Craig Casburn
@r0kthecasbah.bsky.social
Cyber Threat Intelligencer

Interested in all things cybercrime, nation-state, disinformation, and anything else emerging.
Recently discovered a webinar hosting platform actively scraping and redistributing public and private Zoom webinars without knowledge or consent of organizers.

Full details, recommendations, and detection opportunities here: cyberalberta.ca/zooming-out-...

#CTI #ThreatIntelligence #InfoSec
October 10, 2025 at 1:17 PM
CyberAlberta's meta-analysis of the Shai-Hulud worm malware, and how it propagated throughout the npm ecosystem, pieces together the attack chain, detection opportunities, and guidance for maintainers and dependents of OSS packages.

cyberalberta.ca/the-scatteri...

#CTI #ThreatIntelligence #InfoSec
October 3, 2025 at 8:10 PM
CyberAlberta’s latest strategic report covers the threat of #ElectionInterference, providing new findings of inauthentic accounts and news sites exploiting issues relevant to Alberta to antagonise the federal government.

cyberalberta.ca/system/files...

#CTI #ThreatIntelligence #InfoSec
August 5, 2025 at 12:03 PM
CyberAlberta recently observed an attempted Vendor Email Compromise (VEC).

This highly convincing attack has been observed by the Irish Government, and researchers at Abnormal AI, who note high user engagement with this tactic.

cyberalberta.ca/the-evolving...

#CTI #ThreatIntel #InfoSec
The Evolving Threat of Vendor Email Compromise and a recent incident targeting an Alberta Organization
August 4, 2025 at 8:37 PM
🎣 Latest observed Tycoon 2FA campaign

At least 2 US-based education organizations are spoofed to send HTML files masquerading as voicemail or invoices, directing targets to a pre-filled credential harvesting page hosted on DGA .es domains.

#ThreatIntelligence #CTI #InfoSec
June 4, 2025 at 9:57 PM
Interlock hard-coded C2 domains

playiro[.]net
basiclock[.]cc
cluders[.]org

Show the following characteristics

Registrar: PDR
Registrant Name: "Brenda Esparon", or "REDACTED", or "None"
Created around: 1330 27/04/25

Pivoting on these data points in @silentpush.bsky.social reveals more 👇
June 3, 2025 at 5:58 PM
A recent spear phishing campaign leveraged Google Workspace to provide DKIM authentication to a maliciously crafted subdomain. This technique, combined with a misconfigured DMARC policy on the root domain, increased delivery rates.

#ThreatIntelligence #CTI #InfoSec

cyberalberta.ca/spear-phishi...
Spear Phishing Campaign Targets Alberta’s Insurance Industry
May 7, 2025 at 10:37 PM
Reposted by Craig Casburn
Bots are already at the ballot box 🗳️ 🤖

Ahead of the #2025CanadaElection, the DFRLab uncovered bot-like accounts on X spamming political content—mainly targeting the Liberal Party with recycled, false claims & signs of AI-driven amplification.

🔗 bit.ly/3YgjSD9
Bot-like activity targets Canadian political parties and their leaders ahead of election
Canadian federal election subject to spam messaging from automated X accounts.
April 25, 2025 at 9:26 PM
CyberAlberta’s latest report analyzes recent #ClickFix infrastructure observed in the wild, and the subsequent attack chain, offering examples of what to look out for, and how to mitigate the impacts.

#ThreatIntelligence #CTI #InfoSec

cyberalberta.ca/human-verifi...
Human Verification Required: Copy & Paste Your Malware Here
April 8, 2025 at 12:44 AM
LotL isn’t going anywhere. Our latest report highlights how these techniques were recently used to facilitate a recent ransomware deployment, including guidance on detecting and mitigating these all-too-common techniques

cyberalberta.ca/ransomware-t...

#ThreatIntelligence #CTI #InfoSec #Ransomware
Ransomware Targets CyberAlberta Community of Interest Member
March 31, 2025 at 6:25 PM
1/7 Tracking a #ClickFix cluster mass compromising WordPress sites, injecting code which redirects from a first-stage domain to JavaScript producing fake Cloudflare Turnstiles hosted on caprofklfkzttripwith[.]com
March 27, 2025 at 7:14 AM
Reposted by Craig Casburn
Turns out, information manipulation is a real problem for Canada too.

Explore @dfrlab.bsky.social's review of Canada’s 2025 Public Inquiry into Foreign Interference as we assess the potential impact of foreign interference on Canada's elections 🇨🇦

🔗 dfrlab.org/2025/03/19/c...

#CanadaElections2025
An existential threat: Disinformation ‘single biggest risk’ to Canadian democracy
The DFRLab reviews Canada’s 2025 Public Inquiry into Foreign Interference
March 20, 2025 at 8:23 PM
Reposted by Craig Casburn
Fake Captcha / #ClickFix campaigns are switching up themes.

We're seeing campaigns beginning to impersonate #GoogleMeet, in addition to the usual fake #Zoom and Booking pages.

Stay safe, and don't paste code from any suspicious sites.
March 20, 2025 at 2:58 PM
Reposted by Craig Casburn
The Pravda network flooded the internet with 3.6 million pieces of pro-Kremlin propaganda in 2024 alone. This disinformation has already found its way into Artificial Intelligence, allowing dangerous lies to spread even faster. www.axios.com/2025/03/06/e...
Exclusive: AI chatbots echo Russian disinformation, report warns
Bots from Microsoft, Google, OpenAI and others spew falsehoods.
March 10, 2025 at 4:02 PM
‘Pro-Kremlin Disinformation Ecosystem Targets Worldwide Audience’ follows on from great research by @viginum.bsky.social & @dfrlab.bsky.social, analysing the latest iteration of Pravda’s operation undermining the integrity of public opinion with disinformation.

cyberalberta.ca/pro-kremlin-...
Pro-Kremlin Disinformation Ecosystem Targets Worldwide Audience
March 8, 2025 at 2:07 AM