Positive Technologies Global
1.4K posts

@PTsecurity_EN
Embrace any digitalization challenge—we'll secure your cyber-resilience
Joined April 2015
869 Following, 3.6K Followers

Irina Zinovkina, Head of Information Security Analytics Research at Positive Technologies, explains how connecting legacy operational technology with modern IT networks reshapes priorities and exposes new vulnerabilities - securityreviewmag.com/?p=29675 @ptsecurity

Over 21,000 XWiki instances may be vulnerable worldwide. Researchers from @ptswarm discovered vulnerabilities that could lead to DoS and privilege escalation. If you run XWiki — patch now.
Details ↓
dbugs.ptsecurity.com
#cybersecurity

Sad news: there will be no #phdays fest in 2026. We had big plans for the 15th anniversary, but venue reconstruction means we can’t deliver the festival the way we envisioned it. Thanks to everyone who submitted papers and supported the community. See you in 2027.

Positive Technologies Global reposted

Poisonous Mars, or how LuciDoor knocks on the doors of the CIS
In the fall of 2025, the Threat Intelligence team of the Positive Technologies Expert Security Center (PT ESC) discovered attacks targeting telecommunications companies in Kyrgyzstan. The attackers sent themed phishing emails containing malicious documents with macros. Even at this stage, the use of unusual China-origin tools within the documents drew attention.
For malware, the attackers used two backdoors. The first, MarsSnake, had previously only been mentioned in ESET’s quarterly report. The second, LuciDoor, was named by us due to its unusual use of the Lucida Console 11x18 font for proper text display in the terminal.
👋 In 2026, the attackers resurfaced — this time targeting telecommunications companies in Tajikistan. We attribute this activity to the East Asian group UnsolicitedBooker, which, according to previous researcher observations, had previously attacked Saudi Arabia.
In our article, we provide a detailed account of the detected attacks, fully analyze the functionality of LuciDoor and MarsSnake, and show the common tools used by UnsolicitedBooker and Mustang Panda: global.ptsecurity.com/en/research/pt…
#APT #Malware #Backdoor #UnsolicitedBooker #LuciDoor #MarsSnake #MustangPanda #Attack #Hackers #CIS

Positive Technologies Global reposted

Click trap: not only for users, but also for link analyzers 🖥
When manually reviewing links, we usually ask ourselves only one question — “is it safe?”
This approach cannot be directly transferred to a streaming analysis environment: actions triggered by following a link may lead to new issues. For example, invitations from email messages may be automatically accepted or declined, automatic unsubscribe and/or subscription to correspondence may occur, and so on. If such an action causes the service to send a new email containing similar links, then automatically following them will trigger an ongoing “avalanche” of messages, which may degrade the performance of security solutions or simply annoy users.
🫵 To address this problem, one can propose an approach logically similar to link selection during manual analysis: some links appear highly suspicious or clearly require additional context for analysis, while others are definitely safe or, as in the previous example, trigger specific actions on services (or are even one-time use). An approach where the system determines a set of indicators “definitely follow” and a set of indicators “definitely do not follow” is called a rule-based decision system. What indicators can be proposed to implement such a system?
In the set of conditions preventing link traversal, the following can be considered:
• presence of patterns in the URL path semantically indicating a possible action upon activation, for example, /(un)subscribe/, /login/, /exit/, /action/, /track/, etc.;
• presence of query parameters token, key, uid with values matching the format of UUID or JWT;
• presence of query parameters ts or expires indicating the link lifetime;
• if the link originated from an email message, its presence in dedicated subscription/unsubscription headers — List-(Un)Subscribe:;
• if data streams are supplied with a set of “whitelisted” domains, disabling analysis of URLs containing them can be considered. This option should be used cautiously, since even the most popular and well-known services and domains may be involved in content redirection scenarios.
In the set of conditions triggering link traversal, the following can be considered:
• links explicitly specifying an IP address and/or a non-standard port;
• links with recently registered domains;
• if a web resource categorizer with such classification is available — links to URL shortener services. If not available, a condition based on short URL length can be considered;
• links referencing files with specific static extensions in the URL path, for example, *.pdf, *.exe, etc.;
• links to object storage services, for example S3 or IPFS storage.
🧐 What should be done with links extracted from the analyzed object that do not fall into any of the above lists? Here one can rely on the actual picture obtained after applying such an algorithm: if system performance allows it or the analysis time does not exceed the permitted SLA for object processing, all uncategorized links can be sent for content retrieval. Alternatively, a limit can be introduced on the number of links analyzed simultaneously per object.
Additionally, for URL links not categorized by the decision system, a “cautious” algorithm for obtaining additional context can be implemented: perform a HEAD request without retrieving the content. This makes it possible to obtain additional information from HTTP headers, which can be used both within the above-described algorithm and more generally for deciding whether the link is malicious.
#urlanalysis #phishing #cybersecurity
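The two indicator lists and the per-object cap from the post above, implemented as a small rule-based decision system. This is an added illustration, not code from Positive Technologies: the regexes, the short-URL threshold, the static-extension and storage-host lists, and all sample links are constructed here. The domain-age feed and the web-resource categorizer the post mentions are replaced by in-memory sets on a `Context` object. The precedence ("do not follow" beats "follow") is my assumption, chosen because a wrong "follow" has side effects on a service while a wrong "do not follow" only leaves the link for the cautious HEAD-request step, which is not implemented here.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Indicator patterns follow the post's two lists; the concrete regexes,
# thresholds and sample data are constructed for this illustration.
ACTION_PATH_RE = re.compile(r"/(?:un)?subscribe(?:/|$)|/(?:login|exit|action|track)(?:/|$)", re.I)
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
TOKEN_PARAMS = {"token", "key", "uid"}
LIFETIME_PARAMS = {"ts", "expires"}
STATIC_EXTS = (".pdf", ".exe", ".zip", ".iso")             # constructed list
STORAGE_HOST_RE = re.compile(r"(^|\.)s3[.-][a-z0-9.-]*amazonaws\.com$|(^|\.)ipfs\.", re.I)
STANDARD_PORTS = {"http": 80, "https": 443}
SHORT_URL_MAX = 30                                         # constructed threshold

@dataclass
class Context:
    """External knowledge the decision system needs; every field is a stand-in."""
    list_header_urls: set = field(default_factory=set)     # URLs seen in List-(Un)Subscribe headers
    whitelisted_domains: set = field(default_factory=set)
    recently_registered: set = field(default_factory=set)  # stands in for a domain-age feed
    shortener_domains: set = field(default_factory=set)    # stands in for a URL categorizer

def domain_matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def do_not_follow_reasons(url, ctx):
    """Indicators that following the link may trigger an action on a service."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query)
    reasons = []
    if ACTION_PATH_RE.search(parts.path):
        reasons.append("action-like path")
    for name in sorted(TOKEN_PARAMS & set(qs)):
        if any(UUID_RE.match(v) or JWT_RE.match(v) for v in qs[name]):
            reasons.append(f"{name} parameter looks like a UUID/JWT")
    if LIFETIME_PARAMS & set(qs):
        reasons.append("lifetime parameter")
    if url in ctx.list_header_urls:
        reasons.append("present in List-(Un)Subscribe header")
    if domain_matches(host, ctx.whitelisted_domains):
        reasons.append("whitelisted domain")
    return reasons

def follow_reasons(url, ctx):
    """Indicators that the link is suspicious enough to fetch its content."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if is_ip_literal(host):
        reasons.append("IP literal host")
    if parts.port is not None and parts.port != STANDARD_PORTS.get(parts.scheme):
        reasons.append("non-standard port")
    if domain_matches(host, ctx.recently_registered):
        reasons.append("recently registered domain")
    if ctx.shortener_domains:                  # categorizer available
        if domain_matches(host, ctx.shortener_domains):
            reasons.append("URL shortener")
    elif len(url) <= SHORT_URL_MAX:            # fallback from the post: short URL length
        reasons.append("short URL")
    if parts.path.lower().endswith(STATIC_EXTS):
        reasons.append("static file extension")
    if STORAGE_HOST_RE.search(host):
        reasons.append("object storage host")
    return reasons

def decide(url, ctx):
    # Assumed precedence: "do not follow" wins over "follow" (see lead-in).
    stop = do_not_follow_reasons(url, ctx)
    if stop:
        return "do_not_follow", stop
    go = follow_reasons(url, ctx)
    if go:
        return "follow", go
    return "uncategorized", []

def select_links(urls, ctx, limit):
    """Links to fetch for one object: every 'follow' link plus at most
    `limit` uncategorized ones (the per-object cap from the post)."""
    chosen, budget = [], limit
    for url in urls:
        label, _ = decide(url, ctx)
        if label == "follow":
            chosen.append(url)
        elif label == "uncategorized" and budget > 0:
            chosen.append(url)
            budget -= 1
    return chosen

# Constructed sample links, as might be extracted from one email.
SAMPLE = [
    "https://news.example.com/unsubscribe/9f0c",
    "https://mail.example.com/action?token=123e4567-e89b-12d3-a456-426614174000",
    "https://cdn.example.com/share?expires=1700000000&f=x",
    "https://docs.example.com/guide",
    "http://203.0.113.5:8080/update",
    "https://bucket.s3.eu-west-1.amazonaws.com/invoice.pdf",
    "https://sh.rt/aBc12",
    "https://new-domain.example/offer",
    "https://www.example.org/blog/post-1",
]

def sample_context():
    return Context(
        list_header_urls={"https://news.example.com/unsubscribe/9f0c"},
        whitelisted_domains={"docs.example.com"},
        recently_registered={"new-domain.example"},
    )

if __name__ == "__main__":
    ctx = sample_context()
    for url in SAMPLE:
        label, reasons = decide(url, ctx)
        print(f"{label:15} {url}  {reasons}")
    print("to fetch:", select_links(SAMPLE, ctx, limit=1))
```

Because `shortener_domains` is left empty in the sample context, the length-based fallback is what fires for `https://sh.rt/aBc12`; supplying a categorizer-backed set switches the rule to domain matching, as the post suggests. Each reason is kept alongside the label so the sandbox can log why a link was or was not fetched.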


🚀 Registration for Positive Hack Camp 2026 is open!
July 25–Aug 9 | Moscow, Russia
A 2-week onsite program focused on hands-on ethical hacking, global peers, and real skills.
Secure your spot early:
camp.ptsecurity.com/?utm_source=x&…
#PHCamp #PositiveHackCamp


Call for Papers for #PHDays Fest is now open ⚡️
Positive Hack Days, a top-tier international cybersecurity festival in Europe, returns to Moscow May 28–30, 2026.
📅 CFP deadline March 9, 2026
🔗 Submit your proposal at phdays.com/en/cfp/
#CallForPapers #CFP #Cybersecurity

Standoff 17, the legendary international #cyberbattle, returns in 2026.
No theory. No demos.
Only attack and defense.
Red & Blue teams get ready for qualifiers: Feb 28 – Mar 6.
Apply by Feb 10: 17.standoff365.com

Positive Technologies Global reposted

📑 A new article from our researchers Aleksey Solovev, Nikita Sveshnikov and Vladimir Razov — "Blind trust: what is hidden behind the process of creating your PDF file?".
swarm.ptsecurity.com/blind-trust-wh…


❄️ December is wrap-up season — so we went live 🎤
In 2025, we stayed in constant dialogue with the community: research, new products, and events across regions and time zones.
▶️ Happy New Year, and enjoy watching! youtu.be/_l5BifaysSc


🚨 Unregistered CVE 🚨
⚠️ Location: Positive Technologies office
⚠️ Attack vector: holiday distraction via live broadcast
⚠️ Impact: total cookie loss
⚠️ Threat actor: APT-GRINCH
⚠️ IOCs: green gloves observed on premises
Proof of exploit ▶️ youtu.be/_l5BifaysSc

We at Al Moammar Information Systems are pleased to announce a new partnership with @PTsecurity_EN, signed during the #بلاك_هات exhibition.
A partnership that brings together a shared vision, advanced innovation and trusted expertise, so that together we can keep strengthening cybersecurity solutions and shaping a more secure future.
#BHMEA25
#BlackHatMEA


Today @penegui_oficial delivered a fantastic session on NFC Card Password Bypass, showing real attack vectors and how weak authentication breaks down in practice. #PHTalks Brazil Edition is on fire 🔥📷🔓


Want to know how adversaries hack your PC? Then @cocomelonckz is your guy — he absolutely lit up #PHTalks today with his session on Malware and Hunting for Persistence 2025. 🔥🖥️🕵️♂️


Answering everything about Token Injection: Attacking LLM Infrastructure With Special Tokens. Our amazing speaker @edwardzpeng at #PHTalks!
