Google Threat Intelligence Group (GTIG) reports that PRC-nexus threat actor APT24 has run a three-year espionage campaign delivering a heavily obfuscated first-stage downloader named BADAUDIO, often using strategic web compromises, supply-chain compromise of a Taiwanese marketing firm, and targeted phishing to deploy AES-encrypted payloads such as Cobalt Strike Beacon. The report details BADAUDIO's control-flow flattening, DLL sideloading execution chain, fingerprinting-based targeting, extensive infrastructure churn, and provides IOCs and YARA rules for detection. #BADAUDIO #APT24 #CobaltStrikeBeacon #twisinbeth.com
Tag: INITIAL ACCESS
CVE-2024-1086 is a decade-old use-after-free vulnerability in the Linux kernel’s netfilter (nftables) component that allows attackers to gain root privileges and is being actively exploited in ransomware campaigns. Public PoC availability and default-enabled features like unprivileged user namespaces have expanded the attack surface, putting legacy and cloud Linux systems at high risk. #CVE-2024-1086 #nftables
Security researchers identified Android.Backdoor.Baohuo.1.origin embedded in tainted Telegram X builds, capable of stealing logins, passwords, and chat histories. The backdoor conceals connections from third-party devices in Telegram sessions, hijacks channels…
Group-IB Threat Intelligence details a MuddyWater espionage campaign targeting international organizations worldwide, using compromised mailboxes accessed via NordVPN to dispatch phishing emails that deliver malicious Word documents. The operation deploys Phoe…
An exploitation campaign has emerged, targeting a recent RCE vulnerability in Microsoft Windows Server Update Services (WSUS) to distribute the ShadowPad backdoor used by Chinese state-aligned APT groups. Immediate patching and security measures are crucial to prevent further breaches. #CVE202559287 #ShadowPad…
Compromised VPN credentials are the leading initial access point for ransomware attacks, with nearly half of incidents involving VPN abuse. The report highlights the importance of multi-factor authentication (MFA) and dark web monitoring to prevent credential leaks and cyberattacks. #SonicWall #AkiraRansomware…
Acronis TRU tracked a global malvertising and SEO-driven campaign named “TamperedChef” that distributes digitally signed fake installers which persist via scheduled tasks and execute heavily obfuscated JavaScript backdoors with remote code execution and HTTPS-based C2. The operators use U.S.-registered shell companies to acquire and rotate code-signing certificates, short-lived domain registrations, and malvertising/SEO to hide infrastructure and quickly recover after takedowns. #TamperedChef #Obfuscator_io
Reporting from AhnLab ASC and SentinelOne shows that CVE-2025-59287 in WSUS was exploited to deliver ShadowPad by chaining PowerCat for shell access and using certutil/curl to fetch and decode payloads. Observed artifacts include ETDApix.dll sideloading with ETDCtrlHelper.exe, tmp file configs for persistence, and C2 at 163.61.102[.]245; remediation: apply the Microsoft update and restrict WSUS…
A Bitcoin-themed sample of the DarkComet RAT was distributed inside a RAR archive and, once executed, unpacks to a UPX-packed executable that installs persistence, keylogs, and attempts to beacon to a hardcoded C2 at kvejo991.ddns.net:1604. File hashes, install path, mutex, and captured keystroke logs were recovered during analysis. #DarkComet #kvejo991.ddns.net
ESET analyzed PlushDaemon's use of a MIPS32 network implant named EdgeStepper that forwards DNS queries to attacker-controlled nodes to hijack legitimate software updates and deliver downloaders that deploy the SlowStepper backdoor. The report also details LittleDaemon and DaemonicLogistics, two Windows downloaders used in the update-hijacking chain, and provides IoCs including files, domains, and IPs. #EdgeStepper #SlowStepper
DoorDash experienced a cybersecurity breach caused by a social engineering attack that compromised some user contact information. The company responded quickly by shutting down access, enhancing security, and notifying affected users. #SocialEngineering #DataBreach…
Cybercrime has evolved into a subscription-based economy where services like phishing, OTP bots, infostealer data feeds, initial access, and advanced malware are rented on pay-as-you-go models, lowering the barrier to entry for low-skill attackers. Notable named services and tools in the article include SpamGPT, MatrixPDF, Atroposia, and Telegram-based OTP bots. #SpamGPT…
Sarcoma is a fast-emerging ransomware group (late 2024) that combines data theft with encryption and aggressive double-extortion tactics, targeting mid-market and larger organizations, especially in manufacturing, technology and construction, primarily in the United States, Italy and Canada. The group operates a controlled RaaS-style model, targets Windows, Linux and ESXi environments, and uses techniques including credential theft, zero-day exploits, anti-recovery steps and public leak pressure. #Sarcoma #ChaCha20
Sandworm (also tracked as APT44, Seashell Blizzard, and Voodoo Bear) conducted intrusions against Ukrainian organizations using exploited web services and a custom webshell called LocalOlive, then relied on living-off-the-land techniques to conduct reconnaissance, persistence, and credential theft. The campaign and associated emulation highlight specific TTPs, including LSASS dumping, scheduled task persistence, and…
Cybersecurity researchers uncovered a sophisticated attack targeting a U.S.-based real estate company using the new Tuoni command-and-control framework. The exploit involved social engineering, steganography, and AI-influenced code delivery, highlighting innovative misuse of red team tools. #Tuoni #RedTeamFramework…