In March, the US DOJ unsealed an indictment against 12 Chinese nationals for involvement in global espionage operations, including 8 i-Soon employees. Operations were related to and some attacks attributed to Earth Lusca, also known as FishMonger and Aquatic Panda, amongst other aliases. Learn more: US DOJ Release: https://lnkd.in/g_BCKahx Threat Profile: https://lnkd.in/eRE77fPB
Pulsedive Threat Intelligence
Computer and Network Security
New Jersey, NJ 5,560 followers
Frictionless threat intelligence solutions for growing teams.
About us
Frictionless threat intelligence solutions for growing teams. Pulsedive Community's intuitive search and risk scoring paired with enriched, contextual data keeps busy teams prioritized – eliminating wasteful false-positive investigations. With quick-start use and the ability to integrate with internal systems, teams can flexibly leverage Pulsedive’s one-stop-shop platform and data.
What you can do with Pulsedive for free:
- Fetch data from IOCs without storing in Pulsedive
- Search by malware name, web technology, HTTP header, meta tag, SSL issuer, WHOIS value, and (much) more
- Browse feeds and threat activity
...and much more.
Plus, integrate our data seamlessly with Pulsedive's API and Feed products. Try us out at pulsedive.com
- Website: https://pulsedive.com
- Industry: Computer and Network Security
- Company size: 2-10 employees
- Headquarters: New Jersey, NJ
- Type: Privately Held
- Founded: 2017
- Specialties: cyber threat intelligence, information security, and cybersecurity
Products
Pulsedive Community
Threat Intelligence Platforms
Pulsedive delivers quality threat intelligence to security teams worldwide. Search and investigate millions of IPs, domains, URLs, and threats for free.
What can Pulsedive do? Bring together known community threat intelligence into one place and vet that data to reduce noise and help make determinations. Correlate observed IOCs not only by ASN or country, but by more complex characteristics like HTTP headers and PTR records. Organize threat data and link threats to several names or aliases. ...And much more!
"If you need threat intelligence, consider using Pulsedive regularly as a one-stop-shop ... for sharing, enrichment, and analysis." Anthony A, CTI Lead
Locations
- Primary: New Jersey, NJ, US
Updates
-
Rilide intrusion chain observed during analysis by Pulsedive threat research. Full blog and details here: https://lnkd.in/efwkSxip NEW: we updated the TTP section to include TIDs.
-
Related Threats: Hellcat (https://lnkd.in/d2xBDRrq) & Morpheus (https://lnkd.in/dTe5DNj9)
- Recent growth in activity for both RaaS brands which emerged in 2024
- Identical payloads suggest shared codebase
- Hellcat is highly visible/vocal, with a focus on big game targets and government
- Morpheus has smaller public visibility
- Credit to original research and reporting by Bridewell & SentinelOne Threat Research teams, full analysis here: https://lnkd.in/dk__zdju, https://lnkd.in/dsVnAwYx
-
New analysis of Rilide by Pulsedive Threat Research out now: https://lnkd.in/efwkSxip First reported in April 2023, Rilide is an information stealer masquerading as a browser extension and targets Chromium-based browsers. This analysis covers the three known mechanisms for delivery (including PPT, Twitter, Google Ads lures) as well as the complete intrusion chain. Bonus: PCAP, SSLKeys, IOCs, TTPs, and more all available.
-
Technical Writers, come work with us: https://lnkd.in/eAbWDmGm
-
The SOC Report from Cisco Live APJC in Melbourne is now out with a review on business risk areas, architecture, operations, and interesting findings: https://lnkd.in/dgyHKDdw With our API integration, we were proud to provide Pulsedive's community threat data as a 3rd party enrichment source to support the SOCs' investigations and analysis.
-
Threat Update: Medusa Ransomware
At a Glance:
- New joint advisory published yesterday from Cybersecurity and Infrastructure Security Agency: https://lnkd.in/gFHKeUEC
- Active since 2021 and continuing to scale
- Evolved into a Ransomware-as-a-Service operation with double and triple-extortion
- Targeting critical infrastructure organizations
- Known to run phishing campaigns to steal credentials and exploit unpatched software bugs
Pulsedive page: https://lnkd.in/e7F6gptF
-
Community Share: "Black Basta Chat Leak - Organization & Infrastructure" by Oleg L. / Cybercrime Diaries (https://lnkd.in/ejzjmaa9). In February, a goldmine of ~200K Black Basta chat logs was leaked online by an individual with the alias "ExploitWhispers". Since then, threat researchers and the security community have been poring through the content, investigating and analyzing targets, techniques, and operations. This blog examines exposed details of Black Basta, including its leadership hierarchies, business model, and technical infrastructure. Pulsedive Black Basta Threat Page: https://lnkd.in/ewuf6FTX
-
New Threat Page: PolarEdge (https://lnkd.in/eCAbFEVN)
- Botnet targeting edge devices from Cisco, QNAP, Synology, and ASUS
- Active since at least Q4 2023
- Estimated to have compromised 2K+ unique IP addresses all over the world
- Original reporting and analysis by Sekoia.io: https://lnkd.in/g4Wfi2Vt
Related IOCs: https://lnkd.in/eGiknPQs
-
Pulsedive Threat Intelligence reposted this
Simone Kraus has been producing lots of analysis and content about the Black Basta chat leak, and tying that into threat-informed defense plans. Her Medium is here: https://lnkd.in/eF2cq8aw The latest post today included a SWOT analysis examining the operations and psychology of the group - leading to a goldmine of (very) actionable intelligence. It was super refreshing to see this framework, which I most commonly utilized not for threat groups, but business strategy. I took a stab at summarizing it to bring this insight to more eyeballs. All the nitty gritty details here: https://lnkd.in/eH5adyQr