Search This Blog

Popular Posts

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Claude Desktop Silently Alters Browser Settings, Even on Uninstalled Browsers

  Claude Desktop, Anthropic’s standalone AI app for macOS, has come under fire for quietly altering browser‑level settings on users’ machine...

All the recent news you need to know
Malware attacks
AI technology Cyber Security Deceptive npm packages Digital Supply Chain Risk malicious npm package Malware attacks

npm Supply Chain Attack Spreads Worm Malware Stealing Developer Secrets Across Compromised Packages

 

Worry grows within the cybersecurity community following discovery of a fresh supply chain threat aimed at the npm platform, where self-replicating malicious code infiltrates public software libraries to harvest confidential information from coders. Though broad consumer impact seems minimal, investigators at Socket and StepSecurity confirm the assault specifically targets niche development setups - environments often overlooked in typical breach patterns. 

Detection came after unusual network activity flagged automated systems, leading analysts to trace payloads back to tampered dependencies uploaded under legitimate project names. Unlike older variants that rely on user interaction, this version activates silently once installed, transmitting credentials to remote servers without visible signs. Researchers emphasize the sophistication lies not in complexity but timing: attacks unfold during build processes, evading standard runtime checks. 

From initial samples, it appears attackers maintain persistence by chaining exploits across multiple packages. Investigation continues into whether source repositories were breached directly or if hijacked maintainer accounts allowed upload privileges. Not far behind the initial breach, several packages tied to Namastex Labs began showing suspicious behavior. One after another, altered forms of @automagik/genie, pgserve, and similar tools appeared online without warning. 

What started as isolated reports now points to a wider pattern unfolding quietly. Though some tainted releases have been pulled, fresh variants continue turning up unexpectedly. Danger comes from how the code spreads itself automatically. Right after a package installs, it acts like a worm - starting fast, grabbing key details from the system it hits. Things such as API tokens show up on the list, along with SSH keys, cloud login info, and hidden codes used in software build tools, containers, or AI setups. 

Off it goes, sending what it finds to servers run by attackers. Despite lacking conclusive proof, analysts observe patterns matching past operations tied to TeamPCP. Similarities emerge in how malware activates upon installation, grabs login details, and uses distributed infrastructure for spreading code and storing stolen data. What makes this malware more than just a thief is how it pushes outward without pause. 

Once inside, it hunts for npm login details and identifies which libraries the developer can upload. Harmful scripts are then inserted and republished, turning trusted tools into hidden entry points. If Python credentials appear, the same process spreads into PyPI. Not just traditional systems are at risk - crypto-linked holdings face exposure too, with data targeted from tools like MetaMask and Phantom. One weak spot in a developer’s setup can ripple outward, showing how quickly risks spread across software ecosystems.
Read more »
Vishing
Cloud systems Credentials Stolen Cyber Attacks Extortion Fake Login phishing saaS Vishing

Hackers Target Cloud Apps Using Phone Scams and Login Tricks



Cybersecurity researchers have identified two threat groups that are executing fast-moving attacks almost entirely within software-as-a-service environments, allowing them to operate with very little visible trace of intrusion.

The groups, tracked as Cordial Spider and Snarky Spider, are also known by multiple alternate identifiers across different security vendors. Investigations show that both groups are involved in high-speed data theft followed by extortion attempts, and their methods show a strong overlap in how operations are carried out. Analysts assess that these groups have been active since at least October 2025. One of them is believed to be composed of native English speakers and is linked to a cybercrime network widely referred to as “The Com.”

According to findings from CrowdStrike, these attackers primarily rely on voice phishing, also known as vishing, to initiate their intrusions. In these cases, individuals are contacted and guided toward fraudulent login pages that are designed to imitate single sign-on systems. These pages act as adversary-in-the-middle setups, meaning they intercept and capture authentication data, including login credentials and session details, as the victim enters them. Once this information is obtained, attackers immediately use it to access SaaS applications that are connected through single sign-on integrations.

Researchers explain that the attackers deliberately operate within trusted SaaS platforms to avoid raising suspicion. Because their activity takes place inside legitimate services already used by organizations, their presence generates fewer detectable signals. This allows them to move quickly from initial compromise to data access. The combination of speed, targeted execution, and reliance on SaaS-only environments makes it harder for defenders to monitor and respond effectively.

