Total Collection: 7456 Threat Research (auto update every day)
Last Threat Research
-
Threat Intelligence Report: ZionSiphon OT Malware First Attempts? Psyops? Both?

ZionSiphon is a Windows-based .NET implant disguised as SCADA_SecurityPatch_v8.4.exe that targets Israeli water and desalination infrastructure, but a critical XOR bug prevents its geographic validation from ever succeeding. The malware includes host-level persistence, privilege escalation, USB propagation logic, and sabotage-oriented strings for chlorine dosing and reverse osmosis control, yet it lacks working ICS-native execution, C2, and PLC interaction. #ZionSiphon #SCADA_SecurityPatch_v8.4.exe #Mekorot #Sorek #Hadera #Ashdod #Palmachim #Shafdan #Eilat
-
Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

Unit 42 attributes a multi-stage espionage campaign to the Iran-nexus APT group Screening Serpens, which deployed six new RAT variants against targets in the U.S., Israel, the UAE, and other Middle Eastern entities. The group used highly tailored recruitment and meeting-themed lures, DLL sideloading, and AppDomainManager hijacking to deliver MiniUpdate and…
-
Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Cloud Atlas conducted widespread SSH tunnel activity through 2025 into 2026 against government and commercial targets in Russia and Belarus, using phishing archives, malicious LNK files, PowerShell loaders, and multiple backup access tools. The campaign added VBCloud, PowerShower, RevSocks, Tor, and PowerCloud to support theft, reconnaissance, persistence, and covert remote access. #CloudAtlas #VBCloud #PowerShower #RevSocks #PowerCloud
-
The Gentleman Ransomware | Defense Evasion TTPs Uncovered | Huntress

Huntress investigated two The Gentlemen ransomware incidents in April and May 2025 that involved Scheduled Tasks, PowerShell, event log clearing, and attempts to disable Microsoft Defender. A leaked internal database also exposed the group’s infrastructure, negotiation details, and security-evasion tradecraft, including links to #TheGentlemen #MicrosoftDefender #Huntress
-
Emulating & Exploiting UEFI: Unveiling Vulnerabilities in Firmware Security

NetSPI analyzed a UEFI PNG decoder from BIOS firmware and found a buffer over-read caused by spoofing the PNG IDAT chunk length, even though the code already included a LogoFail-style size check. By emulating the module with Qiling, they showed the flaw can force reads past the image buffer during boot and potentially leak sensitive data from memory or NVRAM. #NetSPI #Qiling #PngDecoderDxe #LogoFail
-
Unpatchable Vulnerabilities of Kubernetes: CVE-2021-25740 | Datadog Security Labs

CVE-2021-25740 affects Kubernetes clusters where users who can modify Endpoint or EndpointSlice objects can redirect shared ingress or LoadBalancer traffic to unauthorized pods in another namespace. The issue highlights a multi-tenant networking weakness in Kubernetes and can be mitigated by avoiding shared load balancers, using Gateway API, and restricting direct user access to EndpointSlice objects. #CVE-2021-25740 #EndpointSlice #GatewayAPI #Kubernetes
-
SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer

EclecticIQ reports a financially motivated infostealer campaign that impersonates Gemini CLI, Claude Code, Node.js, Chocolatey, and other developer tools to trick users into running a hidden PowerShell installer. The malware steals credentials, OAuth tokens, session cookies, files, and system data from Windows endpoints, then exfiltrates them to command-and-control servers and can also execute operator-supplied follow-on payloads. #GeminiCLI #ClaudeCode #Nodejs #Chocolatey #MIRhosting #RedLine #LummaC2
-
April 2026 Security Issues in Korean & Global Financial Sector

The article highlights phishing, backdoor-downloader-dropper, and infostealer-ransomware activity targeting the financial sector, with Korean-language lure files, Telegram-based credential theft, and confirmed exploitation of the WGear RCE vulnerability. It also covers dark web sales of financial data and access, plus ransomware activity linked to groups such as Andariel, BlueNoroff, ShinyHunters, Everest, Prinz…
-
Automation and scripting in SMBs: Trends, challenges and what actually works

Acronis telemetry across 11,500 organizations shows that automation is highly concentrated, with most script activity coming from a small set of organizations and most teams relying on scheduled PowerShell tasks. AI-generated scripts are increasingly reaching production, while abandoned automation and embedded credentials create operational and security risks that make script governance essential. #Acronis #PowerShell #GitGuardian #GitHubCopilot
-
One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud ‘Patriot Bait’ Campaign

