Calisto (aka ColdRiver/Star Blizzard), an intrusion set attributed to Russia’s FSB, resumed spear-phishing campaigns in May–June 2025 targeting NGOs, researchers, and institutions supporting Ukraine using impersonation, compromised redirectors and an AiTM phishing kit that can relay 2FA. The group used ProtonMail-themed decoys, PHP redirectors on compromised sites, and a homemade JavaScript-based kit hosted on domains such as simleasip[.]org to capture credentials. #Calisto #ReportersWithoutBorders
Tag: EDR
Matanbuchus is a C++ malicious downloader/backdoor offered as MaaS since 2020 that downloads and executes second-stage payloads and supports hands-on-keyboard activity, often observed in ransomware-linked operations. Version 3.0 introduced Protobuf-based serialized network communication and extensive ChaCha20-based encryption and obfuscation methods. #Matanbuchus #Rhadamanthys
A surge of at least 420 likely automated, malicious npm packages following an “elf-stats-*” naming pattern was identified, many containing low-effort command execution or exfiltration code and rapid publish cadences. The packages are being removed by npm as investigators track payloads, authors, C2 endpoints, and related indicators. #elf-stats #npm
FortiGuard Labs observed the Mirai-based botnet variant “ShadowV2” spreading via multiple IoT vulnerabilities during a global AWS connectivity disruption, impacting devices from vendors such as D-Link, TP-Link, DD-WRT, DigiEver, and TBK across many countries and industries. The campaign delivered a downloader (binary.sh) and the shadow-prefixed payloads (e.g., shadow.x86_64) connecting to the C2 silverpath.shadowstresser.info (81.88.18.108), and is assessed as likely a test run for future attacks. #ShadowV2 #DLinkDNS320
Shadow AI refers to GenAI-powered tools, browser extensions, and agentic browsers that run inside the browser, creating an unmanaged AI execution environment with security visibility gaps. The article outlines six risks, a real-world Perplexity Comet Attack example, and recommended defenses such as browser session monitoring, clear AI-use policies, identity controls, and employee education. #ShadowAI #PerplexityCometAttack
ESET reports that MuddyWater (TA450) conducted a focused cyberespionage campaign primarily against organizations in Israel and one confirmed target in Egypt using new custom tools including the Fooder loader and the MuddyViper backdoor to improve evasion and persistence. The campaign also deployed credential stealers (CE-Notes, LP-Notes), browser stealers (Blub), go-socks5 reverse tunnels, and adopted the CNG API for encryption to exfiltrate credentials and browser data. #MuddyWater #MuddyViper
The Water Saci campaign in Brazil leverages multi-format delivery via WhatsApp (HTA, ZIP, PDF) and a layered MSI/AutoIt loader to deploy a banking trojan with persistence and process-hollowing techniques. The actors also automated propagation via WhatsApp using a Python port of a PowerShell automation (whatsz.py / tadeu.ps1), employed IMAP-based C2 retrieval…
New 2025 samples of eBPF-abusing malware show continued evolution: Symbiote uses UDP port-hopping on high ports for stealthy C2 while BPFDoor added IPv6 support and hides C2 in DNS (UDP/53). Fortinet detects these families (Linux/Symbiote.B!tr, Linux/BpfDoor.F!tr) and provides antivirus and IPS signatures to block reverse shells and C2 traffic. #Symbiote #BPFDoor
Cybersecurity researchers have uncovered a malicious npm package called eslint-plugin-unicorn-ts-2 that aims to interfere with AI-driven security tools and exfiltrate sensitive information. This development highlights the evolving tactics of threat actors who are now targeting AI analysis and leveraging underground markets for malicious language models. #eslint-plugin-unicorn-ts-2 #AI-manipulation…
TAG-150 is a growing Malware-as-a-Service operator active since March 2025 that uses two custom families, CastleLoader (a loader) and CastleRAT (a RAT), to run large-scale, modular, multi-stage campaigns primarily targeting the United States. Darktrace observed and contained an early-stage CastleLoader infection that connected to C2 infrastructure at 173.44.141[.]89 by using Autonomous Response to block external connections and enforce a group pattern of life. #TAG-150 #CastleLoader
Threat hunting is a proactive, human-driven process that searches networks and endpoints to identify hidden or emerging threats missed by automated defenses. Combining intelligence, data analysis, and skilled hunters—supported by tools like Huntress Managed SIEM—enables organizations to detect and contain threats earlier and convert successful hunts into automated detections. #Huntress #HuntressManagedSIEM
The 2025 Cyber Threat Intelligence Report provides a detailed analysis of global malicious infrastructure, highlighting increased use of Sliver and Brute Ratel frameworks and ongoing dominance of Cobalt Strike. It also covers significant trends in information stealers and ransomware ecosystems, emphasizing evolving adversary tactics and geographic hosting distributions. #CobaltStrike #Sliver #BruteRatel #LummaStealer #RedlineStealer #FogRansomware
A threat actor used the Evilginx adversary-in-the-middle (AiTM) phishing framework to target student SSO portals at at least 18 U.S. universities since April 2025, delivering personalized TinyURL emails that redirected victims to short-lived subdomain phishing URLs that proxied legitimate login flows and bypassed MFA. Passive DNS analysis and initial web server fingerprinting uncovered nearly 70 domains and multiple dedicated IPs that enabled tracking despite evasion measures like Cloudflare proxies and JavaScript obfuscation. #Evilginx #UniversityOfSanDiego
CYFIRMA uncovered an APT36 campaign delivering a Python-based RAT to BOSS Linux systems via weaponized .desktop shortcut files inside a malicious archive that staged downloads from lionsdenim[.]xyz and 185[.]235[.]137[.]90. The campaign establishes persistence (systemd user services), supports remote command execution, file exfiltration, screenshots, and cross-platform control for sustained espionage. #APT36 #BOSS
BlueNorroff targeted tech executives, venture capitalists, and Web3 developers with two interrelated campaigns—GhostCall (macOS-focused via malicious Zoom updates) and GhostHire (GitHub-based malware disguised as recruitment tests)—that exfiltrated wallets, keychains, API keys, notes, and other sensitive data. Analysis of 39 IoC domains, related IPs, and WHOIS/DNS history revealed bulk registrations, typosquatting clusters, and hundreds of infected client IPs and historical resolutions tied to malicious infrastructure. #BlueNorroff #GhostCall