Some updates on the MISP Galaxy website:https://www.misp-galaxy.org/mitre-fraud-framework/#It now includes a matrix-like view of the galaxy for @misp #misp #cti #threatintel #threatintelligence

Tropic Trooper abuses GitHub + VS Code for covert C2 and persistence.AdaptixC2 + custom beacon listener in play.Trusted platforms = new attack surface.https://www.technadu.com/tropic-trooper-deploys-adaptixc2-and-custom-beacon-listener/626720/#Infosec #APT #ThreatIntel

(infoblox.com) Fake CAPTCHA Pages Weaponized for International Revenue Share Fraud via SMS Scam CampaignNew IRSF campaign weaponizes fake CAPTCHA pages to trigger international SMS fraud, costing victims ~$30 per session. Active since 2020, it exploits TDS and carrier billing gaps across 17 countries.In brief - Threat actors use typosquatting and fake CAPTCHA pages to force mobile users into sending premium SMS messages to 15+ international numbers, generating fraudulent termination fees. The operation targets victims via multi-hop TDS, defrauding both individuals and telecom carriers.Technically - The attack chain involves a TDS (colnsdital[.]com → hotnow[.]sweeffg[.]online → zawsterris[.]com) redirecting to fake CAPTCHA pages on AS15699. JavaScript calls makeTrackerDownload.php to fetch phone number lists and control parameters (forceRedirectURL, forceMessage). Back button hijacking via pushState() traps users, while cookie tracking filters targets. A secondary tier of 20 Egyptian numbers is passed via base64 to megaplaylive[.]com, embedding additional SMS triggers in media playback.Source: https://www.infoblox.com/blog/threat-intelligence/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas/#Cybersecurity #ThreatIntel

Automation claims data breach on Russian Federation's Gemotest, on pwnforums.st. #DataBreach #Healthcare #RussianFederation #ThreatIntel

THREAT INTEL | STERIMED Actor "qilin" claims Undisclosed️ Unverified claimhttps://www.yazoul.net/intel/claim/2026-04-22-sterimed-ransomware-attack-by-qilin-april-2026#DarkWeb #DataBreach #ThreatIntel #CyberSecurity #InfoSec

New security advisory:CVE-2026-34275 affects multiple systems.• Impact: Remote code execution or complete system compromise possible• Risk: Attackers can gain full control of affected systems• Mitigation: Patch immediately or isolate affected systemsFull breakdown:https://www.yazoul.net/advisory/cve/cve-2026-34275-oracle-e-biz-unauth-takeover#InfoSec #ZeroDay #ThreatIntel

THREAT INTEL | Complete Aircraft Group🟠 Actor "everest" claims Undisclosed️ Unverified claimhttps://www.yazoul.net/intel/claim/2026-04-20-complete-aircraft-group-ransomware-claim-by-everest-apr-2026#DarkWeb #DataBreach #ThreatIntel #CyberSecurity #InfoSec

(checkpoint.com) The Gentlemen Ransomware-as-a-Service: Multi-Platform RaaS Operation with Advanced Lateral Movement and GPO-Based Mass DeploymentNew RaaS operation "The Gentlemen" has compromised 320+ victims with multi-platform ransomware (Windows/Linux/ESXi) and advanced GPO-based deployment tactics.In brief - Emerging RaaS group "The Gentlemen" employs double extortion, targeting enterprises via Domain Admin access, Cobalt Strike, and mass ransomware deployment through Group Policy Objects. Over 320 victims reported, with 1,570+ SystemBC proxy victims globally.Technically - The Gentlemen ransomware uses X25519 key exchange with XChaCha20 encryption (Windows: Go, ESXi: C). Features include CLI-driven partial encryption (1-9%), GPO deployment, PsExec/WMI lateral movement, and defense evasion via Defender disabling, firewall shutdown, and SMB1 re-enablement. Attack chain observed: Cobalt Strike (91.107.247[.]163) → Mimikatz credential harvesting → SystemBC SOCKS5 tunneling (45.86.230[.]112) → AnyDesk persistence → GPO-scheduled ransomware detonation. ESXi variant shuts down VMs via vim-cmd before encrypting VMFS datastores.Source: https://research.checkpoint.com/2026/dfir-report-the-gentlemen/#Cybersecurity #ThreatIntel

The Gentlemen claims ransomware attack on Belgium's Anderlues. Targeting the official municipal website serving ~12,000 residents. #Ransomware #Government #Belgium #ThreatIntel

