15/16. This was a long rant, but not enough. If a picture is worth a 1000 words, here is a video. @SASSnRaaS

#surprised_pikachu_face

Join millions who have switched to Grok.

RT @SentinelOne: Your cyber threat intel is part of the North Korean strategy: DPRK operators are abusing CTI platforms to see if they’ve b….

O_o.Ref:

@NCState.

@anyrun_app @X Normal

@anyrun_app @X why u do dis?.posted two links, second one become a thumbnail and only the first link text is visible, so confusing.

7/7. Samples on @anyrun_app .

6/7. msks[.]pics redirect to file-eu-par-1.gofile[.]io/download/direct/47c53557-a472-4ffd-99a5-1de16ce98262/Vistra%20Global.exe.

5/7. CCSD 15 Staff Compensation Statement (Available on Vistra Global).pdf.d989aba36f0268f7d34d278dab90abd9.fbd891af13b5ccf4ff5b292f60492adf30a0649d.573b40d7729c315bf7593f668cd4f4b55532bd5414260e78377b689036bb4221. redirect to msks[.]pics. @D15Schools

4/7. tinyurl[.]com/compensationaugust and compensationstatement[.]pics.redirect to.file-eu-par-2.gofile[.]io/download/direct/47c53557-a472-4ffd-99a5-1de16ce98262/August%20Compensation%20Statement.exe.

3/7. August Compensation Statement.exe is actually @LogMeIn Resolve installer.Same installer used in other variations:

2/7. tinyurl[.]com/mystatement25 -> .file-na-lax-1.gofile[.]io/download/direct/47c53557-a472-4ffd-99a5-1de16ce98262/August%20Compensation%20Statement.exe.4ae9f6bb170e8d42d8e06fb5c455426f39056a76.b201ef91679076e7c6f8393aec3b73cd3d4845158a0121c4d5de4396d310faf3.

1/7. 🎯EDU 🎯..]com/file/d/1KgP4IsEYVV78g8Ofo9GCwmp1ng3kiNlF/view?usp=drive_link ->.Updated 2025 Compensation for NCSU Faculty and Staff.pdf.9db4cccb4745a533ac4c41f8aac2e18bcf7e8198.7158fbc2a796b0c4afe7a2dd63c5c3b76df70ced1c7cd232c570f135b94a9e88.@ncsu

4/4.There is a special place in hell for "cyber" terrorists targeting people with PTSD, right next to the place of the "cyber" terrorists targeting families of kidnapped hostages .Ref 4:

3/4.Ref 2: UNC2428 is also known as INCD's Black Shadow.Ref 3: @Israel_Cyber @CyberTeam360 .Thank you Tony Reshef.

2/4.This sample is using a different C2 than samples from April: 46.30.190.173.DNS resolve at 2025-08-19: members.nefeshhope[.]com -> 46.30.190.173.nefeshhope was a fake website to lure people with PTSD.Ref:

1/4.A.ExE / main.txt.213c7af6fbbe05f9e4f4ed6ee8533a87.6bb092b33f86c0ef2e9d6d0ccb0d1a6f478d3725.f6db77be038980e9dbbf9f11e0f7ae7d2d4d3f1a53199958f1f55137dde5efd3.C:/Users/admin/Desktop/quic-reverse-http-tunnel/cmd/client/main.go.GO tunneler using the QUIC protocol linked to UNC2428.

16/16. Here is a cheat sheet of "Do and Don't" for threat attribution.