Leaked internal documents show Knownsec operates as a state-aligned cyber contractor supplying a vertically integrated espionage stack—ZoomEye/TargetDB reconnaissance, o_data_* identity correlation, GhostX/Un‑Mail exploitation and mailbox takeover, and Passive Radar PCAP-based internal mapping—to Chinese public‑security, military, and regulator customers. The corpus includes organizational charts, employee emails, high‑confidence IOCs targeting Taiwanese critical infrastructure, and detailed tradecraft emphasizing persistence, anti‑forensics, and APT‑style operational workflows. #Knownsec #GhostX
Tag: INITIAL ACCESS
APT28 is a long-running, GRU-linked espionage group that prioritizes stealthy credential access, targeted phishing, and long-term intelligence collection across Europe, North America, and Ukraine. Recent reporting through 2025 highlights new tooling like the LAMEHUG AI-assisted malware and sustained credential/token harvesting campaigns against services such as UKR[.]net. #APT28 #LAMEHUG
Cybersecurity researchers have uncovered a new social media-based phishing campaign that uses DLL sideloading and legitimate open-source tools to deploy remote access Trojans and maintain persistent access. This highlights the growing threat of social media channels as attack surfaces for cybercriminals. #LOTUSLITE #PDFSIDER…
Seqrite Labs uncovered “Operation Covert Access,” a targeted spear-phishing campaign that abuses authentic Argentine federal court documents to deliver a multi-stage Rust-based Remote Access Trojan (CovertRAT) via a weaponized LNK, BAT loader, and a GitHub-hosted second-stage binary. The implant demonstrates extensive anti-VM/anti-debug checks, IPv4/IPv6 C2 fallback (default 181.231.253.69:4444), and a modular command set for persistence, data theft, file transfer, encryption, and privilege escalation. #CovertRATCiR #ArgentinaJudicialSector
A Jordanian man pleaded guilty to operating as an access broker, selling network access to over 50 companies for fraudulent purposes. This case highlights the role of initial access brokers in facilitating cyberattacks and the ongoing threats to corporate networks. #AccessBroker #InitialAccess #CyberCrime
A recent Palo Alto Networks study highlights the increased cyber threats targeting the upcoming Milan Cortina 2026 Winter Olympics, focusing on potential attacks across the event’s digital ecosystem. Threat actors, motivated by financial gain, espionage, or activism, are expected to target ticketing systems, public infrastructure, and attendees. #PyeongChang2018 #Tokyo2024 #Paris2024 #Ransomware…
A new espionage campaign targeting U.S. government entities has been identified, involving a custom backdoor called LOTUSLITE likely linked to Mustang Panda. The campaign uses spear-phishing with geopolitical lures and DLL sideloading to establish persistence, highlighting ongoing targeted cyber espionage efforts. #MustangPanda #LOTUSLITE…
Ukrainian and German authorities have identified suspects linked to the Black Basta ransomware group, with the group’s alleged leader added to international wanted lists. The group, responsible for cyberattacks on over 500 companies since 2022, appears to have disbanded after leaks exposed its inner workings and the leader’s connections to Russian intelligence….
A Jordanian national pleaded guilty to selling network access and malware that disables endpoint detection tools, affecting numerous companies and linked to a ransomware attack. The case highlights the role of initial access brokers and the ongoing threat posed by the “r1z” cybercrime forum account. #CVE-2022-26134 #CobaltStrike…
An advanced China-linked threat actor, UAT-8837, has been targeting North American critical infrastructure by exploiting vulnerabilities, including a recent zero-day in Sitecore. Researchers link this activity to broader Chinese espionage efforts, with tools aimed at credential theft and network reconnaissance. #UAT-8837 #SitecoreCVE2025-53690
Mamba Phishing-as-a-Service Kit: How Modern Adversary-in-the-Middle (AiTM) Attacks Operate – CYFIRMA
CYFIRMA assesses that Mamba 2FA is a scalable adversary-in-the-middle phishing framework that automates realistic Microsoft authentication flows to capture credentials, bypass MFA, and relay sessions with minimal user interaction. The report highlights encoded URL parameters, Microsoft-style password prompts, client-side password capture, and rapid redirection to legitimate sites, and recommends hardened identity controls such as FIDO2/WebAuthn and continuous monitoring to mitigate risk. #Mamba2FA #Microsoft365
Cyble’s analysis describes deVixor, an evolving Android banking RAT distributed via fake automotive websites that deploy malicious APKs to Iranian users to harvest SMS-based financial data, capture credentials, perform keylogging, and surveil devices. The malware now includes WebView-based JavaScript injection, a remotely triggered ransomware module, and uses Telegram and Firebase for command-and-control and large-scale administration. #deVixor #IranianBanks
Acronis TRU identified a targeted campaign delivering a DLL-sideloaded backdoor, tracked as LOTUSLITE, via a politically themed ZIP archive aimed at U.S. government and policy-related entities. The implant uses a simple loader/DLL execution chain, hard-coded IP-based C2, basic persistence via a Run key and ProgramData directory, and shows behavioral overlaps with Mustang Panda. #LOTUSLITE #MustangPanda
The Gootloader malware now employs highly sophisticated obfuscation techniques by concatenating up to 1,000 ZIP archives to evade detection. Researchers highlight how these methods challenge analysis tools and can be identified through specific ZIP header anomalies. #Gootloader #WinRAR #YARA
China-linked hackers, affiliated with Chinese government-backed groups, have successfully infiltrated critical infrastructure in North America by exploiting vulnerabilities and compromised credentials. Their campaigns involve sophisticated tools like Earthworm and zero-day exploits such as CVE-2025-53690. #UAT8837 #Earthworm…