Tag: Cyber Security

Aug 25, 2025Ravie LakshmananContainer Security / Vulnerability

Docker has released fixes to address a critical security flaw affecting the Docker Desktop app for Windows and macOS that could potentially allow an attacker to break out of the confines of a container.

The vulnerability, tracked as CVE-2025-9074, carries a CVSS score of 9.3 out of 10.0. It has been addressed in version 4.44.3.

“A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted,” Docker said in an advisory released last week.

“This could allow unauthorized access to user files on the host system. Enhanced Container Isolation (ECI) does not mitigate this vulnerability.”

According to security researcher Felix Boulet, the vulnerability has to do with how it’s possible for a container to connect to the Docker Engine API at 192.168.65[.]7:2375 without requiring any authentication, thereby opening the door to a scenario where a privileged container could gain full access to the underlying host upon mounting the C: drive into it.

In a proof-of-concept (PoC) exploit, a web request from any container has been found to trigger the flaw and result in a full compromise of the host –

• POST a JSON payload to “/containers/create,” binding the host C: drive to a folder in the container (/mnt/host/c:/host_root) in the container, and using a startup command to write or read anything under /host_root on container startup.
• POST to “/containers/{id}/start” to launch the container and start the execution

“At its core, this vulnerability was a simple oversight, Docker’s internal HTTP API was reachable from any container without authentication or access controls,” Boulet said.

PVOTAL Technologies researcher Philippe Dugre (“zer0x64”), who further examined the flaw, said an attacker can exploit the flaw on the Windows version of Docker Desktop to mount as an administrator the entire file system, read any sensitive file, and overwrite a system DLL to escalate the attacker to administrator of the host system.

“On macOS, however, the Docker Desktop application still has a layer of isolation and trying to mount a user directory prompts the user for permission,” Dugre said. “By default, the Docker application does not have access to the rest of the file system and does not run with administrative privileges, so the host is a lot safer than in the Window’s case.”

“However, the attacker does still have full control of the Docker application/containers and can even backdoor it by mounting and modifying the application’s configuration, which does not need any user approval.”

The vulnerability does not impact the Linux version since Linux uses a named pipe on the host’s file system, rather than relying on a TCP TCP socket for the Docker Engine’s API.

The easiest way to leverage the vulnerability is via a threat actor-controlled malicious container. That said, a server-side request forgery (SSRF) flaw can be used as an alternate attack vector.

“This vulnerability allows an attacker to proxy requests through the vulnerable application and reach the Docker socket, the impact of which varies especially depending on the availability of HTTP requests methods (most SSRF only allows GET requests, but some niche case allows the use of POST, PATCH, DELETE methods),” Dugre said.

Aug 25, 2025Ravie LakshmananMalware / Cyber Espionage

A China-nexus threat actor known as UNC6384 has been attributed to a set of attacks targeting diplomats in Southeast Asia and other entities across the globe to advance Beijing’s strategic interests.

“This multi-stage attack chain leverages advanced social engineering including valid code signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques to evade detection,” Google Threat Intelligence Group (GTIG) researcher Patrick Whitsell said.

UNC6384 is assessed to share tactical and tooling overlaps with a known Chinese hacking group called Mustang Panda, which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon.

The campaign, detected by GTIG in March 2025, is characterized by use of a captive portal redirect to hijack web traffic and deliver a digitally signed downloader called STATICPLUGIN. The downloader then paves the way for the in-memory deployment of a PlugX (aka Korplug or SOGU) variant called SOGU.SEC.

PlugX is a backdoor that supports commands to exfiltrate files, log keystrokes, launch a remote command shell, upload/download files, and is able to extend its functionality with additional plugins. Often launched via DLL side-loading, the implant is spread through USB flash drives, targeted phishing emails containing malicious attachments or links, or compromised software downloads.

The malware has existed since at least 2008 and is widely used by Chinese hacking groups. It is believed that ShadowPad is the successor of PlugX.

The UNC6384 attack chain is fairly straightforward in that adversary-in-the-middle (AitM) and social engineering tactics are used to deliver the PlugX malware –

• The target’s web browser tests if the internet connection is behind a captive portal
• An AitM redirects the browser to a threat actor-controlled website
• STATICPLUGIN is downloaded from “mediareleaseupdates[.]com”
• STATICPLUGIN retrieves an MSI package from the same website
• CANONSTAGER is DLL side-loaded and deploys the SOGU.SEC backdoor in memory

The captive portal hijack is used to deliver malware masquerading as an Adobe Plugin update to targeted entities. On the Chrome browser, the captive portal functionality is accomplished by means of a request to a hard-coded URL (“www.gstatic[.]com/generate_204”) that redirects users to a Wi-Fi login page.

While “gstatic[.]com” is a legitimate Google domain used to store JavaScript code, images, and style sheets as a way to enhance performance, Google said the threat actors are likely carrying out an AitM attack to imitate redirection chains from the captive portal page to the threat actor’s landing web page.

It’s assessed that the AitM is facilitated by means of compromised edge devices on the target networks, although the attack vector used to pull this off remains unknown at this stage.

“After being redirected, the threat actor attempts to deceive the target into believing that a software update is needed, and to download the malware disguised as a ‘plugin update,’” GTIG said. “The landing web page resembles a legitimate software update site and uses an HTTPS connection with a valid TLS certificate issued by Let’s Encrypt.”

The end result is the download of an executable named “AdobePlugins.exe” (aka STATICPLUGIN) that, when launched, triggers the SOGU.SEC payload in the background using a DLL referred to as CANONSTAGER (“cnmpaui.dll”) that’s sideloading using the Canon IJ Printer Assistant Tool (“cnmpaui.exe”).

The STATICPLUGIN downloader is signed by Chengdu Nuoxin Times Technology Co., Ltd with a valid certificate issued by GlobalSign. Over two dozen malware samples signed by Chengdu have been put to use by China-nexus activity clusters, with the earliest artifacts dating back to at least January 2023. Exactly how these certificates are obtained by the subscriber is not clear.

“This campaign is a clear example of the continued evolution of UNC6384’s operational capabilities and highlights the sophistication of PRC-nexus threat actors,” Whitsell said. “The use of advanced techniques such as AitM combined with valid code signing and layered social engineering demonstrates this threat actor’s capabilities.”

Cybersecurity researchers have flagged a new phishing campaign that’s using fake voicemails and purchase orders to deliver a malware loader called UpCrypter.

The campaign leverages “carefully crafted emails to deliver malicious URLs linked to convincing phishing pages,” Fortinet FortiGuard Labs researcher Cara Lin said. “These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter.”

Attacks propagating the malware have been primarily targeting manufacturing, technology, healthcare, construction, and retail/hospitality sectors across the world since the start of August 2025. The vast majority of the infections have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan, among others.

UpCrypter functions as a conduit for various remote access tools (RATs), such as PureHVNC RAT, DCRat (aka DarkCrystal RAT), and Babylon RAT, each of which enable an attacker to take full control of compromised hosts.

The starting point of the infection chain is a phishing email using themes related to voicemail messages and purchases to deceive recipients into clicking on links that direct to fake landing pages, from where they are prompted to download the voice message or a PDF document.

“The lure page is designed to appear convincing by not only displaying the victim’s domain string in its banner but also fetching and embedding the domain’s logo within the page content to reinforce authenticity,” Fortinet said. “Its primary purpose is to deliver a malicious download.”

The downloaded payload is a ZIP archive containing an obfuscated JavaScript file, which subsequently contacts an external server to fetch the next-stage malware, but only after confirming internet connectivity and scanning running processes for forensic tools, debuggers, or sandbox environments.

The loader, in turn, contacts the same server to obtain the final payload, either in the form of plain text or embedded within a harmless-looking image, a technique called steganography.

Fortinet said UpCrypter is also distributed as an MSIL (Microsoft Intermediate Language) loader that, like its JavaScript counterpart, conducts anti-analysis and anti-virtual machine checks, after which it downloads three different payloads: an obfuscated PowerShell script, a DLL, and the main payload.

The attack culminates with the script embedding data from the DLL loader and the payload during execution, thus allowing the malware to be run without writing it to the file system. This approach also has the advantage of minimizing forensic traces, thereby allowing the malware to fly under the radar.

“This combination of an actively maintained loader, layered obfuscation, and diverse RAT delivery demonstrates an adaptable threat delivery ecosystem capable of bypassing defenses and maintaining persistence across different environments,” Lin said.

