AlienVault OTX Threat Intelligence

Displaying page 10 of available threat intelligence pulses.

Total pulses: 7,648

Brand impersonation, online ads, and malicious merchants help purchase scam network prey on victims TLP:white
AlienVault
A network of 71 purchase scam websites has been identified, linked to 12 shared merchant accounts used for fraudulent transactions. The scams employ brand impersonation, online ads, and malicious merchants to target victims. The network, operational since February 2025, uses typosquatting and brand logo abuse to impersonate legitimate retailers. Transactions with the identified merchant accounts are likely fraudulent and facilitate card compromise. Attribution remains unclear: the network may be controlled by a single actor or by multiple actors collaborating through dark web services. Mitigation strategies for card issuers and merchant acquirers are provided to reduce the financial fraud and compliance risks associated with these scams.
Tags: dark web services online ads typosquatting transaction laundering purchase scam +1 more
Indicators: domain 68, hostname 3
Created: May 20, 2025 9:16 PM Updated: May 20, 2025 9:27 PM
New Nitrogen Ransomware Targets Financial Firms in the US, UK and Canada TLP:white
AlienVault
Nitrogen, a new ransomware strain identified in September 2024, has become a significant threat to organizations worldwide, particularly in the financial sector. It encrypts critical data and demands substantial payments for decryption, targeting industries such as finance, construction, manufacturing, and technology in the United States, Canada, and the United Kingdom. The ransomware's attack chain begins with malvertising campaigns on search engines, tricking users into downloading trojanized installers. It uses tools like Cobalt Strike and Meterpreter shells to establish persistence and move laterally within networks. Notable victims include SRP Federal Credit Union, Red Barrels, Control Panels USA, and Kilgore Industries. Nitrogen employs sophisticated tactics, including system reconnaissance, advanced evasion techniques, and exploitation of vulnerable drivers to disable security tools.
Tags: data exfiltration malvertising ransomware cobalt strike nitrogen +2 more
Indicators: FileHash-MD5 1, FileHash-SHA1 1, FileHash-SHA256 2
Created: May 20, 2025 7:27 PM Updated: May 20, 2025 7:29 PM
Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang TLP:white
AlienVault
Sarcoma Ransomware, first detected in October 2024, has rapidly become a major cybersecurity threat, targeting high-value companies across industries. It uses advanced tactics like zero-day exploits and RMM tools for network discovery and credential theft. The group has impacted organizations in various countries, with the USA, Italy, and Canada being the most affected. Sarcoma employs sophisticated encryption techniques, combining RSA and ChaCha20, and has versions for both Windows and Linux systems. The malware includes network propagation capabilities and anti-recovery measures for hypervisor systems. Notably, it avoids infecting systems with Uzbek keyboard layouts, suggesting possible origins or affiliations. The group's activities highlight the need for improved cybersecurity measures in organizations worldwide.
Tags: linux hypervisor sarcoma ransomware rsa encryption +3 more
Indicators: FileHash-MD5 2, FileHash-SHA1 2, FileHash-SHA256 2
Created: May 20, 2025 7:18 PM Updated: May 20, 2025 7:21 PM
SAP Zero – Frostbite: How Russian RaaS Actor Qilin Exploited CVE-2025-31324 Weeks Before its Public Disclosure TLP:white
AlienVault
CVE-2025-31324 hit the security world like a tsunami – an easily exploitable SAP vulnerability affecting enterprise environments across the globe. But while most assumed its exploitation began post-disclosure, new evidence suggests otherwise. During an incident response led by OP Innovate for a major global enterprise, we uncovered proof that this vulnerability was actively exploited nearly three weeks before it was made public. While recent articles point the finger towards China-Linked APTs, we identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin, a notorious Russian-speaking Ransomware-as-a-Service group.
Tags: SAP NetWeaver, Cobalt Strike, Qilin Ransomware, Ransomware-as-a-Service (RaaS)
Indicators: FileHash-MD5 2, FileHash-SHA1 1, FileHash-SHA256 1, IPv4 3, domain 1
Created: May 20, 2025 6:01 PM Updated: May 20, 2025 6:02 PM
AZORult - C2 IP/Domain Tracker TLP:white
AlienVault
Command and Control URLs for AZORult. The URLs are taken from azorult-tracker.net/ and filtered for false positives.
Indicators: URL 179
Created: Jan 22, 2020 11:33 AM Updated: May 20, 2025 12:05 PM