Group-IB
Открыть в Telegram
Your daily source of cybersecurity news brought to you by Group-IB, one of the global industry leaders.
Больше2 347
Подписчики
Нет данных24 часа
+87 дней
+1230 день
Загрузка данных...
Похожие каналы
Облако тегов
Входящие и исходящие упоминания
---
---
---
---
---
---
Привлечение подписчиков
июль '26
июль '26
+13
в 0 каналах
июнь '26
+2 345
в 1 каналах
Get PRO
май '260
в 0 каналах
Get PRO
апрель '26
+46
в 0 каналах
Get PRO
март '26
+82
в 0 каналах
Get PRO
февраль '26
+94
в 1 каналах
Get PRO
январь '26
+62
в 0 каналах
Get PRO
декабрь '25
+53
в 0 каналах
Get PRO
ноябрь '25
+64
в 0 каналах
Get PRO
октябрь '25
+2 159
в 0 каналах
Get PRO
сентябрь '25
+18
в 0 каналах
Get PRO
август '25
+42
в 0 каналах
Get PRO
июль '25
+56
в 0 каналах
Get PRO
июнь '25
+32
в 0 каналах
Get PRO
май '25
+43
в 0 каналах
Get PRO
апрель '25
+57
в 0 каналах
Get PRO
март '25
+46
в 1 каналах
Get PRO
февраль '25
+63
в 0 каналах
Get PRO
январь '25
+73
в 0 каналах
Get PRO
декабрь '24
+71
в 0 каналах
Get PRO
ноябрь '24
+81
в 0 каналах
Get PRO
октябрь '24
+70
в 0 каналах
Get PRO
сентябрь '24
+117
в 0 каналах
Get PRO
август '24
+75
в 0 каналах
Get PRO
июль '24
+85
в 0 каналах
Get PRO
июнь '24
+74
в 0 каналах
Get PRO
май '24
+85
в 0 каналах
Get PRO
апрель '24
+95
в 0 каналах
Get PRO
март '24
+92
в 1 каналах
Get PRO
февраль '24
+122
в 0 каналах
Get PRO
январь '24
+106
в 2 каналах
Get PRO
декабрь '23
+109
в 1 каналах
Get PRO
ноябрь '23
+87
в 0 каналах
Get PRO
октябрь '23
+89
в 0 каналах
Get PRO
сентябрь '23
+104
в 0 каналах
Get PRO
август '23
+95
в 0 каналах
Get PRO
июль '23
+149
в 0 каналах
Get PRO
июнь '23
+102
в 0 каналах
Get PRO
май '23
+102
в 0 каналах
Get PRO
апрель '23
+87
в 0 каналах
Get PRO
март '23
+32
в 0 каналах
Get PRO
февраль '23
+176
в 0 каналах
Get PRO
январь '23
+15
в 0 каналах
Get PRO
декабрь '22
+16
в 0 каналах
Get PRO
ноябрь '22
+24
в 0 каналах
Get PRO
октябрь '22
+17
в 0 каналах
Get PRO
сентябрь '22
+76
в 0 каналах
Get PRO
август '22
+29
в 0 каналах
Get PRO
июль '22
+71
в 0 каналах
Get PRO
июнь '22
+20
в 0 каналах
Get PRO
май '22
+14
в 0 каналах
Get PRO
апрель '22
+29
в 0 каналах
Get PRO
март '22
+21
в 0 каналах
Get PRO
февраль '22
+15
в 0 каналах
Get PRO
январь '22
+25
в 0 каналах
Get PRO
декабрь '21
+38
в 0 каналах
Get PRO
ноябрь '21
+13
в 0 каналах
Get PRO
октябрь '21
+25
в 0 каналах
Get PRO
сентябрь '21
+20
в 0 каналах
Get PRO
август '21
+23
в 0 каналах
Get PRO
июль '21
+20
в 0 каналах
Get PRO
июнь '21
+261
в 0 каналах
| Дата | Привлечение подписчиков | Упоминания | Каналы | |
| 07 июля | 0 | |||
| 06 июля | +2 | |||
| 05 июля | 0 | |||
| 04 июля | +2 | |||
| 03 июля | +3 | |||
| 02 июля | +2 | |||
| 01 июля | +4 |
Посты канала
🚨Smishing campaigns continue to evolve beyond convincing lures. Modern phishing operations are increasingly engineered to evade detection.
In our latest technical analysis, Group-IB researchers dissect a campaign targeting drivers in Serbia through fake traffic fine SMS notifications. The investigation links the operation to two Phishing-as-a-Service ecosystems, Darcula and Phoenix, and reveals a phishing framework built for scale, resilience, and evasion.
The report explores how attackers:
🔹Deploy disposable lookalike domains and cloned government portals
🔹Use JavaScript-based runtime decoding and client-side obfuscation to hide phishing content from automated scanners
🔹Leverage browser APIs such as requestIdleCallback and IntersectionObserver to selectively render malicious content
🔹Rotate infrastructure rapidly to stay ahead of detection and takedowns
Read the full technical analysis.
#Phishing #Smishing #CyberSecurity
| 2 | Group-IB supported INTERPOL and the Algerian National Police in dismantling SniperDz, a phishing-as-a-service (PhaaS) platform that operated for nearly a decade and enabled cybercriminals to launch phishing campaigns at scale.
Key findings:
🔹 20,000+ domains linked to the ecosystem
🔹 30+ global brands impersonated
🔹 80 phishing templates across five languages
🔹 45,000+ victim records reported by the platform in 2016 alone
Following a multi-month investigation, the operation led to the disruption of SniperDz infrastructure and the arrest of its primary developer and administrator.
The takedown of a platform operating at this scale is a major blow to the phishing ecosystem and helps better protect users of financial, telecom, entertainment, and other online services.
🔗 Read the full story.
#CyberSecurity #Phishing #ThreatIntelligence #INTERPOL | 914 |
| 3 | Our latest research examines SilabRAT, a Malware-as-a-Service platform sold on underground forums that combines credential theft, browser profile cloning, HVNC, Chrome App-Bound Encryption bypass techniques, and cryptocurrency-focused capabilities into a single offering.
Key findings:
🔹 SilabRAT has been marketed on underground forums since late 2025 for $5,000/month
🔹 Leverages HVNC for invisible interaction with victim systems; other session access options include browser profile cloning, cookie theft
🔹 Includes functionality to bypass Chrome App-Bound Encryption (ABE) and extract protected browser data
🔹 Features automated cryptocurrency wallet targeting and password recovery capabilities
🔹 Observed in real-world campaigns leveraging ClickFix social engineering techniques
As cybercriminals move beyond simple credential theft toward full session compromise, understanding emerging RAT capabilities is critical for defenders.
🔗 Read the full analysis.
#ThreatIntel #MalwareAnalysis #CyberSecurity | 764 |
| 4 | 💳 The $48 Billion Blind Spot: Why Merchants Pay for Card Breaches They Can’t See
The scale of the problem:
🔹200M+ compromised payment cards actively circulating in underground markets
🔹E-commerce fraud projected to reach $53 billion in 2025
🔹Every $1 of fraud costs merchants $4.61 once chargebacks, fees, and operational costs are factored in
Why merchants can’t access the intelligence:
1️⃣ PCI DSS prohibits storing raw card data
2️⃣ Card network notification systems (Visa CAMS, Mastercard SAFE) operate issuer-to-issuer only
3️⃣ GDPR and data protection laws block cross-border sharing of personal identifiers
The result: Merchants absorb losses from cards that were already confirmed compromised. They just had no way to know.
What’s changing: Privacy-preserving Distributed Tokenization enables real-time compromised card checks at authorization, without raw card data or PCI DSS scope expansion.
Read the full analysis.
#FraudPrevention #EcommerceSecurity #Cybersecurity | 657 |
| 5 | 🚨Group-IB researchers uncovered a sophisticated global smishing operation that has impersonated more than 267 brands across 72 countries and generated over 4,389 phishing domains since the second half of 2025.
The campaign combines SMS phishing, geofencing, device fingerprinting, fake Cloudflare error pages, and encrypted WebSocket communications to evade detection and harvest personal and payment card data in real time.
Key findings:
🔹 Telecommunications emerged as the most targeted sector with 1,754 domains, followed by financial services with 696 domains and consumer rewards programs with 488 domains.
🔹 Malicious content is revealed only to victims matching specific geographic and mobile device criteria.
🔹 Stolen data is exfiltrated through encrypted WebSocket channels using binary encoded payloads.
🔹 Approximately 30 percent of the infrastructure is hosted on Tencent Cloud and Alibaba origin servers while being fronted by Cloudflare.
Read the full technical analysis.
#DRP #Smishing | 830 |
| 6 | 🚨Group-IB researchers uncovered a large-scale fraud ecosystem operating ahead of kickoff, with more than 4,300 fraudulent domains impersonating the tournament’s official web presence and over 300 active phishing domains targeting fans globally.
At the center of the operation is GHOST STADIUM, a sophisticated phishing campaign leveraging cloned SSO authentication flows, fake hospitality portals, coordinated social media distribution, and multi-rail payment fraud infrastructure.
Key Highlights:
🔹4,300+ fraudulent tournament-themed domains identified.
🔹300+ active phishing domains linked to one coordinated operator.
🔹2,513 compromised credential pairs circulating on dark web markets.
🔹Estimated premium ticket fraud losses ranging from $71M to $474M USD.
🔹130,000+ infostealer logs containing tournament-related data.
🔹Underground Fraud-as-a-Service vendors selling phishing kits and ticket scam infrastructure.
Read the full technical analysis.
#ThreatIntelligence #FraudProtection | 960 |
| 7 | 🚨Chinese-language dark web forums and Telegram channels are flooding cybercrime ecosystems with claims of stolen data from financial institutions worldwide. Group-IB researchers dug in, and the datasets don't hold up.
After analyzing 17,000+ messages across five active sources, names and phone numbers trace back to the 2021 Facebook leak, password hashes to the 2020 Eatigo breach, assigned to entirely different individuals. These are not fresh breaches. They are repackaged old data sold as new.
The research includes sample validation walkthroughs, upstream source mapping, and identification markers organizations can use to assess similar claims.
Read the full analysis.
#CyberSecurity #DarkWeb #InfoSec #ThreatIntelligence | 1 076 |
| 8 | 🚨201 arrests. 3,867 victims identified. 53 servers seized.
Group-IB supported INTERPOL’s Operation Ramz, the first large-scale cybercrime operation across the MENA region, spanning 13 countries and targeting phishing, malware, and cyber fraud infrastructure.
Key contributions from Group-IB:
🔹Intelligence on 5,000+ compromised accounts, including government-linked accounts
🔹Identification of active phishing infrastructure across MENA
🔹 Mapping of threat actor clusters involved in phishing distribution and leaked data trafficking
This operation reflects what public-private collaboration can achieve when intelligence is regionally grounded and globally coordinated. Our Digital Crime Resistance Centers in Egypt and the UAE were central to delivering that visibility.
We remain committed to supporting international efforts to dismantle cybercriminal ecosystems and protect individuals and organisations across the MENA region and beyond.
Read More.
#ThreatIntelligence #INTERPOL #DCRC #Phishing | 904 |
| 9 | 🚨The new Group-IB research uncovers a sophisticated fraud operation targeting SNCF customers through phishing emails, fake SNCF-themed websites, legitimate payment processors, and social engineering phone calls impersonating bank advisors.
Key findings from the investigation:
🔹Fraud infrastructure was timed around French school holidays to exploit periods of increased travel activity
🔹Victims were redirected through legitimate Stripe-hosted payment pages to reduce suspicion during checkout
🔹Targeted users were linked to previously exposed data from the Addka72424 breach, indicating the use of leaked datasets for precision targeting
🔹Threat actors leveraged emotional manipulation and real-time phone calls to extract OTPs, IBAN details, and authorize secondary payments
🔹Infrastructure overlaps and recurring domain patterns suggest a centralized and scalable fraud ecosystem
Read the full analysis
#Cybersecurity #Phishing #FraudPrevention | 968 |
| 10 | 🎉 Group-IB unveils Prevyn AI, the cognitive core of its Unified Risk Platform designed to shift cybersecurity from reactive detection to predictive defense. Powered by decades of cybercrime intelligence and real-world investigative logic, Prevyn AI enables organizations to anticipate threats, accelerate response, and outpace machine-speed attacks.
Think Faster Than The Threat.
Learn More
#PrevynAI | 890 |
| 11 | 🚨Our latest investigation uncovers how threat actors are combining deepfake impersonation, social engineering, and cryptocurrency infrastructure to operate at industrial scale across Australia and the United States.
Key highlights:
🔹 A network of 208+ connected fake investment platforms with an estimated $187M in illicit revenue.
🔹 Threat actors impersonate well-known financial professionals using deepfake technology & geo-targeted social media advertisements to funnel victims into WhatsApp-based coordination groups.
🔹 20+ fake WhatsApp accounts impersonating a single Australian economist were identified, indicating centralized control by an organized group.
🔹 Coordinated inflows of $1.5M to $3M, achievable with 500 to 3,000 victims, can drive up to 12.4% price movement in a NASDAQ-listed small-cap stock.
🔹 Use of KYC-compliant exchanges for cash-out, with minimal obfuscation, creating both risk and investigative opportunity.
🔗 Read the full analysis.
#CyberSecurity #FraudPrevention #InvestmentScams | 1 042 |
| 12 | 🚨 Group-IB’s latest research exposes the Phoenix System, a Phishing-as-a-Service platform powering reward point scams, fake parcel delivery lures, and large-scale mobile phishing campaigns worldwide.
Key highlights:
🔹 SMS delivery via fake BTS to bypass carrier-level filtering and spoof trusted brands.
🔹 2,500+ phishing domains linked to the operation since January 2025.
🔹 More than 70 organizations targeted across finance, telecom, and logistics globally.
🔹 The phishing sites implement IP-based filtering and geofencing to precisely target victims within specific countries.
🔹 Shared infrastructure is found across reward scam and parcel delivery campaigns despite differences in their attack contexts and target audiences.
🔹 Both campaigns use the Phoenix System, successor to the Mouse System.
🔹 The phishing kits are distributed via a dedicated Telegram ecosystem.
Read the full analysis here.
#Phishing #CyberSecurity #Smishing #ThreatIntelligence | 1 110 |
| 13 | 🚨 Our latest research suggests that a significant share of newly registered business accounts in France may be linked to mule activity, highlighting how business-grade payment infrastructure combined with fast remote onboarding has created an attractive entry point for large-scale financial crime operations
Key Highlights:
🔹Verified mule business accounts are sold on underground markets for $300–$700, with sellers offering escrow services, replacement guarantees, and daily inventory.
🔹Threat actors bypass KYC by using real victims harvesting PII via phishing and socially engineering them to complete identity verification.
🔹Operations rely on SIM farms, anti detect environments, and cheap Android devices to scale account creation and maintain infrastructure.
🔹Detecting these operations requires analysing the entire account lifecycle, since sign up, KYC, and first login can appear legitimate in isolation.
Read the full technical analysis.
#FraudPrevention #FintechSecurity #CyberSecurity | 1 175 |
| 14 | 😧 In 2025, a hacktivist group filmed itself blocking biomass fuel supply and triggering emergency alarms at a Polish factory, then posted the video on Telegram.
Group-IB's Threat Intelligence team analyzed the 2025–early 2026 threat landscape targeting European manufacturing across six countries.
What we detected ⬇️
▪️200 hacktivist incidents targeting European manufacturers
▪️57 cases of claimed access to industrial control systems
‼️ The shift is real: hacktivist groups have moved beyond website takedowns to physical control of production systems, manipulating boiler temperatures, ventilation pressure, and biomass fuel supply.
Hacktivism is only one of five threat categories covered in our new report, Inside Europe's Manufacturing Cyber Threat Landscape. The other four are just as urgent.
Read more to predict and prevent attacks on your organization.
#CyberSecurity #Hacktivism #ThreatIntelligence | 1 028 |
| 15 | 🚨 W3LL wasn't just another phishing operation, it was a mature phishing-as-a-service ecosystem that industrialized BEC at scale. Over 7+ years, the actor built a closed, referral-only marketplace powering 500+ cybercriminals with AiTM tooling designed to bypass MFA, hijack sessions, and compromise Microsoft 365 accounts.
This investigation reveals not just the tools, but the infrastructure, operational model, and key weaknesses behind the W3LL phishing ecosystem.
Key highlights:
🔹 AiTM-based W3LL Panel engineered for MFA bypass and session cookie theft
🔹 W3LL Store: a full-service PhaaS marketplace with tooling, data, and infrastructure
🔹 License validation APIs exposing backend links to the operator
🔹 Analysis of 700+ weaponized phishing samples that supported victim and campaign mapping
🔹 OpSec failures across forums, infrastructure, Telegram, and Indonesian-speaking hacking community ties
Read the full technical analysis.
#ThreatIntel #Cybercrime #Phishing #BEC #CyberSecurity #Infosec | 1 116 |
| 16 | 💫We are proud to announce that Group-IB is an initial data contributor to the newly released MITRE Fight Fraud Framework™ (F3) developed by MITRE Corporation.
By contributing our proprietary fraud taxonomy and intelligence derived from real-world investigations, we are helping shape a standardized framework that enables organizations to classify, understand, and respond to fraud threats more effectively.
This collaboration goes beyond classification. By integrating the framework into Group-IB’s Fraud Matrix, organizations will be able to connect standardized fraud techniques with live adversary intelligence, detection methodologies, and mitigation strategies strengthening predictive fraud defense across industries.
Fraud doesn’t begin with a transaction. It begins with an attacker and understanding adversary behavior is key to staying ahead.
Read the full announcement here.
#CyberSecurity #FinancialSecurity #FraudPrevention #ThreatIntelligence #FraudMatrix | 1 174 |
| 17 | 🚨Remote hiring has opened new opportunities for companies worldwide but it has also created a new attack surface.
Our latest research dives into how DPRK-linked IT worker operations are infiltrating global companies by posing as remote developers. Instead of relying on traditional cyber intrusions, these actors exploit legitimate hiring processes using synthetic identities, AI-assisted workflows, and trusted developer platforms.
Key highlights:
🔹A coordinated ecosystem of fake developer personas operating across GitHub, portfolio sites, and freelancing platforms.
🔹Reusable identity infrastructure including resumes, email accounts, and repositories.
🔹Evidence of AI-assisted job application workflows and templated interview responses
🔹Archived “persona packages” containing identity documents, portfolio assets, and operational instructions.
🔹Monitoring the activities of a specific intruder “group” from 2021 to March 2026.
Read the full blog here.
#ThreatIntelligence #CyberSecurity #InsiderThreat #DPRK | 1 045 |
Уже доступно! Исследование Telegram 2025 — ключевые инсайты года 
