Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
mindly.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mindly.Social is an English speaking, friendly Mastodon instance created for people who want to use their brains and their hearts to make social networking more social. 🧠💖

Administered by:

Server stats:

1.3K
active users

mindly.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#infosec

581 posts208 participants78 posts today
Public
OTX Bot

Deobfuscating APT28's HTA Trojan: A Deep Dive into VBE Techniques & Multi-Layer Obfuscation

This analysis delves into APT28's cyber espionage campaign targeting Central Asia and Kazakhstan diplomatic relations, focusing on their HTA Trojan. The malware employs advanced obfuscation techniques, including VBE (VBScript Encoded) and multi-layer obfuscation. The investigation uses x32dbg debugging to decode the obfuscated code, revealing a custom map algorithm for character deobfuscation. The process involves decoding strings using embedded characters from Windows vbscript.dll. The analysis identifies the use of Microsoft's Windows Script Encoder (screnc.exe) to create VBE files. By employing various deobfuscation techniques, including a Python script, the final malware sample is extracted and analyzed, showcasing APT28's evolving tactics in cyber espionage.

Pulse ID: 67efc6e712b49d46c1423ca9
Pulse Link: otx.alienvault.com/pulse/67efc
Pulse Author: AlienVault
Created: 2025-04-04 11:47:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat ExchangeLevelBlue - Open Threat ExchangeLearn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.
#APT28#Asia#CentralAsia
Public
OTX Bot

Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign

A Russian-speaking threat actor has launched a new phishing campaign using Cloudflare-branded pages themed around DMCA takedown notices. The attack abuses the ms-search protocol to deliver malicious LNK files disguised as PDFs. Once executed, the malware communicates with a Telegram bot to report the victim's IP address before connecting to Pyramid C2 servers. The campaign leverages Cloudflare Pages and Workers services to host phishing pages, and uses an open directory to store malicious files. The infection chain includes PowerShell and Python scripts, with incremental changes in tactics to evade detection. The actors' infrastructure spans multiple domains and IP addresses, primarily using Cloudflare's network.

Pulse ID: 67efc6ed5285702a3440969a
Pulse Link: otx.alienvault.com/pulse/67efc
Pulse Author: AlienVault
Created: 2025-04-04 11:47:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat ExchangeLevelBlue - Open Threat ExchangeLearn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.
#Cloud#CyberSecurity#ICS
ExploreLive feeds
About