mastodon.xyz is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Mastodon instance, open to everyone, but mainly English and French speaking.


#ics

3 posts, 2 participants, 0 posts today

Deobfuscating APT28's HTA Trojan: A Deep Dive into VBE Techniques & Multi-Layer Obfuscation

This analysis delves into APT28's cyber espionage campaign targeting Central Asia and Kazakhstan diplomatic relations, focusing on their HTA Trojan. The malware employs advanced obfuscation techniques, including VBE (VBScript Encoded) and multi-layer obfuscation. The investigation uses x32dbg debugging to decode the obfuscated code, revealing a custom map algorithm for character deobfuscation. The process involves decoding strings using embedded characters from Windows vbscript.dll. The analysis identifies the use of Microsoft's Windows Script Encoder (screnc.exe) to create VBE files. By employing various deobfuscation techniques, including a Python script, the final malware sample is extracted and analyzed, showcasing APT28's evolving tactics in cyber espionage.

Pulse ID: 67efc6e712b49d46c1423ca9
Pulse Link: otx.alienvault.com/pulse/67efc
Pulse Author: AlienVault
Created: 2025-04-04 11:47:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign

A Russian-speaking threat actor has launched a new phishing campaign using Cloudflare-branded pages themed around DMCA takedown notices. The attack abuses the ms-search protocol to deliver malicious LNK files disguised as PDFs. Once executed, the malware communicates with a Telegram bot to report the victim's IP address before connecting to Pyramid C2 servers. The campaign leverages Cloudflare Pages and Workers services to host phishing pages, and uses an open directory to store malicious files. The infection chain includes PowerShell and Python scripts, with incremental changes in tactics to evade detection. The actors' infrastructure spans multiple domains and IP addresses, primarily using Cloudflare's network.

Pulse ID: 67efc6ed5285702a3440969a
Pulse Link: otx.alienvault.com/pulse/67efc
Pulse Author: AlienVault
Created: 2025-04-04 11:47:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


For a week-long event, a calendar was created on NextCloud and it's great.

However, making a printed version of it is ugly and hard to read…

Do you know of any tools that convert .ics files into a readable and attractive visual?

#agenda #calendrier #ics


@otmar Can we please advise people to not turn their Ivanti Connect Secure (ICS) Version 9.x off?

It is better to disconnect such devices from all networks and get your IR/CERT/SOC to take an HD image and memory dump*. Then turn it off.

*) Contact your Ivanti rep to tell you how, because of course they've put all info behind their customer login.

Operation FishMedley targeting governments, NGOs, and think tanks

ESET researchers have uncovered a global espionage operation called Operation FishMedley, conducted by the FishMonger APT group, which is operated by the Chinese contractor I-SOON. The campaign targeted governments, NGOs, and think tanks across Asia, Europe, and the United States during 2022. The attackers used implants like ShadowPad, SodaMaster, and Spyder, which are common or exclusive to China-aligned threat actors. The operation involved sophisticated tactics including lateral movement, credential theft, and custom malware deployment. Seven victims were identified across various countries and sectors. The analysis provides technical details on the malware used, initial access methods, and command and control infrastructure.

Pulse ID: 67dd406f6ba9eecd280aa95e
Pulse Link: otx.alienvault.com/pulse/67dd4
Pulse Author: AlienVault
Created: 2025-03-21 10:33:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #China #Chinese

Hundreds of thousands of rubles for your secrets: cyber spies disguise themselves as recruiters

Cybercriminals impersonating a real company are sending fake job descriptions to employees of targeted organizations. The attackers, known as Squid Werewolf, are offering substantial sums of money, potentially hundreds of thousands of rubles, in exchange for sensitive information. This sophisticated phishing campaign aims to exploit the trust associated with legitimate recruitment processes to gather confidential data from unsuspecting employees. The operation demonstrates the evolving tactics of cyber espionage groups, blending social engineering with financial incentives to compromise organizational security.

Pulse ID: 67d1758164fe4b799677296c
Pulse Link: otx.alienvault.com/pulse/67d17
Pulse Author: AlienVault
Created: 2025-03-12 11:52:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Highway Robbery 2.0: How Attackers Are Exploiting Toll Systems in Phishing Scams

A massive SMS phishing campaign targeting U.S. drivers exploits various toll systems, including E-ZPass, SunPass, and TxTag. The scam uses fake payment alerts sent via iMessage and SMS from foreign numbers to lure victims to fraudulent websites. Analysis reveals a pattern in domain names and infrastructure, with most phishing sites hosted on Chinese ASNs like Tencent and Alibaba Cloud. The campaign employs nginx web servers and constantly shifts tactics to evade detection. Over 2,000 complaints have been filed with the FBI's Internet Crime Complaint Center, prompting warnings from the FTC and toll authorities. The scam's effectiveness stems from the inconsistency in legitimate toll collection domain names, making it challenging for users to distinguish between real and fake websites.

Pulse ID: 67cee3481de685393015d1b3
Pulse Link: otx.alienvault.com/pulse/67cee
Pulse Author: AlienVault
Created: 2025-03-10 13:04:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Russian State Actors: Development in Group Attributions

This analysis explores the evolution of Russian state-backed cyber actors and their operations. It highlights the activities of several prominent groups, including UNC2589, APT44 (Sandworm), APT29, and APT28. These actors, associated with various Russian intelligence agencies, have been involved in global espionage, sabotage, and influence operations. The report details their targets, which include government organizations, critical infrastructure, and diplomatic entities across multiple countries. It also describes the groups' adaptation to new security measures and their use of advanced techniques such as zero-day exploits, social engineering, and living off the land tactics. The analysis emphasizes the importance of understanding these actors' methods for improving global cybersecurity resilience.

Pulse ID: 67cc2ca27d4672d04ef4eb01
Pulse Link: otx.alienvault.com/pulse/67cc2
Pulse Author: AlienVault
Created: 2025-03-08 11:40:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


SideWinder targets the maritime and nuclear sectors with an updated toolset

The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails containing malicious DOCX files, exploiting CVE-2017-11882 to deliver a multi-stage payload. The group demonstrated agility in evading detection, often updating their tools within hours of being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.

Pulse ID: 67cebdf90f3d662d90cb0701
Pulse Link: otx.alienvault.com/pulse/67ceb
Pulse Author: AlienVault
Created: 2025-03-10 10:24:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Africa #Asia #BackDoor

The #OpenWebCalendar has a new #UI!

You can head over to open-web-calendar.hosted.quell and try it out:

- #edit the #calendar AND see it updating
- #encryption protects #private calendars and the #password
- #CalDAV support
- Change the size to see how it works on other screens

In the picture, the URL to the Personal CalDAV calendar is encrypted and the events show up.

Technically, I really enjoyed #flexbox and #CSS variables i.e. for the dynamic resizing.