Cat 🐈🥗 (D.Burch) :paw:⁠:paw: boosted
cR0w h0 h0
@cR0w@infosec.exchange  ·  activity timestamp 21 hours ago

RE: https://infosec.exchange/@greynoise/116047942661766828

FWIW, if you were using the #GAYINT block list for your Ivanti RMM system, that IP on the bulletproof AS200593 would have been blocked. 8bitrainbow

GreyNoise
@greynoise@infosec.exchange  ·  activity timestamp 21 hours ago

83% of observed Ivanti EPMM exploitation (CVE-2026-1281) traces to one bulletproof IP that isn't on any published IOC list. The IPs that are? VPN exits with zero Ivanti activity. We broke down who's actually doing this ⬇️ https://www.greynoise.io/blog/active-ivanti-exploitation

#Ivanti #ThreatIntel #CVE20261281 #InfoSec

cR0w h0 h0
@cR0w@infosec.exchange  ·  activity timestamp 6 days ago

Behind the scenes look at #GAYINT CTI curation.

Where do I begin with this one? It's a painting or drawing of a pond meadow scene. In the pond is a hippo blasting fire from its ass. On its back is a racoon lighting sparklers on the flame. On the shore are three cows on their hind legs with beavers shooting milk from their udders at the hippo's flame. Below where the milk is hitting the flame is another beaver holding a peel with some sort of dishes being cooked and milked.
Cat 🐈🥗 (D.Burch) :paw:⁠:paw: boosted
cR0w h0 h0
@cR0w@infosec.exchange  ·  activity timestamp last week

https://www.infoblox.com/blog/threat-intelligence/compromised-routers-dns-and-a-tds-hidden-in-aeza-networks/

Maybe try blocking some full Aeza ASNs. The prefixes for AS210644 and AS216246 are already in the #GAYINT naughty list: https://intel.gayint.org/

Screenshot showing AS210644 with 166 prefixes and AS216246 with 24 prefixes in the GAYINT block list.
Infoblox Blog

Compromised Routers, DNS, and a TDS Hidden in Aeza Networks

Compromised routers silently reroute DNS, enabling a powerful Traffic Distribution System (TDS) that forces users to scams and malware via affiliate marketing.
cR0w h0 h0
@cR0w@infosec.exchange  ·  activity timestamp last week

@nyanbinary @hrbrmstr The ASN is there. gayint

#GAYINT

Screenshot showing AS211590 in the GAYINT ASN block list.
Michał "rysiek" Woźniak · 🇺🇦 and 1 other boosted
Kevin Beaumont
@GossiTheDog@cyberplace.social  ·  activity timestamp last week

Notepad++ have today confirmed their auto process was compromised by Chinese nation state threat actors, in a supply chain hack: https://notepad-plus-plus.org/news/hijacked-incident-info-update/

This backs up my blog from late last year, with #GAYINT threat actor mapping to Funky Stamen.

The infrastructure and update mechanisms have since been tightened. For what it’s worth - entry was to telcos and financial services with interests aligned to China. Notepad++ dev did a great job treating issue seriously.

Notepad++ Hijacked by State-Sponsored Hackers | Notepad++

Kevin Beaumont
@GossiTheDog@cyberplace.social replied  ·  activity timestamp last week

Here’s my original blog with threat hunting suggestions: https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9

Of note - the cyber industry entirely slept through it. A cartoon porg with #GAYINT threat intelligence had to blow it up.

Medium

Small numbers of Notepad++ users reporting security woes

Auto updates are fun.
Kevin Beaumont
@GossiTheDog@cyberplace.social  ·  activity timestamp 2 months ago

I consulted the official #GAYINT threat actor mapping chart and made this diagram for Notepad++ hack attribution

Sorry, no caption provided by author
Cat 🐈🥗 (D.Burch) :paw:⁠:paw: boosted
GAYINT
@gayint@infosec.exchange  ·  activity timestamp last month

Don't forget to put your puppygirls in a quiet room tonight. Fireworks can be loud and scary for them. #GAYINT #FURINT

Cat 🐈🥗 (D.Burch) :paw:⁠:paw: boosted
GAYINT
@gayint@infosec.exchange  ·  activity timestamp 2 months ago

As you may know, we do our fair amount of bitching here at GAYINT which made it difficult to narrow it down to one thing for a Festivus post. But we did. So let the airing of grievances commence. gayint

https://blog.gayint.org/festivus.html

#GAYINT #FURINT #festivus

GAYINT Blog

Airing of Grievances: CVE-2025-9491

Have some holiday-sanctioned bitching.
Cat 🐈🥗 (D.Burch) :paw:⁠:paw: boosted
GAYINT
@gayint@infosec.exchange  ·  activity timestamp 2 months ago

@briankrebs

Hi Brian,

I'm reaching out with #GAYINT, INFOSEC's gayest CTI shitpost. We protect companies from AI snakeoilers with next-generation common sense. We have a major announcement CUmming Next Tuesday. I came across your profile and thought you'd be a great fit for a sponsored post supporting the news.

We're happy to start at $0 for a single post.

Our marketing team can provide you a content draft, so all you'll have to do is copy and paste 8bitrainbow

Let me know if you're up for it - we are finalizing our sponsored community soon. We tried reaching around to you on LinkedIn but it said we weren't premium enough to message you there.

Cheers,
gayint

Kevin Beaumont
@GossiTheDog@cyberplace.social  ·  activity timestamp 2 months ago

Since making this thread yesterday the infrastructure appears to have gone AWOL and they've nuked the DNS entries on the C2s etc etc. They had access to a bunch of orgs for 5 months, if anybody interested.

Cat 🐈🥗 (D.Burch) :paw:⁠:paw: and 1 other boosted
cR0w h0 h0
@cR0w@infosec.exchange  ·  activity timestamp 2 months ago

#GAYINT

Panel one: Child holding his mother's hand and pointing to a picture of the GAYINT logo and asking his mom "Mommy what's GAYINT?"

Panel two: Mother says "Don't look at them, Ricky! I don't want you to be influenced by... OHGODNO"

Panel three: Mother yells "Rickyyy" and the kid looks at her and says "It is too late, mother. I have seen everything." And the kid has a catte face and his vest has the GAYINT icon, a Cascadia flag, a rainbow skull, and a trans-colored Antifa Arrow icon.
Djoerd Hiemstra 🍉 boosted
GAYINT
@gayint@infosec.exchange  ·  activity timestamp 2 months ago

JavaScript libraries and frameworks are bad and the modern Internet should feel bad.

Edit because I forgot to add gayint

https://blog.gayint.org/react.html

#GAYINT #FURINT