️ El Curso de Ciberseguridad está permanente disponible en el aula virtual para acceso inmediato. WhatsApp: https://wa.me/51949304030 https://www.reydes.com/e/Curso_de_Ciberseguridad #datasecurity #zerotrust #vulnerability #cyberattack #threatintel #databreach #cybersecurity

(trmlabs.com) Russia-Linked Cryptomus and Parallel Service Heleket: Shared Infrastructure Enabling Sanctions Evasion and Illicit Crypto FlowsNew reporting confirms Russia-linked Cryptomus and Heleket are operationally connected, enabling sanctions evasion and illicit crypto flows post-enforcement. TRM Labs assesses high-confidence linkage via shared infrastructure, personnel, and on-chain activity.In brief - Russia-linked crypto payment processors Cryptomus and Heleket are likely the same operation rebranded to evade sanctions and KYC controls. Heleket now handles 80% of illicit flows, with 60% tied to sanctioned exchange Garantex. The shift follows FINTRAC’s penalty against Cryptomus and mirrors broader ‘Russian rebrand’ evasion tactics.Technically - On-chain analysis reveals Garantex as a liquidity provider for Heleket’s hot wallets (Jan 2025), with Heleket’s illicit inflow ratio at 0.6%—5x the peer average. Shared infrastructure includes domain registrar ties, identical fee structures (0.4%), and personnel overlap. Over 75K transactions link Cryptomus to Iranian exchanges (e.g., Nobitex), while forum posts confirm user credential crossover. Volume displacement aligns with Cryptomus’ post-KYC decline.Source: https://www.trmlabs.com/resources/blog/russia-linked-payment-processor-cryptomus-likely-behind-launch-of-parallel-service-heleket#Cybersecurity #ThreatIntel

RubiconH4ck claims data breach on Ukraine's Energy & Utilities organization. 6.3TB database of Ukraine's gas reserves (2018-2025) with documents, system data, driver data, and login credentials offered for $5,000 via Telegram. #DataBreach #Energy #Ukraine #ThreatIntel

Pharaohs Team selling access on Peru's Iriosanta / Independencia Educational Institutions. Advertising the compromised domains iriosanta.edu.pe and independencia.edu.pe on their marketplace. #InitialAccess #Education #Peru #ThreatIntel

protobuf.js RCE can trigger arbitrary JS execution when apps load attacker influenced schemas. Patch to 8.0.1 or 7.5.5.🟡 Tycoon 2FA crews are leaning into device code phishing to steal sessions and bypass MFA. Reinforce user training and conditional access.#CyberSecurity #ThreatIntel #AppSec #IdentitySecuritysolomonneas.dev/intel

New DTI Research: The evolution of the MOIS-linked cyber ecosystem (Handala/Homeland Justice)from the 2022 Albania attacks to the 2026 Stryker incident️Full research and analysis:https://dti.domaintools.com/research/mois-linked-moist-grasshopper-homeland-justice-karmabelow80-handala-hackers-campaigns-and-evolution#ThreatIntel #Handala #Cybersecurity #Iran

https://peer.adalta.social/w/eXRWkRHob85gVBZmZWeMtK [](https://adalta.info/articles/prstn_security_116421234802670946_de) [️](https://www.redpacketsecurity.com/safepay-ransomware-victim-abfall-kreis-kassel-de/")Strategische Analyse eines kritischen Infrastruktur-Zwischenfalls#security #war #ransomware #threatintel #osint

Nothing like a Friday afternoon malware hunt to remind you why you don't trust random GitHub repos.Even the "cybersecurity" ones. Especially those.

️ Heads up #infosec communityFound a malicious GitHub repo posing as a curated list of cybersecurity Telegram channels.Every link in the README (download, "official website", "Twitter") points to the same ZIP payload. Classic trojanized repo targeting security folks. https://github.com/simplefastfunnels254/tg-cybersecVT 0/91 on the URL for now, likely evasion. Reported to GitHub (Active Malware/DSA).#CyberSecurity #ThreatIntel #OSINT #Malware #GitHub

Cisco fixes Webex and ISE flaws up to CVSS 9.9, patch identity infra fast. 🟡 ZionSiphon highlights OT sabotage risk for water operators. 🟢 NIST will leave more CVEs unenriched, so review vuln triage workflows. #CyberSecurity #InfoSec #VulnMgmt #ThreatIntel solomonneas.dev/intel

Automation claims data breach on France's Domino's Pizza. on pwnforums.st #DataBreach #France #ThreatIntel