Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

This intelligence analysis examines a widespread Request for Quote (RFQ) scam that exploits Net financing options to steal high-value electronics and goods. The scammers pose as procurement agents for legitimate companies, using stolen information and lookalike domains to appear credible. They request quotes for specific items and inquire about Net 15/30/45-day financing. Once credit is approved, they provide shipping addresses, often using freight forwarding services or residential addresses. The scammers utilize a network of shipping services, warehouses, and money mules to facilitate their operations. Key characteristics of the scam include urgent financing requests, suspicious delivery addresses, and the use of free email accounts. Mitigation efforts included domain takedowns and intercepting fraudulent shipments.

The NET RFQ scam is a sophisticated social engineering and business email compromise (BEC) campaign targeting companies that use Request for Quote (RFQ) processes combined with Net financing terms (Net 15/30/45 days). Attackers impersonate legitimate procurement agents by leveraging stolen corporate information and creating lookalike domains to appear credible. They initiate contact by requesting quotes for high-value electronics and other goods, often specifying urgent financing terms to pressure victims. Once the victim approves credit, the scammers provide shipping addresses that are often freight forwarding services or residential locations, enabling them to intercept or divert shipments. The operation is supported by a network of shipping services, warehouses, and money mules to facilitate the movement and monetization of stolen goods. Key indicators include urgent financing requests, suspicious delivery addresses, and the use of free email accounts rather than corporate emails. Mitigation efforts have included domain takedowns and interception of fraudulent shipments. The campaign exploits weaknesses in supply chain procurement processes and financial controls, combining social engineering with logistical fraud to steal physical goods rather than digital assets. This threat aligns with MITRE ATT&CK techniques such as business email compromise (T1566), supply chain compromise (T1583), domain spoofing (T1598), and use of freight forwarding (T1608). The campaign does not rely on software vulnerabilities but on procedural and human factors, making it a complex challenge for organizations relying on RFQ and Net payment terms.

Detailed information about NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods. Get real-time updates, technical details, and mitigation st

NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods - Live Threat Intelligence - Threat Radar | OffSeq.com

NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods

A new campaign exploiting GitHub to distribute malicious Python code disguised as legitimate hacking tools has been uncovered. The operation, attributed to the group known as Banana Squad, used 67 repositories hosting trojanized files that mimicked benign open-source projects. The attackers exploited GitHub's interface to conceal backdoor code using long space strings, making the malicious content invisible in normal view. Each GitHub account typically hosted one repository, likely fake and created solely to deliver malicious content. Hidden code within the Python files used encoding methods to obscure payload delivery functions. The campaign reflects a shift in open-source software supply chain attacks, with attackers now leveraging more covert tactics to target platforms like GitHub. Developers are advised to verify repositories, avoid reliance on single-repository accounts, and monitor for suspicious domains.

The threat involves a sophisticated malware campaign orchestrated by the group known as Banana Squad, which leverages GitHub as a distribution platform for malicious Python code disguised as legitimate hacking tools. The campaign uses 67 distinct GitHub repositories, each typically hosted by a single account, likely created solely for malicious purposes. These repositories mimic benign open-source projects to evade suspicion. The attackers exploit GitHub's interface by embedding backdoor code concealed within long space strings, rendering the malicious payload invisible during normal code review. Additionally, the Python files employ encoding techniques to obscure the payload delivery functions, further complicating detection. This approach represents an evolution in open-source software supply chain attacks, shifting towards more covert tactics that exploit trusted platforms like GitHub. The campaign includes indicators such as suspicious domains (e.g., 1312services.ru and dieserbenni.ru) used for command and control or payload delivery. The tactics align with MITRE ATT&CK techniques including supply chain compromise (T1587.001), software supply chain (T1608.001), repository creation (T1588.001), command and control via web services (T1102), user execution (T1204), and obfuscated files or information (T1027). The campaign does not require prior authentication to access the repositories, increasing its potential reach among developers who might unknowingly incorporate trojanized code into their projects. No known exploits in the wild have been reported yet, but the stealthy nature and supply chain vector pose significant risks to software integrity and trust.

Detailed information about Stealthy GitHub Malware Campaign Targets Devs. Get real-time updates, technical details, and mitigation strategies.

Stealthy GitHub Malware Campaign Targets Devs - Live Threat Intelligence - Threat Radar | OffSeq.com

Stealthy GitHub Malware Campaign Targets Devs

A newly identified threat actor, Water Curse, is exploiting GitHub to deliver weaponized repositories containing multistage malware. The group has been linked to at least 76 GitHub accounts, targeting cybersecurity professionals, game developers, and DevOps teams. Their malware enables data exfiltration, remote access, and long-term persistence on infected systems. The attack begins with trojanized open-source tools, progresses through complex infection chains using obfuscated scripts, and culminates in extensive system reconnaissance and data theft. Water Curse employs anti-debugging techniques, privilege escalation methods, and persistence mechanisms to maintain control over affected systems. The campaign poses a significant supply chain risk, especially to those relying on open-source tooling from GitHub.

The threat actor known as Water Curse has been identified exploiting the GitHub platform to distribute weaponized open-source repositories containing multistage malware. This campaign involves at least 76 GitHub accounts that have been used to target cybersecurity professionals, game developers, and DevOps teams. The attack vector begins with trojanized open-source tools, which appear legitimate but contain malicious payloads. Once a victim clones or downloads these repositories, the infection chain activates through obfuscated scripts that evade detection and analysis. The malware employs advanced anti-debugging techniques to hinder reverse engineering and forensic efforts. It also uses privilege escalation exploits to gain higher system permissions, enabling the attacker to establish persistence mechanisms that maintain long-term access to compromised systems. The malware conducts extensive system reconnaissance to gather detailed information about the environment and exfiltrates sensitive data back to the attacker. The campaign represents a significant supply chain risk, as it leverages the trust and widespread use of open-source tooling on GitHub, potentially impacting a broad range of organizations that rely on these resources. The malware's capabilities include remote access, data theft, and stealthy persistence, making it a sophisticated threat that can compromise confidentiality, integrity, and availability of targeted systems. Indicators of compromise include multiple malicious URLs, domains, and file hashes associated with the campaign. The attack techniques correspond to numerous MITRE ATT&CK tactics and techniques such as scheduled task execution (T1053.005), data from local system (T1005), credential dumping (T1003), and obfuscated files or information (T1027), among others. No known exploits in the wild have been reported yet, but the complexity and stealth of the malware suggest a high potential for future exploitation.

Detailed information about Clone, Compile, Compromise: Open-Source Malware Trap on GitHub. Get real-time updates, technical details, and mitigation strategies.

Clone, Compile, Compromise: Open-Source Malware Trap on GitHub - Live Threat Intelligence - Threat Radar | OffSeq.com

Clone, Compile, Compromise: Open-Source Malware Trap on GitHub

Interlock Ransomware has recently targeted National Defense Corporation and its subsidiaries, impacting the defense industrial base supply chain. The group's attack on AMTEC, a manufacturer of ammunition and explosives, has exposed sensitive information about global defense contractors and their supply chains. This incident highlights the cascading effects of such attacks on military operations, national security, and intellectual property. The compromised data includes details about contracts, logistics, and distribution networks of major defense corporations. The attack underscores the critical need for robust cybersecurity measures in the defense sector, especially given the potential involvement of state-sponsored actors and the implications for geopolitical influence and espionage.

Interlock Ransomware is a sophisticated ransomware threat actor that has recently targeted entities within the defense industrial base (DIB), specifically focusing on National Defense Corporation and its subsidiaries such as AMTEC, a manufacturer of ammunition and explosives. The attack methodology involves encrypting critical operational data and simultaneously exfiltrating sensitive information related to defense contractors, including contract details, logistics, and distribution networks. This double extortion tactic not only disrupts the availability of essential systems but also threatens confidentiality by threatening to leak intellectual property and sensitive supply chain data. The ransomware campaign appears to leverage a combination of tactics including lateral movement (T1133), service stop (T1489), exploitation of public-facing applications (T1190), data from local system (T1567), remote services (T1021), data destruction (T1491), data manipulation (T1565), valid accounts (T1078), data encrypted for impact (T1486), and data exfiltration (T1490). The absence of known affected software versions or publicly known exploits suggests the adversary may be exploiting zero-day vulnerabilities, supply chain weaknesses, or social engineering vectors to gain initial access. The use of multiple IP addresses and a Tor-based leak site for publishing stolen data indicates a high level of operational security and sophistication, possibly pointing to state-sponsored involvement. The attack has cascading effects on military operations and national security by compromising the integrity and confidentiality of defense supply chains, potentially delaying or degrading defense readiness and exposing strategic defense capabilities to adversaries. This threat highlights the critical need for enhanced cybersecurity frameworks such as CMMC compliance within the defense sector to mitigate risks associated with ransomware and data leaks.

Detailed information about How Interlock Ransomware Affects the Defense Industrial Base Supply Chain. Get real-time updates, technical details, and mitigation s

Title	Severity	Type	Source	Date

Threats Tagged 'supply chain'

Filter Threats

Threats Tagged 'supply chain'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility