10 npm Typosquatted Packages Deploy Multi-Stage Credential H…

Socket’s Threat Research Team discovered 10 typosquatted npm packages that execute a multi-stage credential stealer via npm’s postinstall hook, using four layers of JavaScript obfuscation, a fake CAPTCHA prompt, IP fingerprinting, and a downloaded 24MB PyInstaller data_extracter binary to harvest credentials across Windows, Linux, and macOS. The campaign’s packages (published July 4, 2025) accumulated over 9,900 downloads; the npm registry was contacted for takedown, and the actor registered the packages under the alias andrew_r1 (parvlhonor@gmx[.]com). #data_extracter #andrew_r1

International Threats, Infection URLs Used in Regional Phishing Campaigns

Cofense Intelligence analyzed infection URLs embedded in non-English phishing emails that bypassed secure email gateways, finding that legitimate cloud/file-hosting services (e.g., Google Drive, Dropbox, Amazon AWS) are commonly abused while some languages see more compromised or malicious domains. Malware families show strong language targeting: Remcos and Loda appear across several languages, KrBanker dominates Chinese campaigns, and many Portuguese-specific families (e.g., PeepingTile, Lampion) are almost exclusively delivered in Portuguese. #Remcos #KrBanker

Ransomware Detection With Real-Time Data | Recorded Future

Ransomware threats are accelerating in volume, velocity, and sophistication—driven by RaaS, AI-enabled attacks, and identity-based intrusions—making traditional, signature-based detection insufficient. Organizations need timely, relevant, intelligence-driven data and integrated technologies (threat intelligence, ML/AI, behavioral analytics, automation) to detect and prevent ransomware early. #Ransomware-as-a-Service #RecordedFuture

The DragonForce Cartel: Scattered Spider at the gate

Acronis TRU analyzed DragonForce, a Conti-derived RaaS active since 2023 that rebranded as a ransomware cartel. It uses leaked Conti code and BYOVD attacks via vulnerable drivers (truesight.sys, rentdrv2.sys) to disable security products and terminate protected processes. The group’s affiliate model and partnerships with Scattered Spider (and overlaps with LAPSUS$ and ShinyHunters) have led to over 200 public victims and variants like Devman and Mamona/Global. #DragonForce #Conti #ScatteredSpider #truesight.sys #rentdrv2.sys

The Top 3 Browser Sandbox Threats That Slip Past Modern Security Tools

The article highlights the growing security risks posed by modern browsers, which are often overlooked in enterprise cybersecurity strategies. It emphasizes the limitations of traditional browser sandboxing and presents Keep Aware’s solution for real-time threat detection and prevention. #BrowserSandbox #CredentialTheft #MaliciousExtensions #LateralMovement #KeepAware

COLDRIVER New Malware Toolset Expansion

Researchers observed the Russian APT COLDRIVER rapidly replace LOSTKEYS with new malware families NOROBOT, YESROBOT, and MAYBEROBOT to target high-value individuals in NGOs, policy advisory roles, and dissidents. The group refined delivery (ClickFix CAPTCHA lure with iamnotarobot.dll executed via rundll32), rotated infrastructure, and shifted from Python-based to PowerShell-based backdoors to improve flexibility and evade detection. #COLDRIVER #NOROBOT

Operation Peek-A-Baku: Silent Lynx APT Exploits LNK Flaws to Deploy Reverse Shells via GitHub Against Central Asian Diplomacy

Seqrite Labs’ APT Team exposed the espionage activities of Silent Lynx, a threat group conducting phishing campaigns targeting diplomatic and infrastructure entities in Central and South Asia. Their operations focus on regional summits and strategic projects, with potential expansion to other diplomatic events. #SilentLynx #APT #GeopoliticalEspionage…

Operation Peek-a-Baku: Silent Lynx APT Targets Dushanbe with Espionage Campaign

Silent Lynx conducted spear-phishing campaigns using malicious RAR archives and LNK shortcuts to deploy multiple implants (PowerShell reverse shells, C++ Laplas, C++/TLS variants, .NET SilentSweeper) targeting diplomatic and infrastructure-related entities in Central Asia, Russia, Azerbaijan, and China. Infrastructure includes GitHub-hosted Base64 blobs, C2s at 206.189.11.142 and Russian hosts, and use of tunneling tools like Ligolo-ng. #SilentLynx #SilentSweeper

The Evolution of SOC Operations: How Continuous Exposure Management Transforms Security Operations

Security Operations Centers face challenges including alert fatigue and lack of context, which hinder effective threat detection and response. Integrating continuous exposure management enhances SOC workflows by providing real-time attack surface visibility and contextual threat intelligence. #MITREATTACK #ExposureManagement…

Continuous Feedback Loops: Why Training Your AI-SOC Doesn’t Stop at Deployment

The article describes the shift from pre-trained AI-SOC tooling to continuously learning, analyst-driven AI that evolves with local context. It outlines how feedback loops, transparency, usability, and measurable metrics transform SOCs into adaptive, explainable systems that reduce false positives and improve detection and response.
#ShaharBenHador #RadiantSecurity

Datadog threat roundup: Top insights for Q3 2025

Datadog observed a rise in supply-chain and developer-tooling attacks in Q3 2025, including widespread npm account compromises via phishing and a self-replicating npm worm (Shai-Hulud) that exfiltrated GitHub tokens and propagated across packages. The report also highlights malicious VS Code extensions, AI-assisted malware (e.g., LameHug) using external LLM APIs, and persistent risks from long-lived cloud credentials and fraudulent deepfake job profiles. #Shai-Hulud #S1ngularity

Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor to Defense Sector

In October 2025, CRIL discovered a multi-stage backdoor campaign in which a weaponized ZIP masquerading as a Belarusian military PDF used nested archives, LNK-triggered PowerShell, scheduled tasks, and a Tor hidden service with obfs4 to provide anonymous SSH/RDP/SFTP/SMB access. The TTPs and infrastructure show similarities to the December 2024 Army+ campaign attributed to Sandworm (UAC-0125/APT44), including pre-generated RSA keys and deployment of OpenSSH for Windows. #Sandworm #obfs4

Cloud Abuse at Scale

Adversaries used stolen AWS credentials to run large-scale credential testing and cloud reconnaissance via an infrastructure named TruffleNet, leveraging TruffleHog and automated AWS API calls to identify valid accounts and probe SES sending capabilities. Compromised accounts were then used to create verified email identities and conduct Business Email Compromise campaigns, including a $50,000 W-9 invoice scam that used domains like cfp-impactaction[.]com. #TruffleNet #TruffleHog #cfp-impactaction[.]com

What’s New in MITRE ATT&CK v18: Detection Strategies and Analytics Unveiled

MITRE ATT&CK v18.0 replaces legacy Detections and Data Sources with a behavior-driven two-tier model of Detection Strategies and Analytics, improving telemetry mapping and cross-tactic correlation to better reflect real-world adversary behavior. The release adds 12 new techniques across Enterprise, Mobile, and ICS and signals future tactic reorganization and expanded coverage while vendors like Picus Security map tests and detections to the new model. #DET0525 #AN0850
