In late October 2025, CIS CTI observed increased detections of a fake PDF converter called Crystal PDF on U.S. SLTT endpoints; analysis shows it is a managed .NET (F#) staged loader that performs in-memory execution, process injection, sandbox/VM checks, and contacts likely C2 domains. CIS links its spread to malvertising and…
MuddyWater, an Iranian threat actor, has launched a spear-phishing campaign using Rust-based implants called RustyWater to target Middle Eastern entities. This evolution in their tactics enhances their malware capabilities with modular, resilient features. #MuddyWater #RustyWater #IranianThreatActor…
CrazyHunter is a Go-based ransomware forked from the Prince builder that targets Windows environments—primarily healthcare organizations in Taiwan—using GPO abuse, BYOVD with a vulnerable Zemana driver, memory loaders, and multiple AV-killing components to rapidly propagate and evade defenses. The Trellix analysis details the full attack lifecycle, technical artifacts (including go.exe/go2.exe/go3.exe, bb.exe, crazyhunter.sys), mitigation recommendations, and IOCs for detection and response. #CrazyHunter #SharpGPOAbuse
Leaked internal Knownsec documents show the company functions as a state-aligned cyber contractor providing an integrated espionage stack—ZoomEye, TargetDB, GhostX, Un-Mail, and Passive Radar—supporting PLA/MPS/public-security and critical-infrastructure targeting worldwide. The corpus includes massive breach datasets (o_data_*), detailed TargetDB asset mappings (notably Taiwan telecom/finance/energy), and tooling for browser exploitation, mailbox takeover, PCAP-driven network reconstruction, persistence, and OPSEC/anti-forensics. #Knownsec #GhostX
Chinese-speaking threat groups exploited a compromised SonicWall VPN to deploy a VMware ESXi zero-day exploit, potentially leading to a hypervisor compromise and a ransomware attack. The sophisticated multi-stage attack used multiple vulnerabilities and advanced evasion techniques, highlighting the importance of securing VPNs and hypervisors. #SonicWallVPN #VMwareESXi #ZeroDayExploit…
Chinese-speaking threat actors exploited a SonicWall VPN to deliver a VMware ESXi exploit toolkit developed over a year before vulnerabilities became public. The attack involved sophisticated VM escape techniques using multiple zero-day vulnerabilities, potentially allowing attackers to compromise hypervisors and extract data. #SonicWallVPN #VMwareZeroDays
A sophisticated China-linked threat actor, UAT-7290, is expanding its cyber-espionage operations into Southeastern Europe, targeting telecommunications organizations. The group utilizes Linux-based malware, initial access techniques, and operational relay infrastructure to compromise edge network devices. #UAT7290 #CyberEspionage #LinuxMalware #ChinaThreatActors #SoutheasternEurope
A China-nexus threat actor dubbed UAT-7290 has been active since 2022, primarily targeting telecommunications in South Asia and Southeastern Europe with a focus on espionage and network reconnaissance. Their operations involve deploying sophisticated malware like RushDrop, DriveSwitch, and SilentRaid, and establishing infrastructure for ongoing malicious activities. #UAT-7290 #StonePanda #RedFoxtrot #SilentRaid…
CloudSEK TRIAD uncovered a MuddyWater spearphishing campaign that used icon-spoofed Word documents to deploy a Rust-based implant (referred to as RustyWater) against diplomatic, maritime, financial, and telecom targets in the Middle East. The implant is delivered via VBA macros that drop a hex-encoded PE (reddit.exe / CertificationKit.ini) and provides asynchronous HTTP C2, registry persistence, anti-analysis, process injection, and modular post-compromise capability. #MuddyWater #RustyWater
This week’s cybersecurity news highlights active threat actors using honeypots and exploiting known vulnerabilities to distribute malware. Key developments include a fake hack trap by Resecurity, cryptocurrency miners exploiting GeoServer flaws, and a surge in Chinese-backed attacks on Taiwan’s infrastructure. #LAPSUS$ Hunters #GeoServer #MuddyWater…
GoBruteforcer is a modular Go-based botnet that brute-forces FTP, MySQL, PostgreSQL and phpMyAdmin credentials to compromise Linux servers and recruit them as scanning and brute-force nodes. The 2025 variant adds an obfuscated Go IRC bot, downloader modules, process-masking and cron persistence, and has been observed targeting crypto project databases and legacy stacks like XAMPP that expose weak defaults. #GoBruteforcer #XAMPP
A cybersecurity firm revealed a data breach involving Iberia, where threat actor Zestix stole sensitive aviation and customer data using infostealer malware. The incident highlights ongoing risks from organized cybercriminal groups operating within Russian-language forums. #Zestix #Funksec #Iberia #InfostealerMalware…
SafePay emerged in late 2024 as a centralized, closed ransomware group that escalated rapidly into a global threat, using double-extortion by stealing financial and intellectual property data and pressuring victims via a Tor data leak site. Its modular Windows PE32 DLL employs compromised credentials, backdoors (e.g., QDoor), PowerShell discovery scripts, LOLBins (PsExec, regsvr32/rundll32), archiving and exfiltration tools (WinRAR, FileZilla, Rclone), defense evasion (killing AV/backup services, deleting Volume Shadow Copies, modifying boot settings), and a Cyrillic-language kill switch. #SafePay #QDoor
December 2025 closed with multiple high-impact disclosures and incidents, including the unauthenticated React2Shell RCE (CVE-2025-55182), the resurfacing of the BRICKSTORM backdoor, widespread MongoBleed data exposure (CVE-2025-14847), and a novel EtherRAT campaign using Ethereum smart contracts for C2. Organizations were urged to patch vulnerable software, audit and segment MongoDB deployments, apply published IOCs and detections from NSA/CISA and Sysdig, and strengthen visibility and resilience heading into 2026. #React2Shell #BRICKSTORM
Zscaler ThreatLabz discovered three malicious npm packages—bitcoin-main-lib, bitcoin-lib-js, and bip40—that deploy a Node.js remote access trojan named NodeCordRAT, which uses Discord for command-and-control. The malware exfiltrates Chrome credentials, .env files, and MetaMask data (including LevelDB .ldb files and seed phrases) and was distributed via postinstall scripts and PM2. #NodeCordRAT #bip40