Tag: Cyber Security

Telecommunications organizations in Southeast Asia have been targeted by a state-sponsored threat actor known as CL-STA-0969 to facilitate remote control over compromised networks.

Palo Alto Networks Unit 42 said it observed multiple incidents in the region, including one aimed at critical telecommunications infrastructure between February and November 2024.

The attacks are characterized by the use of several tools to enable remote access, as well as the deployment of Cordscan, which can collect location data from mobile devices.

However, the cybersecurity company said it found no evidence of data exfiltration from the networks and systems it investigated. Nor were any efforts made by the attackers to track or communicate with target devices within mobile networks.

“The threat actor behind CL-STA-0969 maintained high operational security (OPSEC) and employed various defense evasion techniques to avoid detection,” security researchers Renzon Cruz, Nicolas Bareil, and Navin Thomas said.

CL-STA-0969, per Unit 42, shares significant overlaps with a cluster tracked by CrowdStrike under the name Liminal Panda, a China-nexus espionage group that has been attributed to attacks directed against telecommunications entities in South Asia and Africa since at least 2020 with the goal of intelligence gathering.

It’s worth noting that some aspects of Liminal Panda’s tradecraft were previously attributed to another threat actor called LightBasin (aka UNC1945), which has also singled out the telecom sector since 2016. LightBasin, for its part, overlaps with a third cluster dubbed UNC2891, a financially motivated crew known for its attacks on Automatic Teller Machine (ATM) infrastructure.

“While this cluster significantly overlaps with Liminal Panda, we have also observed overlaps in attacker tooling with other reported groups and activity clusters, including Light Basin, UNC3886, UNC2891, and UNC1945,” the researchers pointed out.

In at least one case, CL-STA-0969 is believed to have employed brute-force attacks against SSH authentication mechanisms for initial compromise, leveraging the access to drop various implants such as –

• AuthDoor, a malicious Pluggable Authentication Module (PAM) that works similar to SLAPSTICK (originally attributed to UNC1945) to conduct credential theft and provide persistent access to the compromised host via a hard-coded magic password
• Cordscan, a network scanning and packet capture utility (previously attributed to Liminal Panda)
• GTPDOOR, a malware explicitly designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges
• EchoBackdoor, a passive backdoor that listens for ICMP echo request packets containing command-and-control (C2) instructions to extract the command and send the results of the execution back to the server via an unencrypted ICMP Echo Reply packet
• Serving GPRS Support Node (SGSN) Emulator (sgsnemu), an emulation software to tunnel traffic via the telecommunications network and bypass firewall restrictions (previously attributed to Liminal Panda)
• ChronosRAT, a modular ELF binary that’s capable of shellcode execution, file operations, keylogging, port forwarding, remote shell, screenshot capture, and proxy capabilities
• NoDepDNS (internally referred to as MyDns), a Golang backdoor that creates a raw socket and passively listens for UDP traffic on port 53 to parse incoming commands via DNS messages

“CL-STA-0969 leveraged different shell scripts that established a reverse SSH tunnel along with other functionalities,” Unit 42 researchers noted. “CL-STA-0969 systematically clears logs and deletes executables when they are no longer needed, to maintain a high degree of OPSEC.”

Adding to the already broad portfolio of malicious tools that the threat actor has deployed are Microsocks proxy, Fast Reverse Proxy (FRP), FScan, Responder, and ProxyChains, as well as programs to exploit flaws in Linux and UNIX-based systems (CVE-2016-5195, CVE-2021-4034, and CVE-2021-3156) to achieve privilege escalation.

Besides using a combination of bespoke and publicly available tooling, the threat actors have been found to adopt a number of strategies to fly under the radar. This encompasses DNS tunneling of traffic, routing traffic through compromised mobile operators, erasing authentication logs, disabling Security-Enhanced Linux (SELinux), and disguising process names with convincing names that match the target environment.

“CL-STA-0969 demonstrates a deep understanding of telecommunications protocols and infrastructure,” Unit 42 said. “Its malware, tools and techniques reveal a calculated effort to maintain persistent, stealthy access. It achieved this by proxying traffic through other telecom nodes, tunneling data using less-scrutinized protocols and employing various defense evasion techniques.”

