CyberSecurity news

FlagThis

@The GreyNoise Blog //
Cybersecurity researchers have issued a warning about a significant surge in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways. Nearly 24,000 unique IP addresses have been observed attempting to access these portals, raising concerns among experts. The activity is suspected to be a coordinated effort aimed at identifying exposed or vulnerable systems, potentially as a precursor to targeted exploitation. GreyNoise, a threat intelligence firm, has indicated that this pattern suggests a systematic probing of network defenses.

The surge reportedly began on March 17, 2025, with the number of unique IP addresses involved peaking at nearly 20,000 per day before tapering off around March 26. Of the total IPs involved, a smaller subset of 154 have been flagged as malicious. The United States and Canada have been identified as the primary sources of the traffic, while systems in the United States, the United Kingdom, Ireland, Russia, and Singapore are the main targets. Organizations using Palo Alto Networks products are urged to take immediate steps to secure their login portals.

Recommended read:
References :
  • The Hacker News: Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign
  • The Hacker News: Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign
  • BleepingComputer: Nearly 24,000 IPs behind wave of Palo Alto Global Protect scans
  • The GreyNoise Blog: Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats

Bill Mann@CyberInsider //
References: bsky.app , CyberInsider , The Apple Post ...
Apple has released a series of critical security updates for its operating systems, including iOS 18.4 and macOS Sequoia 15.4. These updates address a total of 145 vulnerabilities, including several zero-day exploits that may have been actively exploited. Users of iOS, iPadOS, macOS, tvOS, visionOS, Safari, and Xcode are urged to update their devices immediately to safeguard against potential security threats. Notably, watchOS was missing from this patch lineup.

Apple pushed emergency updates targeting three zero-day vulnerabilities identified as CVE-2025-24200 (Accessibility) and CVE-2025-24201 (WebKit). These patches have been backported to older iOS and iPadOS versions, specifically 15.8.4 and 16.7.11, ensuring that users on older devices are also protected from these actively exploited flaws. The updates include fixes for bugs in WebKit, Siri, Safari, and libxpc, along with numerous other security enhancements, underscoring Apple's commitment to addressing security vulnerabilities across its product ecosystem.

Recommended read:
References :
  • bsky.app: EMERGENCY UPDATES Apple pushed additional updates for 3 zero-days that may have been actively exploited. CVE-2025-24200 (Accessibility) additional patches, CVE-2025-24201 (WebKit) additional patches: - iOS and iPadOS 15.8.4 - iOS and iPadOS 16.7.11
  • CyberInsider: Apple has issued a wide set of security updates, patching multiple zero-day vulnerabilities across its operating systems — including iOS, macOS, iPadOS, and Safari — and notably extended critical fixes to older software versions, addressing previously exploited flaws.
  • isc.sans.edu: Apple Patches Everything: March 31st 2025 Edition, (Mon, Mar 31st)
  • The Apple Post: Apple releases iOS 18.4 with Priority Notifications feature, Control Center updates, new emoji, more

@The DefendOps Diaries //
References: bsky.app , The DefendOps Diaries , Rescana ...
A critical authentication bypass vulnerability, identified as CVE-2025-2825, is actively being exploited in CrushFTP file transfer software. Attackers are leveraging publicly available proof-of-concept code to gain unauthenticated access to unpatched devices. The flaw affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, with security analysts confirming that a significant number of instances remain unpatched despite the availability of patches since March 26, 2025. Project Discovery has published a technical write-up and PoC for the bypass.

The vulnerability stems from improper handling of HTTP requests utilizing S3-style authorization headers. Attackers can craft malicious AWS S3-style authorization headers containing a valid username, bypassing password verification. Once access is gained, attackers can execute administrative commands, download sensitive files, create new administrator accounts, and upload malicious payloads, potentially leading to complete system compromise. CrushFTP has addressed this in version 11.3.1 by introducing a new security parameter, s3_auth_lookup_password_supported, set to false by default.

Recommended read:
References :
  • bsky.app: Project Discovery has published a technical write-up and PoC for a recent CrushFTP authentication bypass tracked as CVE-2025-2825
  • The DefendOps Diaries: Understanding the CrushFTP Authentication Bypass Vulnerability: A Critical Cybersecurity Threat
  • BleepingComputer: Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code.
  • Rescana: CrushFTP CVE-2025-2825 Vulnerability: Critical Authentication Bypass Exploit and Mitigation Strategies
  • community.emergingthreats.net: CrushFTP Authentication Bypass (CVE-2025-2825) (web_specific_apps.rules)
  • securityaffairs.com: CrushFTP CVE-2025-2825 flaw actively exploited in the wild
  • www.cybersecuritydive.com: Critical vulnerability in CrushFTP file transfer software under attack

Dissent@DataBreaches.Net //
A former GCHQ intern, Hasaan Arshad, has pleaded guilty to violating the Computer Misuse Act by transferring top-secret data from a secure GCHQ computer to his work phone. He then moved the data to a personal hard drive connected to his home PC. Arshad admitted to the unauthorized acts, which prosecutors say involved a "top secret" tool worth millions of pounds. The tool was developed using a "significant amount" of taxpayer money.

Arshad, a student at the University of Manchester, was arrested and his home searched in September 2022. While he claimed his actions stemmed from curiosity and a desire to further develop the software, the incident underscores the risk of insider threats. Cybersecurity experts highlight the need for organizations to implement strict access controls, restrict removable media, and manage mobile device capabilities in sensitive areas to prevent such breaches.

Recommended read:
References :
  • DataBreaches.Net: Here’s today’s reminder of the insider threat (well, this, and the fact that U.S. government officials continue to deny any problem with discussing attack plans on Signal).
  • The Register - Security: Not exactly Snowden levels of skill A student at Britain's top eavesdropping government agency has pleaded guilty to taking sensitive information home on the first day of his trial.…
  • www.itpro.com: A former GCHQ intern has pleaded guilty to transferring data from a top-secret computer onto his work phone.

Microsoft Threat@Microsoft Security Blog //
Microsoft has uncovered 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders using its AI-powered Security Copilot. These bootloaders are critical components, with GRUB2 commonly used in Linux distributions like Ubuntu, and U-Boot and Barebox prevalent in embedded and IoT devices. The identified vulnerabilities include integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison, potentially enabling threat actors to gain control and execute arbitrary code.

Water Gamayun, a suspected Russian hacking group, has been linked to the exploitation of CVE-2025-26633 (MSC EvilTwin) to deploy SilentPrism and DarkWisp. The group uses malicious provisioning packages, signed .msi files, and Windows MSC files to deliver information stealers and backdoors. These backdoors, SilentPrism and DarkWisp, enable persistence, system reconnaissance, data exfiltration, and remote command execution. The threat actors transitioned to their own infrastructure for staging and command-and-control purposes after using a GitHub repository to push various kinds of malware families.

Recommended read:
References :
  • The Hacker News: The threat actors behind the zero-day exploitation of a recently-patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp. The activity has been attributed to a suspected Russian hacking group called Water Gamayun, which is also known as EncryptHub and LARVA-208. "The threat actor deploys payloads primarily by means of
  • Microsoft Security Blog: Using Microsoft Security Copilot to expedite the discovery process, Microsoft has uncovered several vulnerabilities in multiple open-source bootloaders impacting all operating systems relying on Unified Extensible Firmware Interface (UEFI) Secure Boot. Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability in the GRUB2, U-boot, and Barebox bootloaders. The post appeared first on .
  • bsky.app: Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders. https://www.bleepingcomputer.com/news/security/microsoft-uses-ai-to-find-flaws-in-grub2-u-boot-barebox-bootloaders/
  • BleepingComputer: Microsoft uses AI to find flaws in GRUB2, U-Boot, Barebox bootloaders

@upguard.com //
API security testing firm APIsec exposed an internal database to the internet without a password, potentially compromising customer data. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, according to researchers at UpGuard, who discovered the exposed database on March 5th, 2025. UpGuard notified APIsec, and the database was secured the same day. APIsec claims to be used by 80% of the Fortune 100.

The exposed Elasticsearch database contained over three terabytes of data, including configuration information for private scanning instances, results of API scans for customers’ endpoints, and personal information for users collected during scanning. This data provided extensive information about the attack surfaces of APIsec's customers. The database contained indices for executing the APIsec test suites against customer APIs and storing the results, with data spanning from 2018 to 2025.

