen (not a full Linux startup) and password prompt, so it's likely something to do with a power saving / resume setting - clearly the PC hadn't fully crashed, as all the photos I had uploaded to Dropbox (from another machine on the network) had been picked up by the client.

(How do you change this on #XFCE?)

Went to the village shop to get some food and returned to find the PC fully locked up ( needed a power cycle to restart!)

I suspect this is more the fault of #browsers with multiple tabs left open (there's an open issue for this on #Firefox) than any flaw with #LinuxMint itself, on top of websites being more bloated and #adtech scripts and #adblockers fighting one another.

Successfully installed #Anydesk on #Linux PC, so can access #XFCE desktop remotely from my Windows laptop (we use Anydesk a lot for remote support)

I don't know how the scammers do it - it just took me 1 hour to help a relative set up #AnyDesk to make future tech support faster and less painful for both of us

I get a scam call:

"Your account holding 1.[…] BTC has been locked. Would you like to withdraw the money?"
"Yes!"
"When and with which bank did you invest?"
"Um, I don't even remember, um, with the #Sparkasse?"
"How much did you invest?"
"Five."

[Silence]

"Do you have #AnyDesk on your computer?"

🤣 🤣 🤣

#scam #telefonbetrug #betrüger