Found 507 bookmarks
Custom sorting
IntelBroker Unmasked: KELA’s In-Depth Analysis of a Cybercrime Leader
IntelBroker Unmasked: KELA’s In-Depth Analysis of a Cybercrime Leader
Introduction In the ever-evolving world of cybercrime, IntelBroker has emerged as one of its most prominent figures. Known for his high-profile breaches, IntelBroker’s actions have shaken both corporations and government entities alike. At KELA, our deep dive into his online presence has revealed valuable insights, with OSINT traces playing a pivotal role in uncovering his […]
#kelacyber#EN#2025#Analysis#IntelBroker#Unmasked
·kelacyber.com·
IntelBroker Unmasked: KELA’s In-Depth Analysis of a Cybercrime Leader
Backdooring Your Backdoors - Another $20 Domain, More Governments
Backdooring Your Backdoors - Another $20 Domain, More Governments
After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves the ability to issue valid and trusted TLS/
#watchtowr#EN#2025#backdoor#infrastructure#abandoned#access#analysis#hack#research#hackback
·labs.watchtowr.com·
Backdooring Your Backdoors - Another $20 Domain, More Governments
Inside FireScam : An Information Stealer with Spyware Capabilities
Inside FireScam : An Information Stealer with Spyware Capabilities
  • FireScam is an information stealing malware with spyware capabilities. It is distributed as a fake ‘Telegram Premium’ APK via a phishing website hosted on the GitHub.io domain, mimicking the RuStore app store. The phishing website delivers a dropper that installs the FireScam malware disguised as the Telegram Premium application. The malware exfiltrates sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint. FireScam monitors device activities such as screen state changes, e-commerce transactions, clipboard activity, and user engagement to gather valuable information covertly. Captures notifications across various apps, including system apps, to potentially steal sensitive information and track user activities. It employs obfuscation techniques to hide its intent and evade detection by security tools and researchers. FireScam performs checks to identify if it is running in an analysis or virtualized environment. The malware leverages Firebase for command-and-control communication, data storage, and to deliver additional malicious payloads. Exfiltrated data is temporarily stored in the Firebase Realtime Database, filtered for valuable content, and later removed. The Firebase database reveals potential Telegram IDs linked to the threat actors and contains URLs to other malware specimens hosted on the phishing site. By exploiting the popularity of messaging apps and other widely used applications, FireScam poses a significant threat to individuals and organizations worldwide.
#cyfirma#EN#2025#FireScam#Telegram#Premium#analysis#fake#apk#android#malware
·cyfirma.com·
Inside FireScam : An Information Stealer with Spyware Capabilities
Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282)
Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282)
We agree - modern security engineering is hard - but none of this is modern. We are discussing vulnerability classes - with no sophisticated trigger mechanisms that fuzzing couldnt find - discovered in the 1990s, that can be trivially discovered via basic fuzzing, SAST (the things product security teams do with real code access). As an industry, should we really be communicating that these vulnerability classes are simply too complex for a multi-billion dollar technology company that builds enterprise-grade, enterprise-priced network security solutions to proactively resolve?
#watchtowr#EN#2024#CVE-2025-0282#analysis#Ivanti#criticism#Connect#Secure
·labs.watchtowr.com·
Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282)
FunkSec – Alleged Top Ransomware Group Powered by AI
FunkSec – Alleged Top Ransomware Group Powered by AI
  • The FunkSec ransomware group emerged in late 2024 and published over 85 victims in December, surpassing every other ransomware group that month. FunkSec operators appear to use AI-assisted malware development which can enable even inexperienced actors to quickly produce and refine advanced tools. The group’s activities straddle the line between hacktivism and cybercrime, complicating efforts to understand their true motivations. Many of the group’s leaked datasets are recycled from previous hacktivism campaigns, raising doubts about the authenticity of their disclosures. Current methods of assessing ransomware group threats often rely on the actors’ own claims, highlighting the need for more objective evaluation techniques.
#checkpoint#EN#2024#FunkSec#analysis#ransomware
·research.checkpoint.com·
FunkSec – Alleged Top Ransomware Group Powered by AI
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
Zero-day exploitation of Ivanti Connect Secure VPN vulnerabilities since as far back as December 2024. On Wednesday, Jan. 8, 2025, Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure (“ICS”) VPN appliances. Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning mid-December 2024. CVE-2025-0282 is an unauthenticated stack-based buffer overflow. Successful exploitation could result in unauthenticated remote code execution, leading to potential downstream compromise of a victim network.
#Mandiant#EN#2025#CVE-2025-0282#CVE-2025-0283#IoC#exploitation#analysis#postexploitation#Ivanti
·cloud.google.com·
Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
DoubleClickjacking: A New Era of UI Redressing
DoubleClickjacking: A New Era of UI Redressing
“Clickjacking” attacks have been around for over a decade, enabling malicious websites to trick users into clicking hidden or disguised buttons they never intended to click . This technique is becoming less practical as modern browsers set all cookies to “SameSite: Lax” by default. Even if an attacker site can frame another website, the framed site would be unauthenticated, because cross-site cookies are not sent. This significantly reduces the risk of successful clickjacking attacks, as most interesting functionality on websites typically requires authentication.
#paulosyibelo#EN#2024#DoubleClickjacking#analysis#technique
·paulosyibelo.com·
DoubleClickjacking: A New Era of UI Redressing
Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition
Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition
An analysis of benign internet scanner behavior across 24 new sensors in November 2024, examining discovery speed, port coverage, and vulnerability scanning capabilities of major services like ONYPHE, Censys, and ShadowServer. The study reveals most scanners found new assets within 5 minutes, with Censys leading in port coverage and ShadowServer in vulnerability detection.
#greynoise#EN#2024#analysis#Benign#Internet#Scanners
·greynoise.io·
Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition
Effective Phishing Campaign Targeting European Companies and Organizations
Effective Phishing Campaign Targeting European Companies and Organizations
A phishing campaign targeting European companies used fake forms made with HubSpot's Free Form Builder, leading to credential harvesting and Azure account takeover. A phishing campaign targeting European companies used fake forms made with HubSpot's Free Form Builder, leading to credential harvesting and Azure account takeover.
#unit42#EN#2024#Phishing#Campaign#EU#Azure#takeover#HubSpot#analysis
·unit42.paloaltonetworks.com·
Effective Phishing Campaign Targeting European Companies and Organizations
Three Months After the Storm: Did Cybercriminals Move to Telegram Alternatives? • KELA Cyber Threat Intelligence
Three Months After the Storm: Did Cybercriminals Move to Telegram Alternatives? • KELA Cyber Threat Intelligence
Introduction Telegram, as previously reported by KELA, is a popular and legitimate messaging platform that has evolved in the past few years into a major platform for cybercriminal activities. Its lack of strict content moderation has made the platform cybercriminals’ playground. They use the platform for distribution of stolen data and hacking tools, publicizing their […]
#kelacyber#EN#2024#Telegram#analysis#KELA#platform#cybercriminals
·kelacyber.com·
Three Months After the Storm: Did Cybercriminals Move to Telegram Alternatives? • KELA Cyber Threat Intelligence
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA
KEY TAKEAWAYS Volexity discovered and reported a vulnerability in Fortinet's Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN. This vulnerability was abused by BrazenBamboo in their DEEPDATA malware. BrazenBamboo is the threat actor behind development of the LIGHTSPY malware family. LIGHTSPY variants have been discovered for all major operating systems, including iOS, and Volexity has recently discovered a new Windows variant. In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices. Analysis of the sample revealed a plugin that was designed to […]
#volexity#EN#VPN#analysis#FortiClient#Vulnerability#BrazenBamboo#DEEPDATA#stealer
·volexity.com·
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA
Gaming Engines: An Undetected Playground for Malware Loaders
Gaming Engines: An Undetected Playground for Malware Loaders
  • Check Point Research discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript, code which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal. Check Point identified GodLoader, a loader that employs this new technique. The threat actor behind this malware has been utilizing it since June 29, 2024, infecting over 17,000 machines The malicious GodLoader is distributed by the Stargazers Ghost Network, a GitHub network that distributes malware as a service. Throughout September and October, approximately 200 repositories and over 225 Stargazers were used to legitimize the repositories distributing the malware. This new technique allows threat actors to target and infect devices across multiple platforms, such as Windows, macOS, Linux, Android, and iOS. Check Point Research demonstrates how this multi-platform technique can successfully drop payloads in Linux and MacOS. * A potential attack can target over 1.2 million users of Godot-developed games. These scenarios involve taking advantage of legitimate Godot executables to load malicious scripts in the form of mods or other downloadable content.
#checkpoint#EN#2024#GodLoader#Godot#Engine#game#payloads#analysis
·research.checkpoint.com·
Gaming Engines: An Undetected Playground for Malware Loaders
When Guardians Become Predators: How Malware Corrupts the Protectors
When Guardians Become Predators: How Malware Corrupts the Protectors
We often trust our security software to stand as an unbreakable wall against malware and attacks, but what happens when that very wall is weaponized against us? Our Trellix Advanced Research Center team recently uncovered a malicious campaign that does just that. Instead of bypassing defenses, this malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda. The malware exploits the deep access provided by the driver to terminate security processes, disable protective software, and seize control of the infected system.
#trellix#EN#2024#research#Avast#Anti-Rootkit#driver#malware#aswArPot.sys#analysis
·trellix.com·
When Guardians Become Predators: How Malware Corrupts the Protectors
Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON | Microsoft Security Blog
Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON | Microsoft Security Blog
At CYBERWARCON 2024, Microsoft Threat Intelligence analysts will share research and insights on North Korean and Chinese threat actors representing years of threat actor tracking, infrastructure monitoring and disruption, and their attack tooling.
#microsoft#EN#2024#CYBERWARCON#DPRK#North-Korea#China#analysis#intlligence
·microsoft.com·
Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON | Microsoft Security Blog
FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
We analyze FrostyGoop malware, which targets OT systems. This article walks through newly discovered samples, indicators, and also examines configurations and network communications. We analyze FrostyGoop malware, which targets OT systems. This article walks through newly discovered samples, indicators, and also examines configurations and network communications.
#unit42.paloaltonetworks#FrostyGoop#EN#2024#analysis#malware
·unit42.paloaltonetworks.com·
FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications