Whispering in the dark

ESET researchers uncovered a cyberespionage campaign by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has targeted Kurdish and Iraqi government officials since at least 2017, using various malicious tools including the Whisper backdoor, PrimeCache IIS module, and reverse tunnels. BladedFeline maintains persistent access to high-ranking officials in both the Kurdistan Regional Government and Iraqi government, likely for espionage purposes. The group's toolset includes sophisticated backdoors, webshells, and custom tunneling applications. ESET assesses with medium confidence that BladedFeline is a subgroup of OilRig, based on shared code, targets, and tactics. The campaign also extended to a telecommunications provider in Uzbekistan.

Pulse ID: 684874c7cbe4dbef4d0ff749
Pulse Link: https://otx.alienvault.com/pulse/684874c7cbe4dbef4d0ff749
Pulse Author: AlienVault
Created: 2025-06-10 18:09:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

APT 41: Threat Intelligence Report and Malware Analysis

APT41, a sophisticated Chinese state-sponsored threat actor, blends cyber espionage with cybercrime tactics. They target various sectors globally, including healthcare, telecom, and government entities. Recently, APT41 was observed using Google Calendar for malware command-and-control on a Taiwanese government website. Their attack chain involves spear-phishing emails, malicious ZIP archives, and a three-module malware system called ToughProgress. This malware uses stealthy techniques like in-memory execution, encryption, and process hollowing to evade detection. The unique aspect of ToughProgress is its use of Google Calendar events for covert data exchange, creating a stealthy communication channel for remote command execution and data exfiltration.

Pulse ID: 68480e89dbe1f2bc0746a80c
Pulse Link: https://otx.alienvault.com/pulse/68480e89dbe1f2bc0746a80c
Pulse Author: AlienVault
Created: 2025-06-10 10:52:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

BladedFeline: Whispering in the dark

ESET researchers have uncovered a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has been targeting Kurdish and Iraqi government officials since at least 2017, using various malicious tools including reverse tunnels, backdoors, and a malicious IIS module. Key malware includes the Whisper backdoor, which communicates via compromised email accounts, and PrimeCache, a malicious IIS module with similarities to OilRig's RDAT backdoor. The campaign also targeted a telecommunications provider in Uzbekistan. BladedFeline's sophisticated tactics and tools indicate a focus on maintaining strategic access to high-ranking officials for espionage purposes.

Pulse ID: 6842cae058bebf5552345481
Pulse Link: https://otx.alienvault.com/pulse/6842cae058bebf5552345481
Pulse Author: AlienVault
Created: 2025-06-06 11:02:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Gotta admit, 35,000 solar panels would make a baaaaadass botnet.

https://www.securityweek.com/35000-solar-power-systems-exposed-to-internet/

Hey smart people, I'm currently working on continuing my degoogling (as much as possible)...My current calendar/todo app syncs with Google Calendar and I'd like to find an alternative that supports local ICS files so I can export stuff from emacs org. Anybody done similar and if so, with what?

#emacs
#ics
#calendar
#DeGoogle

Serieus, #ANWB #ICS? Een wijziging van betaalrekening door een formulier te printen en in te vullen?
Welkom in 2025...

Mark Your Calendar: APT41 Innovative Tactics

In late October 2024, a government website was discovered hosting malware targeting multiple government entities. The malware, dubbed TOUGHPROGRESS, utilized Google Calendar for command and control. Attributed to APT41, a PRC-based actor, the campaign targeted global organizations in various sectors. The malware infection chain involved three modules: PLUSDROP, PLUSINJECT, and TOUGHPROGRESS, employing stealth and evasion techniques. TOUGHPROGRESS used encrypted Calendar events for communication. Google Threat Intelligence Group disrupted the campaign by developing custom fingerprints, terminating attacker-controlled infrastructure, and updating Safe Browsing. APT41 has been observed using free web hosting tools and URL shorteners for malware distribution since August 2024. The blog post provides indicators of compromise and YARA rules to aid in detection and defense against similar attacks.

