CyberSecurity news
FlagThis
|
@socprime.com
//
References:
industrialcyber.co
, socprime.com
The Billbug espionage group, also known as Lotus Blossom, Lotus Panda, and Bronze Elgin, is actively targeting government and critical sectors in Southeast Asia through a coordinated cyber intrusion campaign. Security researchers at Symantec have uncovered that this China-linked group compromised multiple organizations within a single Southeast Asian country between August 2024 and February 2025. The campaign marks a continuation of previously documented attacks in the region, showcasing the persistent threat posed by state-sponsored actors.
The attackers are employing sophisticated techniques, including DLL sideloading, to infiltrate systems. They are exploiting legitimate software from reputable vendors like Trend Micro and Bitdefender to load malicious loaders. Specifically, a Trend Micro binary named tmdbglog.exe is being used to sideload a malicious DLL named tmdglog.dll, which decrypts and executes further malicious code. Similarly, a Bitdefender binary, bds.exe, is abused to sideload a harmful file called log.dll. This DLL decrypts another file, winnt.config, and injects its payload into a Windows system process, systray.exe. The targets of this campaign include a government ministry, an air traffic control organization, a telecommunications provider, and a construction company. Additionally, the group has targeted a news agency in another Southeast Asian country and an air freight organization in a neighboring country. The attackers are using new custom tools, including loaders, credential stealers, and a reverse SSH tool. Indicators of compromise (IOCs) related to Billbug activity have been identified, linking this campaign to the group's known tactics and infrastructure. These findings underscore the need for robust security measures and threat intelligence sharing to defend against such advanced cyber espionage efforts. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Russian threat actors are aggressively targeting individuals and organizations with ties to Ukraine and human rights, initiating these campaigns since early March 2025. Cybersecurity firm Volexity has uncovered sophisticated cyberattacks where these actors are exploiting Microsoft's OAuth 2.0 authentication workflows to gain unauthorized access to Microsoft 365 (M365) accounts. This marks a shift from previously observed attacks that utilized device code phishing, demonstrating the adversaries' continuous refinement of their tactics to evade detection. Volexity is tracking at least two suspected Russian threat actors, UTA0352 and UTA0355, believed to be behind these attacks, though a connection to APT29, UTA0304, and UTA0307 hasn't been ruled out.
These threat actors are employing highly targeted social engineering operations, impersonating officials from various European nations and, in one instance, leveraging a compromised Ukrainian Government account. They are using messaging apps like Signal and WhatsApp to contact potential victims, enticing them with invitations to join private meetings with European political figures or events related to Ukraine. These conversations are designed to lead victims to click links hosted on Microsoft 365 infrastructure, furthering the attack. The primary tactic involves tricking victims into providing Microsoft Authorization codes, which the attackers then use to gain account access, join attacker-controlled devices to Entra ID, and download emails and other account-related data. In one observed technique associated with UTA0352, the attackers lure users into granting access via OAuth workflows tied to Visual Studio Code and other Microsoft applications, exploiting URLs that redirect through official Microsoft services. UTA0355 uses a multi-stage approach, starting with emails sent from a compromised Ukrainian government account followed by social engineering via messaging apps. Recommended read:
References :
@cyberpress.org
//
New Lumma Stealer Variant with Enhanced Evasion - A new variant of the Lumma Stealer malware has been identified, featuring code flow obfuscation and complex infection chains to steal sensitive information.
ImgSrc: blogger.googleu
A new variant of the Lumma Stealer malware has been identified, showing significant advancements in its stealth and persistence. Researchers at the Trellix Advanced Research Center analyzed the new variant, discovering features such as code flow obfuscation and dynamic API resolution that help it evade detection. Lumma Stealer, originally introduced in 2022, has rapidly evolved and poses a serious threat to personal and organizational data by targeting sensitive information stored on infected systems.
