Jun 4, 2025 | APT, Cybersecurity News, Malware, Vulnerability
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
New Linux Vulnerabilities Expose Password Hashes via Core Dumps
Source: Infosecurity Magazine
Two local information-disclosure vulnerabilities have been identified in popular Linux crash-reporting tools, allowing attackers to access sensitive system data. The vulnerabilities impact Apport on Ubuntu and systemd-coredump on Red Hat Enterprise Linux (RHEL) and Fedora. Read more.
Crocodilus Mobile Malware: Evolving Fast, Going Global
Source: Threat Fabric
In March 2025, researchers discovered Crocodilus, a new device-takeover Android banking Trojan entering the threat landscape. The first observed samples were mostly related to test campaigns, with sporadic instances of live campaigns. Ongoing monitoring of the threat landscape revealed a growing number of campaigns and continuous development of the Trojan. Read more.
A mysterious leaker is exposing ransomware hackers to the world
Source: TechRadar
A mysterious leaker has been spotted unveiling the identities of some of the world’s most wanted cybercriminals, including the masterminds behind Conti and Trickbot ransomware, infamous groups responsible for some of the biggest extortions in modern history. Read more.
Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says
Source: The Record
BO Team, also known as Black Owl, has been active since early 2024 and appears to operate independently, with its own arsenal of tools and tactics, researchers at Russian cybersecurity firm Kaspersky said. Read more.
Cybercriminals camouflaging threats as AI tool installers
Source: Cisco Talos
Talos has recently uncovered multiple threats masquerading as AI solutions being circulated in the wild, including the CyberLock and Lucky_Gh0$t ransomware families, along with a newly discovered destructive malware, dubbed “Numero.” The legitimate versions of these AI tools are particularly popular within the B2B sales domain and the technology and marketing sectors. Read more.
Monkey-Patched PyPI Packages Use Transitive Dependencies to Steal Solana Private Keys
Source: Socket
Once imported, the malware monkey-patches Solana key-generation methods by modifying functions at runtime without altering the original source code. Each time a keypair is generated, the malware captures the private key. It then encrypts the key using a hardcoded RSA?2048 public key and encodes the result in Base64. Read more.
Your AI Notetaker Might Be a Liability: Insights from Stealer Logs
Source: SOCRadar
Using AI note-taking tools can be incredibly helpful but they also come with some serious legal and ethical responsibilities. Organizations need to think about how these tools collect, store, and use data, and how the output might influence decisions or impact privacy. If you’re choosing a transcription service, make sure it follows data privacy laws and uses secure, well-managed systems. Read more.
Tracking AyySSHush: a Newly Discovered ASUS Router Botnet Campaign
Source: Censys
A new, stealthy ASUS router botnet, dubbed AyySSHush, abuses trusted firmware features through a multi-stage attack sequence to backdoor routers and persist across firmware updates, evading traditional detection methods. Read more.
Police takes down AVCheck site used by cybercriminals to scan malware
Source: BLEEPING COMPUTER
An international law enforcement operation has taken down AVCheck, a service used by cybercriminals to test whether their malware is detected by commercial antivirus software before deploying it in the wild. The service’s official domain at avcheck.net now displays a seizure banner with the crests of the U.S. Department of Justice, the FBI, the U.S. Secret Service, and the Dutch police (Politie). Read more.
Russian-linked hackers target UK Defense Ministry while posing as journalists
Source: KYIV Independent
Russian-linked hackers targeted U.K. Defense Ministry staff in an espionage operation while posing as journalists, Sky News reported on May 29, citing the British government. The cyber attack was detected and thwarted, the government said. Read more.
May 21, 2025 | APT, Cybersecurity News, Malware, Ransomware, Vulnerability
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
SEC SIM-swapper who Googled ‘signs that the FBI is after you’ put behind bars
Source: The Register
An Alabama man who SIM-swapped his way into the SEC’s official X account, enabling a fake ETF announcement that briefly pumped Bitcoin, has been sentenced to 14 months in prison and three years of supervised release. Prior to his conviction and sentencing on Friday, Eric Council Jr., 26, of Huntsville, Alabama, proved once again that cybercriminals are very bad at internet search hygiene. Read more.
Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems
Source: GBHackers
Often compared to .NET for its persistence in malicious campaigns, AutoIT’s simplicity and ability to interact with Windows components make it a favored tool among cybercriminals. This weekend, a particularly intricate malware delivery mechanism was identified, featuring a double-layered AutoIT script designed to deploy a potentially devastating payload. Read more.
Malware of the Day – C2 over ICMP (ICMP-GOSH)
Source: ACTIVE COUNTER MEASURES
The potential for ICMP to be used as a C2 channel is often overlooked precisely because it is such a foundational troubleshooting protocol, integral to the normal functioning of network communication. Many people view it as “background chatter”, not considering its potential to be intentionally leveraged to carry data for this exact reason. Read more.
Backdoor implant discovered on PyPI posing as debugging utility
Source: REVERSING LABS
On Tuesday, the RL threat research team detected a newly uploaded malicious package that poses as a Python debugging utility. When installed, the package implants a backdoor on the developer’s system, enabling malicious actors to execute malicious code and exfiltrate sensitive data. Read more.
