WorldWatch_OCD

@worldwatch_ocd@infosec.exchange
15 Followers
100 Following
11 Posts

🔎Our CERT is releasing a new technical report on 🇰🇵 Operation #DreamJob, focusing on recent evolution in its tooling.
Following an IR engagement at a large manufacturing client based in 🇪🇺, we investigated artefacts we attribute to #UNC2970.

Our analysis covers updated #BURNBOOK and #MISTPEN variants, which feature slight changes in their main routines and C2 loop.
UNC2970 relied on compromised infrastructure on SharePoint and WordPress, aligning with previous findings.

➡️Full blog: https://ow.ly/V4mr50Xug1l

🎣🧀 Since early September 2025, the Orange Cyberdefense CSIRT and CyberSOC teams have detected phishing campaigns impersonating Meta, AppSheet and PayPal, leading to malware delivery. Our team tracks this activity under the alias "Metappenzeller".

✨ AppSheet is a Google platform that enables no-code development of mobile, tablet, and web applications. KnowBe4, RavenMail, and MalwareHunterTeam have also previously mentioned such campaigns. https://x.com/i/web/status/1965024327268766078 https://ravenmail.io/blog/appsheet-phishing-scam https://blog.knowbe4.com/impersonating-meta-powered-by-appsheet-a-rising-phishing-campaign-exploits-trusted-platforms-to-evade-detection

✉ The campaigns are initiated from the legitimate noreply[@]appsheet.com address and deliver various payloads, with lures targeting corporate sales, marketing, and legal teams. We advise hunting for emails from this sender.

☣ The main lure deploys a full Python environment and runs a Python script to fetch the next stage from a remote C2. Then it opens a decoy file in Word. The C2s are now inactive, but have likewise been tied to the Pure malware family.

🔗 Related IoCs can be found on GitHub:
https://github.com/cert-orangecyberdefense/cti/blob/main/Metappenzeller/20250922-InitialReport.md

#metappenzeller #threatintel #cti

MintsLoader is a JavaScript/PowerShell loader that was first detailed by OCD in 2024.

A new version has been around at least since early-June 2025.

Historically, new MintsLoader JS samples were easy to find because the obfuscation strings consistently used text from the book Andrew Melville by William Morison: https://archive.org/details/cu31924029479098

The associated infrastructure could be tracked thanks to specific patterns and campaign IDs in the C2 URLs.

These detection opportunities were presented during the Botconf 2025: https://www.botconf.eu/wp-content/uploads/formidable/2/BOTCONF2025LT13-Simon-Vernin-Mintsloader.pdf

The new version has removed these notable behaviours and is seen in campaigns with fake invoice lures.

New indicators of compromise (IoCs) are available on our GitHub: https://github.com/cert-orangecyberdefense/cti/blob/main/mintsloader/2025-07-04-IoCs.md

#MintsLoader #threatintel #cti


New Threat Intelligence Research Report: Malicious Campaign Impacting European Organizations 🚨

Orange Cyberdefense CERT just documented a sophisticated campaign distributing Sorillus RAT, likely operated by Brazilian threat actors. This cluster actively targets multiple European countries. The campaign employs invoice-themed phishing emails and leverages legitimate services like OneDrive and Ngrok to evade detection.

Stay informed and protect your organization.
👉 Learn more in our blog: https://www.orangecyberdefense.com/global/blog/cert-news/from-sambaspy-to-sorillus-dancing-through-a-multi-language-phishing-campaign-in-europe

#ThreatIntelligence #Malware #RAT #Phishing #Sorillus #CTI

βœˆπŸ‘¨β€πŸ’» A massive scam campaign impersonating worldwide airline customer service has been running since at least mid-March 2025. Scammers are posting numerous comments or creating various profiles on highly ranked websites with fake customer support numbers to call to book flights.

☎🔎 The goal is likely to get the fake support number to appear in Google's summary answer. This technique is not new and has been documented before.