Lumma Stealer, also known as LummaC2, has gained popularity in underground forums with over a thousand active subscribers as of March 2025. The malware uses deceptive methods such as fake CAPTCHA pages, mimicking Google reCAPTCHA or Cloudflare challenges, to trick users into executing malicious commands. These fraudulent pages are often hosted on compromised websites offering pirated content or cryptocurrency services, enticing unsuspecting users to initiate the infection chain. The malware's infection chain is complex and difficult to detect. It involves downloading a .zip file, extracting the malware, and establishing persistence through the Windows Registry's Run key. More advanced attacks hide the malware within seemingly harmless .mp3 or .png files, triggered via the mshta.exe HTML application engine, deploying layers of encryption, anti-debugging techniques, and detection evasion mechanisms. The stealer targets sensitive data, including cryptocurrency wallet credentials, 2FA codes, browser-stored passwords, and financial information, which it transmits to attacker-controlled domains. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Russian military personnel are being targeted by a new Android spyware campaign that disguises itself as a legitimate Alpine Quest mapping application. The spyware, dubbed Android.Spy.1292.origin, is distributed through unofficial channels, including Russian Android app catalogs and a fake Telegram channel promoting a pirated "Pro" version of the app. Once installed, the trojanized app functions like the original Alpine Quest, a popular navigation tool used by outdoor enthusiasts and also relied upon by Russian soldiers in military zones due to its offline capabilities. This allows the malware to remain undetected while it secretly harvests sensitive data from the compromised device.
The spyware collects a wide range of information, including the user's phone number, contact lists, geolocation data, and a list of files stored on the device. This data is then sent to a remote command-and-control server and a Telegram bot controlled by the attackers. The attackers are particularly interested in retrieving confidential documents shared via messaging apps like Telegram and WhatsApp. The malware also targets a specific file called "locLog" created by Alpine Quest, which logs detailed user movement data. By stealing this file, the attackers can reconstruct the victim's movements over time, enabling surveillance. Security researchers at Doctor Web discovered the campaign and noted the modular design of the spyware, which allows attackers to expand its capabilities by downloading additional modules. This can enable the exfiltration of specific content and execute a wider spectrum of malicious tasks. The attacks mirror tactics previously deployed by Russian groups against Ukrainian soldiers, seeking to access data from military apps and encrypted messaging apps. Experts advise downloading Android apps only from trusted app marketplaces and avoiding downloading "free" paid versions of software from dubious sources to mitigate the risk posed by such threats. Recommended read:
References :
Bill Toulas@BleepingComputer
//
South Korea's largest mobile operator, SK Telecom, is grappling with the aftermath of a malware attack that has potentially exposed the sensitive Universal Subscriber Identity Module (USIM) data of its customers. The company detected the breach on Saturday, April 19, 2025, at 11 PM local time, prompting immediate action to delete the malware and isolate affected equipment. While SK Telecom has not confirmed any misuse of the compromised data thus far, the incident raises significant concerns about the security of customer information and the potential for identity theft and fraud. Millions of SK Telecom customers are potentially at risk following USIM data compromise.
The compromised USIM data acts as a key to a customer's digital identity, and unauthorized access can enable threat actors to impersonate individuals and access sensitive personal and financial information. This vulnerability extends to the potential for SIM card cloning, where fraudsters can duplicate USIMs to intercept calls, messages, and data for illegal activities. As the largest mobile carrier in South Korea, serving over 29 million subscribers, SK Telecom's breach highlights broader vulnerabilities within the telecommunications infrastructure. The incident has prompted calls for strengthened cybersecurity protocols across the industry to prevent future attacks of this nature. The SK Telecom malware attack serves as a crucial lesson for the entire telecom industry, underscoring the need for robust security measures and regulatory compliance. The potential risks associated with USIM data exposure, including identity theft, fraud, and broader infrastructure vulnerabilities, emphasize the importance of protecting personal identity information stored on USIMs. This incident highlights the importance of strengthening cybersecurity protocols across the industry to protect against similar threats. In response, government agencies are expected to launch investigations and reassess regulatory frameworks to ensure the security and privacy of customer data in the telecommunications sector. Recommended read:
References :
@cyberalerts.io
//
A massive ad fraud operation dubbed "Scallywag" has been disrupted after researchers uncovered its scheme of generating up to 1.4 billion fraudulent ad requests daily. This operation monetized pirating and URL shortening websites through specially crafted WordPress plugins. These plugins, including Soralink, Yu Idea, WPSafeLink, and the Droplink extension, facilitated the insertion of ad-laden intermediary pages between piracy catalog sites and the desired pirated content, forcing users to interact with numerous ads and wait times.
HUMAN, a bot and fraud detection company, played a critical role in dismantling Scallywag's operations. The researchers identified anomalous traffic patterns, such as elevated ad impression volume and forced user interactions on seemingly innocuous WordPress blogs. By flagging suspicious domains and working with ad providers to block fraudulent bid requests, HUMAN successfully cut off 95% of the Scallywag fraud-as-a-service operation. Scallywag's success relied heavily on cloaking and obfuscation techniques to evade detection. When ad platforms or advertisers directly visited the intermediary pages, they appeared as benign blogs. Only users redirected from piracy catalog sites encountered the ad-heavy, incentive-laden versions. The takedown has prompted many of Scallywag's affiliates to seek other scams, but the threat actors have shown resilience by rotating domains and moving to other monetization models, highlighting the need for continuous vigilance against ad fraud. Recommended read:
References :
@securityonline.info
//
A critical security vulnerability has been discovered in Active! Mail, a web-based email client popular among large Japanese organizations. The vulnerability, identified as CVE-2025-42599, is a stack-based buffer overflow that allows remote attackers to execute arbitrary code on affected systems. This flaw, which has a CVSS score of 9.8, poses a significant threat to over 2,250 organizations in Japan, potentially impacting more than 11 million accounts. The severity of this vulnerability stems from the fact that it can be exploited by unauthenticated attackers, meaning they do not need any login credentials to carry out an attack.
This zero-day remote code execution vulnerability is actively being exploited in attacks targeting large organizations in Japan. Successful exploitation of CVE-2025-42599 can lead to full server compromise, data theft, service disruption, or the installation of malware. Given that Active! Mail is a vital component in many Japanese-language business environments, including corporations, universities, government agencies, and banks, the potential impact is substantial. It is crucial to note that Active! mail is used in over 2,250 organizations, boasting over 11,000,000 accounts, making it a significant player in the country's business webmail market. In response to the active exploitation of this vulnerability, Qualitia, the developer of Active! Mail, released a security bulletin and a corrective patch on April 18, 2025. Users are strongly urged to update to Active! Mail 6 BuildInfo: 6.60.06008562 as soon as possible to mitigate the risk. The Japan Computer Emergency Response Team (JPCERT) has also issued an advisory emphasizing the urgency of applying the patch. For organizations unable to update immediately, JPCERT recommends configuring Web Application Firewalls (WAF) to inspect HTTP request bodies and block excessively large multipart/form-data headers as a temporary mitigation strategy. Recommended read:
References :
@securityonline.info
//
Cybercriminals are exploiting a legitimate Microsoft utility called mavinject.exe to inject malicious Dynamic Link Libraries (DLLs) into unsuspecting systems. This technique allows attackers to bypass security measures and execute sophisticated malicious payloads while appearing to be a benign process. Mavinject.exe is a command-line utility designed for Application Virtualization (App-V) environments, intended for injecting DLLs into specific processes. Because it's signed by Microsoft and has been a default component of Windows since version 1607, it is typically whitelisted by security solutions.
The exploitation of mavinject.exe involves using key Windows APIs such as OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. These APIs allow attackers to retrieve a handle to the target process, allocate memory within it, write the DLL path to the allocated memory, and create a new thread to load and execute the malicious DLL. By leveraging mavinject.exe, threat actors can achieve external code execution while circumventing detection, as the utility is considered a trusted application. This technique is categorized as Signed Binary Proxy Execution. Several Advanced Persistent Threat (APT) groups have been observed using mavinject.exe in real-world attacks. Earth Preta (Mustang Panda), a Chinese government-supported APT group, has used it to inject malicious DLLs, like backdoors, into legitimate processes such as waitfor.exe after initial access through phishing emails. The Lazarus Group has also employed mavinject.exe to inject malware into explorer.exe. Security measures recommended include monitoring mavinject.exe execution with specific arguments and API calls and, when not using App-V, blocking the utility altogether. Recommended read:
References :
Zack Whittaker@techcrunch.com
//
Marks & Spencer (M&S), a major British retailer, has confirmed that it is currently managing a cybersecurity incident. This confirmation follows several days of reported service disruptions affecting store operations and customer experiences. The company issued a statement acknowledging the incident and apologized to customers for any inconvenience caused. M&S has implemented operational changes to protect the business and its customers during this time.
