#ICS

2025-06-18

Warning Against Distribution of Malware Disguised as Research Papers

The Kimsuky group has launched a sophisticated phishing attack disguised as a request for paper review from a professor. The attack involves a password-protected HWP document with a malicious OLE object, which creates six files upon opening. When executed, these files perform various malicious activities, including collecting system information, downloading additional files, and establishing remote access through AnyDesk. The threat actors use legitimate software and cloud storage services like Dropbox as part of their attack infrastructure. The malware hides its presence by concealing AnyDesk's interface, making detection difficult for users. This case highlights the evolving tactics of APT groups and the importance of cautious handling of files from unknown sources.

Pulse ID: 6852fb62bacdd68c9f8c2a81
Pulse Link: otx.alienvault.com/pulse/6852f
Pulse Author: AlienVault
Created: 2025-06-18 17:46:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AnyDesk #Cloud #CyberSecurity #Dropbox #ICS #InfoSec #Kimsuky #Malware #OTX #OpenThreatExchange #Password #Phishing #RCE #UK #Word #bot #AlienVault

2025-06-18

May 2025 APT Group Trends (South Korea)

This analysis examines Advanced Persistent Threat (APT) attacks in South Korea during May 2025. The majority of identified attacks utilized spear phishing as the primary infiltration method. Two main types of attacks were observed: Type A, which uses LNK files to execute malicious scripts and download additional malware, and Type B, which employs LNK files to download and execute obfuscated Python scripts. Both types use deception techniques, including decoy documents and task scheduler manipulation. The attacks targeted various sectors, using topics such as financial reporting, privacy protection, and business registration to lure victims. The report provides detailed information on file names, decoy documents, and indicators of compromise, including MD5 hashes, URLs, FQDNs, and IP addresses associated with the malicious activities.

Pulse ID: 6852fb631fbf46af0b21acb2
Pulse Link: otx.alienvault.com/pulse/6852f
Pulse Author: AlienVault
Created: 2025-06-18 17:46:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DNS #ICS #InfoSec #Korea #LNK #Malware #OTX #OpenThreatExchange #Phishing #Privacy #Python #RAT #SouthKorea #SpearPhishing #bot #AlienVault

2025-06-18

GitHub's Dark Side: Unveiling Malware Disguised as Cracks, Hacks, and Crypto Tools

Cybercriminals are exploiting GitHub's reputation to distribute malware, particularly targeting gamers and children. They create repositories offering game hacks, cracked software, and crypto tools, which actually contain Lumma Stealer variants. The attack chain begins with users searching for these products online, leading them to malicious GitHub repositories or YouTube videos. These repositories use social engineering tactics, including detailed descriptions, fake licenses, and instructions to disable antivirus software. The malware collects sensitive information from infected systems and transfers it to command-and-control servers. McAfee provides detection and mitigation strategies, emphasizing the importance of user education, regular software updates, and avoiding unofficial downloads.

Pulse ID: 6852b2411a397b8565ae8343
Pulse Link: otx.alienvault.com/pulse/6852b
Pulse Author: AlienVault
Created: 2025-06-18 12:34:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Education #GitHub #ICS #InfoSec #LummaStealer #Malware #McAfee #OTX #OpenThreatExchange #RAT #SocialEngineering #YouTube #bot #AlienVault

2025-06-18

New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks

Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.

Pulse ID: 684c90509889eb77ff43d758
Pulse Link: otx.alienvault.com/pulse/684c9
Pulse Author: AlienVault
Created: 2025-06-13 20:55:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #FakeBrowser #ICS #InfoSec #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #PowerShell #RAT #ZIP #bot #AlienVault

2025-06-18

Uncovering a Tor-Enabled Docker Exploit

A sophisticated attack campaign exploits exposed Docker Remote APIs and leverages the Tor network to deploy stealthy cryptocurrency miners. The attackers gain access to containerized environments, use Tor to mask their activities, and employ the ZStandard compression algorithm for efficient payload delivery. The attack sequence involves initial access through the Docker API, container creation with host system access, deployment of a malicious script, SSH configuration modification for persistent access, installation of supporting tools, and finally the execution of an XMRig crypto miner. This campaign particularly targets cloud-heavy sectors like technology, finance, and healthcare. The attackers demonstrate advanced evasion techniques and utilize various MITRE ATT&CK framework tactics.

Pulse ID: 68529a8718c8c520f9e67135
Pulse Link: otx.alienvault.com/pulse/68529
Pulse Author: AlienVault
Created: 2025-06-18 10:52:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #Docker #Healthcare #ICS #InfoSec #OTX #OpenThreatExchange #RAT #SSH #bot #cryptocurrency #AlienVault

2025-06-15

📢 Patch Tuesday: Siemens, Schneider Electric and Aveva publish ICS security advisories
📝 The article published on cyberveille.decio.ch reports on the latest security advisories published by Siemens...
📖 cyberveille: cyberveille.ch/posts/2025-06-1
🌐 source: securityweek.com/ics-patch-tue
#Aveva #ICS #Cyberveille

2025-06-13

May 2025 Security Issues in Korean & Global Financial Sector

This comprehensive analysis covers cyber threats targeting financial companies in Korea and globally. It examines malware and phishing cases, top 10 malware strains, and statistics on leaked Korean accounts. The report delves into major financial threats on the dark web, including credit card data breaches, database breaches, and ransomware attacks. A notable case involves the Arkana ransomware group's breach of a global online brokerage firm, In***, resulting in the theft of 50 GB of customer data, including KYC submissions and information of over 163,000 customers. The incident highlights vulnerabilities in trading platforms' identity verification and account protection systems, emphasizing the need for enhanced security measures beyond regulatory compliance.

Pulse ID: 684c39e93f94187d72499497
Pulse Link: otx.alienvault.com/pulse/684c3
Pulse Author: AlienVault
Created: 2025-06-13 14:47:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CreditCard #CyberSecurity #DataBreach #ICS #InfoSec #Korea #Malware #OTX #OpenThreatExchange #Phishing #RansomWare #bot #AlienVault

2025-06-13

Serverless Tokens in the Cloud: Exploitation and Detections

This article explores the security implications of serverless authentication across major cloud platforms. It details how attackers target serverless functions to exploit vulnerabilities arising from insecure code and misconfigurations. The mechanics of serverless authentication are explained for AWS Lambda, Google Cloud Functions, and Azure Functions. The article outlines potential attack vectors for token exfiltration, including SSRF and RCE, and provides simulations demonstrating how tokens can be extracted and misused. Detection strategies are discussed, focusing on identifying serverless identities and anomalous behavior. Prevention measures are suggested, emphasizing the principle of least privilege and robust input validation. The article concludes by stressing the importance of understanding serverless credential mechanics and implementing proactive security measures to protect cloud environments.

Pulse ID: 684c2fe6a5c4505625bfe76d
Pulse Link: otx.alienvault.com/pulse/684c2
Pulse Author: AlienVault
Created: 2025-06-13 14:04:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Azure #Cloud #CyberSecurity #Google #ICS #InfoSec #OTX #OpenThreatExchange #RAT #RCE #bot #AlienVault

2025-06-13

What is the Real Relationship between WordPress Hackers and Malicious Adtech?

An investigation into VexTrio, a malicious traffic distribution system (TDS), revealed surprising connections between WordPress hackers and adtech companies. When VexTrio's operations were disrupted, multiple malware actors migrated to a new TDS that was discovered to be related to VexTrio. Several commercial TDSs were found to share software elements with VexTrio and benefit from its relationship with website malware actors. The investigation uncovered a complex network of adtech firms, including Partners House, BroPush, and RichAds, that use similar technologies and tactics to distribute malicious content. These firms have information about the identities of malware actors, which could potentially lead to their disruption.

Pulse ID: 684bda6d032b4c4aeb5ec33c
Pulse Link: otx.alienvault.com/pulse/684bd
Pulse Author: AlienVault
Created: 2025-06-13 07:59:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RDP #VexTrio #Word #Wordpress #bot #AlienVault

2025-06-11

🚨 Help Secure Europe’s Critical Infrastructure!
Your voice matters in shaping the future of OT cybersecurity.

🛡️ Take the CyberSec4OT Survey today 👉 cysecsurveys.com/en/unicis/

#OT #Cybersecurity #Education #EU #Master #DigitalSkills #Resilience #ICS #SCADA

2025-06-11

New BrowserVenom malware being distributed via fake DeepSeek phishing website

A new malicious campaign is distributing previously unknown malware through a fake DeepSeek-R1 LLM environment installer. The phishing site, promoted via Google Ads, mimics the official DeepSeek homepage. The attack installs BrowserVenom, an implant that forces all browsing traffic through a proxy controlled by threat actors, enabling network traffic manipulation and data collection. The infection process involves a fake CAPTCHA, exclusion of the user's folder from Windows Defender, and installation of a malicious certificate. BrowserVenom modifies browser settings across various platforms to route traffic through the attacker's proxy. Infections have been detected globally, with victims in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt.

