CastleRAT is a Remote Access Trojan first observed in March 2025 that exists in two main builds (Python and compiled C), the latter being stealthier and capable of keystroke capture, screen/video capture, plugin loading, and UAC bypass. Splunk Threat Research Team analyzed the C variant, documenting RC4-based C2 communication, system info…
FortiGuard IR discovered historical evidence of deleted malware and attacker activity inside the AutoLogger-Diagtrack-Listener.etl ETW file on a compromised Windows Server, revealing that KernelProcess → ProcessStarted events can retain command-line and execution details for binaries that were later removed. The AutoLogger-Diagtrack-Listener.etl file’s population appears controlled by undocumented DiagTrack triggers and is inconsistently populated across Windows builds, limiting its immediate reliability as a forensic source. #AutoLogger-Diagtrack-Listener.etl #GMER
Microsoft expands its bug bounty program to include all online services and third-party dependencies, incentivizing security research on critical vulnerabilities. This initiative aims to enhance safety across Microsoft’s ecosystem, supported by significant bounty payouts and aligned with their Secure Future strategy. #MicrosoftSecurityResponseCenter #BugBountyProgram
This week’s cyber stories highlight the rapid evolution of digital threats, from malware in movie downloads to sophisticated botnets exploiting system vulnerabilities. The Threatsday Bulletin provides a concise overview of major security incidents and emerging risks in the cyber landscape. #Mirai #LummaStealer…
A former senior manager at a government contractor has been charged with lying about security compliance for a cloud platform used in federal contracts. The case highlights ongoing issues of cybersecurity fraud and the importance of adherence to federal security standards. #FedRAMP #DepartmentofDefense…
GOLD SALEM used SharePoint exploits (including the ToolShell zero-day chain) and attacker-hosted Cloudflare Workers subdomains to stage tools and gain access to networks, later deploying Velociraptor as a precursor to ransomware activity. These intrusions led to Warlock, LockBit, and Babuk encryptions, with tool-staging domains such as files[.]qaubctgg[.]workers[.]dev and C2 infrastructure like velo[.]qaubctgg[.]workers[.]dev observed in the activity. #Warlock #GOLDSALEM
A former government contractor manager, Danielle Hillmer, faces charges of fraud and obstruction for misrepresenting a cloud platform’s security compliance to federal agencies. The case underscores concerns about cybersecurity standards and oversight in government contracting. #FedRAMP #DoDImpactLevels5…
A highly sophisticated cyber-espionage campaign, WARP PANDA, has infiltrated major U.S. organizations using advanced techniques targeting virtualization infrastructure. The group demonstrates stealth, long-term persistence, and a focus on intelligence gathering aligned with Chinese strategic interests. #WARP_PANDA #BRICKSTORM…
Researchers linked a series of long-running, targeted cyberattacks against Russia’s IT sector (2024–2025) to APT31 and recovered unique samples of the group’s tools and methods. The attackers disguised malware as legitimate software, abused social network profiles and other online services for encrypted bidirectional C2, and used a keylogger that captured commands pasted from the clipboard. #APT31 #LocalPlugx
Check Point Research dissects the modular ValleyRAT (aka Winos/Winos4.0) backdoor, reverse engineering leaked builder artifacts and mapping all main plugins including an embedded kernel-mode rootkit. The analysis highlights APC-based user-mode injection, kernel-level forced deletion of AV/EDR drivers, validly signed drivers loadable on Windows 11, and a rapid surge in in-the-wild samples since the builder leak. #ValleyRAT #SilverFox
Threat actors are exploiting NoteGPT to host malicious files and lure recipients with OneDrive-branded phishing emails that redirect users to credential-harvesting pages. The campaign spoofs a trusted sender and uses a NoteGPT link that ultimately leads to a fake Microsoft login (arc[.]stylized[.]it[.]com) to capture professional credentials. #NoteGPT #OneDrive
Microsoft issued patches for 56 security flaws in Windows and other products at the end of 2025, including one actively exploited vulnerability. The update addresses multiple critical and important flaws, with emphasis on the use-after-free CVE-2025-62221 affecting file system filter drivers used by major cloud storage services. #CVE-2025-62221 #WindowsSecurity #PatchTuesday…
UDPGangster is a UDP-based backdoor attributed to the MuddyWater group that is distributed via macro-enabled Microsoft Word documents to gain initial access and establish C2 over UDP. The malware uses extensive anti-analysis checks, persistence via registry startup, and capabilities for remote command execution and file exfiltration to target users in Turkey, Israel, and Azerbaijan. #UDPGangster #MuddyWater
Daily Recap: AI and browser security dominate this edition as the NCSC warns about prompt injection and Google layers defenses into Chrome and Gemini to curb indirect prompt injection and risky agentic browsing, while Zero Trust guidance promotes safer AI integrations via the Shared Signals Framework.
Meanwhile, the threat landscape features a high-severity XXE in Apache Tika with a 10.0 severity score, new CSS/SVG clickjacking bypass techniques, ValleyRAT deliveries by the Silver Fox APT, JS#SMUGGLER-driven NetSupport RAT and malicious VSCode extensions, Shanya EXE packing for stealthy payloads, Broadside botnet activity, STAC6565 targeting Canada, a ransomware extortion wave with billions paid and a US bounty on Iranian hackers, plus regulatory and industry shifts affecting AI, data sharing, and outsourced security.
#ValleyRAT #JS#Smuggler #NetSupportRAT #ShanyaEXE #BroadsideBotnet #STAC6565 #Canada #IranianHackers #Chrome #Gemini
Microsoft has released important cumulative updates for Windows 11 versions 25H2/24H2 and 23H2 that address security vulnerabilities and bugs and add new features. These mandatory updates incorporate the December 2025 Patch Tuesday security patches and introduce enhancements such as an improved File Explorer dark mode, Virtual Workspaces, and new gaming features.
#Windows11 #PatchTuesday #FileExplorer #VirtualWorkspaces #WindowsSecurity
Microsoft has released Windows 11 KB5072033 and KB5071417 cumulative updates for versions 25H2/24H2 and 23H2 to fix security vulnerabilities, bugs, and add new features.
Today’s updates are mandatory as they contain the December 2025 Patch Tuesday security patches for vulnerabilities discovered in previous months.
You can install today’s update by going to Start > Settings > Windows Update and clicking on ‘Check for Updates.’
December 2025 Update