The Android app Hicas (package com.apptool.hicash.newhicash) is distributed as a travel utility but dynamically switches on Indian devices to a fully web-based, coercive loan platform delivered via remote WebView and aggressive UI pressure. Static and dynamic analysis revealed heavy obfuscation, runtime XOR string decryption, contact harvesting, excessive permissions, and remote configuration hosted at in-h5.oss-ap-southeast-1.aliyuncs.com and bksn515.vercel.app, indicating a Chinese-operated loan ecosystem with coercive repayment tactics. #Hicas #hicas.tech
Tag: INITIAL ACCESS
Attackers compromised a contractor’s mailbox and hijacked an active executive approval thread to deliver a phishing link that led through multi-step redirects and Cloudflare Turnstile gates to an EvilProxy AiTM Microsoft credentialâtheft page. ANY.RUN researchers detonated the message in a sandbox, revealed the full execution chain, and linked the incident to…
IClickFix is a widespread malicious JavaScript framework that has been injected into over 3,800 compromised WordPress sites since at least December 2024 to display a fake Cloudflare Turnstile (ClickFix) lure and deliver downstream payloads. The framework uses a YOURLS-based Traffic Distribution System, multi-stage obfuscated JavaScript, and clipboard-based social engineering to install NetSupport RAT via a PowerShell dropper. #IClickFix #NetSupportRAT
FortiGuard Labs discovered a Base64-encoded PHP web shell named EncystPHP deployed by exploiting FreePBX Endpoint Manager vulnerability CVE-2025-64328, enabling remote command execution, persistence, and telephony abuse. The campaign, attributed to INJ3CTOR3, delivered droppers from 45[.]234[.]176[.]202 (crm[.]razatelefonia[.]pro), created a root-level user and SSH backdoor, and maintained persistence via cron jobs and widespread web shell copies. #EncystPHP #FreePBX
Check Point Research’s Cyber Security Report 2026 synthesizes findings from 2025 showing AI is embedded across the attack lifecycle, accelerating reconnaissance, social engineering, and malware development while introducing new governance risks. The report also highlights fragmented, data-only ransomware extortion, exploitation of unmonitored edge and perimeter devices, geopolitically aligned cyber activity, and measurable vulnerabilities in Model Context Protocols and ungoverned AI usage. #ModelContextProtocols #UnmonitoredDevices
TA584 increased its operational tempo in 2025, expanded geographic and language targeting, and changed its attack chains to include ClickFix social engineering, layered redirects, rapid domain rotation, and new payloads such as Tsundere Bot alongside XWorm. These changes produced high campaign churn, frequent use of PowerShell/Node.js-based installers and WebSocket/Ethereum-based C2 retrieval,…
Initial access broker TA584 has escalated operations, using hundreds of compromised aged accounts sent through SendGrid and Amazon SES to deliver geofenced redirect chains that funnel victims through CAPTCHA and ClickFix pages to run PowerShell loaders that deploy Tsundere Bot or XWorm in memory. Tsundere Bot, a Node.js-based malware-as-a-service that retrieves C2 via the Ethereum blockchain, communicates over WebSockets, checks system locale to avoid CIS languages, and supports data collection, lateral movement, SOCKS proxying and a built-in bot marketplace, is assessed to likely enable ransomware follow-on activity. #TA584 #TsundereBot
Dragos attributes a late-December 2025 coordinated cyber attack on multiple sites in the Polish power grid to the Russian state-sponsored crew ELECTRUM with medium confidence, calling it the first major incident targeting distributed energy resources (DERs). The attackers breached RTUs and communications at about 30 distributed generation sites, disabling some OT…
The GTIG reported widespread exploitation of CVE-2025-8088 in WinRAR using Alternate Data Streams and path traversal to drop payloads into the Windows Startup folder for persistence across state-sponsored and financially motivated campaigns. Defenders are urged to patch immediately and hunt for indicators such as malicious RAR archives, LNK/HTA/BAT/CMD payloads, and the provided SHA-256 hashes. #CVE-2025-8088 #WinRAR
Zscaler ThreatLabz uncovered two recent cyberespionage campaignsâGopher Strike and Sheet Attackâtargeting Indian government entities and deploying custom Golang tools while using legitimate infrastructure to evade detection. The operations introduce new malware like GOGITTER, GOSHELL, and GITSHELLPAD and suggest experimentation with generative AI, pointing to a possible Pakistan-linked subgroup. #GopherStrike #GITSHELLPAD…
Zscaler ThreatLabz analyzed the Sheet Attack campaign and identified three new backdoorsâSHEETCREEP, FIREPOWER, and MAILCREEPâthat abuse Google Sheets, Firebase, and Microsoft Graph API for C2 while using PDF and LNK lures to target Indian government entities. The report also documents signs of generative AI use in malware development and assesses with medium confidence a Pakistan-linked origin or connection to APT36. #SHEETCREEP #APT36
Comcast Businessâs 2025 Threat Report analyzes 34.6 billion events (including 19.5B botnet resource-development events, 9.7B drive-by compromises, 4.7B phishing attempts, and 44,069 DDoS events) to map evolving attacker tactics such as proxy abuse, living-off-the-land techniques, and AI-enabled social engineering. It urges organizations to adopt multi-layered, AI-augmented defensesâprioritizing patching, phishing-resistant MFA, proactive threat hunting, and managed 24/7 SOC servicesâto reduce exposure and build enterprise resilience. #SocGholish #ComcastBusiness
Ransomware in 2025 has evolved from a file-encryption problem into systematized extortion that weaponizes stolen data, legal liability, and psychological pressure. Defenders must shift from backup-driven recovery to legal and communications readiness, intelligence-driven vulnerability prioritization, and targeted configuration audits to detect and mitigate data exposure. #SafePay #Cl0p
Multiple state-sponsored and financially motivated actors are actively exploiting the highâseverity CVE-2025-8088 WinRAR pathâtraversal vulnerability to gain initial access and deliver varied malicious payloads. The flaw leverages Alternate Data Streams to hide and extract LNK/HTA/BAT/CMD/script files (often into Startup folders) for persistence, with exploitation observed since July 18, 2025, including zeroâday use by RomCom. #CVE-2025-8088 #RomCom
North Koreaâaligned cyber spies are abusing Visual Studio Code tunnels to hide command-and-control traffic and maintain prolonged access to South Korean systems. The campaign uses spear-phishing JSE scripts disguised as Hangul documents that impersonate the Ministry of Personnel Management and coordinates via a compromised site (yespp[.]co[.]kr). #DPRK #VisualStudioCode…