UDPGangster is a UDP-based backdoor attributed to the MuddyWater group that is distributed via macro-enabled Microsoft Word documents to gain initial access and establish C2 over UDP. The malware uses extensive anti-analysis checks, persistence via registry startup, and capabilities for remote command execution and file exfiltration to target users in Turkey, Israel, and Azerbaijan. #UDPGangster #MuddyWater
Tag: INITIAL ACCESS
A critical unauthenticated deserialization vulnerability in React Server Components (CVE-2025-55182, “React2Shell”) has been exploited in the wild to deliver cryptominers, a BitTorrent-DHT‑backed Linux backdoor (PeerBlight), a reverse-proxy tunnel (CowTunnel), a Go post-exploitation implant (ZinFoq), and a Kaiji botnet variant across multiple organizations. Immediate patching of affected react-server-dom packages and Next.js mitigations are recommended to prevent these automated exploitation campaigns. #React2Shell #PeerBlight #CowTunnel #ZinFoq
U.S. and international agencies assess that pro‑Russia hacktivist groups—including Cyber Army of Russia Reborn (CARR), NoName057(16), Z‑Pentest, and Sector16—are conducting opportunistic intrusions against critical infrastructure by scanning for internet‑facing VNC services and exploiting default or weak credentials to access HMI/OT devices. These unsophisticated but impactful operations involve VPS‑based brute‑force attacks, GUI…
The rise of initial access brokers has significantly expanded the cyberattack ecosystem, enabling both state-backed and criminal groups to conduct large-scale intrusion campaigns with greater ease and sophistication. This trend emphasizes the increasing importance of prioritizing identity security, supply chain protection, and operational technology hardening for national security and organizational resilience….
Storm-0249 is shifting from initial access provisioning to more sophisticated tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks. These methods enable stealthy infiltration, persistence, and exploitation of trust in signed processes, potentially aiding ransomware groups such as LockBit and ALPHV. #Storm0249 #SentinelOne #LockBit #ALPHV #C2…
Makop ransomware continues to exploit exposed RDP services and weak credentials, then stages network scanners, LPE exploits, AV killers and credential dumpers before deploying its encryptor. Recent activity shows the operators have added loader-based delivery (GuLoader) and tailored AV uninstallers to evade defenses and increase success rates. #Makop #GuLoader
Storm-0249 has evolved from mass phishing to targeted post-exploitation operations that weaponize trusted EDR processes—notably abusing SentinelOne’s SentinelAgentWorker.exe via DLL sideloading, fileless PowerShell execution, and Microsoft domain spoofing to hide C2 and reconnaissance. Organizations need behavior-based detection, DNS monitoring for newly registered domains, and automated response playbooks to detect and isolate anomalies like DLL sideloading and curl-to-PowerShell piping before ransomware affiliates exploit pre-staged access. #Storm-0249 #SentinelOne
React2Shell (CVE-2025-55182) is a critical RCE in React Server Components that enables arbitrary code execution via improperly deserialized RSC payloads and has been widely exploited against internet-facing Next.js and other RSC-enabled platforms. In-the-wild activity includes opportunistic cryptomining, large-scale credential harvesting (including cloud metadata access), and operator-driven backdoors using Sliver implants. #React2Shell #Nextjs
Sysdig TRT discovered EtherRAT, a sophisticated persistent implant deployed via the React2Shell vulnerability CVE-2025-55182 that uses Ethereum smart contracts for C2 resolution, downloads a legitimate Node.js runtime from nodejs.org, and installs five independent Linux persistence mechanisms. The sample shows overlap with DPRK-linked Contagious Interview tooling while introducing novel techniques like RPC-endpoint consensus for blockchain C2 and a self-rewriting update mechanism. #EtherRAT #CVE-2025-55182
GrayBravo (formerly TAG-150) operates a malware-as-a-service ecosystem centered on CastleLoader and CastleRAT, supporting multiple customer clusters that employ targeted ClickFix phishing, malvertising, fake updates, and platform impersonation (notably logistics and Booking.com themes). Defensive recommendations include blocking identified IPs/domains, monitoring unusual legitimate internet services (LISs) like Pastebin/Steam, and deploying YARA, Snort, and Sigma detection rules to detect current and historical infections. #GrayBravo #CastleLoader
React2Shell (CVE-2025-55182) is a critical unauthenticated RCE in React Server Components and Next.js App Router that was weaponized within hours of disclosure, prompting urgent mitigations and inclusion in CISA’s Known Exploited Vulnerabilities catalog. China-nexus groups including Earth Lamia and Jackpot Panda rapidly scanned and exploited vulnerable deployments, forcing providers like Cloudflare to apply emergency defenses. #React2Shell #CVE-2025-55182
Companies paid over $2.1 billion to ransomware gangs between 2022 and 2024, with 2023 experiencing a peak payout of $1.1 billion. The report highlights the prominence of gangs like ALPHV/BlackCat and LockBit, and details targeted sectors such as finance, manufacturing, and healthcare. #ALPHV #LockBit #BlackBasta #RansomwarePayments #CyberThreats…
U.S. companies paid over $2 billion in ransomware demands between 2022 and 2024, with a significant increase in incidents in 2023. Law enforcement actions against groups like ALPHV/BlackCat and LockBit have temporarily reduced total ransomware payments. #BlackCat #LockBit…
Seqrite Labs identified Operation FrostBeacon, a multi-cluster campaign delivering Cobalt Strike beacons to Russian B2B organizations via malicious archives and weaponized Word documents. The attackers use LNK/HTA and CVE-2017-0199/CVE-2017-11882 chains with multi-layered obfuscated PowerShell loaders and Russian-controlled C2 infrastructure to execute in-memory shellcode. #OperationFrostBeacon #CobaltStrike
This article discusses the discovery of critical vulnerabilities in Microsoft’s SharePoint software exploited by multiple Chinese hacking groups, leading to widespread cyberattacks. It highlights the importance of patching and the suspicious cooperation between state-linked groups and cybercriminals, raising concerns about escalation and motives behind these operations. #ToolShell #SharePointVulnerabilities…