Tag: Cyber Security

In the era of rapidly advancing artificial intelligence (AI) and cloud technologies, organizations are increasingly implementing security measures to protect sensitive data and ensure regulatory compliance. Among these measures, AI-SPM (AI Security Posture Management) solutions have gained traction to secure AI pipelines, sensitive data assets, and the overall AI ecosystem. These solutions help organizations identify risks, control security policies, and protect data and algorithms critical to their operations.

However, not all AI-SPM tools are created equal. When evaluating potential solutions, organizations often struggle to pinpoint which questions to ask to make an informed decision. To help you navigate this complex space, here are five critical questions every organization should ask when selecting an AI-SPM solution:

1: Does the solution offer comprehensive visibility and control over AI and associated data risk?

With the proliferation of AI models across enterprises, maintaining visibility and control over AI models, datasets, and infrastructure is essential to mitigate risks related to compliance, unauthorized use, and data exposure. This ensures a clear understanding of what needs to be protected. Any gaps in visibility or control can leave organizations exposed to security breaches or compliance violations.

An AI-SPM solution must be capable of seamless AI model discovery, creating a centralized inventory for complete visibility into deployed models and associated resources. This helps organizations monitor model usage, ensure policy compliance, and proactively address any potential security vulnerabilities. By maintaining a detailed overview of models across environments, businesses can proactively mitigate risks, protect sensitive data, and optimize AI operations.

2: Can the solution identify and remediate AI-specific risks in the context of enterprise data?

The integration of AI into business processes introduces new, unique security challenges beyond traditional IT systems. For example:

• Are your AI models vulnerable to adversarial attacks and exposure?
• Are AI training datasets sufficiently anonymized to prevent leakage of personal or proprietary information?
• Are you monitoring for bias or tampering in predictive models?

An effective AI-SPM solution must tackle risks that are specific to AI systems. For instance, it should protect training data used in machine learning workflows, ensure that datasets remain compliant under privacy regulations, and identify anomalies or malicious activities that might compromise AI model integrity. Make sure to ask whether the solution includes built-in features to secure every stage of your AI lifecycle—from data ingestion to deployment.

3: Does the solution align with regulatory compliance requirements?

Regulatory compliance is a top concern for businesses worldwide, given the growing complexity of data protection laws such as GDPR (General Data Protection Regulation), NIST AI, HIPAA (Health Insurance Portability and Accountability Act), and more. AI systems magnify this challenge by rapidly processing sensitive data in ways that can increase the risk of accidental breaches or non-compliance.

When evaluating an AI-SPM solution, ensure that it automatically maps your data and AI workflows to governance and compliance requirements. It should be capable of detecting non-compliant data and providing robust reporting features to enable audit readiness. Additionally, features like automated policy enforcement and real-time compliance monitoring are critical to keeping up with regulatory changes and preventing hefty fines or reputational damage.

4: How well does the solution scale in dynamic cloud-native and multi-cloud architectures?

Modern cloud-native infrastructures are dynamic, with workloads scaling up or down depending on demand. In multi-cloud environments, this flexibility brings a challenge: maintaining consistent security policies across different providers (e.g., AWS, Azure, Google Cloud) and services. Adding AI and ML tools to the mix introduces even more variability.

An AI-SPM solution needs to be designed for scalability. Ask whether the solution can handle dynamic environments, continuously adapt to changes in your AI pipelines, and manage security in distributed cloud infrastructures. The best tools offer centralized policy management while ensuring that each asset, regardless of its location or state, adheres to your organization’s security requirements.

5: Will the solution integrate with our existing security tools and workflow?

A common mistake organizations make when adopting new technologies is failing to consider how well those technologies will integrate with their existing systems. AI-SPM is no exception. Without seamless integration, organizations may face operational disruptions, data silos, or gaps in their security posture.

Before selecting an AI-SPM solution, verify whether it integrates with your existing data security tools like DSPM or DLP, identity governance platforms, or DevOps toolchains. Equally important is the solution’s ability to integrate with AI/ML platforms like Amazon Bedrock or Azure AI. Strong integration ensures consistency and allows your security, DevOps, and AI teams to collaborate effectively.

Key takeaway: Make AI security proactive, not reactive

Remember, AI-SPM is not just about protecting data—it’s about safeguarding the future of your business. As AI continues to reshape industries, having the proper tools and technologies in place will empower organizations to innovate confidently while staying ahead of emerging threats.

Learn more at zscaler.com/security

About the Company

Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange™ platform protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SSE-based Zero Trust Exchange™ is the world’s largest in-line cloud security platform. Learn more at zscaler.com.

Oct 06, 2025Ravie LakshmananEmail Security / Zero-Day

A now patched security vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this year in cyber attacks targeting the Brazilian military.

Tracked as CVE-2025-27915 (CVSS score: 5.4), the vulnerability is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client that arises as a result of insufficient sanitization of HTML content in ICS calendar files, resulting in arbitrary code execution.

“When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag,” according to a description of the flaw in the NIST National Vulnerability Database (NVD).

“This allows an attacker to run arbitrary JavaScript within the victim’s session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim’s account, including e-mail redirection and data exfiltration.”

The vulnerability was addressed by Zimbra as part of versions 9.0.0 Patch 44, 10.0.13, and 10.1.5 released on January 27, 2025. The advisory, however, makes no mention of it having been exploited in real-world attacks.

However, according to a report published by StrikeReady Labs on September 30, 2025, the observed in-the-wild activity involved unknown threat actors spoofing the Libyan Navy’s Office of Protocol to target the Brazilian military using malicious ICS files that exploited the flaw.

The ICS file contained a JavaScript code that’s designed to act as a comprehensive data stealer to siphon credentials, emails, contacts, and shared folders to an external server (“ffrk[.]net”). It also searches for emails in a specific folder, and adds malicious Zimbra email filter rules with the name “Correo” to forward the messages to spam_to_junk@proton.me.

As a way to avoid detection, the script is fashioned such that it hides certain user interface elements and detonates only if more than three days have passed since the last time it was executed.

It’s currently not clear who is behind the attack, but earlier this year, ESET revealed that the Russian threat actor known as APT28 had exploited XSS vulnerabilities in various webmail solutions from Roundcube, Horde, MDaemon, and Zimbra to obtain unauthorized access.

A similar modus operandi has also been adopted by other hacking groups like Winter Vivern and UNC1151 (aka Ghostwriter) to facilitate credential theft.

Oct 06, 2025Ravie LakshmananVulnerability / Threat Intelligence

Oracle has released an emergency update to address a critical security flaw in its E-Business Suite that it said has been exploited in the recent wave of Cl0p data theft attacks.

The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), concerns an unspecified bug that could allow an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component.

“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” Oracle said in an advisory. “If successfully exploited, this vulnerability may result in remote code execution.”

In a separate alert, Oracle’s Chief Security Officer Rob Duhart said the company has released fixes for CVE-2025-61882 to “provide updates against additional potential exploitation that were discovered during our investigation.”

As indicators of compromise (IoCs), the technology shared the following IP addresses and artifacts, indicating the likely involvement of the Scattered LAPSUS$ Hunters group as well in the exploit –

News of the Oracle zero-day comes days after reports emerged of a new campaign likely undertaken by the Cl0p ransomware group targeting Oracle E-Business Suite. Google-owned Mandiant described the ongoing activity as a “high-volume email campaign” launched from hundreds of compromised accounts.

In a post shared on LinkedIn, Charles Carmakal, CTO of Mandiant at Google Cloud, said “Cl0p exploited multiple vulnerabilities in Oracle EBS which enabled them to steal large amounts of data from several victims in August 2025,” adding “multiple vulnerabilities were exploited including vulnerabilities that were patched in Oracle’s July 2025 update as well as one that was patched this weekend (CVE-2025-61882).”

“Given the broad mass zero-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised,” Carmakal noted.

(This is a developing story. Please check back for more details.)

Oct 04, 2025Ravie LakshmananAgentic AI / Enterprise Security

Cybersecurity researchers have disclosed details of a new attack called CometJacking targeting Perplexity’s agentic AI browser Comet by embedding malicious prompts within a seemingly innocuous link to siphon sensitive data, including from connected services, like email and calendar.

The sneaky prompt injection attack plays out in the form of a malicious link that, when clicked, triggers the unexpected behavior unbeknownst to the victims.

“CometJacking shows how a single, weaponized URL can quietly flip an AI browser from a trusted co-pilot to an insider threat,” Michelle Levy, Head of Security Research at LayerX, said in a statement shared with The Hacker News.

“This isn’t just about stealing data; it’s about hijacking the agent that already has the keys. Our research proves that trivial obfuscation can bypass data exfiltration checks and pull email, calendar, and connector data off-box in one click. AI-native browsers need security-by-design for agent prompts and memory access, not just page content.”

The attack, in a nutshell, hijacks the AI assistant embedded in the browser to steal data, all while bypassing Perplexity’s data protections using trivial Base64-encoding tricks. The attack does not include any credential theft component because the browser already has authorized access to Gmail, Calendar, and other connected services.

It takes place over five steps, activating when a victim clicks on a specially crafted URL, either sent in a phishing email or present in a web page. Instead of taking the user to the “intended” destination, the URL instructs the Comet browser’s AI to execute a hidden prompt that captures the user’s data from, say, Gmail, obfuscates it using Base64-encoding, and transmits the information to an endpoint under the attacker’s control.

The crafted URL is a query string directed at the Comet AI browser, with the malicious instruction added using the “collection” parameter of the URL, causing the agent to consult its memory rather than perform a live web search.

While Perplexity has classified the findings as having “no security impact,” they once again highlight how AI-native tools introduce new security risks that can get around traditional defenses, allow bad actors to commandeer them to do their bidding, and expose users and organizations to potential data theft in the process.

In August 2020, Guardio Labs disclosed an attack technique dubbed Scamlexity wherein browsers like Comet could be tricked by threat actors into interacting with phishing landing pages or counterfeit e-commerce storefronts without the human user’s knowledge or intervention.

“AI browsers are the next enterprise battleground,” Or Eshed, CEO of LayerX, said. “When an attacker can direct your assistant with a link, the browser becomes a command-and-control point inside the company perimeter. Organizations must urgently evaluate controls that detect and neutralize malicious agent prompts before these PoCs become widespread campaigns.”

Oct 04, 2025Ravie LakshmananVulnerability / Network Security

Threat intelligence firm GreyNoise disclosed on Friday that it has observed a spike in scanning activity targeting Palo Alto Networks login portals.

The company said it observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, the highest level recorded in the last three months. It described the traffic as targeted and structured, and aimed primarily at Palo Alto login portals.

As many as 1,300 unique IP addresses have participated in the effort, a significant jump from around 200 unique IP addresses observed before. Of these IP addresses, 93% are classified as suspicious and 7% as malicious.

The vast majority of the IP addresses are geolocated to the U.S., with smaller clusters detected in the U.K., the Netherlands, Canada, and Russia.

“This Palo Alto surge shares characteristics with Cisco ASA scanning occurring in the past 48 hours,” GreyNoise noted. “In both cases, the scanners exhibited regional clustering and fingerprinting overlap in the tooling used.”

“Both Cisco ASA and Palo Alto login scanning traffic in the past 48 hours share a dominant TLS fingerprint tied to infrastructure in the Netherlands.”

In April 2025, GreyNoise reported a similar suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, prompting the network security company to urge customers to ensure that they are running the latest versions of the software.

The development comes as GreyNoise noted in its Early Warning Signals report back in July 2025 that surges in malicious scanning, brute-forcing, or exploit attempts are often followed by the disclosure of a new CVE affecting the same technology within six weeks.

In early September, Greynoise warned about suspicious scans that occurred as early as late August, targeting Cisco Adaptive Security Appliance (ASA) devices. The first wave originated from over 25,100 IP addresses, mainly located in Brazil, Argentina, and the U.S.

Weeks later, Cisco disclosed two new zero-days in Cisco ASA (CVE-2025-20333 and CVE-2025-20362) that had been exploited in real-world attacks to deploy malware families like RayInitiator and LINE VIPER.

Data from the Shadowserver Foundation shows that over 45,000 Cisco ASA/FTD instances, out of which more than 20,000 are located in the U.S. and about 14,000 are located in Europe, are still susceptible to the two vulnerabilities.

A threat actor named Detour Dog has been outed as powering campaigns distributing an information stealer known as Strela Stealer.

That’s according to findings from Infoblox, which found the threat actor to maintain control of domains hosting the first stage of the stealer, a backdoor called StarFish.

The DNS threat intelligence firm said it has been tracking Detour Dog since August 2023, when GoDaddy-owned Sucuri disclosed details of attacks targeting WordPress sites to embed malicious JavaScript that used DNS TXT records as a communication channel for a traffic distribution system (TDS), redirecting site visitors to sketchy sites and malware. Traces of the threat actor date back to February 2020.

“While traditionally these redirects led to scams, the malware has evolved recently to execute remote content through the DNS-based command-and-control (C2) system,” Infoblox said. “We are tracking the threat actor who controls this malware as Detour Dog.”

Detour Dog-owned infrastructure, per the company, has been used to host StarFish, a simple reverse shell that serves as a conduit for Strela Stealer. In a report published in July 2025, IBM X-Force said the backdoor is delivered by means of malicious SVG files with the goal of enabling persistent access to infected machines.

Hive0145, the threat actor exclusively behind Strela Stealer campaigns since at least 2022, is assessed to be financially motivated and is likely operating as an initial access broker (IAB), acquiring and selling access to compromised systems for profit.

Infoblox’s analysis has revealed that at least 69% of the confirmed StarFish staging hosts were under the control of Detour Dog, and that a MikroTik botnet advertised as REM Proxy – which, in turn, is powered by SystemBC, as uncovered by Lumen’s Black Lotus Labs last month — was also part of the attack chain.

Specifically, it has come to light that the spam email messages that distributed Strela Stealer originated from REM Proxy and another botnet dubbed Tofsee, the latter of which has been propagated via a C++-based loader called PrivateLoader in the past. In both cases, Detour Dog infrastructure hosted the first stage of the attack.

“The botnets were contracted to deliver the spam messages, and Detour Dog was contracted to deliver the malware,” Dr. Renée Burton, vice president of threat intelligence at Infoblox, told The Hacker News.

What’s more, Detour Dog has been found to facilitate the distribution of the stealer via DNS TXT records, with the threat actor-controlled DNS name servers modified to parse specially formatted DNS queries from the compromised sites and to respond to them with remote code execution commands.

Detour Dog’s modus operandi when it comes to acquiring new infrastructure is by exploiting vulnerable WordPress sites to perform malicious code injections, although the company said the methods have since continued to evolve.

A notable aspect of the attack is that the compromised website functions normally 90% of the time, thereby raising no red flags and allowing the malware to persist for extended periods of time. In select instances (about 9%), however, a site visitor is redirected to a scam via Help TDS or Monetizer TDS; in a much rarer scenario (1%), the site receives a remote file execution command. It’s believed that the redirections are limited in a bid to avoid detection.

The development marks the first time Detour Dog has been spotted distributing malware, a shift from acting as an entity responsible for exclusively forwarding traffic to Los Pollos, a malicious advertising technology company operating under the VexTrio Viper umbrella.

“We suspect that they evolved from scams to include malware distribution for financial reasons,” Burton said. “There has been a great deal of focus in the security industry over the last 12-18 months to stop the type of scams Detour Dog has supported in the past. We believe they were making less money, though we can’t verify that.”

Complementing these changes is the fact that the website malware used by Detour Dog has witnessed an evolution of its own, gaining the ability to command infected websites to execute code from remote servers.

As of June 2025, the responses have directed the infected site to retrieve the output of PHP scripts from verified Strela Stealer C2 servers to likely distribute the malware — suggesting the dual use of DNS as both a communication channel and a delivery mechanism.

“Responses to TXT record queries are Base64-encoded and explicitly include the word ‘down’ to trigger this new action,” the company noted. “We believe this has created a novel networked malware distribution model using DNS in which the different stages are fetched from different hosts under the threat actor’s control and are relayed back when the user interacts with the campaign lure, for example, the email attachment.

“A novel setup like this would allow an attacker to hide their identity behind compromised websites, making their operations more resilient, meanwhile serving to mislead threat hunters because the malware isn’t really where the analyzed attachments indicate the stage is hosted.”

The entire sequence of actions unfolds as follows –

• Victim opens a malicious document, launching an SVG file that reaches out to an infected domain
• The compromised site sends a TXT record request to the Detour Dog C2 server via DNS
• The name server responds with a TXT record containing a Strela C2 URL, prefixed with “down”
• The compromised site removes the down prefix and uses curl to possibly fetch the StarFish downloader from the URL
• The compromised site acts as a relay to send the downloader to the client (i.e., the victim)
• The downloader initiates a call to another compromised domain
• The second compromised domain sends a similar DNS TXT query to the Detour Dog C2 server
• The Detour Dog name server responds with a new Strela C2 URL, again prefixed with “down”
• The second compromised domain strips the prefix and sends a curl request to the Strela C2 server to fetch StarFish
• The second compromised domain acts as a relay to send the malware to the client (i.e., the victim)

Infoblox said it worked with the Shadowserver Foundation to sinkhole two of Detour Dog’s C2 domains (webdmonitor[.]io and aeroarrows[.]io) on July 30 and August 6, 2025.

The company also pointed out that the threat actor likely functions as a distribution-as-a-service (DaaS) provider, adding it found evidence of an “apparently unrelated file” propagated through its infrastructure. However, it noted it “couldn’t validate what was delivered.”

The threat actor behind Rhadamanthys has also advertised two other tools called Elysium Proxy Bot and Crypt Service on their website, even as the flagship information stealer has been updated to support the ability to collect device and web browser fingerprints, among others.

“Rhadamanthys was initially promoted through posts on cybercrime forums, but soon it became clear that the author had a more ambitious plan to connect with potential customers and build visibility,” Check Point researcher Aleksandra “Hasherezade” Doniec said in a new report.

First advertised by a threat actor named kingcrete2022, Rhadamanthys has emerged as one of the most popular information stealers available under a malware-as-a-service (MaaS) model alongside Lumma, Vidar, StealC, and, more recently, Acreed. The current version of the stealer is 0.9.2.

Over the years, the stealer’s capabilities have extended far beyond simple data collection, representing a comprehensive threat to personal and corporate security. In an analysis of version 0.7.0 of the malware last October, Recorded Future detailed the addition of a new artificial intelligence (AI) feature for optical character recognition (OCR) to capture cryptocurrency wallet seed phrases.

The latest findings from Check Point show that the threat actors rebranded themselves as “RHAD security” and “Mythical Origin Labs,” marketing their offerings as “intelligent solutions for innovation and efficiency.”

Rhadamanthys is available in three tiered packages, starting from $299 per month for a self-hosted version to $499 per month that comes with additional benefits, including priority technical support, server, and advanced API access. Prospective customers can also purchase an Enterprise plan by directly contacting their sales team.

“The combination of the branding, product portfolio, and pricing structure suggest that the authors treat Rhadamanthys as a long-term business venture rather than a side project,” Hasherezade noted. “For defenders, this professionalization signals that Rhadamanthys with its growing customer base and an expanding ecosystem is likely here to stay, making it important to track not only its malware updates but also the business infrastructure that sustains it.”

Like Lumma version 4.0, Rhadamanthys version 0.9.2 includes a feature to avoid leaking unpacked artifacts by displaying to the user an alert that allows them to finish the execution of the malware without inflicting any harm to the machine on which it’s running.

This is done so in an attempt to prevent malware distributors from spreading the initial executable in its plain, unprotected form so as to curtail detection efforts, as well as getting their systems infected in the process. That said, while the alert message may be the same in both the stealers, the implementation is completely different, Check Point said, suggesting “surface-level mimicry.”

“In Lumma, opening and reading the file is implemented via raw syscalls, and the message box is executed via NtRaiseHardError,” it noted. “In Rhadamanthys, raw syscalls aren’t used, and the same message box is displayed by MessageBoxW. Both loaders are obfuscated, but the obfuscation patterns are different.”

Other updates to Rhadamanthys concern slight tweaks to the custom XS format used to ship the executable modules, the checks executed to confirm if the malware should continue its execution on the host, and the obfuscated configuration embedded into it. The modifications also extend to obfuscating the names of the modules to fly under the radar.

One of the modules, previously referred to as Strategy, is responsible for a series of environment checks to ensure that it’s not running in a sandboxed environment. Furthermore, it checks running processes against a list of forbidden ones, gets the current wallpaper, and verifies it against a hard-coded one that represents the Triage sandbox.

It also runs a check to confirm if the current username matches anything that resembles those used for sandboxes, and compares the machine’s HWID (hardware identifier) against a predefined list, once again to ascertain the presence of a sandbox. It’s only when all these checks are passed that the sample proceeds to establish a connection with a command-and-control (C2) server to fetch the core component of the stealer.

The payload is concealed using steganographic techniques, either as a WAV, JPEG, or PNG file, from where it’s extracted, decrypted, and launched. It’s worth noting that decrypting the package from the PNG requires a shared secret that’s agreed upon during the initial phase of the C2 communication.

The stealer module, for its part, is equipped with a built-in Lua runner that serves additional plugins written in the programming language to facilitate data theft and conduct extensive device and browser fingerprinting.

“The latest variant represents an evolution rather than a revolution. Analysts should update their config parsers, monitor PNG-based payload delivery, track changes in mutex and bot ID formats, and expect further churn in obfuscation as tooling catches up,” Check Point said.

“Currently, the development is slower and steadier: the core design remains intact, with changes focused on refinements – such as new stealer components, changes in obfuscation, and more advanced customization options.”

Oct 03, 2025Ravie LakshmananMalware / Online Security

Brazilian users have emerged as the target of a new self-propagating malware that spreads via the popular messaging app WhatsApp.

The campaign, codenamed SORVEPOTEL by Trend Micro, weaponizes the trust with the platform to extend its reach across Windows systems, adding the attack is “engineered for speed and propagation” rather than data theft or ransomware.

“SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments,” researchers Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon said.

“Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers.”

Once the attachment is opened, the malware automatically propagates via the desktop web version of WhatsApp, ultimately causing the infected accounts to be banned for engaging in excessive spam. There are no indications that the threat actors have leveraged the access to exfiltrate data or encrypt files.

The vast majority of the infections — 457 of the 477 cases — are concentrated in Brazil, with entities in government, public service, manufacturing, technology, education, and construction sectors impacted the most.

The starting point of the attack is a phishing message sent from an already compromised contact on WhatsApp to lend it a veneer of credibility. The message contains a ZIP attachment that masquerades as a seemingly harmless receipt or health app-related file.

That said, there is evidence to suggest that the operators behind the campaign have also used emails to distribute the ZIP files from seemingly legitimate email addresses.

Should the recipient fall for the trick and open the attachment, they are lured into opening a Windows shortcut (LNK) file that, when launched, silently triggers the execution of a PowerShell script responsible for retrieving the main payload from an external server (e.g., sorvetenopoate[.]com).

The downloaded payload is a batch script designed to establish persistence on the host by copying itself to the Windows Startup folder so that it’s automatically launched following a system start. It’s also designed to run a PowerShell command that reaches out to a command-and-control (C2) server to fetch further instructions or additional malicious components.

Central to SORVEPOTEL operations is the WhatsApp-focused propagation mechanism. If the malware detects that WhatsApp Web is active on the infected system, it proceeds to distribute the malicious ZIP file to all contacts and groups associated with the victim’s compromised account, allowing it to spread rapidly.

“This automated spreading results in a high volume of spam messages and frequently leads to account suspensions or bans due to violations of WhatsApp’s terms of service,” Trend Micro said.

“The SORVEPOTEL campaign demonstrates how threat actors are increasingly leveraging popular communication platforms like WhatsApp to achieve rapid, large-scale malware propagation with minimal user interaction.”

Passwork is positioned as an on-premises unified platform for both password and secrets management, aiming to address the increasing complexity of credential storage and sharing in modern organizations. The platform recently received a major update that reworks all the core mechanics.

Passwork 7 introduces significant changes to how credentials are organized, accessed, and managed, reflecting feedback from real-world users. The redesign prioritizes usability and security, with a focus on streamlining workflows and making key features more accessible.

Passwork isn’t trying to reinvent the wheel. Instead, it focuses on solving a very real problem: how do businesses keep credentials organized, secure, and accessible without adding complexity or risk? In this article, we’ll look at what Passwork 7 delivers, how it fits into a business environment, and what makes it different. Below is a walkthrough of its main features and workflows.

Getting started: User experience and onboarding

The first thing you notice with Passwork 7 is its new interface that immediately signals its focus on simplicity. The dashboard provides a clear overview of vaults, folders, passwords, and recent activity. The idea is simple: streamline onboarding and avoid distracting users from their core tasks.

This approach is especially important in sectors like public service, education, and healthcare, where staff often have limited time or technical expertise. By reducing the learning curve, Passwork helps organizations roll out secure password management quickly and efficiently, without disrupting daily operations or requiring extensive user education.

Search and filtering options are simple, ensuring users can locate the right password without unnecessary complexity.

Vaults, folders, and password

Passwork 7 uses a hierarchical structure for organizing data:

• Vaults are the main containers for credentials
• Folders help organize related passwords within a vault
• Password cards store individual credentials, including username, password, URL, notes, 2FA codes, and attachments

To add a new password, users select the appropriate vault, create a folder (if needed), and fill out a password card with the required details.

The system is flexible: organizations can build a structure or hierarchy of vaults and folders to reflect their internal company layout and security requirements. This approach allows businesses to align credential management with their own processes, whether that means mirroring a strict departmental separation or supporting cross-functional teams.

Vault types: Data segmentation

Solution introduces a flexible vault architecture designed to improve security and management. Administrators can define custom vault types that align with an organization’s structure, making it easier to control data access across large teams.

There are two primary vault categories:

• User vaults: Private by default, accessible only to their creator. These can be shared with others as needed.
• Company vaults: Accessible to the creator and corporate administrators, who are automatically included to maintain oversight.

Beyond these standard options, administrators have the ability to set up custom vault types for specific departments or projects — such as IT, finance, or HR. For each vault type, it’s possible to assign designated administrators, configure access levels, and set rules about who can create new vaults of that type. This approach ensures that department heads or IT leads maintain control over sensitive data, supports granular permission management, and simplifies auditing.

Managing access: Roles and groups

Access control in Passwork 7 is role-based. Administrators assign roles to users, defining what actions they can take within the system. There’s no limit on the number of roles you can create, so it’s possible to tailor permissions as granularly as needed.

You can grant specific users rights to manage certain roles and groups or access activity logs, give other administrators control over SSO and LDAP settings while blocking access to other system configurations, or create specialized departmental roles with precisely tailored permissions.

Groups further streamline permission management: by adding users to a group, they automatically inherit the group’s permissions across relevant vaults and folders — such as viewing, editing, or managing credentials.

This structure helps organizations maintain security and compliance by ensuring only authorized users have access to sensitive information.

Sharing credentials: Internal and external workflows

Passwork offers several methods for sharing credentials:

• Internal sharing: Credentials can be shared with individuals or groups within the organization (internal sharing system, shortcuts and access sharing). Permissions (view, edit, manage) are set per user or group.
• External sharing: Time-limited, secure links can be generated to share passwords with contractors outside the organization.

All sharing activities are logged, providing a transparent audit trail for compliance and incident investigation.

Password and secrets management: DevOps-ready tools

One notable feature is Passwork’s integration of secrets management and a comprehensive API. Beyond passwords, the platform stores keys, database logins, SSH keys, tokens, and certificates. Secrets can be managed alongside passwords, in dedicated encrypted vaults.

In other words, the latest release now combines two fully developed solutions under one roof:

• Password manager: A user-friendly interface designed for secure storage and sharing of credentials within a team.
• Secrets management system: This side caters to developers and administrators, offering programmatic access via REST API, Python connector, CLI, and Docker container. These tools make it possible to automate secret handling in scripts, services, and DevOps workflows.

The Passwork API supports all system actions, providing complete programmatic control over password and secrets management operations. This unified approach simplifies workflows for end-users, IT, and DevOps teams, reducing tool sprawl and centralizing oversight. Secrets are accessible via the web interface, API, CLI, and Python-connector, enabling integration with automated systems.

Security monitoring and incident response

Comprehensive logging now provides detailed records of every action and system change, ensuring administrators have complete visibility over the environment. Real-time tracking and instant alerts enable rapid detection of suspicious activity, supporting both security and regulatory compliance requirements. Whether monitoring access attempts, credential updates, or changes in permissions, the system delivers timely, actionable information.

Administrators have access to detailed audit logs and a security dashboard. In the event of a breach or suspicious activity, compromised users can be blocked and credentials rotated. These features support rapid incident response and ongoing risk management.

Integration with corporate systems

For enterprise environments, Passwork offers SSO and LDAP integration. Users authenticate with existing credentials, and user management synchronizes with Active Directory. This streamlines onboarding, offboarding, and ongoing access control.

Deployment

To start with, the system uses a zero-knowledge architecture — credentials aren’t stored on user devices. Instead, everything, including change logs and notes, lives in a dedicated MongoDB instance and is encrypted using end-to-end AES-256. This setup keeps sensitive data out of reach, even from the platform itself. It supports both single-server and multi-server setups for those needing redundancy or fault tolerance.

For everyday use, there’s a browser extension compatible with all major browsers. The mobile app is available for both Android and iOS, so users aren’t tied to their desktops. There’s also a dedicated 2FA app for added authentication, also supporting both platforms.

For organizations with stricter security requirements, there’s the option to switch on client-side encryption right from the start. In practice, this means every piece of data (moving or stored) is locked down using a master password unique to each user. By combining password and secrets management, Passwork can help businesses reduce their total cost of ownership.

Conclusion

Passwork offers a practical, unified solution for managing both passwords and secrets. Its emphasis on usability, flexible data organization, and granular access control makes it suitable for diverse environments and businesses of any size. By combining password and secret management in one solution, Passwork streamlines workflows, adapts to internal processes, and simplifies secure collaboration across teams.

Passwork has ISO 27001 certification, ensuring compliance with international information security management standards — a critical requirement for organizations operating in regulated industries or handling sensitive data.

The platform’s streamlined onboarding and integration capabilities allow organizations to secure sensitive data without disrupting daily operations. For businesses looking to centralize credential management and improve security posture, Passwork 7 provides a comprehensive toolkit designed for fast, seamless implementation.

To learn more or request a free demo, visit passwork.pro.

Oct 03, 2025Ravie LakshmananCybersecurity / Malware

A threat actor that’s known to share overlaps with a hacking group called YoroTrooper has been observed targeting the Russian public sector with malware families such as FoalShell and StallionRAT.

Cybersecurity vendor BI.ZONE is tracking the activity under the moniker Cavalry Werewolf. It’s also assessed to have commonalities with clusters tracked as SturgeonPhisher, Silent Lynx, Comrade Saiga, ShadowSilk, and Tomiris.

“In order to gain initial access, the attackers sent out targeted phishing emails disguising them as official correspondence from Kyrgyz government officials,” BI.ZONE said. “The main targets of the attacks were Russian state agencies, as well as energy, mining, and manufacturing enterprises.”

In August 2025, Group-IB revealed attacks mounted by ShadowSilk targeting government entities in Central Asia and Asia-Pacific (APAC), using reverse proxy tools and remote access trojans written in Python and subsequently ported to PowerShell.

Cavalry Werewolf’s ties to Tomiris are significant, not least because it further lends credence to a hypothesis that it’s a Kazakhstan-affiliated threat actor. In a report late last year, Microsoft attributed the Tomiris backdoor to a Kazakhstan-based threat actor tracked as Storm-0473.

The latest phishing attacks, observed between May and August 2025, involve sending email messages using fake email addresses that impersonate Kyrgyzstan government employees to distribute RAR archives that deliver FoalShell or StallionRAT.

In at least one case, the threat actor is said to have compromised a legitimate email address associated with the Kyrgyz Republic’s regulatory authority to send the messages. FoalShell is a lightweight reverse shell that appears in Go, C++, and C# versions, allowing the operators to run arbitrary commands using cmd.exe.

StallionRAT is no different in that it is written in Go, PowerShell, and Python, and enables the attackers to execute arbitrary commands, load additional files, and exfiltrate collected data using a Telegram bot. Some of the commands supported by the bot include –

• /list, to receive a list of compromised hosts (DeviceID and computer name) connected to the command-and-control (C2) server
• /go [DeviceID] [command], to execute the given command using Invoke-Expression
• /upload [DeviceID], to upload a file to the victim’s device

Also executed on the compromised hosts are tools like ReverseSocks5Agent and ReverseSocks5, as well as commands to gather device information.

The Russian cybersecurity vendor said it also uncovered various filenames in English and Arabic, suggesting that the targeting focus of Cavalry Werewolf may be broader in scope than previously assumed.

“Cavalry Werewolf is actively experimenting with expanding its arsenal,” BI.ZONE said. “This highlights the importance of having quick insights into the tools used by the cluster; otherwise, it would be impossible to maintain up-to-date measures to prevent and detect such attacks.”

The disclosure comes as the company disclosed that an analysis of publications on Telegram channels or underground forums by both financially motivated attackers and hacktivists over the past year has identified compromises of at least 500 companies in Russia, most of which spanned commerce, finance, education, and entertainment sectors.

“In 86% of cases attackers published data stolen from compromised public‑facing web applications,” it noted. “After gaining access to the public web application, the attackers installed gs‑netcat on the compromised server to ensure persistent access. Sometimes, the attackers would load additional web shells. They also used legitimate tools such as Adminer, phpMiniAdmin, and mysqldump to extract data from databases.”