CyberSecurity news


@socprime.com //
The Billbug espionage group, also known as Lotus Blossom, Lotus Panda, and Bronze Elgin, is actively targeting government and critical sectors in Southeast Asia through a coordinated cyber intrusion campaign. Security researchers at Symantec have uncovered that this China-linked group compromised multiple organizations within a single Southeast Asian country between August 2024 and February 2025. The campaign marks a continuation of previously documented attacks in the region, showcasing the persistent threat posed by state-sponsored actors.

The attackers are employing sophisticated techniques, including DLL sideloading, to infiltrate systems. They are exploiting legitimate software from reputable vendors like Trend Micro and Bitdefender to load malicious loaders. Specifically, a Trend Micro binary named tmdbglog.exe is being used to sideload a malicious DLL named tmdglog.dll, which decrypts and executes further malicious code. Similarly, a Bitdefender binary, bds.exe, is abused to sideload a harmful file called log.dll. This DLL decrypts another file, winnt.config, and injects its payload into a Windows system process, systray.exe.
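As an added illustration, not part of the Symantec report or of this summary, the Python sketch below shows how a defender could surface the sideloading pattern described above from image-load telemetry: a known vendor binary such as tmdbglog.exe or bds.exe running outside its expected install directory, or loading an unsigned DLL that sits beside it. The event shape, the trusted install roots and every path in the sample events are constructed assumptions, not data from the campaign.

```python
"""Flag DLL sideloading candidates in image-load telemetry (constructed sample)."""
from pathlib import PureWindowsPath

# Signed vendor binaries the Symantec write-up reports being abused as sideloading hosts.
WATCHED_HOSTS = {"tmdbglog.exe", "bds.exe"}

# Assumption: the only install roots the vendor tools should legitimately run from.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed events in a simplified Sysmon Event ID 7 (ImageLoad) shape; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Trend Micro\Client\tmdbglog.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"image": r"C:\Users\Public\Libraries\tmdbglog.exe",
     "image_loaded": r"C:\Users\Public\Libraries\tmdglog.dll", "signed": False},
    {"image": r"C:\ProgramData\update\bds.exe",
     "image_loaded": r"C:\ProgramData\update\log.dll", "signed": False},
    {"image": r"C:\Windows\explorer.exe",
     "image_loaded": r"C:\Windows\System32\shell32.dll", "signed": True},
]


def _parent(path: str) -> str:
    """Directory of a Windows path, lower-cased, with a trailing backslash for prefix tests."""
    return str(PureWindowsPath(path).parent).lower() + "\\"


def detect_sideloading(events):
    """Return one finding per event in which a watched vendor binary looks sideloaded."""
    findings = []
    for ev in events:
        host = PureWindowsPath(ev["image"]).name.lower()
        if host not in WATCHED_HOSTS:
            continue
        reasons = []
        host_dir = _parent(ev["image"])
        if not host_dir.startswith(TRUSTED_ROOTS):
            reasons.append("vendor binary running outside its trusted install root")
        if host_dir == _parent(ev["image_loaded"]) and not ev["signed"]:
            reasons.append("loads an unsigned DLL from its own directory")
        if reasons:
            findings.append({
                "host": host,
                "dll": PureWindowsPath(ev["image_loaded"]).name.lower(),
                "path": ev["image"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_sideloading(SAMPLE_EVENTS):
        print(f"{finding['host']} -> {finding['dll']}: {'; '.join(finding['reasons'])}")
```

The first sample event (the vendor tool in its install directory loading a system DLL) produces no finding; the two copies dropped into user-writable directories beside an unsigned DLL each produce one. In production the watchlist would be fed from threat intelligence rather than hard-coded, and the signature check would come from the telemetry source.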

The targets of this campaign include a government ministry, an air traffic control organization, a telecommunications provider, and a construction company. Additionally, the group has targeted a news agency in another Southeast Asian country and an air freight organization in a neighboring country. The attackers are using new custom tools, including loaders, credential stealers, and a reverse SSH tool. Indicators of compromise (IOCs) related to Billbug activity have been identified, linking this campaign to the group's known tactics and infrastructure. These findings underscore the need for robust security measures and threat intelligence sharing to defend against such advanced cyber espionage efforts.

References:
  • industrialcyber.co: Billbug espionage group targets government, critical sectors in coordinated Southeast Asia cyber intrusion campaign
  • socprime.com: ESET’s Q2-Q3 2024 APT Activity Report highlights China-affiliated groups leading global APT operations, with campaigns aimed at intelligence gathering being among the most common and persistent threats.

info@thehackernews.com (The Hacker News) //
Russian threat actors have been aggressively targeting individuals and organizations with ties to Ukraine and human rights in campaigns that began in early March 2025. Cybersecurity firm Volexity has uncovered sophisticated attacks in which these actors abuse Microsoft's OAuth 2.0 authentication workflows to gain unauthorized access to Microsoft 365 (M365) accounts. This marks a shift from previously observed attacks that relied on device code phishing, and it shows the adversaries continually refining their tactics to evade detection. Volexity tracks at least two suspected Russian threat actors, UTA0352 and UTA0355, as being behind these attacks, though a connection to APT29, UTA0304, and UTA0307 has not been ruled out.

These threat actors are employing highly targeted social engineering operations, impersonating officials from various European nations and, in one instance, leveraging a compromised Ukrainian Government account. They are using messaging apps like Signal and WhatsApp to contact potential victims, enticing them with invitations to join private meetings with European political figures or events related to Ukraine. These conversations are designed to lead victims to click links hosted on Microsoft 365 infrastructure, furthering the attack.

The primary tactic involves tricking victims into providing Microsoft Authorization codes, which the attackers then use to gain account access, join attacker-controlled devices to Entra ID, and download emails and other account-related data. In one observed technique associated with UTA0352, the attackers lure users into granting access via OAuth workflows tied to Visual Studio Code and other Microsoft applications, exploiting URLs that redirect through official Microsoft services. UTA0355 uses a multi-stage approach, starting with emails sent from a compromised Ukrainian government account followed by social engineering via messaging apps.

References:
  • cyberpress.org: Cybersecurity firm Volexity has identified a series of sophisticated cyberattacks orchestrated by Russian threat actors abusing Microsoft’s OAuth 2.0 authentication workflows.
  • securityonline.info: Russian Hackers Abuse Microsoft 365 OAuth in Sophisticated Phishing Attacks
  • The Hacker News: Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp
  • www.volexity.com: Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
  • Virus Bulletin: Volexity researchers observed multiple Russian threat actors targeting individuals & organizations with ties to Ukraine and human rights. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows.

@cyberpress.org //
A new variant of the Lumma Stealer malware has been identified, showing significant advancements in its stealth and persistence. Researchers at the Trellix Advanced Research Center analyzed the new variant, discovering features such as code flow obfuscation and dynamic API resolution that help it evade detection. Lumma Stealer, originally introduced in 2022, has rapidly evolved and poses a serious threat to personal and organizational data by targeting sensitive information stored on infected systems.

Lumma Stealer, also known as LummaC2, has gained popularity in underground forums with over a thousand active subscribers as of March 2025. The malware uses deceptive methods such as fake CAPTCHA pages, mimicking Google reCAPTCHA or Cloudflare challenges, to trick users into executing malicious commands. These fraudulent pages are often hosted on compromised websites offering pirated content or cryptocurrency services, enticing unsuspecting users to initiate the infection chain.

The malware's infection chain is complex and difficult to detect. It involves downloading a .zip file, extracting the malware, and establishing persistence through the Windows Registry's Run key. More advanced attacks hide the malware within seemingly harmless .mp3 or .png files, triggered via the mshta.exe HTML application engine, deploying layers of encryption, anti-debugging techniques, and detection evasion mechanisms. The stealer targets sensitive data, including cryptocurrency wallet credentials, 2FA codes, browser-stored passwords, and financial information, which it transmits to attacker-controlled domains.

References:
  • cyberpress.org: A newly discovered variant of the Lumma InfoStealer malware has been analyzed by researchers at the Trellix Advanced Research Center, revealing significant enhancements in its stealth and persistence mechanisms. Originally identified in 2022, Lumma continues to evolve rapidly, posing serious risks to personal and organizational data. The latest analysis highlights the stealer’s aggressive use of
  • Talkback Resources: Lumma Stealer, a sophisticated information stealer introduced by Lumma in 2022, is gaining popularity in underground forums with over a thousand active subscribers as of March 2025, using deceptive delivery methods and complex infection chains to target sensitive data.
  • Virus Bulletin: Trellix researcher Mohideen Abdul Khader analyses a recent version of Lumma infostealer. The malware is capable of exfiltrating sensitive data from web browsers, email applications, cryptocurrency wallets & other PII stored in critical system directories.
  • Securelist: Lumma Stealer – Tracking distribution channels

info@thehackernews.com (The Hacker News) //
Russian military personnel are being targeted by a new Android spyware campaign that disguises itself as a legitimate Alpine Quest mapping application. The spyware, dubbed Android.Spy.1292.origin, is distributed through unofficial channels, including Russian Android app catalogs and a fake Telegram channel promoting a pirated "Pro" version of the app. Once installed, the trojanized app functions like the original Alpine Quest, a popular navigation tool used by outdoor enthusiasts and also relied upon by Russian soldiers in military zones due to its offline capabilities. This allows the malware to remain undetected while it secretly harvests sensitive data from the compromised device.

The spyware collects a wide range of information, including the user's phone number, contact lists, geolocation data, and a list of files stored on the device. This data is then sent to a remote command-and-control server and a Telegram bot controlled by the attackers. The attackers are particularly interested in retrieving confidential documents shared via messaging apps like Telegram and WhatsApp. The malware also targets a specific file called "locLog" created by Alpine Quest, which logs detailed user movement data. By stealing this file, the attackers can reconstruct the victim's movements over time, enabling surveillance.

Security researchers at Doctor Web discovered the campaign and noted the modular design of the spyware, which allows attackers to expand its capabilities by downloading additional modules. This enables the exfiltration of specific content and the execution of a wider range of malicious tasks. The attacks mirror tactics previously deployed by Russian groups against Ukrainian soldiers, seeking to access data from military apps and encrypted messaging apps. Experts advise downloading Android apps only from trusted app marketplaces and avoiding "free" paid versions of software from dubious sources to mitigate the risk posed by such threats.

References:
  • hackread.com: Fake Alpine Quest Mapping App Spotted Spying on Russian Military
  • Risky.Biz: Risky Bulletin: Russian military personnel targeted with Android spyware reminiscent of Russia's own tactics
  • Risky Business Media: Risky Bulletin: Russian military personnel targeted with Android spyware
  • The Hacker News: Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices
  • bsky.app: Podcast: risky.biz/RBNEWS415/ Newsletter: https://news.risky.biz/risky-bulletin-russian-military-personnel-targeted-with-android-spyware-reminiscent-of-russias-own-tactics/ -Russian military personnel targeted with Android spyware reminiscent of Russia's own tactics -Hegseth involved in 2nd Signalgate scandal -two CISA Secure by Designs execs leave -Asian cyber scam call centers spread worldwide
  • BleepingComputer: Russian army targeted by new Android malware hidden in mapping app
  • github.com: Details on trojanized Alpine Quest app version
  • The Register - Security: Booby-trapped Alpine Quest Android app geolocates Russian soldiers
  • www.scworld.com: Spyware-laced app targeted Russian military phones
  • securityaffairs.com: Android spyware hidden in mapping software targets Russian soldiers

Bill Toulas@BleepingComputer //
South Korea's largest mobile operator, SK Telecom, is grappling with the aftermath of a malware attack that has potentially exposed the sensitive Universal Subscriber Identity Module (USIM) data of its customers. The company detected the breach on Saturday, April 19, 2025, at 11 PM local time, prompting immediate action to delete the malware and isolate affected equipment. While SK Telecom has not confirmed any misuse of the compromised data thus far, the incident raises significant concerns about the security of customer information and the potential for identity theft and fraud. Millions of SK Telecom customers are potentially at risk following USIM data compromise.

The compromised USIM data acts as a key to a customer's digital identity, and unauthorized access can enable threat actors to impersonate individuals and access sensitive personal and financial information. This vulnerability extends to the potential for SIM card cloning, where fraudsters can duplicate USIMs to intercept calls, messages, and data for illegal activities. As the largest mobile carrier in South Korea, serving over 29 million subscribers, SK Telecom's breach highlights broader vulnerabilities within the telecommunications infrastructure. The incident has prompted calls for strengthened cybersecurity protocols across the industry to prevent future attacks of this nature.

The SK Telecom malware attack is a crucial lesson for the entire telecom industry. The risks of USIM data exposure, including identity theft, fraud, and broader infrastructure vulnerabilities, make protecting the personal identity information stored on USIMs a priority, and they underscore the need for robust security measures and regulatory compliance across the sector. In response, government agencies are expected to launch investigations and reassess regulatory frameworks to ensure the security and privacy of customer data in the telecommunications sector.


@cyberalerts.io //
A massive ad fraud operation dubbed "Scallywag" has been disrupted after researchers uncovered its scheme of generating up to 1.4 billion fraudulent ad requests daily. This operation monetized pirating and URL shortening websites through specially crafted WordPress plugins. These plugins, including Soralink, Yu Idea, WPSafeLink, and the Droplink extension, facilitated the insertion of ad-laden intermediary pages between piracy catalog sites and the desired pirated content, forcing users to interact with numerous ads and wait times.

HUMAN, a bot and fraud detection company, played a critical role in dismantling Scallywag's operations. The researchers identified anomalous traffic patterns, such as elevated ad impression volume and forced user interactions on seemingly innocuous WordPress blogs. By flagging suspicious domains and working with ad providers to block fraudulent bid requests, HUMAN successfully cut off 95% of the Scallywag fraud-as-a-service operation.

Scallywag's success relied heavily on cloaking and obfuscation techniques to evade detection. When ad platforms or advertisers directly visited the intermediary pages, they appeared as benign blogs. Only users redirected from piracy catalog sites encountered the ad-heavy, incentive-laden versions. The takedown has prompted many of Scallywag's affiliates to seek other scams, but the threat actors have shown resilience by rotating domains and moving to other monetization models, highlighting the need for continuous vigilance against ad fraud.

References:
  • bsky.app: A large-scale ad fraud operation called 'Scallywag' is monetizing pirating and URL shortening sites through specially crafted WordPress plugins that generate billions of daily fraudulent requests.
  • cyberpress.org: A sprawling ad fraud operation, codenamed “Scallywag,” has been disrupted after generating a staggering 1.4 billion fraudulent ad requests per day at its peak, according to threat intelligence researchers. Built around a suite of WordPress plugins, Scallywag enabled cybercriminals to monetize digital piracy and URL-shortening sites on an industrial scale, all while evading detection through
  • www.bleepingcomputer.com: A large-scale ad fraud operation called 'Scallywag' is monetizing pirating and URL shortening sites through specially crafted WordPress plugins that generate billions of daily fraudulent requests.
  • www.scworld.com: BleepingComputer reports that the wide-reaching Scallywag ad fraud operation that generated up to 1.4 billion fake ad requests daily to monetize pirating and URL shortening websites had its operations nearly dismantled following efforts from bot and fraud detection company HUMAN, prompting most of its affiliates to join other scams.

@securityonline.info //
A critical security vulnerability has been discovered in Active! Mail, a web-based email client popular among large Japanese organizations. The vulnerability, identified as CVE-2025-42599, is a stack-based buffer overflow that allows remote attackers to execute arbitrary code on affected systems. This flaw, which has a CVSS score of 9.8, poses a significant threat to over 2,250 organizations in Japan, potentially impacting more than 11 million accounts. The severity of this vulnerability stems from the fact that it can be exploited by unauthenticated attackers, meaning they do not need any login credentials to carry out an attack.

This zero-day remote code execution vulnerability is being actively exploited in attacks targeting large organizations in Japan. Successful exploitation of CVE-2025-42599 can lead to full server compromise, data theft, service disruption, or the installation of malware. Because Active! Mail is a vital component of many Japanese-language business environments, including corporations, universities, government agencies, and banks, and is deployed in over 2,250 organizations with more than 11,000,000 accounts, it is a significant player in the country's business webmail market and the potential impact is substantial.

In response to the active exploitation of this vulnerability, Qualitia, the developer of Active! Mail, released a security bulletin and a corrective patch on April 18, 2025. Users are strongly urged to update to Active! Mail 6 BuildInfo: 6.60.06008562 as soon as possible to mitigate the risk. The Japan Computer Emergency Response Team (JPCERT) has also issued an advisory emphasizing the urgency of applying the patch. For organizations unable to update immediately, JPCERT recommends configuring Web Application Firewalls (WAF) to inspect HTTP request bodies and block excessively large multipart/form-data headers as a temporary mitigation strategy.
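JPCERT's interim advice is a WAF rule. As an added example of the kind of check such a rule performs, and not Qualitia's code, JPCERT's rule or anything from the advisory, the Python function below walks the parts of a multipart/form-data body and rejects a request whose per-part header block, or any single header line, exceeds a size limit. The thresholds, the boundary string and the two sample bodies are constructed assumptions; nothing here reflects the internals of CVE-2025-42599.

```python
"""Reject multipart/form-data bodies with abnormally large part headers (illustrative WAF check)."""

# Assumed thresholds; tune them to what legitimate clients of the protected application send.
MAX_PART_HEADER_BYTES = 4096   # the whole header block of one part
MAX_HEADER_LINE_BYTES = 1024   # any single header line, e.g. Content-Disposition with a filename


def check_multipart(body: bytes, boundary: str):
    """Return (accepted, reason).

    Only the per-part header blocks are inspected: part bodies (file uploads) may be
    large by design and are not what this check is about.
    """
    delimiter = b"--" + boundary.encode("ascii")
    chunks = body.split(delimiter)
    if len(chunks) < 2:
        return False, "boundary not found in body"
    for index, chunk in enumerate(chunks[1:]):
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--" reached
            return True, "ok"
        headers, terminator, _ = chunk.partition(b"\r\n\r\n")
        if not terminator:
            return False, f"part {index}: no header terminator"
        if len(headers) > MAX_PART_HEADER_BYTES:
            return False, (f"part {index}: header block is {len(headers)} bytes "
                           f"(limit {MAX_PART_HEADER_BYTES})")
        for line in headers.split(b"\r\n"):
            if len(line) > MAX_HEADER_LINE_BYTES:
                return False, (f"part {index}: header line is {len(line)} bytes "
                               f"(limit {MAX_HEADER_LINE_BYTES})")
    return False, "no closing delimiter"


def build_body(boundary: str, parts):
    """Build a multipart/form-data body from (field_name, filename, content) tuples.
    Used only to construct the sample requests below."""
    out = bytearray()
    for name, filename, content in parts:
        out += f"--{boundary}\r\n".encode()
        disposition = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        out += disposition.encode() + b"\r\n"
        if filename is not None:
            out += b"Content-Type: application/octet-stream\r\n"
        out += b"\r\n" + content + b"\r\n"
    out += f"--{boundary}--\r\n".encode()
    return bytes(out)


BOUNDARY = "----ExampleBoundary7MA4YWxk"
# Constructed request bodies: an ordinary upload with a large file, and one whose
# Content-Disposition header is far longer than any legitimate client would send.
BENIGN_BODY = build_body(BOUNDARY, [("subject", None, b"hello"),
                                    ("attachment", "notes.txt", b"A" * 100_000)])
OVERSIZED_BODY = build_body(BOUNDARY, [("attachment", "x" * 20_000, b"payload")])

if __name__ == "__main__":
    print(check_multipart(BENIGN_BODY, BOUNDARY))
    print(check_multipart(OVERSIZED_BODY, BOUNDARY))
```

The benign body passes even though its file part is 100 KB, because only header bytes count against the limit; the second body is rejected at its first part. A real deployment would apply the check before the request reaches the application and log the rejection reason for triage.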

References:
  • bsky.app: An Active! Mail zero-day remote code execution vulnerability is actively exploited in attacks on large organizations in Japan.
  • securityonline.info: CVE-2025-42599: Critical Buffer Overflow in Active! mail Exploited in the Wild
  • The DefendOps Diaries: Explore the critical Active! Mail vulnerability impacting over 11 million accounts, highlighting the need for robust cybersecurity measures.
  • BleepingComputer: An Active! Mail zero-day remote code execution vulnerability is actively exploited in attacks on large organizations in Japan.

@securityonline.info //
Cybercriminals are exploiting a legitimate Microsoft utility called mavinject.exe to inject malicious Dynamic Link Libraries (DLLs) into unsuspecting systems. This technique allows attackers to bypass security measures and execute sophisticated malicious payloads while appearing to be a benign process. Mavinject.exe is a command-line utility designed for Application Virtualization (App-V) environments, intended for injecting DLLs into specific processes. Because it's signed by Microsoft and has been a default component of Windows since version 1607, it is typically whitelisted by security solutions.

The exploitation of mavinject.exe involves using key Windows APIs such as OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. These APIs allow attackers to retrieve a handle to the target process, allocate memory within it, write the DLL path to the allocated memory, and create a new thread to load and execute the malicious DLL. By leveraging mavinject.exe, threat actors can achieve external code execution while circumventing detection, as the utility is considered a trusted application. This technique is categorized as Signed Binary Proxy Execution.

Several Advanced Persistent Threat (APT) groups have been observed using mavinject.exe in real-world attacks. Earth Preta (Mustang Panda), a Chinese government-supported APT group, has used it to inject malicious DLLs, like backdoors, into legitimate processes such as waitfor.exe after initial access through phishing emails. The Lazarus Group has also employed mavinject.exe to inject malware into explorer.exe. Security measures recommended include monitoring mavinject.exe execution with specific arguments and API calls and, when not using App-V, blocking the utility altogether.
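To make the recommended monitoring concrete, here is an added Python example (not from ASEC's report or from this page) that scans process-creation events for mavinject.exe invoked with its DLL-injection switch and rates each hit by whether the parent process is the App-V client. The /INJECTRUNNING switch is mavinject's documented injection argument; the AppVClient.exe parent allowlist, the JSON event shape and the three sample events are constructed assumptions.

```python
"""Flag mavinject.exe DLL-injection use in process-creation telemetry (constructed sample)."""
import json
import re
from pathlib import PureWindowsPath

# mavinject.exe injects a DLL with:  mavinject.exe <pid> /INJECTRUNNING <dll path>
INJECT_RE = re.compile(r"\b(\d+)\s+/INJECTRUNNING\s+(\"[^\"]+\"|\S+)", re.IGNORECASE)

# Assumption: in a genuine App-V deployment the legitimate parent is the App-V client service.
EXPECTED_PARENTS = {"appvclient.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style, one JSON object per line).
SAMPLE_LOG = "\n".join([
    json.dumps({"Image": r"C:\Windows\System32\mavinject.exe",
                "CommandLine": r"mavinject.exe 4412 /INJECTRUNNING C:\Users\Public\loader.dll",
                "ParentImage": r"C:\Windows\System32\cmd.exe",
                "User": r"CORP\jdoe"}),
    json.dumps({"Image": r"C:\Windows\System32\mavinject.exe",
                "CommandLine": 'mavinject.exe 2100 /INJECTRUNNING "C:\\Program Files\\App\\hooks.dll"',
                "ParentImage": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe",
                "User": r"NT AUTHORITY\SYSTEM"}),
    json.dumps({"Image": r"C:\Windows\System32\notepad.exe",
                "CommandLine": "notepad.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "User": r"CORP\jdoe"}),
])


def detect_mavinject(log_text: str):
    """Return a finding for every mavinject.exe execution that carries /INJECTRUNNING."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if PureWindowsPath(ev["Image"]).name.lower() != "mavinject.exe":
            continue
        match = INJECT_RE.search(ev["CommandLine"])
        if not match:
            continue
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        findings.append({
            "target_pid": int(match.group(1)),
            "dll": match.group(2).strip('"'),
            "parent": parent,
            "user": ev["User"],
            # An unexpected parent (shell, Office, browser) is the sideloading/LOLBin signal.
            "severity": "info" if parent in EXPECTED_PARENTS else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_mavinject(SAMPLE_LOG):
        print(f"[{finding['severity']}] pid {finding['target_pid']} <- {finding['dll']} "
              f"(parent {finding['parent']}, user {finding['user']})")
```

Where App-V is not in use at all, the page's advice is simpler: block the binary outright, and the rule above becomes a pure alert on any execution.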

References:
  • ASEC: Mavinject.exe is a legitimate utility provided by Microsoft. It is used to inject DLLs into specific processes in an Application Virtualization (App-V) environment.
  • cyberpress.org: A recent wave of cyberattacks has highlighted how threat actors are increasingly turning to legitimate Windows system utilities to circumvent security measures and execute sophisticated malicious payloads.
  • gbhackers.com: Hackers are now exploiting a legitimate Microsoft utility, mavinject.exe, to inject malicious DLLs into unsuspecting systems.
  • securityonline.info: AhnLab Security Emergency Response Center (ASEC) has reported on the abuse of a legitimate Microsoft utility, mavinject.exe, by …

Zack Whittaker@techcrunch.com //
Marks & Spencer (M&S), a major British retailer, has confirmed that it is currently managing a cybersecurity incident. This confirmation follows several days of reported service disruptions affecting store operations and customer experiences. The company issued a statement acknowledging the incident and apologized to customers for any inconvenience caused. M&S has implemented operational changes to protect the business and its customers during this time.

Customer impact includes disruptions to contactless payments, online orders, and the Click & Collect service. Some customers reported issues as far back as Saturday through social media platform X, ranging from returns being unavailable to Click & Collect orders being delayed or unavailable. While M&S stated that stores remain open, the website and app are operating normally, and contactless payments are working again, the company is working hard to resolve the remaining technical issues. M&S claims it serves 32 million customers every year.

In response to the cyber incident, Marks & Spencer has engaged external cybersecurity experts to investigate the matter and strengthen its network security. The company has also notified the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). While the exact nature of the cyberattack and the extent of any potential data breach have not been fully disclosed, M&S has assured customers that it is taking the situation seriously, that customer trust is incredibly important to the company, and that if the situation changes an update will be provided as appropriate.

References:
  • CyberInsider: Marks & Spencer (M&S) has confirmed it is responding to a cybersecurity incident that has caused disruptions across its UK retail operations, including outages in payment systems and delays in store services such as order pick-ups and click-and-collect.
  • techcrunch.com: The company said it was necessary to make operational changes to protect the business.
  • www.itpro.com: Retail giant Marks & Spencer (M&S) has revealed it has been dealing with a “cyber incident” in recent days and apologized to customers amid disruption complaints.
  • The Register - Security: Retailer tight-lipped on details as digital hiccup disrupts customer orders. UK high street mainstay Marks & Spencer told the London Stock Exchange this afternoon it has been managing a "cyber incident" for "the past few days."…
  • Zack Whittaker: New, by me: Marks & Spencer has confirmed a cyber incident, as customers report disruption and outages. The U.K.-headquartered retail giant said it made operational changes to "protect" the business, and has notified data protection authorities.
  • The DefendOps Diaries: The Defend Ops Diaries article on Marks & Spencer Cyberattack: A Wake-Up Call for Retail Cybersecurity
  • securityaffairs.com: Marks & Spencer (M&S) confirmed it’s managing a cyber incident after multiple customer complaints surfaced on social media.
  • techcrunch.com: TechCrunch article on Marks & Spencer confirms cybersecurity incident amid ongoing disruption
  • BleepingComputer: Marks & Spencer confirms a cyberattack as customers face delayed orders
  • ComputerWeekly.com: Cyber attack downs systems at Marks & Spencer
  • www.cybersecurity-insiders.com: Mark & Spencer hit by Cyber Attack on Easter
  • hackread.com: M&S Cyberattack Disrupts Contactless Payments and Click & Collect Services
  • www.scworld.com: Marks & Spencer disrupted by cyberattack
  • thecyberexpress.com: UK retail giant Marks & Spencer has confirmed it is managing a cybersecurity incident, following several days of service disruption that affected store operations and customer experiences.
  • Tech Monitor: Marks & Spencer hit by cyberattack, services disrupted
  • The Record: In a statement filed to London’s stock exchange on Tuesday afternoon, retailer Marks & Spencer said it made “some minor, temporary changes to our store operations” as soon as it became aware of the incident.
  • bsky.app: Marks & Spencer (M&S) has disclosed that it is responding to a cyberattack over the past few days that has impacted operations, including its Click and Collect service. https://www.bleepingcomputer.com/news/security/marks-spencer-confirms-a-cyberattack-as-customers-face-delayed-orders/
  • hackread.com: Marks & Spencer (M&S) cyberattack disrupts contactless payments and Click & Collect; investigation launched as retailer apologises and…
  • techinformed.com: TechInformed report on M&S cyber attack impacting click and collect.
  • TechInformed: M&S cyber attack impacts click and collect and contactless payments
  • The Register - Security: Customers told to expect further delays as contactless payments still down. UK high street retailer Marks & Spencer says contactless payments are still down following its "cyber incident" and order delays are likely to continue.…
  • ComputerWeekly.com: M&S systems remain offline days after cyber incident

Stu Sjouwerman@blog.knowbe4.com //
Cybercriminals are increasingly exploiting the power of artificial intelligence to enhance their malicious activities, marking a concerning trend in the cybersecurity landscape. Reports, including Microsoft’s Cyber Signals, highlight a surge in AI-assisted scams and phishing attacks. Guardio Labs has identified a specific phenomenon called "VibeScamming," where hackers leverage AI to create highly convincing phishing schemes and functional attack models with unprecedented ease. This development signifies a "democratization" of cybercrime, enabling individuals with limited technical skills to launch sophisticated attacks.

Cybersecurity researchers at Guardio Labs conducted a benchmark study that examined the capabilities of different AI models in facilitating phishing scams. While ChatGPT demonstrated some resistance due to its ethical guardrails, other platforms like Claude and Lovable proved more susceptible to malicious use. Claude provided detailed, usable code for phishing operations when prompted within an "ethical hacking" framework, while Lovable, designed for easy web app creation, inadvertently became a haven for scammers, offering instant hosting solutions, evasion tactics, and even integrated credential theft mechanisms. The ease with which these models can be exploited raises significant concerns about the balance between AI functionality and security.

To combat these evolving threats, security experts emphasize the need for organizations to adopt a proactive and layered approach to cybersecurity. This includes implementing zero-trust principles, carefully verifying user identities, and continuously monitoring for suspicious activities. As threat actors increasingly blend social engineering with AI and automation to bypass detection, companies must prioritize security awareness training for employees and invest in advanced security solutions that can detect and prevent AI-powered attacks. With improved attack strategies, organizations must stay ahead of the curve by continuously refining their defenses and adapting to the ever-changing threat landscape.


@Talkback Resources //
Cybersecurity researchers have recently discovered a series of malicious packages lurking within the npm registry, a popular repository for JavaScript packages. These packages are designed to mimic the legitimate "node-telegram-bot-api," a widely-used library for creating Telegram bots. However, instead of providing bot functionalities, these rogue packages install SSH backdoors on Linux systems, granting attackers persistent, passwordless remote access. The identified malicious packages include "node-telegram-utils," "node-telegram-bots-api," and "node-telegram-util," which have accumulated around 300 downloads collectively.

The packages employ a technique known as "typosquatting," where they use names similar to the legitimate library to deceive developers into installing them. They also utilize "starjacking" by linking to the genuine library's GitHub repository, further enhancing their appearance of authenticity. Once installed on a Linux system, these malicious packages inject SSH keys into the "~/.ssh/authorized_keys" file, enabling attackers to remotely access the compromised machine. They also collect system information, including the username and external IP address, and transmit it to a remote server controlled by the attackers.

Security experts warn that simply removing the malicious packages is insufficient to eliminate the threat. The injected SSH keys provide a persistent backdoor, allowing attackers to execute code and exfiltrate data even after the packages are uninstalled. This incident highlights the growing threat of supply chain attacks targeting development ecosystems like npm, underscoring the importance of rigorous dependency auditing and vigilant monitoring to safeguard systems from malicious code and unauthorized access. The researchers at Socket recommend immediate defensive actions to combat these types of threats.
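Because the keys outlive the packages, the practical check is an audit of authorized_keys against a baseline. The following Python is an added example, not Socket's tooling or code from the report: it parses each key line including its options field, computes the OpenSSH-style SHA256 fingerprint, and reports every key whose fingerprint is not on an approved list. The sample file, the approved baseline and the key blobs are constructed (the blobs are structurally valid ssh-ed25519 entries but not real keys).

```python
"""Audit an authorized_keys file against a baseline of approved key fingerprints."""
import base64
import hashlib
import re

# Matches the key-type token, the base64 blob and an optional comment; anything before
# the key type is the options field (e.g. command="...", no-pty).
KEY_RE = re.compile(
    r"(?:^|\s)(?P<type>ssh-(?:ed25519|rsa|dss)|ecdsa-sha2-nistp\d{3}|sk-[\w-]+@openssh\.com)"
    r"\s+(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$"
)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob, as printed by ssh-keygen -lf."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield one dict per key line; blank lines and comments are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = KEY_RE.search(line)
        if not match:
            yield {"line": lineno, "error": "unparseable", "raw": raw}
            continue
        yield {"line": lineno,
               "options": line[:match.start()].strip(),
               "type": match.group("type"),
               "fingerprint": fingerprint(match.group("blob")),
               "comment": match.group("comment") or ""}


def audit_authorized_keys(text: str, approved: set):
    """Split keys into approved and unknown; every unknown key is a candidate backdoor."""
    report = {"approved": [], "unknown": [], "errors": []}
    for entry in parse_authorized_keys(text):
        if "error" in entry:
            report["errors"].append(entry)
        elif entry["fingerprint"] in approved:
            report["approved"].append(entry)
        else:
            report["unknown"].append(entry)
    return report


def fake_ed25519_blob(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 blob from 32 deterministic bytes.
    Constructed for the sample only; it is not a real key pair."""
    pub = hashlib.sha256(seed).digest()
    wire = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + pub
    return base64.b64encode(wire).decode()


# Constructed sample file: one approved, restricted admin key and one key nobody
# provisioned, which is what an injected backdoor entry looks like.
ADMIN_BLOB = fake_ed25519_blob(b"admin-workstation")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by config management",
    f'no-port-forwarding,command="/usr/bin/backup" ssh-ed25519 {ADMIN_BLOB} admin@workstation',
    f"ssh-ed25519 {fake_ed25519_blob(b'unknown-key')} ubuntu@build",
    "this line is not a key",
])
APPROVED_FINGERPRINTS = {fingerprint(ADMIN_BLOB)}

if __name__ == "__main__":
    report = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS)
    for entry in report["unknown"]:
        print(f"line {entry['line']}: unknown {entry['type']} key "
              f"{entry['fingerprint']} ({entry['comment']})")
```

Run against the real file of every account on a host (not only the developer's own), since the page does not say which user's authorized_keys the packages wrote to; the fingerprints it prints can be compared directly with ssh-keygen -lf output from the baseline inventory.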

References:
  • ciso2ciso.com: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • Talkback Resources: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • The Hacker News: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • Talkback Resources: Talkback.sh discusses Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems [app] [net] [mal]
  • ciso2ciso.com: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems – Source:thehackernews.com
  • linuxsecurity.com: We Linux security administrators face a growing challenge with sophisticated supply chain attacks targeting popular development ecosystems, such as npm.
  • securityonline.info: Malicious npm Packages Backdoor Telegram Bot Developers
  • gbhackers.com: Malicious npm Packages Target Linux Developers with SSH Backdoor Attacks
  • gbhackers.com: In a sophisticated onslaught targeting the open-source ecosystem, reports have emerged detailing several malicious npm packages that are nefariously exploiting the Telegram Bot API to install backdoors on unsuspecting developers’ Linux systems.

Pierluigi Paganini@Security Affairs //
The North Korean hacking group Kimsuky has been identified as the perpetrator of a new cyber espionage campaign, dubbed "Larva-24005," that exploits a patched Microsoft Remote Desktop Services flaw, commonly known as BlueKeep (CVE-2019-0708), to gain initial access to systems. According to a report from the AhnLab Security Intelligence Center (ASEC), Kimsuky targeted organizations in South Korea and Japan, primarily in the software, energy, and financial sectors, beginning in October 2023. The campaign also extended to other countries, including the United States, China, Germany, and Singapore, indicating a broader global reach.

The attackers used a combination of techniques to infiltrate systems. While RDP vulnerability scanners were found on compromised systems, the report indicates that the actual breaches were not always initiated through the use of these scanners. Instead, Kimsuky leveraged phishing emails containing malicious attachments that exploited the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to distribute malware. Once inside, the attackers installed a dropper to deploy various malware suites, including MySpy, designed to collect system information, and RDPWrap, a tool that facilitates persistent remote access by modifying system settings.

To further their surveillance capabilities, Kimsuky deployed keyloggers such as KimaLogger and RandomQuery to capture user keystrokes. The group predominantly used ".kr" domains for their Command and Control (C2) operations, employing sophisticated setups to manage traffic routing and potentially evade detection. ASEC's analysis of the attackers' infrastructure revealed a global footprint, with victims identified in countries across Asia, Europe, and North America. The use of both RDP exploits and phishing suggests a versatile approach to compromising target systems, highlighting the importance of both patching vulnerabilities and educating users about phishing tactics.

Recommended read:
References :
  • securityaffairs.com: Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan
  • The Hacker News: Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan
  • gbhackers.com: The AhnLab Security Intelligence Center (ASEC) has released a detailed analysis of a sophisticated cyber campaign dubbed “Larva-24005,” linked to the notorious North Korean hacking group Kimsuky.
  • securityonline.info: A new cybersecurity report from the AhnLab Security Intelligence Center (ASEC) has shed light on a recently identified
  • Daily CyberSecurity: A new cybersecurity report from the AhnLab Security Intelligence Center (ASEC) has shed light on a recently identified
  • ciso2ciso.com: Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan – Source: securityaffairs.com
  • ciso2ciso.com: Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan
  • www.csoonline.com: North Korea-backed Kimsuky targets unpatched BlueKeep systems in new campaign
  • www.scworld.com: Attacks with BlueKeep, Microsoft Office exploits launched by Kimsuky-linked group

Nathaniel Morales@feeds.trendmicro.com //
Cybercriminals are actively deploying FOG ransomware disguised as communications from the U.S. Department of Government Efficiency (DOGE) via malicious emails. This campaign, which has been ongoing since January, involves cybercriminals spreading FOG ransomware by claiming ties to DOGE in their phishing attempts. The attackers are impersonating the U.S. DOGE to infect targets across multiple sectors, including technology and healthcare. It has been revealed that over 100 victims have been impacted by this DOGE-themed ransomware campaign since January.

Cybercriminals are distributing a ZIP file named "Pay Adjustment.zip" through phishing emails. Inside this archive is an LNK file disguised as a PDF document. Upon execution, this LNK file triggers a PowerShell script named "stage1.ps1", which downloads additional ransomware components. The script also opens politically themed YouTube videos, potentially to distract the victim. The initial ransomware note makes references to DOGE to add confusion. The attackers utilize a tool called 'Ktool.exe' to escalate privileges by exploiting a vulnerability in the Intel Network Adapter Diagnostic Driver.

The ransomware note, RANSOMNOTE.txt, references DOGE and includes names of individuals associated with the department. Victims are being asked to pay $1,000 in Monero, although it is unclear whether paying the ransom leads to data recovery or if it is an elaborate troll. Trend Micro revealed that the latest samples of Fog ransomware, uploaded to VirusTotal between March 27 and April 2, 2025, spread through distribution of a ZIP file containing a LNK file disguised as a PDF.

Recommended read:
References :
  • cyberinsider.com: FOG Ransomware Impersonates U.S. DOGE to Infect Targets
  • gbhackers.com: Cybercriminals Deploy FOG Ransomware Disguised as DOGE via Malicious Emails
  • www.trendmicro.com: FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE
  • www.scworld.com: Fog ransomware notes troll with DOGE references, bait insider attacks
  • securityonline.info: FOG Ransomware Campaign Targets Multiple Sectors with Phishing and Payload Obfuscation
  • darkwebinformer.com: FOG Ransomware Attack Update for the 21st of April 2025
  • bsky.app: DOGE-themed ransomware hit 100+ victims since January
  • www.cybersecurity-insiders.com: The Fog Ransomware gang, which has been making headlines over the past week due to its increasingly audacious demands, is now requesting a staggering $1 trillion from its victims.

Lawrence Abrams@BleepingComputer //
A recent Microsoft Entra ID security update caused widespread account lockouts across numerous organizations, highlighting the potential risks associated with new security feature deployments. The issue stemmed from the rollout of a new "leaked credentials" detection app called MACE (Microsoft Account Credential Evaluation). This new feature inadvertently flagged legitimate user accounts, triggering automatic lockouts despite strong, unique passwords and multi-factor authentication (MFA) being in place.

Microsoft confirmed that the Entra account lockouts over the weekend were due to the invalidation of short-lived user refresh tokens that had mistakenly been logged into internal systems. The problem was traced back to an internal logging mishap in which a subset of these tokens was being logged internally, a deviation from the standard practice of logging only metadata. This logging error was identified on April 18, 2025, and promptly corrected.

The incident caused significant disruption as Windows administrators from numerous organizations reported receiving alerts that user credentials had been found leaked on the dark web. However, users noticed discrepancies, such as passwordless accounts being affected and no matches on Have I Been Pwned (HIBP), raising suspicions of false positives. Microsoft has advised affected customers to use the “Confirm User Safe” feature in response to the erroneous alerts and is working to prevent future occurrences.

Recommended read:
References :
  • BleepingComputer: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.
  • The DefendOps Diaries: Microsoft Entra ID Glitch: Lessons from a Security Feature Misstep
  • www.bleepingcomputer.com: Widespread Microsoft Entra lockouts tied to new security feature rollout
  • bsky.app: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.
  • www.techradar.com: Microsoft appears to have flagged some users’ credentials as being compromised erroneously, locking them out.
  • Blog: Microsoft leaked credentials false positives trigger widespread lockouts
  • www.bleepingcomputer.com: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.
  • cybersecuritynews.com: Microsoft Addresses Entra ID Token Logging Issue, Alerts to Protect Users
  • hackread.com: Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new…
  • www.bleepingcomputer.com: Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID's "leaked credentials" detection app called MACE.
  • Anonymous: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.

@github.com //
A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-32434, has been discovered in PyTorch, a widely used open-source machine learning framework. This flaw, detected by security researcher Ji’an Zhou, undermines the safety of the `torch.load()` function, even when configured with `weights_only=True`. This parameter was previously trusted to prevent unsafe deserialization, making the vulnerability particularly concerning for developers who relied on it as a security measure. The discovery challenges long-standing security assumptions within machine learning workflows.

This vulnerability affects PyTorch versions 2.5.1 and earlier and has been assigned a CVSS v4 score of 9.3, indicating a critical security risk. Attackers can exploit the flaw by crafting malicious model files that bypass deserialization restrictions, allowing them to execute arbitrary code on the target system during model loading. The impact is particularly severe in cloud-based AI environments, where compromised models could lead to lateral movement, data breaches, or data exfiltration. As Ji'an Zhou noted, the vulnerability is paradoxical because developers often use `weights_only=True` to mitigate security issues, unaware that it can still lead to RCE.

To address this critical issue, the PyTorch team has released version 2.6.0. Users are strongly advised to immediately update their PyTorch installations. For systems that cannot be updated immediately, the only viable workaround is to avoid using `torch.load()` with `weights_only=True` entirely. Alternative model-loading methods, such as using explicit tensor extraction tools, are recommended until the patch is applied. With proof-of-concept exploits likely to emerge soon, delayed updates risk widespread system compromises.

Recommended read:
References :

Krista Lyons@OpenVPN Blog //
Multiple security vulnerabilities are currently being exploited in Fortinet and SonicWall products, posing a significant risk to organizations using these devices. The Cybersecurity and Infrastructure Security Agency (CISA) has taken notice, adding the SonicWall SMA100 Appliance flaw (CVE-2021-20035) to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by May 7, 2025. This vulnerability, which impacts SonicWall SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, allows remote authenticated attackers to inject arbitrary operating system commands.

Attackers have been actively exploiting the SonicWall SMA100 vulnerability (CVE-2021-20035) since January 2025. SonicWall has updated its security advisory to reflect the current active exploitation of the flaw which can lead to code execution, as opposed to a denial-of-service. While the vulnerability affects SMA100 devices running older firmware, customers are urged to upgrade to the latest firmware. In addition to the SonicWall vulnerability, threat actors are employing new techniques to exploit a 2023 FortiOS flaw (CVE-2023-27997). This involves manipulating symbolic links during the device’s boot process, allowing attackers with prior access to maintain control even after firmware updates.

Fortinet has released security updates for FortiOS and FortiGate. Organizations using Fortinet products should apply the latest patches. Similarly, SonicWall users are advised to upgrade to the fixed firmware versions, specifically 10.2.1.1-19sv and higher, 10.2.0.8-37sv and higher, or 9.0.0.11-31sv and higher. Although both SonicWall and CISA have confirmed that CVE-2021-20035 is being exploited, details about the attacks remain scarce.

Recommended read:
References :
  • Blog: Threat actors using new technique to exploit 2023 FortiOS flaw
  • OpenVPN Blog: SonicWall VPN Exploited, 16,000 Fortinet Devices Compromised | OpenVPN

@detect.fyi //
The Black Basta ransomware group has demonstrated remarkable resilience and adaptability despite a significant leak of their internal communications, which occurred in the first quarter of 2025. Analysis of the leaked chat logs confirms that key actors within the group, operating under aliases like @usernamegg, @lapa, and @usernameugway, continue to coordinate attacks using shared infrastructure and custom tools. This indicates a high level of operational security and a focus on long-term planning, as the group rotates delivery domains, stages different botnets for specific functions, and carefully avoids detection through staggered attack timing and limited-volume delivery. The group's persistence highlights the challenges faced by defenders in disrupting sophisticated cybercrime enterprises.

Their tactics, techniques, and procedures (TTPs) align closely with those attributed by Microsoft to groups like Storm-1674, Storm-1811, and Storm-2410. These include exploiting vulnerabilities in Citrix and VPN portals, targeting weak authentication on ESXi hypervisors, employing credential stuffing attacks, and leveraging remote access utilities and scripts for payload delivery. Black Basta has also shown an increasing emphasis on social engineering, such as impersonating IT support staff via phone calls, mirroring techniques associated with Storm-2410. This adaptability and willingness to evolve their attack methods underscore the group's sophistication.

Black Basta's operations involve a multi-stage attack chain, starting with initial access gained through various methods, including exploiting vulnerabilities in unpatched systems, phishing campaigns, and social engineering tactics such as impersonating IT help desks via Microsoft Teams. The group also employs lightweight downloaders, memory-based loaders, and obfuscated commands via tools like PowerShell and rundll32.exe, indicating a shift toward stealthier and more precise attack delivery. Detection methods for Black Basta include configuring Endpoint Detection and Response (EDR) tools to look for unusual file behavior, command-line activity, registry changes, and network traffic.

Recommended read:
References :
  • detect.fyi: Analysis of Black Basta's ransomware resilience and evolution after a data leak.
  • medium.com: Information on Black Basta's use of lightweight downloaders, memory-based loaders, and obfuscated commands.
  • valhalla.nextron-systems.com: Report on Black Basta's ransomware operations.
  • wazuh.com: Analysis of the leaked Black Basta chat logs revealing their operational methods.

@gbhackers.com //
State-sponsored hacking groups from North Korea, Iran, and Russia are now widely employing the ClickFix social engineering tactic in their espionage campaigns. This technique, previously associated with cybercriminals, involves tricking users into copying, pasting, and running malicious commands, often through fake error messages and instructions. Proofpoint researchers first documented this shift over a three-month period from late 2024 to early 2025, noting that ClickFix has become an effective means of bypassing traditional security measures. This tactic replaces installation and execution stages in existing infection chains.

The adoption of ClickFix has been observed in various campaigns, each tailored to the specific objectives and targets of the respective state-sponsored actors. For instance, the North Korean actor TA427, also known as Kimsuky, utilized ClickFix in phishing campaigns targeting think tanks involved in North Korean affairs. By impersonating diplomatic personnel and leveraging spoofed document sharing platforms, TA427 successfully deployed the Quasar RAT, a remote access trojan. Meanwhile, Iranian group TA450 (MuddyWater) targeted organizations in the Middle East by masquerading as Microsoft security updates, deploying remote management tools for espionage and data exfiltration.

Russian-linked groups, including UNK_RemoteRogue and TA422 (APT28), have also experimented with ClickFix, indicating its growing appeal across different nation-state actors. The simplicity and effectiveness of ClickFix, which relies on user interaction rather than sophisticated technical exploits, make it a valuable tool for these groups. While not all groups have persistently used ClickFix after initial tests, its adoption by multiple state-sponsored actors underscores the evolving threat landscape and the need for heightened vigilance against social engineering tactics. This trend suggests that ClickFix, and similar user-interactive attack methods, will continue to pose a significant threat in the future.

Recommended read:
References :
  • gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • The Hacker News: Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware
  • www.scworld.com: Attacks leveraging the ClickFix social engineering technique have been increasingly conducted by state-backed threat operations to facilitate malware infections over the past few months, reports The Hacker News.
  • www.bleepingcomputer.com: State-sponsored hackers embrace ClickFix social engineering tactic
  • cyberpress.org: State-Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
  • cybersecuritynews.com: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • Cyber Security News: State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • Cyber Security News: State Sponsored Hackers Widely Deploy ClickFix Attack in Espionage Campaigns
  • www.techradar.com: State-sponsored actors spotted using ClickFix hacking tool developed by criminals
  • BleepingComputer: ClickFix attacks are being increasingly adopted by threat actors of all levels, with researchers now seeing multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia utilizing the tactic to breach networks.
  • securityonline.info: State-Sponsored Actors Adopt ClickFix Technique in Cyber Espionage
  • hackread.com: State-Backed Hackers from North Korea, Iran and Russia Use ClickFix in New Espionage Campaigns
  • hackread.com: North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks
  • sra.io: Beware of ClickFix: A Growing Social Engineering Threat
  • The DefendOps Diaries: The Rise of ClickFix: A New Social Engineering Threat
  • Anonymous: ClickFix attacks are gaining traction among threat actors, with multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia adopting the technique in recent espionage campaigns.
  • Know Your Adversary: 112. State-Sponsored Threat Actors Adopted ClickFix Technique
  • www.itpro.com: State-sponsored cyber groups are flocking to the ‘ClickFix’ social engineering technique for the first time – and to great success.
  • Proofpoint Threat Insight: Proofpoint researchers discovered state-sponsored actors from North Korea, Iran and Russia experimenting in multiple campaigns with the ClickFix social engineering technique as a stage in their infection chains.

sila.ozeren@picussecurity.com (Sıla)@Resources-2 //
A Chinese cyber-espionage group, identified as UNC5221, is actively exploiting a zero-day vulnerability, CVE-2025-22457, in Ivanti Connect Secure. UNC5221 is suspected to be a China-nexus cyber-espionage group known for aggressively targeting edge network devices, such as VPNs, firewalls, and routers, with zero-day exploits since at least 2023. This vulnerability allows for unauthenticated remote code execution, giving attackers the ability to gain unauthorized access to organizations’ networks. The group has a history of quickly leveraging new flaws in Ivanti's Pulse Connect Secure/Ivanti Connect Secure (ICS) VPN appliances.

The latest campaign, launched in mid-March 2025, involves deploying the BRICKSTORM backdoor in targeted cyberespionage campaigns across Europe, including U.S.-based targets. This backdoor has evolved, with the Windows version now leveraging network tunneling capabilities and valid credentials to compromise Remote Desktop Protocol and Server Message Block, unlike the original Linux-targeting payload. The campaign is part of a broader trend of Chinese state-sponsored attackers focusing on internet-facing infrastructure for espionage, impacting government and enterprise networks globally.

Ivanti released a patch for CVE-2025-22457 on April 3, 2025, which affects Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways. The vulnerability is a stack-based buffer overflow that can be exploited by sending a crafted HTTP request with an overly long X-Forwarded-For header. CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog and recommends immediate action. Organizations using vulnerable Ivanti devices are strongly advised to apply the patch immediately and continuously monitor their external attack surface.

Recommended read:
References :
  • watchTowr Labs: Watchtowr description
  • Resources-2: Who Is the China-Nexus Group UNC5221? UNC5221 is a suspected China-nexus cyber-espionage group known for aggressively targeting edge network devices (VPNs, firewalls, routers) with zero-day exploits since at least 2023.
  • www.scworld.com: Organizations across Europe are having their Windows systems compromised with the BRICKSTORM backdoor linked to Chinese state-backed threat operation UNC5221 as part of a cyberespionage campaign that commenced three years ago, Infosecurity Magazine reports.
  • blog.criminalip.io: Response Strategy for Ivanti VPN Vulnerability CVE-2025-22457: CTI-Based Attack Surface Detection