Orange Cyberdefense CERT's Avatar

Orange Cyberdefense CERT

@ocd-cert.bsky.social

The CERT Orange Cyberdefense brings together experts on Cyber Threat Intelligence (CTI), Cybercrime Monitoring (MCM), Vulnerability Operation Center (VOC) and digital forensics and incident responders (CSIRT). https://www.orangecyberdefense.com/

105 Followers  |  2 Following  |  7 Posts  |  Joined: 26.11.2024  |  1.2141

Latest posts by ocd-cert.bsky.social on Bluesky

Post image

Our analysis covers updated #BURNBOOK and #MISTPEN variants, that feature slight changes in their main routines and C2 loop.
UNC2970 relied on compromised infrastructure on SharePoint and WordPress, aligning with previous findings.

20.11.2025 14:36 โ€” ๐Ÿ‘ 3    ๐Ÿ” 1    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 0
Post image

๐Ÿ”ŽOur CERT is releasing a new technical report on ๐Ÿ‡ฐ๐Ÿ‡ตOperation #DreamJob, focusing on recent evolution in its tooling.
Following an IR engagement at a large manufacturing client based in ๐Ÿ‡ช๐Ÿ‡บ, we investigated artefacts we attribute to #UNC2970.
โžก๏ธFull blog: ow.ly/V4mr50Xug1l

20.11.2025 14:36 โ€” ๐Ÿ‘ 2    ๐Ÿ” 1    ๐Ÿ’ฌ 1    ๐Ÿ“Œ 0

๐ŸŽฃ๐Ÿง€ Since early September 2025, the Orange Cyberdefense CSIRT and CyberSOC teams have detected phishing campaigns impersonating Meta, AppSheet and Paypal, leading to malware delivery. Our team tracks this activity under the alias "Metappenzeller".
#CTI #ThreatIntel #Metappenzeller #phishing

23.09.2025 09:37 โ€” ๐Ÿ‘ 0    ๐Ÿ” 1    ๐Ÿ’ฌ 1    ๐Ÿ“Œ 0

๐Ÿง€ Update on MintsLoader: a thread ๐Ÿ”ฝ
MintsLoader is a JavaScript/PowerShell loader that was first detailed by OCD in 2024.
A new version has been around at least since early-June 2025.
#threatintel #cti #mintsloader

03.07.2025 07:43 โ€” ๐Ÿ‘ 3    ๐Ÿ” 4    ๐Ÿ’ฌ 1    ๐Ÿ“Œ 0
Preview
cti/emmenhtal at main ยท cert-orangecyberdefense/cti IOCs for World Watch investigations. Contribute to cert-orangecyberdefense/cti development by creating an account on GitHub.

๐Ÿ”—IoCs and Yara available on our GitHub: github.com/cert-orangec...
๐Ÿ“ฎWorld Watch advisory released today for our clients.

17.03.2025 15:56 โ€” ๐Ÿ‘ 1    ๐Ÿ” 0    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 0
Post image

During our analysis, we noticed a surprising line, likely written by threat actors to prevent AI-powered file scanning
This is actually the first time we observed such an attempt, even though we found it to be unsuccessful with GPT-4o.

17.03.2025 15:56 โ€” ๐Ÿ‘ 1    ๐Ÿ” 0    ๐Ÿ’ฌ 1    ๐Ÿ“Œ 0

V3 features several changes including new mouse movements speed check.
Recent infection chains includes new intermediary stage (Powershell with AMSI bypass feature which loads a .NET stage) in charge of delivering #stealers.

17.03.2025 15:56 โ€” ๐Ÿ‘ 0    ๐Ÿ” 0    ๐Ÿ’ฌ 1    ๐Ÿ“Œ 0
Post image

๐Ÿ†•New version of #Emmenhtal loader actively distributed worldwide since early March, leading to #Lumma or #Rhadamanthys stealers.
Very low AV detection on VT for now.
Similarly to V2, Emmenhtal V3 masquerades as #mp3 or #mp4 files, including relaxation songs.๐Ÿง˜โ€โ™€๏ธ

17.03.2025 15:56 โ€” ๐Ÿ‘ 3    ๐Ÿ” 1    ๐Ÿ’ฌ 1    ๐Ÿ“Œ 0
Post image

๐Ÿ†•New version of our #ransomware mapping is out on our GitHub!
โžก๏ธhttps://github.com/cert-orangecyberdefense/ransomware_map/blob/main/OCD_WorldWatch_Ransomware-ecosystem-map.pdf
V28 (!) includes latest newcomers and recent ecosystem evolutions.๐Ÿ”
As always, feedback is welcome!
#cti #threatintel

05.03.2025 16:32 โ€” ๐Ÿ‘ 3    ๐Ÿ” 3    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 0
Orange Cyberdefense CERT Threat Research: The hidden network map

๐Ÿ“For more than 8 months, our threat researchers from OCD
have worked on mapping China's civil-militaryโ€“industrial complex when it comes to #cyberespionage operations.

โ›ฏ Consult our newly published deep-dive report and interactive map here:
research.cert.orangecyberdefense.com/hidden-netwo...

25.11.2024 10:59 โ€” ๐Ÿ‘ 5    ๐Ÿ” 2    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 0

@ocd-cert is following 2 prominent accounts