#ICS

2026-02-04

Maybe AI can put us out of this misery? Humanity on its own seems incapable of solving cross-calendar data format compatibility.

#Calendar #Format #ics #iCal

2026-02-04

New year, new sector: Targeting India's startup ecosystem

Transparent Tribe, also known as APT36, has expanded its targeting to include India's startup ecosystem, particularly those in the cybersecurity domain. The group is using startup-oriented themed lure material delivered via ISO container-based files to deploy Crimson RAT. This campaign deviates from their typical government and defense targets, suggesting a shift in strategy towards companies providing open-source intelligence services and collaborating with law enforcement agencies. The attack chain involves spear-phishing emails, malicious LNK files, and batch scripts to execute the Crimson RAT payload. The malware employs extensive obfuscation techniques and uses a custom TCP protocol for command and control communications. This activity demonstrates the group's adaptation of proven tooling for new victim profiles while maintaining its core behavioral tactics, techniques, and procedures.

Pulse ID: 69836c616757ccfa9dcad92c
Pulse Link: otx.alienvault.com/pulse/69836
Pulse Author: AlienVault
Created: 2026-02-04 15:57:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #Government #ICS #India #InfoSec #LNK #LawEnforcement #Malware #OTX #OpenThreatExchange #Phishing #RAT #RCE #SpearPhishing #TCP #TransparentTribe #bot #AlienVault

2026-02-04

Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in Southeast Asia

A Chinese threat actor, Amaranth-Dragon, has been conducting highly targeted cyber-espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group swiftly exploited the CVE-2025-8088 vulnerability in WinRAR to deliver malicious payloads, including a custom loader and the Havoc C2 Framework. Their operations demonstrate sophisticated tactics, including geo-restricted command and control servers, use of legitimate hosting services, and a new Telegram-based remote access trojan. The campaigns coincide with significant local geopolitical events, increasing the likelihood of successful compromises. Technical analysis reveals similarities with APT-41, suggesting a possible connection or shared resources between the groups.

Pulse ID: 69836c632ca6c16f064a97d5
Pulse Link: otx.alienvault.com/pulse/69836
Pulse Author: AlienVault
Created: 2026-02-04 15:57:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #Chinese #CyberSecurity #Espionage #Government #ICS #InfoSec #LawEnforcement #OTX #OpenThreatExchange #RAT #RCE #RemoteAccessTrojan #Telegram #Trojan #Vulnerability #WinRAR #bot #cyberespionage #AlienVault

2026-02-03

Leveraging of CVE-2026-21509 in Operation Neusploit

A new campaign dubbed Operation Neusploit, attributed to the Russia-linked APT28 group, targets Central and Eastern European countries using specially crafted Microsoft RTF files to exploit CVE-2026-21509. The attack chain involves multi-stage infection, delivering malicious backdoors including MiniDoor, PixyNetLoader, and a Covenant Grunt implant. The campaign employs social engineering lures in multiple languages, server-side evasion techniques, and abuses the Filen API for command-and-control communications. The malware components utilize various persistence mechanisms, steganography, and anti-analysis techniques. The operation showcases APT28's evolving tactics, techniques, and procedures in weaponizing the latest vulnerabilities.

Pulse ID: 698128e65e8a9984e3ff5b7e
Pulse Link: otx.alienvault.com/pulse/69812
Pulse Author: AlienVault
Created: 2026-02-02 22:44:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT28 #BackDoor #CyberSecurity #EasternEurope #Europe #ICS #InfoSec #Malware #Microsoft #OTX #OpenThreatExchange #RAT #RTF #Russia #SMS #SocialEngineering #Steganography #bot #AlienVault

2026-02-03

The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit

Rapid7 Labs has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom, involving a new custom backdoor named Chrysalis. The attack compromised Notepad++ infrastructure to deliver the backdoor. Analysis revealed multiple custom loaders, including one using Microsoft Warbird for obfuscation. The Chrysalis backdoor has extensive capabilities for information gathering, file operations, and remote command execution. Additional artifacts found include Cobalt Strike beacons and Metasploit payloads. The campaign shows Lotus Blossom evolving its tactics, mixing custom and off-the-shelf tools with advanced obfuscation techniques to evade detection.

