Digital Voice New Zealand Net - Starts Saturday 20:30 NZT (Saturday 08:30 UTC), all are welcome.

How to access:
DVDU/FreeDMR DMR: TG 530
XLX299 Module B
ASL: 511780
NZSIP: 53299
YSF: #00530 or NXDN/P25: 53035

#hamradio #DVNZ #DigitalVoice #Net

Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. of India/MoF Tax Infrastructure via Multi-Stage DcRAT Deployment

A sophisticated China-aligned cyber espionage campaign targeting India's tax infrastructure was identified between May and June 2026. The operation impersonates the Income Tax Department, Ministry of Finance, exploiting the AY2026-27 ITR filing season to target corporate entities, tax professionals, chartered accountants, and taxpayers. The attack employs spear-phishing emails with malicious attachments mimicking legitimate government utilities. The multi-stage infection chain deploys DcRAT through steganographic payload concealment, fileless .NET execution, AMSI bypass, and Windows service persistence. The threat actor demonstrates operational maturity through active payload rotation achieving 0/66 detection rates, encrypted TLS-based C2 communications, and infrastructure hosted across multiple ASNs linked to China. The campaign shows overlaps with the China-nexus threat actor Silver Fox, featuring screen capture capabilities, data exfiltration, and systematic intelligence collection from high-value India...

Pulse ID: 6a3e75975494e990e7421b4d
Pulse Link: https://otx.alienvault.com/pulse/6a3e75975494e990e7421b4d
Pulse Author: AlienVault
Created: 2026-06-26 12:50:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #CyberSecurity #DCRat #Email #Espionage #Government #India #InfoSec #Mimic #NET #OTX #OpenThreatExchange #Phishing #RAT #SpearPhishing #TLS #Windows #bot #AlienVault

Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access

Since April 2026, a sophisticated multi-stage intrusion campaign has targeted hospitality and hotel organizations across Europe and Asia. The operation uses photo-themed ZIP archives containing malicious shortcut files disguised as images. When executed, these shortcuts initiate an attack chain involving obfuscated PowerShell, Node.js-based implants, and dual registry persistence mechanisms. The threat actor exploits legitimate services like Calendly and Google redirects for phishing delivery, employing authentication laundering to bypass email security controls. The campaign evolved through two waves, introducing .NET DLL compilation, Cloudflare-fronted infrastructure, and refined obfuscation techniques. Post-compromise activities include command-and-control beaconing over non-standard ports, forced shutdowns, and portable executable compilation, suggesting preparation for additional malicious operations.

Pulse ID: 6a3df8979895cc716bfbf931
Pulse Link: https://otx.alienvault.com/pulse/6a3df8979895cc716bfbf931
Pulse Author: AlienVault
Created: 2026-06-26 03:57:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #Cloud #CyberSecurity #Email #Europe #Google #Hospital #InfoSec #NET #Nodejs #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #SMS #ZIP #bot #AlienVault

New in .NET 10.0 [29]: Check IP addresses with IPAddress.IsValid()

The new IsValid() method checks faster than older methods in .NET whether an IP address has a valid structure.

https://www.heise.de/en/blog/New-in-NET-10-0-29-Check-IP-addresses-with-IPAddress-IsValid-11345555.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#NET #DerDotnetDoktor #IT #Microsoft #news

Millenium: A RAT Rewritten, A Threat Multiplied

Group-IB analyzes Millenium RAT version 4.*, a remote access trojan that has undergone significant architectural changes from .NET to native C++, while continuing to leverage Telegram Bot API for command and control without requiring dedicated server infrastructure. The malware is distributed as Malware-as-a-Service by developer 'ShinyEnigma' for $50-90 USD. Active exploitation campaigns are conducted by threat actor cluster 'Y2K Operators' using social engineering tactics including fraudulent utilities, hacking toolkits, software cracks, gaming lures, and trojanized cybercrime tools. The trojan enables exfiltration of sensitive browser and system data, screenshot and audio capture, keylogging, and arbitrary executable downloads. Over 62,000 compromised endpoints across more than 160 countries have been identified, with 39,730 infections occurring in Q1 2026 alone, demonstrating accelerating infection rates.

Pulse ID: 6a3d76e592eaea08a66ad337
Pulse Link: https://otx.alienvault.com/pulse/6a3d76e592eaea08a66ad337
Pulse Author: AlienVault
Created: 2026-06-25 18:43:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberCrime #CyberSecurity #Endpoint #GroupIB #ICS #InfoSec #Malware #MalwareAsAService #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SocialEngineering #Telegram #Trojan #bot #AlienVault

CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure

Throughout 2025, Chinese-speaking threat actors tracked as CL-STA-1062 conducted extensive operations against government entities and critical infrastructure in Southeast Asia, specifically targeting state-owned enterprises in energy and government sectors. Active since March 2022, this cluster was previously identified as UAT-7237 in campaigns against Taiwan's web hosting infrastructure. The attackers employ a hybrid toolkit combining open-source tools like SoftEther VPN, Mimikatz, and VNT with a newly discovered custom backdoor called TinyRCT. This .NET-based backdoor provides capabilities including arbitrary command execution, file enumeration and exfiltration, screen capture, and self-destruct mechanisms. The infection chain typically begins with web application exploitation deploying ASPX web shells, followed by credential dumping, lateral movement, and data exfiltration. Between October and December 2025, at least ten organizations across Southeast Asia were compromised, demonstrating sustained regio...

Pulse ID: 6a3db58dcad7fa34b60b3689
Pulse Link: https://otx.alienvault.com/pulse/6a3db58dcad7fa34b60b3689
Pulse Author: AlienVault
Created: 2026-06-25 23:11:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #Chinese #CyberSecurity #ELF #Government #InfoSec #NET #OTX #OpenThreatExchange #RAT #RCE #SMS #VPN #bot #stateowned #AlienVault

STOCKSTAY Another Day: The Latest Addition to Turla’s Intelligence Gathering Apparatus

Google Threat Intelligence Group has identified STOCKSTAY, a .NET backdoor continuously developed and deployed by Russia-linked Turla (FSB Center 16) since December 2022. The multi-component malware communicates via secure WebSocket connections and targets government and military organizations in Ukraine, as well as entities interested in Italian foreign policy. STOCKSTAY shares significant code overlaps with KAZUAR, particularly the K1MORPHER obfuscation mechanism. The threat actor employs academic and diplomatic lures, malicious RDP files, and compromised Ukrainian infrastructure for deployment. STOCKSTAY demonstrates environmental keying for configuration protection and operates at multiple operational stages. The malware's modular architecture separates C2 communication, task orchestration, and execution into distinct components, mirroring KAZUAR's design philosophy and indicating shared development resources within Turla's cyber espionage arsenal.

Pulse ID: 6a3db99d3f27ba984f5154ff
Pulse Link: https://otx.alienvault.com/pulse/6a3db99d3f27ba984f5154ff
Pulse Author: AlienVault
Created: 2026-06-25 23:28:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Espionage #Google #Government #InfoSec #Italian #Kazuar #Malware #Military #NET #OTX #OpenThreatExchange #RAT #RCE #RDP #Russia #Turla #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault

Neu in .NET 10.0 [29]: IP-Adressen prüfen mit IPAddress.IsValid()

Die neue Methode IsValid() prüft schneller als ältere Methoden in .NET, ob eine IP-Adresse einen gültigen Aufbau hat.

https://www.heise.de/blog/Neu-in-NET-10-0-29-IP-Adressen-pruefen-mit-IPAddress-IsValid-11345435.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#NET #DerDotnetDoktor #IT #Microsoft #news

LokiBot After a Decade: An Analysis of a Recent LokiBot Campaign

LokiBot, an infostealer first advertised in May 2015, continues to operate after more than a decade with numerous variants. The malware targets credentials from over a hundred software products including browsers, cryptocurrency wallets, password managers, email and FTP clients. A recent campaign delivers LokiBot through malspam with JScript email attachments, executing a multi-stage infection chain involving PowerShell loaders and .NET injectors protected by ConfuserEx. The final payload uses process injection into aspnet_compiler.exe, employing API hashing techniques to evade detection. While LokiBot maintains extensive credential theft capabilities, recent samples exhibit broken persistence mechanisms due to patched decryption subroutines. The malware communicates with C2 servers to exfiltrate compressed stolen data and await further commands, demonstrating continued evolution despite reduced activity in recent years.

Pulse ID: 6a3c6b9416a51c4cdec616c4
Pulse Link: https://otx.alienvault.com/pulse/6a3c6b9416a51c4cdec616c4
Pulse Author: AlienVault
Created: 2026-06-24 23:43:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ASPNet #ASPNet_Compiler #Browser #CyberSecurity #Email #InfoSec #InfoStealer #MalSpam #Malware #NET #OTX #OpenThreatExchange #Password #PowerShell #RAT #SMS #Spam #Word #bot #cryptocurrency #AlienVault