Group-IB Threat Intelligence has uncovered a global phishing campaign orchestrated by MuddyWater (TA450). The phishing campaign targeted international organizations and more than 100 governments worldwide to gather foreign intelligence using the Phoenix V4 malware.
Key highlights:
๐น Over 100 governments and international organizations targeted globally
๐น Use of FakeUpdate injector and Phoenix v4 malware with new persistence methods
๐น Integration of legitimate RMM tools (Action1, PDQ) and a custom Chromium credential stealer
๐น C2 infrastructure hosted behind Cloudflare and active for just five days, indicating strong OPSEC discipline
This campaign highlights how MuddyWater continues to evolve its tradecraft, blending social engineering, custom malware, and legitimate tools to gather foreign intelligence.
Read the full technical analysis here.
#ThreatIntelligence #APT #Phishing #MuddyWater #CyberSecurity #MalwareAnalysis
Key highlights:
๐น Over 100 governments and international organizations targeted globally
๐น Use of FakeUpdate injector and Phoenix v4 malware with new persistence methods
๐น Integration of legitimate RMM tools (Action1, PDQ) and a custom Chromium credential stealer
๐น C2 infrastructure hosted behind Cloudflare and active for just five days, indicating strong OPSEC discipline
This campaign highlights how MuddyWater continues to evolve its tradecraft, blending social engineering, custom malware, and legitimate tools to gather foreign intelligence.
Read the full technical analysis here.
#ThreatIntelligence #APT #Phishing #MuddyWater #CyberSecurity #MalwareAnalysis
๐ฅ6๐2โค1๐1
Investment scams are no longer isolated schemes, they have evolved into industrialized, multi-actor fraud networks operating at a global scale.
Key highlights:
๐น A shared centralized backend powers hundreds of fake trading platforms, linked through recurring API endpoints, reused SSL certificates, and identical admin panels.
๐น Chatbots act as automated operators screening victims, simulating support, and distributing payment instructions that expose valuable artifacts for attribution.
๐น Fraud groups exploit weak KYB/KYC processes using forged documents and biometric bypass services traded on Telegram to open mule accounts.
๐น Auxiliary infrastructure such as chat simulators and exposed admin panels fabricates investor activity and leaves technical footprints that analysts can pivot on.
Our report maps the Victim Manipulation Flow, details the infrastructure links, and exposes the mechanics behind the illusion.
Read the full technical report.
#InvestmentScams #Cybersecurity
Key highlights:
๐น A shared centralized backend powers hundreds of fake trading platforms, linked through recurring API endpoints, reused SSL certificates, and identical admin panels.
๐น Chatbots act as automated operators screening victims, simulating support, and distributing payment instructions that expose valuable artifacts for attribution.
๐น Fraud groups exploit weak KYB/KYC processes using forged documents and biometric bypass services traded on Telegram to open mule accounts.
๐น Auxiliary infrastructure such as chat simulators and exposed admin panels fabricates investor activity and leaves technical footprints that analysts can pivot on.
Our report maps the Victim Manipulation Flow, details the infrastructure links, and exposes the mechanics behind the illusion.
Read the full technical report.
#InvestmentScams #Cybersecurity
โค7๐3๐1
๐จ New technical deep-dive: โGhosts in / procโ ๐จ
Attackers are no longer just hiding files, they are rewriting what the OS shows. Our new research demonstrates how adversaries manipulate Linuxโs / proc filesystem to spoof process names and corrupt forensic timelines, effectively making malicious activity look benign.
Key Highlights:
๐นMalicious processes spoofing / proc/<pid>/cmdline so tools like ps and top report harmless names
๐นTimeline corruption via modified / proc/<pid>/stat start times processes can appear to start in the future
๐นWhen / proc is trusted in isolation, triage, timeline stitching, and attribution can all fail
๐นFull lab walkthrough, indicators, and practical mitigations included
๐ Read the full analysis here.
#ThreatIntel #LinuxSecurity #DFIR #CyberSecurity #IncidentResponse
Attackers are no longer just hiding files, they are rewriting what the OS shows. Our new research demonstrates how adversaries manipulate Linuxโs / proc filesystem to spoof process names and corrupt forensic timelines, effectively making malicious activity look benign.
