Author: Mark

A threat actor named Detour Dog has been outed as powering campaigns distributing an information stealer known as Strela Stealer.

That’s according to findings from Infoblox, which found the threat actor to maintain control of domains hosting the first stage of the stealer, a backdoor called StarFish.

The DNS threat intelligence firm said it has been tracking Detour Dog since August 2023, when GoDaddy-owned Sucuri disclosed details of attacks targeting WordPress sites to embed malicious JavaScript that used DNS TXT records as a communication channel for a traffic distribution system (TDS), redirecting site visitors to sketchy sites and malware. Traces of the threat actor date back to February 2020.

“While traditionally these redirects led to scams, the malware has evolved recently to execute remote content through the DNS-based command-and-control (C2) system,” Infoblox said. “We are tracking the threat actor who controls this malware as Detour Dog.”

Detour Dog-owned infrastructure, per the company, has been used to host StarFish, a simple reverse shell that serves as a conduit for Strela Stealer. In a report published in July 2025, IBM X-Force said the backdoor is delivered by means of malicious SVG files with the goal of enabling persistent access to infected machines.

Hive0145, the threat actor exclusively behind Strela Stealer campaigns since at least 2022, is assessed to be financially motivated and is likely operating as an initial access broker (IAB), acquiring and selling access to compromised systems for profit.

Infoblox’s analysis has revealed that at least 69% of the confirmed StarFish staging hosts were under the control of Detour Dog, and that a MikroTik botnet advertised as REM Proxy – which, in turn, is powered by SystemBC, as uncovered by Lumen’s Black Lotus Labs last month — was also part of the attack chain.

Specifically, it has come to light that the spam email messages that distributed Strela Stealer originated from REM Proxy and another botnet dubbed Tofsee, the latter of which has been propagated via a C++-based loader called PrivateLoader in the past. In both cases, Detour Dog infrastructure hosted the first stage of the attack.

“The botnets were contracted to deliver the spam messages, and Detour Dog was contracted to deliver the malware,” Dr. Renée Burton, vice president of threat intelligence at Infoblox, told The Hacker News.

Detour Dog’s modus operandi when it comes to acquiring new infrastructure is by exploiting vulnerable WordPress sites to perform malicious code injections, although the company said the methods have since continued to evolve.

A notable aspect of the attack is that the compromised website functions normally 90% of the time, thereby raising no red flags and allowing the malware to persist for extended periods of time. In select instances (about 9%), however, a site visitor is redirected to a scam via Help TDS or Monetizer TDS; in a much rarer scenario (1%), the site receives a remote file execution command. It’s believed that the redirections are limited in a bid to avoid detection.

The development marks the first time Detour Dog has been spotted distributing malware, a shift from acting as an entity responsible for exclusively forwarding traffic to Los Pollos, a malicious advertising technology company operating under the VexTrio Viper umbrella.

“We suspect that they evolved from scams to include malware distribution for financial reasons,” Burton said. “There has been a great deal of focus in the security industry over the last 12-18 months to stop the type of scams Detour Dog has supported in the past. We believe they were making less money, though we can’t verify that.”

Complementing these changes is the fact that the website malware used by Detour Dog has witnessed an evolution of its own, gaining the ability to command infected websites to execute code from remote servers.

As of June 2025, the responses have directed the infected site to retrieve the output of PHP scripts from verified Strela Stealer C2 servers to likely distribute the malware — suggesting the dual use of DNS as both a communication channel and a delivery mechanism.

“Responses to TXT record queries are Base64-encoded and explicitly include the word ‘down’ to trigger this new action,” the company noted. “We believe this has created a novel networked malware distribution model using DNS in which the different stages are fetched from different hosts under the threat actor’s control and are relayed back when the user interacts with the campaign lure, for example, the email attachment.

“A novel setup like this would allow an attacker to hide their identity behind compromised websites, making their operations more resilient, meanwhile serving to mislead threat hunters because the malware isn’t really where the analyzed attachments indicate the stage is hosted.”