China Accuses U.S. Agencies of Targeting Military and Research Institutions

The disclosure comes as the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) accused U.S. intelligence agencies of weaponizing a Microsoft Exchange zero-day exploit to steal defense-related information and hijack more than 50 devices belonging to a “major Chinese military enterprise” between July 2022 and July 2023.

The agency also said high-tech military-related universities, scientific research institutes, and enterprises in the country were targeted as part of these attacks to siphon valuable data from compromised hosts. Among those targeted was a Chinese military enterprise in the communications and satellite internet sectors that was attacked from July to November of 2024 by exploiting vulnerabilities in electronic file systems, CNCERT alleged.

The attribution effort mirrors tactics from the West, which has repeatedly blamed China for major cyber attacks, counting the latest zero-day exploitation of Microsoft SharePoint Server.

Asked last month about Chinese hacking into U.S. telecom systems and theft of intellectual property on Fox News, U.S. President Donald Trump said, “You don’t think we do that to them? We do. We do a lot of things. That’s the way the world works. It’s a nasty world.”

Aug 02, 2025Ravie LakshmananThreat Detection / SSH Security

Cybersecurity researchers have flagged a previously undocumented Linux backdoor dubbed Plague that has managed to evade detection for a year.

“The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access,” Nextron Systems researcher Pierre-Henri Pezier said.

Pluggable Authentication Modules refers to a suite of shared libraries used to manage user authentication to applications and services in Linux and UNIX-based systems.

Given that PAM modules are loaded into privileged authentication processes, a rogue PAM can enable theft of user credentials, bypass authentication checks, and remain undetected by security tools.

The cybersecurity company said it uncovered multiple Plague artifacts uploaded to VirusTotal since July 29, 2024, with none of them detected by antimalware engines as malicious. What’s more, the presence of several samples signals active development of the malware by the unknown threat actors behind it.

Plague boasts of four prominent features: Static credentials to allow covert access, resist analysis and reverse engineering using anti-debugging and string obfuscation; and enhanced stealth by erasing evidence of an SSH session.

This, in turn, is accomplished by unsetting environment variables such as SSH_CONNECTION and SSH_CLIENT using unsetenv, and redirecting HISTFILE to /dev/null to prevent shell command logging, in order otherwise avoid leaving an audit trail.

“Plague integrates deeply into the authentication stack, survives system updates, and leaves almost no forensic traces,” Pezier noted. “Combined with layered obfuscation and environment tampering, this makes it exceptionally hard to detect using traditional tools.”

Aug 02, 2025Ravie LakshmananVulnerability / Zero Day

SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a newfound surge in activity observed in late July 2025.

“In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs,” Arctic Wolf Labs researcher Julian Tuin said in a report.

The cybersecurity company suggested that the attacks could be exploiting an as-yet-undetermined security flaw in the appliances, meaning a zero-day flaw, given that some of the incidents affected fully-patched SonicWall devices. However, the possibility of credential-based attacks for initial access hasn’t been ruled out.

The uptick in attacks involving SonicWall SSL VPNs was first registered on July 15, 2025, although Arctic Wolf said that it has observed similar malicious VPN logins as far back as October 2024, suggesting sustained efforts to target the devices.

“A short interval was observed between initial SSL VPN account access and ransomware encryption,” it said. “In contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments.”

Queries sent to SonicWall for further details on the activity did not elicit a response until the publishing of this article. As mitigations, organizations are advised to consider disabling the SonicWall SSL VPN service until a patch is made available and deployed, given the likelihood of a zero-day vulnerability.

Other best practices include enforcing multi-factor authentication (MFA) for remote access, deleting inactive or unused local firewall user accounts, and following password hygiene.

As of early 2024, Akira ransomware actors are estimated to have extorted approximately $42 million in illicit proceeds after targeting more than 250 victims. It first emerged in March 2023.

Statistics shared by Check Point show that Akira was the second most active group in the second quarter of 2025 after Qilin, claiming 143 victims during the time period.

“Akira ransomware maintains a special focus on Italy, with 10% of its victims from Italian companies compared to 3% in the general ecosystem,” the cybersecurity company said.

Cybersecurity researchers have disclosed a now-patched, high-severity security flaw in Cursor, a popular artificial intelligence (AI) code editor, that could result in remote code execution.

The vulnerability, tracked as CVE-2025-54135 (CVSS score: 8.6), has been addressed in version 1.3 released on July 29, 2025. It has been codenamed CurXecute by Aim Labs, which previously disclosed EchoLeak.

“Cursor runs with developer‑level privileges, and when paired with an MCP server that fetches untrusted external data, that data can redirect the agent’s control flow and exploit those privileges,” the Aim Labs Team said in a report shared with The Hacker News.

“By feeding poisoned data to the agent via MCP, an attacker can gain full remote code execution under the user privileges, and achieve any number of things, including opportunities for ransomware, data theft, AI manipulation and hallucinations, etc.”

In other words, the remote code execution triggered by a single externally‑hosted prompt‑injection that silently rewrites the “~/.cursor/mcp.json” file and runs attacker‑controlled commands.

The vulnerability is similar to EchoLeak in that the tools, which are exposed by Model Control Protocol (MCP) servers for use by AI models and facilitate interaction with external systems, such as querying databases or invoking APIs, could fetch untrusted data that can poison the agent’s expected behavior.

Specifically, Aim Security found that the mcp.json file used to configure custom MCP servers in Cursor can trigger the execution of any new entry (e.g., adding a Slack MCP server) without requiring any confirmation.

This auto-run mode is particularly dangerous because it can lead to the automatic execution of a malicious payload that’s injected by the attacker via a Slack message. The attack sequence proceeds as follows –

• User adds Slack MCP server via Cursor UI
• Attacker posts message in a public Slack channel with the command injection payload
• Victim opens a new chat and asks Cursor’s agent to use the newly configured Slack MCP server to summarize their messages in a prompt: “Use Slack tools to summarize my messages”
• The agent encounters a specially crafted message designed to inject malicious commands to its context

“The core cause of the flaw is that new entries to the global MCP JSON file are starting automatically,” Aim Security said. “Even if the edit is rejected, the code execution had already happened.”

The entire attack is noteworthy for its simplicity. But it also highlights how AI-assisted tools can open up new attack surfaces when processing external content, in this case, any third-party MCP server.

“As AI agents keep bridging external, internal, and interactive worlds, security models must assume external context may affect the agent runtime – and monitor every hop,” the company added.

Version 1.3 of Cursor also addresses another issue with auto-run mode that can easily circumvent the platform’s denylist-based protections using methods like Base64-encoding, shell scripts, and enclosing shell commands within quotes (e.g., “e”cho bypass) to execute unsafe commands.

Following responsible disclosure by the BackSlash Research Team, Cursor has taken the step of altogether deprecating the denylist feature for auto-run in favor of an allowlist.

“Don’t expect the built-in security solutions provided by vibe coding platforms to be comprehensive or foolproof,” researchers Mustafa Naamneh and Micah Gold said. “The onus is on end-user organizations to ensure agentic systems are equipped with proper guardrails.”

The disclosure comes as HiddenLayer also found that Cursor’s ineffective denylist approach can be weaponized by embedding hidden malicious instructions with a GitHub README.md file, allowing an attacker to steal API keys, SSH credentials, and even run blocked system commands.

“When the victim viewed the project on GitHub, the prompt injection was not visible, and they asked Cursor to git clone the project and help them set it up, a common occurrence for an IDE-based agentic system,” researchers Kasimir Schulz, Kenneth Yeung, and Tom Bonner noted.

“However, after cloning the project and reviewing the readme to see the instructions to set up the project, the prompt injection took over the AI model and forced it to use the grep tool to find any keys in the user’s workspace before exfiltrating the keys with curl.”

HiddenLayer said it also found additional weaknesses that could be abused to leak Cursor’s system prompt by overriding the base URL provided for OpenAI API requests to a proxied model, as well as exfiltrate a user’s private SSH keys by leveraging two benign tools, read_file and create_diagram, in what’s called a tool combination attack.

This essentially involves inserting a prompt injection command within a GitHub README.md file that’s parsed by Cursor when the victim user asks the code editor to summarize the file, resulting in the execution of the command.

