Front Page

Law Enforcement & Attribution

OSINT Catches Scattered Spider: 'Tylerb' Pleads Guilty to $8M SIM-Swap Campaign Against Twilio, LastPass & Others

On April 21, Tyler Robert Buchanan — a 24-year-old British national and senior Scattered Spider operator known as 'Tylerb' — pleaded guilty to wire fraud conspiracy and aggravated identity theft in federal court. Buchanan led SMS phishing campaigns that compromised Twilio, LastPass, DoorDash, Mailchimp, and at least eight other tech companies in 2022, enabling SIM-swap attacks that stole over $8 million in cryptocurrency from victims.

FBI investigators established attribution using open-source techniques: Buchanan had reused identical usernames and email addresses across dozens of phishing domain registrations, leaving a recoverable thread through infrastructure records. Spanish authorities arrested him in June 2024 while boarding a flight to Italy, and he was later extradited to the US. The case is a textbook example of how repeated identifiers in domain registration data enable OSINT attribution of otherwise sophisticated threat actors.
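As an added illustration (not code from the article or the investigation), the registration-data pivot described above as a small clustering routine: domains are linked whenever they share a registrant email or handle, using union-find so chains of reuse collapse into one cluster. The records are constructed, fictional placeholders, and the `NOISY_VALUES` set is an assumption showing why common shared values such as privacy-proxy addresses must be excluded before pivoting.

```python
from collections import defaultdict

# Constructed, fictional registration records: (domain, registrant_email, registrant_handle, registrar).
# None of these values come from the case; they only show the pattern of reuse.
RECORDS = [
    ("login-corp-sso.example", "reg1@mail.example", "hnd-a", "RegistrarA"),
    ("corp-okta-verify.example", "reg1@mail.example", "hnd-b", "RegistrarB"),
    ("hr-portal-auth.example", "reg2@mail.example", "hnd-b", "RegistrarA"),
    ("vpn-sso-check.example", "reg4@mail.example", "hnd-a", "RegistrarC"),
    ("unrelated-shop.example", "privacy@proxy.example", "hnd-c", "RegistrarC"),
    ("another-site.example", "privacy@proxy.example", "hnd-d", "RegistrarC"),
]

# Assumed list of values too common to pivot on (e.g. a WHOIS privacy proxy's contact address).
NOISY_VALUES = {"privacy@proxy.example"}


def cluster_by_shared_identifiers(records, noisy_values):
    """Group domains that share a registrant email or handle; return [(members, linking_pivots)]."""
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    domains_by_pivot = defaultdict(set)  # (field, value) -> domains registered with it
    for domain, email, handle, _registrar in records:  # registrar is too generic to pivot on
        parent.setdefault(domain, domain)
        for field, value in (("email", email), ("handle", handle)):
            value = value.lower()
            if value in noisy_values:
                continue  # shared proxy/placeholder values would falsely link unrelated domains
            domains_by_pivot[(field, value)].add(domain)
    for domains in domains_by_pivot.values():
        first = next(iter(domains))
        for d in domains:
            union(first, d)
    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    result = []
    for members in clusters.values():
        links = sorted(f"{f}={v}" for (f, v), ds in domains_by_pivot.items()
                       if len(ds) > 1 and ds <= members)
        result.append((sorted(members), links))
    result.sort(key=lambda r: (-len(r[0]), r[0]))  # largest cluster first
    return result
```

Run `cluster_by_shared_identifiers(RECORDS, NOISY_VALUES)` to see the four phishing-style domains collapse into one cluster while the two proxy-registered domains stay separate; passing an empty noise set instead shows them wrongly joined.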

Social Engineering & Lateral Movement

UNC6692 Weaponizes FTK Imager to Steal Active Directory Databases via Fake Microsoft Teams IT Helpdesk

Google Threat Intelligence Group and Mandiant disclosed UNC6692 — a newly identified threat group combining email flooding, Microsoft Teams impersonation of IT helpdesk staff, and a custom modular malware suite named SNOW. Active since December 2025, the campaign targets senior employees (77% of March–April incidents were director-level or above). Initial access is pure social engineering — no CVE exploitation required.

Once inside, UNC6692 deploys SNOWBELT (Chrome extension for persistence), SNOWGLAZE (Python tunneler), and SNOWBASIN (Python backdoor), then spreads via PsExec and LSASS credential dumping. Most forensically significant: the group weaponizes legitimate forensic tool FTK Imager to extract the Active Directory database (ntds.dit) and registry hives before exfiltration via LimeWire peer-to-peer sharing — adding FTK Imager to the growing list of DFIR tools turned against defenders.

Threat Bulletin

ACTIVE EXPLOIT
CVE-2026-33825

Microsoft Defender — insufficient access control enabling local privilege escalation; added to CISA KEV April 22, 2026 with confirmed active exploitation in the wild. Forensic Note: Review Windows Security logs for unexpected privilege escalation sequences (Event ID 4672/4673) and Defender service modification events that may indicate exploitation prior to detection.

CRITICAL
CVE-2025-31324

SAP NetWeaver Visual Composer — unrestricted file upload to Metadata Uploader endpoint enabling unauthenticated RCE; CVSS 10.0. Active exploitation campaigns targeting unpatched instances renewed in April 2026. Forensic Note: Inspect SAP HTTP access logs for POST requests to /developmentserver/metadatauploader and scan web-accessible directories for planted JSP or ASPX web shells.

Malware Spotlight

Lotus Wiper (Venezuela Energy Sector)

Data-wiping malware targeting Venezuela's energy and utilities sector; compiled September 2025, active through April 2026. Two batch scripts orchestrate MBR overwrite, drive destruction, defense weakening, and full-volume file deletion — no ransom demand, pure geopolitical sabotage. Forensic Note: Disk imaging must be prioritized on triage; hunt batch script artifacts and abnormal system utility process trees in Windows event logs preceding the wipe timestamp.