rulesbot@community.emergingthreats.net
//
References:
community.emergingthreats.net
Emerging Threats has released a significant ruleset update, v10950, aimed at bolstering network security and threat detection. The update includes 73 new open rules and 136 new pro rules, totaling 209 enhancements to the existing security framework. These rules are designed to address a wide spectrum of threats, ranging from general malware to web application-specific vulnerabilities and hunting activities, enabling organizations to strengthen their defenses against an evolving threat landscape. The release date for this update is June 13, 2025.
Among the key targets of this update is the Predator spyware, which remains a persistent threat despite US sanctions. The ruleset includes specific signatures to detect DNS queries associated with Predator spyware domains, such as gilfonts .com, zipzone .io, and numerous others. This highlights the ongoing efforts to identify and neutralize the infrastructure used by Intellexa, the maker of Predator, even as they attempt to evade detection through new servers and domains. This focus underscores the importance of continuous monitoring and adaptation in the face of sophisticated surveillance tools. In addition to addressing the Predator spyware, the ruleset update also tackles a critical vulnerability in Fortinet Admin APIs, specifically a Stack-based Buffer Overflow in the AuthHash Cookie, identified as CVE-2025-32756. This rule aims to protect against potential exploits targeting this weakness in Fortinet systems. Furthermore, the update incorporates rules for hunting SQL Database Version Discovery, enhancing the ability to proactively identify and address potential vulnerabilities within network environments. This comprehensive approach ensures a multi-layered defense against various attack vectors. Recommended read:
References :
Cynthia B@Metacurity
//
Despite US sanctions, Intellexa's Predator spyware continues to operate, adapting to setbacks and surfacing in new locations with innovative techniques to evade detection. Security firm Recorded Future revealed they had linked Intellexa infrastructure to new locations. Their findings suggest Intellexa, also known as the Intellexa Consortium, is actively responding to the challenges posed by sanctions and public exposure and is likely to continue adapting its methods. This highlights the ongoing struggle to effectively curb the proliferation of sophisticated surveillance tools.
Recorded Future's Insikt Group has identified a previously unknown customer in Mozambique, a connection to a Czech entity, and activity linked to an Eastern European country. The Eastern European activity, though brief, suggests possible development or testing of the spyware. The discovery of the Mozambique customer is consistent with the already known high level of Predator activity across Africa. Intellexa has also adopted strategies such as using fake websites, including counterfeit login pages and sites claiming association with conferences, to mask its operations. Julian-Ferdinand Vögele, a threat researcher with Recorded Future, stated that “Intellexa’s Predator remains active and adaptive, relying on a vast network of vendors, subsidiaries, and other companies.” While Predator activity has declined since sanctions and public exposure, the spyware maker is still finding ways to keep the spyware active and available to customers. The report from Recorded Future warns that "Sanctions and other pressures are likely to drive efforts to increase the complexity of corporate structures, making operations harder to trace and disrupt," emphasizing the importance of continued vigilance and proactive measures to counter the evolving threat posed by Predator. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
Apple has released details about a zero-day vulnerability, CVE-2025-43200, that was exploited by Paragon's Graphite spyware to hack at least two journalists' iPhones in Europe. The vulnerability was a zero-click flaw in iMessage, allowing attackers to compromise devices without any user interaction. Apple had quietly patched the flaw in iOS 18.3.1, which was released on February 10, but the details of the vulnerability were not publicized until recently.
The security advisory was updated four months after the initial iOS release to include the zero-day flaw, described as a logic issue when processing a maliciously crafted photo or video shared via an iCloud Link. Apple stated that they were aware of a report that this issue was exploited in an "extremely sophisticated attack against specific targeted individuals." Citizen Lab confirmed that this was the flaw used against Italian journalist Ciro Pellegrino and an unnamed "prominent" European journalist. Citizen Lab also confirmed that Paragon's Graphite spyware was used to hack the journalists' iPhones. This incident is part of a growing trend of mercenary spyware operators exploiting iOS through silent attack chains. The now-confirmed infections call into question a report by Italian lawmakers, which didn't mention one of the hacked journalists. It remains unclear why Apple did not disclose the existence of the patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity. Recommended read:
References :
@Links
//
Spyware maker Paragon has severed ties with the Italian government following a dispute over an investigation into the alleged hacking of journalist Francesco Cancellato’s phone. Paragon stated that it offered its assistance to determine whether its Graphite system was used against the journalist in violation of Italian law and contractual terms. However, the Italian authorities declined Paragon’s offer to independently verify the matter, leading the company to terminate its contracts in Italy. This marks the first instance of a spyware provider publicly acknowledging ending a contract with a government client due to concerns over potential abuse.
The Italian government, through its Department of Information for Security (DIS), rejected Paragon’s proposal, deeming it an “invasive practice” that was “unverifiable in scope, results and method.” The government also expressed concerns that accepting Paragon’s help would compromise national security and expose confidential data to a foreign private company. Several Italian news outlets reported on the government's decision. The Parliamentary Committee for the Security of the Republic (COPASIR) conducted its own investigation, acknowledging that Italian intelligence services had used Paragon’s Graphite spyware to target phones belonging to civil society activists. However, the committee found no evidence that Cancellato was specifically targeted using the technology. This incident has raised questions about the use of spyware by governments and the need for greater transparency and accountability in the industry. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A new report from Citizen Lab has uncovered a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) living in exile. The attackers utilized a trojanized version of UyghurEditPP, a legitimate open-source text editor designed to support the Uyghur language, to deliver Windows-based malware. This campaign highlights the concerning trend of digital transnational repression, where software intended to empower repressed communities is instead weaponized against them. The method involved impersonating a known contact from a partner organization of the WUC to deliver a Google Drive link containing the malicious file.
Once the infected UyghurEditPP was executed, a hidden backdoor would silently gather system information, including the machine name, username, IP address, and operating system version. This data was then transmitted to a remote command-and-control (C2) server, allowing the attackers to perform various malicious actions, such as downloading files or uploading additional malicious plugins. Citizen Lab researchers noted that the attackers displayed a deep understanding of the target community, using culturally significant Uyghur and Turkic language terms in the C2 infrastructure to avoid raising suspicion. Researchers believe that state-aligned actors are behind this campaign, reflecting a broader pattern of Chinese government actors targeting the Uyghur community. While the malware itself wasn't particularly advanced, the campaign showcased a high level of social engineering. The discovery emphasizes the ongoing threats faced by the Uyghur diaspora and the need for increased vigilance against digital surveillance and hacking attempts. This incident adds to the growing evidence of digital transnational repression, where governments use digital technologies to surveil, intimidate, and silence exiled communities. Recommended read:
References :
@cloud.google.com
//
Google's Threat Intelligence Group (GTIG) has released its annual review of zero-day exploits, revealing a concerning shift towards enterprise-targeted attacks in 2024. The report highlights a persistent rise in zero-day exploitation, with 75 vulnerabilities actively exploited in the wild. While this number represents a decrease from the 98 exploits observed in 2023, it remains higher than the 63 recorded in 2022, indicating a continued upward trend. The GTIG's analysis divides these vulnerabilities into two main categories: end-user platforms and products, and enterprise-focused technologies such as security software and appliances.
Of the 75 zero-day exploits tracked in 2024, a significant 44% targeted enterprise products. This indicates a strategic shift from attackers who are increasingly recognizing the value in compromising systems that house sensitive data. In contrast, the exploitation of browsers and mobile devices has decreased, falling by about a third and half, respectively. This shift towards enterprise technologies suggests that attackers are focusing on more lucrative targets that offer greater potential rewards. The GTIG report also notes that exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively used to target mobile devices. Government-backed hackers and commercial surveillance vendors (CSVs) are the primary actors behind many of these exploits. The GTIG report indicates that governments like China and North Korea, along with spyware makers, are responsible for the most recorded zero-days in 2024. Specifically, at least 23 zero-day exploits were linked to government-backed hackers, with 10 directly attributed to governments including five linked to China and five to North Korea. Additionally, spyware makers and surveillance enablers were responsible for eight exploits, suggesting that the industry will continue to grow as long as government customers continue to request and pay for these services. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Russian military personnel are being targeted by a new Android spyware campaign that disguises itself as a legitimate Alpine Quest mapping application. The spyware, dubbed Android.Spy.1292.origin, is distributed through unofficial channels, including Russian Android app catalogs and a fake Telegram channel promoting a pirated "Pro" version of the app. Once installed, the trojanized app functions like the original Alpine Quest, a popular navigation tool used by outdoor enthusiasts and also relied upon by Russian soldiers in military zones due to its offline capabilities. This allows the malware to remain undetected while it secretly harvests sensitive data from the compromised device.
The spyware collects a wide range of information, including the user's phone number, contact lists, geolocation data, and a list of files stored on the device. This data is then sent to a remote command-and-control server and a Telegram bot controlled by the attackers. The attackers are particularly interested in retrieving confidential documents shared via messaging apps like Telegram and WhatsApp. The malware also targets a specific file called "locLog" created by Alpine Quest, which logs detailed user movement data. By stealing this file, the attackers can reconstruct the victim's movements over time, enabling surveillance. Security researchers at Doctor Web discovered the campaign and noted the modular design of the spyware, which allows attackers to expand its capabilities by downloading additional modules. This can enable the exfiltration of specific content and execute a wider spectrum of malicious tasks. The attacks mirror tactics previously deployed by Russian groups against Ukrainian soldiers, seeking to access data from military apps and encrypted messaging apps. Experts advise downloading Android apps only from trusted app marketplaces and avoiding downloading "free" paid versions of software from dubious sources to mitigate the risk posed by such threats. Recommended read:
References :
@NCSC News Feed
//
A coalition of governments, including the UK, US, Australia, Canada, Germany, and New Zealand, has issued an alert regarding the use of BADBAZAAR and MOONSHINE spyware. These sophisticated tools are being used to target civil society groups and ethnic minorities, specifically Uyghur, Taiwanese, and Tibetan communities. The spyware is embedded within seemingly legitimate Android applications, effectively acting as Trojan malware to gain unauthorized access to sensitive data. These malicious apps are designed to appear harmless, often mimicking popular apps or catering to specific interests of the targeted groups.
These spyware families are capable of accessing a wide range of information on infected devices, including location data, microphone and camera feeds, messages, photos, and other stored files. The UK's National Cyber Security Centre (NCSC) has stated that the targeted individuals are those connected to topics considered a threat to the Chinese state, such as Taiwanese independence, Tibetan rights, Uyghur Muslims, democracy advocacy, and the Falun Gong spiritual movement. The indiscriminate nature of the spyware's spread raises concerns that infections may extend beyond the intended targets, potentially affecting a broader range of users. The advisory includes a list of over 100 malicious Android apps that have been identified as carrying the BADBAZAAR and MOONSHINE spyware. These apps often masquerade as Muslim and Buddhist prayer apps, chat applications like Signal, Telegram, and WhatsApp, or utility apps like Adobe Acrobat PDF reader. To mitigate the risk, individuals are urged to download apps only from official app stores, keep their devices and apps up to date, avoid rooting or jailbreaking their devices, and carefully review app permissions before installation. The NCSC and its partners continue to monitor the activities of these malicious cyber actors and provide guidance to help individuals protect themselves from these evolving threats. Recommended read:
References :
Alex Lekander@CyberInsider
//
Amnesty International's Security Lab has uncovered evidence that two investigative journalists from the Serbia-based Balkan Investigative Reporting Network (BIRN) were targeted with NSO Group’s Pegasus spyware in February 2025. This marks the third time in two years that Amnesty International has found Pegasus being used against civil society members in Serbia, building upon previous findings detailed in their December 2024 report, "A Digital Prison." The journalists received suspicious text messages, and research confirmed the links led to a domain previously identified as part of NSO Group's infrastructure.
These latest findings reinforce concerns about Serbian authorities abusing invasive spyware to target journalists, activists, and other members of civil society. NSO Group responded to Amnesty International's findings by stating they cannot comment on specific customers or disclose technical information, while reiterating their commitment to respecting human rights and upholding the UN Guiding Principles on Business and Human Rights. Despite this commitment, security researchers are increasingly able to detect Pegasus attacks, suggesting challenges for NSO Group in maintaining operational security and concealing their activities. Recommended read:
References :
|