Security Articles


Analysis of New Mobile Banking Malware

released on 2025-04-01 @ 09:23:35 PM
Salvador Stealer is a newly discovered Android malware that poses as a banking application to steal sensitive user information. It employs a multi-stage attack chain, utilizing a dropper APK to install the main payload. The malware incorporates a phishing website within the app to collect personal and banking data, including Aadhaar numbers, PAN card details, and net banking credentials. It exfiltrates stolen information in real-time to both a phishing server and a Telegram-based Command and Control server. Salvador Stealer also intercepts SMS messages to capture one-time passwords and banking verification codes, bypassing two-factor authentication. The malware demonstrates persistence mechanisms, automatically restarting itself if stopped and surviving device reboots. Analysis revealed exposed infrastructure, including an accessible admin panel, potentially linking the attacker to India.

Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon

released on 2025-04-01 @ 03:36:09 PM
Since late 2024, attackers have employed new tactics in phishing documents containing QR codes. These include concealing final phishing destinations using legitimate websites' redirection mechanisms and adopting Cloudflare Turnstile for user verification. Some phishing sites specifically target credentials of particular victims. QR code phishing, or quishing, embeds phishing URLs into QR codes, enticing recipients to scan them with smartphones. This bypasses traditional security measures and targets personal devices. Attackers use URL redirection, exploit open redirects, and incorporate human verification within redirects to evade detection. The phishing operations typically involve redirection, human verification, and credential harvesting. These evolving tactics challenge both security detection mechanisms and user awareness.

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

released on 2025-04-01 @ 03:24:42 PM
In January 2025, a Managed Service Provider administrator was targeted by a sophisticated phishing attack impersonating a ScreenConnect authentication alert. The attackers, affiliated with Qilin ransomware and tracked as STAC4365, used an adversary-in-the-middle technique to bypass multi-factor authentication and gain access to the MSP's ScreenConnect environment. They deployed their own ScreenConnect instance across multiple customer networks, performed reconnaissance, collected and exfiltrated data, and ultimately deployed Qilin ransomware. This attack matches a pattern of similar incidents dating back to 2022, utilizing fake ScreenConnect domains and the evilginx framework to intercept credentials and session cookies. The attackers employed various tools for lateral movement and defense evasion, including PsExec, NetExec, and WinRM.

From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic

released on 2025-04-01 @ 02:59:30 PM
Lazarus, a North Korean state-sponsored threat actor, has launched a new campaign called ClickFake Interview targeting cryptocurrency job seekers. This campaign, an evolution of the previously documented Contagious Interview, uses fake job interview websites to deploy the GolangGhost backdoor on Windows and macOS systems. The infection chain leverages the ClickFix tactic, downloading and executing malicious payloads during the interview process. The campaign primarily targets centralized finance (CeFi) entities, aligning with Lazarus' focus on cryptocurrency-related targets. Notable changes include targeting non-technical roles and using ReactJS-based websites for the fake interviews. The malware provides remote control and data theft capabilities, including browser information exfiltration.

Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants

released on 2025-04-01 @ 02:48:14 PM
Silent Push Threat Analysts have uncovered a sophisticated phishing campaign targeting individuals sympathetic to Ukraine's defense, Russian citizens, and potential informants. The operation, believed to be orchestrated by Russian Intelligence Services, employs four major phishing clusters impersonating the CIA, Russian Volunteer Corps, Legion Liberty, and Hochuzhit. These campaigns aim to collect personal information from victims through fake websites and forms. The threat actors utilize bulletproof hosting, domain spoofing, and Google Forms to lure targets into providing sensitive data. The campaign's persistence, long-term targeting of specific groups, and impersonation of official organizations without apparent financial motives strongly suggest state-sponsored involvement. Mitigation efforts include identifying and blocking associated domains and IPs.

The Shelby Strategy

released on 2025-04-01 @ 02:48:13 PM
The SHELBY malware family exploits GitHub for command-and-control operations, employing sophisticated techniques to evade detection. The malware consists of a loader (SHELBYLOADER) and a backdoor (SHELBYC2), both obfuscated using Obfuscar. SHELBYLOADER employs various sandbox detection methods and uses GitHub for initial registration and key retrieval. SHELBYC2 communicates with the attacker's infrastructure using GitHub API, allowing for file uploads, downloads, and command execution. The campaign targets Iraqi telecommunications and potentially UAE airports, utilizing highly targeted phishing emails. Despite its sophistication, the malware's design has a critical flaw: anyone with the embedded Personal Access Token can control infected machines, exposing a significant security vulnerability.

Delivering Trojans Via ClickFix Captcha

released on 2025-04-01 @ 02:48:07 PM
A new social engineering technique exploiting ClickFix Captcha has emerged as an effective method for delivering various types of malware, including Quakbot. This technique deceives users and bypasses security measures by utilizing a seemingly harmless captcha. The process involves redirecting users to a ClickFix captcha that tricks them into executing a malicious command on their local machine. The command downloads and executes obfuscated PowerShell scripts, which then retrieve and deploy the actual malware payload. The attackers use sophisticated obfuscation techniques, including fake ZIP files and PHP-based droppers, to evade detection and analysis. This method's success lies in exploiting user trust in captchas and legitimate-looking websites, increasing the likelihood of unknowing malware execution.

TsarBot Trojan Hits 750+ Banking & Crypto Apps!

released on 2025-04-01 @ 02:48:06 PM
A newly discovered Android banking Trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. It spreads through phishing sites masquerading as legitimate financial platforms and is installed via a dropper disguised as Google Play Services. TsarBot employs overlay attacks to steal credentials, records and remotely controls screens, and uses a fake lock screen to capture device lock credentials. It communicates with its C&C server using WebSocket across multiple ports to receive commands, send stolen data, and execute on-device fraud. The malware's capabilities include screen recording, keylogging, and SMS interception. Evidence suggests the threat actor behind TsarBot is likely of Russian origin.

SVG Phishing Malware Being Distributed with Analysis Obstruction Feature

released on 2025-04-01 @ 02:48:03 PM
A sophisticated phishing malware using Scalable Vector Graphics (SVG) format has been identified. The malware embeds malicious scripts within SVG files, using Base64 encoding to bypass detection. It employs various techniques to obstruct analysis, including blocking automation tools, preventing specific keyboard shortcuts, disabling right-clicks, and detecting debugging attempts. The malware redirects users to a fake CAPTCHA page, which, when interacted with, leads to further malicious actions, potentially a phishing site impersonating Microsoft login pages. This evolving threat highlights the need for increased user vigilance, especially when dealing with SVG files from unknown sources.

Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques

released on 2025-04-01 @ 02:48:02 PM
Konni RAT, a sophisticated remote access Trojan targeting Windows systems, employs a multi-stage attack process using batch files, PowerShell scripts, and VBScript. It exploits Windows Explorer limitations, obfuscates file paths, dynamically generates URLs, and uses temporary files to erase activity traces. The malware efficiently exfiltrates critical data to remote servers and maintains persistence through registry modifications. Key tactics include exploiting file extension hiding, the 260-character limit in LNK files, and complex variables for detection evasion. Konni RAT's modular design and advanced strategies present substantial risks to system security, highlighting the need for robust cybersecurity measures and proactive defense strategies.

Remcos RAT Malware Disguised as Major Carrier's Waybill

released on 2025-04-01 @ 02:48:00 PM
A sophisticated malware campaign has been discovered, utilizing the Remcos RAT disguised as a shipping company waybill. The attack begins with an email containing an HTML script, which when executed, downloads a JavaScript file. This file creates and downloads several components, including a configuration file, an encoded Remcos binary, a legitimate AutoIt loader, and a malicious AutoIt script. The AutoIt script employs evasion techniques, establishes persistence, decrypts the Remcos binary, and executes shellcode. The shellcode injects Remcos into a legitimate process (RegSvcs.exe) using various API calls. The Remcos RAT, once active, can steal information and execute remote commands based on C2 instructions. The campaign demonstrates the evolving tactics of cybercriminals, emphasizing the need for caution when handling emails from unknown sources.

PhaaS actor uses DoH and DNS MX to dynamically distribute phishing

released on 2025-03-31 @ 07:56:09 PM
Infoblox discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.

New HijackLoader Evasion Tactics

released on 2025-03-31 @ 07:05:18 PM
HijackLoader, a malware loader discovered in 2023, has evolved with new modules and evasion tactics. Recent updates include call stack spoofing to mask function call origins, virtual machine detection to identify analysis environments, and persistence establishment via scheduled tasks. The loader now implements anti-VM checks, mutex creation, custom injection paths, and additional modules for various functions. Notable changes include the addition of new blocklisted processes and modifications to module decryption methods. HijackLoader's modular nature and continuous updates suggest ongoing efforts to enhance its anti-detection capabilities and complicate analysis.

Analysis: SmokeLoader malware distribution

released on 2025-03-31 @ 07:05:17 PM
A malicious campaign targeting First Ukrainian International Bank has been observed using the Emmenhtal loader to distribute SmokeLoader malware. The infection chain begins with a deceptive email containing a 7z archive, which extracts to reveal a bait PDF and a shortcut file. The shortcut downloads additional files, leading to the execution of PowerShell and Mshta to retrieve the Emmenhtal loader. This loader, disguised as a modified Windows utility, deploys SmokeLoader while maintaining a stealthy execution flow. SmokeLoader, a modular malware, can download additional payloads, steal credentials, and execute remote commands. The campaign demonstrates the evolving tactics of financially motivated threat actors, leveraging LOLBAS techniques and commercial protection tools for obfuscation.

Operation HollowQuill: Russian R&D Networks Targeted via Decoy PDFs

released on 2025-03-31 @ 12:20:31 PM
Operation HollowQuill targets Russian research and defense networks, particularly the Baltic State Technical University, using weaponized decoy documents disguised as research invitations. The attack chain involves a malicious RAR file containing a .NET dropper, which deploys a Golang-based shellcode loader and a legitimate OneDrive application. The final payload is a Cobalt Strike beacon. The campaign focuses on academic institutions, military and defense industries, aerospace and missile technology, and government-oriented research entities within the Russian Federation. The threat actor employs sophisticated techniques, including anti-analysis measures, APC injection, and infrastructure rotation across multiple ASNs.

Fake Zoom Ends in BlackSuit Ransomware

released on 2025-03-31 @ 05:40:35 AM
A malicious website mimicking Zoom led to the installation of a trojanized installer, initiating a multi-stage attack. The initial payload, d3f@ckloader, downloaded additional components, including SectopRAT. After nine days, the threat actor deployed Brute Ratel and Cobalt Strike beacons for lateral movement. They used various techniques for discovery and credential access, including LSASS memory dumping. The attacker employed QDoor for proxying RDP connections, facilitating data collection and exfiltration via the cloud service Bublup. The intrusion culminated in the deployment of BlackSuit ransomware across multiple systems using PsExec, with a total time to ransomware of 194 hours over nine days.

Pulling the Threads on the Phish of Troy Hunt

released on 2025-03-29 @ 07:24:42 PM
A sophisticated phishing attack targeted Troy Hunt, compromising his Mailchimp account. The analysis reveals connections to the Scattered Spider group through domain pivoting. Using Validin's DNS, host response, and registration data, dozens of related domain names were uncovered. The investigation exposed a fake Cloudflare turnstile and bogus registration details. Pivoting on various features led to the discovery of multiple related domains and IP addresses. The attack's tactics strongly resemble those of Scattered Spider, including the reuse of previously used domains. The findings demonstrate the power of Validin's databases for uncovering adversary infrastructure and strengthening threat intelligence.

A Deep Dive into Water Arsenal and Infrastructure

released on 2025-03-29 @ 10:29:54 AM
Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads like EncryptHub Stealer variants, SilentPrism and DarkWisp backdoors, as well as known malware like Stealc and Rhadamanthys. Their delivery methods include malicious provisioning packages, signed .msi files, and Windows MSC files. The attackers employ techniques such as LOLBins and encrypted communications to evade detection. Their infrastructure includes C&C servers for managing infected systems and exfiltrating data. The campaign highlights the group's adaptability and sophistication in cyber espionage operations.

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

released on 2025-03-28 @ 03:56:38 PM
A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader that contacts geo-fenced servers in Russia and Germany. The second-stage payload uses DLL sideloading to load the Remcos backdoor, which communicates with a C2 server on a specific port. The activity is attributed to the Gamaredon threat actor group with medium confidence. The campaign uses the invasion of Ukraine as a theme in phishing attempts, distributing LNK files disguised as Office documents. The servers used are mostly hosted by the GTHost and HyperHosting ISPs.

Apache Tomcat: CVE-2025-24813: Active Exploitation

released on 2025-03-28 @ 03:56:38 PM
A critical path equivalence vulnerability in Apache Tomcat, CVE-2025-24813, allows unauthenticated attackers to execute arbitrary code on vulnerable servers under specific conditions. The vulnerability affects Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98, and certain 8.5.x versions. Exploitation requires specific server configurations and involves sending malicious PUT and GET requests. Six malicious IP addresses have been identified attempting to exploit this vulnerability, targeting systems in the US, Japan, Mexico, South Korea, and Australia. Multiple proof-of-concept exploits have been published, increasing the likelihood of ongoing exploitation attempts. Users are advised to upgrade to patched versions or implement network-level controls to restrict access to the Tomcat server.

Money Laundering 101, and why there is concern

released on 2025-03-28 @ 12:35:02 AM
This newsletter discusses the process of money laundering in the context of cybercrime, particularly ransomware attacks. It explains the three basic steps of money laundering: placement, layering, and integration. The author expresses concern about regulatory changes that might facilitate easier money laundering, emphasizing the importance of targeting money laundering infrastructure to combat cybercrime. The newsletter also highlights recent security issues, including airport outages in Malaysia, satellite security, and a Chrome zero-day vulnerability. Additionally, it provides information on upcoming security events and lists prevalent malware files detected by Talos telemetry.

When Getting Phished Puts You in Mortal Danger

released on 2025-03-28 @ 12:35:01 AM
The article discusses a network of phishing domains targeting Russians searching for anti-Putin organizations. These domains mimic recruitment websites of Ukrainian paramilitary groups and intelligence agencies. The scam aims to collect personal information from potential recruits, likely for Russian intelligence services. Victims who fall for these phishing attempts risk severe legal consequences, including lengthy prison sentences for alleged treason. The phishing sites are promoted through search engine manipulation, appearing at the top of results on platforms like Yandex, DuckDuckGo, and Bing. The campaign's effectiveness is demonstrated by regular reports of arrests in Russia related to alleged attempts to aid Ukrainian forces.

PJobRAT makes a comeback, takes another crack at chat apps

released on 2025-03-27 @ 09:52:44 PM
In the latest campaign, X-Ops researchers found PJobRAT samples disguising themselves as instant messaging apps. In our telemetry, all the victims appeared to be based in Taiwan.

Over 150K websites hit by full-page hijack linking to Chinese gambling sites

released on 2025-03-27 @ 09:50:48 PM
In February, C/Side uncovered a threat actor targeting over 35,000 websites with a malicious full-page hijack injection. C/Side continued to monitor this actor's activities and has identified new tactics and techniques. The actor has scaled up operations significantly, and C/Side now estimates that approximately 150,000 websites have been impacted by this campaign.

Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads

released on 2025-03-27 @ 09:47:08 PM
Kimsuky, also known as "Black Banshee," is a North Korean APT group active since at least 2012 and believed to be state-sponsored. Its cyber espionage targets countries such as South Korea, Japan, and the U.S. Its tactics include phishing, malware infections (RATs, backdoors, wiper malware), supply chain attacks, lateral movement within networks, and data exfiltration.

TURNING AID INTO ATTACK: EXPLOITATION OF PAKISTAN’S YOUTH LAPTOP SCHEME TO TARGET INDIA

released on 2025-03-27 @ 09:43:33 PM
A Pakistan-based APT group, assessed with medium confidence as APT36, created a fake IndiaPost website to target and infect both Windows and Android users.

CVE-2025-29927: Next.js Middleware Authorization Bypass Flaw

released on 2025-03-27 @ 06:47:12 PM
A critical vulnerability, CVE-2025-29927, with a CVSS score of 9.1 was disclosed on March 21, 2025. This flaw allows attackers to bypass authorization checks in Next.js Middleware, potentially granting unauthorized access to protected resources. The vulnerability affects applications using Middleware for user authorization, session data validation, route access control, redirections, and UI visibility management. The issue stems from how the runMiddleware function handles the x-middleware-subrequest header. Attackers can craft malicious headers to bypass middleware controls. Affected versions range from 11.1.4 to 15.2.3. Users are urged to update to patched versions or implement mitigation strategies to block external requests containing the vulnerable header.

Shifting the sands of RansomHub's EDRKillShifter

released on 2025-03-27 @ 11:03:57 AM
ESET researchers analyze the ransomware ecosystem in 2024, focusing on the newly emerged RansomHub gang. They uncover connections between RansomHub affiliates and rival gangs Play, Medusa, and BianLian through the use of EDRKillShifter, a custom EDR killer developed by RansomHub. The researchers leverage the widespread adoption of EDRKillShifter to track affiliate activities across multiple gangs and reconstruct its development timeline. The article also discusses the rise of EDR killers in ransomware attacks and provides insights into their anatomy and defense strategies. Despite disruptions to major ransomware groups, new threats like RansomHub quickly filled the void, highlighting the need for continued vigilance and law enforcement efforts targeting both operators and affiliates.

Snow White — Beware the Bad Apple in the Torrent

released on 2025-03-27 @ 11:03:55 AM
A new malware campaign is targeting users attempting to download the Snow White movie through torrent sites. The attackers exploit a compromised blog to distribute a malicious torrent package disguised as a pirated version of the film. The package contains a fake codec installer that, when executed, deploys sophisticated malware. This malware disables security features, installs the TOR browser, and communicates with a Dark Web C2 server. The campaign revives old social engineering tactics while incorporating modern malware delivery methods and anti-detection techniques. The article provides file hashes and IoCs for detection, emphasizing the ongoing risks associated with pirated content and the importance of updated security measures.

CoffeeLoader: A Brew of Stealthy Techniques

released on 2025-03-27 @ 11:03:53 AM
CoffeeLoader is a sophisticated malware family discovered in September 2024, designed to download and execute second-stage payloads while evading detection. It employs numerous techniques to bypass security solutions, including a GPU-utilizing packer, call stack spoofing, sleep obfuscation, and Windows fibers. The malware uses HTTPS for command-and-control communications with certificate pinning to prevent man-in-the-middle attacks. It supports various commands for injecting and running shellcode, executables, and DLLs. CoffeeLoader shares similarities with SmokeLoader, which has been observed distributing it. The loader implements advanced features beneficial for evading detection by antivirus, EDRs, and malware sandboxes, making it a formidable threat in the crowded market of malware loaders.

You will always remember this as the day you finally caught FamousSparrow

released on 2025-03-26 @ 08:15:33 PM
ESET researchers uncovered new activity by the FamousSparrow APT group, including two undocumented versions of their SparrowDoor backdoor. The group compromised a US financial sector trade group and a Mexican research institute in July 2024. The new SparrowDoor versions show significant improvements in code quality and architecture, implementing command parallelization. FamousSparrow also used the ShadowPad backdoor for the first time. The analysis revealed links between FamousSparrow and other China-aligned threat actors like Earth Estries. The group's continued development of tools during a period of apparent inactivity suggests they remained active but undetected from 2022 to 2024.

Kentico Xperience Staging Service Authentication Bypass Vulnerabilities (CVE-2025-2746 & CVE-2025-2747)

released on 2025-03-26 @ 08:15:33 PM
Two critical security flaws, CVE-2025-2746 and CVE-2025-2747, have been discovered in Kentico Xperience 13, a digital experience platform. These vulnerabilities allow unauthenticated attackers to bypass the Staging Sync Server's authentication, potentially gaining administrative control over the CMS. Both issues have a CVSS score of 9.8, indicating their severity. The vulnerabilities affect Kentico Xperience through version 13.0.178 when the Staging Service is enabled and configured to use username/password authentication. Exploitation can lead to unauthorized administrative access, remote code execution, data breaches, and system disruption. Mitigation steps include patching, disabling or restricting the Staging Service, using certificate-based authentication, and implementing enhanced monitoring and hardening measures.

Malware found on npm infecting local package with reverse shell

released on 2025-03-26 @ 04:55:36 PM
A sophisticated malware campaign targeting npm packages has been discovered, involving two malicious packages: ethers-provider2 and ethers-providerz. These packages act as downloaders, hiding their malicious payload cleverly. Upon installation, they patch the legitimate locally-installed npm package 'ethers' with a new file containing malicious code. This patched file ultimately serves a reverse shell, connecting to the threat actor's server. The malware employs evasive techniques, maintaining persistence even after removal of the original malicious package. This approach demonstrates a high level of sophistication and poses a significant threat to software supply chain security. The campaign also includes other related packages, highlighting the growing scope of risks for both software producers and end-user organizations.

Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants

released on 2025-03-26 @ 03:23:26 PM
ReaderUpdate, a macOS malware loader platform active since 2020, has evolved to include variants written in Crystal, Nim, Rust, and now Go programming languages. Originally a compiled Python binary, the malware has been largely dormant until late 2024. The loader is capable of executing remote commands, potentially offering Pay-Per-Install or Malware-as-a-Service. It collects system information, creates persistence mechanisms, and communicates with command and control servers. The Go variant, less common than others, uses string obfuscation techniques to hinder analysis. While currently associated with adware delivery, the loader's capabilities pose a potential threat for more malicious payloads in the future.

A Practical Guide to Uncovering Malicious Infrastructure With Hunt.io

released on 2025-03-25 @ 11:57:11 PM
This guide demonstrates how to use Hunt.io to investigate and track malicious infrastructure. Starting with a single suspicious IP address, the process involves analyzing hosting providers, domain information, open ports, HTTP responses, and TLS certificates. The investigation reveals connections to potential cryptocurrency fraud and malware operations. By leveraging Hunt's scan data and SQL queries, a small cluster of related servers is identified, possibly linked to Latrodectus malware. The guide emphasizes the importance of persistence, pattern recognition, and correlating data from multiple intelligence sources to effectively track threat actor operations.

Operation ForumTroll exploits zero-days in Google Chrome

released on 2025-03-25 @ 11:09:05 PM
In March 2025, a sophisticated malware campaign exploited a zero-day vulnerability in Google Chrome to infect targets. The attack, dubbed Operation ForumTroll, used personalized phishing emails with short-lived links to deliver malware. Kaspersky detected the exploit, reported it to Google, and an update was released to fix the vulnerability (CVE-2025-2783). The campaign targeted media outlets, educational institutions, and government organizations in Russia, disguising itself as invitations to the 'Primakov Readings' forum. The attackers' goal appears to be espionage, and the sophistication of the malware suggests a state-sponsored APT group is behind the operation. The exploit chain involved sandbox escape and remote code execution, though only the former was fully analyzed.

CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin

released on 2025-03-25 @ 09:10:09 PM
Trend Research uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework to execute malicious code, named MSC EvilTwin (CVE-2025-26633).

New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI

released on 2025-03-25 @ 06:56:55 PM
Cybercriminals are exploiting .NET MAUI, a cross-platform development framework, to create Android malware that evades detection. These threats disguise themselves as legitimate apps, targeting users to steal sensitive information. The malware campaigns use techniques such as hiding code in blob files, multi-stage dynamic loading, and encrypted communications to avoid security measures. Two examples are discussed: a fake bank app targeting Indian users and a fake social media app targeting Chinese-speaking users. The latter employs advanced evasion techniques like excessive permissions in the AndroidManifest.xml file and encrypted socket communication. Users are advised to be cautious when downloading apps from unofficial sources and to use up-to-date security software for protection.

GorillaBot: Technical Analysis and Code Similarities with Mirai

released on 2025-03-25 @ 05:38:01 PM
GorillaBot is a newly discovered Mirai-based botnet that has launched over 300,000 attacks across more than 100 countries, targeting various industries including telecommunications, finance, and education. It reuses Mirai's core logic while adding custom encryption and evasion techniques. The malware uses raw TCP sockets and a custom XTEA-like cipher for C2 communication, implements anti-debugging and anti-analysis checks, and authenticates to its C2 server using a SHA-256-based token. Attack commands are encoded, hashed, and processed using a Mirai-style attack_parse function. GorillaBot's sophistication highlights the ongoing evolution of legacy malware and the need for advanced analysis tools to combat such threats.

YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

released on 2025-03-25 @ 05:37:59 PM
Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake Microsoft webpages. These pages trick users into executing PowerShell scripts that download and run malware, such as Lumma Stealer. The malware steals browser data, cryptocurrency wallet information, and other sensitive data, transmitting it to command and control servers. The attack chain includes stealth and persistence mechanisms to evade detection. This campaign exploits content creators' interest in brand deals and partnerships, representing an evolution of previously observed tactics against YouTube channels.

Weaver Ant, the Web Shell Whisperer: Tracking a China-Nexus Cyber Operation

released on 2025-03-25 @ 01:10:16 PM
Sygnia uncovered a sophisticated China-nexus threat actor, Weaver Ant, targeting a major Asian telecom company. The group employed web shells and tunneling techniques for persistence and lateral movement, maintaining access for over four years. They utilized encrypted China Chopper and custom 'INMemory' web shells, along with a recursive HTTP tunnel tool for internal network access. Weaver Ant demonstrated advanced evasion techniques, including ETW patching, AMSI bypassing, and 'PowerShell without PowerShell' execution. The operation involved extensive reconnaissance, credential harvesting, and data exfiltration. Despite eradication attempts, the group showed remarkable persistence, adapting their tactics to regain access.

SnakeKeylogger: Multistage Info Stealer Malware Analysis & Prevention

released on 2025-03-25 @ 10:46:34 AM
SnakeKeylogger is a highly active credential-stealing malware targeting individuals and businesses. It employs a multi-stage infection chain, starting with malicious spam emails containing .img files. The malware uses sophisticated techniques like process hollowing and obfuscation to evade detection. It targets various applications, including web browsers, email clients, and FTP software, to harvest sensitive data and credentials. The campaign utilizes an Apache server for malware distribution, regularly updating encrypted payloads. SnakeKeylogger's primary objective is to collect Outlook profile credentials, email configurations, and stored authentication details, which can be exploited for business email compromise or sold on underground markets.

New Phishing Campaign Uses Browser-in-the-Browser Attacks to Target Video Gamers/Counter-Strike 2 Players

released on 2025-03-25 @ 09:02:32 AM
A sophisticated phishing campaign targeting Counter-Strike 2 players has been uncovered, employing browser-in-the-browser (BitB) attacks. The campaign aims to steal Steam accounts by creating convincing fake browser pop-ups that mimic legitimate login pages. The threat actors are abusing the identity of the pro eSports team Navi and promoting their scams on platforms like YouTube. The stolen accounts are likely intended for resale on online marketplaces. The majority of the phishing sites are in English, with one Chinese site discovered. This campaign highlights the ongoing evolution of phishing techniques and the importance of vigilance when encountering login pop-ups, especially for desktop users.

VanHelsing: New RaaS in Town

released on 2025-03-23 @ 03:40:51 PM
VanHelsing RaaS, a new ransomware-as-a-service program launched on March 7, 2025, has quickly gained traction in the cybercrime world. With a low $5,000 deposit for affiliates, it offers an 80% cut of ransom payments. The service provides a user-friendly control panel and targets multiple platforms, including Windows, Linux, BSD, ARM, and ESXi systems. Within two weeks of its launch, VanHelsing infected three victims, demanding large ransoms. The ransomware, written in C++, is actively evolving, with two variants discovered just five days apart. It employs various techniques to evade detection, including a 'Silent' mode and selective encryption of files. The rapid growth and sophistication of VanHelsing RaaS highlight the increasing threat of ransomware attacks.

SVC New Stealer on the Horizon

released on 2025-03-21 @ 06:47:00 PM
SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates specific processes, and harvests data from various sources. It compresses the collected information and sends it to a command and control server. The malware can also download additional payloads and implements evasion techniques. It targets multiple browsers, messaging applications, and specific file types. The campaign was observed in late January 2025, with the threat actors potentially selling the stolen data on underground forums and marketplaces.

Real-Time Anti-Phishing: Essential Defense Against Evolving Cyber Threats

released on 2025-03-21 @ 10:33:20 AM
Phishing remains a prevalent cybersecurity threat, causing financial loss, data theft, and malware deployment. Attackers are expanding targets across platforms and using AI to refine techniques, making detection more challenging. Real-time anti-phishing (RTAP) solutions using AI and machine learning are crucial to combat emerging threats. Recent trends show Facebook as a consistent target, with Roblox and various platforms like Telegram, Coinbase, and PayPal also being targeted. FortiGuard Labs offers advanced RTAP services, employing machine learning, URL reputation checks, and content analysis. Employee awareness and education are essential, with tools like FortiPhish and FortiSAT available for training. The evolving nature of phishing attacks necessitates continuous adaptation of cybersecurity measures to stay ahead of cybercriminals.

Clickbait to Catastrophe: How a Fake Meta Email Leads to Password Plunder

released on 2025-03-21 @ 10:33:19 AM
A sophisticated phishing campaign targeting Meta Business accounts has been uncovered by the Cofense Phishing Defense Center. The attack begins with a fake Instagram alert claiming the user's ads are suspended due to policy violations. Victims are directed to a fraudulent page mimicking Meta's business help center, where they're prompted to interact with a fake chat support or follow step-by-step instructions. The ultimate goal is to trick users into adding the attacker's device as a secure login method via Two-Factor Authentication, effectively hijacking the account. The campaign employs convincing email templates, landing pages, and even includes live agent support to add credibility. Users are urged to verify communications and examine URLs carefully before taking action to protect their social media credentials.

Operation FishMedley targeting governments, NGOs, and think tanks

released on 2025-03-21 @ 10:33:19 AM
ESET researchers have uncovered a global espionage operation called Operation FishMedley, conducted by the FishMonger APT group, which is operated by the Chinese contractor I-SOON. The campaign targeted governments, NGOs, and think tanks across Asia, Europe, and the United States during 2022. The attackers used implants like ShadowPad, SodaMaster, and Spyder, which are common or exclusive to China-aligned threat actors. The operation involved sophisticated tactics including lateral movement, credential theft, and custom malware deployment. Seven victims were identified across various countries and sectors. The analysis provides technical details on the malware used, initial access methods, and command and control infrastructure.

The rising threat of social engineering through fake fixes

released on 2025-03-21 @ 10:33:17 AM
ClickFix is an emerging social engineering tactic that manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance. Attackers present fake error messages, CAPTCHA verifications, or system prompts to convince users to take actions that compromise their devices, often by manually copying and pasting malicious commands into the command line. This method bypasses modern security solutions by tricking users into executing commands themselves. Recent campaigns like OBSCURE#BAT and Storm-1865 have targeted various industries and regions. The attack vector has been observed in Field Effect's telemetry, with attempts to deploy AsyncRAT and other malware. Mitigation strategies include restricting command line use, deploying advanced threat detection solutions, enhancing email and web filtering, training users, and maintaining up-to-date security measures.

Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations

released on 2025-03-21 @ 10:33:15 AM
The Albabat ransomware group has evolved its malware to target Windows, Linux, and macOS devices, as evidenced by new versions 2.0.0 and 2.5. The group is using GitHub to streamline operations, storing configuration files and essential components. The ransomware ignores specific folders, encrypts certain file extensions, and kills various processes. It collects system information and stores it in a PostgreSQL database. The GitHub repository, created in February 2024, shows active development with increased activity during specific hours. A newer version 2.5 is likely in development, introducing new cryptocurrency wallets. To mitigate the threat, organizations should implement regular backups, network segmentation, system updates, and user training.

Unboxing Anubis: Exploring the Stealthy Tactics of FIN7's Latest Backdoor

released on 2025-03-20 @ 07:04:32 PM
FIN7, a notorious cybercrime group, has developed a new Python-based backdoor called AnubisBackdoor. This sophisticated tool employs multi-stage attacks, encryption, and obfuscation techniques to evade detection. The malware is distributed through phishing campaigns and uses AES encryption with multiple layers of obfuscation. AnubisBackdoor's core functionality includes network communication, system access, and anti-analysis features. It can execute commands, manipulate files, and gather system information. The backdoor maintains persistence through Windows Registry and uses a custom command protocol for C2 communication. This new tool demonstrates FIN7's continued evolution in developing covert communication channels and highlights their advanced capabilities in cybercrime operations.

Shedding light on the ABYSSWORKER driver

released on 2025-03-20 @ 03:17:53 PM
The ABYSSWORKER driver is a malicious tool used in conjunction with MEDUSA ransomware to disable anti-malware systems. It employs a HEARTCRYPT-packed loader and a revoked certificate-signed driver to target and silence EDR vendors. The driver imitates a legitimate CrowdStrike Falcon driver and uses obfuscation techniques to hinder analysis. It provides various functionalities including file manipulation, process and driver termination, and EDR system disabling. The driver's capabilities include removing callbacks, replacing driver functions, killing system threads, and detaching mini-filter devices. It uses unconventional methods like creating IRPs from scratch to perform file operations. The malware's sophisticated approach demonstrates the evolving tactics of cybercriminals in evading detection and disabling security measures.

Fake Cloudflare Verification Results in LummaStealer Trojan Infections

released on 2025-03-20 @ 04:39:37 AM
A malicious campaign targeting Windows users through WordPress websites is deploying the LummaStealer trojan. Attackers use fake Cloudflare verification prompts to trick users into running malicious PowerShell commands. The infection is spread through compromised plugins or injected JavaScript in legitimate files. Victims are directed to execute commands that download and install the LummaStealer malware, which can steal sensitive data like login credentials and cryptocurrency information. The attackers also create hidden admin users in infected WordPress sites for persistence. Multiple variants of this attack have been observed, with some using URL shortening services to obfuscate malicious links. Website owners are advised to keep software updated, use strong passwords, and implement 2FA to mitigate risks.

Virtue or Vice? A First Look at Paragon's Proliferating Spyware Operations

released on 2025-03-19 @ 09:59:31 PM
The report investigates Paragon Solutions, an Israeli spyware company founded in 2019 that sells a product called Graphite. Through infrastructure analysis, the researchers identified potential Paragon deployments in several countries. They also found evidence linking Paragon to the Canadian Ontario Provincial Police. Working with WhatsApp, they discovered and mitigated a Paragon zero-click exploit targeting civil society members. Forensic analysis of Android devices in Italy confirmed Paragon infections. The report also examines a potentially related iPhone spyware case. It highlights Paragon's targeting of individuals involved in migrant rescue operations in the Mediterranean, raising questions about the company's claims of only selling to customers respecting human rights. The findings challenge Paragon's marketing approach and demonstrate the ongoing risks of mercenary spyware abuse, even in democracies.

Dragon RaaS | Pro-Russian Hacktivist Group Aims to Build on "The Five Families" Cybercrime Reputation

released on 2025-03-19 @ 08:40:46 PM
Dragon RaaS is a ransomware group that emerged in July 2024 as an offshoot of Stormous, part of a larger cybercrime syndicate known as 'The Five Families'. The group markets itself as a sophisticated Ransomware-as-a-Service operation but often conducts defacements and opportunistic attacks rather than large-scale ransomware extortion. Dragon RaaS primarily targets organizations in the US, Israel, UK, France, and Germany, exploiting vulnerabilities in web applications, using brute-force attacks, and leveraging stolen credentials. The group operates two ransomware strains: a Windows-focused encryptor based on StormCry and a PHP webshell. Despite claims of creating a unique ransomware variant, analysis reveals that Dragon RaaS's payloads are slightly modified versions of StormCry.

South Korean Organizations Targeted by Cobalt Strike 'Cat' Delivered by a Rust Beacon

released on 2025-03-18 @ 08:59:19 PM
An exposed web server containing tools for an intrusion campaign targeting South Korean organizations was identified. The server hosted a Rust-compiled Windows executable delivering Cobalt Strike Cat, along with SQLMap, Web-SurvivalScan, and dirsearch. The threat actor used these tools to identify and exploit vulnerable web applications, targeting government and commercial entities. The campaign utilized a Rust-compiled loader with a modified version of Cobalt Strike, providing insight into the actor's malware delivery and post-exploitation techniques. Analysis revealed reconnaissance tools, SQL injection exploitation, and malware delivery components, with logs confirming beacon activity from compromised hosts. The attackers used MinGW- and Rust-compiled loaders to deploy Cobalt Strike Cat and Marte shellcode.

Operation AkaiRyū: Europe invited to Expo 2025 and ANEL backdoor revived

released on 2025-03-18 @ 08:59:17 PM
Chinese threat actor MirrorFace expanded its cyberespionage activities beyond Japan, targeting a Central European diplomatic institute in relation to Expo 2025. The group refreshed its tactics, introducing new tools like customized AsyncRAT and reviving the ANEL backdoor previously associated with APT10. MirrorFace employed spearphishing emails with malicious attachments or links to gain initial access. The attackers used legitimate applications to stealthily install malware, including ANEL, HiddenFace, and AsyncRAT. They also abused Visual Studio Code's remote tunnels feature for stealthy access. The campaign showcased complex execution chains and the use of Windows Sandbox to avoid detection. This operation provides evidence that MirrorFace is likely a subgroup under the APT10 umbrella.

Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns

released on 2025-03-18 @ 08:59:12 PM
A Windows .lnk file vulnerability, ZDI-CAN-25373, has been extensively exploited by state-sponsored and cybercriminal groups. The vulnerability allows hidden command execution through crafted shortcut files, exposing organizations to data theft and cyber espionage risks. Nearly 1,000 malicious .lnk files abusing this vulnerability have been identified, with APT groups from North Korea, Iran, Russia, and China involved in the attacks. Targeted sectors include government, finance, telecommunications, military, and energy across North America, Europe, Asia, South America, and Australia. The exploitation leverages hidden command line arguments within .lnk files, complicating detection. Organizations are urged to implement security measures and maintain vigilance against suspicious .lnk files.

Legacy Driver Exploitation Through Bypassing Certificate Verification

released on 2025-03-18 @ 01:33:06 PM
A new security threat using the Legacy Driver Exploitation technique has been identified, focusing on remote system control via Gh0stRAT malware. The attack distributes malware through phishing and messaging apps, utilizing DLL side-loading for additional payloads. A modified TrueSight.sys driver bypasses Microsoft's driver blocking system, terminating security processes. The key vulnerability lies in TrueSight.sys versions 3.4.0 and below, exploited by the AVKiller tool. The attacker manipulated the WIN_CERTIFICATE structure's padding area to bypass certificate validation. Microsoft responded by updating the Vulnerable Driver Blocklist. This technique is related to the CVE-2013-3900 vulnerability, highlighting the importance of strengthening certificate validation.

Python Bot Delivered Through DLL Side-Loading

released on 2025-03-18 @ 12:42:33 PM
A sophisticated malware campaign employs DLL side-loading to deliver a Python bot. The attack begins with a ZIP archive containing a legitimate PDF reader executable and a hidden malicious DLL. When executed, the malicious DLL is loaded instead of the intended Microsoft one, altering the PDF reader's behavior. The malware then unpacks a Python environment, fetches the bot code from a Bitbucket repository, and establishes persistence through registry modifications. The attacker uses various techniques to bypass security controls, including renaming processes and implementing a Byte Order Mark. The campaign demonstrates advanced evasion tactics and leverages trusted applications to deploy its payload.

ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery

released on 2025-03-18 @ 09:46:02 AM
ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through drive-by downloads. Threat actors compromise legitimate websites, injecting malicious JavaScript code that redirects users to convincing fake update pages for browsers like Chrome and Edge. These pages prompt users to download updates hosted on platforms such as Dropbox and OneDrive, which actually contain malware payloads. Notably, since late September, ClearFake has altered its code injection tactics, now utilizing smart contracts from the Binance Smart Chain.

StilachiRAT analysis: From system reconnaissance to cryptocurrency theft

released on 2025-03-17 @ 10:21:29 PM
Microsoft Incident Response researchers discovered a novel remote access trojan named StilachiRAT, demonstrating sophisticated evasion, persistence, and data exfiltration techniques. The malware collects extensive system information, targets cryptocurrency wallet extensions, steals browser credentials, establishes command-and-control communication, executes remote commands, achieves persistence through Windows services, monitors RDP sessions, collects clipboard data, and employs anti-forensic measures. StilachiRAT's capabilities include system reconnaissance, digital wallet targeting, credential theft, command execution, and clipboard monitoring. The analysis reveals its potential for cryptocurrency theft and system manipulation.

New Steganographic Campaign Distributing Multiple Malware Variants

released on 2025-03-17 @ 06:17:24 PM
A sophisticated steganographic campaign has been observed distributing multiple stealer malware variants, including Remcos, DcRAT, AgentTesla, and VIPKeyLogger. The infection chain begins with a phishing email containing an Excel file that exploits CVE-2017-0199. This leads to the download of an HTA file, which in turn downloads a VBS script. The script retrieves a JPG file concealing base64-encoded malware. The payload is then injected into legitimate processes using process hollowing techniques. The campaign demonstrates advanced evasion methods and the potential to deploy various remote access trojans, highlighting the need for robust cybersecurity practices.

Off the Beaten Path: Recent Unusual Malware

released on 2025-03-17 @ 09:40:53 AM
The article examines three unusual malware samples: a C++/CLI IIS backdoor enabling stealthy remote command execution, a bootkit leveraging the GRUB 2 bootloader to gain early system control and persistence, and a cross-platform post-exploitation framework developed in C++. These cases highlight evolving attacker techniques that prioritize stealth, persistence, and unconventional execution methods to evade detection.

Negative Exposure: Edimax Network Cameras Used to Spread Mirai

released on 2025-03-17 @ 09:28:52 AM
The Akamai Security Intelligence and Response Team (SIRT) has identified a critical command injection vulnerability, CVE-2025-1316, in Edimax IC-7100 IP cameras. This flaw allows attackers to execute arbitrary commands remotely, leading to the integration of these devices into Mirai-based botnets. The vulnerability stems from improper neutralization of special elements in OS commands, enabling remote code execution through specially crafted requests. Despite detection efforts, Edimax has not provided patches, leaving affected devices exposed to ongoing exploitation.

Inside BRUTED: Black Basta (RaaS) Used Automated Brute Forcing Framework to Target Edge Network Devices

released on 2025-03-17 @ 09:02:00 AM
Black Basta ransomware group has been using a previously unknown brute forcing framework called BRUTED since 2023. This framework automates internet scanning and credential stuffing against edge network devices, including firewalls and VPN solutions. The group targets high-impact industries, with Business Services being the most targeted sector. BRUTED enables Black Basta affiliates to scale attacks and expand their victim pool. The framework supports multiple vendors and technologies, using specialized brute-force logic for each platform. Black Basta's strategy involves exploiting edge network devices for initial access, then targeting ESXi hypervisors to maximize operational impact. The leak of internal chat logs has likely disrupted Black Basta's operations, but former members may reintegrate into other ransomware-as-a-service ecosystems.

Mirai Bot now incorporating (malformed?) DrayTek Vigor Router Exploits

released on 2025-03-17 @ 05:39:23 AM
A report details the incorporation of exploits targeting DrayTek Vigor routers into the Mirai botnet. Previously disclosed vulnerabilities affecting approximately 700,000 devices are being exploited, with attacks focusing on the 'keyPath' and 'cvmcfgupload' parameters. A curious spike in malformed exploit attempts, missing a dash in 'cgi-bin', has been observed. The attacks aim to upload and execute bot variants, primarily Mirai. The latest malformed exploit attempts to download a multi-architecture bash script and the actual bot. String analysis of the bot reveals attempts to exploit other vulnerabilities and likely includes a brute force component.

Credit Card Skimmer and Backdoor on WordPress E-commerce Site

released on 2025-03-15 @ 07:22:22 AM
A sophisticated malware attack targeting WordPress WooCommerce sites was discovered, involving multiple components: a credit card skimmer, a hidden backdoor file manager, and a reconnaissance script. The attack focused on financial gain and long-term control. The skimmer, injected into the checkout page, collected payment and billing information, sending it to a malicious server. A PHP backdoor allowed remote system command execution, while a reconnaissance script gathered server information. The attack demonstrates the evolving complexity of e-commerce platform threats, emphasizing the need for strict security measures, regular scans, proper access controls, and timely updates to prevent such exploits.

New Ransomware Operator Exploits Fortinet Vulnerability Duo

released on 2025-03-14 @ 07:18:14 PM
A new ransomware operator, dubbed Mora_001, has been exploiting Fortinet firewall vulnerabilities CVE-2024-55591 and CVE-2025-24472 to gain unauthorized access and deploy a modified version of LockBit ransomware. The threat actor creates persistent admin accounts, exfiltrates firewall configurations, and uses VPN access for lateral movement. They selectively target file servers for encryption after data theft. The ransomware, named SuperBlack, uses LockBit's infrastructure but removes branding. The actor employs a custom VPN brute-forcing tool and leaves ransom notes linking to LockBit's Tox chat ID. This campaign highlights the increasing trend of exploiting perimeter security appliances and the evolving ransomware landscape.

Off the Beaten Path: Recent Unusual Malware

released on 2025-03-14 @ 04:37:45 PM
This article examines three unique malware samples discovered in the past year. The first is a passive IIS backdoor written in C++/CLI, an uncommon language for malware. It has extensive functionality and appears professionally developed, possibly for targeted attacks. The second is a bootkit that installs a customized GRUB 2 bootloader to play Dixie through the PC speaker on boot. While sharing some characteristics with Equation Group malware, it's likely unrelated. The third is a new cross-platform post-exploitation framework called ProjectGeass, still in development. It has features like file management, keylogging, and payload execution. These samples demonstrate novel techniques being used by malware authors.

VHDs Used to Distribute VenomRAT and Other Malware

released on 2025-03-14 @ 10:16:40 AM
A phishing campaign is utilizing virtual hard disk (VHD) image files to deliver VenomRAT malware. The attack begins with a purchase order-themed email containing a ZIP archive with a VHD file. When opened, the VHD mounts as a drive and executes a heavily obfuscated batch script. This script employs PowerShell to perform malicious activities, including dropping files in the Startup folder for persistence, modifying registries, and connecting to Pastebin for C2 communication. The malware creates a DataLogs.conf file to capture keystrokes and sensitive data, which is then exfiltrated to the C2 server. The campaign also utilizes AES encryption and multiple layers of obfuscation to evade detection.

SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware

released on 2025-03-14 @ 10:16:39 AM
SocGholish, a malware-as-a-service framework, is being used to deploy RansomHub ransomware. It compromises legitimate websites, redirecting visitors to fake browser updates that deliver malicious payloads. The highly obfuscated JavaScript loader evades detection and executes various tasks, including reconnaissance, credential theft, and backdoor deployment. Water Scylla, the group behind this activity, collaborates with threat actors operating rogue Keitaro TDS instances for payload distribution. The attack chain involves multiple stages, from initial access to ransomware deployment. SocGholish's versatile loader can download and execute malicious payloads, exfiltrate data, and execute arbitrary commands. Recent detections show high activity in the US, primarily targeting government organizations.

Ramadan Scams on the Rise: Fake Giveaways, Crypto Traps & Fraudulent Donations

released on 2025-03-14 @ 09:06:40 AM
Cybercriminals are exploiting Ramadan's spirit of generosity through various scams targeting unsuspecting individuals. These include wallet-draining schemes disguised as religious incentives, fraudulent crypto tokens, fake e-commerce sales, and deceptive donation campaigns. Scammers utilize social media verification badges, AI-generated promotions, and psychological manipulation to lure victims. The scams range from 'earn while you worship' programs to fake data pack giveaways and counterfeit product listings. The rise of Ramadan-themed tokens on cryptocurrency platforms highlights the need for increased regulation. Victims are often tricked into connecting their crypto wallets or sharing personal information, leading to financial losses and potential identity theft.

Patch it up: Old vulnerabilities are everyone's problems

released on 2025-03-14 @ 12:35:45 AM
This analysis emphasizes the importance of addressing old vulnerabilities in software systems globally. It highlights the end of Windows 10 support in October 2025 and the risks associated with unpatched systems. The article discusses the relevance of vulnerabilities regardless of geographic location, citing examples like Log4j and NotPetya. It also mentions a recent CVE (CVE-2025-22224) that affected over 40,000 instances globally within a week of discovery. The article stresses the need for regular software updates and patching, regardless of nationality or location, to maintain robust cybersecurity.

Affiliate Fraud at Scale: AI, Black Hat SEO, Social Media, and Brand Abuse in iGaming and VPNs

released on 2025-03-13 @ 11:23:28 PM
A large-scale affiliate marketing campaign has been uncovered, utilizing AI-generated content, automation, fake social media accounts, and Black Hat SEO to manipulate search rankings and drive traffic to iGaming and VPN promotions. The operation involves thousands of subdomains, redirection chains, and fake social media accounts across multiple platforms. The campaign aligns with high-traffic events and seasonal promotions, exploiting affiliate programs like 7StarPartners and NordVPN. It employs sophisticated SEO manipulation techniques and AI-generated content in multiple languages to maximize visibility and engagement. The fraudulent activities undermine market integrity, consumer trust, and legitimate businesses' visibility while compromising the reliability of affiliate programs.

Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

released on 2025-03-13 @ 04:57:01 PM
A phishing campaign targeting the hospitality industry impersonates Booking.com to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, uses a social engineering technique called ClickFix to trick users into downloading malicious payloads. Targets are sent emails with links to fake Booking.com pages, which prompt users to execute commands that download malware. The campaign delivers various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Organizations in North America, Oceania, Asia, and Europe are targeted. The threat actor's evolving tactics demonstrate attempts to bypass conventional security measures.

Head Mare and Twelve: Joint attacks on Russian entities

released on 2025-03-13 @ 02:58:11 PM
Head Mare and Twelve, two hacktivist groups, have launched joint attacks on Russian companies. Head Mare has expanded its toolkit, now using tools previously associated only with Twelve, such as the CobInt backdoor. The attackers gained initial access through phishing emails and compromised contractors. They used various tools for reconnaissance, privilege escalation, lateral movement, and data exfiltration. The final goal was file encryption using LockBit 3.0 and Babuk ransomware. Overlaps in infrastructure, tactics, and tools suggest collaboration between the two groups. The attacks primarily targeted manufacturing, government, and energy sectors in Russia.

Investigating Scam Crypto Investment Platforms Using Pyramid Schemes to Defraud Victims

released on 2025-03-13 @ 02:58:09 PM
A campaign distributing thousands of fraudulent cryptocurrency investment platforms via websites and mobile applications has been uncovered. The operation impersonates well-known brands and organizations, luring victims with unrealistic promises of high returns. The consistent design of the platforms suggests the use of a standardized toolkit for large-scale development. Domains are primarily registered in Singapore using lenient registrars and fake names. The scam targets users in East African and Asian countries, utilizing Telegram channels for engagement. The platforms operate like Ponzi schemes, encouraging user recruitment through multi-level affiliate programs. Evidence points to a single threat actor behind the campaign, given the consistent registration patterns and infrastructure use.

File Hashes Analysis with Power BI from Data Stored in DShield SIEM

released on 2025-03-13 @ 09:45:58 AM
This analysis showcases the use of Power BI to examine file hash data from a DShield SIEM over a 60-day period. The process involved exporting data from Elastic Discover, importing it into Power BI, and creating visualizations for analysis. Key findings include the identification of an IP address (87.120.113.231) associated with RedTail malware, uploading six different files with multiple hashes. The analysis also revealed the reappearance of a previously identified Linux Trojan (Xorddos) from new IP addresses within the same subnet. Additionally, two strange filenames were discovered and investigated, with one identified as an IRCBot through VirusTotal. This method of large dataset analysis proves valuable in uncovering potentially overlooked or lost data through retrospective examination.

Unmasking GrassCall Campaign: The Hackers Behind Job Recruitment Cyber Scams

released on 2025-03-13 @ 12:47:42 AM
The GrassCall malware campaign, orchestrated by the Russian-speaking cybercriminal group 'Crazy Evil,' targets job seekers in the cryptocurrency and Web3 sectors. The attackers create fake companies and job postings, luring victims into downloading malicious software disguised as a video conferencing application. This sophisticated social engineering attack deploys Remote Access Trojans and information-stealing programs like Rhadamanthys for Windows users and Atomic macOS Stealer for Mac users. The campaign aims to compromise systems and steal cryptocurrency assets, with hundreds of people already affected. The infection chain involves impersonation, phishing communication, and malware deployment, showcasing the group's advanced tactics in identity fraud and cryptocurrency theft.

Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice

released on 2025-03-12 @ 04:00:35 PM
Threat actors are increasingly using legitimate remote monitoring and management (RMM) tools as initial payloads in email campaigns. This trend aligns with a decrease in the use of traditional loaders and botnets by initial access brokers. RMMs can be exploited for data collection, financial theft, lateral movement, and installing additional malware. Notable RMM tools observed in campaigns include ScreenConnect, Fleetdeck, and Atera. The shift towards RMM usage coincides with law enforcement disruptions of major malware families and a decline in ransomware payments. Specific threat actors like TA583 and TA2725 have been observed incorporating RMMs into their attack strategies. Organizations are advised to restrict unauthorized RMM installations, implement network detections, and train users to identify suspicious activity.

JSPSpy and 'Filebroser': A Custom File Management Tool in Webshell Infrastructure

released on 2025-03-12 @ 02:52:32 PM
Researchers have identified a cluster of JSPSpy web shell servers featuring 'Filebroser', a modified version of the open-source File Browser project. The infrastructure spans multiple hosting providers in China and the United States, using both cloud services and traditional ISPs. JSPSpy, a Java-based web shell first observed in 2013, has been used by various threat actors, including the Lazarus Group. The servers typically host JSPSpy on port 80, with one instance on port 8888. Two servers also host the 'filebroser' login panel on port 8001. Detection strategies for JSPSpy include analyzing login page titles and HTTP response headers. The presence of 'filebroser' alongside JSPSpy raises questions about its purpose in attack operations.

Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers

released on 2025-03-12 @ 02:52:32 PM
China-nexus espionage group UNC3886 has been discovered deploying custom backdoors on Juniper Networks' Junos OS routers. The attackers used TINYSHELL-based backdoors with varying capabilities, including active and passive functions, and an embedded script to disable logging. The group demonstrated advanced knowledge of system internals and focused on maintaining long-term access while minimizing detection risk. UNC3886 targeted defense, technology, and telecommunication organizations in the US and Asia, leveraging legitimate credentials for initial access. The malware ecosystem included six distinct samples, each with unique features for bypassing security measures and maintaining persistence. The activity highlights the ongoing trend of targeting networking infrastructure for espionage purposes.

APT37 - RokRat

released on 2025-03-12 @ 11:56:14 AM
APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on Windows and Android platforms through phishing campaigns. The group's attack vector involves malicious LNK files distributed via group chat platforms. The infection process begins with phishing emails containing ZIP attachments that conceal malicious LNK files. When executed, these files initiate a multi-stage attack using batch scripts and PowerShell, ultimately deploying RokRat as the final payload. RokRat, a remote access Trojan, collects detailed system information, abuses cloud services for command and control, and employs anti-analysis techniques. It can execute remote commands, exfiltrate data, and perform various malicious activities on infected systems.

Hundreds of thousands of rubles for your secrets: cyber spies disguise themselves as recruiters

released on 2025-03-12 @ 11:52:32 AM
Cybercriminals impersonating a real company are sending fake job descriptions to employees of targeted organizations. The attackers, known as Squid Werewolf, are offering substantial sums of money, potentially hundreds of thousands of rubles, in exchange for sensitive information. This sophisticated phishing campaign aims to exploit the trust associated with legitimate recruitment processes to gather confidential data from unsuspecting employees. The operation demonstrates the evolving tactics of cyber espionage groups, blending social engineering with financial incentives to compromise organizational security.

Stopping Sobolan Malware with Aqua Runtime Protection

released on 2025-03-12 @ 11:48:30 AM
A new attack campaign targeting interactive computing environments like Jupyter Notebooks has been discovered. The attack involves downloading a compressed file from a remote server, which, when executed, deploys multiple malicious tools to exploit the server and establish persistence. The campaign poses a significant risk to cloud-native environments by enabling unauthorized access and long-term control over compromised systems. The attack flow includes initial access through an unauthenticated JupyterLab instance, downloading and extracting malicious files, executing scripts to launch additional binaries, and establishing persistence while evading detection. The malware deploys cryptominers and attempts to kill competing processes. Runtime protection solutions can effectively detect, block, and mitigate these threats using real-time threat intelligence, malware scanning, and customizable policies.

New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects

released on 2025-03-11 @ 05:34:55 PM
Microsoft Threat Intelligence has discovered a new variant of XCSSET, a sophisticated macOS malware that infects Xcode projects. This latest version features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. The malware steals and exfiltrates files, system information, and user data, including digital wallet information and notes. It uses a modular approach with encoded payloads, improved error handling, and heavy use of scripting languages and legitimate binaries. The malware's infection chain consists of four stages, with the fourth stage running various sub-routines. Notable capabilities include three distinct persistence techniques and a new infection method for Xcode projects. The malware's command-and-control server is active and downloading additional modules.

Trump Cryptocurrency Delivers ConnectWise RAT

released on 2025-03-11 @ 05:34:55 PM
An email campaign impersonating Binance is offering fake TRUMP coins to lure victims into downloading a malicious 'Binance Desktop' application, which actually installs ConnectWise RAT. The attackers have created a convincing web page mimicking Binance's interface to host the malware download. Once infected, threat actors quickly establish remote control of the victim's computer, targeting saved passwords in applications like Microsoft Edge. The campaign employs sophisticated social engineering tactics, including sender name spoofing and risk warnings, to appear legitimate. Threat actors are actively monitoring infections and can connect to compromised systems within minutes of installation.

Desert Dexter. Attacks on Middle Eastern Countries

released on 2025-03-11 @ 04:42:13 PM
A malicious campaign targeting residents of the Middle East and North Africa has been discovered, active since September 2024. The attackers create fake news groups on social media and publish posts with links to file-sharing services or Telegram channels containing modified AsyncRAT malware. The malware is designed to search for crypto wallets and interact with a Telegram bot. The most targeted countries include Egypt, Libya, UAE, Russia, Saudi Arabia, and Turkey. The attack chain involves multiple stages, including the use of PowerShell scripts and a reflective loader written in C#. The AsyncRAT modification includes an offline keylogger and collects information about crypto wallet extensions and software. The campaign has affected approximately 900 victims from various countries, including employees of companies in the oil extraction, construction, IT, and agriculture sectors.

Caution Against Watering Hole Attack and Malicious File Distribution Disguised as Unification Education Support Application

released on 2025-03-11 @ 02:21:48 PM
A watering hole attack targeting unification education program applicants has been discovered. The attackers uploaded malicious HWP document files to a notice board for an educational program. When opened, the file executes hidden malicious code through OLE objects. The malware creates persistence using scheduled tasks, downloads additional payloads, and communicates with a command and control server. Based on the techniques used, the attack is attributed to the North Korean Kimsuky group. Users are advised to exercise caution when downloading application forms from such websites.

Analysis of Lazarus Group's Attack Targeting Windows Web Servers

released on 2025-03-11 @ 02:20:43 PM
The Lazarus group has been targeting Windows web servers, particularly in South Korea, installing webshells and C2 scripts to use compromised servers as proxies. The attacks involve multiple stages, including the use of LazarLoader malware and privilege escalation tools. The C2 scripts act as proxies between the malware and secondary C2 servers. Various webshells were identified, including RedHat Hacker and custom ASP shells. The LazarLoader downloader was used to fetch additional payloads, while a privilege escalation tool exploited UAC bypass techniques. The attackers aim to establish persistence and gain elevated access on compromised systems.

Camera off: Akira deploys ransomware via webcam

released on 2025-03-11 @ 02:20:08 PM
Akira, a prominent ransomware group, accounted for 15% of incidents in 2024, showcasing novel evasion techniques. In a recent attack, Akira circumvented an Endpoint Detection and Response (EDR) tool by compromising an unsecured webcam to deploy ransomware. After initial detection, the group pivoted to exploit IoT devices, particularly a vulnerable webcam running Linux. This allowed them to execute their Linux ransomware variant without EDR interference. The incident highlights the importance of comprehensive security measures, including IoT device monitoring, network segmentation, and regular audits. Key takeaways include prioritizing patch management for all devices, adapting to evolving threat actor tactics, and ensuring proper EDR implementation.

A Deep Dive into Strela Stealer and how it Targets European Countries

released on 2025-03-11 @ 02:16:47 PM
Strela Stealer is an infostealer targeting email clients in specific European countries. It exfiltrates login credentials from Mozilla Thunderbird and Microsoft Outlook. The malware is delivered through phishing campaigns, primarily affecting Spain, Italy, Germany, and Ukraine. Recent campaigns involve forwarding legitimate emails with malicious attachments. Strela Stealer employs custom obfuscation techniques and code-flow flattening to complicate analysis. The malware verifies the system's locale before executing, targeting specific language regions. It searches for email client profile data, encrypts it, and exfiltrates it to a command-and-control server. The infrastructure used by Strela Stealer is linked to Russian bulletproof hosting providers, suggesting potential ties to Russian threat actors.

Infostealer Campaign against ISPs

released on 2025-03-11 @ 02:14:23 PM
A campaign targeting ISP infrastructure providers on the West Coast of the United States and China has been identified. Originating from Eastern Europe, the attackers use simple tools to abuse victims' computer processing power for cryptomining and credential theft. The initial access is gained through brute force attacks using weak credentials. The malware has diverse functions including data exfiltration, additional crimeware deployment, self-termination to avoid detection, persistence establishment, remote access disabling, and pivot attacks to targeted CIDRs. The actors perform minimal intrusive operations, relying on scripting languages and API calls for C2 operations. The campaign specifically targets ISP infrastructure, likely for cryptomining purposes.

AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution

released on 2025-03-11 @ 12:42:48 PM
A campaign using fake GitHub repositories to distribute SmartLoader and Lumma Stealer malware has been uncovered. The attackers create convincing repositories using AI-generated content to deceive users into downloading malicious files disguised as gaming cheats, cracked software, and system tools. The malware is delivered through obfuscated Lua scripts in ZIP files, exploiting GitHub's trusted reputation to evade detection. Upon execution, SmartLoader facilitates the delivery of Lumma Stealer, which can steal sensitive information like cryptocurrency wallets, 2FA extensions, and login credentials. This campaign demonstrates the evolving tactics of cybercriminals, adapting from using GitHub file attachments to creating entire repositories with AI-assisted deception.

Malicious Packages Identified in the Wild: Insights and Trends from November 2024 Onward

released on 2025-03-10 @ 08:29:08 PM
FortiGuard Labs has analyzed malicious software packages detected from November 2024 to March 2025, revealing various attack techniques used to exploit system vulnerabilities. Key findings include 1,082 packages with low file counts, 1,052 packages with suspicious install scripts, and 1,043 packages lacking repository URLs. Attackers employ methods such as obfuscation, command overwrite, and typosquatting to bypass security measures. The analysis highlights the use of suspicious APIs, URLs, and installation scripts to exfiltrate data, establish backdoors, and perform remote control activities. Specific cases involve malicious Python and Node.js packages targeting developers and harvesting sensitive information. The report emphasizes the importance of robust detection strategies and proactive defense measures to mitigate these evolving cybersecurity threats.

Blind Eagle: …And Justice for All

released on 2025-03-10 @ 07:04:48 PM
Check Point Research uncovered ongoing campaigns by Blind Eagle targeting Colombian institutions since November 2024. The group exploits a variant of CVE-2024-43451, using malicious .url files to deliver malware. Their attack chain includes HeartCrypt-packed executables, a .NET RAT, and Remcos RAT as the final payload. The campaigns have high infection rates, with over 1,600 victims in a single operation. Blind Eagle utilizes legitimate platforms like Google Drive and GitHub for malware distribution. The group's operating timezone suggests South American origins. An operational failure revealed past phishing activities targeting Colombian banks, resulting in over 8,000 stolen PII entries.

Highway Robbery 2.0: How Attackers Are Exploiting Toll Systems in Phishing Scams

released on 2025-03-10 @ 01:04:09 PM
A massive SMS phishing campaign targeting U.S. drivers exploits various toll systems, including E-ZPass, SunPass, and TxTag. The scam uses fake payment alerts sent via iMessage and SMS from foreign numbers to lure victims to fraudulent websites. Analysis reveals a pattern in domain names and infrastructure, with most phishing sites hosted on Chinese ASNs like Tencent and Alibaba Cloud. The campaign employs nginx web servers and constantly shifts tactics to evade detection. Over 2,000 complaints have been filed with the FBI's Internet Crime Complaint Center, prompting warnings from the FTC and toll authorities. The scam's effectiveness stems from the inconsistency in legitimate toll collection domain names, making it challenging for users to distinguish between real and fake websites.

SideWinder targets the maritime and nuclear sectors with an updated toolset

released on 2025-03-10 @ 10:24:58 AM
The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails containing malicious DOCX files, exploiting CVE-2017-11882 to deliver a multi-stage payload. The group demonstrated agility in evading detection, often updating their tools within hours of being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.

Russian State Actors: Development in Group Attributions

released on 2025-03-08 @ 11:40:19 AM
This analysis explores the evolution of Russian state-backed cyber actors and their operations. It highlights the activities of several prominent groups, including UNC2589, APT44 (Sandworm), APT29, and APT28. These actors, associated with various Russian intelligence agencies, have been involved in global espionage, sabotage, and influence operations. The report details their targets, which include government organizations, critical infrastructure, and diplomatic entities across multiple countries. It also describes the groups' adaptation to new security measures and their use of advanced techniques such as zero-day exploits, social engineering, and living off the land tactics. The analysis emphasizes the importance of understanding these actors' methods for improving global cybersecurity resilience.

Cascading Redirects: Unmasking a Multi-Site JavaScript Malware Campaign

released on 2025-03-07 @ 04:25:03 AM
A recent investigation uncovered a malicious JavaScript injection affecting WordPress websites, redirecting visitors to unwanted third-party domains. The attack vector involves a two-stage redirection process, injecting code into theme files and loading external scripts. The malware creates hidden elements to force redirects, potentially leading to phishing pages, malvertising, exploit kits, or scam sites. At least 31 infected websites were identified, with domains like awards2today[.]top and chilsihooveek[.]net involved. The infection methods include compromised admin accounts, exploited vulnerabilities, inadequate file permissions, and hidden PHP backdoors. Impacts include traffic loss, reputation damage, SEO blacklisting, and risks of further infections. Detection involves inspecting network activity and file modifications, while prevention measures include regular security audits, updates, strong passwords, and web application firewalls.

Malvertising campaign leads to info stealers hosted on GitHub

released on 2025-03-06 @ 11:02:41 PM
A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms. The multi-stage attack chain involved deploying information stealers like Lumma and Doenerium, as well as remote access tools. The threat actors used living-off-the-land techniques and various scripts to collect system information, exfiltrate data, and establish persistence. The campaign affected both consumer and enterprise devices across multiple industries, highlighting its indiscriminate nature.

Medusa Ransomware Activity Continues to Increase

released on 2025-03-06 @ 10:32:43 PM
Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024.

Unmasking GrassCall Campaign: The APT Behind Job Recruitment Cyber Scams

released on 2025-03-06 @ 07:25:58 PM
The GrassCall malware campaign is an advanced social engineering attack conducted by a Russian-speaking cybercriminal group called Crazy Evil. Targeting job seekers in the cryptocurrency and Web3 sectors, the campaign uses fake job interviews to compromise victims' systems and steal cryptocurrency assets. The attackers create a fake company, post job advertisements on reputable platforms, and guide candidates through a sophisticated process involving phishing emails, Telegram conversations, and the installation of malicious software disguised as a video conferencing application. The malware deployed includes a Remote Access Trojan (RAT) and information-stealing programs like Rhadamanthys for Windows users, and the Atomic macOS Stealer (AMOS) for Mac users. The campaign has affected hundreds of people, with some victims reporting drained cryptocurrency wallets.

Unmasking the new persistent attacks on Japan

released on 2025-03-06 @ 07:25:57 PM
An unknown attacker has been targeting organizations in Japan since January 2025, exploiting CVE-2024-4577, a remote code execution vulnerability in PHP-CGI on Windows. The attacker uses the Cobalt Strike kit 'TaoWu' for post-exploitation activities, including reconnaissance, privilege escalation, persistence establishment, and credential theft. Targeted sectors include technology, telecommunications, entertainment, education, and e-commerce. The attack involves exploiting the vulnerability, executing PowerShell scripts, and using various tools for system compromise. The attacker's techniques are similar to those of the 'Dark Cloud Shield' group, but attribution remains uncertain. A pre-configured installer script found on the C2 server deploys multiple adversarial tools and frameworks, indicating potential for future attacks.

BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes

released on 2025-03-06 @ 12:31:04 PM
HUMAN's Satori Threat Intelligence team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting low-cost consumer devices. This operation, an expansion of the 2023 BADBOX scheme, infected over 1 million Android Open Source Project devices worldwide with a backdoor called BB2DOOR. The infection enabled various fraud schemes, including residential proxy services, ad fraud, and click fraud. Four threat actor groups were identified: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. The operation targeted devices in 222 countries, with Brazil being the most affected. HUMAN collaborated with Google and other partners to disrupt the infrastructure and protect customers from the threat.

PrintSteal: Exposing unauthorized CSC-Impersonating Websites Engaging in Large-Scale KYC Document Generation Fraud

released on 2025-03-06 @ 12:31:04 PM
This investigation uncovers a massive criminal operation known as 'PrintSteal' that generates and distributes fake Indian KYC documents. The scheme involves over 1,800 fraudulent domains impersonating government websites, with at least 2,727 registered operators on one platform alone. Over 167,000 fake documents have been created, including birth certificates, Aadhaar cards, and PAN cards. The operation uses a network of affiliates, illicit APIs, and encrypted communication channels. Financial analysis shows an estimated 40 Lakhs in revenue from a single platform. The widespread nature of this fraud poses significant risks to India's digital security, financial systems, and public trust in government services.

Stealers and backdoors are spreading under the guise of a DeepSeek client

released on 2025-03-06 @ 12:31:03 PM
Cybercriminals are exploiting the popularity of DeepSeek, a powerful reasoning large language model, by creating fake websites that mimic the official DeepSeek chatbot site and distribute malicious code disguised as a client. Three main schemes were identified: a Python stealer targeting user data and credentials, a malicious script spreading through social media posts, and backdoors targeting Chinese users. The attacks use various methods to lure victims, including typosquatting and ad traffic. Users are advised to carefully check website addresses and be cautious of unverified links, especially for popular services. The malware distributed includes stealers, backdoors, and trojans, potentially leading to data theft and remote access to victims' computers.

The Next Level: Typo DGAs Used in Malicious Redirection Chains

released on 2025-03-06 @ 12:31:01 PM
A new campaign leveraging newly registered domains (NRDs) and a novel variant of domain generation algorithms (DGAs) has been uncovered. The campaign used over 6,000 NRDs redirecting to domains resembling dictionary-based DGAs. These NRDs led to advertisements of potentially unwanted Android applications. Further investigation revealed 444,898 NRDs belonging to the same actor, redirecting to 178 domains exhibiting 'typo DGA' characteristics. This new pattern combines dictionary words with typographical errors, potentially designed to evade traditional detection methods. The campaign utilized shared WHOIS information, hosting infrastructure, and epoch timestamp subdomains for redirections. The findings highlight the need for advanced detection capabilities to combat evolving malicious techniques.

The Evolution of Dark Caracal Tools: Campaign Analysis Using the Poco RAT

released on 2025-03-05 @ 06:21:14 PM
Attacks using the Poco RAT are a continuation of the Dark Caracal group's campaign. This campaign was launched in 2022 and is aimed at Spanish-speaking countries in Latin America.

New DDoS Botnet Discovered: Over 30,000 Hacked Devices, Majority of Observed Activity Traced to Iran

released on 2025-03-05 @ 05:55:50 PM
A new botnet that infects tens of thousands of internet-connected devices has been identified as being linked to Iran, according to research by GreyNoise, Nokia Deepfield, and Censys.

Beneath the Surface: Detecting and Blocking Hidden Malicious Traffic Distribution Systems

released on 2025-03-05 @ 04:24:49 PM
This analysis explores the use of traffic distribution systems (TDS) by threat actors to redirect network traffic for illicit purposes like phishing and malvertising. TDS act as central hubs, obfuscating final destinations and hindering detection. The study found that malicious TDS exhibit distinct topological characteristics compared to benign networks, including longer redirection chains, more URLs, and higher connectivity. Using these insights, a machine learning-based detection system was developed to identify various types of malicious TDS infrastructure. The research also presents case studies of TDS usage in phishing campaigns, malvertising, darknet services, and cloaking techniques.

Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan

released on 2025-03-05 @ 04:04:42 PM
An advanced malware framework known as Winos4.0 was used to target companies in Taiwan in January 2025.

Astrill VPN and DPRK Remote Worker Fraud

released on 2025-03-05 @ 03:34:50 PM
Spur Engineering is releasing a comprehensive list of IP addresses associated with the Astrill VPN service to help companies protect against fraud and abuse from the Democratic Republic of Korea (DPRK) in the future.

Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered

released on 2025-03-05 @ 02:57:15 PM
This week, the SonicWall threat research team discovered a new update in the Remcos infection chain aimed at enhancing its stealth by patching AMSI scanning and ETW logging to evade detection. This loader was seen distributing Async RAT in the past but now it has extended its functionality to Remcos RAT and other malware families. From our analysis, it seems to be targeting European institutions.

SilentCryptoMiner distributed as a bypass tool

released on 2025-03-05 @ 11:12:16 AM
A mass malware campaign is infecting users with a cryptocurrency miner disguised as a tool for bypassing internet restrictions. The campaign has affected over 2,000 victims in Russia, utilizing YouTube channels to spread malicious links. Attackers are blackmailing content creators to post videos with infected file links, threatening channel shutdowns. The malware uses a multi-stage infection process, including a Python loader that downloads and executes the SilentCryptoMiner. This miner, based on XMRig, employs stealth techniques like process hollowing and can mine various cryptocurrencies. The campaign highlights the growing exploitation of restriction bypass tools for malware distribution, posing significant risks to user data security.

Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware

released on 2025-03-04 @ 10:43:54 PM
A highly targeted email-based campaign was identified, focusing on aviation and satellite communications organizations in the United Arab Emirates. The campaign utilized a compromised entity to send customized malicious messages, leading to the discovery of a new backdoor named Sosano. This malware employed various obfuscation techniques, including polyglot files, indicating a sophisticated adversary. The infection chain involved multiple stages, using LNK files, HTA scripts, and XOR encoding. The Sosano backdoor, written in Golang, contains limited functionality but is heavily obfuscated. The threat actor, tracked as UNK_CraftyCamel, shows possible connections to Iranian-aligned adversaries but is considered a separate entity. This campaign highlights the use of trusted relationships to deliver customized, obfuscated malware to selective targets.

Exposing the Deception: Russian EFF Impersonators Behind Stealc & Pyramid C2

released on 2025-03-04 @ 10:43:54 PM
A threat group impersonating the Electronic Frontier Foundation (EFF) is targeting Albion Online players through phishing messages and decoy documents. The campaign uses malware such as Stealc stealer and Pyramid C2 to compromise player accounts. Analysis of an exposed directory revealed PowerShell scripts, PDFs, and malicious payloads. The infrastructure includes multiple servers sharing SSH keys. Code comments suggest Russian-speaking developers. The attackers use EFF's reputation to lend credibility while executing malware in the background. The campaign exploits the game's player-driven economy, where in-game assets have real-world value. Mitigation strategies include cautious handling of unsolicited communications and verifying sources' authenticity.

Analysis of a JavaScript-based Phishing Campaign Targeting Microsoft 365 Credentials

released on 2025-03-04 @ 08:57:45 PM
A sophisticated JavaScript-based credential harvesting campaign has been discovered, utilizing fake voicemail notifications to capture Microsoft 365 credentials. The attackers employ HTML smuggling, obfuscation, and encryption techniques to evade detection. The phishing emails contain PDF attachments with QR codes and HTM files with embedded JavaScript. The malicious code uses base64 encoding, CryptoJS for encryption, and dynamic URL generation to redirect victims to a fake Microsoft 365 login page. The campaign involves multiple stages, including CAPTCHA and media player mimicry, to increase legitimacy. This evolving threat poses significant challenges for automated detection and analysis systems.

Booking a Threat: Inside LummaStealer's Fake reCAPTCHA

released on 2025-03-04 @ 03:14:01 PM
A new malicious campaign targeting booking websites has been discovered, utilizing LummaStealer, an info-stealer operating under a Malware-as-a-Service model. The attack employs fake CAPTCHAs to trick users into executing malicious PowerShell commands. Initially targeting the Philippines, the campaign has expanded globally, focusing on malvertising. The infection chain involves a fake booking confirmation link, obfuscated PHP scripts, and payload download mechanisms. LummaStealer samples in this attack are significantly larger, up to 350% increase in size, and use techniques like Binary Padding and Indirect Control Flow for evasion. The campaign's sophistication and global reach indicate a growing threat in the cybercrime landscape.

Deep Dive Into Allegedly AI-Generated FunkSec Ransomware

released on 2025-03-04 @ 03:59:21 AM
A new Rust-based ransomware called FunkSec has emerged, claiming to use artificial intelligence in its development. First appearing in 2024, it demonstrates a mix of sophisticated capabilities and developmental inconsistencies. FunkSec implements advanced features like XChaCha20 encryption and comprehensive anti-VM techniques, but also shows peculiarities such as dependency on downloading a specific wallpaper image. The malware disables Windows security features, establishes persistence via scheduled tasks, and targets multiple file extensions. It employs various evasion techniques, including disabling event logging and real-time protection. The ransomware's execution reveals technical anomalies, suggesting it may still be in development and could evolve further.

Havoc: SharePoint with Microsoft Graph API turns into FUD C2

released on 2025-03-03 @ 06:02:14 PM
A phishing campaign combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The attack starts with an HTML attachment using ClickFix to deceive users into executing malicious PowerShell commands. The malware stages are hidden behind SharePoint sites, and a modified Havoc Demon uses Microsoft Graph API to obscure C2 communications. The attack chain includes sandbox evasion, Python shellcode loader, KaynLdr for DLL loading, and a customized Havoc Demon DLL. The threat actor creates two files in SharePoint for C2 communication, encrypts data with AES-256, and supports various malicious commands. This campaign demonstrates the integration of public services with modified open-source tools to evade detection.

Uncovering .NET Malware Obfuscated by Encryption and Virtualization

released on 2025-03-03 @ 04:54:17 PM
This article examines advanced obfuscation techniques used in popular malware families like Agent Tesla, XWorm, and FormBook/XLoader. The techniques include code virtualization, staged payload delivery, dynamic code loading, AES encryption, and multi-stage payloads. The malware uses a three-stage process: an encrypted payload in the PE overlay, a virtualized payload using KoiVM, and a final payload that is typically Agent Tesla or XWorm. The obfuscation methods aim to evade sandbox detection and hinder static analysis. The article provides insights into extracting configuration parameters through unpacking each stage and discusses potential automation opportunities for sandboxes performing static analysis.

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

released on 2025-03-03 @ 08:12:06 AM
The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. They exploit Microsoft Teams and Quick Assist for unauthorized access and privilege escalation. The malware is deployed through abuse of OneDriveStandaloneUpdater.exe, which side-loads malicious DLLs. The attackers utilize commercial cloud storage services to host and distribute malicious files. Since October 2024, most incidents occurred in North America and Europe, with the US being the most affected. The manufacturing sector was the primary target, followed by financial and real estate industries.

Astrill VPN: New IPs Publicly Released on VPN Service Heavily Used by North Korean Threat Actors

released on 2025-03-01 @ 06:36:14 PM
North Korean threat actors, particularly from the Lazarus Group, continue to utilize Astrill VPN to conceal their IP addresses during attacks. Recent infrastructure and logs from the 'Contagious Interview' subgroup confirmed ongoing use of Astrill VPN in their operations. Google's Mandiant and Recorded Future's Insikt Group have also reported on DPRK threat actors' preference for this VPN service. Silent Push analysts have developed a 'Bulk Data Feed' of Astrill VPN IPs, updated in real-time, to help protect against threats. The research includes confirmation of Astrill VPN usage in recent attacks, including the $1.4 billion ByBit heist. A sample list of active Astrill VPN IP addresses is provided, with more comprehensive data available to enterprise users.

2024 Malicious Infrastructure Insights: Key Trends and Threats

released on 2025-02-28 @ 06:30:08 PM
The report highlights significant trends in malicious infrastructure for 2024, including the rise of malware-as-a-service infostealers, continued dominance of Cobalt Strike among offensive security tools, and increased use of legitimate services by threat actors. Key findings include LummaC2's dominance in command-and-control servers, AsyncRAT and Quasar RAT remaining top remote access tools, and Android being the primary target for mobile malware. The US and China were the top malicious hosting locations, while traffic distribution systems enhanced cybercrime efficiency. Chinese state-sponsored groups expanded their use of relay networks, and Russian groups increasingly relied on legitimate services to evade detection. The report suggests defenders should prioritize top malware and infrastructure techniques, enhance network monitoring, and balance blocking high-risk services based on criticality and risk level.

Russian campaign targeting Romanian WhatsApp numbers

released on 2025-02-28 @ 02:30:29 PM
A campaign originating from Russia has been identified, targeting Romanian WhatsApp users. The operation involves sending messages to victims, encouraging them to vote in a fake contest. When users click on the provided link, they are prompted to enter their WhatsApp number and an 8-character code, which grants the attackers access to the victim's account. The campaign uses multiple domains with Romanian-themed names, and evidence suggests previous targeting of English and Turkish-speaking users. The attackers exploit compromised accounts to spread the malicious messages further, potentially leading to account loss due to spamming. Users are advised against entering codes from suspicious websites to protect their WhatsApp accounts.

Analysis of an incident involving a web shell used as a backdoor

released on 2025-02-28 @ 02:30:27 PM
A SOC investigation uncovered a web shell attack on a government SharePoint server in Southeast Asia. The attackers used certutil to download an ASPX payload disguised as a 404 page, then employed Potato tools for privilege escalation. Analysis revealed the web shell to be Behinder, a modular backdoor with encrypted communication capabilities. The incident highlights the importance of memory-based threat detection and continuous learning for SOC teams. A YARA rule was developed to identify similar payloads, and indicators of compromise were provided.

DNS Early Detection - Fast Propagating Fake Captcha distributes LummaStealer

released on 2025-02-28 @ 10:36:24 AM
Between October 2024 and February 2025, LummaStealer malware was distributed via fake CAPTCHA pages, targeting users who store sensitive information in browsers and cryptocurrency wallets. The malware, available as a Malware-as-a-Service, collects data for fraud and unauthorized access. Threat actors use fake CAPTCHA to establish trust and initiate obfuscated scripts, leading to secondary payloads and lateral movements. Infoblox's DNS monitoring detected malicious domains an average of 46.8 days before public reports, providing early protection for customers. Given the easy access to malicious adtech services and fake CAPTCHA content, continued and increased usage by threat actors is expected.

Long Live The Vo1d Botnet: New Variant Hits 1.6 Million TV Globally

released on 2025-02-28 @ 10:35:45 AM
The Vo1d botnet has infected 1.6 million Android TV devices across 200+ countries, posing a significant cybersecurity threat. This new variant demonstrates enhanced stealth and resilience, utilizing RSA encryption, DGA-based infrastructure, and a modified XXTEA algorithm. The botnet's scale and capabilities surpass previous major attacks, potentially enabling devastating DDoS attacks or unauthorized content broadcasting. Analysis reveals a sophisticated multi-component system including downloaders, backdoors, and modular malware for proxy services and ad fraud. The botnet's rapid growth and evasion techniques highlight the urgent need for improved security measures in smart TV devices and set-top boxes.

Your MFA Is No Match for Sneaky2FA

released on 2025-02-28 @ 05:26:14 AM
In early February 2025, the eSentire Threat Response Unit detected a user accessing a phishing site associated with Sneaky2FA, an Adversary-in-the-Middle Phishing-as-a-Service kit designed to bypass two-factor authentication. The attack involved a spam email with a link to a phishing PDF in OneDrive, redirecting users to a fake Office 365 page. Sneaky2FA uses Cloudflare Turnstile to prevent scanners from accessing the phishing page. The kit captures user credentials and 2FA codes, providing operators with session cookies for unauthorized access. Phishing operators were observed using stolen cookies to add MFA methods, hiding behind VPN and proxy services. The sophisticated nature of Sneaky2FA allows damaging follow-on activities such as email exfiltration, spam, and BEC attacks.

Sellers can get scammed too, and a rant about imposter syndrome

released on 2025-02-28 @ 05:26:13 AM
This report discusses two main topics: imposter syndrome in cybersecurity and scams targeting sellers. It highlights the prevalence of imposter syndrome among cybersecurity professionals, especially in high-performing teams, and offers advice on coping with self-doubt. The report also addresses seller abuse, where sellers are defrauded by buyers, emphasizing the importance of understanding both buyer and seller experiences to prevent fraud. Additionally, it mentions recent security headlines, including data breaches affecting veterans and IVF patients, and a new Linux backdoor targeting education and public sectors.

DragonForce Ransomware Group is Targeting Saudi Arabia

released on 2025-02-27 @ 07:28:58 PM
DragonForce ransomware has targeted organizations in Saudi Arabia, with a significant data leak from a Riyadh real estate and construction company. The group exfiltrated over 6 TB of data, setting a deadline just before Ramadan. DragonForce operates on a RaaS model, offering high commission rates for affiliates and supporting various platforms. They use advanced techniques, including a customized CAPTCHA filter and encrypted communications. The group's builder offers flexibility in payload configuration, and they leverage legitimate tools for file transfers. DragonForce employs a dual extortion strategy and has been observed using specific CVEs for network infiltration. The targeting of Saudi Arabia raises concerns about critical infrastructure security in the region.

Njrat Campaign Using Microsoft Dev Tunnels

released on 2025-02-27 @ 02:19:05 PM
A new Njrat malware campaign has been detected utilizing Microsoft's dev tunnels service for command and control (C2) communication. This service, designed for developers to securely expose local services to the internet, is being exploited by the malware to establish connections with C2 servers. Two samples were identified with different dev tunnel URLs but identical Import Hashes. The malware sends status updates to the C2 server and can potentially propagate through USB devices. A configuration file extracted from one sample reveals details about the C2 server, ports, and botnet name. The article suggests monitoring DNS logs for 'devtunnels.ms' as a defensive measure against this threat.

Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations

released on 2025-02-27 @ 01:18:46 PM
Since at least March 2023, a suspected Chinese threat actor has been targeting government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. The attackers employ a sophisticated backdoor known as Squidoor, which affects both Windows and Linux systems. Squidoor is modular and designed for stealth, utilizing multiple communication protocols—including Outlook API, DNS tunneling, and ICMP tunneling—to establish covert channels with command and control servers. Initial access is typically achieved by exploiting vulnerabilities in Internet Information Services (IIS) servers, followed by the deployment of obfuscated web shells for persistent access.

Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

released on 2025-02-27 @ 12:31:10 PM
Cisco Talos uncovered multiple cyber espionage campaigns attributed to the Lotus Blossom group, targeting government, manufacturing, telecommunications, and media sectors. The operations utilize various versions of the Sagerunex backdoor and other hacking tools. Lotus Blossom has been active since 2012 and continues to evolve its tactics. New Sagerunex variants use third-party cloud services like Dropbox, Twitter, and Zimbra for command and control, enhancing evasion capabilities. The group employs a multi-stage attack chain for long-term persistence, often remaining undetected for months. Victims include organizations in the Philippines, Vietnam, Hong Kong, and Taiwan. The analysis reveals Lotus Blossom's sophisticated techniques, including the use of VMProtect for code obfuscation and strategic placement of tools in public folders for evasion.

Fake WordPress Plugin Impacts SEO by Injecting Casino Spam

released on 2025-02-27 @ 02:21:30 AM
A recent investigation uncovered a malicious WordPress plugin disguised as an innocent security tool, injecting casino spam into website footers. The attackers employed obfuscation techniques and cURL to fetch data from a remote URL, decrypting it using XOR encryption. The malware retrieves a set of spammy casino links from a malicious domain and injects them into the victim's website footer. This tactic aims to improve search engine rankings for the attacker's websites, drive traffic to malicious sites, or fulfill paid link-building schemes. Website owners are advised to keep software updated, enforce strong passwords, review installed plugins, regularly scan for malware, monitor logs, and implement a web application firewall to mitigate such risks.

DNS Early Detection - Fast Propagating Fake Captcha distributes LummaStealer

released on 2025-02-27 @ 12:40:45 AM
Between October 2024 and February 2025, LummaStealer malware was distributed via fake CAPTCHA pages, targeting users who store sensitive information in browsers and cryptocurrency wallets. LummaStealer, available as Malware-as-a-Service, collects data for fraud and unauthorized access. Fake CAPTCHA pages deceive users into executing commands that download evasive files. Infoblox monitored threat actor infrastructure by analyzing DNS traffic, providing early detection of malicious domains an average of 46.8 days before public reports. The use of fake CAPTCHAs in malicious adtech schemes, involving operators and advertisers, was also highlighted. These sophisticated tactics pose significant risks to individuals and organizations.

North Korean-Linked macOS Malware Targets Cryptocurrency Sector with RustDoor and Koi Stealer

released on 2025-02-26 @ 04:41:21 PM
A recent campaign attributed to North Korean threat actors has been identified, targeting macOS users in the cryptocurrency industry. The attackers employ sophisticated social engineering techniques, posing as recruiters to lure job-seeking software developers into downloading malicious software. The malware suite includes "RustDoor," a Rust-based backdoor masquerading as legitimate software updates, and a previously undocumented macOS variant of "Koi Stealer," designed to exfiltrate sensitive information.

Erudite Mogwai Uses Custom Stowaway to Stealthily Advance Online

released on 2025-02-26 @ 09:27:49 AM
The Solar 4RAYS team discovered a malicious campaign targeting Russian IT organizations providing services to the government sector. They found a customized version of the open-source Stowaway proxy tool being used by the threat actor Erudite Mogwai (also known as Space Pirates). The attackers modified Stowaway to remove some functionality and alter the remaining features. They use it in combination with other tools like ShadowPad Light for lateral movement and data exfiltration. The campaign began in March 2023 by compromising public web services and slowly spread through the victim's infrastructure over 19 months before being detected. The attackers customized Stowaway by changing compression and encryption methods, adding QUIC protocol support, and modifying the communication protocol.

Operation SalmonSlalom

released on 2025-02-26 @ 09:26:11 AM
A sophisticated cyberattack targeting industrial organizations in the Asia-Pacific region has been uncovered. The attackers utilized legitimate Chinese cloud services and a multi-stage payload delivery framework to evade detection. The campaign, named SalmonSlalom, employed techniques such as native file hosting CDN, public packers for encryption, dynamic C2 address changes, and DLL sideloading. The attack shares similarities with previous campaigns using open-source RATs like Gh0st RAT and FatalRAT, but demonstrates a shift in tactics tailored to Chinese-speaking targets. The malware installation process is complex, involving multiple stages and the use of legitimate applications to disguise malicious activity.

Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition

released on 2025-02-26 @ 09:25:00 AM
A new campaign attributed to the Ghostwriter threat actor has been observed targeting opposition activists in Belarus and Ukrainian military and government organizations. The operation, which began preparation in mid-2024 and entered an active phase in late 2024, employs weaponized Excel documents with malicious macros to deliver PicassoLoader variants and other payloads. The campaign uses lures related to Ukrainian military and government interests, as well as Belarusian opposition topics. Multiple stages of the attack chain involve obfuscated downloaders, decoy documents, and attempts to fetch additional payloads from command and control servers. The threat actor's tactics have evolved, showing adaptations to previous techniques and targeting both Ukrainian entities and Belarusian opposition groups.

Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks

released on 2025-02-26 @ 12:13:06 AM
A significant discovery has been made regarding the Lazarus Advanced Persistent Threat (APT) Group's infrastructure. Analysts have uncovered a domain registered by the group shortly before the $1.4 billion Bybit crypto heist, linked to an email address used in previous attacks. The investigation revealed 27 unique Astrill VPN IP addresses in logs associated with the group's test records. The ongoing campaign involves fake job interviews on LinkedIn to lure victims into downloading malware. The research also uncovered connections to multiple domains likely part of Lazarus infrastructure, with a focus on employment scams targeting the crypto community. The group's tactics include sophisticated social engineering and malware deployment methods.

Android trojan TgToxic updates its capabilities

released on 2025-02-26 @ 12:13:02 AM
TgToxic, an Android banking trojan, has undergone significant updates to enhance its capabilities and evade detection. Initially targeting Southeast Asia, the malware has expanded its reach to include European and Latin American banks. The latest version incorporates improved emulator detection techniques, shifts from hard-coded C2 domains to dead drop locations on community forums, and finally adopts a domain generation algorithm (DGA) for C2 communication. These changes demonstrate the threat actors' adaptability and commitment to improving the malware's effectiveness. The campaign distributes TgToxic through various channels, including SMS, phishing websites, and deceptive applications. The malware's ongoing evolution poses significant challenges for cybersecurity defenses and highlights the need for dynamic, adaptive countermeasures.

Chinese APT Target Royal Thai Police in Malware Campaign

released on 2025-02-26 @ 12:13:02 AM
A malware campaign targeting the Royal Thai Police has been identified, using seemingly legitimate FBI-related documents to deliver the Yokai backdoor. The attack, consistent with the Chinese APT group Mustang Panda, involves a RAR archive containing a shortcut file that executes ftp.exe to process commands from a disguised PDF. The malware, a trojanized version of PDF-XChange Driver Installer, dynamically resolves API calls to evade detection and establishes persistence through registry modification. It connects to a C2 server at 154.90.47.77 over TCP Port 443, with geo-locking to Thailand. This campaign appears to be part of a broader effort targeting Thai officials, highlighting the ongoing cyber espionage landscape in Southeast Asia.

DeepSeek Lure Used To Spread Malware

released on 2025-02-25 @ 07:40:37 PM
Cybercriminals are exploiting DeepSeek's popularity by creating fake look-alike domains to deliver the Vidar information stealer. The attack chain involves a deceptive website that prompts users to complete a fake partner registration, leading to a malicious CAPTCHA page. This page injects a PowerShell command into the user's clipboard, which, when executed, downloads and launches the Vidar malware. Vidar targets cryptocurrency wallets, browser data, and sensitive files, using Telegram and Steam for C2 communication. The campaign highlights the rapid exploitation of AI technologies by threat actors and emphasizes the need for enhanced security measures and user education.

Fake CAPTCHA Lures Victims: Lumma Stealer Abuses Clipboard and PowerShell

released on 2025-02-25 @ 07:40:33 PM
A new malware campaign using fake CAPTCHA pages to deliver Lumma Stealer has been identified. The attack leverages ClickFix, a deceptive tactic involving phishing and fake reCAPTCHA pages impersonating Cloudflare verification. The infection chain begins with a fake CAPTCHA page tricking victims into running malicious commands copied to their clipboard. This launches mshta.exe, which executes a VBScript to run PowerShell commands. These commands download and execute a malicious payload, which acts as a loader for Lumma Stealer. The attack uses various evasion techniques, including anti-debugging measures and code injection. The stealer captures screen data, extracts clipboard information, and exfiltrates stolen data through multiple command-and-control servers.

GhostSocks - Partner In Proxy

released on 2025-02-25 @ 01:58:06 PM
GhostSocks is a Golang-based SOCKS5 backconnect proxy malware first identified in October 2023. It is primarily deployed alongside the LummaC2 information stealer and offered as Malware-as-a-Service. GhostSocks uses a relay-based C2 implementation with HTTP API, allowing attackers to route traffic through infected systems. The malware's integration with Lumma, including automatic provisioning and discounted pricing, enhances post-infection capabilities for credential abuse and anti-fraud bypassing. GhostSocks contains additional backdoor functionality, such as arbitrary command execution and credential modification. Its C2 infrastructure largely operates on VDSina (AS216071), a Russian-speaking server provider. The malware exemplifies the commodification of SOCKS5 backconnect malware in the criminal ecosystem, posing a significant threat to financial institutions and high-value targets.

PolarEdge: Unveiling an uncovered ORB network

released on 2025-02-25 @ 10:03:55 AM
An analysis of the PolarEdge backdoor and its associated botnet reveals a sophisticated cyber threat targeting various edge devices. The botnet exploits vulnerabilities in Cisco, Asus, QNAP, and Synology devices, using a TLS backdoor to establish control. Active since at least late 2023, PolarEdge has infected over 2,000 devices globally, with a significant presence in Asia and South America. The attackers employ complex infrastructure for payload delivery and command and control, utilizing multiple domains and IP addresses. While the botnet's ultimate purpose remains unclear, it's suspected to potentially use compromised devices as Operational Relay Boxes for launching offensive cyber attacks. The sophistication of the operation suggests skilled operators behind this extensive and well-coordinated threat.

Healthcare Malware Hunt, Part 1: Silver Fox APT Targets Philips DICOM Viewers

released on 2025-02-25 @ 09:52:48 AM
Forescout reported a cyber attack by the Silver Fox APT group on Philips DICOM medical imaging software. The attackers exploited vulnerabilities in the software to gain unauthorized access to sensitive patient data and hospital networks.

Auto-Color: An Emerging and Evasive Linux Backdoor

released on 2025-02-25 @ 02:46:32 AM
Auto-color is a newly discovered Linux malware that employs sophisticated evasion techniques. It renames itself to benign-looking filenames, hides remote C2 connections using advanced methods similar to Symbiote malware, and uses proprietary encryption for communication. The malware installs a malicious library implant to intercept system calls and conceal its network activity. It provides threat actors with full remote access to compromised machines and is difficult to remove. Auto-color primarily targets universities and government offices in North America and Asia. The malware's C2 protocol includes a simple handshake and encrypted messages for issuing commands. Its capabilities include file operations, network proxying, and creating reverse shells.

Unmasking a Large-Scale Legacy Driver Exploitation Campaign

released on 2025-02-24 @ 04:26:36 PM
Check Point Research uncovered an extensive campaign exploiting a vulnerability in the legacy version 2.0.2 of the Truesight.sys driver, part of Adlice's RogueKiller Antirootkit suite. Attackers leveraged this vulnerability to deploy an EDR/AV killer module, effectively disabling security solutions on targeted systems.

Phishing Campaigns Targeting Higher Education Institutions

released on 2025-02-24 @ 03:43:47 PM
Since August 2024, there has been a significant increase in phishing attacks targeting U.S. universities. Three distinct campaigns have emerged, exploiting trust within academic institutions to deceive students, faculty, and staff. One campaign used compromised educational institutions to host Google Forms for phishing. Another involved cloning university login pages and re-hosting them on attacker-controlled infrastructure. A third campaign targeted staff and students in a two-step process, first phishing faculty credentials and then using compromised accounts to target students. These attacks aim to steal login credentials and financial information, often timed to coincide with key dates in the academic calendar. The campaigns employ various tactics to increase perceived legitimacy and perform payment redirection attacks.

Fake GitHub projects distribute stealers in GitVenom campaign

released on 2025-02-24 @ 02:22:00 PM
The GitVenom campaign involves threat actors creating hundreds of fake repositories on GitHub containing malicious code disguised as legitimate projects. These repositories include well-designed README files and artificially inflated commit numbers to appear genuine. The malicious code, implemented in various programming languages, downloads and executes further malicious components from attacker-controlled repositories. These components include a Node.js stealer, AsyncRAT, Quasar backdoor, and a clipboard hijacker targeting cryptocurrency transactions. The campaign has been active for several years, with infection attempts observed worldwide, particularly in Russia, Brazil, and Turkey. The attackers' tactics highlight the importance of carefully examining third-party code before integration or execution.

New wave of targeted attacks of the Angry Likho APT on Russian organizations

released on 2025-02-24 @ 09:02:12 AM
The Angry Likho APT group has launched a new wave of targeted attacks primarily against Russian organizations. The group employs spear-phishing emails with malicious attachments as the initial attack vector. A previously unknown implant was discovered, utilizing a self-extracting archive and AutoIt scripts to deploy the Lumma Trojan stealer. The malware exfiltrates sensitive data, including browser information, cryptocurrency wallets, and authentication details. Hundreds of victims have been identified, mostly in Russia and Belarus. The group's tactics remain consistent, with periodic pauses in activity followed by new attack waves. They rely on readily available malicious utilities rather than developing custom tools.

Confluence Exploit Leads to LockBit Ransomware

released on 2025-02-24 @ 06:16:27 AM
An intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, leading to LockBit ransomware deployment across the environment. The threat actor utilized various tools including Mimikatz, Metasploit, and AnyDesk. They leveraged RDP for lateral movement and deployed ransomware through multiple methods, including SMB file copying and automated distribution via PDQ Deploy. Sensitive data was exfiltrated using Rclone to MEGA.io cloud storage. The intrusion had a rapid Time to Ransom of approximately two hours, showcasing the efficiency of the attack.

SPYLEND: The Android App Available on Google Play Store: Enabling Financial Cyber Crime & Extortion

released on 2025-02-22 @ 09:46:49 PM
A sophisticated Android malware called SpyLend, disguised as a 'Finance Simplified' app, is targeting Indian users through the Google Play Store. The app leverages location-based targeting to display unauthorized loan applications, enabling predatory lending, blackmail, and extortion. It has rapidly gained downloads, increasing from 50,000 to 100,000 in a week. The malware collects sensitive user data, including photos, contacts, and clipboard content, which is then used for harassment and extortion. The app's infrastructure suggests Chinese-speaking attackers are behind the operation. It employs various techniques to evade detection and persist on devices, posing a significant threat to user privacy and financial security.

Lumma Stealer Malware Thrives as Unique Patterns Uncovered in the Infostealer's Domain Clusters

released on 2025-02-22 @ 12:33:07 AM
Recent research reveals Lumma Stealer command and control domain clusters share specific technical characteristics, enabling mapping of entire infrastructure clusters. The infostealer's logs are being shared for free on Leaky[.]pro, a new hacking forum, offering billions of stolen credential records. There's an alarming increase in malware spread via malicious YouTube links and infected files disguised in videos, comments, or descriptions. Lumma Stealer infections typically enable more extensive attacks, including ransomware deployment and espionage operations. The malware targets multiple Windows versions, stealing sensitive information like login credentials, browser data, chat logs, and cryptocurrency wallet details. Distribution methods include malvertising on popular search engines and malspam with harmful attachments. Threat actors register clusters of 10-20 domains at a time, some used immediately while others age for up to two weeks.

LightSpy Malware Now Targets Facebook & Instagram Data

released on 2025-02-21 @ 03:28:00 PM
LightSpy, a modular surveillance framework, has expanded its capabilities to target Facebook and Instagram data. The malware, initially focused on mobile devices, now compromises Windows, macOS, Linux, and routers. Recent analysis reveals a significant expansion in its command list, with over 100 commands spanning multiple platforms. New Android commands specifically target Facebook and Instagram database files, potentially allowing attackers to collect private messages, contact lists, and account metadata. The infrastructure analysis uncovered previously unreported components, including a core version dated 2021-12-31. Windows plugins focus on keylogging, audio recording, video capture, and USB interaction. The exposure of admin panel authentication endpoints provides insights into the malware's operational framework.

Sophisticated Payment Card Skimming Campaign Conceals Itself by Leveraging Stripe API

released on 2025-02-21 @ 05:58:36 AM
A new payment card skimming campaign has been discovered, demonstrating advanced techniques to evade detection. The attack exploits Stripe's deprecated API to verify card details before exfiltration, ensuring only valid payment information is stolen while maintaining a seamless customer experience. The multi-stage compromise begins with a compromised first-party script that targets checkout pages. The attackers then remove legitimate Stripe payment elements, inject visually identical but compromised elements, and capture payment details. The stolen data is validated through Stripe's API before being exfiltrated to an unidentified malicious domain. This sophisticated approach allows the attack to operate seamlessly, making detection extremely challenging for both users and security researchers.

Targeting of freelance developers

released on 2025-02-21 @ 05:58:33 AM
North Korea-aligned cybercriminals are targeting freelance software developers through fake job offers and coding challenges containing malware. The campaign, dubbed DeceptiveDevelopment, uses two main malware families - BeaverTail and InvisibleFerret - to steal cryptocurrency wallets and login credentials. Attackers pose as recruiters on platforms like LinkedIn and GitHub, providing trojanized projects as part of fake interview processes. The malware steals browser data, cryptocurrency wallets, and system information, and can deploy remote access tools. Hundreds of victims globally have been observed across Windows, Linux and macOS systems. The operation shows increasing sophistication and is expected to continue evolving its tactics to target cryptocurrency users.

The Bleeding Edge of Phishing: darcula-suite 3.0 Enables DIY Phishing of Any Brand

released on 2025-02-20 @ 08:48:50 PM
The darcula-suite 3.0 represents a significant advancement in phishing capabilities, allowing criminals to easily create customized phishing campaigns targeting any brand. This new version, set to launch in February 2025, builds upon the previous darcula V2 platform, which has already impacted over 200 brands worldwide. The suite utilizes browser automation tools to clone legitimate websites and create convincing phishing versions. It features improved admin dashboards, performance statistics, and Telegram notifications for criminals. The platform's ease of use and advanced deception techniques, such as unique deployment paths and IP filtering, make it a significant threat to brands previously not targeted. Netcraft has detected and blocked over 90,000 darcula phishing domains and taken down more than 20,000 fraudulent websites since March 2024.

Finance Report: Who Targets Financial Institutions?

released on 2025-02-20 @ 08:48:49 PM
This report provides an overview of key cybercrime and state-sponsored threat actors targeting the financial sector in 2024. It highlights the critical role of Initial Access Brokers in enabling large-scale attacks, the persistent threat of ransomware and extortion groups, and the increasing sophistication of banking malware campaigns. The report also examines the rise of Phishing-as-a-Service models and their impact on financial institutions. Additionally, it explores state-sponsored Advanced Persistent Threats (APTs) targeting the sector, including North Korean groups focused on bypassing sanctions, and the growing collaboration between APTs and cybercriminal operators. The analysis covers the actors' motivations, victimology, infection vectors, and tools used in their campaigns against financial entities.

Bloody Wolf evolution: new targets, new tools

released on 2025-02-20 @ 07:47:47 PM
Bloody Wolf, a notorious threat actor, has shifted its tactics by replacing malware with the legitimate remote administration tool NetSupport. The group has expanded its targets to include organizations in both Kazakhstan and Russia, compromising over 400 systems. Their attack method involves phishing emails with PDF attachments containing links to malicious JAR files. These files download and install NetSupport components, enabling full system access. The campaign exploits the prevalence of remote work and the increased use of remote administration software. The attackers' use of legitimate tools makes detection more challenging for conventional defenses. The report provides detailed technical information about the attack process and indicators of compromise.

Stately Taurus Activity in Southeast Asia Links to Bookworm Malware

released on 2025-02-20 @ 07:47:45 PM
Unit 42 researchers have discovered connections between Stately Taurus, a threat actor targeting ASEAN countries, and the Bookworm malware family. Analysis of infrastructure and code overlaps revealed links between recent Stately Taurus attacks and Bookworm samples dating back to 2015. The group has been using both Bookworm and ToneShell malware in their operations. Bookworm has undergone minimal changes since 2015, demonstrating its versatility and continued effectiveness. The malware's modular design allows for flexible packaging to meet operational needs. Stately Taurus is expected to continue developing and utilizing Bookworm in future attacks targeting Southeast Asian organizations.

Demystifying PKT and Monero Cryptocurrency deployed on MSSQL servers

released on 2025-02-20 @ 01:44:21 PM
This analysis examines a recent cryptocurrency mining operation targeting MSSQL servers, focusing on PKT Classic and Monero cryptocurrencies. The attack exploits vulnerabilities to deploy mining tools, including PacketCrypt for PKT and XMRIG for Monero. The process involves using Windows utilities and PowerShell scripts to download and execute malicious files. The miners consume significant system resources, potentially degrading performance and causing hardware wear. The attackers utilize GitHub repositories, obfuscation techniques, and multi-stage attacks to evade detection. The article provides details on the attack chain, wallet information, and file analysis, highlighting the sophisticated nature of the operation. Mitigation strategies include regular software updates, strong authentication measures, and robust antivirus protection.

Updated Shadowpad Malware Leads to Ransomware Deployment

released on 2025-02-20 @ 10:44:32 AM
A recent investigation revealed Shadowpad malware being used to deploy a new ransomware family in Europe. The threat actor targeted 21 companies across 15 countries, primarily in the manufacturing sector. Access was gained through remote network attacks, exploiting weak passwords and bypassing multi-factor authentication. The Shadowpad malware showed enhancements in anti-debugging techniques and encryption methods. Unusually, a previously unreported ransomware was deployed in some cases, mimicking the appearance of Kodex Evil Extractor but with different functionality. The attackers also used tools like CQHashDumpv2 and Impacket for post-exploitation activities. While attribution remains uncertain, there are weak links to the Teleboyi threat actor.

Evolving Snake Keylogger Variant

released on 2025-02-20 @ 08:49:08 AM
A new variant of Snake Keylogger, identified as AutoIt/Injector.GTY!tr, has been detected by FortiSandbox v5.0. This malware has attempted over 280 million infections, primarily targeting China, Turkey, Indonesia, Taiwan, and Spain. Snake Keylogger steals sensitive information from popular web browsers by logging keystrokes, capturing credentials, and monitoring the clipboard. It exfiltrates data to its command-and-control server using SMTP and Telegram bots. FortiSandbox's advanced AI engine, PAIX, detected the malware through static and dynamic analysis, revealing its use of AutoIt for obfuscation, process hollowing techniques, and persistence mechanisms. The keylogger also employs specialized modules to steal credit card details and leverages the SetWindowsHookEx API for keystroke capture.

Trimble Cityworks: CVE-2025-0994: Active Exploitation

released on 2025-02-20 @ 02:49:25 AM
A high-severity deserialization vulnerability in Trimble Cityworks, CVE-2025-0994, affects versions before 15.8.9 and Office Companion versions before 23.10. This flaw allows authenticated attackers to execute remote code on Microsoft IIS web servers. Exploitation indicators suggest the use of Rust-based loaders to deploy VShell and Cobalt Strike. Malicious files, including obfuscated JavaScript and executables, were likely downloaded from Cobalt Strike C2 servers. Shodan reveals 111 exposed Cityworks instances, with 21% vulnerable. The majority are in the US, including .gov domains. Organizations are urged to upgrade to patched versions immediately, as CISA has added this CVE to their Known Exploited Vulnerabilities Catalog.

XWorm Cocktail: A Mix of PE data with PowerShell Code

released on 2025-02-19 @ 04:12:55 PM
A malicious file discovered on VirusTotal triggered a PowerShell rule, leading to the investigation of two closely related files identified as 'data files' but named as executables. The files contain a mix of PowerShell code, binary data, and obfuscated text. Analysis revealed characteristics of XWorm malware, including functions for system manipulation, data exfiltration, and keylogging. The obfuscation technique involves Base64 encoding, compression, and mathematical operations combined with logical operands. The malware attempts to evade detection, create persistence, and perform various malicious activities. The investigation highlights the complexity of modern malware obfuscation techniques and the challenges in deobfuscating such threats.

Malicious Signal, Line, and Gmail Installers Target Chinese-Speaking Users with Backdoors

released on 2025-02-18 @ 10:51:50 PM
A malicious campaign is targeting Chinese-speaking users by distributing backdoored executables through fake download pages for popular apps like Signal, Line, and Gmail. The attackers use seemingly unrelated domain names and rely on search engine manipulation to lure victims. The malware follows a consistent execution pattern, involving temporary file extraction, process injection, security modifications, and network communications. It exhibits infostealer-like functionality and has been identified as 'MicroClip'. The campaign uses centralized infrastructure hosted on Alibaba servers in Hong Kong. Users are advised to be cautious of unofficial download sites and verify software sources to protect against such threats.

Amazon Phish Hunts for Security Answers and Payment Information

released on 2025-02-18 @ 10:51:48 PM
A phishing scheme targeting Amazon Prime users has been identified, aiming to steal login credentials, verification information, and payment data. The attack begins with a spoofed email claiming the user's payment method has expired. Clicking the update button redirects to a fake Amazon security alert on Google Docs, followed by a fraudulent login page. The scam then requests personal details, address information, and payment card data. This sophisticated phishing campaign not only seeks credentials but also additional information to bypass security measures. Users are advised to verify sender authenticity, log in directly to their accounts, and contact customer service for inquiries. The scheme's resemblance to legitimate Amazon processes makes it particularly dangerous for unsuspecting users.

Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

released on 2025-02-18 @ 10:51:45 PM
A new malware called Zhong Stealer has been identified targeting the cryptocurrency and fintech sectors through a phishing campaign. The attackers exploited chat support platforms, posing as customers to trick agents into downloading the malware. Zhong Stealer's execution flow involves multiple stages, including initial contact, downloader execution, persistence establishment, reconnaissance, credential theft, and data exfiltration. The malware uses various tactics such as disabling event logging, modifying registry keys, harvesting credentials, scheduling tasks, and communicating via non-standard ports. It exfiltrates stolen data to a command-and-control server in Hong Kong. Organizations are advised to train support teams, restrict file execution, monitor network traffic, and use real-time analysis tools to protect against this threat.

An Update on Fake Updates: Two New Actors, and New Mac Malware

released on 2025-02-18 @ 03:38:48 PM
Proofpoint has identified two new cybercriminal threat actors, TA2726 and TA2727, operating web inject campaigns. TA2726 acts as a traffic distribution service for TA569 and TA2727, while TA2727 delivers various malware payloads including a new MacOS information stealer called FrigidStealer. The landscape of web inject campaigns is expanding, with multiple copycat actors using similar techniques, making it challenging to track distinct activities. These campaigns typically involve malicious injects, traffic distribution services, and ultimate payloads, sometimes managed by different actors. The attacks use fake browser update lures to deliver malware to Windows, Android, and now Mac systems.

StaryDobry campaign targets gamers with XMRig miner

released on 2025-02-18 @ 12:54:38 PM
A cybercriminal campaign launched on December 31 exploited reduced vigilance during the holiday season by distributing trojanized versions of popular games via torrent sites. The attack, which lasted a month, affected users worldwide by spreading the XMRig cryptominer. The sophisticated infection chain employed various defense evasion techniques. Malicious installers were created using Inno Setup and contained encrypted malware components. Multiple stages of the attack chain involved anti-debugging checks, IP geolocation, system fingerprinting, and resource spoofing. The final payload was an XMRig miner configured to connect to the attacker's mining pool. The campaign primarily targeted regular users, with some organizational infections likely due to compromised computers within corporate networks.

Vgod RANSOMWARE

released on 2025-02-18 @ 06:02:05 AM
A new ransomware strain called Vgod has been observed targeting Windows systems. It encrypts files, appending the '.Vgod' extension, and leaves a ransom note titled 'Decryption Instructions.txt'. The ransomware changes the desktop wallpaper and employs a double extortion model, threatening data exposure and financial extortion. It uses advanced encryption techniques and sophisticated evasion and persistence mechanisms, making detection and removal challenging. The threat highlights the need for proactive cybersecurity measures and robust incident response strategies to protect data integrity and prevent breaches.

Chinese-Speaking Group Manipulates SEO with BadIIS

released on 2025-02-17 @ 11:17:27 AM
A Chinese-speaking group is conducting an SEO manipulation campaign in Asia using BadIIS malware. The campaign targets vulnerable Internet Information Services (IIS) servers, compromising them to redirect users to illegal gambling sites or malicious servers. Affected regions include India, Thailand, Vietnam, and others, with government, universities, and tech sectors being targeted. The malware can alter HTTP responses, inject suspicious JavaScript, and perform SEO fraud. This campaign highlights the need for organizations to update and patch IIS systems, monitor for abnormal installations, restrict administrative access, and implement strong security measures to mitigate risks.

Don't Ghost the SocGholish: GhostWeaver Backdoor

released on 2025-02-17 @ 11:10:59 AM
The article details a sophisticated malware infection chain involving SocGholish, MintsLoader, and the GhostWeaver backdoor. The attack begins with a fake browser update, progressing through multiple stages to deploy a PowerShell backdoor and various plugins. These components work together to steal sensitive information, including browser credentials, cryptocurrency wallet data, and Outlook contents. The malware utilizes advanced techniques such as process injection, JA3 fingerprint manipulation, and web injection to evade detection and intercept user data. The attackers primarily target non-AD-joined machines, suggesting a focus on smaller organizations or individual users with weaker security measures.

Lumma Stealer Chronicles: PDF-themed Campaign Using Compromised Educational Institutions' Infrastructure

released on 2025-02-17 @ 11:06:19 AM
An ongoing malware campaign is distributing Lumma Stealer, an information-stealing malware, through malicious LNK files disguised as PDF documents. The campaign exploits compromised educational institutions' infrastructure to host these files. When executed, the LNK files initiate a multi-stage infection process, ultimately deploying Lumma Stealer on the victim's machine. The malware targets various industries, including education, finance, healthcare, and technology. It employs sophisticated evasion techniques, such as using Steam profiles for command-and-control operations. The campaign highlights the importance of user awareness and robust security measures to protect against this Malware-as-a-Service (MaaS) threat that steals sensitive data like passwords, browser information, and cryptocurrency wallet details.

FinStealer

released on 2025-02-17 @ 11:03:22 AM
A sophisticated malware campaign exploits a leading Indian bank's brand through fraudulent mobile applications. Distributed via phishing links and social engineering, these fake apps mimic legitimate bank apps, tricking users into revealing sensitive information. The malware uses advanced evasion techniques, including encrypted communication with C2 servers, dynamic payload execution, and runtime behavior alterations. The attackers aim for financial gain through credential theft, unauthorized transactions, and data sale on darknet forums. The campaign employs Telegram bots, SQL injection attacks, and XOR encryption. The analysis highlights the threat's impact and provides recommendations for mitigation, including advanced monitoring, vulnerability patching, and user education.

Ransomware Roundup – Lynx

released on 2025-02-17 @ 10:54:18 AM
The Lynx ransomware, first detected in July 2024, is a Windows-targeting malware that encrypts files and demands ransom for decryption. It shares similarities with the INC ransomware but offers more granular control. Lynx encrypts files with a .LYNX extension, changes desktop backgrounds, and prints ransom notes. It targets specific processes and services, avoiding certain folders and file types. The ransomware has affected 96 victims across 16 countries, primarily in the United States, with manufacturing and construction industries most impacted. Despite claims of excluding certain sectors, some healthcare and energy organizations have been targeted. Fortinet products offer protection against Lynx through various security measures.

Valentine's Day Cyber Attack Landscape: Exploiting Love Through Digital Deception

released on 2025-02-15 @ 08:25:58 AM
Valentine's Day 2025 has become a focal point for sophisticated cybersecurity threats, with attackers exploiting emotional vulnerabilities and seasonal shopping behaviors. A complex network of scams has emerged, including OAuth-based phishing, brand impersonation, and cryptocurrency fraud. These threats utilize holiday-themed tactics and advanced technical infrastructure, exacerbated by fake e-commerce sites, manipulated payment gateways, and social media-driven amplification. The attacks spread through trusted connections, causing financial losses and lasting impacts such as compromised OAuth tokens, stolen credentials, and vulnerable business networks. This creates a persistent and self-replicating threat ecosystem that targets both consumers and organizations during this high-risk period.

You've Got Malware: FINALDRAFT Hides in Your Drafts

released on 2025-02-14 @ 03:42:43 PM
While investigating REF7707, Elastic Security Labs discovered a new family of previously unknown malware that leverages Outlook as a communication channel via the Microsoft Graph API. This post-exploitation kit includes a loader, a backdoor, and multiple submodules that enable advanced post-exploitation activities.

Inside a Malware Campaign: A Nigerian Hacker's Perspective

released on 2025-02-14 @ 10:53:02 AM
This analysis provides an in-depth look at a Nigerian cybercriminal's malware campaign process. The hacker begins by harvesting email addresses through Google dorking techniques, targeting specific industries and regions. They then configure email campaigns using spoofed domains and bulletproof hosting. The cybercriminal leverages ChatGPT to craft convincing phishing messages and uses Gammadyne Mailer to distribute emails. The campaign successfully sent nearly 6,000 emails in 30 minutes, resulting in several compromised victims. The malware, identified as XLogger, is distributed via RAR attachments containing executable files. Upon execution, it deploys a PowerShell script to decrypt the payload, inject it into a Windows service, and exfiltrate stolen data to a Telegram channel. This insight into the hacker's methodology highlights the ongoing challenges in cybersecurity and the need for improved user awareness and countermeasures.

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

released on 2025-02-14 @ 02:48:46 AM
Russian threat actors are conducting social-engineering and spear-phishing campaigns to compromise Microsoft 365 accounts using Device Code Authentication phishing. This method has proven more effective than traditional techniques. Campaigns have targeted organizations with politically-themed lures, impersonating entities like the US Department of State and Ukrainian Ministry of Defence. Three distinct threat actors (UTA0304, CozyLarch/APT29, and UTA0307) have been identified using similar tactics but with slight variations in their approach and infrastructure. The attacks exploit users' unfamiliarity with the Device Code Authentication process, making it challenging to recognize as phishing. Detection methods and preventive measures are available but often not implemented by organizations.

Technical Analysis of Xloader Versions 6 and 7 P2

released on 2025-02-14 @ 01:02:52 AM
This second part of a two-part technical analysis examines how the latest versions of the Xloader malware, known as Formbook, use advanced obfuscation techniques to mask critical parts of their code and data.

Changing the narrative on pig butchering scams

released on 2025-02-13 @ 10:18:44 PM
Interpol is advocating for a linguistic shift in describing romance scams, proposing to replace the term 'pig butchering' with 'romance baiting'. This change aims to prioritize respect and empathy for victims, encouraging more people to come forward and report these crimes. The article also highlights a recent Talos Vulnerability Deep Dive, which discovered a potential vulnerability in the IPP over USB specification. However, modern compiler features and static analysis tools successfully mitigated the issue, showcasing a rare win in cybersecurity. The newsletter also covers recent cybersecurity news, including the push for a Cyber Force at the Pentagon, the disruption of the 8Base ransomware group, and Magecart attackers abusing Google Tag Manager.

Russian Influence Operations Target German Elections

released on 2025-02-13 @ 10:39:45 AM
The upcoming German federal elections on February 23, 2025, are being targeted by Russian influence operations. While these efforts have not significantly altered voter behavior or public opinion as of mid-February, they aim to exacerbate German sociopolitical divisions, spread manipulated content, foster anti-US and anti-EU sentiment, and undermine NATO unity. The operations include Doppelgänger, Operation Overload, CopyCop, Operation Undercut, and the Russia-based Foundation to Battle Injustice. These campaigns are evolving their tactics, expanding to new platforms like Bluesky, launching new brands and websites, and using AI-based tools. Despite limited impact so far, the persistence and evolving nature of these operations pose ongoing risks to media integrity and public trust.

Inside the Scam: North Korea's IT Worker Threat

released on 2025-02-13 @ 09:34:59 AM
North Korea has exploited remote work opportunities to infiltrate international companies with fraudulent IT workers, generating revenue and posing cybersecurity risks. The group PurpleBravo targets cryptocurrency firms using malware like BeaverTail and InvisibleFerret. At least seven suspected North Korean front companies in China were identified spoofing legitimate IT firms. The threat extends beyond financial fraud to cyber espionage and intellectual property theft. Organizations are advised to implement stringent identity verification, enhanced remote work security, and robust international intelligence-sharing to counter this expanding threat from North Korean IT operatives.

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt

released on 2025-02-13 @ 09:03:52 AM
Pyramid, an open-source post-exploitation framework in Python, is being used by threat actors for malicious purposes. The tool features a lightweight HTTP/S server for encrypted payload delivery, blending with legitimate Python activity. This analysis examines Pyramid's server, outlines network signatures for detection, and highlights recently identified servers. The infrastructure exhibits distinctive HTTP response patterns, allowing for structured detection queries. Nine IP addresses across different ports were identified matching the criteria. Three of these IPs were previously associated with RansomHub activities. The post emphasizes the importance of proactive detection strategies to counter evolving tactics by adversaries using open-source offensive security tools.

Magento Credit Card Stealer Disguised in an HTML Tag

released on 2025-02-13 @ 01:13:56 AM
A sophisticated credit card stealing malware, disguised within an HTML tag, was discovered on a Magento-based eCommerce website. The malware uses Base64 encoding to hide its malicious JavaScript code, making it difficult to detect. It activates on the checkout page, waiting for user interaction before collecting credit card information. The script creates a hidden form to capture card details and sends the data to a remote server. This technique allows the malware to avoid detection by security scanners and remain unnoticed by users. The article emphasizes the importance of keeping eCommerce platforms updated, using web application firewalls, enforcing strong passwords, and implementing additional security measures to protect against such attacks.

The BadPilot campaign: Multiyear global access operation

released on 2025-02-12 @ 10:29:42 PM
A Russian state actor subgroup within Seashell Blizzard has conducted a global access operation called the BadPilot campaign since 2021. The group exploits vulnerabilities in Internet-facing infrastructure to gain persistent access to high-value targets across various sectors worldwide. Their tactics include deploying web shells, modifying network resources, and using remote management tools for persistence and command and control. The campaign has expanded Seashell Blizzard's geographical reach beyond Eastern Europe, targeting organizations in the US, UK, Canada, and Australia. The subgroup's activities enable Russia to respond to evolving strategic objectives and provide options for future actions.

From South America to Southeast Asia: The Fragile Web of REF7707

released on 2025-02-12 @ 09:39:52 PM
While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices.

CL0P Ransomware: Latest Attacks

released on 2025-02-12 @ 04:15:45 PM
The Cl0p ransomware group has recently targeted 43 organizations across various industries, with a focus on Manufacturing, Retail, and Transportation sectors. The majority of victims are located in the US, Canada, and Europe. The attackers likely exploited the Cleo vulnerability (CVE-2024-50623) for initial access. Over 1.6 million assets are potentially vulnerable to this exploit. The report provides IOCs, MITRE ATT&CK techniques, and YARA rules for detection. Cl0p is associated with the Russian cybercriminal group TA505/Evil Corp, known for custom malware development and sophisticated attack techniques. Recommendations include prioritizing patch management, implementing robust email filtering, and strengthening overall security posture.

XELERA Ransomware Campaign: Fake Food Corporation of India Job Offers Targeting Tech Aspirants

released on 2025-02-12 @ 10:20:15 AM
A newly discovered ransomware campaign is targeting tech job aspirants in India using fake Food Corporation of India job offers. The XELERA ransomware, written in Python and packed with PyInstaller, is distributed through spear-phishing emails containing malicious Word documents. The infection chain involves multiple stages, including a malicious OLE object, a PyInstaller executable, and Python scripts. The malware utilizes a Discord bot for command and control, enabling various malicious activities such as credential theft, file exfiltration, and system disruption. The ransomware component, XELERA, not only encrypts data but also corrupts the Master Boot Record, making systems unbootable. The campaign demonstrates sophisticated social engineering tactics and multi-stage malware deployment, posing a significant threat to individuals and organizations in India's tech sector.

Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns

released on 2025-02-12 @ 12:24:04 AM
EclecticIQ analysts have identified a cyber espionage campaign by Sandworm (APT44) targeting Ukrainian Windows users. The group is leveraging pirated Microsoft Key Management Service (KMS) activators and fake Windows updates to deliver a new version of the BACKORDER loader, which ultimately deploys Dark Crystal RAT (DcRAT). This enables data exfiltration and espionage activities. The campaign, likely ongoing since late 2023, exploits Ukraine's high software piracy rates, potentially compromising home users, businesses, and government networks. Multiple distribution campaigns have been observed, using similar lures and tactics. The attackers employ sophisticated techniques, including disabling Windows Defender, using Living Off the Land Binaries, and establishing persistence through scheduled tasks. The operation aligns with Russia's broader hybrid warfare strategy against Ukraine.

ClickFix Scam Exposed! Protect Your Data Before It's Too Late

released on 2025-02-11 @ 11:54:47 AM
Cybercriminals are exploiting DeepSeek's popularity to launch ClickFix phishing campaigns, tricking users into clicking fake CAPTCHA links that steal credentials and install malware like Vidar and Lumma Stealer. These attacks impersonate DeepSeek's branding to appear legitimate and bypass security measures. A malicious domain was discovered distributing malware via deceptive verification buttons. The campaign uses Cloudflare to mask its true nature and evade detection. The malware incorporates social media platforms for updates, support, and command-and-control functionality. Recommendations include user education, multi-factor authentication, email filtering, network segmentation, and regular software updates to mitigate the risks of phishing attacks and protect against data theft and financial loss.

Further insights into Ivanti CSA 4.6 vulnerabilities exploitation

released on 2025-02-11 @ 04:47:18 AM
This analysis examines the exploitation of critical vulnerabilities in Ivanti Cloud Service Appliance (CSA) 4.6 between October 2024 and January 2025. It confirms widespread exploitation leading to webshell deployments in September and October 2024. The report provides details on malicious activities conducted within a targeted organization in September 2024 after compromising an Ivanti CSA device. A cluster of associated implants and infrastructure is identified. A root cause analysis of CVE-2024-8963 reveals it stems from URL parsing issues in Ivanti's proprietary web server and PHP CGI configuration. The vulnerability allowed unauthenticated remote code execution. Various webshell variants deployed by attackers are described. Over 1,100 vulnerable Ivanti CSA devices were found online, with webshells on nearly half of them.

The Anatomy of Abyss Locker Ransomware Attack

released on 2025-02-10 @ 08:51:34 PM
Abyss Locker (AKA Abyss ransomware) is a relatively new threat group that emerged in 2023, specializing in swift and decisive intrusions designed to cripple victims with ransomware. Abyss Locker was active throughout 2024, causing multiple incidents investigated by Sygnia. However, no recent technical blogs provide detailed insights into the group’s modus operandi.

GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine's Largest State-Owned Bank

released on 2025-02-10 @ 08:44:09 PM
UAC-0006, a financially motivated cyber threat group, has resurfaced with a sophisticated phishing campaign targeting customers of Ukraine’s largest state-owned bank, PrivatBank.

LegionLoader exposed!

released on 2025-02-10 @ 01:54:01 PM
LegionLoader, also known as Satacom, CurlyGate, and RobotDropper, is an active downloader malware that has gained significant traction recently, amassing over 2,000 samples in weeks. The campaign appears to have started on December 19, 2024, with Brazil being the most affected country. The malware is delivered through drive-by downloads from insecure websites, often using the .monster TLD for malicious redirections. It employs anti-sandbox techniques and uses a multi-stage infection process. The initial MSI file extracts and executes a malicious DLL, which then downloads and executes a second stage payload. The final payload communicates with command and control servers to potentially download additional malware.

SmokeLoader Malware Targets Ukraine's Auto & Banking Sectors via Open Directories

released on 2025-02-07 @ 12:08:45 AM
An investigation uncovered open directories hosting SmokeLoader malware samples and lure documents targeting Ukraine's automotive and banking sectors. Two servers were identified, containing Windows executables and PDF files posing as invoices from Ukrainian companies. The malware injects into explorer.exe, creates a duplicate in the AppData directory, and communicates with command-and-control servers. The campaign leverages financial-themed lures, impersonating known Ukrainian businesses to increase credibility. The exposed servers reveal the threat actor's staging and distribution methods, providing insight into their operational tactics. This activity demonstrates SmokeLoader's continued use in both cybercrime and espionage-driven attacks against Ukrainian organizations.

Malicious ML models discovered on Hugging Face platform

released on 2025-02-07 @ 12:08:43 AM
RL researchers have identified a novel attack technique called nullifAI on the Hugging Face platform, which abuses Pickle file serialization to distribute malware. Two malicious models were found containing reverse shell code, bypassing Hugging Face's security scanning mechanisms. The attack exploits a vulnerability in the Picklescan tool, which fails to detect dangerous functions in broken Pickle files. This poses a significant risk to developers using the platform. The researchers created proof-of-concept samples to demonstrate the flaw and reported their findings to Hugging Face, who promptly removed the malicious models and updated their security tools.

Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor

released on 2025-02-07 @ 12:08:42 AM
A sophisticated breach was identified where threat actors exploited vulnerabilities in SimpleHelp's Remote Monitoring and Management client to infiltrate a network. The attack involved post-compromise tactics including network discovery, administrator account creation, and persistence establishment. The threat actor connected via a vulnerable RMM client, executed discovery commands, created a new admin account, and installed a Sliver backdoor. The backdoor was configured to connect to specific IP addresses. On the domain controller, a cloudflared tunnel was installed for potential further payload deployment. The attack's TTPs resembled those of the Akira Ransomware group. A previous incident involving SimpleHelp RMM exploitation was also confirmed. Organizations are urged to update their RMM clients and adopt robust cybersecurity solutions.

Code injection attacks using publicly disclosed ASP.NET machine keys

released on 2025-02-06 @ 10:31:32 PM
An unattributed threat actor has been observed exploiting publicly disclosed ASP.NET machine keys to perform ViewState code injection attacks, delivering the Godzilla post-exploitation framework. Over 3,000 publicly disclosed keys have been identified as potentially vulnerable to this attack method. The attack chain involves crafting malicious ViewState data using stolen keys, sending it to the target website via POST request, and executing malicious code on the IIS web server. Microsoft recommends against using publicly available keys, advises regular key rotation, and provides detection and mitigation strategies. Affected organizations should investigate for possible backdoors or persistence methods established by threat actors.

SparkCat crypto stealer in Google Play and App Store

released on 2025-02-06 @ 05:06:52 PM
A new malware campaign dubbed 'SparkCat' has been discovered targeting Android and iOS users through both official and unofficial app stores. The malware, embedded in various apps, uses OCR technology to scan users' image galleries for crypto wallet recovery phrases. Infected Android apps on Google Play had over 242,000 downloads. This marks the first occurrence of such a stealer in Apple's App Store. The malware utilizes Google's ML Kit for OCR and communicates with C2 servers using a custom Rust-based protocol. Active since March 2024, SparkCat affects users in Europe and Asia, targeting multiple languages. The campaign highlights the vulnerability of both Android and iOS platforms to sophisticated malware threats.

When Data Tools Become Dangerous: MS Power BI Links Used in Phishing Campaigns

released on 2025-02-06 @ 03:54:45 PM
A sophisticated phishing campaign has been detected that exploits trusted platforms like SharePoint and Power BI to steal user credentials. The scheme uses a seemingly legitimate SharePoint link in an email, which leads to a Power BI report. Users are then prompted to click 'Open Document', redirecting them to a fake Microsoft login page. This tactic leverages users' trust in familiar workplace tools, making it harder to detect. The campaign demonstrates the evolving nature of phishing attacks and the importance of employee training in recognizing potential threats. The use of legitimate services and familiar templates makes it challenging for automated defenses to catch these scams, highlighting the need for human-centric approaches to cybersecurity.

Fake DeepSeek Sites Used for Credential Phishing, Crypto Theft, Scams

released on 2025-02-06 @ 03:54:44 PM
Researchers have identified numerous fake DeepSeek websites being used for malicious purposes, including credential phishing, cryptocurrency theft, and various scams. Over 50 active sites and thousands of potentially malicious domains have been observed. These fake sites range from obvious imitations to sophisticated replicas that are difficult to distinguish from the legitimate DeepSeek website. Some sites aim to collect personal information or distribute malware disguised as DeepSeek apps. The campaign appears to be evolving in real-time, with new sites emerging rapidly to replace those that are shut down. Cybersecurity experts warn that this may be a coordinated attack campaign, exploiting the window of opportunity before traditional takedown systems can respond.

Phishing via 'com-' prefix domains

released on 2025-02-06 @ 03:31:46 AM
This analysis reveals a new phishing trend using domains with a "com-" prefix to mimic legitimate websites. The scam targets users of Florida's Sunpass toll system, exploiting the similarity between sunpass.com and fraudulent "com-" domains. A surge in "com-" prefix domain registrations has been observed, particularly using top-level domains like .top, .xyz, and .com. The article suggests monitoring DNS logs for these domains, as many have been confirmed malicious. The trend shows an increase in registrations since November, with 10% of recently registered domains found in Phishtank. This tactic is part of an ongoing cat-and-mouse game between attackers and security tools.

Mobile Indian Cyber Heist: FatBoyPanel And His Massive Data Breach

released on 2025-02-05 @ 10:09:42 PM
A mobile malware campaign targeting Indian banks has been uncovered, comprising nearly 900 samples aimed at Android devices. The malware, distributed via WhatsApp as fake government or banking apps, steals sensitive financial and personal data, including Aadhaar and PAN card details, credit card information, and banking credentials. It intercepts SMS messages, including OTPs, to facilitate unauthorized transactions. The campaign uses three variants: SMS forwarding, Firebase exfiltration, and a hybrid approach. Over 222 exposed Firebase storage buckets contained 2.5GB of stolen data from an estimated 50,000 users. The malware's phone numbers were traced to West Bengal, Bihar, and Jharkhand. The campaign impersonates various Indian banks and government schemes to increase its reach.

Chinese Hackers Attacking Linux Devices With New SSH Backdoor

released on 2025-02-05 @ 10:05:25 PM
Chinese hackers, specifically the DaggerFly espionage group, are targeting Linux devices with a sophisticated SSH backdoor called ELF/Sshdinjector.A!tr. The Lunar Peek campaign, active since mid-November 2024, primarily focuses on network appliances and IoT devices. The attack involves a dropper that deploys malicious binaries, including a modified SSH library and infected versions of common utilities. The core backdoor communicates with a remote C2 server, enabling system information gathering, data exfiltration, and arbitrary command execution. The malware uses a custom communication protocol with hardcoded identifiers and can perform various actions through specific command IDs. Users are advised to keep their antivirus definitions up to date to mitigate the threat.

Scalable Vector Graphics files pose a novel phishing threat

released on 2025-02-05 @ 08:51:19 PM
Cybercriminals are exploiting the SVG file format to conduct phishing attacks that bypass existing anti-spam and anti-phishing protection. These attacks involve email messages with .svg file attachments, which open in the default browser on Windows computers. The SVG files contain anchor tags and scripts that link to malicious web pages, often disguised as legal documents or voicemails. When victims click on the embedded links, they are directed to phishing pages that mimic popular services like DocuSign, Microsoft SharePoint, and Office365. The attackers use various social engineering techniques and sophisticated methods to capture and exfiltrate user credentials. Some SVG files even contain encoded malware. To protect against this threat, users are advised to change the default program for opening SVG files and be cautious of suspicious emails.

Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques

released on 2025-02-05 @ 04:22:19 PM
ValleyRAT, a sophisticated multi-stage malware attributed to Silver Fox APT, has updated its tactics, techniques, and procedures. The malware targets key roles in finance, accounting, and sales departments using phishing emails, malicious websites, and instant messaging platforms. The infection chain begins with a fake Chrome browser download, followed by the execution of a Setup.exe file that downloads additional components. The malware employs DLL side-loading, process injection, and anti-VM techniques to evade detection. It includes features such as keylogging, screen monitoring, and persistence mechanisms. ValleyRAT communicates with command and control servers and can execute various commands, including dropping and executing files, setting startup configurations, and manipulating processes.

Analysis of malicious HWP cases of 'APT37' group distributed through K messenger

released on 2025-02-05 @ 04:10:17 PM
The report details a sophisticated APT attack targeting South Korea, utilizing spear-phishing techniques and malicious HWP files distributed through a popular Korean messenger service. The APT37 group exploited trust-based tactics, using compromised accounts to spread malware through group chats. The malicious files contained OLE objects that executed PowerShell commands and shellcode, ultimately deploying the RoKRAT malware. This fileless attack method allowed for information gathering and potential remote control of infected systems. The attackers used pCloud for data exfiltration and command-and-control communication. The report emphasizes the importance of endpoint detection and response (EDR) systems to combat such evolving threats.

Take my money: OCR crypto stealers in Google Play and App Store

released on 2025-02-05 @ 02:55:18 PM
Researchers discovered a new malware campaign dubbed 'SparkCat' targeting Android and iOS users through both official and unofficial app stores. The malware, embedded in various apps, uses OCR technology to scan users' image galleries for crypto wallet recovery phrases. Infected apps on Google Play had over 242,000 downloads. This marks the first known case of such a stealer in Apple's App Store. The malware employs Google's ML Kit for OCR and communicates with C2 servers using a custom protocol implemented in Rust. It targets users in Europe and Asia, searching for keywords related to crypto wallets in multiple languages. The campaign has been active since March 2024, demonstrating sophisticated techniques to evade detection.

Unpacking the BADBOX Botnet

released on 2025-02-05 @ 12:14:32 AM
The BADBOX botnet, a newly discovered threat, targets Android devices, including high-end models like Yandex 4K QLED TVs. Over 190,000 infected devices have been observed, with malware often pre-installed from the factory or further down the supply chain. Using Censys, a suspicious SSL/TLS certificate common to BADBOX infrastructure was identified, revealing five IPs and numerous domains using the same certificate and SSH host key. This indicates a single actor controlling a templated environment. The analysis uncovered shared attributes among the infected hosts, including open SSH ports and nginx 1.20.1 running on CentOS. The scale and stealthy nature of BADBOX highlight the critical need for supply chain integrity monitoring and network traffic analysis.

APT Targets NetEase 163.com Users with Fake Download Pages & Spoofed Domains

released on 2025-02-05 @ 12:14:32 AM
The GreenSpot Advanced Persistent Threat group, operating from Taiwan since 2007, is targeting users of NetEase's 163.com email service. The group employs sophisticated phishing techniques, including spoofed domains and fake download pages, to steal login credentials. Researchers identified domains mimicking 163.com services, with one hosting a malicious login page and others presenting fake large attachment download services. The campaign uses deceptive domain registrations, manipulated TLS certificates, and counterfeit interfaces to harvest credentials. While primarily focused on Chinese targets, this operation highlights the vulnerability of free email services to advanced threat actors and emphasizes the importance of enhanced security measures like multi-factor authentication.

Stealers on the Rise: A Closer Look at a Growing macOS Threat

released on 2025-02-04 @ 06:19:38 PM
This analysis examines the increasing prevalence of macOS infostealers, focusing on three prominent threats: Atomic Stealer, Poseidon Stealer, and Cthulhu Stealer. These malware variants target sensitive information, including financial details, credentials, and intellectual property. The article describes their distribution methods, execution processes, and data exfiltration techniques. It highlights the risks posed by infostealers, including potential data breaches and further malicious activities. The research reveals a 101% increase in macOS infostealer detections between the last two quarters of 2024. The article also discusses protection measures and mitigations, emphasizing the importance of advanced detection modules and multi-layered defense strategies.

NOVA: blast from the past

released on 2025-02-04 @ 04:46:11 PM
A large-scale campaign targeting Russian organizations across various industries has been uncovered. The attackers are using NOVA stealer, a commercial fork of SnakeLogger, distributed via phishing emails disguised as contract archives. NOVA, marketed under the Malware-as-a-Service model, steals credentials, captures keystrokes, takes screenshots, and extracts clipboard data. The malware gains persistence through Windows Task Scheduler and can disable security features. It's distributed on underground forums with subscriptions starting at $50. The campaign highlights the ongoing threat of stealers and the potential for stolen data to be used in future targeted attacks.

CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks

released on 2025-02-04 @ 04:46:10 PM
A zero-day vulnerability in 7-Zip (CVE-2025-0411) was exploited by Russian cybercrime groups to target Ukrainian organizations. The vulnerability allows bypassing Windows Mark-of-the-Web protections through double archiving, enabling execution of malicious content. The campaign involved spear-phishing emails with homoglyph attacks to trick users into executing malicious files. The exploit was likely part of a cyberespionage effort in the ongoing Russo-Ukrainian conflict. Affected organizations include government entities and businesses. Recommendations include updating 7-Zip, implementing email security measures, and training employees on phishing and homoglyph attacks.

macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed

released on 2025-02-04 @ 08:35:53 AM
This intelligence analysis describes newly discovered variants of the DPRK-attributed macOS Ferret malware family, labeled as 'FlexibleFerret'. The malware is part of the ongoing 'Contagious Interview' campaign targeting developers and job seekers. The new variants include a dropper package containing multiple components, including a fake Zoom binary and an InstallerAlert application. These components establish persistence and communicate with a command and control server. The campaign has expanded its tactics, now targeting GitHub users by creating fake issues on legitimate repositories. The malware remains undetected by Apple's XProtect tool, highlighting the evolving nature of the threat.

Uncovering Cyber Threat Networks: SmartApeSG & NetSupport RAT

released on 2025-02-04 @ 03:00:44 AM
This investigation explores the connections between SmartApeSG, a FakeUpdate threat, and NetSupport RAT. Through analysis of Internet telemetry data, the research uncovered related C2 management hosts, active NetSupport RAT servers, and cross-connections to suspicious infrastructure. Key findings include the identification of Moldovan IPs used for C2 management, an active NetSupport RAT cluster with old C2s still receiving victim communication, and potential links between SmartApeSG and NetSupport RAT infrastructures. The investigation also revealed connections to Quasar RAT and cryptocurrency-related activities. The research demonstrates how pivoting through Internet telemetry data can uncover complex threat actor infrastructures and their persistent evolution.

From Credit Card Skimming to Exploiting Zero-Days

released on 2025-02-03 @ 08:13:50 PM
XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has now shifted to targeted information theft in manufacturing and distribution sectors. They have demonstrated increased sophistication by exploiting previously undocumented vulnerabilities in VeraCore software, including an SQL injection flaw and an upload validation vulnerability. XE Group maintains long-term access to compromised systems, as evidenced by their reactivation of a webshell planted years earlier. Their recent activities involve exfiltrating config files, network reconnaissance, and deploying a Remote Access Trojan using obfuscated PowerShell commands. The group's evolution highlights their adaptability and growing threat to supply chain security.

Hackers Hijack JFK File Release: Malware & Phishing Surge

released on 2025-02-03 @ 03:58:23 AM
A potentially growing cyber threat campaign has been uncovered surrounding the release of declassified JFK, RFK, and MLK files. Attackers are exploiting public interest in these historical documents to launch malware campaigns, phishing schemes, and exploit attempts. Within days of the announcement, suspicious domains were registered, seemingly designed to impersonate legitimate sources. Key attack vectors identified include malware-laced files, fake phishing websites, embedded browser exploits, and email-based phishing attacks. The campaign highlights the swift adaptability of cybercriminals to real-world events and the importance of cyber resilience against social engineering tactics. Users are advised to verify sources and access files only from official government websites to mitigate risks.
Thursday 3rd of April 2025 04:26:19 AM