Cyber Analyzer

How Windows access tokens work #ThreatHunting #DFIR

🚨🚨CVE-2025-53772(CVSS 8.8): Critical RCE in Microsoft IIS WebDeploy! Authenticated attackers can exploit untrusted data deserialization via HTTP headers to execute code remotely. 🔥PoC: gist.github.com/hawktrace/6783… Search by vul.cve Filter👉vul.cve="CVE-2025-53772" ZoomEye Dork👉app="Microsoft Web Deploy" Over 20.8k vulnerable instances found. ZoomEye Link: zoomeye.ai/searchResult?q… In-depth analysis from @hawktrace: hawktrace.com/blog/cve-2025-… Refer: hub.zoomeye.ai/detail/68b7dbb… #RCE #ZoomEye #cybersecurity #infosec #OSINT

🚀 Released NoVirusThanks USB Radar v1.8.0: Track #USB device events (when a USB device is plugged-in or unplugged, when a file is copied/moved from/to a USB device and files deleted on a USB device) ➨ usbradar.com #CyberSecurity #CyberDefense #DFIR #InfoSec

🚨 WinRAR CVE-2025-8088: The invisible persistence SOCs can’t afford to miss Attackers are abusing Alternate Data Streams (ADS) to perform path traversal during archive extraction. By appending colon symbol (:) in file names, they sneak hidden objects into system folders without showing anything in the #WinRAR UI. This vulnerability is dangerous for organizations as the malicious files remain invisible in WinRAR’s interface and many security tools. Employees believe the archive is safe, while persistence is silently installed and activated on reboot. 📂 In one observed case inside ANY.RUN Sandbox: Genotyping_Results_B57_Positive.pdf:.\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Display Settings.lnk ➡️ Places a .lnk in Startup that executes %LOCALAPPDATA%\ApbxHelper.exe after reboot. ➡️ Result: remote code execution and long-term persistence. 🔗 See full analysis of this CVE, download actionable report, and collect ready-to-use IOCs to speed up investigations and cut response time: app.any.run/tasks/34dcc9a8… 🎯 Who should pay attention Any organization using WinRAR in daily workflows. The threat is especially dangerous for teams exchanging archives via email or shared folders. ❌ Key risks for organizations: 🔹Attacks go unnoticed → hidden files don’t appear in WinRAR or many tools 🔹Analysts lose time → archives look clean but require extra checks 🔹Persistence survives reboot → malware runs automatically once restarted #ANYRUN exposes hidden ADS-based persistence techniques that traditional tools miss, enabling faster decision-making, more effective threat hunting, and reduced investigation costs. 💡 Next steps for orgs: 1️⃣ Patch WinRAR → 7.13 2️⃣ Detonate suspect archives in #ANYRUN → reveal hidden NTFS ADS files + export IOCs 3️⃣ Use TI Lookup to track campaigns and enrich IOCs with live attack data from 15k orgs 🔎 Query 1 – Startup file creation via WinRAR: intelligence.any.run/analysis/looku… 🔎 Query 2 – All CVE-2025-8088 samples: intelligence.any.run/analysis/looku… #IOCs: SHA256: a99903938bf242ea6465865117561ba950bd12a82f41b8eeae108f4f3d74b5d1 Genotyping_Results_B57_Positive.pdf a25d011e2d8e9288de74d78aba4c9412a0ad8b321253ef1122451d2a3d176efa Display Settings.lnk 8082956ace8b016ae8ce16e4a777fe347c7f80f8a576a6f935f9d636a30204e7 ApbxHelper.exe Code Signing Certificate: SN: FE9A606686B3A19941B37A0FC2788644 Thumb: 1EE92AC61F78AAB49AECDDB42D678B521A64EA01 Issuer: Simon Gork 🚀 Detonate malicious archives, uncover hidden ADS files, and export IOCs with #ANYRUN, giving your #SOC full visibility, stronger coverage, and faster response against hidden threats. #ExploreWithANYRUN

🚨 A fake npm package just hijacked crypto wallets. “nodejs-smtp” disguised itself as the legit nodemailer library—while secretly injecting code into Atomic & Exodus apps to steal BTC, ETH, USDT, XRP, and SOL. Full story → thehackernews.com/2025/09/malici…

🚀 The new Tools page is LIVE! 🎉 With 100+ free online security tools, we've got everything about IP/domain analysis, data extraction, image EXIF, URL tools—your security needs, all in one place! ➡️ bit.ly/3HStZJi #infosec #cybersecurity #saas

Improved bypass for Windows 11 OOBE: 1. Shift-F10 2. start ms-cxh:localonly Only required on Home and Pro editions.

🚨#Opendir #Malware🚨 hxxp://172.245.123.24/530/ hxxp://172.245.123.24/380/ ⚠️#FormBook #Stealer ☣️cosses.exe➡️c338c9cdccb21a6f023987865b4a6269 📦#AutoIt 📡hxxp://www.temecula.deals/📸⤵️ 📡hxxp://www.agistaking.xyz

We have entered into a new era that renders MFA useless thanks to phishing kits like #Sneaky2FA which are designed to bypass MFA and provide threat actors with access to victim Office 365 accounts via session cookies. Check out the blog post here for more information and additional safeguards to protect your O365 users: esentire.com/blog/your-mfa-… The figure below shows how the phishing kit exfils the 2FA code from the victim 🐟

New Blog Article: Typosquatting and Misspelled Domains Leading to Malicious HTA File ➨ bit.ly/3FyJLrh #Cybersecurity #Cyberdefense #Infosec #IncidentResponse #Typosquatting #OSINT

Suspicious URL: hxxps://nextpointkaynersave[.]com/index51[.]php at 104.21.16.1 and hxxps://run-px[.]com at 104.21.64.1 | @cloudflare #malvertising #phishing #ads #malware #infosec #cybersecurity

Active #phishing URL used to receive <form> data from pages hosted at ebsau4[.]s3[.]amazonaws[.]com: hxxps://aeriscargo[.]com/wp-admin/js/widgets/widgets/widgets/widgets/push/validate[.]php | HTTP/1.1 200 OK #cybersecurity #infosec #spam

''MalDoc in PDF - Detection bypass by embedding a malicious Word file into a PDF file – - JPCERT/CC Eyes'' #infosec #pentest #redteam #blueteam blogs.jpcert.or.jp/en/2023/08/mal…

AnyDesk Exploit Alert: CVE-2024-12754 Enables Privilege Escalation—PoC Available securityonline.info/anydesk-exploi…

Sidewinder list of 25 officers.docx 8a4ee0e5267e1393f576aa3732c33d15 C2 pubad-gov-lk[.]net-src[.]info #Sidewinder #APT #IOC

macOS Vulnerability (CVE-2023-32428) Grants Root Access, PoC Published securityonline.info/macos-vulnerab…

#ESETresearch reveals the first Linux UEFI bootkit, Bootkitty. It disables kernel signature verification and preloads two ELFs unknown during our analysis. Also discovered, a possibly related unsigned LKM – both were uploaded to VT early this month. welivesecurity.com/en/eset-resear… 1/5

🚨 Cybercriminals are ramping up attacks this season, hiding malware in emails and QR codes. It’s a perfect storm for multi-stage attacks—don’t let your guard down. Learn how to spot these hidden threats: thehackernews.com/2024/11/latest… #cybersecurity

Ducktail C2 ceipvirgendeloreto[.]one Advertising Specialist - Job Description (730).rar f35ddad58eb8da489f60cb4ec65183b6f4f8dbb0ed91a3d87b6db29c2feaa5d8 #Ducktail #IOC

sidewinder Consular_guidline_for _Pakistani_citizen_visiting_Nepal.docx (copy) fa95fadc73e5617305a6b71f77e9d255d14402650075107f2272f131d3cf7b00 C2 nepaliport[.]immigration[.]gov[.]np #sidewinder #APT #IOC