I have never heard about the "XDSpy" threat actor 👾 before, but it turns out I tripped over a Windows shortcut in March and. 🤷‍♂️ we had to "take a look".

I like a vulnerability analysis 🔬 as I like a scotch 🥃: old enough to order its own scotch. Ivanti CVE-2024-8963 vuln analysis + unique report of malicious activities after exploitation:

Everyone be looking for #CharmingKitten these days. Here, previously undocumented #Cyclops Golang implant, likely replacement for #BellaCiao. With @JusticeRage @ArielJT

Did our bit on #Doppelgänger: standalone paper w/ new infra, ongoing activity inc. Paris #Olympics, tech details, content analysis, links to grey SEO. BTW we're a 3-people show @ArielJT @JusticeRage

Turns out it is now explicitly detected as #FrostyGoop by some vendors, so might actually be it.

Not sure it's any of them though. They all contain the "/CleintTCP" typo string, which does not appear to belong to the modbus library repository, and that I could only find in 7 Golang binaries. 4/4.

Searching for those strings in public files repositories, maybe using #Yara , you would find 5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb and a63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c 3/4.

From reference Page 4 ("use a Go Modbus library") + logs screenshot Page 5, one could infer some strings that should be FrostyGoop: "/rolfl/modbus", "proc.go", "executeCommand" and "TaskList" 2/4.

You went through marketing form to read about #FrostyGoop ( from @DragosInc, then are disappointed to find ZERO IOC, like @craiu and me? 1/4.

closermag[.]eu.conspiracywatch[.]in.mensjournal[.]day.mynaszlaku[.]in.dzieckowpodrozy[.]in.bibelbund[.]cfd. Also, new Doppelgänger tracker (July 15) we got from our monitoring: gatoogeef[.]info - 2/2.

6 suspicious domains impersonating 🇺🇲, 🇩🇪, 🇵🇱 and 🇫🇷 websites, found while hunting for #Doppelgänger activities, registered in July. I believe they are made ready for ongoing (but not retrieved) or future fabricated content publication - 1/2.

RT @JusticeRage: .@securechicken and I just released a major update on Tomiris, with some important implications for attribution. https://t….

RT @jeffespo: A look at how #SOC analysts can use the IOC that are commonly shared in #infosec Twitter and also TI reports from @securechic….

RT @Kaspersky_Gov: JOIN us virtually to discuss the cross-border cooperation to protect critical infrastructure at @igf_2021 ➡️ https://t.….

RT @vkamluk: @TheSAScon sets new standards every year. This time it’s a new standard of remote participation in a conference: bring your co….

RT @vkamluk: @r00tbsd @TheSAScon Welcome to Fabulous Las Vegas! 😄

RT @e_kaspersky: Planning for #TheSAS2021. ☑️ Agenda.🛫 nope. next year.☑️APT research.☑️ Sign up. I feel like something is missing. ….

Verifying myself: I am securechicken on dsx0C_AIGAvAV0YsWMSkWy07JWo-1lUk-XqS /

Pff, I don’t need no SIEM, I have checklogs :D Humble effort at making Pi-hole logs grep a bit easier, to search for IOCs. #Pihole #IOC #DNS