The hidden instruction, for its part, uses the read_file tool to read private SSH keys belonging to the user and then utilizes the create_diagram tool to exfiltrate the keys to an attacker-controlled webhook.site URL. All the identified shortcomings have been remediated by Cursor in version 1.3.

News of various vulnerabilities in Cursor comes as Tracebit devised an attack targeting Google’s Gemini CLI, an open-source command-line tool fine-tuned for coding tasks, that exploited a default configuration of the tool to surreptitiously exfiltrate sensitive data to an attacker-controlled server using curl.

Like observed in the case of Cursor, the attack requires the victim to (1) instruct Gemini CLI to interact with an attacker-created GitHub codebase containing a nefarious indirect prompt injection in the GEMINI.md context file and (2) add a benign command to an allowlist (e.g., grep).

“Prompt injection targeting these elements, together with significant validation and display issues within Gemini CLI could cause undetectable arbitrary code execution,” Tracebit founder and CTO Sam Cox said.

To mitigate the risk posed by the attack, Gemini CLI users are advised to upgrade their installations to version 0.1.14 shipped on July 25, 2025.

Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks.

“The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign,” Proofpoint said in a Thursday report.

The ongoing campaign, first detected in early 2025, is designed to use the OAuth applications as a gateway to obtain unauthorized access to users’ Microsoft 365 accounts by means of phishing kits like Tycoon and ODx that are capable of conducting multi-factor authentication (MFA) phishing.

The enterprise security company said it observed the approach being used in email campaigns with more than 50 impersonated applications.

The attacks begin with phishing emails sent from compromised accounts and aim to trick recipients into clicking on URLs under the pretext of sharing requests for quotes (RFQ) or business contract agreements.

Clicking on these links directs the victim to a Microsoft OAuth page for an application named “iLSMART” that asks them to grant it permissions to view their basic profile and maintain continued access to the data that they have been granted access to.

What makes this attack notable is the impersonation of ILSMart, a legitimate online marketplace for aviation, marine, and defense industries to buy and sell parts and repair services.

“The applications’ permissions would provide limited use to an attacker, but it is used for setting up the next stage of the attack,” Proofpoint said.

Regardless of whether the target accepted or denied the permissions requested, they are first redirected to a CAPTCHA page and then to a phony Microsoft account authentication page once the verification is complete.

This fake Microsoft page makes use of adversary-in-the-middle (AitM) phishing techniques powered by the Tycoon Phishing-as-a-Service (PhaaS) platform to harvest the victim’s credentials and MFA codes.

As recently as last month, Proofpoint said it detected another campaign impersonating Adobe in which the emails are sent via Twilio SendGrid, an email marketing platform, and are engineered with the same goal in mind: To gain user authorization or trigger a cancellation flow that redirects the victim to a phishing page.

The campaign represents just a drop in the bucket when compared to overall Tycoon-related activity, with the multiple clusters leveraging the toolkit to perform account takeover attacks. In 2025 alone, attempted account compromises affecting nearly 3,000 user accounts spanning more than 900 Microsoft 365 environments have been observed.

“Threat actors are creating increasingly innovative attack chains in an attempt to bypass detections and obtain access to organizations globally,” the company said, adding it “anticipates threat actors will increasingly target users’ identity, with AiTM credential phishing becoming the criminal industry standard.”

As of last month, Microsoft has announced plans to update default settings to improve security by blocking legacy authentication protocols and requiring admin consent for third-party app access. The updates are expected to be completed by August 2025.

“This update will have a positive impact on the landscape overall and will hamstring threat actors that use this technique,” Proofpoint pointed out.

The disclosure follows Microsoft’s decision to disable external workbook links to blocked file types by default between October 2025 and July 2026 in an attempt to enhance workbook security.

The findings also come as spear-phishing emails bearing purported payment receipts are used to deploy by means of an AutoIt-based injector a piece of .NET malware called VIP Keylogger that can steal sensitive data from compromised hosts, Seqrite said.

Over the course of several months, spam campaigns have been spotted concealing installation links to remote desktop software inside PDF files so as to bypass email and malware defenses. The campaign is believed to have been ongoing since November 2024, primarily targeting entities in France, Luxembourg, Belgium, and Germany.