The creation process appears to be manual, as entries are generally created every minute or so, possibly by copy-pasting, and some profiles contain junk text similar to that generated by sliding fingers across a keyboard.

📖 Dozens of websites are implicated in this scheme, including big ones like AlienVault or GoodReads.

Other abused websites include:
- Tidal: A music streaming platform where messages are displayed in the playlist description.
- Anime-Planet: A platform to share reviews on manga, where messages are pasted in the review section.

Some examples:
AlienVault OTX: https://otx.alienvault.com/user/rizbiliza/pulses
GoodReads: https://www.goodreads.com/quotes/tag/airlines-customer-phone

#cti #threatintel #airline #scam


🆕We publish today the result of a deep-dive investigation into a malicious campaign leveraging #ShadowPad and #PlugX to distribute a previously-undocumented ransomware, dubbed #NailaoLocker.
This campaign targeted 🇪🇺 organizations during S2 2024 and is tied to Chinese TA 🇨🇳.

➡️The full article on the Green Nailao cluster is available here: https://orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors

➡️IOCs and Yara can be found on our GitHub: https://github.com/cert-orangecyberdefense/cti/tree/main/green_nailao

βœˆπŸ‘¨β€πŸ’» A massive scam campaign impersonating worldwide airline customer service has been running since at least mid-March 2025. Scammers are posting numerous comments or creating various profiles on highly ranked websites with fake customer support numbers to call to book flights.

β˜ŽπŸ”Ž The goal is likely to get the fake support number to appear in Google's summary answer. This technique is not new and has been documented before.

The creation process appears to be manual, as entries are generally created every minute or so, possibly by copy-pasting, and some profiles contain junk text similar to that generated by sliding fingers across a keyboard.

πŸ“– Dozens of websites are implicated in this scheme, including big ones like: AlienVault or GoodReads.

Other abused websites include:
- Tidal: A music streaming platform where messages are displayed in the playlist description.
- Anime-Planet: A platform to share reviews on manga, where messages are pasted in the review section.

Some examples:
AienVaultOTX: https://otx.alienvault.com/user/rizbiliza/pulses
GoodReads: https://www.goodreads.com/quotes/tag/airlines-customer-phone

#cti #threatintel #airline #scam

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

πŸ†•We publish today the result of a deep-dive investigation into a malicious campaign leveraging #ShadowPad and #PlugX to distribute a previously-undocumented ransomware, dubbed #NailaoLocker.
This campaign targeted πŸ‡ͺπŸ‡Ί organizations during S2 2024 and is tied to Chinese TA πŸ‡¨πŸ‡³.

➑️The full article on the Green Nailao cluster is available here: https://orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors

➑️IOCs and Yara can be found on our GitHub: https://github.com/cert-orangecyberdefense/cti/tree/main/green_nailao

If you've been watching our research outputs over the last while, you'll have noted that we've been thinking a lot about taxonomies or network diagrams.

Take a look at our Cybercrime Now ecosystem graph, for example:

https://research.orangecyberdefense.com/now/

or explore our interactive report on how China unites state, corporate, and academic assets for cyber offensive campaigns:

https://research.cert.orangecyberdefense.com/hidden-network/map.html

We hope that both these outputs will educate and benefit you in your own work, but they also represent a milestone in our ongoing effort to understand and communicate the environments in which our adversaries, whether state-backed or criminal, operate.

With this in mind, I'm very interested to hear about any other research or outputs that have succeeded in creating or discussing useful taxonomies, ontologies or network graphs of crime or cybercrime ecosystems.

From conversations with the WEF ATLAS team, it's become apparent that we don't have the full view of relevant taxonomies or ontologies that might already be defined for this purpose, or indeed already be "out there" somewhere.

So... if you've seen other work like this somewhere else, or you know of standards for these kinds of taxonomies, or research on how they should be approached, we'd love to hear about it!

#CyberSecurity #CyberCrime #ThreatIntelligence #network