Ransomware gangs increasingly use Skitnet post-exploitation malware
Source: BLEEPING COMPUTER
Ransomware gang members increasingly use a new malware called Skitnet (“Bossnet”) to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025. Read more.
Researchers Expose New Intel CPU Flaws Enabling Memory Leaks and Spectre v2 Attacks
Source: The Hacker News
The vulnerability, referred to as Branch Privilege Injection (BPI), “can be exploited to misuse the prediction calculations of the CPU (central processing unit) in order to gain unauthorized access to information from other processor users,” ETH Zurich said. Read more.
Android users bombarded with unskippable ads
Source: Malwarebytes Labs
Researchers have discovered a very versatile ad fraud network—known as Kaleidoscope—that bombards users with unskippable ads. Kaleidoscope targets Android users through seemingly legitimate apps in the Google Play Store, as well as malicious lookalikes distributed through third-party app stores. Read more.
Operation RoundPress
Source: welivesecurity
In Operation RoundPress, the compromise vector is a spearphishing email leveraging an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page. In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra. Read more.
GovDelivery, an email alert system used by governments, abused to send scam messages
Source: TechCrunch
An email notification system used by U.S. federal and state government departments to alert residents to important information has been used to send scam emails, TechCrunch has learned. Read more.
APT GROUP123
Source: CYFIRMA
Group123 is a North Korean state-sponsored APT group active since at least 2012. It is also tracked under other names such as APT37, Reaper, and ScarCruft by various cybersecurity firms. The group is known for its cyber espionage campaigns primarily targeting South Korea, however since 2017 it has expanded its operations to Japan, Vietnam, the Middle East, and other regions. Read more.
May 7, 2025 | APT, Cybersecurity News, DDoS, Malware, Ransomware
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
New “Bring Your Own Installer” EDR bypass used in ransomware attack
Source: Bleeping Computer
A new “Bring Your Own Installer” EDR bypass technique is exploited in attacks to bypass SentinelOne’s tamper protection feature, allowing threat actors to disable endpoint detection and response (EDR) agents to install the Babuk ransomware. Read more.
Mamona: Technical Analysis of a New Ransomware Strain
Source: ANY RUN
Mamona is a newly identified commodity ransomware strain. The malware operates entirely offline, with no observed Command and Control (C2) channels or data exfiltration. All cryptographic processes are executed locally using custom routines, with no reliance on standard libraries. Read more.
Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims
Source: Arctic Wolf
Arctic Wolf® observed a recent campaign by the financially motivated threat group Venom Spider targeting hiring managers with spear-phishing emails. The group abuses legitimate messaging services and job platforms to apply for real jobs using fake malicious resumes that drop a backdoor called More_eggs. Read more.
The Signal Clone the Trump Admin Uses Was Hacked
Source: 404 Media
A hacker has breached and stolen customer data from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the U.S. government to archive messages. The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat. Read more.
Critical Commvault Vulnerability in Attacker Crosshairs
Source: Security Week
A second Commvault flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog within a week, signaling increased threat actor interest in the platform. Tracked as CVE-2025-34028 (CVSS score of 10/10), the issue is described as a path traversal flaw in Commvault Command Center that could be exploited without authentication for remote code execution (RCE). Read more.
Revived CryptoJS library is a crypto stealer in disguise
Source: Sonatype
An illicit npm package called ‘crypto-encrypt-ts’ may appear to revive the unmaintained but vastly popular CryptoJS library, but what it actually does is peek into your crypto wallet and exfiltrate your secrets to threat actors. Read more.
Ukrainian Nefilim Ransomware Affiliate Extradited to US
Source: Security Week
A Ukrainian national was extradited from Spain to the US on Wednesday to face charges related to his involvement in Nefilim ransomware attacks. The man, Artem Stryzhak, was arrested in Spain in 2024. He is charged with fraud conspiracy, including extortion, and faces up to five years in prison. Read more.
Interesting WordPress Malware Disguised as Legitimate Anti-Malware Plugin
Source: Wordfence
The Wordfence Threat Intelligence team recently discovered an interesting malware variant that appears in the file system as a normal WordPress plugin, often with the name ‘WP-antymalwary-bot.php’, and contains several functions that allow attackers to maintain access to your site, hide the plugin from the dashboard, and execute remote code. Read more.
Finding Minhook in a sideloading attack – and Sweden too
Source: SOPHOS
The campaign made use of the Minhook DLL (Minhook is a minimalistic API hooking library for Windows) to detour Windows API calls. The clean loader was not part of the sideloading package; instead, it was snatched from the infected system. Read more.
French Foreign Ministry blames Russian GRU-linked APT28 for cyberattacks on national entities; urges global action
Source: Industrial Cyber
The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked to Russia’s military intelligence agency (GRU), and has strongly condemned its use by the Russian state. Since 2021, this attack group has been used to target or compromise a dozen French entities. Read more.
Apr 23, 2025 | APT, Cybersecurity News, Malware, Ransomware, Vulnerability
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials
Source: The Hacker News
In what has been described as an “extremely sophisticated phishing attack,” threat actors have leveraged an uncommon approach that allowed bogus emails to be sent via Google’s infrastructure and redirect message recipients to fraudulent sites that harvest their credentials. Read more.
False Face: Unit 42 Demonstrates the Alarming Ease of Synthetic Identity Creation
Source: Unit 42
Evidence suggests that North Korean IT workers are using real-time deepfake technology to infiltrate organizations through remote work positions, which poses significant security, legal and compliance risks. The detection strategies we outline in this report provide security and HR teams with practical guidance to strengthen their hiring processes against this threat. Read more.
Unmasking the Evolving Threat: A Deep Dive into the Latest Version of Lumma InfoStealer with Code Flow Obfuscation
Source: Trellix
Lumma Stealer, first identified in 2022, remains a significant threat to this day, continuously evolving its tactics, techniques, and procedures (TTPs) to stay aligned with emerging trends. It is distributed on the dark web via a subscription-based model, Malware-As-A-Service(MaaS). Read more.
Critical AnythingLLM Vulnerability Exposes Systems to Remote Code Execution
Source: GBHackers
A critical security flaw (CVE-2024-13059) in the open-source AI framework AnythingLLM has raised alarms across cybersecurity communities. The vulnerability, discovered in February 2025, allows attackers with administrative privileges to execute malicious code remotely, potentially compromising entire systems. Read more.
IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
Source: SECURE LIST
However, recently we managed to spot attempted deployments of a new version of this implant, occurring in government organizations located in Mongolia and Russia. To us, this observed choice of victims wasn’t surprising, as back in 2018, we wrote that IronHusky, the actor related to this RAT, has a specific interest in targeting these two countries. Read more.
Emulating the Stealthy StrelaStealer Malware
Source: ATTACK IQ
In recent analysis, StrelaStealer has been associated with the threat actor group HIVE-0145, a cluster identified for its focus on credential theft and espionage-driven campaigns. As reported by IBM, HIVE-0145 is likely to be a financially motivated initial access broker (IAB), active since late 2022 and potentially the sole operator of StrelaStealer. Read more.
Cisco Webex bug lets hackers gain code execution via meeting links
Source: BLEEPING COMPUTER
Tracked as CVE-2025-20236, this security flaw was found in the Webex custom URL parser and can be exploited by tricking users into downloading arbitrary files, which lets threat actors execute arbitrary commands on systems running unpatched software in low complexity attacks. Read more.
Billbug: Intrusion Campaign Against Southeast Asia Continues
Source: Symantec
The Billbug espionage group (aka Lotus Blossom, Lotus Panda, Bronze Elgin) compromised multiple organizations in a single Southeast Asian country during an intrusion campaign that ran between August 2024 and February 2025. Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company. Read more.
Malware of the Day – C2 over NTP (goMESA)
Source: Active Countermeasures
To complete the disguise, an attacker’s NTP server used for C2 can often be set up to also respond with valid time information, making the malicious traffic blend seamlessly with legitimate NTP activity and harder to detect by both automated systems and security analysts. This combination of permitted passage, potential for data hiding, and plausible deniability makes NTP an attractive channel for stealthy C2 operations. Read more.
Unmasking the new XorDDoS controller and infrastructure
Source: CISCO TALOS
Cisco Talos observed an existing distributed denial-of-service (DDoS) malware known as XorDDoS, continuing to spread globally between November 2023 and February 2025. A significant finding shows that over 70 percent of attacks using XorDDoS targeted the United States from Nov. 2023 to Feb. 2025. Read more.
Apr 9, 2025 | APT, Cybersecurity News, Malware, Phishing, Ransomware
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Windows Remote Desktop Protocol: Remote to Rogue
Source: Google Cloud
Evidence suggests this campaign may have involved the use of an RDP proxy tool like PyRDP to automate malicious activities like file exfiltration and clipboard capture. This technique has been previously dubbed as “Rogue RDP.” Read more.
Malicious VSCode extensions infect Windows with cryptominers
Source: BLEEPINGCOMPUTER
Nine VSCode extensions on Microsoft’s Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero. Read more.
How ToddyCat tried to hide behind AV software
Source: SECURELIST
Attackers get round this protection mechanism by using legitimate drivers that have the right signature, but contain vulnerable functions that allow malicious actions in the context of the kernel. Monitoring tools track the installation of such drivers and check applications that perform it. But what if a security solution performs unsafe activity? Read more.
Someone hacked ransomware gang Everest’s leak site
Source: TechCrunch
The leak site, which the ransomware gang uses to publish stolen files to extort its victims into paying a ransom demand, was replaced with a brief text note: “Don’t do crime CRIME IS BAD xoxo from Prague.” Read more.
OH-MY-DC: OIDC Misconfigurations in CI/CD
Source: Unit 42
In the course of investigating the use of OpenID Connect (OIDC) within continuous integration and continuous deployment (CI/CD) environments, Unit 42 researchers discovered problematic patterns and implementations that could be leveraged by threat actors to gain access to restricted resources. One instance of such an implementation was identified in CircleCI’s OIDC. Read more.
The Rising Threat of Cyberwarfare: Extreme Cyber Weapons and Their Potential to Disrupt Critical Infrastructure
Source: IDST
Cyber warfare is the use of technology to launch covert attacks on nations, governments, and even citizens, causing harm comparable to that of conventional warfare. This new battleground allows adversaries to disrupt or destroy critical infrastructure—power grids, telecommunications, banking systems—by targeting the computer networks that control them. Read more.
Same Russian-Speaking Threat Actor, New Tactics: Abuse of Cloudflare Services for Phishing and Telegram to Filter Victim IPs
Source: Hunt.io
The lure abuses the ms-search protocol to download a malicious LNK file disguised as a PDF via a double extension. Once executed, the malware checks in with an attacker-operated Telegram bot-sending the victim’s IP address-before transitioning to Pyramid C2 to control the infected host. Read more.
Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
Source: Sophos News
Late in January 2025, a Managed Service Provider (MSP) administrator received a well-crafted phishing email containing what appeared to be an authentication alert for their ScreenConnect RMM tool. That email resulted in Qilin ransomware actors gaining access to the administrator’s credentials—and launching ransomware attacks on the MSP’s customers. Read more.
RolandSkimmer: Silent Credit Card Thief Uncovered
Source: Fortinet
FortiGuard Labs recently observed a sophisticated campaign dubbed “RolandSkimmer,” named after the unique string “Rol@and4You” found embedded in its payload. This threat actor targets users in Bulgaria and represents a new wave of credit card skimming attacks leveraging malicious browser extensions across Chrome, Edge, and Firefox. Read more.
Emulating the Sophisticated Russian Adversary Seashell Blizzard
Source: ATTACKIQ
The BadPilot campaign is a sophisticated, long-running operation primarily focused on gaining initial access to targeted networks. The campaign is attributed to a Seashell Blizzard subgroup and is known for its strategic use of spear-phishing emails and exploiting vulnerabilities in software to breach networks. Read more.
Mar 26, 2025 | APT, Cybersecurity News, Malware, Phishing, Ransomware, Vulnerability
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Clickbait to Catastrophe: How a Fake Meta Email Leads to Password Plunder
Source: Cofense
The Cofense Phishing Defense Center (PDC) has discovered a new phishing campaign that tricks users into giving out access to their Meta Business accounts. While social media phishing attempts are prevalent, this one went above and beyond by employing fake chat support, providing detailed instructions, and attempting to add itself as a secure login method. Read more.
Nuxt Users Beware: CVE-2025-27415 Opens the Door to Cache Poisoning Attacks
Source: Cybersecurity News
A newly discovered vulnerability in the popular Nuxt framework could allow attackers to poison CDN caches and disrupt access to full-stack Vue.js applications. Tracked as CVE-2025-27415 and scored 7.5 on the CVSS scale. The issue lies in how Nuxt handles certain HTTP requests, particularly ones that resemble: https://yoursite.com/?/_payload.json Read more.
Unboxing Anubis: Exploring the Stealthy Tactics of FIN7’s Latest Backdoor
Source: G Data
In the ever-evolving landscape of advanced persistent threats (APTs), the notorious financial cybercrime group FIN7 has added another sophisticated tool to their arsenal. We have recently discovered a new Python-based backdoor, called “AnubisBackdoor”, being deployed in their latest campaigns. Read more.
Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation
Source: Sygnia
Sygnia details Weaver Ant, a China-nexus threat actor infiltrating a major telecom provider. Using web shells and tunneling, the attackers maintained persistence and facilitated cyber espionage. Read more.
Over 150 US Government Database Servers Vulnerable to Internet Exposure
Source: GB Hackers
The investigation, conducted using data from Shodan, a tool often referred to as the “Google of internet-connected devices,” identified over 2,000 instances of exposed government database servers since early 2025. Read more.
Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations
Source: Trend Micro
Trend Research uncovered new versions of the Albabat ransomware. The development of these versions signifies the ransomware operators’ potential expansion of their targets from Windows to Linux and macOS. Research also reveals the group’s use of GitHub to streamline operations. Read more.
AI-Generated Zoom Impersonation Attack Exploits Tax Season to Deploy Remote Desktop Tool
Source: Abnormal
Disguised as a routine Zoom meeting invitation related to the 2024 tax season, a campaign recently stopped by Abnormal leveraged generative AI to construct a highly convincing phishing page. However, unlike traditional credential-harvesting scams, these attacks attempted to deceive targets into downloading a RMM tool—granting threat actors full control over their devices. Read more.
UAT-5918 Targets Taiwan’s Critical Infrastructure Using Web Shells and Open-Source Tools
Source: The Hacker News
“UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting,” Cisco Talos researchers Jungsoo An, Asheer Malhotra, Brandon White, and Vitor Ventura said. Read more.
VanHelsing Ransomware
Source: Cyfirma
This new ransomware strain encrypts files and demands payment for decryption. It also employs double extortion tactics, threatening to leak stolen data to pressure victims into paying. Once executed, VanHelsing appends the “.vanhelsing” extension to encrypted files, modifies the desktop wallpaper, and drops a ransom note named “README.txt” on the victim’s system. Read more.
Operation FishMedley
Source: Welivesecurity
Verticals targeted during Operation FishMedley include governments, NGOs, and think tanks, across Asia, Europe, and the United States. Operators used implants – such as ShadowPad, SodaMaster, and Spyder – that are common or exclusive to China-aligned threat actors. We assess with high confidence that Operation FishMedley was conducted by the FishMonger APT group. Read more.
Mar 11, 2025 | APT, Cybersecurity News, Malware, Vulnerability
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
The Growing Danger of Blind Eagle: One of Latin America’s Most Dangerous Cyber Criminal Groups Targets Colombia
Source: CHECK POINT
Check Point Research (CPR) has uncovered a series of ongoing, targeted cyber campaigns by Blind Eagle (APT-C-36)—one of Latin America’s most dangerous threat actors. Days after Microsoft released a fix for CVE-2024-43451, the group began employing a comparable technique involving harmful .url files, showing how attackers can turn security updates into weapons against their victims. Read more.
SideWinder targets the maritime and nuclear sectors with an updated toolset
Source: SECURE LIST
It is worth noting that SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems. Based on our observation of the group’s activities, we presume they are constantly monitoring detections of their toolset by security solutions. Read more.
Desert Dexter Targets 900 Victims Using Facebook Ads and Telegram Malware Links
Source: The Hacker News
The Middle East and North Africa have become the target of a new campaign that delivers a modified version of a known malware called AsyncRAT since September 2024. The campaign is estimated to have claimed approximately 900 victims since the fall 2024, the Russian cybersecurity company added, indicating its widespread nature. Read more.
Malware of the Day – IPv6 Address Aliasing
Source: Active Counter Measures
The introduction of IPv6 brought with it a wealth of new features over its predecessor, IPv4. One of the most interesting of these features is its flexibility in address assignment, which allows for a concept known as IPv6 aliasing. Aliasing is essentially the ability for a host to assign multiple IPv6 addresses to itself, all of which can then be used interchangeably. Read more.
The Next Level: Typo DGAs Used in Malicious Redirection Chains
Source: UNIT 42
We have uncovered a new campaign in which an attacker leverages newly registered domains (NRDs) and introduces a new variant of DGAs potentially designed to avoid detection. We found this through our novel graph-intelligence based pipeline. The system infers attack campaigns by correlating domain registrations with hosting infrastructure, passive DNS and WHOIS data. Read more.
Zen and the Art of Microcode Hacking
Source: Bug Hunters
We are releasing the full details of EntrySign, the AMD Zen microcode signature validation vulnerability which we initially disclosed last month. In this post, we first discuss the background of what microcode is, why microcode patches exist, why the integrity of microcode is important for security, and how AMD attempts to prevent tampering with microcode. Read more.
Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes
Source: Human Security
BADBOX 2.0, like its predecessor, begins with backdoors on low-cost consumer devices that enable threat actors to load fraud modules remotely. These devices communicate with command-and-control (C2) servers owned and operated by a series of distinct but cooperative threat actors. Read more.
Silk Typhoon targeting IT supply chain
Source: Microsoft
Microsoft Threat Intelligence identified a shift in tactics by Silk Typhoon, a Chinese espionage group, now targeting common IT solutions like remote management tools and cloud applications to gain initial access. Read more.
Android zero-day vulnerabilities actively abused. Update as soon as you can
Source: Malwarebytes Labs
Google has issued updates to fix 43 vulnerabilities in Android, including two zero-days that are being actively exploited in targeted attacks. The updates are available for Android 12, 12L, 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately. Read more.
Qilin ransomware gang boasts of cyberattacks on cancer clinic, Ob-Gyn facility
Source: The Register
Qilin – the “no regrets” ransomware crew wreaking havoc on the global healthcare industry – just claimed responsibility for fresh attacks on a cancer treatment clinic in Japan and a women’s healthcare facility in the US. Read more.
Feb 26, 2025 | APT, Cybersecurity News, Malware, Phishing, Ransomware, Vulnerability
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Predatory app downloaded 100,000 times from Google Play Store steals data, uses it for blackmail
Source: Malwarebytes LABS
A malicious app claiming to be a financial management tool has been downloaded 100,000 times from the Google Play Store. The app— known as “Finance Simplified”—belongs to the SpyLoan family which specializes in predatory lending. Read more.
Android trojan TgToxic updates its capabilities
Source: Intel471
This new version of the trojan abused 25 community forums to host encrypted malware configurations. The actors created user accounts on these forums and embedded specific encrypted strings within the user profiles, serving as dead drop locations from which malware bots could retrieve the final command-and-control (C2) URL. Read more.
Phishing Campaigns Targeting Higher Education Institutions
Source: Google Cloud
These attacks exploit trust within academic institutions to deceive students, faculty, and staff, and have been timed to coincide with key dates in the academic calendar. The beginning of the school year, with its influx of new and returning students combined with a barrage of administrative tasks, as well as financial aid deadlines, can create opportunities for attackers to carry out phishing attacks. Read more.
Auto-Color: An Emerging and Evasive Linux Backdoor
Source: Unit42
Between early November and December 2024, Palo Alto Networks researchers discovered new Linux malware called Auto-color. We chose this name based on the file name the initial payload renames itself after installation. Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software. Read more.
The Bybit Incident: When Research Meets Reality
Source: CHECKPOINT
The log indicated that the AI engine identify anomality change with this transaction and categorize it as critical attack in real time. It was indicated that ByBit cold wallet got hacked, resulting in the theft of approximately $1.5 billion worth of digital assets, primarily in Ethereum tokens. This incident marks one of the largest thefts in the history of the digital asset industry. Read more.
Beware: PayPal “New Address” feature abused to send phishing emails
Source: BLEEPING COMPUTER
An ongoing PayPal email scam exploits the platform’s address settings to send fake purchase notifications, tricking users into granting remote access to scammers. The email includes the new address that was allegedly added to your PayPal account, a message claiming to be a purchase confirmation for a MacBook M4, and to call the enclosed PayPal number if you did not authorize the purchase. Read more.
Angry Likho: Old beasts in a new forest
Source: SECURE LIST
Angry Likho (referred to as Sticky Werewolf by some vendors) is an APT group we’ve been monitoring since 2023. It bears a strong resemblance to Awaken Likho, which we’ve analyzed before, so we classified it within the Likho malicious activity cluster. Read more.
FBI and CISA Warn of Ghost Ransomware: A Threat to Firms Worldwide
Source: HACK READ
FBI and CISA warn of Ghost ransomware, a China-based cyber threat targeting businesses, schools, and healthcare worldwide by exploiting software vulnerabilities. Read more.
LummaC2 malware distributed disguised as Total Commander Crack
Source: ASEC
ASEC discovered LummaC2 malware that is being distributed disguised as a tool called Total Commander. Total Commander is a file manager for Windows that supports various file formats and provides convenient overall file management, including copy and move functions, advanced search functions using strings within files, folder synchronization, and FTP/SFTP functions. Read more.
Updated Shadowpad Malware Leads to Ransomware Deployment
Source: TREND MICRO
Two recent incident response cases in Europe involved Shadowpad, a malware family connected to various Chinese threat actors. Our research suggested that this malware family had targeted at least 21 companies across 15 countries in Europe, the Middle East, Asia, and South America. Read more.
Feb 12, 2025 | APT, Cybersecurity News, Malware, Phishing, Vulnerability
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns
Source: EclecticIQ
Multiple pieces of evidence strongly link this campaign to Sandworm, also tracked by CERT-UA as UAC-0145 [4], based on recurring use of ProtonMail accounts in WHOIS records, overlapping infrastructure, and consistent Tactics, Techniques and Procedures (TTPs). Read more.
Crooks use Google Tag Manager skimmer to steal credit card data from a Magento-based e-stores
Source: Security Affairs
Google Tag Manager (GTM) is a free tool that lets website owners manage marketing tags without modifying site code, simplifying analytics and ad tracking. Sucuri inspected the website and discovered the malicious code hidden in a website’s database (cms_block.content), disguised as a Google Tag Manager and Google Analytics script to evade detection. Read more.
Operation Phobos Aetor: Police dismantled 8Base ransomware gang
Source: Security Affairs
An international law enforcement operation, codenamed Operation Phobos Aetor, dismantled the 8Base ransomware gang. The police took down the dark web data leak and negotiation sites. The police has yet to disclose the names of the suspects. Read more.
SparkCat trojan stealer infiltrates App Store and Google Play, steals data from photos
Source: Kaspersky
This malware is currently configured to steal crypto wallet data, but it could easily be repurposed to steal any other valuable information. The worst part is that this malware has made its way into official app stores, with almost 250,000 downloads of infected apps from Google Play alone. Read more.
Scalable Vector Graphics files pose a novel phishing threat
Source: Sophos
But because SVG images can load and render natively inside a browser, they can also contain anchor tags, scripting, and other kinds of active web content. In this way, threat actors have been abusing the file format. The SVG files used in the attacks include some instructions to draw very simple shapes, such as rectangles, but also contain an anchor tag that links to a web page hosted elsewhere. Read more.
Google Cloud Platform Data Destruction via Cloud Build
Source: Cisco Talos
Google Cloud Platform (GCP) Cloud Build is a Continuous Integration/Continuous Deployment (CI/CD) service offered by Google that is utilized to automate the building, testing and deployment of applications. Orca Security published an article describing certain aspects of the threat surface posed by this service, including a supply chain attack vector they have termed “Bad.Build”. Read more.
Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor
Source: Field Effect
The attack involved the quick and deliberate execution of several post-compromise tactics, techniques and procedures (TTPs) including network and system discovery, administrator account creation, and the establishment of persistence mechanisms, which could have led to the deployment of ransomware had Field Effect MDR not prevented the attack. Read more.
macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed
Source: SentinelOne
In this post, we briefly recap previous research for context, including Apple’s contribution through its malware signatures, before describing newly discovered samples that we have labelled ‘FlexibleFerret’ and which remain undetected by XProtect at the time of writing. Read more.