A solo Russian-speaking threat actor tracked as bandcampro ran the MAGA-themed Telegram channel @americanpatriotus and, starting in September 2025, used jailbroken Google Gemini and other AI tools to automate influence content, credential theft, and crypto fraud against American audiences. The operation included a fake QFS bot, a Stellar-based wallet scam, WordPress…
-
Inside the JDownloader Supply-Chain Attack: An r77 Rootkit Bot That Kills Your Antivirus

Attackers compromised the official JDownloader website and replaced selected download links with trojanized installers that delivered a Python bot, an r77 rootkit stager, and a WDAC policy designed to disable security tools. The campaign used dead-drop resolvers, DGA fallback domains, and encrypted C2 communications to maintain control, while affecting users who downloaded fresh installers during the compromise window. #JDownloader #r77 #PyArmor #WDAC
-
Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit

A compromised npm package, art-template, was used to inject a Coruna-like iOS exploit delivery framework through a watering-hole chain that redirected victims to utaq[.]cfww[.]shop and targeted Safari on iOS 11.0 through 17.2. The implant fingerprinted devices, beaconed victim IP and device version to l1ewsu3yjkqeroy[.]xyz, and used version-specific WebAssembly and architecture checks to route payloads such as cassowary and other Coruna-linked exploit chains. #art-template #Coruna #UNC6691 #utaqcfwwshop #l1ewsu3yjkqeroyxyz
-
Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign

zLabs uncovered a 10-month Android campaign that used nearly 250 malicious apps to conduct carrier billing fraud and premium SMS abuse across Malaysia, Thailand, Romania, and Croatia. The operation impersonated popular apps and brands, used WebView automation, OTP interception, and Telegram reporting, and remains partially active with several infrastructure domains still operational. #Facebook #Instagram #TikTok #Minecraft #GTA #Telegram #DiGi #Celcom #Maxis #UMobile #TrueMoveH #A1 #Telemach #Vodafone #Orange #Telekom
-
Webworm: New burrowing techniques

ESET researchers tracked Webworm, a China-aligned APT group that shifted from Asia to Europe in 2025 and expanded its toolkit with Discord-based EchoCreep and Microsoft Graph API-based GraphWorm backdoors. The group also relied on GitHub staging, custom proxy tools, and compromised cloud infrastructure such as an Amazon S3 bucket to support spying, exfiltration, and multi-hop proxying. #Webworm #EchoCreep #GraphWorm #SoftEtherVPN #MicrosoftGraphAPI #Discord #GitHub #AmazonS3
-
The expendable extension name: Azure VMAccess naming chaos, password resets, and a detection gap

Sysdig TRT found that Azure VM password reset telemetry can be evaded because VM extension names are caller-controlled, letting an attacker rename VMAccess deployments and reset credentials without triggering expected detections. Microsoft said this is not a security vulnerability, but the report shows the issue affects Azure VMAccess, Azure Portal, Azure CLI, and the Azure Threat Matrix guidance. #Azure #VMAccess #SysdigTRT #AzurePortal #AzureCLI #AzureThreatMatrix
-
Operation Dragon Whistle: UNG0002 Targets Chinese Academia via Weaponized Institutional Lure

Seqrite Labs identified a targeted spear-phishing campaign against Changzhou University that used a fake 2026 fitness testing notice to trick students and staff into opening a malicious ZIP archive. The infection chain used a disguised LNK file, obfuscated VBScript, DLL sideloading via Bandizip, and a final Cobalt Strike Beacon that connected to infrastructure on Alibaba Cloud. #ChangzhouUniversity #Bandizip #CobaltStrike #UNG0002
-
Hit Wicket: Inside The Expansive Web of Scams Targeting Millions of IPL Fans This Season

CloudSEK mapped the online IPL betting ecosystem for IPL 2026, showing how illegal betting platforms, tipper networks, and supporting criminal services work together to exploit cricket fans. The investigation found over 1,200 domains promoting betting sites, more than 9,300 rejected withdrawals worth an estimated ₹4.65 crore in losses, and growing use of AI deepfakes, compromised .gov.in sites, money mules, and fake loan apps to sustain the operation. #IPL2026 #CloudSEK #Telegram #Instagram #YouTubeShorts #govin #RanveerAllahbadia #SmritiMandhana
-
Tracking TamperedChef Clusters via Certificate and Code Reuse

This article describes multiple TamperedChef-style campaigns that distribute trojanized productivity apps such as PDF editors, calendars, and file tools, with activity clustered under CL-CRI-1089, CL-UNK-1090, and CL-UNK-1110. The campaigns use malvertising, code signing, delayed activation, and persistent C2 to deliver second-stage payloads like RATs, infostealers, proxy tooling, and browser hijackers. #TamperedChef…
-
Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor

Socket’s Threat Research Team identified a typosquatted Go module, github.com/shopsprint/decimal, that mimics the legitimate github.com/shopspring/decimal library and was weaponized in v1.3.3 with a DNS TXT-based backdoor. The malicious release remains fetchable through proxy.golang.org and pkg.go.dev even after the GitHub repository and owner account were removed, creating ongoing supply chain risk for any project that imports it. #githubcomshopsprintdecimal #githubcomshopspringdecimal #freemyipcom
-
Fake Microsoft Teams Campaign Delivers ValleyRAT via NSIS Installer and DLL Sideloading

Fake Microsoft Teams download sites were used to distribute a trojanized ZIP archive that installs a multistage loader chain ending in ValleyRAT. The campaign abuses GameBox.exe for DLL sideloading, evades Windows Defender, steals clipboard and log data, and communicates with a C2 server at 103.215.77.17. #ValleyRAT #GameBox.exe #SilverFoxAPT #MicrosoftTeams
Reference for Threat Research
This Threat Research category section filters and fetches posts (analysis reports only) from the following sites:
- asec.ahnlab.com
- any.run/cybersecurity-blog/
- attackiq.com
- bitdefender.com/blog/labs/
- cadosecurity.com/blog/
- cisa.gov/news-events/cybersecurity-advisories/
- crowdstrike.com/blog/
- cybereason.com/blog/category/research/
- darktrace.com/blog/
- fortinet.com/blog/threat-research/
- harfanglab.io/en/insidethelab/
- malwarebytes.com/blog/threat-intelligence/
- mandiant.com/resources/blog/
- mcafee.com/blogs/other-blogs/mcafee-labs/
- proofpoint.com/us/blog
- securelist.com/tag/malware-descriptions/
- securityintelligence.com/category/x-force/threat-intelligence/
- blog.talosintelligence.com
- trendmicro.com/en_us/research/
- unit42.paloaltonetworks.com
- nextron-systems.com/blog/
- team-cymru.com/blog/categories/threat-research/
- zscaler.com/blogs/
- blog.sonicwall.com
- labs.k7computing.com/
- recordedfuture.com/blog
- blog.sekoia.io/category/research-threat-intelligence/
- embee-research.ghost.io
- netspi.com/blog/technical/
- huntress.com/blog
- other 100++ sources
For the sites below, automatic fetching cannot be performed
(I need to monitor them manually, so updates will be delayed 3-7 days)
Below are other references that, for various reasons, I am not fetching automatically
(I need to review the articles manually, so updates will be delayed 3-5 days)
- cleafy.com/labs (update 1-2 months)
- guidepointsecurity.com/blog/ > category: threat advisory
- research.openanalysis.net
- blog.phylum.io/tag/research/
- shadowstackre.com/analysis/
- mssplab.github.io
- farghlymal.github.io
- asec.ahnlab.com/ko/
- blog.bushidotoken.net
- kroll.com/en/insights/publications/cyber
- Sentinelone.com
- blog.lumen.com
Update
- December, 2024: securonixblog – Fixed (xpath error)
- December, 2024: huntress – Fixed (xpath error)
- December, 2024: nccgroup – Failed (Incapsula)
- December, 2024: Mandiant – Removed (now part of Google Cloud)
- December, 2024: antiy.cn – Failed (curl or xpath error)
- December, 2024: sonicwall.com – Failed (curl error)
- January, 2025: team-cymru.com (RSS Feed Removed)
Update January, 2025
“Due to copyright reasons, starting January 2025, this site will no longer display the full content of sourced articles. Only Summaries, Key Points, MITRE Tactics for Threat Research, and selected IoCs will be provided. To read the full article, please click on the ‘source’ link to view it on the original website.”