Author: Mark

Cybersecurity researchers have discovered over a dozen vulnerabilities in enterprise secure vaults from CyberArk and HashiCorp that, if successfully exploited, can allow remote attackers to crack open corporate identity systems and extract enterprise secrets and tokens from them.

The 14 vulnerabilities, collectively named Vault Fault, affect CyberArk Secrets Manager, Self-Hosted, and Conjur Open Source and HashiCorp Vault, according to a report from an identity security firm Cyata. Following responsible disclosure in May 2025, the flaws have been addressed in the following versions –

These include authentication bypasses, impersonation, privilege escalation bugs, code execution pathways, and root token theft. The most severe of the issues allows for remote code execution, allowing attackers to takeover the vault under certain conditions without any valid credentials –

• CVE-2025-49827 (CVSS score: 9.1) – Bypass of IAM authenticator in CyberArk Secrets Manager
• CVE-2025-49831 (CVSS score: 9.1) – Bypass of IAM authenticator in CyberArk Secrets Manager via a misconfigured network device
• CVE-2025-49828 (CVSS score: 8.6) – Remote code execution in CyberArk Secrets Manager
• CVE-2025-6000 (CVSS score: 9.1) – Arbitrary remote code execution via plugin catalog abuse in HashiCorp Vault
• CVE-2025-5999 (CVSS score: 7.2) – Privilege escalation to root via policy normalization in HashiCorp Vault

Two other shortcomings identified by the Israeli company made it possible to weaken lockout enforcement and bypass multi-factor authentication (MFA) controls when username_as_alias=true in the LDAP auth configuration and MFA enforcement is applied at the EntityID or IdentityGroup level.

In the attack chain detailed by the cybersecurity company, it’s possible to leverage a certificate entity impersonation issue (CVE-2025-6037) with CVE-2025-5999 and CVE-2025-6000 to break the authentication layer, escalate privileges, and achieve code execution. CVE-2025-6037 and CVE-2025-6000 are said to have existed for over eight and nine years, respectively.

Armed with this capability, a threat actor could further weaponize the access to delete the “core/hsm/_barrier-unseal-keys” file, effectively turning a security feature into a ransomware vector. What’s more, the Control Group feature can be undermined to send HTTP requests and receive responses without being audited, creating a stealthy communication channel.

“This research shows how authentication, policy enforcement, and plugin execution can all be subverted through logic bugs, without touching memory, triggering crashes, or breaking cryptography,” security researcher Yarden Porat said.

In a similar vein, the vulnerabilities discovered in CyberArk Secrets Manager/Conjur allow for authentication bypass, privilege escalation, information disclosure, and arbitrary code execution, effectively opening the door to a scenario where an attacker can craft an exploit chain to obtain unauthenticated access and run arbitrary commands.

The attack sequence unfolds as follows –

• IAM authentication bypass by forging valid-looking GetCallerIdentity responses
• Authenticate as a policy resource
• Abuse the Host Factory endpoint to create a new host that impersonates a valid policy template
• Assigned a malicious Embedded Ruby (ERB) payload directly to the host
• Trigger the execution of the attached ERB by invoking the Policy Factory endpoint

“This exploit chain moved from unauthenticated access to full remote code execution without ever supplying a password, token, or AWS credentials,” Porat noted.

The disclosure comes as Cisco Talos detailed security flaws in Dell’s ControlVault3 Firmware and its associated Windows APIs that could have been abused by attackers to bypass Windows login, extract cryptographic keys, as well as maintain access even after a fresh operating system install by deploying undetectable malicious implants into the firmware.

Together, these vulnerabilities create a potent remote post-compromise persistence method for covert access to high-value environments. The identified vulnerabilities are as follows –

• CVE-2025-25050 (CVSS score: 8.8) – An out-of-bounds write vulnerability exists in the cv_upgrade_sensor_firmware functionality that could lead to an out-of-bounds write
• CVE-2025-25215 (CVSS score: 8.8) – An arbitrary free vulnerability exists in the cv_close functionality that could lead to an arbitrary free
• CVE-2025-24922 (CVSS score: 8.8) – A stack-based buffer overflow vulnerability exists in the securebio_identify functionality that could lead to arbitrary code execution
• CVE-2025-24311 (CVSS score: 8.4) – An out-of-bounds read vulnerability exists in the cv_send_blockdata functionality that could lead to an information leak
• CVE-2025-24919 (CVSS score: 8.1) – A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality that could lead to arbitrary code execution

The vulnerabilities have been codenamed ReVault. More than 100 models of Dell laptops running Broadcom BCM5820X series chips are affected. There is no evidence that the vulnerabilities have been exploited in the wild.

The cybersecurity company also pointed out that a local attacker with physical access to a user’s laptop could pry it open and access the Unified Security Hub (USH) board, allowing an attacker to exploit any of the five vulnerabilities without having to log in or possess a full-disk encryption password.

“The ReVault attack can be used as a post-compromise persistence technique that can remain even across Windows reinstalls,” Cisco Talos researcher Philippe Laulheret said. “The ReVault attack can also be used as a physical compromise to bypass Windows Login and/or for any local user to gain Admin/System privileges.”

To mitigate the risk posed by these flaws, users are advised to apply the fixes provided by Dell; disable ControlVault services if peripherals like fingerprint readers, smart card readers, and near-field communication (NFC) readers are not being used; and turn off fingerprint login in high-risk situations.

Cybersecurity researchers are drawing attention to a new campaign that’s using legitimate generative artificial intelligence (AI)-powered website building tools like DeepSite AI and BlackBox AI to create replica phishing pages mimicking Brazilian government agencies as part of a financially motivated campaign.

The activity involves the creation of lookalike sites imitating Brazil’s State Department of Traffic and Ministry of Education, which then trick unsuspecting users into making unwarranted payments through the country’s PIX payment system, Zscaler ThreatLabz said.

These fraudulent sites are artificially boosted using search engine optimization (SEO) poisoning techniques to enhance their visibility, thereby increasing the likelihood of success of the attack.

“Source code analysis reveals signatures of generative AI tools, such as overly explanatory comments meant to guide developers, non-functional elements that would typically work on an authentic website, and trends like TailwindCSS styling, which is different from the traditional phishing kits used by threat actors,” Zscaler’s Jagadeeswar Ramanukolanu, Kartik Dixit, and Yesenia Barajas said.

The end goal of the attacks is to serve bogus forms that collect sensitive personal information, including Cadastro de Pessoas Físicas (CPF) numbers, Brazilian taxpayer identification numbers, residential addresses, and convince them to make a one-time payment of 87.40 reals ($16) to the threat actors via PIX under the guise of completing a psychometric and medical exam or secure a job offer.

To further increase the legitimacy of the campaign, the phishing pages are designed such that they employ staged data collection by progressively requesting additional information from the victim, mirroring the behavior of the authentic websites. The collected CPF numbers are also validated on the backend by means of an API created by the threat actor.

“The API domain identified during analysis is registered by the threat actor,” Zscaler said. “The API retrieves data associated with the CPF number and automatically populates the phishing page with information linked to the CPF.”

That said, the company noted that it’s possible the attackers may have acquired CPF numbers and user details through data breaches or by leveraging publicly exposed APIs with an authentication key, and then used the information to increase the credibility of their phishing attempts.

“While these phishing campaigns are currently stealing relatively small amounts of money from victims, similar attacks can be used to cause far more damage,” Zscaler noted.

Mass mailing Campaign Distributes Efimer Trojan to Steal Crypto

Brazil has also become the focus of a malspam campaign that impersonates lawyers from a major company to deliver a malicious script called Efimer and steal a victim’s cryptocurrency. Russian cybersecurity company Kaspersky said it detected the mass mailing campaign in June 2025, with early iteration of the malware dating all the way back to October 2024 and spread via infected WordPress websites.

“These emails falsely claimed the recipient’s domain name infringed on the sender’s rights,” researchers Vladimir Gursky and Artem Ushkov said. “This script also includes additional functionality that helps attackers spread it further by compromising WordPress sites and hosting malicious files there, among other techniques.”

Efimer, besides propagating via compromised WordPress sites and email, leverages malicious torrents as distribution vector, while communicating with its command-and-control (C2) server via the TOR network. Furthermore, the malware can extend its capabilities with additional scripts that can brute-force passwords for WordPress sites and harvest email addresses from specified websites for future email campaigns.

“The script receives domains [from the C2 server] and iterates through each one to find hyperlinks and email addresses on the website pages,” Kaspersky said, noting it also serves as a spam module engineered to fill out contact forms on target websites.

In the attack chain documented by Kaspersky, the emails come fitted with ZIP archives containing another password-protected archive and an empty file with a name specifying the password to open it. Present within the second ZIP file is a malicious Windows Script File (WSF) that, when launched, infects the machine with Efimer.

At the same time, the victim is displayed an error message stating the document cannot be opened on the device as a distraction mechanism. In reality, the WSF script saves two other files, “controller.js” (the trojan component) and “controller.xml,” and creates a scheduled task on the host using configuration extracted from “controller.xml.”

The “controller.js” is a clipper malware that’s designed to replace cryptocurrency wallet addresses the user copies to their clipboard with the wallet address under the attacker’s control. It can also capture screenshots and execute additional payloads received from the C2 server by connecting over the TOR network after installing a TOR proxy client on the infected computer.

Kaspersky said it also discovered a second version of Efimer that, along with clipper features, also incorporates anti-VM features and scans web browsers like Google Chrome and Brave for cryptocurrency wallet extensions related to Atomic, Electrum, and Exodus, among others, and exfiltrates the results of the search back to the C2 server.

The campaign is estimated to have impacted 5,015 users, based on its telemetry, with a majority of the infections concentrated in Brazil, India, Spain, Russia, Italy, Germany, the U.K., Canada, France, and Portugal.

“While its primary goal is to steal and swap cryptocurrency wallets, it can also leverage additional scripts to compromise WordPress sites and distribute spam,” the researchers said. “This allows it to establish a complete malicious infrastructure and spread to new devices.”

“Another interesting characteristic of this Trojan is its attempt to propagate among both individual users and corporate environments. In the first case, attackers use torrent files as bait, allegedly to download popular movies; in the other, they send claims about the alleged unauthorized use of words or phrases registered by another company.”

A fresh set of 60 malicious packages has been uncovered targeting the RubyGems ecosystem by posing as seemingly innocuous automation tools for social media, blogging, or messaging services to steal credentials from unsuspecting users.

The activity is assessed to be active since at least March 2023, according to the software supply chain security company Socket. Cumulatively, the gems have been downloaded more than 275,000 times.

That said, it bears noting that the figure may not accurately represent the actual number of compromised systems, as not every download results in execution, and it’s possible several of these gems have been downloaded to a single machine.

“Since at least March 2023, a threat actor using the aliases zon, nowon, kwonsoonje, and soonje has published 60 malicious gems posing as automation tools for Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver,” security researcher Kirill Boychenko said.

While the identified gems offered the promised functionality, such as bulk posting or engagement, they also harbored covert functionality to exfiltrate usernames and passwords to an external server under the threat actor’s control by displaying a simple graphical user interface to enter users’ credentials.

Some of the gems, such as njongto_duo and jongmogtolon, are notable for focusing on financial discussion platforms, with the libraries marketed as tools to flood investment-related forums with ticker mentions, stock narratives, and synthetic engagement to amplify visibility and manipulate public perception.

The servers that are used to receive the captured information include programzon[.]com, appspace[.]kr, and marketingduo[.]co[.]kr. These domains have been found to advertise bulk messaging, phone number scraping, and automated social media tools.

Victims of the campaign are likely to be grey-hat marketers who rely on such tools to run spam, search engine optimization (SEO), and engagement campaigns that artificially boost engagement.

“Each gem functions as a Windows-targeting infostealer, primarily (but not exclusively) aimed at South Korean users, as evidenced by Korean-language UIs and exfiltration to .kr domains,” Socket said. “The campaign evolved across multiple aliases and infrastructure waves, suggesting a mature and persistent operation.”

“By embedding credential theft functionality within gems marketed to automation-focused grey-hat users, the threat actor covertly captures sensitive data while blending into activity that appears legitimate.”

The development comes as GitLab detected multiple typosquatting packages on the Python Package Index (PyPI) that are designed to steal cryptocurrency from Bittensor wallets by hijacking the legitimate staking functions. The names of the Python libraries, which mimic bittensor and bittensor-cli, are below –

• bitensor (versions 9.9.4 and 9.9.5)
• bittenso-cli
• qbittensor
• bittenso

“The attackers appear to have specifically targeted staking operations for calculated reasons,” GitLab’s Vulnerability Research team said. “By hiding malicious code within legitimate-looking staking functionality, the attackers exploited both the technical requirements and user psychology of routine blockchain operations.”

The disclosure also follows new restrictions imposed by PyPI maintainers to secure Python package installers and inspectors from confusion attacks arising from ZIP parser implementations.

Put differently, PyPI said it will reject Python packages “wheels” (which are nothing but ZIP archives) that attempt to exploit ZIP confusion attacks and smuggle malicious payloads past manual reviews and automated detection tools.

“This has been done in response to the discovery that the popular installer uv has a different extraction behavior to many Python-based installers that use the ZIP parser implementation provided by the zipfile standard library module,” the Python Software Foundation’s (PSF) Seth Michael Larson said.

PyPI credited Caleb Brown from the Google Open Source Security Team and Tim Hatch from Netflix for reporting the issue. It also said it will warn users when they publish wheels whose ZIP contents don’t match the included RECORD metadata file.

“After 6 months of warnings, on February 1st, 2026, PyPI will begin rejecting newly uploaded wheels whose ZIP contents don’t match the included RECORD metadata file,” Larsen said.

When an organization’s credentials are leaked, the immediate consequences are rarely visible—but the long-term impact is far-reaching. Far from the cloak-and-dagger tactics seen in fiction, many real-world cyber breaches begin with something deceptively simple: a username and password.

According to Verizon’s 2025 Data Breach Investigations Report, leaked credentials accounted for 22% of breaches in 2024, outpacing phishing and even software exploitation. That’s nearly a quarter of all incidents, initiated not through zero-days or advanced persistent threats, but by logging in through the front door.

This quiet and persistent threat has been growing. New data compiled by Cyberint—an external risk management and threat intelligence company recently acquired by Check Point—shows a 160% increase in leaked credentials in 2025 compared to the previous year. The report, titled The Rise of Leaked Credentials, provides a look into not just the volume of these leaks, but how they are exploited and what organizations can do to get ahead of them. It’s worth reading in full for those responsible for risk reduction.

A Surge Fueled by Automation and Accessibility

The rise in leaked credentials is not just about volume. It’s also about speed and accessibility. In one month alone, Cyberint identified more than 14,000 corporate credential exposures tied to organizations whose password policies were still intact—implying active use and real threat potential.

Automation has made credential theft easier. Infostealer malware, often sold as a service, allows even low-skilled attackers to harvest login data from browsers and memory. AI-generated phishing campaigns can mimic tone, language, and branding with uncanny accuracy. Once credentials are gathered, they are either sold on underground marketplaces or offered in bundles on Telegram channels and illicit forums.

As outlined in the ebook, the average time it takes to remediate credentials leaked through GitHub repositories is 94 days. That’s a three-month window where an attacker could exploit access, undetected.

Seeing What Others Miss

Cyberint, now part of Check Point, uses automated collection systems and AI agents to monitor a wide range of sources across the open, deep, and dark web. These systems are designed to detect leaked credentials at scale, correlating details like domain patterns, password reuse, and organizational metadata to identify likely exposure—even when credentials are posted anonymously or bundled with others. Alerts are enriched with context that supports rapid triage, and integrations with SIEM and SOAR platforms enable immediate action, such as revoking credentials or enforcing password resets.

Then, Cyberint’s analysts step in. These teams conduct targeted investigations in closed forums, assess the credibility of threat actor claims, and piece together identity and attribution signals. By combining machine-driven coverage with direct access to underground communities, Cyberint provides both scale and precision—allowing teams to act before leaked credentials are actively used.

Credential leaks don’t only occur on monitored workstations. According to Cyberint data, 46% of the devices tied to corporate credential leaks were not protected by endpoint monitoring. These include personal laptops or unmanaged devices where employees access business applications, which can serve as blind spots for many teams.

Cyberint’s threat detection stack integrates with SIEM and SOAR tools, allowing automated responses like revoking access or forcing password resets the moment a breach is identified. This closes the gap between detection and action—a crucial factor when every hour counts.

The full report dives deeper into how these processes work, and how organizations can operationalize this intelligence across teams. You can read the full report here for details.

Exposure Detection Is Now a Competitive Advantage

Even with secure password policies, MFA, and modern email filtering, credential theft remains a statistical likelihood. What differentiates organizations is how fast they detect exposure and how tightly their remediation workflows are aligned.

Two playbooks featured in the ebook show how teams can respond effectively, both for employee and third-party vendor credentials. Each outlines procedures for detection, source validation, access revocation, stakeholder communication, and post-incident review.

But the key takeaway is this: proactive discovery matters more than reactive forensics. Waiting for threat actors to make the first move extends dwell time and increases the scope of damage.

The ability to identify credentials shortly after they appear in underground forums—before they’ve been packaged up or weaponized in automated campaigns—is what separates successful defense from reactive cleanup.

If you’re wondering whether your organization has exposed credentials floating in the deep or dark web, you don’t need to guess. You can check.

Mitigation Isn’t Just About Prevention

No single control can fully eliminate the risk of credential exposure, but multiple layers can reduce the impact:

• Strong Password Policy: Enforce regular password changes and prohibit reuse across platforms.
• SSO and MFA: Add barriers beyond the password. Even basic MFA makes credential stuffing far less effective.
• Rate Limiting: Set thresholds for login attempts to disrupt brute-force and credential spraying tactics.
• PoLP: Limit user access to only what’s needed, so compromised accounts don’t provide broader entry.
• Phishing Awareness Training: Educate users about social engineering techniques to reduce initial leaks.
• Monitoring Exposure: Implement detection across forums, marketplaces, and paste sites to flag mentions of corporate credentials.

Each of these controls is helpful, but even together, they aren’t enough if exposure goes unnoticed for weeks or months. That’s where detection intelligence from Cyberint comes in.

You can learn more methods by reading the full report.

Before the Next Password is Stolen

It’s not a matter of if an account associated with your domain will be exposed—it’s already happened. The real question is: has it been found?

Thousands of credentials tied to active accounts are currently being passed around marketplaces, forums, and Telegram chats. Many belong to users who still have access to corporate resources. Some are bundled with metadata like device type, session cookies, or even VPN credentials. Once shared, this information spreads fast and becomes impossible to retract.

Identifying exposures before they’re used is one of the few meaningful advantages defenders have. And it starts with knowing where to look.

Threat intelligence plays a central role in detection and response, especially when it comes to exposed credentials. Given their widespread circulation across criminal networks, credentials require focused monitoring and clear processes for mitigation.

Check if your company’s credentials are exposed across the open, deep, and dark web. The earlier they’re found, the fewer incidents there will be to respond to later.

A newly discovered campaign dubbed GreedyBear has leveraged over 150 malicious extensions to the Firefox marketplace that are designed to impersonate popular cryptocurrency wallets and steal more than $1 million in digital assets.

The published browser add-ons masquerade as MetaMask, TronLink, Exodus, and Rabby Wallet, among others, Koi Security researcher Tuval Admoni said.

What makes the activity notable is the threat actor’s use of a technique that the cybersecurity company called Extension Hollowing to bypass safeguards put in place by Mozilla and exploit user trust. It’s worth noting that some aspects of the campaign were first documented by security researcher Lukasz Olejnik last week.

“Rather than trying to sneak malicious extensions past initial reviews, they build legitimate-seeming extension portfolios first, then weaponize them later when nobody’s watching,” Admoni said in a report published Thursday.

To achieve this, the attackers first create a publisher account in the marketplace, upload innocuous extensions with no actual functionality to sidestep initial reviews, post fake positive reviews to create an illusion of credibility, and modify their innards with malicious capabilities.

The fake extensions are designed to capture wallet credentials entered by unsuspecting users and exfiltrate them to an attacker-controlled server. It also gathers victims’ IP addresses for likely tracking purposes.

The campaign is assessed to be an extension of a previous iteration called Foxy Wallet that involved the threat actors publishing no less than 40 malicious browser extensions for Mozilla Firefox with similar goals in mind. The latest spike in the number of extensions indicates the growing scale of the operation.

The fake wallet cryptocurrency draining attacks are augmented by campaigns that distribute malicious executables through various Russian sites that peddle cracked and pirated software, leading to the deployment of information stealers and even ransomware.

The GreedyBear actors have also found setting up scam sites that pose as cryptocurrency products and services, such as wallet repair tools, to possibly trick users into parting with their wallet credentials, or payment details, resulting in credential theft and financial fraud.

Koi Security said it was able to link the three attack verticals to a single threat actor based on the fact that the domains used in these efforts all point to a lone IP address: 185.208.156[.]66, which acts as a command-and-control (C2) server for data collection and management.

There is evidence to suggest that the extension-related attacks are branching out to target other browser marketplaces. This is based on the discovery of a Google Chrome extension named Filecoin Wallet that has used the same C2 server and the underlying logic to pilfer credentials.

To make matters worse, an analysis of the artifacts has uncovered signs that they may have been created using artificial intelligence (AI)-powered tools. This underscores how threat actors are increasingly misusing AI systems to enable attacks at scale and at speed.

“This variety indicates the group is not deploying a single toolset, but rather operating a broad malware distribution pipeline, capable of shifting tactics as needed,” Admoni said.

“The campaign has since evolved the difference now is scale and scope: this has evolved into a multi-platform credential and asset theft campaign, backed by hundreds of malware samples and scam infrastructure.”

Ethereum Drainers Pose as Trading Bots to Steal Crypto

The disclosure comes as SentinelOne flagged a widespread and ongoing cryptocurrency scam that entails distributing a malicious smart contract disguised as a trading bot in order to drain user wallets. The fraudulent Ethereum drainer scheme, active since early 2024, is estimated to have already netted the threat actors more than $900,000 in stolen profits.

“The scams are marketed through YouTube videos which explain the purported nature of the crypto trading bot and explain how to deploy a smart contract on the Remix Solidity Compiler platform, a web-based integrated development environment (IDE) for Web3 projects,” researcher Alex Delamotte said. “The video descriptions share a link to an external site that hosts the weaponized smart contract code.”

The videos are said to be AI-generated and are published from aged accounts that post other sources’ cryptocurrency news as playlists in an effort to build legitimacy. The videos also feature overwhelmingly positive comments, suggesting that the threat actors are actively curating the comment sections and removing any negative feedback.

One of the YouTube accounts pushing the scam was created in October 2022. This either indicates that the fraudsters slowly and steadily boosted the account’s credibility over time or may have purchased it from a service selling such aged YouTube channels off Telegram and dedicated sites like Accs-market and Aged Profiles.

The attack moves to the next phase when the victim deploys the smart contract, after which the victims are instructed to send ETH to the new contract, which then causes the funds to be routed to an obfuscated threat actor-controlled wallet.

“The combination of AI-generated content and aged YouTube accounts available for sale means that any modestly-resourced actor can obtain a YouTube account that the algorithm deems ‘established’ and weaponize the account to post customized content under a false pretext of legitimacy,” Delamotte said.

Aug 07, 2025Ravie LakshmananMalware / Threat Intelligence

The threat actors behind the SocGholish malware have been observed leveraging Traffic Distribution Systems (TDSs) like Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to sketchy content.

“The core of their operation is a sophisticated Malware-as-a-Service (MaaS) model, where infected systems are sold as initial access points to other cybercriminal organizations,” Silent Push said in an analysis.

SocGholish, also called FakeUpdates, is a JavaScript loader malware that’s distributed via compromised websites by masquerading as deceptive updates for web browsers like Google Chrome or Mozilla Firefox, as well as other software such as Adobe Flash Player or Microsoft Teams. It’s attributed to a threat actor called TA569, which is also tracked as Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543.

Attack chains involve deploying SocGholish to establish initial access and broker that compromised system access to a diverse clientele, including Evil Corp (aka DEV-0243), LockBit, Dridex, and Raspberry Robin (aka Roshtyak). Interestingly, recent campaigns have also leveraged Raspberry Robin as a distribution vector for SocGholish.

“SocGholish infections typically originate from compromised websites that have been infected in multiple different ways,” Silent Push said. “Website infections can involve direct injections, where the SocGholish payload delivery injects JS directly loaded from an infected webpage or via a version of the direct injection that uses an intermediate JS file to load the related injection.”

Besides redirecting to SocGholish domains via compromised websites, another primary source of traffic involves using third-party TDSes like Parrot TDS and Keitaro TDS to direct web traffic to specific websites or to landing pages after performing extensive fingerprinting of the site visitor and determining if they are of interest based on certain predefined criteria.

Keitaro TDS has long been involved in threat activity going beyond malvertising and scams to deliver more sophisticated malware, including exploit kits, loaders, ransomware, and Russian influence operations. Last year, Infoblox revealed how SocGholish, a VexTrio partner, used Keitaro to redirect victims to VexTrio’s TDSes.

“Because Keitaro also has many legitimate applications, it is frequently difficult or impossible to simply block traffic through the service without generating excessive false positives, although organizations can consider this in their own policies,” Proofpoint noted back in 2019.

Keitaro TDS is believed to be connected to TA2726, which has functioned as a traffic provider for both SocGholish and TA2727 by compromising websites and injecting a Keitaro TDS link, and then selling that to its customers.

“The intermediate C2 [command-and-control] framework dynamically generates payloads that victims download at runtime,” Silent Push noted.

“It is essential to note that across the execution framework, from the initial SocGholish injection to the on-device execution of the Windows implant, the entire process is continuously tracked by SocGholish’s C2 framework. If, at any time, the framework determines that a given victim is not ‘legitimate,’ it will stop the serving of a payload.”

The cybersecurity company has also assessed that there are possibly former members who are involved in Dridex, Raspberry Robin, and SocGholish, given the overlapping nature of the campaigns observed.

The development comes as Zscaler detailed an updated version of Raspberry Robin that features improved obfuscation methods, changes to its network communication process, and embeds pointing to intentionally corrupted TOR C2 domains, signaling continued efforts to avoid detection and hinder reverse engineering efforts.

“The network encryption algorithm has changed from AES (CTR mode) to Chacha-20,” the company said. “Raspberry Robin has added a new local privilege escalation (LPE) exploit (CVE-2024-38196) to gain elevated privileges on targeted systems.”

The disclosure also follows an evolution of DarkCloud Stealer attacks that employ phishing emails to deliver a ConfuserEx-protected version of the stealer payload written in Visual Basic 6, which is launched and executed using a technique called process hollowing.

“DarkCloud Stealer is typical of an evolution in cyberthreats, leveraging obfuscation techniques and intricate payload structures to evade traditional detection mechanisms,” Unit 42 said. “The shift in delivery methods observed in April 2025 indicates an evolving evasion strategy.”

Aug 07, 2025Ravie LakshmananVulnerability / Threat Intelligence

Cybersecurity researchers have disclosed multiple security flaws in video surveillance products from Axis Communications that, if successfully exploited, could expose them to takeover attacks.

“The attack results in pre-authentication remote code execution on Axis Device Manager, a server used to configure and manage fleets of cameras, and the Axis Camera Station, client software used to view camera feeds,” Claroty researcher Noam Moshe said.

“Furthermore, using internet scans of exposed Axis.Remoting services, an attacker can enumerate vulnerable servers and clients, and carry out granular, highly targeted attacks.”

The list of identified flaws is below –

• CVE-2025-30023 (CVSS score: 9.0) – A flaw in the communication protocol used between client and server that could lead to an authenticated user performing a remote code execution attack (Fixed in Camera Station Pro 6.9, Camera Station 5.58, and Device Manager 5.32)
• CVE-2025-30024 (CVSS score: 6.8) – A flaw in the communication protocol used between client and server that could be leveraged to execute an adversary-in-the-middle (AitM) attack (Fixed in Device Manager 5.32)
• CVE-2025-30025 (CVSS score: 4.8) – A flaw in the communication protocol used between the server process and the service control that could lead to a local privilege escalation (Fixed in Camera Station Pro 6.8 and Device Manager 5.32)
• CVE-2025-30026 (CVSS score: 5.3) – A flaw in the Axis Camera Station Server that could lead to an authentication bypass (Fixed in Camera Station Pro 6.9 and Camera Station 5.58)

Successful exploitation of the aforementioned vulnerabilities could allow an attacker to assume an AitM position between the Camera Station and its clients, effectively making it possible to alter requests/responses and execute arbitrary actions on either the server or client systems. There is no evidence that the issues have been exploited in the wild.

Claroty said it found more than 6,500 servers that expose the proprietary Axis.Remoting protocol and its services over the internet, out of which nearly 4,000 of them are located in the U.S.

“Successful exploits give attackers system-level access on the internal network and the ability to control each of the cameras within a specific deployment,” Moshe noted. “Feeds can be hijacked, watched, and/or shut down. Attackers can exploit these security issues to bypass authentication to the cameras and gain pre-authentication remote code execution on the devices.”

Aug 07, 2025Ravie LakshmananVulnerability / Threat Intelligence

Cybersecurity researchers have disclosed multiple security flaws in video surveillance products from Axis Communications that, if successfully exploited, could expose them to takeover attacks.

“The attack results in pre-authentication remote code execution on Axis Device Manager, a server used to configure and manage fleets of cameras, and the Axis Camera Station, client software used to view camera feeds,” Claroty researcher Noam Moshe said.

“Furthermore, using internet scans of exposed Axis.Remoting services, an attacker can enumerate vulnerable servers and clients, and carry out granular, highly targeted attacks.”

The list of identified flaws is below –

• CVE-2025-30023 (CVSS score: 9.0) – A flaw in the communication protocol used between client and server that could lead to an authenticated user performing a remote code execution attack (Fixed in Camera Station Pro 6.9, Camera Station 5.58, and Device Manager 5.32)
• CVE-2025-30024 (CVSS score: 6.8) – A flaw in the communication protocol used between client and server that could be leveraged to execute an adversary-in-the-middle (AitM) attack (Fixed in Device Manager 5.32)
• CVE-2025-30025 (CVSS score: 4.8) – A flaw in the communication protocol used between the server process and the service control that could lead to a local privilege escalation (Fixed in Camera Station Pro 6.8 and Device Manager 5.32)
• CVE-2025-30026 (CVSS score: 5.3) – A flaw in the Axis Camera Station Server that could lead to an authentication bypass (Fixed in Camera Station Pro 6.9 and Camera Station 5.58)

Successful exploitation of the aforementioned vulnerabilities could allow an attacker to assume an AitM position between the Camera Station and its clients, effectively making it possible to alter requests/responses and execute arbitrary actions on either the server or client systems. There is no evidence that the issues have been exploited in the wild.

Claroty said it found more than 6,500 servers that expose the proprietary Axis.Remoting protocol and its services over the internet, out of which nearly 4,000 of them are located in the U.S.

“Successful exploits give attackers system-level access on the internal network and the ability to control each of the cameras within a specific deployment,” Moshe noted. “Feeds can be hijacked, watched, and/or shut down. Attackers can exploit these security issues to bypass authentication to the cameras and gain pre-authentication remote code execution on the devices.”

Aug 07, 2025Ravie LakshmananMalware / Threat Intelligence

Cybersecurity researchers have discovered a set of 11 malicious Go packages that are designed to download additional payloads from remote servers and execute them on both Windows and Linux systems.

“At runtime the code silently spawns a shell, pulls a second-stage payload from an interchangeable set of .icu and .tech command-and-control (C2) endpoints, and executes it in memory,” Socket security researcher Olivia Brown said.

The list of identified packages is below –

• github.com/stripedconsu/linker
• github.com/agitatedleopa/stm
• github.com/expertsandba/opt
• github.com/wetteepee/hcloud-ip-floater
• github.com/weightycine/replika
• github.com/ordinarymea/tnsr_ids
• github.com/ordinarymea/TNSR_IDS
• github.com/cavernouskina/mcp-go
• github.com/lastnymph/gouid
• github.com/sinfulsky/gouid
• github.com/briefinitia/gouid

“Because the second-stage payload delivers a bash-scripted payload for Linux systems and retrieves Windows executables via certutil.exe, both Linux build servers and Windows workstations are susceptible to compromise,” Brown said.

Complicating matters is the decentralized nature of the Go ecosystem, which allows modules to be directly imported from GitHub repositories, causing significant developer confusion when searches for a package on pkg.go.dev can return several similarly named modules, although they may not necessarily be malicious in nature.

“Attackers exploit the confusion, carefully crafting their malicious module namespaces to appear trustworthy at a glance, significantly increasing the likelihood developers inadvertently integrate destructive code into their projects,” Socket said.

It’s assessed that the packages are the work of a single threat actor due to C2 reuse and the format of the code. The findings underscore the continued supply chain risks arising from the cross-platform nature of Go to push malware.

The development coincides with the discovery of two npm packages, naya-flore and nvlore-hsc, that masquerade as WhatsApp socket libraries while incorporating a phone number-based kill switch that can remotely wipe developers’ systems.

The packages, which have been collectively downloaded over 1,110 downloads, continue to remain available on the npm registry as of writing. Both libraries were published by a user named “nayflore” in early July 2025.

Central to their operations is their ability to retrieve a remote database of Indonesian phone numbers from a GitHub repository. Once the package is executed, it first checks if the current phone is in the database, and, if not, proceeds to recursively delete all files using the command “rm -rf *” following a WhatsApp pairing process.

The packages have also been found to contain a function to exfiltrate device information to an external endpoint, but calls to the function have been commented out, suggesting that the threat actor behind the scheme is signaling ongoing development.

“naya-flore also contains a hardcoded GitHub Personal Access Token that provides unauthorized access to private repositories,” security researcher Kush Pandya said. “The purpose of this token remains unclear from the available code.”

“The presence of an unused GitHub token could indicate incomplete development, planned functionality that was never implemented, or usage in other parts of the codebase not included in these packages.”

Open-source repositories continue to be an attractive malware distribution channel in software supply chains, with the packages designed to steal sensitive information and even targeting cryptocurrency wallets in some cases.

“While overall tactics have not evolved significantly, attackers continue to rely on proven techniques, such as minimizing file count, using installation scripts, and employing discreet data exfiltration methods that maximize impact,” Fortinet FortiGuard Labs said.

“A continued rise in obfuscation also further notes the importance of vigilance and ongoing monitoring required by users of these services. And as OSS continues to grow, so too will the attack surface for supply chain threats.”

Now that we are well into 2025, cloud attacks are evolving faster than ever and artificial intelligence (AI) is both a weapon and a shield. As AI rapidly changes how enterprises innovate, security teams are now tasked with a triple burden:

1. Secure AI embedded in every part of the business.
2. Use AI to defend faster and smarter.
3. Fight AI-powered threats that execute in minutes—or seconds.

Security is no longer about balancing speed and safety. In today’s cloud-native world, real-time, context-aware defense is a baseline expectation, not a competitive edge. The recent Sysdig Cloud Defense Report 2025 breaks down this tectonic shift. Below, we unpack its key insights for security practitioners aiming to stay ahead of an accelerating threat landscape.

AI: The Double-Edged Sword of Cloud Security

AI is transforming the security paradigm. It’s both empowering defenders while creating entirely new attack surfaces.

AI for Security: Fighting Fire with Fire

Attackers are automating faster. In campaigns like CRYSTALRAY, adversaries chain together open-source tools to perform reconnaissance, lateral movement, and credential harvesting. These attacks show a level of coordination and speed that would be impossible without automation. Security teams are responding in kind.

Tools like Sysdig Sage™, a fully integrated AI cloud security analyst, are driving mean time to respond down by 76%. More than half of Sysdig customers now use Sysdig Sage, with the software and business services sectors leading adoption.

Key ways security teams are leveraging AI include:

• Contextual enrichment: AI quickly correlates related events and aggregates data that makes alerts understandable.
• Summarization and deduplication: AI links alerts to previous incidents and helps focus on what’s relevant.
• Workflow automation: AI handles repetitive tasks like ticket creation, vulnerability analysis, and escalation logic.
• Decision acceleration: By acting as a tier-one analyst, AI allows human defenders to move faster and make informed decisions.

The lesson is simple: in a cloud world where attacks happen at machine speed, defense must be equally agile.

Security for AI: Protecting the New Digital Crown Jewels

But here’s the flip side: AI itself is now a prime target that needs to be protected. The Sysdig Threat Research Team has been identifying and reporting more attacks against LLMs and other AI tools since mid-2024. Sysdig observed a 500% surge in cloud workloads containing AI/ML packages in 2024, indicating massive adoption. However, a recent 25% decline suggests teams are buckling down on security and improving governance.

Recommendations to secure AI systems include securing APIs by authenticating and restricting access to public endpoints, hardening configurations by disabling open defaults like unauthenticated admin panels, enforcing least privilege to control root access and limit elevated permissions, monitoring for shadow AI through workload audits for unauthorized models and packages, and implementing data guardrails to filter prompts and outputs for sensitive information. The bottom line: AI requires the same level of rigor and protection as any other business-critical system, especially as it becomes deeply embedded across both customer-facing and back-end operations.

Runtime Security: No Longer Optional, But Foundational

Prevention may reign supreme, but in today’s cloud-native, ephemeral world, runtime visibility is your best shot at catching in motion that slips through the cracks.

The Case for Real-Time Threat Detection

Runtime detection isn’t just a defensive layer—it’s a strategic necessity in today’s cloud-native environments. With 60% of containers living for one minute or less and CI/CD pipelines emerging as high-value targets due to misconfigurations and insecure defaults, the window to detect and respond is incredibly narrow. Cloud attacks now unfold in 10 minutes or less, prompting the creation of the 555 Cloud Detection and Response Benchmark: a framework that guides security teams to detect threats in 5 seconds, investigate in 5 minutes, and respond within the next 5 minutes.

Why Runtime Context Matters

Traditional vulnerability scans bury teams under noise. But less than 6% of high and critical vulnerabilities are active in production. That means the rest are distractions.

Runtime insights help security teams:

• Prioritize real risks: Focus remediation on vulnerabilities loaded into memory.
• Reduce noise: Cut vulnerability lists by up to 99%.
• Collaborate better: Provide developers with clear, contextual remediation steps.

The CI/CD Pipeline: A Growing Target

CI/CD workflows sit at the heart of modern DevOps, enabling rapid, automated delivery. But in 2025, they’ve also emerged as an attractive and increasingly exploited attack surface. From repository compromises to misconfigured automation, attackers are finding creative ways to infiltrate build systems—often before code even reaches production.

Several high-impact vulnerabilities uncovered this year reveal just how exposed the CI/CD pipeline can be. These incidents serve as a wake-up call: your build system is part of your attack surface—and without real-time visibility, you might not spot an attack until it’s too late.

Tools like Falco and Falco Actions are helping defenders stay one step ahead by detecting threats as they execute, not after the damage is done.

Open Source: The Heart of Modern Security Innovation

Security has always been about community. Attackers share tools, and defenders must too. Open source tools now power much of the modern cloud defense strategy.

Falco has evolved from a basic intrusion detection system (IDS) into a powerful real-time detection engine, now supporting eBPF for deeper visibility into cloud-native environments, all with the support of the open source community. It integrates with tools like Falco Actions, Falcosidekick, and Falco Talon to provide broader control, automation, and workflow customization. This makes Falco especially valuable in regulated sectors such as finance, health care, and government, where self-hosted deployments and custom detection rules are critical for compliance and control.

The EU Data Act and the Rise of Sovereign Security

With regulations like the EU Data Act taking effect in September 2025, organizations are required to control and localize their data. Open source plays a critical role in meeting these requirements by enabling self-hosted deployments, offering transparent codebases for audit and compliance, and fostering community-driven innovation that supports trust and flexibility.