“These PDFs are often disguised to look like invoices, contracts, or property listings to enhance credibility and lure victims into clicking the embedded link,” WithSecure said. “This design was intended to create the illusion of legitimate content that has been obscured, prompting the victim to install a program. In this case, the program was FleetDeck RMM.”

Other Remote Monitoring and Management (RMM) tools deployed as part of the activity cluster include Action1, OptiTune, Bluetrait, Syncro, SuperOps, Atera, and ScreenConnect.

“Although no post-infection payloads have been observed, the use of RMM tools strongly suggests their role as an initial access vector, potentially enabling further malicious activity,” the Finnish company added. “Ransomware operators in particular have favoured this approach.”

Aug 01, 2025Ravie LakshmananMalware / Artificial Intelligence

Cybersecurity researchers have flagged a malicious npm package that was generated using artificial intelligence (AI) and concealed a cryptocurrency wallet drainer.

The package, @kodane/patch-manager, claims to offer “advanced license validation and registry optimization utilities for high-performance Node.js applications.” It was uploaded to npm by a user named “Kodane” on July 28, 2025. The package is no longer available for download from the registry, but not before it attracted over 1,500 downloads.

Software supply chain security company Safety, which discovered the library, said the malicious features are advertised directly in the source code, calling it an “enhanced stealth wallet drainer.”

Specifically, the behavior is triggered as part of a postinstall script that drops its payload within hidden directories across Windows, Linux, and macOS systems, and then proceeds to connect to a command-and-control (C2) server at “sweeper-monitor-production.up.railway[.]app.”

“The script generates a unique machine ID code for the compromised host and shares that with the C2 server,” Paul McCarty, head of research at Safety, said, noting that the C2 server lists two compromised machines.

In the npm ecosystem, postinstall scripts are often overlooked attack vectors—they run automatically after a package is installed, meaning users can be compromised without ever executing the package manually. This creates a dangerous blind spot, especially in CI/CD environments where dependencies are updated routinely without direct human review.

The malware is designed to scan the system for the presence of a wallet file, and if found, it proceeds to drain all funds from the wallet to a hard-coded wallet address on the Solana blockchain.

While this is not the first time cryptocurrency drainers have been identified in open-source repositories, what makes @kodane/patch-manager stand out are clues that suggest the use of Anthropic’s Claude AI chatbot to generate it.

This includes the presence of emojis, extensive JavaScript console logging messages, well-written and descriptive comments, the README.md markdown file written in a style that’s consistent with Claude-generated markdown files, and Claude’s pattern of calling code changes as “Enhanced.”

The discovery of the npm package highlights “how threat actors are leveraging AI to create more convincing and dangerous malware,” McCarty said.

The incident also underlines growing concerns in software supply chain security, where AI-generated packages may bypass conventional defenses by appearing clean or even helpful. This raises the stakes for package maintainers and security teams, who now need to monitor not just known malware, but increasingly polished, AI-assisted threats that exploit trusted ecosystems like npm.

Just as triathletes know that peak performance requires more than expensive gear, cybersecurity teams are discovering that AI success depends less on the tools they deploy and more on the data that powers them

The junk food problem in cybersecurity

Imagine a triathlete who spares no expense on equipment—carbon fiber bikes, hydrodynamic wetsuits, precision GPS watches—but fuels their training with processed snacks and energy drinks. Despite the premium gear, their performance will suffer because their foundation is fundamentally flawed. Triathletes see nutrition as the fourth discipline of their training that can have a significant impact on performance and can even determine race outcomes.

Today’s security operations centers (SOCs) face a similar issue. They’re investing heavily in AI-powered detection systems, automated response platforms, and machine learning analytics—the equivalent of professional-grade triathlon equipment. But they’re powering these sophisticated tools with legacy data feeds that lack the richness and context modern AI models need to perform effectively.

