2025-10-19 AI Startup News

New .NET CAPI Backdoor Targets Russian Auto and E-Commerce Firms via Phishing ZIPs

Cybersecurity researchers have shed light on a new campaign that has likely targeted the Russian automobile and e-commerce sectors with a previously undocumented .NET malware dubbed CAPI Backdoor. According to Seqrite Labs, the attack chain involves distributing phishing emails containing a ZIP archive as a way to trigger the infection. The cybersecurity company’s analysis is based on the ZIP artifact that was uploaded to the VirusTotal platform on October 3, 2025. Present with the archive is a decoy Russian-language document that purports to be a notification related to income tax legislation and a Windows shortcut (LNK) file.

The LNK file, which has the same name as the ZIP archive (i.e., “Перерасчет заработной платы 01.10.2025”), is responsible for the execution of the .NET implant (“adobe.dll”) using a legitimate Microsoft binary named “rundll32.exe,” a living-off-the-land (LotL) technique known to be adopted by threat actors. The backdoor, Seqrite noted, comes with functions to check if it’s running with administrator-level privileges, gather a list of installed antivirus products, and open the decoy document as a ruse, while it stealthily connects to a remote server (“91.223.75[.]96”) to receive further commands for execution. The commands allow CAPI Backdoor to steal data from web browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox; take screenshots; collect system information; enumerate folder contents; and exfiltrate the results back to the server. It also attempts to run a long list of checks to determine if it’s a legitimate host or a virtual machine, and makes use of two methods to establish persistence, including setting up a scheduled task and creating a LNK file in the Windows Startup folder to automatically launch the backdoor DLL copied to the Windows Roaming folder.

Seqrite’s assessment that the threat actor is targeting the Russian automobile sector is down to the fact that one of the domains linked to the campaign is named carprlce[.]ru, which appears to impersonate the legitimate “carprice[.]ru.” “The malicious payload is a .NET DLL that functions as a stealer and establishes persistence for future malicious activities,” researchers Priya Patel and Subhajeet Singha said.

Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia via HoldingHands RAT

The threat actors behind a malware family known as Winos 4.0 (aka ValleyRAT) have expanded their targeting footprint from China and Taiwan to target Japan and Malaysia with another remote access trojan (RAT) tracked as HoldingHands RAT (aka Gh0stBins). “The campaign relied on phishing emails with PDFs that contained embedded malicious links,” Pei Han Liao, researcher with Fortinet’s FortiGuard Labs, said in a report shared with The Hacker News. “These files masqueraded as official documents from the Ministry of Finance and included numerous links in addition to the one that delivered Winos 4.0.” Winos 4.0 is a malware family that’s often spread via phishing and search engine optimization (SEO) poisoning, directing unsuspecting users to fake websites masquerading as popular software like Google Chrome, Telegram, Youdao, Sogou AI, WPS Office, and DeepSeek, among others. The use of Winos 4.0 is primarily linked to an “aggressive” Chinese cybercrime group known as Silver Fox, which is also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne.

Last month, Check Point attributed the threat actor to the abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disabling security software installed on compromised hosts. Then weeks later, Fortinet shed light on another campaign that took place in August 2025, leveraging SEO poisoning to distribute HiddenGh0st and modules associated with the Winos malware. Silver Fox’s targeting of Taiwan and Japan with HoldingHands RAT was also documented by the cybersecurity company and a security researcher named somedieyoungZZ back in June, with the attackers employing phishing emails containing booby-trapped PDF documents to activate a multi-stage infection that ultimately deploys the trojan. It’s worth noting at this stage that both Winos 4.0 and HoldingHands RAT are inspired by another RAT malware referred to as Gh0st RAT, which had its source code leaked in 2008 and has since been widely adopted by various Chinese hacking groups.

Fortinet said it identified PDF documents posing as a tax regulation draft for Taiwan that included a URL to a Japanese language web page (“twsww[.]xin/download[.]html”), from where victims are prompted to download a ZIP archive responsible for delivering HoldingHands RAT. Further investigation has uncovered attacks targeting China that have utilized taxation-themed Microsoft Excel documents as lures, some dating back to March 2024, to distribute Winos. Recent phishing campaigns, however, have shifted their focus to Malaysia, using fake landing pages to deceive recipients into downloading HoldingHands RAT. The starting point is an executable claiming to be an excise audit document.

It’s used to sideload a malicious DLL, which functions as a shellcode loader for “sw.dat,” a payload that’s designed to run anti-virtual machine (VM) checks, enumerate active processes against a list of security products from Avast, Norton, and Kaspersky, and terminate them if found, escalate privileges, and terminate the Task Scheduler. It also drops several other files in the system’s C:\Windows\System32 folder -

- svchost.ini, which contains the Relative Virtual Address (RVA) of VirtualAlloc function
- TimeBrokerClient.dll, the legitimate TimeBrokerClient.dll renamed as BrokerClientCallback.dll
- msvchost.dat, which contains the encrypted shellcode
- system.dat, which contains the encrypted payload
- wkscli.dll, an unused DLL

“The Task Scheduler is a Windows service hosted by svchost.exe that allows users to control when specific operations or processes are run,” Fortinet said. “The Task Scheduler’s recovery setting is configured to restart the service one minute after it fails by default.” “When the Task Scheduler is restarted, svchost.exe is executed and loads the malicious TimeBrokerClient.dll. This trigger mechanism does not require the direct launch of any process, making behavior-based detection more challenging.”

The primary function of “TimeBrokerClient.dll” is to allocate memory for the encrypted shellcode within “msvchost.dat” by invoking the VirtualAlloc() function using the RVA value specified in “svchost.ini.” In the next stage, “msvchost.dat” decrypts the payload stored in “system.dat” to retrieve the HoldingHands payload. HoldingHands is equipped to connect to a remote server, send host information to it, send a heartbeat signal every 60 seconds to maintain the connection, and receive and process attacker-issued commands on the infected system. These commands allow the malware to capture sensitive information, run arbitrary commands, and download additional payloads. A new feature addition is a new command that makes it possible to update the command-and-control (C2) address used for communications via a Windows Registry entry.

Operation Silk Lure Targets China with ValleyRAT

The development comes as Seqrite Labs detailed an ongoing email-based phishing campaign that has leveraged C2 infrastructure hosted in the U.S., targeting Chinese companies in the fintech, cryptocurrency, and trading platform sectors to ultimately deliver Winos 4.0. The campaign has been codenamed Operation Silk Lure, owing to its China-related footprint. “The adversaries craft highly targeted emails impersonating job seekers and send them to HR departments and technical hiring teams within Chinese firms,” researchers Dixit Panchal, Soumen Burma, and Kartik Jivani said. “These emails often contain malicious .LNK (Windows shortcut) files embedded within seemingly legitimate résumés or portfolio documents. When executed, these .LNK files act as droppers, initiating the execution of payloads that facilitate initial compromise.”

The LNK file, when launched, runs PowerShell code to download a decoy PDF resume, while stealthily dropping three additional payloads to the “C:\Users\<user>\AppData\Roaming\Security” location and executing it. The PDF resumes are localized and tailored for Chinese targets so as to increase the likelihood of success of the social engineering attack. The payloads dropped are as follows -

- CreateHiddenTask.vbs, which creates a scheduled task to launch “keytool.exe” every day at 8:00 a.m.
- keytool.exe, which uses DLL side-loading to load jli.dll
- jli.dll, a malicious DLL that launches the Winos 4.0 malware encrypted and embedded within keytool.exe

“The deployed malware establishes persistence within the compromised system and initiates various reconnaissance operations,” the researchers said. “These include capturing screenshots, harvesting clipboard contents, and exfiltrating critical system metadata.” The trojan also comes with various techniques to evade detection, including attempting to uninstall detected antivirus products and terminating network connections associated with security programs such as Kingsoft Antivirus, Huorong, or 360 Total Security to interfere with their regular functions. “This exfiltrated information significantly elevates the risk of advanced cyber espionage, identity theft, and credential compromise, thereby posing a serious threat to both organizational infrastructure and individual privacy,” the researchers added.

North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware

The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware programs, indicating that the hacking group is actively refining its toolset. That’s according to new findings from Cisco Talos, which said recent campaigns undertaken by the hacking group have seen the functions of BeaverTail and OtterCookie coming closer to each other more than ever, even as the latter has been fitted with a new module for keylogging and taking screenshots. The activity is attributed to a threat cluster that’s tracked by the cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, PurpleBravo, Tenacious Pungsan, UNC5342, and Void Dokkaebi. The development comes as Google Threat Intelligence Group (GTIG) and Mandiant revealed the threat actor’s use of a stealthy technique known as EtherHiding to fetch next-stage payloads from the BNB Smart Chain (BSC) or Ethereum blockchains, essentially turning decentralized infrastructure into a resilient command-and-control (C2) server.

It represents the first documented case of a nation-state actor utilizing the method that has been otherwise adopted by cybercrime groups. Contagious Interview refers to an elaborate recruitment scam that began sometime around late 2022, with the North Korean threat actors impersonating hiring organizations to target job seekers and deceiving them into installing information-stealing malware as part of a supposed technical assessment or coding task, resulting in the theft of sensitive data and cryptocurrency. In recent months, the campaign has undergone several shifts, including leveraging ClickFix social engineering techniques for delivering malware strains such as GolangGhost, PylangGhost, TsunamiKit, Tropidoor, and AkdoorTea. Central to the attacks, however, are malware families known as BeaverTail, OtterCookie, and InvisibleFerret.

BeaverTail and OtterCookie are separate but complementary malware tools, with the latter first spotted in real-world attacks in September 2024. Unlike BeaverTail, which functions as an information stealer and downloader, initial interactions of OtterCookie were designed to contact a remote server and fetch commands to be executed on the compromised host. The activity detected by Cisco Talos concerns an organization headquartered in Sri Lanka. It’s assessed that the company was not intentionally targeted by the threat actors, but rather they had one of their systems infected, likely after a user fell victim to a fake job offer that instructed them to install a trojanized Node.js application called Chessfi hosted on Bitbucket as part of the interview process.

Interestingly, the malicious software includes a dependency via a package called “node-nvm-ssh” published to the official npm repository on August 20, 2025, by a user named “trailer.” The package attracted a total of 306 downloads, before it was taken down by the npm maintainers six days later. It’s also worth noting that the npm package in question is one of the 338 malicious Node.js libraries flagged earlier this week by software supply chain security company Socket as connected to the Contagious Interview campaign. The package, once installed, triggers the malicious behavior by means of a postinstall hook in its package.json file that’s configured to run a custom script called “skip” so as to launch a JavaScript payload (“index.js”), which, in turn, loads another JavaScript (“file15.js”) responsible for executing the final-stage malware. Further analysis of the tool used in the attack has found that “it had characteristics of BeaverTail and of OtterCookie, blurring the distinction between the two,” security researchers Vanja Svajcer and Michael Kelley said, adding it incorporated a new keylogging and screenshotting module that uses legitimate npm packages like “node-global-key-listener” and “screenshot-desktop” to capture keystrokes and take screenshots, respectively, and exfiltrate the information to the C2 server.

At least one version of this new module comes equipped with an auxiliary clipboard monitoring feature to siphon clipboard content. The emergence of the new version of OtterCookie paints a picture of a tool that has evolved from basic data-gathering to a modular program for data theft and remote command execution. Also present in the malware, codenamed OtterCookie v5, are functions akin to BeaverTail to enumerate browser profiles and extensions, steal data from web browsers and cryptocurrency wallets, install AnyDesk for persistent remote access, as well as download a Python backdoor referred to as InvisibleFerret. Some of the other modules present in OtterCookie are listed below -

- Remote shell module, which sends system information and clipboard content to the C2 server and installs the “socket.io-client” npm package to connect to a specific port on the OtterCookie C2 server and receive further commands for execution
- File uploading module, which systematically enumerates all drives and traverses the file system in order to find files matching certain extensions and naming patterns (e.g., metamask, bitcoin, backup, and phrase) to be uploaded to the C2 server
- Cryptocurrency extensions stealer module, which extracts data from cryptocurrency wallet extensions installed on Google Chrome and Brave browsers (the list of extensions targeted partially overlaps with that of BeaverTail)

Furthermore, Talos said it detected a Qt-based BeaverTail artifact and a malicious Visual Studio Code extension containing BeaverTail and OtterCookie code, raising the possibility that the group may be experimenting with new methods of malware delivery.

“The extension could also be a result of experimentation from another actor, possibly even a researcher, who is not associated with Famous Chollima, as this stands out from their usual TTPs,” the researchers noted.

Identity Security: Your First and Last Line of Defense

The danger isn’t that AI agents have bad days — it’s that they never do. They execute faithfully, even when what they’re executing is a mistake. A single misstep in logic or access can turn flawless automation into a flawless catastrophe. This isn’t some dystopian fantasy—it’s Tuesday at the office now.

We’ve entered a new phase where autonomous AI agents act with serious system privileges. They execute code, handle complex tasks, and access sensitive data with unprecedented autonomy. They don’t sleep, don’t ask questions, and don’t always wait for permission. That’s powerful.

That’s also risky. Because today’s enterprise threats go way beyond your garden-variety phishing scams and malware. The modern security perimeter? It’s all about identity management.

Here’s the million-dollar question every CISO should be asking: Who or what has access to your critical systems, can you secure and govern that access, and can you actually prove it?

How identity became the new security perimeter

Remember those old-school security models built around firewalls and endpoint protection? They served their purpose once — but they weren’t designed for the distributed, identity-driven threats we face today. Identity has become the central control point, weaving complex connections between users, systems, and data repositories.

The 2025-2026 SailPoint Horizons of Identity Security report shows that identity management has evolved from a back-office control to mission-critical for the modern enterprise. The explosion of AI agents, automated systems, and non-human identities has dramatically expanded our attack surfaces. These entities are now prime attack vectors. Here’s a sobering reality check: Fewer than 4 in 10 AI agents are governed by identity security policies, leaving a significant gap in enterprise security frameworks.

Organizations without comprehensive identity visibility? They’re not just vulnerable—they’re sitting ducks.

The strategic goldmine of mature identity security

But here’s where it gets interesting. Despite these mounting challenges, there’s a massive opportunity for organizations that get identity security right.

The Horizons of Identity Security report reveals something fascinating: Organizations consistently achieve their highest ROI from identity security programs compared to every other security domain. They rank Identity and Access Management as their top-ROI security investment at twice the rate of other security categories. Why? Because mature identity security pulls double duty—it prevents breaches while driving operational efficiency and enabling new business capabilities.

Organizations with mature identity programs, especially those using AI-driven capabilities and real-time identity data sync, show dramatically better cost savings and risk reduction. Mature organizations are four times more likely to have AI-enabled capabilities like Identity Threat Detection and Response.

The great identity divide

Here’s where things get concerning: There’s a growing chasm between organizations with mature identity programs and those still playing catch-up. The Horizons of Identity Security report shows that 63% of organizations are stuck in early-stage identity security maturity (Horizons 1 or 2).

These organizations aren’t just missing out—they are facing more risk against modern threats. This gap keeps widening because the bar keeps rising. The 2025 framework added seven new capability requirements to address emerging threat vectors. Organizations that aren’t advancing their identity capabilities aren’t just standing still—they’re effectively moving backward.

Organizations experiencing capability regression show significantly lower adoption rates for AI agent identity management. This challenge goes beyond just technology. Only 25% of organizations position IAM as a strategic business enabler—the rest see it as just another security checkbox or compliance requirement. This narrow view severely limits transformative potential and keeps organizations vulnerable to sophisticated attacks.

Time for a reality check

The threat landscape is evolving at breakneck speed, with unprecedented risk levels across all sectors. Identity security has evolved from just another security component into the core of enterprise security. Organizations need to honestly assess their readiness for managing extensive AI agent deployments and automated system access. A proactive assessment of your current identity security posture provides critical insight into organizational readiness and competitive positioning.

Ready to dive deeper? Get the full analysis and strategic recommendations in the 2025-2026 SailPoint Horizons of Identity Security report. This article is a contributed piece from one of our valued partners.

Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices

Cybersecurity researchers have disclosed details of a recently patched critical security flaw in WatchGuard Fireware that could allow unauthenticated attackers to execute arbitrary code. The vulnerability, tracked as CVE-2025-9242 (CVSS score: 9.3), is described as an out-of-bounds write vulnerability affecting Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1. “An out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code,” WatchGuard said in an advisory released last month. “This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.” It has been addressed in the following versions -

- 2025.1 - Fixed in 2025.1.1
- 12.x - Fixed in 12.11.4
- 12.3.1 (FIPS-certified release) - Fixed in 12.3.1_Update3 (B722811)
- 12.5.x (T15 & T35 models) - Fixed in 12.5.13
- 11.x - Reached end-of-life

A new analysis from watchTowr Labs has described CVE-2025-9242 as “all the characteristics your friendly neighbourhood ransomware gangs love to see,” including the fact that it affects an internet-exposed service, is exploitable sans authentication, and can execute arbitrary code on a perimeter appliance.

The vulnerability, per security researcher McCaulay Hudson, is rooted in the function “ike2_ProcessPayload_CERT” present in the file “src/ike/iked/v2/ike2_payload_cert.c” that’s designed to copy a client “identification” to a local stack buffer of 520 bytes, and then validate the provided client SSL certificate. The issue arises as a result of a missing length check on the identification buffer, thereby allowing an attacker to trigger an overflow and achieve remote code execution during the IKE_SA_AUTH phase of the handshake process used to establish a virtual private network (VPN) tunnel between a client and WatchGuard’s VPN service via the IKE key management protocol. “The server does attempt certificate validation, but that validation happens after the vulnerable code runs, allowing our vulnerable code path to be reachable pre-authentication,” Hudson said. WatchTowr noted that while WatchGuard Fireware OS lacks an interactive shell such as “/bin/bash,” it’s possible for an attacker to weaponize the flaw and gain control of the instruction pointer register (aka RIP or program counter) to ultimately spawn a Python interactive shell over TCP by leveraging an mprotect() system call, effectively bypassing NX bit (aka no-execute bit) mitigations.

Once the remote Python shell is obtained, the foothold can be escalated further through a multi-step process to obtain a full Linux shell -

- Directly executing execve within Python in order to remount the filesystem as read/write
- Downloading a BusyBox busybox binary onto the target
- Symlinking /bin/sh to the BusyBox binary

The development comes as watchTowr demonstrated that a now-fixed denial-of-service (DoS) vulnerability impacting Progress Telerik UI for AJAX (CVE-2025-3600, CVSS score: 7.5) can also enable remote code execution depending on the targeted environment. The vulnerability was addressed by Progress Software on April 30, 2025. “Depending on the target codebase – for example, the presence of particular no-argument constructors, finalizers, or insecure assembly resolvers – the impact can escalate to remote code execution,” security researcher Piotr Bazydlo said. Earlier this month, watchTowr’s Sina Kheirkhah also shed light on a critical pre-authenticated command injection flaw in Dell UnityVSA (CVE-2025-36604, CVSS score: 9.8/7.3) that could result in remote command execution.

Dell remediated the vulnerability in July 2025 following responsible disclosure on March 28.

Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign

Microsoft on Thursday disclosed that it revoked more than 200 certificates used by a threat actor it tracks as Vanilla Tempest to fraudulently sign malicious binaries in ransomware attacks. The certificates were “used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware,” the Microsoft Threat Intelligence team said in a post shared on X. The tech giant said it disrupted the activity earlier this month after it was detected in late September 2025. In addition to revoking the certificates, its security solutions have been updated to flag the signatures associated with the fake setup files, Oyster backdoor, and Rhysida ransomware.

Vanilla Tempest (formerly Storm-0832) is the name given to a financially motivated threat actor also called Vice Society and Vice Spider that’s assessed to be active since at least July 2022, delivering various ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida over the years. Oyster (aka Broomstick and CleanUpLoader), on the other hand, is a backdoor that’s often distributed via trojanized installers for popular software such as Google Chrome and Microsoft Teams using bogus websites that users stumble upon when searching for the programs on Google and Bing. “In this campaign, Vanilla Tempest used fake MSTeamsSetup.exe files hosted on malicious domains mimicking Microsoft Teams, for example, teams-download[.]buzz, teams-install[.]run, or teams-download[.]top,” Microsoft said. “Users are likely directed to malicious download sites using search engine optimization (SEO) poisoning.” To sign these installers and other post-compromise tools, the threat actor is said to have used Trusted Signing, as well as SSL[.]com, DigiCert, and GlobalSign code signing services.

Details of the campaign were first disclosed by Blackpoint Cyber last month, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. “This activity highlights the continued abuse of SEO poisoning and malicious advertisements to deliver commodity backdoors under the guise of trusted software,” the company said. “Threat actors are exploiting user trust in search results and well-known brands to gain initial access.” To mitigate such risks, it’s advised to download software only from verified sources and avoid clicking on suspicious links served via search engine ads.

North Korean Hackers Use EtherHiding to Hide Malware Inside Blockchain Smart Contracts

A threat actor with ties to the Democratic People’s Republic of Korea (aka North Korea) has been observed leveraging the EtherHiding technique to distribute malware and enable cryptocurrency theft, marking the first time a state-sponsored hacking group has embraced the method. The activity has been attributed by Google Threat Intelligence Group (GTIG) to a threat cluster it tracks as UNC5342, which is also known as CL-STA-0240 (Palo Alto Networks Unit 42), DeceptiveDevelopment (ESET), DEV#POPPER (Securonix), Famous Chollima (CrowdStrike), Gwisin Gang (DTEX), Tenacious Pungsan (Datadog), and Void Dokkaebi (Trend Micro). The attack wave is part of a long-running campaign codenamed Contagious Interview, wherein the attackers approach potential targets on LinkedIn by posing as recruiters or hiring managers, and trick them into running malicious code under the pretext of a job assessment after shifting the conversation to Telegram or Discord. The end goal of these efforts is to gain unauthorized access to developers’ machines, steal sensitive data, and siphon cryptocurrency assets – consistent with North Korea’s twin pursuit of cyber espionage and financial gain.

Google said it has observed UNC5342 incorporating EtherHiding – a stealthy approach that involves embedding nefarious code within a smart contract on a public blockchain like BNB Smart Chain (BSC) or Ethereum – since February 2025. In doing so, the attack turns the blockchain into a decentralized dead drop resolver that’s resilient to takedown efforts. Besides resilience, EtherHiding also abuses the pseudonymous nature of blockchain transactions to make it harder to trace who has deployed the smart contract. Complicating matters further, the technique is also flexible in that it allows the attacker who is in control of the smart contract to update the malicious payload at any time (albeit costing an average of $1.37 in gas fees), thereby opening the door to a wide spectrum of threats.

“This development signals an escalation in the threat landscape, as nation-state threat actors are now utilizing new techniques to distribute malware that is resistant to law enforcement take-downs and can be easily modified for new campaigns,” Robert Wallace, consulting leader at Mandiant, Google Cloud, said in a statement shared with The Hacker News. The infection chain triggered following the social engineering attack is a multi-stage process that’s capable of targeting Windows, macOS, and Linux systems with three different malware families -

- An initial downloader that manifests in the form of npm packages
- BeaverTail, a JavaScript stealer that’s responsible for exfiltrating sensitive information, such as cryptocurrency wallets, browser extension data, and credentials
- JADESNOW, a JavaScript downloader that interacts with Ethereum to fetch InvisibleFerret
- InvisibleFerret, a JavaScript variant of the Python backdoor deployed against high-value targets to allow remote control of the compromised host, as well as long-term data theft by targeting MetaMask and Phantom wallets and credentials from password managers like 1Password

In a nutshell, the attack coaxes the victim to run code that executes the initial JavaScript downloader that interacts with a malicious BSC smart contract to download JADESNOW, which subsequently queries the transaction history associated with an Ethereum address to fetch the third-stage payload, in this case the JavaScript version of InvisibleFerret. The malware also attempts to install a portable Python interpreter to execute an additional credential stealer component stored at a different Ethereum address. The findings are significant because of the threat actor’s use of multiple blockchains for EtherHiding activity.

Wallace told The Hacker News that they have not observed DPRK actors distribute fake installers (such as those for video conferencing software like FreeConference as has happened in the past) in conjunction with utilizing smart contracts as a stager for malicious code. “EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends,” Google said. “This technique underscores the continuous evolution of cyber threats as attackers adapt and leverage new technologies to their advantage.”

Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites

A financially motivated threat actor codenamed UNC5142 has been observed abusing blockchain smart contracts as a way to facilitate the distribution of information stealers, such as Atomic (AMOS), Lumma, Rhadamanthys (aka RADTHIEF), and Vidar, targeting both Windows and Apple macOS systems. “UNC5142 is characterized by its use of compromised WordPress websites and ‘EtherHiding,’ a technique used to obscure malicious code or data by placing it on a public blockchain, such as the BNB Smart Chain,” Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. As of June 2025, Google said it flagged about 14,000 web pages containing injected JavaScript that exhibit behavior associated with UNC5142, indicating indiscriminate targeting of vulnerable WordPress sites. However, the tech giant noted that it has not spotted any UNC5142 activity since July 23, 2025, either signaling a pause or an operational pivot.

EtherHiding was first documented by Guardio Labs in October 2023, when it detailed attacks that involved serving malicious code by utilizing Binance’s Smart Chain (BSC) contracts via infected sites serving fake browser update warnings. A crucial aspect that underpins the attack chains is a multi-stage JavaScript downloader dubbed CLEARSHORT that enables the distribution of the malware via the hacked sites. The first stage is a JavaScript malware that’s inserted into the websites to retrieve the second-stage by interacting with a malicious smart contract stored on the BNB Smart Chain (BSC) blockchain. The first stage malware is added to plugin-related files, theme files, and, in some cases, even directly into the WordPress database.

The smart contract, for its part, is responsible for fetching a CLEARSHORT landing page from an external server that, in turn, employs the ClickFix social engineering tactic to deceive victims into running malicious commands on the Windows Run dialog (or the Terminal app on Macs), ultimately infecting the system with stealer malware. The landing pages, typically hosted on a Cloudflare .dev page, are retrieved in an encrypted format as of December 2024.

[Figure: CLEARSHORT infection chain]

On Windows systems, the malicious command entails the execution of an HTML Application (HTA) file downloaded from a MediaFire URL, which then drops a PowerShell script to sidestep defenses, fetch the encrypted final payload from either GitHub or MediaFire, or their own infrastructure in some cases, and run the stealer directly in memory without writing the artifact to disk. In attacks targeting macOS in February and April 2025, the attackers have been found to utilize ClickFix decoys to prompt the user to run a bash command on Terminal that retrieved a shell script.

The script subsequently uses the curl command to obtain the Atomic Stealer payload from the remote server.

[Figure: UNC5142 final payload distribution over time]

CLEARSHORT is assessed to be a variant of ClearFake, which was the subject of an extensive analysis by French cybersecurity company Sekoia in March 2025. ClearFake is a rogue JavaScript framework deployed on compromised websites to deliver malware through the drive-by download technique. It’s known to be active since July 2023, with the attacks adopting ClickFix around May 2024.

The abuse of blockchain offers several advantages, as the clever technique not only blends in with legitimate Web3 activity, but also increases the resiliency of UNC5142’s operations against detection and takedown efforts. Google said the threat actor’s campaigns have witnessed considerable evolution over the past year, shifting from a single-contract system to a more sophisticated three-smart contract system beginning in November 2024 for better operational agility, with further refinements observed earlier this January.

“This new architecture is an adaptation of a legitimate software design principle known as the proxy pattern, which developers use to make their contracts upgradable,” it explained. “The setup functions as a highly efficient Router-Logic-Storage architecture where each contract has a specific job. This design allows for rapid updates to critical parts of the attack, such as the landing page URL or decryption key, without any need to modify the JavaScript on compromised websites. As a result, the campaigns are much more agile and resistant to takedowns.”

UNC5142 accomplishes this by taking advantage of the mutable nature of a smart contract’s data (it’s worth noting that the program code is immutable once it’s deployed) to alter the payload URL, costing them anywhere between $0.25 and $1.50 in network fees to perform these updates. Further analysis has determined the threat actor’s use of two distinct sets of smart contract infrastructures to deliver stealer malware via the CLEARSHORT downloader. The Main infrastructure is said to have been created on November 24, 2024, whereas the parallel Secondary infrastructure was funded on February 18, 2025.

“The Main infrastructure stands out as the core campaign infrastructure, marked by its early creation and steady stream of updates,” GTIG said. “The Secondary infrastructure appears as a parallel, more tactical deployment, likely established to support a specific surge in campaign activity, test new lures, or simply build operational resilience.” “Given the frequent updates to the infection chain coupled with the consistent operational tempo, high volume of compromised websites, and diversity of distributed malware payloads over the past year and a half, it is likely that UNC5142 has experienced some level of success with their operations.”

LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets

An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure has led to the discovery of a new GNU/Linux rootkit dubbed LinkPro, according to findings from Synacktiv. “This backdoor features functionalities relying on the installation of two eBPF [extended Berkeley Packet Filter] modules, on the one hand to conceal itself, and on the other hand to be remotely activated upon receiving a ‘magic packet,’” security researcher Théo Letailleur said.

The infection, per the French cybersecurity company, involved the attackers exploiting an exposed Jenkins server vulnerable to CVE-2024-23897 (CVSS score: 9.8) as the starting point, following which a malicious Docker Hub image named “kvlnt/vv” (now removed) was deployed on several Kubernetes clusters. The Docker image consists of a Kali Linux base along with a folder called “app” containing three files -

- start.sh, a shell script to start the SSH service and execute the remaining two files
- link, an open-source program called vnt that acts as a VPN server and provides proxy capabilities by connecting to vnt.wherewego[.]top:29872, allowing the attacker to connect to the compromised server from anywhere and use it as a proxy to reach other servers
- app, a Rust-based downloader referred to as vGet that receives an encrypted VShell payload from an S3 bucket, which then proceeds to communicate with its own command-and-control (C2) server (56.155.98[.]37) over a WebSocket connection

Also delivered to the Kubernetes nodes were two other malware strains, a dropper embedding another vShell backdoor, and LinkPro, a rootkit written in Golang.

The stealthy malware can operate in either passive (aka reverse) or active (aka forward) mode, depending on its configuration, allowing it to listen for commands from the C2 server only upon receiving a specific TCP packet or directly initiate contact with the server. While the forward mode supports five different communication protocols, including HTTP, WebSocket, UDP, TCP, and DNS, the reverse mode only uses the HTTP protocol. The overall sequence of events unfolds as follows -

- Install the “Hide” eBPF module, which contains eBPF programs of the Tracepoint and Kretprobe types to hide its processes and network activity
- If the “Hide” module installation fails, or if it has been disabled, install the shared library “libld.so” in /etc/ld.so.preload
- If reverse mode is used, install the “Knock” eBPF module, which contains two eBPF programs of the eXpress Data Path (XDP) and Traffic Control (TC) types to ensure that the C2 communication channel is fired only upon the receipt of the magic packet
- Achieve persistence by setting up a systemd service
- Execute C2 commands
- On interruption (SIGHUP, SIGINT, and SIGTERM signals), uninstall the eBPF modules and delete the modified /etc/libld.so and restore it back to its original version

To achieve this, LinkPro modifies the “/etc/ld.so.preload” configuration file to specify the path of the libld.so shared library embedded within it with the main objective of concealing various artifacts that could reveal the backdoor’s presence. “Thanks to the presence of the /etc/libld.so path in /etc/ld.so.preload, the libld.so shared library installed by LinkPro is loaded by all programs that require /lib/ld-linux.so,” Letailleur explained. “This includes all programs that use shared libraries, such as glibc.” “Once libld.so is loaded at the execution of a program, for example /usr/bin/ls, it hooks (before glibc) several libc functions to modify results that could reveal the presence of LinkPro.”

The magic packet, per Synacktiv, is a TCP packet with a window size value of 54321. Once this packet is detected, the Knock module saves the source IP address of the packet and an associated expiration date of one hour as its value. The program then keeps an eye out for additional TCP packets whose source IP address matches that of the already saved IP. In other words, the core functionality of LinkPro is to wait for a magic packet to be sent, after which the threat actor has a one-hour window to send commands to a port of their choice.

The Knock module is also designed to modify the incoming TCP packet’s header to replace the original destination port with LinkPro’s listening port (2333), and alter the outgoing packet to replace the source port (2233) with the original port. “The purpose of this maneuver is to allow the operator to activate command reception for LinkPro by going through any port authorized by the front-end firewall,” Synacktiv said. “This also makes the correlation between the front-end firewall logs and the network activity of the compromised host more complex.” The commands supported by LinkPro include executing /bin/bash in a pseudo-terminal, running a shell command, enumerating files and directories, performing file operations, downloading files, and setting up a SOCKS5 proxy tunnel. It’s currently not known who is behind the attack, but it’s suspected that the threat actors are financially motivated.
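The activation logic described above can be mirrored on the defender's side to find candidate knocks in a packet capture. The following Python is an added example, not code from Synacktiv or from LinkPro; it assumes timestamped raw IPv4 packets taken at a capture point outside the host (such as the front-end firewall or a tap), and the function names, class name and sample packets are constructed for illustration.

```python
import ipaddress
import struct

MAGIC_WINDOW = 54321     # TCP window size of the magic packet, per the article
ACTIVATION_TTL = 3600    # one-hour activation window, per the article (seconds)


def build_packet(src, dst, sport, dport, window, flags=0x02):
    """Build a minimal IPv4+TCP packet for the constructed sample (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def parse_tcp(packet):
    """Return (src, dst, sport, dport, window), or None if not a usable IPv4/TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    # Require protocol 6 (TCP), a first fragment, and a complete 20-byte TCP header.
    if ihl < 20 or packet[9] != 6 or frag_offset or len(packet) < ihl + 20:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    (window,) = struct.unpack_from("!H", packet, ihl + 14)  # window field offset in TCP header
    return src, dst, sport, dport, window


class KnockCorrelator:
    """Track (source, destination) pairs armed by a magic packet.

    The article says the Knock module keys on the source IP; keying on the pair
    is this example's choice so one capture can cover several hosts.
    """

    def __init__(self):
        self.armed = {}  # (src, dst) -> expiry timestamp

    def observe(self, ts, packet):
        parsed = parse_tcp(packet)
        if parsed is None:
            return None
        src, dst, _sport, dport, window = parsed
        key = (src, dst)
        if window == MAGIC_WINDOW:
            self.armed[key] = ts + ACTIVATION_TTL
            return {"type": "magic_packet", "ts": ts, "src": src, "dst": dst, "dport": dport}
        expiry = self.armed.get(key)
        if expiry is None:
            return None
        if ts > expiry:                               # activation window has lapsed
            del self.armed[key]
            return None
        return {"type": "follow_up", "ts": ts, "src": src, "dst": dst, "dport": dport}


def scan(capture):
    """Run the correlator over (timestamp, packet_bytes) pairs and collect alerts."""
    correlator = KnockCorrelator()
    alerts = []
    for ts, packet in capture:
        alert = correlator.observe(ts, packet)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample capture: documentation-range addresses, timestamps in seconds.
SAMPLE_CAPTURE = [
    (0, build_packet("198.51.100.7", "10.0.0.5", 40000, 443, 64240)),
    (10, build_packet("203.0.113.9", "10.0.0.5", 40001, 443, MAGIC_WINDOW)),
    (20, build_packet("203.0.113.9", "10.0.0.5", 40002, 8443, 502)),
    (30, build_packet("198.51.100.7", "10.0.0.5", 40003, 443, 64240)),
    (3611, build_packet("203.0.113.9", "10.0.0.5", 40004, 8443, 502)),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_CAPTURE):
        print(alert)
```

A window of 54321 is a valid value that ordinary traffic can carry, so a hit is a lead to correlate with host evidence rather than a verdict.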

“For its concealment at the kernel level, the rootkit uses eBPF programs of the tracepoint and kretprobe types to intercept the getdents (file hiding) and sys_bpf (hiding its own BPF programs) system calls. Notably, this technique requires a specific kernel configuration (CONFIG_BPF_KPROBE_OVERRIDE),” the company said. “If the latter is not present, LinkPro falls back on an alternative method by loading a malicious library via the /etc/ld.so.preload file to ensure the concealment of its activities in user space.”
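Because the preloaded library hooks libc functions to filter what tools on the live host report, one way to check for this fallback is to audit /etc/ld.so.preload on a mounted disk image or snapshot from a separate analysis machine. The following Python is an added example, not code from Synacktiv or the article; the list of standard library directories, the function names and the sample file tree are assumptions of this example.

```python
import os
import tempfile

LINKPRO_LIBRARY = "/etc/libld.so"  # path the article reports in /etc/ld.so.preload
# Directories this example treats as normal homes for shared libraries (assumption).
LIBRARY_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def parse_preload(text):
    """Return the library paths listed in ld.so.preload content."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]                    # '#' starts a comment
        entries.extend(line.replace(":", " ").split())  # whitespace or ':' separated
    return entries


def audit_root(root):
    """Audit etc/ld.so.preload under `root`, a mounted image or snapshot of the host."""
    preload = os.path.join(root, "etc", "ld.so.preload")
    if not os.path.isfile(preload):
        return []
    with open(preload, "r", errors="replace") as handle:
        entries = parse_preload(handle.read())
    findings = []
    for entry in entries:
        reasons = []
        if entry == LINKPRO_LIBRARY:
            reasons.append("path reported for LinkPro")
        if not entry.startswith(LIBRARY_DIRS):
            reasons.append("outside standard library directories")
        on_disk = os.path.join(root, entry.lstrip("/"))  # resolve inside the image
        if os.path.islink(on_disk):
            reasons.append("symbolic link, target not followed")
        elif not os.path.isfile(on_disk):
            reasons.append("listed file missing from image")
        else:
            with open(on_disk, "rb") as handle:
                if handle.read(4) != b"\x7fELF":
                    reasons.append("not an ELF file")
        findings.append({"entry": entry, "reasons": reasons})
    return findings


def make_sample_root(root):
    """Write a constructed file tree that mimics the state described in the article."""
    files = {
        "etc/ld.so.preload": b"# constructed sample\n/etc/libld.so\n/usr/lib/libfoo.so:/opt/x.so\n",
        "etc/libld.so": b"\x7fELF" + b"\x00" * 12,   # placeholder bytes, not a real library
        "usr/lib/libfoo.so": b"plain text, not ELF\n",
    }
    for relative, content in files.items():
        path = os.path.join(root, relative)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(content)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_root(make_sample_root(tmp)):
            print(finding["entry"], "->", finding["reasons"] or ["no findings"])
```

Every entry is returned, including those with no reasons attached, so each preloaded library can be reviewed rather than only the flagged ones.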

Architectures, Risks, and Adoption: How to Assess and Choose the Right AI-SOC Platform

Scaling the SOC with AI - Why now?

Security Operations Centers (SOCs) are under unprecedented pressure. According to SACR’s AI-SOC Market Landscape 2025, the average organization now faces around 960 alerts per day, while large enterprises manage more than 3,000 alerts daily from an average of 28 different tools. Nearly 40% of those alerts go uninvestigated, and 61% of security teams admit to overlooking alerts that later proved critical.

The takeaway is clear: the traditional SOC model can’t keep up. AI has now moved from experimentation to execution inside the SOC. 88% of organizations that don’t yet run an AI-driven SOC plan to evaluate or deploy one within the next year. But as more vendors promote “AI-powered SOC automation,” the challenge for security leaders has shifted from awareness to evaluation.

The key question is no longer whether AI belongs in the SOC, but how to measure its real impact and select a platform that delivers value without introducing significant risks. This article provides a practical framework for doing just that. It explores AI-SOC architectures, implementation models, and risks, while outlining phased adoption strategies and the essential questions every organization should ask before choosing a platform.

The Mindset Shift: From Legacy to a Modern SOC

Building an AI-augmented SOC starts with a mindset shift, not a technology purchase.

Legacy SOCs depend on static rules, manual triage, and reactive workflows. Analysts spend hours chasing alerts and fine-tuning detections to manage noise — a model that doesn’t scale and fuels alert fatigue. Modern SOCs operate differently. Analysts move from doing the work to guiding the system — overseeing outcomes, validating AI decisions, and setting the policies that govern automation.

Leaders must also adapt, learning to trust AI to assist analysts without replacing their judgment. The motivation for this shift is straightforward:

- Reduce alert fatigue and prevent missed incidents
- Ensure every alert is investigated
- Improve productivity and scale SOC capacity without expanding headcount

The first step isn’t selecting a platform. It’s evolving the SOC model itself — and defining why the change is necessary.

AI-SOC Architectural Models and Delivery Framework

SACR’s AI-SOC Market Landscape 2025 defines the emerging market across four key dimensions — what the platform automates, how it’s delivered, how it integrates, and where it runs.

1. Functional Domain - What it automates

The first dimension describes what part of the SOC life-cycle the platform targets and how advanced its automation is.

Automation / Orchestration (SOAR+) & Agentic SOC

These systems function as the SOC’s central nervous system, coordinating actions across SIEM, EDR, cloud, and ticketing tools. They combine deterministic rules with agentic AI that can reason, enrich alerts, and execute containment steps automatically.

Unlike traditional SOAR tools, they move beyond static playbooks — dynamically sequencing responses across multiple systems. Their strength lies in scale and consistency, making them well-suited for complex enterprise or MSSP environments.

Pure-Play Agentic Alert Triage

Focused on the SOC’s most persistent challenge: alert overload. These platforms deploy Agentic AI analysts to triage, investigate, and prioritize alerts, filtering false positives and escalating only validated threats.

This approach delivers immediate operational value by reducing Tier-1 workload and ensuring that every alert receives at least an initial level of investigation. For many teams, it represents the most practical starting point for adopting AI in the SOC, as it integrates easily with existing tools.

Analyst Co-Pilot / Investigation Assist

Acts as a digital assistant for human analysts. It helps generate queries, summarize evidence, and assemble context during investigations, improving speed and accuracy while keeping human judgment central.

Workflow / Knowledge Replication

Captures how experienced analysts investigate incidents and replays those workflows as repeatable automation. This model scales institutional knowledge and ensures consistency across teams, though it requires time and expert input to train effectively.

2. Implementation Model (How It’s Delivered)

This dimension defines how much control an organization retains over how automation is built, tuned, and maintained.

SACR identifies two primary implementation models.

User-Defined / Configurable

These platforms offer partial to full flexibility. Security teams can design and adjust agents, detection logic, and workflows using scripting or low-to-no-code interfaces. The result is a SOC environment customized to internal processes — but one that requires skilled personnel and ongoing maintenance.

This model is typically favored by mature enterprises or managed service providers that value adaptability and ownership over simplicity.

Pre-Packaged / Black-Box

Delivered as ready-to-run solutions with vendor-managed agents and prebuilt workflows. These platforms can be deployed quickly, provide fast time-to-value, and benefit from continuous vendor R&D. The trade-off is limited visibility into decision logic and less ability to customize.

They are best suited for teams prioritizing ease of use and rapid modernization over granular control.

3. Architecture Type (How It Integrates)

AI-SOC platforms differ in how they integrate into the broader SOC life-cycle and where they source and process data. SACR’s AI-SOC Market Landscape 2025 identifies three primary integration models, with Integrated AI-SOC Platforms emerging as the most comprehensive approach.

Integrated AI-SOC Platforms

These platforms ingest and analyze raw security logs directly, functioning as both an AI-SOC and, in many cases, a SIEM alternative. By maintaining their own data stores, they enable historical baselines, anomaly detection, and retrospective investigation, all within a unified system. The key advantage is full visibility and analytical depth. Integrated platforms reduce dependence on external SIEMs, consolidate triage and response in one control plane, and significantly lower log-storage and licensing costs.

This model aligns closely with the industry’s move toward unified operations — where detection, investigation, and response happen in a single workflow instead of across stitched-together tools.

Connected & Overlay Model (on Existing SOC/SIEM)

It adds an intelligent AI layer to current systems via APIs. The platform ingests alerts from tools such as SIEMs, EDRs, and cloud services, then enriches, triages, and reports results back to analysts. Its appeal lies in speed.

It delivers value quickly and requires no data migration or infrastructure changes. However, it relies on the quality of upstream alerts and offers limited behavioral analytics, since it typically lacks access to raw telemetry.

Human & Browser-Based Workflow Emulation

This approach replicates how analysts work within existing interfaces, observing their actions and replaying investigations automatically. It helps scale expert knowledge and drive consistency, but requires initial setup and validated analyst workflows to perform effectively.

4. Deployment Model (Where It Runs)

Finally, deployment options determine where the AI-SOC operates and how data is managed.

SaaS

Hosted entirely by the vendor and accessed over the internet. Fastest to deploy and easiest to maintain.

BYOC (Bring Your Own Cloud)

The vendor provides the AI layer, but data and infrastructure remain in the customer’s cloud environment. This is common for teams balancing compliance with flexibility.

Air-Gapped On-Prem

Fully isolated deployment for regulated industries or high-security environments where external connectivity is not permitted.

Risks and Considerations When Adopting an AI-SOC Platform

AI-driven SOCs promise efficiency and speed, but also introduce new categories of potential risks.

SACR highlights several, and additional considerations deserve equal attention.

- Lack of Standardized Benchmarks - There is currently no universally accepted method for measuring AI-SOC accuracy, efficiency, or ROI. Without standardized metrics, vendor comparisons often rely on marketing claims rather than validated outcomes.
- Opaque Decision-Making (Explainability Risk) - Some systems operate as black boxes, offering little visibility into how alerts are analyzed or classified. This limits transparency, makes auditing difficult, and can reduce analyst trust in automated outcomes.
- Compliance and Data Residency - Cloud-hosted AI systems can raise concerns about where data is processed and stored, particularly in regulated sectors. Teams should verify compliance with frameworks such as GDPR, ISO 27001, and local data residency laws.
- Vendor Lock-In - Integrated platforms that centralize data storage or detection logic can create migration challenges over time. Clear data export policies and open APIs are essential for maintaining flexibility.
- Skill Shift and Change Management - AI-SOCs change how analysts work. Teams shift from manual investigation to automation oversight, which can lead to uncertainty or skill gaps if retraining isn’t planned. Structured onboarding and updated workflows are critical for success.
- Integration Complexity - Platforms that don’t integrate cleanly with existing SIEM, EDR, and case management systems can add friction instead of reducing it. Evaluating API coverage and interoperability should be part of the selection process.
- Over-Reliance on Automation - Treating automation as infallible introduces risk. AI systems should complement, not replace, human judgment, with clear escalation and override mechanisms to prevent blind spots.
- Model Drift and Update Frequency - AI performance can degrade over time if models aren’t retrained regularly with new threat intelligence and environmental data. Ongoing monitoring and retraining cadence should be confirmed with vendors.
- Economic Risk - Pricing models that charge by data volume or event ingestion can quickly erode the cost benefits of automation. Evaluating the total cost of ownership across data, users, and response volume is key to long-term sustainability.

Mitigating these risks starts with transparency — selecting solutions that provide explainability, flexible integration, strong governance, and a clear balance between automation and human control.

What to Ask Your AI-SOC Vendor

Selecting the right AI-SOC platform requires a structured, evidence-based evaluation. SACR’s AI-SOC Market Landscape 2025 provides a strong foundation for due diligence, highlighting the questions that help security leaders separate proven capabilities from marketing claims.

Detection and Triage

- What percentage of alerts are triaged automatically versus escalated to analysts?
- How are low-confidence or ambiguous alerts handled to avoid missed detections?
- Can the AI’s reasoning and verdicts be audited by analysts for validation?

These questions help determine how automation interacts with human oversight and how reliably the system maintains coverage without sacrificing accuracy.

Data Ownership and Privacy

- Who retains ownership of ingested data and alerts once inside the platform?
- Where is security data stored, and can customers manage retention, deletion, or export?

Clarifying how data is managed, stored, and controlled ensures compliance with internal governance and external regulatory requirements.

Explainability and Human Control

- Can analysts override AI verdicts or modify investigation outcomes?
- How is analyst feedback incorporated into system retraining or future decisions?
- What safeguards exist to prevent incorrect automated actions or over-escalation?

These questions help confirm the level of transparency, explainability, and human control within the AI’s decision-making loop.

Integration and Tech-stack Fit

- Does the platform integrate with existing SIEM, EDR, identity, and ticketing systems?
- Can it operate within the current SOC workflow without introducing additional interfaces or tool sprawl?

Understanding how the platform fits into the existing security stack helps prevent integration friction and avoid replacing one layer of complexity with another.

Pricing and Scalability

- Is pricing based on data volume, alert count, or user capacity?
- How does cost scale as the organization adds new log sources or increases data velocity?
- What is the expected time to achieve full operational value post-deployment?

Cost structure, scalability, and deployment timelines are key to understanding both immediate and long-term return on investment. An effective vendor evaluation balances technical depth with operational realism. The most important questions are not just about what the AI can do, but also about how it does it, how it fits into existing workflows, and how its decisions can be understood, verified, and improved over time.

AI-SOC Adoption Framework

SACR outlines a straightforward, phased approach to AI-SOC adoption that balances speed with operational trust.

- Define the AI Strategy - Identify the specific challenges AI should solve, such as alert fatigue, MTTR, or staffing constraints. Align objectives with business outcomes.
- Select Core Capabilities - Prioritize triage, investigation, response automation, explainability, and data governance.
- Run a Proof of Concept (POC) - Evaluate performance using real alert data from your environment. Measure improvements in detection and response times.
- Trust-Building Phase (1–2 Months) - Allow AI to operate in an “assist” mode, while analysts validate its decisions. Implement feedback loops to fine-tune confidence thresholds.
- Gradual Automation - Enable autonomous response for low-risk events first, then scale up as trust grows.
- Operationalize and Iterate - Continuously review false positives, analyst feedback, and integration efficiency. Periodically recalibrate models and policies.

Organizations treating AI as a partner, not a replacement, see the most sustainable outcomes.

Measuring Success Over Time

Short-Term (0–3 months)

- Reduction in alert triage length
- Increased alert coverage percentage
- Reduction in alerts per analyst

Mid-Term (3–9 months)

- Shorter mean time to respond (MTTR)
- At least a 35% reduction in false positives and manual investigations
- Reduced analyst burnout and turnover

Long-Term (9 months +)

- Stable automation performance across incident types
- Predictable SOC operating costs
- Improved auditing and compliance reporting

Each metric should relate to a business outcome. Focusing on high-value work can reduce missed alerts, improve response consistency, and increase analyst productivity.

Conclusion

AI-SOC platforms are reshaping how security teams detect, investigate, and respond to threats at scale. But success depends on more than advanced technology. It requires understanding architectures, evaluating risks, and adopting automation in stages that build trust and transparency.

Teams that balance AI-driven efficiency with explainability and human oversight will be best positioned to achieve faster, more resilient security operations. For deeper insights and vendor evaluations, read the full SACR AI-SOC Market Landscape 2025 Report. It offers detailed benchmarks, architectural comparisons, and adoption guidance for security leaders assessing AI-driven solutions.

About Radiant Security

Radiant Security is the unified AI-SOC platform that combines agentic triage, automated response, and integrated log management, eliminating the need to stitch tools together. The platform is the only AI-SOC that can triage 100% of alerts, regardless of the source, providing complete coverage over the IT infrastructure. Radiant is more like an SOC operating system than a point product, and SACR recognized it as the “most unique value proposition.” It helps security teams scale capacity, improve outcomes, and control costs with complete visibility and analyst oversight. Book a demo to see how Radiant enables faster, smarter, and more cost-effective security operations.

This article is a contributed piece from one of our valued partners.

Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in ‘Zero Disco’ Attacks

Cybersecurity researchers have disclosed details of a new campaign that exploited a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems. The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The intrusions have not been attributed to any known threat actor or group. The shortcoming was patched by Cisco late last month, but not before it was exploited as a zero-day in real-world attacks.

“The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access,” researchers Dove Chiu and Lucien Chuang said. The cybersecurity company also noted that the rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. IOSd is run as a software process within the Linux kernel. Another notable aspect of the attacks is that they singled out victims running older Linux systems that do not have endpoint detection response solutions enabled, making it possible to deploy the rootkits in order to fly under the radar.

In addition, the adversary is said to have used spoofed IPs and Mac email addresses in their intrusions. The rootkit is commandeered by means of a UDP controller component that can serve as a listener for incoming UDP packets on any port, toggle or disable log history, create a universal password by modifying IOSd memory, bypass AAA authentication, conceal certain portions of the running configuration, and hide changes made to the configuration by altering the timestamp to give the impression that it was never modified. Besides CVE-2025-20352, the threat actors have also been observed attempting to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881 so as to allow memory read/write at arbitrary addresses. However, the exact nature of the functionality remains unclear.

The name “Zero Disco” is a reference to the fact that the implanted rootkit sets a universal password that includes the word “disco” in it – a one-letter change from “Cisco.” “The malware then installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot,” the researchers noted. “Newer switch models provide some protection via Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed.”

Beware the Hidden Costs of Pen Testing

Penetration testing helps organizations ensure IT systems are secure, but it should never be treated in a one-size-fits-all approach. Traditional approaches can be rigid and cost your organization time and money – while producing inferior results. The benefits of pen testing are clear. By empowering “white hat” hackers to attempt to breach your system using similar tools and techniques to an adversary, pen testing can provide reassurance that your IT set-up is secure.

Perhaps more importantly, it can also flag areas for improvement. As the UK’s National Cyber Security Centre (NCSC) notes, it’s comparable to a financial audit. “Your finance team tracks expenditure and income day to day. An audit by an external group ensures that your internal team’s processes are sufficient.” While the advantages are obvious, it’s vital to understand the true cost of the process: indeed, the classic approach can often demand significant time and effort from your team.

You need to get your money’s worth.

Pen testing hidden costs

There’s no one set form of pen test: it depends on what exactly is being tested, how often the pen test occurs, and how it takes place. Nevertheless, there are some common elements of the classic approach that could generate significant costs, both financially and in terms of your employees’ time. Let’s take a look at some of the costs that might not be immediately obvious.

Administrative overheads

There can be significant admin involved in arranging a “traditional” pen test. First, you need to coordinate schedules between your own organization and the testers you’ve hired to conduct the test on your behalf. This can cause significant disruption to your employees, distracting them from their day-to-day tasks. What’s more, you’ll need to develop a clear overview of the resources and assets at your disposal before the test can occur, by gathering system inventories, for instance.

You’ll also need to prepare access credentials for the hackers, depending on the type of pen testing approach you intend to take: for example, the testers may need these credentials to develop a scenario based on the risk of a disgruntled employee targeting your systems.

Scoping complexity

Again, determining the precise scope of the test is important – what is “in-scope” for the hackers, and what should remain out of scope? This will be determined in-house, and will be built on several factors, depending on the precise needs of the organization; there may be certain applications, for instance, that cannot be included in the test. No matter the reasons, determining the overall scope of the testing will take time.

Of course, this isn’t set in stone: some organizations might deal with highly sophisticated environments, which change over time. You will need to devote resources to assessing the potential impact of these changes – as your environment changes, should you include new elements for the testers to target? All of this raises the risk of “scope creep”, where a pen test grows beyond its original aims, creating additional work – and costs – for both the in-house team and the external testers.

Indirect costs

As we’ve seen, pen testing by its nature can pose significant risks of disruption for your team, including operational disruptions during the testing window.

It’s vital to keep this under control right from the outset. There’s also the time and costs associated with remediation, a somewhat ill-defined phase that could include consultation with the testers to overcome and solve any issues that might have arisen during the pen testing. This could even involve re-testing – launching yet another pen test to check that everything is now safe and secure. All of this can add up to extra time and money for your organization.

Budget management challenges

You’ll also need to consider how you go about paying for the work. For instance, do you opt for a fixed-cost pricing model, where the testers provide a set rate? Or do you go for “time and materials”, where they provide an hourly rate based on estimated hours (or through another measure), but add in anything over these estimates? “There’s a reason it’s so hard to benchmark penetration testing costs: every test with every firm is unique,” notes Network Assured, which provides independent pricing guidance on pen testing and other cybersecurity services.

That being the case, how can you go about getting the best return on investment and optimizing cost effectiveness?

Figure 1: Some factors may not be immediately obvious when talking about the overall cost of a penetration test.

Pen testing as a service (PTaaS)

To ensure you’re getting exactly the pen testing capability you need (at the right cost) an “as-a-service” approach can pay dividends. Such an approach can be customized to your needs, reducing the risks of unnecessary efforts.

For example, Outpost24’s CyberFlex combines the strengths of our Pen-testing-as-a-service (PTaaS) and External Attack Surface Management (EASM) solutions, providing continuous coverage of the application attack surface on a flexible consumption model. This enables organizations to have full insight into their costs and capabilities, all while achieving the discovery, prioritization, and reporting needs they require. Pen testing is crucial to defend your organization’s systems, but a cutting-edge capability doesn’t have to cost the world. By taking a smart approach, based on delivering the services you need at the right time, you can discover the vulnerabilities you need to address, without causing undue disruption or incurring unnecessary costs.

This article is a contributed piece from one of our valued partners.