Threat Actors Are Targeting the US Tax Season with New Stealerium Infostealer Tactics

Cybercriminals are exploiting the US tax season to deploy Stealerium malware, targeting citizens through sophisticated phishing campaigns. The attack utilizes deceptive email attachments with malicious LNK files, leading to the execution of PowerShell scripts and the download of a PyInstaller-packaged executable. This payload injects into mstsc.exe and deploys Stealerium, an information-stealing malware that exfiltrates sensitive data from browsers, cryptocurrency wallets, and popular applications. The malware employs anti-analysis techniques, creates a hidden directory, and registers with a command and control server. It steals credentials from various sources, including browsers, gaming platforms, and messaging apps, while also capturing webcam images and Wi-Fi passwords.

Pulse ID: 68125c60e131717220211bb5
Pulse Link: https://otx.alienvault.com/pulse/68125c60e131717220211bb5
Pulse Author: AlienVault
Created: 2025-04-30 17:22:40

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #Email #ICS #InfoSec #InfoStealer #LNK #Malware #OTX #OpenThreatExchange #Password #Passwords #Phishing #PowerShell #RAT #RCE #Word #bot #cryptocurrency #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams

This intelligence report analyzes common tactics, techniques, and procedures (TTPs) used by threat actors in investment scams, focusing in particular on the abuse of DNS mechanisms. The actors often use registered domain generation algorithms (RDGAs) to create large numbers of domains, embed similar web forms to collect user data, hide activity behind traffic distribution systems (TDS), and leverage fake news articles with celebrity endorsements. The report details two specific actors, Reckless Rabbit and Ruthless Rabbit, examining their distinct RDGA patterns and campaign strategies. It highlights the importance of DNS in detecting and blocking these scams at scale, since the actors rely on DNS to build and maintain their infrastructure.

Pulse ID: 68114334e4803d326e4dd5fd
Pulse Link: https://otx.alienvault.com/pulse/68114334e4803d326e4dd5fd
Pulse Author: AlienVault
Created: 2025-04-29 21:23:00

#CyberSecurity #DNS #ICS #InfoSec #OTX #OpenThreatExchange #RAT #SMS #bot #AlienVault


Smishing Attacks Rise: How to Spot and Stop SMS Phishing

SMS-based phishing attacks, known as smishing, are on the rise, targeting businesses with sophisticated social engineering tactics. These attacks often begin with urgent text messages containing disguised links that redirect victims to fake login pages. Attackers exploit human emotions and create a false sense of security by using legitimate domains, such as Google, as redirect intermediaries. The process typically involves a deceptive SMS, followed by redirects to a phishing page impersonating a trusted platform such as ServiceNow. Victims are then prompted to enter login credentials and complete a fake multifactor authentication step, potentially leading to unauthorized access and data breaches. The report emphasizes the importance of employee education and vigilance in recognizing and preventing these evolving threats.

Pulse ID: 680fac68ed0e03b794f6de39
Pulse Link: https://otx.alienvault.com/pulse/680fac68ed0e03b794f6de39
Pulse Author: AlienVault
Created: 2025-04-28 16:27:20

#CyberSecurity #DataBreach #Education #Google #ICS #InfoSec #MultiFactorAuthentication #OTX #OpenThreatExchange #Phishing #Rust #SMS #Smishing #SocialEngineering #bot #AlienVault

El lado del mal - Could the Spanish Power Blackout Have Been a Cyberattack? https://www.elladodelmal.com/2025/04/podria-ser-el-apagon-electrico-de.html #ciberataque #apagonespana #electricidad #ICS #SmartCities

Personal blog of Chema Alonso (CDO Telefónica, 0xWord, MyPublicInbox, Singularity Hackers) on security, hacking, hackers and Cálico Electrónico.

The Return of Pharmacy-Themed Spam

Pharmaceutical-themed spam campaigns continue to target individuals and organizations, particularly in the healthcare and pharmaceutical sectors. Recent observations reveal a bulk spam campaign using spoofed identities and compromised infrastructure to send deceptive emails. The attackers employ tactics such as domain spoofing, DKIM signature manipulation, and the use of compromised servers running malicious PHP scripts. The emails contain links that redirect users to fraudulent websites posing as legitimate Canadian pharmacies, often including a fake security verification step. These campaigns aim to trick recipients into revealing sensitive information or potentially installing malware. The persistence of pharmacy-themed spam highlights the need for continued vigilance and awareness of common scam tactics.