The APIsec platform helps companies secure their APIs by running tests for common weaknesses. The exposed data included information about which tests were being performed, allowing attackers to potentially look for issues not being tested. The index "fx-accounts" included usernames and credentials for services like AWS, Slack, and GitHub. The index "fx-clusters" contained configuration data for APIsec scanning instances, some of which contained the same AWS access key as the record in "fx-accounts."

Recommended read:
References :
  • Zack Whittaker: New: API security testing firm APIsec exposed an internal database to the internet without a password. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, per researchers at UpGuard, which found it.
  • techcrunch.com: API testing firm APIsec exposed customer data during security lapse
  • www.upguard.com: Watching the Watcher: How a Security Company Leaked Customer Data | UpGuard
  • CyberInsider: Security Firm APIsec Exposed 3TB of Sensitive Customer Data

do son@securityonline.info //
Russia-aligned cyber threat groups UAC-0050 and UAC-0006 are actively using bulletproof hosting infrastructures to conduct cyberattacks globally. These networks, often obscured by offshore shell companies, provide a shield for malicious activities including espionage, financial theft, and psychological operations. Intrinsec analysts have uncovered campaigns blending cyber espionage, financial theft, and psychological warfare, primarily targeting Ukraine and its allies with tactics like bomb threats and fake banking transactions.

These threat groups heavily rely on bulletproof hosting providers to evade detection. Entities like Global Connectivity Solutions LLP and Railnet LLC act as legal fronts, using offshore shell companies in jurisdictions like Seychelles to make attribution and legal action difficult. This infrastructure also supports ransomware groups like Black Basta and RansomHub and involves frequent IP migrations across autonomous systems, further complicating efforts to block malicious activities. UAC-0050 has also engaged in psychological operations, such as sending bomb threats to Ukrainian institutions under the guise of the "Fire Cells Group."

Recommended read:
References :
  • securityonline.info: Bulletproof Hosting Fuels Russia-Linked Intrusion Sets’ Global Cyber Campaign
  • Cyber Security News: Russian Hackers Use Bulletproof Network Infrastructure to Evade Detection
  • gbhackers.com: Russian Hackers Leverage Bulletproof Hosting to Shift Network Infrastructure

do son@securityonline.info //
Cybersecurity analysts have uncovered a sophisticated campaign exploiting a fake Zoom installer to deliver BlackSuit ransomware across Windows-based systems. The attack, beginning with a malicious download from a website mimicking the teleconferencing application Zoom, lures unsuspecting victims into installing malware capable of crippling entire networks. When the victim clicked the “Download” button, they unknowingly triggered a chain reaction of events.

The fake installer, crafted with Inno Setup, hides the d3f@ckloader, a Pascal-based loader. After gaining initial access, the attackers deploy Brute Ratel and Cobalt Strike for lateral movement, using QDoor to facilitate RDP access. After 9 days, they deploy the BlackSuit ransomware across the network, deleting Volume Shadow Copies to hinder data recovery efforts before encrypting files and dropping ransom notes. The attackers also used WinRAR to compress file share data and uploaded the archives to Bublup, a cloud storage service for data exfiltration.

Recommended read:
References :
  • bsky.app: The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi).
  • BleepingComputer: North Korean hackers adopt ClickFix attacks to target crypto firms
  • Cyber Security News: Hackers Exploit Zoom Installer to Gain RDP Access and Launch BlackSuit Ransomware Attack
  • gbhackers.com: Beware! A Fake Zoom Installer Drops BlackSuit Ransomware on Your Windows Systems
  • Virus Bulletin: The DFIR Report researchers look into a fake Zoom installer that used d3f@ckloader & IDAT loader to drop SectopRAT, which dropped Cobalt Strike & Brute Ratel after 9 days. For later movement the threat actor used QDoor & finally deployed BlackSuit ransomware.
  • Osint10x: Fake Zoom Ends in BlackSuit Ransomware
  • securityonline.info: Fake Zoom, Real Ransom: Nine-Day Malware Intrusion Ends with BlackSuit Ransomware Blast
  • bsky.app: Lazarus adopts ClickFix technique.
  • Cyber Security News: Lazarus Hackers Use Fake Interviews “ClickFake†to Infect Windows & macOS with GO Malware
  • : New “ClickFake Interview†campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
  • gbhackers.com: Weaponized Zoom Installer Used by Hackers to Gain RDP Access and Deploy BlackSuit Ransomware
  • BleepingComputer: Report of the Lazarus Group adopting the ClickFix technique for malware deployment.

info@thehackernews.com (The@The Hacker News //
Security researchers have uncovered a rise in hackers exploiting WordPress mu-plugins to inject malicious code. The mu-plugins directory, designed for automatically loading essential plugins, is being used to conceal malware, enabling persistent remote access and site redirection. Because these plugins are automatically enabled and not visible in the standard WordPress plugin interface, attackers can maintain a stealthy foothold, bypassing typical security checks. This allows them to inject spam, hijack site images, and maintain long-term control over compromised sites.

Researchers at Sucuri have identified three distinct types of malicious code being deployed. One variant redirects site visitors to external malicious websites, often disguised as browser updates serving malware. Another executes a webshell, providing attackers with remote code execution capabilities. The third injects spam onto the website, replacing images with explicit content and hijacking outbound links to malicious popups. The goal of this spam injection is often to promote scams or manipulate SEO rankings. These tactics are used to target website visitors while evading detection by search engines and administrators.

Website administrators are advised to include the mu-plugins directory in their regular security scans to detect and remove any unrecognized or suspicious files. Security experts recommend ensuring WordPress, plugins, and themes are updated and employing strong passwords with two-factor authentication. If a compromise is suspected, all unauthorized admin accounts and malicious files should be removed to prevent reinfection. These measures are crucial to securing WordPress sites against this evolving threat.

Recommended read:
References :
  • The DefendOps Diaries: Understanding the Threat: WordPress MU-Plugins and Security Risks
  • The Hacker News: Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images
  • BleepingComputer: Hackers abuse WordPress MU-Plugins to hide malicious code
  • www.scworld.com: WordPress attackers hide malware in overlooked plugins directory
  • Vulnerable U: Stealthy WordPress Malware Exploits Mu-Plugins Directory
  • bsky.app: Hackers are utilizing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page while evading detection.
  • Cyber Security News: Threat Actors Hide Malware in WordPress Sites to Execute Remote Code
  • gbhackers.com: Threat Actors Embed Malware in WordPress Sites to Enable Remote Code Execution
  • bsky.app: Hackers exploit little-known WordPress MU-plugins feature to hide malware
  • Malware ? Graham Cluley: Hackers exploit little-known WordPress MU-plugins feature to hide malware
  • securityaffairs.com: Hiding WordPress malware in the mu-plugins directory to avoid detection

Lenart Bermejo@feeds.feedburner.com //
Earth Alux, a China-linked advanced persistent threat (APT) group, has been identified launching cyberespionage attacks aimed at critical industries. Since the second quarter of 2023, this group has been targeting organizations in the Asia-Pacific (APAC) and Latin American regions, with a focus on sectors including government, technology, logistics, manufacturing, telecommunications, IT services, and retail. Trend Micro's monitoring and investigation efforts have uncloaked the group's stealthy activities and advanced techniques, highlighting the significant risk they pose to sensitive data and operational continuity.

Earth Alux primarily employs the VARGEIT malware as its main backdoor and control tool. VARGEIT is utilized at multiple stages of an attack to maintain persistence, collect data, and execute malicious operations. The malware operates as a multi-channel configurable backdoor with capabilities such as drive information collection, process monitoring, file manipulation, and command line execution. It can also inject additional tools into processes like mspaint.exe for fileless operations, making detection challenging. The group uses sophisticated techniques, including DLL sideloading, timestomping, and encrypted communication channels, to ensure stealth and evade conventional security systems.

