Tag: Cyber Security

Nov 05, 2025Ravie LakshmananCybercrime / Ransomware

The U.S. Treasury Department on Tuesday imposed sanctions against eight individuals and two entities within North Korea’s global financial network for laundering money for various illicit schemes, including cybercrime and information technology (IT) worker fraud.

“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley.

“By generating revenue for Pyongyang’s weapons development, these actors directly threaten U.S. and global security. The Treasury will continue to pursue the facilitators and enablers behind these schemes to cut off the DPRK’s illicit revenue streams.”

The names of sanctioned individuals and entities are listed below –

• Jang Kuk Chol (Jang) and Ho Jong Son, who are said to have helped manage funds, including $5.3 million in cryptocurrency, on behalf of First Credit Bank (aka Cheil Credit Bank), which was previously subjected to sanctions in September 2017 for facilitating North Korea’s missile programs
• Korea Mangyongdae Computer Technology Company (KMCTC), an IT company based in North Korea that has dispatched two IT worker delegations to the Chinese cities of Shenyang and Dandong, and has used Chinese nationals as banking proxies to conceal the origin of funds generated as part of the fraudulent employment scheme
• U Yong Su, KMCTC’s current president
• Ryujong Credit Bank, which has provided financial assistance in sanctions avoidance activities between China and North Korea
• Ho Yong Chol, Han Hong Gil, Jong Sung Hyok, Choe Chun Pom, and Ri Jin Hyok, who are representatives of North Korean financial institutions in Russia and China and are said to have facilitated transactions worth millions of dollars on behalf of the sanctioned banks

A portion of $5.3 million has been linked to a North Korean ransomware actor known to have targeted U.S. victims in the past and handled revenue from IT worker operations.

Describing North Korean cyber actors as orchestrating espionage, disruptive attacks, and financial theft at a scale “unmatched” by any other country, the Treasury said the Pyongyang-affiliated cybercriminals have stolen over $3 billion, mostly in digital assets, over the past three years using sophisticated malware and social engineering.

The department also accused the regime of leveraging its IT army located across the world to gain employment at companies by obfuscating their nationality and identities, and funneling back a huge chunk of their income back to the Democratic People’s Republic of Korea (DPRK).

“In some instances, DPRK IT workers engage other foreign freelance programmers to establish business partnerships,” it added. “They collaborate with these non-North Korean freelance workers on projects which were originally commissioned to those workers and split the revenue.”

According to TRM Labs, the cryptocurrency wallet addresses linked to First Credit Bank show “consistent inbound flows resembling salary payments” and that “these flows likely represent income from IT workers employed abroad under false identities.”

In all, the wallets controlled by the bank are said to have received more than $12.7 million between June 2023 and May 2025, indicating sustained activity spanning over two years.

“Together, these individuals and entities form a central component of Pyongyang’s sanctions-evasion architecture, enabling the regime to move millions of dollars through both traditional and digital channels, including cryptocurrency, to fund weapons programs and cyber operations,” the blockchain intelligence firm said.

Behind every alert is an analyst; tired eyes scanning dashboards, long nights spent on false positives, and the constant fear of missing something big. It’s no surprise that many SOCs face burnout before they face their next breach. But this doesn’t have to be the norm. The path out isn’t through working harder, but through working smarter, together.

Here are three practical steps every SOC can take to prevent burnout and build a healthier, more resilient team.

Step 1: Reduce Alert Overload with Real-Time Context

SOC burnout often starts with alert fatigue. Analysts waste hours dissecting incomplete data because traditional systems provide only fragments of the story. By giving teams the full behavioral context behind alerts, leaders can help them prioritize faster and act with confidence.

Leading SOCs are already turning to advanced solutions like ANY.RUN’s interactive sandbox to cut through the noise. Instead of static logs, they see the full attack chain unfold in real time, from the first process execution to network connections, registry changes, and data exfiltration attempts. Every action is visualized step by step, giving analysts instant clarity on what’s malicious and what’s safe.

Check recent attack fully exposed in real-time

Real-time analysis of Clickup abuse fully exposed in 60 seconds

For instance, in this analysis session, analysts exposed the entire phishing attack chain in just 60 seconds, uncovering how attackers abused ClickUp to deliver a fake Microsoft 365 login page. This fast, real-time detection turned what could have been hours of log review into a clear, actionable case.

