APT Attacks Target Indian Government Using SHEETCREEP, FIREPOWER, and MAILCREEP | Part 2

Zscaler ThreatLabz analyzed the Sheet Attack campaign and identified three new backdoors—SHEETCREEP, FIREPOWER, and MAILCREEP—that abuse Google Sheets, Firebase, and Microsoft Graph API for C2 while using PDF and LNK lures to target Indian government entities. The report also documents signs of generative AI use in malware development and assesses with medium confidence a Pakistan-linked origin or connection to APT36. #SHEETCREEP #APT36

Comcast Business Cybersecurity Threat Report 2025

Comcast Business’s 2025 Threat Report analyzes 34.6 billion events (including 19.5B botnet resource-development events, 9.7B drive-by compromises, 4.7B phishing attempts, and 44,069 DDoS events) to map evolving attacker tactics such as proxy abuse, living-off-the-land techniques, and AI-enabled social engineering. It urges organizations to adopt multi-layered, AI-augmented defenses—prioritizing patching, phishing-resistant MFA, proactive threat hunting, and managed 24/7 SOC services—to reduce exposure and build enterprise resilience. #SocGholish #ComcastBusiness

How Elastic Infosec Optimizes Defend for Cost and Performance

Elastic’s Infosec team reduced endpoint event volume and cost by using Event Filtering and Advanced Policy Settings in Elastic Defend across a globally distributed workforce. By identifying noisy processes and hosts with ES|QL queries, applying event filters, disabling unnecessary hash calculations, and enabling event aggregation, the team cut event volume per host by roughly 75% and saved terabytes of storage per month. #ElasticDefend #Elastic

WinRAR path traversal flaw still exploited by numerous hackers

Multiple state-sponsored and financially motivated actors are actively exploiting CVE-2025-8088, a high-severity WinRAR path-traversal vulnerability, to gain initial access and deliver a range of malicious payloads. Crafted archives abuse Alternate Data Streams to hide extra entries and write LNK/HTA/BAT/CMD/script files outside the chosen extraction directory (often into Startup folders) for persistence; exploitation has been observed since July 18, 2025, including zero-day use by RomCom. #CVE-2025-8088 #RomCom
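The two checks a responder wants after reading the item above are whether WinRAR on a host is below the fixed build and whether anything script-like has recently landed in a Startup folder. The script below is an added example, not code from the article or from any vendor; it assumes WinRAR sits under the default install path, treats 7.13 as the first fixed build (confirm against the vendor advisory before relying on it), and uses an arbitrary 30-day look-back.

```powershell
# Added triage example for CVE-2025-8088 (not from the article). Assumptions: default WinRAR
# install path, 7.13 as the first fixed build (verify with the vendor), 30-day look-back window.
$FixedVersion = [version]'7.13'
$LookbackDays = 30
$DropperExt   = '.lnk', '.hta', '.bat', '.cmd', '.vbs', '.js', '.ps1'

# Returns the installed WinRAR version as [version], or $null if it is not at a default path.
function Get-WinRarVersion {
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $exe = Join-Path $root 'WinRAR\WinRAR.exe'
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $pv = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        # Keep only the numeric major.minor[.build[.rev]] prefix so the [version] cast cannot fail.
        if ($pv -match '^\d+(\.\d+){1,3}') { return [version]$Matches[0] }
    }
    return $null
}

# True when the installed build predates the fix. Comparing against a two-part version means
# 7.13, 7.13.0 and 7.13.0.0 all compare as "not vulnerable", while 7.12.x compares as vulnerable.
function Test-WinRarVulnerable {
    param([Parameter(Mandatory)] [version] $Installed)
    return $Installed -lt $FixedVersion
}

# Lists recently written shortcut/script files in every profile's Startup folder and the
# all-users Startup folder; the exploit writes its droppers to exactly these locations.
function Find-StartupDroppers {
    param([int] $Days = $LookbackDays)
    $since   = (Get-Date).AddDays(-$Days)
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @(
        Get-Item "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" -ErrorAction SilentlyContinue
        Get-Item ([Environment]::GetFolderPath('CommonStartup')) -ErrorAction SilentlyContinue
    )
    foreach ($folder in $folders) {
        Get-ChildItem -LiteralPath $folder.FullName -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in $DropperExt -and $_.LastWriteTime -ge $since } |
            ForEach-Object {
                $target = $null; $args = $null
                if ($_.Extension -eq '.lnk') {
                    # Resolve the shortcut so the real command line is visible, not just the LNK name.
                    $lnk    = $shell.CreateShortcut($_.FullName)
                    $target = $lnk.TargetPath
                    $args   = $lnk.Arguments
                }
                [pscustomobject]@{
                    Path          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                    Target        = $target
                    Arguments     = $args
                }
            }
    }
}

$ver = Get-WinRarVersion
if ($null -eq $ver)                  { Write-Output 'WinRAR not found at the default install paths' }
elseif (Test-WinRarVulnerable $ver)  { Write-Warning "WinRAR $ver is below $FixedVersion: update before opening untrusted archives" }
else                                 { Write-Output "WinRAR $ver is at or above the fixed build" }

Find-StartupDroppers | Format-Table -AutoSize
```

A hit in `Find-StartupDroppers` is not proof of exploitation on its own (legitimate installers also drop shortcuts there), so pair it with the user's recent archive activity and the LNK target before escalating. Run it elevated so every profile's Startup folder is readable.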

Microsoft investigates Windows 11 boot failures after January updates

Microsoft is investigating reports that some Windows 11 devices fail to boot with “UNMOUNTABLE_BOOT_VOLUME” stop errors after installing the January 2026 cumulative update KB5074109. Affected systems (Windows 11 25H2 and 24H2) display a black crash screen and require manual recovery; Microsoft is collecting Feedback Hub reports and separately issued OOB fixes for Outlook PST cloud freezes. #UNMOUNTABLE_BOOT_VOLUME #KB5074109

Inside a Multi-Stage Windows Malware Campaign

FortiGuard Labs describes a multi-stage Windows-focused campaign that uses social-engineered archives and LNK-triggered PowerShell to deploy staged loaders, abuse Defendnot to disable Microsoft Defender, install Amnesia RAT for extensive data theft and surveillance, and finally deliver Hakuna Matata–derived ransomware and a WinLocker to encrypt and lock victims’ systems. The operation leverages GitHub and Dropbox for modular hosting and the Telegram Bot API for C2 and exfiltration, while using registry and policy manipulation to suppress defenses and destroy recovery options. #Defendnot #AmnesiaRAT

Microsoft releases emergency OOB update to fix Outlook freezes

Microsoft released emergency out-of-band updates for Windows 10, Windows 11, and Windows Server to fix an issue that prevented classic Outlook from opening when PST files were stored in cloud-backed storage. The problem appeared after the January 2026 Patch Tuesday updates and affected PSTs on services like OneDrive and Dropbox, prompting KB updates and download links for affected OS versions. #Microsoft #Outlook

Konni hackers target blockchain engineers with AI-built malware

North Korean-linked group Konni (Opal Sleet, TA406) is deploying AI-generated PowerShell backdoors to target developers and engineers in the blockchain sector across the Asia-Pacific region. The campaign uses Discord-hosted lures, LNK/DOCX/CAB loaders, UAC bypasses, scheduled tasks, and XOR-encrypted in-memory execution to maintain persistence and execute C2-issued code. #Konni #PowerShell

KONNI Adopts AI to Generate PowerShell Backdoors

Check Point Research identified a KONNI-linked phishing campaign targeting blockchain developers across the APAC region that uses Discord-hosted lures and weaponized LNK shortcuts to deploy a multi-stage infection chain. The operation deploys an AI-generated, obfuscated PowerShell backdoor, leverages UAC bypass and scheduled-task persistence, and communicates with a PHP-based C2 protected by a JavaScript/AES challenge. #KONNI #SimpleHelp

How to Optimize Cybersecurity Budget in 2026?

CISOs are shifting 2026 cybersecurity budgets from reactive, optimization-driven strategies toward growth-focused, precision investments that prioritize measurable risk reduction and operational efficiency. Adversarial Exposure Validation (AEV) and continuous testing (via platforms like Picus) are emphasized as essential to proving ROI, optimizing tool sprawl, and prioritizing exploitable vulnerabilities. #Picus #Kerberoasting

Spanish judge closes NSO Group spyware probe due to lack of cooperation from Israel

Spain’s High Court has closed its probe into alleged Pegasus spyware surveillance of senior officials after Israel failed to cooperate with multiple requests for information. Judge José Luis Calama said Israel’s refusal breached international obligations after the court found evidence that Pegasus infections — including five infections of Prime Minister Pedro…

Osiris: New Ransomware, Experienced Attackers?

A new, distinct ransomware family called Osiris was used in a November 2025 attack against a major food service franchisee in Southeast Asia, employing hybrid ECC+AES-128-CTR encryption, VSS deletion, and a variety of living-off-the-land and dual-use tools. The intrusion included data exfiltration to Wasabi buckets, use of a Mimikatz build named kaz.exe, and deployment of a malicious signed driver (Poortry/Abyssworker) consistent with a BYOVD defense‑impairment tactic. #Osiris #Poortry

Resurgence of a multi-stage AiTM phishing and BEC campaign abusing SharePoint

Microsoft Defender researchers uncovered a multi-stage adversary‑in‑the‑middle (AiTM) phishing and BEC campaign that used compromised trusted vendor SharePoint links to harvest credentials, steal session cookies, create malicious inbox rules, and send large‑scale phishing to internal and external contacts, compromising multiple accounts in the energy sector. Remediation requires more than password resets—organizations must revoke active session cookies, remove attacker‑created inbox rules, enforce MFA/conditional access, and use Defender XDR detection and ZAP to contain and remediate the campaign. #AiTM #SharePoint
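The remediation steps listed above (revoke sessions, remove attacker-created inbox rules) can be scripted against Microsoft Graph. The block below is an added example, not code from the Microsoft write-up; it uses the Microsoft Graph PowerShell SDK and assumes `Connect-MgGraph` has already been run with a principal holding `User.ReadWrite.All` and app-only `Mail.ReadWrite` (needed to read another user's inbox rules; adjust if your tenant grants these differently). The account name, internal domain and keyword list are placeholders.

```powershell
# Added containment example for an AiTM-compromised account (not Microsoft's code).
# Assumes: Microsoft.Graph module, Connect-MgGraph already done with User.ReadWrite.All and
# app-only Mail.ReadWrite. $UserId and $InternalDomain are placeholders.
$UserId         = 'victim@example.com'   # placeholder: UPN or object id of the compromised account
$InternalDomain = 'example.com'          # placeholder: your own mail domain
$RemoveRules    = $false                 # report-only by default; set $true to delete flagged rules

# Flags the rule shapes BEC actors create: external forwarding, silent deletion, hide-and-mark-read,
# and keyword filters that bury security or payment-related mail. Returns the list of reasons.
function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory)] $Rule, [Parameter(Mandatory)] [string] $InternalDomain)
    $reasons = [System.Collections.Generic.List[string]]::new()
    $a = $Rule.Actions

    $recipients = @($a.ForwardTo; $a.RedirectTo; $a.ForwardAsAttachmentTo) | Where-Object { $_ }
    foreach ($r in $recipients) {
        $addr = $r.EmailAddress.Address
        if ($addr -and $addr -notlike "*@$InternalDomain") { $reasons.Add("forwards to external address $addr") }
    }
    if ($a.Delete)          { $reasons.Add('deletes matching messages') }
    if ($a.PermanentDelete) { $reasons.Add('permanently deletes matching messages') }
    if ($a.MoveToFolder -and $a.MarkAsRead) { $reasons.Add('moves messages and marks them read') }

    # Placeholder keyword list; tune to what your fraud cases actually looked like.
    $keywords = @($Rule.Conditions.SubjectContains; $Rule.Conditions.BodyContains) | Where-Object { $_ }
    $hits = $keywords -match 'invoice|payment|wire|password|hack|phish|security|suspicious'
    if ($hits) { $reasons.Add("filters on keywords: $($hits -join ', ')") }

    return $reasons
}

# 1. Invalidate refresh tokens and session cookies. Stolen cookies keep working until this runs,
#    which is why a password reset alone does not evict the attacker.
Revoke-MgUserSignInSession -UserId $UserId | Out-Null
Write-Output "Revoked sign-in sessions for $UserId"

# 2. Enumerate inbox rules and remove the ones that look attacker-made.
$rules = Get-MgUserMailFolderMessageRule -UserId $UserId -MailFolderId 'inbox' -All
foreach ($rule in $rules) {
    $why = Test-SuspiciousInboxRule -Rule $rule -InternalDomain $InternalDomain
    if ($why.Count -eq 0) { continue }
    Write-Warning ("Rule '{0}' ({1}): {2}" -f $rule.DisplayName, $rule.Id, ($why -join '; '))
    if ($RemoveRules) {
        Remove-MgUserMailFolderMessageRule -UserId $UserId -MailFolderId 'inbox' -MessageRuleId $rule.Id
        Write-Output "Removed rule $($rule.Id)"
    }
}
```

Run it report-only first, then with `$RemoveRules = $true` once the flagged rules have been confirmed with the user. Mailbox-level forwarding set through Exchange (`ForwardingSmtpAddress`) is not an inbox rule and will not appear here, so check it separately in Exchange Online, and follow the session revocation with a password reset, a review of registered MFA methods, and a conditional-access policy that blocks the attacker's re-entry path.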

PurpleBravo’s Targeting of the IT Software Supply Chain

Recorded Future / Insikt Group documents PurpleBravo, a North Korean-linked campaign that uses fraudulent developer/recruiter personas and malicious GitHub repositories to deliver infostealers and multi-platform RATs (BeaverTail, GolangGhost/PylangGhost, InvisibleFerret) targeting software developers—especially in the cryptocurrency sector and South Asia. The report details obfuscated JavaScript (Base64 + XOR), RC4/MD5 C2 protocols, registry Run-key persistence, Chrome credential-theft techniques (including DPAPI and app-bound bypasses), extensive C2 infrastructure (dozens of IPs and Astrill VPN nodes), and overlap with PurpleDelta activity. #PurpleBravo #BeaverTail

Microsoft shares workaround for Outlook freezes after Windows update

Microsoft has issued a temporary workaround for Outlook users experiencing freezes after installing recent Windows security updates, affecting Windows 10, 11, and Windows Server platforms. The issue causes Outlook to hang, particularly for POP email users with PST files stored on cloud services like OneDrive, and Microsoft is investigating a permanent fix. #OutlookFreeze #WindowsSecurityUpdates
