#RCE

2025-12-12

Technical Analysis of the BlackForce Phishing Kit

The BlackForce phishing kit, first observed in August 2025, has evolved through multiple versions and is capable of stealing credentials and performing Man-in-the-Browser attacks to bypass multi-factor authentication. It impersonates various brands and uses sophisticated evasion techniques, including a blocklist for security vendors and web crawlers. The kit features a dual-channel communication architecture, separating the phishing server from a Telegram drop. Its attack chain includes user validation, credential capture, and real-time alerts to attackers. BlackForce employs anti-analysis filters, stateful attack models, and a command-and-control panel for managing phishing sessions. The rapid versioning indicates active development and adaptation to improve resilience and evade detection.

Pulse ID: 693bd6126b0e51b63c7cd87f
Pulse Link: otx.alienvault.com/pulse/693bd
Pulse Author: AlienVault
Created: 2025-12-12 08:45:06

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #RAT #RCE #Telegram #bot #AlienVault

2025-12-12

RTO Challan Fraud: A Technical Report on APK-Based Financial and Identity Theft

A sophisticated mobile fraud operation has been uncovered, distributing a malicious 'RTO Challan / e-Challan' Android application via WhatsApp. The APK uses advanced obfuscation and hidden installation techniques to establish persistent control over victims' devices. It creates a custom VPN tunnel to mask network activity and harvests extensive personal, device, and financial information. The malware intercepts OTPs, manipulates call behavior, and presents a fraudulent payment interface to steal banking credentials. Analysis of the C2 infrastructure revealed obfuscated Base64-encoded URLs pointing to malicious domains. The campaign combines mobile malware, financial fraud, and social engineering, posing a high-risk threat capable of severe monetary losses and large-scale exposure of sensitive personal data.

Pulse ID: 693be9cb223e15fed06b64de
Pulse Link: otx.alienvault.com/pulse/693be
Pulse Author: AlienVault
Created: 2025-12-12 10:09:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APK #Android #Bank #CyberSecurity #FinancialFraud #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RCE #SocialEngineering #VPN #WhatsApp #bot #AlienVault

Offensive Sequence offseq@infosec.exchange
2025-12-12

🔥 CRITICAL: CVE-2025-67728 in ShaneIsrael fireshare (<1.3.0) enables RCE via crafted file uploads—no auth needed if Public Uploads is on. Patch to 1.3.0+ now & disable Public Uploads! radar.offseq.com/threat/cve-20 #OffSeq #Vulnerability #RCE #fireshare

Critical threat: CVE-2025-67728: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Inje
Nelson | Security Researcher privlabs@techhub.social
2025-12-11

🚨 Supply Chain Attack Simulation on Drupal (PoC, not a CVE)

What if a malicious actor hijacked the update server for your favorite CMS?
I built a full lab scenario to demonstrate how it could happen — and how to defend against it.

🔬 Techniques covered:

MITM + rogue CA, fake update feeds, trojanized package → RCE & persistence.
Full doc + PDF PoC.

Full documentation: attack steps, scripts (in PDF), hardening tips

⚠️ Not a Drupal 0-day — this is a controlled, educational simulation for awareness and training.

💡 Why it matters

Supply chain attacks are no longer theoretical.
This demo helps Blue Teams, Red Teams, developers, and trainers strengthen detection, review processes, and update security.

👉 Repo :
github.com/privlabs/-Supply-Ch

Questions or feedback?
DM me or email me (contact in README).

All in lab, all safe

#cybersecurity #infosec #securityresearch #offensivesecurity #blueteam
#redteam #supplychainsecurity #drupal #websecurity #devsecops
#softwaresecurity #rce #mitm

Screenshot showing Drupal’s ‘Available updates’ page displaying a security update, alongside a Linux terminal window where a payload has executed in a controlled supply chain attack simulation. The image illustrates a lab scenario involving a rogue update server and a tampered package, as documented in the GitHub project
Le site de Korben korben.info@web.brid.gy
2025-12-11
<p>Back in 2016, I told you about
<a href="https://korben.info/serveur-git-interface-web-gogs.html">Gogs</a>
, that tiny self-hosted Git server, super lightweight, that installs in 10 seconds and is still today a nice alternative to GitHub for those who wanted to keep their code at home. But watch out: if you use it, you'll need to act fast, because right now it's a disaster.</p>
<p>Researchers at Wiz have just discovered that more than <strong>700 Gogs instances exposed on the Internet</strong> have been compromised through a zero-day flaw dubbed <strong>CVE-2025-8110</strong>. Worse, the flaw has been actively exploited since July 2025 and there is still no patch.</p>
<p>The attack is nasty because an attacker only needs a standard user account to compromise your server. They create a repository, add a symbolic link in it pointing to a sensitive file, then use the PutContents API to write through that link and modify the <code>.git/config</code> file. Then, by tinkering with the sshCommand directive, they can run any command they like on your server. And that's it, game over!</p>
<p>This flaw is actually a bypass of an earlier fix (CVE-2024-55947). The developers had patched the problem but forgot to handle the case of symbolic links. And this isn't even the first time that
2025-12-11

NANOREMOTE, cousin of FINALDRAFT

A newly discovered Windows backdoor called NANOREMOTE shares similarities with previously known malware FINALDRAFT. NANOREMOTE's key feature is using the Google Drive API for data exfiltration and payload staging, making detection challenging. The malware includes a task management system for file transfers and incorporates functionality from open-source projects. It communicates with a hardcoded IP address over HTTP, using encrypted and compressed JSON data. NANOREMOTE has 22 command handlers enabling various capabilities such as system reconnaissance, file operations, and command execution. The malware's similarity to FINALDRAFT suggests a shared codebase and development environment between the two threats.

Pulse ID: 6939bd81fe359cfc48685131
Pulse Link: otx.alienvault.com/pulse/6939b
Pulse Author: AlienVault
Created: 2025-12-10 18:35:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Google #HTTP #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RCE #Windows #bot #AlienVault

2025-12-11

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited

A zero-day vulnerability in Gogs, a popular self-hosted Git service, has been discovered and is being actively exploited. The flaw, identified as CVE-2025-8110, is a symlink bypass of a previously patched RCE vulnerability. It allows authenticated users to overwrite files outside the repository, leading to Remote Code Execution. Over 700 compromised instances have been identified on the internet. The vulnerability affects Gogs servers (version <= 0.13.3) exposed to the internet with open-registration enabled. The attack chain involves creating a repository with a symbolic link, then using the PutContents API to overwrite sensitive files. The malware used in the attacks is based on the Supershell framework, designed for establishing reverse SSH shells.

Pulse ID: 6939bd82d7768abb3cf0a04a
Pulse Link: otx.alienvault.com/pulse/6939b
Pulse Author: AlienVault
Created: 2025-12-10 18:35:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ELF #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RCE #RemoteCodeExecution #SSH #Vulnerability #ZeroDay #bot #AlienVault

Offensive Sequence offseq@infosec.exchange
2025-12-11

CRITICAL: Active exploitation of Gladinet CentreStack & Triofox via hard-coded keys in GenerateSecKey(). Attackers gain persistent access + RCE by forging tickets at /storage/filesvr.dn. Patch to v16.12.10420.56791 & rotate machine keys now! radar.offseq.com/threat/active #OffSeq #CyberSecurity #Gladinet #RCE

Critical threat: Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution
Offensive Sequence offseq@infosec.exchange
2025-12-11

⚠️ CRITICAL SOAPwn flaw in .NET lets attackers use rogue WSDLs for arbitrary file writes & RCE. Impacts Barracuda RMM, Ivanti EPM, Umbraco 8. Patch vendors, restrict WSDL imports, audit SOAP client usage! Details: radar.offseq.com/threat/net-so #OffSeq #Infosec #RCE #DotNet

Critical threat: .NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL
Alexandre Borges alexandreborges
2025-12-11

No Leak, No Problem - Bypassing ASLR with a ROP Chain to Gain RCE;

modzero.com/en/blog/no-leak-no

#exploitation #cve #rce #rop #aslr #arm #iot

2025-12-10

Deceptive Layoff-Themed HR Email Distributes Remcos RAT Malware

A malicious email campaign exploits workforce anxieties by disguising itself as internal HR announcements about layoffs. The emails contain a RAR archive with a double-extension executable masquerading as a PDF document. Upon execution, the file deploys Remcos RAT, a remote access tool, which establishes persistence, collects system information, and prepares the infected host for remote access. The malware uses NSIS compilation to conceal its intent and creates configuration files and registry entries for victim identification and persistence. The campaign highlights the ongoing exploitation of current organizational trends by threat actors to gain initial access to targeted systems.

Pulse ID: 693858facc22600524468ede
Pulse Link: otx.alienvault.com/pulse/69385
Pulse Author: AlienVault
Created: 2025-12-09 17:14:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ELF #Email #InfoSec #Malware #OTX #OpenThreatExchange #PDF #RAT #RCE #Remcos #RemcosRAT #bot #AlienVault

2025-12-09

Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks

A critical remote code execution vulnerability (CVE-2025-6389) in the Sneeit Framework WordPress plugin is being actively exploited. The flaw allows unauthenticated attackers to execute code on the server, potentially creating malicious admin accounts or injecting backdoors. Wordfence has blocked over 131,000 attack attempts since November 24, 2025. Concurrently, a separate attack exploiting an ICTBroadcast vulnerability (CVE-2025-2611) is being used to spread the 'Frost' DDoS botnet. This botnet combines DDoS capabilities with spreader logic, including exploits for fifteen CVEs. The attacks appear to be part of a small, targeted operation, given the limited number of vulnerable internet-exposed systems.

Pulse ID: 69381affff384c7c0e973a8e
Pulse Link: otx.alienvault.com/pulse/69381
Pulse Author: AlienVault
Created: 2025-12-09 12:50:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DDoS #DoS #InfoSec #OTX #OpenThreatExchange #RAT #RCE #RDP #RemoteCodeExecution #Vulnerability #Word #Wordpress #bot #botnet #AlienVault

Offensive Sequence offseq@infosec.exchange
2025-12-09

🛑 CRITICAL: CVE-2025-42928 in SAP jConnect - SDK for ASE (v16.0.4, 16.1) enables RCE by high-privileged users via deserialization. No user interaction needed. Patch & restrict privileged accounts now! More info: radar.offseq.com/threat/cve-20 #OffSeq #SAP #Vuln #RCE

Critical threat: CVE-2025-42928: CWE-502: Deserialization of Untrusted Data in SAP_SE SAP jConnect - SDK for ASE
Offensive Sequence offseq@infosec.exchange
2025-12-09

🚨 CRITICAL: CVE-2025-66481 affects DeepChat <=0.5.1—XSS via unpatched Mermaid content can lead to RCE through Electron’s ipcRenderer. No fix yet. Disable Mermaid, harden input sanitization, monitor activity. Details: radar.offseq.com/threat/cve-20 #OffSeq #DeepChat #XSS #RCE

Critical threat: CVE-2025-66481: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS
Offensive Sequence offseq@infosec.exchange
2025-12-09

🚨 CVE-2025-65964: CRITICAL RCE in n8n-io n8n (0.123.1–1.119.1). Exploit via Git node lets attackers run arbitrary code through malicious Git hooks. Upgrade to 1.119.2, disable Git node if needed. Details: radar.offseq.com/threat/cve-20 #OffSeq #n8n #Vuln #RCE

Critical threat: CVE-2025-65964: CWE-829: Inclusion of Functionality from Untrusted Control Sphere in n8n-io n8n
2025-12-08

Who Lives Well in Runet: TOP/ANTI-TOP Vulnerabilities of November

Everyone in Runet is looking for a good life, but only some services live freely and know no sorrow, while others get caught in cunning nets known as vulnerabilities. So the CyberOK experts spent all of November wandering the digital paths, trying to work out who in Runet lives well and whose lot is a troubled one. We went through instances, cross-checked telemetry, looked at where there are PoCs and where there is only noise, and compiled the TOP / ANTI-TOP vulnerabilities of November.

habr.com/ru/articles/974490/

#уязвимость #cybersecurity #CVE #Squid #React_Server #SQLинъекция #RCE #удалённое_выполнение_кода #DevOps #системное_администрирование

2025-12-08

Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks

Pulse ID: 6936a3506299089730f8c4d2
Pulse Link: otx.alienvault.com/pulse/6936a
Pulse Author: CyberHunter_NL
Created: 2025-12-08 10:07:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RCE #RDP #Word #Wordpress #bot #botnet #CyberHunter_NL

Offensive Sequence offseq@infosec.exchange
2025-12-07

🔴 IDEsaster: 30+ CRITICAL vulns in AI IDEs (Copilot, Cursor, Zed.dev) allow prompt injection, data theft & RCE—no user action needed. Restrict AI agent privileges, isolate execution & monitor MCP servers. More: radar.offseq.com/threat/resear #OffSeq #AIsecurity #RCE

Critical threat: Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks
2025-12-06

It's been a busy 24 hours in the cyber world with significant updates on a critical RCE vulnerability under active exploitation, novel attack techniques leveraging AI and web standards, and a timely reminder about evolving authentication best practices. Let's dive in:

AI-Powered Virtual Kidnapping Scams on the Rise 🚨
- Criminals are now leveraging social media images and AI tools to create convincing fake "proof of life" photos and videos for "virtual kidnapping" and extortion scams.
- These sophisticated social engineering attacks pressure victims with threats of violence, demanding immediate ransom payments, echoing the old "grandparent scam" but with a modern, AI-enhanced twist.
- The FBI advises extreme caution: never provide personal info to strangers, establish a family code word, and always attempt to contact the supposed victim directly before making any payments.

🕵🏼 The Register | go.theregister.com/feed/www.th

React2Shell RCE Under Widespread Exploitation ⚠️
- The critical React2Shell vulnerability (CVE-2025-55182), an unauthenticated RCE flaw in React Server Components, is under active and widespread exploitation by various threat actors, including China-linked state groups like Earth Lamia, Jackpot Panda, and UNC5174.
- CISA has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog, with over 77,000 internet-exposed IP addresses identified as vulnerable and more than 30 organisations already compromised.
- Post-exploitation activities include reconnaissance, credential theft (especially AWS config files), deployment of webshells, cryptojackers, and malware like Snowlight and Vshell. Cloudflare even experienced an outage while deploying mitigations.

🕵🏼 The Register | go.theregister.com/feed/www.th
🤫 CyberScoop | cyberscoop.com/attackers-explo
📰 The Hacker News | thehackernews.com/2025/12/crit
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

IDEsaster: 30+ Flaws in AI Coding Tools 🛡️
- New research, dubbed "IDEsaster," has uncovered over 30 vulnerabilities in popular AI-powered Integrated Development Environments (IDEs) like Cursor, GitHub Copilot, and Zed.dev.
- These flaws chain prompt injection with legitimate IDE features, allowing attackers to bypass LLM guardrails and achieve data exfiltration or remote code execution without user interaction.
- The findings highlight a critical need for a "Secure for AI" paradigm, urging developers to apply least privilege to LLM tools, minimise prompt injection vectors, and implement sandboxing for commands.

📰 The Hacker News | thehackernews.com/2025/12/rese

Novel Clickjacking via CSS and SVG 🎨
- A security researcher has developed a new clickjacking technique that leverages SVG filters and CSS to leak cross-origin information, effectively bypassing the web's same-origin policy.
- This method allows for complex logic gates to process webpage pixels, enabling sophisticated attacks like exfiltrating Google Docs text, even in scenarios where traditional framing mitigations are absent or ineffective.
- While Google awarded a bounty for the report, the vulnerability remains unpatched across multiple browsers, underscoring the ongoing challenge of securing complex web standards.

🕵🏼 The Register | go.theregister.com/feed/www.th

Passkeys: The Future of Phishing-Resistant MFA 🔒
- Traditional SMS and email one-time passwords (OTPs) are increasingly vulnerable to phishing attacks, making them an unreliable form of multi-factor authentication (MFA).
- Passkeys, based on cryptographic key pairs and FIDO2 standards, represent the "gold standard" for phishing-resistant MFA, offering superior security and a significantly improved user experience with faster logins and reduced helpdesk calls.
- While multi-device passkeys can still be susceptible to social engineering (like Scattered Spider attacks), they remain a substantial upgrade from OTPs, with over 2 billion passkeys already in use and strong adoption expected to continue.

🕵🏼 The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #Vulnerability #RCE #React2Shell #CVE_2025_55182 #NationState #APT #Clickjacking #SVG #CSS #AICodingTools #IDEsaster #PromptInjection #MFA #Passkeys #Phishing #SocialEngineering #InfoSec #CyberAttack #IncidentResponse