Here’s what SOC teams gain from real-time interactive analysis:

1. Safe, hands-on investigation: Analysts can interact with live samples inside an isolated environment, reducing the risk of human error in production systems.
2. Full attack chain exposure: Visibility into every process, file, and network action helps identify the threat’s origin, intent, and lateral movement.
3. IOC extraction in seconds: Behavioral data is automatically captured, making it easy to feed verified indicators directly into detection systems.
4. Fewer false positives: Clear behavioral evidence allows teams to confirm or dismiss alerts faster, improving confidence and focus.

Result: Faster triage, reduced noise, and a calmer, more efficient SOC.

Step 2: Automate Repetitive Work to Protect Analyst Focus

Even the best SOCs lose countless hours to manual, low-impact tasks, collecting logs, exporting reports, copying IOCs, and updating tickets. These repetitive duties might seem small, but together they drain focus, slow investigations, and feed the burnout cycle.

Automation breaks this pattern. When systems take care of the routine, analysts can dedicate their time to higher-value work; investigation, detection tuning, and incident response.

The real breakthrough comes from combining automation with interactive analysis. This pairing saves enormous time while keeping analysts in control. In fact, some sandboxes like ANY.RUN now include automated interactivity; a feature that performs human-like actions such as solving CAPTCHAs, uncovering hidden malicious links behind QR codes, and executing tasks that traditional tools can’t handle without manual input.

QR code–based phishing fully exposed inside ANY.RUN sandbox; the hidden malicious link and full attack chain revealed in under 60 seconds.

The sandbox behaves as an analyst would, interacting with the sample autonomously while still allowing experts to step in whenever needed.

As a result, SOC teams gain both efficiency and flexibility, scaling their capacity without sacrificing precision. According to ANY.RUN’s latest survey, teams using this combination of automation and interactivity achieved remarkable results:

• 95% of SOC teams sped up threat investigations.
• Up to 20% decrease in workload for Tier 1 analysts.
• 30% reduction in Tier 1 → Tier 2 escalations.
• 3× higher SOC efficiency through faster triage and automated evidence collection.

Result: A focused, high-performing SOC where automation handles the dull work, and analysts handle what truly matters.

Step 3: Integrate Real-Time Threat Intelligence to Cut Manual Work

One of the most exhausting parts of a SOC analyst’s job is chasing outdated data, verifying domains that are already inactive, checking expired IOCs, or switching between disconnected tools just to confirm what’s real. This constant context-switching drains focus and leads straight to burnout.

The solution is smarter integration. When fresh, verified threat intelligence flows directly into existing tools, analysts spend less time hunting for context and more time acting on it.

That’s why leading teams use ANY.RUN’s Threat Intelligence Feeds, which gather live IOCs from more than 15 000 SOCs and 500 000 analysts worldwide. Each indicator comes straight from real-time sandbox investigations, meaning the data reflects current phishing kits, redirect chains, and active infrastructure, not last month’s reports.

Because these feeds integrate smoothly with existing SOC platforms, analysts can:

1. Access continuously updated data without leaving their familiar environment.
2. See how threats actually behave by tracing each IOC back to its live sandbox analysis.
3. Avoid repetitive manual checks for outdated domains or expired indicators.
4. Act faster with confidence, using evidence backed by current global activity.

Result: Fewer context switches, faster validation, and analysts who stay sharp instead of overwhelmed.

Prevent Analyst Burnout with Real-Time Insight and Smarter Workflows

SOC burnout doesn’t come from the workload alone; it comes from slow tools, outdated data, and constant context switching. When teams gain real-time visibility, automated workflows, and connected intelligence, they move faster, think clearer, and stay motivated longer.

With these improvements, SOCs can:

• Stay ahead of evolving threats with always-fresh intelligence
• Eliminate repetitive manual work through automation
• Investigate incidents faster with full behavioral context
• Keep analysts focused, confident, and engaged

Talk to ANY.RUN experts to discover how your SOC can replace fatigue with focus and transform burnout into better performance.

Nov 05, 2025Ravie LakshmananCybersecurity / Cyber Espionage

A never-before-seen threat activity cluster codenamed UNK_SmudgedSerpent has been attributed as behind a set of cyber attacks targeting academics and foreign policy experts between June and August 2025, coinciding with heightened geopolitical tensions between Iran and Israel.

“UNK_SmudgedSerpent leveraged domestic political lures, including societal change in Iran and investigation into the militarization of the Islamic Revolutionary Guard Corps (IRGC),” Proofpoint security researcher Saher Naumaan said in a new report shared with The Hacker News.