Pulse ID: 68499d3d233e106b9d20d6ff
Pulse Link: otx.alienvault.com/pulse/68499
Pulse Author: AlienVault
Created: 2025-06-11 15:14:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Africa #Brazil #Browser #CAPTCHA #CyberSecurity #Google #ICS #India #InfoSec #Malware #Mexico #Mimic #Nepal #OTX #OpenThreatExchange #Phishing #Proxy #RCE #Troll #Venom #Windows #bot #AlienVault

2025-06-11

Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery

Skeleton Spider, also known as FIN6, is a financially motivated cybercrime group that has evolved from POS breaches to broader enterprise threats. They employ social engineering tactics, posing as job seekers on platforms like LinkedIn to deliver phishing messages. Their preferred payload is more_eggs, a JavaScript-based backdoor. The group uses trusted cloud services like AWS to host malicious infrastructure, evading detection. Their phishing emails impersonate job applicants, with domains mimicking real names. FIN6 employs sophisticated filtering techniques to ensure malware delivery only to intended targets. The more_eggs malware, developed by Venom Spider, allows for command execution and credential theft. Defense strategies include cautious handling of resume links, blocking execution of suspicious files, and implementing EDR policies.

Pulse ID: 68494c3a4501d98c52a609e9
Pulse Link: otx.alienvault.com/pulse/68494
Pulse Author: AlienVault
Created: 2025-06-11 09:28:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #BackDoor #Cloud #CyberCrime #CyberSecurity #EDR #Email #ICS #InfoSec #Java #JavaScript #LinkedIn #Malware #Mimic #OTX #OpenThreatExchange #Phishing #RAT #Rust #SocialEngineering #Venom #bot #AlienVault

2025-06-10

Whispering in the dark

ESET researchers uncovered a cyberespionage campaign by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has targeted Kurdish and Iraqi government officials since at least 2017, using various malicious tools including the Whisper backdoor, PrimeCache IIS module, and reverse tunnels. BladedFeline maintains persistent access to high-ranking officials in both the Kurdistan Regional Government and Iraqi government, likely for espionage purposes. The group's toolset includes sophisticated backdoors, webshells, and custom tunneling applications. ESET assesses with medium confidence that BladedFeline is a subgroup of OilRig, based on shared code, targets, and tactics. The campaign also extended to a telecommunications provider in Uzbekistan.

Pulse ID: 684874c7cbe4dbef4d0ff749
Pulse Link: otx.alienvault.com/pulse/68487
Pulse Author: AlienVault
Created: 2025-06-10 18:09:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Cyberespionage #ESET #Espionage #Government #ICS #InfoSec #Iran #OTX #OilRig #OpenThreatExchange #Telecom #Telecommunication #bot #AlienVault

2025-06-10

Detecting PureLogs traffic with CapLoader

CapLoader's Port Independent Protocol Identification feature can now detect the C2 protocol used by PureLogs Stealer malware without relying on port numbers. This capability was added in the recent 2.0 release. The blog post demonstrates this functionality using a PCAP file from malware-traffic-analysis.net. It highlights CapLoader's ability to identify protocols in TCP and UDP sessions, enhancing network security monitoring and forensics. The post also provides indicators of compromise, including a domain and IP address associated with PureLogs traffic.

Pulse ID: 6847f86832c3af4f5793bcbe
Pulse Link: otx.alienvault.com/pulse/6847f
Pulse Author: AlienVault
Created: 2025-06-10 09:18:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #Malware #NET #OTX #OpenThreatExchange #RAT #TCP #UDP #bot #AlienVault

Pen Test Partners (PTP@infosec.exchange)
2025-06-10

Relying on dual-homed devices to separate your networks? You might be opening the door to attackers without realising it. 🖥️

During a recent OT and ICS assessment, what looked like strong segmentation on paper actually created hidden pathways across their networks.

We found that dual-homed devices, combined with outdated firmware, default passwords, and exposed services, allowed bridging between different networks (often of varying trust levels).

This is a reminder that dual-homed devices are not a safe shortcut for proper network design.

You can read the full breakdown here: pentestpartners.com/security-b

#CyberSecurity #OTSecurity #ICS #CriticalInfrastructure #NetworkSecurity #NetworkSegregation

2025-06-10

APT 41: Threat Intelligence Report and Malware Analysis

APT41, a sophisticated Chinese state-sponsored threat actor, blends cyber espionage with cybercrime tactics. They target various sectors globally, including healthcare, telecom, and government entities. Recently, APT41 was observed using Google Calendar for malware command-and-control on a Taiwanese government website. Their attack chain involves spear-phishing emails, malicious ZIP archives, and a three-module malware system called ToughProgress. This malware uses stealthy techniques like in-memory execution, encryption, and process hollowing to evade detection. The unique aspect of ToughProgress is its use of Google Calendar events for covert data exchange, creating a stealthy communication channel for remote command execution and data exfiltration.

Pulse ID: 68480e89dbe1f2bc0746a80c
Pulse Link: otx.alienvault.com/pulse/68480
Pulse Author: AlienVault
Created: 2025-06-10 10:52:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #CyberCrime #CyberSecurity #Email #Encryption #Espionage #Google #Government #Healthcare #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #RemoteCommandExecution #SpearPhishing #Telecom #ZIP #bot #AlienVault

2025-06-10

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

The research outlines China-nexus threat actors targeting SentinelOne and other organizations between 2024 and 2025. It details intrusions into an IT services company managing SentinelOne's hardware logistics and reconnaissance of SentinelOne's servers. The attacks involved ShadowPad malware and a cluster of activities dubbed PurpleHaze, which included the use of GOREshell backdoors and exploitation of vulnerabilities. Over 70 organizations worldwide were compromised in a broad ShadowPad operation. The threat actors employed sophisticated techniques like operational relay box networks and custom obfuscation methods. The research emphasizes the persistent threat posed by Chinese cyberespionage to various sectors, including cybersecurity vendors.

Pulse ID: 6847eb4c4b4f501a31f255cd
Pulse Link: otx.alienvault.com/pulse/6847e
Pulse Author: AlienVault
Created: 2025-06-10 08:22:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #China #Chinese #CyberSecurity #Cyberespionage #Espionage #ICS #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RESHELL #SentinelOne #ShadowPad #bot #AlienVault

2025-06-09

APT carries out attacks with data theft and crypto miner deployment

Librarian Ghouls, an APT group targeting entities in Russia and the CIS, has been conducting a campaign involving targeted phishing emails with malicious archives. The attackers use legitimate third-party software and scripts to establish remote access, steal credentials, and deploy an XMRig crypto miner. Their tactics include disabling security measures, scheduling tasks to cover their tracks, and exfiltrating sensitive data. The campaign primarily affects industrial enterprises and engineering schools in Russia, with some victims in Belarus and Kazakhstan. The group continues to refine its methods, focusing on data exfiltration, remote access, and email account compromise through phishing sites.

Pulse ID: 684732eb0477b17208dec6c0
Pulse Link: otx.alienvault.com/pulse/68473
Pulse Author: AlienVault
Created: 2025-06-09 19:15:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Belarus #CyberSecurity #DataTheft #Email #ICS #InfoSec #Kazakhstan #OTX #OpenThreatExchange #Phishing #RAT #Russia #bot #AlienVault

2025-06-09

Operation DRAGONCLONE: Chinese Telecom Targeted by Malware

A sophisticated campaign targeting China Mobile Tietong Co., Ltd., a subsidiary of China Mobile, has been uncovered. The attack employs VELETRIX, a new loader, and VShell, a known adversary simulation tool. The infection chain begins with a malicious ZIP file containing executable and DLL files. VELETRIX uses anti-analysis techniques, IPFuscation, and a callback mechanism to execute VShell. The campaign shows overlaps with UNC5174 (Uteus) and Earth Lamia, known China-nexus threat actors. The infrastructure utilizes tools like SuperShell, Cobalt Strike, and Asset Lighthouse System. Active since March 2025, this operation demonstrates advanced tactics, techniques, and procedures associated with Chinese state-sponsored threat groups.

Pulse ID: 6844107300a6d8cdddd3cf53
Pulse Link: otx.alienvault.com/pulse/68441
Pulse Author: AlienVault
Created: 2025-06-07 10:12:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #Chinese #CobaltStrike #CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #RAT #Telecom #ZIP #bot #AlienVault
