CyberSecurity news

FlagThis - #organizations

@gbhackers.com //
Cybersecurity experts have identified a significant evolution in the tactics employed by the SLOW#TEMPEST malware group, which is now utilizing advanced obfuscation techniques to bypass detection systems. This latest variant is distributed as an ISO file containing both malicious and seemingly benign files, a common strategy to evade initial scanning. The malware employs DLL sideloading, a technique where a legitimate, signed executable like DingTalk.exe is tricked into loading a malicious DLL, zlibwapi.dll. This loader DLL then decrypts and executes a payload appended to another DLL, ipc_core.dll, creating a multi-stage attack that complicates analysis and detection.

At the core of SLOW#TEMPEST's enhanced evasion are sophisticated obfuscation methods designed to thwart both static and dynamic analysis. The malware utilizes control flow graph (CFG) obfuscation through dynamic jumps, where the target addresses of instructions like JMP RAX are computed at runtime based on system states and CPU flags. This unpredictability renders traditional analysis tools ineffective. Additionally, function calls are heavily obfuscated, with addresses dynamically resolved at runtime, masking the malware's true intentions and obscuring calls to crucial Windows APIs. Researchers have countered these tactics by employing CPU emulation frameworks like Unicorn to isolate and execute dispatcher routines, thereby revealing the dynamic jump destinations and restoring a more comprehensible program flow.

Palo Alto Networks researchers have delved into these advanced obfuscation techniques, highlighting methods and code that can be used to detect and defeat them. Their analysis reveals that the malware authors are actively manipulating execution paths and obscuring function calls to make their malicious code as difficult to analyze as possible. The campaign's use of dynamic jumps and obfuscated function calls forces security practitioners to adopt advanced emulation and scripting to dissect the malware's operations effectively. Understanding and counteracting these evolving tactics is crucial for developing robust detection rules and strengthening defenses against increasingly sophisticated cyber threats. Palo Alto Networks customers are reportedly better protected against these threats through products like Advanced WildFire, Cortex XDR, and XSIAM.

References:
  • unit42.paloaltonetworks.com: Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
  • Cyber Security News: SLOW#TEMPEST Employs Advanced Evasion Techniques to Evade Detection
  • gbhackers.com: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • cyberpress.org: SLOW#TEMPEST Employs Advanced Evasion Techniques to Evade Detection
  • malware.news: Malware News: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • Virus Bulletin: Palo Alto Networks researchers explore the obfuscation techniques employed by the malware authors in the SLOW#TEMPEST campaign and highlight methods and code that can be used to detect and defeat these techniques.

Graham Cluley@Blog RSS Feed //
The Qilin ransomware group is introducing a new tactic to pressure victims into paying larger ransoms. They are now offering a "Call Lawyer" button within their affiliate panel, providing legal counsel to cybercriminals attempting to extort money. This feature aims to give affiliates an edge in ransom negotiations by providing them with on-call legal support. Qilin believes that the presence of a lawyer in communication with victims will increase the likelihood of a successful ransom payment due to the potential legal ramifications and associated costs for the victim company.

Qilin's legal assistance service offers several advantages for its affiliates, including legal assessments of stolen data, classification of legal violations, and evaluation of potential damages. It also provides guidance on how to inflict maximum economic damage on a victim company if they refuse to pay the ransom. This addition is part of Qilin's effort to position itself as a full-service cybercrime platform, offering extensive support options and robust solutions for highly targeted ransomware attacks.

This development indicates a shift in the cybercrime landscape, with ransomware groups like Qilin attempting to mimic legitimate business tactics to increase their success rates. Qilin has become a prominent player in the ransomware-as-a-service (RaaS) market, attracting affiliates from other groups and leading in the number of victims targeted in recent months. The group's mature ecosystem, advanced evasion features, and comprehensive operational features position it as a significant threat in the cybercrime world.

References:
  • securityonline.info: Ransomware gang Qilin Rises Amid Collapse of Major Gangs Like RansomHub and LockBit
  • The Hacker News: Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms
  • www.tripwire.com: Qilin offers “Call a lawyer” button for affiliates attempting to extort ransoms from victims who won’t pay
  • DataBreaches.Net: Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay
  • bsky.app: The Qilin ransomware-as-a-service operation is now offering their affiliates a “Call a Lawyer” button. Yes, really.
  • securityaffairs.com: Qilin ransomware gang now offers a “Call Lawyer†feature to pressure victims
  • Security Risk Advisors: Qilin Ransomware Emerges as Leading Global Threat Through Rust-Based Encryption and VMware ESXi Targeting
  • www.redpacketsecurity.com: [QILIN] – Ransomware Victim: Estes Forwarding Worldwide NOTE: No files or stolen information are...

@www.helpnetsecurity.com //
The National Institute of Standards and Technology (NIST) has released a new guide, SP 1800-35, titled "Implementing a Zero Trust Architecture," aimed at providing practical assistance in building zero trust architectures (ZTA). This guidance includes 19 example setups that utilize commercially available, off-the-shelf tools. The initiative is a result of work conducted by NIST’s National Cybersecurity Center of Excellence (NCCoE).

Over the course of four years, NIST collaborated with 24 industry partners, including major tech companies, to build, install, test, and document the 19 ZTA models. These models illustrate various real-world scenarios such as hybrid cloud setups, branch offices, and even public Wi-Fi use in coffee shops. Each model provides technical details on deployment, sample configurations, integration steps, test results, and best practices derived from real-world experiences. The guide also maps these setups onto NIST's broader cybersecurity framework (CSF), SP 800-53 controls, and critical software measures.

The rise in popularity of zero trust architectures comes as traditional on-prem security perimeters weaken due to the increasing adoption of cloud services, mobile devices, remote employees, and IoT devices. The new NIST guidance builds on its earlier zero trust framework, SP 800-207, by providing more hands-on implementation advice. According to Brian Soby, CTO at AppOmni, one of the main challenges in real-world zero trust implementations is the existence of multiple policy decision and policy enforcement points, which are often left out of many zero trust plans, potentially leaving doors open for attackers. This new guidance recognizes the reality of multiple PDP/PEPs and operationalizes the concept of Policy Information Points, enhancing decision-making within the architecture by adapting to changing context and user behaviors.

References:
  • Help Net Security: 19 ways to build zero trust: NIST offers practical implementation guide
  • Tenable Blog: Cybersecurity Snapshot: NIST Offers Zero Trust Implementation Advice, While OpenAI Shares ChatGPT Misuse Incidents
  • cyberpress.org: New NIST Guide Outlines 19 Approaches to Zero Trust Architecture
  • AppOmni: 19 ways to build zero trust: NIST offers practical implementation guide
  • www.helpnetsecurity.com: 19 ways to build zero trust: NIST offers practical implementation guide

Threat Hunter@Broadcom Software Blogs //
The Fog ransomware gang is employing increasingly sophisticated tactics, including the use of legitimate employee monitoring software in their attacks. A recent Symantec report reveals that Fog leveraged Syteca, a security solution designed for on-screen activity recording and keystroke monitoring, alongside open-source pen-testing tools. This unusual approach was observed during a May 2025 attack on a financial institution in Asia, marking a significant shift in the gang's methods. The threat actors even utilized PsExec and SMBExec to execute the Syteca client on remote systems, highlighting their advanced understanding of system administration tools.

Researchers noted that the use of legitimate software like Syteca makes detection more challenging. However, specific event types, such as process creation events with "syteca" as the process file product name, can be used for threat hunting. The attackers also deployed several open-source pentesting tools, including GC2, Adaptix, and Stowaway, which are not commonly used during ransomware attacks. This combination of legitimate and malicious tools allows the attackers to blend in with normal network activity, making their actions harder to detect.

This incident indicates a multi-stage attack where the threat actors were present on the target's network for approximately two weeks before deploying the ransomware. What is also unusual is that after the initial ransomware deployment, the attackers established a service to maintain persistence on the network. This behavior contrasts with typical ransomware attacks, where malicious activity ceases after data exfiltration and ransomware deployment. The shift suggests a desire to maintain long-term access to the compromised network. The initial infection vector is unknown, but two of the infected machines were Exchange Servers.
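The hunting hint above (process creation events whose product name is "syteca", launched through PsExec or SMBExec) can be turned into a small query over exported events. This is an added example, not Symantec's detection logic; it assumes Sysmon Event ID 1 records exported as JSON, and the parent-image heuristics and the sample events are constructed for illustration.

```python
"""Hunt for Syteca client executions, weighting those spawned by remote-execution tooling.

Added example (not Symantec's). Input is a list of Sysmon Event ID 1 records
as dicts. A hit is any process whose Product field names Syteca; severity is
raised when the parent is the PsExec service (PSEXESVC.exe) or the Service
Control Manager (services.exe), which is how PsExec/SMBExec-style remote
execution lands a child process on the target. Parent names are an assumption
for this example; tune them to your environment.
"""
import json
from dataclasses import dataclass

# Assumed indicators of remote execution; adjust per environment.
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "services.exe"}


@dataclass
class Hit:
    host: str
    image: str
    parent: str
    severity: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_syteca(events):
    """Return Hit objects for process-creation events whose Product mentions Syteca."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:          # only process creation
            continue
        product = (ev.get("Product") or "").lower()
        if "syteca" not in product:
            continue
        parent = _basename(ev.get("ParentImage", ""))
        severity = "high" if parent in REMOTE_EXEC_PARENTS else "medium"
        hits.append(Hit(ev.get("Computer", "?"), ev.get("Image", ""), parent, severity))
    return hits


def load_events(text: str):
    return json.loads(text)


# Constructed sample export: one PsExec-launched client, one interactive
# install by an administrator, one unrelated PsExec child, one non-process event.
SAMPLE_EVENTS_JSON = r'''
[
 {"EventID": 1, "Computer": "FIN-WS-07", "Product": "Syteca",
  "Image": "C:\\Windows\\Temp\\SytecaClient.exe",
  "ParentImage": "C:\\Windows\\PSEXESVC.exe", "User": "CORP\\svc-backup"},
 {"EventID": 1, "Computer": "IT-ADMIN-01", "Product": "Syteca",
  "Image": "C:\\Program Files\\Syteca\\SytecaClient.exe",
  "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"},
 {"EventID": 1, "Computer": "FIN-WS-07", "Product": "Microsoft Windows",
  "Image": "C:\\Windows\\System32\\cmd.exe",
  "ParentImage": "C:\\Windows\\PSEXESVC.exe", "User": "CORP\\svc-backup"},
 {"EventID": 3, "Computer": "FIN-WS-07", "Product": "Syteca",
  "Image": "C:\\Windows\\Temp\\SytecaClient.exe", "DestinationIp": "203.0.113.5"}
]
'''


def sample_hits():
    return hunt_syteca(load_events(SAMPLE_EVENTS_JSON))


if __name__ == "__main__":
    for h in sample_hits():
        print(f"[{h.severity}] {h.host}: {h.image} (parent {h.parent})")
```

Feed the output of your SIEM's JSON export in place of the constructed sample; the medium-severity hit shows why product name alone is noisy on hosts where Syteca is legitimately installed.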

References:
  • @VMblog: Specific details about the unconventional toolset used in the attack and the potential motives behind it.
  • BleepingComputer: Fog ransomware attack uses unusual mix of legitimate and open-source tools
  • SecureWorld News: Fog Ransomware Exploits Legitimate Monitoring Software in Sophisticated Attacks
  • Broadcom Software Blogs: Fog Ransomware: Unusual Toolset Used in Recent Attack
  • www.csoonline.com: multiple legitimate, unusual tools were used in a Fog ransomware attack, including one employed by Chinese hacking group APT41.
  • Know Your Adversary: Threat actors are always adding new tools to their arsenal. This Symantec on Fog Ransomware proves it one more time. Among other uncommon tools, the adversary leveraged Syteca - a legitimate security solution, which enables recording on-screen activity, keystroke monitoring, etc.
  • www.scworld.com: Fog ransomware uses legit monitoring software, open-source tools
  • securityonline.info: SecurityOnline: Ransomware or Espionage? Fog Ransomware Attack in Asia Raises Suspicion with Rare Toolset
  • www.techradar.com: Fog ransomware attacks use employee monitoring tool to break into business networks
  • www.sentinelone.com: Interpol disrupts major infostealer operation, Fog ransomware abuses pentesting tools, and zero-click AI flaw in MS 365 Copilot exposes data.
  • ciso2ciso.com: Unusual toolset used in recent Fog Ransomware attack – Source: securityaffairs.com
  • Jon Greig: A cyberattack on a financial institution in Asia last month featuring the Fog ransomware caused concern because the attackers tried to maintain access after the incident and used employee monitoring tools during the attack
  • therecord.media: A cyberattack on a financial institution in Asia last month featuring the Fog ransomware caused concern because the attackers tried to maintain access after the incident and used employee monitoring tools during the attack
  • aboutdfir.com: Fog ransomware attacks use employee monitoring tool to break into business networks. Fog ransomware operators have expanded their arsenal to include legitimate and open source tools.
  • securityaffairs.com: Unusual toolset used in recent Fog Ransomware attack

Matt Burgess,@WIRED //
German law enforcement has identified the alleged leader of the Trickbot and Conti cybercriminal groups, known online as "Stern," as Vitaly Nikolaevich Kovalev, a 36-year-old Russian national. The Bundeskriminalamt (BKA), Germany’s federal police agency, and local prosecutors made the announcement, alleging Kovalev is the "ringleader" of a "criminal organization." An Interpol red notice has been issued for Kovalev, who is believed to be in Russia, potentially shielding him from extradition. For years, Stern’s true identity remained a mystery despite law enforcement disruptions and leaks of internal chat messages from both Trickbot and Conti.

The Trickbot group, made up of approximately 100 cybercriminals, has unleashed a relentless hacking spree on the world for years, attacking thousands of victims, including businesses, schools, and hospitals, orchestrating attacks under the direction of Stern. The group is believed to have stolen hundreds of millions of dollars over roughly six years. A mysterious leaker known as GangExposed initially outed Stern’s identity as Kovalev before the German police confirmed the information.

Alexander Leslie, a threat intelligence analyst at Recorded Future, stated that Stern’s naming is a significant event that bridges gaps in our understanding of Trickbot, one of the most notorious transnational cybercriminal groups to ever exist. Leslie added that as Trickbot's ‘big boss’ and one of the most noteworthy figures in the Russian cybercriminal underground, Stern remained an elusive character, and his real name was taboo for years. It has long been speculated that global law enforcement may have strategically withheld Stern’s identity as part of ongoing investigations.

References:
  • arstechnica.com: German police say they’ve identified Trickbot ransomware kingpin
  • WIRED: Cops in Germany Claim They’ve ID’d the Mysterious Trickbot Ransomware Kingpin

@www.microsoft.com //
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.

As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents.

To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots.

References:
  • www.microsoft.com: How to deploy AI safely
  • PPC Land: Microsoft debuts free AI video generation tool powered by OpenAI's Sora, rolling out globally on mobile devices today.
  • www.microsoft.com: Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies to help security professionals connect insights faster.

@cyble.com //
A China-linked Advanced Persistent Threat (APT) group, known as UNC5221, has been actively exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software. Researchers from EclecticIQ have observed this group chaining two specific flaws, identified as CVE-2025-4427 and CVE-2025-4428, to target organizations across Europe, North America, and the Asia-Pacific region. These vulnerabilities allow for unauthenticated remote code execution, potentially granting the attackers deep access to compromised systems.

The targeted sectors include critical infrastructure such as telecommunications, healthcare, government, defense, finance, and aviation. The exploitation of these flaws began shortly after their disclosure, highlighting the speed at which UNC5221 moved to take advantage of the vulnerabilities. CISA has added the Ivanti EPMM flaw, among others, to its Known Exploited Vulnerabilities catalog, emphasizing the severity of the risk and urging organizations to apply necessary patches.

The attacks facilitate further intrusion and data exfiltration, potentially leading to significant breaches and compromise of sensitive information. This campaign underscores the ongoing threat posed by state-sponsored cyberespionage and the importance of proactive security measures to defend against such attacks.

References:
  • securityaffairs.com: China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure
  • ciso2ciso.com: China-linked APT exploit Ivanti EPMM flaws to target critical sectors across Europe, North America, and Asia-Pacific, according to EclecticIQ.
  • The Hacker News: Researchers from EclecticIQ observed a China-linked APT group that chained two Ivanti EPMM flaws, tracked as CVE-2025-4427 and CVE-2025-4428, in attacks against organizations in Europe, North America, and Asia-Pacific.

info@thehackernews.com (The Hacker News)@The Hacker News //
A new cybersecurity threat, dubbed Hazy Hawk, has emerged, exploiting misconfigured DNS records to hijack abandoned cloud resources. Since at least December 2023, the threat actor has been using DNS CNAME hijacking to seize control of abandoned cloud endpoints belonging to reputable organizations, including Amazon S3 buckets and Microsoft Azure endpoints. By registering new cloud resources with the same names as the abandoned ones, Hazy Hawk redirects traffic to malicious sites, incorporating these hijacked domains into large-scale scam delivery and traffic distribution systems (TDS). This allows them to distribute scams, fake applications, and malware to unsuspecting users, leveraging the trust associated with the original domains.

Infoblox researchers first detected Hazy Hawk's activities in February 2025, when the group successfully took control of subdomains belonging to the U.S. Centers for Disease Control (CDC). Further investigation revealed that global government agencies, major universities, and international corporations such as Deloitte and PricewaterhouseCoopers have also been targeted. Hazy Hawk scans for domains with CNAME records pointing to abandoned cloud endpoints, determining this through passive DNS data validation. They then register a new cloud resource with the same name, causing the original domain's subdomain to resolve to the attacker's controlled resource.

The attack chains often involve cloning legitimate websites to appear trustworthy, and URL obfuscation techniques are employed to hide malicious destinations. Hazy Hawk uses hijacked domains to host malicious URLs that redirect users to scams and malware. What makes Hazy Hawk's operations particularly concerning is the use of trusted domains to serve malicious content, enabling them to bypass detection and exploit the reputation of high-profile entities. Cybersecurity experts advise organizations to diligently monitor and manage their DNS records, ensuring that CNAME records pointing to abandoned cloud resources are removed to prevent unauthorized domain hijacking.
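The defensive advice above (find CNAME records that still point at cloud resources nobody owns) can be automated against your own zone. This is an added example, not Infoblox's tooling; it assumes a zone export of (owner, target) CNAME pairs and two callbacks, a DNS resolver and an HTTP probe, which are replaced here by constructed in-memory stubs so it runs offline.

```python
"""Dangling-CNAME check for the hijack pattern described above.

Added example. It flags CNAMEs whose target is a re-registrable cloud endpoint
that is no longer claimed. Two signals are needed because providers differ:
Azure-style names disappear (NXDOMAIN) when the resource is deleted, while an
S3 bucket hostname keeps resolving and only the HTTP error body reveals that
the bucket is gone. In production back resolve()/http_probe() with dnspython
and requests (assumed, not used here); the suffix list is illustrative.
"""
from dataclasses import dataclass

# Endpoint suffixes a third party can re-register once the original resource
# is deleted. Illustrative, not exhaustive.
CLOUD_SUFFIXES = (
    ".s3.amazonaws.com",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".cloudfront.net",
)


@dataclass
class Finding:
    owner: str    # our record, e.g. events2019.example.org.
    target: str   # the cloud CNAME target
    reason: str


def is_cloud_endpoint(target: str) -> bool:
    return any(target.rstrip(".").lower().endswith(s) for s in CLOUD_SUFFIXES)


def find_dangling_cnames(records, resolve, http_probe=None):
    """records: iterable of (owner, target) CNAME pairs from our zone.
    resolve(target) -> list of addresses, or None on NXDOMAIN.
    http_probe(target) -> response body text, or None if unreachable.
    """
    findings = []
    for owner, target in records:
        if not is_cloud_endpoint(target):
            continue
        if resolve(target) is None:
            findings.append(Finding(owner, target, "target is NXDOMAIN"))
            continue
        # Name still resolves; check whether the resource behind it is gone.
        if http_probe is not None and "NoSuchBucket" in (http_probe(target) or ""):
            findings.append(Finding(owner, target, "S3 bucket no longer exists"))
    return findings


# ---- constructed sample zone and stub responses --------------------------
SAMPLE_RECORDS = [
    ("reports.example.org.",    "reports-prod.s3.amazonaws.com."),      # bucket deleted
    ("events2019.example.org.", "events2019-site.azurewebsites.net."),  # app deleted
    ("static.example.org.",     "d1234abcd.cloudfront.net."),           # still live
    ("www.example.org.",        "www.example.org.cdn.partner.example."),  # not cloud
]
_LIVE = {   # targets that still resolve (constructed addresses)
    "reports-prod.s3.amazonaws.com.": ["203.0.113.10"],
    "d1234abcd.cloudfront.net.": ["198.51.100.7"],
}
_BODIES = {  # constructed HTTP bodies
    "reports-prod.s3.amazonaws.com.": "<Error><Code>NoSuchBucket</Code></Error>",
    "d1234abcd.cloudfront.net.": "<html>ok</html>",
}


def stub_resolve(name):
    return _LIVE.get(name)       # None models NXDOMAIN


def stub_http_probe(name):
    return _BODIES.get(name)


def sample_findings():
    return find_dangling_cnames(SAMPLE_RECORDS, stub_resolve, stub_http_probe)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.owner} -> {f.target}: {f.reason}")
```

Run it on a periodic schedule against the full zone export; any finding should be removed from DNS or re-claimed in the cloud account before someone else registers the name.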

References:
  • BleepingComputer: Threat actors have been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDSes).
  • BleepingComputer: Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains
  • The Hacker News: Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery
  • hackread.com: Infoblox reveals Hazy Hawk, a new threat exploiting abandoned cloud resources (S3, Azure) and DNS gaps since Dec…
  • The DefendOps Diaries: Explore Hazy Hawk's DNS hijacking tactics and learn how to protect your domains from this emerging cybersecurity threat.
  • bsky.app: A threat actor named 'Hazy Hawk' has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS).
  • www.bleepingcomputer.com: Hazy Hawk has been observed hijacking abandoned cloud resources.
  • Virus Bulletin: Researchers Jacques Portal & Renée Burton look into Hazy Hawk, a threat actor that hijacks abandoned cloud resources of high-profile organizations.
  • blogs.infoblox.com: Hazy Hawk is a threat actor that hijacks abandoned cloud resources of high-profile organizations.
  • www.scworld.com: Misconfigured DNS, neglected cloud assets harnessed in Hazy Hawk domain hijacking attacks
  • Infoblox Blog: Cloudy with a Chance of Hijacking Forgotten DNS Records Enable Scam Actor
  • DomainTools: Report on the threat actor's tactics and techniques, including targeting abandoned cloud resources.
  • Security Risk Advisors: Hazy Hawk Actor Hijacks Abandoned Cloud DNS Records of High-Profile Organizations for Scam Distribution
  • cyble.com: Cyble reports on Hazy Hawk campaign hijacks abandoned cloud DNS records from CDC, Berkeley, & 100+ major orgs to distribute scams.
  • BleepingComputer: Hazy Hawk exploits abandoned cloud resources from high-profile organizations to distribute scams and malware through traffic distribution systems (TDSes).
  • cyberscoop.com: Coordinated effort took down seven kinds of malware and targeted initial access brokers.
  • securityonline.info: A significant takedown neutralized ransomware delivery and initial access malware infrastructure.
  • BleepingComputer: International law enforcement took down hundreds of servers and domains.

@securityonline.info //
The Play ransomware gang has been actively exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824. This high-severity flaw allows attackers to gain SYSTEM privileges on compromised systems, enabling them to deploy malware and carry out other malicious activities. The vulnerability was patched by Microsoft in April 2025; however, it was actively exploited in targeted attacks across various sectors before the patch was released.

The Play ransomware gang's attack methodology is sophisticated, employing custom tools and techniques such as dual extortion. A key tool used is the Grixba infostealer, which scans networks and steals information. In addition to the Grixba infostealer, the group uses a payload injection technique where a malicious payload is injected into the winlogon.exe process. This allows them to inject the Sysinternals procdump.exe tool into various processes for malicious purposes.

The Symantec Threat Hunter Team identified this zero-day vulnerability being actively exploited, including an attack targeting an unnamed organization in the United States. The attackers likely used a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point. During the execution of the exploit, batch files are created to escalate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, create a new user, and clean up traces of exploitation. The exploitation of CVE-2025-29824 highlights the trend of ransomware actors using zero-days to infiltrate targets, underscoring the importance of prompt patching and robust security measures.

References:
  • securityaffairs.com: Security Affairs reports Play ransomware affiliate leveraged zero-day to deploy malware
  • The DefendOps Diaries: The Defend Ops Diaries discusses Understanding the Play Ransomware Threat: Exploiting Zero-Day Vulnerabilities.
  • The Hacker News: The Hacker News reports Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization
  • BleepingComputer: BleepingComputer reports Play ransomware exploited Windows logging flaw in zero-day attacks.
  • www.csoonline.com: Windows flaw exploited as zero-day by more groups than previously thought
  • securityonline.info: Zero-Day CLFS Vulnerability (CVE-2025-29824) Exploited in Ransomware Attacks
  • bsky.app: The Play ransomware group has exploited a Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
  • Davey Winder: Play Ransomware Zero-Day Attacks — US, Saudi Arabia Have Been Targeted
  • www.techradar.com: Ransomware hackers target a new Windows security flaw to hit businesses
  • www.scworld.com: Windows CLFS zero-day leveraged in Play ransomware attacks