A series of malicious browser extensions, starting with GhostPoster, exploited cloaking techniques to evade detection across multiple platforms, including Firefox, Chrome, and Edge. Over 840,000 users were affected by these extensions, which remained active for years despite being removed from official marketplaces. #GhostPoster #LayerX #BrowserExtensions…
A threat actor linked to China is actively targeting North American critical infrastructure using advanced tactics, including zero-day exploits and open-source tools. This group demonstrates a high level of sophistication, potentially enabling future supply chain attacks and persistent infiltration. #UAT-8837 #ChinaNexus…
Mamba Phishing-as-a-Service Kit: How Modern adversary-in-the-middle (AiTM) Attacks Operate – CYFIRMA
CYFIRMA assesses that Mamba 2FA is a scalable adversary-in-the-middle phishing framework that automates realistic Microsoft authentication flows to capture credentials, bypass MFA, and relay sessions with minimal user interaction. The report highlights encoded URL parameters, Microsoft-style password prompts, client-side password capture, and rapid redirection to legitimate sites, and recommends hardened identity controls such as FIDO2/WebAuthn and continuous monitoring to mitigate the risk. #Mamba2FA #Microsoft365
Orion Ransomware is a newly observed operation whose public activity is limited to a data leak site listing 13 alleged victims and affiliate recruitment messaging rather than demonstrated ransomware development or independently verified intrusions. Analysis links the operator to prior reputation-driven extortion activity associated with Babuk2, indicating recycled leak material and low confidence in original operational capability. #Orion #Babuk2
A ransomware attack attributed to the threat actor “thegentlemen” has targeted Dongguan HYX Industrial, a China-based manufacturer of digital accessories with over 25 years of experience, compromising its operations and data security. The incident underscores the ongoing cybersecurity risks faced by manufacturing companies in China. #China
VoidLink is an advanced, modular Linux command-and-control framework designed for long-term stealthy access in cloud and container environments, featuring a Zig-written core, a web-based C2 dashboard, and a BOF-like plugin API. It includes 30+ plugins (credential harvesting, container escape, persistence), multiple rootkit techniques (LD_PRELOAD, LKM, eBPF), adaptive OPSEC, and multi-protocol C2 capabilities. #VoidLink #Kubernetes
Cyble's analysis describes deVixor, an evolving Android banking RAT distributed via fake automotive websites that deploy malicious APKs to Iranian users to harvest SMS-based financial data, capture credentials, perform keylogging, and surveil devices. The malware now includes WebView-based JavaScript injection, a remotely triggered ransomware module, and uses Telegram and Firebase for command-and-control and large-scale administration. #deVixor #IranianBanks
Manufacturing companies are being actively targeted with localized invoice-themed phishing that leverages CVE-2024-43451 and WebDAV-based shortcuts to deliver AsyncRAT and XWorm. Proactive, industry- and region-specific threat hunting using ANY.RUN's sandbox and Threat Intelligence Lookup can identify fresh samples, file hashes, malicious filenames, and hosting infrastructure (Dropbox/WebDAV) before widespread detection occurs. #AsyncRAT…
The Tengu ransomware group has claimed to breach Nordstrom Rack, stealing approximately 50.6 GB of sensitive internal data. This incident involves the exfiltration of confidential files, design sketches, financial records, and more. #TenguRansomware #NordstromRack #DataLeak…
FortiGuard Labs analyzed a phishing campaign that delivers a fileless variant of the Remcos RAT via a malicious Word document that downloads a crafted RTF exploiting CVE-2017-11882 to execute shellcode and launch VBScript and PowerShell loaders. The attack results in in-memory loading of a .NET module and process hollowing to deploy Remcos (version 7.0.4 Pro), with persistence via a scheduled task and C2 communications to 216.9.224.26:51010. #Remcos #CVE_2017_11882
Acronis TRU identified a targeted campaign delivering a DLL-sideloaded backdoor, tracked as LOTUSLITE, via a politically themed ZIP archive aimed at U.S. government and policy-related entities. The implant uses a simple loader/DLL execution chain, hard-coded IP-based C2, basic persistence via a Run key and ProgramData directory, and shows behavioral overlaps with Mustang Panda. #LOTUSLITE #MustangPanda
The Gootloader malware now employs highly sophisticated obfuscation techniques by concatenating up to 1,000 ZIP archives to evade detection. Researchers highlight how these methods challenge analysis tools and can be identified through specific ZIP header anomalies. #Gootloader #WinRAR #YARA
The Kimwolf botnet, a successor to the Aisuru DDoS network, rapidly expanded to over 2 million Android TV devices using residential proxies. Its activities include frequent DDoS attacks, mainly targeting Minecraft servers, posing significant threats if used against critical infrastructure. #Kimwolf #Aisuru #DDoS #AndroidTV #CyberThreats…
The Department of Homeland Security is developing a new advisory body called ANCHOR to replace CIPAC, aiming to improve communication between industry and government on critical infrastructure threats. The initiative seeks to streamline engagement, open some meetings to the public, and maintain important liability protections. #CIPAC #ANCHOR…
Microsoft collaborated with international law enforcement to dismantle the RedVDS cybercrime infrastructure, which facilitated mass phishing, fraud, and account compromises affecting thousands of organizations worldwide. The takedown highlights the importance of coordinated global efforts in combating cybercrime networks using disposable virtual servers. #RedVDS #Storm-2470…