Tag: Cyber Threats

  • ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure

    Aug 16, 2025 | Ravie Lakshmanan | Android / Malware

    Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators’ infrastructure.

    “The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications,” Hunt.io said in a report.

    ERMAC was first documented by ThreatFabric in September 2021, detailing its ability to conduct overlay attacks against hundreds of banking and cryptocurrency apps across the world. Attributed to a threat actor named DukeEugene, it’s assessed to be an evolution of Cerberus and BlackRock.

    Other commonly observed malware families – including Hook (ERMAC 2.0), Pegasus, and Loot – share a lineage: each descends from ERMAC, whose source code components have been passed down and modified across generations.

    Hunt.io said it managed to obtain the complete source code associated with the malware-as-a-service (MaaS) offering from an open directory on 141.164.62[.]236:443, right down to its PHP and Laravel backend, React-based frontend, Golang exfiltration server, and Android builder panel.

    The functions of each of the components are listed below –

    • Backend C2 server – Provides operators the ability to manage victim devices and access compromised data, such as SMS logs, stolen accounts, and device data
    • Frontend panel – Allows operators to interact with connected devices by issuing commands, managing overlays, and accessing stolen data
    • Exfiltration server – A Golang server used for exfiltrating stolen data and managing information related to compromised devices
    • ERMAC backdoor – An Android implant written in Kotlin that offers the ability to control the compromised device and collect sensitive data based on incoming commands from the C2 server, while ensuring that the infections don’t touch devices located in the Commonwealth of Independent States (CIS) nations
    • ERMAC builder – A tool to help customers configure and create builds for their malware campaigns by providing the application name, server URL, and other settings for the Android backdoor

    Besides an expanded set of app targets, ERMAC 3.0 adds new form injection methods, an overhauled command-and-control (C2) panel, a new Android backdoor, and AES-CBC encrypted communications.

    “The leak revealed critical weaknesses, such as a hardcoded JWT secret and a static admin bearer token, default root credentials, and open account registration on the admin panel,” the company said. “By correlating these flaws with live ERMAC infrastructure, we provide defenders with concrete ways to track, detect, and disrupt active operations.”


    Source: thehackernews.com…

  • Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware

    Aug 16, 2025 | Ravie Lakshmanan | Malware / Vulnerability

    The threat actor known as EncryptHub is continuing to exploit a now-patched security flaw impacting Microsoft Windows to deliver malicious payloads.

    Trustwave SpiderLabs said it recently observed an EncryptHub campaign that brings together social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger the infection routine via a rogue Microsoft Console (MSC) file.

    “These activities are part of a broad, ongoing wave of malicious activity that blends social engineering with technical exploitation to bypass security defenses and gain control over internal environments,” Trustwave researchers Nathaniel Morales and Nikita Kazymirskyi said.

    EncryptHub, also tracked as LARVA-208 and Water Gamayun, is a Russian hacking group that first gained prominence in mid-2024. Operating at a high tempo, the financially motivated crew is known for leveraging several methods, including fake job offers, portfolio review, and even compromising Steam games, to infect targets with stealer malware.

    The threat actor’s abuse of CVE-2025-26633 was previously documented by Trend Micro in March 2025, uncovering attacks that deliver two backdoors called SilentPrism and DarkWisp.

    The latest attack sequence involves the threat actor claiming to be from the IT department and sending a Microsoft Teams request to the target with the goal of initiating a remote connection and deploying secondary payloads by means of PowerShell commands.

    Among the files dropped are two MSC files that share the same name, one benign and the other malicious. The pair is used to trigger CVE-2025-26633, so that launching the innocuous file ultimately results in the execution of the rogue one.

    The MSC file, for its part, fetches and executes from an external server another PowerShell script that collects system information, establishes persistence on the host, and communicates with an EncryptHub command-and-control (C2) server to receive and run malicious payloads, including a stealer called Fickle Stealer.

    “The script receives AES-encrypted commands from the attacker, decrypts them, and runs the payloads directly on the infected machine,” the researchers said.

    Also deployed by the threat actor over the course of the attack is a Go-based loader codenamed SilentCrystal, which abuses Brave Support, a legitimate platform associated with the Brave web browser, to host next-stage malware – a ZIP archive containing the two MSC files to weaponize CVE-2025-26633.

    What makes this significant is that uploading file attachments on the Brave Support platform is restricted for new users, indicating that the attackers somehow managed to obtain unauthorized access to an account with upload permissions to pull off the scheme.

    Some of the other tools deployed include a Golang backdoor that operates in both client and server mode to send system metadata to the C2 server, as well as set up C2 infrastructure by making use of the SOCKS5 proxy tunneling protocol.

    There is also evidence that the threat actors are continuing to rely on videoconferencing lures, this time setting up phony platforms like RivaTalk to deceive victims into downloading an MSI installer.

    Running the installer drops several files, among them the legitimate Early Launch Anti-Malware (ELAM) installer binary from Symantec, which is used to sideload a malicious DLL. That DLL, in turn, launches a PowerShell command to download and run another PowerShell script.

    That script is engineered to gather system information, exfiltrate it to the C2 server, and await encrypted PowerShell instructions that are decoded and executed to give the attackers full control of the system. The malware also displays a fake “System Configuration” pop-up as a ruse while launching a background job that generates fake browser traffic, making HTTP requests to popular websites so that the C2 communications blend in with normal network activity.

    “The EncryptHub threat actor represents a well-resourced and adaptive adversary, combining social engineering, abuse of trusted platforms, and the exploitation of system vulnerabilities to maintain persistence and control,” Trustwave said.

    “Their use of fake video conferencing platforms, encrypted command structures, and evolving malware toolsets underscores the importance of layered defense strategies, ongoing threat intelligence, and user awareness training.”


    Source: thehackernews.com…

  • Taiwan Web Servers Breached by UAT-7237 Using Customized Open-Source Hacking Tools

    Aug 15, 2025 | Ravie Lakshmanan | Malware / Open Source

    A Chinese-speaking advanced persistent threat (APT) actor has been observed targeting web infrastructure entities in Taiwan using customized versions of open-sourced tools with an aim to establish long-term access within high-value victim environments.

    The activity has been attributed by Cisco Talos to an activity cluster it tracks as UAT-7237, which is believed to have been active since at least 2022. The group is assessed to be a sub-group of UAT-5918, which is known to have attacked critical infrastructure entities in Taiwan as far back as 2023.

    “UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise,” Talos said.

    The attacks are characterized by the use of a bespoke shellcode loader dubbed SoundBill that’s designed to decode and launch secondary payloads, such as Cobalt Strike.

    Despite the tactical overlaps with UAT-5918, UAT-7237’s tradecraft exhibits notable deviations, including its reliance on Cobalt Strike as a primary backdoor, the selective deployment of web shells after initial compromise, and the incorporation of direct remote desktop protocol (RDP) access and SoftEther VPN clients for persistent access.

    The attack chains begin with the exploitation of known security flaws against unpatched servers exposed to the internet, followed by conducting initial reconnaissance and fingerprinting to determine if the target is of interest to the threat actors for follow-on exploitation.

    “While UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237 deviates significantly, using the SoftEther VPN client (similar to Flax Typhoon) to persist their access, and later access the systems via RDP,” researchers Asheer Malhotra, Brandon White, and Vitor Ventura said.

    Once this step is successful, the attacker pivots to other systems across the enterprise to expand their reach and carry out further activities, including the deployment of SoundBill, a shellcode loader based on VTHello, for launching Cobalt Strike.

    Also deployed on compromised hosts is JuicyPotato, a privilege escalation tool widely used by various Chinese hacking groups, and Mimikatz to extract credentials. In an interesting twist, subsequent attacks have leveraged an updated version of SoundBill that embeds a Mimikatz instance into it in order to achieve the same goals.

    Besides using FScan to identify open ports against IP subnets, UAT-7237 has been observed attempting to make Windows Registry changes to disable User Account Control (UAC) and turn on storage of cleartext passwords.

    “UAT-7237 specified Simplified Chinese as the preferred display language in their [SoftEther] VPN client’s language configuration file, indicating that the operators were proficient with the language,” Talos noted.

    The disclosure comes as Intezer said it discovered a new variant of a known backdoor called FireWood that’s associated with a China-aligned threat actor called Gelsemium, albeit with low confidence.

    FireWood was first documented by ESET in November 2024, detailing its ability to leverage a kernel driver rootkit module called usbdev.ko to hide processes, and run various commands sent by an attacker-controlled server.

    “The core functionality of the backdoor remains the same but we did notice some changes in the implementation and the configuration of the backdoor,” Intezer researcher Nicole Fishbein said. “It is unclear if the kernel module was also updated as we were not able to collect it.”


    Source: thehackernews.com…

  • Zero Trust + AI: Privacy in the Age of Agentic AI

    We used to think of privacy as a perimeter problem: about walls and locks, permissions, and policies. But in a world where artificial agents are becoming autonomous actors — interacting with data, systems, and humans without constant oversight — privacy is no longer about control. It’s about trust. And trust, by definition, is about what happens when you’re not looking.

    Agentic AI — AI that perceives, decides, and acts on behalf of others — isn’t theoretical anymore. It’s routing our traffic, recommending our treatments, managing our portfolios, and negotiating our digital identity across platforms. These agents don’t just handle sensitive data — they interpret it. They make assumptions, act on partial signals, and evolve based on feedback loops. In essence, they build internal models not just of the world, but of us.

    And that should give us pause.

    Because once an agent becomes adaptive and semi-autonomous, privacy isn’t just about who has access to the data; it’s about what the agent infers, what it chooses to share, suppress, or synthesize, and whether its goals remain aligned with ours as contexts shift.

    Take a simple example: an AI health assistant designed to optimize wellness. It starts by nudging you to drink more water and get more sleep. But over time, it begins triaging your appointments, analyzing your tone of voice for signs of depression, and even withholding notifications it predicts will cause stress. You haven’t just shared your data — you’ve ceded narrative authority. That’s where privacy erodes, not through a breach, but through a subtle drift in power and purpose.

    This is no longer just about Confidentiality, Integrity, and Availability, the classic CIA triad. We must now factor in authenticity (can this agent be verified as itself?) and veracity (can we trust its interpretations and representations?). These aren’t merely technical qualities — they’re trust primitives.

    And trust is brittle when intermediated by intelligence.

    If I confide in a human therapist or lawyer, there are assumed boundaries — ethical, legal, psychological. We have expected norms of behavior on their part and limited access and control. But when I share with an AI assistant, those boundaries blur. Can it be subpoenaed? Audited? Reverse-engineered? What happens when a government or corporation queries my agent for its records?

    We have no settled concept yet of AI-client privilege. And if jurisprudence finds there isn’t one, then all the trust we place in our agents becomes retrospective regret. Imagine a world where every intimate moment shared with an AI is legally discoverable — where your agent’s memory becomes a weaponized archive, admissible in court.

    It won’t matter how secure the system is if the social contract around it is broken.

    Today’s privacy frameworks — GDPR, CCPA — assume linear, transactional systems. But agentic AI operates in context, not just computation. It remembers what you forgot. It intuits what you didn’t say. It fills in blanks that might be none of its business, and then shares that synthesis — potentially helpfully, potentially recklessly — with systems and people beyond your control.

    So we must move beyond access control and toward ethical boundaries. That means building agentic systems that understand the intent behind privacy, not just the mechanics of it. We must design for legibility; AI must be able to explain why it acted. And for intentionality. It must be able to act in a way that reflects the user’s evolving values, not just a frozen prompt history.

    But we also need to wrestle with a new kind of fragility: What if my agent betrays me? Not out of malice, but because someone else crafted better incentives — or passed a law that superseded its loyalties?

    In short: what if the agent is both mine and not mine?

    This is why we must start treating AI agency as a first-order moral and legal category. Not as a product feature. Not as a user interface. But as a participant in social and institutional life. Because privacy in a world of minds — biological and synthetic — is no longer a matter of secrecy. It’s a matter of reciprocity, alignment, and governance.

    If we get this wrong, privacy becomes performative — a checkbox in a shadow play of rights. If we get it right, we build a world where autonomy, both human and machine, is governed not by surveillance or suppression, but by ethical coherence.

    Agentic AI forces us to confront the limits of policy, the fallacy of control, and the need for a new social contract. One built for entities that think — and one that has the strength to survive when they speak back.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • U.S. Sanctions Garantex and Grinex Over $100M in Ransomware-Linked Illicit Crypto Transactions

    The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Thursday renewed sanctions against Russian cryptocurrency exchange platform Garantex for facilitating ransomware actors and other cybercriminals by processing more than $100 million in transactions linked to illicit activities since 2019.

    The Treasury said it’s also imposing sanctions on Garantex’s successor, Grinex, as well as three executives of Garantex and six associated companies in Russia and the Kyrgyz Republic that have enabled these activities –

    • Sergey Mendeleev (Co-founder)
    • Aleksandr Mira Serda (Co-founder)
    • Pavel Karavatsky (Co-founder)
    • Independent Decentralized Finance Smartbank and Ecosystem (InDeFi Bank)
    • Exved
    • Old Vector
    • A7 LLC
    • A71 LLC
    • A7 Agent LLC

    “Digital assets play a crucial role in global innovation and economic development, and the United States will not tolerate abuse of this industry to support cybercrime and sanctions evasion,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence, John K. Hurley.

    “Exploiting cryptocurrency exchanges to launder money and facilitate ransomware attacks not only threatens our national security, but also tarnishes the reputations of legitimate virtual asset service providers.”

    Garantex was first sanctioned by the U.S. in April 2022 for facilitating transactions from darknet markets and illicit actors such as Hydra and Conti. The cryptocurrency exchange’s website was seized as part of a coordinated law enforcement operation back in March 2025, and its co-founder, Aleksej Besciokov, was arrested in India.

    Months later, TRM Labs revealed that Garantex may have rebranded as Grinex, likely in an effort to evade sanctions, with Garantex continuing to process more than $100 million in transactions since the sanctions were levied. Eighty-two percent of its total volume was linked to sanctioned entities worldwide.

    “Days after Garantex’s takedown, Telegram channels affiliated with the exchange began promoting Grinex, a platform with a nearly identical interface, registered in Kyrgyzstan in December 2024,” TRM Labs noted in May.

    The U.S. Treasury said criminals use Garantex to launder their ill-gotten funds, including proceeds tied to the Conti, Black Basta, LockBit, NetWalker, and Phoenix Cryptolocker ransomware variants. It also said Garantex moved its infrastructure and customer deposits to Grinex shortly after the March law enforcement actions.

    Furthermore, Garantex is said to have worked with affected customers to regain access to their accounts using a ruble-backed stablecoin called A7A5 token, which is issued by a Kyrgyzstani firm called Old Vector. The token’s creator is A7 LLC.

    According to a report from Elliptic, A7A5 has been used to transfer no less than $1 billion per day, with the aggregate value of A7A5 transfers pegged at $41.2 billion. In all, Grinex is estimated to have facilitated the transfer of billions of dollars in cryptocurrency transactions within the few months it has been operational.

    “Garantex has also provided account and exchange services to actors associated with the Ryuk ransomware gang,” the agency said. “Ekaterina Zhdanova, a prolific money launderer, exchanged over $2 million in Bitcoin for Tether (USDT) via Garantex.”

    Garantex’s outgoing funds from September 2024 through May 2025

    Zhdanova was previously sanctioned by the U.S. in November 2023 for laundering virtual currency for the country’s elites and cybercriminal crews, including Ryuk.

    “Garantex’s senior executives have supported its ability to enable cybercrime and sanctions evasion by procuring computer infrastructure for Garantex, registering its trademarks, and engaging in business development efforts to make its activities appear legitimate,” the Treasury added. “Garantex’s network of partner companies has also enabled it to move money, including illicit funds, outside of Russia.”

    The U.S. Department of State has announced a $5 million reward for information leading to the arrest of Serda and $1 million for information on other key leaders of Garantex. It’s worth noting that A7 was sanctioned by the U.K. in May 2025 and by the European Union last month.

    “The March 2025 multinational takedown did not halt these activities,” TRM Labs said. “Instead, Garantex’s leadership quickly activated a contingency plan that appears to have been in place for months.”

    “The integration of A7A5 into Grinex represents only the most recent chapter in Garantex’s long-standing role in illicit finance. Both before and after its designation by the U.S. Treasury, Garantex operated as a key conduit for ransomware laundering, darknet market transactions, sanctions evasion, and the movement of funds through high-risk Russian financial networks.”

    The new wave of sanctions comes as the U.S. Department of Justice (DoJ) unsealed six warrants authorizing the seizure of over $2.8 million in cryptocurrency, $70,000 in cash, and a luxury vehicle.

    The cryptocurrency, the DoJ said, was seized from a cryptocurrency wallet controlled by Ianis Aleksandrovich Antropenko, who has been charged in the U.S. for allegedly using Zeppelin ransomware to target individuals, businesses, and organizations worldwide.

    “The cryptocurrency and other assets are proceeds of (or were involved in laundering the proceeds of) ransomware activity,” according to the DoJ.

    “Those assets were laundered in various ways, including by using the cryptocurrency mixing service ChipMixer, which was taken down in a coordinated international operation in 2023. Antropenko also laundered cryptocurrency by exchanging cryptocurrency for cash and depositing the cash in structured cash deposits.”

    In a related development, more than $300 million in cryptocurrency assets linked to cybercrime and fraud schemes, including romance baiting (aka pig butchering) scams, have been frozen as part of an ongoing effort to identify and disrupt criminal networks.


    Source: thehackernews.com…

  • Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution

    Aug 15, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

    Cisco has released security updates to address a maximum-severity security flaw in Secure Firewall Management Center (FMC) Software that could allow an attacker to execute arbitrary code on affected systems.

    The vulnerability, assigned the CVE identifier CVE-2025-20265 (CVSS score: 10.0), resides in the implementation of the RADIUS subsystem and could permit an unauthenticated, remote attacker to inject arbitrary shell commands that are then executed by the device.

    The networking equipment major said the issue stems from a lack of proper handling of user input during the authentication phase, as a result of which an attacker could send specially crafted input when entering credentials that get authenticated at the configured RADIUS server.

    “A successful exploit could allow the attacker to execute commands at a high privilege level,” the company said in a Thursday advisory. “For this vulnerability to be exploited, Cisco Secure FMC Software must be configured for RADIUS authentication for the web-based management interface, SSH management, or both.”

    The shortcoming impacts Cisco Secure FMC Software releases 7.0.7 and 7.7.0 if they have RADIUS authentication enabled. There are no workarounds other than applying the patches provided by the company. Brandon Sakai of Cisco has been credited with discovering the issue during internal security testing.

    Besides CVE-2025-20265, Cisco has also resolved a number of high-severity bugs –

    • CVE-2025-20217 (CVSS score: 8.6) – Cisco Secure Firewall Threat Defense Software Snort 3 Denial-of-Service Vulnerability
    • CVE-2025-20222 (CVSS score: 8.6) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software for Firepower 2100 Series IPv6 over IPsec Denial-of-Service Vulnerability
    • CVE-2025-20224, CVE-2025-20225, CVE-2025-20239 (CVSS scores: 8.6) – Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial-of-Service Vulnerabilities
    • CVE-2025-20133, CVE-2025-20243 (CVSS scores: 8.6) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial-of-Service Vulnerabilities
    • CVE-2025-20134 (CVSS score: 8.6) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software SSL/TLS Certificate Denial-of-Service Vulnerability
    • CVE-2025-20136 (CVSS score: 8.6) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial-of-Service Vulnerability
    • CVE-2025-20263 (CVSS score: 8.6) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Web Services Denial-of-Service Vulnerability
    • CVE-2025-20148 (CVSS score: 8.5) – Cisco Secure Firewall Management Center Software HTML Injection Vulnerability
    • CVE-2025-20251 (CVSS score: 8.5) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Denial-of-Service Vulnerability
    • CVE-2025-20127 (CVSS score: 7.7) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software for Firepower 3100 and 4200 Series TLS 1.3 Cipher Denial-of-Service Vulnerability
    • CVE-2025-20244 (CVSS score: 7.7) – Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access VPN Web Server Denial-of-Service Vulnerability

    None of the flaws is known to have come under active exploitation in the wild, but with network appliances repeatedly landing in attackers’ crosshairs, users should move quickly to update their instances to the latest version.


    Source: thehackernews.com…

  • New HTTP/2 'MadeYouReset' Vulnerability Enables Large-Scale DoS Attacks

    Aug 14, 2025 | Ravie Lakshmanan | Server Security / Vulnerability

    Multiple HTTP/2 implementations have been found susceptible to a new attack technique called MadeYouReset that could be exploited to conduct powerful denial-of-service (DoS) attacks.

    “MadeYouReset bypasses the typical server-imposed limit of 100 concurrent HTTP/2 requests per TCP connection from a client. This limit is intended to mitigate DoS attacks by restricting the number of simultaneous requests a client can send,” researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel said.

    “With MadeYouReset, an attacker can send many thousands of requests, creating a denial-of-service condition for legitimate users and, in some vendor implementations, escalating into out-of-memory crashes.”

    The vulnerability has been assigned the generic CVE identifier, CVE-2025-8671, although the issue impacts several products, including Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), and Netty (CVE-2025-55163).

    MadeYouReset is the latest flaw in HTTP/2 after Rapid Reset (CVE-2023-44487) and HTTP/2 CONTINUATION Flood that can be potentially weaponized to stage large-scale DoS attacks.

    Where the other two attacks abuse the HTTP/2 RST_STREAM and CONTINUATION frames, respectively, MadeYouReset builds on Rapid Reset and on its mitigation, which limits the number of streams a client can cancel using RST_STREAM.

    Specifically, it takes advantage of the fact that the RST_STREAM frame is used for both client‑initiated cancellation and to signal stream errors. This is achieved by sending carefully crafted frames that trigger protocol violations in unexpected ways, prompting the server to reset the stream by issuing an RST_STREAM.

    “For MadeYouReset to work, the stream must begin with a valid request that the server begins working on, then trigger a stream error so the server emits RST_STREAM while the backend continues computing the response,” Bar Nahum explained.

    “By crafting certain invalid control frames or violating protocol sequencing at just the right moment, we can make the server send RST_STREAM for a stream that already carried a valid request.”

    The six primitives that make the server send RST_STREAM frames include –

    • WINDOW_UPDATE frame with an increment of 0
    • PRIORITY frame whose length is not 5 (the only valid length for it)
    • PRIORITY frame that makes a stream dependent on itself
    • WINDOW_UPDATE frame with an increment that makes the window exceed 2^31 − 1 (which is the largest window size allowed)
    • HEADERS frame sent after the client has closed the stream (via the END_STREAM flag)
    • DATA frame sent after the client has closed the stream (via the END_STREAM flag)
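
    As an added example (not code from the researchers, CERT/CC, or any vendor), the following Python sketches what a server-side mitigation has to do: recognise the six primitives above as the frames arrive, and charge each resulting server-emitted RST_STREAM against the same per-connection budget that Rapid Reset mitigations already apply to client-sent resets. Frame layout follows RFC 9113; the threshold, the class and function names, and the sample frames are assumptions constructed here.

```python
"""Classify HTTP/2 frames against the six MadeYouReset primitives.

Added example: a minimal frame parser plus per-stream state tracker that a
server or proxy could use to recognise frames that force a server-side
RST_STREAM, and to count those resets against the per-connection budget
already used for client-sent RST_STREAM (the Rapid Reset mitigation).
The sample frames in demo() are constructed here for illustration only.
"""
import struct

# Frame type codes and the END_STREAM flag from RFC 9113
DATA, HEADERS, PRIORITY, RST_STREAM, WINDOW_UPDATE = 0x0, 0x1, 0x2, 0x3, 0x8
END_STREAM = 0x1
MAX_WINDOW = 2**31 - 1          # largest flow-control window allowed
INITIAL_WINDOW = 65535          # default initial window size


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one HTTP/2 frame (used here only to build sample input)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


def parse_frames(data: bytes):
    """Yield (frame_type, flags, stream_id, payload) from raw HTTP/2 bytes."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        pos += 9 + length


class ResetBudget:
    """Tracks per-stream state and counts every server-triggered reset."""

    def __init__(self, max_resets=100):   # threshold is an assumed value
        self.max_resets = max_resets
        self.window = {}                  # stream_id -> flow-control window
        self.half_closed = set()          # streams the client ended with END_STREAM
        self.server_resets = 0
        self.reasons = []                 # (stream_id, primitive) for each reset

    def primitive(self, ftype, flags, sid, payload):
        """Return the MadeYouReset primitive the frame matches, or None."""
        if ftype == WINDOW_UPDATE and len(payload) == 4:
            inc = struct.unpack("!I", payload)[0] & 0x7FFFFFFF
            if inc == 0:
                return "WINDOW_UPDATE increment 0"
            current = self.window.get(sid, INITIAL_WINDOW)
            if current + inc > MAX_WINDOW:
                return "WINDOW_UPDATE overflows 2^31-1"
            self.window[sid] = current + inc
        elif ftype == PRIORITY:
            if len(payload) != 5:
                return "PRIORITY length != 5"
            dep = struct.unpack("!I", payload[:4])[0] & 0x7FFFFFFF
            if dep == sid:
                return "PRIORITY self-dependency"
        elif ftype in (HEADERS, DATA):
            if sid in self.half_closed:
                name = "HEADERS" if ftype == HEADERS else "DATA"
                return "%s after END_STREAM" % name
            if flags & END_STREAM:
                self.half_closed.add(sid)
        return None

    def feed(self, data: bytes):
        """Process raw frames; return True once the reset budget is exceeded."""
        for ftype, flags, sid, payload in parse_frames(data):
            why = self.primitive(ftype, flags, sid, payload)
            if why is not None:
                self.server_resets += 1
                self.reasons.append((sid, why))
        return self.server_resets > self.max_resets


def demo():
    """Run the classifier over a constructed sequence that hits five primitives."""
    sample = b"".join([
        frame(HEADERS, END_STREAM, 1, b"\x82\x84"),              # valid request, stream 1 closed by client
        frame(WINDOW_UPDATE, 0, 1, struct.pack("!I", 0)),        # increment 0
        frame(HEADERS, 0, 3, b"\x82\x84"),                       # request on stream 3, still open
        frame(PRIORITY, 0, 3, struct.pack("!I", 3) + b"\x10"),  # stream depends on itself
        frame(DATA, END_STREAM, 3, b""),                         # client ends stream 3
        frame(DATA, 0, 3, b"x"),                                 # DATA after END_STREAM
        frame(WINDOW_UPDATE, 0, 5, struct.pack("!I", MAX_WINDOW)),  # window overflow
        frame(PRIORITY, 0, 7, b"\x00\x00"),                      # wrong PRIORITY length
    ])
    budget = ResetBudget(max_resets=3)
    exhausted = budget.feed(sample)
    return budget.reasons, exhausted


if __name__ == "__main__":
    for sid, why in demo()[0]:
        print("stream %d: %s" % (sid, why))
```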

    This attack is notable not least because it removes the need for the attacker to send any RST_STREAM frame at all, thereby completely bypassing Rapid Reset mitigations while achieving the same impact as Rapid Reset.

    In an advisory, the CERT Coordination Center (CERT/CC) said MadeYouReset exploits a mismatch caused by stream resets between HTTP/2 specifications and the internal architectures of many real-world web servers, resulting in resource exhaustion — something an attacker can exploit to induce a DoS attack.

    “The discovery of server-triggered Rapid Reset vulnerabilities highlights the evolving complexity of modern protocol abuse,” Imperva said. “As HTTP/2 remains a foundation of web infrastructure, protecting it against subtle, spec-compliant attacks like MadeYouReset is more critical than ever.”

    HTTP/1.1 Must Die

    The disclosure of MadeYouReset comes as application security firm PortSwigger detailed novel HTTP/1.1 desync attacks (aka HTTP request smuggling), including a variant of CL.0 called 0.CL, exposing millions of websites to hostile takeover. Akamai (CVE-2025-32094) and Cloudflare (CVE-2025-4366) have addressed the issues.

    HTTP request smuggling is a security exploit affecting the application layer protocol that abuses the inconsistency in parsing non-RFC-compliant HTTP requests by front-end and back-end servers, permitting an attacker to “smuggle” a request and sidestep security measures.

    “HTTP/1.1 has a fatal flaw: Attackers can create extreme ambiguity about where one request ends, and the next request starts,” PortSwigger’s James Kettle said. “HTTP/2+ eliminates this ambiguity, making desync attacks virtually impossible. However, simply enabling HTTP/2 on your edge server is insufficient — it must be used for the upstream connection between your reverse proxy and origin server.”


    Source: thehackernews.com…

  • Hackers Found Using CrossC2 to Expand Cobalt Strike Beacon’s Reach to Linux and macOS

    Hackers Found Using CrossC2 to Expand Cobalt Strike Beacon’s Reach to Linux and macOS

    Aug 14, 2025, Ravie Lakshmanan, Threat Intelligence / Linux

    CrossC2 Expands Cobalt Strike

    Japan’s CERT coordination center (JPCERT/CC) on Thursday revealed it observed incidents that involved the use of a command-and-control (C2) framework called CrossC2, which is designed to extend the functionality of Cobalt Strike to other platforms like Linux and Apple macOS for cross-platform system control.

    The agency said the activity was detected between September and December 2024, targeting multiple countries, including Japan, based on an analysis of VirusTotal artifacts.

    “The attacker employed CrossC2 as well as other tools such as PsExec, Plink, and Cobalt Strike in attempts to penetrate AD. Further investigation revealed that the attacker used custom malware as a loader for Cobalt Strike,” JPCERT/CC researcher Yuma Masubuchi said in a report published today.

    The bespoke Cobalt Strike Beacon loader has been codenamed ReadNimeLoader. CrossC2, an unofficial Beacon and builder, is capable of executing various Cobalt Strike commands after establishing communication with a remote server specified in the configuration.

    In the attacks documented by JPCERT/CC, a scheduled task set up by the threat actor on the compromised machine is used to launch the legitimate java.exe binary, which is then abused to sideload ReadNimeLoader (“jli.dll”).


    Written in the Nim programming language, the loader extracts the content of a text file and executes it directly in memory so as to avoid leaving traces on disk. This loaded content is an open-source shellcode loader dubbed OdinLdr, which ultimately decodes the embedded Cobalt Strike Beacon and runs it, also in memory.

    ReadNimeLoader also incorporates various anti-debugging and anti-analysis techniques that are designed to prevent OdinLdr from being decoded unless the route is clear.

    JPCERT/CC said the attack campaign shares some level of overlap with BlackSuit/Black Basta ransomware activity reported by Rapid7 back in June 2025, citing overlaps in the command-and-control (C2) domain used and similarly-named files.

    Another notable aspect is the presence of several ELF versions of SystemBC, a backdoor that often acts as a precursor to the deployment of Cobalt Strike and ransomware.

    “While there are numerous incidents involving Cobalt Strike, this article focused on the particular case in which CrossC2, a tool that extends Cobalt Strike Beacon functionality to multiple platforms, was used in attacks, compromising Linux servers within an internal network,” Masubuchi said.

    “Many Linux servers do not have EDR or similar systems installed, making them potential entry points for further compromise, and thus, more attention is required.”


    Source: thehackernews.com…

  • New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits

    New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits

    Cybersecurity researchers have disclosed a new Android trojan called PhantomCard that abuses near-field communication (NFC) to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil.

    “PhantomCard relays NFC data from a victim’s banking card to the fraudster’s device,” ThreatFabric said in a report. “PhantomCard is based on Chinese-originating NFC relay malware-as-a-service.”

    The Android malware, distributed via fake Google Play web pages mimicking apps for card protection, goes by the name “Proteção Cartões” (package name “com.nfupay.s145” or “com.rc888.baxi.English”).

    The bogus pages also feature deceptive positive reviews to persuade victims into installing the app. It’s currently not known how links to these pages are distributed, but it likely involves smishing or a similar social engineering technique.

    Once the app is installed and opened, it requests victims to place their credit/debit card on the back of the phone to begin the verification process, at which point the user interface displays the message: “Card Detected! Keep the card nearby until authentication is complete.”

    In reality, the card data is relayed to an attacker-controlled NFC relay server by taking advantage of the NFC reader built into modern devices. The PhantomCard-laced app then asks the victim to enter the card’s PIN code, which is transmitted to the cybercriminal so the transaction can be authenticated.

    “As a result, PhantomCard establishes a channel between the victim’s physical card and the PoS terminal / ATM that the cybercriminal is next to,” ThreatFabric explained. “It allows the cybercriminal to use the victim’s card as if it was in their hands.”


    Similar to SuperCard X, there is a counterpart app on the mule side, installed on the mule’s device, that receives the relayed card information and ensures seamless communication between the PoS terminal and the victim’s card.

    The Dutch security company said the actor behind the malware, Go1ano developer, is a “serial” reseller of Android threats in Brazil, and that PhantomCard is actually the handiwork of a Chinese malware-as-a-service offering known as NFU Pay that’s advertised on Telegram.

    Go1ano developer, in their own Telegram channel, claims PhantomCard works globally, stating it is 100% undetectable and is compatible with all NFC-enabled point-of-sale (PoS) terminal devices. They also claim to be a “trusted partner” for other malware families like BTMOB and GhostSpy in the country.

    It’s worth noting that NFU Pay is one of the many illicit services peddled on the underground that offer similar NFC relay capabilities, such as SuperCard X, KingNFC, and X/Z/TX-NFC.

    “Such threat actors pose additional risks to local financial organizations as they open the doors for a wider variety of threats from all over the world, which could have potentially stayed away from certain regions due to language and cultural barriers, specifics of financial system, lack of cash-out ways,” ThreatFabric said.

    “This, consequently, complicates the threat landscape for local financial organizations and calls out for proper monitoring of the global threats and actors behind it targeting the organization.”

    In a report published last month warning of a spike in NFC-enabled fraud in the Philippines, Resecurity said Southeast Asia has become a testing ground for NFC fraud, with bad actors targeting regional banks and financial service providers.

    “With tools such as Z-NFC, X-NFC, SuperCard X, and Track2NFC, attackers can clone stolen card data and perform unauthorized transactions using NFC-enabled devices,” Resecurity said.

    “These tools are widely available in underground forums and private messaging groups. The resulting fraud is difficult to detect, as the transactions appear to originate from trusted, authenticated devices. In markets like the Philippines, where contactless payment usage is rising and low-value transactions often bypass PIN verification, such attacks are harder to trace and stop in real time.”

    The disclosure comes as K7 Security uncovered an Android malware campaign dubbed SpyBanker aimed at Indian banking users that’s likely distributed to users via WhatsApp under the guise of a customer help service app.

    “Interestingly, this Android SpyBanker malware edits the ‘Call Forward Number’ to a hard-coded mobile number, controlled by the attacker, by registering a service called ‘CallForwardingService’ and redirects the user’s calls,” the company said. “Incoming calls to the victims when left unattended are diverted to the call forwarded number to carry out any desired malicious activity.”

    Furthermore, the malware comes fitted with capabilities to collect victims’ SIM details, sensitive banking information, SMS messages, and notification data.

    Indian banking users have also been targeted by Android malware that’s designed to siphon financial information, while simultaneously dropping the XMRig cryptocurrency miner on compromised devices. The malicious credit card apps are distributed via convincing phishing pages that use real assets taken from official banking websites.

    The list of malicious apps is as follows –

    • Axis Bank Credit Card (com.NWilfxj.FxKDr)
    • ICICI Bank Credit Card (com.NWilfxj.FxKDr)
    • IndusInd Credit Card (com.NWilfxj.FxKDr)
    • State Bank of India Credit Card (com.NWilfxj.FxKDr)

    The malware is designed to display a bogus user interface that prompts victims to enter their personal information, including names, card numbers, CVV codes, expiry dates, and mobile numbers. A notable aspect of the app is its ability to listen to specific messages sent via Firebase Cloud Messaging (FCM) to trigger the mining process.


    “The app delivered through these phishing sites functions as a dropper, meaning it initially appears harmless but later dynamically loads and executes the actual malicious payload,” McAfee researcher Dexter Shin said. “This technique helps evade static detection and complicates analysis.”

    “These phishing pages load images, JavaScript, and other web resources directly from the official websites to appear legitimate. However, they include additional elements such as ‘Get App’ or ‘Download’ buttons, which prompt users to install the malicious APK file.”

    The findings also follow a report from Zimperium zLabs detailing how rooting frameworks like KernelSU, APatch, and SKRoot can be used to gain root access and escalate privileges, allowing an attacker to gain full control of Android devices.

    The mobile security company said it discovered a security flaw in KernelSU (version 0.5.7) in mid-2023 that could allow an attacker to authenticate as the KernelSU manager and completely compromise a rooted Android device, via a malicious application already installed on it that also bundles the official KernelSU manager APK.

    However, an important caveat is that the attack only works if the malicious application is executed before the legitimate KernelSU manager application.

    “Because system calls can be triggered by any app on the device, strong authentication and access controls are essential,” security researcher Marcel Bathke said. “Unfortunately, this layer is often poorly implemented – or entirely neglected – which opens the door to serious security risks. Improper authentication can allow malicious apps to gain root access and fully compromise the device.”


    Source: thehackernews.com…

  • Have You Turned Off Your Virtual Oven?

    Have You Turned Off Your Virtual Oven?

    You check that the windows are shut before leaving home. Return to the kitchen to verify that the oven and stove were definitely turned off. Maybe even circle back again to confirm the front door was properly closed. These automatic safety checks give you peace of mind because you know the unlikely but potentially dangerous consequences of forgetting – a break-in, fire, or worse.

    Your external-facing IT infrastructure deserves the same methodical attention. External Attack Surface Management (EASM) and Digital Risk Protection (DRP) tools provide that same peace of mind for your digital “home,” automating the everyday safety checks that prevent costly incidents.

    Why does the external-facing IT infrastructure need the same care?

    Just as you secure your physical home prior to leaving, your assets that are exposed to the internet require consistent safety protocols. Think about it this way:

    • Locking doors = locking down exposed assets, ensuring only authorized access points remain open.
    • Turning off the oven = de-provisioning unused assets and orphaned services that continue consuming resources while expanding your attack surface.

    But there is one major difference: your home has physical limits, but your organization’s attack surface can span multiple providers, regions, and development teams, making manual verification nearly impossible. A forgotten cloud instance or misconfigured storage bucket, an abandoned server, or some dev-environment can expose sensitive data for months before discovery.

    The hidden assets that keep security teams awake at night

    Development teams spin up test servers, DevOps engineers create temporary endpoints, and shadow IT proliferates across departments. Without automated discovery, these assets become invisible until attackers find them first. This makes CMDB-based monitoring of your vulnerabilities and attack surface difficult, as one can never be sure that all exposed assets are accounted for. EASM solutions continuously map your internet-facing assets, discovering resources you may have forgotten existed.

    Consider the typical scenario: a developer creates a staging environment for testing new features, complete with a snapshot of production data. They complete the project and move on to other priorities, but the staging server remains online. EASM uses automated reconnaissance to identify this orphaned asset before it becomes a security incident – scanning your entire external footprint to find forgotten development servers, open ports that should have been closed after testing, and subdomains pointing to decommissioned services.

    The threats lurking beyond your firewall

    While EASM focuses on asset discovery, DRP tackles a different but equally important challenge: monitoring external threats to your organization, whether on Facebook or the dark web. Finding all your assets is only half the battle; knowing when criminals are posting leaked credentials for sale, discussing planned attacks against your infrastructure, or impersonating your brand online is the other half.

    DRP platforms continuously scan external channels like social media sites, underground forums, and data leak sites for mentions of your organization, providing immediate alerts when threats are detected.

    Figure 1: Example View of data leakage overview within Outpost24’s CompassDRP platform.

    These external threats develop gradually but can explode quickly. For example, a disgruntled employee may intentionally leak sensitive documents to file-sharing sites, or a hacker may start selling access to your systems on dark web forums. Without ongoing monitoring, threats can continue to grow and gain momentum before you realize they exist.

    Early detection tools work like a smoke alarm for your organization’s reputation and cybersecurity posture. They give you a heads-up that something is wrong – hopefully before damage is done or the threat can no longer be contained. DRP platforms help detect when cybercriminals discuss your company in attack forums or create fake social media profiles using your branding for phishing campaigns. These early warnings let you respond immediately, protecting your customers and mitigating the threat.

    Figure 2: Example details of a ransomware group operating on the dark web with Outpost24’s CompassDRP platform.

    Building a “Did I leave anything on?” security ritual

    Just as you develop a routine for checking your home before leaving, you need to build operational habits around EASM and DRP. Set up daily or weekly summaries of the tools’ continuous scans to answer that nagging question: “Did I leave anything on?” Regularly generating these reports ensures you surface newly discovered assets, configuration changes, and potential risks that need your attention.

    The beauty lies in making your security systematic rather than reactive. You review high-risk items, quickly approving legitimate resources or shutting down unnecessary ones. Instead of scrambling to find forgotten infrastructure after an incident or patch alert, you prevent the accumulation of risk before it becomes a problem.

    Better yet, you can integrate these insights into your existing cybersecurity tech stack as well as into any change management workflows. When you make infrastructure changes, EASM validates your external footprint while DRP ensures configurations stay within acceptable parameters. And keep in mind that the tool should automatically create audit trails so that you can demonstrate due diligence without extra paperwork.

    Keeping track of changes

    Additionally, use easy-to-manage dashboards and customized reports to quantify your security improvements and justify continued investment. Track metrics like the number of “virtual ovens” you’ve turned off, your time to detect and react to orphaned services, and your time to remediate critical vulnerabilities. These measurements help you demonstrate program effectiveness while identifying areas for improvement.

    Figure 3: Keep track of your threat and vulnerability landscape within one dashboard.

    You’ll also appreciate how automated alerts and customizable workflows prioritize your attention on the most critical issues. Rather than overwhelming you with every discovered asset, intelligent, AI-powered filtering and summaries highlight genuine risks that require your immediate action. The system learns from your responses, reducing false positives while maintaining sensitivity to legitimate threats.

    Attack Surface Management for peace of mind

    The comfort of knowing nothing’s left unmonitored – whether a physical oven or a misconfigured cloud service – comes from verification, not just hoping for the best. EASM and DRP tools help automate the essential proactive safety monitoring steps that prevent costly security incidents.

    Solutions like Outpost24’s CompassDRP combine EASM capabilities with comprehensive Digital Risk Protection and Threat Intelligence, giving you continuous visibility across your entire digital footprint and the risks associated with it. You get automated asset discovery and threat intelligence-based risk prioritization in a single platform, letting you focus on addressing business-critical risks.

    Start building a continuous external attack surface and digital risk management today – book your CompassDRP demo.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…