Cyber threats are escalating rapidly, with attacks per organization increasing by 47% in early 2025. Effective leadership must integrate cybersecurity into core business strategies to build resilience and respond swiftly to incidents. #CybercrimeAsAService #AIThreats…
Tag: INITIAL ACCESS
Cyble Research and Intelligence Labs (CRIL) uncovered RelayNFC, an Android malware campaign in Brazil that uses phishing sites to install a React Native app which relays NFC APDU commands in real time over WebSockets to attacker-controlled servers to complete contactless payments. The malware uses Hermes bytecode to hinder static analysis and includes a variant experimenting with Host Card Emulation (HCE); VirusTotal detections are currently zero. #RelayNFC #Hermes
Arctic Wolf Labs uncovered a sophisticated cyber campaign where threat actors collaborated, blending cybercrime with espionage to target a U.S. engineering firm. The campaign involved deploying RomCom payloads via SocGholish, highlighting a dangerous evolution in offensive cyber operations. #SocGholish #RomCom…
Acronis TRU researchers uncovered a novel “JackFix” ClickFix campaign that hijacks the browser to display a convincing full‑screen fake Windows Update prompting victims to run malicious commands. The multistage attack (mshta → PowerShell downloader → final payloads) uses heavy obfuscation, UAC bombardment and a “spray and pray” downloader that executes up to eight payloads including Rhadamanthys and Vidar 2.0, and is detected and blocked by Acronis XDR at the PowerShell stage. #ClickFix #Rhadamanthys
Berserk Bear is an FSB-linked espionage group active since at least 2010 that conducts long-running, stealthy intrusions against critical infrastructure, especially energy, telecom, aviation, and state/local networks. Their campaigns reuse legitimate admin tools, trojanize vendor software, and exploit router vulnerabilities (notably CVE-2018-0171) while deploying implants such as Havex to maintain persistent access. #BerserkBear #Havex
A new cyber campaign, dubbed JackFix, uses fake Windows updates and adult websites to trick users into executing malicious commands. The attack employs obfuscated scripts, PowerShell payloads, and steganography to deploy various malware, risking data theft and system compromise. #ClickFix #JackFix #PowerShellPayload…
A newly exploited security flaw in Microsoft Windows Server Update Services (WSUS) has been used by threat actors to deploy ShadowPad malware, a sophisticated backdoor associated with Chinese hacking groups. The vulnerability CVE-2025-59287 enables remote code execution, allowing attackers to gain system privileges and establish persistent access. #CVE2025-59287 #ShadowPad #WSUS #ChineseEspionage…
Google Threat Intelligence Group (GTIG) details a three-year espionage campaign by PRC‑nexus actor APT24 that deploys a highly obfuscated first‑stage downloader called BADAUDIO to establish persistent access via strategic web compromises, supply‑chain abuse of a Taiwanese digital marketing firm, and targeted phishing. The report analyzes BADAUDIO’s control‑flow flattening, DLL sideloading, AES‑encrypted payload delivery (including Cobalt Strike Beacon instances), advanced browser fingerprinting for tailored targeting, and shares IOCs and YARA rules to aid detection and mitigation. #APT24 #BADAUDIO
Morphisec discovered a sustained campaign that weaponizes Blender .blend files hosted on 3D asset sites to run embedded Python scripts which chain into PowerShell stages and download StealC V2 components. The operation uses decoy documents, Pyramid C2 with ChaCha20-encrypted payloads, and persistence via hidden LNK files, linking the campaign to previously observed Russian-speaking activity. #StealC #Blender
This article details how Huntress analysts investigated a Qilin ransomware incident using limited post-attack data sources, emphasizing the importance of correlating multiple clues to understand the attack. It highlights the challenges of delayed agent deployment and the value of cross-referencing logs, threat intelligence, and endpoint artifacts. #QilinRansomware #HuntressLabs
The leaked October 2025 APT35 corpus documents a quota-driven, bureaucratic IRGC cyber-intelligence apparatus that weaponized Exchange (ProxyShell, Autodiscover, EWS) and Ivanti vulnerabilities, ran HERV-style phishing seeded from harvested Global Address Lists, and maintained persistent mailbox monitoring backed by centralized KPI reporting and on-premises operator attendance logs. #APT35 #ProxyShell
Cybercriminals are exploiting browser notifications as a new phishing vector using the Matrix Push C2 platform to deliver malicious links and commands. This browser-native, fileless approach allows cross-platform, stealthy attacks that bypass traditional security controls. #MatrixPushC2 #Velociraptor #Phishing…
Huntress observed threat actors exploit a recently patched WSUS RCE vulnerability (CVE-2025-59287) to gain initial access and then install Velociraptor to establish command-and-control on the endpoint. The actors retrieved a malicious MSI from s3.wasabisys[.]com and configured Velociraptor to communicate with update[.]githubtestbak[.]workers[.]dev. #CVE-2025-59287 #Velociraptor
Tycoon 2FA is a rapidly evolving Phishing-as-a-Service platform that leverages real-time Adversary-in-the-Middle techniques to capture credentials and session tokens and to bypass many legacy MFA methods via high-fidelity phishing pages for Microsoft 365, Gmail, and Outlook. CYFIRMA observed rapid infrastructure expansion, extensive domain rotation, advanced obfuscation (Base64, AES/RC4, dynamic JS), and Telegram-based distribution, making it widely accessible to varied threat actors. #Tycoon2FA #ifelse.rlcozx.es
A China-linked threat actor known as APT24 has been using sophisticated malware called BADAUDIO to maintain persistent access to compromised networks through a campaign spanning nearly three years. The campaign includes supply chain attacks, web compromises, and spear-phishing, primarily targeting organizations in Taiwan and Southeast Asia. #APT24 #BADAUDIO…