Pro-Iranian Nasir Security is Targeting The Energy Sector in the Middle East

A new cybercriminal group, Nasir Security, believed to be associated with Iran, is targeting energy organizations in the Middle East. They focus on attacking supply chain vendors involved in engineering, safety, and construction. The group emerged in October 2025 and has claimed attacks on various energy sector companies, including Dubai Petroleum, CC Energy Development, and Al-Safi Oil Company. However, their claims are likely exaggerated, and the actual breaches appear to be of third-party contractors. The group's tactics include business email compromise, spear phishing, and exploiting public-facing applications. Their activities are seen as part of a broader Iranian strategy to conduct cyberattacks and spread misinformation during ongoing geopolitical conflicts.

Pulse ID: 69c18827a9d99fd60dad6b8c
Pulse Link: https://otx.alienvault.com/pulse/69c18827a9d99fd60dad6b8c
Pulse Author: AlienVault
Created: 2026-03-23 18:36:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberAttack #CyberAttacks #CyberSecurity #Email #ICS #InfoSec #Iran #MiddleEast #OTX #OpenThreatExchange #Phishing #RAT #SpearPhishing #SupplyChain #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer

The GhostClaw malware campaign has expanded its distribution methods beyond npm packages to include GitHub repositories and AI-assisted development workflows. The attackers impersonate legitimate tools and utilize multi-stage payloads to steal credentials and retrieve additional malicious code. The infection chain involves executing shell commands, presenting fake authentication prompts, and establishing persistence. The campaign leverages both manual installation through README instructions and automated AI-assisted workflows. Multiple GitHub repositories have been identified, all communicating with a common command-and-control infrastructure. This shift in tactics allows the attackers to target a broader range of victims, including developers and users of AI-assisted coding tools.

Pulse ID: 69c10792a24c3b8eec93ad9c
Pulse Link: https://otx.alienvault.com/pulse/69c10792a24c3b8eec93ad9c
Pulse Author: AlienVault
Created: 2026-03-23 09:27:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #GitHub #ICS #InfoSec #InfoStealer #Mac #MacOS #Malware #NPM #OTX #OpenThreatExchange #bot #developers #AlienVault

WAGO 852-1812 switch hit with CRITICAL CVE-2026-3587 (CVSS 10.0): hidden CLI lets remote attackers gain root with no auth. No patch yet. Isolate, restrict access, & monitor closely. https://radar.offseq.com/threat/cve-2026-3587-cwe-912-hidden-functionality-in-wago-a4c55a72 #OffSeq #ICS #Infosec #Vulnerability

MacSync Stealer Campaign Exploiting SEO Poisoning and ClickFix Tactics

Pulse ID: 69c0f421289bb224d216ece3
Pulse Link: https://otx.alienvault.com/pulse/69c0f421289bb224d216ece3
Pulse Author: cryptocti
Created: 2026-03-23 08:04:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #Mac #OTX #OpenThreatExchange #SEOPoisoning #bot #cryptocti

CVE-2026-24060 (CRITICAL): WebCTRL Premium Server sends BACnet data in cleartext, risking interception & modification. No patch yet — segment OT networks & use VPNs for BACnet traffic. Monitor for sniffing, restrict access. Details: https://radar.offseq.com/threat/cve-2026-24060-cwe-319-in-automated-logic-webctrl--ad487a9d #OffSeq #ICS #Vuln #BACnet

I just realized that so many people in the company simply don’t understand, or don’t want to understand, the Purdue Model!

The Purdue Model is a functional model. Its origins have nothing to do with cybersecurity. It was adopted for cybersecurity, but not as a “zone” model. Its purpose is to define the functional layers at which different methods and tools are used. You don’t simply use typical IT tools at the lower levels!

The DMZ was added much later, as the model evolved into a cybersecurity model. “Additional segmentation can be performed using the concept of zones and conduits described in ISA 62443.” The layers are not intended to define a zone per se. Anyone who does not divide the layers into discrete security zones based on an analysis should not even attempt to work in this (OT) area!

