PacketWatch @packetwatch
PacketWatch utilizes packet-level network analysis and proactive human-based threat hunting to find risks that conventional cybersecurity tools may miss. packetwatch.com Scottsdale, AZ. Joined March 2018.
Tweets: 211 - Followers: 32 - Following: 26 - Likes: 14
6/16/26 packetwatch.com/resources/thre… - PacketWatch's Team Sixty43 profiles how a ClickFix attack leverages the finger protocol to deliver its first payload (CastleLoader). See the TTPs and IOCs. #clickfix #castleloader #threatprofile #threatintelligence #threathunting #cybersecurity #phishing #dfir #networksecurity #informationsecurity #teamsixty43
6/15/26 packetwatch.com/resources/thre… - This week, we briefed our clients on the new Ghost-sender Email Spoofing research from InfoGuard Labs. Be sure to test your domain for the vulnerability. #cybersecurity #threatintelligence #threathunting #informationsecurity #networksecurity #ransomware #malware #dfir
6/1/26 packetwatch.com/resources/thre… - This week, we briefed our clients on new social engineering attacks targeting law firms. The Silent Ransomware Group has been showing up in person. #cybersecurity #threatintelligence #threathunting #informationsecurity #networksecurity #ransomware #malware #dfir
PacketWatch's Team Sixty43 profiles an M365 threat traced to Device Code Phishing, complete with tactics, techniques, and procedures. packetwatch.com/resources/thre… #malware #threatprofile #threatintelligence #threathunting #cybersecurity #devicecodephishing #phishing #dfir #networksecurity #informationsecurity #teamsixty43
While hunting for anomalous RMMs in a healthcare organization, #TeamSixty43 identified #ScreenConnect traffic from an unmanaged endpoint. We immediately kicked off an investigation, as rogue RMMs are almost never a good thing and are often leveraged by various criminal actors, such as #ransomware groups. Forensic analysis of the device revealed that the user had fallen for a fake IRS-themed phishing attack. Based on Team Sixty43's analysis, this was most likely an Initial Access Broker who was quietly and slowly staging. They brought in tools such as #HideUL to hide evidence of their presence, and deleted event logs, tools, and parts of the browser's history.

Criminal operators do not need exploits, AI, or fancy tactics. They exploit the obvious gaps in security: unmanaged devices, tight IT budgets, and social engineering. And traditional controls alone are no longer sufficient.

- Firewalls do not block #RMM traffic by default.
- Network logs only capture a fraction of your network's data.
- EDRs often fail to alert on rogue RMM activity because IT teams need to use them.
- Email filters allow phishing emails from trusted vendors.

You need to control what RMMs are allowed to run in your environment and monitor the network for signs of rogue RMMs. Only proactive threat hunting using Full Packet Capture can identify the subtle signs of these risks before they reach endgame. Team Sixty43 used PacketWatch platform data to identify the suspicious ScreenConnect traffic, pinpoint the source hostname of the unmanaged device, and retroactively hunt for signs of lateral movement—all within minutes. Below are the IOCs our team collected from the incident. Your team can use these to hunt for this threat in your environment, too.

+++ IOCs +++
- store-na-phx-1.gofile[.]io (download link for ScreenConnect)
- pub-e468619e47134d1e942f5a4c5dba818b.r2[.]dev (download URL for ScreenConnect)
- superops-wininstaller-prod.s3.us-east-2.amazonaws[.]com (SuperOps download link)
- acosigin[.]cc (phishing link)
- instance-sr3d21-relay.screenconnect[.]com (ScreenConnect relay)
- relay.gnmstechome[.]top (ScreenConnect relay)
- relay.sslenfftechio[.]top (ScreenConnect relay)
+++

#threathunting #dfir #cybersecurity #informationsecurity #threatintelligence #networksecurity
5/18/26 packetwatch.com/resources/thre… - This week, we briefed our clients on the recent increase in Device Code Phishing attacks and how to protect themselves, starting with Microsoft 365. #cybersecurity #threatintelligence #threathunting #informationsecurity #networksecurity #ransomware #malware #dfir
From Andy O. on PacketWatch's #TeamSixty43: Happy Friday! I wanted to share a quick threat-hunting tip: hunt for cleartext LDAP in your networks. One of the best ways to do this is through Full Packet Capture. Using PacketWatch's FPC session data, you can run the query "ldap.authtype:simple". What this does is look for the value "simple" in LDAP authentication. In LDAP, simple authentication is, if you will, simply authenticating by sending the LDAP server your FQDN and your password... in cleartext.

You might say "wow, that's crazy, why would anyone ever do that?" That's the thing, every time I run this hunt and find cleartext LDAP credentials in simple authentication, the client's IT and security teams are never aware of it. When I pull up PacketWatch or Wireshark to show them the password of a domain admin account, they are always shocked. "We never knew this system was doing this..."

Based on Team Sixty43's research and data from the hunts we have run, these simple LDAP authentications are often caused by bad default configurations for firewall LDAP integrations to Active Directory. Many firewalls can use LDAP to do user lookups to help authenticate users via VPN. There are many issues with this alone, but there are reasons organizations choose this, which is a different subject. And, based on our findings, it is every major firewall vendor - PAN, SonicWall, Fortinet, Cisco, etc. Outside of insecure default configurations of firewalls/VPNs, we also see it when other LDAP integrations are not properly secured, like IT management systems and AD management software. And, in almost every case, they are leaking domain admin credentials or service accounts with DA.

The fix for this is enforcing LDAPS, or at minimum, SASL authentication for LDAP. The implementation varies per vendor unfortunately. This is absolutely a goldmine for threat actors. Why dump LSASS when the network has DA creds floating in it?

This is why when clients onboard at PacketWatch, we run a full security assessment to find critical issues like cleartext LDAP and fix them ASAP. If you want to see if your network is leaking credentials in cleartext LDAP, or has other hidden vulnerabilities, please hit us up at PacketWatch!! We can run a Network Security Assessment and give you full network visibility with our Rapid Response Assurance! #threathunting #cybersecurity #networksecurity #informationsecurity #dfir #passwords
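The post above describes the hunt in terms of the PacketWatch query "ldap.authtype:simple". The script below is an added example, not PacketWatch's code or platform logic: it decodes just enough of the BER-encoded LDAP BindRequest (RFC 4511) from a raw TCP payload to tell a simple bind (password sent as a cleartext OCTET STRING) from a SASL bind, and flags simple binds that carry a non-empty password. The "sessions" it runs over are constructed in the block (the bind DNs, hosts and password are invented), and the `build_bind_request` helper exists only to produce that sample traffic; with a real capture you would feed it the first client-to-server payload of each LDAP stream instead. It never logs the password itself, only its length.

```python
"""Hunt for cleartext LDAP simple binds in captured TCP payloads (added example).

An LDAPMessage is a BER SEQUENCE { messageID INTEGER, protocolOp CHOICE ... }.
A BindRequest is [APPLICATION 0] SEQUENCE { version INTEGER, name OCTET STRING,
authentication CHOICE { simple [0] OCTET STRING, sasl [3] SaslCredentials } }.
"""

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # [0], primitive: the password in cleartext
TAG_AUTH_SASL = 0xA3      # [3], constructed: SaslCredentials (implicit SEQUENCE)


def ber_encode(tag, content):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def ber_decode(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(msg_id, bind_dn, password=None, sasl_mechanism=None):
    """Build an LDAPv3 BindRequest; used here only to construct sample traffic."""
    if sasl_mechanism is not None:
        auth = ber_encode(TAG_AUTH_SASL,
                          ber_encode(TAG_OCTET_STRING, sasl_mechanism.encode()))
    else:
        auth = ber_encode(TAG_AUTH_SIMPLE, (password or "").encode())
    bind = ber_encode(TAG_BIND_REQUEST,
                      ber_encode(TAG_INTEGER, b"\x03")               # version 3
                      + ber_encode(TAG_OCTET_STRING, bind_dn.encode())
                      + auth)
    return ber_encode(TAG_SEQUENCE, ber_encode(TAG_INTEGER, bytes([msg_id])) + bind)


def classify_bind(payload):
    """Describe the bind inside one LDAP PDU, or return None if it is not a BindRequest
    (a TLS record or any other protocolOp falls through the tag checks)."""
    tag, body, _ = ber_decode(payload)
    if tag != TAG_SEQUENCE:
        return None
    _, msg_id, pos = ber_decode(body)
    op_tag, op, _ = ber_decode(body, pos)
    if op_tag != TAG_BIND_REQUEST:
        return None
    _, version, pos = ber_decode(op)
    _, name, pos = ber_decode(op, pos)
    auth_tag, auth, _ = ber_decode(op, pos)
    info = {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"),
            "bind_dn": name.decode(errors="replace")}
    if auth_tag == TAG_AUTH_SIMPLE:
        # Record only the length: enough to prove exposure without copying the secret.
        info.update(authtype="simple", secret_length=len(auth))
    elif auth_tag == TAG_AUTH_SASL:
        _, mechanism, _ = ber_decode(auth)   # first element of SaslCredentials
        info.update(authtype="sasl", mechanism=mechanism.decode(errors="replace"))
    else:
        info.update(authtype="unknown")
    return info


def hunt_cleartext_binds(sessions):
    """sessions: iterable of (src, dst, dst_port, first_client_payload).
    Returns one finding per simple bind that carries a non-empty password."""
    findings = []
    for src, dst, dport, payload in sessions:
        if dport == 636:
            continue                        # LDAPS: payload is TLS, nothing to decode
        info = classify_bind(payload)
        if info and info["authtype"] == "simple" and info["secret_length"] > 0:
            findings.append({"src": src, "dst": dst, "bind_dn": info["bind_dn"],
                             "secret_length": info["secret_length"]})
    return findings


# Constructed sample sessions (not real traffic): a firewall binding with a
# privileged service account, a member server using SASL/GSS-SPNEGO, and an
# anonymous simple bind with an empty password.
SAMPLE_SESSIONS = [
    ("10.0.0.1", "10.0.0.10", 389,
     build_bind_request(1, "CN=svc-fw-ldap,OU=Service,DC=corp,DC=example",
                        password="Hunter2!Winter")),
    ("10.0.0.25", "10.0.0.10", 389, build_bind_request(1, "", sasl_mechanism="GSS-SPNEGO")),
    ("10.0.0.30", "10.0.0.10", 389, build_bind_request(2, "", password="")),
]

if __name__ == "__main__":
    for f in hunt_cleartext_binds(SAMPLE_SESSIONS):
        print(f"CLEARTEXT simple bind {f['src']} -> {f['dst']} as {f['bind_dn']} "
              f"(password length {f['secret_length']})")
```

Only the firewall's bind is reported; the GSS-SPNEGO bind and the anonymous bind are not, which mirrors the post's fix (LDAPS, or at minimum SASL). A session that negotiated StartTLS on port 389 would present TLS records rather than a 0x30 SEQUENCE as its later payloads, so those binds are skipped rather than misreported.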
PacketWatch's Team Sixty43 profiles a threat involving EvilAI and Vibe-coded malware, complete with tactics, techniques, and procedures. packetwatch.com/resources/thre… #malware #threatprofile #threatintelligence #threathunting #cybersecurity #evilai #vibecoding #powershell #dfir #networksecurity #informationsecurity #teamsixty43
PacketWatch's #TeamSixty43 profiles a threat packetwatch.com/resources/thre… involving the toxic trio #KongTuke, #ClickFix, and #Havoc, complete with tactics, techniques, and procedures. #ransomware #malware #threatprofile #threatintelligence #threathunting #cybersecurity #informationsecurity #dfir
5/4/26 packetwatch.com/resources/thre… - This week, we briefed our clients on the second-most-active Ransomware-as-a-Service organization, The Gentleman. We describe their observed TTPs. #cybersecurity #threatintelligence #threathunting #informationsecurity #networksecurity #ransomware #malware #dfir
PacketWatch's #TeamSixty43 has detected a new #ClickFix campaign. This campaign lures victims in with a #FakeCaptcha to solve that tricks the user into running a malicious PowerShell script that installs #Vidar Stealer onto the victim's machine. Below is a list of #IOCs our team has recovered from these incidents. It is recommended to block these domains. If you are a #PacketWatch client, rest assured that our threat hunt team has run hunts to identify any sign of this campaign in your environment.

+++ IOCs +++
FakeCaptcha > Vidar
Windows Terminal > PowerShell > [random characters].exe
- pohuimne[.]lol (payload)
- noscalpelvasectomy[.]com (FakeCaptcha)
- productionmaza[.]cfd (C2)
- prokladka[.]lol (payload)
- dtc.victorramarisimobiliaria[.]com[.]br (C2)
+++

#threathunting #dfir #cybersecurity #informationsecurity #threatintelligence
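Both the rogue-ScreenConnect post and the Vidar post above end with defanged IOC lists and invite readers to hunt for them. The script below is an added example, not PacketWatch's platform or code: it refangs the published indicators, runs them over DNS query logs, and also applies the "control what RMMs are allowed" advice by flagging any ScreenConnect relay instance that is not on an allowlist. The indicators are the ones printed in the two posts; the log format (`<timestamp> <client-host> <query-name>`), the hostnames, timestamps and the single approved relay instance are constructed for the example. It goes slightly beyond the posts in two ways, both noted in the code: a query for a subdomain of an IOC is matched against its parent, and relay instances are pattern-matched rather than looked up one by one.

```python
"""Hunt DNS logs for published IOCs and for unapproved ScreenConnect relays (added example)."""
import re

# Indicators as published in the two PacketWatch posts (defanged with [.]).
IOCS = {
    "store-na-phx-1.gofile[.]io": "ScreenConnect download link",
    "pub-e468619e47134d1e942f5a4c5dba818b.r2[.]dev": "ScreenConnect download URL",
    "superops-wininstaller-prod.s3.us-east-2.amazonaws[.]com": "SuperOps download link",
    "acosigin[.]cc": "phishing link",
    "instance-sr3d21-relay.screenconnect[.]com": "ScreenConnect relay",
    "relay.gnmstechome[.]top": "ScreenConnect relay",
    "relay.sslenfftechio[.]top": "ScreenConnect relay",
    "pohuimne[.]lol": "Vidar payload",
    "noscalpelvasectomy[.]com": "FakeCaptcha",
    "productionmaza[.]cfd": "Vidar C2",
    "prokladka[.]lol": "Vidar payload",
    "dtc.victorramarisimobiliaria[.]com[.]br": "Vidar C2",
}


def refang(indicator):
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


IOC_LOOKUP = {refang(k): v for k, v in IOCS.items()}

# Hypothetical allowlist: the one ScreenConnect relay instance IT actually licenses.
APPROVED_SCREENCONNECT_RELAYS = {"instance-corpit01-relay.screenconnect.com"}
# Shape of the vendor relay hostname, generalised from the instance in the IOC list.
RELAY_PATTERN = re.compile(r"^instance-[a-z0-9]+-relay\.screenconnect\.com$")


def hunt(log_lines):
    """Return (client, query, reason) for every DNS query that hits an IOC, a subdomain of
    an IOC, or a ScreenConnect relay instance outside the allowlist."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:                 # constructed format: ts client qname
            continue
        _ts, client, qname = parts
        qname = qname.lower().rstrip(".")
        labels = qname.split(".")
        for i in range(len(labels)):        # exact match first, then each parent domain
            candidate = ".".join(labels[i:])
            if candidate in IOC_LOOKUP:
                findings.append((client, qname, "IOC: " + IOC_LOOKUP[candidate]))
                break
        else:
            if RELAY_PATTERN.match(qname) and qname not in APPROVED_SCREENCONNECT_RELAYS:
                findings.append((client, qname, "ScreenConnect relay not on allowlist"))
    return findings


def hosts_to_investigate(findings):
    """Distinct client hosts with at least one finding, sorted for triage."""
    return sorted({client for client, _q, _r in findings})


# Constructed sample log (not real data).
SAMPLE_DNS_LOG = """\
2026-05-12T14:02:11Z ws-billing-07 instance-sr3d21-relay.screenconnect.com
2026-05-12T14:02:15Z ws-billing-07 relay.gnmstechome.top
2026-05-12T14:03:40Z it-admin-01 instance-corpit01-relay.screenconnect.com
2026-05-12T14:05:02Z ws-frontdesk-02 instance-k9q2x7-relay.screenconnect.com
2026-05-12T14:06:19Z ws-billing-07 www.example.com
2026-05-12T14:07:55Z ws-hr-03 cdn.noscalpelvasectomy.com
""".splitlines()

if __name__ == "__main__":
    hits = hunt(SAMPLE_DNS_LOG)
    for client, qname, reason in hits:
        print(f"{client:16} {qname:48} {reason}")
    print("investigate:", ", ".join(hosts_to_investigate(hits)))
```

The approved instance on it-admin-01 produces nothing, while ws-frontdesk-02 is flagged even though its relay instance appears in no IOC list, which is the point of an allowlist: an RMM relay you did not license is a finding on its own.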
Threat Profile: packetwatch.com/resources/thre… PacketWatch Team Sixty43 provides extensive profile on Lynx Ransomware and its tactics, techniques, and procedures. #teamsixty43 #lynx #ransomware #threatprofile #threatintelligence #threathunting #cybersecurity #informationsecurity #dfir
4/20/26 packetwatch.com/resources/thre… - This week, we briefed our clients on Anthropic's announcement of Claude Mythos Preview and its alleged ability to discover and exploit vulnerabilities. #cybersecurity #threatintelligence #threathunting #informationsecurity #networksecurity #dfir
PacketWatch Threat Intelligence: Windows Downgrade Attack, National Public Data Leak, More: hubs.li/Q02K-9Kw0
GitHub Access Concerns, CrowdStrike Scams, and more in our latest #ThreatIntel report on July 29, 2024: hubs.li/Q02JhL050
Read our latest #ThreatIntel report: Microsoft MHTML Zero-Day, Rockyou2024, and More hubs.li/Q02GF-s50
CEO Vantage Point: Partners are More than Vendors Read now: hubs.li/Q02FJBJ20 #cybersecurity
A GrimResource Breakdown and a Vulnerability Roundup: hubs.li/Q02DZ8Nq0
"In the race to get systems back online after a #ransomware incident, organizations tend to 'jump the gun.' But remember, Eradication comes before Recovery in the SANS Incident Response (IR) Framework," says PacketWatch CEO Chuck Matthews. hubs.li/Q02D3brb0
#ThreatIntel 🔒 Stay ahead of #cybersecurity threats with our latest insights: hubs.li/Q02C6-FX0
Igor Os @igor_os777
24K Followers 23K Following Experienced #Unix and #Linux #SysAdmin with over twenty years background in Systems Analysis, Problem Resolution, Application Support, and Process #Automation.
Hud @DeltaCatt26
0 Followers 20 Following
Shane Connor @shanetconnor
211 Followers 2K Following Engineer of code & chaos ⚡💻. Writer of worlds ✍️📖. Rider of roads 🏍️🌄.
Maria @Maria9514usa
31 Followers 722 Following Business owner, single, outgoing, outdoorsy, beach lover🚫pornography
Preston Moore @prstnmr
168 Followers 837 Following I help districts + early learning programs turn behavior challenges into better outcomes. Director of Partnerships - East @ Housman Learning
Muhammad Hendro @hendro_jun
338 Followers 2K Following
Shaquib Izhar @saquib_izhar
112 Followers 2K Following \x4d\x63\x69\x27\x66\x73\x20\x67\x64\x73\x71\x77\x6f\x7a
CHA Minseok(Jacky) @mstoned7
3K Followers 5K Following CHA is my family name. Threat Intelligence Researcher at AhnLab / Keybase : mstoned7 , Signal : mstoned7.21 / Tweets are my own.
ShieldsUpAI @ShieldsUPAI
239 Followers 3K Following Pioneering Managed Security Assurance™ MSAP Provider Unrivaled CISO Expertise.™ Unparalleled Assessments. Beyond Security. Absolute Assurance.™ SOC NOC ISMS SME
Cassidy @cassidykei
696 Followers 3K Following mainly using twitter for news and acnh content 🦝🌱 views do not reflect my employer
Chaperone_350 @chaperone_350
1 Followers 54 Following
Bikash Dash @Memport
164 Followers 2K Following One should not grieve over what is past, nor worry about what is to come; the wise act in the present. Vuln Research♧Exploitation♧Fuzzing♧PenTest
Downtime Monkey @DowntimeMonkey
5K Followers 5K Following Website downtime alerts & monitoring. Email & SMS alerts if website goes down. 60 sites monitored every 3 minutes FREE https://t.co/fzEy5jrXB3 #DowntimeAlerts
0str1chS3c @ostrich_sec
25 Followers 136 Following Cyber security analyst | Threat Hunter | Cat Dad | Opinions are mine
LoginRadius @LoginRadius
11K Followers 8K Following Add enterprise-grade #Authentication, Authorization, Identity Verification, #UserManagement, and #AccountSecurity to your apps with minimal to zero code! 🚀
Bishop Fox @bishopfox
26K Followers 4K Following A leading provider of #offensivesecurity solutions & contributor to the #infosec community. #pentesting #hacking VC @forgepointcap @carrickcapital @WestCap8
Amsel Drei @amsel_drei
19 Followers 573 Following
CIO AKR @cio_akr
142 Followers 558 Following
ctrevornelson @CTrevorNelson
10K Followers 4K Following “Trevor is a Maricopa treasure” #PublicSchoolProud #NoParty #NeverTrump
Cara C @the_cara_c
699 Followers 2K Following A little of this, a little of that. Mostly elections administration & voting 🗳 Team member at Maricopa County @RecordersOffice @MaricopaVote. Personal account.
KC @kc0636
0 Followers 21 Following
Claudia Martín @CLAVDIAmartin
7K Followers 8K Following Economist, I work in IT and Data Security. Passionate about new economic theories and practices! #greenneweconomy #techdeflation
aztechcouncil @aztechcouncil
8K Followers 2K Following The Arizona Technology Council is Arizona's premier trade association for science + technology companies. Request more information: [email protected].
WGM Associates @WGMAssociates
109 Followers 453 Following We provide services in IT infrastructure, analytics, application development and information security to small and medium-sized businesses.
Randy Rose @RandyPlaysBass
242 Followers 1K Following 50% silly, 50% serious, 50% half-silly/half-serious. The Indiana Jones of Cybersecurity. My tweets are meh.
Stanley @Stanley99948476
0 Followers 726 Following
SANS.edu Internet Sto... @sans_isc
117K Followers 86 Following @[email protected] - https://t.co/8IgCGtJnZd - Global Network Security Information Sharing Community -
0str1chS3c @ostrich_sec
25 Followers 136 Following Cyber security analyst | Threat Hunter | Cat Dad | Opinions are mine
CactusCon @CactusCon
4K Followers 93 Following Arizona's hacker con. CactusCon 14: Feb 6 & 7 2026 in beautiful Mesa, AZ. https://t.co/29lnaRVQy9 + LinkedIn, Bluesky, Mastodon
Squire Patton Boggs @SPB_Global
11K Followers 4K Following 🌍 Global Law Firm providing insight at the point where Law, Business and Gov meet. Reposts are not endorsements.
CVE Announcements @CVEannounce
26K Followers 5 Following Account maintained by the CVE™ Program to update the community on CVE-related announcements. https://t.co/2P9qfFrKeu
CVE @CVEnew
58K Followers 3 Following Official account maintained by the CVE™ Program to notify the community of new CVE IDs. Posts contain abbreviated details. Full CVE Records on https://t.co/ALn4YvUtom
NSA Cyber @NSACyber
156K Followers 12 Following We protect our nation’s most sensitive systems against cyber threats. Likes, retweets, and follows ≠ endorsement.
U.S. Cyber Command @US_CYBERCOM
143K Followers 259 Following Official Twitter page of U.S. Cyber Command (Following, retweets and links do not equal endorsement)
Cybersecurity and Inf... @CISAgov
323K Followers 106 Following America's Cyber Defense Agency and National Coordinator for Critical Infrastructure Security & Resilience. Likes, reshares, follows ≠ endorsements.
CISA Cyber @CISACyber
298K Followers 73 Following Part of @CISAgov, we respond to major incidents, analyze threats, and exchange critical cybersecurity information with partners around the world.
briankrebs @briankrebs
331K Followers 2K Following Independent investigative journalist. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter. Mastodon: https://t.co/fTKNavlMwp
Help a Reporter Out @helpareporter
114K Followers 2K Following Help a Reporter Out (HARO) connects journalists with expert sources. Powered by @Featureddotcom
HKA @HKAGlobal
958 Followers 669 Following HKA is a leading global consultancy in risk mitigation, dispute resolution, expert witness and litigation support services.
MalwareTech @MalwareTechBlog
272K Followers 1 Following Not here anymore. Profiles: https://t.co/sFoOuGmYK2
Scott Helme @Scott_Helme
37K Followers 326 Following Hacker, researcher, builder of things. Founded @securityheaders/@reporturi, Pluralsight author, Microsoft MVP, award winning entrepreneur. Likes cars.
Have I Been Pwned @haveibeenpwned
176K Followers 1 Following Check if you have an email address or password that has been compromised in a data breach. Created and maintained by @troyhunt.
Troy Hunt @troyhunt
249K Followers 1K Following Creator of @haveibeenpwned. Microsoft Regional Director. Pluralsight author. Online security, technology and “The Cloud”. Australian.
Bishop Fox @bishopfox
26K Followers 4K Following A leading provider of #offensivesecurity solutions & contributor to the #infosec community. #pentesting #hacking VC @forgepointcap @carrickcapital @WestCap8
CrowdStrike @CrowdStrike
111K Followers 792 Following The first cloud-native platform that protects endpoints and cloud workloads, identity & data. #WeStopBreaches. Free trial: https://t.co/msBcUPjFKo
AZ Big Media @AZBigMedia
5K Followers 973 Following Our Publications: Az Business, AZRE, Az Business Leaders, Home & Design, Az Business Angels, Experience AZ, Ranking Arizona, Play Ball
PBJ Tech @PHXBizAndy
5K Followers 4K Following Technology, startup and entrepreneurship news coverage from @phxbizjournal. Header photo by Jerry Ferguson. Account handled by reporter Andy Blye.
ONE-Nonprofit Execs @ONEnonprofitAZ
723 Followers 507 Following ONE develops Arizona nonprofit leaders by providing education, networking and professional growth opportunities.
aztechcouncil @aztechcouncil
8K Followers 2K Following The Arizona Technology Council is Arizona's premier trade association for science + technology companies. Request more information: [email protected].