Casting a Wider Net: Scaling Threat

LeakNet, a ransomware operator, has expanded its initial access methods by utilizing ClickFix lures on compromised websites and implementing a new Deno-based, in-memory loader. The group has shifted from relying on initial access brokers to running its own campaigns. LeakNet's post-exploitation playbook remains consistent, involving jli.dll side-loading, PsExec-based lateral movement, and S3 bucket payload staging. The Deno loader executes base64-encoded payloads in memory, making detection challenging for traditional security tools. Defenders are advised to focus on behavioral signals and implement measures such as blocking newly registered domains, restricting Win-R access, and limiting PsExec usage to authorized administrators.

Pulse ID: 69ba8419321e1d3c9be7c4cc
Pulse Link: https://otx.alienvault.com/pulse/69ba8419321e1d3c9be7c4cc
Pulse Author: AlienVault
Created: 2026-03-18 10:53:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #PsExec #RAT #RansomWare #bot #AlienVault

Data Exfiltration and Threat Actor Infrastructure Exposed

Huntress SOC analysts have uncovered sophisticated data exfiltration techniques employed by threat actors. The analysis reveals the use of various tools for data staging, including WinZip, 7Zip, and Windows' native tar.exe. Exfiltration methods observed include the use of finger.exe and backup utilities like restic, BackBlaze, and s5cmd. A specific incident on February 25, 2026, involved INC ransomware deployment, with the threat actor using PSEXEC for privilege escalation and creating a scheduled task to run a malicious PowerShell script. The actor utilized the Restic backup utility, renamed as winupdate.exe, to exfiltrate data. Similar tactics were observed in a previous incident on February 9, suggesting a pattern in the threat actor's methodology.

Pulse ID: 69b3f245c5cf9fd0fee7a16a
Pulse Link: https://otx.alienvault.com/pulse/69b3f245c5cf9fd0fee7a16a
Pulse Author: AlienVault
Created: 2026-03-13 11:17:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#7Zip #CyberSecurity #ICS #InfoSec #OTX #OpenThreatExchange #PowerShell #PsExec #RAT #RansomWare #Windows #ZIP #bot #AlienVault

Nefilim Ransomware

Nefilim ransomware emerged in March 2020, evolving from Nemty's code. It targets vulnerabilities in Citrix gateway devices and uses exposed Remote Desktop Protocol for initial access. The malware exfiltrates sensitive data before encryption and threatens to publish it if ransom isn't paid. Nefilim uses tools like PsExec, Mimikatz, and LaZagne for lateral movement and credential theft. It employs AES-128 encryption and drops a ransom note named 'NEFILIM-DECRYPT.txt'. The ransomware has attacked high-profile targets like Toll Group. Mitigation strategies include strong passwords, disabling RDP, regular backups, software updates, and monitoring for lateral movement and data exfiltration.

Pulse ID: 699dd914e2e8434b78e71749
Pulse Link: https://otx.alienvault.com/pulse/699dd914e2e8434b78e71749
Pulse Author: AlienVault
Created: 2026-02-24 17:00:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Citrix #CyberSecurity #Encryption #InfoSec #Malware #OTX #OpenThreatExchange #Password #Passwords #PsExec #RAT #RDP #RansomWare #Word #bot #AlienVault

Testing SIEM Detections Against Ransomware Using PsExec: https://osintteam.blog/testing-siem-detections-against-ransomware-using-psexec-1963bcb0cf3b

#siem #psexec #ransomware #cybersecurity

Wprowadzenie do Sysinternals – PSTools/PsExec

W pracy z systemami Windows kluczowy jest dostęp do narzędzi umożliwiających zdalną administrację. Choć nowoczesne rozwiązania, takie jak PowerShell Remoting, dobrze spełniają te funkcje, ich wykorzystanie często jest ograniczone przez polityki bezpieczeństwa lub rozwiązania EDR (Endpoint Detection & Response – wykrywanie i reagowanie w punktach końcowych). W takich sytuacjach można...

#Narzędzia #Teksty #Narzędzia #Psexec #Pstools #Sysinternals #Windows

https://sekurak.pl/wprowadzenie-do-sysinternals-pstools-psexec/

#dfir #knowledgedrop

#psexec can be detected by .key files:

"Starting with PsExec v2.30 [...], anytime a PsExec command is executed, a .key file gets written to the file system and will be recorded in the USN Journal on the target system. It will follow this naming convention: PSEXEC-[Source Hostname]-[8 Unique Characters].key and will be located at the C:\Windows directory." [1]

[1] https://aboutdfir.com/the-key-to-identify-psexec/

Pass The Hash? Да легко! + артефакты

🔥 Атака Pass The Hash позволяет злоумышленнику повторно использовать NT хэш для входа систему, избегая ввода пароля и используя протокол NTLM для авторизации, вместо базового Kerberos. Но как она делается и, самое главное, детектится в домене?...

https://habr.com/ru/articles/829972/

#pass_the_hash #pth #domain #active_directory #impacket #psexec

Detecting PSExec Usage https://youtu.be/oVM1nQhDZQc

#Detection #PSExec #BlueTeam #Defense #13cubed

Another week, another newsletter - catch up on the week's infosec news here:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-240423-300423

Researchers have found that nearly two years on, 2 in 3 installs of #Apache #Superset are still using default Flask Secret Keys - a configuration flaw which would allow an attacker to forge session cookies and access said servers with full administrative privileges.

#Kritec is a commodity #skimmer found installed on compromised #Magecart sites, with its code heavily obfuscated and customised to match the site's aesthetic in order to con users out of credit card details.

#FIN7 look to be popping instances of the #Veeam backup software that are unpatched for a recent vulnerability; a revised #ViperSoftX #infostealer now targets #1password and #keepass password vaults, and #TA505 deliver a new infostealer through a #GoogleAds campaign

#LockBit & #CL0P ransomware affiliates have been abusing a month-old vulnerability in the #PaperCut print management software to drop ransomware. With the cat out of the bag, security researchers have decided now is a great time to drop a PoC exploit on Github - I mean, why not let the skiddies get in on the action too, right?

The #blueteam have some great research worth reading on #Smishing via #AWS; detections for #SliverC2 and different implementations of #PsExec, as well as #Sigma integration for #SentinelOne and a #KQL hack for monitoring LOLDrivers.

Have a great week ahead folks, I hope this newsletter proves helpful!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-240423-300423

#infosec #cyber #news #newsletter #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #flask #python #fraud #malvertising #clop #PoC #exploit #securityresearch #LOLBAS #LOLBIN #BYOVD

Well isn't that helpful.

#windows #psexec #ntp #irony