Sekoia.io @sekoia.io
430 followers 38 following 92 posts
A #SOCplatform boosted by #AI and #threatintelligence, combining #SIEM, #SOAR, #Automation in a single solution. Used by End-users, MSSP and APIs
#TDR analysts dig into a modus operandi targeting the hospitality industry and the related cybercrime ecosystem that facilitates #phishing and #fraud campaigns.

blog.sekoia.io/phishing-cam...

Attackers target hotel establishments to harvest credentials that grant access to booking platforms.

Those credentials are used to launch personalised fraud campaigns against hotel guests, impersonating billing services and tricking them into paying twice for their reservation.

In this report, we analysed a widespread, persistent campaign distributing the PureRAT malware via the #ClickFix social engineering tactic and emails impersonating Booking[.]com.

We also detailed the fraud scheme targeting hotel customers.

Our blog post provides an overview of the services facilitating this modus operandi and the market for infostealer logs tied to booking platforms, including underground activities around Booking[.]com data on Russian-speaking cybercrime forums.
Discover how #TransparentTribe (#APT36) uses a disguised DESKTOP dropper to deploy #DeskRAT, a Golang RAT, on BOSS Linux endpoints in India.

Our Sekoia #TDR report breaks down the full infection chain and stealthy WebSocket C2 communications.

Read more 👉 blog.sekoia.io/transparentt...
Our latest technical deep-dive unravels the mystery behind the opaque numeric codes (16, 272, 33554432, etc.) you see in #Microsoft365 audit logs.

blog.sekoia.io/userauthenti...

By correlating #Office365 events with Entra ID sign-in logs, we’ve mapped each bit in the UserAuthenticationMethod field to its corresponding authentication factor: Password Hash Sync, Windows Hello for Business, Passkeys, SMS sign-in, and more.
After our initial #PolarEdge #botnet write-up, we’re happy to announce the second part: “Defrosting PolarEdge’s Backdoor,” a full technical deep-dive into its TLS-based implant.

blog.sekoia.io/polaredge-ba...

🔙 In early 2025, we discovered the PolarEdge botnet through our honeypots.

🎯 This botnet has been active since at least November 2023 and exploits multiple vulnerabilities across a wide range of edge devices, notably Asus, QNAP, and Synology.

🐻❄️ These exploitations led to the deployment of an undocumented TLS backdoor we dubbed the “PolarEdge Backdoor.”

🔬 This follow-up provides a detailed analysis of the backdoor, including the anti-analysis techniques it employs.
Reposted by Sekoia.io
I am looking for a Threat Researcher for the TDR team at @sekoia.io!

Do you enjoy writing #Sigma and #Yara rules? Do you love pivoting on and tracking cybercriminals’ attack infrastructure (C2)?

Then this job offer is made for you!

www.welcometothejungle.com/en/companies...
Technical Threat Researcher – Sekoia.io – Permanent contract – Fully-remote
Sekoia.io is looking for a Technical Threat Researcher!
📱 Silent Smishing: The Hidden Abuse of Cellular Router APIs

Our latest #CTI investigation from Sekoia #TDR team uncovers a novel #smishing vector abusing Milesight industrial cellular router APIs to send phishing #SMS at scale.

blog.sekoia.io/silent-smish...

Key takeaways:

✉️ API exploitation: attackers leverage an exposed /cgi endpoint to push malicious SMS without authentication

🌐 Scale of exposure: over 18,000 routers accessible on the internet; 572 confirmed vulnerable

🇪🇺 Target profiles: campaigns hit Belgian numbers (+32) heavily and also France, Sweden, Italy and beyond

🕸️ Infrastructure insights: tracking domains and IP clusters reveals a persistent, multi-regional smishing operation
Sekoia.io @sekoia.io · Sep 16

🐻 #APT28 – Operation Phantom Net Voxel: deep-dive into the latest spear-phishing campaign targeting Ukrainian military administrative staff.

blog.sekoia.io/apt28-operat...

🇷🇺 The latest report from Sekoia Threat Detection & Research (TDR) team delves into a campaign by #APT28 identified by intelligence services as operated by #GRU. Key takeaways:

📃 APT28 distributed weaponised Office documents masquerading as Ukrainian military admin forms to harvest cyber-military intelligence.

🕷️ Attackers deploy a custom backdoor dubbed BeardShell using a modified Covenant Grunt stager.

🌐 As usual, APT28 uses legitimate third-party services in its execution chain, such as Koofr or icedrive, or more recently Filen.

🎯 The campaign’s goal is to gather cyber intelligence on frontline combatants by targeting administrative and logistics personnel.

🛠️ The infection chain is sophisticated and highly likely to be reused in the coming years thanks to its robust design.

This report complements @_CERT_UA’s findings and arms #SOC teams with fresh #IOCs, #YARA rules and detailed behavioural indicators. We thank our trusted partner for his time and insights into this subject.
[Threat investigation alert 🚨] Predators for Hire: A Global Overview of Commercial Surveillance Vendors

➡️ blog.sekoia.io/predators-fo...

In this report, you’ll discover how spyware vendors deploy:

🛠️ Covert infection techniques & stealthy C2 infrastructures

🎯 0-day exploits and 0-click infection methods to evade defenses

🕵️ A broad range of strategies to continue their activity despite scandals

Key findings & takeaways:

🗺️ Historic approach of CSV development and industrialisation

🎯 Techniques and infection chain process for commercial spyware

🧲 Tactical recommendations for detection, response & policy
Sekoia.io @sekoia.io · Jul 21

Multiple fake employees are now promoting this bogus company on LinkedIn:
- hxxps://www.linkedin.com/in/serhii-s-723b3435b/
- hxxps://www.linkedin.com/in/vitalii-bilousov-141658341/
- hxxps://www.linkedin.com/in/jose-rincon-61a97521/

Also on Telegram:
- hxxps://t.me/waventic

💡 Curious how the full infection chain works? We have broken it all down for you here 😈👇

blog.sekoia.io/clickfake-in...