2025-10-18 AI Startup News
North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware
The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware programs, indicating that the hacking group is actively refining its toolset. That’s according to new findings from Cisco Talos, which said recent campaigns undertaken by the hacking group have seen the functions of BeaverTail and OtterCookie coming closer to each other more than ever, even as the latter has been fitted with a new module for keylogging and taking screenshots. The activity is attributed to a threat cluster that’s tracked by the cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, PurpleBravo, Tenacious Pungsan, UNC5342, and Void Dokkaebi. The development comes as Google Threat Intelligence Group (GTIG) and Mandiant revealed the threat actor’s use of a stealthy technique known as EtherHiding to fetch next-stage payloads from the BNB Smart Chain (BSC) or Ethereum blockchains, essentially turning decentralized infrastructure into a resilient command-and-control (C2) server.
It represents the first documented case of a nation-state actor utilizing the method that has been otherwise adopted by cybercrime groups. Contagious Interview refers to an elaborate recruitment scam that began sometime around late 2022, with the North Korean threat actors impersonating hiring organizations to target job seekers and deceiving them into installing information-stealing malware as part of a supposed technical assessment or coding task, resulting in the theft of sensitive data and cryptocurrency. In recent months, the campaign has undergone several shifts, including leveraging ClickFix social engineering techniques for delivering malware strains such as GolangGhost, PylangGhost, TsunamiKit, Tropidoor, and AkdoorTea. Central to the attacks, however, are malware families known as BeaverTail, OtterCookie, and InvisibleFerret.
BeaverTail and OtterCookie are separate but complementary malware tools, with the latter first spotted in real-world attacks in September 2024. Unlike BeaverTail, which functions as an information stealer and downloader, initial interactions of OtterCookie were designed to contact a remote server and fetch commands to be executed on the compromised host. The activity detected by Cisco Talos concerns an organization headquartered in Sri Lanka. It’s assessed that the company was not intentionally targeted by the threat actors, but rather they had one of their systems infected, likely after a user fell victim to a fake job offer that instructed them to install a trojanized Node.js application called Chessfi hosted on Bitbucket as part of the interview process.
Interestingly, the malicious software includes a dependency via a package called “node-nvm-ssh” published to the official npm repository on August 20, 2025, by a user named “trailer.” The package attracted a total of 306 downloads before it was taken down by the npm maintainers six days later. It’s also worth noting that the npm package in question is one of the 338 malicious Node libraries flagged earlier this week by software supply chain security company Socket as connected to the Contagious Interview campaign. The package, once installed, triggers the malicious behavior by means of a postinstall hook in its package.json file that’s configured to run a custom script called “skip” so as to launch a JavaScript payload (“index.js”), which, in turn, loads another JavaScript file (“file15.js”) responsible for executing the final-stage malware. Further analysis of the tool used in the attack has found that “it had characteristics of BeaverTail and of OtterCookie, blurring the distinction between the two,” security researchers Vanja Svajcer and Michael Kelley said, adding that it incorporated a new keylogging and screenshotting module that uses legitimate npm packages like “node-global-key-listener” and “screenshot-desktop” to capture keystrokes and take screenshots, respectively, and exfiltrate the information to the C2 server.
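The postinstall chain described above (a lifecycle hook that calls a custom script, which in turn starts a JavaScript file) is the kind of thing a dependency audit should surface before code runs. The following is an added example, not code from the Talos report or from the package it describes: it resolves `npm run` indirections in a package.json to the command that finally executes and flags install-time hooks; the sample manifests, script names and the suspicious-command patterns are constructed for the illustration.

```python
"""Audit npm package manifests for install-time lifecycle hooks.

Added example, not code from the Cisco Talos report or the malicious
package it describes. The sample manifests below are constructed to mirror
the chain the report outlines (a postinstall hook running a custom "skip"
script that launches index.js); the script names and commands are
assumptions, not the package's real contents.
"""
import json
import os
import re

# Lifecycle scripts npm runs automatically when a package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command shapes that should not appear in a dependency's install hook.
# This list is an assumption for the example; extend it for your environment.
SUSPICIOUS = re.compile(
    r"\b(node\s+\S+\.js|curl\b|wget\b|powershell\b|bash\b|sh\s+-c\b|eval\b|base64\b)",
    re.IGNORECASE,
)

_RUN = re.compile(r"^npm\s+(?:run|run-script)\s+(\S+)")


def resolve_script(scripts, command, depth=0):
    """Follow `npm run <name>` indirections to the command that finally executes."""
    m = _RUN.match(command.strip())
    if not m or depth > 10:           # depth guard stops self-referential loops
        return command.strip()
    target = scripts.get(m.group(1))
    if target is None:
        return command.strip()        # refers to a script that does not exist
    return resolve_script(scripts, target, depth + 1)


def audit_manifest(manifest):
    """Return (hook, resolved command, suspicious?) for each install hook in one package.json."""
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            resolved = resolve_script(scripts, scripts[hook])
            findings.append((hook, resolved, bool(SUSPICIOUS.search(resolved))))
    return findings


def audit_tree(root):
    """Walk an installed node_modules tree and audit every package.json found."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            path = os.path.join(dirpath, "package.json")
            try:
                with open(path, encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, ValueError):
                continue              # unreadable or malformed manifest: skip it
            findings = audit_manifest(manifest)
            if findings:
                report[manifest.get("name", path)] = findings
    return report


# Constructed sample: a hook that runs a custom "skip" script which starts index.js.
SAMPLE_HOOKED = {
    "name": "example-hooked-package",      # constructed name, not the real package
    "scripts": {"postinstall": "npm run skip", "skip": "node index.js"},
}

# Constructed sample: an ordinary package with only a test script.
SAMPLE_CLEAN = {"name": "example-clean", "scripts": {"test": "jest"}}

if __name__ == "__main__":
    for sample in (SAMPLE_HOOKED, SAMPLE_CLEAN):
        print(sample["name"], audit_manifest(sample))
```

Running `audit_tree("node_modules")` in a project directory lists every dependency that declares an install hook, with the command it ultimately runs.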
At least one version of this new module comes equipped with an auxiliary clipboard monitoring feature to siphon clipboard content. The emergence of the new version of OtterCookie paints a picture of a tool that has evolved from basic data-gathering to a modular program for data theft and remote command execution. Also present in the malware, codenamed OtterCookie v5, are functions akin to BeaverTail to enumerate browser profiles and extensions, steal data from web browsers and cryptocurrency wallets, install AnyDesk for persistent remote access, as well as download a Python backdoor referred to as InvisibleFerret. Some of the other modules present in OtterCookie are listed below -
- Remote shell module, which sends system information and clipboard content to the C2 server and installs the “socket.io-client” npm package to connect to a specific port on the OtterCookie C2 server and receive further commands for execution
- File uploading module, which systematically enumerates all drives and traverses the file system in order to find files matching certain extensions and naming patterns (e.g., metamask, bitcoin, backup, and phrase) to be uploaded to the C2 server
- Cryptocurrency extensions stealer module, which extracts data from cryptocurrency wallet extensions installed on Google Chrome and Brave browsers (the list of extensions targeted partially overlaps with that of BeaverTail)
Furthermore, Talos said it detected a Qt-based BeaverTail artifact and a malicious Visual Studio Code extension containing BeaverTail and OtterCookie code, raising the possibility that the group may be experimenting with new methods of malware delivery.
“The extension could also be a result of experimentation from another actor, possibly even a researcher, who is not associated with Famous Chollima, as this stands out from their usual TTPs,” the researchers noted.
Identity Security: Your First and Last Line of Defense
The danger isn’t that AI agents have bad days — it’s that they never do. They execute faithfully, even when what they’re executing is a mistake. A single misstep in logic or access can turn flawless automation into a flawless catastrophe. This isn’t some dystopian fantasy—it’s Tuesday at the office now.
We’ve entered a new phase where autonomous AI agents act with serious system privileges. They execute code, handle complex tasks, and access sensitive data with unprecedented autonomy. They don’t sleep, don’t ask questions, and don’t always wait for permission. That’s powerful.
That’s also risky. Because today’s enterprise threats go way beyond your garden-variety phishing scams and malware. The modern security perimeter? It’s all about identity management.
Here’s the million-dollar question every CISO should be asking: Who or what has access to your critical systems, can you secure and govern that access, and can you actually prove it?
How identity became the new security perimeter
Remember those old-school security models built around firewalls and endpoint protection? They served their purpose once — but they weren’t designed for the distributed, identity-driven threats we face today. Identity has become the central control point, weaving complex connections between users, systems, and data repositories.
The 2025-2026 SailPoint Horizons of Identity Security report shows that identity management has evolved from a back-office control to mission-critical for the modern enterprise. The explosion of AI agents, automated systems, and non-human identities has dramatically expanded our attack surfaces. These entities are now prime attack vectors. Here’s a sobering reality check: Fewer than 4 in 10 AI agents are governed by identity security policies, leaving a significant gap in enterprise security frameworks.
Organizations without comprehensive identity visibility? They’re not just vulnerable—they’re sitting ducks.
The strategic goldmine of mature identity security
But here’s where it gets interesting. Despite these mounting challenges, there’s a massive opportunity for organizations that get identity security right.
The Horizons of Identity Security report reveals something fascinating: Organizations consistently achieve their highest ROI from identity security programs compared to every other security domain. They rank Identity and Access Management as their top-ROI security investment at twice the rate of other security categories. Why? Because mature identity security pulls double duty—it prevents breaches while driving operational efficiency and enabling new business capabilities.
Organizations with mature identity programs, especially those using AI-driven capabilities and real-time identity data sync, show dramatically better cost savings and risk reduction. Mature organizations are four times more likely to have AI-enabled capabilities like Identity Threat Detection and Response.
The great identity divide
Here’s where things get concerning: There’s a growing chasm between organizations with mature identity programs and those still playing catch-up. The Horizons of Identity Security report shows that 63% of organizations are stuck in early-stage identity security maturity (Horizons 1 or 2).
These organizations aren’t just missing out—they are facing more risk against modern threats. This gap keeps widening because the bar keeps rising. The 2025 framework added seven new capability requirements to address emerging threat vectors. Organizations that aren’t advancing their identity capabilities aren’t just standing still—they’re effectively moving backward.
Organizations experiencing capability regression show significantly lower adoption rates for AI agent identity management. This challenge goes beyond just technology. Only 25% of organizations position IAM as a strategic business enabler—the rest see it as just another security checkbox or compliance requirement. This narrow view severely limits transformative potential and keeps organizations vulnerable to sophisticated attacks.
Time for a reality check
The threat landscape is evolving at breakneck speed, with unprecedented risk levels across all sectors. Identity security has evolved from just another security component into the core of enterprise security. Organizations need to honestly assess their readiness for managing extensive AI agent deployments and automated system access. A proactive assessment of your current identity security posture provides critical insight into organizational readiness and competitive positioning.
Ready to dive deeper? Get the full analysis and strategic recommendations in the 2025-2026 SailPoint Horizons of Identity Security report. This article is a contributed piece from one of our valued partners.
Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices
Cybersecurity researchers have disclosed details of a recently patched critical security flaw in WatchGuard Fireware that could allow unauthenticated attackers to execute arbitrary code. The vulnerability, tracked as CVE-2025-9242 (CVSS score: 9.3), is described as an out-of-bounds write vulnerability affecting Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1. “An out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code,” WatchGuard said in an advisory released last month. “This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.” It has been addressed in the following versions -
- 2025.1 - Fixed in 2025.1.1
- 12.x - Fixed in 12.11.4
- 12.3.1 (FIPS-certified release) - Fixed in 12.3.1_Update3 (B722811)
- 12.5.x (T15 & T35 models) - Fixed in 12.5.13
- 11.x - Reached end-of-life
A new analysis from watchTowr Labs has described CVE-2025-9242 as “all the characteristics your friendly neighbourhood ransomware gangs love to see,” including the fact that it affects an internet-exposed service, is exploitable sans authentication, and can execute arbitrary code on a perimeter appliance.
The vulnerability, per security researcher McCaulay Hudson, is rooted in the function “ike2_ProcessPayload_CERT” present in the file “src/ike/iked/v2/ike2_payload_cert.c” that’s designed to copy a client “identification” to a local stack buffer of 520 bytes, and then validate the provided client SSL certificate. The issue arises as a result of a missing length check on the identification buffer, thereby allowing an attacker to trigger an overflow and achieve remote code execution during the IKE_SA_AUTH phase of the handshake process used to establish a virtual private network (VPN) tunnel between a client and WatchGuard’s VPN service via the IKE key management protocol. “The server does attempt certificate validation, but that validation happens after the vulnerable code runs, allowing our vulnerable code path to be reachable pre-authentication,” Hudson said. watchTowr noted that while WatchGuard Fireware OS lacks an interactive shell such as “/bin/bash,” it’s possible for an attacker to weaponize the flaw and gain control of the instruction pointer register (aka RIP or program counter) to ultimately spawn a Python interactive shell over TCP by leveraging an mprotect() system call, effectively bypassing NX bit (aka no-execute bit) mitigations.
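The root cause above is a payload handler that copies attacker-supplied data into a fixed 520-byte buffer before checking how much data there is. The following added example (not WatchGuard's code) shows the two independent length checks such a handler needs: that the payload's declared length fits the bytes actually received, and that the data fits the fixed destination buffer. The generic payload header layout is taken from RFC 7296; the 520-byte limit comes from the analysis above; treating the CERT payload's certificate data as the “identification” that gets copied is an assumption made for the illustration.

```python
"""Bounds-checked parsing of an IKEv2 CERT payload.

Added example, not WatchGuard's code. The generic payload header (next
payload, critical bit plus reserved bits, 16-bit payload length) follows
RFC 7296 section 3.2; a CERT payload then carries a 1-byte Cert Encoding
followed by the certificate data. ID_BUFFER_LEN is the 520-byte stack
buffer named in the analysis; mapping the certificate data onto that
buffer is an assumption for the illustration.
"""
import struct

GENERIC_HEADER = struct.Struct("!BBH")   # next payload, C|reserved, payload length
HEADER_LEN = GENERIC_HEADER.size          # 4 bytes
ID_BUFFER_LEN = 520                       # fixed-size local buffer from the analysis


class PayloadError(ValueError):
    """Raised for any malformed or over-long payload; the message is dropped."""


def parse_cert_payload(data):
    """Parse one CERT payload at the start of `data`.

    Returns (next_payload, cert_encoding, cert_data, bytes_consumed).
    """
    # Check 1: the declared payload length must lie inside what was received.
    if len(data) < HEADER_LEN:
        raise PayloadError("truncated generic payload header")
    next_payload, _flags, length = GENERIC_HEADER.unpack_from(data)
    if length < HEADER_LEN + 1:           # header plus the 1-byte Cert Encoding
        raise PayloadError("payload length too small")
    if length > len(data):
        raise PayloadError("payload length exceeds received data")

    cert_encoding = data[HEADER_LEN]
    cert_data = data[HEADER_LEN + 1:length]

    # Check 2: the data must fit the fixed-size destination buffer. This is
    # the check the analysis describes as missing; without it an attacker-
    # chosen length writes past the end of the stack buffer.
    if len(cert_data) > ID_BUFFER_LEN:
        raise PayloadError("certificate data exceeds %d-byte buffer" % ID_BUFFER_LEN)

    buf = bytearray(ID_BUFFER_LEN)
    buf[:len(cert_data)] = cert_data      # bounded copy into the fixed buffer
    return next_payload, cert_encoding, bytes(buf[:len(cert_data)]), length


def build_cert_payload(cert_data, cert_encoding=4, next_payload=0):
    """Encode a CERT payload (encoding 4 = X.509 Certificate - Signature)."""
    length = HEADER_LEN + 1 + len(cert_data)
    if length > 0xFFFF:
        raise PayloadError("certificate data too long for the 16-bit length field")
    return GENERIC_HEADER.pack(next_payload, 0, length) + bytes([cert_encoding]) + cert_data


def payload_is_safe(data):
    """True if the payload passes both bounds checks, False if it would be rejected."""
    try:
        parse_cert_payload(data)
        return True
    except PayloadError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one that fills the buffer exactly, one byte too long,
    # and one whose declared length overruns the bytes actually received.
    print(payload_is_safe(build_cert_payload(b"A" * 520)))
    print(payload_is_safe(build_cert_payload(b"A" * 521)))
    print(payload_is_safe(b"\x00\x00\x00\x10\x04xx"))
```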
Once the remote Python shell is obtained, the foothold can be escalated further through a multi-step process to obtain a full Linux shell -
- Directly executing execve within Python in order to remount the filesystem as read/write
- Downloading a BusyBox binary onto the target
- Symlinking /bin/sh to the BusyBox binary
The development comes as watchTowr demonstrated that a now-fixed denial-of-service (DoS) vulnerability impacting Progress Telerik UI for AJAX (CVE-2025-3600, CVSS score: 7.5) can also enable remote code execution depending on the targeted environment. The vulnerability was addressed by Progress Software on April 30, 2025. “Depending on the target codebase – for example, the presence of particular no-argument constructors, finalizers, or insecure assembly resolvers – the impact can escalate to remote code execution,” security researcher Piotr Bazydlo said. Earlier this month, watchTowr’s Sina Kheirkhah also shed light on a critical pre-authenticated command injection flaw in Dell UnityVSA (CVE-2025-36604, CVSS score: 9.8/7.3) that could result in remote command execution.
Dell remediated the vulnerability in July 2025 following responsible disclosure on March 28.
Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign
Microsoft on Thursday disclosed that it revoked more than 200 certificates used by a threat actor it tracks as Vanilla Tempest to fraudulently sign malicious binaries in ransomware attacks. The certificates were “used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware,” the Microsoft Threat Intelligence team said in a post shared on X. The tech giant said it disrupted the activity earlier this month after it was detected in late September 2025. In addition to revoking the certificates, its security solutions have been updated to flag the signatures associated with the fake setup files, Oyster backdoor, and Rhysida ransomware.
Vanilla Tempest (formerly Storm-0832) is the name given to a financially motivated threat actor also called Vice Society and Vice Spider that’s assessed to be active since at least July 2022, delivering various ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida over the years. Oyster (aka Broomstick and CleanUpLoader), on the other hand, is a backdoor that’s often distributed via trojanized installers for popular software such as Google Chrome and Microsoft Teams using bogus websites that users stumble upon when searching for the programs on Google and Bing. “In this campaign, Vanilla Tempest used fake MSTeamsSetup.exe files hosted on malicious domains mimicking Microsoft Teams, for example, teams-download[.]buzz, teams-install[.]run, or teams-download[.]top,” Microsoft said. “Users are likely directed to malicious download sites using search engine optimization (SEO) poisoning.” To sign these installers and other post-compromise tools, the threat actor is said to have used Trusted Signing , as well as SSL[.]com, DigiCert, and GlobalSign code signing services.
Details of the campaign were first disclosed by Blackpoint Cyber last month, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. “This activity highlights the continued abuse of SEO poisoning and malicious advertisements to deliver commodity backdoors under the guise of trusted software,” the company said. “Threat actors are exploiting user trust in search results and well-known brands to gain initial access.” To mitigate such risks, it’s advised to download software only from verified sources and avoid clicking on suspicious links served via search engine ads.
North Korean Hackers Use EtherHiding to Hide Malware Inside Blockchain Smart Contracts
A threat actor with ties to the Democratic People’s Republic of Korea (aka North Korea) has been observed leveraging the EtherHiding technique to distribute malware and enable cryptocurrency theft, marking the first time a state-sponsored hacking group has embraced the method. The activity has been attributed by Google Threat Intelligence Group (GTIG) to a threat cluster it tracks as UNC5342 , which is also known as CL-STA-0240 (Palo Alto Networks Unit 42), DeceptiveDevelopment (ESET), DEV#POPPER (Securonix), Famous Chollima (CrowdStrike), Gwisin Gang (DTEX), Tenacious Pungsan (Datadog), and Void Dokkaebi (Trend Micro). The attack wave is part of a long-running campaign codenamed Contagious Interview , wherein the attackers approach potential targets on LinkedIn by posing as recruiters or hiring managers, and trick them into running malicious code under the pretext of a job assessment after shifting the conversation to Telegram or Discord. The end goal of these efforts is to gain unauthorized access to developers’ machines, steal sensitive data, and siphon cryptocurrency assets – consistent with North Korea’s twin pursuit of cyber espionage and financial gain.
Google said it has observed UNC5342 incorporating EtherHiding – a stealthy approach that involves embedding nefarious code within a smart contract on a public blockchain like BNB Smart Chain (BSC) or Ethereum – since February 2025. In doing so, the attack turns the blockchain into a decentralized dead drop resolver that’s resilient to takedown efforts. Besides resilience, EtherHiding also abuses the pseudonymous nature of blockchain transactions to make it harder to trace who has deployed the smart contract. Complicating matters further, the technique is also flexible in that it allows the attacker who is in control of the smart contract to update the malicious payload at any time (albeit costing an average of $1.37 in gas fees), thereby opening the door to a wide spectrum of threats.
“This development signals an escalation in the threat landscape, as nation-state threat actors are now utilizing new techniques to distribute malware that is resistant to law enforcement take-downs and can be easily modified for new campaigns,” Robert Wallace, consulting leader at Mandiant, Google Cloud, said in a statement shared with The Hacker News. The infection chain triggered following the social engineering attack is a multi-stage process that’s capable of targeting Windows, macOS, and Linux systems with three different malware families -
- An initial downloader that manifests in the form of npm packages
- BeaverTail, a JavaScript stealer that’s responsible for exfiltrating sensitive information, such as cryptocurrency wallets, browser extension data, and credentials
- JADESNOW, a JavaScript downloader that interacts with Ethereum to fetch InvisibleFerret
- InvisibleFerret, a JavaScript variant of the Python backdoor deployed against high-value targets to allow remote control of the compromised host, as well as long-term data theft by targeting MetaMask and Phantom wallets and credentials from password managers like 1Password
In a nutshell, the attack coaxes the victim to run code that executes the initial JavaScript downloader that interacts with a malicious BSC smart contract to download JADESNOW, which subsequently queries the transaction history associated with an Ethereum address to fetch the third-stage payload, in this case the JavaScript version of InvisibleFerret. The malware also attempts to install a portable Python interpreter to execute an additional credential stealer component stored at a different Ethereum address. The findings are significant because of the threat actor’s use of multiple blockchains for EtherHiding activity.
Wallace told The Hacker News that they have not observed DPRK actors distribute fake installers (such as those for video conferencing software like FreeConference as has happened in the past) in conjunction with utilizing smart contracts as a stager for malicious code. “EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends,” Google said. “This technique underscores the continuous evolution of cyber threats as attackers adapt and leverage new technologies to their advantage.”
Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites
A financially motivated threat actor codenamed UNC5142 has been observed abusing blockchain smart contracts as a way to facilitate the distribution of information stealers, such as Atomic (AMOS), Lumma, Rhadamanthys (aka RADTHIEF), and Vidar, targeting both Windows and Apple macOS systems. “UNC5142 is characterized by its use of compromised WordPress websites and ‘EtherHiding,’ a technique used to obscure malicious code or data by placing it on a public blockchain, such as the BNB Smart Chain,” Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. As of June 2025, Google said it flagged about 14,000 web pages containing injected JavaScript that exhibit behavior associated with UNC5142, indicating indiscriminate targeting of vulnerable WordPress sites. However, the tech giant noted that it has not spotted any UNC5142 activity since July 23, 2025, either signaling a pause or an operational pivot.
EtherHiding was first documented by Guardio Labs in October 2023, when it detailed attacks that involved serving malicious code by utilizing Binance’s Smart Chain (BSC) contracts via infected sites serving fake browser update warnings. A crucial aspect that underpins the attack chains is a multi-stage JavaScript downloader dubbed CLEARSHORT that enables the distribution of the malware via the hacked sites. The first stage is a JavaScript malware that’s inserted into the websites to retrieve the second-stage by interacting with a malicious smart contract stored on the BNB Smart Chain (BSC) blockchain. The first stage malware is added to plugin-related files, theme files, and, in some cases, even directly into the WordPress database.
The smart contract, for its part, is responsible for fetching a CLEARSHORT landing page from an external server that, in turn, employs the ClickFix social engineering tactic to deceive victims into running malicious commands on the Windows Run dialog (or the Terminal app on Macs), ultimately infecting the system with stealer malware. The landing pages, typically hosted on a Cloudflare .dev page, are retrieved in an encrypted format as of December 2024.
Figure: CLEARSHORT infection chain
On Windows systems, the malicious command entails the execution of an HTML Application (HTA) file downloaded from a MediaFire URL, which then drops a PowerShell script to sidestep defenses, fetch the encrypted final payload from either GitHub or MediaFire, or their own infrastructure in some cases, and run the stealer directly in memory without writing the artifact to disk. In attacks targeting macOS in February and April 2025, the attackers have been found to utilize ClickFix decoys to prompt the user to run a bash command on Terminal that retrieved a shell script.
The script subsequently uses the curl command to obtain the Atomic Stealer payload from the remote server.
Figure: UNC5142 final payload distribution over time
CLEARSHORT is assessed to be a variant of ClearFake, which was the subject of an extensive analysis by French cybersecurity company Sekoia in March 2025. ClearFake is a rogue JavaScript framework deployed on compromised websites to deliver malware through the drive-by download technique. It’s known to be active since July 2023, with the attacks adopting ClickFix around May 2024.
The abuse of blockchain offers several advantages, as the clever technique not only blends in with legitimate Web3 activity, but also increases the resiliency of UNC5142’s operations against detection and takedown efforts. Google said the threat actor’s campaigns have witnessed considerable evolution over the past year, shifting from a single-contract system to a more sophisticated three-smart contract system beginning in November 2024 for better operational agility, with further refinements observed earlier this January. “This new architecture is an adaptation of a legitimate software design principle known as the proxy pattern, which developers use to make their contracts upgradable,” it explained. “The setup functions as a highly efficient Router-Logic-Storage architecture where each contract has a specific job.
This design allows for rapid updates to critical parts of the attack, such as the landing page URL or decryption key, without any need to modify the JavaScript on compromised websites. As a result, the campaigns are much more agile and resistant to takedowns.” UNC5142 accomplishes this by taking advantage of the mutable nature of a smart contract’s data (it’s worth noting that the program code is immutable once it’s deployed) to alter the payload URL, costing them anywhere between $0.25 and $1.50 in network fees to perform these updates. Further analysis has determined the threat actor’s use of two distinct sets of smart contract infrastructures to deliver stealer malware via the CLEARSHORT downloader. The Main infrastructure is said to have been created on November 24, 2024, whereas the parallel Secondary infrastructure was funded on February 18, 2025.
“The Main infrastructure stands out as the core campaign infrastructure, marked by its early creation and steady stream of updates,” GTIG said. “The Secondary infrastructure appears as a parallel, more tactical deployment, likely established to support a specific surge in campaign activity, test new lures, or simply build operational resilience.” “Given the frequent updates to the infection chain coupled with the consistent operational tempo, high volume of compromised websites, and diversity of distributed malware payloads over the past year and a half, it is likely that UNC5142 has experienced some level of success with their operations.”
LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets
An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure has led to the discovery of a new GNU/Linux rootkit dubbed LinkPro, according to findings from Synacktiv. “This backdoor features functionalities relying on the installation of two eBPF [extended Berkeley Packet Filter] modules, on the one hand to conceal itself, and on the other hand to be remotely activated upon receiving a ‘magic packet,’” security researcher Théo Letailleur said. The infection, per the French cybersecurity company, involved the attackers exploiting an exposed Jenkins server vulnerable to CVE-2024-23897 (CVSS score: 9.8) as the starting point, following which a malicious Docker Hub image named “kvlnt/vv” (now removed) was deployed on several Kubernetes clusters. The Docker image consists of a Kali Linux base along with a folder called “app” containing three files -
- start.sh, a shell script to start the SSH service and execute the remaining two files
- link, an open-source program called vnt that acts as a VPN server and provides proxy capabilities by connecting to vnt.wherewego[.]top:29872, allowing the attacker to connect to the compromised server from anywhere and use it as a proxy to reach other servers
- app, a Rust-based downloader referred to as vGet that receives an encrypted VShell payload from an S3 bucket, which then proceeds to communicate with its own command-and-control (C2) server (56.155.98[.]37) over a WebSocket connection
Also delivered to the Kubernetes nodes were two other malware strains, a dropper embedding another vShell backdoor, and LinkPro, a rootkit written in Golang.
The stealthy malware can operate in either passive (aka reverse) or active (aka forward) mode, depending on its configuration, allowing it to listen for commands from the C2 server only upon receiving a specific TCP packet or directly initiate contact with the server. While the forward mode supports five different communication protocols, including HTTP, WebSocket, UDP, TCP, and DNS, the reverse mode only uses the HTTP protocol. The overall sequence of events unfolds as follows -
- Install the “Hide” eBPF module, which contains eBPF programs of the Tracepoint and Kretprobe types to hide its processes and network activity
- If the “Hide” module installation fails, or if it has been disabled, install the shared library “libld.so” in /etc/ld.so.preload
- If reverse mode is used, install the “Knock” eBPF module, which contains two eBPF programs of the eXpress Data Path (XDP) and Traffic Control (TC) types to ensure that the C2 communication channel is fired only upon the receipt of the magic packet
- Achieve persistence by setting up a systemd service
- Execute C2 commands
- On interruption (SIGHUP, SIGINT, and SIGTERM signals), uninstall the eBPF modules and delete the modified /etc/libld.so and restore it to its original version
To achieve this, LinkPro modifies the “/etc/ld.so.preload” configuration file to specify the path of the libld.so shared library embedded within it with the main objective of concealing various artifacts that could reveal the backdoor’s presence. “Thanks to the presence of the /etc/libld.so path in /etc/ld.so.preload, the libld.so shared library installed by LinkPro is loaded by all programs that require /lib/ld-linux.so,” Letailleur explained.
“This includes all programs that use shared libraries, such as glibc.” “Once libld.so is loaded at the execution of a program, for example /usr/bin/ls, it hooks (before glibc) several libc functions to modify results that could reveal the presence of LinkPro.” The magic packet, per Synacktiv, is a TCP packet with a window size value of 54321. Once this packet is detected, the Knock module saves the source IP address of the packet and an associated expiration date of one hour as its value. The program then keeps an eye out for additional TCP packets whose source IP address matches that of the already saved IP. In other words, the core functionality of LinkPro is to wait for a magic packet to be sent, after which the threat actor has a one-hour window to send commands to a port of their choice.
The Knock module is also designed to modify the incoming TCP packet’s header to replace the original destination port with LinkPro’s listening port (2333), and alter the outgoing packet to replace the source port (2233) with the original port. “The purpose of this maneuver is to allow the operator to activate command reception for LinkPro by going through any port authorized by the front-end firewall,” Synacktiv said. “This also makes the correlation between the front-end firewall logs and the network activity of the compromised host more complex.” The commands supported by LinkPro include executing /bin/bash in a pseudo-terminal, running a shell command, enumerating files and directories, performing file operations, downloading files, and setting up a SOCKS5 proxy tunnel. It’s currently not known who is behind the attack, but it’s suspected that the threat actors are financially motivated.
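To make the Knock gate concrete, here is an added model of its decision logic in Python; it is not Synacktiv’s code and nothing in it is extracted from LinkPro. The constants come from the write-up (magic TCP window 54321, one-hour allow window, listener port 2333, reply source port 2233). The header construction, the in-memory state table and the two-address scenario (RFC 5737 documentation addresses) are constructed for the example, and checksums and TCP options are ignored. A detection engineer can lift the same fields, a window value of 54321 followed by a destination-port swap for traffic from that source, into a sensor rule.

```python
"""Model of LinkPro's "Knock" gate over raw IPv4/TCP headers.

Added example, not Synacktiv's code or the rootkit's. Constants are the ones
reported in the write-up; packet building and the state machine are a
user-space simplification of the XDP (inbound) and TC (outbound) programs.
"""
import socket
import struct

MAGIC_WINDOW = 54321        # TCP window size that arms the gate
KNOCK_TTL_SECONDS = 3600    # operator gets one hour after the knock
LISTEN_PORT = 2333          # LinkPro's real listening port
REPLY_PORT = 2233           # source port of LinkPro's replies before rewrite


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, window: int) -> bytes:
    """Constructed minimal IPv4+TCP header (20+20 bytes); checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract only the fields the Knock programs key on."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not an IPv4/TCP packet")
    sport, dport, _seq, _ack, _off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "window": window}


class KnockGate:
    """Inbound (XDP-side) and outbound (TC-side) decisions, with the one-hour table."""

    def __init__(self):
        self.allowed = {}         # source IP -> expiry timestamp
        self.original_port = {}   # (source IP, sport) -> port the operator really used

    def inbound(self, pkt: bytes, now: float):
        f = parse_ipv4_tcp(pkt)
        if f["window"] == MAGIC_WINDOW:
            self.allowed[f["src"]] = now + KNOCK_TTL_SECONDS
            return ("knock", f["src"])
        expiry = self.allowed.get(f["src"])
        if expiry is None or now >= expiry:
            self.allowed.pop(f["src"], None)      # not armed, or the hour is over
            return ("pass", f["dport"])
        # Armed source: whatever port it chose is swapped for the listener
        self.original_port[(f["src"], f["sport"])] = f["dport"]
        return ("redirect", LISTEN_PORT)

    def outbound(self, pkt: bytes):
        f = parse_ipv4_tcp(pkt)
        key = (f["dst"], f["dport"])
        if f["sport"] == REPLY_PORT and key in self.original_port:
            return ("rewrite", self.original_port[key])   # hide 2233 behind the original port
        return ("pass", f["sport"])


def demo():
    """Constructed scenario: knock, command packet, reply, bystander, expiry."""
    gate = KnockGate()
    operator, host = "203.0.113.10", "192.0.2.5"   # RFC 5737 documentation addresses
    events = [
        gate.inbound(build_ipv4_tcp(operator, host, 40000, 443, MAGIC_WINDOW), now=0),
        gate.inbound(build_ipv4_tcp(operator, host, 40001, 443, 64240), now=10),
        gate.outbound(build_ipv4_tcp(host, operator, REPLY_PORT, 40001, 64240)),
        gate.inbound(build_ipv4_tcp("198.51.100.7", host, 5000, 443, 64240), now=20),
        gate.inbound(build_ipv4_tcp(operator, host, 40002, 443, 64240), now=3600),
    ]
    return events


if __name__ == "__main__":
    for e in demo():
        print(e)
```

Running demo() walks an operator through the knock, a redirected command packet, the rewritten reply, a bystander that is left alone, and the cut-off at the one-hour mark; the firewall in front of the host only ever sees the operator’s chosen port (443 here), which is exactly the correlation gap Synacktiv describes.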
“For its concealment at the kernel level, the rootkit uses eBPF programs of the tracepoint and kretprobe types to intercept the getdents (file hiding) and sys_bpf (hiding its own BPF programs) system calls. Notably, this technique requires a specific kernel configuration (CONFIG_BPF_KPROBE_OVERRIDE),” the company said. “If the latter is not present, LinkPro falls back on an alternative method by loading a malicious library via the /etc/ld.so.preload file to ensure the concealment of its activities in user space.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Architectures, Risks, and Adoption: How to Assess and Choose the Right AI-SOC Platform
Scaling the SOC with AI - Why now?
Security Operations Centers (SOCs) are under unprecedented pressure. According to SACR’s AI-SOC Market Landscape 2025, the average organization now faces around 960 alerts per day, while large enterprises manage more than 3,000 alerts daily from an average of 28 different tools. Nearly 40% of those alerts go uninvestigated, and 61% of security teams admit to overlooking alerts that later proved critical.
The takeaway is clear: the traditional SOC model can’t keep up. AI has now moved from experimentation to execution inside the SOC. 88% of organizations that don’t yet run an AI-driven SOC plan to evaluate or deploy one within the next year. But as more vendors promote “AI-powered SOC automation,” the challenge for security leaders has shifted from awareness to evaluation.
The key question is no longer whether AI belongs in the SOC, but how to measure its real impact and select a platform that delivers value without introducing significant risks. This article provides a practical framework for doing just that. It explores AI-SOC architectures, implementation models, and risks, while outlining phased adoption strategies and the essential questions every organization should ask before choosing a platform.
The Mindset Shift: From Legacy to a Modern SOC
Building an AI-augmented SOC starts with a mindset shift, not a technology purchase.
Legacy SOCs depend on static rules, manual triage, and reactive workflows. Analysts spend hours chasing alerts and fine-tuning detections to manage noise — a model that doesn’t scale and fuels alert fatigue. Modern SOCs operate differently. Analysts move from doing the work to guiding the system —overseeing outcomes, validating AI decisions, and setting the policies that govern automation.
Leaders must also adapt, learning to trust AI to assist analysts without replacing their judgment. The motivation for this shift is straightforward:
- Reduce alert fatigue and prevent missed incidents
- Ensure every alert is investigated
- Improve productivity and scale SOC capacity without expanding headcount
The first step isn’t selecting a platform. It’s evolving the SOC model itself, and defining why the change is necessary.
AI-SOC Architectural Models and Delivery Framework
SACR’s AI-SOC Market Landscape 2025 defines the emerging market across four key dimensions: what the platform automates, how it’s delivered, how it integrates, and where it runs.
1. Functional Domain (What It Automates)
The first dimension describes what part of the SOC life-cycle the platform targets and how advanced its automation is.
Automation / Orchestration (SOAR+) & Agentic SOC
These systems function as the SOC’s central nervous system, coordinating actions across SIEM, EDR, cloud, and ticketing tools. They combine deterministic rules with agentic AI that can reason, enrich alerts, and execute containment steps automatically. Unlike traditional SOAR tools, they move beyond static playbooks, dynamically sequencing responses across multiple systems. Their strength lies in scale and consistency, making them well-suited for complex enterprise or MSSP environments.
Pure-Play Agentic Alert Triage
Focused on the SOC’s most persistent challenge: alert overload. These platforms deploy agentic AI analysts to triage, investigate, and prioritize alerts, filtering false positives and escalating only validated threats. This approach delivers immediate operational value by reducing Tier-1 workload and ensuring that every alert receives at least an initial level of investigation. For many teams, it represents the most practical starting point for adopting AI in the SOC, as it integrates easily with existing tools.
Analyst Co-Pilot / Investigation Assist
Acts as a digital assistant for human analysts. It helps generate queries, summarize evidence, and assemble context during investigations, improving speed and accuracy while keeping human judgment central.
Workflow / Knowledge Replication
Captures how experienced analysts investigate incidents and replays those workflows as repeatable automation. This model scales institutional knowledge and ensures consistency across teams, though it requires time and expert input to train effectively.
2. Implementation Model (How It’s Delivered)
This dimension defines how much control an organization retains over how automation is built, tuned, and maintained. SACR identifies two primary implementation models.
User-Defined / Configurable
These platforms offer partial to full flexibility. Security teams can design and adjust agents, detection logic, and workflows using scripting or low-to-no-code interfaces. The result is a SOC environment customized to internal processes, but one that requires skilled personnel and ongoing maintenance. This model is typically favored by mature enterprises or managed service providers that value adaptability and ownership over simplicity.
Pre-Packaged / Black-Box
Delivered as ready-to-run solutions with vendor-managed agents and prebuilt workflows. These platforms can be deployed quickly, provide fast time-to-value, and benefit from continuous vendor R&D. The trade-off is limited visibility into decision logic and less ability to customize. They are best suited for teams prioritizing ease of use and rapid modernization over granular control.
3. Architecture Type (How It Integrates)
AI-SOC platforms differ in how they integrate into the broader SOC life-cycle and where they source and process data. SACR’s AI-SOC Market Landscape 2025 identifies three primary integration models, with Integrated AI-SOC Platforms emerging as the most comprehensive approach.
Integrated AI-SOC Platforms
These platforms ingest and analyze raw security logs directly, functioning as both an AI-SOC and, in many cases, a SIEM alternative. By maintaining their own data stores, they enable historical baselines, anomaly detection, and retrospective investigation, all within a unified system. The key advantage is full visibility and analytical depth. Integrated platforms reduce dependence on external SIEMs, consolidate triage and response in one control plane, and significantly lower log-storage and licensing costs. This model aligns closely with the industry’s move toward unified operations, where detection, investigation, and response happen in a single workflow instead of across stitched-together tools.
Connected & Overlay Model (on Existing SOC/SIEM)
Adds an intelligent AI layer to current systems via APIs. The platform ingests alerts from tools such as SIEMs, EDRs, and cloud services, then enriches, triages, and reports results back to analysts. Its appeal lies in speed: it delivers value quickly and requires no data migration or infrastructure changes. However, it relies on the quality of upstream alerts and offers limited behavioral analytics, since it typically lacks access to raw telemetry.
Human & Browser-Based Workflow Emulation
This approach replicates how analysts work within existing interfaces, observing their actions and replaying investigations automatically. It helps scale expert knowledge and drive consistency, but requires initial setup and validated analyst workflows to perform effectively.
4. Deployment Model (Where It Runs)
Finally, deployment options determine where the AI-SOC operates and how data is managed.
- SaaS: Hosted entirely by the vendor and accessed over the internet. Fastest to deploy and easiest to maintain.
- BYOC (Bring Your Own Cloud): The vendor provides the AI layer, but data and infrastructure remain in the customer’s cloud environment. This is common for teams balancing compliance with flexibility.
- Air-Gapped On-Prem: Fully isolated deployment for regulated industries or high-security environments where external connectivity is not permitted.
Risks and Considerations When Adopting an AI-SOC Platform
AI-driven SOCs promise efficiency and speed, but also introduce new categories of potential risks.
SACR highlights several, and additional considerations deserve equal attention. Lack of Standardized Benchmarks - There is currently no universally accepted method for measuring AI-SOC accuracy, efficiency, or ROI. Without standardized metrics, vendor comparisons often rely on marketing claims rather than validated outcomes. Opaque Decision-Making (Explainability Risk) - Some systems operate as black boxes, offering little visibility into how alerts are analyzed or classified.
This limits transparency, makes auditing difficult, and can reduce analyst trust in automated outcomes. Compliance and Data Residency - Cloud-hosted AI systems can raise concerns about where data is processed and stored, particularly in regulated sectors. Teams should verify compliance with frameworks such as GDPR, ISO 27001, and local data residency laws. Vendor Lock-In - Integrated platforms that centralize data storage or detection logic can create migration challenges over time.
Clear data export policies and open APIs are essential for maintaining flexibility. Skill Shift and Change Management - AI-SOCs change how analysts work. Teams shift from manual investigation to automation oversight, which can lead to uncertainty or skill gaps if retraining isn’t planned. Structured onboarding and updated workflows are critical for success.
Integration Complexity - Platforms that don’t integrate cleanly with existing SIEM, EDR, and case management systems can add friction instead of reducing it. Evaluating API coverage and interoperability should be part of the selection process. Over-Reliance on Automation - Treating automation as infallible introduces risk. AI systems should complement, not replace, human judgment, with clear escalation and override mechanisms to prevent blind spots.
Model Drift and Update Frequency - AI performance can degrade over time if models aren’t retrained regularly with new threat intelligence and environmental data. Ongoing monitoring and retraining cadence should be confirmed with vendors. Economic Risk - Pricing models that charge by data volume or event ingestion can quickly erode the cost benefits of automation. Evaluating the total cost of ownership across data, users, and response volume is key to long-term sustainability.
Mitigating these risks starts with transparency: selecting solutions that provide explainability, flexible integration, strong governance, and a clear balance between automation and human control.
What to Ask Your AI-SOC Vendor
Selecting the right AI-SOC platform requires a structured, evidence-based evaluation. SACR’s AI-SOC Market Landscape 2025 provides a strong foundation for due diligence, highlighting the questions that help security leaders separate proven capabilities from marketing claims.
Detection and Triage
- What percentage of alerts are triaged automatically versus escalated to analysts?
- How are low-confidence or ambiguous alerts handled to avoid missed detections?
- Can the AI’s reasoning and verdicts be audited by analysts for validation?
These questions help determine how automation interacts with human oversight and how reliably the system maintains coverage without sacrificing accuracy.
Data Ownership and Privacy
- Who retains ownership of ingested data and alerts once inside the platform?
- Where is security data stored, and can customers manage retention, deletion, or export?
Clarifying how data is managed, stored, and controlled ensures compliance with internal governance and external regulatory requirements.
Explainability and Human Control
- Can analysts override AI verdicts or modify investigation outcomes?
- How is analyst feedback incorporated into system retraining or future decisions?
- What safeguards exist to prevent incorrect automated actions or over-escalation?
These questions help confirm the level of transparency, explainability, and human control within the AI’s decision-making loop.
Integration and Tech-stack Fit
- Does the platform integrate with existing SIEM, EDR, identity, and ticketing systems?
- Can it operate within the current SOC workflow without introducing additional interfaces or tool sprawl?
Understanding how the platform fits into the existing security stack helps prevent integration friction and avoid replacing one layer of complexity with another.
Pricing and Scalability
- Is pricing based on data volume, alert count, or user capacity?
- How does cost scale as the organization adds new log sources or increases data velocity?
- What is the expected time to achieve full operational value post-deployment?
Cost structure, scalability, and deployment timelines are key to understanding both immediate and long-term return on investment. An effective vendor evaluation balances technical depth with operational realism. The most important questions are not just about what the AI can do, but also about how it does it, how it fits into existing workflows, and how its decisions can be understood, verified, and improved over time.
AI-SOC Adoption Framework
SACR outlines a straightforward, phased approach to AI-SOC adoption that balances speed with operational trust.
1. Define the AI Strategy - Identify the specific challenges AI should solve, such as alert fatigue, MTTR, or staffing constraints. Align objectives with business outcomes.
2. Select Core Capabilities - Prioritize triage, investigation, response automation, explainability, and data governance.
3. Run a Proof of Concept (POC) - Evaluate performance using real alert data from your environment. Measure improvements in detection and response times.
4. Trust-Building Phase (1–2 Months) - Allow AI to operate in an “assist” mode, while analysts validate its decisions. Implement feedback loops to fine-tune confidence thresholds.
5. Gradual Automation - Enable autonomous response for low-risk events first, then scale up as trust grows.
6. Operationalize and Iterate - Continuously review false positives, analyst feedback, and integration efficiency. Periodically recalibrate models and policies.
Organizations treating AI as a partner, not a replacement, see the most sustainable outcomes.
Measuring Success Over Time
Short-Term (0–3 months)
- Reduction in alert triage length
- Increased alert coverage percentage
- Reduction in alerts per analyst
Mid-Term (3–9 months)
- Shorter mean time to respond (MTTR)
- At least a 35% reduction in false positives and manual investigations
- Reduced analyst burnout and turnover
Long-Term (9 months +)
- Stable automation performance across incident types
- Predictable SOC operating costs
- Improved auditing and compliance reporting
Each metric should relate to a business outcome.
Focusing on high-value work can reduce missed alerts, improve response consistency, and increase analyst productivity.
Conclusion
AI-SOC platforms are reshaping how security teams detect, investigate, and respond to threats at scale. But success depends on more than advanced technology. It requires understanding architectures, evaluating risks, and adopting automation in stages that build trust and transparency. Teams that balance AI-driven efficiency with explainability and human oversight will be best positioned to achieve faster, more resilient security operations. For deeper insights and vendor evaluations, read the full SACR AI-SOC Market Landscape 2025 Report. It offers detailed benchmarks, architectural comparisons, and adoption guidance for security leaders assessing AI-driven solutions.
About Radiant Security
Radiant Security is the unified AI-SOC platform that combines agentic triage, automated response, and integrated log management, eliminating the need to stitch tools together.
The platform is the only AI-SOC that can triage 100% of alerts, regardless of the source, providing complete coverage over the IT infrastructure. Radiant is more like a SOC operating system than a point product, and SACR recognized it as the “most unique value proposition.” It helps security teams scale capacity, improve outcomes, and control costs with complete visibility and analyst oversight. Book a demo to see how Radiant enables faster, smarter, and more cost-effective security operations.
This article is a contributed piece from one of our valued partners.
Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in ‘Zero Disco’ Attacks
Cybersecurity researchers have disclosed details of a new campaign that exploited a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems. The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The intrusions have not been attributed to any known threat actor or group. The shortcoming was patched by Cisco late last month, but not before it was exploited as a zero-day in real-world attacks.
“The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access,” researchers Dove Chiu and Lucien Chuang said. The cybersecurity company also noted that the rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. IOSd runs as a user-space process on the Linux kernel that underpins IOS XE, which is what puts its memory within reach of a Linux rootkit. Another notable aspect of the attacks is that they singled out victims running older Linux systems that do not have endpoint detection and response (EDR) solutions enabled, making it possible to deploy the rootkits and fly under the radar.
In addition, the adversary is said to have used spoofed IP and MAC addresses in their intrusions. The rootkit is commandeered by means of a UDP controller component that can serve as a listener for incoming UDP packets on any port, toggle or disable log history, create a universal password by modifying IOSd memory, bypass AAA authentication, conceal certain portions of the running configuration, and hide changes made to the configuration by altering the timestamp to give the impression that it was never modified. Besides CVE-2025-20352, the threat actors have also been observed attempting to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881 so as to allow memory read/write at arbitrary addresses. However, the exact nature of the functionality remains unclear.
The name “Zero Disco” is a reference to the fact that the implanted rootkit sets a universal password that includes the word “disco” in it – a one-letter change from “Cisco.” “The malware then installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot,” the researchers noted. “Newer switch models provide some protection via Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed.”
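Because CVE-2025-20352 needs valid SNMP credentials, the cheapest exposure reduction while patches roll out is to limit who can reach SNMP on the device and with what rights. The following is an added Python audit of a saved running-config, not Trend Micro’s or Cisco’s tooling: it flags write communities, communities with no ACL or with an ACL that is never defined, default community strings, and v1/v2c use without an SNMPv3 priv group. The two configuration excerpts are constructed for the example, and the regular expressions cover only the common `snmp-server community` / `snmp-server group` / `access-list` syntax; treat them as assumptions, not an exhaustive IOS configuration parser.

```python
"""Audit SNMP exposure in a Cisco IOS/IOS XE running-config.

Added example; the config excerpts are constructed, not captured from a device.
"""
import re

COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?\s+(?P<mode>RO|RW)(?:\s+(?P<acl>\S+))?",
    re.IGNORECASE)
ACL_RE = re.compile(r"^(?:ip )?access-list (?:(?:standard|extended) )?(?P<name>\S+)", re.IGNORECASE)
V3_GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (?P<level>noauth|auth|priv)", re.IGNORECASE)
DEFAULT_STRINGS = {"public", "private"}


def audit_snmp(config: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings, acls, communities, v3_levels = [], set(), [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group("name"))
        elif m := COMMUNITY_RE.match(line):
            communities.append(m.groupdict())
        elif m := V3_GROUP_RE.match(line):
            v3_levels.add(m.group("level").lower())

    for c in communities:
        name, mode, acl = c["name"], c["mode"].upper(), c["acl"]
        if mode == "RW":
            findings.append(f"community '{name}' grants write access (RW)")
        if acl is None:
            findings.append(f"community '{name}' has no ACL: any host can attempt SNMP v1/v2c")
        elif acl not in acls:
            findings.append(f"community '{name}' references undefined ACL {acl}")
        if name.lower() in DEFAULT_STRINGS:
            findings.append(f"community '{name}' is a default/guessable string")
    if communities and "priv" not in v3_levels:
        findings.append("SNMPv1/v2c in use with no SNMPv3 'priv' group configured")
    return findings


# Constructed excerpt showing the weak pattern
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server community netmon RO 99
access-list 10 permit 10.0.0.5
"""

# Constructed excerpt showing the narrowed exposure (still needs the vendor patch)
HARDENED_CONFIG = """\
snmp-server community netmon view restricted RO 10
access-list 10 permit 10.0.0.5
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha AUTHPASS priv aes 128 PRIVPASS
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_snmp(cfg) or ["no findings"]:
            print(" -", f)
```

Run it against `show running-config` output saved to a file. The hardened excerpt only narrows who can attempt the overflow (one management host, read-only, v3 with privacy); it does not remove the bug, so it is a stop-gap beside the fixed release, not a substitute for it.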
Beware the Hidden Costs of Pen Testing
Penetration testing helps organizations ensure IT systems are secure, but it should never be treated in a one-size-fits-all approach. Traditional approaches can be rigid and cost your organization time and money – while producing inferior results. The benefits of pen testing are clear. By empowering “white hat” hackers to attempt to breach your system using similar tools and techniques to an adversary, pen testing can provide reassurance that your IT set-up is secure.
Perhaps more importantly, it can also flag areas for improvement. As the UK’s National Cyber Security Centre (NCSC) notes, it’s comparable to a financial audit. “Your finance team tracks expenditure and income day to day. An audit by an external group ensures that your internal team’s processes are sufficient.” While the advantages are obvious, it’s vital to understand the true cost of the process: indeed, the classic approach can often demand significant time and effort from your team.
You need to get your money’s worth.
Pen testing hidden costs
There’s no one set form of pen test: it depends on what exactly is being tested, how often the pen test occurs, and how it takes place. Nevertheless, there are some common elements of the classic approach that could generate significant costs, both financially and in terms of your employees’ time. Let’s take a look at some of the costs that might not be immediately obvious.
Administrative overheads
There can be significant admin involved in arranging a “traditional” pen test. First, you need to coordinate schedules between your own organization and the testers you’ve hired to conduct the test on your behalf. This can cause significant disruption to your employees, distracting them from their day-to-day tasks. What’s more, you’ll need to develop a clear overview of the resources and assets at your disposal before the test can occur, by gathering system inventories, for instance.
You’ll also need to prepare access credentials for the hackers, depending on the type of pen testing approach you intend to take: for example, the testers may need these credentials to simulate a disgruntled employee targeting your systems from the inside.
Scoping complexity
Again, determining the precise scope of the test is important: what is “in-scope” for the hackers, and what should remain out of scope? This will be determined in-house and built on several factors, depending on the precise needs of the organization; there may be certain applications, for instance, that cannot be included in the test. No matter the reasons, determining the overall scope of the testing will take time.
Of course, this isn’t set in stone: some organizations might deal with highly sophisticated environments, which change over time. You will need to devote resources to assessing the potential impact of these changes – as your environment changes, should you include new elements for the testers to target? All of this raises the risk of “scope creep”, where a pen test grows beyond its original aims, creating additional work – and costs – for both the in-house team and the external testers.
Indirect costs
As we’ve seen, pen testing by its nature can pose significant risks of disruption for your team, including operational disruptions during the testing window.
It’s vital to keep this under control right from the outset. There’s also the time and costs associated with remediation, a somewhat ill-defined phase that could include consultation with the testers to overcome and solve any issues that might have arisen during the pen testing. This could even involve re-testing – launching yet another pen test to check that everything is now safe and secure. All of this can add up to extra time and money for your organization.
Budget management challenges
You’ll also need to consider how you go about paying for the work. For instance, do you opt for a fixed-cost pricing model, where the testers provide a set rate? Or do you go for “time and materials”, where they provide an hourly rate based on estimated hours (or through another measure), but add in anything over these estimates? “There’s a reason it’s so hard to benchmark penetration testing costs: every test with every firm is unique,” notes Network Assured, which provides independent pricing guidance on pen testing and other cybersecurity services.
That being the case, how can you go about getting the best return on investment and optimizing cost effectiveness?
Figure 1: Some factors may not be immediately obvious when talking about the overall cost of a penetration test.
Pen testing as a service (PTaaS)
To ensure you’re getting exactly the pen testing capability you need (at the right cost), an “as-a-service” approach can pay dividends. Such an approach can be customized to your needs, reducing the risks of unnecessary efforts.
For example, Outpost24’s CyberFlex combines the strengths of our Pen-testing-as-a-service (PTaaS) and External Attack Surface Management (EASM) solutions, providing continuous coverage of the application attack surface on a flexible consumption model. This enables organizations to have full insight into their costs and capabilities, all while achieving the discovery, prioritization, and reporting they require. Pen testing is crucial to defend your organization’s systems, but a cutting-edge capability doesn’t have to cost the world. By taking a smart approach, based on delivering the services you need at the right time, you can discover the vulnerabilities you need to address, without causing undue disruption or incurring unnecessary costs.
Book a live CyberFlex demo today. This article is a contributed piece from one of our valued partners.
ThreatsDay Bulletin: $15B Crypto Bust, Satellite Spying, Billion-Dollar Smishing, Android RATs & More
The online world is changing fast. Every week, new scams, hacks, and tricks show how easy it’s become to turn everyday technology into a weapon. Tools made to help us work, connect, and stay safe are now being used to steal, spy, and deceive. Hackers don’t always break systems anymore — they use them.
They hide inside trusted apps, copy real websites, and trick people into giving up control without even knowing it. It’s no longer just about stealing data — it’s about power, money, and control over how people live and communicate. This week’s ThreatsDay issue looks at how that battle is unfolding — where criminals are getting smarter, where defenses are failing, and what that means for anyone living in a connected world.
Crypto empire built on slavery
Historic Operation Targets SE Asian Scam Networks with $15B Seizure
The U.S. government has seized $15 billion (approximately 127,271 bitcoin) worth of cryptocurrency assets from one of the world’s largest operators of forced-labor scam compounds across Cambodia, Myanmar, and Laos, which are known to conduct romance baiting (aka pig butchering or Shā Zhū Pán) schemes to defraud victims under the pretext of increased returns. The perpetrators, operating from the scam compounds under the threat of violence, often built relationships with their victims over time, earning their trust before stealing their funds. The Department of Justice (DoJ) unsealed an indictment against the Prince Group and its 38-year-old CEO, Chen Zhi (aka Vincent). “Individuals held against their will in the compounds engaged in cryptocurrency investment fraud schemes, known as ‘pig butchering’ scams, that stole billions of dollars from victims in the United States and around the world,” the DoJ said.
“Trafficked workers were confined in prison-like compounds and forced to carry out online scams on an industrial scale, preying on thousands worldwide.” Zhi, the alleged kingpin behind the sprawling cybercrime empire, is at large. The department also said the seized funds represent “proceeds and instrumentalities of the defendant’s fraud and money laundering schemes” and were stored in unhosted cryptocurrency wallets whose private keys the defendant had in his possession. The compounds operated out of casinos and luxury hotels owned by the Group. Some of the stolen proceeds were spent on luxury goods, including yachts, private jets, art, and even a Picasso painting.
In tandem, the U.S. and the U.K. designated Prince Group as a transnational criminal organization and announced sanctions against the defendant. Other proxy organizations targeted by the sanctions include Jin Bei Group, Golden Fortune Resorts World, and Byex Exchange.
Elliptic said the $15 billion seized by the U.S. was “stolen” in 2020 from LuBian, a bitcoin mining business with operations in China and Iran. LuBian, per the blockchain analytics company, was one of the ostensibly legal business enterprises overseen by Prince Group. “Pig butchering has exploded into an industrialized fraud economy generating tens of billions of dollars annually,” Infoblox said.
“Sophisticated Asian crime syndicates have proven adept at spinning up hundreds of disposable websites in minutes, overwhelming governments that cannot detect or block them fast enough to shield victims.”
WhatsApp worm fuels banking theft
Maverick Banker Targets Brazil in Mass Campaign
Kaspersky has revealed that the newly discovered banking trojan dubbed Maverick, which targets Brazilian users via a WhatsApp worm named SORVEPOTEL, shares many code overlaps with Coyote. “Once installed, the trojan uses the open-source project WPPConnect to automate the sending of messages in hijacked accounts via WhatsApp Web, taking advantage of the access to send the malicious message to contacts,” the Russian security vendor said. “The Maverick trojan checks the time zone, language, region, and date and time format on infected machines to ensure the victim is in Brazil; otherwise, the malware will not be installed.” The malware monitors victims’ access to 26 Brazilian bank websites, six cryptocurrency exchange websites, and one payment platform to facilitate credential theft. It also comes with capabilities to fully control the infected computer, take screenshots, install a keylogger, control the mouse, block the screen when accessing a banking website, terminate processes, and open phishing pages in an overlay.
Kaspersky said it has blocked 62,000 infection attempts using the malicious LNK file shared via WhatsApp in the first 10 days of October in Brazil alone, indicating a large-scale campaign.
Unencrypted sky leaks intelligence
Scanning Satellites to Steal Secrets
A new study from a team of academics from the University of Maryland and the University of California, San Diego has found that it’s possible to intercept and spy on the traffic of 39 geostationary satellites carrying communications for the U.S. military, telecommunications firms, major businesses, and other organizations, using a consumer-grade satellite dish installed on the roof of their building. Intercepted data comprised mobile carrier calls and text messages, VoIP call audio, login credentials, corporate emails, inventory records, and ATM networking information belonging to retail, financial, and banking companies, military and government secrets associated with coastal vessel surveillance, and web browsing activities of in-flight Wi-Fi users.
“A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens’ voice calls and SMS, and consumer Internet traffic from in-flight wifi and mobile networks,” the researchers said. “This data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware.” Following disclosure, T-Mobile has moved to encrypt its satellite communications.

Old protocols, new breach path
Abusing Legacy Windows Protocols for Credential Theft
Legacy Windows communication protocols such as NetBIOS Name Service (NBT-NS) and Link-Local Multicast Name Resolution (LLMNR) continue to expose organizations to credential theft without the need to exploit any software vulnerability. “The weakness of LLMNR and NBT-NS is that they accept responses from any device without authentication,” Resecurity said.
“This allows an attacker on the same subnet to respond to name resolution requests and trick a system into sending authentication attempts. Using tools such as Responder, the attacker can capture NTLMv2 hashes, usernames, and domain details, which can then be cracked offline or relayed to other services.” Because Windows falls back to LLMNR or NBT-NS when it cannot resolve a hostname through DNS, that fallback is what opens the door to LLMNR and NBT-NS poisoning. “By simply being on the same subnet, an attacker can impersonate trusted systems, capture NTLMv2 hashes, and potentially recover cleartext credentials,” the company added. “From there, they gain the ability to access sensitive data, move laterally, and escalate privileges without ever exploiting a software vulnerability.” To guard against the threat, it’s advised to disable LLMNR and NBT-NS, enforce secure authentication methods such as Kerberos, and harden LDAP and Active Directory against NTLM relay attacks.
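The fallback behaviour described above is also what makes poisoning detectable: a deliberately bogus name that no host on the network owns should never receive an LLMNR answer, so any reply to such a canary query means something on the subnet is answering arbitrary name lookups. The Python below is an added example for this write-up, not code from Resecurity or from any of the tools it names. It builds a canary LLMNR query in the protocol’s DNS-style wire format, parses the response, and flags an answer for the canary. The canary name, the transaction ID and the sample response from 192.0.2.10 are constructed for the example.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR multicast group (RFC 4795)
LLMNR_PORT = 5355


def encode_name(name):
    """Encode a dotted host name as DNS-style length-prefixed labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, offset):
    """Decode a DNS-style name starting at offset; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:            # compression pointer: follow it and stop
            pointer = ((length & 0x3F) << 8) | data[offset]
            offset += 1
            name, _ = decode_name(data, pointer)
            labels.append(name)
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_llmnr_query(txid, name, qtype=1):
    """LLMNR query: 12-byte DNS-like header plus one question (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_llmnr_response(data):
    """Parse header, question and answer sections of an LLMNR message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions, answers = [], []
    for _ in range(qdcount):
        qname, offset = decode_name(data, offset)
        qtype, _ = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(ancount):
        aname, offset = decode_name(data, offset)
        atype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if atype == 1 and rdlen == 4:        # A record: render the IPv4 address
            rdata = socket.inet_ntoa(rdata)
        answers.append((aname, atype, ttl, rdata))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def is_poisoning_response(canary_name, txid, data):
    """True if this message answers our canary name: nothing legitimate owns it."""
    resp = parse_llmnr_response(data)
    if not resp["is_response"] or resp["txid"] != txid:
        return False
    return any(name.lower() == canary_name.lower() for name, _, _, _ in resp["answers"])


def probe_for_poisoner(canary_name, timeout=2.0):
    """Send the canary query to the LLMNR group; return the addresses that answered."""
    txid = 0x1234                            # fixed for the example; randomize in production
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(txid, canary_name), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(2048)
            if is_poisoning_response(canary_name, txid, data):
                hits.append(src)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


# Constructed sample: the reply a responder at 192.0.2.10 would send to our canary query.
CANARY = "fs-canary-7f3a"
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8000, 1, 1, 0, 0)
    + encode_name(CANARY) + struct.pack("!HH", 1, 1)
    + encode_name(CANARY) + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("192.0.2.10")
)

if __name__ == "__main__":
    print("sample flagged:", is_poisoning_response(CANARY, SAMPLE_TXID, SAMPLE_RESPONSE))
    print("hosts answering the canary on this subnet:", probe_for_poisoner(CANARY))
```

Run probe_for_poisoner from one host per subnet on a schedule and alert on any non-empty result; the answering address is the host to investigate. This complements rather than replaces the mitigation the report recommends: the DNS Client policy “Turn off multicast name resolution” disables LLMNR, and NetBIOS over TCP/IP is disabled per network adapter, after which the canary query should go unanswered everywhere.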
Checkout code harvests payment data
Unity Website Compromised With Skimmer
Hundreds of users are estimated to have had their sensitive information stolen through a compromised website belonging to video game software development company Unity Technologies. The malicious skimmer, injected into the checkout page of Unity SpeedTree, was designed to harvest the information entered by individuals who made purchases on the SpeedTree site, including name, address, email address, payment card number, and access code. According to a filing with the Maine Attorney General’s Office, the incident impacted 428 individuals. The affected customers are being notified and offered free credit monitoring and identity protection services.
The breach was discovered on August 26, 2025.

Fake texts fund global fraud
U.S. Smishing Attacks Prove to Be a Money-Spinner
Smishing campaigns carried out by Chinese cybercrime groups that distribute fake SMS messages to U.S. users about package deliveries and toll road payments have made more than $1 billion over the last three years, The Wall Street Journal reported, citing the Department of Homeland Security.
The scam, made possible via phishing kits sold on Telegram, is designed to steal victims’ credit card details and then use them in Google and Apple Wallets in Asia and the U.S. to make unauthorized purchases, such as gift cards, iPhones, clothing, and cosmetics. The messages are sent via SIM farms, with about 200 SIM boxes operating in at least 38 farms across the U.S. According to Proofpoint, as many as 330,000 toll scam messages were sent to Americans in a single day last month.
A previous report from SecAlliance in August 2025 noted that Chinese smishing syndicates may have compromised between 12.7 million and 115 million payment cards in the U.S. alone between July 2023 and October 2024. The criminal ecosystem has since evolved to include the sale of pre-positioned devices loaded with stolen cards, a shift in how the stolen data is monetized.

Mac users tricked by clones
Fake Homebrew Sites Distribute Stealer Malware
A sophisticated campaign targeting macOS users has employed fake Homebrew installer websites (homebrewfaq[.]org, homebrewclubs[.]org, and homebrewupdate[.]org) that deliver malicious payloads.
The attack exploits the widespread trust users place in the popular Homebrew package manager by creating pixel-perfect replicas of the official brew[.]sh installation page and combining them with deceptive clipboard manipulation. The spoofed sites incorporate hidden JavaScript that injects additional commands into the user’s clipboard, without their knowledge, at the moment they copy the install command from the page, so what is pasted into the terminal is not what was displayed. It’s assessed that the attack chain is being used to deliver Odyssey Stealer. Previous campaigns have used fake Homebrew pages to trick users into installing Cuckoo Stealer.
Nation-state hacks surge sharply
U.K. Warns of Spike in Significant Cyber Incidents
The U.K.’s National Cyber Security Centre (NCSC) reported 204 “nationally significant” cyber incidents between September 2024 and August 2025. The number represents a 130% increase compared to the previous year, when U.K. organizations faced 89 incidents of such high impact.
Of these, 18 were classified as highly significant incidents. The disclosure comes as Bloomberg revealed that Chinese state actors systematically and successfully compromised classified U.K. government computer systems for more than a decade, accessing low- and medium-level classified information. The data accessed included confidential documents relating to the formulation of government policy, private communications, and some diplomatic cables, the report added.
Signed firmware enables bootkits
Framework Systems Affected by BombShell Flaws
Around 200,000 Linux computer systems from American computer maker Framework have been found to ship with signed UEFI shell components that could be exploited to bypass Secure Boot protections. An attacker could take advantage of the issues to load bootkits that evade operating system-level security controls and survive reinstalls of the operating system. The vulnerabilities have been codenamed BombShell by Eclypsium. “At the heart of this issue is a seemingly innocent command: mm (memory modify),” the firmware security company said.
“This command, present in many UEFI shells, provides direct read and write access to system memory. While this capability is essential for legitimate diagnostics, it’s also the perfect tool for bypassing every security control in the system.” Framework has released security updates to address the vulnerabilities.

Phishing uses SVGs to deliver AsyncRAT in Colombia
Colombian Users Targeted by AsyncRAT
Cybercriminals have unleashed a sophisticated phishing campaign targeting Colombian users through deceptive judicial notifications, deploying a multi-stage malware delivery chain that ends in AsyncRAT. The campaign employs carefully crafted Spanish-language emails impersonating official correspondence from the Colombian court system, informing recipients of purported lawsuits filed against them and tricking them into opening SVG file attachments. The SVGs lead to fake landing pages offering a document for download; that document is an HTML Application (HTA) that triggers a series of interim payloads culminating in AsyncRAT.
Smarter defenses, simpler recovery
Google Combats Scams with New Safety Measures
Google has added new protections to Google Messages and new account recovery methods to secure people against scams. This includes blocking users from visiting links shared in Messages that have been flagged as spam, unless users explicitly mark the texts as “not spam.” The company has also added the option to regain access to a Google Account by means of a “Sign in with Mobile Number” option. “All you need is the lock-screen passcode from your previous device for verification, no password needed,” it said. Another new feature is Recovery Contacts, which lets users choose trusted friends or family members to make it easier to recover access to the account if they are locked out, for example after a device is stolen.
Last but not least, Google said it’s also making Key Verifier available to all Android 10+ users for an extra layer of security when chatting via Google Messages, by ensuring that users are communicating with the person they intend to and not somebody else.

Shipment lures drop stealth loaders
PhantomVAI Loader Delivers Malware in Phishing Campaigns
A C# malware loader called PhantomVAI Loader is being distributed via phishing emails bearing shipment lures to deliver stealers and remote access trojans like AsyncRAT, XWorm, Formbook, and DCRat. “The loader initially used in these campaigns was dubbed Katz Stealer Loader [aka VMDetectLoader], for the Katz Stealer malware that it delivers,” Palo Alto Networks Unit 42 said. “Hackers are selling this new infostealer on underground forums as malware as a service (MaaS).” Phishing campaigns deploying PhantomVAI Loader have targeted a wide spectrum of sectors globally, including manufacturing, education, utilities, technology, healthcare, and government.
The phishing emails contain zipped JavaScript or Visual Basic Script files that launch PowerShell, which drops the loader disguised as a GIF image; the loader then runs virtual machine checks, establishes persistence, and injects the next-stage payload into MSBuild.exe using a technique called process hollowing.

Evolving kit evades MFA
New Whisper 2FA Phishing Kit Behind 1 Million Phishing Attempts
A nascent toolkit named Whisper 2FA has emerged as the third most common phishing-as-a-service (PhaaS) offering after Tycoon and EvilProxy. Barracuda said it has detected close to a million Whisper 2FA attacks targeting Microsoft accounts across multiple large phishing campaigns in the last month. Whisper 2FA has been found to share similarities with another PhaaS kit named Salty 2FA.
“Whisper 2FA’s defining trait is its ability to steal credentials multiple times through a real-time credential exfiltration loop enabled by a web technology known as AJAX (Asynchronous JavaScript and XML),” security researcher Deerendra Prasad said. “The attackers keep the loop going until they obtain a valid multi-factor authentication token.” The phishing kit is assessed to be under active development, with the authors progressively adding more layers of obfuscation and protections to block debugging tools and crash browser inspection tools. “As phishing kits like this continue to evolve, organizations need to move past static defenses and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and threat intelligence sharing,” Prasad added.

Teen extortionists plot return
Scattered Lapsus$ Hunters Bid Adieu for Now
The Scattered Lapsus$ Hunters (SLSH) cybercrime group, comprised primarily of English-speaking teenagers and combining elements of Scattered Spider, LAPSUS$, and ShinyHunters, has announced it will go dark until 2026 following the FBI’s seizure of its clearnet data leak site.
“As per the exceptional circumstances by which the FBI tried to obliterate our legacy, we’ve exceptionally decided to temporarily renounce to oblivion [sic] and promptly hack them back,” one member wrote on October 11. “We shall now dissolve again in the ether. Good night.” In a follow-up message, it said: “I promise you, you will feel our wrath.” The extortion crew has since published data allegedly belonging to six of the 39 targeted companies, including Qantas, Albertsons, GAP, Vietnam Airlines, Fujifilm, and Engie Resources, per DataBreaches.net.

Legit software, criminal control
How Threat Actors Abuse RMM Tools
Cybersecurity researchers have documented a rise in cyber attacks that abuse remote monitoring and management (RMM) tools for initial access, starting with phishing emails posing as alerts about a fake login to the recipients’ ConnectWise ScreenConnect instances.
Advanced persistent threat (APT) groups and ransomware crews have leveraged legitimate RMM platforms, including AnyDesk, ScreenConnect, UltraViewer, AppAnywhere, RustDesk, CloneDesk, Splashtop, and TightVNC, to gain unauthorized control of systems. The researchers found that threat actors are also exploiting ScreenConnect’s legitimate features, such as unattended access and interactive desktop control, to establish persistence and move laterally within compromised networks. “Their administrative power, combined with custom installers, invite links, and public URLs, makes them high-value targets,” DarkAtlas said.

Fake exchanges face global takedown
Authorities Seize >1K Domains in Connection With Crypto Fraud
German and Bulgarian authorities have seized 1,406 websites that were used for perpetrating large-scale financial scams.
The sites, taken offline at the start of the month, lured users to invest in cryptocurrency on fraudulent trading platforms and then disappeared with their funds. Officials said the platforms did not have the necessary permission from BaFin to provide financial or securities services and banking transactions. They also said more than 866,000 attempts to access the sites were recorded over a period of ten days after they were seized on October 3, 2025, underscoring the attackers’ success in pulling off the scheme. In mid-June 2025, around 800 illegal domains were blocked as part of a similar effort.
Kernel exploit chain neutralized
Flaws in NVIDIA’s GPU Linux Drivers Fixed
NVIDIA has rolled out fixes for two vulnerabilities in its Display Driver for Linux (CVE-2025-23280 and CVE-2025-23330) that can be triggered by an attacker controlling a local unprivileged process to achieve kernel read and write primitives. Quarkslab, which discovered and reported the flaws in June 2025, has released a complete proof-of-concept exploit.

Spyware evolves with builder tools
Two New Android RATs Detailed
Cyble and iVerify have detailed two new Android malware families called GhostBat RAT and HyperRat that can steal sensitive data from compromised devices. “Operators can fetch logs, send notifications, dispatch an SMS from the infected user’s SIM, download archived messages, inspect the call log, view or modify granted permissions, browse installed applications, and even establish a VNC session,” iVerify security researcher Daniel Kelley said about HyperRat.
The web-based command-and-control (C2) panel supports building custom APK files, serving fake login overlays atop installed apps, and launching downstream spam or phishing campaigns via a mass-messaging button. GhostBat RAT, on the other hand, has been observed targeting Indian Android users via bogus apps distributed through WhatsApp and SMS messages containing links to compromised websites and GitHub. Once installed, the malware uses phishing pages to capture banking credentials and UPI PINs. It can also exfiltrate SMS messages containing banking-related keywords, and select variants include cryptocurrency mining capabilities.
“The GhostBat RAT samples included multi-stage dropper workflows, native binary packing, deliberate corruption/manipulation of ZIP headers, runtime anti-emulation checks, and heavy string obfuscation, complicating reverse engineering,” Cyble noted.

Massive laundering ring dismantled
Brazil Dismantles $540 Million Crypto Laundering Network
Brazilian law enforcement authorities have disrupted a sophisticated criminal network accused of laundering about $540 million. The sweeping operation, codenamed Lusocoin, saw 13 searches and 11 temporary arrests, as well as the seizure of six luxury vehicles and six high-value properties. Assets totaling more than 3 billion Brazilian reais (about $540 million) have been subjected to court-ordered freezes.
Officials said the network operated as an international money-laundering and foreign-exchange evasion scheme, converting illicit profits from drug trafficking, smuggling, tax evasion, and even terrorism financing into cryptocurrency assets to hide the source of funds. In all, the group is believed to have moved more than $9 billion through its ecosystem of shell companies, exchanges, and digital wallets.

Cloud tracing repurposed for control
Abusing AWS X-Ray for C2
New research has found that it’s possible to leverage Amazon’s distributed application tracing service AWS X-Ray as a covert C2 server, essentially repurposing cloud monitoring infrastructure for bidirectional communication. “AWS X-Ray was designed to help developers understand application performance by collecting traces,” security researcher Dhiraj Mishra said.
“However, X-Ray annotations can store arbitrary key-value data, and the service provides APIs to both write and query this data.” An attacker can weaponize this behavior to implant a beacon on the target system and subsequently control it by issuing an HTTP PUT request containing a Base64-encoded command to the X-Ray service’s “/TraceSegments” endpoint; the victim machine fetches the malicious trace during its polling phase, then decodes and executes the embedded command. The results of the command execution are exfiltrated back to the X-Ray service, allowing the attacker to retrieve the result traces with an HTTP GET request to the “/TraceSummaries” endpoint.

CMS bugs expose enterprise data
Security Flaws in Adobe Experience Manager
Seven security vulnerabilities (CVE-2025-54246 through CVE-2025-54252) have been disclosed in Adobe Experience Manager that could result in security feature bypass and allow attackers to gain unauthorized read/write access. The issues, which were reported by Searchlight Cyber’s Assetnote team in June 2025, were fixed by Adobe last month.
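Returning to the AWS X-Ray technique described above: both legs of that channel depend on annotations carrying data the instrumented application never wrote, which is the property a defender can check for. The Python below is an added example for this write-up, not code from Mishra’s research or from AWS. It inspects trace segment documents (the JSON shape the service accepts) for annotation keys outside an assumed allowlist, values that decode as Base64 text, and long high-entropy strings. EXPECTED_ANNOTATION_KEYS, the service name, the segment and trace IDs, and the two sample segments are all constructed for the example.

```python
import base64
import binascii
import json
import math
import re

# Assumed allowlist: the annotation keys this (fictional) application legitimately emits.
# In practice derive it from the instrumented code or from a baseline of historical traces.
EXPECTED_ANNOTATION_KEYS = {"customer_id", "region", "http_status"}

# Base64 alphabet, at least 16 characters, optional padding.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def shannon_entropy(text):
    """Bits per character; random-looking blobs score higher than natural text."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_if_base64_text(value):
    """Return the decoded text if value is valid Base64 for printable text, else None."""
    if not isinstance(value, str) or not BASE64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\n\t" for ch in text):
        return text
    return None


def inspect_segment(segment_doc):
    """Inspect one segment document (JSON string) and return findings on its annotations."""
    seg = json.loads(segment_doc)
    findings = []
    for key, value in (seg.get("annotations") or {}).items():
        reasons = []
        if key not in EXPECTED_ANNOTATION_KEYS:
            reasons.append("unexpected-key")
        decoded = decode_if_base64_text(value)
        if decoded is not None:
            reasons.append("base64-text")
        if isinstance(value, str) and len(value) >= 32 and shannon_entropy(value) > 4.5:
            reasons.append("high-entropy")
        if reasons:
            findings.append({"segment": seg.get("id"), "name": seg.get("name"),
                             "key": key, "decoded": decoded, "reasons": reasons})
    return findings


def scan_segments(segment_docs):
    """Run inspect_segment over a batch of documents, e.g. one polling window."""
    out = []
    for doc in segment_docs:
        out.extend(inspect_segment(doc))
    return out


# Constructed samples. The first is what a normally instrumented request emits; the second
# carries a Base64 payload under a key the application never uses.
BENIGN_SEGMENT = json.dumps({
    "name": "orders-api", "id": "0123456789abcdef",
    "trace_id": "1-5f84c7a1-0123456789abcdef01234567",
    "start_time": 1700000000.0, "end_time": 1700000000.2,
    "annotations": {"customer_id": "c-1001", "region": "eu-west-1", "http_status": 200},
})
TASKING_SEGMENT = json.dumps({
    "name": "orders-api", "id": "fedcba9876543210",
    "trace_id": "1-5f84c7a1-0123456789abcdef01234567",
    "start_time": 1700000001.0, "end_time": 1700000001.0,
    "annotations": {"cmd": base64.b64encode(b"hostname && uptime").decode("ascii")},
})

if __name__ == "__main__":
    for finding in scan_segments([BENIGN_SEGMENT, TASKING_SEGMENT]):
        print(finding)
```

The heuristics are deliberately simple and will need tuning per application (a legitimate opaque token under an allowed key can trip the entropy check), so the allowlist is the strongest of the three signals. Pair the scan with IAM scoping: the beacon needs xray:PutTraceSegments and the operator needs xray:GetTraceSummaries, so restricting those actions to the roles that actually emit and read traces removes the channel rather than just observing it.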
There is no evidence that the AEM flaws were exploited in the wild.

Biometric data misuse resolved
Google Settles Privacy Lawsuit
Google has reached a settlement agreement over its use of an open-source dataset named Diversity in Faces that allegedly contained images of people from the U.S. state of Illinois for training its facial recognition algorithms in violation of the Biometric Information Privacy Act (BIPA). The dataset was created in 2019 by IBM to address existing biases in overwhelmingly light-skinned and male-dominated facial datasets.
According to plaintiffs, some of the images were pulled from a Flickr dataset that featured biometric data of people from Illinois. The terms of the settlement were not disclosed. The case was originally filed in 2020, with lawsuits also filed against Amazon and Microsoft for similar violations.

Dirty crypto saturates blockchain
On-Chain Balances Tied to Criminal Activity Exceed $75B
A new report from Chainalysis has revealed that cryptocurrency balances linked to illicit activity exceed $75 billion.
This includes about $15 billion held directly by illicit entities and more than $60 billion in wallets with downstream exposure to those entities. “Darknet market administrators and vendors alone control over $40 billion in on-chain value,” the blockchain intelligence firm said. Earlier this year, Chainalysis disclosed that more than $40 billion in cryptocurrency was laundered in 2024 alone, most of it through wallets and mixers that leave no trace in standard compliance systems.

The line between safe and exposed online is thinner than ever.
What used to be rare, complex attacks are now everyday events, run by organized groups who treat cybercrime like a business. It’s no longer just about protecting devices — it’s about protecting people, trust, and truth in a digital world that never stops moving. Staying secure doesn’t mean chasing every headline. It means understanding how these threats work, paying attention to the small signs, and not letting convenience replace caution.
The same tools that make life easier can turn against us — but awareness is still the best defense. Stay alert, stay curious, and don’t assume safety — build it.
CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Adobe Experience Manager to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2025-54253 (CVSS score: 10.0), a maximum-severity misconfiguration bug that could result in arbitrary code execution. According to Adobe, the shortcoming impacts Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier.
It was addressed in version 6.5.0-0108, released in early August 2025, alongside CVE-2025-54254 (CVSS score: 8.6). Details of the two vulnerabilities were disclosed by Searchlight Cyber researchers Adam Kues and Shubham Shah in July 2025, describing CVE-2025-54253 as an “authentication bypass to [remote code execution] chain via Struts2 devmode” and CVE-2025-54254 as an XML external entity (XXE) injection within AEM Forms web services. “The flaw results from the dangerously exposed /adminui/debug servlet, which evaluates user-supplied OGNL expressions as Java code without requiring authentication or input validation,” security company FireCompass noted. “The endpoint’s misuse enables attackers to execute arbitrary system commands with a single crafted HTTP request.” There is currently no information publicly available on how the security flaw is being exploited in real-world attacks, although Adobe acknowledged in its advisory that “CVE-2025-54253 and CVE-2025-54254 have a publicly available proof-of-concept.” In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary fixes by November 5, 2025.
The development comes a day after CISA also added a critical improper authentication vulnerability in SKYSEA Client View (CVE-2016-7836, CVSS score: 9.8) to the KEV catalog. Japan Vulnerability Notes (JVN), in an advisory released in late 2016, said “attacks exploiting this vulnerability have been observed in the wild.” “SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program,” the agency said.