Customer impact includes disruptions to contactless payments, online orders, and the Click & Collect service. Some customers reported issues as far back as Saturday through social media platform X, ranging from returns being unavailable to Click & Collect orders being delayed or unavailable. While M&S stated that stores remain open, the website and app are operating normally, and contactless payments are working again, the company is working hard to resolve the remaining technical issues. M&S claims it serves 32 million customers every year. In response to the cyber incident, Marks & Spencer has engaged external cybersecurity experts to investigate the matter and strengthen its network security. The company has also notified the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). While the exact nature of the cyberattack and the extent of any potential data breach have not been fully disclosed, M&S has assured customers that it is taking the situation seriously and will provide updates as appropriate. Customer trust is incredibly important to the company and if the situation changes an update will be provided as appropriate. Recommended read:
References :
Stu Sjouwerman@blog.knowbe4.com
//
References:
blog.knowbe4.com
, gbhackers.com
Cybercriminals are increasingly exploiting the power of artificial intelligence to enhance their malicious activities, marking a concerning trend in the cybersecurity landscape. Reports, including Microsoft’s Cyber Signals, highlight a surge in AI-assisted scams and phishing attacks. Guardio Labs has identified a specific phenomenon called "VibeScamming," where hackers leverage AI to create highly convincing phishing schemes and functional attack models with unprecedented ease. This development signifies a "democratization" of cybercrime, enabling individuals with limited technical skills to launch sophisticated attacks.
Cybersecurity researchers at Guardio Labs conducted a benchmark study that examined the capabilities of different AI models in facilitating phishing scams. While ChatGPT demonstrated some resistance due to its ethical guardrails, other platforms like Claude and Lovable proved more susceptible to malicious use. Claude provided detailed, usable code for phishing operations when prompted within an "ethical hacking" framework, while Lovable, designed for easy web app creation, inadvertently became a haven for scammers, offering instant hosting solutions, evasion tactics, and even integrated credential theft mechanisms. The ease with which these models can be exploited raises significant concerns about the balance between AI functionality and security. To combat these evolving threats, security experts emphasize the need for organizations to adopt a proactive and layered approach to cybersecurity. This includes implementing zero-trust principles, carefully verifying user identities, and continuously monitoring for suspicious activities. As threat actors increasingly blend social engineering with AI and automation to bypass detection, companies must prioritize security awareness training for employees and invest in advanced security solutions that can detect and prevent AI-powered attacks. With improved attack strategies, organizations must stay ahead of the curve by continuously refining their defenses and adapting to the ever-changing threat landscape. Recommended read:
References :
@Talkback Resources
//
Rogue npm Packages Plant SSH Backdoors - Typosquatted npm packages mimicking the Telegram bot API library plant SSH backdoors on Linux systems and exfiltrate data, accumulating around 300 downloads.
ImgSrc: s3.talkback.sh
Cybersecurity researchers have recently discovered a series of malicious packages lurking within the npm registry, a popular repository for JavaScript packages. These packages are designed to mimic the legitimate "node-telegram-bot-api," a widely-used library for creating Telegram bots. However, instead of providing bot functionalities, these rogue packages install SSH backdoors on Linux systems, granting attackers persistent, passwordless remote access. The identified malicious packages include "node-telegram-utils," "node-telegram-bots-api," and "node-telegram-util," which have accumulated around 300 downloads collectively.
The packages employ a technique known as "typosquatting," where they use names similar to the legitimate library to deceive developers into installing them. They also utilize "starjacking" by linking to the genuine library's GitHub repository, further enhancing their appearance of authenticity. Once installed on a Linux system, these malicious packages inject SSH keys into the "~/.ssh/authorized_keys" file, enabling attackers to remotely access the compromised machine. They also collect system information, including the username and external IP address, and transmit it to a remote server controlled by the attackers. Security experts warn that simply removing the malicious packages is insufficient to eliminate the threat. The injected SSH keys provide a persistent backdoor, allowing attackers to execute code and exfiltrate data even after the packages are uninstalled. This incident highlights the growing threat of supply chain attacks targeting development ecosystems like npm, underscoring the importance of rigorous dependency auditing and vigilant monitoring to safeguard systems from malicious code and unauthorized access. The researchers at Socket recommend immediate defensive actions to combat these types of threats. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
The North Korean hacking group Kimsuky has been identified as the perpetrator of a new cyber espionage campaign, dubbed "Larva-24005," that exploits a patched Microsoft Remote Desktop Services flaw, commonly known as BlueKeep (CVE-2019-0708), to gain initial access to systems. According to a report from the AhnLab Security intelligence Center (ASEC), Kimsuky targeted organizations in South Korea and Japan, primarily in the software, energy, and financial sectors, beginning in October 2023. The campaign also extended to other countries, including the United States, China, Germany, and Singapore, indicating a broader global reach.
