gregclermont
@gregclermont.bsky.social
Cybercrime threat intel and detection shenanigans at Sekoia.io
Reposted by gregclermont
📝 Our latest #TDR report delivers an in-depth analysis of Adversary-in-the-Middle (#AitM) #phishing threats - targeting Microsoft 365 and Google accounts - and their ecosystem.

This report shares actionable intelligence to help analysts detect and investigate AitM phishing.
June 11, 2025 at 8:32 AM
Reposted by gregclermont
The future of security operations depends on tools that reflect a deep understanding of investigative work. Unfortunately, many AI-driven products are being built by folks with neither investigative experience nor insight into the cognitive processes underlying effective analysis.
June 5, 2025 at 4:01 PM
Reposted by gregclermont
CTI tip: monitor transactions from the Ethereum address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA to identify new PowerShell commands distributed by ClearFake - and block/detect any traffic to malicious domains!

As usual, feedback is greatly appreciated!
March 20, 2025 at 6:50 PM
Reposted by gregclermont
Here is our in-depth analysis of the latest #ClearFake variant using the Binance Smart Chain and two new ClickFix lures.

ClearFake is injected into thousands of compromised sites to distribute the #Emmental Loader, #Lumma, #Rhadamanthys, and #Vidar.

⬇️

bsky.app/profile/seko...
TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic.

buff.ly/vbiVbsN
ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery
ClearFake spreads malware via compromised websites, using fake CAPTCHAs, JavaScript injections, and drive-by downloads.
blog.sekoia.io
March 20, 2025 at 6:50 PM
Reposted by gregclermont
I recently read the paper "Towards Joint Activity Design Heuristics: Essentials for Human-Machine Teaming" which I loved so much I wanted to make it easier to share. To that end, I've excerpted the Ten Heuristics from the paper here: human-machine.team with anchors for each heuristic.
Ten Machine Requirements To Satisfy Essentials Of Joint Activity
human-machine.team
March 7, 2025 at 2:24 AM
Reposted by gregclermont
For those who did not monitor the supply chain attack against Chrome extensions in December 2024, our article provides an overview of:

- the targeted phishing attack against extension developers
- malicious code
- the adversary's infrastructure

⬇️

bsky.app/profile/seko...
TDR analysts analysed the supply chain attack targeting Chrome browser extensions, which potentially affected hundreds of thousands of end users in December 2024.

https://buff.ly/4auQ0HN
January 22, 2025 at 2:39 PM
Reposted by gregclermont
Around 1,000 malicious domains are hosting webpages impersonating Reddit and WeTransfer, redirecting users to download password-protected archives

These archives contain an AutoIT dropper, which we internally named #SelfAU3 Dropper at @sekoia.io, and which executes #Lumma Stealer

IoCs ⬇️
January 20, 2025 at 6:13 PM
Reposted by gregclermont
Our last article exposes the new AiTM phishing kit Sneaky 2FA, sold by the cybercrime service "Sneaky Log"!

We provide an in-depth analysis of the phishing pages, the associated service, detection opportunities and multiple IoCs.

⬇️

bsky.app/profile/seko...
January 16, 2025 at 4:44 PM
Reposted by gregclermont
Sekoia investigated a cyber espionage campaign using legitimate Office documents, assessed to originate from the Ministry of Foreign Affairs of Kazakhstan, that were weaponized and used to collect strategic intelligence in Central Asia.
Here is the Double Tap campaign > blog.sekoia.io/double-tap-c...
Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations
Uncover the details of the UAC-0063 cyberespionage campaign in Kazakhstan and its potential connection to APT28
blog.sekoia.io
January 13, 2025 at 9:00 AM
New Mamba 2FA relay domain:
25black1cook[.]com

#Mamba2FA #AiTM #PhaaS #phishing
January 8, 2025 at 2:19 PM