Recommended read:
References :
  • Cyber Security News: Earth Alux Hackers Deploy VARGIET Malware in Targeted Organizational Attacks
  • Cyber Security News: The cybersecurity landscape has been disrupted by Earth Alux, a China-linked advanced persistent threat (APT) group actively conducting espionage operations since the second quarter of 2023. Initially targeting the Asia-Pacific region, the group expanded its operations to Latin America by mid-2024, primarily focusing on government, technology, logistics, manufacturing, telecommunications, IT services, and retail sectors in
  • gbhackers.com: Earth Alux Hackers Use VARGIET Malware to Target Organizations
  • Osint10x: The cyberespionage techniques of Earth Alux, a China-linked APT group, are putting critical industries at risk. The attacks, aimed at the APAC and Latin American regions, leverage powerful tools and techniques to remain hidden while stealing sensitive data. The post appeared first on .
  • www.trendmicro.com: The cyberespionage techniques of Earth Alux, a China-linked APT group, are putting critical industries at risk. The attacks, aimed at the APAC and Latin American regions, leverage powerful tools and techniques to remain hidden while stealing sensitive data.
  • securityonline.info: Earth Alux APT Group: Unveiling Its Espionage Toolkit
  • The Hacker News: China-Linked Earth Alux Uses VARGEIT and COBEACON in Multi-Stage Cyber Intrusions
  • The Hacker News: China-Linked Earth Alux Uses VARGEIT and COBEACON in Multi-Stage Cyber Intrusions
  • www.scworld.com: The cyberespionage techniques of Earth Alux, a China-linked APT group, are putting critical industries at risk. The attacks, aimed at the APAC and Latin American regions, leverage powerful tools and techniques to remain hidden while stealing sensitive data.
  • Vulnerable U: The cyberespionage techniques of Earth Alux, a China-linked APT group, are putting critical industries at risk. The attacks, aimed at the APAC and Latin American regions, leverage powerful tools and techniques to remain hidden while stealing sensitive data.
  • Vulnerable U: The cyberespionage techniques of Earth Alux, a China-linked APT group, are putting critical industries at risk.

Pierluigi Paganini@Security Affairs //
Sam's Club, the membership warehouse club chain owned by Walmart, is currently investigating claims of a Clop ransomware breach. The Clop ransomware group has reportedly taken responsibility for the alleged security incident. The investigation aims to determine the scope and nature of the potential data compromise, with Sam's Club stating they are actively looking into the matter.

The alleged breach is tied to the Clop ransomware operation's exploitation of vulnerabilities in Cleo file transfer software. Cybernews reports that Sam's Club is among the numerous organizations purportedly affected. Sam's Club has acknowledged the situation and initiated an internal investigation, though specific details regarding the alleged compromise remain limited. The company has affirmed its commitment to protecting the privacy and security of its members' information.

Recommended read:
References :
  • securityaffairs.com: The Walmart-owned membership warehouse club chain Sam’s Club is investigating claims of a Cl0p ransomware security breach.
  • bsky.app: Sam's Club investigates Clop ransomware breach claims
  • BleepingComputer: Retail giant Sam’s Club investigates Clop ransomware breach claims
  • cyberinsider.com: Walmart has confirmed to CyberInsider it launched an internal investigation following claims by the Clop ransomware group that it compromised Sam’s Club, a membership-based retail warehouse chain owned and operated by Walmart Inc.
  • www.scworld.com: Cybernews reports that Walmart's membership-only warehouse chain Sam's Club was among the hundreds of other organizations most recently claimed to have been breached by the Clop ransomware operation as part of its attacks leveraging a Cleo file transfer software vulnerability.
  • securityaffairs.com: Sam’s Club Investigates Alleged Cl0p Ransomware Breach

rohansinhacyblecom@cyble.com //
A new Android banking trojan called Crocodilus has been discovered, targeting users in Spain and Turkey. Cybersecurity experts warn that this sophisticated malware employs advanced techniques like remote control, black screen overlays, and data harvesting through accessibility logging. Crocodilus is designed to facilitate device takeover and conduct fraudulent transactions, masquerading as Google Chrome to bypass Android 13+ restrictions.

Once installed, Crocodilus requests access to Android's accessibility services and connects to a remote server for instructions and a list of targeted financial applications. The malware steals banking and crypto credentials by displaying HTML overlays and monitors all accessibility events to capture screen contents, including Google Authenticator details. Crocodilus conceals malicious activities using a black screen overlay and muting sounds to avoid detection.

Recommended read:
References :
  • cyble.com: TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications
  • thehackernews.com: New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials
  • gbhackers.com: “Crocodilusâ€� A New Malware Targeting Android Devices for Full Takeover
  • securityaffairs.com: The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey.
  • ciso2ciso.com: Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that’s primarily designed to target users in Spain and Turkey.
  • BleepingComputer: A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
  • The DefendOps Diaries: Discover how Crocodilus malware exploits Android devices, threatening cryptocurrency security with advanced RAT capabilities and social engineering.
  • cointelegraph.com: Android malware ‘Crocodilus’ can take over phones to steal crypto
  • Talkback Resources: TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications
  • www.scworld.com: Advanced Crocodilus Android trojan emerges Widely known cryptocurrency wallets, as well as banks in Spain and Turkey, have already been targeted in attacks involving the novel sophisticated Crocodilus Android trojan, which combines bot and remote access trojan capabilities to facilitate banking and cryptocurrency credential compromise, according to Security Affairs.
  • Metacurity: The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey.
  • Blog: New Crocodilus malware snaps up crypto wallets
  • BleepingComputer: A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
  • thecyberexpress.com: Cyble researchers have discovered a new Android banking trojan that uses overlay attacks and other techniques to target more than 750 applications, including banking, finance, cryptocurrency, payment, social media, and e-commerce applications.
  • securityonline.info: Android Under Attack: Crocodilus Trojan Captures OTPs from Google Authenticator

@www.infosecurity-magazine.com //
References: The Hacker News , , ciso2ciso.com ...
Cybersecurity researchers are raising concerns about a new sophisticated malware loader called CoffeeLoader, designed to stealthily download and execute secondary payloads while evading detection. The malware, first observed around September 2024, shares behavioral similarities with SmokeLoader, another known malware loader. CoffeeLoader employs a variety of techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.

CoffeeLoader's infection sequence starts with a dropper that attempts to execute a DLL payload packed by Armoury, impersonating ASUS's Armoury Crate utility. The malware establishes persistence by creating scheduled tasks and uses call stack spoofing and sleep obfuscation to evade antivirus and EDR solutions. Upon successful connection to a command-and-control server, CoffeeLoader receives commands to inject and execute Rhadamanthys shellcode, highlighting the potential for significant harm. While there are notable similarities between CoffeeLoader and SmokeLoader, researchers are still determining the exact relationship between the two malware families.

Recommended read:
References :
  • The Hacker News: Researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads.
  • : Security firm spots stealthy CoffeeLoader used in attacks
  • www.scworld.com: Windows devices have been targeted with attacks involving the novel CoffeeLoader malware that masquerades as Taiwanese computer hardware firm ASUS's Armoury Crate utility to covertly distribute the Rhadamanthys information-stealing malware and other malicious payloads, Cybernews reports.
  • ciso2ciso.com: Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads.
  • bsky.app: Zscaler has spotted a new malware loader named CoffeeLoader, used in the wild since September of last year. The malware was used together and appears to bear similarities with SmokeLoader.
  • securityaffairs.com: CoffeeLoader uses a GPU-based packer to evade detection
  • securityonline.info: GPU-Powered Evasion: Unpacking the Sophisticated CoffeeLoader Malware

do son@Daily CyberSecurity //
CISA has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing a new malware variant named RESURGE, which exploits a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282). The analysis indicates that RESURGE exhibits capabilities similar to the SPAWNCHIMERA malware, including surviving system reboots, but contains distinctive commands that alter its behavior. According to CISA, RESURGE can create web shells, manipulate integrity checks, and modify files, enabling credential harvesting, account creation, password resets, and escalating permissions.

RESURGE can also copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image, ensuring persistence and unauthorized access. CISA strongly advises organizations using Ivanti Connect Secure devices to take immediate action to mitigate this threat by applying security patches for CVE-2025-0282, monitoring network traffic for unusual SSH connections, and implementing robust logging practices to detect tampering attempts. The vulnerability, CVE-2025-0282, is a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution.

Recommended read:
References :
  • securityonline.info: CISA Warns of RESURGE Malware: Exploiting Ivanti Vulnerability
  • Cyber Security News: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing the exploitation of a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282).
  • bsky.app: CISA has published a technical report on RESURGE, a web shell installed on Ivanti Connect Secure devices via CVE-2025-0282
  • thehackernews.com: RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features
  • securityaffairs.com: CISA warns of RESURGE malware exploiting Ivanti flaw
  • Help Net Security: CISA has released indicators of compromise, detection signatures, and updated mitigation advice for rooting out a newly identified malware variant used by the attackers who breached Ivanti Connect Secure VPN appliances in December 2024 by exploiting the CVE-2025-0282 zero-day.
  • The Stack: It’s the end of March 2025...of course CISOs still need to worry about Ivanti Connect Secure flaws.
  • www.cybersecuritydive.com: CVE-2025-0282, a critical vulnerability that affects Ivanti’s Connect Secure, Policy Secure and ZTA Gateway products, was disclosed and patched in January.
  • : CISA recommends immediate action to address malware variant RESURGE exploiting Ivanti vulnerability CVE-2025-0282
  • thecyberexpress.com: CISA Details New Malware Used in Ivanti Attacks
  • Sam Bent: A newly discovered malware named RESURGE is targeting Ivanti Connect Secure vulnerabilities, delivering stealth capabilities like rootkits and web shells. Tied to China-linked espionage groups.

