Telegram Intel Intelligence
Live threat intelligence collected from criminal Telegram channels — real-time threat actor communications, malware distribution campaigns, and first-look intelligence before it hits mainstream reporting.
Telegram Intel — Archive & Latest
GIFTEDCROOK, Overlord & BRICKSTORM: OTX Pulse Analysis — Multi-Front APT Campaigns & Detection Pack
Russian, North Korean, and Chinese APTs target Ukraine, US Devs, and MSPs via WinRAR flaws, GitHub phishing, and edge device compromise.
GIFTEDCROOK, OtterCookie & BRICKSTORM: OTX Pulse Analysis — Multi-Vector Credential Theft Campaigns
Active campaigns by SHADOW-EARTH-066 and UNK_DeadDrop exploit WinRAR and GitHub to steal credentials. Urgent detection required.
THEGENTLEMEN Ransomware: Global Surge in Critical Infrastructure Targeting & Exploitation of Firewall Vulnerabilities
THEGENTLEMEN claims 15+ victims in 24 hours targeting Energy, Tech, and Manufacturing. Urgent patching of Check Point and Cisco CVEs required.
Salat Stealer, UNK_MassTraction & Cavern Manticore: OTX Pulse Analysis — Multi-Vector APT Campaigns
Three active campaigns: Salat Stealer infostealer, UNK_MassTraction exploiting Roundcube in universities, and Iran-linked Cavern Manticore targeting Israel. High urgency.
CrySome RAT, Salat Stealer & UNK_MassTraction: Multi-Vector Credential Theft Operations — OTX Intel
Active campaigns deploy CrySome RAT and Salat Stealer for credential theft, while UNK_MassTraction exploits university mail servers. Immediate action required.
QILIN Ransomware: 15 New Victims Posted — Construction & Business Services Targeted via Check Point & ScreenConnect Exploits
QILIN ransomware targets Business Services and Construction sectors using Check Point and ScreenConnect exploits. Immediate patching advised.
BabaDeda Loader: ClickFix Malware Campaign Analysis — Enterprise Detection Pack
Evolving BabaDeda loader using ClickFix technique for payload delivery. Urgent: block identified C2 IPs and hunt for installer-based infections.
SAFEPAY Ransomware: Aggressive German Sector Targeting & Critical Infrastructure Exploits
SAFEPAY targets German Health, Transport, Public Sector; exploits Check Point & Cisco CVEs.
Nezha Web Shell Campaign & BabaDeda ClickFix Loader: OTX Pulse Analysis — Enterprise Detection Pack
OTX pulses reveal active abuse of Nezha monitoring tool via phpMyAdmin log poisoning and the evolution of the BabaDeda ClickFix loader.
PAYLOAD Ransomware: Central European Campaign Targeting Energy and Agriculture via Firewall Exploits
PAYLOAD gang hits Energy and Food sectors in CH, IT, DE. Exploits targeting Check Point VPNs and Cisco FMC observed.
AsyncRAT & Remcos Steganography Campaign: OTX Pulse Analysis — Enterprise Detection Pack
Active global phishing campaign using Excel macros and steganography to deliver AsyncRAT/Remcos. High urgency.
OP-512 China-Linked Espionage + UNC3753 Targeted Campaigns: GhostKit, PlugX, Cobalt Strike, BazarLoader, TrickBot - OTX Pulse Analysis — Enterprise Detection Pack
China-linked OP-512 targets IIS with GhostKit; UNC3753 attacks US law firms with BazarLoader/TrickBot. HIGH PRIORITY threat intel.
CastleRAT, AsyncRAT & Havoc Framework: Multi-Vector Malware Campaign Analysis — Detection Pack
Active campaigns utilizing ClickFix, steganography, and tax lures delivering CastleRAT, AsyncRAT, and Havoc. High urgency.
Gaming Platform Phishing & Credential Harvesting: Roblox/Minecraft Targeted Campaign Analysis
Active phishing campaign targeting children via fake Roblox/Minecraft sites. High urgency for Education sectors to block IOCs.
GENESIS Ransomware Gang: 9 New US Victims Targeted — Critical Firewall & VPN Exploitation Detected
Genesis gang posts 9 US victims in Healthcare & Tech. Actively exploiting Check Point (CVE-2026-50751) and Cisco FMC flaws for initial access.
MarkiRAT Surveillance Operations + Pink Vishing Campaign + Global Smishing Network: OTX Pulse Analysis — Enterprise Detection Pack
Iran's TAG-182 using MarkiRAT; Pink gang with vishing; massive smishing op. High urgency for global enterprises.
Pink Vishing & Global PhaaS Campaigns: OTX Credential Theft Analysis
Pink actor vishing, global smishing operations, and gaming credential theft target finance, telco, and education sectors.
PLAY Ransomware Gang: Construction & Finance Sector Surge — Firewall & Remote Access Exploitation
PLAY targets AU/US Construction & Finance firms via ScreenConnect & Firewall flaws. Immediate patching of CVE-2024-1708 required.
Argamal RAT & Smishing-as-a-Service: Multi-Vector Credential Theft Campaigns — OTX Pulse Analysis
RAT via game mods & smishing ops targeting credentials across gaming, telecom, finance. High urgency: immediate blocking required.
WALLSTREET Gang: Critical Infrastructure Sweep via Firewall & RMM Exploits
WALLSTREET claims 4 new US/EC victims. Healthcare and Police hit via Check Point & Cisco CVEs.
BRAINCIPHER Ransomware: 4 New Victims Posted — Cross-Sector Surge & Detection Engineering
BRAINCIPHER claims 4 new US/BR victims. Actively exploiting Check Point & ScreenConnect flaws. Immediate detection guidance included.
WORLDLEAKS Ransomware: Global Business Services Surge — CISA KEV Exploitation & Detection Engineering
WORLDLEAKS posts 4 new victims across PK, BR, US, IT leveraging CVE-2024-1708 and Check Point vulnerabilities. Critical detection rules included.
BoryptGrab Stealer & Gafgyt C0XMO Botnet: OTX Pulse Analysis
Active campaigns deploying BoryptGrab stealer via GitHub impersonation and Gafgyt C0XMO botnet via router exploits. Credential theft focus.
APT73 Ransomware Gang: Global Surge Exploiting Check Point & ScreenConnect Vulnerabilities
APT73 targets Technology & Hospitality sectors across 4 nations. Active exploitation of CVE-2024-1708 & Check Point flaws confirmed.
SessionGate, RemusStealer, PCPJack & APT37 Supply Chain: OTX Pulse Analysis — Enterprise Detection Pack
OTX detects large-scale open-source impersonation, cloud SMTP relays, and APT37 supply chain attacks targeting Yanbian.
SessionGate & BoryptGrab: TDS-Driven Infostealer Ecosystem OTX Analysis
Active campaigns using Traffic Distribution Systems (TDS) and GitHub impersonation to deploy SessionGate, RemusStealer, and BoryptGrab. Urgency: High.
MEDUSALOCKER Intelligence Briefing: Surge in DACH Region Targets Telecom & Public Sector — Critical CVEs Exploited
MedusaLocker posts 10 new victims, heavily targeting Germany. Active exploitation of Check Point & ConnectWise CVEs observed.
TA4922 Global Expansion, Avalon Framework, and Malicious VPN Extensions: OTX Pulse Analysis — Credential Theft & Ransomware
OTX Pulse: TA4922, Avalon, and malicious VPNs drive a surge in credential theft and ransomware. Critical detection guidance inside.
KRYBIT Ransomware Gang: 11 New Victims Posted — Perimeter Breach Analysis & Detection Rules
KRYBIT posts 11 new victims targeting Tech and Logistics. Immediate patching for Check Point, Cisco, and ScreenConnect CVEs is critical.
RedLine, TONResolver & Blacksite: Global Credential Theft Surge — OTX Pulse Analysis
Multi-vector credential theft targeting maritime/hotel sectors via RedLine, TONResolver, and Blacksite AiTM kits. High urgency.
INCRANSOM Gang: Aggressive Public Sector & Healthcare Targeting — Critical CVE Exploitation
INCRANSOM escalates attacks on US/BR Public Sector and Healthcare using Check Point & ScreenConnect exploits. Patch immediately.
Bumblebee Loader, The Gentlemen RaaS, and Ousaban: Multi-Vector OTX Pulse Analysis
Active campaigns delivering Akira via SEO poisoning, The Gentlemen RaaS exploiting VPNs, and Ousaban targeting Iberian banks.
Akira Ransomware & Infostealer Swarm: OTX Pulse Analysis — Bumblebee, RedLine, and RMM Exploits
Active campaigns deploying Akira ransomware and stealers (RedLine, Ousaban) via SEO poisoning, RMM exploits, and AI framework vulnerabilities.
THEGENTLEMEN Ransomware: France-Targeted Surge, Critical Infrastructure Hits & Exploit-Led Intrusions
THEGENTLEMEN gang exploits Check Point & ScreenConnect flaws, heavily targeting French logistics/healthcare. Actionable IOCs & detection rules inside.
Bumblebee Loader, The Gentlemen RaaS, and Ousaban: OTX Pulse Analysis — SEO Poisoning and Geofenced Banking Trojans
High-threat activity: SEO poisoning delivers Akira via Bumblebee; The Gentlemen RaaS exploits VPNs; Ousaban targets Iberia with geofenced phishing.
Bumblebee Loader, RedLine Stealer, and RMM Exploitation: OTX Pulse Analysis — Credential Theft & Ransomware Campaigns
Active campaigns leveraging SEO poisoning and RMM exploits to deliver Bumblebee, RedLine, and Djinn stealers, facilitating credential theft and Akira ransomware.
THEGENTLEMEN Ransomware Gang: Global Campaign Intensifies — Sector Targeting Analysis & Detection Rules
THEGENTLEMEN ransomware group posts 15 new victims across multiple sectors with focus on France, US, and Taiwan. Immediate action required for exposed Check Point and Cisco systems.
RustDuck Botnet, AsyncRAT Sideloading & Gamaredon GammaWorm: OTX Pulse Analysis — Enterprise Detection Pack
Critical surge in threats: RustDuck IoT DDoS botnet, AsyncRAT via typosquatting, and Gamaredon espionage targeting Ukraine.
Bumblebee/Akira RaaS, The Gentlemen Backdoors, and Ousaban Banking Trojan: OTX Pulse Analysis — Enterprise Detection Pack
Severe RaaS and banking trojan campaigns detected via SEO poisoning and phishing. Urgency: High.
Credential Harvesting & Ransomware Delivery: Bumblebee, RedLine, and Ousaban Campaigns — OTX Pulse Analysis
Credential theft and ransomware delivery via SEO poisoning, RMM exploits, and maritime phishing targeting finance and tech. Urgency: High.
THEGENTLEMEN Ransomware: Critical Infrastructure Surge & Exploitation of Network Perimeter
THEGENTLEMEN exploits Check Point & Cisco FMC flaws to hit 15 victims across Energy & Public Sector. Detection rules inside.
Gamaredon APT, BTMOB Android RAT & Malicious VPN Extensions: OTX Pulse Analysis
FSB-linked Gamaredon targeting Ukraine, Android RAT surge in LatAm, and clipper malware distributed via trojanized VPN extensions.
Bumblebee Loader, The Gentlemen RaaS, and JINX-0164: OTX Pulse Analysis — Supply Chain & SEO Poisoning Wave
SEO poisoning, supply chain attacks, and RaaS identified via Bumblebee, Akira, and JINX-0164. Critical urgency for crypto and enterprise sectors.
JINX-0164 & GHOST STADIUM: Multi-Vector Credential Theft & Ransomware Delivery Chain — OTX Pulse Analysis
Active campaigns leveraging SEO poisoning, RMM exploits, and phishing to deploy Vidar, Lumma, and Bumblebee. High urgency.
THEGENTLEMEN Ransomware: 15+ Victims Posted — Analysis of Multi-Vector CVE Exploitation
THEGENTLEMEN aggressively targets logistics, healthcare, and public sectors across FR/US. Immediate patching for ScreenConnect, Check Point, and Cisco FMC required.
Bumblebee Loader & Akira Ransomware: SEO Poisoning and Supply Chain Attack Vector Analysis — Detection Engineering Pack
Active campaigns using Bumblebee, Djinn, and Lumma stealers via SEO poisoning and RMM exploits to deliver Akira ransomware. Urgency: High.
QILIN Ransomware: Global Surge Targets Manufacturing & Services — Critical Edge Device Exploitation Detected
QILIN posts 19 victims in 48 hours, targeting manufacturing and business services via Check Point and Cisco exploits.
OTX Pulse Analysis: GHOST STADIUM, JINX-0164, and Bumblebee — Credential Theft & Ransomware Operations
Active campaigns leveraging trojanized installers, event-based phishing, and LinkedIn scams to deploy Akira, Vidar, and custom macOS stealers.
QILIN Ransomware: 19 New Victims & Surge in Business Services Targeting — Detection Rules for CVE Exploitation
QILIN attacks surge with 19 new victims targeting Business Services. Detection rules for Check Point & ScreenConnect exploits provided.
Multi-Vector RaaS and Supply Chain Attacks: Bumblebee, The Gentlemen, and JINX-0164 OTX Pulse Analysis
Urgent detection guidance for SEO poisoning, RaaS expansion via SharkLoader, and crypto supply chain attacks targeting dev infrastructure.
Showing 50 of 749 reports. Archive expands automatically as new intel is generated.
Every Telegram IntelReport Includes SIGMA & KQL Detection Rules
Every intelligence briefing on this page includes at least one Sigma rule, a Microsoft Sentinel KQL hunt query, and an IOC check script — ready to drop into your SIEM. No paywall. No registration.