Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

Source: https://securityaffairs.com/179239/cyber-warfare-2/iran-linked-threat-actors-cyber-fattah-leak-visitors-and-athletes-data-from-saudi-games.html

The reported security threat involves a data breach attributed to Iran-linked threat actors known as Cyber Fattah, who have leaked sensitive personal data of visitors and athletes associated with a major sporting event held in Saudi Arabia. The breach appears to be a targeted cyber espionage or information warfare operation aimed at compromising the confidentiality of individuals participating in or attending the Saudi Games. Although detailed technical specifics such as attack vectors, exploited vulnerabilities, or compromised systems are not provided, the nature of the breach suggests unauthorized access to databases or information systems managing event-related personal data. The leak of such data could include personally identifiable information (PII), travel details, biometric data, or other sensitive attributes that could be leveraged for further intelligence gathering, surveillance, or geopolitical leverage. The threat is categorized as a breach rather than a malware or ransomware attack, indicating the primary impact is data exposure rather than system disruption. The source of this information is a Reddit post linking to a security news article, with minimal discussion and no known exploits in the wild, suggesting the incident is recent and possibly still under investigation. The medium severity rating reflects the moderate impact of data exposure without immediate evidence of broader systemic compromise or active exploitation campaigns.

Detailed information about Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games. Get real-time updates, technical details, a

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games - Live Threat Intelligence - Threat Radar | OffSeq.com

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

Reddit Discussion: Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. A new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.

The XorDDoS trojan is a Linux-targeting malware designed to conduct distributed denial-of-service (DDoS) attacks by compromising vulnerable Linux machines primarily through SSH brute-force attacks. The malware attempts to gain unauthorized access by systematically guessing SSH credentials, exploiting weak or default passwords. Upon successful compromise, XorDDoS establishes persistence mechanisms on the infected host, ensuring continued control even after system reboots or removal attempts. A recent discovery revealed a new 'VIP version' of the XorDDoS controller infrastructure, introducing a hierarchical command-and-control (C2) architecture consisting of a central controller managing multiple sub-controllers. This design significantly enhances the attackers' ability to coordinate large-scale and sophisticated DDoS campaigns. The infection chain involves initial brute-force access, deployment of the trojan, and encrypted communication between the trojan, sub-controllers, and the central controller. The malware uses specific network communication patterns and encryption methods to evade detection and maintain stealth. Indicators of compromise include several known malicious file hashes and domains used for C2 communication, such as 'ppp.gggatat456.com' and 'ppp.xxxatat456.com'. Although over 70% of observed attacks from November 2023 to February 2025 targeted the United States, the global spread and modular infrastructure of XorDDoS suggest potential for broader impact. The operators are believed to be Chinese-speaking based on language settings observed in the malware, but no direct attribution beyond this linguistic indicator is confirmed. No known public exploits are currently reported, and the overall severity is assessed as medium, reflecting the malware's capability to disrupt services but also the availability of mitigation strategies.

Detailed information about Unmasking the new XorDDoS controller and infrastructure. Get real-time updates, technical details, and mitigation strategies.

Unmasking the new XorDDoS controller and infrastructure - Live Threat Intelligence - Threat Radar | OffSeq.com

Unmasking the new XorDDoS controller and infrastructure

Multiple state-sponsored threat actors from North Korea, Iran, and Russia have been observed adopting the ClickFix social engineering technique, previously associated with cybercriminal activities. Over a three-month period from late 2024 to early 2025, groups such as TA427, TA450, UNK_RemoteRogue, and TA422 incorporated ClickFix into their existing infection chains. The technique involves using dialogue boxes with instructions for targets to copy, paste, and run malicious commands on their machines. While the adoption of ClickFix hasn't revolutionized these groups' campaigns, it has replaced installation and execution stages in their existing processes. This trend highlights the fluidity of tactics among threat actors and the potential for wider adoption of ClickFix by other state-sponsored groups in the future.

The threat titled "Around the World in 90 Days: State-Sponsored Actors Try ClickFix" describes the observed adoption of the ClickFix social engineering technique by multiple state-sponsored threat actors originating from North Korea, Iran, and Russia. These groups, including TA427, TA450, UNK_RemoteRogue, and TA422, integrated ClickFix into their existing malware infection chains over a three-month period spanning late 2024 to early 2025. ClickFix is a social engineering method that relies on presenting targets with dialogue boxes containing instructions that prompt users to copy, paste, and execute malicious commands directly on their machines. This technique effectively replaces the traditional installation and execution stages of malware deployment, streamlining the infection process by leveraging user interaction to execute payloads. While ClickFix has been previously associated with cybercriminal groups, its adoption by state-sponsored actors marks a notable shift in tactics, demonstrating the fluidity and adaptability of these actors in evolving their operational methods. The technique is linked with tools such as Metasploit and QuasarRAT, indicating its use in deploying remote access trojans and exploitation frameworks. Despite the integration of ClickFix, the overall campaign strategies of these groups have not fundamentally changed, but the trend suggests a potential for broader adoption of this social engineering approach by other state-sponsored entities in the future. No specific affected software versions or patches are identified, and no known exploits in the wild have been reported. The threat is classified as medium severity, reflecting moderate risk based on current knowledge.

Detailed information about Around the World in 90 Days: State-Sponsored Actors Try ClickFix. Get real-time updates, technical details, and mitigation strategies

Around the World in 90 Days: State-Sponsored Actors Try ClickFix - Live Threat Intelligence - Threat Radar | OffSeq.com

Around the World in 90 Days: State-Sponsored Actors Try ClickFix

OSINT - New targeted attack against Saudi Arabia Government

This report describes an open-source intelligence (OSINT) finding regarding a new targeted attack campaign against the Saudi Arabian government. The information is limited and primarily sourced from a blog post, with no detailed technical indicators, affected software versions, or exploit mechanisms provided. The campaign is classified as low severity with a threat level of 3 (on an unspecified scale) and an analysis rating of 2, suggesting moderate confidence in the existence of the campaign but limited technical detail. No known exploits in the wild have been reported, and no specific vulnerabilities or attack vectors are identified. The lack of technical details such as malware type, attack vectors, or compromised systems limits the ability to fully characterize the threat. However, the campaign appears to be a targeted attack, implying a focused adversary likely aiming at government entities for espionage or disruption purposes. Given the target is a government entity in Saudi Arabia, the attack may involve sophisticated tactics, techniques, and procedures (TTPs) typical of nation-state or advanced persistent threat (APT) actors. The absence of indicators of compromise (IOCs) and patch information further restricts detailed technical analysis. Overall, this campaign represents a targeted threat with low publicized impact but potential strategic significance.

Detailed information about OSINT - New targeted attack against Saudi Arabia Government. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Affecting Saudi Arabia

Filter Threats

Threats Affecting Saudi Arabia

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility