Category: Cybersecurity

You wouldn’t run your blue team once a year, so why accept this substandard schedule for your offensive side?

Your cybersecurity teams are under intense pressure to be proactive and to find your network’s weaknesses before adversaries do. But in many organizations, offensive security is still treated as a one-time event: an annual pentest, a quarterly red team engagement, maybe an audit sprint before a compliance deadline.

That’s not defense. It’s a theater.

In the real world, adversaries don’t operate in bursts. Their recon is continuous, their tools and tactics are always evolving, and new vulnerabilities are often reverse-engineered into working exploits within hours of a patch release.

So, if your offensive validation isn’t just as dynamic, you’re not just lagging, you’re exposed.

It’s time to move beyond the once a year pentest.

It’s time to build an Offensive Security Operations Center.

Why annual pentesting falls short

Point-in-time penetration tests still serve a role, and are here to remain a compliance requirement. But they fall short in environments that change faster than they can be assessed. This is true for a number of reasons:

• The scope is limited. Most enterprise pentests are scoped to avoid business disruption, but we all know that attackers don’t care about your scope, or unless they’re in stealth mode, disrupting your business.
• Controls decay silently. Drift is constant. An EDR policy gets loosened. A SIEM rule breaks. And annual pentests are not built to catch these problems. The security control that “passed” in the test may very well fail when it really matters, two weeks later.
• Access escalates quietly. In Active Directory environments, misconfigurations accumulate silently over time, nested groups, stale accounts, over-privileged service identities, and well-known privilege escalation paths are commonplace. These aren’t just theoretical risks; they’ve been actively leveraged for decades. Attackers don’t need zero-days to succeed. They rely on weak trust relationships, configuration drift, and a lack of visibility.
• Timing lags. By the time a pentest report is delivered, your environment has already changed. You’re chasing what was, not what is. It’s like looking at last month’s video from your door camera to see what’s happening today.

However, this is not a call to abolish pentesting.

Quite the opposite, manual pentests bring human creativity, contextual awareness, and adversarial thinking that no automation can replicate.

But relying on them alone, especially when performed only once or twice a year, limits their impact.

Breach and Attack Simulation (BAS) doesn’t guess. It simulates real-world TTPs mapped to industry-recognized frameworks like MITRE ATT&CK® across the kill chain.

BAS answers a series of practical yet high-stakes questions:

• Can your SIEM catch a credential dumping attack?
• Will your EDR block known ransomware?
• Does your WAF stop critical web attacks like Citrix Bleed or IngressNightmare?

BAS is about controlled, safe, production-aware testing and executing the same techniques attackers use, against your actual controls without actually putting your data, bottom line, and reputation at risk. BAS will show you exactly what works, what fails, and where to best focus your efforts.

3. Exploit Chain Testing with Automated Pentesting

Sometimes individual vulnerabilities may not be harmful on their own. However, adversaries carefully chain multiple vulnerabilities and misconfigurations together to achieve their objectives. With Automated Penetration Testing, security teams can validate how a real compromise could unfold, step by step, end to end.

Automated Pentesting simulates an assumed breach from a domain-joined system, starting with access to a low-privileged or system-level user. From this foothold, it discovers and validates the shortest, stealthiest attack paths to critical assets, such as domain admin privileges, by chaining real techniques like credential theft, lateral movement, and privilege escalation.

Here’s an example:

• Initial access to an HR workstation exposes a Kerberoasting opportunity, triggered by misconfigured service account permissions.
• Offline password cracking reveals plaintext credentials.
• Those credentials enable lateral movement to another machine.
• Eventually, the simulation captures a domain admin’s NTLM hash, with no alerts triggered and no controls intervening.

This is just one scenario among thousands, but it mirrors the real tactics adversaries use to escalate their privileges inside your network.

4. Drift Detection and Posture Tracking

Security isn’t static. Rules change. Configurations shift. Controls fail quietly.

The Offensive SOC keeps score over time. It tracks when your prevention and detection layer solutions start to slip, like:

• An EDR policy update that disables known malware signatures
• A SIEM alert that quietly stops firing after a rule modification
• A firewall rule that’s altered during maintenance, leaving a port exposed

The Offensive SOC doesn’t just tell you what failed, it tells you when it started failing.

And this is how you stay ahead: not by reacting to alerts, but by catching your vulnerabilities before they’re exploited.

Where Picus fits in

Picus helps security teams operationalize the Offensive SOC, with a unified platform that continuously validates exposures across prevention, detection, and response layers.

We combine:

• BAS to test how your controls respond to real-world threats.
• Automated penetration testing to simulate attacker movement post-access, and identify high-risk paths.
• Known threat and mitigation libraries to simulate attacks and close gaps faster.
• Seamless integration with your existing SOC stack.

And Picus isn’t just making promises. The Blue Report 2024 found that:

• Organizations using Picus reduced critical vulnerabilities by over 50%.
• Customers doubled their prevention effectiveness in 90 days.
• Teams mitigated security gaps 81% faster using Picus.

With Picus, you can boldly move beyond assumptions and make decisions backed by validation.

That’s the value of an Offensive SOC: focused, efficient, and continuous security improvement.

Final thought: Validation isn’t a report, it’s a practice

Building an Offensive SOC isn’t about adding more dashboards, solutions, or noise; it’s about turning your reactive security operations center into a continuous validation engine.

It means proving what’s exploitable, what’s protected, and what needs attention.

Picus helps your security teams do exactly that, operationalizing validation across your entire stack.

Ready to explore the details?

Download The CISO’s Guide for Security and Exposure Validation to:

• Understand the complementary roles of Breach and Attack Simulation and Automated Penetration Testing
• Learn how to prioritize risk based on exploitability, not just severity
• See how to embed Adversarial Exposure Validation into your CTEM strategy for continuous, measurable improvement

🔗 Get the Exposure Validation Guide and make validation part of your everyday SOC operations, not just something you check off a list once a year.

Jul 24, 2025The Hacker News

Is Managing Customer Logins and Data Giving You Headaches? You’re Not Alone!

Today, we all expect super-fast, secure, and personalized online experiences. But let’s be honest, we’re also more careful about how our data is used. If something feels off, trust can vanish in an instant. Add to that the lightning-fast changes AI is bringing to everything from how we log in to spotting online fraud, and it’s a whole new ball game!

If you’re dealing with logins, data privacy, bringing new users on board, or building digital trust, this webinar is for you.

Join us for “Navigating Customer Identity in the AI Era,” where we’ll dive into the Auth0 2025 Customer Identity Trends Report. We’ll show you what’s working, what’s not, and how to tweak your strategy for the year ahead.

In just one session, you’ll get practical answers to real-world challenges like:

• How AI is changing what users expect – and where they’re starting to push back.
• The new identity threats on the rise – and how to stop them early.
• Making logins smoother and easier – without sacrificing security.
• Where AI can help you big time – and where you still need that human touch.
• What top digital companies are doing differently to stay ahead.

This session is perfect for anyone focused on making customer experiences better, boosting security, or driving digital innovation. Whether you’re an IT or security leader, a product team member, or part of marketing and customer experience, you’ll find valuable takeaways. Even if you’re leading digital transformation, this webinar offers key guidance to align AI with what customers truly want.

Watch this Webinar

“Navigating Customer Identity in the AI Era” is your chance to get ahead with insights from the Auth0 2025 CIAM Trends Report.

The webinar is on July 28, 2025, and with an expert from Auth0 by Okta, a trusted name in secure identity solutions. Registration is free, but spots are limited! Don’t miss out on future-proofing your identity strategy, staying compliant, and building massive digital trust.

As AI keeps evolving, your customer identity strategy needs to evolve with it. This webinar gives you the data, the trends, and the expert insights to make smarter decisions – starting now.

Don’t get left behind. Join us and become a leader in customer trust!

Jul 24, 2025Ravie LakshmananVulnerability / Ransomware

Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws is deploying Warlock ransomware on targeted systems.

The tech giant, in an update shared Wednesday, said the findings are based on an “expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603.”

The threat actor attributed to the financially motivated activity is a suspected China-based threat actor that’s known to drop Warlock and LockBit ransomware in the past.

The attack chains entail the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched on-premises SharePoint servers to deploy the spinstall0.aspx web shell payload.

“This initial access is used to conduct command execution using the w3wp.exe process that supports SharePoint,” Microsoft said. “Storm-2603 then initiates a series of discovery commands, including whoami, to enumerate user context and validate privilege levels.”

The attacks are characterized by the use of cmd.exe and batch scripts as the threat actor burrows deeper into the target network, while services.exe is abused to turn off Microsoft Defender protections by modifying the Windows Registry.

In addition to leveraging spinstall0.aspx for persistence, Storm-2603 has been observed creating scheduled tasks and modifying Internet Information Services (IIS) components to launch what Microsoft described as suspicious .NET assemblies. These actions are designed to ensure ongoing access even if the victims take steps to plug the initial access vectors.

Some of the other noteworthy aspects of the attacks include the deployment of Mimikatz to harvest credentials by targeting the Local Security Authority Subsystem Service (LSASS) memory, and then proceeding to conduct lateral movement using PsExec and the Impacket toolkit.

“Storm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments,” Microsoft said.

As mitigations, users are urged to follow the steps below –

• Upgrade to supported versions of on-premises Microsoft SharePoint Server
• Apply the latest security updates
• Ensure the Antimalware Scan Interface is turned on and configured correctly
• Deploy Microsoft Defender for Endpoint, or equivalent solutions
• Rotate SharePoint Server ASP.NET machine keys
• Restart IIS on all SharePoint servers using iisreset.exe (If AMSI cannot be enabled, it’s advised to rotate the keys and restart IIS after installing the new security update)
• Implement incident response plan

The development comes as the SharePoint Server flaws have come under large-scale exploitation, already claiming at least 400 victims. Linen Typhoon (aka APT27) and Violet Typhoon (aka APT31) are two other Chinese hacking groups that have been linked to the malicious activity. China has denied the allegations.

“Cybersecurity is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation,” China’s Foreign Ministry Spokesperson Guo Jiakun said. “China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues.”

Europol on Monday announced the arrest of the suspected administrator of XSS.is (formerly DaMaGeLaB), a notorious Russian-speaking cybercrime platform.

The arrest, which took place in Kyiv, Ukraine, on July 222, 2025, was led by the French Police and Paris Prosecutor, in collaboration with Ukrainian authorities and Europol. The action is the result of an investigation that was launched by the French Police in July 2021.

Coupled with the arrest, law enforcement has also taken control of the clearnet domain of XSS.is, greeting visitors with a seizure notice, “This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with assistance of the SBU Cyber Department.”

“The forum, which had more than 50,000 registered users, served as a key marketplace for stolen data, hacking tools and illicit services,” the law enforcement agency said. “It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit.”

The forum’s administrator, besides engaging in the technical operations of the service, is said to have enabled criminal activity by acting as a trusted third-party to arbitrate disputes between criminals and guarantee the security of transactions.

The unnamed individual is also believed to have run thesecure.biz, a private messaging platform specially built to cater to the needs of cybercriminals. Through these illicit ventures, the suspect is estimated to have made €7 million ($8.24 million) in profits from advertising and facilitation fees.

“Investigators believe he has been active in the cybercrime ecosystem for nearly two decades, and maintained close ties to several major threat actors over the years,” Europol added.

According to the Paris Prosecutor, XSS.is has been active since 2013, acting as a hub for all this cybercrime, ranging from access to compromised systems and ransomware-related services. It also offered an encrypted Jabber messaging server that let cybercriminals communicate anonymously.

XSS.is, along with Exploit, has served as the backbone of the Russian-speaking cybercriminal ecosystem, with the threat actors on these forums primarily singling out non-Russian-speaking countries. Data shared by KELA shows that XSS currently has 48,750 registered users and more than 110,000 threads.

“To facilitate illicit transactions, the forum has a built-in reputation system,” KELA said. “Members can use a forum-appointed escrow service to ensure that deals are completed without scams, as well as add a deposit, contributing to their reputation.”

The development comes a week after a Europol-led operation disrupted the online infrastructure associated with a pro-Russian hacktivist group known as NoName057(16) and the arrest of two people for conducting distributed denial-of-service (DDoS) attacks against Ukraine and its allies using a volunteer-driven Go-based tool called DDoSia.

Recorded Future’s Insikt Group, in a report published this week, said the group targeted 3,776 unique hosts between July 1, 2024, and July 14, 2025, primarily government, public-sector, transportation, technology, media, and financial entities in European nations opposing Russia’s invasion of Ukraine.

Ukrainian organizations accounted for the largest share of targets (29.47%), followed by France (6.09%), Italy (5.39%), Sweden (5.29%), Germany (4.60%), Israel (4.50%), Czechia (4%), Poland (4%), and the United Kingdom (3.30%). The United States is a notable exclusion, despite its support for Ukraine.

An extensive analysis of NoName057(16)’s infrastructure has laid bare a resilient, multi-tiered architecture consisting of rapidly rotated Tier 1 command-and-control (C2) servers and Tier 2 servers protected by access control lists (ACLs) to limit upstream access and maintain reliable C2 functionality. As many as 275 unique Tier 1 have been identified during the time period.

“The threat group maintains a high operational tempo, averaging 50 unique targets daily, with intense bursts of activity correlating to geopolitical and military developments in Ukraine,” the Mastercard-owned cybersecurity company said.

“NoName057(16) uses a mixture of network and application-layer DDoS attacks, selecting methods designed to overwhelm server resources and disrupt availability. The threat group’s attack methodology is straightforward yet effective, prioritizing high-volume floods and resource exhaustion techniques.”

Jul 24, 2025Ravie LakshmananCybersecurity / Web Security

Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the “mu-plugins” directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions.

Must-use plugins (aka mu-plugins) are special plugins that are automatically activated on all WordPress sites in the installation. They are located in the “wp-content/mu-plugins” directory by default.

What makes them an attractive option for attackers is that mu-plugins do not show in the default list of plugins on the Plugins page of wp-admin and cannot be disabled except by removing the plugin file from the must-use directory.

As a result, a piece of malware that leverages this technique allows it to function quietly, without raising any red flags.

In the infection spotted by web security company Sucuri, the PHP script in the mu-plugins directory (“wp-index.php”) serves as a loader to fetch a next-stage payload and save it in the WordPress database within the wp_options table under _hdra_core.

The remote payload is retrieved from a URL that’s obfuscated using ROT13, a simple substitution cipher that replaces a letter with the 13th letter after it (i.e., A becomes N, B becomes O, C becomes P, and so forth).

“The fetched content is then temporarily written to disk and executed,” security researcher Puja Srivastava said. “This backdoor gives the attacker persistent access to the site and the ability to run any PHP code remotely.

Specifically, it injects a hidden file manager into the theme directory as “pricing-table-3.php,” permitting threat actors to browse, upload, or delete files. It also creates an administrator user named “officialwp” and then downloads a malicious plugin (“wp-bot-protect.php”) and activates it.

Besides reinstating the infection in the event of deletion, the malware incorporates the ability to change the passwords of common administrator usernames, such as “admin,” “root,” and “wpsupport,” to a default password set by the attacker. This also extends to its own “officialwp” user.

In doing so, the threat actors can enjoy persistent access to the sites and perform malicious actions, while effectively locking out other administrators. This can range from data theft to injecting code that can serve malware to site visitors or redirect them to other scammy sites.

“The attackers gain full administrator access and a persistent backdoor, allowing them to do anything on the site, from installing more malware to defacing it,” Srivastava said. “The remote command execution and content injection features mean the attackers can change the malware’s behavior.”

To mitigate against these threats, it’s essential that site owners update WordPress, themes, and plugins periodically, secure accounts using two-factor authentication, and regularly audit all sections of the site, including theme and plugin files.

Jul 23, 2025Ravie LakshmananMalware / Cryptocurrency

The threat actor behind the exploitation of vulnerable Craft Content Management System (CMS) instances has shifted its tactics to target Magento CMS and misconfigured Docker instances.

The activity has been attributed to a threat actor tracked as Mimo (aka Hezb), which has a long history of leveraging N-day security flaws in various web applications to deploy cryptocurrency miners.

“Although Mimo’s primary motivation remains financial, through cryptocurrency mining and bandwidth monetization, the sophistication of their recent operations suggests potential preparation for more lucrative criminal activities,” Datadog Security Labs said in a report published this week.

Mimo’s exploitation of CVE-2025-32432, a critical security flaw in Craft CMS, for cryptojacking and proxyjacking was documented by Sekoia in May 2025.

Newly observed attack chains associated with the threat actor involve the abuse of undetermined PHP-FPM vulnerabilities in Magento e-commerce installations to obtain initial access, and then using it to drop GSocket, a legitimate open-source penetration testing tool, to establish persistent access to the host by means of a reverse shell.

“The initial access vector is PHP-FPM command injection via a Magento CMS plugin, indicating that Mimo possesses multiple exploit capabilities beyond previously observed adversarial tradecraft,” researchers Ryan Simon, Greg Foss, and Matt Muir said.

In an attempt to sidestep detection, the GSocket binary masquerades as a legitimate or kernel-managed thread so that it blends in with other processes that may be running on the system.

Another notable technique employed by the attackers is the use of in-memory payloads using memfd_create() so as to launch an ELF binary loader called “4l4md4r” without leaving any trace on disk. The loader is then responsible for deploying the IPRoyal proxyware and the XMRig miner on the compromised machine but not before modifying the “/etc/ld.so.preload” file to inject a rootkit to conceal the presence of these artifacts.

The distribution of a miner and proxyware underscores a two-pronged approach adopted by Mimo to maximize financial gain. The distinct revenue generation streams ensure that compromised machines’ CPU resources are hijacked to mine cryptocurrency, while the victims’ unused internet bandwidth is monetized for illicit residential proxy services.

“Furthermore, the use of proxyware, which typically consumes minimal CPU, enables stealthy operation that prevents detection of the additional monetization even if the crypto miner’s resource usage is throttled,” the researchers said. “This multi-layered monetization also enhances resilience: even if the crypto miner is detected and removed, the proxy component may remain unnoticed, ensuring continued revenue for the threat actor.”

Datadog said it also observed the threat actors abusing misconfigured Docker instances that are publicly accessible to spawn a new container, within which a malicious command is executed to fetch an additional payload from an external server and execute it.

Written in Go, the modular malware comes fitted with capabilities to achieve persistence, conduct file system I/O operations, terminate processes, perform in-memory execution. It also serves as a dropper for GSocket and IPRoyal, and attempts to propagate to other systems via SSH brute-force attacks.

“This demonstrates the threat actor’s willingness to compromise a diverse range of services – not just CMS providers – to achieve their objectives,” Datadog said.

Jul 23, 2025Ravie LakshmananWindows Security / Cryptocurrency

The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework called UI Automation (UIA) to harvest sensitive information.

“The new Coyote variant is targeting Brazilian users, and uses UIA to extract credentials linked to 75 banking institutes’ web addresses and cryptocurrency exchanges,” Akamai security researcher Tomer Peled said in an analysis.

Coyote, first revealed by Kaspersky in 2024, is known for targeting Brazilian users. It comes with capabilities to log keystrokes, capture screenshots, and serve overlays on top of login pages associated with financial enterprises.

Part of the Microsoft .NET Framework, UIA is a legitimate feature offered by Microsoft to allow screen readers and other assistive technology products to programmatically access user interface (UI) elements on a desktop.

That UIA can be a potential pathway for abuse, including data theft, was previously demonstrated as a proof-of-concept (PoC) by Akamai in December 2024, with the web infrastructure company noting that it could be used to steal credentials or execute code.

In some ways, Coyote’s latest modus operandi mirrors the various Android banking trojans that have been spotted in the wild, which often weaponize the operating system’s accessibility services to obtain valuable data.

Akamai’s analysis found that the malware invokes the GetForegroundWindow() Windows API in order to extract the active window’s title and compare it against a hard-coded list of web addresses belonging to targeted banks and cryptocurrency exchanges.

“If no match is found Coyote will then use UIA to parse through the UI child elements of the window in an attempt to identify browser tabs or address bars,” Peled explained. “The content of these UI elements will then be cross-referenced with the same list of addresses from the first comparison.”

As many as 75 different financial institutions are targeted by the latest version of the malware, up from 73 documented by Fortinet FortiGuard Labs earlier this January.

“Without UIA, parsing the sub-elements of another application is a nontrivial task,” Akamai added. “To be able to effectively read the contents of sub-elements within another application, a developer would need to have a very good understanding of how the specific target application is structured.”

“Coyote can perform checks, regardless of whether the malware is online or operating in an offline mode. This increases the chances of successfully identifying a victim’s bank or crypto exchange and stealing their credentials.”

Jul 20, 2025Ravie LakshmananDevOps / Threat Intelligence

Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers’ npm tokens.

The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories.

The list of affected packages and their rogue versions, according to Socket, is listed below –

• eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7)
• eslint-plugin-prettier (versions 4.2.2 and 4.2.3)
• synckit (version 0.11.9)
• @pkgr/core (version 0.2.8)
• napi-postinstall (version 0.3.1)
• got-fetch (versions 5.1.11 and 5.1.12)
• is (versions 3.3.1 and 5.0.0)

“The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution,” the software supply chain security firm said.

The development comes in the aftermath of a phishing campaign that has been found to send email messages impersonating npm in order to trick project maintainers into clicking on a typosquatted link (“npnjs[.]com,” as opposed to “npmjs[.]com”) that harvested their credentials.

The digital missives, with the subject line “Please verify your email address,” spoofed a legitimate email address associated with npm (“support@npmjs[.]org”), urging recipients to validate their email address by clicking on the embedded link.

The bogus landing page to which the victims are redirected to, per Socket, is a clone of the legitimate npm login page that’s designed to capture their login information.

Further analysis of the malware embedded within these packages has uncovered that the DLL, dubbed Scavenger Loader, is designed to bypass detection and deliver from an external server a stealer component codenamed Scavenger Stealer that’s capable of gathering sensitive data from web browsers, per researchers Cedric Brisson and Josh Reynolds.

But what makes the attack targeting “is” significant is that, unlike the Scavenger malware that only affects Windows systems, the payload fitted within it is wholly written in JavaScript, meaning it can run on Windows, Linux, and macOS machines. The malicious module captures system information and environment variables, and exfiltrate the details over a WebSocket connection.

“The campaign is deploying multiple payload families to maximize reach,” Socket said. “The ‘is’ variant drops no DLL; instead, it remains entirely in JavaScript, and maintains a live command-and-control (C2) channel.”

“Every message received over the socket is treated as executable JavaScript, giving the threat actor an instant, interactive remote shell. The payload executes with the same privileges as the host process, allowing unrestricted file system and network access.”

Developers who use the affected packages are advised to cross-check the versions installed and rollback to a safe version. Project maintainers are recommended to turn on two-factor authentication to secure their accounts, and use scoped tokens instead of passwords for publishing packages.

“This incident shows how quickly phishing attacks on maintainers can escalate into ecosystem-wide threats,” Socket said.

The findings coincide with an unrelated campaign that has flooded npm with 28 packages containing protestware functionality that can disable mouse-based interaction on websites with a Russian or Belarusian domain. They are also engineered to play the Ukrainian national anthem on a loop.

However, the attack only works when the site visitor has their browser language settings set to Russian and, in some cases, the same website is visited a second time, thereby ensuring that only repeat visitors are targeted. The activity marks an expansion of a campaign that was first flagged last month.

“This protestware underscores that actions taken by developers can propagate unnoticed in nested dependencies and may take days or weeks to manifest,” security researcher Olivia Brown said.

Arch Linux Removes 3 AUR Packages that Installed Chaos RAT Malware

It also comes as the Arch Linux team said it has pulled three malicious AUR packages that were uploaded to the Arch User Repository (AUR) and harbored hidden functionality to install a remote access trojan called Chaos RAT from a now-removed GitHub repository.

The affected packages are: “librewolf-fix-bin,” “firefox-patch-bin,” and “zen-browser-patched-bin.” They were published by a user named “danikpapas” on July 16, 2025.

“These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT),” the maintainers said. “We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.”

(The story was updated after publication on July 23, 2025, to include more information about the npm supply chain attack.)

Security experts have been talking about Kerberoasting for over a decade, yet this attack continues to evade typical defense methods. Why? It’s because existing detections rely on brittle heuristics and static rules, which don’t hold up for detecting potential attack patterns in highly variable Kerberos traffic. They frequently generate false positives or miss “low-and-slow” attacks altogether.

Is there a better and more accurate way for modern organizations to detect subtle anomalies within irregular Kerberos traffic? The BeyondTrust research team sought to answer this question by combining security research insights with advanced statistics. This article offers a high-level look into the driving forces behind our research and our process of developing and testing a new statistical framework for improving Kerberos anomaly detection accuracy and reducing false positives.

An Introduction to Kerberoasting Attacks

Kerberoasting attacks take advantage of the Kerberos network authentication protocol within Windows Active Directory environments. The Kerberos authentication process works as follows:

1. AS-REQ: A user logs in and requests a Ticket Granting Ticket (TGT).

2. AS-REP: The Authentication Server verifies the user’s credentials and issues a TGT.

3. TGS-REQ: When the user wants to request access to a service, they request a Ticket Granting Service Ticket (TGS) using the previously received TGT. This action is recorded as Windows Event 4769^[1] on the domain controller.

4. TGS-REP: The TGS verifies the request and issues a TGS, which is encrypted using the password hash of the service account associated with the requested service.

5. KRB-AP-REQ: For the user to authenticate against a service using the TGS ticket, they send it to the application server, which then takes various actions to verify the user’s legitimacy and allow access to the requested service.

Attackers aim to exploit this process because Kerberos service tickets are encrypted with the hash of the service account’s password. To take advantage of Kerberos tickets, attackers first leverage LDAP (Lightweight Directory Access Protocol) to query the directory for any AD accounts that have Service Principal Names (SPNs) associated with them. An attacker will then request Ticket Granting Service (TGS) tickets for these accounts, which can be done without any administrative rights. Once they have requested these service tickets, they can crack the hash offline to uncover the credentials of the service account. Access to a service account can then enable the attacker to move laterally, escalate privileges, or exfiltrate data.

Many organizations have heuristic-based detection methods in place to flag irregular Kerberos behavior. One common method is volume-based detection, which can flag a spike in TGS request activity from a single account. If an attacker requests TGS tickets for all service principal names they can find using LDAP, this detection method will likely identify this spike as suspicious activity. Another method, encryption-type analysis, can detect if an attacker attempts to downgrade the encryption of the requested TGS tickets from the default AES to a weaker type, such as RC4 or DES, in hopes of making their own job easier when they start to crack the hash.

While both of these static rule-based methods can work in some cases, they produce a notorious number of false positives. Additionally, they don’t factor in the user’s behaviors and irregularities unique to each organization’s domain configurations.

A Statistical Model for Detecting Kerberoasting Attacks

With these limitations in mind, the BeyondTrust research team sought to find a method that would both improve anomaly detection capabilities and reduce false positives. We found statistical modeling to be the best method, in which a model would be created that could estimate probability distribution based on contextual data patterns. The ability to predict normal user behavior would be key to flagging any abnormalities.

Our team laid out four constraints for our prospective statistical model, based on existing Kerberoasting research^{[2, 3]}:

1. Explainability: The ability to interpret the output with respect to a recognized, normalized, and easy to explain and track measure.
2. Uncertainty: The ability to reflect sample size and confidence in estimates, as opposed to the output being a simple binary indicator.
3. Scalability: The ability to limit the amount of cloud computing and data storage needed for updating model parameters per run.
4. Nonstationarity: The capacity to adapt to trends or other data changes over time, and incorporating these shifts into how anomalies are defined

The BeyondTrust research team worked to build out a model that aligned with the above constraints, eventually developing a model that groups similar ticket-request patterns into distinct clusters and then uses histogram bins to track the frequency of certain activity levels over time. The goal: to learn what ‘normal’ looks like for each cluster. We aimed to reduce false positives by grouping these like data patterns together, as events that could look suspicious in isolation would become normal when compared to similar data patterns.

Kerberoasting Statistical Model: Results

The team then tested the model across 50 days of data or roughly 1,200 hourly evaluation periods. The model’s results are as follows:

• Consistently achieved processing times under 30 seconds, including histogram updates, clustering operations, score calculations, percentile ranking, and result storage.
• Identified six anomalies with notable temporal patterns, such as uncorrelated spikes in narrow time windows, increased variance, and significant temporary shifts. Two were identified as penetration tests, one was the team’s simulated Kerberoasting attack, and three were related to large changes in Active Directory infrastructure that caused inadvertent spikes in Kerberos service ticket requests.
• Handled extreme variability in heavy-tailed accounts exceptionally well, appropriately down-weighting anomaly scores after observing just two consecutive spikes through dynamic sliding window updates and real-time percentile ranking. This level of adaptability is notably faster than standard anomaly detection methods

After conducting this research, the BeyondTrust research team was able to report early success by combining security expertise with advanced statistical techniques. Because there are inherent limitations of pure anomaly detection methodologies, collaboration between experts in security and data science was necessary for this success. While statisticians can create an adaptive model that takes variable behaviors into consideration, security researchers can offer needed context for identifying notable features within flagged events.

Conclusion

Altogether, this research proves that, even when considering decade-old attack patterns like Kerberoasting, there are clear paths forward in iterating and evolving on detection and response capabilities. Alongside considering the possibilities of novel detection capabilities, such as the ones described in this research, teams should also evaluate proactive identity security measures that reduce Kerberoasting risks before they ever occur.

Some solutions with identity threat detection and response (ITDR) capabilities, such as BeyondTrust Identity Security Insights, can help teams proactively identify accounts that are vulnerable to Kerberoasting due to improper use of service principals and the use of weak ciphers.

Precise, proactive measures, combined with smarter, more context-aware detection models, are essential as security teams continuously work to cut through noise and stay ahead of growing complexity and scale.

About the Authors:

Christopher Calvani, Associate Security Researcher, BeyondTrust

Christopher Calvani is a Security Researcher on BeyondTrust’s research team, where he blends vulnerability research with detection engineering to help customers stay ahead of emerging threats. A recent graduate of the Rochester Institute of Technology with a B.S. in Cybersecurity, Christopher previously supported large‑scale infrastructure at Fidelity Investments as a Systems Engineer intern and advanced DevSecOps practices at Stavvy.

Cole Sodja, Principal Data Scientist, BeyondTrust

Cole Sodja is a Principal Data Scientist at BeyondTrust with over 20 years of applied statistics experience across major technology companies including Amazon and Microsoft. He specializes in time series analysis, bringing deep expertise in forecasting, changepoint detection, and behavioral monitoring to complex business challenges.

Jul 23, 2025Ravie LakshmananSoftware Integrity / DevSecOps

Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ecosystems and prevent software supply chain attacks.

“As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers,” Matthew Suozzo, Google Open Source Security Team (GOSST), said in a blog post this week.

The project aims to provide build provenance for packages across the Python Package Index (Python), npm (JS/TS), and Crates.io (Rust) package registries, with plans to extend it to other open-source software development platforms.

With OSS Rebuild, the idea is to leverage a combination of declarative build definitions, build instrumentation, and network monitoring capabilities to produce trustworthy security metadata, which can then be used to validate the package’s origin and ensure it has not been tampered with.

“Through automation and heuristics, we determine a prospective build definition for a target package and rebuild it,” Google said. “We semantically compare the result with the existing upstream artifact, normalizing each one to remove instabilities that cause bit-for-bit comparisons to fail (e.g., archive compression).”

Once the package is reproduced, the build definition and outcome is published via SLSA Provenance as an attestation mechanism that allows users to reliably verify its origin, repeat the build process, and even customize the build from a known-functional baseline.

In scenarios where automation isn’t able to fully reproduce the package, OSS Rebuild offers a manual build specification that can be used instead.

OSS Rebuild, the tech giant noted, can help detect different categories of supply chain compromises, including –

• Published packages that contain code not present in the public source repository (e.g., @solana/web3.js)
• Suspicious build activity (e.g., tj-actions/changed-files)
• Unusual execution paths or suspicious operations embedded within a package that are challenging to identify through manual review (e.g., XZ Utils)

Besides securing the software supply chain, the solution can improve Software Bills of Materials (SBOMs), speed up vulnerability response, strengthen package trust, and eliminate the need for CI/CD platforms to be in charge of an organization’s package security.

“Rebuilds are derived by analyzing the published metadata and artifacts and are evaluated against the upstream package versions,” Google said. “When successful, build attestations are published for the upstream artifacts, verifying the integrity of the upstream artifact and eliminating many possible sources of compromise.”