Sekoia.io
@sekoia.io
A #SOCplatform boosted by #AI and #threatintelligence, combining #SIEM, #SOAR, #Automation in a single solution. Used by End-users, MSSP and APIs
In the third part of our series “Advent of Configuration Extraction”, we dissect #SNOWLIGHT, a lightweight ELF downloader designed to retrieve and execute a remote payload on #Linux systems.
buff.ly/Crz8rDh
buff.ly/Crz8rDh
December 15, 2025 at 1:54 PM
In the third part of our series “Advent of Configuration Extraction”, we dissect #SNOWLIGHT, a lightweight ELF downloader designed to retrieve and execute a remote payload on #Linux systems.
buff.ly/Crz8rDh
buff.ly/Crz8rDh
In the second part, we unwrap #QuasarRAT, a popular .NET remote access trojan, and show how to extract its encrypted configuration out of the binary.
buff.ly/agWWCnp
buff.ly/agWWCnp
December 15, 2025 at 1:54 PM
In the second part, we unwrap #QuasarRAT, a popular .NET remote access trojan, and show how to extract its encrypted configuration out of the binary.
buff.ly/agWWCnp
buff.ly/agWWCnp
The first part introduces #Assemblyline, the analysis pipeline used by #TDR and more specifically, the configextractor service.
buff.ly/mpEzALh
buff.ly/mpEzALh
December 15, 2025 at 1:54 PM
The first part introduces #Assemblyline, the analysis pipeline used by #TDR and more specifically, the configextractor service.
buff.ly/mpEzALh
buff.ly/mpEzALh
🎅 Check out the first three episodes of our special Advent of Configuration Extraction
Part 1: buff.ly/mpEzALh
Part 2: buff.ly/agWWCnp
Part3: buff.ly/Crz8rDh
🎄 Last part following Monday! 🎄
Part 1: buff.ly/mpEzALh
Part 2: buff.ly/agWWCnp
Part3: buff.ly/Crz8rDh
🎄 Last part following Monday! 🎄
December 15, 2025 at 1:54 PM
🎅 Check out the first three episodes of our special Advent of Configuration Extraction
Part 1: buff.ly/mpEzALh
Part 2: buff.ly/agWWCnp
Part3: buff.ly/Crz8rDh
🎄 Last part following Monday! 🎄
Part 1: buff.ly/mpEzALh
Part 2: buff.ly/agWWCnp
Part3: buff.ly/Crz8rDh
🎄 Last part following Monday! 🎄
🇷🇺 French NGO Reporters Without Borders targeted by #Calisto in recent campaign
Sekoia #TDR analysed a recent #Calisto (aka #ColdRiver #Star Blizzard) spear-phishing campaign aimed at Reporters sans frontières and other #Ukraine-supporting organisations.
blog.sekoia.io/ngo-reporter...
Sekoia #TDR analysed a recent #Calisto (aka #ColdRiver #Star Blizzard) spear-phishing campaign aimed at Reporters sans frontières and other #Ukraine-supporting organisations.
blog.sekoia.io/ngo-reporter...
December 4, 2025 at 8:26 AM
🇷🇺 French NGO Reporters Without Borders targeted by #Calisto in recent campaign
Sekoia #TDR analysed a recent #Calisto (aka #ColdRiver #Star Blizzard) spear-phishing campaign aimed at Reporters sans frontières and other #Ukraine-supporting organisations.
blog.sekoia.io/ngo-reporter...
Sekoia #TDR analysed a recent #Calisto (aka #ColdRiver #Star Blizzard) spear-phishing campaign aimed at Reporters sans frontières and other #Ukraine-supporting organisations.
blog.sekoia.io/ngo-reporter...
Our blog post provides an overview of the services facilitating this modus operandi and the market for infostealer logs tied to booking platforms, including underground activities around Booking[.]com data on Russian-speaking cybercrime forums.
November 6, 2025 at 10:27 AM
Our blog post provides an overview of the services facilitating this modus operandi and the market for infostealer logs tied to booking platforms, including underground activities around Booking[.]com data on Russian-speaking cybercrime forums.
In this report, we analysed a widespread, persistent campaign distributing the PureRAT malware via the #ClickFix social engineering tactic and emails impersonating Booking[.]com.
We also detailed the fraud scheme targeting hotel customers.
We also detailed the fraud scheme targeting hotel customers.
November 6, 2025 at 10:27 AM
In this report, we analysed a widespread, persistent campaign distributing the PureRAT malware via the #ClickFix social engineering tactic and emails impersonating Booking[.]com.
We also detailed the fraud scheme targeting hotel customers.
We also detailed the fraud scheme targeting hotel customers.
#TDR analysts dig into a modus operandi targeting the hospitality industry and the related cybercrime ecosystem that facilitates #phishing and #fraud campaigns.
blog.sekoia.io/phishing-cam...
blog.sekoia.io/phishing-cam...
November 6, 2025 at 10:27 AM
#TDR analysts dig into a modus operandi targeting the hospitality industry and the related cybercrime ecosystem that facilitates #phishing and #fraud campaigns.
blog.sekoia.io/phishing-cam...
blog.sekoia.io/phishing-cam...
Discover how #TransparentTribe (#APT36) uses a disguised DESKTOP dropper to deploy #DeskRAT, a Golang RAT, on BOSS Linux endpoints in India.
Our Sekoia #TDR report breaks down the full infection chain and stealthy WebSocket C2 communications .
Read more 👉 blog.sekoia.io/transparentt...
Our Sekoia #TDR report breaks down the full infection chain and stealthy WebSocket C2 communications .
Read more 👉 blog.sekoia.io/transparentt...
October 23, 2025 at 7:49 AM
Discover how #TransparentTribe (#APT36) uses a disguised DESKTOP dropper to deploy #DeskRAT, a Golang RAT, on BOSS Linux endpoints in India.
Our Sekoia #TDR report breaks down the full infection chain and stealthy WebSocket C2 communications .
Read more 👉 blog.sekoia.io/transparentt...
Our Sekoia #TDR report breaks down the full infection chain and stealthy WebSocket C2 communications .
Read more 👉 blog.sekoia.io/transparentt...
Our latest technical deep-dive unravels the mystery behind the opaque numeric codes (16, 272, 33554432, etc.) you see in #Microsoft365 audit logs.
blog.sekoia.io/userauthenti...
blog.sekoia.io/userauthenti...
October 21, 2025 at 9:14 AM
Our latest technical deep-dive unravels the mystery behind the opaque numeric codes (16, 272, 33554432, etc.) you see in #Microsoft365 audit logs.
blog.sekoia.io/userauthenti...
blog.sekoia.io/userauthenti...
After our initial #PolarEdge #botnet write-up, we’re happy to announce the second part: “Defrosting PolarEdge’s Backdoor,” a full technical deep-dive into its TLS-based implant.
blog.sekoia.io/polaredge-ba...
blog.sekoia.io/polaredge-ba...
October 14, 2025 at 1:35 PM
After our initial #PolarEdge #botnet write-up, we’re happy to announce the second part: “Defrosting PolarEdge’s Backdoor,” a full technical deep-dive into its TLS-based implant.
blog.sekoia.io/polaredge-ba...
blog.sekoia.io/polaredge-ba...
Key takeaways:
✉️ API exploitation: attackers leverage an exposed /cgi endpoint to push malicious SMS without authentication
🌐 Scale of exposure: over 18,000 routers accessible on the internet; 572 confirmed vulnerable
✉️ API exploitation: attackers leverage an exposed /cgi endpoint to push malicious SMS without authentication
🌐 Scale of exposure: over 18,000 routers accessible on the internet; 572 confirmed vulnerable
October 2, 2025 at 1:56 PM
Key takeaways:
✉️ API exploitation: attackers leverage an exposed /cgi endpoint to push malicious SMS without authentication
🌐 Scale of exposure: over 18,000 routers accessible on the internet; 572 confirmed vulnerable
✉️ API exploitation: attackers leverage an exposed /cgi endpoint to push malicious SMS without authentication
🌐 Scale of exposure: over 18,000 routers accessible on the internet; 572 confirmed vulnerable
📱 Silent Smishing: The Hidden Abuse of Cellular Router APIs
Our latest #CTI investigation from Sekoia #TDR team uncovers a novel #smishing vector abusing Milesight industrial cellular router APIs to send phishing #SMS at scale.
blog.sekoia.io/silent-smish...
Our latest #CTI investigation from Sekoia #TDR team uncovers a novel #smishing vector abusing Milesight industrial cellular router APIs to send phishing #SMS at scale.
blog.sekoia.io/silent-smish...
October 2, 2025 at 1:56 PM
📱 Silent Smishing: The Hidden Abuse of Cellular Router APIs
Our latest #CTI investigation from Sekoia #TDR team uncovers a novel #smishing vector abusing Milesight industrial cellular router APIs to send phishing #SMS at scale.
blog.sekoia.io/silent-smish...
Our latest #CTI investigation from Sekoia #TDR team uncovers a novel #smishing vector abusing Milesight industrial cellular router APIs to send phishing #SMS at scale.
blog.sekoia.io/silent-smish...
🌐 As usual, APT28 uses legitimate third-party services in its execution chain, such as Koofr or icedrive, or more recently Filen.
🎯 The campaign’s goal is to gather cyber intelligence on frontline combatants by targeting administrative and logistics personnel.
🎯 The campaign’s goal is to gather cyber intelligence on frontline combatants by targeting administrative and logistics personnel.
September 16, 2025 at 12:59 PM
🌐 As usual, APT28 uses legitimate third-party services in its execution chain, such as Koofr or icedrive, or more recently Filen.
🎯 The campaign’s goal is to gather cyber intelligence on frontline combatants by targeting administrative and logistics personnel.
🎯 The campaign’s goal is to gather cyber intelligence on frontline combatants by targeting administrative and logistics personnel.
📃 APT28 distributed weaponised Office documents masquerading as Ukrainian military admin forms to harvest cyber-military intelligence.
🕷️ Attackers deploy a custom backdoor dubbed BeardShell using a modified Covenant Grunt stager.
🕷️ Attackers deploy a custom backdoor dubbed BeardShell using a modified Covenant Grunt stager.
September 16, 2025 at 12:59 PM
📃 APT28 distributed weaponised Office documents masquerading as Ukrainian military admin forms to harvest cyber-military intelligence.
🕷️ Attackers deploy a custom backdoor dubbed BeardShell using a modified Covenant Grunt stager.
🕷️ Attackers deploy a custom backdoor dubbed BeardShell using a modified Covenant Grunt stager.
🐻 #APT28 – Operation Phantom Net Voxel: deep-dive into the latest spear-phishing campaign targeting Ukrainian military administrative staff.
blog.sekoia.io/apt28-operat...
blog.sekoia.io/apt28-operat...
September 16, 2025 at 12:59 PM
🐻 #APT28 – Operation Phantom Net Voxel: deep-dive into the latest spear-phishing campaign targeting Ukrainian military administrative staff.
blog.sekoia.io/apt28-operat...
blog.sekoia.io/apt28-operat...
[Threat investigation alert 🚨] Predators for Hire: A Global Overview of Commercial Surveillance Vendors
➡️ blog.sekoia.io/predators-fo...
➡️ blog.sekoia.io/predators-fo...
September 2, 2025 at 9:55 AM
[Threat investigation alert 🚨] Predators for Hire: A Global Overview of Commercial Surveillance Vendors
➡️ blog.sekoia.io/predators-fo...
➡️ blog.sekoia.io/predators-fo...
No OS left behind. It happily infects Windows, macOS, and Linux systems.
Unlike before, they're not impersonating a real crypto company. Instead, they have built a completely #fake brand from scratch: https://waventic[.]com.
Unlike before, they're not impersonating a real crypto company. Instead, they have built a completely #fake brand from scratch: https://waventic[.]com.
July 21, 2025 at 2:40 PM
No OS left behind. It happily infects Windows, macOS, and Linux systems.
Unlike before, they're not impersonating a real crypto company. Instead, they have built a completely #fake brand from scratch: https://waventic[.]com.
Unlike before, they're not impersonating a real crypto company. Instead, they have built a completely #fake brand from scratch: https://waventic[.]com.
🔥 Hot summer, sizzling crypto... and scammers turning up the heat 🔥
Back in March, Sekoia #TDR team published a deep-dive report on a #Lazarus cluster we dubbed #ClickFake Interview, leveraging the #ClickFix technique in their #ContagiousInterview campaign.
Back in March, Sekoia #TDR team published a deep-dive report on a #Lazarus cluster we dubbed #ClickFake Interview, leveraging the #ClickFix technique in their #ContagiousInterview campaign.
July 21, 2025 at 2:40 PM
🔥 Hot summer, sizzling crypto... and scammers turning up the heat 🔥
Back in March, Sekoia #TDR team published a deep-dive report on a #Lazarus cluster we dubbed #ClickFake Interview, leveraging the #ClickFix technique in their #ContagiousInterview campaign.
Back in March, Sekoia #TDR team published a deep-dive report on a #Lazarus cluster we dubbed #ClickFake Interview, leveraging the #ClickFix technique in their #ContagiousInterview campaign.
🕵️ We also highlight multiple detection opportunities for AitM attacks in Microsoft Entra environments.
All technical details are available on our community GitHub: buff.ly/v5Y6amN
All technical details are available on our community GitHub: buff.ly/v5Y6amN
June 11, 2025 at 8:32 AM
🕵️ We also highlight multiple detection opportunities for AitM attacks in Microsoft Entra environments.
All technical details are available on our community GitHub: buff.ly/v5Y6amN
All technical details are available on our community GitHub: buff.ly/v5Y6amN
🎣 Leveraging our telemetry and proactive hunting, we ranked the most widespread AitM phishing kits - #Tycoon2FA, #Storm1167, #NakedPages, #Sneaky2FA, and more.
Additionally, the article includes summary sheets covering 11 AitM phishing kits.
Additionally, the article includes summary sheets covering 11 AitM phishing kits.
June 11, 2025 at 8:32 AM
🎣 Leveraging our telemetry and proactive hunting, we ranked the most widespread AitM phishing kits - #Tycoon2FA, #Storm1167, #NakedPages, #Sneaky2FA, and more.
Additionally, the article includes summary sheets covering 11 AitM phishing kits.
Additionally, the article includes summary sheets covering 11 AitM phishing kits.
🔍 Phishing-as-a-Service (#PhaaS) is driving a wave of large-scale, sophisticated attacks against organisations.
In our new blogpost, we provide an overview of the key techniques, tactics and social engineering schemes that cybercriminals use in AitM phishing attacks.
In our new blogpost, we provide an overview of the key techniques, tactics and social engineering schemes that cybercriminals use in AitM phishing attacks.
June 11, 2025 at 8:32 AM
🔍 Phishing-as-a-Service (#PhaaS) is driving a wave of large-scale, sophisticated attacks against organisations.
In our new blogpost, we provide an overview of the key techniques, tactics and social engineering schemes that cybercriminals use in AitM phishing attacks.
In our new blogpost, we provide an overview of the key techniques, tactics and social engineering schemes that cybercriminals use in AitM phishing attacks.