@itpro.com //
Cybersecurity firm Resecurity successfully infiltrated the BlackLock ransomware gang's network by exploiting a local file inclusion vulnerability on their data leak site (DLS). This vulnerability, a misconfiguration in the site, allowed Resecurity to access the gang's network infrastructure, configuration files, and even account credentials. By gaining access, Resecurity could observe the gang's operations, identify potential victims, and alert both the victims and authorities, providing valuable insights into the gang's modus operandi.

Resecurity's actions have provided law enforcement with crucial information about BlackLock, also known as El Dorado, which had successfully attacked at least 46 organizations worldwide. The compromised DLS revealed that the gang was actively recruiting affiliates to spread the ransomware further. By uncovering the gang's methods and infrastructure, Resecurity has potentially disrupted BlackLock's operations and protected numerous organizations from falling victim to their attacks.

Recommended read:
References :
  • PCMag UK security: Cybersecurity Firm Hacks Ransomware Group, Alerts Potential Victims
  • www.itpro.com: Security researchers hack BlackLock ransomware gang in push back against rising threat actor
  • securityaffairs.com: BlackLock Ransomware Targeted by Cybersecurity Firm
  • The Hacker News: BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability
  • thehackernews.com: In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
  • securityaffairs.com: In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
  • www.cybersecurity-insiders.com: For the first time, a team of security researchers has successfully infiltrated the network of a ransomware operation

Pierluigi Paganini@Security Affairs //
Russia-linked Gamaredon is actively targeting Ukrainian users with a phishing campaign designed to deploy the Remcos Remote Access Trojan (RAT). This ongoing cyber campaign, uncovered by Cisco Talos, utilizes malicious LNK files disguised as Microsoft Office documents within ZIP archives. The filenames of these files often reference troop movements and other sensitive geopolitical themes related to the conflict in Ukraine, demonstrating a deliberate attempt to exploit the current situation to lure victims.

The attack chain begins with the execution of a PowerShell downloader embedded within the LNK file. This downloader then contacts geo-fenced servers located in Russia and Germany to retrieve a second-stage ZIP payload that contains the Remcos backdoor. The downloaded payload employs DLL sideloading techniques to execute the backdoor. Cisco Talos assesses that the threat actor, Gamaredon, is affiliated with Russia's Federal Security Service (FSB) and known for targeting Ukrainian organizations for espionage and data theft since at least 2013.

Recommended read:
References :
  • Cisco Talos Blog: Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024.
  • Cyber Security News: A sophisticated cyber espionage campaign targeting Ukrainian entities has been uncovered, revealing the latest tactics of the Russia-linked Gamaredon threat actor group.
  • Christoffer S.: Gamaredon APT Targets Ukraine with Remcos Backdoor Using War-Themed Lures Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor.
  • gbhackers.com: Cisco Talos has uncovered an ongoing cyber campaign by the Gamaredon threat actor group, targeting Ukrainian users with malicious LNK files to deliver the Remcos backdoor.
  • buherator's timeline: Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor. The campaign, attributed with medium confidence to the Gamaredon APT group, uses Russian-language lures related to troop movements in Ukraine.
  • securityonline.info: A new targeted malware campaign linked to the Russian state-aligned group Gamaredon is exploiting Windows shortcut (.LNK) files
  • The Hacker News: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. "The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. "The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to
  • securityaffairs.com: Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine
  • Virus Bulletin: Cisco Talos researcher Guilherme Venere analyses an ongoing campaign targeting users in Ukraine with malicious LNK files which run a PowerShell downloader. The downloader contacts geo-fenced servers located in Russia & Germany to deploy the second stage Zip file containing the Remcos backdoor.
  • OODAloop: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. The activity has been attributed with moderate confidence to a Russian hacking group known as Gamaredon.
  • Vulnerable U: Russian Hackers Target Ukraine With Stealthy Malware Attack
  • Cisco Talos Blog: Talos researchers warn that Russia-linked APT group Gamaredon targets Ukraine with a phishing campaign.
  • securityaffairs.com: Russia-linked Gamaredon targets Ukraine with a phishing campaign using troop-related lures to deploy the Remcos RAT via PowerShell downloader.
  • www.scworld.com: Ongoing Gamaredon phishing campaign targets Ukraine with Remcos RAT

