Ransomware operations are increasingly enabled by infostealers that harvest and sell credentials and session tokens to Initial Access Brokers, enabling validated enterprise access and rapid ransomware deployment often within 48 hours. This convergence compresses attacker dwell time, elevates credential-driven extortion risk, and demands stronger credential hygiene, endpoint visibility, and identity-focused defenses. #RedLine #Lumma
ESET researchers detailed DynoWiper, a new data-wiping malware deployed against an energy company in Poland that was prevented from fully executing by ESET PROTECT. The activity shows strong TTP overlap with previous Sandworm operations (including similarities to the ZOV wiper and AD/GPO deployment scripts), and ESET attributes DynoWiper to Sandworm with medium confidence. #DynoWiper #Sandworm
Mandiant and Google Threat Intelligence report that ShinyHunters and affiliated clusters are running vishing campaigns that use company-branded phishing sites to steal SSO credentials and MFA codes, allowing attackers to enroll their own devices and maintain access. Compromised accounts provide attackers with centralized access to SaaS dashboards (Okta, Microsoft Entra, Google SSO) to exfiltrate data from services like Salesforce and enable extortion. #ShinyHunters #Okta
A global phishing campaign is sending repeated cloud-storage scam emails that falsely warn recipients their photos, files, and backups will be deleted due to alleged payment failures. The emails use storage.googleapis.com redirectors to lead victims to impersonation pages that push unrelated affiliate products and collect payment details, so users should delete suspicious messages and verify billing only through official provider sites or apps. #GoogleCloud #GoogleDrive
Google-owned Mandiant reported an expansion in extortion-style attacks tied to ShinyHunters that use vishing and fake credential-harvesting sites to steal SSO credentials and MFA codes. The attackers, tracked as UNC6661, UNC6671, and UNC6240, are targeting cloud SaaS platforms (including Okta, SharePoint, and OneDrive) to exfiltrate sensitive data and extort…
Cyble uncovered ShadowHS, a fileless Linux post-exploitation framework that uses an encrypted, obfuscated POSIX shell loader to reconstruct and execute a weaponized variant of hackshell entirely in memory. The framework emphasizes stealth and operator-driven control: fingerprinting EDR/AV, enabling covert GSocket-backed rsync exfiltration, credential theft, lateral movement, and on-demand cryptomining, all while leaving no persistent disk artifacts. #ShadowHS #hackshell
Google Threat Intelligence Group (GTIG), together with industry partners, disrupted IPIDEA by taking down domains and sharing intelligence on its proxy SDKs, infected-device management, and traffic routing infrastructure. IPIDEA covertly enrolled millions of devices through trojanized Android apps and Windows binaries to sell proxy access to over 550 threat groups and support botnets like Aisuru and Kimwolf. #IPIDEA #BadBox2_0
FortiGuard Labs discovered a Base64-encoded PHP web shell named EncystPHP deployed by exploiting FreePBX Endpoint Manager vulnerability CVE-2025-64328, enabling remote command execution, persistence, and telephony abuse. The campaign, attributed to INJ3CTOR3, delivered droppers from 45[.]234[.]176[.]202 (crm[.]razatelefonia[.]pro), created a root-level user and SSH backdoor, and maintained persistence via cron jobs and widespread web shell copies. #EncystPHP #FreePBX
Enterprises must prioritize actionable, business-specific threat intelligence to reduce dwell time and prevent costly operational downtime. ANY.RUN’s STIX/TAXII-compatible TI Feeds deliver fresh, validated indicators and behavioral context that boost early detection, cut false positives, and shorten MTTD/MTTR for faster incident response. #ANYRUN #TIFeeds…
Threat actors are abusing Amazon Web Services (notably Amazon S3, Amazon SES, and AWS Amplify) to host credential-phishing pages and to send obfuscated phishing emails that leverage trusted AWS domains. These capabilities, combined with easy provisioning, free tiers, and weak or misconfigured IAM and logging, enable scalable campaigns that evade some traditional email security controls and complicate takedown and forensics. #AmazonS3 #AmazonSES
Google dismantled a global IPIDEA residential proxy network that had covertly enrolled millions of consumer devices as proxy exit nodes, seizing domains and coordinating with providers and law enforcement to disrupt the infrastructure. The network enabled large-scale espionage and cybercrime through SDKs embedded in benign apps and a two-tier command-and-control system…
TA584 increased its operational tempo in 2025, expanded geographic and language targeting, and changed its attack chains to include ClickFix social engineering, layered redirects, rapid domain rotation, and new payloads such as Tsundere Bot alongside XWorm. These changes produced high campaign churn, frequent use of PowerShell/Node.js-based installers and WebSocket/Ethereum-based C2 retrieval,…
Google Threat Intelligence Group and partners disrupted the IPIDEA residential proxy network by taking down C2 and marketing domains, sharing SDK and infrastructure intelligence, and enforcing Play Protect to remove apps embedding IPIDEA SDKs. The network had enrolled millions of consumer devices via trojanized or monetized SDKs and was abused by numerous threat groups and botnets including BadBox2.0. #IPIDEA #BadBox2.0
The GTIG reported widespread exploitation of CVE-2025-8088 in WinRAR using Alternate Data Streams and path traversal to drop payloads into the Windows Startup folder for persistence across state-sponsored and financially motivated campaigns. Defenders are urged to patch immediately and hunt for indicators such as malicious RAR archives, LNK/HTA/BAT/CMD payloads, and the provided SHA-256 hashes. #CVE-2025-8088 #WinRAR
Proofpoint tracked state-sponsored and financially motivated clusters using SquarePhish2 and Graphish to bypass the OAuth device code authorization process and gain access to victims’ Microsoft 365 accounts, leading to account takeover and data exfiltration. Researchers collated and analyzed 46 IoCs (21 subdomains including four variations, 22 domains, one IP, and two email addresses) and uncovered additional connected artifacts such as 91 email-connected domains and 23 more IPs. #SquarePhish2 #Graphish