CyberSecurity news

FlagThis - #windows

@cyberpress.org //
Iranian advanced persistent threat (APT) groups have significantly escalated their cyberattacks against critical U.S. infrastructure, with a notable 133% surge in activity observed during May and June 2025. The transportation and manufacturing sectors have been identified as the primary targets of these intensified operations. This trend aligns with ongoing geopolitical tensions, as well as recent warnings issued by U.S. authorities like CISA and the Department of Homeland Security, which highlighted U.S. entities as prime targets for Iranian cyber actors.

Nozomi Networks Labs reported a total of 28 distinct cyber incidents linked to Iranian APTs during May and June, a substantial increase from the 12 incidents recorded in the preceding two months. Among the most active groups identified are MuddyWater, which targeted at least five U.S. companies primarily in the transportation and manufacturing sectors, and APT33, responsible for attacks on at least three U.S. entities. Other groups such as OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice were also observed conducting attacks against U.S. companies in these critical industries.

The resurfacing of the Iranian-backed Pay2Key ransomware, now operating as Pay2Key.I2P, further highlights the evolving threat landscape. This ransomware-as-a-service operation, linked to the Fox Kitten APT group, is reportedly offering an 80% profit share to affiliates targeting Iran's adversaries, including the U.S. and Israel. This financially motivated scheme has also demonstrated an ideological commitment, with claims of over 51 successful ransom payouts, netting substantial profits. The use of the Invisible Internet Project (I2P) for its infrastructure represents a notable shift in RaaS operations, potentially enhancing its evasiveness.

Recommended read:
References :
  • securityaffairs.com: Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates
  • www.morphisec.com: Reporting on Iranian CyberWarfare
  • newsinterpretation.com: Iranian ransomware gang Pay2Key/I2P returns, offers huge rewards for attacks on U.S. and Israel.
  • Matthew Rosenquist: Iran sponsored Pay2Key Ransomware-as-a-Service (RaaS)
  • securityonline.info: Iranian Ransomware “Pay2Key.I2P†Resurfaces on I2P Network, Offering 80% Profit for Targeting Western Enemies
  • The Hacker News: Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals
  • Industrial Cyber: Nozomi finds 133% surge in Iranian cyberattacks targeting US, as transportation and manufacturing most affected
  • cyberpress.org: CyberPress: Iranian APTs Launch Active Cyberattacks on Transportation and Manufacturing Industries
  • industrialcyber.co: Industrial Cyber: Nozomi finds 133% surge in Iranian cyberattacks targeting US, as transportation and manufacturing most affected
  • gbhackers.com: gbhackers: Iranian APT Hackers Targeting Transportation and Manufacturing Sectors in Active Attacks

Rescana@Rescana //
Amidst escalating regional conflicts, Iran has taken the drastic measure of shutting down internet access for its citizens, a move the government defends as a necessary precaution against Israeli cyberattacks. This disruption has severely impacted communication within the country, leaving Iranians abroad unable to connect with loved ones. One such individual, Amir Rashidi, expressed his anxiety, stating he hadn't heard from his family in two days and was relying on someone else for updates. The situation highlights the growing intersection of cyber warfare and real-world consequences for civilians.

The internet blackout is not the first instance of Iran limiting connectivity. In the past, similar restrictions were imposed during periods of political unrest, such as protests in 2019 and 2022. These shutdowns are implemented by pushing people towards domestic apps, which are often less secure, while also severely restricting access to vital information. Experts like Doug Madory from Kentik have documented significant drops in internet connectivity within Iran following recent Israeli airstrikes, with reductions of 54% initially, followed by further declines of 49% and, subsequently, a staggering 90%.

In a defensive maneuver against cyber threats, Iran is throttling its National Internet Infrastructure. The country claims it is restricting internet connectivity to counter cyber attacks amid regional conflict. The stated aim is to impede cyber intrusions and the synchronization of adversarial operations. An example of the threats Iran faces is demonstrated by the Israeli-linked hackers who seized and burned $90 million from Iran's Nobitex exchange.

Recommended read:
References :
  • infosec.exchange: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did to protect against Israeli cyberattacks. I spoke to two Iranians who live abroad and can't communicate with their loved ones back home because of the blackout.
  • WIRED: Iran is limiting internet connectivity for citizens amid Israeli airstrikes—pushing people towards domestic apps, which may not be secure, and limiting their ability to access vital information. —
  • Rescana: Iran National Internet Infrastructure Throttling: Cyber Defense Strategy to Prevent Attacks Amid Regional Conflict
  • Cyber Florida at USF: CIP Flash Bulletin | Heightened Iranian Cyber Threat Activity
  • www.scworld.com: DHS: Attacks on US critical infrastructure likely following Iran strikes
  • Arctic Wolf: Cybersecurity Risks Amid Rising Iran–U.S. Tensions
  • : Sysdig Threat Bulletin: Iranian Cyber Threats
  • Tidal Cyber Blog: Iran Cyber Threat Assessment and Defensive Guidance
  • arcticwolf.com: Cybersecurity risks amid rising Iran-U.S. tensions after US strikes.
  • Metacurity: DHS warns of likely Iranian cyberattacks following US missile strikes.
  • nsfocusglobal.com: The Hacktivist Cyber Attacks in the Iran-Israel Conflict
  • www.esecurityplanet.com: US Warns of Iranian Cyber Threats as Tensions Rise Over Middle East Conflict
  • Security Risk Advisors: Iran-Linked Cyber Fattah Leaks Saudi Games Athletes and Visitors Data
  • abcnews.go.com: Iranian-backed hackers at work after US strikes
  • news.sky.com: Businesses urged to strengthen cyber defences amid increase in Iran-adjacent attacks
  • Unit 42: Threat Brief: Escalation of Cyber Risk Related to Iran
  • Tenable Blog: Cybersecurity Snapshot: U.S. Gov’t Urges Adoption of Memory-Safe Languages and Warns About Iran Cyber Threat

@blog.redteam-pentesting.de //
A new Kerberos relay attack, identified as CVE-2025-33073, has been discovered that bypasses NTLM protections and allows attackers to escalate privileges to NT AUTHORITY\SYSTEM. This reflective Kerberos relay attack involves coercing a host to authenticate, intercepting the Kerberos ticket, and relaying it back to the same host, effectively exploiting misconfigurations and the lack of enforced SMB signing. RedTeam Pentesting discovered the vulnerability in January 2025 and disclosed it to Microsoft in an extensive whitepaper.

Microsoft addressed this vulnerability as part of the June 2025 Patch Tuesday. Technical analyses of CVE-2025-33073 have been published by RedTeam Pentesting and Synacktiv. The vulnerability is rooted in how the SMB client negotiates Kerberos authentication. When the SMB client has negotiated Kerberos instead of NTLM, a session key is inserted into a global list, KerbSKeyList, without proper checks, allowing attackers to reuse a subkey under specific conditions to forge a privileged token.

The attack begins with authentication coercion via SMB, tricking a victim machine into connecting to a malicious SMB server. The server forces the client into Kerberos authentication, generates a subkey, logs it into KerbSKeyList with privileged token data, and forges a valid AP-REQ ticket using the subkey. The SMB client accepts and validates the forged ticket, leading to the generation of a SYSTEM token and granting administrative privileges. A proof-of-concept exploit has been made available to demonstrate the vulnerability's potential.

Recommended read:
References :
  • bsky.app: RedTeam Pentesting and Synacktiv have published technical analyses of CVE-2025-33073, a new way to execute NTLM reflection attacks. This was fixed in this month's Patch Tuesday and also works against Kerberos.
  • Catalin Cimpanu: RedTeam Pentesting and Synacktiv have published technical analyses of CVE-2025-33073, a new way to execute NTLM reflection attacks. This was fixed in this month's Patch Tuesday and also works against Kerberos.
  • securityonline.info: Windows SMB Flaw (CVE-2025-33073): SYSTEM Privilege Escalation via Kerberos, PoC Available
  • blog.redteam-pentesting.de: Reflective Kerberos Relay Attack
  • www.synacktiv.com: NTLM reflection is dead, long live NTLM reflection: An in-depth analysis of CVE-2025
  • Daily CyberSecurity: Windows SMB Flaw (CVE-2025-33073): SYSTEM Privilege Escalation via Kerberos, PoC Available
  • infosecwriteups.com: Reflective Kerberos Relay Attack (CVE-2025-33073): NT AUTHORITY\SYSTEM Privilege Escalation

@research.checkpoint.com //
Microsoft's June 2025 Patch Tuesday has addressed a total of 66 vulnerabilities across its product range, with one zero-day vulnerability, CVE-2025-33053, being actively exploited in the wild. This critical flaw exists in the Web Distributed Authoring and Versioning (WebDAV) implementation, and its exploitation could lead to remote code execution. Microsoft has issued an urgent security update to mitigate this threat, even for outdated systems like Windows Server 2008 and components of the long-retired Internet Explorer. The urgency of this patch is underscored by the ongoing exploitation of the vulnerability by the Stealth Falcon APT group.