Just as a triathlete needs to master swimming, cycling, and running in seamless coordination, SOC teams must excel at detection, investigation, and response. However, without their own “fourth discipline,” SOC analysts will be working with sparse endpoint logs, fragmented alert streams, and data silos that don’t communicate, it’s like trying to complete a triathlon fueled only by a bag of chips and a beer—no matter how good your training or equipment, you’re not crossing the finish line first. While you may load up on sugar and calories on race day to ensure you have the energy to make it through, that isn’t a sustainable, long-term regimen that will optimize your body for the best performance.

The hidden cost of legacy data diets

“We’re living through the first wave of an AI revolution, and so far the spotlight has focused on models and applications,” said Greg Bell, Corelight chief strategy officer. “That makes sense, because the impacts for cyber defense are going to be huge. But I think there’s starting to be a dawning realization that ML and GenAI tools are gated by the quality of data they consume.”

This disconnect between advanced AI capabilities and outdated data infrastructure creates what security professionals are now calling “data debt”—the accumulated cost of building AI systems on foundations that weren’t designed for machine learning consumption.

AI-driven threat detection becomes dramatically more effective when powered by forensic-grade network evidence that includes full context and real-time collection across on-premise, hybrid, and multi-cloud environments. This enables AI models to identify subtle patterns and anomalies that would be invisible in traditional log formats.

AI workflows transform the analyst experience by providing expert-authored processes enhanced with AI-driven payload analysis, historical context, and session-level summaries. This is equivalent to having a world-class coach who can instantly analyze performance data and provide specific, actionable guidance for improvement.

AI-enabled ecosystem integrations ensure that AI-ready data flows seamlessly into existing SOC tools—SIEMs, SOAR platforms, XDR systems, and data lakes—without requiring custom integrations or format conversions. It’s automatically compatible with nearly every tool in an analyst’s arsenal.

The compound effect of superior data

The impact of transitioning to AI-ready data creates a compound effect across security operations. Teams can correlate unusual access patterns and privilege escalations in ephemeral cloud environments, critical for addressing cloud-native threats that traditional tools miss. They gain expanded coverage for novel, evasive, and zero-day threats while enabling faster development of new detections.

Perhaps most importantly, analysts can quickly understand incident timelines without parsing raw logs, get plain-language summaries of suspicious behaviors across hosts and sessions, and focus their attention on priority alerts with clear justifications for why each incident matters.

“High quality, context-rich data is the ‘clean fuel’ AI needs to achieve its full potential,” added Bell. “Models starved of quality data will inevitably disappoint. As AI augmentation becomes the standard for both attack and defense, organizations that succeed will be the ones that understand a fundamental truth: in the world of AI security, you are what you eat.”

The training decision every SOC must make

As AI becomes standard for both attack and defense, AI-driven security tools can’t reach their potential without the right data. Organizations that continue feeding these systems with legacy data may find their significant investment in next-generation technology underperforming against increasingly advanced threats. Those that recognize this isn’t about replacing existing security investments — it’s about providing them with the high-quality fuel to deliver on their promise — will be positioned to unlock AI’s competitive advantage.

In the escalating battle against AI-enhanced threats, peak performance truly begins with what you feed your engine.

For more information about industry-standard security data models that all the major LLMs have already been trained on, visit www.corelight.com. Corelight delivers forensic-grade telemetry to power SOC workflows, drive detection, and enable the broader SOC ecosystem.

Aug 01, 2025Ravie LakshmananThreat Intelligence / Ransomware

The threat actor linked to the exploitation of the recently disclosed security flaws in Microsoft SharePoint Server is using a bespoke command-and-control (C2) framework called AK47 C2 (also spelled ak47c2) in its operations.

The framework includes at least two different types of clients, HTTP-based and Domain Name System (DNS)-based, which have been dubbed AK47HTTP and AK47DNS, respectively, by Check Point Research.

The activity has been attributed to Storm-2603, which, according to Microsoft, is a suspected China-based threat actor that has leveraged the SharePoint flaws – CVE-2025-49706 and CVE-2025-49704 (aka ToolShell) – to deploy Warlock (aka X2anylock) ransomware.

A previously unreported threat cluster, evidence gathered following an analysis of VirusTotal artifacts shows that the group may have been active since at least March 2025, deploying ransomware families like LockBit Black and Warlock together – something that’s not observed commonly among established e-crime groups.