The enterprise security company said the campaign shares tactical similarities with that of prior attacks mounted by Iranian cyber espionage groups like TA455 (aka Smoke Sandstorm or UNC1549), TA453 (aka Mint Sandstorm or Charming Kitten), and TA450 (aka MuddyWater or Mango Sandstorm).

The email messages bear all hallmarks of a classic Charming Kitten attack, with the threat actors reeling in prospective targets by engaging with them in benign conversations before attempting to phish for their credentials.

In some cases, the emails have been found to contain malicious URLs to trick victims into downloading an MSI installer that, while masquerading as Microsoft Teams, ultimately deploys legitimate Remote Monitoring and Management (RMM) software like PDQ Connect, a tactic often embraced by MuddyWater.

Proofpoint said the digital missives have also impersonated prominent U.S. foreign policy figures associated with think tanks like Brookings Institution and Washington Institute to lend them a veneer of legitimacy and increase the likelihood of success of the attack.

Targets of these efforts are over 20 subject matter experts of a U.S.-based think tank who focus on Iran-related policy matters. In at least one case, the threat actor, upon receiving a response, is said to have insisted on verifying the identity of the target and the authenticity of the email address before proceeding further for any collaboration.

“I am reaching out to confirm whether a recent email expressing interest in our institute’s research project was indeed sent by you,” read the email. “The message was received from an address that does not appear to be your primary email, and I wanted to ensure the authenticity before proceeding further.”

Subsequently, the attackers sent a link to certain documents that they claimed would be discussed in an upcoming meeting. Clicking the link, however, takes the victim to a bogus landing page that’s designed to harvest their Microsoft account credentials.

In another variant of the infection chain, the URL mimics a Microsoft Teams login page along with a “Join now” button. However, the follow-on stages activated after clicking the supposed meeting button are unclear at this stage.

Proofpoint noted that the adversary removed the password requirement on the credential harvesting page after the target “communicated suspicions,” instead directly taking them to a spoofed OnlyOffice login page hosted on “thebesthomehealth[.]com.”

“UNK_SmudgedSerpent’s reference to OnlyOffice URLs and health-themed domains is reminiscent of TA455 activity,” Naumaan said. “TA455 began registering health-related domains at least since October 2024 following a consistent stream of domains with aerospace interest, with OnlyOffice becoming popular to host files more recently in June 2025.”

Hosted on the counterfeit OnlyOffice site is a ZIP archive containing an MSI installer that, in turn, launches PDQ Connect. The other documents, per the company, are assessed to be decoys.

There is evidence to suggest that UNK_SmudgedSerpent engaged in possible hands-on-keyboard activity to install additional RMM tools like ISL Online through PDQ Connect. The reason behind the sequential deployment of two distinct RMM programs is not known.

Other phishing emails sent by the threat actor have targeted a U.S.-based academic, seeking assistance in investigating the IRGC, as well as another individual in early August 2025, soliciting a potential collaboration on researching “Iran’s Expanding Role in Latin America and U.S. Policy Implications.”

“The campaigns align with Iran’s intelligence collection, focusing on Western policy analysis, academic research, and strategic technology,” Proofpoint said. “The operation hints at evolving cooperation between Iranian intelligence entities and cyber units, marking a shift in Iran’s espionage ecosystem.”

Nov 05, 2025Ravie LakshmananVulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Gladinet and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The vulnerabilities in question are listed below –

• CVE-2025-11371 (CVSS score: 7.5) – A vulnerability in files or directories accessible to external parties in Gladinet CentreStack and Triofox that could result in unintended disclosure of system files.
• CVE-2025-48703 (CVSS score: 9.0) – An operating system command injection vulnerability in Control Web Panel (formerly CentOS Web Panel) that results in unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request.

The development comes weeks after cybersecurity company Huntress said it detected active exploitation attempts targeting CVE-2025-11371, with unknown threat actors leveraging the flaw to run reconnaissance commands (e.g., ipconfig /all) passed in the form of a Base64-encoded payload.

However, there are currently no public reports on how CVE-2025-48703 is being weaponized in real-world attacks. However, technical details of the flaw were shared by security researcher Maxime Rinaudo in June 2025, shortly after it was patched in version 0.9.8.1205 following responsible disclosure on May 13.

