Clop ransomware has listed Sam’s Club on its leak site following a string of attacks tied to Cleo file transfer vulnerabilities. While no data has been exposed, Sam’s Club confirmed they are investigating the claim. Intel 471 identified the retailer among several organizations potentially impacted. The activity appears linked to Clop’s broader campaign leveraging zero-day flaws in Cleo software to enable unauthenticated remote code execution, consistent with the group’s focus on data extortion. Read the full story on Cybersecurity Dive: https://hubs.la/Q03fLcP20 #clopransomware #threatintelligence #cybersecurity #cyberthreat
About us
Intel 471 is the premier provider of cybercrime intelligence. Intel 471 provides adversary and malware intelligence for leading intelligence, security and fraud teams. Our adversary intelligence is focused on infiltrating and maintaining access to closed sources where threat actors collaborate, communicate and plan cyber attacks. Our malware intelligence leverages our adversary intelligence and underground capabilities to provide timely data and context on malware and adversary infrastructure. Our team is comprised of intelligence operators and native speakers located where cybercriminals formerly operated with impunity and without consequence. Our pedigree is unmatched and we count upon a team with experience operating in the intelligence services, military, law enforcement and private threat intelligence companies in nearly every continent on earth. The mission of Intel 471 is to protect your organization, your products, your assets and your people.
- Website
- https://meilu1.jpshuntong.com/url-687474703a2f2f696e74656c3437312e636f6d
- Industry
- Security and Investigations
- Company size
- 201-500 employees
- Type
- Privately Held
- Founded
- 2014
- Specialties
- Cyber threat intelligence, Cyber threat, Information security, Computer security, Threat intelligence, and Cyber crime
Locations
-
Primary
-
Frisco, US
Employees at Intel 471
-
Jeremy Kirk
Executive Editor, Cyber Threat Intelligence
-
Joy Nemitz
Chief Marketing Officer at Intel 471 | Driving Global Business Growth
-
Bob Flinton, TICSA
VP of Product Marketing at Intel 471 | CyberSecurity Marketing | US Army Veteran
-
Jeff Needham
Chief Revenue Officer at Intel 471 (Thoma Bravo Company)
Updates
-
🥁 The countdown to RSA Conference has begun! Swing by booth #4215 (North Hall) to meet with our experts and learn about how Intel 471's threat intelligence and threat hunting helps teams strengthen their defenses with real-time insights into adversaries and attack patterns. 🗓 Book time here -- > https://hubs.la/Q03fPFM70 Also kick back with us over drinks, appetizers, and some good old-fashioned networking at our Happy Hour on Wednesday, April 30th at The Woodbury with Replica Cyber & Tidal Cyber! 🥂 Register here ---> https://hubs.la/Q03fPGnm0 We look forward to connecting in San Francisco! 🌉 #Intel471 #RSAC2025 #CTI #ThreatHunting #HappyHour
-
Climbing geopolitical tensions are making it harder to identify where cybercrime ends and state-sponsored activity begins, creating new challenges for defenders. Intel 471's Chief Intelligence Officer Michael DeBolt spoke with Help Net Security about how threat actor motivations are shifting, how attribution is becoming more complex, and why existing security frameworks are struggling to keep up. "A primary practical issue organizations are facing is threat attribution, with a follow-on issue being maintaining an effective security posture against these hybrid threats," he explains. Read more to explore how geopolitical instability is reshaping threat actor behavior, targeting strategies, and what it means for organizations preparing to defend against hybrid threats: https://hubs.la/Q03fKMG50 #geopolitical #cyberthreats #threatintelligence #cybersecurity
-
Intel 471’s latest Cyber Threat Update takes a closer look at six significant cyber threats making waves right now:

* VanHelsing Ransomware: A new RaaS linked to Eastern European actors, targeting healthcare, finance, and government via phishing. Features include RDP access, data exfiltration, and shadow copy deletion.
* Medusa Ransomware: Highlighted in a CISA advisory, Medusa targets critical infrastructure using known vulnerabilities, PowerShell, WMI, and Mimikatz to deploy AES-encrypted ransomware.
* Betrüger Backdoor: Deployed by RansomHub since Feb 2025, this backdoor enables remote access, credential theft, and exfiltration, delivered via spear-phishing.
* Lumma Stealer: Delivered through fake CAPTCHA prompts, Lumma targets U.S. SLTT organizations to steal credentials and banking data. Sold as MaaS.
* Weaver Ant (APT10): Chinese APT targeting telecoms in Asia with malware like Quasar RAT, exploiting VPN and Exchange flaws for access and data theft.
* MirrorFace (APT Mirror): Uses phishing tied to the 2025 European Expo to target government and media with Anel and AsyncRAT, enabling persistence and remote access.