The attackers used a combination of techniques to infiltrate systems. While RDP vulnerability scanners were found on compromised systems, the report indicates that the actual breaches were not always initiated through the use of these scanners. Instead, Kimsuky leveraged phishing emails containing malicious attachments that exploited the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to distribute malware. Once inside, the attackers installed a dropper to deploy various malware suites, including MySpy, designed to collect system information, and RDPWrap, a tool that facilitates persistent remote access by modifying system settings. To further their surveillance capabilities, Kimsuky deployed keyloggers such as KimaLogger and RandomQuery to capture user keystrokes. The group predominantly used ".kr" domains for their Command and Control (C2) operations, employing sophisticated setups to manage traffic routing and potentially evade detection. ASEC's analysis of the attackers' infrastructure revealed a global footprint, with victims identified in countries across Asia, Europe, and North America. The use of both RDP exploits and phishing suggests a versatile approach to compromising target systems, highlighting the importance of both patching vulnerabilities and educating users about phishing tactics. Recommended read:
References :
Nathaniel Morales@feeds.trendmicro.com
//
Cybercriminals are actively deploying FOG ransomware disguised as communications from the U.S. Department of Government Efficiency (DOGE) via malicious emails. This campaign, which has been ongoing since January, involves cybercriminals spreading FOG ransomware by claiming ties to DOGE in their phishing attempts. The attackers are impersonating the U.S. DOGE to infect targets across multiple sectors, including technology and healthcare. It has been revealed that over 100 victims have been impacted by this -DOGE-themed ransomware campaign since January.
Cybercriminals are distributing a ZIP file named "Pay Adjustment.zip" through phishing emails. Inside this archive is an LNK file disguised as a PDF document. Upon execution, this LNK file triggers a PowerShell script named "stage1.ps1", which downloads additional ransomware components. The script also opens politically themed YouTube videos, potentially to distract the victim. The initial ransomware note makes references to DOGE to add confusion. The attackers utilize a tool called 'Ktool.exe' to escalate privileges by exploiting a vulnerability in the Intel Network Adapter Diagnostic Driver. The ransomware note, RANSOMNOTE.txt, references DOGE and includes names of individuals associated with the department. Victims are being asked to pay $1,000 in Monero, although it is unclear whether paying the ransom leads to data recovery or if it is an elaborate troll. Trend Micro revealed that the latest samples of Fog ransomware, uploaded to VirusTotal between March 27 and April 2, 2025, spread through distribution of a ZIP file containing a LNK file disguised as a PDF. Recommended read:
References :
Lawrence Abrams@BleepingComputer
//
Microsoft Entra ID Glitch Causes Account Lockouts - Microsoft's new MACE security feature caused widespread account lockouts due to false positives, flagging legitimate user accounts as compromised.
ImgSrc: www.bleepstatic
A recent Microsoft Entra ID security update caused widespread account lockouts across numerous organizations, highlighting the potential risks associated with new security feature deployments. The issue stemmed from the rollout of a new "leaked credentials" detection app called MACE (Microsoft Account Credential Evaluation). This new feature inadvertently flagged legitimate user accounts, triggering automatic lockouts despite strong, unique passwords and multi-factor authentication (MFA) being in place.
