Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A phishing campaign exploiting the aftermath of a military conflict between Israel and Iran has been identified. The scam, using a fake domain 'lineageembraer.online', offers evacuation flights from Tel Aviv to New York on an Embraer Lineage 1000E business jet. The website presents unrealistic pricing and logistical details, aiming to steal personal and financial information from individuals seeking to flee the region. The operation uses fear and urgency tactics, offering seats at $2,166 USD, significantly below market rates for similar flights. The scheme involves a PDF with instructions hosted on a Shopify CDN, raising further suspicions. The campaign demonstrates how threat actors exploit crisis situations to target vulnerable individuals.

The threat described is a phishing campaign exploiting the geopolitical tensions and military conflict between Israel and Iran. The attackers have created a fraudulent website using the domain 'lineageembraer.online' that purports to offer evacuation flights from Tel Aviv to New York aboard an Embraer Lineage 1000E business jet. This scam leverages fear and urgency by presenting unrealistically low prices ($2,166 USD per seat) and implausible logistical details to lure individuals desperate to escape the conflict zone. Victims are encouraged to provide personal and financial information under the guise of booking these evacuation flights. The campaign also distributes a PDF hosted on a Shopify content delivery network, which contains instructions likely designed to further manipulate victims or facilitate the theft of sensitive data. The use of a legitimate CDN like Shopify adds a veneer of credibility to the phishing materials, increasing the likelihood of victim engagement. This campaign exemplifies how threat actors exploit crisis situations to target vulnerable populations, combining social engineering with phishing techniques to commit identity theft and financial fraud. The campaign is tagged with multiple MITRE ATT&CK techniques such as T1566 (Phishing), T1583.001 (Acquire Infrastructure: Domains), T1589 (Gather Victim Identity Information), and T1598 (Phishing for Information), indicating a sophisticated approach to infrastructure setup and information harvesting. No known exploits or threat actors are currently linked to this campaign, and it is classified with medium severity due to its targeted nature and potential for significant personal data compromise.

Detailed information about A Special Mission to Nowhere. Get real-time updates, technical details, and mitigation strategies.

A Special Mission to Nowhere - Live Threat Intelligence - Threat Radar | OffSeq.com

A Special Mission to Nowhere

The Iranian threat group Educated Manticore, associated with the Islamic Revolutionary Guard Corps, has launched spear-phishing campaigns targeting Israeli journalists, cyber security experts and computer science professors. The attackers posed as fictitious assistants to technology executives or researchers, directing victims to fake Gmail login pages or Google Meet invitations. This allowed them to intercept passwords and 2FA codes, gaining unauthorized access to victims' accounts. The group used a custom phishing kit implemented as a Single Page Application built with React, supporting various Google authentication flows and enabling 2FA relay attacks. The infrastructure relied on over 130 unique domains resolving to multiple IP addresses. Despite increased exposure, Educated Manticore continues to pose a persistent threat, particularly to individuals in Israel during the Iran-Israel conflict escalation.

Educated Manticore is an Iranian state-sponsored threat group linked to the Islamic Revolutionary Guard Corps (IRGC). This group has been conducting targeted spear-phishing campaigns aimed at Israeli journalists, cybersecurity professionals, and computer science academics. The attackers impersonate fictitious assistants to technology executives or researchers, leveraging social engineering to lure victims into interacting with malicious content. The core attack vector involves directing victims to counterfeit Gmail login pages or fraudulent Google Meet invitations. These phishing pages are crafted as Single Page Applications (SPAs) using React, enabling sophisticated mimicry of legitimate Google authentication flows. This design supports the interception of both passwords and two-factor authentication (2FA) codes through relay attacks, effectively bypassing standard 2FA protections. The infrastructure supporting these campaigns is extensive, utilizing over 130 unique domains that resolve to multiple IP addresses, indicating a robust and resilient command and control setup. Despite increased visibility and exposure of their tactics, Educated Manticore remains an active and persistent threat, particularly in the context of heightened tensions between Iran and Israel. The group’s use of advanced phishing kits and multi-domain infrastructure demonstrates a high level of operational capability and adaptability, targeting high-value individuals in the technology and academic sectors to gain unauthorized access to sensitive accounts and information.

CC=RU ASN=AS210512 internet technologies llc

Detailed information about Iranian Educated Manticore Targets Leading Tech Academics. Get real-time updates, technical details, and mitigation strategies.

Iranian Educated Manticore Targets Leading Tech Academics - Live Threat Intelligence - Threat Radar | OffSeq.com

Iranian Educated Manticore Targets Leading Tech Academics

The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. A new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.

The XorDDoS trojan is a Linux-targeting malware designed to conduct distributed denial-of-service (DDoS) attacks by compromising vulnerable Linux machines primarily through SSH brute-force attacks. The malware attempts to gain unauthorized access by systematically guessing SSH credentials, exploiting weak or default passwords. Upon successful compromise, XorDDoS establishes persistence mechanisms on the infected host, ensuring continued control even after system reboots or removal attempts. A recent discovery revealed a new 'VIP version' of the XorDDoS controller infrastructure, introducing a hierarchical command-and-control (C2) architecture consisting of a central controller managing multiple sub-controllers. This design significantly enhances the attackers' ability to coordinate large-scale and sophisticated DDoS campaigns. The infection chain involves initial brute-force access, deployment of the trojan, and encrypted communication between the trojan, sub-controllers, and the central controller. The malware uses specific network communication patterns and encryption methods to evade detection and maintain stealth. Indicators of compromise include several known malicious file hashes and domains used for C2 communication, such as 'ppp.gggatat456.com' and 'ppp.xxxatat456.com'. Although over 70% of observed attacks from November 2023 to February 2025 targeted the United States, the global spread and modular infrastructure of XorDDoS suggest potential for broader impact. The operators are believed to be Chinese-speaking based on language settings observed in the malware, but no direct attribution beyond this linguistic indicator is confirmed. No known public exploits are currently reported, and the overall severity is assessed as medium, reflecting the malware's capability to disrupt services but also the availability of mitigation strategies.

Detailed information about Unmasking the new XorDDoS controller and infrastructure. Get real-time updates, technical details, and mitigation strategies.

Unmasking the new XorDDoS controller and infrastructure - Live Threat Intelligence - Threat Radar | OffSeq.com

Unmasking the new XorDDoS controller and infrastructure

Multiple state-sponsored threat actors from North Korea, Iran, and Russia have been observed adopting the ClickFix social engineering technique, previously associated with cybercriminal activities. Over a three-month period from late 2024 to early 2025, groups such as TA427, TA450, UNK_RemoteRogue, and TA422 incorporated ClickFix into their existing infection chains. The technique involves using dialogue boxes with instructions for targets to copy, paste, and run malicious commands on their machines. While the adoption of ClickFix hasn't revolutionized these groups' campaigns, it has replaced installation and execution stages in their existing processes. This trend highlights the fluidity of tactics among threat actors and the potential for wider adoption of ClickFix by other state-sponsored groups in the future.

The threat titled "Around the World in 90 Days: State-Sponsored Actors Try ClickFix" describes the observed adoption of the ClickFix social engineering technique by multiple state-sponsored threat actors originating from North Korea, Iran, and Russia. These groups, including TA427, TA450, UNK_RemoteRogue, and TA422, integrated ClickFix into their existing malware infection chains over a three-month period spanning late 2024 to early 2025. ClickFix is a social engineering method that relies on presenting targets with dialogue boxes containing instructions that prompt users to copy, paste, and execute malicious commands directly on their machines. This technique effectively replaces the traditional installation and execution stages of malware deployment, streamlining the infection process by leveraging user interaction to execute payloads. While ClickFix has been previously associated with cybercriminal groups, its adoption by state-sponsored actors marks a notable shift in tactics, demonstrating the fluidity and adaptability of these actors in evolving their operational methods. The technique is linked with tools such as Metasploit and QuasarRAT, indicating its use in deploying remote access trojans and exploitation frameworks. Despite the integration of ClickFix, the overall campaign strategies of these groups have not fundamentally changed, but the trend suggests a potential for broader adoption of this social engineering approach by other state-sponsored entities in the future. No specific affected software versions or patches are identified, and no known exploits in the wild have been reported. The threat is classified as medium severity, reflecting moderate risk based on current knowledge.

Detailed information about Around the World in 90 Days: State-Sponsored Actors Try ClickFix. Get real-time updates, technical details, and mitigation strategies

Around the World in 90 Days: State-Sponsored Actors Try ClickFix - Live Threat Intelligence - Threat Radar | OffSeq.com

Around the World in 90 Days: State-Sponsored Actors Try ClickFix

BiBi-Linux: A New Wiper Dropped By Pro-Hamas Hacktivist Group

BiBi-Linux is a newly identified wiper malware attributed to a pro-Hamas hacktivist group, as reported by CIRCL. Wiper malware is designed to irreversibly delete or corrupt data on infected systems, rendering them unusable and causing significant operational disruption. This particular wiper targets Linux-based systems, which are commonly used in servers, critical infrastructure, and enterprise environments. Although specific technical details about BiBi-Linux's infection vectors, propagation methods, or payload mechanisms are not provided, its classification as a wiper indicates its primary objective is data destruction rather than data theft or espionage. The threat actor's motivation appears politically driven, aligning with hacktivist activities supporting Hamas, which suggests targeted attacks against entities perceived as adversaries or symbolic targets. The reported certainty level of 50% and a medium severity rating reflect some uncertainty about the malware's capabilities or prevalence but acknowledge a credible threat. No known exploits in the wild or patch information is available, indicating this may be a newly discovered or emerging threat. The lack of affected versions implies the malware targets Linux systems broadly rather than exploiting a specific vulnerability. Given the geopolitical context, this wiper could be deployed in cyber campaigns aimed at Israeli or allied organizations, potentially disrupting critical services or infrastructure.