“It allows a remote attacker who knows a valid username on a CWP instance to execute pre-authenticated arbitrary commands on the server,” Rinaudo said.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by November 25, 2025, to secure their networks.

The addition of the two flaws to the KEV catalog follows reports from Wordfence about the exploitation of critical security vulnerabilities impacting three WordPress plugins and themes –

• CVE-2025-11533 (CVSS score: 9.8) – A privilege escalation vulnerability in WP Freeio that makes it possible for an unauthenticated attacker to grant themselves administrative privileges by specifying a user role during registration.
• CVE-2025-5397 (CVSS score: 9.8) – An authentication bypass vulnerability in Noo JobMonster that makes it possible for unauthenticated attackers to sidestep standard authentication and access administrative user accounts, assuming social login is enabled on a site.
• CVE-2025-11833 (CVSS score: 9.8) – A lack of authorization checks in Post SMTP that makes it possible for an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, allowing site takeover.

WordPress site users relying on the aforementioned plugins and themes are recommended to update them to the latest version as soon as possible, use strong passwords, and audit the sites for signs of malware or the presence of unexpected accounts.

Nov 04, 2025Ravie LakshmananCybercrime / Money Laundering

Nine people have been arrested in connection with a coordinated law enforcement operation that targeted a cryptocurrency money laundering network that defrauded victims of €600 million (~$688 million).

According to a statement released by Eurojust today, the action took place between October 27 and 29 across Cyprus, Spain, and Germany, with the suspects arrested on charges of involvement in money laundering from fraudulent activities.

In addition to the arrests of the individuals from their homes, authorities conducted searches that led to the seizure of €800,000 ($918,000) in bank accounts, €415,000 ($476,000) in cryptocurrencies, and €300,000 ($344,000) in cash.

Participating nations in the “synchronized” effort alongside Eurojust were agencies from France, Belgium, Cyprus, Germany, and Spain.

“The members of the network created dozens of fake cryptocurrency investment platforms that looked like legitimate websites and promised high returns,” Eurojust said. “They recruited their victims using a variety of methods such as social media advertising, cold calling, fake news articles, and fake testimonials from celebrities or successful investors.”

Once victims invested their funds in the bogus platforms, the crypto assets were laundered using blockchain, netting them about €600 million in illicit revenue.

Eurojust said an investigation into the money laundering and scam network was initiated after victims complained of not being able to recover their investments, eventually culminating in the raids that occurred last week.

In tandem, the Paris Prosecutor’s Office said in a post on LinkedIn that the probe started in 2023 and that there were “several hundreds of victims” in France and across Europe who were lured into deporting their assets in the fake cryptocurrency platforms and promising attractive gains.

The disclosure comes as Europol revealed that the criminal use of cryptocurrency and blockchain is becoming increasingly professionalized, sophisticated, and organized, and that countering the “borderless nature” of the threat requires a similar response.

“Law enforcement, private sector partners, and academia are rapidly advancing their ability to counter the threats posed by sophisticated crypto-related crimes and money laundering,” the agency said. “Advanced tools are reducing reliance on manual tracing, while a host of successful cross-border operations show the power of collaboration.”

The nascent collective that combines three prominent cybercrime groups, Scattered Spider, LAPSUS$, and ShinyHunters, has created no less than 16 Telegram channels since August 8, 2025.

“Since its debut, the group’s Telegram channels have been removed and recreated at least 16 times under varying iterations of the original name – a recurring cycle reflecting platform moderation and the operators’ determination to sustain this specific type of public presence despite disruption,” Trustwave SpiderLabs, a LevelBlue company, said in a report shared with The Hacker News.

Scattered LAPSUS$ Hunters (SLH) emerged in early August, launching data extortion attacks against organizations, including those using Salesforce in recent months. Chief among its offerings is an extortion-as-a-service (EaaS) that other affiliates can join to demand a payment from targets in exchange for using the “brand” and notoriety of the consolidated entity.

All three groups are assessed to be affiliated with a loose-knit and federated cybercriminal enterprise referred to as The Com that’s marked by “fluid collaboration and brand-sharing.” The threat actors have since exhibited their associations with other adjacent clusters tracked as CryptoChameleon and Crimson Collective.

Telegram, according to the cybersecurity vendor, continues to be the central place for its members to coordinate and bring visibility to the group’s operations, embracing a style akin to hacktivist groups. This serves a fold purpose: turning its channels into a megaphone for the threat actors to disseminate their messaging, as well as market their services.

“As activity matured, administrative posts began to include signatures referencing the ‘SLH/SLSH Operations Centre,’ a self-applied label carrying symbolic weight that projected the image of an organized command structure that lent bureaucratic legitimacy to otherwise fragmented communications,” Trustwave noted.

Observed Telegram channels and activity periods

Members of the group have also used Telegram to accuse Chinese state actors of exploiting vulnerabilities allegedly targeted by them, while simultaneously taking aim at U.S. and U.K. law enforcement agencies. Furthermore, they have been found to invite channel subscribers to participate in pressure campaigns by finding the email addresses of C-suite executives and relentlessly emailing them in return for a minimum payment of $100.

Some of the known threat clusters part of the crew are listed below, highlighting a cohesive alliance that brings together several semi-autonomous groups within The Com network and their technical capabilities under one umbrella –

• Shinycorp (aka sp1d3rhunters), who acts as a coordinator and manages brand perception
• UNC5537 (linked to Snowflake extortion campaign)
• UNC3944 (associated with Scattered Spider)
• UNC6040 (linked to recent Salesforce vishing campaign)

Also part of the group are identities like Rey and SLSHsupport, who are responsible for sustaining engagement, along with yuka (aka Yukari or Cvsp), who has a history of developing exploits and presents themselves as an initial access broker (IAB).

Consolidated administrative and affiliated personas

While data theft and extortion continue to be Scattered LAPSUS$ Hunters’ mainstay, the threat actors have hinted at a custom ransomware family named Sh1nySp1d3r (aka ShinySp1d3r) to rival LockBit and DragonForce, suggesting possible ransomware operations in the future.

Trustwave has characterized the threat actors as positioned somewhere in the spectrum of financially motivated cybercrime and attention-driven hacktivism, commingling monetary incentives and social validation to fuel their activities.

“Through theatrical branding, reputational recycling, cross-platform amplification, and layered identity management, the actors behind SLH have shown a mature grasp of how perception and legitimacy can be weaponized within the cybercriminal ecosystem,” it added.

“Taken together, these behaviors illustrate an operational structure that combines social engineering, exploit development, and narrative warfare – a blend more characteristic of established underground actors than opportunistic newcomers.”

Cartelization of Another Kind

The disclosure comes as Acronis revealed that the threat actors behind DragonForce have unleashed a new malware variant that uses vulnerable drivers such as truesight.sys and rentdrv2.sys (part of BadRentdrv2) to disable security software and terminate protected processes as part of a bring your own vulnerable driver (BYOVD) attack.

DragonForce, which launched a ransomware cartel earlier this year, has since also partnered with Qilin and LockBit in an attempt to “facilitate the sharing of techniques, resources, and infrastructure” and bolster their own individual capabilities.

“Affiliates can deploy their own malware while using DragonForce’s infrastructure and operating under their own brand,” Acronis researchers said. “This lowers the technical barrier and allows both established groups and new actors to run operations without building a full ransomware ecosystem.”

The ransomware group, per the Singapore headquartered company, is aligned with Scattered Spider, with the latter functioning as an affiliate to break into targets of interest through sophisticated social engineering techniques like spear-phishing and vishing, followed by deploying remote access tools like ScreenConnect, AnyDesk, TeamViewer, and Splashtop to conduct extensive reconnaissance prior to dropping DragonForce.

“DragonForce used the Conti leaked source code to forge a dark successor crafted to carry its own mark,” it said. “While other groups made some changes to the code to give it a different spin, DragonForce kept all functionality unchanged, only adding an encrypted configuration in the executable to get rid of command-line arguments that were used in the original Conti code.”

Nov 04, 2025Ravie LakshmananCybercrime / Money Laundering

Nine people have been arrested in connection with a coordinated law enforcement operation that targeted a cryptocurrency money laundering network that defrauded victims of €600 million (~$688 million).

According to a statement released by Eurojust today, the action took place between October 27 and 29 across Cyprus, Spain, and Germany, with the suspects arrested on charges of involvement in money laundering from fraudulent activities.

In addition to the arrests of the individuals from their homes, authorities conducted searches that led to the seizure of €800,000 ($918,000) in bank accounts, €415,000 ($476,000) in cryptocurrencies, and €300,000 ($344,000) in cash.

Participating nations in the “synchronized” effort alongside Eurojust were agencies from France, Belgium, Cyprus, Germany, and Spain.

