Found 555 bookmarks
Custom sorting
New TorNet backdoor seen in widespread campaign
New TorNet backdoor seen in widespread campaign
Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany. The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware. The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence. The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions. We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion.
#talosintelligence#EN#2025#TorNet#backdoor#campaign#Poland#Germany#analysis#malware
·blog.talosintelligence.com·
New TorNet backdoor seen in widespread campaign
Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor
Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor
Salt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has breached at least nine U.S.-based telecommunications companies with the intent to target high profile government and political figures. Tenable Research examines the tactics, techniques and procedures of this threat actor.
#tenable#EN#2025#Salt-Typhoon#Analysis#vulnerabilies#State-Sponsored
·tenable.com·
Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor
IntelBroker Unmasked: KELA’s In-Depth Analysis of a Cybercrime Leader
IntelBroker Unmasked: KELA’s In-Depth Analysis of a Cybercrime Leader
Introduction In the ever-evolving world of cybercrime, IntelBroker has emerged as one of its most prominent figures. Known for his high-profile breaches, IntelBroker’s actions have shaken both corporations and government entities alike. At KELA, our deep dive into his online presence has revealed valuable insights, with OSINT traces playing a pivotal role in uncovering his […]
#kelacyber#EN#2025#Analysis#IntelBroker#Unmasked
·kelacyber.com·
IntelBroker Unmasked: KELA’s In-Depth Analysis of a Cybercrime Leader
Backdooring Your Backdoors - Another $20 Domain, More Governments
Backdooring Your Backdoors - Another $20 Domain, More Governments
After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves the ability to issue valid and trusted TLS/
#watchtowr#EN#2025#backdoor#infrastructure#abandoned#access#analysis#hack#research#hackback
·labs.watchtowr.com·
Backdooring Your Backdoors - Another $20 Domain, More Governments
Inside FireScam : An Information Stealer with Spyware Capabilities
Inside FireScam : An Information Stealer with Spyware Capabilities
  • FireScam is an information stealing malware with spyware capabilities. It is distributed as a fake ‘Telegram Premium’ APK via a phishing website hosted on the GitHub.io domain, mimicking the RuStore app store. The phishing website delivers a dropper that installs the FireScam malware disguised as the Telegram Premium application. The malware exfiltrates sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint. FireScam monitors device activities such as screen state changes, e-commerce transactions, clipboard activity, and user engagement to gather valuable information covertly. Captures notifications across various apps, including system apps, to potentially steal sensitive information and track user activities. It employs obfuscation techniques to hide its intent and evade detection by security tools and researchers. FireScam performs checks to identify if it is running in an analysis or virtualized environment. The malware leverages Firebase for command-and-control communication, data storage, and to deliver additional malicious payloads. Exfiltrated data is temporarily stored in the Firebase Realtime Database, filtered for valuable content, and later removed. The Firebase database reveals potential Telegram IDs linked to the threat actors and contains URLs to other malware specimens hosted on the phishing site. By exploiting the popularity of messaging apps and other widely used applications, FireScam poses a significant threat to individuals and organizations worldwide.
#cyfirma#EN#2025#FireScam#Telegram#Premium#analysis#fake#apk#android#malware
·cyfirma.com·
Inside FireScam : An Information Stealer with Spyware Capabilities
Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282)
Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282)
We agree - modern security engineering is hard - but none of this is modern. We are discussing vulnerability classes - with no sophisticated trigger mechanisms that fuzzing couldnt find - discovered in the 1990s, that can be trivially discovered via basic fuzzing, SAST (the things product security teams do with real code access). As an industry, should we really be communicating that these vulnerability classes are simply too complex for a multi-billion dollar technology company that builds enterprise-grade, enterprise-priced network security solutions to proactively resolve?
#watchtowr#EN#2024#CVE-2025-0282#analysis#Ivanti#criticism#Connect#Secure
·labs.watchtowr.com·
Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282)
FunkSec – Alleged Top Ransomware Group Powered by AI
FunkSec – Alleged Top Ransomware Group Powered by AI
  • The FunkSec ransomware group emerged in late 2024 and published over 85 victims in December, surpassing every other ransomware group that month. FunkSec operators appear to use AI-assisted malware development which can enable even inexperienced actors to quickly produce and refine advanced tools. The group’s activities straddle the line between hacktivism and cybercrime, complicating efforts to understand their true motivations. Many of the group’s leaked datasets are recycled from previous hacktivism campaigns, raising doubts about the authenticity of their disclosures. Current methods of assessing ransomware group threats often rely on the actors’ own claims, highlighting the need for more objective evaluation techniques.
