May 21, 2025 | APT, Cybersecurity News, Malware, Ransomware, Vulnerability
Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
SEC SIM-swapper who Googled ‘signs that the FBI is after you’ put behind bars
Source: The Register
An Alabama man who SIM-swapped his way into the SEC’s official X account, enabling a fake ETF announcement that briefly pumped Bitcoin, has been sentenced to 14 months in prison and three years of supervised release. Prior to his conviction and sentencing on Friday, Eric Council Jr., 26, of Huntsville, Alabama, proved once again that cybercriminals are very bad at internet search hygiene. Read more.
Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems
Source: GBHackers
Often compared to .NET for its persistence in malicious campaigns, AutoIT’s simplicity and ability to interact with Windows components make it a favored tool among cybercriminals. This weekend, a particularly intricate malware delivery mechanism was identified, featuring a double-layered AutoIT script designed to deploy a potentially devastating payload. Read more.
Malware of the Day – C2 over ICMP (ICMP-GOSH)
Source: ACTIVE COUNTER MEASURES
The potential for ICMP to be used as a C2 channel is often overlooked precisely because it is such a foundational troubleshooting protocol, integral to the normal functioning of network communication. Many people view it as “background chatter”, not considering its potential to be intentionally leveraged to carry data for this exact reason. Read more.
Backdoor implant discovered on PyPI posing as debugging utility
Source: REVERSING LABS
On Tuesday, the RL threat research team detected a newly uploaded malicious package that poses as a Python debugging utility. When installed, the package implants a backdoor on the developer’s system, enabling malicious actors to execute malicious code and exfiltrate sensitive data. Read more.
Ransomware gangs increasingly use Skitnet post-exploitation malware
Source: BLEEPING COMPUTER
Ransomware gang members increasingly use a new malware called Skitnet (“Bossnet”) to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025. Read more.
Researchers Expose New Intel CPU Flaws Enabling Memory Leaks and Spectre v2 Attacks
Source: The Hacker News
The vulnerability, referred to as Branch Privilege Injection (BPI), “can be exploited to misuse the prediction calculations of the CPU (central processing unit) in order to gain unauthorized access to information from other processor users,” ETH Zurich said. Read more.
Android users bombarded with unskippable ads
Source: Malwarebytes Labs
Researchers have discovered a very versatile ad fraud network—known as Kaleidoscope—that bombards users with unskippable ads. Kaleidoscope targets Android users through seemingly legitimate apps in the Google Play Store, as well as malicious lookalikes distributed through third-party app stores. Read more.
Operation RoundPress
Source: welivesecurity
In Operation RoundPress, the compromise vector is a spearphishing email leveraging an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page. In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra. Read more.
GovDelivery, an email alert system used by governments, abused to send scam messages
Source: TechCrunch
An email notification system used by U.S. federal and state government departments to alert residents to important information has been used to send scam emails, TechCrunch has learned. Read more.
APT GROUP123
Source: CYFIRMA
Group123 is a North Korean state-sponsored APT group active since at least 2012. It is also tracked under other names such as APT37, Reaper, and ScarCruft by various cybersecurity firms. The group is known for its cyber espionage campaigns primarily targeting South Korea; however, since 2017 it has expanded its operations to Japan, Vietnam, the Middle East, and other regions. Read more.
May 7, 2025 | APT, Cybersecurity News, DDoS, Malware, Ransomware
New “Bring Your Own Installer” EDR bypass used in ransomware attack
Source: Bleeping Computer
A new “Bring Your Own Installer” EDR bypass technique is exploited in attacks to bypass SentinelOne’s tamper protection feature, allowing threat actors to disable endpoint detection and response (EDR) agents to install the Babuk ransomware. Read more.
Mamona: Technical Analysis of a New Ransomware Strain
Source: ANY RUN
Mamona is a newly identified commodity ransomware strain. The malware operates entirely offline, with no observed Command and Control (C2) channels or data exfiltration. All cryptographic processes are executed locally using custom routines, with no reliance on standard libraries. Read more.
Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims
Source: Arctic Wolf
Arctic Wolf® observed a recent campaign by the financially motivated threat group Venom Spider targeting hiring managers with spear-phishing emails. The group abuses legitimate messaging services and job platforms to apply for real jobs using fake malicious resumes that drop a backdoor called More_eggs. Read more.
The Signal Clone the Trump Admin Uses Was Hacked
Source: 404 Media
A hacker has breached and stolen customer data from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the U.S. government to archive messages. The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat. Read more.
Critical Commvault Vulnerability in Attacker Crosshairs
Source: Security Week
A second Commvault flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog within a week, signaling increased threat actor interest in the platform. Tracked as CVE-2025-34028 (CVSS score of 10/10), the issue is described as a path traversal flaw in Commvault Command Center that could be exploited without authentication for remote code execution (RCE). Read more.
