#cobaltstrike

emt Technology Distribution<p>Are you ready to outsmart cyber threats with advanced adversary simulation? 🤖</p><p>It&#39;s time to master the art of Adversary Simulation with @Fortra Cobalt Strike!</p><p>Simulate advanced adversary tactics, collaborate on realistic red team engagements, and elevate your operations with a flexible and innovative framework. </p><p>👉Request a Demo with <span class="h-card" translate="no"><a href="https://mastodon.social/@emt" class="u-url mention">@<span>emt</span></a></span> Distribution META: <a href="https://zurl.co/4PRzL" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="">zurl.co/4PRzL</span><span class="invisible"></span></a> </p><p><a href="https://mastodon.social/tags/CobaltStrike" class="mention hashtag" rel="tag">#<span>CobaltStrike</span></a> <a href="https://mastodon.social/tags/RedTeaming" class="mention hashtag" rel="tag">#<span>RedTeaming</span></a> <a href="https://mastodon.social/tags/CyberSecurity" class="mention hashtag" rel="tag">#<span>CyberSecurity</span></a> <a href="https://mastodon.social/tags/AdversarySimulation" class="mention hashtag" rel="tag">#<span>AdversarySimulation</span></a> <a href="https://mastodon.social/tags/emtDisti" class="mention hashtag" rel="tag">#<span>emtDisti</span></a></p>
Sajid Nawaz Khan :donor:<p>For hobbyist Cobalt Strike Beacon collectors, note that the recently announced 4.11 update introduces a number of changes to frustrate Beacon configuration extraction, namely through the new `transform-obfuscate` field.</p><p>When set, this field can apply multiple layers of encoding, encryption and compression (with some recent Beacons observed with a 32 byte XOR key, configurable up to 2048 bytes!).</p><p>While still reasonably trivial to decode manually, standard automated workflows (say, through the SentinelOne parser) will now fail, not least because of changes to the well-known field markers.</p><p>Beacons with these characteristics have thus far been observed with watermarks indicative of licensed instances, though I imagine it is only a matter of time before the 4.11 capabilities become accessible to all manner of miscreants.</p><p>A sample configuration, via a staged Beacon on 104.42.26[.]200 is attached, including the three distinct XOR keys used to decode it.</p><p><a href="https://www.cobaltstrike.com/blog/cobalt-strike-411-shh-beacon-is-sleeping" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cobaltstrike.com/blog/cobalt-s</span><span class="invisible">trike-411-shh-beacon-is-sleeping</span></a></p><p><a href="https://infosec.exchange/tags/cobaltstrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cobaltstrike</span></a> <a href="https://infosec.exchange/tags/malwareanalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malwareanalysis</span></a> <a href="https://infosec.exchange/tags/forensics" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>forensics</span></a> <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>blueteam</span></a></p>
Red-Team News<p>New analysis: <a href="https://infosec.exchange/tags/TrojanW97M" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TrojanW97M</span></a> exploits <a href="https://infosec.exchange/tags/CVE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE</span></a>-2021-40444 in Office docs to run remote code, dropping <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a> beacons. Patch now and watch for suspicious CAB/DLL files. Details: <a href="https://redteamnews.com/exploit/cve/trojan-w97m-cve202140444-a-analyzing-the-microsoft-office-exploit-that-enables-remote-code-execution/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">redteamnews.com/exploit/cve/tr</span><span class="invisible">ojan-w97m-cve202140444-a-analyzing-the-microsoft-office-exploit-that-enables-remote-code-execution/</span></a></p>
The Threat Codex<p>Cobalt Strike 4.11: Shhhhhh, Beacon is Sleeping....<br><a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a> <br><a href="https://www.cobaltstrike.com/blog/cobalt-strike-411-shh-beacon-is-sleeping" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cobaltstrike.com/blog/cobalt-s</span><span class="invisible">trike-411-shh-beacon-is-sleeping</span></a></p>
Sajid Nawaz Khan :donor:<p>If you're not already blocking DoH services through your proxy, now might be a good time to re-evaluate:</p><p>"Cobalt Strike 4.11 introduces a DNS over HTTPS (DoH) Beacon, which provides another stealthy network egress option for Cobalt Strike users. Assuming DNS C2 infrastructure has already been configured, using the DoH Beacon is as simple as enabling it on payload generation, as demonstrated below, and it will run out-of-the-box with all the default options.</p><p>By default, Beacon will use mozilla.cloudflare-dns.com,cloudflare-dns.com as its target DoH-compatible DNS server. However, you can configure Beacon’s DoH settings via Malleable C2”:</p><p><a href="https://www.cobaltstrike.com/blog/cobalt-strike-411-shh-beacon-is-sleeping" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cobaltstrike.com/blog/cobalt-s</span><span class="invisible">trike-411-shh-beacon-is-sleeping</span></a> </p><p><a href="https://infosec.exchange/tags/cobaltstrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cobaltstrike</span></a></p>
OTX Bot<p>South Korean Organizations Targeted by Cobalt Strike 'Cat' Delivered by a Rust Beacon</p><p>An exposed web server containing tools for an intrusion campaign targeting South Korean organizations was identified. The server hosted a Rust-compiled Windows executable delivering Cobalt Strike Cat, along with SQLMap, Web-SurvivalScan, and dirsearch. The threat actor used these tools to identify and exploit vulnerable web applications, targeting government and commercial entities. The campaign utilized a Rust-compiled loader with a modified version of Cobalt Strike, providing insight into the actor's malware delivery and post-exploitation techniques. Analysis revealed reconnaissance tools, SQL injection exploitation, and malware delivery components, with logs confirming beacon activity from compromised hosts. The attackers used MinGW- and Rust-compiled loaders to deploy Cobalt Strike Cat and Marte shellcode.</p><p>Pulse ID: 67d9dea6c8851b91e47b9b5e<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67d9dea6c8851b91e47b9b5e" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67d9d</span><span class="invisible">ea6c8851b91e47b9b5e</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-18 20:59:18</p><p>Be advised, this data is unverified and should be considered preliminary. 
Always do further verification.</p><p><a href="https://social.raytec.co/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Government" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Government</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Korea" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Korea</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Rust</span></a> <a href="https://social.raytec.co/tags/SQL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SQL</span></a> <a href="https://social.raytec.co/tags/ShellCode" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ShellCode</span></a> <a href="https://social.raytec.co/tags/SouthKorea" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SouthKorea</span></a> <a href="https://social.raytec.co/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bot</span></a> <a 
href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>Unmasking the new persistent attacks on Japan</p><p>An unknown attacker has been targeting organizations in Japan since January 2025, exploiting CVE-2024-4577, a remote code execution vulnerability in PHP-CGI on Windows. The attacker uses the Cobalt Strike kit 'TaoWu' for post-exploitation activities, including reconnaissance, privilege escalation, persistence establishment, and credential theft. Targeted sectors include technology, telecommunications, entertainment, education, and e-commerce. The attack involves exploiting the vulnerability, executing PowerShell scripts, and using various tools for system compromise. The attacker's techniques are similar to those of the 'Dark Cloud Shield' group, but attribution remains uncertain. A pre-configured installer script found on the C2 server deploys multiple adversarial tools and frameworks, indicating potential for future attacks.</p><p>Pulse ID: 67c9f6c4232a8b4665784c45<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67c9f6c4232a8b4665784c45" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67c9f</span><span class="invisible">6c4232a8b4665784c45</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-06 19:25:56</p><p>Be advised, this data is unverified and should be considered preliminary. 
Always do further verification.</p><p><a href="https://social.raytec.co/tags/Cloud" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cloud</span></a> <a href="https://social.raytec.co/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Education" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Education</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Japan" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Japan</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/PHP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PHP</span></a> <a href="https://social.raytec.co/tags/PowerShell" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PowerShell</span></a> <a href="https://social.raytec.co/tags/RCE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RCE</span></a> <a href="https://social.raytec.co/tags/RemoteCodeExecution" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RemoteCodeExecution</span></a> <a href="https://social.raytec.co/tags/Telecom" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Telecom</span></a> <a href="https://social.raytec.co/tags/Telecommunication" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>Telecommunication</span></a> <a href="https://social.raytec.co/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vulnerability</span></a> <a href="https://social.raytec.co/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AlienVault</span></a></p>
OTX Bot<p>2024 Malicious Infrastructure Insights: Key Trends and Threats</p><p>The report highlights significant trends in malicious infrastructure for 2024, including the rise of malware-as-a-service infostealers, continued dominance of Cobalt Strike among offensive security tools, and increased use of legitimate services by threat actors. Key findings include LummaC2's dominance in command-and-control servers, AsyncRAT and Quasar RAT remaining top remote access tools, and Android being the primary target for mobile malware. The US and China were the top malicious hosting locations, while traffic distribution systems enhanced cybercrime efficiency. Chinese state-sponsored groups expanded their use of relay networks, and Russian groups increasingly relied on legitimate services to evade detection. The report suggests defenders should prioritize top malware and infrastructure techniques, enhance network monitoring, and balance blocking high-risk services based on criticality and risk level.</p><p>Pulse ID: 67c200b060cf2c2afc6913f0<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67c200b060cf2c2afc6913f0" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67c20</span><span class="invisible">0b060cf2c2afc6913f0</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-02-28 18:30:08</p><p>Be advised, this data is unverified and should be considered preliminary. 
Always do further verification.</p><p><a href="https://social.raytec.co/tags/Android" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Android</span></a> <a href="https://social.raytec.co/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AsyncRAT</span></a> <a href="https://social.raytec.co/tags/China" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>China</span></a> <a href="https://social.raytec.co/tags/Chinese" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Chinese</span></a> <a href="https://social.raytec.co/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a> <a href="https://social.raytec.co/tags/CyberCrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberCrime</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/InfoStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoStealer</span></a> <a href="https://social.raytec.co/tags/LummaC2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LummaC2</span></a> <a href="https://social.raytec.co/tags/Mac" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Mac</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/MalwareAsAService" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MalwareAsAService</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/Russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Russia</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AlienVault</span></a></p>
Inferior Being 🔞⚛️<p>Because the infosec community is too beholden to the corporations and are afraid of sharing information, here&#39;s the BlackBasta chat logs: </p><p><a href="https://drive.proton.me/urls/6QXMTA2M8C#YbYBbPXiE7eJ" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">drive.proton.me/urls/6QXMTA2M8</span><span class="invisible">C#YbYBbPXiE7eJ</span></a></p><p><a href="https://mastodon.social/tags/blackbasta" class="mention hashtag" rel="tag">#<span>blackbasta</span></a> <a href="https://mastodon.social/tags/theratintel" class="mention hashtag" rel="tag">#<span>theratintel</span></a> <a href="https://mastodon.social/tags/cti" class="mention hashtag" rel="tag">#<span>cti</span></a> <a href="https://mastodon.social/tags/BlackBasta" class="mention hashtag" rel="tag">#<span>BlackBasta</span></a> <a href="https://mastodon.social/tags/CobaltStrike" class="mention hashtag" rel="tag">#<span>CobaltStrike</span></a></p>
Saltmyhash<p>BlackBasta Data Leak Analysis: CobaltStrike Team Servers</p><p>Retrohunt for outbound connections to these addresses. Validate your own CTI findings as a result of any potential hits in your environment. I’m just a person on the internet sharing information.</p><p><a href="https://infosec.exchange/tags/cti" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cti</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/BlackBasta" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BlackBasta</span></a> <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a></p>
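One way to act on two of the posts above (the DoH egress note on Cobalt Strike 4.11 and the retrohunt suggestion for team-server addresses), as an added example that is not code from either poster: a small Python retrohunt over proxy access logs that refangs a defanged indicator list and flags DNS-over-HTTPS egress. The log format, the indicator values (RFC 5737 TEST-NET addresses) and the sample lines are constructed; only the two resolver hostnames come from the quoted Cobalt Strike blog text.

```python
"""Retrohunt over proxy access logs for two of the signals discussed above:
outbound connections to a defanged indicator list, and DNS-over-HTTPS egress.

Added example; not code from any post on this page. Log format, indicator
values (RFC 5737 TEST-NET ranges) and sample lines are all constructed.
"""
import re
from collections import defaultdict

# Indicators as they are typically shared in CTI posts: defanged with "[.]".
# Constructed placeholders, not the addresses from the BlackBasta post.
DEFANGED_IOCS = """
192[.]0[.]2[.]44
198[.]51[.]100[.]7
203[.]0[.]113[.]250
"""

# Resolver names quoted from the Cobalt Strike 4.11 post above, plus the
# RFC 8484 request path and media type as generic (resolver-agnostic) signals.
DOH_RESOLVERS = {"mozilla.cloudflare-dns.com", "cloudflare-dns.com"}
DOH_PATH = "/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"

# Constructed proxy log, one request per line:
#   <epoch> <src_ip> <dst_host> <dst_ip> <method> <url> <status> <content_type>
SAMPLE_LOG = """\
# constructed sample, not a real capture
1710000001 10.0.5.23 www.example.org 192.0.2.10 CONNECT www.example.org:443 200 -
1710000002 10.0.5.23 198.51.100.7 198.51.100.7 CONNECT 198.51.100.7:443 200 -
1710000003 10.0.5.40 mozilla.cloudflare-dns.com 192.0.2.53 POST https://mozilla.cloudflare-dns.com/dns-query 200 application/dns-message
1710000004 10.0.5.40 dns.example.net 203.0.113.9 GET https://dns.example.net/dns-query?dns=AAABAAAB 200 application/dns-message
1710000005 10.0.5.77 updates.example.com 203.0.113.250 GET http://updates.example.com/x.cab 200 application/vnd.ms-cab-compressed
1710000006 10.0.5.23 www.example.org 192.0.2.10 GET https://www.example.org/about 200 text/html
"""

_SCHEME_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://[^/]*", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo common defanging so an indicator can be compared to log fields."""
    value = indicator.strip().lower()
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return value.replace("hxxp://", "http://").replace("hxxps://", "https://")


def load_iocs(text: str) -> set:
    """Refang a newline-separated indicator list into a lookup set."""
    return {refang(line) for line in text.splitlines() if line.strip()}


def parse_line(line: str):
    """Parse one log line into a dict; return None for comments/malformed lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 8:
        return None
    ts, src, host, dst_ip, method, url, status, ctype = parts
    return {"ts": int(ts), "src": src, "host": host.lower(), "dst_ip": dst_ip,
            "method": method, "url": url, "status": int(status), "ctype": ctype}


def classify(rec: dict, iocs: set) -> tuple:
    """Label a record: IOC hit (by host or IP), known DoH resolver, or generic DoH."""
    labels = []
    if rec["dst_ip"] in iocs or rec["host"] in iocs:
        labels.append("ioc-match")
    # Path is only meaningful for absolute URLs; CONNECT lines carry host:port.
    path = _SCHEME_HOST.sub("", rec["url"]).split("?", 1)[0]
    if rec["host"] in DOH_RESOLVERS:
        labels.append("doh-known-resolver")
    elif path == DOH_PATH or rec["ctype"] == DOH_MEDIA_TYPE:
        labels.append("doh-generic")
    return tuple(labels)


def retrohunt(log_text: str, ioc_text: str) -> dict:
    """Map each internal source IP to the list of (ts, dst_host, labels) it triggered."""
    iocs = load_iocs(ioc_text)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        labels = classify(rec, iocs)
        if labels:
            findings[rec["src"]].append((rec["ts"], rec["host"], labels))
    return dict(findings)


if __name__ == "__main__":
    for src, hits in sorted(retrohunt(SAMPLE_LOG, DEFANGED_IOCS).items()):
        for ts, host, labels in hits:
            print(f"{src} -> {host} @ {ts}: {', '.join(labels)}")
```

The generic DoH labels (request path and media type) only fire on decrypted or explicit-proxy traffic; a CONNECT tunnel to an unlisted resolver will only be caught by extending DOH_RESOLVERS.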
Anonymous 🐈️🐾☕🍵🏴🇵🇸 :af:<p>Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access. <a href="https://kolektiva.social/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a> <a href="https://kolektiva.social/tags/haking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>haking</span></a> <a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-cityworks-rce-bug-to-breach-microsoft-iis-servers/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/hackers-exploit-cityworks-rce-bug-to-breach-microsoft-iis-servers/</span></a></p>
dritsec<p><a href="https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">thedfirreport.com/2025/01/27/c</span><span class="invisible">obalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/</span></a></p><p>Interesting Case Study by dfirreport</p><p><a href="https://social.tchncs.de/tags/dfir" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dfir</span></a> <a href="https://social.tchncs.de/tags/blueteam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>blueteam</span></a> <a href="https://social.tchncs.de/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://social.tchncs.de/tags/cobaltstrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cobaltstrike</span></a> <a href="https://social.tchncs.de/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ransomware</span></a> <a href="https://social.tchncs.de/tags/LockBitRansomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LockBitRansomware</span></a></p>
emt Technology Distribution<p>Are you ready to outsmart cyber threats with advanced adversary simulation? 🤖</p><p>It&#39;s time to master the art of Adversary Simulation with @Fortra Cobalt Strike!</p><p>Simulate advanced adversary tactics, collaborate on realistic red team engagements, and elevate your operations with a flexible and innovative framework. </p><p>👉Request a DEMO with <span class="h-card" translate="no"><a href="https://mastodon.social/@emt" class="u-url mention">@<span>emt</span></a></span> Distribution META : <a href="https://zurl.co/yxekb" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="">zurl.co/yxekb</span><span class="invisible"></span></a> </p><p><a href="https://mastodon.social/tags/CobaltStrike" class="mention hashtag" rel="tag">#<span>CobaltStrike</span></a> <a href="https://mastodon.social/tags/RedTeaming" class="mention hashtag" rel="tag">#<span>RedTeaming</span></a> <a href="https://mastodon.social/tags/CyberSecurity" class="mention hashtag" rel="tag">#<span>CyberSecurity</span></a> <a href="https://mastodon.social/tags/AdversarySimulation" class="mention hashtag" rel="tag">#<span>AdversarySimulation</span></a> <a href="https://mastodon.social/tags/emtDisti" class="mention hashtag" rel="tag">#<span>emtDisti</span></a></p>
The DFIR Report<p>Stolen Images Campaign Ends in Conti Ransomware</p><p>➡️Initial Access: Stolen Images IcedID Campaign<br>➡️Discovery: net, ipconfig, Invoke-ShareFinder, chcp, etc.<br>➡️Persistence: Scheduled Task &amp; Atera Agent<br>➡️C2: <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a> &amp; Atera<br>➡️Impact: Conti Ransomware</p><p><a href="https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">thedfirreport.com/2022/04/04/s</span><span class="invisible">tolen-images-campaign-ends-in-conti-ransomware/</span></a></p>
Anonymous 🐈️🐾☕🍵🏴🇵🇸 :af:<p>🚨 New red team tool Splinter discovered by Palo Alto's Unit 42. Not as advanced as <a href="https://kolektiva.social/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a>, but still a threat if misused. Built with Rust, it enables process injection &amp; C2 communication.</p><p><a href="https://thehackernews.com/2024/09/cybersecurity-researchers-warn-of-new.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">thehackernews.com/2024/09/cybe</span><span class="invisible">rsecurity-researchers-warn-of-new.html</span></a></p><p>Cyber pros, stay alert!</p><p><a href="https://kolektiva.social/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
Just Another Blue Teamer<p>Happy Monday everyone!</p><p>The researchers at Trend Micro witnessed a threat group named <a href="https://ioc.exchange/tags/EarthBaxia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EarthBaxia</span></a> conducting spear-phishing campaigns and exploiting a vulnerability in the open source geospatial data sharing server, GeoServer. </p><p>Something interesting to note, and there is a lot here, is that the adversary utilized a tool commonly seen in attacks, which is <a href="https://ioc.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a>. The thing to note here is that they customized the version they had which removed the MZ header, which is most likely a defense-evasion technique to get around security tools. </p><p>This technique goes to show that while adversaries may continue to use off-the-shelf and publicly available tools, some will go as far as taking the time and effort to modify them to become undetectable. 
Enjoy and Happy Hunting!</p><p>Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC<br><a href="https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">trendmicro.com/en_us/research/</span><span class="invisible">24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html</span></a></p><p>Intel 471 <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntel</span></a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatHunting</span></a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatDetection</span></a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HappyHunting</span></a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>readoftheday</span></a> Cyborg Security, Now Part of Intel 471</p>
Malwar3Ninja | Threatview.io<p>[Threatview.io] Detection Tip: </p><p>If you see an IP/domain getting blocked with the reason “ET Threatview.io High Confidence Cobalt Strike C2” in your Suricata rules, you have blocked and detected <a href="https://infosec.exchange/tags/cobaltstrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cobaltstrike</span></a> in your network. Please do host analysis to understand the impact. </p><p><a href="https://infosec.exchange/tags/threatfeeds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatfeeds</span></a> <br><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dfir</span></a></p>
Malwar3Ninja | Threatview.io<p>[Threatview.io]⚡️Glad to see <a href="https://infosec.exchange/tags/cobaltstrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cobaltstrike</span></a> detections based on IOCs detected by our scanner present in Suricata Signatures - “ET Threatview.io High Confidence Cobalt Strike C2”</p><p>🚀 More new detection rules updated for C2 &amp; <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a></p><p><a href="https://infosec.exchange/tags/dfirreport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dfirreport</span></a></p><p><a href="https://thedfirreport.com/2024/08/26/blacksuit-ransomware/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">thedfirreport.com/2024/08/26/b</span><span class="invisible">lacksuit-ransomware/</span></a></p>
Anonymous 🐈️🐾☕🍵🏴🇵🇸 :af:<p><a href="https://kolektiva.social/tags/APT32" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>APT32</span></a> has been exploiting spear-phishing to infiltrate and compromise a Vietnamese human rights organization for over four years. They deployed <a href="https://kolektiva.social/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a> Beacons to steal sensitive data, including Google Chrome cookies and personal information. <a href="https://thehackernews.com/2024/08/vietnamese-human-rights-group-targeted.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">thehackernews.com/2024/08/viet</span><span class="invisible">namese-human-rights-group-targeted.html</span></a></p>
The Threat Codex<p>BlackSuit Ransomware<br><a href="https://infosec.exchange/tags/BlackSuitRansomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BlackSuitRansomware</span></a> <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CobaltStrike</span></a> <a href="https://infosec.exchange/tags/BloodHound" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BloodHound</span></a> <a href="https://infosec.exchange/tags/SystemBC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SystemBC</span></a> <br><a href="https://thedfirreport.com/2024/08/26/blacksuit-ransomware/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">thedfirreport.com/2024/08/26/b</span><span class="invisible">lacksuit-ransomware/</span></a></p>