RST Cloud

We have started posting sample preprocessing analyses of threat reports from our Report Hub, showcasing results from one of the first stages of our multi-stage engine. If you have any suggestions for tweet format improvement, please send us a message

#tireport #ExtractedDiagrams The key diagram for the report (ML Classifier): schema: 2

#threatreport #HighCompleteness StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them | 24-06-2026 Source: microsoft.com/en-us/security… Key details below ↓ 💀Threats: Stealc, Amadey, Lumma_stealer, Redline_stealer, Raccoon_stealer, Vidar_stealer, Seo_poisoning_technique, Clickfix_technique, Credential_stealing_technique, Process_injection_technique, 🎯Victims: Enterprise environments, Consumer devices, Financial services, Cryptocurrency, Gaming, Email services, Information technology 🏭Industry: Entertainment, Financial 🌐Geo: Russian, Ukrainian, Belarusian 📚TTPs: ⚔️Tactics: 4 🛠️Technics: 0 🧨IOCs: - File: 15 - Command: 1 - Path: 1 - Hash: 15 - Url: 12 💽Software: Microsoft Defender, Microsoft Defender for Endpoint, Telegram, Steam, Outlook, Foxmail, WinSCP, Chromium, Chrome, Opera, ... 🔢Algorithms: rc4, base64, sha256 🗂️Win API: As, CreateProcessA, VirtualAllocEx, WriteProcessMemory, QueueUserAPC, ResumeThread, WaitForSingleObject 📜Programming Languages: python, powershell #threatreport: Infostealers, particularly the StealC family, along with delivery mechanisms like Amadey, pose significant risks within the cybercrime ecosystem by efficiently harvesting sensitive data such as passwords, cookies, and session tokens. After compromising personal devices, these threats can extend to enterprise networks, especially if credentials fall into the hands of attackers, potentially bypassing safeguards like multifactor authentication (MFA). StealC operates as a malware-as-a-service (MaaS), allowing threat actors to create tailored payloads and manage exfiltrated data through a centralized web panel. Its capabilities include stealing credentials from various browsers, cryptocurrency wallets, email clients, messaging apps, and gaming platforms. This modular approach makes it easy for operators to use a single initial infection to escalate into multiple threats. The malware is particularly sophisticated, employing techniques to embed its payloads within legitimate processes to enhance stealth. Amadey complements StealC by serving as a loader that delivers various types of malware, including StealC. Functional since at least 2018, Amadey has been associated with several high-profile infections and can execute commands for file downloads, backdoor communication, and credential theft. Its deployment often involves creating scheduled tasks for persistence and uses HTTP for command-and-control (C2) communication, encrypting its traffic with RC4. The attack lifecycle for infostealers typically involves methods that capitalize on user behavior, such as SEO poisoning and phishing. This makes it easier for attackers to distribute malware without relying heavily on exploiting software vulnerabilities. Once deployed, infostealers can extract a wide array of credentials and tokens, often exporting this data back to C2 servers in a highly structured format. The underground market for stolen credentials is lucrative, with logs appearing on dark web platforms shortly after extraction. Prices for logs vary depending on their value—corporate credentials can fetch upwards of $100, while more common logs may sell for as little as $2. This rapid monetization further highlights the need for effective identity protection and breach detection measures, as attackers can exploit stolen credentials for enterprise breaches within a matter of days or even hours. In terms of technical operation, StealC executes a series of complex processes to gather sensitive information. It crafts HTTP POST requests for C2 registration, embedding necessary data in encrypted formats. In practice, this includes intricate methods of credential harvesting from web browsers using injection techniques that circumvent built-in security measures. Amadey’s architecture allows it to modularly expand its capabilities by downloading additional plugins for credential or clipboard theft upon receiving commands from its C2 infrastructure. The malware strategically queries the system registry for configurations that inform its operations, maintaining a flexible and stealthy profile that adapts to the host environment. Despite efforts to disrupt these operations, including a coordinated takedown of infrastructure supporting StealC and Amadey, the adaptability and commercial nature of their services ensure that the threat persists. Organizations must remain vigilant against the risks posed by infostealers and their delivery mechanisms, emphasizing the importance of robust cybersecurity practices to mitigate exposure and respond effectively to breaches.

#threatreport #MediumCompleteness Ransomware Over WebChat: How Deadlock Used Polygon Blockchain and Session-Style Crypto for Negotiations | 16-12-2025 Source: threatscene.com/blog-update/ra… Key details below ↓ 🧑‍💻Actors/Campaigns: Deadlock 💀Threats: Deadlock, 🏭Industry: Financial, Petroleum 🌐Geo: Ukrainian, Ukraine, Austrian, South africa, Germany, Iran, Iranian, Belize 📚TTPs: ⚔️Tactics: 1 🛠️Technics: 0 🤖LLM extracted TTPs:` T1027, T1059.007, T1071.001, T1090.002, T1102.001, T1140, T1573.002 🧨IOCs: - File: 79 - Coin: 11 - Url: 5 - IP: 5 - Email: 2 - Domain: 5 💽Software: Jabber, WordPress, Telegram, Discord, Truecaller 📲Wallets: mainnet, metamask 🪙Crypto: ethereum, bitcoin, arbitrum, monero 🔢Algorithms: base64, curve25519, poly1305, xsalsa20, md5, ed25519 🔠Functions: constructor, owner, getProxy, setProxy, getContract, ed2curve, getChat, JSON-RPC 🗂️Win API: Polygon, Writer, sendMessage 📜Programming Languages: php, javascript, solidity #threatreport: The Deadlock ransomware incident showcases an innovative communication technique employed by cybercriminals, leveraging a custom HTML chat client embedded within a ransom note delivered as an HTML file on the victim's desktop. When opened, this file initializes a lightweight messaging client crafted in obfuscated JavaScript. This client operates through a smart contract on the Polygon blockchain, enabling a connection to a network of service nodes for secure communication between victim and attacker, effectively creating a covert messenger system. The JavaScript client gathers the proxy URL from the Polygon smart contract and uses it for authentication with unique credentials, which derive keypairs through Ed25519/Curve25519 cryptography. The chat's messages, encoded in a Protobuf format, undergo encryption via NaCl sealed boxes, illustrating the complexity of the encryption employed. The smart contract on Polygon serves as a dynamic configuration tool, hosting a stable endpoint for updating command and control (C2) infrastructure without reliance on static domains. Polygon's role in this operation is pivotal; it provides a cost-effective alternative to Ethereum for hosting and managing the infrastructure needed for the ransomware operations. Limited by significantly lower gas costs, it facilitates the seamless execution of contracts for the threat actors. The research detailed the smart contract mechanics that govern the interactions, emphasizing a design where the contract maintains only essential data for communication routing, further complicating efforts to disrupt the crime. Defense-oriented insights drawn from this incident stress the necessity for analysts to treat HTML artifacts with the same scrutiny as traditional executable malware. Given that the entire communication framework resided within the JavaScript, understanding the network behavior and scripting details is essential for investigations. Moreover, heightened vigilance around blockchain interactions becomes crucial, as the presence of JSON-RPC calls to EVM-compatible networks indicates potential malicious activity.

#threatreport #MediumCompleteness OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat | 23-06-2026 Source: unit42.paloaltonetworks.com/openclaw-ai-su… Key details below ↓ 🧑‍💻Actors/Campaigns: Clawhavoc 💀Threats: Supply_chain_technique, Amos_stealer, Paste-jacking_technique, 🎯Victims: Openclaw users, Macos users, Financial communities, Cryptocurrency users, Mainland china, Hong kong, Singapore 🏭Industry: E-commerce, Financial, Retail 🌐Geo: Singapore, Hong kong, China 🤖LLM extracted TTPs:` T1027, T1027.001, T1036, T1041, T1053.003, T1059.004, T1105, T1140, T1195, T1204.004, ... 🧨IOCs: - IP: 2 - Domain: 7 - Hash: 6 - Url: 6 - File: 1 💽Software: OpenClaw, ClawHub, macOS, Telegram, TradingView 🪙Crypto: solana 🔢Algorithms: sha256, base64 #threatreport: OpenClaw is an AI agent that operates through third-party skills available on ClawHub, which has been under scrutiny due to malicious activities following its launch. Skills in this ecosystem, which offer broad system access, have been found to contain malicious payloads that compromise user systems. A critical examination between February and May 2026 revealed five unblocked malicious skills categorized as infostealers, evasive techniques, and agentic threats. The infostealers specifically included macOS malware that communicated with command-and-control (C2) servers, while the evasive techniques involved file padding to escape detection by screening tools like VirusTotal and ClawScan. Malicious skills abusing the AI supply chain exploit semantic instruction hijacking to bypass conventional security measures. They can manipulate an agent's operational permissions, allowing unauthorized actions without typical exploit methods. This newfound attack surface contrasts traditional software supply chain vulnerabilities, showcasing how attackers leverage the inherent access provided to AI agents. Notably, early reports disclosed that about 17% of analyzed OpenClaw skills carried malicious content, with various methods employed for payload delivery, including deceptive Base64-encoded command structures and paste-site redirects. The malicious payloads included AMOS stealer malware and other infostealers, utilizing Base64-encoded dropper mechanisms. Persistent mechanisms like auto-updaters have been established to maintain C2 communication even after the malicious skills are reported and removed. Additionally, novel schemes, such as runtime affiliate injection through financial advisory skills, propped up profits by steering users to affiliate links without their knowledge. The skill after installation maintained real-time control over the referral data, allowing dynamic adjustment of recommended products or services based on malicious intentions. Another sophisticated attack observed was agentic front-running, wherein operators manipulated the ClawHub platform to execute trades on meme tokens using multiple AI agents. This method involved pooling cryptocurrency within the operator's wallet before publicly launching tokens, creating artificial demand that could be exploited for financial gain. The ongoing evolution of these threats emphasizes the necessity for organizations to implement rigorous monitoring and supply chain verification processes. Active validation of skill documentation, publisher provenance, and line-by-line audits are critical in countering these vulnerabilities, alongside monitoring outbound network connections to detect anomalous behavior indicative of compromise. Such measures are imperative in safeguarding environments against these complex threats that continue to adapt and evade existing detection capabilities.

#threatreport #LowCompleteness DeadLock Ransomware Group Embeds Data Leak Site Within Ransom Note | 08-06-2026 Source: watchguard.com/wgrd-security-… Key details below ↓ 🧑‍💻Actors/Campaigns: Deadlock (🧠motivation: financially_motivated) 💀Threats: Deadlock, Byovd_technique, 🎯Victims: Finance, Government, Electronics manufacturing, Veterinary pharmaceuticals, Europe 🏭Industry: Healthcare, Financial, Government 🌐Geo: Guinea, Taiwan, Spain, Italy, Poland, Gabon, Angola 🤖LLM extracted TTPs:` T1102.001, T1486, T1562.001 🧨IOCs: - Hash: 1 🔢Algorithms: sha256 🗂️Win API: Polygon #threatreport: The DeadLock ransomware group, active since mid-2025, has recently evolved its methods, incorporating double extortion techniques into its operations. This development was identified following an analysis by the WatchGuard Attestation Team, which highlighted the group's latest tactic of embedding a data leak site directly into their ransom notes. This integration serves to enhance the pressure on victims, as they can view the compromised data while being confronted with the ransom demand. Initially observed in its first reported sightings in July 2025, DeadLock's evolution has included various elements previously documented by security firms such as Cisco Talos, Group-IB, and ThreatScene. Early versions of the ransomware exhibited a range of technical characteristics, including the use of custom encryption algorithms and proxy addresses embedded in Polygon smart contracts, although the new ransom notes show a significant evolution in operational behavior. Particularly, a refinement observed in a version compiled in June 2026 indicates that the group has further strengthened its psychological warfare against victims by including claims of providing security reports on how networks were breached, a tactic not commonly used in the past. Analysis of the data leak site revealed that it contains 23 pages with numerous entries implicating various high-profile organizations, primarily from Europe, including significant victims from Spain, Italy, Poland, and Türkiye. Notably, the list includes a large electronics manufacturer from Taiwan and a government agency in Papua New Guinea, suggesting that DeadLock targets a diverse range of sectors globally. Despite this information, operational intelligence regarding the group's initial breach techniques remains scarce. Cisco Talos has suggested that DeadLock employs Bring Your Own Vulnerable Driver (BYOVD) strategies to evade defensive measures during lateral movement post-breach. However, much about how DeadLock gains initial access to targeted networks remains unknown, as detailed telemetry on these initial attack phases has yet to be documented by any leading cybersecurity analysts. The current analysis underscores the pressing need for comprehensive research into the group's methods, as the sophistication and impact of their operations continue to evolve. All relevant indicators of compromise, references, and artifacts related to DeadLock are accessible on their dedicated Ransomware Entry Page.

#threatreport #MediumCompleteness Deadlock Ransomware: Current Assessment and Defender Guidance | 01-10-2025 Source: threatscene.com/blog-update/de… Key details below ↓ 💀Threats: Deadlock, Softperfect_netscan_tool, Anydesk_tool, Mimikatz_tool, Pchunter64_tool, Process_injection_technique, Credential_dumping_technique, Teamviewer_tool, 📚TTPs: ⚔️Tactics: 9 🛠️Technics: 26 🧨IOCs: - File: 1 - Hash: 12 - Coin: 1 💽Software: PsExec, Windows Service 🪙Crypto: bitcoin, monero 🔢Algorithms: sha256 🗂️Win API: polygon YARA: Found #threatreport: DeadLock ransomware, first reported in mid-July 2025, initially operated as a single extortion mode without a leak site. However, it has since evolved into a double extortion model, as confirmed by ThreatScene UNIT 31. The ransomware encrypts files, appending the .dlock extension along with a victim-specific identifier, such as report.pdf.A1B2C3.dlock. Following encryption, it drops several files, including HOW_RECOVER.ID.txt, RECOVERY_CHAT.ID.html, and ID.ico, and alters the desktop wallpaper to emphasize the extortion message. Victims are guided to contact the attackers through a supplied HTML file via the Session messenger, with ransom demands typically made in cryptocurrencies like Bitcoin or Monero. One distinguishing feature of DeadLock is its execution restriction based on the system's language setting, specifically avoiding Cyrillic configurations, likely reflecting a regional targeting approach by the threat actors. The latest version introduces an additional communication method, providing a minimal Session interface through an HTML file, which facilitates contact for victims who may be less familiar with the messaging application used by the attackers. In terms of tactics, techniques, and procedures (TTPs), DeadLock has been associated with multiple utilities for discovery, credential access, and remote administration. During incident response for DeadLock, tools such as PCHunter64, SoftPerfect NetScan, PsExec, and Mimikatz were noted, underscoring the sophistication and planning behind the attacks. Defensive recommendations include ensuring external firewalls and VPNs are fully patched with supported firmware and current threat signatures. Organizations should monitor traffic for anomalies, especially spikes in outbound connections and unusual authentication patterns, as well as hunt for newly created .dlock files and associated ransom notes. Furthermore, implementing multi-factor authentication for remote access and restricting the use of remote administration tools to approved personnel is advised. Maintaining robust offline backups and regularly verifying restoration processes is essential to counter the impacts of such ransomware attacks. YARA rules have been refined to improve detection of the latest versions of DeadLock, aiding in proactive defense efforts.

#tireport #ExtractedDiagrams The key diagram for the report (ML Classifier): windows: 1, code: 2, schema: 1, dump: 2

#threatreport #HighCompleteness StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader | 24-06-2026 Source: securelist.com/strikeshark-ca… Key details below ↓ 🧑‍💻Actors/Campaigns: Strikeshark (🧠motivation: cyber_espionage) 💀Threats: Cobalt_strike_tool, Sharkloader, Proxylogon_exploit, Dll_sideloading_technique, Dll_hijacking_technique, Fscan_tool, Searchall_tool, Pillager_tool, Sharpgpoabuse_tool, Credential_dumping_technique, 🎯Victims: Diplomatic organizations, Government organizations, Software development companies 🏭Industry: Government, Software_development 🌐Geo: Nepal, Syria, Colombian, Taiwan, Macedonia, Indonesia, Lebanon, Hong kong, Serbia, Colombia, North macedonia, Indonesian, Chinese 🔓CVEs: CVE-2016-4437 \[[Vulners](vulners.com/cve/CVE-2016-4…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - apache aurora (<0.18.1) - apache shiro (<1.2.5) CVE-2022-40684 \[[Vulners](vulners.com/cve/CVE-2022-4…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - fortinet fortiproxy (<7.0.7, 7.2.0) - fortinet fortiswitchmanager (7.0.0, 7.2.0) - fortinet fortios (<7.0.7, <7.2.2) CVE-2021-36260 \[[Vulners](vulners.com/cve/CVE-2021-3…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - hikvision ds-2cd2026g2-iu\/sl_firmware (-) CVE-2022-27925 \[[Vulners](vulners.com/cve/CVE-2022-2…)] - CVSS V3.1: *7.2*, - Vulners: Exploitation: True Soft: - synacor zimbra_collaboration_suite (8.8.15, 9.0.0) CVE-2024-21762 \[[Vulners](vulners.com/cve/CVE-2024-2…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - fortinet fortiproxy (<2.0.14, <7.0.15, <7.2.9, <7.4.3) - fortinet fortios (<6.0.18, <6.2.16, <6.4.15, <7.0.14, <7.2.7) CVE-2023-32315 \[[Vulners](vulners.com/cve/CVE-2023-3…)] - CVSS V3.1: *8.6*, - Vulners: Exploitation: True Soft: - igniterealtime openfire (<4.6.8, <4.7.5) CVE-2025-55182 \[[Vulners](vulners.com/cve/CVE-2025-5…)] - CVSS V3.1: *10.0*, - Vulners: Exploitation: True Soft: - facebook react (19.0.0, 19.1.0, 19.1.1, 19.2.0) CVE-2023-46747 \[[Vulners](vulners.com/cve/CVE-2023-4…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - f5 big-ip_access_policy_manager (le13.1.5, le14.1.5, le15.1.10, le16.1.4, le17.1.1) CVE-2023-20198 \[[Vulners](vulners.com/cve/CVE-2023-2…)] - CVSS V3.1: *10.0*, - Vulners: Exploitation: True Soft: - rockwellautomation allen-bradley_stratix_5200_firmware (<17.12.02) CVE-2024-36401 \[[Vulners](vulners.com/cve/CVE-2024-3…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - geoserver (<2.22.6, <2.23.6, <2.24.4, <2.25.2) - geotools (<29.6, <30.4, <31.2, 30.0, 31.0) CVE-2022-41082 \[[Vulners](vulners.com/cve/CVE-2022-4…)] - CVSS V3.1: *8.0*, - Vulners: Exploitation: True Soft: - microsoft exchange_server (2013, 2016, 2019) CVE-2021-26855 \[[Vulners](vulners.com/cve/CVE-2021-2…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - microsoft exchange_server (2013, 2016, 2019) CVE-2021-27076 \[[Vulners](vulners.com/cve/CVE-2021-2…)] - CVSS V3.1: *8.8*, - Vulners: Exploitation: Unknown Soft: - microsoft business_productivity_servers (2010) - microsoft sharepoint_foundation (2013) - microsoft sharepoint_server (2016, 2019) 📚TTPs: ⚔️Tactics: 2 🛠️Technics: 0 🤖LLM extracted TTPs:` T1003.001, T1003.003, T1018, T1027.002, T1027.009, T1033, T1036.004, T1036.005, T1036.007, T1049, ... 🧨IOCs: - File: 10 - Path: 3 - Command: 4 - Hash: 9 - Domain: 4 💽Software: Microsoft Exchange, Microsoft SharePoint, Openfire, GeoServer, Apache Shiro, Zimbra Collaboration Suite, Microsoft Exchange Server, BIG-IP, Fortinet FortiOS, AnyConnect, ... 🔢Algorithms: aes, aes-128, blowfish, ror13, md5 🔠Functions: SetUserProcessPriorityBoost, Beacon 🗂️Win API: ShellExecuteW, CreateThread, LoadLibrary, LeaveCriticalSection, InterlockedDecrement64, SetEvent, VirtualAlloc, CreateProcessA, CreateProcessW, CreateWaitableTimerW, ... 📜Programming Languages: powershell #threatreport: The StrikeShark campaign has been identified as a sophisticated threat involving a new malware loader named SharkLoader, aimed at deploying Cobalt Strike Beacon on compromised systems. This campaign appears to leverage multiple infection vectors, primarily through the exploitation of vulnerabilities in internet-facing applications such as Microsoft Exchange, Openfire Server, and GeoServer. Notable vulnerabilities identified include CVE-2021-26855 (ProxyLogon) and CVE-2023-32315, which were exploited in attacks across various nations, indicating a broad target range that spans governmental and software development sectors globally. The attackers utilize both exploitation methods and custom droppers, with the latter often impersonating legitimate software installations. For instance, a Cisco AnyConnect installer was used as a lure, which extracted and executed malicious components while appearing legitimate to users. The SharkLoader dropper executes these components discreetly, storing them in common directories such as %APPDATA% and employs techniques to maintain persistence, including scheduled tasks and registry modifications. Once loaded, SharkLoader employs a Perfect DLL Hijacking technique to execute its malicious code without causing deadlocks due to the Windows loader lock, revealing a high level of technical sophistication. The malware also implements robust evasion techniques, such as API hooking and the use of Vectored Exception Handlers to deceitfully manage memory protections during its operations. The infection chain establishes a layered architecture where SharkLoader unpacks further malicious payloads like DscCoreR.mui and SyncRes.dat, leading to the eventual execution of Cobalt Strike Beacon shellcode. This advanced implementation allows the malware to create threads for executing its payload while actively monitoring system behavior for potential detection. Victimology suggests a dual strategy, targeting both government and commercial software development entities, hinting at potential espionage motives alongside a capacity for opportunistic exploitation of vulnerabilities across sectors. Despite distinct indicators pointing toward Chinese-speaking developers behind the tools utilized in this campaign, attribution remains preliminary as no definitive connections to known cyber threat actors have been established. In summary, the ongoing investigation surrounding the StrikeShark campaign illustrates a complex malware delivery system capable of wide-reaching attacks across various sectors, warranting careful scrutiny and preparation against such evolving technical threats.

#threatreport #HighCompleteness Analyzing TAX#TRIDENT: Fake Indian Tax Lures Pivot Across ZIP, VBS, Stego and PHP-Wrapped VBS Delivery | 23-06-2026 Source: securonix.com/blog/taxtriden… Key details below ↓ 🧑‍💻Actors/Campaigns: Tax_trident (🧠motivation: cyber_espionage, financially_motivated) 💀Threats: Steganography_technique, Sysaid_tool, Syncfuture_tool, Ytscrat, Lolbin_technique, Bitsadmin_tool, Spear-phishing_technique, 🎯Victims: Windows endpoints, India 🏭Industry: Financial 🌐Geo: China, Indian, Chinese, India 📚TTPs: ⚔️Tactics: 7 🛠️Technics: 23 🧨IOCs: - Domain: 4 - File: 6 - IP: 8 - Path: 4 - Url: 6 - Hash: 16 💽Software: Windows installer, Windows service, curl 🔢Algorithms: zip, sha256 ⚙️Win Services: BITS 📜Programming Languages: vbscript, powershell, php, visual_basic 💻Platforms: x86 #threatreport: The TAX#TRIDENT campaign represents an ongoing cyber threat leveraging fake Indian Income Tax-themed lures to deliver malicious payloads to Windows endpoints. This operation employs three distinct delivery paths: direct ZIP file downloads, VBScript downloaders, and PHP-looking web endpoints that return malicious script content. Regardless of the delivery mechanism, each route culminates in the installation of a signed ClientSetup payload. Upon execution, this payload establishes a hidden client directory, maintains persistence through services and drivers, writes configuration settings, and initiates outbound network communications. The evolution of the TAX#TRIDENT campaign is marked not by the emergence of new malware but by the repurposing and expansion of previously documented tax-themed tactics. The campaign intertwines established behaviors seen in adverse software associated with Chinese tooling, particularly evident in file metadata and configuration naming conventions that align with known Chinese software abuse. However, while these insights reveal the type of software exploited, they do not provide definitive attribution to specific threat actors. The first delivery chain begins at a fake Indian tax assessment page leading to a ZIP file that executes a signed Windows installer. This method relies on social engineering, prompting victims to believe they are opening legitimate tax-related documents. The second chain deploys the same ClientSetup payload via a VBScript that showcases a decoy image, further obscuring the attack's true intent. The third approach adopts a unique PHP endpoint named "download.php," which serves VBScript content masked as a web application, facilitating downloads from cloud-hosted resources and subtly altering UAC behavior to facilitate the silent installation of the ManageEngine UEMS agent. Key behavioral indicators signal potential malicious activity, such as VBScript execution from unexpected web application extensions like ".php", and the presence of disguised executable tools within public directories. Additionally, unusual UAC policy modifications, silent MSI installations, and unsolicited outbound traffic to unapproved infrastructures should be heavily scrutinized.

#threatreport #LowCompleteness Payouts King Ransomware Initial Access Broker Deploys New Edgecution Malware | 23-06-2026 Source: zscaler.com/blogs/security… Key details below ↓ 🧑‍💻Actors/Campaigns: Payouts_king 💀Threats: Edgecution, 🎯Victims: Organizations 📚TTPs: ⚔️Tactics: 1 🛠️Technics: 0 🤖LLM extracted TTPs:` T1027, T1036, T1053.005, T1059.001, T1059.003, T1059.006, T1071.001, T1082, T1112, T1140, ... 🧨IOCs: - Path: 1 - Registry: 2 - File: 2 - Url: 4 - Hash: 2 💽Software: Microsoft Edge, Chrome, Microsoft Teams, Outlook, AutoHotKey, Microsoft Outlook, Windows registry 🔢Algorithms: sha256, zip 📜Programming Languages: python, powershell #threatreport: The Payouts King ransomware has harnessed a sophisticated technique involving a malicious Microsoft Edge browser extension dubbed Edgecution, which is used by an initial access broker. This extension exploits the Chrome native messaging protocol, allowing attackers to bypass typical browser sandbox limitations and gain extensive control over host systems. This capability enables the manipulation of the local filesystem, execution of arbitrary code, and launching of processes directly from the compromised host. The Edgecution malware employs two primary components: the malicious Edge browser extension and a Python-based backdoor. The attack vector typically begins with social engineering tactics, where the threat actor impersonates IT staff through platforms like Microsoft Teams, convincing victims to download a fake patch disguised within an encrypted ZIP file. This ZIP file contains files necessary to deploy the Edgecution malware, including a Python distribution, an extension, and an obfuscated Python script that carries out the malicious functions. Upon installation, commands from the AutoHotKey script or other scripts configure the environment, fix ZIP file headers, and create a scheduled task that executes Microsoft Edge loaded with the malicious extension. The extension masquerades as an "Edge Monitoring Agent" and establishes communication with a command-and-control (C2) server hosted on AWS. The Python backdoor acts as a bridge, executed in a headless mode, allowing the attackers to avoid drawing user attention while maintaining operational control over the compromised environment. Edgecution's functionality includes a variety of commands for malicious activities, many of which require permissions usually restricted to regular browser extensions. By using the native messaging protocol, the Edgecution extension can invoke the backdoor to perform tasks that include filesystem access and code execution. Communication between the extension and the Python backdoor is structured in JSON format, with messages indicating command types and execution results. This collaboration between the malicious extension and its Python backdoor illustrates a sophisticated method of maintaining a foothold in victim environments, marking a notable evolution in tactics employed by ransomware affiliates. The methods employed by the Payouts King attackers highlight the need for organizations to enhance their defenses against such threats, emphasizing the importance of monitoring browser extension installations, controlling native messaging configurations, and conducting user education to detect suspicious communications that mimic legitimate updates.

#threatreport #MediumCompleteness CVE-2025-54068 Laravel Livewire Credential Theft Campaign: 6,000+ Applications Compromised | 23-06-2026 Source: imperva.com/blog/cve-2025-… Key details below ↓ 🎯Victims: E commerce, Healthcare, Financial services, Education, Government, Online gambling and betting, Logistics 🏭Industry: Government, Healthcare, E-commerce, Education, Logistic 🌐Geo: Asia, Indonesian, Asian, Brazilian 🔓CVEs: CVE-2025-54068 \[[Vulners](vulners.com/cve/CVE-2025-5…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - laravel livewire (<3.6.4) 📚TTPs: ⚔️Tactics: 4 🛠️Technics: 11 🧨IOCs: - Url: 1 - File: 2 - Hash: 1 - IP: 1 - Domain: 1 - Email: 1 💽Software: Laravel Livewire, Livewire, Laravel, telegram, Unix, curl 🔢Algorithms: zip, sha256 📜Programming Languages: php #threatreport: On May 24, 2026, a major credential theft campaign exploiting CVE-2025-54068 was observed targeting Laravel Livewire applications, primarily affecting versions up to v3.6.3. This critical vulnerability arises from inadequate validation of component property updates during the hydration process, which allows unauthenticated attackers to inject malicious serialized PHP objects leading to arbitrary code execution upon deserialization. The attacker leveraged this flaw to execute a payload that fetched and executed a Bash script from their command-and-control (C2) server. The captured payload indicated that the attacker used PHPGGC gadget chains, which exploit existing legitimate PHP classes within Laravel applications. The malicious Bash shell script, identified as shoc.enz, was a lightweight 5,269 bytes in size, and served as a credential stealer. Once executed, it set up a temporary working directory, ensured no other instances were running, searched for sensitive .env files containing crucial configuration data, archived these files, and subsequently exfiltrated them to multiple C2 channels, while also cleaning up to erase forensic traces. Analysis revealed that over 6,167 applications across diverse sectors, including e-commerce, healthcare, financial services, and even governmental bodies, had their credentials compromised. The extant data included more than 1,850 database dumps and extensive email lists, indicating the active exploitation of stolen credentials. Indicators attributing the campaign to an Indonesian threat actor included linguistic elements in the malware’s code and metadata associated with the C2 infrastructure, including Telegram handles and an email address linked to multiple prior breaches in underground forums. The targeted applications encompassed a wide array of Laravel deployments, including platforms related to online gambling, education, and logistics, thereby underscoring the indiscriminate nature of the scanning efforts. Any organization utilizing unpatched Laravel Livewire v3 versions was potential prey for this extensive campaign. Overall, the operation highlights significant vulnerabilities within widely used frameworks and the severe implications of their exploitation in the cyber realm.

#tireport #ExtractedDiagrams The key diagram for the report (ML Classifier): schema: 2, filemanager: 1

#threatreport #LowCompleteness A Hidden Threat: Why DarkLoadLibrary Is Dangerous and How to Detect Its Use in Attacks | 24-06-2026 Source: bi.zone/expertise/blog… Key details below ↓ 💀Threats: Darkloadlibrary_tool, Nighthawk_tool, 🤖LLM extracted TTPs:` T1003.001, T1106, T1179, T1620 🧨IOCs: - File: 5 - Coin: 2 🔠Functions: LdrpFindLoadedDllByName, GetModuleHandle 🗂️Win API: ZONE, LdrLoadDll, NtCreateSection, NtMapViewOfSection, GetProcAddress, tMapViewOfSection, NtAllocateVirtualMemory, tMapViewOfSection it, tAllocateVirtualMemory, NtOpenSection, ... #threatreport: DarkLoadLibrary is a sophisticated tool that demonstrates how attackers manipulate low-level Windows mechanisms to bypass security systems, particularly by stealthily loading malicious code. This Dynamic Link Library (DLL) loader circumvents the standard execution notifications provided by the LoadImageNotifyRoutine, allowing attackers to execute code without triggering alerts from security tools. The operation of DarkLoadLibrary begins with the invocation of the NtCreateSection function, where a file is read at the kernel level, creating a section that holds the necessary data. Normally, this process includes mapping the section into memory via the NtMapViewOfSection function, which typically requires LoadImageNotifyRoutine's involvement. However, DarkLoadLibrary diverges from this by using the NtAllocateVirtualMemory function to allocate memory for the DLL, effectively preventing security tools from recording telemetry associated with the loading of the module. This design choice allows malware to use native API functions while avoiding potential hooks set by monitoring security tools. An example of practical implementation can be seen in the NightHawk command and control (C2) framework (version 0.2.1). NightHawk intercepts critical functions such as NtOpenSection, NtCreateSection, and NtMapViewOfSection during the LdrLoadDll call process. The interceptor acts by preventing known DLLs from loading by returning an error code when a targeted DLL attempt matches a predefined list for loading via DarkLoadLibrary. This prevents the DLL from being loaded from the KnownDll and processes it through the stealthier method enabled by DarkLoadLibrary. Once a section for the requested DLL is created, NightHawk modifies its section descriptor to ensure that the memory is allocated from the virtual memory space, which is managed directly by the Windows operating system, thus allowing all normal operations to proceed unhindered after initial interception. Metrics to confirm the presence of DarkLoadLibrary can be derived from memory access events, such as when a process like LSASS.exe is dumped using the MiniDumpWriteDump function. Calls made from memory regions that lack a corresponding file indicate the use of DarkLoadLibrary.

#threatreport #LowCompleteness EvilTokens: How “Ghost” Code Threatens US and European Businesses | 23-06-2026 Source: any.run/cybersecurity-… Key details below ↓ 💀Threats: Eviltokens_tool, Device_code_phishing_technique, 🎯Victims: Businesses, Organizations 🌐Geo: United states 🤖LLM extracted TTPs:` T1027, T1140, T1480.001, T1528, T1550.001 🔢Algorithms: aes-gcm 🗂️Win API: RUN 📜Programming Languages: javascript #threatreport: EvilTokens represents a significant cyber threat due to its sophisticated mechanism for phishing attacks, primarily targeting organizations in the United States and Europe. This phishing kit exploits the Microsoft Device Code Authentication process and operates in a manner that obfuscates its malicious intent, making it difficult for security operations center (SOC) teams to detect. Rather than directly stealing user credentials, EvilTokens entices victims to unknowingly authorize access to their accounts through legitimate login flows. The kit leverages browser-side decryption, where key elements of its phishing scheme are hidden behind AES-GCM encryption, only becoming visible after the browser decrypts and renders the content. This presents a substantial visibility gap during static URL analyses and complicates incident investigations. SOC teams can benefit from examining browser-level evidence that can lead to quicker decisions for containment. Such evidence includes tracking HTML Document Object Model (DOM) changes, monitoring HTTP requests, and analyzing URL details to understand network activity and final destinations involved in the phishing attempt. Moreover, detailed investigation of a single EvilTokens session can uncover related phishing infrastructure, as identified patterns and signatures can link to other phishing activity. This allows SOC teams to look beyond isolated incidents and detect broader campaigns that may utilize similar tactics. By generating threat intelligence based on the behavior and code patterns observed, teams are better equipped to enhance phishing signatures, implement effective custom detection methods, and perform proactive threat hunting. The inherent "ghost code" nature of EvilTokens makes the attack challenging but also highlights the importance of browser monitoring. By reconstructing the phishing logic through decrypted DOM content and correlating it with network traffic, security professionals can identify malicious code patterns, endpoints, and behaviors that could inform future detection efforts. This multi-faceted approach empowers SOC teams to effectively respond to EvilTokens as well as similar threats, thereby improving their overall security posture against evolving phishing tactics.

#threatreport #LowCompleteness macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox | 23-06-2026 Source: sentinelone.com/labs/macos-gas… Key details below ↓ 💀Threats: Bonzai, Supply_chain_technique, Amos_stealer, Hades, Shai-hulud, 🎯Victims: Macos users 🌐Geo: North korean, Dprk 📚TTPs: ⚔️Tactics: 1 🛠️Technics: 0 🤖LLM extracted TTPs:` T1005, T1016, T1036.005, T1041, T1057, T1059.004, T1059.006, T1071.001, T1082, T1102.002, ... 🧨IOCs: - Hash: 4 💽Software: macOS, Telegram, Linux, Chrome, Firefox, PyInstaller, Nuitka, Anthropic, Claude 🔢Algorithms: base64, aes-gcm, zip, aes 🔠Functions: getUpdates 📜Programming Languages: python, rust, cpython 💻Platforms: arm, cross-platform, apple #threatreport: The macOS.Gaslight implant, attributed to North Korean-aligned activity, is a sophisticated Rust-based backdoor that utilizes a unique approach to mislead analysts during malware analysis rather than attempting to evade sandbox detection. It embeds a payload consisting of 38 fabricated system messages aimed at casting doubt on the results of LLM-assisted triage processes. This command-and-control (C2) mechanism employs the Telegram Bot API for communication, utilizing a polling method that activates when no webhook is registered, and adheres to strict transport security using AES-GCM encryption over certificate-pinned TLS connections. The implant autonomously redacts its Telegram bot token from its runtime output, thwarting potential data recovery by security analysts. Distribution of macOS.Gaslight was initially detected following an Apple XProtect update in June 2023, though it remained undetected by static analysis at the time of that update. It is designed to prevent system sleep through a power-management assertion, ensuring continual polling and data collection even during periods of inactivity. The implant contains components for data theft, particularly targeting sensitive information such as browser histories and credentials stored in the macOS keychain, facilitated by an encoded Python script that assembles a complete data collection environment using a standalone CPython runtime fetched upon execution. Persistence mechanisms are integrated through a LaunchAgent configured to masquerade as system services, maintaining stealth within the macOS ecosystem. This technique is commonly observed among malware families associated with DPRK. Furthermore, the implementation of self-redaction of the bot token represents a proactive operational security (OPSEC) measure, significantly enhancing the resilience of the implant against analysis. The malware's design highlights an innovative tactic of prompt injection, which serves to compromise the effectiveness of AI-driven analysis by introducing complexity into the evaluation process. This characteristic distinguishes macOS.Gaslight from prior examples of malware that either leveraged AI for operational tasks or employed simpler forms of obfuscation. With its combination of robust collection capabilities, stringent C2 security, and analyst-targeting strategies, macOS.Gaslight exemplifies an emerging threat landscape where adversaries increasingly seek to exploit AI tools that are fundamental to cybersecurity efforts.

#threatreport #HighCompleteness Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind a Global FortiGate Credential Factory | 24-06-2026 Source: arcticwolf.com/resources/blog… Key details below ↓ 🧑‍💻Actors/Campaigns: Harvester (🧠motivation: financially_motivated, information_theft) 💀Threats: Fortibleed_vuln, Cyberstrikeai_tool, Password_spray_technique, Credential_harvesting_technique, Supply_chain_technique, Impacket_tool, Hashcat_tool, Hashtopolis_tool, Kerberoasting_technique, As-rep_roasting_technique, 🎯Victims: Fortinet firewall and ssl vpn operators, Defense sector 🏭Industry: Healthcare, Energy, Chemical, Telco, Retail, Government, Iot, E-commerce, Financial, Entertainment, Transport, Education, Logistic 🌐Geo: Russian, Asia-pacific, Middle east, America, Turkey 📚TTPs: ⚔️Tactics: 7 🛠️Technics: 15 🧨IOCs: - File: 3 - IP: 2 - Hash: 6 💽Software: FortiGate, Telegram, Linux, Active Directory, MSSQL, MySQL, curl 🔢Algorithms: md5, pbkdf2, rc4, sha256 📜Programming Languages: python, javascript, golang 💻Platforms: amd64 YARA: Found #threatreport: FortiBleed is identified as a significant credential compromise campaign that specifically targets internet-accessible Fortinet FortiGate firewalls and SSL VPN gateways. The campaign leverages a sophisticated credential acquisition pipeline that includes methods such as credential stuffing, password spraying, configuration harvesting, offline cracking, and post-authentication data processing, rather than relying on traditional malware delivery mechanisms. The investigation into this campaign led to the reverse engineering of the CyberStrike Harvester binary, connecting it to the broader operational framework utilized by the FortiBleed operators. This includes the extraction of multi-protocol credentials, hash cracking, and unauthorized access to Active Directory and SMB services, ultimately facilitating data exfiltration from compromised systems. The campaign is assessed as having a severe risk level, although there is no confirmed evidence of exploitation of a Fortinet CVE as the primary means of initial access. It is believed that the operation serves as a credential brokerage, possibly a hybrid scam focusing on high-value credential harvesting. The tools used in this operation align with public descriptions of the adversaries' environment, which is characterized by a variety of tools and scripts designed for effective exploitation and credential management. The recovered assets include a sophisticated CyberStrike lab setup with a sniffer panel for traffic capture, scripts for processing PCAP files, and various utilities for cracking cryptographic hashes using platforms like Hashcat and Hashtopolis. The CyberStrike Harvester, a key component, is responsible for converting captured network data into actionable credentials and hash outputs, effectively turning traffic and configuration data into usable accesses. The campaign operates through a systematic credential-centric attack vector, utilizing methods for mass credential validation and harvesting configuration files from targeted devices. After gaining access, captured data is processed offline, resulting in the collection of a wide range of authentication artifacts, including session tokens and cookies, which are then cleaned and validated for further attacks. The actor employs a multi-stage cleaning process aimed at refining the credential data before deploying Hashcat for offline cracking efforts, indicating a methodical approach to credential extraction and validation. A notable aspect of the FortiBleed attack infrastructure is that it comprises both attacker-controlled systems and victim-assigned components, with a collaboration setup of virtual machines running Kali Linux and CyberStrike. The operators implement advanced techniques for validating and prioritizing access through protocols like Kerberos and SMB, leading to systematic internal data collection and exfiltration. The operational discipline surrounding the FortiBleed campaign underscores a repeatable and effective system for exploiting exposed exterior credentials, moving through various stages from capture to verification to data procurement. It highlights the critical need for organizations to not only patch vulnerabilities but also to implement comprehensive remediation strategies, including credential resets, validating session authenticity, and enhancing multi-factor authentication measures to mitigate potential threats from similar credential-centric operations.

#threatreport #MediumCompleteness Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker | 24-06-2026 Source: security.com/threat-intelli… Key details below ↓ 🧑‍💻Actors/Campaigns: Dragonforce 💀Threats: Mltbackdoor, Kongtuke, Modelorat, Qilin_ransomware, Blackbasta, Interlock, Rhysida, Akira_ransomware, 8base, Clickfix_technique, Filefix_technique, Crashfix, Winpython_tool, Lolbin_technique, Nexshield, Mintsloader, Kerberoasting_technique, Anydesk_tool, Splashtop_tool, 🎯Victims: Insurance, Education, Information technology, Professional services 🏭Industry: Education 🤖LLM extracted TTPs:` T1007, T1018, T1027, T1036, T1053.005, T1059.001, T1059.005, T1059.006, T1059.007, T1069.002, ... 🧨IOCs: - File: 12 - Hash: 9 💽Software: Node.js, Curl, WordPress, Windows File Explorer, Microsoft Teams, Chrome, GateKeeper, Active Directory 🔢Algorithms: rc4 🗂️Win API: GetModuleFileNameW, LoadLibraryW 📜Programming Languages: javascript, vbscript, python, powershell #threatreport: Backdoor.Mistic is a newly identified backdoor that has been active since April 2026, primarily utilized by the cybercrime group Woodgnat, also known as KongTuke. It has been linked with various ransomware operations, particularly Qilin, and is often deployed in conjunction with ModeloRAT, a Python-based remote access trojan (RAT). The modus operandi involves opportunistic targeting across various sectors, such as insurance, education, IT, and professional services, demonstrating a wide-ranging interest in high-value organizational access rather than focusing on specific industries. The backdoor is installed through a technique known as sideloading, using a legitimate file, MpExtMs.exe, to initiate the loading of the malicious DLL named EndpointDlp.dll. This mechanism allows Mistic to evade detection by blending in with trusted software, which enhances its stealth. Once operational, the backdoor executes commands from a command and control (C2) server entirely in memory without writing files to disk, enhancing its persistence and reducing the likelihood of detection. Key capabilities of Mistic include file manipulation, command execution, and self-termination via a kill switch to maintain access covertly over time. Woodgnat's operations are predominantly characterized by the provision of initial access rather than the final delivery of malicious payloads. The group specializes in creating durable remote access for resale to ransomware affiliates, and they utilize a variety of techniques to compromise systems. Their methods include the use of social engineering tactics to trick users into executing malicious PowerShell commands, which enable further exploitation. Additionally, Woodgnat employs an array of tools such as WinPython for running the ModeloRAT, alongside Node.js, which is leveraged to execute JavaScript and chain commands. The group has also been observed using living-off-the-land techniques, leveraging built-in Windows tools like Net.exe for reconnaissance and Curl for data exfiltration. A critical aspect of their strategy involves maintaining operational resilience through multiple C2 paths and obfuscated communications, particularly for non-domain-joined victims, indicating a highly skilled approach to evading detection. The emergence of Backdoor.Mistic marks a notable trend in the evolution of cyber threats, emphasizing the use of custom-developed malware in ransomware attacks. This escalation implies a growing sophistication within the cybercriminal landscape, shifting away from reliance on dual-use tools. Woodgnat is poised as a significant threat actor to monitor, particularly in how it may adapt and innovate in collaboration with ransomware affiliates, further complicating the threat environment.

#threatreport #HighCompleteness Chinese actor compromises thousands of Wordpress sites | 23-06-2026 Source: ctrlaltintel.com/research/Wordp… Key details below ↓ 💀Threats: Godzilla_webshell, Bestshell, Meterpreter_tool, Vshell, Snowlight, 🎯Victims: Wordpress sites, Joomla sites, Prestashop sites, Metinfo sites, Craft cms sites, Magento sites, Nacos sites, Internet facing sites 🌐Geo: Chinese 🔓CVEs: CVE-2025-6389 \[[Vulners](vulners.com/cve/CVE-2025-6…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2026-1357 \[[Vulners](vulners.com/cve/CVE-2026-1…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2025-13486 \[[Vulners](vulners.com/cve/CVE-2025-1…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2026-6433 \[[Vulners](vulners.com/cve/CVE-2026-6…)] - CVSS V3.1: *7.3*, - Vulners: Exploitation: Unknown CVE-2025-5394 \[[Vulners](vulners.com/cve/CVE-2025-5…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2026-31843 \[[Vulners](vulners.com/cve/CVE-2026-3…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: Unknown CVE-2026-1969 \[[Vulners](vulners.com/cve/CVE-2026-1…)] - CVSS V3.1: *5.3*, - Vulners: Exploitation: True CVE-2026-4882 \[[Vulners](vulners.com/cve/CVE-2026-4…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: Unknown CVE-2026-0740 \[[Vulners](vulners.com/cve/CVE-2026-0…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2025-12057 \[[Vulners](vulners.com/cve/CVE-2025-1…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2026-3844 \[[Vulners](vulners.com/cve/CVE-2026-3…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2025-12352 \[[Vulners](vulners.com/cve/CVE-2025-1…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: Unknown CVE-2025-23921 \[[Vulners](vulners.com/cve/CVE-2025-2…)] - CVSS V3.1: *9.0*, - Vulners: Exploitation: Unknown CVE-2025-32432 \[[Vulners](vulners.com/cve/CVE-2025-3…)] - CVSS V3.1: *10.0*, - Vulners: Exploitation: True Soft: - craftcms craft_cms (<3.9.15, <4.14.15, <5.6.17) CVE-2024-34102 \[[Vulners](vulners.com/cve/CVE-2024-3…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - adobe commerce (2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6) - adobe commerce_webhooks (<1.5.0) - adobe magento (2.4.4, 2.4.5, 2.4.6, 2.4.7) CVE-2026-3300 \[[Vulners](vulners.com/cve/CVE-2026-3…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True CVE-2025-34085 \[[Vulners](vulners.com/cve/CVE-2025-3…)] - CVSS V3.1: *Unknown*, - Vulners: Exploitation: Unknown CVE-2024-6648 \[[Vulners](vulners.com/cve/CVE-2024-6…)] - CVSS V3.1: *7.5*, - Vulners: Exploitation: Unknown Soft: - apollotheme ap_pagebuilder (<4.0.0) CVE-2026-29014 \[[Vulners](vulners.com/cve/CVE-2026-2…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - metinfo (7.9, 8.0.0, 8.1) CVE-2024-8856 \[[Vulners](vulners.com/cve/CVE-2024-8…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - revmakx backup_and_staging_by_wp_time_capsule (<1.22.22) CVE-2024-2961 \[[Vulners](vulners.com/cve/CVE-2024-2…)] - CVSS V3.1: *7.3*, - Vulners: Exploitation: True Soft: - gnu glibc (<2.40) - netapp active_iq_unified_manager (-) - debian debian_linux (10.0) CVE-2026-48907 \[[Vulners](vulners.com/cve/CVE-2026-4…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: True Soft: - widgetfactorylimited jce (<2.9.99.5) CVE-2025-7852 \[[Vulners](vulners.com/cve/CVE-2025-7…)] - CVSS V3.1: *9.8*, - Vulners: Exploitation: Unknown CVE-2025-7443 \[[Vulners](vulners.com/cve/CVE-2025-7…)] - CVSS V3.1: *8.1*, - Vulners: Exploitation: Unknown CVE-2020-25213 \[[Vulners](vulners.com/cve/CVE-2020-2…)] - CVSS V3.1: *10.0*, - Vulners: Exploitation: True Soft: - filemanagerpro file_manager (<6.9) 📚TTPs: ⚔️Tactics: 9 🛠️Technics: 16 🧨IOCs: - File: 17 - Url: 2 - Domain: 1 - IP: 2 - Hash: 9 💽Software: Wordpress, Linux, ThemeREX, BerqWP, WavePlayer, Joomla, WordPress ThemeREX, WordPress WavePlayer, WordPress BerqWP, ThinkPHP, ... 🔢Algorithms: base64, zip, md5, xor 📜Programming Languages: perl, javascript, python, php 💻Platforms: x86, x64, arm #threatreport: A mass web-exploitation operation, attributed to a Chinese actor, compromised thousands of WordPress sites in June 2026, as revealed by data exposed on the Hunt.io platform. This operation involved meticulous target acquisition, with over 850,000 recorded attempts against more than 442,000 vulnerability-site pairs, ultimately identifying 25,195 unique sites that exhibited confirmed or validated evidence of compromise. The attack primarily focused on web applications, notably WordPress plugins, leveraging identified Common Vulnerabilities and Exposures (CVEs) to gain initial access. Key vulnerabilities exploited included arbitrary file uploads and remote code execution capabilities in widely used plugins such as Breeze Cache, ThemeREX Addons, and Gravity Forms, among others, along with various content management systems like Joomla and PrestaShop. Notable CVEs included CVE-2026-48907 (Joomla JCE), CVE-2026-31843 (Pay-UZ), and CVE-2025-7852 (WPBookit), which facilitated the unauthorized exploitation of these platforms. The threat actor implemented sophisticated techniques for initial compromise, utilizing design patterns in their exploits that involved uploading malicious PHP files disguised as legitimate content (e.g., images), executing remote commands through file-handler functions, and deploying custom exploitation tools to automate the process. A variety of post-exploitation techniques were employed, including the installation of web shells and fetching attacker-controlled files. The primary web shell identified, named "down.php," demonstrated advanced capabilities for complete system control, arbitrary command execution, and extensive file management functions. Tooling leveraged by the actor included custom scripts to adjust parameters in various exploit development frameworks and exploitation routines to maximize the efficiency of their scanning processes. This involved modifications to enhance threading parameters and to refine the search patterns for detecting vulnerabilities. The actors also maintained comprehensive logs of their activities, providing insights into their operational tempo and methodologies. Attribution of the campaign rests on linguistic analysis of contained scripts, which exhibited fluent Simplified Chinese, indicating the involvement of a Chinese-speaking actor. The operational methods and toolsets suggest affiliations with groups known to deploy similar tactics. The use of FOFA for reconnaissance and the implementation of the Godzilla webshell for persistent access underscore the sophisticated nature of this attack. In summary, this cyber operation showcases the exploitation of widely-known vulnerabilities across multiple web platforms, with a clear emphasis on WordPress plugins and prominent content management systems, revealing persistent threats to web security and the need for vigilance against similar mass exploitation attempts.

#threatreport #MediumCompleteness The Growing Threat of ShadowPad Malware and Its Business Impact | 24-06-2026 Source: cyberint.com/blog/dark-web/… Key details below ↓ 🧑‍💻Actors/Campaigns: Winnti 💀Threats: Shadowpad, Plugx_rat, Supply_chain_technique, Shadowhammer, Spear-phishing_technique, Lolbin_technique, Watering_hole_technique, Dll_sideloading_technique, Passthehash_technique, Process_injection_technique, 🎯Victims: Government institutions, Critical infrastructure, High value corporate assets, Enterprise software 🏭Industry: Critical_infrastructure, Government 🌐Geo: Chinese 📚TTPs: ⚔️Tactics: 8 🛠️Technics: 20 🧨IOCs: - IP: 34 - Hash: 6 💽Software: NetSarang 🔢Algorithms: sha256 📜Programming Languages: powershell #threatreport: ShadowPad malware, initially attributed to the Chinese state-sponsored group APT41, has become a notable threat in the cybersecurity landscape due to its modular and customizable architecture. First identified in 2015 as an evolution of PlugX, ShadowPad is now utilized by various APT groups, reflecting its versatility in executing malicious operations like data exfiltration, lateral movement, and establishing backdoors into infected systems. Its modularity allows the malware to adapt to specific targets, highlighting its capability for stealth and persistence. The delivery mechanisms for ShadowPad are complex and varied, often employing sophisticated strategies designed to exploit specific vulnerabilities. It can be distributed through software supply chain attacks, wherein attackers compromise updates of legitimate applications, thus exploiting the trust users place in vendors. Additionally, the malware is utilized in conjunction with unpatched vulnerabilities within enterprise software, including zero-day exploits, which provide attackers with a gateway to infiltrate networks. Spear-phishing campaigns further facilitate the spread of ShadowPad, using well-crafted emails containing malicious links or attachments that execute the malware upon interaction. Moreover, operators utilize Living-off-the-Land (LotL) techniques by leveraging existing administrative tools and scripts, such as PowerShell and Windows Management Instrumentation (WMI), which helps avoid detection by security systems. Watering hole attacks also serve as a vehicle for distribution, targeting websites frequented by desired victims to serve the malware inadvertently. The ramifications of deploying ShadowPad can be severe for organizations, leading to significant data breaches characterized by the exfiltration of sensitive information, operational disruptions, espionage activities, and substantial financial losses. The malware’s capabilities lend themselves to stealing intellectual property and customer data, which may be used for espionage or sold on illicit markets. Furthermore, the operational impact can lead to downtime and loss of productivity, as well as the installation of additional payloads that disrupt critical systems. Organizations face the prospect of costly incident response, system recovery efforts, and potential regulatory fines for data breaches that can also incur reputational damage. The public exposure of such incidents may diminish customer trust and market value, resulting in long-term consequences for affected entities.

#threatreport #MediumCompleteness MYRA: A Full Linux RAT Distributed via npm | 23-06-2026 Source: safedep.io/malicious-apin… Key details below ↓ 💀Threats: Myra, Supply_chain_technique, Process_injection_technique, Nop_sled_technique, 🎯Victims: Software development, Linux systems, Npm users 🌐Geo: Polish 📚TTPs: ⚔️Tactics: 2 🛠️Technics: 0 🤖LLM extracted TTPs:` T1014, T1036.005, T1053.003, T1055.008, T1059.004, T1095, T1113, T1195.001, T1548.003, T1564.001, ... 🧨IOCs: - IP: 2 - Email: 1 - File: 12 💽Software: Linux, Node.js, systemd, curl, Ubuntu, sudo 🔢Algorithms: sha256, base64 🔠Functions: readFileSync, createHmac, persistStealthPreload, writeFileSync, persistStealthCron, persistStealthProfile, findDesktopProcessEnv, readProcEnviron 📜Programming Languages: javascript, python #threatreport: A full-featured Linux remote access Trojan (RAT) named MYRA has been distributed via an npm package titled "apintergrationpost." Despite the author's claimed purpose of facilitating authorized red team exercises and EDR validation, MYRA exhibits significant malicious capabilities. Upon installation, it compiles a native C rootkit, establishes three persistence mechanisms, masquerades as a legitimate system service, and manifests fileless execution. The RAT also grants interactive shell access and stream captures from the infected system. The default command and control (C2) configuration points to a private IP address (192.168.54.1), indicating a focused targeting strategy. The installation process is initiated through three npm lifecycle scripts. The 'prepare' script compiles the rootkit by generating C binaries and shared libraries essential for the RAT's evasion tactics and persistence. The 'preinstall' script forces root privileges, ensuring that the attacker has full access to system-level resources and can install necessary system dependencies. Upon successful installation, the 'postinstall' script launches the RAT in a detached background process, rendering it independently operational from npm. The MYRA RAT employs a plugin architecture with 13 modules for its C2 framework, utilizing TCP for communication and requiring HMAC-SHA256 authentication. Notably, the use of a private IP for the C2 server suggests its deployment in a defined network environment rather than using common public domains seen in typical malware distributions. The native rootkit contains sophisticated components such as 'libcache.so' for file hiding via LD_PRELOAD, 'proc_hide' for process masquerading, and 'memfd_exec' and 'memfd_loader' for executing the RAT entirely from memory, thus leaving no traces on disk. Persistence is achieved through three distinct mechanisms: the LD_PRELOAD file-hiding rootkit, a cron job that triggers every 13 minutes to run the RAT, and a login hook via profile.d that executes a wrapper script utilizing the most covert execution method available. These vectors collectively ensure that the RAT remains active even after system reboots or user intervention attempts. As the RAT was developed within a VMware environment, the codebase of MYRA includes telemetry and various MITRE ATT&CK techniques, pointing towards a scenario for red team testing rather than actual deployment into the wild. However, the publication of MYRA into a public npm registry poses grave risks, as it allows unauthorized users access to a potent toolkit that aggregates well-known evasion techniques. The combination of these sophisticated tactics within a single package presents an alarming threat landscape for defenders, reinforcing the need for cautious evaluation of npm packages before installation.