Pulse ID: 6981aff0acbb318f992ed03e
Pulse Link: otx.alienvault.com/pulse/6981a
Pulse Author: AlienVault
Created: 2026-02-03 08:21:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CobaltStrike #CyberSecurity #ELF #ICS #InfoSec #Microsoft #Notepad #OTX #OpenThreatExchange #RAT #Rapid7 #RemoteCommandExecution #bot #AlienVault

2026-02-03

Threat Intelligence Dossier: TOXICSNAKE

Pulse ID: 69819ebe61336e46e2473242
Pulse Link: otx.alienvault.com/pulse/69819
Pulse Author: Tr1sa111
Created: 2026-02-03 07:07:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DoS #ICS #InfoSec #OTX #OpenThreatExchange #bot #Tr1sa111

2026-02-02

Fake Dropbox Phishing Campaign via PDF and Cloud Storage

A sophisticated phishing campaign has been detected that utilizes a multi-stage approach to evade detection. The attack begins with a procurement-themed email containing a PDF attachment. This PDF redirects victims to another PDF hosted on trusted cloud storage, which then leads to a fake Dropbox login page. The attackers exploit trusted platforms and harmless file formats to bypass security measures. The campaign uses social engineering tactics to harvest credentials, which are then exfiltrated to attacker-controlled infrastructure via Telegram. This method proves effective by leveraging legitimate business processes, trusted file types, and reputable cloud services to appear authentic and bypass automated security checks.

Pulse ID: 6980ed6ccc717599f536d820
Pulse Link: otx.alienvault.com/pulse/6980e
Pulse Author: AlienVault
Created: 2026-02-02 18:31:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #Dropbox #Email #ICS #InfoSec #OTX #OpenThreatExchange #PDF #Phishing #RAT #Rust #SocialEngineering #Telegram #Troll #bot #AlienVault

2026-02-02

DynoWiper update: Technical analysis

ESET researchers provide technical details on a recent data destruction incident affecting a Polish energy company. They identified new data-wiping malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm with medium confidence. The tactics, techniques, and procedures observed during the DynoWiper incident resemble those seen earlier in an incident involving the ZOV wiper in Ukraine. Sandworm has a history of destructive cyberattacks, targeting various entities including energy providers. The DynoWiper samples focus on the IT environment, with no observed functionality targeting OT industrial components. The attackers deployed additional tools and attempted to use a SOCKS5 proxy. The incident represents a rare case of a Russia-aligned threat actor deploying destructive malware against an energy company in Poland.

Pulse ID: 697cfb85ac8b88be3162c26c
Pulse Link: otx.alienvault.com/pulse/697cf
Pulse Author: AlienVault
Created: 2026-01-30 18:42:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberAttack #CyberAttacks #CyberSecurity #ESET #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Poland #Proxy #RAT #Russia #Sandworm #UK #Ukr #Ukraine #Worm #bot #socks5 #AlienVault

2026-02-02

Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft

Threat actors associated with ShinyHunters-branded extortion operations are expanding their tactics, targeting cloud-based SaaS applications for data theft and extortion. The attackers use sophisticated voice phishing and credential harvesting to gain initial access, then exfiltrate sensitive data from various platforms. They employ aggressive extortion tactics, including harassment and DDoS attacks. The activity involves multiple threat clusters (UNC6661, UNC6671, UNC6240) and targets a growing number of cloud platforms. The attackers leverage social engineering to bypass MFA and use tools like ToogleBox Recall to cover their tracks. This activity highlights the effectiveness of social engineering and the importance of phishing-resistant MFA methods.