Revived CryptoJS library is a crypto stealer in disguise
Source: Sonatype
An illicit npm package called ‘crypto-encrypt-ts’ may appear to revive the unmaintained but vastly popular CryptoJS library, but what it actually does is peek into your crypto wallet and exfiltrate your secrets to threat actors. Read more.
Ukrainian Nefilim Ransomware Affiliate Extradited to US
Source: Security Week
A Ukrainian national was extradited from Spain to the US on Wednesday to face charges related to his involvement in Nefilim ransomware attacks. The man, Artem Stryzhak, was arrested in Spain in 2024. He is charged with fraud conspiracy, including extortion, and faces up to five years in prison. Read more.
Interesting WordPress Malware Disguised as Legitimate Anti-Malware Plugin
Source: Wordfence
The Wordfence Threat Intelligence team recently discovered an interesting malware variant that appears in the file system as a normal WordPress plugin, often with the name ‘WP-antymalwary-bot.php’, and contains several functions that allow attackers to maintain access to your site, hide the plugin from the dashboard, and execute remote code. Read more.
Finding Minhook in a sideloading attack – and Sweden too
Source: SOPHOS
The campaign made use of the Minhook DLL (Minhook is a minimalistic API hooking library for Windows) to detour Windows API calls. The clean loader was not part of the sideloading package; instead, it was snatched from the infected system. Read more.
French Foreign Ministry blames Russian GRU-linked APT28 for cyberattacks on national entities; urges global action
Source: Industrial Cyber
The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked to Russia’s military intelligence agency (GRU), and has strongly condemned its use by the Russian state. Since 2021, this attack group has been used to target or compromise a dozen French entities. Read more.
Apr 23, 2025 | APT, Cybersecurity News, Malware, Ransomware, Vulnerability
Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials
Source: The Hacker News
In what has been described as an “extremely sophisticated phishing attack,” threat actors have leveraged an uncommon approach that allowed bogus emails to be sent via Google’s infrastructure and redirect message recipients to fraudulent sites that harvest their credentials. Read more.
False Face: Unit 42 Demonstrates the Alarming Ease of Synthetic Identity Creation
Source: Unit 42
Evidence suggests that North Korean IT workers are using real-time deepfake technology to infiltrate organizations through remote work positions, which poses significant security, legal and compliance risks. The detection strategies we outline in this report provide security and HR teams with practical guidance to strengthen their hiring processes against this threat. Read more.
Unmasking the Evolving Threat: A Deep Dive into the Latest Version of Lumma InfoStealer with Code Flow Obfuscation
Source: Trellix
Lumma Stealer, first identified in 2022, remains a significant threat to this day, continuously evolving its tactics, techniques, and procedures (TTPs) to stay aligned with emerging trends. It is distributed on the dark web via a subscription-based model, Malware-as-a-Service (MaaS). Read more.
Critical AnythingLLM Vulnerability Exposes Systems to Remote Code Execution
Source: GBHackers
A critical security flaw (CVE-2024-13059) in the open-source AI framework AnythingLLM has raised alarms across cybersecurity communities. The vulnerability, discovered in February 2025, allows attackers with administrative privileges to execute malicious code remotely, potentially compromising entire systems. Read more.
IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
Source: SECURE LIST
However, recently we managed to spot attempted deployments of a new version of this implant, occurring in government organizations located in Mongolia and Russia. To us, this observed choice of victims wasn’t surprising, as back in 2018, we wrote that IronHusky, the actor related to this RAT, has a specific interest in targeting these two countries. Read more.
Emulating the Stealthy StrelaStealer Malware
Source: ATTACK IQ
In recent analysis, StrelaStealer has been associated with the threat actor group HIVE-0145, a cluster identified for its focus on credential theft and espionage-driven campaigns. As reported by IBM, HIVE-0145 is likely to be a financially motivated initial access broker (IAB), active since late 2022 and potentially the sole operator of StrelaStealer. Read more.
Cisco Webex bug lets hackers gain code execution via meeting links
Source: BLEEPING COMPUTER
Tracked as CVE-2025-20236, this security flaw was found in the Webex custom URL parser and can be exploited by tricking users into downloading arbitrary files, which lets threat actors execute arbitrary commands on systems running unpatched software in low complexity attacks. Read more.
Billbug: Intrusion Campaign Against Southeast Asia Continues
Source: Symantec
The Billbug espionage group (aka Lotus Blossom, Lotus Panda, Bronze Elgin) compromised multiple organizations in a single Southeast Asian country during an intrusion campaign that ran between August 2024 and February 2025. Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company. Read more.
