Analysis of Gamaredon campaign targeting Ukraine weaponizing CVE-2025-8088

A campaign exploiting the WinRAR path-traversal vulnerability CVE-2025-8088 has been actively targeting Ukraine since February 2026, with ongoing activity through June 2026. The operation uses Ukrainian military and conscription-themed documents as lures, distributed as RAR archives. The malicious archives contain NTFS alternate data streams with path-traversal sequences that automatically place LNK files into the Windows Startup folder upon extraction. These shortcuts execute hidden PowerShell stagers incorporating anti-analysis techniques including debugger checks, disk-space verification, and sleep delays to evade sandbox detection. The persistent nature of the attacks demonstrates continuous targeting of Ukrainian entities over a four-month period using social engineering focused on military documentation themes.

Pulse ID: 6a34c6344468a941c924c02c
Pulse Link: https://otx.alienvault.com/pulse/6a34c6344468a941c924c02c
Pulse Author: AlienVault
Created: 2026-06-19 04:31:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Gamaredon #InfoSec #LNK #Military #OTX #OpenThreatExchange #PowerShell #RAT #SocialEngineering #UK #Ukr #Ukraine #Ukrainian #Vulnerability #WinRAR #Windows #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Health officials urge Lancaster County, Nebraska residents to protect themselves from mosquitoes after positive West Nile virus case

*Be aware, Lincoln friends!

#WestNileVirus #mosquito #LNK #Nebraska

https://www.ketv.com/article/lancaster-county-west-nile-case/71631945

Twitter Feed - nextronresearch - 17-06-2026

SideCopy, also tracked as APT36 or Transparent Tribe, has launched a new attack campaign targeting Indian defense personnel using a fake 'Minutes Of Meeting' document as lure. The attack employs an identical playbook to previous operations: a double-extension Minutes Of Meeting.docx.lnk file executes a PowerShell stager (pdfdocs.bat) from a nested pdfdocs folder while displaying a clean decoy document. The chain deploys a Remote Access Trojan (pdfdocs) that establishes persistence through the HKCU Run key. The staged components demonstrate low detection rates at initial delivery, with the decoy document scoring 0/66, the stager 1/61, and only the final executable reaching 35/71 detections.

Pulse ID: 6a3363abf0061625f1a7b54a
Pulse Link: https://otx.alienvault.com/pulse/6a3363abf0061625f1a7b54a
Pulse Author: AlienVault
Created: 2026-06-18 03:19:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #India #InfoSec #LNK #OTX #OpenThreatExchange #PDF #PowerShell #RAT #RemoteAccessTrojan #SideCopy #TransparentTribe #Trojan #Twitter #bot #AlienVault


This is Maena D'Luxian's last craft brunch for a while bc they're moving to the UK.

It would be awesome if we could get some presales going and get a great crowd to send them off on a high note. We're doing bingo, too, so a little different but still. Good food, great drag, a fun craft and a game!

tickets here https://makittakit.com/products/crafty-queens-drag-brunch?fbclid=Iwb21leASekG9jbGNrBJ6QZ2V4dG4DYWVtAjExAHNydGMGYXBwX2lkDDM1MDY4NTUzMTcyOAABHkAa89isau5giYLWtm_cV4J6w4c9cG_0FN00E-aTdE4XqQqEXqLj-1b4Xvf-_aem_2RgYAkTf1NlrbS2T-3trog

#LNK #Drag

Threat Actors Weaponize AI Hype to Deliver AsyncRAT

A sophisticated malware campaign exploits growing interest in artificial intelligence by distributing malicious files disguised as AI-related learning resources and technical guides. The attack employs an exceptionally complex multi-stage infection chain beginning with compressed archives containing LNK shortcuts and hidden PDF files. Through multiple layers of obfuscation involving PowerShell scripts, batch files, and AutoHotkey loaders, the campaign establishes persistent access and deploys two distinct .NET Remote Access Trojans including AsyncRAT. The intermediate scripts extensively use Simplified Chinese variable names and exhibit coding patterns suggesting AI-assisted development, with cultural references to Chinese mythology used as symbolic aliases for Windows API calls. The attack implements advanced techniques including process hollowing, reflective DLL injection, and scheduled task persistence while actively disabling Windows Defender exclusions to facilitate execution.

Pulse ID: 6a2ae2fc2f480b5e67ea0de5
Pulse Link: https://otx.alienvault.com/pulse/6a2ae2fc2f480b5e67ea0de5
Pulse Author: AlienVault
Created: 2026-06-11 16:31:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AsyncRAT #Chinese #CyberSecurity #InfoSec #LNK #Malware #NET #OTX #OpenThreatExchange #PDF #PowerShell #RAT #RCE #RemoteAccessTrojan #Trojan #Windows #bot #AlienVault


Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2

A sophisticated Python-based RAT targeting Korean users through spear phishing emails disguised as Microsoft security alerts. The attack chain employs LNK files embedded in ZIP archives, BAT-based obfuscation, and multi-stage loaders culminating in NarwhalRAT deployment. This advanced malware features keylogging, screen capture, microphone recording, and USB data collection capabilities. It utilizes a dual C2 infrastructure combining Korean relay servers (daehoat.com, novel21.co.kr) with pCloud API as a dead-drop resolver. The malware creates encrypted configuration files, implements anti-VM techniques, and establishes persistence through scheduled tasks. It operates as a manually-controlled RAT with selective function activation via C2 commands, employing in-memory execution to evade file-based detection.

Pulse ID: 6a30130ad416e33ebf9e9417
Pulse Link: https://otx.alienvault.com/pulse/6a30130ad416e33ebf9e9417
Pulse Author: AlienVault
Created: 2026-06-15 14:58:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #Cloud #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #Microsoft #OTX #OpenThreatExchange #Phishing #Python #RAT #SpearPhishing #Troll #USB #ZIP #bot #pCloud #AlienVault

For the few of you in #LNK who aren't at Memorial Stadium to watch the Bananas take on the Firefighters tonight: https://www.youtube.com/live/9OiifgilVpY
The Savannah Bananas vs The Firefighters in Memorial Stadium at University of Nebraska!

YouTube

Zipline is closing?!?!

#lnk

Woke up to roof leaking 😩 #LNK