Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

The article provides insights into starting a career in cybersecurity, emphasizing that the path is not always straightforward. It highlights the importance of having a good attitude, being easy to work with, continuous learning, persistence, joining security communities, and making the most of current circumstances. The author reflects on their own non-linear journey and the evolving landscape of cybersecurity education and opportunities. The article also discusses the increasing exploitation of Large Language Models by cybercriminals, emphasizing the need for heightened vigilance and improved cybersecurity measures.

This content has been identified as promotional or non-threat material.

Detailed information about Getting a career in cybersecurity isn't easy, but this can help. Get real-time updates, technical details, and mitigation strategies.

Getting a career in cybersecurity isn't easy, but this can help - Live Threat Intelligence - Threat Radar | OffSeq.com

Getting a career in cybersecurity isn't easy, but this can help

Cybercriminals are exploiting Discord's invite system and content delivery features to distribute malware and steal sensitive data. They use fake invite links, expired codes, and vanity URLs to redirect users to malicious servers. The attack chain involves a sophisticated combination of social engineering, multi-stage loaders, and time-based evasion tactics. Victims are tricked into authorizing a fake bot, which leads to the deployment of AsyncRAT and a customized Skuld Stealer. These malware variants target browser credentials, Discord tokens, and cryptocurrency wallets. The campaign uses trusted platforms like GitHub and Bitbucket to host encrypted payloads, and employs advanced techniques to bypass security measures and maintain persistence.

The Discord Invite Hijacking campaign is a sophisticated multi-stage attack leveraging Discord's invite system and content delivery mechanisms to distribute malware aimed at stealing sensitive information. Attackers craft fake Discord invite links, expired invite codes, and vanity URLs to redirect users to malicious Discord servers. The attack chain begins with social engineering tactics that trick victims into authorizing a malicious bot within Discord. Once authorized, this bot facilitates the deployment of two primary malware payloads: AsyncRAT, a remote access trojan capable of extensive system control, and a customized variant of Skuld Stealer, which targets browser credentials, Discord authentication tokens, and cryptocurrency wallets. The campaign employs advanced evasion techniques including time-based payload delivery and encrypted multi-stage loaders hosted on trusted platforms such as GitHub and Bitbucket, which help bypass traditional security controls and maintain persistence on infected systems. The malware leverages techniques such as credential dumping (T1005), process injection (T1055), persistence mechanisms (T1547.001), and command and control communication over standard protocols (T1071.001). The use of wallet injection techniques and targeting of cryptocurrency assets highlights a financial motivation. This campaign does not require exploitation of software vulnerabilities but relies heavily on social engineering and user interaction to initiate the infection chain. No known exploits in the wild have been reported yet, but the campaign’s use of trusted infrastructure and sophisticated evasion tactics make it a credible threat vector for users of Discord and related platforms.

Detailed information about Discord Invite Hijacking: How Fake Links Are Delivering Infostealers. Get real-time updates, technical details, and mitigation strate

Discord Invite Hijacking: How Fake Links Are Delivering Infostealers - Live Threat Intelligence - Threat Radar | OffSeq.com

Discord Invite Hijacking: How Fake Links Are Delivering Infostealers

A recent phishing campaign targeting Steam users has been identified, involving deceptive messages sent through the platform's Friends list. The attackers use fraudulent URLs that closely mimic Steam's official domain, directing users to a fake 'Summer Gift Marathon' page. Upon logging in, users' credentials are stolen, potentially leading to further phishing attacks and theft of inventory items. The blog post lists numerous similar phishing domains and provides tips for users to stay safe, including only logging in through the legitimate Steam website, being cautious of unexpected messages with links, and using tools like URLscan.io and VirusTotal to check suspicious websites.

This threat describes a recent phishing campaign targeting users of the Steam gaming platform. Attackers exploit Steam's social features by sending deceptive messages through the Friends list, containing links to fraudulent websites that closely mimic Steam's official domain. These fake domains, such as 'steamcommnunity.com' and numerous visually similar variants, host counterfeit pages themed as a 'Summer Gift Marathon' to lure users into entering their Steam credentials. Once credentials are submitted, attackers steal them, enabling unauthorized access to victims' accounts. This can lead to further phishing attempts, unauthorized transactions, and theft of valuable in-game inventory items, which often have real-world monetary value. The campaign leverages social engineering tactics, exploiting trust within the Steam community and the popularity of promotional events. The attackers use a wide array of lookalike domains to evade detection and increase the likelihood of successful deception. Although no direct exploits or malware are involved, the campaign's success depends on user interaction and the ability to convincingly imitate legitimate Steam communications and URLs. The campaign is ongoing as of June 2025, with no known threat actors or exploits in the wild beyond credential theft. The campaign is categorized under social engineering and phishing techniques, with references available for further investigation.

