lgde.bsky.social
@lgde.bsky.social
DFIR. Ex-Lead intelligence. Ex @ANSSI_FR. PhD in intl law. Mostly working on Chinese #APT but also on russian and cybercrime actors #ThreatIntel #Malware #DFIR https://linktr.ee/l_lgde
Pinned
How long can a vulnerable server stay clean on the internet? A honeypot tale. #malware #miner #redtail

🔗 securite360.net/how-long-can...
How Long Can a Vulnerable Server Stay Clean on the Internet? A Honeypot Tale – Securite360
securite360.net
Reposted by L²
🚨Active Exploitation Alert: Critical Apache Tomcat RCE (CVE-2025-24813). Majority of traffic targeting U.S.-based systems. Full analysis & attacker IPs⬇️
#ApacheTomcat #Apache #GreyNoise #Vulnerability #CVE202524813
GreyNoise Observes Active Exploitation of Critical Apache Tomcat RCE Vulnerability (CVE-2025-24813)
Attackers are actively exploiting Apache Tomcat servers by leveraging CVE-2025-24813. If successfully exploited it could enable remote code execution. GreyNoise has identified multiple IPs engaging in...
greynoise.io
March 20, 2025 at 7:31 PM
Reposted by L²
Trump administration does not believe Russia represents a cyber threat against US national security or critical infrastructure? www.theguardian.com/us-news/2025...
February 28, 2025 at 8:34 PM
How long can a vulnerable server stay clean on the internet? A honeypot tale. #malware #miner #redtail

🔗 securite360.net/how-long-can...
How Long Can a Vulnerable Server Stay Clean on the Internet? A Honeypot Tale – Securite360
securite360.net
February 27, 2025 at 11:51 AM
Reposted by L²
#BREAKING Europe's security is at a 'turning point': EU chief
February 17, 2025 at 1:02 PM
Reposted by L²
A must-read for anyone who wants to understand the extent of the information #databrokers collect about internet users.

#adint #cybercriminalité #sensibilisation

Thank you #LeMonde for this excellent article.

www.lemonde.fr/pixels/artic...
February 12, 2025 at 4:45 PM
Reposted by L²
The blog feels like a retro FLARE blog from the good old FireEye days!

Shout out to Nino Isakovic, @qutluch.bsky.social and @lukejenx.bsky.social

cloud.google.com/blog/topics/...
ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator | Google Cloud Blog
We have been tracking multiple espionage operations conducted by China-nexus actors utilizing POISONPLUG.SHADOW malware.
cloud.google.com
January 29, 2025 at 8:46 AM
Reposted by L²
Deobfuscation of Lumma Stealer
Introduction
ryan-weil.github.io
December 23, 2024 at 7:23 AM
Reposted by L²
ReversingLabs researchers have identified 18 malicious VSCode extensions available through the official VSCode Marketplace.

As soon as the extensions were removed from the VSCode Marketplace, the attacker uploaded similar malicious projects on the npm portal.

www.reversinglabs.com/blog/a-new-p...
December 18, 2024 at 11:30 PM
Spotting PLA activity is rare - every opportunity to investigate matters. Dive in #Nomadpanda #RedFoxtrot #Quickheal #malware securite360.net/a-painful-qu...
December 13, 2024 at 9:08 PM
Reposted by L²
In relation to the RDP phish campaign detailed below: Not sure it's been mentioned, but apparently both the Swedish and Norwegian governments were at least on the target list, judging by these phish domains.

regeringskansliet-se[.]cloud
dep-no[.]cloud

#infosec #apt

microsoft.com/en-us/security/b…
December 5, 2024 at 2:28 PM
Reposted by L²
An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.
krebsonsecurity.com/2024/05/star...
Stark Industries Solutions: An Iron Hammer in the Cloud
Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distr...
krebsonsecurity.com
December 1, 2024 at 8:19 AM
Reposted by L²
Why is a Chinese ship suspect in the damage to Baltic Sea cables? @lemonde.fr has reconstructed the itinerary of the Yi Peng 3, revealing that this merchant ship, now idle between Sweden and Denmark, was precisely sailing above the cables at the time they broke—sometimes down to the exact second.
Damage to Baltic Sea submarine cables: Why suspicion is focusing on a Chinese vessel
Le Monde has reconstructed the itinerary of the Yi-Peng 3, revealing why this merchant ship, currently immobilized between Sweden and Denmark, is the number one suspect in the damage caused to two sub...
www.lemonde.fr
November 22, 2024 at 9:26 AM
Reposted by L²
Russian spies—likely Russia's GRU intelligence agency—used a new trick to hack a victim in Washington, DC: They remotely infected another network in a building across the street, hijacked a laptop there, then breached the target organization via its Wifi. www.wired.com/story/russia...
Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack
In a first, Russia's APT28 hacking group appears to have remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street.
www.wired.com
November 22, 2024 at 12:06 PM
Reposted by L²
If you're part of civil society and received an Apple notification. The Amnesty Security Lab would be happy to test your phone!

The Apple notification looks like this: support.apple.com/en-us/102174

The Security Lab can be contacted here: securitylab.amnesty.org/get-help/
About Apple threat notifications and protecting against mercenary spyware - Apple Support
Apple threat notifications are designed to inform and assist users who may have been individually targeted by mercenary spyware.
support.apple.com
November 20, 2024 at 12:50 PM
Reposted by L²
An Infostealer Searching for « BIP-0039 » Data isc.sans.edu/diary/31464
An Infostealer Searching for « BIP-0039 » Data - SANS Internet Storm Center
isc.sans.edu
November 22, 2024 at 4:02 AM
Reposted by L²
Podcast: risky.biz/RBNEWS364/
Newsletter: news.risky.biz/risky-biz-ne...

-US charges five Scattered Spider members
-Apple fixes macOS zero-days
-T-Mobile finally stops a breach
-US takes down PopeyeTools carding portal
-Thailand throws out NSO lawsuit
-Microsoft develops something dumb, part 9,136
November 22, 2024 at 10:40 AM
A post that is a few months old, but maybe still relevant securite360.net/unveiling-sh...
November 17, 2024 at 2:18 PM
Reposted by L²
For our next cyber meetups, we are looking for volunteer PhD students to talk about their work (cybersecurity or information manipulation/social networks).
Join us for the "têtards"!
contact@m82-project.org
December 15, 2023 at 7:14 PM
Reposted by L²
[CTI insights]

The latest Qakbot payload distributed happened to be packed by the Dave crypter. The DLL decrypts a resource containing Dave's encrypted shellcode and executes it! (cf. securityintelligence.com/x-force/tric...)
December 21, 2023 at 10:07 AM
Last piece from our CERT, on Akira this time ✍
Aki-RATs - Command and Control Party
www.intrinsec.com
December 3, 2023 at 12:06 PM
Happy to share our new CTI report about Lumma stealer 🕵‍♂️
1/ Intrinsec’s CTI team recently published a report on Lumma Stealer, the most active stealer of the last months
October 18, 2023 at 8:46 AM
Last Friday, we published a report on GuLoader targeting the energy sector in 🇫🇷 and elsewhere.

This report, initially drafted in July for our client, has been recently updated to include new victims we identified.

www.intrinsec.com/wp-content/u...
October 5, 2023 at 5:28 AM
Reposted by L²
New #Bumblebee campaign leveraging CVE-2023-38831
Botnet ID: is0210
RC4 key: NEW_BLACK
C2: g7qf7ew5c[.]life
TTPs: .RAR -> .EXE
October 4, 2023 at 4:43 PM