Sicarii is a newly observed RaaS operation that combines functional ransomware capabilities (data exfiltration, credential harvesting, LSASS dumping, network reconnaissance, Fortinet exploitation, and AES-GCM encryption adding a .sicarii extension) with unusually explicit Israeli/Jewish branding and geo-fencing that prevents execution on Israeli systems. The group’s public behavior, linguistic inconsistencies, performative identity signaling, and early-stage testing artifacts (VirusTotal uploads, Project3.exe, ransomawre.cs) suggest an immature or possibly false-flag operation rather than a mature ideologically driven actor. #Sicarii #CVE-2025-64446
Tag: INITIAL ACCESS
Microsoft Threat Intelligence exposed RedVDS, a criminal VDS marketplace operated by the actor tracked as Storm-2470 that sold cloned Windows Server 2022 RDP hosts and enabled mass phishing, BEC, account takeover, and large-scale financial fraud across multiple countries and sectors. Microsoft, in coordination with law enforcement, disrupted RedVDS infrastructure and published detections, IOCs, and mitigation guidance to reduce impact and harden defenses. #RedVDS #Storm-2470
CloudSEK STRIKE’s HUMINT uncovered a false-flag campaign by an actor using the alias “RedLineCyber” who distributes a PyInstaller-packed clipboard hijacker via Discord and Telegram, targeting cryptocurrency streamers and gambling communities. The malware, distributed as Pro.exe (also peeek.exe), monitors the Windows clipboard and silently replaces copied crypto addresses with attacker-controlled wallets for six cryptocurrencies while persisting via an HKCU Run key. #RedLineCyber #Pro.exe
Iru researchers uncovered a Mach-O binary named Portfolio_Review.exe that masquerades as a Windows .exe and contains a PyInstaller CArchive bundling a portfolio_app.pyc payload researchers named MonetaStealer. MonetaStealer (still in early development and relying heavily on AI-generated code) targets Chrome credentials/cookies/history, crypto wallets, macOS Keychain and Wi-Fi credentials, stages data to STOLEN{sessionID}.zip and uses api.telegram.org for reporting while remaining undetected on VirusTotal. #MonetaStealer #Iru
The 2025 cyber-extortion epidemic reached record levels, driven by a rise in encryptionless extortion: attackers increasingly steal data (often via zero-days or supply-chain weaknesses) and threaten leaks instead of using encryption. This trend coexists with persistent ransomware activity and the rapid expansion of actors such as Akira and Qilin following the disruption of LockBit and RansomHub. #Snakefly #OracleEBS
A threat actor named “timcookapple” is offering vast quantities of compromised access credentials, including webshells, WHMCS hosting, and cPanel control panels, impacting over 50,000 domains worldwide. These offerings are intended for malicious activities such as SEO manipulation and cyber attacks, with prices ranging into thousands of dollars in cryptocurrency. #timcookapple #webshells…
Medusa Ransomware is a rapidly expanding RaaS operation (also known as Storm-1175/Spearwing) that has abused unpatched RMM and public-facing application vulnerabilities to gain initial access, perform data exfiltration, and carry out file encryption across diverse sectors. Darktrace and other vendors have observed the group exploiting SimpleHelp and GoAnywhere flaws, abusing legitimate RMM tooling for C2 and persistence, and exfiltrating data to domains such as erp.ranasons[.]com. #Medusa #SimpleHelp
ANY.RUN performed a full dynamic and static analysis of CastleLoader, revealing a multi-stage delivery (Inno Setup → AutoIt → process hollowing into jsc.exe) that injects an in-memory-only PE payload used to deliver information stealers and RATs against government and critical infrastructure targets. The report includes an automated parser to extract configuration strings,…
The article shows that widely available large language models are being used by attackers as rapid authoring tools to produce PowerShell and other scripts, accelerating the tempo of commodity attacks without introducing fundamentally new exploitation techniques. Multiple Huntress case studies (including RDP brute force, WinRM lateral movement, browser credential harvesters, Veeam-focused attempts, and a malicious Chrome extension beaconing to 172.86.105[.]237:5000) were stopped by basic telemetry, MFA, segmentation, and tuned detections. #Veeam #Huntress
A new wave of GoBruteforcer attacks targets cryptocurrency and blockchain project databases to build botnets for brute-forcing various Linux server services. These campaigns exploit weak defaults, legacy web stacks, and misconfigured servers to infect hosts and facilitate cybercriminal activities such as blockchain balance querying. #GoBruteforcer #LinuxServers…
Dr. Amit Chaubey discusses the expanding “2026 Business Blast Radius,” emphasizing how external dependencies and geopolitical risks threaten global infrastructure and organizational resilience. The rising cyber threats, including AI-enabled identity attacks and cloud exploits, demand a collective, proactive security approach. #ChakraX #GlobalCyberThreats…
Threat actors abused Cloudflare’s free-tier TryCloudflare tunnels and legitimate Python environments to host WebDAV servers and deliver the AsyncRAT remote access trojan, using double-extension phishing lures and living-off-the-land techniques for persistence. The campaign installs an embedded Python runtime, executes ne.py to APC-inject shellcode from new.bin into explorer.exe, and persists via startup…
North Korean APT group Kimsuky has been using spear-phishing campaigns involving malicious QR codes to target government agencies, think tanks, and strategic firms worldwide. The FBI warns that these Quishing attacks are highly effective, bypass traditional security measures, and can lead to credential theft, malware deployment, and persistent access. #Kimsuky #Quishing…
Cisco Talos has exposed UAT-7290, a Chinese-nexus threat actor focusing on critical infrastructure, especially telecom networks in South Asia and Southeastern Europe. This group builds long-term attack infrastructure and acts both as spies and facilitators for other hacker groups. #UAT-7290 #ChinaNexus #CriticalInfrastructure #SoutheasternEurope…
MuddyWater APT group has shifted from scripting tools to a new Rust-based malware called “RustyWater” to evade detection and target critical sectors in the Middle East. This sophisticated attack involves spearphishing campaigns using malicious Word documents to deploy resilient, modular implants. #MuddyWater #RustyWater…