Earlier research published in January 2026 by Mandiant revealed that these attack patterns represent a continuation of tactics seen in extortion-focused campaigns linked to the ShinyHunters group. These operations involve impersonating IT staff during phone calls to build trust with victims, then directing them to phishing pages in order to collect both login credentials and multi-factor authentication codes.

More recent analysis from Palo Alto Networks Unit 42 and the Retail & Hospitality ISAC indicates, with moderate confidence, that one of the identified clusters is associated with The Com network. These attacks rely heavily on living-off-the-land techniques, where attackers use legitimate system tools instead of introducing malware. They also make use of residential proxy networks to mask their real geographic location and to evade basic IP-based security filtering systems.

Since February 2026, activity linked to one of these clusters has been directed toward organizations in the retail and hospitality sectors. The attackers combine vishing calls, often impersonating IT help desk personnel, with phishing websites designed to capture employee credentials.

Once access is established, the attackers take steps to maintain long-term control. They register a new device within the compromised account to ensure continued access, and in many cases remove previously registered devices. After doing so, they modify email settings by creating inbox rules that automatically delete notifications related to new device logins or suspicious activity, preventing the legitimate user from being alerted.

Following initial access, the attackers shift their focus toward accounts with higher privileges. They collect internal information, such as employee directories, to identify individuals with elevated access and then use further social engineering techniques to compromise those accounts as well. With increased privileges, they move across SaaS platforms including Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, searching for sensitive documents and business-critical data. Any valuable information is then exfiltrated to infrastructure controlled by the attackers.

Researchers note that in many observed cases, the stolen credentials provide access to the organization’s identity provider, which acts as a central authentication system. This creates a single entry point into multiple SaaS applications. By exploiting the trust relationships between the identity provider and connected services, attackers are able to move across the organization’s cloud ecosystem without needing to compromise each application separately. This allows them to access multiple systems using a single authenticated session.


Read more »
Root Access Exploit
CISA KEV catalog Container Security Risk CVE-2026-31431 Cyber Attacks Kernel Exploit Detection Linux Kernel Vulnerability Linux Security Patch Privilege Escalation Root Access Exploit

CISA Highlights CVE-2026-31431 as an Active Linux Root Exploitation Risk


 

Several vulnerabilities in the Linux kernel have been recently disclosed that have attracted heightened scrutiny from the cybersecurity community, following evidence that they can be exploited to obtain full root-level control across a wide range of systems consistently. This vulnerability, formally referred to as “Copy Fail,” affects kernel versions spanning nearly a decade, dramatically expanding its attack surface and posing a significant threat to millions of deployments.

It is tracked as CVE-2026-31431. Several security researchers emphasize that this issue is not only significant when it comes to privilege escalation, but also stands out for its operational simplicity, cross-environment portability, and high exploitation success rate factors, which all contribute to its elevated threat profile and explain why it has been classified as an actively exploited vulnerability. 

Upon reviewing these findings, the Cybersecurity and Infrastructure Security Agency (CISA) has formally escalated the issue by adding the flaw to its Known Exploited Vulnerabilities (KEV) catalogue, which indicates confirmed instances of exploitation across multiple Linux distributions in the wild. 

The weakness, rated CVE-2026-31431, has a CVSS score of 7.8, and is considered to be a local privilege escalation vulnerability (LPE), which permits an unprivileged user with local access to elevate privileges to root privileges. However, its long-lasting undetected status, combined with its reliable exploitation pathway, makes it an operational risk even greater despite its moderate scoring. 

Under the designation “Copy Fail,” security researchers at Theori and Xint first identified and analyzed this issue. The issue arises from the incorrect transfer of resources between security contexts within Linux kernels, which can be exploited to bypass standard privilege boundaries in Linux. 

Several kernel patches, including versions 6.18.22, 6.19.12, and 7.0, have been released in response to this vulnerability, which has been actively exploited. Federal guidance urges organisations to prioritize updating based on the active exploitation status of the vulnerability. Additionally, its unusually low barrier to exploitation and wide ecosystem impact reinforce the urgency surrounding the flaw. 

According to researchers, an exploit can be executed with as little as 732 bytes of code, which significantly reduces the threshold for abuse and extends its reach across virtually all major Linux distributions since 2017. 

Unprivileged local users are able to manipulate the kernel's in-memory page cache of readable files, including setuid binaries, at the core of the vulnerability. By doing so, executables may be modified at runtime without altering files on disk. Injecting malicious code into trusted binaries such as /usr/bin/su results in root-level permissions for execution. This technique creates a stealthy pathway to privilege escalation. 

The security analysts at Wiz have stated that this in-memory tampering fundamentally undermines traditional integrity assumptions, since the page cache serves as the live execution layer for binaries. Furthermore, this risk is compounded when deploying large-scale Linux-based applications in modern cloud or containerised infrastructures. 

According to Kaspersky's analysis, environments that leverage container technologies, such as Docker, LXC, and Kubernetes, may be particularly vulnerable to threats. By default, container processes may interact with the AF_ALG subsystem if the algif_aead module is present in the host kernel, thus expanding the attack surface and enhancing privilege escalation across boundaries. 

In a technical sense, the vulnerability originates from a logic flaw within the Linux kernel's cryptographic pipeline, specifically the authenticated encryption template ("authenc"), where incomplete handling allows memory interactions that were not intended. 

Essentially, the vulnerability allows a local, unprivileged user to trigger a controlled four-byte write primitive into any readable file's page cache—a capability which appears to be constrained, but which has severe security implications when applied to executable memory. 

A key component of the exploit chain is the AF_ALG interface, which exposes kernel cryptographic operations to user space, as well as the splice() system call, which is used to redirect data flows away from conventional buffers and into the GPU page cache. 

By manipulating the in-memory representation of executables, attackers can subtly modify their execution behaviour without changing files on disk; when these modifications target setuid-root executables, it is trivial to escalate privileges to the full set of privileges. An analysis of the root cause of the issue has revealed that this vulnerability was caused by a 2017 optimization introduced in the Linux kernel version 4.14 that enabled in-place buffer reuse to improve performance but weakened memory isolation guarantees by accident, creating the conditions for an exploit. 

Several distributions have been validated empirically by researchers, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, SUSE Linux Enterprise 16, and Debian, all of which have demonstrated near-perfect reliability in a compact Python proof-of-concept. Since this flaw affects virtually all distributed operating systems released since 2017, it has drawn comparisons with previous high-profile flaws, including Dirty Pipe (CVE-2022-0847). 

However, Copy Fail is more portable across kernel versions, more reliable, and is simpler to exploit, as it does not require specific offsets or narrowly scoped configurations to operate. To resolve the issue, kernel maintainers reverted the underlying optimization and reintroduced safer buffer handling mechanisms as part of versions 6.18.22, 6.19.12, and 7.0 of the kernel. 

Despite the fact that major distributions have begun to deploy patched kernels, inconsistencies in advisory publication have caused friction in coordinated response efforts, resulting in security researcher Will Dormann noting that some platforms have issued updates that do not consistently mention CVE-2026-31431, potentially stalling remediation and risk awareness at an enterprise level. 

An additional technical analysis of the flaw has revealed a practical exploitation pathway, illustrating how attackers can operationalise the vulnerability systematically in real-world environments. An attacker typically begins the attack sequence by identifying a Linux host or container that runs on a vulnerable kernel version, followed by the preparation of an attack trigger based on Python tailored specifically for the target machine. 

Upon initiating the exploit, it can be executed either as a standard user on the host system or within a compromised container without elevated privileges utilizing a low-privilege context. By utilizing the underlying flaw, the exploit can overwrite the kernel page cache precisely by four bytes, corrupting sensitive data structures that are managed by the kernel and enabling privilege escalation. Ultimately, this allows the attacker to obtain unrestricted root access by elevating their process to UID 0.

As a result of the active threat landscape, Federal Civilian Executive Branch (FCEB) agencies have been instructed to resolve the vulnerability by May 15, 2026, in accordance with patches released by Linux distributions affected by this vulnerability. 

