
CERT Orange Cyberdefense
@CERTCyberdef
Followers 10K · Following 191 · Media 39 · Statuses 211
First Private CERT in Europe. Tweets are about vulnerability and cyber threats. Corporate account: @OrangeCyberDef / @OrangeCyberFR GPG KeyID: 0xBD54B276
Worldwide
Joined April 2009
🧀🎣Since early September 2025, the Orange Cyberdefense CSIRT and CyberSOC teams have detected phishing campaigns impersonating Meta, AppSheet and PayPal, leading to malware delivery. Our team tracks this activity under the alias "Metappenzeller" #CTI #ThreatIntel #Metappenzeller
🔗Related IOCs can be found on GitHub:
github.com
IOCs for World Watch investigations. Contribute to cert-orangecyberdefense/cti development by creating an account on GitHub.
☣ The main lure deploys a full Python environment and runs a Python script responsible for fetching the next stage from a remote C2. Then it opens a decoy file in Word. The C2s are now inactive but have been tied to the Pure malware family.
✉ The campaigns are initiated from the legitimate noreply[@]appsheet[.]com address and deliver various payloads, with lures targeting corporate sales, marketing, and legal teams. We advise hunting for emails from this sender
✨AppSheet is a Google platform that enables no-code development of mobile, tablet, and web applications. Knowbe4, RavenMail, and MalwareHunterTeam have also previously mentioned such campaigns. https://t.co/BANyGDfPAH
https://t.co/LSp6JR5L5C
blog.knowbe4.com
Since March 2025, the KnowBe4 Threat Labs team has observed a surge in phishing attacks that exploit Google’s AppSheet platform to launch a highly targeted...
Hello @ShortDotDomains There is an error on your online abuse form: "Something went wrong. Please try again." when submitting. Could you check, please? Thank you.
🤖 "Cybercriminals have integrated AI today in the same way as all users have" @RodrigueLeBayon, head of @CERTCyberdef
https://t.co/FropibKXOX
lanouvellerepublique.fr
Hackers exploit AI to carry out their attacks, notably by using conversational bots. Retrieving confidential data thus becomes easier, including for the...
🧀 Update on MintsLoader: a thread 🔽 MintsLoader is a JavaScript/PowerShell loader that was first detailed by OCD in 2024. A new version has been around at least since early-June 2025. #cti #ThreatIntel #mintsloader
🆕 Just released a blogpost on a #Sorillus RAT campaign our @CERTCyberdef observed in March. Likely 🇧🇷 threat actors, use of numerous tunneling services like ngrok[.]app, ngrok[.]dev, ngrok[.]pro, localto[.]net, ply[.]gg, campaign still active… ➡️ https://t.co/oHoufcOcfF
Hello @vercel @vercel_support We have been struggling to report phishing websites hosted on https://t.co/D7IigoTlDd for weeks. Apart from an automatic response, no takedown has been carried out. Can you check or contact us for more info? Thanks
vercel.com
Vercel gives developers the frameworks, workflows, and infrastructure to build a faster, more personalized web.
#CVE-2025-32432 #0day #CraftCMS discovered by @CERTCyberdef 💥Unauthenticated Remote Code Execution. No CVSS yet; we suggest giving it a 10 📌40,000 IP addresses representing over 37,000 domain names exposed, 12,168 unique domains vulnerable. Blog: https://t.co/sEClo3RSS5
And thanks to @onyphe for their partnership, with their helpful asset database allowing us to perform scans of the vulnerable and compromised Craft CMS instances 6/6
As well as the Yii advisory for further details on #CVE-2024-58136 5/6 https://t.co/MZILdXtuTM
yiiframework.com
You can check Craft blog post https://t.co/pz7VSV6D0o And their security advisory for further information related to #CVE-2025-32432 4/6 https://t.co/9YnT0WRPKx
github.com
### Impact This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g This is a high-impact, low-complexity attack vector. To mitigate the issue, us...
The blog post explains the situation including full technical analysis, a way to detect/block exploitation attempts, exploit statistics as well as Indicators of Compromise 3/6
Today Craft announces an RCE vulnerability affecting Craft CMS, known as #CVE-2025-32432. This vulnerability was reported by Orange Cyberdefense a month ago, after our CSIRT investigated a case where two 0-day vulnerabilities had been exploited 1/6 https://t.co/ndHdjHFyYj
This campaign relied on #emailbombing, with the threat actors using Teams chats to contact their victims. This social engineering trick was first observed by @rapid7 and @MsftSecIntel in April 2024. The adversaries then leveraged RMM tools to initiate the rest of the chain.
💡Our colleagues from Orange Cyberdefense CyberSOC 🇩🇪 just published insights on several December 2024 intrusions leveraging #socialengineering tactics to distribute #DarkGate, #BlackBasta, as well as a custom credential harvester. ➡️ https://t.co/9yV2cdgYTa
📖 Dozens of websites are implicated in this scheme, including @AlienVault OTX or @goodreads. Other abused websites include:
- @TIDAL music streaming platform, where messages are displayed in the playlist description.
- @AnimePlanet manga platform, in the review section.