🦠 Malware Analysis
===================

🎯 Threat Intelligence

Executive summary: Exposed command-and-control (C2) panels remain a
high-value reconnaissance target for defenders. Recent tracking
approaches focus on fingerprinting Supershell, HookBot, Chaos RAT,
UnamWebPanel, Metasploit web panels and Mythic deployments using URL
paths, page titles, favicon hashes, repository links and TLS
artifacts.

Technical details:

• Datasets used (Hunt.io): httpv2 provides HTTP response bodies and
headers; urlx provides broad URL indexing for reconnaissance; crawler
stores page snapshots, scripts and favicons. Together they allow
pivoting from a candidate URL to certificates, page artifacts and
related hosts.

• Fingerprints observed: predictable admin/login paths (default paths
and titles), identical favicons across domains, repo/hash references
(for Chaos RAT), and default panel titles (Supershell, UnamWebPanel).
Reused TLS certificates and exposed open directories are common
staging indicators.

Analysis:

• Attack surface: Publicly reachable panels give operators full
situational awareness over victims, credential dumps, wallets and
payload distribution. Trojans like AsyncRAT have been observed behind
trojanized ScreenConnect installers and exposed staging directories
that reveal panel artifacts.

• Correlation value: Matching favicon hashes and identical static
assets is an effective way to cluster infrastructure when X.509 or IP
overlap is insufficient.

Detection:

• Practical queries: search for common admin/login URL path patterns,
compare title strings for known panel names, compute and match favicon
hashes across domains, and query certificate reuse across urlx/httpv2.

• Sample detection approach (illustrative SQL; adapt it to the query
dialect of the dataset you search and replace the placeholder with the
favicon hashes you have catalogued):

SELECT url, title, favicon_hash
FROM httpv2
WHERE title LIKE '%Supershell%'
   OR path LIKE '/admin%'
   OR favicon_hash IN (<known_favicon_hashes>);

A bare OR over a generic path such as /admin is noisy on its own;
combine the path hit with a title or favicon match before pivoting.
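The favicon, title and path pivots above, carried through in working code. This is an added example, not code from the hunt.io guide or its datasets: the records are constructed (RFC 5737 addresses, example.* names, made-up icon bytes), PANEL_TITLES are illustrative strings rather than the guide's catalogue, and the "known" favicon hash is derived from one of the made-up icons. The one fact it depends on is the hashing convention: Shodan/Censys-style favicon hashes are MurmurHash3 x86_32 (seed 0) over the base64 text of the icon including the 76-column line breaks that base64.encodebytes() emits; drop those newlines and your hashes will never match published values.

```python
"""Added example: cluster HTTP records by favicon hash, panel title and
admin path. Records, icons and titles below are constructed; the favicon
hash convention (mmh3 over line-wrapped base64) is the Shodan-style one."""
import base64
import re
from collections import defaultdict
from urllib.parse import urlsplit

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returning the signed 32-bit value mmh3.hash() gives."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    nblocks = len(data) // 4
    for i in range(0, nblocks * 4, 4):           # 4-byte little-endian blocks
        k1 = int.from_bytes(data[i:i + 4], "little")
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]
    if tail:                                     # 1-3 leftover bytes
        k1 = int.from_bytes(tail, "little")
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
    h1 ^= len(data)
    h1 ^= h1 >> 16                               # fmix32 finaliser
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def favicon_hash(icon: bytes) -> int:
    """Shodan-style favicon hash: mmh3 over base64 text WITH its line breaks."""
    return murmur3_32(base64.encodebytes(icon))


# Constructed fingerprints. A real hunt loads catalogued panel titles and
# favicon hashes; here the "known" hash comes from a made-up icon (ICON_A).
PANEL_TITLES = ("Supershell", "UnamWebPanel", "Mythic", "HookBot")
ADMIN_PATH_RE = re.compile(r"^/(admin|login|panel|supershell)(/|$)", re.IGNORECASE)
ICON_A = bytes.fromhex("00000100010010100000") + b"\x13" * 22   # shared by two hosts
ICON_B = bytes.fromhex("00000100010020200000") + b"\x37" * 22
KNOWN_FAVICON_HASHES = {favicon_hash(ICON_A)}

# Constructed records in the shape an httpv2-style dataset returns per URL.
RECORDS = [
    {"url": "https://203.0.113.5:8888/supershell/login/", "title": "Supershell", "favicon": ICON_A},
    {"url": "https://c2.example.net/admin", "title": "Login", "favicon": ICON_A},
    {"url": "https://198.51.100.7/", "title": "UnamWebPanel - Login", "favicon": ICON_B},
    {"url": "https://www.example.org/blog/", "title": "Company blog", "favicon": b"benign-icon-bytes"},
]


def fingerprint(record: dict) -> list:
    """Return the fingerprint reasons a record matches (empty list = no hit)."""
    hits = []
    path = urlsplit(record["url"]).path or "/"
    if ADMIN_PATH_RE.match(path):
        hits.append(f"path:{path}")
    for name in PANEL_TITLES:
        if name.lower() in record["title"].lower():
            hits.append(f"title:{name}")
    fh = favicon_hash(record["favicon"])
    if fh in KNOWN_FAVICON_HASHES:
        hits.append(f"favicon:{fh}")
    return hits


def hunt(records: list) -> dict:
    """Map each matching URL to its reasons; non-matching URLs are dropped."""
    out = {}
    for r in records:
        hits = fingerprint(r)
        if hits:
            out[r["url"]] = hits
    return out


def cluster_by_favicon(records: list) -> dict:
    """Group URLs sharing a favicon hash; singletons are not clusters."""
    groups = defaultdict(list)
    for r in records:
        groups[favicon_hash(r["favicon"])].append(r["url"])
    return {h: urls for h, urls in groups.items() if len(urls) > 1}


if __name__ == "__main__":
    assert murmur3_32(b"hello") == 613153351   # reference vector: mmh3.hash("hello")
    for url, why in hunt(RECORDS).items():
        print(url, why)
    for h, urls in cluster_by_favicon(RECORDS).items():
        print(f"favicon {h} shared by {len(urls)} hosts:", urls)
```

The clustering step is the part that earns its keep: the second record has a generic "Login" title and no panel name in its path beyond /admin, and would be dropped from a title-only query, but its favicon hash ties it to the Supershell host, which is exactly the pivot the guide describes for cases where certificate or IP overlap is absent.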

Mitigation:

• Defensive controls: block exposed panels at the perimeter and report
them through abuse channels for takedown; treat reused TLS certificates
and open staging directories as pivot points for blocking related
hosts; patch exposed staging systems. Harden remote access installers
(ScreenConnect) and validate upstream artifacts (hashes, signatures)
to prevent trojanization.

References & limitations:

• Evidence-based correlation is effective but contingent on dataset
coverage; absence of a fingerprint is not proof of safety. Attribution
requires further telemetry.

🔹 #ThreatIntel #C2 #AsyncRAT #HuntSQL #OSINT

🔗 Source: https://hunt.io/blog/hunting-c2-panels-beginners-guide

Hunting C2 Panels: Beginner’s Guide for Identifying Command and Control Dashboards

Beginner’s guide to hunting exposed C2 dashboards like Supershell, HookBot, Chaos, Unam, Mythic, and Metasploit using paths, titles, and hashes

APT28 campaign "Phantom Net Voxel": steganography combined with cloud-hosted C2, all to evade detection

Security researchers from Sekoia.io's Threat Detection and Response team have discovered a new campaign run by the APT28 group (also known as Fancy Bear, Sofacy, BlueDelta, Forest Blizzard), in which the attackers applied a range of techniques to bypass standard detection methods. The campaign has been named "Phantom Net Voxel" and is...

#WBiegu #Apt28 #Bearshell #C2 #Koofr #Phantomnetvoxel

https://sekurak.pl/kampania-apt28-phantom-net-voxel-polaczenie-steganografii-z-c2-w-chmurze-a-wszystko-aby-uniknac-wykrycia/


Ever wanted to truly understand how a Command & Control (C2) server works? I built one in Python to find out. Introducing Glycon, my open-source, lightweight C2 framework designed for learning and customization. It's a hands-on playground for students, pentesters, and anyone curious about infosec.

https://github.com/4ndr34z/glycon

#infosec #C2


🦠 Malware Analysis
===================

🎯 Threat Intelligence

Executive summary: Recent investigations reveal a repeatable campaign where attackers abuse ConnectWise ScreenConnect installers hosted in open directories to distribute AsyncRAT and a custom PowerShell RAT.
The campaign combines trusted RMM footprints, ClickOnce pivots and payload containers that evade signature-based detection.

Technical details:
• Observed payloads include AsyncRAT and a bespoke PowerShell RAT delivered alongside trojanized ScreenConnect installers.
• Infrastructure enumeration identified multiple hosts (examples:
176.65.139.119, 45.74.16.71, 164.68.120.30) and repeated file names such as logs.ldk, logs.idk, logs.idr ranging from ~60 KB to 3 MB.
• Execution techniques show two distinct code paths: in-memory .NET Assembly.Load for AV‑guarded environments and native injection via libPK.dll::Execute otherwise.
• Persistence mechanisms include scheduled tasks named SystemInstallTask and 3losh with aggressive intervals (every 2–10 minutes).
• Network/C2 tradecraft spans common ports (21/80/111/443) and high ephemeral ranges (30,000–60,000), often wrapped in TLS.

🔹 Attack Chain Analysis
• Initial Access / Phishing: ClickOnce pivots (e.g., police.html → galusa.ac.mz → dual.saltuta.com) delivering a launcher from /Bin/ paths.
• Download: Trojanized ScreenConnect installer retrieved from open directory hosting.
• Execution: Dual paths — Assembly.Load into memory or libPK.dll native injection.
• Persistence: Creation of scheduled tasks with short recurrence.
• C2 / Telemetry: AsyncRAT beaconing over standard and ephemeral ports with TLS.

Impact & analysis: Abusing legitimate RMM installers introduces supply‑chain‑like risk; trusted installer footprints lower detection fidelity and enable long dwell times. Fresh or repackaged containers missing from VirusTotal indicate active re‑use and rapid churn.

Detection guidance:
• Monitor for creation of scheduled tasks named SystemInstallTask/3losh and unusual recurrence intervals.
• Alert on processes performing .NET Assembly.Load from nonstandard locations and on native DLLs named libPK.dll performing injection-like behaviors.
• Hunt for open directory listings exposing logs.ldk|logs.idk|logs.idr and ClickOnce /Bin/ URL patterns.
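The scheduled-task hunt from the first bullet, carried through as triage logic over task-creation events. This is an added example, not code from the hunt.io report: Windows Security event 4698 ("A scheduled task was created") carries the task name and the full task XML in its TaskContent field, and the events below are constructed to that shape. Only the task names SystemInstallTask and 3losh and the 2 to 10 minute intervals come from the report; the commands, users and folder paths are made up, and the 15-minute threshold for a "suspiciously short" interval is an assumption to tune for your estate.

```python
"""Added example: triage 4698-style scheduled-task creation events for
the AsyncRAT persistence pattern (known task names, very short repetition
intervals). Events are constructed; the threshold is an assumption."""
import re
import xml.etree.ElementTree as ET

SUSPECT_TASK_NAMES = {"systeminstalltask", "3losh"}   # names from the report
MAX_BENIGN_INTERVAL_MIN = 15                           # assumption: tune per estate
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DURATION_RE = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")


def iso_duration_minutes(text: str) -> float:
    """Minutes in the ISO 8601 duration subset Task Scheduler writes (PT2M, PT1H30M, P1D)."""
    text = text.strip()
    m = DURATION_RE.fullmatch(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def task_facts(task_xml: str) -> dict:
    """Shortest repetition interval and executed commands from a task's XML."""
    root = ET.fromstring(task_xml)
    intervals = [iso_duration_minutes(e.text)
                 for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    commands = [e.text for e in root.iterfind(".//t:Exec/t:Command", TASK_NS)]
    return {"interval_min": min(intervals) if intervals else None, "commands": commands}


def triage_task_event(event: dict) -> list:
    """Return the reasons a 4698-style event is suspicious (empty list = clean)."""
    reasons = []
    name = event["TaskName"].rsplit("\\", 1)[-1]      # drop the \Microsoft\... folder
    if name.lower() in SUSPECT_TASK_NAMES:
        reasons.append(f"task name {name} matches known AsyncRAT persistence")
    facts = task_facts(event["TaskContent"])
    if facts["interval_min"] is not None and facts["interval_min"] <= MAX_BENIGN_INTERVAL_MIN:
        reasons.append(f"repeats every {facts['interval_min']:g} min")
    return reasons


def triage_all(events: list) -> dict:
    """Map flagged task names to their reasons for a batch of events."""
    flagged = {}
    for e in events:
        reasons = triage_task_event(e)
        if reasons:
            flagged[e["TaskName"]] = reasons
    return flagged


def _task_xml(command: str, interval) -> str:
    """Minimal Task Scheduler XML body (constructed test data, not a real capture)."""
    rep = f"<Repetition><Interval>{interval}</Interval></Repetition>" if interval else ""
    return (
        '<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><TimeTrigger><StartBoundary>2025-01-01T00:00:00</StartBoundary>"
        f"{rep}</TimeTrigger></Triggers>"
        f"<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>"
    )


# Constructed events in the shape of Security event 4698 (TaskName, TaskContent).
EVENTS = [
    {"TaskName": r"\SystemInstallTask", "SubjectUserName": "alice",
     "TaskContent": _task_xml(r"C:\Users\Public\Libraries\payload.exe", "PT2M")},
    {"TaskName": r"\3losh", "SubjectUserName": "alice",
     "TaskContent": _task_xml(r"C:\Users\alice\AppData\Roaming\payload.exe", "PT10M")},
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "SubjectUserName": "SYSTEM",
     "TaskContent": _task_xml(r"%windir%\system32\defrag.exe", None)},
    {"TaskName": r"\OneDrive Update", "SubjectUserName": "bob",
     "TaskContent": _task_xml(r"C:\Users\bob\AppData\Local\update.exe", "PT5M")},
]

if __name__ == "__main__":
    for task, why in triage_all(EVENTS).items():
        print(task, "->", why)
```

Two design points: the name check is case-insensitive and strips the task folder, because the report's names can be registered under any folder; and the interval check is independent of the name, so a renamed task with the same 2 to 10 minute cadence (the fourth event) still surfaces. The commands list is returned alongside so an analyst can pivot from the task to the binary on disk.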

Mitigations:
• Harden RMM deployment processes, restrict installer hosting and validate installer hashes.
• Block or monitor suspicious open directory access and implement strict egress controls for ephemeral port ranges.
• Enforce application allowlisting and endpoint behavioral detections for in-memory assembly loads and DLL injection.

🔹 #AsyncRAT #ScreenConnect #ClickOnce #RMM #C2

🔗 Source: https://hunt.io/blog/asyncrat-screenconnect-open-directory-campaigns

AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories

Research on AsyncRAT campaigns using trojanized ScreenConnect installers and open directories, exposing resilient attacker infrastructure and C2 tactics.

Hunting C2s with Nuclei

Overview For a long time now, I’ve been using Censys/Shodan and DomainTools to look up hosts, attempt to correlate infrastructure to find overlaps and potentially attribute to C2s and other malicious hosts. There are so many data points to look at like JARM signatures, certificate data including historical

Axelarator Blog