In the case that immediate patching is not feasible, interim mitigation strategies, including disabling vulnerabilities, segmenting networks, and tightening access controls, have been recommended as a means of reducing exposure and containing potential compromise paths. 

As a result of the active exploitation status of CVE-2026-31431, its extensive reach across the Linux ecosystem, and its relative ease of weaponisation, it serves as a critical reminder of the risks that are inherent to longstanding kernel-level design decisions. As a result of the convergence of high reliability, minimal exploit complexity, and broad distribution exposures, organizations are under increasing pressure to verify their patch postures and expedite remediation. 

As a precautionary measure, security teams should prioritize kernel updates, closely monitor privilege escalation activity, and reassess controls around multi-tenant and containerised environments in which attack surfaces may be heightened. 

Threat actors will continue to exploit low-friction exploitation paths for exploitation, which will require timely mitigation and disciplined system hardening to ensure operational integrity and limit the impact of these kernel vulnerabilities.
Read more »
Window Networks
Cyber Security Kyber Ransomware Quantum Window Networks

Kyber Ransomware Tests Post‑Quantum Encryption on Windows Networks

 

A new ransomware group named Kyber has pushed the envelope by experimenting with post‑quantum encryption in attacks on Windows‑based networks, according to recent cybersecurity analysis. The group has been observed targeting both Windows file servers and VMware ESXi platforms, showing a cross‑platform capability designed to disrupt critical enterprise infrastructure. In one confirmed incident, a major U.S. defense contractor fell victim to the strain, underscoring the threat’s seriousness. 

The Kyber variant deployed on Windows is written in Rust and uses a hybrid encryption scheme that combines classical and post‑quantum algorithms. Researchers at Rapid7 found that the Windows payload wraps AES‑256 file‑encryption keys using Kyber1024 (ML‑KEM1024), a lattice‑based key‑encapsulation mechanism standardized by NIST for quantum‑resistant cryptography. The strain also incorporates X25519 elliptic‑curve cryptography as an additional layer, creating a “belt‑and‑suspenders” approach to protect ransomware keys. 

Despite the marketing‑speak around “quantum‑proof” encryption, security experts note that Kyber’s use of post‑quantum crypto is largely symbolic at this stage. AES‑256 itself is already considered resistant to foreseeable quantum attacks, so relying on Kyber1024 mainly adds overhead without materially changing the practical impact for victims. Moreover, the Linux‑based ESXi encryptor does not actually use Kyber1024; it instead falls back to ChaCha8 and RSA‑4096, highlighting discrepancies between the ransomware’s claims and its implementation. 

Operationally, Kyber behaves like a modern ransomware strain: it seeks local administrator privileges, deletes Volume Shadow Copies via PowerShell and vssadmin, stops critical services, and encrypts files across shared drives. Windows files are typically appended with the .#~~~ extension, while the ESXi version uses .xhsyw, and each variant leaves a ransom note pointing to a Tor‑based leak site. The gang also runs a “Wall of Wonders” leak site to shame victims and pressure them into paying, a tactic increasingly common among ransomware‑as‑a‑service groups. 

For defenders, the lesson is that post‑quantum encryption in ransomware is more about optics than a game‑changer—for now. Organizations should still prioritize basics: strict privilege control, regular air‑gapped backups, monitoring unusual PowerShell and vssadmin activity, and rapid patching of ESXi and Windows servers. As quantum‑resistant standards mature, the broader cybersecurity community gains experience, even if attackers are the first to weaponize them in limited test‑bed campaigns like Kyber.
Read more »
Network Outage
Backdoors Cisco Cyber Outage Cyber Sabotage Cyber Security Iran Juniper Networks Network Outage

Iran Claims US Used Backdoors To Disable Networking Equipment During Conflict Amid Unverified Cyber Sabotage Reports

 

Midway through the incident, Iranian officials pointed fingers at American cyber operations. Devices made by firms like Cisco and Juniper began failing without warning. Power cycles hit Fortinet and MikroTik hardware even as Tehran limited external connections. Outages appeared tied to U.S. digital interference, according to local reports. Backdoors or coordinated botnet attacks were named as possible causes. Global discussion flared up almost immediately. Tensions between nations climbed higher amid unverified assertions. 

Network disruptions coincided too closely with military actions, some analysts noted These reports indicate Iranian officials see the outages as intentional interference, not equipment malfunction. What supports this view is the idea of harmful software hidden inside firmware or startup systems, set to activate remotely when signaled - possibly through satellite links. A different explanation considers dormant networks of infected machines, ready to shut down gadgets all at once if activated Still, no proof supports these statements. 

Confirming them becomes nearly impossible because Iran has restricted online access for long periods, blocking outside observers from seeing what happens inside its digital networks. Weeks of broad internet blackouts continue across the region, making verification harder than expected under such isolation. Nowhere more visible than in official outlets, the accusations gain strength through repeated links to earlier reports. 

Because evidence once surfaced via Edward Snowden, it gets reused to support current assertions about U.S. practices. Hardware tampering stories resurface when discussions turn to digital trust. From that point onward, examples of intercepted equipment serve as grounding points. Even so, connections drawn today rely heavily on incidents described years ago. 

Thus, suspicion persists within broader debates over tech control Even though claims are serious, public confirmation of deliberate backdoors or a remote "kill switch" remains absent. Still, specialists point out past flaws found in gear from various makers. Yet linking widespread breakdowns to one unified assault demands strong validation. What matters is proof - not just patterns - when connecting such events Nowhere is the worry over digital dependence more clear than in how fragile supply chains have become. 

A single compromised component might ripple across systems, simply because oversight lags behind complexity. Often, failures stem not from sabotage but from overlooked bugs or poor setup. Some breaches resemble accidents more than attacks, unfolding when neglected flaws are finally triggered. Rarely do we see deliberate tampering; far more common are gaps left open by routine mistakes. Hardware made abroad adds another layer of uncertainty, though the real issue may lie in how it's used, not where it's built Even now, global power struggles shape how cyber actions are seen. 

As nations admit using online assaults during warfare, such events fit within larger strategic patterns. Still, absent solid proof, today’s accusations serve more as tools in storytelling contests among states. Truth be told, understanding cyber warfare grows tougher each year, as unclear technology limits, narrow access to data, and national agendas overlap. Though shutting down systems secretly from afar might work on paper, without outside verification, such claims sit closer to suspicion than proof.
Read more »
Virtual Machine Evasion
Active Directory Attacks Cyber Threat Intelligence Cyber Threats Endpoint Security Bypass Hypervisor Security QEMU Exploits Ransomware Attacks Sophos Report Virtual Machine Evasion

Ransomware Campaign Leverages QEMU to Slip Past Enterprise Defences


 

In an effort to circumvent traditional security controls, hackers are increasingly relying on virtualisation as a covert execution layer, embedding malicious operations within QEMU environments. As observed in observed incidents, adversaries deployed concealed virtual machines in which tooling and command execution occurred largely beyond the detection range of endpoint detection systems, leaving minimal forensic artifacts on the operating system. 

In most cases, these environments are introduced as virtual disk images disguised under atypical file extensions such as .db or .dll and triggered by scheduled tasks with SYSTEM level privileges to create a parallel runtime that blends with legitimate processes.

According to analysts at Sophos, such techniques take advantage of the trust associated with widely used virtualization software. This pattern extends to platforms such as Microsoft Hyper-V, Oracle VM VirtualBox, and VMware, among others. These tactics reflect a broader strategic shift in which legitimate infrastructure is used to create isolated, low-noise environments that allow ransomware deployment while retaining effective anonymity to host-based defenses. Based on this pattern, researchers at Sophos have highlighted that QEMU misuse is not a recent development, but its resurgence in recent operations signals a renewed tactical emphasis on the use of QEMU. 

In late 2025, analysts have identified two separate ransomware campaigns, STAC4713 and STAC3725, which use virtualised environments to avoid detection, and STAC4713 is specifically associated with the financial-motivated PayoutsKing cluster of ransomware activities. 

An attacker established persistence for this campaign by creating a scheduled task, “TPMProfiler,” which executed a concealed virtual machine with SYSTEM-level privileges. A disk image deployment was implemented in which benign assets were deliberately disguised as benign assets, initially appearing as database files, but later taking on the appearance of dynamic link libraries in order to blend seamlessly into routine system artifacts. 

Once active, the virtual instance initiated reverse SSH tunneling mechanisms and port-forwarding mechanisms, forming covert communication channels that enabled sustained remote access while remaining outside the scope of conventional monitoring tools. 

During this isolated Alpine Linux environment, adversaries employed a compact toolkit that enabled tunneling, obfuscation, and data exfiltration, facilitating credential harvesting, the extraction of Active Directory databases, as well as the lateral exploration of network shares, all by utilizing legitimate system utilities. 

By integrating trusted binaries and hidden virtual infrastructure, this intentional convergence highlights a refined intrusion model where malicious activity is woven into normal system behavior, increasing the difficulty of detecting and responding to intrusions. 

A further investigation of STAC4713 has revealed its origin dates are November 2025, when it has been associated with the GOLD ENCOUNTER threat group and directly associated with PayoutsKing ransomware, a ransomware operation that differs from the conventional ransomware-as-a-service environment by executing intrusions without the assistance of affiliates. 

After emergence in mid-2025, the group has demonstrated a focus on hypervisor-centric environments, developing customized encryption tools for platforms such as VMware and VMware ESXi, signaling a deliberate shift towards infrastructure-level disruption. 

Additionally, a second campaign, STAC3725, appeared in February 2026. This campaign accessed the system via the CVE-2025-5777 exploit chain before deploying a malicious instance of ConnectWise ScreenConnect to secure persistence. Using this foothold, attackers orchestrated credential harvesting against Active Directory environments using a concealed QEMU virtual machine. 

The intrusion sequence in STAC4713 is well-planned, beginning with the creation of the “TPMProfiler” scheduled task which executes qemu-system-x86_64.exe with SYSTEM privileges. As a result, the boot-up of a virtual hard drive image disguised as benign files  initially "vault.db" and later renamed "bisrv.dll" -- was used to evade scrutiny.

In addition to this obfuscation, network manipulation techniques are employed, including port forwarding from non-standard ports such as 32567 and 22022 to SSH port 22, while reverse tunnels involving AdaptixC2 or OpenSSH are used to maintain persistent and covert connectivity to attacker-controlled networks. Embedded virtual machines operate on Alpine Linux 3.22.0 images preconfigured to offer a compact but robust toolkit that enables the rapid transfer of data and execution of commands. 

The toolkit includes Linker2, AdaptixC2, WireGuard's WireGuard Obfuscation Layer (wg-obfuscator), BusyBox, Chisel, and Rclone. In contrast, STAC3725 utilizes a more adaptive approach, compiling its toolset within a virtual environment in situ, including frameworks such as Impacket, KrbRelayX, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit, as well as Python, Rust, Ruby, and C dependencies. 

Post-compromise activities include credential extraction, Kerberos user enumeration via Kerbrute, Active Directory reconnaissance via BloodHound, and payload staging over FTP channels, demonstrating a methodical and deeply embedded attack model in which virtualization serves not only as a concealment mechanism, but also as a platform for sustained intrusion. 

In sum, STAC4713 and STAC3725's activity indicate a calculated evolution in adversary tradecraft where virtualisation is no longer just a peripheral tactic for evasion but rather a critical component of adversary operations. A malicious workflow may be embedded within QEMU instances and aligned with trusted system processes, thus decoupling attackers' activities from the host environment. 

As a result, conventional endpoint controls will be unable to detect the attacker's activities while maintaining persistent, low-noise access. By employing disguised storage artifacts, executing tasks at the SYSTEM level, and utilizing encrypted communication channels, a disciplined approach to stealth is demonstrated, while the integration of credential harvesting, Active Directory reconnaissance, and lateral movement capabilities highlights the end-to-end nature of the intrusion. 

Sophos has observed that the resurgence of such campaigns indicates a broader industry challenge, in which legitimate infrastructure and administrative tools are increasingly repurposed to undermine defensive assumptions. 

Virtualised attack frameworks, with their convergence of concealment, persistence, and operational depth, provide a formidable vector for modern ransomware operations, requiring an extension of detection strategies beyond the host to virtual layers where adversaries are actively exploiting these vulnerabilities.
Read more »
Subscribe to: Posts (Atom)

Featured