CyberSecurity news

FlagThis - #cyberattacks

@gbhackers.com //
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.

If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft.

References:
  • gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
  • securityaffairs.com: North Korea-linked APT Emerald Sleet is using a new tactic
  • The Hacker News: The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets.
  • BleepingComputer: North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired from the now widespread ClickFix campaigns.
  • Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
  • www.bleepingcomputer.com: Reports on Emerald Sleet's activity exploiting PowerShell.
  • www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
  • www.scworld.com: PowerShell exploited in new Kimsuky intrusions
  • Talkback Resources: Kimsuky, a North Korean nation-state threat actor, is conducting an ongoing cyber attack campaign named DEEP#DRIVE targeting South Korean business, government, and cryptocurrency sectors using tailored phishing lures and leveraging PowerShell scripts and Dropbox for payload delivery and data exfiltration.
  • The Hacker News: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
  • MSSP feed for Latest: Ongoing Kimsuky Attack Campaign Exploits PowerShell, Dropbox
  • securityaffairs.com: Analyzing DEEP#DRIVE: North Korean

do son@securityonline.info //
The Chinese hacking group Winnti is using a new PHP backdoor called 'Glutton' in attacks targeting organizations in China and the United States. This sophisticated malware is also being used to target other cybercriminals, marking a notable shift in Winnti's tactics. Glutton is a modular backdoor that injects code into popular PHP frameworks and systems. Once installed, it allows attackers to exfiltrate data, install backdoors, and inject malicious code, all while leaving no file traces, allowing the malware to operate undetected. The group's activities with this new backdoor have been ongoing for over a year, with evidence of its deployment dating back to December 2023.

Cybersecurity experts believe Winnti is targeting not only traditional organizations, such as those in the IT, social security and web development sectors, but also the cybercrime market itself. Glutton has been found embedded in software packages distributed on online criminal forums, allowing its operators to compromise the systems of other malicious actors and steal their sensitive information. Despite its sophistication, Glutton has some weaknesses that are atypical for Winnti, such as unencrypted samples and simplistic communication protocols, suggesting it may still be in early development.

References:
  • BleepingComputer: The Chinese Winnti hacking group is using a new PHP backdoor named 'Glutton' in attacks on organizations in China and the U.S., and also in attacks on other cybercriminals.
  • www.bleepingcomputer.com: Winnti hackers target other threat actors with new 'Glutton' PHP backdoor
  • malware.news: Novel Glutton backdoor deployed by Winnti hackers
  • www.scworld.com: Novel Glutton backdoor deployed by Winnti hackers
  • securityonline.info: The Zero-Detection PHP Backdoor Glutton Exposed
  • bsky.app: Winnti hackers target other threat actors with new Glutton PHP backdoor
  • QiAnXin: This is very unusual: QiAnXin's XLAB identified a Winnti Linux-variant backdoor campaign (including a new PHP backdoor dubbed Glutton) targeting the cybercrime market.

info@thehackernews.com (The Hacker News)@The Hacker News //
The Winnti Group, a China-based threat actor also known as APT41, is actively targeting Japanese organizations within the manufacturing, materials, and energy sectors. Researchers at LAC's Cyber Emergency Center identified a new campaign dubbed "RevivalStone," which employs an advanced version of the Winnti malware. This updated malware exhibits enhanced capabilities and sophisticated evasion techniques, posing a significant threat to the targeted industries.

The RevivalStone campaign begins by exploiting SQL injection vulnerabilities in internet-facing Enterprise Resource Planning (ERP) systems. Attackers deploy web shells such as China Chopper to gain initial access, which enables reconnaissance, credential harvesting, and lateral movement within the targeted networks. The updated Winnti malware variant features AES and ChaCha20 encryption, device-specific decryption keys derived from the host's IP and MAC addresses, a kernel-level rootkit for covert data exfiltration, and code obfuscation to evade endpoint detection and response (EDR) systems.

References:
  • www.lac.co.jp: Researchers from LAC's Cyber Emergency Center analyze the "RevivalStone" campaign operated by China-based threat group Winnti
  • cyberpress.org: Winnti Hackers Target Japanese Organizations with Advanced Malware
  • Talkback Resources: The content provides an in-depth analysis of the Winnti Group's activities, including the RevivalStone campaign, tools used such as WinntiWebShell and China Chopper, and techniques like AES encryption, Winnti RAT, and Winnti Rootkit, with a focus on detection and prevention strategies.
  • Virus Bulletin: Researchers from LAC's Cyber Emergency Center analyse the "RevivalStone" campaign operated by China-based threat group Winnti
  • securityaffairs.com: SecurityAffairs: China-linked APT group Winnti targets Japanese organizations since March 2024
  • The Hacker News: Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
  • Talkback Resources: China-linked APT group Winnti targeted Japanese organizations
  • Talkback Resources: Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
  • www.scworld.com: Winnti attacks set sights on Japan

@securityboulevard.com //
Ransomware attacks reached a record high in December 2024, with 574 incidents reported, according to an NCC Group report. A newly identified group called FunkSec, which combines hacktivism and cybercrime, was responsible for over 100 of these attacks, making it the most active group for the month. This represents a significant surge in cybercrime, with the industrial sector targeted most often. Poor security measures, a lack of awareness and the use of evolving technologies such as generative AI are believed to be partly responsible for this growth, along with the use of infostealer malware to gain initial access to networks.

Other organizations have also fallen victim to ransomware attacks. The New York Blood Center Enterprises (NYBC), one of the largest non-profit blood donation organizations, had its IT systems crippled by a ransomware attack. This has caused major disruptions and risks to supplies that are sent to over 400 hospitals. Additionally, British engineering firm Smiths Group is working to restore its systems after suffering a cyberattack that caused unauthorized access, and Indian tech giant Tata Technologies had to temporarily suspend some of its IT services after being targeted by ransomware.


@ciso2ciso.com //
Reports indicate a significant rise in cyberattacks targeting both Taiwan and Central Asia. Taiwan is experiencing a surge in attacks amid increasing tensions with China, while Central Asian diplomatic entities are being hit by a Russian malware campaign. Both highlight increasing use of malicious software and other sophisticated methods by state-aligned actors. The attacks on Taiwan coincide with rising political tensions, suggesting a link between geopolitical events and cyber activity.

Additionally, Russian state-aligned APT groups are increasingly deploying ransomware, a trend that is blurring the lines between cybercrime and state-sponsored attacks. A recent campaign linked to the Russia-aligned intrusion group UAC-0063 involved weaponized Microsoft Word documents delivering HatVibe and CherrySpy malware to collect intelligence; the malware was used against Kazakhstan diplomatic files and Kyrgyzstan defense files. These complex attacks are making security harder to manage for diplomatic organizations and critical infrastructure in the targeted regions, which should strengthen their defenses and monitor their networks.

References:
  • ciso2ciso.com: Russian Malware Campaign Hits Central Asian Diplomatic Files – Source: www.infosecurity-magazine.com
  • Pyrzout :vm:: As Tensions Mount With China, Taiwan Sees Surge in Cyberattacks – Source: www.darkreading.com
  • www.welivesecurity.com: State-aligned APT groups are increasingly deploying ransomware – and that’s bad news for everyone