PCPJack Hijacked 230 AWS, GCP, and Azure Servers to Run a Hidden SMTP Relay Network

PCPJack operators compromised 230 cloud Linux servers across AWS, GCP, and Azure to build a covert SMTP relay network for email-based attacks. Researchers discovered exposed directories on infrastructure at 213.136.80[.]73 containing complete deployment toolkits including Chisel binaries, Python deployers, and operational state files. The campaign deployed Sliver C2 beacons and established reverse SOCKS5 tunnels on compromised hosts, testing each for SMTP relay capability. Three deployment versions showed operational evolution from 50 to 230 nodes, with verified proxies synchronized every five minutes to a downstream aggregation server. The operation targeted cloud-hosted web applications, exploiting them to gain initial access, then establishing persistence through systemd services and cron jobs disguised as system utilities. Victims included small to medium businesses across multiple regions running containerized and traditional workloads.

Pulse ID: 6a2067cbef8cf15f958711ce
Pulse Link: https://otx.alienvault.com/pulse/6a2067cbef8cf15f958711ce
Pulse Author: AlienVault
Created: 2026-06-03 17:43:39

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Azure #Cloud #CyberSecurity #Email #InfoSec #Linux #OTX #OpenThreatExchange #Python #RAT #Sliver #bot #socks5 #AlienVault

Ever wanted to experience Paris without buying a plane ticket?

Now you can at least browse the internet like you’re there 🇫🇷

New residential IPs added in Paris from a certain very-orange French telecom provider.

Dedicated.
Static.
Ready for long sessions.

#Paris #Networking #SOCKS5

Quick networking tip:

SOCKS4 = older + limited.
SOCKS5 = modern + flexible.

SOCKS5 adds:
- username/password auth
- UDP support
- IPv6 compatibility
- broader app support

That’s why most serious workflows moved to SOCKS5 years ago.

#SOCKS5 #ProxyTips #Networking

ClickFix Evolves with PySoxy Proxying

A sophisticated ClickFix campaign was observed in April 2026 deploying PySoxy, a decade-old open-source Python SOCKS5 proxy tool, to establish encrypted proxy access on compromised hosts. The attack chain begins with social engineering that tricks users into executing obfuscated PowerShell commands, which then establishes scheduled task persistence and deploys an in-memory PowerShell-based command-and-control agent. Following domain reconnaissance activities, attackers deploy PySoxy to create a redundant encrypted access channel. The persistence mechanism continues attempting re-execution even after initial connections are blocked, demonstrating how single ClickFix executions can evolve into modular post-exploitation chains. This development represents a significant evolution from simple one-time execution to durable access with multiple redundant pathways, requiring comprehensive remediation beyond blocking initial callbacks.

Pulse ID: 6a04a9a171b2ad5ef57d9993
Pulse Link: https://otx.alienvault.com/pulse/6a04a9a171b2ad5ef57d9993
Pulse Author: AlienVault
Created: 2026-05-13 16:41:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #PowerShell #Proxy #Python #RAT #RCE #SocialEngineering #bot #socks5 #AlienVault

Production MTProto user-бот на FastAPI + Telethon: WARP для обхода DPI и 5 граблей с Telegram

В большинстве туториалов по Telegram-ботам всё начинается с одного куска кода: получили токен у @BotFather, поставили python-telegram-bot или aiogram , написали хендлер, deploy. Это Bot API. И в 90% задач этого хватает. А потом приходит задача которую Bot API не закрывает в принципе: программно создать супергруппу под конкретный проект и добавить туда нужных людей по @username , и сделать это десятки раз в день . Bot API такое не умеет даже теоретически - метода «создать группу» там нет, метода «добавить юзера в группу» тоже. Лезете в полную документацию Telegram API искать обход, упираетесь в раздел channels.createChannel / channels.inviteToChannel под MTProto, и начинается совсем другая история - не Bot API, а user-бот через telethon . В этой статье разбираю как мы сделали production MTProto user-бот на FastAPI + Telethon. Под капотом: Cloudflare WARP для обхода DPI (без него с российского VPS просто не подключиться), Singleton-клиент с keepalive, in-memory cache resolve-юзеров, и 5 ограничений Telegram которые знают только те кто лез туда ногами . Реальный production-сервис у клиента в нише строительства/монтажа, обслуживает связку Planfix → Telegram-группы под каждый проект. Сервис написан на Python 3.11. Стек: Telethon 1.43.2, FastAPI 0.136.1, Uvicorn 0.46.0, Pydantic 2.13.4. На VPS под systemd , наружу через Cloudflare Tunnel. Вызывается из n8n через HTTP-ноду.

https://habr.com/ru/articles/1034612/

#telethon #mtproto #telegram #python #fastapi #cloudflare #warp #n8n #socks5 #planfix

Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America

Two distinct threat campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, have been identified targeting government entities and financial organizations across Latin America using agentic artificial intelligence to conduct cyber intrusions. SHADOW-AETHER-040, a Spanish-speaking group, compromised six government entities in Mexico between December 2025 and January 2026, while SHADOW-AETHER-064, operating in Portuguese, targeted Brazilian financial institutions starting in April 2026. Both campaigns established SOCKS5 tunnels via ProxyChains and SSH, enabling AI agents to execute commands directly within victim networks. The AI agents dynamically generated hacking tools and scripts on-demand, reducing detection by signature-based security solutions. Despite tactical similarities including shared toolsets like Chisel, Neo-reGeorg, CrackMapExec, and Impacket, the campaigns appear to be separate entities distinguished primarily by language. These operations represent emerging cases of AI agents executing complete...

