
World Watch (OCD)
@WorldWatch_OCD
Followers: 92 · Following: 139 · Media: 1 · Statuses: 45
World Watch CTI team from @CERTcyberdef (@OrangeCyberDef)
World
Joined March 2021
🧀🎣Since early September 2025, the Orange Cyberdefense CSIRT and CyberSOC teams have detected phishing campaigns impersonating Meta, AppSheet and PayPal, leading to malware delivery. Our team tracks this activity under the alias "Metappenzeller" #CTI #ThreatIntel #Metappenzeller
The new version has removed these notable behaviours and is seen in campaigns with fake invoice lures. New indicators of compromise (IoCs) are available on our GitHub: https://t.co/8vig1nADhD
github.com: IOCs for World Watch investigations (repository cert-orangecyberdefense/cti).
The associated infrastructure could be tracked thanks to specific patterns and campaign IDs in the C2 URLs. These detection opportunities were presented during the Botconf 2025:
⛪🔎Historically, new MintsLoader JS samples were easy to find because the obfuscation strings consistently used text from the book Andrew Melville by William Morison. https://t.co/eL9GkIMf0l
🧀 Update on MintsLoader: a thread 🔽 MintsLoader is a JavaScript/PowerShell loader that was first detailed by OCD in 2024. A new version has been around at least since early-June 2025. #cti #ThreatIntel #mintsloader
🆕 Just released a blogpost on a #Sorillus RAT campaign our @CERTCyberdef observed in March. Likely 🇧🇷 threat actors, use of numerous tunneling services like ngrok[.]app, ngrok[.]dev, ngrok[.]pro, localto[.]net, ply[.]gg, campaign still active… ➡️ https://t.co/oHoufcOcfF
Today Craft announces an RCE vulnerability affecting Craft CMS, known as #CVE-2025-32432. This vulnerability was reported by Orange Cyberdefense a month ago after our CSIRT investigated a case where two 0-day vulnerabilities had been exploited 1/6 https://t.co/ndHdjHFyYj
Happy to join the 2025-2026 @VirtualRoutes European Cybersecurity Fellowship 🇪🇺☺️
👋Say hello to the 2025-2026 European Cybersecurity Fellows! 12 months, 15 fellows from 10 countries across Europe, one goal ⏩ To make it count. Learn more about the fellows: https://t.co/vNH2CIo89h
🔎In recent campaigns, TAs create new #GitHub repositories populated with an AI-generated README and filled with fake backdated commits. We also observed similar distributions via inactive repositories typically forked with a new release containing #SmartLoader ultimately added.
🆕New version of our #ransomware mapping is out on our GitHub! ➡️ https://t.co/M9vmt1UZzj V28 (!) includes latest newcomers and recent ecosystem evolutions.🔍 As always, feedback is welcome! #cti #threatintel #blackbasta #ransomhub #lockbit
Orange Cyberdefense saw the same threat and named the ransomware "NailaoLocker". https://t.co/v9JjTfwdm5. They share interesting thoughts on the motivations of the ransomware deployment, although they don't have the final answer. We also saw no financial gain for the threat actor
New NailaoLocker ransomware used against EU healthcare orgs - @billtoulas
https://t.co/D5k56aMRMb
bleepingcomputer.com: A previously undocumented ransomware payload named NailaoLocker has been spotted in attacks targeting European healthcare organizations between June and October 2024.
🆕We publish today the result of a deep-dive investigation into a malicious campaign leveraging #ShadowPad and #PlugX to distribute a previously undocumented ransomware, dubbed #NailaoLocker. This campaign targeted 🇪🇺 organizations during S2 2024 and is tied to a Chinese TA 🇨🇳. /🧵
In the realm of #cybersecurity, false positives can often be viewed as mere nuisances.🔬🚩 Yet, a recent incident observed by our CSIRT highlights their potential to trigger significant alarm. Explore the insights shared by CERT! #IncidentResponse 📲 https://t.co/WmjxOejVpl
New variant of #Emmenhtal loader actively distributed since early December and leading to #Lumma #DarkGate and/or #SectopRAT. 🚩#Emmenhtalv2 adopts new obfuscation features and is currently not well detected by AV solutions. Initial access: fake CAPTCHA, #ClickFix, phishing.
While monitoring recent #Emmenhtal iterations, we observed a distinct politically-aligned cluster 🇪🇺, strongly differing from usual financially motivated Emmenhtal distribs. This cluster drops another malware we dubbed #Edam Dropper🧀 🔗
github.com: Edam dropper (repository cert-orangecyberdefense/edam).
📣Shout-out to Piotr Malachiński & @Mar_Pich for this extensive mapping of over 315 state and non-state organizations spanning government, industry, and academia. Over 400 detailed relationships are now available (including for download), building on OSINT & #CTI literature.
📍For more than 8 months, our threat researchers from @orangecyberdef have worked on mapping 🇨🇳 China's civil-military–industrial complex when it comes to #cyberespionage operations. ⛯ Consult our newly published deep-dive report and interactive map here: https://t.co/8k9Wod5GQW
Several weeks ago, our #CERT analysts @Mar_Pich @vhinderer and @_alexb___ investigated an ongoing malicious campaign targeting one of our clients and leveraging a little-documented multistage #loader we dubbed #MintsLoader🥬🧀. https://t.co/eTiNSFkX8M ⬇️
Biiiig changelog for our #ransomware cartography! 🤠New version (v27) available on our CERT GitHub: https://t.co/l6LgNIgA4s 💡Entities are clickable for our World Watch clients to read more about threat groups and malware strains. #cyberthreatintelligence #cti @orangecyberdef