Dominic Chell 👻 (@domchell)'s Twitter Profile
Dominic Chell 👻

@domchell

Just your friendly neighbourhood red teamer @MDSecLabs | Creator of /r/redteamsec | https://t.co/3k3EBAZqGd | https://t.co/KwO2OwDOkl

ID:20015415

Website: https://www.mdsec.co.uk | Joined: 04-02-2009 00:02:39

14,4K Tweets

15,7K Followers

534 Following

Daniel Cuthbert (@dcuthbert)

Sigh, I mean the use of steganography is pretty sweet but the backdooring aspect sucks: blog.phylum.io/malicious-go-b…

Targeting macOS users, and calling ioreg -d2 -c IOPlatformExpertDevice which tells me this is super specific and one wonders exactly what.

ESET Research (@ESETresearch)

#ESETresearch has released its latest APT Activity Report covering October 2023 to March 2024 (Q4 2023 - Q1 2024). During this period, we observed a sharp increase in activity of 🇮🇷 Iran-aligned threat groups, which shifted their focus to more disruptive operations. 1/2

vx-underground (@vxunderground)

Hello,

Exciting news.

In case you missed it, earlier today an individual requested a refund via PayPal for a vx-underground harddrive. They failed to read the e-mails we sent them. The PayPal inquiry hurt our wallet, because we don't have a lot of money.

In an extreme act of

Intel-Ops (@Intel_Ops_io)

🚨Hunting Black Basta's Cobalt Strike🧵

Intel-Ops is actively tracking #CobaltStrike servers in the wild, including those deployed by #BlackBasta. In this post, we’ll cover some findings from our analysis of #C2 servers included in the FBI/CISA advisory.

medium.com/@Intel_Ops/hun…

Stephan Berger (@malmoeb)

In-depth examination of the Sliver C2 framework.

I highly recommend reading this series for every BlueTeamer to understand the internals and building blocks of a (modern) C2 framework.

dominicbreuker.com/post/learning_…

NCSC UK (@NCSC)

Lockbit has been the leading ransomware threat to the UK and globally for nearly two years.

Today’s action will help disrupt the ransom payment model at the core of the operation.

National Crime Agency (NCA) (@NCA_UK)

A leader of what was once the world’s most harmful cyber crime group has been unmasked and sanctioned by the UK, US and Australia, following an NCA-led international disruption campaign.

FBI Europol

Full story ➡️ nationalcrimeagency.gov.uk/news/lockbit-l…

vx-underground (@vxunderground)

Today the United States Department of Treasury announced sanctions against Dmitry Yuryevich Khoroshev a/k/a LockbitSupp, the individual believed to be the leader behind Lockbit ransomware group

home.treasury.gov/news/press-rel…

Dirk-jan (@_dirkjan)

New blog: Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes.
Some tips and tricks on abusing TAPs for Windows Hello persistence and NT hash recovery over Cloud Kerberos Trust. dirkjanm.io/lateral-moveme…

Dominic Chell 👻 (@domchell)

Well my bank holiday weekend was eventful.... response incident drops on Friday and what was originally tagged as a basic cred capture alert, with some digging, turned out to be full domain dominance with dwell time exceeding 9 months 😬 I love supporting our blue functions (it

Simone Kraus (@simonekrausora1)


'APT28: From Initial Damage to Domain Controller Threats in an Hour' is now updated and has some additional sources with the latest IOCs including own research (at the end of the article as threat hunting opportunities).
link.medium.com/xfX7eNU7mJb

vx-underground (@vxunderground)

An unknown Threat Actor(s) claims to have compromised International Baccalaureate Organization (IBO), a nonprofit foundation headquartered in Geneva, Switzerland.

We have briefly reviewed the data and from a high-level overview this breach looks legitimate and like they've got

Brody (@brody_n77)

The following thread is entirely my own thoughts, and while I reference CrowdStrike, this is not reflective of my employer or their policies.

Sorry for the length. (1/21)