Pulse ID: 6a02ea171e7005022d5c8a6f
Pulse Link: https://otx.alienvault.com/pulse/6a02ea171e7005022d5c8a6f
Pulse Author: AlienVault
Created: 2026-05-12 08:51:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Brazil #CyberSecurity #Government #InfoSec #LatinAmerica #Mexico #OTX #OpenThreatExchange #Proxy #RAT #SSH #bot #socks5 #AlienVault

New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

A new variant of the TrickMo Android banking trojan was identified between January and February 2026, representing a substantial platform redesign rather than new capabilities. The malware has migrated its command-and-control infrastructure entirely onto The Open Network (TON) using .adnl endpoints, moving away from conventional internet infrastructure. Active campaigns have targeted banking and wallet users in France, Italy, and Austria. Once accessibility permissions are granted, operators gain real-time device control including credential phishing, keylogging, screen recording, SMS interception, and bidirectional remote control. New features include network reconnaissance capabilities and SSH tunnelling that transform infected devices into programmable network pivots and SOCKS5 proxy exit nodes, enabling operators to bypass IP-based fraud detection systems while accessing victim networks.

Pulse ID: 6a019c5f0a3344d92c4302a3
Pulse Link: https://otx.alienvault.com/pulse/6a019c5f0a3344d92c4302a3
Pulse Author: AlienVault
Created: 2026-05-11 09:07:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Bank #BankingTrojan #CyberSecurity #Endpoint #France #InfoSec #Italy #Malware #OTX #OpenThreatExchange #Phishing #Proxy #RAT #RCE #SMS #SSH #Trojan #bot #socks5 #AlienVault

Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

A buffer overflow vulnerability in the User-ID Authentication Portal of PAN-OS software allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. Limited exploitation has been observed starting April 9, 2026, by a likely state-sponsored threat cluster. Attackers successfully achieved remote code execution by injecting shellcode into nginx worker processes. Post-exploitation activities included deployment of EarthWorm and ReverseSocks5 tunneling tools, Active Directory enumeration using compromised firewall credentials, and systematic log destruction to evade detection. The attackers demonstrated operational discipline with intermittent interactive sessions over multiple weeks, using open-source tools instead of proprietary malware to minimize detection. The vulnerability poses elevated risk when the portal is exposed to untrusted networks or the public internet.

Pulse ID: 69fc45baaffc99649cda5385
Pulse Link: https://otx.alienvault.com/pulse/69fc45baaffc99649cda5385
Pulse Author: AlienVault
Created: 2026-05-07 07:56:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #Nginx #Nim #OTX #OpenThreatExchange #RAT #RCE #RemoteCodeExecution #Rust #ShellCode #Vulnerability #Worm #ZeroDay #bot #socks5 #AlienVault

Have the practice of bookmarking content for future processing and currently working on a script that uses various services to hijack endpoints via #curl. The content is hosted on #Instagram as reels.

One service downloads the reel while the other transcribes it.

Now that the transcription service has a daily limit, I am wondering which approach I will take to overcome this obstacle.

Either one can #SOCKS5 through curl onto the #Tor network to create a new connection after hitting the daily limit again.

Or one can #whisperCpp over the downloaded reel.

Как запустить VLESS + Reality на старом Intel iMac с macOS Catalina 10.15.8

На старых Intel Mac установка proxy-клиента часто превращается в странный квест: если приложение ставится, подписка импортируется, серверы вроде бы появляются, но рабочего подключения всё равно нет. На macOS Catalina 10.15.8 эта проблема ощущается особенно остро: часть современных клиентов уже не поддерживает систему, часть формально запускается, но ломается на встроенном core, а автоматический импорт VLESS/Reality-конфигов может создавать пустую заглушку вместо рабочего профиля. Эта инструкция написана не экспертом по сетям, а обычным пользователем для таких же обычных пользователей. Я собрал в одном месте весь путь, который реально сработал у меня на старом Intel iMac: как понять, какая версия клиента вообще подходит для Catalina, где брать старые релизы, как распознать сломанный импорт, как вручную собрать рабочий config и почему Telegram Desktop может не заработать, даже когда браузер уже работает.

https://habr.com/ru/articles/1027620/

#macOS_Catalina #Intel_iMac #V2RayXS #VLESS #Reality #Xray #proxy #Telegram_Desktop #SOCKS5 #JSON