RT @sekoia_io: These sheets aim to assist SOC analysts in detecting and investigating #AitM #phishing compromises by offering context, tech….

RT @sekoia_io: A few weeks ago, we published our global analysis of Adversary-in-the-Middle #phishing threats, providing actionable intelli….

As usual, your feedback is greatly appreciated. Enjoy the read and happy hunting!.

This comprehensive report gives analysts actionable intelligence on AitM phishing attacks. It reflects months of work monitoring AitM phishing campaigns, analysing a dozen of kit, tracking their infrastructures, and infiltrating the surrounding ecosystem.

We are excited to share our latest blogpost on AitM phishing threats - covering common TTPs, the PhaaS ecosystem, the most widespread kits, and multiple detection opportunities!. w/ @gregclermont.

RT @sekoia_io: We hope SOC, CERT and CTI teams find our global analysis of AitM phishing threats both insightful and actionable. Dive in h….

RT @sekoia_io: 📝 Our latest #TDR report delivers an in-depth analysis of Adversary-in-the-Middle (#AitM) #phishing threats - targeting Micr….

RT @sekoia_io: 🪤 Sekoia #TDR's new exclusive research uncovers the #ViciousTrap, a honeypot network deployed on compromised edge devices.….

RT @felixaime: Excited to see this paper finally published! Meet #ViciousTrap, a threat actor compromising and turning edge devices into ho….

RT @sekoia_io: Our new report describes one of the latest observed infection chains (delivering #AsyncRAT) relying on the #Cloudflare tunne….

As usual, we share multiple IoCs and YARA rules in our blog post and on our community GitHub:

By the way, @MsftSecIntel published an analysis yesterday on the same infection chain leveraging new PowerShell loader/backdoor (without associating it with Interlock?) ⬇️.

Check out our new blog post by the TDR team, presenting the latest TTPs used by the #Interlock ransomware group!. It includes their use of the ClickFix tactic, PyInstaller, Node.js, Cloudflare Tunnels, and new PowerShell loader/backdoor ⬇️. ✍️ @KSeznec.

RT @sekoia_io: Since the apparition of the #Interlock ransomware, the Sekoia #TDR team observed its operators evolving, improving their too….

Current decoy pages used since 18 March, changing every 3/4 weeks since the beginning of 2025:.

Tycoon 2FA (a prominent AitM phishing kit), targeting Microsoft and Google accounts, uses a new CAPTCHA page instead of the custom Cloudflare Turnstile page. e.g. hxxps://ymi.bvyunz.]ru/3v4jfQ-cUo/.hxxps://xau.kolivax.]ru/ckYHFJN/.hxxps://ffqt.lzirleg.]es/VajlR/. ⬇️

CTI tip: monitor transactions from the Ethereum address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA to identify new PowerShell commands distributed by ClearFake - and block/detect any traffic to malicious domains!. As usual, feedback is greatly appreciated!.

Here is our in-depth analysis of the latest #ClearFake variant using the Binance Smart Chain and two new ClickFix lures. ClearFake is injected into thousands of compromised sites to distribute the #Emmental Loader, #Lumma, #Rhadamanthys, and #Vidar. ⬇️.

RT @sekoia_io: TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malic….

RT @virusbtn: Sekoia's TDR reseachers provide a technical analysis of ClearFake’s recent variant, focusing primarily on the interactions wi….