Post by VMRay
7,845 followers
Most #ThreatIntelligence work stops at the blocklist. You take an indicator, confirm it's live, push it into a SIEM rule, and move on. Pivoting takes the same indicator further, and sometimes it leads somewhere you didn't expect. https://lnkd.in/e8ER6xpe The new investigation on the VMRay blog starts with a single #RedLine Stealer C2 IP pulled from VMRay #UniqueSignal and follows it outward. The RedLine infrastructure itself was a short thread. But the files communicating with that C2 pointed somewhere else entirely: a tailored spear-phishing campaign targeting a South Korean maritime manufacturer, delivered through business email compromise. From there, the investigation moves to the email distribution infrastructure behind the campaign, and surfaces a cluster of attacker-owned domains and servers, each one blockable at the email gateway before the next wave lands. š https://lnkd.in/e8ER6xpe #ThreatIntelligence #ThreatHunting #CTI #BEC #Phishing
Video Content