New tunneling services timeline:.🗓️ 2025-04-24: lhr[.]life.🗓️ 2025-05-06: serveo[.]net, workers[.]dev.🗓️ 2025-06-11: euw.devtunnels[.]ms. Updated Yara rule alongside IoCs: For more information about PteroLNK, please refer to:

New Infrastructure scripts:.:URLS → Scrapes Telegraph/Telegram for tunnel URLs → Appends .trycloudflare.com → stores in :URL ADS & registry.:IPS → Fetches IPs via Telegram, check-host[.]net, or ping to hardcoded C2 → stores in :IP ADS & registry.

The updated downloader now features an improved multi-tier fallback: Registry keys → ADS → Telegraph/Teletype DDRs → hardcoded C2.The LNK dropper maintains core functionality with tweaked execution command.

The new modular malware structure: 4 VBS payloads written to ADS:.:SRV - Updated downloader.:LNK - LNK dropper.:URLS - DDR C2 URL retrieval.:IPS - DDR C2 IP retrieval/resolution.:GTR - Main orchestrator (self)

Following our recent #Gamaredon publication, the actor upgraded their PteroLNK malware and expanded infrastructure. Key changes:.- NTFS Alternative Data Streams (ADS) storage.- Randomized HTTP headers breaking network sigs.- Expanded tunneling services.- More robust DDR approach

Full technical report with IoCs and Yara rules below:.

Our analysis covers the LNK parsing vulnerabilities, detailed XDigo malware analysis, comprehensive infrastructure overview, and attribution linking current activity to historical XDSpy activities including a previously unattributed 2023 operation

Through hunting and pivoting, we identified the likely payload: XDigo, XDSpy's Go based malware deployed against a governmental target in Belarus. We also mapped additional infrastructure showing multiple connections and ties across past campaigns

Dropping new research - this time on recent #XDSpy operations. Out of hundreds of LNK files leveraging ZDI-CAN-25373, we isolated a tiny cluster using an additional LNK parsing trick, leading us to uncover a multi-stage infection chain actively targeting government entities

Full report includes actionable detection rules, hashes, and infrastructure indicators:.

#PteroLNK is a heavily obfuscated VBScript that dynamically constructs two additional payloads during execution: a downloader and an LNK dropper that propagates through connected drives 3/4

The new PteroLNK samples date back to December 2024, using DDRs that are still updated daily, pointing to new Cloudflare quick tunnels 2/4

We published a new report, covering #Gamaredon's #PteroLNK malware, used in a recent campaign. The Russian APT group continues active operations against Ukrainian targets through April 2025 1/4.

We made a full circle from dial-up.

Check out our latest report covering Ivanti CSA vulnerability with complete root cause analysis, detailed breakdown of ITW exploitation, overview of worldwide targets alongside comprehensive IoCs & detection rules 👇🏻.

Full report:

We gave it a good shake, and our Magic 8 Ball revealed 2025's threats: .🎱 Internet fracturing & digital borders rising.🎱 Agentic AI going rogue.🎱 Truth drowning in AI bias.🎱 "meh" malware used strategically.🎱 Civil/Private cyber proxies taking center stage. and more 👇🏻.

thisisfine.bmp.

RT @unpacker: According to German media, North Korean-linked #Kimsuky hackers targeted Diehl Defense, a German arms company, to steal sensi….

RT @ryanaraine: 💔 This week's show is the full keynote day remarks from Juan Andres Guerrero-Saade at #LABScon24. In this talk, Juanito a….