Key Highlights:
๐นMalicious processes spoofing / proc/<pid>/cmdline so tools like ps and top report harmless names
๐นTimeline corruption via modified / proc/<pid>/stat start times processes can appear to start in the future
๐นWhen / proc is trusted in isolation, triage, timeline stitching, and attribution can all fail
๐นFull lab walkthrough, indicators, and practical mitigations included
๐ Read the full analysis here.
#ThreatIntel #LinuxSecurity #DFIR #CyberSecurity #IncidentResponse
๐5๐ฅ1๐1
๐จUncovering a Multi-Stage Phishing Kit Targeting Italyโs Infrastructure
Phishing has evolved, becoming industrialized, automated, and powered by underground ecosystems that mirror legitimate SaaS businesses.
Our latest investigation exposes a professional phishing framework impersonating Aruba S.p.A., Italyโs major IT and web services provider.
The key findings:
๐น Multi-stage kit automating every phase of the attack from CAPTCHA evasion to OTP interception
๐น Pre-filled login URLs designed to increase credibility and lower suspicion
๐น Fake payment pages harvesting full credit card and 3D Secure/OTP data
๐น Telegram bots used for real-time exfiltration and backup data logging
๐น Evidence of Phishing-as-a-Service (PhaaS) scaling fraud through automation and community support
Phishing may be one of the oldest cyber threats, but today, it operates like a fully industrialized ecosystem.
๐งฉ Read the full technical analysis here.
#ThreatIntelligence #CyberSecurity #Phishing #CyberCrime
Phishing has evolved, becoming industrialized, automated, and powered by underground ecosystems that mirror legitimate SaaS businesses.
Our latest investigation exposes a professional phishing framework impersonating Aruba S.p.A., Italyโs major IT and web services provider.
The key findings:
๐น Multi-stage kit automating every phase of the attack from CAPTCHA evasion to OTP interception
๐น Pre-filled login URLs designed to increase credibility and lower suspicion
๐น Fake payment pages harvesting full credit card and 3D Secure/OTP data
๐น Telegram bots used for real-time exfiltration and backup data logging
๐น Evidence of Phishing-as-a-Service (PhaaS) scaling fraud through automation and community support
Phishing may be one of the oldest cyber threats, but today, it operates like a fully industrialized ecosystem.
๐งฉ Read the full technical analysis here.
#ThreatIntelligence #CyberSecurity #Phishing #CyberCrime
๐7๐ฅ4๐2โค1๐1
๐จ New Threat Report Released: UNC2891 โ ATM Threats Never Die
A financially motivated threat actor infiltrated banking networks using a Raspberry Pi connected to an ATM switch, deployed custom malware like CAKETAP and SLAPSTICK, and maintained undetected access for years.
From DNS tunneling to money mule recruitment via Telegram see how modern attackers operate.
๐ Get the full breakdown of UNC2891โs TTPs, malware analysis, and incident response insights.
#CyberSecurity #ThreatIntelligence #ATMThreats #FinancialSecurity
A financially motivated threat actor infiltrated banking networks using a Raspberry Pi connected to an ATM switch, deployed custom malware like CAKETAP and SLAPSTICK, and maintained undetected access for years.
From DNS tunneling to money mule recruitment via Telegram see how modern attackers operate.
๐ Get the full breakdown of UNC2891โs TTPs, malware analysis, and incident response insights.
#CyberSecurity #ThreatIntelligence #ATMThreats #FinancialSecurity
๐ฅ12
๐จBloody Wolf Expands Across Central Asia ๐จ
Since June 2025, Group-IB analysts have been tracking a rapidly evolving campaign by Bloody Wolf, an APT group weaponizing trusted government identities to deliver lightweight but highly effective JAR-based loaders.
By impersonating Ministries of Justice and abusing legitimate remote-access software like NetSupport Manager, the group has quietly scaled its operations from Kyrgyzstan to Uzbekistan supported by geo-fenced infrastructure, tailored lures, and a custom JAR generator designed for stealth and persistence.
Key highlights:
๐น Their spear-phishing techniques and localized PDF lures
๐น How custom JAR loaders deploy NetSupport RAT
๐น Infrastructure masquerading as government portals
๐น Multi-layered persistence and evasion methods
๐น IOCs, MITRE mapping, & defensive recommendations
Bloody Wolf shows how low-cost tools & precise social engineering can evolve into regionally impactful cyber operations. Read the full analysis.
#CyberSecurity #BloodyWolf
Since June 2025, Group-IB analysts have been tracking a rapidly evolving campaign by Bloody Wolf, an APT group weaponizing trusted government identities to deliver lightweight but highly effective JAR-based loaders.
By impersonating Ministries of Justice and abusing legitimate remote-access software like NetSupport Manager, the group has quietly scaled its operations from Kyrgyzstan to Uzbekistan supported by geo-fenced infrastructure, tailored lures, and a custom JAR generator designed for stealth and persistence.
Key highlights:
๐น Their spear-phishing techniques and localized PDF lures
๐น How custom JAR loaders deploy NetSupport RAT
๐น Infrastructure masquerading as government portals
๐น Multi-layered persistence and evasion methods
๐น IOCs, MITRE mapping, & defensive recommendations
Bloody Wolf shows how low-cost tools & precise social engineering can evolve into regionally impactful cyber operations. Read the full analysis.
#CyberSecurity #BloodyWolf
โค10๐ฅ1
๐จ New launch: Fraud moves fast. Now defense does too.
Announcing the Cyber Fraud Intelligence Platform: real-time, privacy-preserving fraud intelligence sharing for banks, payment providers, e-commerce, gaming, and telecoms.
๐นShare risk signals on suspicious activity, not just confirmed fraud.
๐นStop APP fraud & mule networks before funds are lost.
๐นGDPR-compliant, Bureau Veritas verified.
๐นPersonal data never leaves your organization.
Collective problem. Collective defense.
๐ Read the press release here.
๐ Learn more.
#CFIP #Cybersecurity #GDPR #AppFraud
Announcing the Cyber Fraud Intelligence Platform: real-time, privacy-preserving fraud intelligence sharing for banks, payment providers, e-commerce, gaming, and telecoms.
๐นShare risk signals on suspicious activity, not just confirmed fraud.
๐นStop APP fraud & mule networks before funds are lost.
๐นGDPR-compliant, Bureau Veritas verified.
๐นPersonal data never leaves your organization.
Collective problem. Collective defense.
๐ Read the press release here.
๐ Learn more.
#CFIP #Cybersecurity #GDPR #AppFraud
๐ฅ9โค3๐2
Group-IBโs latest threat report exposes the full scale of GoldFactoryโs mobile fraud operation, one of the most technically advanced campaigns currently targeting APAC.
Key insights:
๐นA surge of 300+ modified banking apps, patched with injected modules to bypass security and retain full legitimate functionality
๐นOver 11,000 device infections traced through Group-IB Fraud Protection telemetry
๐นA unified ecosystem of loaders (Gigabud, Remo, MMRat) delivering secondary payloads such as SkyHook
๐นNew Gigaflower variant features experimental OCR and QR code scanning to auto-extract ID card data.
๐นInfrastructure overlaps linking open directories and shared S3 buckets hosting malicious binaries
This report reveals how GoldFactory has industrialized mobile fraud by weaponizing legitimate apps and what defenders need to know now. Read the full analysis.
#MobileBanking #CyberSecurity #APACThreats #BankingMalware #GoldFactory
Key insights:
๐นA surge of 300+ modified banking apps, patched with injected modules to bypass security and retain full legitimate functionality
๐นOver 11,000 device infections traced through Group-IB Fraud Protection telemetry
๐นA unified ecosystem of loaders (Gigabud, Remo, MMRat) delivering secondary payloads such as SkyHook
๐นNew Gigaflower variant features experimental OCR and QR code scanning to auto-extract ID card data.
๐นInfrastructure overlaps linking open directories and shared S3 buckets hosting malicious binaries
This report reveals how GoldFactory has industrialized mobile fraud by weaponizing legitimate apps and what defenders need to know now. Read the full analysis.
#MobileBanking #CyberSecurity #APACThreats #BankingMalware #GoldFactory
โค7๐ฅ5
As digital lending accelerates in Uzbekistan, cybercriminals are exploiting verification gaps, low financial awareness, and social engineering to weaponize online credit services at scale turning personal identity into a profitable attack surface.
Key Highlights:
๐น Online credit fraud cases surged 42% in 2024 compared to 2023
๐น 34% of incidents involved fraudsters posing as bank or government officials
๐น Microcredits are approved using stolen passport, FaceID, and OTP data
๐น Scammers deploy Telegram bots and SMS-stealers to bypass authentication
๐น New regulations now allow victims to be exempt from repaying fraudulent loans
Our latest analysis breaks down the evolving fraud ecosystem, the social engineering tactics behind it, and the controls financial institutions must implement to stay ahead.
Read the full report here.
#FraudIntelligence #ThreatIntel #DigitalFraud #SocialEngineering #CyberSecurity
Key Highlights:
๐น Online credit fraud cases surged 42% in 2024 compared to 2023
๐น 34% of incidents involved fraudsters posing as bank or government officials
๐น Microcredits are approved using stolen passport, FaceID, and OTP data
๐น Scammers deploy Telegram bots and SMS-stealers to bypass authentication
๐น New regulations now allow victims to be exempt from repaying fraudulent loans
Our latest analysis breaks down the evolving fraud ecosystem, the social engineering tactics behind it, and the controls financial institutions must implement to stay ahead.
Read the full report here.
#FraudIntelligence #ThreatIntel #DigitalFraud #SocialEngineering #CyberSecurity
๐6โค3๐ฅ3
Group-IBโs Red Team has identified two previously unknown zero-day vulnerabilities in widely used enterprise platforms: Cisco UCCX and IBM Sterling.
Following responsible disclosure, both vendors validated the findings and released security updates to protect their customers.
This discovery highlights the strength of Group-IBโs approach to rigorous, dependable, and attributable analysis. By leveraging deep empirical threat intelligence to replicate highly advanced attacks, our teams reveal critical risks that many other security assessments overlook.
Full technical details are available in our press release.
#CyberSecurity #ZeroDay #VulnerabilityAssessment #ThreatIntelligence #EnterpriseSecurity #SecurityUpdates #FightAgainstCybercrime
Following responsible disclosure, both vendors validated the findings and released security updates to protect their customers.
This discovery highlights the strength of Group-IBโs approach to rigorous, dependable, and attributable analysis. By leveraging deep empirical threat intelligence to replicate highly advanced attacks, our teams reveal critical risks that many other security assessments overlook.
Full technical details are available in our press release.
#CyberSecurity #ZeroDay #VulnerabilityAssessment #ThreatIntelligence #EnterpriseSecurity #SecurityUpdates #FightAgainstCybercrime
โค14๐1
๐จAndroid-based financial fraud in Uzbekistan has entered a new stage of operational maturity, with threat actors shifting from simple SMS stealers to sophisticated, multi-stage infection chains built around stealthy droppers, advanced obfuscation, and automated infrastructure.
Key Highlights:
๐นOver $2M stolen by a single tracked group since January 2025
๐นTwo primary dropper families, MidnightDat and RoundRift, were identified using native decryption and encrypted asset storage.
๐นWonderland, a new SMS stealer with bidirectional WebSocket Cโ, enables real-time command execution, SMS sending, and USSD control.
๐นTelegram remains the central distribution channel, fueled by stolen sessions sold on dark web markets.
๐นThousands of unique samples generated through automated build pipelines to evade signature-based detection
๐ Read the full analysis here.
#ThreatIntelligence #AndroidMalware
Key Highlights:
๐นOver $2M stolen by a single tracked group since January 2025
๐นTwo primary dropper families, MidnightDat and RoundRift, were identified using native decryption and encrypted asset storage.
๐นWonderland, a new SMS stealer with bidirectional WebSocket Cโ, enables real-time command execution, SMS sending, and USSD control.
๐นTelegram remains the central distribution channel, fueled by stolen sessions sold on dark web markets.
๐นThousands of unique samples generated through automated build pipelines to evade signature-based detection
๐ Read the full analysis here.
#ThreatIntelligence #AndroidMalware
๐11๐ฅ4
๐ธ โEasy money. Simple tasks. Work from your phone.โ
Our latest analysis exposes a coordinated wave of fake online job ads sweeping across the Middle-East and Africa region. These aren't isolated scams, they are a large-scale, organized operation exploiting the demand for remote work to steal personal data and funds.
Key insights from our investigation:
๐น Over 1,500 fraudulent job ads identified in 2025, impersonating trusted e-commerce platforms, banks, and even government ministries.
๐น Ads are highly localized, using Arabic dialects and regional currencies to appear authentic.
๐น Victims are funneled from social media into private Telegram and WhatsApp groups, where sensitive information and upfront โdepositsโ are collected.
๐นThe scam infrastructure includes fake registration portals, cloned branding, and repeat behavioral patterns among attackers.
Read More.
#CyberSecurity #OnlineScams #MENA #Phishing #DigitalRisk #FraudPrevention #ThreatIntelligence
Our latest analysis exposes a coordinated wave of fake online job ads sweeping across the Middle-East and Africa region. These aren't isolated scams, they are a large-scale, organized operation exploiting the demand for remote work to steal personal data and funds.
Key insights from our investigation:
๐น Over 1,500 fraudulent job ads identified in 2025, impersonating trusted e-commerce platforms, banks, and even government ministries.
๐น Ads are highly localized, using Arabic dialects and regional currencies to appear authentic.
๐น Victims are funneled from social media into private Telegram and WhatsApp groups, where sensitive information and upfront โdepositsโ are collected.
๐นThe scam infrastructure includes fake registration portals, cloned branding, and repeat behavioral patterns among attackers.
Read More.
#CyberSecurity #OnlineScams #MENA #Phishing #DigitalRisk #FraudPrevention #ThreatIntelligence
๐ฅ11โค2๐2
๐จ Tap-to-pay fraud has evolved into a remote, industrialized threat. Chinese cybercrime groups are now selling NFC relay malware on Telegram, enabling real-time payment fraud from anywhere in the world.
Our latest research breaks down the full ecosystem from malware vendors and illicit POS terminals to mule networks and provides technical analysis of key families like TX-NFC and NFU.
Learn how this threat works and how to defend against it. ๐ Read the full report.
#CyberSecurity #MalwareAnalysis #NFCFraud #AndroidSecurity #FraudPrevention #ThreatIntelligence #FightAgainstCybercrime
Our latest research breaks down the full ecosystem from malware vendors and illicit POS terminals to mule networks and provides technical analysis of key families like TX-NFC and NFU.
Learn how this threat works and how to defend against it. ๐ Read the full report.
#CyberSecurity #MalwareAnalysis #NFCFraud #AndroidSecurity #FraudPrevention #ThreatIntelligence #FightAgainstCybercrime
โค6๐3๐ฅ2
Most organizations are stuck in survival mode. Real resilience is achieved when we move beyond reaction to planning ahead with real-world threat intelligence.
Gartner report highlights:
๐น 90% of attacks will exploit known vulnerabilities by 2028
๐น Most can be prevented with strategic Threat Intelligence
๐น Threat intelligence reduces MTTD & MTTR and strengthens overall readiness.
Download the report.
#ThreatIntelligence #CyberSecurity #IncidentResponse #CyberAwareness #GartnerReport
Gartner report highlights:
๐น 90% of attacks will exploit known vulnerabilities by 2028
๐น Most can be prevented with strategic Threat Intelligence
๐น Threat intelligence reduces MTTD & MTTR and strengthens overall readiness.
Download the report.
#ThreatIntelligence #CyberSecurity #IncidentResponse #CyberAwareness #GartnerReport
โค5
๐จ Group-IB has uncovered a sophisticated new threat rewriting the ransomware playbook. DeadLock leverages Polygon smart contracts to rotate proxy addresses, a stealthy, under-reported technique that bypasses traditional defenses by abusing decentralized infrastructure.
Key Highlights:
๐น Decentralized Proxy Management: Uses Polygon smart contracts to dynamically retrieve and rotate proxy server addresses, complicating takedowns.
๐น Service Disruption: Employs a custom PowerShell script to stop all non-whitelisted Windows services, sparing only native processes & its own RMM tool, AnyDesk.
๐น Evolving Extortion: Ransom notes have matured from simple encryption alerts to explicit threats of selling stolen data, even offering "security reports" and promises not to re-target victims.
๐นInfrastructure Tracking: We traced proxy servers and smart contract transactions, revealing dedicated infrastructure & recent reactivation of operations.
Read the full technical analysis.
#ThreatIntelligence #DeadLockRansomware
Key Highlights:
๐น Decentralized Proxy Management: Uses Polygon smart contracts to dynamically retrieve and rotate proxy server addresses, complicating takedowns.
๐น Service Disruption: Employs a custom PowerShell script to stop all non-whitelisted Windows services, sparing only native processes & its own RMM tool, AnyDesk.
๐น Evolving Extortion: Ransom notes have matured from simple encryption alerts to explicit threats of selling stolen data, even offering "security reports" and promises not to re-target victims.
๐นInfrastructure Tracking: We traced proxy servers and smart contract transactions, revealing dedicated infrastructure & recent reactivation of operations.
Read the full technical analysis.
#ThreatIntelligence #DeadLockRansomware
๐4
๐จPeruvian Peaks: The Illusion of Digital Loans
Phishing scams based on fake digital loan offers are growing at an alarming rate in Peru and across Latin America. In this new technical blog, we present an inโdepth investigation into a fraudulent campaign that combines social media advertising, bank impersonation, and advanced credentialโharvesting techniques.
Since 2024, GroupโIB has identified approximately 370 fraudulent domains and dozens of malicious socialโmedia advertisements, all designed to mimic legitimate loan application processes in order to capture sensitive financial data, including card numbers, PINs, and online banking credentials, for sale on underground markets or use in further attacks.
๐ Discover how this scheme operates, why it is so effective, and what risks it poses to the regional financial ecosystem. Read the full technical analysis here.
#DigitalLoans #PhishingScams #CyberSecurity #FraudPrevention #LATAM #OnlineScams
Phishing scams based on fake digital loan offers are growing at an alarming rate in Peru and across Latin America. In this new technical blog, we present an inโdepth investigation into a fraudulent campaign that combines social media advertising, bank impersonation, and advanced credentialโharvesting techniques.
Since 2024, GroupโIB has identified approximately 370 fraudulent domains and dozens of malicious socialโmedia advertisements, all designed to mimic legitimate loan application processes in order to capture sensitive financial data, including card numbers, PINs, and online banking credentials, for sale on underground markets or use in further attacks.
๐ Discover how this scheme operates, why it is so effective, and what risks it poses to the regional financial ecosystem. Read the full technical analysis here.
#DigitalLoans #PhishingScams #CyberSecurity #FraudPrevention #LATAM #OnlineScams
๐ฅ8๐4
๐จGroup-IBโs first Weaponized AI report reveals how cybercriminals are operationalizing artificial intelligence to drive a fifth wave of cybercrime.
Skills that once required human expertise, such as persuasion, impersonation, and malware development, are now being turned into on-demand services, available at scale and speed. From the abuse of publicly available LLMs to the rise of proprietary Dark LLMs traded on the dark web, AI crimeware is rapidly being commercialized across the underground economy.
Key insights from the report:
โ Mentions of AI on dark web forums surged 371% between 2019 and 2025, signalling rapid adoption by threat actors.
โ AI-powered phishing tools are selling for as little as $30 per month.
โ A growing deepfake-as-a-service market, with synthetic identity kits from US$5 and activity up 52% YoY in 2025.
โ Criminal-grade LLMs sold for $30โ$200 per month, with customer bases exceeding 1,000 users.
๐ Download the full report.
#AI #DarkWeb #Deepfake
Skills that once required human expertise, such as persuasion, impersonation, and malware development, are now being turned into on-demand services, available at scale and speed. From the abuse of publicly available LLMs to the rise of proprietary Dark LLMs traded on the dark web, AI crimeware is rapidly being commercialized across the underground economy.
Key insights from the report:
โ Mentions of AI on dark web forums surged 371% between 2019 and 2025, signalling rapid adoption by threat actors.
โ AI-powered phishing tools are selling for as little as $30 per month.
โ A growing deepfake-as-a-service market, with synthetic identity kits from US$5 and activity up 52% YoY in 2025.
โ Criminal-grade LLMs sold for $30โ$200 per month, with customer bases exceeding 1,000 users.
๐ Download the full report.
#AI #DarkWeb #Deepfake
๐ฅ9
๐ Group-IB announces the launch of Cloud Security Posture Management (CSPM) as part of our Unified Risk Platform. Designed to help organizations reduce risks associated with cloud transformation, it ensures business continuity by identifying misconfigurations, eliminating compliance gaps, and enhancing cloud security from initial development through to deployment.
What makes Group-IB CSPM different:
๐น See the configurations that matter most: By enriching posture findings with real-world exposure data from Group-IB Attack Surface Management and industry-leading Group-IB Threat Intelligence, your team sees cloud risks as attackers would.
๐น Combined with built-in CI/CD misconfiguration checks and a unified Group-IB ecosystem, it goes beyond traditional CSPM to give you deep visibility that closes active cloud risks.
Read the full press release to learn how Group-IB is redefining cloud security posture management.
#CloudSecurity #CSPM #CyberSecurity
What makes Group-IB CSPM different:
๐น See the configurations that matter most: By enriching posture findings with real-world exposure data from Group-IB Attack Surface Management and industry-leading Group-IB Threat Intelligence, your team sees cloud risks as attackers would.
๐น Combined with built-in CI/CD misconfiguration checks and a unified Group-IB ecosystem, it goes beyond traditional CSPM to give you deep visibility that closes active cloud risks.
Read the full press release to learn how Group-IB is redefining cloud security posture management.
#CloudSecurity #CSPM #CyberSecurity
๐5โค3๐ฅ1
โจWe are proud to continue our participation in the Hong Kong Cyber Security Action Task Force, following its extension by the Hong Kong Police Force for another 2 years. This ongoing collaboration reflects the trust placed in Group-IBโs predictive, adversary-focused threat and fraud intelligence, helping authorities and organizations anticipate and disrupt cyber threats before impact.
During the Inauguration Ceremony, Anastasia Tikhonova, Global Threat Research Lead at Group-IB, received the CSATF certificate from Commissioner of Police CHOW Yat-ming in recognition of Group-IBโs contribution to the Cyber Security Action Task Force and its support of law-enforcement efforts in Hong Kong.
At the same event, Vesta Matveeva, Head of Strategic Cybercrime Investigations at Group-IB, was awarded Silver at the Cyber Security Professional Awards 2025 (CSPA), a recognition of investigative excellence and real-world impact.
๐ Read the full press release.
#LawEnforcement #ThreatIntelligence #CyberCrime #CSPA2025
During the Inauguration Ceremony, Anastasia Tikhonova, Global Threat Research Lead at Group-IB, received the CSATF certificate from Commissioner of Police CHOW Yat-ming in recognition of Group-IBโs contribution to the Cyber Security Action Task Force and its support of law-enforcement efforts in Hong Kong.
At the same event, Vesta Matveeva, Head of Strategic Cybercrime Investigations at Group-IB, was awarded Silver at the Cyber Security Professional Awards 2025 (CSPA), a recognition of investigative excellence and real-world impact.
๐ Read the full press release.
#LawEnforcement #ThreatIntelligence #CyberCrime #CSPA2025
๐ฅ8โค3
๐จShadowSyndicate isnโt a single campaign or threat actor, itโs a malicious activity cluster formed by numerous servers sharing the same SSH fingerprints. That infrastructure is used for hosting of various attack frameworks and is involved in multiple, mostly ransomware, cyber operations.
Our latest research breaks down how reuse of SSH fingerprints performed with OPSEC inaccuracies reveals links between seemingly unrelated activities. Discovered server clusters have the same use as known ones: various C2 frameworks running on servers, connections to multiple cyber campaigns attributed to different threat actors. All of that points to ShadowSyndicateโs likely role as either an Initial Access Broker or a Bulletproof Hosting provider.
For threat intelligence teams, these patterns matter. Infrastructure reuse creates opportunities for earlier detection, stronger correlation, and more effective disruption across the cybercrime supply chain. Read the full technical analysis here.
#CyberSecurity #ShadowSyndicate
Our latest research breaks down how reuse of SSH fingerprints performed with OPSEC inaccuracies reveals links between seemingly unrelated activities. Discovered server clusters have the same use as known ones: various C2 frameworks running on servers, connections to multiple cyber campaigns attributed to different threat actors. All of that points to ShadowSyndicateโs likely role as either an Initial Access Broker or a Bulletproof Hosting provider.
For threat intelligence teams, these patterns matter. Infrastructure reuse creates opportunities for earlier detection, stronger correlation, and more effective disruption across the cybercrime supply chain. Read the full technical analysis here.
#CyberSecurity #ShadowSyndicate
๐ฅ7โค1