📢 Incident Notepad++ : IOCs publiés par l'ancien hébergeur suite à une mise à jour malveillante
📝 ## 🔍 Contexte

Document publié le 02/04/2026 sur le site officiel de Notepad++ (notepad-plus-plus.org), émanant de l'ancie...
📖 cyberveille : https://cyberveille.ch/posts/2026-02-04-incident-notepad-iocs-publies-par-l-ancien-hebergeur-suite-a-une-mise-a-jour-malveillante/
🌐 source : https://notepad-plus-plus.org/assets/data/IoCFromFormerHostingProvider.txt
#IOC #IOCs #Cyberveille

⚠️ #𝗦𝘁𝗲𝗮𝗹𝗖 𝗶𝘀 𝗻𝗼𝘄 𝗱𝗲𝗹𝗶𝘃𝗲𝗿𝗲𝗱 𝘃𝗶𝗮 𝗮 𝗖𝗹𝗼𝘂𝗱𝗳𝗹𝗮𝗿𝗲 𝗖𝗹𝗶𝗰𝗸𝗙𝗶𝘅 𝗳𝗹𝗼𝘄, masking malicious activity behind trusted services. Behavioral analysis exposed a PowerShell-based execution chain used to download and run the payload while attempting to evade detection.

👾 The Process Tree reveals the payload chain: powershell.exe ➡️ powershell.exe ➡️ y3gag2iu.3wq.exe (StealC 🚨)

Multi-stage PowerShell execution and hidden payload delivery make early confirmation harder, slowing triage. #ANYRUN Sandbox helps analysts quickly validate the attack and reduce investigation time.

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/48e6b68d-dfa2-423e-8e7c-24cf8a6ef85b/?utm_source=mastodon&utm_medium=post&utm_campaign=cloudflare_clickfix&utm_term=010426&utm_content=linktoservice

⚡️ Learn how #ANYRUN helps SOCs detect complex threats and contain incidents faster: https://any.run/features/?utm_source=mastodon&utm_medium=post&utm_campaign=cloudflare_clickfix&utm_term=010426&utm_content=linktosandboxlanding

⚙️ Technical details:
ClickFix flow on diddyparty[.]click triggers PowerShell via Win+X ➡️ I. A hidden command (-NoProfile -WindowStyle Hidden) enforces TLS 1.2, stages a random EXE in %TEMP%, pulls the payload via Invoke-WebRequest, executes it, and attempts cleanup. Full execution details are available in the Script Tracer tab.

🔍 IOCs:
diddyparty[.]click
3f0fe92c0e1c4663dcb851ce0fc97ddaed25b559be1d6e2cc0f66304ac652e38

#cybersecurity #infosec

#NPM #axios maintainer has lost control of their account. Malicious versions 1.14.1 and 0.30.4 have been published which include a RAT.

NPM has pulled the effected versions and the payload. Time to clean up and see if you were effected.

StepSecurity has an awesome write up on this issue with #iocs

Link follows this toot.

#CTI #infosec #node #cybersecurity #security #nodejs #js #malware

🚨 𝗺𝗮𝗰𝗢𝗦-𝗦𝗽𝗲𝗰𝗶𝗳𝗶𝗰 #𝗖𝗹𝗶𝗰𝗸𝗙𝗶𝘅 𝗖𝗮𝗺𝗽𝗮𝗶𝗴𝗻 𝗧𝗮𝗿𝗴𝗲𝘁𝗶𝗻𝗴 𝗖𝗹𝗮𝘂𝗱𝗲 𝗖𝗼𝗱𝗲 𝗨𝘀𝗲𝗿𝘀: 𝗗𝗲𝘁𝗲𝗰𝘁 𝗜𝘁 𝗘𝗮𝗿𝗹𝘆
⚠️ We identified a campaign targeting users of AI platforms such as Claude Code, Grok, n8n, NotebookLM, Gemini CLI, OpenClaw, and Cursor with AMOS Stealer. As macOS adoption grows in enterprise environments, these attacks exploit gaps in visibility and make early-stage detection harder.

🎯 In this case, attackers use a redirect from Google ads to a fake Claude Code documentation page and a ClickFix flow to deliver a payload. A terminal command downloads an encoded script, which installs AMOS Stealer, collects browser data, credentials, Keychain contents, and sensitive files, then deploys a backdoor.

The backdoor module (~/.mainhelper) was first described by Moonlock Lab in July 2025. Our analysis shows that it has since evolved. While the original version supported only a limited set of commands via periodic HTTP polling, the updated variant significantly expands functionality and introduces a 𝗳𝘂𝗹𝗹𝘆 𝗶𝗻𝘁𝗲𝗿𝗮𝗰𝘁𝗶𝘃𝗲 𝗿𝗲𝘃𝗲𝗿𝘀𝗲 𝘀𝗵𝗲𝗹𝗹 𝗼𝘃𝗲𝗿 𝗪𝗲𝗯𝗦𝗼𝗰𝗸𝗲𝘁 𝘄𝗶𝘁𝗵 𝗣𝗧𝗬 𝘀𝘂𝗽𝗽𝗼𝗿𝘁.

❗️ This turns the infection from data theft into 𝗽𝗲𝗿𝘀𝗶𝘀𝘁𝗲𝗻𝘁, 𝗵𝗮𝗻𝗱𝘀-𝗼𝗻 𝗮𝗰𝗰𝗲𝘀𝘀 𝘁𝗼 𝘁𝗵𝗲 𝗶𝗻𝗳𝗲𝗰𝘁𝗲𝗱 𝗠𝗮𝗰, giving the attacker real-time control over the system.

Multi-stage delivery, obfuscated scripts, and abuse of legitimate macOS components break visibility into fragmented signals. Triage slows down, and escalation decisions take longer, leading to credential theft and data exfiltration.

⚡️ #ANYRUN Sandbox lets security teams analyze macOS, Windows, Linux, and Android threats with full visibility into execution, attacker behavior, and artifacts, helping detect threats early, attribute activity, and build stronger detection logic, while reducing MTTD and MTTR.

See sample execution in a live analysis session: https://app.any.run/tasks/74f5000d-aa91-4745-9fc7-fdd95549874b/?utm_source=mastodon&utm_medium=post&utm_campaign=macOS_clickfix&utm_term=250326&utm_content=linktoservice

💬 𝗙𝗶𝗻𝗱 #𝗜𝗢𝗖𝘀 𝗶𝗻 𝘁𝗵𝗲 𝗰𝗼𝗺𝗺𝗲𝗻𝘁𝘀 𝗮𝗻𝗱 𝘃𝗮𝗹𝗶𝗱𝗮𝘁𝗲 𝘆𝗼𝘂𝗿 𝗱𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻 𝗰𝗼𝘃𝗲𝗿𝗮𝗴𝗲. We’ve broken down the attack chain in detail — let us know if you’d like to see the full analysis!

👨‍💻 Expand your SOC’s cross-platform threat visibility. Learn how to boost performance and business security with #ANYRUN: https://any.run/cybersecurity-blog/anyrun-macos-sandbox/?utm_source=mastodon&utm_medium=post&utm_campaign=macOS_clickfix&utm_term=250326&utm_content=linktoblog

#cybersecurity #infosec

🚨 𝗦𝗽𝗼𝘁 𝗜𝘁 𝗘𝗮𝗿𝗹𝘆: 𝗖𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹 𝗧𝗵𝗲𝗳𝘁 𝗕𝗲𝗵𝗶𝗻𝗱 𝗙𝗮𝗸𝗲 𝗣𝗗𝗙𝘀
Attackers disguise #phishing HTM/HTML email attachments as PDF files. In the observed case, pdf.htm displays a fake login page and sends entered credentials in JSON via HTTP POST to the Telegram Bot API, enabling account takeover and access to internal systems.

Some samples use obfuscated scripts, making the exfiltration logic harder to spot ❗️

⚡️ #ANYRUN Sandbox exposed phishing behavior in under 60 seconds, revealing the outbound network activity, loaded scripts, and file contents, helping analysts accelerate triage and reduce unnecessary escalations.

🎣 See the analysis session and collect #IOCs to speed up detection and cut MTTR: https://app.any.run/tasks/3a6af151-cf57-461f-b600-19c39fdfcce6?utm_source=mastodon&utm_medium=post&utm_campaign=html_pdf_phishing&utm_content=linktoservice&utm_term=110326

🔍 Find similar cases and pivot from IOCs using this TI Lookup search query: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=html_pdf_phishing&utm_content=linktotilookup&utm_term=110326#%7B%2522query%2522:%2522filePath:%255C%2522.pdf.html$%255C%2522%2520OR%2520filePath:%255C%2522.pdf.htm$%255C%2522%2522,%2522dateRange%2522:180%7D

👨‍💻 Learn how #ANYRUN Sandbox helps SOC teams detect complex threats faster: https://any.run/features/?utm_source=mastodon&utm_medium=post&utm_campaign=html_pdf_phishing&utm_term=110326&utm_content=linktosandboxlanding

#cybersecurity #infosec

#malware on Vulkan Loader

#IOCs

72a8eb805e026accc0a5805847db978f (세무 감사.exe)

0a580815e4dbedecafd88b207eca8c8f (vulkan-1.bin)

55b624a0b0423a337b804fe8e305a386 (vulkan-1.dll)

Command-and-control IPv4 map, 2026-02-22 to 2026-03-07 #IOCs
https://abjuri5t.github.io/SarlackLab/

