Tag: infrastructure

15 Attack Reports | 0 Vulnerabilities

Attack reports

Threat Infrastructure Uncovered Before Activation

Between November 2024 and April 2025, a set of domains and servers impersonating an Iraqi academic organization and fictitious UK tech firms were tracked. The infrastructure, while dormant, exhibited characteristics similar to APT34 (OilRig), including shared SSH keys, structured websites, and deco…
oilrig
infrastructure
apt34
domain impersonation
2025-04-22
ssh keys
pre-operational staging
http decoys
m247
Published: April 22, 2025
Downloadable IOCs: 15

Ransomware Initial Access Brokers Exposed

An investigation into a brute force attack on an exposed Remote Desktop server led to the discovery of a larger ransomware ecosystem, particularly initial access brokers. The attack began with domain enumeration and successful compromise of an account from multiple IP addresses. The threat actor's …
ransomware
credential harvesting
rdp
vpn
blacksuit
infrastructure
brute force
initial access brokers
2025-04-11
hive
domain enumeration
Published: April 11, 2025
Downloadable IOCs: 0

Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Introduces New Banking Phishing Kit

The Chinese eCrime group Smishing Triad has launched a global SMS phishing campaign targeting over 121 countries across various industries. Their infrastructure generates over one million page visits in 20 days, averaging 50,000 daily. The group has introduced a new 'Lighthouse' phishing kit focusi…
banking
phishing kit
infrastructure
sms phishing
chinese threat actors
2025-04-10
ecrime
global campaign
Published: April 10, 2025
Downloadable IOCs: 93

JSPSpy and 'Filebroser': A Custom File Management Tool in Webshell Infrastructure

Researchers have identified a cluster of JSPSpy web shell servers featuring 'Filebroser', a modified version of the open-source File Browser project. The infrastructure spans multiple hosting providers in China and the United States, using both cloud services and traditional ISPs. JSPSpy, a Java-ba…
remote access
infrastructure
web shell
detection
2025-03-12
jspspy
file management
filebroser
http headers
Published: March 12, 2025
Downloadable IOCs: 4

Astrill VPN and DPRK Remote Worker Fraud

Spur Engineering is releasing a comprehensive list of IP addresses associated with the Astrill VPN service to help companies protect against fraud and abuse from the Democratic Republic of Korea (DPRK) in the future.
north korea
fraud
vpn
dprk
infrastructure
astrill vpn
2025-03-05
Published: March 5, 2025
Downloadable IOCs: 2360

LightSpy Malware Now Targets Facebook & Instagram Data

LightSpy, a modular surveillance framework, has expanded its capabilities to target Facebook and Instagram data. The malware, initially focused on mobile devices, now compromises Windows, macOS, Linux, and routers. Recent analysis reveals a significant expansion in its command list, with over 100 c…
malware
surveillance
lightspy
plugins
infrastructure
command and control
facebook
2025-02-21
instagram
Published: February 21, 2025
Downloadable IOCs: 27

Further insights into Ivanti CSA 4.6 vulnerabilities exploitation

This analysis examines the exploitation of critical vulnerabilities in Ivanti Cloud Service Appliance (CSA) 4.6 between October 2024 and January 2025. It confirms widespread exploitation leading to webshell deployments in September and October 2024. The report provides details on malicious activiti…
vulnerability
ivanti
exploitation
webshell
infrastructure
remote code execution
CVE-2024-8190
CVE-2024-8963
CVE-2024-9379
CVE-2024-9381
2025-02-11
reversessh
nhas reverse_ssh
csa
Published: February 11, 2025
Linked vulnerabilities : CVE-2024-8190 (CVSS 7.2), CVE-2024-8963 (CVSS 9.1), CVE-2024-9379 (CVSS 7.2), CVE-2024-9381 (CVSS 7.2), CVE-2020-1472, CVE-2022-1388, CVE-2023-3519, CVE-2021-4034, CVE-2021-44529
Downloadable IOCs: 19

Inside Iran's Cyber Playbook: AI, Fake Hosting, and Psychological Warfare

Iranian cyber group Emennet Pasargad, operating as Aria Sepehr Ayandehsazan (ASA), has been linked to targeting the 2024 Summer Olympics and compromising a French display provider. The group, part of Iran's Islamic Revolutionary Guard Corps, used AI software, fictitious hosting resellers, and psych…
iran
ai
olympics
infrastructure
cyber operations
2024-11-01
propaganda
psychological tactics
information warfare
Published: November 1, 2024
Downloadable IOCs: 0

Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations

The advisory warns of Iranian cyber actors employing brute force techniques like password spraying and MFA 'push bombing' to compromise user accounts across critical sectors. After gaining access, they gather additional credentials, move laterally, and collect data potentially to sell on cybercrimi…
CVE-2020-1472
malicious
credential
lateral
infrastructure
2024-10-17
access
Published: October 17, 2024
Linked vulnerabilities : CVE-2020-1472
Downloadable IOCs: 1

SideWinder APT's post-exploitation framework analysis

SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed …
apt
espionage
CVE-2017-11882
infrastructure
spear-phishing
post-exploitation
2024-10-15
moduleinstaller
backdoor loader module
stealerbot
rtf exploit
Published: October 15, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 158

Technical Analysis of a Novel IMEEX Framework

The IMEEX framework is a newly discovered, custom-built malware targeting Windows systems. Delivered as a 64-bit DLL, it offers extensive control over compromised machines, featuring execution of additional modules, file manipulation, process management, registry modification, and remote command ex…
malware
windows
persistence
infrastructure
stealth
2024-10-14
imeex
Published: October 14, 2024
Downloadable IOCs: 9

Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis

Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
backdoor
ransomware
seo poisoning
extortion
multi-tiered
infrastructure
2024-10-10
rhysida
chrgetpdsi
portstarter
cleanuploader
early detection
Published: October 10, 2024
Downloadable IOCs: 106

CHARMING KITTEN

Since June 2024, the Iran-nexus actor CHARMING KITTEN has been creating new network infrastructure for credential phishing, targeting individuals perceived as threats to the Iranian regime. The actor's infrastructure, known as Cluster B, uses domains with specific characteristics like similar TLDs,…
iran
infrastructure
domain registration
2024-10-04
spear-phishing
credential phishing
mint sandstorm
ta453
apt42
Published: October 4, 2024
Downloadable IOCs: 11

Targeted Iranian Attacks Against Iraqi Government Infrastructure

Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
backdoor
iran
government
dns tunneling
infrastructure
2024-09-12
spearal
email c2
veaty
cachehttp
iis module
iraq
Published: September 12, 2024
Downloadable IOCs: 16

SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea

BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as utilizing carefully crafted phishing emails with visual lures designed to target specific organizations. The campaign aims to compromise ports and …
espionage
phishing
vulnerability
nation-state
javascript
targeted
CVE-2017-0199
CVE-2017-11882
2024-07-30
infrastructure
maritime
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 47
Click here to see more Attack Reports