Daniel Lunghi (@thehellu)
Threat researcher @TrendMicroRSRCH mostly focused on #APT
Joined February 2011
Followers: 2K · Following: 481 · Media: 70 · Statuses: 247
We saw Earth Estries, an advanced #APT group, sharing its access to Earth Naga (Flax Typhoon). We introduce the term "Premier Pass" to describe this behavior, and propose a four-tier classification framework for collaboration types among advanced groups https://t.co/JVlnE9dP1S
We investigated an #APT with links to Void Rabisu that used Trend Micro updates as a lure in a recent campaign involving vulnerability exploitation. There were at least 4 stages before the final payload, some of them being tailored to the targeted machine https://t.co/8YgYC1o8wb
Orange Cyberdefense saw the same threat and named the ransomware "NailaoLocker". https://t.co/v9JjTfwdm5. They share interesting thoughts on the motivations of the ransomware deployment, although they don't have the final answer. We also saw no financial gain for the threat actor
For incident responders out there, remember to retrieve the volume serial number where #Shadowpad was deployed, since it is used to encrypt the payload in the registry. Those serial numbers can also be found in LNK and prefetch files in case you don't have live access to the host
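One way to pull that serial number from an LNK file offline, as an added example that is not part of the original post and not Trend Micro's code: the parser below walks the MS-SHLLINK header to the LinkInfo/VolumeID structure and reads DriveSerialNumber, the same DWORD that `vol` prints as XXXX-XXXX. The sample .lnk bytes are constructed inline by `build_sample_lnk`; the serial 1A2B-3C4D, the volume label and the target path are made-up test values. Prefetch files are not parsed here (Windows 8+ prefetch is MAM-compressed), and the Shadowpad payload decryption itself is not shown, since the post does not describe it.

```python
"""Extract the VolumeID drive serial number from a Windows .LNK (MS-SHLLINK) file."""
import struct
import sys

# {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian GUID)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01      # ShellLinkHeader.LinkFlags
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfo.LinkInfoFlags


def _cstr(data, off, wide=False):
    """Read a NUL-terminated ANSI (latin-1) or UTF-16LE string at `off`."""
    if wide:
        end = off
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        return data[off:end].decode("utf-16-le")
    end = data.index(b"\x00", off)
    return data[off:end].decode("latin-1")


def fmt_serial(serial):
    """Render a DriveSerialNumber DWORD the way `vol` / `dir` display it."""
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


def lnk_volume_info(data):
    """Return {serial, drive_type, label, local_base_path} or None if the LNK has no VolumeID."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    link_flags, = struct.unpack_from("<I", data, 0x14)
    off = 0x4C                                        # end of ShellLinkHeader
    if link_flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList if present
        idlist_size, = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if not link_flags & HAS_LINK_INFO:
        return None
    li = off                                          # LinkInfo offsets are relative to here
    li_size, li_hdr, li_flags, vol_off, lbp_off = struct.unpack_from("<5I", data, li)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                                   # network-only link, no local volume
    vol = li + vol_off
    vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
    if label_off == 0x14:                             # Unicode label variant
        label_off_u, = struct.unpack_from("<I", data, vol + 0x10)
        label = _cstr(data, vol + label_off_u, wide=True)
    else:
        label = _cstr(data, vol + label_off)
    path = _cstr(data, li + lbp_off)
    if li_hdr >= 0x24:                                # optional LocalBasePathOffsetUnicode
        lbp_off_u, = struct.unpack_from("<I", data, li + 0x1C)
        if lbp_off_u:
            path = _cstr(data, li + lbp_off_u, wide=True)
    return {"serial": fmt_serial(serial), "drive_type": drive_type,
            "label": label, "local_base_path": path}


def build_sample_lnk(serial, label, local_path):
    """Build a minimal LNK carrying only a LinkInfo/VolumeID (constructed test data, not a real sample)."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", HAS_LINK_INFO, 0x20)
    header += b"\x00" * 24                            # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, Reserved1-3
    assert len(header) == 0x4C
    label_b = label.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label_b), 3, serial, 0x10) + label_b  # DriveType 3 = DRIVE_FIXED
    path_b = local_path.encode("ascii") + b"\x00"
    lbp_off = 0x1C + len(volume_id)
    suffix_off = lbp_off + len(path_b)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            0x1C, lbp_off, 0, suffix_off)
    return header + link_info + volume_id + path_b + b"\x00"


def live_volume_serial(root="C:\\"):
    """On a live Windows host, read the same value via GetVolumeInformationW."""
    if sys.platform != "win32":
        raise OSError("GetVolumeInformationW is only available on Windows")
    import ctypes
    serial = ctypes.c_uint32()
    ok = ctypes.windll.kernel32.GetVolumeInformationW(root, None, 0, ctypes.byref(serial),
                                                      None, None, None, 0)
    if not ok:
        raise ctypes.WinError()
    return fmt_serial(serial.value)


# Constructed sample: made-up serial, label and path
SAMPLE_LNK = build_sample_lnk(0x1A2B3C4D, "OS", r"C:\Users\victim\Desktop\report.docx")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    print(lnk_volume_info(data))
```

Run it against any .lnk collected from a triage image (`python lnk_serial.py somefile.lnk`); with no argument it parses the constructed sample and reports serial 1A2B-3C4D. LNK files carry the serial of the volume the target lived on when the shortcut was created, so a shortcut pointing at the Shadowpad loader on a since-reimaged host still preserves the value the loader would have keyed on.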
We released a report on a threat actor using an updated version of #Shadowpad including anti-debugging features, which in some cases deploys a custom ransomware family. We have mainly seen the manufacturing industry being targeted in Europe and Asia https://t.co/dZsevM8wLr #APT
[trendmicro.com] In this blog entry, we discuss how Shadowpad is being used to deploy a new undetected ransomware family. Attackers deploy the malware by exploiting weak passwords and bypassing multi-factor authent...
Intelligence Online links the Moonshine framework that we discussed in our Earth Minotaur report https://t.co/cWcCIRQhEZ to a Chinese company. Happy new year, UPSEC! 🥳
[Free access] 🇨🇳 Intelligence Online has been able to link an official Chinese public security ministry contractor to recent IT hacking operations carried out against the Uyghurs and Tibetans, two peoples reviled by China. 1/3 ⬇️
Ever wonder how attackers use advanced tools to evade detection? Mandiant analyzes #ScatterBrain, an obfuscator in the POISONPLUG.SHADOW backdoor, which is used by China-nexus actors. Learn how we’re unmasking these sophisticated threats. Read more: https://t.co/5vwYoEBwjz
Our latest report presents Earth Minotaur, a threat actor targeting Tibetans and Uyghurs using Moonshine, an exploitation framework for Android described in 2019 by @citizenlab leveraging vulnerabilities in applications embedding old versions of Chrome https://t.co/cWcCIRQhEZ
We are hiring for our team. If you have reverse-engineering skills and want to work on behalf of the Gendarmerie as a court-appointed forensic expert (expert judiciaire) and manage a team of enthusiasts: https://t.co/60oviiU04V (RT appreciated)
Excellent malware analysis from Check Point that describes the Linux version of Xdealer/DinodasRAT, which we listed but did not describe in our Earth Krahang #APT report https://t.co/aHc6v1Sn2c Kudos for referencing all the related reports 👏
[research.checkpoint.com] Introduction In recent months, Check Point Research (CPR) has been closely monitoring the activity of a Chinese-nexus cyber espionage threat actor who is focusing on Southeast Asia, Africa, and South...
It’s been a minute since the last i-SOON blog 🇨🇳@RecordedFuture is releasing further research exploring infrastructure, tooling, victimology, and personnel overlap between I-SOON & multiple Chinese state-sponsored groups: RedAlpha, RedHotel, & POISON CARP https://t.co/eN0J4DEw0M
Their favorite malware toolkits are Reshell, a basic .NET backdoor, and Xdealer, also named DinodasRAT, two custom malware families. They also use the infamous #CobaltStrike, #PlugX and #Shadowpad. Many of their offensive and post-exploitation tools are retrieved from public sources.
Targets are spread among 5 continents, although some countries are targeted more heavily: one country had 11 of its government entities compromised. Previous victims are used to compromise new ones by abusing their infrastructure to send spear-phishing emails or host malware
Our latest report on a CN #APT targeting tens of government entities worldwide has been published 🥳 After monitoring it for a long time we realized it is likely related to the recent I-Soon company leaks. It discusses their TTPs and provides lots of IOCs https://t.co/2ZQfIZHzv5
The slides https://t.co/zXrXoU378A and paper https://t.co/Px4D0Iezjb are also available. In addition to what we published in July in our blog, the paper details our failed attempts to attribute this attack based on custom malware families and their links to other #APT groups
VB released my talk on a #Shadowpad sample delivered by a Pakistan gov application. It contains an analysis of the modified MSI installer, some tricks to pivot on old and new Shadowpad samples, an overview of the #APT campaign, and attribution discussion
The blogpost is live again with an update to reflect the possibility that the MSI installer could have been modified and then redistributed. However, as it was not publicly available, that would imply that the threat actor retrieved it from a PK gov entity before weaponizing it
We found a probable supply chain attack on the eOffice application developed by the Pakistan government. It delivers #Shadowpad with an updated obfuscation and encryption scheme. The threat actor carefully chose the C&C to blend in with legitimate network traffic https://t.co/xbzRqFisEU #APT
If you missed it yesterday, Microsoft released an advisory concerning the CVE-2023-36884: https://t.co/TmGL6SX5DU. This RCE is currently used by a TA and there is no patch. You should apply the mitigation described in the advisory. 1/4
#disinformation #Ukraine Minister @MinColonna and the SGDSN today made public the French side of a massive disinformation campaign that we can attribute with certainty to Russian actors: https://t.co/af7lZXm8Ii