CISO2CISO Editor 2@ciso2ciso.com - 50d
A critical zero-day vulnerability, identified as CVE-2025-0282, is actively being exploited in the wild, affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. This stack-based buffer overflow allows unauthenticated remote attackers to execute arbitrary code on vulnerable devices. Ivanti has confirmed that a limited number of Connect Secure appliances have already been targeted by this exploit. The flaw carries a critical CVSS score of 9.0 and is particularly concerning because it enables remote code execution without requiring any authentication. The company became aware of the activity through its Integrity Checker Tool (ICT) and has since released a patch for the Connect Secure product line.
Alongside CVE-2025-0282, Ivanti is also addressing CVE-2025-0283, a high-severity stack-based buffer overflow vulnerability with a CVSS score of 7.0. This vulnerability requires a local authenticated attacker and allows for privilege escalation. While no exploitation of CVE-2025-0283 has been observed, patches for all affected products are being developed with fixes for Policy Secure and Neurons for ZTA Gateways expected on January 21. Ivanti urges all customers to apply the provided fixes for Connect Secure (v22.7R2.5) immediately, and to perform factory resets if the integrity checker shows signs of compromise. The company will share indicators of compromise with impacted customers to aid forensic investigations.
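The fixed versions named in the advisory (Connect Secure 22.7R2.5, Policy Secure 22.7R1.2, Neurons for ZTA gateways 22.7R2.3) are the useful inventory check here. The script below is an added example, not Ivanti's tooling: it parses Ivanti-style version strings, compares each appliance against the fixed version for its product line, and refuses to treat a version it cannot parse as patched. Hostnames and version strings in the inventory are constructed.

```python
# Added example (not Ivanti's tooling): triage an appliance inventory against
# the fixed versions named in the advisory summary above. Hostnames and
# version strings below are constructed.
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions as stated on the page, per product line.
FIXED_VERSIONS: Dict[str, str] = {
    "Connect Secure": "22.7R2.5",
    "Policy Secure": "22.7R1.2",
    "Neurons for ZTA": "22.7R2.3",
}

# Ivanti-style version: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """'22.7R2.5' -> (22, 7, 2, 5); a missing patch component counts as 0.
    Returns None when the string does not follow the expected form, so that
    callers cannot silently treat an unknown build as patched."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when 'version' sorts before the product's fixed version."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unparseable version string: {version!r}")
    fixed = parse_version(FIXED_VERSIONS[product])
    assert fixed is not None
    return parsed < fixed


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map (host, product, version) records to (host, status). Version strings
    that cannot be parsed are surfaced as 'unknown-version' for manual follow-up
    rather than being dropped."""
    results = []
    for host, product, version in inventory:
        try:
            status = "vulnerable" if is_vulnerable(product, version) else "patched"
        except ValueError:
            status = "unknown-version"
        results.append((host, status))
    return results


# Constructed inventory; "build-unknown" simulates a device whose version the
# scanner could not read.
SAMPLE_INVENTORY = [
    ("vpn-01", "Connect Secure", "22.7R2.4"),
    ("vpn-02", "Connect Secure", "22.7R2.5"),
    ("nac-01", "Policy Secure", "22.7R1.1"),
    ("zta-01", "Neurons for ZTA", "22.7R2.3"),
    ("vpn-03", "Connect Secure", "build-unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

The comparison takes the advisory's "before version X" wording literally, so older release trains sort as vulnerable as well; a version check like this complements, and does not replace, running the Integrity Checker Tool, since a patched appliance may already have been compromised before the fix was applied.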
References:
- forums.ivanti.com: Security Advisory: Ivanti Connect Secure, Policy Secure, ZTA Gateways - CVE-2025-0282, CVE-2025-0283
- www.helpnetsecurity.com: Ivanti Connect Secure zero-day exploited by attackers (CVE-2025-0282)
- ciso2ciso.com: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
- The Hacker News: Ivanti Flaw CVE-2025-0282 Actively Exploited
- securityonline.info: CVE-2025-0282 (CVSS 9.0): Ivanti Confirms Active Exploitation of Critical Flaw
- Kevin Beaumont: Ivanti Connect Secure, Policy Secure & ZTA Gateways customers, it's time to upgrade again as there's another two zero days already being exploited in the wild - CVE-2025-0282 and CVE-2025-0283 Unauth code execution.
- gbhackers.com: Ivanti 0-Day Vulnerability Exploited in Wild-Patch Now
- CISA: So hot off the press that it's not live yet 🥵🔥🔥 ( 9.0 critical ) A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
- Pyrzout :vm:: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
- securityboulevard.com: Alert of Buffer Overflow Vulnerabilities in Multiple Ivanti Products (CVE-2025-0282)
- Pyrzout :vm:: Zero-day exploits plague Ivanti Connect Secure appliances for second year running – Source: go.theregister.com
- Techmeme: Ivanti warns that a zero-day in its widely-used Connect Secure VPN service has been exploited to compromise the networks of its corporate customers
- techcrunch.com: Hackers are exploiting a new Ivanti VPN security bug to hack into company networks
- www.tenable.com: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
- ciso2ciso.com: Zero-day exploits plague Ivanti Connect Secure appliances for second year running – Source: go.theregister.com
- Latest from TechRadar: Ivanti warns another critical security flaw is being attacked
- www.bleepingcomputer.com: Banshee stealer evades detection using apple xprotect
- watchTowr: Absolutely scathing review and rightful criticism of Ivanti as watchTowr successfully reproduces ( 9.0 critical ) Ivanti Connect Secure Buffer Overflow Vulnerability.
- securityonline.info: Ivanti Connect Secure Zero-Day Threat: 2,048 Vulnerable Devices and Critical Exploitation Details Unveiled
- www.scworld.com: Active exploitation of Ivanti Connect Secure zero-day ongoing
- ciso2ciso.com: China’s UNC5337 Exploits a Critical Ivanti RCE Bug, Again – Source: www.darkreading.com
- Kevin Beaumont: WatchTowr have a good look at the latest Ivanti Pulse Secure zero day. Honestly? Don’t buy this product. It isn’t secure and they’re hiding problems.
- securityaffairs.com: U.S. CISA adds Ivanti Connect Secure, Policy Secure, and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog
- fortiguard.fortinet.com: Ivanti Connect Secure Zero-Day Vulnerability
- labs.watchtowr.com: Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) - watchTowr Labs
- Pyrzout :vm:: China’s UNC5337 Exploits a Critical Ivanti RCE Bug, Again – Source: www.darkreading.com
- www.helpnetsecurity.com: Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast
- Pyrzout :vm:: Ivanti Rolls Out Patches to Mitigate Exploits in Connect Secure, Policy Secure, and ZTA Gateways
- thecyberexpress.com: Ivanti Vulnerabilities Patches Roll Out - The Cyber Express
- thecyberexpress.com: Ivanti Rolls Out Patches to Mitigate Exploits in Connect Secure, Policy Secure, and ZTA Gateways
- arcticwolf.com: CVE-2025-0282: Critical Zero-Day Remote Code Execution Vulnerability Impacts Several Ivanti Products
- gbhackers.com: Gbhackers article about PoC release for Ivanti RCE vulnerability.
@gbhackers.com - 16d
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.
If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft.
References:
- gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
- securityaffairs.com: North Korea-linked APT Emerald Sleet is using a new tactic
- The Hacker News: The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets.
- BleepingComputer: North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired from the now widespread ClickFix campaigns.
- Microsoft Threat Intelligence: Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
- www.bleepingcomputer.com: Reports on Emerald Sleet's activity exploiting PowerShell.
- www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
- www.scworld.com: PowerShell exploited in new Kimsuky intrusions
- Talkback Resources: Kimsuky, a North Korean nation-state threat actor, is conducting an ongoing cyber attack campaign named DEEP#DRIVE targeting South Korean business, government, and cryptocurrency sectors using tailored phishing lures and leveraging PowerShell scripts and Dropbox for payload delivery and data exfiltration.
- The Hacker News: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
- MSSP feed for Latest: Ongoing Kimsuky Attack Campaign Exploits PowerShell, Dropbox
- securityaffairs.com: Analyzing DEEP#DRIVE: North Korean
@cyberscoop.com - 14d
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.
Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.
References:
- cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
- The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
- Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
- techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
- www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
- Threats | CyberScoop: Salt Typhoon remains active, hits more telecom networks via Cisco routers
- cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
- securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
- CyberInsider: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
- Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
- Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks [exp] [net]
- Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
- Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
- PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
- ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
- ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
- securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
- BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
- industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
- securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
- Industrial Cyber: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
- SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
- Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
- cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
- cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
@www.bleepingcomputer.com - 9d
Chinese-linked threat actor Mustang Panda has been observed exploiting the Microsoft Application Virtualization Injector (MAVInject.exe) utility to evade antivirus detection. According to research from Trend Micro, the group injects malicious payloads into legitimate processes, such as waitfor.exe, using MAVInject.exe, a LOLBIN (Living Off the Land Binary). This allows the malware to operate without being flagged by security software. This technique involves combining legitimate software components with malicious code to bypass security measures and maintain control of compromised systems.
Researchers discovered that Mustang Panda initially drops multiple files, including legitimate executables and malicious components, and deploys a decoy PDF. A legitimate Electronic Arts application ("OriginLegacyCLI.exe") is executed to sideload a modified version of the TONESHELL backdoor. The malware then checks for ESET antivirus processes and, if detected, uses "waitfor.exe" and "MAVInject.exe" to inject malicious code. This allows them to evade detection and maintain persistence in compromised systems, ultimately establishing connections with a remote server to receive commands and exfiltrate data.
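The detection opportunity in the chain above is the process lineage: a sideloaded third-party binary starting waitfor.exe as an idle host process and then MAVInject.exe with that process's PID on the command line. The following is an added example, not Trend Micro's or Microsoft's code: it runs that logic over constructed process-creation records (field names mirror Sysmon Event ID 1). The allowed-parent set (AppVClient.exe as the App-V client service), the user-writable path hints, and all PIDs, paths and DLL names are assumptions or constructed placeholders; the MAVInject command syntax in the sample follows the LOLBAS entry for the binary.

```python
# Added example (not Trend Micro's or Microsoft's code): flag the
# MAVInject.exe / waitfor.exe injection pattern described above in
# process-creation telemetry. Field names mirror Sysmon Event ID 1, but the
# records, paths, PIDs and DLL names below are constructed.
import ntpath
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line


# Assumption: in this environment only the App-V client service should ever
# launch MAVInject.exe. Tune to what the fleet actually runs.
ALLOWED_MAVINJECT_PARENTS = {"appvclient.exe"}
# Path fragments indicating a DLL dropped somewhere a user can write.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: List[ProcEvent]) -> List[Dict]:
    """Return one finding per suspicious process, with the reasons it tripped."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = _base(e.image)
        parent = by_pid.get(e.ppid)
        parent_img = _base(parent.image) if parent else "<unknown>"
        reasons = []
        if img in ("mavinject.exe", "mavinject32.exe"):
            if parent_img not in ALLOWED_MAVINJECT_PARENTS:
                reasons.append(f"launched by {parent_img}, not the App-V client")
            # MAVInject takes the target PID and a DLL path on its command line;
            # resolve the PID against the processes we have seen being created.
            for tok in e.cmdline.split():
                if tok.isdigit():
                    target = by_pid.get(int(tok))
                    if target and _base(target.image) == "waitfor.exe":
                        reasons.append(f"injection target pid {tok} is waitfor.exe")
                elif tok.lower().endswith(".dll") and any(h in tok.lower() for h in USER_WRITABLE_HINTS):
                    reasons.append(f"DLL from user-writable path: {tok}")
        elif img == "waitfor.exe":
            # waitfor.exe is a scripting helper normally started by cmd/scripts
            # living under the Windows directory; a third-party binary spawning
            # it as an idle host process is the pattern described on the page.
            if parent and not parent.image.lower().startswith("c:\\windows\\"):
                reasons.append(f"waitfor.exe spawned by non-Windows binary {parent_img}")
        if reasons:
            findings.append({"pid": e.pid, "image": img, "reasons": reasons})
    return findings


# Constructed sample: a sideloaded OriginLegacyCLI.exe spawns waitfor.exe and
# then MAVInject.exe to inject a DLL into it. The last two records are a benign
# App-V client invocation for contrast (placeholder paths).
SAMPLE_EVENTS = [
    ProcEvent(4012, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5120, 4012, r"C:\Users\alice\Downloads\OriginLegacyCLI.exe", "OriginLegacyCLI.exe"),
    ProcEvent(5300, 5120, r"C:\Windows\System32\waitfor.exe", "waitfor.exe EXAMPLESIGNAL"),
    ProcEvent(5316, 5120, r"C:\Windows\System32\mavinject.exe",
              r"mavinject.exe 5300 /INJECTRUNNING C:\Users\alice\AppData\Local\Temp\payload.dll"),
    ProcEvent(2000, 4, r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe", "AppVClient.exe"),
    ProcEvent(6000, 2000, r"C:\Windows\System32\mavinject.exe",
              r"mavinject.exe 2040 /INJECTRUNNING C:\PLACEHOLDER_APPV_DIR\example.dll"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["pid"], f["image"], "; ".join(f["reasons"]))
```

The three reasons stack on the same event, which is what makes the rule tolerable in production: a single signal such as MAVInject.exe with an unexpected parent will fire on legitimate App-V maintenance, whereas the combination of a non-Windows parent, a waitfor.exe target and a DLL in a user-writable directory is specific to this tradecraft.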
References:
- www.trendmicro.com: Trend Micro’s Nathaniel Morales & Nick Dai discuss the latest technique used by Earth Preta (Mustang Panda), in which the APT group leverages MAVInject & Setup Factory to deploy payloads, bypass ESET antivirus, & maintain control over compromised systems.
- securityonline.info: Researchers from Trend Micro’s Threat Hunting team have discovered a new campaign by the advanced persistent threat (APT)
- Talkback Resources: Trend Micro's Threat Hunting team discovered Earth Preta (Mustang Panda) using legitimate and malicious components in a new campaign targeting government entities in the Asia-Pacific region, urging vigilance among cybersecurity professionals, particularly those using ESET antivirus applications.
- Talkback Resources: Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection [app] [mal]
- securityonline.info: Earth Preta APT Group Evades Detection with Legitimate and Malicious Components
- aboutdfir.com: InfoSec News Nuggets on Chinese APT group abuse of Microsoft's Application Virtualization Injector utility.
- The Hacker News: Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks
- www.bleepingcomputer.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus
- Anonymous: The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- BleepingComputer: The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- Know Your Adversary: Here's How Mustang Panda Evades AV and How to Detect It
- BleepingComputer: Infosec Exchange Post about Mustang Panda abusing Microsoft APP-V tool to evade antivirus.
- Information Security Buzz: Mustang Panda APT Exploits Windows Utilities to Slip Through Security Nets
- aboutdfir.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus. The Chinese APT hacking group “Mustang Panda” has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- Talkback Resources: Chinese state-sponsored threat actor Mustang Panda is using a novel technique involving MAVInject.exe to inject malicious payloads into external processes, dropping multiple files and deploying a decoy PDF to distract victims, while evading detection and maintaining persistence in compromised systems.
@Techmeme - 48d
The Chinese state-sponsored hacking group known as "Silk Typhoon," also referred to as Hafnium, is reportedly behind a significant cyber breach targeting the US Treasury Department in December 2024. The hackers are believed to have exploited a stolen Remote Support SaaS API key, obtained through third-party cybersecurity vendor BeyondTrust, to access and steal data from workstations within the Office of Foreign Assets Control (OFAC). Silk Typhoon is known for its cyber espionage activities, typically using tools like the China Chopper Web shell, and has previously targeted sectors including education, healthcare, defense, and non-governmental organizations. The group also targeted the Treasury Department’s Office of Financial Research in the attack.
The same group is also implicated in breaching the Committee on Foreign Investment in the United States (CFIUS), which is a government office tasked with assessing national security risks associated with foreign investments. According to reports, the attackers gained access to CFIUS systems and are suspected of stealing sensitive information. The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that the exploits appear to be isolated to this specific agency, with no indication of other federal agencies being impacted. This coordinated attack highlights an escalation in the sophistication and scope of Silk Typhoon's cyber-espionage campaigns.
References:
- ciso2ciso.com: Hacking Group ‘Silk Typhoon’ Linked to US Treasury Breach – Source: www.darkreading.com
- Pyrzout :vm:: Hacking Group ‘Silk Typhoon’ Linked to US Treasury Breach – Source: www.darkreading.com
- BleepingComputer: Treasury hackers also breached US foreign investments review office
- Patrick C Miller :donor:: Chinese hackers breached US government office that assesses foreign investments for national security risks | CNN Politics
- bsky.app: Chinese hackers, part of the state-backed Silk Typhoon threat group, have reportedly breached the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments to determine national security risks.
- BleepingComputer: Chinese hackers, part of the state-backed Silk Typhoon threat group, have reportedly breached the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments to determine national security risks.
- www.cnn.com: Chinese hackers breached US government office that assesses foreign investments for national security risks | CNN Politics
- Screaming Goat: Get it while it's still hot: I created an APT profile on "Silk Typhoon" (aka HAFNIUM) which is publicly attributed to the People's Republic of China (PRC) Ministry of State Security (MSS) by the . They've recently become popular again due to the hack of the U.S. Department of the Treasury via stolen API key from the BeyondTrust breach in December 2024.
- techcrunch.com: China hacked US Treasury's CFIUS, which reviews foreign investments for national security risks | TechCrunch
- infosec.press: Screaming Goat : APT profile on "Silk Typhoon" (aka HAFNIUM).
- techcrunch.com: China hacked US Treasury’s CFIUS, which reviews foreign investments for national security risks
- Techmeme: Sources: Chinese hackers breached CFIUS, the US government office that reviews foreign investments for national security risks (Sean Lyngaas/CNN)
- Patrick C Miller :donor:: China hacked US Treasury's CFIUS, which reviews foreign investments for national security risks | TechCrunch
- Metacurity: Chinese hackers breached US government office that assesses foreign investments for national security risks
@securityonline.info - 37d
A sophisticated cyber-espionage campaign is targeting organizations in Chinese-speaking regions, including China, Hong Kong, and Taiwan. The attacks, attributed to the Silver Fox APT group, employ a multi-stage loader called PNGPlug to deliver the ValleyRAT malware. The attack chain initiates with phishing websites that trick victims into downloading malicious Microsoft Installer (MSI) packages disguised as legitimate software. Once executed, the installers deploy benign applications to maintain the illusion of legitimacy while extracting an encrypted archive containing the malware payload. The MSI package uses Windows Installer’s CustomAction feature to execute malicious code, including a DLL that decrypts an archive using a hardcoded password, extracting core components.
The PNGPlug loader is a key component of the attack, utilizing files disguised as PNG images to conceal malicious payloads. These encoded PNG files inject components into memory, allowing the attack to bypass security mechanisms. The loader decrypts payloads, injects malicious processes and patches ntdll.dll to enable memory injection. The ValleyRAT malware, a remote access trojan, is designed for stealth and persistence, using memory-based shellcode execution and privilege escalation. It establishes persistence through scheduled tasks and registry modifications, and fetches additional components from its command-and-control server. This campaign highlights the adaptability and sophistication of the Silver Fox APT group.
References:
- cyberpress.org: Hackers Weaponize MSI packages & PNG Files to Deliver Multi-stage Malware
- gbhackers.com: Hackers Weaponize MSI Packages & PNG Files to Deliver Multi-stage Malware
- securityonline.info: Silver Fox APT Targets Organizations with PNGPlug and ValleyRAT Malware
- intezer.com: Threat Bulletin: Weaponized Software Targets Chinese-Speaking Organizations
- The Hacker News: PNGPlug Loader Delivers ValleyRAT Malware Through Fake Software Installers
- Cyber Security News: Hackers Weaponize MSI packages & PNG Files to Deliver Multi-stage Malware
@www.bleepingcomputer.com - 19d
The North Korean hacking group Kimsuky has been observed in recent attacks employing a custom-built RDP Wrapper and proxy tools to directly access infected machines. A new report by AhnLab's ASEC team details additional malware used by Kimsuky in these attacks, highlighting the group's intensified use of modified tools for unauthorized system access. This cyber espionage campaign begins with spear-phishing tactics, distributing malicious shortcut files disguised as legitimate documents to initiate the infection chain.
These files, often disguised as PDFs or Office documents, execute commands via PowerShell or Mshta to download malware such as PebbleDash and the custom RDP Wrapper, enabling remote control of compromised systems. Kimsuky's custom RDP Wrapper, a modified version of an open-source utility, includes export functions designed to evade detection by security software, facilitating stealthy remote access. In environments where direct RDP access is restricted, Kimsuky deploys proxy malware to bypass network barriers, maintaining persistent access and employing keyloggers and information-stealing malware to exfiltrate sensitive data.
References:
- asec.ahnlab.com: Having previously analyzed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type
- cyberpress.org: North Korean Hackers Deploy Custom RDP Wrapper to Hijack Remote Desktop
- www.bleepingcomputer.com: Kimsuky hackers use new custom RDP wrapper for remote access
- BleepingComputer: The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
- securityonline.info: Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage
- Cyber Security News: The North Korean cyber espionage group Kimsuky has intensified its use of custom-built tools, including a modified Remote Desktop Protocol (RDP) Wrapper, to gain unauthorized access to targeted systems.
- Virus Bulletin: Having previously analysed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type.
- Anonymous: The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
- securityaffairs.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.
- ciso2ciso.com: North Korean APT Kimsuky Uses forceCopy Malware to Steal Browser-Stored Credentials – Source:thehackernews.com
- Thomas Roccia :verified:: Having previously analysed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type.
- Know Your Adversary: Kimsuky Abuses RDP Wrapper in a Recent Campaign
- ciso2ciso.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer – Source: securityaffairs.com
- ciso2ciso.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.
- BleepingComputer: Additional information on the malware used in Kimsuky attacks, including PebbleDash backdoor and custom-made RDP Wrapper.
Veronika Telychko@SOC Prime Blog - 10d
The RedCurl/EarthKapre APT group is actively engaged in corporate espionage, particularly targeting the legal sector. The group uses sophisticated techniques to infiltrate organizations, beginning with phishing emails disguised as Indeed-themed job applications. These emails contain malicious attachments designed to trick victims into downloading ZIP archives containing ISO image files that mimic CVs. Once the ISO image is mounted, the victim unknowingly executes a signed Adobe executable, which then sideloads the EarthKapre loader.
This loader, delivered via a legitimate Adobe executable, is the core of the attack. It establishes command and control through Cloudflare Workers. The malware uses encryption to protect its payloads and sets up a scheduled task to maintain persistence on the compromised system. The eSentire Threat Response Unit (TRU) identified this attack targeting law firms and legal services.
References:
- Information Security Buzz: eSentire’s Threat Response Unit (TRU) has uncovered a new cyber espionage campaign leveraging a legitimate Adobe executable to sideload the EarthKapre/RedCurl loader.
- SOC Prime Blog: The nefarious cyber-espionage hacking collective tracked as EarthKapre or RedCurl APT has resurfaced to target legal sector organizations using Indeed-themed phishing.
- Virus Bulletin: Infosec Exchange post summarizing eSentire's investigation into RedCurl/EarthKapre APT targeting legal services.
- Talkback Resources: Unraveling the Many Stages and Techniques Used by RedCurl/EarthKapre...
- Know Your Adversary: 046. RedCurl Abuses PowerShell for Collection and Exfiltration: Detection Opportunities
- socprime.com: RedCurl/EarthKapre APT Attack Detection: A Sophisticated Cyber-Espionage Group Uses a Legitimate Adobe Executable to Deploy a Loader
- www.esentire.com: eSentire researchers summarise a recent investigation into an attack by the RedCurl/EarthKapre APT against an organization within the legal services industry. The group primarily targets private-sector organizations with a focus on corporate espionage.
- securityonline.info: Stealth Attack: EarthKapre Leverages Cloud and DLL Sideloading for Data Exfiltration
- Talkback Resources: eSentire's TRU team identified and responded to an attack targeting the Law Firms & Legal Services industry involving the EarthKapre/RedCurl loader being sideloaded through a legitimate Adobe executable, utilizing Cloudflare Workers for C2 infrastructure.
- Talkback Resources: Unraveling the Many Stages and Techniques Used by RedCurl/EarthKapre… [net] [mal]
- securityaffairs.com: eSentire report on the RedCurl/EarthKapre APT's campaign targeting law firms, using a legitimate Adobe executable for the loader.
- Kim Zetter: eSentire's TRU team identified and responded to an attack targeting the Law Firms & Legal Services industry involving the EarthKapre/RedCurl loader being sideloaded through a legitimate Adobe executable, utilizing Cloudflare Workers for C2 infrastructure.
drewt@secureworldexpo.com (Drew Todd)@SecureWorld News - 7d
The Chinese state-sponsored hacking group Salt Typhoon is expanding its espionage campaign, targeting U.S. telecommunication providers and other networks globally. The group, active since at least 2019, has been breaching major companies like AT&T, Verizon, and Lumen Technologies. Between December 2024 and January 2025, Salt Typhoon compromised additional telecom networks across the globe. The attacks involve a custom utility called JumbledPath, used to stealthily monitor network traffic and potentially capture sensitive data.
Salt Typhoon gains initial access through stolen credentials and exploiting vulnerabilities in Cisco routers. Specifically, they target internet-exposed Cisco network routers, leveraging CVE-2023-20198 and CVE-2023-20273 to escalate privileges and gain root access. Once inside, they extract credentials by intercepting authentication traffic, modify network configurations, and create hidden accounts to maintain persistent access. The group's objectives include intercepting sensitive communications, tracking political activists, and stealing research from academic institutions.
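Both Salt Typhoon items on this page (the Recorded Future summary earlier and this one) describe the same router-side artefacts: privileged local accounts added for persistence, configuration changes, and GRE tunnels used to move traffic out. The audit below is an added example, not Cisco's, Recorded Future's or Talos's code: it parses an IOS XE running-config snapshot and reports privilege-15 users that are not in an approved baseline, tunnel interfaces with their destinations, and whether the web UI (the surface CVE-2023-20198 is exploited through, which Cisco's advisory recommended disabling on internet-facing devices) is enabled. The configuration, hostname, addresses and the `BASELINE_ADMINS` set are constructed assumptions.

```python
# Added example (not Cisco's, Recorded Future's or Talos's code): audit an
# IOS XE running-config snapshot for the persistence artefacts described in
# the Salt Typhoon items above. The config text and the admin baseline are
# constructed; addresses are documentation ranges.
import re
from typing import Dict, List, Set

# Approved privilege-15 accounts for this device (assumption / baseline).
BASELINE_ADMINS: Set[str] = {"netops"}

SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER
username helpdesk privilege 1 secret 9 $9$PLACEHOLDER
!
interface Tunnel99
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.7
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
!
ip http server
ip http secure-server
!
"""

_USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.MULTILINE)


def parse_users(config: str) -> Dict[str, int]:
    """Local usernames and their privilege level (IOS defaults to 1)."""
    return {m.group(1): int(m.group(2) or 1) for m in _USER_RE.finditer(config)}


def parse_tunnels(config: str) -> List[Dict[str, str]]:
    """Tunnel interfaces with their source, destination and mode. An IOS
    tunnel with no 'tunnel mode' line runs GRE over IP by default."""
    tunnels: List[Dict[str, str]] = []
    current = None
    for line in config.splitlines():
        if line.startswith("interface Tunnel"):
            current = {"name": line.split()[1], "mode": "gre ip"}
            tunnels.append(current)
        elif line.startswith("interface ") or line.startswith("!"):
            current = None          # left the tunnel block
        elif current is not None and line.startswith(" tunnel "):
            parts = line.split(maxsplit=2)   # ' tunnel destination 203.0.113.7'
            if len(parts) == 3:
                current[parts[1]] = parts[2]
    return tunnels


def audit(config: str, baseline_admins: Set[str]) -> List[str]:
    """Findings worth a human look; an empty list means nothing unexpected."""
    findings = []
    for user, priv in parse_users(config).items():
        if priv == 15 and user not in baseline_admins:
            findings.append(f"unexpected privilege-15 user: {user}")
    for t in parse_tunnels(config):
        findings.append(f"tunnel {t['name']} ({t['mode']}) to {t.get('destination', '?')}")
    for directive in ("ip http server", "ip http secure-server"):
        if re.search(rf"^{re.escape(directive)}\s*$", config, re.MULTILINE):
            findings.append(f"web UI enabled: {directive}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, BASELINE_ADMINS):
        print(line)
```

A tunnel or an enabled web UI is not evidence of compromise by itself; the value of a check like this is running it against every backed-up config on a schedule and alerting on additions relative to the last known-good snapshot, which is the "monitor for unauthorized changes" advice the references above give.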
References:
- bsky.app: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
- www.bleepingcomputer.com: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- Anonymous: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- Carly Page: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- Blog: New Details: Salt Typhoon Used Leaked Creds in Telecom Attack
- SecureWorld News: Chinese cyber espionage group Salt Typhoon has made headlines in the last year, breaching major companies, including AT&T, Verizon, and Lumen Technologies.
- cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
- www.bleepingcomputer.com: Chinese hackers breach more U.S. telecoms via unpatched Cisco routers
- gbhackers.com: Gbhackers news on Salt Typhoon Hackers Exploit Cisco Vulnerability
- www.the420.in: The 420 news on Chinese Hackers Target US Telecom Giants
@www.bleepingcomputer.com - 7d
Chinese APT groups are actively targeting U.S. telecom providers and European healthcare organizations using sophisticated cyberattacks. The attacks involve custom malware, such as JumbledPath, used by Salt Typhoon to spy on U.S. telecom networks, and the exploitation of vulnerabilities such as the Check Point flaw (CVE-2024-24919). These campaigns are characterized by the deployment of advanced tools like ShadowPad and NailaoLocker ransomware, indicating a blend of espionage and financially motivated cybercrime.
These threat actors gain initial access by exploiting vulnerabilities, then move laterally within the networks using methods such as RDP to obtain elevated privileges. The attackers then deploy ShadowPad and PlugX before deploying the NailaoLocker ransomware in the final stages, encrypting files and demanding Bitcoin payments. These findings highlight the evolving tactics of Chinese APT groups and the challenges in attributing these attacks, given the blurring lines between state-sponsored espionage and financially driven operations.
References:
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
- The Hacker News: Chinese-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware
- www.bleepingcomputer.com: Salt Typhoon uses JumbledPath malware to spy on US telecom networks
@www.bleepingcomputer.com - 18d
The North Korean hacking group Kimsuky has been observed using a custom-built RDP Wrapper and proxy tools in recent cyber espionage campaigns. According to reports from the AhnLab Security Intelligence Center (ASEC), these tools enable the group to directly access infected machines and maintain persistent access, representing a shift in tactics from relying solely on noisy backdoors like PebbleDash. The group also utilizes the forceCopy stealer malware.
Kimsuky's attack strategy typically begins with spear-phishing emails containing malicious shortcut (.LNK) files disguised as legitimate documents. When opened, these files execute PowerShell or Mshta scripts to download malware, including the custom RDP Wrapper. This wrapper is designed to bypass security measures by modifying export functions, making it difficult for security tools to detect. The group also uses keyloggers to capture user keystrokes and proxy malware to bypass network restrictions, facilitating remote access to compromised systems even within private networks.
References:
- ciso2ciso.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer – Source: securityaffairs.com
- securityaffairs.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer
- securityonline.info: Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage
- www.bleepingcomputer.com: Kimsuky hackers use new custom RDP wrapper for remote access
- www.microsoft.com: Microsoft details Kimsuky's new PowerShell-based attack tactic
- www.scworld.com: PowerShell exploited in new Kimsuky intrusions
Help Net Security@Help Net Security - 28d
Researchers have uncovered that the Lazarus Group, a North Korean state-sponsored hacking group, is using a web-based administrative panel built with React and Node.js to manage their global cyber operations. This platform gives them a centralized control point for overseeing compromised systems, organizing stolen data, and delivering malicious payloads. The administrative layer, dubbed "Phantom Circuit," is consistent across the group's command-and-control servers, allowing them to orchestrate campaigns with precise control, even while varying their payloads and obfuscation techniques.
This hidden framework is part of a supply chain attack named "Operation Phantom Circuit," where the Lazarus Group targets cryptocurrency entities and software developers by embedding backdoors into legitimate software packages. They trick developers into downloading and running compromised open-source GitHub repositories, which then connect to the group's C2 infrastructure. This approach allows the Lazarus Group to infiltrate companies around the world and exfiltrate sensitive data back to Pyongyang. The operation has claimed over 233 victims, primarily within the cryptocurrency industry, between September 2024 and January 2025, and it is linked to North Korea through the use of Astrill VPNs and six distinct North Korean IP addresses.
References:
- ciso2ciso.com: The ongoing investigation into recent attacks by the Lazarus Group on cryptocurrency entities and software developers
- The Hacker News: The Lazarus Group uses React application for C2 control
- Pyrzout: North Koreans clone open source projects to plant backdoors, steal credentials – Source: go.theregister.com
- gbhackers.com: Reporting on the Lazarus Group's targeting of developers through malicious NPM packages