43.249.172[.]0/22
23.248.208[.]0/21
178.16.52[.]0/22
23.226.58[.]0/23
156.234.56[.]0/23
158.94.208[.]0/22
43.240.239[.]0/24
103.39.16[.]0/22
185.213.60[.]0/23
23.226.48[.]0/23

⚠️ 𝗡𝗲𝘄 𝗦𝘁𝗮𝗴𝗲𝗿 𝗟𝗲𝗮𝗱𝗶𝗻𝗴 𝘁𝗼 𝗥𝗔𝗧 𝗗𝗲𝗽𝗹𝗼𝘆𝗺𝗲𝗻𝘁: 𝗗𝗲𝘁𝗲𝗰𝘁 𝗜𝘁 𝗘𝗮𝗿𝗹𝘆
We caught #RUTSSTAGER, a malware that stores a DLL in the Windows registry in hexadecimal form, hiding the payload and delaying detection. In the observed chain, the stager delivered #OrcusRAT, followed by a supporting binary that maintains persistence, uses PowerShell for system checks, and restarts the RAT process.

✅ In the #ANYRUN Sandbox, behavioral analysis and file system monitoring exposed the full execution chain. Process synchronization events revealed coordination between the stager and its payload, helping confirm multi-stage malware activity early.

👾 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/b357aa61-29d5-4c7f-87f8-359281319a72/?utm_source=mastodon&utm_medium=post&utm_campaign=rutsstager&utm_term=050326&utm_content=linktoservice

🔍 Pivot from indicators and subscribe to Query Updates to proactively track evolving attacks: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=rutsstager&utm_content=linktotilookup&utm_term=050326#%7B%2522query%2522:%2522registryName:%255C%2522%5Erutsdll32$%255C%2522%2522,%2522dateRange%2522:180%7D

👨‍💻 Learn how #ANYRUN Sandbox helps SOCs detect complex threats and contain incidents faster: https://any.run/features/?utm_source=mastodon&utm_medium=post&utm_campaign=rutsstager&utm_term=050326&utm_content=linktosandboxlanding

🚨 𝗠𝟯𝟲𝟱 𝗔𝗰𝗰𝗼𝘂𝗻𝘁 𝗧𝗮𝗸𝗲𝗼𝘃𝗲𝗿 𝗪𝗶𝘁𝗵𝗼𝘂𝘁 𝗖𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹 𝗧𝗵𝗲𝗳𝘁: 𝗦𝘂𝗿𝗴𝗲 𝗶𝗻 𝗢𝗔𝘂𝘁𝗵 𝗣𝗵𝗶𝘀𝗵𝗶𝗻𝗴
We’re seeing a spike in activity from a #phishing campaign abusing Microsoft’s OAuth Device Code flow, with 180+ phishing URLs detected in just one week ⚠️

Attackers display a verification code and ask the victim to enter it on microsoft[.]com/devicelogin. Microsoft then issues OAuth tokens directly to the attacker, granting access to M365 resources without compromising credentials on the phishing page.

❗️ This shifts the risk from credential harvesting to token abuse. Because it runs over encrypted HTTPS, the activity blends into normal web traffic, delaying detection, extending investigations, and increasing escalation pressure. The window for early response keeps shrinking.

⚡️ #ANYRUN Sandbox now automatically decrypts HTTPS traffic by extracting SSL keys directly from process memory, without certificate substitution. This gives SOC teams wider phishing coverage, faster confirmation by Tier 2 and Tier 3 analysts, and improved MTTD & MTTR.

✅ In this case, SSL decryption exposed hidden JavaScript and revealed high-confidence tool-specific network #IOCs such as /api/device/start, /api/device/status/*, and the X-Antibot-Token header, which become high-signal when observed in HTTP requests to non-legitimate hosts.

👨‍💻 ‍See analysis session: https://app.any.run/tasks/885afc1c-b616-46d7-9bc3-81185ee07fe3?utm_source=mastodon&utm_medium=post&utm_campaign=oauth_phishing_surge&utm_content=linktoservice&utm_term=040326

🔍 Use this TI Lookup query to review related activity and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=oauth_phishing_surge&utm_content=linktotilookup&utm_term=040326#%7B%22query%22:%22threatName:%5C%22oauth-ms-phish%5C%22%22,%22dateRange%22:7%7D

🎯 Find the IOCs in the comments. A full breakdown of this campaign is coming soon, stay tuned.

⚡️ Encrypted traffic is no longer a blind spot. Learn how SSL decryption expands phishing detection and reduces risk: https://any.run/cybersecurity-blog/automatic-ssl-decryption/?utm_source=mastodon&utm_medium=post&utm_campaign=oauth_phishing_surge&utm_content=linktoblog&utm_term=040326

#cybersecurity #infosec