{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/telegram/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows Server 2016","Windows Server 2019","Shodan","Censys","Telegram"],"_cs_severities":["high"],"_cs_tags":["ransomware","smb","wanttocry"],"_cs_type":"advisory","_cs_vendors":["Microsoft","ISPsystem","Shodan","Censys","Telegram"],"content_html":"\u003cp\u003eWantToCry ransomware, named after the infamous WannaCry worm, targets organizations with internet-exposed SMB services. Unlike WannaCry, WantToCry is not self-propagating but uses brute-force attacks against exposed SMB services on ports 139 and 445. After gaining access, it exfiltrates files via authenticated SMB sessions to attacker-controlled infrastructure where they are encrypted. The encrypted files are then rewritten back to the victim\u0026rsquo;s system using the same SMB sessions. This operation minimizes the detection surface, as it doesn\u0026rsquo;t involve local malware execution or post-compromise activity beyond file exfiltration and rewriting. The attackers leave ransom notes named \u003ccode\u003e!Want_To_Cry.txt\u003c/code\u003e and append the \u003ccode\u003e.want_to_cry\u003c/code\u003e suffix to encrypted files. Observed ransom demands ranged from $400 to $1,800.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attackers scan the internet for systems with open SMB ports (139 and 445) using reconnaissance services like Shodan and Censys.\u003c/li\u003e\n\u003cli\u003eThey attempt to gain access to targeted networks via automated brute-force attacks against the exposed SMB services.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication using compromised or weak credentials, the attackers initiate file exfiltration via authenticated SMB sessions.\u003c/li\u003e\n\u003cli\u003eThe exfiltrated files are then transferred to attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003eOn the attacker-controlled systems, the files are encrypted.\u003c/li\u003e\n\u003cli\u003eThe encrypted files are written back to the original locations on the victims\u0026rsquo; systems via the same authenticated SMB sessions.\u003c/li\u003e\n\u003cli\u003eA ransom note named \u003ccode\u003e!Want_To_Cry.txt\u003c/code\u003e is dropped on the affected systems.\u003c/li\u003e\n\u003cli\u003eThe attackers demand ransom payment via qTox or Telegram, ranging from $400-$1800, for the decryption keys, with the objective of financial gain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eWantToCry ransomware can lead to significant data loss and operational disruption for affected organizations. While the ransom demands ($400-$1800) are relatively low, the impact of data encryption can still be severe. The attacks are focused on systems with exposed SMB services, potentially limiting the scope of encryption. The primary targets appear to be organizations that have misconfigured or inadequately secured SMB services directly exposed to the internet.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for sustained SMB read and write operations originating from external IP addresses, especially those from unusual geographic locations, using a network intrusion detection system (IDS) or firewall logs.\u003c/li\u003e\n\u003cli\u003eImplement account lockout policies and multi-factor authentication (MFA) for SMB services to prevent brute-force attacks; monitor authentication logs for repeated failed login attempts.\u003c/li\u003e\n\u003cli\u003eDeploy file integrity monitoring (FIM) solutions to detect unauthorized modification of files, particularly the creation of ransom notes named \u003ccode\u003e!Want_To_Cry.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBlock the listed IOCs (IP addresses) at your network perimeter to prevent communication with known attacker infrastructure.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with network connection monitoring to enhance visibility into SMB activity for the rules below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T12:05:29Z","date_published":"2026-05-19T12:05:29Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wanttocry-ransomware/","summary":"The WantToCry ransomware exploits exposed SMB services via brute-force for initial access, then exfiltrates files for remote encryption, rewriting the encrypted files to the original locations, demanding ransom payments from $400 to $1,800.","title":"WantToCry Ransomware Exploits SMB for Remote Encryption","url":"https://feed.craftedsignal.io/briefs/2026-05-wanttocry-ransomware/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Chrome","Firefox","Edge","Opera","Vivaldi","Arc","Orion","WeChat","Miro","MetaMask","Phantom","1Password","Bitwarden","LastPass","Exodus","Atomic Wallet","Ledger Live","Trezor Suite","iCloud","Telegram"],"_cs_severities":["high"],"_cs_tags":["macos","infostealer","shub reaper","malware"],"_cs_type":"advisory","_cs_vendors":["Apple","Google","Mozilla","Brave","Microsoft","Opera","Vivaldi","Arc","Orion","MetaMask","Phantom","1Password","Bitwarden","LastPass","Exodus","Atomic Wallet","Ledger","Trezor"],"content_html":"\u003cp\u003eA new variant of the SHub macOS infostealer, dubbed Reaper, has emerged, employing a novel approach to bypass existing security mitigations. Unlike previous SHub campaigns that relied on tricking users into pasting commands in Terminal, Reaper leverages the \u003ccode\u003eapplescript://\u003c/code\u003e URL scheme to launch the macOS Script Editor preloaded with a malicious AppleScript. This technique circumvents Apple\u0026rsquo;s late March mitigations in macOS Tahoe 26.4, which aimed to block the execution of harmful commands pasted into the Terminal. SentinelOne researchers discovered that victims are lured by fake installers for WeChat and Miro applications hosted on domains designed to appear legitimate. The malware fingerprints the victim\u0026rsquo;s device to detect virtual machines and VPNs, and enumerates installed browser extensions for password managers and cryptocurrency wallets, sending telemetry data to the attacker via a Telegram bot.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim visits a malicious website impersonating WeChat or Miro.\u003c/li\u003e\n\u003cli\u003eThe website fingerprints the visitor\u0026rsquo;s device, checking for VMs/VPNs and enumerating browser extensions. This information is sent to a Telegram bot.\u003c/li\u003e\n\u003cli\u003eThe website prompts the user to download a fake installer, which then uses the \u003ccode\u003eapplescript://\u003c/code\u003e URL scheme.\u003c/li\u003e\n\u003cli\u003eClicking the URL opens the macOS Script Editor with a preloaded malicious AppleScript.\u003c/li\u003e\n\u003cli\u003eIf the user clicks \u0026ldquo;Run\u0026rdquo; in the Script Editor, the script displays a fake Apple security update message referencing XProtectRemediator.\u003c/li\u003e\n\u003cli\u003eThe script downloads a shell script using \u003ccode\u003ecurl\u003c/code\u003e and executes it silently via \u003ccode\u003ezsh\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe shell script checks for a Russian keyboard layout; if detected, the malware exits.\u003c/li\u003e\n\u003cli\u003eIf the keyboard layout is not Russian, the script retrieves and executes a malicious AppleScript with data theft routines via \u003ccode\u003eosascript\u003c/code\u003e. This script prompts the user for their macOS password, and then steals browser data, cryptocurrency wallet data, and other sensitive files. The malware establishes persistence by installing a script impersonating the Google software update and registers it using LaunchAgent, running every minute as a beacon.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful infection by the SHub Reaper infostealer results in the theft of sensitive data, including browser data from Chrome, Firefox, Edge, Opera, Vivaldi, Arc, and Orion, cryptocurrency wallet data (MetaMask, Phantom), password manager data (1Password, Bitwarden, LastPass), desktop cryptocurrency wallet application data (Exodus, Atomic Wallet, Ledger Live, Trezor Suite), iCloud account data, Telegram session data, and developer configuration files. The malware also targets files on the Desktop and Documents folders, collecting documents smaller than 2MB, or images up to 6MB (total limit 150MB). Cryptocurrency wallet applications are hijacked by replacing their core application file with a malicious version downloaded from the C2 server. This gives the attacker persistent access to the compromised machine and enables further malware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for suspicious outbound network traffic after Script Editor execution, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of new LaunchAgents and related files in the namespace of trusted vendors to detect persistence mechanisms, as recommended by SentinelOne.\u003c/li\u003e\n\u003cli\u003eBlock access to the known malicious domains: \u003ccode\u003eqq-0732gwh22[.]com\u003c/code\u003e, \u003ccode\u003emlcrosoft[.]co[.]com\u003c/code\u003e, and \u003ccode\u003emlroweb[.]com\u003c/code\u003e at the DNS resolver based on the IOCs provided.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T21:42:54Z","date_published":"2026-05-18T21:42:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-shub-macos-reaper/","summary":"A new variant of the 'SHub' macOS infostealer, dubbed Reaper, uses AppleScript to display a fake security update message and install a backdoor, ultimately stealing browser data, financial documents, and cryptocurrency wallet information while bypassing Terminal-based mitigations in macOS.","title":"SHub macOS Infostealer Variant 'Reaper' Spoofing Apple Security Updates","url":"https://feed.craftedsignal.io/briefs/2026-05-shub-macos-reaper/"}],"language":"en","title":"CraftedSignal Threat Feed — Telegram","version":"https://jsonfeed.org/version/1.1"}