TA584 increased its operational tempo in 2025, expanded geographic and language targeting, and changed its attack chains to include ClickFix social engineering, layered redirects, rapid domain rotation, and new payloads such as Tsundere Bot alongside XWorm. These changes produced high campaign churn, frequent use of PowerShell/Node.js-based installers and WebSocket/Ethereum-based C2 retrieval,…
Tag: SSO
Initial access broker TA584 has escalated operations, using hundreds of compromised aged accounts sent through SendGrid and Amazon SES to deliver geofenced redirect chains that funnel victims through CAPTCHA and ClickFix pages to run PowerShell loaders that deploy Tsundere Bot or XWorm in memory. Tsundere Bot, a Node.js-based malware-as-a-service that retrieves C2 via the Ethereum blockchain, communicates over WebSockets, checks system locale to avoid CIS languages, and supports data collection, lateral movement, SOCKS proxying and a built-in bot marketplace, is assessed to likely enable ransomware follow-on activity. #TA584 #TsundereBot
Downloading cracks, keygens, or cheat tools can deliver malware or embed critical vulnerabilities into systems, as shown by examples like iOS jailbreaks, Windows cheat drivers, and the macOS AutoHackGUI helper that runs as root. Researchers reversed AutoHackGUI and demonstrated an XPC-based exploit that connects to the Mach service io.github.marlkiller.AutoHackGUIHelper to execute arbitrary commands as root, illustrating how non-malicious cracking tools can enable local privilege escalation. #AutoHackGUI #IDAPro
MicroWorld Technologies confirmed that a regional eScan update server configuration was breached and an unauthorized, malicious update was distributed to customers who downloaded updates during a two-hour window on January 20, 2026. Security firm Morphisec analyzed the incident (identifying a modified Reload.exe and a backdoor CONSCTLX.exe) while eScan says it isolated and rebuilt affected infrastructure, rotated credentials, provided remediation, and disputes aspects of Morphisec’s disclosure. #eScan #CONSCTLX
The FTC, led by Commissioner Mark Meador, is urging age verification online to protect children and promoting AI-driven behavioral checks as a privacy-conscious tool. The agency has ramped up COPPA enforcement — including a $10 million Disney settlement and a lawsuit against Sendit — while mixed court rulings, including a Supreme…
Malicious open source packages surged into industrialized, large-scale campaigns in 2025, with researchers identifying more than 454,600 new malicious packages across npm, PyPI, Maven Central, NuGet, and Hugging Face and attacks increasing in sophistication. The report spotlights npm as the primary vector—featuring self-replicating packages like Shai-Hulud, activity from threat actors such…
HoneyMyte (aka Mustang Panda/Bronze President) continues active espionage across Southeast Asia and Europe in 2025, deploying an updated toolset that includes an enhanced CoolClient backdoor, browser credential stealers, USB worms, PlugX, ToneShell, QReverse and multiple data-theft scripts. The report details CoolClient’s DLL sideloading execution flow, new features such as clipboard monitoring and an HTTP proxy credential sniffer, and multiple exfiltration channels including FTP, Pixeldrain and Google Drive. #HoneyMyte #CoolClient
A Slovakian national, Alan Bill (also known as “Vend0r” or “KingdomOfficial”), admitted he helped operate Kingdom Market—a darknet marketplace that sold narcotics, cybercrime tools, fake IDs, and stolen personal information. He pleaded guilty to conspiracy to distribute controlled substances, surrendered the market domains and cryptocurrency assets, and faces sentencing on May 5 with a mandatory minimum five-year term. #KingdomMarket #AlanBill
Researchers at Pillar Security observed over 35,000 attack sessions in 40 days targeting exposed LLM endpoints in a large-scale campaign they named “Bizarre Bazaar.” The operation monetizes unauthorized access—using cryptomining, reselling API access via SilverInc/NeXeonAI, exfiltrating prompts, and attempting lateral movement through MCP servers. #BizarreBazaar #SilverInc
Relying on fully autonomous AI defenses creates a risky closed loop where poor data, model drift, and lack of oversight can produce systemic failure. To stay resilient against accelerating AI-enabled threats, organizations must pair human judgment with transparent governance, auditable models, and human-in-the-loop controls. #UnitedNationsScientificAdvisoryBoard #HumanInTheLoop…
Offensive security and red teaming are shifting from periodic exercises to continuous, AI-augmented programs that combine automation, threat intelligence, and human expertise to find and fix vulnerabilities faster. This evolution includes hybrid in-house and external models, greater collaboration with blue teams, and an urgent focus on combating AI-enhanced social engineering. #Bugcrowd…
Threat actors are actively exploiting a critical insecure-deserialization flaw in React Server Components—tracked as CVE-2025-55182 and dubbed React2Shell—to achieve remote code execution across multiple industries. Exploitation has led to widespread deployment of miners and botnets such as XMRig, RustoBot, Kaiji, Sliver, and EtherRAT, with persistence via systemd/cron, container escape chains, DNS…
The American Hospital Association has released two guides—Strategies for Medical Surge Management During Public Emergencies and Strategies for Cyber Preparedness in Health Care—to help U.S. hospitals strengthen preparedness, support staff, and sustain care during crises. The guidance centers on the “four S’s” (staffing, supply, space, systems) and offers practical measures such…
Fortinet has issued security updates after active exploitation of a critical FortiOS FortiCloud SSO authentication bypass (CVE-2026-24858) that also impacts FortiManager and FortiAnalyzer. The company disabled and re-enabled FortiCloud SSO to block malicious accounts and now requires customers to upgrade firmware, audit configurations, and rotate credentials. #CVE-2026-24858 #FortiCloud…
Chinese espionage group Mustang Panda updated its CoolClient backdoor to a variant that can steal browser login data, monitor the clipboard, and deploy a previously unseen rootkit. The attacks have used legitimate Sangfor software to target government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan while adding new plugins, infostealers for Chromium browsers, and exfiltration via hardcoded Google Drive and Pixeldrain tokens. #MustangPanda #CoolClient #Sangfor #ToneShell #PlugX #LuminousMoth