Microsoft confirmed that the Entra account lockouts over the weekend were due to the invalidation of short-lived user refresh tokens mistakenly logged into internal systems. The problem was traced back to an internal logging mishap involving these tokens, where a subset of them were being logged internally, which deviates from the standard practice of logging only metadata. This logging error was identified on April 18, 2025, and promptly corrected. The incident caused significant disruption as Windows administrators from numerous organizations reported receiving alerts that user credentials had been found leaked on the dark web. However, users noticed discrepancies, such as passwordless accounts being affected and no matches on Have I Been Pwned (HIBP), raising suspicions of false positives. Microsoft has advised affected customers to use the “Confirm User Safe” feature in response to the erroneous alerts and is working to prevent future occurrences. Recommended read:
References :
@github.com
//
A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-32434, has been discovered in PyTorch, a widely used open-source machine learning framework. This flaw, detected by security researcher Ji’an Zhou, undermines the safety of the `torch.load()` function, even when configured with `weights_only=True`. This parameter was previously trusted to prevent unsafe deserialization, making the vulnerability particularly concerning for developers who relied on it as a security measure. The discovery challenges long-standing security assumptions within machine learning workflows.
This vulnerability affects PyTorch versions 2.5.1 and earlier and has been assigned a CVSS v4 score of 9.3, indicating a critical security risk. Attackers can exploit the flaw by crafting malicious model files that bypass deserialization restrictions, allowing them to execute arbitrary code on the target system during model loading. The impact is particularly severe in cloud-based AI environments, where compromised models could lead to lateral movement, data breaches, or data exfiltration. As Ji'an Zhou noted, the vulnerability is paradoxical because developers often use `weights_only=True` to mitigate security issues, unaware that it can still lead to RCE. To address this critical issue, the PyTorch team has released version 2.6.0. Users are strongly advised to immediately update their PyTorch installations. For systems that cannot be updated immediately, the only viable workaround is to avoid using `torch.load()` with `weights_only=True` entirely. Alternative model-loading methods, such as using explicit tensor extraction tools, are recommended until the patch is applied. With proof-of-concept exploits likely to emerge soon, delayed updates risk widespread system compromises. Recommended read:
References :
Krista Lyons@OpenVPN Blog
//
References:
Blog
, OpenVPN Blog
Multiple security vulnerabilities are currently being exploited in Fortinet and SonicWall products, posing a significant risk to organizations using these devices. The Cybersecurity and Infrastructure Security Agency (CISA) has taken notice, adding the SonicWall SMA100 Appliance flaw (CVE-2021-20035) to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by May 7, 2025. This vulnerability, which impacts SonicWall SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, allows remote authenticated attackers to inject arbitrary operating system commands.
Attackers have been actively exploiting the SonicWall SMA100 vulnerability (CVE-2021-20035) since January 2025. SonicWall has updated its security advisory to reflect the current active exploitation of the flaw which can lead to code execution, as opposed to a denial-of-service. While the vulnerability affects SMA100 devices running older firmware, customers are urged to upgrade to the latest firmware. In addition to the SonicWall vulnerability, threat actors are employing new techniques to exploit a 2023 FortiOS flaw (CVE-2023-27997). This involves manipulating symbolic links during the device’s boot process, allowing attackers with prior access to maintain control even after firmware updates. Fortinet has released security updates for FortiOS and FortiGate. Organizations using Fortinet products should apply the latest patches. Similarly, SonicWall users are advised to upgrade to the fixed versions of firmware, specifically 10.2.1.1-19sv and higher, 10.2.0.8-37sv and higher, or 9.0.0.11-31sv and higher. With both SonicWall and CISA confirming the CVE-2021-20035 exploit, details about the attacks remain scarce. Recommended read:
References :
@detect.fyi
//
The Black Basta ransomware group has demonstrated remarkable resilience and adaptability despite a significant leak of their internal communications, which occurred in the first quarter of 2025. Analysis of the leaked chat logs confirms that key actors within the group, operating under aliases like @usernamegg, @lapa, and @usernameugway, continue to coordinate attacks using shared infrastructure and custom tools. This indicates a high level of operational security and a focus on long-term planning, as the group rotates delivery domains, stages different botnets for specific functions, and carefully avoids detection through staggered attack timing and limited-volume delivery. The group's persistence highlights the challenges faced by defenders in disrupting sophisticated cybercrime enterprises.