The actively exploited zero-day, CVE-2025-33053, poses a significant risk because attackers can achieve remote code execution at the local level simply by tricking a user into following a malicious link. This vulnerability has been exploited since March 2025 by Stealth Falcon, a hacking group known for targeted attacks in the Middle East. Researchers at Check Point discovered the flaw being used against a Turkish defense company, where malware was inserted to facilitate data exfiltration and the installation of a custom keylogger. The attack involves a .url file disguised as a PDF, which, when clicked, redirects to a WebDAV server controlled by the attacker, causing a legitimate Windows diagnostic tool to execute a malicious file.

Alongside the actively exploited zero-day, Microsoft's June 2025 Patch Tuesday addresses a range of other vulnerabilities, including ten that are rated as "Critical". Another notable flaw, CVE-2025-33073, affects the Windows Server Message Block (SMB) client and could allow attackers to gain SYSTEM privileges. This vulnerability is considered less likely to be exploited but can be mitigated by enforcing server-side SMB signing via Group Policy. The updates also include fixes for vulnerabilities in Microsoft Office, .NET, Visual Studio, and other products, highlighting the breadth of the security update.

Recommended read:
References :
  • isc.sans.edu: Microsoft today released patches for 67 vulnerabilities. 10 of these vulnerabilities are rated critical. One vulnerability has already been exploited and another vulnerability has been publicly disclosed before today.
  • BleepingComputer: Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws
  • Tenable Blog: Microsoft’s June 2025 Patch Tuesday Addresses 65 CVEs (CVE-2025-33053)
  • cyberinsider.com: Microsoft's June 2025 Patch Tuesday addresses 66 vulnerabilities across its product suite, including a high-severity zero-day in the WebDAV service that is currently being exploited in the wild.
  • securityonline.info: Stealth Falcon Exploits New Zero-Day (CVE-2025-33053) in Sophisticated Cyberespionage Campaign
  • Cisco Talos Blog: Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities
  • borncity.com: Summarizes the Microsoft security updates for June 10, 2025, noting the zero-day classification.
  • Threats | CyberScoop: Microsoft Patch Tuesday addresses 66 vulnerabilities, including an actively exploited zero-day
  • hackread.com: June 2025 Patch Tuesday: Microsoft Fixes 66 Bugs, Including Active 0-Day
  • CyberInsider: Summary of the June 2025 Patch Tuesday release.
  • research.checkpoint.com: Check Point Research discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server.
  • gbhackers.com: Microsoft Patch Tuesday June 2025 – 66 Vulnerabilities Patched Including 2 Zero-Day
  • cyberscoop.com: Reports on Microsoft patching 66 vulnerabilities, including an actively exploited zero-day.
  • bsky.app: This month, Microsoft patched 67 vulnerabilities, including one actively exploited zero-days—CVE-2025-33053, a WebDAV RCE discovered by Check Point
  • gbhackers.com: Microsoft Windows WebDAV 0-Day RCE Vulnerability Actively Exploited in The Wild
  • www.helpnetsecurity.com: Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053)
  • Kaspersky official blog: CVE-2025-33053: RCE in WebDAV | Kaspersky official blog
  • The Hacker News: Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild
  • blog.checkpoint.com: Inside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day
  • Check Point Blog: Inside Stealth Falcon's Espionage Campaign Using a Microsoft Zero-Day
  • securityonline.info: Stealth Falcon Exploits New Zero-Day (CVE-2025-33053) in Sophisticated Cyberespionage Campaign
  • Blog: Microsoft’s June addressed 66 vulnerabilities. Notably, one of them has been actively exploited, and one other has been publicly disclosed.
  • go.theregister.com: Microsoft warns of 66 flaws to fix for this Patch Tuesday, and two are under active attack
  • arcticwolf.com: Arctic Wolf's blog covering the June 2025 Microsoft Patch Tuesday, mentioning CVE-2025-33053.
  • socprime.com: A new critical zero-day RCE vulnerability in Microsoft Windows, tracked as CVE-2025-33053, has been actively exploited by the Stealth Falcon (aka FruityArmor) APT group. The flaw leads to RCE by manipulating the system’s working directory.
  • www.bleepingcomputer.com: An APT hacking group known as 'Stealth Falcon' exploited a Windows WebDav RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, Egypt, and Yemen.
  • arcticwolf.com: Arctic Wolf observes that Microsoft Patch Tuesday: June 2025 includes CVE-2025-33053.
  • Virus Bulletin: Check Point Research discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server.
  • borncity.com: Microsoft Security Update Summary (June 10, 2025)
  • www.threatdown.com: June 2025 Microsoft Patch Tuesday fixes two zero-days
  • Arctic Wolf: Microsoft Patch Tuesday: June 2025
  • Help Net Security: Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053)
  • thecyberexpress.com: Microsoft Patch Tuesday June 2025: One Zero-Day, Nine High-risk Flaws Fixed
  • infosecwriteups.com: (CVE-2025-33053) New 0-Day in WebDAV Exposes Servers to Remote Code Execution  —  Here’s What You…
  • Action1: June 2025 Vulnerability Digest Recording
  • 0patch Blog: Micropatches Released for WEBDAV Remote Code Execution Vulnerability (CVE-2025-33053)
  • Check Point Research: CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage

@blogs.microsoft.com //
Microsoft has launched the European Security Program (ESP), a new initiative aimed at significantly strengthening cybersecurity across Europe. The program provides critical resources to governments within the European Union, the United Kingdom, EU accession countries, and members of the European Free Trade Association. Microsoft Vice Chair Brad Smith unveiled the ESP in Berlin, emphasizing the need for enhanced cyber protection amidst growing sophistication and scope of cyber threats.

The ESP is a three-pronged strategy that includes AI-enhanced threat intelligence, direct collaboration with Europol, and automated disruption of malicious infrastructure. This program aims to counter the rising tide of cyberattacks from nation-state actors, specifically those originating from Russia, China, Iran, and North Korea. Microsoft is offering these AI-powered defense tools and threat intelligence resources free of charge, to the 27 EU nations.

By offering these resources, Microsoft intends to bolster digital sovereignty and address the operational complexities faced by European governments in defending against cyber threats. The initiative underscores Microsoft's commitment to sharing threat intelligence, strengthening cybersecurity capacity, and expanding partnerships to effectively disrupt malicious cyber activities. The free cyber security support will help European governments combat state-sponsored hackers as attacks continue to intensify across the continent.

Recommended read:
References :
  • ComputerWeekly.com: Microsoft outlines three-pronged European cyber strategy
  • www.csoonline.com: Microsoft launches European Security Program to counter nation-state threats
  • Tech Monitor: Microsoft unveils ‘European Security Program’ initiative to enhance cyber defences
  • BleepingComputer: Microsoft unveils free EU cybersecurity program for governments

@blog.checkpoint.com //
Microsoft has revealed that Lumma Stealer malware has infected over 394,000 Windows computers across the globe. This data-stealing malware has been actively employed by financially motivated threat actors targeting various industries. Microsoft Threat Intelligence has been tracking the growth and increasing sophistication of Lumma Stealer for over a year, highlighting its persistent threat in the cyber landscape. The malware is designed to harvest sensitive information from infected systems, posing a significant risk to users and organizations alike.

Microsoft, in collaboration with industry partners and international law enforcement, has taken action to disrupt the infrastructure supporting Lumma Stealer. However, the developers behind the malware are reportedly making significant efforts to restore servers and bring the operation back online, indicating the tenacity of the threat. Despite these efforts, security researchers note that the Lumma Stealer operation has suffered reputational damage, potentially making it harder to regain trust among cybercriminals.

In related news, a new Rust-based information stealer called EDDIESTEALER is actively spreading through fake CAPTCHA campaigns, using the ClickFix social engineering tactic to trick users into running malicious PowerShell scripts. EDDIESTEALER targets crypto wallets, browser data, and credentials, demonstrating a continued trend of malware developers utilizing Rust for its enhanced stealth and stability. These developments underscore the importance of vigilance and robust cybersecurity practices to protect against evolving malware threats.

Recommended read:
References :
  • www.microsoft.com: Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer
  • Catalin Cimpanu: Mastodon: The developers of the Lumma Stealer malware are making significant efforts to restore servers and return online.
  • blog.checkpoint.com: Lumma infostealer: Down but not out
  • community.emergingthreats.net: Summary: 46 new OPEN, 153 new PRO (46 + 107) Added rules: Open: 2062667 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (acoustpbns .run) (malware.rules)
  • Catalin Cimpanu: -New npm and PyPI malware (of course) -New DataCarry ransomware gang -Lumma Stealer infrastructure is returning online -Haozi PhaaS returns -T-Rex cryptominer infects South Korean internet cafes -Profiles on Ukrainian hacker group BO Team and Russian cyber unit GRU Unit 29155

@securityonline.info //
A new Rust-based infostealer, EDDIESTEALER, is being spread using the ClickFix social engineering technique, according to a report by Elastic Security Labs on May 30, 2025. This method leverages fake CAPTCHA prompts on compromised websites. Users are tricked into copying and pasting a PowerShell command into their Windows terminal, believing they are verifying they aren't a robot. This command then downloads and executes a malicious JavaScript file, gverify.js, which in turn retrieves the final EDDIESTEALER payload.

The EDDIESTEALER malware is designed to steal sensitive information from infected hosts. Written in Rust, it avoids static analysis through various obfuscation techniques, including XOR string encryption and stripping of function symbols. The malware dynamically retrieves a task list from the attacker's command-and-control (C2) server, enabling it to adapt its behavior over time. Elastic Security Labs has observed it targeting a range of cryptocurrency wallets, web browsers, password managers, FTP clients, and the Telegram messaging app.

EDDIESTEALER also employs several evasion techniques, including a basic anti-sandbox check, a self-deletion mechanism, and a custom Windows API lookup method to avoid static analysis of its API interactions. The dynamic C2 tasking method allows attackers to update the list of targeted apps as needed, providing greater flexibility and adaptability. Security experts emphasize the continued popularity of the ClickFix social engineering method and the increasing use of the Rust programming language among malware developers in campaigns like this.

Recommended read:
References :
  • Anonymous ???????? :af:: “Prove you're not a robot” — turns into full system breach! Hackers are using fake CAPTCHA checks to deploy a stealthy new Rust malware, EDDIESTEALER, via ClickFix—a social engineering trick abusing PowerShell on Windows , ,
  • securityonline.info: EDDIESTEALER: New Rust Infostealer Uses Fake CAPTCHAs to Hijack Crypto Wallets & Data
  • The Hacker News: New EDDIESTEALER Malware Bypasses Chrome's App-Bound Encryption to Steal Browser Data
  • www.scworld.com: ClickFix used to spread novel Rust-based infostealer

info@thehackernews.com (The@The Hacker News //
A new Windows Remote Access Trojan (RAT) has been discovered that employs a novel technique to evade detection. The malware corrupts its own DOS and PE headers, making it significantly more difficult for security tools to analyze and reconstruct the malicious code. This method obstructs forensic analysis and allows the RAT to operate stealthily on compromised Windows machines for extended periods, in some cases, for weeks before being detected. The FortiGuard Incident Response Team conducted a detailed investigation into this malware.

The Fortinet team managed to obtain a memory dump of the live malware process (dllhost.exe process PID 8200) and a complete 33GB memory dump of the compromised system. By meticulously replicating the compromised environment, they were able to revive the dumped malware in a controlled setting. This allowed them to observe its operations and communication patterns. The researchers had to manually identify the malware's entry point, allocate memory, and resolve API addresses through debugging, address relocation, and parameter adjustments to emulate the malware's behaviour in a lab setting.

Once operational, the malware was found to communicate with a command-and-control (C2) server at rushpaperscom over port 443, utilizing TLS encryption. Fortinet analysts identified the malware's use of Windows API functions like SealMessage() and DecryptMessage() to handle encrypted traffic, along with an additional layer of custom encryption. Analysis confirms that the malware is a RAT, allowing attackers to capture screenshots, manipulate system services, and establish connections with other clients.

Recommended read:
References :
  • ciso2ciso.com: New Malware Spotted Corrupts Its Own Headers to Block Analysis – Source:hackread.com
  • hackread.com: New Windows Malware Spotted Corrupts Its Own Headers to Block Analysis
  • The Hacker News: New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers
  • ciso2ciso.com: The FortiGuard Incident Response Team has released a detailed investigation into a newly discovered malware that managed to quietly operate on a compromised Windows machine for several weeks.