Lucy @lucy

Christoffer S.(securelist.com) New Arcane Stealer Distributed via YouTube Game Cheat Videos <a href="https://securelist.com/arcane-stealer/115919/" rel="nofollow noopener" translate="no" target="_blank">https://securelist.com/arcane-stealer/115919/</a>It's no secret that stealer logs on criminal markets often appear to also have "gamer" connections. It's thus no wonder that yet another stealer is targeting gamers.SecureList researchers discovered a new stealer malware named Arcane being distributed through YouTube videos promoting game cheats. The campaign initially used a Phemedrone Trojan variant branded as 'VGS' before switching to Arcane in late 2024. The distribution method involves YouTube videos with links to password-protected archives containing batch files that disable Windows SmartScreen and download additional malware. Later in the campaign, the threat actors began promoting ArcanaLoader, a tool supposedly for downloading game cheats but actually delivering the Arcane stealer. The malware primarily targets Russian-speaking users in Russia, Belarus, and Kazakhstan.<a href="https://swecyb.com/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybersecurity</a> <a href="https://swecyb.com/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatIntel</a> <a href="https://swecyb.com/tags/Gaming" class="mention hashtag" rel="nofollow noopener" target="_blank">#Gaming</a> <a href="https://swecyb.com/tags/YouTube" class="mention hashtag" rel="nofollow noopener" target="_blank">#YouTube</a> <a href="https://swecyb.com/tags/Stealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#Stealer</a> <a href="https://swecyb.com/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#Malware</a> <a href="https://swecyb.com/tags/ArcaneStealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#ArcaneStealer</a>

Xavier «X» Santolaria :verified_paw: :donor:<a href="https://infosec.exchange/@vulncheck" class="u-url mention" rel="nofollow noopener" target="_blank">@vulncheck</a> has raised $12 million in a Series A funding round to enhance its vulnerability intelligence platform. The funding, led by Ten Eleven Ventures, will help the company grow and expand internationally 🥳 <a href="https://vulncheck.com/press/series-a" rel="nofollow noopener" translate="no" target="_blank">https://vulncheck.com/press/series-a</a><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a>

Renée BurtonSome great work from Denis Sinegubko yesterday on a VexTrio affiliate who has been compromising websites for years. This is complex research coming in three parts and aligns with some of our own. A few highlights for me...sprinkling in some of our Infoblox work: * The DollyWorld actor is a VexTrio (specifically a Los Pollos) affiliate since 2016. Given that Los Pollos dates to 2015, this is an old partner. * Around November 20th, 2024, Los Pollos announced to their customers they would stop push monetization. I've written a lot on push monetization as a source of lingering evil. Whatever caused this change, it disrupted their affiliates. * DollyWorld actor and the DNS C2 TXT systems we have been tracking carefully (after all, it's DNS) both switched to Monetizer TDS at that point. Coincidence? * From Monetizer, both led to Propeller and delivered a variety of malicious content. * I had originally used germannautica[.]com to get the VexTrio hook and then later was able to trigger participates[.]cfd (Monetizer) through the same site. * Where VexTrio was just scams, the new TDS pattern also gave me malwareMost importantly -- scams pay! These affiliate actors are running for years on compromised sites and constantly updating their techniques. Why else would they keep going? <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#scam</a> <a href="https://infosec.exchange/tags/vextrio" class="mention hashtag" rel="nofollow noopener" target="_blank">#vextrio</a> <a href="https://www.godaddy.com/resources/news/dollyway-world-domination" rel="nofollow noopener" translate="no" target="_blank">https://www.godaddy.com/resources/news/dollyway-world-domination</a>

