#APT

VulDB :verified: @vuldb@infosec.exchange
2025-12-21

Indicators added for: Gafgyt (+3), MimiKatz (+1), Bashlite (+1), NetSupportManager RAT (+1), Quasar RAT (+2), AsyncRAT (+3) and Havoc (+1). vuldb.com/?actor #apt #cti #ioc

Lilidog Linux @Lilidog
2025-12-20

New release Waydog Trixie 25.12.20 sourceforge.net/projects/lilid

Waydog is a Wayland based distribution with labwc and sway.

Several changes and additions this round. New random wallpaper changer.
Ly display manager installer.
Labwc keybinds.

And much more. See all the changes through the Waydog github page: github.com/sleekmason/Waydog-Trixie

Security Land @securityland
2025-12-20

A sophisticated threat actor with possible links to Russian hybrid-threat groups impersonated Trend Micro security advisories to target defense contractors, energy companies, and cybersecurity firms.

Read More: security.land/shadow-void-042-

VulDB :verified: @vuldb@infosec.exchange
2025-12-19

Added more indicators for: DOPLUGS (+1), Cpuminer (+1), QakBot (+1), Aisuru (+10), ValleyRAT (+2), VShell (+5) and Empire Downloader (+1). vuldb.com/?actor #apt #cti #ioc

CyberNetsecIO @netsecio
2025-12-19

📰 China-Linked Hackers Exploit Critical Cisco Email Gateway Zero-Day

🇨🇳 A China-linked APT is exploiting a critical 10.0 CVSS zero-day (CVE-2025-20393) in Cisco Email Gateways for root-level RCE. CISA has added it to the KEV catalog. Patch immediately! 🛡️

🔗 cyber.netsecops.io/articles/ch

2025-12-19

Ubuntu 22.04 Cross compile to arm #apt #2204 #crosscompilation

askubuntu.com/q/1562018/612

Security Land @securityland
2025-12-19

Chinese threat actor UAT-9686 has been compromising Cisco email security systems since late November with a custom backdoor called AquaShell. Organizations should immediately check Cisco Talos advisories for indicators and remediation guidance.

Read More: security.land/uat-9686-chinese

2025-12-19

Alright team, it's been a packed 24 hours in the cyber world! We've got a flurry of actively exploited zero-days and critical vulnerabilities to cover, alongside some significant breaches, new threat actor insights, and a few noteworthy law enforcement actions. Let's dive in:

Actively Exploited Zero-Days and Critical Vulnerabilities ⚠️

- Cisco is battling a maximum-severity zero-day (CVE-2025-20393) in its AsyncOS software for Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Suspected Chinese-government-linked threat actors (UAT-9686) have been exploiting this flaw since late November, deploying persistent Python-based backdoors like AquaShell, along with tunneling tools. There's no patch yet, so Cisco advises customers to assess exposure, limit internet access to the Spam Quarantine feature, and rebuild compromised appliances.
- The React2Shell vulnerability (CVE-2025-55182) in React Server Components continues to spread, with Microsoft confirming hundreds of compromised machines across diverse organisations. Attackers are leveraging this RCE flaw for reverse shells, lateral movement, data theft, and even ransomware deployment (Weaxor ransomware). This critical bug now holds the highest verified public exploit count of any CVE, with new related defects (CVE-2025-55183, CVE-2025-67779, CVE-2025-55184) also emerging. Patching is crucial, but won't evict existing attackers.
- HPE has patched a maximum-severity RCE flaw (CVE-2025-37164) in its OneView infrastructure management software, affecting all versions prior to v11.00. This vulnerability allows unauthenticated attackers to execute arbitrary code with low complexity. Admins should update immediately as no workarounds exist.
- SonicWall is warning customers about an actively exploited zero-day (CVE-2025-40602) in its SMA 1000 remote-access appliance. This bug, stemming from insufficient authorisation checks, can be chained with a previously patched flaw (CVE-2025-23006) to achieve unauthenticated root-level RCE. Immediate updates and restricting console access to trusted networks are advised.
- CISA has added CVE-2025-59374, a critical supply chain compromise impacting ASUS Live Update, to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, linked to 2019's Operation ShadowHammer, allowed attackers to distribute trojanised software to specific targets. ASUS Live Update has reached end-of-support, so federal agencies are urged to discontinue its use.
- The Zeroday Cloud hacking competition in London saw researchers demonstrate 11 zero-day vulnerabilities in critical cloud infrastructure components like Redis, PostgreSQL, Grafana, MariaDB, and the Linux kernel. This highlights significant security gaps in widely used cloud systems, including a container escape flaw in the Linux kernel that could break isolation between cloud tenants.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
📰 The Hacker News | thehackernews.com/2025/12/cisc
🗞️ The Record | therecord.media/chinese-attack
🤫 CyberScoop | cyberscoop.com/react2shell-vul
📰 The Hacker News | thehackernews.com/2025/12/thre (React2Shell Exploited in Ransomware Attacks)
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/12/hpe-
🕵🏼 The Register | go.theregister.com/feed/www.th
📰 The Hacker News | thehackernews.com/2025/12/cisa
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Recent Cyber Attacks and Breaches 🔒

- Amazon's AWS GuardDuty team has warned of an ongoing cryptomining campaign leveraging compromised IAM credentials to exploit Elastic Compute Cloud (EC2) and Elastic Container Service (ECS) instances. Attackers establish persistence by disabling API termination, hindering incident response.
- France's Ministry of the Interior confirmed a cyberattack on its internal email servers, compromising document files. A 22-year-old suspect, previously convicted for similar offences, has been arrested. The notorious BreachForums claimed responsibility, citing revenge for prior arrests, and alleged the theft of 16 million police records, though French authorities have not confirmed this.
- PornHub and SoundCloud have both disclosed data breaches stemming from a compromise at their data analytics service provider, Mixpanel. PornHub stated limited analytics events were extracted, while SoundCloud reported email addresses and public profile information for approximately 20% of its 200 million users were accessed. The ShinyHunters group has allegedly taken credit for the Mixpanel attacks.
- DXS International, a tech supplier for the NHS, is investigating a cyberattack on its internal office servers. While the company claims minimal impact on frontline clinical services, the incident highlights the ongoing risk to critical infrastructure via third-party suppliers.
- The University of Sydney suffered a data breach after hackers accessed an online coding repository, stealing personal information of over 27,000 current and former staff, affiliates, students, and alumni. The stolen data includes names, dates of birth, phone numbers, home addresses, and job details, though no evidence of online publication or misuse has been found yet.
- French authorities arrested a Latvian crew member of an Italian passenger ferry, suspected of installing malware that could allow remote control of the vessel. The incident is being investigated as suspected foreign interference.
- The Clop ransomware gang is actively targeting internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign. It's currently unclear if Clop is exploiting a new zero-day or an unpatched N-day vulnerability, but over 200 CentreStack servers are potentially vulnerable.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/france-interio
🗞️ The Record | therecord.media/millions-impac
🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/uk-nhs-tech-pr
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

