2025-08-01 AI Startup News

Secret Blizzard Deploys Malware in ISP-Level AitM Attacks on Moscow Embassies

The Russian nation-state threat actor known as Secret Blizzard has been observed orchestrating a new cyber espionage campaign targeting foreign embassies located in Moscow by means of an adversary-in-the-middle (AitM) attack at the Internet Service Provider (ISP) level and delivering a custom malware dubbed ApolloShadow. “ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection,” the Microsoft Threat Intelligence team said in a report shared with The Hacker News. The activity is assessed to be ongoing since at least 2024, with the campaign posing a security risk to diplomatic personnel relying on local ISPs or telecommunications services in Russia. Secret Blizzard (formerly Krypton), affiliated with the Russian Federal Security Service, is also tracked by the broader cybersecurity community under the monikers Blue Python, Iron Hunter, Pensive Ursa, Snake, SUMMIT, Uroburos, Turla, Venomous Bear, and Waterbug.

In December 2024, Microsoft and Lumen Technologies Black Lotus Labs disclosed the hacking group’s use of a Pakistan-based threat actor’s command-and-control (C2) infrastructure to carry out its own attacks as a way to cloud attribution efforts. The adversary has also been observed piggybacking on malware associated with other threat actors to deliver its Kazuar backdoor on target devices located in Ukraine. The Windows maker noted that the AitM position is likely facilitated by lawful intercept and includes the installation of root certificates under the guise of Kaspersky antivirus to obtain elevated access to the system. Initial access is achieved by redirecting target devices to threat actor-controlled infrastructure by putting them behind a captive portal, leading to the download and execution of the ApolloShadow malware.

“Once behind a captive portal, the Windows Test Connectivity Status Indicator is initiated—a legitimate service that determines whether a device has internet access by sending an HTTP GET request to hxxp://www.msftconnecttest[.]com/redirect, which should direct to msn[.]com,” Microsoft said. “Once the system opens the browser window to this address, the system is redirected to a separate actor-controlled domain that likely displays a certificate validation error, which prompts the target to download and execute ApolloShadow.” The malware then beacons host information to the C2 server and runs a binary called CertificateDB.exe should the device not be running on default administrative settings, and retrieves as a second-stage payload an unknown Visual Basic Script. In the last step, the ApolloShadow process launches itself again and presents the user with a user access control (UAC) pop-up window and instructs them to grant it the highest privileges available to the user. ApolloShadow’s execution path varies if the running process is already running with sufficient elevated privileges, abusing them to set all networks to Private via registry profile changes and create an administrative user with the username UpdatusUser and a hard-coded password, allowing persistent access to the machine.

“This induces several changes, including allowing the host device to become discoverable, and relaxing firewall rules to enable file sharing,” the company said. “While we did not see any direct attempts for lateral movement, the main reason for these modifications is likely to reduce the difficulty of lateral movement on the network.” Once this step is successfully completed, victims are displayed a window showing that the deployment of the digital certificates is in progress, causing two root certificates to be installed on the machine using the certutil utility. Also dropped is a file called “wincert.js” that allows Mozilla Firefox to trust the root certificates. To defend against Secret Blizzard activity, diplomatic entities operating in Moscow are urged to implement the principle of least privilege (PoLP), periodically review privileged groups, and route all traffic through an encrypted tunnel to a trusted network or use a virtual private network (VPN) service provider.


Experts Detect Multi-Layer Redirect Tactic Used to Steal Microsoft 365 Login Credentials

Cybersecurity researchers have disclosed details of a new phishing campaign that conceals malicious payloads by abusing link wrapping services from Proofpoint and Intermedia to bypass defenses. “Link wrapping is designed by vendors like Proofpoint to protect users by routing all clicked URLs through a scanning service, allowing them to block known malicious destinations at the moment of click,” the Cloudflare Email Security team said. “While this is effective against known threats, attacks can still succeed if the wrapped link hasn’t been flagged by the scanner at click time.” The activity, observed over the last two months, once again illustrates how threat actors find different ways to leverage legitimate features and trusted tools to their advantage and perform malicious actions, in this case, redirecting victims to Microsoft 365 phishing pages. It’s noteworthy that the abuse of link wrapping involves the attackers gaining unauthorized access to email accounts that already use the feature within an organization, so that any email message containing a malicious URL sent from that account is automatically rewritten with the wrapped link (e.g., urldefense.proofpoint[.]com/v2/url?u=).

Another important aspect concerns what Cloudflare calls “multi-tiered redirect abuse,” in which the threat actors first cloak their malicious links using a URL shortening service like Bitly, and then send the shortened link in an email message via a Proofpoint-secured account, causing it to be obscured a second time. This behavior effectively creates a redirection chain, where the URL passes through two levels of obfuscation – Bitly and Proofpoint’s URL Defense – before taking the victim to the phishing page. In the attacks observed by the web infrastructure company, the phishing messages masquerade as voicemail notifications, urging recipients to click on a link to listen to them, ultimately directing them to a bogus Microsoft 365 phishing page designed to capture their credentials. Alternate infection chains employ the same technique in emails that notify users of a supposed document received on Microsoft Teams and trick them into clicking on booby-trapped hyperlinks.
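For mail-triage purposes, the layering described above can be peeled back offline. The following is an added example, not code from Cloudflare, Proofpoint or the original article: it decodes only the URL Defense v2 format shown above (the `u=` parameter, where `-` stands for `%` and `_` for `/`) and reports when the embedded link is itself a shortener. The sample links and the `bit.ly`-only shortener list are constructed assumptions.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Wrapper host taken from the article; only the v2 format it shows is decoded.
URLDEFENSE_HOST = "urldefense.proofpoint.com"
# Shortener named in the article (Bitly). Extend for your own environment.
SHORTENER_HOSTS = {"bit.ly"}
# In URL Defense v2 the original URL sits in the "u" parameter with
# "%" written as "-" and "/" written as "_".
V2_TRANSLATION = str.maketrans("-_", "%/")


def decode_urldefense_v2(url):
    """Return the URL embedded in a URL Defense v2 link, or None if not one."""
    parts = urlsplit(url)
    if parts.hostname != URLDEFENSE_HOST or not parts.path.startswith("/v2/url"):
        return None
    values = parse_qs(parts.query).get("u")
    if not values:
        return None
    return unquote(values[0].translate(V2_TRANSLATION))


def analyze_link(url, max_depth=5):
    """Peel wrapper layers offline and describe the redirect chain."""
    layers = []
    current = url
    for _ in range(max_depth):  # bounded, in case a link is wrapped repeatedly
        inner = decode_urldefense_v2(current)
        if inner is None:
            break
        layers.append("proofpoint-urldefense-v2")
        current = inner
    host = urlsplit(current).hostname or ""
    ends_in_shortener = host in SHORTENER_HOSTS
    if ends_in_shortener:
        layers.append("shortener:" + host)
    return {
        "layers": layers,
        "innermost_url": current,
        # True when the wrapped value is only a short link, so the final
        # destination cannot be known without resolving it in a sandbox.
        "destination_hidden": ends_in_shortener,
        "multi_tier": len(layers) >= 2,
    }


# Constructed samples (not taken from the campaign).
SAMPLE_TWO_TIER = (
    "https://urldefense.proofpoint.com/v2/url"
    "?u=https-3A__bit.ly_3ExAmPlE&d=DwMFaQ&c=constructed&r=constructed&e="
)
SAMPLE_DIRECT = (
    "https://urldefense.proofpoint.com/v2/url"
    "?u=https-3A__portal.example-2Dcorp.test_voice-5Fmail_inbox&d=DwMFaQ"
)

if __name__ == "__main__":
    for sample in (SAMPLE_TWO_TIER, SAMPLE_DIRECT, "https://example.test/"):
        print(analyze_link(sample))
```

A `multi_tier` result on inbound mail from an internal or partner account is a reasonable trigger for detonating the short link in a sandbox rather than trusting the wrapper's earlier verdict.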

A third variation of these attacks impersonates Teams in emails, claiming that they have unread messages and that they can click on the “Reply in Teams” button embedded in the messages to redirect them to credential harvesting pages. “By cloaking malicious destinations with legitimate urldefense[.]proofpoint[.]com and url[.]emailprotection URLs, these phishing campaigns’ abuse of trusted link wrapping services significantly increases the likelihood of a successful attack,” Cloudflare said. The development comes amid a spike in phishing attacks that weaponize Scalable Vector Graphics (SVG) files to get around traditional anti-spam and anti-phishing protections and initiate multi-stage malware infections. “Unlike JPEG or PNG files, SVG files are written in XML and support JavaScript and HTML code,” the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) said last month.

“They can contain scripts, hyperlinks, and interactive elements, which can be exploited by embedding malicious code within harmless SVG files.” Phishing campaigns have also been observed embedding fake Zoom videoconferencing links in emails that, when clicked, trigger a redirection chain to a fake page that mimics a realistic-looking interface, after which they are served a “meeting connection timed out” message and taken to a phishing page that prompts them to enter their credentials to rejoin the meeting. “Unfortunately, instead of ‘rejoining,’ the victim’s credentials along with their IP address, country, and region are exfiltrated via Telegram, a messaging app notorious for ‘secure, encrypted communications,’ and inevitably sent to the threat actor,” Cofense said in a recent report.

N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto

The North Korea-linked threat actor known as UNC4899 has been attributed to attacks targeting two different organizations by approaching their employees via LinkedIn and Telegram. “Under the guise of freelance opportunities for software development work, UNC4899 leveraged social engineering techniques to successfully convince the targeted employees to execute malicious Docker containers in their respective workstations,” Google’s cloud division said in its Cloud Threat Horizons Report for H2 2025. UNC4899 overlaps with activity tracked under the monikers Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor. Active since at least 2020, the state-sponsored actor is known for its targeting of cryptocurrency and blockchain industries.

Notably, the hacking group has been implicated in significant cryptocurrency heists, including that of Axie Infinity in March 2022 ($625 million), DMM Bitcoin in May 2024 ($308 million), and Bybit in February 2025 ($1.4 billion). Another example that highlights its sophistication is the suspected exploitation of JumpCloud’s infrastructure to target downstream customers within the cryptocurrency vertical. According to DTEX, TraderTraitor is affiliated with the Third Bureau (or Department) of North Korea’s Reconnaissance General Bureau and is the most prolific of any of the Pyongyang hacking groups when it comes to cryptocurrency theft. Attacks mounted by the threat actor have entailed leveraging job-themed lures or uploading malicious npm packages, and then approaching employees at target companies with a lucrative opportunity or asking them to collaborate on a GitHub project that would then lead to the execution of the rogue npm libraries.

“TraderTraitor has demonstrated a sustained interest in cloud-centric and cloud-adjacent attack surfaces, often with a final goal of compromising companies that are customers of cloud platforms rather than the platforms themselves,” cloud security firm Wiz said in a detailed report of TraderTraitor this week. The attacks observed by Google Cloud targeted the respective organizations’ Google Cloud and Amazon Web Services (AWS) environments, paving the way for a downloader called GLASSCANNON that’s then used to serve backdoors like PLOTTWIST and MAZEWIRE that can establish connections with an attacker-controlled server. In the incident involving the Google Cloud environment, the threat actors have been found to employ stolen credentials to interact remotely using Google Cloud CLI over an anonymous VPN service, carrying out extensive reconnaissance and credential theft activities. However, they were thwarted in their efforts due to the multi-factor authentication (MFA) configuration applied to the victim’s credentials.

“UNC4899 eventually determined the victim’s account had administrative privileges to the Google Cloud project and disabled the MFA requirements,” Google said. “After successfully gaining access to the targeted resources, they immediately re-enabled MFA to evade detection.” The intrusion targeting the second victim’s AWS environment is said to have followed a similar playbook, only this time the attackers used long-term access keys obtained from an AWS credential file to interact remotely via AWS CLI. Although the threat actors ran into access control roadblocks that prevented them from performing any sensitive actions, Google said it found evidence that likely indicated the theft of the user’s session cookies. These cookies were then used to identify relevant CloudFront configurations and S3 buckets.

UNC4899 “leveraged the inherent administrative permissions applied to their access to upload and replace existing JavaScript files with those containing malicious code, which were designed to manipulate cryptocurrency functions and trigger a transaction with the cryptocurrency wallet of a target organization,” Google said. The attacks, in both cases, ended with the threat actors successfully withdrawing several million worth of cryptocurrency, the company added. The development comes as Sonatype said it flagged and blocked 234 unique malware npm and PyPI packages attributed to North Korea’s Lazarus Group between January and July 2025. Some of these libraries are configured to drop a known credential stealer referred to as BeaverTail, which is associated with a long-running campaign dubbed Contagious Interview.

“These packages mimic popular developer tools but function as espionage implants, designed to steal secrets, profile hosts, and open persistent backdoors into critical infrastructure,” the software supply chain security firm said. “The surge of activity in H1 2025 demonstrates a strategic pivot: Lazarus is now embedding malware directly into open source package registries, namely npm and PyPI, at an alarming rate.”

Master SaaS AI Risk: Your Complete Governance Playbook

Cyber threats and attacks like ransomware continue to increase in volume and complexity with the endpoint typically being the most sought after and valued target. With the rapid expansion and adoption of AI, it is more critical than ever to ensure the endpoint is adequately secured by a platform capable of not just keeping pace, but staying ahead of an ever-evolving threat landscape. SentinelOne’s steadfast commitment to delivering AI-powered cybersecurity enables global customers and partners to achieve resiliency and reduce risk with real-time, autonomous protection across the entire enterprise — all from a single agent and console with a robust, rigorously tested platform that keeps the customer in control. Cybersecurity today isn’t just about detection—it’s about operational continuity under pressure.

For example, endpoint solutions must account for encrypted traffic inspection, policy enforcement during identity compromise, and fast containment across distributed environments. These capabilities are especially critical in industries like healthcare or finance, where seconds can mean regulatory penalties or breached patient records. Gartner recently named SentinelOne a Leader in the 2025 Gartner® Magic Quadrant for Endpoint Protection Platforms for the fifth consecutive year. This recognition builds on the Singularity Platform’s momentum in innovation as the first solution with an AI analyst and the first unified platform delivering EDR, CNAPP, Hyperautomation, and SIEM to be FedRAMP High (the highest level of U.S. federal cloud security authorization) Authorized.

SentinelOne provides protection for organizations of all sizes—from small businesses to global governments and enterprises—meeting their unique needs in the face of an increasingly complex cyber landscape. The Singularity Platform secures organizations across any device, any OS, and any cloud, providing industry-leading signal-to-noise so SOC teams can focus on responding as quickly as possible. With advanced XDR, AI SIEM, and CNAPP capabilities, a lightweight agent, and responsible architecture, SentinelOne offers a solution designed for both security and operational resiliency.

Organizations using Singularity Endpoint and Purple AI detect threats 63% faster, reduce MTTR by 55%, and lower the likelihood of a security incident by 60%. Customers have reported a 338% ROI over three years, maximizing the value of their security investments while strengthening their endpoint security. For example, a healthcare provider using SentinelOne reported cutting incident response time by over 50% during a phishing-induced ransomware outbreak, thanks to automated rollback and unified visibility across cloud workloads and endpoints. Many teams searching for EDR or XDR platforms are trying to answer: “Will this reduce alert fatigue?” or “Can it integrate with my SIEM or SOAR stack without more overhead?” This is where automation must go beyond buzzwords—reducing manual triage, stitching disconnected signals, and working with existing tools instead of replacing them.

SentinelOne has set the standard in modern endpoint protection since entering the market more than a decade ago, disrupting both traditional antivirus and early next-gen AV approaches. Unlike signature-based protection and cloud-dependent defenses, the platform pioneered the use of static and behavioral AI and machine learning to detect even novel techniques, solve for both online and air-gapped environments, and automate response. These innovations differentiate SentinelOne from traditional AV and even next-gen EDR solutions, offering deeper automation and on-device intelligence compared to competitors that rely heavily on cloud lookups or manual workflows. This innovation, architecture, and design philosophy continues to evolve through Purple AI, advanced behavioral detection models, automated remediation and rollback, XDR capabilities, and more.

The security platform now offers solutions spanning Identity, Cloud, AI SIEM, Hyperautomation, expert-managed detection and response, and a range of threat services. Accelerating the SOC and staying ahead of attacks in the age of AI requires platforms that harness innovation in AI and automation to radically improve detection, triage, and response. SentinelOne’s platform has long embedded AI and automation as a foundational element. The company continues to develop accessible, compliant AI and automation to transform the SOC.

Behavioral AI and the Future of Cyber Threat Detection

Over the last decade, SentinelOne has advanced behavioral AI detections, automated remediation, and introduced agentic AI for security. Rather than merely assisting analysts, agentic AI—defined as a class of autonomous AI systems capable of initiating and executing security actions without human prompting—autonomously takes action, handles routine tasks, and accelerates decision making while keeping the human operator in control. Purple AI, the platform’s AI security analyst, translates natural language questions into powerful threat hunting queries, suggests follow-up questions, recommends next steps, and generates reports and email summaries to accelerate remediation. Built on the Open Cybersecurity Schema Framework (OCSF), a vendor-agnostic standard for unifying data models, Purple AI ensures unified visibility across all security data, enabling fast, precise threat detection.

Figure 2: A natural language query using Purple AI to hunt for Privilege Escalation activity

This capability is integrated into Singularity Complete, SentinelOne’s EDR solution, positioning Purple AI as a transformative force in SOC operations. By combining human insight with AI-level reasoning and automation, it enables faster, more accurate triage, investigation, threat management, and response.

How Endpoint Security Has Evolved in the Age of AI

Product innovation remains central to SentinelOne’s strategy, driven by customer feedback, cost and time savings, and deep integration of AI and automation.

Detects suspicious and malicious patterns in real time using behavioral and static AI models across servers, workstations, and workloads

Correlates telemetry data from endpoints, cloud workloads, and identity sources into detailed, visual Storylines

Figure 3: Storyline helps security teams understand, investigate, and respond to threats faster and more effectively

Offers one-click rollback to a pre-attack state, drastically reducing remediation time

Enables custom workflows and incident response via Singularity Hyperautomation’s no-code, drag-and-drop canvas

SentinelOne also plays a central role in Zero Trust architectures, supporting identity-based segmentation and continuous trust evaluation across cloud, hybrid, and air-gapped environments.

By aligning with frameworks like MITRE ATT&CK, OCSF, and NIST 800-207, the platform enables cohesive telemetry correlation and policy enforcement—positioning it as more than just endpoint protection, but a pillar in enterprise-wide cyber resilience.

Balancing Control and Stability in Modern Cybersecurity Platforms

The Singularity Platform delivers simplicity, stability, and ease of use across various deployment environments—on-premises, hybrid, air-gapped, or fully cloud-based. SentinelOne offers comprehensive OS support, including legacy systems such as Windows XP, 2008, and 2012, and spans more than 20 years of Windows Server coverage. Customer control is a cornerstone of the platform’s philosophy.

The multi-tenant management console emphasizes analyst experience, with streamlined deployment, configuration, and management. Updates are rigorously tested, responsibly deployed, and controlled by the customer to ensure stability and autonomy. As recognized by Gartner in this year’s evaluation, the unified agent and intuitive console deliver deep enterprise visibility while reducing overhead and administrative burden, allowing security teams to focus on high-priority tasks.

Earning Industry Trust Through Proven Performance

SentinelOne continues to lead in endpoint cybersecurity, earning trust from nearly 15,000 customers—including Fortune 10, Fortune 500, Global 2000 companies, and major government agencies.

The company consistently achieves top results in MITRE ATT&CK Enterprise Evaluations, delivering an industry-leading signal-to-noise ratio. In addition to being named a Leader in the 2025 Gartner Magic Quadrant for Endpoint Protection Platforms, SentinelOne’s Singularity Platform has been recognized as a 2025 Customers’ Choice in the Voice of the Customer for Extended Detection and Response (XDR), a 2024 Customers’ Choice for Cloud-Native Application Protection Platforms (CNAPP), and a 2024 Customers’ Choice for Managed Detection and Response (MDR). SentinelOne was also named a Strong Performer in the 2025 Gartner Peer Insights Voice of the Customer for Cloud Security Posture Management tools (CSPM). To see how SentinelOne can transform endpoint security within an organization, stakeholders can request a tailored demo or download the full Gartner report for detailed evaluation insights.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Evgeny Mirolyubov, Franz Hinner, Deepak Mishra, July 14, 2025. Gartner, Voice of the Customer for Extended Detection and Response, Peer Contributors, 23 May 2025. Gartner, Voice of the Customer for Cloud-Native Application Protection Platforms, Peer Contributors, 27 December 2024. Gartner, Voice of the Customer for Managed Detection and Response, Peer Contributors, 28 November 2024.

Gartner, Voice of the Customer for Cloud Security Posture Management Tools, Peer Contributors, 30 May 2025.

Gartner Disclaimer

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, MAGIC QUADRANT and PEER INSIGHTS are registered trademarks of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact.

Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

This article is a contributed piece from one of our valued partners.

UNC2891 Breaches ATM Network via 4G Raspberry Pi, Tries CAKETAP Rootkit for Fraud

The financially motivated threat actor known as UNC2891 has been observed targeting Automatic Teller Machine (ATM) infrastructure using a 4G-equipped Raspberry Pi as part of a covert attack. The cyber-physical attack involved the adversary leveraging their physical access to install the Raspberry Pi device and have it connected directly to the same network switch as the ATM, effectively placing it within the target bank’s network, Group-IB said. It’s currently not known how this access was obtained. “The Raspberry Pi was equipped with a 4G modem, allowing remote access over mobile data,” security researcher Nam Le Phuong said in a Wednesday report.

“Using the TINYSHELL backdoor, the attacker established an outbound command-and-control (C2) channel via a Dynamic DNS domain. This setup enabled continuous external access to the ATM network, completely bypassing perimeter firewalls and traditional network defenses.” UNC2891 was first documented by Google-owned Mandiant in March 2022, linking the group to attacks targeting ATM switching networks to carry out unauthorized cash withdrawals at different banks using fraudulent cards. Central to the operation was a kernel module rootkit dubbed CAKETAP that’s designed to hide network connections, processes, and files, as well as intercept and spoof card and PIN verification messages from hardware security modules (HSMs) to enable financial fraud. The hacking crew is assessed to share tactical overlaps with another threat actor called UNC1945 (aka LightBasin), which was previously identified compromising managed service providers and striking targets within the financial and professional consulting industries.

Describing the threat actor as possessing extensive knowledge of Linux and Unix-based systems, Group-IB said its analysis uncovered backdoors named “lightdm” on the victim’s network monitoring server that are designed to establish active connections to the Raspberry Pi and the internal Mail Server. The attack is significant for the abuse of bind mounts to hide the presence of the backdoor from process listings and evade detection. The end goal of the infection, as seen in the past, is to deploy the CAKETAP rootkit on the ATM switching server and facilitate fraudulent ATM cash withdrawals. However, the Singaporean company said the campaign was disrupted before the threat actor could inflict any serious damage.
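One way to check a Linux host for this kind of hiding, as an added example (not code from Group-IB or the original article): it assumes the mount is placed over the backdoor's `/proc/<pid>` directory, which is what makes a process disappear from tools that walk `/proc`, and flags any such entry in `mountinfo`. The sample input, PIDs, device numbers and paths are constructed.

```python
import os
import re

# A mount point at or below a process directory, e.g. /proc/4242.
PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/.*)?$")
# mountinfo escapes space, tab, newline and backslash as \ooo octal sequences.
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")

# Constructed /proc/self/mountinfo content (all values are made up).
SAMPLE_MOUNTINFO = """\
27 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
22 27 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
31 27 0:25 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,size=401520k
40 22 0:30 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - binfmt_misc binfmt_misc rw
311 22 8:1 /var/empty /proc/5151 rw,relatime shared:1 - ext4 /dev/sda1 rw
310 22 0:48 / /proc/4242 rw,relatime shared:180 - tmpfs tmpfs rw
"""


def unescape(field):
    """Decode the octal escapes the kernel uses in mountinfo fields."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts; malformed lines are skipped."""
    mounts = []
    for line in text.splitlines():
        # Fixed fields, optional fields, then " - ", then fstype/source/options.
        left, sep, right = line.partition(" - ")
        head, tail = left.split(), right.split()
        if not sep or len(head) < 6 or len(tail) < 2:
            continue
        mounts.append({
            "root": unescape(head[3]),         # path inside the source filesystem
            "mount_point": unescape(head[4]),
            "fstype": tail[0],
            "source": unescape(tail[1]),
        })
    return mounts


def find_masked_pids(text):
    """Return mounts that cover a /proc/<pid> entry, sorted by PID."""
    findings = []
    for mount in parse_mountinfo(text):
        match = PID_MOUNT.match(mount["mount_point"])
        if match:
            findings.append({"pid": int(match.group(1)), **mount})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    path = "/proc/self/mountinfo"
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as handle:
            data = handle.read()
    else:
        data = SAMPLE_MOUNTINFO  # fall back to the constructed sample
    for hit in find_masked_pids(data):
        print("mount over /proc/%(pid)d: %(fstype)s from %(source)s (root %(root)s)" % hit)
```

Nothing is normally mounted on a `/proc/<pid>` path, so any hit is worth triaging; the masked PID can then be examined through sources that do not rely on walking `/proc`, such as audit logs or a memory image.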

“Even after the Raspberry Pi was discovered and removed, the attacker maintained internal access through a backdoor on the mail server,” Group-IB said. “The threat actor leveraged a Dynamic DNS domain for command-and-control.”

Alert Fatigue, Data Overload, and the Fall of Traditional SIEMs

Security Operations Centers (SOCs) are stretched to their limits. Log volumes are surging, threat landscapes are growing more complex, and security teams are chronically understaffed. Analysts face a daily battle with alert noise, fragmented tools, and incomplete data visibility. At the same time, more vendors are phasing out their on-premises SIEM solutions, encouraging migration to SaaS models.

But this transition often amplifies the inherent flaws of traditional SIEM architectures.

The Log Deluge Meets Architectural Limits

SIEMs are built to process log data—and the more, the better, or so the theory goes. In modern infrastructures, however, log-centric models are becoming a bottleneck. Cloud systems, OT networks, and dynamic workloads generate exponentially more telemetry, often redundant, unstructured, or in unreadable formats.

SaaS-based SIEMs in particular face financial and technical constraints: pricing models based on events per second (EPS) or flows-per-minute (FPM) can drive exponential cost spikes and overwhelm analysts with thousands of irrelevant alerts. Further limitations include protocol depth and flexibility. Modern cloud services like Azure AD frequently update log signature parameters, and static log collectors often miss these changes—leaving blind spots. In OT environments, proprietary protocols like Modbus or BACnet defy standard parsers, complicating or even preventing effective detection.

False Positives: More Noise, Less Security

Up to 30% of a SOC analyst’s time is lost chasing false positives. The root cause? Lack of context. SIEMs can correlate logs, but they don’t “understand” them.

A privileged login could be legitimate—or a breach. Without behavioral baselines or asset context, SIEMs either miss the signal or sound the alarm unnecessarily. This leads to analyst fatigue and slower incident response times.

The SaaS SIEM Dilemma: Compliance, Cost, and Complexity

While SaaS-based SIEMs are marketed as a natural evolution, they often fall short of their on-prem predecessors in practice.

Key gaps include incomplete parity in rule sets, integrations, and sensor support. Compliance issues add complexity, especially for finance, industry, or public sector organizations where data residency is non-negotiable. And then there’s cost. Unlike appliance-based models with fixed licensing, SaaS SIEMs charge by data volume.

Every incident surge becomes a billing surge—precisely when SOCs are under maximum stress.

Modern Alternatives: Metadata and Behavior Over Logs

Modern detection platforms focus on metadata analysis and behavioral modeling rather than scaling log ingestion. Network flows (NetFlow, IPFIX), DNS requests, proxy traffic, and authentication patterns can all reveal critical anomalies like lateral movement, abnormal cloud access, or compromised accounts without inspecting payloads. These platforms operate without agents, sensors, or mirrored traffic.

They extract and correlate existing telemetry, applying adaptive machine learning in real time—an approach already embraced by newer, lightweight Network Detection & Response (NDR) solutions purpose-built for hybrid IT and OT environments. The result is fewer false positives, sharper alerts, and significantly less pressure on analysts.

A New SOC Blueprint: Modular, Resilient, Scalable

The slow decline of traditional SIEMs signals the need for structural change. Modern SOCs are modular, distributing detection across specialized systems and decoupling analytics from centralized logging architectures.

By integrating flow-based detection and behavior analytics into the stack, organizations gain both resilience and scalability—allowing analysts to focus on strategic tasks like triage and response.

Conclusion

Classic SIEMs—whether on-prem or SaaS—are relics of a past that equated log volume with security. Today, success lies in smarter data selection, contextual processing, and intelligent automation. Metadata analytics, behavioral modeling, and machine-learning-based detection are not just technically superior—they represent a new operational model for the SOC.

One that protects analysts, conserves resources, and exposes attackers sooner—especially when powered by modern, SIEM-independent NDR platforms.

This article is a contributed piece from one of our valued partners.

Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install

Threat actors are actively exploiting a critical security flaw in “Alone – Charity Multipurpose Non-profit WordPress Theme” to take over susceptible sites. The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and reporting the bug. According to Wordfence, the shortcoming relates to an arbitrary file upload affecting all versions of the plugin prior to and including 7.8.3.

It has been addressed in version 7.8.5 released on June 16, 2025. CVE-2025-5394 is rooted in a plugin installation function named “alone_import_pack_install_plugin()” and stems from a missing capability check, thereby allowing unauthenticated users to deploy arbitrary plugins from remote sources via AJAX and achieve code execution. “This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover,” Wordfence’s István Márton said. Evidence shows that CVE-2025-5394 began to be exploited starting July 12, two days before the vulnerability was publicly disclosed.

This indicates that the threat actors behind the campaign may have been actively monitoring code changes for any newly addressed vulnerabilities. The company said it has already blocked 120,900 exploit attempts targeting the flaw. The activity has originated from the following IP addresses: 193.84.71.244, 87.120.92.24, 146.19.213.18, 185.159.158.108, 188.215.235.94, 146.70.10.25, 74.118.126.111, 62.133.47.18, 198.145.157.102, and 2a0b:4141:820:752::2.

In the observed attacks, the flaw is leveraged to upload a ZIP archive (“wp-classic-editor.zip” or “background-image-cropper.zip”) containing a PHP-based backdoor to execute remote commands and upload additional files. Also delivered are fully-featured file managers and backdoors capable of creating rogue administrator accounts.

To mitigate any potential threats, WordPress site owners using the theme are advised to apply the latest updates, check for any suspicious admin users, and scan logs for the request “/wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin.”
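The log scan recommended above can be done with a short script. The following is an added example, not code from the article or from Wordfence. It assumes the Apache/nginx "combined" access-log format, and the log lines and addresses in it are constructed samples from documentation ranges; the article's IP list can be passed in as `known_ips`.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, unquote

# Indicators taken from the article's mitigation advice.
AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "alone_import_pack_install_plugin"

# Assumption: Apache/nginx "combined" log format. Adjust for custom formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2025:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 47 "-" "sample-agent"
198.51.100.7 - - [13/Jul/2025:10:01:55 +0000] "POST /blog//wp-admin/admin-ajax.php?foo=1&%61ction=alone%5Fimport_pack_install_plugin HTTP/1.1" 403 0 "-" "sample-agent"
192.0.2.55 - - [13/Jul/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
192.0.2.55 - - [13/Jul/2025:10:02:30 +0000] "GET /?q=alone_import_pack_install_plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jul/2025:22:40:31 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 47 "-" "sample-agent"
this line is not in combined log format
"""


def is_install_request(target):
    """True if a request target calls admin-ajax.php with the vulnerable action."""
    raw_path, _, query = target.partition("?")
    # Decode %xx and collapse duplicate slashes so variants such as
    # "/blog//wp-admin/admin%2Dajax.php" are normalised before matching.
    path = re.sub(r"/{2,}", "/", unquote(raw_path))
    if not path.endswith(AJAX_PATH):
        return False
    # parse_qs percent-decodes keys and values, so "%61ction=..." is caught.
    actions = parse_qs(query, keep_blank_values=True).get("action", [])
    return TARGET_ACTION in actions


def scan(lines, known_ips=frozenset()):
    """Group matching requests by source IP.

    Returns {ip: {"count", "first", "last", "statuses", "known"}}.
    """
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_install_request(m["target"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = hits.setdefault(m["ip"], {
            "count": 0, "first": ts, "last": ts,
            "statuses": set(), "known": m["ip"] in known_ips,
        })
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        rec["statuses"].add(int(m["status"]))
    return hits


if __name__ == "__main__":
    for ip, rec in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, rec["count"], rec["first"].isoformat(),
              rec["last"].isoformat(), sorted(rec["statuses"]))
```

Access logs normally record only the query string, and WordPress also accepts the `action` parameter in a POST body, so a clean result here should be confirmed against WAF or application-level logs where those exist.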

Hackers Use Facebook Ads to Spread JSCEAL Malware via Fake Cryptocurrency Trading Apps

Cybersecurity researchers are calling attention to an ongoing campaign that distributes fake cryptocurrency trading apps to deploy a compiled V8 JavaScript (JSC) malware called JSCEAL that can capture data such as credentials and wallets. The activity leverages thousands of malicious advertisements posted on Facebook in an attempt to redirect unsuspecting victims to counterfeit sites that instruct them to install the bogus apps, according to Check Point. These ads are shared either via stolen accounts or newly created ones. “The actors separate the installer’s functionality into different components and most notably move some functionality to the JavaScript files inside the infected websites,” the company said in an analysis.

“A modular, multi-layered infection flow enables the attackers to adapt new tactics and payloads at every stage of the operation.” It’s worth noting that some aspects of the activity were previously documented by Microsoft in April 2025 and WithSecure as recently as this month, with the latter tracking it as WEEVILPROXY. According to the Finnish security vendor, the campaign has been active since March 2024. The attack chains have been found to adopt novel anti-analysis mechanisms that rely on script-based fingerprinting, before delivering the final JSC payload. “The threat actors implemented a unique mechanism that requires both the malicious site and the installer to run in parallel for successful execution, which significantly complicates analysis and detection efforts,” the Israeli cybersecurity company noted.

Clicking on the link in the Facebook ads triggers a redirection chain, ultimately leading the victim to a fake landing page mimicking a legitimate service like TradingView or a decoy website, if the target’s IP address is not within a desired range or the referrer is not Facebook. The website also includes a JavaScript file that attempts to communicate with a localhost server on port 30303, in addition to hosting two other JavaScript scripts that are responsible for tracking the installation process and initiating POST requests that are handled by the components within the MSI installer. For its part, the installer file downloaded from the site unpacks a number of DLL libraries, while simultaneously initiating HTTP listeners on localhost:30303 to process incoming POST requests from the phony site. This interdependency also means that the infection chain fails to proceed further if any of these components doesn’t work.

“To ensure the victim does not suspect abnormal activity, the installer opens a webview using msedge_proxy.exe to direct the victim to the legitimate website of the application,” Check Point said. The DLL modules are designed to parse the POST requests from the website and gather system information and commence the fingerprinting process, after which the captured information is exfiltrated to the attacker in the form of a JSON file by means of a PowerShell backdoor. If the victim host is deemed valuable, the infection chain moves to the final stage, leading to the execution of the JSCEAL malware by leveraging Node.js. The malware, besides establishing connections with a remote server to receive further instructions, sets up a local proxy with the goal of intercepting the victim’s web traffic and injecting malicious scripts into banking, cryptocurrency, and other sensitive websites to steal their credentials in real-time.

Other functions of JSCEAL include gathering system information, browser cookies, auto-fill passwords, Telegram account data, screenshots, keystrokes, as well as conducting adversary-in-the-middle (AitM) attacks and manipulating cryptocurrency wallets. It can also act as a remote access trojan. “This sophisticated piece of malware is designed to gain absolute control of the victim machine, while being resilient against conventional security tools,” Check Point said. “The combination of compiled code and heavy obfuscation, while displaying a wide variety of functionality, made analysis efforts challenging and time-consuming.” “Using JSC files allows attackers to simply and effectively conceal their code, helping it evade security mechanisms, and making it difficult to analyze.”

FunkSec Ransomware Decryptor Released Free to Public After Group Goes Dormant

Cybersecurity experts have released a decryptor for a ransomware strain called FunkSec, allowing victims to recover access to their files for free. “Because the ransomware is now considered dead, we released the decryptor for public download,” Gen Digital researcher Ladislav Zezula said. FunkSec, which emerged towards the end of 2024, has claimed 172 victims, according to data from Ransomware.live. The vast majority of targeted entities are located in the U.S., India, and Brazil, with technology, government, and education being the top three sectors attacked by the group.

An analysis of FunkSec by Check Point earlier this January found signs that the encryptor was developed with assistance from artificial intelligence (AI) tools. The group has not added any new victims to its data leak site since March 18, 2025, suggesting that the group may no longer be active. It’s also believed that the group consisted of inexperienced hackers seeking visibility and recognition by uploading leaked datasets associated with previous hacktivism campaigns. FunkSec was built using Rust, a fast and efficient programming language that’s now popular among newer ransomware groups.

Other families, like BlackCat and Agenda, also use Rust to help their attacks run quickly and avoid detection. FunkSec relies on the orion-rs library (version 0.17.7) for encryption, using the ChaCha20 and Poly1305 algorithms to lock files during its routine. “This hash-based method ensures integrity of encryption parameters: the encryption key, n-once, block lengths, and encrypted data itself,” Zezula noted. “Files are encrypted per-blocks of 128 bytes, adding 48 bytes of extra metadata to each block, which means that encrypted files are about 37% bigger than the originals.” Gen Digital did not disclose how it was able to develop a decryptor or whether it entailed the exploitation of a cryptographic weakness that makes it possible to reverse the encryption process.

The decryptor can be accessed via the No More Ransom project. Victims looking to recover their data should first confirm that encrypted files match FunkSec’s signature, typically identified by the .funksec extension or unique metadata padding. The No More Ransom portal provides basic usage steps, but administrators are advised to back up affected files before attempting decryption in case of partial recovery or file corruption.

Product Walkthrough: A Look Inside Pillar’s AI Security Platform

In this article, we will provide a brief overview of Pillar Security’s platform to better understand how they are tackling AI security challenges. Pillar Security is building a platform to cover the entire software development and deployment lifecycle with the goal of providing trust in AI systems. Using its holistic approach, the platform introduces new ways of detecting AI threats, beginning at pre-planning stages and going all the way through runtime. Along the way, users gain visibility into the security posture of their applications while enabling safe AI execution.

Pillar is uniquely suited to the challenges inherent in AI security. Co-founder and CEO Dor Sarig comes from a cyber-offensive background, having spent a decade leading security operations for governmental and enterprise organizations. In contrast, co-founder and CTO Ziv Karlinger spent over ten years developing defensive techniques, securing against financial cybercrime and securing supply chains. Together, their red team-blue team approach forms the foundation of Pillar Security and is instrumental in mitigating threats.

The Philosophy Behind the Approach

Before diving into the platform, it’s important to understand the underlying approach taken by Pillar. Rather than developing a siloed system where each piece of the platform focuses on a single area, Pillar offers a holistic approach. Each component within the platform enriches the next, creating a closed feedback loop that enables security to adapt to each unique use case. The detections found in the posture management section of the platform are enriched by data detected in the discovery section.

Likewise, adaptive guardrails that are utilized during runtime are built on insights from threat modeling and red teaming. This dynamic feedback loop ensures that live defenses are optimized as new vulnerabilities are discovered. This approach creates a powerful, holistic and contextual-based defense against threats to AI systems - from build to runtime.

AI Workbench: Threat Modeling Where AI Begins

The Pillar Security platform begins at what they call the AI workbench.

Before any code is written, this secure playground for threat modeling allows security teams to experiment with AI use cases and proactively map potential threats. This stage is crucial to ensure that organizations align their AI systems with corporate policies and regulatory demands. Developers and security teams are guided through a structured threat modeling process, generating potential attack scenarios specific to the application use case. Risks are aligned with the application’s business context, and the process is aligned with established frameworks such as STRIDE, ISO, MITRE ATLAS, OWASP Top Ten for LLMs, and Pillar’s own SAIL framework.

The goal is to build security and trust into the design from day one.

AI Discovery: Real-Time Visibility into AI Assets

AI sprawl is a complex challenge for security and governance teams. They lack visibility into how and where AI is being used within their development and production environments. Pillar takes a unique approach to AI security that goes beyond the CI/CD pipeline and the traditional SDLC.

By integrating directly with code repositories, data platforms, AI/ML frameworks, IdPs and local environments, it can automatically find and catalog every AI asset within the organization. The platform displays a full inventory of AI apps, including models, tools, datasets, MCP servers, coding agents, meta prompts, and more. This visibility guides teams, helping form the foundation of the organizational security policy and enabling a clear understanding of the business use case, including what the application does and how the organization uses it.

Figure 1: Pillar Security automatically discovers all AI assets across the organization and flags unmonitored components to prevent security blind spots.

AI-SPM: Mapping and Managing AI Risk

After identifying all AI assets, Pillar is able to understand the security posture by analyzing each of the assets. During this stage, the platform’s AI Security Posture Management (AI-SPM) conducts a robust static and dynamic analysis of all AI assets and their interconnections. By analyzing the AI assets, Pillar creates visual representations of the identified Agentic systems, their components and their associated attack surfaces. Furthermore, it identifies supply chain, data poisoning and model/prompt/tool level risks.

These insights, which appear within the platform, enable teams to prioritize threats, as they show exactly how a threat actor may move through the system.

Figure 2: Pillar’s Policy Center provides a centralized dashboard for monitoring enterprise-wide AI compliance posture

AI Red Teaming: Simulating Attacks Before They Happen

Rather than waiting until the application is fully built, Pillar promotes a trust-by-design approach, enabling AI teams to test as they build. The platform runs simulated attacks that are tailored to the AI system use case, ranging from common techniques like prompt injections and jailbreaking to sophisticated attacks targeting business logic vulnerabilities. These Red Team activities help identify whether an AI agent can be manipulated into giving unauthorized refunds, leaking sensitive data, or executing unintended tool actions.

This process not only evaluates the model, but also the broader agentic application and its integration with external tools and APIs. Pillar also offers a unique capability through red teaming for tool use. The platform integrates threat modeling with dynamic tool activation, rigorously testing how chained tool and API calls might be weaponized in realistic attack scenarios. This advanced approach reveals vulnerabilities that traditional prompt-based testing methods are unable to detect.

For enterprises using third-party and embedded AI apps, such as copilots, or custom chatbots where they don’t have access to the underlying code, Pillar offers black-box, target-based red teaming. With just a URL and credentials, Pillar’s adversarial agents can stress-test any accessible AI application whether internal or external. These agents simulate real-world attacks to probe data boundaries and uncover exposure risks, enabling organizations to confidently assess and secure third-party AI systems without needing to integrate or customize them.

Figure 3: Pillar’s tailored red teaming tests real-world attack scenarios against an AI application’s specific use case and business logic

Guardrails: Runtime Policy Enforcement That Learns

As AI applications move into production, real-time security controls become essential.

Pillar addresses this need with a system of adaptive guardrails that monitor inputs and outputs during runtime, designed to enforce security policies without interrupting application performance. Unlike static rule sets or traditional firewalls, these guardrails are model agnostic, application-centric and continuously evolve. According to Pillar, they draw on telemetry data, insights gathered during red teaming, and threat intelligence feeds to adapt in real time to emerging attack techniques. This allows the platform to adjust its enforcement based on each application’s business logic and behavior, and be highly precise with alerts.

During the walkthrough, we saw how guardrails can be finely tuned to prevent misuse, such as data exfiltration or unintended actions, while preserving the AI’s intended behavior. Organizations can enforce their AI policy and custom code-of-conduct rules across applications with confidence that security and functionality will coexist.

Figure 4: Pillar’s adaptive guardrails monitor runtime activity to detect and flag malicious use and policy violations

Sandbox: Containing Agentic Risk

One of the most critical concerns is excessive agency. When agents can perform actions beyond their intended scopes, it can lead to unintended consequences.

Pillar addresses this during the Operate phase through secure sandboxing. AI agents, including advanced systems like coding agents and MCP servers, run inside tightly controlled environments. These isolated runtimes apply zero-trust principles to separate agents from critical infrastructure and sensitive data, while still enabling them to operate productively. Any unexpected or malicious behavior is contained without impacting the larger system.

Every action is captured and logged in detail, giving teams a granular forensic trail that can be analyzed after the fact. With this containment strategy, organizations can safely give AI agents the room they need to operate.

AI Telemetry: Observability from Prompt to Action

Security doesn’t stop once the application is live. Throughout the lifecycle, Pillar continuously collects telemetry data across the entire AI stack.

Prompts, agent actions, tool calls, and contextual metadata are all logged in real time. This telemetry powers deep investigations and compliance tracking. Security teams can trace incidents from symptom to root cause, understand anomalous behavior, and ensure AI systems are operating within policy boundaries. It’s not enough to know what happened.

It’s about understanding why something took place and how to prevent it from happening again. Due to the sensitivity of the telemetry data, Pillar can be deployed on the customer cloud for full data control.

Final Thoughts

Pillar stands apart through a combination of technical depth, real-world insight, and enterprise-grade flexibility. Founded by leaders in both offensive and defensive cybersecurity, the team has a proven track record of pioneering research that has uncovered critical vulnerabilities and produced detailed real-world attack reports.

This expertise is embedded into the platform at every level. Pillar also takes a holistic approach to AI security that extends beyond the CI/CD pipeline. By integrating security into the planning and coding phases and connecting directly to code repositories, data platforms and local environments, Pillar gains early and deep visibility into the systems being built. This context enables more precise risk analysis and highly targeted red team testing as development progresses.

The platform is powered by the industry’s largest AI threat intelligence feed, enriched by over 10 million real-world interactions. This threat data fuels automated testing, risk modeling, and adaptive defenses that evolve with the threat landscape. Finally, Pillar is built for flexible deployment. It can run on premises, in hybrid environments, or fully in the cloud, giving customers full control over sensitive data, prompts, and proprietary models.

This is a critical advantage for regulated industries where data residency and security are paramount. Together, these capabilities make Pillar a powerful and practical foundation for secure AI adoption at scale, helping innovative organizations manage AI-specific risks and gain trust in their AI systems. This article is a contributed piece from one of our valued partners.

Apple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome

Apple on Tuesday released security updates for its entire software portfolio, including a fix for a vulnerability that Google said was exploited as a zero-day in the Chrome web browser earlier this month. The vulnerability, tracked as CVE-2025-6558 (CVSS score: 8.8), is an incorrect validation of untrusted input in the browser’s ANGLE and GPU components that could result in a sandbox escape via a crafted HTML page. While there are no details on how the issue has been weaponized by threat actors, Google acknowledged that an “exploit for CVE-2025-6558 exists in the wild.” Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) have been credited with discovering and reporting the shortcoming. The iPhone maker, in its latest round of software updates, also included patches for CVE-2025-6558, stating the vulnerability impacts the WebKit browser engine that powers its Safari browser.

“This is a vulnerability in open-source code and Apple Software is among the affected projects,” the company said in an advisory, adding it could be exploited to result in an unexpected crash of Safari when processing maliciously crafted web content. The bug has been addressed in the following versions -

  • iOS 18.6 and iPadOS 18.6 - iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
  • iPadOS 17.7.9 - iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation
  • macOS Sequoia 15.6 - Macs running macOS Sequoia
  • tvOS 18.6 - Apple TV HD and Apple TV 4K (all models)
  • watchOS 11.6 - Apple Watch Series 6 and later
  • visionOS 2.6 - Apple Vision Pro

While there is no evidence that the vulnerability has been used to target Apple device users, it’s always a good practice to update to the latest versions of the software for optimal protection.

Critical Dahua Camera Flaws Enable Remote Hijack via ONVIF and File Upload Exploits

Cybersecurity researchers have disclosed now-patched critical security flaws in the firmware of Dahua smart cameras that, if left unaddressed, could allow attackers to hijack control of susceptible devices. “The flaws, affecting the device’s ONVIF protocol and file upload handlers, allow unauthenticated attackers to execute arbitrary commands remotely, effectively taking over the device,” Bitdefender said in a report shared with The Hacker News. The vulnerabilities, tracked as CVE-2025-31700 and CVE-2025-31701 (CVSS scores: 8.1), affect the following devices running versions with build timestamps before April 16, 2025 -

  • IPC-1XXX Series
  • IPC-2XXX Series
  • IPC-WX Series
  • IPC-ECXX Series
  • SD3A Series
  • SD2A Series
  • SD3D Series
  • SDT2A Series
  • SD2C Series

It’s worth noting that users can view the build time by logging in to the web interface of the device and then navigating to Settings -> System Information -> Version. Both shortcomings are classified as buffer overflow vulnerabilities that could be exploited by sending specially crafted malicious packets, resulting in denial-of-service or remote code execution (RCE).

Specifically, CVE-2025-31700 has been described as a stack-based buffer overflow in the Open Network Video Interface Forum (ONVIF) request handler, while CVE-2025-31701 concerns an overflow bug in the RPC file upload handler. “Some devices may have deployed protection mechanisms such as Address Space Layout Randomization (ASLR), which reduces the likelihood of successful RCE exploitation,” Dahua said in an alert released last week. “However, denial-of-service (DoS) attacks remain a concern.” Given that these models are used for video surveillance in retail, casinos, warehouses, and residential settings, the flaws can have significant consequences as they are unauthenticated and exploitable over the local network. “Devices exposed to the internet through port forwarding or UPnP are especially at risk,” the Romanian cybersecurity company said.

“Successful exploitation provides root-level access to the camera with no user interaction. Because the exploit path bypasses firmware integrity checks, attackers can load unsigned payloads or persist via custom daemons, making cleanup difficult.”

Chinese Firms Linked to Silk Typhoon Filed 15+ Patents for Cyber Espionage Tools

Chinese companies linked to the state-sponsored hacking group known as Silk Typhoon (aka Hafnium) have been identified as behind over a dozen technology patents, shedding light on the shadowy cyber contracting ecosystem and its offensive capabilities. The patents cover forensics and intrusion tools that enable encrypted endpoint data collection, Apple device forensics, and remote access to routers and smart home devices, SentinelOne said in a new report shared with The Hacker News. “This new insight into the Hafnium-affiliated firms’ capabilities highlights an important deficiency in the threat actor attribution space: threat actor tracking typically links campaigns and clusters of activity to a named actor,” Dakota Cary, China-focused strategic advisor for SentinelLabs, said. “Our research demonstrates the strength in identifying not only the individuals behind attacks, but the companies they work for, the capabilities those companies have, and how those capabilities fortify the initiatives of the state entities who contract with these firms.”

The findings build upon the U.S. Department of Justice’s (DoJ) July 2025 indictment of Xu Zewei and Zhang Yu, who, working on behalf of China’s Ministry of State Security (MSS), are accused of orchestrating the widespread exploitation campaign in 2021 aimed at Microsoft Exchange Server using then-zero-days dubbed ProxyLogon. Court documents alleged that Zewei worked for a company named Shanghai Powerock Network Co. Ltd., while Yu was employed at Shanghai Firetech Information Science and Technology Company, Ltd. Both individuals are said to have operated under the discretion of the Shanghai State Security Bureau (SSSB).

Interestingly, Natto Thoughts reported that Powerock deregistered its business on April 7, 2021, a little over a month after Microsoft pointed fingers at China for the zero-day exploitation activity. Zewei would then go on to join Chaitin Tech, another prominent cybersecurity firm, only to change jobs again and begin working as an IT manager at Shanghai GTA Semiconductor Ltd. It’s worth mentioning at this stage that Yin Kecheng, another hacker tied to Silk Typhoon who was indicted by the U.S. in March 2025, is said to have been employed at a third Chinese firm named Shanghai Heiying Information Technology Company, Limited, which was established by Zhou Shuai, a Chinese patriotic hacker and purported data broker.

“Shanghai Firetech worked on specific tasking handed down from MSS officers,” Cary explained. “Shanghai Firetech and co-conspirators earned an on-going, trusting relationship with the MSS’s premier regional office, the SSSB.” “This ‘directed’ nature of the relationship between the SSSB and these two companies contours the tiered system of offensive hacking outfits in China.” Further investigation into the web of connections between the individuals and their companies has uncovered patents filed by Shanghai Firetech and Shanghai Siling Commerce Consulting Center, a firm jointly founded by Yu and Yin Wenji, CEO of Shanghai Firetech, to collect “evidence” from Apple devices, routers, and defensive equipment. There is also evidence to suggest that Shanghai Firetech is engaged in developing solutions that could enable close access operations against individuals of interest. “The variety of tools under the control of Shanghai Firetech exceeds those attributed to Hafnium and Silk Typhoon publicly,” Cary said.

“The capabilities may have been sold to other regional MSS offices, and thus not attributed to Hafnium, despite being owned by the same corporate structure.”