@gbhackers.com
//
Cybersecurity experts have identified a significant evolution in the tactics employed by the SLOW#TEMPEST malware group, which is now utilizing advanced obfuscation techniques to bypass detection systems. This latest variant is distributed as an ISO file containing both malicious and seemingly benign files, a common strategy to evade initial scanning. The malware employs DLL sideloading, a technique where a legitimate, signed executable like DingTalk.exe is tricked into loading a malicious DLL, zlibwapi.dll. This loader DLL then decrypts and executes a payload appended to another DLL, ipc_core.dll, creating a multi-stage attack that complicates analysis and detection.
At the core of SLOW#TEMPEST's enhanced evasion are sophisticated obfuscation methods designed to thwart both static and dynamic analysis. The malware utilizes control flow graph (CFG) obfuscation through dynamic jumps, where the target addresses of instructions like JMP RAX are computed at runtime based on system states and CPU flags. This unpredictability renders traditional analysis tools ineffective. Additionally, function calls are heavily obfuscated, with addresses dynamically resolved at runtime, masking the malware's true intentions and obscuring calls to crucial Windows APIs. Researchers have countered these tactics by employing CPU emulation frameworks like Unicorn to isolate and execute dispatcher routines, thereby revealing the dynamic jump destinations and restoring a more comprehensible program flow. Palo Alto Networks researchers have delved into these advanced obfuscation techniques, highlighting methods and code that can be used to detect and defeat them. Their analysis reveals that the malware authors are actively manipulating execution paths and obscuring function calls to make their malicious code as difficult to analyze as possible. The campaign's use of dynamic jumps and obfuscated function calls forces security practitioners to adopt advanced emulation and scripting to dissect the malware's operations effectively. Understanding and counteracting these evolving tactics is crucial for developing robust detection rules and strengthening defenses against increasingly sophisticated cyber threats. Palo Alto Networks customers are reportedly better protected against these threats through products like Advanced WildFire, Cortex XDR, and XSIAM. Recommended read:
References :
Graham Cluley@Blog RSS Feed
//
The Qilin ransomware group is introducing a new tactic to pressure victims into paying larger ransoms. They are now offering a "Call Lawyer" button within their affiliate panel, providing legal counsel to cybercriminals attempting to extort money. This feature aims to give affiliates an edge in ransom negotiations by providing them with on-call legal support. Qilin believes that the presence of a lawyer in communication with victims will increase the likelihood of a successful ransom payment due to the potential legal ramifications and associated costs for the victim company.
Qilin's legal assistance service offers several advantages for its affiliates, including legal assessments of stolen data, classification of legal violations, and evaluation of potential damages. It also provides guidance on how to inflict maximum economic damage on a victim company if they refuse to pay the ransom. This addition is part of Qilin's effort to position itself as a full-service cybercrime platform, offering extensive support options and robust solutions for highly targeted ransomware attacks. This development indicates a shift in the cybercrime landscape, with ransomware groups like Qilin attempting to mimic legitimate business tactics to increase their success rates. Qilin has become a prominent player in the ransomware-as-a-service (RaaS) market, attracting affiliates from other groups and leading in the number of victims targeted in recent months. The group's mature ecosystem, advanced evasion features, and comprehensive operational features position it as a significant threat in the cybercrime world. Recommended read:
References :
@www.helpnetsecurity.com
//
The National Institute of Standards and Technology (NIST) has released a new guide, SP 1800-35, titled "Implementing a Zero Trust Architecture," aimed at providing practical assistance in building zero trust architectures (ZTA). This guidance includes 19 example setups that utilize commercially available, off-the-shelf tools. The initiative is a result of work conducted by NIST’s National Cybersecurity Center of Excellence (NCCoE).
Over the course of four years, NIST collaborated with 24 industry partners, including major tech companies, to build, install, test, and document the 19 ZTA models. These models illustrate various real-world scenarios such as hybrid cloud setups, branch offices, and even public Wi-Fi use in coffee shops. Each model provides technical details on deployment, sample configurations, integration steps, test results, and best practices derived from real-world experiences. The guide also maps these setups onto NIST's broader cybersecurity framework (CSF), SP 800-53 controls, and critical software measures. The rise in popularity of zero trust architectures comes as traditional on-prem security perimeters weaken due to the increasing adoption of cloud services, mobile devices, remote employees, and IoT devices. The new NIST guidance builds on its earlier zero trust framework, SP 800-207, by providing more hands-on implementation advice. According to Brian Soby, CTO at AppOmni, one of the main challenges in real-world zero trust implementations is the existence of multiple policy decision and policy enforcement points, which are often left out of many zero trust plans, potentially leaving doors open for attackers. This new guidance recognizes the reality of multiple PDP/PEPs and operationalizes the concept of Policy Information Points, enhancing decision-making within the architecture by adapting to changing context and user behaviors. Recommended read:
References :
Threat Hunter@Broadcom Software Blogs
//
The Fog ransomware gang is employing increasingly sophisticated tactics, including the use of legitimate employee monitoring software in their attacks. A recent Symantec report reveals that Fog leveraged Syteca, a security solution designed for on-screen activity recording and keystroke monitoring, alongside open-source pen-testing tools. This unusual approach was observed during a May 2025 attack on a financial institution in Asia, marking a significant shift in the gang's methods. The threat actors even utilized PsExec and SMBExec to execute the Syteca client on remote systems, highlighting their advanced understanding of system administration tools.
Researchers noted that the use of legitimate software like Syteca makes detection more challenging. However, specific event types, such as process creation events with "syteca" as the process file product name, can be used for threat hunting. The attackers also deployed several open-source pentesting tools, including GC2, Adaptix, and Stowaway, which are not commonly used during ransomware attacks. This combination of legitimate and malicious tools allows the attackers to blend in with normal network activity, making their actions harder to detect. This incident indicates a multi-stage attack where the threat actors were present on the target's network for approximately two weeks before deploying the ransomware. What is also unusual is that after the initial ransomware deployment, the attackers established a service to maintain persistence on the network. This behavior contrasts with typical ransomware attacks, where malicious activity ceases after data exfiltration and ransomware deployment. The shift suggests a desire to maintain long-term access to the compromised network. The initial infection vector is unknown, but two of the infected machines were Exchange Servers. Recommended read:
References :
Matt Burgess,@WIRED
//
References:
arstechnica.com
, WIRED
German law enforcement has identified the alleged leader of the Trickbot and Conti cybercriminal groups, known online as "Stern," as Vitaly Nikolaevich Kovalev, a 36-year-old Russian national. The Bundeskriminalamt (BKA), Germany’s federal police agency, and local prosecutors made the announcement, alleging Kovalev is the "ringleader" of a "criminal organization." An Interpol red notice has been issued for Kovalev, who is believed to be in Russia, potentially shielding him from extradition. For years, Stern’s true identity remained a mystery despite law enforcement disruptions and leaks of internal chat messages from both Trickbot and Conti.
The Trickbot group, comprised of approximately 100 cybercriminals, has unleashed a relentless hacking spree on the world for years, attacking thousands of victims, including businesses, schools, and hospitals, orchestrating attacks under the direction of Stern. The group is believed to have stolen hundreds of millions of dollars over roughly six years. A mysterious leaker known as GangExposed initially outed Stern’s identity as Kovalev before the German police confirmed the information. Alexander Leslie, a threat intelligence analyst at Recorded Future, stated that Stern’s naming is a significant event that bridges gaps in our understanding of Trickbot, one of the most notorious transnational cybercriminal groups to ever exist. Leslie added that as Trickbot's ‘big boss’ and one of the most noteworthy figures in the Russian cybercriminal underground, Stern remained an elusive character, and his real name was taboo for years. It has long been speculated that global law enforcement may have strategically withheld Stern’s identity as part of ongoing investigations. Recommended read:
References :
@www.microsoft.com
//
References:
www.microsoft.com
, PPC Land
,
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.
As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents. To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots. Recommended read:
References :
@cyble.com
//
References:
securityaffairs.com
, ciso2ciso.com
,
A China-linked Advanced Persistent Threat (APT) group, known as UNC5221, has been actively exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software. Researchers from EclecticIQ have observed this group chaining two specific flaws, identified as CVE-2025-4427 and CVE-2025-4428, to target organizations across Europe, North America, and the Asia-Pacific region. These vulnerabilities allow for unauthenticated remote code execution, potentially granting the attackers deep access to compromised systems.
The targeted sectors include critical infrastructure such as telecommunications, healthcare, government, defense, finance, and aviation. The exploitation of these flaws began shortly after their disclosure, highlighting the speed at which UNC5221 moved to take advantage of the vulnerabilities. CISA has added the Ivanti EPMM flaw, among others, to its Known Exploited Vulnerabilities catalog, emphasizing the severity of the risk and urging organizations to apply necessary patches. The attacks facilitate further intrusion and data exfiltration, potentially leading to significant breaches and compromise of sensitive information. This campaign underscores the ongoing threat posed by state-sponsored cyberespionage and the importance of proactive security measures to defend against such attacks. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A new cybersecurity threat, dubbed Hazy Hawk, has emerged, exploiting misconfigured DNS records to hijack abandoned cloud resources. Since at least December 2023, the threat actor has been using DNS CNAME hijacking to seize control of abandoned cloud endpoints belonging to reputable organizations, including Amazon S3 buckets and Microsoft Azure endpoints. By registering new cloud resources with the same names as the abandoned ones, Hazy Hawk redirects traffic to malicious sites, incorporating these hijacked domains into large-scale scam delivery and traffic distribution systems (TDS). This allows them to distribute scams, fake applications, and malware to unsuspecting users, leveraging the trust associated with the original domains.
Infoblox researchers first detected Hazy Hawk's activities in February 2025, when the group successfully took control of subdomains belonging to the U.S. Centers for Disease Control (CDC). Further investigation revealed that global government agencies, major universities, and international corporations such as Deloitte and PricewaterhouseCoopers have also been targeted. Hazy Hawk scans for domains with CNAME records pointing to abandoned cloud endpoints, determining this through passive DNS data validation. They then register a new cloud resource with the same name, causing the original domain's subdomain to resolve to the attacker's controlled resource. The attack chains often involve cloning legitimate websites to appear trustworthy, and URL obfuscation techniques are employed to hide malicious destinations. Hazy Hawk uses hijacked domains to host malicious URLs that redirect users to scams and malware. What makes Hazy Hawk's operations particularly concerning is the use of trusted domains to serve malicious content, enabling them to bypass detection and exploit the reputation of high-profile entities. Cybersecurity experts advise organizations to diligently monitor and manage their DNS records, ensuring that CNAME records pointing to abandoned cloud resources are removed to prevent unauthorized domain hijacking. Recommended read:
References :
@securityonline.info
//
The Play ransomware gang has been actively exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824. This high-severity flaw allows attackers to gain SYSTEM privileges on compromised systems, enabling them to deploy malware and carry out other malicious activities. The vulnerability was patched by Microsoft in April 2025; however, it was actively exploited in targeted attacks across various sectors before the patch was released.
The Play ransomware gang's attack methodology is sophisticated, employing custom tools and techniques such as dual extortion. A key tool used is the Grixba infostealer, which scans networks and steals information. In addition to the Grixba infostealer, the group uses a payload injection technique where a malicious payload is injected into the winlogon.exe process. This allows them to inject the Sysinternals procdump.exe tool into various processes for malicious purposes. The Symantec Threat Hunter Team identified this zero-day vulnerability being actively exploited, including an attack targeting an unnamed organization in the United States. The attackers likely used a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point. During the execution of the exploit, batch files are created to escalate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, create a new user, and clean up traces of exploitation. The exploitation of CVE-2025-29824 highlights the trend of ransomware actors using zero-days to infiltrate targets, underscoring the importance of prompt patching and robust security measures. Recommended read:
References :
|