Just added ASN Emissions Index (AEI). A leaderboard that ranks networks by how much probes they send to the Honeylabs honeypots.

https://honeylabs.net/asn-index

#ThreatIntel #IOCs #OSINT #BlueTeam #InfoSec #CyberSecurity #MCP #Golang #Python #Automation

🚨 #𝗞𝗮𝗹𝗶𝟯𝟲𝟱 𝗔𝗰𝘁𝗶𝘃𝗶𝘁𝘆 𝗦𝘂𝗿𝗴𝗲𝘀: 𝗗𝗲𝘃𝗶𝗰𝗲 𝗖𝗼𝗱𝗲 𝗣𝗵𝗶𝘀𝗵𝗶𝗻𝗴 𝗜𝘀 𝗦𝗰𝗮𝗹𝗶𝗻𝗴 𝗙𝗮𝘀𝘁
We’re seeing a growing Device Code #phishing activity, with Kali365 emerging as one of the most active PhaaS. In the last 24 hours alone, #ANYRUN recorded 100+ related analysis sessions.

⚠️ The attack abuses legitimate Microsoft device authentication flows. Victims are shown a user code and instructed to enter it into a real Microsoft device auth page, allowing attackers to capture OAuth access tokens instead of passwords. The risk shifts from credential theft to token abuse, while significantly reducing the number of traditional phishing indicators typically used for detection and triage.

❗️ Deobfuscated Kali365 JavaScript revealed that after a verification gate, the lure deploys a phishing page, launches a legitimate Microsoft device authentication flow, and then polls /api/status/<session_id> for session states such as captured, expired, and declined.

📌 The code also contains lure-template generators for OneDrive, SharePoint, Teams, Outlook, and Voicemail, and a separate Google device-code authentication flow.

⚡️ #ANYRUN lets analysts safely reconstruct the flow, validate suspicious OAuth activity faster, and identify related phishing infrastructure before campaigns scale further, helping SOC teams reduce investigation time, improve detection accuracy, and lower MTTR.

👨‍💻 See the full phishing flow, validate detection logic, and collect #IOCs: https://app.any.run/tasks/d078f430-c3cc-44e8-a809-5506205049c3?utm_source=mastodon&utm_medium=post&utm_campaign=kali365_activity_surges&utm_content=linktoservice&utm_term=270526

🔍 Track Kali365 activity using this TI Lookup search query: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=kali365_activity_surges&utm_content=linktotilookup&utm_term=270526#%7B%2522query%2522:%2522threatName:%255C%2522kali365%255C%2522%2522,%2522dateRange%2522:7%7D%20

🚀 Scale your SOC’s triage and response with solutions trusted by 74 Fortune 100 companies and detect business risks earlier. Get an exclusive 10th anniversary deal for your team: https://app.any.run/plans/?utm_source=mastodon&utm_medium=post&utm_campaign=kali365_activity_surges&utm_content=linktoplans&utm_term=270526

#cybersecurity #infosec

New IOCs observed from breached threat actor logs:

mavpaprokla[.]lat
smackit[.]lat

Recommend:
• Block/sinkhole at DNS and proxy layers
• Hunt across DNS, HTTP/S, EDR, and firewall telemetry
• Check for historical resolutions and outbound connections
• Review related infrastructure, certificates, and passive DNS pivots

If seen in your environment, treat as potentially malicious pending further enrichment.

#ThreatIntel #IOC #IOCs #CyberThreatIntelligence #DFIR #BlueTeam #SOC #ThreatHunting #Malware #Infosec #CyberSecurity #OSINT #DetectionEngineering #IncidentResponse #CTI #NetworkSecurity #DNS #ThreatResearch #CyberDefense #SIEM #EDR #MalwareAnalysis

🚨 Update Your Detection Rules: New In-Memory Loader

We caught a highly evasive #HanGhost loader, designed to bypass traditional detection through layered obfuscation and in-memory execution. This activity targets corporate users handling payments, logistics, and contract workflows, expanding exposure across critical operations.

⚠️ The delivery chain combines obfuscated JavaScript, hidden PowerShell execution, and environment-variable staging.

