Simon Kenin
@k3yp0d.bsky.social
Threat Hunter at SentinelOne | curatedintel.org Member | k3yp0d.blogspot.com | Opinions are of my own voices inside my own head | memes and music are welcome
4/4
VIBE attribution to Handala because of similarities in TTPs and similarities to their HEAVYGRAM malware.
Ref: doublepulsar.com/handala-atte...
I don't need to reverse this shit to know... 🤡
VIBE attribution to Handala because of similarities in TTPs and similarities to their HEAVYGRAM malware.
Ref: doublepulsar.com/handala-atte...
I don't need to reverse this shit to know... 🤡
Handala attempts a supply chain hack via ReutOne
During the week, Handala — a group painfully in love with Israel, tried a forward supply chain attack.
doublepulsar.com
November 16, 2025 at 3:36 PM
4/4
VIBE attribution to Handala because of similarities in TTPs and similarities to their HEAVYGRAM malware.
Ref: doublepulsar.com/handala-atte...
I don't need to reverse this shit to know... 🤡
VIBE attribution to Handala because of similarities in TTPs and similarities to their HEAVYGRAM malware.
Ref: doublepulsar.com/handala-atte...
I don't need to reverse this shit to know... 🤡
3/4
securityscanner.exe
7f4ded56abaacb2bf4649665ac259c7c
25f27131e8de91f8d6fdf9bfa1901577f992ce33
2afcac3231235b5cea0fc702d705ec76afec424a9cec820749b83b6299d1fe1b
This file is not signed by Check Point... it connects to Telegram and Dropbox for exfiltration and probably more...
securityscanner.exe
7f4ded56abaacb2bf4649665ac259c7c
25f27131e8de91f8d6fdf9bfa1901577f992ce33
2afcac3231235b5cea0fc702d705ec76afec424a9cec820749b83b6299d1fe1b
This file is not signed by Check Point... it connects to Telegram and Dropbox for exfiltration and probably more...
November 16, 2025 at 3:36 PM
3/4
securityscanner.exe
7f4ded56abaacb2bf4649665ac259c7c
25f27131e8de91f8d6fdf9bfa1901577f992ce33
2afcac3231235b5cea0fc702d705ec76afec424a9cec820749b83b6299d1fe1b
This file is not signed by Check Point... it connects to Telegram and Dropbox for exfiltration and probably more...
securityscanner.exe
7f4ded56abaacb2bf4649665ac259c7c
25f27131e8de91f8d6fdf9bfa1901577f992ce33
2afcac3231235b5cea0fc702d705ec76afec424a9cec820749b83b6299d1fe1b
This file is not signed by Check Point... it connects to Telegram and Dropbox for exfiltration and probably more...
2/4
The PDF masquerades the download link to be a Check Point security tool.
The password for the RAR however is related to a cloud provider called cloudstar, but the small print say the service is provided by G.N.S.
cellcom.co.il/production/B...
The PDF masquerades the download link to be a Check Point security tool.
The password for the RAR however is related to a cloud provider called cloudstar, but the small print say the service is provided by G.N.S.
cellcom.co.il/production/B...
November 16, 2025 at 3:36 PM
2/4
The PDF masquerades the download link to be a Check Point security tool.
The password for the RAR however is related to a cloud provider called cloudstar, but the small print say the service is provided by G.N.S.
cellcom.co.il/production/B...
The PDF masquerades the download link to be a Check Point security tool.
The password for the RAR however is related to a cloud provider called cloudstar, but the small print say the service is provided by G.N.S.
cellcom.co.il/production/B...
4/5
This onlyoffice subdomain is also mentioned by Proofpoint, but the shared key and content are different.
Test Projects.zip -> 8e7771ed1126b79c9a6a1093b2598282221cad8524c061943185272fbe58142d
This file is listed in the IOCs of the CP blog and might have been reused
This onlyoffice subdomain is also mentioned by Proofpoint, but the shared key and content are different.
Test Projects.zip -> 8e7771ed1126b79c9a6a1093b2598282221cad8524c061943185272fbe58142d
This file is listed in the IOCs of the CP blog and might have been reused
November 7, 2025 at 9:34 PM
4/5
This onlyoffice subdomain is also mentioned by Proofpoint, but the shared key and content are different.
Test Projects.zip -> 8e7771ed1126b79c9a6a1093b2598282221cad8524c061943185272fbe58142d
This file is listed in the IOCs of the CP blog and might have been reused
This onlyoffice subdomain is also mentioned by Proofpoint, but the shared key and content are different.
Test Projects.zip -> 8e7771ed1126b79c9a6a1093b2598282221cad8524c061943185272fbe58142d
This file is listed in the IOCs of the CP blog and might have been reused
November 7, 2025 at 9:34 PM
2/5
Part of this activity was reported by Check Point research.checkpoint.com/2025/nimbus-...
Part of this activity was reported by Check Point research.checkpoint.com/2025/nimbus-...
