World Watch OCD
@ocdworldwatch.bsky.social
🔗 Related IoCs can be found on GitHub:
github.com/cert-orangec...
September 23, 2025 at 9:38 AM
☣ The main lure deploys a full Python environment and runs a Python script responsible for fetching the next stage from a remote C2. It then opens a decoy file in Word. The C2s are now inactive but have been tied to the Pure malware family.
September 23, 2025 at 9:38 AM
✉ The campaigns are initiated from the legitimate noreply[@]appsheet.com address and deliver various payloads, with lures targeting corporate sales, marketing, and legal teams. We advise hunting for emails from this sender.
September 23, 2025 at 9:38 AM
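The sender-based hunt recommended in the post above, as an added example that is not Orange Cyberdefense's code: a small Python script that parses raw RFC 5322 messages, flags those whose From address is noreply@appsheet.com, and records the Reply-To, Return-Path and embedded URLs for triage. The sample messages are constructed for this example, and the display-name-only match and the Reply-To domain mismatch flag are assumptions added here for triage, not behaviour the post describes.

```python
"""Hunt a batch of raw emails for the noreply@appsheet.com sender.

Added example, not Orange Cyberdefense code. The sample messages below are
constructed; no real captures are used.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional

TARGET_SENDER = "noreply@appsheet.com"  # sender named in the post
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages: one exact sender match, one unrelated,
# one that only puts the target address in the display name (assumed lookalike).
SAMPLE_MESSAGES: List[bytes] = [
    (b"From: AppSheet <noreply@appsheet.com>\n"
     b"Reply-To: sales-desk@example.invalid\n"
     b"Return-Path: <bounce@appsheet.com>\n"
     b"Subject: Contract review request\n"
     b"Message-ID: <a1@appsheet.com>\n"
     b"Content-Type: text/plain; charset=utf-8\n"
     b"\n"
     b"Please review the proposal: https://example.invalid/invoice.zip\n"),
    (b"From: Billing <billing@example.com>\n"
     b"Subject: Your statement\n"
     b"Message-ID: <b2@example.com>\n"
     b"Content-Type: text/plain; charset=utf-8\n"
     b"\n"
     b"Statement attached.\n"),
    (b"From: \"noreply@appsheet.com\" <notices@example.net>\n"
     b"Subject: Legal notice\n"
     b"Message-ID: <c3@example.net>\n"
     b"Content-Type: text/html; charset=utf-8\n"
     b"\n"
     b"<a href=\"https://example.net/legal-notice\">Open</a>\n"),
]


def _addr(value) -> str:
    """Bare address from a header such as 'Name <addr>', lower-cased for matching."""
    return parseaddr(str(value or ""))[1].lower()


def _display_name(value) -> str:
    return parseaddr(str(value or ""))[0].lower()


def _urls(msg) -> List[str]:
    """Collect URLs from text/plain and text/html parts (deduplicated)."""
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return sorted(set(urls))


def classify(msg) -> Optional[str]:
    """'exact_sender' for the address in the post; 'display_name_only' is an
    assumed lookalike check (target address shown only as display name)."""
    from_header = msg.get("From")
    if _addr(from_header) == TARGET_SENDER:
        return "exact_sender"
    if TARGET_SENDER in _display_name(from_header):
        return "display_name_only"
    return None


def hunt(raw_messages: List[bytes]) -> List[Dict[str, object]]:
    """Return one triage record per message that matches the sender hunt."""
    hits: List[Dict[str, object]] = []
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        kind = classify(msg)
        if kind is None:
            continue
        reply_to = _addr(msg.get("Reply-To"))
        hits.append({
            "match": kind,
            "message_id": str(msg.get("Message-ID", "")),
            "subject": str(msg.get("Subject", "")),
            "from": _addr(msg.get("From")),
            "reply_to": reply_to,
            "return_path": _addr(msg.get("Return-Path")),
            # Assumption: a Reply-To outside appsheet.com redirects victim replies
            # away from the legitimate service and deserves a closer look.
            "reply_to_mismatch": bool(reply_to) and not reply_to.endswith("@appsheet.com"),
            "urls": _urls(msg),
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_MESSAGES):
        print(hit)
```

Feed it an mbox export or gateway samples instead of SAMPLE_MESSAGES; a hit is a lead, not a verdict, because legitimate AppSheet notifications come from the same address, so the extracted URLs and Reply-To are what decide the triage.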
The new version has removed these notable behaviours and is seen in campaigns with fake invoice lures. New indicators of compromise (IoCs) are available on our GitHub: github.com/cert-orangec...
July 3, 2025 at 7:43 AM
🤖 These detection opportunities were presented at Botconf 2025: www.botconf.eu/wp-content/u...
July 3, 2025 at 7:43 AM
⛪🔎 Historically, new MintsLoader JS samples were easy to find because the obfuscation strings consistently used text from a book, Andrew Melville by William Morison.
The associated infrastructure could be tracked thanks to specific patterns and campaign IDs in the C2 URLs: archive.org/details/cu31...
July 3, 2025 at 7:43 AM
Written in C++, #NailaoLocker is relatively unsophisticated and poorly designed. The ransomware uses the “.locked” extension. It is loaded through DLL search-order hijacking.
February 20, 2025 at 8:16 AM
➡️ The full article on the Green Nailao cluster is available here: orangecyberdefense.com/global/blog/...
➡️ IoCs and Yara rules can be found on our GitHub: github.com/cert-orangec...
February 20, 2025 at 8:16 AM
We provide a #Yara rule to hunt for Edam Dropper, as well as related #IoCs and technical details, available on GitHub.
🤝 The infection chain was also analyzed by @strikereadylabs.com last week, and could be tied to 🇷🇺 #Sandworm APT (low confidence).

strikeready.com/blog/ru-apt-...
December 5, 2024 at 10:55 AM