The Operation Holding Hands campaign employs a stolen digital certificate to distribute a backdoor malware named “給与制度改定のお知らせ.exe” targeting Japanese users, utilizing multi-stage payload delivery and runtime decryption to evade detection. The malware’s complex behaviors include privilege escalation, in-memory execution, and connections to China-linked APT group Silver Fox via Winos 4.0 framework. #HoldingHands #Winos4.0 #SilverFox
Category: Threat Research

A threat group is targeting blockchain users via a malicious zip file distributed through Telegram, which contains a decoy Lnk file that deploys the DcRat remote access Trojan. The attack uses digitally signed DLLs and a multi-stage payload delivery with different C2 servers to evade detection. #DcRat #AsyncRat #Qi’anxin #Telegram

Malicious browser extensions from trusted stores are increasingly exploited to hijack user sessions, redirect traffic, and manipulate social media metrics, posing significant security risks. A notable example includes a malicious Chrome extension sold for $100,000 enabling comprehensive attacks such as credential theft and cryptocurrency draining. #ShellShockersIO #rivemks

Insikt Group uncovered new infrastructure and infection methods employed by GrayAlpha, a cybercriminal group overlapping with FIN7, including custom loaders PowerNet and MaskBat leading to NetSupport RAT infections. The report highlights three primary infection vectors and emphasizes the importance of application allow-lists, employee training, and updated detection rules to combat these threats. #GrayAlpha #FIN7 #NetSupportRAT #PowerNet #MaskBat

Elastic enhances Windows endpoint security by leveraging call stacks to identify malicious activities with greater precision, distinguishing the actor behind behaviors rather than just the actions themselves. The approach enriches call stacks with contextual data to aid detection, triage, and hunting, while addressing challenges like spoofing and limitations of stack walking. #CallStacks #ElasticDefend #SilentMoonwalk

Ransomware actors have been exploiting a path traversal vulnerability (CVE-2024-57727) in SimpleHelp Remote Monitoring and Management (RMM) version 5.5.7 and earlier to target downstream customers, particularly in the utility billing sector. CISA urges immediate mitigation steps including software upgrades, system isolation, and threat hunting to prevent and respond to these attacks…

Malicious open source packages targeting blockchain developers are increasingly used to steal cryptowallet credentials, drain funds, mine cryptocurrency, and hijack clipboard data. Threat actors, including nation-state groups, exploit supply chain vulnerabilities in registries like npm and PyPI, impacting ecosystems such as Ethereum, Solana, TRON, and TON. #ContagiousInterview #BeaverTail #InvisibleFerret #XMRig #ClipboardHijackers

Today’s threat actors are increasingly sophisticated, necessitating proactive cybersecurity strategies like threat intelligence and threat hunting to defend against advanced adversaries. Operationalizing these practices within security operations enables organizations to detect unknown threats earlier and improve response times. #eSentire #ThreatHunting #ThreatIntelligence

In May 2025, an unusual ransomware attack using the Fog ransomware targeted a financial institution in Asia, employing rare tools such as Syteca employee monitoring software and open-source pentesting utilities like GC2, Adaptix, and Stowaway. The attackers also established persistence on the network post-ransomware deployment, indicating possible espionage motives beyond typical ransomware objectives. #FogRansomware #Syteca #GC2 #Adaptix #Stowaway

This article reveals that multiple malware actors dependent on the VexTrio traffic distribution system (TDS) migrated to the Help TDS, which is closely linked to VexTrio rather than being independent. The research exposes complex affiliations among malicious adtech companies like Los Pollos, Partners House, BroPush, and RichAds, highlighting their role in facilitating widespread cybercrime via compromised websites and push notification scams. #VexTrio #LosPollos #HelpTDS #PartnersHouse #BroPush

Check Point Research discovered a sophisticated malware campaign exploiting expired and deleted Discord invite links to hijack users and deliver payloads like AsyncRAT and a modified Skuld Stealer targeting cryptocurrency wallets. The attackers use multi-stage loaders, trusted cloud services, and evasion techniques, including ChromeKatz, to steal data while maintaining stealth. #AsyncRAT #SkuldStealer #DiscordInviteHijacking #ChromeKatz

The CERT-AGID has observed a significant rise in phishing campaigns exploiting the PagoPA theme to target Italian users, primarily via deceptive emails requesting fraudulent payments for alleged traffic fines. These campaigns use conditional redirection techniques to display fraudulent content only to mobile users and sometimes filter victims by IP address, increasing the sophistication of the attacks. #CERTAGID #PagoPA #PhishingCampaigns

Predator spyware operations continue despite sanctions and public exposure, with a resurgence noted including a new operator in Mozambique. The spyware’s infrastructure involves multi-tiered, evasive tactics linked to known Predator operators and a Czech entity associated with the Intellexa Consortium. #Predator #Intellexa #Mozambique

Spectra Ransomware is a new threat emerging since April 2025, believed to have evolved from the Chaos ransomware family. It specifically targets Windows systems by encrypting files and demanding $5,000 in Bitcoin, using double extortion tactics. #SpectraRansomware #ChaosRansomware

The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Australian Cyber Security Centre (ACSC) released an updated advisory detailing the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) related to the Play ransomware group, active since 2022 and responsible for widespread attacks. The advisory includes new behaviors such as…