r/threatintel

Best courses or training to learn dark web monitoring for CTI?

I’m looking to build stronger skills in dark web monitoring as part of my CTI learning path. My goal is to understand how to monitor underground forums/markets, identify relevant threat intel, profiling Threat Actors, findings critical information about my employer etc and turn that into actionable CTI output rather than just collecting noise.

For those working in CTI or threat hunting, are there any good courses, trainings, labs, or practical resources you’d recommend for learning dark web monitoring properly?

reddit.com

Looking for Good Sources for Strategic Intelligence

Hello All,

I’m relatively new to the Strategic Intelligence space and looking to build a solid list of resources to follow regularly.

Could anyone recommend good sources for strategic intelligence?

Also, does anyone have examples of monthly strategic intelligence reports (sanitized/public versions are fine) that could be used as a reference for structure, writing style, and key sections?

Thank you!

reddit.com
u/MotherEmployee5113 — 4 days ago
▲ 11 r/threatintel+1 crossposts

Sneaky 2FA campaign using trusted sender abuse, tenant-branded M365 pages, and live Entra credential replay

Spent time researching a Sneaky 2FA-style campaign that was interesting because the email delivery and the phishing kit both showed meaningful evolution.

The initial message was not sent from a random throwaway account. It came through a compromised trusted SaaS sender account and targeted enterprise IT users. The lure was a Microsoft sign-in activity alert, but it was placed inside a business-thread chain, which made the message look more like part of an existing operational conversation than a standalone phishing email.

The web flow was also more interesting than a basic Microsoft credential clone. From the samples I reversed, the kit supported:

  • identity-check gating before exposing the Microsoft page
  • session-mutated routes, loader names, validation paths, and tokens
  • tenant-branded Microsoft 365 rendering using Microsoft tenant branding assets
  • signed resource URLs with hashed IP and user-agent values
  • password collection
  • verification code collection
  • SMS code collection
  • Microsoft Authenticator approval and number matching flows
  • final redirect back to Outlook

The strongest evidence came from controlled testing with non-valid credentials. After submitting them to the phishing page, Microsoft Entra ID recorded near-real-time OfficeHome sign-in attempts from external infrastructure. The attempts failed with error 50126, which confirms the credentials were replayed against Microsoft rather than only stored by the page.

The observed asset set, MFA workflow, href[.]li decoy behavior, and Sneaky/WikiKit-style page structure make Sneaky 2FA a strong match for this case.

u/ZeroBEC — 5 days ago

thoughts on proxy.hfzk.net.cn

​

Came across the apple website on proxy.hfzk.net.cn

Is that a phishing page?

What exactly is hosted on this website? Like what it does which is different from apple.com

reddit.com
u/SyllabubCute6485 — 6 days ago

Baker Hughes Energy - bulk domain registration, possibly threat.

Received 43 alerts + duplicates from CloudFlare Brand Protection:
NOTE: I do not work for and am not affiliated with "Baker Hughes Energy"

Observed: coordinated registration/appearance of Baker Hughes-themed domains around [2026-07-01T06:5X:XX;XXXXXXZ].

Brand tokens:

- bakerhughes

- baker-hughes

- bakerhughesenergy

- baker-hughes-energy

- bakerhughesenergyservices

- baker-hughes-energy-services

Notable namespaces:

- mil[.]tm

- gov[.]mu

- df.gov[.]br

- ngo[.]za

- nom[.]za

- edu[.]ee

- lib[.]ee

- int[.]la

- ws variants

- Cloudflare workers[.]dev infrastructure

Assessment:

Looks consistent with bulk-generated impersonation infrastructure for phishing, vendor/customer targeting, procurement fraud, credential capture, or document-delivery lures. The gov/mil/edu/ngo-style suffix selection may indicate government/defense/energy procurement pretexts.

Caveats:

- No confirmed phishing content observed yet.

- No confirmed attribution.

- Some entries may be subdomains under existing parent domains rather than independently registered domains.

- Some duplicates may be from alert/feed normalization.

Question:

Has anyone else seen this cluster, related MX/TLS/passive DNS, or Baker Hughes-themed lure content?

bakerhughes.chantysothy[.]kh

bakerhughes.lib[.]ee

baker-hughes.mil[.]tm

baker-hughes.df.gov[.]br

baker-hughes.ngo[.]za

baker-hughes.chantysothy[.]kh

baker-hughes-energy.aquila[.]it

baker-hughes-energy.gov[.]mu

baker-hughes.org[.]ws

baker-hughes.edu[.]ws

baker-hughes.net[.]ws

baker-hughes-energy.ngo[.]za

baker-hughes-energy.edu[.]ee

baker-hughes-energy.net[.]ws

baker-hughes-energy-services.nom[.]za

baker-hughes-energy-services.lib[.]ee

baker-hughes-energy-services.df.gov[.]br

baker-hughes-energy.chantysothy[.]kh

baker-hughes-energy-services.int[.]la

baker-hughes-energy.mil[.]tm

baker-hughes-energy.edu[.]ws

baker-hughes-energy-services.gov[.]mu

baker-hughes-energy.int[.]la

baker-hughes-energy-services.com[.]ws

baker-hughes-energy-services.chantysothy[.]kh

baker-hughes-energy-services.edu[.]ws

bakerhughesenergy.ngo[.]za

baker-hughes-energy.nom[.]za

bakerhughesenergy.chantysothy[.]kh

baker-hughes.nom[.]za

bakerhughesenergyservices.aquila[.]it

bakerhughesenergy.df.gov[.]br

bakerhughesenergyservices.edu[.]ee

bakerhughesenergyservices.df.gov[.]br

bakerhughesenergy.edu[.]ee

bakerhughesenergyservices.net[.]ws

bakerhughesenergy.lib[.]ee

bakerhughesenergyservices.int[.]la

bakerhughesenergyservices.chantysothy[.]kh

bakerhughesenergyservices.gov[.]mu

bakerhughesenergy.org[.]ee

Duplicates:

bakerhughes.chantysothy[.]kh

baker-hughes.mil[.]tm

baker-hughes.df.gov[.]br

baker-hughes-energy.gov[.]mu

baker-hughes.edu[.]ws

baker-hughes-energy-services.nom[.]za

baker-hughes-energy-services.df.gov[.]br

baker-hughes-energy.mil[.]tm

baker-hughes-energy-services.gov[.]mu

baker-hughes-energy-services.com[.]ws

baker-hughes-energy-services.edu[.]ws

bakerhughesenergy.chantysothy[.]kh

bakerhughesenergyservices.aquila[.]it

bakerhughesenergyservices.edu[.]ee

bakerhughesenergyservices.net[.]ws

bakerhughesenergyservices.int[.]la

bakerhughes.mil[.]ph

Update:
baker-hughes-energy-services.org[.]ph

reddit.com
u/piratedeus — 5 days ago
▲ 14 r/threatintel+5 crossposts

Introducing FortiBleed!

The SOCRadar Threat Research team just uncovered a staggering, active hacking campaign exposing over 30,000 verified Fortinet firewall credentials.

Here is the damage report:

🌍 Global Reach: 194 countries affected, with the US sitting at the #2 most targeted spot.

🏦 High-Value Targets: The victim roster includes major banks, telecom giants, and government agencies.

🛠️Full Visibility: We tracked the entire operation—the attacker infrastructure, the tools, and the complete victim list.

⚠️ Status: STILL active as of this publication.

Don't wait for an incident to react. Dive into the full discovery, grab the IoCs, and take immediate steps to mitigate the risk and strengthen your posture.

Read the full FortiBleed breakdown here: https://socradar.io/blog/fortibleed-fortinet-firewalls-compromised/

#ThreatIntelligence #Fortinet #CyberSecurity #InfoSec #SOCRadar

u/socradario — 7 days ago
▲ 50 r/threatintel+3 crossposts

Tracking 3,900+ C2 servers, across 302 Eastern Europe providers

Over a three-month window Hunt.io mapped malicious infrastructure across 10 Eastern European countries and tracked more than 3,900 active C2 servers across 302 hosting providers.

A single Bulgarian host, Friendhosting, was running 2,100 of them, roughly 53.5% of the regional total. We also linked specific infrastructure to Cloud Atlas, ShinyHunters' PeopleSoft exploitation, and Nemesys ransomware sharing the same provider networks.

Read the full story: https://hunt.io/blog/eastern-europe-malicious-infrastructure-report

hunt.io
u/Straight-Practice-99 — 11 days ago
▲ 17 r/threatintel+7 crossposts

Dismantling FortiBleed: We found the Russian operation turning FortiGate firewalls into passive credential vacuums (110M+ creds harvested) 🚨

If you manage Fortinet gear, grab a coffee. You're going to need it. ☕

Our Threat Research team just published a massive teardown of a Russian compromise operation we’re tracking as FortiBleed. Active since at least February 2026, these threat actors aren't just doing simple smash-and-grabs—they’ve built a highly automated, industrialized credential-harvesting machine.

There is a special kind of irony when your firewall is the exact thing stealing your data. Here is the TL;DR of what we found under the hood:

  1. The Weapon: A custom Golang tool called "FortigateSniffer". It literally turns compromised firewalls into passive collectors, sniffing traffic across 24 different authentication protocols.
  2. The Scale: Over 430,000 FortiGate firewalls targeted. They ran 659+ harvest cycles, exposing over 110 million credentials (including RADIUS, NTLM, and Kerberos material).
  3. The Infrastructure:They aren't playing around. We mapped an isolated Kali VM lab, Hashtopolis and Hashcat GPU clusters, and rented vast(.)ai capacity used to crack hashes at scale.
  4. The Victims: The dominant profile is IT services and SMBs (under 200 employees), but they also successfully breached and exfiltrated DFS data from a NATO-aligned defense contractor.

We’ve broken down the complete 5-stage attack chain—from initial recon and brute-force to harvesting, cracking, and exfiltration.

We also dropped all the IoCs and defensive recommendations so you can set up timely alerts and mitigate risks before your network becomes a statistic.

Dive into the full teardown to help strengthen your security posture: https://hubs.la/Q04mc0fJ0

Stay sharp out there. Let us know what you think of the attack chain in the comments. 👇

reddit.com
u/socradario — 13 days ago
▲ 6 r/threatintel+1 crossposts

Notes from reversing a CodeStorm M365 phishing flow

I spent some time reversing a CodeStorm Microsoft 365 phishing flow that looked like a basic voicemail lure at first, but the deeper chain was more interesting.

The visible email was short:

missed call
date received
duration
reference number
open voicemail portal

Nothing too special on the surface.

The strange part was the full message body. Far below the visible lure, after a lot of whitespace, there was a full unrelated historical email thread with reply headers, signatures, disclaimers, addresses, and phone numbers.

I saw the same buried thread reused across unrelated victim environments.

That feels intentional. To the user, it is a short voicemail email. To a filter, it is a much longer business-looking message. That can change things like URL-to-text ratio, body length scoring, reply-chain heuristics, keyword density, and normal-business-language signals.

The rough flow I observed:

email lure
→ trusted redirectors
→ adservice hops
→ randomized landing domain
→ Cloudflare Turnstile
→ anti-analysis JavaScript
→ second-stage JavaScript
→ POST /google.php

The landing pages accepted the victim identity in multiple formats:

#<email>
?e=<email>
#?<random_param>=<base64_email>

The first-stage JavaScript included a few analyst-friction checks:

if (
  navigator.webdriver ||
  window.callPhantom ||
  window._phantom ||
  navigator.userAgent.includes("Burp")
) {
  window.location = "about:blank";
}

It also blocked common DevTools shortcuts, right-click, and used a debugger timing trap. If debugging was detected, it redirected to what looked like a legitimate Outlook encrypted-message URL.

The second stage used a backend controller pattern:

var file = "<base64 encoded URL>";
const controller = atob(file);

// decoded to:
// https://<backend-domain>/google.php

The backend actions I observed included:

do=check
do=login
do=verify
checkVerify

do=check appeared to perform Microsoft identity discovery. In controlled testing, managed M365 users, nonexistent users, and federated tenants received different responses.

Examples of the behavior:

managed M365 existing user
→ status=success
→ type=office
→ federationLogin=""
→ canary returned

managed M365 nonexistent user
→ status=error
→ "We couldn't find an account with that username. Try another account."

federated M365 tenant
→ status=success
→ federationLogin=<tenant federation route>
→ branding returned

provider-labeled federation example
→ type=godaddy
→ federationLogin=sso.godaddy.com/?domain=...&realm=pass&app=o365...

I would not treat GoDaddy as a separate authentication category. It is still a federated M365 path. The interesting part is that the backend can label some provider-backed federation routes.

For do=login, I only used fake credentials against a controlled tenant. The backend returned a Microsoft-style error:

{"status":"error","message":"Your account or password is incorrect"}

Immediately after, Entra sign-in logs showed failed OfficeHome sign-ins for the same account:

Application: OfficeHome
Client app: Browser
Status: Failure
Error: 50126
Failure reason: invalid username or password
Authentication requirement: single-factor authentication
Source IPs: external IPs

So this did not behave like a simple credential collection form. It attempted to validate or replay the submitted credentials against Microsoft.

I also saw the same /google.php controller model across rotating infrastructure. The visible frontend domains changed, but the protocol stayed consistent:

victim identity in URL
→ POST /google.php
→ do=check
→ do=login
→ do=verify / checkVerify

Static strings in the second-stage JavaScript showed support for multiple MFA-related paths, including authenticator app, OTP, SMS, phone call, and Hotmail-style recovery/OTP flows.

Some detection ideas from this analysis:

- short visible lure + very long unrelated buried thread
- voicemail-themed M365 lure with organization-specific subject
- self-addressed sender/recipient pattern
- Google redirector → adservice hop → S3 or randomized landing
- victim identity carried as email or base64 email in URL
- Turnstile gate before content
- anti-analysis checks for webdriver, Phantom, Burp, DevTools shortcuts
- browser POST to cross-site /google.php
- Entra OfficeHome failures with 50126 from external replay IPs after a phishing click

Main takeaway: the lure was basic, but the backend was not. The flow behaved like a tenant-aware M365 authentication relay, with identity discovery before credential replay.

u/ZeroBEC — 14 days ago
▲ 1 r/threatintel+2 crossposts

We are Anonymous. We have something to show you. C ⏱ M L. @ /u/ :D 8-

5⁄3 Oc. Not Q., C. S. Lou.

u/Bzzhum — 14 days ago