Furthermore, individuals have the flexibility to design their own separation, segmentation, and zone configuration within each architecture, taking into account specific functional and application-related requirements. This approach enables the creation of a robust defense in depth, with the Purdue model serving as a guide while allowing for customization as needed, without rigid requirements.

I will not show these guys how the ISA 62443 and the Purdue model match, because I expect that experts can do it, and those who can't have to learn.

#OTSecurity #Cybersecurity #ICS #Purdue

Threat Spotlight: ShinyHunters Fast-Tracks SaaS Access with Subdomain Impersonation

The threat group ShinyHunters has adopted a new tactic of subdomain impersonation for initial access, moving away from newly registered lookalike domains. They are utilizing mobile-first lures and outsourcing spam services to scale their operations. The group is likely reusing previously stolen CRM and ERP data to drive social engineering attacks. Their approach involves phone-guided adversary-in-the-middle phishing to capture credentials and authenticated sessions. ShinyHunters is also scaling vishing operations through paid contractors and specialized harassment services. This evolution in tactics allows for rapid identity-to-SaaS compromise without deploying malware, making traditional domain-based monitoring less effective.

Pulse ID: 69bc06c6867cdad6f8a94d99
Pulse Link: https://otx.alienvault.com/pulse/69bc06c6867cdad6f8a94d99
Pulse Author: AlienVault
Created: 2026-03-19 14:23:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AdversaryInTheMiddle #CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #SocialEngineering #Spam #bot #AlienVault


When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures

During tax season, threat actors exploit the urgency of time-sensitive tax-related emails to trick targets into opening malicious attachments, scanning QR codes, or following link chains. Recent campaigns identified by Microsoft Threat Intelligence use lures around W-2 forms, tax forms, and impersonation of government tax agencies and financial institutions. These campaigns aim to harvest credentials or deliver malware, often using phishing-as-a-service platforms for convincing credential theft and MFA bypass. Notable tactics include using legitimate remote monitoring tools, targeting specific industries and roles like accountants, and employing sophisticated social engineering techniques. The campaigns leverage various file formats, legitimate infrastructure, and multiple user interactions to complicate detection.

Pulse ID: 69bc161bd79aba8d7aaa1eed
Pulse Link: https://otx.alienvault.com/pulse/69bc161bd79aba8d7aaa1eed
Pulse Author: AlienVault
Created: 2026-03-19 15:28:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberAttack #CyberSecurity #Email #Government #ICS #InfoSec #MFA #Malware #Microsoft #OTX #OpenThreatExchange #Phishing #RAT #SocialEngineering #bot #AlienVault


An Overview of The Gentlemen's TTPs

This intelligence report provides a comprehensive analysis of The Gentlemen, a ransomware group known for its sophisticated tactics, techniques, and procedures (TTPs). The group exploits vulnerabilities in FortiOS/FortiProxy, maintains a database of compromised devices, and employs advanced defense evasion techniques. Their initial access methods include exploiting public-facing applications and brute-force attacks. The Gentlemen utilize various execution, persistence, and privilege escalation techniques, while also focusing on credential access and lateral movement. The group's impact includes data encryption and inhibiting system recovery. The report highlights the group's ongoing efforts to improve their ransomware capabilities by reverse-engineering other malware samples.

Pulse ID: 69bd045137b178c16714dcf6
Pulse Link: https://otx.alienvault.com/pulse/69bd045137b178c16714dcf6
Pulse Author: AlienVault
Created: 2026-03-20 08:24:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Encryption #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Proxy #RCE #RansomWare #bot #iOS #AlienVault


Thanks to @PeskyPotato, #icalendar now has its first #tutorial!

🎉

Learn about how to create a #calendar #event, invite attendees and save it in an #ics file here:

https://icalendar.readthedocs.io/en/latest/tutorials/create-event-with-attendees.html

#rfc5545 #Python

Create event with attendees — icalendar 7.0.4.dev138 documentation