Malware of the Day – C2 over NTP (goMESA)
Source: Active Countermeasures
To complete the disguise, an attacker’s NTP server used for C2 can often be set up to also respond with valid time information, making the malicious traffic blend seamlessly with legitimate NTP activity and harder to detect by both automated systems and security analysts. This combination of permitted passage, potential for data hiding, and plausible deniability makes NTP an attractive channel for stealthy C2 operations. Read more.
Unmasking the new XorDDoS controller and infrastructure
Source: CISCO TALOS
Cisco Talos observed an existing distributed denial-of-service (DDoS) malware known as XorDDoS, continuing to spread globally between November 2023 and February 2025. A significant finding shows that over 70 percent of attacks using XorDDoS targeted the United States from Nov. 2023 to Feb. 2025. Read more.
Apr 9, 2025 | APT, Cybersecurity News, Malware, Phishing, Ransomware
Windows Remote Desktop Protocol: Remote to Rogue
Source: Google Cloud
Evidence suggests this campaign may have involved the use of an RDP proxy tool like PyRDP to automate malicious activities like file exfiltration and clipboard capture. This technique has been previously dubbed as “Rogue RDP.” Read more.
Malicious VSCode extensions infect Windows with cryptominers
Source: BLEEPINGCOMPUTER
Nine VSCode extensions on Microsoft’s Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero. Read more.
How ToddyCat tried to hide behind AV software
Source: SECURELIST
Attackers get round this protection mechanism by using legitimate drivers that have the right signature, but contain vulnerable functions that allow malicious actions in the context of the kernel. Monitoring tools track the installation of such drivers and check applications that perform it. But what if a security solution performs unsafe activity? Read more.
Someone hacked ransomware gang Everest’s leak site
Source: TechCrunch
The leak site, which the ransomware gang uses to publish stolen files to extort its victims into paying a ransom demand, was replaced with a brief text note: “Don’t do crime CRIME IS BAD xoxo from Prague.” Read more.
OH-MY-DC: OIDC Misconfigurations in CI/CD
Source: Unit 42
In the course of investigating the use of OpenID Connect (OIDC) within continuous integration and continuous deployment (CI/CD) environments, Unit 42 researchers discovered problematic patterns and implementations that could be leveraged by threat actors to gain access to restricted resources. One instance of such an implementation was identified in CircleCI’s OIDC. Read more.
The Rising Threat of Cyberwarfare: Extreme Cyber Weapons and Their Potential to Disrupt Critical Infrastructure
Source: IDST
Cyber warfare is the use of technology to launch covert attacks on nations, governments, and even citizens, causing harm comparable to that of conventional warfare. This new battleground allows adversaries to disrupt or destroy critical infrastructure—power grids, telecommunications, banking systems—by targeting the computer networks that control them. Read more.
Same Russian-Speaking Threat Actor, New Tactics: Abuse of Cloudflare Services for Phishing and Telegram to Filter Victim IPs
Source: Hunt.io
The lure abuses the ms-search protocol to download a malicious LNK file disguised as a PDF via a double extension. Once executed, the malware checks in with an attacker-operated Telegram bot, sending the victim’s IP address, before transitioning to Pyramid C2 to control the infected host. Read more.
Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
Source: Sophos News
Late in January 2025, a Managed Service Provider (MSP) administrator received a well-crafted phishing email containing what appeared to be an authentication alert for their ScreenConnect RMM tool. That email resulted in Qilin ransomware actors gaining access to the administrator’s credentials—and launching ransomware attacks on the MSP’s customers. Read more.
RolandSkimmer: Silent Credit Card Thief Uncovered
Source: Fortinet
FortiGuard Labs recently observed a sophisticated campaign dubbed “RolandSkimmer,” named after the unique string “Rol@and4You” found embedded in its payload. This threat actor targets users in Bulgaria and represents a new wave of credit card skimming attacks leveraging malicious browser extensions across Chrome, Edge, and Firefox. Read more.
Emulating the Sophisticated Russian Adversary Seashell Blizzard
Source: ATTACKIQ
The BadPilot campaign is a sophisticated, long-running operation primarily focused on gaining initial access to targeted networks. The campaign is attributed to a Seashell Blizzard subgroup and is known for its strategic use of spear-phishing emails and exploiting vulnerabilities in software to breach networks. Read more.
Mar 26, 2025 | APT, Cybersecurity News, Malware, Phishing, Ransomware, Vulnerability
Clickbait to Catastrophe: How a Fake Meta Email Leads to Password Plunder
Source: Cofense
The Cofense Phishing Defense Center (PDC) has discovered a new phishing campaign that tricks users into giving out access to their Meta Business accounts. While social media phishing attempts are prevalent, this one went above and beyond by employing fake chat support, providing detailed instructions, and attempting to add itself as a secure login method. Read more.