“The members of the network created dozens of fake cryptocurrency investment platforms that looked like legitimate websites and promised high returns,” Eurojust said. “They recruited their victims using a variety of methods such as social media advertising, cold calling, fake news articles, and fake testimonials from celebrities or successful investors.”

Once victims invested their funds in the bogus platforms, the crypto assets were laundered using blockchain, netting them about €600 million in illicit revenue.

Eurojust said an investigation into the money laundering and scam network was initiated after victims complained of not being able to recover their investments, eventually culminating in the raids that occurred last week.

The disclosure comes as Europol revealed that the criminal use of cryptocurrency and blockchain is becoming increasingly professionalized, sophisticated, and organized, and that countering the “borderless nature” of the threat requires a similar response.

“Law enforcement, private sector partners, and academia are rapidly advancing their ability to counter the threats posed by sophisticated crypto-related crimes and money laundering,” the agency said. “Advanced tools are reducing reliance on manual tracing, while a host of successful cross-border operations show the power of collaboration.”

Nov 04, 2025Ravie LakshmananVulnerability / Supply Chain Security

Details have emerged about a now-patched critical security flaw in the popular “@react-native-community/cli” npm package that could be potentially exploited to run malicious operating system (OS) commands under certain conditions.

“The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli’s development server, posing a significant risk to developers,” JFrog Senior Security Researcher Or Peles said in a report shared with The Hacker News.

The vulnerability, tracked as CVE-2025-11953, carries a CVSS score of 9.8 out of a maximum of 10.0, indicating critical severity. It also affects the “@react-native-community/cli-server-api” package versions 4.8.0 through 20.0.0-alpha.2, and has been patched in version 20.0.0 released early last month.

The command-line tools package, which is maintained by Meta, enables developers to build React Native mobile applications. It receives approximately 1.5 million to 2 million downloads per week.

According to the software supply chain security firm, the vulnerability arises from the fact that the Metro development server used by React Native to build JavaScript code and assets binds to external interfaces by default (instead of localhost) and exposes an “/open-url” endpoint that is susceptible to OS command injection.

“The server’s ‘/open-url’ endpoint handles a POST request that includes a user-input value that is passed to the unsafe open() function provided by the open NPM package, which will cause OS command execution,” Peles said.

As a result, an unauthenticated network attacker could weaponize the flaw to send a specially crafted POST request to the server and run arbitrary commands. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS, it can be abused to execute arbitrary binaries with limited parameter control.

While the issue has since been addressed, developers who use React Native with a framework that doesn’t rely on Metro as the development server are not impacted.

“This zero day vulnerability is particularly dangerous due to its ease of exploitation, lack of authentication requirements and broad attack surface,” Peles said. “It also exposes the critical risks hidden in third-party code.”

“For developer and security teams, this underscores the need for automated, comprehensive security scanning across the software supply chain to ensure easily exploitable flaws are remediated before they impact your organization.”

Nov 04, 2025Ravie Lakshmanan

Cybersecurity researchers have disclosed details of four security flaws in Microsoft Teams that could have exposed users to serious impersonation and social engineering attacks.

The vulnerabilities “allowed attackers to manipulate conversations, impersonate colleagues, and exploit notifications,” Check Point said in a report shared with The Hacker News.

Following responsible disclosure in March 2024, some of the issues were addressed by Microsoft in August 2024 under the CVE CVE-2024-38197, with subsequent patches rolled out in September 2024 and October 2025.

In a nutshell, these shortcomings make it possible to alter message content without leaving the “Edited” label and sender identity and modify incoming notifications to change the apparent sender of the message, thereby allowing an attacker to trick victims into opening malicious messages by making them appear as if they are coming from a trusted source, including high-profile C-suite executives.

The attack, which covers both external guest users and internal malicious actors, poses grave risks, as it undermines security boundaries and enables prospective targets to perform unintended actions, such as clicking on malicious links sent in the messages or sharing sensitive data.

On top of that, the flaws also made it possible to change the display names in private chat conversations by modifying the conversation topic, as well as arbitrarily modify display names used in call notifications and during the call, permitting an attacker to forge caller identities in the process.

“Together, these vulnerabilities show how attackers can erode the fundamental trust that makes collaboration workspace tools effective, turning Teams from a business enabler into a vector for deception,” the cybersecurity company said.

