🚨 𝗣𝗵𝗶𝘀𝗵𝗶𝗻𝗴 𝘃𝗶𝗮 𝗚𝗼𝗼𝗴𝗹𝗲 𝗦𝘁𝗼𝗿𝗮𝗴𝗲 𝗔𝗯𝘂𝘀𝗲 𝗟𝗲𝗮𝗱𝗶𝗻𝗴 𝘁𝗼 𝗥𝗔𝗧 𝗗𝗲𝗽𝗹𝗼𝘆𝗺𝗲𝗻𝘁: 𝗗𝗲𝘁𝗲𝗰𝘁 𝗜𝘁 𝗘𝗮𝗿𝗹𝘆
We identified a multi-stage #phishing campaign using a Google Drive-themed lure and delivering #Remcos RAT. Attackers place the HTML on storage[.]googleapis[.]com, abusing trusted infrastructure instead of hosting the phishing page on a newly registered domain.

❗️ 𝗧𝗵𝗲 𝗰𝗵𝗮𝗶𝗻 𝗹𝗲𝘃𝗲𝗿𝗮𝗴𝗲𝘀 𝗥𝗲𝗴𝗦𝘃𝗰𝘀.𝗲𝘅𝗲, 𝗮 𝗹𝗲𝗴𝗶𝘁𝗶𝗺𝗮𝘁𝗲 𝘀𝗶𝗴𝗻𝗲𝗱 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁/.𝗡𝗘𝗧 𝗯𝗶𝗻𝗮𝗿𝘆 𝘄𝗶𝘁𝗵 𝗮 𝗰𝗹𝗲𝗮𝗻 𝗩𝗶𝗿𝘂𝘀𝗧𝗼𝘁𝗮𝗹 𝗵𝗮𝘀𝗵. Combined with trusted hosting, this makes reputation-based detection unreliable and lowers alert priority during triage. File reputation alone is not enough. Detection depends on behavioral analysis and sandboxing.

⚠️ The page mimics a Google Drive login form, collecting email, password, and OTP. After a “successful login,” the victim is prompted to download Bid-Packet-INV-Document.js, triggering a multi-stage delivery chain:

JS (WSH launcher + time-based evasion) ➡️ VBS Stage 1 (download + hidden execution) ➡️ VBS Stage 2 (%APPDATA%\WindowsUpdate + Startup persistence) ➡️ DYHVQ.ps1 (loader orchestration) ➡️ ZIFDG.tmp (obfuscated PE / Remcos payload) ➡️ Textbin-hosted obfuscated .NET loader (in-memory via Assembly.Load) ➡️ %TEMP%\RegSvcs.exe hollowing/injection ➡️ Partially fileless Remcos + C2 🚨

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/0efd1390-c17a-49ce-baef-44b5bd9c4a97/?utm_source=mastodon&utm_medium=post&utm_campaign=google_storage_abuse_phishing&utm_term=080426&utm_content=linktoservice

🔍 Use this TI Lookup query to pivot from IOCs, review related activity, and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=google_storage_abuse_phishing&utm_content=linktotilookup&utm_term=08042026#%7B%22query%22:%22domainName:%5C%22www.freepnglogos.com%5C%22%20and%20domainName:%5C%22storage.googleapis.com%5C%22%20and%20threatLevel:%5C%22malicious%5C%22%22,%22dateRange%22:30%7D

⚡️ Equip your SOC with stronger phishing detection and contain incidents faster: https://any.run/phishing/?utm_source=mastodon&utm_medium=post&utm_campaign=google_storage_abuse_phishing&utm_term=080426&utm_content=linktophishingpage

#cybersecurity #infosec

📢 Incident Notepad++ : IOCs publiés par l'ancien hébergeur suite à une mise à jour malveillante
📝 ## 🔍 Contexte

Document publié le 02/04/2026 sur le site officiel de Notepad++ (notepad-plus-plus.org), émanant de l'ancie...
📖 cyberveille : https://cyberveille.ch/posts/2026-02-04-incident-notepad-iocs-publies-par-l-ancien-hebergeur-suite-a-une-mise-a-jour-malveillante/
🌐 source : https://notepad-plus-plus.org/assets/data/IoCFromFormerHostingProvider.txt
#IOC #IOCs #Cyberveille

⚠️ #𝗦𝘁𝗲𝗮𝗹𝗖 𝗶𝘀 𝗻𝗼𝘄 𝗱𝗲𝗹𝗶𝘃𝗲𝗿𝗲𝗱 𝘃𝗶𝗮 𝗮 𝗖𝗹𝗼𝘂𝗱𝗳𝗹𝗮𝗿𝗲 𝗖𝗹𝗶𝗰𝗸𝗙𝗶𝘅 𝗳𝗹𝗼𝘄, masking malicious activity behind trusted services. Behavioral analysis exposed a PowerShell-based execution chain used to download and run the payload while attempting to evade detection.

👾 The Process Tree reveals the payload chain: powershell.exe ➡️ powershell.exe ➡️ y3gag2iu.3wq.exe (StealC 🚨)

Multi-stage PowerShell execution and hidden payload delivery make early confirmation harder, slowing triage. #ANYRUN Sandbox helps analysts quickly validate the attack and reduce investigation time.

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/48e6b68d-dfa2-423e-8e7c-24cf8a6ef85b/?utm_source=mastodon&utm_medium=post&utm_campaign=cloudflare_clickfix&utm_term=010426&utm_content=linktoservice

⚡️ Learn how #ANYRUN helps SOCs detect complex threats and contain incidents faster: https://any.run/features/?utm_source=mastodon&utm_medium=post&utm_campaign=cloudflare_clickfix&utm_term=010426&utm_content=linktosandboxlanding

⚙️ Technical details:
ClickFix flow on diddyparty[.]click triggers PowerShell via Win+X ➡️ I. A hidden command (-NoProfile -WindowStyle Hidden) enforces TLS 1.2, stages a random EXE in %TEMP%, pulls the payload via Invoke-WebRequest, executes it, and attempts cleanup. Full execution details are available in the Script Tracer tab.

🔍 IOCs:
diddyparty[.]click
3f0fe92c0e1c4663dcb851ce0fc97ddaed25b559be1d6e2cc0f66304ac652e38

#cybersecurity #infosec

#NPM #axios maintainer has lost control of their account. Malicious versions 1.14.1 and 0.30.4 have been published which include a RAT.

NPM has pulled the effected versions and the payload. Time to clean up and see if you were effected.

StepSecurity has an awesome write up on this issue with #iocs

Link follows this toot.

#CTI #infosec #node #cybersecurity #security #nodejs #js #malware

🚨 𝗺𝗮𝗰𝗢𝗦-𝗦𝗽𝗲𝗰𝗶𝗳𝗶𝗰 #𝗖𝗹𝗶𝗰𝗸𝗙𝗶𝘅 𝗖𝗮𝗺𝗽𝗮𝗶𝗴𝗻 𝗧𝗮𝗿𝗴𝗲𝘁𝗶𝗻𝗴 𝗖𝗹𝗮𝘂𝗱𝗲 𝗖𝗼𝗱𝗲 𝗨𝘀𝗲𝗿𝘀: 𝗗𝗲𝘁𝗲𝗰𝘁 𝗜𝘁 𝗘𝗮𝗿𝗹𝘆
⚠️ We identified a campaign targeting users of AI platforms such as Claude Code, Grok, n8n, NotebookLM, Gemini CLI, OpenClaw, and Cursor with AMOS Stealer. As macOS adoption grows in enterprise environments, these attacks exploit gaps in visibility and make early-stage detection harder.

🎯 In this case, attackers use a redirect from Google ads to a fake Claude Code documentation page and a ClickFix flow to deliver a payload. A terminal command downloads an encoded script, which installs AMOS Stealer, collects browser data, credentials, Keychain contents, and sensitive files, then deploys a backdoor.

The backdoor module (~/.mainhelper) was first described by Moonlock Lab in July 2025. Our analysis shows that it has since evolved. While the original version supported only a limited set of commands via periodic HTTP polling, the updated variant significantly expands functionality and introduces a 𝗳𝘂𝗹𝗹𝘆 𝗶𝗻𝘁𝗲𝗿𝗮𝗰𝘁𝗶𝘃𝗲 𝗿𝗲𝘃𝗲𝗿𝘀𝗲 𝘀𝗵𝗲𝗹𝗹 𝗼𝘃𝗲𝗿 𝗪𝗲𝗯𝗦𝗼𝗰𝗸𝗲𝘁 𝘄𝗶𝘁𝗵 𝗣𝗧𝗬 𝘀𝘂𝗽𝗽𝗼𝗿𝘁.

❗️ This turns the infection from data theft into 𝗽𝗲𝗿𝘀𝗶𝘀𝘁𝗲𝗻𝘁, 𝗵𝗮𝗻𝗱𝘀-𝗼𝗻 𝗮𝗰𝗰𝗲𝘀𝘀 𝘁𝗼 𝘁𝗵𝗲 𝗶𝗻𝗳𝗲𝗰𝘁𝗲𝗱 𝗠𝗮𝗰, giving the attacker real-time control over the system.

Multi-stage delivery, obfuscated scripts, and abuse of legitimate macOS components break visibility into fragmented signals. Triage slows down, and escalation decisions take longer, leading to credential theft and data exfiltration.

⚡️ #ANYRUN Sandbox lets security teams analyze macOS, Windows, Linux, and Android threats with full visibility into execution, attacker behavior, and artifacts, helping detect threats early, attribute activity, and build stronger detection logic, while reducing MTTD and MTTR.

See sample execution in a live analysis session: https://app.any.run/tasks/74f5000d-aa91-4745-9fc7-fdd95549874b/?utm_source=mastodon&utm_medium=post&utm_campaign=macOS_clickfix&utm_term=250326&utm_content=linktoservice

💬 𝗙𝗶𝗻𝗱 #𝗜𝗢𝗖𝘀 𝗶𝗻 𝘁𝗵𝗲 𝗰𝗼𝗺𝗺𝗲𝗻𝘁𝘀 𝗮𝗻𝗱 𝘃𝗮𝗹𝗶𝗱𝗮𝘁𝗲 𝘆𝗼𝘂𝗿 𝗱𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻 𝗰𝗼𝘃𝗲𝗿𝗮𝗴𝗲. We’ve broken down the attack chain in detail — let us know if you’d like to see the full analysis!

