I just published the source code for my very naive #Python implementation for generating a node network based on MITRE Intrusion Sets and Techniques. It will output linked #Markdown files linking intrusion sets to their used techniques.

Perhaps someone finds it useful or interesting to experiment with.

Source code: https://github.com/cstromblad/markdown_node

I hinted at this in a thread started by @Viss where he asked for input on a few very likely malicious domains. Me @Viss @cR0w @neurovagrant and others did some OSINT fun work with a couple of the original domains.

It was this thread: https://mastodon.social/@Viss/114145122623079635

Now I posted a picture of a node network rendered in Obsidian and I hinted that perhaps Obsidian could be used as a poor mans version of performing threat intelligence work.

There is a new #Fediverse bot that facilitates web forensic analysis of websites.

You can submit a domain for crawling by messaging @lookyloo, and it will respond with the analysis results.

#cybersecurity #threatintel #dfir

services is provided by @circl

https://lookyloo.circl.lu

Thanks to @rafi0t for the new bot.

3 different VMware zero days, under active exploitation by ransomware group

CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion
VMware Cloud Foundation
VMware Telco Cloud Platform

(Exploitation actually ESXi)

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

While everyone is enjoying Carnival in Brazil, threat actors are still out there trying to lure people into their traps. We have found a cluster of lookalikes to the Brazilian DMV office (DETRAN in Portuguese). We observed at least two instances where they were impersonating the DMV office for the Brazilian states of Paraná and Maranhão.

The actor(s) create domains with the same label, but on several different TLDs (mostly highly abused). Here are some examples of what they look like.

consultes-seu-debitos2025.<space|site|shop|cloud>
debitos-sp-2025.<club|com|lat|net|online|store|xyz>
de3trasn2025.<click|fun|life|online|xyz>
departamentodetran2025.<click|icu|lat>
detran2025.<click|icu|lat|sbs>
l1cenciamento-detran2025.<click|icu|lat|sbs>

#lookalikes #dns #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel

https://urlscan.io/result/802374b7-6c8b-433b-b6e0-32561f74b7d3/
https://urlscan.io/result/721b12bb-d5fe-4c7e-b2b5-724e07aa22e0/

Lumma Stealer is currently one of the most popular malware. Campaigns involving this info stealer have a notable presence in DNS. We’ve been tracking a threat actor that deploys large number of domains to advertise file share links dropping Lumma Stealer. These campaigns are interesting because the actor uses traffic distribution system (TDS), cloaking, and web tracking technology (e.g. Matomo, Bablosoft) to hide and protect the malicious content. Here are recent examples of the TDS and landing page domains.

:::TDS + Cloaking:::
am4[.]myidmcrack[.]site
bjnhuy[.]shop
filefetch[.]click
mplopop[.]shop
oyoclean[.]sbs
psldi3z[.]com
readyf1[.]click
volopi[.]cfd

:::Landing Page:::
14redirect[.]cfd
downf[.]lol
fbfgsnew[.]com
icjvueszx[.]com
lkjpoisjnil[.]site
sikoip[.]cfd
zulmie[.]cfd


An attack that we investigated today showed a new Lumma Stealer payload and C2 domain that is only a day old.

:::Lumma Stealer executable SHA256::: df148680db17e221e6c4e8aed89b4d3623f4a8ad86a3a4d43c64d6b1768c5406

:::Text sites containing Lumma Stealer configuration details:::
hXXps://rentry[.]co/feouewe5/raw
hXXps://pastebin[.]com/raw/uh1GCpxx

:::Newly created Lumma Stealer C2:::
hXXps://urbjanjungle[.]tech/api

The hack that turned the US government website of the Center for Disease Control into a porn site turns out to be more interesting than I originally thought. And that's not just because the CDC has not done anything to fix the problem 24 hours later...
 
Yesterday we found that a number of universities, enterprises and other government sites have been hacked by the same actor. Visiting the specific URLs takes you into a malicious adtech traffic distribution system (TDS). Depending on your device and location, you might get the pornography. bud, you also might get other scams like scareware. From my sacrificial phone, I was able to trigger a bunch of push notification requests.
 
Bottom Line: malicious adtech pays, their TDS allow actors to hide, and hackers are quite happy to compromise well known websites to get that money. But it's not just about scams, these types of techniques are frequently used for delivering information stealers, which lead to breaches.
 
Here's a few notes about the attack:
* The site is modified to add pages which attempt to load a specific image name. If that isn't there, then it redirects to the actor controlled malicious domain which funnels into the TDS
* The actor seems to be using blogspot for this now, but previously used a tiny URL. From here they will go to adtech TDS.
* There were what seemed possible to be dangling CNAME records in many cases, but in some of them didn't appear to be any issues with the DNS records. I suspect combo of accesses.
* In cases where there's no apparent DNS record issue, the legit site seems to be hosting in GitHub. Perhaps they have a credential compromised.
* I saw at least two adtech companies used, Adsterra and Roller Ads. these are checking for VPN and anonymous proxies before serving the final landing page.
* This image redirect actor seems to be riding off of a different actor who originally hacked the site, uses SEO poisoning techniques, and hacked universities to host porn content.
 
I put a bunch of images in imgur.
 
Thanks Krebs for the lead.
 
#dns #cybercrime #cybersecurity #infosec #adtech #malware #scam #threatintel #tds #InfobloxThreatIntel

https://imgur.com/a/cdc-website-hijack-leads-to-malicious-adtech-XfguIcN

Yesterday, we sent out an email version of my LinkedIn Newsletter - DT Investigations News. We did this to give people the option to get the information without requiring them to be on LI.

I have said from the start that we will not gate DTI content, so offering an alternative that doesn't require an account is in line with DTI's "community-first" mission.

Today I noticed that we did not include an unsubscribe option in the email. That was an oversight, but it doesn't make it acceptable, and I take full responsibility for it.

If you received the newsletter, but would like to be removed, please email me and I'll take care of it. Future editions will include an unsubscribe option.

Mastodon communities, be vigilant! Bad actors are creating accounts within the Fediverse and then using them to distribute malware. We identified one such case in which the threat actor had gone undetected since 2022. That Mastodon instance was one with a climate change focus. The threat actor was distributing an information stealer through their account.

We are happy to have helped the instance owner figure out why they have been on blocklists intermittently for the last few years, but also get that particular threat out of their Mastodon instance and safe for users.

There are undoubtedly many more of these across the Fediverse. Hopefully more awareness can get them detected and shut down faster.

For our fellow security nerds... this was #vidar malware with sha256 975932eeda7cc3feea07bc1f8576e1e73e4e001c6fe477c8df7272ee2e0ba20d
and a c2 IP 78[.]47[.]227[.]68 from the instance.
there is still at least one more Mastodon instance impacted that we are trying to reach.

#malware #stealer #mastodon #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #fakeaccounts #c2