DMZ//THREAT INTEL
FEED ACTIVE | LAST SYNC: 06:03:37Z | SOURCES: 14 | CRITICAL: 15
⚠ ACTIVE ALERTS
SYLVANITE (CRITICAL): SYLVANITE is a newly named Dragos-tracked threat group identified as a dedicated…
@MsftSecIntel (CRITICAL): We are tracking TeamPCP (UNC6780) activity following the GitHub internal repository…
@GossiTheDog (CRITICAL): The GitHub / TeamPCP breach is now being monetized on BreachForums. Listing is up — $95k…
@struppigel (CRITICAL): SUPPLY CHAIN ALERT: Laravel-Lang PHP packages backdoored May 22-23 via hijacked GitHub…
@MalwareHunterTeam (CRITICAL): Seeing fresh DebugElevator stealer log batches already appearing for sale on Exploit.in —…
15 Critical Threats
8 Active CVEs
0 IOCs Tracked
0 New Advisories
MONITORING 6 CHANNELS
INTERCEPTING LIVE
FORUMS: 4  |  X ACCOUNTS: 24
◆ 3 CORRELATED SIGNALS
■ Underground Forums
8 NEW // LAST 24H
BreachForums
04:11Z TODAY ◆ CORRELATED
ACTOR: ████████
SELLING: 1.2M US Healthcare Records — FRESH EXFIL (2025-04-14)
Full dataset from ████████████, exfiltrated ████████. Includes SSN, DOB, insurance IDs, clinical notes. Sample: ████████████. Escrow preferred. No law enforcement buyers. XMR only.
$4,200 XMR
TAGS: healthcare, pii, fresh, escrow
◆ CORRELATED WITH X SIGNAL
RAMP
02:44Z TODAY
ACTOR: ████████████
AFFILIATE RECRUITMENT — PHANTOM CIRCUIT RaaS [Healthcare Focus]
Seeking experienced affiliates for new RaaS operation. Custom Go encryptor, ████% split. Target vertical: healthcare, pharma, insurance. Contact via ████████████. KYC required.
TAGS: raas, ransomware, recruitment
Exploit.in
00:17Z TODAY ◆ CORRELATED
ACTOR: █████████
PoC DROP: FortiGate SSL-VPN Heap Overflow (CVE-2025-3310)
Dropping working PoC for CVE-2025-3310 after 7-day coordinated disclosure window expired. Tested on FortiOS █████. RCE as ████. Patch exists but ~60% of internet-facing devices still unpatched per Shodan.
TAGS: cve-2025-3310, fortigate, poc, rce
◆ CORRELATED WITH X SIGNAL
XSS.is
YESTERDAY 21:05Z
ACTOR: ██████████
INITIAL ACCESS: Fortune 500 Manufacturing — Domain Admin, EDR: ████
Selling persistent access to ████████████ Corp. Domain admin credentials. Revenue: ████. Minimum bid $15,000 XMR.
$15,000+ XMR
TAGS: initial-access, domain-admin, auction
BreachForums
YESTERDAY 18:33Z ◆ CORRELATED
ACTOR: ██████████
npm PACKAGES — 6x Trojanized Crypto Dev Tools [BLINDINGCAN payload]
6 packages pushed to npm registry with embedded █████████ backdoor. Targeting DeFi developers. C2: ███████████. Packages pulled by npm but implants may persist.
TAGS: supply-chain, npm, lazarus, crypto
✕ Signal Intercept
24 MONITORED ACCOUNTS
@TalosSecurity · VENDOR
04:38Z TODAY ◆ CORRELATED
We're tracking active sale of what appears to be a large US healthcare breach on underground forums. Indicators match a known credential stealer campaign from Q1. If you're in healthcare IT — check your logs for LOLBin abuse and unusual LDAP queries. Thread 🧵
847 · 2.1K · ⚠ HIGH SIGNAL
@GossiTheDog · RESEARCHER
03:12Z TODAY
Cisco IOS XE situation is getting worse. Shodan now showing ~41,200 exposed mgmt interfaces, up from 38K yesterday. Some orgs have HTTP server enabled on external IPs. Disable it. Now. #CiscoIOSXE CVE-2025-1337
1.2K · 3.4K
@vxunderground · RESEARCHER
01:55Z TODAY ◆ CORRELATED
PoC for CVE-2025-3310 (FortiGate SSL-VPN RCE) has been published to Exploit.in after the researcher's 7-day grace period lapsed. We've confirmed the PoC is functional. ~40% of internet-exposed FortiGate devices remain unpatched. Mass exploitation expected within 48-72 hours.
2.8K · 5.1K · ⚠ HIGH SIGNAL
@SwiftOnSecurity · RESEARCHER
00:44Z TODAY
Reminder that "patch Tuesday" isn't a suggestion. The Windows CLFS driver vuln (CVE-2025-2201) is being used in post-exploitation by at least two ransomware groups we track. Patch is available. There's no good reason not to have deployed it already.
934 · 4.2K
@MalwareHunterTeam · RESEARCHER
YESTERDAY 19:02Z ◆ CORRELATED
We've confirmed attribution on the trojanized npm packages to Lazarus Group (DPRK). The BLINDINGCAN implant variant has a new C2 rotation mechanism we haven't seen before — using DNS TXT records as fallback. Full IOC list in the thread. #LazarusGroup #SupplyChain
1.7K · 3.8K · ⚠ HIGH SIGNAL
@CISAgov · VENDOR
YESTERDAY 17:00Z
CISA has added CVE-2025-0449, CVE-2025-1337, and CVE-2025-0813 to the Known Exploited Vulnerabilities catalog. Federal agencies must remediate by 2025-04-17. All organizations strongly encouraged to prioritize patching. #CISA #KEV
3.1K · 2.9K
■ Threat Actor — Last Seen Tracker
12 MONITORED ACTORS
ACTOR: ████████ | Data broker. Healthcare PII. 14 listings since Jan 2025. | SEEN ON: BF, XSS | LAST SEEN: 4H AGO
ACTOR: ████████████ | PHANTOM CIRCUIT RaaS operator. Active since Mar 2025. | SEEN ON: RM, X | LAST SEEN: 2H AGO
ACTOR: ██████████ | Suspected Lazarus Group front. npm supply chain ops. | SEEN ON: BF, X | LAST SEEN: YESTERDAY
ACTOR: ██████████ | Initial Access Broker. High-value corporate targets. | SEEN ON: XS, BF | LAST SEEN: YESTERDAY
ACTOR: █████████ | Independent researcher / grey-hat. PoC drops. | SEEN ON: EX, X | LAST SEEN: 18H AGO