Iranian cyber operatives linked to the Revolutionary Guard are conducting sophisticated campaigns targeting elections, critical infrastructure, and international events using AI and cover personas. The U.S. State Department has issued a reward of up to $10 million for information on their location, highlighting their impact on sectors across the US, Europe,…
Tag: CRITICAL INFRASTRUCTURE
ESET reports that MuddyWater (TA450) conducted a focused cyberespionage campaign primarily against organizations in Israel and one confirmed target in Egypt using new custom tools including the Fooder loader and the MuddyViper backdoor to improve evasion and persistence. The campaign also deployed credential stealers (CE-Notes, LP-Notes), browser stealers (Blub), go‑socks5 reverse tunnels, and adopted the CNG API for encryption to exfiltrate credentials and browser data. #MuddyWater #MuddyViper
Threat actor coinbasecartel claimed a ransomware attack against R* E*, described as a sophisticated intrusion. The incident impacted the #UnitedStates.
MuddyWater, an Iran-linked threat actor, is targeting critical infrastructure in Egypt and Israel with sophisticated spyware disguised as the Snake game. The campaign involves spearphishing, customized malware, and credential theft tools, demonstrating increased technical evolution and evasion techniques. #MuddyWater #SnakeGameSpyware…
Australia is establishing the AI Safety Institute with a $29.9 million fund to oversee AI risks and ensure compliance under existing legal frameworks. The institute emphasizes addressing both upstream AI risks and downstream harms through international collaboration and regulatory support. #AIrisks #AIsafety #Australia…
A cybersecurity breach targeting ExeVision resulted in the theft of proprietary source code and exposure of critical development repositories in November 2025. The compromised data includes key platforms, construction management modules, and field operations applications used by State Departments of Transportation. #ExeVision #DarkWebBreach…
Cybersecurity Threat Research ‘Weekly’ Recap: The report highlights a broad wave of risk from supply-chain and developer-ecosystem abuse—including npm worm campaigns like Shai-Hulud 2.0, OtterCookie, and PyPI domain-takeover vectors—alongside ongoing nation-state operations from Lazarus, Kimsuky, Gamaredon, Tomiris, and related actors. It also covers infostealers, loaders, vulnerabilities (CVE-2025-61882, CVE-2025-64446), breaches, and e-commerce fraud, with defensive guidance on threat intelligence integration, automated security validation, phishing simulations, and AI risk mitigation.
#ShaiHulud #OtterCookie #Kimsuky #Lazarus #Gamaredon #Tomiris #WaterGamayun #BerserkBear #ShinySp1d3r #Gainsight
CYFIRMA uncovered an APT36 campaign delivering a Python-based RAT to BOSS Linux systems via weaponized .desktop shortcut files inside a malicious archive that staged downloads from lionsdenim[.]xyz and 185[.]235[.]137[.]90. The campaign establishes persistence (systemd user services), supports remote command execution, file exfiltration, screenshots, and cross-platform control for sustained espionage. #APT36 #BOSS
An engineering firm in Germany, IBL, was targeted by the Brotherhood ransomware group, which exfiltrated sensitive data including legal, financial, and technical documents. The attack highlights the risks faced by companies handling critical infrastructure and confidential client information. #Brotherhood #IBL #EnergySecurity #FCSchalke04…
A new wave of cyberattacks targeting US infrastructure employs criminal tools like SocGholish and RomCom to obscure attribution and hinder response efforts. These attacks aim to gather intelligence on critical systems, facilitated by third-party contractors and linked to Russian threat actors. #SocGholish #RomCom #USInfrastructure #CyberEspionage…
ByteToBreach is a financially motivated data‑leak trader and access broker active since mid‑2025 who sells corporate datasets and access from banks, telecoms, IT providers, and other large enterprises across multiple countries. On November 14, 2025 the actor claimed a breach of Eurofiber’s GLPI service‑management platform, exfiltrating roughly 10,000 password hashes and configuration/ticket data using rented VPS infrastructure to run time‑based SQL extraction. #ByteToBreach #Eurofiber
The Qilin ransomware group has claimed responsibility for breaching multiple organizations worldwide, including government agencies, private companies, and educational institutions. The group has leaked substantial data volumes from its victims, highlighting the growing threat of targeted ransomware attacks. #Qilin #RansomwareLeak…
The Lazarus Group deployed a new C++ in-memory RAT called ScoringMathTea in the “Gotta Fly” phase of Operation DreamJob to target defense contractors supplying UAV technology to Ukraine. ScoringMathTea uses chained polyalphabetic string decryption, API hashing, PEB walking, full reflective DLL injection of plugins, and TEA/XTEA-CBC encrypted HTTP/S C2 with a spoofed User-Agent to evade detection. #ScoringMathTea #LazarusGroup
A 23-year-old Russian citizen was arrested in Poland for unauthorized access to e-commerce databases, affecting nearly one million customer records. The investigation is linked to broader cybercrime activities and escalating Russian-backed cyberattacks targeting European infrastructure. #RussianCyberCrime #PolishCyberattacks…
Gainsight is investigating suspicious API activity through its Salesforce-integrated applications after Salesforce detected non-allowlisted API calls and revoked related access tokens, temporarily disabling several integrations and prompting other vendors to disable connectors. Analysis links some involved IPs to a previous UNC6040 campaign and to malware families including SmokeLoader and Vidar, underscoring supply-chain risk from trusted SaaS integrations. #Gainsight #UNC6040