If you are hiring full remote, you must read this.
DPRK IT workers are a much bigger problem than you think; they are today's spies, infiltrating multiple organizations simultaneously without the risk of being caught.
any.run/cybersecurit...
2/2
410f5add77c00714d1e214495c406dc2
6dadafaa55728ef8bd27a0e802dfeebb
ref: www.koi.ai/blog/4-milli...
1/2
ShadyPanda extension samples:
e9975e39b87a0369dba21dcc7a4dcd56
b4a828b6ea8f0faaf9a2cdbc5b7a8241
5c56346e09de3aef10d8df6b292df9b3
491518101c265a7a79040ea148bc7ae7
6619beef592118fa90dc67b103eb6d58
58a6c9a2125858e828191e51d9f30e4f
#ESETresearch discovered a new #MuddyWater campaign targeting critical infrastructure in 🇮🇱 Israel and 🇪🇬 Egypt, using a new backdoor, MuddyViper, and a variety of post-compromise tools www.welivesecurity.com/en/eset-rese... 1/7
UNC5203
govextra.gov.il/national-dig...
credit where credit is due, part 2
4/4
VIBE attribution to Handala because of similarities in TTPs and similarities to their HEAVYGRAM malware.
Ref: doublepulsar.com/handala-atte...
I don't need to reverse this shit to know... 🤡
3/4
securityscanner.exe
7f4ded56abaacb2bf4649665ac259c7c
25f27131e8de91f8d6fdf9bfa1901577f992ce33
2afcac3231235b5cea0fc702d705ec76afec424a9cec820749b83b6299d1fe1b
This file is not signed by Check Point... it connects to Telegram and Dropbox for exfiltration and probably more...
2/4
The PDF disguises the download link as a Check Point security tool.
The password for the RAR, however, is related to a cloud provider called cloudstar, but the small print says the service is provided by G.N.S.
cellcom.co.il/production/B...
1/4
O_o
help.pdf
02e3a2cc825b7ac3e1bad50d4088a74f
2d49a02c6e77d7ebcff87e62ab14d826f4281cba
e422c2f25fbb4951f069c6ba24e9b917e95edb9019c10d34de4309f480c342df
The PDF in Hebrew contains a link to a password-protected RAR archive hosted on @dropbox.com
4/5
This onlyoffice subdomain is also mentioned by Proofpoint, but the shared key and content are different.
Test Projects.zip -> 8e7771ed1126b79c9a6a1093b2598282221cad8524c061943185272fbe58142d
This file is listed in the IOCs of the CP blog and might have been reused.
3/5
However, Check Point did not mention OnlyOffice.
The missing link is available at any.run
2/5
Part of this activity was reported by Check Point research.checkpoint.com/2025/nimbus-...
1/5
IRGC + MOIS
Very interesting analysis from @proofpoint.com @saffronsec.bsky.social
www.proofpoint.com/us/blog/thre...
3/4
Additional "Hacktivism" hosted on PRQ[.]SE:
x.com/k3yp0d/statu...
2/4 Evidence
www.secureworks.com/blog/abraham...
1/4
Hacktivism demystified.
Leak:
github.com/KittenBuster...
5/5
Samples:
app.any.run/tasks/191467...
app.any.run/tasks/3a1761...
app.any.run/tasks/e3ac5b...
app.any.run/tasks/1f26a7...
app.any.run/tasks/6693a8...
app.any.run/tasks/e4cd4f...
4/5
The JS downloads NetSupport RAT and drops a decoy PDF.
Example C2 139.28.38.39
3/5
Example zip 0f6f4c1821b71ea73213b3b290b7e23b
Vchasno_doc_22.10.2025_0029.zip
The zip contains either just a JS payload, or benign files plus additional archives which contain the JS payload.
2/5
Example PDF ebb7c92f4d38510f8efab00eb8e2d9ad
Платіжне_доручення_22.10.2025_00684096792.pdf (Ukrainian: "Payment order")
The PDF contains a link to the 2nd payload.
The 2nd-stage payload is distributed across different hosting providers:
Dropbox
MS OneDrive
4sync
1/5
🇺🇦
Ongoing campaign targeting Ukrainians:
EML->PDF->URL->ZIP->JS->NetSupport RAT
Email 55ffcf6f4df8ab3f11a405794aa5f4d8
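Added example (not part of the posts above, and not the author's tooling): threat-intel threads like this one mix file hashes, C2 IPs and domains into free text, and defang some indicators with `[.]` (gripsmonga[.]sbs, PRQ[.]SE) while leaving others bare (139.28.38.39). The Python below pulls those indicators out of such text, classifies hashes by length, refangs and normalises hosts, and rejects lookalikes that a naive regex accepts: malformed IPv4 octets, and filenames such as `Test Projects.zip` or `securityscanner.exe` that have the shape of a hostname. The sample input is constructed from indicators that appear in the posts on this page; the file-extension list used to separate filenames from hosts is an assumption of this example.

```python
"""Extract hashes, IPv4 addresses and (de)fanged domains from free-text
threat-intel posts and normalise them into a structured IOC set."""
import re
from dataclasses import dataclass, field

# Constructed sample input: lines in the shape of the posts on this page. The
# hashes, domains and IPs are the ones the posts list; wording is abbreviated.
SAMPLE_POSTS = """\
Example zip 0f6f4c1821b71ea73213b3b290b7e23b
Vchasno_doc_22.10.2025_0029.zip
Example C2 139.28.38.39
ScreenConnect C2: gripsmonga[.]sbs / 144.172.95.60
securityscanner.exe
7f4ded56abaacb2bf4649665ac259c7c
25f27131e8de91f8d6fdf9bfa1901577f992ce33
2afcac3231235b5cea0fc702d705ec76afec424a9cec820749b83b6299d1fe1b
Additional "Hacktivism" hosted on PRQ[.]SE:
Test Projects.zip -> 8e7771ed1126b79c9a6a1093b2598282221cad8524c061943185272fbe58142d
"""

HEX = "[0-9a-fA-F]"
# A hex run of exactly 64, 40 or 32 chars that is not part of a longer hex run.
HASH_RE = re.compile(rf"(?<!{HEX})({HEX}{{64}}|{HEX}{{40}}|{HEX}{{32}})(?!{HEX})")
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# A literal dot or the "[.]" defang commonly used in TI posts.
DOT = r"(?:\.|\[\.\])"
IPV4_RE = re.compile(rf"(?<![\w.])(?:\d{{1,3}}{DOT}){{3}}\d{{1,3}}(?![\w.])")
DOMAIN_RE = re.compile(rf"(?<![\w.-])(?:[A-Za-z0-9-]+{DOT})+[A-Za-z]{{2,}}(?![\w.-])")

# Assumption of this example: a hostname-shaped token ending in one of these is
# a filename. Note ".zip" is also a real gTLD, so "payload.zip" as a host and
# "Test Projects.zip" as a file cannot be told apart by shape alone.
FILE_EXTENSIONS = {"zip", "rar", "7z", "exe", "dll", "pdf", "js", "lnk", "iso", "eml"}


@dataclass
class IocSet:
    md5: set[str] = field(default_factory=set)
    sha1: set[str] = field(default_factory=set)
    sha256: set[str] = field(default_factory=set)
    ipv4: set[str] = field(default_factory=set)
    domains: set[str] = field(default_factory=set)


def refang(value: str) -> str:
    """Turn a defanged indicator back into its real form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def defang(value: str) -> str:
    """Make a network indicator safe to paste into a report or chat."""
    return value.replace(".", "[.]")


def valid_ipv4(addr: str) -> bool:
    """The regex only bounds octets to 1-3 digits; enforce 0-255 here."""
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def extract_iocs(text: str) -> IocSet:
    iocs = IocSet()
    for m in HASH_RE.finditer(text):
        digest = m.group(1).lower()
        getattr(iocs, HASH_BY_LEN[len(digest)]).add(digest)
    for m in IPV4_RE.finditer(text):
        addr = refang(m.group(0))
        if valid_ipv4(addr):
            iocs.ipv4.add(addr)
    for m in DOMAIN_RE.finditer(text):
        host = refang(m.group(0)).lower()
        if host.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
            continue  # filename that merely looks like a hostname
        iocs.domains.add(host)
    return iocs


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_POSTS)
    for kind in ("md5", "sha1", "sha256", "ipv4", "domains"):
        for value in sorted(getattr(found, kind)):
            # Network indicators are printed defanged so the output is safe to share.
            shown = defang(value) if kind in ("ipv4", "domains") else value
            print(f"{kind:7} {shown}")
```

Run it as a script to see the grouped, defanged indicator list; in a pipeline, feed `extract_iocs` the text of a whole thread and diff the resulting sets against a blocklist or a sandbox's network log. Reporting and sandbox hosts that posts link to (any.run, blog URLs) will also be picked up as domains, so an allowlist of known-benign sources belongs in front of any automated blocking.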
www.youtube.com/watch?v=mSJr...
In the labyrinth of circuits and wires
An electronic maze where the signal fires
Neon pathways gleam with cold and light
In the realm of data, we take our flight
4/4
Another example of PDQ + ScreenConnect
bsky.app/profile/k3yp...
3/4
ScreenConnect C2: gripsmonga[.]sbs / 144.172.95.60
Hosted at: RouterHosting / Cloudzy 🤢🤮🤢