#checkpoint#EN#2024#FunkSec#analysis#ransomware
·research.checkpoint.com·
FunkSec – Alleged Top Ransomware Group Powered by AI
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024. On Wednesday, Jan. 8, 2025, Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure (“ICS”) VPN appliances. Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning mid-December 2024. CVE-2025-0282 is an unauthenticated stack-based buffer overflow. Successful exploitation could result in unauthenticated remote code execution, leading to potential downstream compromise of a victim network.
#Mandiant#EN#2025#CVE-2025-0282#CVE-2025-0283#IoC#exploitation#analysis#postexploitation#Ivanti
·cloud.google.com·
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
DoubleClickjacking: A New Era of UI Redressing
DoubleClickjacking: A New Era of UI Redressing
“Clickjacking” attacks have been around for over a decade, enabling malicious websites to trick users into clicking hidden or disguised buttons they never intended to click . This technique is becoming less practical as modern browsers set all cookies to “SameSite: Lax” by default. Even if an attacker site can frame another website, the framed site would be unauthenticated, because cross-site cookies are not sent. This significantly reduces the risk of successful clickjacking attacks, as most interesting functionality on websites typically requires authentication.
#paulosyibelo#EN#2024#DoubleClickjacking#analysis#technique
·paulosyibelo.com·
DoubleClickjacking: A New Era of UI Redressing
Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition
Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition
An analysis of benign internet scanner behavior across 24 new sensors in November 2024, examining discovery speed, port coverage, and vulnerability scanning capabilities of major services like ONYPHE, Censys, and ShadowServer. The study reveals most scanners found new assets within 5 minutes, with Censys leading in port coverage and ShadowServer in vulnerability detection.
#greynoise#EN#2024#analysis#Benign#Internet#Scanners
·greynoise.io·
Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition
Effective Phishing Campaign Targeting European Companies and Organizations
Effective Phishing Campaign Targeting European Companies and Organizations
A phishing campaign targeting European companies used fake forms made with HubSpot's Free Form Builder, leading to credential harvesting and Azure account takeover. A phishing campaign targeting European companies used fake forms made with HubSpot's Free Form Builder, leading to credential harvesting and Azure account takeover.
#unit42#EN#2024#Phishing#Campaign#EU#Azure#takeover#HubSpot#analysis
·unit42.paloaltonetworks.com·
Effective Phishing Campaign Targeting European Companies and Organizations
Three Months After the Storm: Did Cybercriminals Move to Telegram Alternatives? • KELA Cyber Threat Intelligence
Three Months After the Storm: Did Cybercriminals Move to Telegram Alternatives? • KELA Cyber Threat Intelligence
Introduction Telegram, as previously reported by KELA, is a popular and legitimate messaging platform that has evolved in the past few years into a major platform for cybercriminal activities. Its lack of strict content moderation has made the platform cybercriminals’ playground. They use the platform for distribution of stolen data and hacking tools, publicizing their […]
#kelacyber#EN#2024#Telegram#analysis#KELA#platform#cybercriminals
·kelacyber.com·
Three Months After the Storm: Did Cybercriminals Move to Telegram Alternatives? • KELA Cyber Threat Intelligence
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA
KEY TAKEAWAYS Volexity discovered and reported a vulnerability in Fortinet's Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN. This vulnerability was abused by BrazenBamboo in their DEEPDATA malware. BrazenBamboo is the threat actor behind development of the LIGHTSPY malware family. LIGHTSPY variants have been discovered for all major operating systems, including iOS, and Volexity has recently discovered a new Windows variant. In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices. Analysis of the sample revealed a plugin that was designed to […]
#volexity#EN#VPN#analysis#FortiClient#Vulnerability#BrazenBamboo#DEEPDATA#stealer
·volexity.com·
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA