The U.S. CISA has added CVE-2021-26829, a cross-site scripting vulnerability in OpenPLC ScadaBR, to its KEV catalog due to active exploitation. The threat actor TwoNet exploited this flaw to deface a honeypot and gain initial access, highlighting ongoing industrial system targeting. #CISA #OpenPLC #TwoNet #CVE202126829 #Honeypot…
Tag: INITIAL ACCESS
CYFIRMA uncovered an APT36 campaign delivering a Python-based RAT to BOSS Linux systems via weaponized .desktop shortcut files inside a malicious archive that staged downloads from lionsdenim[.]xyz and 185[.]235[.]137[.]90. The campaign establishes persistence (systemd user services), supports remote command execution, file exfiltration, screenshots, and cross-platform control for sustained espionage. #APT36 #BOSS
ByteToBreach is a financially motivated data‑leak trader and access broker active since mid‑2025 who sells corporate datasets and access from banks, telecoms, IT providers, and other large enterprises across multiple countries. On November 14, 2025 the actor claimed a breach of Eurofiber’s GLPI service‑management platform, exfiltrating roughly 10,000 password hashes and configuration/ticket data using rented VPS infrastructure to run time‑based SQL extraction. #ByteToBreach #Eurofiber
SEQRITE APT-Team identified “Operation Hanoi Thief,” a spear‑phishing campaign using fake resumes and a pseudo‑polyglot document to deliver a multi‑stage infection chain targeting Vietnamese IT and recruitment professionals. The campaign abuses trusted Windows binaries (ftp.exe, DeviceCredentialDeployment.exe, ctfmon.exe) to decode and sideload a DLL implant named LOTUSHARVEST that steals browser credentials and exfiltrates them to attacker-controlled endpoints. #LOTUSHARVEST #OperationHanoiThief
Tomiris carried out targeted phishing campaigns in early 2025 against foreign ministries, intergovernmental organizations, and government entities, deploying multi-language reverse shells and dropper implants to deliver post-exploitation frameworks such as AdaptixC2 and Havoc. The actors increasingly used public services (Discord, Telegram) as C2 channels and employed registry persistence, script-based downloaders, and reverse SOCKS proxies to maintain stealth and lateral movement. #Tomiris #AdaptixC2 #Havoc #JLORAT #Discord #Telegram
Arctic Wolf Labs identified RomCom threat actors delivering Mythic Agent via SocGholish to a U.S. company, highlighting sophisticated nation-state targeting linked to Russia’s GRU. This marks the first known instance of RomCom using SocGholish for their operations, emphasizing evolving malware delivery tactics. #RomCom #MythicAgent #SocGholish #GRUUnit29155…
Bloody Wolf is a cyber threat group targeting Central Asian countries like Kyrgyzstan and Uzbekistan using sophisticated social engineering techniques and malware. Their campaigns primarily focus on impersonating government agencies to deploy NetSupport RAT and establish persistence on infected systems. #BloodyWolf #NetSupportRAT…
North Korean state-sponsored operators running the Contagious Interview campaign have injected at least 197 malicious npm packages that act as loaders to fetch OtterCookie payloads from a Vercel staging endpoint and a threat actor-controlled GitHub account. The campaign uses typosquatted utilities and polished crypto lures to deliver a multi-platform infostealer/RAT that targets developer systems and crypto wallets. #OtterCookie #ContagiousInterview
Zscaler reconstructed a multi-stage intrusion attributed to the Water Gamayun APT that used a compromised BELAY Solutions site and a lookalike domain to deliver a double-extension RAR disguised as a PDF, exploit MSC EvilTwin (CVE-2025-26633) via mmc.exe, and chain hidden PowerShell stages to deploy a final ItunesC loader. Zscaler attributed the campaign to Water Gamayun based on unique TTPs including MSC EvilTwin exploitation, nested Base64/UTF-16LE PowerShell obfuscation, trusted-binary proxy execution via mmc.exe, window-hiding tradecraft, and dual-path infrastructure patterns. #WaterGamayun #CVE-2025-26633
Kimsuky and Lazarus operate as a coordinated pair — Kimsuky conducts precise espionage via academic-themed spearphishing to collect network maps and credentials, while Lazarus exploits zero-day vulnerabilities to escalate privileges and steal cryptocurrency. The collaboration uses shared C2 infrastructure, bespoke backdoors (e.g., FPSpy, InvisibleFerret) and evasive techniques to exfiltrate intelligence and millions in crypto with minimal detection. #Kimsuky #Lazarus
A new Mirai-based botnet named ShadowV2 targets vulnerable IoT devices from D-Link, TP-Link, and other vendors, exploiting known security flaws. Its global activity during a major AWS outage suggests it might have been a test, with potential for launching large-scale DDoS attacks. #ShadowV2 #MiraiVariant
NTLM remains widely present in modern Windows environments and continues to be exploited through both long-standing and newly disclosed vulnerabilities that leak authentication hashes and enable relay/reflection attacks. Notable 2024–2025 flaws (CVE-2024-43451, CVE-2025-24054/24071, CVE-2025-33073) have been weaponized by groups such as BlindEagle and Head Mare to deliver Remcos, PhantomCore, and AveMaria, prompting recommendations to disable/limit NTLM, enable signing and EPA, and monitor NTLM traffic. #Remcos #BlindEagle
South Korea’s financial sector was targeted in a sophisticated supply chain attack involving Qilin ransomware, linked to North Korean threat actors. The campaign, called “Korean Leaks,” involved data leaks, propaganda, and financial extortion, highlighting vulnerabilities in MSP security. #Qilin #MoonstoneSleet…
The OnSolve CodeRED emergency alert system was targeted in a cyberattack by the INC Ransom group, exposing personal data of users. U.S. local governments are transitioning to new systems and implementing contingency plans to maintain alert capabilities. #INCRansom #CodeRED #cyberattack #emergencyalert #USgovernments…
Automated Security Validation (ASV) continuously simulates real-world attacker tactics to validate whether flagged vulnerabilities are actually exploitable in an organization’s specific environment and to measure control effectiveness in real time. Adversarial Exposure Validation technologies—Breach and Attack Simulation (BAS) and Automated Penetration Testing (APT)—help reduce remediation backlogs, speed up MTTR, and provide continuous compliance and remediation validation with platforms such as Picus Security. #Log4j #PicusSecurity