Microsoft has described CVE-2024-38197 (CVSS score: 6.5) as a medium-severity spoofing issue impacting Teams for iOS, which could allow an attacker to alter the sender’s name of a Teams message and potentially trick them into disclosing sensitive information through social engineering ploys.

The findings come as threat actors are abusing Microsoft’s enterprise communication platform in various ways, including approaching targets and persuading them to grant remote access or run a malicious payload under the guise of support personnel.

Microsoft, in an advisory released last month, said the “extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors” and that its messaging (chat), calls, and meetings, and video-based screen-sharing features are weaponized at different stages of the attack chain.

“These vulnerabilities hit at the heart of digital trust,” Oded Vanunu, head of product vulnerability research at Check Point, told The Hacker News in a statement. “Collaboration platforms like Teams are now as critical as email and just as exposed.”

“Our research shows that threat actors don’t need to break in anymore; they just need to bend trust. Organizations must now secure what people believe, not just what systems process. Seeing isn’t believing anymore, verification is.”

Nov 04, 2025Ravie LakshmananMalware / Cyber Espionage

Threat actors are leveraging weaponized attachments distributed via phishing emails to deliver malware likely targeting the defense sector in Russia and Belarus.

According to multiple reports from Cyble and Seqrite Labs, the campaign is designed to deploy a persistent backdoor on compromised hosts that uses OpenSSH in conjunction with a customized Tor hidden service that employs obfs4 for traffic obfuscation.

The activity has been codenamed Operation SkyCloak by Seqrite, stating the phishing emails utilize lures related to military documents to convince recipients into opening a ZIP file containing a hidden folder with a second archive file, along with a Windows shortcut (LNK) file, which, when opened, triggers the multi-step infection chain.

“They trigger PowerShell commands which act as the initial dropper stage where another archive file besides the LNK is used to set up the entire chain,” security researchers Sathwik Ram Prakki and Kartikkumar Jivani said, adding the archive files were uploaded from Belarus to the VirusTotal platform in October 2025.

One such intermediate module is a PowerShell stager that’s responsible for running anti-analysis checks to evade sandbox environments, as well as writing a Tor onion address (“yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion” to a file named “hostname” in the “C:Users<Username>AppDataRoaminglogicprosocketExecutingLoggingIncrementalCompiler” location.

As part of its analysis checks, the malware confirms that the number of recent LNK files present on the system is greater than or equal to 10 and verifies that the current process count exceeds or equals 50. If either of the conditions is not met, the PowerShell abruptly ceases execution.

“These checks serve as environmental awareness mechanisms, as sandbox environments typically exhibit fewer user-generated shortcuts and reduced process activity compared to genuine user workstations,” Cyble said.

Once these environmental checks are satisfied, the script proceeds to display a PDF decoy document stored in the aforementioned “logicpro” folder, while setting up persistence on the machine using a scheduled task under the name “githubdesktopMaintenance” that runs automatically after user logon and runs at regular intervals every day at 10:21 a.m. UTC.

The scheduled task is designed to launch “logicpro/githubdesktop.exe,” which is nothing but a renamed version of “sshd.exe,” a legitimate executable associated with OpenSSH for Windows,” allowing the threat actor to establish an SSH service that restricts communications to pre-deployed authorized keys stored in the same “logicpro” folder.

Besides enabling file transfer capabilities using SFTP, the malware also creates a second scheduled task that’s configured to execute “logicpro/pinterest.exe,” a customized Tor binary used to create a hidden service that communicates with the attacker’s .onion address by obfuscating the network traffic using obfs4. Furthermore, it implements port forwarding for multiple critical Windows services such as RDP, SSH, and SMB to facilitate access to system resources through the Tor network.

Once the connection is successfully established, the malware exfiltrates system information, in addition to a unique .onion URL hostname identifying the compromised system by means of a curl command. The threat actor ultimately gains remote access capabilities to the compromised system upon receipt of the victim’s .onion URL through the command-and-control channel.

While it’s currently not clear who is behind the campaign, both security vendors said it’s consistent with Eastern European-linked espionage activity targeting defense and government sectors. Cyble has assessed with medium confidence that the attack shares tactical overlaps with a prior campaign mounted by a threat actor tracked by CERT-UA under the moniker UAC-0125.

“Attackers access SSH, RDP, SFTP, and SMB via concealed Tor services, enabling full system control while preserving anonymity,” the company added. “All communications are directed through anonymous addresses using pre-installed cryptographic keys.”