The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Australian Cyber Security Centre (ACSC) released an updated advisory detailing the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) related to the Play ransomware group, active since 2022 and responsible for widespread attacks. The advisory includes new behaviors such as…
Category: Threat Research

A spoofing vulnerability in the Microsoft Defender for Identity (MDI) sensor related to the Lateral Movement Paths (LMPs) feature allows an unauthenticated local network attacker to capture the Net-NTLM hash of the Directory Service Account (DSA). This vulnerability can be exploited to escalate privileges and establish a foothold in Active Directory environments, especially when combined with other security weaknesses. #CVE2025-26685 #MicrosoftDefenderForIdentity #LateralMovementPaths #DirectoryServiceAccount

This report analyzes recent cyber threats targeting financial companies in Korea and internationally, with a focus on ransomware attacks by groups like Arkana and LockBit. It highlights significant data breaches affecting customer information and emphasizes the need for stronger security measures beyond basic regulatory compliance. #Arkana #LockBit #FinancialSectorBreaches…

A large-scale campaign is compromising legitimate websites by injecting obfuscated JavaScript using the JSFireTruck technique, redirecting users from search engines to malicious pages that deliver malware and unwanted content. The campaign affects hundreds of thousands of webpages and employs type coercion-based obfuscation, making detection and analysis challenging. #JSFireTruck #Unit42 #VirusTotal…

Proofpoint researchers uncovered the UNKSneakyStrike campaign using the TeamFiltration framework to target Microsoft Entra ID accounts through large-scale user enumeration and password spraying. The campaign, active since December 2024, leverages AWS infrastructure and exploits native Microsoft applications for account takeover and data exfiltration. #UNKSneakyStrike #TeamFiltration #MicrosoftEntraID…

Adversary-in-the-Middle (AitM) phishing attacks increasingly target Microsoft 365 and Google accounts, leveraging sophisticated phishing kits offered as Phishing-as-a-Service (PhaaS). These kits harvest session cookies to bypass multi-factor authentication, facilitating financial fraud and Business Email Compromise (BEC) attacks. #Tycoon2FA #Storm1167 #EvilProxy #SekoiaTDR

ClickFix is a social engineering technique exploiting end users by disguising malicious PowerShell commands as routine verification prompts, enabling threat actors to gain network access and exfiltrate data. Since March 2024, various threat actors including APT28 and MuddyWater have leveraged this method to target multiple industries globally. #ClickFix #APT28 #MuddyWater

SoraAI.lnk is an information stealer malware masquerading as OpenAI’s Sora that uses GitHub to download its malicious payload and exfiltrate data via Telegram. It collects extensive user information including browser data, crypto wallets, game launcher configurations, and system files, before uploading the stolen data to an external hosting site if it exceeds a certain size. #SoraAI #TelegramBot #GoFile.io

Recent phishing attacks increasingly exploit SharePoint links to bypass security tools and harvest credentials through sophisticated multi-step validation processes. Attackers leverage trusted Microsoft platforms and stealthy hosting to evade detection and compromise user accounts with advanced MFA manipulations. #SharePointPhishing #MultiFactorAuthentication #MicrosoftPhishing

Nytheon AI is a Tor-based platform offering a suite of uncensored large language models (LLMs) designed for malicious activities, combining multiple open-source models with disabled safety features. Likely operated by a Russian-speaking individual from a post-Soviet country, it enables diverse attacks such as spear-phishing and turnkey API-driven exploits. #NytheonAI #Llama3 #CatoCTRL

MISSION2025, also known as APT41, is a Chinese state-sponsored threat group active since 2012, focusing on cyberespionage and financially motivated attacks aligned with China’s strategic goals. Their recent campaigns feature sophisticated use of cloud services for command and control and exploitation of software vulnerabilities to target governments and critical infrastructure globally. #MISSION2025 #APT41 #TOUGHPROGRESS #IvantiEPMM

The MITRE Corporation’s April 2025 update introduced seven new threat groups along with associated IoCs, revealing new insights through expanded data analysis by WhoisXML API. The analysis uncovered numerous additional domains, IPs, and email-connected domains linked to these groups, enhancing threat detection capabilities. #APT42 #BlackByte #RedEcho #SeaTurtle #Storm1811 #VelvetAnt

Threat actors have been exploiting the popularity of the DeepSeek-R1 large language model by distributing malware through phishing sites and malvertising campaigns that mimic its official environment. The attacks deploy the BrowserVenom implant, which reroutes browser traffic through a malicious proxy to intercept and manipulate victim data. #DeepSeekR1 #BrowserVenom #app-updater1.app

The ransomware group Black Basta disbanded after internal chat leaks, but its tactics, especially mass email spam and Microsoft Teams phishing, continue to be used by former members and new groups. Emerging attack methods now include Python script execution with cURL for payload delivery, emphasizing the need for strong user education and vigilant defense strategies. #BlackBasta #MicrosoftTeamsPhishing #CactusRaaS

CyberEye, also known as TelegramRAT, is a modular .NET-based Remote Access Trojan that uses Telegram Bot API for command and control, enabling stealthy surveillance and data theft without requiring attacker infrastructure. Its capabilities include credential harvesting, defense evasion by disabling Windows Defender, clipboard hijacking, and persistence via scheduled tasks, making it a significant threat for users and organizations. #CyberEye #TelegramRAT #TelegramBotAPI