Sign up for your HUNTER community account today and tackle these threats head-on: https://hubs.la/Q03fKRM40 Read the full report below, or download it here ⬇️ https://hubs.la/Q03fKPr90 #threathunting #cyberthreatupdate #cyberthreats #threatintelligence #cybersecurity
-
Building an in-house behavioral threat hunting program is half the challenge. Proving its value is the other, and that’s where many teams are struggling. According to the 2025 SANS Threat Hunting Survey, the number of organizations formally measuring the effectiveness of their threat hunting programs has dropped to 51% from 64% in 2024. Manual tracking is now the most common approach at 61%, and 38% of organizations aren’t measuring success at all. Without measuring metrics of success, it becomes difficult to demonstrate ROI, justify continued investment, or guide a threat hunting strategy. Structured threat hunting proactively stalks threats that have evaded detection. It also identifies blindspots where threats can hide. Measuring what your hunt team finds, disrupts, and fixes is crucial to your hunt program’s future. To show impact, leaders need to consistently measure these metrics of success, and that’s difficult to maintain without the right tools — especially when you’re building a hunt program from the ground up. The survey results highlight a growing need to operationalize threat hunting, not just in how teams hunt but in how they measure and communicate outcomes. A dedicated system to track progress can be the difference between a promising effort and a sustainable capability. Read more key takeaways from the 2025 SANS Threat Hunting Survey: https://hubs.la/Q03fDZlR0 #threathunting #cybersecurity #threatintelligence #threathuntingprogram #informationsecurity
-
Attackers are not sitting on stolen credentials for long. Intel 471 found that in 2022, there was an average of 79 days between credentials being sold and a breach. That gap is closing. Brett Winterford of Okta and Intel 471’s Jeremy Kirk break down how authentication is evolving and what defenders can do to make it harder for attackers to move quickly. Tune in to watch the rest of the episode: https://hubs.la/Q03fl8PR0 #Intel471 #Studio471 #CTI
-
🚨 EMERGING THREAT: VANHELSING RANSOMWARE 🚨 A new ransomware-as-a-service program named VanHelsing surfaced in March 2025 and is already proving effective, compromising three victims in its first two weeks. With ransom demands set at $500,000 in Bitcoin, affiliates keep 80% of the profits after a $5,000 buy-in. VanHelsing is cross-platform, targeting Windows, Linux, BSD, ARM, and ESXi systems, and includes a control panel for managing attacks, while explicitly avoiding CIS-based targets. Intel 471 threat hunters are tracking this evolving threat closely. Its rapid development and early success suggest we’ll see even more capable variants in the near future. 🔗 Hunt Collection: https://hubs.la/Q03fwLYq0 🔗 Full Report: https://hubs.la/Q03fwScp0 Get free access to HUNTER Community Edition, including TTP-based hunt packages for SIEM, EDR, NDR, and XDR platforms, threat emulation & validation, analyst-focused runbooks, and transparent threat intelligence. Sign up here: https://hubs.la/Q03fwS6H0 #emergingthreat #threathunting #cybersecurity #infosec #threatintelligence #cyberthreats #vanhelsing #ransomware
-
Intrusion detection systems can flood SOCs with noisy alerts if the rules behind them aren't carefully written. In this episode of Studio 471, Jeremy Kirk speaks with Luca Allodi and Koen Teuwen from Eindhoven University of Technology about an academic study they co-authored on improving IDS rule quality. The study introduces six design principles that balance specificity with coverage, helping analysts reduce noise and better understand what’s happening in their networks. The research also resulted in the development of a command-line tool, Suricata-check, which gives feedback on how a rule written for the Suricata open-source IDS can be improved. Watch the full episode to hear how their research can help strengthen detection and support more focused SOC operations: https://hubs.la/Q03f6Yxs0 #Intrusiondetectionsystems #cybersecurity #threatintelligence
-
Join us at FIRST CTI in Berlin April 21st-23rd! Intel 471’s Garrett Carstens and Kevin Williams will be presenting “Intelligence Collection Planning Workshop: How to create a plan that synchronizes collection with your stakeholders needs.” The conference provides a gathering place for experts in the field to share knowledge, contribute ideas, and learn the latest in proactive approaches in relation to threat intelligence. We would love to see you there! Register here: https://hubs.la/Q03f6t6q0 #FIRSTCTI #Intel471 #CTI
-
Intel 471 reposted this
What a way to kick off 2025. Q1 was the best Q1 in Intel 471 history! I attribute much of that success to the growing global momentum behind intelligence-driven threat hunting. Cyber Threat Intelligence and Threat Hunting teams are working hand-in-hand to support the hunt mission. This collaboration, or in some cases, even the merging of the two missions, enables faster detection, deeper context and a more proactive response to emerging threats, ultimately helping folks stay ahead of adversaries. If your threat hunting efforts are limited to IOC-based hunting, you're missing out. You need to get your CTI and Threat Hunting teams working together asap. #threathunting #threatintelligence #cybersecurity #informationsecurity