Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

Chinese cyberespionage group APT41 conducted a targeted attack against government IT services in Africa. The attackers used various tools including Impacket, Cobalt Strike, and custom malware for lateral movement, privilege escalation, and data exfiltration. They leveraged DLL sideloading techniques and a compromised SharePoint server as a command and control center. The attack involved credential harvesting, use of web shells, and custom stealers to collect sensitive data. Notable TTPs included using hardcoded internal service names and proxy servers in malware, and exploiting a captive SharePoint server for C2 communication. The incident highlights the importance of comprehensive infrastructure monitoring and proper access controls.

The reported threat involves a targeted cyberespionage campaign conducted by the Chinese threat actor group APT41 against government IT services in Africa. APT41 is known for sophisticated, multi-stage attacks combining publicly available tools and custom malware to achieve persistence, lateral movement, privilege escalation, and data exfiltration. In this campaign, the attackers leveraged a combination of Impacket (a Python toolkit for network protocol manipulation), Cobalt Strike (a commercial penetration testing tool often abused by threat actors), and custom-developed malware components. A key technique used was DLL sideloading, which involves placing a malicious DLL alongside a legitimate executable to bypass security controls and evade detection. The attackers also compromised a SharePoint server, repurposing it as a command and control (C2) infrastructure, enabling covert communication and control of infected hosts. The campaign included credential harvesting using tools like Mimikatz, deployment of web shells for persistent remote access, and custom stealers designed to exfiltrate sensitive data. Notably, the malware contained hardcoded internal service names and proxy server configurations, indicating a high level of reconnaissance and customization tailored to the victim environment. The use of a captive SharePoint server for C2 communication is a sophisticated tactic that blends malicious traffic with legitimate enterprise services, complicating detection efforts. This attack underscores the importance of comprehensive monitoring of infrastructure components, especially collaboration platforms like SharePoint, strict access control policies, and robust credential management to mitigate risks from advanced persistent threats.

Detailed information about SOC files: an APT41 attack on government IT services in Africa. Get real-time updates, technical details, and mitigation strategies.

SOC files: an APT41 attack on government IT services in Africa - Live Threat Intelligence - Threat Radar | OffSeq.com

SOC files: an APT41 attack on government IT services in Africa

A new email attack distributing DCRAT, a Remote Access Trojan, has been uncovered. The threat actor impersonates a Colombian government entity to target organizations in Colombia. The attack employs multiple evasion techniques, including password-protected archives, obfuscation, steganography, base64 encoding, and multiple file drops. DCRAT features a modular architecture, comprehensive surveillance capabilities, information theft functions, system manipulation tools, file and process management, and browser credential harvesting. The attack chain involves a phishing email with a ZIP attachment containing a bat file, which drops an obfuscated vbs file. This file eventually runs a base64-encoded script that downloads and executes the final payload. The RAT employs various persistence mechanisms and anti-analysis techniques. It attempts to bypass Windows Antimalware Scan Interface (AMSI) and continuously tries to connect to its command-and-control server.

The threat involves a Remote Access Trojan (RAT) named DCRAT, which is being distributed via a targeted phishing campaign impersonating a Colombian government entity. The attack vector is primarily email-based, where victims receive a ZIP archive attachment that is password-protected to evade detection. Inside the archive is a batch (.bat) file that drops an obfuscated Visual Basic Script (.vbs) file. This script executes a base64-encoded payload that downloads and runs the final DCRAT malware. The malware employs multiple evasion techniques including obfuscation, steganography (hiding data within images), base64 encoding, and multiple file drops to complicate detection and analysis. DCRAT has a modular architecture enabling a wide range of malicious capabilities such as comprehensive surveillance (keylogging, screen capture), information theft, system manipulation, file and process management, and harvesting browser credentials. It also uses various persistence mechanisms to maintain foothold on infected systems and anti-analysis techniques to bypass Windows Antimalware Scan Interface (AMSI). The RAT continuously attempts to connect to its command-and-control (C2) server to receive commands and exfiltrate data. Indicators of compromise include specific file hashes, IP addresses, and URLs used in the attack chain. Although the campaign currently targets organizations in Colombia, the sophistication and modularity of DCRAT make it a significant threat capable of adaptation and expansion to other regions or targets.

Detailed information about DCRAT Impersonating the Colombian Government. Get real-time updates, technical details, and mitigation strategies.

DCRAT Impersonating the Colombian Government - Live Threat Intelligence - Threat Radar | OffSeq.com

DCRAT Impersonating the Colombian Government

StealC V2, introduced in March 2025, is an enhanced version of the popular information stealer and malware downloader. Key updates include a streamlined JSON-based C2 communication protocol with RC4 encryption, expanded payload delivery options (MSI packages and PowerShell scripts), and a redesigned control panel with an integrated builder. New features comprise multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing for credentials. The malware now supports customizable payload delivery rules based on geolocation, hardware IDs, and installed software. Technical analysis reveals improvements in obfuscation, API resolution, and configuration encryption. StealC V2 is actively developed and frequently used in conjunction with other malware families like Amadey.

StealC V2 is an advanced iteration of the StealC malware family, first introduced in March 2025. It functions primarily as an information stealer and malware downloader, designed to exfiltrate sensitive data and facilitate further payload delivery. The malware employs a streamlined JSON-based command and control (C2) communication protocol secured with RC4 encryption, enhancing stealth and complicating detection efforts. Notably, StealC V2 expands its payload delivery mechanisms to include MSI installer packages and PowerShell scripts, increasing its flexibility and evasion capabilities. The control panel has been redesigned to integrate a builder, allowing attackers to customize malware builds easily. New technical features include multi-monitor screenshot capture, a unified file grabber capable of extracting diverse data types, and server-side brute forcing to harvest credentials more effectively. The malware supports granular payload delivery rules based on geolocation, hardware identifiers, and installed software, enabling targeted attacks and reducing exposure. Technical improvements also encompass enhanced obfuscation techniques, dynamic API resolution to evade static analysis, and encrypted configuration storage. StealC V2 is actively maintained and often deployed alongside other malware families such as Amadey, indicating its role within a broader threat ecosystem. Despite its sophistication, there are no known public exploits in the wild specifically targeting vulnerabilities, suggesting it relies on social engineering or other infection vectors. The malware’s capabilities align with multiple MITRE ATT&CK techniques, including credential dumping, process injection, and command and control communications, highlighting its multifaceted threat profile.

Detailed information about I StealC You: Tracking the Rapid Changes To Steal. Get real-time updates, technical details, and mitigation strategies.

I StealC You: Tracking the Rapid Changes To Steal - Live Threat Intelligence - Threat Radar | OffSeq.com

I StealC You: Tracking the Rapid Changes To Steal

This analysis examines a phishing campaign targeting Italian and US users, focusing on credential harvesting for Microsoft services and Italy's PEC system. The attackers use Notion workspaces and other cloud platforms to host phishing pages, exfiltrating stolen data via Telegram bots. The campaign, active since 2022, employs simple techniques and off-the-shelf tools, suggesting either low technical expertise or a focus on access brokering. The study demonstrates how intercepting Telegram bot communications can aid in profiling threat actors and provides insights into the campaign's evolution, victimology, and attacker characteristics.

This security threat involves a phishing campaign active since 2022, targeting primarily Italian and US users, with a focus on harvesting credentials for Microsoft services and Italy's PEC (Posta Elettronica Certificata) system. The attackers leverage cloud platforms such as Notion workspaces to host phishing pages, which are designed to mimic legitimate login portals to deceive victims into submitting their credentials. Once credentials are entered, the stolen data is exfiltrated using Telegram bots, which serve as command and control (C2) infrastructure and data relay points. The use of Telegram bots for exfiltration is notable because it allows attackers to bypass traditional network monitoring and detection mechanisms by blending malicious traffic with legitimate Telegram API communications. The campaign employs relatively simple and off-the-shelf tools, indicating either a low level of technical sophistication or a strategic focus on brokering access rather than developing complex malware. The analysis also highlights that intercepting communications between the attackers and their Telegram bots can provide valuable intelligence for profiling the threat actors, understanding their victimology, and tracking the campaign's evolution. The campaign uses a range of tactics and techniques mapped to MITRE ATT&CK IDs such as T1566 (Phishing), T1071 (Application Layer Protocol), T1059 (Command and Scripting Interpreter), T1102 (Web Service), T1041 (Exfiltration Over C2 Channel), T1573 (Encrypted Channel), T1056 (Input Capture), T1132 (Data Encoding), T1189 (Drive-by Compromise), and T1008 (Fallback Channels), illustrating a multi-faceted approach to compromise, data capture, and exfiltration. The threat does not exploit software vulnerabilities directly but relies on social engineering and cloud-based infrastructure abuse, making it highly dependent on user interaction and phishing effectiveness.

