Threats Tagged 'apt'
View all threats tagged with 'apt'.
Observed activity associated with Sidewinder APT. Lure document: No.9374.docx, 64f2681ad0940e6c2c9c76e6834117bf. Observed C2 infrastructure: update[.]ms-office[.]app

Recent activity has been detected linked to the Sidewinder advanced persistent threat group. The campaign uses a malicious document named No.9374.docx, with the hash value 64f2681ad0940e6c2c9c76e6834117bf, as a lure. The command and control infrastructure includes the domain update[.]ms-office[.]app. This observation indicates ongoing operations by Sidewinder, a threat actor known for targeting specific regions and sectors. The use of weaponized documents and deceptive domains mimicking legitimate Microsoft services shows the group's continued reliance on social engineering.

AlienVault OTX General | 06/24/2026, 03:26:21 UTC | Added: 06/24/2026, 17:24:12 UTC
ThreatNexus v2 (Nation-state APT intel) — back for round two after your feedback

ThreatNexus v2 is a threat intelligence platform focused on nation-state APT campaigns, providing improved data quality, strategic and operational context, and actionable intelligence for detection and hunting. It aggregates vendor research, news, and government/CERT sources into a digest format to aid analysts and decision-makers. This release aims to enhance usefulness across strategic, operational, and tactical levels; it is not itself a security threat or vulnerability.

Reddit ThreatIntel | 06/18/2026, 11:34:00 UTC | Added: 06/18/2026, 12:05:14 UTC
UNC1151/Ghostwriter phishing campaign targeting Gmail accounts

The UNC1151/Ghostwriter group has been conducting high-intensity phishing campaigns against the Gmail accounts of Polish citizens since March 2026. The campaigns primarily target individuals in political and public life, people in prominent positions, researchers, journalists, public administration and law enforcement employees, and their associates. Attackers send fraudulent emails impersonating Gmail administrators, claiming suspicious activity or policy violations to pressure victims into "verifying" their accounts. The phishing infrastructure captures login credentials and two-factor authentication codes through fake login panels. The group uses dedicated domains, Netlify subdomains, and compromised websites to host the phishing pages. Campaigns run primarily on weekdays, with new domains appearing almost daily, demonstrating a persistent operational tempo against Polish targets.

AlienVault OTX General | 06/12/2026, 16:57:58 UTC | Added: 06/15/2026, 18:45:13 UTC
20 years of Fancy Bear (APT28): How Russian military hackers evolved their tradecraft since 2004

This content is a retrospective analysis of the APT28 threat actor, also known as Fancy Bear, detailing the evolution of its cyber tradecraft since 2004. The report highlights APT28's unusual capability to link remote cyberattacks with physical close-access operations. The information is presented as a threat intelligence overview rather than a specific vulnerability or exploit; no direct technical vulnerability or exploit details are provided.

Reddit Cybersecurity | 06/11/2026, 08:24:24 UTC | Added: 06/11/2026, 08:27:08 UTC
FCaptcha v1.12: Catching AI Agents That Drive Real Browsers

FCaptcha versions 1.11 and 1.12 introduce mechanisms to detect AI agents that control real browsers. The detection techniques include Chrome DevTools Protocol (CDP) input forensics, analysis of think-time cadence, and matching of declared user agents. This is a security-related development aimed at identifying automated, AI-driven browser interactions.

Reddit Cybersecurity | 06/10/2026, 02:29:44 UTC | Added: 06/10/2026, 02:40:37 UTC
Adaptive Fingerprinting: HTTP-Basma's Multi-Stage Probing for Granular Server Differentiation

HTTP-Basma is a multi-stage HTTP fingerprinting tool that probes servers with crafted HTTP requests to generate detailed behavioral fingerprints. It analyzes server responses, including status lines, headers, allowed methods, and edge-case handling, to build signatures that identify a server implementation regardless of what its Server header claims. The tool is intended for security research, reconnaissance, attack surface mapping, and infrastructure analysis, and is open-source and freely available. It is not itself a vulnerability or exploit; it is a method for granular server differentiation.

Reddit ThreatIntel | 06/02/2026, 15:22:59 UTC | Added: 06/02/2026, 15:33:31 UTC