Curl disclosed a high-severity heap buffer overflow in its SOCKS5 handling (CVE-2023-38545); the bug overflows a heap buffer during the SOCKS5 proxy handshake and can potentially lead to undefined behavior or RCE. Detection is difficult when libcurl is embedded in …
Category: Threat Research
An attacker (pseudonym “kohlersbtuh15”) uploaded multiple typosquatted and starjacked Python packages to PyPI in September 2023 to target developers using Telegram, AWS, and Alibaba Cloud; the packages hide malicious logic inside library functions so the code …
Talos Incident Response reports active exploitation of Cisco IOS XE Web UI vulnerabilities CVE-2023-20198 and CVE-2023-20273, delivering a Lua-based implant named BadCandy to compromised devices. The operation includes unauthorized local user creation, privil…
Symantec Threat Hunter Team attributes a new APT group, Grayling, to a campaign targeting multiple organizations in Taiwan’s manufacturing, IT, and biomedical sectors, with additional victims in the Pacific Islands government, Vietnam, and the U.S. The operati…
Two QR-code-based phishing campaigns are analyzed, showing attackers bypass email security by using images of text and QR codes in emails and attachments instead of readable URLs. The campaigns employ layered evasion (redirection, anti-bot checks, CAPTCHA evas…
FortiGuard Labs observed the IZ1H9 Mirai-based campaign expand with 13 exploit payloads targeting numerous router, camera, and device vendors to achieve remote code execution and grow its botnet. The campaign uses shell-script downloaders (e.g., l.sh), XOR-obf…
Dark Angels Linux ESXi ransomware targeted Johnson Controls’ VMware ESXi servers in September 2023 and encrypted files using AES-256. SentinelOne’s analysis finds substantial overlap with RagnarLocker’s ESXi variant, suggesting shared code and victimology betwe…
Threat researchers uncovered a fake Android APK masquerading as the RedAlert – Rocket Alerts app, hosted on a deceptive site and designed to harvest extensive device data. The malware collects sensitive information and sends it to the attacker’s server, using …
Wordfence warns of a critical unauthenticated vulnerability in Royal Elementor Addons and Templates for WordPress that lets attackers upload PHP files and achieve remote code execution, risking a full site compromise. Attacks have been active since mid-2023 wi…
MedusaLocker ransomware targets the hospital and healthcare sectors and uses AES and RSA encryption to lock victims’ data. The analysis outlines its techniques for persistence, privilege escalation, service/process termination, shadow copy deletion, network pr…
The advisory describes active exploitation of CVE-2023-22515 in Atlassian Confluence Data Center and Server, enabling threat actors to create unauthorized Confluence administrator accounts and gain initial access. It also covers post-exploitation data exfiltra…
The article analyzes multi-stage supply-chain infections where threat actors trojanize GitHub repositories and malicious PyPI packages to deliver Python-based droppers and information stealers. Key techniques include a novel “exec smuggling” pattern (whitespac…
Phylum detected a typosquatted NuGet package that delivered the SeroXen RAT, demonstrating how open-source ecosystems can be abused. The post details the typosquatted package, its obfuscated payload chain (PowerShell, batch scripts, DLLs), and download-count a…
Recent AgentTesla campaigns show the malware spreading via CHM and PDF attachments, using a Gzip-compressed CHM lure that downloads a PowerShell script to start the infection. The chain employs layered Base64-encoded payloads and a .NET loader DLL to inject Ag…
The article analyzes Lazarus Group’s Volgmer backdoor and Scout downloader, detailing how Volgmer operated from 2014 and how Scout began replacing Volgmer around 2022, including their C2, encryption, and anti-forensic techniques. It also covers dropper behavio…