Detailed information about How Adversary Telegram Bots Help to Reveal Threats: Case Study. Get real-time updates, technical details, and mitigation strategies.

How Adversary Telegram Bots Help to Reveal Threats: Case Study - Live Threat Intelligence - Threat Radar | OffSeq.com

How Adversary Telegram Bots Help to Reveal Threats: Case Study

In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group utilized freemail senders impersonating think tank members to deliver both credential harvesting attempts and malware. Their tactics included using HTML and CHM files with embedded PowerShell for malware deployment, as well as fake Microsoft security alerts for credential theft. The malware conducted extensive reconnaissance on target hosts, gathering system information and checking for anti-virus tools. TA406's focus appears to be on collecting strategic, political intelligence to assess the ongoing conflict and potential risks to North Korean forces in the region.

In February 2025, the North Korean state-sponsored threat actor TA406 initiated a targeted phishing campaign against Ukrainian government entities. The campaign's primary objective is intelligence gathering related to the ongoing Russian invasion of Ukraine, with a strategic focus on assessing risks to North Korean forces potentially involved in the region. TA406 employs sophisticated social engineering tactics, impersonating think tank members via freemail accounts to increase the credibility of their phishing emails. These emails deliver malicious payloads through HTML and CHM (Compiled HTML Help) files embedding PowerShell scripts, enabling stealthy malware deployment. Additionally, the group uses fake Microsoft security alerts as a lure to harvest credentials. Once deployed, the malware performs extensive reconnaissance on infected hosts, collecting detailed system information and scanning for antivirus or other security tools to evade detection and maintain persistence. Indicators of compromise include specific file hashes, URLs hosting malicious payloads, and email addresses used in the phishing campaigns. Although no known exploits are reported in the wild and the campaign is rated medium severity, the use of PowerShell-based malware and credential harvesting techniques highlights TA406's capability to conduct prolonged espionage operations. The campaign's focus on Ukrainian government targets underscores its geopolitical motivation and the potential for intelligence to influence regional security dynamics.

Detailed information about TA406 Pivots to the Front. Get real-time updates, technical details, and mitigation strategies.

TA406 Pivots to the Front - Live Threat Intelligence - Threat Radar | OffSeq.com

TA406 Pivots to the Front

An ongoing phishing campaign targeting Kuwait's fisheries, telecommunications, and insurance sectors has been identified, utilizing over 100 domains for credential harvesting. The operation, observed since early 2025, employs cloned login portals and impersonated web pages. The infrastructure shares operational fingerprints, including reused SSH authentication keys and consistent ASN usage, allowing related assets to be linked. The campaign primarily targets the National Fishing Company of Kuwait, automotive insurance sector, and Zain telecommunications. The actors use brand-inspired domain names and transliterations rather than direct typosquatting. Mobile payment lures targeting Zain customers have also been observed, potentially enabling further social engineering attacks.

This ongoing phishing campaign, active since early 2025, targets critical sectors in Kuwait including fisheries, telecommunications, and insurance. The attackers operate a sophisticated infrastructure comprising over 100 domains designed for credential harvesting through cloned login portals and impersonated web pages. A notable technical characteristic of this campaign is the reuse of SSH authentication keys across multiple operational assets, which serves as a unique fingerprint linking related infrastructure components. Additionally, the campaign exhibits consistent use of specific Autonomous System Numbers (ASNs), further aiding in the attribution and tracking of the threat actors' infrastructure. The attackers employ brand-inspired domain names and transliterations rather than simple typosquatting, increasing the likelihood of deceiving targeted users. Particularly, the National Fishing Company of Kuwait, automotive insurance providers, and Zain telecommunications customers are primary targets. The campaign also includes mobile payment lures aimed at Zain customers, potentially facilitating deeper social engineering attacks and financial fraud. The combination of credential harvesting, domain impersonation, and social engineering tactics underscores a multi-faceted approach to compromise user credentials and potentially gain unauthorized access to sensitive systems. The reuse of SSH keys within the attacker infrastructure is a notable operational security lapse that allows defenders to link and potentially disrupt the campaign's infrastructure. Although no known exploits are reported in the wild, the campaign leverages multiple MITRE ATT&CK techniques such as spearphishing via service (T1566.002), domain fronting (T1586.002), and credential dumping (T1589.002), indicating a well-resourced and persistent adversary.

Detailed information about Shared SSH Keys Expose Phishing Infrastructure Targeting Kuwait. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Tagged 'credential harvesting'

Filter Threats

Threats Tagged 'credential harvesting'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility