info@thehackernews.com (The Hacker News)
//
A long-term cyber intrusion aimed at critical national infrastructure (CNI) in the Middle East has been attributed to an Iranian state-sponsored threat group. The attack, which persisted from May 2023 to February 2025, entailed extensive espionage operations and suspected network prepositioning, a tactic used to maintain persistent access for future strategic advantage. Fortinet's FortiGuard Incident Response team, which investigated the intrusion, noted that the attack exhibits tradecraft overlaps with Lemon Sandstorm (formerly Rubidium), also tracked as Parisite, Pioneer Kitten, and UNC757, an Iranian nation-state threat actor active since at least 2017.
The attackers gained initial access by exploiting stolen login credentials to access the victim's SSL VPN system, deploying web shells on public-facing servers, and deploying three backdoors: Havoc, HanifNet, and HXLibrary, for long-term access. They further consolidated their foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim's emails, and conducting lateral movement to the virtualization infrastructure. In response to the victim's initial containment and remediation steps, the attackers deployed more web shells and two more backdoors, MeshCentral Agent and SystemBC.
Even after the victim successfully removed the adversary's access, attempts to infiltrate the network continued by exploiting known Biotime vulnerabilities and spear-phishing attacks aimed at employees to harvest Microsoft 365 credentials. Researchers identified an evolving arsenal of tools deployed throughout the intrusion, including both publicly available and custom-developed malware. The custom tools, such as NeoExpressRAT, a Golang-based backdoor with hardcoded command and control communication capabilities, allowed the threat actors to maintain persistent access while evading traditional detection methods.
References:
- The Hacker News: An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years.
- cybersecuritynews.com: Threat Actors Target Critical National Infrastructure with New Malware and Tools
- gbhackers.com: Threat Actors Target Critical National Infrastructure with New Malware and Tools
- securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
- Talkback Resources: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware [ics] [net] [mal]
- securityonline.info: Recently, the FortiGuard Incident Response (FGIR) team has released an in-depth analysis detailing a prolonged, state-sponsored intrusion into
- gbhackers.com: A recent investigation by the FortiGuard Incident Response (FGIR) team has uncovered a sophisticated, long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East, attributed to an Iranian state-sponsored threat group.
- www.scworld.com: Middle Eastern critical infrastructure targeted by long-term Iranian cyberattack
- industrialcyber.co: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
- Industrial Cyber: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
- Virus Bulletin: Fortinet's IR team investigate an Iranian-led long-term intrusion on critical infrastructure in the Middle East. Attackers used stolen VPN creds, in-memory loaders for Havoc/SystemBC, and backdoors like HanifNet, HXLibrary, and NeoExpressRAT.
@www.silentpush.com
//
North Korean operatives have infiltrated hundreds of Fortune 500 companies, posing a significant threat to IT infrastructure and sensitive data. Security experts revealed at the RSAC 2025 Conference that the infiltration extends across virtually every major corporation, with many Fortune 500 companies unknowingly employing North Korean technical workers. This alarming trend raises serious concerns about potential security breaches and data theft. Dozens of experts and law enforcement officials at RSA said the campaign is now out of control, impacting thousands of companies.
Even tech giant Google has detected North Korean technical workers in their talent pipeline as job candidates and applicants, although they have not been hired to date. "If you're not seeing this, it's because you're not detecting it, not because it's not happening to you," warned Iain Mulholland, senior director of security engineering at Google Cloud, emphasizing the universality of the threat. Insider risk management firm DTEX corroborated these findings, reporting that 7% of its customer base, representing a cross-section of the Fortune 2000, has been infiltrated by North Korean operatives working as full-time employees with privileged access.
The North Korean IT worker scam has expanded beyond the tech and crypto industries and is now a threat to all companies. One cybersecurity expert even found evidence that a U.S. political campaign in Oregon hired a North Korean IT worker to build its website. Initially, the workers primarily focused on legitimate employment to generate funds for the regime in Pyongyang, but experts are now observing a tactical shift toward extortion.
References:
- gbhackers.com: North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers
- iHLS: North Korean Hackers Set Up Fake U.S. Businesses to Target Cryptocurrency Developers
- www.cysecurity.news: Threat analysts at Silent Push, a U.S. cybersecurity firm, told Reuters that North Korean cyber spies established two companies in the U.S., Blocknovas LLC and Softglide LLC, using fictitious personas and addresses to infect developers in the cryptocurrency industry with malicious software, in violation of Treasury sanctions.
@cyberscoop.com
//
North Korean operatives have infiltrated hundreds of Fortune 500 companies, posing a significant and growing threat to IT infrastructure and sensitive data. Security leaders at Mandiant and Google Cloud have indicated that nearly every major company has either hired or received applications from North Korean nationals working on behalf of the regime. These individuals primarily aim to earn salaries that are then sent back to Pyongyang, contributing to the country's revenue stream. Cybersecurity experts warn that this issue is more pervasive than previously understood, with organizations often unaware of the extent of the infiltration.
Hundreds of Fortune 500 organizations have unknowingly hired these North Korean IT workers, and nearly every CISO interviewed has admitted to hiring at least one, if not several, of these individuals. Google has also detected North Korean technical workers within its talent pipeline, though the company states that none have been hired to date. The risk of North Korean nationals working for large organizations has become so prevalent that security professionals now assume it is happening unless actively detected. Security analysts continue to raise alarms and highlight the expansive ecosystem of tools, infrastructure, and specialized talent North Korea has developed to support this illicit activity.
The FBI and cybersecurity experts are actively working to identify and remove these remote workers. According to Adam Meyers, Head of Country Adversary Operations at CrowdStrike, there have been over 90 incidents in the past 90 days, resulting in millions of dollars flowing to the North Korean regime through high-paying developer jobs. Microsoft is tracking thousands of personas and identities used by these North Korean IT workers, indicating a high-volume operation. Uncovering one North Korean IT worker scam often leads to the discovery of many others, as demonstrated by CrowdStrike's investigation that revealed 30 victim organizations.
References:
- blog.knowbe4.com: Hundreds of Fortune 500 companies have hired North Korean operatives.
- Threats | CyberScoop: North Korean operatives have infiltrated hundreds of Fortune 500 companies
- PCMag UK security: North Koreans Still Working Hard to Take Your IT Job: 'Any Organization Is a Target'
- cyberscoop.com: North Korean operatives have infiltrated hundreds of Fortune 500 companies
- WIRED: For years, North Korea has been secretly placing young IT workers inside Western companies. With AI, their schemes are now more devious—and effective—than ever.
- gbhackers.com: Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives
- www.scworld.com: Widespread Fortune 500 firm infiltration conducted by North Koreans
Ddos@securityonline.info
//
Cybersecurity firm SonicWall has issued warnings to its customers regarding active exploitation of several vulnerabilities affecting its Secure Mobile Access (SMA) appliances. These vulnerabilities, including CVE-2024-38475, CVE-2023-44221 and CVE-2021-20035 can lead to unauthorized access to files and system compromise. Organizations utilizing SonicWall SMA 100 series appliances are strongly urged to apply the necessary patches immediately to mitigate the risk. The active exploitation highlights the critical need for organizations to maintain up-to-date security measures and promptly address security advisories from vendors.
Specifically, CVE-2024-38475 is a critical severity flaw affecting the mod_rewrite module of Apache HTTP Server, potentially allowing unauthenticated remote attackers to execute code. SonicWall addressed this issue in firmware version 10.2.1.14-75sv and later. CVE-2023-44221, a high-severity command injection flaw, allows attackers with administrative privileges to inject arbitrary commands. CVE-2021-20035 is an OS command injection vulnerability that has been actively exploited in the wild since January 2025.
The exploitation of these vulnerabilities has prompted advisories and updates, including CISA adding CVE-2021-20035 to its Known Exploited Vulnerabilities catalog. Security researchers have observed active scanning for CVE-2021-20016. It is paramount that organizations proactively manage and patch vulnerabilities to protect their networks and sensitive data.
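The advisory above turns on one question for an SMA 100 fleet: is each appliance running the fixed firmware or not. The following is an added example, not SonicWall's own tooling or code from any of the cited sources. It parses SMA 100 firmware version strings of the form shown on the page ("10.2.1.14-75sv") and reports which appliances in a constructed inventory are below the fixed version. The parsing rule (dotted numeric part compared first, then the "-NNsv" build number) and the inventory entries are assumptions made for this example; the fixed version 10.2.1.14-75sv is the one the page cites for CVE-2024-38475.

```python
"""Firmware version check for SonicWall SMA 100 appliances.

Added example, not SonicWall's code. The version-ordering rule is an assumption:
the dotted numeric part is compared first, then the trailing "-<build>sv" number.
"""
import re

# Fixed version cited on the page for CVE-2024-38475 (SMA 100 series).
FIXED_VERSION = "10.2.1.14-75sv"

# Matches "10.2.1.14-75sv": dotted numeric release, dash, build number, "sv".
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)sv$")


def parse_sma_version(text):
    """Return ((10, 2, 1, 14), 75) for '10.2.1.14-75sv'; raise on unknown formats."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2))
    return release, build


def is_at_least(version, minimum):
    """True when `version` is the same as or newer than `minimum` (tuple ordering)."""
    return parse_sma_version(version) >= parse_sma_version(minimum)


# Constructed inventory for this example; hostnames and the 10.2.1.9 / 10.2.1.15
# versions are made up. 10.2.1.10-62sv and 10.2.1.14-75sv are the versions the page names.
INVENTORY = [
    {"host": "sma-dc1", "firmware": "10.2.1.14-75sv"},
    {"host": "sma-dc2", "firmware": "10.2.1.10-62sv"},
    {"host": "sma-branch", "firmware": "10.2.1.9-57sv"},
    {"host": "sma-lab", "firmware": "10.2.1.15-81sv"},
    {"host": "sma-unknown", "firmware": "n/a"},
]


def unpatched_hosts(inventory, fixed=FIXED_VERSION):
    """Hosts below `fixed`; unparseable versions are listed too so they get reviewed."""
    needs_update = []
    for appliance in inventory:
        try:
            ok = is_at_least(appliance["firmware"], fixed)
        except ValueError:
            ok = False
        if not ok:
            needs_update.append(appliance["host"])
    return needs_update


if __name__ == "__main__":
    for host in unpatched_hosts(INVENTORY):
        print(f"{host}: below {FIXED_VERSION}, patch required")
```

Feed the function whatever your asset inventory exports; an appliance whose version string does not parse is deliberately reported rather than silently skipped, since "unknown firmware" on an internet-facing VPN appliance is itself a finding.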
References:
- The DefendOps Diaries: Understanding SonicWall SMA100 Vulnerabilities: Risks and Mitigation
- BleepingComputer: SonicWall: SMA100 VPN vulnerabilities now exploited in attacks
- Arctic Wolf: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
- isc.sans.edu: Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)
- thehackernews.com: SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models
- securityonline.info: SonicWall confirms active exploitation of SMA 100 vulnerabilities – urges immediate patching
- Talkback Resources: SonicWall disclosed exploited security flaws in SMA100 Secure Mobile Access appliances, including OS Command Injection and Apache HTTP Server mod_rewrite issues, with patches released in versions 10.2.1.10-62sv and 10.2.1.14-75sv.
- www.bleepingcomputer.com: SonicWall: SMA100 VPN vulnerabilities now exploited in attacks
- arcticwolf.com: Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
- Talkback Resources: SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models [net]
- es-la.tenable.com: Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)
- Arctic Wolf: Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
- bsky.app: Cybersecurity company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks.
- securityaffairs.com: SonicWall confirmed that threat actors actively exploited two vulnerabilities impacting its SMA100 Secure Mobile Access (SMA) appliances.
- securityaffairs.com: U.S. CISA adds SonicWall SMA100 and Apache HTTP Server flaws to its Known Exploited Vulnerabilities catalog
- MSSP feed for Latest: SonicWall Flags New Wave of VPN Exploits Targeting SMA Devices
- bsky.app: Security company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks.
- Help Net Security: Attackers exploited old flaws to breach SonicWall SMA appliances (CVE-2024-38475, CVE-2023-44221)
- www.scworld.com: SonicWall confirms exploitation of two SMA 100 bugs, one critical
- securityonline.info: SonicWall Issues Patch for SSRF Vulner
- The Hacker News: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware
- hackread.com: watchTowr Warns of Active Exploitation of SonicWall SMA 100 Devices
- cyberpress.org: CISA Alerts on Active Exploitation of SonicWall SMA100 Command Injection Flaw
- www.helpnetsecurity.com: Attackers exploited old flaws to breach SonicWall SMA appliances.
- watchTowr Labs: SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)
- Talkback Resources: Iranian state-sponsored threat group conducted a long-term cyber intrusion targeting critical national infrastructure in the Middle East, exhibiting tradecraft overlaps with Lemon Sandstorm, using custom malware families and sophisticated tactics to maintain persistence and bypass network segmentation.
- Cyber Security News: CISA Alerts on Active Exploitation of SonicWall SMA100 Command Injection Flaw
- RedPacket Security: SonicWall Products Multiple Vulnerabilities
- thecyberexpress.com: CISA Adds Two Known Exploited Vulnerabilities to Its Catalog: CVE-2024-38475 and CVE-2023-44221
- Cyber Security News: SonicWall Secure Mobile Access (SMA) appliances are under active attack due to two critical vulnerabilities, CVE-2023-44221 (post-authentication command injection) and CVE-2024-38475 (pre-authentication arbitrary file read), being chained to bypass security controls.
- bsky.app: SonicWall urges admins to patch VPN flaw exploited in attacks
- securityonline.info: Multi Vulnerabilities Found in SonicWall SMA 100 Series Prompt Urgent Security Update
- The Hacker News: SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root
- BleepingComputer: SonicWall urges admins to patch VPN flaw exploited in attacks
- securityonline.info: SonicWall has released a security advisory detailing multiple vulnerabilities affecting its Secure Mobile Access (SMA) 100 series products.
- MSSP feed for Latest: Exploited SonicWall Flaws Added to KEV List Amid PoC Code Release
info@thehackernews.com (The Hacker News)
//
A new report from Citizen Lab has uncovered a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) living in exile. The attackers utilized a trojanized version of UyghurEditPP, a legitimate open-source text editor designed to support the Uyghur language, to deliver Windows-based malware. This campaign highlights the concerning trend of digital transnational repression, where software intended to empower repressed communities is instead weaponized against them. The method involved impersonating a known contact from a partner organization of the WUC to deliver a Google Drive link containing the malicious file.
Once the infected UyghurEditPP was executed, a hidden backdoor would silently gather system information, including the machine name, username, IP address, and operating system version. This data was then transmitted to a remote command-and-control (C2) server, allowing the attackers to perform various malicious actions, such as downloading files or uploading additional malicious plugins. Citizen Lab researchers noted that the attackers displayed a deep understanding of the target community, using culturally significant Uyghur and Turkic language terms in the C2 infrastructure to avoid raising suspicion.
Researchers believe that state-aligned actors are behind this campaign, reflecting a broader pattern of Chinese government actors targeting the Uyghur community. While the malware itself wasn't particularly advanced, the campaign showcased a high level of social engineering. The discovery emphasizes the ongoing threats faced by the Uyghur diaspora and the need for increased vigilance against digital surveillance and hacking attempts. This incident adds to the growing evidence of digital transnational repression, where governments use digital technologies to surveil, intimidate, and silence exiled communities.
References:
- The Citizen Lab: Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware
- securityonline.info: Weaponized Uyghur Language Software: Citizen Lab Uncovers Targeted Malware Campaign
- techcrunch.com: Citizen Lab says exiled Uyghur leaders targeted with Windows spyware
- securityonline.info: Researchers at Citizen Lab have exposed a spearphishing campaign targeting senior members of the
- The Hacker News: Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool
- thecyberexpress.com: Text Editor Used in Targeted Uyghur Spying
- The Register - Software: Open source text editor poisoned with malware to target Uyghur users
- Security Risk Advisors: State-aligned actors trojanized UyghurEdit++ to target diaspora via phishing. Backdoor exfiltrates system data and downloads plugins. #Uyghur #ThreatIntel
- citizenlab.ca: 🚩 Trojanized UyghurEdit++ Text Editor Used to Target Uyghur Diaspora With Windows Surveillance Malware
- The Cyber Express: Trojanized Text Editor Software Used in Targeted Uyghur Spy Campaign
- hackread.com: China-linked hackers targeted Uyghur activists using a Trojanized UyghurEditPP app in a spear-phishing campaign, Citizen Lab researchers reveal.…
- www.scworld.com: Uyghur leaders subjected to malware attack
Swagath Bandhakavi@Tech Monitor
//
France has officially accused the APT28 hacking group, linked to Russia's military intelligence service (GRU), of orchestrating a series of cyberattacks against French institutions over the past four years. The French foreign ministry condemned these actions "in the strongest possible terms," highlighting the targeting or breaching of a dozen French entities. The attacks have affected a range of organizations, including public services, private companies, and even a sports organization involved in preparations for the 2024 Olympic Games, which were hosted in France.
France views these cyber operations as "unacceptable and unworthy" of a permanent member of the UN Security Council, asserting that Russia has violated international norms of responsible behavior in cyberspace. The ministry emphasized that such destabilizing activities undermine the integrity of international relations and security. This public attribution of the attacks to the GRU signifies a firm stance against Russia's malicious cyber activities and a commitment to defending French interests in the digital realm.
France, alongside its partners, is determined to anticipate, deter, and respond to Russia’s malicious cyber behavior, employing all available means. The French foreign ministry's statement also referenced past incidents, including the 2015 sabotage of TV5Monde and attempts to disrupt the 2017 presidential election, underscoring a pattern of APT28's disruptive activities targeting French interests. The French national agency for information systems security (ANSSI) has released a report on the threat linked to APT28 in order to prevent future attacks.
References:
- therecord.media: In a rare public attribution, the French foreign ministry said it “condemns in the strongest possible terms” the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
- BleepingComputer: Today, the French foreign ministry blamed the APT28 hacking group linked to Russia's military intelligence service (GRU) for targeting or breaching a dozen French entities over the last four years.
- www.diplomatie.gouv.fr: Government of attributes a wide range of dating back ten years, targeting the French-hosted 2024 Olympics, prior elections, and against entities like television networks, to Russia's GRU
- The Record: Mastodon post referencing the French foreign ministry statement that it “condemns in the strongest possible terms” the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
- The DefendOps Diaries: The article is about unmasking APT28: The Sophisticated Threat to French Cybersecurity
- bsky.app: Russian military intelligence cyber operations targeting French entities
- www.techradar.com: France accuses Russian GRU hackers of targeting French organizations
- securityaffairs.com: France links Russian APT28 to attacks on dozen French entities
- Metacurity: France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
- Risky.Biz: Risky Bulletin: French government grows a spine and calls out Russia's hacks
- www.metacurity.com: France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
- Tech Monitor: France links Russian military-backed hackers APT28 to multiple cyber intrusions
- hackread.com: France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign.
- Risky Business Media: Risky Bulletin: French government grows spine, calls out Russian hacks
- bsky.app: Russian military intelligence cyber operations targeting French entities. Primarily includes governmental, diplomatic, and research entities, as well as think-tanks.
- www.scworld.com: French authorities have condemned a long-term cyber-espionage campaign by a Russian military intelligence group, APT28, targeting various French institutions.
- Andrew ? Brandt ?: The government of attributes a wide range of dating back ten years, targeting the French-hosted 2024 Olympics, prior elections, and against entities like television networks, to Russia's GRU ( ), and condemns them, officially, in a statement posted to their website.
- www.csoonline.com: France has publicly accused Russia's GRU military intelligence agency, specifically its APT28 unit, of orchestrating a sustained cyber campaign targeting French institutions to undermine national stability, Reuters reports.
- Industrial Cyber: The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked...
- industrialcyber.co: The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked...
- hackread.com: From TV5Monde to Critical Infrastructure: France Blames Russia’s APT28 for Persistent Cyberattacks
- securityonline.info: APT28 Cyber Espionage Campaign Targets French Institutions Since 2021
@cloud.google.com
//
Google's Threat Intelligence Group (GTIG) has released its annual review of zero-day exploits, revealing a concerning shift towards enterprise-targeted attacks in 2024. The report highlights a persistent rise in zero-day exploitation, with 75 vulnerabilities actively exploited in the wild. While this number represents a decrease from the 98 exploits observed in 2023, it remains higher than the 63 recorded in 2022, indicating a continued upward trend. The GTIG's analysis divides these vulnerabilities into two main categories: end-user platforms and products, and enterprise-focused technologies such as security software and appliances.
Of the 75 zero-day exploits tracked in 2024, a significant 44% targeted enterprise products. This indicates a strategic shift from attackers who are increasingly recognizing the value in compromising systems that house sensitive data. In contrast, the exploitation of browsers and mobile devices has decreased, falling by about a third and half, respectively. This shift towards enterprise technologies suggests that attackers are focusing on more lucrative targets that offer greater potential rewards. The GTIG report also notes that exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively used to target mobile devices.
Government-backed hackers and commercial surveillance vendors (CSVs) are the primary actors behind many of these exploits. The GTIG report indicates that governments like China and North Korea, along with spyware makers, are responsible for the most recorded zero-days in 2024. Specifically, at least 23 zero-day exploits were linked to government-backed hackers, with 10 directly attributed to governments, including five linked to China and five to North Korea. Additionally, spyware makers and surveillance enablers were responsible for eight exploits, suggesting that the industry will continue to grow as long as government customers continue to request and pay for these services.
References:
- Threat Intelligence: Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
- securityaffairs.com: Google tracked 75 zero-day flaws exploited in 2024, down from 98 in 2023, according to its Threat Intelligence Group’s latest analysis.
- techcrunch.com: Governments like China and North Korea, along with spyware makers, used the most recorded zero-days in 2024.
- The Hacker News: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
- CyberInsider: The Google Threat Intelligence Group (GTIG) has published its annual review of zero-day exploits for 2024, revealing a gradual but persistent rise in zero-day exploitation and a concerning shift towards enterprise-targeted attacks.
- The Register - Security: Enterprise tech dominates zero-day exploits with no signs of slowdown
- cyberinsider.com: Google Logs 75 Zero-Days in 2024, Enterprise Attacks at All-Time High
- securityonline.info: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
- BleepingComputer: Google's Threat Intelligence Group (GTIG) says attackers exploited 75 zero-day vulnerabilities in the wild last year, over 50% of which were linked to spyware attacks.
- www.techradar.com: Of all the zero-days abused in 2024, the majority were used in state-sponsored attacks by China and North Korea.
- thecyberexpress.com: Google's Threat Intelligence Group (GTIG) released its annual analysis of zero-day exploitation, detailing how 2024 saw attackers increasingly target enterprise software and infrastructure over traditional consumer platforms like browsers and mobile devices.
- cloud.google.com: Threat actors exploited 75 zero-days last year, with 33 of those targeting enterprise products
- socradar.io: Google’s 2024 Zero-Day Report: Key Trends, Targets, and Exploits In late April, Google’s Threat Intelligence Group (GTIG) published its annual report on zero-day exploitation, offering a detailed account of in-the-wild attacks observed throughout 2024. The report draws on GTIG’s original breach investigations, technical analysis, and insights from trusted open-source reporting. GTIG tracked 75 zero-day vulnerabilities
- Security Risk Advisors: Zero-Day Exploitation Continues to Grow with Shifting Focus Toward Enterprise Security Products
@securityonline.info
//
Earth Kurma, a newly identified Advanced Persistent Threat (APT) group, has been actively targeting government and telecommunications organizations in Southeast Asia since June 2024. According to reports from Trend Micro and other security firms, the group's activities, which date back to November 2020, primarily focus on cyberespionage and data exfiltration. Countries affected include the Philippines, Vietnam, Thailand, and Malaysia. The threat actors are particularly interested in exfiltrating sensitive data, often utilizing public cloud services like Dropbox and Microsoft OneDrive for this purpose.
Earth Kurma employs a sophisticated blend of custom malware, stealthy rootkits, and living-off-the-land (LotL) techniques. Their arsenal includes tools such as TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA, the latter two being rootkits designed for persistence and concealing malicious activities. The group's use of rootkits like MORIYA, which intercepts TCP traffic and injects malicious payloads, highlights their advanced evasion capabilities. Notably, Earth Kurma also abuses PowerShell for data collection, using commands to gather files of interest based on file extensions such as PDF, DOC, XLS, and PPT.
Detection strategies focus on monitoring process creations and command-line activities associated with known file extensions used by the group. The group leverages legitimate system tools and features, such as syssetup.dll, to install rootkits, making detection more challenging. While there are overlaps with other APT groups like ToddyCat and Operation TunnelSnake, definitive attribution remains inconclusive. Security researchers emphasize the high business risk posed by Earth Kurma due to their targeted espionage, credential theft, persistent footholds, and data exfiltration via trusted cloud platforms.
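The detection strategy described above, monitoring process creations and command lines for the document extensions the group collects, can be expressed as a small rule over endpoint telemetry. The following is an added example, not Trend Micro's detection content or code from any other source cited here. It runs over constructed process-creation events (Sysmon Event ID 1 style, though the field names and every sample line are assumptions made for this example) and flags PowerShell invocations that enumerate or copy files by the extensions named in the report (PDF, DOC, XLS, PPT). The Office Open XML variants (.docx, .xlsx, .pptx) and the two-extension threshold are additions of this example, chosen to cut noise from single-file lookups.

```python
"""Flag PowerShell document-collection commands in process-creation telemetry.

Added example, not vendor code. Events are constructed dicts shaped like Sysmon
Event ID 1 records; field names (Image, CommandLine, User) are assumptions.
"""
import re

# Extensions named in the Earth Kurma reporting, plus OOXML variants (assumption).
DOC_EXTENSIONS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx")

EXT_PATTERN = re.compile(r"\*?\.(%s)\b" % "|".join(DOC_EXTENSIONS), re.IGNORECASE)
# Cmdlets and aliases commonly used to enumerate or stage files.
COLLECT_PATTERN = re.compile(
    r"\b(Get-ChildItem|gci|ls|dir|Copy-Item|cp|copy|Compress-Archive)\b", re.IGNORECASE
)
POWERSHELL_PATTERN = re.compile(r"(powershell|pwsh)(\.exe)?$", re.IGNORECASE)

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events for this example.
SAMPLE_EVENTS = [
    {   # recursive enumeration of four document types piped into a staging folder
        "User": "CORP\\jdoe", "Image": PS_IMAGE,
        "CommandLine": 'powershell.exe -nop -w hidden -c "Get-ChildItem C:\\Users -Recurse '
                       '-Include *.pdf,*.doc,*.xls,*.ppt | Copy-Item -Destination C:\\ProgramData\\s"',
    },
    {   # benign maintenance script, no document extensions on the command line
        "User": "CORP\\svc-ops", "Image": PS_IMAGE,
        "CommandLine": "powershell.exe -File C:\\Scripts\\cleanup.ps1",
    },
    {   # not PowerShell: a user opening a PDF via Explorer is not of interest here
        "User": "CORP\\jdoe", "Image": r"C:\Windows\explorer.exe",
        "CommandLine": "explorer.exe C:\\Users\\jdoe\\report.pdf",
    },
    {   # single-file lookup: one extension only, below the threshold
        "User": "CORP\\jdoe", "Image": PS_IMAGE,
        "CommandLine": "powershell.exe Get-Item C:\\temp\\notes.pdf",
    },
    {   # alias form (dir) with two extensions, still caught
        "User": "CORP\\asmith", "Image": PS_IMAGE,
        "CommandLine": "powershell.exe -c dir C:\\Share -Recurse | findstr .xls .doc",
    },
]


def extensions_in(command_line):
    """Distinct document extensions referenced on the command line, lower-cased and sorted."""
    return sorted({m.lower() for m in EXT_PATTERN.findall(command_line)})


def is_document_collection(event, min_extensions=2):
    """True when a PowerShell process uses a file-listing/copy cmdlet over several doc types."""
    if not POWERSHELL_PATTERN.search(event.get("Image", "")):
        return False
    cmd = event.get("CommandLine", "")
    if not COLLECT_PATTERN.search(cmd):
        return False
    return len(extensions_in(cmd)) >= min_extensions


def scan(events, min_extensions=2):
    """Return a hit record (user, extensions, command line) for each matching event."""
    hits = []
    for event in events:
        if is_document_collection(event, min_extensions):
            hits.append({
                "User": event.get("User"),
                "Extensions": extensions_in(event["CommandLine"]),
                "CommandLine": event["CommandLine"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['User']}: {hit['Extensions']} :: {hit['CommandLine']}")
```

The rule keys on three things at once (the PowerShell image, a collection cmdlet, and several document extensions) because any one of them alone is routine on an administrator's workstation; tune the threshold and the cmdlet list to your own baseline, and pair the alert with the source process's parent and network activity, since the report describes this collection as a prelude to exfiltration over trusted cloud services.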
References:
- securityaffairs.com: SecurityAffairs: Earth Kurma APT is actively targeting government and telecommunications orgs in Southeast Asia
- securityonline.info: SecurityOnline: Earth Kurma APT Targets Southeast Asia with Stealthy Cyberespionage
- The Hacker News: TheHackNews: Earth Kurma Targets Southeast Asia With Rootkits and Cloud-Based Data Theft Tools
- Know Your Adversary: Know Your Adversary: That's How Earth Kurma Abuses PowerShell for Data Collection
- www.trendmicro.com: Trend Micro: Earth Kurma APT Campaign
- Industrial Cyber: Earth Kurma APT targets Southeast Asian government, telecom sectors in latest cyberespionage campaigns.
- industrialcyber.co: Trend Micro researchers have uncovered that an advanced persistent threat (APT) group known as Earth Kurma is actively
- www.scworld.com: Trend Micro researchers have identified a sophisticated cyberespionage campaign orchestrated by the APT group, Earth Kurma, focusing on organizations in Southeast Asia, including Malaysia, Thailand, Vietnam, and the Philippines.
- Security Risk Advisors: #EarthKurma #APT targeting Southeast Asian governments with #rootkits and cloud exfiltration tools using kernel-level persistence & trusted cloud services to steal sensitive documents. #CyberEspionage #ThreatIntel
- securityonline.info: In a newly released report, Trend Research has unveiled the operations of an advanced persistent threat (APT) group,
- sra.io: APT targeting Southeast Asian governments with #rootkits and cloud exfiltration tools using kernel-level persistence & trusted cloud services to steal sensitive documents.
- Virus Bulletin: Trend Micro's Nick Dai & Sunny Lu look into the Earth Kurma APT campaign targeting government and telecommunications sectors in Southeast Asia. The campaign used advanced malware, rootkits, and trusted cloud services to conduct cyberespionage.
@www.silentpush.com
//
North Korean hackers, identified as the Contagious Interview APT group, are running a sophisticated malware campaign targeting individuals seeking employment in the cryptocurrency sector. Silent Push threat analysts have uncovered the operation, revealing that the group, also known as Famous Chollima and a subgroup of Lazarus, is using three front companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—to spread malicious software. These companies are being used to lure unsuspecting job applicants into downloading malware through fake job interview opportunities, marking an evolution in the group's cyber espionage and financial gain tactics.
The campaign involves the distribution of three distinct malware strains: BeaverTail, InvisibleFerret, and OtterCookie. Job seekers are enticed with postings on various online platforms, including CryptoJobsList, CryptoTask, and Upwork. Once an application is submitted, the hackers send what appear to be legitimate interview-related files containing the malware. The attackers are also using AI-generated images to create employee profiles for these front companies, specifically using Remaker AI to fabricate realistic personas, enhancing the credibility of their fraudulent operations and making it harder for job seekers to differentiate between genuine and malicious opportunities.
The use of these front companies and AI-generated profiles signifies a new escalation in the tactics employed by Contagious Interview. The malware, once installed, allows hackers to remotely access infected computers and steal sensitive data. The campaign leverages legitimate platforms like GitHub and various job boards to further enhance its deceptive nature. Silent Push's analysis has successfully traced the malware back to specific websites and internet addresses used by the hackers, including lianxinxiao[.]com, and uncovered a hidden online dashboard monitoring suspected BeaverTail websites, providing valuable insights into the operational infrastructure of this North Korean APT group.
Recommended read:
References :
- hackread.com: North Korean Hackers Use Fake Crypto Firms in Job Malware Scam
- The Hacker News: North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures
- www.silentpush.com: Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie
- Anonymous: Threat analysts have uncovered that North Korea's Contagious Interview APT group is using three front companies to distribute malware strains BeaverTail, InvisibleFerret, and OtterCookie through fake cryptocurrency job offers.
- www.silentpush.com: North Korean APT registers three cryptocurrency companies to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
- cyberpress.org: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
- bsky.app: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
- www.scworld.com: North Korean cyberespionage facilitated by bogus US firms, crackdown underway
- Virus Bulletin: Silent Push researchers have uncovered three cryptocurrency companies that are actually fronts for the North Korean APT group Contagious Interview. BeaverTail, InvisibleFerret & OtterCookie are being spread from this infrastructure to unsuspecting cryptocurrency job applicants.
- www.scworld.com: New Lazarus campaign hits South Korea. BleepingComputer reports that at least half a dozen South Korean organizations in the finance, telecommunications, IT, and software industries have been compromised by North Korean hacking collective Lazarus Group.
- Cyber Security News: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
- PCMag UK security: Okta finds evidence that North Koreans are using a variety of AI services to upgrade their chances of fraudulently securing remote work so they can line their country's coffers or steal secrets.
- malware.news: North Korean Group Creates Fake Crypto Firms in Job Complex Scam
- www.bitdegree.org: North Korean hackers use AI and fake job offers within cryptocurrency companies to distribute malware to unsuspecting job seekers
- cyberpress.org: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
- malware.news: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
- securityonline.info: Threat analysts at Silent Push have uncovered a new campaign orchestrated by the North Korean state-sponsored APT group,
- securityonline.info: Threat actors are using fake companies in the cryptocurrency consulting industry to spread malware to unsuspecting job applicants.
- Cybernews: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
- gbhackers.com: North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers
@www.ic3.gov
//
The FBI has issued a public appeal for information regarding a widespread cyber campaign targeting US telecommunications infrastructure. The activity, attributed to a hacking group affiliated with the People's Republic of China and tracked as 'Salt Typhoon,' has resulted in the compromise of multiple U.S. telecommunications companies and others worldwide. The breaches, which have been ongoing for at least two years, have led to the theft of call data logs, a limited number of private communications, and the copying of select information subject to court-ordered U.S. law enforcement requests. The FBI is seeking information about the individuals who comprise Salt Typhoon and any details related to their malicious cyber activity.
The FBI, through its Internet Crime Complaint Center (IC3), is urging anyone with information about Salt Typhoon to come forward. The agency's investigation has uncovered a broad and sophisticated cyber operation that exploited access to telecommunications networks to target victims on a global scale. In October, the FBI and CISA confirmed that Chinese state hackers had breached multiple telecom providers, including major companies like AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream, as well as dozens of other telecom companies in numerous countries.
In an effort to incentivize informants, the U.S. Department of State’s Rewards for Justice (RFJ) program is offering a reward of up to US$10 million for information about foreign government-linked individuals participating in malicious cyber activities against US critical infrastructure. The FBI is accepting tips via TOR in a likely attempt to attract potential informants based in China. The agency has also released public statements and guidance on Salt Typhoon activity in collaboration with U.S. government partners, including the publication of 'Enhanced Visibility and Hardening Guidance for Communications Infrastructure.' Salt Typhoon is also known by other names such as RedMike, Ghost Emperor, FamousSparrow, Earth Estries, and UNC2286.
Recommended read:
References :
- bsky.app: The FBI has asked the public for information on Chinese Salt Typhoon hackers behind widespread breaches of telecommunications providers in the United States and worldwide.
- thecyberexpress.com: The FBI has issued a public appeal for information concerning an ongoing cyber campaign targeting US telecommunications infrastructure, attributed to actors affiliated with the People’s Republic of China (PRC).
- www.bleepingcomputer.com: FBI seeks help to unmask Salt Typhoon hackers behind telecom breaches
- BleepingComputer: The FBI has asked the public for information on Chinese Salt Typhoon hackers behind widespread breaches of telecommunications providers in the United States and worldwide.
- The DefendOps Diaries: Explore Salt Typhoon's cyber threats to telecom networks and the advanced tactics used by this state-sponsored group.
- malware.news: The FBI is seeking information from the public about the Chinese Salt Typhoon hacking campaign that, last year, was found to have breached major telecommunications providers and their wiretap request systems over a two-year period.
- Industrial Cyber: The Federal Bureau of Investigation (FBI) is requesting public assistance in reporting information related to the People’s Republic...
- industrialcyber.co: FBI issues IC3 alert on ‘Salt Typhoon’ activity, seeks public help in investigating PRC-linked cyber campaign
- Policy - Ars Technica: FBI offers $10 million for information about Salt Typhoon members
- www.cybersecuritydive.com: FBI seeks public tips about Salt Typhoon
- www.scworld.com: US intensifies Salt Typhoon crackdown with public info request
@research.checkpoint.com
//
Russian state-sponsored hacking group APT29, also known as Cozy Bear or Midnight Blizzard, is actively targeting European diplomatic entities with a sophisticated phishing campaign that began in January 2025. The threat actors are using deceptive emails disguised as invitations to wine-tasting events, enticing recipients to download a malicious ZIP file. The ZIP file contains a PowerPoint executable ("wine.exe") and two hidden DLL files, one of which is a malware loader dubbed GRAPELOADER. This campaign appears to be focused on targeting European diplomatic entities, including non-European countries’ embassies located in Europe.
GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery. Once executed, GRAPELOADER establishes persistence by modifying the Windows registry, collects basic system information such as the username and computer name, and communicates with a command-and-control (C2) server to fetch additional malicious payloads. The malware copies the contents of the malicious ZIP archive to a new location on disk and achieves persistence by adding an entry to the Windows registry's Run key, ensuring that wine.exe is executed automatically every time the system reboots.
In addition to GRAPELOADER, a new variant of WINELOADER, a modular backdoor previously used by APT29, has been discovered and is likely being used in later stages of the attack. GRAPELOADER employs advanced techniques to avoid detection, such as masking strings in its code and only decrypting them briefly in memory before erasing them. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows. The attackers are impersonating officials from various European nations, and in one instance leveraged a compromised Ukrainian Government account.
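The Run-key persistence and EXE-plus-hidden-DLL layout described above give defenders something concrete to audit. The following PowerShell is an added example, not code from Check Point's report: it walks the common Run keys and flags autostart targets that live in user-writable directories or sit beside loose DLLs. The directory list and the "loose DLL" heuristic are assumptions chosen for illustration.

```powershell
# Added example (not from the original report): audit Run-key autostart entries
# for the pattern described above (an EXE dropped to disk with hidden DLLs beside it).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Assumed list of locations a legitimate installer rarely uses for an autostart target.
$userWritableRoots = @($env:TEMP, "$env:USERPROFILE\Downloads", $env:APPDATA, $env:LOCALAPPDATA)

function Get-RunKeyFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
        foreach ($name in $names) {
            $value = [string]$props.$name
            # Extract the executable path from the command line (quoted or bare form).
            $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split ' ')[0] }
            $dir = Split-Path -Path $exe -Parent -ErrorAction SilentlyContinue
            $inUserDir = $false
            if ($dir) {
                $inUserDir = [bool]($userWritableRoots | Where-Object { $dir.StartsWith($_, 'OrdinalIgnoreCase') })
            }
            # -Force makes hidden files visible, so DLLs hidden next to the EXE are counted.
            $siblingDlls = 0
            if ($dir -and (Test-Path $dir)) {
                $siblingDlls = @(Get-ChildItem -Path $dir -Filter *.dll -Force -ErrorAction SilentlyContinue).Count
            }
            if ($inUserDir -or $siblingDlls -gt 0) {
                [pscustomobject]@{
                    Key             = $key
                    Name            = $name
                    Target          = $exe
                    UserWritableDir = $inUserDir
                    SiblingDlls     = $siblingDlls
                }
            }
        }
    }
}

Get-RunKeyFindings | Format-Table -AutoSize
```

Entries that match both heuristics deserve a look at the DLLs' signatures and the EXE's origin; a legitimate signed host binary beside an unsigned DLL in a user directory is the layout the report describes.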
Recommended read:
References :
- hackread.com: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats
- thehackernews.com: The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.
- ciso2ciso.com: Midnight Blizzard Targets European Diplomats with Wine Tasting Phishing Lure – Source: www.infosecurity-magazine.com
- research.checkpoint.com: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign
- Talkback Resources: Russian Cozy Bear’s Wine Lure Drops WineLoader Malware on EU Diplomats [social] [mal]
- securityaffairs.com: Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER.
- www.esecurityplanet.com: Russian state-linked hacking group is ramping up its cyberattacks against diplomatic targets across Europe, using a new stealthy malware tool known as “GrapeLoader” to deliver malicious payloads through cleverly disguised phishing emails.
- The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
- Blog: Russian state-sponsored hacking group APT29, also known as Cozy Bear or Midnight Blizzard, has launched a sophisticated phishing campaign targeting European diplomatic entities. The attackers are using deceptive emails that mimic invitations to wine-tasting events, enticing recipients to download a malicious ZIP file named wine.zip.
- Security Risk Advisors: Russia-Linked APT29 Targets European Diplomats with New GRAPELOADER Malware in Sophisticated Phishing Campaign