
World Watch OCD

@ocdworldwatch.bsky.social

World Watch CTI team from Orange Cyberdefense https://www.orangecyberdefense.com/global/offering/managed-services/threat-and-risk-management/world-watch

46 Followers  |  89 Following  |  15 Posts  |  Joined: 25.11.2024  |  1.9761

Latest posts by ocdworldwatch.bsky.social on Bluesky

🔗 Related IoCs can be found on GitHub:
github.com/cert-orangec...

23.09.2025 09:37 — 👍 0  🔁 0  💬 0  📌 0
This is a scheme describing the infection chain.
1. Email received.
2. Download a ZIP file from an actor-controlled website.
3. User clicks on an executable that sideloads a malicious DLL.
4. The malicious DLL unpacks an archive contained in the ZIP file, opens a Word document, and executes a Python script or a BAT file to fetch the final payload.


☣ The main lure deploys a full Python environment and runs a Python script responsible for fetching the next stage from a remote C2. Then it opens a decoy file in Word. The C2s are now inactive but have been tied to the Pure malware family.

23.09.2025 09:37 — 👍 0  🔁 0  💬 1  📌 0

✉ The campaigns are initiated from the legitimate noreply[@]appsheet.com address and deliver various payloads, with lures targeting corporate sales, marketing, and legal teams. We advise hunting for emails from this sender.

23.09.2025 09:37 — 👍 0  🔁 0  💬 1  📌 0
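The post above recommends hunting for mail from the legitimate AppSheet notification sender. The script below is an added example, not part of the World Watch thread: it scans constructed mail-gateway log lines for messages from noreply@appsheet.com (the sender named in the post) and flags those whose links lead away from the sending platform, with archive downloads called out separately, since the described chain goes from a legitimate sender to a ZIP on an actor-controlled site. The log format, the list of domains a genuine notification is expected to link to, and every domain in the sample lines are assumptions.

```python
"""
Hunt for notification-platform abuse in mail-gateway logs.

Added example (not from the World Watch post). The one-line-per-message log
format and the EXPECTED_LINK_DOMAINS list are assumptions; the sample log
lines are constructed and use reserved .example/.invalid domains.
"""
import re
from urllib.parse import urlparse

SENDER = "noreply@appsheet.com"          # sender named in the post
# Domains a genuine AppSheet notification would normally link to (assumption).
EXPECTED_LINK_DOMAINS = ("appsheet.com", "google.com")
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")

# Assumed log format:  <ts> from=<addr> to=<addr> subject="..." urls=u1,u2
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)> '
    r'subject="(?P<subject>[^"]*)" urls=(?P<urls>\S*)$'
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["urls"] = [u for u in rec["urls"].split(",") if u]
    return rec


def _in_expected(host):
    """True when host is one of the expected domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in EXPECTED_LINK_DOMAINS)


def triage(line):
    """Triage one log line.

    Returns None when the line is malformed or not from the watched sender;
    otherwise a record whose 'findings' lists every link that leaves the
    platform, tagged as a plain external link or an archive download.
    """
    rec = parse_line(line)
    if rec is None or rec["from"].lower() != SENDER:
        return None
    findings = []
    for url in rec["urls"]:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if _in_expected(host):
            continue
        reason = "external link"
        if parsed.path.lower().endswith(ARCHIVE_SUFFIXES):
            reason = "external archive download"
        findings.append((url, reason))
    return {"ts": rec["ts"], "to": rec["to"], "subject": rec["subject"],
            "findings": findings}


def hunt(lines):
    """Return only the records from the watched sender that carry findings."""
    return [r for r in map(triage, lines) if r is not None and r["findings"]]


# Constructed sample log: one benign notification, two suspicious ones,
# one message from an unrelated sender, and one malformed line.
SAMPLE_LOG = [
    '2025-09-23T09:37:00Z from=<noreply@appsheet.com> to=<sales@corp.example> '
    'subject="New app: Q3 pipeline" urls=https://www.appsheet.com/start/EXAMPLE-ID',
    '2025-09-23T09:38:00Z from=<noreply@appsheet.com> to=<legal@corp.example> '
    'subject="Invoice overdue" urls=https://example-invoice-portal.invalid/docs/invoice.zip',
    '2025-09-23T09:39:00Z from=<noreply@appsheet.com> to=<marketing@corp.example> '
    'subject="Account review required" urls=https://login-review.example/verify',
    '2025-09-23T09:40:00Z from=<billing@partner.example> to=<sales@corp.example> '
    'subject="Statement" urls=https://partner.example/statement.zip',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["ts"], hit["to"], repr(hit["subject"]))
        for url, reason in hit["findings"]:
            print("   ", reason, "->", url)
```

Only two of the five sample lines are reported: the invoice-themed message with the external ZIP and the account-review message with an external link. The genuine-looking notification pointing at the platform itself is left alone, as is the message from a different sender, so the hunt stays focused on the pattern the post describes rather than on the sender's whole mail volume.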
Preview: MalwareHunterTeam on X: "invoice.bat": ebc3a6999612cc73ab2162c2e461018967748245cd150798c268c5821f8af10b Another case when the file is FUD on VT for the vendors, but there are @thor_scanner comments... 🤷‍♂️ bestsaleshoppingday[.]com 166.0.184[.]127 162.218.115[.]218 https://t.co/SeTWXQetyG

✨ AppSheet is a Google platform that enables no-code development of mobile, tablet, and web applications. Knowbe4, RavenMail, and MalwareHunterTeam have also previously mentioned such campaigns.
x.com/i/web/status...
ravenmail.io/blog/appshee...
blog.knowbe4.com/impersonatin...

23.09.2025 09:37 — 👍 0  🔁 0  💬 1  📌 0

🎣🧀 Since early September 2025, the Orange Cyberdefense CSIRT and CyberSOC teams have detected phishing campaigns impersonating Meta, AppSheet and PayPal, leading to malware delivery. Our team tracks this activity under the alias "Metappenzeller".
#CTI #ThreatIntel #Metappenzeller #phishing

23.09.2025 09:37 — 👍 0  🔁 1  💬 1  📌 0

The new version has removed these notable behaviours and is seen in campaigns with fake invoice lures. New indicators of compromise (IoCs) are available on our GitHub: github.com/cert-orangec...

03.07.2025 07:43 — 👍 1  🔁 2  💬 0  📌 0

🤖 These detection opportunities were presented at Botconf 2025: www.botconf.eu/wp-content/u...

03.07.2025 07:43 — 👍 1  🔁 2  💬 1  📌 0
Preview: Andrew Melville : Morison, William : Free Download, Borrow, and Streaming : Internet Archive

⛪🔎 Historically, new MintsLoader JS samples were easy to find because the obfuscation strings consistently used text from a book, Andrew Melville by William Morison.
The associated infrastructure could be tracked thanks to specific patterns and campaign IDs in the C2 URLs: archive.org/details/cu31...

03.07.2025 07:43 — 👍 1  🔁 2  💬 1  📌 0

🧀 Update on MintsLoader: a thread 🔽
MintsLoader is a JavaScript/PowerShell loader that was first detailed by OCD in 2024.
A new version has been around at least since early June 2025.
#threatintel #cti #mintsloader

03.07.2025 07:43 — 👍 3  🔁 4  💬 1  📌 0

Written in C++, #NailaoLocker is relatively unsophisticated and poorly designed. The ransomware uses the “.locked” extension. It is loaded through DLL search-order hijacking.

20.02.2025 08:16 — 👍 0  🔁 0  💬 0  📌 0

➡️ The full article on the Green Nailao cluster is available here: orangecyberdefense.com/global/blog/...
➡️ IoCs and YARA rules can be found on our GitHub: github.com/cert-orangec...

20.02.2025 08:16 — 👍 0  🔁 0  💬 1  📌 0

🆕 We publish today the result of a deep-dive investigation into a malicious campaign leveraging #ShadowPad and #PlugX to distribute a previously undocumented ransomware, dubbed #NailaoLocker.
This campaign targeted 🇪🇺 organizations during S2 2024 and is tied to a Chinese TA 🇨🇳.

20.02.2025 08:16 — 👍 1  🔁 0  💬 1  📌 0

We provide a #YARA rule to hunt for Edam Dropper, as well as related #IoCs and technical details, available on GitHub.
🤝 The infection chain was also analyzed by @strikereadylabs.com last week, and could be tied to the 🇷🇺 #Sandworm APT (low confidence).

strikeready.com/blog/ru-apt-...

05.12.2024 10:55 — 👍 2  🔁 1  💬 0  📌 1
Preview: GitHub - cert-orangecyberdefense/edam: Edam dropper. Contribute to cert-orangecyberdefense/edam development by creating an account on GitHub.

While monitoring recent #Emmenhtal iterations, we observed a distinct politically aligned cluster 🇪🇺, strongly differing from the usual financially motivated Emmenhtal distribs.
This cluster drops another malware we dubbed #Edam Dropper 🧀
github.com/cert-orangec...

Targets: European #energy sector 🔋

05.12.2024 10:55 — 👍 2  🔁 0  💬 1  📌 0
Preview: Orange Cyberdefense CERT Threat Research: The hidden network map

πŸ“For more than 8 months, our threat researchers from OCD
have worked on mapping China's civil-military–industrial complex when it comes to #cyberespionage operations.

β›― Consult our newly published deep-dive report and interactive map here:
research.cert.orangecyberdefense.com/hidden-netwo...

25.11.2024 10:59 β€” πŸ‘ 5    πŸ” 2    πŸ’¬ 0    πŸ“Œ 0
