@The DefendOps Diaries
//
Microsoft's March 2025 Patch Tuesday has addressed 57 flaws, including seven zero-day vulnerabilities that were already being actively exploited. These zero-day flaws highlight the importance of applying security updates in a timely manner. Three critical vulnerabilities were remote code execution vulnerabilities, posing a high risk that could lead to full system compromise if exploited. One notable zero-day vulnerability is the Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability (CVE-2025-24983), which could allow attackers to gain SYSTEM privileges through a race condition.
Microsoft has also announced that it will drop support for the Remote Desktop app, available through the Microsoft Store, on May 27th. The current app will be replaced with the new Windows App, designed for work and school accounts. Microsoft is encouraging users to review the known issues and limitations of the Windows App to understand any feature gaps that may create challenges during migration. The Windows App is intended to connect to Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs.
Recommended read:
References :
- isc.sans.edu: Microsoft Patch Tuesday: March 2025, (Tue, Mar 11th)
- The DefendOps Diaries: Microsoft's March 2025 Patch Tuesday: Addressing Critical Vulnerabilities
- BleepingComputer: Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws
- CyberInsider: Microsoft March 2025 ‘Patch Tuesday’ Updates Fix Six Actively Exploited Flaws
- Tenable Blog: Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)
- bsky.app: Today is Microsoft's March 2025 Patch Tuesday, which includes security updates for 57 flaws, including six actively exploited zero-day vulnerabilities.
- krebsonsecurity.com: Microsoft: 6 Zero-Days in March 2025 Patch Tuesday
- Blog RSS Feed: March 2025 Patch Tuesday Analysis
- Threats | CyberScoop: Microsoft patches 57 vulnerabilities, including 6 zero-days
- The Register - Software: Choose your own Patch Tuesday adventure: Start with six zero-day fixes, or six critical flaws
- hackread.com: March 2025 Patch Tuesday: Microsoft Fixes 57 Vulnerabilities, 7 Zero-Days
- www.kaspersky.com: Main vulnerabilities from Microsoft's March Patch Tuesday | Kaspersky official blog
- Rescana: Microsoft March 2025 Patch Tuesday: Zero-Day Exploitation Analysis in WinDbg, ASP.NET Core, and Remote Desktop
- socradar.io: March 2025 Patch Tuesday: Microsoft Fixes 6 Critical & 6 Exploited Security Vulnerabilities
- Security | TechRepublic: Microsoft's March 2025 Patch Tuesday includes six actively exploited zero-day vulnerabilities. Learn about the critical vulnerabilities and why immediate updates are essential.
- Davey Winder: Microsoft has confirmed that no less than six zero-day vulnerabilities are exploiting Windows users in the wild. Here’s what you need to know and do.
- : Microsoft Patches a Whopping Seven Zero-Days in March
- Blog: As part of its monthly Patch Tuesday event, Microsoft has fixed 57 vulnerabilities. Among them are six actively exploited zero-day vulnerabilities
- Arctic Wolf: Microsoft Patch Tuesday: March 2025
- Talkback Resources: Microsoft's Patch Tuesday reports 6 flaws already under fire [app] [sys]
- ESET Research: has discovered a zero day exploit abusing -2025-24983 vulnerability in the Windows kernel 🪟 to elevate privileges ( ).
- The DefendOps Diaries: Understanding the Impact of CVE-2025-24983: A Critical Windows Kernel Vulnerability
- BleepingComputer: Microsoft patches Windows Kernel zero-day exploited since 2023
- PCWorld: Big March patch fixes dozens of security flaws in Windows and Office
- securityaffairs.com: Microsoft Patch Tuesday security updates for March 2025 fix six actively exploited zero-days
- www.threatdown.com: The March 2025 Patch Tuesday update contains an unusually large number of zero-day vulnerabilities that are being actively exploited.
- Arctic Wolf: Microsoft Patch Tuesday: March 2025
- www.computerworld.com: For March’s Patch Tuesday, 57 fixes — and 7 zero-days
Bill Mann@CyberInsider
//
Multiple state-backed hacking groups, including those from North Korea, Iran, Russia, and China, have been exploiting a Windows zero-day vulnerability since 2017 for data theft and cyber espionage. The vulnerability lies in malicious .LNK shortcut files rigged with commands to download malware, effectively hiding malicious payloads from users. Security researchers at Trend Micro's Zero Day Initiative discovered nearly 1,000 tampered .LNK files, though they believe the actual number of attacks could be much higher.
Microsoft has chosen not to address this vulnerability with a security update, classifying it as a low priority issue not meeting their bar for servicing. This decision comes despite the fact that the exploitation avenue has been used in an eight-year-long spying campaign, relying on hiding commands using megabytes of whitespace to bury the actual commands deep out of sight in the user interface. Dustin Childs of the Zero Day Initiative told *The Register* that while this is one of many bugs used by attackers, its unpatched status makes it a significant concern.
Recommended read:
References :
- The Hacker News: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
- ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
- The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
- securityaffairs.com: State-Sponsored Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
- CyberInsider: Microsoft has acknowledged that its latest Windows update has unintentionally uninstalled the Copilot app from some Windows 11 devices.
- BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
- The DefendOps Diaries: Exploiting Windows Zero-Day Vulnerabilities: The Role of State-Sponsored Hacking Groups
- securityonline.info: Hidden Threat: Zero-Day Windows Shortcut Exploited by Global APT Networks
- www.it-daily.net: Critical Windows security vulnerability discovered
- socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Tech Monitor: Windows shortcut exploit used as zero-day in global cyber espionage campaigns
- www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
- www.cybersecuritydive.com: A vulnerability that allows for malicious payloads to be delivered via Windows shortcut files has not yet been addressed by Microsoft and has been under active attack for eight years.
- www.techradar.com: An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
- Security Risk Advisors: 🚩APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
- hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
- : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Sam Bent: Windows Shortcut Zero-Day Used by Nation-States
- Jon Greig: Researchers Trend Micro's Zero Day Initiative said they have identified multiple campaigns from nation-state groups in North Korea, China and Russia exploiting an issue impacting .lnk files Microsoft said the report "does not meet the bar for immediate servicing"
- Threats | CyberScoop: Trend Micro researchers discovered and reported the eight-year-old defect to Microsoft six months ago. The company hasn’t made any commitments to patch or remediate the issue.
- Jon Greig: Researchers Trend Micro's Zero Day Initiative said they have identified multiple campaigns from nation-state groups in North Korea, China and Russia exploiting an issue impacting .lnk files Microsoft said the report "does not meet the bar for immediate servicing"
- www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
- Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
- Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
- borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
- Help Net Security: APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
- securityboulevard.com: Microsoft Won’t Fix This Bad Zero Day (Despite Wide Abuse)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
Microsoft Incident@Microsoft Security Blog
//
Microsoft's Incident Response team has uncovered a novel remote access trojan (RAT) named StilachiRAT, which employs sophisticated techniques to evade detection and steal sensitive data. Discovered in November 2024, StilachiRAT demonstrates advanced methods to remain undetected, persist in the targeted environment, and exfiltrate valuable information. The malware is capable of gathering system information, stealing credentials stored in browsers, targeting cryptocurrency wallets, and using command-and-control connectivity for remote execution.
The RAT scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser and extracts credentials from the browser, indicating its focus on cryptocurrency theft and credential compromise. It establishes communication with remote command-and-control (C2) servers to execute commands, manipulate registry settings, and clear logs, making it challenging to detect and remove. Microsoft advises users to download software from official sources, use web browsers with SmartScreen support, and enable Safe Links and Safe Attachments for Office 365 to prevent StilachiRAT infections.
Recommended read:
References :
- bsky.app: ​MicrosoftÂ
has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
- BleepingComputer: Microsoft: New RAT malware used for crypto theft, reconnaissance
- Microsoft Security Blog: StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
- BleepingComputer: Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
- hackread.com: StilachiRAT: Sophisticated malware targets crypto wallets & credentials. Undetected, it maps systems & steals data. Microsoft advises strong security measures.
- Virus Bulletin: Microsoft researchers uncovered a novel remote access trojan (RAT) named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data.
- securityaffairs.com: New StilachiRAT uses sophisticated techniques to avoid detection
- The DefendOps Diaries: Understanding StilachiRAT: A New Cyber Threat Targeting Cryptocurrency
- CyberInsider: Microsoft Uncovers New Stealthy Malware ‘StilachiRAT’ Targeting User Data
- The Hacker News: Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
- The Hacker News: Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
- Tech Monitor: New remote access trojan ‘StilachiRAT’ identified
- Help Net Security: Stealthy StilachiRAT steals data, may enable lateral movement
- www.techradar.com: Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
- The Record: A previously unreported remote access trojan that Microsoft researchers dubbed StilachiRAT is designed to steal a wide range of data, including information about cryptocurrency wallet extensions for Google's Chrome browser.
- Blog: New ‘StilachiRAT’ found scurrying in crypto wallets
- BleepingComputer: Detailed technical analysis of the StilachiRAT malware and its operational capabilities.
- securityonline.info: Microsoft Uncovers Sophisticated StilachiRAT Malware
- Sophos X-Ops: Microsoft has discovered a new remote access trojan (RAT) dubbed StilachiRAT, which uses sophisticated techniques to avoid detection.
- Cyber Security News: Microsoft has recently issued a warning about a novel remote access trojan (RAT) known as StilachiRAT, which has been discovered to possess sophisticated capabilities for evading detection and stealing sensitive data. This malware was identified by Microsoft Incident Response researchers in November 2024 and is notable for its ability to target Remote Desktop Protocol (RDP) […] The post appeared first on .
Sergiu Gatlan@BleepingComputer
//
EncryptHub, a group linked to RansomHub, has been identified as the actor exploiting a zero-day vulnerability in Microsoft Management Console (MMC). Tracked as CVE-2025-26633, this flaw allows attackers to bypass security features and execute malicious code on vulnerable Windows systems. The vulnerability stems from improper input sanitization within MMC, a core administrative tool. Attackers are leveraging this flaw through email and web-based attacks, delivering malicious payloads to unsuspecting users, bypassing Windows file reputation protections.
The exploit, dubbed 'MSC EvilTwin', manipulates .msc files and the Multilingual User Interface Path (MUIPath) to execute malicious payloads, maintain persistence, and steal sensitive data. Specifically, attackers create two .msc files with the same name, a clean one and a malicious counterpart. When the legitimate file is run, MMC inadvertently picks the rogue file from a directory named "en-US" and executes it, unbeknownst to the user. This sophisticated technique allows EncryptHub to deploy various malware families, including Rhadamanthys and StealC, information stealers which pose a severe risk to affected organizations.
Recommended read:
References :
- The DefendOps Diaries: Understanding the CVE-2025-26633 Vulnerability in Microsoft Management Console
- www.trendmicro.com: Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- Cyber Security News: Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code
- BleepingComputer: A threat actor known as EncryptHub has been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability patched this month.
- gbhackers.com: Windows MMC Framework Zero-Day Exploited to Execute Malicious Code
- www.scworld.com: Windows-targeted EncryptHub attacks involve MMC zero-day exploitation
- bsky.app: EncryptHub, an affiliate of RansomHub, was behind recent MMC zero-day patched this month by Microsoft
- The Hacker News: EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware
- Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- www.cybersecuritydive.com: A threat actor known as “EncryptHub” began exploiting the zero-day vulnerability before it was patched earlier this month.
- : Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
@gbhackers.com
//
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.
If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft.
Recommended read:
References :
- gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
- securityaffairs.com: North Korea-linked APT Emerald Sleet is using a new tactic
- The Hacker News: The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets.
- gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
- BleepingComputer: North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired from the now widespread ClickFix campaigns.
- : Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
- www.bleepingcomputer.com: Reports on Emerald Sleet's activity exploiting PowerShell.