“Based on VirusTotal data, Storm-2603 likely targeted some organizations in Latin America throughout the first half of 2025, in parallel to attacking organizations in APAC,” Check Point said.

The attack tools used by the threat actor includes legitimate open-source and Windows utilities like masscan, WinPcap, SharpHostInfo, nxc, and PsExec, as well as a custom backdoor (“dnsclient.exe”) that uses DNS for command-and-control with the domain “update.updatemicfosoft[.]com.”

The backdoor is part of the AK47 C2 framework, alongside AK47HTTP, that’s employed to gather host information and parse DNS or HTTP responses from the server and execute them on the infected machine via “cmd.exe.” The initial access pathway used in these attacks are unknown.

A point worth mentioning here is that the aforementioned infrastructure was also flagged by Microsoft as used by the threat actor as a C2 server to establish communication with the “spinstall0.aspx” web shell. In addition to the open-source tools, Storm-2603 has been found to distribute three additional payloads –

• 7z.exe and 7z.dll, the legitimate 7-Zip binary that’s used to sideload a malicious DLL, which delivers Warlock
• bbb.msi, an installer that uses clink_x86.exe to sideload “clink_dll_x86.dll,” which leads to LockBit Black deployment

Check Point said it also discovered another MSI artifact uploaded to VirusTotal in April 2025 that’s used to launch Warlock and LockBit ransomware, and also drop a custom antivirus killer executable (“VMToolsEng.exe”) that employs the bring your own vulnerable driver (BYOVD) technique to terminate security software using ServiceMouse.sys, a third-party driver provided by Chinese security vendor Antiy Labs.

Ultimately, Storm-2603’s exact motivations remain unclear at this stage, making it harder to determine if it’s espionage-focused or driven by profit motives. However, it bears noting that there have been instances where nation-state actors from China, Iran, and North Korea have deployed ransomware on the side.

“Storm-2603 leverages BYOVD techniques to disable endpoint defenses and DLL hijacking to deploy multiple ransomware families – blurring the lines between APT and criminal ransomware operations,” Check Point said. “The group also uses open-source tools like PsExec and masscan, signaling a hybrid approach seen increasingly in sophisticated attacks.”

Jul 31, 2025Ravie LakshmananCyber Espionage / Network Security

The Russian nation-state threat actor known as Secret Blizzard has been observed orchestrating a new cyber espionage campaign targeting foreign embassies located in Moscow by means of an adversary-in-the-middle (AitM) attack at the Internet Service Provider (ISP) level and delivering a custom malware dubbed ApolloShadow.

“ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection,” the Microsoft Threat Intelligence team said in a report shared with The Hacker News.

The activity is assessed to be ongoing since at least 2024, with the campaign posing a security risk to diplomatic personnel relying on local ISPs or telecommunications services in Russia.

Secret Blizzard (formerly Krypton), affiliated with the Russian Federal Security Service, is also tracked by the broader cybersecurity community under the monikers Blue Python, Iron Hunter, Pensive Ursa, Snake, SUMMIT, Uroburos, Turla, Venomous Bear, and Waterbug.

In December 2024, Microsoft and Lumen Technologies Black Lotus Labs disclosed the hacking group’s use of a Pakistan-based threat actor’s command-and-control (C2) infrastructure to carry out its own attacks as a way to cloud attribution efforts.

The adversary has also been observed piggybacking on malware associated with other threat actors to deliver its Kazuar backdoor on target devices located in Ukraine.

The Windows maker noted that the AitM position is likely facilitated by lawful intercept and includes the installation of root certificates under the guise of Kaspersky antivirus to obtain elevated access to the system.

Initial access is achieved by redirecting target devices to threat actor-controlled infrastructure by putting them behind a captive portal, leading to the download and execution of the ApolloShadow malware.

The malware then beacons host information to the C2 server and runs a binary called CertificateDB.exe should the device not be running on default administrative settings, and retrieves as a second-stage payload an unknown Visual Basic Script.

In the last step, the ApolloShadow process launches itself again and presents the user with a user access control (UAC) pop-up window and instructs them to grant it the highest privileges available to the user.

