🧠 Threat Intel
Latest Threat Intel coverage curated from trusted cybersecurity sources.
-
Offline Decryption Messenger: Concept Proposal and Request for Constructive Feedback
Technical Information Security Content & Discussion — 2025-12-13T16:01:11.000Z
Hello everybody, Some activist friends and I have been discussing a problematic gap in the current landscape of secure messaging tools: the lack of user‑friendly communication systems that remain secure even in the presence of spyware. Standard E2E encrypted messengers such as Signal or Element become ineffective...
-
Exploitation of Critical Vulnerability in React Server Components (Updated December 12)
Unit 42 — Fri, 12 Dec 2025 21:40:55 +0000
We discuss the CVSS 10.0-rated RCE vulnerability in the Flight protocol used by React Server Components. This is tracked as CVE-2025-55182.
-
The FreePBX Rabbit Hole: CVE-2025-66039 & More
Technical Information Security Content & Discussion — 2025-12-12T13:56:46.000Z
submitted by /u/scopedsecurity
-
One newsletter to rule them all
Cisco Talos Blog — Thu, 11 Dec 2025 19:00:52 GMT
Hazel embarks on a creative fitness journey, virtually crossing Middle-earth via The Conqueror app while sharing key cybersecurity insights.
-
A modern tale of blinkenlights
Technical Information Security Content & Discussion — 2025-12-11T18:08:28.000Z
submitted by /u/smaury
-
5 Cybersecurity Predictions for 2026: An Industry Insider’s Analysis
Security Archives - TechRepublic — Thu, 11 Dec 2025 13:00:35 +0000
Explore the top cybersecurity predictions for 2026, from AI-driven threats to predictive SOCs and new risks to trust, identity, and critical systems.
-
Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite
Unit 42 — Thu, 11 Dec 2025 11:00:38 +0000
Hamas-affiliated threat actor Ashen Lepus (aka WIRTE) is conducting espionage with its new AshTag malware suite against Middle Eastern government entities.
-
OT Security Lessons from 2025: Why Essential Eight Needs an OT Lens
Security Archives - TechRepublic — Thu, 11 Dec 2025 08:03:12 +0000
OT security risks are rising as attackers target the IT–OT boundary. See why Essential Eight uplift needs an OT translation and what CIOs should focus on in 2026.
-
HTTPS certificate industry phasing out less secure domain validation methods
Google Online Security Blog — 2025-12-10T20:00:00.001Z
Posted by Chrome Root Program Team. Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the validation process and issuance practices behind it. Recently, the Chrome Root Program and the CA/Browser Forum have taken decisive steps toward a more secure internet by...
-
Ransom & Dark Web Issues Week 2, December 2025
ASEC — Wed, 10 Dec 2025 15:00:00 +0000
ASEC Blog publishes Ransom & Dark Web Issues Week 2, December 2025: Source code from a South Korean camping reservation platform sold on DarkForums; LockBit 5.0 targets 25 companies worldwide with ransomware attack; Agencies from USA and Europe escalate pressure on pro-Russian hacktivists.
-
VITAS Healthcare Breach Exposes 319K Patient Records
Security Archives - TechRepublic — Wed, 10 Dec 2025 14:35:50 +0000
Hackers maintained undetected access to patient systems for over a month, methodically downloading personal and medical information.
-
Google Chrome’s New AI Security Aims to Stop Hackers Cold
Security Archives - TechRepublic — Wed, 10 Dec 2025 13:23:37 +0000
Google is also backing these measures with a $20,000 bounty for researchers who can demonstrate successful breaches of the new security boundaries.
-
Essential Eight: What Organisations Should Expect in 2026
Security Archives - TechRepublic — Wed, 10 Dec 2025 12:54:27 +0000
Explore how the Essential Eight may shift in 2026, why ACSC expectations could rise, and what Australian organisations should do for greater resilience.
-
01flip: Multi-Platform Ransomware Written in Rust
Unit 42 — Wed, 10 Dec 2025 11:00:12 +0000
01flip is a new ransomware family fully written in Rust. Activity linked to 01flip points to alleged dark web data leaks.
-
Microsoft Patch Tuesday for December 2025 — Snort rules and prominent vulnerabilities
Cisco Talos Blog — Tue, 09 Dec 2025 23:29:51 GMT
The Patch Tuesday for December of 2025 includes 57 vulnerabilities, including two that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.” Microsoft assessed that exploitation of the two “critical” vulnerabilities is “less likely.”
-
Further Hardening Android GPUs
Google Online Security Blog — 2025-12-09T17:00:00.008Z
Posted by Liz Prucka, Hamzeh Zawawy, Rishika Hooda, Android Security and Privacy Team. Last year, Google's Android Red Team partnered with Arm to conduct an in-depth security analysis of the Mali GPU, a component used in billions of Android devices worldwide. This collaboration was a significant step in proactively...
-
New BYOVD loader behind DeadLock ransomware attack
Cisco Talos Blog — Tue, 09 Dec 2025 11:00:25 GMT
Cisco Talos has uncovered a new DeadLock ransomware campaign using a previously unknown BYOVD loader to exploit a Baidu Antivirus driver vulnerability, letting threat actors disable EDR defenses and escalate attacks.
-
New in Snort3: Enhanced rule grouping for greater flexibility and control
Cisco Talos Blog — Tue, 09 Dec 2025 11:00:00 GMT
Today, Cisco Talos is introducing new capabilities for Snort3 users within Cisco Secure Firewall to give you greater flexibility in how you manage, organize, and prioritize detection rules.
-
Architecting Security for Agentic Capabilities in Chrome
Google Online Security Blog — 2025-12-08T18:03:00.001Z
Posted by Nathan Parker, Chrome security team. Chrome has been advancing the web’s security for well over 15 years, and we’re committed to meeting new challenges and opportunities with AI. Billions of people trust Chrome to keep them safe by default, and this is a responsibility we take seriously. Following the...
-
The State of the 2025 Cyber Workforce: Skills Gaps, AI Opportunity and Economic Strain
Lohrmann on Cybersecurity — Sun, 07 Dec 2025 10:12:00 GMT
The “2025 ISC2 Cybersecurity Workforce Study” was just released, and eye-opening cybersecurity trends are developing that are worth close attention. Let’s explore.
-
New Prompt Injection Attack Vectors Through MCP Sampling
Unit 42 — Fri, 05 Dec 2025 23:00:59 +0000
Model Context Protocol connects LLM apps to external data sources or tools. We examine its security implications through various attack vectors.
-
Socomec DIRIS Digiware M series and Easy Config, PDF XChange Editor vulnerabilities
Cisco Talos Blog — Thu, 04 Dec 2025 20:23:15 GMT
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed an out-of-bounds read vulnerability in PDF XChange Editor, and ten vulnerabilities in Socomec DIRIS Digiware M series and Easy Config products. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all...
-
Mobile Security & Malware Issue 1st Week of December, 2025
ASEC — Thu, 04 Dec 2025 15:00:00 +0000
ASEC Blog publishes “Mobile Security & Malware Issue 1st Week of December, 2025”.
-
Smile, You’re on Camera: A Live Stream from Inside Lazarus Group’s IT Workers Scheme
Malware Analysis - ANY.RUN's Cybersecurity Blog — Thu, 04 Dec 2025 11:51:50 +0000
Editor’s note: This work is a collaboration between Mauro Eldritch from BCA LTD, a company dedicated to threat intelligence and hunting, Heiner García from NorthScan, a threat intelligence initiative uncovering North Korean IT worker infiltration, and ANY.RUN, the leading company in malware analysis and threat...
-
Android expands pilot for in-call scam protection for financial apps
Google Online Security Blog — 2025-12-03T16:59:00.000Z
Posted by Aden Haussmann, Associate Product Manager, and Sumeet Sharma, Play Partnerships Trust & Safety Lead. Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle. Over the last few years, we’ve launched industry-leading features to detect scams and protect...
-
Ransom & Dark Web Issues Week 1, December 2025
ASEC — Wed, 03 Dec 2025 15:00:00 +0000
ASEC Blog publishes Ransom & Dark Web Issues Week 1, December 2025: Source code from a South Korean AI solution company shared on DarkForums; Nova (RALord) targets a South Korean industrial equipment manufacturer with ransomware attack; PLAY targets a South Korean auto parts manufacturer with ransomware attack.