Threat Actors Still Leveraging Legit RMM Tool ScreenConnect for Persistence in Cyberattacks
Source: Silent Push
Our discovery of a suspicious domain, filessauploaderchecker[.]com, in the Silent Push Web Scanner, led us to further explore for malicious intent. As we continue investigating, we believe potential attackers have been using social engineering to lure victims into installing legitimate software copies configured to operate under the threat actor’s control. Read more.
Flesh Stealer: Unmasking the Blue Masked Thief
Source: CYFIRMA
This report examines Flesh Stealer, a .NET executable written in C#. The malware does not target CIS countries and is capable of bypassing app-bound encryption employed by Chrome. Developed by a Russian-speaking individual, Flesh Stealer includes various features such as anti-debugging and anti-VM capabilities. Read more.
Jan 29, 2025 | APT, Cybersecurity News, Malware, Phishing, Ransomware, Vulnerability
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Dark Web Profile: FunkSec
Source: SOCRadar
A new ransomware group, FunkSec, has gained attention after taking responsibility for attacks on numerous victims in December 2024. By January 2025, the group continued to target new victims, with the total number surpassing 100. FunkSec seems to be engaged in both hacktivism and ransomware/extortion. Read more.
GamaCopy targets Russia mimicking Russia-linked Gamaredon APT
Source: Security Affairs
The Knownsec 404 Advanced Threat Intelligence team recently analyzed attacks on Russian-speaking targets using military-themed bait, 7z SFX for payloads, and UltraVNC, mimicking Gamaredon’s TTPs. The researchers linked the activity to the APT Core Werewolf (aka Awaken Likho, PseudoGamaredon), it mimics Gamaredon and for this reason, researchers called it GamaCopy. Read more.
Cybersecurity Stop of the Month: E-Signature Phishing Nearly Sparks Disaster for an Electric Company
Source: Proofpoint
In an e-signature phishing attack, bad actors will spoof a trusted brand and send malicious content through legitimate digital channels. Often, they use advanced methods like AitM to bypass MFA in an effort to further extend their access. And when bad actors use combined tactics, such as Adversary-in-the-Middle plus geofencing, they can be extremely successful in evading detection. Read more.
HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code
Source: Sentinel One
Within this period of accelerated activity, the Ransomware-as-a-Service offerings HellCat and Morpheus have gained additional momentum and notoriety. Operators behind HellCat, in particular, have been vocal in their efforts to establish the RaaS as a ‘reputable’ brand and service within the crimeware economy. Read more.
Change Healthcare Breach Almost Doubles in Size to 190 Million Victims
Source: Infosecurity Magazine
The largest healthcare data breach on record just got even bigger, after UnitedHealth Group (UHG) confirmed that 90 million additional customers were impacted by a ransomware attack on Change Healthcare last year. Read more.
Invisible Prompt Injection: A Threat to AI Security
Source: TREND MICRO
LLMs can interpret hidden texts that are not visible on the UI; thus, these hidden texts may be used for prompt injection. To protect your AI application, verify if the LLM can respond to invisible text. If it can, do not allow such invisible text to be input. Read more.
RANsacked: Over 100 Security Flaws Found in LTE and 5G Network Implementations
Source: The Hacker News
A group of academics has disclosed details of over 100 security vulnerabilities impacting LTE and 5G implementations that could be exploited by an attacker to disrupt access to service and even gain a foothold into the cellular core network. Read more.
Threat Spotlight: Tycoon 2FA phishing kit updated to evade inspection
Source: Barracuda
Tycoon became Tycoon 2FA when it evolved to bypass multifactor authentication — in this case 2FA — by collecting and using Microsoft 365 session cookies. The latest version of Tycoon 2FA was first seen in November 2024, and it features advanced tactics designed to obstruct, derail, and otherwise thwart attempts by security tools to confirm its malicious intent and inspect its web pages. Read more.
7-Zip bug could allow a bypass of a Windows security feature. Update now
Source: Malwarebytes LABS
A patch is available for a vulnerability in 7-Zip that could have allowed attackers to bypass the Mark-of-the-Web (MotW) security feature in Windows. The MotW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the internet or a restricted zone. Read more.
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
Source: SOPHOS
Sophos is tracking these threats as STAC5143 and STAC5777. Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users. Read more.
Jan 15, 2025 | APT, Cybersecurity News, Malware, Phishing, Vulnerability
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
CISA Warns of Second BeyondTrust Vulnerability Exploited in Attacks
Source: SECURITY WEEK
Tracked as CVE-2024-12686, the flaw is a medium-severity command injection issue that was discovered during BeyondTrust’s investigation into the compromise of a limited number of customer RS SaaS instances, including one associated with the US Department of Treasury. Read more.
Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations
Source: Sekoia
Later, in July 2024, CERT-UA published another report exposing UAC-0063 activities targeting Ukrainian scientific research institutions with new malware (dubbed HATVIBE and CHERRYSPY). The report associates the intrusion set UAC-0063 with APT28 with medium confidence. Read more.
HexaLocker V2: Skuld Stealer Paving the Way prior to Encryption
Source: CYBLE
HexaLocker V2 includes a persistence mechanism that modifies registry keys to ensure continued execution after the affected system reboots. The updated version downloads Skuld Stealer, which extracts sensitive information from the victim’s system before encryption. Read more.
Banshee: The Stealer That “Stole Code” From MacOS XProtect
Source: CHECK POINT RESEARCH
One notable difference between the leaked source code and the version discovered by Check Point Research is the use of a string encryption algorithm. This algorithm is the same as Apple uses in its Xprotect antivirus engine for MacOS. Read more.
Phish-free PayPal Phishing
Source: FORTINET
The scammer appears to have simply registered an MS365 test domain, which is free for three months, and then created a Distribution List (Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com) containing victim emails. On the PayPal web portal, they simply request the money and add the distribution list as the address. Read more.
APT32 Poisoning GitHub, Targeting Chinese Cybersecurity Professionals and Specific Large Enterprises
Source: ThreatBook CTI
In this attack, the attackers used a novel and concealed method for the first time by embedding a malicious .suo file into a Visual Studio project. When the victim compiles the Visual Studio project, the Trojan will execute automatically. Read more.
Gayfemboy: A botnet that spreads using Four-Faith Industrial Routers 0DAY
Source: Qianxin X Lab
Gayfemboy used more than 20 vulnerabilities and Telnet weak passwords to spread samples, including the 0day vulnerability of Four-Faith Industrial Routers, and some unknown vulnerabilities involving Neterbit and vimar devices. Read more.
Cybersecurity firm’s Chrome extension hijacked to steal users’ data
Source: BLEEPING COMPUTER
At least five Chrome extensions were compromised in a coordinated attack where a threat actor injected code that steals sensitive information from users. One attack was disclosed by Cyberhaven, a data loss prevention company that alerted its customers of a breach on December 24 after a successful phishing attack on an administrator account for the Google Chrome store. Read more.
Threat actors breached the Argentina’s airport security police (PSA) payroll
Source: Security Affairs
Threat actors have breached Argentina’s airport security police (PSA) and compromised the personal and financial data of its officers and civilian personnel. Threat actors deducted from 2,000 to 5,000 pesos under false charges like “DD mayor” and “DD seguros.” Read more.
Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques
Source: The Hacker News
“The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated malware offering unauthorised remote access with advanced evasion techniques,” Cyfirma said in a technical analysis published. Read more.
Dec 18, 2024 | APT, Cybersecurity News, Malware, Ransomware
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite
Source: Elastic Security Labs
Infection chains employ injection and DLL side-loading using a custom loader (SADBRIDGE). SADBRIDGE deploys a newly-discovered variant of the QUASAR backdoor written in Golang (GOSAR). GOSAR is a multi-functional backdoor under active development with incomplete features and iterations of improved features observed over time. Read more.
Analysis of TIDRONE attackers’ attacks on domestic companies
Source: ASEC
AhnLab Security Intelligence Center (ASEC) has confirmed that the TIDRONE attacker has recently been conducting attacks against companies. The software exploited in these attacks is ERP, through which a backdoor malware called CLNTEND is installed. Read more.
Declawing PUMAKIT
Source: Elastic Security Labs
PUMAKIT is a sophisticated piece of malware, initially uncovered during routine threat hunting on VirusTotal and named after developer-embedded strings found within its binary. Its multi-stage architecture consists of a dropper (cron), two memory-resident executables (/memfd:tgt and /memfd:wpn), an LKM rootkit module and a shared object (SO) userland rootkit. Read more.
Gamaredon Deploys Android Spyware “BoneSpy” and “PlainGnome” in Former Soviet States
Source: The Hacker News
The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns. Read more.
Iran-Linked IOCONTROL Malware Targets SCADA and Linux-Based IoT Platforms
Source: The Hacker News
The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms. Read more.
Careto is back: what’s new after 10 years of silence?
Source: SECURE LIST
The persistence method used by the threat actor was based on WorldClient allowing loading of extensions that handle custom HTTP requests from clients to the email server. These extensions can be configured through the C:\MDaemon\WorldClient\WorldClient.ini file. Read more.
Malware Analysis: A Kernel Land Rootkit Loader for FK_Undead
Source: G Data
We discovered a Windows rootkit loader [F1] for the malware family FK_Undead. The malware family is known for intercepting user network traffic through manipulation of proxy configurations. Read more.
Law enforcement shuts down 27 DDoS booters ahead of annual Christmas attacks
Source: EUROPOL
Law enforcement agencies worldwide have disrupted a holiday tradition for cybercriminals: launching Distributed Denial-of-Service (DDoS) attacks to take websites offline. As part of an ongoing international crackdown known as PowerOFF, authorities have seized 27 of the most popular platforms used to carry out these attacks. Read more.
Inside Zloader’s Latest Trick: DNS Tunneling
Source: Zscaler
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular Trojan based on the leaked Zeus source code dating back to 2015. Zloader 2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands, which may be valuable for ransomware attacks. Read more.
Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows
Source: CADO
“Meeten” is the application that is attempting to scam users into downloading an information stealer. The company regularly changes names, and is currently going by the name Meetio. The threat actors set up full company websites, with AI-generated blog and product content and social media accounts including Twitter and Medium. Read more.
