My job today is beach.

Happy tortured poets society day to everyone!!!

Pivoting on the JDY C2 proxy cert hash in https://t.co/C2j3umgWeI shows an IP, 45.76.67.43, that was not listed in Lumen's IOC list. Though it looks like it was only active for 2 days and has since been recycled back into Vultr.

https://t.co/CGKjxVFmPH I am happy to be an advisor, aka Keeper of Secrets to @ThreatHunter_AI and working with @jmcmurry. Watch for great things to come.

#LABScon23 is here! Sep 20-23, 2023 in Scottsdale, Arizona Head to https://t.co/q1msQScycV for all the details!

https://t.co/HYyKDnSiWu the base for a repo for low power tracker research. Expect more to be added. Great research sponsored by @cybraryIT! #flipperzero #ble #airtag

soon.

New Research -- "Tainted Love" APT Operation ✴️Targeting Middle East telecom. ✴️ Likely connected to a Chinese groups in the nexus of Gallium and APT41. Full Report: https://t.co/SWnqTXiAKk By @milenkowski @juanandres_gs @joeychen @QTrust

https://t.co/UCp7ks6ZYP

Side note: I didn’t actually create this meme. Someone else on the internet did, so I just reposted it because it made me chuckle.

To get all the details check out the blog here https://t.co/qfuUaK9Qgl with IOCs found here

Oh and one more thing that caught my eye, when we looked at the embedded config file the malware identified itself as version 1.5. So while this latest campaign goes back to July 2022. This activity cluster almost certainly preceded that date.

The actor also had some interesting prebuilt functions, two of which that caught our eye were tcp_forward and SOCKS5 which would allow the threat actor to tunnel commands/exfil through the router

A couple interesting tidbits, does the threat actor behind this campaign seemed to have a strong interest in gathering email data as it transmitted through the device. Once the pcap was collected it would periodically get upload to the C2.

Today we’re releasing research on brand new activity cluster we’re calling Hiatus. This actor has an affinity for target routers, to gather pcap and use as covert infrastructure.

New blog dropping at 10am this morning , check it out here https://t.co/vjEt7I9Zvu

Setting up an account on the elephant app, hit me up there dadamitis@infosec.change. Don’t worry I’ll continue to provide the same threat intel, salty comments, and spicy memes as before.

Our latest #podcast is out with an interview with @dadamitis of @BlackLotusLabs about #ZuoRAT #malware targeting SOHO routers and home networks with #APT-style tools. Recorded at #LabsCon22. https://t.co/sRWsiHUD66 #sponsored by @ReversingLabs https://t.co/sRWsiHUD66

Bold strategy to have your campaign outed and then ramp up operations. Let’s see how this one plays out for them.

Love this quote. When talking about paying for an on-going lawsuit to harass the victims, one agent said: "[It] really is a drop in the bucket for a country to spend $1 billion or $0.8 billion to meet the political task assigned by the Central Government." IE. $ is no object.