Detailed information about Steam Phishing: Popular as Ever. Get real-time updates, technical details, and mitigation strategies.

Steam Phishing: Popular as Ever - Live Threat Intelligence - Threat Radar | OffSeq.com

Steam Phishing: Popular as Ever

A phishing campaign has been identified that exploits Vercel, a legitimate frontend hosting platform, to distribute a malicious version of LogMeIn. Cybercriminals send phishing emails with links to a malicious page on Vercel, impersonating an Adobe PDF viewer and prompting users to download a disguised executable. Once executed, the malware installs and connects to a LogMeIn server, allowing remote access and control of the compromised machine. Over 28 distinct campaigns targeting more than 1,271 users have been observed in the past two months. The technique's effectiveness stems from the use of a legitimate platform, a genuine remote access tool, and social engineering tactics. Recommendations include monitoring suspicious Vercel subdomains, educating employees about fake support scams, and implementing strict controls for remote access software installations.

This threat involves a sophisticated phishing campaign leveraging the legitimate frontend hosting platform Vercel to distribute a malicious variant of the remote access tool LogMeIn. Attackers send phishing emails containing links to malicious pages hosted on Vercel, which impersonate an Adobe PDF viewer interface to deceive users. The malicious page prompts users to download an executable disguised as a legitimate file. Upon execution, the malware installs itself and establishes a connection to a LogMeIn server controlled by the attacker, granting remote access and control over the compromised system. This campaign has been active for at least two months, with over 28 distinct campaigns targeting more than 1,271 users. The attack's success is attributed to the abuse of a trusted platform (Vercel), use of a genuine remote access tool (LogMeIn), and effective social engineering tactics such as impersonation of common software and fake support scams. Indicators of compromise include multiple file hashes and suspicious domains. The campaign techniques align with MITRE ATT&CK tactics such as T1566 (phishing), T1204 (user execution), T1219 (remote access software), T1036 (masquerading), and T1105 (remote file copy). No known exploits or threat actors have been identified, and no CVSS score is assigned. The threat is rated medium severity due to its reliance on user interaction and social engineering, but it poses significant risk due to the potential for unauthorized remote access and control.

Detailed information about Cybercriminals Abusing Vercel to Deliver Remote Access Malware. Get real-time updates, technical details, and mitigation strategies.

Cybercriminals Abusing Vercel to Deliver Remote Access Malware - Live Threat Intelligence - Threat Radar | OffSeq.com

Cybercriminals Abusing Vercel to Deliver Remote Access Malware

A new phishing campaign has been observed leveraging a .gov domain to deceive employees into believing they owe an unpaid toll. The scam uses urgency and fear tactics, threatening penalties or vehicle registration holds if the balance is not paid immediately. The threat actors utilize the GovDelivery system to increase legitimacy, despite using Indiana's instance for a Texas-related scam. The phishing link leads to a fake website that collects personal information and credit card details. The campaign exploits fear of consequences and mimics a well-known service, highlighting the importance of integrating human expertise into email security processes to identify threats that bypass conventional malicious indicators.

The TxTag Takedown phishing campaign is a sophisticated social engineering attack that exploits the inherent trust in official government communication channels to deceive recipients into believing they owe unpaid toll fees. The attackers leverage a legitimate .gov domain and the GovDelivery communication platform—specifically Indiana's GovDelivery instance—to lend credibility to fraudulent emails purporting to be related to Texas toll violations. These emails employ urgency and fear tactics, warning recipients of penalties or vehicle registration holds if immediate payment is not made. Victims are directed to a counterfeit website hosted on the domain txtag-help.xyz, which mimics the legitimate TxTag service interface. This fake site is designed to harvest sensitive personal information, including credit card details, enabling identity theft and financial fraud. The campaign bypasses conventional email security filters by abusing trusted government infrastructure and domains, making automated detection challenging. The attackers rely heavily on psychological manipulation, exploiting fear and urgency to prompt victims to act without verifying the legitimacy of the request. Indicators of compromise include the IP address 43.166.239.78 and multiple URLs under txtag-help.xyz, such as /address, /login, and /pay, used to collect victim data. The campaign aligns with several MITRE ATT&CK techniques including spearphishing links (T1566.002), abuse of public-facing applications (T1608.004), domain acquisition (T1583.001), victim identity information gathering (T1589), social media account establishment (T1585.002), active scanning (T1595), phishing (T1598), and user execution of malicious links (T1204.001). No known exploits or CVEs are associated with this campaign, and it is currently assessed as medium severity. The campaign underscores the critical need for integrating human expertise into email security processes to detect sophisticated phishing attempts that evade automated detection mechanisms.