Nuxt Users Beware: CVE-2025-27415 Opens the Door to Cache Poisoning Attacks
Source: Cybersecurity News
A newly discovered vulnerability in the popular Nuxt framework could allow attackers to poison CDN caches and disrupt access to full-stack Vue.js applications. Tracked as CVE-2025-27415 and scored 7.5 on the CVSS scale, the issue lies in how Nuxt handles certain HTTP requests, particularly ones that resemble https://yoursite.com/?/_payload.json. Read more.
Unboxing Anubis: Exploring the Stealthy Tactics of FIN7’s Latest Backdoor
Source: G Data
In the ever-evolving landscape of advanced persistent threats (APTs), the notorious financial cybercrime group FIN7 has added another sophisticated tool to their arsenal. We have recently discovered a new Python-based backdoor, called “AnubisBackdoor”, being deployed in their latest campaigns. Read more.
Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation
Source: Sygnia
Sygnia details Weaver Ant, a China-nexus threat actor infiltrating a major telecom provider. Using web shells and tunneling, the attackers maintained persistence and facilitated cyber espionage. Read more.
Over 150 US Government Database Servers Vulnerable to Internet Exposure
Source: GB Hackers
The investigation, conducted using data from Shodan, a tool often referred to as the “Google of internet-connected devices,” identified over 2,000 instances of exposed government database servers since early 2025. Read more.
Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations
Source: Trend Micro
Trend Research uncovered new versions of the Albabat ransomware. The development of these versions signifies the ransomware operators’ potential expansion of their targets from Windows to Linux and macOS. Research also reveals the group’s use of GitHub to streamline operations. Read more.
AI-Generated Zoom Impersonation Attack Exploits Tax Season to Deploy Remote Desktop Tool
Source: Abnormal
Disguised as a routine Zoom meeting invitation related to the 2024 tax season, a campaign recently stopped by Abnormal leveraged generative AI to construct a highly convincing phishing page. However, unlike traditional credential-harvesting scams, these attacks attempted to deceive targets into downloading an RMM tool—granting threat actors full control over their devices. Read more.
UAT-5918 Targets Taiwan’s Critical Infrastructure Using Web Shells and Open-Source Tools
Source: The Hacker News
“UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting,” Cisco Talos researchers Jungsoo An, Asheer Malhotra, Brandon White, and Vitor Ventura said. Read more.
VanHelsing Ransomware
Source: Cyfirma
This new ransomware strain encrypts files and demands payment for decryption. It also employs double extortion tactics, threatening to leak stolen data to pressure victims into paying. Once executed, VanHelsing appends the “.vanhelsing” extension to encrypted files, modifies the desktop wallpaper, and drops a ransom note named “README.txt” on the victim’s system. Read more.
Operation FishMedley
Source: Welivesecurity
Verticals targeted during Operation FishMedley include governments, NGOs, and think tanks, across Asia, Europe, and the United States. Operators used implants – such as ShadowPad, SodaMaster, and Spyder – that are common or exclusive to China-aligned threat actors. We assess with high confidence that Operation FishMedley was conducted by the FishMonger APT group. Read more.
Feb 26, 2025 | APT, Cybersecurity News, Malware, Phishing, Ransomware, Vulnerability
Predatory app downloaded 100,000 times from Google Play Store steals data, uses it for blackmail
Source: Malwarebytes LABS
A malicious app claiming to be a financial management tool has been downloaded 100,000 times from the Google Play Store. The app—known as “Finance Simplified”—belongs to the SpyLoan family, which specializes in predatory lending. Read more.
Android trojan TgToxic updates its capabilities
Source: Intel471
This new version of the trojan abused 25 community forums to host encrypted malware configurations. The actors created user accounts on these forums and embedded specific encrypted strings within the user profiles, serving as dead drop locations from which malware bots could retrieve the final command-and-control (C2) URL. Read more.
Phishing Campaigns Targeting Higher Education Institutions
Source: Google Cloud
These attacks exploit trust within academic institutions to deceive students, faculty, and staff, and have been timed to coincide with key dates in the academic calendar. The beginning of the school year, with its influx of new and returning students combined with a barrage of administrative tasks, as well as financial aid deadlines, can create opportunities for attackers to carry out phishing attacks. Read more.
Auto-Color: An Emerging and Evasive Linux Backdoor
Source: Unit42
Between early November and December 2024, Palo Alto Networks researchers discovered new Linux malware called Auto-color. We chose this name based on the file name the initial payload renames itself to after installation. Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software. Read more.
The Bybit Incident: When Research Meets Reality
Source: CHECKPOINT
The log indicated that the AI engine identified an anomalous change in this transaction and categorized it as a critical attack in real time. It was indicated that the ByBit cold wallet got hacked, resulting in the theft of approximately $1.5 billion worth of digital assets, primarily in Ethereum tokens. This incident marks one of the largest thefts in the history of the digital asset industry. Read more.
Beware: PayPal “New Address” feature abused to send phishing emails
Source: BLEEPING COMPUTER
An ongoing PayPal email scam exploits the platform’s address settings to send fake purchase notifications, tricking users into granting remote access to scammers. The email includes the new address that was allegedly added to your PayPal account, a message claiming to be a purchase confirmation for a MacBook M4, and an instruction to call the enclosed PayPal number if you did not authorize the purchase. Read more.
Angry Likho: Old beasts in a new forest
Source: SECURE LIST
Angry Likho (referred to as Sticky Werewolf by some vendors) is an APT group we’ve been monitoring since 2023. It bears a strong resemblance to Awaken Likho, which we’ve analyzed before, so we classified it within the Likho malicious activity cluster. Read more.
FBI and CISA Warn of Ghost Ransomware: A Threat to Firms Worldwide
Source: HACK READ
FBI and CISA warn of Ghost ransomware, a China-based cyber threat targeting businesses, schools, and healthcare worldwide by exploiting software vulnerabilities. Read more.
LummaC2 malware distributed disguised as Total Commander Crack
Source: ASEC
ASEC discovered LummaC2 malware that is being distributed disguised as a tool called Total Commander. Total Commander is a file manager for Windows that supports various file formats and provides convenient overall file management, including copy and move functions, advanced search functions using strings within files, folder synchronization, and FTP/SFTP functions. Read more.
Updated Shadowpad Malware Leads to Ransomware Deployment
Source: TREND MICRO
Two recent incident response cases in Europe involved Shadowpad, a malware family connected to various Chinese threat actors. Our research suggested that this malware family had targeted at least 21 companies across 15 countries in Europe, the Middle East, Asia, and South America. Read more.
Jan 29, 2025 | APT, Cybersecurity News, Malware, Phishing, Ransomware, Vulnerability
Dark Web Profile: FunkSec
Source: SOCRadar
A new ransomware group, FunkSec, has gained attention after taking responsibility for attacks on numerous victims in December 2024. By January 2025, the group continued to target new victims, with the total number surpassing 100. FunkSec seems to be engaged in both hacktivism and ransomware/extortion. Read more.
GamaCopy targets Russia mimicking Russia-linked Gamaredon APT
Source: Security Affairs
The Knownsec 404 Advanced Threat Intelligence team recently analyzed attacks on Russian-speaking targets using military-themed bait, 7z SFX for payloads, and UltraVNC, mimicking Gamaredon’s TTPs. The researchers linked the activity to the APT Core Werewolf (aka Awaken Likho, PseudoGamaredon); because it mimics Gamaredon, researchers called it GamaCopy. Read more.
Cybersecurity Stop of the Month: E-Signature Phishing Nearly Sparks Disaster for an Electric Company
Source: Proofpoint
In an e-signature phishing attack, bad actors will spoof a trusted brand and send malicious content through legitimate digital channels. Often, they use advanced methods like AitM to bypass MFA in an effort to further extend their access. And when bad actors use combined tactics, such as Adversary-in-the-Middle plus geofencing, they can be extremely successful in evading detection. Read more.
HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code
Source: Sentinel One
Within this period of accelerated activity, the Ransomware-as-a-Service offerings HellCat and Morpheus have gained additional momentum and notoriety. Operators behind HellCat, in particular, have been vocal in their efforts to establish the RaaS as a ‘reputable’ brand and service within the crimeware economy. Read more.
Change Healthcare Breach Almost Doubles in Size to 190 Million Victims
Source: Infosecurity Magazine
The largest healthcare data breach on record just got even bigger, after UnitedHealth Group (UHG) confirmed that 90 million additional customers were impacted by a ransomware attack on Change Healthcare last year. Read more.
Invisible Prompt Injection: A Threat to AI Security
Source: TREND MICRO
LLMs can interpret hidden texts that are not visible on the UI; thus, these hidden texts may be used for prompt injection. To protect your AI application, verify if the LLM can respond to invisible text. If it can, do not allow such invisible text to be input. Read more.
RANsacked: Over 100 Security Flaws Found in LTE and 5G Network Implementations
Source: The Hacker News
A group of academics has disclosed details of over 100 security vulnerabilities impacting LTE and 5G implementations that could be exploited by an attacker to disrupt access to service and even gain a foothold into the cellular core network. Read more.
Threat Spotlight: Tycoon 2FA phishing kit updated to evade inspection
Source: Barracuda
Tycoon became Tycoon 2FA when it evolved to bypass multifactor authentication — in this case 2FA — by collecting and using Microsoft 365 session cookies. The latest version of Tycoon 2FA was first seen in November 2024, and it features advanced tactics designed to obstruct, derail, and otherwise thwart attempts by security tools to confirm its malicious intent and inspect its web pages. Read more.
7-Zip bug could allow a bypass of a Windows security feature. Update now
Source: Malwarebytes LABS
A patch is available for a vulnerability in 7-Zip that could have allowed attackers to bypass the Mark-of-the-Web (MotW) security feature in Windows. The MotW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the internet or a restricted zone. Read more.
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
Source: SOPHOS
Sophos is tracking these threats as STAC5143 and STAC5777. Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users. Read more.
Dec 18, 2024 | APT, Cybersecurity News, Malware, Ransomware
Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite
Source: Elastic Security Labs
Infection chains employ injection and DLL side-loading using a custom loader (SADBRIDGE). SADBRIDGE deploys a newly-discovered variant of the QUASAR backdoor written in Golang (GOSAR). GOSAR is a multi-functional backdoor under active development with incomplete features and iterations of improved features observed over time. Read more.
Analysis of TIDRONE attackers’ attacks on domestic companies
Source: ASEC
AhnLab Security Intelligence Center (ASEC) has confirmed that the TIDRONE threat actor has recently been conducting attacks against domestic companies. The software exploited in these attacks is ERP software, through which a backdoor called CLNTEND is installed. Read more.
Declawing PUMAKIT
Source: Elastic Security Labs
PUMAKIT is a sophisticated piece of malware, initially uncovered during routine threat hunting on VirusTotal and named after developer-embedded strings found within its binary. Its multi-stage architecture consists of a dropper (cron), two memory-resident executables (/memfd:tgt and /memfd:wpn), an LKM rootkit module and a shared object (SO) userland rootkit. Read more.
Gamaredon Deploys Android Spyware “BoneSpy” and “PlainGnome” in Former Soviet States
Source: The Hacker News
The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns. Read more.
Iran-Linked IOCONTROL Malware Targets SCADA and Linux-Based IoT Platforms
Source: The Hacker News
The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms. Read more.
Careto is back: what’s new after 10 years of silence?
Source: SECURE LIST
The persistence method used by the threat actor was based on WorldClient allowing loading of extensions that handle custom HTTP requests from clients to the email server. These extensions can be configured through the C:\MDaemon\WorldClient\WorldClient.ini file. Read more.
Malware Analysis: A Kernel Land Rootkit Loader for FK_Undead
Source: G Data
We discovered a Windows rootkit loader for the malware family FK_Undead. The malware family is known for intercepting user network traffic through manipulation of proxy configurations. Read more.
Law enforcement shuts down 27 DDoS booters ahead of annual Christmas attacks
Source: EUROPOL
Law enforcement agencies worldwide have disrupted a holiday tradition for cybercriminals: launching Distributed Denial-of-Service (DDoS) attacks to take websites offline. As part of an ongoing international crackdown known as PowerOFF, authorities have seized 27 of the most popular platforms used to carry out these attacks. Read more.
Inside Zloader’s Latest Trick: DNS Tunneling
Source: Zscaler
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular Trojan based on the leaked Zeus source code dating back to 2015. Zloader 2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands, which may be valuable for ransomware attacks. Read more.
Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows
Source: CADO
“Meeten” is the application that is attempting to scam users into downloading an information stealer. The company regularly changes names, and is currently going by the name Meetio. The threat actors set up full company websites, with AI-generated blog and product content and social media accounts including Twitter and Medium. Read more.
Dec 4, 2024 | APT, Cybersecurity News, Malware, Phishing, Ransomware
Russia sentences Hydra dark web market leader to life in prison
Source: BLEEPING COMPUTER
Russian authorities have sentenced the leader of the criminal group behind the now-closed dark web platform Hydra Market to life in prison. Additionally, more than a dozen accomplices have been convicted for their involvement in the production and sale of nearly a ton of drugs. Read more.
Threat Assessment: Howling Scorpius (Akira Ransomware)
Source: Unit 42
Akira is a RaaS group we track as Howling Scorpius. This group employs a double extortion strategy, exfiltrating critical data from a network before executing its encryption process. This double extortion tactic allows the group to leak stolen data even if victims recover their systems without paying, maximizing the pressure to comply. Read more.
North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks
Source: The Hacker News
The North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks that involve sending email messages that originate from Russian sender addresses to ultimately conduct credential theft. Read more.
Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT
Source: SECURELIST
According to our telemetry, the campaign began around March 2023 and hit more than a thousand private users, retailers and service businesses located primarily in Russia. We dubbed this campaign Horns&Hooves, after a fictitious organization set up by swindlers in the Soviet comedy novel The Golden Calf. Read more.
Guess Who’s Back – The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024
Source: TREND MICRO
The spear-phishing emails used in this campaign were sent either from free email accounts or from compromised accounts. The emails contained a link to a OneDrive location and a message in Japanese encouraging the recipient to download a ZIP file. Read more.
Hearts Stolen, Wallets Emptied: Insights into CryptoLove Traffer’s Team
Source: TRAC Labs
CryptoLove is a traffers' group that has specialized in crypto scams for over two years, recruiting workers to spread stealers through custom launchers and loaders that can track every stage of payload delivery. Read more.
