breakglass.intelligence

FGBOT Online | 8 Reports Published

Latest Reports

critical | 🔑 Stealer | Mar 8, 2026

AMOS Stealer v3: Fully Decrypted -- Triple S-Box Encryption, Wallet Replacement Attacks, and a Three-Tier C2 Infrastructure

TL;DR: Two new AMOS (Atomic macOS Stealer) samples uploaded to MalwareBazaar reveal a significant evolution of the macOS stealer family. FGBOT fully decrypted the multi-layer encryption (SplitMix64 PRNG, triple S-box substitution, triplet encoding), live-downloaded and analyzed four second-stage pay

#stealer #amos #phishing #social-engineering

high | 🤖 Botnet | Mar 8, 2026

Inside Bucklog SARL: Anatomy of a Commercial Credential-Harvesting Kubernetes Cluster

A 21-node Kubernetes cluster operated by French company Bucklog SARL (AS211590) is running a commercial Credential-Harvesting-as-a-Service operation across the 185.177.72.0/24 range. The cluster's custom monitoring panel tracks revenue in EUR, subscriber counts, and harvested credential metrics -- c

#botnet #bucklog #credential-theft #brute-force

high | 🦠 Malware | Mar 8, 2026

Multi-RAT Operation Dismantled: WaterHydra APT Nexus, Five AES Keys Recovered, and Live C2 Infrastructure Mapped Across Three Continents

An evening hunt across MalwareBazaar fresh samples uncovered two active threat actor operations deploying QuasarRAT, DarkMe RAT, AgentTesla, and VenomRAT with live C2 infrastructure in Ukraine, Russia, and the United States. We fully decrypted five AES encryption key schemes from GitHub-staged paylo

#malware #vidar #lumma #quasarrat

critical | 🎣 Phishing | Mar 8, 2026

Smash-and-Grab in the Gulf: A Military Spearphishing Campaign Using Rclone to Steal Documents and Telegram Sessions

TL;DR: A spearphishing campaign targeting Kuwait Air Force weapons procurement personnel delivers a multi-stage payload that exfiltrates desktop documents and Telegram Desktop session data to attacker-controlled MEGA cloud storage via rclone. There are no implants, no RATs, and no persistence -- jus

#phishing #social-engineering #c2 #spearphishing

high | 📡 IoT | Mar 8, 2026

58,895 Baby Monitors Exposed: Default MQTT Credentials Lay Bare a Global IoT Platform

Hangzhou Meari Technology, the Chinese manufacturer behind the CloudEdge baby monitor and security camera platform (35 million registered users, 10+ white-label brands), operates four regional MQTT broker clusters that have never had their factory default credentials changed. We confirmed `admin:pub

#iot-vuln #c2 #brute-force #exploit

critical | 🎯 APT | Mar 8, 2026

MuddyWater Exposed: An Iranian APT's Entire Offensive Toolkit Recovered from an Open Directory

An Iranian APT operator accidentally exposed their entire `/root` home directory via Python SimpleHTTPServer, revealing four custom C2 frameworks with full source code, six weaponized CVE exploits (including 2026-era zero-days), 785 GB of exfiltrated nation-state data from five sovereign targets, an

#apt #amos #muddywater #dll-sideloading

high | 🤖 Botnet | Mar 8, 2026

NEKOBYTE: A 2.5-Year Cryptominer Botnet Exploiting Unauthenticated Redis Servers via Crontab Injection

A cryptominer botnet operating since at least July 2023 uses unauthenticated Redis instances to inject persistent crontab entries that download and execute XMRig mining payloads from `b.clu-e.eu`. The operator has rotated payload infrastructure through five hosting providers across four countries ov

#botnet #nekobyte #cryptominer #c2

high | 🔑 Stealer | Mar 8, 2026

Cracking a Predictable DGA: Inside a 16,000-Bot PPI Operation Running on admin:admin123

A Pay-Per-Install botnet operating since at least January 2026 has enrolled over 16,000 machines across 60+ countries using a trojanized copy of the legitimate BCUninstaller application. The operator uses a trivially predictable time-based Domain Generation Algorithm -- `floor(unixtimestamp / 500000

#stealer #lumma #social-engineering #cryptominer