Pulse ID: 680cb26edefa55cafa886d51
Pulse Link: https://otx.alienvault.com/pulse/680cb26edefa55cafa886d51
Pulse Author: AlienVault
Created: 2025-04-26 10:16:14

#Canadian #CyberSecurity #Email #Healthcare #ICS #InfoSec #Mac #Malware #OTX #OpenThreatExchange #PHP #Pharmacy #Spam #bot #AlienVault


Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations

North Korean cybercrime activities rely heavily on Russian IP ranges in Khasan and Khabarovsk, routed through extensive anonymization networks. The Void Dokkaebi group, linked to North Korea, uses fictitious companies such as BlockNovas to target IT professionals through fraudulent job interviews, aiming to steal cryptocurrency and potentially conduct espionage. Its tradecraft involves VPNs, proxies, and RDP connections to obscure the operators' origins. Instruction videos suggest the involvement of less-skilled foreign conspirators. The primary focus remains cryptocurrency theft, but there is potential for expanded espionage activity and possible cooperation between North Korean and Russian entities.

Pulse ID: 680a7c9533e918e31ba0c246
Pulse Link: https://otx.alienvault.com/pulse/680a7c9533e918e31ba0c246
Pulse Author: AlienVault
Created: 2025-04-24 18:01:56

#CyberCrime #CyberSecurity #Espionage #ICS #InfoSec #Korea #NorthKorea #OTX #OpenThreatExchange #RAT #RDP #Russia #VPN #bot #cryptocurrency #AlienVault


Threat Infrastructure Uncovered Before Activation

Between November 2024 and April 2025, a set of domains and servers impersonating an Iraqi academic organization and fictitious UK tech firms was tracked. Although dormant, the infrastructure exhibited characteristics consistent with APT34 (OilRig), including shared SSH keys, similarly structured websites, and decoy HTTP behavior on M247-hosted servers. Key observations include the use of port 8080 for fake 404 responses, consistent SSH fingerprint reuse, and domains registered through P.D.R. Solutions with regway.com nameservers. The setup suggests deliberate pre-operational staging, giving defenders an early-warning opportunity. Detection strategies include monitoring SSH fingerprints, HTTP response patterns, and domain registration behavior.

Pulse ID: 68082a17ee5771aa012e93c3
Pulse Link: https://otx.alienvault.com/pulse/68082a17ee5771aa012e93c3
Pulse Author: AlienVault
Created: 2025-04-22 23:45:27

#APT34 #CyberSecurity #HTTP #ICS #InfoSec #OTX #OilRig #OpenThreatExchange #RAT #SSH #UK #bot #AlienVault


Sophisticated backdoor mimicking secure networking software updates

A sophisticated backdoor targeting Russian organizations in the government, finance, and industrial sectors was discovered masquerading as updates for ViPNet secure networking software. The malware, distributed in LZH archives, uses a path substitution technique to execute a malicious loader that deploys a versatile backdoor. This backdoor can connect to a C2 server, steal files, and launch additional malicious components. The attack illustrates the increasing complexity of APT tradecraft and underscores the need for multi-layered defenses against such threats.

Pulse ID: 6807d9bd776ee82a5a8a7112
Pulse Link: https://otx.alienvault.com/pulse/6807d9bd776ee82a5a8a7112
Pulse Author: AlienVault
Created: 2025-04-22 18:02:37

#BackDoor #CyberSecurity #Government #ICS #InfoSec #Malware #Mimic #OTX #OpenThreatExchange #Russia #bot #AlienVault


The "free money" trap: How scammers exploit financial anxiety

This analysis explores how scammers capitalize on financial stress by promising "free money" through fake subsidy programs, government grants, or relief cards. Common tactics include urgency, exclusivity, and fabricated social proof to manipulate victims. Scammers employ techniques such as phishing, impersonation, fake customer support, QR code scams, and malware-laden attachments to collect personal data for identity theft or follow-on scams. The article lists red flags to watch for, including vague claims, missing contact information, and unrealistic promises. To protect against these scams, individuals should verify sources, avoid sharing personal information on unverified websites, report suspicious sites, and educate others about these fraudulent schemes.

Pulse ID: 6802cb9dcd152b0f855adc5b
Pulse Link: https://otx.alienvault.com/pulse/6802cb9dcd152b0f855adc5b
Pulse Author: AlienVault
Created: 2025-04-18 22:01:01

#CyberSecurity #Government #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RCE #bot #AlienVault


Two sides of the same coin

This intelligence report analyzes the similarities between two previously separate APT groups, Team46 and TaxOff, and concludes they are likely the same entity. The analysis covers their shared tactics, techniques, and procedures, including similar PowerShell commands, loader functionality, and infrastructure patterns. Key findings include the use of zero-day exploits, complex malware development, and long-term persistence strategies. The report details the groups' use of multi-layered encryption in their loaders, custom obfuscation techniques, and malware tools such as the Trinper backdoor and Cobalt Strike. The combined group, now tracked as Team46, demonstrates sophisticated capabilities in targeted attacks against well-protected infrastructure.

Pulse ID: 6802c8019d40fa74671e9c6c
Pulse Link: https://otx.alienvault.com/pulse/6802c8019d40fa74671e9c6c
Pulse Author: AlienVault
Created: 2025-04-18 21:45:37

#BackDoor #CobaltStrike #CyberSecurity #Encryption #ICS #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #RAT #ZeroDay #bot #AlienVault
