🧬 The SAFEPAY ransomware is showing a significant uptick in activity, accounting for nearly 20% of all ransomware incidents over the past week. SAFEPAY is delivered as a 32-bit DLL and executed through the regsvr32 utility, with a password passed in the install argument to avoid detection:

regsvr32 /n /i:"-pass=XXXXXXXXXXXXXXXXXXXXX -enc=1 -uac" locker.dll

Indicators of Compromise:

📁 Filenames & Hashes:
- locker.dll – 48db685ee0a34dba779a84d454b317aa
- locker.dll – 4b4b1a7e4fbb3357b62e86da706c5997
- abc.dll – a60d6cfee59a52de25a47f8630ce71fc
- locker.dll – e49ab917e87697835852c81c3954010c
- filename – d1f621b82822b544153f6b531e51a611

🌐 Network:
- 45.91.201[.]247
- 77.37.49[.]40
- 80.78.28[.]63

#threatintelligence #threathunting #cybersecurity #SAFEPAY #TTPS
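The launch pattern above (regsvr32 /n /i:"-pass=…" with a DLL) and the hash list are what a defender would turn into detection logic. The following is an added example and is not code from the original post: it parses regsvr32 command lines, flags the /n /i: install call that carries a -pass= value, and matches MD5 hashes against the published list. The pipe-delimited process-creation events, host names and timestamps are constructed for the example.

```python
"""Detection helper for the SAFEPAY launch pattern described in the post.

Added example for defenders (not code from the original post). It recognises
regsvr32 command lines that use "/n /i:<arg>" with a "-pass=" value and matches
MD5 hashes against the published list. Events are constructed here in a simple
'timestamp|host|md5|command_line' form; hosts and times are made up.
"""
import re
from dataclasses import dataclass

# MD5 hashes published in the post (locker.dll / abc.dll samples).
SAFEPAY_MD5 = {
    "48db685ee0a34dba779a84d454b317aa",
    "4b4b1a7e4fbb3357b62e86da706c5997",
    "a60d6cfee59a52de25a47f8630ce71fc",
    "e49ab917e87697835852c81c3954010c",
    "d1f621b82822b544153f6b531e51a611",
}

# regsvr32 (bare name or full path, optionally quoted) followed by its arguments.
REGSVR32_RE = re.compile(r'(?i)(?:^|[\\/\s"])regsvr32(?:\.exe)?"?\s+(?P<args>.*)$')
# /i:<arg>; the argument may be quoted (and then contain spaces) or bare.
INSTALL_RE = re.compile(r'(?i)/i:(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
# The DLL is the last token; a quoted path may contain spaces.
DLL_RE = re.compile(r'(?i)(?:"(?P<quoted>[^"]+\.dll)"|(?P<bare>\S+\.dll))\s*$')
# /n tells regsvr32 not to call DllRegisterServer.
NOREG_RE = re.compile(r"(?i)(?:^|\s)/n(?=\s|$)")


@dataclass
class Finding:
    host: str
    reason: str
    command_line: str


def analyze_regsvr32(cmdline):
    """Describe a regsvr32 launch, or return None if cmdline is not one."""
    m = REGSVR32_RE.search(cmdline)
    if not m:
        return None
    args = m.group("args")
    inst = INSTALL_RE.search(args)
    install_arg = (inst.group("quoted") or inst.group("bare")) if inst else None
    dll = DLL_RE.search(args)
    return {
        "no_register": NOREG_RE.search(args) is not None,
        "install_arg": install_arg,  # string handed to the DLL's DllInstall export
        "dll": (dll.group("quoted") or dll.group("bare")) if dll else None,
        "has_password": bool(install_arg and re.search(r"(?i)-pass=", install_arg)),
    }


def scan_events(lines):
    """Return Findings for constructed 'ts|host|md5|cmd' process-creation events."""
    findings = []
    for line in lines:
        _ts, host, md5, cmd = line.split("|", 3)
        if md5.lower() in SAFEPAY_MD5:
            findings.append(Finding(host, "image hash in SAFEPAY IoC list: " + md5.lower(), cmd))
        info = analyze_regsvr32(cmd)
        # Only the install-only form (/n together with /i:) is of interest here.
        if not info or not info["no_register"] or info["install_arg"] is None:
            continue
        if info["has_password"]:
            findings.append(Finding(host, "regsvr32 /n /i: with -pass= (SAFEPAY launch pattern)", cmd))
        else:
            findings.append(Finding(host, "regsvr32 /n /i: install-only call (review)", cmd))
    return findings


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    '2025-05-12T09:58:01Z|WS-0042|48db685ee0a34dba779a84d454b317aa|'
    'regsvr32 /n /i:"-pass=XXXXXXXXXXXXXXXXXXXXX -enc=1 -uac" locker.dll',
    '2025-05-12T10:02:17Z|WS-0042|0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f|'
    'C:\\Windows\\System32\\regsvr32.exe /s "C:\\Program Files\\Vendor\\widget.dll"',
    '2025-05-12T10:05:40Z|SRV-DB01|11111111111111111111111111111111|'
    '"C:\\Windows\\SysWOW64\\regsvr32.exe" /n /i:setup C:\\Temp\\abc.dll',
    '2025-05-12T10:07:03Z|WS-0017|22222222222222222222222222222222|'
    'notepad.exe C:\\Users\\alice\\notes.txt',
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host}: {f.reason}\n    {f.command_line}")
```

Why the two-tier result: /n suppresses the DllRegisterServer call and /i: passes its string to DllInstall, so the combination lets the password reach the DLL without any registration activity. A -pass= value in that argument is specific enough to alert on; a bare /n /i: call is only worth a review, since some legitimate installers use it.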
Maverits
Computer and Network Security
Empowering Security to Maintain Resilience Against Evolving Threats
About us
At Maverits, we are on a mission to reshape the cybersecurity landscape. Headquartered in Ukraine, our company offers a wide range of services, including Threat Intelligence, Incident Response, Consulting & Training. In a world where cyber threats are becoming increasingly sophisticated, Maverits is dedicated to providing cutting-edge solutions that help businesses protect their digital assets and maintain operational integrity.
- Website: maverits.com
- Industry: Computer and Network Security
- Company size: 11-50 employees
- Type: Privately Held
Updates
🌐 Discover how cybercriminals are evolving their tactics to steal cryptocurrencies using crypto drainers. Our latest report dives into how scammers are exploiting trending topics, like the recent surge around Trump and Melania meme coins, to launch sophisticated theft schemes.

🚨 Key Highlights:
- Following the launch of Trump-themed coins on January 17, 2025, malicious actors launched a new wave of crypto drainers designed to exploit eager investors.
- New drainer variants now steal public keys and wallet seed phrases, giving attackers full control.
- Leading Drainer-as-a-Service (DaaS) operators are expanding their toolkit with advanced evasion techniques (Blockaid, anti-DDoS, anti-Bot) and broadening their target crypto assets.
- A shift from mass phishing to precision attacks on high-profile targets.
- Cybercriminals are increasingly exploiting mobile vulnerabilities as more users manage their crypto assets on mobile devices.

📥 Read the full report here: https://lnkd.in/d8qcRxsp
#Gamaredon is targeting Ukrainian entities, using the TryCloudflare tunnel service to mask its activities. While TryCloudflare is intended for legitimate use, groups like Gamaredon are abusing it to hide malicious activity and evade detection.

📄 Indicators of Compromise:

Host:
- 498-803-24_11.10.2024.xhtml (24).html
  MD5 95b1949364d0ec795bfbc08ab0152260
  SHA-1 f7c0b84b0f346988c5b487bdeaff260209b64424
  SHA-256 44e39caf8c3f1225d761ab6e520d26250d6de5c855241d69b662cdfedb797fc1
- 498-803-24_11.10.2024.rar (copy)
  MD5 72b200e3ce51870c2b10f5b39ddb2b27
  SHA-1 51453212f947bf39e296209678a4022fcb2c01d3
  SHA-256 830e1eb7faa369116a6bcc55aaa5694767b64592ebf18e2904d70f0049280624
- По справі 498-803-24 (провадження 2-498-277-24) надійшов документ Судова повістка про виклик в xn--d1azg.hta (Ukrainian-language lure filename; the punycode label xn--d1azg decodes to "суд", so the name reads "In case 498-803-24 (proceeding 2-498-277-24) a document has been received: Court summons")
  MD5 B70E6AC1055C5B7B0B089AB14E850778
  SHA-1 F03546CD7D5BA594B4EB5F313B0937D2C4AB6256
  SHA-256 096bcb29a54b33877182139a760726ac8ab7e0e8835e77f7fe49ae414708cfdb

Network:
- https://voters-george-trailers-harbor[.]trycloudflare[.]com/ssu/based/regards[.]epub
- https://voters-user-trailers-harbor[.]trycloudflare[.]com/ssu/based/regards[.]epub
- https://voters-george-trailers-harbor[.]trycloudflare[.]com/ssu/relax/deceive[.]epub
- http://194[.]58[.]45[.]81/ssu
🌐 Maverits researchers are releasing a comprehensive special report on APT28, a Russian state-sponsored cyber espionage group linked to the GRU Military Unit 26165. Known for their advanced operations targeting individuals and organizations of strategic interest to the Russian government, APT28 has played a critical role in shaping Russia’s cyber warfare strategy.

This report delves into APT28’s activities since the start of the Russian war in Ukraine in 2022, analyzing their major campaigns, shifting tactics, and evolving objectives. By examining APT28, we aim to shed light on Russia’s broader geopolitical and military goals, as reflected in the group’s operations.

🚨 Key highlights from the report:
- Main Targets. Ukraine accounts for 37% of APT28’s attacks, with Europe, Central Asia and the Caucasus in focus. The group employs custom backdoors and stealers, leveraging legitimate internet services and living-off-the-land binaries (LOLBINs) for stealthy operations.
- Cooperation with Cybercriminals. APT28 has partnered with non-state actors to exploit compromised network devices, turning them into global espionage platforms.
- Zero-Day Exploits. APT28 continues to exploit zero-day vulnerabilities, with one major exploit linked to their preparation for the war in Ukraine.
- Targeted Industries. Government entities, foreign affairs, and security sectors are primary targets, alongside international organizations and think tanks, reflecting APT28’s strategic objectives.
- Espionage Objectives. Besides phishing campaigns, attacks on webmail servers, and the use of custom malware, their activities have expanded, suggesting an increasing emphasis on influence alongside traditional espionage.

Credits: National Security and Defense Council of Ukraine, National Cybersecurity Coordination Center (NCSCC), Institute of Cyber Warfare Research, Women’s Leadership and Strategic Initiatives Foundation (WLSIF).

📥 Read the full report here: https://lnkd.in/dm5r33N6
🚨 On January 14, the hacker group Belsen leaked configuration data for over 15,000 Fortinet FortiGate firewalls on the dark web. Although the data is over two years old, it’s likely still relevant and poses significant risks to organizations worldwide.

Top countries affected by exposed IPs related to CVE-2022-40684:
- 🇲🇽 Mexico: 1241
- 🇳🇱 Netherlands: 428
- 🇦🇹 Austria: 265
- 🇹🇭 Thailand: 261
- 🇮🇳 India: 252
- 🇸🇬 Singapore: 240
- 🇬🇧 UK: 226
- 🇭🇰 Hong Kong: 148
- 🇨🇭 Switzerland: 117
- 🇨🇴 Colombia: 115

Organizations using Fortinet FortiGate firewalls should assess their systems immediately to ensure security.
CVE-2025-0282, a critical vulnerability affecting multiple Ivanti network appliances, is worth noting: it is being actively exploited, especially in Europe. With the search queries provided by Censys we can identify exposed Ivanti Connect Secure instances (not all of which are necessarily vulnerable).

Censys Search Query for EXPOSED Instances:
services.software: (vendor="Ivanti" and product="Connect Secure") and not labels: {honeypot, tarpit}

A troubling trend: #Germany, #UnitedKingdom and #France are in the global top 5 by number of exposed instances:
- 9,038 United States
- 3,484 Japan
- 1,994 Germany
- 1,624 United Kingdom
- 1,528 France
The year begins with a new #APT28 campaign targeting #Ukrainian users with urk[.]net phishing.

Indicators of Compromise:
- 2f8e8b2783c8c47da0f265199671f3cae4e31b2a03999fff12aa3090c74c7a51 linkcuts[.]com/5xu034g2 -> doads[.]org/5xu034g2 -> run.mocky[.]io/v3/eb8cef1d-89a7-4b3e-81a7-25aae7cd3698 -> 1b65300d04b3c7d06bdbb666e13ff0678098900e1925f720c988ad3ce7e3abaa -> jkbfgkjdffghh.linkpc[.]net:8564
- 53142380d75e3f54490f2896b58f308e6b91bec841d09b4e88985cb5b7812031 -> linkcuts[.]com/gumcrr51 -> doads[.]org/gumcrr51 -> run.mocky[.]io/v3/22a2a2d8-84b9-4619-b8ba-359beb386cf9 -> 3c4e5420afb5d91217d53f7cb64a072c3a508630a3d61c5633e356e2357e02ad -> jkbfgkjdffghh.linkpc[.]net:15018
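Both the Gamaredon post (TryCloudflare URLs and a direct IP) and this APT28 post (shortener-to-C2 redirect chains with hashes between the hops) publish their indicators defanged with "[.]". The following is an added example and is not code from either post: it refangs the indicators, splits a redirect chain into typed hops (hash vs URL), builds a host set, and checks constructed web-proxy lines against it. It also flags any *.trycloudflare.com host for review, which generalises the Gamaredon post's point that the tunnel service itself is being abused. The proxy lines, client IPs and timestamps are made up.

```python
"""Normalise defanged indicators and match them against proxy logs.

Added example for defenders (not code from the original posts). It refangs the
"[.]"-style indicators published in the Gamaredon and APT28 posts, splits the
APT28 redirect chain into typed hops, and checks constructed web-proxy lines
against the resulting host set. Proxy lines, client IPs and times are made up.
"""
import re
from urllib.parse import urlsplit

# Network indicators from the Gamaredon post (defanged as published).
GAMAREDON_NETWORK = [
    "https://voters-george-trailers-harbor[.]trycloudflare[.]com/ssu/based/regards[.]epub",
    "https://voters-user-trailers-harbor[.]trycloudflare[.]com/ssu/based/regards[.]epub",
    "https://voters-george-trailers-harbor[.]trycloudflare[.]com/ssu/relax/deceive[.]epub",
    "http://194[.]58[.]45[.]81/ssu",
]
# One redirect chain from the APT28 post: dropper hash, shortener hops, payload hash, C2.
APT28_CHAIN = (
    "2f8e8b2783c8c47da0f265199671f3cae4e31b2a03999fff12aa3090c74c7a51 "
    "linkcuts[.]com/5xu034g2 -> doads[.]org/5xu034g2 -> "
    "run.mocky[.]io/v3/eb8cef1d-89a7-4b3e-81a7-25aae7cd3698 -> "
    "1b65300d04b3c7d06bdbb666e13ff0678098900e1925f720c988ad3ce7e3abaa -> "
    "jkbfgkjdffghh.linkpc[.]net:8564"
)

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(token):
    """Turn a defanged indicator ("[.]", "[:]", "hxxp") back into its real form."""
    t = token.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"(?i)^hxxp", "http", t)


def classify(token):
    """Hash kind by hex length, otherwise 'url' (covers host[:port] and full URLs)."""
    t = refang(token)
    if HEX_RE.match(t):
        return HASH_KINDS.get(len(t), "hex")
    return "url"


def host_of(token):
    """Lower-cased host of a URL or host[:port] string (scheme optional)."""
    t = refang(token)
    if "://" not in t:
        t = "http://" + t
    return (urlsplit(t).hostname or "").lower()


def parse_chain(text):
    """Split an 'a -> b -> c' chain into ordered (kind, value) hops."""
    return [(classify(tok), refang(tok))
            for piece in text.split("->") for tok in piece.split()]


def indicator_hosts(indicators):
    """Set of hosts from all URL-type hops across the given indicators."""
    return {host_of(v) for ind in indicators for k, v in parse_chain(ind) if k == "url"}


def match_proxy_log(lines, hosts):
    """Flag constructed 'ts src method url status' lines by IoC host or TryCloudflare use."""
    hits = []
    for line in lines:
        _ts, src, _method, url, _status = line.split()
        host = host_of(url)
        reasons = []
        if host in hosts:
            reasons.append("host in published IoC list")
        if host.endswith(".trycloudflare.com"):
            reasons.append("TryCloudflare quick tunnel (review: abused by Gamaredon)")
        if reasons:
            hits.append({"src": src, "host": host, "reasons": reasons})
    return hits


# Constructed proxy log lines (not real traffic): timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = [
    "2024-10-11T08:14:22Z 10.0.5.23 GET https://voters-george-trailers-harbor.trycloudflare.com/ssu/based/regards.epub 200",
    "2024-10-11T08:15:01Z 10.0.5.23 GET http://194.58.45.81/ssu 200",
    "2024-10-11T08:20:45Z 10.0.7.9 GET https://docs.example.com/handbook.pdf 200",
    "2025-01-03T11:02:10Z 10.0.9.4 GET https://doads.org/5xu034g2 302",
    "2025-01-03T11:03:30Z 10.0.9.4 GET https://someone-else-tunnel.trycloudflare.com/update 200",
]

if __name__ == "__main__":
    hosts = indicator_hosts(GAMAREDON_NETWORK + [APT28_CHAIN])
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, hosts):
        print(hit["src"], hit["host"], "; ".join(hit["reasons"]))
```

The hash hops are kept separately by parse_chain so they can be fed to an endpoint or file-hash lookup, while only the URL hops contribute hosts; matching on host rather than full URL catches the shortener and the C2 even when the path or port differs from the published sample.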
🚨 APT28 Targets European Diplomats with Headlace Malware

Our research uncovers a stealthy campaign by APT28, a Russian GRU-linked group, using the Headlace backdoor to infiltrate European diplomatic entities. By exploiting legitimate Windows services and using event tickets as lures, APT28 evaded detection while compromising key institutions across the Vatican, UK, Romania, and the EU.
In our report, "Hacktivism Trends H1 2024", we uncover the alarming rise of Russian hacktivism and its ties to military intelligence, GRU (Sandworm, APT28). With more than 2,000 DDoS attacks targeting Europe in just 6 months, state-backed actors are weaponizing hacktivism as a tool of destabilization. From specialized DDoS tools to cryptocurrency payments, discover how these threats are evolving.