-
We're at Black Hat Europe
EclecticIQ Blog — Wed, 03 Dec 2025 13:31:15 GMT
EclecticIQ is proud to sponsor and exhibit at Black Hat Europe 2025, one of the world’s leading cybersecurity and threat intelligence conferences. This year’s event brings more than 3,000 security professionals from over 70 countries to London’s ExCeL for two days of technical briefings, hands-on research, and...
-
The Browser Defense Playbook: Stopping the Attacks That Start on Your Screen
Unit 42 — Wed, 03 Dec 2025 00:00:04 +0000
85% of daily work occurs in the browser. Unit 42 outlines key security controls and strategies to make sure yours is secure.
-
Salty2FA & Tycoon2FA Hybrid: A New Phishing Threat to Enterprises
Malware Analysis - ANY.RUN's Cybersecurity Blog — Tue, 02 Dec 2025 10:56:08 +0000
Phishing kits usually have distinct signatures in their delivery methods, infrastructure, and client-side code, which makes attribution fairly predictable. But recent samples began showing traits from two different kits at once, blurring those distinctions. That’s exactly what ANY.RUN analysts saw with Salty2FA and...
-
Security Incident Reported in Ad-Free YouTube App SmartTube: Users Advised to Stay Alert
ASEC — Mon, 01 Dec 2025 15:00:00 +0000
The signature key information of the SmartTube app, which allows users to watch YouTube videos on Android smart TVs and set-top boxes without ads, has been leaked. This incident was identified as multiple users received Play Protect warning messages and had their apps blocked. (Figure 1. User report) The developer...
-
r/netsec monthly discussion & tool thread
Technical Information Security Content & Discussion — 2025-12-01T14:29:43.000Z
Questions regarding netsec and discussion related directly to netsec are welcome here, as is sharing tool links. Rules & Guidelines: Always maintain civil discourse. Be awesome to one another - moderator intervention will occur if necessary. Avoid NSFW content unless absolutely necessary. If used, mark it as being...
-
2025 Ransomware Threat Landscape: Impact on Korean Enterprises
ASEC — Sun, 30 Nov 2025 15:00:00 +0000
Overview and Background: The number of ransomware attacks has been increasing worldwide in recent years, and Korean companies are not exempt from this trend. The situation is particularly acute in Asia, where ransomware attacks have surged since 2023. This growing trend has prompted a need for a systematic analysis...
-
Cyber Budgets Slow, AI Surges: What the Data Says About 2026
Lohrmann on Cybersecurity — Sun, 30 Nov 2025 10:51:00 GMT
In a mixed economic environment, how are cybersecurity budgets competing among business priorities, and what may be ahead for 2026?
-
Major Cyber Attacks in November 2025: XWorm, JSGuLdr Loader, Phoenix Backdoor, Mobile Threats, and More
Malware Analysis - ANY.RUN's Cybersecurity Blog — Wed, 26 Nov 2025 09:52:56 +0000
Stealers, loaders, and targeted campaigns dominated November’s activity. ANY.RUN analysts examined cases ranging from PNG-based in-memory loading used to deploy XWorm to JSGuLdr, a three-stage JavaScript-to-PowerShell loader pushing PhantomStealer. Alongside these public cases, three Threat Intelligence Reports...
-
When AI Goes Rogue, Science Fiction Meets Reality
Lohrmann on Cybersecurity — Sun, 23 Nov 2025 10:48:00 GMT
The new movie Tron: Ares isn’t just sci-fi entertainment — it’s a mirror for today’s AI risks and realities. What happens when artificial intelligence systems don't work as intended?
-
Android Quick Share Support for AirDrop: A Secure Approach to Cross-Platform File Sharing
Google Online Security Blog — 2025-11-20T17:00:00.001Z
Posted by Dave Kleidermacher, VP, Platforms Security & Privacy, Google. Technology should bring people closer together, not create walls. Being able to communicate and connect with friends and family should be easy regardless of the phone they use. That’s why Android has been building experiences that help you stay...
-
Autumn Dragon: China-nexus APT Group Targets South East Asia
Blaze's Security Blog — 2025-11-19T22:52:00.001Z
In this report, we describe how we tracked for several months a sustained espionage campaign against the government, media, and news sectors in several countries including Laos, Cambodia, Singapore, the Philippines and Indonesia. Since early 2025, China’s involvement in the Indo-Pacific has been more prolific, from...
-
LOLBin Attacks Explained with Examples: Everything SOC Teams Need to Know
Malware Analysis - ANY.RUN's Cybersecurity Blog — Wed, 19 Nov 2025 08:38:24 +0000
Some attacks smash the door open. LOLBins just borrow your keys and walk right in. They’re tricky because tools everyone trusts suddenly start doing things that don’t match their usual job: loading odd-looking modules, decoding files that shouldn’t need decoding, or quietly handing work off to hidden PowerShell...
-
Can You Future-Proof Your Life in the Age of AI? (Book Review)
Lohrmann on Cybersecurity — Sun, 16 Nov 2025 10:23:00 GMT
In his book Comfort Override: Future-Proof Your Life as AI Flips Your World, Ranan Lachman explores how we can prepare and adapt for unprecedented change and offers practical, hands-on help.
-
TAG Bulletin: Q3 2025
Threat Analysis Group (TAG) — Thu, 13 Nov 2025 16:00:00 +0000
Our bulletin covering coordinated influence operation campaigns terminated on our platforms in Q3 2025.
-
The reality: Bargains bring risk
EclecticIQ Blog — Mon, 10 Nov 2025 07:26:16 GMT
From Black Friday to Boxing Day, shopping surges and so do cyber scams. Countdown timers and “last chance” offers create urgency that attackers exploit. Every click has consequences if you’re not prepared.
-
Policy Meets AI: Why Broken Rules Break Customer Service
Lohrmann on Cybersecurity — Sun, 09 Nov 2025 10:11:00 GMT
AI can streamline how government serves residents, but automating bad processes only accelerates frustration. Here's why fixing policies is the first step to successful AI in customer service.
-
How Workers VPC Services connects to your regional private networks from anywhere in the world
The Cloudflare Blog — Wed, 05 Nov 2025 14:00:00 GMT
Workers VPC Services enter open beta today. We look under the hood to see how Workers VPC connects your globally-deployed Workers to your regional private networks by using Cloudflare's global network, while abstracting cross-cloud networking complexity.
-
Why no business is immune to cyberattacks
EclecticIQ Blog — Mon, 03 Nov 2025 09:57:03 GMT
The reality: every organization is a potential target. Cybersecurity is no longer a concern reserved for the world’s largest enterprises or government agencies. In today’s hyperconnected world, every organization — regardless of size, sector, or geography — is a potential target.
-
/r/netsec's Q4 2025 Information Security Hiring Thread
Technical Information Security Content & Discussion — 2025-11-02T16:12:00.000Z
Overview: If you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company. We would also like to encourage you to post internship positions as well. Many of our readers are...
-
Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking
security – Ars Technica — Thu, 30 Oct 2025 20:29:43 +0000
Cellebrite can apparently extract data from most Pixel phones, unless they're running GrapheneOS.
-
One IP address, many users: detecting CGNAT to reduce collateral effects
The Cloudflare Blog — Wed, 29 Oct 2025 13:00:00 GMT
IPv4 scarcity drives widespread use of Carrier-Grade Network Address Translation, a practice in ISPs and mobile networks that places many users behind each IP address, along with their collected activity and volumes of traffic. We introduce the method we’ve developed to detect large-scale IP sharing globally and...
-
Defending QUIC from acknowledgement-based DDoS attacks
The Cloudflare Blog — Wed, 29 Oct 2025 13:00:00 GMT
We identified and patched two DDoS vulnerabilities in our QUIC implementation related to packet acknowledgements. Cloudflare customers were not affected. We examine the "Optimistic ACK" attack vector and our solution, which dynamically skips packet numbers to validate client behavior.
