DomainTools Investigations’ (DTI) latest analysis uncovers a technically sophisticated malware campaign that uses fake CAPTCHAs and spoofed document verification pages (like Docusign) to trick users into self-infecting their machines with the NetSupport RAT.

Key tactics include:

🔹 Clipboard poisoning via fake CAPTCHA pages
🔹 Multi-stage PowerShell downloaders
🔹 Spoofed Gitcodes and Docusign domains
🔹 Infrastructure overlap with known threat groups like SocGholish, FIN7 and STORM-0408

Read the full breakdown including security recommendations here: https://dti.domaintools.com/how-threat-actors-exploit-human-trust/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Prove-You-Are-Human

#ThreatIntelligence #CyberSecurity #SocGholish #Malware

🚨New ransom group blog post!🚨

Group name: incransom
Post title: Sandhills Medical Foundation
Info: https://cti.fyi/groups/incransom.html

#ransomware #cti #threatintelligence #cybersecurity #infosec


Selling your car? Scammers still have it 'VIN' for you!

We've recently seen a large cluster of domains hosting fake Vehicle Identification Number (VIN) lookup sites — and private car sellers are the target.

While this trick isn’t new, it still catches many off guard — especially first-time sellers. Here’s how it usually plays out:

- You list your car on platforms like AutoTrader, Craigslist, or Facebook Marketplace.
- You're contacted by a keen 'buyer', perhaps asking a few questions to build trust.
- The buyer then asks *you* to get a VIN report — but only from a site *they* provide.

Red flag: Legitimate buyers wanting to know a vehicle's history are to be expected - they may ask for the VIN to do this themselves - but insisting on a specific site is a classic scam move.

Here’s what happens next:

- You enter your VIN on the fake site - it teases you with basic info like make and model.
- To get the 'full report' you’re asked to pay $20–$40.
- At best, you're sent to a legitimate payment provider — but the money goes straight to the scammer.
- At worst, you've just entered your card details into a phishing site.

Got your report? Good luck contacting that buyer, they're 'Audi 5000' — long gone. As for the report, it's usually worthless — no odometer readings, no previous owners, no insurance history - and of no value to you or a legit buyer.

Unsurprisingly, 'VIN' features in their devious domain names, and at the time of writing we identified a large cluster using it with U.S. states and locations, for example:

- goldstatevin[.]com
- gulfstatevin[.]com
- kansasvin[.]com
- misissippivin[.]com
- utahvincheck[.]com

These have since gone offline, hopefully for good. They're not alone though; the following domains appear to target sellers in Australia and are currently active:

- proregocheck[.]com
- smartcheckvin[.]com
- smartvincheck[.]com
- vincheckzone[.]com

Tip: If a buyer wants a VIN report, let them sort it out — or use a trusted provider of your own. If they refuse? Tell 'em to hit the road!

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam

🚨New ransom group blog posts!🚨

Group name: ransomblog_noname
Post title: Mulia Raya
Info: https://cti.fyi/groups/ransomblog_noname.html

Group name: blacksuit
Post title: http://metromont.com
Info: https://cti.fyi/groups/blacksuit.html

Group name: blacksuit
Post title: http://www.innsofaurora.com
Info: https://cti.fyi/groups/blacksuit.html

Group name: incransom
Post title: Jordan Drug
Info: https://cti.fyi/groups/incransom.html

Group name: embargo
Post title: M&H Electric Fabricators
Info: https://cti.fyi/groups/embargo.html

Group name: ransomblog_noname
Post title: UnigazJordan
Info: https://cti.fyi/groups/ransomblog_noname.html

Group name: lockbit3
Post title: geruestba
Info: https://cti.fyi/groups/lockbit3.html

Group name: arcusmedia
Post title: Acorn Sales
Info: https://cti.fyi/groups/arcusmedia.html

Group name: arcusmedia
Post title: STANDBYTE
Info: https://cti.fyi/groups/arcusmedia.html

Group name: play
Post title: Anchor Industries
Info: https://cti.fyi/groups/play.html

Group name: play
Post title: Tri-Point Solutions
Info: https://cti.fyi/groups/play.html

Group name: play
Post title: W.E. Bowers
Info: https://cti.fyi/groups/play.html

Group name: incransom
Post title: mysfa.org
Info: https://cti.fyi/groups/incransom.html

Group name: incransom
Post title: sitro.com.au
Info: https://cti.fyi/groups/incransom.html

Group name: flocker
Post title: Trustgrp.ae
Info: https://cti.fyi/groups/flocker.html

Group name: flocker
Post title: Dcsdev.org
Info: https://cti.fyi/groups/flocker.html

Group name: incransom
Post title: Universidad Técnica del Norte Ecuador
Info: https://cti.fyi/groups/incransom.html

Group name: incransom
Post title: valuestoreit
Info: https://cti.fyi/groups/incransom.html

Group name: blacksuit
Post title: http://www.kcac.com
Info: https://cti.fyi/groups/blacksuit.html

Group name: ransomhouse
Post title: Vinda Group
Info: https://cti.fyi/groups/ransomhouse.html

Group name: play
Post title: Capital Trade
Info: https://cti.fyi/groups/play.html

Group name: play
Post title: FLOE Internationa
Info: https://cti.fyi/groups/play.html

Group name: kairos
Post title: Jericho Fire Department
Info: https://cti.fyi/groups/kairos.html

#ransomware #cti #threatintelligence #cybersecurity #infosec


Set up CrowdSec IPDEX on OPNsense to enhance threat detection, response, and intelligence gathering.

Follow this guide by CrowdSec Ambassador Flaviu to start running CrowdSec IPDEX, a simple CLI tool that gathers insights on IP addresses, on @opnsense, the open source FreeBSD-based firewall.

Get started 👉 https://vlaicu.io/posts/crowdsec-ipdex/

#opensource #opensourcesecurity #threatintelligence #firewall #cybersecurity

Microsoft, Google, CrowdStrike, and Palo Alto are launching a public glossary to standardize the names of state-sponsored hacking groups and cybercriminals, aiming to reduce confusion from overlapping aliases and improve threat response. #Cybersecurity #ThreatIntelligence #Microsoft #Google #CrowdStrike #PaloAlto #Infosec

Microsoft and CrowdStrike are merging threat actor names—revealing that Volt Typhoon and VANGUARD PANDA are actually the same. This move could transform how we battle cyber threats. Curious how?

https://thedefendopsdiaries.com/strengthening-cybersecurity-microsoft-and-crowdstrikes-unified-approach/

#cybersecurity
#threatintelligence
#microsoft
#crowdstrike
#cyberdefense

@deepthoughts10 @BleepingComputer Agreed, AVCheck was used by BlackBasta to check their malware creations. Would be awesome to see scanner[.]to taken down soon as well. Lots of malicious binaries and scripts scanned on scanner[.]to in the Basta chat logs. The screenshot is one of their sample's results pages.

#BlackBasta #Ransomware #CTI #threatintelligence

Martyn Williams (Stimson Center’s Korea Program and 38 North) and Nick Roy (Silent Push) presented an interesting talk at THOTCON 0xD on a misconfigured DPRK server and the data they found. Cool to see everything that goes into getting online in DPRK and the tools used to do so. They posted their THOTCON slide deck at silibank.com/thotcon, which Nick apparently purchased after the domain was allowed to expire by DPRK entities.

Their NK Tech Lab site is a new center for investigation and analysis into how North Korea uses technology to serve and suppress its citizens.

Nktechlab.org
Silibank.com/thotcon

#thotcon #dprk #cti #ThreatIntelligence

Eat, Sleep, Scam, Repeat?

Losing your life savings to a crypto scam is devastating — but for many victims, the nightmare doesn’t end there.

While recently investigating a network of fake cryptocurrency exchanges, we uncovered something even more twisted: a cluster of scam websites posing as law firms offering 'crypto recovery' services.

Yep, the very same scammers who stole the funds are now posing as lawyers, pretending to help victims recover what they lost… for a fee, of course.

Preying on victim hope and desperation, these scammers have been known to:

- Contact victims directly using details obtained during the original scam
- Advertise openly on social media
- Lurk in public forums, targeting those seeking help from the community

Using a mix of lookalike sites impersonating legit legal firms and entirely fake entities, often with stolen names and photos of legitimate legal professionals, here are some recent examples of what we've encountered:

- Posing as 'Adam & Shawn Law Group'
  - adamshawnllp[.]com
  - adamshawnlaw[.]com
- Posing as 'Jefferson Caldwell International Law Firm'
  - jeffersoncaldwelllawgroup[.]com
- Posing as 'Schlueter & Associates'
  - schlueterlawfirm[.]it[.]com
- Posing as 'Zojz & Associates Legal Group'
  - zojz[.]com
  - zojz[.]cc

Not only do these domains share registration characteristics with fake crypto exchanges, but we've also observed site structures, content and design elements across fake law firms, crypto exchanges and task scam sites.

Aside from avoiding the initial scams, be cautious of any 'law firm' that:

- Sends unsolicited emails or DMs offering crypto recovery help
- Has a website with no verifiable legal credentials
- Pressures you to pay fees upfront, especially to a third-party entity or via crypto
- Uses vague or generic testimonials

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam