A new trojan named ChrimeraWire is being leveraged to artificially boost search engine rankings by simulating real user activity in Google Chrome. Researchers from Doctor Web detailed its infection process, capabilities, and potential for future expansion. #ChrimeraWire #SEOManipulation…
Tag: EDR
Cybersecurity researchers have reported a significant rise in ransomware attacks targeting hypervisors, with the Akira group leading this trend. These attacks threaten virtualized infrastructure by bypassing traditional security measures, emphasizing the need for enhanced defenses. #AkiraRansomware #HypervisorAttacks…
Makop ransomware continues to exploit exposed RDP services and weak credentials, then stages network scanners, LPE exploits, AV killers and credential dumpers before deploying its encryptor. Recent activity shows the operators have added loader-based delivery (GuLoader) and tailored AV uninstallers to evade defenses and increase success rates. #Makop #GuLoader
Storm-0249 has evolved from mass phishing to targeted post-exploitation operations that weaponize trusted EDR processes—notably abusing SentinelOne’s SentinelAgentWorker.exe via DLL sideloading, fileless PowerShell execution, and Microsoft domain spoofing to hide C2 and reconnaissance. Organizations need behavior-based detection, DNS monitoring for newly registered domains, and automated response playbooks to detect and isolate anomalies like DLL sideloading and curl-to-PowerShell piping before ransomware affiliates exploit pre-staged access. #Storm-0249 #SentinelOne
GrayBravo (formerly TAG-150) operates a malware-as-a-service ecosystem centered on CastleLoader and CastleRAT, supporting multiple customer clusters that employ targeted ClickFix phishing, malvertising, fake updates, and platform impersonation (notably logistics and Booking.com themes). Defensive recommendations include blocking identified IPs/domains, monitoring unusual legitimate internet services (LISs) like Pastebin/Steam, and deploying YARA, Snort, and Sigma detection rules to detect current and historical infections. #GrayBravo #CastleLoader
Multiple ransomware gangs utilize the Shanya packer-as-a-service platform to obfuscate malicious payloads and disable endpoint detection solutions. Sophos’s analysis reveals how Shanya compounds its effectiveness by encrypting payloads in memory and disrupting security tools in targeted regions. #Shanya #Medusa #Crytox #Akira #endpointdetection
Seqrite Labs identified Operation FrostBeacon, a multi-cluster campaign delivering Cobalt Strike beacons to Russian B2B organizations via malicious archives and weaponized Word documents. The attackers use LNK/HTA and CVE-2017-0199/CVE-2017-11882 chains with multi-layered obfuscated PowerShell loaders and Russian-controlled C2 infrastructure to execute in-memory shellcode. #OperationFrostBeacon #CobaltStrike
Lyra Rebane uncovered a novel SVG and CSS-based clickjacking attack that can bypass traditional web security measures. This technique manipulates cross-origin data leakage and has been demonstrated to exfiltrate sensitive information, highlighting ongoing vulnerabilities in web application security. #SVGClickjacking #CrossOriginLeaks…
Keith McCammon’s career in cybersecurity was shaped by self-education, problem-solving, and experience in national security, despite lacking formal training. His insights highlight the importance of communication and composure in cybersecurity leadership, as well as the evolving threats posed by professionalized cybercriminals. #CarbonBlack #RedCanary…
React2Shell (CVE-2025-55182) is a critical unauthenticated remote code execution vulnerability in React Server Components that allows attackers to deliver malicious Flight payloads and achieve code execution on servers running React 19.x with Server Components. It was rapidly weaponized with public PoCs, Metasploit modules, large-scale scanning, confirmed compromises, and nation-state exploitation—forcing KEV listing and causing operational impacts reported by providers like Cloudflare. #React2Shell #CVE-2025-55182
Daily Recap: Active exploitation of the critical React2Shell flaw pushed it onto the CISA KEV list, with Chinese actors and Amazon researchers reporting widespread abuse that even triggered a Cloudflare outage. The report also highlights CVE-2025-66516 in Apache Tika enabling XXE and possible RCE, a Barts Health NHS data breach caused by an Oracle zero-day, a resurgence of LockBit activity, EU penalties on X under the Digital Services Act, and the Agentic Wiper threat capable of auto-deleting Google Drive contents.
#React2Shell #CISAKEV #CloudflareOutage #ApacheTika #CVE-2025-66516 #BartsHealthNHS #LockBit #AgenticWiper #GoogleDrive #X #DigitalServicesAct
Shanya is a packer-as-a-service (crypter) widely used in 2025 to obfuscate loaders and payloads, enable AMSI and UAC bypasses, perform DLL side-loading, and deliver EDR-killing components that facilitate ransomware and backdoor deployments. The service has been linked to multiple malware families and operations—including CastleRAT and Akira—and associated IOCs include packed sample hashes, malicious domains, and side-loaded DLL/file names. #Shanya #CastleRAT
A new agentic browser attack exploits natural language prompts to automatically delete Google Drive contents without user confirmation, posing significant security risks. The attack leverages excessive agency in AI-powered assistants and URL fragment manipulation, highlighting vulnerabilities in AI browser security. #GoogleDriveWiper #HashJack #Perplexity #AIvulnerabilities…
Sophos linked nearly 40 STAC6565 intrusions (Feb 2024–Aug 2025) to the GOLD BLADE group, which has evolved from espionage into a hybrid operation that mixes targeted data theft with selective ransomware deployment using a custom locker called QWCrypt. The group refines RedLoader delivery chains, abuses recruitment platforms to deliver weaponized resumes, leverages BYOVD drivers and modified Terminator tools for EDR evasion, and uses RPivot/Chisel for tunneled C2. #GOLD_BLADE #QWCrypt
CISA has revealed details of BRICKSTORM, a sophisticated backdoor used by Chinese state-sponsored threat actors to maintain long-term access on VMware vSphere and Windows systems. The malware is employed in targeting government and IT sectors, supporting covert command-and-control operations through various protocols and concealment techniques. #BRICKSTORM #WarpPanda…