Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
New “Bring Your Own Installer” EDR bypass used in ransomware attack
Source: Bleeping Computer
A new “Bring Your Own Installer” EDR bypass technique has been exploited in attacks to defeat SentinelOne’s tamper protection feature, allowing threat actors to disable endpoint detection and response (EDR) agents and install the Babuk ransomware. Read more.
Mamona: Technical Analysis of a New Ransomware Strain
Source: ANY RUN
Mamona is a newly identified commodity ransomware strain. The malware operates entirely offline, with no observed Command and Control (C2) channels or data exfiltration. All cryptographic processes are executed locally using custom routines, with no reliance on standard libraries. Read more.
Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims
Source: Arctic Wolf
Arctic Wolf® observed a recent campaign by the financially motivated threat group Venom Spider targeting hiring managers with spear-phishing emails. The group abuses legitimate messaging services and job platforms to apply for real jobs using fake malicious resumes that drop a backdoor called More_eggs. Read more.
The Signal Clone the Trump Admin Uses Was Hacked
Source: 404 Media
A hacker has breached and stolen customer data from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the U.S. government to archive messages. The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat. Read more.
Critical Commvault Vulnerability in Attacker Crosshairs
Source: Security Week
A second Commvault flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog within a week, signaling increased threat actor interest in the platform. Tracked as CVE-2025-34028 (CVSS score of 10/10), the issue is described as a path traversal flaw in Commvault Command Center that could be exploited without authentication for remote code execution (RCE). Read more.
Revived CryptoJS library is a crypto stealer in disguise
Source: Sonatype
An illicit npm package called ‘crypto-encrypt-ts’ may appear to revive the unmaintained but hugely popular CryptoJS library, but what it actually does is peek into your crypto wallet and exfiltrate your secrets to threat actors. Read more.
Ukrainian Nefilim Ransomware Affiliate Extradited to US
Source: Security Week
A Ukrainian national was extradited from Spain to the US on Wednesday to face charges related to his involvement in Nefilim ransomware attacks. The man, Artem Stryzhak, was arrested in Spain in 2024. He is charged with fraud conspiracy, including extortion, and faces up to five years in prison. Read more.
Interesting WordPress Malware Disguised as Legitimate Anti-Malware Plugin
Source: Wordfence
The Wordfence Threat Intelligence team recently discovered an interesting malware variant that appears in the file system as a normal WordPress plugin, often with the name ‘WP-antymalwary-bot.php’, and contains several functions that allow attackers to maintain access to your site, hide the plugin from the dashboard, and execute remote code. Read more.
Finding Minhook in a sideloading attack – and Sweden too
Source: SOPHOS
The campaign made use of the Minhook DLL (Minhook is a minimalistic API hooking library for Windows) to detour Windows API calls. The clean loader was not part of the sideloading package; instead, it was snatched from the infected system. Read more.
French Foreign Ministry blames Russian GRU-linked APT28 for cyberattacks on national entities; urges global action
Source: Industrial Cyber
The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked to Russia’s military intelligence agency (GRU), and has strongly condemned its use by the Russian state. Since 2021, this attack group has been used to target or compromise a dozen French entities. Read more.