Welcome to our weekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our weekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Ransomware Roundup – Black Basta


Black Basta operates a Ransomware-as-a-Service (RaaS) model, in which the developers offer a service such as ransomware, an infrastructure for payment processing and ransom negotiation, and technical support to its affiliates. Read more.

Fortinet Reverses Flutter-based Android Malware “Fluhorse”


What sets this malware apart is its utilization of Flutter, an open-source SDK (software development kit) renowned among developers for its ability to build applications compatible with Android, iOS, Linux, and Windows platforms using a single codebase. Read more.

Microsoft Azure AD flaw can lead to account takeover

Source: Malwarebytes LABS

Now, all the attacker has to do is open the site or service they wish to take over and choose the “Login with Microsoft” option. They will automatically get logged into the account associated with the provided email address. Which was the one that belongs to the victim and not to the actual operator. Read more.

Malware Delivered Through .inf File

Source: SANS Internet Storm Center

The file is based on sections that describe what must be performed. One of them is very interesting for attackers: [RunPreSetupCommandsSection]. Note that .inf files cannot be executed “as is”. Read more.



The malware hooked the recv, send, and close functions using an open-source hooking library called funchook. The following functionalities are implemented: execute arbitrary commands, download and upload files, proxy functionality, and tunneling functionality. Read more.

China-linked APT group VANGUARD PANDA uses a new tradecraft in recent attacks

Source: Security Affairs

Crowdstrike reported that the group employed ManageEngine Self-service Plus exploits to gain initial access, then the attackers rely on custom webshells to achieve persistent access, and living-off-the-land (LOTL) techniques for lateral movement. Read more.

Grafana warns of critical auth bypass due to Azure AD integration


Grafana has released security fixes for multiple versions of its application, addressing a vulnerability that enables attackers to bypass authentication and take over any Grafana account that uses Azure Active Directory for authentication. Read more.

PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID

Source: deep instinct

Deep Instinct’s Threat Research Lab recently noticed a new strain of a JavaScript-based dropper that is delivering Bumblebee and IcedID. The dropper contains comments in Russian and employs the unique user-agent string “PindOS”, which may be a reference to current (and past) anti-American sentiment in Russia. Read more.

New Research: 90% Of Portuguese Domains Are Vulnerable to Phishing and Spoofing


New research has discovered that spoofing and phishing protection is lacking in Portugal. Only 9.1% of the researched sample for Portuguese domains had correctly implemented and configured security policies to flag, report, and remove outbound phishing emails. Read more.

MULTI#STORM Campaign Targets India and U.S. with Remote Access Trojans

Source: The Hacker News

A new phishing campaign codenamed MULTI#STORM has set its sights on India and the U.S. by leveraging JavaScript files to deliver remote access trojans on compromised systems. Read more.

IoT devices and Linux-based systems targeted by OpenSSH trojan campaign

Source: Microsoft

Microsoft researchers have recently discovered an attack leveraging custom and open-source tools to target internet-facing Linux-based systems and IoT devices. The attack uses a patched version of OpenSSH to take control of impacted devices and install cryptomining malware. Read more.

Banking and Retail Top the List of Industries Targeted by Social Media Phishing Attacks

Source: KnowBe4

While phishing continues to be the leading initial attack vector, the use of social media presents attackers with a medium where the victim’s defenses are lowered, the content is less scrutinized, little to no security solutions stand in the way, and attackers can impersonate just about anyone they want. Read more.

Open-Source RATs Leveraged By APT Groups

Source: SOC Radar

Open-source RATs offer APT groups several advantages that make their work easier and increase their attack techniques. Read more.

Compromised Domains account for over 50% of Embedded URLs in Malware Phishing Campaigns


Each of the three categories (Abused, Compromised, Created) has different tradeoffs that affect both the threat actor’s choice and the network defenders’ ability to detect and defend. The following sections will break down some statistics, what network defenders and reporters should look for, and some of the potential reasons that threat actors might choose each option. Read more.