👨‍💻 Expand your SOC’s cross-platform threat visibility. Learn how to boost performance and business security with #ANYRUN: https://any.run/cybersecurity-blog/anyrun-macos-sandbox/?utm_source=mastodon&utm_medium=post&utm_campaign=macOS_clickfix&utm_term=250326&utm_content=linktoblog

#cybersecurity #infosec

🚨 𝗦𝗽𝗼𝘁 𝗜𝘁 𝗘𝗮𝗿𝗹𝘆: 𝗖𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹 𝗧𝗵𝗲𝗳𝘁 𝗕𝗲𝗵𝗶𝗻𝗱 𝗙𝗮𝗸𝗲 𝗣𝗗𝗙𝘀
Attackers disguise #phishing HTM/HTML email attachments as PDF files. In the observed case, pdf.htm displays a fake login page and sends entered credentials in JSON via HTTP POST to the Telegram Bot API, enabling account takeover and access to internal systems.

Some samples use obfuscated scripts, making the exfiltration logic harder to spot ❗️

⚡️ #ANYRUN Sandbox exposed phishing behavior in under 60 seconds, revealing the outbound network activity, loaded scripts, and file contents, helping analysts accelerate triage and reduce unnecessary escalations.

🎣 See the analysis session and collect #IOCs to speed up detection and cut MTTR: https://app.any.run/tasks/3a6af151-cf57-461f-b600-19c39fdfcce6?utm_source=mastodon&utm_medium=post&utm_campaign=html_pdf_phishing&utm_content=linktoservice&utm_term=110326

🔍 Find similar cases and pivot from IOCs using this TI Lookup search query: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=html_pdf_phishing&utm_content=linktotilookup&utm_term=110326#%7B%2522query%2522:%2522filePath:%255C%2522.pdf.html$%255C%2522%2520OR%2520filePath:%255C%2522.pdf.htm$%255C%2522%2522,%2522dateRange%2522:180%7D

👨‍💻 Learn how #ANYRUN Sandbox helps SOC teams detect complex threats faster: https://any.run/features/?utm_source=mastodon&utm_medium=post&utm_campaign=html_pdf_phishing&utm_term=110326&utm_content=linktosandboxlanding

#cybersecurity #infosec

#malware on Vulkan Loader

#IOCs

72a8eb805e026accc0a5805847db978f (세무 감사.exe)

0a580815e4dbedecafd88b207eca8c8f (vulkan-1.bin)

55b624a0b0423a337b804fe8e305a386 (vulkan-1.dll)

Command-and-control IPv4 map, 2026-02-22 to 2026-03-07 #IOCs
https://abjuri5t.github.io/SarlackLab/

43.249.172[.]0/22
23.248.208[.]0/21
178.16.52[.]0/22
23.226.58[.]0/23
156.234.56[.]0/23
158.94.208[.]0/22
43.240.239[.]0/24
103.39.16[.]0/22
185.213.60[.]0/23
23.226.48[.]0/23

⚠️ 𝗡𝗲𝘄 𝗦𝘁𝗮𝗴𝗲𝗿 𝗟𝗲𝗮𝗱𝗶𝗻𝗴 𝘁𝗼 𝗥𝗔𝗧 𝗗𝗲𝗽𝗹𝗼𝘆𝗺𝗲𝗻𝘁: 𝗗𝗲𝘁𝗲𝗰𝘁 𝗜𝘁 𝗘𝗮𝗿𝗹𝘆
We caught #RUTSSTAGER, a malware that stores a DLL in the Windows registry in hexadecimal form, hiding the payload and delaying detection. In the observed chain, the stager delivered #OrcusRAT, followed by a supporting binary that maintains persistence, uses PowerShell for system checks, and restarts the RAT process.

✅ In the #ANYRUN Sandbox, behavioral analysis and file system monitoring exposed the full execution chain. Process synchronization events revealed coordination between the stager and its payload, helping confirm multi-stage malware activity early.

👾 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/b357aa61-29d5-4c7f-87f8-359281319a72/?utm_source=mastodon&utm_medium=post&utm_campaign=rutsstager&utm_term=050326&utm_content=linktoservice

🔍 Pivot from indicators and subscribe to Query Updates to proactively track evolving attacks: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=rutsstager&utm_content=linktotilookup&utm_term=050326#%7B%2522query%2522:%2522registryName:%255C%2522%5Erutsdll32$%255C%2522%2522,%2522dateRange%2522:180%7D

👨‍💻 Learn how #ANYRUN Sandbox helps SOCs detect complex threats and contain incidents faster: https://any.run/features/?utm_source=mastodon&utm_medium=post&utm_campaign=rutsstager&utm_term=050326&utm_content=linktosandboxlanding