The entire sequence of actions unfolds as follows –

• Victim opens a malicious document, launching an SVG file that reaches out to an infected domain
• The compromised site sends a TXT record request to the Detour Dog C2 server via DNS
• The name server responds with a TXT record containing a Strela C2 URL, prefixed with “down”
• The compromised site removes the down prefix and uses curl to possibly fetch the StarFish downloader from the URL
• The compromised site acts as a relay to send the downloader to the client (i.e., the victim)
• The downloader initiates a call to another compromised domain
• The second compromised domain sends a similar DNS TXT query to the Detour Dog C2 server
• The Detour Dog name server responds with a new Strela C2 URL, again prefixed with “down”
• The second compromised domain strips the prefix and sends a curl request to the Strela C2 server to fetch StarFish
• The second compromised domain acts as a relay to send the malware to the client (i.e., the victim)

Infoblox said it worked with the Shadowserver Foundation to sinkhole two of Detour Dog’s C2 domains (webdmonitor[.]io and aeroarrows[.]io) on July 30 and August 6, 2025.

The company also pointed out that the threat actor likely functions as a distribution-as-a-service (DaaS) provider, adding it found evidence of an “apparently unrelated file” propagated through its infrastructure. However, it noted it “couldn’t validate what was delivered.”

The threat actor behind Rhadamanthys has also advertised two other tools called Elysium Proxy Bot and Crypt Service on their website, even as the flagship information stealer has been updated to support the ability to collect device and web browser fingerprints, among others.

“Rhadamanthys was initially promoted through posts on cybercrime forums, but soon it became clear that the author had a more ambitious plan to connect with potential customers and build visibility,” Check Point researcher Aleksandra “Hasherezade” Doniec said in a new report.

First advertised by a threat actor named kingcrete2022, Rhadamanthys has emerged as one of the most popular information stealers available under a malware-as-a-service (MaaS) model alongside Lumma, Vidar, StealC, and, more recently, Acreed. The current version of the stealer is 0.9.2.

Over the years, the stealer’s capabilities have extended far beyond simple data collection, representing a comprehensive threat to personal and corporate security. In an analysis of version 0.7.0 of the malware last October, Recorded Future detailed the addition of a new artificial intelligence (AI) feature for optical character recognition (OCR) to capture cryptocurrency wallet seed phrases.

The latest findings from Check Point show that the threat actors rebranded themselves as “RHAD security” and “Mythical Origin Labs,” marketing their offerings as “intelligent solutions for innovation and efficiency.”

Rhadamanthys is available in three tiered packages, starting from $299 per month for a self-hosted version to $499 per month that comes with additional benefits, including priority technical support, server, and advanced API access. Prospective customers can also purchase an Enterprise plan by directly contacting their sales team.

“The combination of the branding, product portfolio, and pricing structure suggest that the authors treat Rhadamanthys as a long-term business venture rather than a side project,” Hasherezade noted. “For defenders, this professionalization signals that Rhadamanthys with its growing customer base and an expanding ecosystem is likely here to stay, making it important to track not only its malware updates but also the business infrastructure that sustains it.”

Like Lumma version 4.0, Rhadamanthys version 0.9.2 includes a feature to avoid leaking unpacked artifacts by displaying to the user an alert that allows them to finish the execution of the malware without inflicting any harm to the machine on which it’s running.

This is done so in an attempt to prevent malware distributors from spreading the initial executable in its plain, unprotected form so as to curtail detection efforts, as well as getting their systems infected in the process. That said, while the alert message may be the same in both the stealers, the implementation is completely different, Check Point said, suggesting “surface-level mimicry.”

“In Lumma, opening and reading the file is implemented via raw syscalls, and the message box is executed via NtRaiseHardError,” it noted. “In Rhadamanthys, raw syscalls aren’t used, and the same message box is displayed by MessageBoxW. Both loaders are obfuscated, but the obfuscation patterns are different.”

Other updates to Rhadamanthys concern slight tweaks to the custom XS format used to ship the executable modules, the checks executed to confirm if the malware should continue its execution on the host, and the obfuscated configuration embedded into it. The modifications also extend to obfuscating the names of the modules to fly under the radar.

One of the modules, previously referred to as Strategy, is responsible for a series of environment checks to ensure that it’s not running in a sandboxed environment. Furthermore, it checks running processes against a list of forbidden ones, gets the current wallpaper, and verifies it against a hard-coded one that represents the Triage sandbox.

It also runs a check to confirm if the current username matches anything that resembles those used for sandboxes, and compares the machine’s HWID (hardware identifier) against a predefined list, once again to ascertain the presence of a sandbox. It’s only when all these checks are passed that the sample proceeds to establish a connection with a command-and-control (C2) server to fetch the core component of the stealer.

The payload is concealed using steganographic techniques, either as a WAV, JPEG, or PNG file, from where it’s extracted, decrypted, and launched. It’s worth noting that decrypting the package from the PNG requires a shared secret that’s agreed upon during the initial phase of the C2 communication.

The stealer module, for its part, is equipped with a built-in Lua runner that serves additional plugins written in the programming language to facilitate data theft and conduct extensive device and browser fingerprinting.

“The latest variant represents an evolution rather than a revolution. Analysts should update their config parsers, monitor PNG-based payload delivery, track changes in mutex and bot ID formats, and expect further churn in obfuscation as tooling catches up,” Check Point said.

“Currently, the development is slower and steadier: the core design remains intact, with changes focused on refinements – such as new stealer components, changes in obfuscation, and more advanced customization options.”

Oct 03, 2025Ravie LakshmananMalware / Online Security

Brazilian users have emerged as the target of a new self-propagating malware that spreads via the popular messaging app WhatsApp.

The campaign, codenamed SORVEPOTEL by Trend Micro, weaponizes the trust with the platform to extend its reach across Windows systems, adding the attack is “engineered for speed and propagation” rather than data theft or ransomware.

“SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments,” researchers Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon said.

“Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers.”

Once the attachment is opened, the malware automatically propagates via the desktop web version of WhatsApp, ultimately causing the infected accounts to be banned for engaging in excessive spam. There are no indications that the threat actors have leveraged the access to exfiltrate data or encrypt files.

The vast majority of the infections — 457 of the 477 cases — are concentrated in Brazil, with entities in government, public service, manufacturing, technology, education, and construction sectors impacted the most.

The starting point of the attack is a phishing message sent from an already compromised contact on WhatsApp to lend it a veneer of credibility. The message contains a ZIP attachment that masquerades as a seemingly harmless receipt or health app-related file.

That said, there is evidence to suggest that the operators behind the campaign have also used emails to distribute the ZIP files from seemingly legitimate email addresses.

Should the recipient fall for the trick and open the attachment, they are lured into opening a Windows shortcut (LNK) file that, when launched, silently triggers the execution of a PowerShell script responsible for retrieving the main payload from an external server (e.g., sorvetenopoate[.]com).

The downloaded payload is a batch script designed to establish persistence on the host by copying itself to the Windows Startup folder so that it’s automatically launched following a system start. It’s also designed to run a PowerShell command that reaches out to a command-and-control (C2) server to fetch further instructions or additional malicious components.

Central to SORVEPOTEL operations is the WhatsApp-focused propagation mechanism. If the malware detects that WhatsApp Web is active on the infected system, it proceeds to distribute the malicious ZIP file to all contacts and groups associated with the victim’s compromised account, allowing it to spread rapidly.

“This automated spreading results in a high volume of spam messages and frequently leads to account suspensions or bans due to violations of WhatsApp’s terms of service,” Trend Micro said.

“The SORVEPOTEL campaign demonstrates how threat actors are increasingly leveraging popular communication platforms like WhatsApp to achieve rapid, large-scale malware propagation with minimal user interaction.”

Passwork is positioned as an on-premises unified platform for both password and secrets management, aiming to address the increasing complexity of credential storage and sharing in modern organizations. The platform recently received a major update that reworks all the core mechanics.

Passwork 7 introduces significant changes to how credentials are organized, accessed, and managed, reflecting feedback from real-world users. The redesign prioritizes usability and security, with a focus on streamlining workflows and making key features more accessible.

Passwork isn’t trying to reinvent the wheel. Instead, it focuses on solving a very real problem: how do businesses keep credentials organized, secure, and accessible without adding complexity or risk? In this article, we’ll look at what Passwork 7 delivers, how it fits into a business environment, and what makes it different. Below is a walkthrough of its main features and workflows.

Getting started: User experience and onboarding

The first thing you notice with Passwork 7 is its new interface that immediately signals its focus on simplicity. The dashboard provides a clear overview of vaults, folders, passwords, and recent activity. The idea is simple: streamline onboarding and avoid distracting users from their core tasks.

This approach is especially important in sectors like public service, education, and healthcare, where staff often have limited time or technical expertise. By reducing the learning curve, Passwork helps organizations roll out secure password management quickly and efficiently, without disrupting daily operations or requiring extensive user education.

Search and filtering options are simple, ensuring users can locate the right password without unnecessary complexity.

Vaults, folders, and password

Passwork 7 uses a hierarchical structure for organizing data:

• Vaults are the main containers for credentials
• Folders help organize related passwords within a vault
• Password cards store individual credentials, including username, password, URL, notes, 2FA codes, and attachments

To add a new password, users select the appropriate vault, create a folder (if needed), and fill out a password card with the required details.

The system is flexible: organizations can build a structure or hierarchy of vaults and folders to reflect their internal company layout and security requirements. This approach allows businesses to align credential management with their own processes, whether that means mirroring a strict departmental separation or supporting cross-functional teams.

Vault types: Data segmentation

Solution introduces a flexible vault architecture designed to improve security and management. Administrators can define custom vault types that align with an organization’s structure, making it easier to control data access across large teams.

There are two primary vault categories:

• User vaults: Private by default, accessible only to their creator. These can be shared with others as needed.
• Company vaults: Accessible to the creator and corporate administrators, who are automatically included to maintain oversight.

Beyond these standard options, administrators have the ability to set up custom vault types for specific departments or projects — such as IT, finance, or HR. For each vault type, it’s possible to assign designated administrators, configure access levels, and set rules about who can create new vaults of that type. This approach ensures that department heads or IT leads maintain control over sensitive data, supports granular permission management, and simplifies auditing.

Managing access: Roles and groups

Access control in Passwork 7 is role-based. Administrators assign roles to users, defining what actions they can take within the system. There’s no limit on the number of roles you can create, so it’s possible to tailor permissions as granularly as needed.

You can grant specific users rights to manage certain roles and groups or access activity logs, give other administrators control over SSO and LDAP settings while blocking access to other system configurations, or create specialized departmental roles with precisely tailored permissions.

Groups further streamline permission management: by adding users to a group, they automatically inherit the group’s permissions across relevant vaults and folders — such as viewing, editing, or managing credentials.

This structure helps organizations maintain security and compliance by ensuring only authorized users have access to sensitive information.

All sharing activities are logged, providing a transparent audit trail for compliance and incident investigation.

Password and secrets management: DevOps-ready tools

One notable feature is Passwork’s integration of secrets management and a comprehensive API. Beyond passwords, the platform stores keys, database logins, SSH keys, tokens, and certificates. Secrets can be managed alongside passwords, in dedicated encrypted vaults.

In other words, the latest release now combines two fully developed solutions under one roof:

• Password manager: A user-friendly interface designed for secure storage and sharing of credentials within a team.
• Secrets management system: This side caters to developers and administrators, offering programmatic access via REST API, Python connector, CLI, and Docker container. These tools make it possible to automate secret handling in scripts, services, and DevOps workflows.

The Passwork API supports all system actions, providing complete programmatic control over password and secrets management operations. This unified approach simplifies workflows for end-users, IT, and DevOps teams, reducing tool sprawl and centralizing oversight. Secrets are accessible via the web interface, API, CLI, and Python-connector, enabling integration with automated systems.

Security monitoring and incident response

Comprehensive logging now provides detailed records of every action and system change, ensuring administrators have complete visibility over the environment. Real-time tracking and instant alerts enable rapid detection of suspicious activity, supporting both security and regulatory compliance requirements. Whether monitoring access attempts, credential updates, or changes in permissions, the system delivers timely, actionable information.

Administrators have access to detailed audit logs and a security dashboard. In the event of a breach or suspicious activity, compromised users can be blocked and credentials rotated. These features support rapid incident response and ongoing risk management.

Integration with corporate systems

For enterprise environments, Passwork offers SSO and LDAP integration. Users authenticate with existing credentials, and user management synchronizes with Active Directory. This streamlines onboarding, offboarding, and ongoing access control.

Deployment

To start with, the system uses a zero-knowledge architecture — credentials aren’t stored on user devices. Instead, everything, including change logs and notes, lives in a dedicated MongoDB instance and is encrypted using end-to-end AES-256. This setup keeps sensitive data out of reach, even from the platform itself. It supports both single-server and multi-server setups for those needing redundancy or fault tolerance.

For everyday use, there’s a browser extension compatible with all major browsers. The mobile app is available for both Android and iOS, so users aren’t tied to their desktops. There’s also a dedicated 2FA app for added authentication, also supporting both platforms.

For organizations with stricter security requirements, there’s the option to switch on client-side encryption right from the start. In practice, this means every piece of data (moving or stored) is locked down using a master password unique to each user. By combining password and secrets management, Passwork can help businesses reduce their total cost of ownership.

Conclusion

Passwork offers a practical, unified solution for managing both passwords and secrets. Its emphasis on usability, flexible data organization, and granular access control makes it suitable for diverse environments and businesses of any size. By combining password and secret management in one solution, Passwork streamlines workflows, adapts to internal processes, and simplifies secure collaboration across teams.

Passwork has ISO 27001 certification, ensuring compliance with international information security management standards — a critical requirement for organizations operating in regulated industries or handling sensitive data.

The platform’s streamlined onboarding and integration capabilities allow organizations to secure sensitive data without disrupting daily operations. For businesses looking to centralize credential management and improve security posture, Passwork 7 provides a comprehensive toolkit designed for fast, seamless implementation.

To learn more or request a free demo, visit passwork.pro.

Oct 03, 2025Ravie LakshmananCybersecurity / Malware

A threat actor that’s known to share overlaps with a hacking group called YoroTrooper has been observed targeting the Russian public sector with malware families such as FoalShell and StallionRAT.

Cybersecurity vendor BI.ZONE is tracking the activity under the moniker Cavalry Werewolf. It’s also assessed to have commonalities with clusters tracked as SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris.

“In order to gain initial access, the attackers sent out targeted phishing emails disguising them as official correspondence from Kyrgyz government officials,” BI.ZONE said. “The main targets of the attacks were Russian state agencies, as well as energy, mining, and manufacturing enterprises.”

In August 2025, Group-IB revealed attacks mounted by ShadowSilk targeting government entities in Central Asia and Asia-Pacific (APAC), using reverse proxy tools and remote access trojans written in Python and subsequently ported to PowerShell.

Cavalry Werewolf’s ties to Tomiris are significant, not least because it further lends credence to a hypothesis that it’s a Kazakhstan-affiliated threat actor. In a report late last year, Microsoft attributed the Tomiris backdoor to a Kazakhstan-based threat actor tracked as Storm-0473.

The latest phishing attacks, observed between May and August 2025, involve sending email messages using fake email addresses that impersonate Kyrgyzstan government employees to distribute RAR archives that deliver FoalShell or StallionRAT.

In at least one case, the threat actor is said to have compromised a legitimate email address associated with the Kyrgyz Republic’s regulatory authority to send the messages. FoalShell is a lightweight reverse shell that appears in Go, C++, and C# versions, allowing the operators to run arbitrary commands using cmd.exe.

StallionRAT is no different in that it is written in Go, PowerShell, and Python, and enables the attackers to execute arbitrary commands, load additional files, and exfiltrate collected data using a Telegram bot. Some of the commands supported by the bot include –

• /list, to receive a list of compromised hosts (DeviceID and computer name) connected to the command-and-control (C2) server
• /go [DeviceID] [command], to execute the given command using Invoke-Expression
• /upload [DeviceID], to upload a file to the victim’s device

Also executed on the compromised hosts are tools like ReverseSocks5Agent and ReverseSocks5, as well as commands to gather device information.

The Russian cybersecurity vendor said it also uncovered various filenames in English and Arabic, suggesting that the targeting focus of Cavalry Werewolf may be broader in scope than previously assumed.

“Cavalry Werewolf is actively experimenting with expanding its arsenal,” BI.ZONE said. “This highlights the importance of having quick insights into the tools used by the cluster; otherwise, it would be impossible to maintain up-to-date measures to prevent and detect such attacks.”

The disclosure comes as the company disclosed that an analysis of publications on Telegram channels or underground forums by both financially motivated attackers and hacktivists over the past year has identified compromises of at least 500 companies in Russia, most of which spanned commerce, finance, education, and entertainment sectors.

“In 86% of cases attackers published data stolen from compromised public‑facing web applications,” it noted. “After gaining access to the public web application, the attackers installed gs‑netcat on the compromised server to ensure persistent access. Sometimes, the attackers would load additional web shells. They also used legitimate tools such as Adminer, phpMiniAdmin, and mysqldump to extract data from databases.”

Oct 03, 2025Ravie LakshmananVulnerability / IoT Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Smartbedded Meteobridge to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, CVE-2025-4008 (CVSS score: 8.7), is a case of command injection in the Meteobridge web interface that could result in code execution.

“Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices,” CISA Said.

According to ONEKEY, which discovered and reported the issue in late February 2025, the Meteobridge web interface lets an administrator manage their weather station data collection and control the system through a web application written in CGI shell scripts and C.

Specifically, the web interface exposes a “template.cgi” script through “/cgi-bin/template.cgi,” which is vulnerable to command injection stemming from the insecure use of eval calls, allowing an attacker to supply specially crafted requests to execute arbitrary code –

curl -i -u meteobridge: meteobridge 
'https://192.168.88.138/cgi-bin/template.cgi?$(id>/tmp/a)=whatever'

Furthermore, ONEKEY said the vulnerability can be exploited by unauthenticated attackers due to the fact that the CGI script is hosted in a public directory without requiring any authentication.

“Remote exploitation through a malicious webpage is also possible since it’s a GET request without any kind of custom header or token parameter,” security researcher Quentin Kaiser noted back in May. “Just send a link to your victim and create img tags with the src set to ‘https://subnet.a/public/template.cgi?templatefile=$(command).’”

There are currently no public reports referencing how CVE-2025-4008 is being exploited in the wild. The vulnerability was addressed in Meteobridge version 6.2, released on May 13, 2025.

Also added by CISA to the KEV catalog are four other flaws –

• CVE-2025-21043 (CVSS score: 8.8) – Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so that could allow remote attackers to execute arbitrary code.
• CVE-2017-1000353 (CVSS score: 9.8) – Jenkins contains a deserialization of untrusted data vulnerability that could allow unauthenticated remote code execution, bypassing denylist-based protection mechanisms.
• CVE-2015-7755 (CVSS score: 9.8) – Juniper ScreenOS contains an improper authentication vulnerability that could allow unauthorized remote administrative access to the device.
• CVE-2014-6278, aka Shellshock (CVSS score: 8.8) – GNU Bash contains an OS command injection vulnerability that could allow remote attackers to execute arbitrary commands via a crafted environment.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by October 23, 2025, for optimal protection.

Oct 02, 2025Ravie LakshmananMalware / Cyber Espionage

The threat actor known as Confucius has been attributed to a new phishing campaign that has targeted Pakistan with malware families like WooperStealer and Anondoor.

“Over the past decade, Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries — especially in Pakistan – using spear-phishing and malicious documents as initial access vectors,” Fortinet FortiGuard Labs researcher Cara Lin said.

Confucius is a long-running hacking group that’s believed to have been active since 2013 and operating across South Asia. Recent campaigns undertaken by the threat actor have employed a Python-based backdoor called Anondoor, signaling an evolution of the group’s tradecraft and its technical agility.

One of the attack chains documented by Fortinet targeted users in Pakistan sometime in December 2024, tricking recipients into opening a .PPSX file, which then triggers the delivery of WooperStealer using DLL side-loading techniques.

A subsequent attack wave observed in March 2025 has been found to employ Windows shortcut (.LNK) files to unleash the malicious WooperStealer DLL, again launched using DLL side-loading, to steal sensitive data from compromised hosts.

Another .LNK file spotted in August 2025 also leveraged similar tactics to sideload a rogue DLL, only this time the DLL paves the way for Anondoor, a Python implant that’s designed to exfiltrate device information to an external server and await further tasks to execute commands, take screenshots, enumerate files and directories, and dump passwords from Google Chrome.

It’s worth noting that the threat actor’s use of Anondoor was documented in July 2025 by Seebug’s KnownSec 404 Team.

“The group has demonstrated strong adaptability, layering obfuscation techniques to evade detection and tailoring its toolset to align with shifting intelligence-gathering priorities,” Fortinet said. “Its recent campaigns not only illustrate Confucius’ persistence but also its ability to pivot rapidly between techniques, infrastructure, and malware families to maintain operational effectiveness.”

The disclosure comes as K7 Security Labs detailed an infection sequence associated with the Patchwork group that commences with a malicious macro that’s designed to download a .LNK file containing PowerShell code responsible for downloading additional payloads and leveraging DLL side-loading to launch the primary malware while simultaneously displaying a decoy PDF document.

The final payload, for its part, establishes contact with the threat actor’s command-and-control (C2) server, gathers system information, and retrieves an encoded instruction that’s subsequently decrypted for execution using cmd.exe. It’s also equipped to take screenshots, upload files from the machine, and download files from a remote URL and save them locally in a temporary directory.

“The malware waits for a configurable period and retries sending the data up to 20 times, tracking failures to ensure persistent and stealthy data exfiltration without alerting the user or security systems,” the company said.

Oct 02, 2025Ravie LakshmananPython / Malware

Cybersecurity researchers have flagged a malicious package on the Python Package Index (PyPI) repository that claims to offer the ability to create a SOCKS5 proxy service, while also providing a stealthy backdoor-like functionality to drop additional payloads on Windows systems.

The deceptive package, named soopsocks, attracted a total of 2,653 downloads before it was taken down. It was first uploaded by a user named “soodalpie” on September 26, 2025, the same date the account was created.

“While providing this capability, it exhibits behavior as a backdoor proxy server targeting Windows platforms, using automated installation processes via VBScript or an executable version,” JFrog said in an analysis.

The executable (“_AUTORUN.EXE”) is a compiled Go file that, besides including a SOCKS5 implementation as advertised, is also designed to run PowerShell scripts, set firewall rules, and relaunch itself with elevated permissions. It also carries out basic system and network reconnaissance, including Internet Explorer security settings and Windows installation date, and exfiltrates the information to a hard-coded Discord webhook.

“_AUTORUN.VBS,” the Visual Basic Script launched by the Python package in versions 0.2.5 and 0.2.6, is also capable of running a PowerShell script, which then downloads a ZIP file containing the legitimate Python binary from an external domain (“install.soop[.]space:6969”) and generates a batch script that’s configured to install the package using the “pip install” command and run it.

The PowerShell script then invokes the batch script, causing the Python package to be executed, which, in turn, elevates itself to run with administrative privileges (if not already), configure firewall rules to allow UDP and TCP communication via port 1080, install as a service, maintain communication with a Discord webhook, and set up persistence on the host using a scheduled task to make sure it automatically starts upon a system reboot.

“soopsocks is a well-designed SOCKS5 proxy with full bootstrap Windows support,” JFrog said. “However, given the way it performs and actions it takes during runtime, it shows signs of malicious activity, such as firewall rules, elevated permissions, various PowerShell commands, and the transfer from simple, configurable Python scripts to a Go executable with hardcoded parameters, version with reconnaissance capabilities to a predetermined Discord webhook.”

The disclosure comes as npm package maintainers have raised concerns related to a lack of native 2FA workflows for CI/CD, self-hosted workflow support for trusted publishing, and token management following sweeping changes introduced by GitHub in response to a growing wave of software supply chain attacks, Socket said.

Earlier this week, GitHub said it will shortly revoke all legacy tokens for npm publishers and that all granular access tokens for npm will have a default expiration of seven days (down from 30 days) and a maximum expiration of 90 days, which used to be unlimited previously.

“Long-lived tokens are a primary vector for supply chain attacks. When tokens are compromised, shorter lifetimes limit the window of exposure and reduce potential damage,” it said. “This change brings npm in line with security best practices already adopted across the industry.”

It also comes as the software supply chain security firm released a free tool called Socket Firewall that blocks malicious packages at install time across npm, Python, and Rust ecosystems, giving developers the ability to safeguard their environments against potential threats.

“Socket Firewall isn’t limited to protecting you from problematic top-level dependencies. It will also prevent the package manager from fetching any transitive dependency that is known to be malicious,” the company added.

Oct 02, 2025Ravie LakshmananRansomware / Threat Intelligence

Google Mandiant and Google Threat Intelligence Group (GTIG) have disclosed that they are tracking a new cluster of activity possibly linked to a financially motivated threat actor known as Cl0p.

The malicious activity involves sending extortion emails to executives at various organizations and claiming to have stolen sensitive data from their Oracle E-Business Suite.

“This activity began on or before September 29, 2025, but Mandiant’s experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group,” Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, told The Hacker News in a statement.

Mandiant CTO Charles Carmakal described the ongoing activity as a “high-volume email campaign” that’s launched from hundreds of compromised accounts, with evidence suggesting that at least one of those accounts has been previously associated with activity from FIN11, which is a subset within the TA505 group.

FIN11, per Mandiant, has engaged in ransomware and extortion attacks as far back as 2020. Previously, it was linked to the distribution of various malware families like FlawedAmmyy, FRIENDSPEAK, and MIXLABEL.

“The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Cl0p data leak site (DLS),” Carmakal added. “This move strongly suggests there’s some association with Cl0p, and they are leveraging the brand recognition for their current operation.”

That said, Google said it does not have any evidence on its own to confirm the alleged ties, despite similarities in tactics observed in past Cl0p attacks. The company is also urging organizations to investigate their environments for evidence of threat actor activity.

It’s currently not clear how initial access is obtained. However, according to Bloomberg, it’s believed that the attackers compromised user emails and abused the default password reset function to gain valid credentials of internet-facing Oracle E-Business Suite portals, citing information shared by Halycon.

The Hacker News has reached out to Oracle for further comment about the extortion campaign, and will update the story if we hear back.

In recent years, the highly prolific Cl0p group has been attributed to a number of attack waves exploiting zero-day flaws in Accellion FTA, SolarWinds Serv-U FTP, Fortra GoAnywhere MFT, and Progress MOVEit Transfer platforms, successfully breaching thousands of organizations.

Penetration testing is critical to uncovering real-world security weaknesses. With the shift into continuous testing and validation, it is time we automate the delivery of these results.

The way results are delivered hasn’t kept up with today’s fast-moving threat landscape. Too often, findings are packaged into static reports, buried in PDFs or spreadsheets, and handed off manually to already-overloaded IT and engineering teams. By the time remediation begins, days or even weeks may have passed since the issues were first discovered.

As we explored in our recent article on how automation is redefining pentest delivery, static, manual processes no longer cut it. Security teams need faster insights, cleaner handoffs, and more consistent workflows if they want to keep pace with modern exposure management.

That’s where automation makes the difference, ensuring findings move seamlessly from discovery to remediation in real time.

Where Should You Start?

Knowing automation matters is only the first step. The bigger challenge is understanding where to start. Not every workflow carries equal impact, and trying to automate everything at once can be overwhelming.

This article focuses on the seven key workflows that deliver the greatest immediate value.

By automating these first, security teams can accelerate delivery, reduce friction, and build the foundation for a modern, scalable approach to penetration test delivery.

Platforms like PlexTrac help automate pentest finding delivery in real time through robust, rule-based workflows. (No waiting for the final report!)

1. Create Tickets for Remediation When Findings Are Discovered

One of the most powerful ways to accelerate penetration test delivery is by integrating findings directly into the tools that engineering and IT teams already use. Instead of manually transcribing vulnerabilities into Jira, ServiceNow, or Azure DevOps, automation can create remediation tickets the moment findings are published.

This ensures findings reach the right teams without delay, while eliminating the risk of human error during handoff. For organizations with multiple stakeholders — from internal IT groups to external clients — automated ticketing ensures everyone works within familiar systems, without adding new friction. The result is faster remediation cycles, bidirectional visibility between teams, and ensuring all findings are tracked and resolved promptly.

PlexTrac supports each of these capabilities through its Workflow Automation Engine. Explore their Workflow Automation Playbook for deeper guidance on how these automations work together.

Automation Amplifies the Impact of Penetration Testers

By eliminating repetitive tasks, reducing delays, and ensuring findings reach the right people at the right time, automation frees teams to focus on what matters most: protecting the organization.

The seven workflows we’ve outlined are not only practical starting points, but also building blocks for more advanced automation in the future. Whether it’s auto-assigning findings, streamlining retests, or delivering updates directly to stakeholders, each step helps create a more resilient, efficient, and collaborative security practice.

Want to see what automated pentest workflows look like in action? Platforms like PlexTrac help teams unify and accelerate delivery, remediation, and closure in one platform, enabling real-time delivery and standardized workflows across the entire vulnerability lifecycle.