مگاهرتز
This week, Newlines magazine reported that a mobile #spyware app installed on the personal devices of Syrian army (#Syria) soldiers played a major role in the sudden collapse of the #Assad government in the final months of 2024. The report describes this app as a prominent example…
Note for our Iranian followers:
One of the current campaigns against the Syrian army & people is formed in the script of "Livelihood Assistance". Probably this TA (likely linked to Israel) will perform such a campaign against Iranian civilians too.
So plz be careful of such scripts these days:
"Livelihood Assistance" (کمک معیشتی)
"Support System" (سامانه حمایت)
"Red Crescent Aid" (کمک های حلال احمر)
and ...
To other admins of popular cyber sec communities: if you see this message plz spread it in any form you like and can; this will likely prevent massive INT collection. If you need more information, check the source.
Previous campaign IoC:
Network:
syr1[.]store
syr1[.]online
west2[.]shop
Source Byte
To CyberSec community
If you observed such a campaign, plz share IoC here:
https://news.1rj.ru/str/Sourc3_Byte_Chat/10
Who is "saeed" and what's its connection to "Edaalate Ali"?
Related Google account:
ACg8ocJGEs3seqjfj1p5fb0YIof2OjbvMqvpRK6saWzC6Lbpx658Fg
I shared some anti-Iranian TAs in the CTI Sources topic in the group. I hope that by monitoring their activities we get a better understanding of their movements and plan better strategies.
I will update the list as long as I can.
Planning to add previous IoCs / TTPs etc. ...
We observed a new Iran-linked TA named "IGC (Iran Cyber Net)" targeting the IS financial & health sectors.
They announced they developed a new variant of ransomware used in their attacks.
Signature Kid is a header-only tool that steals a signature from a file and copies it to whatever file you want.
Beyond stealing, Signature Kid goes a step further by using Windows internals to trick the system into treating the copied signature as valid.
https://github.com/dslee2022/SignatureKid
Updated:
[ ] new Indra TA social medias
[ ] wallet addresses added
تحلیل_فنی_حمله_سایبری_به_بانک_سپه_۲۷_خرداد_۱۴۰۴_1.pdf
It says "technical analysis".
Is it only me who sees nothing "technical" in it?
Until now we have shared:
[ 00 ] Attack against Iran's state broadcaster (done by the Ghyam Sarnegouni TA)
[ 01 ] Indra (گنجشگ درنده) samples related to the attacks on the Iran Railway Company & some companies in Syria (related to the I.R.G.C.)
Find them in the Samples topic in the group.
Plz share your IoCs related to current attacks against Iran with us; it will help everyone prepare for threat actors, as currently we don't have any global CTI.
According to Israeli sources (who obtained a copy of the AFTA report on the recent Sepah Bank attack by Indra):
[00] The attacker gained access through an old Windows Server 2003 machine used for email services. This server was running MDaemon.
Note: The source stated that the specific mail server was server[.]ictops[.]ir, but we found no public records of this domain. It is likely a local/internal domain used by the bank, which reduces the likelihood that this server was the initial entry point in this attack.
[01] The attacker moved laterally to other servers (no evidence on how this was done).
[02] They reached the targeted server and deployed their C2 (NjRat) via a PowerShell script.
Note: The C2 server was hosted in Canada.
That's all we know :(
I created a chart for better understanding.
Wish it helps.
PDF version:
Nobitex Breach: Infostealers Expose Critical Employee Credentials in Latest Crypto Exchange Hack
https://www.infostealers.com/article/nobitex-breach-infostealers-expose-critical-employee-credentials-in-latest-crypto-exchange-hack/
APT IRAN Research Center
In this picture you can see that the Nobitex employees' information has been in the attackers' hands for a long time. As we said, unfortunately the whole system was infected, and this is not about today or yesterday: this is a chain of attacks against the financial sector in the country.
You were right.
I can't believe this.
Same scenario as SnappFood!!!!!!!
Again Stealc, WTF!!!!!!!!!!!