Email Sender:
reply-ff2913777d64-449_HTML-1463564-534018293-0[@]s12[.]y[.]mc[.]salesforce[.]com
Link Embedded in 'View the role' button in the Email body:
cl[.]s12[.]exct[.]net (13.110.204.9 - Salesforce ASN)
Regular_expression('User defined','.*bank.*',true,false,false,false,false,false,'List matches')
Regular_expression('User defined','.*, US.*',true,false,false,false,false,false,'List matches')
Find_/_Replace({'option':'Regex','string':'</a>'},'',true,false,true,false)
Find_/_Replace({'option':'Regex','string':'^.*>'},'',true,false,true,false)
Dubai Police Domains
- Phishing campaign targeting Facebook accounts, as well as Threads and WhatsApp
- Emails sent using a recruitment platform called recruitee.com
- Landing pages are hosted with Cloudflare and target Facebook login credentials
- The websites are built with Socket.io
- application[@]realitylabshiring.recruitee.com
Rules
WHAT'S REALLY GOING ON?
- We completed a security audit of your network, conducted a thorough investigation, downloaded all confidential, private, proprietary, legal, financial, compromising information of you, your customers and employees, including databases and all documents of value to you and your customers to show insecurity of your infrastructure.
- Encrypted your data with a very strong AES+RSA algorithm, making it impossible to view or use by anyone but us.
- Deleted all backups.
- We have compiled a security report and are waiting for your payment for our services to recover and protect your sensitive information from exposure.
- How can I get my organization back to normal operations and avoid long-term losses due to sensitive data leakage and loss of access to encrypted files forever?
ossec-win32 used by Storm-0501: https://www.ossec.net/about/
OSQuery used by Storm-0501: https://www.osquery.io/
GitGuardian used by Scattered Spider*: https://www.gitguardian.com/
MAGNET RAM Capture used by Scattered Spider*
- New SMS phishing campaign targeting the UK posing as parking penalty charges
- It has borrowed assets from UK.GOV sites to look legit
- It uses qrco[.]de shortening links
- It redirects to stockx[.]com if you are not the intended target
- The sites are protected by Cloudflare and registered through NameSilo
- It gets the target to enter their number plate then presents the "fine" and then asks for payment data (for fraud)
- Quite a few UK councils have warned about it:
Twitter Accounts
- https://twitter.com/ReVolution44Tm
- https://twitter.com/barbbyofficial
- https://twitter.com/Team_insane_pk1
- https://twitter.com/anonymusweare
- https://twitter.com/PalCyberNews
- https://twitter.com/AnonAnonymous
Telegram Channels
- https://t.me/s/CyberAv3ngers
- 7 May 2023: https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/
- 9 May 2023: https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/
- 10 May 2023: https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
- 10 May 2023: https://cyble.com/blog/unraveling-akira-ransomware/
- 19 May 2023: https://securitynews.sonicwall.com/xmlpost/akira-ransomware-double-extortion-scheme-encrypts-and-publicly-leaks-sensitive-data/
- 26 May 2023: https://labs.k7computing.com/index.php/akira-ransomware-unleashing-chaos-using-conti-leaks/
- 28 June 2023: https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/
- 29 June 2023: https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/#how_to
- 11 July 2023: https://twitter.com/TrendMicroRSRCH/status/1678811395448504325
- 21 July 2023: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2023-2113
Statement on MGM Resorts International: Setting the record straight
9/14/2023, 7:46:49 PM
We have made multiple attempts to reach out to MGM Resorts International, "MGM". As reported, MGM shut down computers inside their network as a response to us. We intend to set the record straight.
No ransomware was deployed prior to the initial take down of their infrastructure by their internal teams.
MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn't be cracked from their domain controller hash dumps, resulting in their Okta being completely locked out. Meanwhile we continued having super administrator privileges to their Okta, along with Global Administrator privileges to their Azure tenant. They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan.
On Sunday night, MGM implement