Detailed information about TxTag Takedown: Busting Phishing Email Schemes. Get real-time updates, technical details, and mitigation strategies.

TxTag Takedown: Busting Phishing Email Schemes - Live Threat Intelligence - Threat Radar | OffSeq.com

TxTag Takedown: Busting Phishing Email Schemes

A detailed analysis of a sophisticated intrusion targeting a cryptocurrency foundation employee is presented. The attack, attributed to the North Korean APT group BlueNoroff, began with a social engineering lure via Telegram, leading to the installation of malicious software disguised as a Zoom extension. The intrusion involved multiple stages of malware deployment, including persistent implants, backdoors, keyloggers, and cryptocurrency stealers. The attackers utilized advanced techniques such as process injection on macOS and leveraged various tools to collect sensitive information, particularly focusing on cryptocurrency-related data. The analysis covers the initial access vector, technical details of the malware components, and their functionalities, providing insights into the evolving tactics of state-sponsored threat actors targeting macOS systems.

The BlueNoroff Web3 macOS intrusion campaign is a sophisticated cyber espionage and cryptocurrency theft operation attributed to the North Korean APT group BlueNoroff. The attack targets employees of cryptocurrency foundations, leveraging social engineering via Telegram to initiate the compromise. The initial access vector involves a lure message on Telegram that convinces the target to install a malicious software component masquerading as a Zoom extension. This deceptive tactic exploits user trust in legitimate collaboration tools to bypass initial suspicion.

Once installed, the malware deploys multiple stages of payloads designed for persistence and extensive data exfiltration. These include implants that maintain long-term access, backdoors for remote control, keyloggers to capture user input, and cryptocurrency stealers specifically crafted to harvest sensitive wallet credentials and transaction data. The attackers employ advanced macOS-specific techniques such as process injection using the dynamic linker (dyld), enabling stealthy code execution within legitimate processes to evade detection.

The campaign utilizes a variety of malware components with capabilities including credential dumping (T1555), process injection (T1055), masquerading (T1036), and command and control communication over standard protocols (T1071.001). The attackers also use obfuscation (T1027) and persistence mechanisms (T1547.001) to maintain foothold. The focus on Web3 and cryptocurrency-related data indicates a strategic targeting of digital asset infrastructure. The campaign demonstrates evolving tactics of state-sponsored actors adapting to macOS environments, which have traditionally been less targeted than Windows but are increasingly attractive due to growing adoption in high-value sectors.

Indicators of compromise include multiple file hashes and suspicious domains used for command and control or malware distribution, such as 'metamask.awaitingfor.site' and 'support.us05web-zoom.biz'. The campaign does not rely on known software vulnerabilities but rather on social engineering and custom malware, highlighting the importance of user awareness and endpoint detection on macOS platforms.

Detailed information about Inside the BlueNoroff Web3 macOS Intrusion Analysis. Get real-time updates, technical details, and mitigation strategies.

Inside the BlueNoroff Web3 macOS Intrusion Analysis - Live Threat Intelligence - Threat Radar | OffSeq.com

Inside the BlueNoroff Web3 macOS Intrusion Analysis

Cybercriminals are exploiting GitHub's reputation to distribute malware, particularly targeting gamers and children. They create repositories offering game hacks, cracked software, and crypto tools, which actually contain Lumma Stealer variants. The attack chain begins with users searching for these products online, leading them to malicious GitHub repositories or YouTube videos. These repositories use social engineering tactics, including detailed descriptions, fake licenses, and instructions to disable antivirus software. The malware collects sensitive information from infected systems and transfers it to command-and-control servers. McAfee provides detection and mitigation strategies, emphasizing the importance of user education, regular software updates, and avoiding unofficial downloads.