- www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
- www.scworld.com: PowerShell exploited in new Kimsuky intrusions
- Talkback Resources: Kimsuky, a North Korean nation-state threat actor, is conducting an ongoing cyber attack campaign named DEEP#DRIVE targeting South Korean business, government, and cryptocurrency sectors using tailored phishing lures and leveraging PowerShell scripts and Dropbox for payload delivery and data exfiltration.
- The Hacker News: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
- MSSP feed for Latest: Ongoing Kimsuky Attack Campaign Exploits PowerShell, Dropbox
- securityaffairs.com: Analyzing DEEP#DRIVE: North Korean
rohann@checkpoint.com@Check Point Blog
//
Blind Eagle, one of Latin America's most dangerous cyber criminal groups, has been actively targeting Colombian institutions and government entities since November 2024. According to Check Point Research (CPR), this advanced persistent threat (APT) group, also tracked as APT-C-36, is using sophisticated techniques to bypass traditional security defenses. They leverage trusted platforms like Google Drive, Dropbox, GitHub, and Bitbucket to distribute their malicious payloads, and have recently been seen using a variant of an exploit for a now-patched Microsoft Windows flaw, CVE-2024-43451. This allows them to infect victims with a high rate of success.
CPR has uncovered that Blind Eagle incorporated this exploit a mere six days after Microsoft released the patch. They use malicious .URL files distributed via phishing emails, and victims are often unaware they are triggering the infection. The final payload is often the Remcos RAT, a remote access trojan that grants attackers complete control over infected systems, allowing for data theft, remote execution, and persistent access. In one campaign in December 2024, over 1,600 victims were affected, highlighting the group's efficiency and targeted approach.
Recommended read:
References :
- Check Point Blog: The Growing Danger of Blind Eagle: One of Latin America’s Most Dangerous Cyber Criminal Groups Targets Colombia
- bsky.app: Blind Eagle APT group has compromised over 1,600 victims inside Colombian institutions and government agencies. The campaign took place in November & December of last year and used an exploit similar to a zero-day exploited by Russian hackers in Ukraine.
- The Hacker News: The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian institutions and government entities since November 2024.
- bsky.app: The Blind Eagle APT group has compromised over 1,600 victims inside Colombian institutions and government agencies. The campaign took place in November & December of last year and used an exploit similar to a zero-day exploited by Russian hackers in Ukraine.
- gbhackers.com: Blind Eagle Hackers Exploit Google Drive, Dropbox & GitHub to Evade Security Measures
- : Blind Eagle has been running campaigns targeting the Colombian government with malicious .url files and phishing attacks
- Talkback Resources: Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks
- securityonline.info: Blind Eagle’s Rapid Adaptation: New Tactics Deployed Days After Patch
- gbhackers.com: Blind Eagle Targets Organizations with Weaponized .URL Files to Steal User Hashes
@securityonline.info
//
Fortinet's FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan. This sophisticated malware, targeting Microsoft Windows users, has expanded its reach to include 1,030 websites and 73 financial institutions. The malware is distributed through malicious LNK files that execute PowerShell commands, initiating a multi-stage attack. The primary goal is to harvest sensitive data, including system details and lists of installed antivirus products.
The attack sequence begins with a LNK file executing a PowerShell command to retrieve a next-stage PowerShell script, launching the trojan. Once deployed, the trojan gathers system information and evades detection by security measures. Should a victim attempt to access a targeted site, the malware communicates with a command-and-control server, enabling actions like capturing screenshots or displaying phishing overlays to steal sensitive credentials, impacting financial cybersecurity.
Recommended read:
References :
- gbhackers.com: FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan, a sophisticated malware targeting Microsoft Windows users.
- www.scworld.com: Updated Coyote malware facilitates more extensive compromise
- gbhackers.com: Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files
- The Hacker News: Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions
- securityonline.info: SecurityOnline article about the multi-stage Coyote banking trojan targeting Brazil.
- securityaffairs.com: Coyote Banking Trojan targets Brazilian users, stealing data from 70+ financial apps and websites
- securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil
@PCWorld
//
A new variant of the Snake Keylogger malware is actively targeting Windows users, with over 280 million infection attempts detected globally. Cybersecurity researchers have identified this version, also known as the 404 Keylogger, as AutoIt/Injector.GTY!tr. The primary targets include users in China, Turkey, Indonesia, Taiwan, and Spain, where the malware spreads through phishing emails containing malicious attachments or links. The keylogger steals credentials from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing screenshots, and monitoring the clipboard.
The stolen data, including sensitive information and credentials, is then exfiltrated to its command-and-control (C2) server through various methods, including SMTP email and Telegram bots. The malware utilizes AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. By using AutoIt, the malware can create standalone executables that may bypass standard antivirus solutions. Once executed, the keylogger copies itself to the %Local_AppData%\supergroup folder, names itself ageless[.]exe, and sets its attributes to hidden and creates “ageless.vbs” in the %Startup% folder.
Recommended read:
References :
- CyberInsider: New Snake Keylogger Variant Launches 280 Million Attacks
- hackread.com: New Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots
- cyberinsider.com: New Snake Keylogger Variant Launches 280 Million Attacks
- The Register - Software: Snake Keylogger slithers into Windows, evades detection with AutoIt-compiled payload
- Talkback Resources: Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots [net] [mal]
- The Hacker News: New Snake Keylogger Variant Leverages AutoIt Scripting to Evade Detection
- PCWorld: This high-risk keylogger malware is a growing threat to Windows users
- Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]
- www.scworld.com: More advanced Snake Keylogger variant emerges
- Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]
Arda Büyükkaya@EclecticIQ Blog
//
The Russian Sandworm group, a cyber-espionage unit with ties to the Russian military, is actively targeting Windows users in Ukraine. They are distributing malicious Microsoft Key Management Service (KMS) activators and fake Windows updates, compromising systems in the process. This campaign, which likely started in late 2023, showcases the ongoing cyber warfare efforts targeting Ukraine.
EclecticIQ threat analysts have linked these attacks to Sandworm based on overlapping infrastructure, consistent tactics, techniques, and procedures (TTPs), and the use of ProtonMail accounts to register domains used in the attacks. The attackers are also deploying a BACKORDER loader to deliver DarkCrystal RAT (DcRAT) malware. This malicious tool abuses legitimate Windows processes to evade detection, such as using `wmic` to add Microsoft Defender exclusions and `reg` to gather information about Defender's status, mimicking the behavior of legitimate KMS activators, while injecting malicious payloads onto compromised systems.
Recommended read:
References :
- bsky.app: The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
- BleepingComputer: Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
- www.bleepingcomputer.com: Russian military hackers deploy malicious Windows activators in Ukraine
- Know Your Adversary: EclecticIQ analysts presented a report on recent Sandworm campaign, where the threat actors used trojanized Microsoft KMS activation tools to deliver BACKORDER loader.
- EclecticIQ Blog: Sandworm APT Targets Ukrainian Users With Trojanized Microsoft KMS Activation Tools In Cyber Espionage Campaigns
- Anonymous ???????? :af:: Details about the malicious Microsoft KMS activation tools used in a recent Sandworm campaign.
- MSSP feed for Latest: Reports that attacks involving malicious Microsoft Key Management Service activators and bogus Windows updates have been deployed.
- securityaffairs.com: Report highlights that a Sandworm subgroup exploited trojanized Microsoft KMS activation tools.
- ciso2ciso.com: Source: socprime.com – Author: Daryna Olyniychuk For over a decade, russia-backed Sandworm APT group (also tracked as UAC-0145, APT44) has consistently targeted Ukrainian organizations, with a primary focus on state bodies and critical infrastructure.
- www.microsoft.com: Details of the BadPilot operation conducted by the Sandworm subgroup, targeting critical organizations and governments.
- ciso2ciso.com: Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine
– Source: socprime.com
- securityonline.info: Discussion of the campaign, the methods used by the attackers and potential consequences.