Pulse ID: 68377205c4ac88a8a30ee232
Pulse Link: https://otx.alienvault.com/pulse/68377205c4ac88a8a30ee232
Pulse Author: AlienVault
Created: 2025-05-28 20:28:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Mark Your Calendar: APT41 Innovative Tactics

In late October 2024, a government website was discovered hosting malware targeting multiple government entities. The malware, dubbed TOUGHPROGRESS, utilized Google Calendar for command and control. Attributed to APT41, a PRC-based actor, the campaign targeted global organizations in various sectors. The malware infection chain involved three modules: PLUSDROP, PLUSINJECT, and TOUGHPROGRESS, employing stealth and evasion techniques. TOUGHPROGRESS used encrypted Calendar events for communication. Google Threat Intelligence Group disrupted the campaign by developing custom fingerprints, terminating attacker-controlled infrastructure, and updating Safe Browsing. APT41 has been observed using free web hosting tools and URL shorteners for malware distribution since August 2024. The blog post provides indicators of compromise and YARA rules to aid in detection and defense against similar attacks.

Pulse ID: 683772062a024a03b3ed3e6c
Pulse Link: https://otx.alienvault.com/pulse/683772062a024a03b3ed3e6c
Pulse Author: AlienVault
Created: 2025-05-28 20:28:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

New Russia-affiliated actor Void Blizzard targets critical sectors for espionage

Void Blizzard, a newly identified Russia-affiliated threat actor, has been conducting global cyberespionage operations since April 2024. Their primary targets are organizations in critical sectors, particularly in NATO member states and Ukraine, including government, defense, transportation, media, NGOs, and healthcare. The group employs tactics such as using stolen credentials, likely obtained from commodity infostealer ecosystems, and recently evolved to include targeted spear phishing for credential theft. Despite using unsophisticated techniques, Void Blizzard has been effective in gaining access and collecting large volumes of emails and files from compromised organizations. Their activities pose a significant risk to NATO member states and allies of Ukraine.

Pulse ID: 6835955789329a0d9f2f521c
Pulse Link: https://otx.alienvault.com/pulse/6835955789329a0d9f2f521c
Pulse Author: AlienVault
Created: 2025-05-27 10:35:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Custom Arsenal Developed to Target Multiple Industries

Earth Lamia, an APT threat actor, has been targeting organizations in Brazil, India, and Southeast Asia since 2023. The group exploits web application vulnerabilities, particularly SQL injection, to gain access to targeted systems. They have developed custom tools like PULSEPACK backdoor and BypassBoss for privilege escalation. Earth Lamia's targets have shifted over time, initially focusing on financial services, then logistics and online retail, and recently IT companies, universities, and government organizations. The group employs various techniques including DLL sideloading, use of legitimate binaries, and development of modular backdoors. Earth Lamia's activities have been linked to other reported campaigns, suggesting a complex and evolving threat landscape.

Pulse ID: 68359559953d95d9c98f6268
Pulse Link: https://otx.alienvault.com/pulse/68359559953d95d9c98f6268
Pulse Author: AlienVault
Created: 2025-05-27 10:35:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

“Investors suing NHS-embedded UnitedHealth for authorising TOO MUCH treatment”

by Skwawkbox @skwawkbox @UKLabour

“Health insurer that says its role is to avoid healthcare spending and paid nursing homes not to send old people to hospital relaxed refusals policy slightly after CEO shot in street”

https://skwawkbox.org/2025/05/23/investors-suing-nhs-embedded-unitedhealth-for-authorising-too-much-treatment/

Targets Tajikistan: New Macro Word Documents Phishing Tactics

From January to February 2025, a phishing campaign targeting Tajikistan was detected and attributed to TAG-110, a Russia-aligned threat actor. The campaign used Tajikistan government-themed documents as lures, shifting from previous tactics to macro-enabled Word template files for initial payload delivery. This change in approach demonstrates TAG-110's evolving tactics. The group's persistent targeting of Tajik government, educational, and research institutions aligns with Russia's strategy to maintain influence in Central Asia. The campaign likely aims to gather intelligence for influencing regional politics or security, particularly during sensitive events like elections or geopolitical tensions.

Pulse ID: 682f9d0236a68becaaf72d79
Pulse Link: https://otx.alienvault.com/pulse/682f9d0236a68becaaf72d79
Pulse Author: AlienVault
Created: 2025-05-22 21:54:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Attackers are more regularly targeting industrial control systems (ICS) on Operational Technology (OT), which have led to devistating real world consequences

Trace attack paths in ICS with Gilberto "Gil" Garcia's #BSidesBoulder25 talk "Attack Path Modeling for Securing ICS/OT Systems"! Attendees will learn how to visualize adversary movements, focus on crown jewels, and turn free tools and threat intel into actionable defense strategies through understanding attacker workflows.
Garcia's session will also delve into frameworks, modeling techniques, and the integration of intelligence-driven security measures to strengthen ICS/OT resilience - because in critical infrastructure, guesswork isn’t a good option! #BSides #BSidesBoulder #ICS #CyberSecurity #OTSecurity #ThreatModeling

Tickets are available for purchase for our 13 June event here: https://www.eventbrite.com/e/bsides-boulder-2025-registration-1290129274389

Habt ihr ne schöne Quelle für Ferien-/Feiertags-Kalender(feeds) im iCal-Format? Ich hätte gern

• alle bundesweiten und regionalen Feiertage für Deutschland, inklusive der Info (im Beschreibungstext), in welchen Bundesländer der Tag gesetzlicher Feiertag ist (ein Feed mit allem)
• Schulferien für einzelne Bundesländer (ein Feed pro Bundesland)

Einmalige Downloads sind okay, Feed-URLs wären fast besser.

Geez, TWENTY-TWO ICS advisories from CISA today? Is that as awful as it sounds?

https://www.cisa.gov/news-events/alerts/2025/05/15/cisa-releases-twenty-two-industrial-control-systems-advisories

TA406 Pivots to the Front

In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group utilized freemail senders impersonating think tank members to deliver both credential harvesting attempts and malware. Their tactics included using HTML and CHM files with embedded PowerShell for malware deployment, as well as fake Microsoft security alerts for credential theft. The malware conducted extensive reconnaissance on target hosts, gathering system information and checking for anti-virus tools. TA406's focus appears to be on collecting strategic, political intelligence to assess the ongoing conflict and potential risks to North Korean forces in the region.

Pulse ID: 6823b32f1fad0a568539c4c1
Pulse Link: https://otx.alienvault.com/pulse/6823b32f1fad0a568539c4c1
Pulse Author: AlienVault
Created: 2025-05-13 21:01:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Recruitment Scams on the Rise: How Threat Actors Exploit Job Seekers

A significant increase in recruitment scams has been observed, with three distinct threat actors targeting job seekers. The first impersonates tech employers using advance fee fraud tactics. The second poses as a logistics recruitment agency, targeting 18 geographies and affecting 63,000 people in the U.S. alone. The third impersonates the Government of Singapore to steal personal identity numbers and Telegram account details. These scams exploit economic factors and the rise of gig work, often using task-based schemes to extract money and free labor from victims. The scams typically involve unsolicited messages, fake websites, and promises of high-paying, flexible jobs. Victims are coerced into making upfront payments or providing personal information. The sophistication and scale of these operations highlight the growing threat to job seekers in the digital age.

Pulse ID: 68220ed2e06f82cae4fa7bef
Pulse Link: https://otx.alienvault.com/pulse/68220ed2e06f82cae4fa7bef
Pulse Author: AlienVault
Created: 2025-05-12 15:08:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information

The Google Threat Intelligence Group has identified a sophisticated malware called LOSTKEYS, attributed to the Russian government-backed threat actor COLDRIVER. Active since December 2023, LOSTKEYS represents an evolution in COLDRIVER's toolkit, targeting high-value entities such as NATO governments, NGOs, and former intelligence officers. The malware exfiltrates specific files, harvests system information, and targets individuals linked to Ukraine or Western governments. COLDRIVER's primary goal appears to be intelligence collection aligned with Russia's interests. The infection chain involves a complex multi-stage process, beginning with a fake CAPTCHA and employing various evasion tactics. Google has implemented countermeasures and recommends enhanced security measures for users.

Pulse ID: 681efa85136c18a881af2661
Pulse Link: https://otx.alienvault.com/pulse/681efa85136c18a881af2661
Pulse Author: AlienVault
Created: 2025-05-10 07:04:37

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

We found unauthenticated remote code execution on an industrial PLC without ever touching the hardware.
 
By unpacking publicly available firmware for the KUNBUS Revolution Pi, our Adam Bromiley discovered four vulnerabilities. Two of them allowed RCE with no authentication required.
 
We dug into a misconfigured Node-RED instance, bypassed authentication in PiCtory, and chained bugs together to gain full control. This could affect safety-critical systems in the real world.
 
The upside? Disclosure was handled properly. KUNBUS and CISA coordinated the response well, and advisories and fixes for all four CVEs are now live.
 
Get the full breakdown and links to the advisories here: https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-gmbh-revolution-pi-plc/