GreyNoise🚨 Resurgence of in-the-wild activity targeting critical ServiceNow vulns. Overwhelming majority of traffic hitting Israel. Full analysis ⬇️ <a href="https://www.greynoise.io/blog/in-the-wild-activity-targeting-critical-servicenow-vulnerabilities" rel="nofollow noopener" translate="no" target="_blank">https://www.greynoise.io/blog/in-the-wild-activity-targeting-critical-servicenow-vulnerabilities</a> <a href="https://infosec.exchange/tags/ServiceNow" class="mention hashtag" rel="nofollow noopener" target="_blank">#ServiceNow</a> <a href="https://infosec.exchange/tags/CVE" class="mention hashtag" rel="nofollow noopener" target="_blank">#CVE</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatIntel</a>

cR0w :cascadia:EITW 0day? Sure, Happy Tuesday. This one is worth reading.<a href="https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html" rel="nofollow noopener" translate="no" target="_blank">https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html</a><blockquote>Trend Zero Day Initiative™ (ZDI) identified nearly 1,000 malicious .lnk files abusing ZDI-CAN-25373, a vulnerability that allows attackers to execute hidden malicious commands on a victim’s machine by leveraging crafted shortcut files.The attacks leverage hidden command line arguments within .lnk files to execute malicious payloads, complicating detection. The exploitation of ZDI-CAN-25373 exposes organizations to significant risks of data theft and cyber espionage.The vulnerability has been exploited by state-sponsored APT groups from North Korea, Iran, Russia, and China. Organizations across the government, financial, telecommunications, military, and energy sectors have been affected in North America, Europe, Asia, South America, and Australia.Organizations should immediately scan and ensure security mitigations for ZDI-CAN-25373, maintain vigilance against suspicious .lnk files, and ensure comprehensive endpoint and network protection measures are in place to detect and respond to this threat. Trend Micro customers are protected from possible attempts to exploit the vulnerability via rules and filters that were released in October 2024 and January 2025.</blockquote><a href="https://www.zerodayinitiative.com/advisories/ZDI-25-148/" rel="nofollow noopener" translate="no" target="_blank">https://www.zerodayinitiative.com/advisories/ZDI-25-148/</a><blockquote>This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of .LNK files. Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user.</blockquote>Edit to add <a href="https://infosec.exchange/tags/threatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatIntel</a>

Christoffer S.The cybersecurity community is on fire today! There is so much new content being pushed out today, it's quite hard to keep up!But please keep on doing it! 🙂 <a href="https://swecyb.com/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybersecurity</a> <a href="https://swecyb.com/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatIntel</a>

nemo™ 🇺🇦New stealthy malware alert! 🚨 Microsoft uncovers StilachiRAT, a RAT targeting user data with advanced evasion techniques. It steals credentials, monitors RDP sessions & grabs crypto wallet info. Protect yourself! 🛡️ More info: <a href="https://cyberinsider.com/microsoft-uncovers-new-stealthy-malware-stilachirat-targeting-user-data/" rel="nofollow noopener" translate="no" target="_blank">https://cyberinsider.com/microsoft-uncovers-new-stealthy-malware-stilachirat-targeting-user-data/</a> <a href="https://mas.to/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://mas.to/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://mas.to/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://mas.to/tags/newz" class="mention hashtag" rel="nofollow noopener" target="_blank">#newz</a>

Ian CampbellI'm super proud of my employer <a href="https://infosec.exchange/@DomainTools" class="u-url mention" rel="nofollow noopener" target="_blank">@DomainTools</a> and our DT Investigations team under <a href="https://infosec.exchange/@danonsecurity" class="u-url mention" rel="nofollow noopener" target="_blank">@danonsecurity</a> today. Consider this historical analysis piece on Russian disinfo actors the first of many disinformation-related pieces to come!<a href="https://masto.deoan.org/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://masto.deoan.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://masto.deoan.org/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://dti.domaintools.com/domain-registrars-powering-russian-disinformation/?utm_source=Mastodon&utm_medium=Social&utm_campaign=disinformation" rel="nofollow noopener" translate="no" target="_blank">https://dti.domaintools.com/domain-registrars-powering-russian-disinformation/?utm_source=Mastodon&utm_medium=Social&utm_campaign=disinformation</a>

The Spamhaus ProjectWe strongly recommend against providing services to entities whose AS or IP networks are listed in Spamhaus (ASN-)DROP - learn more here 👉 <a href="https://www.spamhaus.org/blocklists/do-not-route-or-peer/" rel="nofollow noopener" translate="no" target="_blank">https://www.spamhaus.org/blocklists/do-not-route-or-peer/</a><a href="https://infosec.exchange/tags/BulletproofHosting" class="mention hashtag" rel="nofollow noopener" target="_blank">#BulletproofHosting</a> <a href="https://infosec.exchange/tags/DROP" class="mention hashtag" rel="nofollow noopener" target="_blank">#DROP</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatIntel</a> <a href="https://infosec.exchange/tags/Botnets" class="mention hashtag" rel="nofollow noopener" target="_blank">#Botnets</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a>

Christoffer S.Sekoia: <a href="https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/" rel="nofollow noopener" translate="no" target="_blank">https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/</a>A few days ago Brian Krebs wrote about ClickFix, and now Sekoia has written a technical deep dive of said malicious framework.In the Sekoia report they analyze the evolution of ClearFake, a malicious JavaScript framework that compromises legitimate websites to deliver malware through drive-by downloads. Since its emergence in July 2023, ClearFake has evolved from displaying fake browser updates to using sophisticated social engineering tactics called 'ClickFix' that trick users into executing malicious PowerShell code. The latest variant (December 2024-February 2025) uses fake reCAPTCHA or Cloudflare Turnstile verifications alongside technical issues to deceive users. ClearFake leverages the Binance Smart Chain through a technique called 'EtherHiding' to store malicious code, making it impossible to remove. The framework has infected thousands of websites and is actively distributing Lumma Stealer and Vidar Stealer malware.<a href="https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/" rel="nofollow noopener" translate="no" target="_blank">https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/</a><a href="https://infosec.exchange/@briankrebs" class="u-url mention" rel="nofollow noopener" target="_blank">@briankrebs</a> <a href="https://infosec.exchange/@sekoia_io" class="u-url mention" rel="nofollow noopener" target="_blank">@sekoia_io</a> <a href="https://swecyb.com/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurity</a> <a href="https://swecyb.com/tags/ClickFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#ClickFix</a> <a href="https://swecyb.com/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatIntel</a>

r1cksecAn analysis for the latest variant of LockBit ransomware🕵️‍♂️<a href="https://chuongdong.com/reverse%20engineering/2025/03/15/Lockbit4Ransomware/" rel="nofollow noopener" translate="no" target="_blank">https://chuongdong.com/reverse%20engineering/2025/03/15/Lockbit4Ransomware/</a><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#ransomware</a>

nemo™ 🇺🇦Stay informed on the latest cybersecurity threats! 🚨 This week's recap covers router hacks, PyPI package vulnerabilities, and more. Learn how attackers are evolving and how to stay secure. 🛡️🔗 <a href="https://thehackernews.com/2025/03/thn-weekly-recap-router-hacks-pypi.html" rel="nofollow noopener" translate="no" target="_blank">https://thehackernews.com/2025/03/thn-weekly-recap-router-hacks-pypi.html</a> <a href="https://mas.to/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://mas.to/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://mas.to/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://mas.to/tags/newz" class="mention hashtag" rel="nofollow noopener" target="_blank">#newz</a>

cR0w :cascadia:Looks like the yesware dot com free plan is another one getting abused by scammers. Maybe not news to y'all but this is the first one I've seen from them. :-/<code>t.yesware.com</code><a href="https://infosec.exchange/tags/threatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatIntel</a>

Brian ClarkThe new Abuse.ch hunting platform looks really useful. Another great place to get <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> and enrich your investigations with their data <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> From: <a href="https://ioc.exchange/@abuse_ch" class="u-url mention" rel="nofollow noopener" target="_blank">@abuse_ch</a> <a href="https://ioc.exchange/@abuse_ch/114144366546021640" rel="nofollow noopener" translate="no" target="_blank">https://ioc.exchange/@abuse_ch/114144366546021640</a>

Christoffer S.I just published the source code for my very naive <a href="https://swecyb.com/tags/Python" class="mention hashtag" rel="nofollow noopener" target="_blank">#Python</a> implementation for generating a node network based on MITRE Intrusion Sets and Techniques. It will output linked <a href="https://swecyb.com/tags/Markdown" class="mention hashtag" rel="nofollow noopener" target="_blank">#Markdown</a> files linking intrusion sets to their used techniques.Perhaps someone finds it useful or interesting to experiment with.Source code: <a href="https://github.com/cstromblad/markdown_node" rel="nofollow noopener" translate="no" target="_blank">https://github.com/cstromblad/markdown_node</a>I hinted at this in a thread started by <a href="https://mastodon.social/@Viss" class="u-url mention" rel="nofollow noopener" target="_blank">@Viss</a> where he asked for input on a few very likely malicious domains. Me <a href="https://mastodon.social/@Viss" class="u-url mention" rel="nofollow noopener" target="_blank">@Viss</a> <a href="https://infosec.exchange/@cR0w" class="u-url mention" rel="nofollow noopener" target="_blank">@cR0w</a> <a href="https://masto.deoan.org/@neurovagrant" class="u-url mention" rel="nofollow noopener" target="_blank">@neurovagrant</a> and others did some OSINT fun work with a couple of the original domains.It was this thread: <a href="https://mastodon.social/@Viss/114145122623079635" rel="nofollow noopener" translate="no" target="_blank">https://mastodon.social/@Viss/114145122623079635</a>Now I posted a picture of a node network rendered in Obsidian and I hinted that perhaps Obsidian could be used as a poor mans version of performing threat intelligence work.<a href="https://swecyb.com/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatIntel</a> <a href="https://swecyb.com/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatIntelligence</a> <a href="https://swecyb.com/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybersecurity</a> <a href="https://swecyb.com/tags/Obsidian" class="mention hashtag" rel="nofollow noopener" target="_blank">#Obsidian</a>

Brian ClarkThe free service from portmap.io is being abused to support malware C2 communications. If you don’t use it, I suggest blocking *.portmap.io via DNS, NGFW and/or web proxy.<a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> From: <a href="https://infosec.exchange/@ScumBots" class="u-url mention" rel="nofollow noopener" target="_blank">@ScumBots</a> <a href="https://infosec.exchange/@ScumBots/114167879065509347" rel="nofollow noopener" translate="no" target="_blank">https://infosec.exchange/@ScumBots/114167879065509347</a>

Tim (Wadhwa-)Brown :donor:A decent explanation of the Apache TomCat bug I posted a link to the PoC for earlier:<a href="https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html" rel="nofollow noopener" translate="no" target="_blank">https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html</a><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a>, <a href="https://infosec.exchange/tags/tomcat" class="mention hashtag" rel="nofollow noopener" target="_blank">#tomcat</a>, <a href="https://infosec.exchange/tags/java" class="mention hashtag" rel="nofollow noopener" target="_blank">#java</a>

Brian ClarkI suggest searching your <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#Microsoft</a> EntraID logs for successful sign-ins using one of these user agents identified by Proofpoint. Any successful logins are likely malicious. <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> From: <a href="https://infosec.exchange/@threatinsight" class="u-url mention" rel="nofollow noopener" target="_blank">@threatinsight</a> <a href="https://infosec.exchange/@threatinsight/114162150433883955" rel="nofollow noopener" translate="no" target="_blank">https://infosec.exchange/@threatinsight/114162150433883955</a>

Infoblox Threat IntelThreat actors often have their favorite TLDs. This month we've found the following TLDs to have the highest risk. The top 5 retain their spot from last month, with the TLD .bond topping the chart with a risk score of 10. This is rare and only happens when the percentage of risky domains is at least 4.5 standard deviations above the mean. Congratulations, I guess?An explanation and minimum-working-example of our reputation algorithm can be found here: <a href="https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/" rel="nofollow noopener" translate="no" target="_blank">https://blogs.infoblox.com/threat-intelligence/reliable-reputation-scoring/</a><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a>

Kevin BeaumontThese have all been shut down. <a href="https://cyberplace.social/tags/noname" class="mention hashtag" rel="nofollow noopener" target="_blank">#noname</a> <a href="https://cyberplace.social/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#threatintel</a> <a href="https://cyberplace.social/@GossiTheDog/113596971515491145" rel="nofollow noopener" translate="no" target="_blank">https://cyberplace.social/@GossiTheDog/113596971515491145</a>

Recent searches

Search options

Administered by:

Server stats:

#ThreatIntel