Michael R
Adversary Infrastructure Chaser | Python Development
Jun 10 7 tweets 2 min read
ShinyHunters, (or a group impersonating them) exposed several directories revealing ongoing targeting of PeopleSoft (Enterprise Resource Planning software) environments.

Also visible were staging materials, including MeshCentral agents, and a defacement and credential spray script.

🧵

#shinyhunters Five sequential IPs with open directories (142.11.200[.]186 - 190) exposed identical bash histories, npm debug logs and Windows MeshCentral executables.

All share a Let's Encrypt certificate with a subject common name of azurenetfiles[.]net, plus a login portal titled 382198 - LoginImage
Dec 31, 2023 10 tweets 4 min read
Tracking a Rust-based C2

From downloading the framework to refining search queries, I'll guide you through my process of tracking adversary infrastructure.

Today, we'll briefly look at "link," which supports implants targeting Windows, MacOS, and Linux.

1/10 link became available on GitHub in 2021. Although the framework no longer seems to be actively maintained, it has over 500 stars and is still used today.

Running link from the command line, we are prompted to set up our server.