-
Major Cyber Attacks in October 2025: Phishing via Google Careers & ClickUp, Figma Abuse, LockBit 5.0, and TyKit
Malware Analysis - ANY.RUN's Cybersecurity Blog — Wed, 29 Oct 2025 10:02:04 +0000
Phishing campaigns and ransomware families evolved rapidly this October, from fake Google Careers pages and ClickUp redirect chains to Figma-hosted credential theft and LockBit’s move into ESXi and Linux systems. ANY.RUN analysts also uncovered TyKit, a reusable phishing kit hiding JavaScript inside SVG files to...
-
Keeping the Internet fast and secure: introducing Merkle Tree Certificates
The Cloudflare Blog — Tue, 28 Oct 2025 13:00:00 GMT
Cloudflare is launching an experiment with Chrome to evaluate fast, scalable, and quantum-ready Merkle Tree Certificates, all without degrading performance or changing WebPKI trust relationships.
-
EclecticIQ Intelligence Center 3.6: Built for finished intel, custom data modeling, and faster investigations
EclecticIQ Blog — Tue, 28 Oct 2025 09:55:22 GMT
EclecticIQ Intelligence Center 3.6 isn’t just an update - it’s a leap forward. With smarter finished intelligence reporting, flexible intelligence modelling, and next-level AI features, this release helps cybersecurity teams move faster, work smarter, and deliver more value across the organization. Let’s break down...
-
Earth Estries alive and kicking
Blaze's Security Blog — 2025-10-27T22:09:00.004Z
Earth Estries, also known as Salt Typhoon and a few other names, is a China-nexus APT actor, and is known to have used multiple implants such as Snappybee (Deed RAT), ShadowPad, and several more. In their latest campaign, the actor leverages one of the latest WinRAR vulnerabilities that will ultimately lead to...
-
Lessons from the BlackBasta Ransomware Attack on Capita
@BushidoToken Threat Intel — 2025-10-18T13:17:00.000Z
Introduction: When a company that manages data for millions of UK citizens falls victim to ransomware, the whole industry should pay attention to it. On 15 October 2025, the UK Information Commissioner’s Office (ICO) published a detailed 136 page report about the Capita breach. The aim of this blog is to extract...
-
Improving the trustworthiness of Javascript on the Web
The Cloudflare Blog — Thu, 16 Oct 2025 14:00:00 GMT
There's no way to audit a site’s client-side code as it changes, making it hard to trust sites that use cryptography. We preview a specification we co-authored that adds auditability to the web.
-
Extending STIX: How Custom objects empower your intelligence work
EclecticIQ Blog — Tue, 14 Oct 2025 07:15:00 GMT
In today’s fast-moving threat landscape, your intelligence doesn’t always fit predefined categories. EclecticIQ Intelligence Center 3.6 gives you Custom objects, built on STIX’s extension capability, so you can capture and operationalize intelligence that goes beyond the standard object types.
-
A biological 0-day? Threat-screening tools may miss AI-designed proteins.
security – Ars Technica — Fri, 03 Oct 2025 20:12:52 +0000
Ordering DNA for AI-designed toxins doesn't always raise red flags.
-
Google confirms Android dev verification will have free and paid tiers, no public list of devs
security – Ars Technica — Fri, 03 Oct 2025 18:31:23 +0000
Google promises verification will make Android safer, but at what cost?
-
Ransomware Tool Matrix Update: Community Reports
@BushidoToken Threat Intel — 2025-09-13T20:38:00.000Z
Introduction: The Ransomware Tool Matrix continues to be a useful passion project that I am happy to continue maintaining. One piece of common feedback I've received for the Ransomware Tool Matrix was that individuals would like to contribute their observations to it, but do not have public links they can cite (such...
-
Former WhatsApp security boss in lawsuit likens Meta’s culture to a “cult”
security – Ars Technica — Mon, 08 Sep 2025 20:26:02 +0000
Meta allegedly prioritized user growth over security, lawsuit said.
-
Google says Gmail security is “strong and effective” as it denies major breach
security – Ars Technica — Tue, 02 Sep 2025 18:39:44 +0000
Google refutes claims that all 2.5 billion Gmail users are at risk.
-
Three Lazarus RATs coming for your cheese
Fox-IT International blog — Mon, 01 Sep 2025 13:00:00 +0000
Authors: Yun Zheng Hu and Mick Koomen. Introduction: In the past few years, Fox-IT and NCC Group have conducted multiple incident response cases involving a Lazarus subgroup that specifically targets organizations in the financial and cryptocurrency sector. This Lazarus subgroup overlaps with activity linked to...
-
TAG Bulletin: Q2 2025
Threat Analysis Group (TAG) — Mon, 21 Jul 2025 17:45:00 +0000
Our bulletin covering coordinated influence operation campaigns terminated on our platforms in Q2 2025.
-
Steam Phishing: popular as ever
Blaze's Security Blog — 2025-06-20T17:20:00.005Z
A month or so ago a friend of mine received the following message on Steam from someone in their Friends list (they were already friends): (Figure 1 - 'this is for you') The two links are different and refer to a Gift Card on Steam's community platform. As you might have noticed, the domain is not related to Steam at...
-
TAG Bulletin: Q1 2025
Threat Analysis Group (TAG) — Thu, 15 May 2025 17:30:00 +0000
This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q1 2025. It was last updated on May 15, 2025. January: We terminated 12 YouT…
-
Ransomware Tool Matrix Project Updates: May 2025
@BushidoToken Threat Intel — 2025-05-05T22:01:00.000Z
Introduction: This blog is a summary and analysis of recent additions to the Ransomware Tool Matrix (RTM) as well as the Ransomware Vulnerability Matrix (RVM). Feedback from the infosec community about these projects has been overwhelmingly positive and many researchers have contacted me to tell me how helpful they...
-
Tracking Adversaries: EvilCorp, the RansomHub affiliate
@BushidoToken Threat Intel — 2025-04-02T15:52:00.000Z
Introduction: This blog is part of a cyber threat intelligence (CTI) blog series called Tracking Adversaries that investigates prominent or new threat groups. The focus of this blog is EvilCorp, a sanctioned Russia-based cybercriminal enterprise known for launching ransomware attacks, and RansomHub, a prominent...
-
BlackBasta Leaks: Lessons from the Ascension Health attack
@BushidoToken Threat Intel — 2025-02-27T22:43:00.000Z
The BlackBasta ransomware group’s leaked chat logs have proven to already be another unique and fascinating opportunity for researchers to better understand the internal operations of a Russia-based organised cybercrime enterprise. These leaks followed a major leak of Conti chat logs in 2022, which also proved to...
-
TAG Bulletin: Q4 2024
Threat Analysis Group (TAG) — Tue, 17 Dec 2024 22:00:00 +0000
This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q4 2024. It was last updated on February 19, 2024. October: We terminated 11…
-
Decrypting Full Disk Encryption with Dissect
Fox-IT International blog — Wed, 11 Dec 2024 07:30:00 +0000
Author: Guus Beckers. Back in 2022 Fox-IT decided to open source its proprietary incident response tooling known as Dissect. Since then it has been adopted by many different companies in their regular workflow. For those of you who are not yet familiar with Dissect, it is an incident response framework built with...
-
Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation
Fox-IT International blog — Wed, 25 Sep 2024 10:36:12 +0000
Authors: Boudewijn Meijer && Rick Veldhoven. Introduction: As defensive security products improve, attackers must refine their craft. Gone are the days of executing malicious binaries from disk, especially ones well known to antivirus and Endpoint Detection and Response (EDR) vendors. Now, attackers focus on in-memory...
-
TAG Bulletin: Q3 2024
Threat Analysis Group (TAG) — Thu, 12 Sep 2024 23:30:00 +0000
This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2024. It was last updated on January 14, 2025. July: We terminated 89 You…
-
Microsoft Word and Sandboxes
Blaze's Security Blog — 2024-08-14T17:35:00.001Z
Today's post is a brief one on some Microsoft Word and sandbox detection / discovery / fun. Collect user name from Microsoft Office: Most sandboxes will trigger somehow or something if a tool or malware tries to collect system information or user information. But what if we collect the user name via the registry and...
-
New North Korean based backdoor packs a punch
Blaze's Security Blog — 2024-06-20T21:10:00.001Z
In recent months, North Korean based threat actors have been ramping up attack campaigns in order to achieve a myriad of their objectives, whether it be financial gain or with espionage purposes in mind. The North Korean cluster of attack groups is peculiar seeing there is quite some overlap with one another, and...
-
The State of Go Fuzzing - Did we already reach the peak?
Low-level adventures — Wed, 15 May 2024 12:11:10 GMT
During one of the recent working days, I was tasked with fuzzing some Go applications. That's something I had not done in a while, so my first course of action was to research the current state of the art of the tooling landscape. After like a couple of
-
Sifting through the spines: identifying (potential) Cactus ransomware victims
Fox-IT International blog — Thu, 25 Apr 2024 04:00:00 +0000
Authored by Willem Zeeman and Yun Zheng Hu. This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them please check the central blog by Dutch special interest group...
-
Android Malware Vultur Expands Its Wingspan
Fox-IT International blog — Thu, 28 Mar 2024 10:00:15 +0000
Authored by Joshua Kamp. Executive summary: The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. Vultur has also started masquerading more of its malicious activity by...
-
DarkGate - Threat Breakdown Journey
Toxin Labs — 2023-08-06T00:00:00.000Z
Intro: Over the past month, a widespread phishing campaign has targeted individuals globally. The campaign's execution chain ends with the deployment of a malware known as DarkGate, a loader type malware. DarkGate is exclusively sold on underground online forums and the developer keeps a very tight amount of seats...
-
Kraken - The Deep Sea Lurker Part 2
Toxin Labs — 2023-05-26T00:00:00.000Z
Intro: In the second part of analyzing the “KrakenKeylogger”, I will be diving into some proactive “threat hunting” steps I’ve done during my research about the Kraken here. What do we have? Let’s start with what we currently have and how we can pivot with it: C2: thereccorp.com Payload fetching domain:...
-
Kraken - The Deep Sea Lurker Part 1
Toxin Labs — 2023-05-20T00:00:00.000Z
Intro: In this first part we will be going through a recent phishing campaign delivering a never seen before “KrakenKeylogger” malware. The Phish: The mail sent to the victim is a simple malspam mail with archive attachment. The archive is a .zip archive that contains a .lnk file. LNK Analysis, LEcmd Tool: In order to...
-
PlutoCrypt - A CryptoJoker Ransomware Variant
Toxin Labs — 2023-04-14T00:00:00.000Z
Intro: In this blog I will deep dive into a variant of CryptoJoker Ransomware alongside analyzing the multi-stage execution chain. BRACE YOURSELVES! The Phish: Our story begins with a spear phishing email, targeting Turkish individuals and organizations. These attacks often begin with an email that appears to be...
-
LummaC2 - Stealer Features BreakDown
Toxin Labs — 2023-04-09T00:00:00.000Z
Intro: This blog will be a bit different from my usual blogs; it will mainly contain scripts and some research I’ve spent on finding some of the things you’ll read through the blog. I’ve tried to cover things that weren’t covered in previous blogs that can be found on the Lumma Stealer Malpedia entry. The Phish: The...
-
WannaCry: The Most Preventable Ransomware is Still at Large
Malicious History - ANY.RUN's Cybersecurity Blog — Tue, 17 Jan 2023 07:47:38 +0000
The WannaCry attack of 2017 is the perfect example of why you should always install security updates as soon as they’re released. This was, probably, the most avoidable ransomware incident. And, at the same time, one of the most damaging and rapidly spreading malware outbreaks. This is the story of the WannaCry...
-
Vulnerability Research Digest - Issue 1 (macOS/iOS in 2022)
Blog — 2022-12-29T00:00:00.000Z
In the past few years I created some Twitter threads (e.g. Windows Kernel Security, Linux Kernel Security) on a number of publications I found the most interesting within the vulnerability research space. This didn’t really give me that much space to actually provide detail or allow this to be stored within a format...
-
The End of Sodinokibi: the Infamous Ransomware Goes Down
Malicious History - ANY.RUN's Cybersecurity Blog — Tue, 13 Dec 2022 05:50:08 +0000
Sodinokibi was, perhaps, the most ill-renowned ransomware. While it was active, it netted crooks hundreds of millions of dollars, hitting prominent targets such as Apple, Acer, Donald Trump’s lawyers, and most recently, HX5, a US defense company. It took a law enforcement operation coordinated between 17 countries...
-
Learning Linux kernel exploitation - Part 2 - CVE-2022-0847
Low-level adventures — Mon, 09 May 2022 11:56:35 GMT
Continuing to walk down Linux Kernel exploitation lane. This time around with an unanticipated topic: DirtyPipe, as it actually nicely fits the series as an example.
-
Demystifying Security Research - Part 1
Blog — 2022-04-24T00:00:00.000Z
There are a number of key questions which are always asked by people wanting to get into security research, find out more about how others go about it or just generally improve their processes. In this post I want to highlight some of the things which work for me and some guidance which may help others. This is a...
-
Learning Linux kernel exploitation - Part 1 - Laying the groundwork
Low-level adventures — Tue, 01 Mar 2022 08:47:34 GMT
Table of contents. Disclaimer: This post will cover basic steps to accomplish a privilege escalation based on a vulnerable driver. The basis for this introduction will be a challenge from the hxp2020 CTF called "kernel-rop". There's (obviously) write-ups for this floating around the net (check
-
Overview of GLIBC heap exploitation techniques
Low-level adventures — Sun, 13 Feb 2022 15:15:47 GMT
Overview of current GLIBC heap exploitation techniques up to GLIBC 2.34, including their ideas and introduced mitigations along the way.
-
MISC study notes about ARM AArch64 Assembly and the ARM Trusted Execution Environment (TEE)
Low-level adventures — Sat, 12 Feb 2022 15:44:31 GMT
Disclaimer: These are unfiltered study notes mostly for myself. Guaranteed not to be error free. So if you did land here, managed to get to the end of it and found some mistakes just hit me up, I'd love to know what's wrong :) AArch64 - Preface
-
CVE-2021-30660 - XNU Kernel Memory Disclosure
Blog — 2021-06-01T00:00:00.000Z
The msgrcv_nocancel syscall could disclose uninitialized memory from kernel space into userspace. This is due to an incorrect calculation being performed when copying the memory. The vulnerability was patched in the following releases: macOS 11.3, iOS 14.5. Vulnerability Details (sysv_msg.c): The msgrcv_nocancel...
-
Rise and Fall of Emotet
Malicious History - ANY.RUN's Cybersecurity Blog — Fri, 05 Feb 2021 06:02:36 +0000
Emotet was the most threatening malware in the world. This nightmare of cybersecurity specialists challenged millions of infected computers and caused more than $2 billion in losses. And now the sophisticated botnet is taken down. Emotet was known as a destructive cyber threat out there. And ANY.RUN sandbox faced...
-
CVE-2020-9967 - Apple macOS 6LowPAN Vulnerability
Blog — 2020-12-22T00:00:00.000Z
Inspired by Kevin Backhouse’s great work on finding XNU remote vulnerabilities I decided to spend some time looking at CodeQL and performing some variant analysis. This led to the discovery of a local root to kernel (although documented by Apple as remote) vulnerability within the 6LowPAN code of macOS 10.15.4....
-
Time Bombs: Malware with Delayed Execution
Malicious History - ANY.RUN's Cybersecurity Blog — Thu, 17 Sep 2020 13:38:00 +0000
Did you know that there’s malware that behaves just like cliched ticker-bombs from Hollywood blockbusters? It enters the system and waits there, sometimes for ages, with the timer slowly but inevitably counting towards the destructive explosion. Or in our case — execution. Once the time comes, a cyber-bomb like...
-
Malware History: MyDoom
Malicious History - ANY.RUN's Cybersecurity Blog — Wed, 16 Sep 2020 11:37:00 +0000
MyDoom, sometimes also called Novarg, W32.MyDoom@mm, Shimgapi, and Mimail.R is a worm type malware that infects Windows PCs. After infecting machines, the malware gets access to all files and distributes itself to the email contacts of the victim. It also features a countback timer that starts DOS attacks on...
-
Coverage Guided Fuzzing in Go
Blog — 2020-07-27T00:00:00.000Z
Recently I had the need to explore coverage guided fuzzing in Go. Whilst there is a bit of information scattered around on multiple different sites, as someone who is fairly new to Go, I couldn’t find a good concise source of information on what is already out there and the current state of play of fuzzer tooling...