Arda Büyükkaya
@whichbufferarda.bsky.social
Cyber Threat Intelligence Analyst
@EclecticIQ | Threat Hunter | Malware Analyst. (All opinions expressed here are mine only.) 🇹🇷🇳🇱
#cybersecurity
🇨🇳 UNC5221 China-Nexus Threat Actor Actively Exploiting Ivanti EPMM (CVE-2025-4428). Targets critical networks like US airports and telecommunications companies in the EU. Exfiltrating sensitive data from managed mobile devices. #cyber

Here is the full report:

blog.eclecticiq.com/china-nexus-...
May 22, 2025 at 11:34 AM
🎉 Happy to share that my talk has been accepted at Virus Bulletin! I’ll be presenting in 🇩🇪 Berlin on Friday, September 26 at VB2025:

Details: www.virusbulletin.com/conference/v...

See you there! #vbconference #VB2025
May 2, 2025 at 2:27 PM
Microsoft Teams appears to have been used as part of the cyber kill chain in the Co-Op hack. I've recently seen similar tactics, where threat actors employed voice phishing via Teams calls. It’s a threat worth watching.
May 1, 2025 at 7:43 PM
🚨 Erlang SSH RCE (CVE-2025-32433) poses a significant supply chain risk to ICS and OT devices, particularly critical networking equipment like routers, switches, and smart sensors. The public availability of a PoC makes this vulnerability especially concerning, as it is straightforward to exploit.
April 25, 2025 at 8:02 PM
Since April 15, 2025, BreachForums 2 had been offline. Admin “Normal” confirmed its return at breached[.]fi, with no prior data restored. The new site faces skepticism, with some calling it a potential honeypot, likely pushing threat actors toward other platforms.
April 23, 2025 at 8:59 PM
Sri Lanka’s Foreign Ministry hit by a phishing email posing as a peacekeeper notice, sent from Pakistan’s Naval Uni (likely breached) “[email protected].” The malicious link led to a fake Gmail login on the Railway-hosted page "gs23-production.up.railway[.]app", stealing user credentials and OTPs.
April 23, 2025 at 7:11 PM
Telephone-oriented attack delivery (TOAD) should be part of your threat model. We're seeing a rise in phishing where real human voices trick IT admins or helpdesks. Threat actors even run affiliate programs, paying people to guide victims into RMM installs or password resets.
April 18, 2025 at 9:54 PM
Ransomware brands come and go, but affiliates stay active, favoring repeatable, high-ROI tradecraft. Many work with multiple RaaS crews at once. Their playbooks aren’t static; affiliates adapt to tech shifts like cloud adoption. Focus on affiliate behavior and hunt the tradecraft. #Ransomware
April 13, 2025 at 11:08 AM
🎙️ Honored to be speaking at FIRST 🇳🇱 🇪🇺 Amsterdam Technical Colloquium on March 27 (Day 2) about Scattered Spider’s Cloud Tactics and the Ransomware Deployment Life Cycle! If you’re attending, let’s connect—DMs are open :)
#FIRSTAMS2025 #CyberSecurity
@firstdotorg.bsky.social
March 1, 2025 at 12:59 PM
I'm incredibly honored to have my threat research on Sandworm APT featured in WIRED Magazine. I'm excited about what's ahead as I continue contributing to the cybersecurity community with actionable intelligence!
www.wired.com/story/russia...
February 12, 2025 at 6:02 PM
🚨 EclecticIQ analysts uncovered a Sandworm #cyber espionage campaign targeting Ukrainian Windows users. Attackers used trojanized #Microsoft KMS activation tools to deploy the BACKORDER loader and Dark Crystal RAT, enabling data theft and espionage. blog.eclecticiq.com/sandworm-apt...
February 11, 2025 at 3:30 PM
The attacker compromised an email account on mx[.]jurimex[.]ua to deliver a phishing email. The email contains a malicious URL abusing infrastructure at drive[.]legalaid[.]gov[.]ua, owned by Ukraine's Coordination Centre for Legal Aid Provision, which was abused to deliver a RAR file containing #SmokeLoader malware.
February 7, 2025 at 9:24 PM
🚨 Targeted #phishing attacks on Ukrainian 🇺🇦 gov! Emails from moulmg@meta[.]ua & info@betta[.]com[.]ua deliver malicious 7ZIP files exploiting CVE-2025-0411 to drop #SmokeLoader. Notably, the meta[.]ua mail service has been previously abused by #APT28 (GRU) for #cyber operations.
February 7, 2025 at 9:24 PM
It was an honor to speak at the SANS CTI Summit today. Such a fantastic event filled with great networking opportunities and insights from the rock stars of the infosec industry! @likethecoins.bsky.social
January 28, 2025 at 2:23 AM
🇳🇱 ✈️ 🇺🇸 Dear all,
From January 27-28, I’ll be attending the SANS Cyber Threat Intelligence Summit in Alexandria, VA.

If you’re attending the summit, let’s connect, my DMs are open!

Looking forward to seeing you in Alexandria!
#SANS #cybersecurity
January 23, 2025 at 9:13 AM
SHA-256:
6dd97f5ac9f05bfe3b810ac08f4fe0377933d54a4ab64158d4e40f94feab2cf0 -> bb.ps1

fe08a5e0fb220232e70a4da3378162608a7fe0655bf999685d441e89d68a454a -> trigger

Additional IOCs from BAT file:
December 5, 2024 at 7:04 PM
After further investigation, I found the threat actor who very likely compromised that legitimate VICIdial server: it was 158.220.106[.]204 - liceba[.]store, also delivering a PowerShell RDP backdoor with an interesting file path named "UP".
December 5, 2024 at 7:04 PM
Threat actors exploit GlobalProtect (CVE-2024-3400) to deliver the Sliver C2 malware (up.js) by leveraging the compromised VICIdial server; the threat actor likely exploited CVE-2024-8504 to store their payloads on the legitimate server (104.131.69[.]106/vicidial/up.js).
December 5, 2024 at 7:04 PM
Critical energy infrastructure, including power grids, gas pipelines, and energy companies in Ukraine, the US, and Europe (especially the UK and Germany), is highly likely a target of Russia’s cyber sabotage unit Sandworm (APT44).
www.politico.eu/article/russ...
November 22, 2024 at 6:44 PM
After using some cool network pivoting tricks and a zero-day privilege escalation, the threat actor leveraged noisy reg.exe to dump SAM credentials and PowerShell to compress the results.
November 22, 2024 at 6:43 PM
🕷 🕸 The FBI has linked Tyler Robert Buchanan, aka "bobsagetfaget," to Scattered Spider’s credential theft campaigns. Key evidence includes phishing domains like tmobiie[.]us, registered via NameCheap with the email [email protected] under the username "bobsagetfaget."
November 20, 2024 at 9:04 PM