New Threat Research on Threat Actors, Malware, and Techniques 🛡️

- North Korea's state-backed cybercriminals plundered over $2 billion in cryptocurrency in 2025, a 51% increase year-on-year, accounting for 76% of all crypto service compromises. This surge is largely attributed to a $1.5 billion theft from Bybit and an increased focus on personal wallets, often facilitated by social engineering tactics like posing as IT workers or recruiters.
- The Kimsuky threat actor is distributing a new DocSwap Android malware variant via QR codes on phishing sites mimicking CJ Logistics. The malware uses social engineering to bypass security warnings and provides extensive RAT capabilities, including keystroke logging, audio capture, and file operations.
- GreyNoise observed an automated password spraying campaign targeting Palo Alto Networks GlobalProtect and Cisco SSL VPN gateways. Originating from over 10,000 unique IPs, the attacks use common username/password combinations, indicating scripted credential probing rather than vulnerability exploitation.
- A new modular information stealer, SantaStealer, is being advertised on underground forums, designed to operate in-memory and exfiltrate sensitive documents, credentials, and wallets from a wide range of applications.
- Threat actors are using a new "GhostPairing" social engineering technique to hijack WhatsApp accounts by luring victims to scan QR codes or enter phone numbers on fake Facebook viewer pages, abusing the legitimate device-linking feature.
- Bad actors are observed hosting videos on RuTube, advertising Roblox cheats that lead to Trojan and stealer malware like Salat Stealer, mirroring tactics seen on YouTube.
- An analysis of DDoSia's multi-layered command-and-control (C2) infrastructure reveals an average of 6 control servers active at any given time, with short lifespans, used by pro-Russian hacktivist group NoName057(16) to target Ukraine, European allies, and NATO states.
- A phishing campaign, attributed to Russian APT actors, is targeting entities in the Baltics and Balkans, spoofing government bodies with credential phishing emails that use blurred decoy documents and pop-ups to harvest credentials.
- New "ClickFix" attacks are leveraging fake CAPTCHA checks to trick users into running the `finger.exe` tool to retrieve malicious PowerShell code, attributed to clusters KongTuke and SmartApeSG.
- Threat actors are abusing Google's Application Integration service to send highly convincing phishing emails from authentic @google.com addresses, bypassing SPF, DKIM, and DMARC checks to steal Microsoft 365 credentials.
- Cato Networks observed large-scale reconnaissance and exploitation attempts targeting Modbus devices, including those controlling solar panel output. The rise of agentic AI tools is accelerating these attacks, reducing execution time from days to minutes.
- Bitsight research found approximately 1,000 Model Context Protocol (MCP) servers exposed on the internet without authorisation, leaking sensitive data and potentially allowing RCE or Kubernetes cluster management.
- A phishing campaign impersonating India's Income Tax Department is deploying legitimate remote access tools like LogMeIn Resolve, using tax irregularity themes to create urgency and bypass traditional Secure Email Gateway defenses.
- A previously unknown, China-aligned hacker group, LongNosedGoblin, is targeting government institutions across Southeast Asia and Japan. The group abuses Windows Group Policy to deploy malware like NosyHistorian (browser history collector) and NosyDoor (backdoor), with NosyDoor potentially offered as a commercial service.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ—žοΈ The Record | therecord.media/over-3-billion
πŸ“° The Hacker News | thehackernews.com/2025/12/kims
πŸ€– Bleeping Computer | bleepingcomputer.com/news/secu
πŸ“° The Hacker News | thehackernews.com/2025/12/thre (SantaStealer, GhostPairing, RuTube, DDoSia, APT phishing, ClickFix, Google service abused, AI-driven ICS scans, Exposed MCP servers, Fake tax scam)
πŸ—žοΈ The Record | therecord.media/new-china-link

#CyberSecurity #ThreatIntelligence #ZeroDay #RCE #Vulnerability #Ransomware #APT #CyberAttack #DataBreach #InfoSec #IncidentResponse #CloudSecurity #SupplyChainSecurity #CryptoCrime

CyberNetsecIO @netsecio
2025-12-18

📰 "Operation ForumTroll" APT Targets Russian Academics with Plagiarism Lure

APT group 'Operation ForumTroll' is back, targeting Russian academics with a sophisticated phishing campaign. Lures disguised as plagiarism reports deploy the Tuoni C2 framework. 🎓

🔗 cyber.netsecops.io/articles/op

2025-12-18

Iranian APT “Prince of Persia” resurfaces after years underground. Active since 2007, the group now uses Telegram to control new malware strains Foudre and Tonnerre in targeted espionage campaigns. 💻

