2025-09-08 AI Startup News

Noisy Bear Targets Kazakhstan Energy Sector With BarrelFire Phishing Campaign

A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025. “The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments,” security researcher Subhajeet Singha said.

The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named “KazMunayGaz_Viewer.” The email, per the cybersecurity company, was sent from a compromised email address of an individual working in the finance department of KazMunaiGas and targeted other employees of the firm in May 2025. The LNK file payload is designed to drop additional payloads, including a malicious batch script that paves the way for a PowerShell loader dubbed DOWNSHELL. The attacks culminate with the deployment of a DLL-based implant, a 64-bit binary that can run shellcode to launch a reverse shell. Further analysis of the threat actor’s infrastructure has revealed that it’s hosted on the Russia-based bulletproof hosting (BPH) service provider Aeza Group, which was sanctioned by the U.S. in July 2025 for enabling malicious activities.

The development comes as HarfangLab linked a Belarus-aligned threat actor known as Ghostwriter (aka FrostyNeighbor or UNC1151) to campaigns targeting Ukraine and Poland since April 2025 with rogue ZIP and RAR archives that are aimed at collecting information about compromised systems and deploying implants for further exploitation. “These archives contain XLS spreadsheets with a VBA macro that drops and loads a DLL,” the French cybersecurity company said. “The latter is responsible for collecting information about the compromised system and retrieving next-stage malware from a command-and-control (C2) server.” Subsequent iterations of the campaign have been found to write a Microsoft Cabinet (CAB) file along with the LNK shortcut to extract and run the DLL from the archive.

The DLL then proceeds to conduct initial reconnaissance before dropping the next-stage malware from the external server. The attacks targeting Poland, on the other hand, tweak the attack chain to use Slack as a beaconing mechanism and data exfiltration channel, downloading in return a second-stage payload that establishes contact with the domain pesthacks[.]icu. At least in one instance, the DLL dropped through the macro-laced Excel spreadsheet is used to load a Cobalt Strike Beacon to facilitate further post-exploitation activity. “These minor changes suggest that UAC-0057 may be exploring alternatives, in a likely attempt to work around detection, but prioritizes the continuity or development of its operations over stealthiness and sophistication,” HarfangLab said.

Cyber Attacks Reported Against Russia

The findings come amid OldGremlin’s renewed extortion attacks on Russian companies in the first half of 2025, targeting as many as eight large domestic industrial enterprises using phishing email campaigns. The intrusions, per Kaspersky, involved the use of the bring your own vulnerable driver (BYOVD) technique to disable security solutions on victims’ computers and the legitimate Node.js interpreter to execute malicious scripts. Phishing attacks aimed at Russia have also delivered a new information stealer called Phantom Stealer, which is based on an open-source stealer codenamed Stealerium, to collect a wide range of sensitive information using email baits related to adult content and payments. It also shares overlaps with another Stealerium offshoot known as Warp Stealer.

According to F6, Phantom Stealer also inherits Stealerium’s “PornDetector” module that captures webcam screenshots when users visit pornographic websites by keeping tabs on the active browser window and whether the title includes a configurable list of terms like porn and sex, among others. “This is likely later used for ‘sextortion,’” Proofpoint said in its own analysis of the malware. “While this feature is not novel among cybercrime malware, it is not often observed.” In recent months, Russian organizations have also been at the receiving end of attacks perpetrated by hacking groups tracked as Cloud Atlas, PhantomCore, and Scaly Wolf to harvest sensitive information and deliver additional payloads using malware families such as VBShower, PhantomRAT, and PhantomRShell. Another cluster of activity involves a new Android malware that masquerades as an antivirus tool created by Russia’s Federal Security Services agency (FSB) to single out representatives of Russian businesses.

The apps carry names like SECURITY_FSB, ФСБ (Russian for FSB), and GuardCB, the last of which is an attempt to pass off as the Central Bank of the Russian Federation. First discovered in January 2025, the malware exfiltrates data from messenger and browser apps, streams from the phone’s camera, and logs keystrokes by seeking extensive permissions to access SMS messages, location, audio, and camera. It also requests permission to run in the background, device administrator rights, and accessibility services. “The app’s interface provides only one language – Russian,” Doctor Web said.

“Thus, the malware is entirely focused on Russian users. The backdoor also uses accessibility services to protect itself from being deleted if it receives the corresponding command from the threat actors.”

Malicious npm Packages Impersonate Flashbots, Steal Ethereum Wallet Keys

A new set of four malicious packages has been discovered in the npm package registry with capabilities to steal cryptocurrency wallet credentials from Ethereum developers. “The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor,” Socket researcher Kush Pandya said in an analysis. The packages were uploaded to npm by a user named “flashbotts,” with the earliest library uploaded as far back as September 2023. The most recent upload took place on August 19, 2025.

The packages in question, all of which are still available for download as of writing, are listed below -
@flashbotts/ethers-provider-bundle (52 Downloads)
flashbot-sdk-eth (467 Downloads)
sdk-ethers (90 Downloads)
gram-utilz (83 Downloads)

The impersonation of Flashbots is not coincidental, given its role in combating the adverse effects of Maximal Extractable Value (MEV) on the Ethereum network, such as sandwich, liquidation, backrunning, front-running, and time-bandit attacks. The most dangerous of the identified libraries is “@flashbotts/ethers-provider-bundle,” which uses its functional cover to conceal the malicious operations. Under the guise of offering full Flashbots API compatibility, the package incorporates stealthy functionality to exfiltrate environment variables over SMTP using Mailtrap. In addition, the npm package implements a transaction manipulation function to redirect all unsigned transactions to an attacker-controlled wallet address and log metadata from pre-signed transactions.

sdk-ethers, per Socket, is mostly benign but includes two functions to transmit mnemonic seed phrases to a Telegram bot that are only activated when they are invoked by unwitting developers in their own projects. The second package to impersonate Flashbots, flashbot-sdk-eth, is also designed to trigger the theft of private keys, while gram-utilz offers a modular mechanism for exfiltrating arbitrary data to the threat actor’s Telegram chat. With mnemonic seed phrases serving as the “master key” to recover access to cryptocurrency wallets, theft of these sequences of words can allow threat actors to break into victims’ wallets and gain complete control over them. The presence of Vietnamese language comments in the source code suggests that the financially-motivated threat actor may be Vietnamese-speaking.

The findings indicate a deliberate effort on the part of the attackers to weaponize the trust associated with the platform to conduct software supply chain attacks, not to mention obscure the malicious functionality amidst mostly harmless code to sidestep scrutiny. “Because Flashbots is widely trusted by validators, searchers, and DeFi developers, any package that appears to be an official SDK has a high chance of being adopted by operators running trading bots or managing hot wallets,” Pandya pointed out. “A compromised private key in this environment can lead to immediate, irreversible theft of funds.” “By exploiting developer trust in familiar package names and padding malicious code with legitimate utilities, these packages turn routine Web3 development into a direct pipeline to threat actor-controlled Telegram bots.”
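Added example (not from the article or from Socket): a lockfile check for the four package names listed above. Treating every package under the `@flashbotts` scope as suspect is an assumption of this example, the sample lockfile and its versions are constructed, and the `npm:` alias form handled for v1 lockfiles is assumed to follow npm v6 behaviour.

```python
import json

# Package names exactly as listed in the article.
FLAGGED_NAMES = {
    "@flashbotts/ethers-provider-bundle",
    "flashbot-sdk-eth",
    "sdk-ethers",
    "gram-utilz",
}
# Assumption of this example: anything under the uploader's look-alike scope is suspect.
FLAGGED_SCOPES = {"@flashbotts"}


def is_flagged(name):
    scope = name.split("/", 1)[0] if name.startswith("@") else None
    return name in FLAGGED_NAMES or scope in FLAGGED_SCOPES


def name_from_path(path):
    # "node_modules/a/node_modules/@s/b" -> "@s/b"
    return path.rsplit("node_modules/", 1)[-1]


def walk_v1(deps, trail, hits):
    """Lockfile v1 nests transitive dependencies under 'dependencies'."""
    for name, meta in (deps or {}).items():
        here = trail + [name]
        version = meta.get("version", "?")
        # Assumed npm v6 form for an aliased install: "npm:<real-name>@<version>".
        real = version[4:].rsplit("@", 1)[0] if version.startswith("npm:") else name
        if is_flagged(real):
            hits.append((real, version, " > ".join(here)))
        walk_v1(meta.get("dependencies"), here, hits)


def find_flagged_packages(lock_text):
    """Return sorted (package, version, location) tuples for flagged entries."""
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        # An aliased install keeps the real package name in "name".
        name = meta.get("name") or name_from_path(path)
        if is_flagged(name):
            hits.append((name, meta.get("version", "?"), path))
    if "packages" not in lock:  # v1 lockfile: no flat "packages" map
        walk_v1(lock.get("dependencies"), [], hits)
    return sorted(set(hits))


# Constructed sample lockfile (v3 layout): one direct hit, one nested, one aliased.
SAMPLE_LOCK = json.dumps({
    "name": "trading-bot",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-bot", "version": "1.0.0"},
        "node_modules/ethers": {"version": "6.0.0"},
        "node_modules/@flashbotts/ethers-provider-bundle": {"version": "0.0.1"},
        "node_modules/helper/node_modules/gram-utilz": {"version": "0.0.2"},
        "node_modules/eth-sdk": {"name": "sdk-ethers", "version": "0.0.3"},
    },
})

if __name__ == "__main__":
    for hit in find_flagged_packages(SAMPLE_LOCK):
        print(hit)
```

Because the packages targeted private keys, mnemonic seeds and environment variables, a hit means the secrets reachable from that project should be treated as exposed, not just the dependency removed.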

CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation

Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. “Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said.

“This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.” Google-owned Mandiant, which discovered the active ViewState deserialization attack, said the activity leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. The threat intelligence team did not link the activity to a known threat actor or group. “The attacker’s deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation,” researchers Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, and Choon Kiat Ng said. The abuse of publicly disclosed ASP.NET machine keys was first documented by Microsoft in February 2025, with the tech giant observing limited exploitation activity dating back to December 2024, in which unknown threat actors leveraged the keys to deliver the Godzilla post-exploitation framework.

Two months later, a similar zero-day vulnerability in Gladinet’s CentreStack, tracked as CVE-2025-30406 (CVSS score: 9.0), came under exploitation. It stemmed from an improperly protected machineKey that could expose internet-accessible servers to remote code execution attacks. Then in May 2025, ConnectWise disclosed an improper authentication flaw impacting ScreenConnect (CVE-2025-3935, CVSS score: 8.1) that it said had been exploited in the wild by a nation-state threat actor to conduct ViewState code injection attacks targeting a small set of customers. As recently as July, the Initial Access Broker (IAB) known as Gold Melody was attributed to a campaign that exploits leaked ASP.NET machine keys to obtain unauthorized access to organizations and sell that access to other threat actors.

In the attack chain documented by Mandiant, CVE-2025-53690 is weaponized to achieve initial compromise of the internet-facing Sitecore instance, leading to the deployment of a combination of open-source and custom tools to facilitate reconnaissance, remote access, and Active Directory reconnaissance. The ViewState payload delivered using the sample machine key specified in publicly available deployment guides is a .NET assembly dubbed WEEPSTEEL, which is capable of gathering system, network, and user information, and exfiltrating the details back to the attacker. The malware borrows some of its functionality from an open-source Python tool named ExchangeCmdPy.py. With the access obtained, the attackers have been found to establish a foothold, escalate privileges, maintain persistence, conduct internal network reconnaissance, and move laterally across the network, ultimately leading to data theft.

Some of the tools used during these phases are listed below -
EarthWorm for network tunneling using SOCKS
DWAgent for persistent remote access and Active Directory reconnaissance to identify Domain Controllers within the target network
SharpHound for Active Directory reconnaissance
GoTokenTheft for listing unique user tokens active on the system, executing commands using the tokens of users, and listing all running processes and their associated user tokens
Remote Desktop Protocol (RDP) for lateral movement

The threat actors have also been observed creating local administrator accounts (asp$ and sawadmin) to dump SAM/SYSTEM hives in an attempt to obtain administrator credential access and facilitate lateral movement via RDP. “With administrator accounts compromised, the earlier created asp$ and sawadmin accounts were removed, signaling a shift to more stable and covert access methods,” Mandiant added. To counter the threat, organizations are recommended to rotate the ASP.NET machine keys, lock down configurations, and scan their environments for signs of compromise. “The upshot of CVE-2025-53690 is that an enterprising threat actor somewhere has apparently been using a static ASP.NET machine key that was publicly disclosed in product docs to gain access to exposed Sitecore instances,” Caitlin Condon, VP of security research at VulnCheck, told The Hacker News.

“The zero-day vulnerability arises from both the insecure configuration itself (i.e., use of the static machine key) and the public exposure — and as we’ve seen plenty of times before, threat actors definitely read documentation. Defenders who even slightly suspect they might be affected should rotate their machine keys immediately and ensure, wherever possible, that their Sitecore installations are not exposed to the public internet.” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said the issue is the result of Sitecore customers copying and pasting example keys from official documentation, rather than generating unique, random ones. “Any deployment running with these known keys was left exposed to ViewState deserialization attacks, a straight path right to Remote Code Execution (RCE),” Dewhurst added. “Sitecore has confirmed that new deployments now generate keys automatically and that all affected customers have been contacted.

The blast radius remains unknown, but this bug exhibits all the characteristics that typically define severe vulnerabilities. The wider impact has not yet surfaced, but it will.”
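Added example (not from the article, Mandiant or Sitecore): an audit of a web.config for the condition described above, a static `machineKey` copied from documentation instead of a generated one. The published-key value is a constructed placeholder, not the key from the Sitecore guides, and the severity labels are this example's own.

```python
import hashlib
import xml.etree.ElementTree as ET

AUTO_DEFAULT = "AutoGenerate,IsolateApps"  # ASP.NET default when the attribute is absent


def key_fingerprint(key_hex):
    """SHA-256 of the normalised key, so scan reports never carry the key itself."""
    return hashlib.sha256(key_hex.strip().upper().encode("utf-8")).hexdigest()


# Constructed placeholder, NOT the key from the Sitecore deployment guides.
# Replace with fingerprints of keys that documentation or samples have published.
PLACEHOLDER_PUBLISHED_KEY = "0123456789ABCDEF" * 8
KNOWN_PUBLIC_KEYS = {key_fingerprint(PLACEHOLDER_PUBLISHED_KEY)}


def audit_machine_key(web_config_text, known_public=KNOWN_PUBLIC_KEYS):
    """Return (severity, attribute, detail) tuples for every <machineKey> found."""
    root = ET.fromstring(web_config_text)
    # Match on the local name so namespaced files and <location> blocks are covered.
    elements = [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "machineKey"]
    if not elements:
        return [("ok", "machineKey", "not set in this file; inherited setting applies")]
    findings = []
    for el in elements:
        if el.get("configSource"):
            # The real values live in another file, which must be audited as well.
            findings.append(("review", "configSource", el.get("configSource")))
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = el.get(attr, AUTO_DEFAULT)
            if value.split(",")[0].strip().lower() == "autogenerate":
                findings.append(("ok", attr, "auto-generated"))
            elif key_fingerprint(value) in known_public:
                findings.append(("critical", attr, "matches a published key; rotate now"))
            else:
                findings.append(("warn", attr, "static key; confirm it is unique and secret"))
    return findings


def build_config(validation_key, decryption_key):
    """Constructed sample web.config fragment used to exercise the audit."""
    return (
        "<configuration><system.web>"
        f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" />'
        "</system.web></configuration>"
    )


if __name__ == "__main__":
    sample = build_config(PLACEHOLDER_PUBLISHED_KEY, AUTO_DEFAULT)
    for finding in audit_machine_key(sample):
        print(finding)
```

A "warn" result still needs a human answer: a static key is legitimate in a web farm, but only if it was generated for that deployment and never shared.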

TAG-150 Develops CastleRAT in Python and C, Expanding CastleLoader Malware Operations

The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT. “Available in both Python and C variants, CastleRAT’s core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell,” Recorded Future Insikt Group said. The cybersecurity company is tracking the threat actor behind the malware families as TAG-150. Believed to be active since at least March 2025, CastleLoader et al are seen as initial access vectors for a wide range of secondary payloads, including remote access trojans, information stealers, and even other loaders.

CastleLoader (aka CastleBot) was first documented by Swiss cybersecurity company PRODAFT in July 2025, as having been put to use in various campaigns distributing DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader. A subsequent analysis from IBM X-Force last month found that the malware has also served as a conduit for MonsterV2 and WARMCOOKIE through SEO poisoning and GitHub repositories impersonating legitimate software. “Infections are most commonly initiated through Cloudflare-themed ‘ClickFix’ phishing attacks or fraudulent GitHub repositories masquerading as legitimate applications,” Recorded Future said. “The operators employ the ClickFix technique by leveraging domains that imitate software development libraries, online meeting platforms, browser update alerts, and document verification systems.” Evidence indicates that TAG-150 has been working on CastleRAT since March 2025, with the threat actor leveraging a multi-tiered infrastructure comprising Tier 1 victim-facing command-and-control (C2) servers, as well as Tier 2 and Tier 3 servers that are mostly virtual private servers (VPSes), and Tier 4 backup servers.

CastleRAT, the newly discovered addition to TAG-150’s arsenal, can download next-stage payloads, enable remote shell capabilities, and even delete itself. It also uses Steam Community profiles as dead drop resolvers to point to the actual C2 servers (“programsbookss[.]com”). Notably, CastleRAT comes in two versions, one written in C and the other, programmed in Python, with the latter also called PyNightshade. It’s worth noting that eSentire is tracking the same malware under the name NightshadeC2.

The C variant of CastleRAT incorporates more functionality, allowing it to log keystrokes, capture screenshots, upload/download files, and function as a cryptocurrency clipper to substitute wallet addresses copied to the clipboard with an attacker-controlled one with the aim of redirecting transactions. “As with the Python variant, the C variant queries the widely abused IP geolocation service ip-api[.]com to collect information based on the infected host’s public IP address,” Recorded Future said. “However, the scope of data has been expanded to include the city, ZIP code, and indicators of whether the IP is associated with a VPN, proxy, or TOR node.” That said, recent iterations of the C variant of CastleRAT have removed querying of the city and ZIP code from ip-api[.]com, indicating active development. It remains to be seen if its Python counterpart will attain feature parity.

eSentire, in its own analysis of NightshadeC2, described it as a botnet that’s deployed by means of a .NET loader, which, in turn, makes use of techniques like UAC Prompt Bombing to sidestep security protections. The Canadian cybersecurity company said it also identified variants equipped with features to extract passwords and cookies from Chromium- and Gecko-based web browsers. In a nutshell, the process involves running a PowerShell command in a loop that attempts to add an exclusion in Windows Defender for the final payload (i.e., NightshadeC2), after which the loader verifies the exit code of the PowerShell process to ascertain if it’s 0 (meaning success). If the exclusion is successfully added, the loader proceeds to deliver the malware.

If any exit code other than 0 is returned, the loop keeps executing repeatedly, forcing the user to approve the User Account Control (UAC) prompt. “A particularly notable aspect of this approach is that systems with the WinDefend (Windows Defender) service disabled will generate non-zero exit codes, causing malware analysis sandboxes to become trapped in the execution loop,” eSentire said, adding the method enables a bypass of multiple sandbox solutions. Given the absence of any dark web advertisements related to TAG-150, it’s currently not clear how the services are distributed to other actors. But it’s possible that they are being promoted within a trusted circle of affiliates.
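Added example (not from the article or from eSentire): detection logic for the retry loop described above, run over constructed process-creation events. It assumes the exclusion is attempted with the Defender cmdlet `Add-MpPreference`, which the article does not name; the event field names, hosts, paths, threshold and window are this example's own.

```python
import base64
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the exclusion is added via Add-MpPreference -Exclusion{Path,Process,Extension}.
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I | re.S)
# PowerShell accepts any prefix of -EncodedCommand (-e, -enc, ...).
ENCODED_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def effective_command(cmdline):
    """Return the command line plus its decoded -EncodedCommand payload, if any."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return cmdline
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers bad Base64 and bad UTF-16
        return cmdline
    return cmdline + " " + decoded


def find_exclusion_loops(events, threshold=3, window=timedelta(minutes=2)):
    """Map (host, parent process) -> peak count of exclusion attempts inside the window.

    One exclusion command is routine administration; the same parent spawning it
    again and again in a short span is the loop behaviour described in the article.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        image = ev["image"].lower()
        if "powershell" not in image and "pwsh" not in image:
            continue
        if not EXCLUSION_RE.search(effective_command(ev["cmdline"])):
            continue
        key = (ev["host"], ev["parent"])
        times = recent[key]
        times.append(ev["time"])
        while ev["time"] - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(times))
    return alerts


# Constructed sample events; every host, path and time below is made up.
T0 = datetime(2025, 9, 1, 10, 0, 0)
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
LOADER = "C:\\Users\\Public\\loader.exe"
PLAIN = "powershell -ep bypass -c Add-MpPreference -ExclusionPath C:\\Temp\\a.exe"
ENCODED = "powershell -NoP -enc " + base64.b64encode(
    "Add-MpPreference -ExclusionPath C:\\Temp\\a.exe".encode("utf-16-le")).decode()


def make_event(seconds, host, parent, cmdline):
    return {"time": T0 + timedelta(seconds=seconds), "host": host,
            "parent": parent, "image": PS, "cmdline": cmdline}


SAMPLE_EVENTS = [
    make_event(0, "WS01", LOADER, PLAIN),
    make_event(15, "WS01", LOADER, PLAIN),
    make_event(30, "WS01", LOADER, PLAIN),
    make_event(45, "WS01", LOADER, ENCODED),
    make_event(50, "WS01", LOADER, "powershell -c Get-MpPreference"),
    make_event(20, "ADMIN01", "C:\\Windows\\explorer.exe", PLAIN),  # single admin action
]

if __name__ == "__main__":
    print(find_exclusion_loops(SAMPLE_EVENTS))
```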

Needless to say, the emergence of CastleRAT is a sign that the operators may be looking to build an end-to-end toolset, allowing them to not only charge more for a subscription, but also fine-tune their operations at a faster pace. The development comes as Hunt.io detailed another malware loader codenamed TinyLoader that has been used to serve Redline Stealer and DCRat. Besides establishing persistence by modifying Windows Registry settings, the malware monitors the clipboard and instantly replaces copied crypto wallet addresses. Its C2 panels are hosted across Latvia, the U.K., and the Netherlands.

“TinyLoader installs both Redline Stealer and cryptocurrency stealers to harvest credentials and hijack transactions,” the company said. “It spreads through USB drives, network shares, and fake shortcuts that trick users into opening it.” The findings also coincide with the discovery of two new malware families, a Windows-based keylogger called TinkyWinkey and a Python information stealer referred to as Inf0s3c Stealer, that can collect keyboard input and gather extensive system information, respectively. Further analysis of Inf0s3c Stealer has identified points of similarity with Blank Grabber and Umbral-Stealer, two other publicly available malware families, suggesting that the same author could be responsible for all three strains. “TinkyWinkey represents a highly capable and stealthy Windows-based keylogger that combines persistent service execution, low-level keyboard hooks, and comprehensive system profiling to gather sensitive information,” CYFIRMA said.

Inf0s3c Stealer “systematically collects system details, including host identifiers, CPU information, and network configuration, and captures screenshots. It enumerates running processes and generates hierarchical views of user directories, such as Desktop, Documents, Pictures, and Downloads.”

SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild

A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild. The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of its monthly updates last month. “SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC,” according to a description of the flaw in the NIST National Vulnerability Database (NVD). “This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks.”

Successful exploitation of the defect could result in a full system compromise of the SAP environment, subverting the confidentiality, integrity, and availability of the system. In short, it can permit attackers to modify the SAP database, create superuser accounts with SAP_ALL privileges, download password hashes, and alter business processes. SecurityBridge Threat Research Labs, in an alert issued Thursday, said it has observed active exploitation of the flaw, stating the issue impacts both on-premise and Private Cloud editions. “Exploitation requires access only to a low-privileged user to fully compromise an SAP system,” the company said.

“A complete system compromise with minimal effort required, where successful exploitation can easily lead to fraud, data theft, espionage, or the installation of ransomware.” It also noted that while widespread exploitation has not yet been detected, threat actors possess the knowledge to use it, and that reverse engineering the patch to create an exploit is “relatively easy.” As a result, organizations are advised to apply the patches as soon as possible, monitor logs for suspicious RFC calls or new admin users, and ensure appropriate segmentation and backups are in place. “Consider implementing SAP UCON to restrict RFC usage and review and restrict access to authorization object S_DMIS activity 02,” it also said.

Update: Cybersecurity vendor Pathlock has also revealed it “detected outlier activity consistent with exploitation attempts of CVE-2025-42957,” warning “any organization that has not yet applied SAP’s August 2025 security notes is at risk.”

Automation Is Redefining Pentest Delivery

Pentesting remains one of the most effective ways to identify real-world security weaknesses before adversaries do. But as the threat landscape has evolved, the way we deliver pentest results hasn’t kept pace. Most organizations still rely on traditional reporting methods—static PDFs, emailed documents, and spreadsheet-based tracking. The problem?

These outdated workflows introduce delays, create inefficiencies, and undermine the value of the work. Security teams need faster insights, tighter handoffs, and clearer paths to remediation. That’s where automated delivery comes in. Platforms like PlexTrac automate pentest finding delivery in real time through robust, rules-based workflows.

(No waiting for the final report!)

The Static Delivery Problem in a Dynamic World

Delivering a pentest report solely as a static document might have made sense a decade ago, but today it’s a bottleneck. Findings are buried in long documents that don’t align with how teams operate day-to-day. After receiving the report, stakeholders must manually extract findings, create tickets in platforms like Jira or ServiceNow, and coordinate remediation tracking through disconnected workflows. By the time remediation begins, days or weeks may have passed since the issues were discovered.

Why Automation Matters Now

As organizations adopt Continuous Threat Exposure Management (CTEM) and expand the frequency of offensive testing, the volume of findings rapidly grows. Without automation, teams struggle to keep up. Automating delivery helps cut through the noise and deliver results in real time for faster handoffs and visibility across the entire vulnerability lifecycle.

Benefits of automating pentest delivery include:
Real-time actionability: Act on findings immediately, not after the report is finalized
Faster response: Accelerate remediation, retesting and validation
Standardized operations: Ensure every finding follows a consistent process
Less manual work: Free teams to focus on strategic initiatives
Improved focus: Keep teams focused on what matters

Service providers gain a competitive advantage by automating delivery and integrating directly into client workflows, making themselves an indispensable partner to drive client value.

For enterprises, it’s a fast track to operational maturity and a measurable reduction in mean time to remediation (MTTR).

5 Key Components of Automated Pentest Delivery

Centralized data ingestion
Start by consolidating all findings—manual and automated—into a single source of truth. This includes outputs from scanners (like Tenable, Qualys, Wiz, Snyk) as well as manual pentest findings. Without centralization, vulnerability management becomes a patchwork of disconnected tools and manual processes.

Automated real-time delivery
As findings are identified, they should be automatically routed to the right people and workflows without waiting for the full report. Predefined rulesets should trigger triage, ticketing, and tracking to allow remediation to begin while testing is still in progress.

Automated routing & ticketing
Standardize routing by defining rules based on severity, asset ownership, and exploitability. Automation can assign findings, generate tickets in tools like Jira or ServiceNow, notify stakeholders through Slack or email, and close out informational issues to ensure findings are automatically routed to the right teams and systems.

Standardized remediation workflows
Every finding from your centralized data should follow the same lifecycle from triage to closure based on the criteria you’ve set, regardless of source. Whether it’s discovered from a scanner or manual testing, the process from triage to fix should be consistent and traceable.

Triggered retesting & validation
When a finding is marked as resolved, automation should trigger the appropriate retesting or validation workflow. This ensures nothing slips through the cracks and keeps communication between security and IT teams coordinated and closed-loop.

PlexTrac supports each of these capabilities through its Workflow Automation Engine, helping teams unify and accelerate delivery, remediation, and closure in one platform.

Avoid Common Pitfalls

Automation is about more than just speed. It’s about building standardized, scalable systems. However, if not implemented thoughtfully, it can create new problems.

Watch out for:

Overcomplicating early efforts
Trying to automate everything at once can stall momentum. Start small and focus on a few repeatable workflows first. Add complexity over time and expand as you validate success.

Treating automation as a one-time setup
Your workflows should evolve alongside your tools, team structure, and priorities. Failing to iterate leads to stale processes that no longer align with how teams operate.

Automating without clearly defined workflows
Jumping into automation without first mapping out your current workflows often leads to chaos. Without clear rules for routing, ownership, and escalation, automation may create more problems than it solves.

How to get started

Here’s how to begin automating pentest delivery:

Map your current workflow
Document how findings are delivered, triaged, assigned, and tracked today.

Identify friction points
Look for repetitive tasks, handoff delays, and areas where communication breaks down.

Start small
Automate one or two high-impact steps first, like ticket creation, email alerts, or finding delivery. Add complexity over time as you validate what’s working well and use early results to evolve workflows, add rules, and further streamline.

Choose the right platform
Look for solutions that integrate with your existing tools and provide visibility across the vulnerability lifecycle.

Measure impact
Track metrics like MTTR, handoff delays, and retest completion to show the value of your efforts.

The Future of Pentest Delivery

Security teams are shifting from reactive testing to proactive exposure management. Pentest delivery automation is a key part of that evolution to help teams move faster, collaborate better, and reduce risk more effectively. For Service Providers, this is a chance to differentiate services, scale operations, and deliver more value with less overhead. For Enterprise teams, it means driving maturity, demonstrating progress, and staying ahead of emerging threats.

Conclusion

Pentesting is too important to be stuck in static reports and manual workflows. By automating delivery, routing, and remediation tracking, organizations can unlock the full value of their offensive security efforts by making findings more actionable, standardizing remediation workflows, and delivering measurable outcomes. Whether you’re delivering tests to clients or to an internal team, the message is clear: The future of pentest delivery is automated.

Want to see what automated pentest workflows look like in action? Platforms like PlexTrac centralize security data from both manual testing and automated tools , enabling real-time delivery and standardized workflows across the entire vulnerability lifecycle. Found this article interesting? This article is a contributed piece from one of our valued partners.

VirusTotal Finds 44 Undetected SVG Files Used to Deploy Base64-Encoded Phishing Pages

Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics (SVG) files as part of phishing attacks impersonating the Colombian judicial system. The SVG files, according to VirusTotal, are distributed via email and designed to execute an embedded JavaScript payload, which then decodes and injects a Base64-encoded HTML phishing page masquerading as a portal for Fiscalía General de la Nación, the Office of the Attorney General of Colombia. The page then simulates an official government document download process with a fake progress bar, while it stealthily triggers the download of a ZIP archive in the background. The exact nature of the ZIP file was not disclosed.
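A mail-gateway triage check for the SVG technique described above, as an added example that is not VirusTotal's tooling: it flags SVG attachments by structure (script elements, event handlers, Base64 runs that decode to HTML) rather than by signature. The function names, thresholds, and both sample files are assumptions constructed for illustration; the suspicious sample carries only an inert string.

```python
import base64
import re
from html.parser import HTMLParser

# Byte markers suggesting a decoded blob is an HTML page, not image data.
HTML_MARKERS = (b"<html", b"<body", b"<form", b"<input", b"<iframe")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


class SvgAudit(HTMLParser):
    """Tolerant tag walker; unlike an XML parser it never expands entities."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = set()
        self.script_chars = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.findings.add("script-element")
        elif tag == "foreignobject":  # HTMLParser lower-cases tag names
            self.findings.add("foreignObject")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.add("event-handler:" + name)
            if name in ("href", "xlink:href") and value.startswith("javascript:"):
                self.findings.add("javascript-uri")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_chars += len(data)


def decoded_html_blobs(text):
    """Return Base64 runs in `text` whose decoded bytes look like HTML."""
    hits = []
    for match in B64_RUN.finditer(text):
        run = match.group(0)
        if "=" not in run:
            run = run[: len(run) - len(run) % 4]  # trim to a decodable length
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if any(marker in raw.lower() for marker in HTML_MARKERS):
            hits.append(raw)
    return hits


def scan_svg(data: bytes) -> dict:
    """Summarise active content in one SVG attachment."""
    text = data.decode("utf-8", errors="replace")
    audit = SvgAudit()
    audit.feed(text)
    audit.close()
    blobs = decoded_html_blobs(text)
    findings = sorted(audit.findings)
    if blobs:
        findings.append("base64-html-payload")
    return {
        "active_content": bool(findings),
        "findings": findings,
        "script_chars": audit.script_chars,
        "decoded_preview": [blob[:60] for blob in blobs],
    }


# Constructed samples. The "page" is harmless filler and the script holds
# only the string; the decode-and-inject step is deliberately omitted.
_PAGE = (b"<html><body><!-- constructed sample, harmless -->"
         b"<form><input name='q'></form>" + b" " * 40 + b"</body></html>")
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">\n'
    '  <script type="text/javascript"><![CDATA[\n'
    '    var p = "' + base64.b64encode(_PAGE).decode() + '";\n'
    "  ]]></script>\n</svg>\n"
).encode()
_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(range(256))).decode()
BENIGN_SVG = (
    '<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">\n'
    '  <circle cx="5" cy="5" r="4"/>\n'
    '  <image href="data:image/png;base64,' + _PNG + '"/>\n</svg>\n'
).encode()

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, scan_svg(sample)["findings"])
```

A gateway policy built on this would quarantine any SVG attachment where `active_content` is true, since a static image has no need for script.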

The Google-owned malware scanning service said it found 44 unique SVG files, all of which have remained undetected by antivirus engines, owing to the use of techniques like obfuscation, polymorphism, and large amounts of junk code to evade static detection methods. In all, as many as 523 SVG files have been detected in the wild, with the earliest sample dating back to August 14, 2025. “Looking deeper, we saw that the earliest samples were larger, around 25 MB, and the size decreased over time, suggesting the attackers were evolving their payloads,” VirusTotal said.

The disclosure comes as cracked versions of legitimate software and ClickFix-style tactics are being used to lure users into infecting their Apple macOS systems with an information stealer called Atomic macOS Stealer (AMOS), exposing businesses to credential stuffing, financial theft, and other follow-on attacks.

“AMOS is designed for broad data theft, capable of stealing credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes, and files from common folders,” Trend Micro said. “AMOS shows that macOS is no longer a peripheral target. As macOS devices gain ground in enterprise settings, they have become a more attractive and lucrative focus for attackers.”

The attack chain essentially involves targeting users looking for cracked software on sites like haxmac[.]cc, redirecting them to bogus download links that provide installation instructions designed to trick them into running malicious commands on the Terminal app, thus triggering the deployment of AMOS. It’s worth noting that Apple prevents the installation of .dmg files lacking proper notarization due to macOS’s Gatekeeper protections, which require the application packages to be signed by an identified developer and notarized by Apple.

“With the release of macOS Sequoia, attempts to install malicious or unsigned .dmg files, such as those used in AMOS campaigns, are blocked by default,” the company added. “While this doesn’t eliminate the risk entirely, especially for users who may bypass built-in protections, it raises the barrier for successful infections and forces attackers to adapt their delivery methods.”

This is why threat actors are increasingly banking on ClickFix, as it allows the stealer to be installed on the machine using Terminal by means of a curl command specified in the software download page. “While macOS Sequoia’s enhanced Gatekeeper protections successfully blocked traditional .dmg-based infections, threat actors quickly pivoted to terminal-based installation methods that proved more effective in bypassing security controls,” Trend Micro said. “This shift highlights the importance of defense-in-depth strategies that don’t rely solely on built-in operating system protections.”

The development also follows the discovery of a “sprawling cyber campaign” that’s targeting gamers on the lookout for cheats with StealC stealer and crypto theft malware, netting the threat actors more than $135,000. Per CyberArk, the activity is notable for leveraging StealC’s loader capabilities to download additional payloads, in this case, a cryptocurrency stealer that can siphon digital assets from users on infected machines.

Russian APT28 Deploys “NotDoor” Outlook Backdoor Against Companies in NATO Countries

The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor in attacks targeting multiple companies from different sectors in NATO member countries. NotDoor “is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word,” S2 Grupo’s LAB52 threat intelligence team said. “When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer.” The artifact gets its name from the use of the word “Nothing” within the source code, the Spanish cybersecurity company added. The activity highlights the abuse of Outlook as a stealthy communication, data exfiltration, and malware delivery channel.

The exact initial access vector used to deliver the malware is currently not known, but analysis shows that it’s deployed via Microsoft’s OneDrive executable (“onedrive.exe”) using a technique referred to as DLL side-loading. This leads to the execution of a malicious DLL (“SSPICLI.dll”), which then installs the VBA backdoor and disables macro security protections. Specifically, it runs Base64-encoded PowerShell commands to perform a series of actions that involve beaconing to an attacker-controlled webhook[.]site, setting up persistence through Registry modifications, enabling macro execution, and turning off Outlook-related dialogue messages to evade detection. NotDoor is designed as an obfuscated Visual Basic for Applications (VBA) project for Outlook that makes use of the Application.MAPILogonComplete and Application.NewMailEx events to run the payload every time Outlook is started or a new email arrives.
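One way to hunt for the DLL side-loading step described above, as an added example rather than LAB52's detection logic: flag a module that carries a system DLL's name but loads from outside the Windows system directories. The event fields are modelled on image-load telemetry, and the baseline name set, field names, and all sample paths are constructed assumptions.

```python
import ntpath

# Assumed baseline: in practice this set is an inventory of DLL names that
# ship in System32. Only sspicli.dll comes from the article.
SYSTEM_DLL_NAMES = {"sspicli.dll", "version.dll", "cryptbase.dll"}
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)


def norm(path):
    """Canonicalise a Windows path so prefix checks cannot be dodged."""
    p = path.replace("/", "\\")
    if p.startswith("\\\\?\\"):  # strip the \\?\ long-path prefix
        p = p[4:]
    return ntpath.normpath(p).lower()  # also collapses ..\ segments


def under_trusted_root(path):
    p = norm(path)
    # Require a separator after the root so "System32evil" is not trusted.
    return any(p == root or p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def detect_sideloading(events):
    """Return one hit per system-named DLL loaded from an untrusted path."""
    hits = []
    for ev in events:
        module = norm(ev["module"])
        name = ntpath.basename(module)
        if name not in SYSTEM_DLL_NAMES or under_trusted_root(module):
            continue
        # A planted DLL sitting next to the host executable is the classic
        # search-order placement; unsigned on top of that is the worst case.
        same_dir = ntpath.dirname(module) == ntpath.dirname(norm(ev["process"]))
        unsigned = not ev.get("signed", False)
        hits.append({
            "process": ntpath.basename(norm(ev["process"])),
            "module": module,
            "severity": "high" if same_dir and unsigned else "medium",
        })
    return hits


# Constructed image-load events (hypothetical field names and paths).
EVENTS = [
    {"process": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\onedrive.exe",
     "module": r"C:\Windows\System32\SSPICLI.dll", "signed": True},
    {"process": r"C:\ProgramData\Staging\onedrive.exe",
     "module": r"C:\ProgramData\Staging\SSPICLI.dll", "signed": False},
    {"process": r"C:\Program Files\App\app.exe",
     "module": r"C:\Windows\System32\..\Temp\sspicli.dll", "signed": False},
    {"process": r"C:\Windows\System32evil\host.exe",
     "module": r"C:\Windows\System32evil\version.dll", "signed": True},
]

if __name__ == "__main__":
    for hit in detect_sideloading(EVENTS):
        print(hit["severity"], hit["process"], "->", hit["module"])
```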

It then proceeds to create a folder at the path %TEMP%\Temp if it does not exist, using it as a staging folder to store TXT files created during the course of the operation and exfiltrate them to a Proton Mail address. It also parses incoming messages for a trigger string, such as “Daily Report,” causing it to extract the embedded commands to be executed. The malware supports four different commands:

- cmd, to execute commands and return the standard output as an email attachment
- cmdno, to execute commands
- dwn, to exfiltrate files from the victim’s computer by sending them as email attachments
- upl, to drop files to the victim’s computer

“Files exfiltrated by the malware are saved in the folder,” LAB52 said. “The file contents are encoded using the malware’s custom encryption, sent via email, and then deleted from the system.”

The disclosure comes as Beijing-based 360 Threat Intelligence Center detailed Gamaredon’s (aka APT-C-53) evolving tradecraft, highlighting its use of Telegram-owned Telegraph as a dead-drop resolver to point to command-and-control (C2) infrastructure.

The attacks are also notable for the abuse of Microsoft Dev Tunnels (devtunnels.ms), a service that allows developers to securely expose local web services to the internet for testing and debugging purposes, as C2 domains for added stealth. “This technique provides twofold advantages: first, the original C2 server IP is completely masked by Microsoft’s relay nodes, blocking threat intelligence tracebacks based on IP reputation,” the cybersecurity company said. “Second, by exploiting the service’s ability to reset domain names on a minute-by-minute basis, the attackers can rapidly rotate infrastructure nodes, leveraging the trusted credentials and traffic scale of mainstream cloud services to maintain a nearly zero-exposure continuous threat operation.”

Attack chains entail the use of bogus Cloudflare Workers domains to distribute a Visual Basic Script like PteroLNK, which can propagate the infection to other machines by copying itself to connected USB drives, as well as download additional payloads. “This attack chain demonstrates a high level of specialized design, employing four layers of obfuscation (registry persistence, dynamic compilation, path masquerading, cloud service abuse) to carry out a fully covert operation from initial implantation to data exfiltration,” 360 Threat Intelligence Center said.

Update

Kroll, in a separate analysis published on September 5, 2025, said it observed the NotDoor malware in a cyber espionage campaign targeting an unnamed entity. The risk advisory firm’s threat intelligence team is tracking the cluster under the name KTA007 and the malware as GONEPOSTAL. “The campaign is a good example of living-off-the-land, using common business tools and methods of communication for command and control,” researchers Marc Messer and Dave Truman said. “Interception of email communications and a platform for tool ingress over legitimate means enables a stealthy manner of access which could be difficult to detect.”

GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module

Cybersecurity researchers have lifted the lid on a previously undocumented threat cluster dubbed GhostRedirector that has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam. The attacks, per Slovak cybersecurity company ESET, led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module codenamed Gamshen. The threat actor is believed to have been active since at least August 2024. “While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service, i.e., to manipulate search engine results, boosting the page ranking of a configured target website,” ESET researcher Fernando Tavella said in a report shared with The Hacker News.

“Even though Gamshen only modifies the response when the request comes from Googlebot – i.e., it does not serve malicious content or otherwise affect regular visitors of the websites – participation in the SEO fraud scheme can hurt the compromised host website’s reputation by associating it with shady SEO techniques and the boosted websites.” Some of the other targets of the hacking group include Peru, the U.S., Canada, Finland, India, the Netherlands, the Philippines, and Singapore. The activity is also said to be indiscriminate, with entities in the education, healthcare, insurance, transportation, technology, and retail sectors singled out. Initial access to target networks is accomplished by exploiting a vulnerability, likely an SQL injection flaw, after which PowerShell is used to deliver additional tools hosted on a staging server (“868id[.]com”). “This conjecture is supported by our observation that most unauthorized PowerShell executions originated from the binary sqlserver.exe, which holds a stored procedure xp_cmdshell that can be used to execute commands on a machine,” ESET said.
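The observation in the quote above suggests a process-ancestry rule: alert when PowerShell has the SQL Server engine anywhere up its parent chain. The following is an added example, not ESET's detection. The event schema is modelled on process-creation telemetry, and the field names and every sample event are constructed assumptions.

```python
import ntpath

# "sqlserver.exe" is the spelling in the quoted report; the SQL Server
# Database Engine binary on disk is sqlservr.exe, so match both.
SQL_IMAGES = {"sqlservr.exe", "sqlserver.exe"}
TARGETS = {"powershell.exe", "pwsh.exe"}


def image_name(path):
    return ntpath.basename(path).lower()


def find_sql_spawned_powershell(events, max_depth=8):
    """Return alerts for PowerShell processes descended from SQL Server.

    Events are replayed in time order and each process keeps a reference to
    the parent that was alive when it started, so a PID that is later reused
    by an unrelated process cannot hide or fake the lineage.
    """
    live = {}      # pid -> node for the most recent process with that pid
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        node = {"ev": ev, "parent": live.get(ev["ppid"])}
        live[ev["pid"]] = node
        if image_name(ev["image"]) not in TARGETS:
            continue
        chain = [image_name(ev["image"])]
        cur = node["parent"]
        for _ in range(max_depth):   # bounded walk up the ancestry
            if cur is None:
                break
            chain.append(image_name(cur["ev"]["image"]))
            if chain[-1] in SQL_IMAGES:
                alerts.append({
                    "pid": ev["pid"],
                    "chain": chain[::-1],          # ancestor first
                    "command_line": ev["command_line"],
                })
                break
            cur = cur["parent"]
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed events: xp_cmdshell runs commands through cmd.exe as a child
# of the database engine; pid 4100 is later reused by an interactive shell.
EVENTS = [
    {"ts": 1, "pid": 1200, "ppid": 700, "command_line": "sqlservr.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"ts": 2, "pid": 4100, "ppid": 1200, "image": CMD,
     "command_line": "cmd.exe /c powershell.exe <constructed placeholder>"},
    {"ts": 3, "pid": 4108, "ppid": 4100, "image": PS,
     "command_line": "powershell.exe <constructed placeholder>"},
    {"ts": 4, "pid": 5000, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "command_line": "explorer.exe"},
    {"ts": 5, "pid": 5010, "ppid": 5000, "image": PS,
     "command_line": "powershell.exe"},            # interactive admin shell
    {"ts": 6, "pid": 4100, "ppid": 5000, "image": CMD,
     "command_line": "cmd.exe"},                   # pid 4100 reused
    {"ts": 7, "pid": 6000, "ppid": 4100, "image": PS,
     "command_line": "powershell.exe"},            # child of the new 4100
]

if __name__ == "__main__":
    for alert in find_sql_spawned_powershell(EVENTS):
        print(alert["pid"], " > ".join(alert["chain"]))
```

The matching configuration control is to leave `xp_cmdshell` disabled, which is its default state, so that the rule only ever fires on abuse.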

Rungan is designed to await incoming requests from a URL matching a predefined pattern (i.e., “https://+:80/v1.0/8888/sys.html”), and then proceeds to parse and execute the commands embedded in them. It supports four different commands:

- mkuser, to create a user on the server with the username and password provided
- listfolder, to collect information from a provided path (unfinished)
- addurl, to register new URLs that the backdoor can listen on
- cmd, to run a command on the server using pipes and the CreateProcessA API

Written in C/C++, Gamshen is an example of an IIS malware family called “Group 13,” which can act both as a backdoor and conduct SEO fraud. It functions similarly to IISerpent, another IIS-specific malware that was documented by ESET back in August 2021. IISerpent, configured as a malicious extension for Microsoft’s web server software, allows it to intercept all HTTP requests made to the websites hosted by the compromised server, specifically those originating from search engine crawlers, and change the server’s HTTP responses with the goal of redirecting the search engines to a scam website of the attacker’s choosing.

That IIS extensions can covertly open persistent backdoors into servers was acknowledged by Microsoft back in July 2022, stating they are also “harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules.”

“GhostRedirector attempts to manipulate the Google search ranking of a specific, third-party website by using manipulative, shady SEO techniques such as creating artificial backlinks from the legitimate, compromised website to the target website,” Tavella said. It’s currently not known where these backlinks redirect unsuspecting users to, but it’s believed that the SEO fraud scheme is being used to promote various gambling websites. Also dropped alongside Rungan and Gamshen are various other tools:

- GoToHTTP to establish a remote connection that’s accessible from a web browser
- BadPotato or EfsPotato for creating a privileged user in the Administrators group
- Zunput to collect information about websites hosted on the IIS server and drop ASP, PHP, and JavaScript web shells

It’s assessed with medium confidence that GhostRedirector is a China-aligned threat actor based on the presence of hard-coded Chinese strings in the source code, a code-signing certificate issued to a Chinese company, Shenzhen Diyuan Technology Co., Ltd., to sign the privilege escalation artifacts, and the use of the password “huang” for one of the GhostRedirector-created users on the compromised server. That said, GhostRedirector is not the first China-linked threat actor to use malicious IIS modules for SEO fraud.

Over the past year, both Cisco Talos and Trend Micro have detailed a Chinese-speaking group known as DragonRank that has engaged in SEO manipulation via BadIIS malware. “Gamshen abuses the credibility of the websites hosted on the compromised server to promote a third-party, gambling website – potentially a paying client participating in an SEO fraud as-a-service scheme,” the company said. “GhostRedirector also demonstrates persistence and operational resilience by deploying multiple remote access tools on the compromised server, on top of creating rogue user accounts, all to maintain long-term access to the compromised infrastructure.”

Cybercriminals Exploit X’s Grok AI to Bypass Ad Protections and Spread Malware to Millions

Cybersecurity researchers have flagged a new technique that cybercriminals have adopted to bypass social media platform X’s malvertising protections and propagate malicious links using its artificial intelligence (AI) assistant Grok. The findings were highlighted by Nati Tal, head of Guardio Labs, in a series of posts on X. The technique has been codenamed Grokking. The approach is designed to get around restrictions imposed by X in Promoted Ads that allow users to only include text, images, or videos, and subsequently amplify them to a broader audience, attracting hundreds of thousands of impressions through paid promotion.

To achieve this, malvertisers have been found to run video card-promoted posts with adult content as bait, with the spurious link hidden in the “From:” metadata field below the video player by taking advantage of the fact that it’s not scanned by the social media platform. It’s worth mentioning here that the “From:” field is typically used to indicate the original poster of the video, but has been repurposed by the scammers in this campaign to share a link instead. In the next step, the fraudsters tag Grok in replies to the post using a throwaway account, asking something similar to “where is this video from?,” prompting the AI chatbot to visibly display the link in response. “Adding to that, it is now amplified in SEO and domain reputation - after all, it was echoed by Grok on a post with millions of impressions,” Tal said.

“A malicious link that X explicitly prohibits in ads (and should have been blocked entirely!) suddenly appears in a post by the system-trusted Grok account, sitting under a viral promoted thread and spreading straight into millions of feeds and search results!”

Guardio said the links direct users to sketchy ad networks, sending them to malicious links that push fake CAPTCHA scams, information-stealing malware, and other suspicious content via direct link (aka smartlink) monetization. The domains are assessed to be part of the same Traffic Distribution System (TDS), which is often used by malicious ad tech vendors to route traffic to harmful or deceptive content. The cybersecurity company told The Hacker News it has found hundreds of accounts engaging in this behavior over the past few days, with each of them posting hundreds or even thousands of similar posts. “They seem to be posting non-stop for several days until the account gets suspended for violating platform policies,” it added. “So there are definitely many of them and it looks very organized.”

Simple Steps for Attack Surface Reduction

Cybersecurity leaders face mounting pressure to stop attacks before they start, and the best defense may come down to the settings you choose on day one. In this piece, Yuriy Tsibere explores how default policies like deny-by-default, MFA enforcement, and application Ringfencing™ can eliminate entire categories of risk. From disabling Office macros to blocking outbound server traffic, these simple but strategic moves create a hardened environment that attackers can’t easily penetrate. Whether you’re securing endpoints or overseeing policy rollouts, adopting a security-by-default mindset can reduce complexity, shrink your attack surface, and help you stay ahead of evolving threats.

Cybersecurity has changed dramatically since the days of the “Love Bug” virus in 2001. What was once an annoyance is now a profit-driven criminal enterprise worth billions. This shift demands proactive defense strategies that don’t just respond to threats—they prevent them from ever reaching your network. CISOs, IT admins, and MSPs need solutions that block attacks by default, not just detect them after the fact.

Industry frameworks like NIST, ISO, CIS, and HIPAA provide guidance, but they often lack the clear, actionable steps needed to implement effective security. For anyone starting a new security leadership role, the mission is clear: Stop as many attacks as possible, frustrate threat actors, and do it without alienating the IT team. That’s where a security-by-default mindset comes in—configuring systems to block risks out of the gate.

As I’ve often said, the attackers only have to be right once. We have to be right 100% of the time. Here’s how setting the right defaults can eliminate entire categories of risk.

Require multi-factor authentication (MFA) on all remote accounts

Enabling MFA across all remote services—including SaaS platforms like Office 365 and G Suite, as well as domain registrars and remote access tools—is a foundational security default. Even if a password is compromised, MFA can prevent unauthorized access. Try to avoid using text messages for MFA, as they can be intercepted. While it may introduce some friction, the security benefits far outweigh the risk of data theft or financial loss.

Deny-by-default

One of the most effective security measures nowadays is application whitelisting or allowlisting. This approach blocks everything by default and only allows known, approved software to run. The result: Ransomware and other malicious applications are stopped before they can execute. It also blocks legitimate-but-unauthorized remote tools like AnyDesk or similar, which attackers often try to sneak in through social engineering. Users can still access what they need via a pre-approved store of safe applications, and visibility tools make it easy to track everything that runs—including portable apps.

Quick wins through secure configuration

Small changes to default settings can close major security gaps on Windows and other platforms:

- Turn off Office macros: It takes five minutes and blocks one of the most common attack vectors for ransomware.
- Use password-protected screensavers: Auto-lock your screen after a short break to stop anyone from snooping around.
- Disable SMBv1: This old-school protocol is outdated and has been used in big attacks like WannaCry. Most systems don’t need it anymore.
- Turn off the Windows keylogger: It’s rarely useful and could be a security risk if left on.

Control network and application behavior for organizations

- Remove local admin rights: Most malware doesn’t need admin access to run, but taking it away stops users from messing with security settings or even installing malicious software.
- Block unused ports and limit outbound traffic: Shut down SMB and RDP ports unless absolutely necessary—and only allow trusted sources. Stop servers from reaching the internet unless they need to. This helps avoid attacks like SolarWinds.
- Control application behaviors: Tools like ThreatLocker Ringfencing™ can stop apps from doing sketchy things—like Word launching PowerShell (yes, that’s a real attack method).
- Secure your VPN: If you don’t need it, turn it off. If you do, limit access to specific IPs and restrict what users can access.

Strengthen data and web controls

- Block USB drives by default: They’re a common way for malware to spread. Only allow secure, managed, encrypted ones if needed.
- Limit file access: Apps shouldn’t be able to poke around in user files unless they really need to.
- Filter out unapproved tools: Block random SaaS or cloud apps that haven’t been vetted. Let users request access if they need something.
- Track file activity: Keep an eye on who’s doing what with files—both on devices and in the cloud. It’s key for spotting shady behavior.

Go beyond defaults with monitoring and patching

Strong defaults are just the beginning. Ongoing vigilance is critical:

- Regular patching: Most attacks use known bugs. Keep everything updated—including portable apps.
- Automated threat detection: EDR tools are great, but if no one’s watching alerts 24/7, threats can slip through. MDR services can jump in fast, even after hours.

Security by default isn’t just smart, it’s non-negotiable. Blocking unknown apps, using strong authentication, locking down networks and app behavior can wipe out a ton of risk. Attackers only need one shot, but solid default settings keep your defenses ready all the time. The payoff? Fewer breaches, less hassle, and a stronger, more resilient setup.

Note: This article is expertly written and contributed by Yuriy Tsibere, Product Manager and Business Analyst at ThreatLocker. This article is a contributed piece from one of our valued partners.

The French data protection authority has fined Google and Chinese e-commerce giant Shein $379 million (€325 million) and $175 million (€150 million), respectively, for violating cookie rules. Both companies set advertising cookies on users’ browsers without securing their consent, the National Commission on Informatics and Liberty (CNIL) said. Shein has since updated its systems to comply with the regulation. Reuters reported that the retailer plans to appeal the decision.

“When creating a Google account, users were encouraged to choose cookies linked to the display of personalized advertisements, to the detriment of those linked to the display of generic advertisements and that users were not clearly informed that the deposit of cookies for advertising purposes was a condition to be able to access Google’s services,” the CNIL noted. The consent obtained in this manner is not valid and constitutes a violation of the French Data Protection Act (Article 82), it added. It’s worth noting that while this was the default behavior until October 2023, when the company added an option to refuse cookies, “the lack of informed consent still persisted.”

Google has also been called out for placing advertisements in the form of emails among other emails in the “Promotions” and “Social” tabs of Gmail, stating that the display of such ads required users’ explicit consent in accordance with the French Postal and Electronic Communications Code (CPCE). French telecommunications operator Orange was fined €50 million back in December 2024 for similarly displaying ads between actual email messages without users’ consent.

Google has been ordered to bring its systems into compliance within six months, or risk facing penalties of €100,000 per day.

The development comes as a U.S. jury found Google to have violated users’ privacy by collecting their data even after they opted out of Web & App Activity tracking. The decision, which awards $425 million in compensatory damages, is the culmination of a class action lawsuit filed against the company in July 2020. In a statement shared with Reuters, the tech giant said the ruling “misunderstands how [their] products work,” adding that the company’s privacy tools give users control over their data and emphasizing that their choice to turn off personalization is honored. It also said it plans to appeal.

In related privacy announcements, the U.S. Federal Trade Commission (FTC) said Disney has agreed to pay $10 million to settle allegations that it collected personal data from children watching YouTube videos without parental notification or consent, thus violating the U.S. Children’s Online Privacy Protection Rule (COPPA). The agency said Disney failed to properly label some videos that it uploaded to YouTube as “Made for Kids,” thus allowing it to gather data from children under 13 who watched that content and use it to serve targeted ads. In addition to the $10 million fine, the proposed settlement requires Disney to begin alerting parents before collecting personal data from children under age 13 and obtain their consent in accordance with COPPA. Disney is also required to start a program to ensure that videos it uploads to YouTube are properly designated as intended for kids.

Separately, the FTC is also taking action against a China-based robot toy maker, Apitor Technology, over allegedly permitting a third party called JPush to collect children’s geolocation data without their knowledge and parental consent in violation of COPPA. “Apitor integrated a third-party software development kit called JPush into its [Android] app that allowed JPush’s developer to collect location data and use it for any purpose, including advertising,” FTC said. “After Android users download the Apitor app, it begins collecting and sharing users’ precise location data with JPush’s servers, unbeknownst to child users and their parents.”