Their tactics, techniques, and procedures (TTPs) align closely with those attributed by Microsoft to groups like Storm-1674, Storm-1811, and Storm-2410. These include exploiting vulnerabilities in Citrix and VPN portals, targeting weak authentication on ESXi hypervisors, employing credential stuffing attacks, and leveraging remote access utilities and scripts for payload delivery. Black Basta has also shown an increasing emphasis on social engineering, such as impersonating IT support staff via phone calls, mirroring techniques associated with Storm-2410. This adaptability and willingness to evolve their attack methods underscore the group's sophistication. Black Basta's operations involve a multi-stage attack chain, starting with initial access gained through various methods, including exploiting vulnerabilities in unpatched systems, phishing campaigns, and social engineering tactics such as impersonating IT help desks via Microsoft Teams. The group also employs lightweight downloaders, memory-based loaders, and obfuscated commands via tools like PowerShell and rundll32.exe, indicating a shift toward stealthier and more precise attack delivery. Detection methods for Black Basta include configuring Endpoint Detection and Response (EDR) tools to look for unusual file behavior, command-line activity, registry changes, and network traffic. Recommended read:
References :
@gbhackers.com
//
State-sponsored hacking groups from North Korea, Iran, and Russia are now widely employing the ClickFix social engineering tactic in their espionage campaigns. This technique, previously associated with cybercriminals, involves tricking users into copying, pasting, and running malicious commands, often through fake error messages and instructions. Proofpoint researchers first documented this shift over a three-month period from late 2024 to early 2025, noting that ClickFix has become an effective means of bypassing traditional security measures. This tactic replaces installation and execution stages in existing infection chains.
The adoption of ClickFix has been observed in various campaigns, each tailored to the specific objectives and targets of the respective state-sponsored actors. For instance, the North Korean actor TA427, also known as Kimsuky, utilized ClickFix in phishing campaigns targeting think tanks involved in North Korean affairs. By impersonating diplomatic personnel and leveraging spoofed document sharing platforms, TA427 successfully deployed the Quasar RAT, a remote access trojan. Meanwhile, Iranian group TA450 (MuddyWater) targeted organizations in the Middle East by masquerading as Microsoft security updates, deploying remote management tools for espionage and data exfiltration. Russian-linked groups, including UNK_RemoteRogue and TA422 (APT28), have also experimented with ClickFix, indicating its growing appeal across different nation-state actors. The simplicity and effectiveness of ClickFix, which relies on user interaction rather than sophisticated technical exploits, makes it a valuable tool for these groups. While not all groups have persistently used ClickFix after initial tests, its adoption by multiple state-sponsored actors underscores the evolving threat landscape and the need for heightened vigilance against social engineering tactics. This trend suggests that ClickFix, and similar user-interactive attack methods, will continue to pose a significant threat in the future. Recommended read:
References :
sila.ozeren@picussecurity.com (Sıla@Resources-2
//
A Chinese cyber-espionage group, identified as UNC5221, is actively exploiting a zero-day vulnerability, CVE-2025-22457, in Ivanti Connect Secure. UNC5221 is suspected to be a China-nexus cyber-espionage group known for aggressively targeting edge network devices, such as VPNs, firewalls, and routers, with zero-day exploits since at least 2023. This vulnerability allows for unauthenticated remote code execution, giving attackers the ability to gain unauthorized access to organizations’ networks. The group has a history of quickly leveraging new flaws in Ivanti's Pulse Connect Secure/Ivanti Connect Secure (ICS) VPN appliances.
The latest campaign, launched in mid-March 2025, involves deploying the BRICKSTORM backdoor in targeted cyberespionage campaigns across Europe, including U.S.-based targets. This backdoor has evolved, with the Windows version now leveraging network tunneling capabilities and valid credentials to compromise Remote Desktop Protocol and Server Message Block, unlike the original Linux-targeting payload. The campaign is part of a broader trend of Chinese state-sponsored attackers focusing on internet-facing infrastructure for espionage, impacting government and enterprise networks globally. Ivanti released a patch for CVE-2025-22457 on April 3, 2025, which affects Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways. The vulnerability is a stack-based buffer overflow that can be exploited by sending a crafted HTTP request with an overly long X-Forwarded-For header. CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog and recommends immediate action. Organizations using vulnerable Ivanti devices are strongly advised to apply the patch immediately and continuously monitor their external attack surface. Recommended read:
References :
|
