Adaptive Phishing Analysis: Spoofing and Exfiltration via Telegram

The article analyzes an adaptive phishing email that spoofed an internal sender and delivered an active HTML attachment which emulates a login page to harvest credentials. The stolen credentials and contextual metadata (public IP, hostname, timestamp) were exfiltrated to an attacker-controlled Telegram bot using the Telegram Bot API. #TelegramBotAPI #DMARC

Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs

Google’s Threat Intelligence Group has attributed attacks against Ukrainian defense, military, government, and energy organizations to a previously undocumented threat actor that deploys the obfuscated JavaScript malware CANFAIL. The group, possibly linked to Russian intelligence, uses LLMs to craft reconnaissance and social‑engineering lures that deliver CANFAIL via spoofed phishing emails and…

Cato CTRL™ Threat Research: Foxveil – New Malware Loader Abusing Cloudflare, Discord, and Netlify as Staging Infrastructure

Foxveil is a newly identified initial-stage loader active since August 2025 that retrieves Donut-generated shellcode from trusted hosting platforms (Cloudflare Pages, Netlify) and occasionally Discord attachments, operating in two variants with different injection and persistence techniques. It uses in-memory injection (Early Bird APC in v1, self-injection in v2), service/SysWOW64-based persistence, and a runtime string-mutation routine to frustrate analysis; Cato’s SASE platform blocks the loader before staged payloads execute. #Foxveil #Cloudflare

Threats to the Defense Industrial Base | Google Cloud Blog

The defense industrial base faces sustained, multi-vector cyber threats from state-sponsored groups and hacktivists targeting personnel, supply chains, edge devices, and battlefield technologies such as UAS and secure messaging apps. Notable tactics include phishing and job-themed lures, exploitation of edge device zero-days, mobile malware, supply-chain compromises, and hack-and-leak or DDoS operations by pro-Russia and pro-Iran hacktivists. #UNC5221 #CANFAIL

DomainTools Investigations | Lotus Blossom (G0030) and the Notepad++ Supply-Chain Espionage Campaign

Investigators determined the Notepad++ update mechanism (WinGUp/GUP.exe) was subverted for roughly six months to selectively deliver trojanized installers to a narrow set of high-value targets without modifying the project’s source code. The operation is attributed with moderate–high confidence to the China-aligned espionage cluster Lotus Blossom, which deployed bespoke implants (notably Chrysalis), DLL sideloading, and API-style HTTPS C2 to enable long-term intelligence collection. #LotusBlossom #Chrysalis

LockBit strikes with new 5.0 version, targeting Windows, Linux and ESXi systems

Acronis TRU analyzed LockBit 5.0, a cross‑platform ransomware family (Windows, Linux, ESXi) that uses XChaCha20 and Curve25519 encryption, random per‑file extensions, and shared execution/encryption logic while applying extensive defense‑evasion techniques on Windows. The report also links LockBit infrastructure to a SmokeLoader‑associated IP and documents double‑extortion exfiltration and enterprise/virtualization targeting (including Proxmox and ESXi). #LockBit #SmokeLoader

DotNetToJScript: Execute CSharp from JScript

Attackers can bypass application whitelisting and executable restrictions by converting managed .NET assemblies into JScript loaders that execute in memory via Windows Script Host. The technique demonstrated uses DotNetToJScript to run x64 Meterpreter shellcode over HTTPS, blending into trusted components and evading binary-focused defenses. #DotNetToJScript #Meterpreter

Mispadu Phishing Malware Baseline: Delivery Chains, Capabilities, and Common Campaigns

Mispadu is a long-standing Latin American banking Trojan that has surged in use since 2019 and is now primarily delivered via dynamically generated HTA→JS→VBS chains often embedded in password-protected PDFs and executed with a legitimate AutoIT interpreter to evade detection. The single APT group behind Mispadu (tracked as TA2725/Malteiro/Manipulated Caiman) has added self-propagation via Outlook contacts, geofencing, advanced obfuscation, and credential theft capabilities while primarily targeting Spanish-speaking countries such as Mexico and Brazil. #Mispadu #TA2725

Snail mail letters target Trezor and Ledger users in crypto-theft attacks

Threat actors are sending physical letters that impersonate Trezor and Ledger, urging recipients to complete bogus “Authentication Check” or “Transaction Check” steps by scanning QR codes. Those phishing sites prompt users to enter wallet recovery phrases, which are transmitted to attackers and enable theft of the victims’ funds. #Trezor #Ledger

One threat actor responsible for 83% of recent Ivanti RCE attacks

Two critical Ivanti Endpoint Manager Mobile vulnerabilities, CVE-2026-21962 and CVE-2026-24061, are being actively exploited for unauthenticated remote code execution, with vendor hotfixes released and full patches promised in EPMM 12.8.0.0. Most exploitation activity (over 83%) traces to a single IP hosted on bulletproof infrastructure, prompting recommendations to apply temporary RPM mitigations or migrate to a rebuilt EPMM instance. #IvantiEPMM #PROSPERO_OOO

Adversaries Exploiting Proprietary AI Capabilities, API Traffic to Scale Cyberattacks

In Q4 2025, GTIG observed threat actors escalate from experimental prompts to systematic exploitation of LLMs like Gemini for reconnaissance, phishing, malware development, and post-compromise activity. Model extraction and AI-powered frameworks such as HONESTCUE and COINBAIT, along with misuse by actors like UNC6418 and APT42, underscore growing abuse of commercial AI…

60,000 Records Exposed in Cyberattack on Uzbekistan Government

An alleged Uzbekistan cyberattack originally claimed to have exposed personal data of 15 million citizens actually involved roughly 60,000 individual data units, not 60,000 people. Digital Technologies Minister Sherzod Shermatov said three government information systems were accessed in late January and authorities have strengthened controls, including added OneID authorization, to limit…

Nation-State Actors Exploit Notepad++ Supply Chain

Between June and December 2025, the state-sponsored group Lotus Blossom compromised the shared hosting environment for Notepad++ updates and intercepted update traffic to serve malicious installers that delivered the Chrysalis backdoor and Cobalt Strike beacons. The campaign used DLL side-loading, Lua script injection and an adversary-in-the-middle filtering capability to selectively target…

Tech impersonators: ClickFix and MacOS infostealers

Datadog observed an active campaign using fake GitHub repositories and ClickFix landing pages to social-engineer victims into pasting commands that install macOS infostealers and (in some builds) Windows components. The actor iterates on MacSync and a persistent SHub Stealer v2.0—adding credential validation, broad file and wallet collection, dynamic anti-analysis, and a LaunchAgent-based beacon for remote command execution. #SHub #MacSync

Inside Gunra RaaS: From Affiliate Recruitment on the Dark Web to Full Technical Dissection of their Locker | CloudSEK

CloudSEK researchers infiltrated a newly launched Gunra affiliate program in January 2026, obtaining RaaS management panel credentials and a live ransomware sample for detailed technical analysis. The Gunra locker is an offline-capable, multi-threaded encryptor that uses per-file ChaCha20 keys protected with RSA-4096, selective system exclusions, .ENCRT renaming, and a Tor-based payment portal. #Gunra #CloudSEK