Ransom gang claims attack on NHS Alder Hey Children’s Hospital
Source: The Register
INC Ransom, the group that claimed responsibility for an attack on NHS Scotland in June this year, now claims to have stolen data from Liverpool’s Alder Hey Children’s Hospital and Liverpool Heart and Chest Hospital NHS Foundation Trust. Read more.
Gaming Engines: An Undetected Playground for Malware Loaders
Source: CHECK POINT
The malicious GodLoader is distributed by the Stargazers Ghost Network, a GitHub network that distributes malware as a service. Throughout September and October, approximately 200 repositories and over 225 Stargazers were used to legitimize the repositories distributing the malware. Read more.
Police bust pirate streaming service making €250 million per month
Source: BLEEPING COMPUTER
Italy’s Postal and Cybersecurity Police Service announced the action, codenamed “Taken Down,” stating they worked with Eurojust, Europol, and many other European countries, making this the largest takedown of its kind in Italy and internationally. Read more.
Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS)
Source: Trustwave
We have associated this campaign with a phishing kit called Rockstar 2FA, which is an updated version of the DadSec/Phoenix phishing kit. Microsoft tracks the threat actor behind this as Storm-1575, where ‘Storm-####’ is a temporary label for emerging or unidentified threat clusters. Read more.
Nov 20, 2024 | APT, Cybersecurity News, Malware, Phishing, Ransomware
When AI Moderation Blocks Cybersecurity: Challenges of Producing Threat Actor Videos
Source: Malware Patrol
While we fully support preventing #AI from facilitating misinformation, this was clearly not the case here. Cyber threat actors engage in harmful activities, and videos about them will inevitably address such topics. Nevertheless, it is necessary to educate cybersecurity practitioners and the general public about these malicious actions. Read more.
New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers
Source: The Hacker News
Cybersecurity researchers have shed light on a new stealthy malware loader called BabbleLoader that has been observed in the wild delivering information stealer families such as WhiteSnake and Meduza. Read more.
QuickBooks popup scam still being delivered via Google ads
Source: Malwarebytes LABS
Researchers have seen two main lures, both via Google ads: the first is simply a website promoting online support for QuickBooks and showing a phone number, while the second requires victims to download and install a program that generates a popup, also showing a phone number. In both instances, that number is fraudulent. Read more.
Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack
Source: UNIT 42
Unit 42 researchers identified a North Korean IT worker activity cluster tracked as CL-STA-0237. This cluster was involved in recent phishing attacks using malware-infected video conference apps. It likely operates from Laos, using Lao IP addresses and identities. Read more.
Malware Spotlight: A Deep-Dive Analysis of WezRat
Source: CHECK POINT RESEARCH
The latest version of WezRat was recently distributed to multiple Israeli organizations in a wave of emails impersonating the Israeli National Cyber Directorate (INCD). WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files. Read more.
New Glove infostealer malware bypasses Chrome’s cookie encryption
Source: BLEEPING COMPUTER
During their attacks, the threat actors used social engineering tactics similar to those used in the ClickFix infection chain, where potential victims get tricked into installing malware using fake error windows displayed within HTML files attached to the phishing emails. Read more.
New PXA Stealer targets government and education sectors for sensitive information
Source: CISCO TALOS
Researchers discovered a new Python program called PXA Stealer that targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software. PXA Stealer has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts. Read more.
Strela Stealer: Today’s invoice is tomorrow’s phish
Source: Security Intelligence
The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. Read more.
Volt Typhoon rebuilds malware botnet following FBI disruption
Source: BLEEPING COMPUTER
In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server. Read more.
LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign
Source: BlackBerry
The threat actor behind LightSpy, assessed with high confidence to be associated with the Chinese cyber-espionage group APT41, has now expanded their toolset with the introduction of DeepData, a modular Windows-based surveillance framework that significantly broadens their espionage capabilities. Read more.
Oct 9, 2024 | APT, Cybersecurity News, Malware, Ransomware
Large scale Google Ads campaign targets utility software
Source: Malwarebytes LABS
Following the creation of advertiser identities belonging to real businesses, the threat actors launch their malicious ads, hiding their infrastructure behind several layers of fingerprinting and cloaking. Read more.
Mind the (air) gap: GoldenJackal gooses government guardrails
Source: welivesecurity
These toolsets provide GoldenJackal with a wide set of capabilities for compromising and persisting in targeted networks. Victimized systems are abused to collect interesting information, process the information, exfiltrate files, and distribute files, configurations and commands to other systems. Read more.
Awaken Likho is awake: new techniques of an APT group
Source: SECURE LIST
Analysis of the campaign revealed that the attackers had significantly changed the software they used in their attacks. The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems. Read more.
How Malware is Evolving: Sandbox Evasion and Brand Impersonation
Source: VERITI
According to the MITRE ATT&CK framework, malware can check for signs of a sandbox by monitoring system behavior, including checking for user actions like mouse clicks or running time-based checks. Once the malware detects it is inside a sandbox, it can change its behavior, often terminating its execution or connecting to benign domains to avoid raising suspicion. Read more.
perfctl: A Stealthy Malware Targeting Millions of Linux Servers
Source: Aqua
During one of our sandbox tests, the threat actor utilized one of the malware’s backdoors to access the honeypot and started deploying some new utilities to better understand the nature of our server, trying to understand what exactly we are doing to its malware. Read more.
Scam Information and Event Management
Source: SECURE LIST
The attackers distributed the malicious files using websites for downloading popular software (uTorrent, Microsoft Office, Minecraft, etc.) for free. These websites were shown to users in the top search results in Yandex. Malware was also distributed through Telegram channels targeted at crypto investors and in descriptions and comments on YouTube videos about cryptocurrency, cheats and gambling. Read more.
Crypto-Stealing Code Lurking in Python Package Dependencies
Source: Checkmarx
On September 22nd, a new PyPI user orchestrated a wide-ranging attack by uploading multiple packages within a short timeframe. These packages, bearing names like “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” masqueraded as legitimate tools for decoding and managing data from an array of popular cryptocurrency wallets. Read more.
Stonefly: Extortion Attacks Continue Against U.S. Targets
Source: Symantec
In several of the attacks, Stonefly’s custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed. This tool is exclusively associated with the group. In addition to this, several Stonefly indicators of compromise recently documented by Microsoft were found on the compromised networks. Read more.
Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users
Source: Group-IB
Pig Butchering is a term used to describe a sophisticated and manipulative scam in which cybercriminals lure victims into fraudulent investment schemes, typically involving cryptocurrency or other financial instruments. The name of the scam refers to the practice of fattening a pig before slaughter. Read more.
BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell
Source: G Data
In a complex infection chain that starts with an email containing an ISO image, this malware stands out by its way of compiling C# code directly on the infected machine. It also uses a technique known as AppDomain Manager Injection to advance execution. Read more.
Sep 25, 2024 | APT, Cybersecurity News, Malware, Ransomware
Tyson Ransomware
Source: EnigmaSoft
The Tyson Ransomware infiltrates systems, encrypts data, and holds files hostage, demanding payment for decryption. Once installed on a device, it immediately starts locking down files and appends a “.tyson” extension to encrypted files. Read more.
Undetected Android Spyware Targeting Individuals In South Korea
Source: CYBLE
The spyware is capable of exfiltrating sensitive information from an infected device, including SMS messages, contact lists, images, and videos. The stolen data, stored openly in an S3 bucket, suggests poor operational security, potentially leading to unintended leaks of sensitive information. Read more.
How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections
Source: TREND MICRO
The RansomHub ransomware’s attack chain includes exploiting the Zerologon vulnerability (CVE-2020-1472). Left unpatched, it can enable threat actors to take control of an entire network without needing authentication. Read more.
The Vanilla Tempest cybercrime gang used INC ransomware for the first time in attacks on the healthcare sector
Source: Security Affairs
Microsoft's Threat Intelligence team revealed that a financially motivated threat actor, tracked as Vanilla Tempest (formerly DEV-0832), is using the INC ransomware for the first time to target the U.S. healthcare sector. Read more.
Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool
Source: UNIT 42
Splinter is developed in Rust, a relatively new programming language that is recommended for developing memory-safe software. However, Rust binaries carry densely layered runtime code, which accounts for up to 99% of a program's code. This density makes analysis a real challenge for malware reverse engineers. Read more.
UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
Source: Google Cloud
A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East. Read more.
Walmart customers scammed via fake shopping lists, threatened with arrest
Source: Malwarebytes LABS
Case in point, a malicious ad campaign is abusing Walmart Lists, a kind of virtual shopping list customers can share with family and friends, by embedding rogue customer service phone numbers with the appearance and branding of the official Walmart site. Read more.
Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC
Source: TREND MICRO
Threat actor Earth Baxia has targeted a government organization in Taiwan – and potentially other countries in the Asia-Pacific (APAC) region – using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401. Read more.
An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader
Source: Google Cloud
UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies. Mandiant has observed UNC2970 copy and tailor job descriptions to fit their respective targets. Read more.
Malware locks browser in kiosk mode to steal Google credentials
Source: BLEEPING COMPUTER
Specifically, the malware “locks” the user’s browser on Google’s login page with no obvious way to close the window, as the malware also blocks the “ESC” and “F11” keyboard keys. The goal is to frustrate the user enough that they enter and save their Google credentials in the browser to “unlock” the computer. Read more.