Threat actors are teaming up with organized crime to target truckers — stealing identities, placing fraudulent bids on freight, and making off with the cargo. Their entry point? Emails with links delivering Remote Monitoring and Management (RMM) tools. Together with @selenalarson.bsky.social :

🚨 Job seekers, watch out! 🚨 Proofpoint found threat actors targeting job seekers to distribute remote management tools that can lead to data or financial theft, or potentially to install follow-on malware like ransomware.

Today, Proofpoint joins the cybersecurity community and the U.S. and international law enforcement in celebrating the disruption of #DanaBot, a malware-as-a-service used by sophisticated cybercriminals since 2018. brnw.ch/21wSRiZ

Thanks for the shoutout and for recognizing our work at DFIR Report in tracking these threats! 🔗Read the article here: www.proofpoint.com/us/blog/thre...

New cyber threat research from Proofpoint highlights how attackers are adapting to law enforcement disruptions, leveraging trusted software to evade detection and compromise systems. This blog details our team's findings: www.proofpoint.com/us/blog/thre.... #malware #ransomware #dataloss

Dropping some new research on TA397/Bitter 🚨 Hidden in Plain Sight | TA397’s New Attack Chain Delivers Espionage RATs Report: www.proofpoint.com/us/blog/thre...

In December 11 and 12, 2024, a spearphishing campaign targeted at least 20 Autonomous System (AS) owners, predominantly Internet Service Providers (ISPs), and purported to come from the Network Operations Center (NOC) of a prominent European ISP. 🧵⤵️

2024-12-04 (Wednesday): #AgentTesla variant using #FTP for data exfiltration. A sanitized copy of the email distributing the malware, a #pcap from an infection run, the associated malware samples, and a list of indicators are available at www.malware-traffic-analysis.net/2024/12/04/i...

#BumbleBee malspam using Cisco AnyConnect as a lure. It contains a PDF with a link to a fake AnyConnect installer that opens AnyConnect on the Microsoft App Store to mask the BumbleBee infection 🔥 Payload delivery URLs: 🌐 urlhaus.abuse.ch/host/95.164.... Payload: 📄 bazaar.abuse.ch/sample/b8794...

#BruteRatel - #Latrodectus - url > .js > .msi > .dll wscript.exe Document-v15-51-07.js msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fes.msi rundll32.exe C:\Users\Admin\AppData\Roaming\avutil.dll, DLLMain (1/3)👇 IOC's github.com/pr0xylife/La...

I really like the freedom of BlueSky's API and hope it can be maintained. I will use the API to push more IOCs.

T-Minus 37 days til the next season of #100DaysofYARA kicks off!! Who’s excited and what will you be working on? I can’t believe it but I’m excited to write rules for JavaScript 😬😵‍💫 But also get to show off the new macho module from the one and only @jacoblatonis.me

2024-11-22 (Friday) #XLoader / #Formbook: I've been fired by my non-existent HR department. At least I got a "salary-receipt.exe" bazaar.abuse.ch/sample/003b5... Tria.ge and Any.Run don't identify the malware, but Joe Sandbox does: www.joesandbox.com/analysis/156... Also runs in my lab just fine

Welcome Brad! @malware-traffic.bsky.social

Very interesting story which in my opinion that shows how the Chinese surveillance state is even "knocking off" on itself when it comes to IP/Data. This is some great research from SpyCloud Labs! Very proud of the Labs Research Team! www.wired.com/story/chines...

For visibility - x0rz now on Blue Sky, so happy :)

New blog drop with @selenalarson.bsky.social and the rest of the team. This one covers a lot of threats using the #ClickFix technique to lure targets to infect themselves by pasting malicious CMD/PS code. My "fave" is the chumbox #malvertising on major tech sites. www.proofpoint.com/us/blog/thre...

Reuters also confirms the story about Biden allowing Ukraine to use US arms to strike inside Russia, citing three sources familiar with the matter. Ukraine plans to conduct its first long-range attacks in the coming days. www.reuters.com/world/biden-...

Almost embarrassed to post this, but I've always used Fiddler or Burp for capturing things like this... I didn't have admin rights and was trying to capture network traffic from a pop-up, so Dev Tools wasn't working Apparently this is built into Chrome/Edge! So cool :) edge://net-export/

Two great easy-to-use tools to find new follows - both worked great.

Smokeloader keeps crawling its way back into the limelight. If you want a primer on it, I gave a public talk on it 2 years ago www.youtube.com/watch?v=O69e...

IMO: Storm-0875 (overlaps UNC3944/Scattered Spider) is the most dangerous financial threat actor right now Some recent developments: 1. Now deploying ransomware (had been extorting orgs before) 2. In last few months targeting large/well known enterprises (not just telcos/help desk/crypto orgs)