Welcome to our weekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our weekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

“EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts

Source: Guardio

“EtherHiding” presents a novel twist on serving malicious code by utilizing Binance’s Smart Chain contracts to host parts of a malicious code chain in what is the next level of Bullet-Proof Hosting. Read more.

Hackers Attacking Blockchain Engineers With Novel MacOS Malware

Source: GBHackers

Recently, cybersecurity researchers at Elastic Security Labs identified that hackers are actively attacking blockchain engineers of a crypto exchange platform with a new macOS malware. Read more.

CanesSpy Spyware Discovered in Modified WhatsApp Versions

Source: The Hacker News

These modified versions of the instant messaging app have been observed propagated via sketchy websites advertising such modded software as well as Telegram channels used primarily by Arabic and Azerbaijani speakers, one of which boasts of two million users. Read more.

EleKtra-Leak Campaign Uses AWS Cloud Keys Found on Public GitHub Repositories to Run Cryptomining Operation

Source: TechRepublic

New research from Palo Alto Networks’s Unit 42 exposes an active attack campaign in which a threat actor hunts for Amazon IAM credentials in real time in GitHub repositories and starts using them less than five minutes later. The final payload runs customized Monero cryptomining software on virtual machines deployed on the Amazon instances. Read more.

Apache ActiveMQ vulnerability used in ransomware attacks


The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Read more.

Who killed Mozi? Finally putting the IoT zombie botnet in its grave

Source: welivesecurity

Our investigation into this event led us to the discovery of a kill switch on September 27th, 2023. We spotted the control payload (configuration file) inside a user datagram protocol (UDP) message that was missing the typical encapsulation of BitTorrent’s distributed sloppy hash table (BT-DHT) protocol. Read more.

Unveiling a New Threat The Millenium RAT


The analysed malware, Millenium-RAT-2.4, is a sophisticated Remote Access Tool (RAT) targeting Windows systems. This malware exemplifies a sophisticated range of malicious functionalities meticulously crafted to stealthily gather sensitive user data, evade detection through advanced anti-analysis techniques, establish persistence, and enable remote control over the compromised system. Read more.

GhostSec: From Fighting ISIS to Possibly Targeting Israel with RaaS

Source: uptycs

The hacker collective called GhostSec has unveiled an innovative Ransomware-as-a-Service (RaaS) framework called GhostLocker. They provide comprehensive assistance to customers interested in acquiring this service through a dedicated Telegram channel. Read more.

Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)

Source: Unit42 by Palo Alto Networks

While tracking the evolution of Pensive Ursa (aka Turla, Uroburos), Unit 42 researchers came across a new, upgraded variant of Kazuar. Not only is Kazuar another name for the enormous and dangerous cassowary bird, Kazuar is an advanced and stealthy .NET backdoor that Pensive Ursa usually uses as a second stage payload. Read more.

MuddyWater eN-Able spear-phishing with new TTPs

Source: deep instinct

Before launching the new campaign during the Israel-Hamas war, MuddyWater reused previously known remote administration tools, utilizing a new file-sharing service called “Storyblok.” On October 30th Deep Instinct identified two archives hosted on “Storyblok” containing a new multi-stage infection vector. Read more.

Arid Viper disguising mobile spyware as updates for non-malicious Android applications

Source: Cisco Talos

Since April 2022, Cisco Talos has been tracking a malicious campaign operated by the espionage-motivated Arid Viper advanced persistent threat (APT) group targeting Arabic-speaking Android users. In this campaign, the actors leverage custom mobile malware, also known as Android Package files (APKs), to collect sensitive information from targets and deploy additional malware onto infected devices. Read more.

Lazarus Targets Bloackchain Engineers With New KandyKorn macOS Malware

Source: Security Affairs

North Korea-linked Lazarus APT group were spotted using new KandyKorn macOS malware in attacks against blockchain engineers, reported Elastic Security Labs. Read more.

StripedFly Malware Operated Unnoticed for 5 Years, Infecting 1 Million Devices

Source: The Hacker News

The Russian cybersecurity vendor, which first detected the samples in 2017, said the miner is part of a much larger entity that employs a custom EternalBlue SMBv1 exploit attributed to the Equation Group in order to infiltrate publicly-accessible systems. Read more.

Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey


Bitsight has uncovered a proxy botnet delivered by PrivateLoader and Amadey, two loaders frequently employed by threat actors to distribute malware and build their botnets. We’ve named this proxy bot malware Socks5Systemz, which is also the name associated with the unique login panel consistently present in all active proxy bot C2 servers. Read more.