This threat involves cybercriminals leveraging GitHub's trusted platform to distribute malware disguised as game hacks, cracked software, and cryptocurrency tools. The malicious actors create repositories that appear legitimate by including detailed descriptions, fake licenses, and instructions that encourage users to disable antivirus protections. The primary malware involved is a variant of the Lumma Stealer, a type of information-stealing malware. The infection chain typically starts when users, often gamers or younger individuals, search online for unauthorized software or cheats and are directed to these malicious GitHub repositories or associated YouTube videos. Once executed, the Lumma Stealer variant collects sensitive information from the victim's system, including credentials, system details, and potentially cryptocurrency wallet data, and exfiltrates this data to attacker-controlled command-and-control servers. The malware employs various techniques such as process injection, credential dumping, and network communication obfuscation, as indicated by the MITRE ATT&CK tags (e.g., T1059 - Command and Scripting Interpreter, T1566 - Phishing, T1071 - Application Layer Protocol). The threat actors use social engineering to bypass user suspicion and antivirus defenses, making the attack effective against less security-aware users. Although no specific affected software versions are noted, the attack vector relies heavily on user interaction and deception rather than exploiting software vulnerabilities. McAfee and other security vendors have documented detection and mitigation strategies focusing on user education, software patching, and avoiding unofficial downloads. The hashes provided serve as indicators of compromise for detection and response efforts.

Detailed information about GitHub's Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools. Get real-time updates, technical details, and mit

GitHub's Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools - Live Threat Intelligence - Threat Radar | OffSeq.com

GitHub's Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools

The article describes a surge in ClickFix campaigns using GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware. It analyzes a multi-stage attack that begins with ClickFix social engineering, deploys GHOSTPULSE loader, and ultimately delivers ARECHCLIENT2, a potent remote access trojan and infostealer. The campaign exploits user psychology, bypasses traditional defenses, and has seen increased activity in 2025. The analysis covers the infection chain, technical details of GHOSTPULSE and ARECHCLIENT2, and the associated infrastructure. The attack targets a wide range of sensitive user data and system information, including cryptocurrency wallets, browser data, and system details.

The threat described involves a sophisticated multi-stage malware campaign that leverages social engineering and advanced malware loaders to deploy a potent Remote Access Trojan (RAT) and information stealer. The attack begins with a deceptive social engineering tactic known as ClickFix, which manipulates users into executing malicious payloads. This initial deception is critical as it bypasses traditional security defenses by exploiting user psychology rather than relying solely on technical vulnerabilities. Once the user is compromised, the GHOSTPULSE loader is deployed. GHOSTPULSE acts as a sophisticated delivery mechanism that loads subsequent malicious components onto the victim's system. The final payload is ARECHCLIENT2, a powerful RAT and infostealer that targets a broad spectrum of sensitive data. This includes cryptocurrency wallets, browser-stored credentials and data, and detailed system information. The campaign's multi-stage nature allows it to evade detection by segmenting the attack into smaller, less suspicious steps, complicating incident response and forensic analysis. The technical details highlight the use of various tactics and techniques mapped to MITRE ATT&CK, such as T1539 (stealing application access tokens), T1566.002 (spearphishing link), T1082 (system information discovery), T1140 (deobfuscate/decode files or information), T1059 (command and scripting interpreter), T1204 (user execution), T1057 (process discovery), T1059.001 (PowerShell), T1574.002 (DLL side-loading), T1105 (ingress tool transfer), and T1204.001 (malicious file execution). These techniques indicate a highly versatile and evasive malware campaign that leverages both social engineering and technical exploitation to achieve persistence, data exfiltration, and remote control. The campaign has seen increased activity in 2025, signaling an evolving threat landscape. The associated infrastructure and malware components are actively analyzed by security researchers, with references such as Elastic Security Labs providing in-depth technical insights.

Detailed information about From ClickFix deception to information stealer deployment. Get real-time updates, technical details, and mitigation strategies.

From ClickFix deception to information stealer deployment - Live Threat Intelligence - Threat Radar | OffSeq.com

From ClickFix deception to information stealer deployment

Skeleton Spider, also known as FIN6, is a financially motivated cybercrime group that has evolved from POS breaches to broader enterprise threats. They employ social engineering tactics, posing as job seekers on platforms like LinkedIn to deliver phishing messages. Their preferred payload is more_eggs, a JavaScript-based backdoor. The group uses trusted cloud services like AWS to host malicious infrastructure, evading detection. Their phishing emails impersonate job applicants, with domains mimicking real names. FIN6 employs sophisticated filtering techniques to ensure malware delivery only to intended targets. The more_eggs malware, developed by Venom Spider, allows for command execution and credential theft. Defense strategies include cautious handling of resume links, blocking execution of suspicious files, and implementing EDR policies.

Skeleton Spider, also known as FIN6, is a financially motivated cybercrime group that has transitioned from primarily targeting point-of-sale (POS) systems to conducting broader enterprise-level attacks. Their current modus operandi involves sophisticated social engineering campaigns, particularly leveraging professional networking platforms like LinkedIn. They impersonate job seekers by creating phishing emails that appear as legitimate job applications, often using domains that closely mimic real names to increase credibility and evade initial suspicion. The phishing messages contain links or attachments that lead to the deployment of their preferred malware payload, more_eggs, a JavaScript-based backdoor developed by the Venom Spider group. This malware enables attackers to execute arbitrary commands on compromised systems and steal credentials, facilitating further lateral movement and data exfiltration within the targeted enterprise environment.

A notable evasion technique employed by FIN6 is the use of trusted cloud infrastructure, specifically Amazon Web Services (AWS), to host their malicious payloads and command-and-control (C2) servers. By leveraging reputable cloud services, they reduce the likelihood of detection by security tools that often whitelist or trust traffic to and from such platforms. Additionally, FIN6 applies sophisticated filtering mechanisms to ensure that malware delivery occurs only to intended targets, minimizing exposure and increasing the success rate of their campaigns.

The attack chain typically begins with a phishing email containing a resume lure, which when interacted with, triggers the download or execution of the more_eggs backdoor. The malware supports various techniques including command execution (T1059.007), persistence (T1547), credential access (T1078.001), and evasion tactics such as obfuscated files or information (T1027). The group also uses scheduled tasks or services (T1053.005) to maintain persistence and employs network communication techniques (T1071) to communicate with their C2 infrastructure hosted on cloud domains like bobbyweisman.com and others. Indicators of compromise include multiple hashes of malicious files, IP addresses, and domains associated with their infrastructure.

Overall, Skeleton Spider's approach combines social engineering, cloud-based infrastructure abuse, and advanced malware capabilities to conduct targeted, stealthy intrusions into enterprise networks.

Detailed information about Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery. Get real-time updates, technical details, and mitigation s

Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery - Live Threat Intelligence - Threat Radar | OffSeq.com

Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery

Iranian cyber actors have been identified impersonating a German model agency in a suspected espionage operation. The attackers created a fraudulent website mimicking the authentic agency's branding and content, which triggers obfuscated JavaScript to capture detailed visitor information. This data collection enables selective targeting. The website also replaces a real model's profile with a fake one, likely for social engineering purposes. The operation's complexity and methods suggest involvement of an Iranian threat group, possibly overlapping with Agent Serpens (APT35 or Charming Kitten). This group is known for targeting Iranian dissidents, journalists, and activists abroad. The fake website includes sophisticated data collection routines and dynamic profile alterations, indicating an ongoing and evolving threat.

This threat involves Iranian cyber actors, likely linked to the APT group known as Agent Serpens (also referenced as APT35 or Charming Kitten), conducting a sophisticated espionage campaign by impersonating a legitimate German model agency. The attackers have created a fraudulent website (notably using the domains megamodelstudio.com and www.megamodelstudio.com) that closely mimics the authentic agency's branding and content. This counterfeit site employs obfuscated JavaScript code designed to capture detailed visitor information, including potentially sensitive data such as device fingerprints, browser details, and interaction patterns. The collected data enables the threat actors to selectively target individuals of interest, enhancing the precision of their espionage efforts. Additionally, the attackers dynamically replace a real model's profile on the site with a fabricated one, likely as a social engineering tactic to lure targets into engagement or to facilitate further reconnaissance and exploitation. The operation's complexity, including the use of advanced data collection routines and dynamic content manipulation, indicates an ongoing and evolving threat rather than a one-off phishing attempt. The campaign aligns with known tactics, techniques, and procedures (TTPs) of Agent Serpens, who historically target Iranian dissidents, journalists, and activists abroad, suggesting a focus on intelligence gathering rather than mass disruption or financial gain. The absence of known exploits in the wild and the medium severity rating reflect the targeted nature of this campaign, which relies heavily on social engineering and information harvesting rather than direct system compromise or malware deployment.

Detailed information about Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation. Get real-time updates, technical details, and mitigat

Title	Severity	Type	Source	Date

Threats Tagged 'social engineering'

Filter Threats

Threats Tagged 'social engineering'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility