#threatintel


🕵️ Prodaft is taking an aggressive new approach to threat intelligence:
They’re buying access to major dark web forums — including admin and moderator accounts — in exchange for cryptocurrency.

Here’s what they’re offering:
💸 Crypto payments, no questions asked
🔐 Full anonymity for sellers
📊 Access to five top-tier forums
🎯 Prioritized payouts for higher access levels

The move aims to give security teams unprecedented visibility into cybercriminal operations — but it also pushes ethical and operational boundaries.

Would your team use intel gathered this way?

#Cybersecurity #ThreatIntel #DarkWeb #InfoSec #Ethics

darkreading.com/threat-intelli

Do you run F5 BIG-IP? If so, here's a list of a little over 7000 IPs that I've recently seen performing brute force and low-and-slow password sprays. The only intel I can share is that among the noise, it appears to be at least four distinct campaigns, two of which were tailored to the target orgs. Many of the IPs are already on block lists and known bad ASNs, but not all.

cascadiacrow.com/f5passwordAtt

Good MORNING, folks!

I am caffeinated, and I also have brand new shiny things for you.

@DomainTools Investigations published a report this morning detailing a campaign of newly-registered domains impersonating the Google Play store and leading to deployment of the SpyNote Android RAT. No attribution available, but significant Chinese-language connections.

#infosec #threatintel #cybersecurity

dti.domaintools.com/newly-regi

DomainTools Investigations | DTI · Newly Registered Domains Distributing SpyNote Malware: Deceptive websites hosted on newly registered domains are being used to deliver AndroidOS SpyNote malware. These sites mimic the Google Chrome install page on the Google Play Store.

Online gambling operators are sponsoring charities?? If only :(

We've identified a malicious gambling affiliate whose specialty is to buy expired domain names which used to belong to charities or reputable organisations.

Once they own a domain, they host a website impersonating its previous owner, where they claim to "deeply appreciate the support from [their] sponsors", which surprise surprise, all turn out to be dubious online gambling companies.

Because the domain they are taking over is often abandoned or managed by non-technical people, its previous owner often doesn't notify anyone that they've lost control of their website, so it continues being referenced in genuine content, and it continues getting traffic from old links scattered throughout the internet.

teampiersma[.]org (screenshots below)
americankayak[.]org
getelevateapp[.]com
hotshotsarena[.]com
nehilp[.]org
questionner-le-numerique[.]org
sip-events[.]co[.]uk
studentlendinganalytics[.]com
thegallatincountynews[.]com

Comparison content:
2018: web.archive.org/web/2018011904
2025: web.archive.org/web/2025040109

“In this specific case, thanks to the capabilities of Sysmon, and particularly Event ID 22, we can easily gain insight into the subdomains that were used. For this case we observed TXT records being utilized for C2 communication rather than MX records. This can be identified by the "type: 16" in the Sysmon logs seen above.

Below is a sample list that, while not exhaustive, provides a clear example of the traffic patterns:”

The above is from a recent Private Threat Brief: "A MadMXShell Encore"

Services: thedfirreport.com/services/

Contact Us: thedfirreport.com/contact/
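One way to turn the Event ID 22 observation above into a detection, as an added example that is not from The DFIR Report or the original post: parse the Sysmon QueryResults field for the "type: 16" (TXT) marker and flag a process that looks up many distinct subdomains under one parent domain, which separates a beacon from a one-off SPF lookup. The sample events, process paths and the placeholder domain are constructed, and the parent-domain split is a naive last-two-labels assumption.

```python
import re
from collections import defaultdict

# Constructed sample Sysmon Event ID 22 (DnsQuery) records, reduced to the
# fields this check needs. In real telemetry these are EventData fields of the
# Microsoft-Windows-Sysmon/Operational event. All domains here are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "QueryName": "www.example.com",
     "QueryResults": "::ffff:93.184.216.34;"},                      # plain A answer, no prefix
    {"Image": r"C:\Program Files\Mail\mail.exe", "QueryName": "example.com",
     "QueryResults": "type: 16 v=spf1 -all;"},                       # single benign SPF TXT lookup
    {"Image": r"C:\Users\u\AppData\Local\Temp\updater.exe",
     "QueryName": "a1f3.beacon-placeholder.invalid", "QueryResults": "type: 16 ...;"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\updater.exe",
     "QueryName": "b72c.beacon-placeholder.invalid", "QueryResults": "type: 16 ...;"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\updater.exe",
     "QueryName": "09ee.beacon-placeholder.invalid", "QueryResults": "type: 16 ...;"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\updater.exe",
     "QueryName": "a1f3.beacon-placeholder.invalid", "QueryResults": "type: 16 ...;"},  # repeat
]

TXT_RECORD_TYPE = 16              # DNS TXT, shown by Sysmon as the "type: 16" prefix
DISTINCT_SUBDOMAIN_THRESHOLD = 3  # tune per environment; constructed value

def record_types(query_results):
    """Return the set of DNS record types in a Sysmon QueryResults string.
    Sysmon prefixes non-address answers with 'type: <n>'; bare addresses
    (A/AAAA answers) carry no prefix and therefore yield an empty set."""
    return {int(t) for t in re.findall(r"type:\s*(\d+)", query_results)}

def parent_domain(name):
    """Naive parent domain: the last two labels (assumption: no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def find_txt_c2_candidates(events, threshold=DISTINCT_SUBDOMAIN_THRESHOLD):
    """Group TXT lookups by (process image, parent domain) and return the groups
    whose number of distinct subdomains reaches the threshold."""
    seen = defaultdict(set)
    for ev in events:
        if TXT_RECORD_TYPE in record_types(ev["QueryResults"]):
            seen[(ev["Image"], parent_domain(ev["QueryName"]))].add(ev["QueryName"].lower())
    return {key: sorted(names) for key, names in seen.items() if len(names) >= threshold}

if __name__ == "__main__":
    for (image, parent), names in find_txt_c2_candidates(SAMPLE_EVENTS).items():
        print(f"{image} -> {len(names)} TXT subdomains under {parent}: {names}")
```

The single SPF lookup by the mail client stays below the threshold, while the repeated lookup of the same subdomain is counted once, so only the updater process with three distinct subdomains is reported.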

(gdatasoftware.com) Analysis of Vidar Stealer Masquerading as Microsoft's BGInfo Tool

gdatasoftware.com/blog/2025/04

Credential stealers are all the rage, and have been for the last few years. They are continuously pushing small iterative innovation steps towards obfuscation and increasing their chances of remaining undetected just long enough for them to do their thing.

G Data analyzed a recent sample of Vidar that appears to have "infected" a legitimate Microsoft Sysinternals tool called BGInfo. Expired digital signatures and other tell-tale signs, but nonetheless a very low level of detection on VT, only 5 at the time of analysis.

[Image: A man in tactical gear with glowing red accents is inspecting gold coins under a spotlight, with a holographic display in the background. The text reads: “Vidar Stealer: Exposing new deception strategy” and the bottom left corner shows the G DATA CyberDefense logo.]

www.gdatasoftware.com · Vidar Stealer: Revealing A New Deception Strategy: Vidar Stealer, an infamous information-stealing malware, first appeared in 2018 and has since been used by cybercriminals to harvest sensitive data via browser cookies, stored credentials and others. We discovered a variant of it inside a game that is available on Steam

Happy Monday everyone!

Just got done reading an incredible article from ESET researchers describing an APT group, long thought to be inactive, that is alive and well! #FamousSparrow is a China-aligned APT group that has had no publicly documented activity since 2022 and was found using two previously undocumented versions of their backdoor, SparrowDoor. They used a mix of publicly available and custom tools for their attack, ultimately leading to the deployment of SparrowDoor and ShadowPad (a privately sold backdoor). This report gets more and more interesting as you go, so please go take the time to read it! Enjoy and Happy Hunting!

You will always remember this as the day you finally caught FamousSparrow
welivesecurity.com/en/eset-res

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

www.welivesecurity.com · You will always remember this as the day you finally caught FamousSparrow: ESET researchers uncover the toolset used by the FamousSparrow APT group, including two undocumented versions of the group’s signature backdoor, SparrowDoor.

(google.com / Mandiant) Windows Remote Desktop Protocol: Remote to Rogue - Analysis of Novel Russian APT Campaign

cloud.google.com/blog/topics/t

As always, a very good write-up and detailed analysis of some novel use of RDP by Russian APTs. Involves signed RDP files and interesting proxy behaviour.

Worth reading (as always!)

#Cybersecurity #ThreatIntel #Russia #APT #RDP

Google Cloud Blog · Windows Remote Desktop Protocol: Remote to Rogue: A novel phishing campaign by Russia-nexus espionage actors targeting European government and military organizations.

LFTD Partners Inc. filed an 8K with the SEC for a cyber incident.

They purchased $350k in cryptocurrency... and immediately had it stolen.

“On April 1, 2025, the Company converted $350,000 of its cash into USD Coin (USDC), a digital stablecoin pegged to the U.S. dollar. Shortly thereafter, the digital wallet containing the USDC was compromised by an unauthorized and unknown third party, resulting in the theft of the full amount.”

sec.gov/ix?doc=/Archives/edgar