Analysis of Attack Activities Using SSH+TOR Tunnels to Achieve Covert Persistence

APT-C-13 (Sandworm), also known as FROZENBARENTS, is a state-sponsored advanced persistent threat group conducting global cyber espionage operations. The organization recently deployed malicious campaigns using nested SSH and TOR tunnel infrastructure to establish covert remote access channels. Attackers distribute ZIP archives containing weaponized LNK files via spearphishing emails, which extract and execute payloads that create scheduled tasks disguised as legitimate software. The attack establishes dual-encrypted anonymous tunnels using obfs4 protocol to bypass deep packet inspection, while mapping sensitive ports (SMB/445, RDP/3389) to Onion domains for persistent backdoor access. The campaign leverages sophisticated anti-analysis techniques including sandbox detection, file disguise, and process masquerading to evade detection and maintain long-term unauthorized control over compromised systems for intelligence collection.

Pulse ID: 69f1f50a5410ca637c84368c
Pulse Link: https://otx.alienvault.com/pulse/69f1f50a5410ca637c84368c
Pulse Author: AlienVault
Created: 2026-04-29 12:09:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Email #Espionage #InfoSec #LNK #OTX #Onion #OpenThreatExchange #Phishing #RAT #RDP #SMB #SSH #Sandworm #SpearPhishing #Worm #ZIP #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Attack Activity Analysis Using SSH+TOR Tunnels for Covert Persistence

APT-C-13 (Sandworm), also known as FROZENBARENTS, is a state-sponsored advanced persistent threat group conducting global cyber espionage targeting government agencies, diplomatic departments, energy enterprises, and research organizations. Recently detected samples reveal the group's use of nested SSH and TOR tunnel architecture to establish covert communication channels. The attack begins with spear-phishing emails delivering malicious LNK files disguised as PDF documents. Upon execution, the payload deploys TOR hidden services mapping internal ports (SMB/445, RDP/3389) to onion domains, while SSH services with public key authentication provide encrypted remote access. The malware employs obfs4 protocol to obfuscate TOR traffic, evading deep packet inspection. Persistence is achieved through scheduled tasks masquerading as legitimate applications like Opera GX and Dropbox, establishing an anonymous shadow management infrastructure for sustained intelligence collection.

Pulse ID: 69f06b1eeeb1fca735cb0bb8
Pulse Link: https://otx.alienvault.com/pulse/69f06b1eeeb1fca735cb0bb8
Pulse Author: AlienVault
Created: 2026-04-28 08:09:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Dropbox #Email #Espionage #Government #InfoSec #LNK #Malware #OTX #Onion #OpenThreatExchange #Opera #PDF #Phishing #RDP #SMB #SSH #Sandworm #SpearPhishing #Worm #bot #AlienVault

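The two pulses above describe three artefacts a responder can hunt for on a suspected host: a torrc whose HiddenServicePort lines forward SMB/RDP (and the SSH service) to an onion address, obfs4 bridge configuration, and scheduled tasks that borrow the Opera GX or Dropbox name while launching Tor or SSH binaries from somewhere else. The script below is an added example (not code from the reports or from the actor): the torrc text and the task records are constructed, the bridge address is a documentation range, the Opera GX and Dropbox install directories are assumptions, and only the Tor directive syntax (HiddenServiceDir, HiddenServicePort, UseBridges, ClientTransportPlugin, Bridge) is real.

```python
"""Hunt for the SSH+TOR persistence pattern: hidden services that expose
SMB/RDP/SSH, obfs4 transport, and vendor-named tasks launching Tor/SSH.
Added example; all inputs are constructed and vendor paths are assumptions."""
import re
from dataclasses import dataclass

# Ports named in the reports (445, 3389) plus SSH; WinRM is an added assumption.
SENSITIVE_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM"}

# Assumed legitimate install locations of the imitated products (lower-case).
EXPECTED_DIRS = {
    "opera gx": ["\\appdata\\local\\programs\\opera gx\\", "\\program files\\opera gx\\"],
    "dropbox": ["\\program files (x86)\\dropbox\\", "\\program files\\dropbox\\",
                "\\appdata\\local\\dropbox\\"],
}
SUSPECT_BINARIES = ("tor.exe", "obfs4proxy.exe", "ssh.exe", "sshd.exe", "plink.exe")


@dataclass
class Finding:
    severity: str
    source: str
    detail: str


def parse_torrc(text):
    """Yield (directive, argument string) pairs; comments and blank lines dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def hunt_torrc(text, source="torrc"):
    """Flag hidden services forwarding a sensitive port and any obfs4 usage."""
    findings, hs_dir = [], None
    for directive, args in parse_torrc(text):
        if directive == "hiddenservicedir":
            hs_dir = args
        elif directive == "hiddenserviceport":
            # Syntax: HiddenServicePort VIRTPORT [TARGET]; TARGET defaults to 127.0.0.1:VIRTPORT
            m = re.match(r"(\d+)(?:\s+(\S+))?", args)
            if not m:
                continue
            virt = int(m.group(1))
            target = m.group(2) or f"127.0.0.1:{virt}"
            tm = re.search(r":(\d+)$", target)
            ports = {virt} | ({int(tm.group(1))} if tm else set())
            hit = sorted(p for p in ports if p in SENSITIVE_PORTS)
            if hit:
                names = "/".join(f"{SENSITIVE_PORTS[p]}:{p}" for p in hit)
                findings.append(Finding("high", source,
                                        f"hidden service {hs_dir} exposes {names} -> {target}"))
        elif directive == "clienttransportplugin" and args.lower().startswith("obfs4"):
            findings.append(Finding("medium", source, f"obfs4 pluggable transport: {args}"))
        elif directive == "bridge" and args.lower().startswith("obfs4"):
            parts = args.split()
            findings.append(Finding("medium", source,
                                    f"obfs4 bridge: {parts[1] if len(parts) > 1 else args}"))
    return findings


def hunt_tasks(tasks, source="schtasks"):
    """tasks: list of {'name', 'action'} records as exported from Task Scheduler."""
    findings = []
    for t in tasks:
        name, action = t["name"].lower(), t["action"].lower()
        for brand, dirs in EXPECTED_DIRS.items():
            # Name borrows the brand but the action does not live in its install directory.
            if brand.replace(" ", "") in name.replace(" ", "") and not any(d in action for d in dirs):
                findings.append(Finding("high", source,
                                        f"task '{t['name']}' imitates {brand} but runs {t['action']}"))
        exe = re.search(r"([^\\/\s]+\.exe)", action)
        if exe and exe.group(1) in SUSPECT_BINARIES:
            findings.append(Finding("medium", source, f"task '{t['name']}' launches {exe.group(1)}"))
    return findings


# Constructed torrc modelled on the layout the reports describe (not a real sample).
SAMPLE_TORRC = r"""
SocksPort 9050
HiddenServiceDir C:\Users\victim\AppData\Roaming\Opera GX\hs
HiddenServicePort 445 127.0.0.1:445
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 22
UseBridges 1
ClientTransportPlugin obfs4 exec C:\Users\victim\AppData\Roaming\Opera GX\obfs4proxy.exe
Bridge obfs4 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=AAAA iat-mode=0
"""

# Constructed task records: two masquerades and one genuine updater task.
SAMPLE_TASKS = [
    {"name": "Opera GX Browser Assistant",
     "action": r"C:\Users\victim\AppData\Roaming\Opera GX\tor.exe -f torrc"},
    {"name": "DropboxUpdateTaskUserS-1-5-21",
     "action": r"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /c"},
    {"name": "Dropbox Sync",
     "action": r"C:\Users\victim\AppData\Roaming\Opera GX\sshd.exe -f sshd_config"},
]

if __name__ == "__main__":
    for f in hunt_torrc(SAMPLE_TORRC) + hunt_tasks(SAMPLE_TASKS):
        print(f"[{f.severity}] {f.source}: {f.detail}")
```

On a live host the torrc is wherever the dropped tor binary was pointed with `-f`, so search user-writable directories for any file containing `HiddenServicePort` rather than only the default locations; the task records can be taken from `schtasks /query /fo csv /v` or from the Task Scheduler XML exports.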
Signal responds to German problems

The Signal Foundation is responding to confusing reports about phishing in Germany and the Netherlands. It explains how the attackers operate.

heise online

North Korean Hackers Exploit Crypto Firms with AI-Driven Zoom Lures

North Korean hackers launched a massive spear-phishing campaign, targeting over 100 crypto organizations worldwide with cleverly crafted Zoom lures and AI-generated deepfakes. They used fake calendar invites and typosquatted meeting links to gain access and exfiltrate sensitive data in a matter of minutes.

https://osintsights.com/north-korean-hackers-exploit-crypto-firms-with-ai-driven-zoom-lures?utm_source=mastodon&utm_medium=social

#NorthKoreanHackers #Cryptocurrency #AidrivenAttacks #Spearphishing #ZoomExploits


Operation PhantomCLR: Stealth Execution via AppDomain Hijacking and In-Memory .NET Abuse

A highly sophisticated multi-stage post-exploitation framework targeting organizations in the Middle East and EMEA financial sectors exploits legitimate digitally signed Intel utilities through .NET AppDomainManager mechanism abuse. The attack leverages trusted binary proxy execution, bypassing EDR and antivirus solutions through JIT-based memory execution and sandbox evasion using computational delays and cryptographic key derivation loops. Initial access occurs via spear-phishing with Arabic-language decoys impersonating Saudi government documents. Once executed, the framework establishes command-and-control communication through Amazon CloudFront CDN domain fronting, employing reflective DLL loading, direct syscall usage, and anti-forensic memory cleanup techniques. The modular plugin-based architecture demonstrates capabilities consistent with advanced persistent threat actors, featuring sophisticated evasion mechanisms including PEB-based API resolution, custom PE export walking, and heap-walking cont...

Pulse ID: 69e389bd5760ef67b7f37472
Pulse Link: https://otx.alienvault.com/pulse/69e389bd5760ef67b7f37472
Pulse Author: AlienVault
Created: 2026-04-18 13:40:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Amazon #Arabic #CDN #Cloud #CyberSecurity #EDR #Government #InfoSec #MiddleEast #NET #OTX #OpenThreatExchange #Phishing #Proxy #RAT #Rust #SMS #SpearPhishing #bot #AlienVault

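The AppDomainManager abuse in the pulse above works because a .NET Framework host reads `<exe name>.exe.config` (or the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables) and loads the named assembly and type before the program's own entry point runs, so a signed vendor utility ends up executing an unsigned DLL placed beside it. The scanner below is an added example, not PhantomCLR tooling or an Intel component: the file paths, the `UpdateHelper` assembly and type names, and the config contents are constructed, and only the `appDomainManagerAssembly` / `appDomainManagerType` runtime elements and the two environment variables are real.

```python
"""Flag .NET AppDomainManager hijack configs and the environment-variable variant.
Added example; file names, assembly/type names and contents are constructed."""
import xml.etree.ElementTree as ET

RUNTIME_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")
ENV_KEYS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def read_manager(config_xml):
    """Return {'assembly', 'type'} if <runtime> names an AppDomainManager, else None."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    found = {}
    for key in RUNTIME_KEYS:
        el = runtime.find(key)
        if el is not None:
            found[key] = el.get("value")
    if not found:
        return None
    return {"assembly": found.get("appDomainManagerAssembly"),
            "type": found.get("appDomainManagerType")}


def hunt_configs(files, env=None):
    """files: {path: xml_text} for *.exe.config files found next to executables.
    env: a process environment (dict) to check for the variable-based variant."""
    findings = []
    for path, xml in files.items():
        mgr = read_manager(xml)
        if not mgr:
            continue
        file_name = path.replace("\\", "/").rsplit("/", 1)[-1]
        host = file_name[: -len(".config")] if file_name.endswith(".config") else file_name
        assembly = mgr["assembly"] or ""
        asm_name = assembly.split(",")[0].strip()
        findings.append({
            "path": path,
            "host": host,                       # the signed EXE that will load the manager
            "assembly": asm_name,
            "type": mgr["type"],
            # PublicKeyToken=null means the assembly is not strong-named: a strong hint
            # that this is not a vendor-shipped manager.
            "unsigned": "publickeytoken=null" in assembly.lower(),
            # The CLR probes the host's directory for <assembly name>.dll.
            "sideloaded_dll": f"{asm_name}.dll",
        })
    if env and any(env.get(k) for k in ENV_KEYS):
        findings.append({
            "path": "<environment>", "host": None,
            "assembly": env.get("APPDOMAIN_MANAGER_ASM"),
            "type": env.get("APPDOMAIN_MANAGER_TYPE"),
            "unsigned": None, "sideloaded_dll": None,
        })
    return findings


# Constructed config that hijacks whichever EXE it sits beside.
MALICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Entry" />
  </runtime>
</configuration>"""

# Constructed benign config: only pins the runtime version.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

SAMPLE_FILES = {
    r"C:\Users\victim\Downloads\IntelTool.exe.config": MALICIOUS_CONFIG,
    r"C:\Program Files\Vendor\App.exe.config": BENIGN_CONFIG,
}
SAMPLE_ENV = {"APPDOMAIN_MANAGER_ASM": "UpdateHelper", "APPDOMAIN_MANAGER_TYPE": "UpdateHelper.Entry"}

if __name__ == "__main__":
    for f in hunt_configs(SAMPLE_FILES, SAMPLE_ENV):
        print(f)
```

When a hit comes back, the host EXE's signature will verify cleanly, so the evidence to collect is the `.exe.config` and the sideloaded DLL themselves: their creation times relative to the EXE, and whether the DLL is strong-named or signed at all.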

Tracking MiniDionis: CozyCar's New Ride Is Related to Seaduke

A new campaign attributed to CozyDuke threat actors has been identified, utilizing malware called MiniDionis that appears related to Seaduke. The campaign began on July 7, 2015, targeting government organizations and think-tanks in democratic countries through spear phishing emails containing malicious links or attachments. The attack chain involves multi-stage droppers that deliver decoy media files while executing malicious payloads in the background. MiniDionis uses compromised legitimate websites for command and control, employs JSON-based configuration, and communicates over HTTPS using RC4 and AES encryption. The malware includes comprehensive command capabilities for system reconnaissance, file operations, and remote execution. The attackers demonstrate sophisticated techniques including manual HTTP redirection handling and cleanup mechanisms to evade forensic analysis.

Pulse ID: 69dcac5193a4767db4efdb48
Pulse Link: https://otx.alienvault.com/pulse/69dcac5193a4767db4efdb48
Pulse Author: AlienVault
Created: 2026-04-13 08:41:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #Encryption #Government #HTTP #HTTPS #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #SMS #SpearPhishing #UK #bot #AlienVault


⚡ Fresh Talk Alert for BSides Luxembourg 2026!

🎣🧠 SPOT - SPEAR-PHISHING OVERWATCHING TOOL – @paulinebourmeau (Cookie), Thibaut Diels, Mathieu Fourcroy, William Robinet (@wr) 🔍📧

Mass phishing is easy to detect. Targeted spear-phishing? That’s where things get dangerous.

SPOT takes on this challenge by combining NLP, machine learning, and LLMs to detect highly targeted phishing attempts that exploit real organizational context. Instead of relying only on shared IOCs, this approach focuses on how attackers craft believable, personalized lures—making detection smarter and more adaptive.

Developed as part of Luxembourg’s LU-CID initiative, this open-source project showcases how AI can be used to fight back against increasingly sophisticated social engineering attacks.

Pauline Bourmeau (Cookie) is an independent security researcher working at the intersection of AI, cognitive psychology, and threat intelligence. Founder of DEFCON Paris and contributor to MISP, she has led NLP and deep learning initiatives and previously worked as a Threat Intelligence Analyst focusing on OSINT, HUMINT, and SOCINT.

Mathieu Fourcroy is a tech nerd and gamer, living in the past (on purpose). He is the main developer behind the SPOT project. He works as a dev engineer at Conostix S.A.

Thibaut Diels is a Systems/Infrastructure Developer at Conostix S.A. by day and Game Developer by night, with interests spanning Linux customization, gaming, and creative tech.

William Robinet manages the technical team at Conostix S.A. in Luxembourg and brings over 25 years of experience in cybersecurity using open-source technologies. He has presented at conferences like Nullcon and Hack.lu and contributes to tooling and research in areas like SSL/TLS and emerging ML systems.

📱 Want to easily navigate all talks, villages, and stages?
Check out the official schedule on Hacker Tracker: https://hackertracker.app/schedule?conf=BSIDESLUX2026

📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets
📅 Schedule Link: https://pretalx.com/bsidesluxembourg-2026/schedule/

#BSidesLuxembourg2026 #Phishing #SpearPhishing #ThreatIntelligence #OSINT #NLP #MachineLearning #CyberSecurity

Data breaches: the digital divide widens

Data breaches are no longer isolated accidents. They are multiplying, affecting ever more varied sectors, and establishing the idea that vulnerability has become ordinary.
Public services, leisure, sport, culture... No digital space seems to be spared any more.
With each incident, personal information circulates, is exposed, and is sometimes sold. Behind the repetition of these affairs, the same question remains: have we really taken the measure of the fragility of our digital environments?
Because these repeated breaches reveal a deeper fault line than it appears.

https://librexpression.fr/les-nouvelles-lignes-de-faille-du-numerique-2-4

(Credits: Rendan Catipay/Pexels)

#Chine #Cyberattack #Databreaches #France #informatique #Librexpression #Phishing #RansomHouse #ransomware #Russie #spearphishing #supplychain #threats #UNC1069 #USA #warfare

LucidRook Malware Targets NGOs, Universities in Taiwan

A sneaky new malware called LucidRook has set its sights on non-governmental organizations and universities in Taiwan, using spear-phishing to catch its victims off guard. This Lua-based threat is the latest cyber attacker to target these vulnerable sectors.

https://osintsights.com/lucidrook-malware-targets-ngos-universities-in-taiwan?utm_source=mastodon&utm_medium=social

#LucidrookMalware #Spearphishing #Ngos #Universities #Taiwan


Lua-based LucidRook Malware Targets Taiwanese Organizations

A new Lua-based malware called “LucidRook” has been identified conducting a spear-phishing campaign against Taiwanese non-governmental organisations and universities, using phishing emails that deploy malicious LNK or EXE files.

Pulse ID: 69d7ff9f101a0ff82412d8ab
Pulse Link: https://otx.alienvault.com/pulse/69d7ff9f101a0ff82412d8ab
Pulse Author: cryptocti
Created: 2026-04-09 19:35:59

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #Government #InfoSec #LNK #LUA #Malware #OTX #OpenThreatExchange #Phishing #SpearPhishing #bot #cryptocti
