2025-09-11 AI Startup News

Chinese APT Deploys EggStreme Fileless Malware to Breach Philippine Military Systems

An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme . “This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads,” Bitdefender researcher Bogdan Zavadovschi said in a report shared with The Hacker News. “The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.” The targeting of the Philippines is something of a recurring pattern for Chinese state-sponsored hacking groups, particularly in light of geopolitical tensions fueled by territorial disputes in the South China Sea between China, Vietnam, the Philippines, Taiwan, Malaysia, and Brunei. The Romanian cybersecurity vendor, which first detected signs of malicious activity in early 2024, described EggStreme as a tightly integrated set of malicious components that’s engineered to establish a “resilient foothold” on infected machines.

The starting point of the multi-stage operation is a payload called EggStremeFuel (“mscorsvc.dll”) that conducts system profiling and deploys EggStremeLoader to set up persistence; the loader then executes EggStremeReflectiveLoader, which in turn triggers EggStremeAgent. EggStremeFuel opens an active communication channel with a command-and-control (C2) server, through which it can:

- Get drive information
- Start cmd.exe and establish communication via pipes
- Gracefully close all connections and shut down
- Read a file from the server and save it to disk
- Read a local file from a given path and transmit its content
- Send the external IP address by making a request to myexternalip[.]com/raw
- Dump the in-memory configuration to disk

Bitdefender calls EggStremeAgent the “central nervous system” of the framework: the backdoor monitors for new user sessions and injects a keylogger component, EggStremeKeylogger, into each one to harvest keystrokes and other sensitive data. It communicates with its C2 server over gRPC (Google Remote Procedure Call). It supports 58 commands covering local and network discovery, system enumeration, arbitrary shellcode execution, privilege escalation, lateral movement, data exfiltration, and payload injection, including an auxiliary implant codenamed EggStremeWizard (“xwizards.dll”).

“The attackers use this to launch a legitimate binary that sideloads the malicious DLL, a technique they consistently abuse throughout the attack chain,” Zavadovschi noted. “This secondary backdoor provides reverse shell access and file upload/download capabilities. Its design also incorporates a list of multiple C2 servers, enhancing its resilience and ensuring that communication with the attacker can be maintained even if one C2 server is taken offline.” The activity is also characterized by the use of the Stowaway proxy utility to establish an internal network foothold. Complicating detection further is the fileless nature of the framework: the later-stage components are loaded and executed directly in memory, so beyond the DLLs staged for sideloading little is written to disk.

“This, coupled with the heavy use of DLL side-loading and the sophisticated, multi-stage execution flow, allows the framework to operate with a low profile, making it a significant and persistent threat,” Bitdefender said. “The EggStreme malware family is a highly sophisticated and multi-component threat designed to achieve persistent access, lateral movement, and data exfiltration. The threat actor demonstrates an advanced understanding of modern defensive techniques by employing a variety of tactics to evade detection.”
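DLL sideloading is the one step in the chain above that leaves a disk and telemetry footprint: a trusted executable loads a DLL carrying a Windows system DLL's name from a directory where that name does not belong. The following Python is an added example (not Bitdefender's tooling and not derived from the report) that scores Sysmon-style ImageLoad records for that pattern. The event records, the short list of expected-system-DLL names, the host binary names and the signer strings are constructed for illustration, and the heuristics are generic, so they cover sideloads beyond the two EggStreme DLL names.

```python
"""Score Sysmon-style ImageLoad (Event ID 7) records for DLL sideloading.
Signals: a DLL whose name belongs under a Windows system directory loads
from somewhere else; the DLL is unsigned, or carries a non-Microsoft
signature under a Microsoft name; the DLL sits beside its host executable
in a user-writable location. All records below are constructed."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64",
               "c:\\windows\\winsxs", "c:\\windows\\microsoft.net")
# Names expected to load only from SYSTEM_DIRS. Constructed short list: the two
# names EggStreme abuses plus two classic sideload targets; build the real list
# from a golden image rather than by hand.
SYSTEM_DLL_NAMES = {"mscorsvc.dll", "xwizards.dll", "version.dll", "dbghelp.dll"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


@dataclass
class ImageLoad:
    image: str           # Sysmon Image: the process doing the load
    image_loaded: str    # Sysmon ImageLoaded: path of the DLL
    signed: bool         # Sysmon Signed
    signature: str = ""  # Sysmon Signature (signer name), when signed


def parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def in_system_dir(path: str) -> bool:
    d = parent_dir(path)
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def score(ev: ImageLoad):
    """Return (count, reasons); each reason is one independent sideload signal."""
    reasons = []
    name = PureWindowsPath(ev.image_loaded).name.lower()
    if name in SYSTEM_DLL_NAMES and not in_system_dir(ev.image_loaded):
        reasons.append(f"{name} loaded from outside a Windows system directory")
    if not ev.signed:
        reasons.append("loaded DLL is unsigned")
    elif name in SYSTEM_DLL_NAMES and "microsoft" not in ev.signature.lower():
        reasons.append(f"{name} signed by {ev.signature!r} rather than Microsoft")
    dll_dir = parent_dir(ev.image_loaded)
    if dll_dir == parent_dir(ev.image) and any(h in dll_dir + "\\" for h in USER_WRITABLE):
        reasons.append("DLL sits beside its host executable in a user-writable directory")
    return len(reasons), reasons


def detect(events, threshold=2):
    hits = []
    for ev in events:
        n, reasons = score(ev)
        if n >= threshold:
            hits.append((ev, reasons))
    return hits


# Constructed records: one benign system load, two sideloads, one benign vendor load.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\ProgramData\Updater\host.exe",
              r"C:\ProgramData\Updater\mscorsvc.dll", False),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\pkg\viewer.exe",
              r"C:\Users\alice\AppData\Local\Temp\pkg\xwizards.dll", True, "Contoso Ltd"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\vendorlib.dll", True, "Vendor Inc"),
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(ev.image, "->", ev.image_loaded)
        for r in reasons:
            print("   ", r)
```

The second and third constructed records each collect three signals and are surfaced at the default threshold of two; the svchost.exe load from System32 and the vendor application loading its own signed library collect none. On a real fleet the name list and the user-writable prefixes are the tuning knobs, and Sysmon only records ImageLoad events when a configuration enables them, so confirm that collection is on for the hosts you care about before relying on this.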

CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems

Cybersecurity researchers have discovered two new malware families: a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that targets both Windows and Linux systems. CHILLYHELL is attributed to an uncategorized threat cluster tracked as UNC4487, which is assessed to have been active since at least October 2022. According to an analysis from Jamf Threat Labs, the malware is written in C++ and built for Intel architectures.

According to threat intelligence shared by Google Mandiant, UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware. The Apple device management company said it discovered a new CHILLYHELL sample uploaded to the VirusTotal malware scanning platform on May 2, 2025. The artifact, notarized by Apple back in 2021, is said to have been publicly hosted on Dropbox since then. Apple has since revoked the developer certificates linked to the malware.

Once executed, the malware extensively profiles the compromised host and establishes persistence using three different methods, after which it initializes command-and-control (C2) communication with a hard-coded server (93.88.75[.]252 or 148.72.172[.]53) over HTTP or DNS and enters a command loop to receive further instructions from its operators. To set up persistence, CHILLYHELL installs itself either as a LaunchAgent or as a system LaunchDaemon. As a backup mechanism, it alters the user’s shell profile (.zshrc, .bash_profile, or .profile) to inject a launch command into the configuration file. A noteworthy tactic adopted by the malware is its use of timestomping to modify the timestamps of created artifacts to avoid raising red flags. One caveat worth knowing when hunting for this: touch, and the utimes call beneath it, can rewrite a file’s access and modification times but not its inode change time (ctime), so a ctime that is far newer than the mtime remains a usable sign that a file was backdated.

“If it does not have sufficient permission to update the timestamps by means of a direct system call, it will fall back to using shell commands touch -c -a -t and touch -c -m -t respectively, each with a formatted string representing a date from the past as an argument included at the end of the command,” Jamf researchers Ferdous Saljooki and Maggie Zirnhelt said. CHILLYHELL supports a wide range of commands that allow it to launch a reverse shell to the C2 IP address, download a new version of the malware, fetch additional payloads, run a module named ModuleSUBF to enumerate user accounts from “/etc/passwd” and conduct brute-force attacks using a pre-defined password list retrieved from the C2 server. “Between its multiple persistence mechanisms, ability to communicate over different protocols and modular structure, ChillyHell is extraordinarily flexible,” Jamf said. “Capabilities such as timestomping and password cracking make this sample an unusual find in the current macOS threat landscape.” “Notably, ChillyHell was notarized and serves as an important reminder that not all malicious code comes unsigned.” The findings dovetail with the discovery of ZynorRAT, a RAT that uses a Telegram bot called @lraterrorsbot (aka lrat) to commandeer infected Windows and Linux hosts.

Evidence shows that the malware was first submitted to VirusTotal on July 8, 2025. It does not share any overlaps with other known malware families. Compiled with Go, the Linux version supports a wide range of functions to enable file exfiltration, system enumeration, screenshot capture, persistence through systemd services, and arbitrary command execution:

- /fs_list, to enumerate directories
- /fs_get, to exfiltrate files from the host
- /metrics, to perform system profiling
- /proc_list, to run the “ps” Linux command
- /proc_kill, to kill a specific process by passing the PID as input
- /capture_display, to take screenshots
- /persist, to establish persistence

ZynorRAT’s Windows version is near-identical to its Linux counterpart, while still resorting to Linux-based persistence mechanisms. This likely indicates that development of the Windows variant is a work in progress.
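The persistence and anti-forensics behaviour described for CHILLYHELL (launchd jobs, shell-profile edits, timestomping with touch) and for ZynorRAT (systemd services) can be hunted for with the same small script. The following Python is an added example, not Jamf's or Sysdig's tooling and not derived from either analysis. It builds a constructed sample home directory (the job labels, the DLL-free paths, the unit name and the backdated date are all illustrative), then scans it for launch jobs that execute from suspicious locations and for files whose inode change time is far newer than their modification time, the signature that `touch -t` cannot hide.

```python
"""Hunt for the persistence and anti-forensics artifacts described above: launchd
jobs, launch lines appended to shell profiles, systemd user units, and backdated
timestamps. The fixture tree is constructed so the hunt runs offline; on a live
host call scan(Path.home()) and, for daemons, pass system_root=Path("/")."""
import os
import plistlib
import re
import tempfile
import time
from pathlib import Path

# Directories a legitimate launch job rarely executes from (tune per fleet).
SUSPICIOUS_EXEC = re.compile(
    r"(?:^|[\s=\"'])(?:/tmp/|/var/tmp/|/private/tmp/|/dev/shm/"
    r"|/Users/[^/\s]+/Library/|/home/[^/\s]+/\.[^/\s]+/)")
SHELL_PROFILES = (".zshrc", ".bash_profile", ".profile")
TIMESTOMP_GAP = 7 * 86400  # ctime newer than mtime by more than a week


def looks_timestomped(p: Path) -> bool:
    """touch -t / utimes() rewrite atime and mtime but cannot set ctime, so a file
    whose inode change time is far newer than its mtime was probably backdated."""
    st = p.stat()
    return st.st_ctime - st.st_mtime > TIMESTOMP_GAP


def check_launchd(p: Path) -> list:
    try:
        job = plistlib.loads(p.read_bytes())
    except Exception:
        return [f"{p.name}: unparseable plist"]
    cmd = " ".join(map(str, job.get("ProgramArguments") or [job.get("Program", "")]))
    if SUSPICIOUS_EXEC.search(cmd):
        return [f"{p.name}: launchd job executes from a suspicious path: {cmd}"]
    return []


def check_shell_profile(p: Path) -> list:
    hits = []
    for n, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#") and SUSPICIOUS_EXEC.search(s):
            hits.append(f"{p.name}:{n}: launches from a suspicious path: {s}")
    return hits


def check_systemd_unit(p: Path) -> list:
    return [f"{p.name}: {line}" for line in p.read_text(errors="replace").splitlines()
            if line.startswith("ExecStart=") and SUSPICIOUS_EXEC.search(line)]


def scan(home: Path, system_root: Path = Path("/")) -> list:
    targets = {}  # path -> checker; the dict de-duplicates when home and system_root overlap
    for d in (home / "Library/LaunchAgents", system_root / "Library/LaunchAgents",
              system_root / "Library/LaunchDaemons"):
        if d.is_dir():
            targets.update({f: check_launchd for f in d.glob("*.plist")})
    targets.update({home / n: check_shell_profile for n in SHELL_PROFILES if (home / n).is_file()})
    units = home / ".config/systemd/user"
    if units.is_dir():
        targets.update({f: check_systemd_unit for f in units.glob("*.service")})
    findings = []
    for path, checker in targets.items():
        findings += checker(path)
        if looks_timestomped(path):
            mtime = time.strftime("%Y-%m-%d", time.gmtime(path.stat().st_mtime))
            findings.append(f"{path.name}: mtime {mtime} but ctime is much newer (possible timestomp)")
    return findings


def build_fixture() -> Path:
    """Constructed sample home directory: a benign LaunchAgent, a suspicious one that
    has been backdated the way touch -t would, a shell profile with an appended
    background launch, and a systemd user unit. Names and paths are illustrative."""
    root = Path(tempfile.mkdtemp(prefix="persist-hunt-"))
    agents = root / "Library/LaunchAgents"
    agents.mkdir(parents=True)
    (agents / "com.vendor.updater.plist").write_bytes(plistlib.dumps({
        "Label": "com.vendor.updater", "RunAtLoad": True,
        "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater"]}))
    bad = agents / "com.example.helper.plist"
    bad.write_bytes(plistlib.dumps({
        "Label": "com.example.helper", "RunAtLoad": True, "KeepAlive": True,
        "ProgramArguments": ["/Users/alice/Library/Caches/.helper", "-d"]}))
    old = time.mktime((2021, 3, 1, 12, 0, 0, 0, 0, -1))
    os.utime(bad, (old, old))  # same effect as `touch -c -a -t` / `touch -c -m -t`
    (root / ".zshrc").write_text(
        "export PATH=/usr/local/bin:$PATH\nalias ll='ls -la'\n"
        "nohup /private/tmp/.cache/agent >/dev/null 2>&1 &\n")
    units = root / ".config/systemd/user"
    units.mkdir(parents=True)
    (units / "update.service").write_text(
        "[Unit]\nDescription=update\n\n[Service]\nExecStart=/tmp/.x/update\nRestart=always\n\n"
        "[Install]\nWantedBy=default.target\n")
    return root


if __name__ == "__main__":
    root = build_fixture()
    for finding in scan(root, root):
        print(finding)
```

Against the fixture the scan returns four findings: the suspicious LaunchAgent, the same file flagged as timestomped, the appended .zshrc line, and the systemd unit. The path regex is deliberately crude; what matters on a real host is the comparison of ctime against mtime, which survives the timestomping the article describes because only a filesystem-level write (or a kernel with a clock rolled back) changes ctime.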

“Its main purpose is to serve as a collection, exfiltration, and remote access tool, which is centrally managed through a Telegram bot,” Sysdig researcher Alessandra Rizzo said. “Telegram serves as the main C2 infrastructure through which the malware receives further commands once deployed on a victim machine.” Further analysis of screenshots leaked via the Telegram bot has revealed that the payloads are distributed via a file-sharing service known as Dosya.co, and that the malware author may have “infected” their own machines to test out the functionality. ZynorRAT is believed to be the work of a lone actor, possibly of Turkish origin given the language used in Telegram chats. “Although the malware ecosystem has no shortage of RATs, malware developers are still dedicating their time to creating them from scratch,” Rizzo said.

“ZynorRAT’s customization and automated controls underline the evolving sophistication of modern malware, even within their earliest stages.”

Microsoft Fixes 80 Flaws — Including SMB PrivEsc and Azure CVSS 10.0 Bugs

Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that was publicly known at the time of release. Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month, 38 of the disclosed flaws relate to privilege escalation, followed by remote code execution (22), information disclosure (14), and denial-of-service (3).

“For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws,” Satnam Narang, senior staff research engineer at Tenable, said. “Nearly 50% (47.5%) of all bugs this month are privilege escalation vulnerabilities.” The patches are in addition to 12 vulnerabilities addressed in Microsoft’s Chromium-based Edge browser since the release of August 2025’s Patch Tuesday update, including a security bypass bug (CVE-2025-53791, CVSS score: 4.7) that has been patched in version 140.0.3485.54 of the browser. The vulnerability that has been flagged as publicly known is CVE-2025-55234 (CVSS score: 8.8), a case of privilege escalation in Windows SMB. “SMB Server might be susceptible to relay attacks depending on the configuration,” Microsoft said.

“An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks.” The Windows maker said the update enables support for auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA, allowing customers to assess their environment and detect any potential device or software incompatibility issues before deploying appropriate hardening measures. “The key takeaway from the CVE-2025-55234 advisory, other than the explanation of the well-known attack surface around SMB authentication, is that this is one of those times where simply patching isn’t enough; in fact, the patches provide administrators with more auditing options to determine whether their SMB Server is interacting with clients that won’t support the recommended hardening options,” Adam Barnett, lead software engineer at Rapid7, said. Mike Walters, president and co-founder of Action, said the vulnerability stems from the fact that SMB sessions can be established without properly validating the authentication context when key hardening measures, such as SMB signing and Extended Protection for Authentication, are not in place. “This gap opens the door to man-in-the-middle relay attacks, where attackers can capture and forward authentication material to gain unauthorized access,” Walters added.
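The relay described above is easier to reason about with a small model. The following Python is an added example (not Microsoft's, Rapid7's or Walters' material): a toy client/server exchange in which an attacker forwards the challenge and response between a victim and the server, ends up holding an authenticated session, and then tries to issue a request. The secret, the key derivation and the message layout are simplified stand-ins for NTLMv2 and SMB2 signing, and the command string and secret value are constructed; what the model does preserve is the property that matters, namely that the signing key depends on a secret the relay never sees.

```python
"""Toy model of NTLM relay against SMB, with and without required signing.
The relay forwards the server's challenge to the victim and the victim's
response back to the server, so the server ends up with an authenticated
session that the attacker controls. What the relay never obtains is the
session key, which is derived from the victim's secret; when the server
requires signing, every post-authentication request must carry an HMAC
under that key, and the relay's requests are rejected. Secret, derivation
and message layout are stand-ins, not the NTLMv2/SMB2 formats."""
import hashlib
import hmac
import secrets


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLM challenge-response (goes over the wire, visible to a MITM)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def derive_session_key(secret: bytes, response: bytes) -> bytes:
    """Stand-in for the NTLM session key: needs the secret, so a relay cannot compute it."""
    return hmac.new(secret, b"session" + response, hashlib.sha256).digest()


def sign(session_key: bytes, msg: bytes) -> bytes:
    return hmac.new(session_key, msg, hashlib.sha256).digest()


class SmbServer:
    def __init__(self, secret: bytes, require_signing: bool):
        self.secret = secret
        self.require_signing = require_signing
        self.challenge = b""
        self.session_key = b""

    def new_challenge(self) -> bytes:
        self.challenge = secrets.token_bytes(8)
        return self.challenge

    def authenticate(self, response: bytes) -> bool:
        if not hmac.compare_digest(response, compute_response(self.secret, self.challenge)):
            return False
        self.session_key = derive_session_key(self.secret, response)
        return True

    def handle(self, msg: bytes, signature: bytes = b"") -> str:
        if not self.session_key:
            return "REJECTED: not authenticated"
        if self.require_signing and not (
            signature and hmac.compare_digest(signature, sign(self.session_key, msg))
        ):
            return "REJECTED: missing or invalid signature"
        return "OK: " + msg.decode()


class Victim:
    """Client holding the secret; it answers whatever challenge it is shown."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.session_key = b""

    def answer(self, challenge: bytes) -> bytes:
        response = compute_response(self.secret, challenge)
        self.session_key = derive_session_key(self.secret, response)
        return response

    def signed(self, msg: bytes):
        return msg, sign(self.session_key, msg)


CMD = b"open \\\\fileserver\\C$\\secrets.txt"   # constructed request
SECRET = b"victim-nt-hash-equivalent"          # constructed; never leaves victim/server


def legitimate_session(require_signing: bool) -> str:
    server, victim = SmbServer(SECRET, require_signing), Victim(SECRET)
    assert server.authenticate(victim.answer(server.new_challenge()))
    return server.handle(*victim.signed(CMD))


def relay_attack(require_signing: bool) -> str:
    server, victim = SmbServer(SECRET, require_signing), Victim(SECRET)
    challenge = server.new_challenge()      # attacker connects to the real server
    response = victim.answer(challenge)     # ...shows the challenge to the coerced victim
    assert server.authenticate(response)    # ...and forwards the answer: session is live
    # The attacker saw challenge and response but not SECRET. Its options are an
    # unsigned request or a signature under a guessed key.
    unsigned = server.handle(CMD)
    if unsigned.startswith("OK"):
        return unsigned
    guessed_key = hashlib.sha256(challenge + response).digest()
    return server.handle(CMD, sign(guessed_key, CMD))


if __name__ == "__main__":
    for required in (False, True):
        print(f"signing required={required}: legit -> {legitimate_session(required)}; "
              f"relay -> {relay_attack(required)}")
```

With signing not required the relayed request is served; with it required the request is rejected whether unsigned or signed under a guessed key, while the genuine client, which holds the secret and therefore the session key, is still served. Extended Protection for Authentication is not modelled: it binds the authentication to the outer channel rather than to each request, which is why the update's audit mode covers it separately. The practical sequence the advisory implies is to run the new audit events first, find clients that cannot sign or cannot do EPA, fix those, and only then make signing mandatory.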

“It can easily become part of a larger campaign, moving from phishing to SMB relay, credential theft, lateral movement, and eventually data exfiltration.” The CVE with the highest CVSS score for this month is CVE-2025-54914 (CVSS score: 10.0), a critical flaw impacting Azure Networking that could result in privilege escalation. It requires no customer action, given that it’s a cloud-related vulnerability. Two other shortcomings that merit attention include a remote code execution flaw in Microsoft High Performance Compute (HPC) Pack (CVE-2025-55232, CVSS score: 9.8) and an elevation of privilege issue affecting Windows NTLM (CVE-2025-54918, CVSS score: 8.8) that could allow an attacker to gain SYSTEM privileges. “From Microsoft’s limited description, it appears that if an attacker is able to send specially crafted packets over the network to the target device, they would have the ability to gain SYSTEM-level privileges on the target machine,” Kev Breen, senior director of threat research at Immersive, said.

“The patch notes for this vulnerability state that ‘Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network,’ suggesting an attacker may already need to have access to the NTLM hash or the user’s credentials.”

Lastly, the update also remediates a security flaw (CVE-2024-21907, CVSS score: 7.5) in Newtonsoft.Json, a third-party component used in SQL Server, that could be exploited to trigger a denial-of-service condition, as well as two privilege escalation vulnerabilities in Windows BitLocker (CVE-2025-54911, CVSS score: 7.3, and CVE-2025-54912, CVSS score: 7.8). Microsoft’s Hussein Alrubaye has been credited with discovering and reporting both BitLocker flaws. The two flaws add to four other vulnerabilities (collectively called BitUnlocker) in the full-disk encryption feature that were patched by Microsoft in July 2025:

- CVE-2025-48003 (CVSS score: 6.8): BitLocker Security Feature Bypass Vulnerability via WinRE Apps Scheduled Operation
- CVE-2025-48800 (CVSS score: 6.8): BitLocker Security Feature Bypass Vulnerability by Targeting 

ReAgent.xml Parsing
- CVE-2025-48804 (CVSS score: 6.8): BitLocker Security Feature Bypass Vulnerability by Targeting Boot.sdi Parsing
- CVE-2025-48818 (CVSS score: 6.8): BitLocker Security Feature Bypass Vulnerability by Targeting Boot Configuration Data (BCD) Parsing

Successful exploitation of any of the above four flaws could allow an attacker with physical access to the target to bypass BitLocker protections and gain access to encrypted data. “To further enhance the security of BitLocker, we recommend enabling TPM+PIN for pre-boot authentication,” Security Testing and Offensive Research at Microsoft (STORM) researchers Netanel Ben Simon and Alon Leviev said in a report last month.

“This significantly reduces the BitLocker attack surfaces by limiting exposure to only the TPM.” “To mitigate BitLocker downgrade attacks, we advise enabling the REVISE mitigation. This mechanism enforces secure versioning across critical boot components, preventing downgrades that could reintroduce known vulnerabilities in BitLocker and Secure Boot.” The disclosure comes as Purple Team detailed a new lateral movement technique dubbed BitLockMove that involves the remote manipulation of BitLocker registry keys via Windows Management Instrumentation (WMI) to hijack specific COM objects of BitLocker. BitLockMove, developed by security researcher Fabian Mosch, works by initiating a remote connection to the target host through WMI and copying a malicious DLL to the target over SMB. In the next phase, the attacker writes a new registry key that specifies the DLL path, ultimately causing BitLocker to load the copied DLL by hijacking its COM objects.

“The purpose of the BitLocker COM Hijacking is to execute code under the context of the interactive user on a target host,” Purple Team said. “In the event that the interactive user has excessive privileges (i.e., domain administrator), this could also lead to domain escalation.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including:

- Adobe
- Arm
- Broadcom (including VMware)
- Cisco
- Commvault
- Dell
- Drupal
- F5
- Fortra
- FUJIFILM
- Gigabyte
- GitLab
- Google Android and Pixel
- Google Chrome
- Google Cloud
- Google Wear OS
- Hikvision
- Hitachi Energy
- HP
- HP Enterprise (including Aruba Networking)
- IBM
- Ivanti
- Jenkins
- Juniper Networks
- Lenovo
- Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- Moxa
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NVIDIA
- QNAP
- Qualcomm
- Rockwell Automation
- Salesforce
- Samsung
- SAP
- Schneider Electric
- Siemens
- Sitecore
- Sophos
- Spring Framework
- Supermicro
- Synology
- TP-Link
- Zoom
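BitLockMove as described above reduces to two observable events on the target: a DLL copied over SMB and an InprocServer32 value written under a user hive through WMI. The following Python is an added example (not Purple Team's tool and not taken from its write-up) that assesses Sysmon RegistryEvent (Value Set, Event ID 13) records for the second of those. The records, the CLSID, the SID and the DLL path are constructed, and the rule is generic to user-hive COM hijacks rather than specific to the BitLocker classes, which the article does not name.

```python
"""Assess Sysmon RegistryEvent (Value Set, Event ID 13) records for user-hive COM
InprocServer32 hijacks. Per-user registrations under HKCU\\Software\\Classes are
consulted ahead of HKLM for COM activation by non-elevated processes, so a write
there redirects a class to an attacker-chosen DLL; a write performed by
WmiPrvSE.exe is what a remote StdRegProv call looks like on the target.
Records, CLSID, SID and paths are constructed."""
import re
from dataclasses import dataclass

INPROC_SERVER = re.compile(
    r"\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32(?:\\\(Default\))?$", re.I)
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_HIVES = ("HKU\\", "HKCU\\")


@dataclass
class RegValueSet:
    image: str          # Sysmon Image: process that performed the write
    target_object: str  # Sysmon TargetObject: key path and value name
    details: str        # Sysmon Details: the data written (a string for REG_SZ)


def assess(ev: RegValueSet) -> list:
    """Return the reasons this write looks like a COM hijack (empty if it does not)."""
    reasons = []
    if not INPROC_SERVER.search(ev.target_object):
        return reasons                     # not a COM in-process server registration
    if ev.target_object.upper().startswith(USER_HIVES):
        reasons.append("InprocServer32 set in a user hive, shadowing the machine registration")
    dll = ev.details.strip().strip('"').lower()
    if not dll.startswith(TRUSTED_DLL_DIRS):
        reasons.append(f"server DLL outside trusted directories: {ev.details}")
    if ev.image.rsplit("\\", 1)[-1].lower() == "wmiprvse.exe":
        reasons.append("written by WmiPrvSE.exe, consistent with a remote WMI StdRegProv call")
    return reasons


def detect(events, threshold=2):
    hits = []
    for ev in events:
        reasons = assess(ev)
        if len(reasons) >= threshold:
            hits.append((ev, reasons))
    return hits


SID = "S-1-5-21-1004336348-1177238915-682003330-1001"   # constructed user SID
SAMPLE_EVENTS = [
    # Installer registering a vendor COM server machine-wide: benign.
    RegValueSet(r"C:\Windows\System32\msiexec.exe",
                r"HKLM\SOFTWARE\Classes\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}"
                r"\InprocServer32\(Default)",
                r"C:\Program Files\Vendor\vendor.dll"),
    # Remote WMI registry write pointing a class at a DLL staged over SMB: hijack.
    RegValueSet(r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                "HKU\\" + SID + r"\Software\Classes\CLSID"
                r"\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
                r"C:\Users\Public\Libraries\update.dll"),
    # Ordinary per-user setting change: ignored by the rule.
    RegValueSet(r"C:\Windows\explorer.exe",
                "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
                "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(ev.image, "wrote", ev.target_object)
        for r in reasons:
            print("   ", r)
```

Only the WmiPrvSE.exe record is surfaced, with all three reasons; the installer writes to HKLM from a trusted path and the explorer.exe write is not a COM registration at all. Correlating such a hit with a preceding Sysmon FileCreate (Event ID 11) for the same DLL path, arriving via the SMB server, reproduces the full BitLockMove sequence the article describes.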

Apple iPhone Air and iPhone 17 Feature A19 Chips With Spyware-Resistant Memory Safety

Apple on Tuesday revealed a new security feature called Memory Integrity Enforcement (MIE) that’s built into its newly introduced iPhone models, including iPhone 17 and iPhone Air. MIE, per the tech giant, offers “always-on memory safety protection” across critical attack surfaces such as the kernel and over 70 userland processes without sacrificing device performance, which was possible because the A19 and A19 Pro chips were designed with it in mind. “Memory Integrity Enforcement is built on the robust foundation provided by our secure memory allocators, coupled with Enhanced Memory Tagging Extension (EMTE) in synchronous mode, and supported by extensive Tag Confidentiality Enforcement policies,” the company noted. The effort aims to improve memory safety and to stop bad actors, specifically those deploying mercenary spyware, from weaponizing such flaws in the first place to break into devices as part of highly targeted attacks.

The technology that underpins MIE is EMTE, an improved version of the Memory Tagging Extension (MTE) specification released by chipmaker Arm in 2019 to flag memory corruption bugs either synchronously or asynchronously. EMTE was released by Arm in 2022 following a collaboration with Apple. It’s worth noting that Google’s Pixel devices already have support for MTE as a developer option starting with Android 13. Similar memory integrity features have also been introduced by Microsoft in Windows 11.

Figure: How MIE blocks use-after-free access

“The ability of MTE to detect memory corruption exploitation at the first dangerous access is a significant improvement in diagnostic and potential security effectiveness,” Google Project Zero researcher Mark Brand said in October 2023, coinciding with the release of Pixel 8 and Pixel 8 Pro. “The availability of MTE on a production handset for the first time is a big step forward, and I think there’s real potential to use this technology to make 0-day harder.” Apple said MIE transforms MTE from a “helpful debugging tool” into a groundbreaking new security feature, offering protection against two common vulnerability classes, buffer overflows and use-after-free bugs, that result in memory corruption.

Figure: How MIE blocks buffer overflows

In practice this means blocking out-of-bounds accesses into adjacent memory that carries a different tag, and retagging memory as it is freed and reallocated for another purpose, so that an access through a stale pointer still carrying the old tag (a use-after-free) is also blocked.

“A key weakness of the original MTE specification is that access to non-tagged memory, such as global variables, is not checked by the hardware,” Apple explained. “This means attackers don’t have to face as many defensive constraints when attempting to control core application configuration and state.” “With Enhanced MTE, we instead specify that accessing non-tagged memory from a tagged memory region requires knowing that region’s tag, making it significantly harder for attackers to turn out-of-bounds bugs in dynamic tagged memory into a way to sidestep EMTE by directly modifying non-tagged allocations.”

Figure: Enabling MTE on Google Pixel

Cupertino said it has also developed what it calls Tag Confidentiality Enforcement (TCE) to secure the implementation of its memory allocators against side-channel and speculative execution attacks such as TikTag, to which MTE was found susceptible last year. TikTag leaks the MTE tag associated with an arbitrary memory address by exploiting the fact that tag checks produce cache-state differences during speculative execution. “The meticulous planning and implementation of Memory Integrity Enforcement made it possible to maintain synchronous tag checking for all the demanding workloads of our platforms, delivering groundbreaking security with minimal performance impact, while remaining completely invisible to users,” it added.
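To make the two checks concrete, here is an added Python simulation of tagged memory (this page's example, not Apple's allocator and not code from Apple's post): 16-byte granules each carry a 4-bit tag, as in Arm's MTE specification, every pointer carries the tag of the allocation it came from, and an access whose pointer tag differs from the granule's tag faults synchronously. The allocator gives neighbours different tags and retags on free, which is what turns a linear overflow and a use-after-free into faults; a mode switch models the EMTE difference quoted above, where a tagged pointer touching untagged (global) memory goes unchecked under original MTE but faults under EMTE. The memory layout, tag choices and the way the mode is modelled are this simulation's assumptions, not a description of the A19 implementation.

```python
"""Simulation of memory tagging in the MTE/EMTE style. Heap memory is divided
into 16-byte granules, each with a 4-bit tag; a pointer carries the tag of
the allocation it came from; any load/store whose pointer tag differs from
the granule's tag raises TagFault synchronously. Globals live in an untagged
region to show the MTE-versus-EMTE difference. Constructed model, not Apple's
implementation."""
import random

GRANULE = 16
TAG_BITS = 4
UNTAGGED = 0  # tag value reserved for non-tagged memory in this model


class TagFault(Exception):
    """Synchronous tag-check failure (pointer tag != memory tag)."""


class Ptr:
    __slots__ = ("addr", "tag")

    def __init__(self, addr, tag):
        self.addr, self.tag = addr, tag


class TaggedMemory:
    def __init__(self, heap_bytes=128, global_bytes=128, mode="emte", seed=1):
        assert mode in ("mte", "emte")
        self.mode = mode
        self.heap_granules = heap_bytes // GRANULE
        self.mem = bytearray(heap_bytes + global_bytes)
        self.tags = [UNTAGGED] * (len(self.mem) // GRANULE)
        self.rng = random.Random(seed)
        self.brk = 0      # bump allocator; enough for the demos
        self.live = {}    # base address -> size

    def _fresh_tag(self, avoid):
        return self.rng.choice([t for t in range(1, 1 << TAG_BITS) if t not in avoid])

    def _retag(self, addr, size, tag):
        for g in range(addr // GRANULE, (addr + size) // GRANULE):
            self.tags[g] = tag

    def malloc(self, size):
        size = -(-size // GRANULE) * GRANULE
        addr = self.brk
        if addr + size > self.heap_granules * GRANULE:
            raise MemoryError("tagged heap exhausted")
        self.brk += size
        # Never reuse the left neighbour's tag, so a linear overflow always
        # crosses a tag boundary on its first out-of-bounds byte.
        avoid = {self.tags[addr // GRANULE - 1]} if addr else set()
        tag = self._fresh_tag(avoid)
        self._retag(addr, size, tag)
        self.live[addr] = size
        return Ptr(addr, tag)

    def free(self, p):
        size = self.live.pop(p.addr)
        # Retag on free: every stale copy of p now carries the wrong tag.
        self._retag(p.addr, size, self._fresh_tag({p.tag}))

    def _check(self, p, off):
        a = p.addr + off
        g = a // GRANULE
        if g >= self.heap_granules:
            # Untagged memory. Original MTE performs no check here; EMTE (as this
            # model reads Apple's description) requires the untagged tag.
            if self.mode == "emte" and p.tag != UNTAGGED:
                raise TagFault(f"tagged pointer (tag {p.tag}) accessed untagged memory at {a:#x}")
            return a
        if self.tags[g] != p.tag:
            raise TagFault(f"pointer tag {p.tag} != memory tag {self.tags[g]} at {a:#x}")
        return a

    def store(self, p, off, value):
        self.mem[self._check(p, off)] = value & 0xFF

    def load(self, p, off):
        return self.mem[self._check(p, off)]


def outcome(action):
    try:
        action()
        return "undetected"
    except TagFault:
        return "fault"


def demo_linear_overflow(mode="emte"):
    m = TaggedMemory(mode=mode)
    a, b = m.malloc(16), m.malloc(16)
    m.store(a, 15, 0x41)                          # last in-bounds byte of a: allowed
    return outcome(lambda: m.store(a, 16, 0x41))  # first byte of b: different tag


def demo_use_after_free(mode="emte"):
    m = TaggedMemory(mode=mode)
    a = m.malloc(32)
    m.store(a, 0, 1)
    m.free(a)
    return outcome(lambda: m.load(a, 0))          # stale pointer, memory retagged


def demo_overflow_into_globals(mode):
    m = TaggedMemory(mode=mode)
    a = m.malloc(128)                             # fills the tagged heap; globals follow
    return outcome(lambda: m.store(a, 128, 0x41))


if __name__ == "__main__":
    print("linear overflow:", demo_linear_overflow())
    print("use after free:", demo_use_after_free())
    for mode in ("mte", "emte"):
        print(f"overflow into globals ({mode}):", demo_overflow_into_globals(mode))
```

Run stand-alone, the first two demos report a fault and the globals demo reports undetected under "mte" but a fault under "emte". The simulation also makes the residual weakness visible: a tag is 4 bits, so an out-of-bounds access that lands on non-adjacent memory, or a forged pointer whose tag an attacker can keep guessing, matches by chance roughly one time in sixteen. That is the gap the Tag Confidentiality Enforcement policies mentioned above address, since a side channel that reveals the tag, as TikTag did, removes the guesswork entirely.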

The Time-Saving Guide for Service Providers: Automating vCISO and Compliance Services

Introduction

Managed service providers (MSPs) and managed security service providers (MSSPs) are under increasing pressure to deliver strong cybersecurity outcomes in a landscape marked by rising threats and evolving compliance requirements. At the same time, clients want better protection without managing cybersecurity themselves. Service providers must balance these growing demands with the need to work efficiently, deliver consistent results, and scale their offerings. Yet, many service providers still rely on manual processes that slow down delivery, make it harder to maintain consistency across clients, and limit the time teams have to focus on more strategic initiatives.

Even experienced service providers can find themselves stretched thin as they try to meet rising client expectations while managing operational complexity. In this environment, automation offers an opportunity to work more effectively and deliver greater value. By streamlining repetitive tasks, improving consistency, and freeing up time and resources, automation helps providers expand their services, strengthen client relationships, and grow sustainably. We created The Service Provider’s Guide to Automating Cybersecurity and Compliance Management to help providers navigate the transition to automation.

Inside, you’ll find a practical overview of current challenges, real-world examples, and guidance for identifying where automation can have the biggest impact.

The Hidden Costs of Manual Work

Tasks like risk assessments, policy development, framework mapping, remediation planning, and executive reporting often require 13 to 15 hours of manual work each. This level of effort places mounting pressure on internal teams, extends project timelines, and delays client outcomes, all of which can restrict growth. Over time, these inefficiencies quietly erode both profitability and service quality, making it harder to scale and compete effectively.

Key hidden costs include:

- Time delays that impact client satisfaction and slow down revenue cycles
- Inconsistencies across assessments and documentation, undermining trust
- Talent inefficiency as senior staff handle administrative work instead of strategic tasks
- Missed revenue opportunities due to limited capacity for upselling or onboarding new clients

Manual processes also create specific bottlenecks across five critical areas of service delivery:

- Onboarding & Assessments: repetitive, slow, and often inconsistent
- Framework Mapping: labor-intensive and prone to errors
- Remediation Management: hard to scale and standardize
- Progress Reporting: time-consuming and lacking consistency and clarity
- Service Customization: manual adjustments reduce repeatability

Automation is key to overcoming these barriers and unlocking scalable, high-margin service delivery.

How Automation Can Help: 5 Key Use Cases

According to The State of the Virtual CISO 2025 Report, vCISO providers using AI or automation report a 68% average reduction in cybersecurity and compliance workload over the past year. AI-powered technologies like Cynomi’s vCISO Platform automate and standardize vCISO workflows end-to-end, cutting manual efforts by up to 70%. Here are the key areas where automation can make a measurable impact:

- Risk Assessments & Onboarding: Interactive, guided questionnaires and centralized data capture replace emails and interviews, cutting hours from onboarding timelines.
- Policy Development: Automated platforms generate client-specific policies mapped to frameworks like NIST and ISO.
- Compliance Tracking: Tasks are automatically mapped to frameworks and updated as standards evolve, reducing oversight and error risk.
- Remediation Planning: Tasks are prioritized and assigned automatically, allowing teams to track progress and outcomes in a centralized hub.
- Progress Reporting: Client-branded progress reports are generated in clicks, turning security activity into clear, business-focused insights without the usual delays.
- Standardizing Service Delivery: Automation streamlines core tasks like onboarding and compliance management, allowing providers to deliver consistent, high-quality services across clients without reinventing the wheel each time.

The ROI of Automation

One of the most effective ways to measure automation’s value is through work hours saved. Tasks that once took over 13 hours can now be completed in just a few, freeing up nearly 10 hours per task to reinvest elsewhere. Multiply that across clients, and the impact on margins and capacity becomes substantial.

As Steve Bowman, Business Partner at Model Technology Solutions, noted, “When we started, it was four or five months before I’d have somebody doing an assessment on their own. Now it’s down to one month.” This dramatic improvement in ramp-up time underscores the transformative effect automation can have not only on day-to-day operations but also on long-term scalability. Here are some examples of time-consuming tasks and the time savings service providers achieve through automating them: For more real-world insights into how much time automation can save across key cybersecurity functions, explore The Service Provider’s Guide to Automating Cybersecurity and Compliance Management . It includes practical examples and a straightforward formula to calculate ROI in both hours and dollars, so you can instantly see the measurable benefits automation can bring.

How to Implement Security and Compliance Automation

Here’s a practical roadmap for managed service providers aiming to integrate automation into their vCISO or compliance operations.

- Assess Current Processes: Start by mapping your existing workflows, including onboarding, assessments, remediation planning, and reporting. Identify manual, repetitive tasks that slow you down or create inconsistencies.
- Define Automation Goals: Clarify what you want to achieve through automation, such as reducing task time, increasing capacity, or improving service consistency. Measurable goals help prioritize efforts and guide platform selection.
- Select a Deployment Model: Explore three options: build your own tools, use a GRC platform for compliance, or adopt an all-in-one cybersecurity and compliance management platform like Cynomi. Each varies in complexity, scalability, and resource demands.
- Pilot Before Scaling: Test your automation strategy with a single client or team to identify strengths, challenges, and integration needs before broader rollout.
- Train Teams and Clients: Provide tailored training and maintain open communication to ensure smoother adoption and build confidence in the new platform.
- Measure Impact and Optimize: Track key metrics, such as time saved and reporting turnaround. Use these insights to refine processes and maximize ROI.

Conclusion: Automation Is the New Differentiator

In today’s cybersecurity landscape, automation through AI has become a strategic necessity.

It empowers service providers to streamline operations, deliver consistent value, and scale without increasing overhead. Those who embrace it position themselves to move faster, serve more clients, and elevate their role from technical support to trusted business advisor. Whether you’re just starting out or refining your current approach, The Service Provider’s Guide to Automating Cybersecurity and Compliance Management provides practical insights into current challenges, real-world examples, and guidance on what to automate, what to keep manual, and how to choose the right tools to scale effectively.

This article is a contributed piece from one of our valued partners.

Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises

Phishing-as-a-Service (PhaaS) platforms keep evolving, giving attackers faster and cheaper ways to break into corporate accounts. Now, researchers at ANY.RUN have uncovered a new entrant: Salty2FA, a phishing kit designed to bypass multiple two-factor authentication methods and slip past traditional defenses. Already spotted in campaigns across the US and EU, Salty2FA puts enterprises at risk by targeting industries from finance to energy. Its multi-stage execution chain, evasive infrastructure, and ability to intercept credentials and 2FA codes make it one of the most dangerous PhaaS frameworks seen this year.

Why Salty2FA Raises the Stakes for Enterprises

Salty2FA’s ability to bypass push, SMS, and voice-based 2FA means stolen credentials can lead directly to account takeover. Already aimed at finance, energy, and telecom sectors, the kit turns common phishing emails into high-impact breaches.

Who Is Being Targeted?

ANY.RUN analysts mapped Salty2FA campaigns and found activity spanning multiple regions and industries, with US and EU enterprises most heavily hit.

Region and key targeted industries:

- United States: finance, healthcare, government, logistics, energy, IT consulting, education, construction
- Europe (UK, Germany, Spain, Italy, Greece, Switzerland): telecom, chemicals, energy (including solar), industrial manufacturing, real estate, consulting
- Worldwide / other (India, Canada, France, LATAM): logistics, IT, metallurgy

When Did Salty2FA Start Hitting Enterprises?

Based on data from the ANY.RUN Sandbox and TI, Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April. Confirmed campaigns have been active since late July and continue to this day, generating dozens of fresh analysis sessions daily.

Real-World Case: How Salty2FA Exploits Enterprise Employees

One recent case analyzed by ANY.RUN shows just how convincing Salty2FA can be in practice.

An employee received an email with the subject line “External Review Request: 2025 Payment Correction”, a lure designed to trigger urgency and bypass skepticism. When opened in the ANY.RUN sandbox, the attack chain unfolded step by step: View real-world case of Salty2FA attack Malicious email with Salty2FA attack analyzed inside ANY.RUN sandbox Stage 1: Email lure The email contained a payment correction request disguised as a routine business message. Join 15K+ enterprises worldwide that cut investigation time and stop breaches faster with ANY.RUN Get started now Stage 2: Redirect and fake login The link led to a Microsoft-branded login page, wrapped in Cloudflare checks to bypass automated filters. In the sandbox, ANY.RUN’s Automated Interactivity handled the verification automatically, exposing the flow without manual clicks and cutting investigation time for analysts.

(Figure: Cloudflare verification completed automatically inside ANY.RUN sandbox)

Stage 3: Credential theft
Employee details entered on the page were harvested and exfiltrated to attacker-controlled servers.

(Figure: Fake Microsoft page, ready to steal credentials from victims)

Stage 4: 2FA bypass
If the account had multi-factor authentication enabled, the phishing page prompted for codes and could intercept push, SMS, or even voice call verification.

By running the file in the sandbox, SOC teams could see the full execution chain in real time, from the first click to credential theft and 2FA interception. This level of visibility is critical, because static indicators like domains or hashes mutate daily, but behavioral patterns remain consistent.

Sandbox analysis gives faster confirmation of threats, reduced analyst workload, and better coverage against evolving PhaaS kits like Salty2FA.

Stopping Salty2FA: What SOCs Should Do Next

Salty2FA shows how fast phishing-as-a-service is evolving and why static indicators alone won’t stop it. For SOCs and security leaders, protection means shifting focus to behaviors and response speed:

- Rely on behavioral detection: Track recurring patterns like domain structures and page logic rather than chasing constantly changing IOCs.
- Detonate suspicious emails in a sandbox: Full-chain visibility reveals credential theft and 2FA interception attempts in real time.
- Harden MFA policies: Favor app-based or hardware tokens over SMS and voice, and use conditional access to flag risky logins.
- Train employees on financial lures: Common hooks like “payment correction” or “billing statement” should always raise suspicion.
- Integrate sandbox results into your stack: Feeding live attack data into SIEM/SOAR speeds detection and reduces manual workload.

By combining these measures, enterprises can turn Salty2FA from a hidden risk into a known and manageable threat.

Boost SOC Efficiency with Interactive Sandboxing

Enterprises worldwide are turning to interactive sandboxes like ANY.RUN to strengthen their defenses against advanced phishing kits such as Salty2FA. The results are measurable:

- 3× SOC efficiency by combining interactive analysis and automation.
- Up to 50% faster investigations, cutting time from hours to minutes.
- 94% of users report faster triage, with clearer IOCs and TTPs for confident decision-making.
- 30% fewer Tier 1–Tier 2 escalations, as junior analysts gain confidence and senior staff are freed to focus on critical tasks.

With visibility into 88% of threats in under 60 seconds, enterprises get the speed and clarity they need to stop phishing before it leads to a major breach. Try ANY.RUN today, built for enterprise SOCs that need faster investigations, stronger defenses, and measurable results.

Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations

The House Select Committee on China has formally issued an advisory warning of an “ongoing” series of highly targeted cyber espionage campaigns linked to the People’s Republic of China (PRC) amid contentious U.S.–China trade talks. “These campaigns seek to compromise organizations and individuals involved in U.S.-China trade policy and diplomacy, including U.S. government agencies, U.S. business organizations, D.C. law firms and think tanks, and at least one foreign government,” the committee said. The committee noted that suspected threat actors from China impersonated Republican Party Congressman John Robert Moolenaar in phishing emails sent to trusted counterparts, with the aim of tricking them into opening files and links that would grant the attackers unauthorized access to their systems and sensitive information without their knowledge. The end goal of the attacks was to steal valuable data by abusing software and cloud services to cover up traces of their activity, a tactic often adopted by state-sponsored hackers to evade detection. “This is another example of China’s offensive cyber operations designed to steal American strategy and leverage it against Congress, the Administration, and the American people,” said Moolenaar, who is also the Chairman of the House Select Committee on the Communist Party of China (CCP).

“We will not be intimidated, and we will continue our work to keep America safe.” The statement comes days after a report from The Wall Street Journal, which revealed on September 7, 2025, that several trade groups, law firms, and U.S. government agencies received an email message from Moolenaar asking their input on proposed sanctions against China. “Your insights are essential,” the contents of the message allegedly read, along with an attachment containing a draft version of the legislation that, when launched, deployed malware to gather sensitive data and gain entrenched access to the targeted organizations. The attack is believed to be the work of APT41 , a prolific hacking group known for its targeting of diverse sectors and geographies for cyber espionage.

“China firmly opposes and combats all forms of cyber attacks and cyber crime,” the Chinese embassy in Washington told Reuters in a statement. “We also firmly oppose smearing others without solid evidence.” “By impersonating Rep. Moolenaar (R-MI), a known Beijing critic, the attackers created urgency and legitimacy that encouraged fast responses,” Yejin Jang, vice president of government affairs at Abnormal AI, told The Hacker News. “Political communication extends beyond official government devices or accounts.

Sophisticated adversaries understand this reality and actively exploit it. By masquerading as trusted officials through personal or non-official channels, attackers bypass traditional security controls while amplifying authenticity.” The committee also noted that the campaign follows another spear-phishing campaign in January 2025 that targeted its staffers with emails that falsely claimed to be from the North America representative of ZPMC, a Chinese state-owned crane manufacturer. The attack used fake file-sharing notifications in an attempt to trick the recipients into clicking on a link that’s designed to steal Microsoft 365 login credentials. The adversaries also exploited developer tools to create hidden pathways and covertly exfiltrated data straight to servers under their control.

It’s worth noting that the committee, in September 2024, published an investigative report alleging how ZPMC’s dominance in the ship-to-shore (STS) port crane market could “serve as a Trojan horse” and help the CCP and China exploit and manipulate U.S. maritime equipment and technology at their request. “Based on the targeting, timing, and methods, and consistent with outside assessments, the Committee believes this activity to be CCP state-backed cyber-espionage aimed at influencing U.S. policy deliberations and negotiation strategies to gain an advantage in trade and foreign policy,” it said.


Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts

Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts. The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input validation flaw. Adobe said it’s not aware of any exploits in the wild.

“A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API,” Adobe said in an advisory issued today. The issue impacts the following products and versions:

- Adobe Commerce (all deployment methods): 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, 2.4.4-p15 and earlier
- Adobe Commerce B2B: 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, 1.3.3-p15 and earlier
- Magento Open Source: 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier
- Custom Attributes Serializable module: Versions 0.1.0 to 0.4.0

Adobe, in addition to releasing a hotfix for the vulnerability, said it has deployed web application firewall (WAF) rules to protect environments against exploitation attempts that may target merchants using Adobe Commerce on Cloud infrastructure. “SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024),” e-commerce security company Sansec said. The Netherlands-based firm said it successfully reproduced one possible way to exploit CVE-2025-54236, but noted that there are other possible avenues to weaponize the vulnerability.

“The vulnerability follows a familiar pattern from last year’s CosmicSting attack,” it added. “The attack combines a malicious session with a nested deserialization bug in Magento’s REST API.” “The specific remote code execution vector appears to require file-based session storage. However, we recommend merchants using Redis or database sessions to take immediate action as well, as there are multiple ways to abuse this vulnerability.” Adobe has also shipped fixes to contain a critical path traversal vulnerability in ColdFusion ( CVE-2025-54261 , CVSS score: 9.0) that could lead to an arbitrary file system write. It impacts ColdFusion 2021 (Update 21 and earlier), 2023 (Update 15 and earlier), and 2025 (Update 3 and earlier) on all platforms.


SAP Patches Critical NetWeaver (CVSS Up to 10.0) and High-Severity S/4HANA Flaws

SAP on Tuesday released security updates to address multiple security flaws, including three critical vulnerabilities in SAP NetWeaver that could result in code execution and the upload of arbitrary files. The vulnerabilities are listed below:

- CVE-2025-42944 (CVSS score: 10.0) - A deserialization vulnerability in SAP NetWeaver that could allow an unauthenticated attacker to submit a malicious payload to an open port through the RMI-P4 module, resulting in operating system command execution
- CVE-2025-42922 (CVSS score: 9.9) - An insecure file operations vulnerability in SAP NetWeaver AS Java that could allow an attacker authenticated as a non-administrative user to upload an arbitrary file
- CVE-2025-42958 (CVSS score: 9.1) - A missing authentication check vulnerability in the SAP NetWeaver application on IBM i-series that could allow highly privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privileged functionalities

“[CVE-2025-42944] allows an unauthenticated attacker to execute arbitrary OS commands by submitting a malicious payload to an open port,” Onapsis said. “A successful exploit can lead to full compromise of the application. As a temporary workaround, customers should add P4 port filtering at the ICM level to prevent unknown hosts from connecting to the P4 port.”

Also addressed by SAP is a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916, CVSS score: 8.1) that could permit an attacker with high privilege access to ABAP reports to delete the content of arbitrary database tables, should the tables not be protected by an authorization group.

The patches arrive days after SecurityBridge and Pathlock disclosed that a critical security defect in SAP S/4HANA that was fixed by the company last month (CVE-2025-42957, CVSS score: 9.9) has come under active exploitation in the wild. While there is no evidence that the newly disclosed issues have been weaponized by bad actors, it’s essential that users move to apply the necessary updates as soon as possible for optimal protection.

Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks

Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft’s Direct Send feature to form a “highly efficient attack pipeline” in recent phishing campaigns, according to new findings from ReliaQuest. “Axios user agent activity surged 241% from June to August 2025, dwarfing the 85% growth of all other flagged user agents combined,” the cybersecurity company said in a report shared with The Hacker News. “Out of 32 flagged user agents observed in this timeframe, Axios accounted for 24.44% of all activity.” The abuse of Axios was previously flagged by Proofpoint in January 2025, detailing campaigns utilizing HTTP clients to send HTTP requests and receive HTTP responses from web servers to conduct account takeover (ATO) attacks on Microsoft 365 environments. ReliaQuest told The Hacker News that there is no evidence to suggest these activities are related, adding that the tool is regularly exploited alongside popular phishing kits.

“The usefulness of Axios means it is almost certainly being adopted by all types of threat actors regardless of sophistication levels or motivation,” the company stated. Similarly, phishing campaigns have also been observed increasingly using a legitimate feature in Microsoft 365 (M365) called Direct Send to spoof trusted users and distribute email messages. By pairing Axios abuse with Microsoft Direct Send, attackers weaponize a trusted delivery method to ensure that their messages slip past secure gateways and land in users’ inboxes. Indeed, attacks that paired Axios with Direct Send have been found to achieve a 70% success rate in recent campaigns, surging past non-Axios campaigns with “unparalleled efficiency.” The campaign observed by ReliaQuest is said to have commenced in July 2025, initially singling out executives and managers in finance, health care, and manufacturing sectors, before expanding its focus to target all users.

Calling the approach a game changer for attackers, the company pointed out that the campaign not only bypasses traditional security defenses with improved precision, but also enables attackers to mount phishing operations at an unprecedented scale. In these attacks, Axios is used to intercept, modify, and replay HTTP requests, thereby making it possible to capture session tokens or multi-factor authentication (MFA) codes in real-time or exploit SAS tokens in Azure authentication workflows to gain access to sensitive resources. “Attackers use this blind spot to bypass MFA, hijack session tokens, and automate phishing workflows,” ReliaQuest said. “The customizability offered by Axios lets attackers tailor their activity to further mimic legitimate workflows.” The email messages involve using compensation-themed lures to trick recipients into opening PDF documents containing malicious QR codes, which, when scanned, direct users to fake login pages mimicking Microsoft Outlook to facilitate credential theft.

As an extra layer of defense evasion, some of these pages are hosted on Google Firebase infrastructure to capitalize on the reputation of the app development platform. Besides lowering the technical barrier for sophisticated attacks, Axios’s prevalence in enterprise and developer setups also means that it offers attackers a way to blend in with regular traffic and fly under the radar. To mitigate the risk posed by this threat, organizations are advised to secure Direct Send and disable it if not required, configure appropriate anti-spoofing policies on email gateways, train employees to recognize phishing emails, and block suspicious domains. “Axios amplifies the impact of phishing campaigns by bridging the gap between initial access and full-scale exploitation.

Its ability to manipulate authentication workflows and replay HTTP requests allows attackers to weaponize stolen credentials in ways that are both scalable and precise.” “This makes Axios integral to the rising success of Direct Send phishing campaigns, showing how attackers are evolving beyond traditional phishing tactics to exploit authentication systems and APIs at a level that traditional defenses are ill-equipped to handle.” The development comes as Mimecast detailed a large-scale credential harvesting campaign targeting hospitality industry professionals by impersonating trusted hotel management platforms Expedia Partner Central and Cloudbeds in emails that claim to be guest booking confirmations and partner central notifications. “This credential harvesting operation leverages the routine nature of hotel booking communications,” the company said. “The campaign employs urgent, business-critical subject lines designed to prompt immediate action from hotel managers and staff.” The findings also follow the discovery of an ongoing campaign that has employed a nascent phishing-as-a-service (PhaaS) offering called Salty 2FA to steal Microsoft login credentials and sidestep MFA by simulating six different methods: SMS authentication, authenticator apps, phone calls, push notifications, backup codes, and hardware tokens. The attack chain is notable for leveraging services like Aha[.]io to stage initial landing pages that masquerade as OneDrive sharing notifications to deceive email recipients and trick them into clicking on fake links that redirect to credential harvesting pages, but not before completing a Cloudflare Turnstile verification check to filter automated security tools and sandboxes.

The phishing pages also include other advanced features like geofencing and IP filtering to block traffic from known security vendor IP address ranges and cloud providers, disable shortcuts to launch developer tools in web browsers, and assign new subdomains for each victim session. In incorporating these techniques, the end goal is to complicate analysis efforts. These findings illustrate how phishing attacks have matured into enterprise-grade operations, utilizing advanced evasion tactics and convincing MFA simulations, while exploiting trusted platforms and mimicking corporate portals to make it harder to distinguish between real and fraudulent activity. “The phishing kit implements dynamic branding functionality to enhance social engineering effectiveness,” Ontinue said.

“Technical analysis reveals the malicious infrastructure maintains a corporate theme database that automatically customizes fraudulent login interfaces based on victim email domains.” “Salty 2FA demonstrates how cybercriminals now approach infrastructure with the same methodical planning that enterprises use for their own systems. What makes this particularly concerning is how these techniques blur the line between legitimate and malicious traffic.”
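The ReliaQuest findings in this article rest on one cheap, stable observable: a human in a browser never authenticates with a User-Agent such as axios/1.7.2, so scripted-client sign-ins can be surfaced directly from telemetry even while domains and hashes rotate. The following is an added example, not code from ReliaQuest, Microsoft or The Hacker News. It runs over constructed sample sign-in lines (the record layout and field names are assumed and will differ from a real Entra ID export), flags logins made through scripted HTTP clients, computes per-client growth between two months in the spirit of the 241% figure quoted above, and lists source IPs that authenticated as several distinct accounts, a common account-takeover signature. The set of client product tokens is this example's own choice, not a list from the report.

```python
"""
Surface scripted HTTP-client logins (axios and similar) in sign-in logs.

Added example (not ReliaQuest's or Microsoft's code). The log lines are
constructed for illustration; the record format and field names are assumed
and will differ from real Entra ID sign-in exports, so adapt LINE_RE.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample sign-in records (not real telemetry). RFC 5737 test IPs.
SAMPLE_SIGNINS = [
    '2025-06-03T08:12:44Z user=alice@example.com result=Success ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36"',
    '2025-06-03T08:15:01Z user=bob@example.com result=Success ip=198.51.100.7 ua="axios/1.7.2"',
    '2025-06-10T13:40:19Z user=carol@example.com result=Failure ip=198.51.100.7 ua="axios/1.7.2"',
    '2025-07-22T09:02:55Z user=dave@example.com result=Success ip=192.0.2.44 ua="python-requests/2.32.3"',
    '2025-08-05T17:21:08Z user=erin@example.com result=Success ip=198.51.100.7 ua="axios/1.7.2"',
    '2025-08-06T11:11:11Z user=frank@example.com result=Success ip=198.51.100.9 ua="axios/1.7.2"',
    '2025-08-12T10:05:05Z user=bob@example.com result=Success ip=198.51.100.9 ua="axios/1.7.2"',
    '2025-08-19T16:30:00Z user=alice@example.com result=Success ip=203.0.113.10 ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15"',
    'garbage line that should be skipped',
]

# Assumed record layout: "<ts> user=<upn> result=<Success|Failure> ip=<ip> ua="<ua>"".
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)

# Product tokens that scripted HTTP clients send by default. A browser UA never
# begins with one of these, so a match is a strong "not a human" signal.
HTTP_CLIENT_RE = re.compile(
    r'^(axios|python-requests|node-fetch|go-http-client|curl|okhttp|aiohttp)(?=/|\s|$)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    result: str
    ip: str
    ua: str


def parse_signins(lines):
    """Parse log lines into SignIn records, skipping malformed ones instead of crashing."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append(SignIn(datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                              d["user"], d["result"], d["ip"], d["ua"]))
    return records


def client_family(ua):
    """Lower-cased client name if the UA is a scripted HTTP client, else None."""
    m = HTTP_CLIENT_RE.match(ua)
    return m.group(1).lower() if m else None


def flag_http_client_logins(signins, successful_only=True):
    """(user, ip, family) tuples for sign-ins made through a scripted HTTP client.

    Successful ones are the account-takeover candidates; successful_only=False
    also returns failed attempts, which reveal credential testing.
    """
    hits = []
    for s in signins:
        fam = client_family(s.ua)
        if fam is None or (successful_only and s.result != "Success"):
            continue
        hits.append((s.user, s.ip, fam))
    return hits


def growth_by_family(signins, start_month, end_month):
    """Percent change in scripted-client sign-ins per family between two 'YYYY-MM' months.

    None means the family had no sign-ins in the start month (growth undefined).
    """
    per_month = defaultdict(Counter)
    families = set()
    for s in signins:
        fam = client_family(s.ua)
        if fam is None:
            continue
        families.add(fam)
        per_month[s.ts.strftime("%Y-%m")][fam] += 1
    growth = {}
    for fam in sorted(families):
        start, end = per_month[start_month][fam], per_month[end_month][fam]
        growth[fam] = None if start == 0 else round((end - start) / start * 100, 1)
    return growth


def shared_source_ips(signins, min_users=2):
    """IPs from which a scripted client signed in (or tried to) as several distinct accounts."""
    users_by_ip = defaultdict(set)
    for s in signins:
        if client_family(s.ua) is not None:
            users_by_ip[s.ip].add(s.user)
    return {ip: users for ip, users in users_by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    signins = parse_signins(SAMPLE_SIGNINS)
    for hit in flag_http_client_logins(signins):
        print("scripted-client login:", hit)
    print("growth Jun->Aug:", growth_by_family(signins, "2025-06", "2025-08"))
    print("shared source IPs:", shared_source_ips(signins))
```

The User-Agent check is deliberately anchored at the start of the string and matched on product tokens, so a browser UA that merely mentions a library name elsewhere is not flagged. Treat a hit as a triage signal rather than a verdict: legitimate automation does authenticate with these clients, which is exactly the blind spot the article describes, so the shared-IP and growth views exist to separate a known service account from one source fanning out across many mailboxes.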

RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities

A new Android malware called RatOn has evolved from a basic tool capable of conducting Near Field Communication ( NFC ) relay attacks to a sophisticated remote access trojan with Automated Transfer System ( ATS ) capabilities to conduct device fraud. “RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat,” the Dutch mobile security company said in a report published today. The banking trojan comes fitted with account takeover functions targeting cryptocurrency wallet applications like MetaMask, Trust, Blockchain.com, and Phantom, while also capable of carrying out automated money transfers abusing George Česko, a bank application used in the Czech Republic. Furthermore, it can perform ransomware-like attacks using custom overlay pages and device locking.

It’s worth noting that a variant of the HOOK Android trojan was also observed incorporating ransomware-style overlay screens to display extortion messages. The first sample distributing RatOn was detected in the wild on July 5, 2025, with more artifacts discovered as recently as August 29, 2025, indicating active development work on the part of the operators. RatOn has leveraged fake Play Store listing pages masquerading as an adult-friendly version of TikTok (TikTok 18+) to host malicious dropper apps that deliver the trojan. It’s currently not clear how users are lured to these sites, but the activity has singled out Czech and Slovakian-speaking users.

Once the dropper app is installed, it requests permission from the user to install applications from third-party sources so as to bypass critical security measures imposed by Google to prevent abuse of Android’s accessibility services. The second-stage payload then proceeds to request device administration and accessibility services, as well as permissions to read/write contacts and manage system settings to realize its malicious functionality. This includes granting itself additional permissions as required and downloading a third-stage malware, which is nothing but NFSkate (aka NGate), a variant of a legitimate research tool called NFCGate that can perform NFC relay attacks using a technique called Ghost Tap. The malware family was first documented by ESET in August 2024.

“The account takeover and automated transfer features have shown that the threat actor knows the internals of the targeted applications quite well,” ThreatFabric said, describing the malware as built from scratch and sharing no code similarities with other Android banking malware. That’s not all. RatOn can also serve overlay screens that resemble a ransom note, claiming that users’ phones have been locked for viewing and distributing child pornography and that they need to pay $200 in cryptocurrency to regain access in two hours. It’s suspected that the ransom notes are designed to induce a false sense of urgency and coerce the victim into opening one of the targeted cryptocurrency apps and completing the transaction, thereby allowing the attackers to capture the device PIN code in the process and use it to hijack the accounts without the users’ knowledge.

“Upon corresponding command, RatOn can launch the targeted cryptocurrency wallet app, unlock it using stolen PIN code, click on interface elements which are related to security settings of the app, and on the final step, reveal secret phrases,” ThreatFabric said, detailing its account takeover features. The sensitive data is subsequently recorded by a keylogger component and exfiltrated to an external server under the control of the threat actors, who can then use the seed phrases to obtain unauthorized access to the victims’ accounts and steal cryptocurrency assets. Some notable commands that are processed by RatOn are listed below:

- send_push, to send fake push notifications
- screen_lock, to change the device lock screen timeout to a specified value
- WhatsApp, to launch WhatsApp
- app_inject, to change the list of targeted financial applications
- update_device, to send a list of installed apps with device fingerprint
- send_sms, to send an SMS message using accessibility services
- Facebook, to launch Facebook
- nfs, to download and run the NFSkate APK malware
- transfer, to perform ATS using George Česko
- lock, to lock the device using device administration access
- add_contact, to create a new contact using a specified name and phone number
- record, to launch a screen casting session
- display, to turn on/off screen casting

“The threat actor group initially targeted the Czech Republic, with Slovakia likely being the next country of focus,” ThreatFabric said. “The reason behind concentrating on a single banking application remains unclear.

However, the fact that automated transfers require local banking account numbers suggests that the threat actors may be collaborating with local money mules.”

[Webinar] Shadow AI Agents Multiply Fast — Learn How to Detect and Control Them

⚠️ One click is all it takes. An engineer spins up an “experimental” AI Agent to test a workflow. A business unit connects to automate reporting. A cloud platform quietly enables a new agent behind the scenes.

Individually, they look harmless. But together, they form an invisible swarm of Shadow AI Agents—operating outside security’s line of sight, tied to identities you don’t even know exist. And here’s the uncomfortable truth: every one of them carries infinite risk. Agents impersonating trusted users.

Non-human identities with access you didn’t approve. Data leaking across boundaries you thought were locked down. This isn’t a futuristic threat. It’s happening today, across enterprises everywhere.

And they’re multiplying faster than your governance can catch up. That’s why you can’t miss our upcoming panel: Shadow AI Agents Exposed. Secure your seat now - Register Here.

Why Shadow AI is Exploding

From identity providers to PaaS platforms, it takes almost nothing to spin up an AI Agent—and attackers know it.

That leaves security teams scrambling to answer urgent questions: Who’s launching them? What identities are they tied to? Where are they operating—often in the shadows?

The Panel You Can’t Afford to Miss

Join us for “Shadow AI Agents Exposed — and the Identities that Pull the Strings,” an exclusive panel of experts dissecting the most pressing risks in AI operations.

We’ll break down:

✅ What really counts as an AI Agent (and what doesn’t)
✅ The non-human identities (NHIs) fueling Shadow AI
✅ How and why rogue agents multiply—and where they hide
✅ Detection methods that actually work: from IP tracing to code-level analysis
✅ Simple governance wins that won’t kill innovation

This isn’t theory—it’s a playbook for finding, stopping, and bringing Shadow AI into the light. 👉 Reserve your place now and be part of the conversation before Shadow AI outpaces your defenses. Whether you’re chasing rogue agents today or preparing for the storm tomorrow, you’ll walk away with actionable steps to improve visibility and control—before Shadow AI controls you.

This article is a contributed piece from one of our valued partners.