Welcome to our weekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our weekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.



During the past few months, we have been monitoring a new unknown stealer/bot, we dubbed BundleBot, spreading under the radar and abusing dotnet bundle (single-file), self-contained format. This format of dotnet compilation has been supported for about four years, from .net core 3.0+ to dotnet8+, and there are already some known malware families abusing it (e.g., Ducktail). Read more.

Over 20,000 Citrix Appliances Vulnerable to New Exploit


A new exploit technique targeting a recent Citrix Application Delivery Controller (ADC) and Gateway vulnerability can be used against thousands of unpatched devices, cybersecurity firm Bishop Fox claims. Read more.

Ransomware Roundup – Cl0p


Recently, the Cl0p ransomware group received a lot of media attention for compromising a large number of organizations by exploiting a recently-unpatched vulnerability in MOVEit Transfer (CVE-2023-34362), a managed file transfer (MFT) solution. Although there is no evidence that the threat actor used the encryptor in this particular incident, the group exfiltrated data from victims and threatened them with ransom in exchange for not exposing the stolen information. Read more.

Docker Images: Why are Many Cyber Attacks Originating Here?

Source: Check Point

A new report revealed that over 1,600 publicly available images on Docker Hub hid malicious behavior, including DNS hijackers, cryptocurrency miners, and embedded secrets used as backdoors. Unfortunately, due to the size of the Docker Hub public library, its administrators cannot review every upload on a daily basis, which means that many malicious images go unreported. Read more.

DangerousPassword attacks targeting developers’ Windows, macOS, and Linux environments


At the end of May 2023, JPCERT/CC confirmed an attack targeting developers of cryptocurrency exchange businesses, and it is considered to be related to the targeted attack group DangerousPassword [1], [2] (a.k.a. CryptoMimic or SnatchCrypto), which has been continuously attacking since June 2019. This attack targeted Windows, macOS, and Linux environments with Python and Node.js installed on the machine. Read more.

First Known Targeted OSS Supply Chain Attacks Against the Banking Sector

Source: Checkmarx

On the 5th and 7th of April, a threat actor leveraged the NPM platform to upload a couple of packages containing within them a preinstall script that executed its malicious objective upon installation. Interestingly, the contributor behind these packages was linked to a LinkedIn profile page of an individual that was posing as an employee of the targeted bank. Read more.

Multiple DDoS botnets were observed targeting Zyxel devices


Fortinet FortiGuard Labs researchers warned of multiple DDoS botnets exploiting a vulnerability impacting multiple Zyxel firewalls. The flaw, tracked as CVE-2023-28771 (CVSS score: 9.8), is a command injection issue that could potentially allow an unauthorized attacker to execute arbitrary code on vulnerable devices. Read more.

Unmasking HotRat: The hidden dangers in your software downloads

Source: Avast

These cyber party crashers can weaponize any illegal software turning it into a delivery vehicle for their malware. They often target popular software from big-name companies like Adobe and Microsoft, as well as popular video games and system tools. Read more.

North Korean Cyberspies Target GitHub Developers

Source: DARK Reading

The North Korean state-sponsored Lazarus advanced persistent threat (APT) group is back with yet another impersonation scam, this time posing as developers or recruiters with legitimate GitHub or social media accounts. Read more.

‘China’ Azure Breach: MUCH Worse Than Microsoft Said

Source: Security Boulevard

The nasty hack ‘by China’ I covered 11 days ago is even nastier than we were told. Far from being limited to a couple of email apps, the hackers stole a key cracking open any Azure Active Directory (AAD) mixed-audience, multi-tenant application. People are using words like “shoddy” and “fiasco.” Read more.

Cisco Disclosed Vulnerabilities In SPA500 Series IP Phones – Won’t Fix

Source: Latest Hacking News

Heads up, Cisco users! Cisco recently disclosed numerous vulnerabilities in SPA500 series IP phones, confirming that no workarounds exist for the flaws. Also, the firm has no plans to address the issues as these devices have reached their end-of-life. Therefore, users must consider getting rid of the vulnerable devices at the earliest. Read more.

Email users warned about new DHL email phishing scam

Source: 7news.com.au

Scammers are sending emails purporting to be from DHL, asking people to view the status of an incoming shipment, according to MailGuard. The fake email in question is sent from an address with the sender name ExpressDHL and has a subject line: “MyDHL+(New Package Notification)”. Read more.

Hacked Microsoft Keys Let Attackers Access a Wide Range of Azure Applications

Source: GBHackers

The threat actor may have been able to forge access tokens for a variety of Azure Active Directory applications, including any that supports personal account authentication, such as SharePoint, Teams, or OneDrive, as well as customer applications that support the “login with Microsoft” feature and multi-tenant applications under specific circumstances. Read more.

QILIN Ransomware Report

Source: Security Boulevard

QILIN also known as “Agenda” is a Ransomware Group that also provides Ransomware as a service (Raas). Qilin’s ransomware-as-a-service (RaaS) scheme earns anywhere between 80% to 85% of each ransom payment, according to new Group-IB findings. Read more.