Surge in MOVEit Transfer Scanning Activity Could Signal Emerging Threat Activity
GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025. Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day. 682 unique IPs have triggered GreyNoise’s MOVEit Transfer Scanner tag over the past 90 days. The surge began on May 27 — prior activity was near-zero. 303 IPs (44%) originate from Tencent Cloud (ASN 132203) — by far the most active infrastructure. Other source providers include Cloudflare (113 IPs), Amazon (94), and Google (34). Top destination countries include the United Kingdom, United States, Germany, France, and Mexico. * The overwhelming majority of scanner IPs geolocate to the United States.
Join Ido Kringel and the Deep Instinct Threat Research Team in this deep dive into a recently discovered, Office-based regex evasion technique Microsoft Office-based attacks have long been a favored tactic amongst cybercriminals— and for good reason. Attackers frequently use Office documents in cyberattacks because they are widely trusted. These files, such as Word or Excel docs, are commonly exchanged in business and personal settings. They are also capable of carrying hidden malicious code, embedded macros, and external links that execute code when opened, especially if users are tricked into enabling features like macros. Moreover, Office documents support advanced techniques like remote template injection, obfuscated macros, and legacy features like Excel 4.0 macros. These allow attackers to bypass antivirus detection and trigger multi-stage payloads such as ransomware or information-stealing malware. Since Office files are familiar to users and often appear legitimate (e.g., invoices, resumes, or reports), they’re also highly effective tools in phishing and social engineering attacks. This mixture of social credit and advanced attack characteristics unique to Office files, as well as compatibility across platforms and integration with scripting languages, makes them ideal for initiating sophisticated attacks with minimal user suspicion. Last year, Microsoft announced the availability of three new functions that use Regular Expressions (regex) to help parse text more easily: Regex are sequences of characters that define search patterns, primarily used for string matching and manipulation. They enable efficient text processing by allowing complex searches, replacements, and validations based on specific criteria.
New Star Blizzard spear-phishing campaign targets WhatsApp accounts | Microsoft Security Blog
In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group. This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures (TTPs) to leverage a […]
Unidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia
The team at CYFIRMA analyzed a malicious Android sample designed to target high-value assets in Southern Asia. This sample, attributed to an unknown threat actor, was generated using the Spynote Remote Administration Tool. While the specifics of the targeted asset remain confidential, it is likely that such a target would attract the interest of APT groups. However, we are restricted from disclosing further details about the actual target and its specific region. For a comprehensive analysis, please refer to the detailed report
iVerify Mobile Threat Investigation Uncovers New Pegasus Samples
iVerify’s Mobile Threat Hunting finds Pegasus spyware is more prevalent and capable of infecting a wide range of devices, not just devices of high-risk users.
Since February 2024, the World Watch Cyber Threat Intelligence team has been working on an extensive study of the private and public relationships within the Chinese cyber offensive ecosystem. This includes: An online map showcasing the links between 300+ entities; Historical context on the Chinese state entities dedicated to cyber offensive operations; An analysis of the role of universities and private companies in terms of capacity building; A focus on the ecosystem facilitating the acquisition of vulnerabilities for government use in cyber espionage campaigns.
Routers from China-based TP-Link a national security threat, US lawmakers claim
The two members of Congress called on the Commerce Department to investigate risks related to TP-Link routers amid concerns over state-backed Chinese hacking operations.
SEKOIA.IO presents its Ransomware threat landscape for the first semester of 2022, with the following key points: Ransomware victimology – recent evolutions A busy first half of the year – several newcomers in the ransomware neighborhood Cross-platform ransomware features trend New extortion techniques State-nexus groups carrying out ransomware campaigns Ransomware threat groups’ Dark Web activities * A shift towards extortion without encryption?
ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat
Earlier this year Malwarebytes released its 2022 Threat Review, a review of the most important threats and cybersecurity trends of 2021, and what they could mean for 2022. Among other things it covers the year’s alarming rebound in malware detections, and a significant shift in the balance of email threats.
Online security is extremely important for people in Ukraine and the surrounding region right now. Government agencies, independent newspapers and public service providers need it to function and individuals need to communicate safely. Google’s Threat Analysis Group (TAG) has been working around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information.
SEKOIA.IO presents its Ransomware threat landscape for the first semester of 2022, with the following key points: Ransomware victimology – recent evolutions A busy first half of the year – several newcomers in the ransomware neighborhood Cross-platform ransomware features trend New extortion techniques State-nexus groups carrying out ransomware campaigns Ransomware threat groups’ Dark Web activities * A shift towards extortion without encryption?
ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat
Earlier this year Malwarebytes released its 2022 Threat Review, a review of the most important threats and cybersecurity trends of 2021, and what they could mean for 2022. Among other things it covers the year’s alarming rebound in malware detections, and a significant shift in the balance of email threats.
Online security is extremely important for people in Ukraine and the surrounding region right now. Government agencies, independent newspapers and public service providers need it to function and individuals need to communicate safely. Google’s Threat Analysis Group (TAG) has been working around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information.
SEKOIA.IO presents its Ransomware threat landscape for the first semester of 2022, with the following key points: Ransomware victimology – recent evolutions A busy first half of the year – several newcomers in the ransomware neighborhood Cross-platform ransomware features trend New extortion techniques State-nexus groups carrying out ransomware campaigns Ransomware threat groups’ Dark Web activities * A shift towards extortion without encryption?
ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat
Earlier this year Malwarebytes released its 2022 Threat Review, a review of the most important threats and cybersecurity trends of 2021, and what they could mean for 2022. Among other things it covers the year’s alarming rebound in malware detections, and a significant shift in the balance of email threats.
Online security is extremely important for people in Ukraine and the surrounding region right now. Government agencies, independent newspapers and public service providers need it to function and individuals need to communicate safely. Google’s Threat Analysis Group (TAG) has been working around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information.
As Threats in Space Mount, U.S. Lags in Protecting Key Services
The United States and China are locked in a new race, in space and on Earth, over a fundamental resource: time itself. And the United States is losing. Global positioning satellites serve as clocks in the sky, and their signals have become fundamental to the global economy — as essential for telecommunications, 911 services and financial exchanges as they are for drivers and lost pedestrians.
SEKOIA.IO presents its Ransomware threat landscape for the first semester of 2022, with the following key points: Ransomware victimology – recent evolutions A busy first half of the year – several newcomers in the ransomware neighborhood Cross-platform ransomware features trend New extortion techniques State-nexus groups carrying out ransomware campaigns Ransomware threat groups’ Dark Web activities * A shift towards extortion without encryption?
