InfoSec Articles (12/31/24 – 01/14/25)

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

CISA Warns of Second BeyondTrust Vulnerability Exploited in Attacks

Source: SECURITY WEEK

Tracked as CVE-2024-12686, the flaw is a medium-severity command injection issue that was discovered during BeyondTrust’s investigation into the compromise of a limited number of customer Remote Support (RS) SaaS instances, including one associated with the US Department of the Treasury. Read more.

Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations

Source: Sekoia

Later, in July 2024, CERT-UA published another report exposing UAC-0063 activities targeting Ukrainian scientific research institutions with new malware (dubbed HATVIBE and CHERRYSPY). The report associates the intrusion set UAC-0063 with APT28 with medium confidence. Read more.

HexaLocker V2: Skuld Stealer Paving the Way prior to Encryption

Source: CYBLE

HexaLocker V2 includes a persistence mechanism that modifies registry keys to ensure continued execution after the affected system reboots. The updated version downloads Skuld Stealer, which extracts sensitive information from the victim’s system before encryption. Read more.


Banshee: The Stealer That “Stole Code” From MacOS XProtect

Source: CHECK POINT RESEARCH

One notable difference between the leaked source code and the version discovered by Check Point Research is the use of a string encryption algorithm. It is the same algorithm Apple uses in its XProtect antivirus engine for macOS. Read more.

Phish-free PayPal Phishing

Source: FORTINET

The scammer appears to have simply registered an MS365 test domain, which is free for three months, and then created a Distribution List (Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com) containing victim emails. On the PayPal web portal, they simply request the money and add the distribution list as the address. Read more.

APT32 Poisoning GitHub, Targeting Chinese Cybersecurity Professionals and Specific Large Enterprises

Source: ThreatBook CTI

In this attack, the attackers used a novel and concealed method for the first time by embedding a malicious .suo file into a Visual Studio project. When the victim compiles the Visual Studio project, the Trojan will execute automatically. Read more.

Gayfemboy: A botnet that spreads using Four-Faith Industrial Routers 0DAY

Source: Qianxin X Lab

Gayfemboy used more than 20 vulnerabilities and weak Telnet passwords to spread its samples, including a 0-day vulnerability in Four-Faith industrial routers and some previously unknown vulnerabilities affecting Neterbit and Vimar devices. Read more.

Cybersecurity firm’s Chrome extension hijacked to steal users’ data

Source: BLEEPING COMPUTER

At least five Chrome extensions were compromised in a coordinated attack where a threat actor injected code that steals sensitive information from users. One attack was disclosed by Cyberhaven, a data loss prevention company that alerted its customers of a breach on December 24 after a successful phishing attack on an administrator account for the Google Chrome store. Read more.

Threat actors breached Argentina’s airport security police (PSA) payroll

Source: Security Affairs

Threat actors have breached Argentina’s airport security police (PSA) and compromised the personal and financial data of its officers and civilian personnel. The attackers deducted between 2,000 and 5,000 pesos from salaries under false charges labeled “DD mayor” and “DD seguros.” Read more.

Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques

Source: The Hacker News

“The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated malware offering unauthorised remote access with advanced evasion techniques,” Cyfirma said in a technical analysis published. Read more.

InfoSec Articles (12/03/24 – 12/17/24)

Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite

Source: Elastic Security Labs

Infection chains employ injection and DLL side-loading using a custom loader (SADBRIDGE). SADBRIDGE deploys a newly discovered variant of the QUASAR backdoor written in Golang (GOSAR). GOSAR is a multi-functional backdoor under active development, with incomplete features and successive iterations of improved features observed over time. Read more.

Analysis of TIDRONE attackers’ attacks on domestic companies

Source: ASEC

AhnLab Security Intelligence Center (ASEC) has confirmed that the TIDRONE attacker has recently been conducting attacks against South Korean companies. The attacks exploit ERP software, through which a backdoor called CLNTEND is installed. Read more.

Declawing PUMAKIT

Source: Elastic Security Labs

PUMAKIT is a sophisticated piece of malware, initially uncovered during routine threat hunting on VirusTotal and named after developer-embedded strings found within its binary. Its multi-stage architecture consists of a dropper (cron), two memory-resident executables (/memfd:tgt and /memfd:wpn), an LKM rootkit module and a shared object (SO) userland rootkit. Read more.


Gamaredon Deploys Android Spyware “BoneSpy” and “PlainGnome” in Former Soviet States

Source: The Hacker News

The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns. Read more.

Iran-Linked IOCONTROL Malware Targets SCADA and Linux-Based IoT Platforms

Source: The Hacker News

The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms. Read more.

Careto is back: what’s new after 10 years of silence?

Source: SECURE LIST

The persistence method used by the threat actor was based on WorldClient allowing loading of extensions that handle custom HTTP requests from clients to the email server. These extensions can be configured through the C:\MDaemon\WorldClient\WorldClient.ini file. Read more.

Malware Analysis: A Kernel Land Rootkit Loader for FK_Undead

Source: G Data

We discovered a Windows rootkit loader for the malware family FK_Undead. The malware family is known for intercepting user network traffic through manipulation of proxy configurations. Read more.

Law enforcement shuts down 27 DDoS booters ahead of annual Christmas attacks

Source: EUROPOL

Law enforcement agencies worldwide have disrupted a holiday tradition for cybercriminals: launching Distributed Denial-of-Service (DDoS) attacks to take websites offline. As part of an ongoing international crackdown known as PowerOFF, authorities have seized 27 of the most popular platforms used to carry out these attacks. Read more.

Inside Zloader’s Latest Trick: DNS Tunneling

Source: Zscaler

Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular Trojan based on the leaked Zeus source code dating back to 2015. Zloader 2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands, which may be valuable for ransomware attacks. Read more.
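DNS tunneling of the kind described above stands out in query logs because the C2 channel has to encode data into the query names themselves: many unique, long, high-entropy labels under one zone, often with TXT or NULL record types. The following is an added example, not code from Zscaler’s analysis, and it does not implement Zloader’s specific protocol; it applies generic tunneling heuristics to a constructed query log. The log format (timestamp, client IP, query name, query type), the domains and the thresholds are all assumptions chosen for the example.

```python
"""Heuristic DNS tunneling detector over a constructed query log.

Added example; the log lines, domain names and thresholds are made up
for illustration and are not Zloader indicators.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict

# Constructed sample log: "timestamp client qname qtype" per line.
# example.com traffic is ordinary; example.net carries a tunnel-like pattern
# (32-char hex labels, every query unique, TXT records).
SAMPLE_LOG = """\
2024-12-10T10:00:01Z 10.0.0.5 www.example.com A
2024-12-10T10:00:02Z 10.0.0.5 mail.example.com A
2024-12-10T10:00:03Z 10.0.0.6 api.example.com AAAA
2024-12-10T10:00:04Z 10.0.0.7 0123456789abcdeffedcba9876543210.t.example.net TXT
2024-12-10T10:00:05Z 10.0.0.7 13579bdf02468acea1b2c3d4e5f60789.t.example.net TXT
2024-12-10T10:00:06Z 10.0.0.7 02468ace13579bdff0e1d2c3b4a59687.t.example.net TXT
2024-12-10T10:00:07Z 10.0.0.7 fedcba98765432100123456789abcdef.t.example.net TXT
2024-12-10T10:00:08Z 10.0.0.7 9f8e7d6c5b4a32100a1b2c3d4e5f6789.t.example.net TXT
2024-12-10T10:00:09Z 10.0.0.7 cafe0123456789bd0123456789abcdef.t.example.net TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str) -> list[dict]:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than fail the whole run
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records


def score_zones(records: list[dict]) -> dict[str, dict]:
    """Aggregate per-zone statistics. The zone is naively taken as the last
    two labels, which is wrong for suffixes like co.uk; a real deployment
    would use the Public Suffix List."""
    acc = defaultdict(lambda: {"queries": 0, "prefixes": set(),
                               "lens": [], "ents": [], "txt_null": 0})
    for rec in records:
        labels = rec["qname"].split(".")
        if len(labels) < 3:
            continue  # zone apex only, nothing to score
        z = acc[".".join(labels[-2:])]
        z["queries"] += 1
        z["prefixes"].add(".".join(labels[:-2]))
        z["lens"].append(len(labels[0]))          # leftmost label carries the payload
        z["ents"].append(shannon_entropy(labels[0]))
        if rec["qtype"] in {"TXT", "NULL"}:
            z["txt_null"] += 1
    out = {}
    for zone, z in acc.items():
        n = len(z["lens"])
        out[zone] = {"queries": z["queries"], "unique": len(z["prefixes"]),
                     "mean_len": sum(z["lens"]) / n,
                     "mean_entropy": sum(z["ents"]) / n,
                     "txt_null_ratio": z["txt_null"] / n}
    return out


def suspicious_zones(text: str, min_unique: int = 5, min_len: int = 20,
                     min_entropy: float = 3.0) -> list[str]:
    """Zones whose subdomain traffic looks like an encoded data channel.
    Thresholds are illustrative and need tuning against local baselines."""
    stats = score_zones(parse_log(text))
    return sorted(zone for zone, s in stats.items()
                  if s["unique"] >= min_unique and s["mean_len"] >= min_len
                  and s["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    for zone, s in score_zones(parse_log(SAMPLE_LOG)).items():
        print(f"{zone}: {s}")
    print("suspicious:", suspicious_zones(SAMPLE_LOG))
```

Treat the output as a triage lead, not a verdict: CDNs, anti-spam lookups and some telemetry agents also generate long unique labels, so a hit should be checked against the zone’s registration age and the volume and record types involved.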

Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows

Source: CADO

“Meeten” is the application that is attempting to scam users into downloading an information stealer. The company regularly changes names, and is currently going by the name Meetio. The threat actors set up full company websites, with AI-generated blog and product content and social media accounts including Twitter and Medium. Read more.

InfoSec Articles (11/19/24 – 12/03/24)

Russia sentences Hydra dark web market leader to life in prison

Source: BLEEPING COMPUTER

Russian authorities have sentenced the leader of the criminal group behind the now-closed dark web platform Hydra Market to life in prison. Additionally, more than a dozen accomplices have been convicted for their involvement in the production and sale of nearly a ton of drugs. Read more.

Threat Assessment: Howling Scorpius (Akira Ransomware)

Source: Unit 42

Akira is a RaaS group we track as Howling Scorpius. This group employs a double extortion strategy, exfiltrating critical data from a network before executing its encryption process. This double extortion tactic allows the group to leak stolen data even if victims recover their systems without paying, maximizing the pressure to comply. Read more.

North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks

Source: The Hacker News

The North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks that involve sending email messages that originate from Russian sender addresses to ultimately conduct credential theft. Read more.


Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT

Source: SECURELIST

According to our telemetry, the campaign began around March 2023 and hit more than a thousand private users, retailers and service businesses located primarily in Russia. We dubbed this campaign Horns&Hooves, after a fictitious organization set up by swindlers in the Soviet comedy novel The Golden Calf. Read more.

Guess Who’s Back – The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024

Source: TREND MICRO

The spear-phishing emails used in this campaign were sent either from free email accounts or from compromised accounts. The emails contained a link to a OneDrive location and a message in Japanese encouraging the recipient to download a ZIP file. Read more.

Hearts Stolen, Wallets Emptied: Insights into CryptoLove Traffer’s Team

Source: TRAC Labs

CryptoLove is a traffers’ team that has specialized in crypto scams for over two years, recruiting workers to spread stealers through custom launchers and loaders that track every stage of payload delivery. Read more.

Ransom gang claims attack on NHS Alder Hey Children’s Hospital

Source: The Register

INC Ransom, the group that claimed responsibility for an attack on NHS Scotland in June this year, now claims to have stolen data from Liverpool’s Alder Hey Children’s Hospital and Liverpool Heart and Chest Hospital NHS Foundation Trust. Read more.

Gaming Engines: An Undetected Playground for Malware Loaders

Source: CHECK POINT

The malicious GodLoader is distributed by the Stargazers Ghost Network, a GitHub network that distributes malware as a service. Throughout September and October, approximately 200 repositories and over 225 Stargazers were used to legitimize the repositories distributing the malware. Read more.

Police bust pirate streaming service making €250 million per month

Source: BLEEPING COMPUTER

Italy’s Postal and Cybersecurity Police Service announced the action, codenamed “Taken Down,” stating they worked with Eurojust, Europol, and many other European countries, making this the largest takedown of its kind in Italy and internationally. Read more.

Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS)

Source: Trustwave

We have associated this campaign with a phishing kit called Rockstar 2FA, which is an updated version of the DadSec/Phoenix phishing kit. Microsoft tracks the threat actor behind this as Storm-1575, where ‘Storm-####’ is a temporary label for emerging or unidentified threat clusters. Read more.

InfoSec Articles (11/05/24 – 11/19/24)

When AI Moderation Blocks Cybersecurity: Challenges of Producing Threat Actor Videos

Source: Malware Patrol

While we fully support preventing #AI from facilitating misinformation, this was clearly not the case here. Cyber threat actors engage in harmful activities, and videos about them will inevitably address such topics. Nevertheless, it is necessary to educate cybersecurity practitioners and the general public about these malicious actions. Read more.

New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers

Source: The Hacker News

Cybersecurity researchers have shed light on a new stealthy malware loader called BabbleLoader that has been observed in the wild delivering information stealer families such as WhiteSnake and Meduza. Read more.

QuickBooks popup scam still being delivered via Google ads

Source: Malwarebytes LABS

Researchers have seen two main lures, both via Google ads: the first is simply a website promoting online support for QuickBooks and showing a phone number, while the second requires victims to download and install a program that generates a popup, also showing a phone number. In both cases, the number is fraudulent. Read more.


Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack

Source: UNIT 42

Unit 42 researchers identified a North Korean IT worker activity cluster tracked as CL-STA-0237. This cluster was involved in recent phishing attacks using malware-infected video conference apps. It likely operates from Laos, using Lao IP addresses and identities. Read more.

Malware Spotlight: A Deep-Dive Analysis of WezRat

Source: CHECK POINT RESEARCH

The latest version of WezRat was recently distributed to multiple Israeli organizations in a wave of emails impersonating the Israeli National Cyber Directorate (INCD). WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files. Read more.

New Glove infostealer malware bypasses Chrome’s cookie encryption

Source: BLEEPING COMPUTER

During their attacks, the threat actors used social engineering tactics similar to those used in the ClickFix infection chain, where potential victims get tricked into installing malware using fake error windows displayed within HTML files attached to the phishing emails. Read more.

New PXA Stealer targets government and education sectors for sensitive information

Source: CISCO TALOS

Researchers discovered a new Python program called PXA Stealer that targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software. PXA Stealer has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts. Read more.

Strela Stealer: Today’s invoice is tomorrow’s phish

Source: Security Intelligence

The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. Read more.

Volt Typhoon rebuilds malware botnet following FBI disruption

Source: BLEEPING COMPUTER

According to SecurityScorecard, the Chinese state-sponsored group Volt Typhoon has begun rebuilding its KV-Botnet after the FBI disrupted it in January 2024, once again compromising end-of-life small office/home office routers, including Cisco RV320/325 and Netgear ProSafe devices. Read more.

LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign

Source: BlackBerry

The threat actor behind LightSpy, assessed with high confidence to be associated with the Chinese cyber-espionage group APT41, has expanded its toolset with DeepData, a modular Windows-based surveillance framework that significantly broadens its espionage capabilities. Read more.

InfoSec Articles (10/22/24 – 11/05/24)

Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT

Source: CHECK POINT

Our analysis of recent campaigns reveals continuous enhancements in the malware’s evasion techniques, along with introducing a new stealer payload called “ApoloStealer.” Read more.

TA Phone Home: EDR Evasion Testing Reveals Extortion Actor’s Toolkit

Source: UNIT 42

In a recent investigation involving an extortion attempt, we discovered a threat actor had purchased access to the client network via Atera RMM from an initial access broker. We discovered the threat actor used rogue systems to install the Cortex XDR agent onto a virtual system. Read more.


Custom “Pygmy Goat” malware used in Sophos Firewall hack on govt network

Source: BLEEPING COMPUTER

The UK’s National Cyber Security Centre (NCSC) has published an analysis of a Linux malware named “Pygmy Goat” created to backdoor Sophos XG firewall devices as part of recently disclosed attacks by Chinese threat actors. Read more.

Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network

Source: Microsoft

Microsoft has linked the source of these password spray attacks to a network of compromised devices we track as CovertNetwork-1658, also known as xlogin and Quad7 (7777). Read more.

Strela Stealer targets Central and Southwestern Europe through Stealthy Execution via WebDAV

Source: CYBLE

The payload, Strela Stealer, is embedded within an obfuscated DLL file, specifically targeting systems in Germany and Spain. Strela Stealer is programmed to steal sensitive email configuration details, such as server information, usernames, and passwords. Read more.

Every Doggo Has Its Day: Unleashing the Xiū Gǒu Phishing Kit

Source: Netcraft

The kit comes equipped with Telegram bots to exfiltrate credentials, ensuring that threat actors can maintain access to data even if their phishing site is taken down. Threat actors using the kit use Rich Communications Services (RCS) rather than SMS to send lure messages. Read more.

New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics

Source: The Hacker News

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up. Read more.

Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files

Source: Microsoft

In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server. Read more.
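The “sensitive settings” in the Midnight Blizzard blurb above are ordinary .rdp file options: the format is plain text, one `name:type:value` setting per line, and a handful of those settings redirect the user’s drives, clipboard, smart cards and other devices into the remote session. The following is an added example, not code from Microsoft’s report, that parses an .rdp attachment and flags the redirection and trust settings a mail gateway or analyst would want to see before a user double-clicks it. The setting names are the documented RDP file settings; the sample files and the hostname are constructed for this example, and the exact list of settings worth flagging is a judgment call.

```python
"""Flag .rdp attachments that expose local resources to the remote host.

Added example; the sample files below are constructed and the hostname is
fictitious. Setting names follow the documented .rdp file format.
"""
from __future__ import annotations

# Integer settings whose listed value hands local resources or trust to the server.
RISKY_FLAGS = {
    "redirectdrives": ("1", "local drives are mapped into the remote session"),
    "redirectclipboard": ("1", "clipboard is shared with the remote host"),
    "redirectsmartcards": ("1", "smart cards are forwarded to the remote host"),
    "redirectprinters": ("1", "printers are forwarded to the remote host"),
    "redirectcomports": ("1", "COM ports are forwarded to the remote host"),
    "remoteapplicationmode": ("1", "session launches a server-chosen RemoteApp"),
    "authentication level": ("0", "server identity is not verified before connecting"),
}

# String settings whose non-empty value names devices selected for redirection.
RISKY_LISTS = {
    "drivestoredirect": "drives selected for redirection",
    "devicestoredirect": "PnP devices selected for redirection",
    "usbdevicestoredirect": "USB devices selected for redirection",
}

# Constructed sample: the shape of a lure file that maps the victim's drives
# and smart cards to an attacker-controlled host without verifying it.
LURE_RDP = """\
screen mode id:i:2
full address:s:rdp.example.invalid
redirectdrives:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:0
authentication level:i:0
prompt for credentials:i:0
"""

# Constructed sample of a conservative, signed file for comparison.
BENIGN_RDP = """\
full address:s:rdp.example.invalid
redirectdrives:i:0
authentication level:i:2
signature:s:AQABAAEA
"""


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {setting name: (type, value)}; type is i, s or b."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()   # files are often UTF-16/BOM-prefixed
        if not line:
            continue
        parts = line.split(":", 2)            # values may themselves contain colons
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue                          # not a well-formed setting line
        name, typ, value = parts
        settings[name.strip().lower()] = (typ, value.strip())
    return settings


def assess_rdp(text: str) -> list[tuple[str, str, str]]:
    """List (setting, value, reason) findings for a .rdp file's contents."""
    settings = parse_rdp(text)
    findings: list[tuple[str, str, str]] = []
    for name, (bad_value, reason) in RISKY_FLAGS.items():
        if name in settings and settings[name][0] == "i" and settings[name][1] == bad_value:
            findings.append((name, settings[name][1], reason))
    for name, reason in RISKY_LISTS.items():
        if name in settings and settings[name][1]:
            findings.append((name, settings[name][1], reason))
    # A connection target with no publisher signature means the client cannot
    # tell the user who authored the file; attacker lures are rarely signed.
    if "full address" in settings and "signature" not in settings:
        findings.append(("signature", "", "file is not signed by a trusted publisher"))
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", LURE_RDP), ("benign", BENIGN_RDP)):
        print(f"{label}:")
        for name, value, reason in assess_rdp(sample):
            print(f"  {name}={value!r}: {reason}")
```

Blocking .rdp attachments outright at the mail gateway is the simpler control; where they must be allowed, a check like this one can quarantine files that combine an unverified target with drive or smart card redirection, which is exactly the combination that gives the remote server the user’s local resources.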

CloudScout: Evasive Panda scouting cloud services

Source: welivesecurity

CloudScout utilizes stolen cookies, provided by MgBot plugins, to access and exfiltrate data stored at various cloud services. We analyzed three CloudScout modules, which aim to steal data from Google Drive, Gmail, and Outlook. We believe that at least seven additional modules exist. Read more.

RAT Malware Operating via Discord Bot

Source: ASEC

This post analyzes a case (PySilon) in which RAT malware was implemented as a Discord bot. The full source code of this RAT is publicly available on GitHub, and it has user communities on its own website and on Telegram. Read more.

InfoSec Articles (10/08/24 – 10/22/24)

IcePeony Hackers Exploiting Public Web Servers To Inject Webshells

Source: GBHackers

IcePeony, a China-nexus APT group, has been active since 2023, targeting India, Mauritius, and Vietnam by exploiting SQL injection vulnerabilities to compromise systems using webshells and backdoors, leveraging a custom IIS malware called IceCache. Read more.

WrnRAT disguised as a gambling game

Source: ASEC

The attacker created a website disguised as a gambling game; when the victim downloads the game client, malicious code is installed that can control the infected system and steal information. The malicious code appears to be the attacker’s own creation and is called WrnRAT after a string found in it. Read more.


New Bumblebee Loader Infection Chain Signals Possible Resurgence

Source: Netskope

The infection likely starts via a phishing email luring the victim to download a ZIP file and extract and execute the file inside it. The ZIP file contains an LNK file named “Report-41952.lnk” that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk, as observed in previous campaigns. Read more.

Stealer here, stealer there, stealers everywhere!

Source: SECURELIST

According to Kaspersky Digital Footprint Intelligence, almost 10 million devices, both personal and corporate, were attacked by information stealers in 2023. That said, the real number of the attacked devices may be even higher, as not all stealer operators publish all their logs immediately after stealing data. Read more.

Bored BeaverTail Yacht Club – A Lazarus Lure

Source: eSENTIRE

Upon installation of the malicious NPM packages through Visual Studio Code, the NPM packages attempted to download a Python executable and associated components from a remote location through a cURL command, attempting to retrieve the initial components of the InvisibleFerret backdoor malware. Read more.

Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism

Source: UNIT 42

Apple assumes that developers will comply with their security guidelines regarding the inheritance of extended attributes, to ensure that this scanning mechanism can properly function. Because this is not necessarily the case, this can pose a weakness in the Gatekeeper mechanism. Read more.

Call stack spoofing explained using APT41 malware

Source: CYBER GEEKS

Call stacks are a telemetry source for EDR software that can be used to determine if a process made suspicious actions. The purpose of the technique is to construct a fake call stack that mimics a legitimate call stack in order to hide suspicious activity that might be detected by EDR or other security software. Read more.

UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants

Source: Cisco TALOS

The latest series of attacks deploys an updated version of the RomCom malware we track as “SingleCamper”. This version is loaded directly from the registry into memory and uses the loopback address to communicate with its loader. Read more.

US disables Anonymous Sudan infrastructure linked to DDoS attack spree

Source: CYBERSECURITY DIVE

“The FBI’s seizure of this powerful attack tool successfully disabled the attack platform that caused widespread damage and destruction to critical infrastructure and networks across the world,” Rebecca Day, special agent in charge of the FBI Anchorage field office, said in a statement. Read more.

New FASTCash malware Linux variant helps steal money from ATMs

Source: BLEEPING COMPUTER

North Korean hackers are using a new Linux variant of the FASTCash malware to infect the payment switch systems of financial institutions and perform unauthorized cash withdrawals. Read more.

InfoSec Articles (09/24/24 – 10/08/24)

Large scale Google Ads campaign targets utility software

Source: Malwarebytes LABS

Following the creation of advertiser identities belonging to real businesses, the threat actors launch their malicious ads, hiding their infrastructure behind several layers of fingerprinting and cloaking. Read more.

Mind the (air) gap: GoldenJackal gooses government guardrails

Source: welivesecurity

These toolsets provide GoldenJackal a wide set of capabilities for compromising and persisting in targeted networks. Victimized systems are abused to collect interesting information, process the information, exfiltrate files, and distribute files, configurations and commands to other systems. Read more.


Awaken Likho is awake: new techniques of an APT group

Source: SECURE LIST

Analysis of the campaign revealed that the attackers had significantly changed the software they used in their attacks. The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems. Read more.

How Malware is Evolving: Sandbox Evasion and Brand Impersonation

Source: VERITI

According to the MITRE ATT&CK framework, malware can check for signs of a sandbox by monitoring system behavior, including checking for user actions like mouse clicks or running time-based checks. Once the malware detects it is inside a sandbox, it can change its behavior, often terminating its execution or connecting to benign domains to avoid raising suspicion. Read more.

perfctl: A Stealthy Malware Targeting Millions of Linux Servers

Source: Aqua

During one of our sandbox tests, the threat actor utilized one of the malware’s backdoors to access the honeypot and started deploying some new utilities to better understand the nature of our server, trying to understand what exactly we are doing to its malware. Read more.

Scam Information and Event Management

Source: SECURE LIST

The attackers distributed the malicious files using websites for downloading popular software (uTorrent, Microsoft Office, Minecraft, etc.) for free. These websites were shown to users in the top search results in Yandex. Malware was also distributed through Telegram channels targeted at crypto investors and in descriptions and comments on YouTube videos about cryptocurrency, cheats and gambling. Read more.

Crypto-Stealing Code Lurking in Python Package Dependencies

Source: Checkmarx

On September 22nd, a new PyPI user orchestrated a wide-ranging attack by uploading multiple packages within a short timeframe. These packages, bearing names like “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” masqueraded as legitimate tools for decoding and managing data from an array of popular cryptocurrency wallets. Read more.

Stonefly: Extortion Attacks Continue Against U.S. Targets

Source: Symantec

In several of the attacks, Stonefly’s custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed. This tool is exclusively associated with the group. In addition to this, several Stonefly indicators of compromise recently documented by Microsoft were found on the compromised networks. Read more.

Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users

Source: Group-IB

Pig Butchering is a term used to describe a sophisticated and manipulative scam in which cybercriminals lure victims into fraudulent investment schemes, typically involving cryptocurrency or other financial instruments. The name of the scam refers to the practice of fattening a pig before slaughter. Read more.

BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell

Source: G Data

In a complex infection chain that starts with an email containing an ISO image, this malware stands out by its way of compiling C# code directly on the infected machine. It also uses a technique known as AppDomain Manager Injection to advance execution. Read more.

InfoSec Articles (09/10/24 – 09/24/24)

Tyson Ransomware

Source: EnigmaSoft

The Tyson Ransomware infiltrates systems, encrypts data, and holds files hostage, demanding payment for decryption. Once installed on a device, it immediately starts locking down files and appends a “.tyson” extension to encrypted files. Read more.

Undetected Android Spyware Targeting Individuals In South Korea

Source: CYBLE

The spyware is capable of exfiltrating sensitive information from an infected device, including SMS messages, contact lists, images, and videos. The stolen data, stored openly in an S3 bucket, suggests poor operational security and could lead to unintended leaks of sensitive information. Read more.


How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections

Source: TREND MICRO

The RansomHub ransomware’s attack chain includes exploiting the Zerologon vulnerability (CVE-2020-1472). Left unpatched, it can enable threat actors to take control of an entire network without needing authentication. Read more.

The Vanilla Tempest cybercrime gang used INC ransomware for the first time in attacks on the healthcare sector

Source: Security Affairs

Microsoft's Threat Intelligence team revealed that a financially motivated threat actor tracked as Vanilla Tempest (formerly DEV-0832) is using INC ransomware for the first time to target the U.S. healthcare sector. Read more.

Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool

Source: UNIT 42

Splinter is developed in Rust, a relatively new programming language recommended for writing memory-safe software. Its densely layered runtime code, however, can account for up to 99% of a program's code, and that density makes analysis a real challenge for malware reverse engineers. Read more.

UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks

Source: Google Cloud

A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East. Read more.

Walmart customers scammed via fake shopping lists, threatened with arrest

Source: Malwarebytes LABS

Case in point, a malicious ad campaign is abusing Walmart Lists, a kind of virtual shopping list customers can share with family and friends, by embedding rogue customer service phone numbers with the appearance and branding of the official Walmart site. Read more.

Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC

Source: TREND MICRO

Threat actor Earth Baxia has targeted a government organization in Taiwan – and potentially other countries in the Asia-Pacific (APAC) region – using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401. Read more.

An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader

Source: Google Cloud

UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies. Mandiant has observed UNC2970 copy and tailor job descriptions to fit their respective targets. Read more.

Malware locks browser in kiosk mode to steal Google credentials

Source: BLEEPING COMPUTER

Specifically, the malware “locks” the user’s browser on Google’s login page with no obvious way to close the window, as the malware also blocks the “ESC” and “F11” keyboard keys. The goal is to frustrate the user enough that they enter and save their Google credentials in the browser to “unlock” the computer. Read more.

InfoSec Articles (08/27/24 – 09/10/24)

Reputation Hijacking with JamPlus: A Maneuver to Bypass Smart App Control (SAC)

Source: CYBLE

This campaign utilizes a recently demonstrated proof-of-concept (PoC) that repurposes the JamPlus build utility to execute malicious scripts while evading detection. Read more.

Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401

Source: FORTINET

Multiple OGC request parameters allow remote code execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. Read more.
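The mechanism described above, a property name that is evaluated as an XPath expression instead of being treated as a plain identifier, gives a defender something concrete to key on in web access logs: a legitimate property name is a short, optionally namespaced identifier, never a function call. The Python below is an added example written for this roundup, not code from the Fortinet article or from GeoServer. The log lines are constructed, the set of OGC parameters it inspects (propertyName, valueReference) is my choice and should be extended to match the services your GeoServer exposes, and the "safe name" pattern is a heuristic, not a GeoServer rule. It only sees GET requests: XML POST bodies never reach an access log and need a WAF or application-level hook.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not real traffic) in Apache combined-log style.
# The third request carries a function call where a plain property name belongs.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Sep/2024:10:01:12 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=STATE_NAME HTTP/1.1" 200 5120
10.0.0.6 - - [04/Sep/2024:10:02:03 +0000] "GET /geoserver/wfs?service=WFS&version=1.1.0&request=GetFeature&typeName=topp:states&propertyName=topp:the_geom,STATE_NAME HTTP/1.1" 200 88123
10.0.0.9 - - [04/Sep/2024:10:02:45 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=my:function(%27arg%27) HTTP/1.1" 500 310
10.0.0.7 - - [04/Sep/2024:10:03:01 +0000] "GET /geoserver/wms?service=WMS&request=GetMap&layers=topp:states&bbox=-130,24,-66,50 HTTP/1.1" 200 4410
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# OGC request parameters that carry feature property names (assumed set; extend
# it for the request types your deployment serves).
PROPERTY_PARAMS = {"propertyname", "valuereference"}

# A legitimate property name: optionally namespaced identifier, possibly a short
# path such as ns:outer/ns:inner or @gml:id. Parentheses, quotes or operators
# mean the value is an expression, not a name, and it gets flagged.
SAFE_PROPERTY = re.compile(
    r"^@?[A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?"
    r"(?:/@?[A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?)*$"
)


def request_path(line):
    """Return the request target from an access-log line, or None."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else None


def flagged_property_names(path):
    """Return (parameter, value) pairs whose value is not a plain property name."""
    hits = []
    # parse_qsl URL-decodes values, so %28 and %27 become ( and ' before the check.
    for key, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if key.lower() not in PROPERTY_PARAMS:
            continue
        for item in value.split(","):          # lists of names are comma separated
            item = item.strip()
            if item and not SAFE_PROPERTY.match(item):
                hits.append((key, item))
    return hits


def suspicious_requests(log_text):
    """Scan access-log text; one finding per request with a flagged property name."""
    findings = []
    for line in log_text.splitlines():
        path = request_path(line)
        if path is None:
            continue
        hits = flagged_property_names(path)
        if hits:
            findings.append({"line": line, "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print("FLAGGED:", finding["hits"], "<-", finding["line"])
```

Run it against a real access log with `suspicious_requests(open(path).read())`; a hit is a reason to pull the full request from the application log and to confirm the GeoServer patch level, not proof of compromise on its own.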

BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar

Source: Zscaler

BlindEagle has leveraged a version of BlotchyQuasar for attacks, which is heavily protected by several nested obfuscation layers. Read more.

Hacker trap: Fake OnlyFans tool backstabs cybercriminals, steals passwords

Source: BLEEPING COMPUTER

Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects the would-be thieves with the Lumma information-stealing malware. Read more.

Banking Trojans: Mekotio Looks to Expand Targets, BBTok Abuses Utility Command

Source: TREND MICRO

The notorious Mekotio and BBTok banking trojans are resurging against Latin American users. Mekotio’s latest variant suggests the gang behind it is broadening its targets, while BBTok has been seen abusing MSBuild.exe to evade detection. Read more.

Mallox ransomware: in-depth analysis and evolution

Source: SECURE LIST

In the first half of 2024, the malware was still being actively developed, with new versions being released several times a month, while the Mallox RaaS affiliate program advertised on dark web forums was seeking new partners. Read more.

Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk

Source: JFrog

This attack technique involves hijacking PyPI software packages by manipulating the option to re-register them once they’re removed from PyPI’s index by the original owner; a technique we’ve dubbed “Revival Hijack”. Read more.
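A version pin alone does not defend against this: a package re-registered under the old name can be published with the old version number, and `pkg==1.4.0` will happily install it. What does defend is pinning the artifact hash, so that the installer refuses anything whose content differs from what was vetted. The Python below is an added example for this roundup, not code from the JFrog article or from pip; the requirements text and the two "wheel" byte strings are constructed, and the trusted digest is computed from the constructed bytes here only because a real lock file would carry the value recorded when the package was first vetted.

```python
import hashlib
import re


def normalize(name):
    """PEP 503 project-name normalization, so pins match whatever spelling pip sees."""
    return re.sub(r"[-_.]+", "-", name).lower()


REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)(.*)$")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text):
    """Parse pip requirements text into {normalized name: {"version", "hashes"}}.
    Backslash continuations (pip's usual layout for --hash lines) are joined first."""
    joined = text.replace("\\\n", " ")
    reqs = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue  # -r includes, --require-hashes and other options are not pins
        name, version, rest = m.groups()
        reqs[normalize(name)] = {"version": version, "hashes": set(HASH_OPT.findall(rest))}
    return reqs


def unpinned(reqs):
    """Names that carry a version but no hash: a re-registered package published
    with the same name and version would be installed without complaint."""
    return sorted(name for name, req in reqs.items() if not req["hashes"])


def verify_download(name, data, reqs):
    """True only if the downloaded artifact matches a recorded hash. Fails closed
    when the package is unknown or has no pins."""
    pins = reqs.get(normalize(name), {}).get("hashes", set())
    if not pins:
        return False
    return hashlib.sha256(data).hexdigest() in pins


# Constructed artifacts (not real wheels): the bytes the lock file was built
# against, and different bytes published later under the same name and version.
TRUSTED_WHEEL = b"PK\x03\x04 example_pkg-1.4.0 (vetted build)"
HIJACKED_WHEEL = b"PK\x03\x04 example_pkg-1.4.0 (re-registered build)"
TRUSTED_DIGEST = hashlib.sha256(TRUSTED_WHEEL).hexdigest()

# Constructed requirements file; example-pkg is hash-pinned, unpinned-tool is not.
REQUIREMENTS = f"""\
example-pkg==1.4.0 \\
    --hash=sha256:{TRUSTED_DIGEST}
unpinned-tool==2.0.1
"""

if __name__ == "__main__":
    reqs = parse_requirements(REQUIREMENTS)
    print("packages without a hash pin:", unpinned(reqs))
    print("trusted build accepted:", verify_download("example-pkg", TRUSTED_WHEEL, reqs))
    print("re-registered build accepted:", verify_download("example-pkg", HIJACKED_WHEEL, reqs))
```

In a real pipeline the equivalent is `pip install --require-hashes -r requirements.txt` with a lock file generated by `pip-compile --generate-hashes`; the check above is what that flag enforces, and the `unpinned` report is the audit to run before turning it on.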

Hacker Leaks Data of 390 Million Users from VK, a Russian Social Network

Source: HACK READ

A hacker using the alias “HikkI-Chan” has leaked the personal details of over 390 million VK users (specifically, 390,425,719) on the notorious cybercrime and hacker platform Breach Forums. Read more.

In plain sight: Malicious ads hiding in search results

Source: We Live Security

Malvertising campaigns typically involve threat actors buying top ad space from search engines to lure potential victims into clicking on their malicious ads; attackers have delivered ads imitating popular software such as Blender, Audacity, GIMP, and MSI Afterburner, to name a few. Read more.

North Korean threat actor Citrine Sleet exploiting Chromium zero-day

Source: Microsoft

Citrine Sleet most commonly infects targets with the unique trojan malware it developed, AppleJeus, which collects information necessary to seize control of the targets’ cryptocurrency assets. Read more.

InfoSec Articles (08/13/24 – 08/27/24)

Researchers Identify Over 20 Supply Chain Vulnerabilities in MLOps Platforms

Source: The Hacker News

These vulnerabilities, which are described as inherent- and implementation-based flaws, could have severe consequences, ranging from arbitrary code execution to loading malicious datasets. Read more.

Newly Discovered Group Offers CAPTCHA-Solving Services to Cybercriminals

Source: Infosecurity Magazine

ACTIR described Greasy Opal’s CAPTCHA-bypassing tool as an easy, fast, and flexible tool for automatically recognizing a wide array of CAPTCHAs. Greasy Opal claims it is ten times faster than typical CAPTCHA-solving services such as AntiGate (Anti-Captcha), RuCaptcha, or DeCaptcher. Read more.

PEAKLIGHT: Decoding the Stealthy Memory-Only Malware

Source: Google Mandiant

Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT. Read more.

China-Nexus Threat Group ‘Velvet Ant’ Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches

Source: Sygnia

The modus operandi of ‘Velvet Ant’ highlights risks and questions regarding third-party appliances and applications that organizations onboard. Due to the “black box” nature of many appliances, each piece of hardware or software has the potential to turn into an attack surface that an adversary is able to exploit. Read more.

PG_MEM: A Malware Hidden in the Postgres Processes

Source: Aqua

Aqua Nautilus researchers have uncovered PG_MEM, a new PostgreSQL malware, that brute forces its way into PostgreSQL databases, delivers payloads to hide its operations, and mines cryptocurrency. Read more.
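Because the entry point is plain password guessing, the earliest signal is in the PostgreSQL server log: a burst of authentication failures from one client, followed by an accepted connection from the same client. The Python below is an added example for this roundup, not code from the Aqua report or from PostgreSQL. It assumes `log_line_prefix = '%m [%p] %h %u@%d '` so that the client address (%h) appears on every line; adjust the regexes for your own prefix. The log lines are constructed, and the five-failures-per-minute threshold is a starting point, not a tuned value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed server-log lines (not real). 203.0.113.7 guesses five times in a
# few seconds and then gets in; 10.0.0.4 is an app with two stale-password errors.
SAMPLE_LOG = """\
2024-08-20 10:00:01.101 UTC [4417] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:02.220 UTC [4418] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:03.318 UTC [4419] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:04.402 UTC [4420] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:05.517 UTC [4421] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:06.633 UTC [4422] 203.0.113.7 postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:05:00.001 UTC [4430] 10.0.0.4 app@appdb FATAL:  password authentication failed for user "app"
2024-08-20 10:09:30.004 UTC [4431] 10.0.0.4 app@appdb FATAL:  password authentication failed for user "app"
"""

FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \S+ \[\d+\] (?P<host>\S+) \S+@\S+ '
    r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"$'
)
OK_RE = re.compile(
    r'^\S+ \S+ \S+ \[\d+\] (?P<host>\S+) \S+@\S+ LOG:\s+connection authorized: user=(?P<user>\S+)'
)


def brute_force_report(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: info} for hosts with >= threshold failures inside `window`.
    A later 'connection authorized' from a flagged host is recorded as a probable
    successful guess, which is the point at which payload delivery would start."""
    recent = defaultdict(deque)  # host -> timestamps of failures inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            q = recent[m["host"]]
            q.append(ts)
            while ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold and m["host"] not in flagged:
                flagged[m["host"]] = {
                    "first_failure": q[0],
                    "failures": len(q),
                    "user": m["user"],
                    "succeeded": False,
                }
            continue
        m = OK_RE.match(line)
        if m and m["host"] in flagged:
            flagged[m["host"]]["succeeded"] = True
    return flagged


if __name__ == "__main__":
    for host, info in brute_force_report(SAMPLE_LOG).items():
        status = "LOGGED IN AFTER BURST" if info["succeeded"] else "still failing"
        print(f"{host}: {info['failures']} failures for {info['user']!r} "
              f"from {info['first_failure']} ({status})")
```

A host that appears with `succeeded` set is the one to triage first: check `pg_stat_activity` for its sessions and look for unexpected large objects or functions created after the login time.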

Qilin ransomware caught stealing credentials stored in Google Chrome

Source: Sophos

During a recent investigation of a Qilin ransomware breach, the Sophos X-Ops team identified attacker activity leading to en masse theft of credentials stored in Google Chrome browsers on a subset of the network’s endpoints – a credential-harvesting technique with potential implications far beyond the original victim’s organization. Read more.

MSC file distribution exploiting Amazon services

Source: ASEC

Recently, ASEC (AhnLab SECURITY INTELLIGENCE CENTER) confirmed that malicious MSC files abusing Amazon services are being distributed. MSC files are XML-structured and are executed by the Microsoft Management Console (MMC). Read more.

MoonPeak malware from North Korean actors unveils new details on attacker infrastructure

Source: Cisco Talos

This campaign consists of distributing a variant of the open-source XenoRAT malware we’re calling “MoonPeak,” a remote access trojan (RAT) being actively developed by the threat actor. Analysis of XenoRAT against MoonPeak malware samples we’ve discovered so far illustrates the evolution of the malware family after it was forked by the threat actors. Read more.

Ailurophile: New Infostealer sighted in the wild

Source: G Data

We discovered a new stealer in the wild called “Ailurophile Stealer”. The stealer is coded in PHP and the source code indicates potential Vietnamese origins. It is available for purchase through a subscription model via its own webpage. Through the website’s web panel, its customers are provided the ability to customize and generate malware stubs. Read more.

Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset

Source: Proofpoint

The lure purported to invite the target to be a guest on a podcast hosted by ISW. After receiving a response from the target (outside of Proofpoint visibility), TA453 replied with a DocSend URL. The DocSend URL was password protected and led to a text file that contained a URL to the legitimate ISW Podcast being impersonated by TA453. Read more.

InfoSec Articles (07/30/24 – 08/13/24)

Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources

Source: Aqua

These vulnerabilities could have impacted any organization in the world that has ever used any of these services. In this blog, we thoroughly explain the “Shadow Resource” attack vector, which may lead to resource squatting, and the “Bucket Monopoly” technique that dramatically increases the success rate of an attacker. Read more.

Vulnerability in Windows Driver Leads to System Crashes

Source: Infosecurity Magazine

This issue, identified by Fortra cybersecurity researcher Ricardo Narvaja, is a flaw that could allow an unprivileged user to cause a system crash, resulting in a Blue Screen of Death (BSOD). Read more.

A Dive into Earth Baku’s Latest Campaign

Source: Trend Micro

The group uses public-facing applications such as IIS servers as entry points, deploying advanced malware toolsets such as the Godzilla webshell, StealthVector, StealthReacher, and SneakCross. Read more.

Unmasking the Overlap Between Golddigger and Gigabud Android Malware

Source: Cyble

Gigabud is now using sophisticated phishing tactics, distributing its malware by disguising it as legitimate airline applications. These fake apps are being circulated through phishing sites that closely mimic the official Google Play Store, aiming to deceive unsuspecting users. Read more.

The i-Soon-Leaks: Industrialization of Cyber Espionage

Source: BfV

The internal documents show the extent of cooperation between the Chinese cybersecurity company i-Soon and the Chinese government and intelligence services. In four consecutive reports BfV examines the leak in detail and describes the level of industrialization of cyber espionage activities by privately organized companies, who carry out cyber-attacks for state entities. Read more.

Double Trouble: Latrodectus and ACR Stealer observed spreading via Google Authenticator Phishing Site

Source: Cyble

The phishing site’s primary goal is to deceive users into downloading a file that purports to be Google Authenticator. In reality, this file is a malicious application designed to install additional malicious software on the victim’s system. The malicious file drops two distinct types of malware: Latrodectus and ACR Stealer. Read more.

Botnet 7777: Are You Betting on a Compromised Router?

Source: Team Cymru

Team Cymru identified a potential expansion of the Quad7 operator’s modus operandi to a second tranche of bots, characterized by an open port 63256. The port 63256 botnet appears to consist mainly of infected ASUS routers. Read more.

Thousands of Devices Wiped Remotely Following Mobile Guardian Hack

Source: Security Week

According to the company, which specializes in MDM solutions for the education sector, it detected unauthorized access to its platform on August 4. In response to the intrusion, servers were shut down to contain the incident and prevent further disruption. The incident involved unauthorized access to iOS and Chrome OS devices enrolled in the Mobile Guardian platform. Read more.

Google warns of an actively exploited Android kernel flaw

Source: Security Affairs

Google fixed a high-severity flaw, tracked as CVE-2024-36971, in the Android kernel. The company said it is aware that the vulnerability is being exploited in the wild but did not share details of the attacks. The vulnerability can lead to remote code execution in the kernel. Read more.

APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

Source: Cisco Talos

The activity conducted on the victim endpoint matches the hacking group APT41, alleged by the U.S. government to be comprised of Chinese nationals. Talos assesses with medium confidence that the combined usage of malware, open-source tools and projects, procedures and post-compromise activity matches this group’s usual methods of operation. Read more.

InfoSec Articles (07/16/24 – 07/30/24)

Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption

Source: Microsoft

The vulnerability, identified as CVE-2024-37085, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. Read more.

“EchoSpoofing” — A Massive Phishing Campaign Exploiting Proofpoint’s Email Protection to Dispatch Millions of Perfectly Spoofed Emails

Source: Guardio

Dubbed “EchoSpoofing”, this issue allowed threat actors to dispatch millions of perfectly spoofed phishing emails, leveraging Proofpoint’s customer base of well-known companies and brands such as Disney, IBM, Nike, Best Buy, and Coca-Cola. Read more.

Malicious Python Package Targets macOS Developers To Access Their GCP Accounts

Source: Checkmarx

A package called “lr-utils-lib” was uploaded to PyPI in early June 2024, containing malicious code that executes automatically upon installation. The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data. The harvested credentials are sent to a remote server. Read more.

WhatsApp for Windows lets Python, PHP scripts execute with no warning

Source: BLEEPING COMPUTER

A security issue in the latest version of WhatsApp for Windows allows sending Python and PHP attachments that are executed without any warning when the recipient opens them. For the attack to be successful, Python needs to be installed, a prerequisite that may limit the targets to software developers, researchers, and power users. Read more.

5 ways threat actors are taking advantage of the CrowdStrike outage

Source: SC Media

The CrowdStrike outage incident exposed both widespread security shortcomings across organizations and the ruthless, opportunistic nature of cybercriminals in the wake of a worldwide disaster. Read more.

Six-day, 14.7 Million RPS Web DDoS Attack Campaign Attributed to SN_BLACKMETA

Source: Radware

This year has been marked by a record-breaking six-day attack campaign consisting of multiple four to 20-hour Web DDoS waves, amounting to a total of 100 hours of attack time and sustaining an average of 4.5 million RPS with a peak of 14.7 million RPS. Read more.

APT45: North Korea’s Digital Military Machine

Source: Google Cloud

APT45 has gradually expanded into financially-motivated operations, and the group’s suspected development and deployment of ransomware sets it apart from other North Korean operators. Read more.

Stargazers Ghost Network

Source: Check Point Research

Check Point Research identified a network of GitHub accounts (the Stargazers Ghost Network) that distribute malware or malicious links via phishing repositories. The accounts also star, fork, and subscribe to those repositories so that they appear legitimate. Read more.

Daggerfly: Espionage Group Makes Major Update to Toolset

Source: Symantec

Among the new additions to Daggerfly’s arsenal are a new malware family based on the group’s MgBot modular malware framework and a new version of the Macma macOS backdoor. Read more.

Novel ICS Malware Sabotaged Water-Heating Services in Ukraine

Source: DARK READING

The malware, dubbed FrostyGoop by researchers at Dragos who discovered it, is the first known malware that lets threat actors interact directly with operational technology (OT) systems via Modbus, a widely used communication protocol in ICS environments. Read more.
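Modbus has no authentication: any host that can reach TCP port 502 can issue the same register writes the HMI does, which is why malware that speaks the protocol directly can change setpoints without exploiting anything. The defensive counterpart is to watch the wire and alert on write function codes from any source that is not an approved controller. The Python below is an added example for this roundup, not code from the Dragos research or from any Modbus library. It decodes the MBAP header and the common read/write PDUs from the Modbus/TCP specification; the traffic, the approved-writer address (10.10.1.5) and the register numbers are constructed.

```python
import struct

# Modbus function codes that change process state. 0x17 both reads and writes.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}


def build_frame(transaction_id, unit_id, function, data):
    """Encode a Modbus/TCP request: MBAP header (tid, protocol 0, length, unit) + PDU."""
    length = 2 + len(data)  # bytes after the length field: unit id + function + data
    return struct.pack(">HHHB", transaction_id, 0, length, unit_id) + bytes([function]) + data


def parse_frame(frame):
    """Decode the MBAP header and the fields of the common read/write PDUs."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    function, pdu = frame[7], frame[8:]
    info = {"transaction_id": tid, "unit_id": unit, "function": function,
            "exception": bool(function & 0x80)}
    if function in (0x03, 0x04):                      # read holding / input registers
        info["address"], info["quantity"] = struct.unpack(">HH", pdu[:4])
    elif function in (0x05, 0x06):                    # write single coil / register
        info["address"], value = struct.unpack(">HH", pdu[:4])
        info["values"] = [value]
    elif function == 0x10:                            # write multiple registers
        info["address"], qty, count = struct.unpack(">HHB", pdu[:5])
        if count != 2 * qty or len(pdu) < 5 + count:
            raise ValueError("byte count does not match register quantity")
        info["quantity"] = qty
        info["values"] = list(struct.unpack(f">{qty}H", pdu[5:5 + count]))
    return info


def audit(traffic, allowed_writers):
    """Flag every write request whose source is not an approved writer (e.g. the HMI).
    `traffic` is a list of (source_ip, frame_bytes) pairs."""
    alerts = []
    for src, frame in traffic:
        info = parse_frame(frame)
        if info["function"] in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append({"source": src, "name": WRITE_FUNCTIONS[info["function"]], **info})
    return alerts


# Constructed traffic (not a capture). 10.10.1.5 plays the approved HMI; the
# write from 10.10.1.99 is the unsolicited register change to alert on.
ALLOWED_WRITERS = {"10.10.1.5"}
SAMPLE_TRAFFIC = [
    ("10.10.1.5", build_frame(1, 1, 0x03, struct.pack(">HH", 0, 10))),    # read 10 holding regs
    ("10.10.1.5", build_frame(2, 1, 0x06, struct.pack(">HH", 3, 550))),   # HMI sets register 3
    ("10.10.1.99", build_frame(7, 1, 0x10,
                               struct.pack(">HHB", 16, 2, 4) + struct.pack(">HH", 65, 0))),
]

if __name__ == "__main__":
    for a in audit(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print(f"ALERT {a['source']} {a['name']} unit={a['unit_id']} "
              f"addr={a['address']} values={a['values']}")
```

Feeding this from a live tap means reassembling TCP streams and pairing requests with responses; the allowlist by source address is the minimum, and a stricter version also constrains which register ranges each writer may touch.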