info@thehackernews.com (The@The Hacker News //
A new Android malware campaign, potentially linked to previous attacks targeting Indian military personnel, has been identified focusing on users in Taiwan. The malware, known as PJobRAT, is an Android Remote Access Trojan (RAT) that steals sensitive data. It operates by disguising itself as legitimate chat applications, tricking users into installation. Once installed, PJobRAT can extract SMS messages, phone contacts, device information, documents, and media files from infected devices, enabling deep surveillance and remote control.

Researchers at Sophos X-Ops uncovered this recent campaign, observing activity from January 2023 to October 2024. The malicious chat apps, named SangaalLite and CChat, were distributed through compromised WordPress sites. While this particular campaign may be paused, it illustrates that threat actors often retool and retarget after an initial campaign, improving their malware and adjusting their approach before striking again. Users are advised to avoid installing apps from untrusted sources and employ mobile security solutions for protection.

Recommended read:
References :
  • ciso2ciso.com: PJobRAT Malware Campaign Targeted Taiwanese Users via Fake Chat Apps – Source:thehackernews.com
  • The Hacker News: An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps.
  • www.infosecurity-magazine.com: PJobRAT malware targets Taiwan Android users, stealing data through fake messaging platforms
  • Sophos X-Ops: Back in 2021, researchers reported on PJobRAT, an Android RAT targeting Indian military personnel by imitating various dating and instant messaging apps. After that, everything seemed to go quiet. But during a recent threat hunt, Sophos X-Ops researchers uncovered a more recent PJobRAT campaign appearing to target users in Taiwan – the earliest sample being Jan 2023, and the most recent in October 2024.
  • Cyber Security News: Sophos X-Ops researchers have uncovered a new campaign involving PJobRAT, an Android Remote Access Trojan (RAT) first observed in 2019. This latest iteration, which appeared to target users in Taiwan, disguised itself as instant messaging apps such as ‘SangaalLite’ and ‘CChat’.
  • gbhackers.com: PJobRAT, an Android Remote Access Trojan (RAT) first identified in 2019, has resurfaced in a new campaign targeting users in Taiwan.
  • Sophos News: PJobRAT makes a comeback, takes another crack at chat apps
  • Sophos X-Ops: We can’t confirm how users were directed to these sites, but PJobRAT previously used a variety of tricks, including third-party app stores, link shortening, phishing pages, fictitious personae, and posting links on forums. Once on a user’s device, the malware requests various permissions, and can steal SMS messages, phone contacts, device and app info, documents, and media files. The latest variant does not have a built-in function for stealing WhatsApp messages. But it does have a new functionality – running shell commands. This greatly increases the malware’s capabilities.

info@thehackernews.com (The@The Hacker News //
A massive malware campaign, identified as ZuizhongJS, has compromised over 150,000 websites through JavaScript injection to promote Chinese gambling platforms. Threat actors are breaching websites to drive traffic to illicit gambling sites. This campaign which injects obfuscated JavaScript and PHP code into the compromised sites hijacks browser windows. The primary goal is to generate revenue by redirecting users to full-screen overlays of fake betting websites, including impersonations of legitimate platforms like Bet365.

The attackers are believed to be linked to the Megalayer exploit, known for distributing Chinese-language malware and employing similar domain patterns and obfuscation tactics. The injected code is often hidden using HTML entity encoding and hexadecimal to evade detection. This campaign underscores the growing threat of client-side attacks and the need for robust website security measures, including regular script audits and strict Content Security Policies, to protect users from malicious redirects and potential financial harm.

Recommended read:
References :
  • Cyber Security News: Hackers Breach 150,000 Websites to Drive Traffic to Chinese Gambling Sites
  • gbhackers.com: Threat Actors Compromise 150,000 Websites to Promote Chinese Gambling Platforms
  • The Hacker News: 150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling Platforms
  • www.techradar.com: Thousands of websites have now been hijacked by this devious, and growing, malicious scheme