ApolloShadow’s execution path varies if the running process is already running with sufficient elevated privileges, abusing them to set all networks to Private via registry profile changes and create an administrative user with the username UpdatusUser and a hard-coded password, allowing persistent access to the machine.

“This induces several changes, including allowing the host device to become discoverable, and relaxing firewall rules to enable file sharing,” the company said. “While we did not see any direct attempts for lateral movement, the main reason for these modifications is likely to reduce the difficulty of lateral movement on the network.”

Once this step is successfully completed, victims are displayed a window showing that the deployment of the digital certificates is in progress, causing two root certificates to be installed on the machine using the certutil utility. Also dropped is a file called “wincert.js” that allows Mozilla Firefox to trust the root certificates.

To defend against Secret Blizzard activity, diplomatic entities operating in Moscow are urged to implement the principle of least privilege (PoLP), periodically review privileged groups, and route all traffic through an encrypted tunnel to a trusted network or use a virtual private network (VPN) service provider.

Jul 31, 2025Ravie LakshmananPhishing / Threat Intelligence

Cybersecurity researchers have disclosed details of a new phishing campaign that conceals malicious payloads by abusing link wrapping services from Proofpoint and Intermedia to bypass defenses.

“Link wrapping is designed by vendors like Proofpoint to protect users by routing all clicked URLs through a scanning service, allowing them to block known malicious destinations at the moment of click,” the Cloudflare Email Security team said.

“While this is effective against known threats, attacks can still succeed if the wrapped link hasn’t been flagged by the scanner at click time.”

The activity, observed over the last two months, once again illustrates how threat actors find different ways to leverage legitimate features and trusted tools to their advantage and perform malicious actions, in this case, redirecting victims to Microsoft 365 phishing pages.

It’s noteworthy that the abuse of link wrapping involves the attackers gaining unauthorized access to email accounts that already use the feature within an organization, so that any email message containing a malicious URL sent from that account is automatically rewritten with the wrapped link (e.g., urldefense.proofpoint[.]com/v2/url?u=<malicious_website>).

Another important aspect concerns what Cloudflare calls “multi-tiered redirect abuse,” in which the threat actors first cloak their malicious links using a URL shortening service like Bitly, and then send the shortened link in an email message via a Proofpoint-secured account, causing it to be obscured a second time.

This behavior effectively creates a redirection chain, where the URL passes through two levels of obfuscation – Bitly and Proofpoint’s URL Defense – before taking the victim to the phishing page.

In the attacks observed by the web infrastructure company, the phishing messages masquerade as voicemail notifications, urging recipients to click on a link to listen to them, ultimately directing them to a bogus Microsoft 365 phishing page designed to capture their credentials.

Alternate infection chains employ the same technique in emails that notify users of a supposed document received on Microsoft Teams and trick them into clicking on booby-trapped hyperlinks.

A third variation of these attacks impersonates Teams in emails, claiming that they have unread messages and that they can click on the “Reply in Teams” button embedded in the messages to redirect them to credential harvesting pages.

“By cloaking malicious destinations with legitimate urldefense[.]proofpoint[.]com and url[.]emailprotection URLs, these phishing campaigns’ abuse of trusted link wrapping services significantly increases the likelihood of a successful attack,” Cloudflare said.

The development comes amid a spike in phishing attacks that weaponize Scalable Vector Graphics (SVG) files to get around traditional anti-spam and anti-phishing protections and initiate multi-stage malware infections.

“Unlike JPEG or PNG files, SVG files are written in XML and support JavaScript and HTML code,” the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) said last month. “They can contain scripts, hyperlinks, and interactive elements, which can be exploited by embedding malicious code within harmless SVG files.”

Phishing campaigns have also been observed embedding fake Zoom videoconferencing links in emails that, when clicked, trigger a redirection chain to a fake page that mimics a realistic-looking interface, after which they are served a “meeting connection timed out” message and taken to a phishing page that prompts them to enter their credentials to rejoin the meeting.

“Unfortunately, instead of ‘rejoining,’ the victim’s credentials along with their IP address, country, and region are exfiltrated via Telegram, a messaging app notorious for ‘secure, encrypted communications,’ and inevitably sent to the threat actor,” Cofense said in a recent report.