Shakedown Social

11 posts9 participants0 posts today

Brian ClarkDNSFilter, a <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> vendor I'm not very familiar with, published their Q1 2025 Threat Report. I think it's always good to review these reports from a <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> perspective. Here's their list of TLD's with domains most likely to be malicious: .tf .pw .sx .ax .liHere's a link to the report (not sure if it'll work for you or not as it is behind a registration-wall).<a href="https://www.dnsfilter.com/hubfs/2025-Content-Downloads/Q1-2025-Security-Report.pdf?_gl=1*1yqax4z*_gcl_au*MTExMDUyODI2NS4xNzQ4ODA5NDM1LjEyMjE0NTIzNDUuMTc0ODgwOTY5MC4xNzQ4ODA5Njkw" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.dnsfilter.com/hubfs/2025-Content-Downloads/Q1-2025-Security-Report.pdf?_gl=1*1yqax4z*_gcl_au*MTExMDUyODI2NS4xNzQ4ODA5NDM1LjEyMjE0NTIzNDUuMTc0ODgwOTY5MC4xNzQ4ODA5Njkw</a>

Ian Campbellapp-hybridge[.]finance (transferred out to registrar.eu Friday, back into ddos-guard Sunday) app-usualmcney[.]com, app-usuclmoney[.]com (usualmoney platform, note the c in the domain. multiple examples in and out of DDoS-Guard)Gaming: csmoney[.]to (CounterStrike skin trading bot)<a href="https://masto.deoan.org/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>

Ian CampbellSubdomain-specific:com-more[.]com (Ripple subdomain) communitygethelp[.]com (defisaver subdomain) xyzcomcom[.]com (subdomain targeting Felix stablecoin)More cryptocurrency-targeting domains over the past 4 days:coindase[.]to apps-defisaver[.]com apps-odos[.]fi app--odos[.]com app-odos[.]fi swap-odos[.]com hyqerunit[.]xyz (hyperunit) yicldnest[.]finance com-ripple-finance[.]com ssi-sosovalue[.]xyz<a href="https://masto.deoan.org/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>

Ian CampbellIn my usual monitoring of nameservers for Russian bulletproof host DDoS-Guard the past few days, quite a few new or transferred-in domains are targeting cryptocurrency.However, we can also see a new domain of com-worldfinance[.]com - a financial industry magazine boasting a readership of 120,000. A subdomain of "finance-reports" indicates the likelihood that these actors are likely targeting the readership.Registrar: GMO Internet NS: DDoS-Guard<a href="https://masto.deoan.org/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://masto.deoan.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://masto.deoan.org/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>

Kevin BeaumontMainStreet Bancshares, a bank also known as MainStreet Bank, has filed a Friday night 8-K with the SEC saying 5% of its customers PII was stolen in March, but they failed to inform customers or file an 8-K until this week. <a href="https://www.sec.gov/ix?doc=/Archives/edgar/data/1693577/000143774925019008/main20250328_8k.htm" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.sec.gov/ix?doc=/Archives/edgar/data/1693577/000143774925019008/main20250328_8k.htm</a><a href="https://cyberplace.social/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>

cR0w :cascadia:Free <a href="https://infosec.exchange/tags/threatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatIntel</a> Friday.Here's a list of observed password spray addresses against some M365 tenants from IPs acknowledged by Microsoft as being known to be malicious:<a href="https://cascadiacrow.com/20250530_m365_acknowledged.txt" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://cascadiacrow.com/20250530_m365_acknowledged.txt</a>Here's a list of recently observed password spray addresses against some M365 tenants:<a href="https://cascadiacrow.com/20250530_m365_observed.txt" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://cascadiacrow.com/20250530_m365_observed.txt</a>Here's a list of recently observed password spray addresses against some PAN GlobalProtect portals:<a href="https://cascadiacrow.com/20250530_pan_observed.txt" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://cascadiacrow.com/20250530_pan_observed.txt</a>

Eddie.SANS Ransomware Summit is a one day event running right now. Keynote is of great value. Register even if you can’t attend today to go back and watch the videos. It’s free. <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#blueteam</a> <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ransomware</a>

DomainToolsPakistani authorities have arrested 21 individuals tied to HeartSender, a long-running phishing and malware-as-a-service operation. The group is linked to global BEC scams and phishing attacks targeting Microsoft 365, iCloud, and more—causing tens of millions in losses.This takedown highlights the growing international cooperation in cybercrime investigations and the importance of strong digital defenses.🔗 Read more via <a href="https://infosec.exchange/@briankrebs" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@briankrebs</a> (KrebsOnSecurity): <a href="https://krebsonsecurity.com/2025/05/pakistan-arrests-21-in-heartsender-malware-service/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://krebsonsecurity.com/2025/05/pakistan-arrests-21-in-heartsender-malware-service/</a><a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://infosec.exchange/tags/BEC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BEC</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Malware</a> <a href="https://infosec.exchange/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a>

AIL ProjectAIL 6.2 released - Smarter Analysis, Search and Enhanced User ExperienceWe’re excited to release AIL Framework v6.2, a major update with new features and improved performance. This version makes analysis easier and the overall experience faster and more user-friendly.Among the highlights are a fully revamped search engine powered by MeiliSearch, improved language detection for short text, local AI-driven image descriptions, and a yara-hunting editor tool.🔗 <a href="https://www.ail-project.org/blog/2025/05/28/AIL-v6.2.released/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.ail-project.org/blog/2025/05/28/AIL-v6.2.released/</a><a href="https://infosec.exchange/tags/darkweb" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#darkweb</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cti" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cti</a> <a href="https://infosec.exchange/tags/opensource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#opensource</a> <a href="https://infosec.exchange/tags/osint" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#osint</a>

Brian ClarkEver hear of the legitimate file sharing service files.catbox[.]moe? It’s really uncommon and you should probably block it in your environment. Read Palo Alto’s overview of a DarkCloud Steamer campaign that makes use of a catbox.moe file share to distribute its payload here. <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> From: <a href="https://infosec.exchange/@VirusBulletin" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@VirusBulletin</a> <a href="https://infosec.exchange/@VirusBulletin/114579078874978016" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@VirusBulletin/114579078874978016</a>

Kevin BeaumontAdidas have a third party supplier breach incident ongoing, of their customer helpdesk provider. Was tucked away on their corporate website, posted on May 23rd but flew under the radar. <a href="https://www.adidas-group.com/en/data-security-information" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.adidas-group.com/en/data-security-information</a><a href="https://cyberplace.social/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a>

SecuritySnacks🔥 Hot off the presses!DomainTools Investigations shares that a spoofed antivirus download page is delivering VenomRAT, StormKitty, and SilentTrinity—a powerful combo for credential theft, persistence, and long-term access.🔎 We traced the infrastructure, payloads, and attacker tactics.Full breakdown: <a href="https://dti.domaintools.com/venomrat/?utm_source=Mastodon&utm_medium=Social&utm_campaign=VenomRAT" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://dti.domaintools.com/venomrat/?utm_source=Mastodon&utm_medium=Social&utm_campaign=VenomRAT</a><a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://infosec.exchange/tags/MalwareAnalysis" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MalwareAnalysis</a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Infosec</a>

Taylor ParizoYou can't be serious in this field. What's next? Charmin Bear? <a href="https://therecord.media/laundry-bear-void-blizzard-russia-hackers-netherlands" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://therecord.media/laundry-bear-void-blizzard-russia-hackers-netherlands</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a>

