CrowdStrike tracked a China-nexus adversary dubbed WARP PANDA conducting persistent, stealthy intrusions against VMware vCenter and ESXi environments across U.S. legal, technology, and manufacturing organizations, deploying BRICKSTORM, JSP web shells, and two new Golang implants named Junction and GuestConduit. The actor exploited internet-facing edge device and vCenter vulnerabilities, tunneled traffic and…
Tag: EDR
Attackers exploited a GitHub Actions injection vulnerability in Nx's workflow to steal an NPM publishing token, push malicious Nx packages, and use those packages to harvest credentials, SSH keys, and crypto wallets from developer systems. The campaign evolved into a self-replicating NPM supply-chain worm called Shai-Hulud that registers compromised hosts as self-hosted GitHub Actions runners and uses GitHub Discussions as a stealthy C2 channel. #ShaiHulud #Nx
DigitStealer is a macOS information stealer delivered as an unsigned DynamicLake.dmg that runs almost entirely in memory and abuses JavaScript for Automation (JXA) and AppleScript to harvest high-value data. It enforces geographic and Apple Silicon M2+ hardware checks, fetches four in-memory payloads (AppleScript stealer, two obfuscated JXA modules, and a LaunchAgent backdoor using DNS TXT for C2), and tampers with Ledger Live to enable seed-phrase exfiltration. #DigitStealer #LedgerLive
Anthropic disclosed that a China-nexus group, tracked as GTG-1002, used an AI agent to run roughly 80–90% of a live cyber-espionage campaign that targeted about 30 entities and produced several confirmed intrusions. The operation chained thousands of small, routine-looking tasks through a Claude Code + MCP-based orchestrator, enabling high-speed reconnaissance, exploitation, credential abuse, lateral movement, and exfiltration. #GTG-1002 #PromptLock
Microsoft Deputy CISO Damon Becknel outlines four immediate security priorities (basic cyber hygiene, modern standards and protocols, fingerprinting to identify bad actors, and increased collaboration) to reduce common, preventable online attacks. The post emphasizes practical actions like inventorying assets, enforcing phishing-resistant MFA, patching, network segmentation, DNS and SMTP hardening, and using fingerprinting and threat intelligence sharing to raise the cost for attackers. #Microsoft #EWS
7AI, a Boston-based cybersecurity firm, has raised $130 million in its Series A funding round to expand its AI-driven security solutions. The company’s autonomous AI agents are designed to automate threat detection and response, significantly improving security operation efficiency. #7AI #AIThreatDetection…
Recent cybersecurity incidents highlight the evolving tactics of hackers targeting DeFi protocols, malware, phishing campaigns, and critical infrastructure. Staying aware of these threats is essential to protect sensitive data, financial assets, and online trust. #YearnFinance #BPFDoor…
WithSecure STINGR released a technical analysis of a previously undocumented Windows packer named TangleCrypt that hides payloads inside PE resources using base64, LZ78 compression, and XOR, and that delivered STONESTOP payloads which leverage the ABYSSWORKER malicious driver. The packer supports executing payloads in-process or in a child process, employs string encryption…
The article explains how red teamers perform full post-exploitation operations by “living off the land”: abusing built-in Windows utilities (PowerShell, WMI, certutil, regsvr32, mshta, MSBuild, netsh, etc.) for reconnaissance, credential harvesting, lateral movement, persistence, and exfiltration without uploading custom binaries. It also stresses that by 2025 many classic LOLBin techniques…
A multi-stage ClickFix social-engineering campaign uses mshta to launch PowerShell, which reflectively loads .NET assemblies that AES-decrypt an embedded PNG and extract Donut-packed shellcode via a custom steganography routine, ultimately delivering infostealers such as LummaC2 and Rhadamanthys. #LummaC2 #Rhadamanthys…
Nimbus Manticore is a highly obfuscated 64-bit PE malware built to escalate privileges, move laterally via RPC, dynamically load components, and evade sandboxes using timing checks. Deep Instinct was the only vendor on VirusTotal to detect it for a full week, highlighting detection gaps against this threat. #NimbusManticore #DeepInstinct
ReliaQuest attributes an ongoing Microsoft Teams SEO-poisoning campaign to the Chinese APT group Silver Fox, which uses a modified ValleyRAT loader (including Cyrillic false flags) to target Chinese-speaking users and Western organizations with operations in China. The campaign leverages typo-squatted domains and Alibaba Cloud hosting to deliver ValleyRAT via a trojanized Teams installer, enabling rundll32-based Binary Proxy Execution, C2 communications, data exfiltration, and financial theft to fund operations. #SilverFox #ValleyRAT
SeedSnatcher (distributed as the “Coin” APK com.pureabuladon.auxes/Coin.apk) is an Android crypto-mnemonic stealer that uses WebView overlays, dynamic class loading, integer-based WebSocket C2 commands, and broad permission abuse to harvest seed phrases, SMS, call logs, contacts, screenshots, and other device data. The campaign is distributed via affiliate links on social platforms (notably Telegram), tracks installs with agent identifiers, and communicates with C2 apivbe685jf829jf[.]a2decxd8syw7k[.]top to exfiltrate stolen assets and control infected devices. #SeedSnatcher #TrustWallet
Huntress investigated three incidents between September and November where threat actors leveraged SharePoint ToolShell and other vulnerabilities to install Velociraptor and establish tunneled C2 using legitimate tools like Visual Studio Code and Cloudflare. One incident culminated in a Warlock ransomware compromise and showed overlapping IOCs (for example royal-boat-bf05.qgtxtebl.workers[.]dev) and technique reuse that links some activity to Storm-2603. #Velociraptor #Warlock
Cyble Research & Intelligence Labs (CRIL) uncovered an active Linux campaign delivering a Mirai-derived V3G4 botnet that performs raw-socket SSH scanning, C2 DNS resolution, and process masquerading before deploying a runtime-configured XMRig Monero miner. The campaign uses an architecture-aware downloader, tmpfs staging, UPX-packed binaries, and fileless miner configuration fetched from C2 to maximize stealth and evasion. #V3G4 #XMRig