RT @InvictusIR: 💙Microsoft Extractor Suite v4 is here. 𝘜𝘱𝘥𝘢𝘵𝘦-𝘔𝘰𝘥𝘶𝘭𝘦 -𝘕𝘢𝘮𝘦 𝘔𝘪𝘤𝘳𝘰𝘴𝘰𝘧𝘵-𝘌𝘹𝘵𝘳𝘢𝘤𝘵𝘰𝘳-𝘚𝘶𝘪𝘵𝘦. Learn more about the new features in….

Pivoting on #UNC6148 infra (low confidence finds):. 149.248.76./220.195.85.115./143 -- takesurvey./online, carlads./online.168.100.9./181 -- wg-aff./website. The reverse shell IP (64.52.80./80) has some historical indicators of likely being used for EvilProxy phishing.

Join millions who have switched to Grok.

RT @InvictusIR: 🚨 Volume 3 | Profiling TradeTraitor (DPRK) 🚨 . Our latest and greatest blog in our series on Cloud Threat Actors. This one….

RT @ArmsControlWonk: Why am I so unimpressed by these strikes? Israel and the US have failed to target significant elements of Iran's nucle….

🔍 Detect.Query Entra ID logs for Teams/1.3.00.30866 agent.Spot device-app mismatch & targeted app ID access. 🕵️ Investigate.Correlate w/ AWS IPs & spray patterns.Check post-comp activity (e.g. mailbox rules). 🛡️ Respond.Block IPs, revoke tokens, reset creds. #DFIR #ThreatHunting.

Great writeup from Sekoia! @InvictusIR agrees: AiTM drives initial & credential access, fueling BEC 👉 🔎For IR, check Entra ID Sign-In, Identity Protection, & Unified Audit Logs. 🛡️Harden with passkeys & MFA for identity security. #DFIR #cloudsecurity.

PowerLess backdoor's functionality includes:. Get file or directory information.Command Execution.Screenshots.Audio Capture.Browser Information Discovery.Input Capture: Keylogging.Download Files.Upload Files.Update Configurations.

#CharmingKitten #APT42 #TA453 analysis & pivots. C2:.Telegram Bot used for error messages and auto-start messaging to the operator.computerlearning.ddns./net. Pivots:.bookstoragestore./com.lastfilterfile/.info.78.159.117./177.78.159.117./175.185.132.176./241.154.44.186./106.

RT @InvictusIR: Allright let's do this, a thread on Laundry Bear aka Void Blizzard. This group compromised the Dutch National Police. Let's….

Cool to see this reporting and supports my previous assessment.

108.69.148[.]100 .128.92.80[.]210.184.153.42[.]129.108.6.189[.]53.154.223.17[.]243.159.242.42[.]20.

Low confidence that this is likely a China-nexus threat actor. However, it's highly likely that the threat actor blended consumer (Linksys), industrial (Niagara 4), enterprise (Check Point Spark) assets to form covert infrastructure for staging and anonymizing their operations.

This isn’t recycled noise. It surfaces the often-overlooked details responders and CTI analysts actually need. Practical takeaways include:.✔️ Mapped TTPs.✔️ IR checklist.✔️ Actor context & relevancy. #CTI #CloudSecurity #AWS #DFIR #JavaGhost

Call-back Proxy Network: 103.131.213[.]89 | 182.185.156[.]45 – likely a mix of anonymous activity and normal activity. Mass SMTP Tester: 134.199.148[.]132 – banner previously responded with Mass SMTP Tester header.

🚨 New blog from @datadoghq on fresh AWS TTPs! Me and Team @InvictusIR pivoted & enriched their infra data to uncover the actor #JavaGhost is likely abusing callback proxy networks and leveraging Mass SMTP Tester. 🔗 #CloudSecurity #ThreatIntel #CTI.

🚨 New blog: BlackBasta’s leaks show how ransomware crews still exploit hybrid environments while Scattered Spider leans fully into cloud. Two actors, two strategies. What it means for IR, cloud defense, and ransomware readiness. 👉 #DFIR #Cloud #CTI.

🔍 New Blog: Essential Cloud Logs for Incident Response. 🪵 Are you collecting the right logs for cloud security incidents? We break down the must-have logs to detect, investigate, and respond effectively in the cloud. 🔗 #dfir #aws #microsoft #google.

🚨 New Blog: Forensic Analysis of eM Client 🚨. If you investigate BEC incidents, you've likely seen eM Client pop up. We did a forensic deep dive to uncover the traces it leaves behind. #CyberSecurity #DFIR #BEC #ThreatIntel.

We’ve mapped the TTPs and shared actionable IOCs on our GitHub. 🛡️. 👉

RT @InvictusIR: If you're wondering how you can prepare for an incident in the cloud, our new blog is for you 🫵.