Pinned Tweet
RST Cloud
12.6K posts

RST Cloud
@rst_cloud
Threat intelligence solutions for businesses of all sizes
Sydney, New South Wales · Joined January 2015
89 Following · 673 Followers

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
schema: 2, windows: 2, code: 2, table: 1

#threatreport #MediumCompleteness
NetMedved and the Summer Campaign Against Russian Organizations | 25-06-2026
Source: habr.com/ru/companies/p…
Key details below ↓
🧑💻Actors/Campaigns:
Netmedved
💀Threats:
Netsupportmanager_rat, Spear-phishing_technique,
🎯Victims: Russian organizations, Procurement, Contracts, Document management
🌐Geo: Russian
📚TTPs:
⚔️Tactics: 5
🛠️Technics: 18
🧨IOCs:
- File: 11
- Domain: 7
- Registry: 6
- Path: 1
- IP: 5
- Hash: 12
💽Software: Windows COM, Windows Task Scheduler
🔢Algorithms: zip, aes, aes-cbc, base64, aes-128-cbc
🔠Functions: Get-Command
🗂️Win API: Base64
⚙️Win Services: WebClient
📜Programming Languages: javascript, powershell, jscript
#threatreport:
The NetMedved hacker group has initiated a new phishing campaign targeting Russian organizations, utilizing business-themed decoy documents and the remote administration tool NetSupport Manager. This campaign builds upon previous tactics employed by the group, which have involved various methods such as LNK files, PowerShell loaders, and scripts leveraging the `finger` command, among others.
In this latest attack, LNK files masquerade as procurement requests, with filenames crafted in a professional style to deceive employees handling document management. Upon execution, these LNK files initiate a PowerShell script that retrieves AES-encrypted payloads from a remote server. The attackers implement sophisticated techniques to obfuscate the execution, using `Get-Command` to dynamically resolve the `Invoke-Expression` cmdlet and relying on the COM object MSXML2.ServerXMLHTTP for payload retrieval, circumventing traditional PowerShell signatures that might be flagged during static analysis.
Once the LNK file is executed, its PowerShell stage connects to a remote server and retrieves a response with an embedded encrypted PowerShell script, which is then decrypted using AES-128-CBC. The decrypted stage acts as a loader that downloads a ZIP archive containing NetSupportRAT, extracted and launched from a temporary directory on the victim's machine. The threat establishes persistence by creating an autostart entry in the Windows Registry to ensure that it runs upon user login.
Additionally, another delivery method was observed involving a ZIP archive containing a malicious JScript file. The JScript serves as a dropper, executing Windows COM commands to decode and invoke the embedded decoy document while simultaneously launching the NetSupportRAT on the victim's system. This method arguably enhances stealth, as all components are contained within the script, requiring no external calls that might trigger detection.
The JScript variant shares key characteristics with previous 2024 campaigns, indicating a consistent operational approach by the NetMedved group. Consistency is observed in the social engineering tactics, delivery mechanisms, and the deployment of the same RAT. The infrastructure behind the campaign showcases clustering, with multiple command-and-control domains registered simultaneously, suggesting a deliberate strategy for resilience and domain rotation to sustain malicious operations.

#threatreport #MediumCompleteness
Breaking Out of Chrome’s Sandbox: A Native Messaging Backdoor Observed in Italy | 25-06-2026
Source: d3lab.net/breaking-out-o…
Key details below ↓
💀Threats:
Dll_sideloading_technique,
🎯Victims: Italy
🌐Geo: Italy, Italian
📚TTPs:
⚔️Tactics: 3
🛠️Technics: 0
🤖LLM extracted TTPs:
T1027, T1036, T1041, T1059.001, T1059.007, T1071.001, T1083, T1112, T1176, T1564.003, ...
🧨IOCs:
- File: 9
- BrowserExtension: 1
- Registry: 3
- Domain: 2
- Hash: 4
- IP: 1
- Url: 1
💽Software: Chrome, Google Chrome
🔢Algorithms: md5, sha256, sha1
📜Programming Languages: php, javascript, powershell
#threatreport:
In June 2026, a malware campaign targeting Italian users was observed, which utilized phishing emails disguised as invoices. The emails featured the subject line “Fattura #2818999851” and contained what appeared to be a PDF document. However, the file that victims downloaded was an obfuscated Windows JavaScript file named Fattura-2819889242.pfd.js, with the unusual file extension likely designed to mimic that of a PDF.
Upon execution by Windows Script Host, the JavaScript file decoded and created two significant files in the user's temporary directory: a legitimate executable named client_124578.exe from Epic Games, and a malicious DLL named d3d11.dll. This represents a DLL side-loading technique where a trusted executable loads a malicious library due to how Windows resolves dependencies. The DLL subsequently initiated a hidden PowerShell process that prepared a malicious Google Chrome extension and altered Chrome’s policy settings to facilitate the extension’s installation.
The malware exploited Chrome's policy keys, specifically ExtensionInstallAllowlist and ExtensionInstallSources, making the installation appear as if it were authorized by administrators. Although the extension operated within Chrome's browser permissions and could not execute commands like powershell.exe directly, the use of Native Messaging provided a method to bypass these restrictions. This legitimate feature allows applications to communicate with browser extensions, creating a bridge through which the extension could instruct the local host to execute PowerShell commands outside of the browser’s sandbox.
Evidence emerged that the extension and the Native Messaging Host formed a remote-command backdoor, as commands resulted in directory listings and the output was sent via POST requests to the attackers. The combination of components exploited legitimate technologies, including signed applications, enterprise-deployed Chrome extensions, and Native Messaging, which pose significant risks when misused.
Detection strategies for this type of attack include monitoring unusual entries in Chrome's enterprise policy keys and correlating changes with processes like Chrome extension installations and hidden PowerShell executions. Investigations should focus on entries leading to localhost connections, and incident response must not only remove the malicious extension but also eliminate its Native Messaging registration, analyze PowerShell activities, and secure affected browser sessions and credentials. This multi-faceted approach addresses both browser and underlying system vulnerabilities effectively.
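The detection idea in the paragraph above (a Chrome policy change, a Native Messaging host registration and a hidden PowerShell launch on the same host within a short window) can be expressed as a simple correlation over host telemetry. The block below is an added example for this page, not code from the D3Lab report: the event schema, the 15-minute window and every sample event are constructed. The two policy keys are the ones named in the report; ExtensionInstallForcelist is a related Chrome policy added here because it installs extensions without any user interaction.

```python
"""Correlate Chrome policy-key changes, Native Messaging host registration and
hidden PowerShell launches on one host within a short window.
Added example for this page, not the report's code; event schema and all
sample values are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Registry paths compared case-insensitively after the hive prefix is stripped.
POLICY_KEYS = (
    "software\\policies\\google\\chrome\\extensioninstallallowlist",   # named in report
    "software\\policies\\google\\chrome\\extensioninstallsources",     # named in report
    "software\\policies\\google\\chrome\\extensioninstallforcelist",   # added here
)
NMH_FRAGMENT = "\\google\\chrome\\nativemessaginghosts\\"
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
HIVES = ("hklm\\", "hkcu\\", "hkey_local_machine\\", "hkey_current_user\\")


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str        # "registry" (detail = key path) or "process" (detail = command line)
    detail: str
    image: str = ""  # process image path, only for "process" events


def classify(ev):
    """Tag an event if it is one of the three artefacts; otherwise return None."""
    if ev.kind == "registry":
        key = ev.detail.lower()
        for hive in HIVES:
            if key.startswith(hive):
                key = key[len(hive):]
                break
        if key.startswith(POLICY_KEYS):
            return "chrome_policy"
        if NMH_FRAGMENT in key:
            return "nmh_registration"
    elif ev.kind == "process":
        if ev.image.lower().endswith("powershell.exe") and HIDDEN_PS.search(ev.detail):
            return "hidden_powershell"
    return None


def correlate(events, window=timedelta(minutes=15)):
    """Anchor on each policy change and collect the other artefacts seen on the same
    host within +/- window. A lone policy change (an administrator pushing policy)
    is not reported; one alert is produced per host."""
    tagged = [(ev, classify(ev)) for ev in events]
    tagged = [(ev, tag) for ev, tag in tagged if tag]
    alerts = {}
    for anchor, tag in tagged:
        if tag != "chrome_policy":
            continue
        tags = {t for ev, t in tagged
                if ev.host == anchor.host and abs(ev.ts - anchor.ts) <= window}
        if len(tags) >= 2:
            entry = alerts.setdefault(
                anchor.host, {"host": anchor.host, "tags": set(), "first_seen": anchor.ts})
            entry["tags"] |= tags
            entry["first_seen"] = min(entry["first_seen"], anchor.ts)
    return sorted(alerts.values(), key=lambda a: a["host"])


T0 = datetime(2026, 6, 12, 9, 30, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not taken from the report
    Event(T0, "WS01", "registry",
          "HKLM\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist\\1"),
    Event(T0 + timedelta(seconds=2), "WS01", "registry",
          "HKLM\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallSources\\1"),
    Event(T0 + timedelta(seconds=5), "WS01", "registry",
          "HKCU\\Software\\Google\\Chrome\\NativeMessagingHosts\\com.example.updater"),
    Event(T0 + timedelta(seconds=9), "WS01", "process",
          "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\u\\AppData\\Local\\Temp\\x.ps1",
          image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    # WS02: a policy push by management tooling with nothing else around it -> no alert
    Event(T0 + timedelta(hours=1), "WS02", "registry",
          "HKLM\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist\\1"),
    # WS03: a benign native-messaging host (e.g. a password manager), no policy change -> no alert
    Event(T0 + timedelta(hours=2), "WS03", "registry",
          "HKLM\\SOFTWARE\\Google\\Chrome\\NativeMessagingHosts\\com.example.passwordmanager"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], sorted(alert["tags"]), alert["first_seen"])
```

Anchoring on the policy change rather than on PowerShell keeps the rule quiet in environments where hidden PowerShell is routine; the same events fed from Sysmon registry and process-creation logs would work unchanged once mapped onto the `Event` fields.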

#threatreport #MediumCompleteness
Analysis of Recent APT-C-36 Activities in Colombia | 25-06-2026
Source: ctfiot.com/311957.html
Key details below ↓
🧑💻Actors/Campaigns:
Blindeagle
💀Threats:
Junk_code_technique, Hijackloader, Remcos_rat,
🎯Victims: Financial services, Colombia
🏭Industry: Financial
🌐Geo: Colombia
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1027, T1033, T1055, T1059.001, T1059.007, T1082, T1113, T1123, T1140, T1204.002, ...
🧨IOCs:
- File: 4
- Command: 1
- Hash: 8
- Url: 2
- Domain: 1
💽Software: Chrome, WeChat
🔢Algorithms: base64, rc4, exhibit
📜Programming Languages: javascript, powershell
#threatreport:
The recent activities of the APT-C-36 group, also known as Blind Eagle, showcase a notable evolution in their attack techniques, particularly in Colombia. This campaign primarily uses phishing as an initial attack vector, employing SVG file formats enhanced with embedded JavaScript for payload delivery. Notably, unlike prior campaigns where links to malicious payloads were directly embedded, the SVG files in this instance contain an encrypted downloader. This downloader is executed when the victim interacts with the SVG, utilizing an AI-generated script to decrypt and launch the payload without needing internet access.
The phishing content demonstrates a shift in focus, with SVG file names and embedded content referencing themes such as banking interactions, indicating a strategic targeting of financial sector employees. When executed, the embedded JavaScript harnesses WScript.exe on Windows systems, employing various obfuscation techniques like hexadecimal strings to conceal its malicious nature. Specifically, the script writes a PowerShell payload to the user environment variable INTERNAL_IO_CACHE, subsequently executing it through Windows Management Instrumentation (WMI) to ensure stealthiness by removing traces post-execution.
The payload comprises a malicious dynamic link library, Qt5Network.dll, alongside compressed and encrypted data files, functioning collectively as Hijackloader—a loader frequently utilized by the group. Hijackloader’s architecture allows for modular operations and repeated injections, culminating in the final payload being delivered to a legitimate program, specifically PlaneMon.exe, within the %ALLUSERSPROFILE% directory.
The final payload deployed in this campaign is the Remcos remote control Trojan, a tool initially designed for legitimate remote management but exploited extensively by cyber attackers. The attackers utilized version 6.1.2 Pro of Remcos, which upon execution decrypts its configuration from a PE resource file. This configuration includes command and control (C2) domain details, victim identifiers, and operational mechanisms for activities such as command execution, system information collection, and audio surveillance. The initial data packet sent to the C2 server transmits vital user information including system username, CPU specifications, and the operating system version.
The analysis indicates that APT-C-36's methods align closely with prior incidents associated with the group. The incorporation of AI-generated scripts represents a significant technical advancement, likely reducing development times and enabling an increase in attack frequency and complexity. As such, users in target regions, especially those within vulnerable sectors, are urged to bolster their cybersecurity measures to mitigate potential threats from these evolving tactics.

#threatreport #MediumCompleteness
ShinyHunters’ 0-day attacks: After patching, find out if you were breached | 25-06-2026
Source: intel471.com/blog/shinyhunt…
Key details below ↓
🧑💻Actors/Campaigns:
Shinyhunters
Fancy_bear
Sandworm
💀Threats:
Lolbin_technique, Meshcentral_tool, Devman, Meshagent_tool,
🎯Victims: Education, Government, Commercial, European council
🏭Industry: Government, Education
🔓CVEs: CVE-2026-35273 \[[Vulners](vulners.com/cve/CVE-2026-3…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- oracle peoplesoft_enterprise_peopletools (8.61, 8.62)
🤖LLM extracted TTPs:
T1021.004, T1036, T1074, T1190, T1219, T1486
🧨IOCs:
- IP: 6
- File: 3
- Hash: 4
- Domain: 1
💽Software: Microsoft Defender
🔢Algorithms: sha256
💻Platforms: intel
#threatreport:
ShinyHunters has exploited a critical unauthenticated remote code execution (RCE) vulnerability in PeopleSoft Enterprise PeopleTools, tracked as CVE-2026-35273, since late May 2026, continuing their attacks even after Oracle patched the vulnerability on June 10, 2026. The group reportedly breached 110 U.S. educational organizations and targeted additional victims in government and commercial sectors, including the European Council. This highlights the necessity for organizations to quickly block indicators of compromise (IOCs) and examine historical logs for previous interactions with those IOCs.
The group employed living-off-the-land tactics to evade detection, using tools such as the MeshCentral remote administration tool, disguised as Microsoft Azure services for command-and-control operations. Their activities likely went undetected during the initial exploitation phase, as they blended their malicious traffic with legitimate cloud operations. Investigations into exposed directories tied to ShinyHunters revealed filenames such as .bash_history, indicating the use of preconfigured Windows agent binaries and a history of commands that included the installation of a MeshCentral server, SSH lateral movement attempts, and preparations for potential data exfiltration.
To assist in identifying any historical breaches related to ShinyHunters, Retroactive Threat Detection (RTD) tools can automate the generation of IOC-based queries for over 20 platforms, focusing on critical infrastructure indicators. An example involves checking for network connections to specific IP addresses associated with the ShinyHunters campaign, including IPs in the range of 142.11.200.186-190 and the domain azurenetfiles.net. Monitoring these indicators can help ascertain if any interactions have occurred with the known C2 infrastructure.
In situations where queries reveal no findings, organizations can conclude that they may not have been affected. However, active detection and response measures, including behavioral hunts, remain vital. Such packages, developed by threat hunters, allow analysts to recognize ShinyHunters' tradecraft behaviors despite variations in indicators across different attacks. For instance, patterns like nonstandard SMB communication have been linked to multiple threat actors, emphasizing the need for a comprehensive behavioral approach to understanding and mitigating such threats.
Patching vulnerabilities addresses immediate risks but does not clarify prior breaches. The focus on retroactive detection enables organizations to ascertain whether they suffered compromises prior to patching and understand the extent of any breach. Resource-strained CTI and SOC teams benefit from tools that streamline threat analyses, facilitating a quicker response to campaigns such as ShinyHunters.
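The retroactive query the post describes, checking historical connection logs for the IP range 142.11.200.186-190 and the domain azurenetfiles.net, is shown below as an added example. It is not Intel 471's RTD tooling; the two indicators come from the post's summary of the report, while the `key=value` log line format and every sample line are constructed. The range expansion is written generally (any last-octet range) rather than only for the one range quoted.

```python
"""Retroactive IOC hunt over connection logs. Added example, not the report's
tooling; the log format and all sample lines are constructed."""
import ipaddress
import re

# Indicators as given in the post's summary of the report.
IOC_IP_RANGES = ["142.11.200.186-190"]
IOC_DOMAINS = ["azurenetfiles.net"]

KV = re.compile(r"(\w+)=(\S+)")  # parses constructed "key=value" log fields


def expand_range(spec):
    """Expand 'a.b.c.x-y' (a last-octet range) or a single address into IPv4Address objects."""
    base, sep, end = spec.partition("-")
    ipaddress.IPv4Address(base)  # validates the base address
    if not sep:
        return [ipaddress.IPv4Address(base)]
    prefix, start = base.rsplit(".", 1)
    start, last = int(start), int(end)
    if not 0 <= start <= last <= 255:
        raise ValueError(f"bad range {spec}")
    return [ipaddress.IPv4Address(f"{prefix}.{o}") for o in range(start, last + 1)]


def domain_matches(host, ioc_domain):
    """True for the IOC domain itself or any subdomain of it; a lookalike such as
    'azurenetfiles.net.example.com' does not match."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def hunt(lines, ip_ranges=IOC_IP_RANGES, domains=IOC_DOMAINS):
    """Return one record per log line that touched IOC infrastructure, with the reasons."""
    ioc_ips = {ip for spec in ip_ranges for ip in expand_range(spec)}
    hits = []
    for line in lines:
        fields = dict(KV.findall(line))
        reasons = []
        try:
            if ipaddress.IPv4Address(fields.get("dst", "")) in ioc_ips:
                reasons.append(f"dst {fields['dst']} in C2 range")
        except ipaddress.AddressValueError:
            pass  # missing or non-IPv4 destination field
        host = fields.get("host", "-")
        for d in domains:
            if host != "-" and domain_matches(host, d):
                reasons.append(f"host {host} matches {d}")
        if reasons:
            hits.append({"ts": line.split(" ", 1)[0], "src": fields.get("src"), "reasons": reasons})
    return hits


SAMPLE_LOGS = [  # constructed proxy/firewall lines, not real telemetry
    "2026-06-02T10:15:31Z src=10.0.5.21 dst=142.11.200.188 dport=443 host=-",
    "2026-06-02T10:16:02Z src=10.0.5.21 dst=20.50.1.10 dport=443 host=cdn.azurenetfiles.net",
    "2026-06-02T10:17:44Z src=10.0.7.3 dst=142.11.200.191 dport=443 host=-",
    "2026-06-02T10:18:10Z src=10.0.7.3 dst=13.107.42.14 dport=443 host=login.microsoftonline.com",
    "2026-06-03T08:01:00Z src=10.0.5.21 dst=142.11.200.186 dport=8443 host=azurenetfiles.net",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit["ts"], hit["src"], "; ".join(hit["reasons"]))
```

A hit on a historical line is evidence of contact with the infrastructure before the patch date, which is exactly the question patching alone cannot answer; the third sample line (.191, just outside the quoted range) is deliberately a non-match so the range boundary is exercised.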

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
windows: 5, schema: 2, dump: 2, code: 1, chart: 1

#threatreport #MediumCompleteness
KimJongRAT Continues to Evolve by Leveraging LOTS | 25-06-2026
Source: sect.iij.ad.jp/blog/2026/06/c…
Key details below ↓
🧑💻Actors/Campaigns:
Kimsuky
Scarcruft
💀Threats:
Kimjongrat, Meshagent_tool, Meshcentral_tool,
🎯Victims: Users
🌐Geo: North korea, Japan
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1027, T1059.001, T1059.003, T1059.005, T1102.001, T1105, T1140, T1204.002, T1218.005, T1218.011, ...
🧨IOCs:
- File: 8
- Command: 7
- Url: 4
- IP: 2
- Hash: 4
💽Software: Windows Defender, curl, Twitter
🔢Algorithms: rc4, aes, zip, base64
⚙️Win Services: WinDefend
📜Programming Languages: javascript, powershell, vbscript
#threatreport:
In May 2026, a new attack campaign was identified that utilized KimJongRAT, malware associated with the North Korean APT group Kimsuky. This latest variant exploits GitHub and other platforms to distribute its payload. KimJongRAT functions as a hybrid malware, combining features of an InfoStealer and a Remote Access Trojan (RAT) since its initial emergence in 2013. The attack was characterized by its multi-stage execution flow, initiated when a targeted user clicks a malicious shortened URL in an email which leads them to download a ZIP file from GitHub Releases.
The ZIP file contains a malicious LNK file that, upon execution, uses the legitimate Windows command mshta to download and execute an HTA file from GitHub. The HTA file then runs an obfuscated VBScript that continues the infection process by fetching additional malware components from a controlled Google Drive account. If Windows Defender is not operational, it downloads hidden files like user.txt and sys.log; otherwise, it retrieves an encrypted ZIP file. The malware utilizes PowerShell commands to handle decryption and execution of subsequent components, including the payload known as KimJongRAT, which has both DLL and PowerShell variants.
Moreover, the May 2026 variant introduces a significant change by dynamically retrieving command and control (C2) server addresses from external sources rather than hardcoding them, enhancing its resilience against takedowns. This dynamic linkage allows attackers to adapt without needing to rebuild the malware each time a C2 address changes. Additionally, the updated KimJongRAT has incorporated the ability to install a Remote Monitoring and Management (RMM) tool named MeshAgent, which aims to ensure continued access to infected hosts even if the primary malware is quarantined by security measures.
Despite the takedown of an exploited GitHub repository on May 27, 2026, attackers promptly established a new repository to continue their operations, indicating a persistent threat. Overall, these evolutions demonstrate a strategic shift towards exploiting legitimate services for hosting malware and executing attacks, a technique seen increasingly in campaigns linked to various nation-state actors, particularly those from North Korea. As these threats remain prevalent, vigilance and proactive defense strategies are essential for potential targets.

#threatreport #LowCompleteness
Miasma Worm Infects Multiple LeoPlatform npm Packages | 25-06-2026
Source: safedep.io/miasma-worm-hi…
Key details below ↓
💀Threats:
Miasma,
🎯Victims: Leoplatform, Leoinsights, Software development
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1027, T1027.002, T1036.005, T1059.007, T1078, T1195.001, T1550.001
🧨IOCs:
- File: 6
- Hash: 7
💽Software: Dependabot, Kubernetes, HashiCorp Vault, curl, 1Password, OPENSSH
🔢Algorithms: sha256, sha1, ed25519, aes-128-gcm
🔠Functions: getBunPath, CreateEvent
💻Platforms: intel
#threatreport:
On June 24, 2026, the LeoPlatform npm ecosystem suffered an attack involving a variant of the Miasma worm. This incident began when an attacker compromised the npm and GitHub tokens of a maintainer, resulting in the rapid publication of infected versions of 20 npm packages. Additionally, weaponized GitHub Actions workflows were introduced, disguised as Dependabot, in at least three repositories associated with the compromised account.
The malicious updates affected 20 packages under the LeoPlatform / LeoInsights organization, identified by their binding.gyp file, which initiated the payload during the installation process, evading detection by lifecycle script scanners. All infected packages had the same SHA256, and while their payloads were encrypted with unique ROT cipher values and AES-128-GCM keys, the underlying functionality remained consistent across all packages. The highest-traffic packages impacted included leo-logger, leo-sdk, and leo-aws, which collectively had approximately 13,600 weekly downloads. Conversely, four other packages maintained by the same operator remained untouched, likely due to the absence of a stable release version.
The infection method relied on several key tactics. Infected package.json files included a dependency on Bun, specifically version ^1.3.13, intended for situations where the initial installation process failed. This approach indicates a strategy to ensure unauthorized code execution regardless of the installation environment. The compromised maintainers' GitHub repositories contained fake workflows that utilized legitimate actions while checking out unauthorized code. The workflow exploited broad permissions, including the ability to write an id-token, which could allow the attacker to acquire npm publish credentials.
Upon analysis, the worm's payload exhibited capabilities similar to those documented in earlier research, indicating the potential for credential theft and other malicious activities. Notably, regex patterns within the payload suggested that it could extract sensitive information such as authentication tokens and private keys, enhancing its self-propagating nature across multiple platforms including GitHub, AWS, and various coding configuration tools.
The event underscores the significant risks associated with compromised maintainer accounts and the necessity for rigorous security practices in package management and GitHub workflows to mitigate the impact of such sophisticated attacks.

#threatreport #HighCompleteness
Tracking UAC-0226 Tooling Evolution: From WinRAR ADS to Reflective GIFTEDCROOK Loading | 25-06-2026
Source: blog.synapticsystems.de/from-winrar-ad…
Key details below ↓
🧑💻Actors/Campaigns:
Uac-0226
Gamaredon
💀Threats:
Giftedcrook, Antidebugging_technique, Junk_code_technique,
🎯Victims: Defense, Military personnel
🏭Industry: Military
🌐Geo: Ukrainian
🔓CVEs: CVE-2025-8088 \[[Vulners](vulners.com/cve/CVE-2025-8…)]
- CVSS V3.1: *8.8*,
- Vulners: Exploitation: True
Soft:
- rarlab winrar (<7.13)
CVE-2025-6218 \[[Vulners](vulners.com/cve/CVE-2025-6…)]
- CVSS V3.1: *7.8*,
- Vulners: Exploitation: True
Soft:
- rarlab winrar (<7.12)
📚TTPs:
⚔️Tactics: 5
🛠️Technics: 5
🧨IOCs:
- Hash: 9
- File: 14
- Path: 5
- Command: 6
- Url: 2
- Email: 1
- IP: 2
💽Software: WinRAR, Chromium, Firefox, KeePass, Google Chrome, Microsoft Edge, Opera, Chrome
🔢Algorithms: xor, sha256, zip, rc4, gzip
🔠Functions: Write-Host
🗂️Win API: GetEnvironmentVariableW, CryptUnprotectData, GetSystemTimeAsFileTime, VirtualAlloc, NtAllocateVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx
📜Programming Languages: java, powershell
#threatreport:
The UAC-0226 threat actor has advanced their attack techniques, employing an ADS-based WinRAR path traversal to position a shortcut in the Windows Startup directory while dropping additional files into the C:\ProgramData folder. The initial stage utilizes a PowerShell loader that obscures its function through generated noise while delivering a more sophisticated second-stage payload: an encoded headerless PE image that incorporates its own reflective mapper for execution.
The malware specifically targets sensitive information from browsers like Chromium and Firefox, as well as VPN configurations and KeePass databases. The architecture of the payload consists of a headerless PE image that doesn't resemble standard executable formats on disk, necessitating reconstruction for static analysis tools, thereby enhancing its obfuscation.
In the first stage, the PowerShell script (WC3) deobfuscates and executes encoded data through a mechanism that internally disables TLS certificate validation, which is critical for reconnaissance. The loader generates telemetry data, indicating loader status while executing the next stage payload.
By comparison to earlier iterations, this specific attack demonstrates an evolution in techniques, including changes in persistence, payload encoding, and memory loading mechanisms. Previous samples of UAC-0226 relied on additive byte-decoding, but the most recent attacks used different subtraction values to obfuscate payload data (notably changing from 117 to 72).
Additionally, the payload’s reflective mapper plays a crucial role, constructing executable code in memory while providing status updates back to the PowerShell loader, a method that deviates from conventional execution patterns. This reflects a notable progression in operational security and evasion tactics employed by UAC-0226.
Furthermore, the attack utilizes specific file collection targets and identifiers linked to both Chromium and Firefox, making it a focused information-gathering tool rather than a general stealer. The persistence mechanisms include planting a malicious shortcut on the user's system, thus guaranteeing execution upon system boot.
Infrastructure changes within the UAC-0226 campaign, such as altering the communication port and endpoint names, aim to evade detection by security systems that can track known indicators. Attribution to UAC-0226 remains consistent due to recognizable behavioral patterns and operational techniques that reflect a continuous evolution rather than disparate incidents.

#threatreport #HighCompleteness
ESET takes part in Operation Endgame to disrupt Amadey and Stealc | 25-06-2026
Source: welivesecurity.com/en/eset-resear…
Key details below ↓
🧑💻Actors/Campaigns:
Plymouth
💀Threats:
Amadey, Stealc, Lumma_stealer, Danabot, Hvnc_tool, Supply_chain_technique, Process_injection_technique,
🏭Industry: Entertainment, Energy
🌐Geo: Poland, America, Spain, United states, Turkey, India, Egypt, Mexico, Italy
📚TTPs:
⚔️Tactics: 10
🛠️Technics: 43
🧨IOCs:
- File: 2
- Hash: 9
- IP: 10
- Domain: 1
💽Software: Telegram, Outlook, WinSCP
🪙Crypto: bitcoin
🔢Algorithms: base64, zip, rc4
🗂️Win API: decompress
#threatreport:
ESET researchers played a crucial role in Operation Endgame, a global initiative aimed at dismantling the Amadey botnet and the Stealc infostealer, both of which utilize a malware-as-a-service (MaaS) model. Through extensive technical analysis and tracking, ESET was able to provide vital information, including command and control (C&C) server data, encryption keys, and other threat indicators. The operation led to the disruption of approximately 50 domains and nearly 200 active C&C servers linked to these malware families, affecting their operational capabilities significantly.
Amadey is a modular malware loader primarily designed to distribute additional malware and possesses capabilities for data exfiltration and remote access. It operates on a pay-per-rebuild model, requiring affiliates to pay for licenses and additional fees when generating new builds, emphasizing the individual control each affiliate has over their infestation techniques, which typically include fake software updates and malware loaders.
On the other hand, Stealc is a more conventional infostealer targeting sensitive credentials and files based on predefined patterns. It offers its affiliates a subscription model allowing unlimited build creation, which lowers operational costs and simplifies the process of managing infections.
The communication protocols of both malware families also reveal distinct operational methodologies. Amadey utilizes HTTP for its C&C interactions, leveraging a three-stage lifecycle involving initial beacons, registration, and tasking, with a reliance on structured command strings for instructions. Stealc employs a JSON-based communication model encapsulated in RC4-encrypted transmissions, responding to specific commands rendered by its configuration.
A key achievement of ESET was developing a clustering method that allows the grouping of malware samples to enhance tracking and identify weak points for disruption. This approach revealed various interconnected clusters within the operation of Amadey and Stealc, with certain clusters demonstrating a high level of coordination among their infrastructures. Importantly, ESET tracked a significant number of clusters within both ecosystems, which complicates disruption efforts since there isn’t a single point of failure.
The long-term tracking and technical insight provided by ESET, along with collaboration from law enforcement and partners, contributed significantly to the disruption of the operations supporting Amadey and Stealc. The ongoing surveillance following Operation Endgame aims to monitor potential resurgence attempts by these malware families and provide timely intelligence to counter future threats.

#threatreport #LowCompleteness
AI Security Incident Case: Jetbrains Plugin Supply Chain Attack Stealing AI Key | 25-06-2026
Source: nsfocusglobal.com/ai-security-in…
Key details below ↓
💀Threats:
Supply_chain_technique, Glassworm,
🎯Victims: Software developers, Jetbrains plugin market users, Ai service providers
🤖LLM extracted TTPs:
T1020, T1036, T1071.001, T1195.002, T1528
🧨IOCs:
- File: 2
- IP: 1
💽Software: Jetbrains, DeepSeek, OpenAI
🔠Functions: save, FindBugs
#threatreport:
In June 2026, a significant security breach was identified involving a collection of 15 malicious plugins on the JetBrains plugin market, collectively having close to 70,000 installations. These plugins, which falsely advertised functionalities like AI code completion and bug detection, were designed to covertly exfiltrate API keys from users. Upon saving the API key, the plugin would silently send this sensitive information to an attacker-controlled server without any notification to the user. This malicious activity stemmed from the initial version of these plugins, which can be traced back to October 2025, with ongoing updates occurring even after their discovery.
The attack methodology hinged on a shared codebase among the plugins, offering unsuspecting users an ordinary initialization process for entering API keys from popular services like OpenAI. The moment a user clicked 'Apply' to save their API key, the key was validated for format and subsequently sent via a synchronous HTTP POST request to a hard-coded IP address, meaning that the operation was imperceptible to the user. This approach effectively evaded traditional security audits by merging the key theft operation with standard configuration processes. The use of plaintext HTTP instead of HTTPS left the stolen keys vulnerable to interception across networks, including corporate intranets.
Additionally, the attackers established a distribution system for stolen API keys, allowing them to sell illegitimate access to AI services to paying customers. The model represents a self-sustaining ecosystem where API keys obtained from victims are exploited to facilitate unauthorized access to AI capabilities by others, thus creating an underground commerce of stolen credentials.
The risk posed by IDE plugins is accentuated by their inherent security permissions; they operate in a highly trusted environment, often free from sandboxing and equipped with extensive access to the filesystem and network. This lack of restrictive controls renders them particularly susceptible to supply chain attacks. Although the JetBrains plugin market implements a manual review process, the intricacies of the malicious code could easily evade detection as they could be embedded within normally functioning features.
The implications of this incident reflect a broader trend in the development tools ecosystem, marked by a series of supply chain attacks across various platforms, including npm and VS Code. As the usage of AI tools proliferates, the urgency to enhance security scrutiny within plugin ecosystems and increase developer awareness around these threats is critical.

#threatreport #HighCompleteness
From Langflow to Monero: Inside CVE-2026-33017 Cryptominer | 23-06-2026
Source: trendmicro.com/en_us/research…
Key details below ↓
🧑💻Actors/Campaigns:
Teamtnt
Autom
💀Threats:
Ssh_worm, Xmrig_miner, Flodrix_botnet, Kinsing_miner, Typosquatting_technique, Korkerds, Outlaw_botnet, Hezb, Supportxmr, C3pool, Malxmr_miner,
🎯Victims: Organizations using langflow, Ai application infrastructure, Enterprise environments
🏭Industry: Telco, Financial, Healthcare
🌐Geo: Ontario, Canada, America
🔓CVEs: CVE-2025-3248 \[[Vulners](vulners.com/cve/CVE-2025-3…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- langflow (<1.3.0)
CVE-2026-33017 \[[Vulners](vulners.com/cve/CVE-2026-3…)]
- CVSS V3.1: *9.8*,
- Vulners: Exploitation: True
Soft:
- langflow (<1.8.2)
📚TTPs:
⚔️Tactics: 12
🛠️Technics: 26
🧨IOCs:
- Url: 7
- File: 8
- IP: 2
- Domain: 1
- Hash: 4
- Coin: 1
💽Software: Langflow, Linux, Docker, Confluence, curl, systemd, AppArmor, SELinux, Alibaba Cloud, Chrome, ...
🪙Crypto: monero, ethereum
🔢Algorithms: randomx, cryptonight, md5, sha256, ghostrider, base64
🔠Functions: createBashScript, b, lambsys_pre_setup_clear_fuckers_FindFile
🗂️Win API: UWEKB
📜Programming Languages: php, python, golang
#threatreport:
A cryptocurrency-mining campaign has been identified exploiting CVE-2026-33017, a critical unauthenticated remote code execution (RCE) vulnerability in Langflow, which is a Python framework used for creating large language model workflows. The exploitation involves a single unauthenticated POST request to a specific Langflow API endpoint, allowing attackers to execute arbitrary Python code that downloads and launches mining malware. The campaign is notable for its focus on exposed AI application endpoints and employs a delivery vector that has recently changed from previous exploitation methods targeting other platforms like Docker and Confluence.
The malware functions by disabling host-level security controls to establish persistence and effectively turns the compromised system into a cryptocurrency miner while also propagating to other machines by reusing SSH keys. The primary component of the campaign is a bash script, `isp.sh`, which checks for existing miner processes, creates a hidden persistence directory, and downloads a binary named `lambsys`. This binary not only operates the mining functionality but also executes numerous commands to kill rival mining processes and disable security features such as firewall protections, AppArmor, and SELinux. Its design suggests a familiarity with both the mining landscape and various Linux configurations.
Once deployed, the `lambsys` binary communicates with its command and control (C&C) server via a standard HTTP connection. It uses a JSON-based heartbeat mechanism to report its status and expects to receive commands or further instructions. Additionally, it downloads a customized version of the XMRig miner for Monero mining. The miner’s deployment utilizes obfuscation techniques, including path manipulation to evade detection.
The campaign's architecture demonstrates a high level of sophistication, involving techniques for lateral movement and evasion based on insights into other cryptomining schemes. The malware rigorously disables specific kernel watchdogs and alters security controls to maintain its foothold on compromised systems. Importantly, the threat actor appears to be targeting specific user accounts linked to previous campaigns, indicating an evolution in the operational methods of cryptocurrency miners.
For organizations using Langflow, it is crucial to implement security updates, restrict public access, and monitor for signs of exploitation. Compromised environments should be treated as potential incidents, and exposed SSH keys should be rotated to mitigate further risks. The emergence of this campaign emphasizes the need for vigilance in securing AI application infrastructures, which have become attractive targets for threat actors.

#threatreport #HighCompleteness
StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them | 24-06-2026
Source: microsoft.com/en-us/security…
Key details below ↓
💀Threats:
Stealc, Amadey, Lumma_stealer, Redline_stealer, Raccoon_stealer, Vidar_stealer, Seo_poisoning_technique, Clickfix_technique, Credential_stealing_technique, Process_injection_technique
🎯Victims: Enterprise environments, Consumer devices, Financial services, Cryptocurrency, Gaming, Email services, Information technology
🏭Industry: Entertainment, Financial
🌐Geo: Russian, Ukrainian, Belarusian
📚TTPs:
⚔️Tactics: 4
🛠️Technics: 0
🧨IOCs:
- File: 15
- Command: 1
- Path: 1
- Hash: 15
- Url: 12
💽Software: Microsoft Defender, Microsoft Defender for Endpoint, Telegram, Steam, Outlook, Foxmail, WinSCP, Chromium, Chrome, Opera, ...
🔢Algorithms: rc4, base64, sha256
🗂️Win API: As, CreateProcessA, VirtualAllocEx, WriteProcessMemory, QueueUserAPC, ResumeThread, WaitForSingleObject
📜Programming Languages: python, powershell
#threatreport:
Infostealers, particularly the StealC family, along with delivery mechanisms like Amadey, pose significant risks within the cybercrime ecosystem by efficiently harvesting sensitive data such as passwords, cookies, and session tokens. After compromising personal devices, these threats can extend to enterprise networks, especially if credentials fall into the hands of attackers, potentially bypassing safeguards like multifactor authentication (MFA).
StealC operates as a malware-as-a-service (MaaS), allowing threat actors to create tailored payloads and manage exfiltrated data through a centralized web panel. Its capabilities include stealing credentials from various browsers, cryptocurrency wallets, email clients, messaging apps, and gaming platforms. This modular approach makes it easy for operators to use a single initial infection to escalate into multiple threats. The malware is particularly sophisticated, employing techniques to embed its payloads within legitimate processes to enhance stealth.
Amadey complements StealC by serving as a loader that delivers various types of malware, including StealC. Functional since at least 2018, Amadey has been associated with several high-profile infections and can execute commands for file downloads, backdoor communication, and credential theft. Its deployment often involves creating scheduled tasks for persistence and uses HTTP for command-and-control (C2) communication, encrypting its traffic with RC4.
The attack lifecycle for infostealers typically involves methods that capitalize on user behavior, such as SEO poisoning and phishing. This makes it easier for attackers to distribute malware without relying heavily on exploiting software vulnerabilities. Once deployed, infostealers can extract a wide array of credentials and tokens, often exporting this data back to C2 servers in a highly structured format.
The underground market for stolen credentials is lucrative, with logs appearing on dark web platforms shortly after extraction. Prices for logs vary depending on their value—corporate credentials can fetch upwards of $100, while more common logs may sell for as little as $2. This rapid monetization further highlights the need for effective identity protection and breach detection measures, as attackers can exploit stolen credentials for enterprise breaches within a matter of days or even hours.
In terms of technical operation, StealC executes a series of complex processes to gather sensitive information. It crafts HTTP POST requests for C2 registration, embedding necessary data in encrypted formats. In practice, this includes intricate methods of credential harvesting from web browsers using injection techniques that circumvent built-in security measures.
Amadey’s architecture allows it to modularly expand its capabilities by downloading additional plugins for credential or clipboard theft upon receiving commands from its C2 infrastructure. The malware strategically queries the system registry for configurations that inform its operations, maintaining a flexible and stealthy profile that adapts to the host environment.
Despite efforts to disrupt these operations, including a coordinated takedown of infrastructure supporting StealC and Amadey, the adaptability and commercial nature of their services ensure that the threat persists. Organizations must remain vigilant against the risks posed by infostealers and their delivery mechanisms, emphasizing the importance of robust cybersecurity practices to mitigate exposure and respond effectively to breaches.

#threatreport #MediumCompleteness
Ransomware Over WebChat: How Deadlock Used Polygon Blockchain and Session-Style Crypto for Negotiations | 16-12-2025
Source: threatscene.com/blog-update/ra…
Key details below ↓
🧑💻Actors/Campaigns:
Deadlock
💀Threats:
Deadlock
🏭Industry: Financial, Petroleum
🌐Geo: Ukrainian, Ukraine, Austrian, South africa, Germany, Iran, Iranian, Belize
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1027, T1059.007, T1071.001, T1090.002, T1102.001, T1140, T1573.002
🧨IOCs:
- File: 79
- Coin: 11
- Url: 5
- IP: 5
- Email: 2
- Domain: 5
💽Software: Jabber, WordPress, Telegram, Discord, Truecaller
📲Wallets: mainnet, metamask
🪙Crypto: ethereum, bitcoin, arbitrum, monero
🔢Algorithms: base64, curve25519, poly1305, xsalsa20, md5, ed25519
🔠Functions: constructor, owner, getProxy, setProxy, getContract, ed2curve, getChat, JSON-RPC
🗂️Win API: Polygon, Writer, sendMessage
📜Programming Languages: php, javascript, solidity
#threatreport:
The Deadlock ransomware incident showcases an innovative communication technique employed by cybercriminals, leveraging a custom HTML chat client embedded within a ransom note delivered as an HTML file on the victim's desktop. When opened, this file initializes a lightweight messaging client crafted in obfuscated JavaScript. This client operates through a smart contract on the Polygon blockchain, enabling a connection to a network of service nodes for secure communication between victim and attacker, effectively creating a covert messenger system.
The JavaScript client gathers the proxy URL from the Polygon smart contract and uses it for authentication with unique credentials, which derive keypairs through Ed25519/Curve25519 cryptography. The chat's messages, encoded in a Protobuf format, undergo encryption via NaCl sealed boxes, illustrating the complexity of the encryption employed. The smart contract on Polygon serves as a dynamic configuration tool, hosting a stable endpoint for updating command and control (C2) infrastructure without reliance on static domains.
Polygon's role in this operation is pivotal: it provides a cost-effective alternative to Ethereum for hosting and managing the infrastructure the ransomware operation needs. Its significantly lower gas costs let the threat actors execute contract transactions cheaply and without friction. The research detailed the smart contract mechanics governing these interactions, emphasizing a design in which the contract holds only the data essential for communication routing, which further complicates efforts to disrupt the operation.
Defense-oriented insights drawn from this incident stress the necessity for analysts to treat HTML artifacts with the same scrutiny as traditional executable malware. Given that the entire communication framework resided within the JavaScript, understanding the network behavior and scripting details is essential for investigations. Moreover, heightened vigilance around blockchain interactions becomes crucial, as the presence of JSON-RPC calls to EVM-compatible networks indicates potential malicious activity.
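Acting on the last point above, as an added example that is not code from the ThreatScene write-up: a scan over constructed proxy log lines that flags JSON-RPC 2.0 requests using Ethereum-style `eth_*` methods and pulls the contract address and 4-byte function selector out of `eth_call`. The log format, process names, hosts and addresses are assumptions; only the JSON-RPC method names are standard.

```python
import json
import re

# Added example, not code from the ThreatScene write-up. The report notes that
# JSON-RPC calls to EVM-compatible networks coming from an HTML "ransom note"
# are a signal worth hunting. This scans constructed proxy log lines for
# JSON-RPC 2.0 requests carrying Ethereum-style "eth_*" methods and extracts
# the contract address and 4-byte function selector from eth_call. The log
# format and hostnames are assumptions; the method names are standard
# Ethereum JSON-RPC.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) POST (?P<url>\S+) body=(?P<body>.*)$"
)

# eth_call against a contract is what a client needs to read configuration
# (such as a proxy URL) out of chain state; the others are the bootstrap calls
# a web3 client usually makes first.
INTERESTING = {"eth_call", "eth_chainId", "eth_blockNumber", "eth_getCode"}


def parse_rpc(body):
    """Return the parsed JSON-RPC 2.0 request dict, or None if body is not one."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
        return None
    if not isinstance(req.get("method"), str):
        return None
    return req


def describe_call(req):
    """For eth_call, extract the target contract and the function selector."""
    params = req.get("params") or []
    if req["method"] != "eth_call" or not params or not isinstance(params[0], dict):
        return None
    to = (params[0].get("to") or "").lower()
    data = (params[0].get("data") or "").lower()
    # The selector is the first 4 bytes of calldata: "0x" plus 8 hex digits.
    selector = data[:10] if data.startswith("0x") and len(data) >= 10 else None
    return {"contract": to, "selector": selector}


def scan(lines):
    """Flag JSON-RPC requests with eth_* methods. Browsers and HTML viewers
    normally have no reason to speak to an EVM node, so each hit is a lead."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = parse_rpc(m.group("body"))
        if req is None or req["method"] not in INTERESTING:
            continue
        hit = {"src": m.group("src"), "process": m.group("proc"),
               "url": m.group("url"), "method": req["method"]}
        call = describe_call(req)
        if call:
            hit.update(call)
        hits.append(hit)
    return hits


# Constructed log lines (hosts, IPs and addresses are placeholders).
SAMPLE_LOG = [
    '2026-06-10T08:01:02Z 10.1.2.3 msedge.exe POST https://rpc.example.invalid/ body={"jsonrpc":"2.0","id":1,"method":"eth_chainId","params":[]}',
    '2026-06-10T08:01:03Z 10.1.2.3 msedge.exe POST https://rpc.example.invalid/ body={"jsonrpc":"2.0","id":2,"method":"eth_call","params":[{"to":"0xAbCdEf0000000000000000000000000000000001","data":"0x12345678"},"latest"]}',
    '2026-06-10T08:01:04Z 10.1.2.9 outlook.exe POST https://mail.example.invalid/api body={"jsonrpc":"2.0","id":1,"method":"getFolders","params":[]}',
    '2026-06-10T08:01:05Z 10.1.2.9 outlook.exe POST https://mail.example.invalid/api body=not-json',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
```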

#threatreport #MediumCompleteness
OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat | 23-06-2026
Source: unit42.paloaltonetworks.com/openclaw-ai-su…
Key details below ↓
🧑💻Actors/Campaigns:
Clawhavoc
💀Threats:
Supply_chain_technique, Amos_stealer, Paste-jacking_technique
🎯Victims: Openclaw users, Macos users, Financial communities, Cryptocurrency users, Mainland china, Hong kong, Singapore
🏭Industry: E-commerce, Financial, Retail
🌐Geo: Singapore, Hong kong, China
🤖LLM extracted TTPs:
T1027, T1027.001, T1036, T1041, T1053.003, T1059.004, T1105, T1140, T1195, T1204.004, ...
🧨IOCs:
- IP: 2
- Domain: 7
- Hash: 6
- Url: 6
- File: 1
💽Software: OpenClaw, ClawHub, macOS, Telegram, TradingView
🪙Crypto: solana
🔢Algorithms: sha256, base64
#threatreport:
OpenClaw is an AI agent that operates through third-party skills available on ClawHub, which has been under scrutiny due to malicious activities following its launch. Skills in this ecosystem, which offer broad system access, have been found to contain malicious payloads that compromise user systems. A critical examination between February and May 2026 revealed five unblocked malicious skills categorized as infostealers, evasive techniques, and agentic threats. The infostealers specifically included macOS malware that communicated with command-and-control (C2) servers, while the evasive techniques involved file padding to escape detection by screening tools like VirusTotal and ClawScan.
Malicious skills abusing the AI supply chain exploit semantic instruction hijacking to bypass conventional security measures. They can manipulate an agent's operational permissions, allowing unauthorized actions without typical exploit methods. This new attack surface contrasts with traditional software supply chain vulnerabilities, showing how attackers leverage the access inherently granted to AI agents. Notably, early reports disclosed that about 17% of analyzed OpenClaw skills carried malicious content, with various methods employed for payload delivery, including deceptive Base64-encoded command structures and paste-site redirects.
The malicious payloads included AMOS stealer malware and other infostealers, delivered through Base64-encoded dropper mechanisms. Persistence mechanisms like auto-updaters were established to maintain C2 communication even after the malicious skills were reported and removed. Additionally, novel schemes, such as runtime affiliate injection through financial advisory skills, propped up profits by steering users to affiliate links without their knowledge. Once installed, the skill retained real-time control over the referral data, allowing recommended products or services to be adjusted dynamically according to the operator's intent.
Another sophisticated attack observed was agentic front-running, wherein operators manipulated the ClawHub platform to execute trades on meme tokens using multiple AI agents. This method involved pooling cryptocurrency within the operator's wallet before publicly launching tokens, creating artificial demand that could be exploited for financial gain.
The ongoing evolution of these threats emphasizes the necessity for organizations to implement rigorous monitoring and supply chain verification processes. Active validation of skill documentation, publisher provenance, and line-by-line audits are critical in countering these vulnerabilities, alongside monitoring outbound network connections to detect anomalous behavior indicative of compromise. Such measures are imperative in safeguarding environments against these complex threats that continue to adapt and evade existing detection capabilities.

#threatreport #LowCompleteness
DeadLock Ransomware Group Embeds Data Leak Site Within Ransom Note | 08-06-2026
Source: watchguard.com/wgrd-security-…
Key details below ↓
🧑💻Actors/Campaigns:
Deadlock (🧠motivation: financially_motivated)
💀Threats:
Deadlock, Byovd_technique
🎯Victims: Finance, Government, Electronics manufacturing, Veterinary pharmaceuticals, Europe
🏭Industry: Healthcare, Financial, Government
🌐Geo: Guinea, Taiwan, Spain, Italy, Poland, Gabon, Angola
🤖LLM extracted TTPs:
T1102.001, T1486, T1562.001
🧨IOCs:
- Hash: 1
🔢Algorithms: sha256
🗂️Win API: Polygon
#threatreport:
The DeadLock ransomware group, active since mid-2025, has recently evolved its methods, incorporating double extortion techniques into its operations. This development was identified following an analysis by the WatchGuard Attestation Team, which highlighted the group's latest tactic of embedding a data leak site directly into their ransom notes. This integration serves to enhance the pressure on victims, as they can view the compromised data while being confronted with the ransom demand.
First reported in July 2025, DeadLock has since evolved in ways documented by security firms such as Cisco Talos, Group-IB, and ThreatScene. Early versions of the ransomware exhibited a range of technical characteristics, including the use of custom encryption algorithms and proxy addresses embedded in Polygon smart contracts, although the new ransom notes show a significant evolution in operational behavior. In particular, a refinement observed in a version compiled in June 2026 indicates that the group has further strengthened its psychological pressure on victims by claiming to provide security reports on how their networks were breached, a tactic not commonly used in the past.
Analysis of the data leak site revealed that it contains 23 pages with numerous entries implicating various high-profile organizations, primarily from Europe, including significant victims from Spain, Italy, Poland, and Türkiye. Notably, the list includes a large electronics manufacturer from Taiwan and a government agency in Papua New Guinea, suggesting that DeadLock targets a diverse range of sectors globally.
Despite this information, operational intelligence regarding the group's initial breach techniques remains scarce. Cisco Talos has suggested that DeadLock employs Bring Your Own Vulnerable Driver (BYOVD) strategies to evade defensive measures during lateral movement post-breach. However, much about how DeadLock gains initial access to targeted networks remains unknown, as detailed telemetry on these initial attack phases has yet to be documented by any leading cybersecurity analysts. The current analysis underscores the pressing need for comprehensive research into the group's methods, as the sophistication and impact of their operations continue to evolve.
All relevant indicators of compromise, references, and artifacts related to DeadLock are accessible on their dedicated Ransomware Entry Page.

#threatreport #MediumCompleteness
Deadlock Ransomware: Current Assessment and Defender Guidance | 01-10-2025
Source: threatscene.com/blog-update/de…
Key details below ↓
💀Threats:
Deadlock, Softperfect_netscan_tool, Anydesk_tool, Mimikatz_tool, Pchunter64_tool, Process_injection_technique, Credential_dumping_technique, Teamviewer_tool
📚TTPs:
⚔️Tactics: 9
🛠️Technics: 26
🧨IOCs:
- File: 1
- Hash: 12
- Coin: 1
💽Software: PsExec, Windows Service
🪙Crypto: bitcoin, monero
🔢Algorithms: sha256
🗂️Win API: polygon
YARA: Found
#threatreport:
DeadLock ransomware, first reported in mid-July 2025, initially operated in a single-extortion model without a leak site. However, it has since evolved into a double extortion model, as confirmed by ThreatScene UNIT 31. The ransomware encrypts files, appending the .dlock extension along with a victim-specific identifier, such as report.pdf.A1B2C3.dlock. Following encryption, it drops several files, including HOW_RECOVER.ID.txt, RECOVERY_CHAT.ID.html, and ID.ico, and alters the desktop wallpaper to emphasize the extortion message. Victims are guided to contact the attackers through a supplied HTML file via the Session messenger, with ransom demands typically made in cryptocurrencies like Bitcoin or Monero.
One distinguishing feature of DeadLock is its execution restriction based on the system's language setting, specifically avoiding Cyrillic configurations, likely reflecting a regional targeting approach by the threat actors. The latest version introduces an additional communication method, providing a minimal Session interface through an HTML file, which facilitates contact for victims who may be less familiar with the messaging application used by the attackers.
In terms of tactics, techniques, and procedures (TTPs), DeadLock has been associated with multiple utilities for discovery, credential access, and remote administration. During incident response for DeadLock, tools such as PCHunter64, SoftPerfect NetScan, PsExec, and Mimikatz were noted, underscoring the sophistication and planning behind the attacks.
Defensive recommendations include ensuring external firewalls and VPNs are fully patched with supported firmware and current threat signatures. Organizations should monitor traffic for anomalies, especially spikes in outbound connections and unusual authentication patterns, as well as hunt for newly created .dlock files and associated ransom notes. Furthermore, implementing multi-factor authentication for remote access and restricting the use of remote administration tools to approved personnel is advised. Maintaining robust offline backups and regularly verifying restoration processes is essential to counter the impacts of such ransomware attacks. YARA rules have been refined to improve detection of the latest versions of DeadLock, aiding in proactive defense efforts.
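The hunt for newly created .dlock files and their ransom notes, as an added example that is not code from the ThreatScene post: it classifies a constructed file listing into the on-disk artifacts described above (encrypted `<name>.<ID>.dlock` files and the `HOW_RECOVER.<ID>.txt`, `RECOVERY_CHAT.<ID>.html` and `<ID>.ico` drops), groups them by victim ID and reports whether the full drop is present. The ID pattern is an assumption based on the single sample `A1B2C3`.

```python
import re
from collections import defaultdict

# Added example, not code from the ThreatScene post. It hunts a file listing
# for the on-disk DeadLock artifacts the post describes: encrypted files named
# "<original>.<ID>.dlock" and the dropped notes "HOW_RECOVER.<ID>.txt",
# "RECOVERY_CHAT.<ID>.html" and "<ID>.ico". Only "A1B2C3" is given as a sample
# ID, so the ID pattern (6-12 upper-case alphanumerics) is an assumption.
ID = r"(?P<id>[A-Z0-9]{6,12})"
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\." + ID + r"\.dlock$")
NOTE_RES = {
    "txt_note": re.compile(r"^HOW_RECOVER\." + ID + r"\.txt$"),
    "html_chat": re.compile(r"^RECOVERY_CHAT\." + ID + r"\.html$"),
    "icon": re.compile(r"^" + ID + r"\.ico$"),
}


def classify(path):
    """Return (kind, victim_id, original_name) for a DeadLock artifact, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = ENCRYPTED_RE.match(name)
    if m:
        return "encrypted", m.group("id"), m.group("orig")
    for kind, rx in NOTE_RES.items():
        m = rx.match(name)
        if m:
            return kind, m.group("id"), None
    return None


def hunt(paths):
    """Group artifacts by victim ID.

    Returns {victim_id: {"encrypted": [original names], "notes": {kind: path},
    "complete": bool}}. "complete" means encrypted files plus all three note
    types share one ID, i.e. the full post-encryption drop described above.
    An ID seen only as "<ID>.ico" is discarded: any six-character upper-case
    icon name would match, so the icon on its own is not evidence.
    """
    found = defaultdict(lambda: {"encrypted": [], "notes": {}, "complete": False})
    for p in paths:
        hit = classify(p)
        if hit is None:
            continue
        kind, vid, orig = hit
        if kind == "encrypted":
            found[vid]["encrypted"].append(orig)
        else:
            found[vid]["notes"][kind] = p
    result = {}
    for vid, rec in found.items():
        if not rec["encrypted"] and set(rec["notes"]) == {"icon"}:
            continue
        rec["complete"] = bool(rec["encrypted"]) and set(rec["notes"]) == set(NOTE_RES)
        result[vid] = rec
    return result


# Constructed sample listing, not real telemetry: one full DeadLock drop, one
# encrypted file under a second ID with no notes yet, and two benign icons.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.pdf.A1B2C3.dlock",
    r"C:\Users\alice\Documents\budget.xlsx.A1B2C3.dlock",
    r"C:\Users\alice\Desktop\HOW_RECOVER.A1B2C3.txt",
    r"C:\Users\alice\Desktop\RECOVERY_CHAT.A1B2C3.html",
    r"C:\Users\alice\Desktop\A1B2C3.ico",
    r"C:\Users\alice\Desktop\favicon.ico",
    r"C:\Users\alice\Desktop\LOGO42.ico",
    r"D:\share\notes.txt.ZZ9ZZ9.dlock",
]

if __name__ == "__main__":
    for vid, rec in hunt(SAMPLE_LISTING).items():
        status = "FULL DROP" if rec["complete"] else "partial"
        print(f"{vid}: {status}, {len(rec['encrypted'])} encrypted, notes={sorted(rec['notes'])}")
```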

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
windows: 1, code: 2, schema: 1, dump: 2

#threatreport #HighCompleteness
StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader | 24-06-2026
Source: securelist.com/strikeshark-ca…
Key details below ↓
🧑💻Actors/Campaigns:
Strikeshark (🧠motivation: cyber_espionage)
💀Threats:
Cobalt_strike_tool, Sharkloader, Proxylogon_exploit, Dll_sideloading_technique, Dll_hijacking_technique, Fscan_tool, Searchall_tool, Pillager_tool, Sharpgpoabuse_tool, Credential_dumping_technique
🎯Victims: Diplomatic organizations, Government organizations, Software development companies
🏭Industry: Government, Software_development
🌐Geo: Nepal, Syria, Colombian, Taiwan, Macedonia, Indonesia, Lebanon, Hong kong, Serbia, Colombia, North macedonia, Indonesian, Chinese
🔓CVEs: CVE-2016-4437 [Vulners](vulners.com/cve/CVE-2016-4…)
- CVSS V3.1: *9.8*
- Vulners: Exploitation: True
Soft:
- apache aurora (<0.18.1)
- apache shiro (<1.2.5)
CVE-2022-40684 [Vulners](vulners.com/cve/CVE-2022-4…)
- CVSS V3.1: *9.8*
- Vulners: Exploitation: True
Soft:
- fortinet fortiproxy (<7.0.7, 7.2.0)
- fortinet fortiswitchmanager (7.0.0, 7.2.0)
- fortinet fortios (<7.0.7, <7.2.2)
CVE-2021-36260 [Vulners](vulners.com/cve/CVE-2021-3…)
- CVSS V3.1: *9.8*
- Vulners: Exploitation: True
Soft:
- hikvision ds-2cd2026g2-iu/sl_firmware (-)
CVE-2022-27925 [Vulners](vulners.com/cve/CVE-2022-2…)
- CVSS V3.1: *7.2*
- Vulners: Exploitation: True
Soft:
- synacor zimbra_collaboration_suite (8.8.15, 9.0.0)
CVE-2024-21762 [Vulners](vulners.com/cve/CVE-2024-2…)
- CVSS V3.1: *9.8*
- Vulners: Exploitation: True
Soft:
- fortinet fortiproxy (<2.0.14, <7.0.15, <7.2.9, <7.4.3)
- fortinet fortios (<6.0.18, <6.2.16, <6.4.15, <7.0.14, <7.2.7)
CVE-2023-32315 [Vulners](vulners.com/cve/CVE-2023-3…)
- CVSS V3.1: *8.6*
- Vulners: Exploitation: True
Soft:
- igniterealtime openfire (<4.6.8, <4.7.5)
CVE-2025-55182 [Vulners](vulners.com/cve/CVE-2025-5…)
- CVSS V3.1: *10.0*
- Vulners: Exploitation: True
Soft:
- facebook react (19.0.0, 19.1.0, 19.1.1, 19.2.0)
CVE-2023-46747 [Vulners](vulners.com/cve/CVE-2023-4…)
- CVSS V3.1: *9.8*
- Vulners: Exploitation: True
Soft:
- f5 big-ip_access_policy_manager (<=13.1.5, <=14.1.5, <=15.1.10, <=16.1.4, <=17.1.1)
CVE-2023-20198 [Vulners](vulners.com/cve/CVE-2023-2…)
- CVSS V3.1: *10.0*
- Vulners: Exploitation: True
Soft:
- rockwellautomation allen-bradley_stratix_5200_firmware (<17.12.02)
CVE-2024-36401 [Vulners](vulners.com/cve/CVE-2024-3…)
- CVSS V3.1: *9.8*
- Vulners: Exploitation: True
Soft:
- geoserver (<2.22.6, <2.23.6, <2.24.4, <2.25.2)
- geotools (<29.6, <30.4, <31.2, 30.0, 31.0)
CVE-2022-41082 [Vulners](vulners.com/cve/CVE-2022-4…)
- CVSS V3.1: *8.0*
- Vulners: Exploitation: True
Soft:
- microsoft exchange_server (2013, 2016, 2019)
CVE-2021-26855 [Vulners](vulners.com/cve/CVE-2021-2…)
- CVSS V3.1: *9.8*
- Vulners: Exploitation: True
Soft:
- microsoft exchange_server (2013, 2016, 2019)
CVE-2021-27076 [Vulners](vulners.com/cve/CVE-2021-2…)
- CVSS V3.1: *8.8*
- Vulners: Exploitation: Unknown
Soft:
- microsoft business_productivity_servers (2010)
- microsoft sharepoint_foundation (2013)
- microsoft sharepoint_server (2016, 2019)
📚TTPs:
⚔️Tactics: 2
🛠️Technics: 0
🤖LLM extracted TTPs:
T1003.001, T1003.003, T1018, T1027.002, T1027.009, T1033, T1036.004, T1036.005, T1036.007, T1049, ...
🧨IOCs:
- File: 10
- Path: 3
- Command: 4
- Hash: 9
- Domain: 4
💽Software: Microsoft Exchange, Microsoft SharePoint, Openfire, GeoServer, Apache Shiro, Zimbra Collaboration Suite, Microsoft Exchange Server, BIG-IP, Fortinet FortiOS, AnyConnect, ...
🔢Algorithms: aes, aes-128, blowfish, ror13, md5
🔠Functions: SetUserProcessPriorityBoost, Beacon
🗂️Win API: ShellExecuteW, CreateThread, LoadLibrary, LeaveCriticalSection, InterlockedDecrement64, SetEvent, VirtualAlloc, CreateProcessA, CreateProcessW, CreateWaitableTimerW, ...
📜Programming Languages: powershell
#threatreport:
The StrikeShark campaign has been identified as a sophisticated threat involving a new malware loader named SharkLoader, aimed at deploying Cobalt Strike Beacon on compromised systems. This campaign appears to leverage multiple infection vectors, primarily through the exploitation of vulnerabilities in internet-facing applications such as Microsoft Exchange, Openfire Server, and GeoServer. Notable vulnerabilities identified include CVE-2021-26855 (ProxyLogon) and CVE-2023-32315, which were exploited in attacks across various nations, indicating a broad target range that spans governmental and software development sectors globally.
The attackers utilize both exploitation methods and custom droppers, with the latter often impersonating legitimate software installations. For instance, a Cisco AnyConnect installer was used as a lure, which extracted and executed malicious components while appearing legitimate to users. The SharkLoader dropper executes these components discreetly, storing them in common directories such as %APPDATA% and employs techniques to maintain persistence, including scheduled tasks and registry modifications.
Once loaded, SharkLoader employs a Perfect DLL Hijacking technique to execute its malicious code without deadlocking on the Windows loader lock, revealing a high level of technical sophistication. The malware also implements robust evasion techniques, such as API hooking and the use of Vectored Exception Handlers to manipulate memory protections during its operations.
The infection chain establishes a layered architecture where SharkLoader unpacks further malicious payloads like DscCoreR.mui and SyncRes.dat, leading to the eventual execution of Cobalt Strike Beacon shellcode. This advanced implementation allows the malware to create threads for executing its payload while actively monitoring system behavior for potential detection.
Victimology suggests a dual strategy, targeting both government and commercial software development entities, hinting at potential espionage motives alongside a capacity for opportunistic exploitation of vulnerabilities across sectors. Despite distinct indicators pointing toward Chinese-speaking developers behind the tools utilized in this campaign, attribution remains preliminary as no definitive connections to known cyber threat actors have been established.
In summary, the ongoing investigation surrounding the StrikeShark campaign illustrates a complex malware delivery system capable of wide-reaching attacks across various sectors, warranting careful scrutiny and preparation against such evolving technical threats.