Ian CampbellRussian bulletproof host DDoS-Guard nameserver activity over the weekend (non-exhaustive):-cryptocurrency-targeting app-hyperlend[.]com app-yei[.]com (Yei Finance) en-ledger[.]to trezor-wallet[.]to metamack[.]to (metamask) rabby-wallet[.]to app-defisaver[.]co app-dragonswap[.]com app-yei[.]financial yel[.]financial appdragonclient[.]com sailor[.]financial (seilor)-general malice com-updates[.]com privnotea[.]com xyzdotcom[.]com<a href="https://masto.deoan.org/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://masto.deoan.org/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://masto.deoan.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a>

RedPacket Security[PLAY] - Ransomware Victim: South Atlantic Federal Credit Union - <a href="https://www.redpacketsecurity.com/play-ransomware-victim-south-atlantic-federal-credit-union/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.redpacketsecurity.com/play-ransomware-victim-south-atlantic-federal-credit-union/</a><a href="https://mastodon.social/tags/play" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#play</a> <a href="https://mastodon.social/tags/dark_web" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dark_web</a> <a href="https://mastodon.social/tags/data_breach" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#data_breach</a> <a href="https://mastodon.social/tags/OSINT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OSINT</a> <a href="https://mastodon.social/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ransomware</a> <a href="https://mastodon.social/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://mastodon.social/tags/tor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#tor</a>

RedPacket Security[SILENTRANSOMGROUP] - Ransomware Victim: Liberty Tax (d) - <a href="https://www.redpacketsecurity.com/silentransomgroup-ransomware-victim-liberty-tax-d/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.redpacketsecurity.com/silentransomgroup-ransomware-victim-liberty-tax-d/</a><a href="https://mastodon.social/tags/silentransomgroup" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#silentransomgroup</a> <a href="https://mastodon.social/tags/dark_web" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dark_web</a> <a href="https://mastodon.social/tags/data_breach" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#data_breach</a> <a href="https://mastodon.social/tags/OSINT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OSINT</a> <a href="https://mastodon.social/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ransomware</a> <a href="https://mastodon.social/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://mastodon.social/tags/tor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#tor</a>

RedPacket Security[PLAY] - Ransomware Victim: AKJ Energiteknik - <a href="https://www.redpacketsecurity.com/play-ransomware-victim-akj-energiteknik/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.redpacketsecurity.com/play-ransomware-victim-akj-energiteknik/</a><a href="https://mastodon.social/tags/play" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#play</a> <a href="https://mastodon.social/tags/dark_web" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dark_web</a> <a href="https://mastodon.social/tags/data_breach" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#data_breach</a> <a href="https://mastodon.social/tags/OSINT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OSINT</a> <a href="https://mastodon.social/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ransomware</a> <a href="https://mastodon.social/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://mastodon.social/tags/tor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#tor</a>

Infoblox Threat IntelOur latest blog is out! It covers a rising issue that many major organization experiences: Subdomain hijacking through abandoned cloud resources. This research follows our reporting from earlier in the year about the CDC subdomain hijack. We initially assumed that this was an isolated incident. Well… We were wrong. We tied some of this activity to a threat actor, dubbed Hazy Hawk, who hijacks high-profile subdomains which they use to conduct large-scale scams and malware distribution.<a href="https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/</a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#scam</a> <a href="https://infosec.exchange/tags/HazyHawk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HazyHawk</a>

k3ym𖺀<blockquote>"Coinbase, the largest cryptocurrency exchange platform in the U.S., refused to pay a $20 million ransom and instead offered the same amount as a bounty for information leading to the arrest of the hackers."</blockquote><a href="https://www.secureworld.io/industry-news/coinbase-flips-script-ransomware" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.secureworld.io/industry-news/coinbase-flips-script-ransomware</a><a href="https://infosec.exchange/tags/Ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ransomware</a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a>

Risotto Biasare you in any other cybersecurity communities? discord? slack? matrix? IRC? carrier pigeons? let me know!<a href="https://toot.risottobias.org/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://toot.risottobias.org/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BlueTeam</a> <a href="https://toot.risottobias.org/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://toot.risottobias.org/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a>

Recent searches

Search options

Administered by:

Server stats:

#threatintel