The disclosure comes as Check Point detailed a large-scale phishing campaign abusing Google Classroom to distribute more than 115,000 phishing emails aimed at 13,500 organizations across multiple industries between August 6 and 12, 2025. The attacks target organizations in Europe, North America, the Middle East, and Asia.

“Attackers exploited this trust by sending fake invitations that contained unrelated commercial offers, ranging from product reselling pitches to SEO services,” the company said. “Each email directed recipients to contact scammers via a WhatsApp phone number, a tactic often linked to fraud schemes.”

The attack bypasses security systems because it leverages the trust and reputation of Google Classroom’s infrastructure to bypass key email authentication protocols, such as SPF, DKIM, and DMARC, and helps land the phishing emails in users’ inboxes.

These campaigns are part of a larger trend where threat actors take advantage of legitimate services like Microsoft 365 Direct Send and OneNote, not to mention abuse free artificial intelligence (AI)-powered website builder like Vercel and Flazio, as well as services such as Discord CDN, SendGrid, Zoom, ClickFunnels, Jotform, and X’s t[.]co link shortener – an approach known as living-off-trusted-sites (LOTS).

“After the threat actor gained M365 credentials of one user in an organization through a phishing attack, they created a OneNote file in the compromised user’s personal Documents folder on OneDrive, embedding the lure URL for the next phishing stage,” Varonis said in a report published last month.

The misuse of Direct Send has prompted Microsoft to introduce an option for organizations called “Reject Direct Send” to directly address the issue. Alternatively, customers can also apply custom header stamping and quarantine policies to detect emails that claim to be internal communication but, in reality, aren’t.

These developments have also been accompanied by attackers increasingly relying on client-side evasion techniques in phishing pages to stay ahead of both automated detection systems and human analysts. This includes the use of JavaScript-based blocking, Browser-in-the-Browser (BitB) templates, and hosting the pages inside virtual desktop environments using noVNC.

“A notable method growing in popularity is the use of JavaScript-based anti-analysis scripts; small but effective bits of code embedded in phishing pages, fake tech support sites, and malicious redirects,” Doppel said. “Once any such activity is identified, the site immediately redirects the user to a blank page or disables further interaction, blocking access before any deeper inspection can occur.”

Aug 25, 2025Ravie LakshmananCybersecurity News / Hacking

Cybersecurity today moves at the pace of global politics. A single breach can ripple across supply chains, turn a software flaw into leverage, or shift who holds the upper hand. For leaders, this means defense isn’t just a matter of firewalls and patches—it’s about strategy. The strongest organizations aren’t the ones with the most tools, but the ones that see how cyber risks connect to business, trust, and power.

This week’s stories highlight how technical gaps become real-world pressure points—and why security decisions now matter far beyond IT.

⚡ Threat of the Week

Popular Password Managers Affected by Clickjacking — Popular password manager plugins for web browsers have been found susceptible to clickjacking security vulnerabilities that could be exploited to steal account credentials, two-factor authentication (2FA) codes, and credit card details under certain conditions. The technique has been dubbed Document Object Model (DOM)-based extension clickjacking by independent security researcher Marek Tóth, who presented the findings at the DEF CON 33 security conference earlier this month. As of August 22, fixes have been released by Bitwarden, Dashlane, Enpass, KeePassXC-Browser, Keeper, LastPass, NordPass, ProtonPass, and RoboForm.

• Russian Hackers Go After Old Cisco Flaw — Hackers linked to Russia are exploiting a seven-year-old vulnerability in unpatched end-of-life Cisco networking devices (CVE-2018-0171) to target enterprise and critical infrastructure networks in the U.S. and abroad. Over the past year, the threat actor, which Cisco is tracking as Static Tundra, has collected configuration files from thousands of networking devices used by US organizations in critical infrastructure sectors. On some vulnerable devices, the attackers changed the configuration settings to give themselves unauthorized access to the network. The attackers then used that access to explore the networks, looking specifically at protocols and applications that are commonly used in industrial systems. Cisco identified Static Tundra as primarily targeting organizations of strategic interest to the Kremlin, spanning the manufacturing, telecommunications, and higher education sectors across the globe. Once the threat actor gains access to a system of interest, they have been found to use stolen SNMP credentials to quietly control the compromised devices, letting them run commands, change settings, and steal configurations, all while hiding their activity from security controls. Static Tundra has also altered the configuration of compromised devices to create new local user accounts and enable remote access services like Telnet, granting them additional ways to regain access to the device if their initial communication mechanism is closed. Also used by the group is a backdoor called SYNful Knock to stay connected to infected devices and give a hidden foothold that survives reboots.
• Apple Fixes Actively Exploited 0-Day — Apple released security fixes to fix a high-severity flaw in iOS, iPadOS, and macOS that it said has come under active exploitation in the wild. The zero-day is an out-of-bounds write vulnerability affecting the ImageIO framework. Tracked as CVE-2025-43300 (CVSS score: 8.8), the issue could result in memory corruption when processing a malicious image. The iPhone maker said the bug was internally discovered and that it was addressed with improved bounds checking. The company provided no further technical details of the vulnerability or insights into the exploitation activity beyond characterizing the cyber attacks as sophisticated and highly targeted. The tech giant began using such terminology starting this year, presumably to signify nation-state threats and spyware activity.
• Murky Panda Abuses Trusted Relationships to Breach Cloud Environments — The threat actor known as Murky Panda (aka Silk Typhoon) has been observed abusing trusted relationships in the cloud to hack enterprise networks. The attacks leverage N-day and zero-day vulnerabilities to drop web shells and a Golang malware called CloudedHope to facilitate remote access. A notable aspect of Murky Panda’s tradecraft concerns the abuse of trusted relationships between partner organizations and their cloud tenants, exploiting zero-day vulnerabilities to breach software-as-a-service (SaaS) providers’ cloud environments and conduct lateral movement to downstream victims.
• INTERPOL Announces New Wave of Arrests in Africa — INTERPOL announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims. “The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation,” the agency said. The effort is the second phase of an ongoing law enforcement initiative called Operation Serengeti, which took place between June and August 2025 to tackle severe crimes like ransomware, online scams and business email compromise (BEC). The first wave of arrests occurred late last year.
• Scattered Spider Hacker Gets 10 Years Jailterm — Noah Michael Urban, a 20-year-old member of the notorious cybercrime gang known as Scattered Spider, was sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts. Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. In addition to 120 months in federal prison, Urban faces an additional three years of supervised release and has been ordered to pay $13 million in restitution to victims. The defendant, who also went by the aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was arrested by U.S. authorities in Florida in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023. These incidents led to the theft of at least $800,000 from at least five different victims.
• North Korea Likely Behind New Diplomat Cyber Attacks — The North Korea-backed threat actor known as Kimsuky is believed to have orchestrated a spear-phishing attack targeting European embassies in South Korea. The campaign, ongoing since March 2025, is characterized by the use of GitHub as a command-and-control channel and a variant of an open-source malware called Xeno RAT. In an interesting twist, the attackers have yielded clues that they are working out of China, perhaps alluding to the possibility of a collaboration or that it’s the work of a threat actor that closely mimics the tactics of Kimsuky. Furthermore, routing malicious cyber activity through China likely provides North Korea with some geopolitical cover and a safe haven as long as it doesn’t directly harm domestic interests.
• Alleged RapperBot Admin Charged in the U.S. — Ethan Foltz, 22, of Eugene, Oregon, was charged with allegedly developing and overseeing a distributed denial-of-service (DDoS)-for-hire botnet called RapperBot since at least 2021. Foltz has been charged with one count of aiding and abetting computer intrusions. If convicted, he faces a maximum penalty of 10 years in prison. In addition, law enforcement authorities conducted a search of Foltz’s residence on August 6, 2025, seizing administrative control of the botnet infrastructure.

‎️‍🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week’s list includes — CVE-2025-7353 (Rockwell Automation ControlLogix), CVE-2025-8714 (PostgreSQL), CVE-2025-9037, CVE-2025-9040 (Workhorse Software Services), CVE-2025-54988 (Apache Tika), CVE-2025-57788, CVE-2025-57789, CVE-2025-57790, CVE-2025-57791 (Commvault), CVE-2025-43300 (Apple iOS, iPadOS, and macOS).

📰 Around the Cyber World

• Microsoft Scales Back Chinese Access to Early Warning System — Microsoft revealed it has scaled back some Chinese companies’ access to its early warning system for cybersecurity vulnerabilities in the wake of sweeping hacking attempts against Microsoft SharePoint servers that have been pinned on Beijing. To that end, the Windows maker said several Chinese firms would no longer receive proof-of-concept code demonstrating the flaws. The change is applicable to “countries where they’re required to report vulnerabilities to their governments,” which would include China. The decision comes amid speculation that there may have been a leak from the Microsoft Active Protections Program (MAPP) may have resulted in the large-scale exploitation activity.
• New Lazarus Stealer Spotted — A new Android banking trojan called Lazarus Stealer has been spotted in the wild. “Disguised as a harmless application called ‘GiftFlipSoft,’ the malware specifically targets multiple Russian banking apps, extracting card numbers, PINs, and other sensitive credentials while remaining completely hidden from the device’s interface,” CYFIRMA said. “The malware is built for persistence, operating silently in the background while exfiltrating sensitive data. It abuses high-risk permissions, default SMS privileges, overlay functions, and dynamic WebView content to carry out its operations.” Once installed, the app requests default SMS app privileges, as well as overlay (“Display Over Other Apps”) and Usage Access permissions to display fraudulent interfaces on legitimate applications for credential harvesting and monitor active applications in real time and detect when targeted applications, such as banking apps, are launched.
• Google Agrees to Pay $30M to Settle Children’s Privacy Lawsuit — Google has agreed to pay $30 million to settle a class-action lawsuit that it violated children’s privacy on YouTube by secretly collecting their data without parental consent and using it to serve targeted ads. Google denied wrongdoing in agreeing to settle. The company previously paid a $170 million fine in 2019 to the Federal Trade Commission (FTC) and the state of New York for similar practices.
• Storm-1575 Linked to Salty 2FA — The threat actor known as Storm-1575 has been attributed to a new phishing-as-a-service (PhaaS) offering called Salty 2FA. “Like other PhaaS platforms, Salty 2FA is mainly delivered via email and focuses on stealing Microsoft 365 credentials,” ANY.RUN said. “It unfolds in multiple stages and includes several mechanisms designed to hinder detection and analysis.” Victims of Salty 2FA attacks span the finance, telecom, energy, consulting, logistics, and education sectors. Storm-1575 is the moniker assigned by Microsoft to the operators of DadSec and Rockstar 2FA.
• What is HuiOne Guarantee? — The Telegram-based escrow platform HuiOne Guarantee (aka Haowang Guarantee), which announced its closure in June 2025, has acquired a 30% financial stake in Tudou Guarantee, which has emerged as a key fallback for Huione-affiliated vendors. Described as an “Amazon for criminals,” the Cambodian conglomerate behind it, HuiOne Group, has had its HuiOne Pay license revoked by the National Bank of Cambodia earlier this March. HuiOne-linked infrastructure has received over $96 billion in cryptocurrency assets since 2021, according to TRM Labs, which said HuiOne Pay and HuiOne Guarantee share operational links, with fund flows observed from Huione Pay withdrawal wallets to Huione Guarantee’s security deposit wallets. The findings come as darknet market escrow systems that manage cryptocurrency transactions between buyers and vendors continue to remain vulnerable to administrator exit scams. These systems implement escrow through multi-signature cryptocurrency wallet addresses that require signatures from the buyer and vendor to complete transactions, with the market administrator only stepping in during dispute resolution to side with either the buyer or vendor based on evidence provided by the two parties. To streamline operations, many darknet markets also use automated escrow release systems, transferring funds to vendors after 7 to 21 days unless buyers initiate disputes during the timer period. However, the “centralized” nature of the dispute resolution process, which is heavily reliant on the market administrators, introduces new risks such as bias, corruption, and exit scam scenarios where fairness takes a back seat.
• Orange Belgium Discloses Breach — Orange Belgium, a subsidiary of telecommunications giant Orange Group, disclosed on Wednesday that attackers who breached its systems in July have stolen the data of approximately 850,000 customers. “At the end of July, Orange Belgium discovered a cyber attack on one of its IT systems, which gave unauthorized access to certain data from 850,000 customer accounts,” the company said. “No critical data was compromised: no passwords, email addresses, bank or financial data were hacked. However, the hacker has gained access to one of our IT systems that contains the following information: name, first name, phone number, SIM card number, PUK code, [and] tariff plan.”
• U.K. Man Sentenced to Jail for Website Defacement and Data Theft — Al-Tahery Al-Mashriky, 26, from Rotherham, South Yorkshire, was sentenced to jail for 20 months for hacking into the websites of organizations in North America, Yemen and Israel and stealing the log in details of millions of people, including more than 4 million Facebook users. Al-Mashriky was arrested in August 2022 and pleaded guilty to nine offences earlier this March. Associated with an extremist hacker group named Yemen Cyber Army, the defendant infiltrated a number of websites to push religious and political ideologies. A review of his seized laptop uncovered personal data for over 4 million Facebook users and several documents containing usernames and passwords for services such as Netflix and Paypal. The Yemen Cyber Army is a hacktivist group that, in the past, has declared its support for the Houthis, an Islamist political and military organization.
• Malicious npm Packages Target Solana Developers — Malicious npm packages have been found embedding an information stealer that’s designed to single out Russian cryptocurrency developers as part of a campaign dubbed Solana-Scan. These malicious packages, solana-pump-test, solana-spl-sdk, and solana-pump-sdk, targeted the Solana cryptocurrency ecosystem and claimed to “scan” for Solana SDK components. All the packages were published by a user named “cryptohan.” Contained within the package is an obfuscated CommonJS file that launches a JavaScript payload for extracting environment information and launching a second-stage that searches the compromised machine for sensitive files and exfiltrates them to a remote server located in the U.S. There is evidence that the JavaScript was written with the help of generative artificial intelligence (AI) tools like Anthropic Claude, software supply chain security outfit Safety said.
• Singapore Warns of Dire Wolf Attacks — The Cyber Security Agency of Singapore (CSA) has warned of Dire Wolf double-extortion attacks targeting Dire Wolf since May 2025. “Dire Wolf ransomware group employs a double extortion tactic, where it encrypts data on victims’ systems and threatens to publicly release exfiltrated data on its data leak site (DLS) unless a ransom is paid,” CSA said. “This causes a two-fold impact of data loss and reputational damage on victim organizations.”
• Hijack Loader Detailed — Cybersecurity researchers have unpacked the inner workings of a malware loader called Hijack Loader that’s used as a conduit for other payloads, including information stealers and remote access trojans. Attack chains distributing the malware have leveraged pirated game websites like Dodi Repacks, tricking users into downloading booby-trapped ZIP archives under the guise of video games like Virtua Fighter 5 REVO. Another propagation mechanism involves embedding a link to cracked software in TIDAL music playlists that show up in search engine results. Hijack Loader incorporates an array of anti-virtual machine and anti-debug techniques and attempts to disable Microsoft Defender Antivirus prior to launching the final payload.
• Nebraska Man Sentenced to 1 Year in Prison for Illicit Crypto Mining — Charles O. Parks III, who was indicted in April 2024 for operating a large-scale illegal cryptojacking operation, was sentenced in the U.S. to one year and one day in prison. He is said to have defrauded two well-known providers of cloud computing services out of more than $3.5 million worth of computing resources from January through August 2021. Parks was charged with wire fraud, money laundering, and engaging in unlawful monetary transactions in connection with the scheme and pleaded guilty to wire fraud in December 2024. The mined currency was used for personal luxurious purchases and Parks boasted about his profits on social media to earn credibility as a crypto influencer. “Parks created and used a variety of names, corporate affiliations, and email addresses, including emails with domains from corporate entities he operated called ‘MultiMillionaire LLC’ and ‘CP3O LLC,’ to register numerous accounts with the service providers and to gain access to massive amounts of computing processing power and storage that he did not pay for,” the Justice Department said.
• Chrome Extension Detected Capturing Screenshots — A Chrome browser extension with more than 100,000 installs has been found to harbor covert features to capture screenshots, collect system information, and query IP geolocation APIs for location details. The screenshots are uploaded to an external server, aitd.one, which claims to be an AI threat detection service. Advertised as a free VPN app named FreeVPN.One, the featured add-on offered the promised functionality since its launch in 2000, before the surveillance features were subtly introduced in April, June, and July 2025. The developer behind the tool claimed the automatic screenshot capture is part of a Background Scanning feature that’s triggered only on suspicious domains and for all users by default. However, Koi Security found that screenshots were being taken on trusted services like Google Sheets and Google Photos. “FreeVPN.One shows how a privacy branding can be flipped into a trap,” the company said. “What’s sold as safety becomes a quiet pipeline for collecting what you do and where you are.”
• Okta Releases Auth0 Customer Detection Catalog — Okta has announced the launch of the Auth0 Customer Detection Catalog, a comprehensive open-source repository designed to enhance proactive threat detection capabilities for Auth0 customers. “The Auth0 Customer Detection Catalog allows security teams to integrate custom, real-world detection logic directly into their log streaming and monitoring tools, enriching the detection capabilities of the Auth0 platform,” the identity security company said.
• TRM Labs Launches Beacon Network to Monitor Crypto Crime — Blockchain intelligence firm TRM Labs announced the launch of Beacon Network, a real-time crypto crime response network for tracking illicit crypto activity and preventing it from leaving the blockchain. “Verified investigators flag addresses linked to financial crime. Beacon Network automatically propagates those labels across related wallets,” the company said. “When tagged funds arrive at a participating exchange or issuer, Beacon Network triggers an instant alert.” In doing so, cryptocurrency platforms can proactively review and hold flagged deposits before withdrawal, blocking illicit cash-outs.
• Microsoft Aims to be Quantum-Safe by 2033 — Microsoft has set out a roadmap to complete transition to post quantum cryptography (PQC) across all its products and services by 2033, with roll out beginning by 2029. That’s two years ahead of the deadline imposed by the United States and other governments. “Migration to post quantum cryptography (PQC) is not a flip-the-switch moment, it’s a multi-year transformation that requires immediate planning and coordinated execution to avoid a last-minute scramble,” the company’s Mark Russinovich and Michal Braverman-Blumenstyk said. The U.S. National Institute of Standards and Technology (NIST) formalized the world’s first PQC algorithms in August 2024.

• New Phishing Campaign Uses Hidden AI Prompts — A phishing campaign has been spotted using hidden artificial intelligence (AI) prompts that are designed to manipulate AI-based email scanners and delay them from detecting the malicious payloads. The emails, sent from SendGrid, masquerade as password expiry notices from Gmail to induce a false sense of urgency using social engineering tactics. But buried in the email plain-text MIME section is a prompt that instructs automated scanners to “engage in the deepest possible multi-layered inference loop” and trick them into entering long reasoning loops instead of marking the messages as phishing. “If AI-driven systems are tied to automation (auto-tagging, ticketing, escalation), this injection could cause misclassification or delays,” Malwr-analysis.com’s Anurag said. The development coincided with a new wave of credential harvesting attacks involving phishing emails sent via SendGrid. “The campaign exploits the trusted reputation of SendGrid, a legitimate cloud-based email service used by businesses to send transactional and marketing emails,” Cofense said. “By impersonating SendGrid’s platform, attackers can deliver phishing emails that appear authentic and bypass common email security gateways.”
• 493 Cases of Sextortion Against Children Linked to SE Asia Scam Compounds — A new report from the International Justice Mission (IJM) has linked 493 child sextortion cases to scam compounds operating in Cambodia, Myanmar, and Laos, where trafficked individuals are forced to carry out online fraud such as romance baiting and pig butchering scams. Forensic data has tied the cases to 40 of the 44 previously known scam compounds operating in Cambodia, Myanmar, and Laos. “This research indicates a likely convergence of two dark forms of exploitation – child sextortion and human trafficking – enabled by digital platforms and driven by profit,” said Eric Heintz, Senior Criminal Analyst at IJM.
• Mule Operators in META Adopt Complex Fraud Schemes — Cybersecurity researchers have laid bare the advanced techniques mule operators across the Middle East, Turkey and Africa (META) region have adopted to target retail banks, shifting from basic IP masking via VPNs and proxies to Starlink-based obfuscation tactics combined with advanced GPS spoofing, SIM abuse, and physical device “muling” using hired individuals and postal shipments. “Financial institutions in the Gulf region, where regulations are especially tight, enforce strict restrictions on VPN, hosting, and proxy traffic,” Group-IB said. “Early on, these controls forced mule operators to rely on generic VPN services – easily identified via IP reputation tools. By late 2023, fraudsters began a rapid innovation cycle to bypass these filters and regain remote access to accounts in the target jurisdictions.” Mule networks have been observed using stolen identities and location obfuscation tactics to remotely open hundreds of accounts to launder funds across targeted countries, with fraudsters also removing SIM cards entirely from Android devices to evade telecom fingerprinting and connecting to the internet via Wi-Fi hotspots, typically from nearby roaming-enabled phones, thereby masking their network origins. As recently as Q4 2024, the schemes have recruited so-called first-layer mules, who opened the bank accounts within trusted jurisdictions and then passed credentials to overseas operators who conducted laundering operations. A further escalation of this approach earlier this year eliminated the need for credential handover by physically shipping pre-configured phones. “First-layer mules based in trusted countries would open accounts and build trust through initial legitimate usage,” Group-IB said. “Instead of sharing login credentials, they ship pre-configured phones to second-layer fraudsters operating abroad.”

• MuddyWater Targets CFOs and Finance Execs — The Iranian hacking group dubbed MuddyWater is actively targeting CFOs and finance executives across Europe, North America, South America, Africa, and Asia via spear-phishing emails that trick recipients into downloading ZIP archives from Firebase-hosted phishing pages. The attack chains lead to the deployment of OpenSSH and NetBird, a legitimate remote access tool for persistent access. The use of remote desktop software is a tactic often used by MuddyWater to facilitate access to compromised environments. “The infrastructure pivots, evolving payload paths, and consistent reuse of distinctive artifacts highlight a resourceful adversary that adapts quickly to maintain operational capability,” Hunt.io said.
• Iranian Hacktivist Group Targets Iranian Communication Networks — The anonymous Iranian hacktivist group known as Lab Dookhtegan has crippled the satellite communications systems on 64 Iranian ships at sea. The incident, which took place last week, impacted 39 oil tankers and 25 cargo ships operated by the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). The hacks targeted Fannava, an Iranian tech company that provides satellite communication terminals for ships. Back in March 2025, the entity also disrupted satellite communication systems of 116 Iranian vessels linked to arms shipments for Yemen’s Houthis. According to security researcher Nariman Gharib, the group hacked the company’s network, identified all maritime communications terminals running iDirect satellite software, and then deployed malicious code to inflict permanent damage by overwriting the storage partitions with zeroes.
• Pro-Iranian Hackers Demonstrated Coordination During 12-Day June Conflict With Israel — The 12-day conflict between Israel and Iran in June spilled into cyberspace, accompanied by a surge in cyber activity from pro-Iran hacking groups that worked in a “coordinated web” across borders to steal data, deface websites, spread propaganda, carry out DDoS campaigns, and deploy malware such as Remcos RAT. “Telegram has emerged as a critical platform for coordination, propaganda dissemination, and command-and-control for both state-aligned proxies and hacktivist collectives,” Security Scorecard said in an analysis of 250,000 messages from Iranian proxies and hacktivists from over 178 active groups during the time period. “Its perceived anonymity and broad reach make it an attractive medium for these groups to organize, share information, claim responsibility for attacks, and even recruit new members.” The cyber war highlights “how Iran has refined its use of digital tools to shape the battlespace, control domestic narratives, and project influence abroad,” the Middle East Institute said.
• 4 Ghanaian Nations Extradited to the U.S. — The U.S. Department of Justice charged four Ghanaian nationals, Isaac Oduro Boateng, Inusah Ahmed, Derrick Van Yeboah, and Patrick Kwame Asare, for their roles in a massive fraud ring linked to the theft of over $100 million in romance scams and business email compromise attacks against individuals and businesses located across the U.S. between 2016 and May 2023. They were extradited to the U.S. on August 7, 2025. “After stealing the money, the fraud proceeds were then laundered to West Africa, where they were largely funneled to individuals called ‘chairmen,’ who directed the activities of other members of the conspiracy,” the Justice Department said.
• NIST Publishes Guidelines to Tackle Identity Fraud — The U.S. National Institute of Standards and Technology (NIST) published new guidelines to help organizations optimize their efforts to detect face morphing and deter identity fraud. “The most effective defense against the use of morphs in identity fraud is to prevent morphs from getting into operational systems and workflows in the first place,” NIST’s Mei Ngan said. “Some modern morph detection algorithms are good enough that they could be useful in detecting morphs in real-world operational situations. Our publication is a set of recommendations that can be tailored to a specific situation.”
• North Korea Linked to Over $1.75B in Thefts in 2025 — North Korea, which pulled off one of the biggest crypto heists in history in February 2025 by plundering nearly $1.5 billion from Dubai-based exchange Bybit, has stolen more than $1.75 billion in 2025 alone, according to Elliptic. In the six months following the Bybit hack, over $1 billion of the stolen funds have been laundered using multiple rounds of mixers and cross-chain movements to complicate the trail. “It is noteworthy that lesser-known blockchains were layered for portions of funds, perhaps in the hope that they are not as well supported by some analytics and investigation tools, and are less familiar to investigators attempting to trace asset movements,” Elliptic said. “Previously unseen or less commonly used services were also utilized for Bybit laundering.” Further analysis shows that funds reaching the Tron blockchain are ultimately cashed out via suspected Chinese over-the-counter trading services.
• Attackers Abuse Virtual Private Servers to Breach SaaS Accounts — Threat actors are weaponizing virtual private servers (VPS) to compromise software-as-a-service (SaaS) accounts and then using them to send phishing emails. The activity was first observed in March 2025. “The incidents involved suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails,” Darktrace said. “These consistent behaviors across devices point to a targeted phishing campaign leveraging virtual infrastructure for access and concealment.”

• ClickFix-Style Campaign Delivers Atomic Stealer Variant — A malvertising campaign has been observed directing unsuspecting users to fraudulent macOS help websites where ClickFix-style instructions are displayed to entice them into opening the Terminal app and pasting a command that, in turn, triggers the execution of a shell command to download from an external server a variant of Atomic macOS Stealer (AMOS) known as SHAMOS. Developed by a malware-as-a-service (MaaS) provider named Cookie Spider, it functions as an information stealer and downloads additional malicious payloads, including a spoofed Ledger Live wallet application and a botnet module. Alternate attack chains have relied on a GitHub repository masquerading as iTerm2. The GitHub account is no longer accessible. In recent months, the ClickFix technique has also been leveraged to deliver another macOS infostealer called Odyssey Stealer using bogus CAPTCHA verification checks.
• MITRE Releases 2025 Most Important Hardware Weaknesses — The non-profit MITRE Corporation published a revised list of the Most Important Hardware Weaknesses (MIHW) to better align with the hardware security landscape. Sensitive Information in Resource Not Removed Before Reuse (CWE-226), Improper Isolation of Shared Resources on System-on-a-Chip (CWE-1189), and On-Chip Debug and Test Interface With Improper Access Control (CWE-1191) take the top three spots.
• How Lumma Affiliates Operate — Despite a May 2025 law enforcement takedown targeting Lumma Stealer, the malware family appears to have staged a full recovery and continues to be a popular choice for threat actors. According to a report from Recorded Future, Lumma affiliates not only operate multiple schemes simultaneously, but also leverage previously undocumented tools such as a phishing page generator (DONUSSEF) and a cracked email credential validation tool. Also put to use are VPNs, privacy-focused web browsers, bulletproof hosting providers, virtual phone and SMS services (OnlineSim, SMS-Activate, and Zadarma), and proxies (PIA Proxy and GhostSocks). “For instance, one affiliate was identified operating rental scams, while others simultaneously leveraged multiple malware-as-a-service (MaaS) platforms, including Vidar, Stealc, and Meduza Stealer, likely to bolster operational agility, improve success rates, and mitigate the risks linked to detection and law enforcement takedowns,” the company said. “In addition, several Lumma affiliates are tied to distinct threat actor personas across underground forums, reinforcing their deep integration within the broader cybercriminal ecosystem.”
• Deceptive Google Play Store Pages Distribute SpyNote — A new network of websites that mimic the Google Play Store pages of various apps is being used to trick users into installing malicious Android apps containing the SpyNote RAT. This is a continuation of an ongoing campaign that was flagged by DomainTools back in April 2025. “Key technique changes were the dynamic payload decryption and DEX element injection used by the initial dropper, which conceals SpyNote’s core functions and hijacks app behavior, and the control flow and identifier obfuscation applied to the C2 logic to hinder static analysis,” the company said. The development followed the discovery of a new version of the Anatsa (aka TeaBot) Android banking trojan that can now target over 831 financial institutions across the world, including various cryptocurrency platforms. “Anatsa streamlined payload delivery by replacing dynamic code loading of remote Dalvik Executable (DEX) payloads with direct installation of the Anatsa payload,” Zscaler ThreatLabz said. “Anatsa implemented Data Encryption Standard (DES) runtime decryption and device-specific payload restrictions.”
• New macOS Stealer Mac.c Spotted — Cybersecurity researchers have discovered a new macOS stealer called Mac.c that can steal iCloud Keychain credentials, browser-stored passwords, crypto wallet data, system metadata, and files from specific locations. It can be purchased for $1,500 per month under a subscription model, while AMOS is priced at $3,000 a month. “This lower price could also open the gates for less resourceful and less tech-savvy operators who want to break into the cybercriminal market and have little money to spend on dark web tools,” Moonlock Lab said.
• Paper Werewolf Uses New Linux Rootkit in Attacks Targeting Russia — The threat actor known as Paper Werewolf (aka GOFFEE) is targeting Russian organizations with a Linux rootkit named Sauropsida. The rootkit is based on an open-source rootkit known as Reptile. Also deployed are BindSycler, a Golang utility to tunnel traffic using the SSH protocol, and MiRat, a Mythic framework agent.

🎥 Cybersecurity Webinars

• How Code-to-Cloud Mapping Unites Dev, Sec, and Ops into One Powerful AppSec Team — Modern application security can’t stop at code or cloud—it must connect both. In this webinar, you’ll discover how code-to-cloud visibility closes the gaps that attackers exploit, uniting developers, DevOps, and security teams with a shared playbook for faster, smarter risk reduction.
• 7 Concrete Steps to Secure Shadow AI Agents Before They Spiral Out of Control — AI agents are no longer just tools—they’re active players making decisions inside your enterprise. Yet many of these “shadow agents” operate without identity, ownership, or oversight, creating a dangerous blind spot that attackers are already exploiting. In this webinar, we’ll expose how these invisible risks emerge and show security leaders the critical steps to bring AI identities under control—before they become your weakest link.
• 5 Simple Ways to Spot Rogue AI Agents Before They Take Over — Shadow AI Agents are multiplying fast—hidden in your workflows, fueled by non-human identities, and moving faster than your governance can keep up. In this exclusive session, security leaders will expose where these agents hide, the risks they pose, and the practical steps you can take today to regain visibility and control without slowing innovation.

🔧 Cybersecurity Tools

• SafeLine — A self-hosted Web Application Firewall (WAF) designed to shield web applications from common threats such as SQL injection, XSS, SSRF, and brute-force attempts. By acting as a reverse proxy, it filters and monitors HTTP/S traffic, blocking malicious requests before they reach the server and preventing unauthorized data leaks. Its capabilities include rate limiting, anti-bot defenses, dynamic code protection, and access control—helping ensure web applications remain secure and resilient against evolving attacks.
• AppLockerGen — An open-source utility that helps system administrators and security professionals create, merge, and manage Windows AppLocker policies more efficiently. By providing a user-friendly interface, it simplifies defining rules for executables, scripts, installers, and DLLs, while also supporting policy import/export, inspection for misconfigurations, and testing against common bypass techniques.

Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Don’t Just Store It. Lock It — When you drag a file into Google Drive, OneDrive, or Dropbox, it feels “safe.” But here’s the catch: most clouds only encrypt files on their servers — they hold the keys, not you.

That means if the provider is breached, subpoenaed, or a rogue admin pokes around, your “private” files aren’t so private.

The fix is simple: end-to-end encryption. You encrypt before uploading, so your files are locked on your device and can only be unlocked with your key. Even if the cloud is hacked, attackers see nothing but scrambled noise.

Free, open-source tools that make this easy:

• Cryptomator → perfect for beginners, creates an “encrypted vault” inside your Dropbox/Drive.
• Kopia → modern backup tool with strong encryption, great for securing entire folders or servers.
• Restic → fast, deduplicated, encrypted backups, loved by developers and sysadmins.
• Rclone (with crypt) → the power-user’s choice for syncing + encrypting files to almost any cloud.

Bottom line: If it’s worth saving, it’s worth locking. Don’t trust the cloud with your keys.

Conclusion

Cybersecurity isn’t just about technology—it’s a test of leadership. The choices made in boardrooms shape how teams protect systems, respond to attacks, and recover from setbacks. This week’s stories highlight a key truth: security comes down to decisions—where to invest, which risks to take, and which blind spots to fix. The best leaders don’t promise perfect safety. Instead, they provide clarity, build resilience, and set direction when it matters most.

Security Information and Event Management (SIEM) systems act as the primary tools for detecting suspicious activity in enterprise networks, helping organizations identify and respond to potential attacks in real time. However, the new Picus Blue Report 2025, based on over 160 million real-world attack simulations, revealed that organizations are only detecting 1 out of 7 simulated attacks, showing a critical gap in threat detection and response.

While many organizations believe they’re doing everything they can to detect adversary actions, the reality is that a large number of threats are slipping through their defenses unnoticed, leaving their networks far too vulnerable to compromise. This gap in detection creates a false sense of security when attackers have already accessed your sensitive systems, escalated their privileges, or are actively exfiltrating your valuable data.

Which begs the question: why, after all this time, money, and attention, are these systems still failing? Especially when the stakes are so high. Let’s see what The Blue Report 2025 tells us about several lingering core issues regarding SIEM rule effectiveness.

Log Collection Failures: The Foundation of Detection Breakdowns

SIEM rules act like a security guard who monitors incoming and outgoing traffic for suspicious behavior. Just as a guard follows a set of instructions to identify threats based on specific patterns, SIEM rules are pre-configured to detect certain activities, such as unauthorized access or unusual network traffic. When a specific event matches a rule, it triggers an alert, allowing security teams to respond swiftly.

For SIEM rules to work effectively, however, they need to analyze a set of reliable and comprehensive logs. The Blue Report 2025 found that one of the most common reasons SIEM rules fail is due to persistent log collection issues. In fact, in 2025, 50% of detection rule failures were linked to problems with log collection. When logs aren’t captured properly, it’s all too easy to miss critical events, leading to a dangerous lack of alerts, a false sense of security, and a failure to detect malicious activity. Even the most effective rules quickly become useless without accurate data to analyze, leaving their organizations vulnerable to attacks.

Common log collection issues include missed log sources, misconfigured log agents, and incorrect log settings. For example, many environments fail to log key data points or have problems with log forwarding, preventing pertinent logs from reaching the SIEM in the first place. This failure to capture critical telemetry significantly hampers a SIEM’s ability to detect an attacker’s malicious activity.

Misconfigured Detection Rules: Silent Failures

Even when logs are collected properly, detection rules can still fail due to misconfigurations. In fact, in 2025, 13% of rule failures were attributed to configuration issues. This includes incorrect rule thresholds, improperly defined reference sets, and poorly constructed correlation logic. These issues can cause critical events to be missed or trigger false positives, undermining the effectiveness of the SIEM system.

For example, overly broad or generic rules can lead to an overwhelming amount of noise, which often results in important alerts being buried in the signal, missed entirely, or mistakenly ignored. Similarly, poorly defined reference sets can cause rules to miss important indicators of compromise.

Performance Issues: The Hidden Culprits of Detection Gaps

As SIEM systems scale to handle more data, performance issues can quickly become another major hurdle. The report found that 24% of detection failures in 2025 were related to performance problems, such as resource-heavy rules, broad custom property definitions, and inefficient queries. These issues can significantly slow down detection and delay response times, making it harder for security teams to act quickly when they’re actively under attack.

SIEM systems often struggle to process large volumes of data, especially when rules are not optimized for efficiency. This leads to slow query performance, delayed alerts, and overwhelmed system resources, further reducing the organization’s ability to detect real-time threats.

Three Common Detection Rule Issues

Let’s take a closer look at the three most common log collection issues highlighted in the Blue Report 2025.

One of the most significant problems impacting SIEM rule effectiveness is log source coalescing. This occurs when event coalescing is enabled for specific log sources like DNS, proxy servers, and Windows event logs, leading to data loss. In this case, important events may be compressed or discarded, resulting in incomplete data for analysis. As a result, critical threat behaviors can easily be missed, and detection rules can quickly become less and less effective.

Another prevalent issue is unavailable log sources, which account for 10% of rule failures. This often happens when logs fail to transmit data due to network disruptions, misconfigured log forwarding agents, or firewall blocks. Without these logs, the SIEM system cannot capture critical events, resulting in detection rules failing to trigger alerts.

Lastly, delaying the implementation of cost-effective test filters is a common cause of detection failures. When detection rules are too broad or inefficient, the system processes excessive amounts of data without effective filtering. This can overwhelm the system, slowing performance and risking your security teams missing key events. According to the report, 8% of detection failures are related to this issue, highlighting the need for optimized, cost-effective filtering.

Continuous Validation: Ensuring SIEM Rules Stay Effective Against Evolving Threats

While detection rules are foundational to SIEM systems, they can quickly lose relevance without continuous validation. Adversaries are constantly evolving their tactics, techniques, and procedures (TTPs), and SIEM rules designed to detect known patterns become ineffective if they’re not being regularly tested against real-world threats.

The Blue Report 2025 emphasizes that, without ongoing testing, even well-tuned SIEM systems can easily become vulnerable to attacks. Continuous validation ensures that security teams don’t just rely on static configurations, but regularly prove that their detection capabilities are working against the latest adversary behaviors. This proactive approach closes the gap between the theoretical protection offered by detection rules and the practical, real-world effectiveness organizations need against ever-evolving threats.

By simulating real-world adversary behaviors, security teams can evaluate whether their detection rules are countering the newest attack techniques, making sure they’re properly tuned for specific environments, and that they’re identifying malicious behaviors in a timely manner.

Regular exposure validation, through tools like Breach and Attack Simulation, allows organizations to always be testing and fine-tuning their controls. This approach makes it easier to identify their blind spots and improve their defenses, ensuring that SIEM rules are effective, not just at detecting past attacks, but at preventing future ones as well. Without continuous validation, organizations risk their data, brand reputation, and bottom line to outdated or ineffective defenses, putting their most critical assets at unnecessary risk.

Closing the Gaps in SIEM Detection

Neglected SIEM rules will inevitably fail to detect modern threats. Log collection failures, misconfigurations, and performance bottlenecks create blind spots, while static rules quickly lose effectiveness against evolving attacker tactics and techniques. Without continuous validation, organizations risk operating under a false sense of security, leaving critical systems and data exposed to compromise.

To stay ahead, security teams must regularly test and tune their SIEM rules, simulate real-world attacks, and validate detection pipelines against the latest adversary behaviors. Tools like Breach and Attack Simulation enable organizations to uncover hidden gaps, prioritize high-risk exposures, and ensure that their defenses are working when it matters most.

See where your SIEM is succeeding and where it might be silently failing. Download the Blue Report 2025 today for actionable insights and recommendations to strengthen your detection and prevention strategies against tomorrow’s attacks.

Aug 25, 2025Ravie LakshmananMalware / Cyber Attack

The advanced persistent threat (APT) actor known as Transparent Tribe has been observed targeting both Windows and BOSS (Bharat Operating System Solutions) Linux systems with malicious Desktop shortcut files in attacks targeting Indian Government entities.

“Initial access is achieved through spear-phishing emails,” CYFIRMA said. “Linux BOSS environments are targeted via weaponized .desktop shortcut files that, once opened, download and execute malicious payloads.”

Transparent Tribe, also called APT36, is assessed to be of Pakistani origin, with the group – along with its sub-cluster SideCopy – having a storied history of breaking into Indian government institutions with a variety of remote access trojans (RATs).

The latest dual-platform demonstrates the adversarial collective’s continued sophistication, allowing it to broaden its targeting footprint and ensure access to compromised environments.

The attack chains begin with phishing emails bearing supposed meeting notices, which, in reality, are nothing but booby-trapped Linux desktop shortcut files (“Meeting_Ltr_ID1543ops.pdf.desktop”). These files masquerade as PDF documents to trick recipients into opening them, leading to the execution of a shell script.

The shell script serves as a dropper to fetch a hex-encoded file from an attacker-controlled server (“securestore[.]cv”) and save it to disk as an ELF binary, while simultaneously opening a decoy PDF hosted on Google Drive by launching Mozilla Firefox. The Go-based binary, for its part, establishes contact with a hard-coded command-and-control (C2) server, modgovindia[.]space:4000, to receive commands, fetch payloads, and exfiltrate data.

The malware also establishes persistence by means of a cron job that executes the main payload automatically after a system reboot or process termination.

Cybersecurity company CloudSEK, which also independently reported the activity, said the malware performs system reconnaissance and is equipped to carry out a series of dummy anti-debugging and anti-sandbox checks in a bid to throw off emulators and static analyzers.

Furthermore, Hunt.io’s analysis of the campaign has revealed that the attacks are designed to deploy a known Transparent Tribe backdoor called Poseidon that enables data collection, long-term access, credential harvesting, and potentially lateral movement.

“APT36’s capability to customize its delivery mechanisms according to the victim’s operating environment thereby increases its chances of success while maintaining persistent access to critical government infrastructure and evading traditional security controls,” CYFIRMA said.

The disclosure comes weeks after the Transparent Tribe actors were observed targeting Indian defense organizations and related government entities using spoofed domains with the ultimate goal of stealing credentials and two-factor authentication (2FA) codes. It’s believed that users are redirected to these URLs through spear-phishing emails.

“Upon entering a valid email ID in the initial phishing page and clicking the ‘Next’ button, the victim is redirected to a second page that prompts the user to input their email account password and the Kavach authentication code,” CYFIRMA said.

It’s worth noting that the targeting of Kavach, a 2FA solution used by the Indian government agencies to improve account security, is a tried-and-tested tactic adopted by Transparent Tribe and SideCopy since early 2022.

“The use of typo-squatted domains combined with infrastructure hosted on Pakistan-based servers is consistent with the group’s established tactics, techniques, and procedures,” the company said.

The findings also follow the discovery of a separate campaign undertaken by a South Asian APT to strike Bangladesh, Nepal, Pakistan, Sri Lanka, and Turkey through spear-phishing emails that are engineered for credential theft using lookalike pages hosted on Netlify and Pages.dev.

“These campaigns mimic official communication to trick victims into entering credentials on fake login pages,” Hunt.io said earlier this month, attributing it to a hacking group called SideWinder.

“Spoofed Zimbra and Secure Portal Pages were made to look like official government email, file-sharing, or document upload services, prompting victims to submit credentials through fake login panels.”

Aug 24, 2025Ravie LakshmananMalware / Supply Chain Security

Cybersecurity researchers have discovered a malicious Go module that presents itself as a brute-force tool for SSH but actually contains functionality to discreetly exfiltrate credentials to its creator.

“On the first successful login, the package sends the target IP address, username, and password to a hard-coded Telegram bot controlled by the threat actor,” Socket researcher Kirill Boychenko said.

The deceptive package, named “golang-random-ip-ssh-bruteforce,” has been linked to a GitHub account called IllDieAnyway (G3TT), which is currently no longer accessible. However, it continues to be available on pkg.go[.]dev. It was published on June 24, 2022.

The software supply chain security company said the Go module works by scanning random IPv4 addresses for exposed SSH services on TCP port 22, then attempting to brute-force the service using an embedded username-password list and exfiltrating the successful credentials to the attacker.

A notable aspect of the malware is that it deliberately disables host key verification by setting “ssh.InsecureIgnoreHostKey” as a HostKeyCallback, thereby allowing the SSH client to accept connections from any server regardless of their identity.

The wordlist is fairly straightforward, including only two usernames root and admin, and pairing them against weak passwords like root, test, password, admin, 12345678, 1234, qwerty, webadmin, webmaster, techsupport, letmein, and Passw@rd.

The malicious code runs in an infinite loop to generate the IPv4 addresses, with the package attempting concurrent SSH logins from the wordlist.

The details are transmitted to a threat actor-controlled Telegram bot named “@sshZXC_bot” (ssh_bot) via the API, which then acknowledges the receipt of the credentials. The messages are sent through the bot to an account with the handle “@io_ping” (Gett).

An Internet Archive snapshot of the now-removed GitHub account shows that IllDieAnyway, aka G3TT’s software portfolio, included an IP port scanner, an Instagram profile info and media parser, and even a PHP-based command-and-control (C2) botnet called Selica-C2.

Their YouTube channel, which remains accessible, hosts various short-form videos on “How to hack a Telegram bot” and what they claim to be the “most powerful SMS bomber for the Russian Federation,” which can send spam SMS texts and messages to VK users using a Telegram bot. It’s assessed that the threat actor is of Russian origin.

“The package offloads scanning and password guessing to unwitting operators, spreads risk across their IPs, and funnels the successes to a single threat actor-controlled Telegram bot,” Boychenko said.

“It disables host key verification, drives high concurrency, and exits after the first valid login to prioritize quick capture. Because the Telegram Bot API uses HTTPS, the traffic looks like normal web requests and can slip past coarse egress controls.”

Cybersecurity researchers are calling attention to multiple campaigns that leverage known security vulnerabilities and expose Redis servers to various malicious activities, including leveraging the compromised devices as IoT botnets, residential proxies, or cryptocurrency mining infrastructure.

The first set of attacks entails the exploitation of CVE-2024-36401 (CVSS score: 9.8), a critical remote code execution vulnerability impacting OSGeo GeoServer GeoTools that has been weaponized in cyber attacks since late last year.

“Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies,” Palo Alto Networks Unit 42 researchers Zhibin Zhang, Yiheng An, Chao Lei, and Haozhe Zhang said in a technical report.

“This method of generating passive income is particularly stealthy. It mimics a monetization strategy used by some legitimate app developers who choose SDKs instead of displaying traditional ads. This can be a well-intentioned choice that protects the user experience and improves app retention.”

The cybersecurity company said attackers have been probing GeoServer instances exposed to the internet since at least early March 2025, leveraging the access to drop customized executables from adversary-controlled servers. The payloads are distributed via a private instance of a file-sharing server using transfer.sh, as opposed to a conventional HTTP web server.

The applications used in the campaign aim to fly under the radar by consuming minimal resources, while stealthily monetizing victims’ internet bandwidth without the need for distributing custom malware. The binaries, written in Dart, are designed to interact with legitimate passive income services, discreetly using the device resources for activities like bandwidth sharing.

The approach is a win-win situation for all parties involved, as developers of the applications receive payments in exchange for integrating the feature, and the cybercriminals get to profit off unused bandwidth using a seemingly innocuous channel that doesn’t raise any red flags.

“Once running, the executable operates covertly in the background, monitoring device resources and illicitly sharing the victim’s bandwidth whenever possible,” Unit 42 said. “This generates passive income for the attacker.”

Telemetry data gathered by the company shows that there were over 7,100 publicly exposed GeoServer instances across 99 countries, with China, the United States, Germany, Great Britain, and Singapore taking the top five spots.

“This ongoing campaign showcases a significant evolution in how adversaries monetize compromised systems,” Unit 42 said. “The attackers’ core strategy focuses on stealthy, persistent monetization rather than aggressive resource exploitation. This approach favors long-term, low-profile revenue generation over easily detectable techniques.”

The disclosure comes as Censys detailed the infrastructural backbone powering a large-scale IoT botnet called PolarEdge that comprises enterprise-grade firewalls and consumer-oriented devices like routers, IP cameras, and VoIP phones by taking advantage of known security vulnerabilities. Its exact purpose is currently not known, although it’s clear that the botnet isn’t being used for indiscriminate mass scanning.

The initial access is then abused to drop a custom TLS backdoor based on Mbed TLS that facilitates encrypted command-and-control, log cleanup, and dynamic infrastructure updates. The backdoor has been commonly observed deployed on high, non-standard ports, likely as a way to bypass traditional network scans and defensive monitoring scope.

PolarEdge exhibits traits that align with an Operational Relay Box (ORB) network, with the attack surface management platform stating there are indications that the campaign started as far back as June 2023, reaching about 40,000 active devices as of this month. More than 70% of the infections are scattered across South Korea, the United States, Hong Kong, Sweden, and Canada.

“ORBs are compromised exit nodes that forward traffic in order to carry out additional compromises or attacks on behalf of threat actors,” security researcher Himaja Motheram said. “What makes ORBs so valuable to attackers is that they don’t need to take over the device’s core function – they can quietly relay traffic in the background while the device continues to operate normally, making detection by the owner or ISP unlikely.”

In recent months, vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco have been targeted by bad actors to infiltrate them and deploy a Mirai botnet variant codenamed gayfemboy, suggesting an expansion of the targeting scope.

“The gayfemboy campaign spans multiple countries, including Brazil, Mexico, the United States, Germany, France, Switzerland, Israel, and Vietnam,” Fortinet said. “Its targets also cover a broad range of sectors, such as manufacturing, technology, construction, and media or communications.”

Gayfemboy is capable of targeting various system architectures, including ARM, AArch64, MIPS R3000, PowerPC, and Intel 80386. It incorporates four primary functions –

• Monitor, which tracks threads and processes while incorporating persistence and sandbox evasion techniques
• Watchdog, which attempts to bind to UDP port 47272
• Attacker, which launches DDoS attacks using UDP, TCP, and ICMP protocols, and enables backdoor access by connecting to a remote server to receive commands
• Killer, which terminates itself if it receives the command from the server or detects sandbox manipulation

“While Gayfemboy inherits structural elements from Mirai, it introduces notable modifications that enhance both its complexity and ability to evade detection,” security researcher Vincent Li said. “This evolution reflects the increasing sophistication of modern malware and reinforces the need for proactive, intelligence-driven defense strategies.”

The findings also coincide with a cryptojacking campaign undertaken by a threat actor dubbed TA-NATALSTATUS that’s targeting exposed Redis servers to deliver cryptocurrency miners.

The attack essentially involves scanning for unauthenticated Redis servers on port 6379, followed by issuing legitimate CONFIG, SET, and SAVE commands to execute a malicious cron job that’s designed to run a shell script that disables SELinux, performs defense evasion steps, block external connections to the Redis port in order to prevent rival actors from using the initial access pathway to get in, and terminate competing mining processes (e.g., Kinsing).

Also deployed are scripts to install tools like masscan or pnscan, and then launching commands like “masscan –shard” to scan the internet for susceptible Redis instances. The last step involves setting up persistence via an hourly cron job and kicking off the mining process.

Cybersecurity firm CloudSEK said the activity is an evolution of an attack campaign disclosed by Trend Micro in April 2020, packing in new features to accommodate rootkit-like features to hide malicious processes and alter the timestamps of their files to fool forensic analysis.

“By renaming system binaries like ps and top to ps.original and replacing them with malicious wrappers, they filter their own malware (httpgd) out of the output. An admin looking for the miner won’t see it using standard tools,” researcher Abhishek Mathew said. “They rename curl and wget to cd1 and wd1. This is a simple but brilliant method to bypass security products that monitor for malicious downloads specifically initiated by these common tool names.”

Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell.

The “Linux-specific malware infection chain that starts with a spam email with a malicious RAR archive file,” Trellix researcher Sagar Bade said in a technical write-up.

“The payload isn’t hidden inside the file content or a macro, it’s encoded directly in the filename itself. Through clever use of shell command injection and Base64-encoded Bash payloads, the attacker turns a simple file listing operation into an automatic malware execution trigger.”

The technique, the cybersecurity company added, takes advantage of a simple yet dangerous pattern commonly observed in shell scripts that arises when file names are evaluated with inadequate sanitization, thereby causing a trivial command like eval or echo to facilitate the execution of arbitrary code.

What’s more, the technique offers the added advantage of getting around traditional defenses, as antivirus engines don’t typically scan file names.

The starting point of the attack is an email message containing a RAR archive, which includes a file with a maliciously crafted file name: “ziliao2.pdf`{echo,<Base64-encoded command>}|{base64,-d}|bash`”

Specifically, the file name incorporates Bash-compatible code that’s engineered to execute commands when it’s interpreted by the shell. It’s worth noting that simply extracting the file from the archive does not trigger execution. Rather, it occurs only when a shell script or command attempts to parse the file name.

Another important aspect to consider here is that it’s not possible to manually create a file name with this syntax, meaning it was likely created using another language or dropped using an external tool or script that bypasses shell input validation, Trellix said.

This, in turn, leads to the execution of an embedded Base64-encoded downloader, which then retrieves from an external server an ELF binary for the appropriate system architecture (x86_64, i386, i686, armv7l, or aarch64). The binary, for its part, initiates communication with a command-and-control (C2) server to obtain the encrypted VShell payload, decode, and execute it on the host.

Trellix said the phishing emails are disguised as an invitation for a beauty product survey, luring recipients with a monetary reward (10 RMB) for completing it.

“Crucially, the email includes a RAR archive attachment (‘yy.rar’), even though it doesn’t explicitly instruct the user to open or extract it,” Bade explained. “The social engineering angle is subtle: The user is distracted by the survey content, and the presence of the attachment might be mistaken for a survey-related document or data file.”

VShell is a Go-based remote access tool that has been widely put to use by Chinese hacking groups in recent years, including UNC5174, supporting reverse shell, file operations, process management, port forwarding, and encrypted C2 communications.

What makes this attack dangerous is that the malware operates entirely in-memory, avoiding disk-based detection, not to mention it can target a wide range of Linux devices.

“This analysis highlights a dangerous evolution in Linux malware delivery where a simple file name embedded in a RAR archive can be weaponized to execute arbitrary commands,” Trellix said. “The infection chain exploits command injection in shell loops, abuses Linux’s permissive execution environment, and ultimately delivers a powerful backdoor VShell malware capable of full remote control over the system.”

The development comes as Picus Security released a technical analysis of a Linux-focused post-exploit tool dubbed RingReaper that leverages the Linux kernel’s io_uring framework to circumvent traditional monitoring tools. It’s currently not known who is behind the malware.

“Instead of invoking standard functions such as read, write, recv, send, or connect, RingReaper employs io_uringprimitives (e.g., io_uring_prep_*) to execute equivalent operations asynchronously,” security researcher Sıla Özeren Hacıoğlu said. “This method helps bypass hook-based detection mechanisms and reduces the visibility of malicious activity in telemetry commonly gathered by EDR platforms.”

RingReaper makes use of io_uring to enumerate system processes, active pseudo-terminal (PTS) sessions, network connections, and logged-in users, while reducing its footprint and avoiding detection. It’s also capable of collecting user information from the “/etc/passwd” file, abusing SUID binaries for privilege escalation, and erasing traces of itself after execution.

“It exploits the Linux kernel’s modern asynchronous I/O interface, io_uring, to minimize reliance on conventional system calls that security tools frequently monitor or hook,” Picus said.

Aug 22, 2025Ravie LakshmananOnline Fraud / Financial Crime

INTERPOL on Friday announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims.

“The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation,” the agency said.

The effort is the second phase of an ongoing law enforcement initiative called Operation Serengeti, which took place between June and August 2025 to tackle severe crimes like ransomware, online scams. and business email compromise (BEC). The first wave of arrests occurred late last year.

Among the highlights are the dismantling of 25 cryptocurrency mining centres in Angola, where 60 Chinese nationals were involved in the illicit money-making scheme.

“The crackdown identified 45 illicit power stations which were confiscated, along with mining and IT equipment worth more than $37 million, now earmarked by the government to support power distribution in vulnerable areas,” INTERPOL said.

Elsewhere, Zambian authorities have taken down a large-scale online investment fraud operation that claimed 65,000 victims who lost around $300 million after they were lured into investing in cryptocurrency through advertising campaigns that promised high-yield returns.

Fifteen individuals have been arrested in connection with the scheme, with officials seizing domains, mobile numbers, and bank accounts for further investigation. Also disrupted in the southern African country is a scam center and a suspected human trafficking network.

Lastly, law enforcement also tore down a transnational inheritance scam originating in Germany, arresting the primary suspect and confiscating electronics, jewellery, cash, and vehicles. The same is estimated to have caused losses of around $1.6 million.

“Each INTERPOL-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries,” Valdecy Urquiza, secretary general of INTERPOL, said. “With more contributions and shared expertise, the results keep growing in scale and impact. This global network is stronger than ever, delivering real outcomes and safeguarding victims.”

Singapore-headquartered Group-IB said it provided “circumstantial intelligence” on a cryptocurrency investment scam, along with infrastructural details associated with the scam and other BEC campaigns across the African region.

“Cybercrime recognizes no borders, and its impact is truly global,” Dmitry Volkov, Group-IB CEO, said. “The success of Operation Serengeti 2.0 demonstrates what can be achieved when nations stand together against this threat.”

The disclosure comes as Nigeria deported 102 foreign nationals, including 60 Chinese and 39 people from the Philippines, who were convicted of cyber terrorism and internet fraud, according to the country’s Economic and Financial Crimes Commission (EFCC). The deportees were among 792 suspected cybercriminals arrested in December 2024.

Earlier this March, law enforcement authorities in seven African countries also arrested 306 suspects and confiscated 1,842 devices as part of an international operation codenamed Red Card that took place between November 2024 and February 2025.