- BleepingComputer: A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
- : Microsoft : Microsoft Threat Intelligence reports on a subgroup within Russian APT Seashell Blizzard (aka Sandworm, APT44) and their multiyear [sic] initial access operation (tracked as the "BadPilot campaign"). This blog details this subgroup's recently observed tactics, techniques, and procedures (TTPs), and describes three of its distinct exploitation patterns. The geographical targeting to a near-global scale of this campaign expands Seashell Blizzard's scope of operations beyond Eastern Europe. Additionally, the opportunistic access methods outlined in this campaign will continue to offer Russia opportunities for niche operations and activities. Indicators of compromise and Yara rules are listed.
- socprime.com: Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine
- securityaffairs.com: Microsoft Threat Intelligence has published research on a subgroup of the Russia-linked APT group Seashell Blizzard behind the global BadPilot campaign, which compromises infrastructure to support Russian cyber operations. Seashell Blizzard (aka Sandworm, BlackEnergy and TeleBots) has been active in the cybersecurity arena for more than a decade.
Aman Mishra@gbhackers.com
//
A large-scale malware campaign has been discovered exploiting a vulnerable Windows driver, truesight.sys, associated with Adlice's RogueKiller Antirootkit suite. Attackers are leveraging a loophole in Windows’ driver signing policy to bypass detection and deploy the HiddenGh0st RAT malware. Over 2,500 distinct variants of the truesight.sys driver have been identified, allowing attackers to evade EDR solutions and Microsoft’s Vulnerable Driver Blocklist.
This sophisticated campaign employs a multi-stage infection process, where initial-stage malware samples are disguised as legitimate applications and distributed via deceptive websites and messaging apps. These samples download the vulnerable truesight.sys driver alongside encrypted payloads, ultimately delivering advanced malware such as the Gh0st RAT. The campaign primarily targets victims in China, Singapore, and Taiwan, with infrastructure hosted on public cloud services within China.
Recommended read:
References :
- Cyber Security News: A sophisticated cyber campaign has been uncovered, leveraging a loophole in Windows’ driver signing policy to bypass detection and deploy malware.
- Talkback Resources: 2,500+ Truesight.sys Driver Variants Exploited to Bypass EDR and Deploy HiddenGh0st RAT [exp] [mal]
- The Hacker News: A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection efforts and deliver the Gh0st RAT malware.
- Information Security Buzz: Massive Cyberattack Exploits Legacy Windows Driver to Evade Detection
- gbhackers.com: New Malware Uses Legitimate Antivirus Driver to Bypass All System Protections
@Talkback Resources
//
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.
The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community.
Recommended read:
References :
- Virus Bulletin: Cisco Talos researcher Joey Chen describes how Lotus Blossom uses Sagerunex and other hacking tools for post-compromise activities. The espionage operation targets government, manufacturing, telecommunications & media organizations from Philippines, Vietnam, Hong Kong & Taiwan.
- gbhackers.com: Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications
- Talkback Resources: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
- www.cysecurity.news: Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations
- Cyber Security News: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics in Detail
- gbhackers.com: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics
- securityaffairs.com: Chinese Lotus Blossom APT targets multiple sectors with Sagerunex backdoor
NSFOCUS@nsfocusglobal.com
//
A new vulnerability, CVE-2025-24071, has been identified in Windows File Explorer, potentially exposing users to network spoofing attacks. The vulnerability is triggered by specially crafted .library-ms files embedded within compressed archives like RAR or ZIP. When these files are decompressed, they can trigger an SMB authentication request, leading to the disclosure of the user’s NTLM hash. The vulnerability has a CVSS score of 7.5, indicating a significant risk.
Microsoft has released a security announcement and a patch to address the issue across a range of Windows versions including Windows 10, Windows 11 and Windows Server versions from 2012 R2 to 2022. Users are urged to install the patch as soon as possible to mitigate the risk of exploitation. The vulnerability stems from the implicit trust and automatic file parsing behavior of .library-ms files by Windows Explorer, making it crucial for users to update their systems promptly.
Recommended read:
References :
- nsfocusglobal.com: Windows File Explorer Spoofing Vulnerability (CVE-2025-24071)
- www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
|
|
FlagThis - #windows