Read: hackread.com/iran-apt-prince-o

#CyberSecurity #Iran #APT #PrinceOfPersia #Infy #Malware

Christos Argyropoulos @ChristosArgyrop@mast.hpc.social
2025-12-18

This is really weird: the #sycl examples from #inteloneAPI all work, but the #openMP @openmp_arb examples fail to offload to the integrated GPU (the device appears not to exist) even though it is there and working and the user is part of the group that uses the device for compute. I wonder if I have to purge from #apt and install via the #Intel installer to get a missing component (?driver)

2025-12-18

apt-get update is asking to go back to an earlier version of MySQL? #apt #packagemanagement #mysql #dependencies

askubuntu.com/q/1561971/612

Security Land @securityland
2025-12-18

Zscaler ThreatLabz documents BlindEagle APT's sophisticated attack on Colombian government infrastructure using steganography, compromised email accounts, and dual malware deployment (Caminho + DCRat). The September 2025 campaign demonstrates evolved tradecraft including Discord CDN abuse and fileless execution chains.

Read More: security.land/blindeagle-colom

2025-12-18

Does Ubuntu 25.10 support Wireguard Client? #apt #wireguard #2510

askubuntu.com/q/1561862/612

2025-12-17

Alright team, it's been a busy 24 hours in the cyber world with significant updates on nation-state activity, a couple of actively exploited vulnerabilities, new malware campaigns, and some serious data privacy discussions. Let's dive in:

Recent Cyber Attacks & Breaches 🚨

- France's Interior Ministry is investigating a malicious cyber intrusion into its email servers, confirming unauthorised access to several accounts and dozens of confidential documents, including judicial records and wanted persons' data.
- Analytics vendor Mixpanel denies being the source of data stolen from Pornhub, stating the data was last accessed by a legitimate Pornhub employee account in 2023, not during Mixpanel's November 2025 security incident.
- Threat actors are exploiting WhatsApp's legitimate device-linking feature in a campaign dubbed "GhostPairing," tricking users with fake Facebook verification pages to link the attacker's browser to their WhatsApp account, gaining full conversation history access.
- European law enforcement has dismantled two Ukraine-based call centre networks responsible for over $13.7 million in scams, where criminals posed as police or bank employees to trick victims into transferring funds or installing remote access software.
- The FTC has ordered blockchain company Illusory Systems to distribute approximately $37.5 million in recovered funds to customers affected by the 2022 Nomad crypto platform hack, which saw $186 million stolen due to inadequately tested code.

πŸ—žοΈ The Record | therecord.media/france-interio
πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ€– Bleeping Computer | bleepingcomputer.com/news/secu
πŸ—žοΈ The Record | therecord.media/european-polic
πŸ—žοΈ The Record | therecord.media/ftc-settlement

Vulnerabilities: Zero-Days & Active Exploitation 🛡️

- SonicWall has warned customers to patch a medium-severity local privilege escalation flaw (CVE-2025-40602) in its SMA1000 Appliance Management Console, which is being chained with a critical pre-authentication deserialisation flaw (CVE-2025-23006) for unauthenticated remote code execution with root privileges.
- The critical React2Shell vulnerability (CVE-2025-55182), an insecure deserialisation issue in React Server Components, is being actively exploited by a ransomware gang (Weaxor) to gain initial access and deploy encryptors in under a minute.
- System administrators should review Windows event logs and EDR telemetry for process creation from Node or React binaries, as well as unusual outbound connections or disabled security solutions, as patching alone might not be sufficient due to the speed of exploitation.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

