Category: Cybersecurity

Identity-based attacks are on the rise. Attacks in which malicious actors assume the identity of an entity to easily gain access to resources and sensitive data have been increasing in number and frequency over the last few years. Some recent reports estimate that 83% of attacks involve compromised secrets. According to reports such as the Verizon DBIR, attackers are more commonly using stolen credentials to gain their initial foothold, rather than exploiting a vulnerability or misconfiguration.

Attackers are not just after human identities that they can assume, though. More commonly, they are after Non-Human Identities (NHIs), which outnumber human identities in the enterprise by at least 50 to one. Unlike humans, machines have no good way to achieve multi-factor authentication, and we, for the most part, have been relying on credentials alone, in the form of API keys, bearer tokens, and JWTs.

Traditionally, identity and access management (IAM) has been built on the idea of persistent human traits over time. It is rare for a person to change their name, fingerprints, or DNA. We can assume that if you went through an identity verification process, you are confirmed to be the human you claim to be. Based on this, you can obtain certain permissions dependent on your role within the organization and your level of trust.

Securing machine identities means getting a handle on the unique trait that bad actors actually care about, namely, their access keys. If we treat these highly valued secrets as the way to uniquely identify the identities we are protecting, then we can leverage that into true observability around how access is granted and used throughout your enterprise.

Accounting For NHIs Through A Fractured Lens

Before we take a deeper look at secrets as unique identifiers, let’s first consider how we currently talk about NHIs in the enterprise.

Most teams struggle with defining NHIs. The canonical definition is simply “anything that is not a human,” which is necessarily a wide set of concerns. NHIs manifest differently across cloud providers, container orchestrators, legacy systems, and edge deployments. A Kubernetes service account tied to a pod has distinct characteristics compared to an Azure managed identity or a Windows service account. Every team has historically managed these as separate concerns. This patchwork approach makes it nearly impossible to create a consistent policy, let alone automate governance across environments.

The exponential growth of NHIs has left a gap in traditional asset inventory tools, and access reviewers can’t keep pace. Enforcement of consistent permissions or security controls across such a wildly varied set of identities seems near impossible. This is on top of aging legacy systems that have not had their passwords rotated or audited in years.

Compounding this issue is the lack of metadata and ownership around NHIs. Questions like “What is this identity for?” or “Who owns this token?” frequently go unanswered, as the person who created and released that identity into the system has moved on. This vacuum of accountability makes it difficult to apply basic lifecycle practices such as rotation or decommissioning. NHIs that were created for testing purposes often persist long after the systems they were tied to are discontinued, accumulating risk silently.

The UUIDs Of Your Zero Trust Protect Surface

No matter what form or shape an NHI takes, in order to do work as part of an application or system, it needs to authenticate to access data and resources and do its work.

Most commonly, this takes the form of secrets, which look like API keys, certificates, or tokens. These are all inherently unique and can act as cryptographic fingerprints across distributed systems. When used in this way, secrets used for authentication become traceable artifacts tied directly to the systems that generated them. This allows for a level of attribution and auditing that’s difficult to achieve with traditional service accounts. For example, a short-lived token can be directly linked to a specific CI job, Git commit, or workload, allowing teams to answer not just what is acting, but why, where, and on whose behalf.

This access-as-the-identifier model can bring clarity to your inventory, offering a unified view of all your machines, workloads, task runners, and even agent-based AI systems. Secrets offer a consistent and machine-verifiable method of indexing NHIs, letting teams centralize visibility into what exists, who owns it, and what it can access, regardless of whether it’s running on Kubernetes, GitHub Actions, or a public cloud.

Critically, this model also supports lifecycle management and Zero Trust principles more naturally than legacy identity frameworks. A secret is only valid when it can be used, which is a provable state, which means unused or expired secrets can be automatically flagged for cleanup. This can stop identity sprawl and ghost accounts, which are endemic in NHI-heavy environments.

The Security Ramifications Of Secrets At NHI Identifiers

If we are going to talk about secrets as the unique identifier for machines and workloads, we do need to address the fact that they have a nasty tendency to leak. According to our State of Secrets Sprawl 2025 research, almost 23.8 million secrets were leaked on public GitHub repositories in 2024, a 25% year-over-year increase. Worse yet, a full 35% of the private repositories we researched contained secrets, 8 times as many as we found in public repositories.

Breaches over the past several years, from Uber to the U.S. Department of the Treasury, have shown that when secrets are scattered across pipelines, codebases, containers, and cloud configs without consistent management, they become a silent invitation to attackers. These leaked or stolen credentials offer attackers a low-friction path to compromise.

A leaked API key or NHI token allows anyone who attempts to use it to establish a valid session, with no mechanism in place to verify its legitimacy or the context of its use. If the secret is tied to a long-lived, over-permissioned bot or service account, the attacker instantly inherits all that trust.

The problem is amplified further when secrets outlive their purpose. Orphaned secrets, credentials forgotten about and never decommissioned, abandoned CI/CD jobs, or one-off projects, linger quietly, often with dangerous levels of access and zero visibility. Without ownership, expiration, or revocation processes, they become ideal entry points for attackers looking for stealth and persistence.

GitGuardian Can Inventory All Your Secrets, Not Just The Leaked Ones

Secrets can only live in two possible places: where they belong, safely stored in a secrets management vault, or leaked elsewhere. We have been helping people find the secrets leaked where they are not supposed to be for years now, with our internally focused Secrets Detection offering and our Public Monitoring platform.

Now, GitGuardian can act as your cross-environment NHI inventory platform, helping you gain visibility into what secrets are in your vaults, along with metadata around how they are used. GitGuardian builds a unified, contextualized inventory of every secret, regardless of origin or format. Whether it’s injected via Kubernetes, embedded in an Ansible playbook, or retrieved from a vault like HashiCorp, each secret is fingerprinted and monitored.

This cross-environment awareness allows teams to quickly see

• Which NHIs have keys leaked publicly.
• If any internal leaks happened for those same secrets.
• Any secrets redundantly stored in multiple vaults
• If the secret is long lived and needs rotation

The GitGuardian NHI Governance Inventory dashboard showing policy violations and risk scores.

Crucially, GitGuardian also detects “zombie” credentials, secrets that persist without authorization or oversight. Rich metadata, like creator attribution, secret lifespan, permissions scope, and context, empower governance over these non-human actors, enabling real-time inventory alignment and accountability.

This visibility isn’t just operational, it’s strategic. GitGuardian enables centralized policy enforcement across all secret sources, transforming reactive secrets detection into proactive identity governance. By mapping secrets to NHIs and enforcing lifecycle policies like expiration, rotation, and revocation, GitGuardian closes the loop between discovery, vaulting, and enforcement

Beyond Inventory And Towards NHI Governance

The rise of non-human identities has reshaped the identity landscape, and with it, the attack surface. Credentials aren’t just access keys. Secrets are the mechanism that allows an attacker to assume an identity that already has persistent access to your data and resources. Without visibility into where those credentials live, how they’re used, and whether they’re still valid, organizations are left vulnerable to silent compromise.

GitGuardian’s Secrets Security + NHI Governance = Non-Human Identity Security

Treating secrets as the UUIDs of modern workloads is the clearest path to scalable, cross-platform NHI governance. But that approach only works if you can see the full picture: vaults, pipelines, ephemeral infrastructure, and everything in between.

GitGuardian delivers that visibility. We are turning fragmented credential sprawl into a unified, actionable inventory. By anchoring NHI identity to its authenticating secret, and layering in rich metadata and lifecycle controls, GitGuardian enables security teams to detect issues early, identify over-permissioned and orphaned credentials, and enforce revocation before a breach occurs.

We are helping complex modern enterprises reduce the likelihood of successful identity-based attacks. When credentials are monitored, scoped, and managed in real time, they’re no longer low-hanging fruit for attackers.

We would love to give you a full demo of the capabilities of the GitGuardian NHI Security platform and help you get unparalleled insight into your NHIs and secrets security. And if you’d rather explore on your own, take a guided tour of GitGuardian with our interactive demo!

The U.S. Federal Bureau of Investigation (FBI) has revealed that it has observed the notorious cybercrime group Scattered Spider broadening its targeting footprint to strike the airline sector.

To that end, the agency said it’s actively working with aviation and industry partners to combat the activity and help victims.

“These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access,” the FBI said in a post on X. “These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts.”

Scattered Spider attacks are also known to target third-party IT providers to obtain access to large organizations, putting trusted vendors and contractors at risk of potential attacks. The attacks typically pave the way for data theft, extortion, and ransomware.

In a statement shared on LinkedIn, Palo Alto Networks Unit 42’s Sam Rubin confirmed the threat actor’s attacks against the aviation industry, urging organizations to be on “high alert” for advanced social engineering attempts and suspicious multi-factor authentication (MFA) reset requests

Google-owned Mandiant, which recently warned of Scattered Spider’s targeting of the U.S. insurance sector, also echoed the warning, stating it’s aware of multiple incidents in the airline and transportation verticals that resemble the modus operandi of the hacking crew.

“We recommend that the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts (which can be used by the threat actor to perform self-service password resets), reset passwords, add devices to MFA solutions, or provide employee information (e.g. employee IDs) that could be used for a subsequent social engineering attacks,” Mandiant’s Charles Carmakal said.

One reason Scattered Spider continues to succeed is how well it understands human workflows. Even when technical defenses like MFA are in place, the group focuses on the people behind the systems—knowing that help desk staff, like anyone else, can be caught off guard by a convincing story.

This isn’t about brute-force hacking; it’s about building trust just long enough to sneak in. And when time is short or pressure is high, it’s easy to see how a fake employee request could slip through. That’s why organizations should look beyond traditional endpoint security and rethink how identity verification happens in real time.

The activity tracked as Scattered Spider overlaps with threat clusters such as Muddled Libra, Octo Tempest, Oktapus, Scatter Swine, Star Fraud, and UNC3944. The group, originally known for its SIM swapping attacks, counts social engineering, helpdesk phishing, and insider access among its roster of initial access techniques to penetrate hybrid environments.

“Scattered Spider represents a major evolution in ransomware risk, combining deep social engineering, layered technical sophistication, and rapid double‑extortion capabilities,” Halcyon said. “In a matter of hours, the group can breach, establish persistent access, harvest sensitive data, disable recovery mechanisms, and detonate ransomware across both on‑premises and cloud environments.”

What makes this group especially dangerous is its mix of patient planning and sudden escalation. Scattered Spider doesn’t just rely on stolen credentials—it spends time gathering intel on its targets, often combining social media research with public breach data to impersonate people with scary accuracy. This kind of hybrid threat, blending business email compromise (BEC) techniques with cloud infrastructure sabotage, can fly under the radar until it’s too late.

Scattered Spider is part of an amorphous collective called the Com (aka Comm), which also counts other groups like LAPSUS$. It’s assessed to be active at least since 2021.

“This group evolved in the Discord and Telegram communication platforms, drawing in members from diverse backgrounds and interests,” Unit 42 said. “The loose-knit and fluid nature of this group makes it inherently difficult to disrupt.”

In a report published Friday, ReliaQuest detailed how Scattered Spider actors breached an unnamed organization late last month by targeting its chief financial officer (CFO), and abused their elevated access to conduct an extremely precise and calculated attack.

The threat actors have been found to carry out extensive reconnaissance to single out high-value individuals, especially impersonating the CFO in a call to the company’s IT help desk and persuading them to reset the MFA device and credentials tied to their account.

The attackers also leveraged the information obtained during reconnaissance to enter the CFO’s date of birth and the last four digits of their Social Security Number (SSN) into the company’s public login portal as part of their login flow, ultimately confirming their employee ID and validating the gathered information.

“Scattered Spider favors C-Suite accounts for two key reasons: They’re often over-privileged, and IT help-desk requests tied to these accounts are typically treated with urgency, increasing the likelihood of successful social engineering,” the company said. “Access to these accounts gives Scattered Spider a pathway into critical systems, making reconnaissance a cornerstone of its tailored attack plans.”

Armed with access to the CFO’s account, Scattered Spider actors performed a series of actions on the target environment that demonstrated its ability to adapt and rapidly escalate their attack –

• Conduct Entra ID enumeration on privileged accounts, privileged groups, and service principals for privilege escalation and persistence
• Perform SharePoint discovery to locate sensitive files and collaborative resources, and gain deeper insights about the organization’s workflows and IT and cloud architectures so as to tailor their attack
• Infiltrate the Horizon Virtual Desktop Infrastructure (VDI) platform using the CFO’s stolen credentials and compromising two additional accounts via social engineering, extract sensitive information, and establish a foothold in the virtual environment
• Breach the organization’s VPN infrastructure to secure uninterrupted remote access to internal resources
• Reinstate previously decommissioned virtual machines (VMs) and create new ones to access the VMware vCenter infrastructure, shut down a virtualized production domain controller, and extract the contents of the NTDS.dit database file
• Use their elevated access to crack open CyberArk password vault and obtain more than 1,400 secrets
• Advance the intrusion further using the privileged accounts, including assigning administrator roles to compromised user accounts
• Use legitimate tools like ngrok to set up persistence to VMs under their control
• Resort to a “scorched-earth” strategy after its presence was detected by the organization’s security team, prioritizing “speed over stealth” to deliberately delete Azure Firewall policy rule collection groups, hampering regular business operations

ReliaQuest also described what was essentially a tug-of-war between the incident response team and the threat actors for the control of the Global Administrator role within the Entra ID tenant, a battle that only ended after Microsoft itself stepped in to restore control over the tenant.

The bigger picture here is that social engineering attacks are no longer just phishing emails—they’ve evolved into full-blown identity threat campaigns, where attackers follow detailed playbooks to bypass every layer of defense. From SIM swapping to vishing and privilege escalation, Scattered Spider shows how quickly attackers can move when the path is clear.

For most companies, the first step isn’t buying new tools—it’s tightening internal processes, especially for things like help desk approvals and account recovery. The more you rely on people for identity decisions, the more important it becomes to train them with real-world examples.

“Scattered Spider’s initial access methods expose a critical weakness in many organizations: Reliance on human-centric workflows for identity verification,” security researchers Alexa Feminella and James Xiang said.

“By weaponizing trust, the group bypassed strong technical defenses and demonstrated how easily attackers can manipulate established processes to achieve their goals. This vulnerability highlights the urgent need for businesses to reevaluate and strengthen ID verification protocols, reducing the risk of human error as a gateway for adversaries.”

Jun 28, 2025Ravie LakshmananMalware / Cyber Warfare

The threat actor behind the GIFTEDCROOK malware has made significant updates to turn the malicious program from a basic browser data stealer to a potent intelligence-gathering tool.

“Recent campaigns in June 2025 demonstrate GIFTEDCROOK’s enhanced ability to exfiltrate a broad range of sensitive documents from the devices of targeted individuals, including potentially proprietary files and browser secrets,” Arctic Wolf Labs said in a report published this week.

“This shift in functionality, combined with the content of its phishing lures, […] suggests a strategic focus on intelligence gathering from Ukrainian governmental and military entities.”

GIFTEDCROOK was first documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in early April 2025 in connection with a campaign targeting military entities, law enforcement agencies, and local self-government bodies.

The activity, attributed to a hacking group it tracks as UAC-0226, involves the use of phishing emails containing macro-laced Microsoft Excel documents that act as a conduit to deploy GIFTEDCROOK.

An information stealer at its core, the malware is designed to steal cookies, browsing history, and authentication data from popular web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.

Arctic Wolf’s analysis of the artifacts has revealed that the stealer started off as a demo in February 2025, before gaining new features with versions 1.2 and 1.3.

These new iterations include the ability to harvest documents and files below 7 MB in size, specifically looking for files created or modified within the last 45 days. The malware specifically searches for the following extensions: .doc, .docx, .rtf, .pptx, .ppt, .csv, .xls, .xlsx, .jpeg, .jpg, .png, .pdf, .odt, .ods, .rar, .zip, .eml, .txt, .sqlite, and .ovpn.

The email campaigns leverage military-themed PDF lures to entice users into clicking on a Mega cloud storage link that hosts a macro-enabled Excel workbook (“Список оповіщених військовозобов’язаних організації 609528.xlsm”), causing GIFTEDCROOK to be downloaded when the recipient turns on macros. Many users don’t realize how common macro-enabled Excel files are in phishing attacks. They slip past defenses because people often expect spreadsheets in work emails—especially ones that look official or government-related.

The captured information is bundled into a ZIP archive and exfiltrated to an attacker-controlled Telegram channel. If the total archive size exceeds 20 MB, it is broken down into multiple parts. By sending stolen ZIP archives in small chunks, GIFTEDCROOK avoids detection and skips around traditional network filters. In the final stage, a batch script is executed to erase traces of the stealer from the compromised host.

This isn’t just about stealing passwords or tracking online behavior—it’s targeted cyber espionage. The malware’s new ability to sift through recent files and grab documents like PDFs, spreadsheets, and even VPN configs points to a bigger goal: collecting intelligence. For anyone working in public sector roles or handling sensitive internal reports, this kind of document stealer poses a real risk—not just to the individual, but to the entire network they’re connected to.

“The timing of the campaigns discussed in this report demonstrates clear alignment with geopolitical events, particularly the recent negotiations between Ukraine and Russia in Istanbul,” Arctic Wolf said.

“The progression from simple credential theft in GIFTEDCROOK version 1, to comprehensive document and data exfiltration in versions 1.2 and 1.3, reflects coordinated development efforts where malware capabilities followed geopolitical objectives to enhance data collection from compromised systems in Ukraine.”

Jun 28, 2025Ravie LakshmananPrivacy / Data Protection

Facebook, the social network platform owned by Meta, is asking for users to upload pictures from their phones to suggest collages, recaps, and other ideas using artificial intelligence (AI), including those that have not been directly uploaded to the service.

According to TechCrunch, which first reported the feature, users are being served a new pop-up message asking for permission to “allow cloud processing” when they are attempting to create a new Story on Facebook.

“To create ideas for you, we’ll select media from your camera roll and upload it to our cloud on an ongoing basis, based on info like time, location or themes,” the company notes in the pop-up. “Only you can see suggestions. Your media won’t be used for ads targeting. We’ll check it for safety and integrity purposes.”

Should users consent to their photos being processed on the cloud, Meta also states that they are agreeing to its AI terms, which allow it to analyze their media and facial features.

On a help page, Meta says “this feature isn’t yet available for everyone,” and that it’s limited to users in the United States and Canada. It also pointed out to TechCrunch that these AI suggestions are opt-in and can be disabled at any time.

The development is yet another example of how companies are racing to integrate AI features into their products, oftentimes at the cost of user privacy.

Meta says its new AI feature won’t be used for targeted ads, but experts still have concerns. When people upload personal photos or videos—even if they agree to it—it’s unclear how long that data is kept or who can see it. Since the processing happens in the cloud, there are risks, especially with things like facial recognition and hidden details such as time or location.

Even if it’s not used for ads, this kind of data could still end up in training datasets or be used to build user profiles. It’s a bit like handing your photo album to an algorithm that quietly learns your habits, preferences, and patterns over time.

Last month, Meta began to train its AI models using public data shared by adults across its platforms in the European Union after it received approval from the Irish Data Protection Commission (DPC). The company suspended the use of generative AI tools in Brazil in July 2024 in response to privacy concerns raised by the government.

The social media giant has also added AI features to WhatsApp, the most recent being the ability to summarize unread messages in chats using a privacy-focused approach it calls Private Processing.

This change is part of a bigger trend in generative AI, where tech companies mix convenience with tracking. Features like auto-made collages or smart story suggestions may seem helpful, but they rely on AI that watches how you use your devices—not just the app. That’s why privacy settings, clear consent, and limiting data collection are more important than ever.

Facebook’s AI feature also comes as one of Germany’s data protection watchdogs called on Apple and Google to remove DeepSeek’s apps from their respective app stores due to unlawful user data transfers to China, following similar concerns raised by several countries at the start of the year.

“The service processes extensive personal data of the users, including all text entries, chat histories and uploaded files as well as information about the location, the devices used and networks,” according to a statement released by the Berlin Commissioner for Data Protection and Freedom of Information. “The service transmits the collected personal data of the users to Chinese processors and stores it on servers in China.”

These transfers violate the General Data Protection Regulation (GDPR) of the European Union, given the lack of guarantees that the data of German users in China are protected at a level equivalent to the bloc.

Earlier this week, Reuters reported that the Chinese AI company is assisting the country’s military and intelligence operations, and that it’s sharing user information with Beijing, citing an anonymous U.S. Department of State official.

A couple of weeks ago, OpenAI also landed a $200 million with the U.S. Department of Defense (DoD) to “develop prototype frontier AI capabilities to address critical national security challenges in both warfighting and enterprise domains.”

The company said it will help the Pentagon “identify and prototype how frontier AI can transform its administrative operations, from improving how service members and their families get health care, to streamlining how they look at program and acquisition data, to supporting proactive cyber defense.”

Jun 27, 2025Ravie LakshmananThreat Hunting / Vulnerability

Threat hunters have discovered a network of more than 1,000 compromised small office and home office (SOHO) devices that have been used to facilitate a prolonged cyber espionage infrastructure campaign for China-nexus hacking groups.

The Operational Relay Box (ORB) network has been codenamed LapDogs by SecurityScorecard’s STRIKE team.

“The LapDogs network has a high concentration of victims across the United States and Southeast Asia, and is slowly but steadily growing in size,” the cybersecurity company said in a technical report published this week.

Other regions where the infections are prevalent include Japan, South Korea, Hong Kong, and Taiwan, with victims spanning IT, networking, real estate, and media sectors. Active infections span devices and services from Ruckus Wireless, ASUS, Buffalo Technology, Cisco-Linksys, Cross DVR, D-Link, Microsoft, Panasonic, and Synology.

LapDogs’ beating heart is a custom backdoor called ShortLeash that’s engineered to enlist infected devices in the network. Once installed, it sets up a fake Nginx web server and generates a unique, self-signed TLS certificate with the issuer name “LAPD” in an attempt to impersonate the Los Angeles Police Department. It’s this reference that has given the ORB network its name.

ShortLeash is assessed to be delivered by means of a shell script to primarily penetrate Linux-based SOHO devices, although artifacts serving a Windows version of the backdoor have also been found. The attacks themselves weaponize N-day security vulnerabilities (e.g., CVE-2015-1548 and CVE-2017-17663) to obtain initial access.

First signs of activity related to LapDogs have been detected as far back as September 6, 2023, in Taiwan, with the second attack recorded four months later, on January 19, 2024. There is evidence to suggest that the campaigns are launched in batches, each of which infects no more than 60 devices. A total of 162 distinct intrusion sets have been identified to date.

The ORB has been found to share some similarities with another cluster referred to as PolarEdge, which was documented by Sekoia earlier this February as exploiting known security flaws in routers and other IoT devices to corral them into a network since late 2023 for an as-yet-undetermined purpose.

The overlaps aside, LapDogs and PolarEdge are assessed as two separate entities, given the differences in the infection process, the persistence methods used, and the former’s ability to also target virtual private servers (VPSs) and Windows systems.

“While PolarEdge backdoor replaces the CGI script of the devices with the operator’s designated webshell, ShortLeash merely inserts itself into the system directory as a .service file, ensuring the persistence of the service upon reboot, with root-level privileges,” SecurityScorecard noted.

What’s more, it has been gauged with medium confidence that the China-linked hacking crew tracked as UAT-5918 used LapDogs in at least one of its operations aimed at Taiwan. It’s currently not known if UAT-5918 is behind the network or is just a client.

Chinese threat actors’ use of ORB networks as a means of obfuscation has been previously documented by Google Mandiant, Sygnia and SentinelOne, indicating that they are being increasingly adopted into their playbooks for highly targeted operations.

“While both ORBs and botnets commonly consist of a large set of compromised, legitimate internet-facing devices or virtual services, ORB networks are more like Swiss Army knives, and can contribute to any stage of the intrusion lifecycle, from reconnaissance, anonymized actor browsing, and netflow collection to port and vulnerability scanning, initiating intrusion cycles by reconfiguring nodes into staging or even C2 servers, and relaying exfiltrated data up the stream,” SecurityScorecard said.

Jun 27, 2025Ravie LakshmananVulnerability / Cyber Espionage

A China-linked threat actor known as Mustang Panda has been attributed to a new cyber espionage campaign directed against the Tibetan community.

The spear-phishing attacks leveraged topics related to Tibet, such as the 9th World Parliamentarians’ Convention on Tibet (WPCT), China’s education policy in the Tibet Autonomous Region (TAR), and a recently published book by the 14th Dalai Lama, according to IBM X-Force.

The cybersecurity division of the technology company said it observed the campaign earlier this month, with the attacks leading to the deployment of a known Mustang Panda malware called PUBLOAD. It’s tracking the threat actor under the name Hive0154.

The attack chains employ Tibet-themed lures to distribute a malicious archive containing a benign Microsoft Word file, along with articles reproduced by Tibetan websites and photos from WPCT, into opening an executable that’s disguised as a document.

The executable, as observed in prior Mustang Panda attacks, leverages DLL side-loading to launch a malicious DLL dubbed Claimloader that’s then used to deploy PUBLOAD, a downloader malware that’s responsible for contacting a remote server and fetching a next-stage payload dubbed Pubshell.

Pubshell is a “light-weight backdoor facilitating immediate access to the machine via a reverse shell,” security researchers Golo Mühr and Joshua Chung said in an analysis published this week.

At this stage, it’s worth mentioning some of the nomenclature differences: IBM has given the name Claimloader to the custom stager first documented by Cisco Talos in May 2022 and PUBLOAD to the first-stage shellcode downloader, whereas Trend Micro identifies both the stager and the downloader as PUBLOAD. Team T5, similarly, tracks the two components collectively as NoFive.

The development comes weeks after IBM’s activity which it said is the work of a Hive0154 sub-cluster targeting the United States, Philippines, Pakistan, and Taiwan from late 2024 to early 2025.

This activity, like in the case of those targeting Tibet, utilizes weaponized archives originating from spear-phishing emails to target government, military, and diplomatic entities.

The digital missives contain links to Google Drive URLs that download the booby-trapped ZIP or RAR archives upon clicking, ultimately resulting in the deployment of TONESHELL in 2024 and PUBLOAD starting this year via Claimloader.

TONESHELL, another oft-used Mustang Panda malware, functions similarly to Pubshell in that it’s also used to create a reverse shell and execute commands on the compromised host.

“The Pubshell implementation of the reverse shell via anonymous pipes is almost identical to TONESHELL,” the researchers said. “However, instead of running a new thread to immediately return any results, Pubshell requires an additional command to return command results. It also only supports running ‘cmd.exe’ as a shell.”

“In several ways, Pubload and Pubshell appear to be an independently developed ‘lite version’ of TONESHELL, with less sophistication and clear code overlaps.”

The attacks targeted Taiwan have been characterized by the use of a USB worm called HIUPAN (aka MISTCLOAK or U2DiskWatch), which is then leveraged to spread Claimloader and PUBLOAD through USB devices.

“Hive0154 remains a highly capable threat actor with multiple active sub-clusters and frequent development cycles,” the researchers said.

“China-aligned groups like Hive0154 will continue to refine their large malware arsenal and retain a focus on East Asia-based organizations in the private and public sectors. Their wide array of tooling, frequent development cycles, and USB worm-based malware distribution highlights them as a sophisticated threat actor.”

Security operations centers (SOCs) are under pressure from both sides: threats are growing more complex and frequent, while security budgets are no longer keeping pace. Today’s security leaders are expected to reduce risk and deliver results without relying on larger teams or increased spending.

At the same time, SOC inefficiencies are draining resources. Studies show that up to half of all alerts are false positives, with some reports citing false positive rates as high as 99 percent. This means highly trained analysts spend a disproportionate amount of time chasing down harmless activity, wasting effort, increasing fatigue, and raising the chance of missing real threats.

In this environment, the business imperative is clear: maximize the impact of every analyst and every dollar by making security operations faster, smarter, and more focused.

Enter the Agentic AI SOC Analyst

The agentic AI SOC Analyst is a force multiplier that enables organizations to do more with the team and technology they already have. By automating repetitive investigations and reducing time wasted on false positives, Agentic AI helps organizations redirect human expertise to the threats and initiatives that matter most, aligning security operations with core business goals of resilience, efficiency, and growth.

Addressing the Skilled Analyst Shortage

A key driver behind the business case for agentic AI in the SOC is the acute shortage of skilled security analysts. The global cybersecurity workforce gap is now estimated at 4 million professionals, but the real bottleneck for most organizations is the scarcity of experienced analysts with the expertise to triage, investigate, and respond to modern threats. One ISC2 survey report from 2024 shows that 60% of organizations worldwide reported staff shortages significantly impacting their ability to secure the organizations, with another report from the World Economic Forum showing that just 15% of organizations believe they have the right people with the right skills to properly respond to a cybersecurity incident.

Given these realities, simply adding more headcount is neither feasible nor sustainable. Instead, organizations must focus on maximizing the impact of their existing skilled staff. The AI SOC Analyst addresses this by automating routine Tier 1 tasks, filtering out noise, and surfacing the alerts that truly require human judgment. This not only drives faster investigations and incident response, but also helps retain top talent by reducing burnout and enabling more meaningful, strategic work.

AI SOC Analysts enable security teams to reduce risk, control cost, and deliver more with less. By automating triage, investigation, and even remediation, they directly improve operational efficiency, reduce the burden on human analysts, and ensure threats are handled before they escalate.

Reducing noise, focusing on what matters

AI SOC Analysts apply context and behavioral analysis to understand the threat level of an alert, suppressing low-value alerts and elevating high-risk activity. This drastically reduces alert fatigue and ensures analyst time is spent on real threats, not redundant noise. The result: stronger coverage and faster action, without scaling headcount. Organizations that deploy agentic AI SOC Analysts can see upwards of a 90% reduction in false positive alerts that need analyst review.

Increasing analyst efficiency and throughput

Traditional investigation workflows are filled with repetitive, time-consuming tasks: pulling logs, linking evidence, and writing summaries. AI SOC Analysts automate this work, mirroring how experienced analysts think and investigate. The result is a dramatic increase in productivity. Teams can process more cases faster, and focus on strategic tasks like threat hunting and tuning detections.

Learning and adapting over time

AI-driven systems do not remain static. Unlike SOAR playbooks, agentic AI continuously improves based on analyst feedback, historical data, and threat intelligence. This means investigation accuracy increases, false positives are reduced, and the SOC becomes more efficient over time. What starts as an automation tool becomes a compounding asset that grows more effective with use. They can even surface insights for detection engineers to create new rules or tune existing ones.

Metrics that matter to SOC leaders

AI SOC Analysts drive improvements in the key metrics used to evaluate SOC performance and business impact:

• Mean time to investigate and mean time to respond: Automated investigations reduce the time from hours to minutes, limiting exposure and enabling faster containment.
• Dwell time: Faster triage and detection shrinks the window in which attackers can move, steal data, or escalate.
• Alert closure rates: Higher rates of resolution reflect stronger SOC throughput and fewer ignored alerts.
• Analyst productivity: When analysts spend less time on repetitive tasks and more time on proactive work, team value increases without growing headcount.

Unlocking value from your existing stack and team

AI SOC Analysts enhance the ROI of your existing security stack. By ingesting data from your SIEM, EDR, cloud, and identity platforms, AI ensures every signal is investigated. This closes the loop on alerts that would otherwise be ignored, turning your existing stack into a higher-value investment.

AI also helps develop internal talent. Clear, consistent investigations act as on-the-job training for junior analysts. They gain exposure to advanced investigative methods without needing years of experience. The result is a more capable team, built faster and at lower cost.

How Prophet Security Aligns Security with Business Outcomes

Prophet Security helps organizations move beyond manual investigations and alert fatigue by delivering an agentic AI SOC platform that automates triage, accelerates investigations, and ensures every alert gets the attention it deserves. By integrating across your existing stack, Prophet AI improves analyst efficiency, reduces incident dwell time, and drives faster, more consistent security outcomes.

Security leaders use Prophet AI to get more value from the people and tools they already have, improve their security posture, and turn day-to-day SOC operations into measurable business results. Visit Prophet Security today to request a demo and see firsthand how Prophet AI can elevate your SOC operations.

Jun 27, 2025Ravie LakshmananMalware / Cyber Attack

A new campaign has been observed leveraging fake websites advertising popular software such as WPS Office, Sogou, and DeepSeek to deliver Sainbox RAT and the open-source Hidden rootkit.

The activity has been attributed with medium confidence to a Chinese hacking group called Silver Fox (aka Void Arachne), citing similarities in tradecraft with previous campaigns attributed to the threat actor.

The phishing websites (“wpsice[.]com”) have been found to distribute malicious MSI installers in the Chinese language, indicating that the targets of the campaign are Chinese speakers.

“The malware payloads include the Sainbox RAT, a variant of Gh0st RAT, and a variant of the open-source Hidden rootkit,” Netskope Threat Labs researcher Leandro Fróes said.

This is not the first time the threat actor has resorted to this modus operandi. In July 2024, eSentire detailed a campaign that targeted Chinese-speaking Windows users with fake Google Chrome sites to deliver Gh0st RAT.

Then earlier this February, Morphisec disclosed another campaign that also leveraged bogus sites advertising the web browser that distributed ValleyRAT (aka Winos 4.0), a different version of Gh0st RAT.

ValleyRAT was first documented by Proofpoint in September 2023 as part of a campaign that also singled out Chinese-speaking users with Sainbox RAT and Purple Fox.

In the latest attack wave spotted by Netskope, the malicious MSI installers downloaded from the websites are designed to launch a legitimate executable named “shine.exe,” which sideloads a rogue DLL “libcef.dll” using DLL side-loading techniques.

The DLL’s primary objective is to extract shellcode from a text file (“1.txt”) present in the installer and then run it, ultimately resulting in the execution of another DLL payload, a remote access trojan called Sainbox.

“The .data section of the analyzed payload contains another PE binary that may be executed, depending on the malware’s configuration,” Fróes explained. “The embedded file is a rootkit driver based on the open-source project Hidden.”

While Sainbox comes fitted with capabilities to download additional payloads and steal data, Hidden offers attackers an array of stealthy features to hide malware-related processes and Windows Registry keys on compromised hosts.

“Using variants of commodity RATs, such as Gh0st RAT, and open-source kernel rootkits, such as Hidden, gives the attackers control and stealth without requiring a lot of custom development,” Netskope said.

Jun 27, 2025Ravie LakshmananNetwork Security / Vulnerability

Threat intelligence firm GreyNoise is warning of a “notable surge” in scanning activity targeting Progress MOVEit Transfer systems starting May 27, 2025—suggesting that attackers may be preparing for another mass exploitation campaign or probing for unpatched systems.

MOVEit Transfer is a popular managed file transfer solution used by businesses and government agencies to share sensitive data securely. Because it often handles high-value information, it has become a favorite target for attackers.

“Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day,” the company said. “But on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28.”

Since then, daily scanner IP volume has remained intermittently elevated between 200 to 300 IPs per day, GreyNoise added, stating it marks a “significant deviation” from usual behavior.

As many as 682 unique IPs have been flagged in connection with the activity over the past 90 days, with 449 IP addresses observed in the past 24 hours alone. Of the 449 IPs, 344 have been categorized as suspicious and 77 have been marked malicious.

A majority of the IP addresses geolocate to the United States, followed by Germany, Japan, Singapore, Brazil, the Netherlands, South Korea, Hong Kong, and Indonesia.

GreyNoise also said it detected low-volume exploitation attempts to weaponize two known MOVEit Transfer flaws (CVE-2023-34362 and CVE-2023-36934) on June 12, 2025. It’s worth noting that CVE-2023-34362 was abused by Cl0p ransomware actors as part of a widespread campaign in 2023, impacting more than 2,770 organizations.

The spike in scanning activity is an indication that MOVEit Transfer instances are once again under the threat actor’s scanner, making it essential that users block the offending IP addresses, make sure the software is up-to-date, and avoid publicly exposing them over the internet.

Cybersecurity researchers have detailed a new campaign dubbed OneClik that leverages Microsoft’s ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas sectors.

“The campaign exhibits characteristics aligned with Chinese-affiliated threat actors, though attribution remains cautious,” Trellix researchers Nico Paulo Yturriaga and Pham Duy Phuc said in a technical write-up.

“Its methods reflect a broader shift toward ‘living-off-the-land’ tactics, blending malicious operations within cloud and enterprise tooling to evade traditional detection mechanisms.”

The phishing attacks, in a nutshell, make use of a .NET-based loader called OneClikNet to deploy a sophisticated Go-based backdoor codenamed RunnerBeacon that’s designed to communicate with attacker-controlled infrastructure that’s obscured using Amazon Web Services (AWS) cloud services.

ClickOnce is offered by Microsoft as a way to install and update Windows-based applications with minimal user interaction. It was introduced in .NET Framework 2.0. However, the technology can be an attractive means for threat actors looking to execute their malicious payloads without raising any red flags.

As noted in the MITRE ATT&CK framework, ClickOnce applications can be used to run malicious code through a trusted Windows binary, “dfsvc.exe,” that’s responsible for installing, launching, and updating the apps. The apps are launched as a child process of “dfsvc.exe.”

“Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install,” MITRE explains. “As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.”

Trellix said the attack chains begin with phishing emails containing a link to a fake hardware analysis website that serves as a conduit for delivering a ClickOnce application, which, in turn, runs an executable using dfsvc.exe.

The binary is a ClickOnce loader that’s launched by injecting the malicious code via another technique known as AppDomainManager injection, ultimately resulting in the execution of an encrypted shellcode in memory to load the RunnerBeacon backdoor.

The Golang implant can communicate with a command-and-control (C2) server over HTTP(s), WebSockets, raw TCP, and SMB named pipes, allowing it to perform file operations, enumerate and terminate running processes, execute shell commands, escalate privileges using token theft and impersonation, and achieve lateral movement.

Additionally, the backdoor incorporates anti-analysis features to evade detection, and supports network operations like port scanning, port forwarding, and SOCKS5 protocol to facilitate proxy and routing features.

“RunnerBeacon’s design closely parallels known Go-based Cobalt Strike beacons (e.g. the Geacon/Geacon plus/Geacon Pro family),” the researchers said.

“Like Geacon, the set of commands (shell, process enumeration, file I/O, proxying, etc.) and use of cross-protocol C2 are very similar. These structural and functional similarities suggest RunnerBeacon may be an evolved fork or a privately modified variant of Geacon, tailored for stealthier, and cloud-friendly operations.”

Three different variants of OneClick have been observed in March 2025 alone: v1a, BPI-MDM, and v1d, with each iteration demonstrating progressively improved capabilities to fly under the radar. That said, a variant of RunnerBeacon was identified in September 2023 at a company in the Middle East in the oil and gas sector.

Although techniques like AppDomainManager injection have been used by China– and North Korea-linked threat actors in the past, the activity has not benefited formally attributed to any known threat actor or group.

The development comes as QiAnXin detailed a campaign mounted by a threat actor it tracks as APT-Q-14 that has also employed ClickOnce apps to propagate malware by exploiting a zero-day cross-site scripting (XSS) flaw in the web version of an unnamed email platform. The vulnerability, it said, has since been patched.

The XSS flaw is automatically triggered when a victim opens a phishing email, causing the download of the ClickOne app. “The body of the phishing email comes from Yahoo News, which coincides with the victim industry,” QiAnXin noted.

The intrusion sequence serves a mailbox instruction manual as a decoy, while a malicious trojan is stealthily installed on the Windows host to collect and exfiltrate system information to a C2 server and receive unknown next-stage payloads.

The Chinese cybersecurity company said APT-Q-14 also focuses on zero-day vulnerabilities in email software for the Android platform.

APT-Q-14 has been described by QiAnXin as originating from Northeast Asia and having overlaps with other clusters dubbed APT-Q-12 (aka Pseudo Hunter) and APT-Q-15, which are assessed to be sub-groups within a South Korea-aligned threat group known as DarkHotel (aka APT-C-06).

Earlier this week, Beijing-based 360 Threat Intelligence Center disclosed DarkHotel’s use of the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate Microsoft Defender Antivirus and deploy malware as part of a phishing attack that delivered fake MSI installation packages in February 2025.

The malware is engineered to establish communication with a remote server to download, decrypt, and execute unspecified shellcode.

“In general, the [hacking group’s] tactics have tended to be ‘simple’ in recent years: Different from the previous use of heavy-weight vulnerabilities, it has adopted flexible and novel delivery methods and attack techniques,” the company said. “In terms of attack targets, APT-C-06 still focuses on North Korean-related traders, and the number of targets attacked in the same period is greater.”