RE: https://infosec.exchange/@briankrebs/116780029181293028

Heads up, Gizmodo has been compromised by some #ErrTraffic affiliate to. Inject is in main response.
ErrTraffic C2 cdnpro-987[.]xyz (Resoved via #EtherHiding)
PS Payload domain cdnportal-us[.]xyz (dynamic PowerShell command URI path)
PowerShell downloads a 16MB encrypted 7z file, checks if 7z is installed and otherwise downloads it to unpack the file and run the contained EXE. The EXE will do some profiling (including refresh rate) and if passes, will drop #NetSupportRAT and run it.
NetSupport C2 178[.]16[.]55[.]191.

TA also has a Mac payload configured, but it seems broken at the moment and ask for a password of some zip file when executed 🤷

Note: ErrTraffic is a ClickFIx-as-a-Service, so other compromised sites can lead to other malware from other affiliates.

📢 WeedHack : campagne MaaS ciblant Minecraft via SEO poisoning et YouTube
📝 ## 🔍 Contexte

Publié le 2 juin 2026 par McAfee Labs (auteur : Aayush Tyagi), cet article présente une analyse technique...
📖 cyberveille : https://cyberveille.ch/posts/2026-06-04-weedhack-campagne-maas-ciblant-minecraft-via-seo-poisoning-et-youtube/
🌐 source : https://www.mcafee.com/blogs/other-blogs/mcafee-labs/weedhack-minecraft-malware-as-a-service-campaign-research/
#EtherHiding #IOC #Cyberveille

📢 EtherRAT et TukTuk mènent au déploiement du ransomware The Gentleman via blockchain C2
📝 ## 🔍 Contexte

Rapport d'incident publié le 11 mai 2026 par The DFIR Report, documen...
📖 cyberveille : https://cyberveille.ch/posts/2026-05-11-etherrat-et-tuktuk-menent-au-deploiement-du-ransomware-the-gentleman-via-blockchain-c2/
🌐 source : https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/
#CVE_2025_55182 #EtherHiding #Cyberveille

Une méthode inédite, baptisée « #EtherHiding », transforme la #blockchain de #cryptomonnaies #Ethereum en arsenal offensif. Les #chercheurs en #cybersécurité de #Google tirent la sonnette d' #alarme face à cette escalade #technologique

https://www.futura-sciences.com/tech/actualites/cybersecurite-blockchain-nest-plus-sure-ce-piratage-venu-coree-nord-inquiete-k2m6-131599/

EtherHiding emerges as a malware delivery mechanism!

Google threat intelligence is reporting North Korean nation-state actor "UNC5342" is leveraging transactions on public blockchains to store and retrieve malicious payloads.

EtherHiding executes a social engineering campaign (fake job interviews, crypto games) as the initial compromise to lure developers — often those working in the cryptocurrency or tech industries — into downloading malware disguised as job-related files or coding challenges.

Once a target opens the file, a malicious script connects to a public blockchain like BNB Smart Chain or Ethereum, to retrieve encrypted code from a smart contract. That code installs a JadeSnow loader, which in turn delivers a more persistent backdoor known as InvisibleFerret that has been used in multiple cryptocurrency thefts.

https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding #Security #CyberSecurity #Hackers #CyberAttack #UNC5342 #Google #Malware #SmartContracts #Crypto #CryptoCurrency #EtherHiding #SocialEngineering #BlockChain