In the second stage, the loader retrieves an image file and extracts an encrypted payload embedded at the end of the file, combining steganography with in-memory loading and making detection significantly harder ❗️

👾 The loader is used to deliver multiple malware families: #PureHVNC, #XWorm, #Meduza, #AgentTesla, and #Phantom, with some chains also deploying #UltraVNC, extending the impact from initial access to persistent remote control.

⚡️#ANYRUN Sandbox allows analysts to reconstruct the full execution chain, helping confirm complex multi-stage activity earlier and reduce MTTR.

🔗 JavaScript-to-Payload execution chain:

JS ➡️ PowerShell ➡️ in-memory .NET assembly ➡️ PNG payload ➡️ Malware

📈 The campaign shows wave-based activity, indicating ongoing development and scaling:

March 26 — early cluster

April 1–2 — first large multi-family wave

April 3 — focused wave (PureHVNC / AgentTesla / Phantom)

April 6 — PureHVNC-heavy activity

April 7 — new peak with split between PureHVNC and XWorm/Meduza clusters

April 8 — multi-family wave (PureHVNC / Phantom / AgentTesla)

April 9–13 — more focused wave dominated by PureHVNC, with Phantom, DarkCloud, Formbook, and Meduza also present

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/cc26155e-e8e9-442b-b000-8d1a1435e7db?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoservice&utm_term=130426

🔍 Use this TI Lookup query to pivot from IOCs, review related activity, and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktotilookup&utm_term=130426#%7B%2522query%2522:%2522commandLine:%255C%2522bYPaSS%2520-Command%2520*iex%2520$env:%255C%2522%2522,%2522dateRange%2522:180%7D%20

👨‍💻 Equip your SOC with faster decisions and lower workload. See how #ANYRUN fits your workflows: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoenterprise&utm_term=130426

#cybersecurity #infosec

🚨 𝗣𝗵𝗶𝘀𝗵𝗶𝗻𝗴 𝘃𝗶𝗮 𝗚𝗼𝗼𝗴𝗹𝗲 𝗦𝘁𝗼𝗿𝗮𝗴𝗲 𝗔𝗯𝘂𝘀𝗲 𝗟𝗲𝗮𝗱𝗶𝗻𝗴 𝘁𝗼 𝗥𝗔𝗧 𝗗𝗲𝗽𝗹𝗼𝘆𝗺𝗲𝗻𝘁: 𝗗𝗲𝘁𝗲𝗰𝘁 𝗜𝘁 𝗘𝗮𝗿𝗹𝘆
We identified a multi-stage #phishing campaign using a Google Drive-themed lure and delivering #Remcos RAT. Attackers place the HTML on storage[.]googleapis[.]com, abusing trusted infrastructure instead of hosting the phishing page on a newly registered domain.

❗️ 𝗧𝗵𝗲 𝗰𝗵𝗮𝗶𝗻 𝗹𝗲𝘃𝗲𝗿𝗮𝗴𝗲𝘀 𝗥𝗲𝗴𝗦𝘃𝗰𝘀.𝗲𝘅𝗲, 𝗮 𝗹𝗲𝗴𝗶𝘁𝗶𝗺𝗮𝘁𝗲 𝘀𝗶𝗴𝗻𝗲𝗱 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁/.𝗡𝗘𝗧 𝗯𝗶𝗻𝗮𝗿𝘆 𝘄𝗶𝘁𝗵 𝗮 𝗰𝗹𝗲𝗮𝗻 𝗩𝗶𝗿𝘂𝘀𝗧𝗼𝘁𝗮𝗹 𝗵𝗮𝘀𝗵. Combined with trusted hosting, this makes reputation-based detection unreliable and lowers alert priority during triage. File reputation alone is not enough. Detection depends on behavioral analysis and sandboxing.

⚠️ The page mimics a Google Drive login form, collecting email, password, and OTP. After a “successful login,” the victim is prompted to download Bid-Packet-INV-Document.js, triggering a multi-stage delivery chain:

JS (WSH launcher + time-based evasion) ➡️ VBS Stage 1 (download + hidden execution) ➡️ VBS Stage 2 (%APPDATA%\WindowsUpdate + Startup persistence) ➡️ DYHVQ.ps1 (loader orchestration) ➡️ ZIFDG.tmp (obfuscated PE / Remcos payload) ➡️ Textbin-hosted obfuscated .NET loader (in-memory via Assembly.Load) ➡️ %TEMP%\RegSvcs.exe hollowing/injection ➡️ Partially fileless Remcos + C2 🚨

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/0efd1390-c17a-49ce-baef-44b5bd9c4a97/?utm_source=mastodon&utm_medium=post&utm_campaign=google_storage_abuse_phishing&utm_term=080426&utm_content=linktoservice

🔍 Use this TI Lookup query to pivot from IOCs, review related activity, and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=google_storage_abuse_phishing&utm_content=linktotilookup&utm_term=08042026#%7B%22query%22:%22domainName:%5C%22www.freepnglogos.com%5C%22%20and%20domainName:%5C%22storage.googleapis.com%5C%22%20and%20threatLevel:%5C%22malicious%5C%22%22,%22dateRange%22:30%7D

⚡️ Equip your SOC with stronger phishing detection and contain incidents faster: https://any.run/phishing/?utm_source=mastodon&utm_medium=post&utm_campaign=google_storage_abuse_phishing&utm_term=080426&utm_content=linktophishingpage

#cybersecurity #infosec

📢 Incident Notepad++ : IOCs publiés par l'ancien hébergeur suite à une mise à jour malveillante
📝 ## 🔍 Contexte

Document publié le 02/04/2026 sur le site officiel de Notepad++ (notepad-plus-plus.org), émanant de l'ancie...
📖 cyberveille : https://cyberveille.ch/posts/2026-02-04-incident-notepad-iocs-publies-par-l-ancien-hebergeur-suite-a-une-mise-a-jour-malveillante/
🌐 source : https://notepad-plus-plus.org/assets/data/IoCFromFormerHostingProvider.txt
#IOC #IOCs #Cyberveille

⚠️ #𝗦𝘁𝗲𝗮𝗹𝗖 𝗶𝘀 𝗻𝗼𝘄 𝗱𝗲𝗹𝗶𝘃𝗲𝗿𝗲𝗱 𝘃𝗶𝗮 𝗮 𝗖𝗹𝗼𝘂𝗱𝗳𝗹𝗮𝗿𝗲 𝗖𝗹𝗶𝗰𝗸𝗙𝗶𝘅 𝗳𝗹𝗼𝘄, masking malicious activity behind trusted services. Behavioral analysis exposed a PowerShell-based execution chain used to download and run the payload while attempting to evade detection.

👾 The Process Tree reveals the payload chain: powershell.exe ➡️ powershell.exe ➡️ y3gag2iu.3wq.exe (StealC 🚨)

Multi-stage PowerShell execution and hidden payload delivery make early confirmation harder, slowing triage. #ANYRUN Sandbox helps analysts quickly validate the attack and reduce investigation time.

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/48e6b68d-dfa2-423e-8e7c-24cf8a6ef85b/?utm_source=mastodon&utm_medium=post&utm_campaign=cloudflare_clickfix&utm_term=010426&utm_content=linktoservice

⚡️ Learn how #ANYRUN helps SOCs detect complex threats and contain incidents faster: https://any.run/features/?utm_source=mastodon&utm_medium=post&utm_campaign=cloudflare_clickfix&utm_term=010426&utm_content=linktosandboxlanding

⚙️ Technical details:
ClickFix flow on diddyparty[.]click triggers PowerShell via Win+X ➡️ I. A hidden command (-NoProfile -WindowStyle Hidden) enforces TLS 1.2, stages a random EXE in %TEMP%, pulls the payload via Invoke-WebRequest, executes it, and attempts cleanup. Full execution details are available in the Script Tracer tab.

🔍 IOCs:
diddyparty[.]click
3f0fe92c0e1c4663dcb851ce0fc97ddaed25b559be1d6e2cc0f66304ac652e38

#cybersecurity #infosec

#NPM #axios maintainer has lost control of their account. Malicious versions 1.14.1 and 0.30.4 have been published which include a RAT.

NPM has pulled the effected versions and the payload. Time to clean up and see if you were effected.

StepSecurity has an awesome write up on this issue with #iocs

Link follows this toot.

#CTI #infosec #node #cybersecurity #security #nodejs #js #malware