Pulse ID: 697dc01e979a31197f296e38
Pulse Link: otx.alienvault.com/pulse/697dc
Pulse Author: AlienVault
Created: 2026-01-31 08:41:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CredentialHarvesting #CyberSecurity #DDoS #DataTheft #DoS #Extortion #ICS #InfoSec #MFA #OTX #OpenThreatExchange #Phishing #RAT #SocialEngineering #bot #AlienVault

2026-01-30

CERT.PL's report on the coordinated attacks against Polish infrastructure. Adversaries used all manner of destructive techniques: firmware corruption, wipers, SSH commands, FTP deletes, factory resets, even booted Tiny Core Linux on KVM to DD-wipe servers.

They targeted a grid connection point, CHP plant, and a manufacturing site. The forensic reconstruction and malware analysis are excellent. Worth a read for the technical depth.

cert.pl/en/posts/2026/01/incid

#ICS #OTSecurity

2026-01-30

Threat Intelligence Dossier: TOXICSNAKE

A multi-domain traffic distribution system (TDS) operation was discovered, centered around the domain toxicsnake-wifes.com. The infrastructure serves as a commodity cybercrime TDS farm, routing victims to phishing, scams, or malware payloads. The operation uses a first-stage JavaScript loader, followed by a second-stage that attempts to fetch upstream payloads. The cluster shares common WHOIS, DNS, and hosting patterns, indicative of bulletproof VPS usage. Multiple burner domains with similar tradecraft were identified, suggesting an organized operator cluster. The infrastructure employs obfuscation, dynamic remote injection, and disposable registration techniques. While the main payload was unreachable during analysis, historical evidence suggests the delivery of malicious content.

Pulse ID: 697c6f532a93bb12de9eaa83
Pulse Link: otx.alienvault.com/pulse/697c6
Pulse Author: AlienVault
Created: 2026-01-30 08:44:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberCrime #CyberSecurity #DNS #DoS #ICS #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #Phishing #RAT #bot #AlienVault

2026-01-30

LABYRINTH CHOLLIMA Evolves into Three Adversaries

The LABYRINTH CHOLLIMA threat group has split into three distinct adversaries: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and core LABYRINTH CHOLLIMA. Each subgroup has specialized malware, objectives, and tradecraft. GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus on cryptocurrency entities, while core LABYRINTH CHOLLIMA continues espionage operations targeting industrial, logistics, and defense companies. Despite operating independently, these groups share tools and infrastructure, indicating coordinated resource allocation within North Korea's cyber ecosystem. The evolution stems from the KorDLL malware framework, which spawned several malware families. Recent operations demonstrate cloud-focused tradecraft and the use of zero-day vulnerabilities to deliver malware.

Pulse ID: 697c706415974488f8933c8c
Pulse Link: otx.alienvault.com/pulse/697c7
Pulse Author: AlienVault
Created: 2026-01-30 08:48:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #Espionage #ICS #InfoSec #Korea #Malware #NorthKorea #OTX #OpenThreatExchange #RAT #RCE #ZeroDay #bot #cryptocurrency #AlienVault

2026-01-30

Dissecting UAT-8099: New persistence mechanisms and regional focus

UAT-8099, a threat actor targeting vulnerable IIS servers across Asia, has launched a new campaign from late 2025 to early 2026. The group's tactics have evolved, focusing on Thailand and Vietnam, and employing web shells, PowerShell scripts, and the GotoHTTP tool for remote access. New variants of BadIIS malware now include region-specific features, with separate versions targeting Vietnam and Thailand. The actor has expanded their toolkit to include utilities for log removal, file protection, and anti-rootkit capabilities. They've also adapted their persistence methods, creating hidden user accounts and leveraging legitimate tools to evade detection. The campaign demonstrates significant operational overlaps with the WEBJACK campaign, including shared malware hashes, C2 infrastructure, and victimology.

Pulse ID: 697b96e2955f456977e00c46
Pulse Link: otx.alienvault.com/pulse/697b9
Pulse Author: AlienVault
Created: 2026-01-29 17:20:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #CyberSecurity #HTTP #ICS #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #RAT #Rootkit #SMS #Thailand #Vietnam #bot #AlienVault

2026-01-29

Malicious Software Distribution via SEO-Poisoned Repositories

This campaign leverages SEO poisoning to redirect users searching for legitimate software toward malicious download infrastructure that mimics trusted repositories.

Pulse ID: 697bb72e046d954b7195c53d
Pulse Link: otx.alienvault.com/pulse/697bb
Pulse Author: cryptocti
Created: 2026-01-29 19:38:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #Mimic #OTX #OpenThreatExchange #Rust #SEOPoisoning #bot #cryptocti

2026-01-29

I am looking for a script to merge two ics files.

Given two ics files I need a new one that contains a semantically 'Ok' merge.

e.g. I don't care about fields like PRODID, just choose one.
Did ACKNOWLEDGED change? -> Use the data from the newer one ... and so on.

It may gladly ask for user feedback if it is not trivial to merge.

#ics #ical #icalendar

2026-01-29

Dissecting UAT-8099: New persistence mechanisms and regional focus

UAT-8099's latest campaign from August 2025 to early 2026 targets vulnerable IIS servers across Asia, focusing on Thailand and Vietnam. The threat actor employs web shells, PowerShell scripts, and the GotoHTTP tool for remote access. New BadIIS variants are customized for specific regions, with enhanced persistence mechanisms and SEO fraud tactics. The malware now includes features like hardcoded target regions, exclusive file extensions, and the ability to load HTML templates. A Linux ELF variant of BadIIS was also identified. The campaign shows significant operational overlaps with the WEBJACK campaign, including shared malware hashes, C2 infrastructure, and victimology.

Pulse ID: 697b57759a314f33d84f3b73
Pulse Link: otx.alienvault.com/pulse/697b5
Pulse Author: AlienVault
Created: 2026-01-29 12:49:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #CyberSecurity #ELF #HTML #HTTP #ICS #InfoSec #Linux #Malware #OTX #OpenThreatExchange #PowerShell #RAT #SMS #Thailand #Vietnam #bot #AlienVault

2026-01-29

Dragos reports a cyberattack affecting OT control and communications at ~30 distributed energy facilities tied to Poland’s power grid.

No transmission impact or outages occurred, but adversaries reportedly accessed operational systems and disabled some equipment. The case highlights growing risk across decentralized energy assets that depend heavily on remote access and often receive limited OT security investment.

Source: therecord.media/poland-electri

What controls matter most for distributed grid resilience?

Share insights and follow @technadu

#OTSecurity #ICS #CriticalInfrastructure #EnergyCyber #ThreatActors #GridSecurity #CyberDefense

Cyberattack on Poland’s power grid hit around 30 facilities, new report says

2026-01-28

Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan

A sophisticated Android spyware campaign targeting individuals in Pakistan has been uncovered, using romance scam tactics as a lure. The malicious app, named GhostChat, poses as a chat platform with fake female profiles, requiring hardcoded passcodes to access. Once installed, it enables covert surveillance and data exfiltration. The campaign is part of a broader spy operation, including a ClickFix attack compromising victims' computers and a WhatsApp device-linking attack gaining access to victims' accounts. These related attacks used websites impersonating Pakistani governmental organizations. The threat actor employs multiple tactics across mobile and desktop platforms, blending social engineering, malware delivery, and espionage techniques.

Pulse ID: 697a54c83114b3a03ef8a8cd
Pulse Link: otx.alienvault.com/pulse/697a5
Pulse Author: AlienVault
Created: 2026-01-28 18:26:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #CyberSecurity #Espionage #Government #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Pakistan #RAT #Romance #SocialEngineering #SpyWare #WhatsApp #bot #AlienVault
