Found 38 bookmarks
Newest
Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure
Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure
Following major public exposures by Insikt Group and others throughout the last two years, alongside US government sanctions targeting the Intellexa Consortium — the organizational structure behind the Predator mobile spyware — Insikt Group observed a significant decline in Predator-related activity. This apparent decline raised questions about whether the combination of US sanctions, public exposure, and broader international efforts to curb spyware proliferation, such as the UK and France-led Pall Mall process, had dealt a lasting blow to Intellexa’s operations. Yet, Predator activity has not stopped, and in recent months, Insikt Group has observed a resurgence of activity, reflecting the operators’ continued persistence. While much of the identified infrastructure is tied to known Predator operators in countries previously identified by Insikt Group, a new customer has also been identified in Mozambique — a country not previously publicly linked to the spyware. This aligns with the broader observation that Predator is highly active in Africa, with over half of its identified customers located on the continent. Additionally, Insikt Group has found a connection between high-tier Predator infrastructure and a Czech entity previously associated with the Intellexa Consortium. Insikt Group has identified new infrastructure associated with Predator, indicating continued operations despite public exposure, international sanctions, and policy interventions. The newly identified infrastructure includes both victim-facing Tier 1 servers as well as high-tier components that likely link back to Predator operators in various countries. Although much of Predator’s infrastructure remains consistent with previous reporting, its operators have introduced changes designed to further evade detection — a pattern Insikt Group noted in earlier reporting. Insikt Group has detected Predator-related activity in several countries throughout the last twelve months and is the first to report a suspected Predator operator presence in Mozambique. * Insikt Group also connected components of Predator’s infrastructure to a Czech entity previously linked with the Intellexa Consortium by a Czech investigative outlet.
#recordedfuture#EN#2025#Predator#Spyware#Resurgence#Infrastructure#report
·recordedfuture.com·
Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations | Trend Micro (US)
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations | Trend Micro (US)
  • Trend Research has identified multiple IP address ranges in Russia that are being used for cybercrime activities aligned with North Korea. These activities are associated with a cluster of campaigns related to the Void Dokkaebi intrusion set, also known as Famous Chollima. The Russian IP address ranges, which are concealed by a large anonymization network that uses commercial VPN services, proxy servers, and numerous VPS servers with RDP, are assigned to two companies in Khasan and Khabarovsk. Khasan is a mile from the North Korea-Russia border, and Khabarovsk is known for its economic and cultural ties with North Korea. Trend Research assesses that North Korea deployed IT workers who connect back to their home country through two IP addresses in the Russian IP ranges and two IP addresses in North Korea. Trend Micro’s telemetry strongly suggests these DPRK aligned IT workers work from China, Russia and Pakistan, among others. Based on Trend Research’s assessment, North Korea-aligned actors use the Russian IP ranges to connect to dozens of VPS servers over RDP, then perform tasks like interacting on job recruitment sites and accessing cryptocurrency-related services. Some servers involved in their brute-force activity to crack cryptocurrency wallet passwords fall within one of the Russian IP ranges. Instructional videos have also been found with what it looks like non-native English text, detailing how to set up a Beavertail malware command-and-control server and how to crack cryptocurrency wallet passwords. This makes it plausible that North Korea is also working with foreign conspirators. IT professionals in Ukraine, US, and Germany have been targeted in these campaigns by fictitious companies that lure them into fraudulent job interviews. Trend Research assesses that the primary focus of Void Dokkaebi is to steal cryptocurrency from software professionals interested in cryptocurrency, Web3, and blockchain technologies. Trend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on Void Dokkaebi.
#trendmicro#EN#2025#Russia#North-Korea#network#research#infrastructure#IoCs
·trendmicro.com·
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations | Trend Micro (US)
Backdooring Your Backdoors - Another $20 Domain, More Governments
Backdooring Your Backdoors - Another $20 Domain, More Governments
After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves the ability to issue valid and trusted TLS/
#watchtowr#EN#2025#backdoor#infrastructure#abandoned#access#analysis#hack#research#hackback
·labs.watchtowr.com·
Backdooring Your Backdoors - Another $20 Domain, More Governments
Russian Military Cyber Actors Target US and Global Critical Infrastructure
Russian Military Cyber Actors Target US and Global Critical Infrastructure
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.
#cisa#EN#2024#FBI#CISA#GRU#Global#Critical#Infrastructure#Unit29155#GRU-affiliated
·cisa.gov·
Russian Military Cyber Actors Target US and Global Critical Infrastructure
Visualizing QakBot Infrastructure
Visualizing QakBot Infrastructure
This blog post seeks to draw out some high-level trends and anomalies based on our ongoing tracking of QakBot command and control (C2) infrastructure. By looking at the data with a broader scope, we hope to supplement other research into this particular threat family, which in general focuses on specific infrastructure elements; e.g., daily alerting on active C2 servers.
#team-cymru#EN#2023#QakBot#Infrastructure#research#C2
·team-cymru.com·
Visualizing QakBot Infrastructure
Growing cyberattacks on Canada's food system threaten disaster
Growing cyberattacks on Canada's food system threaten disaster
Canada's domestic food production system may actually be one of the most glaring cracks in Canada's national defences. ... Attacking agricultural infrastructure has proven to be an effective part of the Russian playbook so far in its invasion of Ukraine. In June 2022, EU trade counsellor Maud Labat said Moscow has figured out how to wield food as a “geopolitical weapon.”
#financialpost#EN#2023#cyberattacks#food#agricultural#infrastructure
·financialpost.com·
Growing cyberattacks on Canada's food system threaten disaster
Growing cyberattacks on Canada's food system threaten disaster
Growing cyberattacks on Canada's food system threaten disaster
Canada's domestic food production system may actually be one of the most glaring cracks in Canada's national defences. ... Attacking agricultural infrastructure has proven to be an effective part of the Russian playbook so far in its invasion of Ukraine. In June 2022, EU trade counsellor Maud Labat said Moscow has figured out how to wield food as a “geopolitical weapon.”
#financialpost#EN#2023#cyberattacks#food#agricultural#infrastructure
·financialpost.com·
Growing cyberattacks on Canada's food system threaten disaster
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
Summary Three key takeaways from our analysis of Vidar infrastructure: Russian VPN gateways are potentially providing anonymity for Vidar operators / customers, making it more challenging for analysts to have a complete overview of this threat. These gateways now appear to be migrating to Tor. Vidar operators appear to be expanding their infrastructure, so analysts need to keep them in their sights. We expect a new wave of customers and as a result, an increase of campaigns in the upcoming weeks
#team-cymru#EN#2023#Vidar#infostealer#analysis#threat#infrastructure#VPN
·team-cymru.com·
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
Summary Three key takeaways from our analysis of Vidar infrastructure: Russian VPN gateways are potentially providing anonymity for Vidar operators / customers, making it more challenging for analysts to have a complete overview of this threat. These gateways now appear to be migrating to Tor. Vidar operators appear to be expanding their infrastructure, so analysts need to keep them in their sights. We expect a new wave of customers and as a result, an increase of campaigns in the upcoming weeks
#team-cymru#EN#2023#Vidar#infostealer#analysis#threat#infrastructure#VPN
·team-cymru.com·
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
U.S. targeted adversary cyber infrastructure to safeguard midterm vote
U.S. targeted adversary cyber infrastructure to safeguard midterm vote
The U.S. military's Cyber Command hunted down foreign adversaries overseas ahead of this year's mid-term elections, taking down their infrastructure before they could strike, the head of U.S. Cyber Command said. U.S. Army General Paul Nakasone said the cyber effort to secure the vote began before the Nov. 8 vote and carried through until the elections were certified. "We did conduct operations persistently to make sure that our foreign adversaries couldn't utilize infrastructure to impact us," Nakasone, who is also the director of the U.S. National Security Agency, told reporters.
#reuters#EN#2022#safeguard#midterm#vote#cyber#infrastructure#operations#US
·reuters.com·
U.S. targeted adversary cyber infrastructure to safeguard midterm vote
U.S. targeted adversary cyber infrastructure to safeguard midterm vote
U.S. targeted adversary cyber infrastructure to safeguard midterm vote
The U.S. military's Cyber Command hunted down foreign adversaries overseas ahead of this year's mid-term elections, taking down their infrastructure before they could strike, the head of U.S. Cyber Command said. U.S. Army General Paul Nakasone said the cyber effort to secure the vote began before the Nov. 8 vote and carried through until the elections were certified. "We did conduct operations persistently to make sure that our foreign adversaries couldn't utilize infrastructure to impact us," Nakasone, who is also the director of the U.S. National Security Agency, told reporters.
#reuters#EN#2022#safeguard#midterm#vote#cyber#infrastructure#operations#US
·reuters.com·
U.S. targeted adversary cyber infrastructure to safeguard midterm vote