Links submitted by the Threat Radar community and AI curated for defenders.

Community Curated

CVE Database V5

SANS ISC Handlers Diary

SecurityWeek

Threatpost

The Hacker News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

Kaspersky Security Blog

Check Point Research

AlienVault OTX General

Reddit NetSec

Reddit InfoSec News

Dark Reading

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

Storm-0249 is an advanced initial access broker group that has shifted from mass phishing campaigns to highly targeted exploitation of Endpoint Detection and Response (EDR) tools, specifically abusing SentinelOne's SentinelAgentWorker. exe via DLL sideloading. This technique allows the group to hide malicious activities within legitimate processes, evading detection and maintaining persistence. Their tactics also include Microsoft domain spoofing, curl-to-PowerShell command piping, and fileless execution methods, enabling stealthy reconnaissance and lateral movement. This evolution reflects a broader ransomware-as-a-service trend that lowers technical barriers for attackers and accelerates ransomware proliferation. The threat poses significant challenges for defenders due to its use of trusted system components and sophisticated evasion techniques. Indicators include specific file hashes, IP addresses, and suspicious domains linked to the campaign. No known public exploits or CVEs are associated yet, but the threat is active and evolving. European organizations using SentinelOne EDR are at risk, especially those in critical infrastructure and high-value sectors. Mitigation requires advanced monitoring of EDR processes, strict DLL loading policies, and enhanced phishing defenses.

Storm-0249 is a threat actor group recognized as an initial access broker that has evolved its attack methodology from broad mass phishing campaigns to precision exploitation of Endpoint Detection and Response (EDR) platforms. The group specifically targets SentinelOne's SentinelAgentWorker.exe process by leveraging DLL sideloading, a technique where a malicious DLL is loaded by a legitimate executable, allowing attackers to execute code under the guise of trusted system processes. This approach enables Storm-0249 to bypass traditional security controls and evade detection by blending malicious activity with routine EDR operations. Additional tactics include Microsoft domain spoofing to deceive users and security systems, use of curl piped into PowerShell for command execution, and fileless execution techniques that avoid writing malicious files to disk, further complicating detection efforts. These methods facilitate stealthy reconnaissance, lateral movement, and persistence within compromised environments. The group's activities align with trends in the ransomware-as-a-service ecosystem, where sophisticated post-exploitation techniques are increasingly commoditized, lowering the technical skill required to conduct impactful attacks. While no specific CVEs or public exploits are currently linked to this campaign, the threat is active and presents a medium severity risk. Indicators of compromise include several file hashes, IP addresses, and suspicious domains associated with the campaign. The exploitation of a widely deployed EDR solution like SentinelOne raises concerns about the potential scale and impact of attacks leveraging this vector.

Detailed information about Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation. Get real-time updates, technical details, and mi

Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation - Live Threat Intelligence - Threat Radar | OffSeq.com

Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation

A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, BlackBasta, and Qilin groups. CountLoader was recently employed in a phishing campaign targeting Ukrainian citizens, impersonating the Ukrainian police. The loader attempts to connect to multiple C2 servers, downloads and executes various malware payloads, and uses advanced techniques to evade detection. It has been observed dropping CobaltStrike and AdaptixC2, among other malicious tools. The malware's functionality includes system information gathering, persistence mechanisms, and multiple download methods.

CountLoader is a newly identified malware loader associated with Russian ransomware groups, notably linked to affiliates of LockBit, BlackBasta, and Qilin ransomware operations. It is distributed in three distinct versions: .NET, PowerShell, and JScript, allowing it to adapt to different target environments and evade detection. The loader is primarily used as an initial access tool, either by Initial Access Brokers (IABs) or ransomware affiliates, to establish footholds in victim networks. CountLoader has been observed in phishing campaigns targeting Ukrainian citizens, masquerading as official Ukrainian police communications to increase the likelihood of user interaction and infection. Once executed, CountLoader attempts to connect to multiple command and control (C2) servers to download and execute additional malicious payloads, including CobaltStrike and AdaptixC2, which are known for their capabilities in post-exploitation, lateral movement, and persistence. The loader incorporates advanced evasion techniques such as obfuscation, use of multiple download methods, and system information gathering to tailor its payload delivery and maintain persistence. It also employs various persistence mechanisms consistent with MITRE ATT&CK techniques like scheduled tasks (T1053.005) and registry run keys (T1547.001). The malware’s multi-language implementation (.NET, PowerShell, JScript) increases its versatility and complicates detection by traditional antivirus and endpoint detection systems. Although no known exploits are currently reported in the wild, the threat’s association with high-profile ransomware groups and its use in targeted phishing campaigns underscore its potential for significant operational impact.

CC=US ASN=AS61272 informacines sistemos ir technologijos  uab

MD5 of 4cb6ec9522d8c1315cd3a2985d2204c634edc579b08a1b132254bd7dd5df72d8

SHA1 of 4cb6ec9522d8c1315cd3a2985d2204c634edc579b08a1b132254bd7dd5df72d8

MD5 of d34ca886266b7ce5f75f4caaa6e48f61e194bb55605c2bc4032ba8af5580b2e7

MD5 of 233c777937f3b0f83b1f6ae47403e03d1c3f72f650b4c6ae3facec7f2e5da4b5

SHA1 of d34ca886266b7ce5f75f4caaa6e48f61e194bb55605c2bc4032ba8af5580b2e7

SHA1 of 233c777937f3b0f83b1f6ae47403e03d1c3f72f650b4c6ae3facec7f2e5da4b5

CC=US ASN=AS21769 colocation america corporation

CC=US ASN=AS61317 digital energy technologies ltd.

Detailed information about CountLoader: New Malware Loader Being Served in 3 Different Versions. Get real-time updates, technical details, and mitigation strate

CountLoader: New Malware Loader Being Served in 3 Different Versions - Live Threat Intelligence - Threat Radar | OffSeq.com

CountLoader: New Malware Loader Being Served in 3 Different Versions

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, selling access to compromised systems to various cybercriminal clients. The primary tactic involves deceptive 'fake browser update' lures initiated by JavaScript injections on compromised websites, leading to drive-by malware downloads. SocGholish leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims to malicious content. TA569 acts as an Initial Access Broker, enabling other notorious groups and even Russian GRU's Unit 29155 to conduct follow-on attacks, including ransomware deployments. The threat uses domain shadowing and frequent domain rotation to evade detection, making proactive threat intelligence crucial for defense.

SocGholish is a sophisticated Malware-as-a-Service (MaaS) campaign operated by the threat actor TA569, who acts as an Initial Access Broker (IAB). The campaign primarily employs deceptive tactics involving fake browser update prompts delivered via JavaScript injections on compromised legitimate websites. These injections trigger drive-by downloads of malware payloads without requiring explicit user consent beyond interacting with the fake update prompt. SocGholish leverages Traffic Distribution Systems (TDS) such as Parrot TDS and Keitaro TDS to selectively filter and redirect victims to malicious content, enhancing the efficiency and targeting of the campaign. The operator TA569 sells access to compromised systems to various cybercriminal clients, including notorious ransomware groups and reportedly Russian GRU’s Unit 29155, enabling follow-on attacks such as ransomware deployment and espionage. The campaign employs domain shadowing and frequent domain rotation to evade detection and takedown efforts, complicating defensive measures. Indicators of compromise include a large set of suspicious domains used in the infrastructure. The campaign’s tactics align with multiple MITRE ATT&CK techniques, including T1059.007 (JavaScript execution), T1133 (External Remote Services), T1547 (Boot or Logon Autostart Execution), T1204.002 (User Execution: Malicious File), T1071 (Application Layer Protocol), T1190 (Exploit Public-Facing Application), T1036 (Masquerading), T1090 (Proxy), T1497 (Virtualization/Sandbox Evasion), T1102 (Web Service), T1608 (Stage Capabilities), T1199 (Trusted Relationship), T1559 (Inter-Process Communication), T1078 (Valid Accounts), T1027 (Obfuscated Files or Information), T1573 (Encrypted Channel), T1132 (Data Encoding), and T1189 (Drive-by Compromise). This multi-faceted approach makes SocGholish a persistent and adaptable threat requiring proactive and layered defense strategies.

Detailed information about Unmasking SocGholish: The Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator, TA569. Get real-time updates, technical 

Unmasking SocGholish: The Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator, TA569 - Live Threat Intelligence - Threat Radar | OffSeq.com

Unmasking SocGholish: The Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator, TA569

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enabling other cybercriminal groups to conduct follow-on attacks, including ransomware deployments. SocGholish utilizes domain shadowing and frequent domain rotation to evade detection. The malware's infection chain involves multiple stages, from compromised websites to on-device payload delivery. Notable customers include Evil Corp and MintsLoader operators. SocGholish's sophisticated filtering mechanisms and tracking techniques ensure only high-value targets receive the final payload.

SocGholish is a sophisticated Malware-as-a-Service (MaaS) platform operated by the threat actor group TA569. It primarily uses deceptive tactics, notably fake browser update prompts, to trick users into initiating the infection process. The malware campaign employs Traffic Distribution Systems (TDS) such as Parrot TDS and Keitaro TDS to selectively filter and redirect victims, ensuring that only high-value targets receive the final malicious payload. This selective targeting is achieved through advanced filtering and tracking mechanisms, which analyze victim attributes before payload delivery. SocGholish’s infection chain is multi-staged, beginning with compromised legitimate websites that redirect victims to malicious domains or URLs. The malware also uses domain shadowing and frequent domain rotation to evade detection and takedown efforts, complicating defensive measures. TA569 acts as an Initial Access Broker, selling or leasing access to compromised systems to other cybercriminal groups, including notable ransomware operators like Evil Corp and MintsLoader. These groups then conduct follow-on attacks such as ransomware deployment, data exfiltration, or further network compromise. Indicators of compromise include numerous malicious domains and URLs used in the infection chain, many of which are designed to appear legitimate or benign. The malware leverages various techniques including living-off-the-land binaries (LOLBins), obfuscation, and persistence mechanisms to maintain footholds on infected systems. The campaign’s sophistication and modularity make it a persistent threat capable of adapting to defensive countermeasures and targeting specific victims with tailored payloads.

Detailed information about Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator. Get real-time updates, techni

Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator - Live Threat Intelligence - Threat Radar | OffSeq.com

Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator

An initial access broker exploited leaked Machine Keys on ASP.NET sites to gain unauthorized access to organizations. The group, tracked as TGR-CRI-0045, targeted industries in Europe and the U.S. including finance, manufacturing, and technology. They used ASP.NET View State deserialization to execute malicious payloads in server memory, minimizing forensic artifacts. The attackers deployed post-exploitation tools for persistence and privilege escalation. The campaign began in October 2024, with increased activity from January to March 2025. Organizations are advised to review and remediate compromised Machine Keys following Microsoft's guidance. The threat group is possibly linked to Gold Melody based on overlapping indicators and tactics.

This threat involves an initial access broker group identified as TGR-CRI-0045 exploiting leaked Machine Keys from ASP.NET web applications to gain unauthorized access to targeted organizations. Machine Keys in ASP.NET are cryptographic keys used to protect View State data, authentication tokens, and other sensitive information. If these keys are leaked or compromised, attackers can manipulate or forge View State data, enabling deserialization attacks that execute arbitrary code in server memory. The attackers leverage ASP.NET View State deserialization vulnerabilities to run malicious payloads directly in memory, which reduces forensic footprints and complicates detection. After initial access, the threat actors deploy post-exploitation tools to maintain persistence and escalate privileges within the compromised environment. The campaign, active since October 2024 with heightened activity from January to March 2025, targets industries including finance, manufacturing, and technology sectors primarily in Europe and the United States. The group’s tactics and indicators overlap with those attributed to the Gold Melody threat actor, suggesting possible linkage. The exploitation technique focuses on abusing leaked cryptographic keys rather than exploiting software vulnerabilities directly, making traditional patching ineffective. Organizations are advised to audit and rotate Machine Keys following Microsoft's remediation guidance to invalidate compromised keys and prevent further exploitation. Indicators of compromise include multiple IP addresses and file hashes associated with the attack infrastructure and payloads. The attack chain involves initial access via crafted View State payloads, in-memory execution of malicious code, and subsequent lateral movement and privilege escalation using known techniques such as token manipulation and service persistence. The threat leverages IIS-hosted ASP.NET applications, which are prevalent in enterprise environments, making this a significant risk vector for organizations relying on this technology stack.

Detailed information about Exploitation of Leaked Machine Keys by Initial Access Broker. Get real-time updates, technical details, and mitigation strategies.

Exploitation of Leaked Machine Keys by Initial Access Broker - Live Threat Intelligence - Threat Radar | OffSeq.com

Exploitation of Leaked Machine Keys by Initial Access Broker

A spam campaign targeting Brazilian users, particularly C-level executives and financial/HR accounts, has been identified since January 2025. The campaign exploits commercial remote monitoring and management (RMM) tools, specifically PDQ Connect and N-able remote access tools. Attackers use Brazilian electronic invoice system (NF-e) as bait, leading victims to malicious content on Dropbox. The threat actor, likely an initial access broker, abuses free trial periods of RMM tools to gain complete control of target machines. The campaign's objective is to create a network of compromised machines for potential sale to third parties, including ransomware operators and state-sponsored actors. The abuse of commercial RMM tools is increasing due to their digital signatures, full backdoor capabilities, and low cost.

This threat involves a spam campaign primarily targeting Brazilian users, with a focus on high-value targets such as C-level executives and financial or HR personnel. The attackers exploit commercial Remote Monitoring and Management (RMM) tools, specifically PDQ Connect and N-able remote access tools, to gain unauthorized access to victim machines. The campaign uses the Brazilian electronic invoice system (NF-e) as a lure, directing victims to malicious content hosted on Dropbox. The attackers leverage free trial periods of these RMM tools to establish persistent, fully backdoored access to compromised systems. These RMM tools are attractive to attackers because they are digitally signed, which helps evade detection, and provide comprehensive remote control capabilities. The ultimate goal of the campaign is to build a network of compromised machines that can be sold to third parties, including ransomware operators and state-sponsored threat actors. The campaign employs multiple tactics and techniques such as initial access brokering, social engineering via spam, and abuse of legitimate software to bypass security controls. Although the campaign is currently focused on Brazil, the abuse of RMM tools is a growing trend globally due to their stealth and effectiveness in establishing long-term access.

Detailed information about Spam campaign targeting Brazil abuses Remote Monitoring and Management tools. Get real-time updates, technical details, and mitigatio

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools - Live Threat Intelligence - Threat Radar | OffSeq.com

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools

The initial access broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence is a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.

ToyMaker is an initial access broker (IAB) threat actor identified with medium confidence by Talos, primarily motivated by financial gain. This actor targets vulnerable internet-exposed systems to gain initial footholds within enterprise environments. Upon successful compromise, ToyMaker deploys a custom backdoor malware named LAGTOY. LAGTOY is a versatile tool capable of establishing reverse shells and executing arbitrary commands on infected endpoints, enabling attackers to maintain persistence and control over compromised systems. It also facilitates credential harvesting, allowing the adversary to extract sensitive authentication data from the victim enterprise, which can be leveraged for lateral movement or sold to other threat actors. 

LAGTOY’s capabilities include file transfer, command execution, and persistence mechanisms. The malware often uses legitimate administrative tools and protocols such as PowerShell, SSH, AnyDesk, and WinSCP to blend in with normal network activity, complicating detection efforts. The threat actor’s toolkit references frameworks like Metasploit and Impacket, indicating a sophisticated approach to exploitation and post-exploitation activities. Although no known exploits in the wild have been reported for this specific malware, multiple hashes associated with LAGTOY samples suggest active deployment. 

The modus operandi aligns with typical IAB behavior: gaining initial access, establishing persistence, harvesting credentials, and potentially selling access or enabling subsequent ransomware attacks. The medium severity rating reflects the potential for significant impact if the malware is deployed in critical environments but also indicates that the threat is not currently widespread or fully weaponized at scale. The use of common administrative tools and protocols requires vigilant monitoring for anomalous usage patterns to detect this threat effectively.

Detailed information about Introducing ToyMaker. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Tagged 'initial access broker'

Stop chasing alerts. Route them.

Filter Threats

Threats Tagged 'initial access broker'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility