🚨 Possible first Iranian wiper activity since the start of the war.
Handala (MOIS-linked) claims targeting Stryker Corporation, reportedly pushing a wiper to Intune-managed endpoints.
Claims currently unverified but seeing more public reporting on it.
Now, who's got samples for analysis?
11.03.2026 13:13
👍 0
🔁 0
💬 0
📌 0
They Came to Spy on America. They Stayed to Coach Little League.
In the wake of the Cold War, some Soviet bloc spies decided their fake American lives weren’t so bad.
It’s no secret that investigative journalism is on life support. The economics of the profession, always shaky, have become increasingly untenable. If you enjoyed this, or any of my other work, and are looking for a full-time editor or writer, get in touch!
www.politico.com/news/magazin...
10.03.2026 19:36
👍 72
🔁 26
💬 1
📌 0
☁️ 🧪 We've been cooking in the lab!
In our new scenario you can play with EKS, ECR, pipelines and more fun stuff in the cloud.
Sign up and take advantage of our #BlackFriday deal!
🔗cloudlabs.invictus-ir.com
#DFIR #Cloud #Training #cybersecurity
28.11.2025 11:30
👍 3
🔁 0
💬 0
📌 0
The story of how we almost got hacked
The VendorVandals threat actor tried to compromise us using a phishing lure + fake WeTransfer delivery to achieve a BEC attack.
We followed the breadcrumbs and exposed their campaign.
Details 👇
www.invictus-ir.com/news/the-sto...
26.11.2025 18:25
👍 1
🔁 0
💬 0
📌 0
🎉BEHOLD! THE AGENDA! 🎉
The inaugural agenda features 15 talks detailing operational updates on the threat landscape, matters of attribution, and unique explorations of unconventional manifestations of state presence.
Get registered quick!!!
stateofstatecraft.com/agenda
18.09.2025 16:39
👍 5
🔁 1
💬 0
📌 0
Cloud Labs - Choose the plan that fits your needs
Cloud Labs is live!
🏗️ Build or increase your cloud incident response skills with realistic labs and scenarios.
Register for Cloud Labs: cloudlabs.invictus-ir.com
29.08.2025 12:38
👍 0
🔁 0
💬 0
📌 0
Black Hat First Look: Meet the New Microsoft Extractor Suite v4
💙Microsoft Extractor Suite v4 is here
Update-Module -Name Microsoft-Extractor-Suite
Learn more about the new features in the blog, and thanks to everyone who contributed!
invictus-ir.com/news/black-h...
#stayInvictus #CloudIncidentResponse #DFIR
28.07.2025 09:48
👍 0
🔁 0
💬 0
📌 0
Why am I so unimpressed by these strikes? Israel and the US have failed to target significant elements of Iran's nuclear materials and production infrastructure. RISING LION and MIDNIGHT HAMMER are tactically brilliant, but may turn out to be strategic failures. 🧵 1/17
23.06.2025 01:25
👍 2883
🔁 1126
💬 92
📌 268
What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia | Google Cloud Blog
A Russia-sponsored threat actor is impersonating the U.S. Department of State, and using phishing to gain access to email accounts.
So @gabagool.ing (who will henceforth be referred to as "gabbot") and I wrote some stuff on some ASP phishing campaigns: cloud.google.com/blog/topics/...
Citizen Lab worked closely with one of the targets and shared their work on it also: citizenlab.ca/2025/06/russ...
18.06.2025 17:04
👍 10
🔁 7
💬 0
📌 2
#CharmingKitten #APT42 #TA453
Hash:
87144d0aa002a87376b673f7d0c0eb88
C2:
Telegram Bot used for error messages and auto-start messaging to the operator
computerlearning.ddns[.]net
Pivots:
bookstoragestore[.]com
lastfilterfile[.]info
78.159.117[.]177
78.159.117[.]175
185.132.176[.]241
154.44.186[.]106
10.06.2025 11:47
👍 1
🔁 0
💬 0
📌 0
Dutch intelligence discover a new Russian APT—LAUNDRY BEAR
www.aivd.nl/documenten/p...
Microsoft calls it Void Blizzard. Their report is here: www.microsoft.com/en-us/securi...
27.05.2025 12:11
👍 21
🔁 12
💬 1
📌 1
The limited IOCs on this pointed toward an ORB network... nice to see some reporting that supports attribution.
24.05.2025 21:49
👍 1
🔁 0
💬 0
📌 0
High-level overview of JavaGhost's TTPs
This isn’t recycled noise on JavaGhost. It surfaces the often-overlooked details responders and CTI analysts actually need.
Practical takeaways include:
✔️ Mapped TTPs
✔️ IR checklist
✔️ Actor context & relevancy
invictus-ir.com/news/profili...
#CTI #CloudSecurity #AWS #DFIR #JavaGhost
22.05.2025 11:52
👍 1
🔁 0
💬 0
📌 0
Call-back Proxy Network: 103.131.213[.]89 | 182.185.156[.]45 – likely a mix of anonymous activity and normal activity.
Mass SMTP Tester: 134.199.148[.]132 – banner previously responded with Mass SMTP Tester header.
14.05.2025 12:46
👍 0
🔁 0
💬 0
📌 0
ATT&CK v17: New Platform (ESXi), Collection Optimization, & More Countermeasures
By: Amy Robertson and Adam Pennington
ATT&CK v17 is now live! This release includes the first version of the ESXi platform, a pile of defensive upgrades, and fresh content across Enterprise, Mobile, and ICS.
Check out our blog post describing the changes by Amy Robertson & @whatshisface.bsky.social at medium.com/mitre-attack....
22.04.2025 15:22
👍 6
🔁 2
💬 0
📌 1
Cloud Heavy, Hybrid Ready: Lessons from BlackBasta and Scattered Spider
🚨 New blog: BlackBasta’s leaks show how ransomware crews still exploit hybrid environments while Scattered Spider leans fully into cloud.
Two actors, two strategies. What it means for IR, cloud defense, and ransomware readiness.
👉 invictus-ir.com/news/cloud-h...
#DFIR #CloudSecurity #CTI
02.04.2025 12:57
👍 0
🔁 1
💬 0
📌 0
Cloud Incident Readiness: Key logs for cloud incidents
🔍 New Blog: Essential Cloud Logs for Incident Response
🪵 Are you collecting the right logs for cloud security incidents? We break down the must-have logs to detect, investigate, and respond effectively in the cloud.
🔗 www.invictus-ir.com/news/cloud-i...
#dfir #aws #microsoft #google
19.03.2025 12:53
👍 0
🔁 1
💬 0
📌 0
Deep Dive: Forensic Analysis of eM Client Permissions Table
🚨 New Blog: Forensic Analysis of eM Client 🚨
If you handle BEC investigations, you've probably encountered eM Client more than once. We break down the forensic traces this application leaves behind.
🔍 Read now: www.invictus-ir.com/news/forensi...
#CyberSecurity #DFIR #BEC #ThreatIntel #CTI
03.03.2025 17:40
👍 0
🔁 0
💬 0
📌 0
🚨 New Blog Alert: “Locked Out, Dropboxed In: When BEC Threats Innovate” 🚨
Dive into an intriguing BEC attack and discover how this threat actor navigated a cloud environment to evade detection. We’ve also mapped the TTPs and shared IOCs on our GitHub.
👉 www.invictus-ir.com/news/locked-...
19.02.2025 14:52
👍 1
🔁 0
💬 1
📌 0