This week’s ThreatsDay Bulletin highlights how cyber attackers continuously adapt by modifying familiar tools and tactics, making the threat landscape more dynamic. Key incidents include a large international scam ring, emerging modular info stealers, and increased exploitation of vulnerabilities like React2Shell. #Eurojust #SantaStealer #React2Shell…
Tag: INITIAL ACCESS
Kimsuky, a North Korean threat actor, has launched a campaign distributing Android malware called DocSwap through phishing sites and QR codes, mimicking logistics services like CJ Logistics. The malware features RAT capabilities, credential theft, and can perform extensive device monitoring, underlining sophisticated social engineering tactics. #Kimsuky #DocSwap #CJLogistics #AndroidMalware #RAT…
pathfinding.cloud is an open-source knowledge base that documents over 60 AWS IAM privilege escalation paths with prerequisites, exploitation steps, remediation, and tooling coverage. It standardizes each path with unique IDs and machine-readable YAML so security teams and tool authors can identify detection gaps and contribute fixes. #pathfinding.cloud #AWS
Amazon's AWS GuardDuty team has identified a crypto-mining campaign that exploits compromised IAM credentials to target EC2 and ECS services, employing persistent methods to hinder incident response. The threat actor used a malicious Docker image and automated scripts to maximize mining operations, causing financial and resource exhaustion for AWS customers. #CryptoMining #IAMCompromise
A Chinese cyber-espionage group called Ink Dragon is transforming compromised servers into active communication nodes using sophisticated relay architecture. Their expansion into European government targets highlights the evolving threat landscape and the importance of patching vulnerabilities. #INKDRAGON #ShadowPad…
Zscaler ThreatLabz attributes a spear-phishing campaign targeting a Colombian government agency to the BlindEagle actor, which used a compromised internal email account, an SVG-smuggled fake judicial portal, nested JavaScript and PowerShell, steganography, the Caminho downloader, and DCRAT as the final RAT. The attack chain involved in-memory execution, Discord-hosted artifacts, process hollowing, and an AES-encrypted DCRAT configuration tied to a certificate-based C2 authentication. #BlindEagle #DCRAT
A recent cybersecurity incident involved hackers exploiting the critical React2Shell vulnerability (CVE-2025-55182) to gain access and deploy Weaxor ransomware rapidly. This attack highlights the urgency for system administrators to review security logs and patch vulnerabilities proactively. #React2Shell #WeaxorRansomware
Operation ForumTroll is a sophisticated phishing campaign targeting individuals in Russia, utilizing zero-day Chrome vulnerabilities to deliver backdoors and spyware. The campaign features personalized emails and uses strategically aged domains to avoid detection, with ongoing threats observed since 2022. #OperationForumTroll #LeetAgent #Dante #Tuoni…
The transportation industry is increasingly experiencing cyber-enabled cargo theft, which often leads to physical theft of goods. Attackers leverage hacking, social engineering, AI, and stolen data to divert shipments, with a growing emphasis on cyber tactics in criminal operations. #NMFTA #CyberEnabledTheft…
A Russia-linked hacker group has been exploiting vulnerabilities in edge devices of critical infrastructure sectors since 2021, focusing on credential harvesting and lateral movement. The campaign is linked to Russia's GRU and aims mainly at energy, telecommunications, and cloud organizations in North America, Europe, and the Middle East. #Sandworm #GRU…
Jewelbug, also known as Ink Dragon, is a highly sophisticated threat group targeting government entities across Europe, Asia, and Africa since March 2023. They utilize advanced malware tools like FINALDRAFT and ShadowPad to conduct stealthy intrusions, lateral movements, and data exfiltration, forming a resilient, multi-layered infrastructure. #Jewelbug #InkDragon #FINALDRAFT #ShadowPad #CobaltStrike…
Check Point Research attributes a sustained espionage campaign to the Chinese-aligned cluster Ink Dragon that exploits ASP.NET ViewState deserialization and ToolShell SharePoint vulnerabilities to gain initial access and then deploys ShadowPad IIS listener modules and FinalDraft implants to build a distributed relay and cloud-backed C2 fabric. The operator harvests credentials (LSASS dumps, IIS worker accounts), uses RDP/SMB lateral movement, DLL sideloading, debugger-based loaders, scheduled tasks/services for persistence, and turns victims into active C2 relay nodes. #InkDragon #ShadowPad
This article analyzes RansomHouse, a RaaS operation run by the group tracked as Jolly Scorpius, detailing its attack chain, tooling (MrAgent and Mario), and the scope of its operations. It highlights an upgrade in Mario’s encryption from a single-pass linear method to a two-stage, chunked process using primary and secondary keys…
Episode 4 of the Charming Kitten / APT35 leak shows Iranian cyber operations run like a bureaucratic procurement system, with spreadsheets linking domain registrations, VPS rentals, ProtonMail identities, and Cryptomus payments that tie requests, invoices, and live infrastructure together. The same administrative apparatus mapped in the ledgers also supported Moses Staff's leak-and-defacement campaigns: domains such as moses-staff.io, linked ProtonMail addresses, IP allocations, and bitcoin wallets were documented, exposing operational hygiene failures and reusable supply-chain patterns. #APT35 #MosesStaff
A recent report highlights a strategic shift in Russian state-sponsored cyber operations from exploiting software vulnerabilities to targeting misconfigured network edge devices. This tactic allows persistent access to critical infrastructure sectors such as energy and telecommunications. #Sandworm #GRU…