dmv.community is one of the many independent Mastodon servers you can use to participate in the fediverse.
A small regional Mastodon instance for those in the DC, Maryland, and Virginia areas. Local news, commentary, and conversation.


#espionage

15 posts · 13 participants · 2 posts today

A Deep Dive into Water Arsenal and Infrastructure

Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads like EncryptHub Stealer variants, SilentPrism and DarkWisp backdoors, as well as known malware like Stealc and Rhadamanthys. Their delivery methods include malicious provisioning packages, signed .msi files, and Windows MSC files. The attackers employ techniques such as LOLBins and encrypted communications to evade detection. Their infrastructure includes C&C servers for managing infected systems and exfiltrating data. The campaign highlights the group's adaptability and sophistication in cyber espionage operations.

Pulse ID: 67e7cba2606bdb8acfedda1c
Pulse Link: otx.alienvault.com/pulse/67e7c
Pulse Author: AlienVault
Created: 2025-03-29 10:29:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Today in Labor History March 29, 1951: Julius and Ethel Rosenberg were convicted of conspiracy to commit espionage. They were executed at Sing Sing in 1953. The Rosenbergs’ sons, Michael and Robert Meeropol, were adopted by Abel Meeropol, the composer of “Strange Fruit” (made famous by Billie Holiday). The sons maintained their parents’ innocence. However, after the fall of the Soviet Union, decoded Soviet cables showed that their father had, in fact, collaborated, but that their mother was innocent. They continued to fight for their mother’s pardon, but Obama refused to grant it. The Rosenbergs’ sons were among the last students to attend the anarchist Modern School in Lakewood, New Jersey, before it finally shut its doors in 1958.

The Modern School movement began in 1901, in Barcelona, Spain, when Francisco Ferrer opened his Escuela Moderna. It was one of the very first Spanish schools to be fully secular, co-educational, and open to all students, regardless of class. His ideas were so popular that 40 more Modern Schools opened in Barcelona in just a few years, while 80 other schools adopted his textbooks. In 1909, there were mass protests and a General Strike against Spanish intervention in Morocco. The state responded with a week of terror and repression, during which they slaughtered over 600 workers and falsely executed Ferrer as an instigator of the protests. His execution led to worldwide protests. Modern Schools started to pop up outside of Spain, inspired by his original Escuela Moderna, including 20 in the U.S.

For more on the Modern School movement, read my article: michaeldunnauthor.com/2022/04/

(talosintelligence.com) Gamaredon APT Targets Ukraine with Remcos Backdoor Using War-Themed Lures blog.talosintelligence.com/gam

Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor. The campaign, attributed with medium confidence to the Gamaredon APT group, uses Russian-language lures related to troop movements in Ukraine. The attack chain involves LNK files that execute PowerShell code to download a ZIP file containing the Remcos backdoor, which is then executed through DLL side-loading techniques. The attackers use geo-fenced servers in Russia and Germany that restrict access to Ukrainian IP addresses. This represents a continuation of Gamaredon's targeting of Ukrainian entities, though their use of the commercial Remcos backdoor marks a shift from their typical custom tooling.

Cisco Talos Blog · Gamaredon campaign abuses LNK files to distribute Remcos backdoor: Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024.

Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads

Kimsuky, also known as “Black Banshee,” is a North Korean APT group active since at least 2012 and believed to be state-sponsored. Its cyber espionage targets countries like South Korea, Japan, and the U.S. Its tactics include phishing, malware infections (RATs, backdoors, wiper malware), supply chain attacks, lateral movement within networks, and data exfiltration.

Pulse ID: 67e5c75c2569365ec3ecae21
Pulse Link: otx.alienvault.com/pulse/67e5c
Pulse Author: AlienVault
Created: 2025-03-27 21:47:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Operation ForumTroll exploits zero-days in Google Chrome

In March 2025, a sophisticated malware campaign exploited a zero-day vulnerability in Google Chrome to infect targets. The attack, dubbed Operation ForumTroll, used personalized phishing emails with short-lived links to deliver malware. Kaspersky detected the exploit, reported it to Google, and an update was released to fix the vulnerability (CVE-2025-2783). The campaign targeted media outlets, educational institutions, and government organizations in Russia, disguising itself as invitations to the 'Primakov Readings' forum. The attackers' goal appears to be espionage, and the sophistication of the malware suggests a state-sponsored APT group is behind the operation. The exploit chain involved sandbox escape and remote code execution, though only the former was fully analyzed.

Pulse ID: 67e33790837554926530dc06
Pulse Link: otx.alienvault.com/pulse/67e33
Pulse Author: AlienVault
Created: 2025-03-25 23:09:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


This is obviously THE news of the day (week?):

We can't believe that not a single person involved in this chat spoke up to say 'this is a bad idea to use Signal for this.'

But we actually wonder if it was by design: that they feared the DEEP STATE so much they weren't going to use the encrypted tools available to the DOD & our intelligence services. It seemingly doesn't make sense unless viewed from that perspective.

#DeepState #Espionage #Infosec

theatlantic.com/politics/archi

The Atlantic · The Trump Administration Accidentally Texted Me Its War Plans, by Jeffrey Goldberg

"Conceivably, #Waltz, by coordinating a #NationalSecurity related action over #Signal, may have violated several provisions of the #Espionage Act, which governs the handling of “national defense” #information...

The Signal app is not approved by the #government for sharing classified information... they should go into a specially designed space known as a ... #SCIF —most Cabinet-level national-security officials have one installed in their home"
theatlantic.com/politics/archi

RCBC Plaza is scrambling to explain how one of the country's biggest Philippine Offshore Gaming Operators (POGOs), Flying Future, was running illegal operations right under its nose before being raided by authorities.

Canadian, Irish, German and Australian embassies are in the building. POGOs are believed to be fronts for spying by the Chinese government.

#Philippines #Asian #Spying #Espionage #Makati #EU #Embassies #Canada #Australia @pinoy

bilyonaryo.com/2025/03/21/mali

Operation FishMedley targeting governments, NGOs, and think tanks

ESET researchers have uncovered a global espionage operation called Operation FishMedley, conducted by the FishMonger APT group, which is operated by the Chinese contractor I-SOON. The campaign targeted governments, NGOs, and think tanks across Asia, Europe, and the United States during 2022. The attackers used implants like ShadowPad, SodaMaster, and Spyder, which are common or exclusive to China-aligned threat actors. The operation involved sophisticated tactics including lateral movement, credential theft, and custom malware deployment. Seven victims were identified across various countries and sectors. The analysis provides technical details on the malware used, initial access methods, and command and control infrastructure.

Pulse ID: 67dd406f6ba9eecd280aa95e
Pulse Link: otx.alienvault.com/pulse/67dd4
Pulse Author: AlienVault
Created: 2025-03-21 10:33:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #China #Chinese

#WaPo headline: "Alexa is getting creepier. Take this one step to improve your privacy. #Amazon is ditching an option to opt out of sending #Alexa voice commands to the company. It highlights the growing hunger for our personal data in the #AI age."

The WaPo solution: Stop your Alexa device from saving your voice recordings.

The better solution: Get rid of Alexa entirely: Amazon will still be spying on you.