Anyway, we wanted to tell a bit later, but we had to rush it now, as fellows did publish about the same toolset today (as "TOLLBOOTH"). We're fewer guys but we may still have found a bit more. IOCs & Yaras:

Documents 📃 about alleged IRGC 🇮🇷cyber ops are being disclosed since last week (#KittenBusters). 2nd batch of data includes a reference to our work @HarfangLab: "see reports on publicly available tools (such as BellaCiao and CYCLOPS) – these are malware tools used"

New threat report is live! Get it while it’s hot 🔥

New tunneling services timeline: 🗓️ 2025-04-24: lhr[.]life 🗓️ 2025-05-06: serveo[.]net, workers[.]dev 🗓️ 2025-06-11: euw.devtunnels[.]ms Updated Yara rule alongside IoCs: https://t.co/gSDLHphCTy For more information about PteroLNK, please refer to:

New Infrastructure scripts: :URLS → Scrapes Telegraph/Telegram for tunnel URLs → Appends .trycloudflare.com → stores in :URL ADS & registry :IPS → Fetches IPs via Telegram, check-host[.]net, or ping to hardcoded C2 → stores in :IP ADS & registry

The updated downloader now features an improved multi-tier fallback: Registry keys → ADS → Telegraph/Teletype DDRs → hardcoded C2 The LNK dropper maintains core functionality with tweaked execution command.

The new modular malware structure: 4 VBS payloads written to ADS: :SRV - Updated downloader :LNK - LNK dropper :URLS - DDR C2 URL retrieval :IPS - DDR C2 IP retrieval/resolution :GTR - Main orchestrator (self)

Following our recent #Gamaredon publication, the actor upgraded their PteroLNK malware and expanded infrastructure. Key changes: - NTFS Alternative Data Streams (ADS) storage - Randomized HTTP headers breaking network sigs - Expanded tunneling services - More robust DDR approach

Full technical report with IoCs and Yara rules below: https://t.co/ycRyLK34H5

Our analysis covers the LNK parsing vulnerabilities, detailed XDigo malware analysis, comprehensive infrastructure overview, and attribution linking current activity to historical XDSpy activities including a previously unattributed 2023 operation

Through hunting and pivoting, we identified the likely payload: XDigo, XDSpy's Go based malware deployed against a governmental target in Belarus. We also mapped additional infrastructure showing multiple connections and ties across past campaigns

Dropping new research - this time on recent #XDSpy operations. Out of hundreds of LNK files leveraging ZDI-CAN-25373, we isolated a tiny cluster using an additional LNK parsing trick, leading us to uncover a multi-stage infection chain actively targeting government entities

Full report includes actionable detection rules, hashes, and infrastructure indicators: https://t.co/BrOpeshI6d

#PteroLNK is a heavily obfuscated VBScript that dynamically constructs two additional payloads during execution: a downloader and an LNK dropper that propagates through connected drives 3/4

The new PteroLNK samples date back to December 2024, using DDRs that are still updated daily, pointing to new Cloudflare quick tunnels 2/4

We published a new report, covering #Gamaredon's #PteroLNK malware, used in a recent campaign. The Russian APT group continues active operations against Ukrainian targets through April 2025 1/4

We made a full circle from dial-up

Check out our latest report covering Ivanti CSA vulnerability with complete root cause analysis, detailed breakdown of ITW exploitation, overview of worldwide targets alongside comprehensive IoCs & detection rules 👇🏻 https://t.co/Ng41t7inNK

Full report:

We gave it a good shake, and our Magic 8 Ball revealed 2025's threats: 🎱 Internet fracturing & digital borders rising 🎱 Agentic AI going rogue 🎱 Truth drowning in AI bias 🎱 "meh" malware used strategically 🎱 Civil/Private cyber proxies taking center stage ...and more 👇🏻