Nimbus Manticore Deploys New Malware Targeting Europe - Check Point Research
Nimbus Manticore continuously attacks defense, manufacturing, telecommunications, and aviation targets aligned with the IRGC
research.checkpoint.com
November 7, 2025 at 9:34 PM
2/5
Part of this activity was reported by Check Point research.checkpoint.com/2025/nimbus-...
Part of this activity was reported by Check Point research.checkpoint.com/2025/nimbus-...
4/4
Iranian Kittens go O_o
Iranian Kittens go O_o
a close up of a cat 's face with its mouth open
ALT: a close up of a cat 's face with its mouth open
media.tenor.com
October 28, 2025 at 5:23 PM
4/4
Iranian Kittens go O_o
Iranian Kittens go O_o
October 28, 2025 at 5:23 PM
2/4 Evidence
www.secureworks.com/blog/abraham...
www.secureworks.com/blog/abraham...
October 28, 2025 at 5:23 PM
2/4 Evidence
www.secureworks.com/blog/abraham...
www.secureworks.com/blog/abraham...
4/5
JS downloads NetSupport RAT and drops decoy PDF
Example C2 139.28.38.39
JS downloads NetSupport RAT and drops decoy PDF
Example C2 139.28.38.39
October 25, 2025 at 9:19 AM
4/5
JS downloads NetSupport RAT and drops decoy PDF
Example C2 139.28.38.39
JS downloads NetSupport RAT and drops decoy PDF
Example C2 139.28.38.39
3/5
Example zip 0f6f4c1821b71ea73213b3b290b7e23b
Vchasno_doc_22.10.2025_0029.zip
Zip contains either just a JS payload or benign files with additional archives which contains the JS payload
Example zip 0f6f4c1821b71ea73213b3b290b7e23b
Vchasno_doc_22.10.2025_0029.zip
Zip contains either just a JS payload or benign files with additional archives which contains the JS payload
October 25, 2025 at 9:19 AM
3/5
Example zip 0f6f4c1821b71ea73213b3b290b7e23b
Vchasno_doc_22.10.2025_0029.zip
Zip contains either just a JS payload or benign files with additional archives which contains the JS payload
Example zip 0f6f4c1821b71ea73213b3b290b7e23b
Vchasno_doc_22.10.2025_0029.zip
Zip contains either just a JS payload or benign files with additional archives which contains the JS payload
2/5
Example PDF ebb7c92f4d38510f8efab00eb8e2d9ad
Платіжне_доручення_22.10.2025_00684096792.pdf
PDF contains link to 2nd payload.
2nd stage payload is distributed among different hosting providers:
Dropbox
MS OneDrive
4sync
Example PDF ebb7c92f4d38510f8efab00eb8e2d9ad
Платіжне_доручення_22.10.2025_00684096792.pdf
PDF contains link to 2nd payload.
2nd stage payload is distributed among different hosting providers:
Dropbox
MS OneDrive
4sync
October 25, 2025 at 9:19 AM
2/5
Example PDF ebb7c92f4d38510f8efab00eb8e2d9ad
Платіжне_доручення_22.10.2025_00684096792.pdf
PDF contains link to 2nd payload.
2nd stage payload is distributed among different hosting providers:
Dropbox
MS OneDrive
4sync
Example PDF ebb7c92f4d38510f8efab00eb8e2d9ad
Платіжне_доручення_22.10.2025_00684096792.pdf
PDF contains link to 2nd payload.
2nd stage payload is distributed among different hosting providers:
Dropbox
MS OneDrive
4sync
4/8
PDQ downloads ScreenConnect... 🤦♂️
microsoft_update000918u388.exe
0e99bfef05215614aafd6b9ea0e9f21b
9b04dadbb0a50d98d26abdccd27fb1696d78058e
77350a45d7d90766c03d690d7fd5178ba72af442e2ada60d9bdbb011c98189be
PDQ downloads ScreenConnect... 🤦♂️
microsoft_update000918u388.exe
0e99bfef05215614aafd6b9ea0e9f21b
9b04dadbb0a50d98d26abdccd27fb1696d78058e
77350a45d7d90766c03d690d7fd5178ba72af442e2ada60d9bdbb011c98189be
October 5, 2025 at 12:44 PM
3/4
ScreenConnect C2: gripsmonga[.]sbs / 144.172.95.60
Hosted at: RouterHosting / Cloudzy 🤢🤮🤢
ScreenConnect C2: gripsmonga[.]sbs / 144.172.95.60
Hosted at: RouterHosting / Cloudzy 🤢🤮🤢
October 5, 2025 at 12:44 PM
3/4
ScreenConnect C2: gripsmonga[.]sbs / 144.172.95.60
Hosted at: RouterHosting / Cloudzy 🤢🤮🤢
ScreenConnect C2: gripsmonga[.]sbs / 144.172.95.60
Hosted at: RouterHosting / Cloudzy 🤢🤮🤢