Cephalus ransomware surfaced in mid-August 2025, targets Windows endpoints via exposed RDP accounts lacking MFA, and performs stealthy local encryption, data exfiltration, and Volume Shadow Copy deletion to hinder recovery. The article demonstrates detection and automated response using Wazuh (Sysmon integration, custom detection rules, File Integrity Monitoring, YARA rules, and Active…
Tag: INITIAL ACCESS
ownCloud urges users to enable multi-factor authentication following reports of credential theft attacks on its platform. The attacks involved infostealer malware like RedLine, Lumma, and Vidar, which compromised user credentials. #ownCloud #HudsonRock #RedLine #CredentialTheft
Howler Cell identified a multi-stage campaign distributing a new CountLoader v3.2 variant via cracked software sites that ultimately delivers an in-memory ACR Stealer payload. The loader expands capabilities (nine task types), employs MSHTA/PowerShell fileless execution, removable-media propagation, custom XOR+Base64 C2 encoding, and persistence via scheduled tasks. #CountLoader #ACRStealer
Phishing actors exploit complex mail routing and misconfigured spoof protections to send emails that appear to originate from an organization's own domain, increasing the success rate of credential phishing and invoice/financial scams. Microsoft observed widespread use of PhaaS platforms like Tycoon2FA in these opportunistic campaigns and recommends enforcing strict SPF/DMARC, properly configuring third-party connectors, and deploying phishing-resistant MFA to mitigate risk. #Tycoon2FA #Office365
Researchers discovered exposed Sliver C2 databases and logs in open directories, linking a threat actor that exploited multiple FortiWeb appliances and used React2Shell (CVE-2025-55182) to deploy Sliver and FRP to expose local services. Analysis shows Sliver implants, C2 domains, FRP and a renamed microsocks proxy (cups-lpd) persisted via systemd/supervisord on outdated FortiWeb devices, highlighting a major visibility blindspot. #Sliver #FortiWeb
Organizations are increasingly interviewing and hiring people who don’t exist, enabling synthetic identities to gain legitimate credentials and access. The article outlines why traditional defenses fail and proposes five practical mitigations to harden interviews, verify identity earlier, treat resumes as claims, integrate security into recruiting, and continuously monitor new hires. #Deepfake #NorthKorean
Cybersecurity researchers have uncovered the PHALT#BLYX campaign targeting European hospitality organizations using fake BSoD errors and phishing lures to deploy DCRat. The attackers employ sophisticated techniques, including living-off-the-land tactics, to evade detection and establish persistent access. #DCRat #PhishingLures…
The ransomware ecosystem in 2025 fragmented rather than collapsed: affiliates became more independent, groups blurred their boundaries, and operators shifted toward identity abuse, supply-chain compromise, and data-first extortion. Long dwell times, widespread exploitation of enterprise software, and high victim impact (with Fortinet reporting 73% of organizations hit and low full-recovery rates) show the threat evolved into quieter, more targeted campaigns. #ScatteredLapsusHunters #OracleEBS
The Sophos Annual Threat Report 2025 reveals ransomware remains the top threat to small and midsized businesses, with compromised network edge devices and evolving social engineering tactics posing significant risks. Key findings include rising costs of attacks, increased business email compromise, and the exploitation of unpatched vulnerabilities like CVE-2024-40711. #SophosAnnualThreatReport #CVE202440711
Threat actor Zestix is selling stolen corporate data from dozens of companies, likely after breaching cloud platforms like ShareFile, Nextcloud, and ownCloud. The breaches often involve credentials obtained through infostealers such as RedLine, Lumma, and Vidar, highlighting significant security gaps. #Zestix #Infostealers
A threat actor named Zestix, also known as Sentap, exploits infected employee devices and weak security practices to access and sell corporate cloud credentials. This campaign highlights the importance of enforcing Multi-Factor Authentication and monitoring for compromised credentials in preventing data breaches. #Zestix #Sentap #Infostealer #ShareFile #Nextcloud
Recent attacks exploit the React2Shell vulnerability (CVE-2025-55182) affecting Next.js servers, enabling remote code execution and botnet infections. The RondoDox botnet has actively targeted these vulnerable systems, deploying malicious payloads and establishing persistence across various architectures. #React2Shell #RondoDox…
A threat actor is exploiting multiple vulnerabilities in Adobe ColdFusion through a coordinated campaign, primarily during Christmas 2025. The activity involves sophisticated attack techniques and originates mainly from Japanese infrastructure, affecting systems nationwide. #ColdFusion #JNDIInjection…
Cybersecurity experts have revealed a nine-month-long campaign targeting IoT devices and web apps, involving the exploitation of React2Shell vulnerability to build the RondoDox botnet. The campaign progressed through advanced phases, including malware deployment and infection persistence tactics, emphasizing the importance of timely updates and network segmentation. #React2Shell #RondoDox #IoTThreats #NextjsVulnerability…
A threat actor named Solonik offered access to an employee email account from Vietnam’s General Department of Taxation on BreachForums. The listing included credentials for an active inbox with sensitive government and tax data, highlighting a significant security breach. #Solonik #VietnamTaxDepartment…