CyberSecurity news

FlagThis - #multiple

@gbhackers.com //
Cybercriminals are increasingly leveraging adversary-in-the-middle (AiTM) attacks with reverse proxies to bypass multi-factor authentication (MFA), a security measure widely adopted to protect against unauthorized access. This sophisticated technique allows attackers to intercept user credentials and authentication cookies, effectively neutralizing the added security that MFA is designed to provide. Instead of relying on simple, fake landing pages, attackers position reverse proxies between the victim and legitimate web services, creating an authentic-looking login experience. This method has proven highly effective in capturing sensitive information, as the only telltale sign might be a subtle discrepancy in the browser's address bar.

The proliferation of Phishing-as-a-Service (PhaaS) toolkits has significantly lowered the barrier to entry for executing these complex attacks. Platforms like Tycoon 2FA and Evilproxy offer ready-made templates for targeting popular services and include features like IP filtering and JavaScript injection to evade detection. Open-source tools such as Evilginx, originally intended for penetration testing, have also been repurposed by malicious actors, further exacerbating the problem. These tools provide customizable reverse proxy capabilities that enable even novice cybercriminals to launch sophisticated MFA bypass campaigns.

To combat these evolving threats, security experts recommend that organizations reassess their current MFA strategies and consider adopting more robust authentication methods. WebAuthn, a passwordless authentication standard utilizing public key cryptography, offers a potential solution by eliminating password transmission and rendering server-side authentication databases useless to attackers. Additionally, organizations should implement measures to detect unusual session behavior, monitor for newly registered domains, and analyze TLS fingerprints to identify potential AiTM activity. By staying vigilant and adapting their security strategies, organizations can better defend against these advanced phishing techniques and protect their valuable assets.

Recommended read:
References :
  • gbhackers.com: Threat Actors Use AiTM Attacks with Reverse Proxies to Bypass MFA
  • malware.news: Threat Actors Use AiTM Attacks with Reverse Proxies to Bypass MFA
  • securityonline.info: AiTM Attacks Bypass MFA Despite Widespread Adoption
  • cyberpress.org: CyberPress reports on AiTM attacks with reverse proxies enable threat actors to bypass MFA.
  • Cyber Security News: Cybersercurity news reports new MintsLoader drops GhostWeaver.
  • gbhackers.com: Threat Actors Use AiTM Attacks with Reverse Proxies to Bypass MFA
  • Daily CyberSecurity: AiTM Attacks Bypass MFA Despite Widespread Adoption

Shivani Tiwari@cysecurity.news //
Cybersecurity firm Bitdefender has issued a warning about a significant increase in subscription scams that are cleverly disguised as legitimate online stores and enticing mystery boxes. This new wave of scams is characterized by its unprecedented sophistication, employing high-quality website design, targeted advertising, and social media exploitation to deceive unsuspecting users. Over 200 fake retail sites have been identified as part of this operation, all designed to harvest credit card data and personal information from victims globally. These sites offer a wide range of products, including clothing, electronics, and beauty items, making it harder for users to distinguish them from genuine e-commerce platforms.

This scam network leverages social media platforms, particularly Facebook, where cybercriminals deploy sponsored ads and impersonate content creators to lure victims. A key component of this fraud is the evolution of the "mystery box" scam, which promises surprise items for a nominal fee but conceals hidden subscription models in the fine print. Victims are often unknowingly enrolled in recurring payment plans, with charges ranging up to 44 EUR every 14 days, disguised as loyalty benefits or exclusive shopping privileges. The scammers exploit the human fascination with the unknown, offering boxes supposedly left at post offices or bags found at airports, requiring a small payment to claim ownership, with the primary objective being collecting financial information.

Bitdefender's investigation reveals that these schemes utilize complex payment structures and convoluted terms to confuse users, transforming a seemingly one-time purchase into recurring charges. To evade detection, scammers employ techniques such as multiple ad versions, Google Drive-hosted images for easy replacement, cropped visuals to bypass pattern recognition, and homoglyph tactics to obscure malicious intent. Many of these fraudulent sites remain active, continuously targeting users globally, with specific campaigns observed in Romania, Canada, and the United States. The connection between these scams and a Cyprus-registered address raises suspicions of a coordinated operation involving offshore entities.

Recommended read:
References :
  • securityonline.info: Bitdefender researchers have uncovered a sprawling web of subscription-based scams that blend professional-looking websites, social media manipulation, and
  • www.cysecurity.news: Cybersecurity researchers at Bitdefender have uncovered a sharp increase in deceptive online subscription scams, with fraudsters disguising themselves as legitimate e-commerce platforms and mystery box vendors.
  • Cyber Security News: Subscription-Based Scams Exploit Users to Harvest Credit Card Data
  • hackread.com: Bitdefender uncovers a massive surge in sophisticated subscription scams disguised as online shops and evolving mystery boxes. Learn…
  • gbhackers.com: Subscription-Based Scams Targeting Users to Steal Credit Card Information
  • cyberpress.org: Subscription-Based Scams Exploit Users to Harvest Credit Card Data
  • cybersecuritynews.com: A significant wave of subscription-based scams is sweeping across the internet, specifically designed to steal credit card information from unsuspecting users.
  • Daily CyberSecurity: Bitdefender Exposes Sophisticated Subscription-Based Mystery Box Scams
  • gbhackers.com: Subscription-Based Scams Targeting Users to Steal Credit Card Information

@cyble.com //
Recent cyberattacks have targeted major UK retailers, prompting a call for increased vigilance and stronger defenses from the National Cyber Security Centre (NCSC). High-profile organizations such as Harrods, Marks & Spencer (M&S), and Co-op have been affected, causing significant operational disruptions. These attacks have led to restricted internet access, pauses in online order processing, and in some instances, potential data extraction, highlighting the severity and broad impact of these cyber incidents on the retail sector.

The NCSC has issued an urgent warning to UK firms, emphasizing the escalating risk of ransomware attacks, particularly within the retail industry. The agency anticipates a potential increase in similar attacks in the coming days. In response, the NCSC has released a comprehensive set of guidelines designed to assist businesses in bolstering their defenses against these threats and minimizing potential financial losses. This includes reviewing password reset policies, being cautious of senior employees with escalated priviledges such as Domain Admin, Enterprise Admin and Cloud Admin accounts.

The NCSC's guidelines emphasize proactive measures such as isolating and containing threats quickly by severing internet connectivity to prevent malware spread and ensuring backup servers remain unaffected. It also highlights leveraging backup systems for recovery and implementing multi-factor authentication (MFA) across the board. The NCSC advises businesses to constantly be on the look out for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised due to suspicious activity or unusual behaviour. Furthermore, the agency urges organizations to assess their cyber resilience and adopt best practices for both prevention and recovery to mitigate future attacks.

Recommended read:
References :
  • DataBreaches.Net: Marks & Spencer breach linked to Scattered Spider ransomware attack
  • Davey Winder: Harrods is the latest major U.K. retailer to confirm a cyberattack as M&S continues to struggle with ransomware strike fallout.
  • securityaffairs.com: Luxury department store Harrods suffered a cyberattack
  • The Register - Security: British govt agents step in as Harrods becomes third mega retailer under cyberattack
  • www.itpro.com: Harrods hit by cyber attack as UK retailers battle threats
  • Graham Cluley: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a attack. No organisation is 100% safe.
  • techcrunch.com: UK retail giant Co-op warns of disruption as it battles cyberattack
  • Bloomberg Technology: DragonForce hacking gang takes credit for UK retail attacks
  • NCSC News Feed: NCSC statement: Incident impacting retailers
  • Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
  • Zack Whittaker: Bloomberg reporting that DragonForce ransomware gang "and its partners" were behind cyberattacks targeting U.K. retail giants Marks & Spencer, Co-op and Harrods. The gang also claimed to have stolen customer data.
  • doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
  • Metacurity: Harrods becomes the third top UK retailer to fend off a cyberattack
  • hackread.com: UK Retailer Harrods Hit by Cyber Attack After M&S, Co-op
  • NPR Topics: Technology: Harrods, the iconic luxury department store, has become the latest British retailer to fall victim to a cyberattack.
  • bsky.app: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a #ransomware attack.
  • www.bbc.co.uk: The BBC reports on DragonForce's attacks on Co-op, details data theft.
  • www.thetimes.com: The Sunday Times article details the DragonForce attack on Marks & Spencer.
  • BleepingComputer: Cybersecurity firm BleepingComputer reported the Co-op's confirmation of significant data theft, contrasting with previous downplayed assessments of the incident.
  • Help Net Security: The Co-op hack is detailed with an update of stolen data and the impact on the company's systems.
  • DataBreaches.Net: BleepingComputer reports on the escalation of the Co-op cyberattack, with hackers boasting about stealing data from millions of customers.
  • arcticwolf.com: Uptick in Ransomware Threat Activity Targeting Retailers in the UK
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • Tech Monitor: The Co-op Group has acknowledged a substantial data breach in a cyberattack that was reportedly perpetrated by the DragonForce group.
  • arcticwolf.com: Threat Event Timeline 04/22/2025 – Marks & Spencer released a cyber incident update on the London stock exchange website. The incident resulted in the organization having to pause online clothing orders for six days.
  • www.techradar.com: Hackers claim to have stolen private information on 20 million Co-op shoppers
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities.
  • www.cybersecurity-insiders.com: NCSC issues alert against more ransomware attacks on retailers
  • www.itpro.com: In an official statement, addressed the situation, saying: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public.
  • cyberinsider.com: Cyber Insider reports on Co-op Confirms Member Data Breach Following Cyberattack Incident
  • Check Point Research: Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data.
  • www.bleepingcomputer.com: Marks and Spencer breach linked to Scattered Spider ransomware attack
  • cyberinsider.com: NCSC Issues Urgent Guidance After Major UK Retailers Breached by Hackers
  • www.cybersecurity-insiders.com: New Cyber threats emerge from Cyber Attacks on UK Companies.
  • www.cybersecurity-insiders.com: NCSC issues alert against more ransomware attacks on retailers
  • TechInformed: Recent retail cyber attacks have highlighted growing vulnerabilities in the UK sector.
  • techinformed.com: A recent spate of retail cyber attacks has highlighted growing vulnerabilities in the UK sector, with high street names including M&S, the Co-op and Harrods…
  • Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
  • Malware ? Graham Cluley: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
  • Phishing Tackle: Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen.
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
  • www.cysecurity.news: UK Retail Sector Hit by String of Cyberattacks, NCSC Warns of Wake-Up Call
  • industrialcyber.co: Mandiant links DragonForce ransomware attacks on UK retailers to UNC3944 tactics, highlighting links to RansomHub
  • phishingtackle.com: Rise In Cyberattacks On UK Retailers Sparks National Alert

Bill Toulas@BleepingComputer //
References: bsky.app , BleepingComputer , bsky.app ...
The FBI has released a comprehensive list of 42,000 phishing domains linked to the LabHost cybercrime platform. LabHost, a major phishing-as-a-service (PhaaS) platform, was dismantled in April 2024. The extensive list is designed to aid cybersecurity professionals and organizations in strengthening their defenses against phishing attacks. The domains were registered between November 2021 and April 2024, providing a historical record for threat detection.

This release offers a unique opportunity to bolster cybersecurity defenses and enhance threat detection strategies. By integrating these domains into existing security frameworks, organizations can proactively thwart potential threats. Retrospective analysis of logs from November 2021 to April 2024 can uncover previously undetected breaches, allowing organizations to address vulnerabilities. The list serves as a valuable resource for training phishing detection models, improving their accuracy and effectiveness.

The release of the 42,000 domains allows for the creation of comprehensive blocklists to mitigate the risk of threat actors reusing or re-registering these domains. Cybersecurity experts can analyze domain patterns to gain insights into the operations of PhaaS platforms like LabHost. This correlation of intelligence can aid in understanding the tactics, techniques, and procedures (TTPs) employed by cybercriminals, thereby enhancing the ability to predict and counter future threats.

Recommended read:
References :
  • bsky.app: The FBI released a list of 42,000 phishing domains linked to the LabHost phishing-as-a-service (PhaaS) platform
  • BleepingComputer: The FBI released a list of 42,000 phishing domains linked to the LabHost phishing-as-a-service (PhaaS) platform that was dismantled in April 2024.
  • The DefendOps Diaries: FBI shares massive list of 42,000 LabHost phishing domains, boosting cybersecurity defenses and enhancing threat detection strategies.
  • bsky.app: The FBI has shared 42,000 phishing domains tied to the LabHost cybercrime platform, one of the largest global phishing-as-a-service (PhaaS) platforms that was dismantled in April 2024.
  • malware.news: Thousands of LabHost PhaaS domains exposed by FBI
  • securityaffairs.com: FBI shared a list of phishing domains associated with the LabHost PhaaS platform
  • Talkback Resources: FBI shared a list of phishing domains associated with the LabHost PhaaS platform [net] [social]
  • www.sentinelone.com: FBI shares 42,000 domains linked to seized PhaaS

@cloud.google.com //
Google's Threat Intelligence Group (GTIG) has released its annual review of zero-day exploits, revealing a concerning shift towards enterprise-targeted attacks in 2024. The report highlights a persistent rise in zero-day exploitation, with 75 vulnerabilities actively exploited in the wild. While this number represents a decrease from the 98 exploits observed in 2023, it remains higher than the 63 recorded in 2022, indicating a continued upward trend. The GTIG's analysis divides these vulnerabilities into two main categories: end-user platforms and products, and enterprise-focused technologies such as security software and appliances.

Of the 75 zero-day exploits tracked in 2024, a significant 44% targeted enterprise products. This indicates a strategic shift from attackers who are increasingly recognizing the value in compromising systems that house sensitive data. In contrast, the exploitation of browsers and mobile devices has decreased, falling by about a third and half, respectively. This shift towards enterprise technologies suggests that attackers are focusing on more lucrative targets that offer greater potential rewards. The GTIG report also notes that exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively used to target mobile devices.

Government-backed hackers and commercial surveillance vendors (CSVs) are the primary actors behind many of these exploits. The GTIG report indicates that governments like China and North Korea, along with spyware makers, are responsible for the most recorded zero-days in 2024. Specifically, at least 23 zero-day exploits were linked to government-backed hackers, with 10 directly attributed to governments including five linked to China and five to North Korea. Additionally, spyware makers and surveillance enablers were responsible for eight exploits, suggesting that the industry will continue to grow as long as government customers continue to request and pay for these services.