Detailed information about BiBi-Linux: A New Wiper Dropped By Pro-Hamas Hacktivist Group. Get real-time updates, technical details, and mitigation strategies.

BiBi-Linux: A New Wiper Dropped By Pro-Hamas Hacktivist Group - Live Threat Intelligence - Threat Radar | OffSeq.com

OSINT Arid Viper: Gaza vs Israel Cyber Conflict by Trend Micro

The provided information pertains to an OSINT (Open Source Intelligence) report titled 'OSINT Arid Viper: Gaza vs Israel Cyber Conflict' published by Trend Micro and referenced by CIRCL. The report appears to focus on the cyber conflict dynamics between Gaza and Israel, likely detailing cyber activities, threat actors, or campaigns associated with this geopolitical conflict. However, the data lacks specific technical details such as affected systems, vulnerabilities exploited, malware used, or attack vectors. The threat level is indicated as low, and no known exploits in the wild are reported. The absence of affected versions, CWE identifiers, or patch links suggests this is an intelligence overview rather than a direct vulnerability or active exploit. The 'type' is marked as 'unknown,' and the tags include 'osint' and 'tlp:green,' indicating that the information is open and can be shared within the community. Overall, this appears to be a situational awareness report rather than a direct actionable security threat.

Detailed information about OSINT Arid Viper: Gaza vs Israel Cyber Conflict by Trend Micro. Get real-time updates, technical details, and mitigation strategies.

OSINT Arid Viper: Gaza vs Israel Cyber Conflict by Trend Micro - Live Threat Intelligence - Threat Radar | OffSeq.com

OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman

This threat report details an OSINT (Open Source Intelligence) expansion on a systematic cyber attack campaign targeting Israeli and Palestinian entities, reportedly ongoing for about a year as of the publication date in 2015. The campaign appears to be persistent and focused on geopolitical targets within these regions. While the report does not specify technical details such as attack vectors, malware used, or exploited vulnerabilities, the characterization as a 'campaign' suggests coordinated and sustained malicious activity rather than isolated incidents. The lack of affected product versions or specific vulnerabilities indicates this is a broader threat actor activity rather than a single software flaw. The threat level is noted as moderate (threatLevel 4 on an unspecified scale) with low severity assigned by the source. No known exploits in the wild or technical indicators are provided, limiting detailed technical analysis. The campaign likely involves espionage or disruption motives given the geopolitical context, targeting information confidentiality and possibly availability of critical systems. The absence of authentication or user interaction details suggests potential use of phishing, malware, or network intrusion techniques common in cyber espionage campaigns. Overall, this is a low-severity but persistent cyber threat campaign focused on Israeli and Palestinian targets, with limited technical specifics available from the provided data.

Detailed information about OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman. Get real-time upda

OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman - Live Threat Intelligence - Threat Radar | OffSeq.com

OSINT - ATMZombie: banking trojan in Israeli waters

The threat described is a banking trojan named ATMZombie, reportedly active in Israeli waters as of early 2016. Banking trojans are a class of malware designed to steal financial information by intercepting online banking sessions, capturing credentials, or manipulating transactions. Although specific technical details about ATMZombie are limited in the provided information, it is categorized as malware with a low severity rating and no known exploits in the wild at the time of reporting. The trojan likely targets banking customers or financial institutions to gain unauthorized access to sensitive banking data. The mention of 'Israeli waters' suggests a regional focus or origin, possibly indicating initial infection vectors or targeted victims within Israel or nearby regions. The lack of affected versions or patch links implies that this malware may not exploit a specific software vulnerability but rather relies on social engineering, phishing, or other infection methods typical of banking trojans. The threat level and analysis scores (3 and 2 respectively) suggest moderate concern but limited technical detail or impact evidence. Overall, ATMZombie represents a typical banking trojan threat with potential to compromise financial data, but with limited public information and low assessed severity at the time of publication.

Detailed information about OSINT - ATMZombie: banking trojan in Israeli waters. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Affecting Israel

Filter Threats

Threats Affecting Israel

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility