Year: 2025

A large phishing campaign against Telegram was detected.

The threat actors created thousand of websites mimicking Telegram.

At the time of writing, thousand of users are impacted.

The impact could lead to data theft such as PII, Financial lost and further.

Most of the phishing domains are hosted under CLOUDFLARENET.

CLOUDFLARE is offering free features such as fastest DNS resolver, Delivery Network (CDN), Free SSL certificate

which makes the service the best choice for threat actors to compromise the user, the user must enter his/her PII as a newly register user. Once done, the data will be sent to the malicious server and stored.

The certificates used on the domains are either from Google Trust Services WE1 or CLOUDFLARE, INC. Cloudflare TLS Issuing ECC CA 1, with the availability time set between 2025–03–20–2025–06–18 which means that the phishing domains might stay longer than expected .

Taking a precaution such as taking down the domains will be the best approach to protect the users.

Some of the Phishing domains:

elegeqwt[.]kim

telegmvev[.]lat

telegtrwe[.]kim

telegcmzb[.]hair

telegzmcb[.]lat

telegzcmz[.]hair

telegqtre[.]monster

telegzmbc[.]icu

telegbzmc[.]lat

telegmexv[.]icu

telegwrte[.]monster

telegwret[.]monster

telegbzmc[.]lat

telegmexv[.]icu

telegwrte[.]monster

telegwret[.]monster

telegrrm[.]fans

telegwrqt[.]monster

telegqtre[.]ren

telegjhgk[.]cam

telegrwtq[.]ren

Recommendations:

The domains should be taken down.

Blocked the domains if visible within your environment.

In case a user clicked on any domain, reset the user’s password.

For those who use Telegram, activate 2FA on Telegram.

Set up a password policy

In case a user entered financial information such Bank account number (Contact your bank and change the information ASAP)

Scan the host to ensure that no malicious payload was downloaded.

Main News

Malicious ConnectWise Control application downloaded in the wild

Bangaly Koita 1 month ago

ConnectWise ScreenConnect is a self-hosted remote desktop software application. The tool is used by thousand of people, Companies, businesses around the world.

As a well-known tool, abusing it, could help the threat actor to compromised many systems and organization by gaining unauthorized access to the computer or environment.

The malicious application is called ConnectWise Control 23.2.9.8466. Quite similar to the naming convention used by ConnectWise ScreenConnect application.

The malicious tool is available from the website krscreenconnect[.]com.

At the time of writing, the tool been downloaded by many users and organizations.

The domain name is quite new:

The domain is newly created:

Dates 50 days old

Created on 2025–01–26

Expires on 2026–01–26

Updated on 2025–01–26

Hosted on dedicated server with the IP address 192.159.99.10.

The application is available to download after connecting to the website via the link: hxxps://krscreenconnect[.]com/bin/support.client.exe?i&e=Support&y=Guest&r.

To fully investigate the application, we used couple of tools such as app any run, Virus total, urlscan, Domaintools, Censys.

First of all, we wanted to have the hash of the executable file “support.client.exe” or see what is behind the URL. To achieve that, we used: Search — urlscan.io

we got the following details:

A second technic we used was to run the URL via VirusTotal to get the Hash:

We got the same hash as we got from URLSCAN:

As you may know, Censys ( Censys Search will end on March 31, 2025) is one of the best tool to get more details about an IP address. Using Censys, we got:

192.159.99.10 — Host Summary — Censys

The unique IP 192.159.99.10 link to the domain in question:

On the port HTTP 443, a romote access ConnectWise Control 23.2.9.8466 is available.

We decided to run the executable file through app any run to be able to analyse it in the sandbox: https://app.any.run/browses/78c73b3d-b38e-48cd-813e-9d4b1883cb0c

After running the executable file, we found out that the file is digitally signed by ConnectWise LLC since 2023. Which look strange but possible.

While analysing the executable file, we found one interesintg indicator

The file name : C:\Users\jmorgan\Source\cwcontrol\Misc\Bootstrapper\Release\ClickOnceRunner.pdb

following the ImportsHash: 7631a79a9071099fa4803e1c4c5df207

We found out that the Hash of the file is quite famous through Google search:

By checking the information from: MalwareBazaar | SHA256 d4b396874b63841713f83aecb7b3bf6e19b068f246c950cbdbb08bdafb394763 (ConnectWise)

We found very interesting details

The information found is the confirmation that the executable file is digitally signed by Connectwise, LLC.

To finalize our investigation, we checked the payload after execution

If you are already familiar with malware analysis, you may notice some suspicious functions used such as :

LoadLibraryA

GetCurrentProcess

TerminateProcess

CreateFileW

GetProcAddress

HeapAlloc

WriteFile

ExitProcess

HeapReAllo

The functions are usually used for code injection to hide the executable file from the EDR or Anti-Virus engine.

We can already limit here our investigation and come to the conclusion that the file is a malware and you should not run it.

The usage of the digitally signed certificate from is out of scope (if you want to know ask them ahhh).

We found many others malicious executable files using the signed certificate from the company: MalwareBazaar | Browse malware samples.

Which means that you should always check any application signed by this organization.

If you already notice such activity within your organization, the following measure should be taken as fast as possible:

Change the user password.

Re-image the host impacted.

Perform the full analyze on the host to detect any C2 or Persistency or privilege escalation method used.

Block the URL or domain.

Block the IOCs Hash.

Main News

Tesla website impersonated by threat actors

Bangaly Koita 1 month ago

We have detected several websites impersonating Tesla’s company. The activity could lead to data leak, lost of revenues, lost of clients.

The threats actors created several websites as they are from Tesla. The websites are are offering Logistics for World's Multinational Companies.

At the time of writing, many companies of third parties might be felt into this malicious activity.

We have provided full investigation of the websites created, you can enjoy with the full details below.

The threats actors created some domains with the keyword “elonmusk”, “tesla” to trick the users as the website is coming from Telsa.

elonmuskdelivery[.]com

Dates 17 days old

Created on 2025–02–17

Expires on 2026–02–17

Updated on 2025–02–26

2. tesladeliveryservice[.]online

Dates 7 days old

Created on 2025–02–27

Expires on 2026–02–27

Updated on 2025–02–28

3. TeslaDeliveryCorp[.]icu

Dates 5 days old

Created on 2025–03–01

Expires on 2026–03–01

Updated on 2025–03–01

The domains are on CLOUDFLARE.COM.

4. TesLadt[.]com

55 days old

Created on 2025–01–11

Expires on 2026–01–11

Updated on 2025–01–11

The domains are newly created and do not belong to Tesla Organization.

The websites contains the Tesla logo used to trick the users to trust the websites which could be considered as Trademarks issue.

Tesla has his own website for delivery services which can be found at https://www.tesla.com/support/taking-delivery.

At the end, we may conclude tat the websites are not trusted and they should be taken over.

Main News

Google Meet typosquat by threat actors

Bangaly Koita 2 months ago

Google Meet is an application used by million of people around the globe. The application is used by Companies, Schools, Universities, Governments, people and others.

As such a big platform, the impact of impersonation could be very devastating.

We found many domains impersonating Google Meet to trick the users to enter their credentials or to download the fake Google Meet to compromise their system.

The fake Google Meet contains the link or pop up to download the Google Meet application or Extension in the browser. By installing the fake Google Meet, the user will install a malicious payload that will be executed to compromise the system.

At the time of writing, many Companies, Schools, Universities, Governments, others are already compromised.

The impact can lead to data theft or even ransomware.

Please follow our recommendations:

Check your environment to detect the malicious domains:

google-meet-account[.]com

google-meetings[.]com

accountmeet-google[.]com

meet.gooqle-view. [.]com

meet.google[.]com

Blocked all those domains

Provide user awareness and training to the user

Bookmark the correct URL Google Meet for yours users (https://workspace.google.com/products/meet/)

In case you see such domain within your organization perform a full investigation on the host that was in touch with one of the domain by scanning the host and searching for any persistency behavior or C2 activity.

Change the user impacted credentials and re-image the host.

What is OSINT ?

Bangaly Koita 2 months ago

OSINT means Open-Source Intelligence. It is a set of tools that are available for everyone and everywhere.

OSINT is used in many different areas such as:

Cyber Threat Intelligence
Human Intelligence
Political Intelligence
Journalist Intelligence
And others.

OSINT allows to collect any type of data available online and analyze it. The OSINT cycle is:

Data collection
Data Analysis
Report (Documentation and Recommendations)

The OSINT Report depends on which area you are using OSINT. For example in Cyber Threat Intelligence (Why do we need a Cyber Threat Intelligence? - osintafrica), OSINT report can be writing following one of the models CYBER KILL CHAIN or The Diamond Model of Intrusion Analysis, more details about the models can be found here Three attacks frameworks that Cyber Security members should know osintafrica.

OSINT framework tools are available and easy to find online.

Some of them are:

OSINT Framework

Tools - Start.me

My OSINT Training's Tools

Advantages of using OSINT:

OSINT has many advantages such as many applications are free and accessible online, data available anywhere but the most important for us, are the following:

Detect Threats
Vulnerabilities
Information lookup
Data breached identification

Anything that has advantages, has inconveniences as well.

OSINT does have some.

OSINT Inconveniences:

Data can be query by anyone online

PII data accessible online

Vulnerability and threats are identifiable online

Data breached data are accessible on different platform (Dark Web, Hacking forum , OSINT tools and others ..).

OSINT tools can be vectors of attack.

The privacy concerning OSINT , the privacy concerns is quite similar to GDPR regulation requirements, such as collecting only information related to your investigation, having authorization to collect the data (PII or IP) and others.

OSINT is very useful, like said before, the tools are available for anyone to use. You can start using it by looking up some information related to your self. Do not forget about Privacy related to OSINT.