Recommended read:
References :
  • Threat Intelligence: Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
  • securityaffairs.com: Google tracked 75 zero-day flaws exploited in 2024, down from 98 in 2023, according to its Threat Intelligence Group’s latest analysis.
  • techcrunch.com: Governments like China and North Korea, along with spyware makers, used the most recorded zero-days in 2024.
  • The Hacker News: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
  • CyberInsider: The Google Threat Intelligence Group (GTIG) has published its annual review of zero-day exploits for 2024, revealing a gradual but persistent rise in zero-day exploitation and a concerning shift towards enterprise-targeted attacks.
  • The Register - Security: Enterprise tech dominates zero-day exploits with no signs of slowdown
  • cyberinsider.com: Google Logs 75 Zero-Days in 2024, Enterprise Attacks at All-Time High
  • securityonline.info: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
  • BleepingComputer: Google's Threat Intelligence Group (GTIG) says attackers exploited 75 zero-day vulnerabilities in the wild last year, over 50% of which were linked to spyware attacks.
  • www.techradar.com: Of all the zero-days abused in 2024, the majority were used in state-sponsored attacks by China and North Korea.
  • thecyberexpress.com: Google's Threat Intelligence Group (GTIG) released its annual analysis of zero-day exploitation, detailing how 2024 saw attackers increasingly target enterprise software and infrastructure over traditional consumer platforms like browsers and mobile devices.
  • cloud.google.com: Threat actors exploited 75 zero-days last year, with 33 of those targeting enterprise products
  • socradar.io: Google’s 2024 Zero-Day Report: Key Trends, Targets, and Exploits In late April, Google’s Threat Intelligence Group (GTIG) published its annual report on zero-day exploitation, offering a detailed account of in-the-wild attacks observed throughout 2024. The report draws on GTIG’s original breach investigations, technical analysis, and insights from trusted open-source reporting. GTIG tracked 75 zero-day vulnerabilities
  • Security Risk Advisors: Zero-Day Exploitation Continues to Grow with Shifting Focus Toward Enterprise Security Products

@www.microsoft.com //
Microsoft Threat Intelligence is reporting a significant rise in cyberattacks targeting unsecured Kubernetes clusters. These attacks are primarily aimed at illicit cryptocurrency mining, with threat actors exploiting vulnerabilities such as unsecured workload identities and inactive accounts to gain unauthorized access to containerized environments. Data from Microsoft indicates that a concerning 51% of workload identities remained inactive in the past year, creating numerous potential entry points for attackers. The increasing adoption of containers-as-a-service among organizations has expanded the attack surface, making it more attractive for cybercriminals seeking to profit from stolen computing resources.

The dynamic nature of Kubernetes environments poses significant challenges for security teams. The rapid deployment and scaling of containers make it difficult to detect runtime anomalies and trace the origins of security breaches. Attackers often exploit misconfigured resources, outdated container images, inadequate network segmentation, and overly permissive access controls to infiltrate these environments. Observed attack vectors include compromising cloud credentials, deploying malicious container images, exploiting the Kubernetes API, conducting node-level and pod escape attacks, and injecting unauthorized network traffic. A recent example involved the use of the AzureChecker.exe tool to launch password spray attacks against cloud tenants, leading to the creation of cryptomining containers within compromised resource groups.

To combat these evolving threats, Microsoft has been working with MITRE to update the Kubernetes threat matrix and the ATT&CK for Containers matrix. This provides a structured framework for organizations to systematically assess and mitigate attack surfaces in containerized environments. Security best practices highlighted include implementing immutable container policies, enforcing strong authentication, employing rigorous vulnerability management, using admission controllers, establishing image assurance policies, and continuously monitoring API activity. Furthermore, a Docker malware campaign has been discovered exploiting Teneo Web3 nodes by faking heartbeat signals to earn crypto, showcasing the diverse methods attackers are using to generate revenue from compromised container environments.

Recommended read:
References :
  • www.microsoft.com: Understanding the threat landscape for Kubernetes and containerized assets
  • Cyber Security News: Cyberpress: Unsecured Kubernetes Clusters Targeted by Threat Actors for Crypto Mining
  • The Hacker News: Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals
  • Microsoft Security Blog: Understanding the threat landscape for Kubernetes and containerized assets

Stu Sjouwerman@blog.knowbe4.com //
Cybercriminals are increasingly exploiting the power of artificial intelligence to enhance their malicious activities, marking a concerning trend in the cybersecurity landscape. Reports, including Microsoft’s Cyber Signals, highlight a surge in AI-assisted scams and phishing attacks. Guardio Labs has identified a specific phenomenon called "VibeScamming," where hackers leverage AI to create highly convincing phishing schemes and functional attack models with unprecedented ease. This development signifies a "democratization" of cybercrime, enabling individuals with limited technical skills to launch sophisticated attacks.

Cybersecurity researchers at Guardio Labs conducted a benchmark study that examined the capabilities of different AI models in facilitating phishing scams. While ChatGPT demonstrated some resistance due to its ethical guardrails, other platforms like Claude and Lovable proved more susceptible to malicious use. Claude provided detailed, usable code for phishing operations when prompted within an "ethical hacking" framework, while Lovable, designed for easy web app creation, inadvertently became a haven for scammers, offering instant hosting solutions, evasion tactics, and even integrated credential theft mechanisms. The ease with which these models can be exploited raises significant concerns about the balance between AI functionality and security.

To combat these evolving threats, security experts emphasize the need for organizations to adopt a proactive and layered approach to cybersecurity. This includes implementing zero-trust principles, carefully verifying user identities, and continuously monitoring for suspicious activities. As threat actors increasingly blend social engineering with AI and automation to bypass detection, companies must prioritize security awareness training for employees and invest in advanced security solutions that can detect and prevent AI-powered attacks. With improved attack strategies, organizations must stay ahead of the curve by continuously refining their defenses and adapting to the ever-changing threat landscape.

Recommended read:
References :

Stu Sjouwerman@blog.knowbe4.com //
A widespread smishing campaign targeting toll road users across the United States has been uncovered by cybersecurity researchers. The campaign, active since October 2024, involves attackers sending fraudulent SMS messages claiming that victims owe small amounts, typically under $5, for unpaid tolls. These messages warn of late fees and redirect recipients to spoofed websites designed to mimic legitimate toll service platforms like E-ZPass. The goal is to steal sensitive user information, including personal details and credit card information.

These fraudulent websites prompt victims to solve a fake CAPTCHA before being redirected to a webpage displaying a fabricated bill. The bill includes the victim’s name and warns of a $35 late payment fee, urging them to proceed with payment. Once victims click “Proceed Now,” they are taken to another fake page where they are asked to provide personal details such as their name, address, phone number, and credit card information. This data is then stolen by the threat actors. The campaign spans at least eight states, including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas, identified through spoofed domains containing state-specific abbreviations observed in the SMS messages.

Cisco Talos attributes this campaign to multiple financially motivated threat actors using smishing kits developed by an individual known as “Wang Duo Yu.” These kits have been previously linked to large-scale smishing attacks targeting mail services like USPS and financial institutions. Wang Duo Yu operates several Telegram channels and forums promoting smishing kits and offering tutorials on phishing techniques. His kits are priced between $20 and $50 depending on the features and support provided. The typosquatted domains used in the campaign resolve to specific IP addresses: 45[.]152[.]115[.]161, 82[.]147[.]88[.]22, and more recently 43[.]156[.]47[.]209.

Recommended read:
References :
  • Cyber Security News: "$5 SMS Scam Alert: Toll Road Users Targeted in New Phishing Campaign"
  • gbhackers.com: Smishing Campaign Hits Toll Road Users with $5 Payment Scam
  • Daily CyberSecurity: Nationwide Smishing Scam Targets Toll Road Users, Stealing Payment Data
  • blog.knowbe4.com: China Cybercriminals Behind Toll-Themed Smishing Attacks Surge in the US and UK
  • krebsonsecurity.com: Chinese Innovations Spawn Wave of Toll Phishing Via SMS
  • The Hacker News: Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States

Sathwik Ram@seqrite.com //
Pakistan-linked SideCopy APT has escalated its cyber operations, employing new tactics to infiltrate crucial sectors. Seqrite Labs APT team uncovered these new tactics deployed since the last week of December 2024. The Advanced Persistent Threat (APT) group, previously focused on Indian government, defence, maritime sectors, and university students, is expanding its targeting scope.

The group has broadened its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. One notable shift in their recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism. This evolution is marked by increasingly sophisticated methods, such as reflective DLL loading and AES encryption via PowerShell.

Furthermore, SideCopy is actively repurposing open-source tools like XenoRAT and SparkRAT to enhance their penetration and exploitation capabilities. The group customizes these tools and employs a newly identified Golang-based malware dubbed CurlBack RAT, specifically designed to execute DLL side-loading attacks. Recent campaigns demonstrate an increased use of phishing emails masquerading as government officials to deliver malicious payloads, often using compromised official domains and fake domains mimicking e-governance services.

Recommended read:
References :
  • Virus Bulletin: The Seqrite Labs APT team has uncovered new tactics of the Pakistan-linked SideCopy APT. The group has expanded its targets to include critical sectors such as railways, oil & gas, and external affairs ministries and has shifted from using HTA files to MSI packages.
  • www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
  • www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
  • cyberpress.org: SideCopy APT Poses as Government Personnel to Distribute Open-Source XenoRAT Tool
  • gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
  • Cyber Security News: Pakistan-linked adversary group SideCopy has escalated its operations, employing new tactics to infiltrate crucial sectors.
  • gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
  • beSpacific: Article on the new tactics of the Pakistan-linked SideCopy APT.

@slashnext.com //
A new AI platform called Xanthorox AI has emerged in the cybercrime landscape, advertised as a full-spectrum hacking assistant and is circulating within cybercrime communities on darknet forums and encrypted channels. First spotted in late Q1 2025, this tool is marketed as the "killer of WormGPT and all EvilGPT variants," suggesting its creators intend to supplant earlier malicious AI models. Unlike previous malicious AI tools, Xanthorox AI boasts an independent, multi-model framework, operating on private servers and avoiding reliance on public cloud infrastructure or APIs, making it more difficult to trace and shut down.

Xanthorox AI provides a modular GenAI platform for offensive cyberattacks, offering a one-stop shop for developing a range of cybercriminal operations. This darknet-exclusive tool uses five custom models to launch advanced, autonomous cyberattacks, marking a new era in AI-driven threats. The toolkit includes Xanthorox Coder for automating code creation, script development, malware generation, and vulnerability exploitation. Xanthorox Vision adds visual intelligence by analyzing uploaded images or screenshots to extract data, while Reasoner Advanced mimics human logic to generate convincing social engineering outputs.

Furthermore, Xanthorox AI supports voice-based interaction through real-time calls and asynchronous messaging, enabling hands-free command and control. The platform emphasizes data containment and operates offline, ensuring users can avoid third-party AI telemetry risks. SlashNext refers to it as “the next evolution of black-hat AI” because Xanthorox is not based on existing AI platforms like GPT. Instead, it uses five separate AI models, and everything runs on private servers controlled by the creators, meaning it has few ways for defenders to track or shut it down.

Recommended read:
References :
  • cybersecuritynews.com: New Black-Hat Automated Hacking Tool Xanthorox AI Advertised in Hacker Forums
  • hackread.com: Xanthorox AI Surfaces on Dark Web as Full Spectrum Hacking Assistant
  • slashnext.com: Xanthorox AI – The Next Generation of Malicious AI Threats Emerges
  • www.esecurityplanet.com: Xanthorox AI, a darknet-exclusive tool, uses five custom models to launch advanced, autonomous cyberattacks, ushering in a new AI threat era.
  • Cyber Security News: New Black-Hat Automated Hacking Tool Xanthorox AI Advertised in Hacker Forums
  • SlashNext: Xanthorox AI – The Next Generation of Malicious AI Threats Emerges
  • eSecurity Planet: Xanthorox AI: A New Breed of Malicious AI Threat Hits the Darknet
  • www.scworld.com: AI tool claims advanced capabilities for criminals without jailbreaks

info@thehackernews.com (The@The Hacker News //
A new phishing campaign called 'PoisonSeed' has emerged, posing a significant cybersecurity threat by targeting customer relationship management (CRM) platforms and bulk email service providers. The campaign leverages compromised credentials to distribute emails containing cryptocurrency seed phrases, aiming to drain victims' digital wallets. This activity forms part of a broader supply chain attack, impacting enterprise organizations and individuals outside the cryptocurrency industry, with crypto companies like Coinbase and Ledger and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho among the targeted companies.

PoisonSeed's method involves creating convincing phishing pages mimicking login portals for popular CRM and email platforms. These deceptive pages trick victims into revealing their credentials, after which the attackers automate the export of email lists and create API keys for persistent access. Compromised accounts are then used to send bulk phishing emails with urgent lures, such as fake wallet migration notices, urging recipients to set up new cryptocurrency wallets using a provided seed phrase. If entered, this seed phrase allows attackers to access the wallet and steal funds, initiating a cryptocurrency seed phrase poisoning attack.

Silent Push analysts have identified an extensive list of Indicators of Compromise (IoCs) associated with PoisonSeed's infrastructure, including phishing domains like mailchimp-sso[.]com and C2 Servers with IP addresses such as 212.224.88[.]188. While PoisonSeed shares some tactics with known groups like Scattered Spider and CryptoChameleon, it's considered a distinct entity with a focus on cryptocurrency theft rather than ransomware attacks. This malicious campaign exploits CRM credentials to spread cryptocurrency seed phrase attacks, placing many wallets at risk of compromise.

Recommended read:
References :
  • Cyber Security News: The campaign targets individuals and organizations outside the cryptocurrency industry.
  • gbhackers.com: PoisonSeed uses advanced phishing techniques.
  • www.bleepingcomputer.com: Threat actors are leveraging compromised credentials.
  • securityonline.info: SecurityOnline.info - PoisonSeed Campaign: Uncovering a Web of Cryptocurrency and Email Provider Attacks
  • The DefendOps Diaries: Understanding the PoisonSeed Phishing Campaign: A New Cyber Threat
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • securityaffairs.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
  • Cyber Security News: A new phishing campaign, PoisonSeed, has been targeting CRM and email providers to obtain email lists for bulk cryptocurrency spamming.
  • securityonline.info: Threat actors target email providers to provide infrastructure for cryptocurrency spam operations.
  • Security Risk Advisors: PoisonSeed Actors Hijack Bulk Email Services to Execute Cryptocurrency Seed Phrase Attacks

@gbhackers.com //
References: gbhackers.com , Malwarebytes ,
Cybercriminals are increasingly employing sophisticated tactics to bypass traditional security measures and ensnare unsuspecting users in phishing scams. One notable trend is the use of benign-worded email subjects such as "request," "forward," and "report" to lower suspicion. Additionally, attackers are leveraging URL shorteners and QR codes to mask malicious links, making it harder for users and security systems to identify threats. These techniques allow cybercriminals to evade detection and increase the likelihood of successful attacks aimed at stealing personal and financial information.

Tax-themed phishing campaigns are surging as the United States approaches Tax Day on April 15th. Microsoft has observed threat actors exploiting tax-related anxieties through emails containing malicious attachments. These attachments frequently include QR codes that redirect users to fake login pages designed to steal credentials. In other instances, attackers embed DoubleClick URLs in PDF attachments that redirect users through shortened links to fake DocuSign pages, serving either malicious JavaScript files leading to malware installation or benign decoy files based on filtering rules.

The malware families being deployed in these campaigns are becoming increasingly advanced. Latrodectus, for example, features dynamic command-and-control configurations and anti-analysis capabilities, allowing attackers to execute Windows commands remotely and establish persistence through scheduled tasks. BruteRatel C4 (BRc4), originally designed for red-teaming exercises, is being exploited for post-exploitation activities, enabling attackers to bypass security defenses. According to Kendall McKay, strategic lead for cyber threat intelligence at Cisco’s Talos division, phishing scams are constantly evolving to maintain their effectiveness.

Recommended read:
References :
  • gbhackers.com: Hackers Use URL Shorteners and QR Codes in Tax-Themed Phishing Attacks
  • Malwarebytes: QR codes sent in attachments are the new favorite for phishers
  • www.cysecurity.news: Phishing Scams Are Getting Smarter – And More Subtle : Here’s All You Need to Know

info@thehackernews.com (The@The Hacker News //
The Lucid PhaaS platform, operated by the XinXin group, is being used in sophisticated smishing campaigns targeting 169 entities across 88 countries. This Phishing-as-a-Service (PhaaS) platform leverages legitimate communication channels like Apple iMessage and Android RCS to bypass traditional SMS spam filters, significantly increasing delivery and success rates. Cybercriminals are using Lucid to harvest credit card details and personally identifiable information (PII) for financial fraud.

The platform employs social engineering tactics, including impersonating postal services, courier companies, and tax refund agencies. It offers credit card validation tools and can clone any brand's website to create phishing versions. Telecom providers face challenges in preventing these attacks due to the end-to-end encryption of iMessage and RCS. Cybersecurity experts recommend that users independently verify communications with trusted organizations through official channels to avoid falling victim to these scams.

Recommended read:
References :
  • The Hacker News: Lucid PhaaS Hits 169 Targets in 88 Countries Using iMessage and RCS Smishing
  • www.cysecurity.news: Lucid Faces Increasing Risks from Phishing-as-a-Service
  • www.redhotcyber.com: Phishing come se non ci fosse un domani! Arriva Lucid PhaaS, la piattaforma cinese per truffe globali
  • Blog: XinXin group offers new ‘dreamy’ PhaaS platform
  • blog.knowbe4.com: A phishing-as-a-service (PhaaS) platform dubbed ‘Lucid’ is driving a surge in SMS (smishing) attacks, according to researchers at Prodaft.

Bill Mann@CyberInsider //
CISA, along with the NSA, FBI, and international cybersecurity partners, has issued a joint advisory regarding the increasing use of the "fast flux" technique by cybercriminals and nation-state actors. This DNS evasion method allows attackers to rapidly change the DNS records associated with their malicious servers, making it difficult to track and block their activities. This tactic is used to obfuscate the location of malicious servers, enabling them to create resilient and highly available command and control infrastructures while concealing malicious operations.

Fast flux, characterized by quickly changing IP addresses linked to a single domain, exploits weaknesses in network defenses. The advisory, titled 'Fast Flux: A National Security Threat,' urges organizations, internet service providers (ISPs), and security firms to strengthen their defenses against these attacks. Service providers, especially Protective DNS providers (PDNS), are urged to track, share information, and block fast flux activity to safeguard critical infrastructure and national security.

Recommended read:
References :
  • CyberInsider: CISA Warns of ‘Fast Flux’ Technique Hackers Use for Evasion
  • The Register - Security: For flux sake: CISA, annexable allies warn of hot DNS threat
  • Industrial Cyber: Advisory warns of fast flux national security threat, urges action to protect critical infrastructure
  • Cyber Security News: Hackers Leveraging Fast Flux Technique to Evade Detection & Hide Malicious Servers
  • BleepingComputer: CISA, the FBI, the NSA, and international cybersecurity agencies are calling on organizations and DNS providers to mitigate the "Fast Flux" cybercrime evasion technique used by state-sponsored threat actors and ransomware gangs.
  • BleepingComputer: CISA warns of Fast Flux DNS evasion used by cybercrime gangs
  • The DefendOps Diaries: Understanding and Combating Fast Flux in Cybersecurity
  • bsky.app: CISA, the FBI, the NSA, and international cybersecurity agencies are calling on organizations and DNS providers to mitigate the "Fast Flux" cybercrime evasion technique used by state-sponsored threat actors and ransomware gangs.
  • www.csoonline.com: Cybersecurity agencies urge organizations to collaborate to stop fast flux DNS attacks
  • hackread.com: NSA and Global Allies Declare Fast Flux a National Security Threat
  • : National Security Agencies Warn of Fast Flux Threat Bypassing Network Defenses
  • www.itpro.com: Cybersecurity agencies have issued a stark message that too little is being done to sniff out malware hiding in corporate networks
  • Infoblox Blog: Disrupting Fast Flux with Predictive Intelligence
  • www.cybersecuritydive.com: Cybersecurity Dive on CISA FBI warn
  • Threats | CyberScoop: International intelligence agencies raise the alarm on fast flux
  • Infoblox Blog: Disrupting Fast Flux and Much More with Protective DNS
  • blogs.infoblox.com: Disrupting Fast Flux and Much More with Protective DNS
  • The Hacker News: Cybersecurity agencies from Australia, Canada, New Zealand, and the United States have published a joint advisory about the risks associated with a technique called fast flux that has been adopted by threat actors to obscure a command-and-control (C2) channel.
  • thecyberexpress.com: The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international cybersecurity partners, has issued an urgent advisory titled “Fast Flux: A National Security Threat.†The advisory highlights the growing use of fast flux techniques by cybercriminals and potentially nation-state actors to evade detection and establish highly resilient and stealthy infrastructure for malicious activities.
  • Blog: Five Eyes warn threat actors increasing use of ‘fast flux’ technique

Fogerlog@Phishing Tackle //
References: The Hacker News , , Cyber Security News ...
A new sophisticated Phishing-as-a-Service (PhaaS) platform, dubbed "Morphing Meerkat," is exploiting DNS MX records to dynamically deliver tailored phishing pages, targeting over 100 brands. This operation enables both technical and non-technical cybercriminals to launch targeted attacks, bypassing security systems through the exploitation of open redirects on adtech servers and compromised WordPress websites. The platform's primary attack vector involves mass spam delivery and dynamic content tailoring, evading traditional security measures.

Researchers have discovered that Morphing Meerkat queries DNS MX records using Cloudflare DoH or Google Public DNS to customize fake login pages based on the victim's email service provider. This technique allows the platform to map these records to corresponding phishing HTML files, featuring over 114 unique brand designs. This personalized phishing experience significantly increases the likelihood of successful credential theft. The phishing kit also uses code obfuscation and anti-analysis measures to hinder detection, supporting over a dozen languages to target users globally.

Recommended read:
References :
  • The Hacker News: Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
  • : Morphing Meerkat PhaaS Platform Spoofs 100+ Brands
  • www.scworld.com: More than 100 brands' login pages have been spoofed by the newly emergent Morphing Meerkat phishing-as-a-service platform through the exploitation of Domain Name System mail exchange records, The Hacker News reports.
  • Cyber Security News: Hackers Use DNS MX Records to Generate Fake Login Pages for Over 100+ Brands
  • The DefendOps Diaries: Morphing Meerkat: A Sophisticated Phishing-as-a-Service Threat
  • www.techradar.com: This new phishing campaign can tailor its messages to target you with your favorite businesses
  • Christoffer S.: Morphing Meerkat: Advanced Phishing-as-a-Service Platform Using DNS MX Records for Tailored Attacks
  • hackread.com: Details advanced phishing operation exploiting DNS vulnerabilities.
  • Infoblox Blog: Threat actors are increasingly adept at leveraging DNS to enhance the effectiveness of their cyber campaigns. We recently discovered a DNS technique used to tailor content to victims.
  • www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
  • Cyber Security News: A sophisticated phishing operation has emerged that creatively leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims' email providers.
  • gbhackers.com: The platform, which has been operational since at least January 2020, employs a range of advanced techniques to evade detection and target users globally.
  • securityaffairs.com: A PhaaS platform, dubbed 'Morphing Meerkat,' uses DNS MX records to spoof over 100 brands and steal credentials, according to Infoblox Threat Intel
  • www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
  • Blog: Cybersecurity researchers are tracking a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that employs DNS over HTTPS (DoH) to avoid detection.
  • : Phishing kits going to great lengths to personalise attacks
  • Malwarebytes: Infoblox researchers discovered a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that generates multiple phishing kits and spoofs login pages of over 100 brands using DNS mail exchange (MX) records.
  • securityaffairs.com: Morphing Meerkat phishing kits exploit DNS MX records
  • bsky.app: A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection.
  • Talkback Resources: Morphing Meerkat phishing kits exploit DNS MX records
  • Security Risk Advisors: 🚩Morphing Meerkat’s Phishing-as-a-Service Leverages DNS MX Records for Targeted Attacks
  • Talkback Resources: New Morphing Meerkat PhaaS platform examined
  • Virus Bulletin: An Infoblox report looks into a DNS technique used to tailor content to victims. A phishing kit developed by the Morphing Meerkat actor creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.
  • Phishing Tackle: Phishing-as-a-Service Exposed: DNS-over-HTTPS Fuels the Morphing Meerkat Attack
  • Virus Bulletin: An Infoblox report looks into a DNS technique used to tailor content to victims. A phishing kit developed by the Morphing Meerkat actor creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.

@The DefendOps Diaries //
References: CyberInsider , Sam Bent , BleepingComputer ...
Vivaldi browser has integrated Proton VPN directly into its system, offering users a seamless way to protect their data from 'Big Tech' surveillance. The integration means users can now access VPN services without the need for external downloads or plugin activations. This move signifies a commitment to enhancing user privacy and challenging the data collection practices of major tech firms. The VPN button is available directly in the toolbar to improve user experience.

Vivaldi's partnership with Proton VPN brings browser-level privacy tools to users, allowing them to encrypt all internet traffic and protect them from persistent tracking. When enabled, browsing activity is transmitted through Proton VPN's encrypted tunnels, which obfuscates the user's IP address. The integration aims to provide enhanced protection against tracking and surveillance and sets new standards in digital security.

Recommended read:
References :
  • CyberInsider: Privacy-focused browser Vivaldi has announced the direct integration of Proton VPN, offering users seamless VPN access without external downloads or plug-ins.
  • Sam Bent: Vivaldi's new partnership with Proton VPN brings browser-level privacy tools into the hands of users, but it's crucial to understand where privacy ends and anonymity begins. This move is a strong statement against Big Tech surveillance, yet the protection it offers is not a blanket solution.
  • The DefendOps Diaries: Discover how Vivaldi's integration of Proton VPN enhances browser privacy and user control, setting new standards in digital security.
  • BleepingComputer: Vivaldi has announced the integration of Proton VPN directly into its browser without requiring add-on downloads or plugin activations, allowing users to protect their data against 'Big Tech' surveillance for free.
  • bsky.app: Vivaldi has released a new version of its browser with built-in support for ProtonVPN, now available as a VPN button in the toolbar https://vivaldi.com/blog/privacy-without-compromise-proton-vpn-is-now-built-into-vivaldi/
  • BleepingComputer: Vivaldi has announced the integration of Proton VPN directly into its browser without requiring add-on downloads or plugin activations, allowing users to protect their data against 'Big Tech' surveillance for free.

Deeba Ahmed@hackread.com //
A new wave of Android malware campaigns are exploiting Microsoft’s .NET MAUI framework to target users, particularly in India and China. Cybersecurity researchers at McAfee Labs have identified these malicious applications, which disguise themselves as legitimate services like banking and social media apps, to steal sensitive user information. These fake apps, collectively codenamed FakeApp, are not distributed through official channels like Google Play, but rather through bogus links sent via messaging apps and unofficial app stores. .NET MAUI, designed as a cross-platform development framework, allows these threats to conceal malicious code, making them difficult to detect by traditional antivirus solutions.

Researchers have found that the malware's core functionalities are written entirely in C# and stored as binary large objects, evading detection methods that typically analyze DEX files or native libraries. For instance, a fraudulent banking app impersonates IndusInd Bank, targeting Indian users by prompting them to enter personal and financial details, which are then sent to the attacker's command-and-control server. Another instance involves a fake social networking service app aimed at Chinese-speaking users, employing multi-stage dynamic loading to decrypt and execute its payload in separate stages, further complicating analysis and disrupting security tools.

Recommended read:
References :
  • hackread.com: Hackers Are Using Microsoft’s .NET MAUI to Spread Android Malware
  • securityaffairs.com: Android malware campaigns use .NET MAUI to evade detection
  • The DefendOps Diaries: Understanding the Threat: How .NET MAUI is Changing Android Malware
  • thehackernews.com: Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps
  • www.infosecurity-magazine.com: New Android Malware Uses .NET MAUI to Evade Detection
  • securityonline.info: New Android Malware Campaign Uses .NET MAUI to Evade Detection
  • Security Risk Advisors: 🚩New Android Malware Campaign Exploits .NET MAUI Framework to Steal Sensitive Data
  • MSSP feed for Latest: Threat actors exploited Microsoft's .NET MAUI cross-platform development framework to craft fake apps in new Android malware campaigns.
  • Virus Bulletin: McAfee's Mobile Research Team discovered an Android malware campaign abusing .NET MAUI, a cross-platform development framework, to evade detection and remain active on devices for a long time.
  • BleepingComputer: New Android malware campaigns use Microsoft's cross-platform framework .NET MAUI while disguising as legitimate services to evade detection.
  • Security | TechRepublic: Android Malware Exploits a Microsoft-Related Security Blind Spot to Avoid Detection

@cyberalerts.io //
The FBI has issued a warning about the rising trend of cybercriminals using fake file converter tools to distribute malware. These tools, often advertised as free online document converters, are designed to trick users into downloading malicious software onto their computers. While these tools may perform the advertised file conversion, they also secretly install malware that can lead to identity theft, ransomware attacks, and the compromise of sensitive data.

The threat actors exploit various file converter or downloader tools, enticing users with promises of converting files from one format to another, such as .doc to .pdf, or combining multiple files. The malicious code, disguised as a file conversion utility, can scrape uploaded files for personal identifying information, including social security numbers, banking information, and cryptocurrency wallet addresses. The FBI advises users to be cautious of such tools and report any instances of this scam to protect their assets.

The FBI Denver Field Office is warning that they are increasingly seeing scams involving free online document converter tools and encourages victims to report any instances of this scam. Malwarebytes has identified some of these suspect file converters, which include Imageconvertors.com, convertitoremp3.it, convertisseurs-pdf.com and convertscloud.com. The agency emphasized the importance of educating individuals about these threats to prevent them from falling victim to these scams.

Recommended read:
References :
  • Talkback Resources: FBI warns of malware-laden websites posing as free file converters, leading to ransomware attacks and data theft.
  • gbhackers.com: Beware! Malware Hidden in Free Word-to-PDF Converters
  • www.bitdefender.com: Free file converter malware scam “rampantâ€� claims FBI
  • Malwarebytes: Warning over free online file converters that actually install malware
  • bsky.app: Free file converter malware scam "rampant" claims FBI.
  • bsky.app: @bushidotoken.net has dug up some IOCs for the FBI's recent warning about online file format converters being used to distribute malware
  • Help Net Security: FBI: Free file converter sites and tools deliver malware
  • www.techradar.com: Free online file converters could infect your PC with malware, FBI warns
  • bsky.app: Free file converter malware scam "rampant" claims FBI.
  • Security | TechRepublic: Scam Alert: FBI ‘Increasingly Seeing’ Malware Distributed In Document Converters
  • securityaffairs.com: The FBI warns of a significant increase in scams involving free online document converters to infect users with malware. The FBI warns that threat actors use malicious online document converters to steal users’ sensitive information and infect their systems with malware.
  • The DefendOps Diaries: FBI warns against fake file converters spreading malware and stealing data. Learn how to protect yourself from these cyber threats.
  • PCMag UK security: PSA: Be Careful Around Free File Converters, They Might Contain Malware
  • www.bleepingcomputer.com: FBI warnings are true—fake file converters do push malware
  • www.techradar.com: FBI warns some web-based file management services are not as well-intentioned as they seem.
  • www.csoonline.com: Improvements Microsoft has made to Office document security that disable macros and other embedded malware by default has forced criminals to up their innovation game, a security expert said Monday.
  • www.itpro.com: Fake file converter tools are on the rise – here’s what you need to know
  • Cyber Security News: The FBI Denver Field Office has warned sternly about the rising threat of malicious online file converter tools. These seemingly harmless services, often advertised as free tools to convert or merge files, are being weaponized by cybercriminals to install malware on users’ computers. This malware can have devastating consequences, including ransomware attacks and identity theft. […]

@itpro.com //
References: Rescana , Wiz Blog | RSS feed , Dan Goodin ...
A supply chain attack has targeted the widely used GitHub Action 'tj-actions/changed-files-action,' leading to the leakage of secrets from numerous repositories. This incident, first reported by Step Security, involved the compromise of the action, allowing attackers to inject malicious code into CI workflows. This code was designed to dump CI runner memory, potentially exposing sensitive information like API keys and passwords in public repository workflow logs. The compromised 'tj-actions/changed-files' repository and the GitHub gist hosting the malicious script have since been removed to mitigate further exploitation.

This vulnerability, assigned CVE-2025-30066, affected all versions of 'tj-actions/changed-files' as of March 15, 2025. The malicious code was introduced through a spoofed commit from the Renovate bot, enabling unauthorized access and modification of the action's code. While no external exfiltration of secrets to an attacker-controlled server has been observed, the exposure within affected repositories remains a significant risk. Impacted organizations are urged to take immediate action to mitigate the risk of credential theft and CI pipeline compromise, particularly in public repositories where secrets in workflow logs are publicly accessible.

Recommended read:
References :
  • Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
  • Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know
  • Open Source Security: tj-action/changed-files GitHub action was compromised
  • Dan Goodin: Is anyone following this breach involving the j-actions/changed-files GitHub Action? Seems pretty major, but I'm still trying to figure out exactly what's going on, who's affected, and what people (and how many) are affected. If you can help me get up to speed please DM me on Signal -- DanArs.82, or on Mastodon
  • securityonline.info: Popular GitHub Action “tj-actions/changed-filesâ€� Compromised (CVE-2025-30066)
  • Risky Business Media: Risky Bulletin: GitHub supply chain attack leaks secrets
  • www.itpro.com: Organizations urged to act fast after GitHub Action supply chain attack
  • : Tj-actions Supply Chain Attack Exposes 23,000 Organizations
  • Latio Pulse: Understanding and Re-Creating the tj-actions/changed-files Supply Chain Attack discusses the tj-actions/changed-files supply chain attack.
  • The Register - Security: GitHub supply chain attack spills secrets from 23,000 projects
  • BleepingComputer: Supply chain attack on popular GitHub Action exposes CI/CD secrets
  • www.cybersecuritydive.com: Supply chain attack against GitHub Action triggers massive exposure of secrets
  • Metacurity: A GitHub Action used in 23,000 repos was compromised in a supply chain attack
  • gbhackers.com: Supply Chain Attack Targets 23,000 GitHub Repositories
  • hackread.com: Malicious Code Hits ‘tj-actions/changed-files’ in 23,000 GitHub Repos
  • www.infoworld.com: Thousands of open source projects at risk from hack of GitHub Actions tool
  • bsky.app: Bsky Social - A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.
  • Wiz Blog | RSS feed: New GitHub Action supply chain attack: reviewdog/action-setup
  • unit42.paloaltonetworks.com: Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files
  • Legit Security Blog: Github Actions tj-actions/changed-files Attack
  • Security Risk Advisors: TB2025318 – GitHub Action “tj-actions/changed-filesâ€� Compromised to Leak Secrets for Repositories Using the CI/CD Workflow
  • securityaffairs.com: GitHub Action tj-actions/changed-files was compromised in supply chain attack
  • bsky.app: A cascading supply chain attack that began with the compromise of the "reviewdog/action-setup@v1" GitHub Action is believed to have led to the recent breach of "tj-actions/changed-files" that leaked CI/CD secrets.
  • blog.gitguardian.com: Compromised tj-actions/changed-files GitHub Action: A look at publicly leaked secrets
  • Kaspersky official blog: Supply chain attack via GitHub Action | Kaspersky official blog
  • Risky Business Media: Risky Business #784 -- GitHub supply chain attack steals secrets from 23k projects
  • thecyberexpress.com: CISA Warns of Exploited GitHub Action CVE-2025-30066 – Users Urged to Patch
  • The DefendOps Diaries: Understanding the GitHub Action Supply Chain Attack
  • Sam Bent: GitHub Action Vulnerability: Supply Chain Attack Exposes Limited Secrets, Raises Broader Concerns
  • Schneier on Security: Critical GitHub Attack
  • Aembit: GitHub Action tjactions/changed-files Supply Chain Breach Exposes NHI Risks in CI/CD
  • www.cybersecurity-insiders.com: GitHub Supply Chain Attack Raises Awareness Across The Cybersecurity Community
  • tl;dr sec: [tl;dr sec] #271 - Threat Modeling (+ AI), Backdoored GitHub Actions, Compromising a Threat Actor's Telegram

Sunny Yadav@eSecurity Planet //
Cybersecurity experts are warning of a coordinated surge in Server-Side Request Forgery (SSRF) exploitation attempts across multiple platforms. Threat intelligence firm GreyNoise reported on March 9, 2025, that approximately 400 unique IP addresses were actively involved in exploiting multiple SSRF vulnerabilities simultaneously. These attacks span several countries, including the United States, Germany, Singapore, India, Japan, and Lithuania, targeting critical systems in cloud environments and enterprise infrastructures.

This alarming trend highlights the persistent risks organizations face from evolving attack methods. The SSRF vulnerabilities being exploited include critical flaws in widely used software platforms like Zimbra Collaboration Suite (CVE-2020-7796), VMware products (CVE-2021-21973 and CVE-2021-22054), and multiple CVEs in GitLab's CE/EE versions, along with targets in DotNetNuke and Ivanti Connect Secure. GreyNoise also observed Grafana path traversal attempts preceding the SSRF surge, indicating attackers may be using Grafana as a foothold for deeper exploitation.

Defenders should identify and disrupt early-stage activity by monitoring for reconnaissance behaviors, such as path traversal attempts, which may provide early warning signs before full-scale exploitation occurs. Organizations should act now to patch vulnerable systems, restrict access where possible, and monitor for unexpected outbound requests that could indicate SSRF exploitation. The attacks reflect a shift from opportunistic scanning to more deliberate, coordinated campaigns that aim to breach internal systems and extract valuable data.

Recommended read:
References :
  • securityaffairs.com: Experts warn of a coordinated surge in the exploitation attempts of SSRF vulnerabilities
  • eSecurity Planet: SSRF Exploitation Surge Highlights Evolving Cyberthreats
  • The GreyNoise Blog: Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack
  • GreyNoise: řŸš¨ 400+ Malicious IPs Targeting SSRF Vulnerabilities. We have detected a coordinated surge in SSRF exploitation, with attackers systematically targeting multiple CVEs across different platforms.
  • Security Risk Advisors: Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack

@zdnet.com //
Federal cybersecurity agencies, including the FBI and CISA, have issued an urgent advisory regarding the escalating threat of Medusa ransomware. Since its emergence in 2021, Medusa has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. The group's activities have accelerated in recent months, prompting immediate action recommendations for organizations. Medusa operates as a Ransomware-as-a-Service (RaaS) model, now recruiting affiliates from criminal forums to launch attacks, encrypt data, and extort victims worldwide.

Medusa actors leverage common ransomware tactics, including phishing campaigns and exploiting unpatched software vulnerabilities. They employ a double extortion strategy by encrypting victim data and threatening to publicly release it if the ransom is not paid. To mitigate the risk, CISA and the FBI recommend organizations update systems regularly to close known vulnerabilities, implement network segmentation to restrict lateral movement, and enable multi-factor authentication for all services. They also urge organizations to report incidents promptly to aid in tracking and combating the growing threat.

Recommended read:
References :
  • bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
  • www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
  • securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
  • DataBreaches.Net: #StopRansomware: Medusa Ransomware
  • Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
  • securityaffairs.com: SecurityAffairs article: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
  • www.cybersecuritydive.com: Medusa ransomware slams critical infrastructure organizations
  • www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
  • www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
  • : FBI and CISA Warn of Medusa Ransomware Impacting Critical Infrastructure
  • bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
  • The DefendOps Diaries: Explore the impact of Medusa ransomware on critical infrastructure and learn strategies to enhance cybersecurity defenses.
  • www.scworld.com: Medusa ransomware, a ransomware-as-a-service group, has increased attacks targeting critical infrastructure, potentially preparing for geopolitical conflicts. Recent attacks indicate a 150% increase in this activity.
  • Tenable Blog: Tenable article: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
  • SOC Prime Blog: SOC Prime blog: Medusa Ransomware Attacks Covered in AA25-071A Detection
  • be4sec: Medusa Ransomware is Targeting Critical Infrastructure
  • be4sec: This advisory summarizes the key activities of prominent ransomware groups in January 2025, highlighting a significant increase in Medusa attacks.
  • aboutdfir.com: Medusa ransomware group has been actively targeting critical infrastructure organizations, employing a double extortion tactic.
  • www.techradar.com: US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
  • cyble.com: The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a well-timed advisory on the Medusa ransomware group last week, as Cyble has detected an acceleration in the group’s activities in recent months.
  • Email Security - Blog: Medusa Ransomware: Multi-Industry Threat on the Rise
  • techxplore.com: Cybersecurity officials warn against potentially costly Medusa ransomware attacks
  • Security | TechRepublic: Medusa Ransomware Strikes 300+ Targets: FBI & CISA Urge Immediate Action to #StopRansomware
  • eSecurity Planet: Medusa Ransomware Warning: CISA and FBI Issue Urgent Advisory
  • Blue Team Con: CISA and the FBI warn about Medusa ransomware, urging organizations to update security, enable MFA, and report incidents to mitigate the growing threat.
  • thecyberexpress.com: Medusa Ransomware Surge: 60 Victims in 3 Months—Are You Next?
  • www.zdnet.com: How to guard against a vicious Medusa ransomware attack - before it's too late
  • www.cysecurity.news: The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware.
  • Sam Bent: Cybercriminal Group Medusa Targets Critical Infrastructure Sectors A sophisticated cybercriminal group known as Medusa has been targeting many critical infrastructure sectors in the United States.
  • The Hacker News: Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
  • www.cybersecuritydive.com: Medusa ransomware using malicious driver as EDR killer

Dhara Shrivastava@cysecurity.news //
February witnessed a record-breaking surge in ransomware attacks, fueled by the prolific activity of groups like CL0P, known for exploiting MFT vulnerabilities. The ransomware landscape is also seeing significant activity from groups like Akira and RansomHub.

Recent analysis reveals a notable development with the Black Basta and CACTUS ransomware groups, uncovering a shared BackConnect module. This module, internally tracked as QBACKCONNECT, provides extensive remote control capabilities, including executing commands and exfiltrating sensitive data. The Qilin ransomware group has also claimed responsibility for attacks on the Utsunomiya Central Clinic (UCC), a cancer treatment center in Japan, and Rockhill Women's Care, a gynecology facility in Kansas City, stealing and leaking sensitive patient data.

Recommended read:
References :
  • cyble.com: February Sees Record-Breaking Ransomware Attacks, New Data Shows
  • The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
  • iHLS: Ransomware Group Targets Cancer Clinic, Exposes Sensitive Health Data
  • securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
  • thecyberexpress.com: Ransomware attacks set a single-month record in February that was well above previous highs.
  • The DefendOps Diaries: Akira Ransomware: Unsecured Webcams and IoT Vulnerabilities
  • blog.knowbe4.com: A new report from Arctic Wolf has found that 96% of attacks now involve data theft as criminals seek to force victims to pay up.
  • DataBreaches.Net: The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim's network.

@World - CBSNews.com //
References: bsky.app , CyberInsider , bsky.app ...
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon, members of the APT27 group (also known as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers from China's Ministry of Public Security. These indictments shed light on the hacking tools and methods allegedly employed in a global hacking scandal. The Justice Department stated that the Ministry of State Security (MSS) and Ministry of Public Security (MPS) utilized an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere.

The U.S. DoJ charges these individuals with data theft and suppressing dissent worldwide. i-Soon, identified as one of the private companies involved, allegedly provided tools and methods to customers and hacked for the PRC (People's Republic of China). These actions highlight a significant cybersecurity concern involving state-sponsored actors and their use of private firms to conduct cyber espionage.

Recommended read:
References :
  • bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
  • CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
  • The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
  • bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
  • The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
  • The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
  • DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
  • bsky.app: The US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
  • cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
  • Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
  • Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
  • Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
  • BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
  • hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
  • Risky Business Media: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again,authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
  • Security | TechRepublic: The article discusses the charges against Chinese hackers for their role in a global cyberespionage campaign.
  • techxplore.com: US indicts 12 Chinese nationals in hacking
  • : US Charges Members of Chinese Hacker-for-Hire Group i-Soon
  • Matthias Schulze: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem
  • Blog: FieldEffect blog post about U.S. indicts 12 Chinese nationals for cyber espionage.
  • blog.knowbe4.com: U.S. Justice Department Charges China’s Hackers-for-Hire Working IT Contractor i-Soon
  • Talkback Resources: The article details the indictment of 12 Chinese individuals for hacking activities.
  • Schneier on Security: The article discusses the indictment of Chinese hackers for their involvement in global hacking activities.