CyberSecurity news

FlagThis - #Microsoft

Alyssa Hughes (2ADAPTIVE LLC dba 2A Consulting)@Microsoft Research //
Microsoft has announced two major advancements in both quantum computing and artificial intelligence. The company unveiled Majorana 1, a new chip containing topological qubits, representing a key milestone in its pursuit of stable, scalable quantum computers. This approach uses topological qubits, which are less susceptible to environmental noise, aiming to overcome the long-standing instability issues that have challenged the development of reliable quantum processors. The company says it is on track to build a new kind of quantum computer based on topological qubits.

Microsoft is also introducing Muse, a generative AI model designed for gameplay ideation. Described as a first-of-its-kind World and Human Action Model (WHAM), Muse can generate game visuals and controller actions. Microsoft’s team is developing research insights to support creative uses of generative AI models.

Recommended read:
References :
  • blogs.microsoft.com: Microsoft unveils Majorana 1
  • Microsoft Research: Introducing Muse: Our first generative AI model designed for gameplay ideation
  • www.technologyreview.com: Microsoft announced today that it has made significant progress in its 20-year quest to make topological quantum bits, or qubits—a special approach to building quantum computers that could make them more stable and easier to scale up.
  • The Quantum Insider: Microsoft's Majorana topological chip is an advance 17 years in the making.
  • Microsoft Research: Microsoft announced the creation of the first topoconductor and first QPU architecture with a topological core. Dr. Chetan Nayak, a technical fellow of Quantum Hardware at the company, discusses how the breakthroughs are redefining the field of quantum computing.
  • www.theguardian.com: Chip is powered by world’s first topoconductor, which can create new state of matter that is not solid, liquid or gas. Quantum computers could be built within years rather than decades, according to Microsoft, which has unveiled a breakthrough that it said could pave the way for faster development.
  • www.microsoft.com: Introducing Muse: Our first generative AI model designed for gameplay ideation
  • thequantuminsider.com: Microsoft’s Majorana Topological Chip — An Advance 17 Years in The Making
  • www.analyticsvidhya.com: Microsoft’s Majorana 1: Satya Nadella’s Bold Bet on Quantum Computing
  • PCMag Middle East ai: Microsoft: Our 'Muse' Generative AI Can Simulate Video Games
  • arstechnica.com: Microsoft builds its first qubits lays out roadmap for quantum computing
  • WebProNews: Microsoft unveils quantum computing breakthrough with Majorana 1 chip.
  • Analytics Vidhya: Microsoft’s Majorana 1: Satya Nadella’s Bold Bet on Quantum Computing
  • venturebeat.com: Microsoft’s Muse AI can design video game worlds after watching you play
  • THE DECODER: Microsoft's new AI model Muse can generate gameplay and might preserve classic games.
  • blogs.microsoft.com: Microsoft unveiled Majorana 1, the world's first quantum processor powered by topological qubits.
  • the-decoder.com: Microsoft's new AI model "Muse" can generate gameplay and might preserve classic games
  • A couple reflections on the quantum computing breakthrough we just announced…
  • www.it-daily.net: Microsoft presents Majorana 1 quantum chip
  • techinformed.com: Microsoft announces quantum computing chip it says will bring quantum sooner
  • cyberinsider.com: Microsoft Unveils First Quantum Processor With Topological Qubits
  • Cybersecurity News: Microsoft's Quantum Breakthrough: Majorana 1 and the Future of Computing
  • heise online English: Microsoft calls new Majorana chip a breakthrough for quantum computing. Microsoft claims that Majorana 1 is the first quantum processor based on topological qubits. It is designed to enable extremely powerful quantum computers.
  • www.eweek.com: On Wednesday, Microsoft introduced Muse, a generative AI model designed to transform how games are conceptualized, developed, and preserved.
  • www.verdict.co.uk: Microsoft debuts Majorana 1 chip for quantum computing
  • singularityhub.com: The company believes devices with a million topological qubits are possible.
  • techvro.com: This article discusses Microsoft’s quantum computing chip and its potential to revolutionize computing.
  • Talkback Resources: Microsoft claims quantum breakthrough with Majorana 1 computer chip [crypto]
  • TechInformed: Microsoft has unveiled its new quantum chip, Majorana 1, which it claims will enable quantum computers to solve meaningful, industrial-scale problems within years rather than…
  • shellypalmer.com: Quantum Leap Forward: Microsoft’s Majorana 1 Chip Debuts
  • Runtime: Article from Runtime News discussing Microsoft's quantum 'breakthrough'.
  • CyberInsider: Microsoft Unveils First Quantum Processor With Topological Qubits
  • Shelly Palmer: This article discusses Microsoft's quantum computing breakthrough with the Majorana 1 chip.
  • securityonline.info: Microsoft’s Quantum Breakthrough: Majorana 1 and the Future of Computing
  • www.heise.de: Microsoft calls new Majorana chip a breakthrough for quantum computing
  • SingularityHub: The company believes devices with a million topological qubits are possible.
  • www.sciencedaily.com: Microsoft's Majorana 1 is a quantum processor that is based on a new material called Topoconductor.
  • Popular Science: New state of matter powers Microsoft quantum computing chip
  • eWEEK: Microsoft's announcement of Muse, a generative AI model to help game developers, not replace them.
  • Verdict: Microsoft debuts Majorana 1 chip for quantum computing
  • The Register: Microsoft says it has developed a quantum-computing chip made with novel materials that is expected to enable the development of quantum computers for meaningful, real-world applications within – you guessed it – years rather than decades.
  • news.microsoft.com: Microsoft’s Majorana 1 chip carves new path for quantum computing
  • The Microsoft Cloud Blog: News article reporting on Microsoft's Majorana 1 chip.
  • thequantuminsider.com: Microsoft’s Topological Qubit Claim Faces Quantum Community Scrutiny
  • bsky.app: After 17 years of research, Microsoft unveiled its first quantum chip using topoconductors, a new material enabling a million qubits. Current quantum computers only have dozens or hundreds of qubits. This breakthrough could revolutionize AI, cryptography, and other computation-heavy fields.
  • medium.com: Meet Majorana 1: The Quantum Chip That’s Too Cool for Classical Computers
  • chatgptiseatingtheworld.com: Microsoft announces Majorana 1 quantum chip
  • NextBigFuture.com: Microsoft Majorana 1 Chip Has 8 Qubits Right Now with a Roadmap to 1 Million Raw Qubits
  • Dataconomy: Microsoft unveiled its Majorana 1 chip on Wednesday, claiming it demonstrates that quantum computing is "years, not decades" away from practical application, aligning with similar forecasts from Google and IBM regarding advancements in computing technology.
  • thequantuminsider.com: Microsoft’s Majorana 1 Chip Carves New Path for Quantum Computing
  • Anonymous: Quantum computing may be just years away, with new chips from Microsoft and Google sparking big possibilities.
  • www.sciencedaily.com: Topological quantum processor marks breakthrough in computing
  • thequantuminsider.com: The Conversation: Microsoft Just Claimed a Quantum Breakthrough. A Quantum Physicist Explains What it Means
  • www.sciencedaily.com: Breakthrough may clear major hurdle for quantum computers
  • The Quantum Insider: Microsoft Just Claimed a Quantum Breakthrough. A Quantum Physicist Explains What it Means

Pierluigi Paganini@Security Affairs //
The Chinese espionage group Silk Typhoon is expanding its cyberattacks to target the global IT supply chain. Microsoft has warned that this group, backed by the Chinese state, has shifted its tactics to focus on remote management tools and cloud services. These supply chain attacks provide access to downstream customers, enabling the group to move laterally within networks and compromise various organizations.

US government agencies have announced criminal charges against alleged members of the Silk Typhoon gang, along with the seizure of internet domains linked to their long-term espionage campaign. The group is accused of compromising US government agencies and other major organizations. The Justice Department has stated that the Chinese government, including its Ministries of State and Public Security, has encouraged and supported private contractors and technology companies to hack and steal information, providing a form of plausible deniability.

Recommended read:
References :
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • The Register - Security: They're good at zero-day exploits, too. Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.
  • BleepingComputer: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • securityaffairs.com: Microsoft warns that China-backed APT Silk Typhoon linked to US Treasury hack, is now targeting global IT supply chains, using IT firms to spy and move laterally.
  • cyberinsider.com: Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese state-sponsored cyber-espionage group, which is now targeting IT supply chain providers, including remote management tools and cloud applications.
  • Information Security Buzz: China-linked APT Silk Typhoon targets IT Supply Chain
  • The Hacker News: China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
  • thecyberexpress.com: The Chinese espionage group known as Silk Typhoon has expanded the cyberattacks to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics, highlighting a new focus on commonly used IT solutions such as remote management tools and cloud applications.
  • gbhackers.com: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • Cyber Security News: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • The Register - Security: Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks
  • Virus Bulletin: Microsoft Threat Intelligence has identified a shift in tactics used by Silk Typhoon. The espionage group is now targeting common IT solutions like remote management tools and cloud applications to gain initial access.
  • Microsoft Security Blog: Silk Typhoon targeting IT supply chain
  • www.scworld.com: Google's Threat Intelligence Group report on Silk Typhoon's new tactic highlights the group's shift towards IT supply chain attacks.
  • Threats | CyberScoop: Silk Typhoon shifted to specifically targeting IT management companies
  • Vulnerable U: Microsoft Details Silk Typhoon’s IT Supply Chain Attacks
  • Microsoft warns that Chinese espionage group Silk Typhoon is increasingly exploiting common IT solutions to infiltrate networks and exfiltrate data.
  • securityonline.info: Zero-Day Attacks & Stolen Keys: Silk Typhoon Breaches Networks

@World - CBSNews.com //
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon, members of the APT27 group (also known as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers from China's Ministry of Public Security. These indictments shed light on the hacking tools and methods allegedly employed in a global hacking scandal. The Justice Department stated that the Ministry of State Security (MSS) and Ministry of Public Security (MPS) utilized an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere.

The U.S. DoJ charges these individuals with data theft and suppressing dissent worldwide. i-Soon, identified as one of the private companies involved, allegedly provided tools and methods to customers and hacked for the PRC (People's Republic of China). These actions highlight a significant cybersecurity concern involving state-sponsored actors and their use of private firms to conduct cyber espionage.

Recommended read:
References :
  • bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
  • CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
  • The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
  • bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
  • The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
  • The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox. US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
  • DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
  • bsky.app: The US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
  • cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
  • Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
  • Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
  • Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
  • BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
  • hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
  • Risky Business: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again, authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
  • Security | TechRepublic: Targets included the U.S. Treasury Department, journalists, and religious organisations, and the attacks intended to steal data and suppress free speech.
  • techxplore.com: US indicts 12 Chinese nationals in hacking
  • US Charges Members of Chinese Hacker-for-Hire Group i-Soon

@www.microsoft.com //
Multiple Russian threat actors have been identified targeting Microsoft 365 accounts using a device code authentication phishing technique. These attacks, observed since mid-January 2025, involve social engineering and spear-phishing campaigns, often disguised as communications from reputable organizations like the U.S. Department of State and the Ukrainian Ministry of Defence. Volexity has observed these campaigns targeting organizations to compromise Microsoft 365 accounts.

Microsoft Threat Intelligence Center has also discovered an active and successful device code phishing campaign by a threat actor tracked as Storm-2372, active since August 2024. The attacker creates lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Targets include government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.

Recommended read:
References :
  • www.microsoft.com: Storm-2372 conducts device code phishing campaign
  • Volexity: recently identified multiple Russian threat actors targeting users via campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success
  • cyberscoop.com: Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts
  • The Register - Security: If you dread a Microsoft Teams invite, just wait until it turns out to be a Russian phish
  • Microsoft Security Blog: Storm-2372 conducts device code phishing campaign
  • www.volexity.com: Volexity: Multiple Russian threat actors have been identified targeting Microsoft 365 accounts through Device Code Authentication phishing campaigns, according to Volexity. These attacks, which began in mid-January 2025, involve social engineering and spear-phishing tactics, often masquerading as communications from reputable organizations like the U.S. Department of State and the Ukrainian Ministry of Defence.
  • cyberinsider.com: Hackers Use Device Code Phishing to Hijack Microsoft 365 Accounts
  • Threats | CyberScoop: Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts
  • Security Risk Advisors: Attackers Exploit Device Code Phishing to Hijack Microsoft Accounts in Global Storm-2372 Drive
  • The Hacker News: Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts
  • www.helpnetsecurity.com: Discussion of the ongoing Microsoft 365 campaign.
  • www.infosecurity-magazine.com: More details about the ongoing Microsoft 365 campaign.
  • arstechnica.com: Russian spies use device code phishing to hijack Microsoft accounts
  • securityaffairs.com: Storm-2372 used the device code phishing technique since August 2024
  • Christoffer S.: Volexity report on multiple Russian threat actors targeting Microsoft 365 accounts via Device Code Authentication phishing campaigns
  • BleepingComputer: An active campaign from a threat actor potentially linked to Russia is targeting Microsoft 365 accounts of individuals at organizations of interest using device code phishing.
  • www.bleepingcomputer.com: Microsoft Hackers Steal Emails in Device Code Phishing Attacks
  • securityaffairs.com: Russia-linked group Storm-2372 used the device code phishing technique since Aug 2024 to steal login tokens from governments, NGOs, and industries.
  • Graham Cluley: Got a Microsoft Teams invite? Storm-2372 gang exploit device codes in global phishing attacks
  • Email Security - Blog: Security Alert: Device Code Authentication Phishing Attack

@gbhackers.com //
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.

If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft.

Recommended read:
References :
  • gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
  • securityaffairs.com: North Korea-linked APT Emerald Sleet is using a new tactic
  • The Hacker News: The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets.
  • BleepingComputer: North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired from the now widespread ClickFix campaigns.
  • Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
  • www.bleepingcomputer.com: Reports on Emerald Sleet's activity exploiting PowerShell.
  • www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
  • www.scworld.com: PowerShell exploited in new Kimsuky intrusions
  • Talkback Resources: Kimsuky, a North Korean nation-state threat actor, is conducting an ongoing cyber attack campaign named DEEP#DRIVE targeting South Korean business, government, and cryptocurrency sectors using tailored phishing lures and leveraging PowerShell scripts and Dropbox for payload delivery and data exfiltration.
  • The Hacker News: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
  • MSSP feed for Latest: Ongoing Kimsuky Attack Campaign Exploits PowerShell, Dropbox
  • securityaffairs.com: Analyzing DEEP#DRIVE: North Korean

@Talkback Resources //
Millions of WordPress websites face potential script injection attacks due to a critical vulnerability found in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, identified as CVE-2025-24752 with a CVSS score of 7.1 (High), allows attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by exploiting insufficient input sanitization within the plugin's password reset functionality, specifically through malicious URL parameters.

A fake WordPress plugin has also been discovered injecting casino spam, impacting website SEO. In a separate incident, cybersecurity researchers have flagged a malicious Python library on the PyPI repository, named 'automslc', which facilitates over 100,000 unauthorized music downloads from Deezer. The package bypasses Deezer's API restrictions by embedding hardcoded credentials and communicating with an external command-and-control server, effectively turning user systems into a botnet for music piracy.

Recommended read:
References :
  • bsky.app: Socket Security has discovered a malicious PyPI package that created a botnet to pirate songs from music streaming service Deezer The package was named automslc and had been downloaded over 100,000 since its release in 2019
  • BleepingComputer: A malicious PyPi package named 'automslc' has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • Talkback Resources: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads [app] [mal]
  • socket.dev: Malicious PyPI Package Exploits Deezer API for Coordinated Music Piracy
  • The Hacker News: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads
  • Sucuri Blog: Injecting malware via a fake WordPress plugin has been a common tactic of attackers for some time. This clever method is often used to bypass detection as attackers exploit the fact that plugins are not part of the core files of a WordPress site, making integrity checks more difficult.
  • gbhackers.com: A critical security vulnerability in the Essential Addons for Elementor plugin, installed on over 2 million WordPress websites, has exposed sites to script injection attacks via malicious URL parameters. The flaw, tracked as CVE-2025-24752 and scoring 7.1 (High) on the CVSS scale, allowed attackers to execute reflected cross-site scripting (XSS) attacks by exploiting insufficient input sanitization in the plugin’s password reset
  • bsky.app: Microsoft has removed two popular VSCode extensions, 'Material Theme - Free' and 'Material Theme Icons - Free,' from the Visual Studio Marketplace for allegedly containing malicious code.
  • gbhackers.com: VS Code Extension with 9 Million Installs Attacks Developers with Malicious Code
  • aboutdfir.com: VSCode extensions with 9 million installs pulled over security risks
  • bsky.app: Microsoft has removed two VSCode theme extensions from the VSCode Marketplace for containing malicious code.
  • Techzine Global: Visual Studio Code extensions with 9 million downloads removed for security risks

Amar Ćemanović@CyberInsider //
Microsoft is warning of a large-scale malvertising campaign that has impacted nearly one million devices worldwide, starting in early December 2024. The attack originates from illegal streaming websites using embedded malvertising redirectors. These redirectors lead users to GitHub, Discord, and Dropbox where initial access payloads are hosted. The primary goal of this campaign, tracked under the name Storm-0408, is to steal sensitive information from both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.

The attackers used a multi-stage approach, with GitHub serving as the primary platform for delivering the initial malware. This malware then deploys additional malicious files and scripts designed to collect system information and exfiltrate documents and data. Microsoft has since taken down the malicious repositories with the collaboration of the GitHub security team. The attack also employs a sophisticated redirection chain, with the initial redirector embedded within an iframe element on the illegal streaming websites.

Recommended read:
References :
  • The Hacker News: Microsoft Warns of Malvertising Campaign Infecting Over 1 Million Devices Worldwide
  • Microsoft Security Blog: Malvertising campaign leads to info stealers hosted on GitHub
  • CyberInsider: Microsoft has uncovered a large-scale malvertising campaign that compromised nearly one million devices worldwide, distributing information-stealing malware via GitHub. The attack, detected in early December 2024, originated from illegal streaming websites that redirected users through multiple malicious domains before delivering payloads hosted on GitHub, Dropbox, and Discord.
  • Hidden Dragon: Nearly 1 million Windows devices were targeted in recent months by a sophisticated "malvertising" campaign that surreptitiously stole login credentials, cryptocurrency, and other sensitive information from infected machines.
  • hackread.com: Microsoft Dismantles Malvertising Scam Using GitHub, Discord, Dropbox
  • www.techradar.com: Microsoft reveals over a million PCs hit by malvertising campaign
  • www.bleepingcomputer.com: Microsoft says malvertising campaign impacted 1 million PCs
  • Tech Monitor: Microsoft neutralises malvertising scheme that affected one million devices

@www.bleepingcomputer.com //
Chinese-linked threat actor Mustang Panda has been observed exploiting the Microsoft Application Virtualization Injector (MAVInject.exe) utility to evade antivirus detection. According to research from Trend Micro, the group injects malicious payloads into legitimate processes, such as waitfor.exe, using MAVInject.exe, a LOLBIN (Living Off the Land Binary). This allows the malware to operate without being flagged by security software. This technique involves combining legitimate software components with malicious code to bypass security measures and maintain control of compromised systems.

Researchers discovered that Mustang Panda initially drops multiple files, including legitimate executables and malicious components, and deploys a decoy PDF. A legitimate Electronic Arts application ("OriginLegacyCLI.exe") is executed to sideload a modified version of the TONESHELL backdoor. The malware then checks for ESET antivirus processes and, if detected, uses "waitfor.exe" and "MAVInject.exe" to inject malicious code. This allows them to evade detection and maintain persistence in compromised systems, ultimately establishing connections with a remote server to receive commands and exfiltrate data.

Recommended read:
References :
  • www.trendmicro.com: Trend Micro’s Nathaniel Morales & Nick Dai discuss the latest technique used by Earth Preta (Mustang Panda), in which the APT group leverages MAVInject & Setup Factory to deploy payloads, bypass ESET antivirus, & maintain control over compromised systems.
  • securityonline.info: Researchers from Trend Micro’s Threat Hunting team have discovered a new campaign by the advanced persistent threat (APT)
  • Talkback Resources: Trend Micro's Threat Hunting team discovered Earth Preta (Mustang Panda) using legitimate and malicious components in a new campaign targeting government entities in the Asia-Pacific region, urging vigilance among cybersecurity professionals, particularly those using ESET antivirus applications.
  • Talkback Resources: Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection [app] [mal]
  • securityonline.info: Earth Preta APT Group Evades Detection with Legitimate and Malicious Components
  • aboutdfir.com: InfoSec News Nuggets on Chinese APT group abuse of Microsoft's Application Virtualization Injector utility.
  • The Hacker News: Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks
  • www.bleepingcomputer.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus
  • Anonymous: The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
  • BleepingComputer: The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
  • Know Your Adversary: Here's How Mustang Panda Evades AV and How to Detect It
  • BleepingComputer: Infosec Exchange Post about Mustang Panda abusing Microsoft APP-V tool to evade antivirus.
  • Information Security Buzz: Mustang Panda APT Exploits Windows Utilities to Slip Through Security Nets
  • aboutdfir.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus. The Chinese APT hacking group “Mustang Panda” has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
  • Talkback Resources: Chinese state-sponsored threat actor Mustang Panda is using a novel technique involving MAVInject.exe to inject malicious payloads into external processes, dropping multiple files and deploying a decoy PDF to distract victims, while evading detection and maintaining persistence in compromised systems.

info@thehackernews.com (The Hacker News)@The Hacker News //
A new cyber espionage campaign, attributed to the Belarus-aligned threat actor Ghostwriter, is targeting opposition activists in Belarus and Ukrainian military and government organizations. The campaign leverages malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader. Ghostwriter, also known as Moonscape, TA445, UAC-0057, and UNC1151, has been active since 2016 and is known to align with Russian security interests, promoting narratives critical of NATO.

The attack chain begins with a Google Drive shared document hosting a RAR archive containing a malicious Excel workbook. When opened, the workbook triggers the execution of an obfuscated macro, paving the way for a simplified version of PicassoLoader. While a decoy Excel file is displayed to the victim, additional payloads are downloaded onto the system. Techniques like steganography, hiding malicious code within seemingly harmless JPG images, are also used to retrieve second-stage malware from remote URLs. SentinelOne has observed Ghostwriter repeatedly using Excel workbooks with Macropack-obfuscated VBA macros and embedded .NET downloaders, highlighting a persistent cyberespionage operation against Ukrainian targets.

Recommended read:
References :
  • bsky.app: After many reports on Ghostwriter's info-ops, SentinelOne has seen the group returning to malware delivery, this time with a campaign targeting opposition activists in Belarus as well as Ukrainian military and government organizations
  • Talkback Resources: Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition
  • The Hacker News: Belarus-Linked Ghostwriter Uses Macropack-Obfuscated Excel Macros to Deploy Malware
  • Talkback Resources: Talkback post on Excel Macros to Deploy Malware
  • Anonymous: A new malware campaign targets Belarusian activists and the Ukrainian military, using Excel files to deliver PicassoLoader.
  • Virus Bulletin: SentinelLABS researcher Tom Hegel writes about an extension of the long-running Ghostwriter campaign targeting opposition activists in Belarus as well as Ukrainian military and government organizations with weaponized Excel documents lures.
  • Information Security Buzz: Cybersecurity researchers at SentinelLABS have uncovered a new campaign linked to the long-running Ghostwriter operation, targeting Belarusian opposition activists and Ukrainian military and government entities. 
  • gbhackers.com: Ghostwriter Malware Targets Government Organizations with Weaponized XLS File
  • securityaffairs.com: New Ghostwriter campaign targets Ukrainian Government and opposition activists in Belarus
  • Know Your Adversary: 058. Hunting for Ghostwriter
  • Cyber Security News: Ghostwriter Malware Attacks Government Organizations Using Weaponized XLS File

@www.microsoft.com //
A subgroup of the Russian state-sponsored hacking group APT44, also known as Seashell Blizzard and Sandworm, has been conducting a multi-year campaign named BadPilot, targeting critical organizations and governments. Microsoft's Threat Intelligence team has been researching this operation, revealing that the group aims to gain initial access to strategically important organizations across the U.S. and Europe. This campaign has been active since at least 2021, with the threat actor focusing on initial access, persistence, and maintaining presence to allow for tailored network operations.

The BadPilot hackers have expanded their focus beyond Ukraine and Eastern Europe, now including targets in the U.S. and U.K. since early 2024. Sectors affected include energy, oil and gas, telecommunications, shipping, arms manufacturing, and government entities. Microsoft assesses that while some targeting is opportunistic, the accumulated compromises offer Seashell Blizzard options when responding to Russia’s evolving strategic objectives and national priorities. The group has been exploiting vulnerabilities in ConnectWise ScreenConnect and Fortinet FortiClient EMS security software to achieve this broadened access.

Recommended read:
References :
  • therecord.media: A subgroup of Russia's Sandworm state-backed hacking group has been running a multi-year campaign to gain initial access to dozens of strategically important organizations across the U.S. and Europe
  • www.bleepingcomputer.com: A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
  • www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
  • The Hacker News: Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries
  • Know Your Adversary: Microsoft Threat Intelligence has published a report on Seashell Blizzard, a high-impact threat actor that conducts global activities ranging from espionage to information operations and cyber-enabled disruptions.
  • BleepingComputer: A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
  • securityaffairs.com: Russia-linked APT Seashell Blizzard is behind the long running global access operation BadPilot campaign
  • Vulnerable U: Russian Hackers Expand Global Cyber Espionage Campaign with "BadPilot" Operation
  • hackread.com: Microsoft Uncovers ‘BadPilot’ Campaign as Seashell Blizzard Targets US and UK
  • Microsoft Security Blog: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
  • Cybernews: Microsoft researchers expose “BadPilot,” a subgroup aiding Kremlin-backed hackers Seashell Blizzard in global cyberattacks
  • Information Security Buzz: Russia-Linked Seashell Blizzard Intensifies Cyber Operations Against Critical Sectors
  • Industrial Cyber: Microsoft details Seashell Blizzard BadPilot campaign targeting energy, telecom, government sectors
  • Security Risk Advisors: Microsoft Security blog post on the BadPilot campaign.
  • BleepingComputer: Infosec.exchange post regarding the BadPilot campaign and its global access operation.
  • sra.io: SRA.io post discussing Seashell Blizzard's BadPilot campaign to exploit perimeter systems and expand global access.

Arda Büyükkaya@EclecticIQ Blog //
The Russian Sandworm group, a cyber-espionage unit with ties to the Russian military, is actively targeting Windows users in Ukraine. They are distributing malicious Microsoft Key Management Service (KMS) activators and fake Windows updates, compromising systems in the process. This campaign, which likely started in late 2023, showcases the ongoing cyber warfare efforts targeting Ukraine.

EclecticIQ threat analysts have linked these attacks to Sandworm based on overlapping infrastructure, consistent tactics, techniques, and procedures (TTPs), and the use of ProtonMail accounts to register domains used in the attacks. The attackers are also deploying a BACKORDER loader to deliver DarkCrystal RAT (DcRAT) malware. This malicious tool abuses legitimate Windows processes to evade detection, such as using `wmic` to add Microsoft Defender exclusions and `reg` to gather information about Defender's status, mimicking the behavior of legitimate KMS activators, while injecting malicious payloads onto compromised systems.

Recommended read:
References :
  • bsky.app: The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
  • BleepingComputer: Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
  • www.bleepingcomputer.com: Russian military hackers deploy malicious Windows activators in Ukraine
  • Know Your Adversary: EclecticIQ analysts presented a report on recent Sandworm campaign, where the threat actors used trojanized Microsoft KMS activation tools to deliver BACKORDER loader.
  • EclecticIQ Blog: Sandworm APT Targets Ukrainian Users With Trojanized Microsoft KMS Activation Tools In Cyber Espionage Campaigns
  • Anonymous: Details about the malicious Microsoft KMS activation tools used in a recent Sandworm campaign.
  • MSSP feed for Latest: Reports that attacks involving malicious Microsoft Key Management Service activators and bogus Windows updates have been deployed.
  • securityaffairs.com: Report highlights that a Sandworm subgroup exploited trojanized Microsoft KMS activation tools.
  • ciso2ciso.com: Source: socprime.com – Author: Daryna Olyniychuk For over a decade, russia-backed Sandworm APT group (also tracked as UAC-0145, APT44) has consistently targeted Ukrainian organizations, with a primary focus on state bodies and critical infrastructure.
  • www.microsoft.com: Details of the BadPilot operation conducted by the Sandworm subgroup, targeting critical organizations and governments.
  • ciso2ciso.com: Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine – Source: socprime.com
  • securityonline.info: Discussion of the campaign, the methods used by the attackers and potential consequences.
  • BleepingComputer: A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
  • Microsoft: Microsoft Threat Intelligence reports on a subgroup within Russian APT Seashell Blizzard (aka Sandworm, APT44) and their multiyear [sic] initial access operation (tracked as the "BadPilot campaign"). This blog details this subgroup's recently observed tactics, techniques, and procedures (TTPs), and describes three of its distinct exploitation patterns. The geographical targeting to a near-global scale of this campaign expands Seashell Blizzard's scope of operations beyond Eastern Europe. Additionally, the opportunistic access methods outlined in this campaign will continue to offer Russia opportunities for niche operations and activities. Indicators of compromise and Yara rules are listed.
  • socprime.com: Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine
  • securityaffairs.com: Microsoft Threat Intelligence has published research on a subgroup of the Russia-linked APT group Seashell Blizzard behind the global BadPilot campaign, which compromises infrastructure to support Russian cyber operations. Seashell Blizzard (aka Sandworm, BlackEnergy and TeleBots) has been active in the cybersecurity arena for more than a decade.

@www.bleepingcomputer.com //
Microsoft is warning of code injection attacks that leverage publicly exposed ASP.NET machine keys. In December 2024, Microsoft Threat Intelligence observed attackers using publicly available ASP.NET machine keys to inject malicious code and deliver the Godzilla post-exploitation framework. Developers have been found incorporating these keys, which are designed to protect ViewState from tampering, from public resources like code documentation and repositories. This has enabled attackers to perform malicious actions on targeted servers through ViewState code injection attacks.

Microsoft has identified over 3,000 leaked ASP.NET keys that could be used in these attacks. These publicly disclosed keys pose a higher risk compared to compromised or stolen keys previously sold on dark web forums, as they are readily available in multiple code repositories and may have been integrated into development code without modification. Microsoft recommends that organizations avoid copying keys from public sources and regularly rotate their keys.
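A configuration audit in the spirit of the mitigation Microsoft recommends above (do not copy keys from public sources, rotate them), added here and not taken from the page or from Microsoft's report: it extracts the machineKey element from several web.config files, flags keys whose fingerprint matches a list of already-published keys, and flags keys shared between applications. The sample configs, the placeholder "published" key and the fingerprint list are constructed for this example.

```python
"""Added example (not from the page or Microsoft's report): audit ASP.NET
web.config files for static <machineKey> values that were copied from a
public source or reused across applications.  Sample configs and the
'published key' list are constructed; the placeholder key is not a real one.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder standing in for a key that was published in
# documentation or a public repository.  A real audit list would hold
# fingerprints of keys known to be public, never the key material itself.
PUBLISHED_VALIDATION_KEY = "A" * 128   # 64 bytes as hex, placeholder only
DEMO_DECRYPTION_KEY = "B" * 64         # constructed, shared by two apps below
PRIVATE_VALIDATION_KEY = "C" * 128     # constructed, unique to one app


def fingerprint(key_hex: str) -> str:
    """SHA-256 of the normalised hex key, so the audit compares digests only."""
    return hashlib.sha256(key_hex.strip().lower().encode("ascii")).hexdigest()


PUBLISHED_FINGERPRINTS = {fingerprint(PUBLISHED_VALIDATION_KEY)}

# Constructed web.config fragments keyed by application name.
SAMPLE_CONFIGS = {
    "portal": f"""<configuration><system.web>
  <machineKey validationKey="{PUBLISHED_VALIDATION_KEY}"
              decryptionKey="{DEMO_DECRYPTION_KEY}"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    "intranet": f"""<configuration><system.web>
  <machineKey validationKey="{PRIVATE_VALIDATION_KEY}"
              decryptionKey="{DEMO_DECRYPTION_KEY}"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    "api": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"/>
</system.web></configuration>""",
    "shop": "<configuration><system.web/></configuration>",
}


def extract_machine_key(config_xml: str):
    """Return the machineKey key attributes, or None if the element is absent."""
    root = ET.fromstring(config_xml)
    element = next(root.iter("machineKey"), None)
    if element is None:
        return None
    return {attr: element.get(attr, "") for attr in ("validationKey", "decryptionKey")}


def audit_configs(configs: dict) -> list[dict]:
    """Return findings for keys that are published or shared across apps."""
    findings = []
    first_use = {}  # fingerprint -> application that first declared it
    for app, xml_text in configs.items():
        keys = extract_machine_key(xml_text)
        if keys is None:
            continue  # no static key: ASP.NET auto-generates one (framework default)
        for attr, value in keys.items():
            if not value or value.startswith("AutoGenerate"):
                continue  # auto-generated keys cannot have been copied from anywhere
            fp = fingerprint(value)
            if fp in PUBLISHED_FINGERPRINTS:
                findings.append({"app": app, "attr": attr,
                                 "issue": "matches a published key"})
            if fp in first_use and first_use[fp] != app:
                findings.append({"app": app, "attr": attr,
                                 "issue": f"reused from {first_use[fp]}"})
            first_use.setdefault(fp, app)
    return findings


if __name__ == "__main__":
    for finding in audit_configs(SAMPLE_CONFIGS):
        print(finding)
```

Every key the audit flags should be replaced with freshly generated random material and the rotation repeated on a schedule; the fingerprint list is only as useful as the set of public keys it has been fed.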

Recommended read:
References :
  • The Hacker News: The Hacker News reports on Microsoft identifying thousands of leaked ASP.NET keys.
  • www.bleepingcomputer.com: BleepingComputer reports on Microsoft warning about attackers deploying malware using exposed ASP.NET keys.
  • www.helpnetsecurity.com: HelpNetSecurity covers the attack that compromised IIS servers by using exposed ASP.NET machine keys.
  • www.microsoft.com: Microsoft's security blog details code injection attacks using publicly disclosed ASP.NET machine keys.
  • BleepingComputer: Microsoft warns that attackers are deploying malware in ViewState code injection attacks using static ASP.NET machine keys found online.
  • Microsoft: In December 2024, Microsoft Threat Intelligence observed limited activity by an unattributed threat actor using a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework.
  • Help Net Security: Attackers compromise IIS servers by leveraging exposed ASP.NET machine keys
  • cyberinsider.com: Microsoft Threat Intelligence has identified a security risk involving publicly available ASP.NET machine keys, which have been exploited in code injection attacks.
  • gbhackers.com: Hackers exploit ASP.NET machine keys to hack IIS web servers remotely
  • BleepingComputer: Microsoft warns that attackers are deploying malware in ViewState code injection attacks using static ASP.NET machine keys found online.
  • Virus Bulletin: Microsoft researchers observed limited activity by an unattributed threat actor using a publicly available static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework.
  • securityaffairs.com: Attackers used a public ASP.NET machine to conduct ViewState code injection attacks
  • CyberInsider: Microsoft warns of code injection via exposed ASP.NET keys
  • Thomas Roccia :verified:: New Microsoft Threat Report: "ViewState Code Injection Attacks Using Publicly Disclosed ASP.NET Machine Keys". I wanted to understand more deeply how the attack works, so I created a detailed overview. Hope that helps.
  • Techmeme: Techmeme post about Microsoft warning on attackers injecting malware into ViewState.
  • Blog: Threat actors observed using exposed ASP.NET keys to deploy malware

@www.bleepingcomputer.com //
The North Korean hacking group Kimsuky has been observed in recent attacks employing a custom-built RDP Wrapper and proxy tools to directly access infected machines. A new report by AhnLab's ASEC team details additional malware used by Kimsuky in these attacks, highlighting the group's intensified use of modified tools for unauthorized system access. This cyber espionage campaign begins with spear-phishing tactics, distributing malicious shortcut files disguised as legitimate documents to initiate the infection chain.

These files, often disguised as PDFs or Office documents, execute commands via PowerShell or Mshta to download malware such as PebbleDash and the custom RDP Wrapper, enabling remote control of compromised systems. Kimsuky's custom RDP Wrapper, a modified version of an open-source utility, includes export functions designed to evade detection by security software, facilitating stealthy remote access. In environments where direct RDP access is restricted, Kimsuky deploys proxy malware to bypass network barriers, maintaining persistent access and employing keyloggers and information-stealing malware to exfiltrate sensitive data.

Recommended read:
References :
  • asec.ahnlab.com: Having previously analyzed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type
  • cyberpress.org: North Korean Hackers Deploy Custom RDP Wrapper to Hijack Remote Desktop
  • www.bleepingcomputer.com: Kimsuky hackers use new custom RDP wrapper for remote access
  • BleepingComputer: The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
  • securityonline.info: Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage
  • Cyber Security News: The North Korean cyber espionage group Kimsuky has intensified its use of custom-built tools, including a modified Remote Desktop Protocol (RDP) Wrapper, to gain unauthorized access to targeted systems.
  • Virus Bulletin: Having previously analysed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type.
  • Anonymous: The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
  • securityonline.info: Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage
  • securityaffairs.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.
  • ciso2ciso.com: North Korean APT Kimsuky Uses forceCopy Malware to Steal Browser-Stored Credentials – Source:thehackernews.com
  • Thomas Roccia :verified:: Having previously analysed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type.
  • Know Your Adversary: Kimsuky Abuses RDP Wrapper in a Recent Campaign
  • ciso2ciso.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer – Source: securityaffairs.com
  • ciso2ciso.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.
  • BleepingComputer: Additional information on the malware used in Kimsuky attacks, including PebbleDash backdoor and custom-made RDP Wrapper.
  • securityaffairs.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.

info@thehackernews.com (The Hacker News)@The Hacker News //
Microsoft has uncovered a new variant of the XCSSET macOS malware, marking the first major revision since 2022. This latest version features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. The malware is spread through infected Xcode projects, posing a significant risk to Apple developers.

The new XCSSET variant uses more randomized encoding methods, including Base64 in addition to xxd, and obfuscates module names to make analysis more difficult. The malware also employs a "dock method" where a fake Launchpad application is created, replacing the legitimate Launchpad's path in the dock, ensuring the malicious payload executes every time Launchpad is started. Microsoft advises users to inspect Xcode projects before using them and only install apps from trusted sources.

Recommended read:
References :
  • Talkback Resources: Talkback.sh article summarizing Microsoft's discovery of an advanced XCSSET malware variant for macOS.
  • The Hacker News: The Hacker News article about Microsoft uncovering a new XCSSET macOS malware variant with advanced obfuscation tactics.
  • www.bleepingcomputer.com: Microsoft spots XCSSET macOS malware variant used for crypto theft
  • Help Net Security: The XCSSET info-stealing malware is back, targeting macOS users and devs
  • securityonline.info: XCSSET Malware Returns with Enhanced Capabilities to Target macOS Users
  • www.helpnetsecurity.com: The XCSSET info-stealing malware is back, targeting macOS users and devs
  • ciso2ciso.com: Source: thehackernews.com – Author: . Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET as part of limited attacks in the wild.
  • The Register: XCSSET macOS malware returns with first new version since 2022 Known for popping zero-days of yesteryear, Microsoft puts Apple devs on high alert Microsoft says there's a new variant of XCSSET on the prowl for Mac users – the first new iteration of the malware since 2022.…
  • ciso2ciso.com: Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics – Source:thehackernews.com
  • go.theregister.com: XCSSET macOS malware returns with first new version since 2022 Known for popping zero-days of yesteryear, Microsoft puts Apple devs on high alert Microsoft says there's a new variant of XCSSET on the prowl for Mac users – the first new iteration of the malware since 2022.…
  • BleepingComputer: Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics
  • securityaffairs.com: New XCSSET macOS malware variant used in limited attacks

@securityonline.info //
Progress Software has released patches to address multiple high-severity vulnerabilities in its LoadMaster software. These flaws could allow remote, authenticated attackers to execute arbitrary system commands on affected systems. The vulnerabilities stem from improper input validation, where attackers who gain access to the management interface can inject malicious commands via crafted HTTP requests.

The affected software includes LoadMaster versions 7.2.48.12 and prior, 7.2.49.0 to 7.2.54.12 (inclusive), and 7.2.55.0 to 7.2.60.1 (inclusive), as well as Multi-Tenant LoadMaster version 7.1.35.12 and prior. Progress Software has implemented input sanitization to mitigate these vulnerabilities, preventing arbitrary system commands from being executed. Users are advised to update to the latest patched versions to ensure the security of their systems.

Recommended read:
References :
  • community.progress.com: Progress security advisory, 5 February 2024: four (8.4 high) Improper Input Validation vulnerabilities of Authenticated User in Progress LoadMaster allow OS Command Injection. Remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate could issue a carefully crafted HTTP request that allows arbitrary system commands to be executed. This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands being executed. We have not received any reports that these vulnerabilities have been exploited and we are not aware of any direct impact on customers.
  • securityaffairs.com: Progress Software fixed multiple high-severity LoadMaster flaws - SecurityAffairs
  • securityonline.info: Progress LoadMaster Security Update: Multiple Vulnerabilities Addressed - SecurityOnline
  • The Hacker News: Progress Software Patches High-Severity LoadMaster Flaws Affecting Multiple Versions - The Hacker News
  • securityonline.info: Security Online Article about Progress LoadMaster Security Update
  • Progress: Progress security advisory, 5 February 2024: (8.4 high) Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection

@cyberalerts.io //
A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands, which subsequently deploy the Havoc post-exploitation framework. This framework grants attackers remote access to compromised devices. The attackers conceal the different stages of their malware within SharePoint sites and employ a modified version of Havoc Demon in tandem with the Microsoft Graph API. This tactic is used to obfuscate command-and-control (C2) communications, making them appear as legitimate traffic within trusted Microsoft services.

The attack starts with a phishing email carrying an HTML attachment that, when opened, displays a fake error message. Using the ClickFix technique, that message tricks users into copying a malicious PowerShell command and running it in a terminal or PowerShell window, which triggers the next stage. The command downloads and executes a PowerShell script hosted on a server controlled by the attacker. This script checks for sandboxed environments, downloads the Python interpreter if needed, and executes a Python script serving as a shellcode loader for KaynLdr, launching the Havoc Demon agent on the infected host.

Recommended read:
References :
  • bsky.app: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices.
  • thehackernews.com: Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites
  • BleepingComputer: BleepingComputer post about a new ClickFix phishing campaign.
  • Anonymous: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havoc post-exploitation framework for remote access to compromised devices.
  • Talkback Resources: Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites [social] [mal]
  • Virus Bulletin: Virus Bulletin covers campaign combining ClickFix & multi-stage malware to deploy a modified Havoc Demon Agent.
  • Email Security - Blog: Cyber security researchers have discovered a new and sophisticated cyber attack campaign that’s predicated on social engineering and remote access tool use.

@Talkback Resources //
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.

The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community.

Recommended read:
References :
  • Virus Bulletin: Cisco Talos researcher Joey Chen describes how Lotus Blossom uses Sagerunex and other hacking tools for post-compromise activities. The espionage operation targets government, manufacturing, telecommunications & media organizations from Philippines, Vietnam, Hong Kong & Taiwan.
  • gbhackers.com: Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications
  • Talkback Resources: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
  • www.cysecurity.news: Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations
  • Cyber Security News: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics in Detail
  • gbhackers.com: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics
  • securityaffairs.com: Chinese Lotus Blossom APT targets multiple sectors with Sagerunex backdoor

info@thehackernews.com (The Hacker News)@The Hacker News //
A recent surge in cyberattacks has revealed that Microsoft Internet Information Services (IIS) servers are being targeted to deploy the BadIIS malware. This malware is designed for search engine optimization (SEO) fraud and malicious content injection. The campaign has been attributed to a Chinese-speaking group known as DragonRank, and it has been observed primarily in Asia, including India, Thailand, and Vietnam, with potential impact in other regions. Over 35 IIS servers across various industries, including government, universities, technology, telecommunications, and e-commerce sectors, have been compromised.

The BadIIS malware exploits vulnerabilities in unpatched IIS servers, allowing attackers to manipulate HTTP responses. It operates in two primary modes. In SEO fraud mode, it intercepts HTTP headers to identify traffic from search engines and redirects users to fraudulent gambling sites. In injector mode, it embeds obfuscated JavaScript into HTTP responses, redirecting users to attacker-controlled domains hosting malware or phishing schemes. Trend Micro's analysis has linked the malware to Chinese-speaking threat actors through domain names and code patterns written in simplified Chinese, and they also employ batch scripts for automated installation of malicious IIS modules.

Recommended read:
References :
  • gbhackers.com: GBHackers article on cybercriminals targeting IIS servers with BadIIS malware.
  • The Hacker News: The Hacker News article details DragonRank's exploitation of IIS servers using BadIIS malware.
  • Cyber Security News: Hackers Exploiting IIS Servers to Deploy BadIIS Malware on Servers
  • gbhackers.com: Cybercriminals Target IIS Servers to Spread BadIIS Malware
  • Know Your Adversary: 041. BadIIS: Hunting and Detection
  • ciso2ciso.com: Report describing BadIIS malware and its functionalities.
  • ciso2ciso.com: Threat actors have been observed targeting Internet Information Services (IIS) servers in Asia as part of a search engine optimization (SEO) manipulation campaign designed to install BadIIS malware.
  • www.trendmicro.com: TrendMicro published a report on a Chinese-speaking threat actor using BadIIS malware.
  • : InfoSec reports on DragonRank exploiting IIS servers for SEO fraud and gambling redirects.
  • Virus Bulletin: Trend Micro's Ted Lee & Lenart Bermejo analyse an SEO manipulation campaign targeting countries in Asia including India, Thailand & Vietnam. Threat actors exploit vulnerable IIS servers to install the BadIIS malware on the compromised servers.

@securityonline.info //
Microsoft has released a PowerShell script designed to help Windows users and administrators update bootable media. The update makes the media use the new "Windows UEFI CA 2023" certificate, which is critical for mitigating threats posed by the BlackLotus UEFI bootkit. This bootkit is capable of bypassing Secure Boot and gaining control over the operating system's boot process, potentially disabling crucial Windows security features.

The PowerShell script enables IT administrators to update the Windows Boot Manager’s certificates to align with the latest security standards. It supports various bootable media types, including ISO CD/DVD image files, USB flash drives, local drive paths, and network drive paths. To execute the update, the Windows ADK (Assessment and Deployment Kit) must be installed.

Recommended read:
References :
  • BleepingComputer: Microsoft has released a PowerShell script to help Windows users and admins update bootable media so it utilizes the new "Windows UEFI CA 2023" certificate before the mitigations of the BlackLotus UEFI bootkit are enforced later this year.
  • securityonline.info: Microsoft Releases PowerShell Script for UEFI Certificate Update
  • Cybersecurity News: Although support for Windows 8 has long since ended, Windows 11 still retains UEFI digital certificates issued during
  • Anonymous: Microsoft has released a PowerShell script to help Windows users and admins update bootable media so it utilizes the new "Windows UEFI CA 2023" certificate before the mitigations of the UEFI bootkit are enforced later this year.

Sergiu Gatlan@BleepingComputer //
Microsoft has identified a North Korean hacking group known as Moonstone Sleet, previously tracked as Storm-1789, deploying Qilin ransomware in limited attacks. This represents a shift for the group, as they have historically used custom-built ransomware. The adoption of Qilin ransomware signifies a move towards Ransomware-as-a-Service (RaaS), where they utilize ransomware developed by external operators rather than relying solely on their own tools.

Moonstone Sleet's move to RaaS marks a new era in cyber threats, primarily driven by financial motivations, a departure from previous espionage-focused operations. They have been observed demanding ransoms as high as $6.6 million in Bitcoin. The group has also been known to use creative tactics, including fake companies, trojanized software, and even a malicious game to infiltrate targets, showcasing their adaptability and resourcefulness.

Recommended read:
References :
  • gbhackers.com: North Korean Moonstone Sleet Uses Creative Tactics to Deploy Custom Ransomware
  • The DefendOps Diaries: Moonstone Sleet's Shift to Ransomware-as-a-Service: A New Era in Cyber Threats
  • BleepingComputer: Microsoft: North Korean hackers join Qilin ransomware gang
  • Cyber Security News: North Korean Moonstone Sleet Deploys Custom Ransomware with Creative Tactics

Aman Mishra@gbhackers.com //
Cybersecurity researchers have revealed a sophisticated campaign in which attackers abuse Microsoft Teams and Quick Assist to gain remote access. The attacks have been attributed to ransomware groups such as Black Basta and Cactus, highlighting a growing trend of cybercriminals abusing legitimate tools to bypass security defenses and infiltrate corporate networks. The attackers use social engineering tactics, starting with email flooding and followed by direct contact via Microsoft Teams, impersonating IT support staff to trick victims into granting access through Microsoft’s Quick Assist tool.

Once inside, attackers deploy additional malware by abusing OneDriveStandaloneUpdater.exe, a legitimate Microsoft process. By sideloading malicious DLLs, they establish persistent control and use BackConnect malware for command-and-control communication. This campaign has impacted various regions and industries, with a significant number of incidents occurring in North America, particularly the United States, and Europe. Manufacturing, financial services, and real estate sectors have been particularly targeted, as these threat actors are actively working around conventional security measures.

Recommended read:
References :

Pierluigi Paganini@Security Affairs //
Microsoft has issued updates to address a critical vulnerability, CVE-2025-24989, impacting its Power Pages platform. This flaw, a high-severity issue, is already being actively exploited in the wild, allowing unauthorized access to websites. Threat actors can leverage the vulnerability to achieve privilege escalation within targeted networks and evade user registration controls, granting them unauthorized access to sites.

Microsoft reports that the vulnerability, CVE-2025-24989, only impacts certain Power Pages users. The company urges users to examine their websites for possible compromise. The U.S. CISA has added the Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog.

Recommended read:
References :
  • securityaffairs.com: U.S. CISA adds Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog
  • socradar.io: Microsoft Patches Power Pages Zero-Day (CVE-2025-24989) & Recent PAN-OS Flaw (CVE-2025-0111) Joins CISA KEV
  • www.scworld.com: Actively exploited Microsoft Power Pages flaw patched
  • Report Boom: Microsoft has addressed a high-severity issue in Power Pages, CVE-2025-24989...

@arcticwolf.com //
Microsoft has released its February 2025 security update, addressing a total of 63 newly disclosed vulnerabilities. This update, released on February 11th, includes patches for various Microsoft products. Arctic Wolf has highlighted three vulnerabilities in this security bulletin that affect Microsoft Windows and are classified as critical or have been exploited in the wild.

Among the vulnerabilities addressed, two are actively being exploited, including CVE-2025-21418, a Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability, and CVE-2025-21391, a Windows Storage Elevation of Privilege Vulnerability. Users are strongly advised to apply these updates promptly to mitigate the risk posed by these threats. This month, Microsoft has released patches addressing a total of 141 vulnerabilities.

Recommended read:
References :
  • Arctic Wolf: Microsoft Patch Tuesday: February 2025
  • isc.sans.edu: Microsoft February 2025 Patch Tuesday, (Tue, Feb 11th)
  • Tenable Blog: Microsoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391)

@www.bleepingcomputer.com //
Microsoft has issued a reminder that driver synchronization within Windows Server Update Services (WSUS) will be deprecated on April 18, 2025, which is 90 days from now. This change means that WSUS will no longer provide driver updates, requiring IT administrators to explore alternative methods for managing drivers. Microsoft had previously announced this change in June 2024 and is now reiterating the upcoming deprecation. This move is part of a broader shift towards cloud-based management platforms, and Microsoft is no longer investing in new features for WSUS.

The removal of driver synchronization means that on-premises environments will need to source driver updates directly from the Microsoft Update Catalog. However, those drivers will not be importable into WSUS, forcing administrators to use alternative solutions such as device driver packages, Microsoft Intune, or Windows Autopatch. While the core WSUS functions for distributing other updates will remain active, the change affects a significant portion of users who rely on WSUS for driver management, although Microsoft states that a majority had already adopted alternative solutions. The remaining WSUS functionality is expected to remain available until around 2034.

Recommended read:
References :
  • www.bleepingcomputer.com: Microsoft has reminded Windows administrators that driver synchronization in Windows Server Update Services (WSUS) will be deprecated on April 18, 90 days from now.
  • www.heise.de: Only 90 days left: WSUS Driver Synchronization before the end
  • TechSpot: Microsoft issues reminder that Windows Server Update Services will soon stop providing driver downloads
  • heise online English: Only 90 days left: WSUS Driver Synchronization before the end. The distribution of driver updates via WSUS will come to an abrupt end on April 18; Microsoft is now reminding us of this.

Pierluigi Paganini@Security Affairs //
The Cybersecurity and Infrastructure Security Agency (CISA) has recently added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. These vulnerabilities affect Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM), posing significant risks to organizations. The advisory issued by CISA strongly urges immediate remediation to mitigate the threat of potential exploitation.

These vulnerabilities include CVE-2017-3066 in Adobe ColdFusion and CVE-2024-20953 in Oracle Agile PLM. The agency has set a deadline of March 17, 2025, for federal agencies to secure their networks against these flaws. Active exploitation attempts have been reported, highlighting the urgency of applying necessary updates.

Recommended read:
References :
  • Talkback Resources: Two Actively Exploited Security Flaws in Adobe and Oracle Products Flagged by CISA [exp] [net]
  • thecyberexpress.com: CISA Warns of Actively Exploited Adobe ColdFusion and Oracle Agile PLM Vulnerabilities
  • cyble.com: Overview The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.

@securityonline.info //
A proof-of-concept (PoC) exploit has been released for CVE-2025-21293, a critical elevation of privilege vulnerability affecting Active Directory Domain Services (AD DS). The vulnerability, patched by Microsoft in its January 2025 security update, allows attackers to escalate privileges to SYSTEM. Sebastian Sadeq Birke of ReTest Security ApS discovered and reported the vulnerability. Birke also published the PoC exploit code on his blog to demonstrate the vulnerability's potential impact.

The vulnerability is rooted in Active Directory’s "Network Configuration Operators" group, a default security group created when setting up on-premises domain controllers. This group, intended to grant control over network interfaces without full administrative rights, was found to have excessive privileges, specifically the ability to create registry subkeys for sensitive services. Microsoft addressed this vulnerability in the January security update released on January 14, 2025, and organizations using Active Directory Domain Services are urged to apply the update promptly to mitigate the risk.

Recommended read:
References :
  • securityonline.info: Privilege Escalation in Active Directory Domain Services: CVE-2025-21293 Exploit Revealed with PoC Code
  • SOC Prime Blog: CVE-2025-21293 Detection: PoC Exploit Released for a Privilege Escalation Vulnerability in Active Directory Domain Services
  • Pyrzout: PoC Exploit Released for Active Directory Domain Services Privilege Escalation Vulnerability

@cloudsecurityalliance.org //
A critical vulnerability has been discovered in Microsoft's Multi-Factor Authentication (MFA) system, potentially allowing attackers to bypass security measures and gain unauthorized access to Office 365 accounts. The vulnerability, uncovered by Oasis Security, exploited a lack of rate limiting on session creation combined with a tolerance for time variations in Time-based One-Time Password (TOTP) codes. Together, these allowed MFA codes to be brute-forced within a 70-minute window: attackers could rapidly create new sessions and attempt numerous codes in each, effectively bypassing the MFA protection.

The bypass required no user interaction and, alarmingly, generated no notifications, leaving the account holder unaware of the attempts. Microsoft has since implemented a stricter rate limit to mitigate the vulnerability. Before the fix, up to 10 failed attempts were allowed, and a single code remained valid for around 3 minutes because of the tolerance for time differences; this extended window raised the chance of guessing a valid code and compromising the account. Microsoft worked with Oasis Security to resolve the flaw.
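As an added illustration (not code from the article or from Oasis Security), the following Python model shows the two controls the report singles out: the time tolerance, which decides how many codes are simultaneously valid, and where the failed-attempt counter lives, which decides whether opening a fresh session resets it. It assumes a standard 30-second RFC 6238 step and a constructed seed; the 10-attempt limit and the roughly 3-minute tolerance are the figures reported above.

```python
import hashlib
import hmac
import struct

STEP = 30          # TOTP time step in seconds (assumed: RFC 6238 default)
DIGITS = 6
SECRET = b"constructed-demo-seed"   # constructed sample seed, not a real one

def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 / RFC 4226 code for one time-step counter (HMAC-SHA1, 6 digits)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{word % 10 ** DIGITS:0{DIGITS}d}"

class MfaVerifier:
    """skew_steps: steps either side of 'now' that are accepted (time tolerance).
    per_account=False keeps the failure counter in the login session, so a new
    session starts at zero (the weakness above); True shares it across sessions."""
    def __init__(self, skew_steps: int, max_fails: int, per_account: bool):
        self.skew, self.max_fails, self.per_account = skew_steps, max_fails, per_account
        self.account_fails = 0

    def new_session(self) -> dict:
        return {"fails": 0}

    def accepted_codes(self, now: int) -> set:
        base = now // STEP   # every code in this set is valid at the same instant
        return {totp(SECRET, base + d) for d in range(-self.skew, self.skew + 1)}

    def verify(self, session: dict, code: str, now: int) -> str:
        fails = self.account_fails if self.per_account else session["fails"]
        if fails >= self.max_fails:
            return "locked"                 # rejected before the code is checked
        if code in self.accepted_codes(now):
            return "ok"
        if self.per_account:
            self.account_fails += 1
        else:
            session["fails"] += 1
        return "bad_code"

def evaluated_wrong_guesses(v: MfaVerifier, sessions: int, now: int) -> int:
    """Submit a wrong code across fresh sessions and count how many guesses the
    verifier actually evaluated: the exposure a given limit design leaves open."""
    wrong = next(c for c in ("000000", "000001") if c not in v.accepted_codes(now))
    evaluated = 0
    for _ in range(sessions):
        session = v.new_session()
        for _ in range(v.max_fails + 5):    # push past the limit to exercise lockout
            if v.verify(session, wrong, now) == "bad_code":
                evaluated += 1
    return evaluated
```

With a per-session counter, five sessions yield fifty evaluated guesses; with a per-account counter, the same five sessions yield ten, and a wider skew multiplies the number of codes that count as correct at once.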

Recommended read:
References :
  • cloudsecurityalliance.org: This article describes the vulnerability in detail and Microsoft's response to fix it.
  • www.infosecurity-magazine.com: Infosecurity Magazine reported on Oasis Security's discovery of the critical vulnerability in Microsoft's MFA, explaining the exploit and Microsoft's response.