New Threat Research: APTs, Malware & Tradecraft 🕵️‍♀️

- The Russian state-sponsored APT28 (BlueDelta) has been conducting a sustained credential-harvesting campaign targeting Ukrainian UKR.net webmail users since June 2024, using fake login pages on legitimate services like Mocky and shortened links in PDF attachments.
- Amazon security researchers report that Russia’s GRU (APT44/Sandworm) has shifted tactics since 2025, now primarily targeting misconfigured network edge devices in Western critical infrastructure, particularly the energy sector, instead of relying on novel vulnerabilities.
- China-linked threat actor Ink Dragon (Jewelbug) is increasingly targeting government entities in Europe, Southeast Asia, and South America, leveraging vulnerable web applications to deploy web shells, ShadowPad IIS Listener modules, and an updated FINALDRAFT backdoor for stealthy, long-term persistence and data exfiltration.
- Operation ForumTroll, an unknown threat actor, is targeting Russian scholars in political science and economics with personalised phishing emails disguised as eLibrary plagiarism reports, delivering the Tuoni C2 framework via malicious LNK files and PowerShell scripts.
- A new Android Malware-as-a-Service (MaaS) called Cellik is being advertised, offering the ability to embed itself into any Google Play Store app, stream screens, intercept notifications, exfiltrate files, and use a hidden browser mode.
- The "GhostPoster" malware has been found in 17 Firefox add-ons with over 50,000 downloads, using steganography in logo files to embed malicious JavaScript that hijacks affiliate links, injects tracking code, strips security headers, and performs ad/click fraud.
- Forensic researchers have discovered "ResidentBat," a previously unknown Android spyware, on a Belarusian journalist's phone, believed to have been installed during KGB detention and capable of accessing call logs, messages, microphone recordings, and files.

📰 The Hacker News | thehackernews.com/2025/12/apt2
🗞️ The Record | therecord.media/russian-bluede
🗞️ The Record | therecord.media/russia-gru-hac
📰 The Hacker News | thehackernews.com/2025/12/chin
📰 The Hacker News | thehackernews.com/2025/12/new-
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/12/ghos
🗞️ The Record | therecord.media/spyware-belaru

Data Privacy Concerns 🔒

- Four popular browser extensions (Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, Urban Ad Blocker) have been caught harvesting text from AI chatbot conversations (ChatGPT, Claude, Gemini, etc.) from over 8 million users and sending it to developers, despite some claiming privacy protection.
- Meta has rolled out a new policy to personalise content and ad recommendations based on users' interactions with its generative AI features, with no opt-out option, raising significant privacy concerns among experts about the use of sensitive chat data.
- Digital rights organisation noyb alleges that TikTok and Grindr are violating European GDPR laws by tracking user activities across apps, with TikTok reportedly acknowledging it tracked a user's Grindr activity and other app usage, including shopping cart items.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ—žοΈ The Record | therecord.media/privacy-advoca
πŸ—žοΈ The Record | therecord.media/tiktok-grindr-

Government & Defence Strategy 🏛️

- NATO's Assistant Secretary General for Cyber and Digital Transformation stressed the existential urgency for the alliance to develop sovereign cloud-based technologies, highlighting the need for speed, collaboration, and designing systems that enhance autonomy and allied trust.
- Outgoing GAO chief Gene Dodaro warned lawmakers that the U.S. is "very vulnerable" to cyber threats and expressed concern that CISA is "taking our foot off the gas," having lost about a third of its staff, and urged for a permanent director to be confirmed swiftly.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
🀫 CyberScoop | fedscoop.com/cisa-workforce-th

#CyberSecurity #ThreatIntelligence #APT #Ransomware #Malware #ZeroDay #Vulnerability #DataPrivacy #InfoSec #CyberAttack #NationState #Phishing #SocialEngineering #CloudSecurity #GovernmentSecurity #CISA #GDPR

2025-12-17

Created a problem trying to update fwupd #apt #snap #fwupd

askubuntu.com/q/1561955/612

2025-12-17

China-linked APT Ink Dragon expanded cyber espionage into European government networks by exploiting IIS and SharePoint misconfigurations and using victim servers as relay nodes.

CPR also observed overlapping access by RudePanda in some networks.

Details:
technadu.com/ink-dragon-expand

#APT #CyberEspionage #ThreatIntel #GovernmentSecurity

2025-12-17

How unsafe is it to always update, upgrade, and autoremove? #apt #packagemanagement #updates

askubuntu.com/q/1561941/612

2025-12-17

How to disable warnings during `apt install`s to better locate errors? #apt #cmake

askubuntu.com/q/1561913/612

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst