One thing to know with DragonForce - for the last two victim orgs, they've posted the payment negotiation chat. e.g.
Legogpt Is Here To Make Your Blocky Dreams Come True - https://www.redpacketsecurity.com/legogpt-is-here-to-make-your-blocky-dreams-come-true/
With a +61% increase,
US-based "charter.com" is #1 for hosting IPs associated with exploited devices: 193,782 detections over the last 30 days....
....as well as 167 Spamhaus Blocklist (SBL) listings.
Spamhaus reputation statistics: https://www.spamhaus.org/reputation-statistics/networks/exploit/
SBL listings: https://check.spamhaus.org/sbl/listings/charter.com/
Huntress had a good educational post on why including ASN information in your analysis of IP addresses as IOCs is important and useful.
https://www.huntress.com/blog/utilizing-asns-for-hunting-and-response
Here's about 1300 IPs doing password sprays and brute forces against a few PAN GlobalProtect portals the past few days. None of the ASNs are surprising but they all geolocate to US, for those of you that geoblock. I would simply share the ASNs but since none of the vendors seem to give a shit about functional features, that won't do many orgs much good.
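As an added example illustrating the point of the two posts above (it is not code from Huntress, from the poster, or from any vendor), the following Python script groups failed VPN-portal login sources by ASN instead of by country. Every prefix, ASN number, operator name and log line in it is a constructed placeholder (documentation ranges and private-use ASNs), so it runs offline; a real deployment would swap the hand-written table for a BGP- or RIR-derived ASN dataset.

```python
import ipaddress
from collections import defaultdict

# Hypothetical prefix -> (ASN, name) table, constructed for this example.
# Documentation ranges (TEST-NET) and private-use ASNs are used so that nothing
# here refers to a real operator. In practice you would populate this from a
# BGP/RIR-derived dataset rather than hand-writing it.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "EXAMPLE-CLOUD-A"),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "EXAMPLE-VPS-B"),
    (ipaddress.ip_network("192.0.2.0/25"), 64502, "EXAMPLE-RESIDENTIAL-C"),
    (ipaddress.ip_network("192.0.2.128/25"), 64503, "EXAMPLE-RESIDENTIAL-D"),
]

# Constructed sample log: source IPs from VPN portal login attempts, one line per
# attempt, in a simple key=value format. In this scenario every source would
# geolocate to the same country, so country alone tells the defender nothing.
SAMPLE_LOG = """\
2025-05-06T01:00:01Z portal=vpn1 user=alice src=203.0.113.10 result=FAIL
2025-05-06T01:00:02Z portal=vpn1 user=bob src=203.0.113.11 result=FAIL
2025-05-06T01:00:03Z portal=vpn1 user=carol src=203.0.113.12 result=FAIL
2025-05-06T01:00:04Z portal=vpn1 user=dave src=203.0.113.13 result=FAIL
2025-05-06T01:00:05Z portal=vpn2 user=alice src=198.51.100.7 result=FAIL
2025-05-06T01:00:06Z portal=vpn2 user=erin src=198.51.100.8 result=FAIL
2025-05-06T01:00:07Z portal=vpn1 user=frank src=192.0.2.20 result=FAIL
2025-05-06T01:00:08Z portal=vpn1 user=frank src=192.0.2.200 result=OK
"""


def lookup_asn(ip_str):
    """Longest-prefix match of an IP against ASN_TABLE; None if not covered."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, asn, name in ASN_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name)
    return None if best is None else (best[1], best[2])


def parse_failed_sources(log_text):
    """Return the src IPs of every line whose result=FAIL."""
    ips = []
    for line in log_text.splitlines():
        # First token is the timestamp; the rest are key=value pairs.
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        if fields.get("result") == "FAIL":
            ips.append(fields["src"])
    return ips


def summarize_by_asn(ips):
    """Group IPs by ASN: {asn: {"name": str, "attempts": int, "unique_ips": set}}."""
    summary = defaultdict(lambda: {"name": None, "attempts": 0, "unique_ips": set()})
    for ip in ips:
        hit = lookup_asn(ip)
        asn, name = hit if hit else (0, "UNKNOWN")
        entry = summary[asn]
        entry["name"] = name
        entry["attempts"] += 1
        entry["unique_ips"].add(ip)
    return dict(summary)


def asn_hunt_candidates(summary, min_unique_ips=2):
    """ASNs contributing at least min_unique_ips distinct sources, busiest first.

    Country-level geolocation would lump all of these together; keying on ASN
    keeps a hosting provider distinct from a residential ISP, which is what a
    hunt query or a narrowly scoped block actually needs.
    """
    ranked = sorted(summary.items(),
                    key=lambda kv: len(kv[1]["unique_ips"]), reverse=True)
    return [(asn, d["name"], len(d["unique_ips"]))
            for asn, d in ranked if len(d["unique_ips"]) >= min_unique_ips]


if __name__ == "__main__":
    summary = summarize_by_asn(parse_failed_sources(SAMPLE_LOG))
    for asn, name, n in asn_hunt_candidates(summary):
        print(f"AS{asn} {name}: {n} distinct failing sources")
```

The `min_unique_ips` threshold is what separates a spray (many sources inside one ASN) from a single user mistyping a password on a residential line; in the constructed data the residential ASN with one failing source drops out of the candidate list while the two hosting ASNs remain.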
We've talked before about abuse issues with .top domains, and sadly, things aren’t getting better. In fact, we’re now seeing a rise in "toll scams" you might have spotted hitting the headlines in recent weeks.
But, why is this happening? What do we actually know about .top? And more importantly, what can be done to stop it?
Learn more in the latest Domain Reputation Spotlight
https://www.spamhaus.org/resource-hub/service-providers/abuse-takes-its-toll-on-top/
Somebody has hacked LockBit. I’m going to guess DragonForce. They’ve dumped their victim payment chats and backend SQL. #threatintel #ransomware
URLScan now has a research blog:
https://urlscan.io/blog/2025/05/06/oriental-gudgeon/
#phishing #threatintel
Masimo, the e-watch maker, has filed an 8-K with the SEC for a ransomware incident.
They don’t say ransomware, but it is.
Their website was down for 5 days, including investor relations, along with all their customer support numbers and online systems. They quietly fixed the website, then filed with the SEC. https://www.sec.gov/ix?doc=/Archives/edgar/data/937556/000110465925045035/tm2514064d1_8k.htm
NoName continue UK targeting.
Botnet config: https://witha.name/data/2025-05-06_07-10-03_DDoSia-target-list.csv
Good aggregation by Bushido, as always. Worth spending a few moments reviewing if you are trying to keep up with the latest ransomware groups.
https://blog.bushidotoken.net/2025/05/ransomware-tool-matrix-project-updates.html
@infosec #Cybersecurity #ThreatIntel #Ransomware @bushidotoken
App security alert: TM SGNL — a custom Signal fork used by high-level U.S. officials — was reportedly hacked
Key findings via researchers: Hardcoded credentials found in the app’s source code
Hacker claims to have breached TeleMessage (creator of TM SGNL) in minutes
Archive server may store unencrypted copies of sensitive messages
Leaked data includes government contacts, messages, and backend access
Why it matters:
TM SGNL modifies Signal to support message archiving — possibly before encryption
That’s a potential plaintext vulnerability — even if E2EE is in place
Raises urgent questions about how U.S. officials handle sensitive digital comms
Security leaders should:
Vet third-party forks of secure messaging apps rigorously
Avoid using unofficial tools for sensitive communication
Align secure messaging practices with compliance and cybersecurity
This incident isn’t just a breach — it’s a wake-up call about assuming encryption = security.
#CyberSecurity #MessagingApps #Signal #DataBreach #GovernmentSecurity #ThreatIntel #security #privacy #cloud #infosec
#NoName are back targeting UK councils. Same config as prior UK runs.
Botnet config: https://witha.name/data/2025-05-05_08-20-03_DDoSia-target-list.csv
The #cybersecurity firm Binary Defense has an informative blog out on one of the FakeCAPTCHA / ClickFix campaigns. What's most useful is they link to their Github repo where they published detections for Defender for Endpoint, Crowdstrike and SentinelOne.
#threatintel #detectionengineering
https://www.binarydefense.com/resources/blog/analyzing-lummastealers-fakecaptcha-delivery-tactics/
Worth a listen: This Week in Machine Learning podcast’s most recent episode is on CTIBench, a benchmark framework for LLMs in cyber threat intelligence. Interesting conversation, have not dived into the paper yet.
https://twimlai.com/podcast/twimlai/ctibench-evaluating-llms-in-cyber-threat-intelligence/
So you said it couldn’t get any worse?
https://micahflee.com/heres-the-source-code-for-the-unofficial-signal-app-used-by-trump-officials/
"Here's the source code for the unofficial Signal app used by Trump officials"
"The source code contains hardcoded credentials and other vulnerabilities."
The legitimate consumer-oriented “mywire” DDNS service is unfortunately frequently abused. I recommend blocking and/or hunting for this traffic as it is not likely legit in a corporate network.
#threatintel #cybersecurity @threatintel
From: @ScumBots
https://infosec.exchange/@ScumBots/114446276050798866
One of M&S’ biggest suppliers has said it has reverted to pen and paper for orders due to M&S lacking IT.
Additionally, M&S staff are raising concern about how they will be paid due to lack of IT systems.
M&S are over a week into a ransomware incident and still don’t have their online store working.
Bleeping Computer have more on the Co-op breach https://www.bleepingcomputer.com/news/security/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack/