This Threat Analysis report is part of the “Purple Team Series” in which the LevelBlue Global Security Operations Center (GSOC) provides a technical overview of some of the methods that threat actors are using to compromise their victims.
LevelBlue’s Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.
Amid escalating tensions between the US and Iran, Iranian cyber threats are facing increased attention and scrutiny. The Pulsedive research team recently analyzed a series of loader scripts added to Malware Bazaar by Security Researcher @JAMESWT_WT. These scripts caught our attention because they were associated with malware intrusions, in which Telegram was used for Command and Control (C2) - a tactic recently outlined in an FBI FLASH Report. Released on March 20, 2026, the FLASH Report outlined how threat actors aligned with Iran’s Ministry of Intelligence and Security (MOIS) leveraged Telegram as command-and-control infrastructure in cyber operations, using Telegram bots to exfiltrate data from user devices. In this blog, we dive into numerous loader scripts identified as being used in intrusions that leveraged Telegram as the C2. We provide an analysis of the scripts, mitigation recommendations, and a list of observed indicators of compromise.
The FBI FLASH report highlights that the intrusions began with social engineering, in which threat actors attempted to convince victims to install malware on their devices. The actors targeted victims via social media applications, posing as technical support or famous personas. The goal of the social engineering campaign was to convince the victim to execute malware on their device. The FBI notes that the malware masquerades as well-known applications.
Moreover, reports note that the malware used PowerShell to execute malware and modified registry keys to establish persistence. Malware observed in this campaign was capable of recording screen and audio activity, collecting information from the cache, and creating compressed file archives. These archive files were then exfiltrated using Telegram.
The first sample we will analyze is a simple PowerShell script, available on Malware Bazaar. The script is a one-liner that executes base64 encoded content with the PowerShell window hidden.
SHA256 | 4b8297daccf9745b585916ab4466629c645749350563eb9b697326e11f2ae420 |
SHA1 | aa26beaa960db344fec87df4f26414242d3c3d44 |
MD5 | 586d283e7a8979168c2270831ed8bff6 |
ssdeep | 48:EkTsIgYQdt4PvpMf4hZCU8vHfIDz8eZpwui:EasVYoKJMf47vyHwflZ65 |
File Size | 1643 bytes |
File Type | Powershell Script |
File Name | ps.ps1 |
The decoded base64 content indicates that the script is attempting to download additional files and execute them. This script attempts to download two additional files and execute them. At the time of analysis, both files were unavailable.
The script attempts to download files from Vultr Object Storage. The files are downloaded to the temp directory and then executed. The contents of the zip archive are extracted to the path C:\ProgramData\ssh-cache-default\, and the executable RuntimeSSH.exe is executed.
File Name | URL |
ok.txt.txt | hxxps[://]ppt1[.]sgp1[.]vultrobjects[.]com/ok[.]txt |
a76e0a8c25744429c.zip | hxxps[://]ppt1[.]sgp1[.]vultrobjects[.]com/RuntimeSSH_17[.]zip |
The second sample is almost identical to the first script. The similarity between the scripts is confirmed by the ssdeep value, which only differs by two characters. The only difference is that it specifies "C:\Windows\System32\cmd.exe" before the PowerShell command.
SHA256 | 153b0855f09b16ebdfdaf6e520e616751b3324b852193f97cb1c9b0958c7a93b |
SHA1 | 86dbec44e2ead21242acd6126ec4e829b75e8499 |
MD5 | 39411f31ccad546ef3eeaa24a813b66b |
ssdeep | 48:qkTsIgYQdt4PvpMf4hZCU8vHfIDz8eZpwui:qasVYoKJMf47vyHwflZ65 |
File Size | 1675 bytes |
File Type | Powershell Script |
File Name | cmd.ps1 |
The ssdeep hashes of script 1 and script 2 confirm that the files are almost identical. The hashes only differ by two characters.
Also available on Malware Bazaar is a VBS script that is significantly larger than the PowerShell scripts discussed thus far. The script is a one-liner that executes base64 encoded content with the PowerShell window hidden.
SHA256 | c379c5d6d5a8cf20ef120327a3c8dd2331f60216d0a11b85d1fbdb2aae147646 |
SHA1 | c1b012acc1f39b52f9ae230af5bfdefd97820b1c |
MD5 | 2e22ceb75e5bb1e03c74e222867b33d9 |
ssdeep | 768:s7mxa96MH7rOokUORcpFoa4bOYOd7O36nHzZljXRnSr9nMMzyBQbU5ovOr4kqUXc:q1bNkSoa4mjnHVlTRSrjb/XlnB3 |
File Size | 183,897 bytes |
File Type | VBS |
File Name | لیست شماره های افراد نیازمند شماره های افراد نیازمند خیلی خدمات شماره های شماره های افراد نیازمند افراد نیازمند به توانبخشی.vbs |
The file consists of 63791 lines. The bulk of these lines are blank and contain no characters. Once the empty lines of code are removed, we are left with 11 lines of code.
Of those 11 lines, there are two large blobs of text that serve no function. These are the first and last lines of the file. The code executed consists of a string, an array of numbers, a for loop, string-manipulation operations, and a function that executes the manipulated string.
The first line of the For loop iterates over the array of numbers. The first step is to extract a character from the i-th position of the string in the af789f342e5024051 variable. The next line gets a number from the i-th minus 1 position in the array. From there, the script decodes a character by subtracting the value from step 1 from the value obtained in step 2, then converting the result to a character. This value is then added to an array, which is executed at the end of the loop.
The decoded content reveals that the script attempts to query the disk size. If the disk size exceeds 50 GB, it attempts to execute the PowerShell commands outlined in Scripts 1 and 2.
The Malware Bazaar collection contains another PowerShell that is similarly inflated at 183,069 bytes. This file contains the same content as the VBS script, as confirmed by the ssdeep values of the files.
MD5 Hash | File Type | ssdeep |
2e22ceb75e5bb1e03c74e222867b33d9 | VBS | 768:s7mxa96MH7rOokUORcpFoa4bOYOd7O36nHzZljXRnSr9nMMzyBQbU5ovOr4kqUXc:q1bNkSoa4mjnHVlTRSrjb/XlnB3 |
4cb321c61ba994666546f37c300dae53 | ps1 | 768:s7mxa96MH7rOokUORcpFoa4bOYOd7O36nHcZljXRnSr9nMMzyBQbU5ovOr4kqUXc:q1bNkSoa4mjnHolTRSrjb/XlnB3 |
While not the zip archive observed in the scripts we analyzed in our blog, Malware Bazaar contains the payload mentioned in the FBI report. This is a zip archive containing several .pyd files and smqdservice.exe. Sandbox results of the sample are available on Any.Run.
SHA256 | cbe9e32393529cd79e19a639a1d2da93fba06082be2bdb0c04241f269f98c773 |
SHA1 | ba3874ca96f9bca1daff22ef49ea7505d52b40d4 |
MD5 | 94779909cc510194900c3cc17d1194c8 |
ssdeep | 393216:izZShZzyv9YAppTWme9vKeUS2JjW4c4btED9Gn3Ff5+E:iIfGvnpMx9vnUS2JlG0Bf |
File Size | 23,178,389 bytes |
File Type | Zip archive |
The executable attempts to evade detection by adding exclusions within Microsoft Defender. This is done using PowerShell to exclude the path %ALLUSERSPROFILE%\SMQDServicePackages\ and C:\Users\Power\Downloads\Telegram Desktop
Once the exclusions are in place, the malware executes the smqdservice.exe binary, which loads various Python modules, including python311.dll, which was present in the zip archive.
The following Telegram bot details were extracted from the binary.
Connecting to the URL specified in the get info parameter provides details about the Telegram bot, including its username, ID, and enabled permissions.
The loaders analyzed in the blog are very basic. Their singular goal is to download additional content that is hosted on Vultr Object Storage. The PowerShell scripts contain base64-encoded content that, once decoded, reveals that the loader attempts to download a zip archive. The zip archive contains a file called RuntimeSSH.exe, which was identified in the FBI FLASH report. The report outlines that this file is used to exfiltrate sensitive information from the compromised device. Telegram is frequently used as C2 infrastructure, as it blends in with legitimate traffic and is relatively easy to create Telegram bots. Moreover, Telegram has served as an online marketplace for cybercrime actors where groups actively advertise malware, exfiltrated data, and services. This makes Telegram a popular tool, allowing threat actors to expand their capabilities without burning through in-house-developed tools. Iranian-affiliated groups like Handela Hack have been active on Telegram, where posts detail their operations.
Methods to mitigate the risks posed by malware include:
The table below lists network IOCs that have been identified and added to the Pulsedive platform.
IOCs |
hxxps[://]ppt1[.]sgp1[.]vultrobjects[.]com/ok[.]txt |
hxxps[://]ppt1[.]sgp1[.]vultrobjects[.]com/RuntimeSSH_17[.]zip |
The TTPs table uses Tactics and Techniques available in MITRE ATT&CK v19. One of the biggest changes in this version of the framework is that the Defense Evasion tactic has been separated into Stealth (TA0005) and Defense Impairment (TA0112).
Tactic | Technique |
Stealth | Deobfuscate/Decode Files or Information (T1140) |
Obfuscated Files or Information: Encrypted/Encoded (T1027.013) | |
Masquerading: Match Legitimate Resource Name or Location (T1036.005) | |
Execution | User Execution: Malicious File (T1204.002) |
Command and Scripting Interpreter: PowerShell (T1059.001) | |
Command and Scripting Interpreter: Windows Command Shell (T1059.003) | |
Command and Scripting Interpreter: Visual Basic (1059.005) | |
Exfiltration | Exfiltration Over C2 Channel (T1041) |
https://www.ic3.gov/CSA/2026/260320.pdf
An FTC report says that Americans last year lost $2.1 billion in social media scams, such as shopping and investment schemes. Social media site have become the place where most of these scams start, and more than half of that money was stolen in scams began on Facebook, WhatsApp, and Instagram.
The post U.S. Consumers Lost $2.1 Billion in Social Media Scams in 2025, FTC Says appeared first on Security Boulevard.
Cybersecurity financial risk is rising in commodity markets as breaches, data loss and espionage threaten operations and investor trust.
The post The Overlap of Cybersecurity and Financial Risk: Protecting Sensitive Data in Commodity Markets appeared first on Security Boulevard.
A new report from the U.S.-China Economic and Security Review Commission reveals that while China is aggressively prosecuting fraud targeting its own citizens, it continues to turn a blind eye to industrial-scale scam centers victimizing Americans. This selective enforcement has incentivized Chinese criminal syndicates to pivot toward U.S. targets, resulting in over $10 billion in losses in 2024 through "pig-butchering" and crypto investment schemes. As attackers integrate AI to scale these operations and exploit cryptocurrency for money laundering, experts warn that organizations must treat social engineering as a structural infrastructure threat rather than a simple training issue, as diplomatic solutions remain unlikely in the current geopolitical climate
The post China Has its Sights Set on Scammers, Just Not Those Targeting Americans appeared first on Security Boulevard.
Modern cyberattacks no longer follow predictable patterns or slow timelines. They unfold at machine speed, often moving from initial access to data exfiltration in minutes. In this environment, security teams face a paradox: they are surrounded by vast amounts of data yet struggle to extract clarity from it quickly enough to prevent damage.
This is where Cyble Blaze AI introduces a different operational model, centered on cyber threat intelligence, security analytics, and large-scale threat intelligence automation designed to convert raw signals into immediate defensive action. Instead of treating security as a sequence of alerts and manual investigations, Cyble Blaze AI redefines it as a continuous intelligence system that observes, reasons, and responds in real time.
Enterprises today generate security telemetry across endpoints, cloud workloads, identity systems, SaaS platforms, and external intelligence feeds. On top of that, threat actors continuously operate in hidden ecosystems such as dark web forums and encrypted communication channels. The issue is not a lack of data; it is fragmentation. Security teams often deal with disconnected signals that fail to form a coherent picture of risk.
Cyble Blaze AI addresses this by applying ai security analytics to unify structured enterprise data with unstructured external intelligence. Instead of treating each alert as an isolated event, it interprets them as part of a broader behavioral system. This shift is essential for modern cyber threat intelligence, where context matters as much as detection.
At the core of Cyble Blaze AI is an architecture designed from the ground up for threat intelligence automation, not retrofitted with it. This distinction matters because it allows intelligence, analysis, and action to operate within a single system rather than across disconnected tools.
The platform is built on a dual-memory design:
This layer functions as a continuously evolving knowledge graph. It maps:
By structuring intelligence this way, Cyble Blaze AI can track how threats evolve rather than reacting to individual alerts.
This layer processes unstructured data such as analyst notes, reports, chat logs, and security documentation. Using semantic understanding, it identifies meaning rather than relying on keywords alone.
Together, these layers enable cross-domain reasoning, a core requirement for modern cyber threat intelligence platforms that rely on AI security analytics to connect disparate signals into actionable insights.
Cyble Blaze AI replaces traditional manual workflows with an automated intelligence lifecycle built on threat intelligence automation principles:
This end-to-end threat intelligence automation pipeline reduces the gap between detection and response.
Cyble Blaze AI operates through coordinated autonomous agents, each handling specific security domains:
These agents do not work in isolation. They continuously share intelligence, enabling synchronized responses.
In optimized scenarios, full incident handling, from detection to containment, can be completed in under two minutes, a major reduction compared to traditional workflows.
This capability highlights how AI security analytics can compress response timelines when paired with effective threat intelligence automation.
Beyond real-time response, Cyble Blaze AI extends into predictive analysis. By processing global datasets and behavioral signals, it identifies emerging threats before they fully materialize.
The system analyzes:
Based on these inputs, it can forecast potential attack campaigns up to six months in advance. This shifts cyber threat intelligence from reactive monitoring to anticipatory defense, where organizations can prepare for threats long before execution.
One of the defining strengths of Cyble Blaze AI is its ability to unify internal enterprise telemetry with external threat ecosystems. This includes dark web monitoring sources, phishing infrastructures, and underground communication channels.
By applying AI security analytics, the platform correlates these external signals with internal system behavior, building a complete view of organizational risk.
This 360° visibility ensures that compromised credentials, for example, detected on underground forums can immediately be traced across enterprise environments to identify potential exploitation.
Cyble Blaze AI operates at large enterprise scale with integration support for more than 70 security and IT tools, including SIEM, SOAR, EDR/XDR, cloud platforms, and collaboration systems.
Its intelligence foundation is supported by over 350 billion threat data points, enabling deep contextual analysis across global threat landscapes.
This scale is essential for effective threat intelligence automation, where the quality of decisions depends on the breadth and depth of underlying data.
The platform’s design supports different security roles:
This alignment ensures that cyber threat intelligence is not confined to security teams but becomes actionable across the organization.
Cyble brings cyber threat intelligence, AI security analytics, and threat intelligence automation together through Cyble Blaze AI to turn massive volumes of security data into coordinated, real-time defense actions. Instead of overwhelming teams with alerts, it focuses on context, prediction, and autonomous response—reducing the time between detection and mitigation to near real time.
With this approach, Cyble shifts security operations from reactive monitoring to proactive and automated defense, where threats are identified earlier and neutralized faster across enterprise environments.
To explore how Cyble can help modernize security operations with AI-native intelligence, organizations can connect with Cyble and schedule a demo to see Cyble Blaze AI in action.
The post How Cyble Blaze AI Turns Billions of Threat Signals into Actionable Intelligence appeared first on Cyble.
Agentic AI’s impact on ransomware—it’s execution, its success and even who gets to play, is being widely felt. And we’re just getting started.
The post Ransomware Victims up 389%, TTE in Less Than Two Days: How Can Defenders Stay Ahead? appeared first on Security Boulevard.
The post Vimeo Data Exposed in Anodot Supply Chain Attack appeared first on Daily CyberSecurity.
The conversation around ANZ ransomware threats has shifted noticeably over the past year. What once looked like sporadic, high-profile incidents has evolved into a sustained and structured campaign against organizations across Australia and New Zealand. Signals emerging from underground forums and marketplaces reveal a sobering reality: ransomware is no longer just a technical problem; it is an economic strategy driven by efficiency, specialization, and scale.
At the center of this shift is ransomware dark web intelligence, which paints a clear picture of attacker intent. Threat actors are not simply increasing volume; they are refining their focus. The ANZ region, with its high-value economy and deeply digitized infrastructure, has become a preferred hunting ground.
Australia’s economic profile plays directly into the hands of ransomware operators. A strong GDP, combined with a relatively small population, creates a high-return environment. Attackers don’t need to cast a wide net; each successful breach can yield significant payouts.
By mid-2025, 71 ransomware incidents had been publicly claimed in Australia, compared to nine in New Zealand. On the surface, those figures may seem moderate. However, when adjusted for population, the rate of ransomware attacks in Australia and New Zealand stands out globally. Even larger economies have not experienced the same intensity relative to their size.
This imbalance reflects a fundamental principle driving ANZ organizations cybersecurity risks: attackers prioritize value over volume. In practical terms, fewer victims can still mean higher profits.
Unlike regions where one ransomware group dominates headlines, the dark web ANZ cyber threats ecosystem is notably fragmented. Multiple groups, including Qilin, Akira, INC, Lynx, and Dragonforce, operate concurrently, each claiming a similar share of attacks.
This decentralization complicates defense strategies. Organizations are not facing a predictable adversary with a consistent playbook. Instead, they must prepare for a rotating cast of threat actors, each bringing different techniques, timelines, and negotiation tactics.
From a ransomware dark web intelligence perspective, this fragmentation signals a competitive market. Threat actors are actively testing sectors, probing defenses, and adapting quickly based on what works.
The distribution of ANZ ransomware threats is far from uniform. Certain sectors continue to absorb the majority of attacks due to the nature of their operations.
Healthcare and professional services sit at the top of the list. In healthcare, the urgency of patient care creates a near-zero tolerance for downtime, increasing the likelihood of ransom payments. Professional services firms, on the other hand, hold large volumes of sensitive client data, making them lucrative targets.
However, the scope is broader than these two sectors alone. Aviation software providers, pharmaceutical companies, engineering firms, and even steel manufacturers have all been affected. This pattern reinforces a key insight: ransomware attacks in Australia and New Zealand are opportunistic but calculated, targeting environments where disruption carries tangible consequences.
Several incidents in 2025 highlight how attackers are evolving their methods.
The Akira group compromised an Australian industrial technology provider, exfiltrating approximately 10GB of sensitive data, including financial records and employee identification documents. This case highlights the growing overlap between ransomware and critical infrastructure risk.
In another breach, a political organization suffered exposure to communications, identity records, and financial data, highlighting that ANZ organizations' cybersecurity risks extend beyond the private sector.
Meanwhile, Dragonforce leaked over 100GB of data from an engineering firm, including technical drawings and internal reports. The long-term implications of such intellectual property theft often exceed immediate financial damage.
These cases share a common thread: encryption is no longer the sole objective. Data exfiltration and double extortion have become standard practices.
One of the most important developments in shaping dark web ANZ cyber threats is the growth of the initial access market. In 2025 alone, 92 instances of compromised access sales were observed across Australia and New Zealand.
Retail organizations accounted for roughly 34% of these cases, followed by BFSI and professional services. The implications are significant. Attackers no longer need to breach networks themselves; they can simply purchase access.
This shift has redefined how ANZ ransomware threats materialize. The most complex phase of an attack—initial intrusion—is now outsourced, accelerating timelines and increasing overall attack volume.
It also introduces indirect risk. Organizations may be compromised through vendors, partners, or shared platforms, expanding the attack surface beyond traditional boundaries.
The emergence of affiliate-driven models, particularly groups like INC Ransom, has further amplified ransomware attacks in Australia and New Zealand. Operating under a Ransomware-as-a-Service structure, these groups separate responsibilities: affiliates handle intrusions, while core operators manage ransom negotiations.
This model enables rapid scaling. Multiple attacks can be executed simultaneously, each leveraging shared infrastructure and tooling.
INC Ransom’s activity across healthcare and professional services highlights how effective this approach has become. Their operations often involve credential compromise, privilege escalation, lateral movement, and eventual deployment of ransomware—frequently paired with data exfiltration.
From a ransomware dark web intelligence standpoint, this reflects a mature ecosystem where roles are specialized, and efficiency is maximized.
Although Australia is the primary target, the broader region is not immune. A ransomware attack on Tonga’s Ministry of Health disrupted national healthcare services, while a major breach in New Zealand’s healthcare sector involved both data theft and system encryption.
These incidents reinforce the interconnected nature of ANZ organizations' cybersecurity risks. Threat actors operate without regard for national boundaries, shifting focus wherever defenses appear weakest.
Despite the evolving ecosystem, many attack methods remain consistent. Spear-phishing campaigns, exploitation of unpatched systems, and the use of stolen credentials continue to dominate.
Once inside, attackers often rely on legitimate tools—file compression utilities, remote management software, and standard data transfer mechanisms—to blend into normal operations. This “living off the land” approach makes detection significantly more difficult.
The steady rise of ANZ ransomware threats signals a need for strategic change. Perimeter-based defenses are no longer sufficient in an environment where access can be purchased, and attacks can be outsourced.
As access is bought and attacks are outsourced, organizations must shift toward stronger identity controls, continuous monitoring, rapid patching, and tighter third-party risk management.
Cybersecurity is no longer just about prevention—it’s about resilience. Attacks are inevitable, but their impact doesn’t have to be. Cyble helps organizations stay ahead with AI-powered threat intelligence, dark web monitoring, and predictive defense through its AI-native platform, Cyble Blaze.
Stay ahead of ransomware threats—book a free demo and build a more resilient security posture.
The post ANZ Organizations Are in the Ransomware Crosshairs— What the Dark Web Is Telling Us appeared first on Cyble.
China-sponsored threat groups like Salt Typhoon and Flax Typhoon are increasingly relying on multiple massive botnets comprising edge and IoT devices to run their cyber espionage and network intrusion campaigns, CISA and other security agencies say. The use of such "covert networks" makes it more difficult to detect and mitigate their campaigns.
The post China-Backed Groups are Using Massive Botnets in Espionage, Intrusion Campaigns appeared first on Security Boulevard.
For decades, the "gray area" of undercover research was governed by internal policies. The SPLC indictment suggests that internal oversight is no longer a shield.
The post When Research Becomes a Crime: The New Risk Landscape for OSINT and Dark Web Intelligence appeared first on Security Boulevard.
Entrar