marktsec
marktsec.bsky.social
@marktsec.bsky.social
💫Threat Intel💫 Automation💫 Threat Analysis 💫OSINT💫 Testing 💫Network Security💫

https://github.com/marktsec
PowerShell 5.1: Preventing script execution from web content.
Windows PowerShell 5.1 now displays a security confirmation prompt when using the Invoke-WebRequest command to fetch web pages without special parameters.
support.microsoft.com/en-us/topic/...
PowerShell 5.1: Preventing script execution from web content - Microsoft Support
support.microsoft.com
December 15, 2025 at 10:50 AM
Thousands of Exposed Secrets Found on Docker Hub, Putting Organizations at Risk
flare.io/learn/resour...
Thousands of Exposed Secrets Found on Docker Hub - Flare
In a month, we found Docker Hub images that contained leaked secrets (including live credentials to production systems) from over 100 companies.
flare.io
December 12, 2025 at 8:17 PM
Ransomware group posts a “shutdown” notice, claiming they’ve gone silent since a recent event and now plan to disappear from forums. They offer free decryption only to hospitals & schools.
December 10, 2025 at 7:04 PM
Compromising Developers with Malicious Extensions - VS Code, Cursor AI, and the Backdoor You Didn't See Coming
mazinahmed.net/blog/publish...
mazinahmed.net
December 10, 2025 at 6:53 AM
🚨 Nova Ransomware Update:
Nova operators announced a locker rewritten in Ada/SPARK and targeting Windows, Linux, and ESXi.
The group boasts Rust-like techniques, enhanced evasion, and even a so-called “safe mode.”
#ThreatIntel #Ransomware #MalwareAnalysis
December 8, 2025 at 6:09 PM
CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far
www.greynoise.io/blog/cve-202...
GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) “Flight” protocol RCE—often referred to publicly as...
www.greynoise.io
December 7, 2025 at 5:56 AM
Living Off the Land: Windows Post-Exploitation Without Tools
xbz0n.sh/blog/living-...
I'll never forget one of my first red team engagements where I learned this lesson the hard way. I'd spent two days carefully phishing my way into a financia...
xbz0n.sh
December 6, 2025 at 9:45 AM
🚨 Update for Stealc v2.9.0:
• Steam token collection restored, now pulled directly from local files (no process injection), enabling multi-account token harvesting.
• New data targets: Perplexity “Comet” browser & IndexedDB for all MetaMask versions.
#infosec #threatintel
December 6, 2025 at 9:02 AM
Hide the threat – GPO lateral movement
www.intrinsec.com/hide-the-thr...
Learn how to perform and understand lateral movement through the GPO mechanism during pentest and red team assessments.
www.intrinsec.com
November 28, 2025 at 10:31 AM
You’re invited: Four phishing lures in campaigns dropping RMM tools
redcanary.com/blog/threat-...
You’re invited: Four phishing lures in campaigns dropping RMM tools | Red Canary
Joint research from Red Canary Intelligence and Zscaler threat hunters spotlights phishing campaigns dropping RMM tools
redcanary.com
November 28, 2025 at 7:36 AM
Inside DPRK’s Fake Job Platform Targeting U.S. AI Talent
www.validin.com/blog/inside_...
Inside DPRK’s Fake Job Platform Targeting U.S. AI Talent | Validin
www.validin.com
November 26, 2025 at 7:23 AM
APT41 Cyber Attacks: History, Operations, and Full TTP Analysis
www.picussecurity.com/resource/blo...
Discover APT41's campaigns and TTPs. See how Picus helps simulate and defend against APT41 attacks.
www.picussecurity.com
November 25, 2025 at 2:24 PM
Deep scan for bad NPM packages nested across projects - DFIR for Shai-Hulud cyberattack
gist.github.com/alexgreenlan...
[Updated 24 Nov 2025] Deep scan for bad NPM packages nested across projects - DFIR for Shai-Hulud cyberattack, Sep-Nov 2025
[Updated 24 Nov 2025] Deep scan for bad NPM packages nested across projects - DFIR for Shai-Hulud cyberattack, Sep-Nov 2025 - bad-deps.txt
gist.github.com
November 25, 2025 at 11:43 AM
When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb Auth. Bypass CVE-2025-64446)
labs.watchtowr.com/when-the-imp...
The Internet is ablaze, and once again we all have a front-row seat - a bad person, if you can believe it, is doing a bad thing! The first warning of such behaviour came from the great team at Defuse...
labs.watchtowr.com
November 23, 2025 at 9:30 AM
🚨 Stealc v2.8.0 update observed:
• Updated Edge module to extract the new v20 key
• Expanded crypto-wallet targeting (incl. LTC/Dash Core, Trezor Suite, MEW Desktop, AtomicDEX & more)
• Improved C2 marker parsing + performance fixes
#ThreatIntel #InfoSec
November 21, 2025 at 7:50 PM
XFiles Spyware Update
November 20, 2025 at 5:43 AM
License to Encrypt: “The Gentlemen” Make Their Move
www.cybereason.com/blog/the-gen...
In this Threat Analysis Report, Cybereason explores the new ransomware group, "The Gentlemen", and their latest TTPs.
www.cybereason.com
November 18, 2025 at 3:09 PM
Russian alleged cyber-hacker faces extradition to US after arrest in Thailand.
Denis Obrezko is allegedly part of the notorious group Void Blizzard.
edition.cnn.com/2025/11/15/a...
Russian alleged cyber-hacker faces extradition to US after arrest in Thailand | CNN
A Russian man wanted for extradition by the United States over cyber-crime allegations has been arrested on the Thai holiday island of Phuket, local police said Friday.
edition.cnn.com
November 18, 2025 at 5:47 AM
Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery
blog.nviso.eu/2025/11/13/c...
NVISO reports a new development in the Contagious Interview campaign. The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host a…
blog.nviso.eu
November 16, 2025 at 5:26 PM