Simon Kenin
@k3yp0d.bsky.social
Threat Hunter at SentinelOne | curatedintel.org Member | k3yp0d.blogspot.com | Opinions are of my own voices inside my own head | memes and music are welcome
2/2
410f5add77c00714d1e214495c406dc2
6dadafaa55728ef8bd27a0e802dfeebb
ref: www.koi.ai/blog/4-milli...
4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign | Koi Blog
December 9, 2025 at 10:04 AM
UNC5203
November 26, 2025 at 11:01 AM
4/4
VIBE attribution to Handala because of similarities in TTPs and similarities to their HEAVYGRAM malware.
Ref: doublepulsar.com/handala-atte...

I don't need to reverse this shit to know... 🤡
Handala attempts a supply chain hack via ReutOne
During the week, Handala — a group painfully in love with Israel, tried a forward supply chain attack.
November 16, 2025 at 3:36 PM
3/4
securityscanner.exe
7f4ded56abaacb2bf4649665ac259c7c
25f27131e8de91f8d6fdf9bfa1901577f992ce33
2afcac3231235b5cea0fc702d705ec76afec424a9cec820749b83b6299d1fe1b

This file is not signed by Check Point... it connects to Telegram and Dropbox for exfiltration and probably more...
November 16, 2025 at 3:36 PM
2/4
The PDF masquerades the download link as a Check Point security tool.
The password for the RAR, however, is related to a cloud provider called cloudstar, but the small print says the service is provided by G.N.S.
cellcom.co.il/production/B...
November 16, 2025 at 3:36 PM
4/5
This onlyoffice subdomain is also mentioned by Proofpoint, but the shared key and content are different.
Test Projects.zip -> 8e7771ed1126b79c9a6a1093b2598282221cad8524c061943185272fbe58142d
This file is listed in the IOCs of the CP blog and might have been reused
November 7, 2025 at 9:34 PM
3/5
However, Check Point did not mention OnlyOffice.
The missing link is available at any.run
November 7, 2025 at 9:34 PM
4/4
Iranian Kittens go O_o
October 28, 2025 at 5:23 PM
3/4
Additional "Hacktivism" hosted on PRQ[.]SE:
x.com/k3yp0d/statu...
October 28, 2025 at 5:23 PM
4/5
JS downloads NetSupport RAT and drops decoy PDF
Example C2 139.28.38.39
October 25, 2025 at 9:19 AM
3/5

Example zip 0f6f4c1821b71ea73213b3b290b7e23b
Vchasno_doc_22.10.2025_0029.zip
Zip contains either just a JS payload or benign files with additional archives which contain the JS payload
October 25, 2025 at 9:19 AM