Seqrite Labs uncovered a Russian-language phishing campaign that uses ZIP->ISO->EXE staged attachments and an ISO-mounted executable to deliver the Phantom stealer, targeting finance and accounting roles. The campaign harvests browser credentials, crypto wallets, Discord tokens, clipboard data, keylogs and exfiltrates data via Telegram, Discord webhooks and FTP. #PhantomStealer #TorFX
Tag: INITIAL ACCESS
Zscaler ThreatLabz identified BlackForce, a commercially marketed phishing kit first seen in August 2025 that steals credentials and performs Man‑in‑the‑Browser attacks to capture one‑time tokens and bypass MFA. The kit employs evasion techniques (user‑agent/ISP blocklists, mobile‑only filtering, and obfuscated client code in later versions), persistent sessionStorage state, and a dual C2/Telegram exfiltration architecture while impersonating brands like Netflix and Disney. #BlackForce #Telegram
Attackers poisoned search results to surface malicious ChatGPT and Grok conversations that instruct macOS users to copy-paste a Terminal one-liner which downloads and deploys an AMOS stealer. The campaign abuses platform and format trust to harvest credentials, escalate to root, persist via a LaunchDaemon, and exfiltrate wallet, browser, and keychain data. #AMOS #macOS
Notepad++ version 8.8.9 was updated to fix a security vulnerability involving hijacked update processes and malicious executables. Threat actors targeted the update mechanism, potentially leading to remote access breaches, especially in East Asian organizations. #NotepadPlusPlus #WinGUpSecurity #EastAsiaThreats
CYFIRMA uncovered a WhatsApp-distributed fraud campaign using a malicious “RTO Challan / e-Challan” Android app that employs a two-stage dropper, heavy obfuscation, and a custom VPN to persistently control devices and exfiltrate data. The malware harvests Aadhaar/PAN, SMS/OTP, telephony and banking credentials via a fake payment interface and communicates with obfuscated C2 domains to enable real-time financial fraud and identity theft. #RTOChallan #jsonserv_xyz
Cybersecurity researchers have identified NANOREMOTE, a new Windows backdoor that uses the Google Drive API for covert command-and-control activities. It shares code similarities with the FINALDRAFT malware, attributed to the REF7707 Chinese threat cluster targeting sectors across Southeast Asia and South America. #NANOREMOTE #FINALDRAFT #REF7707…
GOLD SALEM used SharePoint exploits (including the ToolShell zero-day chain) and attacker-hosted Cloudflare Workers subdomains to stage tools and gain access to networks, later deploying Velociraptor as a precursor to ransomware activity. These intrusions led to Warlock, LockBit, and Babuk encryptions, with tool-staging domains such as files[.]qaubctgg[.]workers[.]dev and C2 infrastructure like velo[.]qaubctgg[.]workers[.]dev observed in the activity. #Warlock #GOLDSALEM
Daily Recap: Microsoft released its December security updates addressing 56–57 flaws, including 3 zero-days and active exploits, while Adobe patched nearly 140 vulnerabilities and SAP and other vendors issued urgent fixes. Threat actors and incidents highlighted include North Korea-linked operators exploiting React2Shell to deploy new EtherRAT variants, CastleLoader/CastleRAT under GrayBravo expanding its infrastructure targeting logistics and transport, Storm-0249’s stealthy ransomware tactics, and high-profile breaches and investigations involving Coupang, HSE, and the Khashoggi spyware allegations. #EtherRAT #CastleLoader
A highly sophisticated cyber-espionage campaign, WARP PANDA, has infiltrated major U.S. organizations using advanced techniques targeting virtualization infrastructure. The group demonstrates stealth, long-term persistence, and a focus on intelligence gathering aligned with Chinese strategic interests. #WARP_PANDA #BRICKSTORM…
zLabs researchers identified a new Android ransomware campaign, DroidLock, that spreads via phishing sites and uses a dropper to install a secondary payload which abuses Accessibility and Device Admin permissions to fully take over devices. The malware supports overlays to steal credentials and lock patterns, screen recording, VNC remote control, and communicates with C2 servers over HTTP and WebSockets. #DroidLock #Zimperium
Researchers identified a new Rust-based ransomware family named 01flip that targets Windows and Linux systems in the Asia-Pacific region and is tracked as part of cluster CL-CRI-1036. The campaign involved manual activity, use of Sliver implants, exploitation attempts against CVE-2019-11580, and an alleged data leak posted to a dark web forum….
Group123 is a North Korean state-sponsored APT active since at least 2012 that conducts espionage across East and Southeast Asia, the Middle East, and beyond using spear‑phishing, malicious documents (including HWP), drive‑by exploits, and a large toolkit of loaders and implants to gain persistent access. Recent campaigns show intensified Windows-focused intrusions, advanced defense-evasion (DLL sideloading, hollowing, sandbox checks), cloud‑based C2, and a partial shift toward revenue generation including use of Maui ransomware. #Group123 #ROKRAT
In late November 2025 a malicious Visual Studio Code extension named “prettier-vscode-plus” was published to the official Marketplace and used as a supply-chain entry point to deliver a multi-stage attack targeting developers. The chain deployed an Anivia loader (AES-encrypted in-memory decryption and process hollowing into vbc.exe) which dropped the OctoRAT remote access toolkit with extensive data-theft, persistence, privilege‑escalation and C2 capabilities. #Anivia #OctoRAT
CVE-2025-55182 (React2Shell) is a critical (CVSS 10.0) pre-authentication remote code execution in React Server Components that allows attackers to craft Flight payload chunks to reach the Function constructor and execute arbitrary Node.js commands. Trend observed widespread in-the-wild exploitation and multiple campaigns (e.g., emerald, nuts) delivering Cobalt Strike, Mirai variants, Nezha, Sliver,…
Cloud security threats are evolving with attackers exploiting misconfigurations, AI masking, and overprivileged permissions. The upcoming Palo Alto Networks webinar will provide in-depth technical insights and practical strategies to identify and mitigate these sophisticated risks. #AWSIdentityMisconfigurations #AIModels #KubernetesPermissions…