https://www.youtube.com/watch?v=W7Ci09JTLPg
#UKR


Cybercriminal VPN Dismantled in Crackdown
A coordinated law enforcement operation led by France and the Netherlands has successfully taken down First VPN, a service extensively used by ransomware operators, fraudsters, and data thieves to conceal their criminal activities. The operation, which took place on May 19-20, resulted in the dismantling of 33 servers, the seizure of three domains, and a search of the administrator's house in Ukraine. The VPN service had been advertised on Russian-language cybercrime forums for years, accepting anonymous payments and providing infrastructure specifically designed for illicit use. Investigators gained access to the user database, generating 83 intelligence packages shared internationally, information on 506 users distributed globally, and advancing 21 investigations. The service had appeared in almost every major cybercrime investigation supported by Europol in recent years.
Pulse ID: 6a0f8f33ccaf530ec98bd8ae
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f33ccaf530ec98bd8ae
Pulse Author: AlienVault
Created: 2026-05-21 23:03:15
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberCrime #CyberSecurity #France #InfoSec #LawEnforcement #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Russia #TheNetherlands #UK #Ukr #Ukraine #VPN #bot #AlienVault

Fresh mischief and digital shenanigans
FrostyNeighbor, a cyberespionage group allegedly operating from Belarus and active since at least 2016, continues targeting governmental, military, and key sectors in Eastern Europe, particularly Ukraine, Poland, and Lithuania. Recent activities detected since March 2026 show the group targeting Ukrainian governmental organizations using evolved compromise chains. The attacks utilize spearphishing with malicious PDF lures impersonating legitimate entities, delivering JavaScript variants of the PicassoLoader downloader. The group employs server-side victim validation based on geolocation and fingerprinting before manually delivering Cobalt Strike beacons. FrostyNeighbor demonstrates high operational maturity through diverse delivery mechanisms, exploitation of legitimate services, and regular toolset updates to evade detection, while maintaining focus on credential harvesting and establishing persistent access to compromised systems.
Pulse ID: 6a0e803c81c123ee6cf7066a
Pulse Link: https://otx.alienvault.com/pulse/6a0e803c81c123ee6cf7066a
Pulse Author: AlienVault
Created: 2026-05-21 03:47:08
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Belarus #CobaltStrike #CredentialHarvesting #CyberSecurity #Cyberespionage #EasternEurope #Espionage #Europe #Government #InfoSec #Java #JavaScript #Military #OTX #OpenThreatExchange #PDF #Phishing #Poland #RAT #SMS #SpearPhishing #UK #Ukr #Ukraine #Ukrainian #bot #AlienVault

Tracking TamperedChef Clusters via Certificate and Code Reuse
Multiple threat clusters designated as CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110 have been distributing trojanized productivity software through malicious advertising campaigns since 2023. These applications, including PDF editors, calendars, and compression tools, appear legitimate but contain remote access capabilities enabling deployment of information stealers, proxy tooling, and RATs. The campaigns leverage code-signing certificates, remain dormant for weeks to months before activation, and affect organizations globally with over 4,000 samples identified across 100 variants. CL-CRI-1089 operations utilize Ukrainian, Malaysian, and British infrastructure with 34 unique code-signing entities, while CL-UNK-1090 demonstrates vertical integration between advertising agencies and malware creation using primarily Israeli infrastructure with 39 corporations involved. Distribution occurs through sophisticated malvertising employing professional websites, CDN delivery, and search engine optimization techniques.
Pulse ID: 6a0dae41682ec38e55d1aa12
Pulse Link: https://otx.alienvault.com/pulse/6a0dae41682ec38e55d1aa12
Pulse Author: AlienVault
Created: 2026-05-20 12:51:13
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CDN #CyberSecurity #InfoSec #Israel #Malvertising #Malware #OTX #OpenThreatExchange #PDF #Proxy #RAT #Trojan #UK #Ukr #Ukrainian #bot #AlienVault