Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

FlyingYeti Targets Ukraine Using WinRAR Exploit to Deliver COOKBOX Malware

Source: Security Affairs

The FlyingYeti campaign exploited this anxiety by using debt-themed lures to trick targets into opening malicious links embedded in the messages. Upon opening the files, the PowerShell malware COOKBOX infects the target system, allowing the attackers to deploy additional payloads and gain control over the victim’s system. Read more.

DDoS-as-a-Service: The Rebirth Botnet

Source: Sysdig

Upon investigation, we discovered that the domain pertains to a mature and increasingly popular DDoS-as-a-Service botnet. The service is based on the Mirai malware family, and the operators advertise its services through Telegram and an online store (rebirthltd.mysellix[.]io). Read more.

CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw

Source: The Hacker News

Tracked as CVE-2024-1086 (CVSS score: 7.8), the high-severity issue relates to a use-after-free bug in the netfilter component that permits a local attacker to elevate privileges from a regular user to root and possibly execute arbitrary code. Read more.

LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader


This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as “PurpleInk,” and two malware loaders we are calling “InkBox” and “InkLoader.” Read more.

PyPI crypto-stealer targets Windows users, revives malware campaign

Source: Sonatype

Sonatype has discovered ‘pytoileur’, a malicious PyPI package hiding code that downloads and installs trojanized Windows binaries capable of surveillance, achieving persistence, and crypto-theft. Our discovery of the malware led us to probe into similar packages that are part of a wider, months-long “Cool package” campaign. Read more.

Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

Source: Microsoft Security

Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a fully functional malicious game, and deliver a new custom ransomware. Read more.

2.8 Million Impacted by Data Breach at Prescription Services Firm Sav-Rx


The compromised information includes names, addresses, dates of birth, email addresses, phone numbers, Social Security numbers, eligibility data, and insurance identification numbers. No clinical or financial information was compromised in the attack. Read more.

Static Unpacking for the Widespread NSIS-based Malicious Packer Family


The advantage for cybercriminals in using NSIS is that it allows them to create samples that, at first glance, are indistinguishable from legitimate installers. As NSIS performs compression on its own, malware developers do not need to implement compression and decompression algorithms. Read more.

Hackers Exploiting Arc Browser Popularity with Malicious Google Search Ads

Source: Cyber Security News

A search for “arc installer” or “arc browser windows” resulted in the following two ads being shown: Fake Arc Browser Ad Using Google’s Ad Transparency Center I connected them to the following advertiser from Ukraine. Read more.

Beware of HTML Masquerading as PDF Viewer Login Pages

Source: Forcepoint

One such method that has gained prominence involves phishing emails that masquerade as PDF viewer login pages. These deceptive emails lure unsuspecting users into entering their email addresses and passwords, compromising their online security. Read more.