Acronis TRU identified a targeted campaign delivering a DLL-sideloaded backdoor, tracked as LOTUSLITE, via a politically themed ZIP archive aimed at U.S. government and policy-related entities. The implant uses a simple loader/DLL execution chain, hard-coded IP-based C2, basic persistence via a Run key and ProgramData directory, and shows behavioral overlaps with Mustang Panda. #LOTUSLITE #MustangPanda
Tag: EDR
Cybersecurity researchers have revealed a new attack technique called Reprompt that enables attackers to exfiltrate sensitive data from AI chatbots like Microsoft Copilot with a single click, bypassing security controls. Microsoft has addressed the vulnerability, which primarily affects consumer-facing versions, while enterprise users remain protected. #Reprompt #AIChatbots…
Intelligence-driven detection that combines endpoint/XDR, network detection, and threat intelligence enables earlier identification of ransomware precursor behaviors like reconnaissance, credential theft, and data staging before encryption occurs. Recorded Future and similar platforms strengthen detection by providing organization-specific, real-time context on active campaigns, attacker infrastructure, and vulnerabilities prioritized by what ransomware operators are actually exploiting. #LockBit #RecordedFuture
Many SOCs are struggling to adapt to the evolving cyber threat landscape due to outdated practices and disjointed tools. Modern solutions like automation, dynamic analysis, and integrated workflows can significantly improve incident response times and detection rates. #ANY.RUN #SOCautomation…
CloudSEK STRIKE’s HUMINT uncovered a false-flag campaign by an actor using the alias “RedLineCyber” who distributes a PyInstaller-packed clipboard hijacker via Discord and Telegram, targeting cryptocurrency streamers and gambling communities. The malware, distributed as Pro.exe (also peeek.exe), monitors the Windows clipboard and silently replaces copied crypto addresses with attacker-controlled wallets for six cryptocurrencies while persisting via an HKCU Run key. #RedLineCyber #Pro.exe
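The clipboard-hijacker behaviour described above (copy an address, paste a different one of the same coin type) can be checked for from the defender's side by pairing each clipboard write with the value read back shortly afterwards. The following is an added illustration, not code from the CloudSEK report or from the Pro.exe sample: the address patterns for BTC, ETH, LTC and TRX are assumptions (the report does not list the six currencies), the event records are constructed, and on a real Windows host they would have to be fed from the clipboard API rather than from the inline list.

```python
import re
from dataclasses import dataclass

# Address patterns for a few common coins. Assumption: the report does not name the
# six currencies the hijacker handles, so these four are used for illustration only.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{25,62})$"),
    "TRX": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify(text):
    """Return the coin whose address format `text` matches, or None.
    This is the same kind of classification a clipper performs before swapping."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


@dataclass
class ClipboardEvent:
    ts: float     # seconds
    kind: str     # "copy" = what the user placed; "read" = what the clipboard holds now
    text: str
    owner: str    # process that last set the clipboard, if the monitor can tell


def detect_hijacks(events, window=5.0):
    """Pair every copy with the next read inside `window` seconds and flag the case
    where an address was replaced by a different address of the same coin type.
    A swap to a different coin type or to non-address text is not flagged here,
    which keeps false positives down when the user simply copies something else."""
    alerts = []
    last_copy = None
    for ev in events:
        if ev.kind == "copy":
            last_copy = ev
        elif ev.kind == "read" and last_copy is not None and ev.ts - last_copy.ts <= window:
            copied, seen = classify(last_copy.text), classify(ev.text)
            if copied is not None and seen == copied and last_copy.text.strip() != ev.text.strip():
                alerts.append({
                    "coin": copied,
                    "expected": last_copy.text.strip(),
                    "observed": ev.text.strip(),
                    "owner": ev.owner,
                    "ts": ev.ts,
                })
            last_copy = None
    return alerts


# Constructed sample: one swapped ETH address, one benign string, one untouched BTC
# address, and a copy/read pair of different coin types that should not fire.
ETH_USER = "0x" + "a1" * 20
ETH_ATTACKER = "0x" + "b2" * 20
BTC_USER = "bc1q" + "a" * 38
SAMPLE_EVENTS = [
    ClipboardEvent(1.0, "copy", ETH_USER, "explorer.exe"),
    ClipboardEvent(1.2, "read", ETH_ATTACKER, "Pro.exe"),
    ClipboardEvent(5.0, "copy", "meeting notes", "notepad.exe"),
    ClipboardEvent(5.1, "read", "meeting notes", "notepad.exe"),
    ClipboardEvent(10.0, "copy", BTC_USER, "chrome.exe"),
    ClipboardEvent(10.2, "read", BTC_USER, "chrome.exe"),
    ClipboardEvent(20.0, "copy", BTC_USER, "chrome.exe"),
    ClipboardEvent(20.1, "read", ETH_USER, "chrome.exe"),
]


def run_sample():
    return detect_hijacks(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert['ts']}] {alert['coin']} address swapped by {alert['owner']}: "
              f"{alert['expected']} -> {alert['observed']}")
```

On the constructed input only the first pair fires, attributing the swap to the process that last wrote the clipboard. The owner field is the useful pivot in practice: a clipboard write from an unexpected binary in a user-writable path, combined with an HKCU Run entry pointing at that binary, is the combination the report describes.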
Iru researchers uncovered a Mach-O binary named Portfolio_Review.exe that masquerades as a Windows .exe and contains a PyInstaller CArchive bundling a portfolio_app.pyc payload the researchers named MonetaStealer. MonetaStealer, still in early development and relying heavily on AI-generated code, targets Chrome credentials/cookies/history, crypto wallets, macOS Keychain and Wi-Fi credentials, stages data to STOLEN{sessionID}.zip and uses api.telegram.org for reporting while remaining undetected on VirusTotal. #MonetaStealer #Iru
The article discusses the novel ConsentFix attack technique that hijacks Microsoft accounts by exploiting OAuth consent phishing combined with social engineering. It highlights community responses, vulnerabilities in Microsoft apps, and recommended defenses to detect and prevent this emerging threat. #ConsentFix #OAuthPhishing
VoidLink is an advanced, cloud-native Linux malware framework designed for modern cloud and container environments, featuring modular plugins and sophisticated anti-forensics capabilities. It is likely developed for commercial use or by a specific customer, with active development and Chinese-speaking developers. #VoidLink #LinuxMalware
Validin's 2025 recap highlights major research, community growth, product updates, and collaborations that expanded platform capabilities and researcher access. The company's research exposed campaigns such as the FreeDrain crypto-theft network and phishing infrastructure tied to Scattered Spider. #FreeDrain #ScatteredSpider
ANY.RUN performed a full dynamic and static analysis of CastleLoader, revealing a multi-stage delivery (Inno Setup → AutoIt → process hollowing into jsc.exe) that injects a PE-only-in-memory payload used to deliver information stealers and RATs against government and critical infrastructure targets. The report includes an automated parser to extract configuration strings,…
Cybersecurity researchers have uncovered VoidLink, a sophisticated malware framework targeting Linux-based cloud environments for long-term stealthy access. The malware’s modular and adaptive design, linked to Chinese threat actors, demonstrates a focus on cloud services like AWS, Azure, and Google Cloud. #VoidLink #CloudThreats…
The article shows that widely available large language models are being used by attackers as rapid authoring tools to produce PowerShell and other scripts, accelerating the tempo of commodity attacks without introducing fundamentally new exploitation techniques. Multiple Huntress case studies (including RDP brute force, WinRM lateral movement, browser credential harvesters, Veeam-focused attempts, and a malicious Chrome extension beaconing to 172.86.105[.]237:5000) were stopped by basic telemetry, MFA, segmentation, and tuned detections. #Veeam #Huntress
Cyber Insights 2026 predicts a rapidly evolving cybersecurity landscape where CISOs face increasing complexity, AI-induced risks, regulatory pressures, and burnout. The role will transform into a broader executive position, emphasizing AI governance, personal liability, and organizational resilience. #CISO #AIThreats…
Threat actors abused Cloudflare’s free-tier TryCloudflare tunnels and legitimate Python environments to host WebDAV servers and deliver the AsyncRAT remote access trojan, using double-extension phishing lures and living-off-the-land techniques for persistence. The campaign installs an embedded Python runtime, executes ne.py to APC-inject shellcode from new.bin into explorer.exe, and persists via startup…
North Korean APT group Kimsuky has been using spear-phishing campaigns involving malicious QR codes to target government agencies, think tanks, and strategic firms worldwide. The FBI warns that these Quishing attacks are highly effective, bypass traditional security measures, and can lead to credential theft, malware deployment, and persistent access. #Kimsuky #Quishing…